Access Control Flashcards
What is * (star) integrity?
Biba model, which prohibits “write up” from a lower to a higher security level
What is * (star) security?
Bell-LaPadula model, which prohibits writing down to a process at a lower security level
What is access control based on job functions or duties?
Role-based access control
What is centralized control?
All identity management and access control decisions for an organization are handled by one server system
What is decentralized access control?
An organization’s total access control needs are partitioned, with each partition having its own access control servers
What is the difference between decentralized and centralized access control?
- Centralized: harder to set up but easier to make global changes and updates
- Decentralized: easier to set up but harder to maintain or make global changes
What is discretionary access control?
Allows subjects to modify access control system constraints, rules, or policies
What is identity proofing?
Establishes the truthfulness of documents or other information that attest to a person’s claim to be that person
What is Institute of Electrical and Electronics Engineers (IEEE) 802.1X?
Access control standard that defines the Extensible Authentication Protocol
What is mandatory access control address whitelisting?
Access control restricted to devices with matching MAC addresses; done by a router or firewall
What is privilege creep?
Continued accumulation of privileges despite changes in job, role, functions, or conditions
What is a reference monitor?
The functionality that checks every access attempt to see if it should be authorized or denied
What is separation of duties?
Policies that allocate parts of sensitive or critical job functions to different people so that no single person performs all tasks and can see or modify data
What are the steps in identity management?
Provisioning, review, revocation, deletion
What are the subjects and objects?
Subjects are people, processes, tasks, or devices that are trying to do things to objects, such as read, copy, modify, and run them;
Objects can be people, devices, files, or processes
What is the AAA of access control?
- Authentication
- Authorization
- Accounting
What is transitive trust?
If node A trusts B, and B trusts C, then node A trusts C. This is how chains of trust form
What is a Type 1 access control error?
False positive, allowing an unauthorized subject or user to gain access
What is a Type 2 access control error?
False negative, prohibiting an authorized user from gaining access
What kind of subjects should be authenticated before being granted access?
All types (devices, people, software processes)
How do intranet, extranet, and wide area networks differ?
- Intranet is an internet segment under local administration and control of an end user organization
- Extranet is an internet segment that joins multiple intranets together
- WANs connect many LANs, WANs, or other networks usually across a large geographic area such as a city
How do identity assurance levels (IALs) relate to just in time identity?
Enables organizations to use just-in-time or self-provisioning identity and account creation to meet their overall security needs.
- IAL1 does nothing
- IAL2 requires validation by means of another online identity provider
- IAL3 requires physical verification of the authenticity and correctness of documents that attest to the identity being claimed
What steps are generally part of credential management?
Sponsorship, enrollment, production, issuance, suspension, expiration, or other actions required
What are the 3 main inputs to a user and entity behavioral modeling and analytics (UEBA) access control system?
Threat typologies, allowed behavior typologies, and user or entity session histories