Access Control

Question 1

Access Control Systems include

Answer 1

File Permissions, Program Permissions and Data Rights

Question 2

File Permissions allows

Answer 2

Create, Read, Edit or Delete on a File Server

Question 3

Program Permissions allows

Answer 3

execution of a program on a server.

Question 4

Data Rights allows

Answer 4

right to retrieve or update information in a database.

Question 5

A “SUBJECT” is

Answer 5

an ACTIVE entity i.e., an individual or process that accesses an OBJECT.

Question 6

An “OBJECT” is

Answer 6

a PASSIVE entity i.e., system or process that a SUBJECT ACTS UPON or accesses.

Question 7

PREVENTIVE controls are for

Answer 7

reducing risk.

Question 8

DETECTIVE controls are for

Answer 8

identifying violations and incidents.

Question 9

CORRECTIVE controls are for

Answer 9

remedying violations and incidents and improving existing preventive and detective controls.

Question 10

DETERRENT controls are for

Answer 10

discouraging violations and dissuading malicious activity.

Question 11

RECOVERY controls are for

Answer 11

restoring systems and information.

Question 12

COMPENSATING controls are for

Answer 12

providing alternative ways of achieving a task.

Question 13

Preventive controls together with and overall security program are compensated by

Answer 13

DETECTIVE, CORRECTIVE, DETERRENT, RECOVERY and COMPENSATING controls.

Question 14

ACCESS controls can be

Answer 14

Administrative, Technical, and Physical

Question 15

ADMINISTRATIVE controls include

Answer 15

policies and procedures that are implemented as part of an overall information security strategy

Question 16

Types of ADMINISTRATIVE controls may include

Answer 16

policies, standards, guidelines and procedures. Security awareness training. Asset clarification and control. Employment policies. Account administration. Account, log and journal monitoring. Review of audit trails.

Question 17

TECHNICAL controls are

Answer 17

technical ( or logical ) controls that leverage HW or SW to implement access control.

Question 18

PREVENTIVE TECHNICAL controls include

Answer 18

encryption, access control mechanisms, access control lists ( ACLs), Remote Access authentication protocols.

Question 19

Common technical ENCRYPTION controls are

Answer 19

DES ( Data Encryption Standard ) AES ( Advanced Encryption Standard ) and Merkle-Hellman Knapsack.

Question 20

Access Control Mechanisms are

Answer 20

Biometrics, Smart Cards, and Tokens.

Question 21

Access Control Lists ( ACLs ) are

Answer 21

permission defining what a SUBECT can or cannot do to an object.

Question 22

Remote Access Authentication Protocols are

Answer 22

PAP ( Password Authentication Protocol ) CHAP ( Challenge HandShake Authentication Protocol ) RADIUS ( Remote Authentication Dial In User Service ) and LDAP ( Lightweight Directory Access Protocol )

Question 23

DETECTIVE TECHNICAL controls include

Answer 23

Violation reports, Audit Trails, Network Monitoring and Intrusion Detection.

Question 24

PHYSICAL controls ensure

Answer 24

safety and security of the physical environment they are primarily PREVENTIVE AND DETECTIVE.

Question 25

PHYSICAL PREVENTIVE controls include

Answer 25

perimeter protections like; fences, locked entry, restricted area and guards / dogs.

Question 26

PHYSICAL DETECTIVE controls include

Answer 26

Motion detection and video cameras

Question 27

ACCESS CONTOL SYSTEMS provide what three essential services?

Answer 27

Authentication, Authorization, and Accountability.

Question 28

AUTHENTICATION is

Answer 28

( who can log in ) a two step process of Identification and Authentication or ( I&A).

Question 29

IDENTIFICATION is the means by which

Answer 29

a user ( SUBJECT ) presents a specific ID ( like a USERNAME ) to a system ( OBJECT )

Question 30

AUTHENTICATION is the process of verifying

Answer 30

an identity… IDENTIFICATION ( I of I&A) . A USERNAME ( identity) is verified with a PASSWORD ( authentication ).

Question 31

What determines a SUBECT can LOG in

Answer 31

AUTHENTICATION

Question 32

AUTHORIZATION or “establishment” defines

Answer 32

rights and permissions granted to a user account or process. ( what can be done with a system or resource )

Question 33

What determines a what a SUBECT can do with assigned rights and permissions.

Answer 33

AUTHORIZATION

Question 34

ACCOUNTABILITY is the capability to associate users and processes with

Answer 34

ACTIONS ( what they did ) AUDIT TRAILS AND SYSTEM LOGS.

Question 35

“This” determines what a SUBJECT did

Answer 35

ACCOUNTABLITY

Question 36

The ability to irrefutably associate a user with an action that can’t be denied is

Answer 36

NON-REPUDATION

Question 37

What are the two categories of ACCESS CONTROL

Answer 37

SYSTEM ACCESS / DATA ACCESS controls

Question 38

SYSTEM ACCESS controls provide

Answer 38

the first line of defense for data contained in a system. This is renowned as AUTHENTICATION but include AUTHORIZATION and ACCOUNTABILITY.

Question 39

AUTHENTICATION is based on 3 FACTORS

Answer 39

something YOU KNOW ( PASSWORD and PINs ), YOU HAVE ( TOKEN or SMART CARD ) YOU ARE ( FINGERPRINT, VOICE, a physical body part )

Question 40

TWO FACTOR authentication requires

Answer 40

two of the three.

Question 41

STRONG authentication requires

Answer 41

at least TWO factors.

Question 42

Using THREE FACTORS is

Answer 42

3 FACTOR authentication.

Question 43

I & A techniques include

Answer 43

passwords/ phrases, PINS, BIOMETRICs, and OTP, Tokens, and SSO.

Question 44

Common or shared accounts as root, admin, or system are examples of accounts that have

Answer 44

no accountability and should not be permitted.

Question 45

The ACT of claiming a specific identity is

Answer 45

IDENTIFICATION

Question 46

The ACT of verifying a specific identity is

Answer 46

AUTHENTICATION

Question 47

The most common and weakest type of AUTHENTICATION is

Answer 47

the password.

Question 48

More difficult to hack the PASSPHRASE uses

Answer 48

a sequence of characters or words that are usually easier to remember.

Question 49

The downside of PASSPHRASE can be

Answer 49

inconvenient to implement ( too long ), system limitations for more than 8 characters or spaces. In the end a passphrase can be considered a password.

Question 50

General challenges with PASSWORDS and PASSPHRASES are

Answer 50

insecure, easily broken, inconvenient, refutable.

Question 51

Passwords or Passphrases are generally insecure because

Answer 51

human nature to select easy password. Transmission and storage in clear text.

Question 52

Passwords or Passphrases are easily broken by

Answer 52

BRUTE FORCE attacks, such as John the Ripper and L0phtCrack

Question 53

Passwords should demonstrate the following security best practices

Answer 53

LENGTH of six to eight characters. COMPLEXITY combination of upper lower case, special characters, AGING, which requires changes at regular intervals. HISTORY, allowing historical memory of up to 5 previous passwords, and LIMITED ATTEMPTS, defined number of unsuccessful log on attempts before lock out. LIMITED TIME PERIODS restrictions to when a user can log in, time of day. SYSTEM MESSAGES; LOGIN BANNER defining terms of use, and LAST USERNAME ( which should be disabled ) LAST SUCCESSFUL LOGIN unveils unlikely log in attempts.

Question 54

PINS are relatively weak authentication because

Answer 54

there are only 10,000 possible combinations to a four digit PIN.

Question 55

BIOMETRICs are based on THIRD FACTOR AUTHENTICATION which is

Answer 55

something YOU ARE. It is not considered STRONG authentication as it only uses one of three authentication requirements.

Question 56

BIOMETRICS access controls can be

Answer 56

PHYSICAL, presenting a biometric characteristic to be verified against a database. LOGICAL entry of a username or password plus a biometric characteristic.

Question 57

EFFECTIVE BIOMETRIC systems demonstrate

Answer 57

ACCURACY, SPEED and THROUGHPUT, DATA STORAGE REQUIREMENTS, RELIABILITY, ACCEPTABILITY

Question 58

ACCURACY in BIOMETRICS is defined by

Answer 58

FALSE REJECT RATES ( FRR) TYPE 1 ERROR and FALSE ACCEPTANCE RATE TYPE 2 ERROR

Question 59

( ! ) FALSE REJECT RATE ( FRR ) TYPE 1 ERROR

Answer 59

is the percentage of authorized users to whom the system incorrectly denies access.

Question 60

( ! ) FALSE ACCEPT RATE ( FAR ) TYPE 2 ERROR

Answer 60

is the percentage of unauthorized users to whom the systems incorrectly grants access.

Question 61

( ! ) CROSSOVER ERROR RATE

Answer 61

is the point at which the FRR equals the FAR stated as a percentage. It is considered the most important measure of BIOMETRIC accuracy.

Question 62

( ! ) The most common difficulty with BIOMETRIC systems is

Answer 62

gaining user acceptance.

Question 63

COMMON TYPES of PHYSIOLOGICAL access control systems include

Answer 63

Fingerprint recognition and scan, Hand geometry, Retina pattern, Iris pattern.

Question 64

COMMON TYPES of BEHAVIORAL access control systems include

Answer 64

Voice, Signature dynamics, Keystroke or Typing dynamics.

Question 65

ONE TIME PASSWORD is valid for

Answer 65

one log-on session only, after the session the PW is no longer valid. They provide maximum security for access control. ( TOKENS and S/KEY are types of OTP )

Question 66

TOKENS are

Answer 66

two factor authentication ( something you have and something you know ) key fobs, dongles, smart cards, soft tokens, that store static passwords ( digital certificate ) or generate dynamic passwords.

Question 67

The THREE general types of TOKENS are

Answer 67

STATIC PASSWORD ( digital certificate ) SYNCHRONOUS DYNAMIC PW ( timed event ) ASYNCHRONOUS DYNAMIC PW.

Question 68

SINGLE SIGN ON addresses

Answer 68

multiple systems and multiple logins. Address human factor of poor password implementation / selection and productivity impact on user and IT maintenance team.

Question 69

SSO challenges are

Answer 69

unrestricted access to multiple systems once logged in , and complexity to deploy the services.

Question 70

SSO leverages these common third party ticket based services.

Answer 70

KERBEROS, SESAME, KRYPTOKNIGHT

Question 71

In Kerberos two types of keys are

Answer 71

a SESSION KEY ( dynamic ) and a SECRET KEY

Question 72

A SESSION KEY ( dynamic ) is

Answer 72

generated when needed and shared between two principals then destroyed as no longer need.

Question 73

A SECRET KEY is

Answer 73

a static key that is used to encrypt a session key.

Question 74

SEASAME =

Answer 74

SECURE EUROPEAN SYSTEM and APPLICATIONS in a Multi-vendor Environment.

Question 75

SEASAME is a

Answer 75

ticket based system developed by the EUROPEAN COMPUTER MANUFACTURERS ASSOCIATION. ECMA

Question 76

KRYPTOKNIGHT

Answer 76

ticket and key distribution system developed by IBM and provides two party authentication, key distribution and data integrity services.

Question 77

( ! ) Three examples of TICKET BASED SSO services for AUTHENTICATION ARE

Answer 77

KERBEROS, SESAME, KRYPTOKNIGHT

Question 78

Access Control Methodologies are generally classified as

Answer 78

CENTRALIZED or DECENTRALIZED

Question 79

( ! ) CENTRALIZED ACCESS CONTROL examples include

Answer 79

LDAP ( Lightweight Directory Access Protocol ), RAS ( Remote Access Service ), RADIUS ( Remote Authentication Dial-in User Service ), DIAMETER, TACACS ( Terminal Access Controller Access Control System ),

Question 80

REMOTE ACCESS SERVICE leverages Point to Point Protocol ( PPP ) to encapsulate IP packets and uses the following three authentication protocols

Answer 80

PAP ( Password Authentication Protocol ), CHAP ( CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL ), EAP ( Extensible Authentication Protocol )

Question 81

DECENTRALIZED ACCESS CONTROL includes

Answer 81

multiple domains and trust, databases controlled by a DataBase Management System.

Question 82

( ! ) A Database view is

Answer 82

a type of constrained user interface. Restricting access to specific functions by not allow requests of those functions.

Question 83

Data Access Controls include

Answer 83

DISCRETIONARY ACCESS CONTOL, and MANDATORY ACCESS CONTOL

Question 84

( ! ) Who determines access policy in DISCRETIONARY ACCESS CONTROL

Answer 84

OWNER

Question 85

TWO CONCEPTS of DISCRETIONARY Access Control are

Answer 85

File and Data Ownership / Access Rights and Permissions

Question 86

TWO CONCEPTS of MANDATORY Access Control are

Answer 86

Sensitivity Labels / Data Import Export

Question 87

( ! ) What determines access policy in MANDATORY ACCESS CONTROL

Answer 87

SYSTEM

Question 88

ACCESS CONTROL MODELS are

Answer 88

BELL - LA PADULA, BIBA, CLARK-WILSON, NonINTERFERRENCE MODEL, ACCESS MATRIX MODEL, INFORMATION FLOW MODEL.

Question 89

BELL - LA PADULA defines two properties

Answer 89

Simple Security property ( ss property ) and *-property ( start property )

Question 90

( ! ) BELL - LA PADULA addresses

Answer 90

CONFIDENTIALITY

Question 91

( ! ) BIBA and CLARK WILSON addresses

Answer 91

INTEGRITY

Question 92

ACCESS CONTOL ATTACKS are

Answer 92

Brute-Force or Dictionary Attack, Buffer or Stack overflow, Man in the Middle, Packet Sniffing, Session Hijacking, Social Engineering.

Question 93

Tactics to deploy against Access Control attacks are

Answer 93

Threat Modeling, Asset Valuation, Vulnerability Analysis, and Access Aggregation.

Question 94

Access Control Evaluation and Testing include

Answer 94

Port Scanning, Application Scanning, Blackbox testing, Whitebox testing, Greybox teststing, Host Scanning, Operating system detection.