Access Control Flashcards
What is an Object ?
A passive entity such as a file or a database system.
What is a Subject ?
An active entity such as an individual or a process.
What is Access Control ?
The ability to permit or deny the use of an object by a subject.
Purpose of Preventative Controls ?
Reducing Risk
Purpose of Detective Controls ?
Identifying violations and risks.
Purpose of Corrective Controls ?
Remedying violations and incidents and improving existing preventative and detective controls.
Purpose of Deterrent Controls ?
Discouraging Violations
Purpose of Recovery Controls ?
Restoring systems and information
Purpose of Compensating Controls ?
Providing alternative ways of achieving a task.
What are Administrative Controls ?
Policies and procedures an organisation implements as part of its information security strategy.
What are Technical (logical) Controls ?
Technical controls use both hardware and software to implement access control.
Some Examples of Technical Controls ?
Encryption, Access Control (biometrics, smart cards, tokens), ACLs, Remote Access Authentication (RADIUS, PAP, CHAP, LDAP).
Some Examples of Detective Tech. Controls ?
Violation Reports, Audit Trails, Network Monitoring and Intrusion Detection.
What are Physical Controls ?
Physical (preventative) Controls ensure the safety and security of the physical environment.
Some Examples of Physical Controls ?
Security Perimeters - fences, guards, dogs, motion detectors and video cameras.
What are the three components of Access Control Services ?
Authentication, Authorisation and Accountability (AAA)
auth-auth-acc
What is Authentication ? (Access Control Service)
A two-step process consisting of identification and authentication.
What is Authorisation ? (Establishment, Access Control Service)
Defines the Rights / Permissions granted to a user account or process
What is Accountability ? (Access Control)
The capability to associate users and processes with their actions.
Some Examples of Accountability (Access Control)
Audit Trails, System Logs.
Non Repudiation
Associated with Accountability (A.C.). It means that a user can't deny an action because you can irrefutably associate him with that action.
System Access Control
A control category that protects the entire system, first line of defense.
Data Access Control
A control category that is specific to controlling access to data in a system.
Three Factors of Authentication
(01) Something you know (PIN, password), (02) Something you have (access card, RSA token), (03) Something you are (fingerprint, voice, retina, iris).
What is two-factor authentication ?
This is an authentication method that requires two different factors of authentication (Are, Have, Know).
What is strong authentication ?
This is an authentication method that requires at least two different factors of authentication (Are, Have, Know).
What is identification ?
Identification is the act of claiming a specific identity.
What is authentication ?
Authentication is the act of verifying an identity.
Recommended minimum password length:
6 to 8 characters
Recommended password complexity:
Combination of alphanumerics, with special characters and a mix of capitalised and non-capitalised alpha characters.
Recommended password aging time length:
30-60-90 days
Recommended password History:
5
Recommended login attempts:
Counter threshold: 3 to 5
Counter reset: 30min
What is FRR ? (Access Control)
False Reject Rate (Type 1 Error): authorised users to whom the system incorrectly denies access, stated as a %.
What is FAR? (Access Control)
False Accept Rate (Type 2 Error): unauthorised users to whom the system incorrectly allows access, stated as a %.
What is CER ? (Access Control)
Crossover Error Rate is the point where FRR = FAR, stated as a %.