Access Control Flashcards

1
Q

Which statement correctly describes biometric methods? A. They are the least expensive and provide the most protection. B. They are the most expensive and provide the least protection. C. They are the least expensive and provide the least protection. D. They are the most expensive and provide the most protection.

A

D. Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.

2
Q

Authorization Creep

A

Authorization creep: permissions accumulate over time as a user moves between jobs and old rights are never revoked, so the account ends up with far more access than the current role needs (a least-privilege failure). Periodic review and recertification of authorizations mitigates it. SOX requires yearly auditing.

3
Q

Access Controls

A

Access controls are security features that govern how subjects (people, processes) can interact with systems and resources. The goal is to protect objects from unauthorized access, modification and disclosure.

4
Q

Access

A

The data flow between an object and a subject.

5
Q

Access Control Subject

A

A person, process or program: the active entity that requests access to an object.

6
Q

Object

A

A resource (file, printer, database, etc.): the passive entity that a subject requests access to.

7
Q

Components of Access Control

IA3

A
  1. Identification – who am I? (user ID, account name)
  2. Authentication – prove that I am who I say I am (password, token, biometric)
  3. Authorization – now what am I allowed to access?
  4. Auditing / accountability – a record of what I actually accessed, so actions can be traced to a subject.
8
Q

Authentication: proving you are who you say you are, usually with one of these three factors (combining two different factors gives multi-factor authentication).

A

Something you know (password)

Something you have (smart card / token)

Something you are (biometrics)

9
Q

Identity Management

A

Identity management is a broad term for products that identify, authenticate and authorize users by automated means. Such products may (or may not) include:
  • User account management (provisioning and deprovisioning)
  • Access controls
  • Password management
  • Single sign-on
  • Permissions / entitlement management

10
Q

Directories

A

Directories hold information about users and resources. LDAP (Lightweight Directory Access Protocol) is the standard protocol for querying them and is derived from X.500.

Key concepts are the namespace (the tree of entries) and the DN (distinguished name), which uniquely identifies an entry by listing its path from the leaf up to the root, e.g. CN=Alice Smith,OU=Staff,DC=example,DC=com: a CN (common name) under one or more OUs (organizational units) under the DCs (domain components) that name the domain.

Examples:
  • Active Directory (Microsoft's directory service; accessed via LDAP and Kerberos)
  • Legacy Windows NT domains (flat directory structure, no tree)
  • Novell NetWare (NDS / eDirectory)

11
Q

Federation / ADFS

A

A federation is multiple computing and/or network providers agreeing on common standards of operation so that identities and entitlements can be shared between them (self-governing entities that agree on common ground to ease access between them).

A federated identity is an identity, with its entitlements, that can be used across business boundaries: the identity provider authenticates the user and the relying party trusts its assertion (examples from the card: Microsoft Passport, Google Checkout).

Active Directory Federation Services (AD FS) is Microsoft's federation product; it issues SAML / WS-Federation tokens that applications in other organizations can accept.

12
Q

DAC

A

Discretionary Access Control

The owner or creator of a resource specifies which subjects have which access to it: access is at the discretion of the data owner.* The common implementation is an ACL (access control list): a list attached to the object naming each subject and the operations it may perform (e.g. alice: read, write; bob: read).

Commonly implemented in commercial operating systems (Windows NTFS permissions, Linux and macOS file permissions and ACLs). Weakness: because owners can grant access freely, a malicious program running with the owner's rights (a Trojan horse) can pass the owner's data on to others.

13
Q

MAC

A

Mandatory Access Control

Data owners cannot grant access!* The system makes the decision by comparing security labels: every subject has a clearance and every object has a classification (confidential, secret, top secret, optionally with compartments or categories).*

Rules for access are configured by the security officer and enforced by the OS; a subject may read an object only if its clearance dominates the object's label (Bell-LaPadula's simple security property). Used in high-assurance and military systems; SELinux is a widely deployed implementation on Linux.

14
Q

Rules Based Access Control

A

Rule-Based Access Control (often abbreviated RBAC, which collides with role-based access control; RuBAC is used to disambiguate)

Considered a “compulsory control” because the rules are strictly enforced and not modifiable by users. Routers and firewalls use rule-based access control heavily: an ordered list of rules (source, destination, port, action) is evaluated against each packet and the first match decides. The rules are not tied to an individual subject's identity.

15
Q

Access Control Technology / Techniques

A

You should know ALL of these and be able to differentiate between similar types:
  • Constrained user interfaces* (views, restricted shells, menus, physically constrained interfaces such as an ATM keypad)
  • Access control matrix*
  • Capability tables*
  • ACLs*
  • Content-dependent access control
  • Context-dependent access control

16
Q

Context-Dependent Access Control

A

Makes access decisions based on the context in which a request arrives (the state of a sequence of events) rather than on the sensitivity of the data.

A system using context-dependent access control “reviews the situation” and then decides. For example, a stateful firewall accepts an inbound packet only if it belongs to a connection whose TCP three-way handshake (SYN, SYN-ACK, ACK) it has already observed; the same packet arriving with no preceding SYN is dropped. Time of day and the subject's previous accesses are other context inputs.
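The stateful-firewall behaviour described above, as an added example that is not code from the original flashcards or from any firewall product. It assumes a constructed internal prefix (10.0.0.0/8) and constructed packets; the filter keeps per-connection state and accepts an inbound segment only once the handshake has been seen, which is exactly the context-dependent decision.

```python
"""Context-dependent access control: a minimal stateful packet filter.

Constructed example (not from the original flashcards). Policy: hosts inside
10.0.0.0/8 may open outbound TCP connections; an inbound packet is accepted
only if it belongs to a connection whose three-way handshake (SYN, SYN-ACK,
ACK) the filter has already observed. A SYN-ACK accepted mid-handshake is
dropped when it arrives unsolicited: the decision depends on context.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed internal prefix (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    NEW, SYN_SENT, SYN_RECEIVED, ESTABLISHED = "NEW", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"

    def __init__(self):
        self.table = {}  # connection key -> state

    @staticmethod
    def _key(p):
        # normalise so both directions of one connection share a key
        if ip_address(p.src) in INSIDE:
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        outbound = ip_address(p.src) in INSIDE
        key = self._key(p)
        state = self.table.get(key, self.NEW)

        if state == self.NEW:
            # only an inside host may start a connection, and only with a bare SYN
            if outbound and p.syn and not p.ack:
                self.table[key] = self.SYN_SENT
                return "ACCEPT"
            return "DROP"
        if state == self.SYN_SENT:
            if not outbound and p.syn and p.ack:
                self.table[key] = self.SYN_RECEIVED
                return "ACCEPT"
            return "DROP"
        if state == self.SYN_RECEIVED:
            if outbound and p.ack and not p.syn:
                self.table[key] = self.ESTABLISHED
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED: data segments flow both ways; a new SYN is not part of this connection
        return "DROP" if p.syn else "ACCEPT"


def run(packets):
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed traffic: a legitimate handshake from 10.1.1.5 to 203.0.113.9:443,
# one data segment each way, then an unsolicited SYN-ACK from an outside host
# (the classic way to slip past a stateless filter that trusts the ACK bit).
HANDSHAKE = [
    Packet("10.1.1.5", 50000, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.1.1.5", 50000, syn=True, ack=True),
    Packet("10.1.1.5", 50000, "203.0.113.9", 443, ack=True),
    Packet("10.1.1.5", 50000, "203.0.113.9", 443, ack=True),
    Packet("203.0.113.9", 443, "10.1.1.5", 50000, ack=True),
]
UNSOLICITED = [Packet("198.51.100.7", 443, "10.1.1.5", 50001, syn=True, ack=True)]

if __name__ == "__main__":
    print(run(HANDSHAKE + UNSOLICITED))  # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP']
```

A stateless ACL that permits "inbound TCP with ACK set" would accept the last packet; the stateful version drops it because no connection with that 4-tuple was ever opened from inside.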

17
Q

Content-Dependent Access Control

A

Access to objects is determined by the content within the object. Examples: a database view that hides rows or columns whose values the subject is not cleared to see, or a mail filter that blocks messages containing a given string.

18
Q

Access Control Models

A

DAC, MAC, RBAC

DAC - Discretionary Access Control (DAC) is a type of access control in which a user has complete control over all the programs and files it owns and executes, and also determines the permissions other users have to those files and programs.

MAC - Mandatory Access Control (MAC) is a type of access control in which only the administrator manages the access controls. The administrator defines the usage and access policy, which cannot be modified or changed by users, and the policy indicates who has access to which programs and files.

RBAC - Role-based access control (RBAC) grants permissions to roles rather than to individual users; a user obtains permissions by being assigned a role (e.g. accountant, help desk), which keeps access aligned with job function and makes revocation a matter of removing the role.
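The RBAC relationship described above, as an added example that is not from the original flashcards; the roles, users and permissions are constructed. It goes slightly beyond the card by including role inheritance and an entitlement report, which is the kind of periodic review that catches authorization creep (card 2).

```python
"""Role-based access control. Constructed example, not from the original
flashcards: permissions attach to roles, users hold roles, and a role may
inherit from junior roles. Authorization flows only through role membership,
so removing a user from a role revokes everything that role conferred.
"""


class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> set of (object, operation)
        self.role_parents = {}  # role -> set of junior roles it inherits from
        self.user_roles = {}    # user -> set of directly assigned roles

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def deassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """Direct roles plus everything reachable through inheritance."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.role_parents.get(r, ()))
        return seen

    def permissions(self, user):
        return set().union(*(self.role_perms.get(r, set()) for r in self.effective_roles(user)))

    def allowed(self, user, obj, op):
        return (obj, op) in self.permissions(user)

    def entitlement_report(self):
        """Who can do what: the input to a periodic access review."""
        return {u: sorted(self.permissions(u)) for u in self.user_roles}


def build_example():
    # constructed roles and users
    r = RBAC()
    r.add_role("employee", {("intranet", "read")})
    r.add_role("accountant", {("ledger", "read"), ("ledger", "write")}, inherits={"employee"})
    r.add_role("auditor", {("ledger", "read"), ("audit-log", "read")}, inherits={"employee"})
    r.assign("carol", "accountant")
    r.assign("dave", "auditor")
    return r


if __name__ == "__main__":
    rbac = build_example()
    print(rbac.entitlement_report())
    rbac.deassign("carol", "accountant")   # carol changes job: one operation revokes all of it
    print(rbac.entitlement_report())
```

Compare with DAC, where carol's rights would be scattered across the ACLs of every file she was ever granted and each would need to be found and removed individually.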

19
Q

The DAC model enables data owners to allow other users to access their resources.

A

The DAC model enables data owners to allow other users to access their resources.

20
Q

Access Control Techniques

A

Access Control Techniques

Access control techniques are used to support the access control models.

  • Access control matrix: table of subjects and objects that outlines their access relationships
  • Access control list: bound to an object; indicates which subjects can access it and what operations they can carry out
  • Capability table: bound to a subject; indicates which objects that subject can access and what operations it can carry out
  • Content-based access: bases access decisions on the sensitivity of the data, not solely on subject identity
  • Context-based access: bases access decisions on the state of the situation, not solely on identity or content sensitivity
  • Restricted interface: limits the user's environment within the system, thus limiting access to objects
  • Rule-based access: restricts subjects' access attempts by predefined rules
21
Q

Access Control Techniques are used to?

A

Access control techniques are used to support the access control models.

22
Q

Access control matrix

A

A table of subjects (rows) and objects (columns) whose cells hold the permitted operations; each column is that object's ACL and each row is that subject's capability table.
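The three structures from cards 20 and 22 as one data structure, an added example that is not from the original flashcards; the subjects, objects and rights are constructed. The ACL is a column of the matrix and the capability table a row, and revoke_object shows the practical difference: revoking all access to an object is one lookup in the ACL view but a scan over every subject in the capability view.

```python
"""Access control matrix, ACLs and capability tables as three views of one
relation. Constructed example (not from the original flashcards).
"""
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # rights[subject][object] -> set of operations (sparse matrix)
        self.rights = defaultdict(lambda: defaultdict(set))

    def grant(self, subject, obj, *ops):
        self.rights[subject][obj].update(ops)

    def revoke(self, subject, obj, *ops):
        self.rights[subject][obj].difference_update(ops)
        if not self.rights[subject][obj]:
            del self.rights[subject][obj]

    def acl(self, obj):
        """Column of the matrix: the ACL bound to one object."""
        return {s: set(o[obj]) for s, o in self.rights.items() if obj in o}

    def capabilities(self, subject):
        """Row of the matrix: the capability table bound to one subject."""
        return {o: set(r) for o, r in self.rights[subject].items()}

    def allowed(self, subject, obj, op):
        return op in self.rights[subject].get(obj, set())

    def revoke_object(self, obj):
        """Remove every right to obj. With an ACL this is one column; with
        capabilities held by subjects it is the scan over all rows shown here.
        Returns the subjects that lost access."""
        touched = []
        for subject in list(self.rights):
            if obj in self.rights[subject]:
                del self.rights[subject][obj]
                touched.append(subject)
        return touched


def build_example():
    # constructed subjects, objects and rights
    m = AccessMatrix()
    m.grant("alice", "payroll.xlsx", "read", "write")
    m.grant("bob", "payroll.xlsx", "read")
    m.grant("bob", "printer1", "print")
    m.grant("svc-backup", "payroll.xlsx", "read")
    m.grant("svc-backup", "printer1", "print")
    return m


if __name__ == "__main__":
    m = build_example()
    print("ACL for payroll.xlsx:", m.acl("payroll.xlsx"))
    print("capabilities of bob:", m.capabilities("bob"))
    print("revoked from:", m.revoke_object("payroll.xlsx"))
```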

23
Q

RADIUS

A

Remote Authentication Dial-In User Service (RADIUS) is a client/server network protocol (UDP, ports 1812 for authentication and 1813 for accounting) that provides authentication, authorization and accounting (AAA) for remote users. A network access server (VPN concentrator, switch, wireless controller) is the client; it forwards the user's credentials to the RADIUS server, and the two sides share a secret that hides the password and authenticates replies.
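RADIUS relies on a shared secret between client and server. As an added example (not from the original flashcards and not a RADIUS implementation), the block below implements the RFC 2865 User-Password hiding and the Response Authenticator computation; the secret, password and Request Authenticator bytes are constructed. The practitioner's caveat it shows: only the password attribute is hidden, with an MD5-derived keystream, and every other attribute travels in the clear.

```python
"""RADIUS (RFC 2865) shared-secret mechanics. Constructed example, not code
from the original flashcards; all secrets and authenticators are made up.
"""
import hashlib
import struct


def keystream_block(secret: bytes, prev: bytes) -> bytes:
    """b_i = MD5(secret + c_{i-1}); c_0 is the 16-byte Request Authenticator."""
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each block with the keystream chained on the previous
    ciphertext block."""
    if len(password) > 128 or len(request_auth) != 16:
        raise ValueError("password must be <= 128 bytes, authenticator exactly 16")
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream_block(secret, prev)))
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: recompute the same keystream. Trailing NUL padding is
    stripped, which is why RADIUS cannot carry a password ending in NUL."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, keystream_block(secret, prev)))
        prev = c
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret),
    where Length covers the 20-byte header plus the response attributes. The
    client checks this to know the reply came from a holder of the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def demo():
    secret = b"constructed-shared-secret"   # constructed
    request_auth = bytes(range(16))         # constructed; real clients send 16 random bytes
    hidden = hide_password(b"hunter2", secret, request_auth)
    return {
        "hidden_hex": hidden.hex(),
        "recovered": reveal_password(hidden, secret, request_auth),
        "recovered_wrong_secret": reveal_password(hidden, b"wrong-secret", request_auth),
        # Access-Accept (code 2) with no attributes for the request with ID 1
        "access_accept_authenticator": response_authenticator(2, 1, b"", request_auth, secret).hex(),
    }


if __name__ == "__main__":
    print(demo())
```

Because the keystream is MD5 of the secret and a value visible on the wire, an attacker who captures Access-Request packets can run an offline dictionary attack on the shared secret; this is why RADIUS traffic should be confined to a management network or tunnelled (RadSec over TLS).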

24
Q

Rule-based access

A

Restricts subjects’ access attempts by predefined rules

26
Q

TACACS

A

Terminal Access Controller Access Control System (TACACS)

TACACS combines its authentication and authorization processes; XTACACS separates authentication, authorization and auditing; TACACS+ is a separate Cisco protocol, not backward compatible with the earlier two, that keeps them separate and adds extended (including two-factor) user authentication. TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection. TACACS+ runs over TCP port 49 and encrypts the entire packet body, whereas RADIUS hides only the password attribute.

28
Q

Which document assigns individual roles and responsibilities?

A

Acceptable use policy

29
Q

The main purpose of a change control / change management system?

A

Document changes for audit and management review.

30
Q

Risk is commonly expressed as a function of the likelihood that harm will occur and its potential impact.

A

Risk is commonly expressed as a function of the likelihood that harm will occur and its potential impact.

31
Q

Communications security management and techniques prevent, detect and correct errors so that the integrity, availability and confidentiality of transactions over networks may be maintained.

A

Communications security management and techniques prevent, detect and correct errors so that the integrity, availability and confidentiality of transactions over networks may be maintained.

32
Q

Risk analysis is MOST useful when applied during

A

Project identification (the earliest phase, before design decisions are locked in)

33
Q

Fundamental components of a Regulatory Security Policy

A

WHAT is to be done.

WHEN it is to be done.

WHY it is to be done.

34
Q

BIBA Model

A

Integrity model (the rules run in the opposite direction to Bell-LaPadula's confidentiality rules):

No write UP (*-integrity axiom: a subject cannot write to an object of higher integrity)

No read DOWN (simple integrity axiom: a subject cannot read an object of lower integrity)
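Cards 13 (MAC) and 34 (Biba) both reduce to one label-dominance test with the read and write directions swapped. This added example is not from the original flashcards; the level names and compartments are constructed, and for Biba the same labels are read as integrity levels rather than clearances.

```python
"""Label-based mandatory access control. Constructed example (not from the
original flashcards). Labels are (level, compartments) pairs ordered as a
lattice: A dominates B when A's level is at least B's and A's compartment set
is a superset of B's. Bell-LaPadula protects confidentiality (no read up, no
write down); Biba protects integrity (no read down, no write up).
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        return self.level >= other.level and self.compartments >= other.compartments


def blp_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: read needs subject >= object (simple security property);
    write needs object >= subject (*-property, so no write down)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(op)


def biba_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Biba: read needs object >= subject (simple integrity, no read down);
    write needs subject >= object (*-integrity, no write up)."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(op)


# constructed labels: one subject and three objects
ANALYST = Label("secret", {"crypto"})
REPORT_TS = Label("top secret", {"crypto"})
MEMO_C = Label("confidential")
MEMO_S_NUCLEAR = Label("secret", {"nuclear"})

if __name__ == "__main__":
    for name, obj in [("REPORT_TS", REPORT_TS), ("MEMO_C", MEMO_C), ("MEMO_S_NUCLEAR", MEMO_S_NUCLEAR)]:
        for op in ("read", "write"):
            print(f"{op:5} {name:15} BLP={blp_allowed(ANALYST, obj, op)!s:5} Biba={biba_allowed(ANALYST, obj, op)}")
```

The compartment check is what stops the secret/crypto analyst reading a secret/nuclear memo even though the levels are equal; a level-only comparison would miss it. Note that no data owner appears anywhere in the decision, which is the defining property of MAC.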

35
Q

The MOST critical characteristic of a biometric system? (mnemonic EA2T for the four characteristics)

A

Enrollment time

Accuracy – the most critical; measured by the crossover error rate (CER), the point where the false acceptance rate and false rejection rate are equal

Acceptability

Throughput rate

36
Q

FIPS 140

Is a standard for the security of?

A

Federal Information Processing Standard (FIPS) 140: security requirements for hardware and software cryptographic modules (security levels 1 to 4).

37
Q

DSV

A

Dynamic Signature Verification

38
Q

Elements of BCP

A

Obtaining senior managements approval of the results

Creating an awareness of the plan

Updating the plan regularly and as needed

39
Q

Components of a Common Criteria Protection Profile

A

Threats against the product that must be addressed

Security objectives

Target of Evaluation (TOE) description

40
Q

International Standard for the Common Criteria

ISO/IEC 15408

A

International Standard for the Common Criteria

ISO/IEC 15408
