Access Control System

Question 1

a collection of mechanisms that work together to create security architecture to protect the assets of an information system

Answer 1

Access controls

Question 2

One of the goals of access control is ______________ ___________, which is the mechanism that proves someone performed a computer activity at a specific point in time

Answer 2

personal accountability

Question 3

Access control is the heart of an information technology (IT) security system and is needed to meet the major objectives of InfoSec:

Answer 3

Confidentiality and Integrity

Question 4

uniquely identify the users of an information system

Answer 4

Identification credentials

Question 5

Site examples of information credentials:

Answer 5

Examples: name, initials, email address, or a meaningless string of characters, Social Security number, IDs, and others

Question 6

permit the system to verify one’s identification credential

Answer 6

Authentication credentials

Question 7

Site an example of authentication credential:

Answer 7

Password

Question 8

• The predominant strategy to ensure confidentiality
• The objective is to give people the least amount of access to a system that is needed to perform the job they’re doing

Answer 8

Least Privilege (Need-to-Know)

Question 9

Maintains overall responsibility for the information within an information system

Answer 9

Information Owner

Question 10

The ________________ must be the one to make the decisions about who uses the system and how to recover the system in the event of a disaster

Answer 10

information owner

Question 11

dictates that the information owner is the one who decides who gets to access the system(s)

Answer 11

Principle of Discretionary Access Control (DAC)

Question 12

A list or a file of users who are given the privilege of access to a system or resource (a database, for example)

Answer 12

Access Control Lists

Question 13

• Granting access to new employees
• Include checking management approvals for grating access

Answer 13

User Provisioning

Question 14

• The system decides who gains access to information based on the concepts of subjects, objects, and labels
• Often used in military and government systems

Answer 14

Mandatory Access Control

Question 15

Mandatory Access Control is also called…

Answer 15

Nondiscretionary Access Control

Question 16

The people or other systems that are granted a clearance to access an object within the information system

Answer 16

Subjects

Question 17

The elements within the information system that are being protected from use or access

Answer 17

Objects

Question 18

The mechanism that binds objects to subjects. A subject’s clearance permits access to an object based on the labeled security protection assigned to that object

Answer 18

Labels

Question 19

Involves assigning users to a group and then assigning rights to the group for access control purposes

Answer 19

Role-Based Access Control

Question 20

are most appropriate where there is high turnover of employees and/or frequent movements between job roles

Answer 20

Role-Based Access Control

Question 21

The idea of authentication is that only the legitimate user possesses the secret information needed to prove to a system that she has the right to use a specific user ID

Answer 21

Principles of Authentication

Question 22

These secrets are commonly passwords, but history has shown that passwords are problematic:

Answer 22

Passwords can be insecure
Passwords are easily broken
Passwords are inconvenient
Passwords are repudiable

Question 23

Passwords are an example of a…

Answer 23

single factor authentication

Question 24

• Using more than one authentication mechanism

Answer 24

Multifactor Authentication

Question 25

• This is accomplished by adding more controls and/or devices to the password authentication process

Answer 25

Multifactor Authentication

Question 26

• With two or three factors to authenticate, an information owner can have confidence that users who access their systems are indeed authorized

Answer 26

Multifactor Authentication

Question 27

a user has a physical device (a card, a token, a smart card, and so forth) that contains his credentials, protected by a personal identification number (PIN) or a password that the user keeps secret

Answer 27

Two-Factor Authentication

Question 28

unique information related to the user is added to the two-factor authentication process. This unique information may be a biometric (fingerprint, retinal scan, and so forth) needed for authentication

Answer 28

Three-Factor Authentication

Question 29

works by measuring unique human characteristics as a way to confirm the identity

Answer 29

Biometric-based identification

Question 30

Some common biometric techniques include:

Answer 30

Fingerprint recognition
Signature dynamics
Iris scanning
Retina scanning
Voice prints
Face recognition

Question 31

The most common biometric in use is ___________.

Answer 31

Fingerprint recognition

Question 32

Advantages of Fingerprint recognition:

Answer 32

• Highly accurate
• Unique and can never be the same for two persons
• Most economical technique
• Easy to use
• Use of small storage space

Question 33

users have one password for all corporate and back-office systems and applications they need to perform their jobs

Answer 33

Single Sign-On

Question 34

Single Sign-On mechanisms include:

Answer 34

Password Safe
Kerberos
Proprietary and custom developed solutions

Question 34

• designed to provide authentication for client/server applications by using symmetric-key cryptography
• A free implementation available from MIT
• Works by assigning a unique key, called a ticket, to each user
• User logs in once and then can access all resources based on the permission level associated with the ticket

Answer 34

Kerberos

Question 35

a client/server protocol and software that enables remote access users to communicate with a central server to authorize their access to the requested system or service

Answer 35

Remote Access Dial-In User Service (RADIUS)

Question 36

• a user connects to the Internet via her ISP and initiates a connection to the protected network, creating a private tunnel between the end points that prevents eavesdropping or data modification
• Uses cryptography to both authenticate sender and receiver and to encrypt the traffic

Answer 36

Virtual Private Networks