Access Control System Flashcards
a collection of mechanisms that work together to create security architecture to protect the assets of an information system
Access controls
One of the goals of access control is ______________ ___________, which is the mechanism that proves someone performed a computer activity at a specific point in time
personal accountability
Access control is the heart of an information technology (IT) security system and is needed to meet the major objectives of InfoSec:
Confidentiality and Integrity
uniquely identify the users of an information system
Identification credentials
Cite examples of information credentials:
Examples: name, initials, email address, or a meaningless string of characters, Social Security number, IDs, and others
permit the system to verify one’s identification credential
Authentication credentials
Cite an example of an authentication credential:
Password
- The predominant strategy to ensure confidentiality
- The objective is to give people the least amount of access to a system that is needed to perform the job they’re doing
Least Privilege (Need-to-Know)
Maintains overall responsibility for the information within an information system
Information Owner
The ________________ must be the one to make the decisions about who uses the system and how to recover the system in the event of a disaster
information owner
dictates that the information owner is the one who decides who gets to access the system(s)
Principle of Discretionary Access Control (DAC)
A list or a file of users who are given the privilege of access to a system or resource (a database, for example)
Access Control Lists
- Granting access to new employees
- Includes checking management approvals for granting access
User Provisioning
- The system decides who gains access to information based on the concepts of subjects, objects, and labels
- Often used in military and government systems
Mandatory Access Control
Mandatory Access Control is also called…
Nondiscretionary Access Control
The people or other systems that are granted a clearance to access an object within the information system
Subjects
The elements within the information system that are being protected from use or access
Objects
The mechanism that binds objects to subjects. A subject’s clearance permits access to an object based on the labeled security protection assigned to that object
Labels
Involves assigning users to a group and then assigning rights to the group for access control purposes
Role-Based Access Control
are most appropriate where there is high turnover of employees and/or frequent movements between job roles
Role-Based Access Control
The idea of authentication is that only the legitimate user possesses the secret information needed to prove to a system that she has the right to use a specific user ID
Principles of Authentication
These secrets are commonly passwords, but history has shown that passwords are problematic:
Passwords can be insecure
Passwords are easily broken
Passwords are inconvenient
Passwords are repudiable
Passwords are an example of a…
single factor authentication
- Using more than one authentication mechanism
Multifactor Authentication
- This is accomplished by adding more controls and/or devices to the password authentication process
Multifactor Authentication
- With two or three factors to authenticate, an information owner can have confidence that users who access their systems are indeed authorized
Multifactor Authentication
a user has a physical device (a card, a token, a smart card, and so forth) that contains his credentials, protected by a personal identification number (PIN) or a password that the user keeps secret
Two-Factor Authentication
unique information related to the user is added to the two-factor authentication process. This unique information may be a biometric (fingerprint, retinal scan, and so forth) needed for authentication
Three-Factor Authentication
works by measuring unique human characteristics as a way to confirm the identity
Biometric-based identification
Some common biometric techniques include:
Fingerprint recognition
Signature dynamics
Iris scanning
Retina scanning
Voice prints
Face recognition
The most common biometric in use is ___________.
Fingerprint recognition
Advantages of Fingerprint recognition:
- Highly accurate
- Unique and can never be the same for two persons
- Most economical technique
- Easy to use
- Use of small storage space
users have one password for all corporate and back-office systems and applications they need to perform their jobs
Single Sign-On
Single Sign-On mechanisms include:
Password Safe
Kerberos
Proprietary and custom developed solutions
- designed to provide authentication for client/server applications by using symmetric-key cryptography
- A free implementation available from MIT
- Works by assigning a unique key, called a ticket, to each user
- User logs in once and then can access all resources based on the permission level associated with the ticket
Kerberos
a client/server protocol and software that enables remote access users to communicate with a central server to authorize their access to the requested system or service
Remote Access Dial-In User Service (RADIUS)
- a user connects to the Internet via her ISP and initiates a connection to the protected network, creating a private tunnel between the end points that prevents eavesdropping or data modification
- Uses cryptography to both authenticate sender and receiver and to encrypt the traffic
Virtual Private Networks