Access Control System Flashcards

1
Q

a collection of mechanisms that work together to create security architecture to protect the assets of an information system

A

Access controls

2
Q

One of the goals of access control is ______________ ___________, which is the mechanism that proves someone performed a computer activity at a specific point in time

A

personal accountability

3
Q

Access control is the heart of an information technology (IT) security system and is needed to meet the major objectives of InfoSec:

A

Confidentiality and Integrity

4
Q

uniquely identify the users of an information system

A

Identification credentials

5
Q

Cite examples of identification credentials:

A

Examples: name, initials, email address, or a meaningless string of characters, Social Security number, IDs, and others

6
Q

permit the system to verify one’s identification credential

A

Authentication credentials

7
Q

Cite an example of an authentication credential:

A

Password

8
Q
  • The predominant strategy to ensure confidentiality
  • The objective is to give people the least amount of access to a system that is needed to perform the job they’re doing
A

Least Privilege (Need-to-Know)

9
Q

Maintains overall responsibility for the information within an information system

A

Information Owner

10
Q

The ________________ must be the one to make the decisions about who uses the system and how to recover the system in the event of a disaster

A

information owner

11
Q

dictates that the information owner is the one who decides who gets to access the system(s)

A

Principle of Discretionary Access Control (DAC)

12
Q

A list or a file of users who are given the privilege of access to a system or resource (a database, for example)

A

Access Control Lists

13
Q
  • Granting access to new employees
  • Includes checking management approvals for granting access
A

User Provisioning

14
Q
  • The system decides who gains access to information based on the concepts of subjects, objects, and labels
  • Often used in military and government systems
A

Mandatory Access Control

15
Q

Mandatory Access Control is also called…

A

Nondiscretionary Access Control

16
Q

The people or other systems that are granted a clearance to access an object within the information system

17
Q

The elements within the information system that are being protected from use or access

18
Q

The mechanism that binds objects to subjects. A subject’s clearance permits access to an object based on the labeled security protection assigned to that object

19
Q

Involves assigning users to a group and then assigning rights to the group for access control purposes

A

Role-Based Access Control

20
Q

are most appropriate where there is high turnover of employees and/or frequent movements between job roles

A

Role-Based Access Control

21
Q

The idea of authentication is that only the legitimate user possesses the secret information needed to prove to a system that she has the right to use a specific user ID

A

Principles of Authentication

22
Q

These secrets are commonly passwords, but history has shown that passwords are problematic:

A

Passwords can be insecure
Passwords are easily broken
Passwords are inconvenient
Passwords are repudiable

23
Q

Passwords are an example of a…

A

single factor authentication

24
Q
  • Using more than one authentication mechanism
A

Multifactor Authentication

25
Q

This is accomplished by adding more controls and/or devices to the password authentication process

A

Multifactor Authentication

26
Q

With two or three factors to authenticate, an information owner can have confidence that users who access their systems are indeed authorized

A

Multifactor Authentication

27
Q

A user has a physical device (a card, a token, a smart card, and so forth) that contains his credentials, protected by a personal identification number (PIN) or a password that the user keeps secret

A

Two-Factor Authentication

28
Q

Unique information related to the user is added to the two-factor authentication process. This unique information may be a biometric (fingerprint, retinal scan, and so forth) needed for authentication

A

Three-Factor Authentication

29
Q

Works by measuring unique human characteristics as a way to confirm identity

A

Biometric-based identification

30
Q

Some common biometric techniques include:

A

  • Fingerprint recognition
  • Signature dynamics
  • Iris scanning
  • Retina scanning
  • Voice prints
  • Face recognition

31
Q

The most common biometric in use is ___________.

A

Fingerprint recognition

32
Q

Advantages of fingerprint recognition:

A

  • Highly accurate
  • Unique and can never be the same for two persons
  • Most economical technique
  • Easy to use
  • Uses a small amount of storage space

33
Q

Users have one password for all corporate and back-office systems and applications they need to perform their jobs

A

Single Sign-On

34
Q

Single Sign-On mechanisms include:

A

  • Password Safe
  • Kerberos
  • Proprietary and custom-developed solutions

34
Q

  • Designed to provide authentication for client/server applications by using symmetric-key cryptography
  • A free implementation is available from MIT
  • Works by assigning a unique key, called a ticket, to each user
  • The user logs in once and can then access all resources based on the permission level associated with the ticket

A

Kerberos

35
Q

A client/server protocol and software that enables remote access users to communicate with a central server to authorize their access to the requested system or service

A

Remote Access Dial-In User Service (RADIUS)

36
Q

  • A user connects to the Internet via her ISP and initiates a connection to the protected network, creating a private tunnel between the end points that prevents eavesdropping or data modification
  • Uses cryptography both to authenticate sender and receiver and to encrypt the traffic

A

Virtual Private Networks