CH20 Access Control Flashcards
Which of the following access control methods utilizes a set of organizational roles to which users are assigned in order to gain permissions and access rights?
a. MAC
b. RBAC
c. DAC
d. ABAC
b. RBAC
Role-based access control (RBAC) is a modification of DAC that provides a set of organizational roles that users may be assigned in order to gain access rights. The system is non-discretionary since the individual users cannot modify the ACL of a resource. Users gain their access rights implicitly based on the groups to which they are assigned as members.
Julie was just hired to conduct a security assessment of Dion Training’s security policies. During her assessment, she noticed that there were many group accounts being shared by users to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?
a. More routine auditing
b. Increase password security
c. Increase individual accountability
d. More efficient baseline management
c. Increase individual accountability
To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on their individual user accounts. This enables the organization to hold users accountable for their actions, too.
Marta’s organization is concerned that a user’s account could remain vulnerable for an extended period of time if its password were compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?
a. Minimum password length
b. Password history
c. Password expiration
d. Password complexity
c. Password expiration
A password expiration control in the policy would force users to change their password at specific intervals of time. This will then lock out a user who types in the incorrect password or create an alert that the user’s account has been potentially compromised.
While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario, as it states the issue is based on time.
Which of the following types of access control provides the strongest level of protection?
a. MAC
b. ABAC
c. RBAC
d. DAC
a. MAC
OBJ-3.8: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.
Julie was just hired to conduct a security assessment of Dion Training’s security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?
a. More efficient baseline management
b. Increase individual accountability
c. Increase password security
d. More routine auditing
b. Increase individual accountability
OBJ-5.3: To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on individual user accounts. This enables the organization to hold users accountable for their actions, too.
Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?
a. Dual control
b. Background checks
c. Separation of duties
d. Mandatory vacation
c. Separation of duties
OBJ-5.3: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization’s ordering processes for their own gain. Separation of duties is the concept of requiring more than one person to complete a particular task in order to prevent fraud and error. Dual control, by contrast, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow a missile launch to occur. Mandatory vacation policies require employees to take time away from their job, which helps detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be; it provides an opportunity to check a person’s criminal record, education, employment history, and other past activities to confirm their validity.