Chapter 1: Access Control

Question 0

In Access Control, what is an object?

Answer 0

An object is a passive entity that provides information to active subjects.

Question 1

In Access Control, what is a subject?

Answer 1

An active entity that accesses a passive object to receive information from or modify (with authorization) an object.

Question 2

What are the three labels used in discussing objects?

Answer 2

User, owner, and custodian.

Question 3

What is a user in the context of a subject?

Answer 3

Any subject that accesses objects on a system to perform some action or accomplish a work task.

Question 4

What is an owner in the context of a subject?

Answer 4

The person who has final organizational authority for classifying objects and protecting and storing data.

Question 5

What is a custodian in the context of a subject?

Answer 5

A custodian is a subject who has been assigned or delegated the day-to-day responsibility of properly storing and protecting objects.

Question 6

What is the CIA triad?

Answer 6

The three categories of IT loss: confidentiality, integrity, and availability.

Question 7

What is confidentiality?

Answer 7

Assurance that only authorized subjects can gain access to objects.

Question 8

What is integrity?

Answer 8

Assurance that only authorized subjects can modify objects, and that unauthorized modifications are detected.

Question 9

What is availability?

Answer 9

Authorized requests for objects must be granted in reasonable time.

Question 10

Define permissions.

Answer 10

Permissions refer to access granted for an object and determine what you can do with it.

Question 11

What is a security policy?

Answer 11

A document that defines the security requirements for an organization. It identifies security assets and the extent to which security solutions should protect them.

Question 12

Define rights.

Answer 12

Rights refer to the ability to take an action on an object, such as modify system time or restore backed up data.

Question 13

Define privileges.

Answer 13

The combination of rights and permissions.

Question 14

What are the three primary types of access controls?

Answer 14

Preventive, detective, and corrective.

Question 15

There are three primary types of access control and four others. What are the other four?

Answer 15

Deterrent, recovery, directive, and compensation.

Question 16

What is a preventive access control?

Answer 16

An access control deployed to stop or thwart unwanted or unauthorized activity from occurring.

Question 17

What is a detective access control?

Answer 17

An access control that is deployed to discover or detect unwanted or unauthorized activity.

Question 18

What is a corrective access control?

Answer 18

An access control that returns systems to normal after an unwanted or unauthorized activity has occurred.

Question 19

What is a deterrent access control?

Answer 19

An access control that is deployed to discourage violation if security policies. For example, policies, security training, fences, guards, and cameras.

Question 20

What is a recovery access control?

Answer 20

An access control that is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. An extension of corrective access controls, but with more advanced or complex abilities. Example: backups/restored, fault tolerant drive systems, clustering, antivirus.

Question 21

What is a directive access control?

Answer 21

An access control that is deployed to direct, confine, or control the actions of subjects to force it encourage compliance with security policies. Notifications, monitoring, supervision.

Question 22

What is a compensation access control?

Answer 22

An access control that is deployed to provide options to other existing controls to aid in enforcement and support of security policies.

Question 23

What are the implementation categories of access controls?

Answer 23

Administrative, logical/technical, and physical.

Question 24

What is an administrative access control?

Answer 24

Policies and procedures defined by an organization’s security policy and other regulations and requirements. Management controls. These focus on personnel and business practices.

Question 25

What is a logical/technical access control?

Answer 25

Hardware or software mechanisms used to manage access and provide protection for resources and systems.

Question 26

What are physical access controls?

Answer 26

Items you can physically touch that are deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.

Question 27

What is Defense-in-depth?

Answer 27

A strategy in which multiple layers or levels of access controls are deployed to provide layered security. Should use all of administrative, logical/technical, and physical controls.

Question 28

What are the types if security elements that support access control?

Answer 28

Identification, authentication, authorization, and accountability.

Question 29

Describe identification

Answer 29

When a subject professes an identity and accountability is initiated. User provides a username, for example.

Question 30

Describe authentication.

Answer 30

The process of verifying or testing that a claimed identity is valid. Requires the subject to provide additional information.

Question 31

What are the authentication factor types?

Answer 31

Type 1: Something you know
Type 2: Something you have
Type 3: Something you are or do

Question 32

Describe authorization.

Answer 32

Authorization indicates which subjects are trusted to perform certain actions.

Question 33

Describe accountability.

Answer 33

The process of tracking subject activities within logs.

Question 34

What is the most common authentication technique?

Answer 34

Passwords.

Question 35

Why are passwords poor security mechanisms?

Answer 35

1) users choose easy to remember passwords that are therefore easy to guess or crack
2) randomly generated passwords are hard to remember, so are often written down.
3) passwords are easy to share, write down, and forget
4) passwords can be stolen in many ways
5) passwords are sometimes sent clear text or over weak channels
6) password databases are sometimes stored in publicly accessible locations
7) weak passwords can be brute forced

Question 36

What is a cognitive password?

Answer 36

A series of questions about facts or predefined responses that only the subject should know.

Question 37

What is a smart card?

Answer 37

A usually credit-card sized ID or badge with an integrated circuit chip embedded. Contains information about the authorized bearer and one or more PKI certificates. Tamper resistant. Inserted into a reader and often has a password or PIN.

Question 38

What is an access control token?

Answer 38

A password generating device users carry with them. Often used with an additional access code or PIN.

Question 39

What are the two most common types of access control tokens?

Answer 39

Synchronous and asynchronous.

Question 40

What is a synchronous dynamic password token?

Answer 40

A token that generates passwords at fixed intervals. Such as every 60 seconds. Requires clock synchronization. Also uses a PIN.

Question 41

What is asynchronous dynamic token?

Answer 41

Does not use a clock, instead it generates passwords based on some event, such as the user entering a PIN. Often challenge response where the server sends the PIN.

Question 42

What is a static token?

Answer 42

An access control token that doesn’t generate dynamic passwords. Swipe card or physical key, for example.

Question 43

Biometrics are what type of authentication factor?

Answer 43

Type 3: something you are

Question 44

List biometric authentication and identification techniques.

Answer 44

Fingerprints, face scans, retina scans, iris scans, palm scans, hand geometry, heart/pulse patterns, voice recognition patterns, signature dynamics, keystroke patterns.

Question 45

What is the most accurate form of biometric authentication?

Answer 45

Retina scan. Can differentiate between identical twins.

Question 46

What is the second most accurate form of biometric authentication?

Answer 46

Iris scan.

Question 47

What is the least acceptable form of biometric authentication? Why?

Answer 47

Retina scan. It can reveal medical information.

Question 48

What do palm scanners actually measure?

Answer 48

Vein patterns in the hand using near-infrared light.

Question 49

What is a type 1 error in biometric authentication?

Answer 49

When a valid subject is not authenticated.

Also called False Rejection Rate (FRR)

Question 50

What is a type 2 error in biometric authentication?

Answer 50

When an invalid subject us authenticated.

Also called False Acceptance Rate (FAR)

Question 51

What is the Crossover Error Rate, and what is it used for?

Answer 51

It’s the point where a biometric authenticator’s false accept and false reject rate are equal. It’s a quality measure of the authenticator’s.

Question 52

What is biometric enrollment or registration?

Answer 52

The process a user must go through to create an initial profile in the system.

Question 53

What is the maximum time generally accepted for biometric registration or enrollment.

Answer 53

Used to be 2 minutes. Now generally one.

Question 54

The time a biometric system requires to scan and identify a subject is called?

Answer 54

Throughput rate.

Question 55

What range of times do subjects typically accept for biometric throughput rate?

Answer 55

6 seconds or faster.

Question 56

What is the risk of using multifaceted authentication when both authenticator’s are of the sane type?

Answer 56

The same attack may be used to compromise both. For example, stealing two passwords may be no harder than stealing one.

Question 57

What are Discretionary Access Controls?

Answer 57

Allows the owner of the object to control and define subject access to the object. All objects have owners. AKA identity-based access control. Often uses ACLs.

Question 58

What are Nondiscretionary Access Controls?

Answer 58

Administrators control access, not object owners. Central control, easier to manage, less flexible.

Question 59

Is a Rule Based Access Control discretionary or Nondiscretionary?

Answer 59

Nondiscretionary

Question 60

Example of a Rule Based Access Control?

Answer 60

Firewall.

Question 61

A Lattice Bases Access Control is discretionary or Nondiscretionary?

Answer 61

Nondiscretionary

Question 62

How do Lattice Based Access Controls work?

Answer 62

They define upper and lower bounds of access for every relationship between a subject and object.

Question 63

Describe Mandatory Access Control.

Answer 63

Relies upon classification labels, each of which represents a security domain. For example, Secret, Top Secret, etc. subjects get clearances that define their access levels.

Question 64

In Mandatory Access Control, what is a security domain?

Answer 64

A set of subjects and objects that share a common security policy.

Question 66

What is a hierarchical environment?

Answer 66

One where classification levels are ordered from low to high, and access to objects at one level grants access to all objects at a lower level, but prohibits access to objects at a higher level.

Question 67

What is a compartmentalized environment?

Answer 67

There is no relationship between one security domain and another. Each domain is a separate compartment, and the subject must have a specific clearance for each.

Question 68

What is a hybrid environment?

Answer 68

One that contains both heirarchical and compartmentalized concepts, such that each heirarchical level can contain isolated subdivisions.

Question 69

What is Role Based Access Control (RBAC)

Answer 69

RBAC defines a subject’s ability to access an object based on the subject’s role, or assigned tasks. Often implemented using groups.

In strict RBAC, users have only permissions granted to a role, no privileges are granted to users directly.

Question 70

When is RBAC useful?

Answer 70

In an environment with frequent personnel changes, since permissions are tied to a role, not an identity.

Question 71

What is Centralized Access Control?

Answer 71

All authorization verification is performed by a single entity within a system.

Question 72

What is Decentralized Access Control?

Answer 72

Various entities located throughout a system perform authentication verification. Also called idstributed access control.

Question 73

What are AAA protocols?

Answer 73

Authentication, authorization, and accounting.

Question 74

What are AAA protocols for?

Answer 74

They’re often used with VPNs and other network access servers to prevent internal LAN authentication systems and other servers from being attacked remotely.

Question 75

What is excessive privilege?

Answer 75

The situation where users have more privileges than their assigned work tasks dictate.

Question 76

What is creeping privilege?

Answer 76

The situation where users accumulate privileges over time as job roles and tasks change, but those privileges are not removed when no longer needed.