Chapter 10: Access Control Systems and Methodology Flashcards
Accountability
The ability to tie a specific action at a specific time to a specific subject. It depends on identification, authentication and audit records, and it breaks down as soon as credentials are shared
Identification
A claimed identity: a user name, a handle, an SSN, a student ID number, etc. On its own it is an unverified claim
Authentication
Additional information supplied to verify a claimed identity. A password is simple authentication; a work badge or other ID issued only after showing supporting documents is another form
Least Privilege/ Need to Know
Least privilege: granting each subject only the permissions it needs to do its job. Need to know: confining information to the smallest number of people who require it, even among those otherwise cleared to see it
Information Owner
The person who decides who gets access to the information inside the system they own. They “own” the information, whereas a custodian manages the equipment the information runs or is stored on and enforces the owner's decisions
Discretionary Access Control (DAC)
Access decided at the discretion of the information owner (or management), typically by editing the ACL on the object. Most access control in well-known systems, such as Windows and Unix file permissions, relies on DAC
Access Control Lists (ACL)
Lists attached to an object naming users (or groups) and the permissions each holds on that object
Mandatory Access Control (MAC)
Access granted by the system rather than the owner, by comparing labels:
Subjects: People or other systems that request access to objects
Objects: Elements within the system that are being protected, usually data or information
Labels: Classifications and clearances applied to objects and subjects; the system allows an access only when the subject's label permits it for the object's label, and owners cannot override that rule
Role-Based Access Control
Access granted by assigning individuals a predefined role and the privileges that go with it. Privileges attach to the role, not the person, so a change of job is a change of roles rather than a pile of per-user edits.
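The three models above differ in who decides: the owner (DAC), the system via labels (MAC), or the role assignment (RBAC). The following is an added illustration written for these flashcards, not code from any real operating system; the users, the object, the clearance levels and the role table are all constructed.

```python
"""DAC, MAC and RBAC side by side. Added example; all names are constructed."""
from dataclasses import dataclass, field

# --- DAC: each object carries an ACL that only its owner may edit -----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # The decision is at the owner's discretion: nobody else can add entries
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())

# --- MAC: labels on subjects and objects; the system decides, owners cannot --
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allows(subject_label: str, object_label: str, perm: str) -> bool:
    """Bell-LaPadula style rule: read only at or below your clearance
    ("no read up"), write only at or above it ("no write down")."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False

# --- RBAC: permissions attach to roles; users are given roles ---------------
ROLE_PERMS = {
    "clerk":   {"payroll:read"},
    "manager": {"payroll:read", "payroll:approve"},
}

def rbac_allows(user_roles: set, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)

def demo() -> dict:
    """Run one check of each kind and return the decisions."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    try:
        doc.grant("bob", "carol", "read")     # bob holds read, but is not the owner
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    return {
        "dac_bob_read": doc.allows("bob", "read"),
        "dac_bob_write": doc.allows("bob", "write"),
        "dac_bob_could_grant": bob_could_grant,
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),
        "mac_secret_reads_top_secret": mac_allows("secret", "top_secret", "read"),
        "mac_secret_writes_confidential": mac_allows("secret", "confidential", "write"),
        "rbac_clerk_approve": rbac_allows({"clerk"}, "payroll:approve"),
        "rbac_manager_approve": rbac_allows({"manager"}, "payroll:approve"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The MAC rule shown is the Bell-LaPadula confidentiality policy; other label policies (integrity models, compartments) change the comparison but not the principle that the comparison is done by the system, not by the owner.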
Problems with passwords
Passwords can be weak (short, guessable, reused across sites)
Passwords are easily broken (guessed online, cracked offline from stolen hashes, phished)
Passwords are inconvenient (must be remembered, typed and periodically changed)
Passwords are repudiable (a user can claim someone else used their password, so a password alone gives weak accountability)
Two Factor Authentication
SYH/SYK (something you have, something you know)
Example: a physical debit card (or its number) and a PIN
A token that generates one-time verification codes, used together with a password, is also two-factor: the token is something you have, the password something you know. Two passwords are still one factor.
Three factor authentication
SYH/SYK/SYA (something you have, something you know, something you are)
An example would be a person who swipes a badge, enters a PIN, and scans a fingerprint
Biometrics
The “something you are” factor. Includes fingerprints, signature dynamics, iris scanning, retina scanning, voice prints, facial recognition
Single Sign On
Authenticating once and having multiple systems accept that one authentication, instead of keeping a separate username and password for each database or service. Each participating system trusts a central authentication authority rather than verifying the user itself
Kerberos
Single sign-on authentication for client/server applications, designed to work over an insecure network such as the Internet. The client authenticates once to a trusted Key Distribution Center (KDC), which issues it a ticket-granting ticket; with that ticket the client obtains a service ticket for each server it contacts. Each ticket is encrypted with the target server's key and accompanied by a fresh, timestamped authenticator, so the server can verify who sent the request without ever seeing the user's password. Relies on symmetric keys and on roughly synchronized clocks.
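The single sign-on and Kerberos cards above describe a three-party exchange: client, KDC (Authentication Service and Ticket Granting Service) and the target server. The block below simulates that exchange in one process as an added example for these notes; it is not the page's code and not a real Kerberos implementation. The cipher is a toy stand-in for Kerberos encryption types, and the principal names, passwords and long-term keys are constructed.

```python
"""Kerberos-style ticket exchange: AS, TGS and AP steps in one process.
Added example; toy cipher and constructed principals, not real Kerberos."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300   # seconds of clock skew tolerated; Kerberos needs synced clocks

def kdf(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag). It only
    models 'encrypted under key K' here; do not reuse it in real code."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket/authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, auth: dict) -> None:
    """Reject expired tickets and stale or mismatched authenticators."""
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(time.time() - auth["ts"]) > SKEW:
        raise ValueError("authenticator outside clock-skew window")

def authenticator(session_key_hex: str, cname: str) -> bytes:
    return encrypt(bytes.fromhex(session_key_hex), {"cname": cname, "ts": time.time()})

class KDC:
    def __init__(self):
        # Long-term keys: each principal shares exactly one key with the KDC
        self.keys = {"alice": kdf("alice-password"),
                     "krbtgt": kdf("constructed-tgs-key"),
                     "fileserver": kdf("constructed-fileserver-key")}

    def authentication_service(self, cname: str) -> tuple:
        """AS exchange: TGT under the TGS key, session key under the user's key.
        Only a client holding the user's key can recover the session key, and
        using it in the next step is how the client proves its identity."""
        sk, exp = os.urandom(16).hex(), time.time() + 8 * 3600
        tgt = encrypt(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": exp})
        return tgt, encrypt(self.keys[cname], {"sk": sk, "exp": exp})

    def ticket_granting_service(self, tgt: bytes, auth: bytes, sname: str) -> tuple:
        """TGS exchange: validate TGT + authenticator, issue a service ticket."""
        t = decrypt(self.keys["krbtgt"], tgt)
        check_authenticator(t, decrypt(bytes.fromhex(t["sk"]), auth))
        ssk = os.urandom(16).hex()
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "sk": ssk, "exp": t["exp"]})
        return ticket, encrypt(bytes.fromhex(t["sk"]), {"sk": ssk})

def service_accepts(service_key: bytes, ticket: bytes, auth: bytes) -> str:
    """AP exchange as seen by the server: it never contacts the KDC; a ticket
    it can decrypt with its own key vouches for the named client."""
    t = decrypt(service_key, ticket)
    check_authenticator(t, decrypt(bytes.fromhex(t["sk"]), auth))
    return t["cname"]

def client_session(kdc: KDC, user: str, password: str, service: str) -> str:
    """Whole SSO flow: the password is used once; tickets do the rest."""
    tgt, enc = kdc.authentication_service(user)
    sk = decrypt(kdf(password), enc)["sk"]          # wrong password -> ValueError
    ticket, enc2 = kdc.ticket_granting_service(tgt, authenticator(sk, user), service)
    ssk = decrypt(bytes.fromhex(sk), enc2)["sk"]
    # The service holds its own key (a keytab in real deployments); reused here
    return service_accepts(kdc.keys[service], ticket, authenticator(ssk, user))

if __name__ == "__main__":
    print("fileserver accepted:", client_session(KDC(), "alice", "alice-password", "fileserver"))
```

The point the flashcard makes, that the ticket lets the receiver verify the sender, shows up in `service_accepts`: the file server decrypts the ticket with a key only it and the KDC know, so a ticket that decrypts cleanly and names the same client as the fresh authenticator must have come from the KDC on behalf of that client.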