Chapter 2 - Access Controls Flashcards
What are the steps required prior to granting user access to resources?
Identification, Authentication, Authorization
What is a “Password History” policy?
Organizations prevent users from reusing any of their last ‘n’ passwords; ‘n’ is typically 12.
What is a “Maximum Password Age” policy?
Organizations force users to reset their passwords after a set number of days.
What is a “Minimum Password Age” policy?
Organizations limit how frequently users can change their passwords, to deter users from cycling through changes in order to reuse an old password.
If “Minimum Password Age” is set to 1 minute, a user can get back to the same password after 12 minutes, since they can change their password every minute and thereby cycle through the 12-password history.
What is a password Salt?
Random data concatenated with a password prior to hashing to introduce more randomness.
The salt is different for each password hashed, which makes rainbow table attacks against an entire database harder.
What is a Rainbow Table?
A precomputed table that maps plaintext inputs to their hashed outputs, e.g.:
password1 : hash1
password2 : hash2
What is the Crossover Error Rate in biometric authentication?
The point where the False Rejection Rate and the False Acceptance Rate intersect when plotted on a graph.
Organizations can tune the system to favour one side or the other depending on the use case.
What is Kerberos?
A protocol used for single sign-on in Windows/Linux domains.
What is SAML?
Security Assertion Markup Language is an XML-based data format used for SSO over the internet.
SAML allows users logged into a corporate network to access resources outside the organization that require authentication, such as a healthcare or dental provider.
What is OAuth?
Newer version of SAML that uses JSON and typically performs better on mobile.
What can be treated as subjects when implementing access controls?
Users
Devices
Applications
Networks
What is Discretionary Access Control (DAC)?
Resource objects are owned by a user, who can then assign access rights to each resource object they own.
What is non-Discretionary Access Control (non-DAC)?
Security Administrators have control over who has access to resource objects.
Users are granted access to resource objects through requests.
What is Role-Based Access Control (RBAC)?
RBAC uses roles and groups to grant access to users.
Users are added to roles/groups which in turn have access to resources set by security administrators.
What is Rule-Based Access Control?
Similar to router-based network access control.
Resources are accessed through approved means of access such as gateways, portals, VPNs, etc.