Chapter 2 - Access Controls Flashcards

1
Q

What are the steps required prior to granting user access to resources?

A

Identification (the subject claims an identity), Authentication (the claim is verified) and Authorization (the verified identity is checked against the resource's access rules), in that order.

2
Q

What is a “Password History” policy?

A

Organizations prevent users from reusing any of their last 'n' passwords; a common value for 'n' is 12.

3
Q

What is a “Maximum Password Age” policy?

A

Organizations force users to reset their password once it has been in use for a set number of days.

4
Q

What is a “Minimum Password Age” policy?

A

Organizations limit how soon a password may be changed again after a change, to stop users cycling through passwords just to get back to an old one.

Without a meaningful minimum age, a password history of 12 is trivially defeated: if "Minimum Password Age" is only 1 minute, a user can change their password once a minute through 12 throwaway values and be back on the original in little more than 12 minutes. A minimum age of a day or more makes the same cycle take weeks.

5
Q

What is a password Salt?

A

Random bits of data combined with a password before it is hashed. The salt is not secret (it is stored next to the hash); its job is to make the hash of a given password unique rather than to add strength to the password itself.

Because the salt differs for every password, two users with the same password get different hashes, and an attacker cannot reuse one precomputed (rainbow) table against an entire database: each hash has to be attacked separately.

6
Q

What is a Rainbow Table?

A

A precomputed table that maps plaintext candidates to their hash values (stored as hash chains to save space), so that an unsalted hash can be reversed by lookup instead of by recomputing every guess.

password1 : Hash 1
password2 : Hash 2
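The two cards above (salt, rainbow table) can be seen working together in the following added example; it is not part of the original flashcards. The password list, the user store and the "rainbow table" (a plain digest-to-plaintext dictionary standing in for the real chained structure) are all constructed for illustration. Unsalted SHA-256 falls to one lookup per user; per-user salts with PBKDF2 give identical passwords different digests, so the precomputed table is useless against them.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed "rainbow table" input: a short list of common passwords an attacker
# would precompute hashes for (a real table covers billions of candidates).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2023"]

# Constructed user store: alice and bob happen to have chosen the same password.
USERS = {
    "alice": "Summer2023",
    "bob": "Summer2023",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Stand-in for a rainbow table: digest -> plaintext, computed once, reused forever."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(store: dict, table: dict) -> dict:
    """One dictionary lookup per user; every user with a tabled password falls at once."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000):
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def demo():
    unsalted_store = {u: unsalted_hash(p) for u, p in USERS.items()}
    cracked = crack_unsalted(unsalted_store, build_lookup_table(COMMON_PASSWORDS))

    salted_store = {u: salted_hash(p) for u, p in USERS.items()}
    same_unsalted = unsalted_store["alice"] == unsalted_store["bob"]
    same_salted = salted_store["alice"][1] == salted_store["bob"][1]
    return cracked, same_unsalted, same_salted, salted_store


if __name__ == "__main__":
    cracked, same_unsalted, same_salted, store = demo()
    print("cracked via table:", cracked)                 # alice and bob
    print("identical unsalted digests:", same_unsalted)  # True
    print("identical salted digests:", same_salted)      # False
```

The salt is stored in the clear beside the digest and handed back to `verify_salted`; what stops the table attack is not secrecy of the salt but the fact that the attacker would need a separate table per salt value.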

7
Q

What is the Crossover Error Rate in biometric authentication?

A

The point at which the False Rejection Rate and the False Acceptance Rate are equal when both are plotted against the matching threshold. A lower CER means a more accurate biometric system.

Organizations tune the threshold to favour one side or the other depending on the use case: a high-security door tolerates more false rejections, a convenience login tolerates more false acceptances.

8
Q

What is Kerberos?

A

A ticket-based authentication protocol used for single sign-on in Windows (Active Directory) and Linux domains: a client authenticates once to the Key Distribution Center and then presents service tickets to individual services instead of re-sending its credentials.

9
Q

What is SAML?

A

Security Assertion Markup Language is an XML-based data format used for SSO over the internet: an identity provider issues signed assertions about an authenticated user, and a service provider that trusts the identity provider accepts them instead of its own login.

SAML allows users logged into a corporate network to reach resources outside the organization that require authentication, such as a healthcare or dental provider's portal, without a separate set of credentials.

10
Q

What is OAuth?

A

Not a version of SAML. OAuth (2.0) is a delegated-authorization framework: a user lets an application access their resources on another service by way of issued tokens, without handing over their password. It uses JSON over HTTP rather than XML, which is why it, and OpenID Connect, the identity layer built on top of it, is preferred for mobile and API use.

11
Q

What can be treated as subjects when implementing access controls?

A

Users
Devices
Applications
Networks

12
Q

What is Discretionary Access Control (DAC)?

A

Resource objects are owned by a user (typically their creator), who can assign access rights to each resource object they own, as with file permissions set by a file's owner.

13
Q

What is non-Discretionary Access Control (non-DAC)?

A

Access to resource objects is controlled centrally by security administrators rather than by the objects' owners.

Users are granted access to resource objects by submitting requests, which administrators approve according to policy. Mandatory, role-based and rule-based controls are all non-discretionary.

14
Q

What is Role-Based Access Control (RBAC)?

A

RBAC uses roles and groups to grant access to users instead of assigning rights to individuals.

Users are added to roles/groups, which in turn are granted access to resources by security administrators; removing a user from a role removes all of that access at once.

15
Q

What is Rule-Based Access Control?

A

Similar to router-based network access control: a fixed set of rules is applied to every request regardless of who the subject is, like the access control list on a router or firewall (e.g. deny all inbound traffic except TCP/443).

Resources are reached only through approved means of access such as gateways, portals or VPNs, and the rules at those chokepoints decide what passes.

16
Q

What is Attribute-Based Access Control?

A

Similar to role-based access control, but decisions are made from attributes (labels) attached to the subject, the object and the request context rather than from group membership alone.

Rules are written in human-readable form over four fields:

Subject: Entity trying to access the object

Object: Resource in question

Action: What the subject is trying to do with the object

Environment: Everything outside of the Subject/Object fields
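A small ABAC policy evaluator over exactly those four fields, added here as an illustration and not taken from the flashcards. The hospital policy (wards, shift hours, an auditor who may only read from the corporate network) and the sample requests are constructed; the names `Request`, `RULES`, `decide` and `run_samples` are this example's own. Each rule is the human-readable statement paired with the predicate that implements it, and anything no rule permits is denied.

```python
from dataclasses import dataclass
from datetime import time


@dataclass
class Request:
    subject: dict      # who is asking: id, role, ward, ...
    object: dict       # what they want: type, owner, ward, ...
    action: str        # read / write / delete ...
    environment: dict  # everything else: time of day, source network, ...


# Constructed policy. Each rule is (human-readable statement, predicate over the request).
# A permit rule that matches grants access; nothing matching means deny (default deny).
RULES = [
    ("Doctors may read records of patients on their own ward during shift hours (07:00-19:00)",
     lambda r: r.subject.get("role") == "doctor"
               and r.action == "read"
               and r.object.get("type") == "patient_record"
               and r.object.get("ward") == r.subject.get("ward")
               and time(7, 0) <= r.environment.get("time", time(0, 0)) <= time(19, 0)),
    ("A patient may read their own record from anywhere",
     lambda r: r.action == "read"
               and r.object.get("type") == "patient_record"
               and r.object.get("owner") == r.subject.get("id")),
    ("Auditors may read anything, but only from the corporate network",
     lambda r: r.subject.get("role") == "auditor"
               and r.action == "read"
               and r.environment.get("network") == "corporate"),
]


def decide(req: Request, rules=RULES):
    """Evaluate rules in order; the first matching permit wins, otherwise default deny."""
    for statement, predicate in rules:
        if predicate(req):
            return True, statement
    return False, "no matching rule (default deny)"


# Constructed sample requests, keyed by a short name so the outcomes can be checked.
RECORD = {"type": "patient_record", "owner": "p-1001", "ward": "A"}
SAMPLES = {
    "doctor_same_ward_daytime": Request({"id": "d-7", "role": "doctor", "ward": "A"}, RECORD, "read",
                                        {"time": time(10, 30), "network": "corporate"}),
    "doctor_same_ward_night": Request({"id": "d-7", "role": "doctor", "ward": "A"}, RECORD, "read",
                                      {"time": time(23, 0), "network": "corporate"}),
    "doctor_other_ward": Request({"id": "d-9", "role": "doctor", "ward": "B"}, RECORD, "read",
                                 {"time": time(10, 30), "network": "corporate"}),
    "doctor_write": Request({"id": "d-7", "role": "doctor", "ward": "A"}, RECORD, "write",
                            {"time": time(10, 30), "network": "corporate"}),
    "patient_own_record": Request({"id": "p-1001", "role": "patient"}, RECORD, "read",
                                  {"time": time(2, 0), "network": "internet"}),
    "auditor_from_vpn": Request({"id": "a-2", "role": "auditor"}, RECORD, "read",
                                {"time": time(10, 30), "network": "vpn"}),
}


def run_samples():
    """Map each sample request name to its permit/deny decision."""
    return {name: decide(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:28s} -> {decide(req)}")
```

Note how the same doctor is permitted at 10:30 and denied at 23:00 with no change to roles or group membership: the environment attribute alone flips the decision, which is what RBAC on its own cannot express.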

17
Q

What is Mandatory Access Control?

A

The strictest of the access control models listed above. The system enforces access by comparing the subject's clearance with the object's classification label; neither owners nor ordinary administrators can change the labels or hand out access at their discretion.

Subjects and objects are labelled with levels such as:

Top Secret
Secret
Confidential
Unclassified

18
Q

What are the differences between Access Control Matrix vs. Capability Tables?

A

An Access Control Matrix lists subjects against objects. Read per object (one column, i.e. an access control list) it is "object focused"; a Capability Table is the per-subject view (one row) and is "subject focused".

ACM/ACL = What can be done with this object, and by whom?

CT = What actions are within this subject's remit, and on which objects?
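The object-focused and subject-focused views are just the two ways of slicing one matrix. The following added example (not from the flashcards; the matrix, file names and subject names are constructed) derives both views from the same data and shows the practical consequence: offboarding a subject is one operation in the subject-focused view, retiring an object is one operation in the object-focused view, and each is a scan in the other.

```python
# Constructed access control matrix: one row per subject, one column per object,
# each cell the set of actions that subject may perform on that object.
MATRIX = {
    "alice":  {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob":    {"handbook.pdf": {"read"}, "build.log": {"read", "write", "delete"}},
    "ci-bot": {"build.log": {"write"}},
}


def access_control_list(matrix: dict, obj: str) -> dict:
    """Object-focused view (one column of the matrix, i.e. an ACL):
    who may do what to this one object."""
    return {subj: sorted(perms[obj]) for subj, perms in matrix.items() if obj in perms}


def capability_table(matrix: dict, subj: str) -> dict:
    """Subject-focused view (one row of the matrix): everything this subject may
    do, and to which objects."""
    return {obj: sorted(actions) for obj, actions in matrix.get(subj, {}).items()}


def is_allowed(matrix: dict, subj: str, action: str, obj: str) -> bool:
    """Both views answer the same yes/no question; they differ only in how they are indexed."""
    return action in matrix.get(subj, {}).get(obj, set())


def offboard_subject(matrix: dict, subj: str) -> dict:
    """Cheap in the capability view: drop one row and every right the subject held is gone."""
    return {s: perms for s, perms in matrix.items() if s != subj}


def retire_object(matrix: dict, obj: str) -> dict:
    """Cheap in the ACL view, but in a capability store it means walking every subject's list."""
    return {s: {o: a for o, a in perms.items() if o != obj} for s, perms in matrix.items()}


if __name__ == "__main__":
    print("ACL for build.log:", access_control_list(MATRIX, "build.log"))
    print("capabilities of alice:", capability_table(MATRIX, "alice"))
    print("ci-bot may read build.log?", is_allowed(MATRIX, "ci-bot", "read", "build.log"))
```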

19
Q

What is the difference between Access Rights vs. Access Permissions?

A

Access Rights state what a Subject can do to an Object.

Access Permissions state what Objects a Subject has access to.

20
Q

What does IAM stand for?

A

Identity and Access Management

21
Q

What is False Rejection Rate (FRR)?

A

The rate at which legitimate, enrolled users are incorrectly rejected by the biometric system (a Type I error).

22
Q

What is False Acceptance Rate (FAR)?

A

The rate at which unauthorized users (impostors) are incorrectly accepted as a legitimate user (a Type II error).
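Cards 7, 21 and 22 describe FRR, FAR and the crossover between them; the following added example (not part of the flashcards) computes all three from matcher scores. The genuine and impostor score lists are constructed to stand in for a biometric matcher's output, and the function names are this example's own. Sweeping the decision threshold shows the trade-off the crossover card describes: as the threshold rises FAR falls and FRR climbs, and the CER is where they meet.

```python
# Constructed matcher output: similarity scores (0-100) from a toy biometric matcher.
# Genuine = enrolled users against their own template; impostor = other people
# against that template. A real evaluation has thousands of each.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]
IMPOSTOR_SCORES = [35, 41, 48, 52, 57, 60, 63, 67, 72, 78]


def frr(threshold: int, genuine=GENUINE_SCORES) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: int, impostor=IMPOSTOR_SCORES) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(thresholds=range(0, 101), genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest, and the error rate there (the CER).
    Raising the threshold lowers FAR and raises FRR; this finds where the curves cross."""
    best = min(thresholds, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best, (far(best, impostor) + frr(best, genuine)) / 2


def threshold_for_max_far(max_far: float, thresholds=range(0, 101), impostor=IMPOSTOR_SCORES) -> int:
    """Lowest threshold that keeps FAR at or below a target: the 'favour security' tuning."""
    return min(t for t in thresholds if far(t, impostor) <= max_far)


def threshold_for_max_frr(max_frr: float, thresholds=range(0, 101), genuine=GENUINE_SCORES) -> int:
    """Highest threshold that keeps FRR at or below a target: the 'favour convenience' tuning."""
    return max(t for t in thresholds if frr(t, genuine) <= max_frr)


if __name__ == "__main__":
    t, cer = crossover()
    print(f"crossover at threshold {t}: CER = {cer:.2f}")
    strict = threshold_for_max_far(0.0)
    print(f"zero false acceptances needs threshold {strict}, costing FRR = {frr(strict):.2f}")
    lenient = threshold_for_max_frr(0.0)
    print(f"zero false rejections allows threshold {lenient}, costing FAR = {far(lenient):.2f}")
```

On this constructed data the curves cross at threshold 68 with a CER of 0.2; driving FAR to zero (the door to a server room) pushes the threshold to 79 and rejects half of genuine attempts, while driving FRR to zero (a phone unlock) drops it to 61 and lets 40 % of impostors through.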

23
Q

What is the Bell-LaPadula model?

A

Ensures confidentiality using two primary rules:

No Read Up (simple security property): a subject cannot read an object whose security label is higher than the subject's clearance.

No Write Down (*-property): a subject cannot write to an object whose label is lower than the subject's clearance, which would let classified data leak into less protected objects. Writing upwards remains allowed.

24
Q

What is the Biba Model?

A

The Biba model enforces integrity using two primary rules, the mirror image of Bell-LaPadula:

No Write Up (*-integrity property): a subject at a lower integrity level cannot write to an object at a higher integrity level, so untrusted input cannot corrupt trusted data.

No Read Down (simple integrity property): a subject cannot read an object at a lower integrity level, so that a trusted process does not act on untrusted data.
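Both lattices in code, as an added example that is not from the flashcards. The classification ladder is the one on the Mandatory Access Control card; the integrity ladder (Untrusted, User, System) and the analyst scenario are constructed, and the function names are this example's own. The point the code makes that the two cards only state is that BLP and Biba forbid opposite directions of flow, so a system enforcing both denies a read the confidentiality model would happily allow.

```python
# Ordered confidentiality labels (Bell-LaPadula) and integrity labels (Biba).
# Both models compare a subject's level with an object's level; they differ
# only in which direction of information flow they forbid.
CLASSIFICATION = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Untrusted": 0, "User": 1, "System": 2}   # constructed integrity ladder


def blp_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula, confidentiality: no read up, no write down."""
    s, o = CLASSIFICATION[subject_clearance], CLASSIFICATION[object_label]
    if action == "read":
        return s >= o      # simple security property: read only at or below clearance
    if action == "write":
        return s <= o      # *-property: write only at or above clearance
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject_integrity: str, object_integrity: str, action: str) -> bool:
    """Biba, integrity: no read down, no write up (the mirror image of BLP)."""
    s, o = INTEGRITY[subject_integrity], INTEGRITY[object_integrity]
    if action == "read":
        return s <= o      # simple integrity property: read only at or above own level
    if action == "write":
        return s >= o      # *-integrity property: write only at or below own level
    raise ValueError(f"unknown action {action!r}")


def both_allow(subject: dict, obj: dict, action: str) -> bool:
    """A system enforcing both models grants an access only if neither model objects.
    subject and obj are dicts carrying a 'clearance' and an 'integrity' label."""
    return (blp_allows(subject["clearance"], obj["clearance"], action)
            and biba_allows(subject["integrity"], obj["integrity"], action))


# Constructed scenario: a Secret-cleared analyst process running at "User" integrity.
ANALYST = {"clearance": "Secret", "integrity": "User"}
DOWNLOADED_REPORT = {"clearance": "Confidential", "integrity": "Untrusted"}  # came from the internet
SYSTEM_CONFIG = {"clearance": "Unclassified", "integrity": "System"}


if __name__ == "__main__":
    print("analyst reads downloaded report:", both_allow(ANALYST, DOWNLOADED_REPORT, "read"))  # False
    print("analyst reads system config:", both_allow(ANALYST, SYSTEM_CONFIG, "read"))          # True
    print("analyst writes system config:", both_allow(ANALYST, SYSTEM_CONFIG, "write"))        # False
```

The downloaded report is readable under BLP (Secret clearance dominates Confidential) but not under Biba (a User-integrity process may not read Untrusted data), while the system configuration is readable under both and writable under neither, since BLP forbids the write down and Biba forbids the write up.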

25
Q

What is the Clark-Wilson model?

A

The Clark-Wilson model enforces integrity through well-formed transactions: constrained data items may only be changed by certified transformation procedures, never edited directly.

It does so through Certification (C1-C5) and Enforcement (E1-E4) rules.

The Certification rules focus on integrity monitoring: verifying that data is in a valid state and that the procedures acting on it preserve that state.

The Enforcement rules focus on integrity preserving: the system lets only certified procedures touch the data, and only when run by users authorized for that procedure.

The model enforces separation of duties throughout an organization, e.g. the person who certifies a procedure may not be the one who executes it.

26
Q

What is the Brewer-Nash model?

A

Also known as the Chinese Wall model. It helps to prevent conflicts of interest and enforces separation of duties for people who handle data from competing clients (consultancies, banks, law firms).

Datasets are grouped into conflict-of-interest classes; once a subject has accessed one company's data in a class, access to any competing company's data in the same class is denied. Access rights therefore change dynamically with the subject's own access history.
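A working Brewer-Nash check, added as an illustration and not taken from the flashcards. The conflict-of-interest classes, company names and the consultant's sequence of requests are constructed, and the `ChineseWall` class is this example's own. It shows the property that distinguishes this model from the others on the page: the same request by the same subject is permitted or denied depending on what that subject has already read.

```python
# Constructed conflict-of-interest classes: companies in the same class compete,
# so one consultant must not see data from more than one of them.
CONFLICT_CLASSES = {
    "retail banks": {"BankA", "BankB"},
    "oil companies": {"OilCo", "PetroInc"},
}


class ChineseWall:
    """Brewer-Nash: access rights depend on what the subject has already accessed."""

    def __init__(self, classes: dict):
        self.class_of = {company: cls for cls, members in classes.items() for company in members}
        self.history = {}   # subject -> set of companies whose datasets it has read

    def can_read(self, subject: str, company: str) -> bool:
        seen = self.history.get(subject, set())
        # Permitted if the subject already works with this company, or has touched
        # no competitor in the same conflict class.
        return company in seen or all(self.class_of[c] != self.class_of[company] for c in seen)

    def read(self, subject: str, company: str) -> bool:
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)   # the wall goes up here
        return True

    def can_write(self, subject: str, company: str) -> bool:
        # Write rule (the model's sanitized-data exception is omitted): a subject may
        # write to a company's dataset only if it can read it and has read no other
        # company's data, so BankA's data cannot be laundered into OilCo's files.
        seen = self.history.get(subject, set())
        return self.can_read(subject, company) and seen <= {company}


def demo():
    wall = ChineseWall(CONFLICT_CLASSES)
    steps = [
        ("consultant", "BankA"),    # first access: free choice
        ("consultant", "BankA"),    # same company again: fine
        ("consultant", "BankB"),    # competitor of BankA: denied
        ("consultant", "OilCo"),    # different conflict class: fine
        ("consultant2", "BankB"),   # a different subject has its own history
    ]
    results = [wall.read(s, c) for s, c in steps]
    return results, wall.can_write("consultant", "OilCo"), wall.can_write("consultant2", "BankB")


if __name__ == "__main__":
    reads, write_oil, write_bankb = demo()
    print("read outcomes:", reads)                        # [True, True, False, True, True]
    print("consultant may write OilCo:", write_oil)       # False: has also read BankA
    print("consultant2 may write BankB:", write_bankb)    # True: has read nothing else
```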