Chapter 2 - Access Controls

Question 1

What are the steps required prior to granting user access to resources?

Answer 1

Identification, Authentication, Authorization

Question 2

What is a “Password History” policy?

Answer 2

Organizations prevent users from using the last ‘n’ passwords used, ‘n’ is typically 12

Question 3

What is a “Maximum Password Age” policy?

Answer 3

Organizations will force users to reset their passwords after a set amount of days.

Question 4

What is a “Minimum Password Age” policy?

Answer 4

Organizations limit the amount of password changes to deter users from reusing their passwords.

If “Minimum Password Age” is set to 1 minute, a user can then have the same password after 12 minutes as they can change their password every minute.

Question 5

What is a password Salt?

Answer 5

Random bits of data concatenated with passwords prior to hashing to introduce more randomness.

A salt will be different to each password hashed so to make rainbow table attacks harder for entire databases.

Question 6

What is a Rainbow Table?

Answer 6

A precomputed table that has the hashed output of plaintext data.

password1 : Hash 1
password 2 : Hash 2

Question 7

What is the Crossover Error Rate in biometric authentication?

Answer 7

Where False Rejection and False Acceptance rates intersect when plotted in a graph.

Organizations can tweak which side they want to favour depending on use case.

Question 8

What is Kerberos?

Answer 8

A protocol user for single sign on in Windows/Linux domains.

Question 9

What is SAML?

Answer 9

Security Assertion Markup Language is a XML based data format that is used for SSO over the internet.

SAML allows users logged into a corporate network to access authentication required resources outside of the organization such as healthcare and dental provider.

Question 10

What is OAuth?

Answer 10

Newer version of SAML that uses JSON and typically performs better on mobile.

Question 11

What can be treated as subjects when implementing access controls?

Answer 11

Users
Devices
Applications
Networks

Question 12

What is Discretionary Access Control (DAC)?

Answer 12

Resource objects are owned a by a user who can then assign access rights to each resource object they own.

Question 13

What is non-Discretionary Access Control (non-DAC)?

Answer 13

Security Administrators have control over who has access to resource objects.

Users are granted access to resource objects through requests.

Question 14

What is Role-Based Access Control (RBAC)?

Answer 14

RBAC uses roles and groups to grant access to users.

Users are added to roles/groups which in turn have access to resources set by security administrators.

Question 15

What is Rule-Based Access Control?

Answer 15

Similar to router-based network access control.

Resources are access through approved means of access such as gateways, portals VPN’s etc.

Question 16

What is Attribute-Based Access Control?

Answer 16

Similar to role-based access controls but attributes (labels) are added to resources and subject instead.

Human-readable rules

Subject: Entity trying to access the object

Object: Resource in question

Action: What the subject is trying to do with the object

Environment: Everything outside of the Subject/Object fields

Question 17

What is Mandatory Access Control?

Answer 17

Highest form of security between previously mentioned Access Control Protocols.

Subjects and Objects are labelled accordingly:

Top Secret
Secret
Confidential
Unclassified

Question 18

What are the differences between Access Control Matrix vs. Capability Tables?

Answer 18

Access Control Matrix are “Object Focues” while Capability Tables are “Subject Focused”

ACM = What can be done with this object?

CT = What actions are within the subjects remit?

Question 19

What is the difference between Access Rights vs. Access Permissions?

Answer 19

Access Rights state what a Subject can do to an Object.

Access Permissions state what Objects a Subject has access to.

Question 20

What does IAM stand for?

Answer 20

Identity and Access Management

Question 21

What is False Rejection Rate (FRR)?

Answer 21

The rate upon which authorized users are rejected incorrectly.

Question 22

What is False Acceptance Rate (FAR)?

Answer 22

The rate upon which unauthorized users are authorized access for an object they do not have access to.

Question 23

What is the Bell-LaPadula model?

Answer 23

Ensures confidentiality using two primary rules:

No Read Up: Users cannot read data with higher security label than their security clearance.

No Write Down: Users cannot modify data in objects categorized lower than their security clearance.

Question 24

What is the Biba Model?

Answer 24

The Biba model enforces integrity using two primary rules:

No Write Up: Users with lower security clearance cannot write to data with higher security label.

No Read Down: User data clearance does not automatically allow them to read data in lower security categorization.

Question 25

What is the Clark-Wilson model?

Answer 25

The Clark Wilson model enforces Integrity

Through the use of Certification (C1-C5) and Enforcement (E1-E4) rules.

The Certification Rules focuses on integrity-monitoring.

The Enforcement Rules focuses on integrity-preserving.

The model helps enforce separation of duties through an organization.

Question 26

What is the Brewer-Nash model?

Answer 26

Helps to prevent conflict of interest and enforce separation of duties.

Works through data classification with roles that have potential for conflict of interests.