Chapter 5 - Access Control Flashcards

1
Q

What are the three functions of access controls?

A

The three functions of access controls are:
Authentication - Assessing the identity of the supplicant.
Authorization - Giving permissions appropriate to the user.
Auditing - Collecting information about the user’s activities.

2
Q

What are the four bases for authentication credentials?

A

To be authenticated, you must show verifier credentials that are based on one of the following:

  • What you know (password/private key)
  • What you have (physical key/smart card)
  • Who you are (fingerprint/retina scan)
  • What you do (how you pronounce a passphrase)
3
Q

What is two-factor authentication’s promise? How can Trojan horses or man-in-the-middle attacks beat this?

A

Two-factor authentication provides a form of defense-in-depth, which is a more complete protection. Unfortunately, a Trojan horse can still act after full authentication has been achieved, and a man-in-the-middle can still act quickly while authentication is occurring, using the credentials to gain access while they are valid.

4
Q

What is role-based access control? Why is it popular?

A

Role-based access control, or RBAC, is when a user’s access controls are based on the role they have in the system, such as buyer, editor, administrator, etc. Each role has its own set of access control rules, which are generally applicable to anyone that serves that role in the system. This is cheaper than applying rules to individuals, has less room for errors, and is far easier to revoke en masse.

5
Q

Why do technologically strong access controls not provide strong access control in real organizations?

A

As advanced as some of these technologies seem, they are always placed in the context of an organization, or of people being people. This means, basically, that people make mistakes, and the more people, the more likely the mistakes.

6
Q

What is the difference between mandatory access controls and discretionary access controls?

A

In mandatory access control, departments are not able to alter access controls that have been put in place by “higher authorities”. This is bad, because you’ll always need some flexibility.
Discretionary access control is basically mandatory access control, but departments have discretion to give access to individuals.

7
Q

What is multilevel security?

A

Multilevel security is where there is a system that has multiple levels of security restriction, from “declassified” to “top secret” and with levels in between.

8
Q

What are SBU documents?

A

SBU stands for “sensitive but unclassified”.

9
Q

What is siting?

A

Siting refers to the placement of equipment.

10
Q

If cabling cannot be run through walls, what should be done with it?

A

Cabling that cannot be run through walls needs to be run through secured, armored conduits.

11
Q

What are reusable passwords?

A

Reusable passwords are passwords that can be used repeatedly, for weeks or months at a time.

12
Q

Why is password cracking over a network difficult to do?

A

Generally, accounts are locked once a password authentication attempt has failed too many times. Installing a cracking program on a server bypasses this.

13
Q

What are two ways password-cracking programs can be used?

A

Password-cracking programs can be used on-site, or by taking the password hashes off-site, at home.

14
Q

Why is it a problem to use the same password at multiple sites?

A

It is a problem to use the same password at multiple sites because if one site is compromised, they all are.

15
Q

Why is it difficult to enforce a policy of using a different password at each site?

A

It is difficult to enforce a policy of “different password at different site” because it’s difficult to remember that many passwords.

16
Q

Why are password reset questions difficult to create?

A

Password reset questions are difficult for various reasons:

  • Some questions are, themselves, security violations (asking for SSN).
  • Some questions can be answered by simple research.
  • Some questions may be difficult for the actual user to remember, involving opinions that might change.
  • Some questions may have spelling issues.
17
Q

How may password resets be handled in high-risk environments?

A

In high-risk environments, password resets must sacrifice convenience for security, removing automated resets, or even help-desk call resets.

18
Q

What is the difference between magnetic stripe cards and smart cards?

A

Magnetic stripe cards are inactive, storing only data. Smart cards have microprocessors, and are active.

19
Q

What are one-time password tokens?

A

A one-time password token is a small device that displays a number that changes frequently, which is the current password.

20
Q

What are USB tokens?

A

USB tokens are like smart cards, but don’t require smart card readers.

21
Q

Why can PINs be short - only four to six digits - while passwords must be much longer?

A

PINs can be shorter than passwords because they must be entered locally, by hand.

22
Q

On what two things about you is biometric authentication based?

A

Biometric authentication is based on something you are (fingerprints, retinas) or something you do (write, type, talk, etc).

23
Q

What are the three scanner actions in biometric enrollment?

A

The three scanner processes in biometric enrollment are as follows:

  • The reader scans far too much data, as an enrollment scan.
  • The reader extracts key features from the scanned data.
  • The reader sends the key features to the database to be stored as a template.
24
Q

Why are key features not used, instead of a whole scan?

A

Key features are used instead of a whole scan because if the user scans or swipes with a new angle, it will be very different and invalid.

25
Q

What is a match index, and why is it important?

A

A match index is used to measure the variations between a scan’s key features and the template that is stored. If the scan is further off than the match index, it is rejected.

26
Q

What is error rate, in biometrics?

A

Error rate in biometrics refers to accuracy when the supplicant is not trying to deceive the system.

27
Q

What’s the difference between false acceptance and false rejection?

A

False acceptance occurs when the system makes a match to a template that should not be made. False rejection is the inverse.

28
Q

What is false acceptance rate and false rejection rate?

A

False acceptance rate is the percentage of false acceptances out of total access attempts. False rejection is the inverse.

29
Q

Why is false acceptance bad? Why is false rejection bad? Which is worse from a user acceptance standpoint? A security standpoint?

A

False acceptance could mean incorrectly labeling someone for access or restriction. In fact, false rejection falls under this as well.

From a security standpoint, false acceptance is worse. From a user acceptance standpoint, false rejection is worse.

30
Q

What is failure to enroll?

A

Failure to enroll occurs when the system fails to enroll a user, often for reasons like damaged fingerprints.

31
Q

What are the three major goals of biometric authentication?

A

The three major goals of biometric authentication are:
Verification - Verifying that someone is a particular person (they are providing the identity).
Identification - Determining the identity of a supplicant (they are not providing the identity).
Watch Lists - Identifying the person as a member of a group.

32
Q

What is the strongest form of authentication?

A

Cryptographic authentication is the most secure form of authentication, if implemented correctly.

33
Q

List the functions of a PKI.

A

The functions of a PKI are as follows:

  • Creating public key-private key pairs
  • Distributing digital certificates
  • Accepting digital certificates
  • Revoking digital certificates
  • Provisioning
34
Q

Can a firm be its own certificate authority? What is the advantage of doing so?

A

Yes, but due to the labor involved, it is very expensive. The advantage is that firms then have control of trust in their entire public key infrastructure.

35
Q

Who creates a computer’s private key–public key pair?

A

The client or server generates the private key-public key pair.

36
Q

What is provisioning?

A

Provisioning is the accepting of public keys, and the providing of new digital certificates.

37
Q

What is the prime authentication problem?

A

The prime authentication problem says that unless individuals are carefully vetted before being allowed into the system, impostors can enroll through social engineering.

38
Q

What is the principle of least permissions?

A

Same as before, it’s the principle that people should only get the permissions they need to do their jobs.

39
Q

A(n) ________ is a statement from Firm A that Firm B should accept as true if Firm B trusts Firm A.

A

Assertion

40
Q

What is the difference between a ticket granting ticket and the service ticket within Kerberos?

A

The ticket granting ticket is given to the supplicant when it first logs into the Kerberos server. It allows the supplicant to log in to the Kerberos server later without needing authorization.
The service ticket is sent to the supplicant after being authenticated. When it is decrypted by the verifier host, it contains a session key that the supplicant uses to talk to the verifier, as well as permissions it should have on the verifier.

41
Q

What are directory servers?

A

Directory servers are central repositories for information about people, equipment, software, and databases. They also store the authentication, authorization, and auditing information required for security, as well as host configurations, employee contact information, and much more.

42
Q

What is LDAP’s purpose?

A

LDAP is made to retrieve and update information from directory servers.

43
Q

How do central authentication servers often get their authentication information? What is the advantage of this?

A

Central authentication servers often get their authentication information from directory servers. The advantage of this is that the directory servers provide centralization for information needed by central authentication servers.

44
Q

What are the three elements an assertion may have?

A

An assertion may have authenticity information, authorizations, or attributes (describing the party).