CIA Triad and Access Control

Question 1

Define Access Control

Answer 1

Oversees the authorisation of users based on some security policy that the system adheres to. In essence, the AC model determines who can do what.

Question 2

Define Confidentiality

Answer 2

Relates to the disclosure of information to unauthorised parties.

Question 3

Define Integrity

Answer 3

Relates to preventing the modification of data or/and system assets to operate in a way other the one they that was intended by unauthorised parties

Question 4

Define Availability

Answer 4

Relates to ensuring the availability of system resources to authorised parties.

Question 5

What are the 3 methods of determining the Access Control of an entity?

Answer 5

Identification, Authentication, Authorisation.

Question 6

Define Identification

Answer 6

The mapping of an identity to an entity. For example, a student ID card.

Question 7

Define Authentication

Answer 7

The process of verifying the identification.

Question 8

Define Authorisation

Answer 8

The granting or denying of access of an system entity to an object.

Question 9

What are the four methods of Authentication?

Answer 9

Something you know; something you are; something you have; your location.

Question 10

Give an example of a hard and soft token

Answer 10

Hard token : Key fob
Soft token : OTP

Question 11

Give an example of a ‘Who you are’ authentication method. What is an issue with this?

Answer 11

Biometric markers. However, still replicable with effort.

Question 12

What is multi-factor authentication?

Answer 12

An access control mechanism that uses two or more methods for providing authentication.

Question 13

What makes for a strong authentication process? Give an example.

Answer 13

Using 2 or more different methods for authentication. For example, a PIN and a OTP uses what you know and what you have.

Question 14

Define Access Control Model

Answer 14

A formal description of the concepts used to determine which permissions certain subjects have to objects.

Question 15

Define Access Control Policy

Answer 15

Defines what is allowed / forbidden from a security perspective in a system.

Question 16

Describe the concepts of PEP and PDP across the security model. Why are they needed?

Answer 16

They enforce the access control model.
Policy Enforcement Points are implemented across layers of the Security Model. When receiving a request, the PEP communicates with the PDP to determine whether access is granted or not.

Question 17

What are 2 issues of Biometric markers?

Answer 17

If compromised can’t generate a new one.
As of today, all biometric types have been broken.

Question 18

What is the Access Control Matrix Model? Give examples of subjects and objects.

Answer 18

A model that defines the permissions of subjects on system objects.
Subjects can be users, groups, processes etc.
Objects can be data, files, memory etc.

Question 19

What are 4 issues with the ACMM?

Answer 19

Subjects of a system are very dynamic and high in numbers, thus the model is constantly changing and is large. This leads to:
Poor scalability, Complexity, Poor modifiability / maintenance, Slow look up,

Question 20

Define the RBAC Matrix Model. How does it resolve the ACMM issues?

Answer 20

Model assigns subjects (users) to roles. Roles are relatively static in a system, thus model is more scalable, modifiable, smaller, maintainable and less complex.

Question 21

Define Roles Hierarchy in the RBAC. Give an example.

Answer 21

Access rights can be seen as the sample space. Subsets of these access rights are given out based on the hierarchical standing of the role.