Cissp - Access Control Flashcards
A passive data file
Object
An active entity on an information system
Subject
Gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.
Discretionary access control - DAC
System-enforced access control based on the subject's clearance and the object's label; the subject cannot change either.
Mandatory access control - MAC
Subjects are grouped into roles, and each defined role has access permissions based on the role, not the individual.
Role based access control - RBAC
The mission and purpose of access control is to:
Protect the confidentiality, integrity, and availability of data.
- What type of password cracking attack will always be successful?
Brute force. It tries every possible combination, so given enough time it always succeeds; the defense is a keyspace (length and character set) large enough that "enough time" is impractical.
- What is the difference between password cracking and password guessing?
Password guessing attempts to log in to the live system with candidate passwords (and is slowed by lockouts and logged); password cracking works offline to determine the password that was used to create a captured hash.
- The most insidious part of phishing and spear phishing attacks comes from which part of the attack anatomy?
The social engineering component: the attack exploits the victim's trust rather than a technical vulnerability, so technical controls alone do not stop it.
- What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers to perform actions all at once?
Botnets
- What are the main differences between retina scans and iris scans?
Retina scans are more intrusive (the eye must be placed close to the scanner) and can reveal medical conditions, so they raise privacy concerns; iris scans are passive, can be taken from a distance, and do not have that privacy problem.
- What is the most important decision an organization needs to make when implementing RBAC?
The roles users have on the system need to be clearly defined.
- What access control method weighs additional factors such as time of attempted access before granting access?
Context-dependent access control.
- An attacker sees a building is protected by security guards and attacks a building next door with no guards. What control combination are the security guards?
Physical/deterrent
- A Type II biometric error is also known as what?
False accept rate (FAR)
- Within Kerberos, which part is the single point of failure?
Key distribution center
- Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
- The tests will be conducted on live, business-functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
- The company wants the most in-depth test possible.
What kind of test should be recommended?
Full knowledge (white box): the testers are given complete information about the systems, which gives the most in-depth coverage and the least risk of blindly disrupting the live network.
- Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
- The tests will be conducted on live, business-functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
- The company wants the most in-depth test possible.
While conducting the penetration test, the tester discovers that a critical business system is currently compromised. What should the tester do?
Immediately end the penetration test and call the CIO: an active compromise is an incident that belongs to the client's incident response process, not to the engagement.
- What group launches the most attacks?
Outsiders
- A policy stating that a user must have a business requirement to view data before attempting to do so is an example of enforcing what?
Need to know.
- What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system?
Decrease the amount of minutiae that is verified.
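The FAR/FRR trade-off behind the previous card, as an added example that is not part of the original flashcards. Verifying fewer minutiae is equivalent to accepting a lower match score; the match scores below are constructed for the demonstration and the threshold values are assumptions, not data from any real scanner.

```python
# Constructed match scores (0..100) for a fingerprint system: how closely a
# presented finger matched the enrolled template. Labelled sample data.
GENUINE = [92, 88, 75, 81, 67, 95, 58, 84]   # the enrolled user's own attempts
IMPOSTOR = [12, 33, 41, 59, 27, 62, 18, 45]  # other people's fingers


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept a sample when its score >= threshold.

    FAR (Type II error): fraction of impostor attempts accepted.
    FRR (Type I error): fraction of genuine attempts rejected.
    Lowering the threshold (checking fewer minutiae) raises FAR and lowers FRR.
    """
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def crossover_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold at which FAR and FRR are closest: the crossover error rate (CER),
    the usual single number for comparing biometric systems."""
    def gap(t):
        far, frr = far_frr(t, genuine, impostor)
        return abs(far - frr)
    return min(range(0, 101), key=gap)


if __name__ == "__main__":
    for t in (70, 60, 50):
        far, frr = far_frr(t)
        print(f"threshold {t}: FAR={far:.3f} FRR={frr:.3f}")
    print("CER threshold:", crossover_threshold())
```

Running it shows the strict threshold rejecting two genuine users with no false accepts, the loose threshold doing the reverse, and the crossover point in between.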
CIA stands for
Confidentiality, integrity, and availability
What do access controls protect against?
Unauthorized access, inappropriate modification of data, and loss of confidentiality of data
What are the opposing forces in CIA?
Disclosure, Alteration, and Destruction
What is PII
Personally identifiable information
What is integrity
Protection against unauthorized modification of data or files
What is availability
Data is accessible when needed
What is confidentiality
Prevent unauthorized disclosure
What is DAD
Disclosure, alteration destruction (opposite of CIA)
What is AAA
Authentication (preceded by identification), authorization, and accountability
What is authentication
You are the person you claim to be
What is Authorization
The actions you can perform on a system once you have identified and authenticated
What is non-repudiation
A user cannot deny having performed a transaction (combines authentication and integrity)
What is least privilege
A user is granted the minimum amount of access needed to do the job
What is a subject
An active entity on a system; running computer programs are also subjects
What is an object
Passive data within the system
What is Defense in depth
Also known as layered security, uses multiple safeguards, or controls, to protect an asset
What are controls
Controls are measures taken to protect an asset
What is Discretionary access control (DAC)
Gives full control of objects the user has been given access to, including sharing the objects with other subjects.
Deploying a range of different ___________ safeguards in your organization lowers the chance that all controls will fail.
Defense in Depth
What is MAC
Mandatory Access Control
Honeywell’s SCOMP and Purple Penelope are examples of _______ systems.
MAC
What is RBAC
Role-Based Access Control
What rules are included in RBAC
Role assignment, role authorization, and transaction authorization.
Role Assignment means
A subject can execute a transaction only if the subject has selected or been assigned a role. Identification and authentication are not considered transactions. All other user activities on the system are conducted through transactions.
Role authorization means
A subject's active role must be authorized for the subject. Together with role assignment, this ensures that users can take on only roles for which they are authorized.
Transaction authorization means
A subject can execute a transaction only if the transaction is authorized through the subject's role memberships, and subject to any constraints that may be applied across users, roles, and permissions.
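The three RBAC rules on the preceding cards as an enforcement check, an added example that is not part of the original flashcards or of any RBAC product. The role, user, and transaction names are constructed, and the separation-of-duty constraint is one assumed example of a cross-user/role constraint.

```python
class AccessDenied(Exception):
    pass


class RBAC:
    """Minimal RBAC reference monitor enforcing role assignment, role
    authorization, and transaction authorization."""

    def __init__(self):
        self.authorized_roles = {}  # user -> roles the user may assume
        self.role_permissions = {}  # role -> transactions the role may run
        self.active_role = {}       # user -> role active in the current session

    def grant_role(self, user, role):
        self.authorized_roles.setdefault(user, set()).add(role)

    def permit(self, role, transaction):
        self.role_permissions.setdefault(role, set()).add(transaction)

    def activate_role(self, user, role):
        # Rule 2, role authorization: the active role must be one the
        # user has been authorized for; users cannot pick arbitrary roles.
        if role not in self.authorized_roles.get(user, set()):
            raise AccessDenied(f"{user} is not authorized for role {role}")
        self.active_role[user] = role

    def execute(self, user, transaction, constraint=None):
        # Rule 1, role assignment: no active role means no transaction,
        # however the user authenticated.
        role = self.active_role.get(user)
        if role is None:
            raise AccessDenied(f"{user} has no active role")
        # Rule 3, transaction authorization: the transaction must be permitted
        # to the active role ...
        if transaction not in self.role_permissions.get(role, set()):
            raise AccessDenied(f"role {role} may not {transaction}")
        # ... and any constraint across users, roles and permissions must hold.
        if constraint is not None and not constraint(user, role, transaction):
            raise AccessDenied(f"constraint failed for {user}/{role}/{transaction}")
        return True


def can(rbac, user, transaction, constraint=None):
    """Boolean wrapper so callers need not handle the exception."""
    try:
        return rbac.execute(user, transaction, constraint)
    except AccessDenied:
        return False


def try_activate(rbac, user, role):
    try:
        rbac.activate_role(user, role)
        return True
    except AccessDenied:
        return False


def no_auditor_deposits(rbac):
    """Assumed separation-of-duty constraint: a user who is authorized as an
    auditor may never run deposits, whichever role is currently active."""
    def check(user, role, transaction):
        return not (transaction == "deposit"
                    and "auditor" in rbac.authorized_roles.get(user, set()))
    return check


def build_demo():
    """Constructed policy: tellers move money, auditors read logs."""
    rbac = RBAC()
    rbac.permit("teller", "view_balance")
    rbac.permit("teller", "deposit")
    rbac.permit("auditor", "view_balance")
    rbac.permit("auditor", "read_audit_log")
    rbac.grant_role("alice", "teller")
    rbac.grant_role("alice", "auditor")
    rbac.grant_role("bob", "teller")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(can(r, "alice", "view_balance"))              # no active role yet
    r.activate_role("alice", "teller")
    print(can(r, "alice", "deposit"))
    print(can(r, "alice", "deposit", no_auditor_deposits(r)))
```

Note that permissions never attach to "alice" or "bob" directly, and neither user can hand a permission to someone else: that is what makes this non-discretionary.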
Non-Discretionary access control
RBAC is a type of ________ because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.
What is role based access control
Access to information on a system is decided by the role of the subject. Permissions are based on the role, not the individual user.
What is task based access control
Another non-discretionary access control; permission is based on the task the subject is performing
Content-dependent and context-dependent access control play what role?
A supporting role within defense in depth, layered on top of the primary access control model (DAC, MAC, or RBAC)
Content-dependent access control relies on
The content of the object being accessed (e.g., a field's value), whereas context-dependent control uses surrounding factors such as the time or location of the access attempt
What is centralized access control
Instead of managing access on each system locally, a central system manages it. Single sign-on (SSO) is one form: the subject authenticates once and can then access multiple systems
Access control types (by function)
- Preventative
- Detective
- Corrective
- Recovery
- Deterrent
- Compensating
Access control categories
Every control also falls into one of three categories
Administrative (Directive) controls– policies, training regulations
Technical controls- Software, hardware, firmware
Physical Controls – locks, fences, gates
Type 1 authentication: something you know (passwords)
Involves testing the subject with a challenge that can only be answered from a secret the subject knows, such as a password or PIN
Static passwords -
user generated and often used with another authentication method
Passphrase -
made up of words or phrases with a twist, such as using a zero in place of an O
One time password -
can only be used once
Dynamic passwords –
passwords that change constantly (e.g., the code shown on an RSA SecurID token)
Microsoft LAN Manager (LM) makes the password all
uppercase before hashing, then pads it to 14 characters and splits it into two 7-character halves that are hashed separately; this shrinks the keyspace and lets each half be cracked independently
Hybrid attack
A dictionary attack that also substitutes characters in, and appends or prepends characters to, each dictionary word (e.g., dragon becomes Dr@gon123)
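Offline cracking with hybrid candidates, as an added example that is not part of the original flashcards. It also illustrates the earlier cracking-versus-guessing card: nothing here touches a login prompt, the attacker only hashes candidates and compares them with a captured hash. The wordlist, substitution table, and the victim's password are constructed for the demonstration; real tools use far larger wordlists and rule sets.

```python
import hashlib
import itertools

# Constructed inputs: a tiny wordlist and the mangling rules the attack applies.
WORDLIST = ["summer", "password", "welcome", "dragon"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
PREFIXES = ["", "!", "1"]
SUFFIXES = ["", "1", "123", "!", "2024"]


def leet_variants(word):
    """Yield the word with every combination of substitutions applied."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product([False, True], repeat=len(positions)):
        chars = list(word)
        for flag, pos in zip(mask, positions):
            if flag:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def hybrid_candidates(word):
    """Hybrid attack: case variants, character substitutions, and characters
    prepended/appended to a dictionary word, each candidate yielded once."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for prefix in PREFIXES:
                for suffix in SUFFIXES:
                    cand = prefix + variant + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(text):
    # Unsalted, single-round SHA-256 stands in for whatever weak scheme
    # produced the captured hash; it is what makes this attack cheap.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Hash every candidate and compare with the captured hash.
    Returns (recovered password or None, number of candidates tried)."""
    tried = 0
    for word in wordlist:
        for cand in hybrid_candidates(word):
            tried += 1
            if sha256_hex(cand) == target_hash:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    captured = sha256_hex("Dr@gon123")  # constructed victim password
    print(crack(captured))
```

The candidate count printed alongside the recovered password is the point: a few thousand hashes recover a password that would never fall to guessing against a live system with lockout enabled.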
Salt allows one password to be
hashed many different ways, so an attacker cannot precompute a rainbow table that covers every possible salt; each salted hash has to be attacked on its own
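What the salt actually buys, as an added example that is not part of the original flashcards. The attacker's precomputed table is a plain hash-to-password dictionary here (a real rainbow table compresses the same precomputation into hash/reduce chains, but the defeat is identical). The wordlist is constructed, and PBKDF2-HMAC-SHA256 is an assumed choice of salted, iterated hash.

```python
import hashlib
import os

# Constructed wordlist: the attacker precomputes it, and one user picked from it.
WORDLIST = ["letmein", "summer2024", "hunter2", "qwerty"]


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=50_000):
    """Salted, iterated hash. The salt is stored next to the digest; it is not
    secret, it only guarantees that equal passwords give different hashes."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    salt_hex, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hashlib.sha256(candidate.encode()).digest() == hashlib.sha256(stored.encode()).digest()


def build_lookup_table(wordlist):
    """Attacker side: hash the wordlist once, reuse the table against every
    captured unsalted hash forever."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup(table, captured_hash):
    return table.get(captured_hash)


def demo():
    table = build_lookup_table(WORDLIST)
    # Two users chose the same password.
    a_unsalted = unsalted_hash("hunter2")
    b_unsalted = unsalted_hash("hunter2")
    a_salted = salted_hash("hunter2", os.urandom(16))
    b_salted = salted_hash("hunter2", os.urandom(16))
    return {
        "unsalted_identical": a_unsalted == b_unsalted,     # leaks shared passwords
        "salted_identical": a_salted == b_salted,           # salt hides that
        "table_hits_unsalted": lookup(table, a_unsalted),   # precomputation works
        "table_hits_salted": lookup(table, a_salted.split("$")[1]),  # and fails
        "verify_ok": verify_salted("hunter2", a_salted),
        "verify_wrong": verify_salted("hunter3", a_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop the hybrid attack on one weak password; it stops the attacker from doing that work once and reusing it across every account and every breached database.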
Asynchronous dynamic tokens are not
synchronized with a central server. Example: a challenge-response token. The system produces a challenge; the user enters the challenge into the token device along with a PIN; the device computes a response, which the user sends back to the system. Because the response is tied to the system's own challenge, the system can verify it without a shared clock or counter
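The challenge-response exchange from the previous card with both sides written out, as an added example that is not part of the original flashcards or of any vendor's token. The token secret and PIN are constructed values; using HMAC-SHA256 over challenge and PIN, an 8-digit truncation, and a 60-second challenge lifetime are all assumptions about a hypothetical token.

```python
import hashlib
import hmac
import os
import time

# Constructed enrollment data shared by the token and the server.
TOKEN_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
USER_PIN = "4821"


def token_response(secret, challenge, pin):
    """Token side: the user keys in the server's challenge and their PIN; the
    device returns a short code derived from its secret, the challenge and the
    PIN. No clock or counter is involved, hence 'asynchronous'."""
    mac = hmac.new(secret, challenge.encode() + pin.encode(), hashlib.sha256).digest()
    # Truncate to 8 decimal digits so the user can type it back.
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


class AuthServer:
    """Server side: issues random challenges and checks responses."""

    def __init__(self, secret, pin):
        self.secret = secret
        self.pin = pin
        self.pending = {}  # challenge -> time issued

    def issue_challenge(self):
        challenge = os.urandom(4).hex()  # unpredictable nonce shown to the user
        self.pending[challenge] = time.time()
        return challenge

    def verify(self, challenge, response, max_age=60):
        # Each challenge is usable once and only for a short time, so a
        # captured response cannot be replayed.
        issued = self.pending.pop(challenge, None)
        if issued is None or time.time() - issued > max_age:
            return False
        expected = token_response(self.secret, challenge, self.pin)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = AuthServer(TOKEN_SECRET, USER_PIN)
    challenge = server.issue_challenge()
    response = token_response(TOKEN_SECRET, challenge, USER_PIN)
    print("challenge:", challenge, "response:", response)
    print("first use:", server.verify(challenge, response))
    print("replay:", server.verify(challenge, response))
```

The response depends on the server's fresh challenge, so an eavesdropper who records one exchange learns nothing usable for the next; the PIN in the computation is what turns a stolen token into a two-factor problem for the thief.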