D3: Access Controls

Question 1

They dictate how subjects access _, adn their main goal is to protect the _ from _ _.

Answer 1

objects

objects; unauthorized access

Question 2

Access controls can be (3):

Answer 2

1) physical
2) administrative
3) logical

Question 3

Access control defines:

Answer 3

how users should be identified, authenticated, and authorized

Question 4

Access control needs to be integrated into the core of operating systems through the use of _, _, and _ models

Answer 4

DAC
MAC
RBAC

Question 5

How is access control enforced in the physical world?

Answer 5

security zones, network segmentation, locked doors, securit yguards

Question 6

Access is…

Answer 6

a flow of information between a subject and an object

Question 7

subject v. object

Answer 7

subject - aactive entity that requests access to an object

object 0 a passive entity

Question 8

a subject can be a

Answer 8

user, program, process

Question 9

Access controls are security features that are usually considered the _ _ _ _ in asset protection.

Answer 9

First line of defense

Question 10

Name security mechanisms that provide confidentiality:

Answer 10

• encryption
• logical and physical access control
• transmission protogol
• database views
• controlled traffic flow

Question 11

Name some identity management solutions:

Answer 11

• directories
• web access management
• passwrod management
• legacy single sign-on
• account management
• profile update

Question 12

What is the benefit of password synchronization?

Answer 12

It reduces the complexity of keeping up with different passwords for different systems.

Question 13

Benefits of self-service password reset:

Answer 13

Reduces help-desk call volumes by allowing users to reset their own passwords

Question 14

What are the benefits for assisted password reset?

Answer 14

It reduces the resolution process for password issues for the help-desk department

Question 15

What do IdM directories contain and what’s the purpose?

Answer 15

All resource information, user’s attributes, authorization profiles, roles, and possibly access control policies.

Other IdM applications have one centralized resource from which to gather this information

Question 16

Automated workflow component is _ in account management products that provide IdM solutiosn

Answer 16

common

Question 17

User provisioning refers to:

Answer 17

creation, maintenance, and deactivation of user objects and attributes, as they exist in one or more systems, directories, or applications

Question 18

The HR database is usually considereed the authoritative source for:

Answer 18

user identities. This is where it is first developed and properly maintained

Question 19

What are the three main access control models?

Answer 19

1 - discretionary
2 - mandatory
3 - role-based

Question 20

DAC

Answer 20

Discretionary Access Control. Enables data owners to dictate what subjects have access to the files and resources they own.

Question 21

MAC

Answer 21

Mandatory Access Control.

This model uses a security label system. Users have clearnaces, and resources have security labels that contain data classifications.

MAC systems compare these two attributes to determine access control capabilities.

Question 22

Role-Based Access Control

Answer 22

Based on the user’s role and responsibiliteis (tasks) within the company

Question 23

What are the three main tyapes of restricted interface measurements?

Answer 23

1 - menus and shells
2 - database views
3 - physically constrained interfaces

Question 24

Access control lists are bound to _ and indicate what _ can use them.

Answer 24

objects

subjects

Question 25

A capability table is bound to a _ and lists what _ it can access.

Answer 25

subject

objects

Question 26

What are the two man ways that access control can be adminstered?

Answer 26

1 - centralized

2 - decentralized

Question 27

Provided a decentralized administration access control example:

Answer 27

peer-to-peer working group

Question 28

Provide some examples of centralized administration access control technologies:

Answer 28

RADIUS
TACACS+
Diameter

Question 29

Provide examples of administrative controls:

Answer 29

• security policy
• personnel controls
• supervisory structure
• security awareness training
• testing

Question 30

Provide examples of physical controls

Answer 30

• network segregation
• perimeter security
• computer controls
• work area separation
• cable

Question 31

Provide examples of technical controls

Answer 31

• system access
• network architecture
• network access
• encryption and protocols
• auditing

Question 32

For a subject to be able to access a resource it must be:

Answer 32

1 - identified
2 - authenticated
3- authorized
4 - held accountable for its actions

Question 33

Through what ways can authentication be accomplished?

Answer 33

1 - biometrics
2 - password
3 - passphrase
4 - cognitive password
5 - one-time password
6 - token

Question 34

Biometrics Type I error =

Answer 34

the system rejected an authorized individual

Question 35

Biometrics Type II error =

Answer 35

an imposter was authenticated

Question 36

A _ _ cannot process information, but a _ _ can through the use of integrated circuits and processors

Answer 36

memory card

smart card

Question 37

What do Least-privilege and need-to-know principles do?

Answer 37

Limit users’ rights to only what is needed to perform tasks of their job

Question 38

Single sign-on cabailities can be accomplished through:

Answer 38

• Kerberos
• SESAME
• domains
• thin clients

Question 39

How does Kerberos work?

Answer 39

1 - the Kerberos user receives a ticket granting ticket (TGT) which allows him to request access to resources through the ticket granting service (TGS)
2 - The TGS generates a new ticket with the session keys

User –> TGT –> TGS –> ticket with session keys

Question 40

Name types of access control attacks

Answer 40

• DoS
• Spoofing
• dictionary
• brute force
• war dialing

Question 41

KEYSTROKE LOGGING

Answer 41

A type of auditing that tracks each keystroke made by a user

Question 42

How can object reuse unintentiallly disclose information?

Answer 42

By assigning media to a subject before it is properly erased

Question 43

Is removing pointers to files (deleting file, formatting hard drive) enough protection for proper object reuse?

Answer 43

No

Question 44

Information can be obtained via electrical signals in airwaves. The ways to combat this type of intrusion are:

Answer 44

TEMPEST
White noise
control zones

Question 45

User authentication is accomplished by:

Answer 45

what someone knows, is, or has

Question 46

One-time password generating token devices can use synchronous (, ) or asynchronous (-) methods

Answer 46

time, event

challenge-based

Question 47

Strong authentication requires:

Answer 47

two of the three authentication attributes (knows, is, has)

Question 48

What are the weaknesses of Kerberos:

Answer 48

• the KDC is a single point of failure
• it is susceptible of password guessing
• session and secret keyes are locally stored
• KDC needs to always be available
• there must be management of secret keys

Question 49

What is phishing?

Answer 49

A type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data

Question 50

When is a race condition possible?

Answer 50

When two or more processes use a shared resource and the access steps could take place out of sequence

Question 51

What is mutual authentication?

Answer 51

When two entities must authenticate to each other before sending data back and forth.

Also referred to as two-way authentication

Question 52

What is a directory service?

Answer 52

A software component that stores, organizes, and provides access to resources, whicih are listed in a directory (listing) of resources. Individual resources are assigned names within a namespace

Question 53

Cookie

Answer 53

Data that are held permanently on a hard drive in the format of a text file or held temporariliy in memory. It can be used to store browsing habits, authentication data, or protocol state information

Question 54

Federated Identity

Answer 54

A portable identity.

Its associated entitelements that can be used across business boundaries without the need to synchronize or consolidate directory information

Question 55

Extensible Markup Language (XML)

Answer 55

A set of rules for encoding documents in machine-readable form to allow for interoperability between various web-based technologies

Question 56

Service Provisioning Markup Language (SPML)

Answer 56

An XML-based framework being developed by OASIS

Question 57

eXtenible Access Control Markup Language (XACML)

Answer 57

A declaritive access control policy language implemented in XML and a processing model, describes how to interpret security policies

Question 58

Replay attack

Answer 58

A form of network attack in which a valid data transmission is maliciously or fradulently repeated with the goal of obtaining unauthorized access.

Question 59

Clipping level

Answer 59

A threshold value. Once a threshold is passed, the activity is considred an event that is logged, investigated, or both

Question 60

RAINBOW TABLE

Answer 60

A set of precomputed hash values that represent password combinations. These are used in password attack processes and usually produce results more quickly than dictionary or brute force attacks.

Question 61

COGNITIVE PASSWORDS

Answer 61

Fact- or opinion-based information used to verify an individuals identity

Question 62

Smart cards can require physical interaction with a reader () or no physical interaction with the reader ( _ _ ). Two _ _ are combi ( ) and hybrid ( _).

Answer 62

contact
contactless architecture
contactless architectures 
one chip
two chips

Question 63

How is a side channel attack carried out?

Answer 63

By gathering data pertaining to how something works and using that data to attack or crack it, as in differntial power analysis or electronmagnetic analysis.

Question 64

When does authorization creep take place?

Answer 64

when a user gains too much access rights and permissions over time.

Question 65

What is SESAME?

Answer 65

A single sign-on technology developed to address issues in Kerberos. It is based upon publi key cryptography (asymmetic) and uses privileged atribute servers and certs.

Question 66

Intrusion detection systems are either _ or _ based and provide _ (statistical) or _ (knowledge) types of functionality.

Answer 66

host; network

behavioral; signature

Question 67

If a DNS server is poisoned and points users to a malicious website, its called:

Answer 67

pharming

Question 68

A web portal is commonly made up of _, which are pluggale user interface software components that present information and services from other systems

Answer 68

portlets

Question 69

SPML

Answer 69

Service Provisioning Markup Language.
Allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electornically published services across mulitple provisioning systems

Question 70

SAML

Answer 70

Security Assertion Markup Language.

Allows for exchange of authentication and authroization data to be shared between security domains.

Question 71

SOAP

Answer 71

Simple Object Access Protocol.

For exchanging structured information in the implementation of web services and networked environments.

Question 72

SOA

Answer 72

Service oreiented architecture.

Allow ofr a suite of interoperable services to be used within multiple, separate systems from several business domains

Question 73

Threat modeling

Answer 73

identifies potential threats and attack vectors.

Question 74

vulnerability analysis

Answer 74

identifies weaknesses and lack of countermeasures;