Domain 3 Flashcards
Access Control Concepts
Which of the following is an example of security control?
Firewall
Subject definition
any entity that requests
access to asset. May be a user, program, etc., is active in initiating the request for services, and should have some level of clearance
Object definition
an entity that responds to a request for service. May be a building, file, etc., provides service to a user, is passive in the request, do not have their own access control logic, and may have a classification
an instruction developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list
Rules
What is the definition of an object in the context of access controls?
An entity that responds to a request for service
Derrick logs on to a system to read a file.
In this example, Derrick is the ______.
Subject
Which of the following is a subject?
User
What is the strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of an organization?
Layered Defense
How does privileged access management implement the principle of least privilege?
By granting each user access only to the items they need
Physical access controls are
tangible methods or mechanisms that
limit someone from getting access to an
area or asset
Logical access controls are
electronic methods that limit someone
from getting access to systems, and
sometimes even to tangible assets or areas, including passwords, biometrics, etc.
Which of the following is an example of a logical access control method?
Biometrics on a smartphone
Limiting access to data on the network would be considered which of the following controls?
Logical or technical controls
A control serves to
reduce the risk
according to where it falls within
the risk tolerance of the individual
or organization
What would be considered an administrative control in the context of seat belt usage?
Passing a law requiring seat belt use
What would be considered a physical control in the context of seat belt usage?
The seat belt itself would be considered a physical control
What alternative control could be used if biometric locks on multiple doors are not necessary and access does not need to be audited?
Replacing doors with deadbolt locks
In what type of environment does role-based access control work well?
High-staff turnover and similar access requirements
Role-based access control provides
each worker
privileges based on what role
they have in the organization
What term is used to describe the situation where someone inherits expanded permissions that are not appropriate for their role in Role-based Access Control (RBAC)?
Privilege creep
What is the key feature of just-in-time privileged access management?
Role-based subsets of privileges
Privileged accounts are
those with
permissions beyond those of normal users,
such as managers and administrators
In Mandatory Access Control (MAC), what determines the level of access to certain areas in certain government agencies?
Government policy and security clearance
With Mandatory Access Control, who
assigns access rights or permissions?
security administrators
With Discretionary Access Control, who
assigns access rights or permissions?
the object owner
Who can modify security rules in a system governed by Mandatory Access Control (MAC)?
Trusted subjects designated as security administrators
Which of these combinations of physical security controls share a single point of failure?
High-illumination lighting and cameras
A power failure will disable both the cameras and the lights.
What challenges do small and medium businesses face regarding technical controls in payroll systems?
Insufficient personnel for duty separation
Which of the following is an example of a physical access control?
Motion detectors
Separation of duties is based on
the security practice that no one person should control
an entire high-risk transaction from start to finish.
Collusion is when
two individuals willfully work together to bypass the separation of duties to jointly commit fraud
Duncan and Mira work in the data center at Triffid, Inc. There is a policy in place that requires both to be present in the data center at the same time.
If one has to leave for any reason, the other must step out, too, until they can both re-enter.
This is called ________.
Two-person integrity
Why is Discretionary Access Control (DAC) not considered very scalable?
It relies on the discretion of individual object owners
What is the two-person rule in the context of security strategy?
Two people must be in an area together
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures
Crime Prevention through Environmental Design (CPTED)
An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity
Defense in Depth
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization
Discretionary Access Control (DAC)
A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be
Firewalls
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules
Insider Threat
An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service
iOS
An operating system manufactured by Apple Inc. Used for mobile devices.
Layered Defense
The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.
Linux
An operating system that is open source, making its source code legally available to end users.
Log Anomaly
A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.
Logging
Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks
Logical Access Control Systems
Logical Access Control Systems
An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization
Mandatory Access Control
Access control that requires the system itself to manage access controls in accordance with the organization’s security policies
Mantrap
An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time
Object
Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains
Physical Access Controls
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks
Principle of Least Privilege
The principle that users and programs should have only the minimum privileges necessary to complete their tasks.
Privileged Account
An information system account with approved authorizations of a privileged user
Ransomware
A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid
Role-based access control (RBAC)
An access control system that sets up user permissions based on roles.
Rule
An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.
Segregation of Duties
The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties
Subject
Generally an individual, process or device causing information to flow among objects or change to the system state
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
Turnstile
A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.
Unix
An operating system used in software development
User Provisioning
The process of creating, maintaining and deactivating user identities on a system
Why is it recommended to disable accounts for a period before deletion when an employee leaves the company?
To preserve the integrity of audit trails or files
Lakshmi presents a user ID and a password to a system to log on.
Which of the following characteristics must the password have?
Confidential
What is user provisioning in identity management?
Managing access to resources and information systems
Which of the following is the responsibility of systems administrators who use privileged accounts?
Operating systems and applications
What does behavioral biometrics measure?
User actions, such as voiceprints and keystroke dynamics
Which of the following is an example of a monitoring tool?
Cameras
Which is a physical control that prevents “piggybacking” or “tailgating,” when an unauthorized person follows an authorized person into a controlled area?
Turnstile
