Implimenting Access Controls

Question 1

Mandatory access Control

Answer 1

Government entity or company controls how their data is shared.

Ex: hospital owns patient records and limits their sharing

Question 2

How is Mandatory Access Control normally used

Answer 2

Has a central authority that maintains access control and sets the rules
Used in secure systems government and military or private sectors

Question 3

Give an example of MAC system

Answer 3

Hospitals

Regulated by hippa

Question 4

Define Non-discretionary Access Control

Answer 4

The administration has ownership of a resource and decides how it can be shared. User has no rights

Question 5

Give example of the model discretionary access control

Answer 5

User creating a file and allowing other users or subjects to access that file.

Question 6

Define Discretionary Access Control policy

Answer 6

Users are granted access based on predefined role user has.
Owner / creator of a file assigns permission to user or subject to access their resource **however access rights are based on rules set by the administrator. **

• users can be organized in groups
• permission will be assigned to a resource for that specific group
• Not centrally managed

Question 7

Define Role based access control

Answer 7

Access rights are defined through roll you have in your organization, Administrator determines what time of rights user has

Systems that use role based: Windows

Question 8

Define Rule Based Access Control (RBAC)

Answer 8

Access is determined through system enforced rules or list of conditions

Ex: firewalls - lab network can only be accessed between 9am-6pm
Setting a rule that only chrom based browsers can be used to fill out a web based app

Question 9

What is Data Base Security

Answer 9

When a database has their own access control. May support data encryption

Question 10

Define role based Hirrarchies

Answer 10

A way of organizing roles to respect authority, responsibility, and competency

Subject to organizational policies or constraints.

Question 11

Explain Constrained User Interface (CUI)

Answer 11

A methodology that restricts the users actions of specific functions by not allowing the user to request functions that are outside of his/her respective level of privileged role

Question 12

How can we use CUI to deny or allow access to system function based on user authentication and capabilities/rights.

Answer 12

Menu and shells
Database views
Physically constraining a user interface

Question 13

Content dependent access control

Answer 13

Protects databases containing sensitive information

Permits or denies access based on the explicit content

Question 14

Define Context based access control

Answer 14

Used in firewall applications to extend the firewall decision making process to
Decision based on state
Application later protocol session information

Question 15

When would temporal isolation methodology be used?

Answer 15

Used to enhance role based access control

Bank access codes in vaults

Question 16

____A human user or NPE, such as a device that issues access requests to perform operations on objects

Answer 16

Subject

Question 17

_____A system resource for which access is managed by ABAC system. Such as devices, files, records, tables, process, programs, networks, or domain containing or receiving information

Answer 17

Object

Question 18

The representation of rules or relationships that makes it possible to determine if a requested access should be allowed

Answer 18

Policy

Question 19

___are the characteristics of the subject, object, or environment conditions.

Answer 19

Attributes

Question 20

What is view based access control

Answer 20

Separates A given access control object into sub components and permits or denies access to view or interact with specific sub components

Question 21

Attribute based access control

Answer 21

Subject request to perform operations on objects granted or denied based on assign attributes of the subject assign attributes of the object environment conditions and a set of policies

Question 22

Separation of duties

Answer 22

No single individual should perform a task from beginning to end

Question 23

Explain the Bell-LaPadula Confidentiality Model

Answer 23

Confidentiality model: a given user can read data at a lower sensitivity level But not those at a higher classification level.

Question 24

Biba integrity model

Answer 24

Looks at how the data is being manipulated to ensure integrity of the information.

subject cannot read down an object at a lower integrity level

Question 25

Define Clark-Wilson integrity models

Answer 25

Normally forms an access triple
of authenticated principles
programs acting on data
And the data items in them selves

• each triple or relation between user transaction and data item must be maintained in the system

Question 26

What are three integrity goals

Answer 26

1. Authentication prevents authorized users from making modifications on the system
2. Controls prevent authorize users from making improper modifications or other actions
3. Maintains internal and external consistency through the use of well-formed transactions

Question 27

Brewer and bash model -Chinese wall

Answer 27

Uses RBAC
Defines a wall to segment data types and developed a set of rules that ensure that no subject accesses o Jeff’s on the other side of the wall

Supports separation of duties

Question 28

Graham denning model and what are their 8 protection rights

Answer 28

Primarily concerned with

• how Subjects and objects are securely created
• how subjects are assigned rights of privileges
• how ownership of objects is managed
• how objects and subjects can be securely deleted

8 protection rights

1. Create object
2. create subject
3. Delete object
4. delete Subject
5. read access rights
6. grant access right
7. delete access right
8. transfer access right