ISC2 - Study Notes 5 Flashcards

1
Q

Another method is device fingerprinting, which identifies a device by a combination of characteristics rather than by any single one. Many of these are easy to capture when a user connects through a web page: operating system and version, IP address, browser, browser fonts, browser plug-ins, time zone, data storage, screen resolution, cookie settings, and HTTP headers.

A

Info

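The card above lists the characteristics that a fingerprint is built from; what it does not show is how they are combined or how a mismatch is handled. The following is an added example, not code from the ISC2 material: it hashes a canonicalised attribute set (so the order in which fonts or plug-ins are reported does not change the hash), and treats a partial match as a signal for step-up authentication rather than a hard deny. The attribute values, the `similarity` threshold of 0.8, and the three decision labels are assumptions chosen for illustration. The IP address is deliberately left out of the hash, because it changes whenever the user moves networks; it belongs in a separate risk signal.

```python
import hashlib
import json

# Constructed sample of what a login page could collect from a browser
# (HTTP headers plus values reported by client-side script). Made-up values.
ENROLLED = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0",
    "accept_language": "en-US,en;q=0.9",
    "time_zone": "America/New_York",
    "screen": "1920x1080x24",
    "fonts": ["Arial", "Calibri", "Segoe UI"],
    "plugins": ["PDF Viewer"],
    "cookies_enabled": True,
}

# Same device, but the script enumerated fonts in a different order.
SAME_DEVICE_REORDERED = {**ENROLLED, "fonts": ["Segoe UI", "Arial", "Calibri"]}

# Same device after the user changed time zone (travelling).
TRAVELLING = {**ENROLLED, "time_zone": "Europe/London"}

# A different machine altogether.
OTHER_MACHINE = {
    **ENROLLED,
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) Safari/605.1.15",
    "time_zone": "Asia/Tokyo",
    "screen": "2560x1600x30",
    "fonts": ["Helvetica", "Menlo"],
    "plugins": [],
}


def canonical(attrs):
    """Normalise collected attributes so collection order never changes the hash.

    Lists (fonts, plug-ins) are sorted; scalar values are kept as-is.
    """
    return {k: sorted(v) if isinstance(v, list) else v for k, v in attrs.items()}


def fingerprint(attrs):
    """SHA-256 over the canonical JSON encoding of the attribute set."""
    data = json.dumps(canonical(attrs), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def similarity(enrolled, observed):
    """Fraction of attributes that match exactly between two captures."""
    a, b = canonical(enrolled), canonical(observed)
    keys = set(a) | set(b)
    return sum(1 for k in keys if a.get(k) == b.get(k)) / len(keys)


def device_decision(enrolled, observed, threshold=0.8):
    """Classify a login attempt against the device enrolled for the account.

    An exact fingerprint match is a known device. A near match (assumed
    threshold: 80% of attributes identical) is probably the same device with a
    drifted attribute, so the caller should ask for an extra factor instead of
    blocking. Anything else is treated as an unknown device.
    """
    if fingerprint(enrolled) == fingerprint(observed):
        return "known_device"
    if similarity(enrolled, observed) >= threshold:
        return "changed_device_step_up"
    return "unknown_device"


if __name__ == "__main__":
    for label, capture in [("reordered", SAME_DEVICE_REORDERED),
                           ("travelling", TRAVELLING),
                           ("other machine", OTHER_MACHINE)]:
        print(f"{label:14s} similarity={similarity(ENROLLED, capture):.2f} "
              f"-> {device_decision(ENROLLED, capture)}")
```

The point of the `similarity` step is that a fingerprint is not a credential: browsers update, users travel, and a single changed attribute would otherwise lock out a legitimate user, so the fingerprint is better used to decide when to demand an extra factor than to grant access by itself.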
2
Q

A user requesting a web page from a server is clearly a subject. Similarly, the web pages served by the web server are the objects. However, this web server is retrieving data from a back-end database (protected behind a firewall) to build the web page. When the web server retrieves the data, it is a subject and the database is the object.

A

Info

3
Q

Time, Remote Access Attribute, Location, Role or group membership

A

Subject Attributes

4
Q

Data (stored in files, folders, and shares)

Hardware (such as desktop computers, servers, and printers)

Applications (such as a web server application)

Networks (such as an Internet connection or an internal connection)

Facilities (controlled with physical security)

A

Access control systems can treat any of the following as objects:

5
Q

Users

Computers

Applications

Networks

A

Access control systems can treat any of the following as subjects:

6
Q

??? (also called technical access controls) are implemented with technologies. Many logical access controls use access control lists (ACLs). For example, a router has an ACL with multiple rules that identify the traffic allowed in or out of a network. Similarly, files and folders often use ACLs to identify who can access the resource and what level of access each user has.

A

Logical Access Controls

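The card above gives two kinds of ACL, a router rule list and a file ACL, without saying how each is evaluated, and the evaluation rules are where misconfigurations hide. The following is an added example, not code from the ISC2 material. The router part evaluates rules top-down, first match wins, with an implicit deny for traffic that matches nothing. The file part uses a simplified NTFS-style rule, assumed here, in which an explicit deny on any matching entry overrides an allow from another entry (real NTFS also depends on the order of entries and on inheritance, which this does not model). The rule set, the addresses, the principals and the `Everyone` group name are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed router-style ACL. Each rule: (action, protocol, source network,
# destination network, destination port or None for any port). Rules are
# evaluated in order and the first match decides.
ROUTER_ACL = [
    ("permit", "tcp",  "0.0.0.0/0",  "203.0.113.10/32", 443),  # public web server
    ("permit", "tcp",  "10.0.0.0/8", "203.0.113.20/32", 22),   # SSH only from inside
    ("deny",   "tcp",  "0.0.0.0/0",  "203.0.113.20/32", 22),   # ... explicitly not from outside
    ("permit", "icmp", "10.0.0.0/8", "203.0.113.0/24",  None), # internal ping
]


def router_decision(acl, proto, src, dst, dport=None):
    """Return (action, rule_number). Rule number 0 means the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for number, (action, rproto, rsrc, rdst, rport) in enumerate(acl, start=1):
        if rproto != "any" and rproto != proto:
            continue
        if s not in ip_network(rsrc) or d not in ip_network(rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action, number
    return "deny", 0  # nothing matched: implicit deny at the end of the list


# Constructed file ACL: (principal, "allow" or "deny", set of rights).
FILE_ACL = [
    ("Everyone",    "allow", {"read"}),
    ("alice",       "allow", {"read", "write"}),
    ("contractors", "deny",  {"write"}),
]


def file_access(acl, user, groups, requested):
    """Assumed simplification of NTFS evaluation: gather allows from every entry
    naming the user or one of the user's groups, then subtract every deny.
    'Everyone' is assumed to be a group that always includes the user."""
    principals = {user, "Everyone"} | set(groups)
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return set(requested) <= (allowed - denied)


if __name__ == "__main__":
    packets = [
        ("tcp", "198.51.100.5", "203.0.113.10", 443),
        ("tcp", "10.1.2.3",     "203.0.113.20", 22),
        ("tcp", "198.51.100.5", "203.0.113.20", 22),
        ("tcp", "10.1.2.3",     "203.0.113.10", 80),
    ]
    for pkt in packets:
        print(pkt, "->", router_decision(ROUTER_ACL, *pkt))
    print("alice (contractor) write:", file_access(FILE_ACL, "alice", {"contractors"}, {"write"}))
    print("alice (contractor) read: ", file_access(FILE_ACL, "alice", {"contractors"}, {"read"}))
```

Two things to check on any real ACL follow directly from this: the fourth packet above is dropped even though no rule names it, because the implicit deny is part of the list, and alice loses write access she was granted by name because a deny on a group she belongs to wins. Both behaviours are correct, and both are the usual source of "but I gave them permission" tickets.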
7
Q

??? provides the most granular level of access control. It is an identity-based (or subject-based) model: the owner of an object decides who may access it and assigns permissions to subjects at the most basic level. For example, you can assign read permission to a single user. File systems such as New Technology File System (NTFS, used by Microsoft) and Network File System (NFS, used on UNIX-based systems such as Solaris and Linux) use the DAC model.

A

DAC Model

8
Q

In ???, security administrators, rather than the owners of objects, control the access granted to users. Other ??? models include role-based, rule-based, and attribute-based models.

A

non-Discretionary Access Control (non-DAC) models

9
Q

Some operating systems implement non-DAC models for system file access. This prevents malware from taking ownership of any critical or sensitive system files or modifying permissions on any of these files. Users still own and manage their own files using DAC, but the non-DAC model methods protect system files. In other cases, the operating system uses a non-DAC model exclusively, such as Mandatory Access Control.

A

non-DAC model info

10
Q

??? uses roles or groups to determine access. Subjects are placed into specific roles and object permissions are granted to the roles, not to individual subjects. Although the Role-BAC model doesn’t provide the granularity offered by DAC, it is easier to implement for large groups of people. ??? reduce the administrative workload and are very useful in organizations with high employee turnover, because a departing employee is removed from a few roles rather than from every object's permissions.

A

The Role-based Access Control (Role-BAC or RBAC) model

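Cards 7 and 10 contrast DAC (owner grants per-subject permissions) with Role-BAC (permissions attach to roles, subjects attach to roles) and claim that the role-based model reduces administrative work when staff turn over. The following is an added example that is not part of the ISC2 material: a minimal in-memory store for each model, with the same offboarding operation implemented in both so the difference in effort is visible in code. The object names, users and roles are constructed; both classes are illustrative and not any real operating system's implementation.

```python
class DacStore:
    """Discretionary model: every object has an owner, and only the owner
    may grant rights on it to other subjects."""

    def __init__(self):
        self.owner = {}   # object -> owner
        self.acl = {}     # object -> {subject: set of rights}

    def create(self, obj, owner):
        self.owner[obj] = owner
        self.acl[obj] = {}

    def grant(self, actor, obj, subject, right):
        # The discretionary part: the decision belongs to the owner, not an admin.
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acl[obj].setdefault(subject, set()).add(right)

    def check(self, subject, obj, right):
        if self.owner.get(obj) == subject:
            return True   # owners have full control of their own objects
        return right in self.acl.get(obj, {}).get(subject, set())

    def offboard(self, subject):
        """Revoke a departing subject everywhere. Every object's ACL has to be
        visited, because grants were made object by object. Returns the number
        of ACL entries removed. (Objects the subject owns are left as-is here;
        reassigning ownership is a separate, also per-object, task.)"""
        removed = 0
        for entries in self.acl.values():
            if entries.pop(subject, None) is not None:
                removed += 1
        return removed


class RbacStore:
    """Role-based model: rights are granted to roles, users are assigned roles,
    and a user's access is the union of the roles' rights."""

    def __init__(self):
        self.role_rights = {}   # role -> set of (object, right)
        self.user_roles = {}    # user -> set of roles

    def grant(self, role, obj, right):
        self.role_rights.setdefault(role, set()).add((obj, right))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user, obj, right):
        return any((obj, right) in self.role_rights.get(role, set())
                   for role in self.user_roles.get(user, ()))

    def offboard(self, user):
        """Revoke a departing user everywhere: drop the role assignments.
        No object is touched. Returns the number of roles removed."""
        return len(self.user_roles.pop(user, set()))


if __name__ == "__main__":
    dac = DacStore()
    dac.create("q3-report.docx", "alice")
    dac.grant("alice", "q3-report.docx", "bob", "read")
    print("DAC bob read :", dac.check("bob", "q3-report.docx", "read"))
    print("DAC bob write:", dac.check("bob", "q3-report.docx", "write"))
    print("DAC entries removed on offboarding bob:", dac.offboard("bob"))

    rbac = RbacStore()
    for doc in ("q3-report.docx", "q4-forecast.xlsx", "budget.xlsx"):
        rbac.grant("analyst", doc, "read")
    rbac.assign("carol", "analyst")
    print("RBAC carol read:", rbac.check("carol", "budget.xlsx", "read"))
    print("RBAC roles removed on offboarding carol:", rbac.offboard("carol"))
```

With three documents the difference is small; with thousands of shares and a departing contractor, the DAC version is a sweep across every object (and every object the person owns needs a new owner), whereas the RBAC version is one change to the user's role list, which is exactly the turnover argument the card makes.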