Lecture 1 Flashcards
Accountability and Access Control
What is the CIA Triad?
Confidentiality, Integrity and Availability
What is the term for the hardware, software, and policies/procedures that grant or restrict access, monitor and record access attempts, identify the users requesting access, and determine whether they are authorized?
Access Control
The transfer of information from an object to a subject is called what?
Access
There are two types of access, what are they?
Physical and logical
Every set of access control rules should end with what default statement?
Implicit Deny: anything not explicitly granted is denied
What is the term that ensures that only authorized subjects can access objects?
Confidentiality
What is the term that ensures that unauthorized or unwanted changes to objects are denied?
Integrity
What is the term that ensures that authorized requests for objects are granted as quickly as system and network parameters allow?
Availability
What are the seven categories of function or purpose of Access Controls?
Preventive (or preventative)
Deterrent
Detective
Corrective
Recovery
Compensating
Directive
What are the 3 ways access controls can be implemented?
Physical
Technical/logical
Administrative
Why is accountability important?
It holds an entity responsible for their actions online/on the system
What steps are needed to hold someone accountable?
Identification
Authentication
Authorization
Auditing
Accountability
The process by which a subject professes an identity is called what?
Identification
Examples: userid, username
The process of verifying that a claimed identity is valid is called what?
Authentication
What are the 3 factors used for authentication?
Something you know (password, pin)
Something you have (token, smartcard)
Something you are (fingerprint, retina scan)
True/False: Using both a password and a PIN to gain access counts as multi-factor authentication
False
Multi-factor means combining two different factor types, such as a smart card (something you have) and a PIN (something you know); a password and a PIN are both something you know, so together they are still single-factor
The process that ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity, is called what?
Authorization
Auditing is the process of what?
Tracking the activity of a subject in the system/online
Which authentication technique is considered the weakest?
Passwords
Which type of authentication has a Crossover Error Rate (CER), and what does that mean?
Biometrics
The CER is the sensitivity setting at which the False Acceptance Rate and the False Rejection Rate are equal; the lower the CER, the more accurate the device
In biometrics, a device that is tuned too sensitive produces what kind of error?
Type 1 errors: False Rejection (a legitimate user is turned away)
Measured by the False Rejection Rate (FRR)
In biometrics, a device that is not sensitive enough produces what kind of error?
Type 2 errors: False Acceptance (an impostor is let in)
Measured by the False Acceptance Rate (FAR)
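The following is an added worked example (not part of the original flashcards) showing how FAR, FRR and the CER are derived from a device's sensitivity threshold. The match scores are constructed for illustration: a higher score means the presented sample looks more like the enrolled template, and the device accepts a sample when its score is at or above the threshold. Raising the threshold makes the device more sensitive (more Type 1 false rejections); lowering it makes it less sensitive (more Type 2 false acceptances).

```python
"""FAR, FRR and Crossover Error Rate (CER) for a biometric threshold.

Constructed sample data: match scores in the range 0..100 (assumed scale).
GENUINE_SCORES come from the enrolled user presenting their own biometric,
IMPOSTOR_SCORES from other people trying the same account.
"""

GENUINE_SCORES = [92, 88, 85, 81, 78, 75, 70, 66, 60, 55]   # constructed
IMPOSTOR_SCORES = [30, 35, 42, 48, 52, 58, 63, 68, 72, 79]  # constructed


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type 2 error): fraction of impostors accepted.

    An impostor is accepted when their score reaches the threshold, so a
    low threshold (device not sensitive enough) drives FAR up.
    """
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Rejection Rate (Type 1 error): fraction of genuine users rejected.

    A genuine user is rejected when their score falls below the threshold,
    so a high threshold (device too sensitive) drives FRR up.
    """
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_rates(threshold):
    """Both rates at one sensitivity setting, for tuning tables."""
    return {"threshold": threshold, "FAR": far(threshold), "FRR": frr(threshold)}


def crossover_error_rate(genuine_scores=GENUINE_SCORES,
                         impostor_scores=IMPOSTOR_SCORES):
    """Sweep every integer threshold and return (threshold, CER).

    The CER is the error rate at the setting where FAR and FRR are equal.
    On real data they are rarely exactly equal at an integer threshold, so
    this picks the threshold that minimizes |FAR - FRR| and reports the
    average of the two rates there.
    """
    best = None  # (gap, threshold, rate)
    for t in range(0, 101):
        a, r = far(t, impostor_scores), frr(t, genuine_scores)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, threshold, rate = best
    return threshold, rate


if __name__ == "__main__":
    for t in (40, 60, 67, 90):
        print(error_rates(t))
    print("CER at threshold %d: %.2f" % crossover_error_rate())
```

With the constructed scores the sweep lands on threshold 67, where one impostor in ten is accepted... three in ten are, and three genuine users in ten are rejected, so the CER is 0.30; a device whose CER is lower than another's is the more accurate one, regardless of where its threshold happens to sit.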
Besides sensitivity, several other factors affect the effectiveness of biometric devices. What are they? (3)
Enrollment Time
Throughput Rate
Acceptability
What are the 4 types of tokens?
Static
Synchronous dynamic password tokens
Asynchronous dynamic password tokens
Challenge-response tokens
This mechanism employs a trusted third-party entity to prove identification and provide authentication.
Ticket-based authentication
Kerberos is the best-known example
Kerberos relies on what type of cryptography?
Symmetric-key (also called secret-key or private-key) cryptography
-Modern implementations use the Advanced Encryption Standard (AES)
What are the two primary categories of access control techniques?
Discretionary Access Control (DAC)
Nondiscretionary Access Control
-Mandatory Access Control (MAC)
-Role Based Access Control (RBAC)
-Task Based Access Control (TBAC)
What type of Access Control uses ACLs?
Discretionary
This type of nondiscretionary access control uses classification labels.
Mandatory Access Control (MAC)
Each subject carries a clearance label and each object a classification label; access is granted or denied by comparing the two
This type of nondiscretionary access control uses the subject's roles (or, in the task-based variant, assigned tasks) to define access.
Role Based Access Control (RBAC); Task Based Access Control (TBAC) when tasks rather than roles are used
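The following is an added worked example (not part of the original flashcards) that implements one access decision under each model on the cards above: a DAC check against an owner-maintained ACL, a MAC check comparing clearance and classification labels, and an RBAC check through role assignments. Every decision function ends in an implicit deny, and a wrapper records each decision in an audit log so that the subject can be held accountable. The users, objects, labels, roles and ACL entries are constructed for illustration; the MAC rules follow the Bell-LaPadula "no read up, no write down" convention, which is an assumption of this example rather than something the cards state.

```python
"""DAC, MAC and RBAC access decisions with implicit deny and auditing.

All subjects, objects, labels, roles and ACL entries below are constructed
sample data for the example.
"""

# ---------- DAC: the object's owner keeps an ACL per object ----------
# object -> {subject: set of permissions}   (constructed)
DAC_ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "notes.txt": {"carol": {"read", "write", "execute"}},
}


def decide_dac(subject, obj, permission, acl=DAC_ACL):
    """Grant only when the object's ACL lists the subject with that permission."""
    entries = acl.get(obj, {})
    if permission in entries.get(subject, set()):
        return True
    return False  # implicit deny: no ACL entry matched


# ---------- MAC: clearance and classification labels ----------
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
SUBJECT_CLEARANCE = {"alice": "Secret", "bob": "Confidential"}      # constructed
OBJECT_LABEL = {"troop-movements": "Top Secret",                    # constructed
                "budget": "Secret",
                "cafeteria-menu": "Unclassified"}


def decide_mac(subject, obj, permission):
    """Compare the subject's clearance with the object's classification.

    Assumed Bell-LaPadula rules: read needs clearance >= label (no read up),
    write needs clearance <= label (no write down).
    """
    clearance = LEVELS.get(SUBJECT_CLEARANCE.get(subject))
    label = LEVELS.get(OBJECT_LABEL.get(obj))
    if clearance is None or label is None:
        return False  # unknown subject or unlabeled object: implicit deny
    if permission == "read" and clearance >= label:
        return True
    if permission == "write" and clearance <= label:
        return True
    return False  # implicit deny


# ---------- RBAC: permissions attach to roles, subjects hold roles ----------
ROLE_PERMISSIONS = {                                                 # constructed
    "hr": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "auditor": {("payroll.xlsx", "read")},
}
SUBJECT_ROLES = {"alice": {"hr"}, "dave": {"auditor"}}              # constructed


def decide_rbac(subject, obj, permission):
    """Grant when any role held by the subject carries the permission."""
    for role in SUBJECT_ROLES.get(subject, set()):
        if (obj, permission) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # implicit deny: no role grants it


# ---------- Auditing: record every decision for accountability ----------
AUDIT_LOG = []


def check_access(model, subject, obj, permission):
    """Route the request to the chosen model and log the outcome."""
    deciders = {"dac": decide_dac, "mac": decide_mac, "rbac": decide_rbac}
    granted = deciders[model](subject, obj, permission)
    AUDIT_LOG.append({"model": model, "subject": subject, "object": obj,
                      "permission": permission, "granted": granted})
    return granted


if __name__ == "__main__":
    check_access("dac", "bob", "payroll.xlsx", "write")      # denied
    check_access("mac", "bob", "troop-movements", "read")    # denied (read up)
    check_access("rbac", "dave", "payroll.xlsx", "read")     # granted
    check_access("rbac", "erin", "payroll.xlsx", "read")     # denied (no roles)
    for entry in AUDIT_LOG:
        print(entry)
```

Note how the three models differ in who sets the rule: under DAC the owner edits the ACL, under MAC the labels are fixed by policy and the subject cannot loosen them, and under RBAC access changes by assigning or revoking a role rather than editing per-object entries. In all three, a request nothing explicitly covers (an unknown object, an unlabeled file, a subject with no roles) falls through to the final return False.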
Access control can be managed in two ways, what are they?
Centralized
Decentralized
Access control administration has 3 main responsibilities. What are they?
Account Administration
Account, Log, and Journal Monitoring (covered later in the course)
Access Rights and Permissions
Who is the person who has final responsibility for classifying and protecting objects?
The owner
Who is the subject who has been assigned the day-to-day responsibility of properly storing and protecting objects?
Custodian