Lecture 1 Flashcards

Accountability and Access Control

1
Q

What is the CIA Triad?

A

Confidentiality, Integrity and Availability

2
Q

The hardware, software, policy/procedures used to grant/restrict access, monitor/record access, identifies users accessing and determines authorization is what?

A

Access Control

3
Q

The transfer of information from an object to a subject is called what?

A

Access

4
Q

There are two types of access, what are they?

A

Physical and logical

5
Q

Access should always have an implicit what statement?

A

Implicit Deny

6
Q

What is the term that ensures that only authorized subjects can access objects?

A

Confidentiality

7
Q

What is the term that ensures that unauthorized or unwanted changes to objects are denied?

A

Integrity

8
Q

What is the term that ensures that authorized requests for objects are granted as quickly as system and network parameters allow?

A

Availability

9
Q

What are the seven categories of function or purpose of Access Controls?

A

Preventive (or preventative)
Deterrent
Detective
Corrective
Recovery
Compensation
Directive

10
Q

What are the 3 ways access controls can be implemented?

A

Physical
Technical/logical
Administrative

11
Q

Why is accountability important?

A

It holds an entity responsible for their actions online/on the system

12
Q

What steps are needed to hold someone accountable?

A

Identification
Authentication
Authorization
Auditing
Accountability

13
Q

The process by which a subject professes an identity is called what?

A

Identification

Examples: userid, username

14
Q

The process of verifying that a claimed identity is valid is called what?

A

Authentication

15
Q

What are the 3 factors used for authentication?

A

Something you know (password, pin)
Something you have (token, smartcard)
Something you are (fingerprint, retina scan)

16
Q

True/False: Multi-factor authentication includes having a password and a pin number to gain access

A

False

Multi-factor means using two different types of authentication like a smart card and a pin

17
Q

The process that ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity is called what?

A

Authorization

18
Q

Auditing is the process of what?

A

Tracking the activity of a subject in the system/online

19
Q

What is the weakest technique of authentication?

A

Passwords

20
Q

What type of authentication has a Cross Over Error Rate (CER)?
What does that mean?

A

Biometrics

The False Acceptance Rate and False Rejection Rate are Equal

21
Q

In biometrics, a sensitivity setting that is too sensitive results in what?

A

Type 1 errors: False Rejection

False Rejection Rate (FRR)

22
Q

In biometrics, a sensitivity setting that is not sensitive enough results in what?

A

Type 2 errors: False Acceptance

False Acceptance Rate (FAR)

23
Q

Besides sensitivity, several other factors affect the effectiveness of biometric devices. What are they? (3)

A

Enrollment Time
Throughput Rate
Acceptability

24
Q

What are the 4 types of tokens?

A

Static
Synchronous dynamic password tokens
Asynchronous dynamic password tokens
Challenge-response tokens

25
Q

This is a mechanism that employs a third-party entity to prove identification and provide authentication.

A

Ticket

Kerberos is the most known

26
Q

Kerberos relies on what type of cryptography?

A

symmetric-key (private-key) cryptography

-Advanced Encryption Standard (AES)

27
Q

What are the two primary categories of access control techniques?

A

Discretionary Access Control (DAC)
Nondiscretionary Access Control
 - Mandatory Access Control (MAC)
 - Role Based Access Control (RBAC)
 - Task Based Access Control (TBAC)

28
Q

What type of Access Control uses ACLs?

A

Discretionary

29
Q

This type of Nondiscretionary access control uses classification labels.

A

Mandatory Access Controls (MAC)

It uses subjects and objects to identify access

30
Q

This type of Nondiscretionary access control uses the subject's roles and tasks to define access.

A

Role Based Access Control (RBAC)

31
Q

Access control can be managed in two ways, what are they?

A

Centralized

Decentralized

32
Q

Access control administration has 3 main responsibilities. What are they?

A

Account Administration
Account, Log, and Journal Monitoring (covered later in the course)
Access Rights and Permissions

33
Q

Who is the person who has final responsibility for classifying and protecting objects?

A

The owner

34
Q

Who is the subject who has been assigned the day-to-day responsibility of properly storing and protecting objects?

A

Custodian