Section 2: Key Concepts, Identification and Authorization

Question 1

5 things that would make you’re information insecure.

Answer 1

1. Not applying security patches or app updates to your system
2. using weak passwords such as ‘password”
3. Downloading programs from the internet
4. Opening email attachments from unknown senders
5. Using wireless networks without encryption

Question 2

4 examples of ways confidentiality could be compromised (ATM example)

Answer 2

1. You could lose your laptop containing data
2. Someone could look over your shoulder while you enter the password.
3. You could send an email attachment to the wrong person
4. Attackers could penetrate your system

Question 3

Two things needed to maintain integrity

Answer 3

1. you need to have the means to prevent unauthorized changes to your data
2. you need the ability to reverse unwanted authorized changes.

Question 4

When is integrity particularly important?

Answer 4

when it concerns data that provides the foundation for other decisions

Question 5

4 examples of things that may cause you to lose availability of your data.

Answer 5

1. power loss
2. operating system or application problems
3. network attacks
4. a compromised system

Question 6

What is it called when an outside party like an attacker causes availability issues.

Answer 6

a DoS attack
(Denial of Service)

Question 7

What 6 principles make up the Parkerian Hexad?

Answer 7

1. Confidentiality
2. Integrity
3. Availability
4. Possession / Control
5. Authenticity
6. Utility

Question 8

How is Integrity defined differently in the Parkerian Hexad model than it is in the CIA Triad.

Answer 8

In Parkerian Hexad, integrity doesn’t account for authorized but incorrect modification of data. The data must be whole and completely unchanged from its previous state.

Question 9

IF you send an email message that’s altered so it appears to have come from a different email than the one it was sent from, which Parkerian Hexad principle was violated?

Answer 9

Authenticity

Question 10

Which principle of the Parkerian Hexad isn’t necessarily binary in nature?

Answer 10

Utility

Question 11

What are the 4 categories of attacks?

Answer 11

1. Interception
2. Interruption
3. Modification
4. Fabrication

Question 12

What type or types of attacks primarily affect Confidentiality?

(CIA Triad)

Answer 12

Interception

Question 13

What type or types of attacks primarily affect Integrity?

(CIA Triad)

Answer 13

1. Interruption
2. Modification
3. Fabrication

Question 14

What type or types of attacks primarily affect Availability?

(CIA Triad)

Answer 14

1. Interruption
2. Modification
3. Fabrication

Question 15

What are interception attacks?

1.
2.
3.

Answer 15

1. Unauthorized file viewing or copying
2. Eavesdropping on phone conversations
3. Reading someone else’s email

Question 16

What kind of data can interception attacks be conducted?

Answer 16

Data at rest and data in motion

Question 17

Where is data at rest usually stored?

Answer 17

1. hard drive
2. flash drive
3. database

(Can be more)

Question 18

What kind of protection does data at rest usually have?

Answer 18

some sort of encryption, often at the level of the file or the entire storage device

Question 19

What kind of protection does data in motion usually have?

Answer 19

encryption, but the encryption protects the network protocol or path used to move data from one place to another lol.

Question 20

What kind of protections surround data in use?

Answer 20

Permissions and authentication of users

Question 21

What are interruption attacks?

Answer 21

They make your assets unusable or unavailable either temporarily or permanently

Question 22

What are modification attacks?

Answer 22

Involve tampering with an asset

Question 23

What are Fabrication Attacks?

Answer 23

Involve generating data, processes, communications, or other similar material.

Question 24

What is a threat?

Answer 24

Something that has the potential to cause harm and tends to be specific to certain environments

Question 25

What is vulnerability?

Answer 25

Weaknesses, or holes that threats can exploit to cause you harm.

Question 26

What do you need to have risk in an environment?

Answer 26

You must have both a threat and a matching vulnerability that that the threat could exploit.

Question 27

What are the 5 steps of the risk management process?

Answer 27

1. Identify Assets
2. Identify Threats
3. Assess Vulnerabilities
4. Assess Risks
5. Mitigate Risks

Question 28

How would you identify your assets?

Answer 28

Enumerate your assets and evaluate the importance of each one.

Once you’ve identified assets in use, decide which ones are critical business assets.

Question 29

How would you determine which assets are critical to conducting business?

Answer 29

Generally would require the input of functions that make sue of that asset, those that support the asset itself, and potentially other parties as well.

Question 30

How would you Identify threats?

Answer 30

After enumerating critical business assets, you can begin to identify threats that might affect them.

Question 31

What 2 frameworks can be used to assess threats against business critical assets?

Answer 31

1. CIA Triad
2. Parkerian Hexad

Question 32

How would you assess vulnerabilities?

Answer 32

Should be done in the context of potential threats.

Any asset can have millions of threats but only a small number will be relevant

Question 33

How should you assess risks?

Answer 33

Once you’ve identified threats and vulnerabilities for a given asset, you can assess overall risk.

You MUST have a matching threat and vulnerability to have a risk.

Question 34

What 3 categories are controls divided into?

Answer 34

1. physical
2. logical
3. administrative

Question 35

What kind of control would a lock be?

Answer 35

physical

Question 36

what kind of control would a camera be?

Answer 36

physical

Question 37

what kind of control would heating and air conditioning be?

Answer 37

physical

Question 38

what kind of control would a backup power generator be?

Answer 38

physical

Question 39

Logical controls are also called what?

Answer 39

tehchnical controls.

Question 40

what kind of control is a password?

Answer 40

logical

Question 41

what kind of control is encryption?

Answer 41

Logical

Question 42

what kind of control are access controls?

Answer 42

logical

Question 43

what kind of control is an intrusion detection system?

Answer 43

logical

Question 44

what do logical controls do?

Answer 44

enable you to prevent unauthorized activities.

Question 45

which kind of control, if implemented properly and is successful, would an attacker or unauthorized user be unable to access your applications and data without subverting the controls?

Answer 45

logical

Question 46

what do administrative controls represent?

Answer 46

authority

Question 47

Administrative controls are useless without what?

Answer 47

The authority or ability to ensure that people comply with your controls.

They can actively harm you by giving you a false sense of security.

Question 48

Incident response process consists of what 6 things?

Answer 48

1. Preparation
2. Detection and analysis
3. Containment
4. Eradication
5. Recovery
6. Post-incident activity

Question 49

Preparation phase of an incident response consists of what?

Answer 49

All of the activities you can perform ahead of time to better handle an incident.

Question 50

What activities are typically involved in preparation of an incident response?

Answer 50

1. Creating policies and procedures that govern indecent response and handling
2. Conducting training and education for both incident handlers and those who are expected to report incidences
3. Developing and maintaining documentation.

Question 51

What is the detection and analysis phase?
(3)

Answer 51

Where action begins in an incident response. This is where you:

1. Detect an issue
2. Decide whether it’s actually an incident
3. Respond appropriately

Question 52

What are the common detection tools you’ll use? (6)

Answer 52

1. IDS (Intrustion detection system)
2. AV (Antivirus) software
3. Firewall logs
4. Proxy logs
5. Alerts from a security information and event monitoring (SIEM) tool
6. Managed security service provider (MSSP)

Question 53

The analysis portion of detection and analysis in incident response is often a combination of what? (2)

Answer 53

Automation from a tool or service, usually a SIEM tool, and human judgment.

Question 54

What might human intervention looks like in analyzing incidences?

Answer 54

1. A review of logs output by various security, network and infrastructure devices.
2. Contact with the party who reported the incident
3. General evaluation of the situation.

Question 55

What is Containment in incident response?

Answer 55

Taking steps to ensure that the situation doesn’t cause any more damage than it already has—or at least lessen any ongoing harm.

Question 56

What is eradication in incident response?

Answer 56

Attempt to remove the effects of the issue from your environment.

Question 57

What is recovery in incident response?

Answer 57

Recover the state you were in prior to the incident.

Question 58

What is post-incident activity?

Answer 58

You’ll attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again.

Question 59

What is defense in depth?

Answer 59

Formulate a multilayered defense that will allow you to still mount a successful resistance should one or more of your defensive measures fail.

Question 60

What is the lowest standard of defenses you would want?

Answer 60

1. Data
2. Applications
3. Host
4. Internal network
5. External network

Question 61

What is the goal of defense in depth?

Answer 61

To place enough defensive measures between your truly important asses and the attacker so that you’ll notice that an attack is in progress and have enough time to prevent it.

Question 62

What is insufficient entropy?

Answer 62

Not enough unpredictability

Question 63

What are 6 defensive measures for external networks?

Answer 63

1. DMZ (Demilitarized zone—subnetwork containing an organizations exposed outward facing services. Acts as the exposed point to an untrusted network)
2. VPN
3. Logging
4. Auditing
5. Penetration testing
6. Vulnerability analysis

Question 64

Name 7 defensive measures of network perimeters.

Answer 64

1. Firewalls
2. Proxy
3. Logging
4. State full packet inspection
5. Auditing
6. Penetration testing
7. Vulnerability analysis

Question 65

Name 6 defensive measures for internal networks

Answer 65

1. IDS (Intrusion detection system)
2. IPS (Intrusion prevention system)
3. Logging
4. Auditing
5. Penetration testing
6. Vulnerability Analysis

Question 66

Name 11 defensive measures for hosts.

Answer 66

1. Authentication
2. Antivirus
3. Firewall
4. IDS (Intrusion detection system)
5. IPS (Intrustion protection system)
6. Passwords
7. Hashing
8. Logging
9. Auditing
10. Penetration testing
11. Vulnerability analysis

Question 67

Name 6 defensive measures for applications

Answer 67

1. SSO (Single sign on)
2. Content filtering
3. Data validation
4. Auditing
5. Penetration testing
6. Vulnerability analysis

Question 68

Name 5 defensive measures for data

Answer 68

1. Encryption
2. Access controls
3. Backups
4. Penetration testing
5. Vulnerability analysis

Question 69

Areas of Information Security (8)

Answer 69

1. Security and risk management
2. Asset security
3. Security architecture and engineering
4. communications and network security
5. identity and access management
6. security assessment and testing
7. security operations
8. software development security

Question 70

Implicit deny is what?

Answer 70

Common in network security

An ACL rule that blocks all traffic that hasn’t been explicitly allowed via another acl rule.

ACL= Access Control List

Question 71

What is FISMA (Federal Information Security Act)?

Answer 71

US law that puts together information security framework that government organizations must follow

Question 72

What is the Gramm-Leach-Bliley Act?

Answer 72

If you’re a financial institution—you must explain your information sharing activities with customer data and making sure you safeguard that data.

How are you proactively securing that Data

Question 73

What is Due Care?

Answer 73

Often called the “prudent man” rule.

Doing what any responsible person would do, in other works implementing a security measure to mitigate against certain risks.

Question 74

What is due diligence?

Answer 74

Essentially the management of due care.

Ensuring the implemented security measure was done correctly.

Question 75

What is gross negligence?

Answer 75

The opposite of due care.

If you’re not performing due care, or what a “prudent man” would do, and you suffer a negative loss, you could be held legally liable, I.e. you acted with gross negligence.

Question 76

Authentication can be used to prove the identity of: (4)

Answer 76

1. A user
2. A service or process running on a computer or server
3. A workstation or server itself
4. A network device

Question 77

What is a common example of authentication?

Answer 77

Username and password

Question 78

What are 3 aspects of IT management?

Answer 78

1. People
2. Processes (things running on our servers)
3. Technology (devices themselves)

Question 79

What are the 5 factors of authentication?

Answer 79

1. Something you know
2. Something you have
3. Something you are
4. Something you do
5. Somewhere you are

Question 80

Name 2 examples of something you know form of authentication?

Answer 80

1. Password
2. Pin

Question 81

Name 3 examples of something you have types of authentication.

Answer 81

1. Smart card
2. RSA token
3. ATM card to get cash .

Things you must physically have in front of you

Question 82

Name an example of something you are types of authentication.

Answer 82

Biometrics

Question 83

Name 5 types of physiological Biometrics

Answer 83

1. Face
2. Fingerprint
3. Hand scan
4. Iris scan
5. DNA

Question 84

Name 3 kinds of behavioral biometrics?

Answer 84

1. Keystroke
2. Signature
3. Voice

Question 85

What is two-factor authentication?

Answer 85

Uses a combination of two of the three factors of authentication.

1. Something you have
2. Something you know
3. Something you are

Question 86

What is non-repudiation?

Answer 86

Used to prevent an entity from denying an action took place.

Question 87

Name two examples of non-repudiation.

Answer 87

1. Digitally signed documents
2. Auditing system logs

Question 88

What is information security governance?

Answer 88

The process of how an organization manages its information security program via policies, procedures, roles, and responsibilities.

Determines how much security is enough security.

Question 89

Why is information security governance important?

Answer 89

It provides strategic direction for security activities and ensures that cybersecurity objectives such as effective risk management are achieved.

Question 90

What is identity proofing?

Answer 90

Validating someone’s identity before credentials are issued.

Question 91

What is a risk assessment score?

Answer 91

probability X impact.

Question 92

What is avoidance?

Answer 92

The process of eliminating a risk by not engaging in an activity.

We avoid a risk by eliminating it’s source altogether.

Question 93

What is acceptance?

Answer 93

Accepting an identified risk, meaning no action will be taken when a risk assessment score is low.

Question 94

What is mitigation?

Answer 94

The process of taking steps the minimize the impact of risk

Question 95

What is Transference?

Answer 95

Transferring the responsibility of a risk to a third party, such as insurance.

Question 96

What is residual risk?

Answer 96

The risk that remains when after risk mitigation or transference activities have taken place.

Question 97

Name 5 types of risk? (loss)

Answer 97

1. Monetary
2. Reputation
3. Loss of Asset
4. Intellectual Property
5. Legal

Question 98

Name 3 sources of threats.

Answer 98

1. Natural
2. Unintentional
3. Intentional

Question 99

What is Qualitative Risk?

Answer 99

More subjective way of analyzing risk

Question 100

What is Quatitative Risk?

Answer 100

More objective way of analyzing risk.

May include specific monetary values, how often it occurs, uses mathematics etc.

Question 101

What is AV? (Asset Value)

Answer 101

The value of an asset

Question 102

What is EF (exposure factor)?

Answer 102

the percentage loss of a specific asset if a risk is realized.

Question 103

What is SLE (Single loss expectancy)?

Answer 103

The monetary value expected from the occurrence of a risk on an asset

Question 104

What is the formula for SLE

Answer 104

SLE = AV x EF

(Single loss expectancy = Asset Value X Exposure Factor)

Question 105

What is ARO (Annual rate of occurrence?)

Answer 105

the estimated frequency of a threat occurring in a single year

Question 106

What is ALE (Annualized Loss Expectancy)

Answer 106

the expected monetary loss that can be expected from an asset due to a risk over a one year period

Question 107

What is the formula to calculate ALE (Annualized loss expectancy)

Answer 107

ALE = SLE x ARO

(Annualized loss expectancy = Single loss expectancy X Annual rate of occurrence)

Question 108

What is an attack surface?

Answer 108

Is a vulnerability. It’s any way an attacker can gain access to pose a security risk.

Question 109

What are 3 common attack surfaces?

Answer 109

1. Application: that are running on our network
2. Network (itself)
3. User

Question 110

When analyzing our applications for attack surfaces we commonly look at:

Answer 110

1. The amount of code (Higher chance of back doors and errors)
2. Data inputs (should be validated data)
3. System Services
4. Network Communication ports (Applications that are communicating on the network through port, attacker might be able to attack server/system through open port)

Question 111

When analyzing our network for attack surfaces, we will commonly look at: (4)

Answer 111

1. Overall network design
2. Placement of Mission critical servers and systems
3. Placement & configuration of network firewalls
4. Other security-Related devices and services: IDS, IPS, VPN, etc.

Question 112

When analyzing user for attack surfaces, well commonly look at: (4)

Answer 112

1. Effectiveness of Policies, Procedures, and Training
2. Risk of social engineering
3. Potential for human error
4. Risk of Malicious Behavior

Question 113

Name 7 types of assets

Answer 113

1. People
2. Information
3. Data
4. Hardware
5. Software
6. Processes
7. Ideas

Anything of value to the company

Question 114

What are the 5 steps to the Assett identification and classification process?

Answer 114

1. Inventory your assets
2. Assign Ownership
3. Classify based on value
4. protect based on value classification
5. Periodically assess and review

Question 115

What are the 5 steps in the asset lifecycle

Answer 115

1. identify and classify (new assets should be)
2. secure (based on classified value)
3. monitor (regularly for changes in value and effectiveness of security controls)
4. recovery (if an asset is adversely impacted, recovery measures should be in place)
5. disposition

Question 116

What are the 2 methods of disposing of an asset?

Answer 116

1. archiving for long-term storage
2. defensible destruction : insuring there is no data remanence

Question 117

What is a reverse shell?

Answer 117

enables an attacker to gain remote access to and control of a machine by bypassing firewall safeguards

Question 118

What is identification?

Answer 118

Makes a claim about what someone or something is

Question 119

What is authentication?

Answer 119

Establishes whether something or someone is what they’re supposed to be

Question 120

Is identity verification less or more strong than authentication?

Answer 120

It’s less strong than authentication.

Question 121

What is the difference between authentication and authorization?

Answer 121

Authentication is a set of methods used to establish whether a claim of identity is true.

Authorization determines what someone is permitted to do.

Question 122

What is mutual authentication?

Answer 122

An authentication mechanism in which both parties in a transaction authenticate each other.

These are typically software based. (Client-server; server-client)

Question 123

What does mutual authentication generally rely on?

Answer 123

Digital certificates.

Question 124

What kind of attack do you leave yourself vulnerable to when you don’t perform mutual authentication?

Answer 124

MITM (Man in the middle)

Question 125

How does a MITM (man in the middle) attack work?

Answer 125

attacks where the attacker inserts themselves between the client and the server and impersonates the server to the client and the client to the server.

They circumvent the normal pattern of traffic and then intercept and forward the traffic that would normally flow directly between the client and the server

Question 126

What is manual synchronization of passwords?

Answer 126

Using the same password everywhere

Question 127

What is minutiae?

Answer 127

Noting elements that appear at certain parts of the image

Question 128

What 7 characteristics are biometric factors defined by?

Answer 128

1. Universality
2. Uniqueness
3. Permanence
4. Collectibility
5. Performance
6. Acceptability
7. Circumvention

Question 129

What is universality

Answer 129

Should be able to find your chosen biometric characteristic in the majority of people you expect to enroll in the system.

Question 130

What is uniqueness?

Answer 130

A measure of how unique a characteristic is among individuals

Question 131

What is permanence?

Answer 131

Tests how well a characteristic resists changes over time and with advancing age.

Question 132

What is collectability?

Answer 132

Measures how easy it is to acquire a characteristic.

Question 133

What is performance?

Answer 133

How well a given biometric system functions based on factors such a s speed, accuracy, and error rate.

Question 134

Hat is acceptability?

Answer 134

A measure of how acceptable the characteristic is to the users of the system.

In general, systems that are slow, difficult to use or awkward to use are less likely to be acceptable.

Question 135

What is circumvention?

Answer 135

Describes how easy it is to trick a system by using a falsified biometric identifier.

Question 136

What is a gummy finger?

Answer 136

A type of biometric identification attack where a fingerprint is lifted from a surface and used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.

Question 137

What secondary features of biometric systems have been put in place to defeat gummy attacks?

Answer 137

Measuring skin temperature, pulse, or pupillary response.

Question 138

What are 2 of the mot important measures of biometric performance?

Answer 138

1. FAR (false acceptance rate)
2. FRR (False rejection rate)

Question 139

What is ERR equal error rate?

Answer 139

A balance between false acceptance and false rejection of biometric data.

Is often used as a measure of the accuracy of biometric systems.

Question 140

What are hardware tokens?

Answer 140

A small device, typically in the general form factor of a credit card or keychain fob.

Contains a certificate or unique identifier.

Question 141

What do more complex hardware tokens have that differentiates them?

Answer 141

LCD’s (Liquid crystal displays),
Keypads for entering passwords
Biometric readers
Wireless devices
Additional features to enhance security

Question 142

What are access controls?

Answer 142

Generally how you implement authorization, by using tools and systems you use to deny or allow access.

Question 143

What 4 basic tasks would you probably want to use access control for?

Answer 143

1. Allowing access
2. Denying access
3. Limiting access
4. Revoking access

Question 144

Name one example of a sandbox?

Answer 144

JVM Java virtual Machine

Question 145

What are the two main methods of implementing access controls?

Answer 145

1. Access control lists
2. Capabilities

Question 146

What are access control lists?

Answer 146

Lists containing information about what kind of access certain parties are allowed to have in a given system.

Question 147

What are the three types of permissions in an ACL access control list file system?

Answer 147

1. Read allowing user to access the contents of the file or directory
2. Write allowing a user to write a file or directory
3. Execute allowing a user to execute the contents of that file if the file contains a program or script capable or running on the system in question.

Question 148

What command would you issue on a Linux-based OS to view the three sets of permissions? (For viewing files)

Answer 148

Ls -la

Question 149

In Linux, when looking at ACL permissions, what do each of the 4 sections represent
- | r w - | r - - | r - -

Answer 149

1. First character = file type. R=regular D=Directory
2. Represents the user who owns the files permissions and is set to r w. Meaning user can read and write but not execute.
3. Group permissions= set to r - - meaning that members of the group that was given ownership and read it but not write or execute it.
4. Other is also set to r - - meaning anyone who is not the user who owns the file or in the group that owns the file can also read it but not write or execute it.

Question 150

What do you use to filter access in network ACL’s

(3)

Answer 150

1. IP (Internet Protocol) addresses
2. Media Access Control Addresses
3. Ports

Question 151

What network infrastructure can you see network ACL’s
(3)

Answer 151

1. Routers
2. Switches
3. Firewall devices including software firewalls such as google, facebook, email, etc.

Question 152

How to network ACL’s work?

Answer 152

Tend to be binary, either allow or deny by granting or denying access to traffic.

Question 153

What is media access control addresses?

Answer 153

Unique identifiers hard-coded into each network interface in a given system.

Question 154

Why is media access control not a good choice for a unique identifier of a device on a network?

Answer 154

Because software settings in most OS can override this address, thus changing it is easy.

Question 155

Why aren’t IP adresses a good form of network ACL?

Answer 155

Because you can falsify an IP address, they’re not unique to a network and they’re issued by ISP’s and are subject to frequently change.

Question 156

What is blackholing?

Answer 156

It’s the use of large-scale filtering to block out known attacks, spammers, or undesirable traffic and can be applied to IP addresses, ISP’s or even entire countries.

Question 157

What are network ports?

Answer 157

A numerical designation for one side of a connection between two devices and are used to identify applications to which traffic should be routed.

Question 158

Why aren’t network ports a great method of ACL?

Answer 158

Because while ports being used for specific applications are conventions, they aren’t absolute rules and you can thus with relative ease change the ports that applications use to entirely different ones

Question 159

What is a socket?

Answer 159

A combination of an IP address and a network port.

Question 160

Systems that use ACL’s to manage permissions are vulnerable to what kind of attack?

Answer 160

Confused deputy problem

Question 161

What is the confused deputy problem?

Answer 161

It’s a type of attack used when ACL’s are used to manage permissions and occurs when software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software. If you can trick the software into misusing its greater level of authority, you can potentially carry out an attack.

Question 162

What are client-side attacks?

Answer 162

Tricking the user into taking some action when they really think they are doing something else entirely. They take advantage of weaknesses in applications running on the users computers.

Question 163

Name 3 forms client-side attacks could take. (examples of how they may be carried out)

Answer 163

1. Code sent through web browser and executed on the local machine.
2. Malformed PDF files
3. Images and videos with attack code embedded.

Question 164

Name 2 of the more common attacks exploiting the confused deputy problem.

Answer 164

1. Cross-site request forgery (CSRF)
2. Clickjacking

Question 165

What is CSRF (cross-site request forgery)?

Answer 165

An attack that misuses the authority of the browser on the user’s computer.

If the attacker knows of or can guess a website that has already been authenticated by the user such as amazon.com, the attacker can embed a link in a web page or HTML-based email, generally to an image hosted from a site controlled by the attacker. When the targets browser attempts to retrieve the image in the link, it also executes the additional commands the attacker has embedded in it, often completely invisible to the target.

Question 166

What is clickjacking?

Answer 166

Also known as user interface redressing.

Takes advantage of some of the page rendering features that are available in newer web browsers.

Attacker must legitimately control or have taken control of some portion of a website. Attacker constructs or modifies the site by placing an invisible layer over something the client would normally click. This causes the client to execute a command that’s different than the one they think they’re performing.

Can be used to trick the client into making purchases, changing permissions on applications or operating systems, or performing other unwanted activities.

Question 167

What is a capability?

Answer 167

It’s a way of controlling access and permissions based on a user’s token or key.

These generally aren’t physical tokens.

Question 168

In a capability-based system how is the right to access a resource decided?

Answer 168

Based on possession of the token rather than who possesses the token. Anyone can use the token and anyone who has that token can use it to access anything granted to that token.

Question 169

What is an access control model?

Answer 169

A way of determining who should be allowed to access what resources.

Question 170

What are the 6 most common access control models?

Answer 170

1. Discretionary access control
2. Mandatory access control
3. Rule-based access control
4. Role-based access control
5. Attribute-based access control
6. Multi-level access control

Question 171

What is DAC (Discretionary Access Control)

Answer 171

The owner of the resource d determines who gets access to it and exactly what level of access they can have.

Question 172

What is MAC (mandatory access control)

Answer 172

The owner of a resource doesn’t get to decide who gets access to it. Instead, a separate group or individual has the authority to set access to resources.

MAC is often implemented in government organizations where access to a given resource is largely dictated by the sensitivity label applied to it.

Question 173

What is rule-based access control?

Answer 173

Allows access according to a set of rules defined by the system administrator. If the rule is matched, access to the resource will be granted or denied accordingly.

Question 174

What is role-based access control. (RBAC)

Answer 174

Allows access based on the role of the individual being granted access.

Question 175

What type of access control is RBAC?

Answer 175

Role based access control

(Not rule-based access control)

Question 176

What is ABAC? (Attribute-based access control)

Answer 176

Based on the specific attributes of a person, resource, or environment. You can often find it implemented on infrastructure systems such as those in network or telecommunication environments.

Question 177

What are subject attributes?

Answer 177

A potential attribute in attribute-based access control.

Belong to an individual. Could be height, or captcha’s

Question 178

What are resource attributes?

Answer 178

A potential attribute in attribute-based access control.

Belong to a resource such as an operating system or application. You’ll often see access controlled by resource attributes.

Sometimes this is technical such as software only running on a particular OS.

Question 179

What are environmental attributes?

Answer 179

A kind of attribute that may be used in attribute-based access control.

Enables access controls based on environmental conditions. People commonly use time to control access to physical and logical resources.

Question 180

What is multilevel access control?

Answer 180

Combine several of the access control models. Used when simpler access control models aren’t considered robust enough to protect the information to which you’re controlling access.

Question 181

What kind of access control is the Bell-LaPadula Model?

Answer 181

Multilevel access control

Question 182

What is the Bell-LaPadula Model?

Answer 182

Implements a combination of discretionary and mandatory access controls (DAC and MAC) and is primarily concerned with the confidentiality of the resource in question.

Question 183

What is the simple security property?

Answer 183

Level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to access it.

Individual cannot read a resource classified at a higher level but they can red resources at a lower level.

Question 184

What is the * property (or star property)

Answer 184

Anyone accessing a resource can only write (copy) its contents to another resource classified at the same level or higher.

Question 185

What is the Biba model?

Answer 185

Primarily concerned with protecting the integrity of data, even at the expense of confidentiality.

Question 186

what 2 security rules does Biba have?

Answer 186

1. The simple integrity axiom level of access granted to an individual must be no lower than the classification of the resource. Ie, access to one level does not grant access to lower levels
2. The integrity axiom (or star integrity axiom) anyone accessing a resource can only write its contents to a resource classified at the same level or lower.

Question 187

No read down, no write up

Answer 187

The Biba model

Question 188

No read up, no write down

Answer 188

The Bell-LaPadula model