Secure Software Design - Access Control

Question 1

What are the two core principles of access control?

Answer 1

Record everything and detect and deal with intrusions.

Question 2

List the four main types of credentials used in access control.

Answer 2

Knowledge-based (passwords), Possession-based (key or card), Biometric (fingerprints), Social Access (authorization by a known person).

Question 3

Fill in the blank: The principle of granting only necessary access is called the ______.

Answer 3

Principle of least privilege.

Question 4

Why is session management important in access control?

Answer 4

It prevents unauthorized access by managing and protecting session IDs, ensuring they are not exposed or reused.

Question 5

What is broken access control?

Answer 5

A vulnerability where permission checks are insufficient, allowing unauthorized access to restricted resources.

Question 6

Name two common vulnerabilities in access control.

Answer 6

Broken access control and bad session management.

Question 7

Fill in the blank: Insecure session management can lead to the theft of ______.

Answer 7

Credentials.

Question 8

What is a direct way to prevent access control vulnerabilities?

Answer 8

Verify all references to data and functions with appropriate access control checks.

Question 9

What is the purpose of multi-factor authentication (MFA)?

Answer 9

To strengthen security by requiring multiple pieces of evidence for user verification.

Question 10

List the three types of multi-factor authentication (MFA) factors.

Answer 10

Something you know, something you have, something you are.

Question 11

What is a security token?

Answer 11

A device or software that verifies ‘something you have,’ unique to the user for authentication purposes.

Question 12

Explain the difference between paper, software, and hardware tokens.

Answer 12

Paper tokens are one-time passwords; software tokens are installed on devices; hardware tokens are physical devices for secure access.

Question 13

What is a drawback of software tokens?

Answer 13

They can be copied if the device is infected or compromised.

Question 14

Why are hardware tokens considered more secure?

Answer 14

They are less vulnerable to tampering and copying, making them suitable for strong two-factor authentication.

Question 15

Fill in the blank: Passwords stored in databases should be hashed with a ______ for added security.

Answer 15

Salt.

Question 16

What is the purpose of salting in password storage?

Answer 16

Salting adds a unique value to each password, making it harder for attackers to use precomputed tables like rainbow tables.

Question 17

How does broken session management affect security?

Answer 17

It can allow attackers to hijack sessions, exposing sensitive user data or access.

Question 18

List three methods for storing secure passwords.

Answer 18

Using cryptographic hash functions, adding salts, and not storing plaintext passwords.

Question 19

Explain how one-time passwords (OTPs) prevent replay attacks.

Answer 19

OTPs are valid for a single transaction, so once used, they cannot be reused by attackers.

Question 20

Fill in the blank: ______ is the process of verifying that a user has the correct permissions for each data or function reference.

Answer 20

Access control verification.

Question 21

Why is it critical to avoid using direct database references in access control?

Answer 21

Direct references can be guessed or manipulated by attackers to access unauthorized resources.

Question 22

What is the main benefit of multi-factor authentication in terms of access control?

Answer 22

It increases security by requiring multiple independent factors, reducing the risk of unauthorized access.

Question 23

What does session timeout help prevent?

Answer 23

Unauthorized access from an inactive session, especially on shared or public devices.

Question 24

Fill in the blank: Hashing a password with a unique value added is called ______.

Answer 24

Salting.

Question 25

What is a rainbow table?

Answer 25

A precomputed table of hash chains that helps attackers reverse cryptographic hashes if passwords are unsalted.

Question 26

How does salting protect against rainbow table attacks?

Answer 26

Salting ensures each password hash is unique, preventing the use of precomputed tables for mass password cracking.

Question 27

Explain the concept of ‘one-time password (OTP).’

Answer 27

A password valid for one transaction only, designed to improve security and prevent replay attacks.

Question 28

Fill in the blank: In access control, MFA usually combines a ______ with a ______.

Answer 28

Password (something you know) with a token (something you have).

Question 29

Why is it important to log and monitor all access attempts?

Answer 29

Logging helps in tracking unauthorized access and auditing security issues.

Question 30

What is an advantage of using cryptographic key-based authentication?

Answer 30

Only users with the private key can sign in, offering strong security if the key is protected.

Question 31

Describe a scenario where bad session management can lead to a security breach.

Answer 31

Leaving session IDs in URLs can allow attackers to hijack sessions by simply copying the URL.

Question 32

What type of attack does hashing with salt help mitigate?

Answer 32

Dictionary and rainbow table attacks.

Question 33

Fill in the blank: Secure access control involves verifying both user ______ and their ______ for each resource.

Answer 33

Authentication and authorization.

Question 34

Why are access logs essential in secure access control?

Answer 34

They provide evidence of who accessed what resources and can identify suspicious activity.

Question 35

Define ‘session hijacking.’

Answer 35

A type of attack where an unauthorized user takes over an active session, usually due to exposed session IDs.

Question 36

Fill in the blank: Multi-factor authentication improves security by requiring more than one method to verify ______.

Answer 36

Identity.