Unit 5: Access Controls

Question 1

Process of Protecting a Resource so that it used by only those allowed use it. Methods to restrict and allow access to certain items. (Codes, Keys, Passwords, Fingerprints, Combinations).

Answer 1

Access Controls

Question 2

Process of deciding how has access to what computer and network resources. Based on job roles, background screening, and any gov. requirements.

Answer 2

Authorization

Question 3

Assigns privileges at a user level. Very difficult to manage since every person has unique privileges. Very detailed and controlling

Answer 3

User-Based Privileges

Question 4

Assigns privileges based on group policy. Easy to manage since assigning a person to a group automatically gives them those privileges (Student group)

Answer 4

Group-Based Privileges

Question 5

Set of rules that allows a special group for users to perform a set of actions on a set of resources

Answer 5

Access Control Policy

Question 6

People/Processes that use the system & perform some services

Answer 6

Users/Subjects

Question 7

Protected Objects in the system. This can be accessed only buy authorized subjects(users). This can only be used in authorized ways.

Answer 7

Resources

Question 8

Activities that authorized users can perform on the resources

Answer 8

Actions

Question 9

Permissions granted to an authorized user, such as to read, write, execute

Answer 9

Relationships

Question 10

These controls can control access to physical resources. (Parking Lots, protected areas)

Answer 10

Physical Access Controls

Question 11

These controls can control access to a computer system/network

Answer 11

Logical Access Controls

Question 12

This asks the question ‘Who is asking to access the asset?’

Answer 12

Identificaiton

Question 13

This asks the question ‘Can the requestor’s ID be verified?’

Answer 13

Authentication

Question 14

This asks the question ‘What exactly can the requestor access and do?

Answer 14

Authorization

Question 15

This asks the question ‘How can the actions be traced to the individual, and what methods are in place to track the actions of users?’

Answer 15

Accountability

Question 16

Common ID method through smart card, key FOB automatically.

Answer 16

Username

Question 17

Uses Physical Traits of the User (Fingerprints, Voice, facial recognition.)

Answer 17

Biometrics

Question 18

Account policies should PROHIBIT this to allow for attribution of Actions

Answer 18

General/Guest Accounts and Account Sharing.

Question 19

Authentication type that is Something the User Knows (Passwords, Passphrase, pin# etc.)

Answer 19

Knowledge

Question 20

Disables the ability to login after a set amount of consecutive failed attempts. (Prevents Brute Force/Dictionary Attacks)

Answer 20

Lockout Policy

Question 21

Authentication type that is something the user has. (Smart Card, FOB, Badge, etc.)

Answer 21

Ownership

Question 22

An algorithm that calculates a number on both the authentication server & the device held by the user. User would then enter the number on the device, and it would be compared to the server for authentication

Answer 22

Synchronous Token

Question 23

Authentication type that is Something the User Is (Physical Attributes, Fingerprints, Optical/Facial Recognition)

Answer 23

Characteristics

Question 24

Measures various parts of a person’s anatomy/physical activities.

Answer 24

Biometrics

Question 25

Fingerprints, Iris, Facia, Retina

Answer 25

Static Biometrics

Question 26

Handwriting, Voice pattern, keyboard usage

Answer 26

dynamic biometrics.

Question 27

Advantages of Biometrics

Answer 27

Person must physically be present to authenticate Nothing to Remember Hard to Fake/Forge

Question 28

Disadvantages of Biometrics

Answer 28

Physical Characteristics may change. Physical Disabilities may cause problems. Often Slow and Expensive

Question 29

Authentication type that is Somewhere the user is(Buildings, etc.)

Answer 29

Location

Question 30

Authentication type that is Something that the user can do. (Handwriting, typing, style of word choice, etc.)

Answer 30

Action

Question 31

Allows a user to login to a computer/network once, then allows the user to access all authorized computers/applications. (Facebook/Cellphone App.) Encourages a single strong password to prevent having to remember too many, but if you lose one account, you lose access to all

Answer 31

Single Sign-On (SSO)

Question 32

Tracing an Action to a person/process to know who/what made a change to a system/data (Log Files are key...) (Logs record who logged into a system/data accessed, when they logged in, and what info/resource they used.)

Answer 32

Accountability

Question 33

Lists (Files) which track the user, files, and permissions

Answer 33

Access Control List (ACL)

Question 34

Each User has access control over their own data. Creator = Owner. (Controls permission to access objects). Default for most OS, File Ownership allows full control. Very Flexible but not as secure due to possible inheritance of permissions. Uses ACL to track File permissions

Answer 34

Discretionary Access Control (DAC)

Question 35

Used in orgs. that require an elevated emphasis on confidentiality & classification of Data. (GOVT/Military). Strictest Level of Control & Hardest to maintain, Users have no control over classification of data. Objects/Resources must be labeled with a classification (Secret, Top Secret, Classified, etc.), Users must individually be authorized to access a certain level classification based on clearance.

Answer 35

Mandatory Access Control (MAC)

Question 36

System admin assigns privileges to a JOB Title/Position rather than a person. (Group Level. Employees are only allowed to access the info necessary to effectively perform their duties. Lower-level employees do not have access to sensitive data if they don't need it to fulfill their responsibilities. Helpful if there are many employees & use 3rd party contractors that make it difficult to closely monitor network access

Answer 36

Role-Based Access Control.

Question 37

Indicates a subjects rights to a system/application/network/resource/etc. In a DAC Environment, the authorization system uses this to determine what objects any subject can access.

Answer 37

Permission Levels

Question 38

Permission Levels based on a specific user (hard to maintain)

Answer 38

User-Based Permission Levels

Question 39

Permission Levels based on common group/specific job role a person is assigned.

Answer 39

Job/Group/Role Based Access Controls