Access Control Basics

Questions and Answers

In the context of access control, which of the following best describes the purpose of 'authorization'?

  • Verifying a user's identity through credentials like passwords or biometrics.
  • Granting a user specific permissions and defining what actions they are allowed to perform. (correct)
  • Ensuring that implemented security rules and policies are consistently followed.
  • Recording user actions for security tracking and generating audit logs.

Which of the following scenarios best illustrates the use of multi-factor authentication (MFA)?

  • A user setting up security questions for account recovery.
  • A user using a fingerprint scan to unlock their mobile phone.
  • A user entering their password and a code sent to their mobile phone to access a banking application. (correct)
  • A user entering their password to log into their email account.

A company implements a system that requires employees to use a password, and also a rotating code generated by a mobile app. This is an example of what?

  • Single-factor authentication.
  • Single sign-on.
  • Two-factor authentication. (correct)
  • Password management.

Which of the following is the primary goal of 'logical access control'?

  • Securing digital data through measures like passwords, encryption, and firewalls. (A) (correct)

What is the main function of a 'Key Distribution Center' within the Kerberos security framework?

  • Managing and distributing encryption keys for secure communication. (A) (correct)

An organization discovers that an employee has been accessing and misusing sensitive customer data for personal gain. This situation is best categorized as:

  • An insider threat. (B) (correct)

Which of the following is the most accurate description of the role of a 'White Hat' hacker?

  • A hacker who helps secure systems by identifying vulnerabilities and improving security. (C) (correct)

What is the primary difference between 'identification' and 'authentication' in the context of access control?

  • Identification is claiming an identity, while authentication is proving that identity. (B) (correct)

An organization decides to purchase cyber insurance to cover potential losses from data breaches and cyber attacks. Which risk management strategy does this best exemplify?

  • Risk transference. (C) (correct)

A company updates its incident response plan to include detailed steps for recovering from ransomware attacks and assigns specific roles for communication, technical recovery, and legal compliance. What risk management strategy is being implemented?

  • Risk mitigation. (B) (correct)

Flashcards

What is Access Control?

Decides who can see or use what in a system; protects sensitive information.

Authentication

Proves who you are (e.g., password, fingerprint).

Authorization

Defines what you can do (based on rules).

Enforcement

Ensures rules are followed (firewalls, security tools).


Logging

Records actions for security tracking (audit logs).


Physical Access Control

Protects physical spaces with measures like locks and biometric scanners.


Logical Access Control

Protects digital data with passwords, encryption, and firewalls.


Identification

User claims identity (e.g., username, ID card).


Authorization (Access Control)

System decides what the user can access based on verified identity.


Auditing

System records activity for tracking purposes.


Study Notes

Access Control Basics

  • Access control determines who can access what within a system.
  • It safeguards sensitive data by permitting only authorized users.

Key Security Concepts

  • Authentication verifies identity through credentials like passwords or fingerprints.
  • Authorization defines user permissions based on established rules.
  • Enforcement ensures adherence to security rules using firewalls and security tools.
  • Logging records user actions for security tracking via audit logs.

Access Control Types

  • Physical access control secures physical spaces using locks, keycards, and biometric scanners.
  • Logical access control secures digital data using passwords, encryption, and firewalls.

Protecting Facilities and IT

  • Physical security includes gates, security guards, and electronic locks.
  • Logical security involves strong passwords, encryption, and monitoring tools.

Five Elements of Access Control

  • Identification is when a user claims an identity using a username or ID card.
  • Authentication is when a user proves their identity using a password or biometrics.
  • Authorization is when a system grants what the user can access.
  • Auditing involves system tracking of activity.
  • Accounting involves reviewing logs to check for security issues.

Identification, Authentication, and Authorization

  • Identification validates who you are using User IDs, PINs, or Digital IDs.
  • Authentication confirms your identity by using passwords or biometrics.
  • Authorization determines what access you have based on permissions.

Identification Methods

  • Methods include User IDs, account numbers, PINs, digital IDs, and access badges.

Network Identification

  • MAC addresses uniquely identify a device.
  • IP addresses show a device's location on a network.
  • RFID is used for wireless identification such as contactless access cards.

Identity Management

  • Password management involves enforcing strong passwords.
  • Account management organizes user accounts across systems.
  • Profile management refers to storing user information.
  • Single Sign-On (SSO) allows one login for multiple apps.

Directory Services

  • LDAP manages user authentication and authorization.
  • Active Directory (ADDS) controls user identities in a network.

Authentication Methods

  • Single-Factor Authentication (SFA) uses one method of authentication like a password.
  • Multi-Factor Authentication (MFA) uses multiple authentication methods, like a password and a fingerprint.

Tokens

  • Soft tokens are digital authentications stored on a device.
  • Hard tokens are physical devices used for security.
  • Biometrics uses physical traits like fingerprints or face scans.

Security Frameworks

  • Kerberos is a security system managing authentication, authorization, auditing, and secure logins via a Key Distribution Center.

Web Portal Access Control

  • Organizations use web portals to verify users across multiple applications.

Types of Attackers

  • Hackers are tech experts who explore computer systems and may or may not be malicious.
  • Crackers are hackers who break into systems illegally.

Types of Hackers

  • Black hat hackers steal or harm systems.
  • White hat hackers help secure systems.
  • Gray hat hackers don't always follow rules, but don't intend to cause harm.

Common Hacker Types

  • Script kiddies are new hackers who use pre-made tools.
  • Hacktivists are hackers who attack for political reasons.
  • State-sponsored hackers work for governments.
  • Cyber terrorists cause destruction or fear through hacking.

Why Hackers Attack

  • Hackers steal data, whether private or company information.
  • They initiate Denial of Service (DoS) attacks to crash websites.
  • Hackers take over systems to gain total control of networks.
  • They commit money fraud by stealing financial details.

Authentication Process

  • Identification involves the user claiming an identity.
  • Credential verification involves the system checking credentials.
  • Validation involves granting access if the credentials are valid.

Authentication Factors

  • Type I is something you know such as passwords, PINs, and security questions, and is the weakest form of authentication.
  • Type II is something you have, such as smart cards, security tokens, and OTPs.
  • Type III is something you are, such as biometrics like fingerprint, retina scan, and face recognition.
  • Type IV is someplace you are, such as geo-location or GPS-based authentication.

Password Types

  • Static passwords are user generated and reusable.
  • Passphrases are long passwords using phrases.
  • One-Time Passwords (OTP) are single-use authentication codes.
  • Dynamic passwords change regularly through token-generated codes.

Tokens and Biometrics

  • Soft tokens are software-based authentications that require activation.
  • Hard tokens are physical devices that store authentication credentials.
  • Biometric authentication uses unique biological features like voiceprints or iris scans.

Multi-Factor Authentication (MFA)

  • MFA uses at least two authentication factors for enhanced security.

Information Security

  • Information security prevents unauthorized people from stealing, changing, or destroying data.
  • The CIA Triad ensures confidentiality, integrity, and availability.
    • Confidentiality keeps data private and accessible to only the right people.
    • Integrity ensures data remains correct and unaltered.
    • Availability ensures data is accessible when needed.

Common Security Threats

  • Malware includes harmful programs such as viruses and ransomware.
  • Social engineering uses tricks like phishing to steal personal data.
  • Insider threats refer to employees misusing their access.
  • Denial-of-Service (DoS) attacks overload systems to make them unusable.

Protecting Data

  • Encryption converts data into code to prevent unauthorized access.
  • Access control limits who can see or change data.
  • Backups keep copies of important data in case of loss.
  • Security training teaches people how to avoid cyber threats.

Security Models

  • The DAD Triad threat model covers three threats:
    • Disclosure occurs when data is revealed without permission.
    • Alteration occurs when data is changed without approval.
    • Denial occurs when data is blocked from authorized users.

Best Security Practices

  • Use strong passwords, avoiding simple or common choices.
  • Enable Multi-Factor Authentication (MFA) for extra security.
  • Keep software updated to fix security weaknesses.
  • Monitor network activity to spot threats early.

Security and the Law

  • Organizations must comply with legal regulations to avoid fines, lawsuits, and reputational damage.
  • Ignoring laws can lead to negligence, which makes companies responsible for security failures.
  • Civil law uses written laws to settle disputes.
  • Common law uses past court cases to guide future decisions.
  • Religious and customary law is based on religious texts or traditions like Shariah Law.

Types of Laws in Security

  • Criminal law covers crimes like hacking and fraud, potentially leading to jail time.
  • Civil law handles lawsuits, including privacy violations and intellectual property theft.
  • Administrative law consists of government rules for specific industries, such as GDPR and the Data Privacy Act.

Intellectual Property Laws

  • Trademark protects brand names and logos.
  • Patent protects inventions for about 20 years.
  • Copyright protects creative works such as books, music, and software.

Privacy Laws

  • GDPR (Europe) protects personal data and requires companies to be transparent.
  • Data Privacy Act (Philippines) protects private information collected by businesses.

Planning for Security

  • Security planning protects sensitive business data.
  • It helps companies prepare for cyber threats.
  • It ensures legal compliance.

Levels of Planning

  • Strategic (5+ years) planning focuses on long-term security strategies.
  • Tactical (1-3 years) planning breaks down big goals into smaller security tasks.
  • Operational (daily tasks) planning involves day-to-day security measures.

Who Handles Security Planning

  • CIO (Chief Information Officer) makes IT-related decisions.
  • CISO (Chief Information Security Officer) focuses on cybersecurity.
  • Security managers and technicians handle security operations.

Security Planning Approaches

  • The Top-Down approach is where senior management leads the security plan.
  • The Bottom-Up approach is where IT staff make security improvements without central planning.

Security Awareness Training (SETA Program)

  • Security education involves learning security principles.
  • Security training involves practicing security skills.
  • Security awareness involves recognizing cyber threats.

Risk Management

  • Risk is the chance of something bad happening, such as hacking or data leaks.

Steps to Handle Risks

  • Identify risks by finding weak points like outdated software.
  • Assess risks by checking how likely and harmful the risk is.
  • Control risks by taking steps to reduce threats.

Ways to handle risks

  • Defense includes using strong security measures such as firewalls or encryption.
  • Transferral includes buying cyber insurance or outsourcing security tasks.
  • Mitigation includes creating backup plans for disaster recovery and incident response.
  • Acceptance means doing nothing if the risk is low.
  • Termination means removing the risky asset, such as discontinuing use of old software.

Cybersecurity Threats and Attacks

  • Phishing tricks people into giving passwords.
  • Malware includes viruses, worms, and spyware.
  • DDoS (Distributed Denial of Service) overloads a website so it crashes.
  • Social engineering manipulates people to gain access.

Types of Hackers

  • Black hat hackers steal data.
  • White hat hackers improve security.
  • Gray hat hackers break rules but don't intend harm.

How to Protect Against Attacks

  • Use strong passwords and multi-factor authentication (MFA).
  • Keep software updated to fix security holes.
  • Train employees to spot phishing emails and scams.
