Access Control Definition Quiz
12 Questions

Questions and Answers

What is the primary goal of access control according to RFC 4949?

  • To grant access to all users
  • To limit access to physical facilities
  • To deny access to all unauthorized users
  • To regulate the use of system resources according to a security policy (correct)

What is the principle of limiting system access to only the types of transactions and functions that authorized users are permitted to execute?

  • Access Control Policy
  • Role-Based Access Control (correct)
  • Separation of Duties
  • Least Privilege

What is the purpose of providing privacy and security notices according to NIST SP 800-171?

  • To comply with applicable CUI rules (correct)
  • To provide a list of authorized users
  • To prevent unauthorized access to CUI
  • To inform users of the access control policy
What is the purpose of separating the duties of individuals according to NIST SP 800-171?

  • To reduce the risk of malevolent activity without collusion

According to NIST SP 800-171, what is the purpose of employing the principle of least privilege?

  • To limit access to specific security functions and privileged accounts

What is the purpose of capturing the execution of privileged functions in audit logs according to NIST SP 800-171?

  • To prevent non-privileged users from executing privileged functions

What is the primary purpose of employing cryptographic mechanisms in remote access sessions?

  • To protect the confidentiality of remote access sessions

What is the key difference between discretionary access control (DAC) and mandatory access control (MAC)?

  • DAC is based on user identity, while MAC is based on security labels

What is the purpose of authenticating a user or system entity?

  • To verify the credentials of a user or system entity

What type of access control is based on the roles that users have within the system?

  • Role-based access control (RBAC)

What is the purpose of using session lock with pattern-hiding displays?

  • To prevent access and viewing of data after a period of inactivity

What is the basic element of access control that refers to an entity capable of accessing objects?

  • Subject

Study Notes

Access Control

• Defined by NISTIR 7298 as the process of granting or denying specific requests to obtain and use information and related information processing services and enter specific physical facilities
• Also defined by RFC 4949 as a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities

Security Requirements for Access Control (NIST SP 800-171, Access Control family)

• Basic Security Requirements:
  • Limit system access to authorized users, processes acting on behalf of authorized users, and devices
  • Limit system access to the types of transactions and functions that authorized users are permitted to execute
• Derived Security Requirements:
  • Control the flow of CUI in accordance with approved authorizations
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion
  • Employ the principle of least privilege, including for specific security functions and privileged accounts
  • Use non-privileged accounts or roles when accessing non-security functions
  • Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
  • Limit unsuccessful logon attempts
  • Provide privacy and security notices consistent with applicable CUI rules
  • Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity
  • Terminate (automatically) a user session after a defined condition
  • Monitor and control remote access sessions
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
  • Route remote access via managed access control points
  • Authorize remote execution of privileged commands and remote access to security-relevant information
  • Authorize wireless access prior to allowing such connections
  • Protect wireless access using authentication and encryption
  • Control connection of mobile devices
  • Encrypt CUI on mobile devices and mobile computing platforms
  • Verify and control/limit connections to and use of external systems
  • Limit use of portable storage devices on external systems
  • Control CUI posted or processed on publicly accessible systems
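Three of the derived requirements above are mechanical enough to show in code: limiting unsuccessful logon attempts, terminating a session after a defined condition (here, inactivity), and preventing non-privileged users from executing privileged functions while capturing such executions in an audit log. The following is an added example written for this page, not code from NIST or from any product; the lockout threshold, lockout duration and idle timeout are assumptions (NIST SP 800-171 leaves those values to the organization), the plaintext password field is a constructed sample, and the clock is injected so the behaviour can be exercised without waiting.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy parameters; NIST SP 800-171 does not prescribe the values.
MAX_FAILED_LOGONS = 3       # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long a locked account stays locked
IDLE_TIMEOUT_SECONDS = 600  # the "defined condition" for automatic session termination


@dataclass
class Account:
    username: str
    password: str            # constructed sample; a real system stores a salted hash
    privileged: bool = False
    failed_logons: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    last_activity: float


class AccessManager:
    """In-memory model of logon limiting, idle termination and privileged-function auditing."""

    def __init__(self, clock: Callable[[], float]):
        self.now = clock                        # injectable clock so callers can advance time
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.audit_log: list[str] = []

    def _audit(self, event: str) -> None:
        self.audit_log.append(f"t={self.now():.0f} {event}")

    def add_account(self, username: str, password: str, privileged: bool = False) -> None:
        self.accounts[username] = Account(username, password, privileged)

    def logon(self, username: str, password: str) -> Optional[str]:
        """Return a session id on success, None on failure. Failures count toward lockout."""
        t = self.now()
        acct = self.accounts.get(username)
        if acct is None:
            self._audit(f"LOGON_FAILED user={username} reason=unknown_user")
            return None
        if t < acct.locked_until:
            # A locked account is refused even when the password is correct.
            self._audit(f"LOGON_DENIED user={username} reason=locked")
            return None
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failed_logons += 1
            if acct.failed_logons >= MAX_FAILED_LOGONS:
                acct.locked_until = t + LOCKOUT_SECONDS
                acct.failed_logons = 0
                self._audit(f"ACCOUNT_LOCKED user={username} until={acct.locked_until:.0f}")
            else:
                self._audit(f"LOGON_FAILED user={username} reason=bad_password")
            return None
        acct.failed_logons = 0                  # a successful logon resets the counter
        sid = secrets.token_hex(16)             # unguessable session identifier
        self.sessions[sid] = Session(username, t)
        self._audit(f"LOGON_OK user={username}")
        return sid

    def _active_session(self, sid: str) -> Optional[Session]:
        """Look up a session, terminating it if the idle timeout has elapsed."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        t = self.now()
        if t - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]
            self._audit(f"SESSION_TERMINATED user={sess.username} reason=idle")
            return None
        sess.last_activity = t
        return sess

    def run_privileged(self, sid: str, function_name: str) -> bool:
        """Gate a privileged function on the account's privilege flag and log every outcome."""
        sess = self._active_session(sid)
        if sess is None:
            self._audit(f"PRIV_DENIED function={function_name} reason=no_active_session")
            return False
        acct = self.accounts[sess.username]
        if not acct.privileged:
            self._audit(f"PRIV_DENIED user={acct.username} function={function_name}")
            return False
        self._audit(f"PRIV_EXEC user={acct.username} function={function_name}")
        return True
```

Two design points carry over to real systems: the lockout check runs before the password check, so a locked account cannot be used to confirm a guessed password, and the idle check happens on every privileged call rather than in a background sweep, so an expired session can never be used for one last action. The distinct `unknown_user` and `bad_password` audit reasons are for the log only; a login form should return the same message for both.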

Computer Security

• Closely tied to access control: RFC 4949 defines computer security as measures that implement and assure security services in a computer system, particularly those that assure access control service

Access Control Concepts

• Authentication: Verification that the credentials of a user or other system entity are valid
• Authorization: The granting of a right or permission to a system entity to access a system resource
• Audit: An independent review of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures

Types of Access Control

• Discretionary access control (DAC): Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
• Mandatory access control (MAC): Controls access based on comparing security labels with security clearances
• Role-based access control (RBAC): Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
• Attribute-based access control (ABAC): Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Basic Elements of Access Control

• Subject: An entity capable of accessing objects
• Object: A resource that is accessed by a subject
• Access right: An allowed action that a subject can perform on an object

Classes of Subjects

• Owner
• Group
• World
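The four access control types, the subject/object/access-right elements and the owner/group/world subject classes above fit in one small policy engine, so the decisions can be compared side by side. The following is an added example written for this page, not code from any of the cited standards; it assumes a Unix-style mode string for the DAC rules, a three-level linear lattice with Bell-LaPadula "no read up, no write down" rules as the concrete form of label-versus-clearance comparison for MAC, and constructed role and attribute policies for RBAC and ABAC.

```python
from dataclasses import dataclass, field

# Assumed MAC lattice, ordered low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# Assumed RBAC policy: role -> set of (object name, access right).
ROLE_PERMISSIONS = {
    "auditor": {("audit_log", "read")},
    "admin": {("audit_log", "read"), ("user_db", "read"), ("user_db", "write")},
}

RIGHT_BIT = {"read": "r", "write": "w", "execute": "x"}


@dataclass
class Subject:
    """An entity capable of accessing objects, carrying what each model needs to decide."""
    name: str
    groups: set = field(default_factory=set)        # DAC: group membership
    clearance: str = "UNCLASSIFIED"                 # MAC: security clearance
    roles: set = field(default_factory=set)         # RBAC: assigned roles
    attributes: dict = field(default_factory=dict)  # ABAC: subject attributes


@dataclass
class Object:
    """A resource accessed by a subject."""
    name: str
    owner: str
    group: str
    mode: str = "rw-r-----"                         # DAC: owner/group/world rights
    label: str = "UNCLASSIFIED"                     # MAC: security label
    attributes: dict = field(default_factory=dict)  # ABAC: resource attributes


def dac_allows(subject: Subject, obj: Object, right: str) -> bool:
    """DAC: the requestor's identity selects the subject class (owner, group or world),
    and the owner-set rule for that class says whether the access right is granted."""
    if subject.name == obj.owner:
        bits = obj.mode[0:3]
    elif obj.group in subject.groups:
        bits = obj.mode[3:6]
    else:
        bits = obj.mode[6:9]
    return RIGHT_BIT[right] in bits


def mac_allows(subject: Subject, obj: Object, right: str) -> bool:
    """MAC: compare the object's label with the subject's clearance. Assumed rules are
    Bell-LaPadula: read requires clearance >= label, write requires clearance <= label."""
    clearance, label = LEVELS[subject.clearance], LEVELS[obj.label]
    if right == "read":
        return clearance >= label
    if right == "write":
        return clearance <= label
    return False                                    # assumption: no execute in this lattice


def rbac_allows(subject: Subject, obj: Object, right: str) -> bool:
    """RBAC: the user's identity is irrelevant; only the roles and the role rules matter."""
    return any((obj.name, right) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def abac_allows(subject: Subject, obj: Object, right: str, env: dict) -> bool:
    """ABAC: combine subject, resource and environment attributes. Assumed policy: a user
    may read a resource of their own department, in business hours, from a managed device."""
    return (right == "read"
            and subject.attributes.get("department") is not None
            and subject.attributes.get("department") == obj.attributes.get("department")
            and 9 <= env.get("hour", -1) < 17
            and env.get("device_managed") is True)


def decide(model: str, subject: Subject, obj: Object, right: str, env: dict = None) -> bool:
    """Dispatch to one model; unknown models deny, so a typo in policy code fails closed."""
    if model == "DAC":
        return dac_allows(subject, obj, right)
    if model == "MAC":
        return mac_allows(subject, obj, right)
    if model == "RBAC":
        return rbac_allows(subject, obj, right)
    if model == "ABAC":
        return abac_allows(subject, obj, right, env or {})
    return False
```

The same subject and object can get different answers from each model, which is the point of the comparison: DAC asks who you are and what the owner allowed, MAC asks what level you hold against what the object is labelled, RBAC asks which roles you act in, and ABAC asks about the whole context of the request. Real deployments usually layer them (for example MAC labels enforced over DAC permissions), with the most restrictive answer winning.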

Description

Test your knowledge of access control definitions from NISTIR 7298, RFC 4949, and NIST SP 800-171. Identify the correct definitions and understand the concepts.
