Access Control Fundamentals Quiz

Questions and Answers

What is the primary purpose of access control in an IT infrastructure?

To simplify user experience

To enhance system performance

To protect resources from unauthorized use (correct)

To monitor user activity

Which component of access control answers the question 'who is asking to access the asset'?

Identification (correct)

Accountability

Authentication

Authorization

Which phase of access control involves determining who can access which systems or resources?

Policy definition phase (correct)

Inspection phase

Access auditing phase

User assignment phase

What does the accountability component of access control ensure?

That actions taken on data can be traced back to an individual (A)

Which of the following best describes the role of authentication in access control?

It verifies the identities of users requesting access (C)

What is a significant threat to access controls according to the principles outlined?

Unauthorized access attempts (B)

What does the term 'decentralized access controls' generally refer to?

Management of access rights spread across multiple sources (D)

Which of the following is not part of the four-part access control model?

Verification (B)

What is the primary function of the policy enforcement phase in access control?

It grants or rejects requests based on predefined authorizations. (B)

Which access control type focuses on restricting physical entry to facilities and secure areas?

Physical Access Control (B)

What role does the Security Kernel play in access control?

It is the central point for enforcing access control and mediating requests. (D)

Which of the following best describes a smart card in the context of physical access control?

A card programmed with an ID number to control physical resource access. (B)

In which phase of access control is identification, authentication, and accountability primarily addressed?

Policy enforcement phase (C)

What is a key responsibility of logical access control?

To monitor and influence user behavior on a computer system. (B)

What is NOT one of the four central components of access control policies?

Encryption (B)

Which of the following best summarizes logical access control?

Monitoring user access rights and system interactions. (D)

What is one significant benefit of using biometrics for authentication?

The individual must be physically present to authenticate. (D)

Which of the following is an example of a dynamic biometric measure?

Signature motions (A)

What disadvantage is commonly associated with biometric authentication?

It can have accuracy issues. (B)

What distinguishes synchronous tokens from asynchronous tokens?

Synchronous tokens use a fixed method of calculation. (D)

Which of the following biometric modalities is considered physiological?

Iris scan (D)

Which of these is NOT considered a concern when implementing biometric authentication?

Complexity of algorithms (B)

Which type of biometric measure relates to identifiable features of an individual?

Physiological measures (B)

What authentication method uses challenge-response technology?

Asynchronous token (B)

Which access permissions are specifically part of Windows Share permissions?

Full, change, read, deny (C)

In Role-Based Access Control, what primarily determines a user's access rights?

User's assigned role within the organization (A)

Which of the following is a method of constraining user interface access?

Data encryption (B)

What is a potential consequence of experiencing breaches in access control?

Disclosure of private information (B)

Which of the following models specifically addresses data integrity?

Clark–Wilson integrity model (A)

What is one of the key principles of the Brewer–Nash integrity model?

Conflict of interest management (B)

Which of the following is NOT a threat to access controls according to the information provided?

Application layer attacks (A)

Which access model is primarily focused on controlling access based on user roles?

Role-Based Access Control (D)

What is a consequence of a violation of access control that impacts organizational reputation?

Loss of customer confidence (B)

Which centralized access control protocol uses two configuration files?

RADIUS (D)

What is a method of eavesdropping that does not involve electronic means?

Eavesdropping by observation (A)

Which of the following is a potential organizational effect of access control violations?

More oversight (B)

In decentralized access control, who primarily decides access control policies?

Individuals closest to the users (C)

Which of the following is NOT typically an effect of access control violations?

Enhanced competitiveness (A)

What type of management system does Microsoft use to aid in access control?

Group Policy Objects (A)

Which of the following is a standard for exchanging authentication and authorization data?

SAML (B)

Which protocol uses a challenge-response mechanism to enhance security during authentication?

Challenge-Handshake Authentication Protocol (CHAP) (B)

What type of cloud is characterized by shared components among several organizations?

Community Cloud (D)

Which of the following methods is likely monitored in a workplace for compliance?

Keystroke logging (C)

What is the primary function of Identity and Access Management (IAM) in conjunction with Privileged Access Management (PAM)?

To control access to services and data based on user roles (D)

Which type of one-time password generation relies on the time factor for its functionality?

Time-based One-Time Password (TOTP) (B)

Which of the following is NOT considered a typical activity monitored in the workplace?

Monitoring usage of office supplies (C)

What distinguishes Infrastructure as a Service (IaaS) among other cloud service models?

Delivers virtualized computing resources over the internet (C)

Which common characteristic applies to both HOTP and TOTP in mobile device authentication?

They generate a one-time password for a single use (D)

Flashcards

Access Control

Protecting a resource so only authorized users can use it.

Identification

Determining who is requesting access to an asset.

Authentication

Verifying the identity of a user requesting access.

Authorization

Determining what resources a user has permission to access.

Accountability

Tracking who made changes to a system or data.

Policy Definition

Determining user access privileges and allowed resources/systems.

Policy Enforcement

Implementing the access controls defined in the policies.

Four-Part Access Control

Access control system with components of Identification, Authentication, Authorization, & Accountability.

Access Control Phases

A sequential process for controlling access, often involving authorization and policy enforcement.

Policy Enforcement Phase

The stage where access requests are granted or denied based on previously defined authorizations.

Physical Access Control

Security measures to control entry into physical locations such as buildings and parking lots.

Logical Access Control

Security measures to control access to computer systems and networks.

Smart Cards

Physical cards that store user identification and are used for access control in physical environments.

Security Kernel

A central component in a computer system that enforces access control.

Reference Monitor

A concept used by security kernels to mediate all access requests.

Access Control Policies

Rules that determine which users have access to which resources in a system.

Password best practices

Strategies for creating strong passwords that improve account security.

Synchronous token

A security token that calculates a number simultaneously on the authentication server and device to verify identity.

Asynchronous token

A security token that uses challenge-response technology; the device sends a response to a challenge.

Static biometric

A biometric measurement of physical characteristics that don't change (e.g., fingerprints, iris scan).

Dynamic biometric

A biometric measurement of behavioral characteristics that change (e.g., signature, keystroke).

Biometric concerns

Issues related to reaction time, accuracy, and acceptance of biometric authentication methods.

Fingerprint biometrics

A biometric authentication method that uses unique fingerprint patterns to verify identity.

Password account policies

Rules that govern the creation and usage of passwords for accounts.

Eavesdropping by observation

Gaining unauthorized access to information by observing physical activities, such as looking over someone's shoulder or reading documents left unattended.

Bypassing security

Gaining unauthorized access by circumventing security mechanisms, such as using a backdoor, exploiting vulnerabilities, or using social engineering.

Exploiting hardware and software

Gaining unauthorized access by exploiting weaknesses in system hardware or software, such as vulnerabilities in operating systems, applications, or network devices.

Reusing or discarding media

Gaining unauthorized access by retrieving sensitive information from discarded or reused media, such as old hard drives, floppy disks, or even old USB drives.

Electronic eavesdropping

Gaining unauthorized access to information by intercepting electronic communications, such as phone calls, emails, or data transmissions.

Intercepting communication

Gaining unauthorized access to information by intercepting and decoding messages, such as tapping into communication lines or using packet sniffers.

Accessing networks

Gaining unauthorized access to a network, such as by exploiting vulnerabilities in network devices or using brute force attacks.

Exploiting applications

Gaining unauthorized access to information by exploiting vulnerabilities in applications, such as web browsers, databases, or other software.

Access Control Lists

Lists of permissions that specify who can access resources and what they can do (e.g., read, write, execute).

Role-Based Access Control (RBAC)

An access control model that grants access based on the roles a user plays within a system (e.g., administrator, editor, viewer).

Content-Dependent Access Control

Access control that restricts access based on the characteristics or types of data.

Constrained User Interface

Restricting user interaction to prevent unauthorized data access or modification.

Brewer-Nash Integrity Model

A model for access control that focuses on preventing conflicts of interest in access.

Effects of Access Control Breaches

Compromised security can lead to data breaches, corruption of information, loss of insights, and damage to systems.

Threats to Access Controls

Actions that could bypass security measures to gain unauthorized access or create security threats.

Linux/macOS Permissions

File access control method for Linux and macOS using read, write, and execute.

Password Authentication Protocol (PAP)

A simple authentication protocol where the user's password is sent in clear text.

Challenge-Handshake Authentication Protocol (CHAP)

A more secure authentication protocol that uses a challenge-response mechanism to verify the user's identity.

HMAC-based One-Time Password (HOTP)

A type of one-time password (OTP) that uses a hash-based message authentication code (HMAC) to generate a unique code for each login attempt.

Time-Based One-Time Password (TOTP)

A type of OTP that uses a time-based algorithm to generate a unique code that expires after a certain time period.

Identity and Access Management (IAM)

A system that manages user identities and controls access to organizational resources.

Privileged Access Management (PAM)

A specialized system that manages and restricts access for users with high-level privileges.

Private Cloud

A cloud computing environment managed by a single organization for its own use.

Infrastructure as a Service (IaaS)

A cloud service model that provides access to computing resources like servers, storage, and networking.

Study Notes

Access Controls

• Access control is the process of restricting resource use to authorized users.
• It prevents unauthorized access and misuse.
• Mitigation strategies protect resources from threats.

Learning Objectives and Key Concepts

• Explain the role of access controls in an IT infrastructure.
• Access control concepts and technologies
• Identification, authentication, and authorization
• Formal models of access control
• Threats to access controls and control violations
• Centralized and decentralized access controls

Defining Access Control

• The process of securing resources to limit use to authorized individuals.
• Prevents unauthorized resource use.
• Protects resources by implementing mitigations.

Four-Part Access Control

• Identification: Identifying the user requesting access.
• Authentication: Verifying the user's identity.
• Authorization: Determining what resources the user can access and what actions they can perform.
• Accountability: Tracking actions to identify those who made changes.

Policy Definition and Enforcement Phases

• Policy Definition Phase: Defines who has access to what systems or resources.
• Policy Enforcement Phase: Grants or denies access requests based on defined policies.
• Tied to identification, authentication, and accountability phases.

Two Types of Access Controls

• Physical Controls: Regulate access to physical locations (buildings, parking lots, etc.).
• Logical Controls: Control access to computer systems and networks.

Physical Access Control

• Example: Smart cards programmatically linked to identification numbers, used in parking, elevators, office doors, and after-hours access.

Logical Access Control

• Examples: Deciding user system access, monitoring user actions, and managing or influencing user behaviors.

The Security Kernel

• Enforces access control for computer systems.
• Central point of control for access.
• Implements the reference monitor concept.
• Mediates all access requests, granting access after verifying rules and conditions.
• An illustrated diagram detailing the process is provided.

Access Control Policies

• Users: Individuals using systems or processes.
• Resources: Protected objects within the system (e.g., files, folders, databases).
• Actions: Authorized activities users can perform on resources.
• Relationships: Conditions linking users and resources.

Authorization Policies

• Authorization is the process for deciding who has access to which resources.
• In organizations, authorization often uses job roles, background checks, and government requirements.
• Access is determined by:
  • Individual user privileges
  • Group membership policies
  • Authority level policies

Methods and Guidelines for Identification

• Methods: Username, smart cards, biometrics.
• Guidelines: Nonrepudiation, accounting.

Processes and Requirements for Authentication

• Knowledge: Something the user knows (e.g., password).
• Ownership: Something the user has (e.g., a token).
• Characteristics: Something unique to the user (e.g., biometrics).
• Action/Performance: Something the user does (e.g., typing patterns).
• Behavior: Observable traits or behaviors that are unique to the user.
• Location: Physical location of the user.
• Relationship: Trusted individuals the user interacts with.

Authentication by Knowledge

• Passwords: Vulnerable to brute-force or dictionary attacks, thus strong passwords with best practices are critical.
• Password policies: Enforce strong password requirements and account lockout policies.
• Passphrases: Stronger than a password, typically used with special requirements.
• Account lockout policies: Limit failed login attempts.
• Audit logon events: Track login attempts and activities.

Authentication by Ownership

• Synchronous token: Calculates a number on both the authentication server and device using time-based or event-based synchronization for authentication security.
• Continuous authentication: A continuous process.
• Asynchronous token: Uses challenge-response technology with key fob, mobile device or USB token, and smart cards.

Authentication by Characteristics/Biometrics

• Static (physiological): Measures based on what a user is (e.g., fingerprint, iris scan).
• Dynamic (behavioral): Measures based on what a user does (e.g., voice, keystroke).

Concerns Surrounding Biometrics

• Accuracy: Ensuring accurate identification.
• Acceptability: Measures user acceptance and comfort with the process.
• Reaction time: Speed of the authentication process.

Types of Biometrics

• Examples: Fingerprint, palm print, hand geometry, vein analysis, retina scan, iris scan, facial recognition, voice pattern, keystroke dynamics, signature dynamics, and gait analysis.

Advantages and Disadvantages of Biometrics

• Advantages: Physical presence needed, nothing to remember, difficult to fake.
• Disadvantages: Physical characteristics may change, issues for physically disabled users, inconsistent or ineffective techniques, potentially slow response, expensive equipment needs, privacy concerns.

Authentication by Location and Action

• Location: Using a user's location as a strong authentication factor.
• Action: Analyzing patterns in user behavior.
• Additional information: Location and behavior data used to suggest granting/denying access.
• Typing patterns: Analyzing how users type.

Single Sign-On (SSO)

• Sign on once and gain access to multiple systems.
• Reduces human error during authentication.
• Difficult to implement.

Advantages and Disadvantages of SSO

• Advantages: Efficient logon process, promotes stronger passwords, continuous reauthentication, and centralized administration.
• Disadvantages: Compromised passwords granting access. Static passwords providing limited security, difficulties with existing systems/scripts, server potential single point of failure.

SSO Processes

• Kerberos: Network authentication protocol.
• SESAME: Developed for applications in a multi-vendor environment.
• LDAP: Directory access protocol.

Policies and Procedures for Accountability

• Log files: Record of user activities and access attempts.
• Monitoring and reviews: Regular evaluation of log files.
• Data retention: Policies controlling how long access records are kept.
• Media disposal: Proper disposal of storage media containing sensitive data (e.g, hard drives, optical media).
• Compliance requirements: Adherence to regulatory compliance related to retention and disposal.

Formal Models of Access Control

• Discretionary Access Control (DAC): Access controlled by the owner of the resource (i.e., flexibility and discretion)
• Mandatory Access Control (MAC): Access control based on the sensitivity of the resource (i.e., strict restrictions)
• Nondiscretionary Access Control: Security administrator-controlled access restrictions, generally more secure than DAC.
• Rule-based access control: Access granted based on policies rather than individual permissions, offering flexibility.

DAC (Discretionary Access Control)

• Operating systems-based: DAC policies in operating systems.
• Access control method: Mechanism for defining and implementing the DAC policy.
• New user registration: Process for authorizing new users.
• Periodic review: Review of access controls
• Application-based: DAC policies in applications.
• Permission Levels: Define access levels for specific users.
  • User, job based, group based or role based (RBAC), project based, and task based policies..

MAC (Mandatory Access Control)

• Access restrictions based on resource sensitivity.
• Classification labels determine security levels.
• Individuals need formal authorization (clearance).
• System/owner decisions for access.
• Temporary isolation or time-of-day restrictions for access.
• MAC is considered more secure than DAC.

Nondiscretionary Access Control

• Security administrator manages access rules, not system owners.
• Sensitive files are write-protected and restricted to authorized users.
• Usually more secure.

Rule-Based Access Control

• Explicit authorization rules are established to determine access.
• Access control is granted based on defined rules

Access Control Lists (ACLs)

• Linux/macOS: Permissions based on read, write, and execution.
• Windows: Permissions using different control levels (full, change, read, deny).
• ACLs: Illustrative example of access control lists.

Role-Based Access Control (RBAC)

• Explicit rules and roles govern access.
• Roles are assigned privileges.
• User access based on role.
• This structure is illustrated in a diagram.

Content-Dependent Access Control

• Access limitations are based on data content.
• Example: Local manager access limited to their department's employee data.

Constrained User Interface

• Methods of limiting user access include menus, database views, and physically constrained user interfaces.
• Encryption, a security measure.

Other Access Control Models

• Other models (e.g., Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash) that describe specific approaches to access control.

Brewer-Nash Integrity Model

• Addresses conflicts of interest.
• Illustrates a diagram to show this model.

Effects of Breaches in Access Control

• Data compromise, loss of confidence and business opportunities.
• Regulatory sanctions, damage to reputation, and financial penalties.

Threats to Access Controls

• Gaining physical access.
• Eavesdropping by observation.
• Bypassing security.
• Exploiting hardware and software.
• Media reuse/discard issues.
• Electronic eavesdropping.
• Inter-communication issues.
• Network access.
• Application exploitation..

Effects of Access Control Violations

• Loss of confidence and potentially of business opportunities.
• Regulatory requirements and sanctions.
• Damage to reputation
• Increased oversight
• Financial penalties.

Credential and Permissions Management

• Systems for collecting, managing, and employing access control data.
• Microsoft solutions (e.g. Group Policy and GPOs) support this.

Centralized and Decentralized Access Controls

• Centralized approach manages security from a central point, while decentralized security control is implemented locally.
• Protocols like RADIUS, TACACS+, DIAMETER, and SAML (including illustrative diagrams) are used in this context.

Decentralized Access Control

• Management and security control locally, often managed by the individuals closest to the users.
• Protocols including PAP, CHAP, OATH, HOTP and TOTP.

Privacy

• Privacy expectations are communicated in acceptable use policies (AUPs) and login banners.
• Workplace monitoring includes email opening, automated email checking, keyboard usage, site visit logs, credit reference agencies, PoS terminals, and CCTV recordings. .

Cloud Computing

• Different cloud computing categories (private, community, public, hybrid).
• Descriptions of each cloud type
• Common cloud services (IaaS, PaaS, SaaS).

Advantages and Disadvantages of Cloud Computing

• Advantages: No data center or disaster recovery site maintenance needed, dynamic provisioning for performance and connectivity.
• Disadvantages: Difficulty maintaining data security, danger of data leakage, reliance on constant network access, and vendor trust.

Description

Test your knowledge on the key components and principles of access control in IT infrastructures. This quiz covers essential concepts such as authentication, accountability, and policy enforcement. Ideal for students and professionals looking to deepen their understanding of access control mechanisms.