Access Control Fundamentals Quiz
48 Questions

Questions and Answers

What is the primary purpose of access control in an IT infrastructure?

  • To simplify user experience
  • To enhance system performance
  • To protect resources from unauthorized use (correct)
  • To monitor user activity

Which component of access control answers the question 'who is asking to access the asset'?

  • Identification (correct)
  • Accountability
  • Authentication
  • Authorization

Which phase of access control involves determining who can access which systems or resources?

  • Policy definition phase (correct)
  • Inspection phase
  • Access auditing phase
  • User assignment phase

What does the accountability component of access control ensure?

  • That actions taken on data can be traced back to an individual (correct)

Which of the following best describes the role of authentication in access control?

  • It verifies the identities of users requesting access (correct)

What is a significant threat to access controls according to the principles outlined?

  • Unauthorized access attempts (correct)

What does the term 'decentralized access controls' generally refer to?

  • Management of access rights spread across multiple sources (correct)

Which of the following is not part of the four-part access control model?

  • Verification (correct)

What is the primary function of the policy enforcement phase in access control?

  • It grants or rejects requests based on predefined authorizations (correct)

Which access control type focuses on restricting physical entry to facilities and secure areas?

  • Physical Access Control (correct)

What role does the Security Kernel play in access control?

  • It is the central point for enforcing access control and mediating requests (correct)

Which of the following best describes a smart card in the context of physical access control?

  • A card programmed with an ID number to control physical resource access (correct)

In which phase of access control are identification, authentication, and accountability primarily addressed?

  • Policy enforcement phase (correct)

What is a key responsibility of logical access control?

  • To monitor and influence user behavior on a computer system (correct)

What is NOT one of the four central components of access control policies?

  • Encryption (correct)

Which of the following best summarizes logical access control?

  • Monitoring user access rights and system interactions (correct)

What is one significant benefit of using biometrics for authentication?

  • The individual must be physically present to authenticate (correct)

Which of the following is an example of a dynamic biometric measure?

  • Signature motions (correct)

What disadvantage is commonly associated with biometric authentication?

  • It can have accuracy issues (correct)

What distinguishes synchronous tokens from asynchronous tokens?

  • Synchronous tokens compute the code on both the device and the server from a shared secret and a synchronized time or event counter, with no challenge exchanged (correct)

Which of the following biometric modalities is considered physiological?

  • Iris scan (correct)

Which of these is NOT considered a concern when implementing biometric authentication?

  • Complexity of algorithms (correct)

Which type of biometric measure relates to identifiable features of an individual?

  • Physiological measures (correct)

What authentication method uses challenge-response technology?

  • Asynchronous token (correct)

Which access permissions are specifically part of Windows share permissions?

  • Full, change, read, deny (correct)

In Role-Based Access Control, what primarily determines a user's access rights?

  • User's assigned role within the organization (correct)

Which of the following is a method of constraining user interface access?

  • Data encryption (correct)

What is a potential consequence of experiencing breaches in access control?

  • Disclosure of private information (correct)

Which of the following models specifically addresses data integrity?

  • Clark–Wilson integrity model (correct)

What is one of the key principles of the Brewer–Nash model (the Chinese Wall model)?

  • Conflict of interest management (correct)

Which of the following is NOT a threat to access controls according to the information provided?

  • Application layer attacks (correct)

Which access model is primarily focused on controlling access based on user roles?

  • Role-Based Access Control (correct)

What is a consequence of a violation of access control that impacts organizational reputation?

  • Loss of customer confidence (correct)

Which centralized access control protocol uses two configuration files?

  • RADIUS (correct)

What is a method of eavesdropping that does not involve electronic means?

  • Eavesdropping by observation (correct)

Which of the following is a potential organizational effect of access control violations?

  • More oversight (correct)

In decentralized access control, who primarily decides access control policies?

  • Individuals closest to the users (correct)

Which of the following is NOT typically an effect of access control violations?

  • Enhanced competitiveness (correct)

What type of management system does Microsoft use to aid in access control?

  • Group Policy Objects (correct)

Which of the following is a standard for exchanging authentication and authorization data?

  • SAML (correct)

Which protocol uses a challenge-response mechanism to enhance security during authentication?

  • Challenge-Handshake Authentication Protocol (CHAP) (correct)

What type of cloud is characterized by shared components among several organizations?

  • Community Cloud (correct)

Which of the following methods is likely monitored in a workplace for compliance?

  • Keystroke logging (correct)

What is the primary function of Identity and Access Management (IAM) in conjunction with Privileged Access Management (PAM)?

  • To control access to services and data based on user roles (correct)

Which type of one-time password generation relies on the time factor for its functionality?

  • Time-based One-Time Password (TOTP) (correct)

Which of the following is NOT considered a typical activity monitored in the workplace?

  • Monitoring usage of office supplies (correct)

What distinguishes Infrastructure as a Service (IaaS) among other cloud service models?

  • Delivers virtualized computing resources over the internet (correct)

Which common characteristic applies to both HOTP and TOTP in mobile device authentication?

  • They generate a one-time password for a single use (correct)

    Study Notes

    Access Controls

    • Access control is the process of restricting resource use to authorized users.
    • It prevents unauthorized access and misuse.
    • Mitigation strategies protect resources from threats.

    Learning Objectives and Key Concepts

    • Explain the role of access controls in an IT infrastructure.
    • Access control concepts and technologies
    • Identification, authentication, and authorization
    • Formal models of access control
    • Threats to access controls and control violations
    • Centralized and decentralized access controls

    Defining Access Control

    • The process of securing resources to limit use to authorized individuals.
    • Prevents unauthorized resource use.
    • Protects resources by implementing mitigations.

    Four-Part Access Control

    • Identification: Identifying the user requesting access.
    • Authentication: Verifying the user's identity.
    • Authorization: Determining what resources the user can access and what actions they can perform.
    • Accountability: Tracking actions to identify those who made changes.

    Policy Definition and Enforcement Phases

    • Policy Definition Phase: Defines who has access to what systems or resources.
    • Policy Enforcement Phase: Grants or denies access requests based on defined policies.
    • Identification, authentication, and accountability are carried out during the enforcement phase, when a concrete access request is evaluated.

    Two Types of Access Controls

    • Physical Controls: Regulate access to physical locations (buildings, parking lots, etc.).
    • Logical Controls: Control access to computer systems and networks.

    Physical Access Control

    • Example: Smart cards programmed with an identification number, used for parking, elevators, office doors, and after-hours access.

    Logical Access Control

    • Examples: Deciding user system access, monitoring user actions, and managing or influencing user behaviors.

    The Security Kernel

    • Enforces access control for computer systems.
    • Central point of control for access.
    • Implements the reference monitor concept.
    • Mediates all access requests, granting access after verifying rules and conditions.
    • An illustrated diagram detailing the process is provided.

    Access Control Policies

    • Users: Individuals using systems or processes.
    • Resources: Protected objects within the system (e.g., files, folders, databases).
    • Actions: Authorized activities users can perform on resources.
    • Relationships: Conditions linking users and resources.
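The following is an added example, not code from the source chapter, showing the policy definition phase (tables of users, roles, resources and permitted actions) kept separate from the policy enforcement phase (a single reference-monitor choke point that grants or denies each request and records the outcome for accountability). All users, roles, resource paths and policy entries are constructed for illustration.

```python
"""Minimal reference monitor: policy definition separated from policy
enforcement, with an audit trail for accountability.

Added example, not code from the source chapter. All names below
(users, roles, resources, the policy tables) are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# ---- Policy definition phase: who may do what to which resource ----
# Roles map to the actions they permit; each resource lists the roles
# allowed to touch it (a simple role-based ACL).
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}
RESOURCE_ROLES: Dict[str, FrozenSet[str]] = {
    "/finance/ledger.db": frozenset({"editor", "admin"}),
    "/hr/salaries.xlsx": frozenset({"admin"}),
    "/public/handbook.pdf": frozenset({"analyst", "editor", "admin"}),
}
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"editor"}),
    "bob": frozenset({"analyst"}),
    "carol": frozenset({"admin"}),
}


@dataclass
class ReferenceMonitor:
    """Single choke point every access request passes through (the
    security-kernel role). It never grants by default: a request is
    allowed only if some role of the subject both permits the action
    and is listed on the resource. Every decision is logged."""
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def decide(self, subject: str, action: str, resource: str) -> bool:
        roles = USER_ROLES.get(subject, frozenset())             # unknown subject -> no roles
        allowed_roles = RESOURCE_ROLES.get(resource, frozenset())  # unknown resource -> nobody
        permitted = any(
            action in ROLE_ACTIONS.get(r, frozenset()) and r in allowed_roles
            for r in roles
        )
        # Accountability: record who asked for what and the outcome.
        self.audit_log.append(
            (subject, action, resource, "ALLOW" if permitted else "DENY"))
        return permitted


def run_scenario() -> List[Tuple[str, str, str, str]]:
    """Replay a few constructed requests and return the audit trail."""
    rm = ReferenceMonitor()
    rm.decide("alice", "write", "/finance/ledger.db")     # editor on ledger -> ALLOW
    rm.decide("alice", "delete", "/finance/ledger.db")    # editor cannot delete -> DENY
    rm.decide("bob", "read", "/hr/salaries.xlsx")         # analyst not listed -> DENY
    rm.decide("carol", "delete", "/hr/salaries.xlsx")     # admin -> ALLOW
    rm.decide("mallory", "read", "/public/handbook.pdf")  # unknown subject -> DENY
    return rm.audit_log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Changing who may do what is an edit to the tables at the top (definition); the `decide` method never changes (enforcement). That separation is what lets the policy be reviewed and audited independently of the code that applies it.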

    Authorization Policies

    • Authorization is the process for deciding who has access to which resources.
    • In organizations, authorization often uses job roles, background checks, and government requirements.
    • Access is determined by:
      • Individual user privileges
      • Group membership policies
      • Authority level policies

    Methods and Guidelines for Identification

    • Methods: Username, smart cards, biometrics.
    • Guidelines: Nonrepudiation, accounting.

    Processes and Requirements for Authentication

    • Knowledge: Something the user knows (e.g., password).
    • Ownership: Something the user has (e.g., a token).
    • Characteristics: Something unique to the user (e.g., biometrics).
    • Action/Performance: Something the user does (e.g., typing patterns).
    • Behavior: Observable traits or behaviors that are unique to the user.
    • Location: Physical location of the user.
    • Relationship: Trusted individuals the user interacts with.

    Authentication by Knowledge

    • Passwords: Vulnerable to brute-force or dictionary attacks, thus strong passwords with best practices are critical.
    • Password policies: Enforce strong password requirements and account lockout policies.
    • Passphrases: Longer sequences of words; generally stronger than a single password because their length makes brute-force and dictionary attacks far more expensive.
    • Account lockout policies: Limit failed login attempts.
    • Audit logon events: Track login attempts and activities.
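As an added example (not code from the source chapter), the password, lockout and audit points above combined into one verifier: passwords are stored as salted PBKDF2 hashes so captured hashes resist dictionary attacks, comparison is constant-time, an account locks after repeated failures, and every logon attempt is written to an audit list. The usernames, passwords, iteration count and lockout parameters are constructed for the demo.

```python
"""Knowledge-factor authentication hardened against guessing: slow salted
hashing, constant-time comparison, account lockout after repeated
failures, and an audit record of every logon attempt.

Added example, not code from the source chapter. Usernames, passwords
and the lockout parameters are constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000   # demo value; OWASP (2023) recommends 600,000 for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5          # constructed lockout threshold
LOCKOUT_SECONDS = 900     # constructed lockout duration (15 minutes)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). The per-user salt
    defeats precomputed tables; the round count slows each guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Hashed once at import so unknown users cost the same as known ones.
DUMMY_STORED = hash_password("not-a-real-password")


@dataclass
class Account:
    stored: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Authenticator:
    accounts: Dict[str, Account]
    audit: List[str] = field(default_factory=list)   # "audit logon events"

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Return 'OK', 'LOCKED' or 'BAD' and log the event."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            verify_password(password, DUMMY_STORED)  # same cost: no username enumeration by timing
            self.audit.append(f"{now:.0f} user={user} result=BAD reason=unknown-user")
            return "BAD"
        if now < acct.locked_until:
            self.audit.append(f"{now:.0f} user={user} result=LOCKED")
            return "LOCKED"
        if verify_password(password, acct.stored):
            acct.failures = 0
            self.audit.append(f"{now:.0f} user={user} result=OK")
            return "OK"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.audit.append(f"{now:.0f} user={user} result=BAD lockout=triggered")
        else:
            self.audit.append(f"{now:.0f} user={user} result=BAD failures={acct.failures}")
        return "BAD"


def demo() -> List[str]:
    """Five wrong guesses trigger lockout; the right password is refused
    while locked and accepted once the lockout expires."""
    auth = Authenticator({"alice": Account(hash_password("correct horse battery staple"))})
    t0 = 1_700_000_000.0
    results = [auth.login("alice", "password1", now=t0 + i) for i in range(5)]
    results.append(auth.login("alice", "correct horse battery staple", now=t0 + 5))
    results.append(auth.login("alice", "correct horse battery staple", now=t0 + 5 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(demo())
```

A lockout policy also hands an attacker a denial-of-service lever (deliberately locking out victims), which is why many deployments prefer a time-based lockout like the one above over a permanent one requiring administrator reset.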

    Authentication by Ownership

    • Synchronous token: The token and the authentication server each compute the same one-time value from a shared secret and a synchronized moving factor, either the current time (time-based) or a count of uses (event-based); no challenge is exchanged.
    • Continuous authentication: The user is re-verified throughout the session rather than only at logon.
    • Asynchronous token: Uses challenge-response technology; the server sends a challenge and the device (key fob, mobile device, USB token, or smart card) returns a response computed from it.
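Added example, not code from the source chapter, of the synchronous token described above: HOTP (event-based, RFC 4226) and TOTP (time-based, RFC 6238) computed independently on both ends from a shared secret, plus the two checks a server needs that the algorithms alone do not give you: a look-ahead window to resynchronise after drift, and rejection of any counter or time step already accepted, which is what makes each password single-use. The shared secret is the RFC test-vector secret; the verifier classes and window sizes are my own constructed choices.

```python
"""Synchronous one-time-password tokens: HOTP (RFC 4226) and TOTP
(RFC 6238), with server-side drift window and single-use enforcement.

Added example, not code from the source chapter. RFC_SECRET is the
published RFC test secret; the verifier classes are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SECRET = b"12345678901234567890"   # shared test secret from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time // step), digits, algo)


class HotpVerifier:
    """Event-based token. The server remembers the last counter it accepted
    and searches a small look-ahead window, so a few button presses without
    a login do not desynchronise the token. Anything at or below the last
    accepted counter is refused: single use."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.window, self.last = secret, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last = c   # resynchronise; this and all earlier counters are burned
                return True
        return False


class TotpVerifier:
    """Time-based token. Accept the current step plus/minus `skew` steps for
    clock drift, and remember the last accepted step so a sniffed code
    cannot be replayed inside its 30-second validity window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        cur = int(now // self.step)
        for s in range(cur - self.skew, cur + self.skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # RFC 4226 vector: 755224
    print("TOTP at T=59  :", totp(RFC_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
```

The event-based window is what a help desk "resync" button moves; making it large (or unbounded) turns the look-ahead into a brute-force aid, since an attacker then has `window` valid codes at any moment instead of one.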

    Authentication by Characteristics/Biometrics

    • Static (physiological): Measures based on what a user is (e.g., fingerprint, iris scan).
    • Dynamic (behavioral): Measures based on what a user does (e.g., voice, keystroke).

    Concerns Surrounding Biometrics

    • Accuracy: Ensuring accurate identification.
    • Acceptability: Measures user acceptance and comfort with the process.
    • Reaction time: Speed of the authentication process.

    Types of Biometrics

    • Examples: Fingerprint, palm print, hand geometry, vein analysis, retina scan, iris scan, facial recognition, voice pattern, keystroke dynamics, signature dynamics, and gait analysis.

    Advantages and Disadvantages of Biometrics

    • Advantages: Physical presence needed, nothing to remember, difficult to fake.
    • Disadvantages: Physical characteristics may change, issues for physically disabled users, inconsistent or ineffective techniques, potentially slow response, expensive equipment needs, privacy concerns.

    Authentication by Location and Action

    • Location: Using the user's physical or network location as a supplementary authentication factor; on its own it is easily spoofed, so it supports rather than replaces the other factors.
    • Action: Analyzing patterns in user behavior.
    • Additional information: Location and behavior data used to suggest granting/denying access.
    • Typing patterns: Analyzing how users type.

    Single Sign-On (SSO)

    • Sign on once and gain access to multiple systems.
    • Reduces human error during authentication.
    • Difficult to implement.

    Advantages and Disadvantages of SSO

    • Advantages: Efficient logon process, allows stronger passwords since users remember only one, no need for repeated reauthentication, and centralized administration.
    • Disadvantages: A single compromised password grants access to every connected system; static passwords provide limited security; integration difficulties with existing systems and scripts; the SSO server is a potential single point of failure.

    SSO Processes

    • Kerberos: Ticket-based network authentication protocol; a client authenticates once to a Key Distribution Center and presents tickets to services.
    • SESAME (Secure European System for Applications in a Multi-vendor Environment): Extends the Kerberos approach for multi-vendor environments.
    • LDAP (Lightweight Directory Access Protocol): Directory access protocol; supplies the account and group data that SSO systems authenticate against.

    Policies and Procedures for Accountability

    • Log files: Record of user activities and access attempts.
    • Monitoring and reviews: Regular evaluation of log files.
    • Data retention: Policies controlling how long access records are kept.
    • Media disposal: Proper disposal of storage media containing sensitive data (e.g., hard drives, optical media).
    • Compliance requirements: Adherence to regulatory compliance related to retention and disposal.

    Formal Models of Access Control

    • Discretionary Access Control (DAC): Access controlled by the owner of the resource (i.e., flexibility and discretion)
    • Mandatory Access Control (MAC): Access control based on the sensitivity of the resource (i.e., strict restrictions)
    • Nondiscretionary Access Control: Security administrator-controlled access restrictions, generally more secure than DAC.
    • Rule-based access control: Access granted based on policies rather than individual permissions, offering flexibility.

    DAC (Discretionary Access Control)

    • Operating systems-based: DAC policies in operating systems.
    • Access control method: Mechanism for defining and implementing the DAC policy.
    • New user registration: Process for authorizing new users.
    • Periodic review: Review of access controls
    • Application-based: DAC policies in applications.
    • Permission Levels: Define access levels for specific users.
      • User-based, job-based, group-based or role-based (RBAC), project-based, and task-based policies.

    MAC (Mandatory Access Control)

    • Access restrictions based on resource sensitivity.
    • Classification labels determine security levels.
    • Individuals need formal authorization (clearance).
    • Access decisions are made by the system from the labels, not by the resource owner.
    • Temporary isolation or time-of-day restrictions for access.
    • MAC is considered more secure than DAC.

    Nondiscretionary Access Control

    • Security administrator manages access rules, not system owners.
    • Sensitive files are write-protected and restricted to authorized users.
    • Usually more secure.

    Rule-Based Access Control

    • Explicit authorization rules are established to determine access.
    • Access control is granted based on defined rules.

    Access Control Lists (ACLs)

    • Linux/macOS: Read, write, and execute (rwx) bits, set separately for the file's owner, its group, and everyone else.
    • Windows: Share permissions use the levels Full Control, Change, and Read, each of which can be set to Allow or Deny.
    • The source includes an illustrative example of an access control list.
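Added example, not code from the source chapter, of the Linux/macOS rwx model above. The detail practitioners most often get wrong is that the requester falls into exactly one class (owner, then group, then other) and only that class's bits apply: an owner whose file is mode 070 is denied even though the group bits would allow. The parser accepts `ls -l` style strings; files, users and groups are constructed. The root special case reflects Linux behaviour (CAP_DAC_OVERRIDE), where root bypasses read/write checks but still needs at least one execute bit to execute.

```python
"""Unix DAC permission check as the kernel performs it: one class only.

Added example, not code from the source chapter. Files, users and
groups are constructed; root handling follows Linux (CAP_DAC_OVERRIDE)."""
from dataclasses import dataclass
from typing import FrozenSet

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(symbolic: str) -> int:
    """'-rw-r-----' -> 0o640. Accepts 9 or 10 chars (leading type column
    ignored). setuid/setgid/sticky letters are not handled here."""
    body = symbolic[1:10] if len(symbolic) == 10 else symbolic
    if len(body) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(body):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= PERM_BITS[ch] << (3 * (2 - i // 3))   # owner, group, other triplets
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode


@dataclass(frozen=True)
class FileEntry:
    owner: str
    group: str
    mode: int


@dataclass(frozen=True)
class Principal:
    uid: str
    groups: FrozenSet[str]


def permitted(p: Principal, f: FileEntry, want: str) -> bool:
    """want is a subset of 'rwx'. Exactly one permission class is consulted."""
    need = sum(PERM_BITS[c] for c in want)
    if p.uid == "root":
        # Linux: root ignores r/w bits but needs some x bit to execute.
        return "x" not in want or bool(f.mode & 0o111)
    if p.uid == f.owner:
        cls = (f.mode >> 6) & 0o7          # owner class, even if group bits are wider
    elif f.group in p.groups:
        cls = (f.mode >> 3) & 0o7
    else:
        cls = f.mode & 0o7
    return cls & need == need


if __name__ == "__main__":
    f = FileEntry("alice", "finance", parse_mode("----rwx---"))
    print("alice (owner) read:", permitted(Principal("alice", frozenset({"finance"})), f, "r"))
    print("bob (group)  rwx :", permitted(Principal("bob", frozenset({"finance"})), f, "rwx"))
```

The owner-class rule is also why "just add the owner to the group" does not widen an owner's access, and why a deliberately restrictive owner triplet can be used to keep a service account from modifying its own configuration.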

    Role-Based Access Control (RBAC)

    • Explicit rules and roles govern access.
    • Roles are assigned privileges.
    • User access based on role.
    • This structure is illustrated in a diagram.

    Content-Dependent Access Control

    • Access limitations are based on data content.
    • Example: Local manager access limited to their department's employee data.

    Constrained User Interface

    • Methods of limiting what a user can reach include menus, database views, physically constrained user interfaces, and encryption, which makes data unreadable to anyone without the key.

    Other Access Control Models

    • Other models (e.g., Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash) that describe specific approaches to access control.

    Brewer-Nash Model (Chinese Wall)

    • Addresses conflicts of interest: once a subject has accessed one company's data, it is walled off from the data of that company's competitors in the same conflict-of-interest class.
    • The source includes a diagram of this model.
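Added example, not code from the source chapter, implementing the label-based decisions of three of the formal models named above: Bell-LaPadula (confidentiality: no read up, no write down), Biba (integrity: no read down, no write up), and Brewer-Nash (conflict of interest, with per-subject access history). The level names, companies and conflict classes are constructed.

```python
"""Decision rules for Bell-LaPadula, Biba and Brewer-Nash (Chinese Wall).

Added example, not code from the source chapter. Levels, datasets and
conflict classes are constructed."""
from typing import Dict, FrozenSet, Set, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula. read: simple security property (subject >= object).
    write: *-property (subject <= object), so a SECRET subject cannot copy
    what it knows into a CONFIDENTIAL file."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    return s >= o if op == "read" else s <= o


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba is the dual: read only from equal/higher integrity, write only
    to equal/lower integrity, so low-integrity input cannot contaminate
    high-integrity data."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    return s <= o if op == "read" else s >= o


class ChineseWall:
    """Brewer-Nash. conflict_classes maps a class name to the companies that
    compete in it; history records the datasets each subject has read."""

    def __init__(self, conflict_classes: Dict[str, FrozenSet[str]]):
        self.classes = conflict_classes
        self.history: Dict[str, Set[str]] = {}

    def _class_of(self, company: str) -> str:
        for name, members in self.classes.items():
            if company in members:
                return name
        raise KeyError(company)

    def can_read(self, subject: str, company: str) -> bool:
        seen = self.history.get(subject, set())
        cls = self._class_of(company)
        # Allowed unless the subject already touched a *different* company in this class.
        return all(self._class_of(c) != cls or c == company for c in seen)

    def read(self, subject: str, company: str) -> bool:
        """The decision depends on history, so a grant must also record it."""
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def demo_wall() -> Tuple[bool, bool, bool]:
    wall = ChineseWall({
        "banks": frozenset({"BankA", "BankB"}),
        "oil": frozenset({"OilCo", "PetroInc"}),
    })
    first = wall.read("consultant", "BankA")    # True: clean history
    second = wall.read("consultant", "OilCo")   # True: different conflict class
    third = wall.read("consultant", "BankB")    # False: competes with BankA
    return first, second, third


if __name__ == "__main__":
    print("BLP SECRET writes CONFIDENTIAL:", blp_allows("SECRET", "CONFIDENTIAL", "write"))
    print("Chinese Wall sequence:", demo_wall())
```

Note the asymmetry: Bell-LaPadula and Biba are stateless functions of two labels, while Brewer-Nash is stateful, so its enforcement point must persist history for the subject's lifetime or the wall can be walked around by a fresh session.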

    Effects of Breaches in Access Control

    • Data compromise, loss of confidence and business opportunities.
    • Regulatory sanctions, damage to reputation, and financial penalties.

    Threats to Access Controls

    • Gaining physical access.
    • Eavesdropping by observation.
    • Bypassing security.
    • Exploiting hardware and software.
    • Media reuse/discard issues.
    • Electronic eavesdropping.
    • Inter-communication issues.
    • Network access.
    • Application exploitation.

    Effects of Access Control Violations

    • Loss of confidence and potentially of business opportunities.
    • Regulatory requirements and sanctions.
    • Damage to reputation.
    • Increased oversight.
    • Financial penalties.

    Credential and Permissions Management

    • Systems for collecting, managing, and employing access control data.
    • Microsoft solutions (e.g. Group Policy and GPOs) support this.

    Centralized and Decentralized Access Controls

    • Centralized approach manages security from a central point, while decentralized security control is implemented locally.
    • Protocols such as RADIUS, TACACS+, Diameter, and SAML are used here (the source includes illustrative diagrams).

    Decentralized Access Control

    • Management and security control locally, often managed by the individuals closest to the users.
    • Methods include PAP, CHAP, and the OATH one-time password algorithms HOTP and TOTP (OATH is the industry initiative that published them, not a protocol itself).
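Added example, not code from the source chapter, contrasting the first two methods listed above. PAP sends the password itself, so a passive eavesdropper can replay it. CHAP (RFC 1994) sends only MD5(identifier || secret || challenge) for a fresh server challenge, so a captured response is useless for a later session. Both sides' messages are constructed in code and a replay by an eavesdropper is shown failing; the usernames, secret and simulated link layout are mine, the hash formula is the one in RFC 1994.

```python
"""PAP versus CHAP (RFC 1994) over a simulated link.

Added example, not code from the source chapter. SECRETS and the message
tuples are constructed; chap_response follows RFC 1994 section 2."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

SECRETS: Dict[str, bytes] = {"alice": b"s3cret-link-key"}   # constructed shared secret


# ---- PAP: Authenticate-Request carries the password in clear ----
def pap_request(user: str, password: bytes) -> Tuple[str, bytes]:
    return user, password          # this is literally what crosses the wire


def pap_verify(msg: Tuple[str, bytes]) -> bool:
    user, password = msg
    return hmac.compare_digest(SECRETS.get(user, b""), password)


# ---- CHAP: three-way handshake, the secret never leaves either end ----
def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    def __init__(self) -> None:
        self.pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self.ident = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Challenge packet: fresh random value under a new identifier."""
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, user: str, response: bytes) -> bool:
        """Success/Failure decision. Each challenge is consumed on first use."""
        chal = self.pending.pop(ident, None)
        if chal is None or user not in SECRETS:
            return False
        expected = chap_response(ident, SECRETS[user], chal)
        return hmac.compare_digest(expected, response)


def chap_session(server: ChapServer, user: str, secret: bytes) -> Tuple[bool, int, bytes]:
    """One full exchange: Challenge -> Response -> Success/Failure."""
    ident, chal = server.challenge()               # server -> client
    resp = chap_response(ident, secret, chal)      # client computes, sends ident + resp
    return server.verify(ident, user, resp), ident, resp


def replay_attack() -> Tuple[bool, bool]:
    """What a passive eavesdropper achieves against each protocol."""
    pap_ok = pap_verify(pap_request("alice", SECRETS["alice"]))  # captured password replayed: works
    server = ChapServer()
    ok, _ident, resp = chap_session(server, "alice", SECRETS["alice"])
    assert ok
    new_ident, _ = server.challenge()                # attacker starts a new session
    chap_ok = server.verify(new_ident, "alice", resp)  # replays the recorded response: fails
    return pap_ok, chap_ok


if __name__ == "__main__":
    print("replay succeeds (PAP, CHAP):", replay_attack())
```

CHAP stops replay, not offline guessing: an eavesdropper who records a challenge and its response can test candidate secrets at MD5 speed, so the shared secret must be high-entropy. It also requires the server to hold the secret in a reversible form, which is the trade-off that pushed later protocols toward salted verifiers.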

    Privacy

    • Privacy expectations are communicated in acceptable use policies (AUPs) and login banners.
    • Workplace monitoring includes email opening, automated email checking, keyboard usage, site visit logs, credit reference agencies, PoS terminals, and CCTV recordings.

    Cloud Computing

    • Deployment categories: private, community, public, and hybrid clouds.
    • Service models: IaaS, PaaS, and SaaS.

    Advantages and Disadvantages of Cloud Computing

    • Advantages: No data center or disaster recovery site maintenance needed, dynamic provisioning for performance and connectivity.
    • Disadvantages: Difficulty maintaining data security, danger of data leakage, reliance on constant network access, and vendor trust.


    Related Documents

    Chapter 6: Access Controls PDF

    Description

    Test your knowledge on the key components and principles of access control in IT infrastructures. This quiz covers essential concepts such as authentication, accountability, and policy enforcement. Ideal for students and professionals looking to deepen their understanding of access control mechanisms.
