Access Control Management Quiz

Questions and Answers

What is the primary focus of the identification phase in access control?

• To grant access based on predefined policies.
• To track the actions of users within the system.
• To verify the identities of users attempting to access assets.
• To determine who is requesting access to an asset. (correct)

Which phase is responsible for verifying whether individuals can be authenticated?

• Authorization
• Authentication (correct)
• Accountability
• Identification

What does the authorization phase determine?

• How user actions are traced back to them.
• Which individuals are requesting access.
• Who is allowed to make system changes.
• What actions individuals can perform on assets. (correct)

During which phase are requests for access either granted or rejected?

Policy enforcement phase (A)

How are actions traced to an individual according to the four phases of access control?

Via the accountability phase. (A)

What is the primary purpose of access controls in an IT infrastructure?

To protect resources from unauthorized use (C)

Which of the following best describes a key concept related to access controls?

Managing identity through access control (C)

What does the process of defining access control primarily aim to achieve?

To ensure resource usage is limited to authorized individuals (C)

Why are mitigations important in access control?

They prevent threats from exploiting vulnerabilities (B)

What role do formal models of access control play in information security?

They help design and guide security mechanisms (C)

Access control primarily aims to protect which aspect of a resource?

The unauthorized sharing of the resource with others (A)

Which of the following is NOT a component of managing access controls?

Conducting regular data backups (B)

What outcome do effective access controls aim to achieve in an IT environment?

Reduced risk of unauthorized resource usage (D)

What is the primary function of a security kernel in a computing environment?

To enforce access control (B)

Which of the following is a key feature of the reference monitor concept?

Control over software access to data (A)

How does the reference monitor verify access requests?

By validating against a table of allowable access types (D)

Which of the following can a security kernel be implemented as?

As a firmware system or hardware component (C)

What role does the central point of access control play in a security kernel?

It establishes access permissions (D)

What is required for a subject to access an object in a security context?

An access request must be made (A)

In terms of security, what ensures that access control is consistently enforced throughout a system?

The security kernel's central access control (C)

Which characteristic is NOT associated with the access control managed by a security kernel?

It is decentralized across individual applications (B)

Which biometric method primarily relies on the unique characteristics of an individual's eye?

Iris scan (C)

What does action-based authentication primarily focus on?

Patterns of behavior (B)

Which biometric identification method is most likely to utilize fingerprints?

Palm print recognition (D)

Authentication by location is considered a strong indicator of what?

Authenticity (D)

Which of the following biometric identification techniques analyzes how you type?

Keystroke dynamics (D)

Which biometric method involves analyzing the shape and structure of a person's hands?

Hand geometry (B)

What technique is NOT classified under biometric methods?

Password strength analysis (B)

Which type of biometric does NOT rely on a physical characteristic?

Keystroke dynamics (A)

What is the main advantage of using Single Sign-On (SSO)?

Allows access to all systems with a single login. (D)

Which access control model emphasizes the importance of data confidentiality?

Bell-LaPadula model (A)

Which of the following is a challenge of implementing Single Sign-On (SSO)?

It can be difficult to put in place. (A)

What role does the Biba integrity model primarily serve?

Maintaining data integrity (D)

Which protocol is NOT associated with Single Sign-On processes?

Simple Mail Transfer Protocol (SMTP) (D)

What is a key purpose of log files in accountability policies?

To monitor and review user actions. (A)

In which scenario would the Clark and Wilson integrity model be most applicable?

In a financial transaction system (D)

The Menu Constrained User Interface is primarily used to:

Limit user interaction options (D)

Data retention policies are implemented mainly to:

Ensure compliance with regulatory requirements. (A)

What does media disposal refer to in accountability procedures?

Safely managing the disposal of storage media. (B)

Which of the following is NOT an integrity model mentioned?

Smith and Johnson integrity model (A)

Which of the following is NOT a process related to Single Sign-On (SSO) implementation?

Two-factor authentication (B)

The Brewer and Nash integrity model is designed to:

Prevent conflicts of interest (A)

What is a key characteristic of the Menu Constrained User Interface?

Reduces the number of visible options (A)

Monitoring and reviews in accountability policies primarily serve what purpose?

To identify security breaches and compliance issues. (D)

Which model focuses specifically on the needs of integrity in a business environment?

Biba integrity model (A)

Flashcards

Access Control Role

Access control protects resources by restricting use to authorized individuals.

Access Control Purpose

Access control prevents unauthorized access to resources.

Access Control Technologies

The methods and systems used to implement access control.

Formal Access Control Models

Structured ways of defining who can access what resources

Identity Management

The process of identifying and managing user accounts

System Access Controls, Maintenance

Regularly checking and updating access controls, securing systems

Access Control Protection

The process of preventing unauthorized resource usage, mitigating threats.

IT Infrastructure's Role

Providing the base structure and support essential for access control and resource security.

Identification in Access Control

Verifying the identity of a user requesting access to an asset.

Authentication in Access Control

Confirming the identity of a user.

Authorization in Access Control

Determining what a user can access and do.

Accountability in Access Control

Tracking actions to specific individuals.

Policy Enforcement Phase

Granting or denying access requests based on defined authorizations.

Security Kernel

The core of a secure computing environment, controlling access to computer and network resources. It can be hardware, software, or firmware.

Access Control

The process of restricting what users and processes can do on a computer or network.

Reference Monitor

A module that controls all software access to data objects or devices, verifying requests against a table of allowed access types.

Access Request

A subject's request to use a resource or perform an action.

Subject

The user or process that requests access.

Object

The data, device, or resource that is being accessed.

Access Permissions

Rules that define what a subject is allowed to do with an object.

Security Kernel Role

Enforces access control for computer systems, acts as a central point of control, and implements the reference monitor concept.

Biometric Authentication

Using unique biological traits to verify identity.

Fingerprint Recognition

Verifying identity by comparing a fingerprint to a stored template.

Facial Recognition

Identifying individuals based on their facial features.

Voice Pattern Recognition

Analyzing voice characteristics to authenticate users.

Iris Scan

Scanning the unique patterns in the iris of the eye for identification.

Keystroke Dynamics

Analyzing the rhythm and timing of keystrokes for authentication.

Signature Dynamics

Analyzing the unique pressure and strokes in your signature for authentication.

Authentication by Location

Using physical location as an additional security layer.

Single Sign-On (SSO)

A system where you only need to log in once to access multiple applications or resources.

Kerberos

A widely used authentication protocol for SSO, involving secure communication between client, server, and a central authentication server.

Lightweight Directory Access Protocol (LDAP)

A protocol used for querying and updating information in directories, often used in SSO implementations.

What are some examples of SSO processes?

Common SSO processes include Kerberos, SESAME, and LDAP. Each uses different methods to securely authenticate users and grant access to resources.

Log Files

Records of user activity on a system, providing a trail for accountability and security audits.

Data Retention Policy

A set of rules outlining how long data should be stored and what happens to it after that period.

Compliance Requirements

Rules and regulations that organizations must adhere to for data security, privacy, and other relevant areas.

Menu Constrained UI

A user interface where access to specific features or functions is limited based on the user's role or permissions. Users can only access options available in the menus assigned to their roles.

Bell-LaPadula Model

A security model focusing on confidentiality, preventing information from flowing to users with lower security clearance. It operates under the principle of 'no read up,' meaning a user cannot access data at a higher security level than their own.

Biba Integrity Model

A security model focused on data integrity. It prevents modification of data by users with lower integrity levels. It operates under the principle of 'no write down,' preventing users from writing to data at a lower integrity level.

Clark and Wilson Integrity Model

A model focusing on data integrity and the separation of duties, ensuring that actions on data are properly authorized and tracked. It relies on well-defined rules and procedures.

Brewer and Nash Integrity Model

A model focused on protecting the integrity of data in a competitive environment. It prevents conflicts of interest by ensuring that users cannot access information that could compromise their integrity.

Access Control Models

Formal frameworks that define how access to data and resources is regulated, specifying rules and policies for granting or denying access based on user permissions.

What is the purpose of security models like Bell-LaPadula and Biba?

These models define how to prevent unauthorized access to protect confidentiality (Bell-LaPadula) and data integrity (Biba) by establishing rules and restrictions based on user permissions and data security levels.

What is the difference between Bell-LaPadula and Biba?

Bell-LaPadula focuses on preventing unauthorized access to confidential information, while Biba focuses on data integrity, ensuring data accuracy and preventing corruption from users with lower integrity levels.

Study Notes

Access Controls in IT Infrastructure

• Access controls are crucial for protecting IT infrastructure from unauthorized use.
• They involve the process of managing and controlling who can access resources and data.
• The key components of access control include identification, authentication, authorization, and accountability.

Four Phases of Access Control

• Identification: Determining who is requesting access to an asset.
• Authentication: Verifying the identity of the user.
• Authorization: Defining what access rights the user has.
• Accountability: Ensuring actions taken are traceable to specific users.

Policy Definition and Enforcement Phases

• Policy definition phase: Defines who has access to what systems/resources.
• Policy enforcement phase: Grants or denies access based on the defined policy.
• Both phases work closely with identification and authentication, and are critical in accountability.

Two Types of Access Controls

• Physical controls: Regulate access to physical locations like buildings, parking lots, and secure areas.
• Logical controls: Control access to computer systems and networks.

Physical Access Control

• Examples of physical access control include smart cards.
• Smart cards are programmed using an ID number for controlling entry into various areas.
• Some office buildings may use additional after-hours cards for access.

Logical Access Control

• Logical access control focuses on deciding user access to systems.
• It involves monitoring and controlling user behavior within the system.

What is a Kernel?

• The kernel is the core of an operating system.
• It provides basic services that other OS parts use.
• It acts as an intermediary between hardware and the rest of the OS.
• It handles process and memory management, filesystems, device control, and networking.

The Security Kernel

• The Security Kernel is the part of the OS used to enforce access control policies.
• It's the central point for access control.
• It implements the reference monitor concept—a secure mechanism to allow only authorized access to resources.

What is a Security Kernel?

• The security kernel is the core of a secure computing environment.
• It can be hardware, software or firmware based.
• It's the central location for establishing access permissions.

Enforcing Access Control

• The security kernel intercepts access requests.
• It checks access rules against the security kernel database.
• If allowed, the kernel grants access to the requested resource.
• All access attempts are logged for later analysis.

Drafting Access Control Policies

• Policies include defining users, resources, actions allowed, and relationships between them.
• Users are individuals or processes using the system.
• Resources are protected objects within the system.
• Actions are specific operations authorized users can perform.
• Relationships may include dependencies or constraints between different items.

Logical Access Control Solutions

• Biometrics: Static (fingerprints, iris scans) and dynamic (signatures, voice) methods.
• Tokens: Used for authentication, they generate one-time passwords or hashed values.
• Passwords: Must be strong, have procedures for secure management.
• Single sign on: Allows users to access multiple systems with a single login.

Asynchronous vs Synchronous Tokens

• Asynchronous tokens: Generate a unique response to a challenge. These usually have a time interval between generations.
• Synchronous tokens: Time or event based, such as one-time passwords.

Smart Cards Access Control

• Smart cards require knowledge-based authentication (PIN).
• Authentication protocols validate access.
• Kerberos is a common protocol.

Authorization Policies

• Authorization policies grant or deny permissions to users or user groups.
• Policies define different types of users (individuals or groups), actions and objects.

Methods and Guidelines for Identification

• Identification methods include usernames, smart cards, and biometrics.
• Proper guidelines ensure processes for actions and accounting are correctly implemented.

Authentication Types

• Authentication is about verifying users' identities.
• Common methods include knowledge (passwords), ownership (tokens), characteristics (biometrics), location (location-based), and actions (action-based).

Authentication by Knowledge

• Passwords, as a knowledge-based authentication factor, can lead to security risks.
• Strong passwords or passphrases are important to avoid compromise.

Authentication by Ownership

• Time-based, event-based and continuous authentication systems use tokens.
• Smart cards, USB tokens, and memory cards are common ownership-based authentication methods

Authentication by Characteristics/Biometrics

• Static biometrics measure physical characteristics (fingerprints, iris scans).

Authentication by Location and Action

• Location-based authentication uses location to verify users.

Single Sign-On (SSO)

• SSO (Single Sign-On) allows users to access multiple systems with a single login.
• It reduces errors associated with managing numerous credentials.
• Implementing SSO may be challenging.

SSO Processes (Implementation)

• Several protocols and systems can support SSO, including Kerberos, Sesame, and LDAP.

Policies and Procedures for Accountability

• Keeping logs of all related information, and procedures regarding record keeping, storage and disposal of sensitive material, and compliance requirements are important.

Formal Models of Access Control

• DAC (Discretionary Access Control): Resource owners set the access permissions.
• MAC (Mandatory Access Control): Security policy defines access restrictions.
• Non-discretionary Access Control: Access rules are strictly managed by security administrators
• Rule-based Access Control: Rules determine access permissions based on attributes and policies.

Discretionary Access Control (DAC)

• Resource owners decide on access permissions.
• OS-based DAC uses system-level access control mechanisms (users, groups).
• Application-based policies allow only authorized actions in specific contexts/applications.

Application-based DAC Example

• Applications define access based on context and content.
• Users are only presented with options they are explicitly authorized to perform.

Mandatory Access Control (MAC)

• Sensitivity levels determine resource access restrictions (the sensitivity/classification labels).
• Temporal isolation restricts access based on specific times.

MAC Bell-La Padula confidentiality model

• A model for ensuring confidentiality in access control.
• Access privileges are granted based on security labels.

MAC Subjects and Objects labels

• Sensitivity labels (e.g., Confidential, Top Secret) classify resources (objects).
• Clearance levels (e.g., Authorised) assign different privilege levels or access restrictions to individuals.

Rule-Based Access Control (ABAC)

• Access control based on rules and user attributes.
• Data owners define rules to determine who gets access, which actions can be performed, and with what data object.

Nondiscretionary Access Control

• Security administrators manage access rules, rather than resource owners.
• This approach enhances security and integrity for sensitive data and resources

Access Control Lists (ACL)

• Access control lists specify permissions for users and resources.
• ACLs are used in Linux and OS X for managing access to files and folders.
• Windows systems also use ACLs for sharing resources and permissions.

Role-Based Access Control (RBAC)

• An access control model that assigns access rights based on roles assigned to users.
• This system helps manage access control with fewer issues based on the users.

Content-Dependent Access Control

• Access to resources is contingent or based on information contained within those resources (like specific data content). This approach is especially useful in data security.

Constrained User Interface

• User interfaces restrict access based on user permissions. This type of access control involves menus, database views and also physical restrictions on user interfaces.

Physical Constrained User Interface Example

• ATMs have constrained user interfaces, where available options vary based on user status or permissions. (ATM Example)

Menu Constrained User Interface Example

• Applications (like a retail system) restrict user options in an interface to what they are authorized to perform. (Retail System Example).

Other Access Control Models

• Different models for access control mechanisms are discussed here, including the Bell-LaPadula, Biba integrity, Clark-Wilson integrity, and Brewer-Nash integrity models.

Effects of Breaches in Access Control

• Breaches in access control lead to losses of intellectual property, revenue, and trust.
• Consequences of violations must be addressed to improve security.

Threats to Access Controls

• Attackers attempt to overcome safeguards, using a variety of techniques like physical access or intercepting communication.

Credential and Permissions Management

• Systems that manage credentials.
• Microsoft's implementation of this—and other systems are detailed, especially in relation to central management of access, permissions and data.

Centralized and Decentralized Access Control

• Centralized systems use single authentication servers for multiple systems.
• Decentralized systems assign control to users responsible for handling data and controlling access closest to the user performing actions.

Decentralized Access Control

• Access control resides in the hands of system users who are closer to the subject needing access. (Examples include PAP, CHAP, Mobile device authentication, and one-time passwords (HOTP, TOTP).

Privacy

• Privacy expectations are communicated through policies, as well as in notices and banners.
• Monitoring employee use in the workplace (email, phone logs, web browsing) may impact privacy.

Description

Test your knowledge on the fundamental phases of access control in IT infrastructure. This quiz covers identification, authentication, authorization, and their significance in maintaining security. Understand key concepts and the role of access controls in protecting resources.