Access Control Management Quiz
45 Questions

Questions and Answers

What is the primary focus of the identification phase in access control?

  • To grant access based on predefined policies.
  • To track the actions of users within the system.
  • To verify the identities of users attempting to access assets.
  • To determine who is requesting access to an asset. (correct)

Which phase is responsible for verifying whether individuals can be authenticated?

  • Authorization
  • Authentication (correct)
  • Accountability
  • Identification

What does the authorization phase determine?

  • How user actions are traced back to them.
  • Which individuals are requesting access.
  • Who is allowed to make system changes.
  • What actions individuals can perform on assets. (correct)

During which phase are requests for access either granted or rejected?

Answer: Policy enforcement phase

How are actions traced to an individual according to the four phases of access control?

Answer: Via the accountability phase.

What is the primary purpose of access controls in an IT infrastructure?

Answer: To protect resources from unauthorized use

Which of the following best describes a key concept related to access controls?

Answer: Managing identity through access control

What does the process of defining access control primarily aim to achieve?

Answer: To ensure resource usage is limited to authorized individuals

Why are mitigations important in access control?

Answer: They prevent threats from exploiting vulnerabilities

What role do formal models of access control play in information security?

Answer: They help design and guide security mechanisms

Access control primarily aims to protect which aspect of a resource?

Answer: The unauthorized sharing of the resource with others

Which of the following is NOT a component of managing access controls?

Answer: Conducting regular data backups

What outcome do effective access controls aim to achieve in an IT environment?

Answer: Reduced risk of unauthorized resource usage

What is the primary function of a security kernel in a computing environment?

Answer: To enforce access control

Which of the following is a key feature of the reference monitor concept?

Answer: Control over software access to data

How does the reference monitor verify access requests?

Answer: By validating against a table of allowable access types

Which of the following can a security kernel be implemented as?

Answer: As a firmware system or hardware component

What role does the central point of access control play in a security kernel?

Answer: It establishes access permissions

What is required for a subject to access an object in a security context?

Answer: An access request must be made

In terms of security, what ensures that access control is consistently enforced throughout a system?

Answer: The security kernel's central access control

Which characteristic is NOT associated with the access control managed by a security kernel?

Answer: It is decentralized across individual applications

Which biometric method primarily relies on the unique characteristics of an individual's eye?

Answer: Iris scan

What does action-based authentication primarily focus on?

Answer: Patterns of behavior

Which biometric identification method is most likely to utilize fingerprints?

Answer: Palm print recognition

Authentication by location is considered a strong indicator of what?

Answer: Authenticity

Which of the following biometric identification techniques analyzes how you type?

Answer: Keystroke dynamics

Which biometric method involves analyzing the shape and structure of a person's hands?

Answer: Hand geometry

What technique is NOT classified under biometric methods?

Answer: Password strength analysis

Which type of biometric does NOT rely on a physical characteristic?

Answer: Keystroke dynamics

What is the main advantage of using Single Sign-On (SSO)?

Answer: Allows access to all systems with a single login.

Which access control model emphasizes the importance of data confidentiality?

Answer: Bell-LaPadula model

Which of the following is a challenge of implementing Single Sign-On (SSO)?

Answer: It can be difficult to put in place.

What role does the Biba integrity model primarily serve?

Answer: Maintaining data integrity

Which protocol is NOT associated with Single Sign-On processes?

Answer: Simple Mail Transfer Protocol (SMTP)

What is a key purpose of log files in accountability policies?

Answer: To monitor and review user actions.

In which scenario would the Clark and Wilson integrity model be most applicable?

Answer: In a financial transaction system

The Menu Constrained User Interface is primarily used to:

Answer: Limit user interaction options

Data retention policies are implemented mainly to:

Answer: Ensure compliance with regulatory requirements.

What does media disposal refer to in accountability procedures?

Answer: Safely managing the disposal of storage media.

Which of the following is NOT an integrity model mentioned?

Answer: Smith and Johnson integrity model

Which of the following is NOT a process related to Single Sign-On (SSO) implementation?

Answer: Two-factor authentication

The Brewer and Nash integrity model is designed to:

Answer: Prevent conflicts of interest

What is a key characteristic of the Menu Constrained User Interface?

Answer: Reduces the number of visible options

Monitoring and reviews in accountability policies primarily serve what purpose?

Answer: To identify security breaches and compliance issues.

Which model focuses specifically on the needs of integrity in a business environment?

Answer: Biba integrity model

Study Notes

Access Controls in IT Infrastructure

• Access controls are crucial for protecting IT infrastructure from unauthorized use.
• They involve the process of managing and controlling who can access resources and data.
• The key components of access control include identification, authentication, authorization, and accountability.

Four Phases of Access Control

• Identification: Determining who is requesting access to an asset.
• Authentication: Verifying the identity of the user.
• Authorization: Defining what access rights the user has.
• Accountability: Ensuring actions taken are traceable to specific users.

Policy Definition and Enforcement Phases

• Policy definition phase: Defines who has access to what systems/resources.
• Policy enforcement phase: Grants or denies access based on the defined policy.
• Both phases work closely with identification and authentication, and are critical in accountability.

Two Types of Access Controls

• Physical controls: Regulate access to physical locations like buildings, parking lots, and secure areas.
• Logical controls: Control access to computer systems and networks.

Physical Access Control

• Examples of physical access control include smart cards.
• Smart cards are programmed using an ID number for controlling entry into various areas.
• Some office buildings may use additional after-hours cards for access.

Logical Access Control

• Logical access control focuses on deciding user access to systems.
• It involves monitoring and controlling user behavior within the system.

What is a Kernel?

• The kernel is the core of an operating system.
• It provides basic services that other OS parts use.
• It acts as an intermediary between hardware and the rest of the OS.
• It handles process and memory management, filesystems, device control, and networking.

The Security Kernel

• The Security Kernel is the part of the OS used to enforce access control policies.
• It's the central point for access control.
• It implements the reference monitor concept: a secure mechanism to allow only authorized access to resources.

What is a Security Kernel?

• The security kernel is the core of a secure computing environment.
• It can be hardware, software or firmware based.
• It's the central location for establishing access permissions.

Enforcing Access Control

• The security kernel intercepts access requests.
• It checks access rules against the security kernel database.
• If allowed, the kernel grants access to the requested resource.
• All access attempts are logged for later analysis.
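The four enforcement steps above (intercept the request, check it against the rule table, grant or deny, log every attempt) are what a reference monitor does. The following is an added example, not code from the original page or the lecture it summarises; the subject names, object names and rule table are constructed for illustration, and anything not listed in the table is denied (default deny).

```python
"""Toy reference monitor: every access request is mediated against a table of
allowed (subject, object) -> actions, and every attempt, allowed or denied,
is appended to an audit log for later review.

Added example, not code from the original page; all names, rules and sample
requests below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# The "security kernel database" of the notes: (subject, object) -> actions.
# Any pair or action not present is denied, so the monitor fails closed.
AccessRules = Dict[Tuple[str, str], FrozenSet[str]]


@dataclass
class ReferenceMonitor:
    rules: AccessRules
    audit_log: List[str] = field(default_factory=list)

    def check(self, subject: str, obj: str, action: str) -> bool:
        """Mediate one access request and record the decision."""
        allowed = action in self.rules.get((subject, obj), frozenset())
        outcome = "ALLOW" if allowed else "DENY"
        # Successful accesses are logged too: accountability needs the full
        # trail, not only the failures.
        self.audit_log.append(
            f"{outcome} subject={subject} object={obj} action={action}"
        )
        return allowed

    def denied_attempts(self) -> List[str]:
        """Entries a reviewer would look at first."""
        return [entry for entry in self.audit_log if entry.startswith("DENY")]


# Constructed rule table for the demonstration.
SAMPLE_RULES: AccessRules = {
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("bob", "payroll.db"): frozenset({"read"}),
    ("bob", "reports/"): frozenset({"read", "write"}),
}


def demo() -> ReferenceMonitor:
    """Run three constructed requests through the monitor and return it."""
    rm = ReferenceMonitor(SAMPLE_RULES)
    rm.check("alice", "payroll.db", "write")   # allowed by the table
    rm.check("bob", "payroll.db", "write")     # denied: bob may only read
    rm.check("mallory", "payroll.db", "read")  # denied: no rule at all
    return rm


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

The important design point is that there is exactly one code path through which a request reaches a resource, and that path both decides and logs; this is what makes enforcement "consistent throughout the system" as the quiz puts it.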

Drafting Access Control Policies

• Policies include defining users, resources, actions allowed, and relationships between them.
• Users are individuals or processes using the system.
• Resources are protected objects within the system.
• Actions are specific operations authorized users can perform.
• Relationships may include dependencies or constraints between different items.

Logical Access Control Solutions

• Biometrics: Static (fingerprints, iris scans) and dynamic (signatures, voice) methods.
• Tokens: Used for authentication, they generate one-time passwords or hashed values.
• Passwords: Must be strong, have procedures for secure management.
• Single sign on: Allows users to access multiple systems with a single login.

Asynchronous vs Synchronous Tokens

• Asynchronous tokens: Generate a unique response to a challenge. These usually have a time interval between generations.
• Synchronous tokens: Time or event based, such as one-time passwords.

Smart Cards Access Control

• Smart cards require knowledge-based authentication (PIN).
• Authentication protocols validate access.
• Kerberos is a common protocol.

Authorization Policies

• Authorization policies grant or deny permissions to users or user groups.
• Policies define different types of users (individuals or groups), actions and objects.

Methods and Guidelines for Identification

• Identification methods include usernames, smart cards, and biometrics.
• Proper guidelines ensure processes for actions and accounting are correctly implemented.

Authentication Types

• Authentication is about verifying users' identities.
• Common methods include knowledge (passwords), ownership (tokens), characteristics (biometrics), location (location-based), and actions (action-based).

Authentication by Knowledge

• Passwords, as a knowledge-based authentication factor, can lead to security risks.
• Strong passwords or passphrases are important to avoid compromise.

Authentication by Ownership

• Time-based, event-based and continuous authentication systems use tokens.
• Smart cards, USB tokens, and memory cards are common ownership-based authentication methods.

Authentication by Characteristics/Biometrics

• Static biometrics measure physical characteristics (fingerprints, iris scans).

Authentication by Location and Action

• Location-based authentication uses location to verify users.

Single Sign-On (SSO)

• SSO (Single Sign-On) allows users to access multiple systems with a single login.
• It reduces errors associated with managing numerous credentials.
• Implementing SSO may be challenging.

SSO Processes (Implementation)

• Several protocols and systems can support SSO, including Kerberos, Sesame, and LDAP.

Policies and Procedures for Accountability

• Accountability depends on keeping logs of all relevant activity, together with procedures for record keeping, for the storage and disposal of sensitive material, and for meeting compliance requirements.

Formal Models of Access Control

• DAC (Discretionary Access Control): Resource owners set the access permissions.
• MAC (Mandatory Access Control): Security policy defines access restrictions.
• Non-discretionary Access Control: Access rules are strictly managed by security administrators.
• Rule-based Access Control: Rules determine access permissions based on attributes and policies.

Discretionary Access Control (DAC)

• Resource owners decide on access permissions.
• OS-based DAC uses system-level access control mechanisms (users, groups).
• Application-based policies allow only authorized actions in specific contexts/applications.

Application-based DAC Example

• Applications define access based on context and content.
• Users are only presented with options they are explicitly authorized to perform.

Mandatory Access Control (MAC)

• Sensitivity levels determine resource access restrictions (the sensitivity/classification labels).
• Temporal isolation restricts access based on specific times.

MAC: Bell-LaPadula Confidentiality Model

• A model for ensuring confidentiality in access control.
• Access privileges are granted based on security labels.

MAC: Subject and Object Labels

• Sensitivity labels (e.g., Confidential, Top Secret) classify resources (objects).
• Clearance levels (e.g., Authorised) assign different privilege levels or access restrictions to individuals.

Rule-Based Access Control (ABAC)

• Access control based on rules and user attributes.
• Data owners define rules to determine who gets access, which actions can be performed, and with what data object.

Nondiscretionary Access Control

• Security administrators manage access rules, rather than resource owners.
• This approach enhances security and integrity for sensitive data and resources.

Access Control Lists (ACL)

• Access control lists specify permissions for users and resources.
• ACLs are used in Linux and OS X for managing access to files and folders.
• Windows systems also use ACLs for sharing resources and permissions.

Role-Based Access Control (RBAC)

• An access control model that assigns access rights based on roles assigned to users.
• Because rights follow roles rather than individual users, this reduces the administrative issues that come with managing permissions per user.

Content-Dependent Access Control

• Access to resources is contingent on information contained within those resources (specific data content). This approach is especially useful in data security.

Constrained User Interface

• User interfaces restrict access based on user permissions. This type of access control involves menus, database views and also physical restrictions on user interfaces.

Physical Constrained User Interface Example

• ATMs have constrained user interfaces, where available options vary based on user status or permissions.
• Applications (like a retail system) restrict user options in an interface to what the user is authorized to perform.

Other Access Control Models

• Different models for access control mechanisms are discussed here, including the Bell-LaPadula, Biba integrity, Clark-Wilson integrity, and Brewer-Nash integrity models.
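The label-based decisions of the Bell-LaPadula confidentiality model (the MAC section above) and the Biba integrity model (named just above) can be written as a few comparisons on ordered labels. The block below is an added example, not code from the original page or lecture; the page only names the models, and the rules encoded here ("no read up / no write down" for Bell-LaPadula, "no read down / no write up" for Biba) are the models' standard properties. The label names, subjects and objects are constructed.

```python
"""Mandatory access decisions from sensitivity and integrity labels:
Bell-LaPadula for confidentiality, Biba for integrity.  Added example, not
code from the original page; labels and sample subjects/objects are
constructed."""
from enum import IntEnum
from typing import Dict, Tuple


class Sensitivity(IntEnum):
    """Confidentiality labels, ordered low to high."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    """Integrity labels, ordered low (untrusted) to high (trusted)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_allows(clearance: Sensitivity, label: Sensitivity, action: str) -> bool:
    """Bell-LaPadula: information may only flow upward in sensitivity."""
    if action == "read":    # simple security property: no read up
        return clearance >= label
    if action == "write":   # *-property: no write down
        return clearance <= label
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Integrity, obj: Integrity, action: str) -> bool:
    """Biba: information may only flow downward in integrity, so trusted
    data is never contaminated by less-trusted subjects or sources."""
    if action == "read":    # simple integrity property: no read down
        return subject <= obj
    if action == "write":   # *-integrity property: no write up
        return subject >= obj
    raise ValueError(f"unknown action {action!r}")


Labels = Tuple[Sensitivity, Integrity]


def decide(subject: Labels, obj: Labels, action: str) -> bool:
    """Combined decision when objects carry both kinds of label: the request
    must satisfy both models, since each can only deny, never grant."""
    clearance, subj_integrity = subject
    sensitivity, obj_integrity = obj
    return (blp_allows(clearance, sensitivity, action)
            and biba_allows(subj_integrity, obj_integrity, action))


# Constructed sample labels.
SUBJECTS: Dict[str, Labels] = {
    "analyst": (Sensitivity.SECRET, Integrity.MEDIUM),
    "web_form": (Sensitivity.UNCLASSIFIED, Integrity.LOW),
}
OBJECTS: Dict[str, Labels] = {
    "threat_report": (Sensitivity.SECRET, Integrity.HIGH),
    "public_notice": (Sensitivity.UNCLASSIFIED, Integrity.MEDIUM),
}

if __name__ == "__main__":
    for s_name, s_labels in SUBJECTS.items():
        for o_name, o_labels in OBJECTS.items():
            for action in ("read", "write"):
                verdict = "allow" if decide(s_labels, o_labels, action) else "deny"
                print(f"{s_name:9} {action:5} {o_name:14} -> {verdict}")
```

Running it shows why the two models are complementary: the analyst may read the secret threat report but not write to it (not trusted enough for high-integrity data), and may read but not write the public notice (writing secret-cleared output into an unclassified object would be a write down).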

Effects of Breaches in Access Control

• Breaches in access control lead to losses of intellectual property, revenue, and trust.
• Consequences of violations must be addressed to improve security.

Threats to Access Controls

• Attackers attempt to overcome safeguards, using a variety of techniques like physical access or intercepting communication.

Credential and Permissions Management

• Systems that manage credentials and permissions.
• Microsoft's implementation, along with other systems, is detailed, especially in relation to central management of access, permissions and data.

Centralized and Decentralized Access Control

• Centralized systems use single authentication servers for multiple systems.
• Decentralized systems assign control to users responsible for handling data and controlling access closest to the user performing actions.

Decentralized Access Control

• Access control resides in the hands of system users who are closer to the subject needing access. Examples include PAP, CHAP, mobile device authentication, and one-time passwords (HOTP, TOTP).

Privacy

• Privacy expectations are communicated through policies, as well as in notices and banners.
• Monitoring employee use in the workplace (email, phone logs, web browsing) may impact privacy.


Related Documents

Lecture 6 Access Controls PDF

Description

Test your knowledge on the fundamental phases of access control in IT infrastructure. This quiz covers identification, authentication, authorization, and their significance in maintaining security. Understand key concepts and the role of access controls in protecting resources.
