Access Control Systems Overview

Questions and Answers

What is the primary purpose of an Access Control List (ACL) in access control systems?

  • To log all unauthorized access attempts
  • To authenticate users before access is granted
  • To define permissions granted to specific subjects for resources (correct)
  • To create backup copies of resources

Which of the following processes is NOT part of the access control system?

  • Compilation (correct)
  • Identification
  • Authentication
  • Authorization

What does the principle of 'least privilege' advocate for in access control?

  • Granting maximum permissions to all users
  • Automatically granting all sources access by default
  • Creating unnecessary complexity in permissions management
  • Providing only the necessary permissions for users to perform their job functions (correct)

In the context of access control, what does 'implicit deny' mean?

  • Any access request not defined by a rule is automatically denied (D)

Which access control model emphasizes the owner's rights over resource permissions?

  • Discretionary Access Control (DAC) (C)

What is the primary role of Mandatory Access Control (MAC) in an access control system?

  • It assigns a security clearance level to each user and resource. (A)

Which of the following is NOT a characteristic of Role-based Access Control (RBAC)?

  • Access permissions are determined by user identity. (A)

How does continuous authentication enhance security in access control systems?

  • It verifies users at multiple points during their session. (B)

Which of the following best describes the purpose of accounting in an access control system?

  • To keep an audit log of user access and actions. (B)

What is the most appropriate use of a Standard User account in Windows?

  • To limit users to basic activities without risk to system integrity. (C)

What is a significant disadvantage of Single Sign-On (SSO)?

  • Compromising one account can lead to multiple service compromises. (B)

Which method is NOT a type of encryption mentioned in the content?

  • Elliptic Curve encryption (A)

What is the main challenge associated with symmetric encryption?

  • Secure distribution and storage of the secret key. (B)

How does asymmetric encryption primarily enhance security during communication?

  • By using a public key that cannot decrypt the message it encrypts. (B)

Which type of encryption is described as being faster but less complex than asymmetric encryption?

  • Symmetric encryption (B)

What is the role of a Certificate Authority (CA) in Public Key Infrastructure (PKI)?

  • To issue digital certificates that validate users or servers. (B)

What primary benefit does using encryption provide for information traveling over public networks?

  • It keeps the data private, preventing unauthorized understanding. (A)

Which authentication factor is most susceptible to loss and theft?

  • Something you have (B)

What is a primary drawback of using biometric authentication?

  • It can lead to high error rates. (C)

Why is multifactor authentication considered stronger than single-factor authentication?

  • It combines multiple forms of authentication data. (D)

Which method is NOT typically classified as an authentication factor?

  • Something you feel (D)

What is a potential drawback of location-based authentication?

  • It can be easily manipulated. (B)

What type of data is primarily used in personally identifiable information (PII) for authentication?

  • Responses to challenge questions. (C)

Which authentication method combines a hardware token with a PIN code?

  • Something you have (B)

Which of the following is a feature of Windows Hello?

  • It supports biometric authentication. (D)

Flashcards

Access Control System

A set of controls determining how subjects (users, processes) interact with objects (resources, like files, networks).

Access Control List (ACL)

A list of subjects and their permissions on an object. It's the core of most access control systems.

Least Privilege

Granting users only the rights they need to perform their job, minimizing risk.

Implicit Deny

The principle that access is denied unless explicitly allowed. A default rule of no access if not listed.

Discretionary Access Control (DAC)

An access control model where the owner of a resource controls who can access it.

RBAC (Role-Based Access Control)

A security model that assigns users to roles, and these roles have specific permissions. It's more organized than giving individual permissions to users.

MAC (Mandatory Access Control)

A security model where access is determined by security clearance levels (think high/low). Objects and users are assigned to a level.

User Account Types

Different types of user accounts (standard user, administrator, guest) have varying levels of access and permissions to the system.

Non-repudiation

A concept that ensures a user cannot later deny performing some action (e.g. modifying a file).

Group Accounts

For managing multiple users, group accounts collect users together and share permissions. This simplifies access control.

Multifactor Authentication

Combining multiple methods for verifying a user's identity (e.g., PIN and DOB).

Single Sign-On (SSO)

Logging in once to access multiple related resources.

Symmetric Encryption

Using the same secret key for encrypting and decrypting data.

Asymmetric Encryption

Using separate public and private keys for encrypting and decrypting.

Public Key Infrastructure (PKI)

A system that uses digital certificates to authenticate users or servers on public networks.

Cipher Text

Encrypted message.

Plain Text

Unencrypted message.

Authentication Factors

Different ways to verify a user's identity, like something they know (password), have (smart card), or are (fingerprint).

Something You Know

Authentication method using information a user knows, such as passwords, PINs, or answers to security questions.

Something You Have

Authentication method using a physical device like a smart card or token to verify identity.

Something You Are

Authentication method using biometric characteristics like fingerprints, iris scans, etc.

Multifactor Authentication

Combining multiple authentication factors for enhanced security.

Two-Factor Authentication

Authentication using two separate factors, like a password and a code from a token.

Smart Card

A physical card with an embedded chip that stores authentication data, often used with PINs for enhanced security.

Windows Hello

Windows 10 feature that enables biometric authentication, using methods such as fingerprint scanning.

Study Notes

Access Control Systems

  • Access control systems manage subject-object interactions. Subjects are users, processes, or anything needing access. Objects are resources like networks, servers, and files.
  • Access Control Lists (ACLs) detail subjects and their permissions on objects.
  • Access control systems involve four key processes:
    • Identification: Creating user or process IDs.
    • Authentication: Verifying subject identity.
    • Authorization: Defining and enforcing subject permissions on resources.
    • Accounting: Tracking resource usage.

Least Privilege and Implicit Deny

  • Least privilege limits permissions to only what users need for job functions, reducing misuse risk.
  • Implicit deny relies on explicit authorization for access, denying any request not explicitly permitted. This model is common in firewall rules.

Authorization Access Models

  • Discretionary Access Control (DAC): Resource owners control access, granting permissions to others.
  • Role-Based Access Control (RBAC): Uses predefined roles and assigns users to those roles to manage access efficiently.
  • Mandatory Access Control (MAC): Uses security clearance levels (labels) for restricted access based on hierarchical trust. A user can only access objects at their clearance level or below.
  • Rule-based Access Control: Access is governed by system-enforced rules rather than by individual owners; RBAC and MAC are examples. Continuous authentication (e.g., Windows UAC) adds a further layer of security by requiring confirmation before privileged actions are carried out.

Accounting and Non-repudiation

  • Accounting logs user authentication and access, providing an audit trail for authorized and unauthorized actions.
  • Logging is part of enforcing non-repudiation (the user cannot deny actions).
  • Non-repudiation is established through various mechanisms:
    • Video surveillance
    • Biometrics (strong authentication)
    • Signatures
    • Receipts

User Account Types

  • User accounts validate user identity during login.
  • Default Windows user accounts:
    • Administrator: Full control, disabled by default, strong password required.
    • Guest: Disabled by default.
    • User accounts created during setup: Local or Microsoft account, with administrator privileges by default.

Group Accounts

  • Group accounts simplify administration, assigning permissions to groups and enabling inheritance to users.
  • Windows default groups:
    • Administrators: Full control, used sparingly.
    • Standard Users: Basic functions, restricted admin privileges.
  • Workgroups have limited group accounts.

Authentication Factors

  • Authentication ensures accounts are used only by their proper holders.
  • Authentication factors:
    • Something you know (passwords, PINs, etc.)
    • Something you have (smart cards, tokens)
    • Something you are (biometrics)

Password Cracking and Management

  • "Something you know" authentication is prone to password attacks.
  • Cracking methods:
    • Dictionary attacks (using common words)
    • Brute-force attacks (trying all possible combinations)
  • Password best practices:
    • Length (longer is better)
    • Complexity (avoid simple words, blend upper/lowercase)
    • Memorability (use long phrases with symbols)
    • Confidentiality (don't share or write down)
    • History and expiration (change regularly)
    • Avoid reuse (don't use passwords across sites)

Encryption Types

  • Encryption hides information using keys.
  • Common terminology:
    • Plain text: Unencrypted data
    • Cipher text: Encrypted data
    • Cipher: Encryption/decryption algorithm
  • Encryption types:
    • Symmetric (single key for encryption and decryption); security depends on keeping the key secret.
    • Asymmetric (public and private keys); suitable for authentication and key exchange.
    • Cryptographic hashing (creates short, fixed-length data representations for integrity checks)

Public Key Infrastructure (PKI)

  • PKI authenticates subjects on public networks using digital certificates (a public key embedded and signed by a Certificate Authority).
  • Clients encrypt data using a server's public key for secure transmission.

Digital Signatures

  • Digital signatures are produced with the sender's private key (and verified with the matching public key), proving the message's origin and revealing any modification made after signing.

Virtual Private Networks (VPNs)

  • A VPN creates a secure tunnel through a public network to connect two private networks or a remote host to a local network, employing encryption and authentication.
