Access Control Systems Overview

Questions and Answers

What is the primary purpose of an Access Control List (ACL) in access control systems?

To log all unauthorized access attempts

To authenticate users before access is granted

To define permissions granted to specific subjects for resources (correct)

To create backup copies of resources

Which of the following processes is NOT part of the access control system?

Compilation (correct)

Identification

Authentication

Authorization

What does the principle of 'least privilege' advocate for in access control?

Granting maximum permissions to all users

Automatically granting all sources access by default

Creating unnecessary complexity in permissions management

Providing only the necessary permissions for users to perform their job functions (correct)

In the context of access control, what does 'implicit deny' mean?

Any access request not defined by a rule is automatically denied

Which access control model emphasizes the owner's rights over resource permissions?

Discretionary Access Control (DAC)

What is the primary role of Mandatory Access Control (MAC) in an access control system?

It assigns a security clearance level to each user and resource.

Which of the following is NOT a characteristic of Role-based Access Control (RBAC)?

Access permissions are determined by user identity.

How does continuous authentication enhance security in access control systems?

It verifies users at multiple points during their session.

Which of the following best describes the purpose of accounting in an access control system?

To keep an audit log of user access and actions.

What is the most appropriate use of a Standard User account in Windows?

To limit users to basic activities without risk to system integrity.

What is a significant disadvantage of Single Sign-On (SSO)?

Compromising one account can lead to multiple service compromises.

Which method is NOT a type of encryption mentioned in the content?

Elliptic Curve encryption

What is the main challenge associated with symmetric encryption?

Secure distribution and storage of the secret key.

How does asymmetric encryption primarily enhance security during communication?

By using a public key that cannot decrypt the message it encrypts.

Which type of encryption is described as being faster but less complex than asymmetric encryption?

Symmetric encryption

What is the role of a Certificate Authority (CA) in Public Key Infrastructure (PKI)?

To issue digital certificates that validate users or servers.

What primary benefit does using encryption provide for information traveling over public networks?

It keeps the data private, preventing unauthorized understanding.

Which authentication factor is most susceptible to loss and theft?

Something you have

What is a primary drawback of using biometric authentication?

It can lead to high error rates.

Why is multifactor authentication considered stronger than single-factor authentication?

It combines multiple forms of authentication data.

Which method is NOT typically classified as an authentication factor?

Something you feel

What is a potential drawback of location-based authentication?

It can be easily manipulated.

What type of data is primarily used in personally identifiable information (PII) for authentication?

Responses to challenge questions.

Which authentication method combines a hardware token with a PIN code?

Something you have

Which of the following is a feature of Windows Hello?

It supports biometric authentication.

Study Notes

Access Control Systems

• Access control systems manage subject-object interactions. Subjects are users, processes, or anything needing access. Objects are resources like networks, servers, and files.
• Access Control Lists (ACLs) detail subjects and their permissions on objects.
• Access control systems involve four key processes:
  • Identification: Creating user or process IDs.
  • Authentication: Verifying subject identity.
  • Authorization: Defining and enforcing subject permissions on resources.
  • Accounting: Tracking resource usage.

Least Privilege and Implicit Deny

• Least privilege limits permissions to only what users need for job functions, reducing misuse risk.
• Implicit deny relies on explicit authorization for access, denying any request not explicitly permitted. This model is common in firewall rules.

Authorization Access Models

• Discretionary Access Control (DAC): Resource owners control access, granting permissions to others.
• Role-Based Access Control (RBAC): Uses predefined roles and assigns users to those roles to manage access efficiently.
• Mandatory Access Control (MAC): Uses security clearance levels (labels) for restricted access based on hierarchical trust. A user can only access objects at their clearance level or below.
• Rule-based Access Control: Policies based on system-enforced rules, such as RBAC and MAC, are examples. Continuous authentication (e.g., Windows UAC) adds an extra layer of security by requiring confirmation for privileged actions.

Accounting and Non-repudiation

• Accounting logs user authentication and access, providing an audit trail for authorized and unauthorized actions.
• Logging is part of enforcing non-repudiation (the user cannot deny actions).
• Non-repudiation is established through various mechanisms:
  • Video surveillance
  • Biometrics (strong authentication)
  • Signatures
  • Receipts

User Account Types

• User accounts validate user identity during login.
• Default Windows user accounts:
  • Administrator: Full control, disabled by default, strong password required.
  • Guest: Disabled by default.
  • User Accounts created during setup: Local or Microsoft account, Admin privileges by default.

Group Accounts

• Group accounts simplify administration, assigning permissions to groups and enabling inheritance to users.
• Windows default groups:
  • Administrators: Full control, used sparingly.
  • Standard Users: Basic functions, restricted admin privileges.
• Workgroups have limited group accounts.

Authentication Factors

• Authentication ensures accounts are used only by their proper holders.
• Authentication factors:
  • Something you know (passwords, PINs, etc.)
  • Something you have (smart cards, tokens)
  • Something you are (biometrics)

Password Cracking and Management

• "Something you know" authentication is prone to password attacks.
• Cracking methods:
  • Dictionary attacks (using common words)
  • Brute-force attacks (trying all possible combinations)
• Password best practices:
  • Length (longer is better)
  • Complexity (avoid simple words, blend upper/lowercase)
  • Memorability (use long phrases with symbols)
  • Confidentiality (don't share or write down)
  • History and expiration (change regularly)
  • Avoid reuse (don't use passwords across sites)

Encryption Types

• Encryption hides information using keys.
• Common terminology:
  • Plain text: Unencrypted data
  • Cipher text: Encrypted data
  • Cipher: Encryption/decryption algorithm
• Encryption types:
  • Symmetric (single key for encryption and decryption); security depends on keeping the key secret.
  • Asymmetric (public and private keys); suitable for authentication and key exchange.
  • Cryptographic hashing (creates short, fixed-length data representations for integrity checks)

Public Key Infrastructure (PKI)

• PKI authenticates subjects on public networks using digital certificates (a public key embedded and signed by a Certificate Authority).
• Clients encrypt data using a server's public key for secure transmission.

Digital Signatures

• Digital signatures use private keys to encrypt messages, proving their origin and preventing modification.

Virtual Private Networks (VPNs)

• A VPN creates a secure tunnel through a public network to connect two private networks or a remote host to a local network, employing encryption and authentication.

Description

Explore the essentials of access control systems, including the key processes of identification, authentication, authorization, and accounting. Understand the concepts of least privilege and implicit deny, as well as various authorization access models such as DAC. This quiz is perfect for those looking to deepen their knowledge in security and resource management.