Computer Security Chapter 4 Access Control Definitions Quiz

Questions and Answers

What principle should be employed to reduce the risk of malevolent activity without collusion?

Principle of equal privilege

Principle of most privilege

Principle of least privilege (correct)

Principle of random privilege

What function should non-privileged accounts or roles be used for?

Accessing non-security functions (correct)

Accessing privileged functions

Executing administrative commands

Accessing sensitive data

What is the purpose of limiting unsuccessful logon attempts?

Preventing unauthorized access (correct)

Facilitating multiple login attempts

Enhancing user convenience

Providing administrative access

What is the purpose of encrypting CUI on mobile devices?

Protecting sensitive information

Which cryptographic mechanisms should be employed to protect the confidentiality of remote access sessions?

Symmetric-key encryption

What does NISTIR 7298 define access control as?

The process of granting or denying specific requests to obtain and use information and related information processing services

According to RFC 4949, what does access control regulate?

Use of system resources according to a security policy

According to SP 800-171, what is one of the basic security requirements for access control?

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices

What is the main focus of access control according to NISTIR 7298?

Limiting access to authorized users only

According to RFC 4949, who are the authorized entities for using system resources?

Authorized users, programs, processes, and other systems

Study Notes

Reducing Malevolent Activity

• Principle of separation of duties should be employed to reduce the risk of malevolent activity without collusion.

Account Usage

• Non-privileged accounts or roles should be used for performing routine, daily tasks.

Logon Attempts

• Limiting unsuccessful logon attempts is done to prevent brute-force attacks and to reduce the risk of unauthorized access.

Protecting CUI

• Encrypting CUI (Controlled Unclassified Information) on mobile devices is done to protect the confidentiality of sensitive information.

Cryptographic Mechanisms

• Cryptographic mechanisms such as SSL/TLS and IPSec should be employed to protect the confidentiality of remote access sessions.

Access Control Definition

• NISTIR 7298 defines access control as the process of granting or denying access to a resource based on a user's identity, authentication, and authorization.

Access Control Regulation

• According to RFC 4949, access control regulates the access of subjects to objects, ensuring that only authorized entities have access to the resources they need.

Basic Security Requirements

• One of the basic security requirements for access control according to SP 800-171 is to limit access to authorized personnel, ensuring that only those with a legitimate need have access to sensitive resources.

Access Control Focus

• The main focus of access control according to NISTIR 7298 is to ensure that access to resources is restricted to authorized individuals, entities, or systems.

Authorized Entities

• According to RFC 4949, authorized entities are individuals, systems, or processes that have been granted access to system resources based on their identity, authentication, and authorization.

Description

Test your understanding of access control definitions as explained in Chapter 4 of 'Computer Security: Principles and Practice Fourth Edition'. This quiz covers the process of granting or denying specific requests to obtain and use information, related information processing services, and to enter specific physical facilities.