Understanding Access Control

Questions and Answers

Which of the following reflects the primary purpose of access control in information security?

• To prevent unauthorized access to sensitive information and resources while allowing access to authorized users. (correct)
• To create a completely open system environment where all data is freely available to the public.
• To ensure all users have equal access to system resources, promoting collaboration and innovation.
• To maximize system performance by granting unlimited access to all processes and data.

If a system administrator implements a security measure that requires users to enter a password and then receive a verification code on their mobile device to gain access, which key security concept is being applied?

• Auditing, as the system is tracking user activity.
• Authorization, as the system is determining what the user is allowed to access.
• Enforcement, as the system is ensuring rules are followed by requiring additional steps.
• Authentication, as the system is verifying the user's identity through multiple factors. (correct)

A company decides to implement biometric scanners to control physical access to its server room. Which type of access control is being utilized?

• Physical access control, as it secures physical spaces. (correct)
• Network access control, as it restricts access to the company's network.
• Logical access control, as it involves the use of digital data.
• Administrative access control, as it is concerned with policy implementation.

Which of the following scenarios best illustrates the application of the 'least privilege' principle within the context of access control?

Ensuring users have only the necessary permissions required to perform their specific job duties, nothing more. (C)

In a scenario where a user's identity is confirmed using a username and password, followed by a fingerprint scan, which two key elements of access control are being applied?

Identification and authentication. (B)

A company implements a system that records all instances of users accessing sensitive files, noting the time, user ID, and files accessed. Which element of access control is primarily addressed by this practice?

Auditing, which provides a record of system activities for tracking and analysis. (D)

When a system administrator reviews logs to identify unusual access patterns and potential security breaches, which key element of access control is being applied?

Accounting, which reviews logs for security issues. (D)

Which access control technology is most directly involved in confirming a user's asserted identity using a password and a biometric scan?

Authentication, as it verifies the user's identity. (D)

An organization uses digital certificates to verify the identity of its employees when they access the company's network. Which access control technology is being employed?

Authentication, as it confirms the users' identities. (C)

A network administrator wants to implement a system that centrally manages user authentication and authorization for all applications within the organization. Which technology would be most suitable?

Active Directory, as it controls user identities and permissions in a network. (C)

An organization requires employees to use a password, along with a code generated by a mobile app, to access sensitive data. What type of authentication method is being employed?

Multi-factor authentication (MFA). (D)

A security system uses fingerprints and facial recognition to verify a user’s identity. Which authentication method is being employed?

Something you are. (B)

A user gains unauthorized access to a company's database by exploiting a vulnerability in the system's security. According to the D.A.D. Triad, which threat model is exemplified by this scenario?

Disclosure, as the data is accessed without permission. (C)

An attacker modifies critical financial records in a company's database without authorization. Which element of the D.A.D. Triad is exemplified by this scenario?

Alteration, which involves unauthorized modification of data. (C)

A company's website is flooded with traffic from multiple sources, causing it to become inaccessible to legitimate users. Which cybersecurity threat is being described?

Denial-of-service (DoS) attack. (B)

An employee is tricked into revealing their login credentials through a fraudulent email that appears to be from a trusted source. What type of cybersecurity threat is this?

Phishing. (B)

Which of the following strategies is most effective in preventing unauthorized access to sensitive data?

Enabling multi-factor authentication and using strong, unique passwords. (C)

A company outsources its security monitoring to a third-party provider located in another country. Which risk management strategy is being employed?

Transferal. (A)

An organization decides to continue using a legacy system despite knowing it has vulnerabilities because the cost of upgrading is too high and the likelihood of exploitation is deemed low. Which risk management strategy is being employed?

Acceptance. (C)

A hacker illegally gains access to a company's systems with the intent to steal sensitive customer data for financial gain. Which type of attacker is being described?

Black hat hacker. (B)

What distinguishes a 'cracker' from other types of hackers?

Crackers illegally break into systems. (C)

If someone uses pre-made tools to launch a denial-of-service attack without a deep understanding of the underlying systems, what type of attacker are they?

Script kiddie. (C)

A group of hackers targets a company's systems to disrupt their operations due to the company's political stance on a controversial issue. What type of attacker are these hackers?

Hacktivists. (C)

Which type of law is most directly concerned with protecting inventions for a limited time period?

Patent law. (B)

Which legal framework primarily focuses on protecting personal data and requires companies to be transparent about data collection and usage?

Under what circumstance might a company intentionally choose to 'accept' a known security risk?

When the cost of implementing a security control exceeds the potential impact of the risk, and the likelihood of exploitation is minimal. (D)

What is the most accurate description of the difference between 'identification' and 'authentication' in access control?

Identification is the process of claiming an identity, while authentication is the process of proving that identity. (B)

How do 'soft tokens' and 'hard tokens' differ in the context of authentication methods?

Soft tokens are digital authenticators stored on a device, while hard tokens are physical devices that store authentication credentials. (C)

In the context of access control, what is the primary function of 'auditing'?

To record system activity for tracking and later review, helping identify security incidents and policy violations. (D)

Which of the following scenarios represents an example of 'Single Sign-On' (SSO)?

A user logs in once with their credentials and can access multiple applications without re-authenticating. (C)

Under which circumstances would a company utilize the 'transferal' risk management strategy?

When the company wants to reduce the impact of the risk by purchasing cyber insurance or outsourcing security tasks. (C)

Which scenario describes the D.A.D. Triad element of 'Denial'?

A DDoS attack renders a website inaccessible to legitimate users. (B)

How does the 'Top-Down Approach' differ from the 'Bottom-Up Approach' in security planning?

The Top-Down Approach is led by senior management and aligns with business objectives, while the Bottom-Up Approach is driven by IT staff without central planning. (D)

What is the key differentiator between a 'white hat' hacker and a 'gray hat' hacker?

White hat hackers always seek permission before testing systems, while gray hat hackers may not. (A)

Why is it important for organizations to understand the different types of attackers?

To anticipate attacker motivations, methods, and targets, enabling more effective security strategies and resource allocation. (B)

Which scenario is the best example of 'social engineering'?

An attacker tricks an employee into divulging their login credentials. (A)

What is the most significant benefit of implementing 'Multi-Factor Authentication' (MFA)?

It significantly reduces the likelihood of unauthorized access by requiring multiple verification factors. (A)

Which statement best describes the role of 'LDAP' in access control technologies?

LDAP is a protocol for managing user authentication and authorization within an organization. (B)

What is the primary goal of 'security awareness training'?

To ensure employees understand and recognize cyber threats, promoting a security-conscious culture. (D)

Which of the following accurately describes the relationship between 'negligence' and security?

Ignoring laws can lead to negligence, potentially making companies liable for security failures. (C)

Why should organizations follow legal rules?

Organizations must follow legal rules to avoid fines, lawsuits, and reputational damage. (C)

What does account management do?

Account management consists of organizing user accounts across operating systems, applications, and databases. (A)

Which of the following is the weakest form of authentication?

Something you know (B)

Which of the following is described as how likely and harmful the risk is?

Assess Risks (A)

What is the primary purpose of the Key Distribution Center (KDC) in the Kerberos protocol?

To manage and distribute session keys for secure communications. (A)

Why is 'integrity' considered a critical component of the CIA Triad?

It maintains the accuracy and completeness of data, preventing unauthorized modification or corruption. (A)

Which password type uses single-use authentication codes?

One-Time passwords (OTP) (B)

What is the main intention of a 'cyber terrorist'?

Causing destruction or fear (C)

Which of the following reflects the purpose of logical access control?

Protecting digital data (D)

What is the purpose of a web portal?

Used by organizations to verify users across multiple applications. (D)

What is the primary function of 'enforcement' within the scope of key security concepts?

Ensures rules are followed. (C)

What is the intent of a Black Hat hacker?

Bad hackers who steal data (B)

Regarding authentication, what is something you have?

Smart cards (D)

Which of the following is not a common security threat?

Insider Threats (A)

Enabling Multi-Factor Authentication (MFA) is an example of what?

Best security practices (C)

What category of law covers crimes like hacking and fraud, potentially leading to jail time?

Criminal Law (A)

Which planning level's primary focus is on day-to-day security measures?

Operational (B)

Denial of Service (DoS) attacks relate to which component of the CIA Triad?

Availability (B)

Which of the following roles is responsible for making IT-related decisions within an organization?

CIO (A)

What is the primary focus of the risk management process?

Identifying, assessing, and controlling risks to reduce threats. (D)

After identifying risks, what is the next step in the risk management process?

Assessing risks. (A)

Which of the following best describes the 'least privilege' principle?

Granting users only the minimum necessary access rights required to perform their job duties. (C)

Flashcards

What is Access Control?

Decides who can see or use what in a system, protecting sensitive information.

Authentication

Proving you are who you claim to be (e.g., password, fingerprint).

Authorization

Defining what you are allowed to do (based on rules).

Enforcement

Ensuring access control rules are followed.

Logging

Recording actions for security tracking.

Physical Access Control

Protecting physical spaces with locks, keycards, biometric scanners.

Logical Access Control

Securing digital data with passwords, encryption, and firewalls.

Identification

User claims their identity (e.g., username, ID card).

Auditing

The system records activity for tracking.

Accounting

Reviewing logs to check for security issues.

MAC Address

Unique ID for a device.

IP Address

Shows a device's location in a network.

RFID

Wireless identification via contactless cards.

Single Sign-On (SSO)

One login for multiple applications.

LDAP

Manages user authentication & authorization.

Active Directory (ADDS)

Controls user identities in a network.

Single-Factor Authentication (SFA)

Uses one authentication method (e.g., password).

Multi-Factor Authentication (MFA)

Uses multiple authentication methods (e.g., password + fingerprint).

Soft Tokens

Digital authentication stored on a device.

Hard Tokens

Physical devices for security.

Biometrics

Uses physical traits for authentication.

Kerberos

A security system handling authentication, authorization, and auditing.

Web Portal Access Control

Organizations using web portals to verify users across multiple applications.

Hacker

A tech expert who explores computer systems.

Cracker

A hacker who illegally breaks into systems.

Black Hat Hackers

Bad hackers who steal or harm systems.

White Hat Hackers

Good hackers who help secure systems.

Script Kiddies

New hackers using pre-made tools.

Hacktivists

Hackers attacking for political reasons.

Stealing Data

Taking private or company info.

Denial of Service (DoS)

Making websites crash.

Credential Verification

The system checks provided credentials.

Validation

If valid, access is granted.

Static Passwords

User-generated, reusable passwords.

Soft Tokens

Software-based authentication requiring activation.

What is Information Security?

Protecting data from being stolen, changed, or destroyed.

Confidentiality

Keeping data private and only accessible to the right people.

Integrity

Making sure data stays correct and unaltered.

Availability

Ensuring data is accessible when needed.

Malware

Harmful programs like viruses and ransomware.

Study Notes

• Access control determines who can access what within a system.
• It protects sensitive information by allowing access to only authorized users.

Key Security Concepts

• Authentication proves identity using methods like passwords or fingerprints.
• Authorization defines permissible actions based on established rules.
• Enforcement ensures rules are followed using firewalls and security tools.
• Logging records actions for security tracking through audit logs.

Types of Access Control

• Physical access control protects physical spaces via locks and biometric scanners.
• Logical access control protects digital data using passwords, encryption, and firewalls.

Protecting Facilities & IT Resources

• Physical security measures include gates, security guards, and electronic locks.
• Logical security uses strong passwords, encryption, and monitoring tools.

Five Key Elements of Access Control

• Identification involves a user claiming an identity with a username.
• Authentication is a user proving their identity, like with a password.
• Authorization lets the system decide what the user can access.
• Auditing tracks system activity.
• Accounting reviews logs for security issues.

Identification, Authentication, and Authorization

• Identification verifies an identity using user IDs or digital IDs.
• Authentication confirms identity using passwords or biometrics.
• Authorization determines access permissions.

Access Control Technologies - Identification Methods

• Identification methods include User IDs, Account Numbers, PINs, Digital IDs, and Access Badges.

Network Identification

• A MAC Address is a unique identifier for a device.
• An IP Address shows a device's network location.
• RFID enables wireless identification with contactless cards.

Identity Management

• Password Management enforces creating strong passwords.
• Account Management organizes user accounts across systems.
• Profile Management stores user information.
• Single Sign-On (SSO) allows users to log in once for multiple apps.

Directory Services

• LDAP manages user authentication and authorization.
• Active Directory (ADDS) controls user identities in a network.

Authentication Methods

• Single-Factor Authentication (SFA) uses one method like a password.
• Multi-Factor Authentication (MFA) uses multiple methods like a password and a fingerprint.
• Soft Tokens are digital authentications stored on a device.
• Hard Tokens are physical devices used for security.
• Biometrics uses physical traits like fingerprints or face scans.

Security Frameworks

• Kerberos is a security system that handles authentication, authorization, auditing, and secure login management with a Key Distribution Center.

Web Portal Access Control

• Web portals are used by organizations to verify users across multiple applications.

Attacker Profiles - Types of Attackers

• A hacker is a tech expert exploring computer systems.
• A cracker illegally breaks into systems.

Types of Hackers

• Black Hat Hackers steal or harm systems.
• White Hat hackers help secure systems.
• Gray Hat hackers do not always follow the rules but don't intend to cause harm.

Common Hacker Types

• Script kiddies use pre-made tools.
• Hacktivists launch attacks for political reasons.
• State-Sponsored Hackers work for governments.
• Cyber terrorists aim to cause destruction or fear.

Why Hackers Attack

• Stealing Data is taking private or company information.
• Denial of Service (DoS) crashes websites.
• Taking Over Systems gains full control of networks.
• Money Fraud involves stealing financial details.

Authentication Process

• Identification occurs when a user claims an identity.
• Credential verification happens when the system checks credentials.
• Validation grants access if credentials are valid.

Authentication Factors

• Type I: Something You Know includes passwords and security questions. It's the weakest form.
• Type II: Something You Have involves smart cards, security tokens, and OTPs.
• Type III: Something You Are uses biometrics like fingerprint or face recognition.
• Type IV: Someplace You Are uses geo-location.

Password Types

• Static Passwords are user-generated and reusable.
• Passphrases are long passwords using phrases.
• One-Time Passwords (OTP) are single-use.
• Dynamic Passwords regularly change.

Tokens & Biometrics

• Soft Tokens are software-based, needing activation.
• Hard Tokens are physical devices storing credentials.
• Biometric Authentication utilizes unique biological features.

Multi-Factor Authentication (MFA)

• MFA uses at least two authentication factors for enhanced security.

Information Security

• Information Security protects data from being stolen, changed, or destroyed.

C.I.A. Triad

• Confidentiality keeps data private and accessible to the right people.
• Integrity ensures data remains correct and unaltered.
• Availability ensures data is accessible when needed.

Common Security Threats

• Malware includes harmful programs like viruses.
• Social Engineering is phishing to steal data.
• Insider Threats are employees misusing access.
• Denial-of-Service (DoS) Attacks overload systems and make them unusable.

Data Protection

• Encryption converts data into a code.
• Access Control limits who can see or change data.
• Backups keep copies of important data.
• Security Training teaches people how to avoid cyber threats.

Security Models

• The D.A.D. Triad (Threat Model) includes disclosure, alteration, and denial.

Best Security Practices

• Use Strong Passwords, not simple or common ones.
• Enable Multi-Factor Authentication (MFA).
• Keep Software Updated.
• Monitor Network Activity.

Why Security Laws are Important

• Organizations must follow legal rules to avoid fines, lawsuits, and reputational damage; ignoring laws leads to negligence.

Major Legal Systems

• Civil Law uses written laws.
• Common Law uses past cases as guides.
• Religious & Customary Law is based on religious texts or traditions.

Types of Laws in Security

• Criminal Law covers crimes like hacking.
• Civil Law handles lawsuits.
• Administrative Law covers government rules.

Intellectual Property Laws

• Trademark protects brand names and logos.
• Patent protects inventions for about 20 years.
• Copyright protects creative works.

Privacy Laws

• GDPR (Europe) protects personal data.
• Data Privacy Act (Philippines) protects private information.

Security Planning

• Security planning is important, it protects sensitive business data, it helps prepare for cyber threats, an ensures legal compliance.

Levels of Planning

• Strategic (5+ years) involves a long-term security strategy.
• Tactical (1-3 years) involves strategies that breaks big goals into smaller tasks.
• Operational (Daily Tasks) focuses on day-to-day measures.

Roles in Security Planning

• CIO makes IT-related decisions.
• CISO focuses on cybersecurity.
• Managers & Technicians handle operations.

Security Planning Approaches

• The Top-Down Approach involves senior management leading.
• Bottom-Up Approach involves IT staff making improvements without central planning.

Security Awareness Training (SETA Program)

• Security Education covers learning principles.
• Security Training focuses on practicing skills.
• Security Awareness works to recognize cyber threats.

Risk Management

• Risk is the chance of something bad happening.

Risk Management Steps

• Identify Risks involves finding weak points.
• Assess Risks involves checking how likely and harmful the risk is.
• Control Risks involves taking steps to reduce threats.

Ways to Handle Risks

• Defense means using strong security measures.
• Transferal involves buying cyber insurance or outsourcing.
• Mitigation involves creating backup plans.
• Acceptance means doing nothing if the risk is low.
• Termination involves removing the risky asset.

Common Cyber Attacks

• Phishing tricks people into giving passwords.
• Malware consists of viruses and spyware.
• DDoS overloads websites.
• Social Engineering manipulates people to gain access.

Hacker Categorization

• Black Hat hackers steal data.
• White Hat hackers improve security.
• Gray Hat hackers break rules but don't intend harm.

Attack Protection

• Use multi-factor authentication and strong passwords.
• Keep software updated.
• Train employees to spot phishing emails and scams.