Flashcards in Access Control Deck (231)
Is an active entity (individual or process) a subject or object?
Subject (the entity that requests access to an object)
Is a passive entity (system or process) a subject or an object?
Object (the entity being accessed, e.g. a file, database or system)
Which type of control is used to reduce risk?
(Preventative, deterrent, corrective, recovery, detective, compensating, directive)
Preventative
Which type of control identifies violations and incidents?
(Preventative, corrective, detective, compensating, recovery, deterrent, directive)
Detective
Which type of control is used for remediating violations and incidents and improving preventative and detective controls?
(Preventative, detective, deterrent, corrective, compensating, recovery, directive)
Corrective
Which type of control is used for discouraging violations?
(Preventative, corrective, deterrent, recovery, detective, compensating, directive)
Deterrent
Which type of control is used for restoring systems and information?
(Preventative, detective, deterrent, corrective, recovery, compensating, directive)
Recovery
Which of these determines whether a subject can log in?
(Authentication, Authorisation, Accountability)
Authentication (verifying the claimed identity of the subject)
Which type of control provides alternative ways of achieving a task?
(Preventative, corrective, recovery, compensating, detective, deterrent, directive)
Compensating
Which of these determines what a subject can do, i.e. its access rights and permissions? (Authentication, authorisation, accountability)
Authorisation (or establishment)
What is non-repudiation?
It means that a user can't deny an action because their identity is positively associated with their actions
Which of these determines what a subject did?
(Authorisation, authentication, accountability)
Accountability (audit trails and logging that tie actions to an identity)
For the CISSP exam, is an ATM card considered 2FA?
Yes: the card is something you have and the PIN is something you know
How long does a password have to be for Windows not to store its LM hash in AD or the local SAM (Security Account Manager)?
15 characters or longer (the weak LM hash is only generated for passwords of 14 characters or fewer; the NT hash is still stored)
Biometrics: what is a one-to-one search?
Verification: a claimed identity is matched against that identity's single stored template
Biometrics: what is a one-to-many search?
Identification: a captured sample is matched against a whole database of stored templates to find who it belongs to
In which type of authentication system is a false reject rate (type I error) used?
Biometric systems
Note for exam: is biometric authentication on its own considered 2FA?
No. A biometric is a single factor (something you are); it only becomes 2FA when combined with another factor such as a PIN or token
What is a false reject rate (FRR) or type 1 error?
The percentage of authorised users to whom a system incorrectly denies access
What is a false accept rate (FAR) or type 2 error?
The percentage of unauthorised users to whom the system incorrectly grants access
In biometrics what is the crossover error rate (CER)?
The point at which the false accept rate equals the false reject rate
Which of these is considered the most important in biometric system accuracy? (False accept rate, false reject rate, crossover error rate)
Crossover error rate
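The FRR, FAR and CER cards above are easier to remember once you have computed them. The following is an added worked example, not part of the original flashcard deck: it computes FRR and FAR for a sweep of accept thresholds over constructed matcher scores (the scores are made up for illustration, not from any real biometric product) and locates the crossover point where the two rates are equal.

```python
"""Added worked example: FRR, FAR and crossover error rate (CER) for a
biometric matcher.

The similarity scores below are constructed for illustration only; they
are not measurements from any real system. A higher score means the
captured sample is more similar to the stored template.
"""

# Constructed scores (0..100) from a hypothetical matcher.
GENUINE_SCORES = [88, 92, 75, 81, 95, 68, 84, 90, 79, 86]   # real users vs their own template
IMPOSTOR_SCORES = [42, 55, 61, 38, 70, 49, 66, 30, 58, 73]  # impostors vs someone else's template


def frr(genuine, threshold):
    """False reject rate (type I error): fraction of genuine attempts whose
    score falls below the accept threshold and are wrongly denied."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """False accept rate (type II error): fraction of impostor attempts whose
    score reaches the accept threshold and are wrongly granted access."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, thresholds):
    """Sweep the accept threshold and return (threshold, FRR, FAR) rows.
    Raising the threshold lowers FAR but raises FRR, and vice versa."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """Return (threshold, CER): the threshold where FRR and FAR are closest
    and the error rate at that point (mean of the two, which equals both
    when they cross exactly on a sampled threshold)."""
    rows = error_rates(genuine, impostor, thresholds)
    t, fr, fa = min(rows, key=lambda row: abs(row[1] - row[2]))
    return t, (fr + fa) / 2


def meets_accuracy_standard(cer, limit=0.10):
    """The deck's 'generally accepted' accuracy standard: CER below 10%."""
    return cer < limit


if __name__ == "__main__":
    for t, fr, fa in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 81, 2)):
        print(f"threshold={t:3d}  FRR={fr:.2f}  FAR={fa:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101))
    print(f"CER={cer:.2f} at threshold {t}; meets <10% standard: {meets_accuracy_standard(cer)}")
```

With these constructed scores the rates cross at a threshold of 71, where both FRR and FAR are 0.10, so the system sits exactly at the 10% boundary rather than below it. The sweep also shows the trade-off the cards describe: a stricter threshold pushes FAR towards zero at the cost of rejecting more legitimate users.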
CISSP answer: what is the most common difficulty about implementing a biometric system?
Generally accepted standards for biometric systems
Accuracy = crossover error rate less than 10%
Speed = 5 seconds
Throughput = 6 to 10 per minute
Enrolment time = less than 2 mins
What is the difference between a finger scan system and a fingerprint system?
Finger scan systems don't store an image of the fingerprint, but rather a digitised file (template) describing its unique characteristics
What are the two benefits of a finger scan system over a fingerprint system?
- Less storage and processing resources
- Greater user acceptance, since no image of the fingerprint is stored (fewer privacy concerns)
What is a hand geometry system?
A digitised image recording the length, width, height and other unique characteristics of the hand and fingers
Biometrics: what is the difference between a retina pattern and an iris pattern?
A retina pattern records the unique pattern of the blood vessels at the back of the eye
An iris pattern records the unique patterns of the coloured portion of the eye surrounding the pupil
What is the most secure biometric system?
(Fingerprint/scan, hand geometry, iris pattern, retina pattern, signature, voice recognition, keystroke dynamics)