Access Control Flashcards
Provide an example of a “Subject” and an example of an “Object”
Subject - Anything operating on something else
Object - The thing being operated on
Definition of Access Control
Any hardware, software, administration, or process that performs the following tasks:
- Identifies users or subjects attempting to access resources
- Determines if access is authorized
- Grants or restricts access
- Monitors and records access activities
Can a subject be an object and then change repeatedly?
True
Explain Users vs Owners
A user accesses an object, and an owner determines which users can access the object.
There can be only one owner but multiple users.
What is the CIA Triad?
C - Confidentiality… Can we keep the wrong people out?
I - Integrity… ensure only authorized changes occur
A - Availability… Is it available when I need it?
What is the difference between rights and permissions?
Interchangeable… but a permission tends to be a lower-level authorization, and a right tends to be higher level (system wide).
What are privileges?
The combination of rights and permissions (whole assembly).
What are the 7 types of access control?
Preventive - Gates, fences, passwords, biometrics
Detective - log analysis, CCTV (after the fact)
Corrective - Modification after something happened
Deterrent - Policies, signs, etc
Recovery - Repairs/fixes made to recover
Directive - Signs, manuals, supervisors
Compensation - Compensating controls
What are Administrative Controls?
Policies, procedures, hiring practices, etc
What are logical/technical controls?
Hardware or software controls (usernames, passwords or biometrics)
What are Physical Controls?
Things that can be physically interacted with (door locks, mantraps, etc)
What is a defense in depth strategy?
The use of multiple layers (typically three)
- Administrative
- Logical/technical
- Physical
What are the elements of access control?
Authentication - Proof of a claimed identity
Authorization - Subject is granted access to objects based on a proven identity
Accountability - Auditing to track subjects' use of objects
What are the three types of Authentication?
- Something you know (password)
- Something you have (token) (somewhere too)
- Something you are (fingerprints)
Effective accountability relies on which two of the three: Authentication, authorization, identification?
Authorization - We just need to know who they are (reliably) and that they got in appropriately. Logging should cover whether or not it was properly authenticated.
Name several “good” authentication techniques
Passwords, good password selection, password aging, password complexity, password history
Name some examples of cognitive passwords
Date of birth, mother's maiden name, first pet
Are cognitive passwords effective?
Not in the age of social engineering
Explain a synchronous dynamic password token
Device that generates a token at the same time a synchronized server generates the same token. Usually requires a time server to keep the two in sync.
Explain an asynchronous dynamic password token
A token is generated after a password is entered into the device.
Explain a static token
Could be a USB key that is inserted into a computer.
List some biometric controls in order of accuracy
- Retina - Seen as bad because it can display health issues
- Iris - Does not change over time but can be spoofed with a high-quality image
- Fingerprint - Can be spoofed
- Face
- Finger/Palm
- Heart/Pulse
- Voice Pattern - Issues with consistency
- Keystrokes - Not accurate
What is FRR?
False Rejection Rate (false negative)
What is FAR?
False Acceptance Rate (false positive)