Access Control

Question 1

Provide an example of a “Subject” and an example of an “Object”

Answer 1

Subject - Anything operating on something else

Object - The thing being operated on

Question 2

Definition of Access Control

Answer 2

Any hardware, software, administration, or process that performs the following tasks:

• Identifies users or subjects attempting to access resources
• Determines if access is authorized
• Grants or restricts access
• Monitors and records access activities

Question 3

Can a subject be an object and then change repeatedly?

Answer 3

True

Question 4

Explain Users vs Owners

Answer 4

User accesses and object and an owner determines which users can access the object.

There can be only one owner but multiple users

Question 5

What is the CIA Triad?

Answer 5

C - Confidentiality… Can we keep the wrong people out?
I - Integrity… ensure only authorized changes occur
A - Availability… Is it available when I need it?

Question 6

What is the difference between rights and permissions?

Answer 6

Interchangeable… but a permission seems to be a lower level authorization and rights tends to be higher level (system wide).

Question 7

What are privileges?

Answer 7

The combination of rights and permissions (whole assembly).

Question 8

What are the 7 types of access control?

Answer 8

Preventive - Gates, fences, passwords, biometrics
Detective - log analysis, CCTV (after the fact)
Corrective - Modification after something happened
Deterrent - Policies, signs, etc
Recovery - Repairs/ fixes made to fix
Directive - Signs, manuals, supervisors
Compensation - Compensating

Question 9

What are Administrative Controls

Answer 9

Policies, procedures, hiring practices, etc

Question 10

What are logical/ technical controls

Answer 10

Hardware or software controls (usernames, passwords or biometrics)

Question 11

What are Physical Controls

Answer 11

This that can be physically interacted with (door locks, mantraps, etc)

Question 12

What is a defense in depth strategy?

Answer 12

The use of multiple layers (typically three)

1. Administrative
2. Logical/ technical
3. Physical

Question 13

What are the elements of access control?

Answer 13

Authentication - Proof of a claimed identify
Authorization - Subject is granted access to objects on a proven identity
Accountability - Auditing to track subjects use of objects

Question 14

What are the three types of Authentication?

Answer 14

1. Something you know (password)
2. Something you have (token) (somewhere too)
3. Something you are (finger prints)

Question 15

Effective accountability relies on which two of the three: Authentication, authorization, identification

Answer 15

Authorization - We just need to know who they are (reliably) and that they got in appropriately. Logging should cover whether or not it was properly authenticated.

Question 16

Name several “good” authentication techniques

Answer 16

Passwords, god password selection, password aging, password complexity, password history

Question 17

Name some examples of cognitive passwords

Answer 17

Date of birth, mothers maiden name, first pet

Question 18

Are cognitive passwords effective?

Answer 18

Not in the age of social engineering

Question 19

Explain a synchronous dynamic password token

Answer 19

Device that generates a token at the same time a synchronized server generates the same token. usually requires a time server to keep the two in sync.

Question 20

Explain an asynchronous dynamic password token

Answer 20

a token is generated after a password is entered into the device.

Question 21

Explain a static token

Answer 21

Could be a USB key that is inserted into a computer.

Question 22

Define some biometric controls based on order of accuracy

Answer 22

Retina - Seen as bad because it can display health issues
Iris - Does not change over time but can be spoofed with high quality image
Fingerprint - Can be spoofed
Face
Finger/ Palm
Heart/ Pulse
Voice Pattern - issues with consistency
Keystrokes - Not accurate

Question 23

What is FRR?

Answer 23

False Rejection Rate(false negative)

Question 24

What is FAR?

Answer 24

False Acceptance rate(False positive)`

Question 25

What is worse (FAR or FRR)

Answer 25

FAR - False Authorization

Question 26

What is CER

Answer 26

Crossover error rate - rate at which the FAR & FRR are balanced.

A higher CER means that the solution is less accurate compared to a system with a lower CER.

Question 27

Explain CER sensitivity

Answer 27

Strategy to dial in the accuracy of biometrics. We may de-tune the system to provide more false rejections. This means we do not mind annoying people.

Question 28

What is multi factor authentication?

Answer 28

The use of multiple Authentication Types (type1, type 2, type 3).

Question 29

What are the principles of security operations?

Answer 29

Need to Know
Least Privilege
Separation of duties

Question 30

Explain DAC.

Answer 30

Discretionary access controls… Method to allow Object owner the ability to control and define Subject access to the Object.

Question 31

Provide an example of Non-discretionary access

Answer 31

Systems like SAP & Oracle user ND. This is where roles are used that can allow central system-wide changes.

Question 32

Explain rule based access

Answer 32

Rule based systems are appropriate for environments with constant changes to data permissions.

Question 33

Where is lattice based security appropriate?

Answer 33

In an environment where the Object is refined over a period of time and Subject access can change as the Object is refined.

Question 34

Explain Mandatory Access Controls and provide an example.

Answer 34

It employs the use of attributes to define the Object.

Question 35

Name the core elements of Kerberos

Answer 35

Key Distribution Center (KDC)
Kerberos Authentication Server (KAS)
Ticket Granting Ticket (TGT)
Ticket

Question 36

Where is federated SSO used?

Answer 36

When trying to link multiple non related environments/ systems/ companies

Question 37

What are the AAA Protocols

Answer 37

Authentication
Authorization
Accounting

Question 38

When is Radius used?

Answer 38

In connecting external locations via telecom links

Question 39

When is Diameter more appropriate than Radius

Answer 39

In mobile environments

Question 40

Name multiple Authorization Mechanisms

Answer 40

Implicit Deny
Access Control Matrix
Constrained interface

Question 41

What is the Identity & Access Lifecycle

Answer 41

1. Provisioning
2. Regular Review
3. De-provisioning

Question 42

What is the difference between authentication, authorization, and identification?

Answer 42

Subjects claim an identity
Subjects prove their identity via authentication
Subjects interact with Objects via authentication

Question 43

What is SPML

Answer 43

Service Provisioning Markup Language - XML based method of federated SSO.

Question 44

What technology uses software to manage access to resources?

Answer 44

software/ technical.

Question 45

What is NOT needed for system accountability?

Answer 45

Authentication.

Question 46

What is an Access Control List based on?

Answer 46

Subjects

Question 47

What is not needed for SSO?
A. Kerberos
B. Federated Identity
C. TACAS
D. SPML

Answer 47

TACAS