Chapter 14: Controlling and Monitoring Access

Question 1

1. What are Permissions?

Answer 1

Permissions refer to the access granted for an object and determine what you can do with it

Question 2

2. What are Rights?

Answer 2

Rights refers to the ability to take an action on an object.

Question 3

3. What are Privileges?

Answer 3

Privileges are the combination of rights and permissions.

4.

Question 4

What is implicit deny?

Answer 4

Implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to the subject.

Question 5

5. What is Access Control Matrix?

Answer 5

Access control matrix is a table that includes subjects, objects and assigned privileges.

Question 6

6. What are capability tables?

Answer 6

capability tables are subject focused and identify objects that subjects can access.

Question 7

7. What is constrained interface?

Answer 7

constrained interface are used by applications to restrict what users can do or see based on their privileges.

Question 8

8. What are Content -Dependent Control? Content

Answer 8

Content-Dependent access controls restrict access to data based on the content within an object.

Question 9

9. What are Context-Dependent Control?

Answer 9

Context-dependent access control require a specific activity before granting access.

Question 10

10. What is need to know?

Answer 10

Need to know principle ensures hat subjects are granted access only to what they need to know for their work tasks and job functions.

Question 11

11. What is the difference between least privilege and need to know?

Answer 11

least privilege will include the right to take action on a system.

Question 12

12. What is separation of duties?

Answer 12

separation of duties and responsibilities principle ensures that sensitive functions are split into tasks performed by 2 or more employees

Question 13

13. What is a security policy?

Answer 13

A security Policy is a document that defines the security requirements of an organisation. It identifies assets that need protection and the extent to which security solutions should go to protect them. It provides an overview of the company’s security needs.

Question 14

14. What is Discretionary Access Control?

Answer 14

Discretionary Access Control means that every object has an owner and the owner can grant or deny access to any other subjects. e.g. New Technology File System (NTFS)

• A DAC model is implemented using access control lists (ACLs) on objects.

Question 15

15. What is Role Based Access Control?

Answer 15

Role based Access Control (RBAC) means that user accounts are placed in roles and administrators assign permissions privileges to the roles.

Question 16

16. What is the key characteristic of Rule Based Access Control?

Answer 16

Rule Based Access Control model applies global rules that apply to all subjects.

Question 17

17. What are rules in Rule based access control?

Answer 17

restrictions or filters

Question 18

18. What are Attribute Based Access Control?

Answer 18

Attribute Based Access Control (ABAC) model use rules that can include multiple attributes.

Question 19

19. What is Mandatory Access Control?

Answer 19

Mandatory Access Control models applies the use of labels to both subjects and objects. The MAC model is prohibitive rather than permissive, and it uses an implicit deny philosophy. The MAC model is more secure than the DAC model, but it isn’t as flexible or scalable.

Question 20

20. What are non-discretionary access controls? Administrators

Answer 20

Administrators centrally administer non discretionary access control.

Question 21

21. What is Attribute Based Access Control?

Answer 21

Attribute Based Access Control (ABAC) is an advanced implementation of rule based access control. ABAC models use policies that include multiple attributes for rules. e.g. attributes may be group membership, department, devices etc.

Question 22

22. List and describe the 3 types of MAC Model environments:

Answer 22

• Hierarchial Environment: relates to various classification labels in an ordered structure from low security to medium security to high security.
• Compartmentalized environment: there is no relationship between one security domain and the other.
• Hybrid Environment: Combines both hierarchical and compartmentalized concepts so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain.

Question 23

23. What is Advanced Persistent Threat?

Answer 23

Advanced Persistent Threat (APT) is a group of attackers who are working together and highly motivated, skilled and patient. They have advanced knowledge and a wide range of skills to detect and exploit vulnerabilities. Nation states (governments) typically fund APTs, they can also be funded by criminal gangs.

Question 24

24. Discuss the threat model approaches:

Answer 24

• Focused on Assets: This method uses asset valuation results and attempts to identify threats to the valuable assets.
• Focused on Attackers: some organisations focus on the attackers and then identify the threats they represent based on the attacker’s goals.
• Focused on Software: if an organisation develops software, it can consider potential threats against the software.

Question 25

25. What is the weakest form of authentication?

Answer 25

Password

Question 26

26. What is password attack?

Answer 26

an attack on passwords or attacker may try to have access to a password and then use the access to launch an attack.

Question 27

27. List some password attacks:

Answer 27

Dictionary Attack, Brute Force Attack.

Question 28

28. What is Dictionary Attack?

Answer 28

A dictionary attack is an attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

Question 29

29. What is Brute Force Attack?

Answer 29

Brute Force Attack is an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers and symbols. Many attackers are using graphic processing units (GPUs) in brute-force attacks.

Question 30

30. What is hybrid attack?

Answer 30

Hybrid attack attempts a dictionary attack and then performs a type of brute force attack with one upped construction password

Question 31

31. What is a rainbow table?

Answer 31

Involves a large database of precomputed hashes. attackers guess a password with either dictionary attack or brute force attack, hash it and the put both the hashed password and the hash of the guessed password into the rainbow table

Question 32

32. To reduce the effect of rainbow tables____ passwords:

Answer 32

salt

Question 33

33. List 2 algorithms used to salt passwords:

Answer 33

bcrypt and Password Based Key Derivation Function 2 (PBKDF2)

Question 34

34. What is pepper?

Answer 34

Pepper is a large constant number stored elsewhere. Adding pepper to salted passwords increase security

Question 35

35. what are sniffer attacks?

Answer 35

Sniffing captures packets sent over a network with the intent of analysing the packets. A sniffer (also called a packet analyzer or protocol analyzer) is a software application that captures traffic traveling over the network. • A sniffer attack (also called a snooping attack or eavesdropping attack) occurs when an attacker uses a sniffer to capture information transmitted over a network. They can capture and read any data sent over a network in clear text, including passwords.

Question 36

36. What are ways to prevent sniffing attacks?

Answer 36

Encrypt all sensitive data (including passwords) • use onetime passwords when encryption is not feasible • protect network devices with physical security • monitor the network for signatures from sniffers. e..g. Intrusion

Question 37

37. What is Spoofing?

Answer 37

Spoofing (aka Masquerading) is pretending to be something or someone else.

Question 38

38. What is email spoofing?

Answer 38

email spoofing occurs when spammers spoof the email address in the from field to make the email appear to come from another source. e.g phishing

Question 39

39. What is phone number spoofing?

Answer 39

Caller ID services allow users to identify the phone number of the caller. Phone number spoofing allows a caller to replace this number with another one, which is a common technique on Voice over Internet Protocol (VoIP) systems.

Question 40

40. What is social engineering?

Answer 40

Social Engineering occurs when an attacker attempts to gain the trust of someone using deceit such as false flattery or impersonation or by using conniving behaviour.

Question 41

41. What is Shoulder Surfing?

Answer 41

Shoulder Surfing involves a social engineer that attempts to look over the shoulder of an individual to read the computer screen or watch the keyboard as the user types.

Question 42

42. What is Phishing?

Answer 42

Phishing is a form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link. The goal of sending a phishing email may be to install malware on user systems or steals PII or cardholder details

Question 43

43. What is drive by download?

Answer 43

Drive-by download installs itself on without the user’s knowledge when the user visits a website. Drive by downloads take advantage of vulnerabilities in browsers or plug-ins.

Question 44

44. What is Ransomware?

Answer 44

Ransomware is a malware that takes control of a user’s system and data and blocks the user’s access until the user pays a fee or ransom.

Question 45

45. What is Spear phishing?

Answer 45

Spear phishing is a form of phishing targeted to a specific group of users.

Question 46

46. What is Zero day vulnerability?

Answer 46

Zero day vulnerability is one that application vendors either do not know about or have not released a patch to remove the vulnerability.

Question 47

47. What is Whaling?

Answer 47

Whaling is a variant of phishing that targets senior or high level executives such as CEOs and presidents of a company

Question 48

48. What is Vishing?

Answer 48

Vishing is the use fraudulent phone numbers, voice-altering software, text messages, VoIP, or social engineering to trick users into divulging sensitive information. Vishing attacks commonly spoof the caller ID number to impersonate a valid bank or financial institution.

Question 49

49. Example of a smartcard attack?

Answer 49

Side-channel attack is a passive, non-invasive attack intended to observe the operation of a device.

Question 50

a

Answer 50

a

Question 51

a

Answer 51

a

Question 52

a

Answer 52

a

Question 53

a

Answer 53

a

Question 54

a

Answer 54

a