Flashcards in Learning: 6.4 Compare and contrast authentication, authorization, accounting, and non-repudiation concepts. Deck (16)
Which non-repudiation mechanism records who goes in or out of a particular area without user interaction?
A video surveillance camera
What information can be used as a response to a security question?
Personally Identifiable Information (PII)
Security questions are used as a password reset mechanism to confirm someone’s identity to reset passwords via the web or by telephone. The answer to a question should be something unique to that person, or Personally Identifiable Information (PII).
Which non-repudiation mechanism can prove that the user was an author of a document?
A physical or digital signature
A physical or digital signature can be used to prove that a user was an author of a document. These are used for many written documents, including emails and source code.
What service must be enabled for you to log on to multiple resources, servers, or sites using a common account and password?
Single Sign On
Single Sign On (SSO) is a feature that allows users to have access to multiple resources, servers, or sites after authenticating just once. This means that each separate system will not ask for the user’s credentials after the user has successfully authenticated.
What is the authorization concept known as implicit deny?
A principle stating that access requires explicit authorization and everything else is rejected
Which non-repudiation mechanism can prove that a person was genuinely operating an account and that it was not hijacked?
A biometric authentication device
A biometric authentication device uses physiological identifiers to prove that a person was genuinely the one operating an account and that the account was not hijacked.
Where does tracking users’ actions fit within the access control system?
It is part of accounting and is required for non-repudiation.
Which of the following describes Discretionary Access Control (DAC)?
An authorization access model that stresses the importance of the owner who has full control over the resource
Which factor of authentication can be stolen and replayed from a remote location?
A software token
Which example uses single-factor authentication?
A website requires a username, a password, and a PIN number.
Single-factor authentication uses only one of the three factors of authentication: something you know, something you have, or something you are. In this example, the username, password, and PIN all belong to the same factor ("something you know"), so the website is using single-factor authentication even though it asks for three values.
How does RSA’s SecurID token provide multi-factor authentication?
It generates a number code synchronized to a code on a server and is combined with a PIN.
A SecurID is a hardware token that generates a number code synchronized to a code on a server; the user enters the code, combined with a PIN, to log on. It is a one-time password that typically changes every 60 seconds.
What is rule-based access control?
An authorization access model in which access is based on policies that are non-discretionary
Rule-based access control is a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users. As such, Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) are both examples of rule-based (or non-discretionary) access control.
What is Role-based Access Control (RBAC)?
An authorization access model that groups users based on administrative or job functions
What is the set of rules that determines what actions you are allowed to perform on a computer and what resources you can access?
Permissions
Permissions are the rules that determine what a user on a computer or a network is allowed to do and what resources the user is allowed to access. Each user is uniquely identified by a user account and is assigned a set of permissions.
Which of the following describes Mandatory Access Control (MAC)?
An authorization access model that has security clearance levels or compartments
The Mandatory Access Control (MAC) model uses security clearance levels (in a hierarchical model) or compartments (in a domain-based model). Each subject and each object is assigned a clearance level, referred to as a label; a subject is given access to objects at its own level and all levels below, or, in the domain-based model, to objects that belong to the same compartment.