Week 2 Flashcards
(20 cards)
What are the three main authentication factors?
Something you know; Something you have; Something you are
Give an example of each authentication factor.
Know: Password/PIN; Have: Smart card/Token;
Are: Fingerprint/Iris scan
List two common password vulnerabilities.
Too short or dictionary words; Written down and reused across systems.
What is social engineering in the context of passwords?
Manipulating people into revealing a password (e.g., phishing)
How does locking out after three failed password attempts protect - and harm - security?
Prevents guessing attacks but can enable denial-of-service by lockout.
Name two recommendations from NCSC’s password guidance.
Reduce reliance on user recall; Implement technical solutions (e.g. password managers)
Define “Authentication” vs “Authorization”.
Authentication: Verifying the claimed identity;
Authorization: Granting access rights based on that identity
What does “Accounting” ensure in access control?
That user activities can be tracked back to them
Describe "Mandatory Access Control (MAC)".
OS-enforced policy using security labels; users cannot override
What is the Discretionary Access Control (DAC) matrix?
Owner-defined rights matrix; often implemented via ACLs or capability lists.
How does a Capability List differ from an Access Control List?
Capability list attaches rights to subjects (rows); ACL attaches rights to objects (columns).
Summarize the Bell-LaPadula model.
“No read up, no write down” for confidentiality enforcement.
Summarize the Biba integrity model.
“No write up, no read down” to prevent integrity violations.
What does the Clark-Wilson model enforce?
Separation of duties and well-defined transactions to maintain internal & external consistency.
Define Role-Based Access Control (RBAC).
Permissions assigned to roles; users acquire permissions by role membership.
How does Attribute-Based Access Control (ABAC) extend RBAC?
Uses arbitrary user, resource, and environment attributes rather than just roles.
What requirements must a biometric trait meet?
Universality; Distinctiveness; Persistence; Collectability; Performance; Acceptability; Resistance to Circumvention
Explain False Accept Rate (FAR) and False Reject Rate (FRR).
FAR: % of impostors accepted;
FRR: % of genuine users rejected
Why must privileged (sysadmin) access be tightly controlled?
Privileged accounts can modify system, erase logs, grant rights - high risk of misuse or error.
What are the four access control fundamentals?
Identity; Authentication; Authorization; Accounting (plus Audit & Compliance)