6.1 Access Control Models
How do separation of duties and job rotation differ?
- Separation of duties is the concept of requiring more than one person to complete a task; two operators must review and approve each other's work.
- Job rotation is the practice of cross-training in multiple job positions. Job rotation helps in detecting fraud, allows oversight of past transactions, and serves training purposes.
Subjects
Subjects are users, applications, or processes that need access to objects.
Audit trails produced by auditing activities are which type of security control? - Deterrent - Detective - Directive - Preventative
Detective
Objects
Objects are data, applications, systems, networks, and physical space.
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used? - MAC - DACL - RBAC - DAC
RBAC
Which of the following is an example of rule-based access control? - A subject with a government clearance that allows access to government classification labels of Confidential, Secret, and Top Secret. - A member of the accounting team that is given access to the accounting department documents. - Router access control lists that allow or deny traffic based on the characteristics of an IP packet. - A computer file owner who grants access to the file by adding other users to an access control list.
Router access control lists that allow or deny traffic based on the characteristics of an IP packet.
How are rule-based access control and mandatory access control (MAC) similar?
Rule-based access control can be seen as a form of mandatory access control, since neither considers the identity of the subject.
Access control
Access control is the ability to permit or deny access to resources on a network or computer.
Access control policy
An access control policy defines the steps and measures that are taken to control access to objects.
Access control system
An access control system includes policies, procedures, and technologies that are implemented to control access to objects.
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject? - Mandatory Access Control (MAC) - Role-Based Access Control (RBAC) - Attribute-Based Access Control (ABAC) - Rule-Based Access Control
Attribute-Based Access Control (ABAC)
Auditing
Auditing, also referred to as accounting, is maintaining a record of the activity within the information system.
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources? - Authorization and accounting - Authentication and accounting - Identity proofing and authentication - Authentication and authorization - Identity proofing and authorization
Authentication and authorization
Authentication
Authentication is the process of validating identity. It includes the identification process, a user providing input to prove identity, and the system accepting that input as valid.
Authorization
Authorization is granting or denying access to an object based on the level of permissions or the actions allowed with the object.
You want to implement an access control list in which only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access. Which of the following methods of access control should the access list use? - Implicit allow, implicit deny - Implicit allow, explicit deny - Explicit allow, implicit deny - Explicit allow, explicit deny
Explicit allow, implicit deny
What is access control and why is it important?
Access control is the ability to permit or deny the privileges a user has when accessing resources on a network or computer. It lets you control where a user can go on the network, making it more secure.
Which authentication type requires you to prove your identity?
Multi-Factor Authentication.
Which of the following principles is implemented in a mandatory access control model to determine object access by classification level? - Principle of least privilege - Ownership - Need to Know - Clearance - Separation of duties
Need to Know
What is the primary purpose of separation of duties? - Increase the difficulty of performing administrative duties - Grant a greater range of control to senior management - Inform managers that they are not trusted - Prevent conflicts of interest
Prevent conflicts of interest
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with? - Principle of least privilege - Need to know - Job rotation - Cross-training
Principle of least privilege
Which of the following is an example of privilege escalation? - Principle of least privilege - Privilege creep - Separation of duties - Mandatory vacations
Privilege creep
How does role-based control differ from rule-based control?
Rule-based access control does not consider who the user is, unlike role-based access control.
Which of the following is used for identification? - PIN - Username - Cognitive question - Password
Username