8.1 Access Control Methods
Access Control Policy
A policy that defines the steps and measures that are taken to control a subject's access to objects.
Transitive Trust
A trust that allows the trust relationship to flow among domains.
Non-transitive trust
A trust where trust relationships must be explicit between domains.
One-Way Trust
A unidirectional authentication path created between two domains.
Role-based Access Control (RBAC)
An access control model that allows access by organizational role, not individual user.
Discretionary Access Control (DAC)
An access control model that assigns access directly to subjects based on the owner's discretion.
Attribute-Based Access Control (ABAC)
An access control model that restricts access by assigning attributes to resources.
Mandatory Access Control (MAC)
An access control model that uses labels for both subjects (users who need access) and objects (resources with controlled access, such as data, applications, systems, networks, and physical space).
Rule-based access control (RBAC)
An access control model that uses the characteristics of objects or subjects and rules to restrict access.
Preventative Access Control
An access control that deters intrusion or attacks.
Deterrent Access Control
An access control that discourages attack escalation.
Corrective Access Control
An access control that implements short-term repairs to restore basic functionality following an attack.
Compensative Access Control
An access control that is an alternative to primary access controls.
Recovery Access Control
An access control that restores the system to normal operations after the attack and short-term stabilization period.
Detective Access Control
An access control that searches for details about the attack or the attacker.
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Attribute-Based Access Control (ABAC)
Which of the following is the term for the process of validating a subject's identity?
Authentication
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources?
Authentication and authorization
Technical Controls
Computer mechanisms that restrict access.
Physical Controls
Controls that restrict physical access.
Which access control type is used to implement short-term repairs to restore basic functionality following an attack?
Corrective
Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?
DAC
You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?
DAC
Objects
Data, applications, systems, networks, and physical space.
Which of the following defines an object as an entity in the context of access control?
Data, applications, systems, networks, and physical space.
Audit trails produced by auditing activities are which type of security control?
Detective
Which access control model is based on multilevel security where objects are assigned a security classification and subjects are granted a security clearance which allows them to access objects at or below that security classification?
Mandatory Access Control (MAC)
Administrative Controls
Policies that describe accepted practices.
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is used?
RBAC
A router access control list uses information in a packet such as the destination IP address and port number to make allow or deny forwarding decisions. This is an example of which kind of access control model?
RSBAC
What form of access control is based on job descriptions?
Role-based access control (RBAC)
Which access control model manages rights and permissions based on job descriptions and responsibilities?
Role-based access control (RBAC)
Which of the following is an example of a Role-based access control (RBAC)?
Router access control lists that allow or deny traffic based on the characteristics of an IP.
Encryption is which type of access control?
Technical
Access Control
The ability to permit or deny the privileges users have when accessing resources on a network or computer.
Authorization
The access control process that grants or denies a subject's access to an object based on the subject's level of permissions or the actions allowed with the object.
Identification
The access control process that identifies the subject.
Auditing
The access control process that maintains a record of a subject's activity within the information system.
Authentication
The access control process that validates a subject's identity.
Two-Way Trust
Two one-way trusts in opposite directions.
Subjects
Users, applications, or processes that need access to objects.