CIS 4.1-4.6
Match the glossary with its definition: 1. The process of granting or denying specific requests to obtain and use information and related information processing services, and to enter specific physical facilities. 2. A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy. A. RFC 4949 Internet Security Glossary B. NIST IR 7298 Glossary of Key Information Security Terms
1. B 2. A
What dictates what types of access are permitted, under what circumstances, and by whom? A. access control policy B. authorization policy C. authorize control policy
A - ACCESS CONTROL POLICY
Name that control policy: Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
ABAC - attribute based access control
What is the central element of computer security? 1. symmetric encryption 2. access control 3. keys
ACCESS CONTROL
ACLs: For each object, an ACL lists users and their permitted access rights. The ACL may contain a default, or public, entry. This allows users that are not explicitly listed as having special rights to have a default set of rights. The default set of rights should always follow the rule of least privilege or read-only access, whichever is applicable. Elements of the list may include individual users as well as groups of users.
ACL
When it's desired to determine which subjects have which access rights to a particular resource _______ are convenient. However, this data structure is not convenient for determining the access rights available to a specific user.
ACLs
An authorization table contains _____ row for one ____________ of one ___________ to one _________.
An authorization table contains one row for one access right of one subject to one resource.
What is the verification that the credentials of a user or other system entity are valid?
Authentication
Name the access right: User may create new files, records, or fields
Create
Name that control policy: Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource
DAC - Discretionary access control
Access control policies are generally grouped into four categories. What are they?
DAC - Discretionary access control; MAC - Mandatory access control; RBAC - Role-based access control; ABAC - Attribute-based access control
What policy is the traditional method of implementing access control?
DAC - discretionary access control
User may delete certain system resources, such as files or records
Delete
_________________: Access rights include the ability to read/write the device, to control its operation, and to block/unblock the device for use
Devices
Name the access right: User may execute specified programs
Execute
Only some operating systems have a rudimentary and robust access control component. True or False?
False; all operating systems have it
RBAC has become increasingly popular, while ABAC has not. True or False?
False; they've both become increasingly popular
Name that control policy: Controls access based on comparing security labels (which indicate system entities are eligible to access certain resources). This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource
MAC - mandatory access control
Which policy is a concept that evolved out of requirements for military information security and is best covered in the context of trusted systems?
MAC - mandatory access control
One dimension: identified subjects that may attempt data access to resources. Typically this list consists of individual users or user groups, although access could be controlled for terminals, network equipment, hosts, or applications instead of or in addition to users. The other dimension: lists the objects that may be accessed. Objects may be individual data fields.
MATRIX
___________________: Access rights include the ability to read/write certain regions of memory that are protected such that the default is to disallow access.
Memory locations or regions
What are the roles such that a user can be assigned to only one role in the set called?
Mutually exclusive roles
Are these four policies mutually exclusive? Can multiple of these policies be used for one access control mechanism?
No, not mutually exclusive; yes
Access rights for ____________. This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership.
Owner
Basic access control typically defines three classes of subject. What are they?
Owner, Group, World
________________: Access rights include the ability to delete a process, stop, and wake up a process
Processes
__________ now enjoys widespread commercial use and remains an area of active research
RBAC
Name that control policy: Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
RBAC - Role-based access control
Name the access right: User may view information in a system resource (e.g. a file, selected records in a file, selected fields within a record, or some combination). Includes the ability to copy or print.
Read
Name the access right: User may list the files in a directory or otherwise search the directory
Search
___________________: Access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects.
Subjects
Which model assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects?
The general model for DAC
Access control implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance. True or False?
True
Role hierarchies provide a means of reflecting the hierarchical structure of roles in an organization T or F?
True
Access rights for ___________. The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.
World
Name the access right: User may add, modify, or delete data in a system resource (e.g. files, records, programs). Also includes read access.
Write
What is a set of objects together with access rights to those objects?
a protection domain
In terms of the access matrix, what defines a protection domain?
a row
An access control mechanism mediates between who and who?
a user & system resources
What are some examples of unforgeable tokens? This form of capability ticket is appropriate for use in a distributed environment, when the security of its contents (can/cannot) be guaranteed.
a very large random password; a cryptographic message authentication code; cannot
Which function determines if the specific requested access by this user is permitted?
access control
What function consults the database to determine whether to grant access?
access control
Decomposition by columns yields: ? Decomposition by rows yields: ?
access control lists; capability tickets
What is a general approach to DAC that is exercised by an operating system or database management system?
access matrix
What describes the way in which a subject may access an object?
an access right
What is an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures?
an audit
What's a data structure that's not sparse like the access matrix but MORE CONVENIENT than either ACLs or capability lists?
an authorization table
What is a resource to which access is controlled? It's an entity used to contain and/or receive information. Examples: records, blocks, pages, files, directories, directory trees, mailboxes, messages
an object
A subject is typically held accountable for the actions they have initiated. What may be used to record the association of a subject with security-relevant actions performed on an object by the subject?
audit trail
Which function monitors and keeps a record of user accesses to system resources?
auditing function
Which function determines whether the user is permitted to access the system at all?
authentication
What is the granting of a right or permission to a system entity to access a system resource? This function determines who is trusted for a given purpose.
authorization
What specifies authorized objects and operations for a particular user?
capability tickets
What is it called: setting a maximum number with respect to roles?
cardinality
What are two utilities that can provide access control functions?
database management systems; firewalls
The set of users changes, in some environments frequently, and the assignment of a user to one or more roles may also be _____________
dynamic
The number of types of objects to be protected by an access control system depends on the __________________ in which access control operates and the desired tradeoff between ________________ on the one hand and ______________________ on the other hand.
environment; security; complexity, processing burden, ease of use
Typically, job functions with greater responsibility have _________ authority to access resources
greater
Access rights for ________________: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.
group
RFC4949 defines computer security as measures that _________ and ___________ security services in a computer system, particularly those that assure access control service.
implement and assure
How does one make the tickets unforgeable? Have the operating system hold all tickets on behalf of users. These tickets would have to be held in a region of memory ______________ to users. Another way is to include an unforgeable ___________ in the capability.
inaccessible; token
Traditional DAC systems define the access rights of the _________ users and ____________ of users
individual users and groups of users
When the user process calls a system routine, that routine executes in a system mode, or what has come to be called ____ mode, in which privileged instructions may be executed and in which protected areas of memory may be accessed
kernel
The relationship of users to roles is _______ to ________ as is the relationship of roles to resources, or system objects
many to many
RBAC lends itself to an effective implementation of the principle of least privilege. Each role should contain the _________ set of access rights needed for that role. A user is assigned to a role that enables him or her to perform only what is required for that role. Multiple users assigned to the same role, enjoy the same minimal set of access rights
minimum
RBAC: an approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization.
permission
RBAC: a named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role.
role
RBAC systems assign access rights to _______ instead of individual users. In turn, users are assigned to different ______, either statically or dynamically, according to their responsibilities
roles
Who maintains an authorization database that specifies what type of access to which resources is allowed for this user?
security administrator
RBAC: a mapping between a user and an activated subset of the set of roles to which the user is assigned
session
The set of roles in the system in most environments is relatively ____, with only occasional additions or deletions
static
The association between a process and a domain can be _______ or _____________. For example, a process may execute a sequence of procedures and require different access rights for each procedure, such as read file and write file. In general, we would like to minimize the access rights that any user or process has at any one time; the use of protection domains provides a simple means to satisfy this requirement.
static or dynamic
What is an entity capable of accessing objects? (This concept equates with that of a process.)
subject
What are the basic elements of access control?
subject, object, access right
Each entry in the matrix indicates the access rights of a particular _____________ for a particular _________________
subject; object
RBAC is based on the roles that users assume in a ______ rather than the user's identity
system
The principal objectives of computer security are to prevent __________ from gaining access to resources, to prevent ___________ from accessing resources in an unauthorized manner, and to enable _______________ to access resources in an authorized manner
unauthorized; legitimate; legitimate
Tickets must be un______able.
unforgeable
A user program executes in a ____ mode, in which certain areas of memory are protected from the user's use and in which certain instructions may not be executed
user
RBAC: an individual that has access to this computer system. Each individual has a _____ ID.
user
What are the four types of entities in an RBAC system?
user, role, permission, session
Three requirements of the model: 1. representing the protection state 2. enforcing access rights 3. allowing subjects to alter the protection state in certain ways
ya
