Lecture 7 - Ch. 5 Access Control
What is role-based access control (RBAC)?
Assigning permissions to organizational roles (e.g., "accounts payable clerk") and then assigning users to those roles, instead of granting permissions to each individual account. Cheaper to administer and less prone to human error than individual access control.
What are the 4 types of credentials a user can provide, and what is each based on?
1) What you know (password) 2) What you have (access card or token) 3) What you are (biometric, e.g., fingerprint) 4) What you do (e.g., speaking a pass-phrase)
What are two examples of hardware devices used for access control? What are their cons?
Access cards (smart cards containing a microprocessor and memory) and tokens (which generate one-time passwords). Cons: loss and theft are frequent, so the device is only as strong as the process for reporting and revoking it; pairing it with a PIN limits what a thief can do with it.
What is mandatory access control (MAC)?
Access rules are set by a higher authority (central security policy); individual departments cannot alter or relax them.
Define: Piggybacking
Also known as tailgating: following an authorized user through a secured door without authenticating yourself.
Define: AAA Protections
Authentication (proving who you are), Authorization (what an authenticated party is allowed to do), Auditing (recording actions so they can be reviewed later)
What is the basis of biometric authentication and why is it desirable?
Based on measurements of biological traits (fingerprint, iris, face, voice). Desirable because there is nothing for the user to remember or carry; the chapter presents it as a way to make reusable passwords obsolete.
What is individual access control?
Basing access permissions on individual accounts
What is discretionary access control (DAC)?
The department or data owner has discretion to set (and relax) access rules for its own resources, within the general policy set by the higher authority.
What are the 2 generic types of cryptographic function used for authentication?
Electronic signatures, in the form of HMACs (keyed hashes over a shared secret; fast and inexpensive, but because sender and receiver hold the same key the receiver could produce the same tag, so an HMAC gives no non-repudiation) and digital signatures (public-key; extremely strong and provide non-repudiation, but slow).
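The following Go program is an added example (not part of the lecture or flashcards) that puts the two electronic-signature mechanisms side by side: an HMAC-SHA256 tag verified in constant time, and an Ed25519 digital signature. Both detect a tampered message, but only the signature lets the verifier reject a message made by someone other than the key holder; the HMAC verifier, holding the shared key, can mint a valid tag himself. The shared key, the fixed Ed25519 seeds, the message and the names Alice/Bob/Mallory are all constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample key material (assumption: not from the lecture). In practice
// the HMAC key is a random secret shared by both parties and the Ed25519 key is
// generated with crypto/rand; fixed values are used here so the run is reproducible.
var sharedKey = []byte("constructed-shared-key-32-bytes!")
var aliceSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var mallorySeed = bytes.Repeat([]byte{0x99}, ed25519.SeedSize)

// HMACTag computes HMAC-SHA256 over msg under the shared key.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// HMACVerify recomputes the tag and compares in constant time (hmac.Equal),
// so an early-exit byte comparison cannot leak the tag through timing.
func HMACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(tag, HMACTag(key, msg))
}

// Comparison records what each mechanism does on a genuine, a tampered and a
// verifier-forged message.
type Comparison struct {
	HMACValid            bool // genuine tag verifies
	HMACTampered         bool // genuine tag accepted on an altered message (must be false)
	HMACVerifierCanForge bool // verifier, holding the shared key, can mint a valid tag (true: no non-repudiation)
	SigValid             bool // genuine signature verifies
	SigTampered          bool // genuine signature accepted on an altered message (must be false)
	SigVerifierCanForge  bool // a signature made without Alice's private key verifies (must be false)
}

// Compare runs both mechanisms over a constructed message and its tampered twin.
func Compare() Comparison {
	msg := []byte("transfer 100 to account 42")      // constructed message
	tampered := []byte("transfer 900 to account 42") // same message, one digit changed
	var c Comparison

	// HMAC: Alice (sender) and Bob (verifier) share sharedKey.
	tag := HMACTag(sharedKey, msg)
	c.HMACValid = HMACVerify(sharedKey, msg, tag)
	c.HMACTampered = HMACVerify(sharedKey, tampered, tag)
	// Bob can compute a tag for any message he likes, so a valid tag does not
	// prove Alice sent it; it only proves someone holding the key did.
	c.HMACVerifierCanForge = HMACVerify(sharedKey, tampered, HMACTag(sharedKey, tampered))

	// Digital signature: only Alice holds the private key; Bob holds her public key.
	alicePriv := ed25519.NewKeyFromSeed(aliceSeed)
	alicePub := alicePriv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(alicePriv, msg)
	c.SigValid = ed25519.Verify(alicePub, msg, sig)
	c.SigTampered = ed25519.Verify(alicePub, tampered, sig)
	// Without alicePriv, the best a forger (Mallory) can do is sign with another key;
	// that signature does not verify under Alice's public key.
	malloryPriv := ed25519.NewKeyFromSeed(mallorySeed)
	c.SigVerifierCanForge = ed25519.Verify(alicePub, tampered, ed25519.Sign(malloryPriv, tampered))
	return c
}

func main() {
	fmt.Printf("%+v\n", Compare())
}
```

Running it prints a struct in which HMACValid, HMACVerifierCanForge and SigValid are true and the other three fields are false, which is exactly the "fast but no non-repudiation" versus "slow but strong" distinction the flashcard draws.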
What is the subject of ISO/IEC 27002 Section 9.2 and give an example of a relevant control
Equipment security. Example control: supporting utilities (power, water, HVAC) must be protected and tested frequently.
What may cause FTE?
Failure to Enroll: the system cannot capture a usable template from the user. Typical cause: poor fingerprints, e.g., ridges worn down by clerical work or age.
What is the difference between FARs and FRRs?
False Acceptance Rate (FAR): percentage of impostor samples the system wrongly declares a template match (accepting people it should reject). False Rejection Rate (FRR): percentage of legitimate users' samples the system wrongly rejects. The two trade off: raising the match threshold lowers FAR but raises FRR, and vice versa.
What is a PKI and its weak link?
Public key infrastructure: firms act as their own certificate authorities (CAs), issuing certificates to their own users and devices. Weakest link = human registration, i.e., verifying who the applicant really is before a certificate is issued.
Why are passwords not considered strong anymore?
Increased computing speed available to attackers makes password guessing (cracking) fast, so short or reused passwords can be broken.
What is the Principle of Least Permissions?
Initially give people only the permissions needed to complete their job, and add more only when a need is demonstrated (also called least privilege).
Does biometric authentication require an exact match between the template and the sample data?
No. Two readings of the same trait never match exactly. The system computes a match index (similarity score) between sample and template and accepts the user when the index exceeds a threshold the administrator sets.
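The program below is an added example (not from the lecture or flashcards) that ties the FAR/FRR card and the match-index card together: it takes constructed match-index scores for genuine and impostor samples, computes FAR and FRR at a given acceptance threshold, and scans thresholds to find the one where the two error rates are equal. The score scale, the sample scores and the function names are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed match-index scores on a 0-100 scale (assumption: not data from the
// lecture). "genuine" are repeat samples from enrolled users compared against their
// own templates; "impostor" are samples from other people compared against those
// templates. No genuine sample scores 100: a sample never matches its template exactly.
var genuine = []int{91, 88, 85, 79, 76, 72, 68, 61, 55, 49}
var impostor = []int{58, 52, 47, 45, 41, 38, 33, 29, 24, 18}

// Rates returns the FAR and FRR produced by accepting a sample whenever its
// match index is at least threshold.
func Rates(threshold int) (far, frr float64) {
	falseAccepts, falseRejects := 0, 0
	for _, s := range impostor {
		if s >= threshold { // impostor accepted: false acceptance
			falseAccepts++
		}
	}
	for _, s := range genuine {
		if s < threshold { // legitimate user rejected: false rejection
			falseRejects++
		}
	}
	return float64(falseAccepts) / float64(len(impostor)),
		float64(falseRejects) / float64(len(genuine))
}

// EqualErrorThreshold scans every threshold and returns the lowest one at which
// FAR and FRR are closest (the equal error rate point that vendors usually quote).
func EqualErrorThreshold() int {
	best, bestDiff := 0, math.Inf(1)
	for t := 0; t <= 100; t++ {
		far, frr := Rates(t)
		if d := math.Abs(far - frr); d < bestDiff {
			best, bestDiff = t, d
		}
	}
	return best
}

func main() {
	// Lower thresholds favour convenience (low FRR); higher ones favour security (low FAR).
	for _, t := range []int{40, 50, 60} {
		far, frr := Rates(t)
		fmt.Printf("threshold %d: FAR %.2f  FRR %.2f\n", t, far, frr)
	}
	fmt.Println("equal-error threshold:", EqualErrorThreshold())
}
```

With these scores a threshold of 40 admits half the impostors but rejects no legitimate user, 60 admits no impostor but rejects a fifth of legitimate users, and the crossover sits at 53 where both rates are 10%. Which point an administrator picks depends on whether the door guards a lobby or a server room.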
What is the subject of ISO/IEC 27002 Section 9.1 and give an example of a relevant control
Secure areas. Example control: create rules for working in secure areas, such as limiting unsupervised work.
What is multi-factor authentication?
Using two or more different types of credentials together, e.g., an access card (what you have) plus a PIN (what you know).