Information Security General Concepts
In a Role Based Access Control system, a role can only have one permission assigned to it. Select one: True False
False
No read-up (users at a lower level of security reading information at a higher level of security) is a rule of the Biba model. Select one: True False
False
Roles
One of the three Role Based Access Control (RBAC) system main components. Roles in an RBAC system are defined as a collection of permissions, logically grouped to allow a user to accomplish a task. Conceptually, roles can be thought of as being similar to a job title or function in an organization. Depending on how the system is configured, there could be a role for each job title or function in an organization.
A security model
Provides specifics of the implementation of the policy.
Role-Based Access Control (RBAC)
Role Based Access Control (RBAC) focuses on what users actually do (i.e. their responsibilities and duties) and the assets they need to use in order to do their jobs.
In a Mandatory Access Control system, the system automatically grants or denies access to a resource. Select one: True False
True
No write-down (users at a higher level of security writing information to a lower level of security) is a rule of the Bell-LaPadula model. Select one: True False
True
What is identification? Select one: a. The process by which a user states their identity b. The process by which a user's stated identity is verified c. Using biometrics to verify the user's identity d. Using passwords to verify the user's identity
a. The process by which a user states their identity
Mandatory Access Control (MAC)
A MAC system automatically grants a user access to an asset based on the user's rank and the asset's security level. MAC is hardly ever seen outside of military settings.
Roles
A collection of permissions, logically grouped to allow a user to accomplish a task.
Biba Intertity Model
A hierarchical information flow model concerned with the integrity of the data. Two rules: • No "write up" • No "read-down"
Biba Integrity Model
A hierarchical model not concerned with access control, confidentiality or any other security concern besides maintaining the integrity of information.
What is Mandatory Access Control (MAC)?
A security access control centrally controlled by a security policy administrator. Users do not have the ability to override the policy. The security policy administrator, normally implemented through the operating system, makes the final decision and can override the user's wishes. Users are given a security clearance and data is classified the same way. Access to an object is based on three items: (1) the clearance of the user, (2) the classification of the object and (3) the security policy of the system. In a MAC system, every object such as a file, directory, device, etc. must have a security label. This makes MAC very difficult to administer.
Accountability
Accountability allows administrators to hold users responsible for their conduct by keeping track of the actions they take.
Bell-LaPadula Confidentiality Model
An information flow model concerned about confidentiality of the data. A hierarchical model, separating users and data into levels. Two rules: • No "read-up" • No "write-down"
What are the two security models?
Bell-LaPadula Confidentiality Model and Biba Integrity Model
A RBAC system consists of 5 main components. True False
False. An RBAC system consists of 3 main components: Permissions, roles, and users. This is why most implementations of RBAC include a role hierarchy. The role hierarchy indicates which roles should override in the event of a conflict.
Security policy
Defines the goals of an organization, normally in abstract or general terms.
Biometrics
Describes the method of identifying a user through the use of unique physical attributes. Examples: Fingerprints, Retina Scan, Facial Recognition.
What are the three Access Control Models?
Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC)
Authentification
During the authentication phase, the system somehow verifies the unknown person's claim of identity. Frequently this is a true or false process - the user is who they claim to be, or an impostor has been discovered.
Access Control List (ACL)
Each asset has a list that states which users may perform particular actions on it. This list is called an Access Control List (ACL).
Access Control
Function of policy that determines who can access a particular resource. In Information Security, this typically refers to which users are allowed access to some resource of the computing infrastructure and what functions they are allowed to perform therein.
Access control system responsibilities
Identification, authorization, and accountability
Inference
Inference is a process by which attackers are able to deduce higher restricted information than what they are allowed access to based on data they do have access to.
Users
One of the three Role Based Access Control (RBAC) system main components. By assigning roles to users, instead of the other way around, maximum flexibility is maintained. • Each role can be assigned to multiple users. • Each user can have multiple roles assigned to them. • Each role can have multiple permissions assigned. • Roles may conflict with other roles.
Permissions
One of the three Role Based Access Control (RBAC) system main components. Permissions are the ability to perform a specific action on a specific asset. There are three commonly seen permissions: • Read - Analogous to access, this permission enables a user to examine the contents of an asset. • Write - This permission enables a user to modify an asset in some way. This may mean changing the contents already stored, or it could mean the addition or removal of data. • Execute - This permission enables a user to use a particular asset. This permission is most commonly associated with software programs running on an operating system, or possibly macros running on a database system.
Permissions
Rules that tell the system how to respond to requests from users to use a particular asset. In most computer systems, there are three common permissions: • Read - enables a user with rights to view the information an asset contains. • Write - enables a user with rights to create, change or delete contents. • Execute - enables a user with rights to operate the asset, assuming that it does something more than contain information. Databases frequently have additional permissions that can be set for assets. • Append - enables a user to add data to a database table, but not to change any of the data already stored. • Update - enables a user to modify or delete the data already in a database, but not insert additional data.
Bell-LaPadula Confidentiality Model
The Bell LaPadula Confidentiality Model was originally developed by the U.S. government to prevent the accidental exposure of sensitive data. It is a hierarchical model Which separates users and data into levels. Users at higher levels are considered to be more senior, and therefore have access to more sensitive information.
Discretionary Access Control (DAC)
The most widely seen and known access control model. In a system using DAC, every asset (file, directory/folder, database table, etc.) has a set of permissions associated with it.
What is Discretionary Access Control (DAC)?
The most widely used access control model. In a system using DAC, every asset (file, directory/folder, database table, etc.) has a set of permissions associated with it. These permissions state which users may perform particular actions on that asset. Furthermore, each asset has an owner, which is usually the person that created/uploaded the asset. In a DAC system, the owner of the asset assigns permissions to other users on the system. This allows the owner to tightly control access to their asset. To prevent having unprotected assets, many systems allow newly created assets to inherit permissions from another asset.
Authorization
The process of granting priviliges to perform a certain action or use a particular resource.
Access Control
The process of regulating which individuals or users have access to particular assets. Physical Example: A bank regulating which employees have physical access to the vault. Virtual Example: A company regulating which employees can access a particular database.
RBAC focuses on users' job functions and the assets they need to perform their jobs. True False
True Role-based access control focuses on users' job functions and the assets they need to perform their jobs.
DAC is hard to manage and can be time consuming. True False
True • DAC can be hard to manage. Because individual users are in charge of granting privileges, IT can be left out of permission management. Whenever individual users are responsible for security, bad things can happen. • DAC can be time consuming. The process of awarding permission to specific users must be repeated for each person who needs access to a resource. • DAC can be difficult to implement correctly. There are many details to track, which can lead to oversight (and potential security threats). Permissions can be accidentally granted that should not be granted. For example, in Windows, simply checking the wrong box may give a user "Full Control" instead of "Read" access.
Which of these is a primary objective of an access control system? Select one: a. Identification b. Availability c. Integrity d. Up time
a. Identification
____________ is a process by which attackers are able to deduce higher restricted information than they are allowed access based on data they do have access to. a. Inference b. Access control c. Identification d. Alteration
a. Inference
In a Role Based Access Control system, how many users can be assigned the same role? Select one: a. Multiple users b. Two c. Three d. One
a. Multiple users
Which of the following are not examples of biometrics? Select all that apply. Select one or more: a. Passwords b. Usernames c. Digital certificates d. Retinal scans e. Fingerprints
a. Passwords b. Usernames c. Digital certificates
Which of the following are examples of biometrics? Select all that apply. Select one or more: a. Retinal scans b. Passwords c. Digital certificates d. Fingerprints
a. Retinal scans d. Fingerprints
What are permissions? Select one: a. Rules that tell the system how to respond to requests from users to use a particular asset (file, database table, etc.) b. Formal responsibilities that have been assigned to individual users in an organization c. The process of granting privileges to perform a certain action or use a particular resource d. A listing of all access attempts by unauthorized users
a. Rules that tell the system how to respond to requests from users to use a particular asset (file, database table, etc.)
What is accountability? Select one: a. A formal practice that allows the administrators to hold users responsible for their conduct by keeping track of the actions they take b. A formal practice that, when enforced properly, ensures the integrity of all assets in an organization c. A formal practice that, when enforced properly, can prevent security breaches from occurring d. A formal practice that allows administrators to regulate access to an object
a. A formal practice that allows the administrators to hold users responsible for their conduct by keeping track of the actions they take
Which of these is an example of access control in the real (i.e. physical) world? Select one: a. A virtual intrusion detection system b. A security guard c. Username and password d. Firewall
b. A security guard
Regarding Role Based Access Control, which of the following would be an example of a role? Select one: a. Fingerprint b. Job title in an organization c. E-mail address d. Username
b. Job title in an organization
Which of the following are common methods of authenticating a user? Select all that apply. Select one or more: a. E-mail address b. Full name c. Thumb print d. Password
c. Thumb print d. Password
The Bell-LaPadula Model is an information flow model that:
Concerned about confidentiality, i.e. leakage of classified information. Main goal is to prevent secret information from being accessed in an unauthorized manner. •Original implementation used a scheme similar to MAC to decide whether or not a given action was allowed to continue. A hierarchical model, separating users and data into levels. Users at higher levels considered to be more senior, and have access to more sensitive information. Data at higher levels considered to be more sensitive. Users wishing to access this information should be at a more senior level.
An access control list states which users assets belong to. True False
False An access control list states which users may perform particular actions.
In MAC, only certain objects have a security label. True False
False In MAC, all objects have a security label.
Discretionary access control is typically seen only in the military. True False
False Mandatory Access Control is typically seen only in the military.
Identification
In most access control systems, during the identification phase, the unknown person asserts their identity. In other words they state who they claim to be.
Each object in a Discretionary Access Control system has an access control list associated with it. Select one: True False
True
In DAC, every asset has a set of permissions associated with it. True False
True In DAC, every asset has a set of permissions associated with it.
Mandatory access control is centrally controlled by a security policy administrator. True False
True Mandatory access control is a security access control centrally controlled by a security policy administrator.
What is Role Based Access Control (RBAC)?
Unlike other access control models which focus on assets and users, Role Based Access Control (RBAC) focuses on users' job functions, i.e. their responsibilities and duties, and the assets they need to use to perform their jobs. A RBAC system consists of three main components: • Permissions • Roles • Users
Which of the following is an example of an access control technique in the real world? a. A lock on a door b. Username and password c. Keystroke dynamics d. Permissions
a. A lock on a door
In a Role Based Access Control system, what is a role? Select one: a. A logical group of permissions that users need in order to complete a specific organizational task b. A logical group of users that are required to complete a specific task c. A mapping of which users are supposed to complete specific tasks d. None of the above
a. A logical group of permissions that users need in order to complete a specific organizational task
What is "authorization"? a. The permission to perform a desired action b. The process by which a user verifies their stated identity c. The process by which a user states their identity to the system d. All of the above
a. The permission to perform a desired action
Is it possible to implement both the Bell-LaPadula Confidentiality model as well as the Biba Integrity model simultaneously? Select one: a. Yes - they deal with different, non-overlapping subjects b. No - the requirements are in direct conflict c. None of the above d. Unknown because no one has tried
a. Yes - they deal with different, non-overlapping subjects
In a Role Based Access Control system, what is a role hierarchy? Select one or more: a. A system to assign roles to a user based on their job title Incorrect b. A system to assign roles to users c. A system used to resolve conflicts between roles d. A system that indicates which roles should take priority in the event of a conflict between roles
b. A system to assign roles to users
Which of the following is not a primary responsibility of an access control system? a. Identification b. Availability c. Accountability d. Integrity
b. Availability
When a user attempts to log into a system, two things occur: identification and authentication. What happens in the identification phase of an access control system? Select one: a. The system states who it believes the unknown user to be b. The user states their supposed identity c. The system infers the user's identity d. The system confirms the user's identity
b. The user states their supposed identity
Which of the following are rule(s) of the Biba Integrity model? Select all that apply. Select one or more: a. Users at a higher level of integrity may not write information at a lower level of integrity b. Users at a lower level of integrity may not write information to a higher level of integrity c. Users at a lower level of integrity may not read information at a higher level of integrity d. Users at a higher level of integrity may not read information at a lower level of integrity
b. Users at a lower level of integrity may not write information to a higher level of integrity d. Users at a higher level of integrity may not read information at a lower level of integrity
Which of the following is one of the five basic philosophies that govern the design of the Bell-LaPadula confidentiality model? Select one: a. A security breach cannot occur if a user at a lower level of security reads information at a higher level of security b. A security breach can occur if a user at a lower level of security writes information to a higher level of security c. A security breach cannot occur if a user at a higher level of security reads information at a lower level of security d. A security breach cannot occur if a user at a higher level of security writes information to a lower level of security
c. A security breach cannot occur if a user at a higher level of security reads information at a lower level of security
Mandatory Access Control is most commonly seen in __________ settings. Select one: a. Public b. Private c. Military d. None of the above
c. Military
In a system using Discretionary Access Control each asset has what? Select one: a. An owner b. An auditor c. Permissions d. An inspector
c. Permissions
Which of the following describes how roles relate to users in a Role Based Access Control system? Select one: a. Organizational tasks are assigned to roles. Roles are then assigned to users. b. Roles are job titles within an organization. Roles are then assigned to users. c. Roles represent a logical group of permissions that a user needs to complete their assigned task. Roles are then assigned to users. d. Users are grouped together into logical groups in order to complete assigned organizational tasks.
c. Roles represent a logical group of permissions that a user needs to complete their assigned task. Roles are then assigned to users.
Which of these is not a computerized example of access control? Select one: a. Firewall b. Username and password c. An intrusion detection system d. A lock
d. A lock
__________ is the process of regulating which individuals or users have access to particular assets. a. Authentication b. Identification c. Biometrics d. Access Control
d. Access Control
Why is accountability a critical issue for information security? Select one: a. Without accountability, users might feel enabled to perform malicious actions with little fear of getting caught b. Without accountability, users might be less diligent in the performance of their duties c. Without accountability, it becomes virtually impossible to investigate attacks d. All of the above
d. All of the above
Which of the following is a permission that is commonly seen in database platforms but not an operating system? Select one: a. Execute b. Write c. Read d. Append
d. Append
Which of the following permissions is specific to database systems? a. Execute b. Write c. Read d. Append
d. Append
How does a DAC system determine whether a user is granted access to a file or folder? Select one: a. The system consults an access control list (ACL) which contains a listing of all users that may access the file and folder, along with a full listing of what types of actions they can perform (read, write, etc.). b. The system examines the user's rank, and the classification level of the file/folder they are trying to open. c. The system has been configured to grant access based on what the user does for the organization, and whether or not they need access to the file to do their work. d. The system examines the user's activities on the system, and attempts to infer the user's intentions. Users with hostile intentions are not granted access.
a. The system consults an access control list (ACL) which contains a listing of all users that may access the file and folder, along with a full listing of what types of actions they can perform (read, write, etc.).
When a user attempts to log into a system, two things occur: identification and authentication. What happens during the authentication phase of a user attempting to log in to a system? Select one or more: a. The system uses some means (password, fingerprint, etc.) to verify the unknown person's claim of identity b. The system only needs a user name to identify and authenticate the user c. The user states their supposed identity Correct d. The system somehow infers the identity of the user
a. The system uses some means (password, fingerprint, etc.) to verify the unknown person's claim of identity
Which of the following statements are true of access control lists (ACLs)? Select one or more: a. There is a list associated with every asset in the system b. The list contains information detailing which users can perform particular actions on an asset c. The list can be overridden by the operating system d. All of the above are true
a. There is a list associated with every asset in the system b. The list contains information detailing which users can perform particular actions on an asset
Which of the following is not a commonly observed problem with administering Discretionary Access Control systems? Select one: a. Making sure the owners of objects (i.e. the users) have not changed permissions on objects, possibly leaving them under-protected b. Ensuring users have been assigned the proper roles c. Objects (files, folders, etc.) that have not had permissions explicitly assigned to them may be unprotected d. Ensuring that a user's permissions are up to date, and the user does not have extra permissions they do not need.
b. Ensuring users have been assigned the proper roles
Which of the following is a commonly cited reason why Discretionary Access Control systems can be difficult to manage? Select one: a. Individual users have no say in the granting or revocation of specific permissions, placing a tremendous burden on IT b. Individual users have complete control over the granting and revocation of permissions, meaning that IT can be left out of the loop c. Discretionary Access Control does not provide a way to grant specific permissions to specific users, meaning that permissions must be controlled through group policies d. All of the above
b. Individual users have complete control over the granting and revocation of permissions, meaning that IT can be left out of the loop
What is the most commonly seen/used method of authenticating a user of a computer system? Select one: a. Keystroke Dynamics b. Password or Passphrase c. Retinal Scan d. Fingerprint Scan
b. Password or Passphrase
In a Role Based Access Control system, the role hierarchy indicates: Select one: a. Which roles were created first b. The order in which roles should be enforced in the event of a conflict c. Who owns an asset d. All of the above
b. The order in which roles should be enforced in the event of a conflict
Which of the following is not one of the five basic philosophies that govern the design of the Bell-LaPadula confidentiality model? Select one: a. A security breach cannot occur if a user at a higher level of security reads information at a lower level of security b. A security breach can occur if a user at a higher level of security writes information to a lower level of security c. A security breach cannot occur if a user at a lower level of security reads information at a higher level of security d. A security breach cannot occur if a user at a lower level of security writes information at a higher level of security
c. A security breach cannot occur if a user at a lower level of security reads information at a higher level of security
The process of ensuring that administrators are able to hold users responsible for their actions is known as: a. Ownership b. Authorization c. Accountability d. Integrity
c. Accountability
Which of these is not a primary objective of an access control system? Select one: a. Accountability b. Identity c. Integrity d. Authority
c. Integrity
Why is Role Based Access Control gaining popularity in the security industry? Select one: a. When using RBAC, the system can automatically grant or deny access to an asset without needing to have it explicitly defined b. RBAC requires less CPU processing time than other security models c. The model allows permissions to be organized more logically according to what each individual's responsibilities are. d. RBAC allows more "fine grained" control over individual assets
c. The model allows permissions to be organized more logically according to what each individual's responsibilities are.
What is authentication? a. Using passwords to verify the user's identity b. The process by which a user states their identity c. The process by which a user's stated identity is verified d . Using biometrics to verify the user's identity
c. The process by which a user's stated identity is verified
How does a Mandatory Access Control system determine whether a user should be granted access to a particular file? Select one: a. Permissions are grouped based on what a user actually does within a specific organization. b. The system looks at the access control list for the file to determine if the user should be granted access. c. The system automatically grants or denies access to an object based on the object's classification and the user's rank. d. Permissions are grouped based on who the user is within a specific organization.
c. The system automatically grants or denies access to an object based on the object's classification and the user's rank.
Which of the following rules violates the principles of the Biba Integrity Model? Select one: a. Users can "write down" to a lower level b. Users can "read up" to a higher level c. Users can "write up" to a higher level d. None of the above
c. Users can "write up" to a higher level
Which of the following are not commonly seen permissions in an operating system? Select one or more: a. Write b. Read c. Execute d. Append e. Abort
d. Append e. Abort
The process of granting privileges to perform certain actions on a particular object or resource is: Select one: a. Verification b. Accountability c. Integrity d. Authorization
d. Authorization
What is authorization? Select one: a. Authorization is the process by which an administrator verifies the integrity of an object. b. Authorization is the process of formally tasking a user with certain objectives that must be completed. c. Authorization is the process of ensuring that administrators are able to hold users responsible for their actions in the system. d. Authorization is the process of granting privileges to perform a certain action or use a particular resource.
d. Authorization is the process of granting privileges to perform a certain action or use a particular resource.
How do permissions relate to roles in Role Based Access Control? Select one: a. A role represents a specific user and their needed permissions b. Roles are not related to permissions c. Roles represent a group of users that need a specific permission d. Roles represent a group of permissions that a specific user needs
d. Roles represent a group of permissions that a specific user needs
Which of the following is not a commonly used method of authentication? a. A physical attribute such as a fingerprint scan b. Something a user knows such as a password c. Something a user has such as an ID Badge d. Something a user does such as his role as supervisor
d. Something a user does such as his role as supervisor