Information Security Quiz 4

Policy definition phase

- Who has access and what systems or resources they can use • Tied to the authorization phase

Action

Something you do/how you do it

Two types of access control

physical and logical

which type of authentication includes smart cards? A. Knowledge B. Ownership C. Location D. Action

B

which one of the following is an example of a logical access control? A. key for a lock B. Access card C. Password D. Fence

C

Access Control Policies

Users, Resources, Actions, Relationships

Identification

Who is asking to access the asset? • Username • Smart card • Biometrics

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?

Acceptability

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

Accountability

Actions

Activities that authorized users can perform on resources

During which phase of the access control process does the system answer the question,"What can the requestor access?"

Authorization

Logic Access Control Solutions

Biometrics, Tokens, Passwords, Single sign-on

Which one of the following is not a good technique for performing authentication of an end-user? A. Password B. Biometric scan C. Identification number D. Token

C

Authentication

Can their identities be verified?

Logical

Controls access to a computer system or network

Physical Control

Controls entry into buildings, parking lots, and protected areas

Biometrics

Fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry

Authentication Types

Knowledge Ownership Characteristics Location Action

Tokens

Smart cards and memory cards

Characteristics

Something unique to you

Authorization

What, exactly, can the requestor access? And what can they do? - User-assigned privileges - Group membership policy

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

security kernel

Passwords

• Stringent password controls for users • Account lockout policies • Auditing logon events

Which one of the following is NOT a good technique for performing authentication of an end user?

Identification number

Logical Access Control

- Deciding which users can get into a system - Monitoring what each user does on that system - Restraining or influencing a user's behavior on that system

The Security Kernel

- Enforces access control for computer systems - Central point of access control - Makes access determinations based off of rules or Access Control Lists (ACLs)

Policy enforcement phase

- Grants or rejects requests for access based on the authorizations defined in the first phase • Tied to identification, authentication, and accountability phases

Authentication by Knowledge

- Password • Weak passwords easily cracked by brute-force or dictionary attack • Password best practices - Passphrase • Stronger than a password - Account lockout policies - Audit logon events

Physical Access Control

- Smart cards are an example - Programmed with ID number - Used at parking lots, elevators, office doors - Cards control access to physical resources

Authentication by Ownership

- Synchronous token -- Calculates a number at both the authentication server and the device - Asynchronous token • USB token • Smart card • Memory cards (magnetic stripe)

Access Control

- The process of protecting a resource so that it is used only by those allowed to - Prevents unauthorized use - Access can be granted to physical assets, such as buildings or rooms

single sign-on

A gateway service that permits users to log in once with a single user ID and password to gain access to multiple software applications.

Which answer best describes the accountability component of access control ~Accountability is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. ~Accountability is the method a subject uses to request access to a system. ~Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. ~Accountability is the process of determining who is approved for access and what resources they are approved for.

Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.

Which answer best describes the authentication component of access control ~Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. ~Authentication is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. ~Authentication is the process of determining who is approved for access and what resources they are approved for. ~Authentication is the method a subject uses to request access to a system.

Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access.

Which answer best describes the authorization component of access control?~Authorization is the method a subject uses to request access to a system. ~Authorization is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. ~Authorization is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. ~Authorization is the process of determining who is approved for access and what resources they are approved for.

Authorization is the process of determining who is approved for access and what resources they are approved for.

Accountability

How are actions traced to an individual to ensure the person who makes data or system changes can be identified?

Which answer best describes the identification component of access control? ~Identification is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. ~Identification is the method a subject uses to request access to a system. ~Identification is the process of determining who is approved for access and what resources they are approved for. ~Identification is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited

Identification is the method a subject uses to request access to a system.

Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?

Password protection

Users

People who use the system or Users processes (subjects)

Relationships

Permissions granted to a user

Which one of the following is NOT an advantage of biometric systems?

Physical characteristics may change.

Resources

Protected objects in the system

RBAC

Role Based Access Control

Ownership

Something you have

Knowledge

Something you know

Location

Somewhere you are

Access controls are policies or procedures used to control access to certain items. True or False?

True

Which one of the following is typically used during the identification phase of a remote access connection?

Username