Information Security Quiz 4
Policy definition phase
- Who has access and what systems or resources they can use
  • Tied to the authorization phase
Action
Something you do/how you do it
Two types of access control
physical and logical
Which type of authentication includes smart cards? A. Knowledge B. Ownership C. Location D. Action
B
Which one of the following is an example of a logical access control? A. Key for a lock B. Access card C. Password D. Fence
C
Access Control Policies
Users, Resources, Actions, Relationships
Identification
Who is asking to access the asset?
- Username
- Smart card
- Biometrics
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
Actions
Activities that authorized users can perform on resources
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
Logical Access Control Solutions
Biometrics, Tokens, Passwords, Single sign-on
Which one of the following is not a good technique for performing authentication of an end-user? A. Password B. Biometric scan C. Identification number D. Token
C
Authentication
Can their identities be verified?
Logical
Controls access to a computer system or network
Physical Control
Controls entry into buildings, parking lots, and protected areas
Biometrics
Fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry
Authentication Types
Knowledge, Ownership, Characteristics, Location, Action
Tokens
Smart cards and memory cards
Characteristics
Something unique to you
Authorization
What, exactly, can the requestor access? And what can they do?
- User-assigned privileges
- Group membership policy
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Passwords
- Stringent password controls for users
- Account lockout policies
- Auditing logon events
Which one of the following is NOT a good technique for performing authentication of an end user?
Identification number
Logical Access Control
- Deciding which users can get into a system
- Monitoring what each user does on that system
- Restraining or influencing a user's behavior on that system
The Security Kernel
- Enforces access control for computer systems
- Central point of access control
- Makes access determinations based on rules or Access Control Lists (ACLs)
Policy enforcement phase
- Grants or rejects requests for access based on the authorizations defined in the first phase
  • Tied to the identification, authentication, and accountability phases
Authentication by Knowledge
- Password
  • Weak passwords are easily cracked by brute-force or dictionary attack
  • Password best practices
- Passphrase
  • Stronger than a password
- Account lockout policies
- Audit logon events
Physical Access Control
- Smart cards are an example
- Programmed with an ID number
- Used at parking lots, elevators, office doors
- Cards control access to physical resources
Authentication by Ownership
- Synchronous token: calculates a number at both the authentication server and the device
- Asynchronous token
  • USB token
  • Smart card
  • Memory cards (magnetic stripe)
Access Control
- The process of protecting a resource so that it is used only by those allowed to use it
- Prevents unauthorized use
- Access can be granted to physical assets, such as buildings or rooms
Single sign-on
A gateway service that permits users to log in once with a single user ID and password to gain access to multiple software applications.
Which answer best describes the accountability component of access control? A. Accountability is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. B. Accountability is the method a subject uses to request access to a system. C. Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. D. Accountability is the process of determining who is approved for access and what resources they are approved for.
Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.
Which answer best describes the authentication component of access control? A. Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. B. Authentication is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. C. Authentication is the process of determining who is approved for access and what resources they are approved for. D. Authentication is the method a subject uses to request access to a system.
Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access.
Which answer best describes the authorization component of access control? A. Authorization is the method a subject uses to request access to a system. B. Authorization is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. C. Authorization is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. D. Authorization is the process of determining who is approved for access and what resources they are approved for.
Authorization is the process of determining who is approved for access and what resources they are approved for.
Accountability
How are actions traced to an individual to ensure the person who makes data or system changes can be identified?
Which answer best describes the identification component of access control? A. Identification is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. B. Identification is the method a subject uses to request access to a system. C. Identification is the process of determining who is approved for access and what resources they are approved for. D. Identification is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.
Identification is the method a subject uses to request access to a system.
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
Password protection
Users
People or processes that use the system (subjects)
Relationships
Permissions granted to a user
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change.
Resources
Protected objects in the system
RBAC
Role Based Access Control
Ownership
Something you have
Knowledge
Something you know
Location
Somewhere you are
Access controls are policies or procedures used to control access to certain items. True or False?
True
Which one of the following is typically used during the identification phase of a remote access connection?
Username