MOD 1 / UNIT 1
The company you work for has suffered numerous intrusions due to poor password management by employees. Given a significant budget to mitigate the problem, what type of security control would you use?
A multi-factor authentication product would mitigate this type of problem by requiring users to authenticate with a smart card or biometric information as well as a password.
How does accounting provide non-repudiation?
A user's actions are logged on the system. Each user is associated with a unique computer account. So long as the user's authentication is secure, they cannot deny having performed the action.
What is the difference between authorization and authentication?
Authorization means granting a user account configured on the computer system the right to make use of a resource (allocating the user privileges on the resource). Authentication protects the validity of the user account by testing that the person accessing that account is who they claim to be.
What type of access control system is based on resource ownership?
Discretionary Access Control.
True or false? A "Need to Know" policy can only be enforced using discretionary or role-based access control.
False - a mandatory access control system supports the idea of domains or compartments to supplement the basic hierarchical system.
You have implemented a web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
What is the basis of computer security accounting?
Log files. It is also vital that users be properly authenticated.
You are implementing security controls to protect highly confidential information that must only be made available on a "Need to Know" basis. What class of security control should you investigate?
Mandatory Access Control systems are best-suited for applying non-discretionary, need-to-know access controls.
What term is used to describe a property of a secure network where a sender cannot deny having sent a message?
Non-repudiation.
What steps should be taken to enroll a new user?
Perform identity proofing to confirm the user's identity, issue authentication credentials securely, and assign appropriate permissions / privileges to the account.