Security Concepts
(1) In most access control systems, during the identification phase, the unknown person asserts their identity. In other words, they state who they claim to be. This(s most frequently done with a user name, ID number or some other identifier that is unique to that user. The most common example of an identification scheme is the famous username and password scheme. • The username identifies the person ("jdoe" -> John Doe) • The password authenticates the person (using an example of something the user "knows") (2) During the authentication phase, the system somehow verifies the unknown person's claim of identity. Frequently this is a true or false process - the user is who they claim to be, or an impostor has been discovered. There are three common methods of authenticating a user: • What the user "has": ID Badge, Smart Card, etc. • What the user "knows": password, the answer to a secret question, etc. • What the user "is" (a physical attribute of the user): fingerprints, retina scans, iris scans, etc.
(1) Identification (2) Authentication
Which of the following rules violates the principles of the Biba Integrity Model? Select one: a. Users can "write down" to a lower level b. Users can "read up" to a higher level c. Users can "write up" to a higher level d. None of the above
c
Which of the following is an example of an access control technique in the real world? A lock on a door Username and password Keystroke dynamics Permissions
A lock on a door
__________ is the process of regulating which individuals or users have access to particular assets. Authentication Identification Biometrics Access Control
Access Control
Permissions are rules that tell the system how to respond to requests from users to use a particular asset. In most computer systems, there are three common permissions: • Read - the system enables a user with rights to view the information an asset contains. • Write - the system enables a user with rights to create, change or delete contents. • Execute - the system enables a user with rights to operate the asset, assuming that it does something more than contain information. Databases frequently have additional permissions that can be set for assets. • Append - the system enables a user to add data to a database table, but not to change any of the data already stored. • Update - the system enables a user to modify or delete the data already in a database, but not insert additional data.
Access Control - Authorization: Permissions
The process of ensuring that administrators are able to hold users responsible for their actions is known as: Ownership Authorization Accountability Integrity
Accountability
Which of the following permissions is specific to database systems? Execute Write Read Append
Append
Which of the following is not a primary responsibility of an access control system? Identification Availability Accountability Integrity
Availability
An access control list states which users assets belong to. True False
False An access control list states which users may perform particular actions.
In MAC, only certain objects have a security label. True False
False In MAC, all objects have a security label.
Discretionary access control is typically seen only in the military. True False
False Mandatory Access Control is typically seen only in the military.
____________ is a process by which attackers are able to deduce higher restricted information than they are allowed access based on data they do have access to. Inference Access control Identification Alteration
Inference
(1) Bell-LaPadula Confidentiality Model • An information flow model concerned about confidentiality of the data. • A hierarchical model, separating users and data into levels. • Two rules: • No "read-up" • No "write-down" (2) Biba Intertity Model • A hierarchical information flow model concerned with the integrity of the data. • Two rules: • No "write up" • No "read-down"
Security Model
Which of the following is not a commonly used method of authentication? A physical attribute such as a fingerprint scan Something a user knows such as a password Something a user has such as an ID Badge Something a user does such as his role as supervisor
Something a user does such as his role as supervisor
What is "authorization"? The permission to perform a desired action The process by which a user verifies their stated identity The process by which a user states their identity to the system All of the above
The permission to perform a desired action
Each object in a Discretionary Access Control system has an access control list associated with it. Select one: True False
True
In DAC, every asset has a set of permissions associated with it. True False
True In DAC, every asset has a set of permissions associated with it.
What is authorization? Select one: a. Authorization is the process by which an administrator verifies the integrity of an object. b. Authorization is the process of formally tasking a user with certain objectives that must be completed. c. Authorization is the process of ensuring that administrators are able to hold users responsible for their actions in the system. d. Authorization is the process of granting privileges to perform a certain action or use a particular resource.
d
Which of these is not a computerized example of access control? Select one: a. Firewall b. Username and password c. An intrusion detection system d. A lock
d
(1) Discretionary Access Control - is the most widely used access control model. In a system using DAC, every asset (file, directory/folder, database table, etc.) has a set of permissions associated with it. These permissions state which users may perform particular actions on that asset. Furthermore, each asset has an owner, which is usually the person that created/uploaded the asset. In a DAC system, the owner of the asset assigns permissions to other users on the system. This allows the owner to tightly control access to their asset. To prevent having unprotected assets, many systems allow newly created assets to inherit permissions from another asset. (2) Mandatory Access Control (MAC) - is a security access control centrally controlled by a security policy administrator. Users do not have the ability to override the policy. The security policy administrator, normally implemented through the operating system, makes the final decision and can override the user's wishes. Users are given a security clearance and data is classified the same way. Access to an object is based on three items: (1) the clearance of the user, (2) the classification of the object and (3) the security policy of the system. In a MAC system, every object such as a file, directory, device, etc. must have a security label. This makes MAC very difficult to administer. (3) Role Based Access Control -unlike other access control models which focus on assets and users, Role Based Access Control (RBAC) focuses on users' job functions, i.e. their responsibilities and duties, and the assets they need to use to perform their jobs. A RBAC system consists of three main components: • Permissions • Roles • Users
Access Control Models
A RBAC system consists of 5 main components. True False
False An RBAC system consists of 3 main components. (1) Permissions - are the ability to perform a specific action on a specific asset. There are three commonly seen permissions: Read - Analogous to access, this permission enables a user to examine the contents of an asset. Write - This permission enables a user to modify an asset in some way. This may mean changing the contents already stored, or it could mean the addition or removal of data. Execute - This permission enables a user to use a particular asset. This permission is most commonly associated with software programs running on an operating system, or possibly macros running on a database system. (2) Roles -Roles in an RBAC system are defined as a collection of permissions, logically grouped to allow a user to accomplish a task. Conceptually, roles can be thought of as being similar to a job title or function in an organization. Depending on how the system is configured, there could be a role for each job title or function in an organization. (3) Users - By assigning roles to users, instead of the other way around, maximum flexibility is maintained. • Each role can be assigned to multiple users. • Each user can have multiple roles assigned to them. • Each role can have multiple permissions assigned to it. • Roles may conflict with other roles. This is why most implementations of RBAC include a role hierarchy. The role hierarchy indicates which roles should override in the event of a conflict.
• Concerned about confidentiality, i.e. leakage of classified information. • Main goal is to prevent secret information from being accessed in an unauthorized manner. • Original implementation used a scheme similar to MAC to decide whether or not a given action was allowed to continue. • A hierarchical model, separating users and data into levels. • Users at higher levels considered to be more senior, and have access to more sensitive information. • Data at higher levels considered to be more sensitive. Users wishing to access this information should be at a more senior level.
The Bell-LaPadula Model is an information flow model:
What is authentication? Using passwords to verify the user's identity The process by which a user states their identity The process by which a user's stated identity is verified Using biometrics to verify the user's identity
The process by which a user's stated identity is verified
DAC is hard to manage and can be time consuming. True False
True DAC is hard to manage and can be time consuming. There are several difficulties administrators experience when using DAC: DAC can be hard to manage. • Because individual users are in charge of granting privileges, IT can be left out of permission management. Whenever individual users are responsible for security, bad things can happen. DAC can be time consuming. • The process of awarding permission to specific users must be repeated for each person who needs access to a resource. DAC can be difficult to implement correctly. • There are many details to track, which can lead to oversight (and potential security threats). • Permissions can be accidentally granted that should not be granted. For example, in Windows, simply checking the wrong box may give a user "Full Control" instead of "Read" access.
Mandatory access control is centrally controlled by a security policy administrator. True False
True Mandatory access control is a security access control centrally controlled by a security policy administrator.
RBAC focuses on users' job functions and the assets they need to perform their jobs. True False
True Role-based access control focuses on users' job functions and the assets they need to perform their jobs.
In a Role Based Access Control system, how many users can be assigned the same role? Select one: a. Multiple users b. Two c. Three d. One
a
Is it possible to implement both the Bell-LaPadula Confidentiality model as well as the Biba Integrity model simultaneously? Select one: a. Yes - they deal with different, non-overlapping subjects b. No - the requirements are in direct conflict c. None of the above d. Unknown because no one has tried
a
What are permissions? Select one: a. Rules that tell the system how to respond to requests from users to use a particular asset (file, database table, etc.) b. Formal responsibilities that have been assigned to individual users in an organization c. The process of granting privileges to perform a certain action or use a particular resource d. A listing of all access attempts by unauthorized users
a
What is accountability? Select one: a. A formal practice that allows the administrators to hold users responsible for their conduct by keeping track of the actions they take b. A formal practice that, when enforced properly, ensures the integrity of all assets in an organization c. A formal practice that, when enforced properly, can prevent security breaches from occurring d. A formal practice that allows administrators to regulate access to an object
a
What is identification? Select one: a. The process by which a user states their identity b. The process by which a user's stated identity is verified c. Using biometrics to verify the user's identity d. Using passwords to verify the user's identity
a
When a user attempts to log into a system, two things occur: identification and authentication. What happens during the authentication phase of a user attempting to log in to a system? Select one or more: a. The system uses some means (password, fingerprint, etc.) to verify the unknown person's claim of identity b. The system only needs a user name to identify and authenticate the user c. The user states their supposed identity Correct d. The system somehow infers the identity of the user
a
Which of the following are not examples of biometrics? Select all that apply. Select one or more: a. Passwords b. Usernames c. Digital certificates d. Retinal scans e. Fingerprints
a, b, c
In a Role Based Access Control system, what is a role hierarchy? Select one or more: a. A system to assign roles to a user based on their job title Incorrect b. A system to assign roles to users c. A system used to resolve conflicts between roles d. A system that indicates which roles should take priority in the event of a conflict between roles
b
Regarding Role Based Access Control, which of the following would be an example of a role? Select one: a. Fingerprint b. Job title in an organization c. E-mail address d. Username
b
What is the most commonly seen/used method of authenticating a user of a computer system? Select one: a. Keystroke Dynamics b. Password or Passphrase c. Retinal Scan d. Fingerprint Scan
b
Which of the following is not a commonly observed problem with administering Discretionary Access Control systems? Select one: a. Making sure the owners of objects (i.e. the users) have not changed permissions on objects, possibly leaving them under-protected b. Ensuring users have been assigned the proper roles c. Objects (files, folders, etc.) that have not had permissions explicitly assigned to them may be unprotected d. Ensuring that a user's permissions are up to date, and the user does not have extra permissions they do not need.
b
How does a Mandatory Access Control system determine whether a user should be granted access to a particular file? Select one: a. Permissions are grouped based on what a user actually does within a specific organization. b. The system looks at the access control list for the file to determine if the user should be granted access. c. The system automatically grants or denies access to an object based on the object's classification and the user's rank. d. Permissions are grouped based on who the user is within a specific organization.
c
In a system using Discretionary Access Control each asset has what? Select one: a. An owner b. An auditor c. Permissions d. An inspector
c
Mandatory Access Control is most commonly seen in __________ settings. Select one: a. Public b. Private c. Military d. None of the above
c
Which of the following is not one of the five basic philosophies that govern the design of the Bell-LaPadula confidentiality model? Select one: a. A security breach cannot occur if a user at a higher level of security reads information at a lower level of security b. A security breach can occur if a user at a higher level of security writes information to a lower level of security c. A security breach cannot occur if a user at a lower level of security reads information at a higher level of security d. A security breach cannot occur if a user at a lower level of security writes information at a higher level of security
c
Which of these is not a primary objective of an access control system? Select one: a. Accountability b. Identity c. Integrity d. Authority
c
Why is Role Based Access Control gaining popularity in the security industry? Select one: a. When using RBAC, the system can automatically grant or deny access to an asset without needing to have it explicitly defined b. RBAC requires less CPU processing time than other security models c. The model allows permissions to be organized more logically according to what each individual's responsibilities are. d. RBAC allows more "fine grained" control over individual assets
c
Which of the following are not commonly seen permissions in an operating system? Select one or more: a. Write b. Read c. Execute d. Append e. Abort
d, e