127 terms

Chapter 6 - Access Control

Sec +

Best practices related to authentication, authorization, and access control include:
(a) Separation of duties
(b) Job rotation
(c) Implicit deny
(d) Least privilege
MAC model
(a) OS of the network controls access
DAC model
(a) Allows data owners to specify what users can access certain data
________ can be assigned by user, group, or role in the company.
Privileges
RBAC
(a) Role-based access control
(b) allows access to be based on role
(c) that user holds within organization
Rule-based access control
(a) based on ACLs
(b) not necessarily tied to ID of user
(c) provides access rules applied to all users in organization
(d) based on: desired action, location, time of day, user ID, etc
Some of the most effective account restrictions include:
(a) Limiting logon attempts
(b) Using expiry dates
(c) Disabling unused accounts
(d) Setting time restrictions
(e) Restricting machine access
(f) Using tokens
Use these password policies to prevent password weaknesses:
(a) Regular password rotation
(b) Enforce strong passwords (length, characters, etc)
(c) Employ password aging
Each _________ should have his own personal data directory, where only he has access to create, delete, and modify files and directories within.
User
When you first create an ACL for a resource, use ___________ as a default.
no access
In an ACL, what does starting with no access enable?
(a) start with clean slate
(b) can add access permissions based on needs of particular user or group
(c) giving only enough access permissions to perform job function
Physical-access control security includes:
(a) Video surveillance/monitoring
(b) ID cards, locks, man-traps
(c) Security guards, cameras, access logs
ID cards should be complemented with __________ or ______.
access codes, PINs
Two simple and often overlooked aspects of security are:
Access control, authentication
Access includes rights to:
(a) Personal and shared folders on network server
(b) Company intranets
(c) Printers
(d) other network resources/devices
Access control
(a) permissions applied to resources
(b) determine which users can access those resources
_________ assure that users who are authorized to receive access to certain resources can access them, while users who are unauthorized do not receive access to those same resources.
Access control
________ contains all of the techniques, policies, and programs designed to ensure that only those entities with a verified need and clearance level for the systems or data in question are able to access it, and all others that don't are denied.
Access control
Examples of Access control include:
(a) technical: ie permissions
(b) physical: secured doors, gates
(c) deterrent, preventative, detective
(d) compensating, administrative
Access control: Compensating control
(a) mitigate risks best as you can
(b) while you work to completely remediate them
Access control: Administrative control
(a) put policies & procedures into place
(b) creates another layer of protection
Access control: Deterrent
attempting to deter unauthorized activity
Access control: Preventative
preventing unauthorized activity
Access control: Detective
detecting unauthorized activity
Authentication
(a) paired with Access control
(b) identifies users
(c) verifies they are, who they claim to be
(d) comes after person/entity has ID themselves to the system
After a user has been __________, the resources for which the user has appropriate permissions become accessible.
authenticated
When an identity is ___________, it means that it's verified as being true or confirmed.
authenticated
As an administrator, you must carefully consider system and network security when creating ______ and ________ policies.
access, authentication
Basic security practices such as login IDs and passwords must be augmented with __________ techniques and _______.
Advanced logical access control, password aging
Advanced logical access control techniques include:
(a) long
(b) non-dictionary
(c) alphanumeric passwords (aka password complexity)
(d) regular password rotation and expiration
Protection of personal and shared data resources on network file servers must be maintained through the use of _______ and _______ permissions on a per-user or per-group basis.
directory, file access control
Physical access control
(a) 1st level barrier
(b) prevents unauthorized users from entry
__________ methods determine how users interact with resources and computer systems.
Access control
________ must be protected from unauthorized modification or tampering.
Resources
Access controls must be enforced on a network to ensure that __________ users cannot access its resources or the network and computer system infrastructure.
Unauthorized
Regarding access control methods, your first task is to define who are the _______ and to what _____ they need access.
users, resources
Access control: Users
(a) doesn't always mean a specific person
(b) computer can act as user (when it tries to connect to resource of another computer)
Access control: Resource
(a) from text file to network printer
(b) to file server to proxy server
(c) anything to be used by dun dun dun...USERS!
Access control: Backup user
(a) must also have its access control defined properly
(b) so it can securely perform its job
Just as your users must be carefully defined, the ___________ offered by your computer network need to be categorized and _________ defined for the resources' security.
resources, access controls
Resources must be categorized with the following attributes in mind:
(a) Sensitivity
(b) Integrity
(c) Availability
Sensitivity
(a) How confidential is data from resource?
(b) Seen by certain users, or all?
(c) ie: payroll, HR data
(d) address via: Access Controls
Integrity
(a) Should users only read from files in directory, or modify files too?
(b) If integrity vital, should be read-only
(c) ie: datasheet of company finances
(d) address via: Access Controls (primarily file/directory security)
Availability
(a) How available should data as a resource be?
(b) Data needs to be available all time, or only certain times?
(c) Info critical that must be available whenever user requests?
(d) typically, this decreases the more secure it is, so needs balance
(e) address via: backups, clustering, redundancy solutions
Levels of security: before a user is allowed access to a facility or resource, three main levels must be passed:
1) Identification
2) Authentication
3) Authorization
Level of security: Identification
(a) user must ID themselves, usually login user name or account name
(b) aka: identity proofing
(c) prove identity before going any further
Identity proofing
(a) aka: Identification
(b) ensures user is who they claim to be (could be app program or process too)
Level of security: Authentication
(a) follows Identification
(b) provide proof of use for login name, credentials
(c) by supplying password, PIN, token
(d) identity & supplied info match credential database, user is authenticated
Level of security: Authorization
(a) finally, user tries to access resource
(b) system must check that user ID is authorized for that resource
(c) and check permissions/privileges user has when using it
(d) user being ID'd & authenticated doesn't mean they'd be able to access all resources
Access security grouping
(a) grouping users on similarities in their attributes, more efficient
In Access security grouping, administrators need to identify groups of users in three ways
(a) Job function
(b) Department
(c) Physical location
Access security grouping: Job function
(a) user performs same job? likely all need access to same resources
(b) model can be defined hierarchically
Access security grouping: Department
(a) users who belong in same department probably need access
(b) same data and resources
Access security grouping: Physical location
(a) security model can be set up by physical location
(b) users grouped depending on office where they belong
In the most efficient security model, data resources are organized based on ________ criteria.
need-to-know
Each resource must have its ___________ specifically set to allow access only to users authorized for that resource.
access controls
___________ also flow down into more granular levels of security, in which a user might have access to read a file, but not modify or execute it.
access controls
Access control best practices to increase security through proper organizational structures and data security principles:
(a) Separation of duties
(b) Rotation of job duties
(c) Mandatory vacations
(d) Implicit deny
(e) Explicit deny
(f) Least privilege
__________ ensures that one individual isn't tasked with both performing and verifying functions, particularly sensitive security functions.
Separation of duties
_________ requires that more than one person allow a specific procedure to take place to ensure that important security decisions are not relegated to a single person.
N-person control
To separate duties that involve high-security situations, a certain amount of __________ must take place.
N-person control
__________ means that all access is denied by default and access permissions are granted only to specific resources as required.
Implicit deny
Job rotation
(a) provides workforce skills improvement
(b) increased job satisfaction
(c) enhances security of organization
________ also ensures better security, as no single employee retains the same amount of access control for a particular area for an extended period of time.
Job rotation
This can prevent internal corruption that can occur, for example, when a long-term employee, because of her deep knowledge of a particular area of duty, might take advantage of the position and security access.
Job rotation
Job rotation also boosts ___________ when another person takes over a specific job duty and examines potential inefficiencies or evidence of security lapses.
accountability
Mandatory vacations
(a) security measure
(b) requires employees to use vacation at certain times of year
(c) most often used to detect security issues, ie: fraud or other hacking activities
Implicit deny
(a) security principle of starting a user out with NO access rights
(b) granting permissions to resources as required
(c) must implicitly deny all access to provide fully secure baseline
(d) only then can admin grant user access to resources
The _________ principle is more secure than starting out with a policy that grants a user default access to all resources and then denies access permissions to certain resources.
implicit deny
The ___________ policy should be applied to all aspects of an organization's security, from physical security and access control, to file and resources permissions on a file server, and to network firewall and router rules.
implicit deny
Explicit deny
(a) access to certain resource explicitly denied to user or group of users
(b) access to that resource cannot be granted to those users
(c) even if access was inherited from another policy
Least privilege
(a) grants users ONLY access rights they need to perform job
(b) requires giving users least amount of access possible
(c) prevents more powerful access
The function of ___________ is to decide exactly what a person needs to know or for what areas the person requires access for a particular position.
management
The _________ must enact the decision managers make about access for particular position.
network administrator
Data access should be based on the ______ principle, which ensures that users have the minimal access rights available to perform their job function and nothing more.
least privilege principle
Access control models
(a) policies that define how users access data
(b) also determine extent or degree a user can further allow access to the data to others
(c) policies based on security and business goals of organization
(d) rules enforced through access control types/technologies
The main Access control types/technologies:
(a) Mandatory access control (MAC)
(b) Discretionary access control (DAC)
(c) Role-based access control (RBAC)
(d) Rule-based access control
Mandatory access control (MAC)
(a) OS controls access to data
(b) most data owners can work with permissions to own files & share them
(c) OS access controls override any settings though
(d) centralized, often used in high-security environments
Discretionary access control (DAC)
(a) enables data creators and owners to specify which users can access
(b) access to resources allowed only for authorized users through permission on resource
(c) most common model in Windows & Unix
(d) admins create hierarchy of files, directories, and other resources
(e) based on user privileges and access rights
(f) less centralized version of MAC
Role-based access control (RBAC)
(a) aka: non-discretionary access control
(b) centrally controlled model
(c) allows access based on role the user holds within organization
(d) not to individual users, but groups of users performing common functions instead
(e) vs discretionary, where use of groups/roles is purely for ease of use; here it's REQUIRED
Logical access controls
(a) technical components
(b) control user access to resources
(c) provides user account, password, access privileges management
List account restrictions and access control methods that can be used to increase security of user accounts
(a) Good naming convention
(b) Limit logon attempts
(c) Setting account expiry dates
(d) Disable unused accounts
(e) Set time restrictions
(f) Set machine restrictions
(g) Using tokens
(h) Restricting multiple/shared accounts
Federation
(a) related to SSO
(b) implemented through enterprise-wide identity management system
(c) users' identity and associated attributes carried across enterprise boundaries
(d) centers around transitive trust
Transitive trust
(a) trust relationship between two domains
(b) allows authentication of trusted users across both domains
(c) requires organizations to agree on standards for sharing id attributes
(d) ie student logs into portal, uses same creds for access to external library
Privilege management
(a) creation and use of policies defining
(b) users and groups
(c) accessing company resources (ie data files or printers)
(d) needs logical structure to define access privileges depending on type of user, groups, specific role
User
(a) single user's access rights and privileges
(b) revolve around data person creates, mods, deletes
(c) their rights plus rights of whatever group/role they are part of
Group
(a) subset of users that are fairly static
(b) privileges can be distributed to entire group
(c) greater overall control of access to resources
Role
(a) security privileges according to role in company
(b) ie DBA has extra privileges accorded to that role
(c) predetermined permissions for a role can be created and then applied
Security concerns with file and print servers center around what?
Authentication, access permissions
File servers should be configured so that no user can access through the network without first being what?
authenticated via user name and password
ACL
(a) contains list of permissions granted
(b) to users for each resource
Common permissions that can be assigned via ACL
1) Read
2) Write
3) Read & Execute
4) Modify
5) Full control
Read
(a) view or list contents
(b) file or directory
Write
(a) create and save
(b) new file
(c) or write to existing file
Read & Execute
(a) view or list contents
(b) file or directory
(c) and execute accessible files
Modify
(a) read, write, execute, or delete
(b) file or directory
Full control
(a) read, write, execute, modify, delete
(b) file or directory
The most basic types of security that can be set at the resource level are:
(a) full access
(b) no access
An _____ should be created for every resource and applied for all users.
ACL
When you first create an ACL for a resource, start with _______ as default. Then add access permissions based on needs of particular user or group.
no access
Physical access control differs from computer security how?
Prevent:
(a) computer security = accessing resources of your system
(b) physical security = access an environment
Physical security is required to protect:
(a) employees
(b) company data
(c) equipment
(d) facility itself
To secure access to the facility, access systems should be installed to:
(a) identify employees
(b) control what areas of facility they can enter
Access control also includes:
(a) surveillance and monitoring of company property
(b) installation of physical barriers to prevent unauthorized intruders from trespassing
Your first line of defense is the security of the ____ of the facility or the ____ of its property.
perimeter, boundaries
Building security includes:
(a) physical barriers
(b) surveillance
(c) access control
The simplest form of surveillance is the use of what?
(a) common security procedures
(b) ie security guards
________ is of primary importance, both in terms of efficiency of surveillance and equipment costs.
Camera placement
The use of _____ can ensure that a surveillance and monitoring system is proactive by alerting you to suspicious behavior.
intruder detection equipment
Proximity detector
(a) senses changes in electromagnetic field
Photoelectric detector
(a) changes in light patterns
(b) emits beam of light that sounds alarm if disrupted
Protected distribution
(a) protects sensitive cabling from taps or other malicious activity
Man-trap
(a) 2 tier, physical-access control method
(b) 2 physical barriers between person and resource
As part of an overall security plan, ______ should contain the names of all visitors to the facility and in/out times of their visits.
access logs
Advanced personnel-access control techniques include the use of:
personal identification verification cards
Most common method of personnel access control used today is the:
Smart card
Use these when organizing your security infrastructure and grouping users and resources into appropriate security groups and zones.
(a) Separation of duties
(b) Job rotation
(c) Implicit deny
(d) Least privilege principles
In MAC model, the _____ of the network is in control of access to data.
OS
_______ allows the data owners to specify what users can access certain data.
DAC
Privileges can be assigned by:
(a) user
(b) group
(c) role in company
Role-based access control (RBAC) allows:
(a) access based on role user holds within organization
(This permission allows:) View or list the contents of a file or directory and execute accessible files.
Read and execute
(This permission allows:) View or list the contents of a file or directory
Read
(This permission allows:) Read, write, execute, or delete a file or directory
Modify, Full Control
______ access control does not necessarily have to be tied to an authorized identity and could involve access based on network location, content, and other content-filtering criteria.
Rule-based ACL
...
...