CYSE 101 FINAL STUDY SET|2023 LATEST UPDATE|GUARANTEED SUCCESS
What is access control?
A security technique that regulates who or what can view or use resources in a computing environment. It lets administrators manage access at a granular level (per user, per resource, per operation).

Authentication
The step after identification: determining whether the claim of identity is true. Because access control is typically based on the identity of the user who requests access to a resource, authentication is essential to effective security.

What is the role of authorization in access control?
Authorization is the step after authentication. It specifies what an authenticated party is allowed or denied access to.

What is the role of auditing in access control?
Audits verify that applicable laws, policies, and other administrative controls are being complied with, and they detect misuse. Audited activities include compliance with policy, proper security architecture, configuration management, and the behavior of individual users.

What are four different ways to authenticate a claim of identity?
- What you know: a password for an account
- What you have: a door key, a smart card
- Who you are: a fingerprint
- What you do: how you pronounce a passphrase

What is multi-factor authentication?
A method of access control in which a user is granted access only after successfully presenting evidence from two or more different factor categories (for example a password plus a one-time code from a token). Because every factor must pass, it decreases the probability of a false positive (an impostor being accepted) and increases the probability of a false negative (a legitimate user being rejected): any single factor failing is enough to deny access.

Mandatory Access Control (MAC)
A model of access control in which the owner of the resource does not get to decide who can access it. Access is decided by a group or individual who has the authority to set access on resources, typically through labels on resources and clearances for users.

Discretionary Access Control (DAC)
A model of access control in which access is determined by the owner of the resource in question. The owner decides who does and does not have access, and exactly what access they are allowed to have.

Role-Based Access Control (RBAC)
A model of access control that, like MAC, works from access controls set by a responsible authority rather than by the owner of the resource. The difference is that RBAC bases access on the role the individual is performing. For example, if an employee's only role is to enter data into a particular application, RBAC would grant that employee access only to that application, regardless of how sensitive or insensitive any other resource might be.

How does a multi-level security (MLS) system work?
An MLS system processes information with incompatible classifications (different security levels), permits access by users with different security clearances and needs-to-know, and prevents users from obtaining information for which they lack authorization. Classified information requires layered controls that go far beyond basic clearance-granting and badge-granting policies.

Why is it important to consider utilities?
Utilities such as electrical power are a physical-security dependency: a power outage can halt systems and cause loss of data, so backup power (for example a UPS or generator) is needed to ride through the outage or shut systems down cleanly.

What are important issues to remember when disposing of computer equipment?
- Wipe the hard disk regardless of how the equipment will be used in the future, so that data cannot be recovered.
- Make sure someone supervises and verifies the proper destruction of the equipment.

What is the role of the password in access control?
A "what you know" factor used to gain access to a system; unlike a one-time code, it is reusable over a period of time.

Can you give examples of common policy requirements for passwords?
- Do not use the same password at multiple sites.
- Disable passwords that are no longer valid, or when an employee leaves the organization.
- Store passwords only as salted hashes, never in plaintext.
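The DAC, MAC (as a multi-level security system) and RBAC models above differ in who makes the access decision and on what basis. The following is an added example, not code from the study set, showing each as a small decision function; the users, roles, labels and resource names are constructed for illustration, and the MLS rules are the Bell-LaPadula "no read up, no write down" properties:

```python
"""Added example: minimal decision functions for DAC, MAC/MLS and RBAC.
Illustration only; all users, roles, labels and resources are constructed."""
from dataclasses import dataclass, field


# ---- DAC: the owner of a resource grants permissions at their own discretion ----
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# ---- MAC / MLS: a central authority fixes labels; owners cannot override them ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mls_allows(clearance: str, label: str, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security property) and
    no write down (*-property), so high data cannot leak into low objects."""
    c, l = LEVELS[clearance], LEVELS[label]
    if op == "read":
        return c >= l
    if op == "write":
        return c <= l
    raise ValueError(f"unknown operation {op!r}")


# ---- RBAC: permissions hang off roles; users are given roles, not direct rights ----
ROLE_PERMS = {
    "data_entry": {("payroll_app", "enter_data")},
    "auditor": {("payroll_app", "read_reports"), ("hr_db", "read")},
}
USER_ROLES = {"alice": {"data_entry"}, "bob": {"auditor"}}


def rbac_allows(user: str, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def demo() -> dict:
    """Exercise the three models on constructed data."""
    doc = DacResource(owner="carol")
    doc.grant("carol", "dave", "read")        # carol decides; dave gets read only
    return {
        "dac_dave_read": doc.allows("dave", "read"),
        "dac_dave_write": doc.allows("dave", "write"),
        "mls_secret_reads_top_secret": mls_allows("secret", "top_secret", "read"),
        "mls_secret_writes_unclassified": mls_allows("secret", "unclassified", "write"),
        "mls_secret_writes_secret": mls_allows("secret", "secret", "write"),
        "rbac_alice_enter_data": rbac_allows("alice", "payroll_app", "enter_data"),
        "rbac_alice_read_reports": rbac_allows("alice", "payroll_app", "read_reports"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

Note that in the RBAC case alice is denied `read_reports` even though the report is no more sensitive than the data she enters: the decision follows her role, not the resource's sensitivity, which is exactly the data-entry example given above.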
- Make them long and complex.

How do users sometimes misuse passwords?
- Using knowledge of someone else's personal details to answer the questions that reset their password.
- Sharing passwords, which makes auditing difficult because an action can no longer be tied to one person.
- Social engineering: calling a call center or help desk on someone else's behalf in order to gain unauthorized access.

Can you give examples of physical devices used in access control?
- Cameras
- Locks on doors

What does "biometrics" mean literally? In the IT context?
Literally, the measurement of biological characteristics ("bio" meaning life, "metrics" meaning measurement). In IT, it is authentication based on something you are or something you do.

Can you give examples of common biometric technologies?
- Fingerprint recognition
- Iris recognition

What are two important parts of the biometric process that are never perfect?
Biometrics promise to make reusable passwords obsolete, but the process has two imperfect steps: the enrollment scan, which captures the reference template, and every later scan that is compared against it. Because the scanning process is not perfectly repeatable, each comparison is a probabilistic match against a threshold rather than an exact equality.

False Acceptance Rate (FAR)
Occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.

False Rejection Rate (FRR)
The problem of rejecting a legitimate user when we should have accepted him. This type of issue is commonly known outside the world of biometrics as a false negative.

What are three different purposes for which biometrics are commonly used?
- Verification: confirming a claimed identity by a one-to-one comparison against that person's template
- Identification: determining who a person is by a one-to-many search of all enrolled templates
- Watch lists: screening everyone against a list of people of interest
Replacing passwords and ease of access are benefits that motivate these uses rather than separate purposes.

What are ways in which a biometric process can fail?
- The system cannot recognize an enrolled individual (a false rejection), or accepts the wrong one (a false acceptance).
- The sensor cannot capture a usable sample, for example because something is blocking the camera.

What is a PKI? What are its components? What is its purpose?
A public key infrastructure is the set of roles, policies, hardware, software, and procedures used to issue, distribute, store, and revoke digital certificates. Its main components are a certificate authority (CA) that signs certificates, a registration authority (RA) that verifies the identity of requesters, a repository for issued certificates, and a revocation mechanism (CRLs or OCSP). Its purpose is to bind a public key to an identity so that public key authentication and encryption can be trusted.

How might an attacker compromise a PKI?
A PKI needs a way to generate and provision public/private key pairs and the certificates that vouch for them. If an impostor can deceive the provisioning authority into issuing a certificate in someone else's name, the whole system breaks down; controlling the issuance of access credentials is the prime authentication issue.

How does the principle of least permissions relate to authorization?
Least permissions (least privilege) is the guiding rule for authorization: each user, process, or role is granted only the minimal privileges needed to do its job, and nothing more. Over-broad permissions turn any compromised account into a larger breach.

What is federated identity management?
A system in which two organizations can pass identity assertions to each other, so that a user authenticated by one is trusted by the other, without either organization exposing its internal identity data.

What is the purpose of auditing?
One of the primary ways we can ensure accountability through technical means is by keeping accurate records of who did what and when they did it. Auditing provides the data with which we can implement accountability. If we cannot assess our activities over a period of time, we cannot facilitate accountability on a large scale. Particularly in larger organizations, our capacity to audit directly equates to our ability to hold anyone accountable for anything.

Federated Identity Management
An arrangement among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group. It is the means of linking a person's electronic identity and attributes stored across multiple distinct identity management systems. It is related to single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or organizations; SSO is a subset of federated identity management as it relates to authentication.
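The password policy above says passwords must be stored as hashes, and the multi-factor authentication entry says access is granted only after every factor is presented. The following added example (not code from the study set) puts the two together: a "what you know" factor verified against a salted PBKDF2 hash, then a "what you have" factor checked as an HOTP one-time code per RFC 4226, with the counter advanced so a captured code cannot be replayed. The user name, passphrase, and the token seed (the RFC 4226 test-vector secret) are constructed values for illustration.

```python
"""Added example: salted password hashing plus an HOTP second factor.
Illustration only; user, passphrase and seed are constructed."""
import hashlib
import hmac
import os
import struct

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


# --- factor 1: something you know, stored only as a salted hash -------------------
def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- factor 2: something you have, an HOTP token sharing a secret with the server --
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Hashed once at import so unknown-user logins take as long as real ones.
_DUMMY = hash_password("dummy-password-for-uniform-timing")


def make_store(password: str) -> dict:
    """Constructed user database: one user, one hashed password, one HOTP seed."""
    salt, digest = hash_password(password)
    return {
        "alice": {
            "salt": salt,
            "digest": digest,
            "otp_secret": b"12345678901234567890",  # RFC 4226 test-vector seed (constructed)
            "counter": 0,                            # next expected HOTP counter
        }
    }


def login(store: dict, user: str, password: str, otp_code: str, window: int = 3) -> bool:
    """Grant access only if BOTH factors pass. Either one failing denies access."""
    rec = store.get(user)
    salt, digest = (rec["salt"], rec["digest"]) if rec else _DUMMY
    password_ok = verify_password(password, salt, digest)
    if rec is None or not password_ok:
        return False
    # Accept the current counter or a small look-ahead (token pressed without use),
    # then move past the matched counter so the same code can never be reused.
    for c in range(rec["counter"], rec["counter"] + window):
        if hmac.compare_digest(hotp(rec["otp_secret"], c), otp_code):
            rec["counter"] = c + 1
            return True
    return False


if __name__ == "__main__":
    db = make_store("correct horse battery staple")
    print(login(db, "alice", "correct horse battery staple", hotp(b"12345678901234567890", 0)))
    print(login(db, "alice", "correct horse battery staple", hotp(b"12345678901234567890", 0)))
```

The second call in the `__main__` block fails even though password and code were both valid a moment earlier: the server burned counter 0 after the first success, which is the property that separates a one-time code from the reusable password.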
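The FAR and FRR entries above define the two biometric error types, and the multi-factor entry claims that requiring more factors lowers false positives while raising false negatives. The following added example (not from the study set) makes both concrete: it computes FAR and FRR from matcher scores at a threshold, finds the threshold where the two are closest (the equal error rate), and combines two independent factors to show the trade-off the MFA entry describes. The score lists are constructed, not real biometric data.

```python
"""Added example: FAR/FRR from matcher scores, the threshold trade-off, and the
effect of requiring two independent factors. Score samples are constructed."""

# Constructed similarity scores on a 0..100 scale; higher means the probe looks
# more like the stored template.
GENUINE = [91, 88, 84, 79, 76, 73, 70, 66, 62, 58]   # legitimate users vs their own template
IMPOSTOR = [18, 24, 31, 37, 42, 49, 55, 61, 67, 72]  # other people vs that template


def rates(genuine: list, impostor: list, threshold: int) -> tuple:
    """Accept when score >= threshold.
    FAR = fraction of impostors accepted (false positives).
    FRR = fraction of genuine users rejected (false negatives)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: list, impostor: list, thresholds: list) -> list:
    """(threshold, FAR, FRR) for each threshold: raising it trades FAR for FRR."""
    return [(t, *rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: list, impostor: list) -> int:
    """Threshold at which FAR and FRR are closest, i.e. the equal error rate point."""
    candidates = sorted(set(genuine + impostor))

    def gap(t: int) -> float:
        far, frr = rates(genuine, impostor, t)
        return abs(far - frr)

    return min(candidates, key=gap)


def combine_factors(far1: float, frr1: float, far2: float, frr2: float) -> tuple:
    """Two independent factors that must BOTH pass (assumes independence):
    an impostor gets in only if both wrongly accept, so FAR multiplies down;
    a legitimate user is rejected if either wrongly rejects, so FRR goes up."""
    far = far1 * far2
    frr = 1 - (1 - frr1) * (1 - frr2)
    return far, frr


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, [50, 60, 66, 70, 80]):
        print(f"threshold {t:3d}: FAR={far:.2f} FRR={frr:.2f}")
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print("equal error threshold:", eer_t, rates(GENUINE, IMPOSTOR, eer_t))
    print("two factors at threshold 60:", combine_factors(*rates(GENUINE, IMPOSTOR, 60),
                                                        *rates(GENUINE, IMPOSTOR, 60)))
```

Lowering the threshold makes the system friendlier (lower FRR) at the cost of letting more impostors through (higher FAR), and vice versa; which side to favor depends on whether the deployment is a convenience login or a watch-list check. The independence assumption in `combine_factors` is the caveat to keep in mind: two factors that fail together (for example, two biometrics captured by the same faulty sensor) do not multiply down nearly as well.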
Written for
- Institution
- CYSE 101
- Course
- CYSE 101
Document information
- Uploaded on
- June 3, 2023
- Number of pages
- 73
- Written in
- 2022/2023
- Type
- Exam (elaborations)
- Contains
- Questions & answers