Part 2 lesson 2

The flashcards below were created by user slmckissack on FreezingBlue Flashcards.

  1. follows authentication and determines what rights and permissions an authenticated user has--in other words, it determines the specific resources to which the user has access.

    Often overlooked in its importance, authorization is a vital part of any security policy.
  2. NOTE: Authorization is the final process in access control, following authentication and identification. You experience the authorization process each time you log in to a networked computer or gain access to an external network, such as through an ISP. By default, an operating system automatically grants user permissions that allow access to data resources and rights to perform certain actions on the data entities. An ISP typically uses an AAA server to perform authorization. Authorization can be either individual or group.
  3. is the default authorization in most operating systems. Typically, when an administrator creates a user account for an individual (not a member of a group), the administrator assigns a set of permissions and rights to the user based on the user's job function, security clearance, or "need-to-know." When the user logs in to the system or network, the system compares the user's credentials to the system's permissions registry to retrieve the rights and permissions of the user.
    Individual Authorization
  4. are generally associated with the login activity. They control how a user can gain access to the network or system. These authorize users to perform specific actions.
  5. What action does the right to access a computer from a network grant?
    It allows the user to connect to a computer from a network.
  6. What action does the right to be allowed to login through Terminal Services grant?
    Allows a user to log on to a computer using a Remote Desktop connection.
  7. What action does the right to login as a batch job grant?
    Allows a user to log on using a batch-queue function, such as the Task Scheduler.
  8. dictates what an authorized user is able to do with a folder or directory and its contents.
  9. NOTE: User rights apply to user accounts, while permissions relate to objects.
  10. NOTE: The standard permissions (read, write, read & execute, modify, full control) are those that permit or limit a user's ability to see, open, manipulate, and remove data content. The security mechanisms of a Windows system use a trusted system component to verify the permissions and rights of a user before a requested action proceeds.
  11. NOTE: Using a permission-based authorization method requires the administrators to manage each user independently.
  12. In the context of data integrity and security, is essentially permission-based authorization, except that the administrator assigns permissions to a group of individual users based on their jobs, department, function, security clearances, and so on.
    Group Authorization
  13. NOTE: Whether or not a user can access a folder or file depends on the permissions of the group in which he or she is a member. For example, the system administrator may create a group for the employees in the Order Processing department and give them permissions to the Order and Inventory files. Should the permissions required for the department change, the administrator needs only to make the change to the Order Processing group to effect the change for all of its members.
  14. One of the most important concepts in data security and authorization. Grants a user only the permissions (privileges) he or she needs to perform his or her tasks.
    Principle of Least Privilege
  15. NOTE: A well-formed security plan identifies the minimum required permissions of each department or employee function. Under the principle of least privilege, users have the fewest privileges they need to function in their jobs.
  16. is one of the basic concepts of internal controls. It protects against fraud, collusion, and errors in sensitive data and financial instruments. To achieve these objectives, it involves distributing rights, privileges, duties, and responsibilities to several people so that no one person performs all of the steps in an important process.
    Separation of duties (SOD)

    Under SOD, one person wouldn't be allowed to both purchase equipment and cut a check to pay for it. While SOD is an important business policy, it can also be an important security policy.
  17. What are the four functions that SOD requires the separation of critical process activities into?
    • Authorization
    • Custody
    • Record-keeping
    • Reconciliation
  18. NOTE: Under a strict SOD policy, no one person performs more than one of these functions. In performing the separate functions, individuals do part of a function or share in the performance of two or more functions. Examples of functional SOD are requiring two signatures on a check (authorization); requiring two or more individuals to verify the receipt, storage (custody), and record-keeping of critical items; and requiring someone other than the person who signs checks to reconcile a bank account.
  19. NOTE: Authorization is a critical part of the access control process, right along with authentication and identification.
  20. is a policy-based process that consists of two separate phases.
    Access Control on a network or system
  21. What are the two phases of Access Control?
    • Policy definition
    • Policy enforcement
  22. performs authentication and identification to define the level of access a particular user has, based on access policies.
    Policy Definition Phase
  23. The approval or denial of an access request depends on the policy definitions of the previous phase.
    Policy Enforcement Phase
  24. NOTE: Once the policy definition phase develops authorization (the user's authorized accesses), the policy enforcement phase compares the authorization to the request. If there's a match--that is, if the user is requesting access to something for which he or she has permission--the user gains access. However, if there isn't a match (the user is requesting something that he or she doesn't have permissions to access), the user's request is denied.
  25. NOTE: The definition phase of access control generally bases its authorization on some form of policy definition application, such as the principle of least privilege or an access control list (ACL). After we look at the four primary approaches to access control, we'll take a brief look at ACLs again.
  26. What are the 4 primary approaches to access control?
    • Mandatory Access Control (MAC)
    • Discretionary Access Control (DAC)
    • Role-Based Access Control (RBAC)
    • Rules-based access control
  27. Where the system administrator defines the rights and permissions in the access control policies (rules), which neither the user nor the system can modify.
    Mandatory Access Control (MAC)

    More than likely, what you visualize as typical access control is permission-based authorization and access control, and you're right on the money. The most common form of access control--the one operating systems use--is Mandatory Access Control.
  28. This approach to access control is defined as "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong." An example is that on a UNIX system, directories and files have owners, and owners can extend or take back permission to access their owned resources (subject to mandatory access control). Another example is the access a computer's owner grants in a peer-to-peer network arrangement.
    Discretionary Access Control (DAC)
  29. NOTE: The U.S. Department of Defense developed the TCSEC standard in the mid-1980s. It defined the basic requirements for assessing the effectiveness of the security controls of a computer and was the basis for the evaluation of computers for processing, storage, and retrieval of sensitive and classified data. The Common Criteria for Information Technology Security Evaluation, an international standard, replaced the TCSEC in 2005. You'll usually hear people refer to this standard as simply "Common Criteria." This standard unified three other existing standards to simplify the compliance process for companies selling computer products to government agencies.
  30. Limits an individual user to a single role associated with her specific function, although she may belong to multiple permission groups. A user cannot have access beyond his or her role. The accountant gets exactly the same permissions as all other accountants.
    Role-Based Access Control (RBAC)
  31. This approach to access control uses rules and permission sets defined by the system administrator as the basis of its access or deny decisions.
    Rules-based access control

    Typically, the rules of a rules-based access control system are in the ACL associated with each resource. For example, an ACL permits the Order Processing group to access certain data resources only during specific hours in a day or on certain days of the week.
  32. In addition to the ability to implement ACLs, some operating systems contain security methods, procedures, and safeguards robust enough to achieve the status of ___________________. This status indicates that an operating system supports multilevel security that meets government requirements.
    Trusted Operating System (TOS)
  33. What Common Criteria rating is used to award Trusted Operating System (TOS) status?
    Evaluation Assurance Levels (EAL)

    Has seven levels, with EAL 7 meaning the system has undergone the most rigorous testing. Some systems that have achieved TOS status are Apple Mac OS X (EAL 3), HP-UX 11i (EAL 4), some Linux versions (EAL 4), and Windows 7 and Server 2008 (EAL 4).
  34. What does EAL 1 equal in the Evaluation Assurance Level?
    Functionally tested
  35. What does EAL 2 equal in the Evaluation Assurance Level?
    Structurally tested
  36. What does EAL 3 equal in the Evaluation Assurance Level?
    Methodically tested and checked
  37. What does EAL 4 equal in the Evaluation Assurance Level?
    Methodically designed, tested, and reviewed.
  38. What does EAL 5 equal in the Evaluation Assurance Level?
    Semi-formally designed and tested
  39. What does EAL 6 equal in the Evaluation Assurance Level?
    Semi-formally verified design and tested
  40. What does EAL 7 equal in the Evaluation Assurance Level?
    Formally verified design and tested.
  41. is a series of permissions or denies associated with a system, network, or perhaps even an individual system resource. It contains a list of permissions that define whether or not a user has access to an object and, typically, what the user can do to or with the object. An object in this context can be a network server, a directory or folder, a file, or a peripheral device.
    Access Control Lists (ACL)
  42. What are the three types of ACLs?
    • ACL-based security model
    • Filesystem ACL
    • Network ACL
  43. determines if an authorized user is able to perform a certain action on one or more system resources. It identifies which users have permission to edit the ACL itself.
    ACL-based security model.
  44. Specifies which individual users or groups have rights and permissions for system resources like programs, processes, files, and other stored elements. Made up of access control entries (ACEs).
    Filesystem ACL
  45. These assign identifier codes to each accessible object, and then they define which users or groups can access the objects and what actions they can take (read, write, or execute).
    Access Control Entries (ACEs)
  46. implements rules that define access to TCP/UDP ports or system processes on a host or network basis. Each controlled network resource, such as port 80, may have an entry in a server, router, or firewall ACL that lists which hosts or networks have permission to access that resource. A standard ACL allows inbound or outbound traffic on a particular interface to pass (permit) or be dropped (deny).
    Network ACL
  47. NOTE: An example of an ACL entry on a Cisco router: access-list 10 permit This ACL statement allows any traffic from IP addresses to to pass. The elements of this ACL statement are the access-list command, the ACL line number (sequence within the ACL), the permit/deny action, the minimum IP address, and the subnet mask for all addresses included.
  48. defines the implementation of the rules concerning who or what can gain access to a system or network resource. The policy in use by a network applies one of the access control methods: mandatory access control, discretionary access control, role-based access control, or rules-based access control.
    Access Control Policy

    Unless a user or network request passes through an access control policy or two, it can't access any system or network resources.
  49. What are the three primary components of an access control policy?
    • Access group
    • Action group
    • Resource group
  50. This consists of users and requests for network or system resources.
    Access group
  51. This consists of the activities the requesters wish to do with the resource requested.
    Action group
  52. This includes the protected system or network objects controlled by the access control policy.
    Resource group.
  53. NOTE: Here's how these three components come together in an access control policy: An access group member issues a request to access a controlled resource to write to a secured file. In other words, a user in the Accounting group requests access and write permissions to an accounting system file. Each entry in an ACL should address, directly or indirectly, each of these components because each ACL entry is a part of an overall access control policy.
  54. What are the three common access control policy implementations?
    • Implicit permit/deny
    • Explicit permit/deny
    • Time-based ACL
  55. always take the action identified in the ACL statement. However, what makes an ACL statement implicit is a word like any, all, or every.
    Implicit permit/deny

    In the Cisco ACL statement, "access-list permit any," it's implicit that any access request passes. Obviously, this is a dangerous statement to have in an ACL if it's not in the correct sequence. An implicit deny should always be the last statement in an ACL list in order to deny any other traffic not specifically dealt with in the preceding ACL statements.
  56. explicitly names the target of the statement as a specific port, interface, IP address, or range of addresses. For example, in the sequence, access-list 1 deny Network 3
    access-list permit any
    requests from Network 3 are explicitly denied and any other requests are implicitly permitted.
    Explicit permit/deny
  57. As part of a network's policy-based routing (PBR) policies, time-based (time of day) ACL statements can limit or reroute traffic during specific hours of the day or days of the week. Here's an example of a time-based ACL:

    time-range no-http
    periodic weekdays 8:00 to 18:00
    time-range udp-yes
    periodic weekend 12:00 to 20:00

    In this example, an ACL is set to deny HTTP traffic Monday through Friday between the hours of 8:00am and 6:00pm (18:00) and permit UDP traffic on Saturday and Sunday from noon to 8:00pm (20:00).
    Time-based ACL
  58. allows users to access a network's resources through a single username and password credential. It also allows security administrators to terminate a user's access to a network by disabling a single account.
    Single Sign-on (SSO)
  59. What is the biggest security risk about SSO?
    Is that a hacker needs to learn only one credential set to access not only that user's data, but also all of the network's resources, as limited by the user's permissions and rights.
  60. What are the three most common SSO configurations?
    • Kerberos SSO
    • Smart card SSO
    • One-Time Password (OTP) token SSO
  61. In this type of SSO, the user's credentials generate a Kerberos ticket-granting-ticket (TGT). Any applications requiring separate authentication use the TGT to prove the user's identity, eliminating the need for the user to sign in again.
    Kerberos SSO
  62. When prompted for the initial sign-on, the user provides the smart card for authentication. Any additional applications requiring separate authentication use the smart card as needed.
    Smart Card SSO
  63. Provides two-factor authentication that's more secure and effective at blocking unauthorized access than the other SSO methods.
    One-Time Password token SSO
  64. NOTE: In the overall scope of access control, limiting access to a facility, room, or area to only authorized individuals can be just as important as limiting access to network resources. Physical access control can involve humans (security guards); technical means, such as locks, keys, badges, smart cards, and biometrics; or a combination of these methods.
  65. NOTE: Access control deals with allowance, as in who enters or leaves an area. Physical access control determines if a person is able to enter, where he can enter or exit, when he may enter or exit, and what he may carry in or out of the secured area.
  66. NOTE: A person with a key has permission to enter through one or more doors with a matching lock. However, locked doors may not be the best method of securing an area. You can duplicate or lose a key, and a mechanical key and lock set doesn't record the entry or exit of the key holder.
  67. NOTE: Electronic access control systems improve on a mechanical lock and key by offering a range of tokens that permit or deny entrance or exit. The access control token may be a username and password combination; it may be an RFID (radio frequency ID) badge, key fob, or the like; or it may be a smart card or something similar.
  68. NOTE: Biometrics provides a more positive identification for purposes of access control. Where a key or an electronic token is something you possess and can misplace, biometric access controls are either something you have at all times, such as your fingerprint, or something you can reproduce without failure when required, such as your voice.
  69. NOTE: An area of access control that can slip through the cracks is employees who leave a company or organization. Nearly 80% of attacks on a network launch internally, and about one-half of these are from disgruntled employees, or employees who are no longer with the firm but continue to have access because their accounts are still active. In these cases, the employee may not physically have access to the building, but he or she still has logical access to the systems. Ensure that the physical security policies are in synchronization with the logical security policies.
  70. This process determines the rights and permissions an authenticated user has to specific resources
  71. A user has only the permissions required to perform his or her tasks.
    Principle of least privilege
  72. One of the basic concepts of internal controls
    Separation of duties
  73. The phase of access control that performs authentication and identification
    Policy definition
  74. The form of access control that is commonly the default method in operating systems.
    Mandatory Access Control
  75. The form of access control that is based on a person's function?
    Role-based access control
  76. Defines whether a request can access network objects?
    Access Control List
  77. This type of ACL entry specifically identifies a host on a network?
    Explicit permit/deny
  78. This type of ACL entry should always be the last entry in a list?
    Implicit deny
  79. Users are authenticated to network resources through one set of credentials?
    Single sign-on
  80. The form of access control that deals with who enters or leaves an area?
    Physical Access Control
  81. What principle of internal security limits users or groups to only the objects and resources they require to perform their duties?
    A. Separation of duties
    B. Authentication
    C. Access Control
    D. Principle of least privilege
    D. Principle of least privilege
  82. The ACL statement "Access-list 10 deny any" is an example of what type of access control policy?
    A. Implicit Permit
    B. Explicit Permit
    C. Implicit Deny
    D. Explicit Deny
    C. Implicit Deny
  83. What type of access control policy limits requesters to only the privileges and permissions associated with the performance of their job function?
    A. Discretionary Access Control
    B. Rules-based access control
    C. Role-based access control
    D. Mandatory Access Control
    C. Role-based access control
  84. What internal control principle is intended to prevent theft and misappropriation, and limits access to secured objects?
    A. Mandatory access control
    B. Separation of duties
    C. Two-signature authorization
    D. Single sign-on
    B. Separation of duties
  85. What international standard defines a security specification for operating systems and access control?
    A. OTP
    B. Common Criteria
    C. OSI
    D. RFID
    B. Common Criteria
Card Set:
Part 2 lesson 2
2015-02-13 19:39:04