
Question

Access Control Part 1

1: Why does access control have to be policy-driven?
ANS:

2. What are the differences between corrective and detective countermeasures? Provide at least two differences along with concrete examples.
ANS:

3. Explain how the concept of defense in depth can be applied using different access control types.
ANS:

4. Provide an overview of how the organization you are working for is implementing access control. Discuss the deficiencies of the approaches currently adopted in terms of different access control implementation types (i.e., physical, logical/technical, and administrative). Your answer should be at most 200 words.
ANS:

5. What are the best practices in using passwords? Provide at least three best practices.
ANS:

6. Which of the following is not one of the primary access control functions?
A) Authorization

B) Authentication

C) Addressing

D) Accounting


7. A firewall is a type of logical/technical access control as well as a type of preventative access control.
A) True

B) False


8. Authentication refers to the process of determining which system objects a user is allowed to access.
A) True
B) False


9. Mandatory access controls follow the "implicit deny" philosophy.

A) True

B) False



10. Alice has a temporary assignment with the purchasing department. For this assignment, her account is granted read/write access to the purchasing file server. When the assignment ends, along with her need for access to this server, the access is not removed. This continued access is an example of which of the following?

A) Enrollment

B) Implicit acceptance

C) Account review

D) Creeping privilege

E) Discretionary access control


11. RADIUS uses which of the following to defend against the use of stolen credentials?

A) Biometrics

B) Callback

C) Challenge-response authentication

D) Strong encryption

E) Cognitive passwords


12. One difference between DAC and RBAC is they do not both support the use of groups.

A) True

B) False

13. Type 1, 2 and 3 authentication methods are not considered equally strong. Which of the following correctly orders these from strongest (first) to weakest (last), when they are implemented correctly?

A) Type 1, Type 2, Type 3

B) Type 1, Type 3, Type 2

C) Type 2, Type 1, Type 3

D) Type 2, Type 3, Type 1

E) Type 3, Type 1, Type 2

F) Type 3, Type 2, Type 1


14. Effective authorization is crucial for accountability.

A) True

B) False


15. Which of the following always occurs together with authentication?

A) Authorization

B) Accounting

C) Identification

D) Auditing


16. A biometric authentication system has been generating a much higher false acceptance rate than desired. Increasing device sensitivity is one mechanism the organization can use to reduce this rate.

A) True

B) False

17. Which of the following is not an accounting mechanism?

A) Monitoring

B) Logging

C) Provisioning

D) Auditing

18. In a compartmentalized mandatory access control environment, a subject without specific clearance for a particular security domain can access objects in that domain as long as the subject has specific clearance for a different security domain at a higher level.

A) True

B) False


19. Permissions apply to objects whereas rights apply to subjects.

A) True

B) False


20. System logging is an example of which type of access control?

A) Physical

B) Detective

C) Corrective

D) Recovery

Explanation / Answer

Answer:

1:

Access control is to give controls to authorized people. The paperwork which specifies the restrictions on access to any authorized data is nothing but policy. For future purposes, the company defines the policy of access control for the databases, authorized rooms or authorized data.

Thus, defining to whom and to which data access has to be given, in paper or documentary form, is known as policy-driven access control.

Therefore, access control should be policy-driven.

2:

Corrective countermeasures:

- It is a security control that tries to decrease the effects caused by the threat when the system is being modified.
- It is an active phase control.
- Example: OS upgrades, backup data restoral, anti-virus, and vulnerability mitigation software are used to control the threat.

Detective countermeasures:

- It is a security control that is used to identify the existence/presence of the threat in the system.
- It is an active phase control.
- Example: System monitoring, IDS, anti-virus, motion detectors and IPS software are used to detect the threat.

3:

Defense in depth:

It is a multilayer countermeasure which is used to protect the integrity of the information assets in an organization.

It is designed based on the military principle that it is much more difficult to enter a system through multiple layers than through a single barrier.

The access control process provides control of access over the systems so that only specified authorized persons/systems can access data. Thus, it is necessary to keep track of whether the authorized people are accessing the systems/data.

Hackers try to get into the organization to retrieve data or access the system. To identify and restrict access by hackers, certain software has to be used by the system/network administrator.

Software such as antivirus, firewalls, anti-spyware, hierarchical passwords, intrusion detection and biometric verification comes under the defense in depth components. By using this software, the administrator checks the controls over the access control list and then modifies the access control list.

Thus, the concept of defense in depth is applied using different access control types.

5:

The best practice in using passwords is to choose passwords that meet the following criteria:

Example:

AbCd!@34

aaggh90*#

*Abcd!2#4$

6:

Addressing is not a primary access control function.

Reason:

The services provided by the access control systems are

Thus, the correct answer is option (C).

7:

True.

Firewalls are used to prevent an unknown subject from accessing the network resources.

So, a firewall is a type of logical/technical access control as well as a type of preventative access control.

Thus, the answer is True.

8:

True.

Authentication is a process by which the user's or subject's identification state is verified.

Thus, authentication refers to the process of determining which system objects a user is allowed to access.

9:

True.

Mandatory access control is a prohibitive type. If access is not granted, it will deny the subject access to the resources.

Thus, mandatory access control uses the "implicit deny" philosophy.

10:

Creeping privileges are the privileges a user account accumulates over time as job roles and assigned tasks change. When a new task is added to the user's account, additional privileges are added, but no privilege is removed even though the user no longer performs the old tasks.

Thus, the correct answer is option (D).

11:

RADIUS uses callback security as a layer of protection. When the user calls in and is authenticated, RADIUS terminates the connection. It then calls back the user's predefined phone number. If the user's credentials are compromised, this prevents the attacker from using them.

So, RADIUS uses callback to defend against the use of stolen credentials.

Thus, the correct answer is option (B).

12:

False

DAC and RBAC are similar in that groups can be used in both and they serve as containers to organize users into manageable units.

Thus, both DAC and RBAC support the use of groups.

13:

When authentication methods Type 1, 2 and 3 are implemented correctly, the strongest among the types is Type 3 and the weakest is Type 1.

So, the order from strongest to weakest is Type 3, Type 2, and Type 1.

Thus, the correct answer is option (F).

14:

False

The important point about accountability is that it relies on effective identification and authentication but does not rely on effective authorization.

So, effective authorization is not crucial for accountability.

Thus, the answer is False.

15:

Besides authorization, identification and authentication occur in combination in access control.

Thus, the correct answer is option (D).

16:

True

By increasing the device sensitivity, the organization can reduce the false acceptance rate (FAR).

Thus, the correct answer is True.

17:

The accounting mechanism keeps track of the accounts by monitoring which accounts have completed their tasks, mapping login details, and also auditing the accounts.

Thus, the correct option is (C).

18:

False

In a compartmentalized environment, each domain represents a separate, isolated compartment. The subject must have specific clearance for the specific security domain in order to gain access to an object.

Thus, the correct answer is False.

19:

False

Rights and permissions are both applied to objects.

Permissions grant access to an object.

Rights are the ability to take action on an object.

Thus, the correct answer is False.

20:

The correct answer is (A).

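The compartmentalized mandatory access control rule behind answers 9 and 18 (a clearance must cover both the sensitivity level and the specific compartment, and anything the rule does not explicitly allow is denied) as an added Python example; this is not code from the original answer, and the level names, compartment names, subjects and objects are constructed for illustration. The policy (the ordering of levels) is held as data, separate from the enforcement function, which is the policy-driven point of answer 1.

```python
"""Compartmentalized MAC decision with implicit deny (added example)."""
from dataclasses import dataclass

# Policy expressed as data, separate from the enforcement code: the ordered
# sensitivity levels of the lattice, lowest to highest (constructed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one sensitivity level plus a set of compartments
    (security domains). Used both for subject clearances and object labels."""
    level: str
    compartments: frozenset


def dominates(clearance: Label, classification: Label) -> bool:
    """True when the clearance covers the classification: the level is at
    least as high AND every compartment of the object is in the clearance.
    A higher level in a *different* compartment does not qualify."""
    if clearance.level not in LEVELS or classification.level not in LEVELS:
        # Unknown label: fail closed rather than raising or guessing.
        return False
    level_ok = LEVELS[clearance.level] >= LEVELS[classification.level]
    compartments_ok = classification.compartments <= clearance.compartments
    return level_ok and compartments_ok


def mac_decision(clearance: Label, classification: Label) -> str:
    """Implicit deny: the only path to ALLOW is satisfying the dominance rule."""
    return "ALLOW" if dominates(clearance, classification) else "DENY"


def missing_compartments(clearance: Label, classification: Label) -> frozenset:
    """Compartments the subject lacks; useful in audit and denial logs."""
    return classification.compartments - clearance.compartments


# Constructed sample subjects and objects (not from the original page).
SUBJECTS = {
    # Top-secret clearance, but only for the FINANCE compartment (question 18).
    "alice": Label("TOP_SECRET", frozenset({"FINANCE"})),
    # Lower level, but cleared for both compartments.
    "bob": Label("SECRET", frozenset({"FINANCE", "PERSONNEL"})),
    "carol": Label("CONFIDENTIAL", frozenset()),
}
OBJECTS = {
    "hr_file": Label("SECRET", frozenset({"PERSONNEL"})),
    "budget": Label("SECRET", frozenset({"FINANCE"})),
    "memo": Label("UNCLASSIFIED", frozenset()),
    "weird": Label("ULTRA", frozenset()),  # level not defined in the policy
}


def access_matrix() -> dict:
    """Decision for every subject/object pair."""
    return {(s, o): mac_decision(SUBJECTS[s], OBJECTS[o])
            for s in SUBJECTS for o in OBJECTS}


if __name__ == "__main__":
    for (subject, obj), decision in sorted(access_matrix().items()):
        print(f"{subject:6} -> {obj:8}: {decision}")
```

Running the block prints the full decision matrix; the case from question 18 is alice, whose TOP_SECRET clearance in FINANCE still yields DENY on the SECRET PERSONNEL file, while bob's lower SECRET clearance with the PERSONNEL compartment is allowed. The object with an undefined level is denied rather than raising, which is the fail-closed behaviour an implicit-deny policy needs.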
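A periodic account review that would catch the creeping privilege described in answer 10 (access granted for a past assignment and never removed), added here as Python example code that is not from the original answer; the role names, entitlement names and accounts are constructed for illustration. It compares what each account has been granted against what its current roles need, and separately flags excess that a former role explains (creeping privilege) from excess that nothing explains.

```python
"""Account review for creeping privilege (added example)."""
from dataclasses import dataclass, field

# What each job role legitimately needs: the policy side of the review
# (constructed role and entitlement names).
ROLE_ENTITLEMENTS = {
    "engineer": {"git:rw", "ci:read"},
    "purchasing": {"purchasing-fs:rw", "erp:read"},
    "helpdesk": {"ticketing:rw", "ad:reset-password"},
}


@dataclass
class Account:
    user: str
    roles: set                                  # roles currently held
    entitlements: set                           # accesses actually granted
    history: list = field(default_factory=list) # roles held in the past


def required_entitlements(roles) -> set:
    """Union of what the given roles need. Unknown roles contribute nothing,
    so a mistyped role name can never justify an access."""
    needed = set()
    for role in roles:
        needed |= ROLE_ENTITLEMENTS.get(role, set())
    return needed


def review_account(acct: Account) -> dict:
    """Compare granted accesses against current need-to-know."""
    needed = required_entitlements(acct.roles)
    excess = acct.entitlements - needed
    # Excess that a former role would have justified is classic creeping
    # privilege: the grant was legitimate once and was never revoked.
    formerly_needed = required_entitlements(acct.history) - needed
    return {
        "user": acct.user,
        "excess": sorted(excess),
        "creeping_privilege": sorted(excess & formerly_needed),
        "unexplained": sorted(excess - formerly_needed),
        "missing": sorted(needed - acct.entitlements),
    }


def review_all(accounts) -> list:
    return [review_account(a) for a in accounts]


def flagged_accounts(accounts) -> list:
    """Only the accounts a reviewer has to act on (any excess at all)."""
    return [r for r in review_all(accounts) if r["excess"]]


# Constructed sample accounts (not from the original page).
ACCOUNTS = [
    # Alice's purchasing assignment ended; her role was changed but not her access.
    Account("alice", {"engineer"},
            {"git:rw", "ci:read", "purchasing-fs:rw", "erp:read"},
            history=["purchasing"]),
    # Bob holds exactly what his role needs.
    Account("bob", {"helpdesk"}, {"ticketing:rw", "ad:reset-password"}),
    # Carol has an access no current or past role explains.
    Account("carol", {"engineer"}, {"git:rw", "ci:read", "prod-db:admin"}),
]


if __name__ == "__main__":
    for report in flagged_accounts(ACCOUNTS):
        print(report)
```

Splitting excess into creeping privilege and unexplained grants matters in practice: the first is routinely fixed by revoking the stale role's entitlements, while an access that no role ever justified is a provisioning error or something worse and warrants investigation before removal.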