-
Name the 6 control types.
- Preventive--for reducing risk
- Detective--for identifying violations and incidents
- Corrective--for remedying violations & incidents
- Deterrent--for discouraging violations
- Recovery--for restoring systems and information
- Compensating--for providing alternative ways of achieving a task
-
Define subject and object.
- A subject is an active entity that accesses or acts on an object.
- An object is a passive entity that a subject acts upon or accesses.
-
Name the 3 types of access controls.
- Administrative
- Technical
- Physical
-
Name some preventive technical controls.
- Encryption--DES, AES, and Merkle-Hellman Knapsack
- Access control mechanisms--Biometrics, smart cards, and tokens
- Access control lists--Permission lists that define what a subject can or cannot do to an object
- Remote access authentication protocols--PAP, CHAP, RADIUS, and LDAP
-
Name some detective technical controls.
- Violation reports
- Audit trails
- Network monitoring and intrusion detection
-
Name some preventive physical controls.
- Security perimeters, such as fences, locked doors, and restricted areas
- Guards and dogs
-
Name some detective physical controls.
- Motion detectors
- Video cameras
-
Define authentication.
Authentication determines whether a subject can log in.
-
Define I&A.
- Identification is the act of claiming a specific identity.
- Authentication is the act of verifying that identity.
-
Define authorization.
Authorization determines what a subject can do (as defined by assigned rights and permissions).
-
Define accountability.
Accountability determines what the subject did.
-
Name the 2 categories of access controls.
- System access controls--protect the entire system and provide the first line of defense for the data contained on the system
- Data access controls--protect the data contained on the system.
-
Name the 3 factors on which authentication can be based.
- Something you know--passwords or PINs
- Something you have--smart cards or tokens
- Something you are--fingerprint, voice, retina, or iris characteristics
-
Password problems include:
- They tend to be insecure.
- They are easily broken.
- They can be inconvenient.
- They are refutable.
-
What policies should an organization have in place concerning passwords?
- Password length
- Password complexity
- Password age and a minimum age
- Password history
- Limit unsuccessful login attempts
- Set a lockout duration
- Limit the times at which a user can log in
- System messages, including login banners that give legal warnings and note the last successful login. Display of the last username should be disabled.
-
Necessary factors for an effective biometric access control system include:
- Accuracy--CER < 10%
- Speed and throughput-- ~5 seconds with a throughput of 6-10 per minute
- Data storage requirements
- Reliability
- Acceptability
-
Define FRR (type I error)
The False Reject Rate is the percentage at which authorized users are incorrectly denied access.
-
Define FAR (type II error)
The False Accept Rate is the percentage at which unauthorized users are granted access.
-
Define CER
The Crossover Error Rate is the point at which the FRR equals the FAR, stated as a percentage.
-
Common physiological biometric systems include:
- Fingerprint recognition and finger scan systems
- Hand geometry systems
- Retina pattern
- Iris pattern
-
Name three types of tokens.
- Static password tokens--static passwords or certificates
- Synchronous dynamic password tokens--a password that changes based on a time interval or an event
- Asynchronous dynamic password tokens--a password that is calculated in response to a system-generated random challenge string