SEatwork 1

Uploaded by

pennybearcute90

1. Give at least 3 best practices for limiting access that can help secure systems and data (5 pts)
Establishing best practices for limiting access helps secure systems and data. Examples are:

- Separation of duties - no single person is given total control over a sensitive process (for example, the person who requests a payment may not also approve it).

- Job rotation - individuals are periodically moved between job responsibilities, so no one stays in a position long enough to build and conceal abuse of it.

- Least privilege - access to information and resources is limited to what is needed to perform the job function, and nothing more.

- Implicit deny - if an access request does not explicitly match a rule that allows it, the request is rejected.

- Mandatory vacations - limits fraud, because a perpetrator usually must be present every day to hide fraudulent actions; a forced absence lets someone else look.

2. Give at least 3 MAC major implementations (5 pts)

- Lattice model - subjects and objects are each assigned a "rung" on a lattice, and several lattices (for example one for confidentiality and one for integrity) can be placed beside each other, with a subject needing to pass every lattice to get access.
- Bell-LaPadula (BLP) - a lattice model for confidentiality. A subject may not read an object above its own level (no read up, the simple security property) and may not write to an object below its own level (no write down, the *-property), so information cannot flow from a higher level to a lower one.
- Biba integrity model - the integrity counterpart of BLP rather than an extension of it. A subject may not read objects of lower integrity (no read down) and may not write to objects of higher integrity (no write up). Biba protects data integrity only; it does not address confidentiality.
- Mandatory Integrity Control (MIC) - the Windows implementation based on the Biba model. MIC assigns integrity levels to processes and securable objects and, by default, blocks a lower-integrity process from writing to a higher-integrity object.
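The following is an added example, not part of the original assignment: a small checker that places a confidentiality lattice (Bell-LaPadula) and an integrity lattice (Biba) side by side and grants access only when both agree. The level names, their ordering and the sample labels are assumptions chosen for illustration.

```python
"""Added example: lattice-based MAC with Bell-LaPadula and Biba side by side.
The level names and ordering below are assumed for illustration."""
from dataclasses import dataclass

# Rungs on the confidentiality lattice, lowest to highest (assumed ordering)
CONF_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Rungs on the integrity lattice, lowest to highest (assumed ordering)
INTEG_LEVELS = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    """A subject's clearance or an object's classification on both lattices."""
    conf: str
    integ: str


def blp_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula: no read up (simple security property) and
    no write down (*-property). Unknown actions are implicitly denied."""
    s, o = CONF_LEVELS[subject.conf], CONF_LEVELS[obj.conf]
    if action == "read":
        return s >= o          # may only read at or below own clearance
    if action == "write":
        return s <= o          # may only write at or above own clearance
    return False


def biba_allows(subject: Label, obj: Label, action: str) -> bool:
    """Biba: no read down (simple integrity) and no write up (*-integrity).
    The comparisons are the mirror image of Bell-LaPadula."""
    s, o = INTEG_LEVELS[subject.integ], INTEG_LEVELS[obj.integ]
    if action == "read":
        return s <= o          # may only read objects of equal or higher integrity
    if action == "write":
        return s >= o          # may only write objects of equal or lower integrity
    return False


def mac_decision(subject: Label, obj: Label, action: str) -> bool:
    """Two lattices placed beside each other: access requires both to allow it."""
    return blp_allows(subject, obj, action) and biba_allows(subject, obj, action)


if __name__ == "__main__":
    analyst = Label("secret", "user")            # assumed subject clearance
    report = Label("confidential", "user")       # assumed object classification
    for action in ("read", "write"):
        print(action, "report:", mac_decision(analyst, report, action))
```

Note that a subject cleared "secret" can read the "confidential" report but cannot write to it: writing down would let secret information leak into a lower-classified object, which is exactly what the *-property forbids.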

3. Identify the 4 Access Control Models ( 5 pts)


4. Define the Basic Steps in Access Control (5 pts)

5. Explain Access Control (5 pts)

- Users must first be identified as authorized users, for example by logging in to a laptop computer with a user name and password.
- Because the laptop connects to a corporate network that contains critical data, it is also important to restrict the user's access to only the software, hardware and other resources for which that user has been approved.
- These two acts, authenticating only approved users and controlling their access to resources, are important foundations of information security.

6. What is the difference of identification, authorization and authentication? (5 pts)

- Identification - presenting credentials (example: a delivery driver presenting an employee badge)
- Authentication - checking the credentials (example: examining the delivery driver's badge)
- Authorization - granting permission to take an action (example: allowing the delivery driver to pick up the package)
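As an added example (not part of the original assignment), the three steps above written as three separate functions, so that each decision can be audited on its own. The user directory, the sample password and the permission names are constructed for the example; the password hashing uses PBKDF2 from the standard library.

```python
"""Added example: identification, authentication and authorization as
three distinct steps. The user directory and credentials are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed PBKDF2 work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed directory: identity -> stored credential and granted permissions.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "driver42": {"salt": _salt, "hash": _digest, "perms": {"pickup_package"}},
}


def identify(username: str) -> Optional[dict]:
    """Identification: the subject claims an identity. Returns the record,
    or None if the directory has never heard of this user."""
    return USERS.get(username)


def authenticate(username: str, password: str) -> bool:
    """Authentication: check the presented credential against the stored hash.
    Unknown users still go through the full hash so a wrong user name costs
    the same time as a wrong password, and the comparison is constant-time."""
    record = identify(username)
    salt = record["salt"] if record else os.urandom(16)
    expected = record["hash"] if record else b"\x00" * 32
    _, presented = hash_password(password, salt)
    return hmac.compare_digest(presented, expected) and record is not None


def authorize(username: str, action: str) -> bool:
    """Authorization: implicit deny; only explicitly granted actions pass."""
    record = identify(username)
    return bool(record) and action in record["perms"]


def access_request(username: str, password: str, action: str) -> str:
    """The full sequence for one request. The order matters: never consult
    permissions for a subject whose identity has not been verified."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized for " + action
    return "granted: " + action


if __name__ == "__main__":
    print(access_request("driver42", "correct horse battery staple", "pickup_package"))
    print(access_request("driver42", "correct horse battery staple", "open_vault"))
    print(access_request("driver42", "wrong", "pickup_package"))
```

Keeping the three steps separate is what makes the badge analogy hold up: the badge is accepted (authentication) before the list of what the driver may do is even consulted (authorization), and a failed step is reported without hinting at which of the later checks would have failed.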

7. What do you mean by Discretionary Access Control (DAC)? ( 5pts)

- Discretionary access control (DAC) is the least restrictive model.
- Every object has an owner, who has total control over that object.
- Owners can create and access their objects freely.
- The owner can give other subjects permissions over these objects.
- DAC is used on operating systems such as Unix and Microsoft Windows.

8. Give at least one weakness of DAC? (5 pts)

- DAC relies on decisions by the end user to set the proper level of security; incorrect permissions might be granted on an object, or permissions might be given to an unauthorized subject.
- A subject's permissions are "inherited" by any program that subject executes; attackers often take advantage of this inheritance because end-users

9. Explain the concept of Role Based Access Control (RBAC) ( 5pts)

- Role Based Access Control (RBAC) is considered a more "real-world" access control model than the others because access is based on the user's job function within the organization.
- Instead of setting permissions for each user or group, RBAC assigns permissions to particular roles in the organization and then assigns users to those roles.
- Objects are set to be of a certain type, to which subjects holding the matching role have access.
- Subjects may have multiple roles assigned to them, in which case they hold the permissions of all of their roles.
- Rule Based Access Control (also abbreviated RBAC, which is easily confused with role-based) dynamically assigns access to subjects based on a set of rules defined by the custodian.
- Each resource object contains a set of access properties based on those rules.
- When a user attempts to access the resource, the system checks the rules contained in the object to determine whether access is permissible.
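The block below is an added example, not part of the original assignment, and serves both question 1 (least privilege, separation of duties, implicit deny) and question 9 (role-based and rule-based access control). Permissions are attached to roles rather than users, a user may hold several roles, a conflicting pair of roles is refused at assignment time, and a custodian-defined rule on the resource is checked on every request. The role names, permissions and the business-hours rule are assumptions.

```python
"""Added example: role-based access with separation of duties, plus a
rule-based layer on the resource, all under implicit deny.
Roles, permissions and the business-hours rule are assumed."""
from datetime import datetime, time
from typing import Callable, Dict, Optional, Set, Union

# Role -> permissions. Users never receive permissions directly (least privilege
# is then a matter of keeping each role's set small).
ROLE_PERMS: Dict[str, Set[str]] = {
    "clerk": {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "audit_log:read"},
}

# Static separation of duties: nobody may hold both roles of a conflicting pair.
SOD_CONFLICTS = {frozenset({"clerk", "approver"})}


def assign_roles(user_roles: Dict[str, Set[str]], user: str, roles: Set[str]) -> None:
    """Assign roles to a user, refusing an assignment that would give one
    person total control over a process (creating AND approving invoices)."""
    for pair in SOD_CONFLICTS:
        if pair <= roles:
            raise ValueError(f"{user}: roles {sorted(pair)} violate separation of duties")
    for role in roles:
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role {role!r}")
    user_roles[user] = set(roles)


def permissions_for(user_roles: Dict[str, Set[str]], user: str) -> Set[str]:
    """A subject with several roles holds the union of their permissions."""
    return set().union(*(ROLE_PERMS[r] for r in user_roles.get(user, ())))


# Rule-based layer: the custodian attaches rules to the resource itself.
# Assumed rule: approvals only on weekdays between 09:00 and 17:00.
def business_hours(now: datetime) -> bool:
    return now.weekday() < 5 and time(9) <= now.time() < time(17)


RESOURCE_RULES: Dict[str, list] = {"invoice:approve": [business_hours]}


def is_allowed(user_roles: Dict[str, Set[str]], user: str, permission: str,
               now: Union[datetime, str, None] = None) -> bool:
    """Implicit deny: allowed only if some role grants the permission AND every
    rule attached to the resource holds. `now` may be an ISO timestamp string."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if permission not in permissions_for(user_roles, user):
        return False                      # no role grants it: deny
    rules: list = RESOURCE_RULES.get(permission, [])
    return all(rule(now) for rule in rules)


if __name__ == "__main__":
    directory: Dict[str, Set[str]] = {}
    assign_roles(directory, "alice", {"clerk"})
    assign_roles(directory, "bob", {"approver", "auditor"})   # two roles, no conflict
    print(is_allowed(directory, "bob", "invoice:approve", "2024-03-04T10:00"))  # Monday, in hours
    print(is_allowed(directory, "bob", "invoice:approve", "2024-03-04T20:00"))  # out of hours
    try:
        assign_roles(directory, "mallory", {"clerk", "approver"})
    except ValueError as exc:
        print("refused:", exc)
```

Two things to notice: the rule is evaluated on every request, so a change to the rule takes effect immediately without touching any role or user, which is the dynamic quality the rule-based description above refers to; and an unknown user, an unknown permission and a failing rule all fall through to the same `False`, which is implicit deny in practice.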

10. What are the technologies used to implement access control? (5 pts)

- Now that the models that can be implemented have been discussed, the technologies used to implement access control are:
- Access control lists
- Group policy
- Account restrictions
