What is the difference between identification and authentication?
Identification is asserting an identity to the system (like a username). Authentication is proving that identity belongs to the person attempting access (like providing a password).
What are the three components of access control?
1) Identification - asserting identity, 2) Authentication - proving identity, 3) Authorization - determining what the authenticated identity can do.
What is the main problem with shared/joint identities?
Lack of accountability - you cannot trace actions back to specific individuals, making security investigations and compliance impossible.
What are the four authentication factors?
1) Something you KNOW (passwords), 2) Something you HAVE (tokens), 3) Something you ARE (biometrics), 4) Something you DO (behavioral patterns).
According to current NIST guidelines, should passwords be changed frequently?
No. Frequent mandatory password changes lead to weaker passwords as users create predictable patterns.
What provides more password security: length or complexity?
Length provides exponentially more security than complexity.
How many more combinations does a 9-character password have versus an 8-character password (using 62 symbols)?
62 times more combinations.
What are the current NIST password best practices?
Minimum 8+ characters (12+ preferred), unique per system, no mandatory periodic changes, check against breach databases, use password managers.
Why is MFA critical for security?
MFA prevents 99.9% of attacks because even if passwords are compromised, attackers need the additional factor to gain access.
What is the primary limitation of biometric authentication?
Biometric identifiers cannot be changed if compromised.
How do time-based security tokens prevent replay attacks?
They generate dynamic codes valid only for short time windows.
What should happen if a hardware security token is lost?
1) Immediately disable the token, 2) Issue temporary authentication method, 3) Require identity verification for replacement, 4) Assume account is compromised until secured.
In a scenario where a user enters their account number and receives an SMS code, which is identification and which is authentication?
Account number = Identification, SMS code = Authentication.
Why should a shared 'NurseStation' account NOT be used for accessing patient records?
No individual accountability - cannot trace who accessed what patient data.
What is the principle of least privilege?
Users should be granted only the minimum permissions necessary to perform their job functions.
When is RBAC most efficient compared to ACLs?
RBAC is most efficient for large organizations because you manage permissions by role once.
What is Discretionary Access Control (DAC)?
An access control model where resource owners have the discretion to grant or deny access to their resources.
What is the main vulnerability of DAC systems?
Resource owners may lack security expertise to make appropriate access decisions.
What is Mandatory Access Control (MAC)?
An access control model where a central authority sets security policies that cannot be overridden by resource owners.
What are the trade-offs between MAC and DAC?
MAC provides consistent security but is rigid; DAC provides flexibility but may have inconsistent security decisions.
What is separation of duties in RBAC?
Designing roles so no single person can control critical end-to-end processes without oversight.
How does permission inheritance work in RBAC?
Users inherit ALL permissions from ALL roles they are assigned to.
What security risk can occur with multiple role assignments in RBAC?
Permission accumulation - users may receive broader access than necessary.
Why can't traders with INTERNAL clearance be assigned to a group requiring CONFIDENTIAL access in MAC?
In MAC, users cannot inherit permissions to access data classified above their clearance level.
What access control model should a medical practice use for nurses, assistants, and admin staff?
RBAC - Create roles for each job function with appropriate permissions.
What access control model allows university professors to grant research file access to students?
Discretionary Access Control (DAC).
What access control model should handle public marketing materials, confidential trade secrets, and customer data?
Hybrid approach: Biba for financial integrity, Bell-LaPadula for trade secret confidentiality.
What is the purpose of the Bell-LaPadula model?
To protect confidentiality by preventing unauthorized disclosure of sensitive information.
What are the two Bell-LaPadula rules?
1) No Read Up - users can only read data at their level or lower, 2) No Write Down - users can only write data at their level or higher.
What documents can Agent Smith read under Bell-LaPadula with SECRET clearance (Level 3)?
SECRET (Level 3), CONFIDENTIAL (Level 2), and UNCLASSIFIED (Level 1) documents. Cannot read TOP SECRET (Level 4).
What classification level will Agent Smith's written documents have with SECRET clearance (Level 3)?
SECRET or higher (TOP SECRET). Cannot write CONFIDENTIAL or UNCLASSIFIED documents due to 'no write down' rule.
What is the 'classification creep' problem in Bell-LaPadula?
Documents migrate upward in classification when high-clearance users modify them, making routine information inaccessible to other staff and requiring manual re-classification.
What is the purpose of the Biba model?
To protect data integrity by preventing unauthorized modifications that could corrupt trusted information.
What are the Biba model rules?
1) No Write Up - users can only modify data at their integrity level or lower, 2) No Read Down - users can only read data at their level or higher (often relaxed).
What can a junior analyst (MEDIUM integrity) do if they find an error in a HIGH integrity financial record under Biba?
Create a MEDIUM integrity correction request that a HIGH integrity user must review and apply. Cannot directly edit HIGH integrity data.
How can integrity be restored in the Biba model after lower-level modification?
A higher-integrity user reviews and validates all content, then creates a new version at their integrity level, essentially 'vouching for' the modified content.
When should you use Bell-LaPadula vs Biba models?
Bell-LaPadula for confidentiality protection (classified info, trade secrets). Biba for integrity protection (financial transactions, medical protocols, quality control).
What process must Dr. Williams follow to restore HIGH integrity after Nurse (MEDIUM) adds notes?
Dr. Williams must review and validate all content, then create a new HIGH integrity version based on the MEDIUM integrity document.
Why are pure Bell-LaPadula and Biba models often too restrictive for business?
They create operational paralysis - Bell-LaPadula causes classification creep, Biba prevents legitimate collaboration. Practical implementations use hybrid approaches with exceptions.
How would you implement security for a government contractor with both classified defense projects and commercial software development?
1) Bell-LaPadula for classified projects with strict classification levels, 2) RBAC for commercial teams, 3) Complete environment separation, 4) Comprehensive audit trails with DLP tools.
What models should a multinational bank use for public reports, trading algorithms, and customer transactions?
Biba for financial reports (integrity), Bell-LaPadula for trading algorithms (confidentiality), hybrid Bell-LaPadula and Biba for customer transactions.
What are the two purposes of evidence preservation?
1) Technical diagnosis - recreate events for troubleshooting and security analysis, 2) Legal compliance - provide court-admissible proof of events.
What are the four pillars of legally admissible evidence?
1) Authenticity - prove evidence is what you claim, 2) Integrity - prove it hasn't been altered, 3) Reliability - collected using accepted methods, 4) Completeness - relevant evidence not omitted.
What are the essential elements that every quality log entry must contain (5 W's)?
WHO (account name), WHEN (timestamp), WHAT (action description), WHERE (system/resource), RESULT (success/failure status).
What is the difference between a standard copy and a forensic copy?
Standard copy: file content only, updates timestamps, not legally admissible. Forensic copy: bit-for-bit exact replica, preserves metadata, cryptographically verified, court admissible.
What is the purpose of hash verification in digital forensics?
To prove the forensic copy is identical to the original evidence by comparing cryptographic hashes (MD5, SHA-256) - if hashes match, the copy is authentic and unaltered.
What is write-blocking and why is it essential?
Hardware/software that prevents any modification of original evidence during collection. Essential because any alteration invalidates evidence for legal proceedings.
What should you do if you discover a compromised computer with no apparent entry point?
Immediately preserve ALL data on external medium. Future forensic techniques may reveal hidden indicators that current tools cannot detect.
What is chain of custody?
Documented proof that evidence has been continuously controlled and unaltered from collection to court presentation, including who handled it, when, where, and why.
What information must be documented for every evidence transfer?
From whom (name, title, signature), to whom (name, title, signature), date/time/location of transfer, reason for transfer, evidence condition verification.
Why is chain of custody critical for legal proceedings?
Without proper chain of custody documentation, evidence can be ruled inadmissible in court because you cannot prove it wasn't tampered with or contaminated.
What are indicators of compromise (IoCs)?
Signs that an attack has been successful, such as unauthorized logins, malware installation, unexpected file changes, unusual network traffic, or inappropriate system functions.
Why should organizations preserve evidence even for unknown attack methods?
To ensure that any potential evidence can be analyzed and used in future investigations, regardless of the attack method.
What are examples of network-level IoCs?
Connections to known bad IPs, unusual outbound traffic, DNS queries to suspicious domains, traffic on unexpected ports, large data uploads indicating exfiltration.
What are examples of system-level IoCs?
Unauthorized account creation, privilege escalation attempts, unusual process execution, file system modifications, persistence mechanism installation.
What evidence is required for GDPR Article 33 breach notification?
Nature of breach, categories and volumes of data affected, likely consequences, measures taken to address breach - all within 72 hours and forensically sound.
What makes cloud forensics challenging compared to traditional forensics?
Data location uncertainty, shared responsibility models, virtual machine snapshots, jurisdiction issues, CSP cooperation requirements, multi-tenant isolation.
What is the challenge with mobile device forensics?
Strong encryption, regular security updates, cloud synchronization, app sandboxing, and legal access restrictions make evidence extraction difficult.
How do AI and automation help with digital forensics?
Automated malware detection, anomaly detection in large datasets, pattern recognition beyond human capabilities, correlation across multiple evidence sources, faster processing.
How do the Unit 3 sections work together in a complete security system?
Identification/Authentication → Rights Management → Policy Enforcement → Audit Evidence creates end-to-end access control with accountability.
How does Unit 3 support GDPR compliance?
Identity management (accountability), access controls (data minimization), security models (automated privacy enforcement), evidence preservation (breach notification documentation).
How do Unit 3 concepts apply to Zero Trust architecture?
Never trust/always verify (continuous authentication), least privilege (rights management), micro-segmentation (policy enforcement), continuous monitoring (evidence collection).
How does AWS IAM implement Unit 3 concepts?
Users/Groups/Roles (RBAC), MFA enforcement (authentication), resource policies (security models), CloudTrail logs (evidence preservation).
How do Unit 3 concepts apply to DevSecOps CI/CD pipelines?
Service accounts (identity), pipeline permissions (rights management), security gates (policy enforcement), build logs (evidence preservation).
What Unit 3 skills does a Security Architect need?
Enterprise identity management design, access control architecture, security model application to business requirements, forensic readiness planning.
What Unit 3 skills does a Digital Forensics Analyst need?
Evidence collection procedures, identity correlation across systems, access control analysis for investigations, security model understanding.
What Unit 3 skills does a Compliance Officer need?
Access control audit procedures, authentication requirements for regulations, security model compliance verification, evidence documentation for auditors.
Design access control for a hospital with doctors, nurses, admin staff, and patient data with different sensitivity levels.
Hybrid approach: RBAC for role-based permissions, Bell-LaPadula for patient data confidentiality levels, Biba for medical protocol integrity, comprehensive audit logging.
How would you implement security for a multinational corporation with public marketing, confidential trade secrets, and different data protection laws?
Layered approach: MAC for classified trade secrets, RBAC for global efficiency, DAC for departmental flexibility, ACLs for granular control, with comprehensive audit trails.
What security models and evidence procedures for a financial institution handling external data, internal processing, and final authorized transactions?
Biba integrity model with LOW (external), MEDIUM (internal), HIGH (authorized) levels, plus comprehensive transaction logging and forensic readiness for regulatory compliance.
What are the top 5 security problems for a company using shared passwords, no MFA, and giving everyone full access?
1) No individual accountability, 2) No authentication strength, 3) Principle of least privilege violation, 4) No audit trail, 5) Cannot revoke individual access.
Why might Bell-LaPadula be inappropriate for a collaborative software development environment?
Classification creep would make code inaccessible when senior developers modify it, preventing collaboration and code reviews essential for development.
When would you choose MAC over RBAC for an organization?
When security is more important than operational efficiency, such as government classified environments where central control and consistent enforcement are critical.
How do modern password policies differ from traditional policies and why?
Modern: longer passwords, no forced changes. Traditional: complex passwords, frequent changes. Research showed traditional policies led to weaker, predictable passwords.
Design authentication for a banking app considering security and usability.
Username/password + MFA (SMS/app), biometric for convenience on trusted devices, risk-based authentication for unusual access patterns, comprehensive logging.
Explain how to preserve evidence of a suspected insider threat involving financial fraud.
Forensic imaging of user systems, complete access logs, email/communication preservation, database transaction logs, chain of custody for all evidence, coordinate with legal/HR.
How would you implement least privilege for a growing startup?
RBAC with role definition based on job functions, regular access reviews, automated provisioning/deprovisioning tied to HR systems, principle of deny by default.