This is for CYBER SECURITY
1) What are the 3 factors of Authentication and provide at least 3 examples for each?
2) Please compare and contrast the following 4 Access Control Models and let me know how they work and give me an example of each.
1. Discretionary Access Control
2. Mandatory Access Control
3. Rule Based Access Controls
4. Role Based Access Controls
Question1)
The three factors of Authentication are as shown below.
Knowledge:
The knowledge factor is the main authentication factor that is seen. It generally consists of the parameters that the user needs in order to log in and access the system.
The knowledge factor includes User ID, Name, Passwords, PINs, etc.
Possession:
The Possession factor is the other major factor that a user must possess to log in. These factors include smartphones, OTP tokens, SIM cards, etc.
Inherence:
The Inherence factors are the third major important factors that must be possessed by the user to log in.
These factors include biological factors that must be present with the user for the login to the system to be confirmed.
These include factors like fingerprint, retina scan, iris scan, etc.
Question2:
There are four access control methods. These can be briefly explained as shown below.
1. Discretionary Access Control
2. Mandatory Access Control
3. Rule Based Access Control
4. Role Based Access Control
Discretionary Access Control:
The discretionary access control method is the method in which the system allows each user to have control over their own data. In most desktop operating systems, the discretionary access control method is the default mechanism.
Each resource object in DAC has an access control list (ACL) associated with it.
This control list maintains a list of users and groups, where the users are permitted to access their own data.
It should be observed that in the discretionary access control method, the user is allowed to set permissions only for the data and other resources that are owned by that user.
Example:
Consider two users A and B
User A cannot change the access control over the files that are owned by the other user B.
User A can set the access permissions only for the data and the files that are owned by him/her.
Mandatory Access Control:
Mandatory access control is the method in which a hierarchical approach is used to control access to the data and the files that are owned by the user.
It is generally stated that mandatory access control is the strictest level of access control method.
The system administrator is the only individual who has control over the data and files that are present in the system.
Granting and revoking access permissions is solely the responsibility of the system administrator.
Security labels are used by the resource objects, and these security labels have two pieces of information. These are classification and category.
The classification includes things like top secrets that are confidential. The category is essential to indicate the level of the user who is using the system, like management level, department level, etc.
Rule Based Access Control:
Rule Based Access Control is the method in which the system administrator defines the set of rules based on which the access control mechanisms are established.
Like the access control lists that are used in the discretionary access control method, the Rule Based Access Control method also uses access control lists (ACLs) that store the details of the users and their level of access to the data.
Example:
Consider the situation where we need to permit a user or a group of users to access a particular network for a certain amount of time.
In this situation, the rule based access control method is used.
Role Based Access Control:
The role based access control method is a real-world approach to organising how access to files and data is granted to users.
This is also known as Non-discretionary access control method.
As the name indicates, the access to the data is based on the role of the user in the organization.
Users are assigned to particular roles and access is granted to them based on their level of job role.
Example:
Consider an accountant in the organization.
He gains access to the resources that are needed by the accountant to perform operations. The accountant gets permissions similar to those of the other accountants.
These are the various access control methods that are mostly used in cyber security.