CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [21]
The MAC model can be very restrictive. In a MAC model, administrators establish access. Users can’t share resources dynamically unless the static relationship already exists.
The acronym MAC appears in numerous computer-related contexts. One of the most common uses is to represent the Media Access layer in networking. Be careful not to confuse MAC addressing as it relates to network cards with Mandatory Access Control.
MAC uses labels to identify the level of sensitivity that applies to objects. When a user attempts to access an object, the label is examined to see if the access should take place or be denied. One key element to remember is that when mandatory control is applied, labels are required and must exist for every object.
The Discretionary Access Control Method
The Discretionary Access Control (DAC) model allows the owner of a resource to establish privileges to the information they own. The difference between DAC and MAC is that labels are not mandatory but can be applied as needed.
The DAC model allows a user to share a file or use a file that someone else has shared. It establishes an access control list (ACL) that identifies the users who have authorization to access that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.
The Role-Based Access Control Method
The Role-Based Access Control (RBAC) model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. The roles almost always shadow the organizational structure.
Users can be assigned roles systemwide and can then perform certain functions or duties based on the roles they’re assigned. An example might be a role called salesperson. The user assigned the salesperson role can access only the information established for that role. Users may be able to access this information from any station in the network, based strictly on their role. A sales manager may have a different role that allows access to all of the individual salespersons’ information.
The RBAC model is common in network administrative roles.
Understanding Authentication
Authentication proves that a user or system is actually who they say they are. This is one of the most critical parts of a security system. It’s part of a process that is also referred to as identification and authentication (I&A). The identification process starts when a user ID or logon name is typed into a sign-on screen. Authentication is accomplished by challenging the claim about who is accessing the resource. Without authentication, anybody can claim to be anybody.
Authentication systems or methods are based on one or more of these three factors:
■ Something you know, such as a password or PIN
■ Something you have, such as a smart card or an identification device
■ Something physically unique to you, such as your fingerprints or retinal pattern
Systems authenticate each other using similar methods. Frequently, systems pass private information between each other to establish identity. Once authentication has occurred, the two systems can communicate in the manner specified in the design.
Several common methods are used for authentication. Each offers something to security and should be considered when you’re evaluating authentication schemes or methods.
Biometrics
Biometric readers use physical characteristics to identify the user. Such devices are becoming more common in the business environment. Biometric readers include hand scanners, retinal scanners, and soon, possibly, DNA scanners. To gain access to resources, you must pass a physical screening process. In the case of a hand scanner, the screening may include fingerprints, scars, and markings on your hand. Retinal scanners compare