Logical Access Controls
Two principles: least privilege and separation of duties
A new hire on the help desk needs to reset passwords. Should that account also be able to open the company's payroll file? The answer the whole of logical access control turns on is no, and the reason has a name: least privilege. A logical access control is a technical safeguard, enforced by software or firmware, that decides whether a subject (a user, process, or device) may use an object (a file, database, application, or system). Before we look at the three competing models for writing those decisions, learn the two principles that say how generous any decision should be. The principles apply no matter which model you run; keep them on a separate shelf from the models.
Least privilege
Least privilege means restricting every subject to the minimum access its assigned task requires[1], and nothing beyond that. The help-desk technician gets password-reset rights and not the salary database, because the salary database is not part of the job. The benefit is a smaller blast radius. If that account is phished or misused, the attacker inherits only the handful of permissions it actually held, not the keys to everything.
Need-to-know is least privilege applied to information rather than to systems. The two are easy to confuse, so separate them by what they grant. A clearance or a job title can make you eligible to see a whole category of data; need-to-know[2] is the narrower decision that you actually require these specific records to do your work. An analyst cleared for Secret material still cannot pull a Secret file that has nothing to do with the current case, because the need-to-know is missing.
Separation of duties
Separation of duties (also written segregation of duties) splits a sensitive process so that no single person holds enough privilege to misuse the system alone[3]. The textbook case is payments: the person who requests a payment must not be the same person who approves it, because one individual controlling both steps could quietly pay themselves. Dual control is the strictest form, requiring two authorized people to act together to complete one action, like two officers each turning a key to launch. Separation of duties is a preventive administrative control. It reduces the chance of fraud by one insider acting alone, though it does not stop two people colluding, which is why sensitive duties are also rotated.
The three access-control models: who gets to decide
Once you know how much access to grant, the next question is who writes the rule. The CC outline teaches three access-control models, and the cleanest way to keep them straight is a single question that each one answers differently: who decides access? With that one axis you never mix them up.
DAC: the owner decides
Under discretionary access control (DAC), access is left to the discretion of the object's owner[4], who can grant permissions to other subjects and even let them pass those permissions along. The everyday example is sharing a file on your laptop or a shared drive: whoever created the document picks who else may read or edit it. DAC is flexible and is the default in most commercial operating systems, which is also its weakness. Because owners re-share at will, permissions drift in ways no central administrator planned.
MAC: the system decides
Mandatory access control (MAC) is a policy uniformly enforced across all subjects and objects by the system itself[5]. Each object carries a sensitivity label (for example Confidential, Secret, Top Secret) and each subject holds a formal clearance. The system grants access only when the subject's clearance is high enough for the object's label and a need-to-know exists. The defining trait, and the delta from DAC, is that an ordinary user cannot change a label or hand access to anyone else; the decision belongs to the system, not the owner. That rigidity is exactly why MAC is used in military, government, and intelligence systems where confidentiality must be guaranteed.
RBAC: the role decides
Role-based access control (RBAC) grants access based on the role a user holds in the organization[6] rather than on individual identity. Permissions attach to roles such as Nurse, Cashier, or Database Administrator, and a user gains those permissions by being placed in the role. When someone changes jobs you move them to a new role instead of editing dozens of individual grants, so RBAC scales cleanly and maps naturally onto least privilege. It sits between the other two: more controlled than DAC because an administrator, not the end user, defines the roles, and lighter than MAC because it needs no clearance hierarchy. RBAC is the common choice for ordinary businesses.
Notice the one shared axis at work. DAC puts the decision with the owner, MAC puts it with the system, and RBAC puts it with the role an administrator defines. Read any scenario by asking who holds the decision, and the model names itself.
Choosing a model, and how MAC checks a request
Picking a model is a trade between flexibility and control, and the same single axis from the last section, who decides, drives the choice. Walk three questions in order and the model falls out.
First, must access be tightly and uniformly controlled, with no user able to over-share? If yes, and the data is classified or highly sensitive, choose MAC, because only MAC takes the decision away from people entirely. If that level of rigidity is not required, move on. Second, do users map cleanly onto well-defined jobs, with many people sharing the same access? If yes, choose RBAC, the scalable middle ground for hospitals, banks, and large enterprises. Third, if neither pressure applies and the priority is letting owners share their own resources conveniently, DAC is the natural fit, which is why ordinary file sharing uses it.
How MAC evaluates one request
MAC is the model most worth seeing step by step, because its check is mechanical and exam-friendly. When a subject asks to read an object, the system compares two things it controls, not the user. It reads the object's label and the subject's clearance, then applies two tests. The clearance must be high enough to dominate the label (a Secret clearance can reach Confidential and Secret data, but not Top Secret), and a need-to-know must exist for that specific object. Only when both tests pass does the system allow access; if either fails, it denies. The user is never consulted and cannot grant an exception, which is the whole point of "mandatory."
This is also where a security label differs from a security marking[7]. A marking is human-readable text that tells a person how to handle a document; a label is machine-readable metadata bound to the object so the system can parse and enforce it automatically. MAC depends on labels, because a person reading a marking is back to discretion, and MAC's purpose is to remove discretion.
Exam-pattern recognition
CC questions on this topic reward one habit: read the scenario for who holds the decision, then name the model. The wording is consistent enough that a few patterns cover most items.
Spotting the model from the stem
- If the stem says a file owner or user sets or shares permissions on their own resource, the answer is DAC. Trigger words: owner, at their discretion, the user grants access, shared folder.
- If the stem mentions labels, classifications, clearances, or sensitivity levels, and stresses that users cannot change the rules, the answer is MAC. Trigger words: Top Secret/Secret/Confidential, security label, clearance, system-enforced, military or government.
- If the stem assigns access by job title or function and talks about moving people between groups, the answer is RBAC. Trigger words: role, job function, Nurse/Cashier/Administrator, assign users to groups.
Principle versus model
Another family of questions tests the two principles against each other. A stem where one person can both create and approve a payment, and the fix is to split those duties, is separation of duties, not least privilege. A stem where an account simply has more access than its job needs, and the fix is to trim it, is least privilege. When the scenario is specifically about eligibility versus the specific data required, the answer is need-to-know: a cleared user still being blocked from an unrelated file is the classic tell.
Why the distractors are wrong
The wrong answers usually swap the decider. "The owner assigns clearances" is wrong because clearances are a MAC idea and owners do not assign them. "RBAC lets each user set their own permissions" is wrong because that is DAC's owner-discretion, not RBAC's administrator-defined roles. "MAC is the most flexible model" is wrong because MAC is the most rigid by design; DAC is the most flexible. Anchor every choice to the single axis, who decides access, and the distractors that move the decision to the wrong party fall away.
Who decides access: DAC vs MAC vs RBAC
| Question | DAC (discretionary) | MAC (mandatory) | RBAC (role-based) |
|---|---|---|---|
| Who decides access | The object's owner | The system, from a central policy | An administrator, by defining roles |
| Decision is based on | Owner's choice (permissions on the object) | Security labels and user clearances | The user's assigned job role |
| Can a user re-share access | Yes, owners can grant and pass on rights | No, users cannot change labels or grant access | No, only role membership grants access |
| Flexibility | Highest, but hardest to control centrally | Lowest, rigid and uniformly enforced | Moderate, controlled yet scalable |
| Typical use | Personal computers, shared drives, most commercial OSes | Military, government, classified systems | Hospitals, banks, large enterprises |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- A logical access control is a technical safeguard that gates a subject's use of an object
Logical access controls are enforced by software or firmware, and they decide whether a subject (a user, process, or device) may use an object (a file, database, application, or system). They are the technical, or logical, type of control, separate from physical controls like locks and from administrative controls like policies. Every access decision answers two questions: how much access to grant, set by the principles least privilege and need-to-know, and who writes the rule, set by the model DAC, MAC, or RBAC.
- Least privilege grants only the access a task needs, shrinking the blast radius
Least privilege restricts every user, process, or device to the minimum permissions its assigned job requires, and nothing more. The benefit is containment: if the account is phished or misused, the attacker inherits only the few permissions it actually held rather than the keys to everything. A help-desk technician who resets passwords should not also reach the payroll file, because reading payroll is not part of that job.
Trap Granting broad access for convenience and planning to trim it later; the standing extra permissions are exactly what an attacker inherits if the account is compromised.
18 questions test this
- Which security principle requires that users be given only the minimum access rights necessary to perform their job duties?
- According to the principle of least privilege, users should be granted which level of access?
- A security administrator needs to ensure that privileged users use non-privileged accounts when performing routine tasks. Which principle…
- When a user with a privileged account needs to perform routine non-security tasks, what should they do according to least privilege…
- An organization applies the principle of least privilege to its systems. Which statement BEST describes this security principle?
- A security administrator needs to ensure that employees can only access information necessary for their specific duties. Which principle…
- Which security principle requires that users be granted only the minimum access necessary to perform their job functions?
- A database application needs to connect to a production database containing customer records. Applying the principle of least privilege to…
- A security administrator is configuring file permissions for a new employee. According to the principle of least privilege, what approach…
- What is the PRIMARY purpose of the principle of least privilege?
- How does role-based access control (RBAC) support the principle of least privilege?
- Which security principle is MOST directly supported by the timely de-provisioning of user accounts when employees leave an organization?
- According to privilege management best practices, what should users with privileged accounts do when performing routine non-security tasks?
- An organization's file server uses permissions that include Read, Write, and Execute. A user needs to run a program stored on the server…
- When applying the principle of least privilege to access control list configuration, which approach should an administrator follow?
- Which security principle should guide how permissions are configured in an access control list for a new employee?
- What is the primary objective of the principle of least privilege?
- Which principle should guide the configuration of access control lists for system resources?
- Need-to-know is least privilege applied to information, separate from clearance
Clearance or job title sets eligibility to see a whole category of data; need-to-know is the narrower decision that a person actually requires these specific records to do their work. The two are independent, so a user cleared for Secret material still cannot pull an unrelated Secret file because the need-to-know is missing. Need-to-know limits which data within an eligibility level a person may touch.
Trap Treating a high clearance as automatic permission to read every file at that level; clearance is eligibility, but need-to-know must also exist for the specific object.
- Separation of duties splits a sensitive process so no one person can finish it alone
Separation of duties (also called segregation of duties) divides a critical process across two or more people, so no single individual holds enough privilege to misuse the system by themselves. The classic case is payments: whoever requests a payment must not also approve it, since one person controlling both steps could pay themselves. It is a preventive administrative control aimed at fraud by a lone insider.
Trap Calling it least privilege when the real fix is splitting one over-powered process across two people; least privilege trims one account's access, separation of duties divides the steps.
6 questions test this
- An organization wants to prevent employees from both creating purchase orders and approving them. Which RBAC feature addresses this…
- In RBAC, which mechanism ensures that a user who is assigned to the role of Accounts Payable Clerk cannot also be assigned to the role of…
- Which security principle does RBAC directly support by ensuring that multiple people are required to complete sensitive tasks?
- In RBAC, what mechanism is commonly used to enforce separation of duties between conflicting job functions?
- Which access control principle ensures that no single employee can both initiate and approve purchase orders?
- When implementing separation of duties in an organization, what is the primary security objective?
- Dual control requires two authorized people to act together for one action
Dual control is the strictest form of separation of duties: a single action cannot complete unless two authorized people act together, such as two officers each turning a key. Where ordinary separation of duties splits a multi-step process across people, dual control binds two people to the very same step. Both reduce single-insider abuse but do not stop two people colluding, which is why sensitive duties are also rotated.
- Three access-control models differ on one axis: who decides access
DAC, MAC, and RBAC are the three access-control models, and the clean way to tell them apart is a single question each answers differently: who decides access. DAC puts the decision with the object's owner, MAC puts it with the system, and RBAC puts it with a role an administrator defines. Read any scenario by asking who holds the decision and the model names itself.
4 questions test this
- What is the key characteristic of Discretionary Access Control (DAC)?
- In a discretionary access control (DAC) model, who has the authority to determine access rights to an object?
- What distinguishes discretionary access control (DAC) from mandatory access control (MAC) when managing permissions for system resources?
- Which access control model allows the owner of a resource to grant or revoke access to other users based on the owner's judgment?
- DAC lets the object's owner decide and re-share access
Under discretionary access control (DAC), access is left to the discretion of the object's owner, who can grant permissions to other subjects and even let them pass those permissions along. Sharing a file on a laptop or shared drive is the everyday example, and DAC is the default in most commercial operating systems. Its flexibility is also its weakness, because owners re-share at will and permissions drift in ways no central administrator planned.
Trap Believing DAC permissions are centrally controlled; owners can grant and pass on access themselves, which is why DAC is the least centrally controlled model.
6 questions test this
- What is the key characteristic of Discretionary Access Control (DAC)?
- In a discretionary access control (DAC) model, who has the authority to determine access rights to an object?
- What distinguishes discretionary access control (DAC) from mandatory access control (MAC) when managing permissions for system resources?
- In discretionary access control (DAC) environments, who typically has the authority to modify the ACL on an object?
- Which access control model allows the owner of a resource to grant or revoke access to other users based on the owner's judgment?
- In a discretionary access control (DAC) environment, who determines access permissions to a resource?
- MAC is enforced by the system from labels and clearances, and users cannot override it
Mandatory access control (MAC) is a policy uniformly enforced across all subjects and objects by the system itself. Each object carries a sensitivity label and each subject holds a formal clearance, and the system grants access only when the clearance is high enough for the label and a need-to-know exists. The defining trait is that an ordinary user cannot change a label or grant access to anyone else, because the decision belongs to the system, not the owner.
Trap Assuming an owner can grant an exception or relabel data under MAC; only the system decides, so users have no discretion to override the policy.
- RBAC grants access by job role, not by individual identity
Role-based access control (RBAC) attaches permissions to roles such as Nurse, Cashier, or Database Administrator, and a user receives those permissions by being assigned to the role. When someone changes jobs you move them to a new role instead of editing dozens of individual grants, so RBAC scales cleanly and maps naturally onto least privilege. An administrator, not the end user, defines the roles.
Trap Saying RBAC lets each user set their own permissions; that is DAC owner-discretion, while RBAC access comes only through administrator-defined role membership.
16 questions test this
- In a role-based access control (RBAC) system, how do users receive their permissions?
- In a role-based access control (RBAC) system, what determines a user's access permissions?
- An organization assigns access permissions to employees based on their job functions defined in the human resources system. What type of…
- Which characteristic BEST describes how access decisions are made in a Role-Based Access Control (RBAC) system?
- In a role-based access control (RBAC) system, what is the primary relationship that simplifies security administration?
- In a role-based access control (RBAC) system, what is the PRIMARY method by which users acquire permissions?
- A user was recently transferred from the sales department to the engineering department. The user can still access sales files but cannot…
- In a role-based access control (RBAC) system, how do users obtain access permissions to resources?
- How does role-based access control (RBAC) support the principle of least privilege?
- In a Role-Based Access Control (RBAC) system, permissions are assigned directly to which element?
- What is a PRIMARY advantage of using Role-Based Access Control compared to assigning permissions directly to individual users?
- An organization is implementing RBAC and needs to define roles. Which approach represents the correct relationship between users, roles,…
- In a role-based access control (RBAC) system, how are permissions assigned to users?
- In RBAC, which mechanism ensures that a user who is assigned to the role of Accounts Payable Clerk cannot also be assigned to the role of…
- In RBAC, what mechanism is commonly used to enforce separation of duties between conflicting job functions?
- When an employee changes positions within an organization using RBAC, what is the MOST appropriate access management action?
- Choose the model by trading flexibility against control
DAC is the most flexible but hardest to control centrally, MAC is the most rigid and uniformly enforced, and RBAC sits in the middle as the scalable, administrator-controlled choice. Pick MAC when access must be tightly and uniformly controlled for classified or highly sensitive data, RBAC when many users map cleanly onto well-defined jobs, and DAC when owners should conveniently share their own resources.
Trap Calling MAC the most flexible model; MAC is the most rigid by design, while DAC is the most flexible because owners control sharing.
- MAC fits classified and government systems; RBAC fits ordinary businesses
MAC is used in military, government, and intelligence systems where confidentiality must be guaranteed and individual discretion is too risky to allow. RBAC is the common choice for hospitals, banks, and large enterprises because access maps onto job functions and scales without per-user editing. DAC suits personal computers, shared drives, and most commercial operating systems where convenience matters more than tight central control.
- A model alone does not enforce the principles; apply least privilege and separation of duties on top
Choosing DAC, MAC, or RBAC decides who writes the access rule, but it does not by itself guarantee that the rule grants only what each task needs or that sensitive processes are split. Least privilege and separation of duties are principles applied on top of whichever model is in force. A system can run RBAC and still over-grant if its roles bundle more access than the job requires.
- An ACL lists which identities may access a resource and what they may do, one access control entry per identity
An access control list (ACL) is a mechanism attached to a resource that enumerates the identities permitted or denied access along with their specific rights (read, write, execute). Each individual line is an access control entry (ACE), which names one trustee (user or group) and the operations allowed, denied, or audited for it.
Trap Treating the ACL as the single entry rather than the whole list; the ACE is the per-identity line inside the ACL.
13 questions test this
- An access control list (ACL) is a mechanism that implements access control by associating which of the following with a system resource?
- When configuring ACL permissions for a file, what is the purpose of specifying read, write, and execute operations?
- Which of the following best describes an access control list (ACL)?
- What information does an individual entry in an access control list (ACL) specify?
- What is the primary function of an Access Control Entry (ACE) within an access control list?
- In identity-based access control systems using ACLs, what must happen for a subject to be granted access to an object?
- An access control list (ACL) is comprised of individual entries that specify access rights. What is each of these individual entries called?
- A mechanism that implements access control for a system resource by listing the identities permitted or denied access is known as a(n)…
- An administrator needs to determine which users can read, write, or modify a file on a Windows server. Which security component should the…
- An access control list (ACL) is best described as which of the following?
- A mechanism that specifies which users or groups have been granted or denied access to a specific system resource.
- What does an access control list (ACL) contain?
- An access control list (ACL) is made up of individual entries that specify permissions for specific users or groups. What are these…
- In Windows a DACL decides who gets access; a SACL decides whose access attempts get logged
A Windows security descriptor holds two ACL types: the Discretionary Access Control List (DACL) lists the trustees allowed or denied access, while the System Access Control List (SACL) tells the system which access attempts to record in the security event log. Configure the SACL when the goal is auditing access rather than granting it.
Trap Reaching for a DACL to capture an audit trail of access attempts; auditing is the SACL's job.
8 questions test this
- In Windows security architecture, what is the primary function of a System Access Control List (SACL)?
- In the context of discretionary access control (DAC), what are the two common types of Access Control Lists (ACLs) used to manage and…
- In Windows security, which pair correctly identifies the two main types of Access Control Lists (ACLs) found in a security descriptor?
- In Windows environments, what is the difference between a Discretionary Access Control List (DACL) and a System Access Control List (SACL)?
- An organization needs to track and audit which users attempted to access sensitive financial files, regardless of whether the access was…
- An administrator needs to determine which users can read, write, or modify a file on a Windows server. Which security component should the…
- What is the primary purpose of a System Access Control List (SACL)?
- In Windows operating systems, which type of access control list identifies which users and groups are allowed or denied access to a…
- An empty DACL denies everyone; a missing (NULL) DACL grants everyone full access
An empty DACL contains no entries, so no access is granted and the system denies all requests. A NULL DACL (no DACL assigned at all) is the opposite and dangerous default: the object has no protection, so everyone gets full access. The same logic applies to ACLs generally: if no entry grants the request, access is denied.
Trap Assuming an empty DACL and a NULL DACL behave the same; the empty one locks everyone out, the missing one lets everyone in.
7 questions test this
- In a discretionary access control (DAC) system, what happens when an object's access control list contains no entries?
- In Windows, what happens when a securable object has no discretionary access control list (DACL) assigned to it?
- What happens when a protected object has a Discretionary Access Control List (DACL) that contains no access control entries?
- What happens when a Windows object has a Discretionary Access Control List (DACL) that contains no access control entries?
- An administrator notices that an object on the system has no discretionary access control list (DACL) assigned to it. What is the result of…
- A system administrator creates a new file but does not configure any access control entries in the discretionary access control list…
- A security administrator discovers that a Windows file has no discretionary access control list (DACL) configured. What is the security…
- Anything not explicitly allowed is denied by default (implicit deny)
Implicit deny, also called default deny, means a request that matches no rule granting it is automatically blocked. It is the safe default for ACLs, firewall rules, and file permissions: access is granted only when a rule explicitly permits it, so a missing entry results in denial.
Trap Expecting traffic or a subject to pass because no rule explicitly blocks it; with implicit deny the absence of an allow rule is itself the block.
9 questions test this
- In a discretionary access control (DAC) system, what happens when an object's access control list contains no entries?
- An organization needs to implement a permission model where access is granted only if it is explicitly specified in the access control…
- An administrator configures an ACL on a shared folder that grants read access only to the Accounting group. A user who belongs to the Sales…
- A security administrator is configuring firewall rules for network traffic. When traffic does not match any rule in the access control…
- What happens when a protected object has a Discretionary Access Control List (DACL) that contains no access control entries?
- What happens when a Windows object has a Discretionary Access Control List (DACL) that contains no access control entries?
- In identity-based access control systems using ACLs, what must happen for a subject to be granted access to an object?
- A system administrator creates a new file but does not configure any access control entries in the discretionary access control list…
- When an access control list has no rule that matches an incoming request, what typically happens?
- MFA requires factors from two different categories: something you know, have, or are
Multi-factor authentication combines factors from at least two of the three categories: something you know (password, PIN), something you have (token, badge, phone), and something you are (biometric). The point is that compromising one category does not give an attacker the others, so the factors must be of different kinds.
Trap Counting a password plus a PIN (or password plus a security question) as MFA; both are "something you know," so it is still one factor category.
19 questions test this
- A user logs into an application using a fingerprint scan on their smartphone, which then generates a one-time code. What type of…
- Which combination represents a valid implementation of multi-factor authentication (MFA)?
- What is the primary purpose of implementing multi-factor authentication (MFA)?
- An organization wants to implement MFA for employee access. Which combination represents true multi-factor authentication?
- An organization implements authentication requiring users to enter a password AND a PIN code. Is this considered multi-factor…
- What are the three authentication factors used in multi-factor authentication?
- An organization wants to implement multi-factor authentication. A user logs in with a password and then enters a PIN. Does this…
- A hardware token that generates a six-digit code every 60 seconds represents which authentication factor?
- Which authentication scenario demonstrates the proper implementation of two-factor authentication?
- A user authenticates to a corporate system using their password and then receives a one-time code on their registered smartphone. Which…
- A security administrator needs to implement stronger authentication for remote access to critical systems. Which combination represents…
- Which statement accurately describes the role of biometrics in authentication according to security best practices?
- Which of the following is classified as a 'something you have' authentication factor?
- A data center requires employees to both present their badge AND enter a PIN code at the card reader to gain entry. Which security concept…
- A security administrator is implementing multi-factor authentication for a corporate application. Which combination provides true…
- An organization is implementing multi-factor authentication. Which combination represents factors from two DIFFERENT categories?
- A security administrator is implementing multi-factor authentication. Which combination represents TRUE multi-factor authentication?
- When a user presents an access badge to a reader to enter a secured facility, what authentication factor is primarily being used?
- Which of the following represents a valid multi-factor authentication implementation?
- Modern NIST guidance favors long passwords over forced complexity and drops scheduled expiration
NIST SP 800-63B treats length as the primary driver of password strength and advises against mandatory composition rules, because complexity requirements push users toward predictable patterns. It also recommends against fixed periodic password changes, requiring a change only when there is evidence of compromise.
Trap Mandating character-mix rules and a routine 90-day reset; current guidance calls for length instead and changes only on evidence of compromise.
6 questions test this
- According to current NIST password guidelines, what is the recommended approach to password complexity?
- According to current security guidance, what is the recommended approach to password expiration policies?
- When should organizations require users to change their passwords according to modern security guidelines?
- According to current password security best practices, what is more important than requiring complex character combinations in passwords?
- According to current password security guidelines, what is the PRIMARY factor that determines password strength?
- According to current NIST guidelines for password management, which practice is now recommended against?
- Store passwords salted and hashed so a stolen database resists offline cracking
Passwords should be stored using a one-way hash with a unique random salt per password, never in plaintext or reversible form. The salt makes identical passwords hash differently and defeats precomputed rainbow tables, while a deliberately slow hashing scheme makes brute-force guessing of a stolen hash database expensive.
Trap Relying on hashing alone without a per-password salt; without salt, identical passwords share a hash and rainbow tables still work.
5 questions test this
- How should passwords be stored in authentication systems to protect against offline attacks?
- What security measure should organizations implement to protect stored passwords from offline attacks?
- What is the PRIMARY purpose of salting passwords before hashing them for storage?
- An organization stores passwords using a one-way mathematical function combined with a random value unique to each password. What security…
- What is the primary security benefit of requiring passwords to be salted and hashed before storage?
- End sessions with an idle timeout, an absolute timeout, and an easy logout
An idle (inactivity) timeout ends a session after a period of no activity, limiting the risk of an unattended workstation being hijacked, while an absolute (overall) timeout caps total session length regardless of activity. Applications should also give users a readily accessible logout to terminate a session on demand.
Trap Confusing the idle timeout with the absolute timeout; the idle one triggers on inactivity, the absolute one fires after a fixed duration even on an active session.
8 questions test this
- According to security best practices, what should a web application provide to users regarding session termination?
- What is the PRIMARY purpose of implementing an idle session timeout control?
- What is the PRIMARY purpose of implementing an idle session timeout as part of system hardening?
- What is the PRIMARY security purpose of implementing an idle session timeout?
- According to NIST guidelines, what are the two types of session timeouts used in session management?
- A web application allows users to log in but does not provide a logout button. Which security vulnerability does this create?
- Which session management control should be implemented to address the risk of a user leaving their workstation without logging out?
- Which of the following BEST describes the difference between an idle timeout and an absolute timeout in session management?
- Enforce authentication and session timeouts server-side where the client cannot tamper with them
Session timeout, expiration, and authentication enforcement must live on the server, not the client. If timing or authorization is tracked in client-controlled data such as cookies, an attacker can manipulate it to extend a session indefinitely, so security controls belong where the user cannot reach them.
Trap Trusting client-side cookie values to enforce session timeout; an attacker edits them, so the server must track inactivity itself.
6 questions test this
- Where should session timeout controls be enforced to ensure they cannot be bypassed by attackers?
- To prevent attackers from bypassing security controls, where should authentication and session enforcement mechanisms be implemented?
- Where should security controls like session timeouts be enforced for maximum security?
- Which component should enforce session timeout settings to prevent manipulation by attackers?
- Where should session timeout management and expiration be primarily enforced?
- Where should session timeout management and expiration controls be enforced?
- Review access periodically and on every role change to stop privilege creep
Privilege creep is the gradual accumulation of access rights beyond what a user's current job needs, typically when someone changes roles but keeps old permissions. Counter it with periodic (regular) access reviews plus event-driven reviews triggered by transfers, removing rights that are no longer required to keep least privilege intact.
Trap Granting new access on a role change without removing the old; keeping both is exactly how privilege creep accumulates.
9 questions test this
- How often should organizations conduct access reviews to effectively maintain the principle of least privilege in an RBAC environment?
- An organization notices that employees who have changed roles multiple times retain access from all their previous positions. What security…
- Which practice is MOST important for maintaining effective privilege management over time?
- What security risk occurs when users accumulate access permissions over time that exceed their current job requirements?
- What security concern occurs when employees change roles within an organization but retain their previously assigned privileges in addition…
- Which process should be performed when an employee transfers to a different department within the same organization?
- What is the BEST practice for maintaining the principle of least privilege in an RBAC environment over time?
- What is 'privilege creep' in the context of user account management?
- What is the term used to describe the gradual accumulation of access rights beyond what a user needs for their assigned job functions?
- Disable a leaver's access immediately so no orphan accounts remain
When an employee is terminated, the first and most critical step is to immediately disable or revoke all of their access, ideally driven by an HR-initiated lifecycle event. Accounts left active after someone departs become orphan accounts that former staff, contractors, or attackers can still use to reach internal systems and data.
Trap Deleting the leaver's data or escalating to legal before cutting access; revoking the credentials comes first to close the window for unauthorized entry.
10 questions test this
- When a terminated employee's badge is returned to Human Resources, what action should the electronic access control system administrator…
- When an employee is terminated from an organization, what is the MOST important immediate action regarding their physical access badge?
- What is the MOST significant security risk when employees are not promptly de-provisioned from company systems after leaving the…
- What is the PRIMARY security risk associated with orphan accounts in an organization's systems?
- When an employee is terminated from an organization, which action should be performed FIRST regarding their user account?
- When an employee leaves an organization, what is the PRIMARY security concern if the user account is not properly de-provisioned?
- When an employee is terminated from an organization, what is the MOST critical first step in the de-provisioning process?
- When an employee leaves an organization, what is the MOST critical immediate action regarding their user account?
- Which security principle is MOST directly supported by the timely de-provisioning of user accounts when employees leave an organization?
- When an employee is terminated, what is the MOST critical immediate security action regarding their user account?
- RBAC grants access by role so administration scales, and senior roles can inherit junior permissions
Role-Based Access Control assigns permissions to roles and users to roles, so admins manage stable roles instead of editing each user individually, which is its main advantage at scale. A role hierarchy lets senior roles automatically inherit the permissions of junior roles, further reducing duplication.
Trap Assigning permissions directly to each individual user; that does not scale and is the very overhead RBAC's role layer removes.
3 questions test this
- Which RBAC concept allows senior roles to automatically acquire the permissions of junior roles?
- What is a PRIMARY advantage of using Role-Based Access Control compared to assigning permissions directly to individual users?
- When an employee changes positions within an organization using RBAC, what is the MOST appropriate access management action?
Also tested in
References
- https://csrc.nist.gov/glossary/term/least_privilege
- https://csrc.nist.gov/glossary/term/need_to_know
- https://csrc.nist.gov/glossary/term/separation_of_duty
- https://csrc.nist.gov/glossary/term/discretionary_access_control
- https://csrc.nist.gov/glossary/term/mandatory_access_control
- https://csrc.nist.gov/glossary/term/role_based_access_control
- https://csrc.nist.gov/glossary/term/security_marking