Access Control Flashcards
CIA
Confidentiality, Integrity, Availability
Access controls protect against:
Threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality
DAD
Opposing forces of CIA. Disclosure, Alteration, Destruction
Confidentiality
Seeks to prevent unauthorized read access. Example is PII
Integrity
Seeks to prevent unauthorized modification of information
Two types of Integrity
Data Integrity & System Integrity
Data Integrity
seeks to protect information against unauthorized modification
System integrity
seeks to protect a system from unauthorized modification
Availability
ensures that information is available when needed
AAA
Authentication, Authorization, Accountability
Identity
a claim of who you are (like a username)
Authentication
proving an identity claim (like a password)
Authorization
actions you perform on a system once you have identified and authenticated. May include, read, write, execute files/programs
Accountability
holds users accountable for their actions. Typically done by logging and analyzing audit data
Non-Repudiation
user cannot deny having performed a transaction. You must have authentication and integrity to have non-repudiation
Least privilege
users should be granted the minimum amount of access (authorization) required to do their jobs
Need to know
user must need to know that specific piece of information before accessing it (user must have a business need to access the data)
Subject
an active entity on a system. Manipulates objects
Object
Passive data on a system. Does not manipulate other objects
Defense in Depth
applies multiple safeguards (called controls) to protect an asset
Which Access control model is the best?
none, each model is used for a specific information security purpose
What are the primary Access Control Models?
Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Non-Discretionary Access Control
What is DAC?
Discretionary Access Control: gives subjects full control of objects they have been given access to, including sharing the objects with other subjects
What is MAC?
Mandatory Access Control: primarily for Gov’t/Military; system-enforced access control based on subject clearance level and object labels
Two types of non-discretionary access control
Role-based Access Control (RBAC) and Task-based access control
What is RBAC?
Role-based Access Control: defines how info is accessed on a system based on the role of the subject.
Three rules of RBAC?
1. Role Assignment 2. Role Authorization 3. Transaction Authorization
Task-based access control
based on the tasks each subject must perform (focuses on specific tasks rather than roles)
Content- and Context-dependent access controls
not full-fledged access control methods in their own right, but part of a defense-in-depth supporting role
Centralized access control
concentrates access control in one logical point for a system or organization
Decentralized access control
allows IT administration to occur closer to the mission and operations of the organization. Also called distributed access control
Identity Lifecycle Rules
* password policy compliance checking; * notifying users to change passwords before they expire; * ID lifecycle changes such as inactive accounts; * ID new accounts not used for 10 days; * ID suspended accounts; * ID all accounts belonging to expired contracts
Access aggregation
Individual users gain more access to a system over time as jobs change and permissions aren’t removed
What is RADIUS
Remote Authentication Dial-In User Service: considered an AAA system
What is Diameter
successor to RADIUS; provides an improved AAA framework
What is TACACS and TACACS+
Terminal Access Controller Access Control System: centralized access control system that requires users to send an ID and password for authentication