ACCESS CONTROL CONCEPTS Flashcards

1
Q

Subject

A

A subject can be defined as any entity that requests access to our assets.

A subject:

-Is a user, a process, a procedure, a client (or a server), a program, a device such as an endpoint, workstation, smartphone or removable storage device with onboard firmware.
-Is active: It initiates a request for access to resources or services.
-Requests a service from an object.
-Should have a level of clearance (permissions) that relates to its ability to successfully access services or resources.

2
Q

Object

A

An object is a device, process, person, user, program, server, client, or other entity that responds to a request for service.

An object:

-Is a building, a computer, a file, a database, a printer or scanner, a server, a communications resource, a block of memory, an input/output port, a person, a software task, a thread, or a process.
-Is anything that provides service to a user.
-Is passive.
-Responds to a request.
-May have a classification.

3
Q

Rule

A

An access rule is an instruction developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list. One example of a rule is a firewall access control list.

A rule can:

-Compare multiple attributes to determine appropriate access.
-Allow access to an object.
-Define how much access is allowed.
-Deny access to an object.
-Apply time-based access.

4
Q

Least Privilege

A

The Principle of Least Privilege is a standard of permitting only minimum access necessary for users or programs to fulfill their function. Users are provided access only to the systems and programs they need to perform their specific job or tasks.

5
Q

Defense in Depth

A

The access controls covered in these cards are all implementations of access control and form part of a layered defense strategy, also known as defense in depth, developed by an organization.

6
Q

Privileged Accounts

A

Privileged accounts are those with permissions beyond those of normal users, such as managers and administrators.

Typical holders of privileged accounts include:

-Systems administrators, who have the principal responsibilities for operating systems, application deployment and performance management.
-Help desk or IT support staff, who often need to view or manipulate endpoints, servers and application platforms by using privileged or restricted operations.
-Security analysts, who may require rapid access to the entire IT infrastructure, systems, endpoints and data environment of the organization.

7
Q

Segregation of duties

A

A core element of authorization is the principle of segregation of duties (also known as separation of duties).

8
Q

Two Person Integrity

A

The two-person rule is a security strategy that requires a minimum of two people to be in an area together, making it impossible for a person to be in the area alone.
