Domain 1 - Access Control Flashcards
Is an active entity in an Information System
Subject
A passive entity, such as a data file, that subjects act upon
Object
Is an access control model that gives subjects full control of objects they have been given access to, including sharing those objects with other subjects
Discretionary Access Control - DAC
System-enforced access control based on subjects' clearances and objects' labels
Mandatory Access Control - MAC
Is an access control model where subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual
Role-Based Access Control - RBAC
Its purpose is to allow authorized users access to appropriate data and deny access to unauthorized users.
Access Control
Is keeping data secret. Data must only be accessible to users who have the clearance, formal access approval, and the need to know
Confidentiality
Threat to confidentiality
Disclosure of Information
Protects against unauthorized alteration of data
Integrity
Ensures that information is readily accessible to authorized users or programs as the information is needed
Availability
Occurs when subjects not only maintain old access rights but gain new ones as they move from one division to another within an organization.
Authorization Creep
Is another non-discretionary access control model, related to RBAC. It is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket.
Task-based Access Control
Concentrates access control in one logical point for a system or organization.
Centralized Access Control
Used when an organisation spans multiple locations: local sites support and maintain independent systems, access control databases, and data.
Decentralized Access Control
Is a third-party authentication, authorization and accounting system described in RFC 2865 (authentication/authorization) and RFC 2866 (accounting). It uses UDP ports 1812 and 1813 (older deployments used 1645 and 1646).
Remote Authentication Dial In User Service (RADIUS)
Is RADIUS' successor, designed to provide an improved authentication, authorization and accounting (AAA) framework. RADIUS provides limited accountability and has problems with flexibility, scalability, reliability, and security; Diameter instead runs over TCP or SCTP (port 3868) rather than UDP.
Diameter
How wide is the attribute identifier field in RADIUS versus Diameter, and what does that mean for the number of attributes each can define?
RADIUS: 8-bit attribute Type (at most 255 attribute types, with vendor extensions squeezed into Vendor-Specific, type 26). Diameter: 32-bit AVP Code (about 4 billion). Flashcard shorthand: Radius = 8, Diameter = 32.
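Added example, not part of the original flashcards: a minimal RADIUS Access-Request encoder and parser in Python (standard library only) showing the single-octet attribute Type from RFC 2865 and the RFC 2865 User-Password hiding, next to a Diameter AVP encoder with its 32-bit AVP Code from RFC 6733. The shared secret, user name, password, NAS address and authenticator are constructed values, and the function names are this example's own.

```python
import hashlib
import os
import struct
from typing import List, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad the password with NULs to a
    multiple of 16 octets, then XOR each block with MD5(secret + previous block),
    where the first 'previous block' is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the *ciphertext* block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does with the same secret)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: 1-octet Type, 1-octet Length (header included), Value.
    The single Type octet is why RADIUS has at most 255 attribute types."""
    if not 0 <= attr_type <= 255:
        raise ValueError("RADIUS attribute type is a single octet")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_diameter_avp(code: int, value: bytes, flags: int = 0x40) -> bytes:
    """Diameter AVP (RFC 6733 section 4.1): 32-bit AVP Code, 8-bit flags (0x40 = M,
    mandatory), 24-bit length covering header + data but not padding; data is
    padded to a 4-octet boundary. The optional Vendor-ID is omitted (V flag clear)."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("Diameter AVP code is 32 bits")
    length = 8 + len(value)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + value + b"\x00" * (-len(value) % 4)


def build_access_request(identifier: int, authenticator: bytes, secret: bytes,
                         username: bytes, password: bytes, nas_ip: str) -> bytes:
    """Packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    attrs = (encode_radius_attr(ATTR_USER_NAME, username)
             + encode_radius_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_radius_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Return (code, identifier, authenticator, [(type, value), ...]), rejecting
    length fields that do not agree with the bytes actually received."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def demo() -> bytes:
    """Constructed values (no real NAS or server involved)."""
    secret, auth = b"xyzzy5461", os.urandom(16)
    pkt = build_access_request(42, auth, secret, b"nemo", b"arctangent", "192.168.1.16")
    _, _, auth2, attrs = parse_radius(pkt)
    return reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth2)


if __name__ == "__main__":
    print(demo())
```

The password "hiding" is an MD5 keystream keyed only by the shared secret and a per-request authenticator, which is why RADIUS is normally tunnelled (IPsec or RadSec over TLS) on anything but a trusted management network.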
The cornerstone concept of InfoSecurity
The CIA triad
Opposing forces to CIA
DAD - Disclosure, Alteration and Destruction
True or false. Our mission as information security professionals is to balance the needs of CIA and make trade-offs as needed
True
Is the unauthorised disclosure of information
Disclosure
Is the unauthorised modification of data
Alteration
Making systems or data unavailable
Destruction
____ is a claim of who you are
Identity
Proving an identity is called ____
Authentication
____ describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs
Authorisation
____ holds a user accountable for their actions. This is typically done by logging and analysing audit data
Accountability
Means a user cannot deny having performed a transaction. It combines authentication and integrity
Non-repudiation
True or false. You must have both authentication and integrity to have non-repudiation
True
It means users should be granted the minimum amount of access (authorisation) required to do their jobs
Least Privilege
This applies multiple safeguards (also called controls, i.e. measures taken to reduce risk) to protect a single asset
Defence in depth or layered defenses
True or false. All controls can fail, and sometimes multiple controls will fail. Deploying a range of different defense-in-depth safeguards in your organisation lowers the chance that all controls will fail at once.
True
True or false. Under MAC a subject may read an object only if the subject's clearance is equal to or greater than the object's label (and, where compartments are used, the clearance includes every compartment on the label).
True
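Added example, not part of the original flashcards: a small reference monitor in Python that encodes the MAC rule on the card above, with labels made of a hierarchical level plus a set of compartments (need-to-know categories). It checks both directions of the Bell-LaPadula lattice: "no read up" (clearance must dominate the object's label) and "no write down" (the object's label must dominate the clearance). The level ordering, subjects and objects are constructed for the demo.

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (constructed ordering that
# matches the government labels used on these cards).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (need-to-know
    categories). Objects carry labels; a subject's clearance is also a Label."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of
        the other's compartments. Level alone is not enough."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): clearance must dominate the label."""
    return clearance.dominates(obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object's label must dominate the
    clearance, so a Secret subject cannot copy Secret data into a Confidential file."""
    return obj.dominates(clearance)


def mac_decide(clearance: Label, obj: Label, action: str) -> bool:
    """The reference monitor. There is deliberately no owner override: under MAC
    the system, not the object's owner, makes the decision."""
    if action == "read":
        return can_read(clearance, obj)
    if action == "write":
        return can_write(clearance, obj)
    raise ValueError(f"unknown action {action!r}")


def demo() -> dict:
    """Constructed subjects and objects; returns {case: allowed}."""
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    director = Label("Top Secret")  # highest level, but no compartments
    memo = Label("Confidential")
    crypto_report = Label("Secret", frozenset({"CRYPTO"}))
    ts_crypto_file = Label("Top Secret", frozenset({"CRYPTO"}))
    return {
        "analyst reads memo (read down)": mac_decide(analyst, memo, "read"),
        "analyst writes memo (write down)": mac_decide(analyst, memo, "write"),
        "analyst reads crypto report": mac_decide(analyst, crypto_report, "read"),
        "director reads crypto report (level ok, no need-to-know)": mac_decide(director, crypto_report, "read"),
        "analyst writes into TS//CRYPTO file (write up)": mac_decide(analyst, ts_crypto_file, "write"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

The director case is the one worth remembering for the exam: Top Secret clearance does not grant access to a Secret object whose compartment the subject does not hold, because dominance requires both the level and the compartments.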
It defines how information is accessed on a system based on the role of the subject (the user), not on the individual or on the object
Role Based Access Control - RBAC
True or false. RBAC is a type of non-discretionary access control because users do not have discretion regarding the group of objects they are allowed to access and are unable to transfer objects to other subjects.
True
This occurs as individual users gain access to more and more systems over time
Access aggregation
Users gain new entitlements (for example when changing jobs) without shedding the old ones.
Authorisation creep
Is a centralised access control protocol that requires users to send an ID and a static (reusable) password for authentication. The original TACACS uses UDP or TCP port 49 (its successor TACACS+ uses TCP port 49).
TACACS
In a Microsoft (Active Directory) trust relationship, if A trusts B, then A will also trust all of B's trusted partners (if B trusts C, A trusts C). What type of relationship is this?
Transitive trust
This means limiting the access of authorised users to data they require to perform their duties
Least Privilege
This allows an organisation to maintain checks and balances among employees with privileged access by requiring more than one individual to perform parts of a sensitive transaction.
Separation of Duties
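Added example, not part of the original flashcards, covering the RBAC and separation-of-duties cards above: a small role-based access control engine in Python. Permissions hang off roles and an administrator assigns users to roles; there is no operation for a user to pass access to someone else, which is what makes it non-discretionary. It enforces static separation of duties (mutually exclusive roles) at assignment time and a dynamic two-person rule on a payment workflow. Roles, users and the payment object are constructed.

```python
from collections import defaultdict
from typing import Optional


class RBAC:
    """Non-discretionary: an administrator maps permissions to roles and users
    to roles. There is intentionally no 'share' or 'grant to user' method, so a
    user cannot hand access to another subject the way an owner can under DAC."""

    def __init__(self):
        self.role_perms = defaultdict(set)  # role -> {(action, object_type)}
        self.user_roles = defaultdict(set)  # user -> {role}
        self.exclusive = set()              # static SoD: role pairs nobody may hold together

    def grant(self, role: str, action: str, object_type: str) -> None:
        self.role_perms[role].add((action, object_type))

    def exclude(self, role_a: str, role_b: str) -> None:
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role: str) -> None:
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.exclusive:
                raise PermissionError(f"static SoD: {user} holds {held}, cannot also hold {role}")
        self.user_roles[user].add(role)

    def check(self, user: str, action: str, object_type: str) -> bool:
        """Authorization comes only from the roles the user holds."""
        return any((action, object_type) in self.role_perms[r] for r in self.user_roles[user])


class Payment:
    """Dynamic SoD / two-person rule: the approver must be a different person
    from the initiator, even if one account somehow held both permissions."""

    def __init__(self, rbac: RBAC, amount: int):
        self.rbac, self.amount = rbac, amount
        self.initiated_by: Optional[str] = None
        self.approved_by: Optional[str] = None

    def initiate(self, user: str) -> None:
        if not self.rbac.check(user, "initiate", "payment"):
            raise PermissionError(f"{user} may not initiate payments")
        self.initiated_by = user

    def approve(self, user: str) -> None:
        if not self.rbac.check(user, "approve", "payment"):
            raise PermissionError(f"{user} may not approve payments")
        if self.initiated_by is None:
            raise PermissionError("nothing to approve")
        if user == self.initiated_by:
            raise PermissionError(f"{user} cannot approve a payment they initiated")
        self.approved_by = user

    @property
    def complete(self) -> bool:
        return self.initiated_by is not None and self.approved_by is not None


def build_demo() -> RBAC:
    """Constructed roles and users."""
    rbac = RBAC()
    rbac.grant("clerk", "initiate", "payment")
    rbac.grant("clerk", "read", "invoice")
    rbac.grant("manager", "approve", "payment")
    rbac.grant("manager", "read", "invoice")
    rbac.exclude("clerk", "manager")  # nobody may be both initiator and approver
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "manager")
    return rbac


def run_payment(rbac: RBAC, initiator: str, approver: str) -> bool:
    """True if the two-person workflow completes, False if any check denies it."""
    payment = Payment(rbac, 5000)
    try:
        payment.initiate(initiator)
        payment.approve(approver)
    except PermissionError:
        return False
    return payment.complete


if __name__ == "__main__":
    rbac = build_demo()
    print("alice initiates, bob approves:", run_payment(rbac, "alice", "bob"))
    print("alice initiates and approves:", run_payment(rbac, "alice", "alice"))
```

Two layers are deliberate: the static exclusion stops an administrator from ever creating a user who could do both halves, and the workflow check catches the case where that rule was bypassed or the roles were later edited.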
This describes a process that rotates staff through positions so that different people perform the same duty over time, which limits how long any one person can sustain a fraud or error unnoticed.
Rotation of Duties
Is a label applied to information the unauthorised disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
Top Secret
Is a label applied to information the unauthorised disclosure of which reasonably could be expected to cause serious damage to the national security.
Secret
Is a label applied to information the unauthorised disclosure of which reasonably could be expected to cause damage to the national security.
Confidential
Is a determination about whether or not a user can be trusted with a specific level of information
Clearance
Remember: objects have labels, subjects have clearances
Is documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements for accessing the data and the consequences should the data be lost, destroyed or compromised
Formal Access Approval
What are the six access control types?
Preventive, Detective, Corrective, Recovery, Deterrent, Compensating
Three access control categories
Administrative
Technical
Physical
Is a type of access control that prevents actions from occurring.
Preventive
Are controls that alert during or after a successful attack
Detective
Is a control that works by correcting a damaged system or process
Corrective
After a security incident has occurred, this type of control may have to be applied to restore the functionality of the system and the organisation.
Recovery
This control deters users from performing actions on a system (e.g. warning banners, visible cameras)
Deterrent
Is an additional security control put in place to compensate for weaknesses in other controls
Compensating
These controls are implemented by creating and following organisational policy, procedure, or regulation. User training and awareness also fall into this category
Administrative
These controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system. Examples include firewalls, routers, encryption, etc.
Technical
These controls are implemented with physical devices such as locks, fences, gates, security guards, etc…
Physical
Is a term used for the combination of both identification and authentication of a user
Credential set
Three basic authentication factor types
Type 1 - something that you know
Type 2 - something that you have
Type 3 - something you are
Is a reusable password that may or may not expire
Static password
____ are long static passwords composed of the words of a phrase or sentence
Passphrase
This password is valid for a single authentication only and cannot be reused
One time password
____ are passwords that change at regular intervals
Dynamic Passwords
This requires that a user present more than one type of authentication factor (e.g. something known plus something possessed); two factors of the same type, such as two passwords, do not qualify
Strong authentication or multifactor authentication