Domain 1: Access Controls Flashcards
Physical Controls
Doors, locks, fences, etc.
Logical Controls
ACLs, IDS, FW, routers, virus protection, activity logging
Administrative controls
Banners, signs, policies, procedures, directives, rules & regs, documents or log-on screens
The types of controls
Physical, Logical, Administrative
Physical Assets
Tangible things such as the building, property, business, equipment, and people
Digital assets
Generally consist of the data contained or stored on the IT systems
Information assets
The content information represented by the digital data
Most important asset to protect
People
Assurance procedures
Procedures that ensure that the access control mechanisms correctly implement the security policy
Subject
User or entity taking the action or accessing a resource such as a database. Always active. May change roles
Object
Item or resource being acted upon by a subject. Always passive. May change roles.
Finger scan technology
Only the features extracted from the fingerprint are stored
Fingerprint technology
Entire fingerprints are stored
False Rejection Rate (FRR)
Type I Error. Percentage of time a biometric system rejects a known good user, thus not allowing access.
False Acceptance Rate (FAR)
Type II Error. Percentage of time a biometric system falsely identifies as good an unknown user, thus allowing access.
Crossover Error Rate (CER)
CER is where the false rejection rate and false acceptance rate cross over. Lower CER means better biometric authentication system.
Signature Dynamics
Biometric factor of handwriting analysis
Voiceprint
Stored voice in the biometric system
Keystroke Dynamics (aka Keystroke pattern recognition)
Recognizes how an individual types on a keyboard. Measures flight time (time between keystrokes) and dwell (length of time a key is pressed).
Dual Control
Two individuals must work together to gain access. aka Split Knowledge, Separation of Duties.
Reverse authentication
The user authenticates to the system and also gains knowledge that the system is in fact genuine. Uses chosen images or personal security questions.
Account Callback
System texts or emails person back with a passcode when they try to authenticate.
Session-Level Access Control
Restrict or Allow actions during a specific communication session. Login Notification, User Inactivity, Multiple logons, Origination location, Session time limit, Continuous Auth (IPsec)
View-based access control
Security control mechanism that restricts the user's actions or displays only the data available to them based on their rights.
Data-level access control
Deals with protecting data in any of its three states. In process. In transit. At rest.
Content-based or Contextual Access Control
Based on the form or content of the actual data. Data content rules.
Physical Data and Printed Media Access Control
Handling and storage access procedures of physical devices
Assurance of accountability
Accountability is the result of a strong identification and authentication system. (Prove they are who they say they are)
Trusted Domain
Contains the user requesting access to a resource in another domain
Trusting Domain
aka Resource Domain. Contains the resource to which access is desired.
One-way trust
Users in one domain may access resources in the second domain, but not vice-versa.
Two-way trust
Both domains trust each other. All AD domains are automatically two-way trust.
Transitive trusts
A trusts B. B trusts C. So A trusts C.
Cloud Vendor Reliability
Financials and ability to provide safeguards and security controls
Data Clearing and Cleansing
Refers to data that may remain on cloud storage after a cloud size is reduced. What happens to data that remains after size reduction?
Cloud client encroachment
If one client has legal issues, it could impact other clients. If one client is attacked, the attacker might access other clients on the same system.
Included by exception
Whitelist, explicitly allowed.
Capability table
Access control list
False positive (re: Authentication)
Unknown user has been identified and authenticated and allowed access to a system.
False negative (re: Authentication)
Known good user is denied access to the system
OPIE
One-time Passwords In Everything
System-Level Access Control
Value of the system. Method of accessing the information.
Capabilities List (MAC)
Security clearances. Labels applied to subjects
Security classifications
aka Information classifications. Labels assigned to objects
Special Access Programs (SAPs)
Control access to, distribution of, and protection of particularly sensitive info (top secret military info).
SCI
200-300 SCI compartments. Each compartment has a code word. Intelligence info.
MAC TCB (Trusted Computer Base) components
Reference monitor, Security Kernel, Audit File
Reference Monitor
Compares subject and object security labels prior to allowing access
Bell-LaPadula Model
No read up, no write down
Biba Model
Information integrity (of objects). Seeks to not increase the integrity of info at a lower level. May not read at a lower level and write to a higher level (No read down, No write up)
Clark-Wilson Model
Concerned with object integrity and separation of duties.
Brewer-Nash Model (Chinese Wall)
Prohibits conflicts of interest. Objects are classified in a manner that indicates conflicts of interest.