Domain 1.1-1.2 Flashcards
what's the purpose of security controls
Prevent security events, minimize the impact, and limit the damage
control categories
technical
managerial
operational
physical
technical controls
controls implemented by systems. Firewall, anti-virus
managerial controls
administrative controls associated with security design and implementation
security policies and standard operating procedures
operational controls
controls implemented by people instead of systems
example: security guards, employee training
physical controls
limit physical access
ex: guard shack, fences, locks, badge readers
first 3 control types
- Preventive- you shall not pass. Think about how it applies to each category of control (TMOP: technical, managerial, operational, physical).
- Deterrent- Discourage an intrusion attempt; does not directly prevent access.
- Detective- Identify and log an intrusion attempt; may not prevent access.
second 3 control types
- Corrective- Apply a control after an event has been detected; reverse the impact of the event and continue operating with minimal downtime.
- Compensating (temporary fixes)- control using other means because existing controls aren't sufficient.
- Directive- direct a subject towards security compliance. This is the weakest security control because it leaves the decision in the hands of the subject.
non-repudiation
provides proof of the origin, authenticity and integrity of data
can't deny what you've said, no taking it back.
uses a digital signature to verify proof of origin; a digital signature adds to non-repudiation.
AAA
Authentication- prove you are who you say you are
Authorization- determines your access rights. what info do you have the right to see
Accounting- Resources used: login time, data sent/received, etc.
how to authenticate Systems
you authenticate a system by putting a digitally signed certificate on the device.
CA
certificate authority; organizations usually maintain their own so they can digitally sign.
What does no authorization model mean?
you have to give access to each individual every time they need access to resources
Authorization models
defining by roles.
Add abstraction- clear relationship between the user and the resource. Give rights to the role, not to an individual, then assign people to those roles.
Gap analysis
Where you are vs where you want to be. Needs a lot of research usually.