Domain 1.1-1.2 Flashcards
What's the purpose of security controls?
Prevent security events, minimize the impact, and limit the damage
control categories
technical
managerial
operational
physical
technical controls
controls implemented by systems. Firewall, anti-virus
managerial controls
administrative controls associated with security design and implementation
security policies and standard operating procedures
operational controls
controls implemented by people instead of systems
example: security guards, employee training
physical controls
limit physical access
ex: guard shack, fences, locks, badge readers
first 3 control types
- Preventive control type- you shall not pass. Think about how it applies to each category of control (TMOP).
- Deterrent- Discourage an intrusion attempt, does not directly prevent access
- Detective- Identify and log an intrusion attempt, may not prevent access.
second 3 control types
- Corrective- Apply a control after an event has been detected, reverse the impact of an event, continue operating with minimal downtime.
- Compensating (temporary fixes)- control using other means because existing controls aren’t sufficient
- Directive- direct a subject towards security compliance. This is the weakest security control because it leaves the decision in the hands of the subject.
non-repudiation
provides proof of the origin, authenticity and integrity of data
can’t deny what you’ve said, no taking it back.
uses a digital signature to verify proof of origin. A digital signature adds to non-repudiation
AAA
Authentication- prove you are who you say you are
Authorization- determines your access rights. What info do you have the right to see?
Accounting- Resources used: login time, data sent and received, etc.
how to authenticate Systems
you authenticate a system by putting a digitally signed certificate on the device.
CA
certificate authority, organizations usually maintain their own so they can digitally sign.
What does no authorization model mean?
you have to give access to each individual every time they need access to resources
Authorization models
defining by roles.
Add Abstraction- clear relationship between the user and resource. Give rights to the role not an individual then assign people to those roles.
Gap analysis
Where you are vs where you want to be. Needs a lot of research usually.
planes of operations
data plane- part of device performing security process
control plane- manages data plane, defines policies and rules
Adaptive identity
apply security controls based on multiple sources, such as where the request is coming from
threat scope reduction
decrease the # of entry points
policy driven access control
combine adaptive identity with predefined set of rules
policy administrator
talks to PEP. Tells PEP to allow or deny access. Generates access tokens or credentials
policy engine
evaluates each access decision based on policy and other info sources
policy enforcement point (PEP)
gatekeeper, all traffic has to pass through PEP
Policy decision point (PDP)
process of making an authentication decision
implicit trust zone
there are trusted and untrusted zones. If someone is coming from untrusted to internal they wouldn’t be allowed.
If they come from trusted to internal they would be implicitly allowed or implied.
subject/system
end users/ applications, non human entities
bollard
fencing
a fence around the area
lighting
add more light, no darkness
sensors
infrared- detects infrared radiation in light and dark (good for motion detection)
pressure- detects pressure change
microwave- detects movement across large areas
ultrasonic- sends a signal and receives reflected sound waves, good for motion detection
cctv
closed circuit tv for video surveillance
honeyfile
file with fake info. alert is sent if file is accessed
honeytokens
allow administrators to identify who it was stolen from or how it was leaked