Domain 3 Flashcards
What do Data Centers contain?
Contains all of the servers, storage, and other computing resources needed to run business
What is a flaw for Server Rooms?
Lacks strong security controls
Media storage facilities contains what?
Contains sensitive data and must have security standards equal to or even greater than the main data center due to their remote locations
What is an Evidence storage rooms?
Room safe from intrusion that stores evidence that may be used in court. Investigators must document and preserve chain of custody ensuring evidence is not tampered
What happens if a Wiring Closets is not properly secured?
If not properly secured, they can offer an intruder physical access to eavesdrop on network communications or gain access to sensitive networks
Cable distribution runs are what?
Cable that leaves wiring closets and travel around an organization’s facility to deliver network connectivity
Bollards are what?
Used to block sidewalks and access roads
Crime Prevention through environmental design (CPTED) have what 3 goals?
3 goals:
1. Natural surveillance – facilities are designed in a way that allows employees and passerby to observe what is happening around the facility and notice a potential intruder
2. Natural access control – Uses gates and other structures to funnel people into a single point of entry and limits ability of an intruder to get to areas where they might not be under surveillance
3. Natural territorial reinforcement – Makes it obvious that an area is closed to the public through signage, landscaping, lighting, and similar techniques
Closed-circuit television (CCTV) cameras provide what?
Provides an added level of monitoring to areas where visitors are present.
Two-person rule ensures what?
Ensures personnel involved in very sensitive operations act appropriately.
Two-person integrity required what?
Two people be present for any access to a sensitive area
Two-person control is used for what?
Used to control access to very sensitive functions, requiring the concurrence of two individuals to carry out an action
Authorization is what?
Final step in access control process
Least privilege is what type of principle
Principle stating that an individual should only have minimum set of permissions necessary to accomplish their job duties
2 important reasons:
1. Minimizes potential damage from insider attack
2. Limits ability of an external attacker to quickly gain privileged access when compromising an employee’s account
Segregation of duties means what?
No single person should possess two permissions that, in combination, allow them to perform a sensitive operation
“Separation of duties”
Exam uses segregation
Authorization Models contains what 3 Access Controls?
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Mandatory Access Control (MAC) is what?
Most stringent type of access control
Operating system itself restricts permissions that can be granted to users and processes on system resources. Permissions granted by systems based on series of labels placed on users and objects they want to access
Discretionary Access Control (DAC) is what?
Allows users to assign access permissions to other users; owners of files, computers, and other resources have discretion to configure permissions as they see fit
Role Based Access Control (RBAC) is what?
Admins create job-based roles and then assign permissions to those roles. They then assign users to the roles.
What are some Account types
User
Administrator
Guest
Shared/Generic
Service
User accounts is what?
Assigned to individual user and grants routine access to resources
Administrator account have what?
Have extensive privileges to modify system configurations.
Highly Sensitive
Guarded by using Privileged Account Management (PAM)
Guest Accounts provide what?
Provides users with temporary access to resources
Shared/Generic Accounts is what?
Account where more than one individual has access to use the account
Difficult to trace who performed an action with shared account
Service Accounts is used how?
Used internally by a system to run a process or perform other actions
Non-Repudiation is what type of security goal?
Security goal that prevents someone from falsely denying that something is true.
Digital signature uses what?
Uses encryption technology to provide non-repudiation for electronic documents
Account Management Tasks do what?
Implementing job rotation schemes
Mandatory Vacation Policies
Managing the account life cycle
Job Rotation do what?
Moves employees through different positions
Added security benefit of reducing the likelihood of fraud
Mandatory Vacation policies requires what?
Require time away from work
Requires staff in key positions take a minimum number of consecutive vacation days each year and not have access to corporate systems
Managing account life cycle is what?
Name convention – aids in identifying specific users
Inaccurate permissions mean what?
Block work and/or violate least privilege
Account audits protect against what?
Protect against inaccurate permissions
USER ACCOUNT AUDITS:
1. Pulls permissions list
2. Review with managers
3. Making adjustments
Attestation does what?
Reviews formal approval documentation
Continuous Account Monitoring does what?
- Watch for suspicious activity
- Alert administrators to anomalies
Access Policy Violations implies to what?
- Impossible travel time logins
- Unusual network location logins
- Unusual time-of-day logins
- Deviations from normal behaviors
- Deviation in volume of data transferred
Geotagging adds what?
Adds user location information to logs
Geofencing alerts what?
Alerts when a device leaves a defined boundary
Provisioning means what?
After onboarding, admins create authentication credentials and grant appropriate authorization
Deprovisioning means what?
During offboarding process
Admins disable accounts and revoke authorizations at the appropriate time
Prompt Termination is Critical. Why?
Prevents users form accessing resources without permission
Especially critical when a user leaves under adverse circumstances
Routine Workflow disables what?
Disables accounts on a scheduled basis for planned departures
Emergency Workflow immediately does this.
Immediately suspends access when user is unexpectedly terminated
Incorrectly Timed Account Revocations does what?
May inform a user in advance of pending termination
May allow a user access to resources after termination
What are the Administrative Controls in relation to Access control?
Directive Controls. Organizational policies and procedures
What are the Technical Controls in relations to Access Controls?
Hardware/software/firmware - firewalls, routers, encryption
What are physical controls in relation to Access Controls?
Locks, fences, guards, dogs, gates, bollards
What are the 6 different types of access controls?
Preventative - prevents attacks
Detective - detects during or after an attack
Corrective - corrects an attack
Recovery - helps recover
Deterrent - deter attacks
Compensating - compensates from an attack
Name the ASTM Standard Gates
Class I Residential
Class II Commercial/General Access
Class III Industrial/Limited Access
Class IV Restricted Access
What are the Centralized Pros (Decentralized Cons) for Access Control Systems?
All systems and locations have the same security posture
What are the Centralized Cons (Decentralized Pros) for Access Control Systems?
Traffic overhead and response time
Hybrid is what in regard to the centralized and decentralized controls?
Centrally-controlled. Both Centralized and decentralized controls are used
What is JIT?
Just in Time Access Control
Employee logs into normal account
The first time they visit third party website, the website confirms employment
Confirm how longwith employment to determine how many points to give.
What is context-based access control?
Access to an object is controlled based on certain contextual parameters, such as location, time sequence of responses, access history
ABAC
Content-Based Access Control is what?
Access provided based on attributes or content of an object (content-dependent access control)
Least privilege is the minimum necessary access. What do we give the users/systems?
Exactly the access they need, nor more, no less
What should be known even if you have access to Need to Know materials?
If you do not need to know, then you should not access the data.
What is the concept of Separation of Duties?
More than one individual in one single task is an internal control intended to prevent fraud and error
What do we know of Job Rotations?
To detect errors and frauds. Easier to detect fraud and there is less chance of collusion between individuals if they rotate jobs
Why must Mandatory Vacations be done?
To ensure one person is not always performing the same task, someone else has to cover and it can keep fraud from happening or help detect it.
