Domain_3 Flashcards
Secure design principles
Principles like least privilege, defense in depth, secure defaults, fail securely, separation of duties, keep it simple, zero trust, privacy by design, trust but verify, shared responsibility
Quantum cryptography
Relevant and expanded information versus the official study guide for selecting and determining cryptographic solutions
Cryptanalytic attacks
Brute force, ciphertext only, known plaintext, frequency analysis, chosen ciphertext, implementation attacks, side-channel, fault injection, timing, man-in-the-middle (MITM), pass-the-hash, Kerberos exploitation, ransomware
Purpose of a security model
Provides a way for designers to map abstract statements into a security policy, determines how security will be implemented and what subjects/objects can access the system
State machine model
Describes a system that is always secure no matter what state it is in based on the computer science definition of a finite state machine
Information flow model
Focuses on the flow of information, includes Biba and Bell-LaPadula models
Non-interference model
Concerned with how higher security level subjects affect lower level subjects, ensures different subjects/objects don’t interfere with each other
Lattice-based model
Based on the interaction between objects and subjects, used to define security levels
Simple security property
Describes rules for read operations (no read up)
Star (*) security property
Describes rules for write operations (no write down)
Invocation property
Rules around invocations (calls) to subjects
Bell-LaPadula
No read up, no write down
Biba
No read down, no write up
Clark-Wilson
Access control triple (principal
Brewer and Nash (Chinese Wall)
Prevents conflict of interest problems
Mandatory Access Control (MAC)
Enforces policy determined by the system using classification labels, not by object owner
Role of security policy
To inform and guide the design, development, implementation, testing, and maintenance of a system
Trusted Platform Module (TPM)
A chip on the motherboard for storage and management of encryption keys, provides OS access to keys
Trusted Computing Base (TCB)
Combination of hardware, software and controls that enforce the security policy
Reference monitor
The logical part of the TCB that confirms access rights prior to granting access
Security kernel
The collection of TCB components that implement the reference monitor functionality
Common Criteria
Enables objective evaluation to validate that a product or system satisfies security requirements, has replaced TCSEC and ITSEC
Covert channel
Method to pass information over a path not normally used for communication, outside normal security controls
Type I hypervisor
Native or bare-metal hypervisor with no host OS
Type II hypervisor
Hosted hypervisor running on top of a regular host OS
Cloud Access Security Broker (CASB)
Security policy enforcement solution for cloud environments
Multifactor Authentication (MFA)
Using multiple factors like something you know, have, and are for authentication
Authentication vs Authorization
Authentication proves identity, authorization grants permissions based on proven identity
Privilege and accountability
Least privilege
Security flaws and vulnerabilities
Buffer overflows, backdoors, time-of-check-to-time-of-use (TOCTTOU) attacks
Secure code principles
Process isolation, layering, abstraction, data hiding
Physical security controls
Administrative (policies, procedures), logical (technical controls), physical (fencing, locks, etc.)
Site selection factors
Visibility, surrounding area, accessibility, natural disaster effects
Secure work area design
Restricted access areas
Physical access control threats
Propping doors, masquerading, piggybacking
Clean power needs
Electronic equipment requires clean, consistent power from sources like UPS systems