Module 1: Security Technology: Firewall and VPN Flashcards
This is the method by which systems determine whether and how to admit a user into a trusted area of the organization.
access control
This is a security technique that regulates who or what can view or use resources in a computing environment.
access control
This is a fundamental concept in security that minimizes risk to the business or organization.
access control
It is the allowing, restricting, and denying access to resources.
access control
What is the difference between authorization and access?
Access refers to the “means” while authorization refers to the “permission”.
This is the person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
owner
A person who maintains the security of a system, perhaps by adding and removing access by user accounts.
a.k.a. administrator
custodian
A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.
end user
They perform operations on objects or the assets.
subjects (users or processes acting for users)
The most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.
mandatory access control (MAC)
They are a strictly enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role (role-based access controls) or a specified set of tasks (task-based access controls).
nondiscretionary access control
Least restrictive model; subjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.
discretionary access control (DAC)
This type of access control provides the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information/resources at their disposal.
discretionary access control
This is a form of nondiscretionary access control in which users are assigned a matrix of authorizations for areas of access.
lattice-based access control (LBAC)
Lattice-based access control specifies the level of access each subject has to each object, as implemented in ____ and ____.
Lattice-based access control specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capabilities tables.
____ controls are associated with the duties a user performs in an organization, such as a position or temporary assignment like project manager, while task-based controls are tied to a particular chore or responsibility, such as a department’s printer administrator.
role-based
Some consider this access control as a method of providing more detailed control over the steps or stages associated with a role or project.
task-based access control
What are the access control mechanisms?
- identification
- authentication
- authorization
- accountability
access control mechanism
A mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label by which they are known to the system.
I am a user of the system
identification
access control mechanism
It is the process of validating an unauthenticated entity’s purported identity.
I can prove I am a user of the system
authentication
access control mechanism
There are three widely used authentication mechanisms, or authentication factors:
- something you know
- something you have
- something you are
access control mechanism
This is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.
Here’s what I can do with the system
authorization
An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.
access control matrix
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
asynchronous token