Module 1: Security Technology: Firewall and VPN Flashcards
This is the method by which systems determine whether and how to admit a user into a trusted area of the organization.
access control
This is a security technique that regulates who or what can view or use resources in a computing environment.
access control
This is a fundamental concept in security that minimizes risk to the business or organization.
access control
It is the allowing, restricting, and denying access to resources.
access control
What is the difference between authorization and access?
Access refers to the “means” while authorization refers to the “permission”.
This is the person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
owner
A person who maintains the security of a system, perhaps by adding and removing access by user accounts.
aka. administrator
custodian
A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.
end user
They perform operations on objects or the assets.
subjects (users or processes acting for users)
The most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.
mandatory access control (MAC)
They are a strictly-enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role (role-based access controls) or a specified set of tasks (task-based access controls).
nondiscretionary access control
Least restrictive model; subjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.
discretionary access control (DAC)
This type of access control provides the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information/resources at their disposal.
discretionary access control
This is a form of nondiscretionary access control in which users are assigned a matrix of authorizations for areas of access.
lattice-based access control (LBAC)
Lattice-based access control specifies the level of access each subject has to each object, as implemented in ____ and ____.
Lattice-based access control specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capabilities table.
____ controls are associated with the duties a user performs in an organization, such as a position or temporary assignment like project manager, while task-based controls are tied to a particular chore or responsibility, such as a department’s printer administrator.
role-based
Some consider this access control as a method of providing more detailed control over the steps or stages associated with a role or project.
task-based access control
What are the access control mechanisms?
- identification
- authentication
- authorization
- accountability
access control mechanism
A mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label by which they are known to the system.
I am a user of the system
identification
access control mechanism
It is the process of validating an unauthenticated entity’s purported identity.
I can prove I am a user of the system
authentication
access control mechanism
There are three widely used authentication mechanisms, or authentication factors:
- something you know
- something you have
- something you are
access control mechanism
This is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.
Here’s what I can do with the system
authorization
An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.
access control matrix
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
asynchronous token
An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
dumb card
A plain-language phrase, typically longer than a password, from which a virtual password is derived.
passphrase
A secret word or combination of characters that only the user should know; it is used to authenticate the user.
password
An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
smart card
In access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.
strong authentication
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.
synchronous token
The derivative of a passphrase
virtual password
This is an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some differences between the various other standards.
The Common Criteria for Information Technology Security Evaluation, aka Common Criteria or just CC
The system being evaluated
target of evaluation (ToE)
User-generated specification for security requirements
protection profile (PP)
Document describing the ToE’s security properties
security target (ST)
Catalog of a product’s security functions
security functional requirements (SFRs)
The rating or grading of a ToE after evaluation
evaluation assurance levels (EALs)
How many levels does the evaluation assurance level typically have?
EAL1 - 7
This is a “state machine reference model”—in other words, a model of an automated system that is able to manipulate its state or status over time.
Bell-LaPadula (BLP) confidentiality model
This is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations.
Biba integrity model
Unauthorized or unintended methods of communications hidden inside a computer system.
covert channels
Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
reference monitor
TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.
storage channels
TCSEC-defined covert channels that communicate by managing the relative timing of events.
timing channels
Under the Trusted Computer System Evaluation Criteria (TCSEC), this is the combination of all hardware, firmware, and software responsible for enforcing the security policy.
trusted computing base (TCB)
This model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The model’s change control principles are:
- No changes by unauthorized subjects
- No unauthorized changes by authorized subjects
- The maintenance of internal and external consistency
Clark-Wilson integrity model
This means that the system does what it is expected to do every time, without exception.
internal consistency
This means that the data in the system is consistent with similar data in the outside world.
external consistency
Data item with protected integrity.
Constrained data item (CDI)
Data not controlled by Clark-Wilson; nonvalidated input or any output
Unconstrained data item
Procedure that scans data and confirms its integrity
Integrity verification procedure (IVP)