Principles of Cyber Security Flashcards
DAC
Discretionary Access Control
DAC: DACL
DAC List
Tracks permissions against each object
DAC: Access Matrix
Combined DACLs
DAC: Advantages
Easily Implementable
Highly Flexible
DAC: Disadvantages
Poor Scaling (Matrix Explosion)
Prone to Mistakes (Complex Policy Management)
Frequent Changes
MAC
Mandatory Access Control
MAC: Object Access Requirements
At least the specified clearance level
All need-to-knows
MAC: Advantages
Most Secure
Easily Scalable
MAC: Disadvantages
Not Flexible
Limited User Functionality
High Admin Overhead
RBAC
Role-based Access Control
RBAC: Role Hierarchies
Roles can inherit permissions from other roles
RBAC: Constraints
Restricts roles:
- Mutually Exclusive Roles (Subject has only one role)
- Cardinality Restrictions (Constrain number of subjects assigned to role)
- Prerequisite Roles (Must hold specified role before assignment of new role)
RBAC: Consolidated
Combines Role Hierarchies and Constraints
RBAC: Advantages
Scalable
Flexible (Loose coupling of users and permissions)
RBAC: Disadvantages
Roles need provisioning and maintenance
Possible rule explosion
Cannot accommodate real-time context
ABAC
Attribute-based Access Control
ABAC: Subject Attributes
Identity and characteristics of a subject e.g. name, job title, etc.
ABAC: Object Attributes
Extracted from object metadata
ABAC: Environment Attributes
Describe the current environmental context e.g. current malware threat
ABAC: Advantages
Dynamic
Fine-grained
Considers the Environment
ABAC: Disadvantages
Attributes need provisioning and maintenance
Possible Attribute Explosion
Complexity to Design and Implement
CVE
Common Vulnerabilities and Exposures (CVE)
A weakness knowledge base that lists common identifiers for publicly known cybersecurity vulnerabilities.
Each entry contains
- CVE ID
- A brief description
- Any pertinent references, e.g. vulnerability reports
NVD
National Vulnerability Database (NVD)
A weakness knowledge base informed by CVE and run by the U.S. government
NVD analyses CVEs
CWE
Common Weakness Enumeration (CWE)
A weakness knowledge base. Community-developed list of common software weaknesses and vulnerabilities.
Acts as a baseline for weakness identification, prevention, and mitigation
CAPEC
An Attack Technique Knowledge Base
Describes common techniques employed by adversaries
Focuses on application security by enumerating exploits against vulnerable systems (including Social Engineering and Supply Chain Attacks)
Lists exploits of vulnerable systems
ATT&CK
An Attack Technique Knowledge Base
Describes phases in an adversary’s lifecycle and specific TTPs that APTs use.
Focuses on network defence by providing a contextual understanding of malicious behaviour. Focuses on adversaries' interactions with the system, not the tools used
TTP
Tactics, Techniques, and Procedures
Cyber Essentials
A UK cybersecurity certification scheme designed to help businesses protect themselves against the most common cyber threats
Cyber Essentials: Firewalls
Ensure only necessary network services can be accessed from the internet to reduce exposure to attacks
All inbound connections are blocked by default, except those to services meant to be accessed from the internet, and every inbound rule that accepts connections must be justified and documented