Weak Points #3 Flashcards
Rule-Based Access Control
An access control model in which access to resources is granted or denied depending on the contents of Access Control List (ACL) entries
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
ABAC Access Policy Properties
Subject (user or process requesting access)
Type of action (for example “read”, “write”, “execute”)
Resource type (medical record, bank account, etc.)
Environment (contextual data, such as time of day or geolocation)
MAC Characteristics
Users are not allowed to change access policies at their own discretion
Labels and clearance levels can only be applied and changed by an administrator
Every resource has a sensitivity label matching a clearance level assigned to a user
PAM
Privileged Access Management:
A security solution that provides control over elevated (i.e. administrative-type) accounts
DER Characteristics
Encoded in binary format
.der and .cer file extensions
Generally used for Java servers
PEM Characteristics
Encoded in text (ASCII Base64) format
.pem .crt .cer .key file extensions
Generally used for Apache servers or similar configurations
PFX & P12 Characteristics
Encoded in binary format
.pfx .p12 file extensions
Generally used for Windows servers
P7B Characteristics
Encoded in text (ASCII Base64) format
.p7b file extension
Generally used for Windows & Java Tomcat servers
IPFIX
An IETF specification that defines how IP flow information is to be formatted and transferred from an exporter to a collector
Order of Volatility
Cache memory -> RAM -> Swap/Pagefile -> Temporary files -> Disk files -> Archival media
Operational Control Examples
Data backups
Configuration management
Awareness programs
Preventative Control Examples
Security guards
System hardening
Separation of duties
Detective Control Examples
Log monitoring
Security audits
CCTV
IDS
Corrective Control Examples
IPS
Backups & system recovery
Alternate site
Fire suppression system
Compensating Control Examples
Backup power system
Sandboxing
Temporary port blocking
Temporary service disablement
CIS (Simplified)
Center for Internet Security:
Configuration guidelines for hardening
ISO/IEC 27001
International standard describing the basic procedure for cybersecurity; focused on establishing and maintaining information systems
ISO/IEC 27002
International standard focused on information security controls (to protect those systems)
ISO/IEC 27701
Adding privacy to ISMS (privacy extension for ISO 27001)
Focuses on privacy data management
ISO/IEC 31000
An attempt to create a global risk management framework
A family of standards providing principles & guidelines for risk management
SOC 2 Audits (SSAE 18)
System & Organization Controls:
Provides detailed information and assurance about a service organization’s security, availability, processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s TSC (Trust Services Criteria)
SOC 2 Audit Type I
Provides a snapshot of the organization’s control landscape at a specific point in time
SOC 2 Audit Type II
Evaluates the effectiveness of controls over a period of at least six consecutive calendar months
CSA
Cloud Security Alliance:
A nonprofit organization promoting best security practices related to cloud computing environments