Week 10 - Systems Security Flashcards
Achieving the security of CIA and non-repudiation depends on?
Authentication - identity to entity
Malware is?
intrusive software designed to damage or take control of a system
NCSC - reduce reliance on passwords
use single sign on (SSO) - uses MFA to check identity then grants a token that can be used instead of password.
NCSC - implement technical solutions
use controls such as max number of authentication attempts
NCSC - protect all passwords
encryption
NCSC - password overload
human factor, password management systems, good practices and against password expiry
NCSC - help generate better passwords
use machine generated passwords, or “three random words”
NCSC - training
provide guidance and advice
DoS is?
Denial of service, high level of requests over a network which floods the machine/network, responses fail
combination of authentication and authorisation is?
access control
Access control list (ACL)
a list of who has authorisation to communicate with whom
Specifying authorisation rules, terms used?
subject - entity
object - the asset on which the operation is being performed
action - the operation being attempted
permission - allowed or denied
two key security properties that authorisation enables in a system:
least privilege
authorisation to perform minimal set of operations to complete function
separation of privileges
separation of duties so that no 1 employee is given enough privilege to misuse the system
Mandatory access control (MAC)?
Access to resources is strictly controlled by the operating system (OS) as specified by the system administrator
Advantages of MAC?
high level security, every subject and object has sensitivity label with NWU and NRD
Disadvantages of MAC?
large surface area, human error with assigning labels, wrong input gives access to unauthorised personnel or denies access to correct entity
high admin and maintenance costs
Discretionary Access Control (DAC)?
widely used, subjects set access control on objects they own. based on trust
DAC - permissions?
grants entities the right to read, write or execute object
DAC - read?
abbr. - (r) open, make no changes
DAC - write
abbr. - (w) make changes
DAC - execute
abbr. - (x) run a program
Advantages of DAC?
easy to implement, users give permissions and security
Disadvantages of DAC?
lack of accountability, difficult to execute in larger settings, not good for limited access permissions
Role based access controls (RBAC)
users are assigned roles, objects are accessed by users with appropriate roles
advantages of RBAC?
sets roles across an organisation, users automatically assigned the correct transactions once in a role, users cannot receive permissions outside of role.
disadvantages of RBAC?
creating roles more difficult than DAC, role explosion (creating more roles if not checked).
Reference monitor?
enforces access control rules, if no rules - default is applied.
three main types of accountability?
non-repudiation
cannot deny
digital forensics
traces in the log, logs of interacting entities
compliance
operating in accordance with the relevant standards, regulations, or internal policies.
GDPR?
general data protection regulation
privacy and security law, what personal information can be collected, regulates how data is processed or stored
Accountability challenges?
volume of logs,