Week 4: Overview of Security Concepts Flashcards
Access Control refers to
any hardware, software, or organizational/administrative policy or procedure that
grants or restricts access
monitors and records attempts to access
identifies users attempting to access
The transfer of information from an object to a subject is called
access
subject
The subject (e.g. user) is the active element
object
The object (e.g. database) is the passive element
These three essential security principles are known as the
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Confidentiality ensures that only authorized subjects can access objects
Integrity
Integrity ensures that unauthorized or unwanted changes to objects are denied
Availability
Availability ensures that authorized requests for objects are granted as quickly as system and network parameters allow
The term access control describes
The term access control describes a broad range of controls used to enforce these security principles (CIA)
Access controls can be divided into the following seven categories of function or purpose
- Preventive
- Deterrent
- Detective
- Corrective
- Recovery
- Compensation
- Directive
preventive access control
stop unwanted or unauthorized activity from occurring
Examples of preventive access controls include
- fences and locks
- separation of duties and job rotation
- data classification
deterrent access control
A deterrent access control is deployed to discourage violation of security policies
A deterrent implies certain consequences in the event of an attempted or successful violation
Examples of deterrent access controls include
security guards & security cameras
trespass or intrusion alarms
detective access control
A detective access control is deployed to discover unwanted or unauthorized activity
Often detective controls operate after the fact
Examples of detective access controls include
security guards, guard dogs
motion detectors
review of recordings captured by security cameras
audit trails
honeypots or honeynets
intrusion detection systems
incident investigations
corrective access control
A corrective access control is deployed to restore systems after an unwanted or unauthorized activity has occurred
Usually corrective controls have only minimal capability to respond to access violations
Examples of corrective access controls include
antivirus solutions
terminating access
recovery access control
A recovery access control is deployed to repair or restore functions and capabilities after a violation of security policies
Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls
Examples of recovery access controls include
backups and restores
fault-tolerant systems
compensation access control
A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy
Examples of compensation access controls include
personnel supervision, monitoring, and work task procedures
Can also include controls used instead of more desirable controls
For example, if a guard dog cannot be deployed due to proximity to residential areas, a motion detector with a spotlight and a barking sound playback device can be used
directive access control
A directive access control is deployed to direct or control the actions of subjects to force or encourage compliance with security policies
Examples of directive access controls include
security guards and posted notifications
Types of Access Control Implementation
Administrative access controls
Logical/technical access controls
Physical access controls
Administrative access controls
The procedures defined by an organization’s security policy to implement and enforce overall access control
Hiring practices, background checks, and security training
Data classification
Logical/technical access controls
The hardware or software mechanisms used to manage access to resources and systems
Intrusion detection systems
Encryption, smart cards, passwords, and biometrics
Physical access controls
The physical barriers deployed to prevent direct contact with systems or areas within a facility
Guards, fences and locks
Several steps lead up to the ability to hold a person accountable for online actions
Identification
Authentication
Authorization
Auditing
Accountability / Monitoring
Identification
Identification is the process by which a subject professes an identity
A user provides a username, a logon ID, a personal identification number (PIN), or a smart card to represent an identification process
Providing a process ID number also represents an identification process
Once a subject has identified itself, the claimed identity becomes accountable for any further actions undertaken by that subject
IT systems track activity by identities, not by subjects themselves
Authentication
Authentication is the process of verifying that a claimed identity is valid
Requires that a subject provide additional information that must correspond exactly to the identity professed
Three factors of authentication
Type 1. Something you know: any string of characters you have memorized and can reproduce on a keyboard when prompted
passwords, PINs, lock combinations, passphrases
Type 2. Something you have: a physical device that you possess and must have on your person at the time of authentication
smart cards, tokens, memory cards, physical location
Type 3. Something you are (biometrics): a physical characteristic of your person
fingerprints, iris patterns, hand geometry, writing a signature
Strong authentication requires
two or more factors
When two of the same factors are used together, the system is no more secure than it would be if just one factor was used, as a single type of attack could compromise both instances
Authorization
The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity
access control matrix
For authorization: In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity
Auditing
Auditing is the process by which online activities of user accounts and processes are tracked and recorded
Auditing produces audit trails, which can be used to reconstruct events and to verify whether a security policy was violated
NIST Audit Documents
Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)
Minimum Security Requirements for Multi-User Operating Systems (NIST IR 5153)
Requirements for audit data recording
Create, retain, and protect audit records to the extent needed to enable the monitoring, investigation, and reporting of unlawful or unauthorized activity
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions
A subject must provide an ___ to a system to start the authentication process
identity
A subject’s identity is typically considered public information
Authentication verifies the ____ of the subject by comparing one or more factors against a database of valid identities
identity
Authentication factors are typically considered private information
Passwords
The most common, but weakest, authentication technique
Password types
Static vs. dynamic
- Static passwords always remain the same
- Dynamic passwords change after a specified interval of time or use
One-time or single-use passwords
Passphrases
Cognitive passwords (security questions)
One-time or single-use passwords
Dynamic passwords that change every time they are used