Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
50 Cards in this Set
- Front
- Back
|
Subject
|
An active entity on an organization |
|
|
Object
|
A Passive Data File |
|
|
DAC |
Gives the subject full control of the objects they have been given access to Including: Sharing the objects with other subjects |
|
|
MAC
|
System-enforced access control based on subject's clearances and object's labels |
|
|
RBAC
|
Subjects are grouped into roles, and each defined role has access permissions based upon the role |
|
|
Access Control
|
This is the basis for all security disciplines.
The purpose of access control is to allow authorized users access to appropriate data and deny access to unauthorized users. |
|
|
Confidentiality
|
Seeks to prevent the unauthorized disclosure of information: it keeps data secret.
Confidentiality Attack Example: Theft of PII |
|
|
PII
|
Any information that could identify a person. Including Credit Cards |
|
|
HIPPA
|
Health Insurance Portability and Accountability Act
This law requires that medical providers keep the personal and medical information of their patients private. |
|
|
Integrity
|
Seeks to prevent unauthorized modification of information |
|
|
What are the two types of integrity?
|
2. System Integrity |
|
|
Data Integrity
|
Seeks to protect information against unauthorized modification |
|
|
System Integrity
|
Seeks to protect a system such as Windows Server 2008 server operating system, from unauthorized modification. |
|
|
Availability
|
Ensures that the information is available when needed.
|
|
|
DAD
|
|
|
|
Disclosure |
is the unauthorized disclosure of information |
|
|
Alteration |
Is the unauthorized modification of data. |
|
|
Destruction
|
Is making systems unavailable.
|
|
|
Identity
|
Example: If you name is PersonX, than you identify yourself by saying I am PersonX. NOTE: Identity alone is weak because there is no Proof |
|
|
Authorization
|
Describes the actions you can perform on a system once you are identified and authenticated. |
|
|
Accountability
|
Holds Users accountable for their actions. |
|
|
Non-Repudiation |
Means a user cannot deny (repudiate) having performed a transaction.
|
|
|
Least Privilege
|
Means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. |
|
|
Need to Know |
The user must need to know that specific piece of information before accessing it.
Example: If Sebastian's Practice is treating a patient, least privilege could allow him access, but need to know would not. |
|
|
What is Defense in Depth often called?
|
Layered Defenses |
|
|
Defense in Depth
|
This applies multiple safeguards (also called Controls) to protect an asset. |
|
|
Control
|
Measure taken to reduce risk |
|
|
IDS |
This inspects all inbound and outbound network activity and identifies suspicious pattern that may indicate a network or system attack from someone attempting to break into or compromise a system |
|
|
CIRT
|
Investigates and resolves computer security incidents. |
|
|
DAC
|
Gives subjects full control of objects they have been given access to. INCLUDING: sharing the objects with other subjects |
|
|
What are the 3 most common clearances
|
- Confidential - Secret - Top Secret |
|
|
What are some Non-Linux examples of MAC systems
|
- Purple Penelope NOTE: These systems were developed under tight scrutiny of the U.S. and British governments. |
|
|
What is a Linux example of MAC system?
|
NOTE: Lids is a hardened Linux distribution that uses MAC. |
|
|
NIST
|
This is a non-regulatory federal agency under the department of commerce |
|
|
According to NIST: What are the 3 rules of RBAC? |
2. Role Authorization 3. Transaction Authorization |
|
|
Role Assignment
|
NOTE: The identification and authorization process is not considered a transaction. All other user activities are conducted through transactions. |
|
|
Role Authorization |
A subjects active role must be authorized for the subject. |
|
|
Transaction Authorization
|
A subject can execute a transaction only if the transaction is authorized through the subject's role memberships, and subject to any constraints that may be applied across users, roles and permissions. |
|
|
Non-discretionary Access Control
|
Restricting access to objects based on the identity of the subjects and/or groups to which they belong |
|
|
Why is RBAC a type of non-discretionary access control?
|
The users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects. |
|
|
What are the 3 types of access control?
|
- MAC: Mandatory Access Control - Non-Discretionary Access Control |
|
|
Task-Based Access Control |
This is based on the tasks each subject must perform, such as writing prescriptions, restoring date from a backup tape, or opening a help-desk ticket. NOTE: This is another non-discretionary access control model. |
|
|
Content and context dependent access controls are __________
|
Not full-fledged access control methods in their own right (as MAC and DAC are), but typically play a defense in depth supporting role.
NOTE: They may be added as additional controls, typically to DAC.
|
|
|
Content-dependent access control
|
Add additional criteria beyond identification and authentication: the actual content the subject is attempting to access. EXAMPLE: An employee can view his/her HR Record but is blocked when trying to access others. |
|
|
Centralized Access Control
|
Concentrates access control in one logical point for a system or organization. NOTE: This can be used to provide SSO (Single Sign On) |
|
|
Authentication |
Provide an identity claim |
|
|
Authorization
|
Allowing authenticated subject to sign on a system |
|
|
Accountability |
Ability to Audit a system and demonstrate the actions of subjects |
|
|
Decentralized Access Control |
Allow IT administration to occur closer to the mission an operations of the organization. EXAMPLE: An organization spans multiple locations, and the local sites support and maintain independent system systems, access control databases. NOTE: On the CISSP exam Decentralized Access Control will be spelled out not to be confused with DAC (Discretionary Access Control) |
|
|
Distributed Access Control
|
This is also known as Decentralized Access Control |
