Question | Answer |
--- | --- |
access control | granting or denying approval to use specific resources |
roles in access control | owner |
roles in access control | custodian |
roles in access control | end user |
basic steps in access control | identification |
basic steps in access control | authentication |
basic steps in access control | authorization |
basic steps in access control | access |
authentication | checking the person's credentials or ID when logging into the system |
authorization | granting permission to take action |
access control model | standard that provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications |
four major access control models | mandatory access control |
four major access control models | discretionary access control |
four major access control models | role based access control |
four major access control models | rule based access control |
MAC | typically found in military settings in which security is of supreme importance |
two elements of MAC | labels |
two elements of MAC | levels |
two major implementations of mandatory access control | lattice model |
two major implementations of mandatory access control | bell-lapadula model |
lattice | a type of screen or fencing that is used as a support for climbing garden plants |
bell-lapadula model | protection prevents subjects from creating a new object or performing specific functions on objects that are at a lower level than their own |
microsoft windows four security levels | low |
microsoft windows four security levels | medium |
microsoft windows four security levels | high |
microsoft windows four security levels | system |
dac | discretionary access control |
dac | least restrictive |
dac model | every object has an owner who has total control over that object |
dac has two significant weaknesses | poses risks in that it relies on decisions by the end user to set the proper level of security |
dac has two significant weaknesses | subject's permissions will be inherited by any programs that the subject executes |
role based access control | rbac |
rbac | non discretionary access control |
rbac | based on a user's job function within an organization |
rbac model | assigns permissions to particular ???? pg 340 |
access control models | mandatory access control |
access control models | discretionary access control |
access control models | role based access control |
access control models | rule based access control |
establishing a set of best practices for limiting access | can also help secure systems and data |
best practices for access control | separation of duties |
best practices for access control | job rotation |
best practices for access control | least privilege |
best practices for access control | implicit deny |
best practices for access control | mandatory vacation |
separation of duties | requires that if the fraudulent application of a process could potentially result in a breach of security, then the process should be divided between two or more individuals |
job rotation | individuals are periodically moved from one job responsibility to another |
job rotation advantages | limits the amount of time that individuals are in a position to manipulate security configurations |
job rotation advantages | helps to expose any potential avenues for fraud by having multiple individuals with different perspectives learn about the job and uncover vulnerabilities that someone else may have overlooked |
job rotation advantages | reduce burnout |
challenges of least privileges | legacy applications |
challenges of least privileges | common administrative tasks |
challenges of least privileges | software installation/upgrade |
least privilege in access control | means that only the minimum amount of privileges necessary to perform a job or function should be allocated |
object | specific resource |
subject | user or process functioning on behalf of the user |
implicit deny | means that if a condition is not explicitly met then the request for access is rejected |
dac model that uses explicit deny | have stronger security because access control to all users is denied by default and permissions must be explicitly granted to approved users |
access control list | set of permissions that are attached to an object |
access control entry items | security identifier |
access control entry items | an access mask that specifies the access rights controlled by the ace |
access control entry items | a flag that indicates the type of ACE |
access control entry items | a set of flags that determine whether objects can inherit permission |
operation | the action that is taken by the subject over the object |
labels | represent the relative importance of the object |
in a system using mandatory access control every entity | is an object |
MAC grants permissions by | matching object labels with subject labels based on their respective levels |
rule based role based access control | can dynamically assign roles to subjects based on a set of rules defined by a custodian |
sudo | superuser do command |
sudo | prompts the user for their personal password and confirms the request to execute a command |
registry | a database that stores settings and options for the operating system |
group policy | windows feature that provides centralized management and configuration of computers and remote users using the microsoft directory services active directory |
rbac | third access control model assigns permissions to particular roles in the organization, and then assigns users to those roles |
rule based role based access control | dynamically assigns roles pg 340 |
local group policy | lgp |
lgp | used to configure settings for systems that are not part of active directory |
two common account restrictions | time of day |
two common account restrictions | account expiration |
time of day restrictions | can be used to limit when a user can log on to a system |
orphaned accounts | user accounts that remain active after an employee has left an organization |
dormant accounts | an account that has not been accessed for a lengthy time period |
recommendations for dealing with orphaned or dormant accounts | establish a formal process |
recommendations for dealing with orphaned or dormant accounts | terminate access immediately |
recommendations for dealing with orphaned or dormant accounts | monitor logs |
account expiration | process of setting a user's account to expire |
AAA | authentication, authorization, accounting |
most common type of authentication and AAA servers | RADIUS |
most common type of authentication and AAA servers | Kerberos |
most common type of authentication and AAA servers | Terminal access control access control systems |
most common type of authentication and AAA servers | generic servers built on lightweight directory access protocol |
radius | remote authentication dial in user service |
kerberos | used to verify the identity of networked users |
radius is suitable for | high volume service control applications |
supplicant | wireless device |
radius | allows an organization to maintain user profiles in a central database that remote servers can share |
terminal access control access control system | tacacs |
tacacs | is an authentication service commonly used on unix devices that communicates by forwarding user authentication information to a centralized server |
directory service | database stored on the network itself that contains information about users and network devices |
RADIUS features | user datagram protocol |
RADIUS features | combined authentication and authorization |
RADIUS features | unencrypted communication |
TACACS features | transmission control protocol |
TACACS features | encrypted communication |
TACACS features | interacts with kerberos |
TACACS features | can authenticate network devices |