A comprehensive overview of access controls in cybersecurity, covering key concepts like identification, authentication, authorization, and accounting. It delves into different types of authentication methods, including knowledge-based, ownership-based, and trait-based authentication. The document also explores various access control models, such as discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and attribute-based access control (ABAC). It further discusses the importance of data classification, asset marking, access policy definition, and data disposal in maintaining information security. The document concludes by examining different types of access controls, including administrative, physical, and technical controls, and their subcategories, followed by AAA protocols (RADIUS, TACACS+, Diameter), 802.1X port-based access control, and host- and network-based intrusion detection and antimalware.
access controls: the administrative, physical and technical controls that govern the interaction between a subject and an object; the objective is to grant, deny or revoke access to a particular object
subject: any active entity that is requesting access to a resource; commonly acts on behalf of a principal
object: the passive entity that is, or contains, the information needed by the subject; it is what the controls protect
four building blocks or processes that characterize access controls: identification, authentication, authorization, accounting
identification: the process by which a subject or user claims an identity (who are you?); ex: user ID, IP address
authentication: the process of proving the identity of a subject or user (can you prove you are who you claim to be?); ex: badge, fingerprint, password
authentication by knowledge: the user gives a secret that only he or she knows; ex: password, PIN; disadvantage: once the secret is compromised or lost, an attacker can authenticate successfully
authentication by ownership: the user is prompted to present evidence of possessing something unique; ex: smart card, badge, token; drawback: if the object is stolen or misplaced, an intruder can authenticate successfully
authentication by trait: something the user is or does, a physiological or behavioral (biometric) attribute; ex: fingerprint, hand geometry, keystroke dynamics, facial recognition, voice; drawback: susceptible to accuracy errors
Type 1 error (false rejection rate, FRR): the system rejects a valid user who should have been authenticated. Type 2 error (false acceptance rate, FAR): the system accepts a user who should have been rejected. The two rates trade off against each other: tightening the matching threshold lowers FAR but raises FRR, and loosening it does the opposite.
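The FRR/FAR trade-off above, worked through in code. This is an added example, not part of the original notes: the match scores are constructed (a real matcher would produce them from sensor samples), the accept rule is "score at or above threshold", and the crossover search reports the equal error rate (EER, also called the crossover error rate), the standard single-number comparison between biometric systems that the notes do not mention.

```python
"""Biometric decision errors: FRR (Type 1) and FAR (Type 2) at a given
threshold, and the threshold at which they cross (EER).
Added example; the similarity scores below are constructed, not from a real sensor."""

from typing import Sequence, Tuple

# Constructed similarity scores (0..100): higher means "more like the enrolled template".
GENUINE_SCORES = [92, 88, 85, 81, 79, 74, 70, 66, 58, 52]   # legitimate users
IMPOSTOR_SCORES = [62, 57, 50, 47, 44, 40, 36, 33, 28, 20]  # attackers / other people


def error_rates(threshold: float,
                genuine: Sequence[float] = GENUINE_SCORES,
                impostor: Sequence[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FRR, FAR) for the policy "accept if score >= threshold".

    FRR (Type 1): fraction of genuine attempts that are rejected.
    FAR (Type 2): fraction of impostor attempts that are accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def tradeoff(thresholds: Sequence[float]) -> list:
    """(threshold, FRR, FAR) rows showing that raising the threshold moves
    error from FAR to FRR."""
    return [(t, *error_rates(t)) for t in thresholds]


def equal_error_rate(genuine: Sequence[float] = GENUINE_SCORES,
                     impostor: Sequence[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, rate) where FRR and FAR are closest; that crossover is the EER."""
    best_t, best_gap, best_rate = None, None, None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (frr + far) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t, frr, far in tradeoff([50, 60, 70]):
        print(f"threshold {t}: FRR={frr:.1f} FAR={far:.1f}")
    print("EER at threshold %s: %.2f" % equal_error_rate())
```

Which threshold to deploy depends on which error costs more: a door to a server room is tuned towards low FAR (accept more Type 1 errors), a convenience login towards low FRR.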
asset or data classification: the process of classifying data based on the risk to the organization should the confidentiality, integrity or availability (CIA) of the data be breached
asset marking: the process of marking or labeling assets or data so that their classification is clear to the user; ex: ServiceNow, InvGate Assets
access policy definition: the process of defining the policies and rules that govern access to an asset
data disposal: the process of disposing of or eliminating an asset or data
military and government classify data using: top secret, secret, confidential, unclassified
top secret: disclosure without authorization would cause grave damage to national security
secret: disclosure without authorization would cause severe damage to national security
confidential: disclosure without authorization would cause damage to national security
unclassified: it has been determined that unauthorized access to this information would not cause any harm to national security
business sector classifies data using: confidential/proprietary, private, sensitive, public
confidential/proprietary: unauthorized access to this information may cause catastrophic harm to the organization
private: unauthorized access to this information may cause extreme harm to the organization
sensitive: unauthorized access to this information may cause limited harm to the organization
public: unauthorized access to this information causes no significant harm
data at rest: data that resides in a storage device such as a hard drive, CD or DVD
data in motion: data moving between two parties; data in this state is subject to higher risk because it leaves the security perimeter
they are ultimately responsible for the security of data and assets
data owner: usually part of the management team; retains ownership of and responsibility for a specific piece or subset of data
data custodian: the person who performs the day-to-day tasks on behalf of the data owner
system owner: responsible for the security of the systems that handle and process information belonging to different data owners
security administrator: manages the process for granting access rights to information
end user: contributes to the security of information by adhering to the organization's security policies
security officer: in charge of the design, implementation, management and review of security policies
information system security professional: responsible for drafting policies, creating standards and guidelines related to information security, and providing guidance on new and existing threats
auditor: responsible for identifying whether owners, custodians and systems comply with the organization's security policies
access control types: administrative controls, physical controls, technical controls
administrative controls: encompass the policies and procedures around the definition of access controls, information classification, and roles and responsibilities; directly overseen by senior management
administrative control subcategories: operational and security policies and procedures; personnel (employee) security policies; security education and training; auditing and monitoring policies
operational and security policies and procedures: include policies around change control, vulnerability management, information classification and product life-cycle management
personnel (employee) security policies: include the level of clearance required to access certain information and background checks on new hires
security education and training: all policies and efforts required to implement end-user training and education
recovery controls: used after the environment or system has been modified by an unauthorized access, to restore the initial behavior; ex: backups, disaster recovery plan
compensating controls: complement or provide an alternative to a primary control; generally used as a temporary measure; the goal is to reduce risk to an acceptable level
identity-based access controls (IBAC): controls that authorize access to resources based on the identity of the subject
discretionary access control (DAC): the object owner has the right to decide who can access the object; simpler than the other models; because owners grant access at their own discretion it is possible to bypass the organization's security policy; no centralized control
non-discretionary access control: broad category that includes all access control models in which authorization is decided by a central administrator rather than the object owner
mandatory access control (MAC): the most restrictive model; access decisions are enforced by the access policy enforcer (a central reference monitor), not by the object owner; uses security labels; strict control over information flow; complex administration; for access to be granted, the subject's clearance label must satisfy (dominate) the object's classification label
role-based access control (RBAC): access decisions depend upon the role or function of the subject; scalable and easy to manage; the number of role definitions tends to grow over time
attribute-based access control (ABAC): access decisions depend on attributes or characteristics of the subject, the object and the environment (user role, identity, security attributes, and so on); flexible but more complicated than DAC or RBAC
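The three models compared above, as an added example that is not part of the original notes. The same check ("may this subject read this object?") is answered three ways: DAC keeps an owner-managed ACL per object (one column of the access control matrix, where the owner can hand out access to anyone, which is exactly how DAC can bypass policy); MAC compares security labels by dominance (level plus compartments, with the Bell-LaPadula "no read up / no write down" rules); ABAC evaluates a predicate over subject, object and environment attributes. Users, levels, compartments, departments and the ABAC rule are all constructed for the example.

```python
"""DAC, MAC and ABAC decisions over the same subjects and objects.
Added example; all names, labels and attributes below are made up."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


# --- DAC: the object owner edits an ACL (one column of the access control matrix) ---
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> permissions

    def grant(self, granter: str, subject: str, perm: str) -> None:
        # Only the owner may change the ACL; this owner discretion is what makes DAC
        # "discretionary" and is also why it can undercut a central policy.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


def try_grant(obj: DacObject, granter: str, subject: str, perm: str) -> bool:
    """Helper for callers that want a boolean instead of an exception."""
    try:
        obj.grant(granter, subject, perm)
        return True
    except PermissionError:
        return False


# --- MAC: label = (sensitivity level, compartments); decided by dominance, not ownership ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_read_allowed(clearance: Label, classification: Label) -> bool:
    """No read up: the subject's clearance must dominate the object's label."""
    return clearance.dominates(classification)


def mac_write_allowed(clearance: Label, classification: Label) -> bool:
    """No write down: the object's label must dominate the subject's clearance,
    so a high subject cannot leak into a low object."""
    return classification.dominates(clearance)


# --- ABAC: the policy is a predicate over subject, object and environment attributes ---
def abac_allows(subject: dict, obj: dict, env: dict) -> bool:
    """Constructed rule: same department, object classification within the subject's
    clearance list, request from the corporate network during business hours."""
    return (subject["department"] == obj["department"]
            and obj["classification"] in subject["cleared_for"]
            and env["network"] == "corp"
            and 8 <= env["hour"] < 18)
```

Note what each model needs to administer: DAC scales with the number of objects (every owner keeps an ACL), MAC with the number of labels (and every object must be labelled before it can be accessed), ABAC with the number and quality of attributes feeding the policy.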
authorization creep or privilege creep: the problem of privileges being assigned to a user and never taken away once the user no longer needs them
user assignment: the assignment of users to roles, made by the security administrator
permission assignment: each role is given permissions over an object
components of the RBAC model (three are named in the model): core RBAC, hierarchical RBAC
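Core and hierarchical RBAC as described above, plus a privilege-creep report, as an added example that is not part of the original notes. Roles, the role hierarchy, the user assignments, and the "last time this role was exercised" log are all constructed; the access-review rule (flag any assigned role that was never used or has been idle longer than a cut-off) is a common recertification practice, not something the notes prescribe.

```python
"""Core + hierarchical RBAC with a privilege-creep (access review) report.
Added example; roles, users and usage dates are constructed."""

from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (operation, object)

# Permission assignment: each role gets permissions over objects (core RBAC)
ROLE_PERMS: Dict[str, Set[Permission]] = {
    "employee": {("read", "intranet")},
    "engineer": {("read", "source"), ("write", "source")},
    "lead":     {("approve", "merge")},
    "finance":  {("read", "ledger"), ("write", "ledger")},
}

# Hierarchical RBAC: a senior role inherits everything its junior role can do
PARENT: Dict[str, Optional[str]] = {"engineer": "employee", "lead": "engineer", "finance": "employee"}

# User assignment: performed by the security administrator, never by the user
USER_ROLES: Dict[str, Set[str]] = {
    "dana": {"lead", "finance"},       # finance is left over from a previous job
    "eve":  {"employee", "engineer"},  # engineer was assigned but never exercised
}

# Constructed usage log: last date each (user, role) pair was actually exercised
LAST_USED: Dict[Tuple[str, str], date] = {
    ("dana", "lead"):    date(2024, 5, 30),
    ("dana", "finance"): date(2023, 9, 1),
    ("eve", "employee"): date(2024, 6, 1),
}


def effective_permissions(role: str) -> Set[Permission]:
    """Walk up the hierarchy and union the permissions of every inherited role."""
    perms: Set[Permission] = set()
    current: Optional[str] = role
    while current is not None:
        perms |= ROLE_PERMS[current]
        current = PARENT.get(current)
    return perms


def allowed(user: str, op: str, obj: str) -> bool:
    return any((op, obj) in effective_permissions(r) for r in USER_ROLES.get(user, set()))


def privilege_creep(today: date, max_idle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, role, reason) for assignments that look like creep:
    never used, or idle longer than max_idle_days."""
    findings = []
    for user, roles in USER_ROLES.items():
        for role in roles:
            last = LAST_USED.get((user, role))
            if last is None:
                findings.append((user, role, "never used"))
            elif (today - last).days > max_idle_days:
                findings.append((user, role, f"idle {(today - last).days} days"))
    return sorted(findings)


def revoke(user: str, role: str) -> None:
    """Remediation step for a confirmed finding."""
    USER_ROLES[user].discard(role)


if __name__ == "__main__":
    for finding in privilege_creep(date(2024, 6, 10)):
        print("review:", finding)
```

The report is only as good as the usage log behind it: if the ledger application never writes an audit record, "finance" for dana looks idle whether or not she still uses it, so the accounting building block feeds directly into keeping authorization clean.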
Access Control Matrix (ACM): three entities: subjects, objects and the set of permissions; each row represents a subject and each column represents an object; read by columns, the matrix is a collection of access control lists (one per object), read by rows it is a collection of capability tables (one per subject)
well-known AAA protocols: RADIUS, TACACS+, Diameter
RADIUS (Remote Authentication Dial-In User Service): used to provide network access services; client/server protocol; can support PPP, PAP, CHAP and EAP; only the user password is encrypted (obfuscated) in Access-Request packets, the rest of the packet travels in clear; strong accounting capabilities
RADIUS port for authentication and authorization: UDP port 1812
RADIUS port for accounting: UDP port 1813
TACACS+ (Terminal Access Controller Access Control System Plus): client/server model; uses TCP (port 49) as the transport protocol, giving a more reliable connection and fault tolerance; separates AAA into three different steps; can optionally obfuscate the full packet body; basic accounting capabilities; allows per-command authorization
TACACS+ request packets are sent from the access server to the TACACS+ server; TACACS+ response packets are sent from the TACACS+ server to the access server
Diameter: capable of working with applications that enable protocol extension
port-based access control: permit or deny a device physically connected to a network port access to a particular resource
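What "encrypts only the user password" (RADIUS) versus "obfuscates the full body" (TACACS+) means on the wire, as an added example that is not part of the original notes. The RADIUS User-Password hiding (RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with MD5(secret || previous block), seeded with the Request Authenticator) and the TACACS+ body obfuscation (RFC 8907 section 4.5: XOR the body with a chained MD5 keystream over session id, key, version and sequence number) are the published algorithms; the shared secrets, the Request Authenticator, the session id and the packet bodies are constructed. Both are keyed MD5 keystreams, not modern authenticated encryption, which is why both RFCs call this obfuscation and why the transport should still be protected.

```python
"""RADIUS User-Password hiding (RFC 2865 s5.2) beside TACACS+ body obfuscation (RFC 8907 s4.5).
Added example; secrets, authenticator, session id and bodies are constructed."""

import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S || RA); c_n = p_n XOR MD5(S || c_{n-1}); password NUL-padded to 16n."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 octets and the authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block  # chaining: next keystream block depends on this ciphertext block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse on the server: same keystream, chained on the received ciphertext blocks."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return plain.rstrip(b"\x00")


def radius_access_request_attrs(username: str, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Attribute TLVs as the NAS sends them: User-Name (type 1) is plaintext,
    only User-Password (type 2) is hidden. Type(1) Length(1) Value."""
    name = username.encode()
    pw = radius_hide_password(password, secret, authenticator)
    return (struct.pack("!BB", 1, 2 + len(name)) + name
            + struct.pack("!BB", 2, 2 + len(pw)) + pw)


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """pseudo_pad = MD5_1 || MD5_2 || ... with MD5_1 = MD5(session_id||key||version||seq_no)
    and MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1}); body XOR pad.
    XOR makes the operation its own inverse. version 0xC0 = major 0xC, minor 0."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])


if __name__ == "__main__":
    secret, ra = b"shared-secret", bytes(range(16))
    attrs = radius_access_request_attrs("alice", b"s3cr3t-p4ss", secret, ra)
    print("RADIUS attrs (username readable):", attrs)
    body = b"constructed TACACS+ authen START body: user=alice"
    print("TACACS+ body on the wire:", tacacs_obfuscate(body, b"tac-key", 0x1234ABCD))
```

The practical consequence: a capture of a RADIUS Access-Request still yields usernames, NAS identifiers and attribute structure, and the password hiding falls to an offline guess of the shared secret; a TACACS+ capture yields only the clear header. Neither substitutes for carrying AAA over a protected path (IPsec, or RADIUS over TLS/DTLS).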
802.1X: IEEE standard used to provide port-based access control; traffic is only allowed on the port once the device has successfully authenticated and been authorized; this port access control technology lets a dynamic authorization policy be pulled from the authentication server
EAP (Extensible Authentication Protocol): used between the supplicant and the authentication server to exchange authentication information; the authenticator (the switch or access point) relays it, carrying it over EAPOL on the wire side and typically over RADIUS towards the server
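The 802.1X exchange described above, scripted end to end with both sides' messages, as an added example that is not part of the original notes. The EAPOL header (version, type, length) and the EAP packet layout (code, identifier, length, type, data) follow IEEE 802.1X and RFC 3748, and the MD5-Challenge response is MD5(identifier || password || challenge) as in RFC 3748 section 5.4. The username, password, challenge and the local user table are constructed; the table stands in for the authentication server that a real authenticator would consult over RADIUS. EAP-MD5 is used only because it is the shortest method to show in full: it offers no server authentication and no key derivation, so production deployments use a TLS-based method such as EAP-TLS or PEAP.

```python
"""802.1X port-based access control with a scripted EAP-MD5 exchange.
Added example; user table, password and challenge are constructed."""

import hashlib
import struct

# EAPOL (IEEE 802.1X) packet types and EAP (RFC 3748) codes/types used here
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eap_pack(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def eapol_pack(ptype, body=b""):
    """EAPOL header: Version(1) Type(1) Body-Length(2); version 2 per 802.1X-2004."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def eapol_unpack(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def md5_challenge_response(ident, password, challenge):
    """RFC 3748 s5.4: MD5(Identifier || secret || challenge), the CHAP construction."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthenticatorPort:
    """A switch port: until EAP-Success only EAPOL frames are forwarded."""

    def __init__(self):
        self.authorized = False

    def forward(self, is_eapol):
        return self.authorized or is_eapol


def run_exchange(port, username, password, user_db, challenge):
    """Drive supplicant and authenticator over one port; user_db stands in for the
    authentication server (assumption: local lookup instead of RADIUS)."""
    transcript = []
    # 1. Supplicant -> Authenticator: EAPOL-Start (allowed on an unauthorized port)
    ptype, _ = eapol_unpack(eapol_pack(EAPOL_START))
    transcript.append(("supplicant", "EAPOL-Start", port.forward(ptype in (EAPOL_START, EAPOL_EAP_PACKET))))
    # 2. Authenticator -> Supplicant: EAP-Request/Identity
    req = eap_pack(REQUEST, 1, TYPE_IDENTITY)
    transcript.append(("authenticator", "Request/Identity", True))
    # 3. Supplicant -> Authenticator: EAP-Response/Identity (identity travels in clear)
    _, ident, _, _ = eap_unpack(eapol_unpack(eapol_pack(EAPOL_EAP_PACKET, req))[1])
    resp = eap_pack(RESPONSE, ident, TYPE_IDENTITY, username.encode())
    transcript.append(("supplicant", "Response/Identity", True))
    claimed = eap_unpack(resp)[3].decode()
    # 4. Authenticator -> Supplicant: EAP-Request/MD5-Challenge = Value-Size, Value, Name
    req = eap_pack(REQUEST, 2, TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge + b"nas01")
    transcript.append(("authenticator", "Request/MD5-Challenge", True))
    # 5. Supplicant -> Authenticator: EAP-Response/MD5-Challenge
    _, ident, _, data = eap_unpack(req)
    recv_challenge = data[1:1 + data[0]]
    digest = md5_challenge_response(ident, password, recv_challenge)
    resp = eap_pack(RESPONSE, ident, TYPE_MD5_CHALLENGE, bytes([len(digest)]) + digest + username.encode())
    transcript.append(("supplicant", "Response/MD5-Challenge", True))
    # 6. Authenticator verifies against the stored secret; Success opens the port
    _, ident, _, data = eap_unpack(resp)
    expected = md5_challenge_response(ident, user_db.get(claimed, b""), challenge)
    final = eap_pack(SUCCESS if data[1:1 + data[0]] == expected else FAILURE, ident)
    port.authorized = eap_unpack(final)[0] == SUCCESS
    transcript.append(("authenticator", "Success" if port.authorized else "Failure", True))
    return port.authorized, transcript
```

The point to take from the transcript is where the decision is made: the switch never sees the password, only the challenge and the response, and it opens the port solely on the Success/Failure verdict returned by the authentication server.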
SGACL (security group ACL): an ACL that enforces access control based on the security group assigned to a user rather than on IP addresses
community port (private VLAN): can communicate with the promiscuous port and with other devices in the same community
false positive: the system raises an event against legitimate traffic that is not malicious
false negative: the system fails to recognize a malicious event
true positive: the correct behavior of the system when a real threat has been detected
true negative: the correct behavior of the system when no event is raised and no traffic is blocked for legitimate traffic
NIPS and NIDS detection methods: pattern matching and stateful pattern matching recognition, protocol analysis, heuristic-based analysis, anomaly-based analysis, global threat correlation capability
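Two of the detection methods listed above (pattern matching and anomaly-based analysis) run over constructed HTTP request lines and scored with the four outcomes defined just before, as an added example that is not part of the original notes. The signatures, the sample requests and their benign/malicious labels are made up, not taken from any product's ruleset; the anomaly rule (flag a request longer than the benign mean plus three standard deviations) is one common baseline heuristic, chosen here only to show a detection that no signature would make.

```python
"""Signature (pattern matching) and anomaly-based detection over constructed HTTP
request lines, scored as TP/FP/FN/TN. Added example; signatures and data are made up."""

import re
from statistics import mean, pstdev

# Pattern matching: regex signatures for known attack strings
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

# Constructed sample: (request line, is_malicious). Comments state the expected outcome.
SAMPLE = [
    ("GET /index.html", False),
    ("GET /images/logo.png", False),
    ("GET /search?q=or+1=1+is+a+boolean+identity", False),   # lookalike without the quote: TN
    ("GET /api/v1/users/42", False),
    ("GET /wiki?q=' or 1=1 explained", False),                # benign text trips the signature: FP
    ("GET /download?file=../../etc/passwd", True),            # caught by signature: TP
    ("POST /login user=admin' OR 1=1--", True),               # caught by signature: TP
    ("GET /download?file=..%2f..%2fetc/passwd", True),        # URL-encoded evasion: FN
    ("GET /" + "A" * 400, True),                              # no signature; caught by anomaly: TP
]


def signature_hits(request):
    return [name for name, pattern in SIGNATURES.items() if pattern.search(request)]


def anomaly_threshold(benign_lengths, k=3.0):
    """Anomaly-based: learn a baseline from benign traffic and flag requests
    longer than mean + k * sigma."""
    return mean(benign_lengths) + k * pstdev(benign_lengths)


def is_alert(request, threshold):
    return bool(signature_hits(request)) or len(request) > threshold


def evaluate(sample=SAMPLE):
    """Confusion counts {tp, fp, fn, tn} for the combined detector on a labelled sample."""
    threshold = anomaly_threshold([len(r) for r, bad in sample if not bad])
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for request, bad in sample:
        if is_alert(request, threshold):
            counts["tp" if bad else "fp"] += 1
        else:
            counts["fn" if bad else "tn"] += 1
    return counts


if __name__ == "__main__":
    print(evaluate())
```

The false negative is the instructive row: a literal signature is defeated by encoding the slash, which is why real sensors normalize (URL-decode) the stream before matching, the "protocol analysis" method in the list above.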
HIDS and HIPS: software that interfaces with the OS to offer access control and protection against threats; installed in addition to the host OS; may require updating several endpoints; can only see the traffic reaching the host; can slow down the OS; can check whether an attack has succeeded on the host; sees traffic after decryption and so can stop an attack delivered in encrypted packets; the attack reaches the target before being stopped
NIDS and NIPS: networking devices deployed at critical network segments (on a dedicated machine) with visibility into all traffic entering or leaving the segment; easy to maintain and update; can introduce a delay in packet processing; have no visibility into whether an attack was successful; can block an attack at the entry point; have no visibility into encrypted packets
antivirus/antimalware: software used to detect and prevent the installation of computer malware
network-based antivirus/antimalware: deployed on a dedicated machine; easier to maintain and update; has visibility into all network traffic; can introduce a delay due to packet processing; has no visibility into whether an attack was successful; cannot inspect encrypted packets; can block an attack at the entry point
server-based (host) antivirus/antimalware: software installed on top of the host OS; may require updating several endpoints; has visibility only into traffic reaching the host