Domain 1 - Access Control Flashcards

1
Q

Is an active entity in an Information System

A

Subject

2
Q

A Passive data file

A

Object

3
Q

Is an access control that gives subjects full control of objects they
have been given access to, including sharing the objects with other subjects

A

Discretionary Access Control - DAC

4
Q

System-enforced access control based on subject’s clearances and object’s labels

A

Mandatory Access Control - MAC

5
Q

Is an access control where subjects are grouped into roles and each
defined role has access permissions based upon the role, not the individual

A

Role-Based Access Control - RBAC

6
Q

Its purpose is to allow authorized users access to appropriate data and
deny access to unauthorized users.

A

Access Control

7
Q

is keeping data secret. Data must only be accessible to users who
have the clearance, formal access approval, and the need to know

A

Confidentiality

8
Q

Threat to confidentiality

A

Disclosure of Information

9
Q

Protects against unauthorized alteration of data

A

Integrity

10
Q

Ensures that information is readily accessible to authorized users or
programs as the information is needed

A

Availability

11
Q

Occurs when subjects not only maintain old access rights but gain new
ones as they move from one division to another within an organization.

A

Authorization Creep

12
Q

is another non-discretionary access control model, related to RBAC. It is based on the tasks each subject must
perform, such as writing prescriptions, restoring data from a backup tape, or
opening a help desk ticket.

A

Task-based Access Control

13
Q

Concentrates access control in one logical point for a system or organization.

A

Centralized Access Control

14
Q

Local sites support and maintain independent systems, access control databases, and data.

A

Decentralized Access Control

15
Q

Is a 3rd party authentication system described in RFCs 2865 and 2866. It uses UDP ports 1812 and 1813.

A

Remote Authentication Dial In User Service (RADIUS)

16
Q

is RADIUS’ successor, designed to provide an improved AAA framework. RADIUS provides limited accountability, and has problems with flexibility, scalability, reliability, and security.

A

Diameter

17
Q

What is the number of Attribute Value Pairs (AVP) in RADIUS and Diameter?

A

Radius = 8
Diameter = 32

18
Q

The cornerstone concept of InfoSecurity

A

The CIA triad

19
Q

Opposing forces to CIA

A

DAD - Disclosure, Alteration and Destruction

20
Q

True or false. Our mission as information security professionals is to balance the needs of CIA and make trade-offs as needed.

A

True

21
Q

Is the unauthorised disclosure of information

A

Disclosure

22
Q

Is the unauthorised modification of data

A

Alteration

23
Q

Making systems unavailable

A

Destruction

24
Q

—— is a claim of who you are

A

Identity

25
Proving an identity is called ------
Authentication
26
------ describes the actions you can perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs.
Authorisation
27
----- holds a user accountable for his actions. This is typically done by logging and analysing audit data.
Accountability
28
It means a user cannot deny having performed a transaction. It combines authentication and integrity.
Non repudiation
29
True or false. You must have both authentication and integrity to have non repudiation.
True
30
It means users should be granted the minimum amount of access (authorisation) required to do their jobs.
Least Privilege
31
Is an active entity on a data system
Subject
32
This applies multiple safeguards (also called controls), measures taken to reduce risk, to protect an asset.
Defence in depth or layered defenses
33
True or false. All controls can fail, and sometimes multiple controls will fail. Deploying a range of different defense in depth safeguards in your organisation lowers the chance that all controls will fail.
True
34
---- gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.
Discretionary Access Control - DAC
35
Is a system-enforced access control based on subject clearances and object labels.
Mandatory Access Control -MAC
36
True or false. A subject may access an object only if the subject's clearance is equal to or greater than the object's label.
True
37
It defines how information is accessed on a system based on the role of the object.
Role Based Access Control - RBAC
38
True or false. RBAC is a type of non-discretionary access control because users do not have discretion regarding the group of objects they are allowed to access and are unable to transfer objects to other subjects.
True
39
Is another non-discretionary access control model, related to RBAC, based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket.
Task Based Access Control
40
Concentrates access control in one logical point for a system or organisation.
Centralised Access Control
41
Is an access control used where an organisation spans multiple locations. The local sites support and maintain independent systems, access control databases and data.
Decentralised Access Control
42
This occurs as individual users gain more access to more systems.
Access aggregation
43
Users gain more entitlements without shedding the old ones.
Authorisation creep
44
Is a centralised access control system that requires users to send an ID and static (reusable) password for authentication. It uses UDP or TCP port 49.
TACACS
45
In a Microsoft trust relationship, if A trusts B, then A will trust all of B's trusted partners. What type of relationship is this?
Transitive trust
46
This means limiting the access of authorised users to the data they require to perform their duties.
Least Privilege
47
This allows an organisation to maintain checks and balances among the employees with privileged access by having more than one individual perform part of a sensitive transaction.
Separation of Duties
48
This describes a process that requires that different staff perform the same duty.
Rotation of Duties
49
Is a label that shall be applied to information, the unauthorised disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
Top Secret
50
Is a label that shall be applied to information, the unauthorised disclosure of which reasonably could be expected to cause serious damage to the national security.
Secret
51
Is a label that shall be applied to information, the unauthorised disclosure of which reasonably could be expected to cause damage to the national security.
Confidential
52
Is a determination about whether or not a user can be trusted with a specific level of information.
Clearance. Remember: objects have labels, subjects have clearances.
53
Is documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements for accessing the data and the consequences should the data become lost, destroyed or compromised.
Formal Access Approval
54
What are the six access control types?
Preventive, Detective, Corrective, Recovery, Deterrent, Compensating
55
Three access control categories
Administrative, Technical, Physical
56
Is a type of access control that prevents actions from occurring.
Preventive
57
Are controls that alert during or after a successful attack.
Detective
58
Is a control that works by correcting a damaged system or process.
Corrective
59
After a security incident has occurred, this control may have to be taken in order to restore the functionality of the system and organisation.
Recovery
60
This control deters users from performing actions on a system.
Deterrent
61
Is an additional security control put in place to compensate for weaknesses in other controls.
Compensating
62
These controls are implemented by creating and following organisational policy, procedure, or regulation. User training and awareness also fall into this category.
Administrative
63
These controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system. Examples include firewalls, routers, encryption, etc.
Technical
64
These controls are implemented with physical devices such as locks, fences, gates, security guards, etc.
Physical
65
Is a term used for the combination of both identification and authentication of a user.
Credential set
66
Three basic authentication methods
Type 1 - something that you know; Type 2 - something that you have; Type 3 - something you are
67
Is a reusable password that may or may not expire.
Static password
68
----- Are long static passwords, comprising the words of a phrase or sentence.
Passphrase
69
This password may be used for a single authentication; it cannot be reused and is valid for a single use.
One time password
70
---- passwords that change at regular intervals.
Dynamic Passwords
71
This requires that a user present more than one authentication factor.
Strong authentication or multifactor authentication