Security+ AccessControl

Application - Presentation - Session - Transport - Network - Data - Physical
(All people should tell NMCI die please!)

Presentation

Blowfish, DES and IDEA

Diffie-Hellman, RSA

Security rule of thumb that states that users should be granted only the level of access needed for them to accomplish assigned work tasks and no more.

A privilege is an avility or activity that a user account is granted premission to perform

Implicit deny is the default security stance that if you are not specifically granted access or privileges over a resource, you are denied access by default

Seperation of guties is the division of administrator or privileged tasks into distinct groupings, with each group in turn assigned to unique administrators.

Job rotation means there are multiple people who have the knowledge to perform each highly privileged task

A form of access control commonly employed by gov and military environments. MAC specifies that access is granted based on a set of rules rather than at the discertion of a user.

sensitivity labels, security domains or classifications

To prevent disclosure: the violation of security principle of configentiality

Clearance level and sensitivity label

Including the Need To Know

A form of access control that is used in most commercial and home environment. DAC is user directed, controlled by the owner and creators of the object in the environment.

Access is granted or restricted by the owner's identity.

ACL

It may be grouped with non-discretionary access control methods along with MAC

Where there is a high level of employee turnover.

Government uses: Unclass, sensitive but unclass, confidential, secret and top secret
Private sector: Public, sensitive, private, confidential

In centralized privilege management, a single server (or set of servers) is responsible for managing, controlling and implementing all security control, access rights, and privileges. E.G. RADIUS authentication

In decentralized privilege management, each system is responsible for managing, controlling and implementing security control access rights and privileges.

Access control list is the collection of usernames and group names with specific permission allow/deny assignments embedded onto a resource object

A password policy is both a set of rules writeen out as part of the organizational security policy that dictates the req of users and device passwords

A form of access control that is used in most commercial and home environment. DAC is user directed, controlled by the owner and creators of the object in the environment.

Access is granted or restricted by the owner's identity.

ACL

It may be grouped with non-discretionary access control methods along with MAC

Where there is a high level of employee turnover.

Government uses: Unclass, sensitive but unclass, confidential, secret and top secret
Private sector: Public, sensitive, private, confidential

In centralized privilege management, a single server (or set of servers) is responsible for managing, controlling and implementing all security control, access rights, and privileges. E.G. RADIUS authentication

In decentralized privilege management, each system is responsible for managing, controlling and implementing security control access rights and privileges.

Access control list is the collection of usernames and group names with specific permission allow/deny assignments embedded onto a resource object

A password policy is both a set of rules writeen out as part of the organizational security policy that dictates the req of users and device passwords

A domain password policy is the password policy wihtin a GPO

Single sign-on means that once a user is authenticated into a realm, they need not reauthenticate to access resources

Multi-factor authentication is the req that a user must provide 2 or more authentication factors

Authentication uses 2 factors

Something you know
Something you have
Something you are

Kerberos is a trusted 3rd party authentication protocol. It uses encryption keys as tickets with time stamp to prove identity and grant access to resources. Kerberos is a SSO solution employing a KDC to manage its centralized authentication mechanism

Challenge-Handshake Authentication Protocol and is primary used for dial-up connections. CHAP uses a one-way hash to protect passwords and periodically reauthenticates clients.

The most popular but weakest form of protection

Tokens are a "something you have" type of authentication factor.

Mutual authentication is two-way authentication. The subject authenticates to the object and the object authenticates back to the subject

Something you are

Physical acess control regers to mechanisms designed to manage and control enterance into a location

Physical barriers are erected to control access into a location

Doors and gates can be locked and controlled in such a way that only authorized personnel can unlock and enter through them. This could be lock and keys or biometrically controlled

Someone watching over security boundary

A mantrap is a form of high-security barrier entrance device

Locks are keyed to biometrics

Restricts users from accessing resources on a network

Proves the identity of communication partners

Prevents unauthorized disclosure of secured data

Prevents unwanted changes of data while in transit

RSA, Diffie-Hellman

Password Authentication Protocol. It is a weak authentication protocol with just user name and password in plaintext

X.500

NAT, IP addressing, name resolution

Sound, Infrared, Ultrasound

Terminal Access Controller Access Control System

Knowledge-based IDS solutions use known attack signatures to identify network attacks. Behavior-based IDS is incorrect because behavior-based IDS solutions measure access patterns against known baselines to identify attacks.