  1. Authentication
    • Something you know: password/login
    • Something you have: physical key or RSA tag
    • Something you are: DNA, fingerprint
  2. Prevention was equated to...
  3. DAC
    • Discretionary Access Control: means of restricting access to objects based on the identity of subjects and/or the groups to which they belong
    • The owner of a file can specify what permissions members of the same group have and also what permissions all others have
    • ACLs are common mechanisms used to implement DAC
    • "At the user's discretion"
  4. MAC in regards to ACL
    • Mandatory Access Control: means of restricting access based on the sensitivity (as represented by labels) of the info contained in the objects and the formal authorization of subjects to access info of such sensitivity.
    • e.g. Secret, Top Secret
    • "Multilevel Security"
  5. RBAC - Role
    Role-Based AC: based on the user's ROLE. Permissions are granted in terms of the specific duties the user must perform, not according to a security classification associated with individual objects
  6. RBAC - Rule
    • Rule-Based AC: uses ACLs to determine whether access should be granted by a series of RULES.
    • e.g. No employee may access payroll files on weekends
    • Can be used in addition to MAC and others
  7. Hardening of the OS
    • Methods used to strengthen the OS and to eliminate possible avenues through which attacks can be launched.
    • e.g. Windows Updates
  8. Anti Virus
    Program designed to prevent damage caused by various types of malicious software
  9. Host - Based IDS
    Host-Based Intrusion Detection Systems: Devices designed to determine whether an intruder has penetrated a computer system or network.
  10. Authentication: The "A" of CIA-AN
    An individual is who they claim to be. Expanded in Chap 1
  11. Availability- The "A" of CIA-AN
    To ensure that the data, or system itself, is available for use when the authenticated user wants it.
  12. Integrity- The "I" of CIA-AN
    • Related to confidentiality; concerns modification of data.
    • Only authenticated individuals should be able to change or delete info
  13. Confidentiality: "C" of CIA-AN
    Confidentiality: ensures that only those individuals who have the authority to view a piece of info may do so.
  14. CIA of Security - CIA-AN
    • Original CIA:
    • Confidentiality
    • Integrity
    • Availability
    • AN: added due to communication such as email:
    • Authentication
    • Non-Repudiation
  15. Control Mechanisms
    • DAC: Discretionary Access Control (AC)
    • MAC: Mandatory AC
    • RBAC: Role-Based AC
    • RBAC: Rule-Based AC
  16. Job Rotation
    By rotating through jobs, individuals gain a better perspective of how the various parts of IT can enhance (or hinder) business.
  17. Operational Model of Security
    • Protection = Prevention + (Detection + Response)
    • Protection = P + (D + R)

    Every security technique and technology falls into at least one of the three elements of the equation.
  18. Prevention
    • Access Controls
    • Firewalls
    • Encryption
  19. Host Security
    • Focus on protecting each computer and device individually
    • Bastion Hosts
    • Host-Based IDS
    • Anti-Virus
    • Hardening of the OS
  20. Network Security
    • Emphasis is placed on controlling access to internal computers from external entities.
    • Routers, firewalls, authentication hardware and software, encryption, and IDS
  21. Least Privilege
    • Most fundamental approach to security
    • An object (user, app, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions
    • First step is to create a security baseline
  22. Separation of Duties
    • Ensures that for any given task, more than one individual needs to be involved
    • No single individual can abuse the system for his or her own gain
  23. Implicit Deny
    • If a particular situation is not covered by any other rule, access should NOT be granted.
    • Applies to both access & authorization
  24. Non-Repudiation: "N" of CIA-AN
    Ability to verify that a message has been sent and received so that the sender/receiver can't refute (or repudiate) sending/receiving the info.
  25. End of Chap 1
Card Set
Test 1 Study Cards. Chapter 1 - 4