- Something you know. Pwd/Login
- Something you have. Physical Key or RSA tag
- Something you are. DNA, fingerprint
Prevention was equated to...
- Discretionary Access Control: Means of restricting access to objects based on the indentity of subjects and/or groups to which they belong
- -owner of a file can specify what permissions members in the same group can have & also what permissions all others can have
- - ACLs are common mechanisms used to implement DAC
- "At the users discretion"
MAC in regards to ACL
- Mandatory Access Control: means of restricting access based on sensitivity(as represented by labels) of the info contained in the objects & the formal authoriazation of subjects to access info of such sensitivity.
- -e.g. Secret, Top Secret
- "Multilevel Security"
RBAC - Role
Role Based AC: Based on the user's ROLE. Permissions are granted based on terms of specific duties they must perform - not according to a security classification associated with individual objects
RBAC - Rule
- Rule Based AC: Uses ACLs to determine whether access should be granted by a series of RULES.
- -e.g. No employee may access payroll files on weekends
- -can be used in additionto MAC & others
Hardening of the OS
- Methods used to strengthen OS & to eliminate possible avenues through which attacks can be launched.
- -e.g. Windows Updates
Program designed to prevent damage caused by various types of malicious software
Host - Based IDS
Host-Based Intrusion Detection Systems: Devices designed to determine whether an intruder has penetrated a computer system or network.
Authentication: The "A" of CIA-AN
An individual is who they claim to be. Expanded in Chap 1
Availability- The "A" of CIA-AN
To ensure that the data, or system itself, is available for use when the authenticated user wants it.
Integrity- The "I" of CIA-AN
- Related to Confidentiality- modification of data.
- -Only authenticated individuals should be able to change or delete info
Confidentiality: "C" of CIA-AN
Confidentiality: Ensures that only those indviduals who have the authority to view a piece of info may do so.
CIA of Security - CIA-AN
- Original CIA
- AN: Added due to communication such as email
- DAC : Discretionary Access Control(AC)
- MAC : Mandatory AC
- RBAC : Role-Based AC
- RBAC : Rule-Based AC
By rotating through jobs, individuals gain a better perspective of how the various parts of IT can enhance (or hinder) business.
Operational Model of Security
- Protection = Prevention + (Detection + Response)
- Protection = P + (D + R)
Every security technique & technology falls into @ least one of the three elements of the equation.
- Access Controls
- Focus on protecting each computer and device individually
- - Bastion Hosts
- - Host-Based IDS
- - Anti-Virus
- - Hardening of the OS
- Emphasis is placed on controlling access to internal computers from external entities.
- -Routers, firewalls, authentication hardware & software, encryption & IDS
- Most fundamental approach to security
- An object (user, app, or process) should have only the rights & privileges necessary to perform its task, with no additional permissions
- -first step is to create a security baseline
Separation of Duties
- Separation of Duties:
- Ensures that for any given task, more than one indvidual needs to be involved
- No single individual can abuse the system for his or her own gain
- If a particular situation is not covered by any other rules access should NOT be granted.
- Applies to both access & authorization
Non-Repudiation: "N" of CIA-AN
Ability to verify that a message has been sent and received so that the sender/receiver can't refute(or repudiate) sending/receiving the info.