Term

Definition
Presenting credentials. Example: delivery driver presenting employee badge

Term

Definition
Checking the credentials. Example: examining the delivery driver's badge

Term

Definition
Granting permission to take action. Example: allowing delivery driver to pick up package

Term

Definition
Specific resource. Example: file or hardware device

Term

Definition
User or process functioning on behalf of a user. Example: computer user

Term

Definition
Action taken by the subject over an object. Example: deleting a file

Term

Definition
Standards that provide a predefined framework for hardware or software developers
Term
Access Control Models (cont'd.)

Definition
Mandatory Access Control
- Most restrictive access control model
- Typically found in military settings
- Two elements: labels and levels

Term
Discretionary Access Control (DAC)

Definition
Least restrictive model
- Every object has an owner
- Owners have total control over their objects
- Owners can give permissions to other subjects over their objects

Term
Role Based Access Control (RBAC)

Definition
Also called Non-discretionary Access Control
- Access permissions are based on the user's job function

Term
RBAC assigns permissions to particular roles in an organization

Definition
Users are assigned to only 1 role

Term
Rule Based Access Control (cont'd.)

Definition
- Each resource object contains access properties based on the rules
- When a user attempts access, the system checks the object's rules to determine access permission
- Often used for managing user access to one or more systems; business changes may trigger application of the rules specifying access changes
Term

Definition
Fraud can result from a single user being trusted with complete control of a process
- Requiring two or more people to be responsible for functions related to handling money
- The system is then not vulnerable to the actions of a single person

Term

Definition
Database stored on a network
- Contains information about users and network devices
- Keeps track of network resources and users' privileges to those resources
- Grants or denies access based on its information

Term

Definition
Lightweight Directory Access Protocol

Term

Definition
Person responsible for the information

Term

Definition
Determines the level of security needed for the data and delegates security duties as required

Term

Definition
Determines that the file salary.xlsx can be read only by department managers

Term

Definition
Individual to whom day-to-day actions have been assigned by the owner

Term

Definition
Periodically reviews security settings and maintains records of access by end users

Term

Definition
Sets and reviews security settings on Salary.xlsx

Term

Definition
User who accesses information in the course of routine job responsibilities

Term

Definition
Follows the organization's security guidelines and does not attempt to circumvent security

Term

Definition

Term

Definition
Right given to access specific resources

Term

Definition
Delivery person can only retrieve the box by the door

Term

Definition
User allowed to access only specific data
Term
MAC Mandatory Access Control

Definition
Most restrictive; found in military settings
- 2 elements: labels and levels
- Matching object labels with subject labels, based on their respective labels

Term
2 major implementations of MAC

Definition

Term

Definition
An additional restriction not found in the original lattice model: it prevents subjects from creating new objects or performing specific functions on objects that are at a lower level than their own

Term
UAC Windows User Account Function

Definition
A standard user who attempts to install software is required by UAC to enter a high-level administrative password. UAC attempts to match the subject's privilege level with that of the object.

Term
DAC Discretionary Access Control

Definition
Least restrictive
- Every object has an owner
- Owners can create and access their objects freely
- The owner can give permissions to other subjects

Term

Definition
Relies on decisions by the end user to set the proper level of security
- A subject's permissions will be inherited by any programs that the subject executes
- This inheritance makes it vulnerable to Trojans

Term
RBAC Role Based Access Control

Definition
Non-discretionary control based on the user's job function within an organization
- Assigns permissions to a particular role, then assigns users to those roles
- Users and objects inherit all of the permissions for the role

Term
RBAC Rule Based Access Control

Definition
Automated provisioning: dynamically assigns roles to subjects based on a set of rules defined by a custodian
- Each resource object contains a set of access properties based on the rules
- These properties cannot be changed by users

Term

Definition

Term
Best Practices for Access Control

Definition
- Separation of duties
- Job rotation
- Least privilege
- Implicit deny
- Mandatory vacations

Term

Definition
Requires that if the fraudulent application of a process could potentially result in a breach of security, then the process should be divided between two or more individuals

Term

Definition
Employees rotate either within their home department or across positions in other departments

Term

Definition
Only the minimum amount of privileges necessary to perform a job or function should be allocated

Term

Definition
If a condition is not explicitly met, then the request for access is rejected

Term

Definition
An audit is performed while they are on vacation

Term

Definition
Set of permissions attached to an object, specifying which subjects are allowed to access the object and what operations they can perform