Term
|
Definition
| A collection of mechanisms that work together to protect the assets of an enterprise. |
|
|
Term
| Access controls help protect against ______ and ______. |
|
Definition
| Threats and Vulnerabilities |
|
|
Term
| Access controls enable management to: |
|
Definition
Specify which users can access the system
Specify what resources they can access
Specify what operations they can perform
Provide individual accountability |
|
|
Term
|
Definition
| Define and divide elements of a process or work function among different functions. |
|
|
Term
|
Definition
| Limit users and processes to access only resources necessary to perform assigned functions. |
|
|
Term
| The environment for access controls includes: |
|
Definition
Facilities
Support Systems
Information Systems
Personnel -
management, users, customers, business partners |
|
|
Term
Control categories:
Deterrent |
|
Definition
|
|
Term
Control Categories:
Preventive |
|
Definition
|
|
Term
Control categories:
Detective |
|
Definition
|
|
Term
Control categories:
Corrective |
|
Definition
Remedy circumstances
mitigate damage
Restore controls |
|
|
Term
Control Categories:
Compensating |
|
Definition
Alternative control
(for example, supervision) |
|
|
Term
Control Categories:
Recovery |
|
Definition
| Restore conditions to normal |
|
|
Term
|
Definition
Administrative
Technical (Logical)
Physical |
|
|
Term
|
Definition
| Policies and procedures, including personnel controls such as security clearances, background checks. |
|
|
Term
| Technical (logical) controls |
|
Definition
| Anti-virus software, password protection, firewalls, auditing |
|
|
Term
|
Definition
| locks, alarms, badge systems |
|
|
Term
|
Definition
| The use of influence and persuasion to deceive people by convincing them that the social engineer is someone he/she is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without use of technology. |
|
|
Term
|
Definition
| Identification, Authentication, Authorization, Accountability |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Verifies who the user is and whether access is allowed |
|
|
Term
|
Definition
| What the user is allowed to do. |
|
|
Term
|
Definition
| Tracks what the user did and when it was done. |
|
|
Term
|
Definition
User IDs
Username
Account Number
Personal Identification Number (PIN)
Badge System
Biometric Devices |
|
|
Term
| User Identification Guidelines |
|
Definition
Unique
Standard naming convention
Non-indicative of job function
Secure and documented process for issuance |
|
|
Term
|
Definition
Authentication by Knowledge
Authentication by Ownership
Authentication by Characteristic |
|
|
Term
| Authentication by Knowledge |
|
Definition
What a person Knows
Passwords, Passphrases
(Password encryption schemes) |
|
|
Term
| Authentication by Ownership |
|
Definition
|
|
Term
| Authentication by Characteristic |
|
Definition
|
|
Term
| Asynchronous Token Device |
|
Definition
| A challenge-response technology/scheme. Authentication servers provide a challenge to the remote entity that can only be answered by the token that the individual holds in his/her hands. Two-way communication between the token and the server. |
|
|
Term
|
Definition
Event, location, or time based.
Authentication server knows the expected value from the token and the user must input it or be in close proximity.
Like WoW Authenticator. |
|
|
Term
|
Definition
Identity is confirmed by either:
Physiological Trait (unique, fingerprint, retina, iris)
Behavioral characteristics (keystroke, signature pattern) |
|
|
Term
| Important elements of Biometric devices |
|
Definition
Accuracy: Type I, Type II errors
Processing Speed: how fast the accept/reject is made
User acceptability
Protection of Biometric Data |
|
|
Term
|
Definition
| Fingerprint, Hand Geometry, Palm Scan, Voice Pattern, Retina Pattern/Scan, Iris Pattern/Recognition, Signature Dynamics, Facial Recognition, Keystroke Dynamics |
|
|
Term
Authentication Methods
Risk Vs. Cost |
|
Definition
Password - High Risk, Low Cost
Software Token - High/Medium Risk - Medium Cost
Hardware Token - Medium Risk, Medium/High Cost
Signing Action - High Cost, Medium/High Risk
Biometric - High Cost, Low Risk |
|
|
Term
|
Definition
| Enables a user to logon once to the enterprise and access all additional authorized network resources. |
|
|
Term
|
Definition
Efficient log-on process
Users may create stronger password
No need for multiple passwords
Timeout and attempt thresholds enforced across entire platform
Centralized Administration |
|
|
Term
|
Definition
- Compromised password allows intruder into all authorized resources
- Inclusion of unique platforms may be challenging
|
|
|
Term
|
Definition
| Provides the means to hierarchically organize and manage information and to retrieve the information by name association. |
|
|
Term
| Network Directory Service |
|
Definition
Contains a set of information about resources and services on the network, such as users, workstations, and servers.
Used to simplify access and administration by providing a unified organization of the network resources. |
|
|
Term
|
Definition
Domain of trust that shares a single security policy and single management.
Access parameters controlling which sets of objects a subject can access.
Think of a “security domain” as a concept where the principle of separation protects each resource and each domain is encapsulated into distinct address spaces. |
|
|
Term
| Discretionary Access Control |
|
Definition
| Owner determines who has access & what privileges they have |
|
|
Term
|
Definition
Owner and system determine who has access.
The system's decision is based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). |
|
|
Term
| Mandatory Access Control Features |
|
Definition
For systems of highly sensitive data
Sensitivity labels are assigned to all objects and clearance labels to all subjects.
The object's sensitivity level and the subject's clearance level determine whether access succeeds.
Permits processing of multiple levels on one system. |
|
|
Term
| Major difference between Mandatory Access Controls and Discretionary Access Controls |
|
Definition
| Discretionary Controls involve only the resource owner's permission, while Mandatory Controls require the system's and the owner's permission. |
|
|
Term
Examples of Access Permissions
"No Access/Null" |
|
Definition
| No access permission granted |
|
|
Term
Example of Access Permissions
Read (R) |
|
Definition
| Read but make no other changes. |
|
|
Term
Example of Access Permissions
Write (W) |
|
Definition
| Write to File; includes change capability |
|
|
Term
Example of Access Permissions
Execute (X) |
|
Definition
|
|
Term
Example of Access Permissions
Delete (D) |
|
Definition
|
|
Term
Example of Access Permissions
Change (C) |
|
Definition
| Read, write, execute and delete; may not change file permission |
|
|
Term
Example of Access Permissions
Full Control |
|
Definition
| All abilities; including changing access control permission |
|
|
Term
| Rule-Based Access Control |
|
Definition
Access based on a list of rules that determine authorization.
Owners create or authorize the rules.
Mediation mechanisms enforce the rules to ensure authorized access. |
|
|
Term
| Role-Based Access Control |
|
Definition
- Access Control decisions are based on job function.
- Each role will have its own access capabilities.
- Determination of role/job function is discretionary and is in compliance with security access control policy.
|
|
|
Term
| Intrusion Prevention System (IPS) |
|
Definition
| Intrusions are prevented. |
|
|
Term
| Intrusion Detection Systems (IDS) |
|
Definition
| Intrusion attempts and any set of actions that attempt to gain unauthorized access are detected. Requires auditing for intrusion attempts on a timely basis. |
|
|
Term
| To ensure an effective IDS (Intrusion Detection System): |
|
Definition
- Employ a technically knowledgeable person to select, install, configure, operate, and maintain the IDS.
- Update the system with new attack signatures and re-evaluate expected behavior profiles.
- Be aware that the IDS itself may be vulnerable to attacks.
|
|
|
Term
|
Definition
| A record of system activities. |
|
|
Term
| Audit Trail Configuration |
|
Definition
| Capturing data generated by system, network, application, and user activities. |
|
|
Term
|
Definition
- Alert staff to suspicious activity for investigation.
- Provide details on extent of intruder activity
- Provide information for legal proceedings.
|
|
|
Term
|
Definition
- Network connection event data
- System-level event data
- Application-level event data
- User-level event data - keystroke activity
|
|
|
Term
|
Definition
Series of activities undertaken to identify and exploit security vulnerabilities.
|
|
|
Term
Types of Penetration Testing
Zero-Knowledge |
|
Definition
Team has no relevant information about target
Typically performed by independent third party |
|
|
Term
Types of Penetration Testing
Partial Knowledge |
|
Definition
| Team may have some information about the target |
|
|
Term
Types of Penetration Testing
Full Knowledge |
|
Definition
| Performed by team with intimate knowledge of target environment |
|
|
Term
Examples of Pen Test Methods
Discovery |
|
Definition
| Identify and Document information about target |
|
|
Term
Examples of Pen Test methods
Enumeration |
|
Definition
| Gain more information with intrusive methods |
|
|
Term
Examples of Pen Test Methods
Vulnerability Mapping |
|
Definition
| Map environment profile to known vulnerabilities |
|
|
Term
Examples of Pen Test Methods
Exploitation |
|
Definition
| Attempt to gain user and privileged access. |
|
|
Term
| Application Security Testing |
|
Definition
| Evaluate controls over the application and its process flow. |
|
|
Term
| Denial of Service (DoS) Testing |
|
Definition
| Evaluate system's susceptibility to attacks that will render it inoperable. |
|
|
Term
|
Definition
| Identify, analyze, and exploit modems, remote access devices, and maintenance connections. |
|
|
Term
|
Definition
| Prevents unauthorized disclosure of systems and information. |
|
|
Term
|
Definition
| Prevents unauthorized modification of systems and information. |
|
|
Term
|
Definition
| Prevents disruption of service and productivity. |
|
|
Term
| Goals of Information Security |
|
Definition
Confidentiality
Integrity
Availability |
|
|
Term
| Requirements for Security Solutions |
|
Definition
| Functional Requirements & Assurance Requirements |
|
|
Term
|
Definition
| Define security behavior of the IT product or system. |
|
|
Term
|
Definition
| Establish confidence that the security function will perform as intended. |
|
|
Term
|
Definition
| Tailored best practices that, in total, form a comprehensive security policy program and technical architecture. |
|
|
Term
| Individual security blueprints reflect |
|
Definition
Tailored requirements meeting the organization's specific requirements.
Influenced by legal, regulatory, business, IT drivers. |
|
|
Term
|
Definition
•Documents and communicates management’s goals and objectives.
•Defines the organization’s response to laws, regulations, and standards of due care.
•Builds a foundation for a comprehensive and effective security program.
•Defines what assets and principles the organization considers valuable.
•Identifies organization goals and objectives. |
|
|
Term
|
Definition
Standards
Procedures
Baselines
Guidelines |
|
|
Term
|
Definition
| Specific hardware and software mechanisms and products. |
|
|
Term
|
Definition
| Step by step required actions, such as user registration, contracting for security purposes, information system material destruction, incident response. |
|
|
Term
Organization Roles and Responsibilities
Executive Management |
|
Definition
| Assigned overall responsibility for asset protection. |
|
|
Term
Organizational Roles and Responsibilities
Information Systems Security Professionals |
|
Definition
| Responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines. |
|
|
Term
Organizational Roles and Responsibilities
Owners |
|
Definition
Responsible for:
- Ensuring that appropriate security, consistent with the organization's security policy, is implemented in their information systems.
- Determining appropriate sensitivity or classification levels
- Determining access privileges
|
|
|
Term
Organizational Roles and Responsibilities
Custodian |
|
Definition
| A function that has "custody" of the system/databases, not necessarily belonging to them, for any period of time. Usually network administration or operations. |
|
|
Term
Organizational Roles and Responsibilities
Users |
|
Definition
| Responsible for using resources while preserving the availability, integrity, and confidentiality of assets; responsible for adhering to security policy. |
|
|
Term
Organizational Roles and Responsibilities
IS/IT Function |
|
Definition
| Responsible for implementing and adhering to security policies. |
|
|
Term
Organizational Roles and Responsibilities
Information Systems Auditor |
|
Definition
Responsible for:
- Providing independent assurance to management on the appropriateness of the security objectives.
- Determining whether the security policy, standards, baselines, procedures, and guidelines are appropriate and effective to comply with the organization's security objectives.
- Identifying whether the objectives and controls are being achieved.
|
|
|
Term
|
Definition
- Ensure all access cards and tools are returned.
- Remove user access immediately upon departure.
- Suspension/disciplinary procedures
|
|
|
Term
|
Definition
- Clearly defined roles, job descriptions, and responsibilities
- Least privilege/need to know basis
- Separation of duties
- Job rotation
- Mandatory Vacations
|
|
|
Term
| Key Points of Security Awareness |
|
Definition
Awareness - reminder of security responsibilities
Training - provides skills needed for security
Education - decision making and security management skills |
|
|
Term
| Quantitative Risk Analysis |
|
Definition
| An attempt to assign independently objective numeric values to the elements of the risk assessment and to the assessment of potential losses. |
|
|
Term
| Qualitative Risk Analysis |
|
Definition
| Scenario oriented; does not attempt to assign absolute numeric values to components. Purely qualitative risk analysis is possible. |
|
|
Term
| List the Five Goals of Physical Security |
|
Definition
1. Deter
2. Delay
3. Detect
4. Assess
5. Respond |
|
|
Term
| List the three key strategies of crime prevention through environmental design |
|
Definition
- Territoriality - people protect territory that is their own
- Surveillance - high degree of visual control
- Access control - limit access and control the flow of access
|
|
|