CAP14 - Controlling and monitoring access
  Comparing access control models
    Permissions - rights - privileges
    Authorization mechanisms
      implicit deny
      access control matrix
      capability tables
      constrained interface
      content-dependent control
      need to know
      least privilege
      separation of duties and responsibilities
      defense in depth (physical + logical + administrative controls)
    access control models
      DAC - discretionary access control (every object has an owner)
      RBAC - role-based access control - use of roles and groups
      rule-based access control - rules applied to all subjects (e.g. firewall)
      attribute-based access control - rules include multiple attributes
      MAC - mandatory access control - use of labels (implicit deny - hierarchical, compartmentalized, hybrid environment)
      DAC vs. non-DAC difference
  Understanding access control attacks
    Risk management (already seen in CAP2)
      identify assets
      identify threats
        APT - advanced persistent threats (group of attackers)
        focused on assets, attackers or software
      identify vulnerabilities
    Common access control attacks
      access aggregation attacks
      password attacks
        dictionary attacks
        brute force attacks
        birthday attack
        rainbow table attacks (database of hashed passwords)
      sniffer attacks (e.g. Wireshark)
      spoofing attacks
      social engineering attacks (gaining trust of someone)
        phishing
        spear phishing (phishing targeted to a group of users)
        whaling
        vishing
      smartcard attacks
    summary of protection methods
      control physical access to systems
      control electronic access to files
      create strong password policy
      hash and salt passwords
      use password masking
      deploy multifactor authentication
      use account lockout methods