Chapter 14 ■ Controlling and Monitoring Access
An access control matrix is an object-focused table that includes objects, subjects, and the privileges assigned to subjects. Each row within the table represents an ACL for a single object. ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.
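The relationship between the two views, as an added example that is not from the book: one access control matrix is read per object to get an ACL and per subject to get a capability table. The subjects, objects, privileges, function names and the default-deny check are assumptions made for illustration.

```python
# Added illustration. All subjects, objects and privileges are constructed sample data.
# The matrix maps (subject, object) -> set of privileges.
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
    ("alice", "audit.log"): {"read"},
    ("carol", "audit.log"): {"read", "append"},
}


def acl_for(obj, matrix=MATRIX):
    """Object-focused view: every subject holding privileges on one object."""
    return {s: set(p) for (s, o), p in matrix.items() if o == obj}


def capabilities_for(subject, matrix=MATRIX):
    """Subject-focused view: every object one subject can access."""
    return {o: set(p) for (s, o), p in matrix.items() if s == subject}


def is_allowed(subject, obj, privilege, matrix=MATRIX):
    """Assumption for this example: no matrix entry means access is denied."""
    return privilege in matrix.get((subject, obj), set())


def views_agree(matrix=MATRIX):
    """ACLs and capability tables must encode the same (subject, object, privilege) triples."""
    objects = {o for _, o in matrix}
    subjects = {s for s, _ in matrix}
    from_acls = {(s, o, p) for o in objects
                 for s, privs in acl_for(o, matrix).items() for p in privs}
    from_caps = {(s, o, p) for s in subjects
                 for o, privs in capabilities_for(s, matrix).items() for p in privs}
    return from_acls == from_caps


if __name__ == "__main__":
    print("ACL for payroll.xlsx:", acl_for("payroll.xlsx"))
    print("Capabilities for alice:", capabilities_for("alice"))
    print("bob may write payroll.xlsx:", is_allowed("bob", "payroll.xlsx", "write"))
    print("Views consistent:", views_agree())
```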
A constrained interface restricts what users can do or see based on their privileges. Content-dependent controls restrict access based on the content within an object. Context-dependent controls require specific activity before granting users access.
The principle of least privilege ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. Separation of duties helps prevent fraud by ensuring that sensitive functions are split into tasks performed by two or more employees.
A written security policy defines the security requirements for an organization, and
security controls implement and enforce the security policy. A defense-in-depth strategy
implements security controls on multiple levels to protect assets.
With discretionary access controls, all objects have an owner, and the owner has full control over the object. Administrators centrally manage nondiscretionary controls. Role-based access controls use roles or groups that often match the hierarchy of an organization. Administrators place users into roles and assign privileges to the roles based on jobs or tasks. Rule-based access controls use global rules that apply to all subjects equally. Mandatory access controls require all objects to have labels, and access is based on subjects having a matching label.
It’s important to understand basic risk elements when evaluating the potential loss from access control attacks. Risk is the possibility or likelihood that a threat can exploit a vulnerability, resulting in a loss. Asset valuation identifies the value of assets, threat modeling identifies potential threats, and vulnerability analysis identifies vulnerabilities. These are all important concepts to understand when implementing controls to prevent access control attacks.
Common access control attacks attempt to circumvent authentication mechanisms.
Access aggregation is the act of collecting and aggregating nonsensitive information in an
attempt to infer sensitive information.
Passwords are a common authentication mechanism, and several types of attacks attempt to crack passwords. Password attacks include dictionary attacks, brute-force attacks, birthday attacks, rainbow table attacks, and sniffer attacks. Side-channel attacks are passive attacks against smartcards.
Exam Essentials