Firewall Unit 11


Standard naming conventions

"Rules" that have been established for creating account names. Options typically include:
• First initial of first name followed by last name
• First name with a punctuation mark followed by last name
• Last name followed by department code
In the event two names appear to be the same, a standard policy should be established for resolving conflicts.

Employee Onboarding in a Microsoft Windows environment

• Provision the new computer
• Create email mailboxes and AD users
• Add user accounts to groups
• Create home folder
• Review security settings

directory service

A database stored on the network itself that contains information about users and network devices.

Authentication Framework Protocols

A framework for transporting authentication protocols is known as the Extensible Authentication Protocol (EAP). EAP was created as a more secure alternative to:
• Challenge-Handshake Authentication Protocol (CHAP)
• The Microsoft version of CHAP (MS-CHAP)
• Password Authentication Protocol (PAP)
EAP:
• Defines the format of the messages
• Uses four types of packets: request, response, success, and failure

Clean Desk Policy

A policy designed to ensure that all confidential or sensitive materials are removed from a user's workspace and secured when the items are not in use or an employee leaves her workspace.

Lightweight Directory Access Protocol (LDAP)

A protocol for a client application to access an X.500 directory.

Accounting

A record that is preserved of who accessed the network, what resources they accessed, and when they disconnected.

Access management ACL

A set of permissions attached to an object. Specifies which subjects may access the object and what operations they can perform.

Object

A specific resource. Example: file or hardware device.

Authentication, Authorization, and Accounting (AAA)

A system for tracking user activities on an IP-based network and controlling their access to network resources.

Subject

A user or process functioning on behalf of a user. Example: computer user.

Employee offboarding

Actions to be taken when an employee leaves an enterprise. Steps include:
• Back up all employee files from local computer and server
• Archive email
• Forward email to a manager or coworker
• Hide the name from the email address book

Security Assertion Markup Language (SAML)

An Extensible Markup Language (XML) standard that allows secure web domains to exchange user authentication and authorization data.

Kerberos

An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.

RADIUS

An industry-standard authentication service with widespread support across nearly all vendors of networking equipment.

Authentication

Checking the credentials. Example: examining the delivery driver's badge.

Physical access control

Consists of fencing, hardware door locks, and mantraps to limit contact with devices.

Technical access control

Consists of technology restrictions that limit users on computers from accessing data.

Custodian or steward

Description: Individual to whom day-to-day actions have been assigned by the owner
Duties: Periodically reviews security settings and maintains records of access by end users
Example: Sets and reviews security settings on SALARY.XLSX

Privacy officer

Description: Manager who oversees data privacy compliance and manages data risk
Duties: Ensures the enterprise complies with data privacy laws and its own privacy policies
Example: Decides that users can have permission to access SALARY.XLSX

Owner

Description: Person responsible for the information
Duties: Determines the level of security needed for the data and delegates security duties as required
Example: Determines that the file SALARY.XLSX can be read only by department managers

End user

Description: User who accesses information in the course of routine job responsibilities
Duties: Follows the organization's security guidelines and does not attempt to circumvent security
Example: Opens SALARY.XLSX

ACE structure (Windows)

Each entry in the ACL table is called an access control entry (ACE). An ACE contains:
• Security identifier (SID) for the user or group account or logon session
• Access mask that specifies the access rights controlled by the ACE
• Flag that indicates the type of ACE
• Set of flags that determine whether objects can inherit permissions

Access Control Entry

Entries in an access control list containing information describing the access rights related to a particular security identifier or user.

MAC Element Labels

Every entity is an object and is assigned a classification label that represents the relative importance of the object. Subjects are assigned a privilege label (clearance).

Role-Based Access Control (RBAC)

Explanation: Assigns permissions to particular roles in the organization, and then users are assigned to roles
Description: Considered a more "real-world" approach

Rule-Based Access Control

Explanation: Dynamically assigns roles to subjects based on a set of rules defined by a custodian
Description: Used for managing user access to one or more systems

Mandatory Access Control (MAC)

Explanation: End user cannot set controls
Description: Most restrictive model

Discretionary Access Control (DAC)

Explanation: Subject has total control over objects
Description: Least restrictive model

Attribute-Based Access Control (ABAC)

Explanation: Uses policies that can combine attributes
Description: Most flexible model

Access Control

Granting or denying approval to use specific resources.

Authorization

Granting permission to take action. Example: allowing delivery driver to pick up package.

Least Privilege

Means that only the minimum amount of privileges necessary to perform a job or function should be allocated.

Account Auditing

Once accounts have been created, they should be periodically maintained and audited.

Group-based access control

Permits the configuration of multiple computers by setting a single policy for enforcement.

Location-Based Policies

Policies that establish geographical boundaries where a mobile device can and cannot be used.

Identification

Presenting credentials. Example: delivery driver presenting employee badge.

Employee Onboarding

Refers to the tasks associated with hiring a new employee. Onboarding steps:
• Scheduling
• Job duties
• Socializing
• Work space
• Training

Mandatory Vacations

Requiring that all employees take vacations. Limits fraud, because the perpetrator must be present daily to hide fraudulent actions. An audit of the employee's activities is usually scheduled during the vacation for sensitive positions.

database security

Security functions provided by access control lists (ACLs) for protecting SQL and relational database systems.

file system security

Security functions provided by access control lists (ACLs) for protecting files managed by the operating system.

MAC Bell-LaPadula (BLP) model

Similar to the lattice model. Subjects may not create a new object or perform specific functions on lower-level objects.

MAC Lattice model

Subjects and objects are assigned a "rung" on the lattice. Multiple lattices can be placed beside each other.

Job Rotation

The act of moving individuals from one job responsibility to another.

Operation

The action taken by the subject over an object. Example: deleting a file.

Separation of duties

The practice of requiring that processes should be divided between two or more individuals.

User Access Control (UAC)

A Windows feature that controls user access to resources.

MAC Element Levels

A hierarchy based on the labels is used. Top secret has a higher level than secret, which has a higher level than confidential.

Dormant account

An account that has not been accessed for a lengthy period.

Usage auditing and review

An audit process that looks at the applications that the user is provided, how frequently they are used, and how they are being used.

Time-of-day restrictions

Can be used to limit when a user can log into their account.

Permission auditing and review

Intended to examine the permissions that a user has been given to determine if each is still necessary.

Terminal Access Controller Access Control System+ (TACACS+)

An authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server. The current version is TACACS+.

Recertification

The process of periodically revalidating a user's account, access control, and membership role.

Orphaned accounts

User accounts that remain active after an employee has left.

MAC Microsoft Windows

Uses a MAC implementation called Mandatory Integrity Control (MIC).
• A security identifier (SID) is issued to the user, group, or session
• Each time a user logs in, the SID is retrieved from the database for that user
• The SID is used to identify the user in subsequent interactions with Windows
• Windows links the SID to an integrity level

Local Group Policy (LGP)

• Has fewer options than a Group Policy
• Used to configure settings for systems not part of AD

