CompTIA Security+ Chapter 10: Access Control Methods and Models
Trusted Computer System Evaluation Criteria (TCSEC)
A U.S. Department of Defense standard that sets the basic requirements for assessing how effectively a computer system enforces its access control policy. Also known as the Orange Book.
Access Control List (ACL)
A list of permissions attached to an object. Each entry specifies what level of access a particular user or group has to that object. On a firewall or router, an ACL is instead a set of rules matched against source and destination IP addresses, protocols and port numbers; rules are normally evaluated in order, and the first matching rule decides whether the traffic is permitted or denied.
CAPTCHA
A challenge-response test (Completely Automated Public Turing test to tell Computers and Humans Apart), used mainly on websites, that is easy for a person to pass but hard for an automated program, so that bots cannot create accounts or submit forms at scale.
Mandatory Access Control (MAC)
An access control policy in which the system, not the user or the object's owner, decides access by comparing security labels (for example classification levels and clearances) that it has assigned to subjects and objects. Users cannot override or delegate these decisions.
Role-Based Access Control (RBAC)
An access model in which permissions are grouped into roles that correspond to job functions in the organization. Users are assigned roles rather than individual permissions, so access is decided by a user's role, not by a security label or by the owner of the resource.
Discretionary Access Control (DAC)
An access control policy in which the owner of a resource decides who may access it and what they may do, typically by setting permissions or an ACL on the object. Standard Windows NTFS and Unix file permissions work this way.
Permissions
Settings that control which file system resources (files, folders, shares) a user or group can access on the network, and what they can do with them (for example read, write, modify, execute or delete).
Implicit Deny
A default rule that denies all access to a resource unless the requesting user or traffic has been explicitly granted access. On a firewall, for example, all traffic is dropped unless a rule has been created that opens the port for the type of traffic that should be let through.
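The MAC, RBAC and DAC cards above each describe one way of deciding an access request, and the ACL and Implicit Deny cards describe how the decision is recorded and what happens when nothing matches. The following is an added example, not part of the Security+ material, that puts the four ideas into one small authorization check: system-assigned labels (MAC), permissions attached to roles (RBAC), an owner-maintained ACL on each object (DAC), and a fall-through deny for anything not explicitly granted. The level names, roles, users, files and ACL entries are all constructed for illustration.

```python
# Added example (not from the Security+ material): a toy authorization engine
# that layers MAC, RBAC and DAC checks and applies implicit deny.
# Labels, roles, users and objects below are constructed for illustration.
from dataclasses import dataclass, field

# MAC labels, ordered low to high. The system, not the owner, assigns these.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# RBAC: permissions are attached to roles, never directly to users.
ROLE_PERMS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Anything outside this set has no rule and falls through to implicit deny.
KNOWN_ACTIONS = {"read", "write", "delete"}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str    # MAC label assigned by the system
    roles: frozenset  # RBAC job functions


@dataclass
class Obj:
    name: str
    classification: str  # MAC label assigned by the system
    owner: str           # DAC: the owner decides who else gets access
    acl: dict = field(default_factory=dict)  # DAC ACL: user -> set of actions


def mac_allows(subject: Subject, obj: Obj, action: str) -> bool:
    """Bell-LaPadula style labels: no read up, no write down (delete is a write)."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    return s >= o if action == "read" else s <= o


def rbac_allows(subject: Subject, action: str) -> bool:
    """Granted if any of the subject's roles carries the permission."""
    return any(action in ROLE_PERMS.get(role, set()) for role in subject.roles)


def dac_allows(subject: Subject, obj: Obj, action: str) -> bool:
    """The owner always has access; everyone else needs an explicit ACL entry."""
    if subject.name == obj.owner:
        return True
    return action in obj.acl.get(subject.name, set())


def authorize(subject: Subject, obj: Obj, action: str):
    """Return (allowed, reason). Every layer must say yes; a request that is not
    explicitly granted somewhere falls through to a deny (implicit deny)."""
    if action not in KNOWN_ACTIONS:
        return False, "implicit deny: no rule for action %r" % action
    if not mac_allows(subject, obj, action):
        return False, "MAC: %s clearance may not %s a %s object" % (
            subject.clearance, action, obj.classification)
    if not rbac_allows(subject, action):
        return False, "RBAC: no role of %s grants %s" % (subject.name, action)
    if not dac_allows(subject, obj, action):
        return False, "DAC: owner %s has not granted %s to %s" % (
            obj.owner, action, subject.name)
    return True, "allowed"


# Constructed sample subjects and objects.
ALICE = Subject("alice", "secret", frozenset({"editor"}))
BOB = Subject("bob", "confidential", frozenset({"analyst"}))
CAROL = Subject("carol", "top_secret", frozenset({"admin"}))

PLAN = Obj("plan.doc", "secret", owner="alice")
NOTES = Obj("notes.txt", "unclassified", owner="alice", acl={"bob": {"read"}})
REPORT = Obj("report.txt", "confidential", owner="bob")


def demo():
    """Run a fixed set of requests; each one is stopped by a different layer."""
    requests = [
        (ALICE, PLAN, "read"),     # owner, cleared, editor role: allowed
        (BOB, PLAN, "read"),       # confidential reading secret: MAC (no read up)
        (CAROL, PLAN, "read"),     # cleared and admin, but owner never granted: DAC
        (BOB, NOTES, "read"),      # owner alice put bob in the ACL: allowed
        (BOB, REPORT, "write"),    # analyst role has no write permission: RBAC
        (ALICE, REPORT, "write"),  # secret writing confidential: MAC (no write down)
        (ALICE, PLAN, "execute"),  # no rule for this action: implicit deny
    ]
    return [(s.name, o.name, a) + authorize(s, o, a) for s, o, a in requests]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The order of the checks matters only for the reason string; because every layer must pass, the outcome is the same whichever is evaluated first. Note that carol is denied even though she has the highest clearance and the admin role: under DAC the owner's grant is still required, which is exactly the property MAC environments remove by taking the decision away from the owner.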
Access Control Model
Specifies methodologies by which admission to physical areas and, more importantly, computer systems, is managed and organized.
Separation of duties
When more than one person is required to complete a particular task or operation, so that no single individual can carry out and conceal a sensitive action alone.
Least Privilege
The principle that a user, process or program is given only the privileges needed to do its job, and no more.
Job Rotation
When users are cycled through various assignments, so that no one person stays in a position long enough to abuse it unnoticed, and so that more than one person knows how each job is done.