Research Paper
Considering the importance of data in organization, it is absolutely essential to secure the data present in the database. What are the strategic and technical security measures for good database security? Be sure to discuss at least one security model to properly develop databases for organizational security. Create a diagram of a security model for your research paper.
Your paper should meet the following requirements:
- Be approximately four to six pages in length, not including the required cover page and reference page.
- Follow APA7 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.
- Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The UC Library is a great place to find resources.
- Be clear, well written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.
4 pages needed; more than 2 references (recent articles).
Chapter 14
Controlling and Monitoring Access
Comparing Access Control Models
Comparing Permissions, Rights, and Privileges
Understanding Authorization Mechanisms
Defining Requirements with a Security Policy
Implementing Defense in Depth
Summarizing Access Control Models
Discretionary Access Controls
Nondiscretionary Access Controls
Overview
Comparing Permissions, Rights, and Privileges
Permissions
Access granted for an object
Rights
Ability to take action on an object
Privileges
Combination of rights and permissions
Understanding Authorization Mechanisms
Implicit deny
Access control matrix
Capability tables
Constrained interface
Content-dependent control
Context-dependent control
Need to know
Least privilege
Separation of duties and responsibilities
Defining Requirements with a Security Policy
Clarifies requirements
Shows senior leadership support
Sets guidelines and parameters
Implementing Defense in Depth
Protects against single-focused attacks
Document in security policy
Personnel are key
Uses combined solution approach
Summarizing Access Control Models
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule-based access control (rule BAC)
Attribute Based Access Control (ABAC)
Mandatory Access Control (MAC)
Discretionary Access Controls
Owner, creator, or custodian defines access
Based on identity
Uses ACLs on each object
Not centrally managed
Supports change
Nondiscretionary Access Controls
Centrally administered
Changes affect entire environment
Not based on identity, instead uses rules
Less flexible
Role Based Access Control
Based on subject’s role or assigned tasks
Enforces principle of least privilege
Related to job descriptions and work functions
Useful in dynamic environments
Often implemented using groups (via DAC)
Task based access control (TBAC)
Rule-Based Access Controls
Rules, restrictions, filters
Global rules apply to all subjects
Firewall and router rules/filters
Attribute Based Access Controls
Characteristics are used to determine rule applications
Can relate to users, groups, network, or devices
Mandatory Access Control
Based on classifications
Top Secret, Secret, Confidential
Confidential/Proprietary, Private, Sensitive, Public
Need to know
Prohibitive rather than permissive
Hierarchical
Compartmentalization
Hybrid
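The slides above name the models (DAC with per-object ACLs, RBAC via roles, MAC via hierarchical classifications plus need-to-know compartments) and the authorization mechanisms (implicit deny, access control matrix, capability tables) without showing how they differ in code. The following is an added example, not code from the textbook or its publisher; every subject, object, role and classification label in it is constructed for illustration, and the MAC check models only the "no read up" rule on clearance and compartments.

```python
"""Toy implementations of the access control models on these slides.
Added example with constructed data; not the textbook's code."""
from dataclasses import dataclass, field

# Implicit deny: every check starts from "no"; only an explicit grant flips it.


# --- Discretionary Access Control: the owner keeps an ACL on each object ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions

    def grant(self, granter: str, subject: str, perm: str) -> None:
        # Discretionary means the owner decides; nobody else may edit the ACL.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


# --- Role-Based Access Control: permissions attach to roles, users to roles ---
ROLE_PERMS = {"dba": {"read", "write", "backup"}, "analyst": {"read"}}   # constructed
USER_ROLES = {"alice": {"dba"}, "bob": {"analyst"}}                      # constructed


def rbac_allows(user: str, perm: str) -> bool:
    # Least privilege: a user holds exactly the permissions of the assigned roles.
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Mandatory Access Control: label = (hierarchical level, compartments) ---
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dominates(subject_label: tuple, object_label: tuple) -> bool:
    s_level, s_comps = subject_label
    o_level, o_comps = object_label
    # Hierarchical part: clearance must be at least the classification.
    # Compartment part: need to know, the subject must hold every compartment.
    return LEVELS[s_level] >= LEVELS[o_level] and set(o_comps) <= set(s_comps)


def mac_allows_read(subject_label: tuple, object_label: tuple) -> bool:
    # Prohibitive rather than permissive: read only if the label dominates.
    return dominates(subject_label, object_label)


# --- Access control matrix vs. capability table: the same data, two views ---
def matrix_to_capabilities(matrix: dict) -> dict:
    """matrix: object -> {subject: perms} (one row per object = an ACL).
    Returns subject -> {object: perms} (one row per subject = a capability table)."""
    caps: dict = {}
    for obj, entries in matrix.items():
        for subj, perms in entries.items():
            caps.setdefault(subj, {})[obj] = set(perms)
    return caps


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC bob read:", doc.allows("bob", "read"), "write:", doc.allows("bob", "write"))
    print("RBAC alice backup:", rbac_allows("alice", "backup"))
    print("MAC Secret/crypto reads Confidential/crypto:",
          mac_allows_read(("Secret", ["crypto"]), ("Confidential", ["crypto"])))
```

The DAC object is not centrally managed (each object carries its own ACL), while the RBAC and MAC tables are single central structures whose change affects every subject at once, which is the nondiscretionary trade-off the slides describe.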
Understanding Access Control Attacks
Risk Elements
Identifying Assets
Identifying Threats
Threat Modeling Approaches
Identifying Vulnerabilities
Common Access Control Attacks
Summary of Protection Methods
Overview
Risk Elements
Risk
Assets
Threat
Vulnerability
Risk Management
Identifying Assets
Asset valuation
Tangible value
Intangible value
Cost-benefit analysis
Identifying Threats
Threat modeling
Secure by Design, Secure by Default, Secure in Deployment and Communication (SD3+C)
Goals:
Reduce number of defects
Reduce severity of remaining defects
Advanced Persistent Threat (APT)
Threat Modeling Approaches
Focused on assets
Focused on attackers
Focused on software
Identifying Vulnerabilities
Vulnerability analysis
Weakness to threat
Technical and administrative
Vulnerability scans
Common Access Control Attacks 1/2
Impersonation
Access aggregation
Password
Dictionary
Brute force
Birthday
Rainbow table
Sniffer
Common Access Control Attacks 2/2
Spoofing
Social engineering
Phishing
Drive-by download
Spear phishing
Whaling
Vishing
Smartcard
Side-channel attack
Summary of Protection Methods
Control physical access and electronic access
Create a strong password policy
Hash and salt passwords
Use password masking
Deploy multifactor authentication
Use account lockout controls
Use last logon notification
Educate users about security
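Two of the protection methods listed above, "hash and salt passwords" and "use account lockout controls", are concrete enough to show in code. The following is an added example, not code from the textbook: an in-memory account store that hashes each password with PBKDF2-HMAC-SHA256 under a random per-user salt, compares digests in constant time, and locks the account after a configurable number of consecutive failures. The store, the iteration count and the lockout threshold are constructed choices for illustration.

```python
"""Salted password hashing plus account lockout. Added example with
constructed settings; not the textbook's code."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000     # PBKDF2 work factor; constructed value, tune for your hardware
MAX_FAILURES = 5         # consecutive failures before lockout; constructed value


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is supplied,
    so two users with the same password still get different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = {"salt": salt, "hash": digest,
                               "failures": 0, "locked": False}

    def is_locked(self, user: str) -> bool:
        return bool(self.accounts.get(user, {}).get("locked"))

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            # Burn a hash anyway so response time does not reveal which users exist.
            hash_password(password)
            return False
        if acct["locked"]:
            return False
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0          # success resets the counter
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True         # lockout until an administrator resets it
        return False

    def unlock(self, user: str) -> None:
        acct = self.accounts[user]
        acct["locked"] = False
        acct["failures"] = 0


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print("good login:", store.login("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        store.login("alice", "wrong")
    print("locked after failures:", store.is_locked("alice"))
```

Salting defeats precomputed (rainbow table) lookups because each digest depends on a per-user random value; the high iteration count slows brute-force and dictionary guessing; the lockout bounds online guessing regardless of password strength.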
Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions
Chapter 13
Managing Identity and Authentication
Controlling Access to Assets
Assets:
Information, systems, devices, facilities, personnel
Comparing Subjects and Objects
The CIA Triad
Types of Access Control
Preventative, detective, corrective, deterrent, recovery, directive, compensating
Administrative, logical/technical, physical
Comparing Identification and Authentication 1/5
Identification and Authentication
Registration and Proofing of Identity
Authorization and Accountability
Authentication Factors
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are
Somewhere you are
Context-aware authentication
Comparing Identification and Authentication 2/5
Passwords
Strong passwords
Age, complexity, length, history
Passphrases
Cognitive
Smartcards
Common Access Card (CAC)
Personal Identity Verification (PIV) card
Comparing Identification and Authentication 3/5
Tokens
One-time passwords
Synchronous Dynamic Password Tokens
Asynchronous Dynamic Password Tokens
Two-step authentication
Hash message authentication code (HMAC)
Time-based One-Time Password (TOTP)
Email or SMS PIN challenge
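The slide above lists HMAC and TOTP next to synchronous and asynchronous tokens without showing the computation. The following is an added example, not code from the textbook: an HOTP (RFC 4226) truncation routine, a TOTP (RFC 6238) wrapper that feeds it a time-step counter (the synchronous dynamic token case), a challenge-response variant for the asynchronous case, and a verifier that tolerates a small clock drift window. The secret and challenge values are the constructed test inputs from the RFCs and from this example, not keys from any real system.

```python
"""HOTP/TOTP and challenge-response one-time codes. Added example; not the
textbook's code. Secret below is the RFC 4226/6238 test key."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # published RFC test vector key


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based OTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                              # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based OTP: the counter is the number of elapsed time steps (synchronous token)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, digestmod)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Asynchronous token: the server sends a nonce, the token answers with
    HOTP-style truncation over the nonce instead of a counter."""
    mac = hmac.new(secret, challenge, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, candidate: str, at_time, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept codes from +/- `window` steps to absorb clock drift; compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))          # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("current TOTP:", totp(RFC_TEST_SECRET))
```

Because the code is derived from a shared secret that never leaves the token or the server, a captured code is useless once its counter or time step has passed; the drift window is the usual trade-off between usability and the number of codes an attacker could replay.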
Comparing Identification and Authentication 4/5
Biometrics
Fingerprints, face, retina, iris, palm, hand geometry, heart/pulse, voice, signature, keystroke
Errors:
Type 1: False Rejection Rate (FRR)
Type 2: False Acceptance Rate (FAR)
Crossover error rate (CER)
Enrollment
Reference profile/template
Throughput rate
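The error terms on the slide above (Type 1 FRR, Type 2 FAR, crossover error rate) are defined by how a match threshold splits genuine from impostor comparison scores. The following is an added example, not code from the textbook: it sweeps a threshold over two small constructed score sets, computes FRR and FAR at each setting, and locates the CER where the two curves meet. The scores are invented integers on a 0 to 100 scale, not measurements from any real biometric system.

```python
"""Biometric FRR / FAR / CER over constructed match scores. Added example;
not the textbook's code."""
from typing import List, Tuple

# Constructed similarity scores (0..100). Higher means a closer match.
GENUINE = [92, 88, 85, 81, 79, 76, 72, 69, 66, 60]    # enrolled user vs. own template
IMPOSTOR = [20, 28, 33, 39, 44, 50, 56, 62, 68, 74]   # other people vs. that template


def frr(genuine: List[int], threshold: int) -> float:
    """Type 1 error: fraction of genuine attempts rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type 2 error: fraction of impostor attempts accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every integer threshold on the score scale."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(0, 101)]


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Lowest threshold at which |FRR - FAR| is minimal; the error there is the CER."""
    return min(error_curve(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    t, type1, type2 = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t}: FRR={type1:.2f} FAR={type2:.2f}")
    for thr in (50, t, 80):
        print(f"threshold {thr:3d}: FRR={frr(GENUINE, thr):.2f} FAR={far(IMPOSTOR, thr):.2f}")
```

Raising the threshold lowers FAR (better security) while raising FRR (more legitimate users turned away); the CER is the single number vendors quote to compare devices, and a deployment tuned for a high-security door will normally sit to the right of it.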
Comparing Identification and Authentication 5/5
Multifactor Authentication
Device Authentication
Device fingerprinting
802.1X
Service Authentication
Application accounts
Implementing Identity Management 1/2
Centralized vs. decentralized
Single Sign-On
LDAP and PKI
Kerberos
KDC, TGT, ST
Federated Identity Management
Security Assertion Markup Language (SAML)
Service Provisioning Markup Language (SPML)
Extensible Access Control Markup Language (XACML)
OAuth 2.0, OpenID, OpenID Connect
Scripted access
Implementing Identity Management 2/2
Credential Management Systems
Integrating Identity Services
Identity and access as a service (IDaaS)
Managing Sessions
AAA Protocols
Remote Authentication Dial-in User Service (RADIUS)
Terminal Access Controller Access-Control System (TACACS)
Diameter
Managing the Identity and Access Provisioning Lifecycle
Provisioning
Account Review
Excessive privilege
Privilege creep
Account Revocation
Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions