Access Control
Access control → security mechanism that determines who can access a resource, what actions they are allowed to perform, and under what conditions access is permitted or denied.
Least Privilege
Least privilege → access control principle that ensures users are granted only the minimum permissions necessary to perform their job functions, reducing the impact of compromised accounts.
MAC in Linux
Mandatory access control (MAC) → access control model where permissions are enforced by the system based on security policies and classifications, not by the resource owner, commonly used in high-security environments.
DAC in Linux
Discretionary access control (DAC) → access control model where the owner of a resource decides who can access it, offering flexibility but increasing the risk of improper permission settings.
RBAC
Role-based access control (RBAC) → access control model that assigns permissions based on job roles, making access management scalable and consistent across an organization.
Rule Based Access Control
Rule-based access control → access control model that grants or denies access based on predefined rules such as Internet Protocol address, device type, or network conditions.
ABAC
Attribute-based access control (ABAC) → access control model that makes dynamic decisions using multiple attributes such as user identity, device posture, location, time, and resource sensitivity.
Like: Allow nurses to read patient records only if they are assigned to the patients ward, and at specific times, etc.
Time of Day Restrictions
Time of day restrictions → access control technique that limits system access to specific hours, reducing exposure to unauthorized access during off-hours.
MFA
Multifactor authentication (MFA) → authentication method requiring two or more factor types such as something you know like a username and password, something you have like a smartphone or hardware token, something you are like a fingerprint or facial scan, or somewhere you are based on geographic location.
Just-in-time Permission
Just-in-time permission → access control approach that provides temporary elevated access only when needed and automatically removes it after a short time to reduce standing privileges.
-
Security Controls10
-
The CIA Triad & Non-Repudiation8
-
AAA & Gap Analysis10
-
Zero Trust12
-
Physical Security8
-
Deception & Disruption4
-
Change Management9
-
Technical Change Management9
-
Public Key Infrastructure & Encrypting Data24
-
Key Exchange & Encyption Technology10
-
Obfuscation8
-
Hashing & Digital Signatures9
-
Digital Certificates12
-
Threat Actors8
-
Common Threat Vectors12
-
Common Social Engineering Attacks9
-
Application & Memory-Based Attacks9
-
SQL Injections & Cross-site Scripting6
-
Operating System & Hardware Vulnerabilities7
-
Virtualization & Cloud-specific Vulnerabilities10
-
Supply Chain & Misconfiguration Vulnerabilities10
-
Mobile Device & Zero-day Vulnerabilities7
-
An Overview of Malware14
-
Viruses, Worms, Spyware & Bloatware10
-
Other Malware Types & Physical Attacks9
-
Denial of Service & DNS Attacks10
-
Wireless & On-Path Attacks:6
-
Replay Attacks & Malicious Code9
-
Cryptographic & Password Attacks8
-
Indicators of Compromise10
-
Segmentation, Access Control & Mitigation Techniques10
-
Hardening Techniques10
-
Cloud Infrastructures9
-
Network Infrastructure Concepts14
-
Infrastructure Considerations15
-
Intrusion Prevention7
-
Network Appliances & Port Security16
-
Firewall Types & Secure Communication11
-
Data Types & Classifications12
-
States of Data & Protecting Data14
-
Resiliency9
-
Capacity Planning, Backups & Recovery Testing9
-
Infrastructure Hardening & Secure Deployment11
-
Wireless Security Settings11
-
Application Security7
-
Asset Management, Vulnerability Scanning & Threat Intelligence14
-
Penetration Testing & Analyzing Vulnerabilities14
-
Vulnerability Remediation & Security Monitoring10
-
Security Tools10
-
Secure Protocols, OS & Email Security15
-
Monitoring Data & Endpoint Security13
-
Identity & Access Management8
-
Access Controls10
-
Incident Response & Planning10
-
Digital Forensics & Log Data17
-
Security Policies, Standards, Procedures & Considerations12
-
Data Roles, Risk Analysis & Management Strategies14
-
Business Impact Analysis & Agreement Types15
-
Compliance, Privacy, Audits & Assessments11
-
Penetration Testing, Security Awareness & User Training10
