Lecture ‐ Access Control Asset Security - Dleifnesor/SEC-250 GitHub Wiki

Asset Identification

The process of identifying and cataloging important IT and software assets within an organization


Components:

IT assets: Hardware, software, networks, data. This includes IoT devices and peripherals, which are easy to leave off an inventory.

Criticality: Classifying assets based on their importance to business operations.

Asset management: Tools and techniques for tracking and securing assets.

Threat Analysis

The process of identifying potential security threats to assets


Components:

Threat Types: Internal, External, Third party

Threat monitoring and modeling: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) for enumerating threat categories, DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) for rating them, and PASTA (Process for Attack Simulation and Threat Analysis) as a risk-centric end-to-end methodology.

Risk Management: Evaluating and prioritizing threats based on likelihood and impact.

Access Control Policies

Discretionary Access Control (DAC): Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. It is "discretionary" because the owner of a resource decides who else may access it.

Role-Based Access Control (RBAC): Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles. Permissions attach to roles, and users are assigned roles.

Mandatory Access Control (MAC): Controls access based on comparing security labels with security clearances. The policy is set centrally; a subject cannot override it for objects it owns.

Attribute-Based Access Control (ABAC): Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions (for example time of day or network location).
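The four models above as an added worked example, not part of the lecture or the course repository: a small Python policy-decision module with one check function per model. The users, roles, labels and attribute rules are constructed samples, and the MAC branch assumes Bell-LaPadula's no-read-up / no-write-down rules, which the lecture text does not specify.

```python
"""Minimal policy-decision functions for DAC, RBAC, MAC and ABAC.
Added example; all users, roles, labels and rules are constructed."""
from dataclasses import dataclass, field


# ---------- DAC: the object's owner decides who else may access it ----------
@dataclass
class DacObject:
    owner: str
    # subject -> set of permissions the owner has granted
    acl: dict = field(default_factory=dict)


def dac_grant(obj: DacObject, granter: str, grantee: str, perm: str) -> bool:
    """Only the owner may change the ACL (the 'discretionary' part)."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_check(obj: DacObject, subject: str, perm: str) -> bool:
    """Owner has all rights; everyone else needs an explicit ACL entry."""
    return subject == obj.owner or perm in obj.acl.get(subject, set())


# ---------- RBAC: permissions attach to roles, users are assigned roles ----------
ROLE_PERMS = {  # constructed sample roles
    "auditor": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"auditor"}}  # constructed


def rbac_check(user: str, resource: str, perm: str) -> bool:
    """Allowed if any of the user's roles carries (resource, perm)."""
    return any((resource, perm) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---------- MAC: compare the subject's clearance with the object's label ----------
# Assumption: Bell-LaPadula rules (no read up, no write down).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_check(clearance: str, label: str, perm: str) -> bool:
    c, l = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= l      # simple security property: no read up
    if perm == "write":
        return c <= l      # *-property: no write down
    raise ValueError(f"unknown permission {perm!r}")


# ---------- ABAC: rules over subject, resource and environment attributes ----------
def abac_check(subject: dict, resource: dict, env: dict, perm: str) -> bool:
    """Constructed rules: same-department reads need the VPN; writes also
    need clearance >= resource sensitivity and must occur in business hours."""
    same_dept = subject["department"] == resource["department"]
    if perm == "read":
        return same_dept and env["on_vpn"]
    if perm == "write":
        return (same_dept and env["on_vpn"]
                and subject["clearance"] >= resource["sensitivity"]
                and 8 <= env["hour"] < 18)
    return False


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print("DAC  bob read:", dac_check(doc, "bob", "read"))                      # True
    print("RBAC bob write:", rbac_check("bob", "ledger", "write"))              # False
    print("MAC  secret writes confidential:", mac_check("secret", "confidential", "write"))  # False
    print("ABAC off-VPN read:", abac_check(
        {"department": "finance", "clearance": 2},
        {"department": "finance", "sensitivity": 1},
        {"on_vpn": False, "hour": 10}, "read"))                                 # False
```

The contrast worth noticing is in who can change the decision: in DAC the owner edits the ACL, in RBAC an administrator edits role assignments, in MAC nobody but the label authority can make a write-down succeed, and in ABAC the answer can change with the environment alone (the same user is denied off the VPN or after hours) without any change to user or resource.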