Chapter 106 · Tricks

Security Standards — Tricks & Mnemonics

Four memory tricks and three practice scenarios for exam-day recall of access control models, password storage, physical security classification, and encryption by data state.

01MAC/DAC/RBAC/ABAC: Who Decides Access?

Every access control model question can be answered by asking: who or what decides access?

  • The SYSTEM (labels) → MAC. No user can override the system.
  • The OWNER (their choice) → DAC. Discretion means the owner decides.
  • The ROLE (job function) → RBAC. Access follows the job title.
  • MULTIPLE ATTRIBUTES (user + resource + environment) → ABAC. All attributes evaluated together.

Memory sentence: "Military Systems; Data Owners; Role Bosses; Attribute Bureaucrats"

Exam trap: "The file owner sets permissions on their own files" = DAC, not RBAC (even though the owner may have a role). In DAC, the specific discretion of the owner determines access; in RBAC, the role determines access regardless of the resource owner's preference.

Second trap: "Users in the Finance role can access financial reports" = RBAC. "Users in Finance can access financial reports EXCEPT after 6 PM and except from personal devices" = ABAC (role + time + device attributes).

02Password Storage: Hash + Salt = Always Required

Password storage questions will describe a breach and ask what storage method was (or should have been) used. Key rules:

  • Plaintext storage → Never acceptable. Immediately exposes all passwords on breach.
  • Reversible encryption → Never acceptable for passwords. Key compromise = all passwords exposed.
  • Hash without salt → Insufficient. Rainbow tables can crack common passwords instantly.
  • Hash + salt → Required minimum. bcrypt/Argon2/PBKDF2 + unique salt = correct.

Exam trigger: "The developer stored passwords using SHA-256" → insufficient (no salt, too fast). "The developer stored passwords using MD5" → never acceptable (broken + no salt). "The developer stored passwords using bcrypt with a unique salt per user" → correct.

Key insight: the salt does not need to be secret (it is usually stored alongside the hash). Its purpose is uniqueness, not secrecy. It defeats pre-computed tables, not online guessing.

03Data States: At Rest, In Transit, In Use

Encryption questions often describe a scenario and ask which data state is involved. Use this filter:

  • On a disk / database / backup / USB → Data at rest → AES-256, full-disk encryption
  • Moving over a network / between systems → Data in transit → TLS 1.3, VPN, SFTP
  • Being processed in RAM / actively used → Data in use → TEE, secure enclaves

Exam trap: "An employee sends an email with attached PII" → the email in transit = data in transit (TLS needed). The same email in the recipient's mailbox on disk = data at rest (mailbox encryption needed). Two different states for the same data at different points in its lifecycle.

Also: different data states may have different encryption requirements. The same organization may require TLS 1.3 for all web traffic (in transit) but only require AES-128 for non-sensitive internal data at rest. The encryption standard must specify requirements per state AND per sensitivity level.

04Visitor vs. Contractor vs. Employee: Escort Decision

Physical security questions will describe a person accessing a facility and ask whether they should be escorted or what badge type they should have. Use this decision tree:

  • Is this a regular employee? → Permanent badge; no escort required in authorized areas.
  • Is this a vetted contractor on an ongoing contract? → Contractor badge; access limited to authorized areas; may work independently; revoke on contract end.
  • Is this anyone else (vendor, visitor, delivery, maintenance)? → Visitor badge; escort ALWAYS REQUIRED in restricted areas.

Exam trap: "The CEO's spouse visited the office and was given a badge by reception. They then walked to the server room unescorted while waiting." This is a physical security violation even if the person seems harmless. Visitor = escort always. Familiarity does not change the rule.

Second trap: Contractors are background-checked but are NOT employees. A contractor should not have unsupervised access to areas beyond their contractual scope, even if they are on-site daily.

Practice Scenarios

Scenario 1: Classify the Access Control Model

Classify each of the following as MAC, DAC, RBAC, or ABAC:

  1. A hospital system grants doctors access to patient records based on their physician role; nurses have a separate role with different access.
  2. A file server where each user can set read/write/execute permissions on their own home directory files.
  3. A classified government network where documents labeled "SECRET" can only be accessed by users with SECRET or higher clearance, enforced by the system regardless of who owns the document.
  4. A cloud platform that grants access to financial reports IF the user is in Finance AND the access occurs during business hours AND from a managed corporate device.
  5. A contractor who has been granted read access to a specific project folder by the project manager, even though the contractor's job role does not normally include that access.

Answers: (1) RBAC — access follows job role (physician/nurse). (2) DAC — file owner sets permissions at their discretion. (3) MAC — system enforces labels; no user can override. (4) ABAC — role + time + device attributes all evaluated. (5) DAC — the project manager (resource owner) granted access based on their discretion, outside of the normal role structure.

Scenario 2: Password Storage Audit

An auditor reviews three applications' password storage methods: (A) Application 1 stores passwords as MD5 hashes with no salt. (B) Application 2 encrypts passwords with AES-128 using a key stored in the application configuration file. (C) Application 3 stores passwords as bcrypt hashes with a unique random 16-byte salt per user.

Rank these from most secure to least secure and explain what specific attack each storage method is vulnerable to.

Answer: Most to least secure: (C) > (A) > (B). (C) bcrypt + unique salt: most secure. Salting defeats rainbow tables; bcrypt is slow (millions of attempts required per password crack). Resistant to pre-computed attacks; offline brute force is extremely time-intensive. (A) MD5 without salt: partially secure in that it is one-way, but MD5 is extremely fast and rainbow tables exist for common MD5 hashes. Without salt, identical passwords produce identical hashes — attackers can identify which users share passwords and crack them at scale. (B) AES-128 reversible encryption: least secure despite appearing sophisticated. The encryption key is stored in the application config — if an attacker compromises the application, they have the key and can decrypt ALL passwords instantly. Reversible encryption for passwords is never acceptable because the key is the single point of failure.

Scenario 3: Encryption Standard Gaps

A company's encryption standard specifies: "All databases containing PII must use AES-256 encryption. All external web applications must use TLS 1.2 or higher." An auditor finds: (1) A vendor-managed payroll application uses TLS 1.0 for API calls to the company's HR system. (2) Company laptops store customer PII in unencrypted local SQLite databases used by the sales application. (3) An analyst processes financial data in memory on a shared server with no additional memory protection.

Identify which data state standard violation each finding represents, and what remediation is required.

Answer: (1) TLS 1.0 API calls = data in transit violation. The standard requires TLS 1.2 minimum. TLS 1.0 is deprecated and has known vulnerabilities (POODLE, BEAST). Remediation: upgrade the vendor API connection to TLS 1.2+ or terminate the vendor relationship and use a compliant alternative. (2) Unencrypted local SQLite with PII = data at rest violation. The standard requires AES-256 for PII databases. Remediation: implement SQLite encryption (SQLCipher or similar) or move PII storage to the encrypted central database. (3) Financial data in memory on a shared server = data in use concern. The current standard does not explicitly address data in use — this is a standard gap. Remediation: update the encryption standard to address data in use for high-sensitivity data; implement hardware-based memory isolation (Intel SGX or AMD SEV) for sensitive processing. Note: gaps in standards (not explicitly addressed) are as much a finding as explicit violations.