ISC(2) CISSP Revision Notes – Access Control


Access Control, one of the core and more important parts of the CISSP.

In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control (You are here)
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security

Subject: Active party (eg user)

Object: Passive party (eg file share)

Administrative Controls:

  • Policies, Standards & Guidelines
  • Reviews or Audits

Technical Controls:

  • eg Encryption, audit trails

Physical Controls:

  • eg Fences, security guards

Access Control Service – AAA

  • Authentication – “Can they logon?”
  • Authorization – “What can they do?”
  • Accountability – “What did they do?”
  • (+Non-repudiation – “Was it them?”)

System Access (Outside) vs Data Access (Inside)

Factors in Authentication:

  • “Something you know” – eg password
  • “Something you have” – eg token
  • “Something you are” – eg fingerprint
  • One-factor, two-factor, three-factor

Password Controls:

Length, complexity, aging, history and logon attempts

Biometric

Type 1 Error: False Reject Rate (FRR)

Type 2 Error: False Accept Rate (FAR)

Crossover Error Rate (CER): the point where FRR and FAR are equal; the lower the CER, the more accurate the biometric

| Biometric         | CER    | Seconds | File Size       | Advantages      | Disadvantages        |
|-------------------|--------|---------|-----------------|-----------------|----------------------|
| Finger Scan       | <1-5%  | 1-7     | 250 – 1500b     | Cheap           | Biometric can change |
| Hand Geometry     | <1-2%  | 3-5     | ~10b            | Small file size | Biometric can change |
| Retina Pattern    | 1.5%   | 4-7     | 96b             |                 | Obtrusive            |
| Iris Pattern      | <0.5%  | 2.4-4   | 256-512b        | Lowest CER      | Obtrusive            |
| Voice Recognition | <10%   | 10-14   | 1000 – 10000b   |                 | Large file size      |
| Signature Dynamic | 1%     | 5-10    | 1000 – 1500b    |                 | Forgery              |


One Time Passwords (OTP): Valid for one session only

Single Sign On (SSO): Only one point of authentication for the entire session (keys to the castle), based on tickets; examples include Kerberos, SESAME, KryptoKnight

Centralised: eg LDAP, RAS (CHAP, PAP), RADIUS, Diameter, TACACS

LDAP: eg Microsoft Active Directory, Novell eDirectory

PAP: Two way handshake, clear text

CHAP: Three way handshake, one way hash

EAP: Various methods (eg MD5, S/Key), used in 802.1X

RADIUS: Application layer, UDP, used by ISPs and in VPNs

TACACS: Open source

Discretionary Access Control (DAC)

  • Permissions determined by the owner
  • File and data ownership (eg chmod 775)
  • Not centralized, often open by default

Mandatory Access Control (MAC)

  • Permissions determined by system/admin
  • Works with labels (eg Secret, Top Secret, etc)

Rule Based Access Control: Set by admin

Lattice Based Access Control: Upper and lower boundaries of permissions

  • Lack of flexibility and can be difficult in setting up

Bell-La Padula Confidentiality

Simple Security Property (SS Property) – No Read Up

Star Property (*-Property) – No Write Down

Biba (Bell-La Padula upside down) Integrity

Lattice based

Simple Integrity Property – No Read Down

*-Integrity Property – No Write Up
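To make the four rules concrete, here is an added example (not from the original notes) that encodes both models over a simple lattice of level plus compartments, where the level names, compartment names and sample labels are constructed for illustration:

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of compartments (constructed names)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as high a level AND a superset of the compartments.
        # Labels with disjoint compartments are incomparable, so neither dominates the other.
        return self.level >= other.level and self.compartments >= other.compartments

def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality)."""
    if op == "read":   # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":  # *-property: no write down
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the Bell-LaPadula rules turned upside down."""
    if op == "read":   # simple integrity property: no read down
        return obj.dominates(subject)
    if op == "write":  # *-integrity property: no write up
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")

def decide(subject: Label, obj: Label, op: str) -> dict:
    """Evaluate one request under both models; enforcing both only permits what passes each."""
    blp, biba = blp_allows(subject, obj, op), biba_allows(subject, obj, op)
    return {"blp": blp, "biba": biba, "both": blp and biba}

# Constructed sample labels (not from the notes).
ANALYST = Label(Level.SECRET, frozenset({"crypto"}))
LOW_FILE = Label(Level.CONFIDENTIAL)
OTHER_FILE = Label(Level.SECRET, frozenset({"nuclear"}))

if __name__ == "__main__":  # demo run
    for op in ("read", "write"):
        print(op, decide(ANALYST, LOW_FILE, op), decide(ANALYST, OTHER_FILE, op))
```

Note that OTHER_FILE sits at the same level as the analyst but in a different compartment, so neither label dominates the other and both models refuse both operations.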

Clark-Wilson Integrity

Data access through an application (think SQL Views)

Unconstrained Data Item (UDI) – Outside data

Constrained Data Item (CDI) – Inside data

Integrity Verification Procedures (IVP) – Checks CDI for validity

Transformational Procedure (TP) – Checks CDI for integrity

Noninterference Model

Can’t see the actions of others on the same system (objects and subjects)

Access Matrix Model

DAC Extension


Access Control Attacks: Brute Force/Dictionary, Buffer/Stack Overflow, Man-in-the-Middle, Sniffing, Session Hijacking, Social Engineering

Access Control Testing: Pen test (port scanning, blackbox [unknown], whitebox [known], greybox [somewhere in the middle], application scan)

