ISC(2) CISSP Revision Notes – Access Control
Access Control, one of the core and more important parts of the CISSP.
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control (You are here)
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security
Subject: Active party (eg user)
Object: Passive party (eg file share)
Administrative Controls:
Policies, Standards & Guidelines
- Reviews or Audits
Technical Controls:
- eg Encryption, audit trails
Physical Controls:
- eg Fences, security guards
Access Control Service – AAA
- Authentication – “Can they logon?”
- Authorization – “What can they do?”
- Accountability – “What did they do?”
- (+Non-repudiation – “Was it them?”)
System Access (Outside) vs Data Access (Inside)
Factors in Authentication:
- “Something you know” – eg password
- “Something you have” – eg token
- “Something you are” – eg fingerprint
- One-factor, two-factor, three-factor
Password Controls:
Length, complexity, aging, history and logon attempts
Biometric
Type 1 Error: False Reject Rate (FRR)
Type 2 Error: False Accept Rate (FAR)
Crossover Rate (CER)
| CER | Seconds | File Size | Advantages | Disadvantages | |
| Finger Scan | <1-5% | 1-7 | 250 – 1500b | Cheap | Biometric can change |
| Hand Geometry | <1-2% | 3-5 | ~10b | Small filesize | Biometric can change |
| Retina Pattern | 1.5% | 4-7 | 96b | Obtrusive | |
| Iris Pattern | <0.5% | 2.4-4 | 256-512b | Lowest CER | Obtrusive |
| Voice Recognition | <10% | 10-14 | 1000 – 10000b | Large file size | |
| Signature Dynamic | 1% | 5-10 | 1000 – 1500b | Forgery |
One Time Passwords (OTP): Valid for one session only
Single Sign On (SSO): Only one point of authentication for entire session (keys to the castle), based on tickets, eamples include KERBEROS, SEASEME, KrypoKnight
Centralised: eg LDAP, RAS (CHAP, PAP), RADIUS, Diameter, TACAS
LDAP: eg Microsoft Active Directory, Novell eDirectory
PAP: Two way handshake, clear text
CHAP: Three way handshake, one way hash
EAP: Various (MD5), S/Key, used in 802.11x
RADIUS: Application layer, UDP, used by ISPS and in VPNs
Tacas: Open source
Discretionary Access Control (DAC)
- Permissions determined by the owner
- File and data ownership (eg chmod 775)
- Not centralized, often open by default
Mandatory Access Control (MAC)
- Permissions determined by system/admin
- Works with labels (eg Secret, Top Secret, etc)
Rule Based Access Control: Set by admin
Lattice Based Access Control: Upper and lower boundaries of permissions
- Lack of flexibility and can be difficult in setting up
Bell-La Padula Confidentiality
Simple Security Property (SS Property) – No Read Up
Star Property (*-Property)- No Write Down
Biba (/Bell-La Padula Upsite Down) Integrity
Lattice based
Simple Integrity Property – No Read Down
* Integrity Property – No Write Up
Clark-Wilson Integrity
Data access through an application (think SQL Views)
Unconstrained Data Item (UDI) – Outside data
Constrained Data Item (CDI) – Inside data
Integrity Verification Procedures (IVP) – Checks CDI for validity
Transformational Procedure (TP) – Checks CDI for integrity
Non-inference Model
Can’t see actions of other on same system (objects and subjects)
Access Matric Model
DAC Extension
Access Control Attacks: Brute Force/Dictionary, Buffer/Stack Overflow, Man-in-the-Middle, Sniffing, Session Hijacking, Social Engineering
Access Control Testing: Pen test (port scanning, blackbox [unknown], whitebox [known], grepbox [somewhere in the middle], application scan)
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
2 Comments
[…] Study and Exam Tips ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP (You are here) ISC(2) CISSP Revision Notes – Access Control ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning ISC(2) CISSP Revision […]
[…] Study and Exam Tips (You are here) ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP ISC(2) CISSP Revision Notes – Access Control ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning ISC(2) CISSP Revision […]