Series: CISSP Study Sheet
Entry: Access Control

The CISSP Study Sheet Series identifies the most important details of each domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, for example with my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last-minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP study sheets just before the test, and then doing a “brain dump” of notes onto the paper issued with the CISSP exam during the first 15 minutes. Hopefully, you will have remembered enough to have created an authorized cheat sheet. This second study sheet focuses on the Access Control domain.

Access Control Study Sheet

Access Control Attacks – Denial of Service, wardialing, brute force, shoulder surfing, dumpster diving, sniffing, spoofing, and dictionary attacks.
Identity Management – centralized technologies designed to control the access rights of specific identities, such as directory services (LDAP, NIS, or DNS).
Data Classification – a multitier labeling of information that dictates how a piece of data should be treated.

Identification – unique usernames recognized on computer systems.
Authentication – proof of the claimed identity. Something you know… Something you have… Something you are.
Authorization – what the identity is permitted to do.
Accountability – the use of mechanisms such as audit trails to hold users responsible for their activity.

Who you are… OK, you are you… What can you do… What you did.

Preventative – access controls enabled to stop unwanted actions by blocking the ability to do them.
Detective – access controls that identify the unwanted actions after they have occurred.
Corrective – access controls that remedy the condition that allowed an unwanted action and restore the previous state.
Directive – government laws and organizational policies that determine what is allowable.
Deterrent – the repercussions of not following directives.
Recovery – access controls involving the restoration of computing resources after an incident.
Compensating – backup and contingency controls that reinforce normal operations.

Least Privilege – allowing for only the minimum resources needed to accomplish tasks.
Need to Know – not everyone with a secret clearance needs to know everything classified at secret. Certain information should remain only with the persons required to know it.
Separation of Duties – requires collusion of two or more people to commit fraud instead of a single entity having control of complete transactions.

Administrative – access controls related to policies and personnel, such as separation of duties and procedures.
Technical – logical access controls utilizing software and hardware solutions, such as encryption.
Physical – environmental and material access controls, such as doors and locks.

All Access Controls should default to no access.

Password – most used form of access control, but susceptible to brute force and dictionary attacks.
Passphrase – a series of words converted into a password that is not as vulnerable as a simple password.
Password Synchronization – allows users to access multiple systems with one password.
Self Service Password – the ability for users to reset their own passwords without administrative assistance.
Assisted Password Reset – Identification and authentication of a user prior to password reset. Usually through a question and answer process.
One Time Password – a password that changes synchronously (e.g. time based) and is valid for a single use, so that shoulder surfing and replay attacks gain nothing reusable.
Single Sign On – centralized authentication database that gives access to numerous resources from one authentication, such as SESAME.
Kerberos – an SSO protocol using a ticket from the key distribution center for authentication in a single security domain. The ticket granting service then generates new tickets with the session keys.
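The "time based synchronous" one-time password above is usually TOTP (RFC 6238) built on HOTP (RFC 4226). The following is an added example, not code from the study sheet: it computes the code on the token side and shows the server-side check that makes replay fail, namely accepting each time step's code at most once. The secret is the RFC reference test secret so the output can be checked against the published vectors; the verifier class, its one-step skew window and the replay bookkeeping are this example's own design.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"). It is
# used here only so the output can be checked against the published test
# vectors; a real deployment provisions a random secret per user.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code (RFC 6238 default)
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Server side (example design, not from any standard library). Accepts
    each time step's code at most once, so a code that was shoulder-surfed or
    captured cannot be replayed, and tolerates a small clock skew between
    token and server."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew_steps
        self.last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.skew, now_step + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue    # already used: treat a repeat as a replay attempt
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    t = 59                                   # RFC 6238 test time
    code = totp(SHARED_SECRET, t)
    server = OtpVerifier(SHARED_SECRET)
    print(code, server.verify(code, t), server.verify(code, t + 5))  # 94287082 True False
```

Both sides must hold the same secret and keep clocks within the skew window; the `last_accepted_step` record is what turns "synchronous" into "one time", since without it a captured code stays valid for the rest of its 30-second step.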

Discretionary Access Control (DAC) – data owner designated access via identity permissions of users or group.
Mandatory Access Control (MAC) – sensitivity labeling of information that restricts access to an object by unauthorized users via two attributes.
Role Based Access Control (RBAC) – A form of DAC that uses the owner’s discretion to categorize access based on a user’s specific function or role.
Content Dependent Access Control – an object’s content is analyzed by an arbiter program to determine access privileges.
Nondiscretionary Access Control – role based access control managed by the system’s administrator rather than the data owner.
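Mandatory access control and need to know are easiest to see as a label comparison. The block below is an added example and not part of the study sheet: a label carries a sensitivity level and a set of compartments, and a subject may read an object only when the clearance dominates the label on both attributes. The level names, the compartment names and the sample objects are constructed for the example; an unrecognized level is denied, matching the sheet's rule that access defaults to none.

```python
from dataclasses import dataclass

# Constructed lattice of sensitivity levels (a higher number dominates a lower one).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: sensitivity level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers every compartment."""
        if self.level not in LEVELS or other.level not in LEVELS:
            return False                # unknown label: default to no access
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_read_allowed(clearance: Label, object_label: Label) -> bool:
    """A subject may read an object only if its clearance dominates the
    object's label. The data owner cannot override this; the system enforces it."""
    return clearance.dominates(object_label)


def readable_objects(clearance: Label, objects: dict) -> set:
    """Names of the labelled objects this clearance may read."""
    return {name for name, label in objects.items()
            if mac_read_allowed(clearance, label)}


# Constructed sample objects with their labels.
OBJECTS = {
    "ops-plan":      Label("secret", frozenset({"ops"})),
    "payroll":       Label("secret", frozenset({"payroll"})),
    "press-release": Label("unclassified"),
    "budget":        Label("top secret", frozenset({"payroll"})),
}

if __name__ == "__main__":
    # Secret clearance, but need to know only for payroll: the secret ops plan
    # stays out of reach even though the level alone would permit it.
    analyst = Label("secret", frozenset({"payroll"}))
    print(sorted(readable_objects(analyst, OBJECTS)))   # ['payroll', 'press-release']
```

The compartment check is the "need to know" line on the sheet made concrete: two subjects with identical secret clearances see different objects depending on which compartments they hold.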

Centralized Access Control – One individual, device, or group makes the decision for network access, such as RADIUS, TACACS+, and Diameter.
Decentralized Access Control – the network access decision is distributed locally, such as peer to peer.

Access Control Lists (ACLs) – a common DAC that designates what users have access to an object, and what functions they are allowed to do on that object.
Capability Table – much like an ACL, but bound to a subject and lists what objects he or she can access.
Constrained User Interface – disallows the ability of a user to interact with certain objects, such as grayed out icons and database views.
Tempest – countermeasures against eavesdropping on the electromagnetic signals that equipment radiates into the airwaves.
Audit Logs – protected and reviewed record of user activities, system events, and application actions.
Keystroke Monitoring – a form of auditing that records every keystroke performed by a user.
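An ACL and a capability table are the column and row views of the same access matrix, which is why the sheet describes them as "much like" each other. The following added example (not code from the study sheet) builds both views from one constructed matrix, checks rights with no entry meaning no access, and shows which question each view answers cheaply: an ACL lists who can reach an object, a capability table lists what a subject can reach. Subject names, object names and rights are constructed for the example.

```python
from collections import defaultdict

# Constructed access matrix: subject -> object -> rights. Both an ACL and a
# capability table are views of this one matrix.
ACCESS_MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "policy.pdf": {"read"}},
    "bob":   {"policy.pdf": {"read"}},
    "carol": {"payroll.xlsx": {"read"}, "backup.tar": {"read", "write", "execute"}},
}


def to_acls(matrix: dict) -> dict:
    """Column view, bound to objects: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for subject, objs in matrix.items():
        for obj, rights in objs.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix: dict) -> dict:
    """Row view, bound to subjects: subject -> {object: rights}."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def acl_check(acls: dict, subject: str, obj: str, right: str) -> bool:
    """Unknown object, unknown subject or missing right all mean no access."""
    return right in acls.get(obj, {}).get(subject, set())


def capability_check(caps: dict, subject: str, obj: str, right: str) -> bool:
    """Same default-deny rule, looked up from the subject's side."""
    return right in caps.get(subject, {}).get(obj, set())


def who_can_access(acls: dict, obj: str) -> set:
    """Cheap with an ACL: one lookup on the object."""
    return set(acls.get(obj, {}))


def what_can_access(caps: dict, subject: str) -> set:
    """Cheap with a capability table: one lookup on the subject."""
    return set(caps.get(subject, {}))


def revoke_subject(acls: dict, subject: str) -> int:
    """Removing a departing user from ACLs means scanning every object's list.
    Returns how many entries were removed."""
    removed = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    acls, caps = to_acls(ACCESS_MATRIX), to_capabilities(ACCESS_MATRIX)
    print(acl_check(acls, "carol", "payroll.xlsx", "write"))   # False
    print(acl_check(acls, "dave", "payroll.xlsx", "read"))     # False: no entry, no access
    print(sorted(who_can_access(acls, "payroll.xlsx")))         # ['alice', 'carol']
    print(sorted(what_can_access(caps, "carol")))               # ['backup.tar', 'payroll.xlsx']
```

The `revoke_subject` function is the practical reason the distinction matters for user deprovisioning: with ACLs, removing one user touches every object; with capabilities, it is one row.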

Physiological Biometrics – identification and authentication controls recognizing physical characteristics, such as fingerprints and retina scans.
Behavioral Biometrics – identification and authentication controls recognizing mannerisms, such as voice inflections and keyboard strokes.
Biometrics Type I error – rejection of an authorized individual.
Biometrics Type II error – an imposter is authenticated.
Smart Card – a physical access control device for authentication.
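Type I and Type II errors are two sides of one decision threshold on the matcher's score, so raising the threshold trades false acceptances for false rejections. This added example (not part of the study sheet) computes both rates over constructed genuine and impostor scores at several thresholds, and goes one step beyond the sheet by locating the threshold where the two rates cross, the crossover error rate used to compare biometric systems. The score lists and the threshold values are constructed for the example.

```python
# Constructed matcher scores in [0, 1]: a higher score means the sample looks
# more like the enrolled template. Genuine users mostly score high, impostors low.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.81, 0.66, 0.95, 0.70, 0.59, 0.85, 0.78]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.18, 0.41, 0.71, 0.27]


def error_rates(genuine, impostor, threshold):
    """Return (Type I rate, Type II rate) for an accept-if-score>=threshold rule.
    Type I  = an authorized user is rejected (false rejection).
    Type II = an impostor is accepted (false acceptance)."""
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def crossover_threshold(genuine, impostor):
    """Threshold at which the two error rates are closest (the crossover error
    rate, CER). A lower CER means a more accurate system."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        type1, type2 = error_rates(genuine, impostor, t)
        return abs(type1 - type2)

    return min(candidates, key=gap)


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.8):
        type1, type2 = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: Type I {type1:.0%}  Type II {type2:.0%}")
    cer_t = crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("crossover at", cer_t, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, cer_t))
```

A system tuned for a high-security door sits to the right of the crossover (few Type II errors, more complaints from rejected staff); a convenience deployment sits to the left.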

User Provisioning – creation, maintenance, and removal of user attributes in systems, applications, and directories.
HR database – created first and maintained by the personnel department, so it is the primary source for user identification.

Intrusion Detection System (IDS) – monitors events in real time to detect intrusion attempts via statistical or signature based analysis, and alerts administrators of a possible attack.
Intrusion Prevention System (IPS) – acts as an IDS but also has advanced capability to stop or prevent attacks.
Host Based IDS & IPS – analyzes single computers for suspicious activity using audit logs and processing irregularities.
Network Based IDS & IPS – analyzes network packets, discards dangerous traffic, and alerts administrators.
Penetration Testing – a series of steps used to bypass systems security controls to gain unrestricted access to systems and data.
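The IDS entry names two analysis methods, signature based and statistical. The block below is an added example, not code from the study sheet: it runs both over a handful of constructed authentication log lines (addresses from the 203.0.113.0/24 documentation range) and shows what each catches. The signature rules, the failure threshold and the log format are this example's own choices; a real sensor would derive the threshold from a measured baseline.

```python
import re
from collections import Counter

# Constructed authentication log lines (documentation-range addresses).
LOG_LINES = [
    "10:00:01 sshd: Accepted password for alice from 203.0.113.10",
    "10:00:05 sshd: Failed password for bob from 203.0.113.11",
    "10:00:07 sshd: Failed password for root from 203.0.113.50",
    "10:00:08 sshd: Failed password for root from 203.0.113.50",
    "10:00:09 sshd: Failed password for admin from 203.0.113.50",
    "10:00:10 sshd: Failed password for admin from 203.0.113.50",
    "10:00:11 sshd: Failed password for test from 203.0.113.50",
    "10:00:20 sshd: Accepted password for bob from 203.0.113.11",
    "10:00:30 sshd: Failed password for invalid user oracle from 203.0.113.60",
]

# Signature-based analysis: known-bad patterns, each with a rule name (constructed rules).
SIGNATURES = [
    ("root login attempt",
     re.compile(r"Failed password for root from (\S+)")),
    ("login to non-existent account",
     re.compile(r"Failed password for invalid user \S+ from (\S+)")),
]

# Statistical analysis: failures from one source beyond this count are abnormal
# (constructed threshold; derive it from a baseline in practice).
FAILURE_THRESHOLD = 4
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")


def signature_alerts(lines):
    """One alert per line matching a signature; sees only what it has a rule for."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES:
            m = pattern.search(line)
            if m:
                alerts.append({"type": "signature", "rule": name, "source": m.group(1)})
    return alerts


def statistical_alerts(lines, threshold=FAILURE_THRESHOLD):
    """One alert per source whose failure count reaches the threshold; catches
    behaviour no signature describes, at the cost of needing a sane baseline."""
    failures = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
    return [{"type": "statistical", "source": src, "failures": n}
            for src, n in sorted(failures.items()) if n >= threshold]


def analyze(lines):
    """Combined output an administrator would be alerted with."""
    return signature_alerts(lines) + statistical_alerts(lines)


if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```

Note what each method misses: the guessing against "admin" and "test" from 203.0.113.50 matches no signature and is only caught statistically, while the single "invalid user" attempt from 203.0.113.60 is far below the threshold and is only caught by a signature.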

Degaussing – returns media to its original state through magnetism.
Phishing – a social engineering attempt to gather sensitive information.
