
CISSP Access Control

Controls
  Administrative
    Policy and procedure
    Personnel controls
    Supervisory structure
    Security-awareness training
    Testing
  Physical
    Network segregation
    Perimeter security
    Computer controls
    Work area separation
    Data backups
    Cabling
    Control zone
  Technical
    System access
    Network architecture
    Network access
    Encryption and protocols
    Auditing

Types
  Preventive
  Detective
  Corrective
  Recovery
  Deterrent
  Compensating

General Concepts
  Subject - an active entity (user, program or process) that requests access to an object or to data within an object
  Object - a passive entity that contains information or needed functionality
  Access - the flow of information between a subject and an object
  Access control - the security features that control how users and systems communicate and interact with other systems and resources

Access Control Models
  Discretionary Access Control (DAC)
    Gives subjects full control of the objects they have been given access to, including sharing those objects with other subjects
    Identity-based access control
    Windows and Linux use it for their file systems
  Non-discretionary
    Mandatory Access Control (MAC)
      System-enforced control based on the subject's clearance and the object's label
      Security labels (sensitivity labels) contain a classification and a set of categories
      Categories enforce need-to-know rules
    Role-Based Access Control (RBAC)
      Uses a centrally administered set of controls to determine how subjects and objects interact
      Core RBAC
      Hierarchical RBAC

Access Control Techniques and Technologies
  Rule-based access control
  Constrained user interfaces
  Access control matrix
    Capability table - one row of the matrix: what a given subject may do to each object
    Access control list - one column of the matrix: which subjects may do what to a given object
  Content-dependent access control
  Context-dependent access control
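The three model families above (DAC with owner-driven sharing, MAC with label dominance and need-to-know categories, hierarchical RBAC) and the matrix/ACL/capability-table relationship are easier to see in code. The block below is an added example written for this page, not code from any CISSP text; the sample matrix, labels, roles and user names are constructed for illustration.

```python
"""Access-control-model sketches: an access control matrix and its ACL and
capability-table views with DAC sharing, MAC label dominance with
need-to-know categories, and hierarchical RBAC. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# --- Access control matrix (DAC): rows are subjects, columns are objects ---
# Constructed sample; "owner" is stored as a right alongside read/write.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.xlsx": {"owner", "read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"owner", "read", "write"}},
}

def capability_table(matrix, subject):
    """Row of the matrix: everything one subject may do, object by object."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}

def access_control_list(matrix, obj):
    """Column of the matrix: which subjects may do what to one object."""
    return {s: set(r[obj]) for s, r in matrix.items() if obj in r}

def dac_share(matrix, granter, grantee, obj, rights):
    """DAC: only a subject holding 'owner' on the object may hand out rights;
    the system does not otherwise constrain what the owner shares."""
    if "owner" not in matrix.get(granter, {}).get(obj, set()):
        raise PermissionError(f"{granter} does not own {obj}")
    matrix.setdefault(grantee, {}).setdefault(obj, set()).update(rights)

# --- MAC: clearance/label dominance --------------------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()   # compartments / need-to-know

def dominates(clearance: Label, label: Label) -> bool:
    """clearance dominates label iff its level is >= the label's level AND
    it holds every category the label carries (the need-to-know rule)."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.categories <= clearance.categories)

def mac_can_read(clearance, label):
    return dominates(clearance, label)   # simple security property (no read up)

def mac_can_write(clearance, label):
    return dominates(label, clearance)   # *-property (no write down)

# --- Hierarchical RBAC: senior roles inherit junior roles' permissions ----
ROLE_PERMS = {
    "employee": {("read", "handbook")},
    "engineer": {("write", "repo")},
    "lead": {("approve", "repo")},
}
ROLE_PARENTS = {"engineer": {"employee"}, "lead": {"engineer"}}
USER_ROLES = {"carol": {"lead"}, "dave": {"employee"}}

def effective_roles(role):
    """Walk the role hierarchy upward and collect every inherited role."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen

def rbac_permitted(user, action, obj):
    """Centrally administered decision: the user never holds rights directly,
    only through the roles assigned to them."""
    return any((action, obj) in ROLE_PERMS.get(r, set())
               for role in USER_ROLES.get(user, ())
               for r in effective_roles(role))
```

The same matrix answers both "what can alice do?" (capability table) and "who can touch memo.txt?" (ACL); the difference is only which axis the system stores and searches. Note that MAC refuses a secret-cleared subject with no compartments access to a secret object in the "crypto" category, which is exactly what categories are for.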


Access Control Administration
  Centralized
    RADIUS - Remote Authentication Dial-In User Service
    TACACS - Terminal Access Controller Access Control System
    DIAMETER
  Decentralized

Security Principles
  Confidentiality
  Integrity
  Availability

Identification
  Identity Management
    Directory
    Web Access Management
    Password Management
      Password synchronization
      Self-service password reset
      Assisted password reset
    Legacy single sign-on
    Account Management
    Profile Update
  Provisioning
    Authoritative System of Record (ASOR)
    Identity repository
    User provisioning - the creation, maintenance and deactivation of user objects and attributes as they exist in one or more systems, directories or applications, in response to business processes
  Federation
    Federated identity - a portable identity, and its associated entitlements, that can be used across business boundaries; allows the user to be authenticated across multiple IT systems and enterprises

Authentication
  Something you know - authentication by knowledge
    Password
      Attacks: electronic monitoring, access to the password file, brute force, dictionary, social engineering, rainbow tables
      Countermeasures: clipping level, password hashing and encryption, password aging, limit logon attempts
    Cognitive passwords - fact- or opinion-based information used to verify an individual's identity
    Passphrase
    PIN
    Lock combination
  Something you have - authentication by ownership
    One-time passwords
      Token device
        Synchronous - time based or counter based
        Asynchronous
    Cryptographic keys
    Memory cards
    Smart cards - contact, contactless
    Key, swipe card, badge
  Something you are - authentication by characteristic (biometrics)
    Biometric types: fingerprint, palm scan, hand geometry, retina scan, iris scan, signature dynamics, keystroke dynamics, voice print, facial scan, hand topography
    Type I error - false rejection rate (FRR)
    Type II error - false acceptance rate (FAR)
    Crossover error rate (CER) - the point at which FRR equals FAR; also called the equal error rate (EER); a lower CER is better
    Processing speed - time from when the user presents the sample until an accept or reject response; should take 5-10 seconds
  Strong authentication - two-factor or multi-factor authentication
  Single Sign-On
    Kerberos
      Key Distribution Center (KDC)
      Ticket
      Ticket Granting Service (TGS)
      Principals
      Authentication process
      Weaknesses: single point of failure (the KDC); must handle requests in a timely manner; secret keys stored on user workstations; session keys decrypted on user workstations; vulnerable to password guessing; network traffic is not protected unless encryption is enabled; short keys are vulnerable to brute force attacks; client and server clocks must be synchronized
    SESAME - Secure European System for Applications in a Multi-vendor Environment
    Security domains - resources within a logical structure that work under the same security policy and are managed by the same group
    Directory services
    Thin clients

Authorization
  Access criteria: roles, groups, physical or logical location, time of day, transaction-type restrictions
  Principles
    Security audits
    Need-to-know access
    Default to no access
    Authorization creep

Accountability
  Logical access controls - technical tools used for identification, authentication, authorization and accountability
  Security assessments
  Race condition - when processes carry out their tasks on a shared resource in an incorrect order

Practices
  Unauthorized disclosure of information
    Object reuse
    Emanation security: TEMPEST, white noise, control zone
  Monitoring
    Intrusion Detection System
      Network-based
      Host-based
      Knowledge-based (signature-based)
      State-based
      Statistical anomaly-based
      Protocol anomaly-based
      Traffic anomaly-based
      Rule-based
    Intrusion Prevention System
    Honeypot
    Network sniffers
  Assessment
    Penetration testing
      Zero-knowledge (black box)
      Full-knowledge (crystal box)
      Partial-knowledge
      Social engineering
      Methodology: planning, reconnaissance, scanning (enumeration), vulnerability assessment, exploitation, reporting
    Vulnerability testing
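The Monitoring branch separates knowledge-based (signature) detection from statistical anomaly-based detection. The block below runs both over the same constructed web-server log so the difference in what each one catches is concrete. It is an added example written for this page, not code from any IDS product; the log lines, the signature patterns, the per-source request-rate baseline and the three-sigma threshold are all constructed for illustration.

```python
"""Two IDS detection styles over one constructed Apache-style access log:
knowledge (signature) matching on request content, and a statistical
anomaly check on per-source request rate against a learned baseline."""
import re
import statistics
from collections import Counter

# Constructed sample log: three quiet clients, one attacker sending two
# known-bad requests, and one client flooding 54 ordinary-looking requests.
LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 734
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /login HTTP/1.1" 200 221
10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /search?q=' OR 1=1-- HTTP/1.1" 200 980
""" + "".join(
    f'203.0.113.4 - - [12/Mar/2024:10:00:{s:02d} +0000] "GET /page{s} HTTP/1.1" 200 100\n'
    for s in range(6, 60)
)

# Constructed baseline: requests per source in earlier, known-good minutes.
BASELINE_REQUESTS_PER_SOURCE = [2, 3, 2, 4, 3, 2, 3, 3, 2, 4]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>.*?) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$'
)

def parse(log: str):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

# Knowledge-based: patterns for attacks already known to the analyst.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
}

def signature_alerts(events):
    """Fire once per (source, signature) hit on the request path."""
    return [(e["ip"], name)
            for e in events
            for name, rx in SIGNATURES.items()
            if rx.search(e["path"])]

def anomaly_alerts(events, baseline, sigmas: float = 3.0):
    """Flag any source whose request count exceeds mean + sigmas*stdev of
    the baseline. No knowledge of attacks is needed, only of 'normal'."""
    threshold = statistics.mean(baseline) + sigmas * statistics.stdev(baseline)
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n > threshold}
```

Run against the sample, the signature engine reports only 10.0.0.7 (traversal and SQL-injection tautology) and is blind to the flood, because each flooded request is individually harmless; the anomaly engine reports only 203.0.113.4 and is blind to the two malicious requests, because two requests is a normal rate. That complementarity is why the two approaches are usually deployed together.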
