CISSP Access Control
Who develops and keeps track of all the standardized languages?
The Organization for the Advancement of Structured Information Standards (OASIS)
Type II error
(False acceptance rate) when a biometric system accepts imposters who should be rejected
Type I error
(False rejection rate) when a biometric system rejects an authorized individual
What is a Distinguished Name (DN) made of?
- Common Name (cn) - Domain Component (dc)
What are some techniques used for Administrative Access Control?
- Effective Hiring and Termination Practices: background checks before hiring and revocation of user accounts and network access permissions when firing - Data Classification: helps protect confidential data by categorizing it based on the level of sensitivity - Work Supervision and Reviews - Separation and Rotation of Duties
When is Revocation of an entity's access control required?
- Employee Termination: the employee's account should be disabled, passwords for equipment should be changed, and access to system accounts needs to be removed. This process can be manual because employee termination is usually predetermined - Intrusion Detection: when some information entering a system is considered hostile, the source of info is restricted from entering the system... in this case, dynamic revocation of access control takes place in order to detect the intrusion attack
What are the three things that you need to do to implement proper access control? (fourth is helpful)
- Identify a user (present username and password) - Authenticate the user (compare username and password to see if it matches the user's information stored in the system) - Authorize the user to access resources (based on the access rights and permissions granted to the user, the user is permitted to access the resources) - Accountability
What specific types of controls do Physical Access Controls include?
- Network Segregation - Perimeter Security - Computer Controls - Work Area Separation - Data Backups - Cabling
What are some examples of situations in which an organization could protect itself using access controls?
- Nonemployees accessing network resources - Employees accessing the organization's complete information including trade secrets - Employees using confidential information for personal gain - Employees performing unauthorized modifications of data
What specific types of controls do Administrative Access Controls include?
- Policies and Procedures - Personnel Controls - Supervisor Structure - Security Awareness Training - Testing
What are the main goals of Identity Management?
- Streamline the management of identity, authentication, authorization - The auditing of subjects on multiple systems throughout the enterprise
What specific types of controls do Technical Access Controls include?
- System Access - Network Architecture - Network Access - Encryption and Protocols - Control Zone - Auditing
Three Main Categories for Maintaining Access Control
- Technical - Administrative - Physical
What needs to be known for authorization to occur?
- The Principle of Least Privilege - The Separation of Duties and Responsibilities - The Users, Data Owners, and Custodians
What are the four rules associated with the X.500 standard?
- The directory has a tree structure to organize the entries using a parent-child configuration - Each entry has a unique name made up of attributes of a specific object - The attributes used in the directory are dictated by the defined schema - The unique identifiers are called distinguished names
Creating or issuing secure identities should include what three aspects?
- Uniqueness: identifiers must be specific to an individual - Nondescriptive: neither piece of the credential set should indicate the purpose of that account - Issuance: another entity should be able to provide identity (like a drivers license from the State)
What is a Digital Identity made of?
1. Attributes: department, role in company, shift time, clearance, etc 2. Entitlements: resources available to user, authoritative rights in the company, etc 3. Traits: biometric information, height, sex, etc
What is the two step process for authentication?
1. Enter public information for identification (username, employee number, account number, dept ID) 2. Enter private information (statis password, smart token, cognitive password, onetime password, PIN, or digital signature)
What are the two main issues with passwords?
1. Help-desk workers and administrators have to spend a lot of time resetting passwords when users forget them 2. Users are required to remember many if there are different platforms on the network
What are the main barriers to the acceptance of biometric devices?
1. It's the most expensive way of verifying a person's identity 2. It's creepy 3. It takes a while to set up 4. Reading may require several attempts (which can be annoying)
What are three password management technologies that can help provide a more secure and automated password management system?
1. Password Synchronization: one password for all systems 2. Self-Service Password Reset: alternative authentication pieces and personal questions or account registration info and email to another email account 3. Assisted Password Reset: password management tool that identifies and authenticates a user before resetting the password
Where are cookies placed?
A cookie can be in the format of a text file stored on the user's hard drive (permanent) or it can be only held in memory (session)... if the cookie contains any type of sensitive information, then it should only be held in memory and be erased once the session has completed
What is the difference between signature dynamics and a digitized signature?
A digitized signature is just a digital copy of someone's signature. It doesn't include other information besides what is visible.
When would you like to have a balance with more Type I errors or Type II errors?
A military institution that is very concerned about confidentiality would be prepared to accept a certain number of Type I errors, but would absolutely not accept any false accepts (Type II errors)
How is a retina scanned and used to authenticate an individual?
A system that reads a person's retina scans the blood-vessel pattern of the retina on the backside of the eyeball. The pattern has been shown to be extremely unique. A camera is used to project a beam inside the eye and capture the pattern and compare it to a reference file recorded previously
How are facial scans read and used to authenticate an individual?
A system that scans a person's face takes many attributes and characteristics into account: bone structures, nose ridges, eye widths, forehead sizes, and chin shapes
How is Accountability sorted out with regards to user authorization?
After the user is authorized to access a resource, the user is accountable for all tasks performed by the user using the resource
Why is obtaining a 100% match difficult to do?
Biometric systems are sensitive. A smudge on the reader or oil on the person's finger are examples of things that can cause issues and imperfect matches
Why is CER important? Wouldn't you just want a device that catches lots of bad guys?
CER is important because a low type II error rate can come at the expense of productivity
How are voice prints read and used to authenticate an individual?
During the enrollment process, an individual is asked to say several different words. Later, when this individual needs to be authenticated, the biometric system jumbles these words and presents them to the individual. The individual then repeats the sequence of words given.
How is a fingerprint read and used to authenticate an individual?
Fingerprints are made up of ridge endings and bifurcations exhibited by friction ridges and other detailed characteristics called minutiae... it is the distinctivenes of these minutiae that gives each individual a unique footprint
What are some techniques used for Physical Access Control?
Guards, fences, motion detectors, door and window locks, cable sheathes, computer locks, swipe cards and badges, guard dogs, video cameras, and alarms
How is hand topography read and used to authenticate an individual?
Hand topography looks at the different peaks and valleys of the hand, along with its overall shape and curvature. To be authenticated the person places the hand on the system. Off to one side of the system, a camera snaps a side-view picture of the hand. It's commonly used in conjunction with hand geometry
What is the most accurate biometric system?
Iris scans are the most accurate. The iris remains constant through adulthood, which reduces the type of errors that can happen during the authentication process. Sampling the iris offers more reference coordinates than any other type of biometric. Mathematically, this means it has a higher accuracy potential than any other type of biometric.
What does Account Management Software do?
It automates the workflow of account management and gives an administrator the ability to manage user accounts across multiple systems (and directories); it reduces potential man-made errors and logs each step, including approval... which brings accountability into the system
How are keystroke dynamics read and used to authenticate an individual?
Keystroke dynamics captures electrical signals when a person types a certain phrase. As a person types a specified phrase, the biometric system captures the speed and motions of this action. It is much harder to repeat a person's typing style than it is to acquire a password
How is a palm scan read and used to authenticate an individual?
The palm has creases, ridges, and grooves throughout that are unique to a specific person. The palm scan also includes the fingerprints of each finger
What type of biometric system provides more accuracy: behavior (signature dynamics) or physical attributes (iris, retina, fingerprint)?
Physical attributes, because they typically don't change and are harder to impersonate than an individuals behaviors, which can also change over time
Why is processing speed important when it comes to biometric devices?
Processing speed directly affects the length of time it takes to authenticate users. From the time a user inserts data until she receives an accept or reject response should take five to ten seconds
What are the downsides to SSO?
Since most environments aren't homogeneous in devices and applications, it makes it more difficult and expensive to implement. Security-wise, it also means there's a single point of failure... if an attacker breaks into the one location with the username and password, they could do whatever they wanted with the company's assets
How can you prevent criminals from using a body signature that isn't living?
Some systems will check for the pulsation and/or heat of a body part to make sure it's alive.
When two companies have security domains that trust each other either mutually or one way, there are two terms: producer of assertions and consumer of assertions... what do they mean?
The company that is sending the authorization data is referred to as the producer of assertions and the receiver is called the consumer of assertions (ex: if Bob logs into a car inventory application, his identity is authenicated, and he is given the authority to order tires and windshield wipers, etc. The application company is the producer of assertions and the tire company is the consumer of assertions)
How is an iris scanned and used to authenticate an individual?
The iris is the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows. The uniqueness of each of these characteristics within the iris is captured by a camera and compared with the information gathered during the enrollment phase.
What is a more accurate biometric device: one that has a CER of 3 or one with a CER of 4?
The one with the CER of 3 is more accurate... the lower the CER, the more accurate the device
How are signature dynamics read and used to authenticate an individual?
The physical motions performed when someone is signing a document create electrical signals that provide unique characteristics that can be used to distinguish one individual from another. Characteristics include: the speed of signing, the way the person holds the pen, and the pressure the signer exerts to generate the signature.
How is hand geometry read and used to authenticate an individual?
The shape of a person's hand (the shape, length and width of the hands and fingers) defines hand geometry. This trait differs significantly between people. A person places her hand on a device that has grooves for each finger. The system compares the geometry of each finger, and the hand as a whole, to the information in a reference file to verify that person's identity
What are the issues involved in balancing a user's level of access control?
Too much access to resources opens the company up to potential fraud and other risks. Too little access means the user cannot do his job
What are the most dangerous types of errors: Type I or Type II?
Type II
How do you combine the different access controls to create a secure environment?
Use them as multiple layers of defense: an asset is surrounded by administrative access controls, which is surrounded by technical access controls, which is finally surrounded by physical access controls
What does Web Access Management (WAM) do?
WAM software controls what users can access when using a web browser to interact with web-based enterprise assets... WAM software is the main gate between users and the corporate web-based resources... it is commonly a plug-in for a web server and it usually offers single sign-on. After the user is authenticated, a cookie is used to indicate what services she should be allowed to have access to
How does logging into a Windows account typically work?
You log into a domain controller (DC), which has a hierarchical directory in its database. The database is running a directory service (Active Directory), which organizes the network resources and carries out user access control functionality. Once you successfully authenticate to the DC, certain network resources become available (print, file server, email server, etc) as dictated by the configuration of AD.
What does Single Sign-On do?
You only have to provide your credentials once and the continual validation that you have the necessary cookie will allow you to go from one resource to another
What format and protocol do most directories follow?
a hierarchical database format, based on the X.500 standard, and Lighweight Directory Access Protocol (LDAP)
Object
a passive entity that contains information (Ex: computer, database, file, computer program, directory, or filed contained in a table within a database)
Cognitive Password
a password based on a user's opinion or life experience (ex: mother's maiden name, favorite color, dog's name)
Federated Identity
a portable identity, and its associated entitlements, that can be used across business boundaries; it allows a user to be authenticated across multiple IT systems and enterprises; based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information (a key to e-commerce)
SSO (Single Sign-On)
a technology that allows a user to authenticate one time and then access resources in the environment without needing to re-authenticate; SSO software intercepts the login prompts from network systems and applications and fills in the necessary identification and authentication info (username and password) for the user
Markup Language
a way to structure text and how it will be viewed; it controls how it looks and some of the actual functionality the page provides (ex: HTML and XML)
Subject
an active entity that requests access to an object or the data within an object (Ex: user, program, or process)
Biometrics
an expensive, complex, effective, and accurate method of verifying identification; it analyzes a unique personal attribute or behavior
SPML (Service Provisioning Markup Language)
derivative of XML that allows company interfaces to pass service requests, and the receiving company allows access to these services
Strong Authentication
contains two out of these three methods: something a person knows, has, or is
Account Management
creating user accounts on all systems, modifying the account privileges when necessary, and decommissioning the accounts when they are no longer needed
What does a Meta-Directory do?
it gathers the necessary information from multiple sources and stores them in one central directory... this provides a unified view of all users' digital identity information throughout the enterprise. it synchronizes itself with all of the identity stores periodically to ensure the most up-to-date information is being used by all applications and IdM components within the enterprise
What does a Virtual Directory do?
it plays the same role as a Meta-Directory, but it doesn't actually gather and store the information. it just points to where the actual data resides
CER (Crossover Error Rate) (aka EER (Equal Error Rate))
stated as a percentage and represents the point at which the false rejection rate equals the false accceptance rate; it is the most important measurement when determining a system's accuracy
User Provisioning
the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
Access Control
the first line of defense for computers, networks, and data, providing mechanisms for protection against unauthorized access (Ex: prompting a user to provide a username and password). Access Controls help implement access rights and permissions by specifying which subjects can have access to objects and the actions subjects can or cannot perform... this ensures the authorized access of objects by authorized subjects. It also ensures the confidentiality, integrity, and availability of information. It is embedded into operating systems, applications, and devices.
Verification 1:N
the measurement of a single identity compared against multiple identities
Verification 1:1
the measurement of an identity against a single claimed identity
Data Owners
the people who classify data and determine access controls for proper data handling
Data Custodians
the people who take care of data backups according to the instructions provided by the data owners
Separation of Duties and Responsibilities
the principle that requires that a single individual is not solely responsible for performing a set of transactions
Access
the process of subjects (users, programs, computers, files, and databases) receiving information from objects
Data Users
the subjects that require objects to perform tasks
What are Control Zone Controls?
these are both technical and physical controls that protect network devices emitting electrical signals so that confidential information does not leak out through airwaves
What are Network Segregation Controls?
these are controls, implemented by physical and logical access means, that separate employee workstations and computers, database work areas and servers, and work areas used to interact with routers and switches. The controls control entry and exit to the network.
What are Encryption and Protocol Controls?
these are technical controls that provide the confidentiality and integrity of information flowing within a network and ensure that only authorized users have access to information and unauthorized modifications do not take place
What are Computer Controls?
these controls are implemented to prevent the theft of computer parts and the removal of floppy disks and CD-ROMs to prevent the copying of confidential information
What are Network Architecture Controls?
these controls are put in place when you logically segment a network to provide segregation and protection to an environment and control communication among different segments.
What are Supervisor Structure Controls?
these controls define the hierarchy of employees in the organization, which defines the supervisors to whom each employee has to report, and they also hold the supervisor responsible for the employee's actions
What are Policy and Procedure Controls?
these controls define the the high-level plan for implementing security, which includes the actions not acceptable and the level of risk acceptable by the organization
What are Network Access Controls?
these controls determine which subjects can enter a network and access objects and what actions subjects can perform after authentication. Each entity on the network, such as routers, switches, NICs, and bridges have logical controls associated with them
What are Cabling Controls?
these controls ensure that cables are protected from electrical interference, crimping, and sniffing by sheathes
Administrative Controls
these controls ensure the fulfillment of security goals by supporting procedures, standards, and guidelines.
What are Security Awareness Training Controls?
these controls help educate employees about access control usage... the employees are the weakest link in the security chain of an organization, so educating them is very important
What are Data Backup Controls?
these controls help information access in case of system failures or natural disasters
What are Work Area Separation Controls?
these controls help restrict access to specific areas of a facility such as research laboratories, server rooms, and wiring closets
What are System Access Controls?
these controls indicate how resources are accessed on a system. They include Kerberos, Mandatory Access Control (MAC) architecture, and Discretionary Access Control (DAC) architecture.
What are Personnel Controls?
these controls state the expected behavior of employees when they deal with the organization's resources and the ramifications in case of noncompliance
What are Testing Controls?
these controls test other access controls to help check their effectivenesss in supporting the security policy of the organization
What are Auditing Controls?
these controls track activities within a network or on a specific computer to help identify security breaches
What are Perimeter Security Controls?
these controls vary according to an organization's requirements and help protect individuals, facilities, and components within facilities
Technical Access Controls
these types of access controls are also known as logical controls. They include software tools to restrict the access of subjects to objects to protect objects from unauthorized access and ensure the confidentiality, integrity, and availability of resources. They form part of operating systems, applications, devices, protocols, encryption mechanisms, and add-on security packages.
Accountability
this links users to their actions. It supports identification because actions can be traced back to users and it helps detect intrusions, reconstruct events, and produce problem reports that help recover from unexpected control failures. It is performed by recording user activities, including system-level events, application-level events, and user-level events, in log files and using audit trails.
Principle of Least Privilege
this principle lists the minimum set of privileges that a user needs to have to perform a job according to his role. It is implemented when authorizing a user
Identity Management (IdM)
using different products to identify, authenticate, and authorize users through automated means; requires management of uniquely identified entities, their attributes, credentials, and entitlements