Class 2:
Access control
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
CISSP Essentials:
Mastering the Common Body of Knowledge
CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials
Class 2 Quiz:
www.searchsecurity.com/Class2quiz
Class 2 Spotlight:
www.searchsecurity.com/Class2spotlight
Description
Preventative
Detective
Corrective
Deterrent
Recovery
Compensation
Control combinations
Detective Administrative
Job rotation
Sharing responsibilities
Inspections
Incident response
Use of auditors
Detective Technical
IDS
Reviewing audit logs
Reviewing violations of clipping levels
Forensics
Detective Physical
Password
Smart card
Examples
Biometrics
Token devices
Synchronous and asynchronous devices
Memory cards
Smart cards
Cryptographic keys
Private key
Example:
System with a CER of 4 has greater accuracy than a system with a CER of 5
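The crossover error rate (CER) is the point where a biometric system's false acceptance rate (FAR) and false rejection rate (FRR) are equal as the sensitivity threshold is varied; the lower the CER, the more accurate the system. The following added example (not from the slides) shows how that point is found from sampled FAR/FRR curves and how two systems are compared by it. The two error-rate tables are constructed to reproduce the slide's "CER of 4 vs. CER of 5" comparison; the column values are illustrative, not measurements of any real product.

```python
# Worked CER example: constructed FAR/FRR samples for two hypothetical
# biometric systems. Each row is (threshold, FAR %, FRR %). As the
# threshold tightens, FAR falls and FRR rises; the crossover is the CER.
SYSTEM_A = [(1, 10, 0), (2, 7, 1), (3, 5, 3), (4, 4, 4), (5, 2, 6)]
SYSTEM_B = [(1, 12, 0), (2, 9, 2), (3, 6, 4), (4, 4, 6), (5, 2, 9)]


def crossover_error_rate(points):
    """Return (threshold, cer_pct) where FAR == FRR.

    Walks adjacent sampled points and linearly interpolates between
    the pair where FAR - FRR changes sign, so the crossover need not
    fall exactly on a sampled threshold.
    """
    pts = sorted(points)
    for (t0, far0, frr0), (t1, far1, frr1) in zip(pts, pts[1:]):
        d0 = far0 - frr0
        d1 = far1 - frr1
        if d0 == 0:                       # crossover lands on a sample
            return (float(t0), float(far0))
        if d0 > 0 and d1 <= 0:            # sign change between samples
            frac = d0 / (d0 - d1)
            t = t0 + frac * (t1 - t0)
            far = far0 + frac * (far1 - far0)
            return (float(t), float(far))
    last = pts[-1]
    if last[1] == last[2]:
        return (float(last[0]), float(last[1]))
    raise ValueError("FAR and FRR do not cross within the sampled thresholds")


def more_accurate(name_a, points_a, name_b, points_b):
    """Name the system with the lower CER (ties report both)."""
    cer_a = crossover_error_rate(points_a)[1]
    cer_b = crossover_error_rate(points_b)[1]
    if cer_a < cer_b:
        return name_a
    if cer_b < cer_a:
        return name_b
    return f"{name_a} and {name_b} are equally accurate"


if __name__ == "__main__":
    for name, pts in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover_error_rate(pts)
        print(f"System {name}: CER {cer:.1f}% at threshold {t:.1f}")
    print("More accurate:", more_accurate("A", SYSTEM_A, "B", SYSTEM_B))
```

Note that CER alone says nothing about which error matters more for a given deployment: a system protecting a data center is usually tuned to the left of its crossover (lower FAR, higher FRR), while a convenience application may accept more false acceptances to reduce user friction.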
Description
Fingerprint
Finger scan
Palm scan
Hand geometry
Retina scan
Iris scan
Signature dynamics
Keyboard dynamics
Voice print
Facial scan
Hand topology
Smart card
Smart card characteristics
Tamperproof device
Reader purchase
Card generation and maintenance
Different technologies
Single sign-on methods
Scripts
Directory services
Thin clients
Kerberos
SESAME
Realm
All principals that a specific KDC is responsible for
A KDC can be responsible for one or more domains
Similar to Microsoft's concept of a domain or zones within DNS servers
Model Types
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
RADIUS characteristics
Remote Authentication Dial-In User Service (RADIUS)
AAA protocol
Authentication, authorization, auditing
Works on a client/server model
TACACS+ Characteristics
TACACS+
Terminal Access Controller Access Control System (TACACS)
Splits authentication, authorization and auditing features
Diameter characteristics
Diameter
New and improved RADIUS
Open source protocol for all to use and integrate
RADIUS is limited in its methods of authenticating users
IDS
Network-based IDS
Monitors traffic on a network segment
Computer or network appliance with NIC in promiscuous mode
Host-based IDS
Small agent programs that reside on individual computers
Types of IDSes
Signature-based
Also called knowledge-based
IDS has a database of signatures, which are patterns of previously identified attacks
Behavior-based
Statistical or anomaly-based
Creates many false positives
Better defense against new attacks
Compares audit files, logs and network behavior, and develops and maintains profiles of normal behavior
Behavioral-based IDS
Statistical
Setting of a threshold for certain activities
Once the threshold is exceeded, an alert is released
For example:
Anomaly-based
Identification of abnormal behavior based on a profile of normal behavior
www.LogicalSecurity.com
ShonHarris@LogicalSecurity.com