NOTE: These notes have not been updated since I took the test many years ago.
To perform a more up to date study for your CISSP exam, I suggest buying the Shon Harris Book.
DOMAIN 1 – ACCESS CONTROL
Access control protects the systems and resources from unauthorized access, and, usually determines the level of authorization.
Access control consists of the following primary areas:
The last three of these are largely comprised of ‘logical access controls’.
Biometrics: Very sophisticated and accurate, but expensive.
Type 1 error: false rejection.
Type 2 error: false acceptance.
Other barriers to widespread adoption of biometrics include user acceptance, enrollment time and throughput (and money).
Collected biometric images are stored in a corpus.
The (descending) order of effectiveness and acceptance for biometric devices:
Order of Effectiveness Order of Acceptance
Palm scan Iris scan
Hand geometry Keystroke dynamics
Iris scan Signature dynamics
Retina pattern Voice verification
Fingerprint Facial recognition
Voice verification Fingerprint
Facial Recognition Palm scan
Signature Dynamics Hand Geometry
Keystroke Dynamics Retina Pattern
Three factors (types) of authentication are something you know, have, or are.
Strong authentication requires two of these (two-factor authentication).
Passwords are the most commonly used, but also considered one of the weakest.
Key terms: password, pass phrase, virtual password, cognitive password.
There are two types of one-time passwords – synchronous and asynchronous.
Synchronous – Token device synchronizes (shares same secret key) with authentication server via a time-based or event-based synchronization.
Asynchronous – Uses a challenge-response scheme to communication with the authentication server.
Other authentication mechanisms:
- Private Key – digitally signing a message.
- Pass phrase – transformed into a virtual password.
- Memory card – holds information but does not process it. Example ATM card.
- Smart card – capabilities of memory card plus it can actually process information.
The system knows who you are (authentication) and must now decide if you are permitted to carry out the requested actions (authorization).
Access criteria types can be broken up into:
- Physical or logical (network) location
- Time of day
- Transaction type
All access criteria should default to “no access”.
Need to know principle:
- Management’s job is to determine the need-to-know.
- Administrator job is to configure access control and security mechanisms to fulfill the need-to-know requirements.
Single Sign-on Mechanisms:
Scripting: Batch files automate authentication process, but may contain logon credentials (userID and password). Insecure. High maintenance maintaining scripts.
Kerberos is a single sign-on system that uses symmetric key cryptography (DES) and end-to-end encryption. Kerberos eliminates the need for transmitting passwords over the network. In order to implement Kerberos, all software in use me be Kerberos compatible or, “kerberized”. The components of Kerberos are:
KDC: Key distribution center. Holds user’s and services’ keys. The foundation of Kerberos is the client and server’s trust in the KDC. The KDC actually consists of a ticket granting service and authentication server.
Principals: Entities requiring KDC services – users, apps or services. The KDC and each principal share a secret key.
Ticket: Tickets are created by the KDC and given to a principle when that principle needs to authenticate to another principle.
Realm: A “realm” is the set of components and principles that the KDC provides services for.
AS: Authentication service – this is part of the KDC.
Kerberos Authentication Process:
The client trusts the KDC and the services trust the KDC due to their secret keys. An overview of the process when a client wants to use a service via Kerberos is:
- The client sends its user id and the name of the requested service to the KDC.
- The KDC provides a session key for the client and service to use. One is encrypted with the user secret key and the other with the service secret key.
- The KDC generates a service ticket containing both session keys. This ticket is sent back to the client. The user enters their password and if the password is correct, the client converts it into the necessary key to decrypt the client session key in the ticket.
- The client decrypts the client portion of the ticket to get the session key and sends the ticket on to the service. The service uses its own private key to decrypt the session key.
- The user and service are now authenticated to each other and communicate with encrypted data via the session key.
Secret key: Shared between KDC and a principle.
Session key: Shared between two principles.
Kerberos has a number of weaknesses that make it vulnerable to attack. Some of these are:
- The KDC is a single point of failure.
- The secret keys are temporarily stored on user’s workstations, in memory, etc.
- Session keys are decrypted and reside on user’s workstations.
- Vulnerable to password guessing.
- Does not protect network traffic unless encryption is enabled.
- When a user changes password, the KDC database needs to be updated with a new corresponding secret key.
- Replay attacks can be used against Kerberos.
Secure European System for Applications in a Multi-user Environment. Sesame is a single sign-on system designed to address some of the weaknesses in Kerberos. It uses public key cryptography for the distribution of secret keys and supports MD5 and CRC32 hashing. SESAME is also vulnerable to password guessing. Sesame uses the Needham-Schroeder protocol.
No local processing. User must authenticate to the network just to be able to use the computer/terminal.
KryptoKnight is another single sign-on protocol similar to Kerberos.
Provides the following security services:
- Key Distribution
- Data Privacy
- Data Integrity
- Single Sign-On
Although the services provided are essentially the same as Kerberos, some differences are:
- KryptoKnight uses a hash function for authentication.
- KryptoKnight uses nonces for challenges instead of timestamps.
- Any network entity may initiate the protocol.
ACCESS CONTROL MODELS
An access control model is a framework that dictates how subjects access objects. There are three main types of access control model: mandatory access control, discretionary access control and role-based access control.
Discretionary (DAC): The creator of a file is the ‘owner’ and can grant ownership to others. Access control is at the discretion of the owner. Most common implementation is through access control lists. Discretionary access control is required for the Orange Book “C” Level.
Mandatory (MAC): Much more structured. Based on security labels and categories. Access decisions are based on clearance level of the data and clearance level of the user, and, classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book “B” Level.
Role-Based (RBAC): (nondiscretionary access control) continually administered set of controls by role within organization. Roles are tighter controlled than groups. A user can only have one role. RBAC is best suited for companies with a high turnover rate.
Three step process for administering RBAC access control:
- System/information owners make decisions about rights and permissions (not the systems administrators).
- System/Network administrator (data custodian) actually creates the roles and functions on behalf of owners.
- Security administrator assigns rights to the roles.
Can use different types of RBAC:
Role-based: User’s role within organization.
Task-based: Specific task assigned to the user.
Lattice-based: Determined by the sensitivity level assigned to the role. Provides an upper and lower bound of access capabilities for every subject and object relationship.
Access Control Techniques and Technologies:
Once a company decides on the access control model to use, the technologies and techniques to implement that model need to be determined:
Role-based: Can be used with DAC – NT Groups.
Can be used with MAC – Labels assigned to roles.
Rule-based: Router or firewall rules – user cannot change.
- Menus and shells
- Database views
- Physically constrained interfaces.
Access Control Matrix:
Table of subjects and objects indicating access.
Specifies the access a certain subject has to specific objects. Corresponds to a row in the access control matrix. Bound to subject.
Access Control Lists:
Bound to object. List of subjects authorized to access a specific object, and, the level of access/authorization.
Database views are a good example – access is based on the data content itself.
Access is based on location, time of day, previous access history, etc.
Access Control Administration:
Access control administration is either centralized, decentralized or a hybrid of the two.
Examples of centralized access control technologies include:
RADIUS: Remote Authentication Dial-In User Service. Usually used for dialup. Access server requests user login credentials and forwards to a backend RADIUS server. Can add callback function for additional security.
TACACS: Terminal Access Controller Access Control System. There are several types of TACACS:
- TACACS: Combines its authentication and authorization processes. Passwords are static.
- XTACACS: Separates authentication, authorization and accounting processes.
- TACACS+: XTACACS with two-factor user authentication. Supports token authentication.
Security Domain: A security domain is defined as a “realm of trust”. Subjects and objects share common security policies and procedures and are managed by the same system. Also used within operating systems and applications to protect system files or processes.
Access Control Methods:
There are three broad categories of access control layers:
- Administrative, Technical, and Physical
Policies and procedures: Guidelines + standards + baselines
Personnel controls: Hiring, firing, promotions, transfers, separation of duties, rotation of duties, forced vacation.
Supervisory structures: Clear lines of reporting.
Security Testing: Drills, penetration testing, queries to employees, interviews, reviews.
- Network segregation.
- Perimeter security.
- Computer controls.
- Work area separation.
- Data backups.
Logical (Technical) Controls:
System Access – See previous access control mechanisms.
Network architecture – Logical controls can provide segregation and protection of an environment. I/P address ranges, subnets, routing between networks, etc
Network Access – Logical network access controls – routers, switches, NICs, bridges.
Encryption and Protocols
Control Zone – Technical and physical control. Surrounds and protects network devices that emit electrical signals. TEMPEST related.
Access Control Types
Each control method can also perform different functionality. The functionality types are:
- Policies and procedures, effective hiring practices, background checks, data classification, security awareness training.
- Biometrics, badges, swipe cards, guards, dogs, motion detectors, fences, mantraps, locks and alarms.
- Passwords, biometrics, smart cards, encryption, call-back systems, database views, antivirus software, ACLs, firewalls, IDS
Accountability: Auditing capabilities ensure that users are held accountable for their actions, verify that policies are enforced, deter improper actions and are an investigative tool.
There are 3 main types of audit tools:
- Audit reduction
- Variance detection
- Attack-signature detection
Audit data must be protected from unauthorized viewing and modification.
Access Control Practices:
The following tasks should be carried out regularly:
- Deny access to undefined or anonymous accounts
- Limit and monitor administration accounts
- Suspect access after a number of failed logins
- Remove accounts as soon as someone leaves an organization.
Format Access Control Models:
Bell LaPadula: The Bell LaPadula model is built on state machine concepts and focuses on confidentiality. The objective of this model is to ensure that the initial state is always secure and that transitions always result in a secure state. Bell LaPadula defines a secure state through 3 multilevel properties:
Simple Security Policy: No read up – a lower level subject cannot read a higher level object (protects confidentiality).
Security * (star) property: No write down – do not allow confidential information to be written to a local level, where a lower level subject can view it.
Discretionary Security Property: Uses a discretionary access control matrix to manage exceptions.
Biba Model: The Biba model is lattice-based and focuses on integrity more than confidentiality. Biba specifies the following three axioms:
Simple Integrity Axiom: No read down. A higher level subject cannot read information from a lower level. This prevents higher level reports and data being corrupted by lower level (and less trustworthy) information.
Integration * (Star) Axiom: No write up. A subject cannot write data above its security level – higher level data might be compromised by lower level, less trustworthy data.
A subject at one integrity level cannot invoke a subject at a higher integrity level.
Clark-Wilson Model: This model has emphasis on integrity – both internal and external consistency. Clark-Wilson uses well formed transactions, separation of duties and the labeling of subjects and objects with programs to maintain integrity. Security properties are partly defined through five certification rules, suggesting the check that should be conducted so that the security policy is consistent with the application requirements.
CDI – Constrained Data Item: A data item whose integrity must be preserved.
IVPS – Initial Verification Procedures: Confirm that all CDIs are in a valid integrity state when the IVP is run.
TP – Transformation Procedure: Manipulates the CDIs through a well-formed transaction, which transforms a CDI from one valid integrity state to another.
UDI – Unconstrained Data Item: Data items outside of the control area such as input information.
Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the UDI and perform no transaction at all.
Unauthorized disclosure of information:
There are several ways in which information can be inadvertently disclosed. The follow items are related to information disclosure:
Object Reuse: Reassigning media to a subject when media might still contain some residual information. Make sure media is cleaned. Degaussing works best. Object reuse controls are required for TCSEC B2 and above.
Emanation: Picking up radiation emitted by devices. TEMPEST is very expensive.
Some alternatives are:
White Noise – Uniform spectrum of random electrical signals used to disguise real data.
Zones – Control zones.
Access Control Monitoring
Keeping track of who attempts to access specific resources, access control monitoring is an important detective mechanism usually carried out by intrustion detection systems:
Intrusion Detection Systems (IDS):
Network Based: Monitors network, or a segment of the network (passive). Placement of sensors is a critical part of configuring a network based IDS. Place a sensor on the outside firewall to detect attacks and inside the firewall to detect invasions. Another factor to consider is that the network traffic should never exceed the IDS threshold, or the IDS may just start to drop packets.
Host-Based: Monitors a specific system.
Intrusion detection systems have two main methods of operation:
Knowledge / Signature based: This type of IDS looks for known attacks and is therefore weak vs. new attacks. There are fewer false alarms. This type of IDS may also fail to detect “slow” attacks extended over a long period of time.
Behavior based / Statistical IDS: This type of IDS detects deviations from expected behavior of users and systems. May use expert systems. Detects new attacks and doesn’t rely on a database of signatures to be updated, but, can cause more false positives.
Relational Database Security
The following are areas relating to database technology and security:
Schema: Description of the database and its tables. Usually written using a DDL.
Cardinality: Number of rows in a table.
Degree: Number of columns in a table.
Domain: The set of all allowable values an attribute can take.
Entity Integrity & Referential Integrity:
View: Virtual table defined from other tables that are used to restrict access, hide attributes and provide content-dependant access. Views help implement least privilege and need to know principles.
To protect against “inference attacks”, databases may have a minimum query set size and prohibit query of “all but one” tuples. Highly secure systems may also employ context dependant access control where the tuples a user can read are based on those already read.
The main categories of threat to access control mechanisms are:
- Dictionary attack.
- Brute force attack.
- Spoofing at login – fake login screen to capture details.
- Man in the Middle Attacks
A “trusted path” can mitigate login spoofing.
The following measures are used to compensate for internal and external access violations:
- Fault tolerance
- Business continuity planning
No tags for this post.