The Access Control domain is considered one of the top five domains of the CISSP CBK and deserves close attention. This domain also contains some concepts that the average IT professional is fairly unfamiliar with and that should be well understood to obtain the certification. Markup languages and their use are a good example of such concepts.
A subject is an active entity and an object is a passive entity.
Permission refers to the access granted for an object, such as read, create, edit and delete.
Right refers to the ability to take an action on an object, e.g. modify the system time.
Privilege = permission + right
A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
A cognitive password is usually a series of questions about facts or predefined responses that only the subject should know. For example, what is your mother’s maiden name?
DAC is also referred to as identity-based access control
because access is granted to subjects based on their identity.
A DAC model is implemented using access control lists (ACLs) on
objects. It does not offer a
centrally controlled management system because owners can alter the ACLs on
their objects at will. Access to objects is easy to change, especially when
compared to the static nature of mandatory access controls.
Within a DAC environment, users’ privileges can
easily be suspended while they are on vacation, resumed when they return, or
terminated when they leave.
Administrators centrally administer non-discretionary access controls and
can make changes that affect the entire environment.
In a non-DAC model, access does not focus on user identity.
Instead, a static set of rules governing the whole environment is used to
manage access. Non-DAC systems are centrally controlled and easier to manage (although
less flexible). Rule-based access controls and lattice-based access
controls are both considered non-discretionary.
Subjects under lattice-based access controls acquire a least
upper bound and a greatest lower bound of access to labeled objects based
on their assigned lattice positions. A common example of a lattice-based access
control is a mandatory access control.
A mandatory access control (MAC) system relies upon the
use of classification labels. Each classification label represents a security
domain, or a realm of security. A security domain is a collection of
subjects and objects that share a common security policy.
Mandatory access controls are often considered to be non-discretionary controls
because they are lattice based. However, the CISSP CIB lists them separately.
An expansion of this access control method is known as need to
know. Subjects with specific clearance levels are granted access to
resources only if their work tasks require such access.
Mandatory access control is prohibitive rather than permissive,
and it uses an implicit deny philosophy. If access is not specifically granted,
it is forbidden. It is generally recognized as being more secure than DAC, but
it isn’t as flexible or scalable.
A distinguishing factor between MAC and rule-based access
controls is that MAC controls have labels while the non-discretionary rule-based access
controls do not use labels.
Objects have security labels (or sensitivity labels), subjects
have clearances.
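As an added illustration that is not part of the original notes, the following Python models a lattice position as a classification level plus a set of need-to-know categories, so that least upper bound, greatest lower bound and the implicit-deny "clearance dominates label" check described above can be computed; the level names, categories and object names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed classification hierarchy and need-to-know categories (hypothetical names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LEVEL_BY_RANK = {rank: name for name, rank in LEVELS.items()}

@dataclass(frozen=True)
class Label:
    """A lattice position: a classification level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str]

    def dominates(self, other):
        """self is at or above other in the lattice: higher-or-equal level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def lub(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVEL_BY_RANK[max(LEVELS[a.level], LEVELS[b.level])],
                 a.categories | b.categories)

def glb(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(LEVEL_BY_RANK[min(LEVELS[a.level], LEVELS[b.level])],
                 a.categories & b.categories)

def may_access(clearance, sensitivity_label):
    """MAC with implicit deny: access only when the subject's clearance dominates the object's label.
    The category comparison is the need-to-know restriction; a sufficient level alone is not enough."""
    return clearance.dominates(sensitivity_label)

def reachable_objects(clearance, objects):
    """Names of the labelled objects a subject may access: everything at or below its clearance."""
    return sorted(name for name, label in objects.items() if may_access(clearance, label))
```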
A capability table specifies the access rights a certain
subject possesses pertaining to specific objects. A capability table is
different from an ACL because the subject is bound to the capability table,
whereas the object is bound to the ACL.
An access control matrix is a table of subjects and
objects indicating what actions individual subjects can take upon individual
objects. This type of access control is usually an attribute of DAC models.
The access rights can be assigned directly to the subjects (capabilities) or to
the objects (ACLs).
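To make the distinction concrete, this added Python example (not from the original notes) builds one access control matrix and derives both views from it: a capability table bound to a subject and an ACL bound to an object, plus a DAC owner altering the ACL of its own object; the subject, object and owner names are constructed.

```python
import copy

# Constructed access control matrix: subject -> object -> set of permissions.
# Subject, object and owner names are hypothetical, not from the original notes.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "edit"}, "hr_policy.pdf": {"read"}},
    "bob":   {"hr_policy.pdf": {"read", "edit", "delete"}},
    "carol": {"payroll.xlsx": {"read"}},
}
OWNERS = {"payroll.xlsx": "alice", "hr_policy.pdf": "bob"}

def capability_table(matrix, subject):
    """Row of the matrix: bound to the subject, lists the objects and the rights it holds on them."""
    return {obj: set(perms) for obj, perms in matrix.get(subject, {}).items()}

def acl(matrix, obj):
    """Column of the matrix: bound to the object, lists the subjects and their rights on it."""
    return {subject: set(objects[obj])
            for subject, objects in matrix.items() if obj in objects}

def is_permitted(matrix, subject, obj, action):
    """Implicit deny: a missing matrix entry means no access."""
    return action in matrix.get(subject, {}).get(obj, set())

def owner_grant(matrix, owner, obj, grantee, action):
    """DAC: only the object's owner may alter its ACL. Returns a new matrix, leaving the input intact."""
    if OWNERS.get(obj) != owner:
        raise PermissionError(f"{owner} does not own {obj}")
    updated = copy.deepcopy(matrix)
    updated.setdefault(grantee, {}).setdefault(obj, set()).add(action)
    return updated
```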
A meta-directory gathers the necessary information from
multiple sources and stores it in one central directory. This provides a
unified view of all users’ digital identity information
throughout the enterprise.
A virtual directory plays the same role and can be used
instead of a meta-directory. The difference between the two is that the
meta-directory physically has the identity data in its directory, whereas a
virtual directory does not and points to where the actual data reside.
Web portal functions are parts of a website that act as a point of access to information. A portal presents information from diverse sources in a unified manner.
A web portal is made up of portlets, which are pluggable
user-interface software components that present information from other systems.
A portlet is an interactive application that provides a specific type of web
service functionality.
XML is a common
language used to exchange information.
Security Assertion Markup Language (SAML) is an XML-based
language that is commonly used to exchange authentication and authorisation (AA) information between federated organisations. It is often used to
provide SSO capabilities for browser access.
When a user needs to log in once and gain access to different and separate web-based applications, the actual authentication data have to be shared between the systems maintaining those web applications securely and in a standardized manner. This is the role that SAML plays: it is an XML standard that allows authentication and authorization data to be exchanged between security domains.
The Service Provisioning Markup Language (SPML) allows for
the exchange of provisioning data between applications, which could reside in
one organization or many. SPML allows for the automation of user management
(account creation, amendments, revocation) and access entitlement configuration
related to electronically published services across multiple provisioning
systems. This markup language allows for the integration and interoperation of
service provisioning requests across various platforms. When a new employee is
hired at a company, that employee usually needs access to a wide range of
systems, servers, and applications. Setting up new accounts on each and every
system, properly configuring access rights, and then maintaining those accounts
throughout their lifetimes is time-consuming, laborious, and error-prone. What
if the company has 20,000 employees and thousands of network resources that
each employee needs various access rights to? This opens the door for
confusion, mistakes, vulnerabilities, and a lack of standardization. SPML
allows for all these accounts to be set up and managed simultaneously across
the various systems and applications. SPML is made up of three main entities:
the Requesting Authority (RA), which is the entity that is making the request
to set up a new account or make changes to an existing account; the
Provisioning Service Provider (PSP), which is the software that responds to the
account requests; and the Provisioning Service Target (PST), which is the
entity that carries out the provisioning activities on the requested system.
Transmission of SAML data can take place over different protocol
types, but a common one is Simple Object Access Protocol (SOAP). SOAP is
a specification that outlines how information pertaining to web services is
exchanged in a structured manner. It provides the basic messaging framework,
which allows users to request a service and, in exchange, the service is made
available to that user. Let's say you need to interact with your company's
customer relationship management (CRM) system, which is hosted and maintained
by the vendor—for
example, Salesforce.com. You would log in to your company's portal and
double-click a link for Salesforce. Your company's portal will take this
request and your authentication data and package it up in an SAML format and
encapsulate that data into a SOAP message. This message would be transmitted
over an HTTP connection to the Salesforce vendor site.
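As an added example that is not part of the original post, the Python below checks the SAML Conditions of an assertion carried in a SOAP body, which is what a service provider such as the Salesforce-style vendor above must do before trusting the login; the envelope, hostnames and timestamps are constructed, and the assertion's XML signature is assumed to have been verified separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a SOAP 1.1 envelope carrying one SAML 2.0 assertion (hostnames hypothetical).
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
                  ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
   <saml:Issuer>https://portal.example.com/idp</saml:Issuer>
   <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
     <saml:Audience>https://crm.example.com</saml:Audience>
    </saml:AudienceRestriction>
   </saml:Conditions>
  </saml:Assertion>
 </soap:Body>
</soap:Envelope>"""

def saml_time(value):
    """Parse the UTC timestamp format SAML uses for NotBefore / NotOnOrAfter."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(soap_xml, expected_issuer, my_audience, now):
    """Return (subject, None) when the assertion is acceptable for this service provider,
    otherwise (None, reason). Assumes the XML signature was already verified: this covers
    only the Conditions that stop a stale or misdirected assertion from being accepted."""
    assertion = ET.fromstring(soap_xml).find("soap:Body/saml:Assertion", NS)
    if assertion is None:
        return None, "no SAML assertion in SOAP body"
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None, "unexpected issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return None, "assertion has no validity window"
    if now < saml_time(cond.get("NotBefore")) or now >= saml_time(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return None, "assertion not intended for this audience"
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), None
```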
The use of web services in this manner also allows for
organizations to provide service oriented architecture (SOA)
environments. An SOA is a way to provide independent services residing on
different systems in different business domains in one consistent manner. For
example, if your company has a web portal that allows you to access the
company's CRM, an employee directory, and a help-desk ticketing application,
this is most likely being provided through an SOA. The CRM system may be within
the marketing department, the employee directory may be within the HR
department, and the ticketing system may be within the IT department, but you
can interact with all of them through one interface.
Extensible Access Control Markup Language (XACML) is used
to define access control policies within an XML format, and it commonly
implements role-based access controls. It helps provide assurances to all
members in a federation that they are granting the same level of access to
different roles.
Diameter supports a wide range of protocols, including traditional IP, Mobile IP, and Voice over IP (VoIP). Because it supports extra commands, it is becoming popular in situations where roaming support is desirable, such as with wireless devices and smart phones.
Key steps in risk management are as follows:
- Identifying assets
- Identifying threats
- Identifying vulnerabilities
After identifying and prioritizing assets, an organization
attempts to identify any possible threats to the valuable systems. Threat modelling refers to the
process of identifying, understanding, and categorizing potential threats. A
goal is to identify a potential list of threats to these systems and to analyze
the threats.
Access aggregation refers to collecting multiple pieces of
non-sensitive information and combining (aggregating) them to learn sensitive
information. Reconnaissance
attacks are access aggregation attacks.
A birthday attack focuses on finding collisions. It is so named based on a statistical phenomenon known as the birthday paradox. The birthday paradox states that if there are 23 people in a room, there is a 50 percent chance that at least two of them share the same birthday.
Birthday attacks are mitigated by using hashing algorithms
with a sufficient number of bits to make collisions computationally infeasible.
There was a time when MD5 (using 128 bits) was considered to be collision free.
However, computing power continues to improve, and MD5 is no longer considered
safe against collisions. SHA-2 can use as many as 512 bits and is considered
safer against birthday attacks and collisions—at
least for now.
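Worked numerically as an added example (not part of the original post): the exact and approximate probability of a collision among n values, the room size at which a shared birthday reaches 50 percent, and the number of hash computations after which a collision is expected for 128-bit and 256-bit digests, which is why the work is on the order of 2^(bits/2) rather than 2^bits.

```python
import math

def collision_probability(n, space):
    """Exact probability that at least two of n values drawn uniformly from `space`
    possibilities coincide (the birthday paradox is the case space = 365)."""
    if n > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct

def collision_probability_approx(n, bits):
    """1 - exp(-n^2 / 2^(bits+1)): the standard approximation for a hash output space
    of 2^bits values, far too large to iterate over exactly."""
    return 1.0 - math.exp(-(n * n) / 2.0 ** (bits + 1))

def hashes_for_collision(bits, p=0.5):
    """Number of hash computations at which a collision is expected with probability p:
    sqrt(2 * 2^bits * ln(1 / (1 - p))), i.e. on the order of 2^(bits/2)."""
    return math.sqrt(2.0 * 2.0 ** bits * math.log(1.0 / (1.0 - p)))

def birthday_paradox_people(p=0.5):
    """Smallest number of people for which the chance of a shared birthday reaches p."""
    n = 1
    while collision_probability(n, 365) < p:
        n += 1
    return n

def work_factor_bits(bits, p=0.5):
    """log2 of hashes_for_collision: a 128-bit digest (MD5-sized) gives roughly 64 bits
    of collision work, a 256-bit SHA-2 digest roughly 128 bits."""
    return math.log2(hashes_for_collision(bits, p))
```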
A drive-by download is a type of malware that installs
itself without the user’s knowledge when the user visits a website.
Drive-by downloads take advantage of vulnerabilities in browsers or plug-ins.
Network Segregation, perimeter security, control zone and cabling
are physical controls.
Extended TACACS (XTACACS) separates authentication,
authorization and accounting processes.
Employing a password
generator is a bad idea as users will write down difficult passwords
somewhere.
Two factor authentication is better than biometric authentication
alone.
In Windows environments, administrators can use a Syskey utility that encrypts
the database storing the passwords with a locally stored system key.
Signature dynamics is a method that captures the electrical signals when a person signs a name. Keystroke dynamics captures electrical signals when a person types a certain phrase.
A passphrase is a sequence of characters that is longer
than a password and, in some cases, takes the place of a password during an
authentication process. The user enters this phrase into an application, and
the application transforms the value into a virtual password, making the
passphrase the length and format that is required by the application.
A memory card holds information but cannot process
information. A smart card holds information and has the necessary
hardware and software to actually process that information.
Two types of contactless smart cards are available: hybrid and combi. The hybrid card has
two chips, with the capability of utilizing both the contact and contactless
formats. A combi card has one microprocessor chip that can communicate
to contact or contactless readers.
ISO/IEC standard for Smart Cards is ISO/IEC 14443.
Attackers often delete audit logs that hold incriminating information about their activity. Deleting specific incriminating data within audit logs is called scrubbing.