
CISSP Essentials: Mastering the Common Body of Knowledge

Class 2: Access control
Lecturer: Shon Harris, CISSP, MCSE
President, Logical Security

CISSP Essentials Library: www.searchsecurity.com/CISSPessentials
Class 2 Quiz: www.searchsecurity.com/Class2quiz
Class 2 Spotlight: www.searchsecurity.com/Class2spotlight

Access control domain objectives

- Access control types and characteristics
- Identification, authentication and authorization methods
- Access control models and techniques
- Single sign-on technologies and characteristics
- Centralized and decentralized administration
- Intrusion-detection systems

Access control mechanism examples

Physical
- Locks
- Removal of floppy and CD-ROM drives
- Security guards controlling access to facility and equipment
- Computer chassis locks

Technical (logical)
- Encryption
- Passwords and tokens
- Biometrics
- Operating system and application controls
- Identification and authorization technologies

Administrative
- Policies and procedures
- Security awareness training
- Quality assurance

Access control characteristics

Control service: Description
- Preventative: keep undesirable events from happening
- Detective: identify undesirable events that have taken place
- Corrective: correct undesirable events that have taken place
- Deterrent: discourage security violations from taking place
- Recovery: restore resources and capabilities after a violation or accident
- Compensation: provide alternatives to other controls

Control combinations

Detective administrative
- Job rotation
- Sharing responsibilities
- Inspections
- Incident response
- Use of auditors

Detective technical
- IDS
- Reviewing audit logs
- Reviewing violations of clipping levels
- Forensics

Detective physical
- Human evaluation of output from sensors or cameras
- Motion detectors, intrusion detection, video cameras
- Guard responding to alarm

Authentication mechanism characteristics

Verifying identification information:
- Something you know: password
- Something you have: smart card
- Something you are: biometrics (example = voice print)

Access control mechanisms in use today

Mechanism: Examples
- Biometrics: retina scan, fingerprint, voice print
- Token devices: synchronous and asynchronous devices
- Memory cards: ATM card, proximity card
- Smart cards: credit card, identification card
- Cryptographic keys: private key

Crossover Error Rate (CER)

- Statistical metric
- The CER is the value at which Type I and Type II errors are equal:
  (Type I errors = Type II errors) = CER metric value
- Example: system ABC has 1 Type I error out of 100 = 1%; system ABC has 1 Type II error out of 100 = 1%; CER = 1
- The lower the CER value, the higher the accuracy
- A system with a CER of 4 has greater accuracy than a system with a CER of 5
- Customers can use this rating when comparing biometric systems
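Worked CER computation, added here as an example rather than taken from the course: the match scores for two constructed systems, A and B, are swept over every decision threshold to find where the Type I and Type II rates cross, and the systems are then ranked by that value.

```python
"""Crossover Error Rate (CER) worked example: added here, not code from
the CISSP Essentials slides. Match scores are constructed. Following
the slides, rejecting a genuine user is a Type I error and accepting an
impostor is a Type II error; the CER is the rate at which the two are
equal, and the lower it is, the more accurate the system."""

# Constructed match scores (0-100) for two systems, A and B; a score at or
# above the decision threshold is accepted. B's distributions overlap more.
GENUINE_A = [88, 92, 75, 81, 95, 58, 84, 90, 63, 87, 70, 91, 52, 85, 80, 94, 66, 89, 72, 86]
IMPOSTOR_A = [12, 25, 33, 41, 18, 29, 65, 22, 37, 48, 15, 55, 71, 27, 44, 20, 35, 60, 16, 39]
GENUINE_B = [80, 45, 70, 90, 55, 85, 60, 95, 65, 75, 50, 88, 72, 40, 82, 68, 92, 58, 77, 63]
IMPOSTOR_B = [20, 50, 35, 62, 15, 55, 42, 70, 30, 48, 58, 25, 66, 38, 45, 52, 10, 60, 33, 74]


def error_rates(genuine, impostor, threshold):
    """Return (Type I rate, Type II rate) at a threshold as fractions."""
    type1 = sum(1 for s in genuine if s < threshold) / len(genuine)    # false rejections
    type2 = sum(1 for s in impostor if s >= threshold) / len(impostor)  # false acceptances
    return type1, type2


def crossover_error_rate(genuine, impostor):
    """Sweep every threshold and return (threshold, CER in percent) at the
    point where the Type I and Type II rates are closest to equal."""
    best = None
    for threshold in range(0, 101):
        type1, type2 = error_rates(genuine, impostor, threshold)
        gap = abs(type1 - type2)
        if best is None or gap < best[0]:
            best = (gap, threshold, (type1 + type2) / 2 * 100)
    _, threshold, cer = best
    return threshold, round(cer, 2)


def rank_by_cer(systems):
    """Order {name: (genuine, impostor)} most accurate first: lower CER wins."""
    cers = {name: crossover_error_rate(g, i)[1] for name, (g, i) in systems.items()}
    return sorted(cers, key=cers.get)


if __name__ == "__main__":
    for name, (g, i) in {"A": (GENUINE_A, IMPOSTOR_A), "B": (GENUINE_B, IMPOSTOR_B)}.items():
        print(name, crossover_error_rate(g, i))   # A: (61, 10.0)  B: (59, 25.0)
```

System A crosses at threshold 61 with a CER of 10%, system B at 59 with 25%, so A is the more accurate device in the sense the slide describes.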

Biometric system types

Biometric type: Description
- Fingerprint: ridge endings and bifurcations = minutiae
- Finger scan: same as fingerprint, but extracts a smaller amount of data from the fingerprint
- Palm scan: all prints from fingers and creases, ridges and grooves from the palm
- Hand geometry: shape (length and width) of hand and fingers
- Retina scan: blood vessel pattern of the retina on the back of the eyeball
- Iris scan: colored portion of the eye that surrounds the pupil
- Signature dynamics: captures electrical signals of the signature process
- Keyboard dynamics: captures electrical signals of the typing process
- Voice print: distinguishes differences in sounds, frequencies and patterns
- Facial scan: bone structure, nose ridges, forehead size, eye width
- Hand topology: side view of the hand, reviewing size and width

Smart card characteristics

- Microprocessor and integrated circuits
- Holds and processes data
- Tamperproof device
- After a threshold of failed login attempts, it can render itself unusable
- PIN or password unlocks smart card functionality

A smart card could be used for:
- Holding biometric data in a template
- Responding to a challenge
- Holding a private key
- Holding user work history, medical information, money, etc.

Added costs compared to other authentication technologies:
- Reader purchase
- Card generation and maintenance
- Different technologies
Single sign-on methods

- Scripts
- Directory services
- Thin clients
- Kerberos
- SESAME

Kerberos components working together

Components of Kerberos

Key Distribution Center (KDC)
- Holds all of the principals' secret keys
- Principals authenticate to the KDC before networking can take place

Principals
- Any user or service that interacts with a network
- Term applied to anything within a network that needs to communicate in an authorized manner

Realm
- All principals that a specific KDC is responsible for
- A KDC can be responsible for one or more domains
- Similar to Microsoft's concept of a domain or zones within DNS servers

More components of Kerberos

Two major services of the KDC

Authentication Server (AS)
- Authenticates the user at initial logon
- Generates the initial ticket that allows the user to authenticate to the local system
- The initial ticket is also used to allow the user to request a Ticket Granting Ticket (TGT) from the TGS

Ticket Granting Service (TGS)
- Generates tickets to allow subjects to authenticate to each other
- These tickets are called Ticket Granting Tickets (TGTs)

Kerberos authentication steps
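As an added example (not the course's own code), a simplified model of the exchange between a client, the AS and the TGS described on the previous slides. It assumes a constructed realm with the principals alice, krbtgt (the TGS) and fileserver, and uses an HMAC seal in place of the symmetric encryption real Kerberos applies to tickets, so only key binding, not confidentiality, is modeled.

```python
"""Simplified model of the Kerberos AS and TGS exchange: added example,
not code from the slides. The KDC holds every principal's secret key;
the AS authenticates the user at initial logon and issues the TGT; the
TGS validates the TGT and issues a ticket for the target service. Real
Kerberos encrypts tickets with a symmetric cipher; an HMAC seal stands
in for that here, so key binding is modeled but confidentiality is not."""
import hashlib, hmac, json, secrets

# Constructed realm: the KDC key database. "krbtgt" is the TGS's own key.
KDC_KEYS = {"alice": b"alice-long-term-key", "krbtgt": b"tgs-long-term-key",
            "fileserver": b"fileserver-long-term-key"}

def seal(key, payload):
    """Bind a payload to one key holder (stand-in for encryption)."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key, token):
    """Return the payload only if the seal was made with this key."""
    tag = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, token["tag"]):
        raise PermissionError("ticket was not issued for this key")
    return json.loads(token["body"])

def as_exchange(user, now=0):
    """AS, initial logon: session key sealed for the user, TGT sealed for the TGS."""
    if user not in KDC_KEYS:
        raise PermissionError("unknown principal")
    session = secrets.token_hex(8)
    tgt = seal(KDC_KEYS["krbtgt"], {"user": user, "session": session, "exp": now + 600})
    return seal(KDC_KEYS[user], {"session": session}), tgt

def tgs_exchange(tgt, authenticator, service, now=0):
    """TGS: open the TGT (only the TGS key can), check expiry, check that the
    authenticator was sealed with the TGT's session key, issue a service ticket."""
    claims = unseal(KDC_KEYS["krbtgt"], tgt)
    if now >= claims["exp"]:
        raise PermissionError("TGT expired")
    if unseal(claims["session"].encode(), authenticator)["user"] != claims["user"]:
        raise PermissionError("authenticator does not match TGT")
    return seal(KDC_KEYS[service], {"user": claims["user"], "service": service})

def access_service(user, user_key, service, now=0):
    """Client: log on, obtain a service ticket, present it; the service opens
    the ticket with its own long-term key and returns the claims inside."""
    for_user, tgt = as_exchange(user, now)
    session = unseal(user_key, for_user)["session"]   # wrong password key -> PermissionError
    ticket = tgs_exchange(tgt, seal(session.encode(), {"user": user}), service, now)
    return unseal(KDC_KEYS[service], ticket)
```

A client that does not hold alice's long-term key cannot recover the session key from the AS reply, and a TGT presented after its expiry is refused by the TGS before the authenticator is even examined.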

Models for access

Access control models
- Once security goals are understood, a model must be chosen to fulfill the directives of the security policy
- The model is actually integrated into the operating system and application
- A security model enforces access control by regulating how subjects and objects interact

Model types
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC), also called non-discretionary
- Rule-Based Access Control
- Access Control Matrix

Remote centralized administration

Technologies
- RADIUS
- TACACS+
- Diameter

RADIUS characteristics

Remote Authentication Dial-In User Service (RADIUS)
- AAA protocol: authentication, authorization, auditing
- De facto standard authentication protocol
- Open source, thus has been integrated into many vendor products
- Works on a client/server model

TACACS+ characteristics

Terminal Access Controller Access Control System (TACACS)
- Cisco proprietary protocol
- Splits authentication, authorization and auditing features
- Not open source for others to use
- Allows the administrator more flexibility
- Provides more protection for client-to-server communication compared to RADIUS

Diameter characteristics

- New and improved RADIUS
- Open source protocol for all to use and integrate
- RADIUS is limited in its methods of authenticating users:
  - SLIP and PPP connections
  - PAP, CHAP and some EAP authentication methods
- Diameter does not have such limitations:
  - Can authenticate wireless devices and smart phones
  - Can authenticate by using other authentication protocols
  - Open for future growth
- Users can move between service provider networks and change their points of attachment
- Includes better message transport, proxying, session control and higher security for AAA transactions

IDS

Network-based IDS
- Monitors traffic on a network segment
- Computer or network appliance with a NIC in promiscuous mode
- Sensors communicate with a central management console

Host-based IDS
- Small agent programs that reside on individual computers
- Detects suspicious activity on one system, not a network segment

Types of IDSes

Signature-based
- Also called knowledge-based
- The IDS has a database of signatures, which are patterns of previously identified attacks
- Cannot identify new attacks
- Software needs continual updates of signatures

Behavior-based
- Statistical or anomaly-based
- Creates many false positives
- Better defense against new attacks
- Compares audit files, logs and network behavior, and develops and maintains profiles of normal behavior

Behavioral-based IDS

Statistical
- Setting of a threshold for certain activities
- Once the threshold is exceeded, an alert is released
- For example: 10 FTP requests in a 10-minute period is okay; 50 FTP requests in a 10-minute period indicates an attack

Anomaly-based
- Identification of abnormal behavior based on a profile of normal behavior
- The profile is built by the IDS learning about the environment's day-in and day-out activities
- An anomaly does not fall within the set of historical values
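Both behavior-based checks from the two slides above, run over constructed data as an added example (not the course's own code): the statistical rule uses the slide's 50-requests-in-10-minutes threshold as a sliding window over sample ftpd log lines, and the anomaly rule learns a profile from historical daily totals; the three-standard-deviation cutoff is an assumption here, not a figure from the slides.

```python
"""Behavior-based IDS checks from the slides: added example, not the
course's own code. statistical_alerts() applies the threshold rule (10
FTP requests in 10 minutes is fine, 50 indicates an attack) as a sliding
window over constructed log lines; anomaly_alerts() learns a profile of
normal behavior from historical values and flags readings outside it."""
from collections import deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed ftpd log lines: 10 requests spread over 09:00-09:09 (normal),
# then 50 requests from one host packed into 10:00-10:04 (a burst).
SAMPLE_LOG = [f"2024-03-01 09:{m:02d}:00 ftpd[412]: connection from 10.0.0.{m % 5 + 2}"
              for m in range(10)]
SAMPLE_LOG += [f"2024-03-01 10:{s // 10:02d}:{s % 10 * 6:02d} ftpd[412]: connection from 10.0.0.99"
               for s in range(50)]

# Constructed profile data: daily FTP request totals over ten normal days,
# then four new daily readings to judge against that profile.
HISTORY = [120, 130, 115, 125, 135, 118, 122, 128, 132, 117]
READINGS = [("Mon", 127), ("Tue", 140), ("Wed", 145), ("Thu", 410)]


def statistical_alerts(lines, limit=50, window=timedelta(minutes=10)):
    """Count ftpd requests in a sliding window; alert when a window reaches
    `limit`. Returns [(time of alert, requests in window)]."""
    recent, alerts = deque(), []
    for line in lines:
        if "ftpd" not in line:
            continue
        t = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        recent.append(t)
        while t - recent[0] >= window:          # drop requests older than the window
            recent.popleft()
        if len(recent) == limit:                # == : one alert per burst, not per request
            alerts.append((t.strftime("%H:%M:%S"), len(recent)))
    return alerts


def build_profile(history):
    """Profile of normal behavior: mean and standard deviation of history."""
    return mean(history), pstdev(history)


def anomaly_alerts(history, readings, sigmas=3):
    """Flag readings more than `sigmas` standard deviations from the profile
    mean, i.e. values that do not fit the historical pattern. A tight profile
    also flags a merely busy day, the false-positive cost the slides mention."""
    mu, sigma = build_profile(history)
    return [(label, value) for label, value in readings if abs(value - mu) > sigmas * sigma]
```

On this data the window alert fires once, at 10:04:54 when the 50th request lands, and the anomaly check flags Thursday's 410 along with Wednesday's 145, a plausibly legitimate busy day that a profile this tight treats as abnormal.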

CISSP Essentials: Mastering the Common Body of Knowledge
Lecturer: Shon Harris, CISSP, MCSE
President, Logical Security
www.LogicalSecurity.com
ShonHarris@LogicalSecurity.com

Coming next: Class 3: Cryptography

Register at the CISSP Essentials Library: www.searchsecurity.com/CISSPessentials