Certified Information Systems Security Professional (CISSP) Domain "Access Control"
Certified Information Systems Security Professional (CISSP) report paper, domain "Access Control". Supervised by instructor Dogus Sarica. Prepared by Zaid Dawad Al-Rustom (20112465).
Definitions

First I will present some definitions of the Certified Information Systems Security Professional (CISSP). The CISSP is an independent information security certification governed by the International Information Systems Security Certification Consortium, also known as (ISC)². As of November 2012, (ISC)² reports that 84,596 members hold the CISSP certification worldwide, in 143 countries. In June 2004 the CISSP obtained accreditation under ANSI ISO/IEC Standard 17024:2003. It is also formally approved by the U.S. Department of Defense (DoD) in both the Information Assurance Technical (IAT) and Managerial (IAM) categories of the DoDD 8570 certification requirement, and it has been adopted as the baseline for the U.S. National Security Agency's ISSEP program.

My definition: it is an international certificate that is depended on to secure the data in computers, made by a group of specialist computer security programmers to provide a standard security certificate; the main advantage of this is that it puts in place many computer security laws and ethical rules that protect us against internet information crimes.

The 10 Domains:
1. Security Management Practices
2. Access Control Systems & Methodology
3. Law, Investigations, Ethics
4. Physical Security
5. Business Continuity & Disaster Recovery Planning
6. Security Architecture & Models
7. Cryptography
8. Telecommunications & Network Security
9. Applications & Systems Development
10. Operations Security
Access control: "the first line of defense"

Some attacks

Let's look at some of the different attacks on passwords. The simple one is called the dictionary attack; then there is the brute force attack; and a combination of the two is called a hybrid attack. First, the dictionary type: what is a dictionary attack? To begin with, a password is not stored in clear text in a file on your computer; what is stored is a hash of the password. A dictionary attack takes every word in a dictionary, creates a hash of it and compares that hash with the hashes in the file on the computer. If there is a match, the attacker looks back at the word that was used to create that hash, and that word is the password. A brute force attack is just that: it tries every possible combination in order to match your hash and recover your password. A brute force attack will always succeed eventually, because it literally tries every possible combination; a hybrid attack sits between the two, taking dictionary words and applying variations to them (appended digits, changed case and so on). What can you do to mitigate these attacks? The obvious ones are: don't send your passwords in clear text, and don't use common words or dictionary words. There are tools out there, SATAN being one of them, that you can use as password checkers, to see how secure the passwords are, identify those that are weak, and then simply change them.

Access control administration

The organization has to decide which access control model it is going to implement, whether DAC or MAC or another; expect to find that in the security policy. Then the technologies and techniques that are going to support that model need to be identified and put in place, the standards need to be developed, and the policies and procedures need to be developed and put in place. The next question the organization has to answer is how it is going to manage access control. Centrally, with one location handling everything? That might work for a small organization, but not necessarily for a large one.
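The three password attacks described under "Some attacks" above, shown as an added example written for this report (it is not code from the lecture material or from any of the tools named). The password file, the wordlist and the three accounts are constructed for illustration; the file stores unsalted SHA-256 hashes, which is the situation the text describes, where the attacker hashes guesses and compares them with the stored hash. The same code doubles as the kind of password checker the text recommends, flagging accounts that fall to dictionary or hybrid guessing.

```python
import hashlib
import itertools


def sha256_hex(text: str) -> str:
    """The system stores a hash of the password, not the password itself."""
    return hashlib.sha256(text.encode()).hexdigest()


# Hypothetical small dictionary; real attacks use wordlists of millions of entries.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "welcome"]

# Constructed "password file" (user -> stored hash). The clear text appears only
# so the reader can see what each attack has to recover.
PASSWORD_FILE = {
    "alice": sha256_hex("dragon"),        # a bare dictionary word
    "bob":   sha256_hex("Welcome1"),      # capitalised word plus a digit
    "carol": sha256_hex("x7#Qp9!vLm2r"),  # random: not reachable from the wordlist
}


def dictionary_attack(target_hash: str, wordlist):
    """Hash every word in the dictionary and compare it with the stored hash."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def mangle(word: str):
    """Hybrid rules: case variants of a dictionary word with 0-2 digits appended."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in (1, 2):
            for digits in itertools.product("0123456789", repeat=n):
                yield base + "".join(digits)


def hybrid_attack(target_hash: str, wordlist):
    """Dictionary attack plus mangling: fewer than 2,000 guesses against this wordlist."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force_keyspace(alphabet_size: int, max_length: int) -> int:
    """Upper bound on guesses for an exhaustive attack: it always succeeds, but the
    keyspace grows exponentially with password length and alphabet size."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def audit_passwords(password_file, wordlist):
    """Password checker: flag each account that falls to dictionary or hybrid guessing."""
    report = {}
    for user, stored in password_file.items():
        guess = dictionary_attack(stored, wordlist)
        if guess is not None:
            report[user] = ("dictionary", guess)
            continue
        guess = hybrid_attack(stored, wordlist)
        if guess is not None:
            report[user] = ("hybrid", guess)
        else:
            report[user] = ("not cracked", None)
    return report


if __name__ == "__main__":
    for user, (method, guess) in audit_passwords(PASSWORD_FILE, WORDLIST).items():
        print(f"{user}: {method} {guess or ''}")
    print("8-character lowercase keyspace:", brute_force_keyspace(26, 8))
```

The checker finds alice's and bob's passwords in well under a second because a fast, unsalted hash lets the attacker precompute or recompute guesses cheaply; a salted, deliberately slow password hash (bcrypt, scrypt, Argon2) does not stop the dictionary attack but multiplies its cost per guess, which is the general mitigation behind the text's advice not to use dictionary words.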
In a large organization, particularly a multinational or international one operating across many countries, a centralized approach may not be the best solution for you, and you may want to decentralize. You may also want to decentralize only a portion of it, which is referred to as the hybrid approach: for example, you manage the network centrally, but local printers and local file shares are administered at that particular location. When we talk about centralized access control, we have one location that makes the decisions regarding access. Senior management has to decide this and it has to be defined in the security policy; the data owner makes the ultimate decision about access to the data, and then the organization decides what it is going to have in place to support that, such as RADIUS, TACACS+, or Diameter, the newer successor to RADIUS, as its centralized access control. In other words, you have one location, and that location controls access for everybody.

Centralized access control

I will give RADIUS as an example to discuss centralized access control. It is a handshaking protocol that allows a RADIUS server to provide authentication and authorization information to a network access server, the RADIUS client. When we dial in we do not reach the RADIUS server directly; the server contains a database of users and credentials, or it may be configured to consult another directory, for example a Lightweight Directory Access Protocol (LDAP) server or Active Directory on Windows, which holds the database of users and credentials. The communication between the RADIUS client and the server also needs to be protected. The exchange goes as follows: the user initiates Point-to-Point Protocol (PPP) authentication with the provider; the RADIUS client prompts the user for credentials; the user types the user ID and password; the RADIUS client passes them to the RADIUS server, which checks them either locally in its own database or against, say, Active Directory, and then sends back an Accept or a Reject, or it may send a challenge back to which the user has to respond. If authentication is successful, RADIUS allows the client access to the network, so you can get onto the network and do whatever you are allowed to do.
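The exchange just described, as an added example written for this report rather than code from any RADIUS product or from the lecture material: the RFC 2865 Access-Request / Access-Accept handshake in Python, with the RADIUS client (the network access server) and the RADIUS server in one file. The shared secret, the user database and the user alice are made-up values, and the local USER_DB stands in for the LDAP or Active Directory lookup the text mentions.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # challenge not exercised here
USER_NAME, USER_PASSWORD = 1, 2   # attribute type numbers (RFC 2865 section 5)

SHARED_SECRET = b"example-shared-secret"               # hypothetical, configured on NAS and server
USER_DB = {b"alice": b"correct horse battery staple"}  # hypothetical; stands in for LDAP/AD


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, run by the server."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def client_access_request(username, password, ident=1):
    """RADIUS client (the NAS the user dialed into) builds the Access-Request."""
    req_auth = secrets.token_bytes(16)   # fresh Request Authenticator per request
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet):
    """RADIUS server checks the credentials and answers Accept or Reject."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    fields = dict(attrs)
    username = fields.get(USER_NAME, b"")
    password = reveal_password(fields.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    expected = USER_DB.get(username)
    ok = expected is not None and secrets.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, req_auth, [], SHARED_SECRET)
    return build_packet(reply_code, ident, resp_auth, [])


def client_verify_reply(reply, req_auth):
    """Only a server that knows the secret can produce a valid Response Authenticator."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, req_auth, attrs, SHARED_SECRET)
    if not secrets.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: reply forged or wrong secret")
    return code


def authenticate(username, password):
    """Whole exchange: NAS builds the request, server answers, NAS checks the answer."""
    request, req_auth = client_access_request(username, password)
    reply = server_handle(request)
    return client_verify_reply(reply, req_auth) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice / correct password:", authenticate(b"alice", b"correct horse battery staple"))
    print("alice / wrong password:  ", authenticate(b"alice", b"wrong"))
```

The User-Password attribute is not sent in the clear: it is XORed with an MD5 keystream derived from the shared secret and the per-request Request Authenticator, and the reply carries a Response Authenticator that the client checks, so an Access-Accept forged by someone who does not know the secret is rejected. That MD5-based hiding is weak by modern standards, which is why the text's point that the client-to-server communication itself must be protected matters in practice (IPsec, or RADIUS over TLS as specified in RFC 6614).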
Access control methodologies

The methodologies for access control are administrative, technical and physical.

Administrative controls: group membership, time of day, transaction type.

With administrative controls we restrict access based on group membership, time of day or transaction type. From an administrative methodology we can restrict access to data based on time of day: for example, the payroll files are not to be accessed on Sunday morning at 3:00 am. Or based on transaction type: you are not allowed to perform a particular kind of transaction, such as deleting a database table. Those are administrative access control methodologies.

Technical controls: directory service, network architecture, network access, encryption, auditing.

Directory service

The technical layer of access control: we have already mentioned directory services, but the way you architect the network can also be an access control, and that is technical. Network access is a technical control, as is encryption. Let me point out one thing about auditing: auditing is a technical access control. Audit logs are technical controls because they track the activity of users and systems. Auditing is not preventative; it cannot prevent someone from accessing something, but it helps the system administrator understand how access took place so that changes can be made in the future. For directory services there are different types: X.500, LDAP, network directory services, and Active Directory. All four are technical controls.
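The administrative controls above (group membership, time of day, transaction type) and the point about auditing being a detective rather than preventative control, combined in one added example written for this report; it is not code from the lecture material. The policy, the group membership table and the users are hypothetical. Every decision, allowed or denied, is appended to an audit log that blocks nothing but lets an administrator see afterwards who was refused and why.

```python
from datetime import datetime

# Hypothetical policy: resource -> transaction type -> rule. A rule names the groups
# allowed, the permitted weekdays (Monday = 0) and the permitted hour window.
POLICY = {
    "payroll": {
        "read":   {"groups": {"hr", "finance"}, "weekdays": {0, 1, 2, 3, 4}, "hours": (7, 19)},
        "update": {"groups": {"hr"},            "weekdays": {0, 1, 2, 3, 4}, "hours": (8, 17)},
    },
}

# Hypothetical group membership (user -> groups).
GROUPS = {"alice": {"hr"}, "bob": {"engineering"}, "dana": {"finance"}}

# Detective control: every decision is recorded here; nothing is ever blocked by the log.
AUDIT_LOG = []


def parse_when(iso: str) -> datetime:
    """Helper so callers can pass '2024-01-07T03:00' instead of building a datetime."""
    return datetime.fromisoformat(iso)


def decide(user: str, resource: str, transaction: str, when: datetime) -> bool:
    """Rule-based decision: default deny, then group, day of week, time of day."""
    rule = POLICY.get(resource, {}).get(transaction)
    if rule is None:
        allowed, reason = False, "no rule for this transaction type (default deny)"
    elif not GROUPS.get(user, set()) & rule["groups"]:
        allowed, reason = False, "group membership"
    elif when.weekday() not in rule["weekdays"]:
        allowed, reason = False, "day of week"
    elif not rule["hours"][0] <= when.hour < rule["hours"][1]:
        allowed, reason = False, "time of day"
    else:
        allowed, reason = True, "all conditions met"
    AUDIT_LOG.append({"time": when.isoformat(), "user": user, "resource": resource,
                      "transaction": transaction, "allowed": allowed, "reason": reason})
    return allowed


def denied_events(log=None):
    """What an administrator reads the audit trail for: who was refused, and why."""
    log = AUDIT_LOG if log is None else log
    return [(e["user"], e["resource"], e["transaction"], e["reason"])
            for e in log if not e["allowed"]]


if __name__ == "__main__":
    decide("alice", "payroll", "read", parse_when("2024-01-08T10:00"))   # Monday, office hours
    decide("alice", "payroll", "read", parse_when("2024-01-07T03:00"))   # Sunday 03:00: denied
    decide("bob", "payroll", "read", parse_when("2024-01-08T10:00"))     # wrong group: denied
    decide("alice", "payroll", "delete", parse_when("2024-01-08T10:00")) # no such transaction
    for event in denied_events():
        print("DENIED", event)
```

The order of the checks is deliberate: the cheapest and most restrictive conditions (is there a rule at all, is the user in an allowed group) run first, and the log records the first failing condition so the administrator sees the real cause rather than a generic refusal.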
Of these, LDAP, the Lightweight Directory Access Protocol, is the lightweight version of X.500 that adapts the directory to work over TCP/IP.

Network architecture

Where you place firewalls, for example: you may have an internal, trusted network segment that is just for the top secret data, and you put a firewall in front of that portion of the network to block access to it. What you are doing is architecting the network to control access. You put a DMZ in place; you put your bastion hosts, servers from which you have removed all the extra services and ports, in the DMZ, with a firewall in front of the DMZ and a firewall behind it. How you architect the network controls who has access and who can get where.

Physical controls: network segregation, perimeter security, computer controls, work area separation, cabling.

Network segregation is just that: you can physically separate the network or logically separate it. Physically separated means one set of wiring, one set of routers and one set of switches kept apart from other parts of the network; logically separated means virtual LANs. Perimeter security is the locks on the doors, perhaps a mantrap to get into the building, and guards; all of those are physical security controls. Computer controls are things like a lock on your laptop so you can lock it to your desk and people can't walk off with it, or, for those of you under a requirement that the USB ports cannot be used, physically removing them from the device or putting a blocking plug into the slot so that a USB device cannot be inserted because the slot is filled. Those are all types of computer controls. Then there is work area separation. I have one client, a state agency, that has a direct connection with a federal agency. They are both in the same physical building on the same floor, but you have to go through the state agency to get to the back of the room to another private door that only the federal employees are allowed to go through, and they have their own internal mantrap in order to get into the federal area. To me that is work area separation. And then cabling: actually keeping the cables separate. Those are all types of physical layer or physical controls.

Identification and Authentication

Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID. Identification establishes user accountability for actions on the system. Authentication is verification that the user's claimed identity is valid, and it is usually implemented through a user password at log-on time. Authentication is based on the following three factor types:
1. Something you know, such as a PIN or password
2. Something you have, such as an ATM card or smart card
3. Something you are (physically), such as a fingerprint or retina scan

Passwords

Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. This "one-time password" provides maximum security because a new password is required for each new log-on. A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes: passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system.
Biometrics

An alternative to passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism, something you are. Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. In biometrics, identification is a "one-to-many" search of an individual's characteristics against a database of stored images. Authentication in biometrics is a "one-to-one" comparison to verify a claim to an identity made by a person. Biometrics is used for identification in physical controls and for authentication in logical controls. The following are typical biometric characteristics used to uniquely authenticate an individual's identity: fingerprints, retina scans, iris scans, facial scans, palm scans, hand geometry, voice, and handwritten signature dynamics.

Single Sign-On (SSO)

Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. A user who must remember numerous passwords and IDs may take shortcuts in creating passwords that leave them open to exploitation. In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO applications can run either on a user's workstation or on authentication servers. The advantages of SSO include the ability to use stronger passwords, easier administration when changing or deleting passwords, and less time needed to access resources. The major disadvantage of many SSO implementations is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions.
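A toy SSO broker, added here as an example written for this report and not taken from any SSO product or from the lecture material, showing the mechanism the text describes and a way of closing the disadvantage it names. The user authenticates once to the SSO server, which never hands the password to the applications; instead it issues an HMAC-signed ticket carrying the user's identity, groups and expiry. Each application verifies the ticket in place of a password but still makes its own authorization decision, so a valid logon does not by itself let the user roam everywhere. The signing key, the credential store, the groups and the per-application access lists are all hypothetical values, and the stored password is kept as a salted hash rather than in the clear, as the text requires.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Hypothetical key held by the SSO server; applications verify tickets with it.
SSO_KEY = b"hypothetical-sso-signing-key"

# Hypothetical credential store: user -> (salt, SHA-256(salt + password)). Constructed;
# the SSO server checks this once per work session and never forwards the password.
_CREDENTIALS = {"alice": ("salt-a1", hashlib.sha256(b"salt-a1" + b"alice-pass").hexdigest())}
USER_GROUPS = {"alice": ["staff"]}

# Hypothetical per-application access lists: which groups each application admits.
APP_ACL = {"wiki": {"staff", "finance"}, "payroll": {"finance"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> bytes:
    return hmac.new(SSO_KEY, body, hashlib.sha256).digest()


def sso_login(user: str, password: str, now: int, ttl: int = 3600):
    """One logon per work session: verify the password once and return a signed
    ticket (identity, groups, expiry), or None if the credentials are wrong."""
    record = _CREDENTIALS.get(user)
    if record is None:
        return None
    salt, stored = record
    digest = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    if not hmac.compare_digest(digest, stored):
        return None
    claims = {"sub": user, "groups": USER_GROUPS.get(user, []), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(_sign(body))


def verify_ticket(ticket: str, now: int):
    """Applications call this instead of asking for a password. Returns the claims,
    or None if the ticket is malformed, tampered with, or expired."""
    try:
        body_part, sig_part = ticket.split(".")
        body, sig = _unb64(body_part), _unb64(sig_part)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None
    return claims


def app_access(app: str, ticket: str, now: int) -> bool:
    """SSO authenticates; each application still authorizes against its own ACL."""
    claims = verify_ticket(ticket, now)
    if claims is None:
        return False
    return bool(APP_ACL.get(app, set()) & set(claims["groups"]))


if __name__ == "__main__":
    t0 = 1_700_000_000
    ticket = sso_login("alice", "alice-pass", now=t0)
    print("wiki:   ", app_access("wiki", ticket, now=t0 + 60))      # staff may use the wiki
    print("payroll:", app_access("payroll", ticket, now=t0 + 60))   # same logon, no roaming
```

Because the ticket is signed and the applications check the signature, a user cannot promote themselves by editing the groups in their own ticket, and because the expiry is inside the signed body a captured ticket stops working after the session. The per-application ACL is what turns "logged on once" into "logged on once, but still only where the policy allows".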
Conclusion

We talked about the fact that you can separate a network physically or logically with virtual LANs: let's say one VLAN for top secret data, one for secret, and one for public or unclassified data. I am going to conclude this subject on access control. We have talked about access control as being the first line of defense; we have talked about how people access data and the resources that go along with making that happen, where the main goal is to protect resources from unauthorized access; about the models (discretionary access control, mandatory access control, role-based access control and rule-based access control); about whether you want to manage access control centrally or in a decentralized way, or use a hybrid approach; and about the fact that controls can be administrative, physical or technical, and that regardless of whether they are administrative, physical or technical, those controls can give you preventative, detective and recovery services. I hope you have enjoyed this article about access control and I look forward to seeing you again next semester, teacher, and excuse me for my English language errors.