Access Control Domain: CISSP Common Body of Knowledge Review
Review:
Access Control Domain
Version: 5.10
CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons
Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite
900, Mountain View, California, 94041, USA.
Learning Objective
Access Control
The Access Control domain covers the mechanisms by which a system grants or revokes the right to access data or perform an action on an information system, for example:
• File permissions, such as “create”, “read”, “edit”, or “delete” on a file server.
• Program permissions, such as the right to execute a program on an application server.
• Data rights, such as the right to retrieve or update information in a database.
CISSP candidates should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization’s computing environment.
Topics
Access Control
• Definition & Principles
• Threats
• Types of Access Control
– Identification, Authentication, Authorization, and
Accountability
• Access Control Models
– Security Models
– Centralized & Decentralized/Distributed
• Monitor & Management
– IPS & IDS
– Security Assessment & Evaluation
Definition & Principles
Access Control
• Access is the flow of information between a subject
(e.g., user, program, process, or device, etc.) and an
object (e.g., file, database, program, process, or
device, etc.)
• Access controls are a collection of mechanisms that
work together to protect the information assets of the
enterprise from unauthorized access.
• Access controls enable management to:
– Specify which user can access the resources contained
within the information system
– Specify what resources they can access
– Specify what operations they can perform
– Provide individual accountability
Reference:
• CISSP All-in-One Exam Guide, 4th Ed., S. Harris, McGraw-Hill
• Official (ISC)2 Guide To The CISSP CBK, H. Tipton and K. Henry, (ISC)2 Press,
Auerbach Publications
Definition & Principles
(Three figure slides; the figures are not recoverable from the extracted text. Their references follow.)
Reference: Access Control: Principles and Practices, Ravi Sandhu and Pierangela Samarati, IEEE Communications Magazine, September 1994.
Reference: Official (ISC)2 Guide To The CISSP CBK, H. Tipton and K. Henry, (ISC)2 Press, Auerbach Publications.
Reference: NIST SP 800-64, Security Considerations in the Information System Development Life Cycle.
Definition & Principles
Information Classification
• Identifies and characterizes the critical information assets (i.e., their sensitivity).
• Explains the level of safeguard (protection level) required, or how the information assets should be handled (sensitivity and confidentiality).
Definition & Principles
(Four figure slides; the figures are not recoverable from the extracted text.)
Reference: Official (ISC)2 Guide To The CISSP CBK, H. Tipton and K. Henry, (ISC)2 Press, Auerbach Publications.
Definition & Principles
Access control categories by control type. The column headings did not survive extraction; the four columns are grouped below as Preventive, Detective, Corrective and Recovery, the categories the entries imply:
• Management (Administrative)
– Preventive: User registration, User agreement, Policy, Guidelines, Security awareness training, Warning banner
– Detective: Review access logs, Job rotation, NDA, Investigation, Separation of duties
– Corrective: Penalty, Administrative leave, Controlled termination processes
– Recovery: Business continuity planning (BCP), Disaster recovery planning (DRP)
• Physical/Operational
– Preventive: Procedure, Effective hiring practice, Awareness training, Physical barriers, Locks, Badge system, Security guard, Mantrap doors
– Detective: Monitor access, Motion detectors, CCTV
– Corrective: User behavioral modification, Modify and update physical barriers
– Recovery: Reconstruction, Offsite facility
• Technical
– Preventive: User authentication, Multi-factor authentication, ACLs, Firewalls, IPS, Encryption
– Detective: Log access and transactions, Store access logs, SNMP, IDS
– Corrective: Isolate and terminate connections; Standards, functions (as on the slide); Modify and update access privileges
– Recovery: Backups, Recover system, Rebuild
Reference:
• CISSP All-in-One Exam Guide, 4th Ed., S. Harris, McGraw-Hill
• Official (ISC)2 Guide To The CISSP CBK, H. Tipton and K. Henry, (ISC)2 Press, Auerbach Publications
Questions:
• What are the two security implementation principles
for access control?
–
–
Answers:
• What are the two security implementation principles
for access control?
– Least privilege
– Separation of duties
Questions:
• In the process of establishing a data classification program, why is it important to develop the policy, standard, process, and procedure?
– Policy defines…
– Standard delineates...
– Procedure provides...
Answers:
• In the process of establishing a data classification program, why is it important to develop the policy, standard, process, and procedure?
– Policy defines the management’s goals and objectives (i.e., requirements) for classifying the information assets, and identifies the roles and assigns responsibilities.
– Standard delineates the data types and defines the protection levels required.
– Process explains the mandatory activities, actions, and rules for data classification.
– Procedure provides the step-by-step instructions on how to identify and classify data.
Threats to Access Control
(Nine figure slides; the figures are not recoverable from the extracted text.)
* Note: The “classic” definition of covert channel is in the context of TCSEC (i.e., storage & timing channels).
Types of Access Control
(Figure slide; the figure is not recoverable from the extracted text.)
Identification and Authentication
(Figure slide; the figure is not recoverable from the extracted text.)
Identification, Authentication, Authorization, and Accountability
• Types of authentication:
– Something the subject knows – Password, pass phrase, or
PIN.
– Something the subject has – Token, smart card, keys.
– Something the subject is – Biometrics: fingerprints, voice,
facial, or retina patterns, etc.
Identification, Authentication, Authorization, and Accountability
Figure: Subject → Security Kernel → Object 1 / Object 2 / Object 3.
Auditing of transactions: what, who, how and when.
Concept of Authentication Mechanism
(Three figure slides; the figures are not recoverable from the extracted text.)
Concept of Authentication Mechanism
• Challenges:
– Crossover error rate (CER) (false acceptance vs. false rejection) issue.
Figure: Errors plotted against Sensitivity; the False Acceptance Rate (Type II Error) curve and the False Rejection Rate (Type I Error) curve cross at the Crossover Error Rate (CER).
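As an added illustration, not part of the original slides, the Python below computes the two biometric error rates from constructed genuine and impostor match scores, sweeps the decision threshold (the "sensitivity" axis of the figure), and finds the point where the false acceptance and false rejection rates meet, i.e. the crossover error rate. The score values and the rule "accept when the score is at or above the threshold" are assumptions of the example.

```python
# Constructed comparison scores (0 = no match, 1 = perfect match) for ten genuine
# attempts and ten impostor attempts against one enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.33, 0.29, 0.24, 0.18]


def accepts(score: float, threshold: float) -> bool:
    """Decision rule assumed here: a higher threshold means a more sensitive (stricter) system."""
    return score >= threshold


def false_acceptance_rate(impostor_scores, threshold: float) -> float:
    """FAR (Type II error): fraction of impostor attempts the system lets in."""
    return sum(accepts(s, threshold) for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold: float) -> float:
    """FRR (Type I error): fraction of legitimate attempts the system turns away."""
    return sum(not accepts(s, threshold) for s in genuine_scores) / len(genuine_scores)


def error_curves(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) for every observed score, i.e. the two curves of the figure."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [
        (t, false_acceptance_rate(impostor_scores, t), false_rejection_rate(genuine_scores, t))
        for t in thresholds
    ]


def crossover_error_rate(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest, and the CER (their common value) there."""
    threshold, far, frr = min(
        error_curves(genuine_scores, impostor_scores), key=lambda row: abs(row[1] - row[2])
    )
    return threshold, (far + frr) / 2


def classify_error(is_genuine: bool, accepted: bool):
    """Name the error type of one decision, using the slide's Type I / Type II labels."""
    if is_genuine and not accepted:
        return "Type I error (false rejection)"
    if not is_genuine and accepted:
        return "Type II error (false acceptance)"
    return None


if __name__ == "__main__":
    for t, far, frr in error_curves(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("CER at threshold %.2f is %.2f" % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold drives FAR down and FRR up; the system with the lowest CER is the more accurate one, and an operator picks a threshold on either side of the CER depending on whether false acceptance or false rejection is the costlier error.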
Questions:
• What are the three types of access control?
–
–
–
Answers:
• What are the three types of access control?
– Administrative (Management)
– Technical (Logical)
– Physical (Operational)
Questions:
• What are the three types of authentication factors?
–
–
–
• What is B? (B labels one of the two curves in the Errors vs. Sensitivity figure that cross at the Crossover Error Rate (CER).)
Answers:
• What are the three types of authentication factors?
– Something the subject knows
– Something the subject has
– Something the subject is
• What is B?
– False Rejection Rate (Type I Error); the other curve is the False Acceptance Rate (Type II Error), and the two cross at the Crossover Error Rate (CER).
Access Control Models
(Figure slide; the figure is not recoverable from the extracted text.)
Access Control Models
Figure: access control matrix with numbered subjects in rows and objects in columns; ● marks a permitted access.
Access Control Models
(Figure slide; the figure is not recoverable from the extracted text.)
Access Control Models
Access Permission
• List of typical access permissions:
– UNIX has 8 access permission settings for each of 3 classes of users (o, g, w: owner, group, world)
• Combinations of Read (r), Write (w), Execute (x):
• --- All types of access denied
• --x Execute access is allowed only
• -w- Write access is allowed only
• -wx Write and execute access are allowed
• r-- Read access is allowed only
• r-x Read and execute access are allowed
• rw- Read and write access are allowed
• rwx Everything is allowed
– Windows has 14 access permission settings for SID & UID!
• Full Control
• Traverse Folder / Execute File, List Folder / Read Data
• Read Attributes, Read Extended Attributes
• Create Files / Write Data, Create Folders / Append Data
• Write Attributes, Write Extended Attributes
• Delete Subfolders and Files, Delete
• Read Permissions, Change Permissions, Take Ownership
Access Control Models
Access control matrix (subjects in rows, objects in columns; entries are UNIX-style rwx triplets):
Subject          Program A  Program B  Program C  Database D  Database E  File F  File G
Joe User 1       r-x        ---        ---        r-x         ---         rwx     rwx
User Role 2      ---        ---        ---        ---         ---         -wx     -wx
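The two slides above (the eight rwx settings and the access control matrix) can be tied together in code. The Python below is an added example, not from the slides: it parses rwx triplets, enumerates the eight UNIX settings as octal digits, loads the slide's matrix, and answers "may this subject perform this operation on this object?" with default deny, also showing the row (capability list) and column (ACL) views of the same matrix. The subject and object names are the slide's; the operation names and function names are the example's own.

```python
# UNIX permission letters and the octal bit each one carries.
PERMISSION_BITS = {"r": 4, "w": 2, "x": 1}
# Operation names used by the decision function, mapped to permission letters.
OPERATIONS = {"read": "r", "write": "w", "execute": "x"}


def parse_mode(mode: str) -> frozenset:
    """Turn a 3-character triplet such as 'r-x' into the set of granted permissions."""
    if len(mode) != 3:
        raise ValueError(f"permission triplet must be 3 characters: {mode!r}")
    granted = set()
    for position, letter in zip("rwx", mode):
        if letter == position:
            granted.add(letter)
        elif letter != "-":
            raise ValueError(f"unexpected {letter!r} in {mode!r}")
    return frozenset(granted)


def mode_to_octal(mode: str) -> int:
    """'rwx' -> 7, '-wx' -> 3, '---' -> 0."""
    return sum(PERMISSION_BITS[p] for p in parse_mode(mode))


def octal_to_mode(value: int) -> str:
    """5 -> 'r-x'; inverse of mode_to_octal."""
    if not 0 <= value <= 7:
        raise ValueError(f"octal digit out of range: {value}")
    return "".join(p if value & bit else "-" for p, bit in PERMISSION_BITS.items())


def all_unix_modes() -> list:
    """The 8 settings the slide lists, one per octal digit 0..7."""
    return [octal_to_mode(v) for v in range(8)]


# The slide's access control matrix: rows are subjects, columns are objects.
ACCESS_MATRIX = {
    "Joe User 1": {"Program A": "r-x", "Program B": "---", "Program C": "---",
                   "Database D": "r-x", "Database E": "---", "File F": "rwx", "File G": "rwx"},
    "User Role 2": {"Program A": "---", "Program B": "---", "Program C": "---",
                    "Database D": "---", "Database E": "---", "File F": "-wx", "File G": "-wx"},
}


def check_access(matrix: dict, subject: str, obj: str, operation: str) -> bool:
    """Decision: unknown subject, object or operation is denied (default deny)."""
    letter = OPERATIONS.get(operation)
    mode = matrix.get(subject, {}).get(obj)
    if letter is None or mode is None:
        return False
    return letter in parse_mode(mode)


def capability_list(matrix: dict, subject: str) -> dict:
    """Row view: everything one subject may do, omitting objects with no access."""
    return {obj: parse_mode(m) for obj, m in matrix.get(subject, {}).items() if parse_mode(m)}


def access_control_list(matrix: dict, obj: str) -> dict:
    """Column view: which subjects may do what to one object (the object's ACL)."""
    return {subj: parse_mode(row[obj]) for subj, row in matrix.items()
            if obj in row and parse_mode(row[obj])}


if __name__ == "__main__":
    print("UNIX settings:", " ".join(all_unix_modes()))
    print("Joe executes Program A:", check_access(ACCESS_MATRIX, "Joe User 1", "Program A", "execute"))
    print("Role 2 reads File F:", check_access(ACCESS_MATRIX, "User Role 2", "File F", "read"))
    print("ACL of File G:", access_control_list(ACCESS_MATRIX, "File G"))
```

The same matrix read by row gives each subject its capability list and read by column gives each object its ACL; real systems store one or the other, but the decision they implement is the single lookup in `check_access`.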
Access Control Models
(Figure slide, Subject/Object matrix; contents not recoverable from the extracted text.)
Access Control Models
Figure: matrix over A, B, C and D with N/A on the diagonal and X marking relations between elements; the full labels are not recoverable.
Access Control Models
Figure: subject Alfred (Secret) shown against objects A and B across the Top Secret / Secret / Confidential levels in three panels; a second lattice with High / Middle / Low levels and objects A and C; and a Subject – Program – Objects diagram.
Reference: D. Clark, D. Wilson, A Comparison of Commercial and Military Computer Security Policies, IEEE Symposium on Security and Privacy, 1987
Access Control Models
Reference: M.D. Abrams, K.W. Eggers, L.J. LaPadula, I.M. Olson, Generalized Framework
capabilities.
• The model consists of:
– Access enforcement function (AEF)
– Access decision function (ADF)
Figure (numbered flow between Subject, AEF, ADF and Object):
1 Subject requests access to the object (via the AEF)
2 AEF activates the security policy (ADF)
3 / 5 "Refers to" and "Update" (the access control information these arrows point at is not recoverable)
4 ADF sends a reply with the new attribute value if necessary
6 AEF grants or denies the access
7 Access normally (if granted)
Access Control Models
Figure: RBAC model elements – Roles Hierarchy, SESSIONS, user_sessions, session_roles.
Technical (Logical) Access Controls
Single Sign-On (figure; recovered labels):
• Step 1: Sign-On – the subject (user) authenticates; a security token is issued to the requestor.
• Step 2: The security token from the requestor in trusted sub-domain A is used to acquire a security token to access services from resources in trusted sub-domain B.
• Trusted sub-domain A and trusted sub-domain B exchange certificate tokens and negotiate SSL/TLS under a trusted root CA.
• Components shown: User Workstation with Fingerprint Scanner, Web Server, Policy, Sec. Token.
Technical (Logical) Access Controls
(Figure slide; the figure is not recoverable from the extracted text.)
Technical (Logical) Access Controls
Kerberos (figure; recovered labels: Client ID, SK1, P2Key)
• A Ticket Granting Server authenticates a trusted relationship between two Principals.
Technical (Logical) Access Controls
SESAME (figure; only the fragment “… Kerberos Ticket).” of the slide text survives)
• SESAME components can be accessible through the Kerberos v5 protocol.
Questions:
• What is the difference between discretionary access control (DAC) and mandatory access control (MAC)?
– DAC:
– MAC:
Answers:
• What is the difference between discretionary access control (DAC) and mandatory access control (MAC)?
– DAC: The information owner determines who can access the object and what privileges the subject may have.
– MAC: The information owner and the system determine access. Clearance of subject = Classification of object.
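The DAC/MAC contrast above can be made concrete. The Python below is an added example, not from the slides: under DAC only the object's owner can change the ACL, while under MAC the system compares the subject's clearance label with the object's classification label and the owner cannot override the result. The subject Alfred (Secret) and the Top Secret / Secret / Confidential levels come from the slide's lattice figure; the owner "Alice", the second subject "Bob", the object classifications, and the dominance rule "read is allowed when clearance is at or above classification" (of which the slide's "Clearance of subject = Classification of object" is the equality case) are assumptions of the example.

```python
from dataclasses import dataclass, field

# Sensitivity levels from the slide's lattice, ordered low to high.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Object:
    name: str
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)  # DAC: subject name -> set of operations


def dac_grant(obj: Object, grantor: str, grantee: str, operations) -> None:
    """DAC: only the information owner decides who may access the object and with what privilege."""
    if grantor != obj.owner:
        raise PermissionError(f"{grantor} does not own {obj.name} and cannot grant access to it")
    obj.acl.setdefault(grantee, set()).update(operations)


def dac_decide(obj: Object, subject: Subject, operation: str) -> bool:
    """DAC decision: consult the owner-maintained ACL; absent entry means deny."""
    return operation in obj.acl.get(subject.name, set())


def mac_read_decide(subject: Subject, obj: Object) -> bool:
    """MAC decision (assumption of this example): read is allowed when the subject's
    clearance dominates, i.e. is at or above, the object's classification."""
    return LEVELS[subject.clearance] >= LEVELS[obj.classification]


def decide_read(subject: Subject, obj: Object) -> bool:
    """Combined decision: the MAC label check is mandatory; DAC can only further restrict."""
    return mac_read_decide(subject, obj) and dac_decide(obj, subject, "read")


def scenario() -> dict:
    """Constructed scenario: the owner grants Alfred read on both objects; only MAC blocks one."""
    alfred = Subject("Alfred", "Secret")                                  # from the slide
    obj_a = Object("A", owner="Alice", classification="Top Secret")       # constructed
    obj_b = Object("B", owner="Alice", classification="Confidential")     # constructed
    for obj in (obj_a, obj_b):
        dac_grant(obj, "Alice", "Alfred", {"read"})
    try:
        dac_grant(obj_a, "Alfred", "Bob", {"read"})  # Alfred is not the owner
        non_owner_grant_blocked = False
    except PermissionError:
        non_owner_grant_blocked = True
    return {
        "dac": {o.name: dac_decide(o, alfred, "read") for o in (obj_a, obj_b)},
        "mac": {o.name: mac_read_decide(alfred, o) for o in (obj_a, obj_b)},
        "combined": {o.name: decide_read(alfred, o) for o in (obj_a, obj_b)},
        "non_owner_grant_blocked": non_owner_grant_blocked,
    }


if __name__ == "__main__":
    for model, result in scenario().items():
        print(f"{model}: {result}")
```

The point of the comparison is the last line of `scenario()`: DAC lets Alice hand out read access to object A, but since Alfred's Secret clearance does not dominate Top Secret, the MAC label check denies it regardless of what the owner put in the ACL.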
Access Control Monitor & Management
(Figure slide; the figure is not recoverable from the extracted text.)
Access Control Monitor & Management
Figure: enterprise perimeter with N-IPS, exterior firewalls and multi-service switches in front of primary and backup DMZs.
Access Control Monitor & Management
Figure: interior firewall, campus/building LANs with layer 2 switches and user workstations; N-IDS sensors on business-specific VLANs (Mail Srvr., Domain Controller, Directory Srvr., Certificate Srvr.) reporting to a Monitor & Management VLAN (Reporting I/F). Only the fragment “… real time.” of the slide text survives.
Access Control Monitor & Management
(Two figure slides; the figures are not recoverable from the extracted text.)
Access Control Monitor & Management
• Protocol Anomaly-based
– Looks for deviations from RFC standards.
– Can identify unknown attacks.
– May not handle complex protocols (SOAP, XML, etc.).
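A protocol anomaly detector needs no attack signature: it encodes what the RFC permits and flags anything else. The Python below is an added example, not from the slides, of that idea for the head of an HTTP/1.x request using the grammar in RFC 7230 (token characters for methods and header names, the request-line shape, CRLF line endings, exactly one Host header in HTTP/1.1, no conflicting Content-Length values, no Content-Length alongside Transfer-Encoding). The sample requests are constructed, and the set of methods the detector expects to see is a local policy assumption of the example, not an RFC rule.

```python
import re

# RFC 7230 "token" characters (tchar), used for method names and header field names.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rf"^({TCHAR}) (\S+) HTTP/(\d)\.(\d)$")
HEADER_LINE = re.compile(rf"^({TCHAR}):[ \t]*(.*?)[ \t]*$")
# Local policy assumption: methods this site's application is expected to receive.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


def check_request(raw: str) -> list:
    """Return anomaly codes for one request head; an empty list means the head is RFC-conformant."""
    findings = []
    if "\n" in raw and "\r\n" not in raw:
        findings.append("bare-lf-line-ending")      # RFC 7230 3.5: CRLF is the line terminator
        raw = raw.replace("\n", "\r\n")
    head = raw.split("\r\n\r\n", 1)[0]               # headers end at the first empty line
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        findings.append("malformed-request-line")   # e.g. two spaces, missing version
        return findings                              # nothing after a bad request line is trustworthy
    method, target, major, minor = match.groups()
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        findings.append("unsupported-http-version")
    if method not in EXPECTED_METHODS:
        findings.append("unexpected-method")
    if not (target.startswith("/") or target == "*" or "://" in target or method == "CONNECT"):
        findings.append("malformed-request-target")  # origin-, asterisk-, absolute- or authority-form
    names, content_lengths = [], set()
    for line in lines[1:]:
        header = HEADER_LINE.match(line)
        if not header:
            findings.append("malformed-header-line")  # field name is not a token, or no colon
            continue
        name, value = header.group(1).lower(), header.group(2)
        names.append(name)
        if name == "content-length":
            if not value.isdigit():
                findings.append("non-numeric-content-length")
            content_lengths.add(value)
    if len(content_lengths) > 1:
        findings.append("conflicting-content-length")            # RFC 7230 3.3.2
    if "content-length" in names and "transfer-encoding" in names:
        findings.append("content-length-with-transfer-encoding")  # RFC 7230 3.3.3
    if minor == "1" and names.count("host") != 1:
        findings.append("host-header-count")                     # RFC 7230 5.4
    return findings


# Constructed sample request heads: one conformant, the rest each with a deviation.
SAMPLES = {
    "conformant": "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "double-space": "GET /index.html  HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bare-lf": "GET /a HTTP/1.1\nHost: example.test\n\n",
    "two-lengths": "POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 7\r\n\r\nhello",
    "cl-and-te": "POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n",
    "bad-version": "GET /x HTTP/9.9\r\nHost: example.test\r\nBad Header: y\r\n\r\n",
}


def scan_samples() -> dict:
    """Run the detector over every constructed sample and collect the findings per name."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:12s} {findings or 'ok'}")
```

Each finding names the rule violated rather than an attack, which is what makes the approach catch unknown attacks: anything that is not well-formed is reported, whether or not a signature exists for it. The same property is its weakness with rich protocols such as SOAP or XML, where "well-formed" is far harder to state exhaustively.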
Access Control Monitor & Management
(Two figure slides; the figures are not recoverable from the extracted text.)
Access Control Monitor & Management
Security Assessment & Evaluation (figure labels):
• ASSESSMENTS (Level I)
• EVALUATIONS (Level II)
• RED TEAM (Level III)
• INFOSEC Enhancements (shown twice, following the assessment and evaluation levels)
Validation Time…
1. Classroom Exercise
2. Review Answers
Exercise #1:
Treasury PKI & IdM Systems
• Treasury Enterprise Directory Service (TEDS)
• Treasury Operational CA (TOCA)
• Online Certificate Status Protocol (OCSP) Server
Exercise #1: Data Flow
Data flow matrix (rows listed below; the column headings were not preserved in the extracted slide):
• IDMS
• CMS
• Enrollment Station
• Issuance Station
• Sponsorship I/F
• Adjudication I/F
• Treasury PKI/IdM
• Corporate System
• AAS
Exercise #2: Security Controls
Treasury PKI & IdM Systems (diagram components): Operational CA (TOCA), Certificate Srvr., Directory Srvr., CMS, Database Srvrs., Application Srvrs., Web Srvrs, AAS; Issuance Station with PIV Card Reader and Fingerprint Scanner, used by the Issuing Authority with the Applicant.
The four control boxes below are numbered in text order; their positions in the diagram are not recoverable.
Control box 1
Functional:
• ?
Assurance:
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• SC-2: Application Partitioning
• SC-3: Security Function Isolation
• SC-5: Denial of Service Protection
• SC-7: Boundary Protection
Control box 2
Functional:
• ?
• ?
• ?
Assurance:
• IA-2: User Identification and Authentication
• IA-6: Authenticator Feedback
• IA-7: Cryptographic Module Authentication
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• AC-5: Separation of Duties
• AC-6: Least Privilege
• AC-7: Unsuccessful Login Attempts
• AC-12: Session Termination
• AC-14: Permitted Actions without Identification or Authentication
• SC-8: Transmission Integrity
• SC-9: Transmission Confidentiality
• SC-13: Use of Validated Cryptography
• SC-17: Public Key Infrastructure Certificates
Control box 3
Functional:
• Host-based security to protect the security enclave (H-FW, H-IDS, H-IPS, etc.)
• VLANs to partition the network into layers of security domains/enclaves
• Harden servers and permit only the mission-required network services and protocols
• Role-based access control for Privileged and General Users
Assurance:
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• AC-5: Separation of Duties
• AC-6: Least Privilege
• AC-7: Unsuccessful Login Attempts
• AC-12: Session Termination
• AC-14: Permitted Actions without Identification or Authentication
• SC-2: Application Partitioning
• SC-3: Security Function Isolation
• SC-5: Denial of Service Protection
• SC-7: Boundary Protection
• SC-8: Transmission Integrity
• SC-9: Transmission Confidentiality
• SC-13: Use of Validated Cryptography
• SC-17: Public Key Infrastructure Certificates
• IA-2: User Identification and Authentication
• IA-6: Authenticator Feedback
• IA-7: Cryptographic Module Authentication
Control box 4
Functional:
• ?
• ?
Assurance:
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• SC-2: Application Partitioning
• SC-3: Security Function Isolation
• SC-5: Denial of Service Protection
• SC-7: Boundary Protection
Exercise #2: Security Controls
• Please describe the functional security controls
needed for meeting the assurance requirements…
Suggested
ANSWERS
Exercise #1: Data Flow
Data flow matrix (suggested answer). The column headings were not preserved in the extracted slide, so only the number of flows marked (X) in each row is recoverable:
• IDMS: 6 flows marked
• CMS: 4 flows marked
• Enrollment Station: 1 flow marked
• Issuance Station: 1 flow marked
• Sponsorship I/F: 1 flow marked
• Adjudication I/F: 1 flow marked
• Treasury PKI/IdM: 2 flows marked
• Corporate System: 1 flow marked
• AAS: no flow marked
Exercise #2: Security Controls
Treasury PKI & IdM Systems (diagram components): Operational CA (TOCA), Certificate Srvr., Directory Srvr., CMS, Database Srvrs., Application Srvrs., Web Srvrs, AAS; Issuance Station with PIV Card Reader and Fingerprint Scanner, used by the Issuing Authority with the Applicant.
Suggested answers for the four control boxes, numbered in the same text order as in the exercise:
Control box 1
Functional:
• Perimeter-based security to protect the security enclave (RTR ACL, FW, IDS, IPS, etc.)
• VLANs to partition the network into layers of security domains/enclaves
Assurance:
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• SC-2: Application Partitioning
• SC-3: Security Function Isolation
• SC-5: Denial of Service Protection
• SC-7: Boundary Protection
Control box 2
Functional:
• Two-factor identification and strong authentication
• Role-based discretionary access control to information
• Application-based VPN to ensure confidentiality and integrity of data-in-transit (i.e., FIPS 140-2 certified TLS/SSL)
Assurance:
• IA-2: User Identification and Authentication
• IA-6: Authenticator Feedback
• IA-7: Cryptographic Module Authentication
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• AC-5: Separation of Duties
• AC-6: Least Privilege
• AC-7: Unsuccessful Login Attempts
• AC-12: Session Termination
• AC-14: Permitted Actions without Identification or Authentication
• SC-8: Transmission Integrity
• SC-9: Transmission Confidentiality
• SC-13: Use of Validated Cryptography
• SC-17: Public Key Infrastructure Certificates
Control box 3
Functional:
• Host-based security to protect the security enclave (H-FW, H-IDS, H-IPS, etc.)
• VLANs to partition the network into layers of security domains/enclaves
• Harden servers and permit only the mission-required network services and protocols
• Role-based access control for Privileged and General Users
Assurance:
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• AC-5: Separation of Duties
• AC-6: Least Privilege
• AC-7: Unsuccessful Login Attempts
• AC-12: Session Termination
• AC-14: Permitted Actions without Identification or Authentication
• SC-2: Application Partitioning
• SC-3: Security Function Isolation
• SC-5: Denial of Service Protection
• SC-7: Boundary Protection
• SC-8: Transmission Integrity
• SC-9: Transmission Confidentiality
• SC-13: Use of Validated Cryptography
• SC-17: Public Key Infrastructure Certificates
• IA-2: User Identification and Authentication
• IA-6: Authenticator Feedback
• IA-7: Cryptographic Module Authentication
Control box 4
Functional:
• Perimeter-based security to protect the security enclave (RTR ACL, FW, IDS, IPS, etc.)
• VLANs to partition the network into layers of security domains/enclaves
Assurance:
• AC-3: Access Enforcement
• AC-4: Information Flow Enforcement
• SC-2: Application Partitioning
• SC-3: Security Function Isolation
• SC-5: Denial of Service Protection
• SC-7: Boundary Protection