CISSP - Access Control
A study guide for the Access Control domain.
Name the 6 control types.
--for reducing risk
--for identifying violations and incidents
--for remedying violations & incidents
--for discouraging violations
--for restoring systems and information
--for providing alternative ways of achieving a task
Define subject and object.
A subject is an active entity that accesses or acts on an object.
An object is a passive entity that a subject acts upon or accesses.
Name the 3 types of access controls.
Name some preventive technical controls.
--DES, AES, and Merkle-Hellman Knapsack
Access control mechanisms
--Biometrics, smart cards, and tokens
Access control list
--Permission list that defines what a subject can or cannot do to an object
Remote access authentication protocols
--PAP, CHAP, RADIUS, and LDAP
Name some detective technical controls.
Network monitoring and intrusion detection
Name some preventive physical controls.
Security perimeters, such as fences, locked doors, and restricted areas
Guards and dogs
Name some detective physical controls.
Authentication determines whether a subject can log in.
is the act of claiming a specific identity.
is the act of verifying that identity.
Authorization determines what a subject can do (as defined by assigned rights and permissions).
Accountability determines what the subject did.
Name the 2 categories of access controls.
System access controls
--protect the entire system and provide the first line of defense for the data contained on the system
Data access controls
--protect the data contained on the system.
Name the 3 factors on which authentication can be based.
Something you know
--passwords or PINs
Something you have
--smart cards or tokens
Something you are
--fingerprint, voice, retina, or iris characteristics
Passwords/password problems include:
They tend to be
They are easily
They can be
What policies should an organization have in place concerning passwords?
Password age and a minimum age
Limit unsuccessful login attempts.
Set a lockout duration
Limit the times at which a user can log in.
System messages, including login banners that give legal warnings and note the last successful login. Display of the last username should be disabled.
Necessary factors for an effective biometric access control system include:
Accuracy--CER < 10%
Speed and throughput-- ~5 seconds with a throughput of 6-10 per minute
Data storage requirements
Define FRR (type I error)
False Reject Rate
is the percentage at which authorized users are incorrectly denied access.
Define FAR (type II error)
False Accept Rate
is the percentage at which unauthorized users are granted access.
Crossover Error Rate
is the point at which the FRR equals the FAR, expressed as a percentage.
Common physiological biometric systems include:
Fingerprint recognition and finger scan systems
Hand geometry systems
Name three types of tokens.
Static password tokens
--static passwords or certificates
Synchronous dynamic password tokens
--a password that changes based on a time interval or an event
Asynchronous dynamic password tokens
--a password that is calculated in response to a system-generated random challenge string