CISSP For Dummies
In This Chapter
- Understanding access control concepts
- Discovering identification and authentication techniques
- Following methodologies and implementation in centralized and decentralized environments
- Knowing methods of attack
- Understanding discretionary and mandatory access control
- Getting to know access control models
- Testing access control mechanisms
Overview
Access control is at the heart of information security. For that matter, access control is at the heart of all security. During medieval times, castles were built to provide safety and security. The castle was normally built in a strategic location with towering walls surrounded by a moat. Battlements were positioned along the top of the wall with bastions at the corners. A heavily fortified and guarded entrance was secured by a drawbridge to control entry to (and departure from) the castle. These measures created a security perimeter, preventing hostile forces from freely roaming through the castle grounds and attacking its inhabitants. Breaching the perimeter and gaining entry to the castle was the key to victory for an attacking force. Once inside, attackers found the castle's remaining defenses relatively simple, and they were free to burn and pillage. Hard and crunchy on the outside, chewy in the middle.
Similarly, computer security requires a strong perimeter and elaborate defenses. Unfortunately, a drawbridge doesn’t suffice for access control in computer security. Threats to computer security are much more sophisticated and prevalent than marauding bandits and the occasional fire-breathing dragon. Access control is still critical to securing a perimeter, but it’s not limited to a single point of entry. Instead, security professionals must protect their systems from a plethora of threats, including Internet-based attacks, viruses and Trojan horses, insider attacks, covert channels, software bugs, and honest mistakes.
Additionally, you must ensure that the drawbridge operator (the firewall administrator) is properly trained on how and when to raise or lower the drawbridge (following policies and procedures), and you must be sure that he’s not sleeping on the job (that is, that he’s actually monitoring your logs). The End!
The Certified Information Systems Security Professional (CISSP) candidate must fully understand access control concepts (including control types and authentication, authorization, and accounting), system access controls (including identification and authentication techniques, methodologies and implementation, and methods of attack), and data access controls (including access control techniques and models).