SSCP Study Guide and DVD Training System
Access Control Objectives
-
The primary objective of access control is to let access control subjects (users, processes) work with access control objects (files, databases, devices) only in the ways the policy permits.
-
The three steps of obtaining access, in order, are identification (claiming an identity), authentication (proving that claim), and authorization (being granted specific rights).
-
Access control systems must provide assurance in the form of confidentiality, integrity, availability, and accountability.
Authentication Types
-
There are three main authentication types: "something you know" (a password or PIN), "something you have" (a token or smart card), and "something you are" (a biometric).
-
Enterprise authentication is more complex and typically requires single sign-on (SSO), provided by access control systems built on Kerberos or on X.509 certificates.
-
Remote access authentication for the enterprise is typically provided by TACACS (or its successor TACACS+) or RADIUS.
Password Administration
-
Good password selection requirements include the use of minimum password lengths and required characters or symbols.
-
Password management is most effective when it includes automatic password expiration and account lockouts.
-
Auditing password usage or problems is useful in identifying attacks against an access control system.
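The three password administration points above (selection requirements, automatic expiration with account lockout, and auditing of attempts) fit together in one small policy engine. The code below is an added illustration, not code from the study guide; the threshold values (12 characters, 90-day age, five failures, 15-minute lock) are assumptions, since the summary names the controls but gives no numbers.

```python
"""Password policy checks, expiry and lockout, as described in the summary.

Added example; the threshold values are hypothetical, the page gives none.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import string


@dataclass
class PasswordPolicy:
    min_length: int = 12          # assumed values, not from the page
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90
    lockout_threshold: int = 5    # failures before the account locks
    lockout_minutes: int = 15     # how long it stays locked

    def violations(self, password: str) -> List[str]:
        """Return every rule the candidate password breaks (empty list = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_symbol and not any(c in string.punctuation for c in password):
            problems.append("no symbol")
        return problems

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """Automatic expiration: force a change once the password is older than max_age_days."""
        return now - last_changed > timedelta(days=self.max_age_days)


@dataclass
class Account:
    name: str
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)   # audit trail of every attempt

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


def attempt_login(policy: PasswordPolicy, account: Account,
                  password_ok: bool, now: datetime) -> bool:
    """Apply the lockout rule and write an audit line for every attempt.

    password_ok is the result of verifying the submitted password against the
    stored hash; it is passed in so the lockout logic is independent of hashing.
    """
    stamp = now.isoformat(timespec="seconds")
    if account.is_locked(now):
        # Even a correct password is refused while the lock is in force.
        account.audit.append(f"{stamp} {account.name} DENIED account locked")
        return False
    if password_ok:
        account.failed_attempts = 0
        account.locked_until = None
        account.audit.append(f"{stamp} {account.name} SUCCESS")
        return True
    account.failed_attempts += 1
    account.audit.append(f"{stamp} {account.name} FAILURE attempt={account.failed_attempts}")
    if account.failed_attempts >= policy.lockout_threshold:
        account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        account.audit.append(f"{stamp} {account.name} LOCKED until "
                             f"{account.locked_until.isoformat(timespec='seconds')}")
    return False


def lockout_demo() -> dict:
    """Five wrong guesses, then the right password inside and after the lockout window."""
    policy = PasswordPolicy()
    acct = Account("alice")
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(policy.lockout_threshold):
        attempt_login(policy, acct, False, t0 + timedelta(seconds=i))
    return {
        "locked_after_threshold": acct.is_locked(t0 + timedelta(minutes=1)),
        "correct_password_while_locked": attempt_login(policy, acct, True, t0 + timedelta(minutes=1)),
        "correct_password_after_window": attempt_login(policy, acct, True, t0 + timedelta(minutes=16)),
        "audit_lines": len(acct.audit),
    }


if __name__ == "__main__":
    print(PasswordPolicy().violations("correct horse battery staple"))
    print(lockout_demo())
```

Note that the lock is enforced before the password is even checked, so a correct guess inside the window does not succeed and does not reset the counter; the audit list records the denied attempt either way, which is what makes the later auditing step possible.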
Access Control Policies
-
The three types of access control policies are preventive, corrective, and detective.
-
The three types of access control policy implementations are administrative, logical/technical, and physical.
-
A good access control system uses multiple combinations of these policy types and implementations.
Access Control Methodologies
-
A centralized access control methodology provides a single central authority for authentication.
-
A decentralized access control methodology allows for a more distributed approach by breaking up the authentication responsibility across multiple systems.
Access Control Models
-
The Orange Book (TCSEC) and the Red Book (its Trusted Network Interpretation) provide criteria for rating the security of trusted systems and networks, including the access control they enforce.
-
DAC is the most common access control model: the owner of an object decides who may access it, typically through ACLs attached to the object.
-
MAC is more of a government/military access control model and bases access decisions on pre-determined sensitivity labels on data and matching clearances on subjects, which neither the owner nor the user can override.
-
Non-discretionary access control, or RBAC, takes into account the job functions or roles of the access control subject and bases access determinations on those roles rather than on the individual.
-
Three popular formal models for access control are Bell-LaPadula, Biba, and Clark-Wilson.
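To make the models in this section concrete, the following added example (not code from the study guide) builds a small reference monitor that evaluates one request against DAC (an ACL the owner controls), MAC as formalized by Bell-LaPadula (no read up, no write down) and Biba (no read down, no write up), and RBAC (permissions attached to roles). The subjects, objects, labels, compartments and roles are constructed for illustration.

```python
"""Reference monitor combining DAC (ACLs), MAC (Bell-LaPadula and Biba) and RBAC.

Added example; the subjects, objects, labels and roles are constructed for
illustration and are not from the study guide.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order used by MAC: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label          # Bell-LaPadula clearance
    integrity: int            # Biba integrity level, higher = more trustworthy
    roles: Set[str]           # RBAC roles


@dataclass
class Obj:
    name: str
    owner: str
    classification: Label     # Bell-LaPadula sensitivity label
    integrity: int            # Biba integrity level
    acl: Dict[str, Set[str]]  # DAC: subject name -> operations the owner granted


# RBAC: permissions come from roles, never from the individual subject.
ROLE_PERMISSIONS = {"analyst": {"read"}, "editor": {"read", "write"},
                    "admin": {"read", "write", "grant"}}


def dac_allows(s: Subject, o: Obj, op: str) -> bool:
    """Discretionary: the owner controls the ACL; everyone else is looked up in it."""
    if op == "grant" and s.name == o.owner:
        return True
    return op in o.acl.get(s.name, set())


def bell_lapadula_allows(s: Subject, o: Obj, op: str) -> bool:
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return s.clearance.dominates(o.classification)
    if op == "write":
        return o.classification.dominates(s.clearance)
    return True  # other operations are outside this model's scope


def biba_allows(s: Subject, o: Obj, op: str) -> bool:
    """Integrity: no read down (simple integrity), no write up (integrity *-property)."""
    if op == "read":
        return o.integrity >= s.integrity
    if op == "write":
        return s.integrity >= o.integrity
    return True


def rbac_allows(s: Subject, op: str) -> bool:
    """Non-discretionary: allowed if any of the subject's roles carries the operation."""
    return any(op in ROLE_PERMISSIONS.get(role, set()) for role in s.roles)


def check(s: Subject, o: Obj, op: str) -> Dict[str, bool]:
    """Evaluate every model separately so a denial can be attributed to a rule."""
    return {"dac": dac_allows(s, o, op), "bell_lapadula": bell_lapadula_allows(s, o, op),
            "biba": biba_allows(s, o, op), "rbac": rbac_allows(s, op)}


def allowed(s: Subject, o: Obj, op: str,
            models: Tuple[str, ...] = ("dac", "bell_lapadula", "biba", "rbac")) -> bool:
    """The monitor's decision: every model in force must permit the operation."""
    results = check(s, o, op)
    return all(results[m] for m in models)


def build_sample() -> Tuple[Dict[str, Subject], Dict[str, Obj]]:
    """Constructed subjects and objects for the demonstration."""
    secret_crypto = Label("SECRET", frozenset({"crypto"}))
    alice = Subject("alice", secret_crypto, integrity=2, roles={"editor"})
    bob = Subject("bob", Label("CONFIDENTIAL"), integrity=1, roles={"analyst"})
    plan = Obj("plan", owner="alice", classification=secret_crypto, integrity=2,
               acl={"alice": {"read", "write"}, "bob": {"read"}})
    bulletin = Obj("bulletin", owner="bob", classification=Label("UNCLASSIFIED"), integrity=1,
                   acl={"alice": {"read", "write"}, "bob": {"read", "write"}})
    return {"alice": alice, "bob": bob}, {"plan": plan, "bulletin": bulletin}


if __name__ == "__main__":
    subjects, objects = build_sample()
    for who, what, op in [("bob", "plan", "read"), ("alice", "bulletin", "write"),
                          ("alice", "bulletin", "read"), ("bob", "bulletin", "grant")]:
        print(who, op, what, check(subjects[who], objects[what], op))
```

The sample shows why the models are usually combined: the ACL and the role both let bob read the plan, but Bell-LaPadula refuses the read-up; alice may write the bulletin under DAC and RBAC, but Bell-LaPadula blocks the write-down and Biba blocks her reading the lower-integrity bulletin. The verdict dictionary lets the audit trail say which rule denied a request.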
Administrating Access Control
-
Account administration takes a significant amount of effort and involves the creation, maintenance, and destruction of accounts.
-
Determining rights and permissions is a difficult but critical part of access control administration.
-
Managing access control objects (classifying them and assigning ownership and permissions) accounts for a great deal of the security the system provides.
-
Monitoring the access control system is critical to maintaining the security and stability of the system.
-
Securing removable media and managing data caches are two important parts of access control administration that are often overlooked.
Methods of Attack
-
Dictionary and brute force attacks are common and effective techniques for cracking users' passwords.
-
A DoS or DDoS attack is designed to attack the availability aspect of an access control system.
-
Spoofing and MITM attacks are two methods used to gain unauthorized access to data without having to crack passwords.
-
Spamming is the sending of unsolicited e-mail, which can, intentionally or not, cause a DoS condition on mail servers.
-
Sniffers are used to monitor networks for troubleshooting, but can also be used by intruders to capture data or passwords.
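The dictionary and brute force attacks named at the top of this list are easy to demonstrate offline against a stolen file of password hashes. The example below is added here and is not the study guide's code: it builds a constructed shadow file with per-account random salts, runs a wordlist against it, then exhausts short lowercase strings, and shows that a long mixed-character password survives both. The account names, passwords, wordlist, and the deliberately low PBKDF2 iteration count are assumptions chosen so the run finishes in seconds.

```python
"""Dictionary and brute force attacks against a file of salted password hashes.

Added example; the users, passwords, wordlist and hashing parameters are
constructed for the demonstration and are not from the study guide.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Iterable, Tuple

# PBKDF2 iteration count lowered so the brute force finishes in seconds;
# a real deployment uses a far higher count precisely to slow these attacks.
ITERATIONS = 10
LOWER = string.ascii_lowercase

# Constructed accounts: a dictionary word, a short string and a long mixed
# password of the kind a selection policy would require.
SAMPLE_USERS = {"alice": "letmein", "bob": "zqk", "carol": "Tr0ub4dor&3!"}
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_shadow(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the stored form: a fresh random salt and the derived hash per account."""
    shadow = {}
    for name, password in users.items():
        salt = os.urandom(16)
        shadow[name] = (salt, derive(password, salt))
    return shadow


def dictionary_attack(shadow: Dict[str, Tuple[bytes, bytes]],
                      wordlist: Iterable[str]) -> Dict[str, str]:
    """Try each word against every account; per-account salts force one hash per account."""
    found = {}
    for word in wordlist:
        for name, (salt, digest) in shadow.items():
            if name not in found and hmac.compare_digest(derive(word, salt), digest):
                found[name] = word
    return found


def brute_force(shadow: Dict[str, Tuple[bytes, bytes]], alphabet: str = LOWER,
                max_len: int = 3) -> Dict[str, str]:
    """Exhaust every string over the alphabet up to max_len; cost grows as len(alphabet)**length."""
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            for name, (salt, digest) in shadow.items():
                if name not in found and hmac.compare_digest(derive(candidate, salt), digest):
                    found[name] = candidate
            if len(found) == len(shadow):
                return found
    return found


if __name__ == "__main__":
    shadow = make_shadow(SAMPLE_USERS)
    print("dictionary:", dictionary_attack(shadow, WORDLIST))
    print("brute force:", brute_force(shadow))
```

Two things the run makes visible: the salt means every candidate must be hashed once per account rather than once for the whole file, and the iteration count is the knob that turns a seconds-long brute force into an infeasible one. Neither helps an account whose password is in the wordlist, which is why selection requirements and cracking attacks are two sides of the same control.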
Monitoring
-
Host-based IDSs (HIDSs) and network-based IDSs (NIDSs) are automated systems designed to monitor either a single system or a network for potential attack attempts.
-
Alarms are alerts that can be created to notify administrators when there is a problem in the access control system.
-
Audit trails and violation reports are used to track suspicious activity.
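As an added example of the audit trail and violation report described above (not code from the study guide), the script below reads authentication audit lines and produces a report of three things a reviewer looks for: accounts under repeated failed attempts, a single source failing against many different accounts, and a success that immediately follows a run of failures. The log format and the sample lines are constructed for the illustration, including one corrupted entry, which the report counts rather than silently skips.

```python
"""Turn an access control audit trail into a violation report.

Added example; the log lines are constructed and their format is assumed
(timestamp, host, user, source address, result), not taken from any product.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample: a burst of failures on one account ending in success,
# one source trying many accounts once each, and a corrupted entry.
SAMPLE_LOG = """\
2024-03-04T09:00:01 host=vpn1 user=alice src=10.0.0.5 result=FAILURE
2024-03-04T09:00:03 host=vpn1 user=alice src=10.0.0.5 result=FAILURE
2024-03-04T09:00:06 host=vpn1 user=alice src=10.0.0.5 result=FAILURE
2024-03-04T09:00:09 host=vpn1 user=alice src=10.0.0.5 result=FAILURE
2024-03-04T09:00:12 host=vpn1 user=alice src=10.0.0.5 result=SUCCESS
2024-03-04T09:01:00 host=vpn1 user=bob src=10.0.0.9 result=SUCCESS
2024-03-04T09:02:10 host=vpn1 user=carol src=203.0.113.7 result=FAILURE
2024-03-04T09:02:11 host=vpn1 user=dave src=203.0.113.7 result=FAILURE
2024-03-04T09:02:12 host=vpn1 user=erin src=203.0.113.7 result=FAILURE
2024-03-04T09:02:13 host=vpn1 user=frank src=203.0.113.7 result=FAILURE
corrupted entry ##
2024-03-04T09:05:00 host=vpn1 user=bob src=10.0.0.9 result=FAILURE
2024-03-04T09:05:30 host=vpn1 user=bob src=10.0.0.9 result=SUCCESS
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one audit line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def violation_report(lines: Iterable[str], fail_threshold: int = 3,
                     spray_threshold: int = 3) -> Dict[str, object]:
    """Flag accounts under guessing attack, sources spraying many accounts,
    and successes that follow a run of failures (a possibly cracked password)."""
    failures = Counter()          # total failures per user
    streak = Counter()            # consecutive failures per user
    spray = defaultdict(set)      # source -> distinct users it failed against
    success_after_failures = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1         # a tampered or corrupted trail is itself a finding
            continue
        user, src = ev["user"], ev["src"]
        if ev["result"] == "FAILURE":
            failures[user] += 1
            streak[user] += 1
            spray[src].add(user)
        else:
            if streak[user] >= fail_threshold and user not in success_after_failures:
                success_after_failures.append(user)
            streak[user] = 0
    return {
        "brute_force": {u: n for u, n in failures.items() if n >= fail_threshold},
        "spray": {s: sorted(users) for s, users in spray.items() if len(users) >= spray_threshold},
        "success_after_failures": success_after_failures,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in violation_report(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The per-source view matters because a spray of one attempt per account never trips a per-account lockout, so a lockout-only alarm would miss it; the success-after-failures list is the line an administrator reads first, since it marks an account that may already be compromised.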
Penetration Testing
-
Penetration testing is the art of trying to hack into your own system to determine the level of security that the system is providing.
-
Penetration testing should be done prior to implementation of the access control system as well as after the implementation, to try to catch as many weaknesses as possible.
-
Weaknesses within the system should be patched or fixed as soon as possible.