Official (ISC)2 Guide to the SSCP CBK
About this book

The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is one of the most important credentials an information security practitioner can have. Having helped thousands of people around the world obtain this distinguished certification, the bestselling Official (ISC)2 Guide to the SSCP CBK has quickly become the book that many of


Information

Year
2010
Print ISBN
9781439804834
eBook ISBN
9781136586651

Chapter 1

Access Controls

Paul Henry

Contents

Access Control Concepts
What Is a Subject?
Subject Group Considerations
What Is an Object?
Object Group Considerations
Discretionary Access Control
Rule Set–Based Access Controls
Role-Based Access Controls
Constrained User Interface
Content-Dependent Access Control
Context-Based Access Control
Temporal Isolation (Time-Based) Access Control
Nondiscretionary Access Control
Mandatory Access Control
Separation of Duties
Architecture Models
Bell–LaPadula
Biba
Clark–Wilson
Other Considerations of Clark–Wilson
Brewer–Nash: Chinese Wall
Identification, Authentication, Authorization, and Accountability
Identity (Who Is the Subject?)
Methods (User ID, PIN, Account Number)
Registration of New Users
Periodic Review of Access Levels
Clearance
Authentication (Proof of Identity)
Knowledge
Ownership
Characteristic
Multifactor Authentication
Two-Factor vs. Three-Factor Authentication
Dual Control
Continuous Authentication
Reverse Authentication
Certificate-Based Authentication
Authorization
Access to Systems vs. Data, Networks
Access Control Lists/Matrix
Directories
Single Sign-On
Accountability
Standard Format Logs
Remote Access Methods
Centralized Remote Access
Remote Authentication Dial-In User Services
Terminal Access Controller Access Control System
Extended Terminal Access Controller Access Control System
Terminal Access Controller Access Control System Plus
Diameter
Decentralized Remote Access
Password Authentication Protocol/Challenge Handshake Authentication Protocol
Other Access Control Areas
Physical Security
Portable Device Security
Mobile Phones
USB, CD, and DVD Drives
Bypass of Logical Security
Access to Computers and Equipment
Clear Desk/Clean Screen
Sample Questions
Access controls permit management to specify what users can do, which resources they can access, and what operations they can perform on a system. Access controls give system managers the ability to limit and monitor who has access to a system and to restrain or influence a user's behavior on that system. An access control system defines what level of access an individual has to the information contained within a system, based on predefined conditions such as authority level or group membership. Access control systems are built on varying technologies, including passwords, hardware tokens, biometrics, and certificates, to name a few. Each access control system offers a different level of confidentiality, integrity, and availability to the user, the system, and the stored information.
A Systems Security Certified Practitioner candidate is expected to demonstrate knowledge in how different access control systems operate and are implemented to protect the system and its stored data. In addition, a candidate must demonstrate knowledge in account management, access control concepts, and attack methods that are used to defeat access control systems. Key areas of knowledge include
■ Implement logical access controls in terms of subjects
– Requirements for access controls
– Account creation and maintenance
■ Implement logical access controls in terms of objects
– Requirements for access controls
– Object groups
■ Implement authentication techniques, for example, single and multifactor authentication, single sign-on, offline authentication
■ Apply access control concepts, for example, discretionary access control (DAC), least privilege, and separation of duties
■ Manage internetwork trust architectures, for example, extranets and third-party connections

Access Control Concepts

Access controls are those systems that provide the ability to control "who" can do specifically "what" with respect to data, applications, systems, networks, and physical spaces. In the simplest of terms (and in a perfect world), an access control system grants system users only those rights necessary for them to perform their respective jobs.
For any access control subject to obtain any access to an access control object, there are three steps that must be accomplished (Figure 1.1).
Figure 1.1 Three steps to access control: identification, authentication, and authorization.
The term "access controls" is very broad in nature and can include everything from a simple password authentication that allows a user to access an e-mail account to a biometric retina scanner that unlocks the door to a critical data center.

What Is a Subject?

An access control subject is an active entity and can be any user, program, or process that requests permission to cause data to flow from an access control object to the access control subject or between access control objects.
Access control subjects include
■ Authorized users
■ Unauthorized users
■ Applications
■ Processes
■ Systems
■ Networks
The authorization provided to the access control subject by an access control system can include but is not limited to the following considerations:
The attributes of a subject are referred to as privilege attributes or sensitivities. When these attributes are matched against the control attributes of an object, privilege is either granted or denied.
In a typical access control system, additional subject-specific requirements may include
■ A secure default policy should be applied to any newly created subject.
■ The attributes of the subject should not be expressed in terms that can easily be forged, such as an IP address.
■ The system should provide for a default deny on all permissions for the subject, thereby requiring that access to any object be explicitly created by an administrator.
■ In the absence of policy for a given subject, the default policy should be interpreted as default deny.
■ A user ID should remain permanently assigned to a subject.
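The three steps of Figure 1.1 and the subject-side rules just listed, worked through as an added example (this code is not from the book): a subject is identified by a permanent user ID rather than a forgeable attribute such as an IP address, starts disabled as its secure default, is authenticated against a salted PBKDF2 verifier in constant time, and is authorized only by an explicit grant, so a subject with no policy is denied. The users, passwords and object names are constructed, and the choice of PBKDF2-HMAC-SHA256 for the stored verifier is ours.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # work factor for the stored password verifier (our choice)


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Subject:
    user_id: str      # the permanent identifier; never reassigned to someone else
    salt: bytes
    verifier: bytes
    enabled: bool     # secure default: a new subject starts disabled


class AccessControlSystem:
    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}
        self._retired: set[str] = set()                   # IDs that may never be reissued
        self._grants: set[tuple[str, str, str]] = set()   # explicit (user_id, object, op)

    def register(self, user_id: str, password: str) -> None:
        if user_id in self._subjects or user_id in self._retired:
            raise ValueError(f"user ID {user_id!r} is already assigned")
        salt = os.urandom(16)
        self._subjects[user_id] = Subject(user_id, salt, derive_verifier(password, salt), enabled=False)

    def enable(self, user_id: str) -> None:
        self._subjects[user_id].enabled = True

    def retire(self, user_id: str) -> None:
        # The ID goes onto a retired list so accountability records stay unambiguous.
        del self._subjects[user_id]
        self._retired.add(user_id)
        self._grants = {g for g in self._grants if g[0] != user_id}

    def grant(self, user_id: str, obj: str, op: str) -> None:
        """Access must be explicitly created by an administrator."""
        if user_id not in self._subjects:
            raise KeyError(user_id)
        self._grants.add((user_id, obj, op))

    def access(self, user_id: str, password: str, obj: str, op: str) -> bool:
        # Step 1, identification: the claimed identity must be a known, enabled subject.
        # The key is the user ID, not a forgeable attribute such as a source IP address.
        subject = self._subjects.get(user_id)
        if subject is None or not subject.enabled:
            return False
        # Step 2, authentication: proof of identity, compared in constant time.
        if not hmac.compare_digest(derive_verifier(password, subject.salt), subject.verifier):
            return False
        # Step 3, authorization: default deny; only an explicit grant permits the operation.
        return (user_id, obj, op) in self._grants


if __name__ == "__main__":
    acs = AccessControlSystem()
    acs.register("alice", "correct-horse-battery")   # constructed account
    acs.enable("alice")
    acs.grant("alice", "payroll.db", "read")
    print(acs.access("alice", "correct-horse-battery", "payroll.db", "read"))   # granted
    print(acs.access("alice", "correct-horse-battery", "payroll.db", "write"))  # no grant: denied
```

Note that a disabled or unknown subject and a wrong password all fail before the grant table is consulted, so the three steps are strictly ordered, and a retired user ID cannot be registered again.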

Subject Group Considerations

The configuration of privileges in access control for an individual subject affords maximum granularity. In systems with perhaps hundreds or thousands of users, this granularity can quickly become a management burden. By incorporating multiple subjects with similar permissions, for example, job titles, within a group, the granularity is thereby coarsened and the administration of the access control system is simplified.

What Is an Object?

An access control object is a passive entity that typically receives or contains some form of data. The data can be in the form of a file, a program, or data resident in system memory.
Access control objects include
■ Data
■ Applications
■ Systems
■ Networks
■ Physical space, for example, the data center
Typical access control object considerations can include but are not limited to the following:
■ Restrict access to operating system configuration files and their respective directories to authorized administrators.
■ Disable write/modify permissions for all executable files.
■ Ensure that newly created files inherit the permissions of the directory in which they were created.
■ Ensure that subdirectories cannot override the permissions of parent directories unless specifically required by policy.
■ Log files should be configured to only permit appending data, to mitigate the risk of a log file's contents being purposely deleted or overwritten by a malicious user or process.
■ Encryption of data at rest can afford additional security and should be a consideration in the determination of the policies for access control objects.
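An added example (not from the book) that turns the object considerations above into an audit a practitioner can run over a file tree: it flags configuration directories readable by others, executables with group or other write bits, log files writable by others, and files that grant "other" a read or write bit their parent directory withholds, which is the fingerprint of a permission that was overridden rather than inherited. The tree it audits is constructed in a temporary directory, and the directory name "etc" used to recognize configuration directories is an assumption of this example.

```python
import os
import stat
import tempfile

# Findings are (path relative to the audited root, description).
Finding = tuple[str, str]


def _perm_bits(path: str) -> int:
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root: str, config_dirs: tuple[str, ...] = ("etc",)) -> list[Finding]:
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = _perm_bits(dirpath)
        if os.path.basename(dirpath) in config_dirs and dir_mode & 0o007:
            findings.append((os.path.relpath(dirpath, root), "config directory accessible by others"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and specials are out of scope here
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & 0o111 and mode & 0o022:
                findings.append((rel, "executable writable by group/other"))
            if name.endswith(".log") and mode & 0o022:
                findings.append((rel, "log file writable by group/other"))
            # A file that gives 'other' a read/write bit its parent directory withholds
            # has overridden the parent's permissions instead of inheriting them.
            if (mode & 0o006) & ~(dir_mode & 0o006):
                findings.append((rel, "file more permissive than parent directory"))
    return findings


def _write(path: str, mode: int, text: str = "sample\n") -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)   # set explicitly so the caller's umask does not interfere


def build_sample_tree() -> str:
    """Constructed tree: one compliant branch and three deliberate violations."""
    root = tempfile.mkdtemp(prefix="objaudit-")
    for sub, mode in (("etc", 0o755), ("bin", 0o755), ("var/log", 0o750), ("data", 0o750)):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    _write(os.path.join(root, "etc", "app.conf"), 0o644)          # inside a world-readable config dir
    _write(os.path.join(root, "bin", "deploy.sh"), 0o777)         # world-writable executable
    _write(os.path.join(root, "var", "log", "audit.log"), 0o666)  # writable log, broader than its dir
    _write(os.path.join(root, "data", "report.csv"), 0o640)       # compliant
    return root


if __name__ == "__main__":
    for rel, why in audit_tree(build_sample_tree()):
        print(f"{why}: {rel}")
```

The audit only reports; enforcing the last two rules on Linux is done outside this script, with a default ACL on the directory (setfacl -d) so new files inherit the intended permissions, and with the append-only attribute (chattr +a) on log files so even the owner can only add to them.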

Object Group Considerations

The configuration of privileges to access an individual object affords maximum granularity. It is not uncommon today for the number of objects within an access control system to number in the tens or even hundreds of thousands. While configuring individual objects affords maximum control, this granularity can quickly become an administrative burden. It is a common practice to assign the appropriate permissions to a directory, and each object within the directory inherits the respective parent directory permissions. By incorporating multiple objects with similar permissions or restrictions within a group or directory, the granularity is thereby coarsened and the administration of the access control system is simplified.

Discretionary Access Control

In DAC, the owner of the access control object determines the privileges (i.e., read, write, execute) of the access control subjects. This methodology relies on the discretion of the object owner to decide each subject's specific rights, so the security of the object is literally up to the discretion of its owner. DAC does not scale well: it relies on the decisions made by each individual object owner, and when problems occur it can be difficult to find the source of an access control issue.
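A small DAC implementation, added here as an example rather than taken from the book: every object carries an ACL that only its owner may change, the owner retains full control, and each grant is recorded with the actor who made it, which addresses the tracing problem the paragraph raises. Users, object names and the Perm flags are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict[str, Perm] = field(default_factory=dict)                    # subject -> permissions
    history: list[tuple[str, str, Perm]] = field(default_factory=list)   # (actor, subject, perm)


class DacStore:
    def __init__(self) -> None:
        self.objects: dict[str, DacObject] = {}

    def create(self, name: str, owner: str) -> DacObject:
        obj = DacObject(name, owner)
        self.objects[name] = obj
        return obj

    def set_perm(self, actor: str, name: str, subject: str, perm: Perm) -> None:
        """Only the owner may alter the ACL: the discretion is the owner's alone."""
        obj = self.objects[name]
        if actor != obj.owner:
            raise PermissionError(f"{actor} does not own {name}")
        obj.acl[subject] = perm
        obj.history.append((actor, subject, perm))

    def check(self, subject: str, name: str, perm: Perm) -> bool:
        obj = self.objects[name]
        if subject == obj.owner:
            return True                       # the owner keeps full control of its object
        return perm in obj.acl.get(subject, Perm.NONE)   # default deny for everyone else

    def who_granted(self, name: str, subject: str) -> list[tuple[str, str, Perm]]:
        """Answer the question the text says is hard in DAC: where did this access come from?"""
        return [entry for entry in self.objects[name].history if entry[1] == subject]


if __name__ == "__main__":
    store = DacStore()
    store.create("q3-report.docx", "alice")                       # constructed object and owner
    store.set_perm("alice", "q3-report.docx", "bob", Perm.READ)
    print(store.check("bob", "q3-report.docx", Perm.READ))        # True
    print(store.check("bob", "q3-report.docx", Perm.WRITE))       # False
    print(store.who_granted("q3-report.docx", "bob"))
```

With thousands of owners each keeping their own history, finding every object a given subject can reach still means walking every object, which is the scalability problem the paragraph describes.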

Rule Set–Based Access Controls

Rule set-based access controls grant or deny access according to an explicit set of rules. Where the object owner has the discretion to write those rules, they are discretionary; where the rules are fixed centrally and enforced by the system, as in the kernel implementation described next, they are nondiscretionary. A Linux-specific open source initiative known as Rule Set–Based Access Control (RSBAC) has been in development since 1996 and in stable production since January 2000. RSBAC is based on the Generalized Framework for Access Control (GFAC) of Abrams and LaPadula. RSBAC works at the kernel level and affords flexible access control based on several modules:
■ Mandatory Access Control module (MAC)
■ Privacy module (PM)
■ Function Control module (FC)
■ File Flag module (FF)
■ Malware Scan module (MS)
■ Role Compatibility module (RC)
■ Security Information Modification module (SIM)
■ Authentication module (Auth)
■ Access Control List module (ACL)
All security relevant system calls in the Linux kernel are extended by RSBAC security enforcement code. The RSBAC security enforcement code calls the central decision component, which then in turn calls all active decision modules (see above listing) and generates a combined decision. This decision is then enforced by the RSBAC system call extensions. One of the original goals of RSBAC was to achieve Orange book B1 certification.
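The enforcement/decision split just described, modelled as an added example (this is not RSBAC's source code): the system-call extension builds a request, a central decision function polls every active module, and the module results are combined into one decision. The three modules are simplified stand-ins for FF, MAC and ACL, the attribute tables are constructed, and the combining rule used here (any NOT_GRANTED denies, otherwise the request is granted, with a unanimous DO_NOT_CARE treated as no objection) is our reading of the GFAC scheme rather than a statement about RSBAC's exact semantics.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Decision(Enum):
    GRANTED = "GRANTED"
    NOT_GRANTED = "NOT_GRANTED"
    DO_NOT_CARE = "DO_NOT_CARE"


@dataclass(frozen=True)
class Request:
    subject: str
    target: str
    kind: str          # "READ", "WRITE", "APPEND" or "EXECUTE"


# Constructed attribute tables standing in for the kernel's attribute store.
FILE_FLAGS = {
    "/var/log/audit.log": {"append_only"},
    "/bin/ls": {"read_only"},
}
MAC_LEVEL = {               # subjects and objects that carry a sensitivity level
    "alice": 2, "bob": 1,
    "/srv/secret.txt": 3, "/srv/public.txt": 1,
}
ACL = {                     # objects that carry an explicit ACL: subject -> rights
    "/srv/public.txt": {"alice": {"READ", "WRITE"}, "bob": {"READ"}},
    "/srv/secret.txt": {"alice": {"READ"}},
}


def ff_module(req: Request) -> Decision:
    """File Flags: object-level restrictions that hold regardless of who asks."""
    flags = FILE_FLAGS.get(req.target, set())
    if req.kind in ("WRITE", "APPEND") and "read_only" in flags:
        return Decision.NOT_GRANTED
    if req.kind == "WRITE" and "append_only" in flags:
        return Decision.NOT_GRANTED     # appends still pass through to the other modules
    return Decision.DO_NOT_CARE


def mac_module(req: Request) -> Decision:
    """Mandatory: no read up, no write down; unlabelled entities are not its concern."""
    s, o = MAC_LEVEL.get(req.subject), MAC_LEVEL.get(req.target)
    if s is None or o is None:
        return Decision.DO_NOT_CARE
    if req.kind == "READ" and s < o:
        return Decision.NOT_GRANTED
    if req.kind in ("WRITE", "APPEND") and s > o:
        return Decision.NOT_GRANTED
    return Decision.GRANTED


def acl_module(req: Request) -> Decision:
    """Explicit per-object rights; an object without an ACL draws no opinion."""
    entries = ACL.get(req.target)
    if entries is None:
        return Decision.DO_NOT_CARE
    return Decision.GRANTED if req.kind in entries.get(req.subject, set()) else Decision.NOT_GRANTED


MODULES: dict[str, Callable[[Request], Decision]] = {"FF": ff_module, "MAC": mac_module, "ACL": acl_module}


def decide(req: Request) -> tuple[Decision, dict[str, Decision]]:
    """Central decision component: poll every active module, then combine."""
    votes = {name: module(req) for name, module in MODULES.items()}
    if Decision.NOT_GRANTED in votes.values():
        return Decision.NOT_GRANTED, votes   # one objection is enough to deny
    return Decision.GRANTED, votes           # explicit grants, or nobody objected


def enforce(req: Request) -> bool:
    """The system-call extension: act only on a GRANTED result."""
    final, _votes = decide(req)
    return final is Decision.GRANTED


if __name__ == "__main__":
    for req in (Request("alice", "/srv/public.txt", "WRITE"), Request("alice", "/var/log/audit.log", "APPEND")):
        print(req, *decide(req))
```

The per-module votes returned alongside the final decision are what makes such a system debuggable: when alice's write to /srv/public.txt is refused, the ACL module granted it and the MAC module objected (write down from level 2 to level 1), and that is visible without reading the policy by hand.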

Role-Based Access Controls

Role-based access control (RBAC) is generally considered nondiscretionary: an administrator, not the owner of each object, defines the roles, assigns subjects to them, and decides which roles may access which objects. (Where an object owner is allowed to choose the roles that may access the object, the implementation takes on a discretionary character, which is why some texts classify RBAC under DAC.) While there are several different implementations of nondiscretionary access controls, most implementations work on the principle of RBAC. RBAC works by assigning roles to access control subjects as well as labels to the access control objects that specify which roles are...
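RBAC as the paragraph describes it, as an added example that is not from the book: subjects are assigned roles, objects are labelled with the roles permitted for each operation, and both assignments are made by an administrator rather than by the object owner. The roles, users, object names and the "secadmin" administrator account are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Roles, subject-to-role assignments and object labels, all administrator-managed."""
    roles: set[str] = field(default_factory=set)
    user_roles: dict[str, set[str]] = field(default_factory=dict)                   # subject -> roles
    object_labels: dict[str, dict[str, set[str]]] = field(default_factory=dict)     # object -> op -> roles
    admins: set[str] = field(default_factory=lambda: {"secadmin"})                  # constructed admin account

    def _require_admin(self, actor: str) -> None:
        if actor not in self.admins:
            raise PermissionError(f"{actor} may not administer roles")

    def define_role(self, actor: str, role: str) -> None:
        self._require_admin(actor)
        self.roles.add(role)

    def assign(self, actor: str, user: str, role: str) -> None:
        self._require_admin(actor)
        if role not in self.roles:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, actor: str, user: str, role: str) -> None:
        self._require_admin(actor)
        self.user_roles.get(user, set()).discard(role)

    def label(self, actor: str, obj: str, op: str, roles: set[str]) -> None:
        """Label an object with the roles allowed to perform one operation on it."""
        self._require_admin(actor)
        unknown = roles - self.roles
        if unknown:
            raise KeyError(f"undefined roles {sorted(unknown)}")
        self.object_labels.setdefault(obj, {})[op] = set(roles)

    def check(self, user: str, obj: str, op: str) -> bool:
        """Default deny: access requires one of the user's roles to appear in the label."""
        allowed = self.object_labels.get(obj, {}).get(op, set())
        return bool(self.user_roles.get(user, set()) & allowed)

    def users_with_access(self, obj: str, op: str) -> set[str]:
        """Support for a periodic review of access levels: who can do op on obj right now?"""
        return {user for user in self.user_roles if self.check(user, obj, op)}


if __name__ == "__main__":
    rbac = Rbac()
    for role in ("payroll_clerk", "auditor"):
        rbac.define_role("secadmin", role)
    rbac.assign("secadmin", "alice", "payroll_clerk")
    rbac.assign("secadmin", "bob", "auditor")
    rbac.label("secadmin", "payroll.db", "read", {"payroll_clerk", "auditor"})
    rbac.label("secadmin", "payroll.db", "write", {"payroll_clerk"})
    print(rbac.check("bob", "payroll.db", "write"))          # False: auditors only read
    print(rbac.users_with_access("payroll.db", "write"))     # {'alice'}
```

Because subjects reach objects only through roles, a job change is handled by moving the person between roles, and a review of "who can write payroll.db" is a single query rather than a walk over every object's ACL.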

Table of contents

  1. Cover
  2. Halftitle
  3. Title
  4. Copyright
  5. Contents
  6. Foreword
  7. Editor
  8. About the Authors
  9. Introduction
  10. 1. Access Controls
  11. 2. Cryptography
  12. 3. Malicious Code
  13. 4. Monitoring and Analysis
  14. 5. Networks and Telecommunications
  15. 6. Security Operations and Administration
  16. 7. Risk, Response, and Recovery
  17. Appendix
  18. Index

Official (ISC)2 Guide to the SSCP CBK, by R Anderson, J D Dewar, and Harold F. Tipton, is available in PDF and ePUB format and is catalogued under Computer Science & Certification Guides.