CISSP All-in-One Exam Guide Chapter Review PDF

CISSP All-in-One Exam Guide 804 Chapter Review This is one of the more important chapters in the book for a variety of reasons. First, access control is central to security. The models and mechanisms discussed in this chapter are security controls you should know really well and be able to implement in your own organization. Also, the CISSP exam has been known to include lots of questions covering the topics discussed in this chapter, particularly the access control models. We chose to start this chapter with these models because they set the foundations for the discussion. You may think that they are too theoretical to be useful in your daily job, but you might be surprised how often we’ve seen them crop up in the real world. They also inform the mechanisms we discussed in more detail, like OAuth, OpenID Connect, and Kerberos. While these technologies are focused on logical access control, we wrapped up the chapter with a section on how physical and logical controls need to work together to protect our organizations. Quick Review An access control mechanism dictates how subjects access objects. The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. There are six main access control models: discretionary, mandatory, role-based, rule-based, attribute-based, and risk-based. Discretionary access control (DAC) enables data owners to dictate what subjects have access to the files and resources they own. Access control lists are bound to objects and indicate what subjects can use them. The mandatory access control (MAC) model uses a security label system. Users have clearances, and resources have security labels that contain data classifications. MAC systems compare these two attributes to determine access control capabilities. The terms “security labels” and “sensitivity labels” can be used interchangeably. Role-based access control (RBAC) is based on the user’s role and responsibilities (tasks) within the company. Rule-based RBAC (RB-RBAC) builds on RBAC by adding “if this, then that” (IFTTT) rules that further restrict access. Attribute-based access control (ABAC) is based on attributes of any component of the system. It is the most granular of the access control models. Risk-based access control estimates the risk associated with a particular request in real time and, if it doesn’t exceed a given threshold, grants the subject access to the requested resource. Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form to allow for interoperability between various web-based technologies. Chapter 17: Managing Identities and Access 805 The Service Provisioning Markup Language (SPML) allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. The Security Assertion Markup Language (SAML) allows for the exchange of authentication and authorization data to be shared between security domains. Extensible Access Control Markup Language (XACML), which is both a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies. OAuth is an open standard that allows a user to grant authority to some web resource, like a contacts database, to a third party. OpenID Connect is an authentication layer built on the OAuth 2.0 protocol that allows transparent authentication and authorization of client resource requests. Kerberos is a client/server authentication protocol based on symmetric key cryptography that can provide single sign-on (SSO) for distributed environments. The Key Distribution Center (KDC) is the most important component within a Kerberos environment because it holds all users’ and services’ secret keys, provides an authentication service, and securely distributes keys. Kerberos users receive a ticket granting ticket (TGT), which allows them to request access to resources through the ticket granting service (TGS), which in turn generates a new ticket with the session keys. The following are weaknesses of Kerberos: the KDC is a single point of failure; it is susceptible to password guessing; session and secret keys are locally stored; KDC PART V needs to always be available; and management of secret keys is required. Some examples of remote access control technologies are RADIUS, TACACS+, and Diameter. The identity and access provisioning life cycle consists of provisioning, access control, compliance, configuration management, and deprovisioning. A system account is created by the operating system for use by a particular process, not by a human. A service account is a system account for a process that runs as a service (i.e., it listens for and responds to requests from other processes). Authorization creep takes place when a user gains too much access rights and permissions over time. Managed service accounts (MSAs) are Active Directory domain accounts that are used by services and provide automatic password management. Questions Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against

CISSP All-in-One Exam Guide Chapter Review PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue