CISSP ch 14 Flashcards
Permissions
the access granted for an object; permissions determine what you can do with it
E.g., read and execute permissions for an application file, which gives you the right to run the application
Rights
the ability to take an action on an object
E.g., the right to modify the system on a computer or the right to restore backed-up data
Privileges
combination of rights and permissions
Capability tables
a way to identify privileges assigned to subjects (as opposed to ACLs, which are focused on objects)
ACL
access control list
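Capability tables and ACLs are two views of the same access matrix: a capability table is a row (one subject, every object it may touch), an ACL is a column (one object, every subject that may touch it). The following is an added example, not part of the flashcards; the subjects, objects and rights in the matrix are constructed for illustration.

```python
# Added example (not from the flashcards): one access matrix, two views of it.
# A capability table lists, per subject, the objects and rights it holds;
# an ACL lists, per object, the subjects and the rights each one has.
from typing import Dict, Set

# Constructed access matrix: subject -> object -> set of rights
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.xlsx": {"read", "write"}, "app.exe": {"read", "execute"}},
    "bob":   {"payroll.xlsx": {"read"},          "app.exe": {"read", "execute"}},
    "svc":   {"backup.tar":   {"read", "write"}},
}


def capability_table(matrix, subject):
    """Row of the matrix: everything one subject may do (subject-focused view)."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def acl(matrix, obj):
    """Column of the matrix: every subject allowed on one object (object-focused view)."""
    return {subj: set(objs[obj]) for subj, objs in matrix.items() if obj in objs}


def is_permitted(matrix, subject, obj, right):
    """Reference-monitor style check; the answer is the same whichever view is indexed."""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_object(matrix, obj):
    """Removing an object is one column in an ACL view, but in a capability view
    every subject's list must be scanned to find dangling capabilities. That
    asymmetry is the practical reason a system picks one representation.
    Returns the subjects that held any right on the object."""
    touched = []
    for subj, objs in matrix.items():
        if objs.pop(obj, None) is not None:
            touched.append(subj)
    return sorted(touched)
```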
constrained interface / restricted interface
used to restrict what users can do or see based on their privileges
Content dependent control
restricts access to data based on the content within an object
context dependent control
requires specific activity before granting users access
DAC model
Discretionary Access Control model
Every object has an owner and the owner can grant or deny access to any other subject
Windows’ New Technology File System (NTFS) uses the DAC model
Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities
Windows’ NTFS
Windows’ New Technology File System (NTFS) uses the DAC model (Discretionary Access Control)
RBAC
Role Based Access Control
Uses roles or groups instead of assigning permissions directly to users: user accounts are placed in roles and administrators assign privileges to the roles
Windows implements this model with the use of groups
TBAC
Task Based Access Control
Similar to RBAC, but instead of being assigned to one or more roles, each user is assigned an array of tasks
Control access by assigned tasks rather than by user identity
Rule based Access control
Applies global rules to all subjects
Rules within the rule-based access control model are sometimes referred to as restrictions or filters
E.g., firewall
ABAC
Attribute Based Access Control
Use of rules that can include multiple attributes, allowing more flexibility than a rule-based access control model
Many software-defined networks (SDNs) use the ABAC model
Mobile device management (MDM) systems can use attributes to identify mobile devices
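The difference between a rule-based control and ABAC is easiest to see in code: a firewall rule looks only at the packet and applies the same first-match rule set to every subject, while an ABAC policy combines attributes of the subject, the object, the device and the environment. The following is an added example, not part of the flashcards; the rule set, attribute names (including the device attributes an MDM system might supply) and the policy are all constructed for illustration.

```python
# Added example (not from the flashcards): rule-based vs attribute-based decisions.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Rule-based: one global rule set, evaluated first-match, independent of who the
# subject is. Constructed rules: (source network, destination port, action).
FIREWALL_RULES = [
    ("10.0.0.0/8", 443, "allow"),
    ("10.0.0.0/8",  22, "allow"),
    ("0.0.0.0/0",   22, "deny"),
    ("0.0.0.0/0",  443, "allow"),
]


def rule_based_decision(src_ip, dst_port, rules=FIREWALL_RULES):
    """First matching rule wins; with no match the default is deny."""
    addr = ip_address(src_ip)
    for net, port, action in rules:
        if addr in ip_network(net) and port == dst_port:
            return action
    return "deny"


# ABAC: every rule is a predicate over a bag of attributes. Each returns
# True (satisfied), False (violated) or None (not applicable to this request).
def rule_managed_device(ctx):
    # Device attributes an MDM system could assert (assumed names, constructed).
    d = ctx["device"]
    return d["managed"] and d["os_patched"]


def rule_same_department(ctx):
    return ctx["subject"]["department"] == ctx["object"]["owner_department"]


def rule_business_hours_for_sensitive(ctx):
    # Environment attribute (time of day) only matters for sensitive objects.
    if ctx["object"]["sensitivity"] != "high":
        return None
    hour = ctx["environment"]["time"].hour
    return 8 <= hour < 18


ABAC_POLICY = [rule_managed_device, rule_same_department, rule_business_hours_for_sensitive]


def abac_decision(ctx, policy=ABAC_POLICY):
    """Permit only if every applicable rule is satisfied; a single violated
    rule denies, and if no rule applies at all the default is deny."""
    verdicts = [rule(ctx) for rule in policy]
    applicable = [v for v in verdicts if v is not None]
    return "permit" if applicable and all(applicable) else "deny"


def make_context(user_dept, owner_dept, sensitivity, managed, patched, hour):
    """Build a constructed request context; 'hour' is the hour of day of the request."""
    return {
        "subject": {"department": user_dept},
        "object": {"owner_department": owner_dept, "sensitivity": sensitivity},
        "device": {"managed": managed, "os_patched": patched},
        "environment": {"time": datetime(2024, 1, 15, hour, 0)},
    }
```

Note the deny-by-default in both functions: a firewall rule set that ends without a catch-all and an attribute policy in which nothing applied should both fail closed.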
MAC
Mandatory Access Control; commonly described as a lattice-based model
Use of labels applied to both subjects and objects
E.g., if a user has a label of top secret, the user can be granted access to a top-secret document – both the object and subject have matching labels
Each classification label represents a security domain (e.g., Secret or Top Secret), or a realm of security
Types of MAC environments
Hierarchical
Compartmentalized
Hybrid
Hierarchical (MAC environment)
Relates various classification labels in an ordered structure from low security to high security, such as Confidential, Secret and Top Secret
Each level or classification label is related: Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels
Compartmentalized (MAC environment)
No relationship between one security domain and another, each domain represents a specific isolated compartment
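The hierarchical, compartmentalized and hybrid environments are all instances of one comparison: a subject's clearance dominates an object's classification when its level is at least as high and it holds every compartment the object is in. The following is an added example, not part of the flashcards; the level names and compartment names are constructed for illustration.

```python
# Added example (not from the flashcards): the label-comparison rule behind MAC.
# A label is (hierarchical level, set of compartments). Constructed level order:
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def make_label(level, compartments=()):
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return (level, frozenset(compartments))


def dominates(clearance, classification):
    """Hybrid environment check: level at least as high AND every compartment held.
    With empty compartment sets it reduces to the purely hierarchical case
    (Confidential < Secret < Top Secret); with one level everywhere it reduces
    to the purely compartmentalized case, where domains are isolated."""
    s_level, s_comp = clearance
    o_level, o_comp = classification
    return LEVELS[s_level] >= LEVELS[o_level] and o_comp <= s_comp


def can_read(clearance, classification):
    """A subject may read an object only if its clearance dominates the label;
    the clearance grants that level and all lower ones, never higher ones."""
    return dominates(clearance, classification)


def least_upper_bound(a, b):
    """Lattice join: the lowest label that dominates both inputs. A document
    combining material from both sources must carry at least this label."""
    level = max(a[0], b[0], key=LEVELS.__getitem__)
    return (level, a[1] | b[1])
```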
Risk-based Access control
Grants access after evaluating risk
Evaluates the environment and the situation and makes risk-based decisions using policies embedded within software code
Can use machine learning to make predictive conclusions about current activity based on past activity
nondiscretionary Access controls
administrators centrally manage nondiscretionary access controls and can make changes that affect the entire environment
XML
Extensible Markup Language
Goes beyond describing how to display the data by actually describing the data
Can include tags to describe data as anything desired:
<ExamResults>Passed</ExamResults>
Databases from multiple vendors can import and export data to and from an XML format, making XML a common language used to exchange information
Many specific schemas exist, and if companies agree on what schemas to use, they can easily share information
SAML
Security Assertion Markup Language
An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations
Provides SSO capabilities for browser access
The Organization for the Advancement of Structured Information Standards (OASIS) adopted SAML 2.0 as a standard in 2005, and has maintained it since then
Utilizes three entities:
Principal or user agent
Service Provider (SP)
Identity Provider (IdP)
SP (SAML)
Service Provider (SP)
The entity providing the service being accessed; it requires the user agent to be authenticated and authorized before granting access
IdP (SAML)
Identity Provider (IdP)
Third party that holds the user authentication and authorization information
IdP assertions (SAML)
Authentication Assertion
Authorization Assertion
Attribute Assertion
Authentication Assertion (SAML)
Provides proof that the user agent provided the proper credentials, identifies the identification method and identifies the time the user agent logged on
Authorization Assertion (SAML)
Indicates whether the user agent is authorized to access the requested service
If the message indicates access is denied, it indicates why
Attribute assertion (SAML)
Attributes can be any information about the user agent