CISSP (Domain 1 - Access Control) Flashcards
What Are Access Control Mechanisms
Protect information and resources from unauthorized disclosure, modifications, and destruction
3 main types of Access Control Mechanisms
ATP
- administrative (closest to data)
- technical
- physical
Administrative Controls
How you should act.
Development of policies, standards, and procedures. (Ex: How servers should be installed)
Screening personnel, security awareness training, monitoring activity.
Technical Controls
Protect Data.
Logical mechanisms that provide password and resource management, identification and authentication, and software configuration.
Ex: anti-virus software, IDS, encryption
Physical Controls
Address physical threats. A barrier against bad actors.
Protecting individual systems, the network, employees, and the facility from physical damage.
Ex: Removing floppy drives, security guards monitoring facility.
7 Access Control Types/Categories
PDCDRCD
- Preventive
- Detective
- Corrective
- Deterrent
- Recovery
- Compensation
- Directive
Preventive - AC Type*
Controls to prevent undesirable events.
Administrative - Policies, background checks
Technical - Passwords, Firewalls
Physical - Badges/Swipe Cards, CCTV
Detective - AC Type*
Controls to identify undesirable events
Administrative - Job Rotation, Inspections
Technical - IDS, Review audit logs
Physical - Human evaluation of cameras
Corrective - AC Type
Controls to correct the effects of undesirable events
Ex: Patch systems
Deterrent - AC Type
Controls to discourage security violations
Ex: Signs
Recovery - AC Type
Controls to restore resources
Ex: Restore backups
Compensation - AC Type
Controls to provide alternative solutions
Ex: Personal PC vs. Hardware
Directive - AC Type
Policies to preclude or mandate actions to reduce risk
Access Control
Security features that control how subjects and objects communicate and interact with other subjects and objects
Access Control - Subject/Object/Access
Subject: Active entity that requests access to an object or the data within the object.
Object: Passive entity that contains information
Access: Ability of a subject to do something with an object (CRUD)
4 Steps of Access Control
IAAA
- Identification
- Authentication
- Authorization
- Accounting
Access Control - Identification
Identify the subject
Ex: username, smartcard
Access Control - Authentication
Proving the subject is who it claims to be
Ex: second piece of credential set
Access Control - Authorization
Granting access to resources based on criteria
Access Control - Accounting
Keeping records of activity
3 Types of Authentication
KHA
Type 1: Something you know (Password, PIN, Passphrase)
Type 2: Something you have (smart card, OTP, RSA Key)
Type 3: Something you are (Biometrics)