Access Controls
CISSP Guide to Security Essentials
Chapter 2 (minor changes 6-13-11)
Objectives
• Identification and Authentication
• Centralized Access Control
• Decentralized Access Control
• Access Control Attacks
• Testing Access Controls
Controlling Access
Identification and Authentication
• Identification: unproven assertion of identity
  – “My name is…”
  – Userid
• Authentication: proven assertion of identity
  – Userid and password
  – Userid and PIN
  – Biometric
Authentication Methods
• What the user knows
  – Userid and password
  – Userid and PIN
• What the user has
  – Smart card
  – Token
• What the user is
  – Biometrics (fingerprint, handwriting, voice, etc.)
How Information Systems Authenticate Users
• Request userid and password
  – Hash the password
  – Retrieve the stored userid and hashed password
  – Compare
• Make a function call to a network-based authentication service
How a User Should Treat Userids and Passwords
• Keep them secret
• Do not share them with others
• Do not leave them written down where someone else can find them
• Store them in an encrypted file or vault
  – Use RoboForm
How a System Stores Userids and Passwords
• Typically stored in a database table
  – Application database or authentication database
  – Userid stored in plaintext
    • Facilitates lookups by others
  – Password stored encrypted or hashed
    • If encrypted, can be retrieved under certain conditions
      – “Forgot password” function, application e-mails it to the user
    • If hashed, cannot be retrieved under any circumstance (best method)
Password Hashes
• Cain, Cracker top tab, right-click empty space, Add to List
• LM hash is weak, no longer used in Win 7
• NT hash is stronger, but not salted
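The request-hash-lookup-compare flow from the authentication slide, together with the unsalted-versus-salted distinction made here, as an added Python example (not code from the slides). The userids and passwords are constructed, and PBKDF2-HMAC-SHA256 with a per-user random salt is the assumed salted scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000  # work factor for the salted scheme; tune per deployment


def unsalted_hash(password: str) -> str:
    """Weak scheme, like the unsalted NT hash on the slide: one plain hash, no salt.
    Every user with the same password gets the same stored value, so one
    precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Stronger scheme: per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    The salt is stored beside the hash; it is not secret, it only makes each record unique."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_salted(record: Dict[str, str], password: str) -> bool:
    """Recompute with the stored salt and compare in constant time (no early exit on mismatch)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# Computed once at import so that a login for an unknown userid costs the same as a real one.
_DUMMY_RECORD = make_salted_record("not-a-real-password")


def login(store: Dict[str, Dict[str, str]], userid: str, password: str) -> bool:
    """The slide's flow: request userid + password, look up the stored record, hash, compare."""
    record = store.get(userid)
    if record is None:
        verify_salted(_DUMMY_RECORD, password)  # keep timing the same for unknown userids
        return False
    return verify_salted(record, password)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    unsalted = {u: unsalted_hash("Summer2011") for u in ("alice", "bob")}
    salted = {u: make_salted_record("Summer2011") for u in ("alice", "bob")}
    print("unsalted hashes equal:", unsalted["alice"] == unsalted["bob"])              # True
    print("salted hashes equal:  ", salted["alice"]["hash"] == salted["bob"]["hash"])  # False
    print("alice login:", login(salted, "alice", "Summer2011"))   # True
    print("bad password:", login(salted, "alice", "summer2011"))  # False
```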
Strong Authentication
• Traditional userid + password authentication has known weaknesses
  – Easily guessed passwords
  – Disclosed or shared passwords
• Stronger types of authentication are available, usually referred to as “strong authentication”
  – Token
  – Certificate
  – Biometrics
Two-Factor Authentication
• First factor: what the user knows
• Second factor: what the user has
  – Password token
  – USB key
  – Digital certificate
  – Smart card
• Without the second factor, the user cannot log in
  – Defeats password guessing / cracking
RSA was Hacked, and their Customers Too
• http://samsclass.info/RSA-alternatives.html
Biometric Authentication
• Stronger than userid + password
• Stronger than two-factor?
  – Can be hacked
Biometric Authentication (cont.)
• Measures a part of the user’s body
  – Fingerprint
  – Iris scan
  – Signature
  – Voice
  – Etc.
Biometric Authentication (cont.)
[Figure: False Accept Rate and False Reject Rate plotted against Sensitivity]
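The three labels on this slide describe a trade-off: raising the matcher's sensitivity (acceptance threshold) lowers the False Accept Rate and raises the False Reject Rate. The added Python example below (not from the slides) computes both rates from constructed match scores for a hypothetical fingerprint matcher, sweeps the threshold, and finds the crossover where the two rates meet; the scores and the 0-100 scale are assumptions.

```python
from typing import List, Sequence, Tuple

# Constructed match scores (0-100) from a hypothetical matcher, not real data.
# Genuine: the enrolled user against their own template.  Impostor: other people against it.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR_SCORES = [62, 55, 50, 47, 44, 40, 36, 31, 25, 20]


def far(threshold: int, impostor: Sequence[int] = IMPOSTOR_SCORES) -> float:
    """False Accept Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: Sequence[int] = GENUINE_SCORES) -> float:
    """False Reject Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds: Sequence[int] = range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each sensitivity setting; FAR falls and FRR rises as it goes up."""
    return [(t, far(t), frr(t)) for t in thresholds]


def crossover(thresholds: Sequence[int] = range(0, 101)) -> Tuple[int, float, float]:
    """Sensitivity where FAR and FRR are closest: the crossover (equal error) point."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


def choose_threshold(max_far: float, thresholds: Sequence[int] = range(0, 101)) -> Tuple[int, float, float]:
    """Lowest sensitivity that keeps FAR at or below a policy limit, reporting the FRR paid for it."""
    return next(row for row in sweep(thresholds) if row[1] <= max_far)


if __name__ == "__main__":
    for t in (30, 61, 90):
        print(f"threshold {t:3d}: FAR={far(t):.2f} FRR={frr(t):.2f}")
    print("crossover:", crossover())                 # (61, 0.1, 0.1)
    print("FAR of 0 requires:", choose_threshold(0.0))  # (63, 0.0, 0.1)
```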
Authentication Issues
• Password quality
• Consistency of user credentials across multiple environments
• Too many userids and passwords
• Handling password resets
• Dealing with compromised passwords
• Staff terminations
Access Control Technologies
• Centralized management of access controls
  – LDAP
    • Active Directory, Microsoft's LDAP directory
  – RADIUS
    • Diameter, upgrade of RADIUS
  – TACACS
    • Replaced by TACACS+ and RADIUS
  – Kerberos
    • Uses tickets
Single Sign-On (SSO)
• Authenticate once, then access many information systems without having to re-authenticate to each
• Centralized session management
• Often the “holy grail” for identity management
  – Harder in practice to achieve: integration issues
Reduced Sign-On
• Like single sign-on (SSO), single credential for many systems
• But… no inter-system session management
• User must log into each system separately, but they all use the same userid and password
Weakness of SSO and RSO
• Weakness: intruder can access all systems if password is compromised
• Best to combine with two-factor / strong authentication
1 of 6
A person hands you their business card. What control function does this perform?
A. Identification
B. Authentication
C. Two-factor authentication
D. Biometrics authentication
E. Token authentication
2 of 6
A Web site has a password-retrieval system that e-mails you your current password. Which of these systems is most likely used at the Web server to store passwords?
A. Hashed
B. Hashed and salted
C. Encrypted
D. LDAP
E. Kerberos
3 of 6
To enter a building, you must show a photo ID to the guard. The guard looks at the photo to make sure it matches your real appearance. What control function does this accomplish?
A. Identification
B. Token Authentication
C. Two-factor authentication
D. Biometric authentication
E. More than one of the above
4 of 6
To enter a building, you must tell the guard your name. The guard looks at a company directory and compares a photo there to ensure it matches your real appearance. What control function does this accomplish?
A. Identification
B. Token Authentication
C. Two-factor authentication
D. Biometric authentication
E. More than one of the above
5 of 6
Which technique allows users to access many systems after logging on once?
A. SSO
B. RSO
C. LDAP
D. RADIUS
E. TACACS
5 of 6
Which system uses a ticket-granting ticket?
A. Active Directory
B. RSO
C. LDAP
D. RADIUS
E. TACACS
Access Control Attacks
Access Control Attacks
• Intruders will try to defeat, bypass, or trick access controls in order to reach their target
• Attack objectives
  – Guess credentials
  – Cause access controls to malfunction
  – Bypass access controls
  – Replay known good logins
  – Trick people into giving up credentials
Buffer Overflow
• Cause a malfunction in a way that permits illicit access
• Send more data than the application was designed to handle properly
  – “Excess” data corrupts application memory
  – Execution of arbitrary code
  – Malfunction
• Countermeasure: “safe” coding that limits the length of input data; filter input data to remove unsafe characters
Script Injection
• Insertion of scripting language characters into application input fields
  – Execute script on the server side
    • SQL injection – obtain data from the application database
  – Execute script on the client side – trick the user or browser
    • Cross-site scripting
    • Cross-site request forgery
• Countermeasures: strip “unsafe” characters from input
Cross-Site Scripting (XSS)
• One client posts active content, with <script> tags or other programming content
• When another client reads the messages, the scripts are executed in his or her browser
• One user attacks another user, using the vulnerable Web application as a weapon
• <script>alert("XSS vulnerability!")</script>
• <script>alert(document.cookie)</script>
• <script>window.location="http://www.ccsf.edu"</script>
XSS Scripting Effects
• Steal another user's authentication cookie
  – Hijack session
• Harvest stored passwords from the target's browser
• Take over the machine through a browser vulnerability
• Redirect Web page
• Many, many other evil things…
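The stored-XSS scenario on these slides (one client posts a script, every other reader's browser runs it), as an added Python example that is not code from the slides. It renders constructed message-board posts containing two of the test strings above, first verbatim and then with HTML output encoding, and contrasts that with the "strip unsafe characters" countermeasure; the post contents, the regex used for stripping and the cookie flags are assumptions.

```python
import html
import re
from typing import List, Tuple

# Constructed message-board posts; the two script bodies are test strings from the slides.
POSTS: List[Tuple[str, str]] = [
    ("alice", "Is 2 < 3 a valid CISSP question?"),
    ("mallory", "<script>alert(document.cookie)</script>"),
    ("mallory", '<script>window.location="http://www.ccsf.edu"</script>'),
]

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(posts: List[Tuple[str, str]]) -> str:
    """Vulnerable rendering: post bodies go into the page verbatim, so mallory's
    script runs in every reader's browser (stored XSS)."""
    return "\n".join(f"<p><b>{user}</b>: {body}</p>" for user, body in posts)


def render_safe(posts: List[Tuple[str, str]]) -> str:
    """Output encoding: every untrusted value is HTML-escaped where it is written into
    the page, so '<script>' reaches the browser as literal text, not markup."""
    return "\n".join(
        f"<p><b>{html.escape(user)}</b>: {html.escape(body)}</p>" for user, body in posts
    )


def strip_unsafe(body: str) -> str:
    """The slides' countermeasure: strip 'unsafe' characters from input.  It blocks the
    test strings, but it also silently mangles harmless text such as '2 < 3'."""
    return re.sub(r"[<>\"']", "", body)


def page_has_script(page: str) -> bool:
    """Check used here to show whether live <script> markup reached the output."""
    return SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id: str) -> str:
    """Server-side mitigation for the cookie-theft effect listed above: a cookie flagged
    HttpOnly is not readable through document.cookie even if a script does run."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print("unsafe page contains script: ", page_has_script(render_unsafe(POSTS)))  # True
    print("escaped page contains script:", page_has_script(render_safe(POSTS)))    # False
    print("alice's post after stripping:", strip_unsafe(POSTS[0][1]))
    print("alice's post after escaping: ", html.escape(POSTS[0][1]))
    print(session_cookie_header("constructed-session-id"))
```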
Data Remanence
• Literally: data that remains after it has been “deleted”
• Examples
  – Deleted hard drive files
  – Data in file system “slack space”
  – Erased files
  – Reformatted hard drive
  – Discarded / lost media: USB keys, backup tapes, CDs
• Countermeasures: improve media physical controls
Denial of Service (DoS)
• Actions that cause the target system to fail, thereby denying service to legitimate users
  – Specially crafted input that causes application malfunction
  – Large volume of input that floods the application
• Distributed Denial of Service (DDoS)
  – Large volume of input from many (hundreds, thousands) of sources
• Countermeasures: input filters, patches, high capacity
Dumpster Diving
• Literally, going through company trash in the hope that sensitive printed documents were discarded and can be retrieved
  – Personnel reports, financial records
  – E-mail addresses
  – Trade secrets
  – Technical architecture
• Countermeasures: on-site shredding
Eavesdropping
• Interception of data transmissions
  – Login credentials
  – Sensitive information
• Methods
  – Network sniffing (maybe from a compromised system)
  – Wireless network sniffing
• Countermeasures: encryption, stronger encryption
Emanations
• Electromagnetic radiation that emanates from computer equipment
  – Network cabling
    • More prevalent in networks with coaxial cabling
  – CRT monitors
  – Wi-Fi networks
• Countermeasures: shielded cables, LCD monitors, lower power or eliminate Wi-Fi
Spoofing and Masquerading
• Specially crafted network packets that contain a forged address of origin
  – TCP/IP protocol permits forged MAC and IP addresses
  – SMTP protocol permits a forged e-mail “From” address
• Countermeasures: router / firewall configuration to drop forged packets, judicious use of e-mail for signaling or data transfer
Social Engineering
• Tricking people into giving out sensitive information by making them think they are helping someone
• Methods
  – In person
  – By phone
• Schemes
  – Log-in, remote access, building entrance help
• Countermeasures: security awareness training
Phishing
• Incoming, fraudulent e-mail messages designed to give the appearance of origin from a legitimate institution
  – “Bank security breach”
  – “Tax refund”
  – “Irish sweepstakes”
• Tricks the user into providing sensitive data via a forged Web site (common) or return e-mail (less common)
• Countermeasure: security awareness training
Pharming
• Redirection of traffic to a forged Web site
  – Attack on the DNS server (poison cache, other attacks)
  – Attack on the “hosts” file on the client system
  – Often, a phishing e-mail to lure the user to the forged Web site
  – Forged Web site has the appearance of the real thing
• Countermeasures: user awareness training, patches, better controls
Password Guessing
• Trying likely passwords to log in as a specific user
  – Common words
  – Spouse / partner / pet name
  – Significant dates / places
• Countermeasures: strong, complex passwords, aggressive password policy, lockout policy
Password Cracking
• Obtain / retrieve hashed passwords from the target
• Run a password cracking program
  – Runs on the attacker’s system – no one will notice
• Attacker logs in to the target system using cracked passwords
• Countermeasures: frequent password changes, controls on hashed password files, salting the hash
Malicious Code
• Viruses, worms, Trojan horses, spyware, key logger
• Harvest data or cause system malfunction
• Countermeasures: anti-virus, anti-spyware, security awareness training
1 of 5
Which risk can be reduced by using BitLocker disk encryption?
A. Sniffing
B. Emanations
C. Buffer overflow
D. Script injection
E. Data remanence
2 of 5
Which term refers to a non-indexed portion of a hard disk?
A. Emanation
B. Buffer overflow
C. Script injection
D. Slack space
E. Worm
3 of 5
You want to determine who sent you an e-mail message. Which of these values can you trust?
A. Source MAC Address
B. Source IP Address
C. "From" email address
D. More than one of the above
E. None of the above
4 of 5
Which countermeasure will protect you from social engineering?
A. Shielded cables
B. Encrypting hard drives
C. Antivirus software
D. On-site shredding
E. None of the above
5 of 5
Which countermeasure will protect you from emanations?
A. Shielded cables
B. Encrypting hard drives
C. Antivirus software
D. On-site shredding
E. None of the above
Access Control Concepts
Access Control Concepts
• Principles of access control
• Types of controls
• Categories of controls
Principles of Access Control
• Separation of duties
  – No single individual should be allowed to perform high-value or sensitive tasks on their own
    • Financial transactions
    • Software changes
    • User account creation / changes
Principles of Access Control
• Least privilege
  – Persons should have access to only the functions / data that they require to perform their stated duties
  – Server applications
    • Don't run as root
  – User permissions on file servers
    • Don't give access to others' files
  – Workstations
    • User Account Control
Principles of Access Control (cont.)
• Defense in depth
  – Use of multiple controls to protect an asset
  – Heterogeneous controls preferred
    • If one type fails, the other remains
    • If one type is attacked, the other remains
• Examples
  – Nested firewalls
  – Anti-virus on workstations, file servers, e-mail servers
Types of Controls
• Technical
  – Authentication, encryption, firewalls, anti-virus
• Physical
  – Key card entry, fencing, video surveillance
• Administrative
  – Policy, procedures, standards
Categories of Controls
• Detective controls
• Deterrent controls
• Preventive controls
• Corrective controls
• Recovery controls
• Compensating controls
Detective Controls
• Monitor and record specific types of events
• Do not stop or directly influence events
  – Video surveillance
  – Audit logs
  – Event logs
  – Intrusion detection system
Deterrent Controls
• Highly visible
• Prevent offenses by influencing choices of would-be intruders
Deterrent Controls (cont.)
• A purely deterrent control does not prevent or even record events
  – Signs
  – Guards, guard dogs (may be preventive if they are real)
  – Razor wire
Preventive Controls
• Block or control specific events
  – Firewalls
  – Anti-virus software
  – Encryption
  – Key card systems
  – Bollards stop cars (as shown)
Corrective Controls
• Post-event controls to prevent recurrence
• “Corrective” refers to when it is implemented
  – Can be preventive, detective, deterrent, administrative
• Examples (if implemented after an incident)
  – Spam filter
  – Anti-virus on e-mail server
  – WPA Wi-Fi encryption
Recovery Controls
• Post-incident controls to recover systems
• Examples
  – System restoration
  – Database restoration
Compensating Controls
• A control that is introduced to compensate for the absence or failure of another control
• “Compensating” refers to why it is implemented
  – Can be detective, preventive, deterrent, administrative
• Examples
  – Daily monitoring of the anti-virus console
  – Monthly review of administrative logins
  – Web Application Firewall used to protect a buggy application
Testing Access Controls
Testing Access Controls
• Access controls are the primary defense that protect assets
• Testing helps to verify whether they are working properly
• Types of tests– Penetration tests– Application vulnerability tests– Code reviews
Penetration Testing
• Automatic scans to discover vulnerabilities
  – Scan TCP/IP for open ports, discover active “listeners”
  – Potential vulnerabilities in open services
  – Test operating system, middleware, server, network device features
  – Missing patches
• Example tools: Nessus, Nikto, SAINT, Superscan, Retina, ISS, Microsoft Baseline Security Analyzer
Application Vulnerability Testing
• Discover vulnerabilities in an application
• Automated tools and manual tools
• Example vulnerabilities
  – Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more
Audit Log Analysis
• Regular examination of audit and event logs
• Detect unwanted events
  – Attempted break-ins
  – System malfunctions
  – Account abuse, such as credential sharing
• Audit log protection
  – Write-once media
  – Centralized audit logs
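Two of the unwanted events listed above, attempted break-ins and credential sharing, as detection logic in an added Python example (not code from the slides). It runs over constructed syslog-style login lines with TEST-NET addresses; the log format, the thresholds (five failures in ten minutes, two sources within five minutes) and the sample data are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed login records in a syslog-like format, not from a real system.
LOG_LINES = [
    "2011-06-13T08:00:01 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2011-06-13T08:00:03 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2011-06-13T08:00:05 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2011-06-13T08:00:08 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2011-06-13T08:00:10 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2011-06-13T08:05:00 srv1 sshd: Accepted password for jsmith from 198.51.100.4",
    "2011-06-13T08:07:30 srv1 sshd: Accepted password for jsmith from 192.0.2.55",
    "2011-06-13T09:00:00 srv1 sshd: Accepted password for bob from 198.51.100.9",
    "2011-06-13T09:01:00 srv1 sshd: Failed password for bob from 198.51.100.9",
    "garbage line that does not match the expected format",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines: List[str]) -> List[Dict]:
    """Turn raw lines into events sorted by time.  Lines that do not match are skipped;
    a production pipeline should count them, since a parser gap is itself a detection gap."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_bursts(events: List[Dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Attempted break-in: `threshold` failures for one (user, source) inside `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["result"] != "Failed":
            continue
        key = (e["user"], e["src"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) == threshold:  # fire once, when the count first crosses
            alerts.append({"type": "break-in attempt", "user": e["user"],
                           "src": e["src"], "at": e["ts"]})
    return alerts


def shared_credential_use(events: List[Dict],
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Credential sharing: one userid accepted from two different sources inside `window`."""
    alerts, recent = [], defaultdict(list)  # user -> [(ts, src)]
    for e in events:
        if e["result"] != "Accepted":
            continue
        earlier = [(t, s) for t, s in recent[e["user"]] if e["ts"] - t <= window]
        others = sorted({s for _, s in earlier if s != e["src"]})
        if others:
            alerts.append({"type": "credential sharing", "user": e["user"],
                           "sources": others + [e["src"]], "at": e["ts"]})
        recent[e["user"]] = earlier + [(e["ts"], e["src"])]
    return alerts


def analyze(lines: List[str]) -> List[Dict]:
    """Run both detections over raw log lines and return the combined alert list."""
    events = parse(lines)
    return failed_login_bursts(events) + shared_credential_use(events)


if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```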
1 of 5
The movie theatre has one employee who sells tickets, and another who examines them and tears them when you enter. What security function does this accomplish?
A. Separation of duties
B. Least Privilege
C. Defense in depth
D. Detective control
E. Deterrent control
2 of 5
CCSF does not give teachers keys to the buildings. What security function does that accomplish?
A. Corrective control
B. Least Privilege
C. Defense in depth
D. Deterrent control
E. Detective control
3 of 5
Safeway has a guard at the front door, but the guard has no gun and no police powers. What purpose does the guard serve?
A. Detective control
B. Deterrent control
C. Preventive control
D. Corrective control
E. None of the above
4 of 5
Employees are stealing on the job, so the company hires a spy to work with them and send in secret reports. What function does the spy serve?
A. Defense in depth
B. Detective control
C. Deterrent control
D. Preventive control
E. Corrective control
5 of 5
A company uses Symform to save a copy of critical backup files on the Web. What security function does this accomplish?
A. Defense in depth
B. Detective control
C. Preventive control
D. Corrective control
E. Recovery control