Exam Objectives Fast Track

Access Control Objectives

The primary objective of access control is to provide access control subjects the ability to work with access control objects in a controlled manner.
The three steps of obtaining access are authentication, identification, and authorization.
Access control systems must provide assurance in the form of confidentiality, integrity, availability, and accountability.

Authentication Types

There are three main authentication types: "something you know," "something you have," and "something you are."
Enterprise authentication is more complex and requires special features such as SSO technology provided through access control systems utilizing Kerberos or X.509.
Remote access authentication for the enterprise is typically provided by TACACS or RADIUS.

Password Administration

Good password selection requirements include the use of minimum password lengths and required characters or symbols.
Password management is most effective when it includes automatic password expiration and account lockouts.
Auditing password usage or problems is useful in identifying attacks against an access control system.

Access Control Policies

The three types of access control policies are preventive, corrective, and detective.
The three types of access control policy implementations are administrative, logical/technical, and physical.
A good access control system uses multiple combinations of these policy types and implementations.

Access Control Methodologies

A centralized access control methodology provides a single central authority for authentication.
A decentralized access control methodology allows for a more distributed approach by breaking up the authentication responsibility across multiple systems.

Access Control Models

The "Orange" and "Red" books provide guidelines for rating access control models.
DAC is the most common access control model and uses ACLs for access control subjects to control access.
MAC is more of a government/military access control model and bases security on pre-determined sensitivity labels for data.
Non-discretionary or RBAC takes into account the job functions or roles of the access control subject and bases access determinations on this factor.
Three popular formal models for access control are Bell-LaPadula, Biba, and Clark-Wilson.
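As an added example (not part of the study guide), a small Python policy decision function that evaluates one request under each of the three models named above: an owner-managed ACL for DAC, fixed sensitivity labels with the Bell-LaPadula no-read-up and no-write-down rules for MAC, and role-to-permission mappings for RBAC. The subjects, labels, roles and permissions are constructed sample data.

```python
# Added illustration, not code from the study guide. One request, three models.
# DAC : the object's owner maintains an ACL naming subjects and permissions.
# MAC : fixed sensitivity labels; Bell-LaPadula simple security ("no read up")
#       and *-property ("no write down") decide reads and writes.
# RBAC: permissions attach to roles; subjects receive roles, not permissions.

# Constructed label ordering (low to high).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dac_allowed(acl, subject, op):
    """DAC: the owner-managed ACL maps subject -> set of permitted operations."""
    return op in acl.get(subject, set())


def mac_allowed(subject_clearance, object_label, op):
    """MAC: read only if clearance >= label, write only if clearance <= label."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if op == "read":
        return s >= o          # no read up
    if op == "write":
        return s <= o          # no write down
    return False               # unknown operation: deny by default


def rbac_allowed(role_perms, subject_roles, subject, op):
    """RBAC: allowed if any role held by the subject carries the operation."""
    return any(op in role_perms.get(role, set())
               for role in subject_roles.get(subject, ()))


# Constructed sample policy data (hypothetical subjects and roles).
ACL = {"alice": {"read", "write"}, "bob": {"read"}}
ROLE_PERMS = {"auditor": {"read"}, "editor": {"read", "write"}}
SUBJECT_ROLES = {"alice": ("editor",), "bob": ("auditor",), "carol": ()}


def decide(subject, op, clearance, label):
    """Return the decision each model would make for the same request."""
    return {
        "DAC": dac_allowed(ACL, subject, op),
        "MAC": mac_allowed(clearance, label, op),
        "RBAC": rbac_allowed(ROLE_PERMS, SUBJECT_ROLES, subject, op),
    }


if __name__ == "__main__":
    # A secret-cleared auditor trying to write a confidential object is denied
    # by every model, for three different reasons.
    print(decide("bob", "write", "secret", "confidential"))
```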
Administrating Access Control

Account administration takes a significant amount of effort and involves the creation, maintenance, and destruction of accounts.
Determining rights and permissions is a difficult but critical part of access control administration.
Managing access control objects helps provide a great deal of security to the system.
Monitoring the access control system is critical to maintaining the security and stability of the system.
Securing removable media and managing data caches are two important parts of access control administration that are often overlooked.

Methods of Attack

Dictionary and brute force attacks are common and effective techniques for cracking users' passwords.
A DoS or DDoS attack is designed to attack the availability aspect of an access control system.
Spoofing and MITM attacks are two methods used to gain unauthorized access to data without having to crack passwords.
Spamming is the use of unsolicited e-mail, which can either intentionally or unintentionally cause a DoS attack on mail servers.
Sniffers are used to monitor networks for troubleshooting, but can also be used by intruders to capture data or passwords.

Monitoring

IDSs and NIDSs are automated systems designed to monitor either a single system or a network for potential attack attempts.
Alarms are alerts that can be created to notify administrators when there is a problem in the access control system.
Audit trails and violation reports are used to track suspicious activity.

Penetration Testing

Penetration testing is the art of trying to hack into your own system to determine the level of security that the system is providing.
Penetration testing should be done prior to implementation of the access control system as well as after the implementation, to catch as many weaknesses as possible.
Weaknesses within the system should be patched or fixed as soon as possible.