Hey, I'm Rob Witcher from Destination Certification and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to access control in Domain 5, to understand how they interrelate and to guide your studies. This is the first of two videos for Domain 5. I've included links to the other mind map videos in the description below.

Access controls are the collection of mechanisms that work together to protect the assets of an organization. These access controls can be both physical controls, like locks, and logical controls, such as login mechanisms to access an operating system. Access controls enable management to specify which users can access what resources and what operations they can perform, and to provide individual accountability. Fundamentally, every access control system is about controlling a subject's access to an object through some form of mediation. That mediation is based on a set of rules, and all of this is logged and monitored. This is known, of course, as the reference monitor concept. The implementation of the reference monitor concept (RMC) is known as a security kernel; thus every access control system is a security kernel. Now let's jump into the mind map.

There are three major principles that we apply throughout access control. The first is separation of duties: dividing key processes into multiple parts assigned to different people. Need to know and least privilege are very similar: only give users the access they need based on their job and nothing more. But there's a subtle difference between them that you need to know. Need to know is focused on restricting a user's access to knowledge, to data, to only the data required for them to perform their role, whereas least privilege is focused on restricting a user's actions to only those required to perform their role.

When it comes to administering access to systems (the addition, modification and removal of users) there are three main approaches: centralized, decentralized and hybrid. In a centralized approach, access to multiple separate applications is managed through one central system. In a decentralized approach, access to multiple applications is managed individually within each application. Many organizations use a hybrid approach, which is simply a combination of centralized and decentralized.

Now let's talk about the access control services. There are four major services that all access control systems must provide: identification, authentication, authorization and accountability. We'll start with identification. This is where the user must assert their identity to the system, for example, "my username is RWitcher". Authentication is where the system verifies the user's identity by one of the three factors of authentication: knowledge, ownership or characteristic.

Authentication by knowledge, also referred to as something you know, is where a user verifies their identity by providing some information that they have memorized. It could be a password, a passphrase (a long sequence of words that are easy to remember), or answering security questions.

The second factor of authentication is ownership, also commonly referred to as something you have. Authentication by ownership uses things that we have in our possession. The most common form of authentication by ownership is one-time passwords; we call them one-time passwords because they are meant to be used only once. Hard tokens are dedicated pieces of hardware that generate one-time passwords, such as an RSA SecurID key. Soft tokens are apps, software that generates one-time passwords, such as the Microsoft or Google Authenticator apps that we can install on our mobile phones. There are two types of hard or soft tokens: synchronous and asynchronous. In a synchronous system, both the hard or soft token and the authentication server are generating the same one-time password every 30 to 60 seconds; they are synchronized. Asynchronous involves a challenge and a response: to authenticate, the user is sent a challenge from the server, which they enter into their hard or soft token device, and a response is generated, the one-time password. Asynchronous systems are rare, and they are more expensive and complicated, but they are more secure, so in really high-value situations, like say Bloomberg financial terminals, they are used. Going back to the other forms
of authentication by ownership, we have smart cards and memory cards. Smart cards are well named because they have a computer chip within them that provides some smarts. Memory cards, on the other hand, just store some data that can be read, the same data every time, which is less secure.

Authentication by characteristic: the reason we call it characteristic and not just biometrics is that there are two main categories of characteristics that we can look at for authentication. Physiological characteristics are what make up our physiology, our bodies, and are therefore often referred to as biometrics. It's pretty obvious what most of these physiological characteristics are looking at: our fingerprints. Hand geometry is looking at the overall dimensions of our hands. Vascular pattern scanners are looking at our vein patterns, often on the back of our hands. When you take the CISSP exam you are likely to encounter a vascular scanner, as many of the Pearson VUE testing centers use them as part of the registration process before you can take the exam; they want to make sure that if you step out during the exam to take a break, it is you coming back into the room and not someone you've hired to write the test for you. Facial scanners look at our faces. Iris scanners look at the colored ring of our eye, the outside of our eyeball. Retinal scanners, on the other hand, look at the vein pattern on the back of our eyeballs, the inside of our eyeballs. Retinal scanners are typically considered to be the most accurate of the biometric systems.

Behavioral characteristics are how we act, how we do certain things: how we speak, type and walk. Voice systems analyze the way we speak, the minutiae of our voice. Signature systems look at how we write, how we sign our name for example. Keystroke dynamics look at how we type, characteristics such as dwell time and flight time. And gait dynamics look at how we walk.

When a biometric system collects a sample for a user, for example their fingerprint scan, facial scan, etc., the data will be processed to look for unique characteristics, and a mathematical representation of the user's unique biometric data will be created. This unique mathematical representation is called a biometric template. Templates can be used in a couple of major ways: in one-to-N, in other words one-to-many, lookups for identification, and in one-to-one direct comparisons for authentication.

A challenging aspect of biometric systems for authentication is that they are not binary, and by that I mean they are not 100% sure that it is a valid user, and not 100% sure that it is an invalid user trying to authenticate. As such, we have to deal with two types of errors related to biometric systems. The first is a Type I error, a false reject: this is where a valid user is falsely rejected. A Type II error, a false accept, is the inverse: this is where an invalid user, say an attacker, is falsely authenticated and given access. Not good; we really don't want Type II errors. The final piece here related to authentication by characteristic is the crossover error rate. Type I and Type II errors are inverse to each other: if you graph them, you would see that the line for Type I errors will intersect the line for Type II errors, and where they intersect is aptly named the crossover error rate, or equal error rate. The crossover error rate is a good measure of the overall accuracy
of a biometric system.

We've now discussed the three factors of authentication: knowledge, ownership and characteristic. Single-factor authentication is simply using one of these factors. Multi-factor authentication means using two or more different factors of authentication. The authenticator assurance levels (AALs) are a model for measuring the robustness, the security, of an authentication process. There are three levels: AAL1 is the least secure and AAL3 is the most secure. Just-in-time access is an access control strategy where a user's access to a system is granted exactly when needed and only for the duration required to complete a specific task. Essentially, instead of having constant access at all times, users are granted permissions dynamically when they need to use them, and these permissions are revoked once the task is completed. Very cool idea.

Now let's talk about authorization. This is where we define a user's specific access within the system, what they are authorized to access, and this is where we apply principles like least privilege and need to know. The first access control philosophy is known as discretionary access, and the defining characteristic of discretionary access is that the owner of the system is deciding who is authorized to access what. This is a very good security practice, as owners best understand their systems and are accountable for the security of their systems. Within discretionary access we have rule-based access control: just a list of rules, or a file, an ACL, an access control list. That's all rule-based access control is, very simple. Role-based access is where we create roles, define the access for these roles, and then assign one or more roles to a user; the roles assigned to a user define the user's access. There are four major types of RBAC, role-based access, that you should be familiar with. Non-RBAC means there is no role-based access control. Limited RBAC means that within specific applications you can create roles, and the role within an application will only define a user's access in that application. Hybrid RBAC is where you get to the point that you can create a role and through that role you can define a user's access to multiple different systems, but not every application across the organization is integrated into the role-based access system. Which brings us to full RBAC: full RBAC means that through a role you could grant a user access to any application across the organization. Most companies don't get to full RBAC and instead use limited or hybrid RBAC. And attribute-based access, sometimes referred to as context-based access control, is where we look at a series of different attributes to make an authorization decision: source IP address, geolocation, OS type, classification of the asset being accessed, what exactly the user is doing, what their role is, etc.

The next access control philosophy is known as non-discretionary. Recall discretionary means the owner decides, so non-discretionary means someone other than the owner decides who is authorized to access what, like an IT help desk person. This is not good security practice. The last and final access control philosophy is known as mandatory. Mandatory access control means the system decides, based on the security clearance of users and the classification of assets. Labeling is an important requirement for mandatory access control.

The final and most important access control service is accountability. To have security we must ensure users are accountable for their actions on a system. Because accountability is the most important access control service, we give it a special name: the principle of access control. So remember, the
principle of access control is accountability, and accountability is the principle of access control.

The final piece here is session management. Whenever a user has identified themselves, been authenticated and been authorized into a system, this begins a session. Session management is all about managing these sessions to ensure they are secure. The major risk we are concerned with related to sessions is session hijacking.

All right, that's an overview of access control within Domain 5. As you're no doubt seeing as you go through these mind map videos, there is an immense amount of information across a huge number of topics that you need to know to pass the CISSP exam. A huge challenge most people like yourself face is figuring out what you need to focus on: what exactly do you already know, and what exactly do you need to focus on in your studies across all eight domains. This is a problem we have solved for our students. As you work through our CISSP MasterClass, the system automatically builds an extremely detailed, personalized guide for you that will show you exactly which domains you need to focus on, which sections within a domain, and which topics within a section you need to focus on. And the absolute best part is that our system then automatically gives you access to all of our high-quality study materials for each topic. We show you exactly what you need to study and provide all the study materials you need to confidently pass the CISSP exam. You can learn more about our CISSP MasterClass at destcert.com/cissp; the link is in the description below as well.
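The review above describes synchronous and asynchronous tokens only in words. The following is an added worked example, not code from the video or from Destination Certification: a standard-library Python implementation of a synchronous one-time password (HOTP/TOTP as in RFC 4226 and RFC 6238) with a server-side verify that tolerates clock drift, beside an HMAC-based challenge-response exchange for the asynchronous case. The shared secret is the RFC test-vector key and is constructed; the eight-hex-character challenge response format is an assumption for illustration, not any vendor's scheme.

```python
"""Added example (not from the video): how synchronous and asynchronous
one-time-password tokens work. Standard library only. The shared secret is
the RFC 4226 / RFC 6238 test-vector key and is constructed, not a real key."""
import hashlib
import hmac
import secrets
import struct

SHARED_SECRET = b"12345678901234567890"  # constructed; both token and server hold it
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP, the synchronous case: token and server both derive the
    counter from the clock, so they produce the same code every `step` seconds."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def new_challenge() -> bytes:
    """Asynchronous case, server side: a fresh random challenge per login."""
    return secrets.token_bytes(16)


def respond_to_challenge(secret: bytes, challenge: bytes) -> str:
    """Token side: the user keys the challenge into the token, which answers
    with a short code derived from the shared secret and the challenge
    (8 hex characters is an assumed format for this example)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected answer for the challenge it issued.
    A captured response is useless later because the next challenge differs."""
    return hmac.compare_digest(respond_to_challenge(secret, challenge), response)


if __name__ == "__main__":
    t = 59                      # RFC 6238 test time: 59 // 30 == counter 1
    print("synchronous code at t=59:", totp(SHARED_SECRET, t))    # 287082
    print("accepted:", verify_totp(SHARED_SECRET, "287082", t))
    chal = new_challenge()
    answer = respond_to_challenge(SHARED_SECRET, chal)
    print("challenge-response accepted:", verify_response(SHARED_SECRET, chal, answer))
```

The verify window is the practical detail the transcript skips: a synchronous token is only "synchronized" to within a step or two of drift, so the server checks neighbouring counters rather than just the current one, and the wider the window the more codes an attacker may guess against.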
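The biometric error discussion above (Type I false reject, Type II false accept, crossover error rate) is easier to see with numbers. This is an added example, not from the video: the matcher scores for genuine users and impostors are constructed, and the code sweeps the acceptance threshold, computes FRR and FAR at each point, finds where the two curves cross, and shows the high-security tuning the transcript implies when it says we "really don't want Type II errors".

```python
"""Added example (not from the video): Type I / Type II error rates and the
crossover (equal) error rate from constructed biometric matcher scores."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1], higher = closer match to the
# enrolled template. Real values come from the matcher; these are made up.
GENUINE_SCORES = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.40, 0.45, 0.50, 0.55, 0.60, 0.65, 0.70]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Type I error: share of valid users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Type II error: share of impostors whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curves(genuine, impostor) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) at every candidate threshold, i.e. the two curves
    you would plot against each other."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor) -> Tuple[float, float]:
    """Threshold where the FRR and FAR curves cross, and the rate there.
    A lower CER means a more accurate system overall."""
    t, frr, far = min(error_curves(genuine, impostor),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def threshold_for_max_far(genuine, impostor, max_far: float) -> Tuple[float, float, float]:
    """High-security tuning: the loosest threshold whose FAR is at most
    `max_far`, with the FRR you pay for it (Type II errors traded for Type I)."""
    for t, frr, far in error_curves(genuine, impostor):
        if far <= max_far:
            return t, frr, far
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, frr, far in error_curves(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FRR {frr:.1f}  FAR {far:.1f}")
    print("crossover:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0.1:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```

With these constructed scores the curves cross at a threshold of 0.60, where both error rates are 0.30; tightening to a FAR of 0.10 pushes the threshold to 0.70 and the false reject rate to 0.50, which is the trade-off the crossover error rate summarizes in a single number.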
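The authorization section above names four philosophies (discretionary with ACLs and roles, attribute-based, non-discretionary and mandatory) without showing what a decision looks like under each. The following is an added example, not from the video: one small decision function per model. The users, roles, departments, labels and policy rules are constructed; the mandatory check assumes the Bell-LaPadula "no read up, no write down" rules as the label comparison, which the transcript does not name.

```python
"""Added example (not from the video): one authorization decision under each
access control philosophy in the review. Users, roles, labels and rules are
all constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Set


# ---- Discretionary (DAC): the object's owner decides, via an ACL ---------
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permissions

    def grant(self, actor: str, user: str, perm: str) -> bool:
        """Only the owner may edit the ACL; that is what makes it discretionary."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# ---- Role-based (RBAC): permissions hang off roles, users hold roles -------
ROLE_PERMS = {  # constructed role definitions
    "analyst": {"ticket:read", "ticket:comment"},
    "engineer": {"ticket:read", "ticket:comment", "ticket:close"},
    "auditor": {"ticket:read", "audit:read"},
}


def rbac_allows(user_roles: Set[str], perm: str) -> bool:
    """A user's access is the union of what their roles allow."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


# ---- Attribute-based (ABAC): subject, object, action and context attributes
def abac_allows(subject: dict, obj: dict, action: str, context: dict) -> bool:
    """Constructed policy: same department, request from the internal 10/8
    network, during working hours, and writes only for engineers."""
    return (
        subject["department"] == obj["department"]
        and context["src_ip"].startswith("10.")
        and 8 <= context["hour"] < 18
        and (action == "read" or subject.get("role") == "engineer")
    )


# ---- Mandatory (MAC): the system compares labels; nobody can waive them ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(clearance: str, classification: str, action: str) -> bool:
    """Label comparison using the Bell-LaPadula rules (assumed here as the
    MAC model): read only if clearance dominates the object's classification
    (no read up); write only if the object's label dominates the subject's
    clearance (no write down)."""
    subject_level, object_level = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subject_level >= object_level
    if action == "write":
        return object_level >= subject_level
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC bob read:", doc.allows("bob", "read"), "write:", doc.allows("bob", "write"))
    print("RBAC analyst close:", rbac_allows({"analyst"}, "ticket:close"))
    print("ABAC off-network read:", abac_allows(
        {"department": "secops", "role": "analyst"}, {"department": "secops"},
        "read", {"src_ip": "203.0.113.7", "hour": 10}))
    print("MAC confidential user reads secret:", mac_allows("confidential", "secret", "read"))
```

The contrast worth noticing is who can change the answer: in the DAC object only the owner edits the ACL, in RBAC an administrator edits role definitions, in ABAC the policy rules, and in MAC nothing short of relabeling the subject or object changes the outcome, which is why labeling is a requirement there.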
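The review closes its technical content with session management and session hijacking but does not say what managing a session securely involves. This is an added example, not from the video: a server-side session store with the controls that blunt hijacking and fixation. The timeouts, the client fingerprint and the users are constructed for illustration, and the injectable clock exists only so expiry can be exercised deterministically.

```python
"""Added example (not from the video): a server-side session store with the
controls that reduce session hijacking risk. Timeouts, the client
fingerprint and the users are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    client_fp: str     # constructed: e.g. hash of User-Agent plus TLS details
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, user: str, client_fp: str) -> str:
        """Session IDs come from a CSPRNG with 256 bits of entropy, so an
        attacker cannot guess or enumerate them."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, client_fp, now, now)
        return sid

    def rotate(self, old_sid: str, user: str, client_fp: str) -> str:
        """Issue a new ID when the user authenticates: an ID planted before
        login (session fixation) never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user, client_fp)

    def lookup(self, sid: str, client_fp: str) -> Optional[str]:
        """Return the session's user, or None if the ID is unknown, timed out,
        or presented by a client that does not match the one that created it."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        if not secrets.compare_digest(sess.client_fp, client_fp):
            self._sessions.pop(sid, None)   # stolen ID on another client: kill it
            return None
        sess.last_seen = now
        return sess.user

    def revoke(self, sid: str) -> bool:
        """Logout / forced termination invalidates the ID server-side."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous", "fp-A")
    sid = store.rotate(anon, "alice", "fp-A")     # login: new ID, old one dead
    print("old id still valid:", store.lookup(anon, "fp-A"))
    print("same client:", store.lookup(sid, "fp-A"))
    print("other client:", store.lookup(sid, "fp-B"))
```

In a web application the ID would travel in a cookie flagged Secure, HttpOnly and SameSite so it is neither sent in clear text nor readable by injected script; the store above covers the server-side half of the problem: unguessable IDs, rotation at authentication, bounded lifetime, a binding check, and revocation.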