CISSP Note (Domain 1: Access Control) – Let’s look at Controls

November 18, 2009 · Posted in Information Security 

Controls – are safeguards or countermeasures to avoid, counteract or minimize security risks. To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident.

  • Preventative – prevent harmful occurrence
  • Detective – detect after harmful occurrence
  • Corrective – restore after harmful occurrence

Controls can be

  • Administrative – policies & procedures
  • Logical & Technical – restricted access
  • Physical – locked doors

Planning to take the CISSP Exam?

Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00.

Click the Add To Cart Button to Purchase

Click the Add To Cart Button to Purchase

Plus you will also get copies of notes from other CISSPs.

Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM.

CLICK BELOW TO MAKE YOUR PURCHASE NOW.

All Purchases are securely processed through Paypal.

IMPORTANT NOTICE:

I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECIEVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.

Three types of access rules

1. Mandatory Access Control (MAC)

  • Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate subject’s clearance and classification or sensitivity of the object
  • Every object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object
  • Access depends on roles and not by the identity of the subjects or objects alone
  • Only administrator (not owners) may change category of a resource – Orange book B-level
  • Output is labeled as to the sensitivity level
  • Unlike permission bits or ACLs, labels cannot ordinarily be changed
  • Can’t copy a labeled file into another file with a different label
  • Rule-based Access Control

2. Discretionary Access Control (DAC)

  • Subject has authority, within certain limits, to specify what objects can be accessible (e.g. use of ACL)
  • User-directed means a user has discretion
  • Identity-based or control is based on the subjects identity
  • Commonly used in commercial sector for its flexibility
  • Orange Book C Level
  • Relies on object owner to control access
  • Identity based AC

3. Non-Discretionary Access Control

  • Central authority determines what subjects can have access to certain objects based on organization’s security policy (good for organizations with high turn-over)
  • May be based on the individual’s role in the organization (Role-based) or the subject’s responsibilities or duties (Task-based)

Lattice Based

  • Provides least access privilege of the access pair
  • Access defined as either lower bound or upper bound

Administrative Controls

  • Preventative Controls
    • Policies and procedures
    • Pre-employment background checks
    • Strict hiring practices
    • Employment agreements
    • Friendly & unfriendly termination procedures
    • Vacation scheduling
    • Labeling of sensitive materials
    • Increased supervision
    • Security awareness training
    • Behavior awareness
    • Sign-up procedures to obtain access to information systems and networks
  • Detective Controls
    • Policies and procedures
    • Job rotation
    • Sharing of responsibilities

Technical Controls

  • Preventative Controls
    • Logical system controls
    • Smart cards
    • Bio-metrics
    • Menu shell
  • Detective Controls
    • IDS
    • Logging
    • Monitoring
    • Clipping levels

Physical Controls

  • Preventative Controls
    • Restricts physical access
    • Guards
    • Man-trap
    • Gates
  • Detective Controls
    • Motion detectors
    • Cameras
    • Thermal detectors
Bookmark and Share

Thought you should know, etc... Update

When Reality Hits - Project Managers Roll With It

When Reality Hits - Project Managers Roll With It By Project Manage This One of the top challenges new PM types face is facing, and then dealing, with reality. That point in the project when things just aren’t going as planned… At the beginning of the project your Gantt view is a work of art – each dependency [...

The question: Is the Mainframe still the "right answer" for your business?

(Posted February 11, 2012) The short answer is  A B S O L U T E L Y  . . . In fact, why would risk your corporate future on anything else!!!! When the question “Why is System z essential to your business?” is presented, Terrie Jacopi, Program Director, DB2 for z/OS...

Exit...Stage Left

I’ve changed houses.  Instead of Suzhou, Jiangsu, China, I’mon the Southern Outer Banks of North Carolina.  Instead of skyscrapers, cranes and car horns honking, it’slittle buildings, quaint shops and a Jimmy Buffet-like atmosphere… 

“Welcome back Sanity…you werea missed chum...

Project Management Lite: Estimating–Preparing non-human Resource Cost Estimates

1. Objective •    To produce estimates of the non-human resource costs of the project (computer hardware, communications hardware, systems software, package software, etc.). 2. Responsibilities •    The Project M...

What Email Faux Pas Do You Commit?

Email—it’s a part of our everyday lives as business people.  Do you send emails that your co-workers take seriously?  Do you find some incoming emails off putting?  This humorous video by -->

Tags: no tags

Comments

Leave a Reply




  • Your Shopping Cart

    Your cart is empty

  • Calendar

    November 2009
    M T W T F S S
    « Oct   Dec »
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    3031  

  • RSS From the National Vulnerability Database

    • CVE-2011-3958 (chrome) February 7, 2012
      Google Chrome before 17.0.963.46 does not properly perform casts of variables during handling of a column span, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. […]
      nvd@nist.gov
    • CVE-2012-1033 (bind) February 7, 2012
      The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a cache update policy, which allows remote attackers to trigger continued resolvability of domain names that are no longer registered via an unspecified "Ghost Names exploit." […]
      nvd@nist.gov
    • CVE-2011-3971 (chrome) February 7, 2012
      Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to mousemove events. […]
      nvd@nist.gov
    • CVE-2011-3954 (chrome) February 7, 2012
      Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service (application crash) via vectors that trigger a large amount of database usage. […]
      nvd@nist.gov
    • CVE-2011-3970 (chrome, libxslt) February 7, 2012
      libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. […]
      nvd@nist.gov
    • CVE-2012-0926 (realplayer, realplayer_sp) February 7, 2012
      The RV10 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, does not properly handle height and width values, which allows remote attackers to execute arbitrary code via a crafted RV10 RealVideo video stream. […]
      nvd@nist.gov
    • CVE-2011-3969 (chrome) February 7, 2012
      Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to layout of SVG documents. […]
      nvd@nist.gov
    • CVE-2011-3956 (chrome) February 7, 2012
      The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension. […]
      nvd@nist.gov
    • CVE-2011-3968 (chrome) February 7, 2012
      Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving Cascading Style Sheets (CSS) token sequences. […]
      nvd@nist.gov
    • CVE-2012-1035 (ada_web_services) February 7, 2012
      AdaCore Ada Web Services (AWS) before 2.10.2 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. […]
      nvd@nist.gov
Get Adobe Flash playerPlugin by wpburn.com wordpress themes