CISSP Exam Note (Domain 1: Access Control) – Centralized & Decentralized, etc…

November 23, 2009 · Posted in Information Security, Information Systems 

Access Control – Centralized and Decentralized

Centralized Access Control – all of the core access functions, Authentication, Authorization, and Accountability (AAA), are performed from a single central location.

  • RADIUS – Remote Access Dial-In User Service (incorporates an AS and dynamic password)
  • TACACS – Terminal Access Controller Access Control System (for network applications, static passwords)
  • TACACS+ – Terminal Access Controller Access Control System Plus, supports token authentication

CHAP – Challenge Handshake Authentication Protocol

  • Supports encryption, protects password

Decentralized Access Control – generally requires medium to large workgroups of individuals and carries a correspondingly higher administrative overhead. In a decentralized environment, maintaining homogeneity of equipment and services becomes increasingly difficult in proportion to the number of access control points. Changes made on individual systems take effect locally, instead of having the wide-reaching consequences and effects of a change to a single centralized system.

Planning to take the CISSP Exam?

Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00.

Click the Add To Cart Button to Purchase

Plus you will also get copies of notes from other CISSPs.

Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM.

CLICK BELOW TO MAKE YOUR PURCHASE NOW.

All Purchases are securely processed through Paypal.

IMPORTANT NOTICE:

I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECEIVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.

Relational Database Security

  • Relational databases support queries
  • Object-oriented databases do not support queries

Relational Database

  • Data structure called tables (relations)
  • Integrity rules on allowable values
  • Operators on the data in tables

Persistency – preservation of integrity through the use of non-volatile storage media

Schema

  • Description of the database
  • Defined by Data Description Layer (DDL)

Database Management System (DBMS)

  • Provides access to the database
  • Allows restriction of access

Relational Database

  • The relation, represented as a table, is the basis of a relational database
  • Rows – records (tuples)
  • Columns – attributes

Primary Key

  • Unambiguously identifies a record, i.e. points to exactly one record (tuple)
  • Every row (record, tuple) must contain the primary key of the relation (table)

Cardinality – number of rows (tuples) in a relation (table)

Degree – number of columns (attributes) in a relation (table)

Candidate Key – any identifier that is unique to the record

Foreign Key – any value that matches the primary key of another relation (table)

Relational Database – best suited for text

Relational Database Operations

  • Select – based on criteria, e.g. all items with value > $300.00
  • Join – join tables based on a common value
  • Union – forms a new relation (table) from two other relations
  • View – (virtual table) uses join, project, select – views can be used to restrict access (least privileges)
  • Query plan
    • Comprised of implementation procedures; the lowest-cost plan is chosen based on “cost”
    • Costs are CPU time, Disk Access
    • Bind – used to create plan

Data Normalization

  • Ensures that attributes in a table rely only on the primary key
  • Eliminates repeating groups
  • Eliminates redundant data
  • Eliminates attributes not dependent on the primary key

SQL – Structured Query Language

  • Select
  • Update
  • Delete
  • Insert
  • Grant – Access Privileges
  • Revoke – Access Privileges
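The two ideas above, a view that restricts access by project/select/join and GRANT/REVOKE as the SQL privilege statements, come together in the following added example. It is not from the original notes; the tables, view and role names are assumed, and the syntax is PostgreSQL.

```sql
-- Added example (not part of the original notes): enforcing least privilege
-- with a view plus GRANT/REVOKE. Assumed schema: "employees" and "departments"
-- base tables, a "dept_directory" view and a "directory_reader" role.

CREATE TABLE departments (
    dept_id   INTEGER PRIMARY KEY,          -- primary key of the departments relation
    dept_name VARCHAR(60) NOT NULL
);

CREATE TABLE employees (
    emp_id    INTEGER PRIMARY KEY,          -- primary key: identifies exactly one tuple
    dept_id   INTEGER NOT NULL REFERENCES departments(dept_id),  -- foreign key
    full_name VARCHAR(100) NOT NULL,
    email     VARCHAR(100) NOT NULL UNIQUE, -- candidate key: also unique per record
    salary    NUMERIC(10,2) NOT NULL,       -- sensitive: must not reach the directory role
    ssn       CHAR(11) NOT NULL             -- sensitive: must not reach the directory role
);

-- The view is a virtual table built from SELECT (row filter), PROJECT (column
-- list) and JOIN (departments). It stores no data, only the query, so the
-- sensitive salary and ssn columns are simply absent from what the role sees.
CREATE VIEW dept_directory AS
    SELECT e.emp_id, e.full_name, e.email, d.dept_name
    FROM employees e
    JOIN departments d ON d.dept_id = e.dept_id
    WHERE d.dept_name <> 'Executive';           -- constructed row-level rule

-- Grant the privilege on the view only. In PostgreSQL a view runs with its
-- owner's privileges, so the role needs no rights on the base tables at all.
CREATE ROLE directory_reader;
GRANT SELECT ON dept_directory TO directory_reader;

-- Defensive check: remove any earlier grant on the base tables that would let
-- the role bypass the view (a common finding in access reviews).
REVOKE ALL PRIVILEGES ON employees, departments FROM directory_reader;

-- Resulting behaviour for directory_reader:
--   SELECT full_name, dept_name FROM dept_directory;   -- allowed
--   SELECT salary FROM employees;                       -- ERROR: permission denied
```

Auditing the effective privileges afterwards (for example by querying the database's privilege catalog) confirms that the role holds SELECT on the view and nothing on the underlying tables.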

Object Oriented Databases – OODB

  • Best suited for multimedia, graphics
  • Steep learning curve
  • High overhead

Intrusion Detection

  • Network based
  • Real time
  • Passive

Host Based

  • System and event logs
  • Limited by log capabilities

Signature Based – Knowledge Based

  • Signatures of known attacks are stored and referenced
  • Fails to recognize slow attacks
  • An attack can only be identified if its signature is stored

Statistical Anomaly Based (Behavior Based)

  • IDS builds a “normal” usage profile from statistical samples
  • Detects anomaly from the normal profile

Access Control Issues

  • Confidentiality
  • Integrity
  • Availability
  • Accountability of users

Measures that compensate for both internal and external access violations

  • Backups
  • RAID – Redundant Array of Inexpensive Disks
  • Fault Tolerance
  • Business Continuity Planning
  • Insurance