Thursday, July 15, 2010

CISSP - Access Control

Access Control

Role Based (Non-discretionary) vs Discretionary Access Control

Discretionary Access Control allows the owner to manage the permissions on their own resources. In theory this is a good idea, but most owners aren't proficient enough to manage the security of their resources effectively, and it usually isn't a priority for them either. A typical example is granting permissions to new users but never removing the old users.

Role Based Access Control is very similar, but permissions are assigned to a role rather than to individual users. An administrator can then manage security by assigning users to their appropriate roles and giving each role the necessary permissions. The key distinction, besides the obvious one, is that under DAC only the owner can make the changes.

Detective Access Control

CRC is a Detective Access Control because it detects that the integrity has been breached.

Preventive vs Deterrent: a 4 foot fence is a deterrent, an 8 foot fence is preventive. I would argue that deterrent is a subset of preventive.

Types of Authentication

Type 1, 2, 3 - something you know, something you have, something you are

Biometrics

Accuracy of biometrics: Fingerprint > Palm Scan > Hand Geometry > Retina Scan > Iris Scan

A Zephyr Chart is used to compare different biometric systems (by factoring in user acceptance, etc.). When comparing like systems, use the CER (Crossover Error Rate - the point where FRR meets FAR), AKA EER (Equal Error Rate).

The lower the CER, the better.

Type 1 error = FRR (False Rejection Rate) = annoying

Type 2 error = FAR (False Acceptance Rate) = breach
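To make the FRR/FAR/CER relationship concrete, here is an added Python example (not from the original post) that sweeps a decision threshold over constructed genuine and impostor match scores, computes the Type 1 and Type 2 error rates at each threshold, and finds the crossover point; the score values are invented for illustration.

```python
"""Find the Crossover Error Rate (CER/EER) of a biometric matcher from its
genuine and impostor match scores. Added example, not from the original
notes; the score samples below are constructed for illustration."""

# Constructed similarity scores (0-100). Higher means a closer match.
GENUINE_SCORES = [62, 70, 75, 78, 80, 83, 85, 88, 90, 95]   # same person
IMPOSTOR_SCORES = [20, 35, 40, 48, 55, 60, 66, 72, 77, 82]  # different people


def frr(threshold, genuine=GENUINE_SCORES):
    """Type 1 error: fraction of genuine users rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type 2 error: fraction of impostors accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, cer). Raising the threshold lowers FAR but raises FRR, so
    the gap |FRR - FAR| shrinks to a minimum and grows again; the threshold
    at that minimum is the crossover point and the CER is the error rate
    there (averaged in case the two curves do not meet exactly)."""
    candidates = sorted(set(genuine) | set(impostor))
    best_t, best_gap, best_cer = None, None, None
    for t in candidates:
        accept, reject = far(t, impostor), frr(t, genuine)
        gap = abs(accept - reject)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (accept + reject) / 2
    return best_t, best_cer


def better_system(cer_a, cer_b):
    """Lower CER is better: return 'A', 'B', or 'tie'."""
    if cer_a == cer_b:
        return "tie"
    return "A" if cer_a < cer_b else "B"


if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print(f"threshold={t} FRR={frr(t):.2f} FAR={far(t):.2f} CER={cer:.2f}")
```

Tuning the threshold above the crossover trades more Type 1 annoyance for fewer Type 2 breaches, which is the usual choice for a high-security door.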

LEAP: Cisco proprietary version of EAP

CVE: Common Vulnerabilities and Exposures

Policies are high level and do not say how.

MITM: Man in the Middle

ACLs are used in Discretionary Access Control. On the CISSP exam, think decentralized workgroup file ACLs (NOT centralized AD ACLs).

Enticement vs Entrapment: You entice someone that is committing a crime to do something that you can record to catch them. Entrapment is 'enticing' someone to commit the crime in the first place. The line can get gray quickly - entrapment is illegal/unethical and serves as a defense for the criminal.

SESAME is an asymmetric-key version of SSO (comparable to Kerberos).

Biba (Integrity - no write down)

Attacks

Rainbow Table: precomputed password hashes - trades a big file for computing time

SATAN was the first vulnerability scanner - later renamed SANTA

Superzapping - program that bypasses normal security

Smurf - pings hosts across a network with a spoofed source address so that the spoofed source (the victim) is overwhelmed by the replies

LAND - a SYN packet with the source and destination IP and port both set to the target (most NICs are no longer vulnerable to this)

TRINOO - an early botnet-style tool that was part of the Yahoo DDoS attack of 2000

SYN attack - AKA half-open attack - the target runs out of memory while trying to keep track of an endless stream of half-open TCP sessions

Chargen - Character Generator - can be used to cause systems to go into an infinite loop talking to themselves.

Ping of Death - ICMP packets that are larger than allowed

Fraggle - written by the same author as Smurf - similar to Smurf, only it uses echo instead of ping

Teardrop - crashes a victim by sending malformed IP fragments that are oversized and/or overlapping

MEME - hoax - usually a chain letter that relies on victims forwarding it throughout the internet

EICAR - used to verify the functionality of antivirus software. Simply a harmless signature that all vendors flag for test purposes
