19 jun. 2014

CISSP: Access Control

Flow of information between subject (active entity) and object (passive entity)
Subjects: Clearance, capability
Object: Clasiffication, ACL

Principles:
Least privilege:
Separation of duties:


Identification:
Authentication
Authorization:
Accountability:

Controls types:
Administrative
Technical (logical)
Physical

Controls categories:
Directive:
Preventive:
Detective:
Corrective:
Recovery:
Deterrent:

Types:

Mandatory Access Control (MAC): Use labels
Discretionary Access Control (DAC)
Non-discretionary Access Control

Type I: Something you Know
Type II: Something you Have
Type III: Something you Are

Biometric:
Retina: Change over time, Invasion privacy
Iris: Remains (comparatively), not invasive
Minutiae:
Type I Error: FRR (False Reject Rate)
Type II Error: FAR (False Acceptance Rate)
CER (Crossover Error Rate) or Equal Error rate

Single Sign On (SSO)
Pro:
Cons:

Kerberos:
Symetric crypto
KDC
AS
TGT
TGS

SESAME:

KRYPTONIGHT

Directory Services:

Access Control Methodologies:

Centralized:
RADIUS:
DIAMETER:
CALLBACK:
CHAP
TACACS+

Smart Cards:
Contact
Contactless
Combi card

Identity Management:
Directory based
Web access management
Password management
Account management

Provisioning
Profile update

Threats:
Computing: DDOS, Unauthorized software, Software defects
Physical: Unauthorized access, electronic emanations
Personal: Social engineering

No hay comentarios.:

Publicar un comentario