MindMap Gallery CISSP-5-Access Control
CISSP (Certified Information Systems Security Professional) mind map. Main contents: access control steps, access control applications, access control markup languages, access control models (authorization), access control methods, access control administration methods, and access control management.
Edited at 2021-11-10 12:03:57
Access control
concept
Goal: Protect against unauthorized access
Use of system resources by illegal users
Illegal use of system resources by legitimate users
Concept: access control is a security mechanism that governs how users and systems communicate and interact with other systems and resources
effect
Protect confidentiality, integrity, availability
Confidentiality
Prevent leakage of sensitive information
Integrity
illegal tampering
Unauthorized modification
Internal and external information consistency
Availability
Reliable and timely access to resources
Access control steps
Identification: the subject provides identification information
Claims a user identity
elements
Uniqueness: unique within a control environment for easy auditing
Non-descriptive: the identifier should not reveal the user's position or role
Features:
The first step in access control
unique identifier
Prerequisites for traceability
Authentication: verify the claimed identification information
Verify the user's identification information
Something you know (something you can remember)
Password
Static, fixed length
Passphrase
Transformed into a virtual password; usually longer than a password
Cognitive password
Based on facts or opinions the person knows
Example:
Credit card repayment date and other information
School attended or mother's maiden name
There can be multiple cognitive information combinations
Something you have
Memory card
Stores information but cannot process it
smart card
Contains microprocessors and integrated circuits, with information processing capabilities
Classification:
Contact
Has a gold contact pad on the surface
Requires power and data I/O from the reader
Contactless
Has an antenna around its edge
Power is provided by the electromagnetic field when the card enters the reader's range
Smart card attacks
Side-channel attack: a non-intrusive attack that uncovers sensitive information about how the card operates (power, timing, emissions) without exploiting any flaw or weakness
Smart cards are more tamper-resistant
One-time password (OTP)
Also called a dynamic password; valid for a single authentication
Prevents replay attacks
Implementation: token device
synchronous mode
Counter synchronization: User presses the token device's button to initiate one-time password creation
Time synchronization: Token and server must have the same clock
asynchronous mode
challenge/response mechanism
Advantages and disadvantages:
If the user ID and token device are shared or stolen, they can be used fraudulently
Advantage: the user does not have to remember a password
Example: Token Device
SMS verification code
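To make the three token modes above concrete, here is an added Python example (not part of the mind map and not any vendor's token implementation): a counter-synchronous HOTP generator, a time-synchronous TOTP generator and a nonce-based challenge/response, each with the server-side check that enforces the one-time property. The seed, the look-ahead window and the drift window are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo seed (never hard-code a real token seed).
SEED = b"constructed-demo-seed-0123456789"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-synchronous OTP (RFC 4226 HOTP): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to a 31-bit integer, then modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous OTP (RFC 6238 TOTP): the counter is the number of `step`-second
    intervals since the Unix epoch, so token and server must share a clock."""
    return hotp(seed, int(now // step), digits)


class HotpVerifier:
    """Server side of counter synchronisation: a code is accepted only if it matches a
    counter ahead of the last consumed one (inside a look-ahead window), and the counter
    then moves forward so the same code cannot be replayed."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.look_ahead = look_ahead
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


class TotpVerifier:
    """Server side of time synchronisation: tolerates +/- drift_steps of clock skew and
    remembers the last accepted time step so a captured code cannot be replayed."""

    def __init__(self, seed: bytes, step: int = 30, drift_steps: int = 1):
        self.seed = seed
        self.step = step
        self.drift_steps = drift_steps
        self.last_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for s in range(current - self.drift_steps, current + self.drift_steps + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.seed, s), code):
                self.last_step = s
                return True
        return False


def challenge_response(seed: bytes, challenge: bytes) -> str:
    """Asynchronous mode: the server sends a fresh random challenge (nonce) and the token
    answers with an HMAC over it. No counter or clock needs synchronising, and an old
    response is useless because the nonce is never reused."""
    return hmac.new(seed, challenge, hashlib.sha256).hexdigest()


def verify_response(seed: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(challenge_response(seed, challenge), response)


if __name__ == "__main__":
    v = HotpVerifier(SEED)
    first = hotp(SEED, 0)
    print("counter-sync accept:", v.verify(first), "replay:", v.verify(first))
    t = time.time()
    tv = TotpVerifier(SEED)
    print("time-sync accept:", tv.verify(totp(SEED, t), t))
    nonce = secrets.token_bytes(16)
    print("challenge/response:", verify_response(SEED, nonce, challenge_response(SEED, nonce)))
```

The two verifiers are where the "can only be used once" property actually lives: the generator alone says nothing about replay, the server's record of the last consumed counter or time step does.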
Something you are / something you do
Physiological characteristics
face scan
Scans facial attributes and features, including bone structure, forehead and so on
Algorithm: local feature analysis (LFA)
Features
Low accuracy, high speed
High false acceptance and false rejection rates
Hand geometry
Geometric characteristics of the hand: information about the fingers and the shape of the whole hand
Includes: length, width and shape of the palm and fingers
Hand topography
Examines the peaks and valleys along the contour of the whole hand
Weakness: hand topography must be combined with hand geometry
Palm scan
The grooves, ridges and creases of the palm are unique
Includes the fingerprints of each finger
Fingerprint
Fingerprints consist of ridges, bifurcations and other very small features (minutiae)
Voice recognition
Differences in voice patterns
During enrollment the user speaks several words; at verification the words are jumbled and the user is asked to repeat them
retina scan
Scanning blood vessel patterns on the retina at the back of the eye
iris scan
The iris is the colored part of the eye that surrounds the pupil.
Irises have unique patterns, rifts, colors, rings, coronas and furrows
Feature: iris recognition is the most accurate biometric
Behavioral traits
Signature dynamics
The speed and manner of signing and the way the signer holds the pen
The physical motion of signing produces electrical signals that can be treated as a biometric
Keystroke dynamics
Captures the electrical signals produced while a specific phrase is typed: the speed and rhythm of the keystrokes
Strong authentication
Two-factor: two of the three factor types
Three-factor: all three factor types
Advantages and disadvantages of the three authentication factors
Something you know: economical, but easily used fraudulently
Something you have: suited to access to facilities or sensitive areas, but the item is easily lost
Something you are / something you do: based on physical characteristics and biometrics, hard for anyone else to use
Type I error (FRR): false rejection rate, rejecting an authorized individual (false positives)
Type II error (FAR): false acceptance rate, accepting an impostor who should have been rejected (false negatives)
Crossover error rate (CER): the point at which the false rejection rate equals the false acceptance rate
Authorization: determines what operations the subject may perform on the object
Access criteria
Role-based
Group-based
Based on physical or logical location
Based on time of day or time interval
Based on transaction type
Default to no access (deny by default)
Need to know
Principle of least privilege
Accountability (auditing): audit logging and monitoring to track user activity
Traceability / accountability
audit
security audit
Audit scope: system-level events, application-level events, user-level events
Audit content: time, place, tasks, what happened
Log retention period and size
Audit log protection (log integrity)
Log server
Write-once media
Use of logs
Manual check
automatic check
Log management
Keystroke monitoring
Purpose: audit a person and their activities
Access control application
Identity management (identity management)
Directory
Follows a hierarchical data structure based on the X.500 standard and protocols such as LDAP (Lightweight Directory Access Protocol)
Directory Services (DS)
Allows administrators to configure and manage identities, authentication, authorization, and access controls that appear on the network
Metadirectory
Connects to only one directory at a time
The metadirectory holds the identity data
Virtual directory
Connects to multiple data sources
Points to where the actual data resides
Identity repository
Large volumes of identity information, stored in identity management directories spread across the enterprise
Web access management (WAM)
Front-end control software that provides single sign-on and related functions
HTTP is stateless
Cookies and sessions to maintain application state
Password management (password management)
Password synchronization
Having only one password to maintain allows a stronger password
Weakness: single point of failure; if the password is obtained, all resources can be accessed
Self-service password reset
A reset link is sent after the user answers the questions registered at enrollment
Assisted password reset
Password is reset after the user authenticates to the help desk
Single sign-on (SSO)
Centralized identity store
One authentication grants access to multiple resources
Weakness: single point of failure; if the password is obtained, all resources can be accessed
SSO instance
Kerberos
Authentication protocol
Based on symmetric cryptography
An example of single sign-on in a distributed environment
Provides end-to-end security
Provides integrity and confidentiality; availability is not guaranteed
Main components:
Key Distribution Center (KDC)
Authentication Service (AS)
Ticket Granting Service (TGS)
Secret key: shared between the KDC and each principal (stored on the KDC)
Session key: shared between two principals, destroyed when the session ends
Weaknesses:
The KDC is a single point of failure
The secret key is temporarily stored on the user's workstation
The session key resides on the user's workstation
SESAME
Uses both symmetric and asymmetric cryptography
Main components:
Privileged Attribute Server (PAS)
Privileged Attribute Certificate (PAC), digitally signed
The PAC contains the subject's identity, its access capabilities for the object, the access period and the PAC's lifetime
The PAS plays a role similar to the KDC
Authentication Server (AS)
KryptoKnight
Ticket-based
Peer-to-peer (two-party) authentication
No clock synchronization required; uses nonces (one-time random numbers)
SAML
Web-based single sign-on
The standard for federated identity management
Security domain
Establishes trust between domains that share a unified security policy and management
IdP (identity provider)
SA: security assertion
Account management
Centralized account management, synchronized identity directory
Streamlines the approval and creation process for identities
federated identity
Sharing user information between multiple units
Identity as a Service (IDaaS) / SaaS IAM
Cloud-based identity broker and access management service (cloud IAM)
Identity management, access control, intelligent analysis
Can realize single sign-on, federated identity, fine-grained control, service integration, etc.
access control markup language
GML (Generalized Markup Language)
SGML (Standard Generalized Markup Language)
HTML (Hypertext Markup Language)
XML
SPML
Service Provisioning Markup Language (provisioning)
SAML (Security Assertion Markup Language) (implements web-based SSO)
An XML-based standard for exchanging authentication and authorization data between different security domains
IdP (Identity Provider)
If the third party (IdP) has a problem, all users are affected
XACML (eXtensible Access Control Markup Language)
Expresses security policies and access rights so that assets can be managed and controlled through web services and other applications
OpenID
OpenID is an open standard for user authentication by third parties
OAuth
An open standard (Open Authorization)
OAuth 2.0 uses access tokens
access control model (Authorization)
Discretionary access control (DAC)
Based on user authorization
Relies on the object owner's discretion
Type
Based on user and resource identity
Restrictions are applied directly to users
Shortcomings:
Not secure
Problems faced
Trojan horses
Social engineering
Mandatory access control (MAC)
MAC relies on security labels
Objects are given sensitivity labels (objects have a classification); only subjects whose clearance is not below the object's level are allowed access (the subject has a clearance, an inherent attribute)
Only administrators can change an object's level, not the object (data) owner
Used in higher-security settings: military and government agencies
Role-based access control (RBAC) (also known as non-discretionary access control, non-DAC)
Uses centralized access control to determine subjects' access to objects
Based on user roles
Features
Assigning permissions based on job responsibilities
Can be associated with organizational structure
Able to follow the principle of least privilege
Segregation of Duties
Users or groups are mapped to roles, and permissions are granted to the roles
category
Core RBAC
Users, roles, permissions, operations and sessions are defined and mapped according to policy
Hierarchical RBAC
Role relationships define user membership and permission inheritance
Reflects the organizational structure and functional descriptions
Type
Limited hierarchy
Single-level role inheritance
General hierarchy
Multi-level role inheritance
Constrained RBAC
Introduces separation of duties
Static separation of duties (SSD) in RBAC
Example: accountant and cashier
Prevents fraud
Dynamic separation of duties (DSD) in RBAC
Depending on the roles active in the session, dynamically restricts permissions for additional separation of duties
Rule-based access control (RuBAC)
Based on "if x then y" rules
Use specific rules to dictate what can and cannot happen between subjects and objects.
Rule-based access control is not necessarily identity-based
Many routers and firewalls use rules to determine which types of packets are allowed into the network and which are denied
Attribute-based access control (ABAC)
A newer model that addresses the shortcomings of RBAC: each resource and each user is assigned a set of attributes, and access to a resource is decided by evaluating the user's attributes (such as time, position and location) against the resource's. RBAC is a special case of ABAC.
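The RBAC and ABAC nodes above, worked as an added Python example (not from the mind map and not any product's implementation): hierarchical roles with single and multiple inheritance, static separation of duties checked at assignment time (the accountant/cashier pair from the page), dynamic separation of duties checked per session, default deny, and an attribute-based decision over clearance, department, location and time of day. The role names, permissions and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed roles and permissions (hypothetical names, not from any real system).
PERMISSIONS = {                 # permissions granted directly to each role
    "employee": {"read:handbook"},
    "accountant": {"post:ledger"},
    "cashier": {"disburse:cash"},
    "payment_requester": {"request:payment"},
    "payment_approver": {"approve:payment"},
    "finance_manager": {"view:reports"},
}
INHERITS = {                    # hierarchical RBAC: senior role -> junior roles it inherits
    "accountant": {"employee"},                              # limited hierarchy: single inheritance
    "cashier": {"employee"},
    "payment_requester": {"employee"},
    "payment_approver": {"employee"},
    "finance_manager": {"accountant", "payment_approver"},   # general hierarchy: multiple inheritance
}
# Constrained RBAC. Static SoD: the same user may never hold both (page example: accountant and cashier).
STATIC_SOD = [frozenset({"accountant", "cashier"})]
# Dynamic SoD: both may be assigned, but never active in the same session.
DYNAMIC_SOD = [frozenset({"payment_requester", "payment_approver"})]


def effective_roles(roles):
    """Expand roles through the hierarchy so a senior role carries its juniors' permissions."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(INHERITS.get(role, ()))
    return result


def effective_permissions(roles):
    perms = set()
    for role in effective_roles(roles):
        perms |= PERMISSIONS.get(role, set())
    return perms


def static_sod_ok(assigned_roles):
    """Administrative check at assignment time, evaluated over the expanded role set
    (so a finance_manager, who inherits accountant, may not also be a cashier)."""
    expanded = effective_roles(assigned_roles)
    return not any(pair <= expanded for pair in STATIC_SOD)


@dataclass
class Session:
    user: str
    assigned: set
    active: set = field(default_factory=set)

    def activate(self, role):
        """Activate a role for this session; refused if the role is not assigned or if it
        would bring both halves of a dynamic SoD pair into the same session."""
        if role not in self.assigned:
            return False
        proposed = effective_roles(self.active | {role})
        if any(pair <= proposed for pair in DYNAMIC_SOD):
            return False
        self.active.add(role)
        return True

    def allowed(self, permission):
        # Default deny: only permissions reachable from the session's active roles count.
        return permission in effective_permissions(self.active)


def abac_allowed(subject, resource, env):
    """Attribute-based decision: each rule compares subject, resource and environment
    attributes (clearance, department, location, hour of day); any failing rule means deny."""
    start_hour, end_hour = resource.get("hours", (0, 24))
    checks = [
        subject.get("clearance", 0) >= resource.get("sensitivity", 0),
        subject.get("department") == resource.get("owner_department"),
        env.get("location") in resource.get("allowed_locations", ()),
        start_hour <= env.get("hour", -1) < end_hour,
    ]
    return all(checks)
```

Note that both SoD checks run over the expanded role set, not the literal role names; without that, inheritance would quietly let a senior role bypass a constraint written against one of its junior roles.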
Access control methods
Access control matrix
Matrix table of access relationships between subjects and objects
Capability table (a row of the matrix)
Specifies the objects a subject can access
Takes the form of a ticket, token or key
Example: Kerberos tickets
Access control list (ACL) (a column of the matrix)
Specifies which subjects can access the object
A permissions table
Example: firewall and router configurations
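An added Python example (not from the mind map) of the matrix and its two views: the capability list is a row, the ACL is a column, and a lookup is default deny. It goes one step beyond the page and issues the capability as a MAC-protected bearer ticket, the Kerberos analogy the page draws, so a resource can verify rights without consulting the matrix; the matrix contents, object names and ticket key are constructed.

```python
import hashlib
import hmac
import json

# Constructed access control matrix: subject -> object -> set of rights.
# A missing entry means no access (default deny).
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "fw.conf": {"read"}},
    "bob":        {"payroll.db": {"read"}},
    "svc-backup": {"payroll.db": {"read"}, "fw.conf": {"read"}},
}
TICKET_KEY = b"constructed-demo-ticket-key"   # hypothetical key shared by issuer and resource


def capability_list(subject):
    """The subject's row of the matrix: every object it may touch and with which rights."""
    return {obj: set(rights) for obj, rights in MATRIX.get(subject, {}).items() if rights}


def acl(obj):
    """The object's column of the matrix: every subject allowed on it and its rights."""
    return {subject: set(row[obj]) for subject, row in MATRIX.items() if row.get(obj)}


def check(subject, obj, right):
    """Reference-monitor style lookup straight from the matrix; unknown means denied."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def issue_ticket(subject, obj, now, ttl=300):
    """Capability as a bearer ticket: the subject's rights on one object are serialized
    with an expiry and protected by an HMAC, so the resource can trust them without
    consulting the matrix itself."""
    rights = sorted(MATRIX.get(subject, {}).get(obj, set()))
    body = json.dumps({"sub": subject, "obj": obj, "rights": rights, "exp": int(now) + ttl},
                      sort_keys=True)
    tag = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def redeem_ticket(ticket, obj, right, now):
    """Resource side: verify the MAC first, then object, right and expiry. A right revoked
    in the matrix stays usable until the ticket expires; that is the classic capability
    weakness an ACL, which is changed in place, does not have."""
    body, _, tag = ticket.rpartition(".")     # the hex tag contains no '.', so the last one is the separator
    expected = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(body)
    return claims["obj"] == obj and right in claims["rights"] and int(now) < claims["exp"]


if __name__ == "__main__":
    print("capabilities of alice:", capability_list("alice"))
    print("ACL of payroll.db:    ", acl("payroll.db"))
    t = issue_ticket("bob", "payroll.db", now=1000)
    print("bob reads within TTL: ", redeem_ticket(t, "payroll.db", "read", now=1100))
    print("bob writes:           ", redeem_ticket(t, "payroll.db", "write", now=1100))
```

Keeping the ticket lifetime short is what bounds the revocation gap; the ACL column has no such gap because every decision reads the current matrix.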
Content-dependent access control
Access to the object depends on the object's content
Example: content-based filtering rules, packet-filtering firewall
Context-dependent access control
Access decisions based on context (state)
Example: stateful inspection firewall
Restricted user interfaces
Include:
Menus
Shells
Database views (CREATE VIEW)
Physically constrained interfaces
Access control management methods
Authentication protocol
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
Centralized access control administration
RADIUS
Combines authentication and authorization
Uses UDP
Encrypts only the password sent between the RADIUS client and the RADIUS server
TACACS (TACACS+)
Uses TCP
Supports dynamic passwords
Uses the AAA architecture: authentication, authorization and accounting (auditing) are separated
Encrypts all traffic between client and server
Diameter
Base protocol
Extension protocols
Built on the base protocol; can be extended to multiple services such as VoIP
Decentralized access control administration
Gives control to the people closest to the resource, who better understand who should and should not have access to particular files, data and resources
Comparison:
Centralized access control: a single point of failure, but uniform access control is efficient
Decentralized access control: relies on the owners' authorization decisions; no single point of failure, but lacks consistency
Access control management
category
management control
strategies and measures
personnel control
regulatory structure
Security awareness and training
test
physical control
network segmentation
perimeter security
computer control
Regional isolation
wiring
control area
technical control
system access
network architecture
network access
Encryption and protocols
audit
Accountability
The audit function holds users accountable for their actions, verifies that security policies are being enforced, and serves as an investigative tool
Access control monitoring
Intrusion detection system (IDS)
composition:
sensor
Analyzer
Administrator interface
Classification:
Network IDS (NIDS)
Monitor network communications
Host IDS (HIDS)
Analyze activity within a specific computer system
Signature-based IDS (prone to false negatives)
Effectiveness depends on updates to the signature database
Knowledge-based or signature-based IDS
Pattern matching against an existing database (knowledge base) of specific attack signatures
Stateful matching IDS
Tracks activity state before and during an intrusion and matches it against preset rules
Anomaly-based IDS (behavioral/heuristic) (prone to false positives)
Statistical anomaly IDS
Weakness: false positives
Strength: can detect zero-day attacks and "low and slow" attacks
The IDS must not be under attack while in learning mode; otherwise those attacks become part of the baseline and cannot be detected
Protocol anomaly IDS: the protocol (as used) itself is flawed
Traffic anomaly IDS
Builds a baseline of normal traffic
Rule-based IDS
Based on an expert system and "if x then y" rules
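The statistical and traffic anomaly nodes above, as an added Python example (not from the mind map and not any IDS product's logic): a baseline of records per minute is learned from constructed log lines, later minutes are scored as standard deviations above that baseline, and the same burst is then run against a baseline learned while bursts were already present, which is the learning-mode caveat stated above. The log format, addresses and counts are constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed flow-log format (hypothetical, not a real product's):
# "HH:MM:SS src=<ip> dst=<ip> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<minute>\d{2}:\d{2}):\d{2} src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def constructed_lines(counts_per_minute, hour=10):
    """Generate constructed log lines: counts_per_minute[i] records in minute i of `hour`."""
    lines = []
    for minute, n in enumerate(counts_per_minute):
        for i in range(n):
            lines.append(f"{hour:02d}:{minute:02d}:{i % 60:02d} "
                         f"src=10.0.0.{i % 5 + 1} dst=10.0.1.10 bytes={500 + i}")
    return lines


def requests_per_minute(lines):
    """Count parseable records per HH:MM; lines that do not match the format are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("minute")] += 1
    return counts


def learn_baseline(training_lines):
    """Learning mode: mean and population standard deviation of records per minute."""
    per_minute = list(requests_per_minute(training_lines).values())
    return mean(per_minute), pstdev(per_minute)


def detect(lines, baseline, threshold=3.0):
    """Flag minutes whose volume lies more than `threshold` standard deviations above the
    baseline. Returns (minute, count, z-score) tuples in time order."""
    mu, sigma = baseline
    sigma = max(sigma, 1e-9)        # a perfectly flat baseline would otherwise divide by zero
    alerts = []
    for minute, n in sorted(requests_per_minute(lines).items()):
        z = (n - mu) / sigma
        if z > threshold:
            alerts.append((minute, n, round(z, 1)))
    return alerts


TRAINING_COUNTS = [3, 4, 3, 5, 4, 3, 4, 5, 3, 4]   # quiet, constructed baseline period
POISONED_COUNTS = TRAINING_COUNTS + [20, 20]       # same period with two bursts during learning
TEST_COUNTS = [4, 3, 20, 4]                        # a burst of 20 records in minute 10:02

if __name__ == "__main__":
    clean = learn_baseline(constructed_lines(TRAINING_COUNTS))
    poisoned = learn_baseline(constructed_lines(POISONED_COUNTS))
    test = constructed_lines(TEST_COUNTS)
    print("clean baseline alerts:   ", detect(test, clean))      # the 10:02 burst is flagged
    print("poisoned baseline alerts:", detect(test, poisoned))   # the same burst is missed
```

The poisoned run is the whole point of the learning-mode caveat: two bursts in the training window inflate the standard deviation enough that an identical burst later scores below three sigma and is silently accepted as normal.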
Intrusion prevention system (IPS)
An IDS is passive detection
An IPS is active defense
Honeypot (detective control) (legal)
A honeypot is enticement
Enticement is legal
Entrapment is not a honeypot
Entrapment is illegal and cannot be used as evidence
Threats faced
Password attack methods
Electronic monitoring
Monitoring traffic to capture password information, then replaying it
Access to the password file
Accessing the password file on the server
Brute-force attack (exhaustive cracking)
Cycles through every possible combination of characters, digits and symbols to guess the password
Dictionary attack
Builds a dictionary file and compares its entries against the user's password
Social engineering
Obtaining a password reset by phoning the help desk or impersonating the user
Rainbow table
Precomputed table containing the hashes of many passwords
Keylogging
Password security advice
Password checker
Tools for testing password strength
Password hashing and encryption
Password lifecycle
Specify a password change period
Remember a number of previous passwords (password history)
Limit the number of login attempts
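The password checker, hashing and rainbow-table nodes above, as an added Python example (not from the mind map): a salted, iterated hash using PBKDF2-HMAC-SHA256 from the standard library (a memory-hard function such as scrypt or Argon2 is preferable where available), a constant-time verify, and a simple strength report. The common-password list, the iteration count and the scoring thresholds are assumptions for the demo.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 600_000       # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256
# Constructed, deliberately tiny dictionary; a real checker loads a large wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. The per-user random salt is what defeats precomputed
    (rainbow) tables; the iteration count slows brute-force and dictionary attacks."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 int(iterations), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def strength_report(password, min_length=12):
    """Password checker: length, character classes, estimated entropy, dictionary check."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    sizes = (("lower", 26), ("upper", 26), ("digit", 10), ("symbol", 33))
    charset = sum(size for name, size in sizes if classes[name])
    entropy_bits = round(len(password) * math.log2(charset), 1) if charset else 0.0
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in dictionary")
    if sum(classes.values()) < 3:
        problems.append("fewer than 3 character classes")
    return {"entropy_bits": entropy_bits, "problems": problems, "acceptable": not problems}


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    # Same password, two salts: two unrelated hashes, so one precomputed table cannot cover both.
    print(hash_password("password", b"\x00" * 16) == hash_password("password", b"\x01" * 16))
    print(strength_report("password"))
```

The stored string carries its own parameters, so the iteration count can be raised later for new or re-hashed passwords without breaking verification of existing ones.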
Attacks on smart cards
Side-channel attacks
Differential power analysis (DPA)
Observes the amount of power consumed during processing
Electromagnetic analysis
Observes the frequencies emitted
Timing analysis
Measures the time a specific function takes to complete
Software attack
Supplies input to the card to extract information or instructions from it
Fault generation
Induces errors through environmental components
Includes: temperature fluctuations, changes to the input voltage, changes to the clock frequency
Direct (physical) attack
Microprobing
Uses needles and ultrasonic vibration to remove the card's outer protective material along its circuit paths, then connects directly to the smart card's ROM chip to access and manipulate the data in it
Information leakage
Chapter 1: social engineering
Chapter 3: covert channels
Chapter 8: malicious code
Object reuse
Memory locations, variables and registers are not cleared before the object is reallocated
Files and data tables are not cleared before the object is reallocated
Emanation security
Faraday cage: a metal enclosure that keeps the signals emitted by electronic devices within a bounded area
White noise
A random electronic signal with a uniform spectrum, so that no information can be recovered from the electromagnetic emanations
Control zone
Special materials on the surface of the device (or facility) shield electronic signals
Requires establishing a security perimeter
Authorization process issues
Authorization creep (privilege creep)
Accumulating more and more privileges through job or department transfers
Login spoofing
Phishing
Social engineering used as an attack technique
Creates websites resembling legitimate sites
Pharming
DNS poisoning
Redirects to an illegitimate IP address or URL
Identity theft