SlideShare ist ein Scribd-Unternehmen logo

Certified Information Systems Security Professional (cissp) Domain “access control”

master student
master student
Bildung
1 von 9
Downloaden Sie, um offline zu lesen
Certified Information Systems Security Professional (cissp) Report paper Domain “access control” Supervised by instructor dogus sarica prepared by zaid dawad al-rustom (20112465)
Certified Information Systems Security Professional (cissp) Domain “access control” Definitions First thing I will present some definitions about Certified Information Systems Security Professional (cissp), Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by International Information Systems Security Certification Consortium also known as (ISC) ². As of November 2012, (ISC)² reports 84,596 members hold the CISSP certification worldwide, in143countries. InJune2004, theCISSPhasobtainedaccreditationby ANSI ISO/IECStandard17024:2003 accreditatio n. It is also formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoDD 8570 certification requirement. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program. My definition it is an international certificate depends on it to secure the data in computers, made by a specialist computer security programmer group to provide a standard security certificate, the main advantage from this is to put many computer security laws and ethical rules prevent us against internet information crimes. The 10 Domains: 1. Security Management Practices 2. Access Control Systems & Methodology 3. Law, Investigations, Ethics 4. Physical Security 5. Business Continuity & Disaster Recovery Planning 6. Security Architecture & Models 7. Cryptography 8. Telecommunications & Network Security 9. Applications & Systems Development 10. Operations Security.
Access control "The first line of defense" Some attacks let's look at some of the different attacks on passwords there simply is called the dictionary attack brute force attacked or a combination would call a hybrid attack first of all the dictionary type what is a dictionary attack ,first of all password is not a password and clear text in the file on your computer it's a hash of the password so dictionary attacked basically takes every word in the dictionary creates ahead and then compares the hash with the file on the computer and I think it's a match that it looks back at the word it used to create that action and password a brute force attacked as just that if tries all possible combinations in order to get your hash or create your password, This type force attacked well always succeed online it literally prize all of those trust every possible combination where some of the things that you can do to mitigate those attacks well, first of all the obvious one is don't send your passwords clear text, or don't use common words dictionary words. There are some tools out there Satan being one of them that you can use to look at that password checkers, to see how secure they are identifies those that are weak and then simply change those. Access control administration The organization has to decide access control model they're going to implement where there is going to be DAC or MAC whatever they can be used expect to find that in the security policy then the technologies and techniques that are going to support that model need to be identified and they need to be put in place the standards need to be developed policies they develop the procedures need to be developed and put in place and then the next question they have to answer is how are we going to manages? are we going to any centrally one central location is going to handle everything that might work for small organization but when you get into a large
organization particularly multinational or international or even across many country, a centralized approach may not be the best solution for you and you may want to decentralize you may only want to decentralize a portion of that to someone that would refer to as the hybrid approach were let's say you centrally manage the network with them for local printers for local file shares you centralize that at that particular location so much use a hybrid approach for the management of that par for the administration of that when we talk about the centralized access control we have one into the wanted location that is making the decision with regarding access senior management has to decide that has to be defined in the security policy data owner makes the ultimate decision in senior management besides what they're going to have in place in order to support that are they going to use something like radiance or attack exploits or the new version of a radius diameter as their centralized access control the words you've got one location that location is controlling access for everybody . Centralized access control I will give an example to discuss centralized access control It is a handshaking protocol that allows that radius server to provide the authentication authorization information to the networks server and radius client we dialing we access that radius server directly certain server will contain a database of users and credentials, that radius server may have be configured to give you access to another leader a lightweight directory access protocol server that has the credentials on it for example radius server could be configured to access active directory and windows and provide that database abusers and credentials and then there needs to be communication between the radius client and the server in that communication needs to be protected , the user initiates that point-to-point protocol authentication with the provider the radius client than prompts the user for their credentials user types and the user id password , than checks those credentials either locally in its own database or against the act let's say active directory to this and then says back here in accept or reject or it may send a challenge response back and if successful then radius will allow the client access to the network so you can get there on the network and do whatever you want to.
Access control methodologies Administrative:  Group membership  Time of day  Transaction type The methodologies for access control administrative technical and physical with administrative the group membership or group remember off what time of day or transaction type so from an administrative methodology we can restrict access to data based on time today payroll files are not accessed Sunday morning at 3:00am time of day or transaction type you're not allowed to do a transaction type equipment to do leading the database table administrative access control methodologies. Technical access control  Directory service  Network architecture  Network access  Encryption  Auditing Directory service The technical layer of access control what are the techno classics access controls we've already mentioned directory service but the way that you architect the network also can be an access control and that's technical? the network access as a technical control as his encryption and let me point out one thing auditing is a technical access control audit logs our technical controls because that tracks activity of the users and systems it’s not preventative it can't prevent someone from accessing but it helps an administrator system administrator understand how the access to a place so in the future they can make changes, for directory services there are different types all of the x.500, LDAP, network directory services, and active directory all of those four different types of directory services and all of those are technical controls which directory services I saw published there except
x.500 which is the lightweight directory access protocol which basically adapts the directory to work over TCPIP. Network architecture Where you place firewalls for example you may have an internal network with in your trusted network let's say that that's just for the top secret data and you put up our wall in front of that top secret data portion of your network to block it so basically what you're doing is you're architecting network to control access you put a DMZ place you put your bastion host servers that you've removed all the extra services imports from in a DMZ the firewall front of the DMZ you put the firewall after the DMZ how you architect the network is going to control? Who has access? And who can get here? Physical layer  Network segregation  Perimeter security  Computer controls  Work area separation  cabling Access control of the physical controls network segregation, perimeter security, computer controls, work area separation, and cable. network segregationist just that you can physically separate the network you can logically separate the network physically separated so that the wiring one set a routers one set of switches physically separated from other parts of the network are logically with virtual LAN’s with primary security you've got those that locks on the doors man perhaps to get into the building guards all of those are physical security controls. Computer controls like a lock on your laptop so you lock it to your desk so people can't walk off on with it for those of you better under the requirement that you can't use the USB ports a physically removing them from the device or putting a proxy into that so you can’t put the USB device into that slot because the slots been filled up with the proxy those are all types of computer controls and then were curious separation I have one client the state agency
who has direct connection with a federal agency they're both in the same physical building on the same floor but you have to go through the state agency to get to the back of the room to another private door that only the federal employees are allowed to go through and they have their own internal men trapped in order to get into the federal area to me that's work area separation and then cabling actually keeping the cables separate. Those are all types of physical layer or physical controls networks. Identification and Authentication Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time. Authentication is based on the following three factor types: 1. Something you know, such as a PIN or password 2. Something you have, such as an ATM card or smart card 3. Something you are (physically), such as a fingerprint or retina scan Passwords Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. This “one-time password” provides maximum security because a new password is required for each new log-on. A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system.
Biometrics An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism something you are. Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images. Authentication in biometrics is a “one to- one” search to verify a claim to an identity made by a person. Biometrics is used for identification in physical controls and for authentication in logical controls. The following are typical biometric characteristics that are used to uniquely authenticate an individual’s identity:  Fingerprints  Retina scans  Iris scans  Facial scans  Palm scans  Hand geometry  Voice  Handwritten signature dynamics Single Sign-On (SSO) Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. A user must remember numerous passwords and IDs and may take shortcuts in creating passwords that may be open to exploitation. In SSO, a user provides one ID and password per work session and is automatically logged-on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO applications can run either on a user’s workstation or on authentication servers. The advantages of SSO include having the ability to use stronger passwords, easier administration of changing or deleting the passwords, and requiring less time to access resources. The major disadvantage of many SSO implementations
is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions. Conclusion We talked about that you could have physical or you can have logical of virtual land let's say for top secret of virtual for secret and in a virtual for public information or for unclassified data. I am going to conclude this subject on access control, we've talked about access control as being the first line of defense we've talked about how people access data and the resources that go along to make that happen the main goal is to protect resource from unauthorized access. the models discretionary access control mandatory access control role based access control and rule based access control and then whether you want to manage access control either centrally or decentralized or whether you want to use a hybrid approach we talked about the fact that controls can be administrative physical or technical controls and that regardless of whether they're administrative physical or technical those controls can give you preventative detective and recovery services I hope you've enjoyed this article about access control and I look forward to seeing you again hoca for next semester and excuse me for my English language errors Reference: 1. http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Pro fessional 2. http://www.ntgtraining.com/courses/courses_cissp_cbk_10.html 3. The CISSP Prep Guide—Mastering the Ten Domains of Computer Security Ronald L. Krutz Russell Dean Vines Wiley Computer Publishing John Wiley & Sons, Inc.

Empfohlen

Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
CIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCloudIDSummit
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Chaitanya chandra sekhar
 
Security and management
Security and managementSecurity and management
Security and managementArtiSolanki5
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 

Empfohlen

Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
CIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCloudIDSummit
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Chaitanya chandra sekhar
 
Security and management
Security and managementSecurity and management
Security and managementArtiSolanki5
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general attSHIVA101531
 
DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0Shah Sheikh
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehAnne Starr
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiSHIVA101531
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Huntingn|u - The Open Security Community
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineeringSweta Kumari Barnwal
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access controlElimity
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology PillarsPriyanka Aash
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guideanpapathanasiou
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident ResponseEC-Council
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
CISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy CourseCISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy CourseAdrian Mikeliunas
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramFRSecure
 

Weitere ähnliche Inhalte

Was ist angesagt?

Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general attSHIVA101531
 
DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0Shah Sheikh
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehAnne Starr
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiSHIVA101531
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineeringSweta Kumari Barnwal
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access controlElimity
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology PillarsPriyanka Aash
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident ResponseEC-Council
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 

Was ist angesagt? (20)

Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general att
 
DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resi
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineering
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access control
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology Pillars
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 

Andere mochten auch

CISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy CourseCISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy CourseAdrian Mikeliunas
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramFRSecure
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Examkoidis
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6FRSecure
 
Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3FRSecure
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models7wounders
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5FRSecure
 
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5madunix
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 

Andere mochten auch (12)

CISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy CourseCISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy Course
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Exam
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6
 
5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying
 
Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 

Ähnlich wie Certified Information Systems Security Professional (cissp) Domain “access control”

Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
SANS 20 Security Controls
SANS 20 Security ControlsSANS 20 Security Controls
SANS 20 Security ControlsCasey Wimmer
 
Introduction to Access Control Week6 Part1-IS Revis.docx
Introduction to Access Control Week6 Part1-IS Revis.docxIntroduction to Access Control Week6 Part1-IS Revis.docx
Introduction to Access Control Week6 Part1-IS Revis.docxmariuse18nolet
 
CIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docxCIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docxmccormicknadine86
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Brianna Johnson
 
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docxvickeryr87
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...KajolPatel17
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxwrite4
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxwrite4
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxwrite31
 
Two Aspect Endorsement Access Control for web Based Cloud Computing
Two Aspect Endorsement Access Control for web Based Cloud Computing Two Aspect Endorsement Access Control for web Based Cloud Computing
Two Aspect Endorsement Access Control for web Based Cloud Computing IRJET Journal
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingKaren Oliver
 
Third Party Access Control
Third Party Access ControlThird Party Access Control
Third Party Access Controlfrancisdinha
 
ethical hacking report
ethical hacking report ethical hacking report
ethical hacking reportAkhilesh Patel
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Edureka!
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Controljwpiccininni
 
Data security in practice
Data security in practiceData security in practice
Data security in practiceAndres Kütt
 

Ähnlich wie Certified Information Systems Security Professional (cissp) Domain “access control” (20)

Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
SANS 20 Security Controls
SANS 20 Security ControlsSANS 20 Security Controls
SANS 20 Security Controls
 
Introduction to Access Control Week6 Part1-IS Revis.docx
Introduction to Access Control Week6 Part1-IS Revis.docxIntroduction to Access Control Week6 Part1-IS Revis.docx
Introduction to Access Control Week6 Part1-IS Revis.docx
 
P3 m2
P3 m2P3 m2
P3 m2
 
CIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docxCIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docx
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
 
Two Aspect Endorsement Access Control for web Based Cloud Computing
Two Aspect Endorsement Access Control for web Based Cloud Computing Two Aspect Endorsement Access Control for web Based Cloud Computing
Two Aspect Endorsement Access Control for web Based Cloud Computing
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal Thing
 
Third Party Access Control
Third Party Access ControlThird Party Access Control
Third Party Access Control
 
ethical hacking report
ethical hacking report ethical hacking report
ethical hacking report
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Control
 
Data security in practice
Data security in practiceData security in practice
Data security in practice
 
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKINGIMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
 

Kürzlich hochgeladen

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 

Kürzlich hochgeladen (20)

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 

Certified Information Systems Security Professional (cissp) Domain “access control”

  • 1. Certified Information Systems Security Professional (cissp) Report paper Domain “access control” Supervised by instructor dogus sarica prepared by zaid dawad al-rustom (20112465)
  • 2. Certified Information Systems Security Professional (cissp) Domain “access control” Definitions First thing I will present some definitions about Certified Information Systems Security Professional (cissp), Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by International Information Systems Security Certification Consortium also known as (ISC) ². As of November 2012, (ISC)² reports 84,596 members hold the CISSP certification worldwide, in143countries. InJune2004, theCISSPhasobtainedaccreditationby ANSI ISO/IECStandard17024:2003 accreditatio n. It is also formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoDD 8570 certification requirement. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program. My definition it is an international certificate depends on it to secure the data in computers, made by a specialist computer security programmer group to provide a standard security certificate, the main advantage from this is to put many computer security laws and ethical rules prevent us against internet information crimes. The 10 Domains: 1. Security Management Practices 2. Access Control Systems & Methodology 3. Law, Investigations, Ethics 4. Physical Security 5. Business Continuity & Disaster Recovery Planning 6. Security Architecture & Models 7. Cryptography 8. Telecommunications & Network Security 9. Applications & Systems Development 10. Operations Security.
  • 3. Access control "The first line of defense" Some attacks let's look at some of the different attacks on passwords there simply is called the dictionary attack brute force attacked or a combination would call a hybrid attack first of all the dictionary type what is a dictionary attack ,first of all password is not a password and clear text in the file on your computer it's a hash of the password so dictionary attacked basically takes every word in the dictionary creates ahead and then compares the hash with the file on the computer and I think it's a match that it looks back at the word it used to create that action and password a brute force attacked as just that if tries all possible combinations in order to get your hash or create your password, This type force attacked well always succeed online it literally prize all of those trust every possible combination where some of the things that you can do to mitigate those attacks well, first of all the obvious one is don't send your passwords clear text, or don't use common words dictionary words. There are some tools out there Satan being one of them that you can use to look at that password checkers, to see how secure they are identifies those that are weak and then simply change those. Access control administration The organization has to decide access control model they're going to implement where there is going to be DAC or MAC whatever they can be used expect to find that in the security policy then the technologies and techniques that are going to support that model need to be identified and they need to be put in place the standards need to be developed policies they develop the procedures need to be developed and put in place and then the next question they have to answer is how are we going to manages? are we going to any centrally one central location is going to handle everything that might work for small organization but when you get into a large
  • 4. organization particularly multinational or international or even across many country, a centralized approach may not be the best solution for you and you may want to decentralize you may only want to decentralize a portion of that to someone that would refer to as the hybrid approach were let's say you centrally manage the network with them for local printers for local file shares you centralize that at that particular location so much use a hybrid approach for the management of that par for the administration of that when we talk about the centralized access control we have one into the wanted location that is making the decision with regarding access senior management has to decide that has to be defined in the security policy data owner makes the ultimate decision in senior management besides what they're going to have in place in order to support that are they going to use something like radiance or attack exploits or the new version of a radius diameter as their centralized access control the words you've got one location that location is controlling access for everybody . Centralized access control I will give an example to discuss centralized access control It is a handshaking protocol that allows that radius server to provide the authentication authorization information to the networks server and radius client we dialing we access that radius server directly certain server will contain a database of users and credentials, that radius server may have be configured to give you access to another leader a lightweight directory access protocol server that has the credentials on it for example radius server could be configured to access active directory and windows and provide that database abusers and credentials and then there needs to be communication between the radius client and the server in that communication needs to be protected , the user initiates that point-to-point protocol authentication with the provider the radius client than prompts the user for their credentials user types and the user id password , than checks those credentials either locally in its own database or against the act let's say active directory to this and then says back here in accept or reject or it may send a challenge response back and if successful then radius will allow the client access to the network so you can get there on the network and do whatever you want to.
  • 5. Access control methodologies Administrative:  Group membership  Time of day  Transaction type The methodologies for access control administrative technical and physical with administrative the group membership or group remember off what time of day or transaction type so from an administrative methodology we can restrict access to data based on time today payroll files are not accessed Sunday morning at 3:00am time of day or transaction type you're not allowed to do a transaction type equipment to do leading the database table administrative access control methodologies. Technical access control  Directory service  Network architecture  Network access  Encryption  Auditing Directory service The technical layer of access control what are the techno classics access controls we've already mentioned directory service but the way that you architect the network also can be an access control and that's technical? the network access as a technical control as his encryption and let me point out one thing auditing is a technical access control audit logs our technical controls because that tracks activity of the users and systems it’s not preventative it can't prevent someone from accessing but it helps an administrator system administrator understand how the access to a place so in the future they can make changes, for directory services there are different types all of the x.500, LDAP, network directory services, and active directory all of those four different types of directory services and all of those are technical controls which directory services I saw published there except
  • 6. x.500 which is the lightweight directory access protocol which basically adapts the directory to work over TCPIP. Network architecture Where you place firewalls for example you may have an internal network with in your trusted network let's say that that's just for the top secret data and you put up our wall in front of that top secret data portion of your network to block it so basically what you're doing is you're architecting network to control access you put a DMZ place you put your bastion host servers that you've removed all the extra services imports from in a DMZ the firewall front of the DMZ you put the firewall after the DMZ how you architect the network is going to control? Who has access? And who can get here? Physical layer  Network segregation  Perimeter security  Computer controls  Work area separation  cabling Access control of the physical controls network segregation, perimeter security, computer controls, work area separation, and cable. network segregationist just that you can physically separate the network you can logically separate the network physically separated so that the wiring one set a routers one set of switches physically separated from other parts of the network are logically with virtual LAN’s with primary security you've got those that locks on the doors man perhaps to get into the building guards all of those are physical security controls. Computer controls like a lock on your laptop so you lock it to your desk so people can't walk off on with it for those of you better under the requirement that you can't use the USB ports a physically removing them from the device or putting a proxy into that so you can’t put the USB device into that slot because the slots been filled up with the proxy those are all types of computer controls and then were curious separation I have one client the state agency
  • 7. who has direct connection with a federal agency they're both in the same physical building on the same floor but you have to go through the state agency to get to the back of the room to another private door that only the federal employees are allowed to go through and they have their own internal men trapped in order to get into the federal area to me that's work area separation and then cabling actually keeping the cables separate. Those are all types of physical layer or physical controls networks. Identification and Authentication Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time. Authentication is based on the following three factor types: 1. Something you know, such as a PIN or password 2. Something you have, such as an ATM card or smart card 3. Something you are (physically), such as a fingerprint or retina scan Passwords Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. This “one-time password” provides maximum security because a new password is required for each new log-on. A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system.
  • 8. Biometrics An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism something you are. Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images. Authentication in biometrics is a “one to- one” search to verify a claim to an identity made by a person. Biometrics is used for identification in physical controls and for authentication in logical controls. The following are typical biometric characteristics that are used to uniquely authenticate an individual’s identity:  Fingerprints  Retina scans  Iris scans  Facial scans  Palm scans  Hand geometry  Voice  Handwritten signature dynamics Single Sign-On (SSO) Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. A user must remember numerous passwords and IDs and may take shortcuts in creating passwords that may be open to exploitation. In SSO, a user provides one ID and password per work session and is automatically logged-on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO applications can run either on a user’s workstation or on authentication servers. The advantages of SSO include having the ability to use stronger passwords, easier administration of changing or deleting the passwords, and requiring less time to access resources. The major disadvantage of many SSO implementations
  • 9. is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions. Conclusion We talked about that you could have physical or you can have logical of virtual land let's say for top secret of virtual for secret and in a virtual for public information or for unclassified data. I am going to conclude this subject on access control, we've talked about access control as being the first line of defense we've talked about how people access data and the resources that go along to make that happen the main goal is to protect resource from unauthorized access. the models discretionary access control mandatory access control role based access control and rule based access control and then whether you want to manage access control either centrally or decentralized or whether you want to use a hybrid approach we talked about the fact that controls can be administrative physical or technical controls and that regardless of whether they're administrative physical or technical those controls can give you preventative detective and recovery services I hope you've enjoyed this article about access control and I look forward to seeing you again hoca for next semester and excuse me for my English language errors Reference: 1. http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Pro fessional 2. http://www.ntgtraining.com/courses/courses_cissp_cbk_10.html 3. The CISSP Prep Guide—Mastering the Ten Domains of Computer Security Ronald L. Krutz Russell Dean Vines Wiley Computer Publishing John Wiley & Sons, Inc.