Exam Objectives Fast Track

Access Control Objectives

  • The primary objective of access control is to provide access control subjects the ability to work with access control objects in a controlled manner.

  • The three steps of obtaining access are authentication, identification, and authorization.

  • Access control systems must provide assurance in the form of confidentiality, integrity, availability, and accountability.

Authentication Types

  • There are three main authentication types: "something you know," "something you have," and "something you are."

  • Enterprise authentication is more complex and requires special features such as SSO technology provided through access control systems utilizing Kerberos or X.509.

  • Remote access authentication for the enterprise is typically provided by TACACS or RADIUS.

Password Administration

  • Good password selection requirements include the use of minimum password lengths and required characters or symbols.

  • Password management is most effective when it includes automatic password expiration and account lockouts.

  • Auditing password usage or problems is useful in identifying attacks against an access control system.

Access Control Policies

  • The three types of access control policies are preventive, corrective, and detective.

  • The three types of access control policy implementations are administrative, logical/technical, and physical.

  • A good access control system uses multiple combinations of these policy types and implementations.

Access Control Methodologies

  • A centralized access control methodology provides a single central authority for authentication.

  • A decentralized access control methodology allows for a more distributed approach by breaking up the authentication responsibility across multiple systems.

Access Control Models

  • The "Orange" and "Red" books provide guidelines for rating access control models.

  • DAC is the most common access control model and uses ACLs, through which access control subjects control access to objects.

  • MAC is more of a government/military access control model and bases security on pre-determined sensitivity labels for data.

  • Non-discretionary or RBAC takes into account the job functions or roles of the access control subject and bases access determinations on this factor.

  • Three popular formal models for access control are Bell-LaPadula, Biba, and Clark-Wilson.
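The four models listed above make different access decisions for the same request. The following Python is an added example, not code from the study guide; its sensitivity lattice, ACL, roles and subject names are constructed sample data, and it implements the Bell-LaPadula and Biba rules over MAC labels beside a DAC ACL lookup and an RBAC role lookup.

```python
# Added example: minimal access decisions for the models named in this section.
# LEVELS, ACL, ROLE_PERMS and SUBJECT_ROLES are constructed sample data.

# MAC sensitivity labels, ordered low to high (constructed lattice).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o  # simple security property
    if op == "write":
        return s <= o  # *-property (star property)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity): no read down, no write up (the BLP rules inverted)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o  # simple integrity property
    if op == "write":
        return s >= o  # integrity *-property
    raise ValueError(f"unknown operation {op!r}")


# DAC: the object's ACL, set at the owner's discretion, decides (constructed).
ACL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}


def dac_allows(subject: str, obj: str, op: str) -> bool:
    """Grant only if the subject appears in the object's ACL with that right."""
    return op in ACL.get(obj, {}).get(subject, set())


# RBAC: rights attach to roles, subjects are assigned roles (constructed).
ROLE_PERMS = {
    "hr_clerk": {("payroll.xlsx", "read")},
    "hr_manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
}
SUBJECT_ROLES = {"carol": {"hr_clerk"}, "dave": {"hr_manager"}}


def rbac_allows(subject: str, obj: str, op: str) -> bool:
    """Grant if any role held by the subject carries the (object, op) right."""
    roles = SUBJECT_ROLES.get(subject, set())
    return any((obj, op) in ROLE_PERMS[r] for r in roles)
```

Note that under Bell-LaPadula a SECRET subject may write to a TOP SECRET object but not read it, while Biba reverses both answers; an unknown subject is denied by both the DAC and RBAC lookups because no ACL entry or role grants it anything.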

Administrating Access Control

  • Account administration takes a significant amount of effort and involves the creation, maintenance, and destruction of accounts.

  • Determining rights and permissions is a difficult but critical part of access control administration.

  • Managing access control objects helps provide a great deal of security to the system.

  • Monitoring the access control system is critical to maintaining the security and stability of the system.

  • Securing removable media and managing data caches are two important parts of access control administration that are often overlooked.

Methods of Attack

  • Dictionary and brute force attacks are common and effective techniques for cracking users' passwords.

  • A DoS or DDoS attack is designed to attack the availability aspect of an access control system.

  • Spoofing and MITM attacks are two methods used to gain unauthorized access to data without having to crack passwords.

  • Spamming is the use of unsolicited e-mail, which can either intentionally or unintentionally cause a DoS attack on mail servers.

  • Sniffers are used to monitor networks for troubleshooting, but can also be used by intruders to capture data or passwords.

Monitoring

  • IDSs and NIDSs are automated systems designed to monitor either a single system or a network for potential attack attempts.

  • Alarms are alerts that can be created to notify administrators when there is a problem in the access control system.

  • Audit trails and violation reports are used to track suspicious activity.

Penetration Testing

  • Penetration testing is the art of trying to hack into your own system to determine the level of security that the system is providing.

  • Penetration testing should be done prior to implementation of the access control system as well as after the implementation, to catch as many weaknesses as possible.

  • Weaknesses within the system should be patched or fixed as soon as possible.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135