ACCESS-CONTROL SYSTEMS AND METHODOLOGY

  1. Identification (the process of claiming to be a certain person), authentication (the process of determining the legitimacy of a user or process), and authorization (granting access to a subject or an object after the object has been properly identified and authenticated) are access-control methods.
  2. Authentication is typically verified through the use of a password, tokens, or biometrics.
  3. Biometric systems include

    FRR The False Rejection Rate or Type I Error is the percentage of valid users who are falsely rejected.

    FAR The False Acceptance Rate or Type II Error is the percentage of invalid users who are falsely accepted.

    CER The Crossover Error Rate is the point at which the False Rejection Rate equals the False Acceptance Rate.

  4. One-time passwords are used only once and are valid for only a short period of time; they are usually provided by a token device.
  5. Single sign-on allows a user to enter credentials one time to access all resources.
  6. Kerberos and SESAME are two examples of single sign-on systems.
  7. Centralized access control such as RADIUS, TACACS, and DIAMETER can be used to maintain user IDs, rights, and permissions in one central location.
  8. Attacks on access control can come in the form of DoS attacks.

    Ping of death Employs an oversize IP packet

    Smurf Sends a message to the broadcast address of a subnet or network so that every node on the network produces one or more response packets

    Syn flood Sends TCP connection requests faster than a machine can process them

    Trinoo A DDoS tool that can launch UDP flood attacks from various channels on a network

  9. Data access controls are established to control how subjects can access data. Common types include the following:

    The DAC model is so titled because the user controls who has access to the system he maintains.

    The MAC model uses the system rather than the user to who has access. The MAC model is typically used by organizations that handle highly sensitive data.

    RBAC models place users into groups to maintain access. These are used extensively by banks and other organizations.

The CISSP Cram Sheet

A Note from Series Editor Ed Tittel

About the Author

Acknowledgments

We Want to Hear from You!

Introduction

Self-Assessment

The CISSP Certification Exam

Physical Security

Security-Management Practices

Access-Control Systems and Methodology

System Architecture and Models

Telecommunications and Network Security

Applications and Systems-Development Security

Operations Security

Business Continuity Planning

Law, Investigations, and Ethics

Cryptography

Practice Exam 1

Answers to Practice Exam 1

Practice Exam 2

Answers to Practice Exam 2



CISSP Exam Cram 2
CISSP Exam Cram 2
ISBN: 078973446X
EAN: 2147483647
Year: 2003
Pages: 204
Authors: Michael Gregg

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net