CISSP CBK 1 – Access Control Systems & Methodology

Security principles

Confidentiality: The assurance that information is not disclosed to unauthorized individuals, programs or processes.

Integrity: Information must be accurate, complete and protected from unauthorized modification.

Availability: Information, systems and resources need to be available to users in a timely manner so productivity will not be affected.

Personal note: Conformity with legislation

Identification: Describes a method of ensuring that a subject (user, program or process) is the entity it claims to be. Identification can be verified through the use of a credential.

Biometrics: Verifies an individual’s identity by a unique personal attribute; this is one of the most effective and accurate methods of verifying identification.

Three main performance measures:

– FRR / False Rejection Rate or Type I Error – The percentage of valid subjects that are falsely rejected.

– FAR / False Acceptance Rate or Type II Error – The percentage of invalid subjects that are falsely accepted.

– CER / Crossover Error Rate – The error rate at which the False Rejection Rate equals the False Acceptance Rate.
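The three measures above, worked through on constructed matcher scores (an added example, not part of the original notes; the scores, the "higher score = closer match" convention and the threshold sweep are all assumptions made here):

```python
"""FRR, FAR and CER computed from constructed biometric matcher scores."""
from typing import List, Tuple

# Constructed similarity scores in [0, 100]; higher means a closer match.
GENUINE: List[int] = [92, 88, 85, 81, 79, 76, 74, 70, 66, 55]   # valid subjects
IMPOSTOR: List[int] = [68, 62, 55, 50, 47, 44, 40, 37, 33, 28]  # invalid subjects


def frr(genuine: List[int], threshold: int) -> float:
    """Type I error: fraction of valid subjects whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type II error: fraction of invalid subjects whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every distinct score seen, in ascending order."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Threshold where FRR and FAR are closest: the crossover (equal) error rate."""
    return min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, r, a in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold={t:3d}  FRR={r:.1f}  FAR={a:.1f}")
    print("CER point:", crossover(GENUINE, IMPOSTOR))
```

Sweeping the threshold shows the trade-off the exam wants you to know: a stricter threshold lowers FAR but raises FRR, a looser one does the opposite, and the CER is the single point where the two meet.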

Other factors that must be considered:

– Enrolment time – The time it takes to initially ”register” with a system by providing samples of the biometric characteristic to be evaluated.

– Throughput rate – The rate at which individuals can be processed and identified or authenticated by a system.

– Acceptability – Considerations of privacy, invasiveness and psychological and physical comfort when using the system.

Types of biometric systems

Fingerprints: Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.

Palm Scan: The palm has creases, ridges and grooves throughout it that are unique to a specific person.

Hand Geometry: Measures the shape of a person’s hand (the length and width of the hand and fingers).

Retina Scan: Scans the blood-vessel pattern of the retina on the backside of the eyeball.

Iris Scan: Scans the colored portion of the eye that surrounds the pupil.

Signature Dynamics: Electrical signals of speed and time that can be captured when a person writes a signature.

Keyboard Dynamics: Captures the electrical signals when a person types a certain phrase.

Voice Print: Distinguishing differences in people’s speech sounds and patterns.

Facial Scan: Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.

Hand Topology: Looks at the size and width of an individual’s hand and fingers.

Authentication: The subject is required to provide a second piece to the credential set.

Password: A protected string of characters that is used to authenticate an individual.

Clipping level – An allowed number of failed logon attempts to happen before a user is locked out.

Password checkers – Tools that test user-chosen passwords for weakness.

Password Generators – Tools that produce passwords for users.

Password Aging – Expiration dates for passwords.

Limit Login Attempts – Threshold set to allow only a certain number of unsuccessful login attempts.

Cognitive password: Fact or opinion based information used to verify an individual’s identity.

One-time passwords / dynamic password: After the password is used, it is no longer valid.

Token Device: A password generator that uses a challenge-response scheme.

Synchronous token device – Synchronizes with the authentication service by using time or an event as the core piece of the authentication process.

Time based synchronous token device – The device and the authentication service must hold the exact same time within their internal clocks.

Event-synchronization – The user may need to initiate the logon sequence on the computer and push a button on the token device.

Asynchronous token device – Uses a challenge-response scheme to authenticate with the authentication service.
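The two synchronous token types above, as an added example that is not code from the original notes. Code generation follows HOTP (RFC 4226), with the counter taken from the clock for the time-based device as in TOTP (RFC 6238); the shared secret (the RFC 4226 test key), the 30-second step, the tolerated clock skew and the event look-ahead window are constructed values.

```python
"""Time-based and event-based synchronous token devices."""
import hashlib
import hmac
import struct

TIME_STEP = 30                            # seconds per time-based code (assumption)
SHARED_SECRET = b"12345678901234567890"   # constructed: RFC 4226 test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


# --- Time-based synchronous token -----------------------------------------
def device_time_code(secret: bytes, device_clock: int) -> str:
    """What the token displays: the counter is the device's clock in whole steps."""
    return hotp(secret, device_clock // TIME_STEP)


def service_verify_time(secret: bytes, code: str, service_clock: int,
                        skew_steps: int = 1) -> bool:
    """Accept the code if it matches the service's current step or a neighbouring
    one; if the two clocks drift further apart than that, authentication fails."""
    base = service_clock // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(max(0, base - skew_steps), base + skew_steps + 1))


# --- Event-based synchronous token ----------------------------------------
class EventToken:
    """Each button press advances the counter and yields a fresh code."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class EventService:
    """Remembers the last accepted counter so a used code cannot be replayed,
    while tolerating a few presses whose codes never reached the service."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret, self.look_ahead, self.last = secret, look_ahead, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last = c          # resynchronise to the accepted press
                return True
        return False
```

The time-based path shows why the notes insist on matching clocks: a device 30 seconds off still passes with a one-step tolerance, a device two minutes off does not. The event-based path shows the replay protection a counter gives you, which a pure clock-based scheme only gets by also remembering the last accepted step.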

Cryptographic Keys: Presenting a private key or a digital signature.

Passphrase: Is a sequence of characters that is longer than a password. The user enters this phrase into an application and the application transforms the value into a virtual password.

Memory Card: A card that holds information, but does not process information.

Smart Card: A card that has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself. A smart card also provides a two-factor authentication method because the user has to enter a user ID and PIN to unlock the smart token.


Authorization: Granting a subject access to an object after the subject has been properly identified and authenticated.


Least privilege / Need to know: Users will only have the necessary rights and permissions they need to fulfil the obligations of their jobs within the company.

Single Sign-on

Capabilities that would allow a user to enter credentials one time and be able to access all resources in primary and secondary network domains.

Scripting: Batch files and scripts that contain each user’s ID, password and logon commands necessary for each platform.

Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully.

Kerberos: Uses symmetric key cryptography and provides end-to-end security.

Main components

 – KDC / Key Distribution Center: Holds all users’ and services’ cryptographic keys. It provides authentication services, as well as key distribution functionality. The KDC provides security services to entities referred to as principals, which can be users, applications or services. A ticket is generated by the KDC and given to a principal when that principal needs to authenticate to another principal. A KDC provides security services for a set of components and principals; this set is called a realm in Kerberos.

 – AS / Authentication Service: Is the part of the KDC that authenticates a principal

 – TGS / Ticket Granting Service: Is the part of the KDC that makes the tickets and hands them out to the principals.


Weaknesses

The KDC is a single point of failure.

The AS must be able to handle a huge amount of requests.

Secret keys are temporarily stored on users’ workstations.

Session keys are decrypted and reside on the users’ workstations.

Is vulnerable to password guessing.

Network traffic is not protected.

When a user changes his password, it changes the secret key and the KDC needs to be updated.


SESAME / Secure European System for Applications in a Multi-vendor Environment: Uses public key cryptography for the distribution of secret keys.

Uses a ticket for authorization which is called a Privilege Attribute Certificate.

Is vulnerable to password guessing.

Thin Clients: Dumb terminals authenticating to a server.

Access Control Models

Is a framework that dictates how subjects access objects.

DAC / Discretionary Access Control: Enables the owner of the resource to specify which subjects can access specific resources. Access is restricted based on the authorization granted to the users. The most common implementation of DAC is through ACLs.

MAC / Mandatory Access Control: Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject and the classification of the object. The model is used in environments where information classification and confidentiality are of utmost importance.

Sensitivity labels: When MAC is used every subject and object must have a sensitivity label. It contains classification and different categories. The classification indicates the sensitivity level and the categories indicate which objects take on the classification.

RBAC / Role-based access control: Also called nondiscretionary access control. Uses a centrally administered set of controls to determine how subjects and objects interact. Allows access to resources based on the role the user holds within the company.

RBAC models can use:

 – Role-based access: Determined by the role the user has within the company.

 – Task-based access: Determined by the task assigned to this user.

 – Lattice-based access: Determined by the sensitivity level assigned to the role.
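The sensitivity labels of MAC and the lattice-based access of RBAC, worked through together in an added example that is not code from the original notes. The classification ordering, the category names, the roles and the objects are constructed; the read rule (clearance must dominate the object) and the write rule (object must dominate the clearance) are the Bell-LaPadula simple security and *-properties, an assumption added here rather than something the notes state.

```python
"""Sensitivity labels, the dominance ordering, and labels assigned to roles."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed classification ordering, lowest to highest.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one classification plus a set of categories."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Level at least as high AND every category of the other label present."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and other.categories <= self.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label dominating both (what makes it a lattice)."""
        top = max(self.classification, other.classification, key=LEVELS.__getitem__)
        return Label(top, self.categories | other.categories)


# Lattice-based RBAC: the label is assigned to the role, not to the individual (constructed).
ROLE_LABELS: Dict[str, Label] = {
    "weapons_analyst": Label("Secret", frozenset({"NUCLEAR"})),
    "cryptographer":   Label("Top Secret", frozenset({"CRYPTO"})),
    "clerk":           Label("Confidential"),
}


def can_read(role: str, obj: Label) -> bool:
    """Simple security property (assumption): the role's clearance must dominate the object."""
    return ROLE_LABELS[role].dominates(obj)


def can_write(role: str, obj: Label) -> bool:
    """*-property (assumption): the object must dominate the clearance, so nothing flows down."""
    return obj.dominates(ROLE_LABELS[role])
```

Note the cryptographer case: a Top Secret clearance does not open a Confidential document in the NUCLEAR category, because the categories, not just the level, decide dominance. That is the point of the "categories indicate which objects take on the classification" sentence above.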

Access Control Techniques and Technologies

Techniques and technologies available to support different access control models.

Role-Based Access Control: Based on the tasks and responsibilities that individuals need to accomplish to fulfil the obligations of their positions in the company.

RBAC can be used with:
– DAC, administrators can develop roles and owners can decide if these roles can have access to their resources.
– MAC, roles can be developed and sensitivity labels assigned to those roles indicating its security level.

Rule-Based Access Control: Based on specific rules that indicate what can and cannot happen to an object. Is a type of MAC because the administrator sets the rules and the users cannot modify these controls.

Restricted Interfaces: Restrict users’ access abilities by not allowing them to request certain functions, information or have access to specific system resources.

Three types of restricted interfaces:

 – Menus and shells: Users are only given the options of the commands they can execute.

 – Database views: Are mechanisms used for restricting user access to data that is contained in databases.

 – Physically constrained interfaces: Can be implemented by only providing certain keys on a keypad or touch buttons on a screen.

Access Control Matrix: Is a table of subjects and objects indicating what actions individual subjects can take upon individual objects.

Is usually an attribute of DAC models and the access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).

Capability Tables: Specifies the access rights a certain subject possesses pertaining to specific objects. The subject is bound to the capability table. Is used in Kerberos.

Access Control Lists: They are lists of subjects that are authorized to access a specific object and they define what level of authorization is granted. Authorization can be specified to an individual, role or group.
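The access control matrix and its two projections, capability tables (rows) and ACLs (columns), as an added example that is not code from the original notes. The subjects, objects and rights are constructed, and the "own" right used to model DAC ownership is an assumption of this example.

```python
"""An access control matrix, its ACL and capability views, and a DAC grant."""
from typing import Dict, FrozenSet

Rights = FrozenSet[str]

# Constructed matrix: rows are subjects, columns are objects, cells are rights.
MATRIX: Dict[str, Dict[str, Rights]] = {
    "alice": {"payroll.db": frozenset({"read", "write"}), "report.doc": frozenset({"read"})},
    "bob":   {"report.doc": frozenset({"read", "write", "own"})},
    "carol": {"payroll.db": frozenset({"read"})},
}


def acl_for(obj: str) -> Dict[str, Rights]:
    """Object-centric view: one column of the matrix, stored with the object."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}


def capabilities_for(subject: str) -> Dict[str, Rights]:
    """Subject-centric view: one row of the matrix, bound to the subject."""
    return dict(MATRIX.get(subject, {}))


def check_via_acl(subject: str, obj: str, right: str) -> bool:
    return right in acl_for(obj).get(subject, frozenset())


def check_via_capability(subject: str, obj: str, right: str) -> bool:
    return right in capabilities_for(subject).get(obj, frozenset())


def views_agree() -> bool:
    """Both projections must answer every (subject, object, right) question identically."""
    objects = {o for row in MATRIX.values() for o in row}
    rights = {r for row in MATRIX.values() for cell in row.values() for r in cell}
    return all(check_via_acl(s, o, r) == check_via_capability(s, o, r)
               for s in MATRIX for o in objects for r in rights)


def dac_grant(owner: str, obj: str, grantee: str, right: str) -> bool:
    """DAC: only a subject holding 'own' on the object may extend its access list.
    Returns True when the grant was applied, False when the requester is not the owner."""
    if "own" not in MATRIX.get(owner, {}).get(obj, frozenset()):
        return False
    row = MATRIX.setdefault(grantee, {})
    row[obj] = row.get(obj, frozenset()) | {right}
    return True
```

Which projection a system stores is a design choice: an ACL lives with the object and is easy to review per resource, a capability list travels with the subject and is easy to revoke per user; the matrix itself is the same either way.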

Content-Dependent Access Control: Access to objects is determined by the content within the object.

Access Control Administration

Centralized: One entity (department or individual) is responsible for granting all users access to resources. Provides a consistent and uniform method of controlling users’ access rights. Examples of centralized access control technologies:

 – RADIUS / Remote Authentication Dial-in User Service: Is an authentication protocol that authenticates and authorizes users, usually dial-up users.

 – TACACS / Terminal Access Controller Access Control System: Is a client/server protocol that provides the same type of functionality as RADIUS.

Three generations:

  * TACACS – Combines authentication and authorization.

  * XTACACS – Separates authentication, authorization and accounting processes.

  * TACACS+ – Separates authentication, authorization and accounting processes, with extended two-factor user authentication.

Decentralized and Distributed Access Administration: Gives control of access to the people closer to the resources. Does not provide uniformity and fairness across the organization.

Examples of decentralized access control administration techniques:

Security Domain: Can be described as a realm of trust. All subjects and objects share common security policies, procedures and rules and they are managed by the same management system. Each security domain is different because different policies and management govern it. Can be implemented in hierarchical structures and relationships. Are used within operating systems and applications to ensure that rogue activities do not accidentally damage important system files or processes. Protection of security level is done through segmenting memory spaces and addresses. A security domain can also be described as the resources available to a user.

Hybrid: Is a combination of the centralized and decentralized access control administration methods.

Access Control Methods

Administrative Controls

Policy and Procedures: Is a high level plan stating management’s intent pertaining to how security should be practiced within an organization, what actions are acceptable and what level of risk the company is willing to accept. Senior management will decide if DAC, MAC or RBAC access methodology should be used and if it should be administered via centralization or decentralization.

Personnel Controls: Indicate how employees are expected to interact with security mechanisms and address noncompliance issues pertaining to these expectations.

 – Separation of duties: No one individual can carry out alone a critical task that could prove detrimental to the company.

 – Collusion: More than one person would have to take part in the fraud, and they would need to act in concert.

 – Rotation of duties: People need to know how to fulfil the obligations of more than one position.

Supervisory Structure: Each employee has a superior to report to and that superior in return is responsible for that employee’s actions.

Security Awareness Training: People are usually the weakest link and cause the most security breaches and compromises.

Testing – All security controls and mechanisms need to be tested on a periodic basis to ensure they properly support the security policy, goals and objectives set for them.

Physical Controls:

Network Segregation –  Can be carried out through physical and logical means.

Perimeter Security –  Mechanisms that provide physical access control by providing protection for individuals, facilities and the components within facilities.

Computer Control –  Physical controls installed and configured.

Work Area Separation –  Controls that are used to support access control and the overall security policy of the company.

Data Backups – Ensure access to information in case of an emergency or a disruption of the network or a system.

Cabling – All cables need to be routed throughout the facility in a manner that is not in people’s way or that could be exposed to any danger of being cut, burnt, crimped or eavesdropped upon.

Logical Controls:

System Access – A technical control that can enforce access control objectives.

Network Architecture – Can be constructed and enforced through several logical controls to provide segregation and protection of an environment. Can be segregated physically and logically.

Network Access – Access to different network segments should be granular in nature. Routers and switches can be used to ensure that only certain types of traffic get through to each segment.

Encryption and protocols – Works as technical controls to protect information as it passes throughout a network and resides on computers.

Control Zone – Is a specific area that surrounds and protects network devices that emit electrical signals.

Auditing – Technical controls that track activity within a network, on a network device or on a specific computer.

Access Control Types (P – Physical / A – Administrative / T – Technical)

Preventative: Controls used to deter and avoid undesirable events from taking place.

P –  Fences, Locks, Badge System, Security guard, Biometric system, Mantrap door, Lighting, CCTV, Alarms

A – Security policy, Monitoring and supervising, Separation of duties, Job rotation, Information Classification, Personnel procedures, Testing, Security awareness training.

T – ACLs, Routers, Encryption,  IDS, Antivirus software, Firewalls, Smart cards, Dial-up call-back systems.

Detective: Controls used to identify undesirable events that have occurred.

P –  Security guard, Biometric system, Motion detectors, CCTV, Alarms, Backups.

A – Monitoring and supervising, Job rotation, Personnel procedures, Investigations, Security awareness training.

T – Audit logs,  IDS, Antivirus software, Firewalls.

Corrective: Controls used to correct undesirable events that have occurred.

P –  Fences, Locks, Badge System, Security guard, Biometric system, Mantrap door, Lighting, CCTV, Alarms

A – Security policy.

T – IDS, Antivirus software.

Deterrent: Controls used to discourage security violations.

P –  Backups

A – Monitoring and supervising, Separation of duties, Personnel procedures.

T – Encryption,  IDS, Firewalls.

Recovery: Controls used to restore resources and capabilities.

P –  Fences, Locks, Security guard, Mantrap door, Lighting, Alarms, Backups

A –

T – Antivirus software.

Compensation: Controls used to provide alternatives to other controls.

P –

A – Monitoring and supervising, Personnel procedures.

T –

Review of audit information:

Audit reduction – Reduces the amount of information within an audit log.

Variance-detection tool – Monitors computer and resource usage trends and detects variations.

Attack signature-detection tool – The application will have a database of information that has been known to indicate specific attacks.
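The three review techniques above run over a constructed audit log, as an added example that is not code from the original notes. The log format, the seventeen log lines, the usage baseline, the business-hours window and the single signature (failed logons beyond the clipping level followed by a success from the same source) are all assumptions of this example.

```python
"""Audit reduction, variance detection and signature detection over sample log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed audit log: one event per line, key=value fields after the timestamp.
CONSTRUCTED_LOG = """\
2024-03-01T08:00:01 user=alice event=LOGIN result=OK src=10.0.0.5
2024-03-01T08:00:40 user=alice event=FILE_READ result=OK src=10.0.0.5
2024-03-01T08:01:10 user=bob event=LOGIN result=OK src=10.0.0.7
2024-03-01T08:01:12 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T08:01:15 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T08:01:19 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T08:01:22 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T08:01:30 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T08:01:41 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T08:01:55 user=bob event=FILE_READ result=OK src=10.0.0.7
2024-03-01T23:10:00 user=carol event=LOGIN result=FAIL src=198.51.100.9
2024-03-01T23:10:05 user=carol event=LOGIN result=FAIL src=198.51.100.9
2024-03-01T23:10:10 user=carol event=LOGIN result=FAIL src=198.51.100.9
2024-03-01T23:10:15 user=carol event=LOGIN result=FAIL src=198.51.100.9
2024-03-01T23:10:20 user=carol event=LOGIN result=FAIL src=198.51.100.9
2024-03-01T23:10:25 user=carol event=LOGIN result=OK src=198.51.100.9
2024-03-01T23:11:00 user=carol event=ACL_CHANGE result=OK src=198.51.100.9
"""

ROUTINE_EVENTS = {"LOGIN", "LOGOUT", "FILE_READ"}  # dropped by reduction when successful
BUSINESS_HOURS = range(7, 20)                      # 07:00 to 19:59 (constructed)
CLIPPING_LEVEL = 3                                 # failed logons tolerated per window
WINDOW = timedelta(seconds=60)

# Constructed per-day baseline of (user, event) volumes for variance detection.
BASELINE: Dict[Tuple[str, str], int] = {
    ("alice", "LOGIN"): 1, ("alice", "FILE_READ"): 2,
    ("bob", "LOGIN"): 1, ("bob", "FILE_READ"): 3,
    ("carol", "LOGIN"): 1,
}


def parse(log: str) -> List[dict]:
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def audit_reduction(events: List[dict]) -> List[dict]:
    """Keep failures, non-routine events and anything outside business hours."""
    return [e for e in events
            if e["result"] != "OK" or e["event"] not in ROUTINE_EVENTS
            or e["ts"].hour not in BUSINESS_HOURS]


def variance_detection(events: List[dict], baseline: Dict[Tuple[str, str], int],
                       factor: float = 2.0) -> Dict[Tuple[str, str], Tuple[int, Optional[int]]]:
    """Flag (user, event) pairs whose volume exceeds factor x baseline or that have no baseline."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        counts[(e["user"], e["event"])] += 1
    return {key: (n, baseline.get(key)) for key, n in counts.items()
            if baseline.get(key) is None or n > factor * baseline[key]}


def signature_detection(events: List[dict]) -> List[Tuple[str, str, datetime, datetime]]:
    """Known pattern: at least CLIPPING_LEVEL failed logons for one account from one
    source inside WINDOW, followed by a successful logon from that same source."""
    recent_fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    hits = []
    for e in events:
        if e["event"] != "LOGIN":
            continue
        key = (e["user"], e["src"])
        fails = [t for t in recent_fails[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= CLIPPING_LEVEL:
            hits.append((e["user"], e["src"], fails[0], e["ts"]))
            fails = []
        recent_fails[key] = fails
    return hits
```

Reduction throws away the ten routine daytime events and leaves the seven that a reviewer should look at; variance detection flags bob's unusual read volume and carol's login burst and never-before-seen ACL change; the signature catches the guessing-then-success sequence on carol's account. Each technique misses something the others catch, which is why the notes list all three.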

Keystroke Monitoring: Reviews and records the keystrokes entered by a user during an active session.

Access Control Monitoring

IDS / Intrusion detection:

Network-based – Monitors a network or a segment of the network.

Host-based – Monitors a particular system.

Knowledge-based / signature-based – Models of how the attacks are carried out are developed.

Behaviour-based / Statistical – Observes and detects deviation from expected behaviour of users and systems.

TIM / Time-based induction machine – Performs real-time anomaly detection.

Honeypot – A ”fake” system that is not locked down and has open ports and services enabled within the network.

Network sniffers – A type of wiretap that plugs into a network for the purpose of eavesdropping on network traffic.

Threats to Access Control

Dictionary Attack: Programs that enable an attacker to identify user credentials. The program is fed lists of commonly used words or combinations of characters, and the program applies these values to a logon prompt.

Brute Force Attack: An attack that continually tries different inputs to achieve a predefined goal. Brute force techniques are also used in wardialing efforts.

Spoofing at Login: A program that presents a fake login screen to obtain user credentials.
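The preventive side of the dictionary and brute force threats, tying them back to the password checker, clipping level and limit-on-login-attempts controls from the Passwords section: an added example that is not code from the original notes. The wordlist, the minimum length, the clipping level of 3, the 15-minute lockout and the PBKDF2 round count are constructed values, and the decision to lock on the failure that exceeds the clipping level (rather than the one that reaches it) is an assumption of this example.

```python
"""A password checker and a clipping-level lockout guarding a logon prompt."""
import hashlib
import hmac
import os
from typing import List

WORDLIST = {"password", "letmein", "qwerty", "welcome", "admin", "monkey"}  # constructed
MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000


def password_check(candidate: str) -> List[str]:
    """Password checker: the reasons a user-chosen password is rejected (empty = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # A dictionary word with digits or punctuation tacked on is still a dictionary word.
    stem = candidate.lower().rstrip("0123456789!@#$%^&*.")
    if candidate.lower() in WORDLIST or stem in WORDLIST:
        reasons.append("based on a dictionary word")
    return reasons


class Account:
    """Stores a salted PBKDF2 hash, never the password, plus lockout state."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password)
        self.failures = 0          # consecutive failed logons since the last success
        self.locked_until = 0.0    # epoch seconds; 0 means not locked

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Limit login attempts: once failures exceed the clipping level the account locks,
    so a guessing program gets a bounded number of tries per lockout period."""

    def __init__(self, clipping_level: int = 3, lockout_seconds: int = 900):
        self.clipping_level = clipping_level
        self.lockout_seconds = lockout_seconds

    def attempt(self, account: Account, password: str, now: float) -> str:
        if now < account.locked_until:
            return "LOCKED"        # refused before the password is even checked
        if hmac.compare_digest(account._derive(password), account.pw_hash):
            account.failures = 0
            return "OK"
        account.failures += 1
        if account.failures > self.clipping_level:
            account.locked_until = now + self.lockout_seconds
            account.failures = 0
            return "LOCKED"
        return "FAIL"
```

The clock is passed in explicitly so the lockout can be exercised without waiting; a real deployment would also log every FAIL and LOCKED result, which is exactly the audit data the detection tools above consume.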