Study Guide: SSCP: 2. Access Controls
Source: https://www.fatskills.com/systems-security-certified-practitioner-sscp/chapter/sscp-2-access-controls

SSCP: 2. Access Controls

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Access control systems use identification and authentication. Identification occurs when a subject professes an identity, and authentication occurs when the user proves that identity. Administrators authorize authenticated users to access resources by granting permissions on those resources.
The three factors of authentication are something you know (such as passwords), something you have (such as smart cards), and something you are (using biometrics). Most organizations use written password policies to define requirements. Technical controls implement and enforce password policies, and auditing tools verify compliance with the policies.
Passwords are the weakest authentication mechanism. Static passwords stay the same over a period of time. Dynamic one-time passwords use a different password for each user session and provide much more security than static passwords. Cognitive passwords are based on information that a user knows but an attacker is unlikely to know.
Smart cards, hardware tokens, and proximity cards are examples of something you have. It’s common to combine these methods with an additional factor of authentication, providing multifactor authentication. For example, users often enter a PIN along with using a smart card.
Hardware tokens use one-time passwords. A synchronous one-time password is time-based and requires the token and a server to be synchronized. An asynchronous one-time password doesn’t require time synchronization but instead uses another method to create the password. Software tokens use protocols such as Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP). TOTP creates synchronous time-based one-time passwords. HOTP, One-time Passwords In Everything (OPIE), and S/KEY create asynchronous one-time passwords.
Many organizations implement two-step authentication using HOTP and/or TOTP. After a user attempts to log on, the authenticating system sends a numeric code to the user and requires the user to enter this code to complete the logon process.
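The synchronous/asynchronous distinction above is easiest to see in code. The following is an added example, not part of the study guide: HOTP (RFC 4226) and TOTP (RFC 6238) built from the standard library only, with the server-side verification windows a practitioner has to get right. The secret is the RFCs' published test-vector secret, so the outputs can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Asynchronous OTP (RFC 4226): the moving factor is an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Synchronous OTP (RFC 6238): the counter is the clock divided into 30 s steps,
    so token and server must agree on the time."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 3):
    """Server-side HOTP check with a resync window. Returns the counter value the server
    should store next, or None; advancing past the match prevents replay of a used code."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side TOTP check accepting +/- `skew` steps to tolerate small clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # Known-answer values: HOTP counter 0 is 755224, TOTP at t=59 (8 digits) is 94287082.
    print(hotp(TEST_SECRET, 0), totp(TEST_SECRET, 59, digits=8),
          totp(TEST_SECRET, int(time.time())))
```

A production TOTP verifier also records the last accepted time step, so that a code cannot be reused within the skew window.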
Biometric methods measure physical characteristics of individuals, such as their fingerprints, palms, retinas, and irises. These characteristics belong to the something you are factor of authentication. When evaluating the effectiveness of biometrics, you should consider the type 1 and type 2 errors. The False Rejection Rate (FRR, or type 1 error) is the percentage of times a system falsely rejects a known user. The False Acceptance Rate (FAR, or type 2 error) is the percentage of times a biometric system falsely identifies an unknown user as a known user. The Crossover Error Rate (CER) is the point where the FAR and FRR are equal. A lower CER indicates a better biometric system.
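To make the FRR/FAR/CER relationship concrete, here is an added example (not from the study guide) that sweeps a match-score threshold over constructed genuine and impostor scores, finds the crossover point, and shows the security-versus-convenience trade-off of moving the threshold. The score lists are made up for illustration.

```python
# Constructed sample similarity scores (0..100), not real sensor data: GENUINE are
# enrolled users matched against their own template, IMPOSTOR are other people
# matched against that template.
GENUINE = [62, 70, 74, 78, 81, 84, 86, 88, 90, 93, 95, 97]
IMPOSTOR = [10, 18, 25, 31, 38, 44, 50, 55, 60, 66, 72, 79]


def frr(genuine, threshold):
    """Type 1 error: fraction of known users rejected because their score is below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """Type 2 error: fraction of unknown users accepted because their score reaches threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine, impostor):
    """Sweep the threshold and return (threshold, CER) where FAR and FRR are closest.
    A lower CER means the system separates genuine from impostor scores better."""
    best = None
    for t in range(0, 101):
        f_a, f_r = far(impostor, t), frr(genuine, t)
        if best is None or abs(f_a - f_r) < best[0]:
            best = (abs(f_a - f_r), t, (f_a + f_r) / 2)
    return best[1], best[2]


def threshold_for_max_far(impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far: tuning toward security
    (fewer impostors accepted) at the cost of a higher FRR for legitimate users."""
    return next(t for t in range(0, 101) if far(impostor, t) <= max_far)


if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER {cer:.3f} at threshold {t}")
    strict = threshold_for_max_far(IMPOSTOR, 0.1)
    print(f"FAR<=10% needs threshold {strict}, FRR then {frr(GENUINE, strict):.3f}")
```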
Single sign-on (SSO) allows a user to authenticate once for a system. The user can then access any resources in the system (as long as the user has access) without authenticating again. Kerberos is a popular SSO protocol used within networks. A Kerberos server issues symmetric encryption keys as a Key Distribution Center (KDC) and issues tickets as a ticket-granting server. Kerberos provides authentication on a network and contributes to the confidentiality and integrity of information. Many SSO systems use federated access, providing centralized authentication for different systems. Security Assertion Markup Language (SAML) uses an XML-based data format to share SSO information between servers within a federated identity management system. While SAML is primarily used for authentication, it can also exchange authorization information between different entities.
Two newer SSO technologies are OAuth 2.0 and OpenID Connect. OAuth 2.0 is an authorization framework. OpenID Connect is an authentication layer that is commonly used to extend the capabilities of OAuth. Combined, the two allow websites and online web applications to verify the identity of end users without managing the users’ credentials.
Access controls enforce security. For example, a security kernel (a central part of an operating system) enforces security for the operating system by monitoring subjects and objects. Examples of subjects are users, computers, and applications. Examples of objects include data, hardware, and facilities. Access controls can be logical (implemented with technology such as a security kernel) or physical (such as locked doors).
Several access control models are in use, including discretionary (DAC), non-discretionary (non-DAC), mandatory (MAC), role-based (Role-BAC or RBAC), rule-based, and attribute-based (ABAC) models. The DAC model provides the most granular control and is a subject-based or identity-based model. Individual users own the objects (such as files), and as the data owners, they can assign permissions to subjects (such as other users) as desired. DAC is used with file systems such as NTFS with Microsoft systems and NFS with Linux systems.
The RBAC model uses roles. Subjects (such as users) are placed into roles, and permissions to objects are assigned directly to the role. In non-DAC models, security administrators control access. An ABAC model is a sophisticated type of Rule-based Access Control model. Policies identify attributes of subjects, objects, and the environment to control access.
The MAC model provides the highest level of security when compared to DAC and RBAC models. Both subjects and objects are assigned labels, and when the labels match, access is granted. Several architectures are based on the MAC model. The Bell-LaPadula model has a primary goal of ensuring confidentiality and uses the rules of no read up and no write down. The Biba model has a primary goal of ensuring integrity and uses the rules of no read down and no write up. The Clark-Wilson model protects integrity through certification and enforcement rules that also enforce separation of duties. The Brewer-Nash model helps prevent conflicts of interest by preventing access to data organized in conflict-of-interest classes.
Many access control models use an access control matrix and/or a capability table. An access control matrix is object based, with a list of objects along with the permissions granted for each object. A capability table is subject based, with a list of subjects along with the capabilities granted to the subjects.
Identity and access management includes provisioning, maintenance, entitlement, and de-provisioning. Provisioning includes creating accounts and providing appropriate access. Many organizations use roles or groups to manage access to resources. Account management ensures that accounts use appropriate password policies and account lockout policies to help thwart online brute-force password attacks. Entitlement refers to privileges granted to users and helps ensure that the principle of least privilege is followed. Proper de-provisioning practices ensure that accounts are disabled when the employee is no longer working for the company.
Physical security controls include any controls that you can physically touch. Badges are one type of physical security control and typically include a picture of the employee. Badges can also include other capabilities such as a proximity card and/or a smart card. Data center assessments evaluate the physical security methods used to protect data centers.