1 access control systems & methodology cissp. 2 topics to be covered overview access control...
TRANSCRIPT
![Page 1: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/1.jpg)
1
Access Control Access Control Systems & Systems & MethodologyMethodology
CISSP
![Page 2: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/2.jpg)
2
Topics to be covered
Overview Access control
implementation Types of access control MAC & DAC Orange Book Authentication Passwords Biometrics
Tokens/SSO Kerberos Attacks/Vulnerabilities/
Monitoring IDS Object reuse TEMPEST RAS access control Penetration Testing
![Page 3: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/3.jpg)
3
What is access control?
Access control is the traditional center of security
Definitions: The ability to allow only authorized users, programs or
processes system or resource access The granting or denying, according to a particular
security model, of certain permissions to access a resource
An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
![Page 4: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/4.jpg)
4
Access control nomenclature Authentication
Process through which one proves and verifies certain information
Identification Process through which one ascertains the identity of another
person or entity
Confidentiality Protection of private data from unauthorized viewing
Integrity Data is not corrupted or modified in any unauthorized manner
Availability System is usable. Contrast with Denial of Service (DOS)
![Page 5: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/5.jpg)
5
How can AC be implemented?
Hardware Software
Application Protocol (Kerberos, IPSec)
Physical Logical (policies)
![Page 6: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/6.jpg)
Why access control does not work?
? ?
![Page 7: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/7.jpg)
7
What does AC hope to protect? Data - Unauthorized viewing,
modification or copying System - Unauthorized use, modification
or denial of service It should be noted that nearly most network
operating system is based on a secure physical infrastructure
The easiest way to protect data is not to have it one the system. Make it some-one else’s problem.
![Page 8: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/8.jpg)
8
Proactive access control
Awareness training Background checks Separation of duties Split knowledge Policies Data classification Effective user registration Termination procedures Change control procedures
![Page 9: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/9.jpg)
9
Physical access control
Guards Locks Mantraps ID badges Digital Carmeras, sensors, alarms Biometrics Fences - the higher the voltage the better Card-key and tokens Guard dogs
![Page 10: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/10.jpg)
10
AC & privacy issues
Expectation of privacy Policies Monitoring activity, Internet usage,
e-mail Login banners should detail
expectations of privacy and state levels of monitoring
HIPPA
![Page 11: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/11.jpg)
11
Varied types of Access Control Discretionary (DAC) Mandatory (MAC) Lattice/Role/Task Formal models:
Biba Take/Grant Clark/Wilson Bell/LaPadula
Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.
Not Real Useful, but part of the test!
![Page 12: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/12.jpg)
12
Problems with formal models
Based on a static infrastructure Defined and succinct policies These do not work in corporate systems which are
extremely dynamic and constantly changing None of the previous models deals with:
Viruses/active content Trojan horses firewalls
Limited documentation on how to build these systems
Last Generation
![Page 13: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/13.jpg)
13
MAC vs. DAC
Discretionary Access Control You decided how you want to protect
and share your data
Mandatory Access Control The system decided how the data will
be shared
![Page 14: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/14.jpg)
14
Mandatory Access Control
Assigns sensitivity levels, Secret, Confidential .. (AKA labels)
Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
Only the administrators, not object owners, make change the object level
Generally more secure than DAC Orange book B-level Used in systems where security is critical, i.e.,
military
![Page 15: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/15.jpg)
15
Mandatory Access Control (Continued)
Downgrade in performance Relies on the system to control access Example: If a file is classified as confidential,
MAC will prevent anyone from writing secret or top secret information into that file.
All output, i.e., print jobs, floppies, other magnetic media must have be labeled as to
the sensitivity level
![Page 16: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/16.jpg)
16
Discretionary Access Control
Access is restricted based on the authorization granted to the user
Orange book C-level Prime use to separate and protect
users from unauthorized data Used by Unix and Windows. Relies on the object owner to
control access
![Page 17: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/17.jpg)
17
Access control lists (ACL)
A file used by the access control system to determine who may access what programs and files, in what method and at what time
Different operating systems have different ACL terms
Types of access: Read/Write/Create/Execute/Modify/Delete/Rename
![Page 18: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/18.jpg)
18
Standard UNIX file permissions
Permission Allowed action, ifobject is a file
Allow action if object is adirectory
R (read) Reads contents of a file List contents of the directoryX (execute) Execute file as a program Search the directoryW (write) Change file contents Add, rename, create files and
subdirectories
![Page 19: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/19.jpg)
19
Standard Sharing - Changing
![Page 20: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/20.jpg)
20
Orange Book
DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
Provides the information needed to classify systems (A,B,C,D), defining the degree of trust that may be placed in them
For stand-alone systems only
![Page 21: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/21.jpg)
21
Orange book levels
A - Verified protection A1 Boeing SNS, Honeywell SCOMP
B - MAC B1/B2/B3 MVS w/ s, ACF2 or TopSecret, Trusted IRIX
C - DAC C1/C2 DEC VMS, NT, NetWare, Trusted Solaris
D - Minimal security. Systems that have been evaluated, but failed
![Page 22: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/22.jpg)
22
Problems with the Orange Book
Based on an old model, Bell-LaPadula
Stand alone network systems extensions exist
Systems take a long time Certification is expensive For the most part, not used outside
of the government sector
![Page 23: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/23.jpg)
23
Red Book
Used to extend the Orange Book to networks
Actually two works: Trusted Network Interpretation of the TCSEC
(NCSC-TG-005) Trusted Network Interpretation
Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
![Page 24: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/24.jpg)
24
Authentication
3 types of authentication:
Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant
Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport
Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA
![Page 25: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/25.jpg)
Confidentiality Integrity Availability
![Page 26: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/26.jpg)
26
Multi-factor authentication
2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. ATM card + PIN Credit card + signature PIN + fingerprint Username + Password (NetWare, Unix, NT default)
3-factor authentication -- For higher security Username + Passcode + SecurID token Username + Password + Fingerprint
![Page 27: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/27.jpg)
27
Problems with passwords
Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords.
Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember
Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
![Page 28: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/28.jpg)
28
Classic password rules
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack.
Don’t use: common names, DOB, spouse, phone #, etc. word found in dictionaries password as a password systems defaults
Those trying break passwords have access to most password rules in their tool kit!
![Page 29: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/29.jpg)
29
Password management
Configure system to use string passwords Set password time and lengths limits Limit unsuccessful logins Limit concurrent connections Enabled auditing How policies for password resets and
changes Use last login dates in banners
![Page 30: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/30.jpg)
30
Password Attacks
See if it is “password” Brute force
l0phtcrack Dictionary
Crack John the Ripper
Trojan horse login program
![Page 31: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/31.jpg)
31
Biometrics
Authenticating a user via human characteristics
Using measurable physical characteristics of a person to prove their identification
Fingerprint signature dynamics Iris retina voice face DNA, blood
![Page 32: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/32.jpg)
32
Advantages of hand / fingerprint-based biometrics
• Can’t be lent like a physical key or token and can’t be forgotten like a password
• Good compromise between ease of use, template size, cost and accuracy
• Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
• Basically lasts forever -- or at least until amputation or dismemberment
• Makes network login & authentication effortless
![Page 33: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/33.jpg)
33
Biometric Disadvantages
Still relatively expensive per user Cost is going down!
Companies & products are often new & immature
Some hesitancy for user acceptance After 9-11, some thoughts towards use
at airport security.
![Page 34: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/34.jpg)
34
Biometric privacy issues
Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
![Page 35: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/35.jpg)
U.S. Airports Now Fingerprint Foreigners
Foreigners arriving at U.S. airports were photographed and had their fingerprints scanned Monday in the start of a government effort to use some of the latest surveillance technology to keep terrorists out of the country.
![Page 36: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/36.jpg)
36
Practical biometric
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security, welfare, etc.)
Verifying identities at point of sale
Using in conjunction with ATM , credit or smart cards
Controlling physical access to office buildings or homes Protecting personal property
Prevent against kidnapping in schools, play areas, etc.
Protecting children from fatal gun accidents
Voting/passports/visas & immigration
![Page 37: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/37.jpg)
37
Tokens
Used to facilitate one-time passwords
Physical card SecurID S/Key Smart card Access token
![Page 38: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/38.jpg)
38
Single sign-on
User has one password for all enterprise systems and applications
That way, one strong password can be remembered and used
All of a users accounts can be quickly created on hire, deleted on dismissal
Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, x.509
![Page 39: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/39.jpg)
39
Kerberos
Part of MIT’s Project Athena Currently in version 5 Kerberos is an authentication protocol used for
networkwide authentication All software must be kerberized Tickets, authenticators, key distribution center
(KDC) Divided into realms Kerberos is the three-headed dog that guards
the entrance to Hades (this won’t be on the test)
![Page 40: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/40.jpg)
40
Attacks
Passive attack - Monitor network traffic and then use data obtained or perform a replay attack.
Hard to detect Active attack - Attacker is actively trying to break-
in. Exploit system vulnerabilities Spoofing Crypto attacks
Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation
Smurf, SYN Flood, Ping of death Mail bombs
![Page 41: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/41.jpg)
41
Vulnerabilities
Follow the Money! Physical Natural
Floods, earthquakes, terrorists, power outage, lightning
Hardware/Software Media
Corrupt electronic media, stolen disk drives
Emanation Communications Human
Social engineering, disgruntled staff
![Page 42: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/42.jpg)
42
Monitoring
IDS Logs Audit trails Network tools
Tivoli Spectrum OpenView
![Page 43: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/43.jpg)
43
Intrusion Detection Systems
IDS monitors system or network for attacks
IDS engine has a library and set of signatures that identify an attack
Adds defense in depth Should be used in conjunction with
a system scanner
![Page 44: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/44.jpg)
44
Object reuse
With Compact Disks – One-Time Write not much of an issue; with tapes, floppies, read/write CDs
Sample Rules Must ensure that magnetic media must not have any
remnance of previous data Also applies to buffers, cache and other memory allocation Documents recently declassified as to how 10-pass writes
were recovered Objects must be declassified Magnetic media must be degaussed or have secure
overwrites
![Page 45: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/45.jpg)
45
TEMPEST - DoD
Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
TEMPEST certified equipment, which encases the hardware into a tight, metal construct, shields the electromagnetic emanations
WANG Federal is the leading provider of TEMPEST hardware TEMPEST hardware is extremely expensive and can only be
serviced by certified technicians Rooms & buildings can be TEMPEST-certified TEMPEST standards NACSEM 5100A NACSI 5004 are
classified documents
![Page 46: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/46.jpg)
46
Banners
Mostly to protect provider – no one reads them Some Reasons
Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
Not foolproof, but a good start, especially from a legal perspective
Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
![Page 47: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/47.jpg)
47
Penetration Testing
Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
Discovery and footprint analysis Exploitation Physical Security Assessment Social Engineering
Attempt to identify vulnerabilities and gain access to critical systems within organization
Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
Assessments allow client to demonstrate the need for additional security resources, by translating exiting vulnerabilities into real life business risks
![Page 48: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/48.jpg)
48
Rule of least privilege
One of the most fundamental principles of infosec States that: Any object (user, administrator,
program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
An AC system that grants users only those rights necessary for them to perform their work
Limits exposure to attacks and the damage an attack can cause
Physical security example: car ignition key vs. door key
![Page 49: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered Overview Access control implementation Types of access control MAC & DAC Orange](https://reader036.vdocuments.mx/reader036/viewer/2022062516/56649e565503460f94b4e819/html5/thumbnails/49.jpg)
49
Implementing least privilege
Ensure that only a minimal set of users have access to full system.
Don’t run insecure programs on the firewall or other trusted host.
Lots more!