CISSP: Study Notes — Security Management and Access Control

Security Management

  • Define compulsory: mandatory, enforced. Ex. Following the security policy is compulsory.

Access Control

  • Evaluating Biometric Devices
    The key concepts here are memorization of Type I error, Type II error, and CER. A Type I error is a false rejection. For example, Joe should be allowed in the data center. If Joe scans his retina and is denied access to the data center, it is a false rejection or Type I error. A Type II error is just the opposite. If Jill does not have access to the data center, scans her retina, and access is granted, that is a false acceptance or Type II error.
  • DAC, MAC, and Security Labels
    The type of access control system typical computer users are accustomed to is called a Discretionary Access Control system. This means that a user's right to read/write/execute an object is based solely on their need-to-know. Data owners are able to decide who can access the data via an Access Control List (ACL). Because the military and other government agencies want to control access based both on classification and need-to-know, they use the Mandatory Access Control system. A Security Label is an attribute of an object defining its classification level and need-to-know categories. A person must have both a clearance equal to or greater than the object's and have been granted a need-to-know for one or more of the categories contained in the security label in order to access the object.
  • Capability Table
    This was a new term for me. Essentially a capability table is a list of permissions that is bound to a subject, whereas an ACL is a list of permissions bound to an object. I'm sure the term is wrong, but I like to think of it as an inverse of an ACL.
  • Traffic Analysis Attack
    Now to me, this attack is quite a stretch. Basically, it says that by watching traffic patterns people can discover information. Now in that simple form, yes, traffic monitoring can lead to all types of great information. My problem is with the book's example: "For example, heavy traffic between HR and headquarters could indicate an upcoming layoff." Maybe it's just me, but that seems like a leap. I'm much more inclined to believe an upcoming layoff could be revealed by looking at the email flying by, not so much by the amount of traffic.
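To make the Type I / Type II / CER definitions above concrete, here is an added example (not from the study notes) that scores a biometric matcher on constructed sample data: it computes the false rejection rate (Type I) and false acceptance rate (Type II) at each threshold and locates the crossover error rate (CER) where the two are equal.

```python
# Added example, not part of the original notes. Match scores are constructed
# sample data: a higher score means the scanned retina is closer to the template.
GENUINE = [72, 80, 85, 88, 90, 91, 93, 95, 97, 99]    # enrolled users, like Joe
IMPOSTOR = [40, 55, 60, 65, 70, 74, 78, 82, 86, 89]   # people not enrolled, like Jill


def type1_frr(genuine, threshold):
    """Type I error rate: legitimate users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def type2_far(impostor, threshold):
    """Type II error rate: impostors whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine, impostor):
    """Sweep every threshold; the CER is the point where FRR and FAR are closest.

    Returns (threshold, cer). Raising the threshold trades Type II errors for
    Type I errors, so the CER is the usual single-number comparison between devices.
    """
    best = None
    for t in range(0, 101):
        frr, far = type1_frr(genuine, t), type2_far(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, (frr + far) / 2


def classify_outcome(score, threshold, enrolled):
    """Name a single scan's outcome the way the exam does."""
    accepted = score >= threshold
    if enrolled and not accepted:
        return "Type I error (false rejection)"
    if not enrolled and accepted:
        return "Type II error (false acceptance)"
    return "correct decision"


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t}")
    print("Joe scores 78:", classify_outcome(78, t, enrolled=True))
    print("Jill scores 86:", classify_outcome(86, t, enrolled=False))
```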

Studying for the CISSP: Self Check (1–4)

I got away from studying for the CISSP a couple months ago when I ran into some stressful life situations. Now that things are back in order, I'm hitting the books again. Last week I read Chapters 3 and 4, covering Security Models & Architecture and Physical Security respectively. Tonight I took the self exam for each of the first four chapters. Needless to say, I'm not happy with my results. This does provide a nice benchmark for me though.

0.91 (10/11)    Security Management
0.50 (6/12)     Access Control
0.45 (5/11)     Security Models & Architecture
1.00 (13/13)    Physical Security
0.72 (34/47)    Total

Since I plan on using this blog mainly as a repository of my thoughts, below is my list of items that require further study and some quick thoughts about them.

  • Compulsory — I missed the question not because I didn't understand the topic and answers, but because I didn't understand what compulsory meant. I thought it meant "optional." Nope, it actually means: "mandatory." Oops!
  • Biometric Evaluation — Here I need to know what Type I, Type II, and CER stand for.
  • Kerberos — Even though I know it's an authentication protocol, I need to better understand the specific weaknesses it has.
  • Security Label — This is part of MAC (Mandatory Access Control) and is a concept where information about an object including classification level and need-to-know is maintained. A subject's clearance and need-to-know are compared against the object's before granting access.
  • Capability Tables are the rows of an Access Control Matrix that are bound to the subjects.
  • Access Control Lists are the columns of an Access Control Matrix that are bound to the objects.
  • RADIUS, TEMPEST, TACACS, Diameter — I must understand the what/when/why/how of each and their differences.
  • Brush up on the differences between Multitasking, Multiprocessing, Multithreading, and Multiprogramming.
  • Reference Monitor
  • Security Kernel
  • Clark-Wilson Model
  • Trusted Computing Base
  • Biba Model
  • Bell-LaPadula Model
  • Common Criteria — Mainly TOE, EPL and Protection Profiles
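The Security Label, Capability Table and Access Control List items above (and the DAC/MAC discussion in the first section) fit together in one small model, shown here as an added example that is not part of the original notes: a sparse access control matrix read by column (ACL) or by row (capability table) for DAC, and a clearance-versus-label comparison for MAC, combined the way a reference monitor would. Subjects, objects, rights and labels are constructed sample data.

```python
# Added example, not from the study notes. All names and labels are constructed.
from dataclasses import dataclass

# Access control matrix stored sparsely: (subject, object) -> set of rights.
MATRIX = {
    ("joe", "payroll.xlsx"): {"read", "write"},
    ("joe", "backup.sh"): {"read", "execute"},
    ("jill", "payroll.xlsx"): {"read"},
    ("jill", "memo.txt"): {"read", "write"},
}


def acl(obj):
    """One column of the matrix: the permission list bound to an object."""
    return {s: sorted(r) for (s, o), r in MATRIX.items() if o == obj}


def capability_table(subj):
    """One row of the matrix: the permission list bound to a subject."""
    return {o: sorted(r) for (s, o), r in MATRIX.items() if s == subj}


def dac_permits(subj, obj, right):
    """DAC decision: the data owner's ACL alone decides."""
    return right in MATRIX.get((subj, obj), set())


LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class SecurityLabel:
    level: str              # classification of an object, or clearance of a subject
    categories: frozenset   # need-to-know categories


def mac_permits(clearance, label):
    """MAC decision as the notes state it: clearance >= classification AND a
    need-to-know for at least one of the label's categories. (Formal lattice
    models are stricter and require the subject to hold every object category.)"""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and bool(clearance.categories & label.categories))


def reference_monitor(subj, obj, right, clearance, label):
    """Both checks must pass: a generous ACL never overrides the label."""
    return dac_permits(subj, obj, right) and mac_permits(clearance, label)
```

The same matrix answers "who can touch payroll.xlsx?" via `acl()` and "what can Joe touch?" via `capability_table()`, which is the rows-versus-columns distinction the notes describe.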

I plan on going back through this content during this week and writing at least a paragraph on each concept I missed in order to drive the points home.

As some may have noticed I have begun to post longer, more informative posts. This is the trend I want to continue and build on. I believe writing longer posts not only provides practice at communication through the written word, but is also more informative and less likely to be a quick emotional reaction to other blog posts or news stories. As always, I implore anyone reading this to leave comments. I may have been in the field for 5 years now, but seeing as how I'm at least 35 years away from retirement I have, at a minimum, 35 years more worth of learning to do!

As Joseph Addison said, "The utmost extent of man's knowledge, is to know that he knows nothing."