CISSP Notes: Access Control.doc (page 1)

Access Controls Overview

Access controls are security features that control how users and systems communicate and interact with other systems and resources. Access control is a broad term that covers several different types of mechanisms that enforce access control features on computer systems, networks, and information.

Security Principles

AIC. Identification, authentication, authorization, and accountability.

Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. Logical access controls are technical tools used for identification, authentication, authorization, and accountability.

Identification and Authentication

Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. Strong authentication contains two out of these three methods: something a person knows, has, or is. This is also referred to as two-factor authentication. Creating or issuing secure identities should include three key aspects: uniqueness, nondescriptive, and issuance.

Identity Management

Identity management is a broad and loaded term that encompasses the use of different products to identify, authenticate, and authorize users through automated means. The term also includes user account management, access control, password management, single sign-on functionality, managing rights and permissions for user accounts, and auditing and monitoring all of these items.

For the CISSP exam, the following are the types of technologies you should be aware of:
- Directories
- Web access management
- Password management
- Legacy single sign-on
- Account management
- Profile update

Directories

The objects within the directory are managed by a directory service.
The directory service allows an administrator to configure and manage how identification, authentication, authorization, and access control take place within the network and on individual systems. In a Windows environment, when you log in, you are logging in to a domain controller (DC), which has a hierarchical directory in its database. The database is running a directory service (Active Directory), which organizes the network resources and carries out user access control functionality. So once you successfully authenticate to the DC, certain network resources will be available to you (print service, file server, e-mail server, and so on) as dictated by the configuration of AD.

The directory service keeps all of these entities organized by using namespaces. Each directory service has a way of identifying and naming the objects it will manage. In databases based on the X.500 standard that are accessed by LDAP, the directory service assigns distinguished names (DNs) to each object. A DN is made up of a common name (cn) and domain components (dc).

Directories' Role in Identity Management

A directory used for IdM is specialized database software that has been optimized for reading and searching operations. It is the main component of an identity management solution. A meta-directory gathers the necessary information from multiple sources and stores it in one central directory. A virtual directory plays the same role and can be used instead of a meta-directory. The difference between the two is that the meta-directory physically has the identity data in its directory, whereas a virtual directory does not and points to where the actual data reside.

Web Access Management

Web access management (WAM) software controls what users can access when using a web browser to interact with web-based enterprise assets. The WAM software is the main gateway between users and the corporate web-based resources.
It is commonly a plug-in for a web server, so it works as a front-end process. WAM tools usually also provide a single sign-on capability so that once a user is authenticated at a web site, she can access different web-based applications and resources without having to log in multiple times. Cookies are used to keep the state of a web access session.

Password Management

Password Synchronization: Password synchronization technologies can allow a user to maintain just one password across multiple systems.

Self-Service Password Reset: Some products are implemented to allow users to reset their own passwords.

Assisted Password Reset: Some products are created for help-desk employees who need to work with individuals when they forget their password.

Legacy Single Sign-On

An SSO technology allows a user to authenticate one time and then access resources in the environment without needing to re-authenticate. With password synchronization, a product takes the user's password and updates each user account on each different system and application with that one password. So in SSO environments, the SSO software intercepts the login prompts from network systems and applications and fills in the necessary identification and authentication information for the user.

An SSO solution may also provide a bottleneck or single point of failure. If the SSO server goes down, users are unable to access network resources. This is why it's a good idea to have some type of redundancy or fail-over technology in place. It can be expensive to implement, especially in larger environments.
Many times companies evaluate purchasing this type of solution and find out it is too cost-prohibitive. The other issue is that it would mean all of the users' credentials for the company's resources are stored in one location.

Account Management

Account management deals with creating user accounts on all systems, modifying the account privileges when necessary, and decommissioning the accounts when they are no longer needed. The automated workflow component is common in account management products that provide IdM solutions. Not only does this reduce the potential errors that can take place in account management, each step (including account approval) is logged and tracked. This allows for accountability and provides documentation for use in backtracking if something goes wrong.

Provisioning

An account management process, from the creation of an account to its decommissioning. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control.

Summary

Directories are built to contain user and resource information. A metadata directory pulls identity information that resides in different places within the network to allow IdM processes to only have to get the needed data for their tasks from this one location. User management tools allow for automated control of user identities through their lifetimes and can provide provisioning. A password management tool is in place so that productivity is not slowed down by a forgotten password. A single sign-on technology requires internal users to only authenticate once for enterprise access.
Web access management tools provide a single sign-on service to external users and control access to web-based resources.

Profile Update

There can be a plethora of information on a user that is captured (e-mail address, home address, phone number, panty size, and so on). When this collection of data is associated with the identity of a user, we call it a profile. The profile should be centrally located for easier management. IdM enterprise solutions have profile update technology that allows an administrator to create, make changes, or delete these profiles in an automated fashion when necessary.

Federation

Identity federation is based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Web portal functions are parts of a website that act as a point of access to information. A portal presents information from diverse sources in a unified manner. Portals are used and integrated in many web-based federated identity management processes and products today.

Access Control and Markup Languages

XML is a universal and foundational standard that provides a structure for other independent markup languages to be built from and still allow for interoperability. The Service Provisioning Markup Language (SPML) allows for the exchange of provisioning data between applications. This markup language allows for the integration and interoperation of service provisioning requests across various platforms. SPML is made up of three main entities: the Requesting Authority (RA), which is the entity that is making the request to set up a new account or make changes to an existing account; the Provisioning Service Provider (PSP), which is the software that responds to the account requests; and the Provisioning Service Target (PST), which is the entity that carries out the provisioning activities on the requested system.

Security Assertion Markup Language (SAML)

It is an XML standard that allows the exchange of authentication and authorization data to
be shared between security domains. SAML provides the authentication pieces to federated identity management systems to allow business-to-business (B2B) and business-to-consumer (B2C) transactions. Transmission of SAML data can take place over different protocol types, but a common one is Simple Object Access Protocol (SOAP). SOAP is a specification that outlines how information pertaining to web services is exchanged in a structured manner. An SOA is a way to provide independent services residing on different systems in different business domains in one consistent manner.

Extensible Access Control Markup Language (XACML)

XACML is used to express security policies and access rights to assets provided through web services and other enterprise applications. XACML is both an access control policy language and a processing model that allows for policies to be interpreted and enforced in a standard manner. XACML uses a Subject element (requesting entity), a Resource element (requested entity), and an Action element (types of access).

Biometrics

Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification. Biometrics is typically broken up into two different categories.
The first is physiological. The second category of biometrics is known as behavioral. When a biometric system rejects an authorized individual, it is called a Type I error (false rejection rate). When the system accepts impostors who should be rejected, it is called a Type II error (false acceptance rate). Using the CER as an impartial judgment of a biometric system helps create standards by which products from different vendors can be fairly judged and evaluated.

Types of biometrics:
- Fingerprint
- Palm scan
- Hand geometry
- Retina scan
- Iris scan
- Signature dynamics
- Keystroke dynamics
- Voice print
- Facial scan
- Hand topography (used in conjunction with hand geometry)

Passwords

Password Management: If passwords are properly generated, updated, and kept secret, they can provide effective security. If an attacker is after a password, she can try a few different techniques:
- Electronic monitoring
- Access the password file
- Brute force attacks
- Dictionary attacks
- Social engineering
- Rainbow table

Password Checkers: A tool used to find out the weaknesses of a password is called a password checker.

Password Hashing and Encryption: Salts are random values added to the encryption process to add more complexity and randomness.

Password Aging

Limit Logon Attempts

Cognitive Password: Cognitive passwords are fact- or opinion-based information used to verify an individual's identity.

One-Time Password

One-time password generating tokens come in two general types: synchronous and asynchronous. The token device is the most common implementation mechanism for OTP and generates the one-time password for the user to submit to an authentication server.

The Token Device: The token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad. The token device presents the user with a list of characters to be entered as a password when logging on to a computer. Only the token device and authentication service know the meaning of these characters.
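Returning to the Password Hashing and Encryption note above: the following is an added example, not code from these notes, showing why a per-user random salt defeats a precomputed (rainbow-table style) lookup. It assumes PBKDF2-HMAC-SHA256 with a 16-byte salt and 100,000 iterations as the salted scheme, a bare SHA-256 as the weak unsalted scheme, and a "$"-separated storage record; the candidate list and user passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Parameters assumed for this example (not from the notes).
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak scheme: one bare SHA-256 per password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh random salt is drawn per password unless one
    is supplied (tests pass a fixed salt for reproducibility)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """A precomputed hash -> password table (the idea behind a rainbow table),
    built once over a candidate list. It can only ever match unsalted hashes."""
    return {unsalted_hash(c): c for c in candidates}


def crack_with_table(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Users whose stored hash appears in the precomputed table, with the matched password."""
    return {user: table[h] for user, h in stored.items() if h in table}


# Constructed sample data: three users, two of whom chose the same weak password.
CANDIDATES = ["password", "letmein", "Winter2024", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def demo() -> Dict[str, object]:
    table = build_lookup_table(CANDIDATES)
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    # Unsalted store: alice and bob share one hash, and one table lookup breaks both.
    unsalted_hits = crack_with_table(unsalted, table)
    # Salted store: identical passwords hash differently, and the table matches nothing;
    # an attacker would have to rebuild the table once per salt, per user.
    salted_hits = crack_with_table({u: r.split("$")[3] for u, r in salted.items()}, table)
    return {
        "unsalted_cracked": len(unsalted_hits),                        # 2
        "unsalted_duplicates": unsalted["alice"] == unsalted["bob"],   # True
        "salted_cracked": len(salted_hits),                            # 0
        "salted_duplicates": salted["alice"] == salted["bob"],         # False
        "alice_verifies": verify_password("letmein", salted["alice"]),   # True
        "alice_wrong_pw": verify_password("letmein!", salted["alice"]),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The record stores the algorithm, iteration count and salt alongside the digest so that the verifier can recompute exactly what was stored, and the iteration count can be raised later without invalidating old records.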
Synchronous: A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process. If the synchronization is time-based, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create the one-time password. If the token device and authentication service use counter-synchronization, the user will need to initiate the creation of the one-time password by pushing a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. In either time- or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.

Asynchronous: A token device using an asynchronous token-generating method employs a challenge/response scheme to authenticate the user.

Cryptographic Keys

Another way to prove one's identity is to use a private key by generating a digital signature. A digital signature is a technology that uses a private key to encrypt a hash value (message digest). The act of encrypting this hash value with a private key is called digitally signing a message.

Passphrase

Memory Cards

The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.

Smart Card

A smart card has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself. Two general categories of smart cards are the contact and the contactless types. The contact smart card has a gold seal on the face of the card.
When this card is fully inserted into a card reader, electrical fingers wipe against the card in the exact position that the chip contacts are located. This will supply power and data I/O to the chip for authentication purposes. The contactless smart card has an antenna wire that surrounds the perimeter of the card. When this card comes within an electromagnetic field of the reader, the antenna within the card generates enough energy to power the internal chip. This fact and the complexity of the smart token make these cards resistant to reverse-engineering and tampering methods. The drawbacks to using a smart card are the extra cost of the readers and the overhead of card generation.

Smart Card Attacks

The attacker reviews the result of an encryption function after introducing an error to the card, and also reviews the correct result, which the card performs when no errors are introduced. Analysis of these different results may allow an attacker to reverse-engineer the encryption process, with the hope of uncovering the encryption key.
This type of attack is referred to as fault generation. Side-channel attacks are nonintrusive and are used to uncover sensitive information about how a component works, without trying to compromise any type of flaw or weakness. Some examples of side-channel attacks that have been carried out on smart cards are differential power analysis (examining the power emissions released during processing), electromagnetic analysis (examining the frequencies emitted), and timing (how long a specific process takes to complete). So a noninvasive attack is one in which the attacker watches how something works and how it reacts in different situations instead of trying to "invade" it with more intrusive measures. Software attacks are also considered noninvasive attacks. If you would like to be more intrusive in your smart card attack, give microprobing a try.

Authorization

Although authentication and authorization are quite different, together they comprise a two-step process that determines whether an individual is allowed to access a particular resource.

Access Criteria

Granting access rights to subjects should be based on the level of trust a company has in a subject and the subject's need-to-know. Using roles is an efficient way to assign rights to a type of user who performs a certain task. Using groups is another effective way of assigning access control rights. Physical or logical location can also be used to restrict access to resources. Time of day, or temporal isolation, is another access control mechanism that can be used. Transaction-type restrictions can be used to control what data is accessed during certain types of functions and what commands can be carried out on the data (e.g., bank account operations).

Default to No Access

Need to Know

The need-to-know principle is similar to the least-privilege principle. It is based on the concept that individuals should be given access only to the info
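The One-Time Password, Synchronous and Asynchronous sections above describe three ways a token device and an authentication service can agree on a one-time value from a shared secret. The following added example (not code from these notes) works through all three: a counter-synchronised token (HOTP, RFC 4226), a time-synchronised token (TOTP, RFC 6238) and a challenge/response exchange. The shared secret is the RFC 4226 test-vector key, assumed here to have been loaded into both sides at enrollment; the HMAC-based challenge/response construction, the look-ahead window of five counters and the one-step clock-drift allowance are this example's choices, not something the notes specify.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret (the RFC 4226 test-vector key), known to token and server only.
SHARED_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-synchronised OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = DIGITS) -> str:
    """Time-synchronised OTP (RFC 6238): the counter is the number of `step`-second
    intervals since the epoch, so the two sides only need agreeing clocks."""
    return hotp(secret, now // step, digits)


class CounterToken:
    """The handheld device: each button press emits the code for the current counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class CounterServer:
    """Server side of a counter-synchronised token. It accepts a code only if it matches
    one of the next `window` counter values (tolerating a few unused presses) and then
    moves past that counter, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


class TimeServer:
    """Server side of a time-synchronised token, allowing one step of clock drift."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret, self.step, self.drift = secret, step, drift_steps

    def verify(self, code: str, now: int) -> bool:
        for d in range(-self.drift, self.drift + 1):
            if hmac.compare_digest(totp(self.secret, now + d * self.step, self.step), code):
                return True
        return False


def new_challenge() -> bytes:
    """Server-generated random challenge for the asynchronous scheme."""
    return secrets.token_bytes(16)


def challenge_response(secret: bytes, challenge: bytes) -> str:
    """Asynchronous token: the response is an HMAC over the challenge under the shared
    secret (one possible construction; the notes do not name a specific one)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:16]


def demo() -> dict:
    """Exercise all three schemes and return the outcomes."""
    token, server = CounterToken(SHARED_SECRET), CounterServer(SHARED_SECRET)
    first = token.press()
    token.press(); token.press()          # two presses never submitted, inside the window
    fourth = token.press()
    counter_ok = server.verify(first) and server.verify(fourth)
    replay_rejected = not server.verify(first)

    t = 1_700_000_000                     # constructed "current" Unix time
    tserver = TimeServer(SHARED_SECRET)
    time_ok = tserver.verify(totp(SHARED_SECRET, t), t + 20)          # 20 s of drift
    stale_rejected = not tserver.verify(totp(SHARED_SECRET, t - 120), t)

    ch = new_challenge()
    cr_ok = hmac.compare_digest(challenge_response(SHARED_SECRET, ch),
                                challenge_response(SHARED_SECRET, ch))
    cr_wrong_secret = challenge_response(b"wrong secret", ch) == challenge_response(SHARED_SECRET, ch)
    return {"counter_ok": counter_ok, "replay_rejected": replay_rejected,
            "time_ok": time_ok, "stale_rejected": stale_rejected,
            "cr_ok": cr_ok, "cr_wrong_secret": cr_wrong_secret}


if __name__ == "__main__":
    print(demo())
```

The two synchronous servers differ only in where the counter comes from (a stored value versus the clock), which is why the notes can say both need the same shared base key; the asynchronous variant needs no stored counter at all, because the server's random challenge supplies the freshness.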
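The Access Criteria, Default to No Access and Need to Know sections above list the inputs an authorization decision can draw on. The following added example (not code from these notes) turns them into a small policy evaluator: a request carries the Subject, Resource and Action elements the XACML note names plus time of day and location; rules are conjunctions of criteria (role, group, location, time window, transaction type); need-to-know is checked before any rule; and the evaluator returns deny unless a rule explicitly permits. The bank-account domain, rule set, user names and tags are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass(frozen=True)
class Subject:
    name: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    location: str = "internal"                         # physical or logical location
    need_to_know: Set[str] = field(default_factory=set)  # data tags the subject may see


@dataclass(frozen=True)
class Resource:
    name: str
    project: str                                       # need-to-know tag on the data


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str                                        # e.g. "read", "transfer"
    hour: int                                          # 0-23, local time of the request


Condition = Callable[[Request], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: List[Condition]                        # all must hold for the rule to permit


def evaluate(rules: List[Rule], req: Request) -> str:
    """Default to no access: "permit" only if some rule's conditions all hold.
    Need-to-know is enforced first, so no rule can grant data the subject may not see."""
    if req.resource.project not in req.subject.need_to_know:
        return "deny"
    for rule in rules:
        if all(cond(req) for cond in rule.conditions):
            return "permit"
    return "deny"


# The criteria from the notes, each as a reusable condition.
def has_role(role: str) -> Condition:
    return lambda r: role in r.subject.roles


def in_group(group: str) -> Condition:
    return lambda r: group in r.subject.groups


def from_location(loc: str) -> Condition:
    return lambda r: r.subject.location == loc


def during_hours(start: int, end: int) -> Condition:   # temporal isolation
    return lambda r: start <= r.hour < end


def action_is(*actions: str) -> Condition:             # transaction-type restriction
    return lambda r: r.action in actions


# Constructed policy for a bank-account system.
POLICY = [
    Rule("tellers read accounts on site during business hours",
         [has_role("teller"), action_is("read"), from_location("branch"), during_hours(8, 18)]),
    Rule("transfers require the payments group, on site, business hours",
         [in_group("payments"), action_is("transfer"), from_location("branch"), during_hours(8, 18)]),
    Rule("auditors may read at any time from anywhere",
         [has_role("auditor"), action_is("read")]),
]


def decide(subject: Subject, data_tag: str, action: str, hour: int) -> str:
    return evaluate(POLICY, Request(subject, Resource("account-ledger", data_tag), action, hour))


# Constructed subjects.
TELLER = Subject("dana", roles={"teller"}, groups={"payments"}, location="branch", need_to_know={"retail"})
REMOTE_TELLER = Subject("finn", roles={"teller"}, groups={"payments"}, location="remote", need_to_know={"retail"})
AUDITOR = Subject("eli", roles={"auditor"}, location="remote", need_to_know={"retail", "wealth"})


if __name__ == "__main__":
    print(decide(TELLER, "retail", "read", 10))       # permit (role, location, time)
    print(decide(TELLER, "retail", "read", 22))       # deny: outside business hours
    print(decide(TELLER, "retail", "delete", 10))     # deny: no rule, default to no access
    print(decide(TELLER, "wealth", "read", 10))       # deny: need-to-know
```

Ordering the need-to-know check before the rule loop is the point of the example: a later rule such as the auditor rule can widen who may read, but never what data a subject without the matching tag can reach.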
