cisspills #1.01

Post on 13-Apr-2017

CISSPills

Domain 1: Access Control

# 1.01

Table of Contents

- Overview
- Access Control Flow
- Access Control Elements
- Authentication Factors

Overview

Access controls are the mechanisms used to regulate how resources can be accessed by entities. They protect systems from unauthorised access. Access is the flow of information between a subject and an object.

Subject: an active entity that requests access to an object, or to data held within an object. Subjects can be users, programs, processes, computers, etc.

Object: a passive entity that contains information or provides needed functionality. Objects can be databases, files, printers, storage media, etc.

Sometimes the same entity can behave as a subject (requesting information) and also as an object (being accessed by a subject): a web server is the object when a browser connects to it and the subject when it queries its database. The rule of thumb for deciding which role an entity is playing in a given access is: the subject is always the active entity that receives the information or data, whilst the object is always the passive entity that provides or hosts the information or data.

Access Control Flow

Access Control Elements

The security elements that work together to support access control are grouped into four types: identification, authentication, authorisation and accountability.

Identification: the mechanism by which a subject claims an identity, for instance by supplying a username or an account number. The claim on its own proves nothing.

Authentication: the mechanism by which a subject proves the claimed identity, for example by providing a password.

Authorisation: the mechanism by which subjects are granted only the privileges they are entitled to. Access Control Lists (ACLs) are a typical mechanism for enforcing authorisation: if the ACL determines that the subject may perform the requested action on the resource, the subject is authorised; otherwise access is denied. It is worth noting that being authenticated does not by itself give a subject access to anything and everything: a successfully authenticated subject can still be denied by the ACL.

Accountability: accomplished by implementing auditing, which keeps track of the subject's activities (e.g. when a subject accesses, modifies or deletes an object). Audit trails support accountability by logging the activities performed by a subject over an object, including failed attempts. An audit record is only as trustworthy as the identification and authentication that preceded it, since otherwise the logged identity cannot be tied to a real subject.

All four elements must be present for an access control system to be effective.
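The four elements as running code, added here as an illustration and not taken from the slides. The accounts, the ACL and the in-memory audit trail are all constructed for the example; a real system would keep them in a directory, a policy store and a tamper-evident log. Note that every stage, including the failures, produces an audit record, and that authentication alone never grants access: the ACL check is a separate step with a default of deny.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# --- Identification / authentication store ----------------------------------
# Constructed sample accounts (not real users). Each entry holds a random
# per-user salt and a PBKDF2-SHA256 hash of the password; the cleartext
# password is never stored.
def enrol(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "alice": enrol("correct horse battery"),
    "bob": enrol("hunter2"),
}

# --- Authorisation store: one ACL per object --------------------------------
# object -> {subject: set of permitted actions}; anything not listed is denied.
ACL = {
    "payroll.db": {"alice": {"read", "write"}},
    "printer-1": {"alice": {"print"}, "bob": {"print"}},
}

# --- Accountability: an in-memory audit trail -------------------------------
AUDIT_LOG: list[dict] = []


def identify(username: str) -> bool:
    """Identification: the subject claims an identity; we only check it is known."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: the subject proves the claimed identity with a Type 1 factor."""
    salt, stored = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def authorise(subject: str, obj: str, action: str) -> bool:
    """Authorisation: consult the object's ACL; unknown object or subject means deny."""
    return action in ACL.get(obj, {}).get(subject, set())


def audit(subject: str, obj: str, action: str, outcome: str) -> None:
    """Accountability: record every decision, successful or not."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "object": obj, "action": action, "outcome": outcome,
    })


def access(username: str, password: str, obj: str, action: str) -> bool:
    """Run the four elements in order. A failure at any stage stops the flow
    but is still logged, so the audit trail also shows failed attempts."""
    if not identify(username):
        audit(username, obj, action, "unknown identity")
        return False
    if not authenticate(username, password):
        audit(username, obj, action, "authentication failed")
        return False
    if not authorise(username, obj, action):
        audit(username, obj, action, "denied")  # authenticated, but not entitled
        return False
    audit(username, obj, action, "granted")
    return True


if __name__ == "__main__":
    access("alice", "correct horse battery", "payroll.db", "read")  # granted
    access("bob", "hunter2", "payroll.db", "read")                  # denied: bob is not in the ACL
    access("bob", "wrong", "printer-1", "print")                    # authentication failed
    access("mallory", "x", "printer-1", "print")                    # unknown identity
    for entry in AUDIT_LOG:
        print(entry)
```

The second call is the case the slide warns about: bob authenticates successfully but has no entry in the payroll ACL, so the outcome is "denied" rather than "granted", and the audit log shows exactly which stage rejected him.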

Access Control Elements (cont'd)

[Slide diagram: Subject -> Identification (e.g. username) -> Authentication (e.g. password) -> Authorisation (e.g. ACLs) -> Access -> Object, with Accountability (e.g. audit logs) recording the activity.]

Authentication Factors

Type 1: something you know. Any string of characters that can be memorised and typed on a keyboard (e.g. passwords, PINs, etc.);

Type 2: something you have. A physical device the user must have in their possession during authentication (e.g. tokens, smart cards, etc.);

Type 3: something you are. A trait, either physical or behavioural, that uniquely identifies a person (e.g. fingerprints, retina patterns, keystroke dynamics, etc.).

Strong authentication (also known as multifactor authentication) is when at least two of the three factor types are used during authentication. The factors must be of different types: a password combined with a PIN is still single-factor authentication, because both are something you know.

That's all Folks!

We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them. For comments, typos, complaints or whatever you want, drop me an e-mail at: cisspills <at> outlook <dot> com

More resources: Stay tuned on for the next issues; join "CISSP Study Group Italia" if you are preparing for your exam.

Brought to you by Pierluigi Falcone. More info about me on

Contact Details