Know the difference between subject and objects and know common subject labels.
Subjects are active entities, like users.
Objects are passive, like files.
Labels:
- A user is a subject who accesses objects in the course of performing some action or accomplishing a work task.
- An owner is the subject responsible for classifying and labeling objects and for protecting and storing data on any system.
- A custodian has day to day responsibilities for protecting and storing objects.
Know types of access control.
Preventative: to stop unwanted or unauthorized activity from occurring.
Detective: to discover unwanted or unauthorized activity.
Corrective: to restore systems to normal after an unwanted or unauthorized activity occurred.
Deterrent: to discourage violation of security policy.
Recovery: to repair or restore resources, functions and capabilities after a violation of security policy has occurred.
Directive: to direct, confine, or control the action of subjects to force or encourage compliance with security policy.
Compensation: to provide various options to other existing controls to aid in enforcement and support of security policy.
Controls can be; administrative, policies or procedures to implement and enforce overall access control; logical/technical, hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems; and physical, barriers deployed to prevent direct contact with systems or areas within a facility.
Know the difference between identification, authentication, and authorization.
Subjects claim an identity, subjects prove their identity by providing authentication credentials. Subjects are then granted authorization to objects based on their proven identity.
Understand the details of the three authentication factors.
- Something you know
- Something you have
- Something you are
Biometrics have Type 1 (false rejection rate) and Type 2 (false acceptance rate) errors.
Know the details about each of the access control techniques.
Discretionary: all objects have owners and the owners can modify permissions.
Non-discretionary: centrally managed, like a firewall.
Mandatory: use labels for subjects and objects and match the two.
Role-based: access controls use task based roles and users gain privileges when their accounts are placed within that role.
Identify common mechanisms, like implicit deny, access control matrices, access control lists, constrained interfaces, content/context dependent controls.
Know SSO
a subject can authenticate once and access multiple objects without authenticating again. Kerberos is most common and uses symmetric cryptography and tickets to prove id and auth. SPML is commonly used to share federated id info.
Other SSO methods are scripted access, sesame and kryptoknight.
Understand the purpose of AAA (authentication, authorization, accounting) protocols.
Radius uses udp and encrypts the password only.
Tacacs+ uses tcp and encrypts the entire session.
Diameter is based on radius.
Understand ID and access provisioning lifecycle.
