2. Exam Essentials for Access Control Attacks and Monitoring

Understand basic risk elements

Risk is the likelihood that a threat can exploit a vulnerability and cause damage to assets.

Asset valuation identifies the value of assets.

Threat modeling identifies threats against these assets.

Vulnerability analysis identifies weaknesses in an organization’s valuable assets.

Access aggregation is a type of attack that combines, or aggregates, individually nonsensitive pieces of information to learn something sensitive. Reconnaissance attacks are a form of access aggregation: public details about an organization are assembled into a picture an attacker can act on.

Brute-force vs. dictionary attacks

A brute-force attack tries every possible character combination until one matches; a dictionary attack tries the entries of a word list. Brute force always succeeds given enough time, a dictionary attack is much faster but only finds passwords that appear in the list.

Strong Passwords

Password policies require users to choose long, complex passwords. This enlarges the space a password cracker has to search and keeps passwords out of the word lists that dictionary attacks rely on.
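To make the brute-force vs. dictionary distinction and the effect of password policy concrete, the following added example (written for these notes, not code from any source the notes summarise) cracks one salted SHA-256 hash both ways and counts the attempts each method needs. The salt, the target password "pass", and the six-entry word list are all constructed for the example; a real attack would use a stolen hash and a list such as rockyou.txt.

```python
import hashlib
import itertools
import string

# Constructed salt; a real credential store would hold one random salt per user.
SALT = b"example-salt"


def hash_password(password: str, salt: bytes = SALT) -> str:
    """Salted SHA-256, standing in for whatever hash the stolen store used."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed word list standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "pass", "admin"]

# The hash the attacker has obtained; the password behind it is the weak word "pass".
TARGET = hash_password("pass")


def dictionary_attack(target: str, wordlist=WORDLIST):
    """Try each word in the list in order. Returns (password, attempts) or (None, attempts)."""
    for attempts, word in enumerate(wordlist, start=1):
        if hash_password(word) == target:
            return word, attempts
    return None, len(wordlist)


def brute_force_attack(target: str, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Exhaustively try every string over `alphabet` up to `max_len` characters."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            if hash_password("".join(combo)) == target:
                return "".join(combo), attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for one fixed length."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(TARGET))     # found on the 5th guess
    print("brute force:", brute_force_attack(TARGET))   # found after several hundred thousand guesses
    print("8 lowercase chars:", keyspace(26, 8))
    print("8 printable ASCII chars:", keyspace(95, 8))
    print("12 lowercase chars:", keyspace(26, 12))
```

The dictionary finds "pass" on its fifth guess; the brute-force search needs 282,405 hashes for the same four-letter word, and the cost grows exponentially with length. The keyspace figures also show why policies should favour length over mandatory symbols: twelve lowercase letters (26^12) give a larger search space than eight characters drawn from all 95 printable ASCII characters (95^8).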

Increase strength beyond the password itself by adding a second authentication factor (see the authentication factors section below); a cracked password is then not sufficient on its own.


Spoofing is pretending to be someone or something else. Spoofing attacks can include email (forged sender addresses), phone (forged caller ID) and IP address spoofing.


A packet-capturing program (sniffer) reads and stores data sent over a network medium. Anything transmitted in cleartext, such as credentials in an unencrypted protocol, can be read straight out of the capture; encrypting data in transit is the countermeasure.
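The following added example (not from the notes' source) shows what "cleartext on the wire" means in practice: a small extractor run over captured application-layer data pulls out an HTTP Basic credential and an FTP login, while a TLS record yields nothing. The three captured streams are constructed inline for the example; none came from a real network.

```python
import base64
import re

# Constructed application-layer payloads standing in for the reassembled TCP
# streams a sniffer would capture; nothing here came from a real network.
CAPTURED_STREAMS = [
    # HTTP request carrying Basic auth: base64 is encoding, not encryption.
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:S3cr3tPass") + b"\r\n\r\n",
    # FTP control channel: username and password are sent as plain commands.
    b"220 ftp ready\r\nUSER bob\r\n331 Password required\r\nPASS hunter2\r\n230 Logged in\r\n",
    # TLS ClientHello record header followed by opaque bytes: nothing readable.
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
]

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FTP_USER_RE = re.compile(rb"^USER\s+(\S+)", re.M)
FTP_PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.M)


def extract_credentials(stream: bytes):
    """Return (protocol, user, password) tuples found in one captured stream."""
    found = []
    m = BASIC_RE.search(stream)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode()
            user, _, password = decoded.partition(":")
            found.append(("http-basic", user, password))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header: skip rather than crash the sniffer
    u, p = FTP_USER_RE.search(stream), FTP_PASS_RE.search(stream)
    if u and p:
        found.append(("ftp", u.group(1).decode(), p.group(1).decode()))
    return found


def sniff(streams=CAPTURED_STREAMS):
    """Run the extractor over every captured stream."""
    results = []
    for s in streams:
        results.extend(extract_credentials(s))
    return results


if __name__ == "__main__":
    for proto, user, password in sniff():
        print(f"{proto}: {user} / {password}")
```

Only the two cleartext protocols leak anything; the TLS stream carries the same kind of login but the sniffer cannot see it, which is the whole point of the countermeasure.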

Social Engineering

Convince someone to do something they wouldn’t normally do, usually by pretending to be someone else and asking for help.


Phishing is trying to get a user to give up personal information, usually through a message that appears to come from a trusted source. Spear phishing targets specific groups of users, whaling targets high-level executives, and vishing uses VoIP or other phone calls.

Log Types

Security logs, system logs, application logs, firewall logs, proxy logs and change management logs. Logs should be protected against unauthorized access and modification: keep them read-only (or append-only) for everything but the logging process, and restrict who can read them, since they hold evidence and sensitive detail.


Monitoring is a form of auditing that focuses on active review of log file data. It holds subjects accountable for their actions and detects abnormal or malicious activities. IDSs and SIEMs automate monitoring and provide real-time analysis of events.


Accountability is maintained by auditing subjects. This promotes good user behavior and compliance.

Audit trails

Audit trails are the records created by writing information about events and occurrences into logs. They are used to reconstruct an event, prove a violation, and hold a subject accountable.


Sampling, or data extraction, is extracting elements from a large body of data to construct a meaningful representation or summary of the whole. Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data.

Clipping is a form of nonstatistical sampling that records or reports only events that exceed a threshold (the clipping level), e.g. an account with more than 10 failed login attempts in a short period, rather than every individual failed attempt.
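As an added example of monitoring with a clipping level (written for these notes, not from the notes' source), the following detector parses constructed syslog-style login records, keeps a sliding count of failures per user, and emits a single alert only when a user crosses the threshold. The log lines, the 10-minute window and the clipping level of 5 are all assumed values for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5            # assumed: failures per user before anything is reported
WINDOW = timedelta(minutes=10)  # assumed: failures older than this no longer count

# Constructed log lines in a syslog-like format; not taken from a real system.
LOG_LINES = """\
2024-03-01 09:00:01 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01 09:00:04 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01 09:00:07 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01 09:00:10 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01 09:00:13 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01 09:00:16 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01 09:01:00 sshd[102]: Accepted password for bob from 10.0.0.7
2024-03-01 09:02:00 sshd[103]: Failed password for bob from 10.0.0.7
2024-03-01 09:30:00 sshd[104]: Failed password for carol from 10.0.0.9
2024-03-01 09:45:00 sshd[105]: Failed password for carol from 10.0.0.9
""".splitlines()

LINE_RE = re.compile(
    r"^(\S+ \S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$"
)


def parse(line: str):
    """Return (timestamp, failed?, user, source) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2) == "Failed", m.group(3), m.group(4)


def clipped_alerts(lines=LOG_LINES, level: int = CLIPPING_LEVEL, window: timedelta = WINDOW):
    """Sliding-window failure count per user; one alert when a user exceeds `level`."""
    recent = defaultdict(list)   # user -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, failed, user, src = rec
        if not failed:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.pop(0)
        if len(q) > level and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "source": src, "failures": len(q), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in clipped_alerts():
        print(a)
```

Ten log lines go in and one record comes out: alice's burst of six failures exceeds the level, bob's single failure and carol's two failures fifteen minutes apart do not. Lowering the level to zero would report every failure, which is the unsampled audit trail the clipping level exists to condense.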



1. Exam Essentials for Access Control

Know the difference between subjects and objects and know common subject labels.

Subjects are active entities, like users.
Objects are passive, like files.


  • A user is a subject who accesses objects in the course of performing some action or accomplishing a work task.
  • An owner is the subject responsible for classifying and labeling objects and for protecting and storing data on any system.
  • A custodian has day-to-day responsibilities for protecting and storing objects, as directed by the owner.

Know types of access control.

Preventative: to stop unwanted or unauthorized activity from occurring.

Detective: to discover unwanted or unauthorized activity.

Corrective: to restore systems to normal after an unwanted or unauthorized activity occurred.

Deterrent: to discourage violation of security policy.

Recovery: to repair or restore resources, functions and capabilities after a violation of security policy has occurred.

Directive: to direct, confine, or control the action of subjects to force or encourage compliance with security policy.

Compensating: to provide alternatives to other existing controls, aiding in enforcement and support of security policy.

Controls can be implemented in three ways:

Administrative: policies and procedures that implement and enforce overall access control.

Logical/technical: hardware or software mechanisms that manage access to resources and systems and protect them.

Physical: barriers deployed to prevent direct contact with systems or areas within a facility.

Know the difference between identification, authentication, and authorization.

Subjects claim an identity (identification), prove it by providing authentication credentials (authentication), and are then granted access to objects based on the proven identity (authorization).

Understand the details of the three authentication factors.

  1. Something you know
  2. Something you have
  3. Something you are

Biometrics have Type 1 (false rejection rate) and Type 2 (false acceptance rate) errors.

Know the details about each of the access control techniques.

Discretionary: all objects have owners and the owners can modify permissions.

Non-discretionary: centrally managed by administrators rather than by object owners; rule-based access control, such as a firewall applying one rule set to all traffic, is an example.

Mandatory: use labels for subjects and objects and match the two.

Role-based: access controls use task based roles and users gain privileges when their accounts are placed within that role.

Identify common mechanisms, like implicit deny, access control matrices, access control lists, constrained interfaces, content/context dependent controls.
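The following added example (written for these notes, not from their source) puts the access control techniques and mechanisms above side by side in code: a DAC check against an object's ACL with implicit deny, an owner-only grant, a MAC check on labels, an RBAC check through role membership, and an access control matrix derived from any of them. The subjects, objects, labels and roles are constructed for the example; the MAC write rule goes beyond the notes by following Bell-LaPadula (no read up, no write down).

```python
# Security labels for MAC, ordered lowest to highest.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed subjects and objects; names, clearances and ACLs are illustrative.
SUBJECTS = {
    "alice": {"clearance": "secret", "roles": {"analyst"}},
    "bob": {"clearance": "confidential", "roles": {"auditor"}},
}
OBJECTS = {
    "report.txt": {"owner": "alice", "label": "secret",
                   "acl": {"alice": {"read", "write"}, "bob": {"read"}}},
    "payroll.db": {"owner": "hr", "label": "confidential",
                   "acl": {"hr": {"read", "write"}}},
}
ROLE_PERMISSIONS = {
    "analyst": {("report.txt", "read"), ("report.txt", "write")},
    "auditor": {("payroll.db", "read"), ("report.txt", "read")},
}
ACTIONS = ("read", "write")


def dac_allows(subject: str, obj: str, action: str) -> bool:
    """Discretionary: the object's ACL decides. Implicit deny: an unlisted subject gets nothing."""
    return action in OBJECTS[obj]["acl"].get(subject, set())


def dac_grant(granter: str, obj: str, grantee: str, action: str) -> bool:
    """The discretionary part: only the owner may change the ACL."""
    if OBJECTS[obj]["owner"] != granter:
        return False
    OBJECTS[obj]["acl"].setdefault(grantee, set()).add(action)
    return True


def mac_allows(subject: str, obj: str, action: str) -> bool:
    """Mandatory: labels decide, and the owner cannot override them.
    Read needs clearance >= label (no read up); write needs clearance <= label (no write down)."""
    clearance = LEVELS[SUBJECTS[subject]["clearance"]]
    label = LEVELS[OBJECTS[obj]["label"]]
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False  # implicit deny for any action the model does not define


def rbac_allows(subject: str, obj: str, action: str) -> bool:
    """Role-based: permissions hang off roles; subjects get them only by holding the role."""
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set())
               for role in SUBJECTS[subject]["roles"])


def access_matrix(policy):
    """Access control matrix: one row per subject, one column per object, the cell is the allowed actions."""
    return {s: {o: {a for a in ACTIONS if policy(s, o, a)} for o in OBJECTS} for s in SUBJECTS}


if __name__ == "__main__":
    for name, policy in (("DAC", dac_allows), ("MAC", mac_allows), ("RBAC", rbac_allows)):
        print(name, access_matrix(policy))
```

The same request can get different answers from each technique: bob is on report.txt's ACL for read (DAC allows), but his confidential clearance is below the secret label, so MAC denies the read while permitting a write up. Under RBAC bob reads payroll.db through the auditor role even though the DAC ACL never lists him. An ACL is one column of the matrix; a capability list would be one row.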

Know SSO

A subject can authenticate once and access multiple objects without authenticating again. Kerberos is the most common SSO mechanism; it uses symmetric cryptography and tickets issued by a key distribution center (KDC) to prove identity and authenticate. SAML is commonly used to share federated identity information (SPML, by contrast, is a provisioning standard).

Other SSO methods are scripted access, SESAME and KryptoKnight.
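To show how symmetric keys and tickets give SSO, the following added example (written for these notes, not Kerberos itself or any library) runs the three Kerberos exchanges in miniature: the client obtains a ticket-granting ticket from the AS using only its password-derived key, trades it at the TGS for a service ticket, and presents that ticket to a service which verifies it without contacting the KDC. The principals, their secrets, the `krbtgt-secret` and the `seal`/`unseal` toy cipher are all assumptions made for the example; real Kerberos uses standardised AES enctypes, ASN.1 messages, and more fields than shown here.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(secret: str) -> bytes:
    """Long-term key derived from a principal's password or service secret."""
    return hashlib.sha256(b"toy-kerberos|" + secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC under a symmetric key. Illustrative only: real Kerberos
    uses standardised enctypes such as AES-CTS with HMAC-SHA1/SHA2."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed principals: the KDC shares one long-term secret with each of them.
PRINCIPALS = {"alice": "alice-password", "fileserver": "fileserver-secret"}


class KDC:
    """Holds every principal's key and runs the AS and TGS exchanges."""

    def __init__(self, principals: dict, lifetime: int = 8 * 3600):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.tgs_key = derive_key("krbtgt-secret")  # assumed secret of the ticket-granting service
        self.lifetime = lifetime

    def as_exchange(self, client: str):
        """AS-REP: a TGT sealed under the TGS key, plus the same session key sealed
        under the client's key. No password crosses the wire; only a holder of the
        right key can open the second part."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "sk": sk, "expires": time.time() + self.lifetime})
        return tgt, seal(self.keys[client], {"sk": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REP: open the TGT, check the authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or abs(time.time() - auth["ts"]) > 300:
            raise ValueError("bad authenticator")  # 5-minute skew window, as in Kerberos
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side: AS exchange, TGS exchange, then the AP-REQ for the service."""
    tgt, enc = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(derive_key(password), enc)["sk"])  # a wrong password fails here
    authenticator = seal(sk, {"client": user, "ts": time.time()})
    ticket, enc2 = kdc.tgs_exchange(tgt, authenticator, service)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    return ticket, seal(ssk, {"client": user, "ts": time.time()})


def service_accept(service_secret: str, ticket: bytes, authenticator: bytes):
    """AP exchange: the service opens the ticket with its own key and checks the
    authenticator with the session key inside it, without contacting the KDC."""
    t = unseal(derive_key(service_secret), ticket)
    auth = unseal(bytes.fromhex(t["sk"]), authenticator)
    return auth["client"] if auth["client"] == t["client"] else None


if __name__ == "__main__":
    kdc = KDC(PRINCIPALS)
    ticket, ap_auth = client_login(kdc, "alice", "alice-password", "fileserver")
    print("service authenticated:", service_accept("fileserver-secret", ticket, ap_auth))
```

The SSO property is visible in `client_login`: the password is used exactly once, to open the AS reply; every later service ticket is obtained with the TGT and the session key. It also shows why the KDC is the crown jewel of the design: whoever holds its key table can mint tickets for any principal.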

Understand the purpose of AAA (authentication, authorization, accounting) protocols.

RADIUS uses UDP and encrypts (obfuscates) only the password attribute; everything else in the packet, including the username, is sent in cleartext.

TACACS+ uses TCP and encrypts the entire body of the session.

Diameter is based on RADIUS and was designed as its successor.
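To make "encrypts the password only" concrete, the following added example (written for these notes, not code from any RADIUS implementation) implements the User-Password hiding scheme of RFC 2865 section 5.2 and assembles the two attributes of a minimal Access-Request. The shared secret, the Request Authenticator and the credentials are constructed for the example.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then
    c1 = p1 xor MD5(S + RA), c2 = p2 xor MD5(S + c1), ... (S = shared secret, RA = authenticator)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        c = _xor(padded[i:i + 16], block)
        out += c
        prev = c
    return out


def radius_reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """What the server (or anyone holding the shared secret) does to recover the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        out += _xor(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, shared_secret: bytes):
    """Minimal attribute list: User-Name (type 1) in the clear, User-Password (type 2) hidden.
    Returns the random Request Authenticator and the TLV-encoded attributes."""
    ra = os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, shared_secret, ra)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return ra, attrs


if __name__ == "__main__":
    ra, attrs = build_access_request(b"bob", b"hunter2", b"testing123")
    print("attributes on the wire:", attrs.hex())   # "bob" is readable as 626f62 near the start
    print("server recovers:", radius_reveal_password(attrs[7:], b"testing123", ra))
```

Two weaknesses stand out. Only the User-Password attribute is hidden, so User-Name and every other attribute can be read from a capture, and the hiding is an MD5-based stream keyed by a static shared secret rather than real encryption, so a captured Access-Request can be attacked offline against guesses for the secret. That is why RADIUS is deployed over IPsec or TLS (RadSec) where the network is untrusted, and why TACACS+, which encrypts the whole packet body, is the usual choice for device administration.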

Understand ID and access provisioning lifecycle.