100% tevredenheidsgarantie Direct beschikbaar na je betaling Lees online óf als PDF Geen vaste maandelijkse kosten
logo-home
Eerder door jou gezocht
Eerder door jou gezocht
logo
Summary (ISC)2 Information Systems Security Architecture Professional (ISSAP) €4,98
In winkelwagen
Snel navigeren naar
Voorbeeld
  2.  
  3. 2 Information Systems Security Architecture Professional
  4.  
  5. 2 Information Systems Security Architecture Professional

Samenvatting

Summary (ISC)2 Information Systems Security Architecture Professional (ISSAP)
 1 keer verkocht

The Information Systems Security Architecture Professional (ISSAP) is a CISSP who specializes in designing security solutions and providing management with risk-based guidance to meet organizational goals. ISSAPs facilitate the alignment of security solutions within the organizational context (e.g....

[Meer zien]

Voorbeeld 4 van de 71  pagina's

Document informatie

  • Ja
  • 13 augustus 2021
  • 71
  • 2020/2021
  • Samenvatting

Onderwerpen

Gekoppeld boek

book image

Titel boek:

Auteur(s):

  • Uitgave:
  • ISBN:
  • Druk:

Geschreven voor

Alle documenten voor dit vak (1)

Verkoper

avatar-seller
jeroenkloet

Ontvangen beoordelingen

Voorbeeld van de inhoud

BOOK SUMMARY

(ICS)2 OFFICIAL GUIDE TO THE ISSAP CBK
SECOND EDITION




2

,DOMAIN I
ACCESS CONTROL SYSTEMS & METHODOLOGY

Access Control concepts
Security architects should be interested in access control because it has desirable attributes that can preserve
the critical information found in Line of Business systems. Systems with logical access controls watch over
important information. These desirable attributes of logical access controls can protect resources from loss or
exposure and provide accountability for those accessing the information or system.

Essentially, access control is a way to discover the following:
 Who (which subject) is accessing the information?
 What (object) is being accessed?
 How (via which mechanism) might the access occur?

The combined usage of subjects, objects, permissions, and rights forms the foundation of a system’s access
control, where:
 Subjects are the persons, entities, or processes that want to access an object.
 Objects are resources such as files, devices, or services.
 Permissions are the type of access a subject is given. Common permissions include read, write, modify,
delete, and execute.
 Rights are special abilities granted to a subject. For example, an administrator has the right to create
accounts, while ordinary users do not. Rights have policy influences over the interactive who, what, and
how questions of the access control mechanism.

Access control coupled with auditing establishes the basis for accountability. Auditing is the process of
recording access control actions and is the principal method used to achieve accountability.

Access control is the fundamental mechanism that provides for the confidentiality, integrity, and availability of
information within an information technology (IT) system. Access control thus enables:
 Confidentiality, through measures that project objects from unauthorized disclosure.
 Integrity, by preventing unauthorized modifications when properly implemented.
 Availability, when integrity is properly enabled.

A system security policy can be viewed as a structure, such as the one depicted below. Confidentiality,
integrity, and availability establish the foundation of a security policy. Rules formed by laws, regulations,
standards, and policy are the primary pillars supporting the policy. The rules give shape to managerial,
organizational, and technical controls that make up the foundation of the system security policy.




2

,The mechanisms of access control can be found in a variety of products and at multiple levels within an IT
system. The more common products implementing access control include:
 Network devices. Access control at network level tends to be more connection oriented, such as allowing
or disallowing ports and protocols associated with given IP addresses. Typically, an access control
mechanism is limited to the box (router, switch, firewall) itself.
 Operating systems. Most operating systems provide some form of access control by default. At this level,
an access control mechanism is sometimes shared among workstations and servers in a network.
However, this is not always the case for every commercial operating system.
 Database Management Systems. Many databases provide capabilities to control access to the data they
contain. In some cases, a database management system might also be able to distribute access control
functionality among distributed systems, in much the same way as some operating systems.
 Applications. Some applications contain their own access control mechanisms, which might be as simple
as allowing or denying access based on presenting acceptable credentials or a robust access control
mechanism like those found in an operating system or database.

The figure below illustrates many different access control methods and techniques that can be applied to the
various layers of the Open System Interconnectivity (OSI) model.




Two important features of access control mechanisms are the Access Control List (ACL) and the ACL repository.
The ACL identifies the security attributes of a particular system object. Typically, this will include information
about the object owner and other entities having authorized access associated with the rights granted to each
entity. Each subject identified in an ACL is known as an Access Control Entity (ACE). The ACL repository is used
to manage each ACL in the system.

Discretionary Access Control
Discretionary Access Control (DAC) is the predominant access control technique in use today. The underlying
concept of DAC is to give an object owner the discretion to decide who is authorized to access an object and to
what extent. The definition of an object owner is the person who best understands the value of the
object to the organization.
 Read. It is essential to understand that read permission does not mean read-only. It really means read-
and-copy. Any subject with the permission to read a file can also make a copy of the same file. This occurs
during the reading process. When an application reads a data file, it makes a copy of the contents in
memory.




2

,  Write. Giving an entity the ability to write to a file object allows it to write anything to that object. This
could include a virus, appended to the end. Another problem with this permission is that an entity could
also replace all the data in a file with one byte of information. This is like having the ability to delete a file.
The implication of the write permission is that object integrity can be affected.
 Execute. It is essential to understand the concept of the context of an executing process. When an entity
executes a process, that process typically has access to all object available to the entity. This feature of
DAC is what gives a Trojan horse the ability to steal information or damage a system.

DAC implementation strategies
Overcoming the challenges of the read permission is a difficult task, but mitigations are possible. The following
are some approaches to consider:
 Limit access to essential objects only.
 Label sensitive data.
 Filter information where possible.
 Provide guidance that prohibits unauthorized duplication of information.
 Conduct monitoring for noncompliance.

Appropriate access control settings need to be established for all resources within a system. The following are
a few objects for which write permission should be restricted:
 Configuration files. Any file used to store configuration information should be set to read-only where
updates are not routine actions.
 Windows Registry. Lock down system registry keys to read-only. This is especially important for the run
keys, which designate software to execute a boot. Run keys are a primary target for malware.
 Services. If a service is not needed, it should be disabled. If users do not need a service, then they should
be prevented through the ACL from interacting with it.
 Data. Follow the concepts of least privilege and separation of duties when assigning permissions to data
files.

Solving the problem with execute permissions with DAC is by far the most important measure. The execution
of unauthorized processes can threaten the integrity of the user context, or worse, that of the entire system
when the context is that of an administrator or the system itself. The best approach to this problem is to apply
restrictive access controls to existing executables and monitor for unauthorized access instances. The following
is a list of recommended approaches:
 Set access control entries for all executable binary files to read-only.
 Prevent execution from removable media.
 Use host-based firewalls.
 Conduct software integrity inventories.
 Monitor executions.

Nondiscretionary Access Control
Access control mechanisms that are neither DAC nor Mandatory Access Control (MAC) are referred to as forms
of nondiscretionary access control.
 Role-Based Access Control (RBAC). It is desirable to limit individuals to only those resources that are
needed to support their duties. This can be achieved when user access is controlled according to assigned
job functions or roles. The unique quality of RBAC is that rights and permissions are ordered in a
hierarchical manner. Privileges on resources are mapped to job functions.
 Originator Controlled (ORCON). An information owner may desire to control the life cycle of certain types
of information. Some of the desired control might concern how long the information remains available or
who can view the information.
 Digital Rights Management (DRM). Intellectual content such as music, movies, and books need methods
to control who is authorized to access them. Additionally, DRM must have portability features, because a
user might want to access the protected content from different systems of platforms. It relies on
cryptographic techniques to preserve the authenticity of and access to protected information.
 Usage Controlled (UCON). Another problem associated with protecting intellectual content involves
frequency of access. DRM techniques provide measures that attempt to control who can access the


2

Dit zijn jouw voordelen als je samenvattingen koopt bij Stuvia:

Bewezen kwaliteit door reviews

Bewezen kwaliteit door reviews

Studenten hebben al meer dan 850.000 samenvattingen beoordeeld. Zo weet jij zeker dat je de beste keuze maakt!

In een paar klikken geregeld

In een paar klikken geregeld

Geen gedoe — betaal gewoon eenmalig met iDeal, creditcard of je Stuvia-tegoed en je bent klaar. Geen abonnement nodig.

Direct to-the-point

Direct to-the-point

Studenten maken samenvattingen voor studenten. Dat betekent: actuele inhoud waar jij écht wat aan hebt. Geen overbodige details!

Veelgestelde vragen

Wat krijg ik als ik dit document koop?

Je krijgt een PDF, die direct beschikbaar is na je aankoop. Het gekochte document is altijd, overal en oneindig toegankelijk via je profiel.

Tevredenheidsgarantie: hoe werkt dat?

Onze tevredenheidsgarantie zorgt ervoor dat je altijd een studiedocument vindt dat goed bij je past. Je vult een formulier in en onze klantenservice regelt de rest.

Van wie koop ik deze samenvatting?

Stuvia is een marktplaats, je koop dit document dus niet van ons, maar van verkoper jeroenkloet. Stuvia faciliteert de betaling aan de verkoper.

Zit ik meteen vast aan een abonnement?

Nee, je koopt alleen deze samenvatting voor €4,98. Je zit daarna nergens aan vast.

Is Stuvia te vertrouwen?

4,6 sterren op Google & Trustpilot (+1000 reviews)

Afgelopen 30 dagen zijn er 69052 samenvattingen verkocht

Opgericht in 2010, al 15 jaar dé plek om samenvattingen te kopen

Begin nu gratis
€4,98  1x  verkocht
  • (0)
In winkelwagen
Toegevoegd