The document covers Access Control as part of CISSP® Domain 5, detailing policies, procedures, and standards for granting access based on the principles of least privilege and need to know. It discusses various access management methods, including IAAA (Identification, Authentication, Authorization, Accountability) and different authentication types such as passwords, tokens, and biometrics. Additionally, it outlines access control models like DAC, MAC, RBAC, and ABAC, along with centralized and decentralized access control systems and federated identity management.


Thor’s Quick Sheets – CISSP® Domain 5

Contents

Access Control
IAAA Access Management
Access Control Systems
Critical Aspects of Access Control and Security Management
Access Control – Authentication Protocols

https://thorteaches.com/
Access Control
• Our access control is determined by our policies, procedures, and standards.
• These outline how we grant access: to whom, and to what.
• We apply least privilege and need to know: we give our staff and systems exactly the access they need and
no more.
• Access control spans all the layers of our defense in depth model. Different permissions are granted to
different subjects depending on their need to access the systems or data, following the procedures for that
area.
• We covered some of the physical parts of access control in Domain 3’s Physical Security: how we use
fences, locks, turnstiles, bollards, ...
• On the logical side, we do this by implementing the access security models we talked about in
• We never use group logins or accounts; they have no accountability.

IAAA Access Management


Identification: Your name, username, ID number, employee number, SSN, etc.
Authentication: This should always be done with Multifactor Authentication!
• Something you know - Type 1 Authentication (passwords, passphrase, PIN, etc.).
• Something you have - Type 2 Authentication (ID, passport, smart card, token, a cookie on a PC, etc.).
• Something you are - Type 3 Authentication (biometrics: fingerprint, iris scan, etc.).
Multi-factor authentication requires authentication from 2 or more of these types.
Something you know - Type 1 Authentication: Passwords, passphrase, PIN, etc., also called Knowledge
factors. The subject uses these to authenticate their identity: if they know the secret, they must be who they
say they are. This is the most commonly used form of authentication, and a password is the most common
knowledge factor. The user is required to prove knowledge of a secret to authenticate.
Passwords: We have password policies to ensure they are as secure as possible. Passwords should have a
minimum length, contain upper/lower case letters and numbers/symbols, and not contain full words or other
easy-to-guess phrases. Policies also set expiration dates, a password reuse policy, and a minimum time before
users can change the password again.
• Key Stretching: Adding 1-2 seconds to password verification. If an attacker is brute-forcing a password and
needs millions of tries, the attack becomes infeasible.
• Brute Force Attacks: Use the entire key space (every possible key); any ciphertext can be decrypted with
enough time. Effective against all key-based ciphers except the one-time pad.
• Dictionary Attacks: Based on a pre-arranged list, often dictionary words. Often succeed because people
choose short passwords that are ordinary words with numbers at the end.
• Rainbow Table Attacks (countered by limiting the number of wrong logins and by salting): Pre-made list of
plaintext and matching ciphertext, often passwords and their matching hashes; a table can have 1,000,000 pairs.
• Keylogging (Keystroke Logging): Added to the user's computer and records all keystrokes.
• Hardware: Attached to the USB port where the keyboard is plugged in. Can either call home or
needs to be removed to retrieve the information.
• Software: a program installed on the computer. The keylogger calls home or uploads the
keystrokes to a server at regular intervals.

• Salt (Salting): Random data used as an additional input to a one-way function that hashes a password or
passphrase. Salts are very similar to nonces. The primary function of salts is to defend against dictionary
attacks and pre-compiled rainbow table attacks.
• Nonce (number only used once): A random or pseudo-random number, often issued in an authentication
protocol to ensure that old communications cannot be reused in replay attacks. Nonces are also useful as
initialization vectors and in cryptographic hash functions.
• Clipping Levels: Clipping levels are in place to limit administrative overhead. They allow authorized users
who forget/mistype their password a couple of extra tries, and prevent password guessing by locking the
user account for a certain timeframe (an hour) or until unlocked by an administrator.
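The salting and key stretching bullets above in working form, as an added example that is not part of Thor's sheets: a per-user random salt plus PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and salt size are assumed illustrative values, and the precomputed-table check shows why a random salt makes such a table useless.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example, not from Thor's sheets. Iteration count and salt size are
# assumed illustrative values, not a recommendation from the sheet.
ITERATIONS = 100_000   # stretching factor: every guess costs this many HMAC calls
SALT_BYTES = 16        # random per-user salt, stored next to the digest


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password end up with unrelated digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_unsalted_table(candidates: List[str]) -> Dict[bytes, str]:
    """Digest -> password for the bare (unsalted) password, i.e. the kind of
    precomputed table that only works if nobody salted. Built here purely to
    show the defence: with a random salt the stored digest never matches."""
    return {hashlib.pbkdf2_hmac("sha256", p.encode("utf-8"), b"", ITERATIONS): p
            for p in candidates}


def precomputed_table_hit(stored: Tuple[bytes, bytes],
                          table: Dict[bytes, str]) -> Optional[str]:
    """Defender's check: does a precomputed unsalted table resolve this record?"""
    _salt, digest = stored
    return table.get(digest)
```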
Password Management: We covered some password requirements; here are the official recommendations by
the U.S. Department of Defense and Microsoft:
• Password history = set to remember 24 passwords.
• Maximum password age = 90 days.
• Minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to
their favorite password again).
• Minimum password length = 8 characters.
• Passwords must meet complexity requirements = true.
• Store password using reversible encryption = false.
Something you have - Type 2 Authentication: ID, passport, smart card, token, a cookie on PC, these are called
Possession factors. Subjects use them to authenticate their identity; they must be who they say they are if
they have the item. Most also assume a shared trust; you have your passport, it looks like you in the picture;
we trust the issuer, so we assume the passport is real.
• Single-Use Passwords: Having passwords that are only valid once makes many potential attacks
ineffective, just like one-time pads. While they are passwords, it is something you have in your
possession, not something you know.
• Smart Cards and Tokens (contact or contactless): Contain an ICC (Integrated Circuit Chip).
• Contact Cards: Inserted into a machine to be read. This can be credit cards you insert into the
chip reader or the DOD CAC (Common Access Card).
• Contactless Cards: Can be read by proximity. Key fobs or credit cards where you just hold it
close to a reader. They use an RFID tag (transponder) which an RFID Transceiver then reads.
• Magnetic Stripe Cards: Swiped through a reader, no circuit. Very easy to duplicate.
Tokens: HOTP and TOTP can be either hardware or software-based. Cellphone apps are common.
• HOTP (HMAC-based One-Time Password): Shared secret and incremental counter, generated code
when asked, valid till used.
• TOTP (Time-based One-Time Password): Time-based with a shared secret, often generated every 30 or
60 seconds, synchronized clocks are critical.
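HOTP and TOTP as described in the two bullets above, as an added example that is not from Thor's sheets: HMAC-SHA1 with dynamic truncation per RFC 4226, TOTP as HOTP over floor(time / step) per RFC 6238, plus the two server-side checks the bullets imply (an HOTP code stays valid until used, and a TOTP verifier tolerates only a small clock skew). The look-ahead and skew values are assumed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Added example, not from Thor's sheets. Verified against the RFC 4226 /
# RFC 6238 SHA-1 test vectors for the secret b"12345678901234567890".


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP = DynamicTruncate(HMAC-SHA1(secret, counter)) mod 10^digits."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side (assumed value).
    This is why synchronized clocks are critical: drift past skew*step fails."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


def verify_hotp(secret: bytes, code: str, server_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Tuple[bool, int]:
    """A code is valid until used: the server accepts the next look_ahead
    counter values, then moves its counter past the one that matched so the
    same code cannot be presented twice. Returns (accepted, new_counter)."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True, c + 1
    return False, server_counter
```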
Something you are - Type 3 Authentication (Biometrics): Fingerprint, iris scan, facial geometry, etc., also
called realistic authentication. The subject uses biometrics to authenticate their identity: if they have that
characteristic, they must be who they say they are, since it is unique to them. This factor comes with more
issues than the two other common authentication factors: we can allow unauthorized people into our facilities
or systems if we accept someone by mistake (False Accept), and we can keep our authorized people out of our
facilities if we refuse them by mistake (False Reject).

• Errors for Biometric Authentication:
• FRR (False rejection rate) Type 1 error:
o Authorized users are rejected.
o This can be caused by settings that are too strict, e.g. demanding 99% accuracy on the biometric match.
• FAR (False accept rate) Type 2 error:
o An unauthorized user is granted access.
o This is a very serious error.
• We want a good balance of FRR and FAR; where the two curves meet on the graph is the CER (Crossover
Error Rate), and this is where we want to be.
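The FRR/FAR trade-off above worked through in code, as an added example that is not from Thor's sheets: the matcher's acceptance threshold is swept, FRR and FAR are computed at each setting, the crossover (CER) is located, and an operating point is chosen that caps the more serious error (FAR) first. The match scores are constructed for illustration.

```python
from typing import Iterable, List, Tuple

# Added example, not from Thor's sheets. Scores are constructed: higher means
# a closer match; a comparison is accepted when score >= threshold.
GENUINE = [62, 70, 74, 78, 80, 82, 85, 88, 90, 93]   # same-person comparisons
IMPOSTOR = [30, 40, 45, 50, 55, 60, 65, 70, 75, 80]  # different-person comparisons


def frr(threshold: float, genuine: List[float]) -> float:
    """Type 1 error: authorized users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor: List[float]) -> float:
    """Type 2 error: impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine: List[float], impostor: List[float],
                thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for every candidate setting: a strict threshold
    drives FAR to zero but rejects more authorized users, and vice versa."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in thresholds]


def crossover(genuine: List[float], impostor: List[float],
              thresholds: Iterable[float]) -> Tuple[float, float]:
    """Threshold where FRR and FAR are closest, and the error rate there (CER)."""
    t, fr, fa = min(error_curve(genuine, impostor, thresholds),
                    key=lambda row: abs(row[1] - row[2]))
    return t, (fr + fa) / 2


def operating_point(genuine: List[float], impostor: List[float],
                    thresholds: Iterable[float], max_far: float) -> Tuple[float, float]:
    """Because a false accept is the more serious error, cap FAR first and then
    pick the threshold with the lowest FRR. Returns (threshold, FRR)."""
    acceptable = [row for row in error_curve(genuine, impostor, thresholds)
                  if row[2] <= max_far]
    t, fr, _fa = min(acceptable, key=lambda row: row[1])
    return t, fr
```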
Something you are - Type 3 Authentication (Biometrics):
Biometric identifiers are often categorized as physiological and behavioral characteristics.
• Physiological Characteristics: Uses the body's shape; these do not change unless a drastic event occurs;
fingerprint, palm veins, facial recognition, DNA, palm print, hand geometry, iris recognition, retina, and
odor.
• Behavioral Characteristics: Uses the pattern of behavior of a person; these can change but most often
revert to the baseline—typing rhythm, how you walk, signature, and voice.
Issues with Biometric Authentication:
• While passwords and smart cards should be safe because you keep them a secret and secure, biometrics
are inherently not, and something others can easily find out.
• Attackers can take pictures of your face, fingerprints, hands, and ears and print good enough copies to get
past a biometric scan.
• How you type, sign your name, and voice pattern can be recorded, also not too difficult to cheat biometrics
if it is worth the effort.
• Some types are still inherently more secure, but they are often also more invasive.
• Lost passwords and ID cards can be replaced with new ones; biometrics can't.
• Which should make us question, even more, the mass collection of biometric data.
Authorization: We use Access Control models to determine what a subject is allowed to access. What and how
we implement depends on the organization and our security goals; type can often be chosen depending on
which leg of the CIA Triad is the most important one to us.
• If it is Confidentiality, we would likely go with MAC (Mandatory Access Control).
• If it is Availability, we would likely go with DAC (Discretionary Access Control).
• If it is Integrity, we would likely go with RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access
Control).
• RUBAC (Rule-Based Access Control) is mostly used on firewalls with IF/THEN statements, which can be used
in conjunction with the other models to provide defense in depth.
DAC (Discretionary Access Control): Often used when Availability is most important. Access to an object is
assigned at the discretion of the object owner; the owner can add and remove rights. Commonly used by most
OSs; uses DACLs (Discretionary ACLs), based on user identity.
MAC (Mandatory Access Control): Often used when Confidentiality is most important: Access to an object is
determined by labels and Clearance; this is often used in the military or in organizations where Confidentiality
is very important.

• Labels: Objects have labels assigned to them; the subject's clearance must dominate the object's label. The
label is used to allow subjects with the right clearance to access the object. Labels are often more granular
than just "Top Secret"; they can be "Top Secret – Nuclear."
• Clearance: Subjects have a clearance assigned to them, based on a formal decision on the subject's current
and future trustworthiness. The higher the clearance, the more in-depth the background checks should be.
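The MAC dominance rule from the Labels bullet in code, as an added example that is not from Thor's sheets: a clearance dominates a label only when its level is at least as high AND it holds every compartment on the label, so "Top Secret" alone does not dominate "Top Secret – Nuclear". The level ordering, the label text format and the audit-line format are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Added example, not from Thor's sheets. Level ordering is an assumption.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()


def parse_label(text: str) -> Label:
    """Parse 'Top Secret – Nuclear, Crypto' (en dash or hyphen separator) into a
    Label; a bare level such as 'Secret' has no compartments."""
    for sep in (" – ", " - "):
        if sep in text:
            level, comps = text.split(sep, 1)
            return Label(level.strip(), frozenset(c.strip() for c in comps.split(",")))
    return Label(text.strip())


def dominates(clearance: Label, label: Label) -> bool:
    """Level at least as high AND every compartment on the label is held."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)


def mac_access(subject: str, clearance_text: str,
               obj: str, label_text: str) -> Tuple[bool, str]:
    """Make the decision and return an audit line tying the subject to the
    action (the Accountability part of IAAA). Line format is an assumption."""
    allowed = dominates(parse_label(clearance_text), parse_label(label_text))
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{verdict} subject={subject} object={obj} label={label_text!r}"
```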
RBAC (Role-Based Access Control): Often used when Integrity is most important. A policy-neutral access control
mechanism defined around roles and privileges. A role is assigned permissions, and subjects in that role are
added to the group. If they move to another position, they are moved to the permissions group for that
position. It makes the administration of thousands of users and tens of thousands of permissions much easier
to manage, and it is the most commonly used form of access control. If implemented right, it can also enforce
separation of duties and prevent authorization/privilege creep.
ABAC (Attribute-Based Access Control): Access to objects is granted based on subjects, objects, AND
environmental conditions. Attributes could be:
• Subject (user): Name, role, ID, clearance, etc.
• Object (resource): Name, owner, and date of creation.
• Environment: Location and/or time of access and threat levels.
Expected to be used by 70% of large enterprises within the next five years, versus around 25% today. It can
also be referred to as policy-based access control (PBAC) or claims-based access control (CBAC).
Context-Based Access Control: Access to an object is controlled based on certain contextual parameters, such
as location, time, sequence of responses, access history. Providing the username and password combination
followed by a challenge and response mechanism such as CAPTCHA, filtering the access based on MAC
addresses on wireless, or a firewall filtering the data based on packet analysis are all examples of context
dependent access control mechanisms.
Content-Based Access Control: When access is provided based on the attributes or content of an object, it is
known as content-dependent access control. In this type of control, the value and attributes of the content
being accessed determine the control requirements. Hiding or showing menus in an application, views in
databases, and access to confidential information are all content-dependent.
Accountability (often referred to as Auditing): Traces an Action to a Subject's Identity:
• Proves who performed given action; it provides non-repudiation.
• Group or shared accounts are never OK; they have zero accountability.
• Uses audit trails and logs to associate a subject with its actions.
Access Control Systems
Access Control Systems: We can use centralized and/or decentralized (distributed) access control systems.
Both options provide different benefits. Access control decisions are made by comparing the credential to an
access control list. This lookup can be done by a host or server, by an access control panel, or by a reader.
Most common is hub and spoke with a control panel as the hub and the readers as the spokes.
• Centralized Pros (Decentralized Cons): All systems and locations have the same security posture. Easier to
manage: all records, configurations, and policies are centralized and only configured once per policy.
Attackers look for the weakest link in our chain; if a small satellite office is not following our security
posture, it can be an easy way onto our network. It is more secure: only a few people have access and
can make changes to the system. It can also provide separation of duties; the local admin can't edit/delete
logs from their facility. SSO can be used for user access to multiple systems with one login.

• Centralized Cons (Decentralized Pros): Traffic overhead and response time: how long does it take for a
door lock to authenticate the user against the database at the head office? Is connectivity to the head office
stable? Is the important equipment on redundant power and internet?
• Hybrid: Centrally-controlled; access lists for that location are pushed to a local server on a daily/hourly
basis; local administrators have no access. We must still ensure that the local site follows the organization's
security posture in all other areas.
• Just-In-Time (JIT) Access Control: This allows us to use third-party websites without checking if all our
employees have accounts on those sites. Users log in on a third-party site, and on their first visit, the JIT
system confirms the employee with our systems and creates the user account on their systems, most
commonly using SAML.
• OpenID Connect (OIDC)/Open Authorization: Adds an identity layer to OAuth 2.0, allowing 3rd party
applications or sites to verify the identity of a user. You can use your Google or Facebook account to log
into 1000s of other sites.
• Risk-Based Access Control: Access decisions are made based on risk assessment, done using machine
learning, which analyzes behavioral and contextual data analytics to calculate risk for each access.
Federated Identity: How we link a person's electronic identity and attributes across multiple distinct identity
management systems.
• FIDM (Federated Identity Management): Having a common set of policies, practices, and protocols in place
to manage the identity and trust of IT users and devices across organizations.
• SSO: A subset of FIDM, only uses authentication and technical interoperability.
• Technologies used for federated identity include SAML, OAuth, OpenID, Security Tokens, MS Azure Cloud, …
• SAML (Security Assertion Markup Language): An XML-based, open-standard data format for
exchanging authentication and authorization data between parties. The single most important
requirement that SAML addresses is web browser SSO.
• SSO (Single Sign-on): Users use a single sign-on for multiple systems. It is often deployed in organizations
where users must access 10+ systems, and it is too burdensome to remember all those passwords. SSO has
the same strong password requirements as normal system passwords. If an attacker compromises a single
password, they have access to everything the user can access.
• Super Sign-on: One login can allow you to access many systems and sites. Social media logins are common
super sign-on; an attacker can access multiple other sites or systems if an account is compromised. The
social media account is linked to all the other systems.
• IDaaS (Identity as a Service): Identity and access management built, hosted, and managed by a third-party
service provider. Native cloud-based IDaaS solutions can provide SSO functionality through the cloud, FIDM
for Access Governance, Password Management,... Hybrid IAM solutions from vendors like Microsoft and
Amazon provide cloud-based directories that link with on-premises IAM systems.

Critical Aspects of Access Control and Security Management
Policy Decision Point (PDP): A function that evaluates policies and makes decisions based on those policies.
Policy Enforcement Point (PEP): A function that enforces the decisions made by the PDP.
Principle of Least Privilege: Users are granted the minimum level of access required to perform their job
functions.
Service Accounts: Specialized accounts used by applications or services to access resources and perform
automated tasks.
Managing and Securing Service Accounts:
• Inventory and classify all service accounts.
• Limit the number of service accounts where possible.
Policies and Procedures:
• Establish strong policies and procedures that govern access to assets.
• Clearly define who is allowed to access which resources under specific conditions.
User Education and Awareness:
• Train users making and using service accounts on the importance of protecting sensitive resources.
• Clarify roles and responsibilities when it comes to access control.

Access Control – Authentication Protocols


Kerberos:
• Authentication protocol that works based on tickets to allow nodes communicating over a non-secure
network to prove their identity to each other in a secure manner.
• The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the
three-headed guard dog of Hades.
• It is based on a client-server model, and it provides mutual authentication: both the user and the server
verify each other's identity.
• Messages are protected against eavesdropping and replay attacks.
• It builds on symmetric keys, requires a trusted third party, and can optionally use PKI during certain
authentication phases.
• Uses UDP port 88 by default; used in Active Directory from Windows 2000 onwards, and many Unix OSs.
• Pros: Easy for end users; centralized control and easy to administer.
• Cons: Single point of failure; access to everything with a single password.
1. The client sends a TGT request containing only the plaintext user ID.
2. The response contains a session key encrypted with the user's secret key + a TGT encrypted with the TGS's
secret key.
3. The client sends the TGT + a service request encrypted with the client/TGS session key.
4. The response contains a client-to-server ticket encrypted with the server's secret key + a client/server
session key encrypted with the client/TGS session key.
5. The client sends the client/server session key encrypted with the client/TGS session key + a new
authenticator encrypted with the client/server session key.
6. The server returns a timestamp authenticator encrypted with the client/server session key.

SESAME (Secure European System for Applications in a Multi-vendor Environment): Called the successor to
Kerberos; it addresses some of the issues of Kerberos. It uses PKI encryption, which fixes Kerberos' plaintext
storage of symmetric keys. It uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute
Certificates) instead of Kerberos' tickets. Not widely used.
RADIUS (Remote Authentication Dial-In User Service): A networking protocol that provides centralized
Authentication, Authorization, and Accounting management for users who connect to and use a network
service. Widely used by ISPs (Internet service providers) and large organizations to manage access to IP
networks, APs, VPNs, servers, 802.1x, ... It is a client/server protocol that runs in the application layer and
can use either TCP or UDP as transport. Network access servers, the gateways that control access to a
network, usually contain a RADIUS client component that communicates with the RADIUS server. Uses UDP
ports 1812 for authentication and 1813 for accounting; it can use TCP as the transport layer with TLS for
security.
Diameter: Provides centralized AAA (Authentication, Authorization, Accounting) management for users who
connect to and use a network service. It was intended as a replacement for RADIUS; this never happened.
Diameter is largely used in the 3G space; RADIUS is used elsewhere. It uses a 32-bit AVP field (4.2 billion
AVPs), whereas RADIUS uses 8 bits and only has 256 possible AVPs. Uses SCTP (Stream Control Transmission
Protocol) or TCP by default. Not directly backward compatible, but provides an upgrade path from RADIUS.
TACACS (The Terminal Access Controller Access Control System): Centralized access control system requiring
users to send an ID and reusable (vulnerable) passwords for authentication; uses TCP/UDP port 49. TACACS+
and RADIUS have replaced TACACS.
TACACS+: Better password protection by using two-factor strong authentication. Not backward compatible
with TACACS; uses TCP port 49 for authentication with the TACACS+ server. Similar to RADIUS; however,
RADIUS only encrypts the password, whereas TACACS+ encrypts the entire data packet.
PAP (Password Authentication Protocol): Authentication is initialized by the client/user by sending a packet
with credentials (username and password) at the beginning of the connection. One of the oldest
authentication protocols, no longer secure. Credentials are sent in plain text.
CHAP (Challenge-Handshake Authentication Protocol): Provides protection against peer replay attacks through
the peer using an incrementally changing identifier and a variable challenge value. Requires the client and
server to know the plaintext of a shared secret, but the secret is never sent over the network, providing
better security than PAP, which is vulnerable for both these reasons; used by PPP (Point to Point Protocol)
servers to validate remote clients. Periodically verifies the identity of the client by using a three-way
handshake. The CHAP server stores the plaintext password of each client; an attacker gaining access to the
server can steal all the client passwords stored on it.
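The CHAP three-way handshake above as a simulated exchange between both sides, as an added example that is not from Thor's sheets: the response is MD5(identifier || secret || challenge) as RFC 1994 defines it, the secret itself never crosses the wire, each challenge is single-use so a captured response fails against the next challenge, and the server holds every client's plaintext secret (the exposure the text describes). Peer names and secrets are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not from Thor's sheets. Peer names and secrets are constructed.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """The authenticator. It must keep each client's plaintext secret to recompute
    the expected response, which is why a server compromise exposes every client."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding: Dict[str, Tuple[int, bytes]] = {}   # name -> (id, challenge)

    def challenge(self, name: str) -> Tuple[int, bytes]:
        """Step 1: a fresh identifier and a random challenge for this peer."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[name] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute and compare; the challenge is consumed either way,
        so a response can only ever be tried against the challenge it answers."""
        pending: Optional[Tuple[int, bytes]] = self.outstanding.pop(name, None)
        if pending is None or pending[0] != identifier or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], pending[1])
        return hmac.compare_digest(expected, response)


def chap_client(secret: bytes, identifier: int, challenge: bytes) -> bytes:
    """Step 2: the peer proves knowledge of the secret without sending it."""
    return chap_response(identifier, secret, challenge)


def handshake(server: ChapServer, name: str, client_secret: bytes) -> bool:
    """One full three-way exchange from the client's point of view."""
    ident, chal = server.challenge(name)
    return server.verify(name, ident, chap_client(client_secret, ident, chal))


def replay_is_rejected(server: ChapServer, name: str, client_secret: bytes) -> bool:
    """A response observed on the wire is useless against the periodic re-challenge,
    because the identifier and the challenge value have both changed."""
    ident, chal = server.challenge(name)
    observed = chap_client(client_secret, ident, chal)
    first_ok = server.verify(name, ident, observed)
    ident2, _ = server.challenge(name)
    return first_ok and not server.verify(name, ident2, observed)
```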
AD (Active Directory): Microsoft's directory service for Windows domain networks. It is included in most
Windows Server OSs as a set of processes and services. Originally it was only in charge of centralized domain
management; as of Windows Server 2008, AD became an umbrella term for a broad range of directory-based
identity-related services. A server running Active Directory Domain Services (AD DS) is a domain controller.
The DC authenticates and authorizes all subjects in a domain; networks can have one or more domains. AD uses
LDAP (Lightweight Directory Access Protocol) versions 2 and 3, Microsoft's version of Kerberos, and DNS. Each
domain can have a separate authentication process, users, network components, and data objects. AD uses
groups to control user access to data objects, often as a form of RBAC where roles are assigned to groups that
have access rights. It can use domain trusts, which allow users in one domain to access resources in another.

https://thorteaches.com/
8
Thor’s Quick Sheets – CISSP® Domain 5
• One-way Trust: One domain allows access to users on another domain, but the other domain does not
allow access to users on the first domain.
• Two-way Trust: Two domains allow access to users on both domains.
• Trusted Domain: The domain whose users are granted access to resources in the trusting domain.
• Transitive Trust: Trust that can extend past two domains to other trusted domains in the forest.
• Intransitive (non-transitive) Trust: A one-way trust that does not extend beyond two domains.
