CISSP Rapid Review: Access Control

  • 12/15/2012
This chapter from CISSP Rapid Review explains concepts and techniques for controlling access, how to understand control attacks, how to assess the effectiveness of access controls, and the identity and access provisioning lifecycle.

The Access Control domain covers a variety of different controls used to identify subjects, authenticate them, and control the access they are granted to different objects by controlling rights and permissions. Audit trails are an important element of accounting and logging and, combined with effective authentication, provide individual accountability. Access control attacks are common, and it’s important for security professionals to have a basic understanding of evaluating threats and analyzing vulnerabilities to determine overall risk. Ideally, access controls are implemented to fully support an organization’s security policy, and a way to verify this is through access reviews and audits. These reviews and audits can also detect problems in the identity and access provisioning life cycle, such as inactive accounts that have not been disabled.

This chapter covers the following objectives:

  • Objective 1.1: Control access by applying the following concepts/methodologies/techniques
  • Objective 1.2: Understand access control attacks
  • Objective 1.3: Assess effectiveness of access controls
  • Objective 1.4: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

Objective 1.1: Control access by applying the following concepts/methodologies/techniques

For this exam objective, you must understand many of the basics related to IT risk management. Security policies provide overall direction for an organization. Personnel within the organization then implement different types of controls to support the policy. At the core of access control is effective authentication, and it’s important to understand the authentication factors. Without effective authentication, it isn’t possible to enforce authorization and data within audit trails is not useful. Single sign-on (SSO) authentication methods have been widely available within a single organization’s environment, but newer methods support SSO in federations. You should have an understanding of federated identity management systems and some of the XML-based protocols that they use to share authentication information.

Exam need to know…

  • Policies

    For example: Do you know and understand the common elements of a security policy, such as the principle of least privilege and separation of duties? What is an acceptable use policy?

  • Types of controls (preventive, detective, corrective, and so on)

    For example: What type of control is an audit trail? What type of control is a security guard?

  • Techniques (for example, non-discretionary, discretionary, and mandatory)

    For example: What is a commonly used non-discretionary model that organizes users into groups?

  • Identification and authentication

    For example: One authentication method requires users to enter a password and a PIN. Another model requires users to use a smart card and a PIN. Which is stronger?

  • Decentralized/distributed access control techniques

    For example: What XML-based standards are used to provide SSO capabilities in a federated identity management system?

  • Authorization mechanisms

    For example: How does a constrained user interface control access? What are the differences among an access control list, a capability table, and an access control matrix?

  • Logging and monitoring

    For example: What is provided by an audit trail? What is included in log management?

Policies

At the heart of any access control strategy is one or more security policies that identify the overall security goals of an organization. The security policy provides a high-level overview of generalized goals, and it is used to create more specific guidelines, standards, and procedures. Security policies commonly include one or more of the following elements:

  • An acceptable use policy (AUP) informs users of their responsibilities when using IT systems and identifies unacceptable behaviors. Users should reread and acknowledge the AUP periodically, such as once a year.
  • Least privilege refers to the practice of granting subjects access only to what they need to perform their jobs and no more.
  • A separation of duties policy ensures that no single entity can control an entire process. It helps prevent fraud by requiring two or more people to conspire together.
  • Job rotation policies help prevent fraud by ensuring that a person does not remain in the same position for an extended period and gain excessive control over any area of the business.

Access Control policies commonly refer to subjects and objects. A subject (such as a user) can access an object (such as a file or other resource). Subjects are often grouped together by using roles or groups to simplify administration. Similarly, objects are also grouped together, such as grouping files within folders or shares to simplify administration. As a best practice, permissions for an object are rarely granted to a single subject.

True or false? The primary goal of security policies is to protect confidentiality, integrity, and availability of an organization’s assets.

Answer: True. Security policies and procedures are in place to support the core security goals of preventing the loss of confidentiality, integrity, or availability of assets.

Types of controls (preventive, detective, corrective, and so on)

Security controls are safeguards or countermeasures put into place to reduce overall risk. One way they are classified is based on how they are implemented:

  • Technical or logical controls are implemented with technology such as protecting objects with permissions or requiring users to change their passwords with a technical password policy.
  • Physical controls include elements that you can physically touch, such as a door lock or a closed circuit television (CCTV).
  • Administrative or management controls are written security policies or methods used to check the effectiveness of security, such as assessment or audit.

True or false? Pre-employment background investigations are a type of administrative control.

Answer: True. This is a procedure and would be done based on a policy.

Another way controls are classified is based on what they do, and they are often grouped together with the implementation method. Control classifications include the following:

  • Preventive controls attempt to prevent incidents before they occur. A firewall is a technical preventive control because it can prevent malicious traffic from entering a network. A guard is a physical preventive control. Administrative preventive controls include access reviews and audits.
  • Detective controls identify security violations after they have occurred, or they provide information about the violation as part of an investigation. An intrusion detection system is a technical detective control, and a motion detector is a physical detective control. Note that both an intrusion detection system and a motion detector include the word “detect,” which is a good clue. Reviewing logs or an audit trail after an incident is an administrative detective control.
  • Corrective controls attempt to modify the environment after an incident to return it to normal. Antivirus software that quarantines a virus is an example of a technical corrective control. A fire extinguisher is an example of a physical corrective control.
  • Deterrent controls attempt to discourage someone from taking a specific action. A high fence with lights at night is a physical deterrent control. A strict security policy stating severe consequences for employees if it is violated is an example of an administrative deterrent control. A proxy server that redirects a user to a warning page when a user attempts to access a restricted site is an example of a technical deterrent control.
  • Directive controls are administrative controls that provide direction or guidance.
  • Compensating controls are controls used as alternatives to the recommended controls. NIST SP800-53 mentions a compensating control used for an industrial control system (ICS). A change management policy might dictate the testing of all updates on live systems prior to deployment, but this might not be feasible for an ICS. A compensating control is an offline replicated system used for testing.
  • Recovery controls provide methods to recover from an incident.

True or false? A user entitlement access review and audit is a detective control.

Answer: False. It is a preventive control. It is designed to identify whether users have more privileges than necessary prior to an incident. Discrepancies in assigned privileges can be corrected to prevent an incident. If an incident had already occurred, reviewing an audit trail would be a detective control.

Techniques (non-discretionary, discretionary, and mandatory)

Non-discretionary access controls are centrally managed, and discretionary access controls (DAC) are managed by data owners. Mandatory access controls (MACs) are predefined by a higher authority, such as a policy that defines access labels.

In a DAC model, every object is owned by a subject and the owner has full control over the object. For example, when a user creates a file, the user owns the file and can modify the permissions. Common operating systems such as Windows and Linux use the DAC model.

In non-DAC models, subject and object access is controlled centrally, such as by an administrator. Role-Based Access Control (RBAC) is a common example in which subjects are placed into roles or groups by administrators. Access to objects is granted to the roles rather than to individuals.

True or false? Access control administration is simplified by grouping subjects and grouping objects.

Answer: True. Users and other subjects are often grouped together by using an RBAC model. Similarly, objects such as files are often grouped together in folders and shares.

MAC uses labels assigned to subjects and objects, and when the labels match, subjects are granted access. Labels can be assigned in a hierarchical environment such as Unclassified, Secret, and Top Secret, with higher-level authorization also providing access to lower-level classifications. For example, someone granted Top Secret access also has Secret access. Labels can be assigned in a compartmentalized environment where access to one compartment does not provide access to any other data. A hybrid model uses compartments within classification levels and is easier to manage.

True or false? The Bell-LaPadula model is an example of a MAC model.

Answer: True. It uses a basic rule of no read up, no write down. The Simple Security Rule states that a subject cannot read up, and the *-property (star property) rule states that a subject cannot write down. In contrast, the Biba model (which is also a MAC model) uses a Simple Integrity Axiom of no read down and a * (star) Integrity Axiom of no write up.
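The label comparisons behind these rules, written out as an added Python example (not code from the book): a hybrid label carries a classification level plus a set of compartments, a subject's label must dominate an object's label for a Bell-LaPadula read, the reverse holds for a write, and the Biba integrity axioms invert both directions. The level names, the integrity tiers and the sample labels are constructed for the example.

```python
from dataclasses import dataclass

# Hierarchical classification levels (constructed for this example; order matters).
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}
# Integrity levels for the Biba checks (also constructed).
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Label:
    """A hybrid MAC label: a classification level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high AND it
        # holds every compartment of the other label. Top Secret alone does not
        # dominate Secret/{CRYPTO}, because the CRYPTO compartment is missing.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula Simple Security Rule: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property: no write down (the object must dominate the subject)."""
    return obj.dominates(subject)


def biba_can_read(subject_integrity: str, obj_integrity: str) -> bool:
    """Biba Simple Integrity Axiom: no read down."""
    return INTEGRITY[obj_integrity] >= INTEGRITY[subject_integrity]


def biba_can_write(subject_integrity: str, obj_integrity: str) -> bool:
    """Biba * Integrity Axiom: no write up."""
    return INTEGRITY[subject_integrity] >= INTEGRITY[obj_integrity]


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    documents = [
        ("public notice", Label("Unclassified")),
        ("TS/CRYPTO report", Label("Top Secret", frozenset({"CRYPTO"}))),
        ("TS/NUCLEAR report", Label("Top Secret", frozenset({"NUCLEAR"}))),
    ]
    for name, doc in documents:
        print(f"{name}: read={blp_can_read(analyst, doc)} "
              f"write={blp_can_write(analyst, doc)}")
```

The third document shows the compartment effect: the analyst can neither read it (missing NUCLEAR) nor write to it (it lacks CRYPTO, so writing there could leak CRYPTO material), even though Top Secret is a higher level than Secret.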

Identification and authentication

Identification occurs when a user claims an identity, such as with a user name. Authentication occurs when the user proves the claimed identity by using one or more factors of authentication. The three primary factors of authentication are as follows:

  • Something you know (such as a password or PIN)
  • Something you have (such as a smart card or RSA token)
  • Something you are (proven with biometrics)

You can combine two or more factors to provide stronger authentication. Two-factor authentication uses a method in two of the categories and is stronger than using a single factor. Multifactor authentication uses methods in two or more categories.

Even though passwords are usually stored as a hash, they can be cracked by using common comparative analysis tools. If attackers can access a password database, they can perform an offline analysis and quickly crack the passwords. Rainbow tables are commonly used in these attacks. Salting the hash with random bits protects against many offline password attacks, including the use of rainbow tables.
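To make the salting point concrete, here is an added Python example (not from the book) that contrasts a legacy unsalted store with a salted, iterated one. A precomputed hash-to-password map stands in for a rainbow table; the candidate password list and the sample credential are constructed. PBKDF2 is used for the salted variant as an assumption about what a hardened store would use; the book's point needs only the random salt.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords for the precomputed table; not real data.
COMMON_PASSWORDS = ["password", "letmein", "Summer2012", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: bare SHA-256 of the password. Equal passwords give equal hashes,
    so one precomputed table serves every account in the database."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> password map: the principle behind a rainbow table
    (a real one compresses this with reduction chains, but the effect is the same)."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> tuple:
    """Hardened storage: a random per-credential salt plus a slow, iterated hash
    (PBKDF2-HMAC-SHA256). Returns (salt, digest); both are stored, the salt is not secret."""
    if salt is None:
        salt = os.urandom(16)  # 128 random bits, unique for every stored credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted store, one lookup:", table.get(unsalted_hash("letmein")))
    s1, d1 = salted_hash("letmein")
    s2, d2 = salted_hash("letmein")
    print("same password, different stored digests:", d1 != d2)
    print("table hit on salted digest:", table.get(d1.hex()))  # None: table is useless
    print("verify correct password:", verify_salted("letmein", s1, d1))
    print("verify wrong password:", verify_salted("password", s1, d1))
```

Because every salted digest is unique, a precomputed table would have to be rebuilt per salt value, which removes the offline shortcut the book describes; the iteration count additionally slows each guess.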

True or false? Using a PIN and a password is an example of multifactor authentication.

Answer: False. A personal identification number (PIN) and a password are both in the same authentication factor (something you know). This is one-factor authentication, not multifactor authentication.

Biometrics provide strong authentication, but they are susceptible to both false positives and false negatives. A false positive presents the highest risk. This occurs when an unauthorized individual is incorrectly identified as being authorized. The accuracy of a biometric system is identified by the crossover error rate (CER), which is calculated from Type 1 errors (false rejections) and Type 2 errors (false positives). A lower CER indicates a more accurate biometric system.
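A worked CER computation, added here as an example and not part of the book: given sampled false acceptance (Type 2) and false rejection (Type 1) rates at several sensitivity thresholds, it locates the threshold where the two curves cross and ranks systems by that rate. The two sample systems and their rates are constructed; the crossing is found by linear interpolation between the bracketing samples, which is an assumption about how the curves behave between measurements.

```python
# Constructed samples: (threshold, FAR, FRR). As the threshold tightens, FAR (Type 2,
# false accepts) falls and FRR (Type 1, false rejects) rises.
SYSTEM_A = [(1, 0.20, 0.00), (2, 0.10, 0.02), (3, 0.05, 0.05), (4, 0.01, 0.12)]
SYSTEM_B = [(1, 0.30, 0.00), (2, 0.20, 0.04), (3, 0.12, 0.08), (4, 0.06, 0.14)]


def crossover_error_rate(samples):
    """Return (threshold, cer) where FAR == FRR.

    samples must be sorted by threshold. If the crossing falls between two samples,
    it is located by linear interpolation on the difference FAR - FRR.
    """
    if not samples:
        raise ValueError("no samples")
    for (t0, far0, frr0), (t1, far1, frr1) in zip(samples, samples[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:
            return t0, far0                  # exact crossover at a sampled threshold
        if d0 * d1 < 0:                      # sign change: the curves cross in (t0, t1)
            frac = d0 / (d0 - d1)
            return t0 + frac * (t1 - t0), far0 + frac * (far1 - far0)
    t_last, far_last, frr_last = samples[-1]
    if far_last == frr_last:
        return t_last, far_last
    raise ValueError("FAR and FRR curves do not cross within the sampled thresholds")


def rank_by_accuracy(systems):
    """systems: {name: samples}. Names ordered from lowest (most accurate) CER upward."""
    return sorted(systems, key=lambda name: crossover_error_rate(systems[name])[1])


if __name__ == "__main__":
    for name, samples in {"A": SYSTEM_A, "B": SYSTEM_B}.items():
        threshold, cer = crossover_error_rate(samples)
        print(f"system {name}: CER {cer:.3f} at threshold {threshold:.2f}")
    print("most accurate first:", rank_by_accuracy({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Note that the CER is a comparison metric only; an operator who weighs the Type 2 risk more heavily, as the text recommends, would deploy at a threshold tighter than the crossover point and accept the higher rejection rate.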

A simple way to reduce the risk of Type 1 and Type 2 errors is to use two-factor authentication. For example, in addition to the biometric method, the user can also be required to use a password.

A similar concept is used with credit cards and online purchases. Instead of just requiring the user to provide the credit card number and expiration date, users are often required to provide the credit card verification code. This is a 3-digit or 4-digit number on the front or back of the card.

True or false? Between iris scanners and retinal scanners, iris scanners are the most accurate form of biometric authentication.

Answer: False. Retinal scans are the most accurate form of biometric authentication. Even identical twins will have identifiable differences.

Single sign-on (SSO) techniques are used in several different access control and identity management systems. These allow a user to log on once and access multiple resources without logging on again.

Internal networks can use a database such as Microsoft’s Active Directory to manage user identities and provide SSO. Regular users have a single account and can access any resources in the network as long as they have permissions.

Kerberos is commonly used as an authentication protocol in a centralized model. It requires a central database of accounts and synchronized time (ideally synchronized with an external time source). Kerberos uses time-stamped tickets to authenticate accounts when they try to access a resource. These tickets are encrypted with symmetric encryption. Early versions of Kerberos used Data Encryption Standard (DES), which is now considered cracked, and current versions use Advanced Encryption Standard (AES).

Remote access protocols provide authentication, authorization, and accounting (AAA) services. Some common AAA protocols include the following:

  • Terminal Access Controller Access-Control System (TACACS) One of the first AAA protocols used with remote access systems, TACACS has been replaced by RADIUS, TACACS+, or Diameter in most situations. TACACS uses UDP port 49 by default.
  • Remote Authentication Dial-in User Service (RADIUS) This is a widely used AAA protocol in remote access systems and by Internet service providers (ISPs). It is used with both dial-in and virtual private network (VPN) access. It uses UDP and encrypts the password but not the entire authentication session.
  • TACACS Plus (TACACS+) Cisco created this as a proprietary upgrade to TACACS. It separates each element of AAA into three separate processes. In comparison, RADIUS combines authentication and authorization. TACACS+ uses TCP port 49 instead of UDP, and it encrypts the entire authentication session instead of just the password.
  • Diameter This is an alternative or upgrade to RADIUS, and it has much more flexibility. It can be used with wireless devices, Voice over IP (VoIP), Mobile IP, and smartphones, but it is not backward-compatible with RADIUS. The name implies it is twice as good as RADIUS because the diameter of a circle is twice the length of the radius.

Decentralized/distributed access control techniques

Distributed computing environments (DCEs) use distributed SSO mechanisms to control access. Federated identity management systems are used to provide SSO to Internet users from different entities. In this context, a federation is a group of companies that decide they want to collaborate to share resources.

For example, imagine that employees in Company A are granted access to resources in Company B and Company C. Instead of requiring these users to have three separate passwords, they can log on once within Company A and then access resources in Company B and Company C without logging on again.

A significant challenge is sharing the authentication and authorization information between the companies. If everyone used the same technologies, it would be easier to share the data, but more often, the federation has a heterogeneous identity environment. Different companies use different identity management methods.

Standards based on Extensible Markup Language (XML) are often used to share federated identity information over the Internet. Some of the commonly used standards include the following:

  • Security Assertion Markup Language (SAML), which includes both authentication and authorization information
  • Service Provisioning Markup Language (SPML), which is used to share provisioning information between organizations in the federation
  • Extensible Access Control Markup Language (XACML), which provides a standard for evaluating authorization requests

True or false? SAML is used to provide SSO access when users are accessing sites with web browsers.

Answer: True. SAML is one of the schemas used with federated access, and it is often used to provide access via web browsers.

Authorization mechanisms

After subjects prove their identity, or authenticate, they are granted access to objects based on their proven identity. Most authorization systems start with an implicit deny philosophy. For example, a user is denied access to files and folders unless the user is specifically given permissions to access them.

A common type of access model is RBAC, in which users are placed into roles or groups and privileges are granted to the group. However, there are other authorization mechanisms that can be used either separately or in combination with an RBAC model.

A constrained user interface limits what the user can see or do based on the user’s privileges. For example, imagine an application that can be used by both administrators and regular users. When administrators use it, all the menu items are visible and the application has full functionality. When a regular user starts the application, the menu items are either hidden or dimmed so that they can’t be selected. When menu items are hidden, the users are unaware of the advanced capabilities.

Databases commonly use views as a constrained user interface to limit the available data. For example, an employee table might include names, addresses, phone numbers, and salary data. One view might include only names and phone numbers, and another view might include names and salary data. Users are granted access to the view that shows data that they’re authorized to view, but they are not granted access to the other view or the underlying table.

Temporal-based authorization controls limit access based on time. For example, a virtual private network (VPN) user might be authorized to connect any weekday between 7:00 A.M. and 7:00 P.M. If the user attempts to connect on a weekend, the connection is blocked.

Location-based authorization controls limit access to specific locations. For example, an employee might be authorized to work from home by using a dial-in connection. Caller ID or callback technologies can be used to ensure that the user is calling from home and that another user is not impersonating the user from another location.

An extension of this is location-based authorization controls using domains. For example, the United States government purchased antivirus (AV) software for all government employees that they can download for free. The AV vendors restrict access to the download websites to allow only traffic coming from .mil domain locations.

Access control lists (ACLs), capability tables, and access control matrices (ACM) are related. An ACL is directly associated with an object, a capability table is directly associated with a subject, and an ACM combines them both. For example, a folder named data (an object) includes an ACL that lists all users granted access to the folder and their specific levels of access, such as read or write. A capability table might be created for a user named Darril (the subject) and include a list of all folders that he can access. The ACM includes all objects and all subjects and can be quite large.
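The relationship among the three structures, shown as an added Python example (not code from the book): a sparse access control matrix holds every (subject, object) cell, an ACL is one column of it and a capability table is one row. It also folds in the book's two other points from this section, implicit deny and granting rights to roles rather than individuals. The subjects, roles and folder names are constructed, with the book's Darril and data folder reused.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Sparse access control matrix: rows are subjects (users or roles), columns are objects."""

    def __init__(self):
        self._rights = defaultdict(set)   # (subject, object) -> {"read", "write", ...}
        self._roles = defaultdict(set)    # user -> roles the user belongs to

    def grant(self, subject, obj, *rights):
        self._rights[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        cell = self._rights[(subject, obj)]
        cell.difference_update(rights)
        if not cell:                      # drop empty cells so the matrix stays sparse
            del self._rights[(subject, obj)]

    def add_member(self, user, role):
        self._roles[user].add(role)

    def acl(self, obj):
        """The column for one object: every subject holding rights on it (an ACL)."""
        return {s: set(r) for (s, o), r in self._rights.items() if o == obj}

    def capability_table(self, subject):
        """The row for one subject: every object it can reach (a capability table)."""
        return {o: set(r) for (s, o), r in self._rights.items() if s == subject}

    def is_allowed(self, user, obj, right):
        """Implicit deny: true only if the user, or a role the user is in, holds the right."""
        principals = {user} | self._roles.get(user, set())
        return any(right in self._rights.get((p, obj), set()) for p in principals)


if __name__ == "__main__":
    acm = AccessControlMatrix()
    acm.grant("Darril", "data", "read", "write")   # direct grant to a user
    acm.grant("Sales", "data", "read")             # grant to a role (RBAC)
    acm.grant("Darril", "reports", "read")
    acm.add_member("Alice", "Sales")
    print("ACL for data:", acm.acl("data"))
    print("capabilities of Darril:", acm.capability_table("Darril"))
    print("Alice read data:", acm.is_allowed("Alice", "data", "read"))   # via Sales role
    print("Alice write data:", acm.is_allowed("Alice", "data", "write"))
    print("Bob read data:", acm.is_allowed("Bob", "data", "read"))       # implicit deny
```

Revoking the role's right removes access for every member at once, which is the administrative simplification the book attributes to grouping subjects.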

True or false? The security kernel of an operating system controls access between subjects and objects.

Answer: True. A security kernel controls access. For example, the Windows kernel-mode security reference monitor in current Windows-based systems uses discretionary ACLs (DACLs) to determine access with the DAC model.

Logging and monitoring

Logs record activity as it occurs and record details such as who did it (which account), what happened, when it happened, and where it happened. You can use one or more audit logs to create an audit trail. An audit trail is a detective control and provides enough information so that you can identify the relevant events leading up to and during an incident.

Audit trails are required to ensure accountability and depend on effective identification and authorization techniques. If users can easily use another account, the audit trail cannot effectively identify who took an action.

Log management methods ensure that logs are maintained to provide a full audit trail, that the logs are protected from modification, and that they are regularly reviewed. Protecting logs from modification is especially important if they will be used as evidence in court. Access to the logs should be restricted to administrators and security personnel only.

Administrators also use logs to manage and maintain systems. They provide key information used during troubleshooting and recovery of systems after a failure. These logs are used to help prevent or minimize loss of availability.

True or false? Audit trails are a type of preventive control that record who took an action, what action the user took, and when the user took it.

Answer: False. Audit trails are a type of detective control. An audit trail logs events as they occur, including details on who, what, when, and where. After an incident has occurred, these logs can be examined to re-create the events.

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are also used for logging and monitoring. An IDS is a detective control that can detect attacks, and an IPS is a preventive control that can prevent attacks by detecting and blocking them before they reach an internal network. Both controls send alerts or some type of notification when they detect a potential attack.

However, each alert isn’t necessarily an attack. IDSs have adjustable thresholds, and an alert is created only when activity exceeds the threshold. If the threshold is too high, actual attacks can get through undetected. If the threshold is too low, the system generates too many false positives.

True or false? An IPS is placed in line with traffic.

Answer: True. All traffic goes through an IPS. The IPS detects and blocks malicious traffic but allows safe traffic through to the network.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

  1. An organization has created a high-level document designed to provide direction to employees about security within the organization. What is this?
  2. An audit trail is being used to identify events leading up to a security incident. What type of control is an audit trail in this situation?
  3. What is the difference between an ACL and an ACM?
  4. What is a measure of a secure biometric authentication system?
  5. What is the purpose of SAML?
  6. What type of authorization mechanism is a database view?
  7. An audit trail is used after an incident. What is required for this audit trail to support individual accountability?