What’s new in Access Control

ISC2 published the 3rd edition of their CISSP CBK in late 2012.  I ordered my copy in December 2012 and said, “So what’s new?”

First, let me say that all quoted material in this article is from the “Official (ISC)2 Guide to the CISSP® CBK Third Edition.”

I started going through the Access Control domain and these are some of the changes that I found:

–      For “Personnel Security, Evaluation, and Clearances” an additional source of information for staff verification has been added: “…An online search of publicly available information on social media sites…”

–      A whole section has been added for “Session Management”; it covers two major areas: 1) Desktop Sessions and 2) Logical Sessions.  The Desktop Sessions section has several sub-sections, including:

  • Screensavers
  • Timeouts and Automatic Logouts
  • Session/Logon Limitation
  • Schedule Limitations
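To make the four desktop-session controls concrete, here is an added example (my own code, not from the CBK or ISC2) that enforces a screensaver lock, an idle and an absolute timeout, a concurrent-logon limit, and a weekday/hours schedule. The policy values are assumptions chosen for illustration, and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# Assumed policy values for this example (not taken from the CBK text).
SCREENSAVER_LOCK = timedelta(minutes=5)        # lock the desktop after this much idle time
IDLE_TIMEOUT = timedelta(minutes=15)           # automatic logout after this much idle time
ABSOLUTE_TIMEOUT = timedelta(hours=8)          # hard cap on session lifetime
MAX_CONCURRENT_SESSIONS = 2                    # session/logon limitation per user
ALLOWED_HOURS = (time(7, 0), time(19, 0))      # schedule limitation: 07:00-19:00 ...
ALLOWED_WEEKDAYS = {0, 1, 2, 3, 4}             # ... Monday to Friday


@dataclass(eq=False)   # identity comparison, so two sessions never compare equal
class Session:
    user: str
    created: datetime
    last_activity: datetime


class SessionManager:
    def __init__(self):
        self.sessions: dict[str, list[Session]] = {}

    def schedule_allows(self, when: datetime) -> bool:
        start, end = ALLOWED_HOURS
        return when.weekday() in ALLOWED_WEEKDAYS and start <= when.time() < end

    def login(self, user: str, now: datetime):
        """Return (session, reason); session is None when the logon is refused."""
        if not self.schedule_allows(now):
            return None, "outside permitted schedule"
        self.expire_stale(now)
        active = self.sessions.setdefault(user, [])
        if len(active) >= MAX_CONCURRENT_SESSIONS:
            return None, "concurrent session limit reached"
        session = Session(user, now, now)
        active.append(session)
        return session, "ok"

    def is_locked(self, session: Session, now: datetime) -> bool:
        """Screensaver state: idle past SCREENSAVER_LOCK but not yet logged out."""
        idle = now - session.last_activity
        return SCREENSAVER_LOCK <= idle < IDLE_TIMEOUT

    def touch(self, session: Session, now: datetime) -> bool:
        """Record user activity. Returns False if the session has already expired."""
        self.expire_stale(now)
        if session not in self.sessions.get(session.user, []):
            return False
        session.last_activity = now
        return True

    def expire_stale(self, now: datetime) -> list[tuple[str, str]]:
        """Log out sessions past the idle or absolute timeout; return what was ended."""
        ended = []
        for user in list(self.sessions):
            keep = []
            for s in self.sessions[user]:
                if now - s.created >= ABSOLUTE_TIMEOUT:
                    ended.append((user, "absolute timeout"))
                elif now - s.last_activity >= IDLE_TIMEOUT:
                    ended.append((user, "idle timeout"))
                else:
                    keep.append(s)
            self.sessions[user] = keep
        return ended


def demo():
    """Walk through the controls with constructed timestamps (2013-01-07 is a Monday)."""
    mgr = SessionManager()
    t0 = datetime(2013, 1, 7, 9, 0)
    s1, r1 = mgr.login("alice", t0)
    s2, r2 = mgr.login("alice", t0 + timedelta(minutes=1))
    _, r3 = mgr.login("alice", t0 + timedelta(minutes=2))     # third logon: refused
    _, r4 = mgr.login("bob", datetime(2013, 1, 6, 9, 0))       # Sunday: refused
    locked = mgr.is_locked(s1, t0 + timedelta(minutes=6))      # idle 6 min: locked
    mgr.touch(s2, t0 + timedelta(minutes=10))                  # keeps s2 alive
    ended = mgr.expire_stale(t0 + timedelta(minutes=20))       # s1 idle 20 min: out
    return r1, r2, r3, r4, locked, ended, len(mgr.sessions["alice"])


if __name__ == "__main__":
    print(demo())
```

The point the CBK makes is that these controls layer: the screensaver lock buys time before the idle logout, the absolute timeout bounds how long a hijacked or forgotten session remains usable, and the logon and schedule limits shrink the window in which stolen credentials are useful at all.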

An interesting key point to remember about Kerberos has also been added.  It reads, “..Kerberos processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) Daemons to ensure times are synchronized.  Failure to maintain a synchronized time infrastructure will lead to authentication failures.  This can be an attractive vector for a DOS attack..”
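As an added example (my own code, not from the CBK), the following shows the defender's side of that point: the timestamp tolerance an application server applies to a Kerberos authenticator, a check of NTP-reported clock offsets against that tolerance, and a bucketing of KRB_AP_ERR_SKEW failures so that a burst across many hosts stands out as a time-infrastructure problem rather than one drifting clock. The five-minute tolerance is the MIT Kerberos default (clockskew); the host offsets and the log line format are constructed for this example.

```python
from datetime import datetime, timedelta

# MIT Kerberos' default clockskew is 300 seconds; anything further apart is rejected.
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)


def authenticator_acceptable(client_time: datetime, server_time: datetime,
                             tolerance: timedelta = CLOCK_SKEW_TOLERANCE) -> bool:
    """The timestamp check a server applies to an AP-REQ authenticator: the client's
    clock must be within `tolerance` of ours, otherwise it answers KRB_AP_ERR_SKEW."""
    return abs(client_time - server_time) <= tolerance


# Constructed sample: per-host clock offset in seconds, as an NTP monitor might report.
SAMPLE_OFFSETS = {
    "web01": 0.4,
    "web02": -1.2,
    "db01": 412.0,     # almost 7 minutes fast: every Kerberos exchange will fail
    "app03": -301.5,   # just over the limit in the other direction
    "kdc01": 0.1,
}


def hosts_out_of_tolerance(offsets: dict, tolerance: timedelta = CLOCK_SKEW_TOLERANCE):
    """Hosts whose clock is far enough off that their Kerberos authentication breaks."""
    limit = tolerance.total_seconds()
    return sorted(host for host, off in offsets.items() if abs(off) > limit)


# Constructed sample log lines; the 'key=value' format is assumed for this example.
SAMPLE_LOG = """\
2013-01-07T09:00:01 host=web01 result=OK
2013-01-07T09:00:03 host=db01 result=KRB_AP_ERR_SKEW
2013-01-07T09:00:04 host=db01 result=KRB_AP_ERR_SKEW
2013-01-07T09:00:07 host=app03 result=KRB_AP_ERR_SKEW
2013-01-07T09:00:09 host=db01 result=KRB_AP_ERR_SKEW
2013-01-07T09:05:30 host=web02 result=OK
2013-01-07T09:05:41 host=db01 result=KRB_AP_ERR_SKEW
"""


def skew_failures_by_minute(log_text: str) -> dict:
    """Group KRB_AP_ERR_SKEW events per minute: returns {minute: (count, hosts)}."""
    buckets: dict[str, list] = {}
    for line in log_text.splitlines():
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        if kv.get("result") != "KRB_AP_ERR_SKEW":
            continue
        minute = timestamp[:16]                  # "YYYY-MM-DDTHH:MM"
        buckets.setdefault(minute, []).append(kv["host"])
    return {m: (len(hosts), sorted(set(hosts))) for m, hosts in buckets.items()}


def suspicious_minutes(buckets: dict, min_hosts: int = 2) -> list:
    """Minutes in which skew failures hit several hosts at once: the time source,
    not an individual machine, is the first thing to check."""
    return sorted(m for m, (_, hosts) in buckets.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    print(hosts_out_of_tolerance(SAMPLE_OFFSETS))
    print(suspicious_minutes(skew_failures_by_minute(SAMPLE_LOG)))
```

A practical corollary of the CBK's note: alert on clock offset before it reaches the Kerberos limit, and protect the NTP servers themselves as part of the authentication infrastructure, since whoever can disturb them can deny authentication to everything downstream.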

There’s a new section on Security Information and Event Management.  It goes into some detail on log management and on something I’ve been saying for several years: “near real time” management of security information.

Spyware has been expanded to identify and discuss “Malvertisements” and “Malnets.”

Threat Modeling has gotten its own section, including some specific steps for organizations to take as an approach.  Those steps include:

–      Define the Scope and Objectives

–      Understanding or Modeling the System

–      Development of Threats

–      Development of Vulnerabilities

–      Determining Impacts and Risk

–      Develop a Mitigation Plan

We used to see this strategy as part of Business Impact Analysis and Risk Assessment, but it has been moved to Access Control.  That is also true for “Asset Valuation,” which has been moved to Access Control and includes:

–      Hardware

–      Software

–      Integration

–      Opportunity Costs

–      Regulatory Exposure

–      Information Replacement

–      Reputational Exposure

Also included in this section are the calculations for SLE and ALE, which we used to find in the Risk domain.
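The six threat modeling steps listed above, the seven asset valuation components, and the SLE/ALE calculations fit together into one worked example. The code below is added here and is not from the CBK; the formulas are the standard ones from the CISSP curriculum (SLE = asset value × exposure factor; ALE = SLE × annualized rate of occurrence; a safeguard is worth buying when ALE before minus ALE after exceeds its annual cost), which the page names but does not reproduce. The asset, threats, figures and safeguards are constructed.

```python
from dataclasses import dataclass

# Standard CISSP risk formulas (figures below are constructed for this example):
#   SLE = asset value (AV) x exposure factor (EF)
#   ALE = SLE x annualized rate of occurrence (ARO)
#   safeguard net benefit = ALE before - ALE after - annual cost of the safeguard


@dataclass
class Asset:
    """Steps 1 and 2 (scope, model the system): an in-scope asset valued with the
    CBK's seven components, in constructed USD figures."""
    name: str
    hardware: float = 0.0
    software: float = 0.0
    integration: float = 0.0
    opportunity_costs: float = 0.0
    regulatory_exposure: float = 0.0
    information_replacement: float = 0.0
    reputational_exposure: float = 0.0

    @property
    def value(self) -> float:
        return (self.hardware + self.software + self.integration
                + self.opportunity_costs + self.regulatory_exposure
                + self.information_replacement + self.reputational_exposure)


@dataclass
class Threat:
    """Steps 3 and 4 (develop threats, develop vulnerabilities): EF is the fraction of
    asset value lost per occurrence, ARO the expected occurrences per year."""
    name: str
    asset: Asset
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass
class Safeguard:
    """Step 6 input: a candidate control, its annual cost, and the EF/ARO it leaves."""
    name: str
    threat: Threat
    annual_cost: float
    residual_ef: float
    residual_aro: float

    def residual_ale(self) -> float:
        return self.threat.asset.value * self.residual_ef * self.residual_aro

    def net_benefit(self) -> float:
        return self.threat.ale() - self.residual_ale() - self.annual_cost


def rank_by_risk(threats):
    """Step 5 (determine impacts and risk): threats ordered by ALE, highest first."""
    return [(t.name, round(t.ale(), 2)) for t in sorted(threats, key=lambda t: -t.ale())]


def mitigation_plan(safeguards):
    """Step 6 (develop a mitigation plan): keep safeguards that cost less than the
    annual loss they prevent; the rest are candidates for accepting or transferring."""
    return [(s.name, round(s.net_benefit(), 2)) for s in safeguards if s.net_benefit() > 0]


# Constructed sample data
CUSTOMER_DB = Asset("customer database", hardware=20_000, software=15_000,
                    integration=25_000, opportunity_costs=40_000,
                    regulatory_exposure=100_000, information_replacement=30_000,
                    reputational_exposure=70_000)            # value = 300,000

THREATS = [
    Threat("disk failure, no recent backup", CUSTOMER_DB, exposure_factor=0.10, aro=0.5),
    Threat("breach via stolen credentials", CUSTOMER_DB, exposure_factor=0.50, aro=0.2),
]

SAFEGUARDS = [
    Safeguard("multi-factor authentication", THREATS[1], annual_cost=8_000,
              residual_ef=0.50, residual_aro=0.05),          # net benefit 14,500
    Safeguard("hot standby replica", THREATS[0], annual_cost=20_000,
              residual_ef=0.02, residual_aro=0.5),           # net benefit -8,000
]

if __name__ == "__main__":
    print(rank_by_risk(THREATS))
    print(mitigation_plan(SAFEGUARDS))
```

Note that the regulatory and reputational exposure components dominate the asset value in this sample, which is exactly why the CBK lists them alongside the hardware and software figures: a valuation that stops at replacement cost understates the SLE and so under-funds the mitigation plan.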

The last two major areas that received additional coverage are “Access Review and Audit” and “Identity and Access Provisioning Lifecycle.”

Of course, along with any change you get re-sequencing, font size changes, bolded emphasis, and the occasional colorful metaphor.  All in all, I’m pleased with the revisions to this domain and I look forward to the other nine.

InfoSec Institute is in the process of updating their CISSP curriculum and where appropriate will include coverage of any new material which is included in the new CISSP CBK.