CISSP 2015 Update: Identity and Access Management

March 25, 2015 by Kurt Ellzey

The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.

We will be diving into each domain over the course of the coming weeks, to see what you need to know if you have just started studying for the CISSP. Right off the bat we can say that, with very few exceptions, the old domains are gone. That’s not to say the information isn’t there anymore; it’s just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. With the new update, it zeroes in on that concept, making it easier to look at things from particular scenarios with a bird’s-eye view.

With that in mind, let’s take a look at our fifth domain: Identity and Access Management.


There are three basic categories of controls that govern what users can do with their access: Preventive, Detective and Corrective. Preventive controls block users from performing certain actions, and are implemented through methods such as DRM. Detective controls pick up on actions going on either on individual systems or across the network and act accordingly; an example of this type of control would be a Network Intrusion Detection System. Corrective controls are the fail-safe software, such as your automatic backups, that help restore order when things go wrong.

Access Control Techniques

There are a number of different types of access control, and each of them uses a slightly different style of controlling the way that users gain access to data.

Discretionary Access Control – where users (typically the owner of a resource) can grant each other permission directly, such as in an ad-hoc network.

Mandatory Access Control – where every user is granted permissions specifically from a central source.

Role Based Access Control – where users are given roles and assigned to groups, then granted permissions according to their job functions.
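To make the three models concrete, here is an added example (not from the original article) that implements a minimal decision function for each one in Python. The class names `Dac`, `Mac` and `Rbac`, the sample users, objects and labels are all constructed for illustration; the MAC class uses the Bell-LaPadula "no read up / no write down" rules as its central policy.

```python
"""Three access-control models side by side: DAC, MAC and RBAC.

Added example, not from the original article. Class names and the
sample users/objects below are constructed for illustration.
"""


class Dac:
    """Discretionary: the owner of an object grants rights to other users."""

    def __init__(self):
        self.acl = {}  # object -> {user: set(rights)}

    def create(self, owner, obj):
        # The creator owns the object and may delegate rights on it.
        self.acl[obj] = {owner: {"read", "write", "grant"}}

    def grant(self, granter, obj, user, right):
        # Only someone holding 'grant' on the object may delegate rights.
        if "grant" not in self.acl.get(obj, {}).get(granter, set()):
            raise PermissionError(f"{granter} cannot grant on {obj}")
        self.acl[obj].setdefault(user, set()).add(right)

    def allowed(self, user, obj, right):
        return right in self.acl.get(obj, {}).get(user, set())


# Constructed sensitivity ladder used by the MAC model below.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class Mac:
    """Mandatory: labels are set centrally and users cannot change them.
    Decisions follow Bell-LaPadula: no read up, no write down."""

    def __init__(self):
        self.clearance = {}  # user -> level name
        self.label = {}      # object -> level name

    def allowed(self, user, obj, right):
        u = LEVELS[self.clearance[user]]
        o = LEVELS[self.label[obj]]
        if right == "read":
            return u >= o   # subject may read at or below its clearance
        if right == "write":
            return u <= o   # subject may write at or above its clearance
        return False


class Rbac:
    """Role-based: permissions attach to roles; users are assigned roles."""

    def __init__(self):
        self.role_perms = {}  # role -> set((obj, right))
        self.user_roles = {}  # user -> set(role)

    def allowed(self, user, obj, right):
        return any((obj, right) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo():
    """Build one small scenario per model and return the access decisions."""
    dac = Dac()
    dac.create("alice", "notes.txt")
    dac.grant("alice", "notes.txt", "bob", "read")
    dac_results = (dac.allowed("bob", "notes.txt", "read"),
                   dac.allowed("bob", "notes.txt", "write"))

    mac = Mac()
    mac.clearance.update({"carol": "secret", "dave": "internal"})
    mac.label.update({"plan.doc": "confidential"})
    mac_results = (mac.allowed("carol", "plan.doc", "read"),   # read down: ok
                   mac.allowed("dave", "plan.doc", "read"),    # read up: denied
                   mac.allowed("dave", "plan.doc", "write"))   # write up: ok

    rbac = Rbac()
    rbac.role_perms["accountant"] = {("ledger", "read"), ("ledger", "write")}
    rbac.role_perms["auditor"] = {("ledger", "read")}
    rbac.user_roles["erin"] = {"auditor"}
    rbac_results = (rbac.allowed("erin", "ledger", "read"),
                    rbac.allowed("erin", "ledger", "write"))
    return dac_results, mac_results, rbac_results


if __name__ == "__main__":
    print(demo())
```

The point of putting the three side by side is where the decision lives: in DAC it is the owner's ACL entry, in MAC it is a comparison of centrally assigned labels, and in RBAC it is the role table, so changing a user's access means touching a different thing in each model.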

Vulnerability analysis

Access control only works when users can’t simply get around it, or, more precisely, when it is easier to use the authorized method than the unauthorized one. In order to keep this balance in place, it is necessary to perform a vulnerability analysis to check where the weak spots in your authentication approach are. Do you regularly grant users more permissions than they need to complete their task? Is there a known exploit in the version of Kerberos that your operating system uses? Can users just boot up a live Linux distro and bypass the authentication entirely?

Threat Modeling

When performing the vulnerability analysis, it will be necessary to take a look at what you are currently using to authenticate, and see what potential attack vectors can come. This means knowing your environment and knowing what is out there, so you can correctly profile what you are likely to come across. For example, if there is a known issue in the neighborhood where false delivery people come in and steal from nearby organizations, you would want to increase your user training on unauthorized visitors. Likewise, if there is a common attack against your business type right now, it would be good to increase security against that type of situation.

Provisioning Lifecycle

Users, servers and software come and go. When this happens, you need to understand how to grant and remove permissions as needed. For instance, when software that connects out to a third-party server is no longer needed, the software needs to be uninstalled and its associated service account disabled so that vector is no longer available to exploit. On the other hand, when a new user comes along, there needs to be a specific process to request only the permissions they need, and to have that list verified before access is granted.

Access Aggregation

Users gain new permissions, whether it’s on a per-project basis, moving from department to department, or through a promotion. While not a bad thing in principle, this could potentially grant them more access than is intended. In this type of situation, looking at the big picture is important. While being granted small permissions in each group they are a member of doesn’t seem like a big thing, those permissions can add up very quickly.
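The provisioning lifecycle and access aggregation sections above describe the same control from two ends: grant only what the job needs, and periodically compare what a user actually holds against that baseline. The following added example (not from the original article) does that comparison in Python. The group names, the per-role baselines and the user record for "frank" are all constructed for illustration; in a real directory the group-to-permission mapping would come from the identity system rather than a dictionary.

```python
"""Effective-permission review: spot access aggregation and stale entitlements.

Added example, not from the original article. All group, permission and
user data below is constructed for illustration.
"""

# Constructed directory data: the permissions each group carries.
GROUP_PERMS = {
    "sales-staff":    {"crm:read", "crm:write"},
    "sales-reports":  {"reports:sales"},
    "finance-staff":  {"ledger:read", "ledger:write"},
    "project-apollo": {"apollo:share:rw"},
    "all-employees":  {"mail", "intranet:read"},
}

# Constructed baseline: what each job function is approved to hold.
ROLE_BASELINE = {
    "sales":   {"crm:read", "crm:write", "reports:sales", "mail", "intranet:read"},
    "finance": {"ledger:read", "ledger:write", "mail", "intranet:read"},
}


def effective_perms(groups):
    """Union of every permission reachable through the user's group memberships."""
    perms = set()
    for g in groups:
        perms |= GROUP_PERMS.get(g, set())
    return perms


def review(user):
    """Return (excess, missing): what the user holds beyond the baseline for
    their role, and what the baseline grants that they lack."""
    have = effective_perms(user["groups"])
    want = ROLE_BASELINE[user["role"]]
    return sorted(have - want), sorted(want - have)


def mover(user, new_role, new_groups):
    """Department change: replace the group set rather than adding to it.
    Keeping the old groups is how aggregation happens in the first place."""
    return {**user, "role": new_role, "groups": set(new_groups)}


def leaver(user):
    """Off-boarding: disable the account and strip every group membership."""
    return {**user, "enabled": False, "groups": set()}


# Constructed record: Frank moved from Sales to Finance but kept his old
# groups, plus a project group from long ago.
FRANK = {
    "name": "frank",
    "role": "finance",
    "enabled": True,
    "groups": {"all-employees", "sales-staff", "sales-reports",
               "finance-staff", "project-apollo"},
}

if __name__ == "__main__":
    excess, missing = review(FRANK)
    print("excess:", excess)     # permissions aggregation granted beyond the baseline
    print("missing:", missing)
    clean = mover(FRANK, "finance", {"all-employees", "finance-staff"})
    print("after mover:", review(clean))
    print("after leaver:", review(leaver(clean)))
```

Running `review` on a schedule (or on every role change) is what turns the "look at the big picture" advice into a repeatable check: each individual group looks harmless, but the `excess` list shows the combined effect.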

Device and Facility Security

A typical user’s home is not left unlocked when they are not there to protect it, likewise with a running vehicle or other important objects. With this in mind, it is vital to make them understand that leaving a computer logged in, unlocked and unattended is dangerous in the same way that leaving the front door of the office with no one paying attention is dangerous. Anyone could come by and do all sorts of ‘very bad things’, and the user would be the one liable.

Multi-Factor Authentication

A username and password are easily compromised in most situations – looking over a person’s shoulder as they type it in, installing a keylogger, etc. However, adding another step to that authentication adds quite a bit to its security. Multi-factor authentication uses two or more methods to verify that the user is who they say they are, based around three ideas: something the user knows, something the user has, and something that the user is. Something that the user knows would be a login and password. Something that the user has would be something like an RSA authenticator – a device that creates a one-time password. Something that the user is would be a biometric – a thumb reader or an iris scanner.



Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled “Security 3.0” which is currently available on Amazon and other retailers.
