
CISSP Cram Sheet:

Compiled by: Jason Robinett, Ascend Solutions


Last Updated 4/10/02
NOTE:
This guide does not replace in any way the outstanding value of the ISC2 CISSP CBK
Seminar, nor the fact that you must have been directly involved in the security field
or one of the 10 domains of expertise for at least 3 years if you intend to take the
CISSP exam. This booklet simply intends to make your life easier and to provide you
with a centralized and compiled list of resources for this particular domain of
expertise. Instead of a list of headings, we will attempt to give you the headings
along with the information to supplement the headings.
As with any security-related topic, this is a living document that will and must evolve
as other people read it and technology evolves. Please feel free to send comments
and input to be added to this document. Any comments, typo corrections, etc. are
most welcome and can be sent directly to jasonr@ascendsolutions.com. Thanks.

Domain 1: Access Control Systems & Methodology


Domain Definition:
Access control is the collection of mechanisms that permits managers of a system to
exercise a directing or restraining influence over the behavior, use, and content of a
system. It permits management to specify what users can do, which resources they
can access, and what operations they can perform on a system.
CISSP students should fully understand access control concepts, methodologies,
and implementation within centralized and decentralized environments across the
entire Enterprise. Access control techniques, detection and corrective measures
should be studied to understand the potential risks, vulnerabilities, and exposures.
Accountability - The means of linking individuals to their interactions with an IT
product, thereby supporting identification of and recovery from unexpected or
unavoidable failures of the control objectives.

Access Control Categories:
Each category of control should be given equal weight, or else an imbalance
will be created.
    Physical Access Control
    Administrative Access Control
    Logical Access Control
    Data Access Control

Types of Access Controls:
    Preventative (in order to avoid occurrence)
    Detective (in order to detect or identify occurrence)
    Deterrent/Preventative (in order to discourage occurrences)
    Corrective (in order to correct or restore controls)
    Recovery (in order to restore resources, capabilities, or losses)

Examples:
    Physical Preventive Controls include: Backups, Fences, Security
    Guards, Locks and keys, Badge Systems.
    Administrative Preventive Controls include: Security awareness
    training, separation of duties, hiring procedures, security policies
    and procedures, and disaster recovery.
    Technical Preventive Controls include: Access Control software,
    Antivirus software, Library control systems, IDS, Smart cards, and
    Callback systems.
    Physical Detective Controls include: Motion detectors, smoke
    alarms, closed circuit TV, and alarms.
    Administrative Detective Controls include: Security reviews and
    audits, rotation of duties, required vacations, and performance
    evaluations.
    Technical Detective Controls include: Audit trails and Intrusion
    detection expert systems.

Access Control Techniques:
Mandatory Access Control - Defines an imposed access control level. In
this type of control system, decisions are based on the privilege (clearance) of
the subject (user) and the sensitivity (classification) of the object (file) through
the use of labeling. For example, the military classifies a document as secret. A user
can be granted the secret privilege and have access to objects with this
classification or lower as long as they have a need to know.
Rule-based Access Control - A type of MAC, because access is
determined by rules (use of classification labels) and not by the identity of
the subjects and objects alone. Usually based on a specific profile for each
user, allowing information to be easily changed for only one user.
Discretionary Access Control - Access controls that are not policy based. In
this method, the subject has authority, within certain limitations, to specify
which objects can be accessed, often through the use of ACLs.
Non-Discretionary Access Controls - A central authority determines what
subjects can have access to certain objects based on the organizational
security policy. These controls may be based on the individual's role (role-based)
or the subject's responsibilities (task-based). Often useful in
organizations where there are frequent personnel changes.
Lattice Based Access Control - Pairs of elements that have a least
upper bound of values and a greatest lower bound of values. To apply this
concept to access controls, the pair of elements is the subject and the
object, and the subject has the greatest lower bound and the least upper
bound of access rights to an object. This allows one to combine objects
from different security classes and determine the appropriate
classification for the result by showing that any combination of security
objects must maintain the lattice rule between objects.
Example: A <= A; if A <= B and B <= C, then A <= C.
Role-Based Access Control - Access decisions are based on the roles that
individual users have as part of an organization. Access rights are grouped by
role name, and the use of resources is restricted to individuals authorized to
assume the associated role. Allows security to be managed at a level that
corresponds closely to the organization's structure. Users with similar jobs are
pooled into logical groups for the purposes of controlling access, and access is
provided according to business requirements.
Access Control Lists - A method of coordinating access to resources based
on the listing of permitted (or denied) users, network addresses or groups for
each resource.

Access Control Administration:
Account Administration - Accounts should be monitored regularly. It is also
advisable to have procedures in place to verify password strength.
Account, Log, and Journal Monitoring - Log files are usually a good way to
find an indication of abnormal activities.
Logging - Logging should be done 24/7 on all necessary systems. In order
to provide dependable and secure logging, make sure that:
    all computers have their clocks synchronized
    logs are encrypted when traveling on the network, if possible
    logs are stored on a protected machine
    logs are not modified without a record of the modification
Storage - All logs should be kept in an archive for a period of time
determined by company policy and must be secured in storage.
Access Rights and Permissions
    Establishment (Authorization) - Determines whether a particular
    principal, who has been authenticated as the source of a request to do
    something, is trusted for that operation. Authorization may also include
    controls on the time at which this action can take place or which IP
    address may request it.
    File and Data Owners, Custodians, and Users - All information
    generated or used must have a designated owner. The owner must
    determine the appropriate classification and access controls. The
    owner is also responsible for ensuring appropriate controls for the
    storage, handling and distribution of the data. Custodians are charged
    by the owners with the everyday care of the data (backups, etc.). Users
    are the subjects who require the data to perform their jobs.
    Principle of Least Privilege - Requires that a user be given no more
    privilege than necessary to perform a job. Ensuring least privilege
    requires identifying what the user's job is, determining the minimum
    set of privileges required to perform that job, and restricting the user
    to a domain with those privileges and nothing more.
    Segregation of Duties and Responsibilities - Requires that for
    particular sets of transactions, no single individual be allowed to
    execute all transactions within the set. Can be either static or dynamic.
Access Control Models:
Bell-LaPadula (BLP) - The BLP model is built on the state machine concept and
focuses on Confidentiality. This concept defines a set of allowable states in a
system. The transition from one state to another upon receipt of an input is
defined by transition functions. The objective of this model is to ensure that the
initial state is secure and that the transitions always result in a secure state.
BLP defines a secure state through 3 multilevel properties:
    Simple Security Property (SS) - States that reading of information
    by a subject at a lower level from an object at a higher level is not
    permitted (no read up).
    * Security Property (Star) - States that writing of information by a
    subject at a higher level to an object at a lower level is not permitted
    (no write down).
    Discretionary Security Property (DS) - Uses an access matrix to
    specify discretionary access controls.
The model prevents users and processes from reading above their security
level. In addition, it prevents processes with any given classification from
writing data associated with a lower classification. The no-write-down rule
prevents placing data that is not sensitive in itself, but is contained in a sensitive
document, into less sensitive files.

Biba - The Biba model is lattice-based and uses the less-than-or-equal-to
relation. Focuses on Integrity. Biba specifies the three following integrity
axioms:
    Simple Integrity Axiom - States that a subject at one level of
    integrity is not permitted to observe (read) an object of a lower
    integrity (no read down).
    * Integrity Axiom (Star) - States that a subject at one level of
    integrity is not permitted to modify (write to) an object of a higher level
    of integrity (no write up). For example, if a process can write above its
    integrity level, trustworthy data could be contaminated by the addition
    of less trustworthy data.
    A subject at one level of integrity cannot invoke a subject at a higher
    level of integrity.
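The lattice entry above (least upper bound, greatest lower bound, and the A <= A / transitivity rule) and the BLP and Biba properties can be checked mechanically. The following is an added example, not part of the cram sheet: labels are (level, categories) pairs with a dominance relation, and the four BLP/Biba rules are expressed as comparisons on that lattice. Level numbers are an assumption.

```python
# Added example (not from the cram sheet): a security lattice of
# (level, categories) with the dominance relation from the "Lattice Based
# Access Control" entry, and the BLP and Biba rules evaluated over it.
# Level numbers are an assumption (e.g. 0=Unclassified ... 3=Top Secret).

class Label:
    """One lattice element: a hierarchical level plus need-to-know categories."""
    def __init__(self, level, categories=()):
        self.level = level                    # higher number = more sensitive
        self.cats = frozenset(categories)     # compartments such as {"NATO"}

    def __eq__(self, other):
        return (self.level, self.cats) == (other.level, other.cats)

    def dominates(self, other):
        """A >= B: level at least B's AND a superset of B's categories."""
        return self.level >= other.level and self.cats >= other.cats

    def lub(self, other):
        """Least upper bound: the lowest label that dominates both inputs."""
        return Label(max(self.level, other.level), self.cats | other.cats)

    def glb(self, other):
        """Greatest lower bound: the highest label both inputs dominate."""
        return Label(min(self.level, other.level), self.cats & other.cats)


def is_partial_order(labels):
    """The lattice rule from the sheet, A <= A and A <= B, B <= C => A <= C
    (plus antisymmetry), checked exhaustively over a finite set of labels."""
    for a in labels:
        if not a.dominates(a):
            return False
        for b in labels:
            if a.dominates(b) and b.dominates(a) and a != b:
                return False
            for c in labels:
                if a.dominates(b) and b.dominates(c) and not a.dominates(c):
                    return False
    return True


# Bell-LaPadula (confidentiality): labels are clearances and classifications.
def blp_read_ok(subject, obj):
    """Simple security property, no read up: subject must dominate object."""
    return subject.dominates(obj)

def blp_write_ok(subject, obj):
    """*-property, no write down: object must dominate subject."""
    return obj.dominates(subject)

# Biba (integrity): the same lattice with the levels read as integrity levels.
def biba_read_ok(subject, obj):
    """Simple integrity axiom, no read down: object must dominate subject."""
    return obj.dominates(subject)

def biba_write_ok(subject, obj):
    """Integrity *-axiom, no write up: subject must dominate object."""
    return subject.dominates(obj)
```

Two labels that neither dominate each other (different categories) are incomparable, so BLP permits neither read nor write between them; the lub is then the label a combined document must carry.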

Clark-Wilson - This model has an emphasis on integrity, both internal and
external consistency. Clark-Wilson uses well-formed transactions, separation of
duties, and the labeling of subjects and objects with programs to maintain
integrity. BLP is oriented more toward a general-purpose operating system, while
Clark-Wilson is oriented toward an application-level IT system. Security properties
are partly defined through five certification rules, suggesting the checks that should
be conducted so that the security policy is consistent with the application requirements.
    CDI (Constrained Data Item) - A data item whose integrity must be
    preserved.
    IVPs (Initial Verification Procedures) - Confirm that all CDIs are in
    a valid integrity state when the IVP is run.
    TP (Transformation Procedure) - Manipulates the CDIs through a
    well-formed transaction, which transforms a CDI from one valid
    integrity state to another.
    UDI (Unconstrained Data Item) - Data items outside of the control
    area, such as input information.
Any TP that takes a UDI as input must either convert the UDI into a
CDI or reject the UDI and perform no transformation at all.
The model consists of subject/program/object triples and rules about data,
application programs, and triples.
The model incorporates mechanisms to enforce internal and external
consistency, a separation of duty, and a mandatory integrity policy.
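As an added illustration (not from the cram sheet), the Clark-Wilson pieces above mapped onto a small ledger: balances are the CDIs, the IVP checks that value is conserved and nothing is negative, the transfer TP is the only code that changes a CDI, every UDI is converted or rejected, and (user, TP, CDI) triples gate who may run it. The account names, the invariant and the rule set are assumptions for the example.

```python
# Added example (not from the cram sheet): a minimal Clark-Wilson style
# ledger. Balances are the CDIs, ivp() is the integrity verification
# check, transfer() is the only TP that touches them, and (user, TP, CDI)
# triples decide who may run it. Names and the rules are assumptions.

class IntegrityViolation(Exception):
    """Raised when a TP is refused; CDIs are left untouched."""


class Ledger:
    def __init__(self, balances):
        self.cdi = dict(balances)              # constrained data items
        self.total = sum(self.cdi.values())    # external reference for consistency
        self.triples = set()                   # certified (user, tp, cdi) relation
        self.log = []                          # audit trail of well-formed transactions

    def ivp(self):
        """All CDIs valid: no negative balance and total value is conserved."""
        return all(v >= 0 for v in self.cdi.values()) and \
            sum(self.cdi.values()) == self.total

    def certify(self, user, tp, *cdis):
        """Enforcement rule: record that `user` may run `tp` on these CDIs."""
        for c in cdis:
            self.triples.add((user, tp, c))

    def _constrain(self, udi):
        """Turn an unconstrained request into validated values, or reject it."""
        try:
            src, dst, amount = udi["src"], udi["dst"], int(udi["amount"])
        except (KeyError, TypeError, ValueError):
            raise IntegrityViolation("malformed request")
        if src not in self.cdi or dst not in self.cdi or src == dst:
            raise IntegrityViolation("unknown or identical accounts")
        if amount <= 0:
            raise IntegrityViolation("amount must be positive")
        return src, dst, amount

    def transfer(self, user, udi):
        """TP: move value between two CDIs as one well-formed transaction."""
        src, dst, amount = self._constrain(udi)      # UDI -> CDI or reject
        if not all((user, "transfer", c) in self.triples for c in (src, dst)):
            raise IntegrityViolation(f"{user} is not certified for this transfer")
        if self.cdi[src] < amount:
            raise IntegrityViolation("insufficient funds")
        self.cdi[src] -= amount
        self.cdi[dst] += amount
        self.log.append((user, "transfer", src, dst, amount))
        if not self.ivp():                           # TP must preserve validity
            raise RuntimeError("TP left CDIs in an invalid state")
        return self.cdi[src], self.cdi[dst]


def rejected(ledger, user, udi):
    """True if the TP refused the request and left every CDI unchanged."""
    before = dict(ledger.cdi)
    try:
        ledger.transfer(user, udi)
        return False
    except IntegrityViolation:
        return ledger.cdi == before
```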

Non-Interference Model - This model is related to the information flow
model, with restrictions on the information flow. The basic principle of this
model is that a group of users (A), who are using the commands (C), do not
interfere with the user group (B), who are using the commands (D).

State Machine Model - This model captures the state of a system. A state
can change only at discrete points in time, i.e., triggered by a clock or input
event.
How to use state machine models:
    Define the state set so that it captures security
    Check that all state transitions starting in a secure state yield a
    secure state
    Check that the initial state of the system is secure
    A state transition is secure if it goes from a secure state to a secure
    state.

Access Matrix Model - Defined as the policy for user authentication, and
has several implementations such as access control lists (ACLs) and
capabilities. It is used to describe which users have access to what objects.
The matrix consists of four major parts:
    A list of objects
    A list of subjects
    A function T that returns an object's type
    The matrix itself, with objects making the columns and the subjects
    making the rows
The two most used implementations are access control lists and
capabilities. ACLs are achieved by placing on each object a list of users
and their associated rights (columns). Capabilities are accomplished by
storing on each subject a list of rights the subject has for every object
(rows).
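The column/row duality described above, as an added example that is not part of the cram sheet: one sparse access matrix, with the ACL view and the capability-list view both derived from it, the type function T, and a revocation helper that shows why removing an object is cheap for ACLs but touches every subject's row in a capability system. The subjects, objects and rights are constructed sample data.

```python
# Added example (not from the cram sheet): one access matrix held as
# sparse cells, with the ACL (column) and capability-list (row) views
# derived from it and the type function T. Subjects, objects and rights
# are constructed sample data.

from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.types = {}                       # object -> type, i.e. the function T
        self.cells = defaultdict(set)         # (subject, object) -> set of rights

    def add_subject(self, subject):
        self.subjects.add(subject)

    def add_object(self, obj, otype):
        self.types[obj] = otype

    def T(self, obj):
        """Type of an object, used to decide which rights make sense for it."""
        return self.types[obj]

    def grant(self, subject, obj, *rights):
        if subject not in self.subjects or obj not in self.types:
            raise KeyError("unknown subject or object")
        self.cells[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        self.cells[(subject, obj)].difference_update(rights)

    def allowed(self, subject, obj, right):
        """The reference-monitor check: one cell lookup."""
        return right in self.cells.get((subject, obj), ())

    def acl(self, obj):
        """Column view: what an ACL system stores with the object."""
        return {s: frozenset(r) for (s, o), r in self.cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: what a capability system stores with the subject."""
        return {o: frozenset(r) for (s, o), r in self.cells.items() if s == subject and r}

    def revoke_object(self, obj):
        """Drop every right on an object. In an ACL system this is one list;
        in a capability system every subject's row must be visited."""
        keys = [k for k in self.cells if k[1] == obj]
        touched = sorted({s for (s, o) in keys if self.cells[(s, o)]})
        for k in keys:
            del self.cells[k]
        return touched


def build_sample():
    """Constructed sample: two users, a file and a program."""
    m = AccessMatrix()
    for s in ("alice", "bob"):
        m.add_subject(s)
    m.add_object("payroll.xls", "file")
    m.add_object("backup.exe", "program")
    m.grant("alice", "payroll.xls", "read", "write")
    m.grant("bob", "payroll.xls", "read")
    m.grant("alice", "backup.exe", "execute")
    return m
```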

Information Flow Model - This model is based on a state machine, and it
consists of objects, state transitions, and lattice states. In this context, objects
can also represent users. Each object is assigned a security class and value,
and information is constrained to flow in the directions that are permitted by
the security policy.

Identification and Authentication Techniques:
Identification - The act of a user professing an identity to a system, usually in
the form of a logon.
Authentication - The verification that the user's claimed identity is valid; it is
usually implemented through a password at logon time.
Authentication is based on the following three factor types:
    Type 1: Something you know, such as a PIN or password
    Type 2: Something you have, such as a smart card
    Type 3: Something you are, such as a fingerprint

Knowledge-based - Passwords, PINs, and Passphrases
Passwords - Several schemes can be used:
    User selected
    Generated
    Token generated
    Default
    Composition - Combination of two totally unrelated words
    Passphrases - Good way of having very strong passwords
Password Management Issues
    Lifetime Considerations
        Cost of replacement
        Risk of compromise
        Guessing attacks
        Number of times used
    Password Changing Considerations
        60 days: regular user
        30 days: privileged users
        15 days: security officer
    Use security policies to control password management issues

Characteristic-based (biometrics, behavior) - Automated means of
identifying or authenticating the identity of a living person based on
physiological or behavioral characteristics. There are three main performance
measures in biometrics:
    False Rejection Rate (FRR) or Type 1 error - The percentage of valid
    subjects that are falsely rejected.
    False Acceptance Rate (FAR) or Type 2 error - The percentage of
    invalid subjects that are falsely accepted.
    Crossover Error Rate (CER) - The point at which the FRR equals the
    FAR.
Order of Effectiveness:
    Iris Scan
    Retina Scan
    Fingerprint
    Hand Geometry
    Voice Pattern
    Keystroke Pattern
    Signature
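How FRR, FAR and the CER relate to the acceptance threshold, as an added example that is not from the cram sheet: the matcher scores below are constructed, a sample is accepted when its score reaches the threshold, and the threshold sweep finds where the two error rates cross and where a stricter FAR target has to sit.

```python
# Added example (not from the cram sheet): FRR, FAR and the crossover
# error rate computed from a constructed set of matcher scores. A higher
# score means a closer match; a sample is accepted when score >= threshold.

GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.79, 0.97, 0.665, 0.90, 0.85]   # constructed
IMPOSTOR = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.695, 0.42, 0.25, 0.58]  # constructed


def frr(threshold, genuine=GENUINE):
    """Type 1 error: fraction of valid subjects rejected at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type 2 error: fraction of invalid subjects accepted at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds and return (threshold, CER) where FRR and FAR meet.
    The first threshold with the smallest |FRR - FAR| wins."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        r, a = frr(t, genuine), far(t, impostor)
        if best is None or abs(r - a) < best[2]:
            best = (t, (r + a) / 2, abs(r - a))
    return best[0], best[1]


def operating_point(max_far, genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Lowest-FRR threshold whose FAR does not exceed max_far. A stricter
    FAR target moves the threshold above the CER and raises the FRR."""
    candidates = [(frr(i / steps, genuine), i / steps)
                  for i in range(steps + 1) if far(i / steps, impostor) <= max_far]
    r, t = min(candidates)
    return t, r


def report(thresholds=(0.5, 0.67, 0.8)):
    """(FRR, FAR) at a few thresholds, to see the trade-off in one view."""
    return {t: (frr(t), far(t)) for t in thresholds}
```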

Token - A software or hardware object used to identify an identity in an
authentication process. This object is used to control access and is passed
between cooperating entities in a protocol that synchronizes use of a shared
resource.
    Tickets - TBD
    One-Time Passwords - TBD
    Smart Card
Administrative
Single Sign-On (SSO) - Single sign-on addresses the cumbersome situation
of logging on multiple times to access different resources. Users identify only
once to a system; then the information needed for future access to system
resources is forwarded by the initial system.
    Pros
        More efficient user log-on process
        The ability to use stronger passwords
    Cons
        Once a user has logged on, they can freely roam the network

Kerberos (MIT Project Athena) - A trusted third-party authentication
protocol that was developed at MIT. Using symmetric key cryptography, it
authenticates clients to other entities on a network from which a client
requires services.

SESAME (Secure European System for Applications in a
Multivendor Environment) - Addresses the weaknesses in Kerberos.
Uses public key cryptography for the distribution of the secret keys and
provides additional access control support. It uses the Needham-Schroeder
protocol.

Access Control Methodologies and Implementation:
Centralized/Remote Authentication Access Controls
    RADIUS (Remote Authentication Dial In User Server) - A protocol for
    carrying authentication, authorization, and configuration information
    between a Network Access Server, which desires to authenticate its links,
    and a shared Authentication Server.
        Uses the client/server model
        Transactions between the client and the RADIUS server are
        authenticated through the use of a shared secret, which is never sent
        over the network.
    TACACS - A client/server protocol for handling authentication,
    authorization, and accounting messages.
    TACACS+ is the latest Cisco implementation. It provides attribute
    control (authorization) and accounting. Authorization can be done on a
    per-user/per-group basis, and is dynamic.

Decentralized Access Control - Domains are based on trust; trust
relationships can sometimes be compromised if proper care is not taken.
    Domains - A security domain is a single domain of trust that shares a
    single security policy and a single management source. Usually, domains
    are defined as a sphere of influence.
    Trust - A Trusted Subject is a subject that is part of the TCB.

File and Data Ownership and Custodianship
Implementation of data classification requires support from higher
management. It is useless if the policies are not enforced at the highest
level.
The ISO should consider developing the policy as follows:
    Define information as an asset of the business unit
    Declare local business managers as owners of the information
    Establish Information Systems staff as custodians of the information
    Clearly define roles and responsibilities
    Determine data classification criteria
    Determine controls for each classification

Methods of Attack
Brute Force - Identifying secret data by testing all possible combinations.
Denial of Service - An attack on the operating system that renders the
target unable to reply reliably.
Spoofing - An attack in which one person or process pretends to be another
person or process that has more privileges.
Dictionary - Password attack that involves trying a list of possible passwords.
Spamming - Involves repeatedly sending identical e-messages to a particular
address.
Man-in-the-Middle - Commonly consists of the attacker intercepting or
changing traffic destined for another machine.
Sniffers - A program or device that monitors data traveling over a network.
Crackers - Individuals who try to break into computer systems.

Monitoring
Intrusion Detection - The process of monitoring the events occurring in a
computer system or network and analyzing them for signs of intrusions.
IDS Types
    Network-Based IDS - Provides reliable, real-time information without
    consuming network or host resources. Listens to the network passively for
    known attacks.
    Host-Based IDS - Reviews the system and event logs in order to detect an
    attack on the host or whether the attack was successful.
IDS Detection Methods
    Signature-Based ID - In a signature-based ID, signatures or attributes of
    known attacks are referenced and compared against.
    Statistical Anomaly-Based ID - An IDS acquires data and defines a
    normal usage profile for the systems.
Types of Intrusions
    Input Validation Error
    Buffer Overflow
    Boundary Condition
    Access Validation Error
    Exceptional Condition Handling Error
    Environmental Error
    Configuration Error
    Race Condition
Penetration Testing
    Phase 1 - Information Gathering
    Phase 2 - Gaining Access
    Phase 3 - Denying Services
    Phase 4 - Evade Detection
    Phase 5 - Backdoor and Covering Tracks
