1. Access Control Overview
    1. Access
      1. The transfer of information from an object to a subject
    2. Subjects
      1. active entities that seek information about or data from passive entities, or objects
    3. Objects
      1. entity that provides or hosts information
  2. Types of Access Control
    1. Confidentiality
      1. ensures that only authorized subjects can access objects
    2. Integrity
      1. unauthorized or unwanted changes to objects are denied
    3. Availability
      1. addresses the ability to obtain access within a reasonable amount of time upon request
  3. Access controls categories:
    1. Preventive access control
      1. to stop unwanted or unauthorized activity from occurring
    2. Directive access control
      1. to direct or control the actions of subjects to force compliance with security policies
    3. Detective access control
      1. to discover unwanted or unauthorized activity
    4. Corrective access control
      1. to restore systems to normal after an unwanted or unauthorized activity has occurred
    5. Deterrent access control
      1. to discourage violation of security policies
    6. Compensation access control
      1. to aid in enforcement and support of security policy
    7. Recovery access control
      1. to repair or restore resources, functions, and capabilities after a violation of security policies
    8. Administrative access controls
      1. policies and procedures to implement and enforce overall access control
    9. Logical/technical access controls
      1. hardware or software mechanisms used to manage access
    10. Physical access controls
      1. physical barriers deployed to prevent direct contact with systems or areas
  4. The Process of Accountability
    1. Identification
      1. process by which a subject professes an identity
    2. Authentication
      1. Type 1 (something you know)
      2. Type 2 (something you have)
      3. Type 3 (something you are)
      4. “Something” and “Somewhere”
      5. Multiple Factor Authentication
    3. Authorization
      1. ensures that the requested activity or object access is possible
    4. Auditing and Accountability
      1. the process by which online activities of user accounts and processes are tracked
  5. Identification and Authentication Techniques
    1. Passwords
      1. Risks
        1. sniffing
        2. Brute-force and dictionary attacks
        3. dictionary attack
        4. brute-force attack
        5. hybrid attack
        6. social-engineering attack
      2. Improve
        1. encryption
        2. Use password verification tools
        3. Disable idle user accounts
        4. train users
        5. change passwords regularly
        6. Longer password
        7. compromised password should be changed
        8. Hand out passwords in person
    2. Biometrics
      1. Fingerprints
      2. Face scans
      3. Retina scans
      4. Iris scans
      5. Palm scans
      6. Hand geometry
      7. Heart/pulse patterns
      8. Voice pattern recognition
      9. Signature dynamics
      10. Keystroke patterns (keystroke dynamics)
    3. Tokens
      1. Static tokens
      2. Synchronous dynamic password tokens
      3. Asynchronous dynamic password tokens
      4. Challenge-response tokens
    4. Tickets
      1. a mechanism that employs a third-party entity to prove identification
    5. Single Sign-On
      1. a mechanism that allows a subject to be authenticated only once on a system
        1. Kerberos
          1. authentication protocol that can be used to provide single sign-on
        2. Directory Service
          1. centralized database of objects and info about subjects
  6. Access Control Techniques
    1. Discretionary Access Controls
      1. allows the owner of an object to control and define which subjects can access that object
    2. Nondiscretionary Access Controls
      1. a set of rules defines what can and cannot occur on the system
    3. Mandatory Access Controls
      1. rely upon the use of classification labels (top secret, secret, confidential, sensitive but unclassified (SBU), and unclassified)
        1. Hierarchical environments
        2. Compartmentalized environments
        3. Hybrid environments
    4. Role-Based Access Control
      1. define a subject's ability to access an object via subject roles (Tasks, Job Description)
    5. Lattice-Based Access Controls
      1. define upper and lower bounds of access for every relationship between a subject and an object
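As an added example (not from these notes), the hybrid MAC environment of item 3 (hierarchical levels plus compartments) and the upper/lower bounds of item 5 modelled as a lattice in Python; the read/write rules at the end follow the Bell-LaPadula confidentiality model, which is an assumption, since the notes only mention bounds.

```python
# Added example: classification labels as a lattice (hybrid MAC environment).
# A label is (hierarchical level, set of compartments). Label A dominates B when
# A's level is at or above B's level AND A holds every compartment B holds.
from dataclasses import dataclass, field

# Hierarchical levels named in the notes, ordered lowest to highest.
LEVELS = ["unclassified", "SBU", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")
        # normalise so sets and frozensets compare and hash the same way
        object.__setattr__(self, "compartments", frozenset(self.compartments))

    def dominates(self, other: "Label") -> bool:
        """True when self is at or above other in the lattice."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    level = a.level if RANK[a.level] >= RANK[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    level = a.level if RANK[a.level] <= RANK[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # Bell-LaPadula simple security rule (assumed): no read-up.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # Bell-LaPadula star property (assumed): no write-down.
    return obj.dominates(subject)
```

Two labels can be incomparable (e.g. secret with no compartments versus confidential with a compartment); lub and glb still give the bounds between which access is decided.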
  7. Access Control Methodologies and Implementations
    1. Methodologies
      1. Centralized access control (all authorization verification is performed by a single entity)
    2. Implementations
      1. Decentralized (RADIUS and TACACS)
  8. Access Control Administration
    1. three main responsibilities:
      1. User account management
      2. Activity tracking
      3. Access rights and permissions management
    2. The Principle of Least Privilege
    3. Need-to-Know Access
    4. Users, Owners, and Custodians
      1. user: is any subject who accesses objects
      2. owner: responsible for classifying and labeling objects and for protecting and storing data
      3. Custodian: a subject who is responsible for properly storing and protecting objects
    5. Separation of Duties and Responsibilities