  1. Identity and AAA
    1. identity
      1. factors
      2. identity management
        1. directories
          1. standards
          2. X.500
          3. namespaces
          4. metadata directory
          5. virtual directory
        2. web access management
          1. cookies
        3. password management
          1. password synch
          2. self service pwd reset
          3. assisted pwd reset
        4. legacy SSO
          1. SPOF/bottleneck
        5. account management
        6. provisioning
          1. ASOR
        7. profile update
        8. federation
          1. portals
      3. markup languages
        1. xml
        2. spml
        3. saml
        4. soa
        5. xacml
    2. authentication
      1. biometrics
        1. ratings
          1. CER/EER
          2. Type I FRR
          3. Type II FAR
        2. behavioural
          1. signature dynamics
          2. keystroke
          3. gait
          4. voice
        3. physiological
          1. fingerprints
          2. palmscan
          3. iris
          4. retina
          5. hand topography
          6. hand geometry
          7. facial scan
      2. passwords
        1. attacks
          1. electronic monitoring
          2. access pwd file
          3. brute force attacks
          4. dictionary attacks
          5. social engineering attacks
          6. rainbow table
        2. protection
          1. hashing/encryption
          2. pwd aging
          3. pwd checkers
          4. limit logon attempts
        3. one time password
          1. token
          2. synch
          3. async
          4. nonce challenge
      3. cryptokeys
      4. cards
        1. memory
        2. smart
          1. contact
          2. contactless
        3. attacks
        4. rfid
      5. passphrases
    3. authorisation
      1. Access criteria
        1. role, groups, location, time, transaction
      2. default no access
      3. need to know
      4. authorisation creep
      5. SSO
      6. Kerberos
        1. weakness
          1. sym key
          2. Sesame
          3. timestamps
          4. kryptoknight
          5. SPOF for KDC
      7. Security domains
      8. thin clients
    4. Accountability
      1. auditing
      2. thresholds
      3. tools
      4. SIEM
  2. Access Control Models
    1. DAC
      1. ID Based
    2. MAC
      1. Sensitivity Label
        1. classification
        2. categories
      2. multilevel security (MLS)
    3. NDAC
      1. rule-based
      2. role-based
        1. core RBAC
        2. hierarchical
          1. static separation of duty
          2. dynamic separation of duty
    4. Techniques
      1. Rule-based
      2. CUI
        1. from Clark-Wilson
        2. shell
      3. AC Matrix
        1. capability table
      4. ACLs
    5. Content dependent AC
      1. nbar
    6. Context dependent AC
  3. Administration
    1. Centralised
      1. Radius
      2. Tacacs
      3. Diameter
    2. Decentralised
  4. Controls
    1. Administrative Controls
    2. Technical Controls
    3. Physical Controls
    4. Security Controls
      1. preventive
      2. detective
      3. corrective
      4. deterrent
      5. recovery
      6. compensating
  5. Monitoring and Practices
    1. Practices
    2. IDS
      1. host-based
      2. network based
      3. engines
        1. knowledge/signature
        2. statistical/anomaly
          1. protocol
          2. traffic
        3. rule-based
    3. IPS
    4. Honeypots
    5. threat modelling
  6. Threats
    1. Unauthorised disclosure
      1. object reuse
      2. emanations
    2. accountability
      1. scrubbing
      2. keystroke monitoring
    3. dictionary attacks
    4. brute force attacks
    5. phishing and pharming
    6. spoofing at logon
    7. Identity Theft