RCR 052: Knowing Access Control for the CISSP Exam (Domain 5) - CISSP Training and Study!

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 5 (Identity and Access Management) of the CISSP Exam.

• CISSP Articles – Access Control Types
• CISSP Training –  Access Control Types
• CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/

CISSP Exam Questions

Reference:  TechTarget

Link:  https://searchsecurity.techtarget.com/quiz/CISSP-Domain-5-quiz-Types-of-access-control-systems?q0=1&q1=2&q2=2&q3=3&q4=2&q5=2&q6=2&q7=2&q8=2&q9=2&x=70&y=11

QUESTION 1

Abstract episodes of interaction between a system and its environment:

• Misuse case
• Web proxies
• Use cases
• Negative testing

CORRECT ANSWER - Use cases 

QUESTION 2

A list of the most widespread and critical errors that can lead to serious vulnerabilities in software:

• Information security continuous monitoring (ISCM)
• CWE/SANS Top 25 most dangerous software errors
• Automated vulnerability scanners
• Real user monitoring (RUM)

CORRECT ANSWER - Information security continuous monitoring (ISCM) 

QUESTION 3

This criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product's behavior:

• Statement coverage
• Data flow coverage
• Condition coverage
• Path coverage

CORRECT ANSWER - Statement coverage 

Want to find Shon Gerber elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• https://www.isc2.org/Training/Self-Study-Resources

• Infosec Institute
• https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/identity-and-access-management/access-control-categories/#gref
• TechTarget
• https://searchsecurity.techtarget.com/quiz/CISSP-Domain-5-quiz-Types-of-access-control-systems?q0=1&q1=2&q2=2&q3=3&q4=2&q5=2&q6=2&q7=2&q8=2&q9=2&x=70&y=11
• Vendors:
• LastPass.com
• https://www.lastpass.com/

TRANSCRIPT:

podcast why you the training tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcasts each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam all right real shark ever get with reduce cyber risk and today we already talkin about domain 5 is RCR 52 Access Control types to main 5.1 hope you all are having a great wonderful day today and it's a beautiful day here in Wichita Kansas get ready for the Christmas holiday season and so therefore it is fun in the sun actually it's son but kind of snowy but it hasn't snowed yet just got cold cannot complain at all and as we're talking about various aspects if they were to be getting into access controls and and how are those important with your cissp and so this is kind of The Next Step domain five we talked about doing for last week and some of the exam questions that you will see our around domain this coming week will be around domain 5 and this is our ongoing effort to teach you how to pass the cissp the first time aspects around Access Control types and so they'll you'll be able to see these links in the show notes and just kind of wanted to go and give a plug out to them but the first thing we're going to talk about his administrative access control of these are laid out by top management of an organization so these administrative Access Control are set up through the organization and they'll say what they want to have people to have access to know you was a security person may have to help them ladies out or put these these place and put these together and so therefore these administrative controls are very very important when you're trying to limit income limit access to an environment now procedures and policy every organization should have its own security policy to which all the employees must adhere to deal with this on a daily basis they really have to adhere to it now your organization you may have a lot of policies you may not you may have some just a few but it is a high-level plan that kind of sets out how management plans to have people utilize this equipment or this the aspects of their environment the policy can include actions that are deemed acceptable and the level of risk to companies willing to Undertaker accept so those are key pieces so is is your building your security policy out the company may decide that they want they were not going to accept some level of risk or they may not they may have another penalty in the event of a breach that say for instance who are they going to let know how is that going to affect their company and these policies are normally compiled by a security person and they would work potentially with compliance and legal on this and I don't say potentially I'd highly recommended so if you're building flirt procedures and policies for your organization definitely work with your compliance and legal folks around that play your policy and procedure piece you also have your supervisory structure which all organizations will have some level of organizational structure around this and you needed to find what that looks like this depending upon your organs with your knowledge around this a supervisor is typically someone who played is placed above employee from a supervisory standpoint to help them work and so therefore that you may want to call out how is that spelled out within your procedures in your policy of the supervisor will approve all administrative control editions do you have to have admin access to an environment that a supervisor will approve it and then also the supervisor could be the person that for everybody or could go to security as well how does management get involved in this management another one is Personnel control Shelly's Personnel controls describe the expectations of an organization towards its employees okay so these what is it where the employees going to do what is it as management expecting of the employees and it's also use these personal controls for addressing non-compliance with with meeting to these expectations right so those are all aspects that are in place change the status Ronnie's access controls they can be someone higher they suspended or they terminated are they promoted promoted depend on the access control right and if if someone is terminated what happens to their axes is removed if they're suspended what happens to their access if there migrant they moved to a new role within a different company if you have a multinational or multi companies got a large bunch of companies involved in it you are a different organization within your company how what happens to the access control separation of Duties is well and these are aspects that you want to make sure that you and poor or import into your environment that you have a separation of Duties that are in place so for an example of someone wants to transfer money to another company they have to have supervisor approval I can't just do that on their own that would be a separation of Duties and I highly recommend that you do put that level of control within your organization if you do not already have it rotation so you may be in a situation where employees are in the one job for quite a period of time you may want to rotate them out of that job into a new job into a one that has a different position that this is a way that you can want you can find out if they've been doing things they shouldn't be doing to give them opportunity to expand their their capabilities but especially when you're dealing with rolls at may have significant risk where they they have access to a lot of different aspect you may consider putting that in place quarters by not good but every 6 months to a year you moved into a different role I guess that's it that's a pretty broad thing to do is pretty large but it's something to consider similar examples of administrative controls or information classification procedure personal procedures investigations testing security awareness and training those are some different administrative controls that you can put in place around individuals what's the second aspect is a technical Access Control trolls are typically like a logical control their there to land our software that can be used to enforce restrictions so those are control that you put in place it could be a specific tool you have to log into like if you had a remote access you utilize a citrus product or another remote access capability some of the most important please network access controls Define the mechanisms an authorized access into network resources like switches routers bridges excetera that is your network access that's what allows you into the environment their system access which is data sensitivity rights of urine allow them access into a certain system you may utilize username password Biometrics smartcard all of those aspects could be utilized for system access auditing in such cases you want to go back and you want to audit that Network recommend that you build an auditing plan environments that goes back and especially on these high-risk systems and re-evaluate whether or not they're the controls are in place encryption and other protocols you need to make sure that you have those in place for your networks whether it's going on through the network itself the encryption to the tunneling or if it's encryption on the device itself as well but you need to make sure that you would do lies encryption in your environment we talked about architecture in the last reduce ever risk podcast the physical and logical layout of your network is it properly architected in a way that adds level of security or is it are connected in a way that just cause confusion of pandemonium that depends so you want to make sure that you have that protect properly protected in properly put in place sometime ids's antivirus software as well as your dial-up callback systems all of those things need to be in place from a technical control now you do have physical access controls there is Network segregation in you want to make sure we talked about that in previous episodes where you want to segregate your networks in a proper format this could be fruitful and it could be through just firewalls but you want to make sure that it is at adequately separated and where that not everybody has full access to everything this is just really important to do you also need to look at security on the of the perimeter depending on the organization the perimeter security needs to be carried out to ensure that there's no unwarranted people getting into your environment there's no way to make it into the premises similar physical Access Control components computer controls physical aspects that could be put in place to limit the access control not so young and example around that would be fences badges security guards TV alarms backups all those things now you're carrying out different access controls there's there's things that consider around that you can ferment system-wide and this should be integrated into your operating procedures that you have at your location I need to access control should be defined and written out a typical Access Control process would be identification of the subject authentication privilege Ackles which is Access Control us and then audits so these are very these are steps that need to be performed as well to do that and so therefore you put these in place and it's a way that you can set up some level of authentication within your environment authentication can work is through matching credentials found at that are within a database so if you're dealing with cissp you know that you have to you have to have some level of authentication when it comes to your database and this is how those things can be done these credentials aren't found a database obviously that you can't be gained access to that database you cannot access point Aprilia jackals they offer authentication the system checks at nurture privileges that are to be granted a subject will not be allowed to perform actions on an object that they don't hold a privilege to perform until again these are pieces that you need to consider a hydrogen with privileged Ackles and then audit need to perform for periodic audits that need to be for in order to ensure there are any security vulnerabilities I highly recommend some level of auditing to occur within your environment that's just really really important to do that's the basically around a synopsis that was with the access control types from infosec Institute. Com check out what they've got their now it's roll into the cissp training and let's get going Domaine 5.1 which is Access Control types now there's the thing we start with all this was kind of give it a little bit of an overview is that controlling access is instrumental in controlling what you do as relates to access control I said controlling three times as much as possible and many of these aspects do work together when you're controlling the various aspects around it so when you're talking a hardware or software policies all of these work interchangeably to control the access that you want to to accomplish in his these assets can be Information Systems devices facilities all these all of these aspects are considered an asset so that's one thing you want to consider when you're dealing with access now there's some key aspects around this is it does include all of the data where your storage of your data is at includes everything could be storage on your PC could be storage in Amazon S3 buckets it could be pretty much anywhere so you want to make sure that you understand where your date is at and I was in a meeting that too long ago and we're talkin about protecting of data and SharePoint migration and was removing data from one location to the next one of the things that came up and it was kind of an epiphany for an individual in the room was it's really about all the all about the data and it truly is it's really always all about the data so you need to consider these different storage locations and does it goes from thumb drive to S3 buckets Is All I'll need to be incorporated into what you're doing controls you also are designed to attempt to restrict unauthorised access that is the goal of access controls is keep people out that don't belong now there's different processes that are involved with Access Control first identify the individuals or users that need this access so if you got a individual who need specific access to a SharePoint site or needs access to a folder you need to identify them it may not be you but it may be the be the supervisor that may have to Define who that person what kind of axes that person needs determine if this access is authorized does a person may need to ask that doesn't mess depend on the identity of the individual that access would also need to be I would have to be granted based on their identity you'll see the Monitor and record access they go in your watching what they do you're also going to record it and you're going to annotate where it would go are having access to a why they have access to it and then you're logging that information for future reference does some various Access Control types that you've got a preventative give detective physical compensating corrective administrative deterrent logical technical Access Control type so we're going to each individual one when you're done with the preventive Access Control knives types these are designed to prevent unauthorized access you preventing somebody from getting in could be as simple as the other gate and physical access your way to prevent them from getting in do you have there's a computer system is got a specific log on for you you username password that would be designed to prevent unauthorized access unauthorized access so do you have a means to determine if someone is trying to gain access that shouldn't have it so they could be CCTV cameras security guards could be your security in incident event management system all of these aspects could be in place to prevent or to detect if someone's trying to gain access I shouldn't have it another one is physical so I'm physical this controls that require physical contact contact us to be fences security guards badges all of that would be a physical restriction now it could be as simple as when you get to the the keyboard maybe you have a Biometrics involved on the keyboard that would be another physical way so those are different access controls or preventative detective physical compensating these are alternate controls when the original is not available so for example when you have a new start new account start up and you notice that when you do that if you go to a website and they want a new account that's getting stood up you have to enter in a temporary password and that temporary password would give you can you access but then you going to have to make changes to your account to have continued ongoing access well that is something that is is a compensating control type that would keep you from Gaining access to Something in the short-term but it's not the original one that you want to keep for a long-term there's corrective has occurred is an example would be you deploy it in EDR solution which is your basically input detection respond solution that would happen for breach so you've had a breach occur you know we got to stop your turo bleeding again know what's going on you would potentially deployed DVR solution for that breach administrative fees are policies and procedures Woodbine organization that would be designed specifically for access to information background checks classification data classification all of those pieces would be considered administrative deterrent is designed to discourage violations of a security policy this would be a security badges security training you name it bad idea to do it and one of the things that I talk about when we are working with individuals that we're going to be doing logging and monitoring on one of the one of the aspects around actually logging information of people going through people gaining access to sensitive data is the fact that you want people to know that you're doing it and I do it by saying that it would happen this is then people will will understand that you're watching so it's kind of like the the statement of the Jedi mind trick right you want them to be able to know that you're watching because hopefully that will be a someone of a deterrent to discourage violations against what you're trying to accomplish logical and Technical technical control to limit or restrict access what is your username password firewall so those are some of the big different access types Access Control types that are available preventive detective physical compensating corrective administrative deterrent and logical / technical authentication factors these are things that you do with passwords tokens voice voice fingerprints and so forth and there's keep pieces there just for key basics for you to keep in mind when you're understanding authentication factors I could be your thumb print those were two sentences with something you have but it's like more like thumbprints more like your phone itself as something you do put in your phone Prince or a voice eyeballs facial recognition and then something uro should be Biometrics your eyeball those kind of things something you know something you have when you do something you are so no have to R really bad movie so those are the things around Authentication now logical and Technical Access Control we talked about passwords up there above the passwords or something you know and it's typically a string of characters I know this is not hard but these are just some key things you need to consider when it comes to the cissp test you need to be aware of the logical and Technical access controls these are a password is something you know the string of characters and is typically associated with a username is the weakest security mechanism out there they were designed in the initial things to have something to do to restrict people showing computers first came out they wanted some way to add have a control type control around who could gain access to these computer systems so what are they do they use the username and a password well in the seventies yeah that's fine it worked out okay but now that everything's interconnected is actually a terrible mechanism to control access is one of the weakest ones you can have because people use the same one because there's just so many of them my passwords are so bad is because there were you who shared their easy guessable and a tree emails text excetera and I I noticed that was an interesting time when I was talking with a friend of mine who is a bank manager at a bank that to we are connected with and his bank manager at the time said I said ask him if it where do you store all your passwords and you pause for a second and he goes well you know I storm really secure place until where's that nice it's in my email inbox I'm just like oh my gosh that's not good don't talk but needless to say that's where passwords are typically store their stores and all kinds of goofy locations can you create a strong password you need to have complexity special characters in to be at least 12 characters that need to be changed frequently each day but realistically that's what would be the best password phrases they should be long passwords they should be sentences they should they basically should have different generators or personal accounts that will create these these long passwords if you can do them in a passphrase where you have something such as culture Wings barely tool group Griffin nascent okay so I wouldn't have any idea what that means but that's a couple using words together to create a very long nasty password now you may want to add some that just to make it a little bit harder but bottom line is you want to use words to create a long sentence or a long structure to help you add some level of depth to your password now smart cars and tokens a smart card is kind of about the size of a credit card you'll see that military uses these a lot but they're basically having an integrated circuit chip built into them are certificates based on who they are are located on this chip so when you deal with login your send an email but they'll do as well use this chip that uses smart card to authenticate who they specifically are with their certificates that your to utilize the certificate however it's another way of zits something you have with you I don't think that's a smart car it allows you access does asynchronous it which is algorithm base and it's based on how and I getting smart people with lots of big math I figured out how that all works but it's basically the difference I consider is is synchronous is an authentication piece with a clock asynchronous is algorithm-based Bayside comes down to something you are it's not infallible there's people that you can get around I noticed recently that there was a way to get around the windows are should say the face recognition of the iPhone 10 but bottom line is it it's still a very good mechanism your thumbprints actually it's harder to do your face obviously cuz there's so many Contour but your your fingerprint can be spoofed it's so that there are some things to consider around that now some examples of that would be fingerprints your face heart patterns voice recognition all those fall into the Biometrics space get training for the cissp based on the is c squared training manual and the study aspects you need to pass the cissp the first time let's go roll into some cissp now this Guinness comes from techtarget and this is some questions that they have it come out there and so let's go ahead and roll right into those abstract episodes of interaction between and its environment abstract episodes basically episodes of interaction between a system and its environment misuse cases web proxy for misuse cases a web proxies is b c is use cases B is negative testing so misuse cases is a web proxies is B use cases is C and negative testing is d use cases so have the military I didn't really understand this until I got into Corporate America but realistically that's to use that term is used all the time in Corporate America but it's basically as track episodes of interaction between a system in its environment things that happened it's a use case occurred and how it turned out the way it did in Corporate America compared to what happened in the middle hope is the biggest aspect I had to work through but use case that's what it is critical errors that can be can lead to Serious vulnerabilities in software a information security continuous monitoring be cwe Sans top 25 most dangerous software errors C automated vulnerability scanners D real user monitoring okay so the list of the most widespread and critic what can lead to Serious vulnerabilities in software information security is cm 25 most dangerous software errors hey that would be very subjective Seas automated vulnerability scanners the list of most critical errors way that works right it's a scanner that doesn't work for you or D real user monitoring doesn't make a lot of sense so they correct answer is a information security continuous monitoring alright question 3 future require sufficient test cases for each program statement execute at least once however it is achievement in insufficient to provide coincidence confidence in software products Behavior that's a lot of big words that really gonna run together that don't make a whole lot of sense so let's read one more time I was coming from techtarget sorry should have put their protect argot but this criteria require sufficient test cases for each program statement to be executed at least once his criteria provides sufficient test cases for each program statement to be executed at least once however it's a treatment is insufficient to provide confidence in the software product Behavior basically trying to do test cases and then when after it occurs it says it's insufficient to provide confidence that the software products is actually doing what it's supposed to be doing statement coverage be dataflow coverage see condition coverage the pass coverage so that one's got to work through don't know this one then you can have the narrow down something dataflow coverage that doesn't my wouldn't make sense right cuz it's a crunchy that comes to the cissp question that's all I've got for today do you have a wonderful week this coming week and you know what is is great here in the wonderful state of Kansas so it'll be great next week's well I know but hey if you get it get a chance to go out to reduce cyber risk podcast and you leave have you or go to Sean gerber.com I have some great things out there at Shawn gerber.com to hell passing the cissp the first time it's going to have all kinds of aspects out there I've got free training is available for you also got free slick videos from Des Moines 1 through 4 and there were building up their various free content for the cissp domains all right I hope you all have a wonderful day and I will catch you on the flip side see you thanks so much for my podcast I appreciate the feedback also check out my cissp videos that you can find out on YouTube just search for Shawn s h o n Gerber like the baby food toilet or whatever you choose and then you will find a plethora of content to help you pass the cissp exam the first time Leslie head over to Sean gerber.com and look at the Cornucopia all my email subscribers thanks again for listening