Access Control Systems & Methodology

We live in a world full of threats. First they conquered the physical world, and now the virtual world of the Internet is in danger too. However hard programmers try to overcome the problem, and however much effort they put into it, the situation grows worse from day to day. Every computer and every network can be attacked. Not without reason do many organizations and companies strain every nerve to build reliable protection for their personal data, passwords and essential information. Such work requires professional skills and qualifications, and the question is how to obtain them. The CISSP examination was created by (ISC)². Those who pass the exam are recognized as security professionals. The exam is difficult, but it opens many doors for job placement. It lasts six hours and consists of 250 questions covering 10 security domains. So if you are eager to gain the CISSP certification, let's take a look at these domains. All of them are listed below:
• Access Control & Methodology
• Applications & Systems Development
• Business Continuity & Disaster Recovery Planning
• Cryptography
• Law, Investigation & Ethics
• Operations Security
• Physical Security
• Security Architecture & Models
• Security Management Practices
• Telecommunications & Network Security
Now we will take a good look at one of these 10 security domains: Access Control & Methodology. This domain covers access control techniques, which include authentication, authorization and audit. The means involved range from biometric scanners and physical locks to digital signatures and monitoring.
The goal of the access control subject area is to protect critical system components from unauthorized disclosure and modification. The restriction applies only to unauthorized users; authorized users can use the information freely. Among the most obvious and familiar access control mechanisms are user names, passwords and access permissions.
The structure of Access Control domain includes:
• Authentication, or Identification and Authentication (I&A). The user first claims an identity (identification) and the system then verifies that claim (authentication); only users whose identity has been verified go on to be authorized. Examples of access control that include authentication are sending a confirmation e-mail to verify that a user controls an e-mail address, or one program presenting a credential to authenticate itself to another program. Keep in mind that if a system does not ask you for a credit card number or a signature, that does not by itself mean the system is insecure; it may mean that the number of users is small enough that a violator can easily be identified. Many companies use a Windows domain controller as their authentication system, which restricts users to the data they are authorized for. Other organizations use a Kerberos realm or a Novell server. For computers running Windows, though, a Windows domain controller is the most natural fit (Active Directory domain controllers themselves authenticate with Kerberos), so the two systems are often used side by side and kept synchronized.
The factors used for authentication fall into three categories: something you know (a password or PIN); something you have (a smart card or token); and something you are (a fingerprint or voice print). A company firewall is not an authentication factor: it controls network access but does not verify who a user is.
• Authorization. This is the function that specifies access rights to data and resources. Access control can be divided into two stages: policy definition and policy enforcement. Authorization belongs to the first stage, where rights are granted to a subject; in the second stage each access request is approved or rejected based on the rights defined in the first. You have probably noticed that if you have not authenticated you are treated as an anonymous user or a guest, with only limited rights. So first authentication and then authorization are required to become a trusted user. It is worth mentioning here that there are three basic types of access. The first is Read, which lets a user view a file or list a directory. The second is Write, which lets a user change content: rename, add, delete or create information. The third is Execute, which lets a user run a program or enter a directory.
• Accountability, or Audit. Accountability relies on audit records and audit logs; a log is a list of audit records for a process or a system. As a rule audit records capture communications or transactions, attributed to a user, an account or a system. They are kept so that the sequence of events or changes can later be reconstructed and examined. Thanks to audit records an administrator can detect intrusion attempts, such as repeated failed logins or access requests that were denied.
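As an added example that is not part of the original article, here is a small Python reference monitor tying the three parts of the domain together: identification and authentication with a salted password hash (a "something you know" factor), authorization split into a policy definition phase (grant) and an enforcement phase (permitted) with read, write and execute rights, unauthenticated callers treated as guests, and an audit trail that can be queried afterwards for failed logins and denied requests. The user names, object paths and PBKDF2 iteration count are assumptions chosen for the example, not values from the text.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


# ---- Identification and authentication (I&A) ----
def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash so the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Maps a claimed identity (user name) to (salt, hash)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_password(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        """Verify the claimed identity with something the user knows."""
        entry = self._users.get(name)
        if entry is None:
            return False
        salt, expected = entry
        # constant-time compare: do not leak how many bytes matched
        return hmac.compare_digest(_hash_password(password, salt), expected)


# ---- Authorization: policy definition (grant) vs. policy enforcement (permitted) ----
READ, WRITE, EXECUTE = "read", "write", "execute"
GUEST = "guest"  # identity given to anyone who has not authenticated


class Policy:
    def __init__(self) -> None:
        # object -> subject -> permissions: a simple access control list
        self._acl: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, subject: str, obj: str, *perms: str) -> None:
        """Policy definition phase: record the rights a subject holds on an object."""
        self._acl.setdefault(obj, {}).setdefault(subject, set()).update(perms)

    def permitted(self, subject: str, obj: str, perm: str) -> bool:
        """Policy enforcement phase: decide one request against the recorded rights."""
        return perm in self._acl.get(obj, {}).get(subject, set())


# ---- Accountability: every decision leaves an audit record ----
@dataclass(frozen=True)
class AuditRecord:
    ts: float
    subject: str
    action: str
    obj: str
    outcome: str


class ReferenceMonitor:
    """Authenticate, then authorize, and log both steps."""

    def __init__(self, users: UserStore, policy: Policy) -> None:
        self.users = users
        self.policy = policy
        self.audit: List[AuditRecord] = []
        self._sessions: Dict[str, str] = {}  # session token -> authenticated subject

    def _log(self, subject: str, action: str, obj: str, outcome: str) -> None:
        self.audit.append(AuditRecord(time.time(), subject, action, obj, outcome))

    def login(self, name: str, password: str) -> Optional[str]:
        ok = self.users.authenticate(name, password)
        self._log(name, "login", "-", "success" if ok else "failure")
        if not ok:
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = name
        return token

    def access(self, token: Optional[str], obj: str, perm: str) -> bool:
        # A missing or unknown token means the caller is only a guest.
        subject = self._sessions.get(token, GUEST) if token else GUEST
        allowed = self.policy.permitted(subject, obj, perm)
        self._log(subject, perm, obj, "granted" if allowed else "denied")
        return allowed

    def failures_for(self, subject: str) -> List[AuditRecord]:
        """Reconstruct one subject's failed logins and denied requests from the log."""
        return [r for r in self.audit
                if r.subject == subject and r.outcome in ("failure", "denied")]


if __name__ == "__main__":
    store, policy = UserStore(), Policy()
    store.add("alice", "correct horse battery staple")      # constructed sample user
    policy.grant("alice", "/srv/payroll.db", READ, WRITE)  # constructed sample policy
    rm = ReferenceMonitor(store, policy)
    rm.login("alice", "wrong password")
    tok = rm.login("alice", "correct horse battery staple")
    rm.access(tok, "/srv/payroll.db", EXECUTE)
    for rec in rm.audit:
        print(rec)
```

The separation matters in practice: `Policy.grant` is the definition phase an administrator performs ahead of time, `Policy.permitted` is the enforcement decision made on every request, and because `ReferenceMonitor` is the only path to either, every success and failure lands in `audit`, where `failures_for` gives the reconstructed sequence an administrator would look at after a suspected intrusion.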