Page 1062 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Exam Essentials


Identify common authorization mechanisms. Authorization determines whether a requested activity or object access is permitted, given the privileges assigned to the authenticated identity. For example, it ensures that users with appropriate privileges can access files and other resources, and that users without them cannot. Common authorization mechanisms include implicit deny, access control lists, access control matrices, capability tables, constrained interfaces, content-dependent controls, and context-dependent controls. These mechanisms enforce security principles such as need to know, the principle of least privilege, and separation of duties.
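The following is an added example, not code from the study guide, showing how several of these mechanisms relate: one constructed access control matrix, the ACL (column) and capability table (row) views derived from it, an implicit-deny decision function with a context-dependent time-of-day rule, and a content-dependent filter. The subjects, objects, departments and the business-hours policy are all assumptions made up for the example.

```python
from datetime import time

# Constructed sample access control matrix (not from the study guide):
# rows are subjects, columns are objects, each cell is the set of rights granted.
# Absent cells carry no rights, which is what implicit deny relies on.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}},
}

# Constructed subject attribute used by the content-dependent check below.
DEPARTMENT = {"alice": "finance", "bob": "sales"}


def acl(obj):
    """Column view of the matrix: which subjects hold which rights on one object."""
    return {subj: set(objs[obj]) for subj, objs in MATRIX.items() if obj in objs}


def capability_table(subject):
    """Row view of the matrix: everything one subject may do, keyed by object."""
    return {obj: set(rights) for obj, rights in MATRIX.get(subject, {}).items()}


def is_authorized(subject, obj, right, now=None,
                  business_hours=(time(8, 0), time(18, 0))):
    """Decide one access request.

    Implicit deny: anything not explicitly granted in the matrix is refused,
    including unknown subjects and unknown objects.
    Context-dependent control: writes are only allowed inside business hours
    when a clock reading is supplied (assumed policy for this example).
    """
    rights = MATRIX.get(subject, {}).get(obj, set())
    if right not in rights:
        return False
    if right == "write" and now is not None:
        start, end = business_hours
        if not (start <= now < end):
            return False
    return True


def visible_rows(subject, rows):
    """Content-dependent control: a subject with read access still sees only the
    rows whose 'department' field matches their own (constructed rule)."""
    dept = DEPARTMENT.get(subject)
    return [r for r in rows if r.get("department") == dept]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    sample_rows = [
        {"employee": "dan", "department": "finance", "salary": 70000},
        {"employee": "eve", "department": "sales", "salary": 65000},
    ]
    print("ACL for report.txt:", acl("report.txt"))
    print("Capabilities of bob:", capability_table("bob"))
    print("carol reads report.txt:", is_authorized("carol", "report.txt", "read"))
    print("alice writes payroll.db at 22:00:",
          is_authorized("alice", "payroll.db", "write", now=time(22, 0)))
    print("rows alice sees:", visible_rows("alice", sample_rows))
```

The point to notice is that the ACL and the capability table carry no information of their own; both are projections of the same matrix, and the decision function never consults a "deny" entry because the absence of a grant already denies.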

Know details about each of the access control models. With Discretionary Access Control (DAC) models, all objects have owners and the owners can modify permissions. With nondiscretionary models, administrators centrally manage access instead of owners. Role-Based Access Control (RBAC) models use task-based roles, and users gain privileges when administrators place their accounts into a role. Rule-based access control models use a set of rules, restrictions, or filters to determine access. The Mandatory Access Control (MAC) model uses labels to identify security domains. Subjects need matching labels to access objects.
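As an added example (not code from the study guide), the block below implements the distinguishing rule of three of these models side by side: a DAC object whose ACL only its owner may change, an RBAC lookup in which privileges attach to roles and users only through administrator-maintained role membership, and a MAC label check. For the MAC check the "matching labels" of the summary is implemented in its usual lattice form, where the subject's label must dominate the object's (equal or higher classification and a superset of the compartments); the classification names, compartments, roles and users are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# ---- DAC: every object has an owner, and only the owner changes its permissions ----

@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights

    def grant(self, requester, subject, rights):
        """Only the owner may modify the ACL; anyone else is refused."""
        if requester != self.owner:
            raise PermissionError(f"{requester} does not own {self.name}")
        self.acl.setdefault(subject, set()).update(rights)

    def allows(self, subject, right):
        """Owners have full rights; everyone else needs an explicit ACL entry."""
        return subject == self.owner or right in self.acl.get(subject, set())


# ---- RBAC: privileges attach to task-based roles; users get them via membership ----

# Constructed role definitions and role assignments (the latter is what an
# administrator changes to grant or revoke a user's privileges).
ROLE_PERMISSIONS = {
    "accountant": {"payroll.db:read", "payroll.db:write"},
    "auditor":    {"payroll.db:read", "audit.log:read"},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"auditor"}}


def rbac_allows(user, permission):
    """A user holds a permission only if some role they are a member of holds it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- MAC: labels identify security domains; subject label must dominate object label ----

# Constructed ordered classification levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Equal-or-higher classification and a superset of the other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_allows_read(subject_label, object_label):
    """Neither the subject nor an owner can relax this; the labels decide."""
    return subject_label.dominates(object_label)


if __name__ == "__main__":
    doc = DacObject("report.txt", owner="alice")
    doc.grant("alice", "bob", {"read"})
    print("DAC: bob reads report.txt:", doc.allows("bob", "read"))
    print("RBAC: bob writes payroll.db:", rbac_allows("bob", "payroll.db:write"))
    clearance = Label("secret", frozenset({"crypto"}))
    print("MAC: secret/crypto reads confidential/crypto:",
          mac_allows_read(clearance, Label("confidential", frozenset({"crypto"}))))
```

Note where control sits in each case: in DAC the owner decides, in RBAC an administrator decides by changing role membership, and in MAC nobody involved in the access can override the labels.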

Understand basic risk elements. Risk is the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets. Asset valuation identifies the value of assets, threat modeling identifies threats against these assets, and vulnerability analysis identifies weaknesses in an organization's valuable assets. Access aggregation is a type of attack that combines, or aggregates, nonsensitive information to learn sensitive information and is used in reconnaissance attacks.

Know how brute-force and dictionary attacks work. Brute-force and dictionary attacks are carried out against a stolen password database file or the logon prompt of a system. They are designed to discover passwords. In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible