CISSP Study Guide

CISSP Cram Sheet:
Compiled by: Jason Robinett, Ascend Solutions
Last Updated 4/10/02
NOTE:
This guide does not replace in any way the outstanding value of the ISC2 CISSP CBK Seminar,
nor the fact that you must have been directly involved in the security field or one of the 10
domains of expertise for at least 3 years if you intend to take the CISSP exam. This booklet
simply intends to make your life easier and to provide you with a centralized and compiled list of
resources for this particular domain of expertise. Instead of a list of headings, we will attempt to
give you the headings along with the information to supplement the headings.
As with any security related topic, this is a living document that will and must evolve as other
people read it and technology evolves. Please feel free to send comments and input to be added
to this document. Any comments, typo correction, etc… are most welcome and can be sent
directly to jasonr@ascendsolutions.com. Thanks.
Domain 1: Access Control Systems & Methodology
Domain Definition:
Access control is the collection of mechanisms that permits managers of a system to exercise a
directing or restraining influence over the behavior, use, and content of a system. It permits
management to specify what users can do, which resources they can access, and what
operations they can perform on a system.
CISSP students should fully understand access control concepts, methodologies, and
implementation within centralized and decentralized environments across the entire Enterprise.
Access control techniques and detective and corrective measures should be studied to understand
the potential risks, vulnerabilities, and exposures.
- Accountability – The means of linking individuals to their interactions with an IT product,
  thereby supporting identification of and recovery from unexpected or unavoidable failures of
  the control objectives.
- Access Control Categories – Each category of control should be given equal weight, or else an
  imbalance will be created:
  - Physical Access Control
  - Administrative Access Control
  - Logical Access Control
  - Data Access Control

Types of Access Controls:
- Preventative (in order to avoid occurrence)
- Detective (in order to detect or identify occurrence)
- Deterrent/Preventative (in order to discourage occurrences)
- Corrective (in order to correct or restore controls)
- Recovery (in order to restore resources, capabilities, or losses)

Examples:
- Physical Preventive Controls include: backups, fences, security guards, locks and keys, and
  badge systems.
- Administrative Preventive Controls include: security awareness training, separation of duties,
  hiring procedures, security policies and procedures, and disaster recovery.
- Technical Preventive Controls include: access control software, antivirus software, library
  control systems, IDS, smart cards, and callback systems.
- Physical Detective Controls include: motion detectors, smoke alarms, closed-circuit TV, and
  alarms.
- Administrative Detective Controls include: security reviews and audits, rotation of duties,
  required vacations, and performance evaluations.
- Technical Detective Controls include: audit trails and intrusion detection expert systems.
Access Control Techniques:
- Mandatory Access Control – Defines an imposed access control level. In this type of control
  system, decisions are based on the privilege (clearance) of the subject (user) and the
  sensitivity (classification) of the object (file), expressed through labeling. For example,
  the military classifies a document as secret. A user can be granted the secret privilege and
  have access to objects with this classification or lower, as long as they have a “need to
  know”.
- Rule-based Access Control – A type of MAC, because access is determined by rules (use of
  classification labels) and not by the identity of the subjects and objects alone. Usually
  based on a specific profile for each user, allowing information to be easily changed for
  only one user.
- Discretionary Access Control – Access controls that are not policy based. In this method,
  the subject has authority, within certain limitations, to specify which objects can be
  accessed, often through the use of ACLs.
- Non-Discretionary Access Controls – A central authority determines what subjects can have
  access to certain objects based on the organizational security policy. These controls may
  be based on the individual’s role (role-based) or the subject’s responsibilities
  (task-based). Often useful in organizations where there are frequent personnel changes.
- Lattice Based Access Control – Pairs of elements that have a least upper bound of values
  and a greatest lower bound of values. To apply this concept to access controls, the pair of
  elements is the subject and the object, and the subject has the greatest lower bound and
  the least upper bound of access rights to an object. This allows one to combine objects
  from different security classes and determine the appropriate classification for the
  result, by showing that any combination of security objects must maintain the lattice rule
  between objects.
  - Example: A <= A. If A <= B and B <= C, then A <= C.
- Role-Based Access Control – Access decisions are based on the roles that individual users
  have as part of an organization. Access rights are grouped by role name, and the use of
  resources is restricted to individuals authorized to assume the associated role. Allows
  security to be managed at a level that corresponds closely to the organization’s
  structure. Users with similar jobs are pooled into logical groups for the purposes of
  controlling access, and access is provided according to business requirements.
- Access Control Lists – A method of coordinating access to resources based on the listing
  of permitted (or denied) users, network addresses, or groups for each resource.
Access Control Administration:
- Account Administration – Accounts should be monitored regularly. It is also advisable to
  have procedures in place to verify password strength.
- Account, Log, and Journal Monitoring – Log files are usually a good way to find an
  indication of abnormal activities.
  - Logging – Logging should be done 24/7 on all necessary systems. In order to provide
    dependable and secure logging, make sure that:
    - All computers have their clocks synchronized
    - Logs are encrypted when traveling on the network, if possible
    - Logs are stored on a protected machine
    - Logs are not modified without a record of the modification
  - Storage – All logs should be kept in archive for a period of time determined by company
    policy and must be secured in storage.
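The last two logging requirements (a protected store, and no modification without a record) can be enforced mechanically by chaining the archived records with a hash. The following is an added example, not part of the cram sheet; the log lines are constructed samples and the record layout (entry, prev, hash) is an assumption of this example.

```python
"""Added example (not part of the cram sheet): a hash chain over archived
log records so that any edit, insertion or deletion is detectable. The
sample log lines are constructed; the record layout is an assumption."""
import hashlib
from typing import Dict, List

GENESIS = "0" * 64  # anchor value for the first record's "prev" link

# Constructed sample log lines from clock-synchronized hosts (UTC).
SAMPLE_LOG = [
    "2002-04-10T08:00:01Z host1 sshd: accepted login for alice from 10.0.0.5",
    "2002-04-10T08:02:15Z host1 sudo: alice ran /usr/bin/less /var/log/messages",
    "2002-04-10T08:05:40Z host2 sshd: failed login for root from 10.0.0.9",
]


def _link(prev_hash: str, entry: str) -> str:
    """Each record's hash covers its own text and the previous record's hash,
    so changing any record breaks every link after it."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()


def chain_logs(lines: List[str], genesis: str = GENESIS) -> List[Dict[str, str]]:
    """Wrap plain log lines into chained records ready for archiving."""
    records, prev = [], genesis
    for line in lines:
        digest = _link(prev, line)
        records.append({"entry": line, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records: List[Dict[str, str]], genesis: str = GENESIS) -> int:
    """Return -1 if the archive is intact, otherwise the index of the first
    record whose link no longer checks out."""
    prev = genesis
    for index, record in enumerate(records):
        if record["prev"] != prev or record["hash"] != _link(prev, record["entry"]):
            return index
        prev = record["hash"]
    return -1


if __name__ == "__main__":
    archive = chain_logs(SAMPLE_LOG)
    print("intact archive:", verify_chain(archive))
    archive[1]["entry"] = archive[1]["entry"].replace("alice", "someone_else")
    print("first tampered record:", verify_chain(archive))
```

The chain only helps if the final hash is recorded somewhere the archive writer cannot rewrite (a separate host, write-once media, or a signed checkpoint); otherwise whoever can edit the archive can simply recompute the whole chain. Any legitimate correction is made by appending a new record that describes the change, never by editing an old one.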
Access Rights and Permissions:
- Establishment (Authorization) – Determines whether a particular principal, who has been
  authenticated as the source of a request to do something, is trusted for that operation.
  Authorization may also include controls on the time at which this action can take place or
  which IP address may request it.
- File and Data Owners, Custodians, and Users – All information generated or used must have a
  designated owner. The owner must determine the appropriate classification and access
  controls. The owner is also responsible for ensuring appropriate controls for the storage,
  handling, and distribution of the data. Custodians are charged by the owners with the
  everyday care of the data (backups, etc.). Users are the subjects that require the data to
  perform their jobs.
- Principle of Least Privilege – Requires that a user be given no more privilege than
  necessary to perform a job. Ensuring least privilege requires identifying what the user’s
  job is, determining the minimum set of privileges required to perform that job, and
  restricting the user to a domain with those privileges and nothing more.
- Segregation of Duties and Responsibilities – Requires that for particular sets of
  transactions, no single individual be allowed to execute all the transactions within the
  set. Can be either static or dynamic.
Access Control Models:
- Bell-LaPadula (BLP) – The BLP model is built on state machine concepts and focuses on
  confidentiality. It defines a set of allowable states in a system. The transition from one
  state to another upon receipt of an input is defined by transition functions. The objective
  of this model is to ensure that the initial state is secure and that the transitions always
  result in a secure state. BLP defines a secure state through three multilevel properties:
  - Simple Security Property (SS) – States that reading of information by a subject at a
    lower level from an object at a higher level is not permitted (no read up).
  - * Security Property (Star) – States that writing of information by a subject at a
    higher level to an object at a lower level is not permitted (no write down).
  - Discretionary Security Property (DS) – Uses an access matrix to specify discretionary
    access controls.
  The model prevents users and processes from reading above their security level. In
  addition, it prevents processes with any given classification from writing data to a lower
  classification. The “no write down” rule prevents placing data that is not sensitive in
  itself, but is contained in a sensitive document, into less sensitive files.

- Biba – The Biba model is lattice-based and uses the less-than-or-equal-to relation. Focuses
  on integrity. Biba specifies the following three integrity axioms:
  - Simple Integrity Axiom – States that a subject at one level of integrity is not
    permitted to observe (read) an object of a lower integrity (no read down).
  - * Integrity Axiom (Star) – States that a subject at one level of integrity is not
    permitted to modify (write to) an object of a higher level of integrity (no write up).
    For example, if a process can write above its security level, trustworthy data could be
    contaminated by the addition of less trustworthy data.
  - A subject at one level of integrity cannot invoke a subject at a higher level of
    integrity.
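The lattice rule (A <= A; A <= B and B <= C gives A <= C) from the Access Control Techniques section, the two BLP properties, and the two Biba axioms all reduce to one dominance test on labels. The following is an added example, not part of the cram sheet: the level names, the categories used for need-to-know, and the subjects and objects are constructed for illustration.

```python
"""Added example (not part of the cram sheet): a security lattice with the
Bell-LaPadula confidentiality rules and the Biba integrity rules written as
reference-monitor checks. Levels, categories, subjects and objects are
constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed linear ordering of sensitivity levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical level plus a set of categories
    (the categories carry the "need to know" part of the decision)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset
        of categories. Reflexive and transitive by construction; two labels
        with disjoint categories are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def least_upper_bound(a: Label, b: Label) -> Label:
    """Combining two objects yields the least upper bound: the lowest label
    that dominates both inputs, which is the classification of the result."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.categories | b.categories)


# Bell-LaPadula: compare subject clearance with object classification.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (the object must dominate the subject)."""
    return obj.dominates(subject)


# Biba: the same lattice ordered by trustworthiness, with the rules flipped.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity axiom: no read down."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity axiom: no write up."""
    return subject.dominates(obj)


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))
    memo = Label("confidential", frozenset({"crypto"}))
    plan = Label("top_secret", frozenset({"crypto", "nuclear"}))
    print("BLP: analyst reads memo ->", blp_can_read(analyst, memo))
    print("BLP: analyst reads plan ->", blp_can_read(analyst, plan))
    print("BLP: analyst writes memo ->", blp_can_write(analyst, memo))
    print("Biba: analyst writes memo ->", biba_can_write(analyst, memo))
    print("LUB(memo, plan) ->", least_upper_bound(memo, plan))
```

Note how the two models disagree on the same request: under BLP the secret analyst may read the confidential memo but not write to it, while under Biba (reading the labels as integrity levels) the analyst may write down to it but not read from it. A system that needs both properties has to keep two separate label sets.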

- Clark-Wilson – This model places emphasis on integrity, both internal and external
  consistency. Clark-Wilson uses well-formed transactions, separation of duties, and the
  labeling of subjects and objects with programs to maintain integrity. BLP is oriented more
  toward a general-purpose operating system, whereas Clark-Wilson is oriented toward an
  application-level IT system. Security properties are partly defined through five
  certification rules, suggesting the checks that should be conducted so that the security
  policy is consistent with the application requirements.
  - CDI (Constrained Data Item) – A data item whose integrity must be preserved.
  - IVPs (Initial Verification Procedures) – Confirm that all CDIs are in a valid integrity
    state when the IVP is run.
  - TP (Transformation Procedure) – Manipulates the CDIs through a well-formed transaction,
    which transforms a CDI from one valid integrity state to another.
  - UDI (Unconstrained Data Item) – Data items outside of the control area, such as input
    information.
  - Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the
    UDI and perform no transformation at all.
  - The model consists of subject/program/object triples and rules about data, application
    programs, and triples.
  - The model incorporates mechanisms to enforce internal and external consistency, a
    separation of duty, and a mandatory integrity policy.
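The Clark-Wilson vocabulary above maps onto code quite directly: CDIs are the protected records, the IVP is a check that runs before any change, TPs are the only functions allowed to touch CDIs, the triples are the authorization table, and raw input is a UDI until it has been validated. The following is an added example, not part of the cram sheet; the ledger, its integrity invariant, the users and the triples are all constructed for illustration.

```python
"""Added example (not part of the cram sheet): a toy Clark-Wilson enforcement
layer over a constructed ledger. The invariant, users and triples are
illustrative assumptions."""
from typing import Dict


class IntegrityViolation(Exception):
    """Raised whenever a rule of the model would be broken."""


# Constructed integrity constraint for the ledger (the CDIs): balances are
# non-negative integers and funds are conserved across every transfer.
EXPECTED_TOTAL = 150


def ivp_check(cdis: Dict[str, int]) -> bool:
    """IVP: confirm every CDI is in a valid integrity state."""
    return (all(isinstance(v, int) and v >= 0 for v in cdis.values())
            and sum(cdis.values()) == EXPECTED_TOTAL)


# Access triples (subject, TP, CDI). Separation of duties is the absence of
# any (bob, "transfer", ...) triple: the auditor can look but never move funds.
TRIPLES = {
    ("alice", "transfer", "ops"),
    ("alice", "transfer", "payroll"),
    ("bob", "audit", "ops"),
    ("bob", "audit", "payroll"),
}


def authorized(user: str, tp: str, cdi: str) -> bool:
    return (user, tp, cdi) in TRIPLES


def udi_to_amount(udi: str) -> int:
    """Validate a UDI (raw input) into a value a TP may act on, or reject it.
    str.isdigit() refuses signs, spaces and decimals, so '-5' never gets in."""
    if not udi.isdigit():
        raise IntegrityViolation(f"rejected UDI {udi!r}")
    return int(udi)


def transfer(user: str, src: str, dst: str, raw_amount: str,
             cdis: Dict[str, int]) -> Dict[str, int]:
    """TP: a well-formed transaction. Every check runs before any CDI is
    touched, and the change is applied atomically or not at all."""
    for cdi in (src, dst):
        if not authorized(user, "transfer", cdi):
            raise IntegrityViolation(f"{user} may not run transfer on {cdi}")
    if not ivp_check(cdis):
        raise IntegrityViolation("CDIs not valid before the TP; refusing to run")
    amount = udi_to_amount(raw_amount)
    if cdis[src] < amount:
        raise IntegrityViolation("insufficient funds; transaction refused")
    proposed = dict(cdis)
    proposed[src] -= amount
    proposed[dst] += amount
    if not ivp_check(proposed):
        raise IntegrityViolation("TP would leave CDIs in an invalid state")
    cdis.update(proposed)
    return dict(cdis)


def audit(user: str, cdi: str, cdis: Dict[str, int]) -> int:
    """A read-only TP: auditors may inspect balances but never change them."""
    if not authorized(user, "audit", cdi):
        raise IntegrityViolation(f"{user} may not run audit on {cdi}")
    return cdis[cdi]


if __name__ == "__main__":
    ledger = {"ops": 100, "payroll": 50}  # constructed CDIs
    print(transfer("alice", "ops", "payroll", "30", ledger))
    try:
        transfer("bob", "ops", "payroll", "1", ledger)
    except IntegrityViolation as err:
        print("blocked:", err)
```

The point to take from the example is that the application code never reaches the ledger except through `transfer` and `audit`; certification is the review of those two procedures against the invariant, and enforcement is the triple lookup at run time.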

- Non-Interference Model – This model is related to the information flow model, with
  restrictions on the information flow. The basic principle of this model is that a group of
  users (A), who are using the commands (C), do not interfere with the user group (B), who are
  using the commands (D).

- State Machine Model – This model captures the state of a system. A state can change only at
  discrete points in time, i.e., triggered by a clock or input event.
  - How to use state machine models:
    - Define the state set so that it captures “security”
    - Check that all state transitions starting in a “secure” state yield a “secure” state
    - Check that the initial state of the system is “secure”
    - A state transition is secure if it goes from a secure state to a secure state.

- Access Matrix Model – Defined as the policy for user authentication, and has several
  implementations such as access control lists (ACLs) and capabilities. It is used to describe
  which users have access to what objects.
  - The matrix consists of four major parts:
    - A list of objects
    - A list of subjects
    - A function T that returns an object’s type
    - The matrix itself, with objects making the columns and the subjects making the rows
  - The two most used implementations are access control lists and capabilities. ACLs are
    achieved by placing on each object a list of users and their associated rights
    (columns). Capabilities are accomplished by storing on each subject a list of rights the
    subject has for every object (rows).
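To make the column/row distinction concrete, the following is an added example, not part of the cram sheet: a small access matrix, the type function T, and the two projections (an ACL is one column stored with the object, a capability list is one row stored with the subject). The subjects, objects, rights and the type-based rule that logs may only be appended to are all constructed for illustration.

```python
"""Added example (not part of the cram sheet): an access matrix with its ACL
(column) and capability-list (row) projections, plus a type function T that
constrains which rights an object can ever carry. All data is constructed."""
from typing import Dict, Set

SUBJECTS = ["alice", "bob", "backup_svc"]
OBJECTS = ["payroll.db", "audit.log", "backup_tape"]

# The matrix: rows are subjects, columns are objects, each cell is the set of
# rights the subject holds on the object (missing cells mean no rights).
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice":      {"payroll.db": {"read", "write"}},
    "bob":        {"payroll.db": {"read"}, "audit.log": {"append"}},
    "backup_svc": {"payroll.db": {"read"}, "backup_tape": {"write"}},
}

# T: the function that returns an object's type (constructed types).
T = {"payroll.db": "database", "audit.log": "log", "backup_tape": "media"}

# Constructed type policy: an audit log can be read or appended to, never
# rewritten, whoever the subject is. T lets the monitor enforce that once.
ALLOWED_BY_TYPE = {
    "database": {"read", "write"},
    "log": {"read", "append"},
    "media": {"read", "write"},
}


def rights(subject: str, obj: str) -> Set[str]:
    """Cell lookup: the rights a subject holds on an object."""
    return set(MATRIX.get(subject, {}).get(obj, set()))


def has_right(subject: str, obj: str, right: str) -> bool:
    """The reference monitor's question for a single access request."""
    return right in rights(subject, obj)


def acl(obj: str) -> Dict[str, Set[str]]:
    """ACL = one column of the matrix, kept with the object."""
    return {s: rights(s, obj) for s in SUBJECTS if rights(s, obj)}


def capability_list(subject: str) -> Dict[str, Set[str]]:
    """Capability list = one row of the matrix, kept with the subject."""
    return {o: rights(subject, o) for o in OBJECTS if rights(subject, o)}


def grant(subject: str, obj: str, right: str) -> bool:
    """Add a right to a cell, refusing anything the object's type forbids.
    Returns True only if the matrix actually changed."""
    if right not in ALLOWED_BY_TYPE[T[obj]]:
        return False
    cell = MATRIX.setdefault(subject, {}).setdefault(obj, set())
    if right in cell:
        return False
    cell.add(right)
    return True


if __name__ == "__main__":
    print("ACL for payroll.db:", acl("payroll.db"))
    print("capabilities of bob:", capability_list("bob"))
    print("grant bob write on audit.log:", grant("bob", "audit.log", "write"))
```

The same matrix answers both "who can touch this object?" (walk the ACL) and "what can this subject touch?" (walk the capability list); which projection a system stores decides which of those questions is cheap to answer, and therefore how easy it is to review or revoke access.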
- Information Flow Model – This model is based on a state machine, and it consists of
  objects, state transitions, and lattice states. In this context, objects can also represent
  users. Each object is assigned a security class and value, and information is constrained
  to flow in the directions that are permitted by the security policy.
Identification and Authentication Techniques:
- Identification – The act of a user professing an identity to a system, usually in the form
  of a logon.
- Authentication – The verification that the user’s claimed identity is valid; usually
  implemented through a password at logon time.
- Authentication is based on the following three factor types:
  - Type 1: Something you know, such as a PIN or password
  - Type 2: Something you have, such as a smart card
  - Type 3: Something you are, such as a fingerprint

- Knowledge-based: Passwords, PINs, and Passphrases
  - Passwords – Several schemes can be used:
    - User selected
    - Generated
    - Token generated
    - Default
    - Composition – Combination of two totally unrelated words
  - Passphrases – Good way of having very strong passwords
  - Password Management Issues
    - Lifetime Considerations
      - Cost of replacement
      - Risk of compromise
      - Guessing attacks
      - Number of times used
    - Password Changing Considerations
      - 60 days for regular users
      - 30 days for privileged users
      - 15 days for security officers
    - Use security policies to control password management issues

- Characteristic-based (biometrics, behavior) – Automated means of identifying or
  authenticating the identity of a living person based on physiological or behavioral
  characteristics. There are three main performance measures in biometrics:
  - False Rejection Rate (FRR) or Type 1 error – The percentage of valid subjects that are
    falsely rejected.
  - False Acceptance Rate (FAR) or Type 2 error – The percentage of invalid subjects that
    are falsely accepted.
  - Crossover Error Rate (CER) – The percentage at which the FRR equals the FAR.
  - Order of Effectiveness:
    - Iris Scan
    - Retina Scan
    - Fingerprint
    - Hand Geometry
    - Voice Pattern
    - Keystroke Pattern
    - Signature
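FRR, FAR and CER are all functions of the acceptance threshold the device is set to, and the CER is simply the threshold at which the two error curves cross. The following is an added example, not part of the cram sheet, that computes all three from matcher scores; the score lists are constructed (a real evaluation needs thousands of enrolments) and the security-first tuning function is this example's own addition.

```python
"""Added example (not part of the cram sheet): FRR, FAR and the crossover
error rate computed from matcher scores by sweeping the acceptance threshold.
The score lists are constructed samples."""
from typing import List, Tuple

# Constructed matcher scores in [0, 1]; higher means a closer match.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.70, 0.65, 0.60, 0.50]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.55, 0.60, 0.70, 0.80]


def frr(threshold: float, genuine: List[float]) -> float:
    """Type 1 error: fraction of valid subjects scoring below the threshold."""
    return sum(score < threshold for score in genuine) / len(genuine)


def far(threshold: float, impostor: List[float]) -> float:
    """Type 2 error: fraction of invalid subjects scoring at or above it."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def crossover(genuine: List[float], impostor: List[float],
              steps: int = 100) -> Tuple[float, float, float]:
    """Sweep thresholds and return (threshold, FRR, FAR) where the two rates
    are closest to equal; the error rate at that point is the CER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        rej, acc = frr(t, genuine), far(t, impostor)
        gap = abs(rej - acc)
        if best is None or gap < best[0]:
            best = (gap, t, rej, acc)
    return best[1:]


def threshold_for_max_far(max_far: float, genuine: List[float],
                          impostor: List[float],
                          steps: int = 100) -> Tuple[float, float, float]:
    """Security-first tuning: the lowest threshold whose FAR stays at or
    below max_far, reported with the FRR that legitimate users will pay."""
    for i in range(steps + 1):
        t = i / steps
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine), far(t, impostor)
    return 1.0, frr(1.0, genuine), far(1.0, impostor)


if __name__ == "__main__":
    print("crossover (threshold, FRR, FAR):",
          crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("threshold for FAR <= 10%:",
          threshold_for_max_far(0.10, GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold lowers the FAR and raises the FRR, so the CER is a single number for comparing devices, not the setting to deploy: a door to a server room is tuned for a low FAR and accepts the extra rejections, while a convenience login may be tuned the other way.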
- Token – A software or hardware object used to represent an identity in an authentication
  process. This object is used to control access and is passed between cooperating entities
  in a protocol that synchronizes use of a shared resource.
- Tickets – TBD
- One-Time Passwords – TBD
- Smart Card
- Administrative
- Single Sign-On (SSO) – Single sign-on addresses the cumbersome situation of logging on
  multiple times to access different resources. Users identify themselves only once to a
  system; the information needed for future access to resources is then forwarded by the
  initial system.
  - Pros
    - More efficient user log-on process
    - The ability to use stronger passwords
  - Cons
    - Once a user has logged on, they can freely roam the network
  - Kerberos (MIT Project Athena) – A trusted third-party authentication protocol that was
    developed at MIT. Using symmetric key cryptography, it authenticates clients to other
    entities on a network from which a client requires services.
  - SESAME (Secure European System for Applications in a Multivendor Environment) –
    Addresses the weaknesses in Kerberos. Uses public key cryptography for the distribution
    of the secret keys and provides additional access control support. It uses the
    Needham-Schroeder protocol.
Access Control Methodologies and Implementation:
- Centralized/Remote Authentication Access Controls
  - RADIUS (Remote Authentication Dial In User Server) – A protocol for carrying
    authentication, authorization, and configuration information between a Network Access
    Server, which desires to authenticate its links, and a shared Authentication Server.
    - Uses the client/server model
    - Transactions between the client and the RADIUS server are authenticated through the
      use of a shared secret, which is never sent over the network.
  - TACACS – A client/server protocol for handling authentication, authorization, and
    accounting messages.
    - TACACS+ is the latest Cisco implementation. It provides attribute control
      (authorization) and accounting. Authorization can be done on a per-user/per-group
      basis, and is dynamic.
- Decentralized Access Control – Domains are based on trust; trust relationships can
  sometimes be compromised if proper care is not taken.
  - Domains – A security domain is a single domain of trust that shares a single security
    policy and a single management source. Usually, domains are defined as a sphere of
    influence.
  - Trust – A Trusted Subject is a subject that is part of the TCB.
File and Data Ownership and Custodianship:
- Implementation of data classification requires support from higher management. It is
  useless if the policies are not enforced at the highest level.
- The ISO should consider developing the policy as follows:
  - Define information as an asset of the business unit
  - Declare local business managers as owners of the information
  - Establish Information Systems staff as custodians of the information
  - Clearly define roles and responsibilities
  - Determine data classification criteria
  - Determine controls for each classification
Methods of Attack:
- Brute Force – Identifying secret data by testing all possible combinations.
- Denial of Service – An attack on the operating system that renders the target unable to
  reply reliably.
- Spoofing – An attack in which one person or process pretends to be another person or
  process that has more privileges.
- Dictionary – A password attack that involves trying a list of possible passwords.
- Spamming – Involves repeatedly sending identical e-messages to a particular address.
- Man-in-the-Middle – Commonly consists of the attacker intercepting or changing traffic
  destined for another machine.
- Sniffers – A program or device that monitors data traveling over a network.
- Crackers – Individuals who try to break into computer systems.
Monitoring:
- Intrusion Detection – The process of monitoring the events occurring in a computer system
  or network and analyzing them for signs of intrusions.
  - IDS Types
    - Network-Based IDS – Provides reliable, real-time information without consuming
      network or host resources. Listens to the network passively for known attacks.
    - Host-Based IDS – Reviews the system and event logs in order to detect an attack on
      the host, or to determine whether the attack was successful.
  - IDS Detection Methods
    - Signature-Based ID – In a signature-based ID, signatures or attributes of known
      attacks are referenced and compared against observed activity.
    - Statistical Anomaly-Based ID – The IDS acquires data and defines a “normal” usage
      profile for the systems; deviations from that profile are flagged.
  - Types of Intrusions
    - Input Validation Error
    - Buffer Overflow
    - Boundary Condition
    - Access Validation Error
    - Exceptional Condition Handling Error
    - Environmental Error
    - Configuration Error
    - Race Condition
Penetration Testing:
- Phase 1 – Information Gathering
- Phase 2 – Gaining Access
- Phase 3 – Denying Services
- Phase 4 – Evade Detection
- Phase 5 – Backdoor and Covering Tracks