The CISSP objectives are changing effective January 1, 2012. I recently analyzed the Access Control domain and noticed several noteworthy changes. It is more direct on rights and permissions, adds more on account management and includes several specifics on access control attacks.
First, the introduction is much more direct on accessing and revoking permissions. In general, permissions refer to what you can do with resources such as reading, modifying, or deleting a file and rights refer to what you can do on a system such as changing the time or backing up data. The Access Control domain intertwines these by referring to application permissions that give a user the right to execute a program, and data rights that give the right to retrieve or update information in a database.
This reminds me of the basics of what you can do with data in a database: CRUD.
- Create (data)
- Read (data)
- Update (data)
- Delete (data)
I’m most familiar with Microsoft’s SQL Server and its databases. It includes the ability to grant permissions to databases, tables, and other objects within a database. Some of these permissions provide the ability to access data (such as Select permission to read data. Other permissions provide the ability to execute a right (such as Execute on a stored procedure). Database applications are often granted the right to access data and objects within the database using role-based access control.
Second, access control attacks are expanded with the following four bullets:
- Threat modeling
- Asset valuation
- Vulnerability analysis
- Access aggregation
I don’t think that this is a significant change as much as a clarification of what (ISC)2 is trying to address in the Understanding Access Control Attacks section. Most CISSP books that I’ve run across hit these topics, but during your studies, you may like to double-check to ensure that the book is covering these topics directly.
Last, there is much deeper focus on account management. The Assess Effectiveness of Access Controls topic is expanded to include the following two bullets:
- User entitlement
- Access review & audit
Additionally, a new topic has been added: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation).
This indicates a strong focus on account management through the lifetime of an account. Items to consider are:
- Are procedures in place to ensure that users are granted only the access they need and no more? Roles or groups are commonly used so they are important to understand.
- Are inactive accounts disabled or deleted? If not, they are a significant vulnerability. Think about what can be done with ex-employee account that remains enabled.
- Are procedures in place to ensure users have only the access they need and no more? Think about least privilege and need to know. Permission and rights bloat can be a problem if users move jobs gaining new rights and permissions but previously assigned permissions and rights are not revoked?
- Are accounts reviewed/audited regularly? This can verify if inactive accounts are disabled, and if principle of least privilege is followed.