Cissp Domain 6 Security Assessment and Testing

This document discusses security assessment and testing in six domains: assessment and test strategies; security process data; security control testing; security architectures vulnerabilities; control models including MAC, DAC, role-based access control, and lattice-based access control; control types including centralized and decentralized models and hybrid models; and single sign-on using Kerberos. Key points covered include penetration testing techniques, employment policies and security awareness training, mandatory access control rules, identity-based access control, and the Kerberos authentication process.

Uploaded by srivatsan_ece
Domain 6 – Security Assessment and Testing

- Assessment and test strategies – what kind of testing; test cases help security
- Security process data (management and operational controls)
- Security control testing
- Security architecture vulnerabilities

Assessment and Test Strategies

- Pen test
- War dialing – using a bank of modems
- Sniffing – monitoring network traffic
- Eavesdropping – listening
- Dumpster diving – sifting through discarded documents, etc.
- Social engineering – human manipulation
Security Process Data

- Employment policies and practices – termination process and background checks
- Roles and responsibilities – management sets the standard and verbalizes the policy
- Security awareness training – prevents social engineering
Control Models – MAC

- Mandatory set of rules
- Rule-based access control
- Data owners have less freedom than under DAC
- Access granted on rules or security labels
- More secure (government)
- Every resource has a label, every user has a clearance
- Embodies the concept of need to know
Control Models – DAC

- Identity-based access control
- Owner specifies access levels
- Unix and Windows
- Most common access control
Control Models – Non-Discretionary

- Role-based access control
  - Access based on job description
  - Good for high staff turnover
- Lattice-based access control
  - Access based on job role and the task
Control Types – Centralized and Decentralized

- Centralized
  - All objects controlled at a central point
  - Very strict access control
  - Ease of administration
  - Types:
    - RADIUS – serves dial-in users; incorporates an authentication server and dynamic passwords
    - TACACS – static password
    - TACACS+ – supports token authentication
- Decentralized
  - Remote authentication
  - Decision is closer to the objects
  - More administration overhead
  - Different user rights around the network
- Hybrid model
  - A mixture of centralized and decentralized
Single Sign-On – Kerberos

- Symmetric key cryptography
- Components
  - KDC – holds the cryptographic keys
  - Tickets
  - TGS
- Process
  - Subject requests access to an object
  - Request goes via the KDC – includes a session key derived from the user's password
  - KDC generates a ticket for the subject and the object
  - Subject validates that the ticket came from the KDC
  - Subject sends the ticket to the object
  - Object validates the ticket
  - Object grants access to the subject – a kerberized session is established
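The Process bullets above, worked through as an added Python example that is not part of these slides: a toy KDC, subject and object that share only symmetric keys, so the subject can tell the reply came from the KDC (only the KDC holds its password-derived key), the object can verify the ticket (only the KDC holds the service key), and an expired ticket or a wrong password is refused. The SHA-256 keystream cipher, the principal names, the salt and the five-minute ticket lifetime are all constructed for illustration and are not real Kerberos.

```python
"""Toy Kerberos-style single sign-on (added illustration, not real Kerberos): the KDC
shares one long-term key with the user (password-derived) and one with the service."""
import hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC with a SHA-256 keystream (toy cipher, illustration only)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    """Verify the MAC before decrypting; returns None for a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password: str) -> bytes:  # long-term key derived from the user's password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"kdc-salt", 10_000)

# Constructed KDC key database (hypothetical principal names).
SERVICE_KEY = os.urandom(32)
KDC_DB = {"alice": user_key("correct horse"), "fileserver": SERVICE_KEY}

def kdc_issue(user: str, service: str, now: float) -> bytes:
    """KDC: mint a session key, seal a ticket for the service, seal the reply for the user."""
    session = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"user": user, "session": session, "expires": now + 300})
    return seal(KDC_DB[user], {"session": session, "ticket": ticket.hex()})

def service_check(ticket: bytes, user: str, authenticator: bytes, now: float) -> bool:
    """Object: open the ticket with its own key, then check expiry and the authenticator."""
    t = unseal(SERVICE_KEY, ticket)  # None means the ticket was forged or tampered with
    if t is None or t["user"] != user or now > t["expires"]:  # also rejects expired tickets
        return False
    expected = hmac.new(bytes.fromhex(t["session"]), f"{user}:{int(now)}".encode(), "sha256").digest()
    return hmac.compare_digest(authenticator, expected)

def client_access(user: str, password: str, service: str, now: float, presented_at: float) -> bool:
    """Subject: opening the reply with the password-derived key proves it came from the KDC."""
    reply = unseal(user_key(password), kdc_issue(user, service, now))
    if reply is None:  # wrong password: the reply is unreadable, so access stops here
        return False
    session = bytes.fromhex(reply["session"])
    authenticator = hmac.new(session, f"{user}:{int(presented_at)}".encode(), "sha256").digest()
    return service_check(bytes.fromhex(reply["ticket"]), user, authenticator, presented_at)
```

`presented_at` is the object's clock when the ticket arrives; passing a time past the ticket's expiry shows the object refusing a stale ticket.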
