SSCP Practice Test Questions

1048 Questions


Topic 1: Access Control

What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time?

A. Authentication
B. Identification
C. Integrity
D. Confidentiality

Answer: A. Authentication

Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

RADIUS incorporates which of the following services?

A. Authentication server and PIN codes.
B. Authentication of clients and static passwords generation.
C. Authentication of clients and dynamic passwords generation.
D. Authentication server as well as support for Static and Dynamic passwords.

Answer: D. Authentication server as well as support for Static and Dynamic passwords.

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. RADIUS authentication is based on the provision of simple username/password credentials. These credentials are encrypted by the client using a shared secret between the client and the RADIUS server. (OIG 2007, Page 513)

RADIUS incorporates an authentication server and can make use of both dynamic and static passwords. Since it uses the PAP and CHAP protocols, it also includes static passwords.

RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (Internet Engineering Task Force) document RFC2138.

The term "RADIUS" is an acronym which stands for Remote Authentication Dial In User Service. The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access.

Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry into the system, the user must generate this one-time number and provide his or her user ID and password.

Although protocols such as RADIUS cannot protect against theft of an authenticated session via some real-time attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active attacks.

RADIUS: Key Features and Benefits

Feature: RADIUS supports dynamic passwords and challenge/response passwords.
Benefit: Improved system security due to the fact that passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms.

Feature: RADIUS allows the user to have a single user ID and password for all computers in a network.
Benefit: Improved usability due to the fact that the user has to remember only one login combination.

Feature: RADIUS is able to:
- Prevent RADIUS users from logging in via login (or ftp).
- Require them to log in via login (or ftp).
- Require them to log in to a specific network access server (NAS).
- Control access by time of day.
Benefit: Provides very granular control over the types of logins allowed, on a per-user basis.

Feature: The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable.
Benefit: RADIUS gives the System Administrator more flexibility in managing which users can log in from which hosts or devices.

Stratus Technology Product Brief: http://www.stratus.com/products/vos/openvos/radius.htm

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 44.
Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46.

What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?

A. Authentication
B. Identification
C. Authorization
D. Confidentiality

Answer: B. Identification

Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system.

Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself.

In the information security world, this is analogous to entering a username. It’s not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as.

NOTE: The word "professing" used above means: "to say that you are, do, or feel something when other people doubt what you say". This is exactly what happens when you provide your identifier (identification): you claim to be someone, but the system cannot take your word for it, so you must further authenticate to the system to prove who you claim to be.

The following are incorrect answers:

Authentication: is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as “jsmith”, it’s most likely going to ask you for a password. You’ve claimed to be that person by entering the name into the username field (that’s the identification part), but now you have to prove that you are really that person.
Many systems use a password for this, which is based on “something you know”, i.e. a secret between you and the system.
Another form of authentication is presenting something you have, such as a driver’s license, an RSA token, or a smart card.
You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication.
Once you’ve successfully authenticated, you have now done two things: you’ve claimed to be someone, and you’ve proven that you are that person. The only thing that’s left is for the system to determine what you’re allowed to do.

Authorization: is what takes place after a person has been both identified and authenticated; it’s the step that determines what a person can then do on the system.
An example in people terms would be someone knocking on your door at night. You say, “Who is it?”, and wait for a response. They say, “It’s John.” in order to identify themselves. You ask them to back up into the light so you can see them through the peephole. They do so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house.
If they had said they were someone you didn’t want in your house (identification), and you then verified that it was that person (authentication), the authorization phase would not include access to the inside of the house.

Confidentiality: is one part of the CIA triad. It prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is a credit card number while shopping online: the merchant needs it to clear the transaction, but you do not want your information exposed over the network, so you would use a secure link such as SSL, TLS, or some tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a common method of ensuring confidentiality.

The other parts of the CIA triad are listed below:
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state.
Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.

Reference used for this question:
http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
http://www.danielmiessler.com/blog/security-identification-authentication-and-authorization
http://www.merriam-webster.com/dictionary/profess
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

Which of the following is most relevant to determining the maximum effective cost of access control?

A. the value of information that is protected
B. management's perceptions regarding data importance
C. budget planning related to base versus incremental spending
D. the cost to replace lost data

Answer: A. the value of information that is protected

The cost of access control must be commensurate with the value of the information that is being protected.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.

Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?

A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.
B. The initial logon process is cumbersome to discourage potential intruders.
C. Once a user obtains access to the system through the initial log-on, they only need to log on to some applications.
D. Once a user obtains access to the system through the initial log-on, he has to log out from all other systems.

Answer: A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.

Single Sign-On is a distributed Access Control methodology where an individual only has to authenticate once and would have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is that if a fraudster is able to compromise those credentials, they too would have access to all the resources that account has access to.

All the other answers are incorrect as they are distractors.

How are memory cards and smart cards different?

A. Memory cards normally hold more memory than smart cards
B. Smart cards provide a two-factor authentication whereas memory cards don't
C. Memory cards have no processing power
D. Only smart cards can be used for ATM cards

Answer: C. Memory cards have no processing power

The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.

A memory card holds a user’s authentication information, so that this user needs only to type in a user ID or PIN and present the memory card to the system. If the entered information and the stored information match and are approved by an authentication service, the user is successfully authenticated.

A common example of a memory card is a swipe card used to provide entry to a building. The user enters a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader flashes green and the individual can open the door and enter the building.

Memory cards can also be used with computers, but they require a reader to process the information. The reader adds cost to the process, especially when one is needed for every computer. Additionally, the overhead of PIN and card generation adds overhead and complexity to the whole authentication process. However, a memory card provides a more secure authentication method than using only a password because the attacker would need to obtain the card and know the correct PIN. Administrators and management need to weigh the costs and benefits of a memory card implementation as well as the security needs of the organization to determine if it is the right authentication mechanism for their environment.

One of the most prevalent weaknesses of memory cards is that data stored on the card are not protected. Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart card, where security controls and logic are embedded in the integrated circuit, memory cards do not employ an inherent mechanism to protect the data from exposure. Very little trust can be associated with the confidentiality and integrity of information on memory cards.

The following answers are incorrect:
"Smart cards provide two-factor authentication whereas memory cards don't" is incorrect. This is not necessarily true. A memory card can be combined with a PIN or password to offer two-factor authentication, where something you have and something you know are used as factors.
"Memory cards normally hold more memory than smart cards" is incorrect. While a memory card may or may not have more memory than a smart card, this is certainly not the best answer to the question.
"Only smart cards can be used for ATM cards" is incorrect. This depends on the decisions made by the particular institution and is not the best answer to the question.

Reference(s) used for this question:
Shon Harris, CISSP All In One, 6th edition, Access Control, Page 199; for people using the Kindle edition of the book you can look at Locations 4647-4650.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 2124-2139). Auerbach Publications. Kindle Edition.

Passwords can be required to change monthly, quarterly, or at other intervals:

A. depending on the criticality of the information needing protection
B. depending on the criticality of the information needing protection and the password's frequency of use
C. depending on the password's frequency of use
D. not depending on the criticality of the information needing protection but depending on the password's frequency of use

Answer: B. depending on the criticality of the information needing protection and the password's frequency of use

Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37.

Which of the following access control models requires defining classification for objects?

A. Role-based access control
B. Discretionary access control
C. Identity-based access control
D. Mandatory access control

Answer: D. Mandatory access control

With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance, and the classification of objects.

The following answers were incorrect:
Identity-based Access Control is a type of Discretionary Access Control (DAC); they are synonymous.
Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of Non Discretionary Access Control (NDAC).

Tip: When you have two answers that are synonymous, they are not the right choice for sure. There is only one access control model that makes use of Labels, Clearances, and Categories: it is Mandatory Access Control; none of the other ones makes use of those items.

Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
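The explanation above says MAC decisions rest on labels, clearances and categories. The following is an added example, not code from the practice test or from any of the cited books, showing what such a label comparison looks like in code: a subject may read an object only when its clearance level is at least the object's classification level and it holds every category the object carries (need-to-know). The level names and category names are constructed for the example; the ordering of levels and the dominance rule are the only logic involved, and any request that fails the rule is denied.

```python
"""Added example: a minimal mandatory access control (MAC) read check based on
labels. A label is a sensitivity level plus a set of categories. The subject's
clearance must dominate the object's classification: higher-or-equal level and
a superset of the categories. Nothing else can grant access, so the default is
deny. Levels and categories below are constructed for the example."""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered from lowest to highest sensitivity; the index gives the ordering.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label's level is >= other's and it covers all of other's categories."""
        if self.level not in LEVELS or other.level not in LEVELS:
            raise ValueError("unknown sensitivity level")
        level_ok = LEVELS.index(self.level) >= LEVELS.index(other.level)
        categories_ok = other.categories <= self.categories
        return level_ok and categories_ok


def mac_can_read(subject_clearance: Label, object_classification: Label) -> bool:
    """Subject may read the object only when its clearance dominates the object's label."""
    return subject_clearance.dominates(object_classification)


def explain(subject_clearance: Label, object_classification: Label) -> str:
    """Human-readable reason for the decision, useful when reviewing access logs."""
    if mac_can_read(subject_clearance, object_classification):
        return "ALLOW: clearance dominates classification"
    if LEVELS.index(subject_clearance.level) < LEVELS.index(object_classification.level):
        return "DENY: clearance level below object classification"
    missing = object_classification.categories - subject_clearance.categories
    return f"DENY: subject lacks categories {sorted(missing)}"


if __name__ == "__main__":
    # Constructed sample subjects and objects.
    analyst = Label("SECRET", frozenset({"PROJECT_X"}))
    clerk = Label("CONFIDENTIAL")
    report = Label("CONFIDENTIAL", frozenset({"PROJECT_X"}))
    plan = Label("SECRET", frozenset({"PROJECT_X", "PROJECT_Y"}))
    for who, what in ((analyst, report), (clerk, report), (analyst, plan)):
        print(who.level, sorted(who.categories), "->", what.level, sorted(what.categories), explain(who, what))
```

The two-part rule is what makes the model mandatory: the owner of the report cannot hand out access; only a change to the subject's clearance or the object's label changes the outcome.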

Which of the following would be true about Static password tokens?

A. The owner identity is authenticated by the token
B. The owner will never be authenticated by the token.
C. The owner will authenticate himself to the system.
D. The token does not authenticate the token owner but the system

Answer: A. The owner identity is authenticated by the token

Password Tokens
Tokens are electronic devices or cards that supply a user's password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between the static and dynamic systems: a static system will normally log a user in, whereas with a dynamic system the user will often have to log themselves in.

Static Password Tokens:
The owner identity is authenticated by the token. This is done by the person who issues the token to the owner (normally the employer). The owner of the token is now authenticated by "something you have". The token authenticates the identity of the owner to the information system. An example of this occurring is when an employee swipes his or her smart card over an electronic lock to gain access to a store room.

Synchronous Dynamic Password Tokens:
This system is a lot more complex than the static token password. The synchronous dynamic password tokens generate new passwords at certain time intervals that are synched with the main system. The password is generated on a small device similar to a pager or a calculator that can often be attached to the user's key ring. Each password is only valid for a certain time period; typing in the wrong password in the wrong time period will invalidate the authentication. The time factor can also be the system's downfall. If a clock on the system or the password token device becomes out of synch, a user can have trouble authenticating themselves to the system.

Asynchronous Dynamic Password Tokens:
The clock synching problem is eliminated with asynchronous dynamic password tokens. This system works on the same principle as the synchronous one but it does not have a time frame. A lot of big companies use this system, especially for employees who may work from home on the company's VPN (Virtual Private Network).

Challenge Response Tokens:
This is an interesting system. A user will be sent special "challenge" strings at either random or timed intervals. The user inputs this challenge string into their token device and the device will respond by generating a challenge response. The user then types this response into the system and if it is correct they are authenticated.

Reference(s) used for this question:
http://www.informit.com/guides/content.aspx?g=security&seqNum=146
and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
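To make the synchronous and challenge/response token types above concrete, here is an added example (not code from the practice test or from the cited sources) in which both the token and the server derive a 6-digit code from a shared secret using HMAC. The time-synchronized variant follows the published TOTP construction (RFC 6238, built on the HOTP code-truncation of RFC 4226) with a 30-second step; the verifier accepts one step of drift either way so a slightly slow clock still works, while a badly drifted clock fails, which is the failure mode the explanation describes. The challenge/response variant replaces the clock with a server-issued challenge. The secret, challenge and timestamps used in the demo are constructed values (the secret is the published RFC test-vector key).

```python
"""Added example: a time-synchronized OTP (TOTP-style) and a challenge/response
token, both built from HMAC with only the Python standard library."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # how long one time-synchronized code stays valid
DIGITS = 6          # length of the displayed code


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1 + dynamic truncation)."""
    counter = unix_time // step                      # both sides must agree on this number
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # last nibble selects 4 bytes
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step or any step within +/- window steps.
    window=0 means the clocks must agree exactly; a larger window tolerates more
    drift at the cost of a longer replay exposure for each code."""
    for delta in range(-window, window + 1):
        candidate = totp_code(secret, server_time + delta * step, step)
        if hmac.compare_digest(candidate, submitted):   # constant-time comparison
            return True
    return False


def challenge_response(secret: bytes, challenge: bytes, digits: int = DIGITS) -> str:
    """Asynchronous token: the response depends on the server's challenge, not on a clock."""
    digest = hmac.new(secret, challenge, hashlib.sha256).digest()
    binary = struct.unpack(">I", digest[:4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_response(secret: bytes, challenge: bytes, submitted: str) -> bool:
    """Server recomputes the expected response for the challenge it issued."""
    return hmac.compare_digest(challenge_response(secret, challenge), submitted)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226/6238 test-vector key (constructed demo use)
    token_time = 59                            # token clock, seconds since the epoch
    code = totp_code(secret, token_time)
    print("token shows", code)
    print("server clock 25 s ahead, window 1:", verify_totp(secret, code, token_time + 25))
    print("server clock 25 s ahead, window 0:", verify_totp(secret, code, token_time + 25, window=0))
    print("server clock 10 min ahead, window 1:", verify_totp(secret, code, token_time + 600))
    challenge = b"server-nonce-0001"          # constructed challenge string
    resp = challenge_response(secret, challenge)
    print("challenge/response ok:", verify_response(secret, challenge, resp))
```

With window=0 the 25-second skew already crosses a step boundary and the login fails, which is the out-of-synch problem the text describes; the challenge/response path has no such dependency because the server decides what is being signed.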

Which of the following statements pertaining to access control is false?

A. Users should only access data on a need-to-know basis.
B. If access is not explicitly denied, it should be implicitly allowed.
C. Access rights should be granted based on the level of trust a company has on a subject.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

Answer: B. If access is not explicitly denied, it should be implicitly allowed.

Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 143).

Which of the following is the most reliable authentication method for remote access?

A. Variable callback system
B. Synchronous token
C. Fixed callback system
D. Combination of callback and caller ID

Answer: B. Synchronous token

A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

The following answers are incorrect:
Variable callback system. Although variable callback systems are more flexible than fixed callback systems, the system assumes the identity of the individual unless two-factor authentication is also implemented. By itself, this method might allow an attacker access as a trusted user.
Fixed callback system. Authentication provides assurance that someone or something is who or what he/it is supposed to be. Callback systems authenticate a person, but anyone can pretend to be that person. They are tied to a specific place and phone number, which can be spoofed by implementing call-forwarding.
Combination of callback and Caller ID. The caller ID and callback functionality provides greater confidence and auditability of the caller's identity. By disconnecting and calling back only authorized phone numbers, the system has greater confidence in the location of the call. However, unless combined with strong authentication, any individual at the location could obtain access.

The following reference(s) were/was used to create this question:
Shon Harris AIO v3 p. 140, 548
ISC2 OIG 2007 p. 152-153, 126-127

Which access control model is also called Non Discretionary Access Control (NDAC)?

A. Lattice based access control
B. Mandatory access control
C. Role-based access control
D. Label-based access control

Answer: C. Role-based access control

RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says, "to distinguish it from the policy-based specifics of MAC"). Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC or RBAC). Most of the CISSP books use the same acronym for both models, but NIST tends to use a lowercase "u" between R and B to differentiate the two models.

You can certainly mimic MAC using RBAC, but true MAC makes use of Labels which contain the sensitivity of the objects and the categories they belong to. No labels means MAC is not being used.

One of the most fundamental data access control decisions an organization must make is the amount of control it will give system and data owners to specify the level of access users of that data will have. In every organization there is a balancing point between the access controls enforced by organization and system policy and the ability for information owners to determine who can have access based on specific business requirements. The process of translating that balance into a workable access control model can be defined by three general access frameworks:
Discretionary access control
Mandatory access control
Nondiscretionary access control

A role-based access control (RBAC) model bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs.

Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities. Objects associated with a role will inherit privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles.

There are several approaches to RBAC. As with many system controls, there are variations on how they can be applied within a computer system. There are four basic RBAC architectures:
1. Non-RBAC: Non-RBAC is simply a user-granted access to data or an application by traditional mapping, such as with ACLs. There are no formal “roles” associated with the mappings, other than any identified by the particular user.
2. Limited RBAC: Limited RBAC is achieved when users are mapped to roles within a single application rather than through an organization-wide role structure. Users in a limited RBAC system are also able to access non-RBAC-based applications or data. For example, a user may be assigned to multiple roles within several applications and, in addition, have direct access to another application or system independent of his or her assigned role. The key attribute of limited RBAC is that the role for that user is defined within an application and not necessarily based on the user’s organizational job function.
3. Hybrid RBAC: Hybrid RBAC introduces the use of a role that is applied to multiple applications or systems based on a user’s specific role within the organization. That role is then applied to applications or systems that subscribe to the organization’s role-based model. However, as the term “hybrid” suggests, there are instances where the subject may also be assigned to roles defined solely within specific applications, complementing (or, perhaps, contradicting) the larger, more encompassing organizational role used by other systems.
4. Full RBAC: Full RBAC systems are controlled by roles defined by the organization’s policy and access control infrastructure and then applied to applications and systems across the enterprise. The applications, systems, and associated data apply permissions based on that enterprise definition, and not one defined by a specific application or system.

Be careful not to try to make MAC and DAC opposites of each other; they are two different access control strategies, with RBAC being a third strategy that was defined later to address some of the limitations of MAC and DAC.

The other answers are not correct because:
Mandatory access control is incorrect because, though it is by definition not discretionary, it is not called "non-discretionary access control." MAC makes use of labels to indicate the sensitivity of the object, and it also makes use of categories to implement need to know.
Label-based access control is incorrect because this is not a name for a type of access control but simply a bogus distractor.
Lattice based access control is not adequate either. A lattice is a series of levels, and a subject will be granted an upper and lower bound within the series of levels. These levels could be sensitivity levels, confidentiality levels, or integrity levels.

Reference(s) used for this question:
All in One, third edition, page 165.
Ferraiolo, D., Kuhn, D. & Chandramouli, R. (2003). Role-Based Access Control, p. 18.
Ferraiolo, D., Kuhn, D. (1992). Role-Based Access Controls. http://csrc.nist.gov/rbac/Role_Based_Access_Control-1992.html
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 1557-1584). Auerbach Publications. Kindle Edition.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 1474-1477). Auerbach Publications. Kindle Edition.
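The paragraph above on role inheritance (users assigned to groups, groups to roles, roles carrying the access capabilities) describes a small data structure, and the earlier question on default deny describes the rule its lookup must follow. The following added example, not code from the practice test or from any of the cited books, implements both: the only way a request is allowed is through a role reachable from the user, so an unknown user, an unmapped group, or a permission nobody granted all fall through to deny. User, group, role and resource names are constructed for the example.

```python
"""Added example: role-based access control with users -> groups -> roles ->
permissions and a default-deny decision. Every name below is constructed."""
from typing import Dict, Iterable, Set, Tuple

Permission = Tuple[str, str]   # (action, resource)


class Rbac:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}   # role -> permissions it carries
        self.group_roles: Dict[str, Set[str]] = {}         # group -> roles mapped to it
        self.user_groups: Dict[str, Set[str]] = {}         # user -> groups
        self.user_roles: Dict[str, Set[str]] = {}          # user -> directly assigned roles

    def grant(self, role: str, action: str, resource: str) -> None:
        """Attach a permission to a role (the only place 'allow' is ever stated)."""
        self.role_perms.setdefault(role, set()).add((action, resource))

    def map_group(self, group: str, role: str) -> None:
        """Group members inherit the role's permissions."""
        self.group_roles.setdefault(group, set()).add(role)

    def add_user(self, user: str, groups: Iterable[str] = (), roles: Iterable[str] = ()) -> None:
        self.user_groups[user] = set(groups)
        self.user_roles[user] = set(roles)

    def effective_roles(self, user: str) -> Set[str]:
        """Direct roles plus roles inherited through group membership."""
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_permitted(self, user: str, action: str, resource: str) -> bool:
        """Allow only if some effective role grants (action, resource); otherwise deny."""
        wanted: Permission = (action, resource)
        for role in self.effective_roles(user):
            if wanted in self.role_perms.get(role, set()):
                return True
        return False   # default deny: no explicit grant means no access


def build_demo() -> Rbac:
    """Constructed sample policy: a finance group, two job roles and an auditor."""
    rbac = Rbac()
    rbac.grant("clerk", "read", "ledger")
    rbac.grant("accountant", "read", "ledger")
    rbac.grant("accountant", "write", "ledger")
    rbac.grant("auditor", "read", "audit_log")
    rbac.map_group("finance", "clerk")                  # everyone in finance can read the ledger
    rbac.add_user("alice", groups=["finance"], roles=["accountant"])
    rbac.add_user("bob", groups=["finance"])
    rbac.add_user("carol", roles=["auditor"])
    rbac.add_user("dave", groups=["marketing"])         # group with no role mapping
    return rbac


if __name__ == "__main__":
    policy = build_demo()
    for user, action, resource in (("alice", "write", "ledger"), ("bob", "write", "ledger"),
                                   ("bob", "read", "ledger"), ("carol", "read", "ledger"),
                                   ("dave", "read", "ledger"), ("mallory", "read", "ledger")):
        verdict = "ALLOW" if policy.is_permitted(user, action, resource) else "DENY"
        print(f"{user:8} {action:5} {resource:10} -> {verdict}  roles={sorted(policy.effective_roles(user))}")
```

Changing who may write the ledger is done once, on the accountant role, rather than on every user; that is the administrative simplification the text attributes to assigning users to groups and groups to roles.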

