
CISSP Cornell Notes

by Col Subhajeet Naha, Retd, CISSP Mentor

Domain 5 – Identity and Access Management

• How to Prepare for CISSP
  • Attend an online boot camp or training session.
  • Read the prescribed books.
  • Don’t cram, but keep tabs on the important points – the main points are covered in these notes.
  • For experienced professionals, one or two reads are sufficient. The aim is to clear the concepts.
  • Practice questions from the Sybex 10th edition and the Sybex 4th edition practice tests.
  • Don’t refer to any dumps; they are of no use.
• How to use these notes
  • Use these notes as revision notes.
  • Reading the reference books is highly recommended.
  • Scribble your own notes.
• Reference Books
  • Sybex 10th Edition
  • Destination Certification
• Reach out to us if you have any questions
  • Future domains are being prepared.
  • Website: learn.protecte.io
  • Mob: +91-8800642768
Control Physical and Logical Access to Assets

• Access Control Definition
• Fundamental Access Control Principles
• Applicability of Access Control

Access Control Definition:
• Access control refers to a collection of mechanisms designed to protect organizational assets while permitting controlled access to authorized subjects.
• The goal is to safeguard information, data, systems, and physical locations, ensuring only those with permission can access these assets.
• Example: Access control for a company database ensures that only employees with the appropriate clearance can view or modify sensitive financial data.

Fundamental Access Control Principles:
1. Need to Know:
   1. Subjects (users or processes) should only have access to data if they absolutely need it to perform their tasks.
   2. Example: An HR executive may have access to employee salaries but not to detailed technical documentation.
2. Least Privilege:
   1. Users or systems should be granted the minimum level of access necessary to perform their jobs, reducing the risk of abuse or compromise.
   2. Example: An intern working on content management may only have access to read certain documents without the ability to modify them.
3. Separation of Duties:
   • Critical tasks are broken down into discrete parts, and no single individual has the necessary permissions to perform all aspects of a process.
   • Example: In a financial process, one employee might prepare sensitive payments, while another authorizes them.

Applicability of Access Control:
• Access control applies to all levels of an organization and covers both physical and logical assets:
  • Physical Assets: Buildings, server rooms, and sensitive physical documents.
  • Logical Assets: Databases, networks, applications, and intellectual property.
• Example: Physical access control could be using ID card swipes to enter a server room, while logical access control involves user authentication (e.g., passwords, biometrics) for logging into systems.

• Access control is a set of mechanisms used to protect an organization’s assets, ensuring that only authorized individuals have access based on need to know, least privilege, and separation of duties.
• Access control principles apply universally across all organizational levels, covering both physical and logical assets.

Cornell Notes by Col Subhajeet Naha, Retd, CISSP 2024


Access Control

• Definition of Access Control
• Management Functions of Access Control
• Access Control Principles

Definition of Access Control:
• Access control is a collection of mechanisms designed to protect the assets of an organization while enabling controlled access for authorized subjects (users or systems).
• It allows management to determine who can access certain resources and how those resources can be used.

Management Functions of Access Control: Access control enables management to:
• Specify users who can access the system: Defines which individuals or groups can enter and use a particular system or resource.
• Specify what resources they can access: Assigns permissions to allow or restrict access to specific files, databases, or physical locations.
• Specify what operations they can perform: Clarifies what actions (read, write, delete, execute) users are allowed to perform.
• Provide individual accountability: Tracks and logs user actions to ensure that management knows who is doing what. This supports auditing and investigation of suspicious activity.

Access Control Principles:
• Need to Know:
  • Definition: Only personnel who require access to an asset to perform their job should be granted access.
  • Example: A marketing employee shouldn’t have access to sensitive financial records unless it's necessary for their role.
• Least Privilege:
  • Definition: Grant users or systems only the minimum permissions required to do their job or function.
  • Example: An IT helpdesk employee may have access to reset user passwords but not to change network configuration settings.
• Separation of Duties:
  • Definition: Critical tasks should be split so that no single person can complete a sensitive process alone, reducing the risk of error or fraud.
  • Example: One person can authorize a financial transaction, while another must approve it.

• Access control mechanisms protect an organization’s assets by limiting and controlling who can access specific resources and what they can do with them.
• The key principles—need to know, least privilege, and separation of duties—are applied throughout access control strategies to prevent unauthorized access and ensure individual accountability.


Access Control Principles

• Need to Know
• Least Privilege
• Separation of Duties and Responsibilities

Need to Know:
• Definition: Access is restricted to individuals who have a legitimate need to know the information or asset in question, based on their job role or function.
• Example: In law enforcement, an undercover agent's true identity is only known by their supervisor and the relevant agents working on the case. This ensures operational security.
• Application: This principle ensures that individuals are only granted access to information necessary for their tasks, minimizing exposure to sensitive data and reducing security risks.

Least Privilege:
• Definition: Users are granted the minimum level of access required to perform their job functions, and nothing more.
• Example: In many organizations, employees might have local administrator privileges on their computers when they only need standard user access. Applying the least privilege principle would limit their access to what is necessary for their role, such as basic user functions, while only a handful of administrators would have elevated permissions.
• Purpose: Limiting access helps prevent misuse of privileges and reduces the potential attack surface, mitigating risks from insider threats or accidental misconfigurations.

Separation of Duties and Responsibilities:
• Definition: Responsibilities for critical tasks are divided among multiple people to prevent fraud and errors.
• Example 1: In finance, one employee might enter vendor information into the accounts payable system, while another confirms its accuracy, reducing the risk of creating fake vendors.
• Example 2: In software development, developers shouldn’t be responsible for deploying applications to production. A different team should handle testing, validation, and approval to ensure proper oversight.
• Purpose: Separation of duties ensures that no single individual can control all aspects of a critical process, which helps prevent fraud, mistakes, and intentional harm.

• The principles of access control—need to know, least privilege, and separation of duties—play critical roles in protecting organizational assets.
• These principles ensure that access is limited to only those who require it, permissions are kept to the minimum necessary, and critical tasks are divided to prevent fraud and errors.


Access Control Applicability and Access Control System

• Access Control Applicability
• Access Control System
• Reference Monitor Concept (RMC)
• Security Kernel

Access Control Applicability:
• Definition: Access control applies to all aspects and levels of an organization. It is essential for managing access to different types of assets.
• Assets Covered:
  • Facilities: Physical access to buildings or areas within an organization.
  • Systems/Devices: Access to hardware such as computers, servers, and other network devices.
  • Information: Access to sensitive data, whether digital or physical (e.g., files, databases).
  • Personnel: Ensuring the right personnel access appropriate resources based on their roles.
  • Applications: Controlling access to software applications, tools, and platforms used within the organization.

Access Control System:
• Definition: The mechanism responsible for controlling a subject's access to an object. A subject refers to a user, while an object is the resource or data the user attempts to access.
• Mediation: Access is mediated based on a set of predefined rules. This can include role-based access control, mandatory access control, or discretionary access control.
• Logging and Monitoring: All access attempts and activities are logged to ensure accountability and assurance that the access control system is functioning as expected. Monitoring helps detect unauthorized access and abnormal behavior.

Reference Monitor Concept (RMC):
• Definition: The RMC is a theoretical concept in which a decision-making tool mediates between subjects and objects. It enforces the rules of access control and ensures accountability.
• Functionality: It works by verifying whether a subject has permission to access an object based on predefined access control rules.
• Security Kernel: Any real-world implementation of the Reference Monitor Concept is called a security kernel. The security kernel enforces these access control decisions and ensures all access activities are logged for monitoring.

• Access control applies to all organizational assets—facilities, systems, information, and applications—and ensures that subjects (users) can only access resources (objects) based on predefined rules.
• The Reference Monitor Concept (RMC) is central to this system, providing mediation and logging all activity for accountability.
• The security kernel enforces the RMC in real-world systems, maintaining secure access control and providing assurance through monitoring.


Logical Access Modes

• Granularity of Access Control
• Logical Access Modes
• Need to Know and Least Privilege

Granularity of Access Control:
• Definition: Access control is more than just allowing or denying access. It involves setting specific rules to control exactly how a subject interacts with an object.
• Granular Control: Access rules offer precise control over what subjects (users) can access and what actions they are allowed to perform on those objects. For example, users might be allowed to only read a file but not edit or delete it.

Logical Access Modes:
• Definition: Logical access modes define specific types of interactions that a subject can have with an object. These modes enable more precise control based on what actions are required for the subject to perform their job.
• Common Access Modes:
  • Create: The ability to create new objects, such as files, databases, or records. Example: A user can create a new document in a shared folder.
  • Update: Permission to modify or update existing objects. Example: A user can edit customer details in a CRM system.
  • Read: The ability to view or read objects without making changes. Example: A user can view a financial report but cannot edit it.
  • Read/Write: Combined permission to both read and modify objects. Example: A user can both view and edit a database entry.
  • Execute: Permission to run executable files or programs. Example: A user can run a software application installed on a computer.
  • Delete: The ability to remove or delete objects from the system. Example: A user can delete outdated documents from a shared drive.

Need to Know and Least Privilege:
• Application: Access should be granted based on the principles of need to know and least privilege, meaning users should only have the minimum level of access required to perform their tasks and no more. This minimizes potential security risks.

• Logical Access Modes provide granular control over what actions a user can perform on an object, such as creating, reading, updating, executing, or deleting objects.
• These permissions are defined based on the user's role and responsibilities, following the principles of need to know and least privilege to ensure that users have the appropriate level of access without compromising security.


Groups versus Roles

• Definition of Groups
• Definition of Roles
• Key Differences Between Groups and Roles

Definition of Groups:
• Concept: A group is a collection of users who are generally not associated with a specific job function but may share a common purpose or project.
• Example: A group could include members of a business continuity management team or a specific leadership group.
• Management: Administrators can assign permissions to the entire group, simplifying the process of managing access for multiple users. For example, if a group of users needs access to certain documents, the admin can give the whole group access rather than assigning it individually.
• Flexibility: Groups offer flexibility in managing users who share similar access needs but may not have the same job role.

Definition of Roles:
• Concept: A role is a set of permissions tied to a specific job function within an organization, often linked to what tasks the job requires.
• Example: A role might be assigned to call center agents, giving them access to the systems they need to perform their job, such as CRM systems for customer interaction.
• Management: When users are assigned a role, they inherit all the required permissions for that role, streamlining access management based on job requirements.
• Job-Oriented: Roles are tightly focused around job functions and the permissions required to fulfill those functions, making them less flexible but more structured than groups.

Key Differences Between Groups and Roles:
• Groups: Provide flexibility for organizing users who share common access needs but aren’t necessarily tied to the same job function.
• Roles: Focus specifically on the permissions needed for a particular job, aligning access rights closely with the actions required by the job.

• Groups and Roles are two different approaches to managing user permissions.
• Groups are more flexible and allow for the organization of users who share access needs but might not have the same job functions.
• Roles are job-specific, assigning permissions based on the responsibilities of a particular position. Both approaches are useful in different contexts for efficiently managing access control.


Access Control Administration Approaches

• Definition of Access Control Administration Approaches
• Centralized Administration
• Decentralized Administration
• Hybrid Approach

Definition of Access Control Administration Approaches:
• Access control administration refers to the method an organization uses to manage and control access to resources.
• Two primary approaches: centralized and decentralized.
• Many organizations now use a hybrid approach, combining elements of both methods.

Centralized Administration:
• Concept: A single central system controls access to all remote systems.
• Advantages:
  • Easier administration and lower overhead.
  • Cost reduction through a streamlined process.
  • Greater flexibility by having one unified control point.
  • A single username and password grant access to multiple systems.
• Disadvantages:
  • Single point of failure—if the central system is compromised, it can affect the entire organization.
  • Becomes a potential target for attacks due to its importance.
• Example: An Active Directory managing all user access across multiple systems in a network.

Decentralized Administration:
• Concept: Control is distributed to multiple systems, allowing management by those closer to the resources.
• Advantages:
  • Granular control over access, tailored to individual departments or systems.
  • Minimizes the risk of complete failure—if one system fails, others remain functional.
  • Local teams can manage access specific to their needs.
• Disadvantages:
  • Increased administrative overhead—managing multiple systems requires more effort.
  • Lack of standardization and possible security holes due to fragmented control.
  • Potential for overlapping rights.
• Example: Each department in a company having its own access control system.

Hybrid Approach:
• Concept: Combination of centralized and decentralized methods.
• Advantages:
  • Balances the efficiency of centralized control with the granularity of decentralized systems.
  • Often necessary due to legacy systems that can’t be integrated into modern centralized control systems.
  • Provides flexibility while maintaining some level of central oversight.
• Example: A company using centralized control for core systems but allowing departments to manage their own access controls for specialized resources.

• Access control administration can follow a centralized approach, which offers simplicity and cost reduction but introduces risks related to a single point of failure.
• In contrast, decentralized approaches provide granular control but come with administrative overhead.
• The hybrid approach combines the strengths of both, offering flexibility to manage legacy and modern systems together effectively.


Design Identification and Authentication Strategy

• Seven Laws of Identity Overview
• User Control and Consent
• Minimal Disclosure and Constrained Use
• Justifiable Parties
• Directed Identity
• Pluralism of Operators and Technologies
• Human Integration
• Consistent Experience Across Contexts

Seven Laws of Identity Overview:
• Developed by Kim Cameron and other security experts.
• The laws address how identity systems should be designed to ensure user privacy and security while enabling seamless authentication and identification.

User Control and Consent:
• Principle: Users must control when and how their identifying information is shared.
• Example: A social media platform should require explicit consent from users before sharing their personal information with third-party apps.

Minimal Disclosure and Constrained Use:
• Principle: The best identity systems are those that disclose the least amount of identifying information.
• Example: Using only a username to log into a website instead of revealing additional personal details.

Justifiable Parties:
• Principle: Identifying information should only be shared with parties that have a legitimate reason to be involved.
• Example: A payment processor receiving credit card details only for the purpose of processing a transaction, without sharing them with unrelated third parties.

Directed Identity:
• Principle: Identity systems should support omni-directional identifiers for public entities and uni-directional identifiers for private entities.
• Example: A public website having a universal identifier (URL), while a user’s identifier for logging in remains private and secure from other entities.

Pluralism of Operators and Technologies:
• Principle: Identity systems must be interoperable with various identity providers and technology platforms.
• Example: A user should be able to log into different websites using credentials from Google, Facebook, or another identity provider seamlessly.

Human Integration:
• Principle: Identity systems must account for the fact that human users are an integral part of the system.
• Example: Ensuring user-friendly interfaces and reliable security features such as two-factor authentication that protects the communication between the user and the system.

Consistent Experience Across Contexts:
• Principle: Users should have a consistent and intuitive experience across different platforms and identity providers.
• Example: A user logging into various online services should have a similar authentication experience (e.g., through Single Sign-On) even if the back-end systems vary.

• The Seven Laws of Identity outline the fundamental principles for designing identity systems that protect user privacy, provide security, and ensure seamless user experiences.
• They emphasize the importance of user control, minimal data disclosure, trust in legitimate parties, and interoperability across different technologies while providing a consistent and human-centered approach to identity management.


Access Control Services

• Definition of Access Control Services
• Identification
• Authentication
• Authorization
• Accountability
• AAA (Authentication, Authorization, Accountability)

Definition of Access Control Services:
• Access control services encompass several components to ensure that users and processes interact securely with organizational assets.
• Core components include identification, authentication, authorization, and accountability.
• These are critical in protecting systems, assets, and users while providing a framework for tracking user actions.

Identification:
• Refers to the process of asserting the identity of a user or process to a system.
• Example: When a user enters their username into a system, they are identifying themselves to that system.

Authentication:
• Refers to the process of verifying an identity that has been asserted.
• Authentication methods can be based on something you know (password), something you have (smart card), or something you are (fingerprint).
• Example: After entering a username, the system asks for a password to confirm that the user is who they claim to be.

Authorization:
• Defines what level of access is granted once the user or process has been identified and authenticated.
• Example: An employee might have access to the company's email system, but not to financial records unless they are authorized.
• Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are examples of how authorization is implemented.

Accountability:
• Refers to the logging and monitoring of all actions taken by identified and authenticated users.
• This ensures users are held responsible for their actions and any misuse can be tracked.
• Example: If a user accesses sensitive data, the system records the time, date, and action to ensure accountability.

AAA (Authentication, Authorization, Accountability):
• AAA represents the core of access control, ensuring users are properly authenticated and authorized, and that their actions are tracked for accountability.
• These components work together to ensure comprehensive security within systems.

• Access Control Services are fundamental to ensuring that users and processes interact securely with organizational assets.
• The core elements—identification, authentication, authorization, and accountability—are essential in controlling access, verifying identities, and maintaining logs for accountability.
• Proper implementation of these services ensures the security and integrity of organizational resources.
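The Python sketch below is added here as an example; it is not taken from these notes or from any product. It ties together the Access Control System and Reference Monitor Concept, the logical access modes, the groups versus roles distinction, and AAA accountability from the sections above: a small reference monitor that mediates every subject/object/mode request, combines permissions inherited from roles and groups, writes an audit entry for each decision, and refuses a role assignment that would break separation of duties. All users, roles, groups and object names are constructed sample data.

```python
"""Toy reference monitor (added example, not the notes' or any product's code).

Every access passes through request(): the decision is computed from the
permissions a subject holds via roles (job function) and groups (shared
purpose), and every decision is logged so it can be traced to one identity.
All subjects, roles, groups and objects below are constructed sample data."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Mode(Flag):
    """Logical access modes from the notes. A Flag so modes combine:
    the notes' Read/Write is READ | UPDATE."""
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()
    EXECUTE = auto()


READ_WRITE = Mode.READ | Mode.UPDATE
NONE = Mode(0)

# Roles: permission sets tied to a job function (object -> allowed modes).
ROLE_PERMS = {
    "helpdesk": {"user-directory": Mode.READ, "password-reset-tool": Mode.EXECUTE},
    "ap-clerk": {"vendor-master": Mode.CREATE | Mode.READ},
    "ap-approver": {"vendor-master": Mode.READ | Mode.UPDATE},
}
# Groups: users sharing a purpose (a BCM team) rather than a job function.
GROUP_PERMS = {"bcm-team": {"bc-plan": READ_WRITE}}

# Role pairs one person must never hold together (separation of duties).
SOD_CONFLICTS = {frozenset({"ap-clerk", "ap-approver"})}

# Constructed sample subjects.
USERS = {
    "alice": {"roles": {"helpdesk"}, "groups": {"bcm-team"}},
    "bob": {"roles": {"ap-clerk"}, "groups": set()},
    "carol": {"roles": {"ap-approver"}, "groups": set()},
}


def sod_violations(roles):
    """Return the conflicting role pairs contained in a proposed role set."""
    return [pair for pair in SOD_CONFLICTS if pair <= set(roles)]


@dataclass
class ReferenceMonitor:
    audit_log: list = field(default_factory=list)

    def effective_modes(self, user):
        """Union of the modes a subject holds on each object via roles and groups."""
        info = USERS.get(user, {"roles": set(), "groups": set()})
        allowed = {}
        for table, names in ((ROLE_PERMS, info["roles"]), (GROUP_PERMS, info["groups"])):
            for name in names:
                for obj, modes in table.get(name, {}).items():
                    allowed[obj] = allowed.get(obj, NONE) | modes
        return allowed

    def request(self, user, obj, mode):
        """Mediate one access. Default deny: every requested mode bit must be
        granted, and unknown subjects or objects hold nothing. Each decision
        is logged, which is what provides individual accountability."""
        granted = self.effective_modes(user).get(obj, NONE)
        allow = (mode & granted) == mode
        self.audit_log.append({"subject": user, "object": obj, "mode": str(mode),
                               "decision": "ALLOW" if allow else "DENY"})
        return allow

    def assign_role(self, user, role):
        """Grant a role only if the resulting role set keeps separation of duties."""
        current = USERS.setdefault(user, {"roles": set(), "groups": set()})
        allow = not sod_violations(current["roles"] | {role})
        if allow:
            current["roles"].add(role)
        self.audit_log.append({"subject": user, "object": role, "mode": "ASSIGN",
                               "decision": "ALLOW" if allow else "DENY"})
        return allow


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.request("bob", "vendor-master", Mode.CREATE)   # clerk enters a vendor: ALLOW
    rm.request("bob", "vendor-master", Mode.UPDATE)   # clerk tries to approve: DENY
    rm.assign_role("bob", "ap-approver")              # would collapse SoD: DENY
    for entry in rm.audit_log:
        print(entry)
```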



Identification in Access Control Services

• Definition of Identification
• Importance of Unique Identifiers
• Identification Guidelines
• Examples of Identification Methods

Definition of Identification:
• Identification is the first step in Access Control Services. It refers to the process of asserting an identity—either of a user or process—to the system.
• Identification allows systems to track user activity back to an individual, ensuring accountability.

Importance of Unique Identifiers:
• Each user or process needs a unique identifier to ensure their actions can be traced back to them alone.
• Shared user accounts should be avoided as they make accountability difficult and potentially circumvent security principles.

Identification Guidelines:
• Identification mechanisms should be:
  • Unique: Each identity relates to only one individual or process.
  • Nondescriptive of job or role: The user account should not give away the user’s role. For example, an admin account should not include “admin” in its name, and a finance account shouldn’t reveal the job function.
  • Issued securely: Accounts should be created and distributed using secure processes (e.g., a password manager to generate and store passwords).

Examples of Identification Methods:
• User ID: A combination of first and last names or employee numbers.
• Account ID: Unique numbers or alphanumeric strings assigned to each user.
• Access Cards: Physical identification tokens.
• Biometrics: Use of fingerprints, retina scans, or other biological markers to identify users.

• Identification is the first component of Access Control Services, ensuring that each user or process interacting with a system can be uniquely identified.
• The identification must be unique, nondescriptive of roles, and issued through secure methods to protect organizational security.
• Proper identification ensures that actions can be tracked back to the responsible individual, which is essential for accountability.


Authentication by Knowledge

• Definition of Authentication by Knowledge
• Forms of Authentication by Knowledge
• Best Practices for Authentication by Knowledge

Definition of Authentication by Knowledge:
• Authentication by knowledge is one of the three factors of authentication; it verifies a user’s identity based on something they know, like a password, passphrase, or the answers to security questions.
• It's often referred to as "something you know".

Forms of Authentication by Knowledge:
• Password: A string of characters that a user provides to gain access to a system. Can range from simple (e.g., "password") to complex (e.g., "m{BLB9FF#6h`J#U$"). The more complex, the more secure, but complex passwords are often hard to remember.
• Passphrase: A longer string of words, typically a sentence or phrase, used to authenticate. Passphrases are usually easier to remember and can be more secure due to their length and complexity. For example: “The quick brown fox jumps over the lazy dog 123!”
• Security Questions: Cognitive questions that a user answers to verify their identity. These questions are chosen by the user and should have answers that are known only to them. An example could be “What’s your mother’s maiden name?”, but the user could answer with a nonsensical string (e.g., “3487487glkjgokjo!(*&”) for added security.

Best Practices for Authentication by Knowledge:
• Passwords: Should be complex, with a mix of upper and lower case letters, numbers, and symbols.
• Passphrases: Can be memorable, but should be long and unique.
• Security Questions: The answers don’t have to be true; they should be unpredictable and difficult for others to guess.
• Avoid writing down passwords or storing them in insecure places (e.g., sticky notes on a monitor).

• Authentication by knowledge is a method of verifying a user’s identity based on something they know, such as a password, passphrase, or response to security questions.
• It's crucial to ensure that passwords and passphrases are complex and unique, and that security questions are difficult to guess.
• These methods should be securely implemented to prevent unauthorized access.


Authentication by Ownership

• Definition of Authentication by Ownership
• One-Time Passwords (OTP)
• Soft Tokens vs. Hard Tokens
• Smart Cards and Memory Cards
• Synchronous vs. Asynchronous OTP Generation

Definition of Authentication by Ownership:
• Authentication by ownership refers to verifying a user’s identity based on something they possess, such as a token or a smart card.
• This is often referred to as "something you have" in authentication mechanisms.

One-Time Passwords (OTP):
• OTP: A dynamically generated password that can be used only once and expires after use or after a specified period.
• Examples include Google Authenticator or RSA SecurID. OTPs provide an extra layer of security as they constantly change.

Soft Tokens vs. Hard Tokens:
• Soft Tokens: Software-based applications (e.g., Google Authenticator, Authy) that generate OTPs on smartphones or computers.
• Hard Tokens: Physical devices (e.g., RSA SecurID) that generate OTPs, typically used for authentication in high-security environments.

Smart Cards and Memory Cards:
• Smart Cards: Credit-card-sized cards with an embedded chip. They are inserted into a smart card reader to authenticate users. Often used in government or military settings.
• Memory Cards: Cards with magnetic strips (like ATM cards) that store basic information, such as account numbers, and are used for limited access authentication. Less secure compared to smart cards.

Synchronous vs. Asynchronous OTP Generation:
• Synchronous OTP: The more common method, in which the OTP generation is time-based or event-based, synchronized with the authentication server.
• Asynchronous OTP: Less common and more complex; it uses a challenge-response mechanism where the token and server exchange information to verify identity. More secure but also more expensive due to the complexity of synchronization.

• Authentication by ownership verifies a user’s identity based on something they possess, such as soft or hard tokens, smart cards, or memory cards.
• One-time passwords (OTPs) are a key component of this authentication method, providing dynamic and expiring credentials.
• OTPs can be generated through synchronous (time-based or event-based) or asynchronous (challenge-response) methods, each offering different levels of security and complexity.
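As an added example (not from these notes or from any vendor's token), the Python below implements the two synchronous OTP schemes described above, event-based and time-based, as HOTP (RFC 4226) and TOTP (RFC 6238) over HMAC-SHA1, the server-side verification that tolerates a token drifting ahead or a clock being slightly off while rejecting replayed codes, and an asynchronous challenge-response exchange. The shared secret is the RFC 4226 test key and the timestamps are constructed; the six-digit values it checks against are the RFC's published vectors.

```python
"""One-time password schemes (added example, not the notes' or a vendor's code).

Synchronous: HOTP (event-based, RFC 4226) and TOTP (time-based, RFC 6238),
where token and server must stay in step on a counter or a clock.
Asynchronous: challenge-response, where the server sends a fresh nonce and the
token answers with a keyed hash, so nothing has to stay synchronized.
SECRET is the RFC 4226 test key; all timestamps below are constructed."""
import hashlib
import hmac
import secrets
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test secret, never for real use


def hotp(secret, counter, digits=6):
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """Time-based OTP: HOTP with the counter replaced by the time step number."""
    return hotp(secret, unix_time // step, digits)


class EventTokenServer:
    """Verifier for an event-based token. Pressing the token button without
    logging in advances the token but not the server, so the server accepts
    any of the next `window` counters and then resynchronizes to it."""

    def __init__(self, secret, window=5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this and earlier counters are now spent
                return True
        return False


class TimeTokenServer:
    """Verifier for a time-based token: tolerates `skew` steps of clock drift
    either way and refuses to accept the same time step twice (replay)."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_step_used = -1

    def verify(self, code, now):
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            expected = totp(self.secret, t * self.step, self.step)
            if t > self.last_step_used and hmac.compare_digest(expected, code):
                self.last_step_used = t
                return True
        return False


def challenge():
    """Asynchronous OTP, server side: a fresh random challenge per login."""
    return secrets.token_bytes(16)


def respond(secret, nonce):
    """Asynchronous OTP, token side: the answer is a keyed hash of the
    challenge, so no counter or clock has to stay in step with the server."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def verify_response(secret, nonce, answer):
    return hmac.compare_digest(respond(secret, nonce), answer)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))          # RFC 4226 vector: 755224
    print("TOTP at t=59:  ", totp(SECRET, 59))         # RFC 6238 vector (6 digits): 287082
    nonce = challenge()
    print("challenge-response ok:", verify_response(SECRET, nonce, respond(SECRET, nonce)))
```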



Smart and Memory Cards
• Definition of Smart Cards
• Definition of Memory Cards
• Differences Between Smart and Memory Cards
• Contact Smart Cards
• Contactless Smart Cards
Definition of Smart Cards:
• Smart Cards contain an integrated circuit (IC) chip that performs calculations and generates unique authentication data for each transaction.
• These cards are capable of securely processing information and communicating with readers, making them more secure than memory cards.
• Commonly used in modern credit/debit cards, government ID cards, and corporate security badges.
Definition of Memory Cards:
• Memory Cards store information on a magnetic stripe located on the back of the card.
• The data on the magnetic stripe remains the same for each transaction, making these cards more vulnerable to fraud (e.g., skimming).
• Older credit cards and access cards primarily relied on memory cards.
Differences Between Smart and Memory Cards:
• Smart Cards have the ability to process and store information securely, while memory cards can only store static information that is read during transactions.
• Smart cards generate unique data with each transaction, while memory cards present the same data each time.
Contact Smart Cards:
• Require physical contact with the card reader for the embedded chip to be powered and to process transactions.
• Often seen in older chip-and-pin credit cards or government ID systems.
Contactless Smart Cards:
• Utilize a reader that communicates wirelessly with the card, powering the chip remotely and enabling transactions without physical contact.
• Used in tap-and-go payment systems, public transportation, and access control systems.

• Smart cards offer enhanced security by using a chip to process and generate authentication data for
each transaction, while memory cards rely on static data stored on a magnetic stripe.
• Contact smart cards require physical interaction with a reader, whereas contactless smart cards
allow for wireless communication, providing greater convenience and flexibility in secure
transactions.



Authentication by Characteristics
• Definition of Authentication by Characteristics
• Types of Biometric Authentication (Physiological and Behavioral)
• Biometric Device Considerations
• Crossover Error Rate (CER)
Definition of Authentication by Characteristics:
• Refers to biometric authentication, which uses physiological or behavioral characteristics to verify an individual's identity.
• Examples include fingerprints, facial recognition, or voice patterns.
Types of Biometric Authentication:
1. Physiological Characteristics:
  • Fingerprints: Used in most modern smartphones and secure facilities.
  • Hand Geometry: Measures the shape and size of a hand.
  • Facial Features: Used in facial recognition technology, such as Apple's Face ID.
  • Eyes: Includes retina and iris scans for high-security access.
2. Behavioral Characteristics:
  • Handwriting: The unique way someone writes can be analyzed.
  • Gait: The way someone walks, often used in surveillance.
  • Voice Recognition: Identifies a person based on their voice pattern.
  • Typing Patterns: Measures keystroke dynamics, which are unique to each user.
Biometric Device Considerations:
• Processing Speed: Biometric systems can be slower than other authentication methods due to the time required for analysis.
• User Acceptance: Some users may resist biometric systems due to privacy concerns or inconvenience.
• Protection of Biometric Data: Storing biometric data securely is essential since this data is uniquely tied to individuals and cannot be changed like passwords.
• Accuracy: The effectiveness of biometric systems is measured by how accurately they can identify users without errors.
Crossover Error Rate (CER):
• CER is the point at which the rate of false rejections (Type 1 errors) and false acceptances (Type 2 errors) is equal.
• A lower CER indicates a more accurate biometric system. It's used to gauge the overall reliability of a biometric system.

• Authentication by characteristics involves using biometric data, such as fingerprints or voice patterns, to verify a user's identity.
• While physiological attributes like facial features are widely used, behavioral factors such as typing patterns also provide unique identification methods.
• When implementing biometric authentication, factors like processing speed, user acceptance, and data protection must be carefully considered to ensure accuracy and security.
• The Crossover Error Rate (CER) is a key metric to assess the performance and reliability of these systems.
Biometric Device Accuracy/Types of Errors
• Biometric System Accuracy
• Type 1 and Type 2 Errors
• Crossover Error Rate (CER)
• Biometric Templates
Biometric System Accuracy:
• Biometric systems are not 100% binary, meaning they are not always completely accurate.
• Unlike traditional password systems, biometric systems may falsely reject valid users or falsely accept invalid users, depending on how they are tuned.
Type 1 and Type 2 Errors:
• Type 1 Error (False Rejection): This occurs when a valid user is incorrectly rejected by the system. The False Rejection Rate (FRR) measures how often this happens. Example: A legitimate user attempting to access a system but being denied.
• Type 2 Error (False Acceptance): This occurs when an unauthorized user is wrongly accepted by the system. The False Acceptance Rate (FAR) measures how frequently this occurs. Type 2 errors are far more dangerous because they allow unauthorized individuals to gain access to secure systems. Example: An attacker gaining access due to system misidentification.
Crossover Error Rate (CER):
• CER is the point where the FRR and FAR intersect. It indicates the overall accuracy of a biometric system.
• A lower CER suggests a more accurate system, while a higher CER indicates less reliability.
• Biometric systems can be tuned, but reducing one error type increases the other, creating an inverse relationship.
Biometric Templates:
• Biometric Templates are digital representations of a user's biometric features, created through one-way mathematical functions.
• Raw biometric data (like fingerprints or facial scans) should never be stored due to privacy risks. Templates are used instead to protect the individual's biometric information.
1 : N Identification:
• In this method, biometric data from a new scan is compared to a database of many templates to identify the individual. Example: A fingerprint scanner at a door tries to match the fingerprint to a known template in a database.
1 : 1 Authentication:
• In this method, the system already knows the user's identity, and it compares the newly generated biometric template to a stored template for authentication. Example: A laptop scans a user's fingerprint and compares it to their stored fingerprint data.

• Biometric systems use physiological or behavioral attributes for authentication. While not 100%
accurate, they introduce the risk of Type 1 (false rejection) and Type 2 (false acceptance) errors, with
Type 2 errors being the most serious.
• The Crossover Error Rate (CER) is a key metric for measuring a system's overall accuracy. To
protect privacy, biometric data is stored as templates rather than raw data, and these templates
can be used for identification (1 : N) or authentication (1 : 1) purposes.
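Worked example (added here; not part of the original notes) for the CER and Type 1/Type 2 error material on this page and the previous one: computing FRR and FAR from matcher scores at each threshold, locating the crossover point, and then tuning the threshold the security-first way, that is, bounding FAR and accepting the FRR that follows. The genuine and impostor score lists are constructed for the demo; a real evaluation would use thousands of logged comparisons.

```python
"""Type 1 / Type 2 error rates and the Crossover Error Rate from match scores.

Added example, not from the notes. The score lists are constructed; a
comparison is accepted when its similarity score is at or above the threshold.
"""
from typing import List, Tuple

# Constructed similarity scores in [0, 1] from a toy matcher.
GENUINE = [0.92, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.45]   # enrolled user vs. own template
IMPOSTOR = [0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.55, 0.60, 0.70, 0.80]  # someone else vs. that template


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) in percent at one threshold.
    FRR (Type 1): genuine attempts scoring below the threshold.
    FAR (Type 2): impostor attempts scoring at or above it."""
    frr = 100 * sum(1 for s in genuine if s < threshold) / len(genuine)
    far = 100 * sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(genuine: List[float], impostor: List[float]):
    """(threshold, FRR, FAR) at every distinct observed score, ascending."""
    return [(t, *error_rates(genuine, impostor, t)) for t in sorted(set(genuine) | set(impostor))]


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold and error rate where FRR == FAR, linearly interpolated
    between the two sampled thresholds that bracket the crossing."""
    pts = sweep(genuine, impostor)
    for (t0, frr0, far0), (t1, frr1, far1) in zip(pts, pts[1:]):
        d0, d1 = frr0 - far0, frr1 - far1
        if d0 == 0:
            return t0, frr0
        if d0 < 0 <= d1:  # FRR climbs above FAR inside this interval
            frac = d0 / (d0 - d1)
            return t0 + frac * (t1 - t0), frr0 + frac * (frr1 - frr0)
    raise ValueError("FRR and FAR never cross")


def threshold_for_max_far(genuine: List[float], impostor: List[float], max_far: float):
    """Security-first tuning: the loosest threshold whose FAR is within budget,
    reported with the FRR that users will have to tolerate in exchange."""
    for t, frr, far in sweep(genuine, impostor):
        if far <= max_far:
            return t, frr, far
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER = {cer:.1f}% at threshold {t:.3f}")
    print("tightest FRR with FAR <= 10%:", threshold_for_max_far(GENUINE, IMPOSTOR, 10.0))
```

On these constructed scores the CER is 25% at a threshold of about 0.625, which is far worse than any production device but makes the shape visible: moving the threshold to cap FAR at 10% pushes FRR to 50%. That is the inverse relationship the notes describe, and the reason a system protecting high-value assets is tuned toward a low FAR and a higher FRR.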



Biometric Devices
• Physiological Biometric Devices
• Behavioral Biometric Devices
Physiological Biometric Devices:
• Fingerprint Scanners: Analyze the unique patterns of a person's fingerprint. Common on devices like smartphones and computers. Used in border security (e.g., US-Canada).
• Hand Geometry Scanners: Rarely used but seen in movies. Scan the geometry of the hand. Some scanners examine ridges while others focus on hand geometry. Utilized in specialized environments.
• Vascular Pattern Scanners: Analyze vein patterns in a person's hand. Often used in high-security environments like testing centers (e.g., CISSP exams) to verify identity during an exam.
• Facial Recognition Scanners: Examine an individual's facial features and patterns. Becoming more common in mobile devices and security systems.
• Iris Scanners: Examine the colored ring (iris) of the eye for unique patterns. Non-invasive and widely accepted in security settings.
• Retina Scanners: Examine the vein patterns at the back of the eye. Extremely accurate but controversial. Retina scans are invasive (bright light flashed into the eye) and can reveal personal health issues, causing privacy concerns. Rarely used due to discomfort and potential privacy risks.
Behavioral Biometric Devices:
• Voice Recognition: Analyzes how a person speaks, focusing on vocal tone, pitch, and cadence.
• Signature Recognition: Identifies unique aspects of how a person signs their name, such as pressure, speed, and style.
• Keystroke Dynamics: Monitors how a person types on a keyboard, identifying patterns like typing speed and key-press timing.
• Gait Analysis: Analyzes how a person walks, focusing on their stride, posture, and movement.

• Biometric devices can be categorized into physiological (e.g., fingerprint, iris, retina
scanners) and behavioral (e.g., voice, signature, keystroke dynamics). While
physiological biometrics focus on a person's physical attributes, behavioral
biometrics analyze how individuals perform actions. Each type of biometric device has
its own use cases and accuracy, with some systems like retina scanners being highly
accurate but invasive and controversial due to privacy concerns.
Factors of Authentication
• Factors of Authentication
• Single-Factor Authentication
• Multifactor Authentication (MFA)
Factors of Authentication:
• Authentication by Knowledge: Something you know, like a password, passphrase, or security questions.
• Authentication by Ownership: Something you have, such as a smart card, RSA token, or one-time password (OTP).
• Authentication by Characteristic: Something you are, involving physiological (fingerprint, retina scan) or behavioral (keystroke dynamics, voice) biometrics.
Single-Factor Authentication:
• Utilizes only one factor of authentication from any of the three types.
• Example: Logging in with a password alone or using a fingerprint scanner by itself.
• Drawback: More vulnerable to attacks since it's based on a single security measure.
Multifactor Authentication (MFA):
• Involves two or more factors from different categories (knowledge, ownership, characteristic).
• Example: Logging in with a password (something you know) and a fingerprint scan (something you are) or using a password and an RSA token (something you know + something you have).
• Provides stronger security as it combines different authentication types, making it harder for attackers to compromise.
Important Distinction:
• If both authentication methods belong to the same factor (e.g., password and security question), it's still single-factor authentication.
• Example: A username/password combo and a security question are both forms of knowledge-based authentication, so this would still be considered single-factor.

• Authentication can be categorized into three factors: knowledge, ownership, and characteristic.
Single-factor authentication involves using only one type, whereas multifactor authentication
(MFA) requires using two or more types from different categories.
• MFA is much more secure, as it requires attackers to compromise multiple factors to gain access.



Password-less Authentication
• Password-less Authentication Overview
• Common Password-less Options
• Advantages of Password-less Authentication
• Challenges and Downsides
Password-less Authentication Overview:
• Refers to authentication methods that don't rely on traditional passwords.
• Aims to reduce friction, prevent weak password creation, and mitigate phishing risks.
• Example: Instead of entering a password, a user could authenticate via biometrics, a mobile device, or a security token.
Common Password-less Options:
• Biometrics: Facial recognition, fingerprint scans, or iris scans used for authentication.
• Mobile Devices: The user's personal device (e.g., smartphone) used for authentication through a PIN or biometrics.
• Security Tokens: Physical hardware tokens like FIDO2 keys or USB devices used to authenticate without needing a password.
• Passkeys: A newer option where users authenticate through biometrics or a PIN directly on their device, rather than remembering a password.
Advantages of Password-less Authentication:
• Reduced Friction: Easier and quicker for users to authenticate without needing to remember complex passwords.
• Increased Security: Limits weak passwords and helps to prevent password-based attacks such as phishing.
• User Convenience: Eliminates the need to reset forgotten passwords or deal with account lockouts caused by incorrect passwords.
Challenges and Downsides:
• Biometric Vulnerabilities: While more secure, biometric data is not perfect and can sometimes produce false positives or negatives.
• Loss of Device or Token: If a user loses their mobile device or hardware token, they may be locked out of their account.
• Implementation Costs: Password-less methods like hardware tokens can be expensive to implement, especially across large organizations.

• Password-less authentication methods, such as biometrics, mobile devices, and security tokens,
provide a secure alternative to passwords, reducing risks like phishing and weak passwords.
• While convenient, challenges such as device loss, biometric limitations, and higher costs must be
carefully considered.
• Passkeys are one of the more recent innovations in password-less security.



Credential Management Systems and Password Vaults
• Credential Management Systems
• Password Vaults (Password Managers)
• Advantages of Password Vaults
• Potential Risks of Password Vaults
Credential Management Systems:
• Credential management systems are tools used to manage, grant, and revoke credentials at scale.
• Typically involve strong two-factor authentication and public key infrastructure (PKI) to ensure secure credential handling.
• Manage credentials for people, devices, and processes, ensuring that each has unique identifiers and preventing unauthorized access.
• Credentials can be tied to trusted digital identities, and these systems help bind those identities securely to their respective credentials.
Password Vaults (Password Managers):
• Password vaults, also known as password managers, are applications designed to generate, store, and manage passwords securely.
• Passwords are stored in an encrypted database that is protected by a master password.
• The idea is that users can generate strong, unique passwords for all their accounts without having to remember each one, only the master password.
• Example: A user with 20 accounts can store passwords for each account in the vault and only needs to remember their vault's master password.
Advantages of Password Vaults:
• Increased Security: Makes it easier for users to have unique and strong passwords for each account, which helps protect against attacks like credential stuffing.
• Convenience: Simplifies the user experience by requiring users to remember only one password (the master password).
• Cross-device Syncing: Many password managers allow for passwords to be synced across multiple devices, offering easy access to stored credentials.
Potential Risks of Password Vaults:
• Single Point of Failure: If an attacker gains access to the password vault (e.g., by guessing or stealing the master password), they can access all stored passwords.
• Mitigation: It's crucial to enable multifactor authentication (MFA) for accounts, so even if the password vault is compromised, additional security layers remain in place.

• Credential management systems, especially those using strong authentication methods, help
organizations manage access at scale.
• Password vaults enable users to securely store and manage unique passwords, but they introduce a
single point of failure that can be mitigated through multifactor authentication.
• These systems are essential for securing modern digital identities and assets.



Single Sign-On (SSO)
• Definition of Single Sign-On (SSO)
• Advantages of SSO
• Disadvantages of SSO
• Kerberos as an SSO Protocol
• SESAME Protocol
Definition of Single Sign-On (SSO):
• Single sign-on (SSO) refers to a system where users authenticate once and are then granted access to multiple systems without needing to re-enter credentials.
• It simplifies the user experience, as they only need to log in once to access various services or applications.
Advantages of SSO:
• Convenience: Users only need to remember one set of credentials, reducing the chance of forgetting passwords.
• Streamlined Access: After authentication, users can access multiple systems or applications seamlessly without repeated logins.
Disadvantages of SSO:
• Single Point of Failure: If the central authentication service fails or is compromised, users could lose access to all systems, or worse, attackers could gain access to all systems with just one breach.
• Centralized Administration: SSO relies on centralized management of user access, which can become a target for attackers.
Kerberos as an SSO Protocol:
• Kerberos is one of the primary protocols used for single sign-on. It provides:
  • Authentication: Verifies user identities.
  • Authorization: Determines what resources users can access.
  • Auditing: Tracks user activity for accountability.
• How Kerberos Works:
  • It uses tickets to authenticate users to different services within a network.
  • Once a user logs in, they receive a Ticket-Granting Ticket (TGT), which they can use to obtain service tickets for accessing resources without needing to re-enter credentials.
SESAME Protocol:
• SESAME is an enhanced version of Kerberos that offers additional functionality like public key cryptography and better scalability.
• However, SESAME has not been widely adopted, primarily because Kerberos is built into Microsoft Windows by default, making it the more dominant protocol.

• Single sign-on (SSO) simplifies user authentication by allowing access to multiple systems with a
single login, offering convenience and ease of use.
• However, the centralization of access introduces potential risks, as a failure or compromise of the
authentication system could lead to widespread access issues.
• Kerberos is the most widely used SSO protocol, and while SESAME offers improvements, its
adoption has been limited due to Kerberos’ integration into major operating systems.



Single Sign-On (SSO)
• Premise of Single Sign-On (SSO)
• SSO User Experience
• Advantages of SSO
• Disadvantages of SSO
• SSO Process Steps
Premise of Single Sign-On (SSO):
• SSO allows users to authenticate once and gain access to multiple systems without needing to log in repeatedly.
• For example, a user might log in with a username and password or through a two-factor method like Microsoft Authenticator and then access all systems they're authorized to use.
SSO User Experience:
• Users typically favor SSO because it simplifies their login experience. Instead of juggling multiple passwords for different systems, they can use one secure method for all.
• This ease of use can encourage users to create stronger, more secure passwords since they only need to remember one.
Advantages of SSO:
• Convenience: Users need to log in only once to access multiple systems.
• Stronger Security: Users are more likely to use a strong password if they only have one login to worry about.
• Improved User Experience: Simplifies access and reduces login-related friction.
• Centralized Control: SSO systems make it easier for IT administrators to manage access across an organization.
Disadvantages of SSO:
• Single Point of Failure: If the SSO system is compromised, attackers may gain access to all systems. If it goes down, users lose access to everything.
• Security Risks: Centralizing authentication makes it a more attractive target for attackers.
• Legacy Systems: Some older systems may not integrate well with modern SSO setups, leading to security gaps or exclusions.
SSO Process Steps:
1. Login Request: A user requests to log in to an application.
2. Authentication Redirection: If not already authenticated, the user is redirected to the authentication server.
3. Authentication: The user authenticates with knowledge, ownership, or characteristic (or a combination). Upon successful authentication, the user is issued a ticket or token.
4. Ticket/Token Presentation: The user returns to the application and presents the ticket/token.
5. Authorization: If the token is valid, the application authorizes access, and the user can now access the system.
Summary of Pros and Cons:
• Pros: Better user experience, stronger passwords, centralized management, easier enforcement of security policies.
• Cons: Vulnerable to single point of failure, potential compatibility issues with legacy systems, increased risk if compromised.

• Single sign-on (SSO) enhances the user experience by reducing the number of logins, promoting
stronger password usage, and streamlining administrative control.
• However, the system's centralization introduces risks, making it a single point of failure both in terms
of availability and security.
• Proper management and security protocols are essential to mitigate these risks.



Kerberos - 1
• What is Kerberos?
• Main Components of Kerberos
• How Kerberos Works
• Strengths and Disadvantages of Kerberos
What is Kerberos?
• Kerberos is one of the major Single Sign-On (SSO) authentication protocols, originally developed at MIT.
• The name comes from Greek Mythology: Kerberos (or Cerberus) was a three-headed dog that guarded the gates of Hell. Similarly, the Kerberos protocol guards access to resources.
• Kerberos provides three primary functionalities:
  • Authentication
  • Accounting
  • Auditing
Main Components of Kerberos:
• Authentication Service (AS): Authenticates users and provides a Ticket Granting Ticket (TGT).
• Ticket Granting Service (TGS): Issues Service Tickets to access specific resources.
• Key Distribution Center (KDC): A central component that houses both the AS and TGS and manages ticket distribution.
• Tickets: Encrypted messages used to prove identity without sending a password over the network.
How Kerberos Works:
1. Initial Request: Alice (the client) sends an authentication request to the Authentication Service (AS).
2. Ticket Granting Ticket (TGT): The AS verifies Alice's identity and returns two messages:
  1. One encrypted with Alice's password (verifying she knows it).
  2. A Ticket Granting Ticket (TGT) encrypted with the TGS's key, which Alice can't decrypt.
3. Decrypting with Password: Alice decrypts her message using her password, confirming her identity. She then sends the TGT to the Ticket Granting Service (TGS).
4. Service Ticket: The TGS verifies Alice and provides her with a Service Ticket, which she uses to request access to the service.
5. Service Access: Alice presents the Service Ticket to the target service. The service verifies the ticket and grants access.



Kerberos - 2
• What is Kerberos?
• Main Components of Kerberos
• How Kerberos Works
• Strengths and Disadvantages of Kerberos
Strengths and Disadvantages of Kerberos:
• Strengths:
  • Provides Single Sign-On (SSO), meaning users authenticate once and gain access to multiple services.
  • Prevents passwords from being sent across the network in plaintext.
• Disadvantages:
  • Symmetric Encryption Only: Kerberos only supports symmetric encryption (e.g., AES, DES), which can present key distribution challenges.
  • TOCTOU Attacks: Kerberos is vulnerable to Time Of Check Time Of Use (TOCTOU) attacks since only one ticket is used for a session. Frequent re-authentication can mitigate this, but it adds user burden.
  • Ticket Expiration: For high-value systems, frequent ticket expiration is necessary to ensure security, but this can frustrate users who need to log in repeatedly.

• Kerberos is a widely used Single Sign-On (SSO) authentication protocol that ensures
secure access to multiple systems using tickets instead of repeatedly transmitting
passwords. Its major components—the Authentication Service (AS) and Ticket Granting
Service (TGS)—allow for efficient credential verification. However, challenges like key
distribution and the potential for TOCTOU attacks highlight the need for careful
management of ticket lifespans and re-authentication for critical systems.
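Worked example (added here; not MIT Kerberos code or any product's implementation) covering the five-step flow on the Kerberos - 1 page and the ticket-expiration point above: a KDC holding the AS and TGS, a client that only ever decrypts with its own password-derived key, and a service that validates a Service Ticket with its own key alone. The `seal`/`unseal` pair is a standard-library stand-in for Kerberos' AES encryption, string-to-key is reduced to SHA-256 of the password, and the principal names, password, lifetime and timestamps are constructed for the demo.

```python
"""Kerberos ticket flow (AS -> TGT -> TGS -> Service Ticket -> service), simplified.

Added illustration, not MIT Kerberos. seal/unseal are a stdlib-only stand-in
for the protocol's AES encryption; principals, password and times are constructed.
"""
import hashlib
import hmac
import json
import secrets

AUTHENTICATOR_SKEW = 300  # seconds a presented timestamp may differ from the verifier's clock


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, data: dict) -> bytes:
    """Toy authenticated encryption: HMAC keystream XOR plaintext, then a MAC."""
    pt = json.dumps(data).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # simplified string-to-key


class KDC:
    """Key Distribution Center: houses the AS and TGS and every long-term key."""

    def __init__(self, ticket_lifetime: int = 300):
        self.tgs_key = secrets.token_bytes(32)
        self.keys = {}  # principal -> long-term key
        self.lifetime = ticket_lifetime

    def register_user(self, name: str, password: str):
        self.keys[name] = string_to_key(password)

    def register_service(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def as_exchange(self, user: str, now: int):
        """Steps 1-2: a message only the password holder can open, plus a TGT
        sealed under the TGS key, which the client cannot open."""
        session, exp = secrets.token_hex(32), now + self.lifetime
        for_user = seal(self.keys[user], {"tgs_session": session, "expires": exp})
        tgt = seal(self.tgs_key, {"user": user, "tgs_session": session, "expires": exp})
        return for_user, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """Steps 3-4: check the TGT and the authenticator, then issue a Service Ticket."""
        t = unseal(self.tgs_key, tgt)
        if now >= t["expires"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["tgs_session"]), authenticator)
        if a["user"] != t["user"] or abs(now - a["timestamp"]) > AUTHENTICATOR_SKEW:
            raise PermissionError("bad authenticator")
        svc_session, exp = secrets.token_hex(32), now + self.lifetime
        for_user = seal(bytes.fromhex(t["tgs_session"]), {"svc_session": svc_session, "expires": exp})
        ticket = seal(self.keys[service], {"user": t["user"], "svc_session": svc_session, "expires": exp})
        return for_user, ticket


class Client:
    def __init__(self, user: str, password: str):
        self.user, self.key = user, string_to_key(password)  # the password never leaves the client

    def login(self, kdc: KDC, now: int):
        for_me, self.tgt = kdc.as_exchange(self.user, now)
        self.tgs_session = bytes.fromhex(unseal(self.key, for_me)["tgs_session"])  # fails on wrong password

    def service_ticket(self, kdc: KDC, service: str, now: int):
        auth = seal(self.tgs_session, {"user": self.user, "timestamp": now})
        for_me, ticket = kdc.tgs_exchange(self.tgt, auth, service, now)
        svc_session = bytes.fromhex(unseal(self.tgs_session, for_me)["svc_session"])
        return ticket, seal(svc_session, {"user": self.user, "timestamp": now})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """Step 5: the service validates with its own key alone; no KDC round trip."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["svc_session"]), authenticator)
    except ValueError:
        return False
    return now < t["expires"] and a["user"] == t["user"] and abs(now - a["timestamp"]) <= AUTHENTICATOR_SKEW


def demo(password: str = "correct horse", now: int = 1_000_000):
    """Returns (access now, access with the same ticket after expiry, client can
    read its own TGT). Raises ValueError when the password is wrong."""
    kdc = KDC(ticket_lifetime=300)
    kdc.register_user("alice", "correct horse")
    file_key = kdc.register_service("fileserver")
    alice = Client("alice", password)
    alice.login(kdc, now)
    ticket, auth = alice.service_ticket(kdc, "fileserver", now)
    try:
        unseal(alice.key, alice.tgt)
        reads_tgt = True
    except ValueError:
        reads_tgt = False
    return service_accepts(file_key, ticket, auth, now), service_accepts(file_key, ticket, auth, now + 600), reads_tgt


def wrong_password_rejected() -> bool:
    try:
        demo(password="not the password")
    except ValueError:
        return True
    return False
```

Three things worth noticing when running `demo()`: the password is only ever used locally to open the AS reply, so a wrong password fails at the client without anything secret crossing the wire; the client carries the TGT but cannot read it, because it is sealed under the TGS key; and the same Service Ticket stops working once its lifetime has passed, which is the ticket-expiration trade-off the notes describe as the mitigation for TOCTOU exposure.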
SESAME
• What is SESAME?
• Advantages of SESAME over Kerberos
• Why Kerberos is more prevalent
What is SESAME?
• SESAME stands for Secure European System for Applications in a Multi-Vendor Environment.
• It is an improved version of Kerberos and enables Single Sign-On (SSO) like Kerberos, but with additional features.
Advantages of SESAME over Kerberos:
• Supports Symmetric and Asymmetric Cryptography: Unlike Kerberos, which only uses symmetric encryption, SESAME supports both symmetric and asymmetric encryption, which enhances security and solves the problem of key distribution.
• Multiple Tickets: SESAME issues multiple tickets for authentication. This mitigates vulnerability to attacks like Time Of Check Time Of Use (TOCTOU), where a single ticket session could be compromised.
Why Kerberos is more prevalent:
• Despite the advantages of SESAME, Kerberos is more widely used because it is built into prevalent systems like Windows, macOS, Linux, and Unix operating systems.
• Kerberos is also integrated with Active Directory in Windows environments, which makes it easier for organizations using Microsoft ecosystems to adopt.
• SESAME has not been widely adopted, even though it is technically more secure and robust compared to Kerberos.

• SESAME improves upon Kerberos by supporting both symmetric and asymmetric cryptography,
addressing key distribution challenges, and issuing multiple tickets for better security.
• However, Kerberos remains the dominant Single Sign-On (SSO) protocol due to its integration with
widely used operating systems like Windows, macOS, and Linux, particularly through Active
Directory in Windows environments.



CAPTCHA
• What is CAPTCHA?
• Why CAPTCHA is used
What is CAPTCHA?
• CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
• It is a security measure typically used on websites to distinguish between humans and automated programs (bots).
• The test usually involves tasks like reading and entering distorted characters, selecting images with specific objects, or even solving simple logic puzzles.
Why CAPTCHA is used:
• CAPTCHA is primarily used to prevent automated account creation, where bots create multiple accounts on websites, often for malicious purposes.
• It is also used to protect against spam, where bots might send unsolicited messages or post content in comment sections.
• CAPTCHA helps defend against brute-force password decryption attacks, which involve bots trying to guess a user's password by automatically testing many combinations.
• By ensuring that only real humans can proceed through specific sections of websites or forms, CAPTCHA enhances security and user protection.

• CAPTCHA is a widely used security mechanism that protects websites from automated programs or bots by requiring users to complete a simple test, proving they're human.
• This technique helps prevent spam, automated account creation, and brute-force password attacks. It is a simple yet effective way to enhance website security.



Session Management
• Definition of Session Management
• What is session hijacking?
• How to prevent session hijacking
• Session termination methods
Definition of Session Management:
• Session management refers to overseeing and managing user sessions that are created after successful identification, authentication, and authorization processes.
• A session represents the interaction between a user and a system, and it remains active until the user manually logs out or the session automatically terminates.
What is session hijacking?:
• Session hijacking occurs when a malicious actor takes control of a legitimate user's session without their permission.
• Without proper session management, attackers can exploit sessions to gain unauthorized access to systems, posing significant security risks.
How to prevent session hijacking:
• Re-authentication during the session is the best preventive measure for session hijacking. Many systems, such as VPNs, implement continuous re-authentication to ensure that the user remains authorized throughout the session.
• Additionally, session encryption plays a role, as encryption keys can be periodically re-established during the session to further secure the communication.
Session Termination Methods:
• Schedule Limitations: Administrators can set schedule limitations that log users out of a system at a set time (e.g., every evening at 5 p.m.).
• Login Limitation: Prevents simultaneous logins using the same user ID, ensuring that one account cannot be used by multiple individuals concurrently.
• Time-Outs: If a user is inactive for a specific amount of time, the session will automatically expire (time out).
• Screensavers: A screensaver can be triggered after a period of inactivity, requiring the user to re-authenticate to resume the session.

• Session management is critical for ensuring secure, active user sessions. Without it, attackers may
hijack sessions, leading to unauthorized access.
• Effective session management involves frequent re-authentication and session termination methods
like schedule limitations, login restrictions, time-outs, and screensavers to prevent session hijacking
and enhance overall system security.
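Worked example (added here; not part of the original notes or any product) implementing the controls above in one session store: an inactivity time-out, a daily schedule cut-off, a concurrent-login limit per user ID, and periodic re-authentication that also rotates the session token, the session-layer analogue of re-establishing keys mid-session. Time is passed in as unix seconds so the behaviour is deterministic; the defaults (15-minute idle time-out, hourly re-authentication, 17:00 UTC daily logout, one session per user) are assumptions for the demo.

```python
"""Session termination and re-authentication controls.

Added example, not from the notes. Defaults are assumptions; callers pass
the current unix time explicitly so the logic is testable without a clock.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 86_400


@dataclass
class Session:
    user: str
    created: int    # unix seconds when the session was established
    last_seen: int  # last request on this session
    last_auth: int  # last time the user proved identity


class SessionManager:
    def __init__(self, idle_timeout: int = 900, reauth_interval: int = 3600,
                 daily_logout: Optional[int] = 17 * 3600, max_concurrent: int = 1):
        self.idle_timeout = idle_timeout        # time-out / screensaver trigger
        self.reauth_interval = reauth_interval  # forced re-authentication period
        self.daily_logout = daily_logout        # schedule limitation: seconds after midnight UTC
        self.max_concurrent = max_concurrent    # login limitation: sessions per user ID
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: int) -> Optional[str]:
        """Called after successful authentication; None when the user already
        holds the maximum number of concurrent sessions."""
        if sum(1 for s in self._sessions.values() if s.user == user) >= self.max_concurrent:
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user, now, now, now)
        return token

    def _past_daily_cutoff(self, s: Session, now: int) -> bool:
        if self.daily_logout is None:
            return False
        last_cutoff = (now - self.daily_logout) // DAY * DAY + self.daily_logout
        return s.created < last_cutoff  # a scheduled logout time has passed since login

    def check(self, token: str, now: int) -> str:
        """Validate a presented token: 'ok', 'reauth-required', or a termination
        reason ('unknown', 'timed-out', 'schedule-logout'). Terminated sessions
        are dropped at once, so a captured token stops working as well."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.last_seen >= self.idle_timeout:
            del self._sessions[token]
            return "timed-out"
        if self._past_daily_cutoff(s, now):
            del self._sessions[token]
            return "schedule-logout"
        s.last_seen = now
        if now - s.last_auth >= self.reauth_interval:
            return "reauth-required"
        return "ok"

    def reauthenticate(self, token: str, now: int) -> Optional[str]:
        """After the user proves identity again, rotate the token and return
        the new one; the old token is invalid from this point."""
        s = self._sessions.pop(token, None)
        if s is None:
            return None
        s.last_auth = s.last_seen = now
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = s
        return new_token

    def logout(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None
```

The order of the checks matters: an idle or schedule-expired session is removed before anything else is considered, so a token that should already be dead can never be revived by a late request. Rotating the token at re-authentication means that even if an identifier was captured earlier in the session, it is useless after the next forced re-authentication.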



Registration and Proofing of Identity
• Definition of Identity Proofing (Registration)
• When does identity proofing take place?
• Examples of identity proofing
Definition of Identity Proofing (Registration):
• Identity proofing, also known as registration, is the process of verifying that someone is who they claim to be before granting access to resources or systems.
• It is a crucial part of the identity lifecycle and is typically a step in provisioning, ensuring that individuals have the necessary credentials to access systems securely.
When does identity proofing take place?:
• Before access to resources: Identity proofing occurs before individuals are granted access to sensitive resources such as employee accounts, systems, or digital certificates.
• It is often part of onboarding for new employees and happens prior to granting access to organizational assets or issuing badges or credentials.
• Digital certificate issuance: When a user applies for a digital certificate, the Registration Authority (RA) verifies the applicant's identity before the Certificate Authority (CA) issues the certificate.
Examples of Identity Proofing:
• Employee Onboarding: An organization verifies a new employee's identity by asking for government-issued identification such as a passport, driver's license, or national ID card before issuing them an employee badge or access credentials.
• Digital Certificate Issuance: A person applying for a digital certificate may be asked to provide documentation to prove their identity, which the RA will verify before the certificate is issued by the CA.

• Identity proofing (registration) is verifying someone's identity before granting access to important
resources or systems.
• It is a critical step in the identity lifecycle, ensuring that credentials and access are only granted to
individuals whose identities have been properly confirmed.



Authenticator Assurance Levels (AAL)
• Definition of AAL
• AAL Levels Overview
• AAL1: Some Assurance
• AAL2: High Confidence
• AAL3: Very High Confidence
Definition of AAL:
• Authenticator Assurance Levels (AAL) refer to the strength and
robustness of an authentication process.
• AALs are defined by the National Institute of Standards and
Technology (NIST) in their SP 800-63B document, which outlines
different levels based on the assurance provided by the
authentication system.
AAL Levels Overview:
• The levels range from AAL1 (the least secure) to AAL3 (the most
secure).
• Higher AAL levels indicate stronger authentication mechanisms and
higher confidence in the security of the authentication.
AAL1: Some Assurance:
• Single-factor authentication is used at this level.
• A secure authentication protocol is employed but does not require
multifactor authentication.
• This level provides minimal assurance of the authenticity of the
identity, suitable for low-risk transactions.
AAL2: High Confidence:
• Multifactor authentication is required at this level, which
significantly increases security.
• AAL2 uses approved cryptographic techniques to ensure stronger
authentication.
• It provides high confidence in the authentication process, suitable
for moderate-risk environments.
AAL3: Very High Confidence:
• This is the most robust level, where multifactor authentication is
used, and a "hard" cryptographic authenticator is employed to
provide proof of possession of the key.
• Impersonation resistance is required at this level, ensuring that
even sophisticated attackers cannot easily take over accounts.
• AAL3 offers very high confidence and is suitable for high-risk
transactions.

• Authenticator Assurance Levels (AAL) measure the robustness of authentication processes.
• AAL1 offers basic assurance with single-factor authentication; AAL2 adds multifactor authentication
with high confidence.
• AAL3 provides the highest level of confidence with cryptographic methods that resist impersonation,
making it ideal for the most sensitive systems.



Federated Identity Management (FIM)
• Definition of FIM
• Single Sign-On vs. FIM
• Trust Relationships in FIM
• Key Components of FIM
Definition of FIM:
• Federated Identity Management (FIM) allows a user to authenticate
once and gain access to systems across multiple organizations.
• It extends the concept of Single Sign-On (SSO) beyond one
organization by allowing cross-organizational authentication.
• FIM enables the secure sharing of identity data between trusted
entities.
Single Sign-On vs. FIM:
• Single Sign-On (SSO) allows users to authenticate once to access
multiple systems within a single organization.
• FIM goes a step further, enabling authentication across systems
belonging to multiple organizations. For example, if you log into a
service provided by your bank and can also access a payment
provider's system without re-authentication, FIM is at work.
Trust Relationships in FIM:
• FIM relies heavily on trust relationships between entities. These
relationships allow identities to be shared and recognized across
different systems without needing multiple authentication events.
Key Components of FIM:
1. Principal/User:
• This is the person who wants to access a system. The user
only needs to authenticate once, after which they can access
multiple systems without re-authenticating.
2. Identity Provider (IdP):
• The identity provider is the entity that verifies the user's
identity. It owns the identity data and performs the
authentication. For example, your workplace's
authentication server acts as the IdP when you access
internal systems.
3. Relying Party (RP):
• Also known as the service provider, the relying party trusts
the identity provider's authentication of the user. After the IdP
authenticates the user, the relying party allows access to its
system without requiring a separate authentication event.

• Federated Identity Management (FIM) enables cross-organizational access through a single
authentication event, extending the functionality of SSO across multiple organizations.
• FIM relies on a trust relationship between the user (principal), the identity provider (IdP), and the
service provider (relying party).



Federated Identity Management (FIM)
• Definition of FIM
• FIM vs. SSO
• Trust Relationships in FIM
• Components of Federated Access
Definition of FIM:
• Federated Identity Management (FIM) allows users to authenticate
once and access multiple systems across various organizations, unlike
Single Sign-On (SSO), which is restricted to systems within a single
organization.
FIM vs. SSO:
• SSO provides access to multiple systems within one organization using
one-time authentication.
• FIM extends SSO capabilities across multiple organizations, allowing
access to external systems, such as logging into Pinterest using a
Google account.
Trust Relationships in FIM:
• FIM depends on trust relationships between different entities.
• For example, when travelling by air, a security check performed at one
airport is trusted by another airport in a different location, even though
both are run by separate organizations.
Components of Federated Access:
1. Principal/User:
• The user or principal who wants to access a system (e.g., a
user logging into Pinterest using their Google account).
2. Identity Provider (IdP):
• The identity provider authenticates the user's identity (e.g.,
Google authenticating the user).
3. Relying Party (RP):
• The relying party, also called the service provider, trusts the
authentication performed by the IdP (e.g., Pinterest trusting
Google's authentication of the user).

• Federated Identity Management (FIM) allows for one-time authentication across multiple
organizations by leveraging trust relationships between the user (principal), identity provider (IdP),
and relying party (RP).
• This system provides convenience by reducing the need for multiple logins and passwords while
maintaining a secure flow of information across disparate systems.



SAML and its Importance in Federated Identity Management (FIM) - 1
• SAML Overview
• Authentication and Authorization Process
• SAML Assertion Ticket
• Key Components of SAML
• Important Characteristics of SAML
SAML Overview:
• Security Assertion Markup Language (SAML) is a critical protocol in
Federated Identity Management (FIM), providing authentication and
authorization services. It allows a user to authenticate once via an
identity provider and gain access to multiple services.
Authentication and Authorization Process:
1. User Requests Access:
• A user (principal) who is not logged in requests access to a
service from a service provider. The request is redirected to
the identity provider for authentication.
2. Identity Provider Authenticates User:
• The identity provider verifies the user's identity through
standard identification and authentication procedures. Once
authenticated, the user is issued a SAML assertion ticket.
3. SAML Assertion Ticket:
• The assertion ticket is sent to the user, but it does not contain
sensitive information like the user's password. Instead, it
contains assertion statements about the user (e.g.,
username, role).
4. Service Provider Authorization:
• The user passes the assertion ticket to the service provider
(relying party). The service provider evaluates the assertions
and makes an authorization decision based on the provided
information, determining the level of access the user will
have.



SAML and its Importance in Federated Identity Management (FIM) - 2
• SAML Overview
• Authentication and Authorization Process
• SAML Assertion Ticket
• Key Components of SAML
• Important Characteristics of SAML
SAML Assertion Ticket:
• A SAML assertion ticket is a token containing assertions or statements
about the user. It is used by the service provider to make decisions
regarding authorization.
Key Components of SAML:
1. Assertion:
• Provides details on authentication, authorization, and other
user attributes.
2. Protocol:
• Defines how requests and responses are structured
between entities.
3. Bindings:
• Maps SAML messages onto standard communication
protocols (e.g., HTTP).
4. Profiles:
• Specifies how SAML is used for various business use cases
like Web SSO or LDAP.
Important Characteristics of SAML:
• SAML Assertion Tickets:
• SAML relies on tokens, called assertion tickets, to
communicate the user's authentication and authorization
details.
• Written in XML:
• SAML assertions are written in Extensible Markup Language
(XML), a machine- and human-readable format that ensures
interoperability across different systems.

• SAML is a crucial protocol in Federated Identity Management, enabling secure authentication and
authorization across multiple service providers.
• It uses SAML assertion tickets to communicate user information without revealing sensitive details
like passwords.
• SAML’s components (assertions, protocols, bindings, profiles) make it versatile for different
business use cases, and its use of XML ensures both human and machine readability.
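The service-provider side of step 4 above (evaluating the assertion ticket and deciding access) as an added example, not code from the notes: the assertion XML, issuer, audience and role mapping are constructed, and the XML-DSig signature check that a real SAML library performs first is assumed to have already passed.

```python
"""Service-provider-side evaluation of a SAML assertion ticket.
Added example, not from the notes: the assertion XML, issuer, audience and
role mapping are constructed. A real assertion is signed (XML-DSig); this
code assumes the signature was already verified by the SAML library."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what an IdP issues after authenticating "jdoe":
# identity, validity conditions and role attributes, never the password.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-06-03T09:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-06-03T09:00:00Z" NotOnOrAfter="2024-06-03T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-06-03T08:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>finance-analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Service-provider (relying party) configuration, constructed for the example.
TRUSTED_ISSUERS = {"https://idp.example.org/"}
MY_AUDIENCE = "https://sp.example.com/"
ROLE_ACCESS = {
    "finance-analyst": {"reports:read"},
    "finance-admin": {"reports:read", "reports:write"},
}


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps used in SAML conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text: str, now_utc: str):
    """Validate the assertion and map its role attribute to permissions.
    Returns (decision, subject, permissions); decision is 'permit' or the
    reason the ticket was rejected."""
    root = ET.fromstring(xml_text)
    now = _ts(now_utc)
    # Only assertions from an IdP this SP trusts are accepted.
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return "untrusted-issuer", None, set()
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return "missing-conditions", None, set()
    # Validity window: NotBefore <= now < NotOnOrAfter limits replay.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return "expired", None, set()
    # Audience restriction: a ticket issued for another SP must not be honoured.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if MY_AUDIENCE not in audiences:
        return "wrong-audience", None, set()
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject or root.find("saml:AuthnStatement", NS) is None:
        return "not-authenticated", None, set()
    # Authorization decision from the asserted role attribute.
    perms = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "role":
            for value in attr.findall("saml:AttributeValue", NS):
                perms |= ROLE_ACCESS.get(value.text, set())
    return "permit", subject, perms
```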



Accountability and the Principle of Access Control
• Accountability in Access Control
• Principle of Access Control
• Steps to Achieve Accountability
Accountability in Access Control:
• Accountability is fundamental to access control and refers to ensuring
that actions within a system can be traced back to a responsible
individual or entity.
Principle of Access Control:
• The Principle of Access Control is synonymous with accountability.
• It ensures that individuals who access or modify system resources can
be held responsible for their actions.
• Without accountability, there is no reliable way to trace misuse or errors
within a system.
Steps to Achieve Accountability:
1. Unique Identification of Users:
• Every user accessing the system must have a unique identity
that differentiates them from others.
• This is critical for tracking actions back to the correct user.
• Example: Assigning a unique username to each employee.
2. Proper Authentication:
• Users must be authenticated before gaining access to any
system resources.
• This ensures that the person using the identity is actually who
they claim to be.
• Example: Requiring a password, smart card, or biometric scan
for login.
3. Authorization:
• Once authenticated, users must be granted appropriate
permissions based on their role or need-to-know.
• This ensures users only access what they are allowed to,
preventing misuse.
• Example: Restricting access to financial data to only authorized
personnel.
4. Logging and Monitoring:
• All actions performed by users should be logged and
monitored for later review.
• This ensures that a history of user actions exists for audit
purposes, enabling investigations into any suspicious behavior.
• Example: Recording system login times, file modifications, and
data access in audit logs.

• The Principle of Access Control is achieved through accountability, which requires identifying,
authenticating, authorizing, and monitoring users.
• These measures ensure that all actions within a system can be traced back to the responsible
individual, which is crucial for security, audits, and compliance.



Just-in-time (JIT) Access
• Definition of Just-in-time Access
• Purpose of Just-in-time Access
• Benefits and Risks
Definition of Just-in-time Access:
• Just-in-time (JIT) access is a security approach where a user is temporarily
granted elevated privileges for a specific period of time to complete tasks
that require higher access levels.
• These tasks are usually infrequent and limited in scope.
Purpose of Just-in-time Access:
• JIT access aims to reduce security risks by limiting the amount of time a user
has elevated privileges.
• This ensures that elevated permissions are not held long-term, thus reducing
the potential for misuse or accidental actions.
Example:
• A finance manager needs to access a sensitive database once a month to
generate financial reports. Instead of having constant access to the
database, the manager's privileges are elevated for the specific time window
during which they need to complete the task.
Benefits of Just-in-time Access:
1. Minimizes Long-term Privilege Risks:
• By granting elevated access only when needed, JIT access prevents
users from having continuous administrative or privileged access,
which could be exploited in the case of an insider threat or account
compromise.
2. Automated and Efficient:
• Many JIT systems are automated, allowing for automatic elevation
of privileges based on predefined criteria (e.g., a scheduled report
or request). This removes the need for manual intervention while still
maintaining tight security controls.
3. Reduces Attack Surface:
• By limiting access time, the window of opportunity for an attacker
to exploit privileged accounts is significantly reduced.
4. Compliance and Auditing:
• JIT access supports compliance efforts by ensuring that access
control principles (like least privilege and need-to-know) are
enforced. Logs of when privileges were elevated are kept for auditing
purposes.
Risks of Long-term Privilege Elevation:
• Without JIT access, a user who holds continuous elevated privileges
increases the risk of misuse, data breaches, or administrative errors that
could expose sensitive data.

• Just-in-time (JIT) access enhances security by granting temporary elevated privileges to users only
when they are needed.
• This reduces the risks associated with long-term elevated access, minimizes the attack surface, and
supports compliance through proper logging and auditing.
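The finance-manager scenario above, combined with the four accountability steps (unique ID, authentication, authorization, logging) from the previous section, as an added example that is not part of the notes: a small JIT broker that grants a time-boxed privilege and writes every decision to an audit trail. User IDs, secrets, roles and policy values are constructed, and the in-memory credential store stands in for a real identity provider.

```python
"""Just-in-time privilege elevation with an audit trail. Added example for
the Accountability and JIT passages; user IDs, secrets, roles and policy
values are constructed and the credential store is a stand-in for an IdP."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ELEVATION = timedelta(hours=2)          # hard cap on any elevation window


def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed directory: unique user ID -> (secret hash, base role).
USERS = {
    "fin.manager": (_h("correct horse"), "finance"),
    "dev1": (_h("battery staple"), "developer"),
}
# Which base roles may be elevated to which privilege.
ELEVATION_POLICY = {"db:finance:read": {"finance"}}


@dataclass
class Grant:
    user_id: str
    privilege: str
    start: datetime
    end: datetime
    reason: str


class JitBroker:
    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[dict] = []           # every decision, tied to a user ID

    def _log(self, user_id: str, event: str, **detail) -> None:
        self.audit.append({"user": user_id, "event": event, **detail})

    def authenticate(self, user_id: str, secret: str) -> bool:
        """Accountability step 2: prove the identity before anything else."""
        record = USERS.get(user_id)
        ok = record is not None and hmac.compare_digest(record[0], _h(secret))
        self._log(user_id, "authentication", success=ok)
        return ok

    def request_elevation(self, user_id: str, secret: str, privilege: str,
                          duration: timedelta, reason: str, now: datetime) -> bool:
        """Grant a time-boxed privilege if the caller authenticates and the
        policy allows their role to hold it; the window never exceeds the cap."""
        if not self.authenticate(user_id, secret):
            return False
        role = USERS[user_id][1]
        if role not in ELEVATION_POLICY.get(privilege, set()):   # authorization
            self._log(user_id, "elevation-denied", privilege=privilege, role=role)
            return False
        duration = min(duration, MAX_ELEVATION)
        self.grants.append(Grant(user_id, privilege, now, now + duration, reason))
        self._log(user_id, "elevation-granted", privilege=privilege,
                  until=(now + duration).isoformat(), reason=reason)
        return True

    def has_privilege(self, user_id: str, privilege: str, now: datetime) -> bool:
        """Check at use time; expired grants simply stop working."""
        active = any(g.user_id == user_id and g.privilege == privilege
                     and g.start <= now < g.end for g in self.grants)
        self._log(user_id, "access-check", privilege=privilege, granted=active)
        return active

    def revoke(self, user_id: str, privilege: str, now: datetime) -> None:
        """End a grant early, e.g. when the task finishes."""
        for g in self.grants:
            if g.user_id == user_id and g.privilege == privilege and g.end > now:
                g.end = now
        self._log(user_id, "elevation-revoked", privilege=privilege)
```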



Identity as a Service (IDaaS)
• Definition of Identity as a Service (IDaaS)
• Capabilities of IDaaS
• Types of Identities in IDaaS
• Risks of IDaaS
Definition of Identity as a Service (IDaaS):
• IDaaS refers to identity management services hosted in a cloud-based
environment, where critical functions like identification, authentication,
authorization, and access control are managed. The core premise is to
handle these identity functions centrally but accessible via the cloud.
Why IDaaS is used:
• Organizations use IDaaS to simplify identity management, particularly for
cloud-based and hybrid environments. IDaaS ensures consistent and
secure management of user identities, regardless of whether resources are
on-premises or in the cloud.
Capabilities of IDaaS:
1. Provisioning: Automated setup and management of user accounts across
cloud and on-premises environments.
2. Administration: Management of identity lifecycle and access controls.
3. Single Sign-On (SSO): Allowing users to authenticate once and gain
access to multiple systems.
4. Multifactor Authentication (MFA): Adding a layer of security by requiring
two or more factors to verify identity.
5. Directory Services: Managing user identities, credentials, and other
information in both on-premises and cloud environments.
Types of Identities in IDaaS:
• Cloud Identity: Identity created and managed in the cloud, authenticated
by a cloud service.
• Synced Identity: Identity created locally (e.g., via Active Directory) and
synced to the cloud.
• Linked Identity: Two separate accounts, one local and one cloud-based,
that are linked together for access.
• Federated Identity: Managed by a third-party Identity Provider (IdP) and
allows for federated access.
Risks of IDaaS:
1. Availability Risks: If the IDaaS provider suffers an outage, users may be
unable to authenticate or access services.
2. Data Protection Risks: Sensitive identity information must be securely
managed by the third-party IDaaS provider, requiring strong encryption
and compliance with data protection regulations.
3. Trust Risks: Trusting a third party to handle the organization's sensitive or
proprietary identity data introduces potential risks related to control,
security, and regulatory compliance.

• IDaaS offers cloud-based identity management services that centralize and simplify user
authentication, provisioning, and administration across cloud and on-premises environments.
• While it enhances security and operational efficiency, organizations must assess availability, data
protection, and trust risks when relying on third-party providers for critical identity functions.



Identity and Access Management (IAM) Solutions
• On-Premises IAM Solutions
• Cloud-Based IAM Solutions
• Hybrid IAM Solutions
On-Premises IAM Solutions:
• These systems are managed and controlled entirely by the
organization within its private infrastructure.
• Not dependent on internet connectivity, making them a more
reliable option in environments where internet outages are common.
• Security is typically stronger due to control over all aspects of the
system, including hardware, software, and network protections.
• Example: A large corporation that houses its own data centers and
manages its own Active Directory for all employees.
Cloud-Based IAM Solutions:
• IAM services are provided through a cloud service provider.
• Leverages Federated Identity protocols like SAML to integrate
cloud-based services with the organization's existing identity
credentials, allowing seamless authentication.
• Availability risk exists since access to identity services depends on
the availability of the cloud provider.
• Security concerns arise due to the multitenant nature of cloud
infrastructure, where multiple organizations share the same
underlying resources.
• Example: A startup using AWS IAM for cloud-based applications and
storage.
Hybrid IAM Solutions:
• Combines the best features of both on-premises and cloud-based
IAM.
• Allows greater flexibility and scalability, making it ideal for
organizations that are dynamic or growing rapidly.
• A hybrid approach ensures that mission-critical applications and
sensitive information remain on-premises, while other less sensitive
services can be managed in the cloud.
• Example: An organization that uses on-premises IAM for internal
applications and cloud-based IAM for external services like Microsoft
Azure Active Directory.

• IAM solutions can be implemented using on-premises, cloud-based, or hybrid models. On-
premises systems offer more control and security but lack the flexibility of cloud-based solutions.
• Cloud IAM offers scalability and remote access but comes with risks of availability and multitenancy.
• Hybrid IAM solutions blend the strengths of both models to provide flexibility and control, making
them ideal for organizations with evolving needs.



Identity and Access Management Solutions (IAM) and IDaaS Risks
• On-Premises IAM Solutions
• Cloud-Based IAM Solutions
• Hybrid IAM Solutions
• IDaaS Risks
On-Premises IAM Solutions:
• Managed by the organization within its own infrastructure.
• Not reliant on the internet, ensuring continued functionality during internet
outages.
• Provides higher security control since the organization manages all IAM
components directly.
• Example: A bank running its identity management from its internal data
centers.
Cloud-Based IAM Solutions:
• Hosted by a cloud service provider, leveraging protocols like SAML for
federated access.
• Facilitates remote access and scalability, which is advantageous for
organizations with geographically dispersed users.
• Subject to availability risks: if the cloud service goes down, users may lose
access to critical systems.
• Example: A company using Microsoft Azure Active Directory for external cloud
apps.
Hybrid IAM Solutions:
• Combines on-premises and cloud-based IAM features.
• Provides flexibility and scalability, ideal for growing organizations with diverse
needs.
• Sensitive systems are managed on-premises, while cloud services handle less
sensitive operations.
• Example: An enterprise running internal HR systems on-premises while
integrating cloud-based apps like Office 365.
IDaaS Risks:
• Availability of Service: If the cloud provider suffers an outage, users may not
be able to access their systems.
• Example: If an IDaaS provider experiences downtime, employees might not be
able to log into key platforms.
• Protection of Critical Identity Data: The cloud provider is responsible for
safeguarding sensitive data like Personally Identifiable Information (PII).
• Example: A data breach at the cloud provider could expose users' personal
and authentication data.
• Trusting a Third Party with Sensitive Information: Entrusting proprietary
information to a third-party provider can pose risks if data protection controls
are inadequate.
• Example: Intellectual property might be vulnerable if the cloud provider's
security practices are not robust enough.

• IAM solutions can be deployed through on-premises, cloud, or hybrid models, each with varying
degrees of control, security, and flexibility.
• On-premises solutions provide more direct control, while cloud IAM solutions offer scalability but
come with availability risks.
• Hybrid IAM solutions offer the best of both worlds.
• In the context of IDaaS, organizations should be aware of risks related to service availability, data
protection, and third-party trust, ensuring that safeguards are in place to mitigate these
vulnerabilities.
Authorization Mechanisms - 1
• Discretionary Access Control (DAC)
• Rule-based Access Control
• Role-based Access Control
• Attribute-based Access Control (ABAC)
• Context-based and Risk-based Access Control
• eXtensible Access Control Markup Language (XACML)
Discretionary Access Control (DAC):
• The asset owner determines access and grants permissions based on
their discretion.
• Flexibility is key, but it can lead to security risks as owners might
accidentally give broad access.
• Example: A file owner allowing a colleague to read or modify a file based
on their judgment.
Rule-based Access Control:
• Access is controlled by rules set by administrators.
• Can be highly granular, providing specific access based on conditions,
such as time of day or network location.
• Administrative overhead is high due to the need for constant rule
updates.
• Example: Firewall rules that only allow access to certain servers during
business hours.
Role-based Access Control (RBAC):
• Access is granted based on roles or job functions within an
organization.
• Simplifies administration by assigning users to roles with predefined
permissions.
• Scalability is a major advantage, especially in large organizations.
• Example: An IT administrator role that automatically grants access to
system management tools.
Attribute-based Access Control (ABAC):
• Access decisions are made based on multiple attributes, such as job
function, device type, working hours, and security clearance.
• Provides fine-grained control over access, ensuring only users with
specific attributes can access certain resources.
• Example: A user accessing sensitive data only during work hours from a
corporate device with proper security patches.



Authorization Mechanisms - 2
• Discretionary Access Control (DAC)
• Rule-based Access Control
• Role-based Access Control
• Attribute-based Access Control (ABAC)
• Context-based and Risk-based Access Control
• eXtensible Access Control Markup Language (XACML)
Context-based Access Control:
• Contextual factors like location or network type determine access.
• Often implemented in firewall rules to allow or block connections based
on whether they originate from within or outside the organization.
• Example: Allowing VPN access only to employees connecting from
specific geographic regions.
Risk-based Access Control:
• Dynamic access control based on the risk profile of a connection.
• Looks at factors such as IP address, time of access, and location to
assess risk, and additional authentication may be required for high-risk
connections.
• Example: A user trying to access sensitive systems from an unusual
location may be prompted for multi-factor authentication (MFA).
eXtensible Access Control Markup Language (XACML):
• A standard language used to define and enforce attribute-based
access control (ABAC).
• XACML enables flexible policy enforcement based on the attributes
defined in an organization's access control policy.
• Example: A cloud service provider using XACML to define access policies
for different user groups and devices.

• Authorization mechanisms vary from Discretionary Access Control (DAC), where asset owners
grant permissions, to more structured approaches like Rule-based, Role-based, and Attribute-
based Access Control (ABAC).
• Context-based and Risk-based access controls provide dynamic and adaptive security measures,
adjusting based on the connection's environment or perceived risk.
• Tools like XACML enable organizations to enforce sophisticated access policies, particularly in
complex environments requiring fine-grained controls.



Access Control Types
• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
• Rule-Based Access Control
• Attribute-Based Access Control (ABAC)
• Mandatory Access Control (MAC)
• Risk-Based Access Control
Discretionary Access Control (DAC):
• Owner-driven: The owner of an asset decides who can access it and what
permissions they have.
• Flexible but risky: While flexible, DAC can lead to security vulnerabilities if
owners give broad access rights inadvertently.
• Example: A project manager granting team members access to a specific
folder.
Role-Based Access Control (RBAC):
• Role-centric: Access is determined by the user's role within the organization.
• Simplifies management: Users assigned to specific roles (e.g., admin,
finance, HR) gain predefined permissions.
• Example: A systems administrator automatically has access to network
configuration tools due to their role.
Rule-Based Access Control:
• Rule-driven: Access is based on predefined rules such as Access Control
Lists (ACLs) or firewall rules.
• Highly granular: This approach can be very specific, but it requires regular
updating to stay relevant.
• Example: A firewall rule that only allows access to a network between 9 AM
and 6 PM.
Attribute-Based Access Control (ABAC):
• Attribute-centric: Decisions are based on multiple user attributes like job
role, location, time, and device security.
• Highly flexible and suitable for dynamic environments, providing very fine-
grained access control.
• Example: A user can only access sensitive files if they are using a company-
approved device and are physically located within the office.
Mandatory Access Control (MAC):
• System-enforced: Access is determined by the system using security labels
or classifications, such as Top Secret or Confidential.
• High security, less flexibility: Typically used in government or military
settings where classification levels dictate access.
• Example: An employee can only view classified documents if they hold a
security clearance that matches the classification of the document.
Risk-Based Access Control:
• Dynamic control: Factors like the IP address, time of access, and location
are evaluated to assess the risk of a user's request.
• Adaptive security: Based on the perceived risk, additional security measures
(such as multi-factor authentication) may be required.
• Example: A remote access request from a previously unseen location might
trigger an extra authentication step.

• The different types of access control provide varying levels of security, flexibility, and management
complexity.
• Discretionary Access Control (DAC) offers flexibility but can be risky, while Role-Based Access Control
(RBAC) simplifies management by aligning permissions with roles.
• Rule-based and Attribute-based access controls (ABAC) provide greater granularity and adaptability.
• Mandatory Access Control (MAC) offers strong security in highly classified environments.
• Risk-Based Access Control provides dynamic responses based on user behavior and context. Each
method should be chosen based on the specific security needs and risk profile of the organization.
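To show how these mechanisms (and those in the two Authorization Mechanisms pages) combine in one decision, here is an added example that is not from the notes: a policy decision point applying DAC, RBAC, MAC, rule/context-based, ABAC and risk-based checks in turn. All users, roles, labels and policy thresholds are constructed.

```python
"""Policy decision point combining the mechanisms from the Authorization
Mechanisms and Access Control Types sections: DAC (owner ACL), RBAC, MAC
(label dominance), rule/context-based (business hours), ABAC (device
attributes) and risk-based step-up. Added example; all users, roles,
labels and policy values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime

# MAC: a subject may read an object only if its clearance dominates the label.
CLEARANCE_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
# RBAC: permissions carried by each role.
ROLE_PERMS = {
    "finance-analyst": {"report:read"},
    "db-admin": {"db:configure", "report:read"},
}
# Risk-based: locations already seen for each user (constructed history).
KNOWN_LOCATIONS = {"alice": {"HQ"}, "bob": {"HQ"}}


@dataclass
class Subject:
    user_id: str
    role: str
    clearance: str
    device_managed: bool      # ABAC: company-issued device
    device_patched: bool      # ABAC: security patches applied
    location: str
    network: str              # "corporate" or "internet"
    mfa_done: bool = False


@dataclass
class Resource:
    name: str
    permission: str           # permission needed for this request
    label: str                # MAC classification
    acl: dict = field(default_factory=dict)   # DAC: owner-granted user -> perms


def decide(subject: Subject, resource: Resource, now: datetime) -> str:
    """Return 'permit', 'deny' or 'step-up' (extra authentication needed)."""
    # 1. DAC or RBAC: an owner ACL entry or the role must carry the permission.
    granted = resource.acl.get(subject.user_id, set()) | ROLE_PERMS.get(subject.role, set())
    if resource.permission not in granted:
        return "deny"
    # 2. MAC: clearance must dominate the object's classification.
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[resource.label]:
        return "deny"
    # 3. Rule/context-based: classified data only on weekdays 09:00-18:00.
    if CLEARANCE_RANK[resource.label] >= 1:
        if now.weekday() >= 5 or not (9 <= now.hour < 18):
            return "deny"
    # 4. ABAC: device attributes must be acceptable.
    if not (subject.device_managed and subject.device_patched):
        return "deny"
    # 5. Risk-based: score the connection; high risk needs MFA first.
    risk = 0
    if subject.location not in KNOWN_LOCATIONS.get(subject.user_id, set()):
        risk += 2                          # never-seen location
    if subject.network != "corporate":
        risk += 1                          # off the corporate network
    if risk >= 2 and not subject.mfa_done:
        return "step-up"
    return "permit"
```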
Discretionary Access Control (DAC)
• Discretionary Access Control (DAC) Definition
• Rule-Based Access Control (DAC Type 1)
• Role-Based Access Control (RBAC) (DAC Type 2)
• Attribute-Based Access Control (ABAC) (DAC Type 3)
Discretionary Access Control (DAC):
• Owner-driven access control: The asset owner determines who can
access an asset and the level of access, based on their discretion.
• Flexibility and accountability: Since the owner is responsible for the
asset, they are in the best position to determine access, which fosters
accountability.
• Best practice: Encouraged in environments where asset owners are
knowledgeable and directly responsible for the data or system.
• Example: A document owner granting specific team members "read"
access while granting others "edit" access.
Rule-Based Access Control (DAC Type 1):
• Rule-centric: Access to an object is determined based on specific rules
set by the asset owner.
• Highly structured: Owners can create detailed rules for granting or
denying access based on various criteria.
• Example: An owner might create a rule that allows access only during
business hours, restricting access outside of this timeframe.
Role-Based Access Control (RBAC) (DAC Type 2):
• Role-centric: Access is determined by the user's job role or function
within the organization.
• Simplified management: The owner grants access based on predefined
roles rather than individual user permissions.
• Example: A database administrator automatically gets permission to
modify database configurations, while a finance analyst only gets access
to financial reports.
Attribute-Based Access Control (ABAC) (DAC Type 3):
• Attribute-driven: Access is controlled based on multiple attributes,
such as the user's job function, device used, time of day, and more.
• Granular control: Allows very specific and fine-grained access controls,
enhancing security by considering various contextual factors.
• Example: A user accessing sensitive financial data may need to be using
a company-issued laptop, be on the corporate network, and be working
within business hours to gain access.

• Discretionary Access Control (DAC) allows the owner of an asset to determine who can access it
and under what conditions.
• DAC provides flexibility, enabling owners to use rules, roles, or attributes to control access, making
it adaptable to different environments.
• Rule-Based, Role-Based, and Attribute-Based access controls provide different levels of
granularity and flexibility, with ABAC offering the most detailed control by factoring in multiple user
and asset attributes.

Cornell Notes by Col Subhajeet Naha, Retd, CISSP 2024


Types of Discretionary Access Control (DAC)
• Rule-Based Access Control (DAC Type 1)
• Role-Based Access Control (RBAC) (DAC Type 2)
• Attribute-Based Access Control (ABAC) (DAC Type 3)

Rule-Based Access Control:
• How it works: Access is determined by specific rules created by the asset owner. Each rule dictates who can perform certain actions on specific resources.
• Granularity: Allows precise control over what users can do with various resources, making it very granular but administratively intensive.
• Example: Alice can only read Bob’s directory, but she has both read and write access to her home directory.
• Pro: Provides detailed and customizable access control.
• Con: High administrative overhead due to the need for creating and managing multiple rules for every user/resource combination.

Role-Based Access Control (RBAC):
• How it works: Access is based on user roles or job functions within the organization. Users assigned to a role inherit that role's permissions.
• Simplifies management: Reduces overhead by assigning permissions to roles instead of managing each user individually. This makes it easier to administer permissions for large groups of users.
• Example: Call center agents all receive the same permissions based on their shared role in the organization.
• Pro: Great for organizations with clear roles, such as call centers or departments with uniform responsibilities.
• Con: Can become complex in organizations with many roles or overlapping job functions, potentially creating more roles than employees.

Attribute-Based Access Control (ABAC):
• How it works: Access is determined by a set of attributes such as the user’s job role, device type, location, time of access, and asset classification.
• Granular and context-based: ABAC allows access decisions based on a wide range of factors, making it ideal for cloud environments where applications are accessible from different locations and devices.
• Example: A user may need to be using a company-issued device, be on the corporate network, and working during business hours to gain access to sensitive data.
• Pro: Offers the most detailed control, especially useful in dynamic cloud environments where access decisions require more contextual factors.
• Con: Can be complex to implement and manage, as it requires defining and maintaining many different attributes and policies.

• Each type of Discretionary Access Control (DAC) has its own strengths and weaknesses. Rule-Based Access Control is highly granular but can be cumbersome to manage.
• Role-Based Access Control (RBAC) simplifies management through roles but may become complex in organizations with many roles.
• Attribute-Based Access Control (ABAC) offers the most detailed and context-sensitive control, making it highly useful for cloud environments, but it can be complex to administer due to the need for defining multiple attributes and policies.
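Worked example (added here; it is not from the notes): Python code for the first two DAC variants above. The rule-based store only accepts rules written by the resource owner and needs one rule per user/resource pair, which is the administrative overhead the notes describe; the role-based store attaches permissions to a role so that fifty call center agents need a single role definition. The directory names, the `call_center_agent` role and the agent count are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One owner-authored rule: `subject` may perform `actions` on `obj`."""
    subject: str
    obj: str
    actions: frozenset


class RuleBasedStore:
    """Rule-based DAC: access exists only where the resource owner wrote a rule,
    one rule per user/resource combination (granular, but every pair needs one)."""

    def __init__(self):
        self.owners = {}   # resource -> owning user
        self.rules = []    # list of Rule

    def register(self, resource, owner):
        self.owners[resource] = owner

    def grant(self, granting_user, subject, resource, actions):
        # Discretionary: only the owner of the resource may write rules for it.
        if self.owners.get(resource) != granting_user:
            raise PermissionError(f"{granting_user} does not own {resource}")
        self.rules.append(Rule(subject, resource, frozenset(actions)))

    def allowed(self, subject, action, resource):
        # The owner implicitly holds every right on their own resource.
        if self.owners.get(resource) == subject:
            return True
        return any(r.subject == subject and r.obj == resource and action in r.actions
                   for r in self.rules)


class RoleBasedStore:
    """RBAC: permissions attach to roles; a user inherits them by assignment."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (action, resource)
        self.user_roles = {}   # user -> set of roles

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, action, resource):
        return any((action, resource) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, ()))


def demo_rule_based():
    """The notes' example: Alice may only read Bob's directory but has
    read and write on her own home directory (constructed paths)."""
    store = RuleBasedStore()
    store.register("/home/alice", "alice")
    store.register("/home/bob", "bob")
    store.grant("bob", "alice", "/home/bob", {"read"})   # Bob, as owner, decides
    return {
        "alice_reads_bob": store.allowed("alice", "read", "/home/bob"),
        "alice_writes_bob": store.allowed("alice", "write", "/home/bob"),
        "alice_writes_own": store.allowed("alice", "write", "/home/alice"),
    }


def demo_role_based(n_agents=50):
    """The notes' call center example: every agent inherits one role's
    permissions, so n_agents users need one role rather than n_agents rule sets."""
    store = RoleBasedStore()
    store.define_role("call_center_agent", {("read", "crm"), ("update", "ticket")})
    for i in range(n_agents):
        store.assign(f"agent{i}", "call_center_agent")
    return {
        "agent7_reads_crm": store.allowed("agent7", "read", "crm"),
        "agent7_deletes_crm": store.allowed("agent7", "delete", "crm"),
        "role_definitions": len(store.role_perms),
        "users_covered": len(store.user_roles),
    }
```

The `grant` check is the discretionary part: a non-owner calling it raises `PermissionError`, so the accountability the notes attach to the owner is enforced in code rather than by convention.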


eXtensible Access Control Markup Language (XACML)
• Purpose of XACML
• Components of XACML
• Use of XACML in ABAC

Purpose of XACML:
• Definition: XACML stands for eXtensible Access Control Markup Language. It is a standard designed to define and enable attribute-based access control (ABAC).
• Primary Role: XACML provides a way to create and manage access control policies based on attributes. It helps implement ABAC in a standardized and interoperable manner.
• Functionality: XACML defines a policy language, architecture, and processing model for ABAC. This allows systems to enforce access control based on attributes like user roles, device types, time of access, and more.
• Example: In a corporate network, XACML could be used to enforce policies that only allow access to a specific database if a user is in a particular location, using a secure device, and performing tasks within certain hours.

Components of XACML:
• Policy Language: Defines access control policies using attributes. This language is flexible and allows for complex rule sets to govern access.
• Architecture: Provides a framework for attribute-based decisions. It includes various components such as a Policy Decision Point (PDP) and Policy Enforcement Point (PEP).
• Processing Model: Specifies how requests are processed, how policies are evaluated, and how access decisions are made based on those policies.

Use of XACML in ABAC:
• Standardization: XACML allows organizations to implement ABAC in a consistent and interoperable manner across different systems and environments.
• Scalability: It is designed to scale with large, dynamic environments, such as cloud-based systems, where access rules need to be more dynamic and context-aware.
• Example: An organization might use XACML to grant access to certain financial records based on a user’s department, job function, and clearance level. The access control policy would be defined and enforced using XACML’s framework.

• XACML plays a critical role in implementing attribute-based access control (ABAC).
• It provides a standardized policy language, architecture, and processing model, enabling complex access rules based on attributes such as user roles, device types, and environmental conditions.
• XACML ensures that ABAC can be implemented in a scalable and consistent way across different systems, making it particularly useful in cloud and dynamic environments.


Risk-Based Access Control
• Definition of Risk-Based Access Control (RBAC)
• Factors Considered in Risk-Based Access Control
• Operation of Risk-Based Access Control
• Advantages of Risk-Based Access Control

Definition of Risk-Based Access Control:
• Risk-Based Access Control (RBAC) is a method that assesses the risk level associated with a user’s request for access. It evaluates various factors related to the connection request and then decides whether additional authentication measures are required before access is granted.
• Example: If a user tries to access a corporate system from an unfamiliar IP address or at an unusual time (e.g., late at night), the system may flag this as risky and require the user to complete additional authentication such as entering a one-time password or responding to a challenge question.

Factors Considered in Risk-Based Access Control:
• IP Address: The geographical location or origin of the connection request.
• Time of Access Request: The time of day or the day of the week that the access request is made, compared to the user’s normal activity.
• Device Type: Whether the device used for access is recognized or previously trusted.
• User Behavior: Behavioral patterns such as typing speed, typical access patterns, etc.
• Location: Physical location of the user, determined by GPS or network information.
• Example: A user working from home on a known device during regular hours would face less scrutiny than a user logging in from a foreign country on a new device.

Operation of Risk-Based Access Control:
• Risk Profiling: When a user requests access, the system generates a risk profile based on the elements mentioned above.
• Dynamic Authentication: Based on the risk profile, the system may request further authentication challenges for higher-risk requests (such as MFA or challenge questions), or it may grant access with minimal friction for low-risk requests.
• Real-Time Decision Making: The system makes dynamic, real-time decisions about access control, enhancing both security and user convenience.

Advantages of Risk-Based Access Control:
• Enhanced Security: RBAC allows for more granular control, increasing security by adapting authentication requirements based on perceived risk.
• Improved User Experience: Low-risk users do not need to go through extra layers of authentication, making the system more user-friendly while maintaining security.
• Example: A sales executive logging into the CRM from their office may experience smooth access, while the same user attempting access from a different country might be required to go through additional verification steps.

• Risk-Based Access Control enhances security by evaluating risk factors such as IP address, time, location, and device type, creating a risk profile for each access request.
• Based on the risk level, further authentication may be required before granting access.
• This method improves security while maintaining a user-friendly experience, dynamically adjusting authentication challenges based on real-time risk assessments.
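Worked example (added here; it is not from the notes): a risk-profiling step followed by a dynamic authentication decision, in Python. Each factor the notes list (device, location, network, time, behavior) contributes a weight to a score, and the score selects one of three outcomes: allow, step up to MFA, or deny. The weights, the two thresholds, the sales executive's baseline and the three sample requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Baseline:
    """What the system has previously observed for one user (constructed)."""
    known_devices: set
    usual_countries: set
    usual_hours: range      # hours of the day the user normally works
    home_networks: set      # named networks the user usually connects from


@dataclass
class Request:
    user: str
    device_id: str
    country: str
    network: str
    when: datetime
    typing_match: float     # 0..1 similarity to the stored typing profile


# Constructed weights: how much each fired factor adds to the risk score.
WEIGHTS = {
    "unknown_device": 40,
    "new_country": 35,
    "unknown_network": 15,
    "off_hours": 15,
    "behaviour_mismatch": 25,
}
STEP_UP_AT = 30   # score >= this: require an extra authentication factor
DENY_AT = 80      # score >= this: refuse the request outright


def risk_factors(req, base):
    """Risk profiling: return the factors that fired for this request."""
    fired = []
    if req.device_id not in base.known_devices:
        fired.append("unknown_device")
    if req.country not in base.usual_countries:
        fired.append("new_country")
    if req.network not in base.home_networks:
        fired.append("unknown_network")
    if req.when.hour not in base.usual_hours:
        fired.append("off_hours")
    if req.typing_match < 0.5:
        fired.append("behaviour_mismatch")
    return fired


def decide(req, base):
    """Dynamic authentication: map the profile to allow / step_up_mfa / deny."""
    fired = risk_factors(req, base)
    score = sum(WEIGHTS[f] for f in fired)
    if score >= DENY_AT:
        action = "deny"
    elif score >= STEP_UP_AT:
        action = "step_up_mfa"
    else:
        action = "allow"
    return {"score": score, "factors": fired, "action": action}


SALES_EXEC = Baseline(
    known_devices={"laptop-0042"},
    usual_countries={"IN"},
    usual_hours=range(8, 20),
    home_networks={"office-lan", "home-wifi"},
)


def demo():
    """The notes' scenario: same user from the office, from abroad, and a
    night-time request from an unknown device in an unusual country."""
    office = Request("exec1", "laptop-0042", "IN", "office-lan",
                     datetime(2024, 3, 4, 10, 0), 0.9)
    abroad = Request("exec1", "laptop-0042", "DE", "hotel-wifi",
                     datetime(2024, 3, 4, 10, 0), 0.9)
    night = Request("exec1", "tablet-9", "US", "cafe-wifi",
                    datetime(2024, 3, 4, 2, 0), 0.2)
    return decide(office, SALES_EXEC), decide(abroad, SALES_EXEC), decide(night, SALES_EXEC)
```

Returning the fired factors alongside the action matters for operations: the help desk can explain to the user why MFA was demanded, and a SOC can tune weights by looking at which factors dominate the deny decisions.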


Mandatory Access Control (MAC)
• Definition of Mandatory Access Control (MAC)
• Clearance Levels and Classifications
• Operation of Mandatory Access Control
• Use Cases for MAC

Definition of Mandatory Access Control (MAC):
• Mandatory Access Control (MAC) is a highly structured and rigid access control model used to ensure the highest level of security, especially where confidentiality is paramount.
• Unlike discretionary models, users cannot modify or grant access to resources they own. Instead, access is dictated by system-enforced policies based on strict rules.

Clearance Levels and Classifications:
• Clearance Level: Each user or subject is assigned a security clearance, representing the level of trust or access they are granted within the organization.
• Classification: Every asset (file, document, database) is assigned a classification based on its sensitivity, such as Top Secret, Confidential, or Unclassified.
• Example: A user with a "Secret" clearance cannot access assets classified as "Top Secret," even if they are a high-ranking member of the organization.

Operation of Mandatory Access Control:
• Access Decision: MAC systems automatically enforce access control decisions based on the relationship between a user's clearance and the asset's classification.
• If the user's clearance level matches or exceeds the classification of the asset, access may be granted; otherwise, it will be denied.
• Example: A user with a "Confidential" clearance cannot access "Secret" documents, regardless of their need to perform a job function, because the system enforces access rules automatically.

Use Cases for MAC:
• Government Agencies: MAC is most often found in government organizations and defense sectors where confidentiality and control over classified information are of critical importance.
• Strict Control Environments: It is useful in environments where absolute control over access to information is required, such as in military operations or intelligence agencies.
• Example: The Department of Defense might use MAC to control access to highly classified military intelligence, ensuring only authorized personnel with the right clearance can view or edit sensitive information.

• Mandatory Access Control (MAC) is a stringent access control model where users have no discretionary power over the access to resources.
• Access is determined solely based on a user’s security clearance and the asset’s classification level.
• MAC is commonly used in government and military settings where confidentiality is the highest priority, ensuring only those with appropriate clearance can access sensitive information.


Defining Characteristics of Mandatory Access Control (MAC)
• Characteristics of Mandatory Access Control (MAC)
• Classification of Objects
• Clearance Levels of Users
• Decision-Making by the System
• Why MAC is Rarely Used in Private Organizations
• Use Cases for MAC in Government

Characteristics of Mandatory Access Control (MAC):
• MAC is a system-enforced access control model where access decisions are not at the discretion of individual users.
• The system determines access based on predefined policies that relate to the classification of objects and the clearance of subjects.
• This model is designed to protect confidentiality and enforce strict control over sensitive information.

Classification of Objects:
• Every object (file, database, document, etc.) in a MAC environment is assigned a classification label that defines its sensitivity.
• Examples of classifications: Public, Confidential, Secret, Top Secret.
• The classification of objects dictates who can access them, based on the clearance level of the users requesting access.

Clearance Levels of Users:
• Every user is assigned a security clearance level, which is aligned with the classification system.
• Example: A user with “Confidential” clearance can only access assets labeled at or below the “Confidential” level.

Decision-Making by the System:
• The system automatically enforces access decisions, ensuring that only users with the appropriate clearance can access classified information.
• Example: If a user with “Public” clearance attempts to access an object classified as “Secret,” the system denies access.

Why MAC is Rarely Used in Private Organizations:
• MAC is administratively complex and difficult to implement in organizations where employees do not have clearly defined clearance levels and assets are not routinely classified.
• In most private sector organizations, access control is more flexible, and less rigid models like DAC or RBAC are preferred.

Use Cases for MAC in Government:
• MAC is typically used in government settings, particularly in military or intelligence operations, where protecting the confidentiality of information is critical.
• Example: A military organization might use MAC to ensure that only individuals with “Top Secret” clearance can access highly classified intelligence.

• Mandatory Access Control (MAC) is a system-enforced access model that focuses on protecting confidentiality.
• Access decisions are based on the classification of objects and the clearance level of users.
• MAC is rare in the private sector due to its complexity and is typically used in government and military environments where the protection of sensitive information is paramount.
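Worked example (added here; it is not from the notes) covering both MAC pages above: a Python model of the clearance-versus-classification decision. Labels are set by the system, the read check is the dominance comparison the notes describe ("matches or exceeds"), an unlabelled subject or object is denied rather than defaulting to access, and there is no grant method at all, because in MAC the owner has no discretion. The level order follows the notes' list (Public, Confidential, Secret, Top Secret); treating "Unclassified" as the same rank as Public, and the sample subjects and objects, are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels from the notes. Higher value dominates lower."""
    PUBLIC = 0          # "Unclassified" is mapped onto this rank (assumption)
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def parse_level(label):
    """Turn a textual label such as 'Top Secret' into a Level."""
    key = label.strip().upper().replace(" ", "_")
    if key == "UNCLASSIFIED":
        key = "PUBLIC"
    return Level[key]


class MacSystem:
    """Labels are assigned by the system, never by users or object owners.
    The read decision is a single comparison of the two labels."""

    def __init__(self):
        self.clearances = {}        # subject -> Level
        self.classifications = {}   # object  -> Level

    def label_subject(self, subject, clearance):
        self.clearances[subject] = parse_level(clearance)

    def label_object(self, obj, classification):
        self.classifications[obj] = parse_level(classification)

    def decide(self, subject, obj):
        """Return (allowed, reason). Missing labels deny: an unlabelled
        object must never be readable by default."""
        if subject not in self.clearances:
            return False, f"{subject} has no clearance label"
        if obj not in self.classifications:
            return False, f"{obj} has no classification label"
        clr, cls = self.clearances[subject], self.classifications[obj]
        if clr >= cls:
            return True, f"{clr.name} clearance dominates {cls.name} object"
        # Seniority or need-to-know cannot override the comparison.
        return False, f"{clr.name} clearance does not dominate {cls.name} object"

    def readable_by(self, subject):
        """All labelled objects the subject's clearance dominates."""
        return sorted(o for o in self.classifications if self.decide(subject, o)[0])


def demo():
    """Constructed subjects and objects mirroring the notes' examples."""
    mac = MacSystem()
    mac.label_subject("analyst", "Confidential")
    mac.label_subject("officer", "Secret")
    mac.label_object("press-release", "Unclassified")
    mac.label_object("staff-list", "Confidential")
    mac.label_object("ops-plan", "Secret")
    mac.label_object("sigint-brief", "Top Secret")
    return {
        "analyst_ops_plan": mac.decide("analyst", "ops-plan")[0],   # Confidential < Secret
        "officer_ops_plan": mac.decide("officer", "ops-plan")[0],   # Secret == Secret
        "officer_sigint": mac.decide("officer", "sigint-brief")[0], # Secret < Top Secret
        "officer_readable": mac.readable_by("officer"),
        "unlabelled": mac.decide("officer", "unknown-file"),
    }
```

The reason string returned with every decision is what an auditor wants in the access log: it records which two labels were compared, so a denied access can be reviewed without re-running the policy.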


Non-discretionary Access Control
• Definition of Non-discretionary Access Control
• Differences from Discretionary Access Control (DAC)
• Why Non-discretionary Access Control Should Be Avoided
• Examples of Non-discretionary Access Control in Practice

Definition of Non-discretionary Access Control:
• In Non-discretionary Access Control, someone other than the asset owner determines who gets access to the resource.
• This form of access control contrasts with DAC, where the asset owner has control over access.

Differences from Discretionary Access Control (DAC):
• In DAC, the owner of the asset decides who can access or modify the resource. However, in Non-discretionary Access Control, another party, often from IT or a similar department, grants access on behalf of the owner.
• The key difference is that Non-discretionary Access Control takes the decision-making power away from the owner and places it in the hands of someone else, like a system administrator.

Why Non-discretionary Access Control Should Be Avoided:
• Non-discretionary Access Control is not considered a security best practice, because it removes the accountability of access control from the asset owner.
• It can lead to unnecessary access being granted, as decisions about who should access an asset may be made without full knowledge of the asset's importance or sensitivity.

Examples of Non-discretionary Access Control in Practice:
• IT Department-Assigned Access: In many organizations, when new employees are hired, IT departments create accounts and assign access to various systems, often without direct input from the asset owners. This can lead to over-permissioning, where users have access to more resources than needed.
• Delegated Responsibility: In some cases, the asset owner may delegate access control responsibility to IT staff but may not follow up on who should or shouldn't have access, leaving IT to make these decisions without context.
• No Clear Owner Identified: In systems where no clear owner of the asset exists, IT or administrative departments may handle access control by default, leading to Non-discretionary Access Control practices.

• Non-discretionary Access Control involves access decisions being made by someone other than the asset owner, typically an IT or administrative department.
• While it exists in many organizations, it’s not considered a security best practice, as it can lead to over-permissioning and lack of accountability.
• The asset owner should always retain control over access decisions to ensure security and proper resource management.
Access Policy Enforcement
• Definition of Policy Enforcement Point (PEP)
• Definition of Policy Decision Point (PDP)
• How PEP and PDP Work Together
• Importance of Access Policy Enforcement in Applications

Definition of Policy Enforcement Point (PEP):
• A Policy Enforcement Point (PEP) is a component of an application that acts as a gatekeeper.
• It receives authorization requests for access to protected systems or data.
• The PEP sends these requests to the Policy Decision Point (PDP) for evaluation.
• After receiving the decision from the PDP, the PEP enforces the decision, either granting or denying access.
• PEPs are strategically placed throughout an application’s access points to ensure controlled access.

Definition of Policy Decision Point (PDP):
• A Policy Decision Point (PDP) is responsible for making decisions on authorization requests received from the PEP.
• It evaluates requests based on pre-defined rules (e.g., access control policies, user roles).
• PDPs are typically centralized within the system, ensuring consistent application of rules across the entire application.

How PEP and PDP Work Together:
• The PEP and PDP work in tandem to enforce access control policies within an application.
    • PEP acts as the gatekeeper, controlling which requests for access are sent for evaluation.
    • PDP makes the final decision regarding access based on established rules and policies.
    • Once the PDP makes a decision, the PEP enforces it by allowing or denying access to the resource.

Importance of Access Policy Enforcement in Applications:
• Access Policy Enforcement is critical for ensuring that users only have access to the resources they are authorized to use.
• By having a PEP and PDP structure, organizations can ensure centralized and consistent decision-making.
• This approach minimizes risks associated with unauthorized access and ensures that the system is compliant with security policies and regulations.

• Access policy enforcement involves two critical components: the Policy Enforcement Point (PEP), which acts as the gatekeeper for access requests, and the Policy Decision Point (PDP), which evaluates and makes decisions on those requests based on pre-defined rules.
• Together, they ensure that only authorized users are granted access to resources, enhancing security and compliance in applications.
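Worked example (added here; it is not from the notes and is not XACML itself) serving both the XACML section and the PEP/PDP section above: a centralized PDP that evaluates attribute-based policies, and a PEP that wraps a protected operation, forwards each request, logs the verdict and enforces it without deciding anything itself. The policies encode the notes' ABAC example (finance department, company device, corporate network, business hours) as Python predicates; in a real deployment they would be written in XACML's policy language. The deny-overrides combining, the `NotApplicable` handling, and all attribute names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """The attribute bundle a PEP forwards: subject, resource, action, environment."""
    subject: dict
    resource: dict
    action: str
    environment: dict


# Each policy has a target (when it applies) and a rule (permit when True).
POLICIES = [
    {
        "id": "financial-records",
        "target": lambda r: r.resource.get("category") == "financial",
        "rule": lambda r: (
            r.action == "read"
            and r.subject.get("department") == "finance"
            and r.subject.get("device_owner") == "company"
            and r.environment.get("network") == "corporate"
            and 9 <= r.environment.get("hour", -1) < 18
        ),
    },
    {
        "id": "public-documents",
        "target": lambda r: r.resource.get("category") == "public",
        "rule": lambda r: r.action == "read",
    },
]


class PolicyDecisionPoint:
    """Centralized evaluator: one place holds the rules for the whole application."""

    def __init__(self, policies):
        self.policies = policies

    def evaluate(self, req):
        applicable = [p for p in self.policies if p["target"](req)]
        if not applicable:
            return "NotApplicable"
        verdicts = {"Permit" if p["rule"](req) else "Deny" for p in applicable}
        return "Deny" if "Deny" in verdicts else "Permit"   # deny-overrides combining


class PolicyEnforcementPoint:
    """Gatekeeper around a protected operation. It asks the PDP, logs the
    verdict and enforces it; it never makes the decision itself."""

    def __init__(self, pdp, protected):
        self.pdp = pdp
        self.protected = protected
        self.log = []

    def __call__(self, req):
        verdict = self.pdp.evaluate(req)
        self.log.append((req.subject.get("id"), req.action, req.resource.get("id"), verdict))
        if verdict != "Permit":          # Deny and NotApplicable both block access
            raise PermissionError(verdict)
        return self.protected(req)


def fetch_record(req):
    """Stand-in for the protected data access behind the PEP."""
    return f"contents of {req.resource['id']}"


def demo():
    """Constructed requests: one compliant, three that miss an attribute,
    and one that no policy covers."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICIES), fetch_record)
    ledger = {"id": "q3-ledger", "category": "financial"}
    ana = {"id": "ana", "department": "finance", "device_owner": "company"}
    cases = {
        "in_office": Request(ana, ledger, "read", {"network": "corporate", "hour": 10}),
        "personal_device": Request({**ana, "device_owner": "personal"}, ledger, "read",
                                   {"network": "corporate", "hour": 10}),
        "after_hours": Request(ana, ledger, "read", {"network": "corporate", "hour": 22}),
        "write_public": Request(ana, {"id": "faq", "category": "public"}, "write", {}),
        "uncovered": Request(ana, {"id": "x", "category": "hr"}, "read", {}),
    }
    outcomes = {}
    for name, req in cases.items():
        try:
            outcomes[name] = pep(req)
        except PermissionError as blocked:
            outcomes[name] = str(blocked)
    return outcomes, pep.log
```

Two design points follow the notes directly: the PDP is the only object that knows the policies, so every PEP in the application gets the same answer for the same attributes, and the PEP treats `NotApplicable` as a block, so a resource that nobody wrote a policy for is closed rather than open by default.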
Vendor Access
• Importance of Vendor Identity and Access Provisioning
• Third-Party Vendor Relationships and Associated Risks
• Security Review for Vendor Access
• Comparison to Employee Access Provisioning

Importance of Vendor Identity and Access Provisioning:
• Vendor identity and access provisioning must be handled with equal or greater care than employee provisioning.
• Vendors often have access to critical systems and data, such as IT services, finance, marketing, or supply chain systems.

Third-Party Vendor Relationships and Associated Risks:
• Third-party vendor relationships can introduce significant risks to an organization, including potential breaches or unauthorized access.
• As vendors may have access to sensitive information, strict access control measures must be applied to ensure proper security.

Security Review for Vendor Access:
• Vendor access provisioning should include a security review process, which might entail:
    • A deeper review of the vendor's own security practices.
    • An onsite inspection of the vendor’s facilities, systems, and procedures.
    • Assessment of the vendor's relationships with other entities to ensure no additional security risks are introduced.

Comparison to Employee Access Provisioning:
• Vendor access provisioning often requires more thorough scrutiny than employee provisioning, as the scope of access and potential impact on the organization can be far greater.
• Vendor provisioning must also include regular reviews and timely revocation when access is no longer required.

• Vendor identity and access provisioning should be managed with greater care than employee access, given the potential risks posed by third-party relationships.
• It involves stringent processes, including security reviews and onsite inspections to ensure that vendors maintain secure practices and that their access is properly controlled and monitored.


Identity Life Cycle
• Identity Life Cycle Overview
• Provisioning
• Review (User Access Review)
• Revocation

Identity Life Cycle Overview:
• The identity life cycle consists of three main parts:
    • Provisioning
    • Review
    • Revocation
• Managing the identity life cycle is crucial for ensuring security and access control within an organization.

Provisioning:
• Provisioning refers to the process of assigning access when a new employee is hired or when an employee changes roles.
    • New hires are provisioned with access to necessary systems and resources required for their role.
    • When an employee changes roles, their access should be updated or modified to match the new role's requirements.
    • Proper role-based access control (RBAC) often guides provisioning to ensure least privilege is applied.

Review (User Access Review):
• User access review involves periodically checking that users have the appropriate access based on their current roles.
    • High-privilege accounts should be reviewed more frequently due to the potential risks they pose.
    • Regular reviews help ensure access is not abused, unnecessary permissions are removed, and that users maintain the right level of access.

Revocation:
• Revocation occurs when access is removed from a user, typically in the case of termination (either voluntary or involuntary).
    • It is important that revocation happens immediately upon termination to prevent any unauthorized access to systems or data.
    • Revocation can also occur when an employee changes roles and no longer requires access to specific systems.

• The Identity Life Cycle involves provisioning, review, and revocation of user access. Provisioning ensures new employees or those changing roles have the access they need.
• Regular user access reviews ensure that permissions remain appropriate, particularly for high-privilege accounts.
• Finally, revocation guarantees timely removal of access when no longer needed, such as in cases of termination or role changes, minimizing security risks.
Identity Life Cycle
• Definition of Identity Life Cycle
• Stages of the Identity Life Cycle
• Importance of Review Process
• Revocation Process

Definition of Identity Life Cycle:
• The Identity Life Cycle refers to the process of managing user access from the beginning to the end of their involvement with an organization.
• It consists of three main stages: Provisioning, Review, and Revocation.

Stages of the Identity Life Cycle:
1. Provisioning:
    1. Creation of user access when a new employee is hired or when an existing employee changes roles.
    2. Activities during provisioning include background checks, identity proofing, and ensuring the user has the skills and clearance to access the system.
    3. Ensures users have access only to the necessary systems and resources according to their roles, applying the principle of least privilege.
2. Review:
    • A periodic check of the user’s access to ensure they have appropriate permissions based on their role.
    • Asset or system owners should review the user's access and determine if it is still necessary or needs modification.
    • The timing of access reviews is driven by the value of the assets or systems involved. For example, high-risk accounts (e.g., admin or root) should be reviewed more frequently than standard user accounts.

Importance of Review Process:
• High-value systems or accounts, such as administrator or root accounts, pose greater risks and therefore require more frequent reviews to ensure access is still necessary.
• Infrequent reviews for lower-value systems may be appropriate but can lead to unauthorized access if users retain permissions they no longer need.

Revocation Process:
3. Revocation (Deprovisioning):
    • Revocation is the removal of access, typically during termination (either voluntary or involuntary) or when an employee changes roles.
    • It is critical to revoke access promptly upon termination to ensure unauthorized access does not occur.
    • In some cases, when an employee changes roles, it may be necessary to revoke previous access and re-provision access to prevent over-privileged access.

• The Identity Life Cycle consists of Provisioning, Review, and Revocation of user access. Provisioning assigns access when employees are hired or change roles.
• Periodic reviews ensure that access remains appropriate, especially for high-risk accounts.
• Finally, revocation promptly removes access upon termination or role changes, reducing the risk of over-privileged users and preventing security breaches.
Access Reviews and Privilege Escalation
• Timing of Access Reviews
• Considerations for Role Changes
• Privileged Accounts and Administrative Roles
• Privilege Escalation (e.g., use of sudo)

Timing of Access Reviews:
• Annual reviews: User access should be reviewed at least annually.
• More frequent reviews: Some accounts, such as admin or superuser roles, should be reviewed more frequently, potentially as often as weekly, due to the high-risk nature of these accounts.

Role Changes:
• When a user changes roles, their access should be reviewed immediately.
    • New access should be granted as needed.
    • Old access that is no longer relevant should be removed.
• Reviews must always be approved by the owner to ensure access is appropriate.

Terminations:
• In the case of voluntary or involuntary termination, the user’s access should be reviewed, and all access should typically be removed to prevent unauthorized access.

High-Risk Accounts:
• Admin and superuser accounts: Because these accounts have broader and more powerful access, their access should be reviewed more frequently, with some reviews potentially taking place weekly or monthly.

Privilege Escalation:
• Best Practice: Administrators should have two accounts:
    • A standard user account for regular tasks (e.g., checking emails, browsing).
    • A privileged account for administrative tasks that require higher levels of access.
• Privilege Escalation Tools:
    • On Unix/Linux systems, administrators should use commands like sudo ("superuser do") to execute tasks requiring elevated privileges only when necessary.
    • On Windows systems, the RunAs command serves a similar purpose, allowing the administrator to run programs as a different user with higher privileges.
• This separation of duties helps reduce the risk of privileged accounts being compromised during routine activities like checking emails or browsing the web, which are often vulnerable points for attacks.

• Access reviews should be conducted at least annually, but high-risk accounts like admin accounts may need more frequent reviews (weekly or monthly).
• When a user changes roles or leaves the company, their access should be reviewed immediately to ensure appropriate privileges.
• Privilege escalation strategies, such as using sudo or RunAs, minimize the risk of compromising privileged accounts during routine tasks.
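Worked example (added here; it is not from the notes) covering the two Identity Life Cycle pages and the Access Reviews page above: a Python identity store in which provisioning grants exactly a role's entitlements with the owner's approval recorded, a role change revokes the old role's access before re-provisioning, termination revokes everything, and the review scheduler uses an annual cadence for standard accounts and a weekly one for privileged accounts. The roles, their entitlements, the two cadences and the sample timeline are constructed assumptions.

```python
from datetime import date, timedelta

# Role -> entitlements (constructed; least privilege: only what the role needs).
ROLES = {
    "helpdesk": {"ticketing:read", "ticketing:update"},
    "finance_analyst": {"reports:read"},
    "db_admin": {"db:read", "db:configure"},
}
PRIVILEGED_ROLES = {"db_admin"}

# Review cadence: annual by default, weekly for privileged accounts
# (the notes: "at least annually" and "as often as weekly").
REVIEW_EVERY = {"standard": timedelta(days=365), "privileged": timedelta(days=7)}


class IdentityStore:
    def __init__(self):
        self.users = {}    # user -> {"role", "entitlements", "last_review", "active"}
        self.audit = []    # (date, user, event, detail, approved_by)

    def provision(self, user, role, today, approved_by):
        """Hire: grant exactly the role's entitlements, with owner approval recorded."""
        self.users[user] = {"role": role, "entitlements": set(ROLES[role]),
                            "last_review": today, "active": True}
        self.audit.append((today, user, "provision", role, approved_by))

    def change_role(self, user, new_role, today, approved_by):
        """Role change: remove everything the new role does not need, then re-provision.
        Returns (removed, added) so the owner can see the delta they are approving."""
        rec = self.users[user]
        removed = rec["entitlements"] - ROLES[new_role]
        added = ROLES[new_role] - rec["entitlements"]
        rec["entitlements"] = set(ROLES[new_role])
        rec["role"] = new_role
        rec["last_review"] = today        # a role change is itself an immediate review
        self.audit.append((today, user, "change_role", new_role, approved_by))
        return removed, added

    def terminate(self, user, today):
        """Termination: revoke all access at once and deactivate the account."""
        rec = self.users[user]
        rec["entitlements"] = set()
        rec["active"] = False
        self.audit.append((today, user, "revoke_all", "", "hr"))

    def review_due(self, today):
        """Active accounts whose last review is older than their cadence."""
        due = []
        for user, rec in self.users.items():
            if not rec["active"]:
                continue
            tier = "privileged" if rec["role"] in PRIVILEGED_ROLES else "standard"
            if today - rec["last_review"] >= REVIEW_EVERY[tier]:
                due.append(user)
        return sorted(due)

    def mark_reviewed(self, user, today, approved_by):
        self.users[user]["last_review"] = today
        self.audit.append((today, user, "review", self.users[user]["role"], approved_by))

    def entitlements(self, user):
        return set(self.users[user]["entitlements"])


def demo():
    """Constructed timeline: hire two users, review, role change, termination."""
    store = IdentityStore()
    store.provision("alice", "helpdesk", date(2024, 1, 2), "helpdesk-owner")
    store.provision("bob", "db_admin", date(2024, 1, 2), "db-owner")
    first_due = store.review_due(date(2024, 1, 10))      # bob: 8 days >= weekly cadence
    store.mark_reviewed("bob", date(2024, 1, 10), "db-owner")
    removed, added = store.change_role("alice", "finance_analyst",
                                       date(2024, 2, 1), "finance-owner")
    store.terminate("bob", date(2024, 3, 1))
    later_due = store.review_due(date(2025, 2, 3))       # alice: over a year; bob inactive
    return {
        "first_due": first_due,
        "removed_on_role_change": sorted(removed),
        "added_on_role_change": sorted(added),
        "alice_now": sorted(store.entitlements("alice")),
        "bob_after_termination": sorted(store.entitlements("bob")),
        "later_due": later_due,
    }
```

The `removed` set returned by `change_role` is the part most often skipped in practice: without it, users accumulate entitlements from every role they have ever held, which is exactly the over-privileged state the review process exists to catch.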
Service Account Management
• Definition of Service Accounts
• Importance of Managing Service Accounts
• Best Practices for Service Account Management

Definition of Service Accounts:
• Service accounts are accounts used by services, applications, or workloads
  rather than by humans. These accounts facilitate the operation of automated
  tasks within an IT infrastructure.
Importance of Managing Service Accounts:
• Even though service accounts are not used by humans, they require human
  oversight to ensure they are secure.
• Without proper management, these accounts can become targets for attacks like
  privilege escalation and spoofing.
• Misconfigured or over-privileged service accounts could be exploited by
  attackers to gain unauthorized access or cause other security breaches.
Best Practices for Service Account Management:
• Limit service accounts to single purposes: Service accounts should be set up
  to only perform a specific function. This reduces the risk of them being used
  for malicious purposes.
• Reduce privileges: Grant only the necessary permissions for service accounts
  to function. This concept is aligned with the principle of least privilege.
  • For example, if a service account only needs read access to a database, it
    should not be granted write or delete permissions.
  • Deny interactive logon for service accounts; a workload never needs to log
    on at a console or over RDP, so such a logon is a strong sign of misuse.
• Monitor and audit service accounts regularly: Continuous monitoring and
  auditing of service accounts help detect suspicious behavior early on.
  • Ensure logging is enabled for service accounts, capturing events like
    access attempts and modifications.

• Service accounts are not used by humans but require oversight to ensure security.
Best practices include limiting each account to a single purpose, reducing privileges to
the minimum necessary, and regularly monitoring these accounts to prevent security
risks like privilege escalation.
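To make the two controls above concrete (least privilege on the account, and monitoring of its logons), here is an added example that is not part of the original notes. It keeps a constructed inventory of hypothetical service accounts (what each is for, which hosts it may run on, what it was granted versus what it really needs) and runs two checks over it: the privilege gap per account, and a detection pass over constructed logon records shaped like the main fields of Windows event 4624/4625. Account names, hosts and permission strings are assumptions for illustration.

```python
# Constructed inventory of service accounts: purpose, hosts they may run on, permissions
# actually granted and permissions the workload really needs (hypothetical names).
INVENTORY = {
    "svc_backup": {
        "purpose": "nightly database backup",
        "allowed_hosts": {"db01"},
        "granted": {"db:read", "db:write", "db:delete"},
        "required": {"db:read"},
    },
    "svc_webapp": {
        "purpose": "web front end",
        "allowed_hosts": {"web01", "web02"},
        "granted": {"db:read", "db:write"},
        "required": {"db:read", "db:write"},
    },
}

# Constructed logon records in the shape of Windows event 4624 (success) / 4625 (failure) fields.
# Logon type 5 = service, 2 = interactive, 10 = RDP, 11 = cached interactive.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "svc_backup", "host": "db01",     "logon_type": 5},
    {"event_id": 4624, "account": "svc_backup", "host": "ws-alice", "logon_type": 10},
    {"event_id": 4624, "account": "svc_webapp", "host": "web01",    "logon_type": 5},
    {"event_id": 4624, "account": "svc_webapp", "host": "web03",    "logon_type": 5},
    {"event_id": 4624, "account": "alice",      "host": "ws-alice", "logon_type": 2},
    {"event_id": 4625, "account": "svc_webapp", "host": "web01",    "logon_type": 5},
]

INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def excess_privileges(inventory):
    """Least-privilege gap: permissions granted to each account that its purpose does not need."""
    return {
        name: sorted(acct["granted"] - acct["required"])
        for name, acct in inventory.items()
        if acct["granted"] - acct["required"]
    }


def detect_anomalous_logons(events, inventory):
    """Alert on service accounts that fail to log on, log on interactively, or log on from an unexpected host."""
    alerts = []
    for ev in events:
        acct = inventory.get(ev["account"])
        if acct is None:
            continue                      # human accounts are covered by other rules
        if ev["event_id"] == 4625:
            alerts.append((ev["account"], ev["host"], "failed logon by service account"))
            continue
        if ev["event_id"] != 4624:
            continue
        if ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            alerts.append((ev["account"], ev["host"], "interactive logon by service account"))
        if ev["host"] not in acct["allowed_hosts"]:
            alerts.append((ev["account"], ev["host"], "logon from host outside allowed set"))
    return alerts


if __name__ == "__main__":
    print("excess privileges:", excess_privileges(INVENTORY))
    for alert in detect_anomalous_logons(SAMPLE_EVENTS, INVENTORY):
        print("ALERT", alert)
```

The privilege check reports that svc_backup holds db:write and db:delete it does not need; the logon check raises an RDP logon by svc_backup from a workstation, a logon by svc_webapp from a host it is not deployed on, and a failed logon for svc_webapp, which in practice usually means a stale password after rotation or someone trying the credential by hand.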



Authentication Systems
• Definition of Authentication Systems
• Popular Authentication Systems
• Overview of OAuth and OIDC

Definition of Authentication Systems:
• Authentication systems are tools used to verify an identity or a system
  assertion. They play a key role in protecting organizations by ensuring only
  authorized users or systems can access resources.
• Popular Authentication Systems:
1. OpenID Connect (OIDC):
  • Built on top of OAuth 2.0, OIDC is used to verify the identity of an end
    user and obtain basic profile information. The identity is delivered in a
    signed ID token (a JWT); the relying party must validate its signature,
    issuer, audience, expiry and nonce before trusting it.
  • OIDC focuses on user authentication, not just resource access.
  • Example: When you log in to a new website using your Google account, OIDC
    is verifying your identity via Google.
2. OAuth (Open Authorization):
  • OAuth 2.0 allows secure, delegated access to applications and resources
    without needing to share credentials.
  • It uses access tokens instead of passwords or other sensitive data to
    authorize access.
  • Example: When an application requests access to your Google Drive without
    asking for your Google credentials, OAuth is in play.
  • Caveat: OAuth 2.0 on its own is an authorization framework, not an
    authentication protocol. An access token proves that the client was granted
    access to a resource, not who the user is; that gap is what OIDC fills.
3. SAML (Security Assertion Markup Language):
  • SAML provides single sign-on (SSO) by facilitating authentication and
    authorization across different organizations, exchanging XML assertions
    between an identity provider and a service provider.
  • Used widely in federated identity management to allow users to access
    multiple services with one login.
4. Kerberos:
  • A ticket-based system used for single sign-on within an organization. It
    uses symmetric encryption to verify users' identities: a Key Distribution
    Center (KDC) issues a ticket-granting ticket (TGT) at logon and then service
    tickets for each resource.
  • Commonly used in Windows environments with Active Directory.
5. RADIUS (Remote Authentication Dial-In User Service):
  • Used for remote access authentication, RADIUS provides authentication,
    authorization, and accounting (AAA) services.
  • Example: When users connect to a VPN, RADIUS may be used to authenticate
    them.
6. TACACS+ (Terminal Access Controller Access Control System Plus):
  • A Cisco-proprietary protocol (later published as RFC 8907) used for network
    device authentication, providing granular control over access to devices.
    Unlike RADIUS, which protects only the password field, TACACS+ encrypts the
    entire packet body and handles authentication, authorization, and
    accounting as separate functions.
• Authentication systems help verify identities and ensure that only authorized users
gain access to resources.
• OAuth provides access delegation via tokens, while OIDC adds user authentication.
SAML and Kerberos are popular in single sign-on (SSO) environments, and RADIUS
and TACACS+ are commonly used for network authentication.
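The OIDC entry above says the relying party receives a signed ID token; the checks it must perform on that token are where most real-world OIDC mistakes happen. The following is an added example, not code from the original notes or from any identity provider. It mints an ID token with HS256 (a shared secret, chosen only so the example runs offline; real providers sign with RSA or EC keys published via JWKS) and then validates it the way a relying party should: pin the algorithm, verify the signature before reading any claim, then check iss, aud, exp and nonce. The issuer URL, client ID, subject and timestamps are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the provider: mint an HS256-signed JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Relying-party checks: pinned alg, signature, iss, aud, exp, nonce. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")     # verified before any claim is trusted
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("wrong audience")    # a token minted for another app must not log in here
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")    # binds the token to this login attempt (anti-replay)
    return claims


def demo():
    """Run the validator against a good token and four misused or tampered variants."""
    secret = b"constructed-demo-shared-secret"   # hypothetical; real IdPs use asymmetric keys
    claims = {"iss": "https://idp.example", "sub": "user-123", "aud": "my-app",
              "iat": 1_700_000_000, "exp": 1_700_000_600, "nonce": "n-1"}
    token = make_id_token(claims, secret)
    outcomes = {}
    outcomes["valid"] = validate_id_token(token, secret, "https://idp.example",
                                          "my-app", "n-1", now=1_700_000_100)["sub"]
    cases = {
        "expired": dict(now=1_700_000_700),
        "wrong_audience": dict(client_id="other-app", now=1_700_000_100),
        "replayed": dict(nonce="n-2", now=1_700_000_100),
    }
    for name, overrides in cases.items():
        kwargs = dict(secret=secret, issuer="https://idp.example", client_id="my-app", nonce="n-1")
        kwargs.update(overrides)
        try:
            validate_id_token(token, **kwargs)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    # Flip one character inside the payload: the signature no longer matches, so a forged
    # claim is rejected before it is ever parsed.
    h64, p64, s64 = token.split(".")
    tampered = ".".join([h64, p64[:10] + ("A" if p64[10] != "A" else "B") + p64[11:], s64])
    try:
        validate_id_token(tampered, secret, "https://idp.example", "my-app", "n-1", now=1_700_000_100)
        outcomes["tampered"] = "accepted"
    except ValueError as err:
        outcomes["tampered"] = str(err)
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

The order of checks is deliberate: the signature is verified first, so none of the claims in a forged token influence the outcome, and the audience check stops a token legitimately issued for one application from being replayed against another, which is the classic cross-client attack on sloppy OIDC relying parties.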
