CISSP® Official Study Guide, Eighth Edition



Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Entitlement
Entitlement refers to the amount of privileges granted to users, typically when 
first provisioning an account. In other words, when administrators create user accounts, they 
ensure that the accounts are provisioned with the appropriate amount of resources, and this 
includes privileges. Proper user provisioning processes follow the principle of least privilege.
Aggregation
In the context of least privilege, aggregation refers to the amount of privileges that users collect over time. For example, if a user moves from one department to another while working for an organization, this user can end up with privileges from each department. To avoid access aggregation problems such as this, administrators should revoke privileges when users move to a different department and no longer need the previously assigned privileges.
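The following Python is an added example, not code from the study guide. It models the two ideas above: a provisioning routine that grants exactly the entitlements a role justifies and records why each was granted, a transfer routine that revokes whatever the old role alone justified, and an access-review function that flags entitlements no current role explains (the aggregation left behind by a careless department move). The role names, entitlement strings and user names are constructed sample data.

```python
# Added example: least-privilege provisioning and an access review that detects
# privilege aggregation. Roles, entitlements and users are constructed sample data.

ROLE_ENTITLEMENTS = {
    "sales": {"crm:read", "crm:write", "share:sales"},
    "finance": {"erp:read", "erp:post_journal", "share:finance"},
}


class User:
    def __init__(self, name):
        self.name = name
        self.roles = set()
        # entitlement -> roles that justify holding it (the provisioning record)
        self.grants = {}


def provision(user, role):
    """Entitlement: grant exactly what the role needs, and record why."""
    user.roles.add(role)
    for entitlement in ROLE_ENTITLEMENTS[role]:
        user.grants.setdefault(entitlement, set()).add(role)


def move_without_revocation(user, old_role, new_role):
    """The aggregation problem: the user changes department but keeps old grants."""
    user.roles.discard(old_role)
    provision(user, new_role)


def transfer(user, old_role, new_role):
    """Correct move: grant the new role, then drop what only the old role justified."""
    provision(user, new_role)
    user.roles.discard(old_role)
    for entitlement in list(user.grants):
        user.grants[entitlement].discard(old_role)
        if not user.grants[entitlement]:
            del user.grants[entitlement]


def aggregated(user):
    """Access review: entitlements held that no current role justifies."""
    needed = set()
    for role in user.roles:
        needed |= ROLE_ENTITLEMENTS[role]
    return set(user.grants) - needed


if __name__ == "__main__":
    alice = User("alice")
    provision(alice, "sales")
    move_without_revocation(alice, "sales", "finance")
    print(alice.name, "excess after careless move:", sorted(aggregated(alice)))

    bob = User("bob")
    provision(bob, "sales")
    transfer(bob, "sales", "finance")
    print(bob.name, "excess after proper transfer:", sorted(aggregated(bob)))
```

Recording the justifying role next to each grant is what makes the review cheap: an entitlement with no surviving justification is aggregation by definition, and a periodic run of `aggregated()` over all accounts catches moves that skipped revocation.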
Transitive Trust
A trust relationship between two security domains allows subjects in one domain (named primary) to access objects in the other domain (named training). Imagine the training domain has a child domain named training.cissp. A transitive trust extends the trust relationship to the child domain. In other words, users in the primary domain can access objects in the training domain and in the training.cissp child domain. If the trust relationship is nontransitive, users in the primary domain cannot access objects in the child domain. Within the context of least privilege, it's important to examine these trust relationships, especially when creating them between different organizations, because a transitive trust also reaches any child domains the other organization adds later. A nontransitive trust enforces the principle of least privilege and grants the trust to a single domain at a time.
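As an added example (not from the study guide, and a simplified model rather than a description of any particular directory product), the Python below walks a small trust graph and reports which domains a subject from the primary domain can reach. The parent-child link from training.cissp to training is assumed to be transitive; the external trust from training to primary is the one whose transitivity is varied. The partner.example domain is a hypothetical third organization added to show how far a transitive chain can carry access.

```python
# Added example: which domains a subject can reach through a chain of trusts,
# depending on whether those trusts are transitive. Simplified model.
from collections import deque


def build_trusts(external_transitive):
    """Trust edges as (trusting_domain, trusted_domain, transitive).

    ("training", "primary", ...) means training trusts primary, so subjects in
    primary can access objects in training. The parent-child link from
    training.cissp to training is assumed transitive; the external trust from
    training to primary is the one whose transitivity we vary.
    """
    return [
        ("training", "primary", external_transitive),
        ("training.cissp", "training", True),
    ]


def domains_reachable_from(subject_domain, trusts):
    """Domains whose objects a subject from subject_domain may access.

    Rule in this model: D trusts S if D holds a direct trust to S, or if D trusts
    some B (directly or derived) and B's trust in S is transitive, because a
    transitive trust is extended to the domains that in turn trust B.
    """
    reachable = set()
    queue = deque([subject_domain])
    expanded = {subject_domain}
    while queue:
        trusted = queue.popleft()
        for trusting, target, transitive in trusts:
            if target != trusted:
                continue
            reachable.add(trusting)
            # Only a transitive trust flows on to the domains that trust `trusting`.
            if transitive and trusting not in expanded:
                expanded.add(trusting)
                queue.append(trusting)
    reachable.discard(subject_domain)
    return reachable


if __name__ == "__main__":
    for flag in (True, False):
        reach = domains_reachable_from("primary", build_trusts(flag))
        print("external trust transitive =", flag, "->", sorted(reach))
    # Hypothetical third organization that trusts the child domain: with a
    # transitive chain, primary's users reach it although nobody decided that.
    chain = build_trusts(True) + [("partner.example", "training.cissp", True)]
    print("with partner:", sorted(domains_reachable_from("primary", chain)))
```

The review a practitioner wants before signing off on a cross-organization trust is exactly the output of `domains_reachable_from`: the full set of domains the trust exposes, not just the one named in the agreement.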
Separation of Duties and Responsibilities
Separation of duties and responsibilities ensures that no single person has total control over a critical function or system. This is necessary to ensure that no single person can compromise the system or its security. Instead, two or more people must conspire or collude against the organization, which increases the risk for these people.
A separation of duties policy creates a checks-and-balances system where two or more users verify each other's actions and must work in concert to accomplish necessary work tasks. This makes it more difficult for individuals to engage in malicious, fraudulent, or unauthorized activities and broadens the scope of detection and reporting. In contrast, individuals may be more tempted to perform unauthorized acts if they think they can get away with them. With two or more people involved, the risk of detection increases and acts as an effective deterrent.
Here’s a simple example. Movie theaters use separation of duties to prevent fraud. 
One person sells tickets. Another person collects the tickets and doesn’t allow entry to 
anyone who doesn’t have a ticket. If the same person collects the money and grants entry, 
this person can allow people in without a ticket or pocket the collected money without 
issuing a ticket. Of course, it is possible for the ticket seller and the ticket collector to get 
together and concoct a plan to steal from the movie theater. This is collusion because it 
is an agreement between two or more persons to perform some unauthorized activity. 
However, collusion takes more effort and increases the risk to each of them. Separation 
of duties policies help reduce fraud by requiring collusion between two or more people to 
perform the unauthorized activity.
Similarly, organizations often break down processes into multiple tasks or duties and 
assign these duties to different individuals to prevent fraud. For example, one person 
approves payment for a valid invoice, but someone else makes the payment. If one person 
controlled the entire process of approval and payment, it would be easy to approve bogus 
invoices and defraud the company.
Another way separation of duties is enforced is by dividing the security or administrative capabilities and functions among multiple trusted individuals. When the organization divides administration and security responsibilities among several users, no single person has sufficient access to circumvent or disable security mechanisms.
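The Python below is an added example, not code from the study guide, showing the two ways the section describes enforcing separation of duties in software: a static check of a user's roles against a matrix of duties that one identity must never hold together (the ticket seller and collector, the invoice approver and payer, the administrator and the log reviewer), and a dual-control workflow in which the identity that approved an invoice is refused when it tries to pay it. The duty names, roles, people and invoice are constructed sample data.

```python
# Added example: separation of duties as a static role check and as dual
# control on a workflow. Duties, roles, names and invoices are constructed.

# Pairs of duties that one person must not hold at the same time.
CONFLICTS = {
    frozenset({"approve_invoice", "pay_invoice"}),
    frozenset({"sell_ticket", "collect_ticket"}),
    frozenset({"change_security_config", "review_security_logs"}),
}

ROLE_DUTIES = {
    "ap_clerk": {"enter_invoice", "pay_invoice"},
    "ap_manager": {"approve_invoice"},
    "box_office": {"sell_ticket"},
    "usher": {"collect_ticket"},
    "sysadmin": {"change_security_config"},
    "auditor": {"review_security_logs"},
}


def duties_of(roles):
    """All duties a holder of these roles can perform."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES[role]
    return duties


def sod_violations(roles):
    """Static check: conflicting duty pairs this combination of roles would unite."""
    duties = duties_of(roles)
    return {pair for pair in CONFLICTS if pair <= duties}


class Invoice:
    def __init__(self, invoice_id, amount):
        self.invoice_id = invoice_id
        self.amount = amount
        self.approved_by = None
        self.paid_by = None


def approve(invoice, actor, roles):
    if "approve_invoice" not in duties_of(roles):
        raise PermissionError(f"{actor} may not approve invoices")
    invoice.approved_by = actor


def pay(invoice, actor, roles):
    if "pay_invoice" not in duties_of(roles):
        raise PermissionError(f"{actor} may not pay invoices")
    if invoice.approved_by is None:
        raise PermissionError(f"{invoice.invoice_id} has not been approved")
    if actor == invoice.approved_by:
        # Dual control: approving and paying the same invoice takes two people,
        # so a single actor cannot push a bogus invoice through alone.
        raise PermissionError(f"{actor} approved {invoice.invoice_id} and may not pay it")
    invoice.paid_by = actor


if __name__ == "__main__":
    print("clerk+manager conflicts:", sod_violations({"ap_clerk", "ap_manager"}))
    inv = Invoice("INV-1", 100)
    approve(inv, "carol", {"ap_manager"})
    try:
        pay(inv, "carol", {"ap_manager", "ap_clerk"})
    except PermissionError as err:
        print("refused:", err)
    pay(inv, "dave", {"ap_clerk"})
    print(inv.invoice_id, "approved by", inv.approved_by, "paid by", inv.paid_by)
```

The static check belongs in the provisioning path (refuse a role assignment that creates a conflict) and in periodic access reviews; the workflow check is the safety net for the case where someone has nonetheless ended up holding both duties, because it compares identities on the specific transaction rather than trusting the role model.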
