(ISC)² CISSP® Official Study Guide, Eighth Edition



Date: 08.04.2023
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Hierarchical Environment
A hierarchical environment relates various classification labels in an ordered structure from low security to medium security to high security, such as Confidential, Secret, and Top Secret, respectively. Each level or classification label in the structure is related. Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels. For example, someone with a Top Secret clearance can access Top Secret data and Secret data.

Compartmentalized Environment
In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for its security domain.

Hybrid Environment
A hybrid environment combines both hierarchical and compartmentalized concepts so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain. A subject must have the correct clearance and the need to know data within a specific compartment to gain access to the compartmentalized object. A hybrid MAC environment provides granular control over access, but becomes increasingly difficult to manage as it grows. Figure 14.3 is an example of a hybrid environment.
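
The three environments above differ only in what the access check compares. The following Python code is an added example, not part of the study guide; the Label type, the function names, and the compartment names ALPHA and BRAVO are assumptions made for illustration. It evaluates the same subject against the same objects under each model.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered labels from the text: low -> high
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Clearance (on a subject) or classification (on an object)."""
    level: Level
    compartments: frozenset = frozenset()


def hierarchical(subject: Label, obj: Label) -> bool:
    # Clearance at one level covers that level and every lower one.
    return subject.level >= obj.level


def compartmentalized(subject: Label, obj: Label) -> bool:
    # Levels are ignored; the subject needs clearance for each of the
    # object's domains. Unlabeled objects are denied (assumption: fail closed).
    return bool(obj.compartments) and obj.compartments <= subject.compartments


def hybrid(subject: Label, obj: Label) -> bool:
    # Both conditions: sufficient level AND need to know for the compartment.
    return subject.level >= obj.level and obj.compartments <= subject.compartments


def decisions(subject: Label, obj: Label) -> dict:
    return {m.__name__: m(subject, obj)
            for m in (hierarchical, compartmentalized, hybrid)}


# Constructed sample labels (ALPHA and BRAVO are made-up compartment names).
ANALYST = Label(Level.SECRET, frozenset({"ALPHA"}))
OBJECTS = {
    "ts_alpha": Label(Level.TOP_SECRET, frozenset({"ALPHA"})),
    "s_bravo": Label(Level.SECRET, frozenset({"BRAVO"})),
    "c_alpha": Label(Level.CONFIDENTIAL, frozenset({"ALPHA"})),
}

if __name__ == "__main__":
    for name, obj in OBJECTS.items():
        print(name, decisions(ANALYST, obj))
```

Only the hybrid check refuses both the higher-level object and the same-level object in a different compartment.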

Understanding Access Control Attacks
As mentioned in Chapter 13, one of the goals of access control is to prevent unauthorized access to objects. This includes access into any information system, including networks, services, communications links, and computers, and unauthorized access to data. In addition to controlling access, IT security methods seek to prevent unauthorized disclosure and unauthorized alteration, and to provide consistent availability of resources. In other words, IT security methods attempt to prevent loss of confidentiality, loss of integrity, and loss of availability.

Security professionals need to be aware of common attack methods so that they can take proactive steps to prevent them, recognize them when they occur, and respond appropriately. The following sections provide a quick review of risk elements and cover some common access control attacks.

Chapter 14: Controlling and Monitoring Access

While this section focuses on access control attacks, it’s important to realize that there are many other types of attacks, which are covered in other chapters. For example, Chapter 6, “Cryptography and Symmetric Key Algorithms,” covers various cryptanalytic attacks.

Crackers, Hackers, and Attackers
Crackers are malicious individuals who are intent on waging an attack against a person or system. They attempt to crack the security of a system to exploit it, and they are typically motivated by greed, power, or recognition. Their actions can result in loss of property (such as data and intellectual property), disabled systems, compromised security, negative public opinion, loss of market share, reduced profitability, and lost productivity. In many situations, crackers are simply criminals.

In the 1970s and 1980s, hackers were defined as technology enthusiasts with no malicious intent. However, the media now uses the term hacker in place of cracker. Its use is so widespread that the definition has changed.

To avoid confusion within this book, we typically use the term attacker for malicious intruders. An attack is any attempt to exploit the vulnerability of a system and compromise confidentiality, integrity, and/or availability.
