So, like I said, here are the main points from the first chapter.
Types of Access Control
Implementations Areas of Access Controls
Too Sensitive = Type 1 Error
The ratio of Type 1 errors to valid authentications is the False Rejection Rate (FRR)
Not Sensitive Enough = Type 2 Error
When someone who shouldn't have been authenticated was, that's a Type 2 error; this ratio is the False Acceptance Rate (FAR)
When the FRR == FAR you get the Crossover Error Rate (CER)
Lower CER is better
Type 1 - Something you Know
Type 2 - Something you Have (includes somewhere you are)
Type 3 - Something you Are (includes something you do)
Type 1 is least secure, Type 3 is most secure.
To be effective, Multifactor Authentication needs to contain authentication factors from more than one type.
Access Control (AC) Techniques
- How subjects can interact with objects
Discretionary AC - user defines access
Non-Discretionary AC - rule based, like a firewall
Mandatory AC - think of gov't clearance levels
Role-Based AC - assigned by job duty
Task-Based AC - assigned by tasks you can perform
Know Centralized vs Decentralized
RADIUS = Remote Authentication Dial-In User Service
TACACS = Terminal Access Controller Access Control System
Single Sign-On - easy for users and administrators, but a single point of failure for security
Directory Services - LDAP, Active Directory; manages resources
Security Domain - a set of resources administered under a single security policy.