Access control provides users with a method of accessing system resources. It also places limits on how users access the resources, what user actions can be performed, and what resources users can access. Access controls limit general public access by requiring identification, verifying or authenticating the identified user, and then authorizing the user, thus providing them with predefined rights and privileges on the system.
The access control system must provide system administrators with the ability to limit and monitor users who have access to a system and to control or restrain the actions that they can perform. Access control systems define what level the user has on a system based on predefined conditions such as the user's authority level or membership in a group or by matching a security level with a specific category of the information being accessed. Various information access models are available to the security practitioner, and several may be used simultaneously within a business or IT system.
The SSCP access control domain requires knowledge of the techniques and mechanisms that allow security practitioners the ability to protect the organization's systems or resource assets.
An important first step of the identification and authentication process is the identification of the individual user. An access control system must be able to accept the user identification in a format it recognizes and be able to convey this information to a processing system where the identification is compared against a list of users authorized to access the resource.
In this chapter about the access control domain, you will learn about access control models that you can use to determine both the access to a resource and who determines the access permissions. You will also learn about the information control models that can be employed to limit what the user can do once they are allowed access to the information or resource.
The security practitioner must be completely proficient with the three types of controls (physical, logical, and administrative) and should be accomplished at employing each of them to provide a layered security and defense in depth environment.
A system administrator or security manager must have the ability to limit risk. Risk is inherent in every IT environment. A threat such as a hacker or intruder identifies and exploits a weakness, referred to as vulnerability. Vulnerabilities exist throughout applications, databases, and entire networks.
The act of limiting risk is referred to as mitigation. The tools available to mitigate a risk are called controls. The access control techniques and mechanisms are described as follows:
In everyday conversations, the word control and the word countermeasures refer to the same item or concept. In most cases, all three types of controls are in use all of the time. (The three types of controls are described in detail in the section “Types of Access Controls” later in this chapter.)
The first step in determining the security for an organization is to determine what resources and assets need to be protected. Resources and assets fall into three general categories: physical assets, digital assets and information assets.
Information assets can be classified based upon the financial value to the business or what harm would be done if information was lost, destroyed, or released to the public. For instance, the business category in which the organization is involved is general public knowledge, but the release of a trade secret identifying exactly how the business creates its product could do irreparable harm to the business. Information assets might be ranked from unclassified to confidential. Or it could be ranked on a valuation scale, such as zero dollars to many millions of dollars of cost in the event of information release or loss.
A task of a security practitioner is to identify the resources and assets requiring protection and rank them using either an asset valuation system or a sensitivity and potential harm system. In risk analysis, there are a number of methods used in performing this task. In all situations, the most valuable asset to be protected is people. For example, in the event of fire, bomb threats, or other life-threatening emergency situations, the safety and well-being of the people in the environment is always the primary concern. People must be evacuated or protected from the threat. Evacuation programs, exit markings, emergency lighting, and fire protection systems as well as emergency evacuation drills must all be part of the general safety policy for the environment or building.
Controlling access is vital to the health of your systems, networks, and data. With access, a user or attacker can do anything to your system. If they cannot get access, they can do nothing to the system. Access controls also provide a level of accountability and the ability to audit what the authorized user is doing while in the system.
Although the concept of access controls may be easy to comprehend, the application is frequently more complex. A balance must be achieved between resource protection, control mechanism cost, and user-friendliness. Controls must be consistent with the organization's security policy; they must provide adequate protection of the resource at a reasonable cost yet not be so arduous that users attempt to find a workaround to save time or effort.
An additional concept of access control is referred to as layered security or defense in depth. This is a simple concept of establishing a number of roadblocks the adversary must cross in order to access the resource.
The defense-in-depth strategy utilizes multiple layers of controls and relies upon a couple of concepts:
This technique is evident with the application of simple versus complex passwords. A simple password may take several hours to crack, and a complex password, utilizing numbers, special characters, and capitalization, may take 1,000 years to crack using the same computing equipment.
The overall consideration of placing various controls in the path of an attacker is cost. Is it prudent to spend $2,500 on controls such as video equipment, special lighting, and police alarm systems just to protect $300 worth of garden tools and equipment? The security practitioner must be constantly aware of how the cost of controls compare to the value of the systems or data being protected.
There are two terms related to access control: subject and object.
In some cases, items may change relationships (Figure 3.1). In such an event, an object becomes a subject and then reverses roles again. For instance, the user (subject) accesses an application requesting information. The application (object), in an effort to respond to the user (subject), requires information from a database. The application now becomes a (subject) to the database (object). Once the data is retrieved, the application once again reverts to an (object) role and responds to the user (subject).
As mentioned earlier, there are three general categories of controls: physical, logical, and administrative. Virtually all controls can be placed in one of these categories. There is a security principle you will hear many times. It is the principle of implicit deny. In simple terms, it refers to excluding everyone except those you have specifically (explicitly) allowed to enter. It is much easier to work with a small group of users or items than it is to work with a large group of items that includes everything. As a simple example, four people work in the server room and require access. It makes sense to give these four people access keys to the room while excluding all other persons.
The same principle might be applied to children viewing television, persons accessing websites at work, or the general public accessing your private business network on the Internet. It is much easier to list what users can do than it is to list everything they cannot do. In the world of security, the list of what the user can access is referred to as included by exception, a white list, or explicitly allowed. The restricted list, or the list of what is not allowed, is referred to as a black list, or implicit deny. Implicit deny is a main feature of most router rule lists. It denies all incoming traffic that has not specifically been allowed by an explicitly written rule.
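The router rule list described above, as an added example that is not from the book: an ordered list evaluated top to bottom, first match wins, and anything that matches no rule falls through to an implicit deny. The rule fields, the networks, and the sample packets are constructed for illustration. The rule list deliberately contains an ordering mistake so that the evaluation shows why rule order matters.

```python
"""Added example, not from the book: an ordered rule list evaluated first-match
with an implicit deny at the end, in the style of a router access list.
The rule fields and the sample packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR notation
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dst_port is not None and self.dst_port != pkt["dst_port"]:
            return False
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)


def evaluate(rules, pkt):
    """Walk the list top to bottom and stop at the first matching rule.
    Returns (decision, index); index is None when no rule matched and the
    implicit deny at the end of the list made the decision."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed rule list. Note the ordering pitfall: rule 1 is meant to block
# the 10.0.5.0/24 network entirely, but rule 0 is matched first for HTTPS
# traffic, so hosts in that network still reach port 443.
RULES = [
    Rule("permit", "10.0.0.0/8", "tcp", 443),
    Rule("deny", "10.0.5.0/24", "any", None),
    Rule("permit", "192.0.2.0/24", "udp", 53),
]

# Constructed sample packets (source address, protocol, destination port).
PACKETS = {
    "internal_https": {"src": "10.1.2.3", "proto": "tcp", "dst_port": 443},
    "blocked_net_ssh": {"src": "10.0.5.9", "proto": "tcp", "dst_port": 22},
    "blocked_net_https": {"src": "10.0.5.9", "proto": "tcp", "dst_port": 443},
    "external_https": {"src": "203.0.113.7", "proto": "tcp", "dst_port": 443},
    "partner_dns": {"src": "192.0.2.10", "proto": "udp", "dst_port": 53},
}


def decide_all(rules=RULES, packets=PACKETS):
    """Decision for every sample packet, keyed by the packet's name."""
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (decision, index) in decide_all().items():
        source = "implicit deny" if index is None else f"rule {index}"
        print(f"{name:18} -> {decision:6} ({source})")
```

The external HTTPS packet is denied without matching any rule, which is the implicit deny at work; the HTTPS packet from 10.0.5.9 is permitted by rule 0 even though rule 1 was written to block that network, which is why a deny rule must be placed above the broader permit it is meant to carve out of.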
A physical access control is all the items listed in the backyard shed example earlier in this chapter. The purpose is to keep a physical intruder from penetrating a physical property area. The following physical access controls can be used:
Physical controls are usually independent of computer hardware, software, and communication systems. Locks, gates, lights, and detectors generally do not report in, with the exception of very high-security installations. Of course, there may be locks that use a logical device such as a card reader or other mechanism to trigger (open) a device. These are still classified as physical access controls.
Physical controls restrict or prohibit access to the physical components of the infrastructure such as wiring closets, wireless access points, server rooms, and communication lines. Physical security is an important concern for the security practitioner in maintaining the layered security and defense-in-depth security concepts and works hand in hand with other access controls. A physical access control is usually the first line of defense.
Logical access controls are those controls used to keep a digital intruder out of a network, host, or system. Logical controls are usually established to protect the data, applications, hardware, and network devices from hackers, malware, intruders, and simply mistakes users can make. These types of controls are usually grouped into two categories with much overlap. The categories are hardware and software. Firewalls, intrusion prevention systems (IPSs) and data loss prevention systems are typical logical hardware devices, whereas some firewalls, virus protection software, and Group Policy enforcement by an operating system are software controls. The following items are logical controls:
Administrative access controls consist of policies, directives, regulations, and rules set up by a company to govern activities taken by individuals or to establish operating procedures. Every company or firm requires various policies. In some cases, these policies are imposed by an outside organization or regulation, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Securities and Exchange Commission (SEC), and the Payment Card Industry Data Security Standard (PCI DSS).
Administrative controls begin with policies that address a specific subject, all the way down to the person ultimately responsible for carrying out the action. Many new hires are introduced to IT security administrative controls immediately upon joining a company. They must often read, agree to, and sign an authorized use policy (AUP) that specifies how the user must behave when using the networks, information, and IT products of the company (Figure 3.2).
The first step of access control is identification. Many might think that entering a username into a field is the first step in identification. This is not always the case. There may be a preceding step. For instance, in the case of logging into a bank account, the user might be prompted to click a “log in” link on the bank's home page. This click initiates the identification sequence. In such cases, the bank system responds with a login screen featuring a field for the username and a field for a user password (Figure 3.3). The blank for the user name is the request for identification information. In other situations, the swiping of a card in a gas pump or at a grocery store initiates the login sequence. Access control identification may also allow access to specific places by swiping an access card at a doorway reader thus identifying the user and unlocking the door.
The goal of these systems is to differentiate one user from another. A unique username, personal email address, or account number will initiate the identification sequence. During this sequence, the system will compare the received identification information with some sort of internal database; in the case of a Microsoft system, this might be Active Directory (AD). In the event the user is not identified, the system may present an error screen or in some cases a screen offering the user the ability to create a new account. If the user identification is recognized, the system will proceed to the next step. This step usually involves the request for additional authorization information.
The challenge to security practitioners with regard to identification is that the person entering the data or swiping the card may not be the person you want to have access. Anyone knowing that the web page username field requires an email address could easily type someone else's email address. The person swiping the card might have just stolen it. This is why more verification information is required before allowing access into the system or location.
Authentication is the process of proving the identity professed by the user. As you have seen, anyone can enter a username or swipe a card. The next step is to authenticate the user to the system (Figure 3.4). The most common method of authentication is to have the user enter a password. On ATMs and gas pumps, or with various credit cards and debit cards, this might be in the form of a personal identification number (PIN). When a credit card is used at some gas pumps, the billing address zip code may be requested. Because most credit cards require only a PIN to withdraw money, the zip code is utilized as a piece of authentication information that a thief would not know. This password, PIN, or zip code, along with the username or identification, is again compared to the information in a system database to determine that the user is actually the user. This is the authentication step.
The challenge for security practitioners is that besides the attacker using a stolen identification, there are many ways of breaking a password, PIN, or other methods of authentication. If an attacker is both identified and authenticated correctly and allowed into the system, this is referred to in security as a false positive and is a serious situation. It means that an unknown person has been granted permission into the system. To combat this possibility, there are many authentication methods that exist.
Many might think that identification and authentication occur only when the user is logging on to the system or network. There are a great many places on a network where identification and authentication can take place. False positive and false negative errors may occur in a number of different situations. The frequency of these errors is referred to as an error rate. Generally, all access control and authentication is performed by comparing user information with some type of list. Identification and authentication might take place when the following items are used:
Access control not only identifies and authenticates users to allow access to a network or application, it can be made granular enough to inspect packets on a network or specific host machines and grant or deny access based upon a list or other identification/authentication technique.
There are several types of authentication methods. They are referred to as factors. A factor is an item or attribute that can be specifically linked to the user. Most authentication attributes fall into five main categories:
The attributes are explained in detail in the following sections.
Something you know is the most common form of authentication. In most instances, the user enters a password. Passwords can prove to be the weakest type of authentication. The security practitioner may employ a number of techniques that increase the security of user passwords:
In Exercise 3.1, you will see how to check the strength of passwords. You will also read helpful text concerning the construction of strong passwords.
Something you know can also be a secondary authentication question (Figure 3.5). Many financial accounts require a username for identification, a password for initial authentication, and then some personal information not likely known by many others. This additional personal information is usually in the form of several questions the user is asked upon account setup. Such questions might include mother's maiden name, the street where you lived when you were 10 years old, your favorite teacher, the best man, and the city where you were married. The problem with this is that some of this information is readily available knowledge. Users should select questions and answers that are not easily publicly found, such as favorite teacher or best man.
Another form of something you know authentication is the use of CAPTCHA characters (Figure 3.6). CAPTCHA is the acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. This is a challenge-and-response system featuring a set of numbers and letters in various shapes with varying backgrounds. The challenge is for the user to visually recognize the characters and knowingly retype them into a form. This technique is used to determine if the user is a human or a machine. A machine may be able to break a user's password, but it still would not be able to pass this test. The machine would not be able to visually read or recognize the shapes of the CAPTCHA characters.
Many people carry an ATM card, driver's license, student ID, smartphone, credit card, or proximity card. Each of these can be used to establish authentication. For instance, if you are stopped by the police, you may verbally state your name, but a driver's license or other identification issued by an authority such as a state department of motor vehicles or a university, in the case of a student ID, is used by the officer to establish if you are stating the correct name. This is an example of something you have.
Many corporate and federal employees are issued proximity keys or cards to access facilities. Specific data is embedded within the card. Although they are not internally powered, they feature a type of antenna that receives a signal from a nearby card reader (Figure 3.7). This stimulates the card and provides sufficient energy for the card electronics to respond to the card reader and transmit information. This technique is also utilized on many toll roads across the country. A small device typically placed on the windshield responds to a signal transmitted toward the auto and the device responds with identification and authentication information allowing the toll authority to debit the person's account.
Many businesses provide employees with a personal badge that has a name, ID number, and photo of the employee (Figure 3.8). Many of these badges also contain micro-electronics that allow the individual to access various doors within the facility. Most facilities log the entry and exit of individuals throughout the premises.
Another type of card is a smart card; in government organizations this might be referred to as a common access card (CAC). This type of card features circuitry that stores the user's certificate. The certificate contains the user's public key for authentication as well as encryption, although in this case it is primarily used for authentication. The card is usually placed into a card reader to be read. Since the card might be lost or stolen, a second authentication factor is usually required such as a biometric input, PIN, or password.
Something you are is a physical characteristic that is unique to you and your body. Biometrics is the science and technology of recognizing a user based upon their body. For instance, law enforcement can identify individuals by fingerprints, footprints, palm prints, blood samples, and DNA.
In business today, various biometric techniques are used to identify and authenticate individuals:
There are several challenging aspects to the use of biometrics. Any or all of these might be considered when implementing a biometric system:
Every biometric system faces its own challenges processing information and making decisions to allow or deny access to the user. When specifying a biometric authentication system, various terms and considerations are used.
Something you do is a trait that you have developed over the years. This trait is unique to you and has developed either through training, your upbringing, environment, or perhaps something unique to your body construction. Unique biometric scanning devices have been constructed to measure a variety of personal traits to be able to authenticate an individual. These traits are as follows:
Geolocation and geotagging are now used by many systems to identify where the user actually is located. Many software applications, retail stores, social media sites, and other systems ask for the user to allow themselves to be geolocated. Users may be identified and authenticated by their location. For instance, several major department stores are pushing ads out to cell phones as you walk through the store. You may receive a coupon on your phone as you drive past a coffee shop or another location. Major credit cards such as American Express will act on location anomalies when a charge is made in a foreign country if the user has no history of traveling to that country.
With single-factor authentication, only one factor is used. An example of single-factor authentication is using the password required by a screensaver. The only factor required is something you know, which in this case is the password. Requiring the entry of two or more of the same type of factor is also regarded as single-factor authentication. When a user logs on to a network first thing in the morning, they may be required to enter an identification item such as a username or click a specific icon. The second item requested is usually a password. In this instance, both factors are the same type, something you know. Using two of the same types of factors during authentication is no stronger than using a single factor.
Multifactor authentication refers to using at least two different types of factors for authentication purposes. In many businesses today, employees are issued a pass card or smart card. This card generally allows access to various authorized doors within the building. In other cases, employees are required to authenticate into secure databases, applications, or other sensitive areas.
The two different types of authentication factors might be a typed-in password and a thumb print. A secure room might require a smart card scan and an iris scan. In any event, for it to be multifactor authentication, the factors must be different. The user cannot use a token and a smart card because they are the same type of factor, as are a thumb print and an iris scan. Multifactor means, for example, something I have and something I am, or it could mean something I know and something I have.
Token-based access control is based upon a one-time password. Because the password is used only once, it is very difficult for a hacker to obtain it. The password is also only available for a very limited period of time, usually 60 seconds, after which it changes to a different password. Because the password is displayed only once and for a short period of time, it is almost impossible for an attacker to intercept it.
A token, or token device, is usually a small hardware device that displays a number (Figure 3.11). The token is synchronized with the authentication server so that the server always knows the number that is displayed. When the user wishes to log in or access an application, they enter the number that is visible at that moment. This indicates to the authentication server that this person has the token in their possession. This is an example of a something you have authentication factor.
Some hardware tokens are attached to key chains for user convenience. This type of token is referred to as a key fob. The device used to unlock a car door is a type of key fob. It sends a coded message to the car.
Another type of one-time password is OPIE, which is short for One-Time Passwords in Everything. This type of one-time password is based on S/KEY, a one-time password system used to generate passwords on some Unix systems. It is typically the user's actual password combined with other data and passed through a hashing algorithm. This technique generates a one-time password and makes use of the MD4 or MD5 hashing algorithm.
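The hash-chain scheme behind S/KEY and OPIE, and the one-time property that token-based access control relies on, as an added example that is not from the book. The server stores only the last value of a hash chain built from the user's password and a seed; each login presents the value one step earlier in the chain, which the server can verify with a single hash but nobody can derive from what was previously sent. This example uses SHA-256 rather than the MD4/MD5 of the original S/KEY, and the password and seed values are constructed.

```python
"""Added example, not from the book: an S/KEY-style one-time password chain.
Uses SHA-256 instead of MD4/MD5 (an assumption, not what S/KEY specified);
the password and seed below are constructed."""
import hashlib
import hmac


def hash_step(value: bytes) -> bytes:
    """One application of the chain's hash function."""
    return hashlib.sha256(value).digest()


def hash_chain(password: str, seed: str, count: int) -> bytes:
    """Apply the hash function `count` times to password||seed."""
    value = (password + seed).encode()
    for _ in range(count):
        value = hash_step(value)
    return value


class OtpServer:
    """Holds only the sequence number and the current head of the chain,
    never the password itself."""

    def __init__(self, seed: str, count: int, last_value: bytes):
        self.seed = seed
        self.counter = count          # the stored value is h^counter(password||seed)
        self.last_value = last_value

    def verify(self, candidate: bytes) -> bool:
        """Accept iff hashing the candidate once yields the stored value,
        then move the stored head one step back so the candidate cannot be replayed."""
        if self.counter <= 0:
            return False  # chain exhausted; user must re-enroll
        if hmac.compare_digest(hash_step(candidate), self.last_value):
            self.counter -= 1
            self.last_value = candidate
            return True
        return False


def enroll(password: str, seed: str, count: int = 100) -> OtpServer:
    """Enrollment: the client computes the full chain once and hands the server the head."""
    return OtpServer(seed, count, hash_chain(password, seed, count))


def client_response(password: str, seed: str, server_counter: int) -> bytes:
    """The client's next one-time password: one hash iteration fewer than the server's head."""
    return hash_chain(password, seed, server_counter - 1)


def demo():
    server = enroll("correct horse", "seed01", count=5)
    first = client_response("correct horse", "seed01", server.counter)   # h^4
    ok_first = server.verify(first)
    replayed = server.verify(first)          # same value again: rejected
    second = client_response("correct horse", "seed01", server.counter)  # h^3
    ok_second = server.verify(second)
    wrong_pw = server.verify(hash_chain("wrong password", "seed01", server.counter - 1))
    return ok_first, replayed, ok_second, wrong_pw, server.counter


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, 3)
```

An observer who captures the value sent at one login holds h^(n-1); the next login requires h^(n-2), which can only be reached by inverting the hash, so the captured password is worthless after its single use.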
System-level access controls address two very specific requirements.
With discretionary access control (DAC), access is granted to objects (data and applications) based upon the identity of the subject. Each subject is granted specific rights to the data. For example, when you share a folder on your desktop with three of your co-workers, you are exercising discretionary access control. As the data owner, you are granting access to your folder. At any time, you may restrict or revoke access to your folder, but the decision is completely yours. In the slightly more sophisticated environment of a Microsoft SharePoint administrator, the administrator may decide which users can read only, edit, or write to a data file. Again, this is completely discretionary based upon the value of the data in the eyes of the administrator, department head, or company.
In the Microsoft SharePoint example, the identity of the user is established by the user credentials at login to the Microsoft SharePoint system. Again, the Microsoft SharePoint administrator may easily, at their discretion, set the rights and privileges of that individual. Once the individual accesses the data folder or file, the software system checks the user credentials and allows the user to perform actions as established by the administrator or data owner. It is important to note that at any time the data owner or administrator may override the existing selections and make changes to the rights and privileges. Typically, the following actions may be granted to the user for a file:
With discretionary access control, each data file or folder makes use of an access control list (ACL). The ACL lists the user and their permissions on a file or folder. While the ACL is associated with or is attached to an application or resource to control access, the subject may also have a list. This list is referred to as a capabilities list and is, in essence, a list of the rights and privileges granted to the user.
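The ACL and capability-list views of discretionary access control, as an added example that is not from the book. Each object carries an ACL that only its owner may change; a subject's capability list is the same information read the other way round, gathered across every object. The object, user, and permission names are constructed.

```python
"""Added example, not from the book: discretionary access control with per-object
ACLs that only the data owner may edit, plus a derived capability list per subject.
All object, user and permission names are constructed."""
from collections import defaultdict


class DacStore:
    def __init__(self):
        self.owners = {}                 # object -> owner
        self.acls = defaultdict(dict)    # object -> {subject: set of permissions}

    def create(self, obj: str, owner: str):
        """Creating an object makes the creator its owner with full rights."""
        self.owners[obj] = owner
        self.acls[obj][owner] = {"read", "write", "execute", "delete"}

    def grant(self, actor: str, obj: str, subject: str, perms):
        """Only the owner may change the ACL; that discretion is what makes the control DAC."""
        if self.owners.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acls[obj].setdefault(subject, set()).update(perms)

    def revoke(self, actor: str, obj: str, subject: str):
        if self.owners.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acls[obj].pop(subject, None)

    def allowed(self, subject: str, obj: str, perm: str) -> bool:
        """Implicit deny: a subject absent from the ACL has no access at all."""
        return perm in self.acls.get(obj, {}).get(subject, set())

    def capability_list(self, subject: str) -> dict:
        """The subject-side view: every object and the permissions held on it."""
        return {obj: set(acl[subject]) for obj, acl in self.acls.items() if subject in acl}


def demo():
    store = DacStore()
    store.create("budget.xlsx", "alice")
    store.create("roadmap.docx", "alice")
    store.grant("alice", "budget.xlsx", "bob", {"read"})
    store.grant("alice", "roadmap.docx", "bob", {"read", "write"})
    store.grant("alice", "budget.xlsx", "carol", {"read", "write"})
    try:
        store.grant("bob", "budget.xlsx", "dave", {"read"})   # bob is not the owner
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    store.revoke("alice", "budget.xlsx", "carol")             # the owner changes their mind
    return {
        "bob_read": store.allowed("bob", "budget.xlsx", "read"),
        "bob_write": store.allowed("bob", "budget.xlsx", "write"),
        "carol_read_after_revoke": store.allowed("carol", "budget.xlsx", "read"),
        "dave_read": store.allowed("dave", "budget.xlsx", "read"),
        "bob_could_grant": bob_could_grant,
        "bob_capabilities": store.capability_list("bob"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that nothing outside the owner's decision constrains what is granted: a compromised or careless owner can share the object with anyone, which is exactly the property mandatory access control removes.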
Nondiscretionary access control (non-DAC) is used when a system administrator, management, or an information tagging/labeling system controls access to objects by subjects. In this case, the access might be granted by policy to a specific group of users. The system administrator is carrying out policy administration.
Mandatory access control (MAC) uses labels or tags to identify both subjects and objects and is a nondiscretionary access control model. It is the most secure model and is used by the U.S. military and federal government to protect classified data. With the MAC model, every piece of information (object) and every user (subject) has been given a label.
Currently the U.S. government maintains the following levels of information labels:
In the U.S. government and military, information is “classified” if it is in one of three levels: confidential, secret, or top secret. Individuals with the corresponding labels or clearances may access data. It is not uncommon for data to be compartmentalized. In this case, an individual with a secret clearance is allowed access only on a “need to know” basis.
Many data labels exist for business data. Most businesses have proprietary information, trade secrets, and internal data that if made public might do substantial harm to the company. Business data may also be classified into compliance categories. Categories such as personal identification information (PII), HIPAA information, and various categories of financial information may be restricted by regulations. The following information security labels are typically used in business:
It has recently been made public that an estimated 4 million people have top secret clearance and an estimated 10.8 million government, private contractor, and military personnel have some sort of U.S. government security clearance. It is reported that an additional half-million security clearance requests are processed annually. Because so many people have access to it, top-secret information is put in separate compartments, accessible only to those people who have a need to know. The system is referred to as sensitive compartmented information (SCI) for intelligence information, while other highly secret and sensitive information specific to the military and other organizations is protected by compartmentalized special access programs (SAPs).
You have seen that discretionary access control is administered through the use of an access control list (ACL) attached to each file or folder with changes that can be made on the fly by the data owner. Mandatory access control must be enforced by a completely different mechanism. Typically, in a mandatory access control system, the sensitivity of the objects being accessed is far greater than the objects in a discretionary access control system. Therefore, greater harm or expense may be incurred should subjects be given improper access to highly sensitive data. In a mandatory access control system, something is required to mediate between the levels of access granted to the subject and the security classification of an object. This mediation or decision-making process must be accomplished in an environment of trust, where the hardware and software providing this mediation is above reproach. The theory and application of this hardware and software mediation platform is referred to as a trusted computing base (TCB).
Mandatory access control (MAC) is traditionally enforced by the system through the use of a trusted computing base (TCB). This is a protected part of the operating system that includes a security kernel and a reference monitor. As you have seen with MAC, users or applications are referred to as subjects and are labeled with a security clearance and are included on a capabilities list. The security clearance represents the highest level of information the subject may access. In addition, all data and information is referred to as an object and is classified as, for example, confidential, secret, or top secret. This security classification system is primarily used by the federal government and military agencies.
The primary information framework utilized in MAC requires that a subject granted a secret clearance may not “read up” to top secret information above the clearance they currently possess and, once accessing secret information, cannot “write down” that information to a lower level such as confidential or unclassified, thereby reducing the secret information to a lower security classification. In practice, the trusted computing base is engaged in the comparison between the security clearance labels of subjects and the security sensitivity labels placed on objects.
There are several components to a trusted computing base:
The MAC architecture model provides a framework that can be applied to various types of information systems. In general, these models provide rules that can be applied to subjects before they are allowed to read or write sensitive information. Each of the four models provides a primary goal of either confidentiality or integrity. Each of the models is named after the individuals who created it.
The Bell-LaPadula model enforces information confidentiality. It does this by enforcing security through two rules called no read up and no write down.
With the Bell-LaPadula model, an individual with a secret security clearance cannot read top secret information and cannot write secret information down to a security level below secret, such as unclassified.
As expected, the Bell-LaPadula model is used extensively in the federal government and U.S. military where confidentiality of information is the primary concern.
The Biba information model is primarily concerned with information integrity. Its rules are the reverse of those in the Bell-LaPadula model. In the Bell-LaPadula model, we do not want to reduce the security classification of sensitive information. The Biba model seeks to prevent information at a lower integrity level from being raised to a higher integrity level.
The goal is that an individual at a certain security level may not read information at a lower level and the individual may not create (write) information at a higher level than their security level.
The Biba model is used primarily in the business environment where data and object integrity is of primary concern. In this model, individuals at a lower level may not create or modify data at a higher level.
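To make the two rule sets concrete, here is an added example (my own illustration, not code from the book) of a reference monitor that decides read and write requests under both models. Levels are integers ordered so that a higher number dominates a lower one; the classification scale, the integrity scale, and the sample requests are constructed for illustration.

```python
"""Reference-monitor decisions for Bell-LaPadula and Biba.

Added example, not code from the book. Levels are integers ordered so that
a higher number dominates a lower one; the classification and integrity
scales below, and the sample requests, are constructed for illustration.
"""

# Constructed scales: Bell-LaPadula compares security clearances with
# sensitivity labels; Biba compares integrity levels.
CLASSIFICATION = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


def bell_lapadula(subject: int, obj: int, action: str) -> bool:
    """Confidentiality model: no read up, no write down."""
    if action == "read":
        return subject >= obj   # the subject's clearance must dominate the object
    if action == "write":
        return subject <= obj   # writing is allowed only at or above the clearance
    raise ValueError(f"unknown action {action!r}")


def biba(subject: int, obj: int, action: str) -> bool:
    """Integrity model: the mirror image, no read down, no write up."""
    if action == "read":
        return subject <= obj   # only read data of equal or higher integrity
    if action == "write":
        return subject >= obj   # only write into data of equal or lower integrity
    raise ValueError(f"unknown action {action!r}")


def evaluate(model: str, scale: dict, requests: list) -> list:
    """Run (subject_label, action, object_label) requests through a model and
    return 'allow'/'deny' decisions in the same order."""
    rule = {"bell_lapadula": bell_lapadula, "biba": biba}[model]
    return [
        "allow" if rule(scale[s], scale[o], action) else "deny"
        for s, action, o in requests
    ]


if __name__ == "__main__":
    # A secret-cleared subject under Bell-LaPadula: may read confidential,
    # may not read top secret, may not write unclassified, may write top secret.
    print("Bell-LaPadula:", evaluate("bell_lapadula", CLASSIFICATION, [
        ("secret", "read", "confidential"),
        ("secret", "read", "top secret"),
        ("secret", "write", "unclassified"),
        ("secret", "write", "top secret"),
    ]))
    # A medium-integrity process under Biba: may not read low-integrity input,
    # may read high-integrity data, may not write into high-integrity data.
    print("Biba:", evaluate("biba", INTEGRITY, [
        ("medium", "read", "low"),
        ("medium", "read", "high"),
        ("medium", "write", "high"),
        ("medium", "write", "low"),
    ]))
```

Note that Bell-LaPadula permits a secret subject to write top secret objects and Biba permits a medium-integrity process to write low-integrity objects; both are correct under the models, which is why real systems usually pair these lattice rules with discretionary or role checks to stop blind writes.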
The goal of the Clark-Wilson model is to enforce separation of duties through integrity rules. This model places a mechanism such as a software program between the subject and object. The software program separates the subject and object. This model enforces data integrity by checking, screening, or formatting data prior to it being placed in the object, such as a database. The Clark-Wilson model enforces what is called “well-formed transactions.” This model also enforces such integrity policies as authorized users may not take unauthorized actions and unauthorized users will not be allowed access.
The Brewer-Nash model is used in many business organizations to prevent conflict of interest situations within the same business. Objects are classified in a manner that indicates conflicts of interest. For example, if a business is providing different services for the same client, each branch or department is isolated from the other with no knowledge of the other departments' activities. This eliminates the possibility of a conflict of interest. This is also referred to as providing a Chinese wall between the two groups. Each group's information (objects) is classified so that it may not be accessed by the other.
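The Brewer-Nash rule is history-dependent, which a static label check cannot show, so here is an added example (my own, not code from the book) of a Chinese wall monitor. Each dataset belongs to a company and sits in a conflict-of-interest class; the dataset names and classes are constructed sample data.

```python
"""Brewer-Nash (Chinese wall) access decisions.

Added example, not code from the book. Objects belong to a company dataset
and each dataset sits in a conflict-of-interest (COI) class; once a subject
has read one company's data in a class, the other companies in that class
are walled off for that subject. Datasets and classes are constructed.
"""
from collections import defaultdict

# Constructed: dataset -> conflict-of-interest class
COI_CLASS = {
    "bank_a": "banking",
    "bank_b": "banking",
    "oil_x": "oil",
    "oil_y": "oil",
}


class ChineseWall:
    def __init__(self):
        # subject -> set of datasets the subject has already read
        self._read_history = defaultdict(set)

    def may_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: allowed unless the subject has already read a
        different dataset in the same COI class."""
        coi = COI_CLASS[dataset]
        for seen in self._read_history[subject]:
            if COI_CLASS[seen] == coi and seen != dataset:
                return False
        return True

    def read(self, subject: str, dataset: str) -> bool:
        """Apply the rule and, if allowed, record the access; the history is
        what makes later decisions for this subject depend on earlier ones."""
        if not self.may_read(subject, dataset):
            return False
        self._read_history[subject].add(dataset)
        return True

    def may_write(self, subject: str, dataset: str) -> bool:
        """*-property: a write is allowed only if everything the subject has
        read belongs to this same dataset, so a subject who has read two
        companies' data cannot carry one into the other."""
        return all(seen == dataset for seen in self._read_history[subject])


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("analyst", "bank_a"))       # True: first access in class
    print(wall.read("analyst", "bank_b"))       # False: conflict with bank_a
    print(wall.read("analyst", "oil_x"))        # True: different class
    print(wall.may_write("analyst", "bank_a"))  # False: has also read oil_x
```

The read history is the sensitive state here: it must be kept per subject and protected from tampering, since clearing it would silently reopen the wall.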
In any business, there are a number of individuals requiring different access privileges based upon their responsibilities and roles within the organization. Account-level access control allows for a more detailed or granular control ability down to the group or individual level. This is the basis for role-based access control.
Dual control refers to an access mechanism whereby two individuals must work together to gain access. In some cases it is referred to as split knowledge as well as separation of duties. Dual control may be specifically utilized for access to encryption keys when two or more individuals maintain partial knowledge. When their knowledge is combined, access is granted to the item, such as access to an encryption key or encrypted message authentication codebook or physical access. Dual-control access mechanisms are highly relied upon in the U.S. military where total responsibility for access by one individual must be avoided.
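Split knowledge for a key can be implemented so that each custodian's part reveals nothing on its own. The following is an added example (my own, not code from the book) of an n-of-n split using XOR: all shares are required to rebuild the key, and any subset of them is indistinguishable from random bytes. Custodian names are constructed and the key is generated at run time.

```python
"""Split knowledge for dual control: an n-of-n key split.

Added example, not code from the book. A key is split into one share per
custodian with XOR, so that every share is required to rebuild it and any
proper subset of shares reveals nothing about the key. Custodian names
are constructed; the key is generated at run time.
"""
import secrets
from typing import Dict, Iterable


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: Iterable[str]) -> Dict[str, bytes]:
    """Return one share per custodian. All but the last share are random; the
    last is chosen so that the XOR of all shares equals the key."""
    names = list(custodians)
    if len(names) < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = {name: secrets.token_bytes(len(key)) for name in names[:-1]}
    last = key
    for share in shares.values():
        last = _xor(last, share)
    shares[names[-1]] = last
    return shares


def combine(shares: Iterable[bytes]) -> bytes:
    """Rebuild the key from the complete set of shares."""
    result = None
    for share in shares:
        result = share if result is None else _xor(result, share)
    if result is None:
        raise ValueError("no shares supplied")
    return result


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    parts = split_key(key, ["custodian_a", "custodian_b"])
    print("rebuilt key matches:", combine(parts.values()) == key)
    print("one share alone matches:", parts["custodian_a"] == key)
```

This is an all-or-nothing split; when the requirement is that any k of n custodians suffice (to survive one custodian being unavailable), a threshold scheme such as Shamir's secret sharing is used instead, at the cost of more arithmetic.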
In many security situations it is desirable to authenticate not only the individual but also the machine or device they are using. Certificate-based authentication requires that a valid digital certificate be maintained on a machine or device from which the user authenticates. Authentication relies upon the certificate information and encrypted user password. This combination authenticates not only the user but the device that they are using. In device-to-device authentication, a similar scenario is used during the authentication process; valid certificate information is used to authenticate devices to each other. Certificate-based authentication may be accomplished through a commercial certificate issued by certificate authorities (CAs) such as VeriSign or through internal corporate CAs managed by the organization.
A very lightweight version of device authentication may be accomplished through the use of cookies. Cookies can be installed on various devices to identify them. Although not significantly utilized for communication encryption, devices may be initially authenticated by banks, financial institutions, and e-commerce sites as having been previously used by the user requesting initial authentication into their system.
With reverse authentication and mutual authentication, not only does the user authenticate to the system when requesting access, they also have knowledge that the system they are contacting is in fact a genuine site. Various techniques have been used, from complex mutual handshake technology to visual cues.
Banks and financial institutions have utilized visual identification cues that only the logging-in user would recognize. It consists of a simple picture they selected upon account initialization. The user is then presented with the picture during login.
The unfortunate downside of this technique is that the end user may not realize that this is an authentication technique or cannot remember that this was the picture they selected; other than terminating the session, they have no method of communication or validation except contacting the institution's customer service department. A more successful method of reverse authentication is the use of personal security questions. Personal security questions have been primarily intended as an initial factor of authentication of the user by the institution, but a spoofing website will not have access to the correct answers to the user's questions. Therefore, even if the spoofing website is capable of obtaining login and password information, access to the real website will still be denied.
Privileged users are typically super-users or administrators who have an elevated level of rights, privileges, and access capability to applications and data. Throughout the IT security organization, privileged account users present special access control concerns. Possessing the ability to bypass many access control methodologies, they may be capable of modifying many normal system controls. Privileged users should always be required to log on to two accounts: their privileged user account and their normal user account which allows access to email and regular daily applications. All privileged accounts should be closely monitored and audited regularly for privilege escalation or de-escalation as the situation requires.
The following are guidelines for privileged accounts:
All corporate employees fall under the user accounts umbrella. Identity management refers to the management of all of the accounts within the corporate domain. Each account has an account life cycle that must be managed by the IT department. This management of user accounts during the account life cycle is called identity management. A general account policy should be established with standards and procedures to be followed during the account life cycle. Finally, a person or department should be specified to carry out the account life cycle tasks. The following events or activities are included as account maintenance during the account life cycle:
This grouping of roles also involves assigning various security privileges, which in this case is role-based access control (RBAC). Some organizations use an automated provisioning application where the HR department enters various new-hire information, including an assigned group or role, and the software application provisions the account using this department-supplied information.
The account lockout policy may generally fall under the account password policy. It features an ability to prohibit resource access after a preset number of attempts to log in. This policy directly addresses brute-force password hacking attempts. There are several provisions of this type of policy:
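As an added example (my own, not code from the book), here is the lockout logic such a policy describes. The three parameters (failure threshold, lockout duration, and the window after which the failure counter resets) and the account names are assumptions for illustration; the caller passes in the clock so the behaviour can be checked deterministically.

```python
"""Account lockout after repeated failed logins.

Added example, not code from the book. The policy parameters (failure
threshold, lockout duration and the window after which the failure counter
resets) and the account names are assumptions for illustration. The caller
supplies the clock so the behaviour is deterministic.
"""
from typing import Dict


class LockoutPolicy:
    def __init__(self, threshold: int = 5, lockout_seconds: int = 900,
                 reset_seconds: int = 900):
        self.threshold = threshold            # failures before locking
        self.lockout_seconds = lockout_seconds  # how long the lock lasts
        self.reset_seconds = reset_seconds    # quiet period that clears the count
        self._state: Dict[str, dict] = {}

    def _get(self, account: str) -> dict:
        return self._state.setdefault(
            account, {"failures": 0, "first_failure": None, "locked_until": None})

    def is_locked(self, account: str, now: int) -> bool:
        until = self._get(account)["locked_until"]
        return until is not None and now < until

    def attempt(self, account: str, credential_ok: bool, now: int) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'.
        While locked, even a correct credential is refused; that is what
        stops an online brute-force attempt from continuing."""
        st = self._get(account)
        if st["locked_until"] is not None:
            if now < st["locked_until"]:
                return "locked"
            st.update(failures=0, first_failure=None, locked_until=None)
        if credential_ok:
            st.update(failures=0, first_failure=None)
            return "ok"
        # A failure outside the reset window starts a fresh count.
        if st["first_failure"] is not None and now - st["first_failure"] > self.reset_seconds:
            st.update(failures=0, first_failure=None)
        if st["first_failure"] is None:
            st["first_failure"] = now
        st["failures"] += 1
        if st["failures"] >= self.threshold:
            st["locked_until"] = now + self.lockout_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, lockout_seconds=60, reset_seconds=100)
    for t, ok in [(0, False), (1, False), (2, False), (10, True), (62, True)]:
        print(t, policy.attempt("jdoe", ok, t))
```

Because the lock is keyed by account name, anyone who knows a user name can lock that user out; lockout events should therefore be logged and a spike of lockouts across many accounts treated as a signal in its own right.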
The last login notification is a security check. Upon login, the returning user is greeted with a message such as “Your last login was Sunday, May 21, 2014.” This may alert the user that there has been a violation on that machine if they did not log in on that day. This technique is popular in high-security environments and the banking industry.
Some companies enforce user policies by flashing a warning screen on the user machine (Figure 3.13). This may be in response to an attempt to access secure information or a blacklisted website or even inserting a USB drive into the machine.
This process originally began as a telephone callback when a remote user called in for modem access to a computer system. The system would terminate the call and call the user back to verify their location. Today, many banks and financial and other important institutions will email or text the user with a passcode that must be entered into the account logon screen to further the authentication process.
Many companies establish a guest login on a separate VLAN for guest-level Wi-Fi services within the premises. The guest account may be general in nature and only allow the user to connect with the Internet via a temporary account.
This type of account may be assigned to a temporary worker or someone who might be replacing an employee on medical or maternity leave. Based upon the principle of least privileges, this account is usually short term and is allowed access to only the tasks of the person they are replacing but not to items such as the user's email, personal information file, storage locations, or nontask applications.
A contractor account is a temporary account established for a contractor of a business. A contractor might be a temporary team of individuals, a programmer, or another person who is not a full-time employee of the business. A contractor account may be hosted on a VLAN. These accounts are based upon the principle of least privilege and are usually tracked with logs. Some contractor accounts may have a duration of several years.
The authorized use policy (AUP) is a screen that is displayed to an account at login notifying the user of various requirements or policies they must agree to prior to and during the use of the company resources.
Role-based access control (RBAC) is similar to and can be enforced by Group Policy manager (Figure 3.14). Typically, users with very similar or identical roles are identified and placed in a group. Access control is granted to all individuals in the group based upon their membership in the group. This type of administration is ideal for large groups such as call center employees, bank tellers, store clerks, and stock traders or with groups in which numerous adds and drops occur frequently. Once a user is assigned to the group, they receive all the rights and privileges anyone in the group has received.
Rule-based access control (RBAC or RAC) is based upon explicit rules that have been established to control the activities of subjects. Various rules may be created to allow or restrict access to objects. One such rule is the time of day restriction. This rule establishes when a resource or object may be accessed. For example, if the user is never required to access a database on a Saturday or Sunday from either within the building or a remote location, a rule may be established restricting access. It is important to note that role-based access control and rule-based access control may both be referred to as RBAC.
Session-level access controls restrict or allow actions during a specific communication session. These controls terminate when the session is terminated. A session is a one-time or individual login or access to a resource that involves a beginning and an end and is of a specific duration of time. For example, when you wish to check your bank account balance, you log in to your bank, view the account page, and log off. This defines one session. The following is a list of commonly implemented session-level access controls:
View-based access control, sometimes referred to as a constrained view control, is a feature of many software applications as well as databases. Typically a “view” is the screen or page displayed to the user resulting from an application access or database query. This screen or view may have form blanks for the user to enter information or display specific data retrieved from a database. A view is a specific security control mechanism that restricts the user's actions or displays only the data available to them based upon their rights and privileges.
An example of a typical application might be that of a bank teller. Upon entering the customer account number, the bank teller may view a page originating in the database server that specifically outlines the customer's name, address, and current bank account balance. What is restricted from the bank teller but contained in the same database is the customer's credit information, loan payment history, loan balances, other related accounts, and some personal information. The bank teller, based upon their access capability, cannot make any adjustments or changes to the customer's bank loans. Similarly, in the same bank, upon entering customer-specific information, a loan officer will be sent a view from the same database that may include loan history, payments, collateral information, and customer credit scores. All of this information is contained in the same database, yet each user, based upon their role, was served a different view screen and had different capabilities for altering information.
View-based access control may also restrict access to certain data or certain functions provided on application programs. A typical example of this is the sheet or workbook protection mechanism that can be employed in Microsoft Excel. You can lock the entire sheet or just selected cells by using a password so that other users viewing the same sheet do not have the ability to either enter or change data. This could be handy, for instance, if the Microsoft Excel sheet is to be distributed between departments within the company to gather information. The departments will have access to the spreadsheet cells that are unlocked yet be restricted from changing any other information on the sheet. The other restricted information on the sheet may be generated by the originator or designer of the spreadsheet.
Data-level access control specifically deals with protecting data in any of its three states: in process, in transit, and at rest.
Data-level access control may also be based upon the form or content of the actual data. This type of access control, referred to as contextual-based access control or content-based access control, is constructed using data content rules. Content-based access control may be illustrated by using lab reports in a major hospital. A specific blood test report might be accessible by the entire nursing staff assigned to a particular unit or floor. But if the same blood test report contained information concerning a specific infectious disease, it might be restricted to only the attending physician. These types of contextual access control rules are difficult to write and maintain, but depending upon the information to be accessed, they can be highly useful.
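The bank teller and loan officer views above, and the lab report rule in this paragraph, can be served from the same records by two small checks. The following is an added example (my own, not code from the book): a per-role view that filters the fields of one customer record (view-based control, including which fields the view lets the role change) and a content rule that narrows who may read a lab report once its content flags an infectious disease (content-based control). Field names, roles, unit numbers and the sample records are constructed.

```python
"""View-based and content-based restriction over the same records.

Added example, not code from the book. A single customer record is served
as a different view per role (view-based access control), and a lab report
is restricted by what it contains (content-based access control). Field
names, roles, units and the sample records are constructed.
"""

# Constructed: which fields of the customer record each role may see.
# Nothing outside the role's set reaches the user, whatever the record holds.
CUSTOMER_VIEWS = {
    "teller": {"name", "address", "balance"},
    "loan_officer": {"name", "loan_history", "payments", "collateral", "credit_score"},
}

# Constructed: which fields each role may change through its view.
CUSTOMER_WRITABLE = {
    "teller": {"address"},
    "loan_officer": {"loan_history", "payments", "collateral"},
}


def customer_view(role: str, record: dict) -> dict:
    """Return only the fields of the record that the role is permitted to see."""
    allowed = CUSTOMER_VIEWS.get(role)
    if allowed is None:
        raise PermissionError(f"no view defined for role {role!r}")
    return {field: value for field, value in record.items() if field in allowed}


def may_update(role: str, field: str) -> bool:
    """A view also constrains actions: the teller sees the balance but the
    view gives no way to alter loan data."""
    return field in CUSTOMER_WRITABLE.get(role, set())


def may_read_lab_report(user: dict, report: dict) -> bool:
    """Content-based rule: a report flagged for an infectious disease is
    readable only by its attending physician; otherwise any nurse or
    physician assigned to the report's unit may read it."""
    if report["infectious_disease"]:
        return user["role"] == "physician" and user["id"] == report["attending_physician"]
    return user["unit"] == report["unit"] and user["role"] in {"nurse", "physician"}


if __name__ == "__main__":
    # Constructed sample record holding everything the bank knows.
    record = {
        "name": "J. Doe", "address": "1 Example St", "balance": 1250.00,
        "loan_history": ["auto-2019"], "payments": ["2024-01", "2024-02"],
        "collateral": "vehicle", "credit_score": 712,
    }
    print("teller sees:", sorted(customer_view("teller", record)))
    print("loan officer sees:", sorted(customer_view("loan_officer", record)))
    print("teller may change loan_history:", may_update("teller", "loan_history"))

    nurse = {"id": "n1", "role": "nurse", "unit": 4}
    report = {"unit": 4, "infectious_disease": True, "attending_physician": "d1"}
    print("nurse may read flagged report:", may_read_lab_report(nurse, report))
```

The filtering happens on the server side of the view, which matters: a client that merely hides columns still receives the data, and that is not an access control.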
Access controls for data stored on removable items such as magnetic tape, magnetic disk, electronic memory devices, optical media, and printed media are normally categorized as handling and storage access procedures. Corporate information that has been identified as requiring any type of security should be physically marked and then treated according to the procedures associated with the category under which it falls. Removable items containing data should require the same identification and authentication access controls and protection as any information accessible on a network.
A variety of corporate policies such as a corporate data retention policy, storage policy, and destruction policy should be created. Sensitive information should be placed in a separate collection bin for sensitive documents, papers, and magnetic media. The following external data and media access controls are typically used:
Accountability is the end result of the identification and authentication system. The assurance of accountability is the guarantee that the user or subject has been proven to be who they say they are. When you use a strong identification and authentication system, users of the system may not deny their actions. With the concept of nonrepudiation, strong identification and authentication plus the implementation of log files are used so that the receiver cannot deny receiving a message.
A trust architecture is a relationship that is established between domains that allows users in one domain access to shared resources that are contained in another domain based upon authentication and authorization. Many organizations establish a number of domains on their internal network. The combination of all of these domains is referred to as an internetwork. For example, domains may be established for the marketing department, sales department, and accounting department. It may be obvious that individuals within the sales department may not require access to resources within the accounting department domain. However, users within the accounting department may require access to servers in the sales department domain in order to create daily sales reports. In this case, a type of internetwork trust relationship is established between the accounting department domain and sales department domain.
Trust is a logical relationship between domains that utilizes an authentication process that verifies the identity of the user and an authorization process that determines the rights and privileges the user is granted on the resource domain. Here are some of the terms used in this process.
The security practitioner must be familiar with a variety of methods available to identify and authenticate users requesting access to data and resources. In the event the user is in a remote location from the company network, the authentication procedure is referred to as remote authentication.
Centralized authentication is a method by which users can log onto a network one time using identification and authentication techniques. Centralized refers to the technique of having one central authentication server providing user lookup services and allowing or disallowing access to the data and resources. One centralized system may be used by thousands or tens of thousands of users to access organizational resources.
With decentralized authentication, every server or application is required to verify the identification and authentication of the user requesting access. As you may imagine, this may be a huge task to maintain adequate access control lists on each and every application and resource within an organization. Decentralized authentication may be applied in very specific and vertical instances where a limited number of users have been given rights and privileges to the resource. As the number of users grows, the more arduous the task of administering user rights becomes.
Single sign-on (SSO) is an identification and authentication technique whereby the user signs on one time and has access to multiple applications. The user authenticates one time, and the system passes this authentication to applications and other entities. This is known as single sign-on authentication. It increases password security by reducing the number of passwords a user must remember. The risk in this process is that an attacker has access to multiple applications if the user password is discovered. Several single sign-on authentication mechanisms exist. One of the most popular is Kerberos.
Kerberos, a computer network authentication protocol, is named after Cerberus, the three-headed hound of Hades in Greek mythology. It was originally programmed for Unix by a group from the Massachusetts Institute of Technology (MIT) in the late 1980s. All Microsoft Windows implementations after Windows 2000 use Kerberos as the default authentication protocol.
The current Kerberos model is based on a transitive trust system. In such a system, if A trusts B and C trusts B, then A trusts C. In this example, B is represented by a Kerberos server and A, desiring to access C, would be authenticated by the Kerberos server. All of this is performed through the use of tickets.
The use of this system would be to achieve the following scenario:
The user sends an authentication request to the Kerberos authentication server.
The Kerberos server responds with a secret symmetric key and a ticket-granting ticket (TGT), which is time stamped.
When the user desires access to a specific application, the user sends the request to a Kerberos ticket-granting server.
Upon receiving the ticket-granting ticket, the ticket-granting server responds with a ticket for use with the target application. This ticket contains the symmetric key of the ticket-granting server.
The user presents the time-stamped session ticket to the application.
The application server verifies the session ticket by comparing the symmetric key contained in the ticket with the pre-shared key it has stored. If they match, the application server has authenticated both the user and the ticket.
In the preceding scenario, the user is authenticated by a server one time. The server issues a ticket granting ticket to the user that can be used to request session tickets or access to servers. When the user wishes to access another server resource, the user issues the ticket-granting ticket and specifies the resource. A resource-specific session ticket is issued to the user. The user presents this ticket to the requested application server. Through the use of pre-shared symmetric encryption keys, the application server verifies the authentication of the user and ticket.
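The exchange just described, as an added simulation (my own, not code from the book or from MIT Kerberos). It follows the chapter's simplified description: a KDC acting as both authentication server and ticket-granting server issues a time-stamped TGT, exchanges it for a service ticket bound to the key it shares with the application server, and the application server accepts the ticket only if that pre-shared key verifies it and it has not expired. Tickets here are JSON structures tagged with HMAC-SHA256 rather than the encrypted tickets of real Kerberos, and the authenticators and session-key usage of the real protocol are left out. User names, passwords, service names, the ticket lifetime and the clock values are constructed.

```python
"""Kerberos-style ticket exchange, simplified as in the chapter's description.

Added example, not code from the book or from any Kerberos implementation.
Tickets are JSON payloads authenticated with HMAC-SHA256 under the key the
verifier shares with the issuer; real Kerberos encrypts tickets and adds
authenticators, which this model omits. Names, keys and clock values are
constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

TICKET_LIFETIME = 300  # seconds; constructed


def _tag(key: bytes, payload: dict) -> str:
    """Bind a ticket payload to a key; only a holder of the key can produce it."""
    canonical = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_ticket(key: bytes, payload: dict) -> dict:
    return {"payload": payload, "tag": _tag(key, payload)}


def verify_ticket(key: bytes, ticket: dict, now: int) -> bool:
    """Check the tag with the verifier's own key, then the time stamp."""
    if not hmac.compare_digest(ticket["tag"], _tag(key, ticket["payload"])):
        return False
    return now < ticket["payload"]["expires"]


class KDC:
    """Authentication server and ticket-granting server in one object."""

    def __init__(self, credentials: dict, service_keys: dict):
        self.credentials = credentials        # constructed: user -> password
        self.service_keys = service_keys      # keys pre-shared with app servers
        self.k_tgs = secrets.token_bytes(32)  # key that protects TGTs

    def authenticate(self, user: str, password: str, now: int) -> Optional[Tuple[str, dict]]:
        """First exchange: verify the user, return a session key and a TGT."""
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        tgt = make_ticket(self.k_tgs, {"user": user, "issued": now,
                                       "expires": now + TICKET_LIFETIME})
        return secrets.token_hex(16), tgt

    def grant(self, tgt: dict, service: str, now: int) -> Optional[dict]:
        """Second exchange: on a valid TGT, issue a ticket for the named service
        under the key shared with that service's application server."""
        if not verify_ticket(self.k_tgs, tgt, now) or service not in self.service_keys:
            return None
        payload = {"user": tgt["payload"]["user"], "service": service,
                   "issued": now, "expires": now + TICKET_LIFETIME}
        return make_ticket(self.service_keys[service], payload)


class ApplicationServer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: dict, now: int) -> Optional[str]:
        """Third exchange: verify with the pre-shared key; return the user or None."""
        if not verify_ticket(self.key, ticket, now) or ticket["payload"]["service"] != self.name:
            return None
        return ticket["payload"]["user"]


def login_and_access(kdc: KDC, app: ApplicationServer, user: str, password: str, now: int) -> Optional[str]:
    """Run the whole exchange; return the user the application accepted, or None."""
    auth = kdc.authenticate(user, password, now)
    if auth is None:
        return None
    _session_key, tgt = auth
    ticket = kdc.grant(tgt, app.name, now)
    return None if ticket is None else app.accept(ticket, now)


if __name__ == "__main__":
    k_files = secrets.token_bytes(32)
    kdc = KDC({"alice": "correct horse"}, {"fileshare": k_files})
    files = ApplicationServer("fileshare", k_files)
    print(login_and_access(kdc, files, "alice", "correct horse", now=1000))
```

Two properties worth noticing: the application server never talks to the KDC during the final step, so a ticket forged without the pre-shared key fails the tag check locally, and because acceptance depends on the time stamp, every party's clock has to agree within the ticket lifetime.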
Federated access allows users to be identified and authenticated to multiple networks or systems. Where single sign-on allows users to access servers and applications within a single network system, federated access is an agreement between different companies or networks to allow the identified and authenticated user on one network to access another network.
An example of federated access is evident during the use of popular flight and hotel room booking websites. Once you log on and make your flight or room reservation, you might be asked if you would like to rent a car. When you select a car rental company, your identification and authentication information is passed by means of the federated database to the federated partner. That auto rental company will then allow you to book a rental car using your original sign-on information.
The cloud is defined as hardware and software provided to a user on a requested basis. The cloud may be both internal to the organization and external, as provided by a cloud service provider. The advantage to using the cloud is that the user generally does not have to own the equipment that provides the cloud services. Also, the user pays only for the services they utilize. In other words, the cloud may expand and contract depending upon what the user is willing to pay.
There are two primary types of cloud services:
The concept of the cloud is predicated on the concept of virtualization. Virtualization is primarily running an application, database, or operating system that is completely separate from the hardware on which it is running. For instance, a number of virtualized application servers may be running on one physical server. This is the basis for cloud computing.
The following list includes some of the concepts of cloud computing:
Cloud security is concerned with the following vulnerabilities:
Controls are put in place to limit risk. Access controls are used to establish the methods by which users, called subjects, may access resources, called objects. There are three types of controls. Physical controls in the form of locks, doors, and fences physically provide barriers to entry by locking or securing an entrance. Logical controls in the form of firewalls, routers, and other computer hardware control access to digital resources such as networks and data. Administrative controls in the form of policies and enforced by rules, AUPs, and signs convey information concerning access to either physical or digital assets and resources.
In this chapter we discussed what should be protected within a business or agency. Assets and resources fall into three general categories: digital assets, physical assets, and information assets. Protection of these assets is based upon their value. This value may be expressed purely in monetary terms or may also include subjective expense based upon the harm to the business if an asset was damaged or released to the public. During a risk assessment process, a threat is identified and a control is placed to reduce a vulnerability of the asset. During active access control, we are not only controlling the access by authorized users but also limiting access by unauthorized users, bad actors, and the malware they may send in the direction of our resources and assets.
The security practitioner has a variety of tools and methods available to control access. Foremost is the ability to identify and authenticate the user or system requesting access. The identification and authentication process makes use of one or more factors of information. The use of multiple factors ensures that the user or system requesting access is actually who they claim to be. Users may be authorized to access resources based upon various security access models. These models include discretionary access control, during which the data owner assigns access; mandatory access control, which labels both the user and the data and uses a matching system to allow access; and finally, role-based access control, where users are granted access as members of a group. Various rules may be established, such as time of day access, and this is referred to as rule-based access control.
The security practitioner should completely understand the requirements for access control and the methods, products, policies, and actions that may be implemented to provide access control and therefore security and protection for assets and resources.
You can find the answers in Appendix A.
You can find the answers in Appendix B.
A. Evaluation
B. Identification
C. Authentication
D. Authorization
A. Authorization
B. Single Sign-on
C. Multi-factor
D. Enrollment
A. The encryption password should be changed more frequently
B. The data should be used less frequently
C. The data should be hidden from other processes
D. Users should be provided public encryption keys
A. Physical, detective, and logical (technical)
B. Administrative, physical, and preventative
C. Administrative, logical (technical), and physical
D. Physical, logical (technical), and administrative
A. The password must be used within a variable time interval
B. The password must be used within a fixed time interval
C. The password is not dependent upon time
D. The password is of variable length
A. Reduction a social networking
B. The elimination of risk when allowing users on a network
C. The use of identification and authorization techniques
D. The use of federated identities
A. Mandatory access control
B. Rule-based access control
C. Sensitivity-based access control
D. Discretionary access control
A. Mandatory Access Control
B. Role-based Access Control
C. Rule-Based Access Control
D. Label-based Access Control
A. Setup time
B. Login time
C. Enrollment time
D. Throughput time
A. Authentication
B. Accounting review
C. Authorization
D. Availability
A. All systems and data should be available
B. Any changes to applications for equipment must be approved
C. All data should be encrypted in transit
D. Data should not change between sender and receiver
A. The concept of hiding data from view while in storage
B. Limiting the data the user may observe on a computer screen produced from a database
C. Allowing a user to only view unencrypted data
D. A rule-based control of a database
A. They are anonymous users
B. They are super-users or administrators
C. They all must work in the IT department
D. By default have access to everything on the network
A. The full palm print is stored in memory.
B. A number of points extracted from the item scanned are stored.
C. Scan data is always stored in the cloud for rapid retrieval.
D. It is always used with a second method of authentication.
A. Identity and voice prints
B. Roles and rules
C. Subject and object labels
D. Identity and several factor authentication
A. A password and user name
B. A user ID and an account number
C. A PIN and an RFID card
D. A fingerprint and signature
A. Database usage rate
B. Employee opt-out rate
C. Symmetric and asymmetric rate
D. False rejection rate and false acceptance rate
A. Cost of the device
B. False acceptance rate and false rejection rate
C. Limitation of the enrollment database
D. Requirement for continuous adjustment
A. Role-based logon controls
B. Identification and integrity control
C. Mandatory access controls
D. Log-off due to the user inactivity
A. Session level password
B. Self assigned password
C. Dynamic password
D. Variable password