Chapter 3
Domain 1: Access Controls

Access control provides users with a method of accessing system resources. It also places limits on how users access the resources, what user actions can be performed, and what resources users can access. Access controls limit general public access by requiring identification, verifying or authenticating the identified user, and then authorizing the user, thus providing them with predefined rights and privileges on the system.

The access control system must provide system administrators with the ability to limit and monitor users who have access to a system and to control or restrain the actions that they can perform. Access control systems define what level of access the user has on a system based on predefined conditions such as the user's authority level or membership in a group or by matching a security level with a specific category of the information being accessed. Various information access models are available to the security practitioner, and several may be used simultaneously within a business or IT system.

The SSCP access control domain requires knowledge of the techniques and mechanisms that allow security practitioners the ability to protect the organization's systems or resource assets.

An important first step of the identification and authentication process is the identification of the individual user. An access control system must be able to accept the user identification in a format it recognizes and be able to convey this information to a processing system where the identification is compared against a list of users authorized to access the resource.

In this chapter about the access control domain, you will learn about access control models that you can use to determine both the access to a resource and who determines the access permissions. You will also learn about the information control models that can be employed to limit what the user can do once they are allowed access to the information or resource.

The security practitioner must be completely proficient with the three types of controls (physical, logical, and administrative) and should be accomplished at employing each of them to provide a layered security and defense in depth environment.

What Are Controls?

A system administrator or security manager must have the ability to limit risk. Risk is inherent in every IT environment. A threat such as a hacker or intruder identifies and exploits a weakness, referred to as vulnerability. Vulnerabilities exist throughout applications, databases, and entire networks.

The act of limiting risk is referred to as mitigation. The tools available to mitigate a risk are called controls. The access control techniques and mechanisms are described as follows:

  1. Physical Controls These include doors, locks, and fences.
  2. Logical Controls These include an access control list (ACL), an intrusion detection system (IDS), firewalls, routers, virus protection software, and activity logging mechanisms.
  3. Administrative Controls These include banners, signs, policies or procedures, directives, rules or regulations, and documents or log-on screens.

In everyday conversations, the word control and the word countermeasures refer to the same item or concept. In most cases, all three types of controls are in use all of the time. (The three types of controls are described in detail in the section “Types of Access Controls” later in this chapter.)

What Should Be Protected?

The first step in determining the security for an organization is to determine what resources and assets need to be protected. Resources and assets fall into three general categories: physical assets, digital assets and information assets.

  1. Physical Assets Tangible things such as the building, property or business equipment (which includes network hardware), and people
  2. Digital Assets Generally consist of the data contained or stored on the IT systems
  3. Information Assets The content information represented by the digital data

Information assets can be classified based upon the financial value to the business or what harm would be done if information was lost, destroyed, or released to the public. For instance, the business category in which the organization is involved is general public knowledge, but the release of a trade secret identifying exactly how the business creates its product could do irreparable harm to the business. Information assets might be ranked from unclassified to confidential. Or it could be ranked on a valuation scale, such as zero dollars to many millions of dollars of cost in the event of information release or loss.

A task of a security practitioner is to identify the resources and assets requiring protection and rank them using either an asset valuation system or a sensitivity and potential harm system. In risk analysis, there are a number of methods used in performing this task. In all situations, the most valuable asset to be protected is people. For example, in the event of fire, bomb threats, or other life-threatening emergency situations, the safety and well-being of the people in the environment is always the primary concern. People must be evacuated or protected from the threat. Evacuation programs, exit markings, emergency lighting, and fire protection systems as well as emergency evacuation drills must all be part of the general safety policy for the environment or building.

Why Control Access?

Controlling access is vital to the health of your systems, networks, and data. With access, a user or attacker can do anything to your system. If they cannot get access, they can do nothing to the system. Access controls also provide a level of accountability and the ability to audit what the authorized user is doing while in the system.

Although the concept of access controls may be easy to comprehend, the application is frequently more complex. A balance must be achieved between resource protection, control mechanism cost, and user-friendliness. Controls must be consistent with the organization's security policy; they must provide adequate protection of the resource at a reasonable cost yet not be so arduous that users attempt to find a workaround to save time or effort.

An additional concept of access control is referred to as layered security or defense in depth. This is a simple concept of establishing a number of roadblocks the adversary must cross in order to access the resource.

The defense-in-depth strategy utilizes multiple layers of controls and relies upon a couple of concepts:

  1. Discourage an Attack The first concept is to frustrate or deter the attacker. If the prize is not worth the hassle, perhaps the attacker will move on. When this concept is employed, the attacker may perceive that there are just too many obstacles to overcome, that the time to penetrate these obstacles is too long, or finally, that the ultimate value of the prize being sought is insufficient for the amount of effort expended.

    This technique is evident with the application of simple versus complex passwords. A simple password may take several hours to crack, and a complex password, utilizing numbers, special characters, and capitalization, may take 1,000 years to crack using the same computing equipment.

  2. Slow the Attacker The second concept is to slow down the attacker. For instance, even if the attacker tripped the house alarm, thus notifying the authorities, scaling a fence and picking the padlock would take enough time for the police to arrive and arrest the attacker.

The overall consideration of placing various controls in the path of an attacker is cost. Is it prudent to spend $2,500 on controls such as video equipment, special lighting, and police alarm systems just to protect $300 worth of garden tools and equipment? The security practitioner must be constantly aware of how the cost of controls compares to the value of the systems or data being protected.

Subjects and Objects

There are two terms related to access control: subject and object.

  1. Subject A subject is the user or entity taking the action or accessing a resource such as a database.
  2. Object An object is the item or resource being acted upon. For instance, a user accessing a software application is the subject, and the software application would be the object.

In some cases, items may change relationships (Figure 3.1). In such an event, an object becomes a subject and then reverses roles again. For instance, the user (subject) accesses an application requesting information. The application (object), in an effort to respond to the user (subject), requires information from a database. The application now becomes a (subject) to the database (object). Once the data is retrieved, the application once again reverts to an (object) role and responds to the user (subject).


Figure 3.1 The relationships between subjects and objects

Types of Access Controls

As mentioned earlier, there are three general categories of controls: physical, logical, and administrative. Virtually all controls can be placed in one of these categories. There is a security principle you will hear many times. It is the principle of implicit deny. In simple terms, it refers to excluding everyone except those you have specifically (explicitly) allowed to enter. It is much easier to work with a small group of users or items than it is to work with a large group of items that includes everything. As a simple example, four people work in the server room and require access. It makes sense to give these four people access keys to the room while excluding all other persons.

The same principle might be applied to children viewing television, persons accessing websites at work, or the general public accessing your private business network on the Internet. It is much easier to list what users can do than it is to list everything they cannot do. In the world of security, the list of what the user can access is referred to as included by exception, a white list, or explicitly allowed. The restricted list, or the list of what is not allowed, is referred to as black list, or implicit deny. Implicit deny is a main feature of most router rule lists. It denies all incoming traffic that has not specifically been allowed by an explicitly written rule.
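As an added example (not from the book), the router rule-list behaviour described above in Python: each packet is checked against an ordered list of explicitly allowed flows, and anything that matches no rule falls through to the implicit deny. The rule fields, the `default_action` switch and the constructed rules and packets are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One entry of an ordered access list (fields are an illustrative assumption)."""
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None matches any port


def rule_matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return ip_address(src_ip) in ip_network(rule.src)


def evaluate(rules, src_ip: str, proto: str, dport: int, default_action: str = "deny"):
    """First matching rule wins. With no match the default applies: 'deny' is the
    implicit-deny (white list) model the chapter describes; 'allow' is the black-list
    model, where anything nobody thought to list gets through."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, src_ip, proto, dport):
            return rule.action, index
    return default_action, None


# Constructed rule list: web from anywhere, SSH only from the admin subnet.
RULES = [
    Rule("allow", "0.0.0.0/0", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "tcp", 443),
    Rule("allow", "10.1.0.0/24", "tcp", 22),
]

# Constructed packets (the outside host uses an RFC 5737 documentation address).
PACKETS = [
    ("203.0.113.7", "tcp", 443),  # public HTTPS: matches rule 1
    ("10.1.0.5", "tcp", 22),      # admin-subnet SSH: matches rule 2
    ("203.0.113.7", "tcp", 22),   # SSH from the Internet: no rule, implicit deny
    ("10.1.0.5", "udp", 53),      # DNS: nobody wrote a rule, implicit deny
]


def decisions(rules, packets, default_action: str = "deny"):
    """Decision for each packet as (verdict, index of the matching rule or None)."""
    return [evaluate(rules, *pkt, default_action=default_action) for pkt in packets]


if __name__ == "__main__":
    for pkt, (verdict, idx) in zip(PACKETS, decisions(RULES, PACKETS)):
        why = f"rule {idx}" if idx is not None else "implicit deny"
        print(f"{pkt}: {verdict} ({why})")
```

Running the same packets with `default_action="allow"` shows why the black-list model is harder to get right: the two unlisted flows are waved through instead of dropped.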

Physical Access Controls

A physical access control is all the items listed in the backyard shed example earlier in this chapter. The purpose is to keep a physical intruder from penetrating a physical property area. The following physical access controls can be used:

  • Closed doors
  • Locks
  • Chains
  • Bars across doors
  • Cages
  • Earthen berms
  • Driveway spikes
  • Bulletproof glass
  • Fences
  • Lighting
  • Security alarms
  • Video surveillance
  • Guard dogs
  • Human guards
  • Exterior walls
  • Infrared motion detectors
  • Glass breakage detectors
  • Mantraps
  • Intrusion alarms

Physical controls are usually independent of computer hardware, software, and communication systems. Locks, gates, lights, and detectors generally do not report in, with the exception of very high-security installations. Of course, there may be locks that use a logical device such as a card reader or other mechanism to trigger (open) a device. These are still classified as physical access controls.

Physical controls restrict or prohibit access to the physical components of the infrastructure such as wiring closets, wireless access points, server rooms, and communication lines. Physical security is an important concern for the security practitioner in maintaining the layered security and defense-in-depth security concepts and works hand in hand with other access controls. A physical access control is usually the first line of defense.

Logical Access Controls

Logical access controls are those controls used to keep a digital intruder out of a network, host, or system. Logical controls are usually established to protect the data, applications, hardware, and network devices from hackers, malware, intruders, and simply mistakes users can make. These types of controls are usually grouped into two categories with much overlap. The categories are hardware and software. Firewalls, intrusion prevention systems (IPSs) and data loss prevention systems are typical logical hardware devices, whereas some firewalls, virus protection software, and Group Policy enforcement by an operating system are software controls. The following items are logical controls:

  • Firewalls
  • Routers
  • IDSs/IPSs
  • Data loss prevention systems
  • Unified Communications security devices
  • Proxy servers
  • Virtual networks
  • Virtual private networks (VPNs)
  • Application firewalls
  • Virus protection software
  • Authentication mechanisms
  • Encryption

Administrative Access Controls

Administrative access controls consist of policies, directives, regulations, and rules set up by a company to govern activities taken by individuals or to establish operating procedures. Every company or firm requires various policies. In some cases, these policies are imposed by an outside organization or regulation, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Securities and Exchange Commission (SEC), and the Payment Card Industry Data Security Standard (PCI DSS).

Administrative controls begin with policies that address a specific subject, all the way down to the person ultimately responsible for carrying out the action. Many new hires are introduced to IT security administrative controls immediately upon joining a company. They must often read, agree to, and sign an authorized use policy (AUP) that specifies how the user must behave when using the networks, information, and IT products of the company (Figure 3.2).

Screenshot of the Internet Explorer window displaying the College of East Hills IT Acceptable Use Policy web page.

Figure 3.2 A typical authorized use policy screen

Identification

The first step of access control is identification. Many might think that entering a username into a field is the first step in identification. This is not always the case. There may be a preceding step. For instance, in the case of logging into a bank account, the user might be prompted to click a “log in” link on the bank's home page. This click initiates the identification sequence. In such cases, the bank system responds with a login screen featuring a field for the username and a field for a user password (Figure 3.3). The blank for the username is the request for identification information. In other situations, the swiping of a card in a gas pump or at a grocery store initiates the login sequence. Access control identification may also allow access to specific places by swiping an access card at a doorway reader, thus identifying the user and unlocking the door.

Screenshot of a log in screen presenting the data entry fields for email address, password, and CAPTCHA authentication and a LOGIN button at the bottom left.

Figure 3.3 A typical login screen

The goal of these systems is to differentiate one user from another. A unique username, personal email address, or account number will initiate the identification sequence. During this sequence, the system will compare the received identification information with some sort of internal database; in the case of a Microsoft system, this might be Active Directory (AD). In the event the user is not identified, the system may present an error screen or in some cases a screen offering the user the ability to create a new account. If the user identification is recognized, the system will proceed to the next step. This step usually involves the request for additional authorization information.

The challenge to security practitioners with regard to identification is that the person entering the data or swiping the card may not be the person you want to have access. Anyone knowing that the web page username field requires an email address could easily type someone else's email address. The person swiping the card might have just stolen it. This is why more verification information is required before allowing access into the system or location.

Authentication

Authentication is the process of proving the identity professed by the user. As you have seen, anyone can enter a username or swipe a card. The next step is to authenticate the user to the system (Figure 3.4). The most common method of authentication is to have the user enter a password. On ATMs and gas pumps, or with various credit cards and debit cards, this might be in the form of a personal identification number (PIN). When a credit card is used at some gas pumps, the billing address zip code may be requested. Because most credit cards require only a PIN to withdraw money, the zip code is utilized as a piece of authentication information that a thief would not know. This password, PIN, or zip code, along with the username or identification, is again compared to the information in a system database to determine that the user is actually the user. This is the authentication step.


Figure 3.4 User entering PIN into a reader device

The challenge for security practitioners is that besides the attacker using a stolen identification, there are many ways of breaking a password, PIN, or other methods of authentication. If an attacker is both identified and authenticated correctly and allowed into the system, this is referred to in security as a false positive and is a serious situation. It means that an unknown person has been granted permission into the system. To combat this possibility, there are many authentication methods that exist.

Many might think that identification and authentication occur only when the user is logging on to the system or network. There are a great many places on a network where identification and authentication can take place. False positive and false negative errors may occur in a number of different situations. The frequency of these errors is referred to as an error rate. Generally, all access control and authentication is performed by comparing user information with some type of list. Identification and authentication might take place when the following items are used:

  1. Firewalls and Routers Firewalls and routers compare incoming access requests to a set of rules. The rules are established by an administrator and may be either broad in nature or very restrictive. For instance, many firewalls might allow HTTP traffic yet restrict traffic from specific URLs. A router may allow or disallow a specific IP address through the use of an access rule programmed into the router.
  2. Intrusion Prevention System An intrusion prevention system (IPS) inspects packets on a network. Packet construction and contents are compared to a type of list called a signatures list. Packets represent the data that a user is sending over a network. An IPS is inspecting packets as if each packet is requesting access. Packets identified by the IPS as being threats to the system are not allowed to pass and are dropped.
  3. Switches A switch is a device that routes network communications based upon the Media Access Control (MAC) address of a device. Switches are programmed with an access list of MAC addresses that may pass through or be denied by the switch.
  4. Virus Protection Software Similarly to the IPS, virus protection software inspects data coming into a network, on a host computer, or currently in storage against a type of list called a signatures list. The signature data file contains profiles of known malicious software. The virus protection software then takes steps to deny access or trigger an alert.

Access control not only identifies and authenticates users to allow access to a network or application, it can be made granular enough to inspect packets on a network or specific host machines and grant or deny access based upon a list or other identification/authentication technique.

Factors of Authentication

There are several types of authentication methods. They are referred to as factors. A factor is an item or attribute that can be specifically linked to the user. Most authentication attributes fall into five main categories:

  1. Something You Know This includes any information committed to memory or in written form, such as passwords, PINs, the street you grew up on, your favorite teacher, or personal information such as your zip code or account number.
  2. Something You Have This includes credit cards, digital proximity cards, radio-frequency identification (RFID) devices, hardware tokens, photo ID badges, and smartphones for SMS/text messages.
  3. Something You Are This includes the use of a biometric system to verify the user's physical characteristics such as fingerprints, palm scans, iris or retina scans, facial feature scans, key stroke dynamics, weight, or speech recognition.
  4. Somewhere You Are This uses a geolocation or geotagging system to physically locate the user by recognizing the user access point or terminal, IP address, satellite triangulation, or cell towers in use.
  5. Something You Do This makes use of various traits exhibited by the individual. These traits include voice patterns, heart rhythms, handwriting analysis, and keyboard typing characteristics.

The attributes are explained in detail in the following sections.

Something You Know

Something you know is the most common form of authentication. In most instances, the user enters a password. Passwords can prove to be the weakest type of authentication. The security practitioner may employ a number of techniques that increases the security of user passwords:

  1. Never use default passwords. Users, as well as network administrators, should not use the password that came from the factory. Passwords must be changed on all network hardware items. Users must never be allowed to use pass or password as a password.
  2. Change passwords often. Many organizations establish a password change period within a password policy document. This may be as often as every 30 days but should be no longer than every 90 days. Group Policy Manager is usually used to enforce password change policy.
  3. Make passwords sufficiently strong. Passwords should never be common dictionary words of any language, names, personal identification numbers, pet names, or anything that can easily be guessed. Passwords should be a minimum of seven characters in length and consist of upper- and lowercase letters, numbers, and special characters.
  4. Never write passwords down. Frequently passwords are found around the user's work area on sticky notes, note pads, diaries, or even books or papers. As a security practitioner, never make a password so complex that it forces the user to write it down and refer to the note.
  5. Never tell your password to anyone. One of the most popular social engineering attacks is a call from a tech department requesting the user's password. Frequently, someone is away from the office and calls to ask a friend to access their system using their password. Or, a temporary employee is given the password of the permanent employee they are replacing.
  6. Use audit tools to verify password strength. There are many third-party applications as well as operating system tools that allow the security practitioner to scan passwords and verify the strength by checking for special characters, password length, numbers, and duration on the system.

In Exercise 3.1, you will see how to check the strength of passwords. You will also read helpful text concerning the construction of strong passwords.
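As an added example (not from the book or from Exercise 3.1), a small password audit in Python that applies the rules listed above: the seven-character minimum, the four character classes, and a rejection of factory defaults and dictionary words even when digits or punctuation are tacked on. The word list and the sample accounts are constructed; a real audit would use a full dictionary file.

```python
import string

MIN_LENGTH = 7                      # the chapter's stated minimum length
SPECIAL = set(string.punctuation)   # what counts as a "special character" here

# Constructed mini word list standing in for a real dictionary file; it also
# covers the factory defaults the chapter says must never be used.
WORD_LIST = {"password", "pass", "welcome", "letmein", "admin", "qwerty", "rover"}


def password_findings(password: str, word_list=WORD_LIST) -> list:
    """Return the policy rules the password breaks (an empty list means it passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in SPECIAL for c in password):
        findings.append("no special character")
    # Strip digits and punctuation from both ends so that "Password1!" is still
    # caught as the dictionary word it is built on.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in word_list:
        findings.append("built on a dictionary or default word")
    return findings


def is_strong(password: str) -> bool:
    return not password_findings(password)


def audit(accounts: dict) -> dict:
    """Map each account name to its findings; only accounts with weak passwords appear."""
    report = {}
    for user, pw in accounts.items():
        findings = password_findings(pw)
        if findings:
            report[user] = findings
    return report


# Constructed sample accounts for the audit run.
SAMPLE_ACCOUNTS = {
    "jsmith": "Password1!",      # every character class, but a dictionary word underneath
    "router-admin": "admin",     # factory default left on a network device
    "mlee": "Tr0ub4d&r",         # passes every rule in the list
}


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```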

Something you know can also be a secondary authentication question (Figure 3.5). Many financial accounts require a username for identification, a password for initial authentication, and then some personal information not likely known by many others. This additional personal information is usually in the form of several questions the user is asked upon account setup. Such questions might include mother's maiden name, the street where you lived when you were 10 years old, your favorite teacher, the best man, and the city where you were married. The problem with this is that some of this information is readily available knowledge. Users should select questions and answers that are not easily publicly found, such as favorite teacher or best man.

Screenshot of a log in verification page presenting a user's registered UserID with a challenge question and an empty field for the answer. Checkbox for future log in access and Submit button are located below.

Figure 3.5 Typical login verification question

Another form of something you know authentication is the use of CAPTCHA characters (Figure 3.6). CAPTCHA is the acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. This is a challenge-and-response system featuring a set of numbers and letters in various shapes with varying backgrounds. The challenge is for the user to visually recognize the characters and knowingly retype them into a form. This technique is used to determine if the user is a human or a machine. A machine may be able to break a user's password, but it still would not be able to pass this test. The machine would not be able to visually read or recognize the shapes of the CAPTCHA characters.


Figure 3.6 This figure illustrates CAPTCHA characters

Something You Have

Many people carry an ATM card, driver's license, student ID, smartphone, credit card, or proximity card. Each of these can be used to establish authentication. For instance, if you are stopped by the police, you may verbally state your name, but a driver's license or other identification issued by an authority such as a state department of motor vehicles or a university, in the case of a student ID, is used by the officer to establish if you are stating the correct name. This is an example of something you have.

Many corporate and federal employees are issued proximity keys or cards to access facilities. Specific data is embedded within the card. Although they are not internally powered, they feature a type of antenna that receives a signal from a nearby receiver (Figure 3.7). This stimulates the card and provides sufficient energy for the card electronics to respond to the card reader and transmit information. This technique is also utilized on many toll roads across the country. A small device typically placed on the windshield responds to a signal transmitted toward the auto and the device responds with identification and authentication information allowing the toll authority to debit the person's account.

Photos of a U.S. toll authority RFID tag facing the windshield (left) and facing the driver (right).

Figure 3.7 Toll authority RFID device

Many businesses provide employees with a personal badge that has a name, ID number, and photo of the employee (Figure 3.8). Many of these badges also contain micro-electronics that allow the individual to access various doors within the facility. Most facilities log the entry and exit of individuals throughout the premises.


Figure 3.8 Standard ID badge with proximity chip

Another type of card is a smart card; in government organizations this might be referred to as a common access card (CAC). This type of card features circuitry that stores the user's certificate. The certificate contains the user's public key for authentication as well as encryption, although in this case it is primarily used for authentication. The card is usually placed into a card reader to be read. Since the card might be lost or stolen, a second authentication factor is usually required such as a biometric input, PIN, or password.

Something You Are

Something you are is a physical characteristic that is unique to you and your body. Biometrics is the science and technology of recognizing a user based upon their body. For instance, law enforcement can identify individuals by fingerprints, footprints, palm prints, blood samples, and DNA.

In business today, various biometric techniques are used to identify and authenticate individuals:

  1. Fingerprints Fingerprints have been used for identification by law enforcement for many decades. A fingerprint is obtained by scanning one or more fingers several times. This digital fingerprint image is used to generate a finger image identifier record that can be used to compare with future scans. Fingerprint recognition in biometrics is one of the most widely used techniques now being used on laptops, tablets, and personal cell phones. In finger-scan technology, only the features extracted from the fingerprint are stored. This allows rapid one-to-many fingerprint data searches. In fingerprint technology, entire fingerprints are stored on a system, requiring large amounts of storage.
  2. Iris and Retina Scans Iris scans map the colored part of the eye, recording the unique color, patterns, and textures (Figure 3.9). A retina scan has proven to be extremely reliable, more reliable than using fingerprints and other biometric techniques. Retina scans are utilized by the government for access into sensitive locations and systems.
    Diagram of the retina scanning technique displaying a photo of an eye in the middle with steps 1 and 2 at the right and steps 3 and 4 at the left. Lines from steps 1 and 2 point to spots on the eye.

    Figure 3.9 Retina scanning technique

  3. Facial Recognition Similar to mapping points on a fingerprint, a facial scan records and traces various key points on the human face. Using measurements and placement of various features, a video or photograph of a face may be matched to facial signatures in a database.
  4. Weight Although not as popular as other biometrics, weight recognition has been utilized in mantraps to both authenticate an individual and alert authorities in the event of two persons in the mantrap, called “piggybacking.” Weight has also been used in alarm systems to warn if an intruder has placed weight on a room floor or object.
  5. Palm Prints and Palm Geometry This biometric method uses the physical palm geometry of the palm and fingers to uniquely verify an individual. In systems known as palm scans, a bright light is used to scan and map blood vessels within the hand to create a unique palm signature.

There are several challenging aspects to the use of biometrics. Any or all of these might be considered when implementing a biometric system:

  1. Enrollment Time Every biometric system must initially be set up with every user's unique information. For instance, for a retina scan device, every user must submit to an initial scan.
  2. Error Rate Every biometric device is comparing a current reading or capture with a saved signature. In some cases, an error can occur that prohibits passage or allows passage when it should not occur.
  3. Acquire Time Each user wanting access must submit to an acquisition of biometric information. This could be as simple as a fingerprint scan or palm scan or as complex as a retina scan or voice scan. Each scan requires an increment of time to acquire the sample information, and in each case the user must be present and wait during the scanning process.
  4. Throughput Time Once the biometric sample has been acquired from the user, it must be compared to the stored sample signature in the system database. This requires a period of processing time during which the user remains waiting for access. Should the system malfunction or service be denied, access to the facility or resource might be denied.
  5. One-to-One Search In this type of database search, the acquired information scan is compared against stored signatures or data samples for a potential match. Only specific data points of the acquired sample information are compared against similar data points stored in the system to speed the sort. Errors may occur when not enough points match.

Every biometric system faces its own challenges processing information and making decisions to allow or deny access to the user. When specifying a biometric authentication system, various terms and considerations are used.

  1. False Rejection Rate (FRR) FRR is referred to as a Type I error. This is the percentage of time a biometric system rejects a known good user, thus not allowing access.
  2. False Acceptance Rate (FAR) FAR is referred to as a Type II error. This is the percentage of time a biometric system falsely identifies as good an unknown user, thus allowing access.
  3. Crossover Error Rate (CER) The CER is where the false rejection rate (FRR) and false acceptance rate (FAR) cross over (Figure 3.10). A lower CER indicates a better biometric authentication system.
    [Figure 3.10: line graph of errors versus sensitivity; the False Acceptance Rate (FAR) curve falls and the False Rejection Rate (FRR) curve rises, meeting at the Crossover Error Rate (CER).]

    Figure 3.10 The crossover error rate (CER) is where the FAR and FRR intersect. The lower the CER, the better the biometric system.
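How FRR, FAR, and the CER are actually derived from a biometric system's match scores, as an added example that is not part of the SSCP text. The score lists are constructed: every comparison of a live sample with the stored signature is assumed to yield a similarity score from 0 to 100, and the system grants access when the score reaches a configurable threshold (the "sensitivity" axis of Figure 3.10).

```python
"""FRR, FAR and the crossover error rate computed from biometric match scores.

Added example, not from the SSCP text. The score lists are constructed: every
comparison between a live sample and the stored signature yields a similarity
score from 0 to 100, and the system grants access when the score reaches the
configured threshold.
"""

# Constructed sample scores (assumption): the enrolled user presenting (genuine)
# and other people presenting (impostor). Real systems collect thousands of each.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 73, 70, 66, 61]
IMPOSTOR_SCORES = [15, 22, 30, 38, 45, 52, 58, 63, 68, 74]


def false_rejection_rate(genuine_scores, threshold):
    """Type I error: share of genuine attempts that fall below the threshold."""
    rejected = sum(1 for score in genuine_scores if score < threshold)
    return rejected / len(genuine_scores)


def false_acceptance_rate(impostor_scores, threshold):
    """Type II error: share of impostor attempts that reach the threshold."""
    accepted = sum(1 for score in impostor_scores if score >= threshold)
    return accepted / len(impostor_scores)


def error_curves(genuine_scores, impostor_scores, thresholds):
    """(threshold, FRR, FAR) for every threshold: raising it lowers FAR and raises FRR."""
    return [(t, false_rejection_rate(genuine_scores, t), false_acceptance_rate(impostor_scores, t))
            for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores, thresholds):
    """Threshold at which FRR and FAR are closest, and the error rate there.

    With a finite sample the two curves rarely meet exactly, so the CER is taken
    as the mean of FRR and FAR at the first threshold minimising their gap."""
    best = None
    for t, frr, far in error_curves(genuine_scores, impostor_scores, thresholds):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t, frr, far in error_curves(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 81, 5)):
        print(f"threshold {t:3d}: FRR {frr:.2f}  FAR {far:.2f}")
    threshold, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101))
    print(f"CER {cer:.2f} at threshold {threshold}")
```

Sweeping the threshold reproduces the two curves of Figure 3.10: a strict threshold keeps impostors out (low FAR) at the cost of turning away legitimate users (high FRR), and the operating point is normally chosen near the CER or biased toward FRR when the protected resource is sensitive.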

Something You Do

Something you do is a trait that you have developed over the years. This trait is unique to you and has developed either through training, your upbringing, environment, or perhaps something unique to your body construction. Unique biometric scanning devices have been constructed to measure a variety of personal traits to be able to authenticate an individual. These traits are as follows:

  1. Signature Dynamics This recognizes how the subject creates letters and words. The subject is requested to sign their name or to write out a specific group of words. Items tested may include pen pressure, direction of strokes, and points where the pen was lifted from the page. The scanning system then examines the result and matches specific test points with those saved in memory. Signature dynamics is the biometric factor of handwriting analysis.
  2. Voice Pattern Recognition This acquisition system requires the individual to speak a phrase into a recording device. This is the same phrase that was originally recorded and stored in memory. The system examines features such as inflection points, volume, speaking speed, and pauses. The stored voice phrase in the biometric system is referred to as a voiceprint.
  3. Keystroke Dynamics Keystroke dynamics, also known as keyboard pattern recognition, recognizes how an individual types on the keyboard. Biometric systems of this kind measure two timings to generate a typing signature: flight time, the time a user takes between key depressions, and dwell time, the length of time a key is held depressed. The results of using keystroke dynamics as a biometric recognition system are inconsistent because users' typing methods change depending upon mood or environment.
  4. Heart/Pulse Pattern Researchers have identified that each person's heart beats in a unique pattern. This pattern may be detected with recognition software and used as a biometric authentication system. Typically this is achieved by the user wearing a wristband that monitors their heartbeat and its unique pattern and uses it to unlock phones, computers, and other nearby devices that belong to the user. This technique is somewhat similar to health and fitness trackers, with the current measurement of the user being compared to a stored signature for authentication purposes. Heart/pulse pattern recognition is a biometric authentication technique.
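The keystroke dynamics item above names the two measurements a typing signature is built from; the following added example (not from the SSCP text or any commercial product) shows how dwell and flight times are extracted from raw key events and compared against an enrolled signature. The key events are constructed: each entry is (key, key_down_ms, key_up_ms) while the user types the passphrase "secure", with timestamps in milliseconds from the first key press.

```python
"""Keystroke dynamics: building a typing signature from dwell and flight times.

Added example, not from the SSCP text. The key events below are constructed
samples of the passphrase "secure": (key, key_down_ms, key_up_ms).
"""

from statistics import mean

# Constructed enrollment sample (assumption) recorded when the user registered.
ENROLLED_EVENTS = [("s", 0, 95), ("e", 160, 240), ("c", 330, 420),
                   ("u", 480, 570), ("r", 640, 730), ("e", 790, 870)]

# Constructed login sample from the same user, a little slower than at enrollment.
LOGIN_EVENTS = [("s", 0, 100), ("e", 170, 255), ("c", 350, 445),
                ("u", 505, 600), ("r", 675, 770), ("e", 835, 920)]

# Constructed sample from a different typist with a markedly different rhythm.
OTHER_EVENTS = [("s", 0, 60), ("e", 300, 350), ("c", 600, 660),
                ("u", 1000, 1050), ("r", 1400, 1450), ("e", 1800, 1860)]


def dwell_times(events):
    """Dwell time: how long each key is held depressed."""
    return [up - down for _, down, up in events]


def flight_times(events):
    """Flight time: the interval between successive key depressions (the text's definition)."""
    return [events[i + 1][1] - events[i][1] for i in range(len(events) - 1)]


def typing_signature(events):
    """The feature vector stored at enrollment: all dwell times followed by all flight times."""
    return dwell_times(events) + flight_times(events)


def signature_distance(sample, template):
    """Mean absolute difference per feature, in milliseconds."""
    if len(sample) != len(template):
        raise ValueError("sample and template cover different passphrases")
    return mean(abs(a - b) for a, b in zip(sample, template))


def verify_typist(events, template, tolerance_ms=25):
    """Accept when the live rhythm is within tolerance of the enrolled signature.

    The tolerance is the knob behind the inconsistency the text mentions: too tight
    and a tired or hurried user is rejected, too loose and another typist gets in."""
    return signature_distance(typing_signature(events), template) <= tolerance_ms


if __name__ == "__main__":
    template = typing_signature(ENROLLED_EVENTS)
    print("enrolled signature:", template)
    print("same user accepted:", verify_typist(LOGIN_EVENTS, template))
    print("other typist accepted:", verify_typist(OTHER_EVENTS, template))
```

Real deployments average several enrollment samples per user and update the template over time precisely because, as the text notes, a single person's rhythm drifts with mood and environment.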

Somewhere You Are

Geolocation and geotagging are now used by many systems to identify where the user actually is located. Many software applications, retail stores, social media sites, and other systems ask for the user to allow themselves to be geolocated. Users may be identified and authenticated by their location. For instance, several major department stores are pushing ads out to cell phones as you walk through the store. You may receive a coupon on your phone as you drive past a coffee shop or another location. Major credit cards such as American Express will act on location anomalies when a charge is made in a foreign country if the user has no history of traveling to that country.

Single-Factor Authentication

With single-factor authentication, only one factor is used. An example of single-factor authentication is using the password required by a screensaver. The only factor required is something you know, which in this case is the password. Requiring the entry of two or more of the same type of factor is also regarded as single-factor authentication. When a user logs on to a network first thing in the morning, they may be required to enter an identification item such as a username or click a specific icon. The second item requested is usually a password. In this instance, both factors are the same type, something you know. Using two of the same types of factors during authentication is no stronger than using a single factor.

Multifactor Authentication

Multifactor authentication refers to using at least two different types of factors for authentication purposes. In many businesses today, employees are issued a pass card or smart card. This card generally allows access to various authorized doors within the building. In other cases, employees are required to authenticate into secure databases, applications, or other sensitive areas.

The two different types of authentication factors might be a typed-in password and a thumb print. A secure room might require a smart card scan and an iris scan. In any event, for it to be multifactor authentication, the factors must be different. The user cannot use a token and a smart card because they are the same type of factor, as are a thumb print and an iris scan. Multifactor means, for example, something I have and something I am, or it could mean something I know and something I have.

Token-Based Access Controls

Token-based access control is based upon a one-time password. Because the password is used only once, it is very difficult for a hacker to obtain it. The password is also only available for a very limited period of time, usually 60 seconds, after which it changes to a different password. Because the password is displayed only once and for a short period of time, it is almost impossible for an attacker to intercept it.

A token, or token device, is usually a small hardware device that displays a number (Figure 3.11). The token is synchronized with the authentication server so that the server always knows the number that is displayed. When the user wishes to log in or access an application, they enter the number that is visible at that moment. This indicates to the authentication server that this person has the token in their possession. This is an example of a something you have authentication factor.

[Figure 3.11: a key-like device whose rectangular body displays a six-digit number.]

Figure 3.11 An example of a token

Some hardware tokens are attached to key chains for user convenience. This type of token is referred to as a key fob. The device used to unlock a car door is a type of key fob. It sends a coded message to the car.

Another type of one-time password is OPIE, which is short for One-Time Passwords in Everything. This type of one-time password is based on S/KEY, a one-time password system used to generate passwords on some Unix systems. It is typically the user's actual password combined with other data and passed through a hashing algorithm. This technique generates a one-time password and makes use of the MD4 or MD5 hashing algorithm.
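The two one-time password mechanisms described above, the time-synchronized hardware token and the S/KEY-style hash chain behind OPIE, as one added example that is not from the SSCP text, any vendor's token firmware, or the OPIE/S/KEY source. Assumptions: the token and the authentication server share a secret seed and the displayed number changes every 60 seconds as the text states; the server tolerates one step of clock drift either way and never accepts a step it has already consumed, which is what makes each code good exactly once. The hash chain uses SHA-256 where S/KEY and OPIE used MD4 or MD5; the structure is the same.

```python
"""One-time passwords: a time-synchronised token and an S/KEY-style hash chain.

Added example, not from the SSCP text. Seeds, secrets and times are constructed.
"""

import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the text's 60-second token lifetime
DIGITS = 6


def token_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """The number the token displays: an HMAC of the current time step, truncated to digits.

    Both the token and the server can compute this because both hold the seed."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation: pick 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{(value % (10 ** digits)):0{digits}d}"


class TokenServer:
    """Holds the same seed as the token and remembers which time step was last used."""

    def __init__(self, seed, drift_steps=1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_used_step = -1

    def verify(self, submitted, now):
        current = now // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue                          # already consumed (or older): one use only
            expected = token_code(self.seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = step
                return True
        return False


def skey_hash(data):
    return hashlib.sha256(data).digest()


def skey_value(secret, seed, n):
    """Element n of the chain: the user's password plus seed, hashed n + 1 times."""
    value = skey_hash(secret + seed)
    for _ in range(n):
        value = skey_hash(value)
    return value


class SKeyServer:
    """Stores only the top of the chain; each successful login walks one step down it."""

    def __init__(self, secret, seed, count):
        # Enrollment: in practice the client computes the top value so the
        # secret itself never reaches the server.
        self.seed = seed
        self.count = count
        self.stored = skey_value(secret, seed, count)

    def challenge(self):
        """Tell the client which chain element to compute next."""
        return self.count - 1, self.seed

    def verify(self, candidate):
        if self.count == 0:
            return False                          # chain exhausted: re-enrol with a new seed
        if hmac.compare_digest(skey_hash(candidate), self.stored):
            self.stored = candidate               # the value just presented becomes the new top
            self.count -= 1
            return True
        return False
```

The two designs fail in different ways: a time-based token is only as good as the clock synchronization and the replay check, while the hash chain needs no clock but must be re-enrolled once its count runs out, and a server that forgets to advance `stored` would accept the same value twice.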

System-Level Access Controls

System-level access controls address two very specific requirements.

  1. The Value of the Information The first requirement is the value of the information. Information value is strictly in the eye of the beholder. If you are in business, financial and customer data is of utmost concern and value to you, but if you are in the government or military, data concerning troop movements, targets to attack, and logistics may be of utmost concern.
  2. The Method of Accessing the Information The second requirement is how the information is made available. For instance, can a database owner decide who has access to the data or work object and is there another means of relating the data specifically to the user or subject allowed to access it?

Discretionary Access Control (DAC)

With discretionary access control (DAC), access is granted to objects (data and applications) based upon the identity of the subject. Each subject is granted specific rights to the data. For example, when you share a folder on your desktop with three of your co-workers, you are exercising discretionary access control. As the data owner, you are granting access to your folder. At any time, you may restrict or revoke access to your folder, but the decision is completely yours. In the slightly more sophisticated environment of a Microsoft SharePoint administrator, the administrator may decide which users can read only, edit, or write to a data file. Again, this is completely discretionary based upon the value of the data in the eyes of the administrator, department head, or company.

In the Microsoft SharePoint example, the identity of the user is established by the user credentials at login to the Microsoft SharePoint system. Again, the Microsoft SharePoint administrator may easily, at their discretion, set the rights and privileges of that individual. Once the individual accesses the data folder or file, the software system checks the user credentials and allows the user to perform actions as established by the administrator or data owner. It is important to note that at any time the data owner or administrator may override the existing selections and make changes to the rights and privileges. Typically, the following actions may be granted to the user for a file:

  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write
  • Special

With discretionary access control, each data file or folder makes use of an access control list (ACL). The ACL lists the user and their permissions on a file or folder. While the ACL is associated with or is attached to an application or resource to control access, the subject may also have a list. This list is referred to as a capabilities list and is, in essence, a list of the rights and privileges granted to the user.
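A minimal DAC implementation that ties the pieces above together, as an added example that is not from the SSCP text and is not how Windows or SharePoint store ACLs: each resource carries an ACL, only its owner may grant or revoke entries, and the capabilities list is the same information viewed from the subject's side. The permission names are the ones listed above; which composite permissions imply which simpler ones is an assumption modelled loosely on NTFS, and the users and files are constructed.

```python
"""Discretionary access control: owner-managed ACLs and the subject's capabilities list.

Added example, not from the SSCP text. Users, files and the implication table
are constructed.
"""

# Composite permissions and the simpler permissions they include (assumption).
IMPLIED = {
    "Full Control": {"Modify", "Read & Execute", "List Folder Contents", "Read", "Write"},
    "Modify": {"Read & Execute", "List Folder Contents", "Read", "Write"},
    "Read & Execute": {"List Folder Contents", "Read"},
}
PERMISSIONS = set(IMPLIED) | {"List Folder Contents", "Read", "Write", "Special"}


class DacResource:
    """A file or folder whose owner decides, at their discretion, who may do what."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: {"Full Control"}}   # ACL: subject -> explicitly granted permissions

    def grant(self, actor, subject, permission):
        """Only the owner may add an ACL entry; anyone else is refused."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        self.acl.setdefault(subject, set()).add(permission)

    def revoke(self, actor, subject):
        """The owner may withdraw access at any time."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.pop(subject, None)

    def effective_permissions(self, subject):
        """Explicit grants expanded with everything they imply."""
        granted = self.acl.get(subject, set())
        effective = set(granted)
        for permission in granted:
            effective |= IMPLIED.get(permission, set())
        return effective

    def is_allowed(self, subject, permission):
        """The check the software performs when the subject opens the resource."""
        return permission in self.effective_permissions(subject)


def capabilities_list(subject, resources):
    """The subject-side list the text describes: every resource the subject can reach
    and the permissions held on it."""
    caps = {}
    for resource in resources:
        permissions = resource.effective_permissions(subject)
        if permissions:
            caps[resource.name] = sorted(permissions)
    return caps


def demo():
    """Alice shares two files with Bob, then withdraws one; returns Bob's capabilities before and after."""
    report = DacResource("Q3-report.xlsx", "alice")
    notes = DacResource("meeting-notes.txt", "alice")
    report.grant("alice", "bob", "Read & Execute")
    notes.grant("alice", "bob", "Modify")
    before = capabilities_list("bob", [report, notes])
    report.revoke("alice", "bob")
    after = capabilities_list("bob", [report, notes])
    return before, after
```

Note that nothing in the model stops the owner from handing "Full Control" to anyone at all; that is exactly the discretion the next sections' nondiscretionary and mandatory models remove.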

Nondiscretionary Access Control

Nondiscretionary access control (non-DAC) is used when a system administrator, management, or an information tagging/labeling system controls access to objects by subjects. In this case, the access might be granted by policy to a specific group of users. The system administrator is carrying out policy administration.

Mandatory Access Control

Mandatory access control (MAC) uses labels or tags to identify both subjects and objects and is a nondiscretionary access control model. It is the most secure model and is used by the U.S. military and federal government to protect classified data. With the MAC model, every piece of information (object) and every user (subject) has been given a label.

Currently the U.S. government maintains the following levels of information labels:

  1. Top Secret Release of this information is listed as causing “exceptionally grave damage” to national security.
  2. Secret Release of this information would do “serious damage” to national security.
  3. Confidential Release of this information would cause “damage” to national security.
  4. Unclassified This is not a security label but a general catchall for any information not labeled.

In the U.S. government and military, information is “classified” if it is in one of three levels: confidential, secret, or top secret. Individuals with the corresponding labels or clearances may access data. It is not uncommon for data to be compartmentalized. In this case, an individual with a Secret clearance is allowed access only on a “need to know” basis.

Many data labels exist for business data. Most businesses have proprietary information, trade secrets, and internal data that if made public might do substantial harm to the company. Business data may also be classified into compliance categories. Categories such as personal identification information (PII), HIPAA information, and various categories of financial information may be restricted by regulations. The following information security labels are typically used in business:

  1. Confidential Disclosure of this information may cause irreparable harm to the company.
  2. Internal Use Disclosure of this information may cause harm to the company.
  3. Public This classification of information is generally known to the public.

It has recently been made public that an estimated 4 million people have top secret clearance and an estimated 10.8 million government, private contractor, and military personnel have some sort of U.S. government security clearance. It is reported that an additional half-million security clearance requests are processed annually. Because so many people have access to it, top-secret information is put in separate compartments, accessible only to those people who have a need to know. The system is referred to as sensitive compartmented information (SCI) for intelligence information, while other highly secret and sensitive information specific to the military and other organizations is protected by compartmentalized special access programs (SAPs).

  1. Sensitive Compartmented Information (SCI) SCI is divided into 200 to 300 SCI compartments and subcompartments, and each compartment is named with a single code word. These compartments contain information specific to the intelligence community, such as the NSA, CIA, FBI, and other “alphabet” agencies. A famous top-secret SCI compartment is named UMBRA. This code word has been in constant use since 1968 and is used to protect the most sensitive intercepts of communications intelligence. Although officially terminated in 1999, recent NSA leaks indicate that the code word is still in use.
  2. Special Access Programs (SAPs) SAPs have been created to control access, distribution, and protection of particularly sensitive information, which includes top-secret military information. Each SAP is identified by code words that consist of two unassociated, unclassified words. There are over 100 SAPs, with many having numerous compartments and subcompartments. An example of a top-secret special access program is Yankee White. Persons who have been cleared for this SAP have complete access to presidential workspaces that might contain classified information at any level up to “Presidential Eyes Only” and may also carry a loaded weapon in the presence of the president. This clearance requires the most extensive and thorough background investigation possible.

Administering Mandatory Access Control

You have seen that discretionary access control is administered through the use of an access control list (ACL) attached to each file or folder with changes that can be made on the fly by the data owner. Mandatory access control must be enforced by a completely different mechanism. Typically, in a mandatory access control system, the sensitivity of the objects being accessed is far greater than the objects in a discretionary access control system. Therefore, greater harm or expense may be incurred should subjects be given improper access to highly sensitive data. In a mandatory access control system, something is required to mediate between the levels of access granted to the subject and the security classification of an object. This mediation or decision-making process must be accomplished in an environment of trust, where the hardware and software providing this mediation is above reproach. The theory and application of this hardware and software mediation platform is referred to as a trusted computing base (TCB).

Trusted Systems

Mandatory access control (MAC) is traditionally enforced by the system through the use of a trusted computing base (TCB). This is a protected part of the operating system that includes a security kernel and a reference monitor. As you have seen with MAC, users or applications are referred to as subjects and are labeled with a security clearance and are included on a capabilities list. The security clearance represents the highest level of information the subject may access. In addition, all data and information is referred to as an object and is classified as, for example, confidential, secret, or top secret. This security classification system is primarily used by the federal government and military agencies.

The primary information framework utilized in MAC requires that a subject granted a secret clearance may not “read up” to top secret information above the clearance they currently possess and, once accessing secret information, cannot “write down” that information to a lower level such as confidential or unclassified, thereby reducing the secret information to a lower security classification. In practice, the trusted computing base is engaged in the comparison between the security clearance labels of subjects and the security sensitivity labels placed on objects.

There are several components to a trusted computing base:

  1. Secure Hardware and Software Environment This may take the form of an isolated server stripped of all services and capabilities not required of the mediation process. The isolation means that it should not be possible for an attacker to be able to change the logic of the reference monitor or access and change the contents of the security kernel.
  2. Reference Monitor The abstract machine concept that mediates all access by subjects to objects (Figure 3.12). As part of the TCB, it must always be invoked and available, be verifiable as correct, be protected from modification, and mediate all access requests. Once a subject requests access to an object, the reference monitor accesses a file, known as the security kernel database, that lists the access privileges or security clearance of each subject and the security classification attributes of each object.
    [Figure 3.12: diagram with the reference monitor at the center, mediating all transactions between subjects (users, applications, each with a security clearance) and objects (files, each with a security classification).]

    Figure 3.12 The reference monitor mediates all transactions between subjects and objects.

  3. Security Kernel The component of the trusted computing base consisting of hardware, software, and firmware elements that implements an access control list (ACL) database, usually referred to as the security kernel database. This database is utilized when mediating (comparing) subject and object labels in a mandatory access control (MAC) authentication system.
  4. Audit The final requirement is to provide a complete audit file recording attempted security violations, authorized data accesses, data file changes, and authorized changes to the security kernel database.

Mandatory Access Control Architecture Models

The MAC architecture model provides a framework that can be applied to various types of information systems. In general, these models provide rules that can be applied to subjects before they are allowed to read or write sensitive information. Each of the four models provides a primary goal of either confidentiality or integrity. Each of the models is named after the individuals who created it.

Bell-LaPadula Model

The Bell-LaPadula model enforces information confidentiality. It does this by enforcing security through two rules called no read up and no write down.

With the Bell-LaPadula model, an individual with a secret security clearance cannot read top secret information and cannot write secret information down to a security level below secret, such as unclassified.

  1. Simple Security Property Rule (No Read Up) Subjects cannot read information classified at a higher level than theirs. For example, a person with an unclassified security clearance cannot read a document classified as secret.
  2. The Star Property Rule (No Write Down) Subjects with access to information at a certain security level cannot write that information to a lower security level. For example, a person accessing documents classified as secret cannot reduce the classification level by writing the information to a lower level. Usually an asterisk (*) is used as a star, as in the * property rule.
  3. The Strong Star Rule This rule states that if you have read and write capabilities, you are restricted to read and write your data at your level of secrecy, but you cannot read and write to levels of higher or lower secrecy. This is sometimes referred to as the constrained or tranquility property.

As expected, the Bell-LaPadula model is used extensively in the federal government and U.S. military where confidentiality of information is the primary concern.

Biba Model

The Biba information model is primarily concerned with information integrity. Its rules are the reverse of the Bell-LaPadula rules. In the Bell-LaPadula model, we do not want to reduce the security classification of sensitive information. The Biba model seeks to prevent information from a lower integrity level from being raised into a higher integrity level.

The goal is that an individual at a certain security level may not read information at a lower level and the individual may not create (write) information at a higher level than their security level.

  1. Simple Integrity Axiom (No Read Down) Subjects granted access to any security level may not read objects at a lower security level. For example, a business manager may not read or accept actionable orders from an assembly line worker, but the president of the company may issue actionable orders to the manager.
  2. The Star Integrity Axiom (No Write Up) Subjects at a certain security level may not write to a higher level. Continuing our example, the assembly line worker cannot write actionable orders for the manager and the manager cannot write actionable orders for the president. (Usually an asterisk [*] is used as a star, as in the * integrity axiom.)
  3. The Invocation Property The invocation property prevents a user at one level from using or invoking the powers or privileges of the user at a higher level.

The Biba model is used primarily in the business environment where data and object integrity is of primary concern. In this model, individuals at a lower level may not create or modify data at a higher level.
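The Trusted Systems section describes a reference monitor that consults a security kernel database and writes an audit trail, and the two sections above give the Bell-LaPadula and Biba rules it enforces. The following added example (not from the SSCP text, and not any real TCB) puts those pieces together in one small reference monitor with pluggable policies. The labels, the database contents, the compartment name "PROJECT-A", and the business example's integrity levels are constructed. It goes slightly beyond the text in one respect: a subject's clearance dominates an object's classification only when its level is at least as high and it holds every compartment the object carries, which is the "need to know" rule mentioned earlier in the chapter.

```python
"""A reference monitor enforcing Bell-LaPadula and Biba rules over labelled subjects and objects.

Added example, not from the SSCP text. Security levels are ordered
unclassified < confidential < secret < top secret; integrity levels low < medium < high.
"""

SECURITY_LEVELS = ["unclassified", "confidential", "secret", "top secret"]
INTEGRITY_LEVELS = ["low", "medium", "high"]


def dominates(label_a, label_b):
    """label = (level, compartments). True when a may see everything b carries."""
    level_a, comps_a = label_a
    level_b, comps_b = label_b
    return (SECURITY_LEVELS.index(level_a) >= SECURITY_LEVELS.index(level_b)
            and set(comps_b) <= set(comps_a))


class BellLaPadula:
    """Confidentiality: no read up (simple security), no write down (* property)."""

    def decide(self, action, subject_label, object_label):
        if action == "read":
            return dominates(subject_label, object_label)
        if action == "write":
            return dominates(object_label, subject_label)
        if action == "read_write":   # strong * property: only at exactly the subject's own level
            return dominates(subject_label, object_label) and dominates(object_label, subject_label)
        raise ValueError(f"unknown action {action!r}")


class Biba:
    """Integrity: no read down (simple integrity axiom), no write up (* integrity axiom)."""

    def decide(self, action, subject_level, object_level):
        s = INTEGRITY_LEVELS.index(subject_level)
        o = INTEGRITY_LEVELS.index(object_level)
        if action == "read":
            return s <= o          # may only read objects of equal or higher integrity
        if action == "write":
            return s >= o          # may only write objects of equal or lower integrity
        raise ValueError(f"unknown action {action!r}")


class ReferenceMonitor:
    """Mediates every request against the security kernel database and records an audit trail."""

    def __init__(self, policy, subject_labels, object_labels):
        self.policy = policy
        self.subjects = subject_labels     # security kernel database: subject -> label
        self.objects = object_labels       # security kernel database: object -> label
        self.audit = []                    # every decision, allowed or denied

    def request(self, subject, action, obj):
        allowed = self.policy.decide(action, self.subjects[subject], self.objects[obj])
        self.audit.append((subject, action, obj, "ALLOW" if allowed else "DENY"))
        return allowed


# Constructed security kernel database for the confidentiality policy (assumption).
BLP_SUBJECTS = {
    "analyst": ("secret", {"PROJECT-A"}),
    "clerk": ("confidential", set()),
}
BLP_OBJECTS = {
    "intercepts": ("top secret", {"PROJECT-A"}),
    "project-memo": ("secret", {"PROJECT-A"}),
    "staff-memo": ("secret", set()),
    "bulletin": ("unclassified", set()),
}

# Constructed database for the integrity policy: the text's assembly-line example.
BIBA_SUBJECTS = {"president": "high", "manager": "medium", "worker": "low"}
BIBA_OBJECTS = {"orders": "high", "shift-log": "low"}


def demo():
    """Run the requests discussed in the text and return both audit trails."""
    blp = ReferenceMonitor(BellLaPadula(), BLP_SUBJECTS, BLP_OBJECTS)
    blp.request("analyst", "read", "project-memo")   # ALLOW: same level, compartment held
    blp.request("analyst", "read", "intercepts")     # DENY: no read up
    blp.request("analyst", "write", "bulletin")      # DENY: no write down
    blp.request("clerk", "read", "staff-memo")       # DENY: confidential cannot read secret
    biba = ReferenceMonitor(Biba(), BIBA_SUBJECTS, BIBA_OBJECTS)
    biba.request("manager", "read", "shift-log")     # DENY: no read down
    biba.request("worker", "write", "orders")        # DENY: no write up
    biba.request("president", "write", "orders")     # ALLOW
    return blp.audit, biba.audit
```

Because every request passes through `request`, the audit list is complete by construction, which is the "always invoked" property the text requires of a reference monitor; an application that could reach `self.objects` directly would bypass both the decision and the record.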

Clark-Wilson Model

The goal of the Clark-Wilson model is to enforce separation of duties through integrity rules. This model places a mechanism such as a software program between the subject and object. The software program separates the subject and object. This model enforces data integrity by checking, screening, or formatting data prior to it being placed in the object, such as a database. The Clark-Wilson model enforces what is called “well-formed transactions.” This model also enforces such integrity policies as authorized users may not take unauthorized actions and unauthorized users will not be allowed access.

Brewer-Nash Model (Chinese Wall)

The Brewer-Nash model is used in many business organizations to prevent conflict of interest situations within the same business. Objects are classified in a manner that indicates conflicts of interest. For example, if a business is providing different services for the same client, each branch or department is isolated from the other with no knowledge of the other departments' activities. This eliminates the possibility of a conflict of interest. This is also referred to as providing a Chinese wall between the two groups. Each group's information (objects) is classified so that it may not be accessed by the other.
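The Brewer-Nash decision is history-based, which is what distinguishes it from the label lattices above; the following added example (not from the SSCP text) shows the wall being built as a subject accesses client data. The companies and their conflict-of-interest classes are constructed: two banks compete with each other and two oil firms compete with each other, but a bank and an oil firm do not.

```python
"""Brewer-Nash (Chinese wall): access depends on what the subject has already seen.

Added example, not from the SSCP text. Companies and conflict-of-interest classes
are constructed.
"""

# Conflict-of-interest classes (assumption): company -> class.
COI_CLASS = {
    "Bank A": "banking",
    "Bank B": "banking",
    "Oil X": "petroleum",
    "Oil Y": "petroleum",
}


class ChineseWall:
    def __init__(self, coi_class=COI_CLASS):
        self.coi_class = coi_class
        self.history = {}   # subject -> set of companies whose objects were accessed

    def can_read(self, subject, company):
        """Read rule: allowed if the subject has already accessed this company, or has
        accessed nothing else in the same conflict-of-interest class."""
        seen = self.history.get(subject, set())
        if company in seen:
            return True
        return not any(self.coi_class[c] == self.coi_class[company] for c in seen)

    def can_write(self, subject, company):
        """Write rule: allowed only if reading is, and the subject has accessed no other
        company's data that could leak into this company's objects through the write."""
        seen = self.history.get(subject, set())
        return self.can_read(subject, company) and seen <= {company}

    def read(self, subject, company):
        """Perform the access and record it; the wall is built from this history."""
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def demo():
    """A consultant takes on Bank A, then Oil X, and is then walled off from Bank B."""
    wall = ChineseWall()
    return [wall.read("consultant", "Bank A"),
            wall.read("consultant", "Oil X"),
            wall.read("consultant", "Bank B"),
            wall.can_write("consultant", "Bank A")]
```

The write rule is the part practitioners most often forget: once the consultant has read Oil X's data, even writing to Bank A's objects is refused, because a write could carry Oil X information into a file that Bank A staff can read.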

Account-Level Access Control

In any business, there are a number of individuals requiring different access privileges based upon their responsibilities and roles within the organization. Account-level access control allows for a more detailed or granular control ability down to the group or individual level. This is the basis for role-based access control.

Dual Control

Dual control refers to an access mechanism whereby two individuals must work together to gain access. In some cases it is referred to as split knowledge as well as separation of duties. Dual control may be specifically utilized for access to encryption keys when two or more individuals maintain partial knowledge. When their knowledge is combined, access is granted to the item, such as access to an encryption key or encrypted message authentication codebook or physical access. Dual-control access mechanisms are highly relied upon in the U.S. military where total responsibility for access by one individual must be avoided.
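Split knowledge of an encryption key, as the paragraph describes, as an added example that is not from the SSCP text: the key is split into random XOR shares, one per custodian, so that any one share is indistinguishable from noise and only the combination of every share recovers the key. The key bytes and custodian names are constructed; the vault class is a hypothetical illustration of the "two people present" ceremony, not a product.

```python
"""Dual control by split knowledge: a key split into XOR shares held by separate custodians.

Added example, not from the SSCP text. Key bytes and custodian names are constructed.
"""

import secrets


def split_secret(secret, custodians):
    """Split `secret` into `custodians` shares; every share is needed to rebuild it.

    All shares but the last are uniformly random, and the last is chosen so that the
    XOR of all of them equals the secret. Any proper subset of shares reveals nothing."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in range(custodians - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares):
    """XOR every share together; with all shares present this yields the original secret."""
    result = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(result):
            raise ValueError("share length mismatch")
        result = bytes(a ^ b for a, b in zip(result, share))
    return result


class DualControlVault:
    """Releases the key only once the required number of distinct custodians have presented."""

    def __init__(self, required):
        self.required = required
        self.presented = {}   # custodian -> share presented in this ceremony

    def present(self, custodian, share):
        if custodian in self.presented:
            return False      # the same person presenting twice does not count as two
        self.presented[custodian] = share
        return True

    def release(self):
        if len(self.presented) < self.required:
            return None       # not enough custodians have taken part
        key = combine_shares(list(self.presented.values()))
        self.presented.clear()   # shares are not retained after the ceremony
        return key
```

Because the vault never stores the shares between ceremonies, no single system or person holds enough to reconstruct the key; a key check value (for example a MAC over a known block) is what operators use to confirm the combined result is the right key before it is put to use.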

Device Authentication, Certificate-Based Authentication

In many security situations it is desirable to authenticate not only the individual but also the machine or device they are using. Certificate-based authentication requires that a valid digital certificate be maintained on a machine or device from which the user authenticates. Authentication relies upon the certificate information and encrypted user password. This combination authenticates not only the user but the device that they are using. In device-to-device authentication, a similar scenario is used during the authentication process; valid certificate information is used to authenticate devices to each other. Certificate-based authentication may be accomplished through a commercial certificate issued by certificate authorities (CAs) such as VeriSign or through internal corporate CAs managed by the organization.

A very lightweight version of device authentication may be accomplished through the use of cookies. Cookies can be installed on various devices to identify them. Although not significantly utilized for communication encryption, devices may be initially authenticated by banks, financial institutions, and e-commerce sites as having been previously used by the user requesting initial authentication into their system.

Reverse Authentication

With reverse authentication and mutual authentication, not only does the user authenticate to the system when requesting access, they also have knowledge that the system they are contacting is in fact a genuine site. Various techniques have been used, from complex mutual handshake technology to visual cues.

Banks and financial institutions have utilized visual identification cues that only the logging-in user would recognize. It consists of a simple picture they selected upon account initialization. The user is then presented with the picture during login.

The unfortunate downside of this technique is that the end user may not realize that this is an authentication technique or cannot remember that this was the picture they selected, and other than terminating the session, they have no method of communication or validation other than contacting the institution's customer service department. A more successful method of reverse authentication is the use of personal security questions. Personal security questions were primarily intended as an initial factor of authentication of the user by the institution, but a spoofing website will not have access to the correct answers to the user's questions. Thus, even if the spoofing website is capable of obtaining login and password information, access to the real website will still be denied.

Privileged Accounts

Privileged users are typically super-users or administrators who have an elevated level of rights, privileges, and access capability to applications and data. Throughout the IT security organization, privileged account users present special access control concerns. Possessing the ability to bypass many access control methodologies, they may be capable of modifying many normal system controls. Privileged users should always be required to log on to two accounts: their privileged user account and their normal user account which allows access to email and regular daily applications. All privileged accounts should be closely monitored and audited regularly for privilege escalation or de-escalation as the situation requires.

The following are guidelines for privileged accounts:

  1. Account Creation Assign privileged accounts only as required. Screen, background check, and document users assigned to privileged accounts.
  2. Policies and Procedures Privileged account holders transcend everyday users and even corporate executives with their access capability. Consider requiring more stringent authorized use policies, nondisclosure agreements, noncompete agreements, and confidentiality agreements for these individuals.
  3. Account Provisioning Using the “least privilege” concept gives a privileged account only the minimum rights and capabilities required for the role. For example, do not give a database administrator the same rights as a server administrator or system administrator.
  4. Account Monitoring Always monitor and log all privileged account accesses and actions. Store these logs on a remote server to which the privileged account holder does not have access (separation of duties). Assign an individual to monitor and report on the logs regularly.
  5. Dual Accounts Always provide the privileged account holder with a regular personal account for email and daily routine access. Never log into a privileged account to perform personal business.
  6. Separate Machines Ideally, establish a virtual machine to log into the privileged account. This eliminates the possibility of any malware migration onto the privileged machine or the servers and applications being administered.
  7. Escrow Passwords Passwords, encryption keys, and other account login information may be placed in blind escrow in the event of incapacity or termination.
  8. Account Deprovisioning Establish a deprovisioning plan to use in the event of incapacity or termination for privileged accounts. The plan should restrict access and change passwords but securely retain information for future access if required.

User Accounts

All corporate employees fall under the user accounts umbrella. Each account has an account life cycle that must be managed by the IT department, and the management of all of the accounts within the corporate domain during that life cycle is called identity management. A general account policy should be established with standards and procedures to be followed during the account life cycle. Finally, a person or department should be specified to carry out the account life cycle tasks. The following events or activities are included as account maintenance during the account life cycle:

  1. Provisioning During the provisioning phase, accounts are created, and the appropriate application licenses, system rights, and privileges are assigned to the account. User entitlement refers to the rights and privileges provided to a user. An important consideration when establishing a new user account is naming and identifying standards established by the policies. This maintains a consistency of account names, email addresses, and private folder names. To speed this provisioning process, many IT departments have established a number of user groups of like roles or privileges and assigned the individual to the appropriate group. These groups might be the accounting department, sales department, senior executives, marketing department, and so on.

    This grouping of roles also involves assigning various security privileges, which in this case is role-based access control (RBAC). Some organizations use an automated provisioning application where the HR department enters various new-hire information, including an assigned group or role, and the software application provisions the account using this department-supplied information.

  2. Password Maintenance This is generally a corporate policy that is usually enforced by a Windows Server Group Policy manager. Passwords should conform to the length and complexity, expiration date, minimum password age, password history, and other provisions within the corporate password policy.
  3. Account Audit Accounts should be audited on a schedule as specified in a corporate account policy to determine if the current account access rights and privileges match the current role and requirements of the existing position. This prevents privilege escalation with job rotation or reassignment.
  4. Account Proofing The term account proofing has various meanings in different circles. Microsoft has used it to mean requiring an authentication validation, such as a phone number, address, or zip code. In other scenarios, the term refers to verifying that the account belongs to the stated individual through the use of various authentication tests and audit techniques.
  5. Account Privilege Change A change management process should be established to service the requirements of assigning additional rights and privileges to an individual account.
  6. Account Entitlement Account entitlement refers to the access enabled or available for any user account. Various government and financial institution regulations require regular annual audits be performed on user accounts that access sensitive applications and data.
  7. Account Deactivation This is a procedure undertaken immediately upon resignation or termination of an account owner. A corporate policy or service-level agreement (SLA) should be established that triggers account deactivation immediately upon a separation event. All managers and HR individuals must be aware of the policy and how to take immediate action to protect the company assets. Account deactivation removes only the password and user access. All underlying folders and information remain intact.
  8. Account Deprovisioning This is an organized disassembling of rights and privileges of the user account as well as archiving any folders, data, applications, user history, logs, or other user-specific information as required by policy. Ultimately, hardware is recycled, disposed of, or destroyed as required by policy.

Account Lockout Policy

The account lockout policy may generally fall under the account password policy. It features an ability to prohibit resource access after a preset number of attempts to log in. This policy directly addresses brute-force password hacking attempts. There are several provisions of this type of policy:

  1. Request to Reset This is a procedure the user must follow in an effort to reset a password. The help desk or other IT contact verifies the user information and, upon authentication, issues either a replacement or temporary password to the user. In many cases, an automated system may be accessed by the user to recover a forgotten password or reset a password.
  2. Threshold of Entry Attempts This is the number of times an incorrect password may be attempted before the user account is locked out. The lockout may be resolved through a help desk contact procedure or through a wait period.
  3. Wait Period This is the time duration after the threshold of entry attempts has been reached. In many cases, this period is 30 minutes, after which the user may again attempt to enter their password.
  4. Reset Interval This is the minimum time that must elapse between password resets. It is typically set at two days. This prohibits the user from resetting their password several times in the same day.
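The lockout provisions above, modelled as an added example (not from the book): a per-account state that enforces the entry-attempt threshold, the 30-minute wait period, and the two-day reset interval, with an audit trail of each decision. The policy values and the help-desk identity check are assumptions.

```python
"""Account lockout policy: entry-attempt threshold, wait period, reset interval."""
from dataclasses import dataclass, field

# Policy values assumed to match the figures quoted in the text.
THRESHOLD = 5                 # incorrect attempts before the account locks
WAIT_PERIOD = 30 * 60         # seconds the account stays locked
RESET_INTERVAL = 2 * 86400    # minimum seconds between password resets


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0.0 means not locked
    last_reset: float = -1e12      # epoch seconds of the last reset ("never")
    events: list = field(default_factory=list)   # audit trail of (time, event)


def attempt_login(acct: AccountState, password_ok: bool, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'.

    The lock is checked before the password is, so a locked account rejects even
    a correct password until the wait period has elapsed.
    """
    if now < acct.locked_until:
        acct.events.append((now, "locked-rejected"))
        return "locked"
    if acct.locked_until and now >= acct.locked_until:
        # Wait period over: clear the lock and start counting afresh.
        acct.locked_until = 0.0
        acct.failed_attempts = 0
    if password_ok:
        acct.failed_attempts = 0
        acct.events.append((now, "login-ok"))
        return "ok"
    acct.failed_attempts += 1
    acct.events.append((now, "login-fail"))
    if acct.failed_attempts >= THRESHOLD:
        acct.locked_until = now + WAIT_PERIOD
        acct.events.append((now, "lockout"))
    return "denied"


def request_reset(acct: AccountState, identity_verified: bool, now: float) -> bool:
    """Help-desk reset: requires the caller's identity to have been verified and
    enforces the reset interval. A successful reset also clears an active lockout."""
    if not identity_verified:
        acct.events.append((now, "reset-unverified"))
        return False
    if now - acct.last_reset < RESET_INTERVAL:
        acct.events.append((now, "reset-too-soon"))
        return False
    acct.last_reset = now
    acct.locked_until = 0.0
    acct.failed_attempts = 0
    acct.events.append((now, "reset-ok"))
    return True


def lockouts(acct: AccountState) -> int:
    """Number of lockout events recorded, the figure an account audit would report."""
    return sum(1 for _, e in acct.events if e == "lockout")
```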

Last Login Notification

The last login notification is a security check. Upon login, the returning user is greeted with a message such as “Your last login was Sunday, May 21, 2014.” This may alert the user that there has been a violation on that machine if they did not log in on that day. This technique is popular in high-security environments and the banking industry.

Violation Warning Screen

Some companies enforce user policies by flashing a warning screen on the user machine (Figure 3.13). This may be in response to an attempt to access secure information or a blacklisted website or even inserting a USB drive into the machine.

Figure 3.13 Warning screen

Account Callback

This process originally began as a telephone callback when a remote user called in for modem access to a computer system. The system would terminate the call and call the user back to verify their location. Today, many banks and financial and other important institutions will email or text the user with a passcode that must be entered into the account logon screen to further the authentication process.

Guest Account

Many companies establish a guest login on a separate VLAN for guest-level Wi-Fi services within the premises. The guest account may be general in nature and only allow the user to connect with the Internet via a temporary account.

This type of account may be assigned to a temporary worker or someone who might be replacing an employee on medical or maternity leave. Based upon the principle of least privilege, this account is usually short term and is allowed access to only the tasks of the person they are replacing but not to items such as the user's email, personal information file, storage locations, or nontask applications.

Contractor Account

A contractor account is a temporary account established for a contractor of a business. A contractor might be a temporary team of individuals, a programmer, or another person who is not a full-time employee of the business. A contractor account may be hosted on a VLAN. These accounts are based upon the principle of least privilege and are usually tracked with logs. Some contractor accounts may have a duration of several years.

Authorized Use Policy (AUP)

The authorized use policy (AUP) is presented as a screen displayed to an account at login, notifying the user of various requirements or policies they must agree to prior to and during the use of the company resources.

Role-Based Access Control

Role-based access control (RBAC) is similar to and can be enforced by Group Policy manager (Figure 3.14). Typically, users with very similar or identical roles are identified and placed in a group. Access control is granted to all individuals in the group based upon their membership in the group. This type of administration is ideal for large groups such as call center employees, bank tellers, store clerks, and stock traders or with groups in which numerous adds and drops occur frequently. Once a user is assigned to the group, they receive all the rights and privileges anyone in the group has received.

Organizational chart presenting various RBAC groups of an organization such as the senior executive group (top), junior executive group (middle), and phone center, marketing, and tech support groups (bottom).

Figure 3.14 Various groups under role-based access control

Rule-Based Access Control

Rule-based access control (RBAC or RAC) is based upon explicit rules that have been established to control the activities of subjects. Various rules may be created to allow or restrict access to objects. One such rule is the time of day restriction. This rule establishes when a resource or object may be accessed. For example, if the user is never required to access a database on a Saturday or Sunday from either within the building or a remote location, a rule may be established restricting access. It is important to note that role-based access control and rule-based access control may both be referred to as RBAC.

A timetable titled Phone Center Time of Day Authorized Network Access, with highlighted sections 6:00 AM–6:00 PM from Monday to Wednesday, 6:00 AM–8:00 PM from Thursday to Friday, and 7:00 AM–12:00 PM on Saturday.
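Rule-based access control as described above, written as an added example (not the book's code): explicit rules are evaluated against a request, with the time-of-day rule built from the Phone Center timetable and an origination rule for the "within the building or remote" distinction the text mentions. The groups, objects, and the location attribute of a request are constructed for the demo.

```python
"""Rule-based access control with a time-of-day rule and an origination rule."""
from datetime import datetime, time

# Authorized windows keyed by datetime.weekday() (Monday=0 ... Sunday=6), taken from
# the Phone Center timetable. Sunday has no entry, so access is denied all day.
PHONE_CENTER_HOURS = {
    0: (time(6), time(18)), 1: (time(6), time(18)), 2: (time(6), time(18)),
    3: (time(6), time(20)), 4: (time(6), time(20)),
    5: (time(7), time(12)),
}


def time_of_day(hours: dict):
    """Rule: the request time must fall inside that weekday's window (end exclusive,
    so a request at exactly 6:00 PM on a Monday is already outside the window)."""
    def rule(req: dict) -> bool:
        window = hours.get(req["when"].weekday())
        return window is not None and window[0] <= req["when"].time() < window[1]
    return rule


def origination(allowed: set):
    """Rule: the connection must originate from an allowed location
    (constructed values such as 'building' or 'vpn')."""
    return lambda req: req["location"] in allowed


# (group, object) -> rules that must ALL hold. Pairs not listed here are denied.
RULES = {
    ("phone_center", "customer_db"): [time_of_day(PHONE_CENTER_HOURS), origination({"building"})],
    ("executives", "customer_db"): [origination({"building", "vpn"})],   # no time restriction
}


def check_access(group: str, obj: str, when: datetime, location: str) -> bool:
    """Deny by default; allow only when every rule for (group, object) passes."""
    rules = RULES.get((group, obj))
    if not rules:
        return False
    req = {"group": group, "object": obj, "when": when, "location": location}
    return all(rule(req) for rule in rules)
```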

Session-Level Access Control

Session-level access controls restrict or allow actions during a specific communication session. These controls terminate when the session is terminated. A session is a one-time or individual login or access to a resource that involves a beginning and an end and is of a specific duration of time. For example, when you wish to check your bank account balance, you log in to your bank, view the account page, and log off. This defines one session. The following is a list of commonly implemented session-level access controls:

  1. Login Notification The system provides the user with the last login date and time for user verification.
  2. User Inactivity The account automatically logs the user off after a period of inactivity.
  3. Multiple Logon Control Some systems allow the user to establish multiple logins simultaneously. The system should be set to allow only one login from a specific user at one time.
  4. Origination Location The origination of a connection can easily be established and disallowed per policy. For example, many companies disallow any connection requests from IP addresses originating outside the United States.
  5. Session Connection Time Limit Users may be allowed to access a system for a set period of time, after which the session is terminated. This is popular with libraries, coffee shops, hotels, gaming sites, and other paid sites.
  6. Continuous Authentication Continuous authentication is a technique whereby the user is authenticated through every packet sent to the receiver. IPsec, a series of communication and encryption protocols, may be utilized to authenticate each packet as having been sent by the user. IPsec may also be configured to provide message integrity verification, thereby immediately alerting the receiver to any changes made to a message en route.

View-Based Access Control

View-based access control, sometimes referred to as a constrained view control, is a feature of many software applications as well as databases. Typically a “view” is the screen or page displayed to the user resulting from an application access or database query. This screen or view may have form blanks for the user to enter information or display specific data retrieved from a database. A view is a specific security control mechanism that restricts the user's actions or displays only the data available to them based upon their rights and privileges.

An example of a typical application might be that of a bank teller. Upon entering the customer account number, the bank teller may view a page originating in the database server that specifically outlines the customer's name, address, and current bank account balance. What is restricted from the bank teller but contained in the same database is the customer's credit information, loan payment history, loan balances, other related accounts, and some personal information. The bank teller, based upon their access capability, cannot make any adjustments or changes to the customer's bank loans. Similarly, in the same bank, upon entering customer-specific information, a loan officer will be sent a view from the same database that may include loan history, payments, collateral information, and customer credit scores. All of this information is contained in the same database, yet each user, based upon their role, was served a different view screen and had different capabilities for altering information.

View-based access control may also restrict access to certain data or certain functions provided on application programs. A typical example of this is the sheet or workbook protection mechanism that can be employed in Microsoft Excel. You can lock the entire sheet or just selected cells by using a password so that other users viewing the same sheet do not have the ability to either enter or change data. This could be handy, for instance, if the Microsoft Excel sheet is to be distributed between departments within the company to gather information. The departments will have access to the spreadsheet cells that are unlocked yet be restricted from changing any other information on the sheet. The other restricted information on the sheet may be generated by the originator or designer of the spreadsheet.

Data-Level Access Control

Data-level access control specifically deals with protecting data in any of its three states: in process, in transit, and at rest.

  1. Data In Process This is data that is currently in use or being acted upon by an application. Many applications feature “rollback” provisions in the event of a transaction error, application malfunction, or hardware failure. This returns the data to the last known good state. Other controls are at the application level and feature error flags and warnings depending upon various conditions established within the application. Input data at the beginning of a transaction is very vulnerable. Controls should be established to validate the input and verify the data prior to beginning a transaction. Some data in process controls feature integrity checking, using a number of techniques such as CRC, parity, or hashing to compare and validate that the data is correct and has complete integrity.
  2. Data In Transit Of course, data in transit is transmitted from one location to another. The transmitting location must verify the identity and authenticate the receiving user or system. In some cases, the transmitting entity and the receiving entity authenticate each other. Data in transit should be encrypted to prohibit access by any entity other than the authorized receiver, and the transmission process should guarantee integrity that none of the data has changed during transmission.
  3. Data At Rest Data at rest is in storage. Access to this data should be allowed only by proper identification and authentication. While data is at rest, it should be encrypted and backed up for safety. To prohibit access, such as when a cell phone is lost, a provision should be available to “wipe” or destroy the data at rest. Data at rest on USB drives, laptops, and tablets should always be encrypted.

Contextual- or Content-Based Access Control

Data-level access control may also be based upon the form or content of the actual data. This type of access control, referred to as contextual-based access control or content-based access control, is constructed using data content rules. Content-based access control may be illustrated by using lab reports in a major hospital. A specific blood test report might be accessible by the entire nursing staff assigned to a particular unit or floor. But if the same blood test report contained information concerning a specific infectious disease, it might be restricted to only the attending physician. These types of contextual access control rules are difficult to write and maintain, but depending upon the information to be accessed, they can be highly useful.

Physical Data and Printed Media Access Control

Access controls for data stored on removable items such as magnetic tape, magnetic disk, electronic memory devices, optical media, and printed media are normally categorized as handling and storage access procedures. Corporate information that has been identified as requiring any type of security should be physically marked and then treated according to the procedures associated with the category under which it falls. Removable items containing data should require the same identification and authentication access controls and protection as any information accessible on a network.

A variety of corporate policies such as a corporate data retention policy, storage policy, and destruction policy should be created. Sensitive information should be placed in a separate collection bin for sensitive documents, papers, and magnetic media. The following external data and media access controls are typically used:

  1. Offsite Commercial Storage Specific storage companies offer services to warehouse secure information.
  2. Formal Access Policy A formal sign-out or access control policy should be followed.
  3. Data Retention Period Data should be destroyed at the end of a retention period. In many cases, the retention period is specified by a regulatory agency. In some corporations, retention and destruction dates are strictly adhered to by the legal department to counter e-discovery searches.
  4. Media Destruction Policy A policy should outline the proper destruction or recycling techniques for all paper, hard drives, optical media, PCs, cell phones, and magnetic tapes. Strict attention should be given to the procedures and methodology of device destruction. In many cases today, data storage devices are completely shredded and destroyed rather than erased and reused.

Assurance of Accountability

Accountability is the end result of the identification and authentication system. The assurance of accountability is the guarantee that the user or subject has been proven to be who they say they are. When you use a strong identification and authentication system, users of the system may not deny their actions. With the concept of nonrepudiation, strong identification and authentication plus the implementation of log files are used so that the receiver cannot deny receiving a message.

Manage Internetwork Trust Architectures

A trust architecture is a relationship that is established between domains that allows users in one domain access to shared resources that are contained in another domain based upon authentication and authorization. Many organizations establish a number of domains on their internal network. The combination of all of these domains is referred to as an internetwork. For example, domains may be established for the marketing department, sales department, and accounting department. It may be obvious that individuals within the sales department may not require access to resources within the accounting department domain. However, users within the accounting department may require access to servers in the sales department domain in order to create daily sales reports. In this case, a type of internetwork trust relationship is established between the accounting department domain and sales department domain.

Trust is a logical relationship between domains that utilizes an authentication process that verifies the identity of the user and an authorization process that determines the rights and privileges the user is granted on the resource domain. Here are some of the terms used in this process.

  1. Trusted Domain The trusted domain contains the user requesting access to a resource in another domain. The domain containing the resource “trusts” the domain containing the user. Therefore, the user's domain is referred to as a trusted domain.
  2. Trusting Domain The trusting domain, otherwise referred to as the resource domain, contains the resource to which access is desired. For example, a user would be blocked from the trusting domain if they were requesting access to resources and were not a member of a trusted domain.
  3. Simple Trust Relationship In a simple trust relationship, the user in a trusted domain requests access to a resource in the trusting domain. A process is undertaken by the trusting domain to authenticate the user and determine the permissions assigned or authorized to the user by the resource. The resource maintains an access control list (ACL) that identifies authorized users with access levels and permissions for the resource.
  4. One-Way Trust The simple trust relationship illustrates a one-way trust in practice. This means that users in one domain may access resources in a second domain. But since this is a one-way relationship, users in the second domain may not access resources in the first domain. This type of trust relationship is established only for specific purposes.
  5. Two-Way Trust A two-way trust relationship is one in which both domains trust each other and each user in either domain may access the resources of the other. In Microsoft Active Directory, all domain trusts are automatically established as two-way trusts.
  6. Transitive Trust A transitive trust relationship is defined by a simple logical equation that if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C. The transitive trust relationship is specifically used when new domains are created in Active Directory. Domains within Active Directory may be represented as a domain tree or a top-down hierarchical structure. As new domains are created, they inherit a bidirectional trust relationship with the domains above them.
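The trust terms above, evaluated in an added example (not from the book or from Active Directory): trusts are directed edges from the trusting (resource) domain to the trusted (user) domain, a one-way trust is a single edge, a two-way trust is an edge in each direction, and a multi-hop path is honoured only when every hop is transitive. The domain names and the ACL are constructed.

```python
"""Evaluating one-way, two-way and transitive trusts between domains, then an ACL."""
from collections import deque


class TrustGraph:
    def __init__(self):
        # trusting domain -> {trusted domain: is_transitive}
        self.trusts: dict = {}

    def add_trust(self, trusting: str, trusted: str, two_way: bool = False,
                  transitive: bool = False) -> None:
        """`trusting` trusts `trusted`: users of `trusted` may use `trusting`'s resources."""
        self.trusts.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.trusts.setdefault(trusted, {})[trusting] = transitive

    def trust_path(self, resource_domain: str, user_domain: str):
        """Chain of domains through which resource_domain trusts user_domain, or None.

        A direct trust always counts, transitive or not. Beyond one hop, every edge on
        the path must be transitive (a non-transitive trust does not extend further).
        """
        if resource_domain == user_domain:
            return [resource_domain]
        if user_domain in self.trusts.get(resource_domain, {}):
            return [resource_domain, user_domain]
        queue, seen = deque([[resource_domain]]), {resource_domain}
        while queue:
            path = queue.popleft()
            for nxt, transitive in self.trusts.get(path[-1], {}).items():
                if not transitive or nxt in seen:
                    continue
                seen.add(nxt)
                if nxt == user_domain:
                    return path + [nxt]
                queue.append(path + [nxt])
        return None


def authorize(graph: TrustGraph, resource_domain: str, acl: dict,
              principal: str, permission: str) -> bool:
    """Authentication via the trust path, then authorization via the resource's ACL.
    Principals are written DOMAIN\\user; the ACL maps principal -> set of permissions."""
    user_domain, _, _user = principal.partition("\\")
    if graph.trust_path(resource_domain, user_domain) is None:
        return False                      # user's domain is not trusted: blocked
    return permission in acl.get(principal, set())


def build_example() -> TrustGraph:
    """Constructed internetwork: sales trusts accounting one-way (for the daily sales
    reports); sales and marketing are children of a corp root with two-way transitive trusts."""
    g = TrustGraph()
    g.add_trust("sales", "accounting")
    g.add_trust("corp", "sales", two_way=True, transitive=True)
    g.add_trust("corp", "marketing", two_way=True, transitive=True)
    return g
```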

The security practitioner must be familiar with a variety of methods available to identify and authenticate users requesting access to data and resources. In the event the user is in a remote location from the company network, the authentication procedure is referred to as remote authentication.

Centralized Authentication

Centralized authentication is a method by which users can log onto a network one time using identification and authentication techniques. Centralized refers to the technique of having one central authentication server providing user lookup services and allowing or disallowing access to the data and resources. One centralized system may be used by thousands or tens of thousands of users to access organizational resources.

Decentralized Authentication

With decentralized authentication, every server or application is required to verify the identification and authentication of the user requesting access. As you may imagine, maintaining adequate access control lists on each and every application and resource within an organization may be a huge task. Decentralized authentication may be applied in very specific and vertical instances where a limited number of users have been given rights and privileges to the resource. As the number of users grows, the task of administering user rights becomes more arduous.

Single Sign-On

Single sign-on (SSO) is an identification and authentication technique whereby the user signs on one time and has access to multiple applications. The user authenticates one time, and the system passes this authentication to applications and other entities. This is known as single sign-on authentication. It increases password security by reducing the number of passwords a user must remember. The risk in this process is that an attacker has access to multiple applications if the user password is discovered. Several single sign-on authentication mechanisms exist. One of the most popular is Kerberos.

Kerberos

Kerberos, a computer network authentication protocol, is named after Cerberus, the three-headed hound of Hades in Greek mythology. It was originally programmed for Unix by a group from the Massachusetts Institute of Technology (MIT) in the late 1980s. All Microsoft Windows implementations after Windows 2000 use Kerberos as the default authentication protocol.

The Kerberos model is based on a transitive trust system. In such a system, if A trusts B and C trusts B, then A trusts C. In this example, B is represented by a Kerberos server and A, desiring to access C, would be authenticated by the Kerberos server. All of this is performed through the use of tickets.

A typical use of the system follows this scenario:

  1. Scenario The user requests authentication by the Kerberos system and requires access to any or all of four applications they have permissions to access.
  2. Process
    1. Authentication request.

      The user sends an authentication request to the Kerberos authentication server.

    2. Authentication reply.

      The Kerberos server responds with a secret symmetric key and a ticket-granting ticket (TGT), which is time stamped.

    3. Application access request.

      When the user desires access to a specific application, the user sends the request, together with the ticket-granting ticket, to a Kerberos ticket-granting server.

    4. Session ticket reply.

      Upon receiving the ticket-granting ticket, the ticket-granting server responds with a ticket for use with the target application. This ticket contains the symmetric key of the ticket-granting server.

    5. Presentation of ticket.

      The user presents the time-stamped session ticket to the application.

    6. Ticket verification.

      The application server verifies the session ticket by comparing the symmetric key contained in the ticket with the pre-shared key it has stored. If they match, the application server has authenticated both the user and the ticket.

In the preceding scenario, the user is authenticated by a server one time. The server issues a ticket-granting ticket to the user that can be used to request session tickets or access to servers. When the user wishes to access another server resource, the user presents the ticket-granting ticket and specifies the resource. A resource-specific session ticket is issued to the user. The user presents this ticket to the requested application server. Through the use of pre-shared symmetric encryption keys, the application server verifies the authentication of the user and ticket.
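The six-step exchange above, run end to end as an added example (not MIT's or Microsoft's Kerberos code): an authentication server issues a time-stamped TGT, a ticket-granting server issues a service ticket sealed under the application server's pre-shared key, and the application server accepts the user only if that key opens the ticket. The `seal`/`unseal` helpers are a demo stand-in for Kerberos encryption, and every principal name and secret is constructed.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges with time-stamped tickets."""
import hashlib, hmac, json, os

AUTHENTICATOR_SKEW = 300     # seconds; stale or replayed authenticators are rejected


def derive_key(secret: str) -> bytes:
    """Long-term key of a principal, derived from its password or service secret."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Demo authenticated encryption (XOR keystream + HMAC tag); not a real cipher."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raise ValueError unless `blob` was sealed under `key` (the step-6 key check)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication server (steps 1-2) and ticket-granting server (steps 3-4)."""
    def __init__(self, principals: dict, lifetime: int = 8 * 3600):
        self.keys = {name: derive_key(s) for name, s in principals.items()}
        self.lifetime = lifetime

    def as_exchange(self, client: str, now: int) -> bytes:
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "session": session,
                                         "expires": now + self.lifetime})
        # Only the holder of the client's long-term key can open this reply.
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > AUTHENTICATOR_SKEW:
            raise ValueError("bad authenticator")
        svc_session = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "service": service,
                                           "session": svc_session, "expires": now + self.lifetime})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})


class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(password)

    def login(self, kdc: KDC, now: int) -> None:
        rep = unseal(self.key, kdc.as_exchange(self.name, now))   # wrong password -> ValueError
        self.session, self.tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])

    def service_ticket(self, kdc: KDC, service: str, now: int):
        auth = seal(self.session, {"client": self.name, "timestamp": now})
        rep = unseal(self.session, kdc.tgs_exchange(self.tgt, auth, service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["session"])

    def ap_request(self, ticket: bytes, svc_session: bytes, now: int):
        return ticket, seal(svc_session, {"client": self.name, "timestamp": now})


class Service:
    """Application server: step 6, verifies the ticket with its own pre-shared key."""
    def __init__(self, name: str, secret: str):
        self.name, self.key = name, derive_key(secret)

    def verify(self, ticket: bytes, authenticator: bytes, now: int):
        try:
            t = unseal(self.key, ticket)
            auth = unseal(bytes.fromhex(t["session"]), authenticator)
        except ValueError:
            return None                    # ticket not sealed with our key: forged or foreign
        if t["service"] != self.name or now > t["expires"]:
            return None
        if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > AUTHENTICATOR_SKEW:
            return None
        return t["client"]


def run_scenario(password: str = "correct horse", now: int = 1_700_000_000):
    """Whole exchange for constructed user 'alice' and service 'payroll'. Returns the
    name the service authenticated, or None if any step rejected the user."""
    kdc = KDC({"krbtgt": "kdc-master-secret", "alice": "correct horse", "payroll": "payroll-svc-secret"})
    payroll, alice = Service("payroll", "payroll-svc-secret"), Client("alice", password)
    try:
        alice.login(kdc, now)                                                 # steps 1-2
        ticket, svc_session = alice.service_ticket(kdc, "payroll", now + 60)  # steps 3-4
    except ValueError:
        return None
    return payroll.verify(*alice.ap_request(ticket, svc_session, now + 61), now + 62)  # steps 5-6
```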

Federated Access

Federated access allows users to be identified and authenticated to multiple networks or systems. Where single sign-on allows users to access servers and applications within a single network system, federated access is an agreement between different companies or networks to allow the identified and authenticated user on one network to access another network.

An example of federated access is evident during the use of popular flight and hotel room booking websites. Once you log on and make your flight or room reservation, you might be asked if you would like to rent a car. When you select a car rental company, your identification and authentication information is passed by means of the federated database to the federated partner. That auto rental company will then allow you to book a rental car using your original sign-on information.

Cloud-Based Security

The cloud is defined as hardware and software provided to a user on a requested basis. The cloud may be both internal to the organization and external, as provided by a cloud service provider. The advantage to using the cloud is that the user generally does not have to own the equipment that provides the cloud services. Also, the user pays only for the services they utilize. In other words, the cloud may expand and contract depending upon what the user is willing to pay.

There are two primary types of cloud services:

  1. Public Cloud Public clouds are hosted by cloud service providers and made available either as a free service or as a pay-per-use service. Users purchase various storage sizes and other services from the cloud service provider.
  2. Private Cloud Private clouds are essentially the same as public clouds, the difference being that private clouds are hosted within an organization and the general public is restricted from access.

The concept of the cloud is predicated on the concept of virtualization. Virtualization means running an application, database, or operating system in a way that is completely separated from the hardware on which it is running. For instance, a number of virtualized application servers may be running on one physical server. This is the basis for cloud computing.

The following list includes some of the concepts of cloud computing:

  1. Platform as a Service Platform as a Service (PaaS) provides the user with a virtual computer. The user can install software and databases and operate the system as if it were a purchased hardware device sitting on their desk.
  2. Software as a Service Software as a Service (SaaS) makes available a software application that is hosted on a remote server and made available on demand by the user. One advantage to the system is that, as the application programming team makes upgrades and updates to the application, the updates are immediately available to the end user. This reduces the requirements for service packs and updates to be installed by the end users. An example of SaaS is Microsoft Office 365. Another advantage of Software as a Service is that the application is not required to be resident on the end-user device, whether a pad, tablet, or cell phone, in order for the user to access the application. This reduces the requirement for memory or processing power on a small device.
  3. Infrastructure as a Service With Infrastructure as a Service (IaaS), the cloud provider supplies the capability of creating cloud-based networks utilizing standard or virtualized networking components. Infrastructure as a Service allows a company to expand very rapidly without having to purchase vast amounts of expensive hardware.

Cloud security is concerned with the following vulnerabilities:

  1. Cloud Vendor Reliability Cloud vendor reliability encompasses not only the financial viability of a cloud provider but also their ability to provide adequate safeguards and security controls on the cloud equipment.
  2. Data Clearing and Cleansing Data clearing and cleansing refers to company data that may remain on cloud storage devices after a cloud size is reduced. For instance, a benefit of the cloud is the ability to expand as required. If the space is no longer required and the company elects to contract the cloud size, the question is what happens to the data that remains on the cloud.
  3. Cloud Client Encroachment Cloud client encroachment refers to a couple of concepts unique to the cloud. Because the cloud is virtualized, a number of clients may all be running on the same hardware. If one client runs afoul of the law, there's a chance that could impact other clients running on the exact same hardware. The second aspect is if one client is attacked, the attacker might access other clients on the same virtualized system.
  4. Regulations and Jurisdiction Regulations and jurisdiction must be taken into account as cloud providers offer their services worldwide. Data stored on a cloud server system based in Spain may come under the jurisdiction of the Spanish legal system. This may be a primary consideration during a forensic investigation or a security incident response.

Summary

Controls are put in place to limit risk. Access controls are used to establish the methods by which users, called subjects, may access resources, called objects. There are three types of controls. Physical controls in the form of locks, doors, and fences physically provide barriers to entry by locking or securing an entrance. Logical controls in the form of firewalls, routers, and other computer hardware control access to digital resources such as networks and data. Administrative controls in the form of policies and enforced by rules, AUPs, and signs convey information concerning access to either physical or digital assets and resources.

In this chapter we discussed what should be protected within a business or agency. Assets and resources fall into three general categories: digital assets, physical assets, and information assets. Protection of these assets is based upon their value. This value may be expressed purely in monetary terms or may also include subjective expense based upon the harm to the business if an asset was damaged or released to the public. During a risk assessment process, a threat is identified and a control is placed to reduce a vulnerability of the asset. During active access control, we are not only controlling the access by authorized users but also limiting access by unauthorized users, bad actors, and the malware they may send in the direction of our resources and assets.

The security practitioner has a variety of tools and methods available to control access. Foremost is the ability to identify and authenticate the user or system requesting access. The identification and authentication process makes use of one or more factors of information. The use of multiple factors ensures that the user or system requesting access is actually who they claim to be. Users may be authorized to access resources based upon various security access models. These models include discretionary access control, during which the data owner assigns access; mandatory access control, which labels both the user and the data and uses a matching system to allow access; and finally, role-based access control, where users are granted access as members of a group. Various rules may be established, such as time of day access, and this is referred to as rule-based access control.

The security practitioner should completely understand the requirements for access control and the methods, products, policies, and actions that may be implemented to provide access control and therefore security and protection for assets and resources.

Exam Essentials

  1. Three States of Data Understand that the three states of data include data in transit, data at rest, and data in process.
  2. Categories of Resources and Assets Know that the categories of resources and assets to be protected include physical assets, data assets, and information assets.
  3. Controls Be able to explain that controls are items used to control risk by reducing vulnerability. Controls may be physical, logical, or administrative.
  4. Defense in Depth Know that defense in depth and layered security refers to the use of a number of controls placed in sequence through which a threat must penetrate.
  5. Subjects and Objects Understand that the subject is the user or system (actively) requesting access. An object is the (passive) resource or asset of which the subject is requesting access. These roles may change or flip.
  6. Authentication Factors Be able to explain that a factor represents the source of information presented for either identification or authentication. Factors may be something you know, something you have, something you are, or somewhere you are. Multifactor authentication is the use of information from different factor sources.
  7. Biometrics Know that biometrics is the type of factor that provides information on something you are. During data acquisition at the time of access, the data may be flawed and two types of errors may occur. A Type I error is a false rejection. A false rejection rate (FRR) is the frequency with which the system rejects a known good person. This restricts entry of a person who should be allowed to enter. The Type II error is a false acceptance. A false acceptance rate (FAR) is the frequency with which an unknown person is allowed to enter. On a graph, the point where Type I errors and Type II errors cross indicates the crossover error rate (CER). The lower the CER, the more reliable the biometric system.
  8. Internetwork Trust Architectures Understand that one-way and two-way trust relationships govern the sharing of and access to resources between domains within an organization. A transitive trust relationship extends logically: if A trusts B and B trusts C, then A trusts C. Within a Microsoft Active Directory forest, the trusts created between parent and child domains are two-way and transitive by default.
  9. Access Control Models Understand that various access control models exist. Discretionary access control (DAC) is based upon the resource owner deciding who may have access. Nondiscretionary access control is based upon a system administrator or management, rather than the resource owner, deciding who has access. Mandatory access control (MAC) is performed by applying labels or tags to both the information and the users or subjects requesting access and comparing them. Role-based access control (RBAC) is based upon the user or subject being a member of a specific group or role. Rule-based access control (RBAC or RAC) is based upon rules such as those that restrict access at a certain time of day.
  10. Architectural Models Be able to answer questions concerning the access control architectural models. The Bell-LaPadula model enforces information confidentiality. The Biba model enforces information integrity. The Clark-Wilson model enforces information integrity and separation of duties. The Brewer-Nash model provides the concept of a Chinese wall to restrict conflicts of interest.
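Essential 7 defines FRR, FAR, and the crossover error rate in words; the following added example, written for this summary and not taken from the book, computes them from match scores so the relationship between the sensitivity threshold and the two error types can be seen directly. The two score lists are constructed sample data, not measurements from any real biometric device, and the 0.00 to 1.00 threshold grid is an assumption.

```python
# Added example: FAR (Type II), FRR (Type I) and the crossover error rate (CER)
# computed from match scores.  GENUINE_SCORES and IMPOSTOR_SCORES are constructed
# sample data, not measurements from any real system.

# Match scores on a 0..1 scale, higher meaning a closer match.  Genuine scores come
# from enrolled users presenting themselves; impostor scores come from other people
# being compared against those same templates.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.70, 0.66, 0.61, 0.58, 0.52, 0.41]
IMPOSTOR_SCORES = [0.56, 0.49, 0.44, 0.38, 0.33, 0.27, 0.22, 0.18, 0.12, 0.07]
THRESHOLDS = [i / 20 for i in range(21)]   # sensitivity settings 0.00 .. 1.00


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold.  Returns (FAR, FRR) at that sensitivity."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)   # Type II
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)      # Type I
    return far, frr


def curve(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for every sensitivity setting: the two plotted lines."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest, and the CER (their value there)."""
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in curve(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS)
    print(f"crossover at threshold {t:.2f}, CER {cer:.2f}")
```

Walking the printed curve shows the effect the sensitivity adjustment has: as the threshold rises, FAR falls from 1.0 toward 0 while FRR climbs from 0 toward 1.0, and the two lines cross once. With these constructed scores the crossing is at a threshold of 0.50 with a CER of 0.10; a device whose genuine and impostor score distributions overlap less would cross lower, which is why a lower CER indicates a more reliable system. Note also that the device can be tuned toward either failure mode: a high threshold favours security (near-zero FAR, many rejections of legitimate users), a low one favours convenience.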

Written Lab

You can find the answers in Appendix A.

  1. Write a paragraph explaining federated access.
  2. What is a primary vulnerability of the single sign-on process?
  3. Briefly explain the difference between MAC and DAC.
  4. List the three primary categories of access controls.

Review Questions

You can find the answers in Appendix B.

  1. When a user is asked for a password by a system, what process is the system performing?

    A. Evaluation

    B. Identification

    C. Authentication

    D. Authorization

  2. Authorization for multiple applications using one set of credentials is best described by which of the following?

    A. Authorization

    B. Single Sign-on

    C. Multi-factor

    D. Enrollment

  3. If information being protected is critical, which is the best course of action?

    A. The encryption password should be changed more frequently

    B. The data should be used less frequently

    C. The data should be hidden from other processes

    D. Users should be provided public encryption keys

  4. What are the three categories of controls?

    A. Physical, detective, and logical (technical)

    B. Administrative, physical, and preventative

    C. Administrative, logical (technical), and physical

    D. Physical, logical (technical), and administrative

  5. Which of the following best describes the use of the password generated by a synchronous token device?

    A. The password must be used within a variable time interval

    B. The password must be used within a fixed time interval

    C. The password is not dependent upon time

    D. The password is of variable length

  6. Access control is best described as which of the following?

    A. Reduction of social networking

    B. The elimination of risk when allowing users on a network

    C. The use of identification and authorization techniques

    D. The use of federated identities

  7. Which type of access control is the default method found in Microsoft Windows that allows users to share files?

    A. Mandatory access control

    B. Rule-based access control

    C. Sensitivity-based access control

    D. Discretionary access control

  8. Which of the following types of access control is preferred for its ease of administration when there are a large number of personnel with the same job in an organization?

    A. Mandatory Access Control

    B. Role-based Access Control

    C. Rule-Based Access Control

    D. Label-based Access Control

  9. Which of the following best describes the time that it takes to register with a biometric system, by providing samples of a personal characteristic?

    A. Setup time

    B. Login time

    C. Enrollment time

    D. Throughput time

  10. Which technique best describes a one-to-one search to verify an individual's claim of ­identity?

    A. Authentication

    B. Accounting review

    C. Authorization

    D. Availability

  11. Which of the following is a goal of integrity?

    A. All systems and data should be available

    B. Any changes to applications or equipment must be approved

    C. All data should be encrypted in transit

    D. Data should not change between sender and receiver

  12. View-based access control is best described as which of the following?

    A. The concept of hiding data from view while in storage

    B. Limiting the data the user may observe on a computer screen produced from a database

    C. Allowing a user to only view unencrypted data

    D. A rule-based control of a database

  13. Which of the following best describes privileged users?

    A. They are anonymous users

    B. They are super-users or administrators

    C. They all must work in the IT department

    D. By default have access to everything on the network

  14. Which of the following is true about biometric scan technology?

    A. The full palm print is stored in memory.

    B. A number of points extracted from the item scanned are stored.

    C. Scan data is always stored in the cloud for rapid retrieval.

    D. It is always used with a second method of authentication.

  15. Mandatory access control uses which of the following to authorize access to information?

    A. Identity and voice prints

    B. Roles and rules

    C. Subject and object labels

    D. Identity and several factor authentication

  16. Which of the following is an example of two-factor authentication?

    A. A password and user name

    B. A user ID and an account number

    C. A PIN and an RFID card

    D. A fingerprint and signature

  17. Crossover error rate (CER) refers to which of the following graphical intersections?

    A. Database usage rate

    B. Employee opt-out rate

    C. Symmetric and asymmetric rate

    D. False rejection rate and false acceptance rate

  18. The sensitivity adjustment on a biometric authentication device affects which of the following?

    A. Cost of the device

    B. False acceptance rate and false rejection rate

    C. Limitation of the enrollment database

    D. Requirement for continuous adjustment

  19. Which of the following best describes session level controls?

    A. Role-based logon controls

    B. Identification and integrity control

    C. Mandatory access controls

    D. Log-off due to the user inactivity

  20. Which of the following best describes a password that changes on each logon?

    A. Session level password

    B. Self assigned password

    C. Dynamic password

    D. Variable password
