Chapter 9. Access Control Management

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

• Explain access control fundamentals.

• Apply the concepts of default deny, need-to-know, and least privilege.

• Understand secure authentication.

• Protect systems from risks associated with Internet connectivity, remote access, and telework environments.

• Manage and monitor user and administrator access.

• Develop policies to support access control management.

What could be more essential to security than managing access to information and information systems? The primary objective of access controls is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), or disruption (availability). The access control management domain incorporates the most fundamental precepts in information security: deny all, least privilege, and need-to-know.

We will begin this chapter with a broad discussion of access control concepts and security models with a focus on authentication and authorization. We will examine the factors of authentication with an emphasis on the importance of multifactor authentication. We will look at the mandatory and discretionary authorization options for granting access rights and permission. We will consider the risks associated with administrative and privileged accounts. Reaching past the boundaries of the internal network, we will apply these concepts to the infrastructure, including border security, Internet access, remote access, and the teleworking environment. We will be mindful of the need to audit and monitor entry and exit points and to be prepared to respond to security violations. Throughout the chapter, we will develop policies designed to support user access and productivity while simultaneously mitigating the risk of unauthorized access.


FYI: ISO/IEC 27002:2013 and NIST Guidance

Section 9 of ISO 27002:2013 is dedicated to access control, with the objective of managing authorized access and preventing unauthorized access to information systems. This domain extends to remote locations, home offices, and mobile access.

Corresponding NIST guidance is provided in the following documents:

• SP 800-94: Guide to Intrusion Detection and Prevention Systems

• SP 800-41, R1: Guidelines on Firewalls and Firewall Policy

• SP 800-46, R1: Guide to Enterprise Telework and Remote Access Security

• SP 800-77: Guide to IPsec VPNs

• SP 800-114: User’s Guide to Securing External Devices for Telework and Remote Access

• SP 800-113: Guide to SSL VPNs

• SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)


Access Control Fundamentals

Access controls are security features that govern how users and processes communicate and interact with systems and resources. The primary objective of access controls is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), or disruption (availability). When we’re discussing access controls, the active entity (that is, the user or system) that requests access to a resource or data is referred to as the subject and the passive entity being accessed or being acted upon is referred to as the object.

An identification scheme, an authentication method, and an authorization model are the three common attributes of all access controls. An identification scheme is used to identify unique records in a set, such as a user name. Identification is the process of the subject supplying an identifier to the object. The authentication method is how identification is proven to be genuine. Authentication is the process of the subject supplying verifiable credentials to the object. The authorization model defines how access rights and permission are granted. Authorization is the process of assigning authenticated subjects the permission to carry out a specific operation.

The security posture of an organization determines the default settings for access controls. Access controls can be technical (such as firewalls or passwords), administrative (such as separation of duties or dual controls), or physical (such as locks, bollards, or turnstiles).

What Is a Security Posture?

A security posture is an organization’s approach to access controls. The two fundamental postures are open and secure. Open, also referred to as default allow, means that access, not explicitly forbidden, is permitted. Secure, also referred to as default deny, means that access, not explicitly permitted, is forbidden. In practical application, default deny means that access is unavailable until a rule, access control list (ACL), or setting is modified to allow access.

The challenge for organizations that adopt a secure posture is that a number of devices on the market today, including tablets and smartphones as well as software applications, come with an out-of-the-box setting of default allow. Why? Interoperability, ease of use, and productivity are the three reasons cited. The explosive growth in the use of technology, coupled with increasing awareness of vulnerabilities, is creating a shift in the industry. Organizations have become more security conscious and are beginning to demand more secure products from their vendors. Microsoft is an example of a company that has responded to market requirements. Early Windows server operating systems were configured as default allow. Current Windows server operating systems are configured as default deny.

Need-to-Know and Least Privilege

Determining who to grant access to should be based on the security principle of need-to-know. The level of access required should be based on the security principle of least privilege. Need-to-know means that the subject has a demonstrated and authorized reason for being granted access to information. Once a need-to-know has been established, least privilege is the principle of only assigning required object access permissions. Applied to the workforce, the principle of least privilege means granting users the least amount of access required to perform their job and no more. For example, if a user only needs to read a document, then only the “read” right is granted. If a user needs to be able to edit a document, then the “read” and “modify” permissions would be granted. The objective of both principles is to limit the potential damage of a security breach, whether accidental or malicious.

How Is Identity Verified?

Granting access is a multistep process that begins with the positive identification of the person or process seeking access to a system or resource. The process of authentication requires the subject to supply verifiable credentials. The credentials are often referred to as factors. There are three categories of factors: knowledge (something the user knows), possession (something a user has), and inherence (something the user is). Single-factor authentication is when only one factor is presented. The most common method of single-factor authentication is the password. Multifactor authentication is when two or more factors are presented. Multilayer authentication is when two or more of the same type of factors are presented. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised should all be considered when you’re deciding on the level of authentication required. The more factors, the more robust the authentication process.

Knowledge: Something You Know

Something you know is knowledge-based authentication. It could be a string of characters, referred to as a password or PIN, or it could be an answer to a question. Passwords are the most commonly used single-factor network authentication method. The authentication strength of a password is a function of its length, complexity, and unpredictability. If it is easy to guess or deconstruct, it is vulnerable to attack. Once known, it is no longer useful as a verification tool. The challenge is to get users to create, keep secret, and remember secure passwords. Weak passwords can be discovered within minutes or even seconds using any number of publicly available password crackers or social engineering techniques. Best practices dictate that passwords are a minimum of eight characters in length (preferably longer), include at least three of the four character types (uppercase letters, lowercase letters, numerals, and punctuation or symbols), which is referred to as complexity, are changed frequently, and are unique. Using the same password to log in to multiple applications and sites significantly increases the risk of exposure.

Generally, when users are granted initial access to an information system, they are given a temporary password. Most systems have a technical control that will force the user to change his or her password at first login. A password should be changed immediately if there is any suspicion that it has been compromised.

As any help desk person will tell you, users forget their passwords with amazing regularity. If a user forgets his password, there needs to be a process for reissuing passwords that includes verification that the requester is indeed who he says he is. Often cognitive passwords are used as secondary verification. A cognitive password is a form of knowledge-based authentication that requires a user to answer a question based on something familiar to them. Common examples are mother’s maiden name and favorite color. The problem, of course, is that this information is very often publicly available. This weakness can be addressed using sophisticated questions that are derived from subscription databases such as credit reports. These questions are commonly referred to as out-of-wallet challenge questions. The term was coined to indicate that the answers are not easily available to someone other than the user, and that the user is not likely to carry such information in his or her wallet. Out-of-wallet question systems usually require that the user correctly answer more than one question and often include a “red herring” question that is designed to trick an imposter but which the legitimate user will recognize as nonsensical.

It may seem very convenient when a website or application offers to remember a user’s logon credentials or provide an automatic logon to a system, but this practice should be strictly prohibited. If a user allows websites or software applications to automate the authentication process, then unattended devices can be used by unauthorized people to gain access to information resources.
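As an added illustration (not part of the chapter’s text), the following Python checks a candidate password against the best practices just listed: minimum length, complexity measured as character types, a known-weak list, and reuse from password history. The known-weak list and sample passwords are constructed for the example.

```python
import string

# Constructed known-weak list; a real deployment would load a far larger breach corpus.
KNOWN_WEAK = {"123456", "password", "welcome", "ninja", "abc123",
              "123456789", "12345678", "sunshine", "princess", "qwerty"}

MIN_LENGTH = 8      # the chapter's minimum; longer is preferred
MIN_CLASSES = 3     # at least three of the four character types


def character_classes(password: str) -> set:
    """Return the set of character types (upper, lower, digit, symbol) present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password: str, previous=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    # Case-insensitive lookup: "Princess" is no safer than "princess" against a cracker's list.
    if password.lower() in KNOWN_WEAK:
        problems.append("appears on a known-weak password list")
    if password in previous:
        problems.append("reused from password history")
    return problems
```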


FYI: Yahoo! Password Compromise

Do these passwords look familiar to you? In July of 2012, the hacker group D33ds Company claimed responsibility for attacking Yahoo! Voice and exposing 453,492 plain text login credentials. The full data dump was made available on Pastebin. The top ten most used passwords in order of popularity are listed here. Additional information is available at http://pastebin.com/2D6bHGTa.

1. 123456 (38%)

2. password (18%)

3. welcome (10%)

4. ninja (8%)

5. abc123 (6%)

6. 123456789 (5%)

7. 12345678 (5%)

8. sunshine (5%)

9. princess (5%)

10. qwerty (4%)


Possession: Something You Have

The second factor of authentication requires that the subject be in physical possession of a unique identifier. Examples include a one-time passcode, memory cards, smartcards, and out-of-band communication. The most common of the four is the one-time passcode sent to a device in the user’s possession. A one-time passcode (OTP) is a set of characters that can be used to prove a subject’s identity one time and one time only. Because the OTP is only valid for one access, if captured, additional access would be automatically denied. OTPs are generally delivered through a hardware or software token device. The token displays the code, which must then be typed in at the authentication screen. Alternatively, the OTP may be delivered via email, text message, or phone call to a predetermined address or phone number.

A memory card is an authentication mechanism that holds user information within a magnetic strip and relies on a reader to process the information. The user inserts the card into the reader and enters a personal identification number (PIN). Generally, the PIN is hashed and stored on the magnetic strip. The reader hashes the entered PIN and compares it to the value on the card itself. A familiar example of this is a bank ATM card. A smartcard works in a similar fashion. Instead of a magnetic strip, it has a microprocessor and integrated circuits. The user inserts the card into a reader, which has electrical contacts that interface with the card and power the processor. The user enters a PIN that “unlocks” the information. The card can hold the user’s private key, generate an OTP, or respond to a challenge-response.

Out-of-band authentication requires communication over a channel that is distinct from the first factor. A cellular network is commonly used for out-of-band authentication. For example, a user enters her name and password at an application logon prompt (factor 1). The user then receives a call on her mobile phone; the user answers and provides a predetermined code (factor 2). In order for the authentication to be compromised, the attacker would have to have access to both the computer and the phone.
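The one-time property described above, worked as an added example (not code from the chapter): a server-side store issues a code for delivery to the user’s device, keeps only a hash of it, and accepts it exactly once before its expiry, so a captured copy is useless after the legitimate use. The delivery window and attempt limit are constructed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6
VALIDITY_SECONDS = 300    # constructed: five-minute delivery window for SMS, call or email codes
MAX_ATTEMPTS = 3          # constructed: wrong guesses tolerated before the code is discarded


def _digest(code: str) -> bytes:
    # Only a hash of the live code is kept, so a copy of the store cannot be replayed.
    return hashlib.sha256(code.encode()).digest()


class OneTimePasscodeStore:
    """Issues and verifies one-time passcodes: each code works once, then it is gone."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be exercised deterministically
        self._pending = {}       # user -> [digest, expiry_timestamp, attempts_left]

    def issue(self, user: str) -> str:
        """Create a fresh code for the user and return it for delivery to the user's device."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # Issuing a new code replaces any earlier unused one for this user.
        self._pending[user] = [_digest(code), self._clock() + VALIDITY_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, code: str) -> bool:
        """Accept the code once while it is unexpired; a correct code is consumed on use."""
        entry = self._pending.get(user)
        if entry is None:
            return False                    # nothing outstanding: already used or never issued
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False                    # stale codes are discarded rather than retried
        if hmac.compare_digest(digest, _digest(code)):
            del self._pending[user]         # consumed: a captured copy is useless from here on
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]         # too many wrong guesses: force a fresh issuance
        return False
```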


FYI: Google 2-Step Verification

In response to password insecurity, in 2011, Google launched an optional 2-step verification process. With 2-step verification, accounts are protected by something you know (password) and something you have (one-time verification code provided to you). Google offers a variety of ways to get the code, including text message, phone call, Google authenticator app for Android, iPhone, and Blackberry, and a printable list of one-time codes. According to Google, as of July 2013, millions of users have made their accounts stronger with 2-step verification. Have you?


Inherence: Something You Are

The third factor of authentication is you. Biometrics is the identification of humans by distinctive, measurable characteristics or traits. A biometric identification system scans an attribute of a person and compares it to a record that was created in an earlier enrollment process. Success of the system depends on accurate and repeatable measurements of anatomical or physiological attributes.

Anatomical attributes include fingerprint, finger scan, palm scan, hand geometry, retina scan, iris scan, facial scan, and DNA. Physiological attributes include handwriting, keyboard dynamics, and voice print. Biometric authentication is the most accurate factor; it is also the most expensive to implement and maintain.

What Is Authorization?

Once authenticated, a subject must be authorized. Authorization is the process of assigning authenticated subjects permission to carry out a specific operation. The authorization model defines how access rights and permission are granted. The three primary authorization models are object capability, security labels, and ACLs. Object capability is used programmatically and is based on a combination of an unforgeable reference and an operational message. Security labels are mandatory access controls embedded in object and subject properties. Access control lists (ACLs) are used to determine access based on some combination of specific criteria, such as a user ID, group membership, classification, location, address, and date. The three categories of ACLs are discretionary access controls, role-based access controls, and rule-based access controls.

Mandatory Access Control (MAC)

Mandatory access controls (MACs) are defined by policy and cannot be modified by the information owner. MACs are primarily used in secure military and government systems that require a high degree of confidentiality. In a MAC environment, objects are assigned a security label that indicates the classification and category of the resource. Subjects are assigned a security label that indicates a clearance level and assigned categories (based on need-to-know). The operating system compares the object’s security label with the subject’s security label. The subject’s clearance must be equal to or greater than the object’s classification. The category must match. For example, in order for a user to access a document classified as “Secret” and categorized as “Flight Plans,” the user must have either Secret or Top Secret clearance and have been tagged to the Flight Plans category.

Discretionary Access Control (DAC)

Discretionary access controls (DACs) are defined by the owner of the object. DACs are used in commercial operating systems. The object owner builds an ACL that allows or denies access to the object based on the user’s unique identity. The ACL can reference a user ID or a group (or groups) that the user is a member of. Permissions can be cumulative. For example, John belongs to the Accounting Group. The Accounting Group is assigned read permissions to the Income Tax folder and the files in the folder. John’s user account is assigned write permissions to the Income Tax folder and the files in the folder. Because DAC permissions are cumulative, John can access, read, and write to the files in the tax folder.

Role-Based Access Control (RBAC)

Role-based access controls (RBACs) (also called non-discretionary) are access permissions based on a specific role or function. Administrators grant access rights and permissions to roles. Users are then associated with a single role. There is no provision for assigning rights to a user or group account. For example, Sally is associated with the role of “Programmer.” Sally will inherit all of the permissions assigned to the Programmer role. Sally cannot be assigned any additional permissions.

Rule-based Access Control

In a rule-based access controls environment, access is based on criteria that are independent of the user or group account. The rules are determined by the resource owner. Commonly used criteria include source or destination address, geographic location, and time of day. For example, the ACL on an application requires that it be accessed from a specific workstation. Rule-based access controls can be combined with DACs and RBACs.
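The four authorization models in this section, worked through as one added Python example (not code from the chapter): the MAC label comparison from the “Secret / Flight Plans” example, the cumulative DAC permissions of John and the Accounting Group, Sally’s single Programmer role, and a rule-based check layered on top of DAC. The clearance ordering, workstation names and hours are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# ---- Mandatory access control: the operating system compares security labels ----
# Constructed clearance ordering; the chapter's example uses Secret and Top Secret.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str               # classification (object) or clearance (subject)
    categories: frozenset    # need-to-know categories, e.g. {"Flight Plans"}


def mac_allows(subject: Label, obj: Label) -> bool:
    """Clearance must be equal to or greater than the classification, and the subject
    must hold every category the object carries; the owner cannot override this."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)


# ---- Discretionary access control: owner-built ACL, permissions are cumulative ----
def dac_permissions(acl: Dict[str, Iterable[str]], user: str, groups: Set[str]) -> Set[str]:
    """Union of what the ACL grants to the user ID and to each group the user belongs to."""
    granted = set(acl.get(user, ()))
    for group in groups:
        granted |= set(acl.get(group, ()))
    return granted


# ---- Role-based access control: rights attach to the single role, never to the user ----
def rbac_permissions(roles: Dict[str, Iterable[str]], assignments: Dict[str, str], user: str) -> Set[str]:
    """A user inherits exactly the role's permissions; there is no per-user grant to add."""
    role = assignments.get(user)
    return set(roles.get(role, ())) if role is not None else set()


# ---- Rule-based access control: criteria independent of who the subject is ----
def rule_allows(rule: Dict[str, object], context: Dict[str, object]) -> bool:
    """Every criterion present in the rule (permitted source workstations, hour-of-day
    window) must be satisfied by the request context; absent criteria are not checked."""
    if "sources" in rule and context.get("source") not in rule["sources"]:
        return False
    if "hours" in rule:
        start, end = rule["hours"]
        if not start <= context.get("hour", -1) < end:
            return False
    return True


def combined_allows(rule: Dict[str, object], context: Dict[str, object],
                    acl: Dict[str, Iterable[str]], user: str, groups: Set[str],
                    operation: str) -> bool:
    """Rule-based criteria combined with DAC: both the rule and the ACL must permit the request."""
    return rule_allows(rule, context) and operation in dac_permissions(acl, user, groups)
```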

Infrastructure Access Controls

A network infrastructure is defined as an interconnected group of hosts and devices. The infrastructure can be confined to one location or, as often is the case, widely distributed, including branch locations and home offices. Access to the infrastructure enables the use of its resources. Infrastructure access controls include physical and logical network design, border devices, communication mechanisms, and host security settings. Because no system is foolproof, access must be continually monitored; if suspicious activity is detected, a response must be initiated.

Why Segment a Network?

Network segmentation is the process of logically grouping network assets, resources, and applications. Segmentation provides the flexibility to implement a variety of services, authentication requirements, and security controls. Working from the inside out, network segments include the following types:

• Enclave network—A segment of an internal network that requires a higher degree of protection. Internal accessibility is further restricted through the use of firewalls, VPNs, VLANs, and network access control (NAC) devices.

• Trusted network (wired or wireless)—The internal network that is accessible to authorized users. External accessibility is restricted through the use of firewalls, VPNs, and IDS/IPS devices. Internal accessibility may be restricted through the use of VLANs and NAC devices.

• Semi-trusted network, perimeter network, or DMZ—A network that is designed to be Internet accessible. Hosts such as web servers and email gateways are generally located in the DMZ. Internal and external accessibility is restricted through the use of firewalls, VPNs, and IDS/IPS devices.

• Guest network (wired or wireless)—A network that is specifically designed for use by visitors to connect to the Internet. There is no access from the Guest network to the internal trusted network.

• Untrusted network—A network outside your security controls. The Internet is an untrusted network.

Introduced commercially in 1980, Ethernet is the most widely used wired local area network (LAN) technology. The components are mature and the security issues well understood. In contrast, wireless local area network (WLAN) technologies and corresponding security standards for exchanging data through radio communications are emerging. NIST SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs) provides recommendations for WLAN security configuration, including configuration design, implementation, evaluation, maintenance, and monitoring.

What Is Layered Border Security?

Layered security is the term applied to having different types of security measures designed to work in tandem with a single focus. The focus of layered border security is protecting the internal network from external threats. Layered border security access controls include firewall devices, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs). In order to be effective, these devices must be properly configured and expertly managed. Due to the complexity of and resource requirements associated with maintaining and monitoring border security devices, many organizations have chosen to outsource the function to managed security service providers (referred to as MSSPs). Oversight of in-house administration or of the MSSP is a critical risk management safeguard.

Firewalls

Firewalls are devices or software that control the flow of traffic between networks. They are responsible for examining network entry and exit requests and enforcing organizational policy. Firewalls are a mandatory security control for any network connected to an untrusted network such as the Internet. Without a properly configured firewall, a network is completely exposed and could potentially be compromised within minutes, if not seconds. A firewall policy defines how the firewall should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, ports, applications, and content types. The policy is codified in the rule set. The rule set is used by the firewall to evaluate ingress (incoming) and egress (outgoing) network traffic. In keeping with access control best practices, rule sets should be initially set to “deny all” and then strict rules implemented that allow connectivity based on business need.

NIST SP 800-41, R1: Guidelines on Firewalls and Firewall Policy provides an overview of firewall technologies and discusses their security capabilities and relative advantages and disadvantages in detail. It also provides examples of where firewalls can be placed within networks, and the implications of deploying firewalls in particular locations. The document also makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions.


FYI: IP Address, Ports, and Protocols Simplified

IP addresses, ports, and protocols form the basis of Internet communications:

• An IP address is how a specific network host or device is identified.

• A port is how an application or service is identified.

• A protocol is a standardized way for hosts and network devices to exchange information.

Let’s compare IP addresses, ports, and protocols to mailing a letter.

If you want to mail a letter, you must follow the postal protocol, including how to address the letter to the recipient, the return address requirements, and where a letter can be mailed (such as the post office or mailbox).

The address must include the city (network), the street (network segment), and house number (host or device).

In order to be delivered to the right person (application or service), the address must include a unique name (port).


Intrusion Detection Systems and Intrusion Protection Systems

It is possible for malicious activity to masquerade as legitimate traffic. Intrusion detection systems (IDSs) are passive devices designed to analyze network traffic in order to detect unauthorized access or malevolent activity. Most IDSs use multiple methods to detect threats, including signature-based detection, anomaly-based detection, and stateful protocol analysis. If suspicious activity is detected, IDSs generate an onscreen, email, and/or text alert. Intrusion prevention systems (IPSs) are active devices that sit inline with traffic flow and can respond to identified threats by disabling the connection, dropping the packet, or deleting the malicious content.

There are four types of IDS/IPS technologies:

• Network-based IDS/IPS—Monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity

• Wireless IDS/IPS—Monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves

• Network behavior analysis IDS/IPS—Examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (for example, a client system providing network services to other systems)

• Host-based IDS/IPS—Monitors the characteristics of a single host and the events occurring within that host for suspicious activity

IDS/IPS has four decision states. True positive occurs when the IDS/IPS correctly identifies an issue. True negative occurs when the IDS/IPS correctly identifies normal traffic. False positive occurs when the IDS/IPS incorrectly identifies normal activity as an issue. False negative occurs when the IDS/IPS incorrectly identifies an issue as normal activity.

NIST SP 800-94: Guide to Intrusion Detection and Prevention Systems describes the characteristics of IDS and IPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDS/IPS technologies are differentiated primarily by the types of events they monitor and the ways in which they are deployed.

Content Filtering and Whitelisting/Blacklisting

Controls are required to protect the internal network from insider requests that could result in malware distribution, data exfiltration, participation in peer-to-peer (P2P) networks, and viewing of inappropriate or illegal content. The insider request could come from authenticated authorized users or could be a response to a malicious command or instruction. As discussed earlier, border device egress filters can and should be used to restrict outbound traffic by source and destination address, port, and protocol. The filters can be supplemented by self-generated, open source, or subscription-based IP whitelists and/or blacklists. Whitelists are addresses (IP and/or Internet domain names) of known “good” sites to which access should be allowed. Conversely, blacklists are addresses (IP and/or Internet domain names) of known “bad” sites to which access should be denied. It is common practice to block entire ranges of IP addresses specific to geographic regions. Content-filtering applications can be used to restrict access by content category (such as violence, gaming, shopping, or pornography), time factors, application type, bandwidth use, and media.

Border Device Administration and Management

Border device administration and management is a 24/7/365 responsibility. On a daily basis, performance needs to be monitored to enable potential resource issues to be identified and addressed before components become overwhelmed. Logs and alerts must be monitored and analyzed to identify threats—both successful and unsuccessful. Administrators need to be on the watch for security patches and apply them expediently. Border device policies, configurations, and rule sets must be backed up or replicated.

Policy rules and rule sets need to be updated as the organization’s requirements change or when new threats are identified. Changes should be closely monitored because unauthorized or incorrect modifications to the rule set can put the organization at risk. Modifications should be subject to the organization’s change management process. This includes a separation of approval and implementation duties. Configuration and rule set reviews as well as testing should be performed periodically to ensure continued compliance with the organization’s policies. Internal reviews can uncover configuration settings and rules that are outdated, redundant, or harmful. The review should include a detailed examination of all changes since the last regular review, particularly who made the changes and under what circumstances. External penetration testing can be used to verify that the devices are performing as intended.
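An added Python example (not code from the chapter) that ties together the two firewall passages above: a rule set evaluated in order against ingress and egress traffic, falling to the “deny all” default when nothing matches, plus the kind of check a periodic rule set review performs, flagging rules that an earlier rule already covers and that can therefore never fire. The addresses and rules are constructed; real firewalls add state, logging and interface semantics beyond this first-match model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "ingress" (into the network) or "egress" (out of it)
    protocol: str          # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR form; "0.0.0.0/0" means any
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port; None means any
    comment: str = ""      # business justification for the rule


@dataclass
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, pkt.port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet that matches nothing falls to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet that would match `narrow` already matches `broad`."""
    return (broad.direction == narrow.direction
            and broad.protocol in ("any", narrow.protocol)
            and ipaddress.ip_network(narrow.src).subnet_of(ipaddress.ip_network(broad.src))
            and ipaddress.ip_network(narrow.dst).subnet_of(ipaddress.ip_network(broad.dst))
            and broad.port in (None, narrow.port))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already covers them;
    these are the redundant or outdated entries a rule set review should flag."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule set: a DMZ web server at 203.0.113.10 and internal clients in 10.0.0.0/8.
RULES = [
    Rule("allow", "ingress", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "public HTTPS to DMZ web server"),
    Rule("allow", "egress", "udp", "10.0.0.0/8", "10.0.0.53/32", 53, "internal resolver"),
    Rule("allow", "egress", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "outbound HTTPS for staff"),
    Rule("deny", "egress", "any", "10.0.0.0/8", "0.0.0.0/0", None, "explicit catch-all so denials are logged"),
]
```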


FYI: Blue Versus Red Team Penetration Test

The two approaches to conducting penetration testing are Blue Teaming and Red Teaming. A penetration test performed with the knowledge and consent of the organization’s IT staff is known as Blue Teaming, which is generally conducted to identify device or application vulnerabilities. A penetration test conducted without the knowledge of the organization’s IT staff but with full knowledge and permission of the upper management is known as Red Teaming. The objective of Red Teaming is to identify vulnerabilities as well as an organization’s attack detection and response capabilities.


Remote Access Security

The need to access internal corporate network resources from external locations has become increasingly common. In fact, for companies with a remote or mobile workforce, remote access has become the norm. The nature of remote access technologies—permitting access to protected resources from external networks and often external hosts as well—is fraught with risk. Companies should start with the assumption that external facilities, networks, and devices contain hostile threats that will, if given the opportunity, attempt to gain access to the organization’s data and resources. Controls, including authentication, must be carefully evaluated and chosen based on the network segment’s information systems and the classification of information that will be accessible. Consideration must be given to ensuring that the remote access communication and stored user data cannot be accessed or read by unauthorized parties (confidentiality), detecting intentional or unintentional modifications to data in transit (integrity), and ensuring that users can access the resources as required (availability). Remote access security controls that must be considered include the physical security of the client devices, use of cryptography in transit, the method of authentication and authorization, and the risks associated with local storage.

NIST SP 800-46, R1: Guide to Enterprise Telework and Remote Access Security provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework and remote access technologies. The publication also provides recommendations for creating telework-related policies and for selecting, implementing, and maintaining the necessary security controls for remote access servers and clients.

Remote Access Technologies

The two most common remote access technologies are virtual private networks (VPNs) and remote access portals. VPNs are generally used to extend the resources of a network to a remote location. Portals are generally used to provide access to specific applications.

A virtual private network (VPN) provides a secure tunnel for transmitting data through an unsecured network such as the Internet. This is achieved using tunneling and encryption in combination to provide high security remote access without the high cost of dedicated private lines. IPsec (short for IP Security) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec is most commonly associated with VPNs as the protocol providing tunneling and encryption for VPN connections between physical sites or between a site and a remote user. The tunnel can be thought of as a virtual pathway between systems within the larger pathway of the Internet. The popularity of VPN deployments is a result of worldwide low-cost accessibility to the Internet, in contrast to private circuits that are expensive, require long-term contracts, and must be implemented between specific locations. More information on IPsec VPNs is available from NIST SP 800-77: Guide to IPsec VPNs, and more information on SSL tunnel VPNs is available from NIST SP 800-113: Guide to SSL VPNs.

A remote access portal offers access to one or more applications through a single centralized interface. A portal server transfers data to the client device as rendered desktop screen images or web pages, and data is typically stored on the client device only temporarily. Portals limit remote access to specific portal-based applications. Another type of portal solution is terminal server access, which gives each remote user access to a separate standardized virtual desktop. The terminal server simulates the look and feel of a desktop operating system and provides access to applications. Terminal server access requires the remote user either to install a special terminal server client application or to use a web-based interface, often with a browser plug-in or other additional software provided by the organization. What’s more, applications such as TeamViewer and Join.me are specifically designed to create remote desktop sessions.

Remote Access Authentication and Authorization

Whenever feasible, organizations should implement mutual authentication so that a remote access user can verify the legitimacy of a remote access server before providing authentication credentials to it. The presentation of a preselected picture is an example of server-side authentication. Best practices dictate that multifactor authentication be required for remote access authentication. In order for an attacker to gain unauthorized access, he would have to compromise two authentication factors—one of which would either be something the user has or something the user is. Significantly increasing the work factor is a powerful deterrent! Additionally, users should be required to reauthenticate periodically during long remote access sessions or after a period of inactivity.

In addition to authenticating the user, remote access devices such as workstations and tablets should be evaluated to ensure they meet the baseline standards required for internal systems. Network access control (NAC) systems can be used to “check” a remote access device based on defined criteria such as operating system version, security patches, antivirus software version, and wireless and firewall configurations before it is allowed to connect to the infrastructure. If the device does not meet the predefined criteria, the device is denied access.
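The following Python example is added here to illustrate the NAC “check” just described; it is not code from the textbook or from any NAC product. The baseline thresholds, the attribute names, and the two sample devices are all constructed for illustration, and the decision logic follows the default-deny posture the chapter recommends: a device is admitted only when every check passes, and anything else is sent to a remediation segment.

```python
"""Added example (not from the textbook): a simplified NAC-style posture check.

The baseline thresholds and the device records are constructed for
illustration; real NAC products collect these attributes with an agent or an
agentless scan and apply vendor-specific policy.
"""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Attributes a NAC agent would report for a connecting device."""
    hostname: str
    os_version: tuple           # e.g. (10, 0, 19045); compared element by element
    missing_patches: int        # required security patches not yet installed
    av_signature_age_days: int  # age of the installed antivirus signature set
    firewall_enabled: bool      # host firewall switched on?
    open_wifi_allowed: bool     # device will join unencrypted wireless networks?


# Constructed baseline, mirroring the criteria the chapter lists: OS version,
# security patches, antivirus currency, wireless and firewall configuration.
BASELINE = {
    "min_os_version": (10, 0, 19041),
    "max_missing_patches": 0,
    "max_av_signature_age_days": 7,
    "firewall_required": True,
    "open_wifi_forbidden": True,
}


def evaluate_posture(device, baseline=BASELINE):
    """Return a list of baseline failures; an empty list means compliant."""
    failures = []
    if device.os_version < baseline["min_os_version"]:
        failures.append("operating system below minimum version")
    if device.missing_patches > baseline["max_missing_patches"]:
        failures.append(f"{device.missing_patches} required patch(es) missing")
    if device.av_signature_age_days > baseline["max_av_signature_age_days"]:
        failures.append("antivirus signatures out of date")
    if baseline["firewall_required"] and not device.firewall_enabled:
        failures.append("host firewall disabled")
    if baseline["open_wifi_forbidden"] and device.open_wifi_allowed:
        failures.append("open wireless networks permitted")
    return failures


def admission_decision(device, baseline=BASELINE):
    """Default deny: the device reaches the trusted segment only when every
    check passes. Anything else goes to a remediation (quarantine) VLAN where
    it can fetch patches and signatures but cannot reach internal hosts."""
    return "ADMIT" if not evaluate_posture(device, baseline) else "QUARANTINE"


# Constructed sample devices: one compliant laptop and one stale tablet.
SAMPLE_DEVICES = [
    DevicePosture("lt-finance-07", (10, 0, 19045), 0, 2, True, False),
    DevicePosture("tab-sales-12", (10, 0, 18363), 3, 21, False, True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.hostname, admission_decision(dev), evaluate_posture(dev))
```

Returning the full list of failures, rather than a bare yes/no, is what lets the remediation portal tell the user exactly what to fix before the device is re-checked.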

Teleworking Access Controls

The Telework Enhancement Act of 2010, Public Law 111-292, defines teleworking as “a work flexibility arrangement under which an employee performs the duties and responsibilities of such employee’s position, and other authorized activities, from an approved worksite other than the location from which the employee would otherwise work.” In plain language, teleworking allows employees to work offsite, often from their home. According to 2013 research published by MySammy LLC, 20% of the global workforce telecommutes on occasion. Of all teleworkers worldwide, 84% telecommute at least once a month. In the United States, 77% of companies with more than 2,500 employees allow remote working. The Telework Coalition (TelCoa) list of teleworking benefits includes “increased employee productivity and motivation, reduced vehicular pollution, traffic reduction, improved work-life balance, a reduced dependency on imported oil, providing new employment opportunities for the disabled, rural, and older worker, as well as spouses of those in the military and a means to efficiently and effectively establish a decentralized and distributed work force that is necessary as a critical component in business continuity and disaster recovery planning.”

Remote locations must be thought of as logical and physical extensions of the internal network and secured appropriately. Controls to ensure the confidentiality, integrity, and availability (CIA) of the information assets and information systems, including monitoring, must be commensurate with the on-premise environment.

NIST SP 800-114: User’s Guide to Securing External Devices for Telework and Remote Access provides practical, real-world recommendations for securing telework computers’ operating systems (OS) and applications, as well as the home networks that the computers use. It presents basic recommendations for securing consumer devices used for telework. The document also presents advice on protecting the information stored on telework computers and removable media. In addition, it provides tips on considering the security of a device owned by a third party before deciding whether it should be used for telework.


FYI: Yahoo!’s Telecommuting Ban

In February of 2013, Marissa Mayer, the CEO of Yahoo! announced that as of June 2013, Yahoo was ending its support for telecommuting. Here is an excerpt from an internal memo explaining the decision:

“To become the absolute best place to work, communication and collaboration will be important, so we need to be working side-by-side. That is why it is critical that we are all present in our offices. Some of the best decisions and insights come from hallway and cafeteria discussions, meeting new people, and impromptu team meetings. Speed and quality are often sacrificed when we work from home. We need to be one Yahoo!, and that starts with physically being together.

“Beginning in June, we’re asking all employees with work-from-home arrangements to work in Yahoo! offices. If this impacts you, your management has already been in touch with next steps. And, for the rest of us who occasionally have to stay home for the cable guy, please use your best judgment in the spirit of collaboration. Being a Yahoo isn’t just about your day-to-day job, it is about the interactions and experiences that are only possible in our offices.

“Thanks to all of you, we’ve already made remarkable progress as a company—and the best is yet to come.”


User Access Controls

The objective of user access controls is to ensure that authorized users are able to access information and resources while unauthorized users are prevented from access to the same. User access control and management is an enterprise-wide security task. Critical to successful user access management is the involvement of and communication between the Office of Human Resources, the Office of Information Technology, and the Office of Information Security and information system owners.

Why Manage User Access?

User access must be managed in order to maintain confidentiality and data integrity. In keeping with the least privilege and need-to-know security precepts, users should be provided access to the information and systems needed to do their job and no more. Humans are naturally curious beings. Given unfettered access, we will peek at that which we know we should not. Moreover, user accounts are the first target of a hacker who has gained access to an organization’s network. Diligent care must be used when designing procedures for creating accounts and granting access to information.

As discussed in Chapter 6, “Human Resources Security,” user provisioning is the process of creating user accounts and group membership, providing company identification and authentication mechanisms, and assigning access rights and permissions. Regardless of the department tasked with the user provisioning process, the information owner is ultimately responsible for authorization and oversight of access. The information owner or designee should review application, folder, or file access controls on a periodic basis. Factors that influence how often reviews should be conducted include the classification of the information being accessed, regulatory requirements, and rate of turnover and/or reorganization of duties. The review should be documented. Issues or inaccuracies should be responded to expediently.

Administrative Account Controls

Networks and information systems must be implemented, configured, managed, and monitored. Doing so requires accounts with elevated privileges. Common privileged accounts include network administrators, system administrators, database administrators, firewall administrators, and webmasters. This concentration of power can be dangerous. Mitigating controls include segregation of duties and dual controls. Segregation of duties requires that tasks be assigned to individuals in a manner such that no one individual can control a process from start to finish. Dual control requires that two individuals must both complete their half of a specific task. An example of segregation of duties is allowing a security engineer to modify a firewall configuration file but not upload the configuration into the production environment. An example of dual control is requiring two separate keys to unlock a door. Each key is assigned to an individual user. The theory of both controls is that in order to act maliciously, two or more individuals would need to work together. All administrative or privileged account activity should be logged and reviewed.
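The following Python example, added here and not taken from the textbook, enforces both controls on the chapter’s own scenario: a security engineer writes a firewall change, two distinct approvers sign off (dual control), and a separate operator pushes it to production (segregation of duties). The user names, the role table, and the change-workflow class are constructed for illustration; every privileged step is recorded in an audit list, as the paragraph requires.

```python
"""Added example (not from the textbook): enforcing segregation of duties and
dual control on a privileged change. Users, roles and the change itself are
constructed; a real change-management system would back this with an
authenticated workflow and a tamper-evident audit log."""

# Constructed role assignments. carol is both an engineer and an approver; the
# checks below still stop her approving or deploying her own work.
ROLES = {
    "alice": {"security_engineer"},
    "bob":   {"network_operator"},
    "carol": {"security_engineer", "change_approver"},
    "dave":  {"change_approver"},
}


class PolicyViolation(Exception):
    """Raised when an action would break segregation of duties or dual control."""


class FirewallChange:
    """A firewall configuration change that must be authored, approved by two
    distinct approvers, and deployed by someone other than any of them."""

    def __init__(self, change_id, author, description):
        if "security_engineer" not in ROLES.get(author, set()):
            raise PolicyViolation(f"{author} may not author firewall changes")
        self.change_id = change_id
        self.author = author
        self.description = description
        self.approvals = []
        self.deployed_by = None
        self.audit = []  # every privileged action is recorded for later review
        self._log("authored", author)

    def _log(self, event, actor):
        self.audit.append((self.change_id, event, actor))

    def approve(self, approver):
        if "change_approver" not in ROLES.get(approver, set()):
            raise PolicyViolation(f"{approver} is not a change approver")
        if approver == self.author:
            # segregation of duties: nobody approves their own change
            raise PolicyViolation("author may not approve own change")
        if approver in self.approvals:
            # dual control means two different people, not one person twice
            raise PolicyViolation(f"{approver} has already approved")
        self.approvals.append(approver)
        self._log("approved", approver)

    def deploy(self, operator):
        if "network_operator" not in ROLES.get(operator, set()):
            raise PolicyViolation(f"{operator} may not deploy to production")
        if operator == self.author or operator in self.approvals:
            raise PolicyViolation("deployer must differ from author and approvers")
        if len(self.approvals) < 2:
            raise PolicyViolation("dual control: two approvals required before deploy")
        self.deployed_by = operator
        self._log("deployed", operator)
        return True


def rejected(action, *args):
    """True if the action is blocked by policy (used by the demo and tests)."""
    try:
        action(*args)
        return False
    except PolicyViolation:
        return True


def run_compliant_workflow():
    """Walk one change through the full path with four distinct people."""
    change = FirewallChange("CHG-0001", "alice", "open tcp/443 to web tier")
    change.approve("carol")
    change.approve("dave")
    change.deploy("bob")
    return change


if __name__ == "__main__":
    done = run_compliant_workflow()
    print(done.audit)
    solo = FirewallChange("CHG-0002", "carol", "remove legacy rule")
    print("self-approval blocked:", rejected(solo.approve, "carol"))
```

The point of the `audit` list is that the reviewer can later see four different names against the four steps; a change whose audit trail shows the same person twice is exactly what the review should catch.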

Administrative accounts should be used only when the activity being performed requires elevated rights and permissions. There is no need to use this type of account to perform routine activities such as checking email, writing reports, performing research on the Internet, and other activities for which a basic user account will suffice. This is important because viruses, worms, and other malicious code will run in the security context of the logged-in user. If a user is logged in as a system administrator and her computer is infected with malicious code, then the criminal that controls the malware has administrative privilege as well. To address this very real risk, every person with a special privilege account should also have a basic user account with which to perform duties that do not require administrative access.

What Types of Access Should Be Monitored?

Monitoring access and use is a critical component of information security. What is most unfortunate is that many organizations deploy elaborate systems to gather data from many sources and then never look at the data. Mining log data results in a wealth of information that can be used to protect your organization. Log data offers clues about activities that have unexpected and possibly harmful consequences, including the following:

• At-risk events, such as unauthorized access, malware, data leakage, and suspicious activity

• Oversight events, such as reporting on administrative activity, user management, policy changes, remote desktop sessions, configuration changes, and unexpected access

• Security-related operational events, such as reporting on patch installation, software installation, service management, reboots, bandwidth utilization, and DNS/DHCP traffic

At a minimum, three categories of user access should be logged and analyzed: successful access, failed access, and privileged operations. Successful access is a record of user activity. Reporting should include date, time, and action (for example, authenticate, read, delete, or modify). Failed access is indicative of either unauthorized attempts or authorized user issues. In the first instance, it is important to know whether an intruder is “testing” the system or has launched an attack. In the second, from an operational standpoint, it is important to know if users are having problems logging in, accessing information, or doing their jobs. Oversight of administrative or privileged accounts is critical. Administrators hold the keys to the kingdom. In many organizations, they have unfettered access. Compromise or misuse of administrator accounts can have disastrous consequences.
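The following Python example is added to show what “logged and analyzed” looks like in practice for the three categories named above; it is not code from the textbook. The key=value log format and every line in the sample log are constructed for illustration. The script sorts events into successful access, failed access, and privileged operations, and it separates the two failed-access cases the paragraph distinguishes: a user who mistypes once and then succeeds, and a source that fails repeatedly in quick succession.

```python
"""Added example (not from the textbook): sorting access-log events into the
three categories the chapter names (successful access, failed access, and
privileged operations) and flagging repeated failed logons. The log format and
every line in SAMPLE_LOG are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2013-07-15T08:01:12Z user=jsmith src=10.1.4.22 action=authenticate result=success
2013-07-15T08:01:40Z user=jsmith src=10.1.4.22 action=read object=/finance/q2.xlsx result=success
2013-07-15T08:02:05Z user=mlee src=203.0.113.9 action=authenticate result=failure
2013-07-15T08:02:09Z user=mlee src=203.0.113.9 action=authenticate result=failure
2013-07-15T08:02:14Z user=mlee src=203.0.113.9 action=authenticate result=failure
2013-07-15T08:02:18Z user=mlee src=203.0.113.9 action=authenticate result=failure
2013-07-15T08:02:23Z user=mlee src=203.0.113.9 action=authenticate result=failure
2013-07-15T08:10:00Z user=rkim src=10.1.4.30 action=authenticate result=failure
2013-07-15T08:10:30Z user=rkim src=10.1.4.30 action=authenticate result=success
2013-07-15T08:15:00Z user=sysadmin src=10.1.1.5 action=modify object=/etc/sudoers result=success privileged=true
2013-07-15T08:16:00Z user=sysadmin src=10.1.1.5 action=create_user object=temp01 result=success privileged=true
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn key=value log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, _, rest = line.partition(" ")
        event = dict(FIELD_RE.findall(rest))
        event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def categorize(events):
    """Split events into the three categories that must be logged and reviewed.
    A privileged operation is also a successful or failed access, so it lands
    in two lists; reviewers go through the privileged list on its own."""
    cats = {"successful": [], "failed": [], "privileged": []}
    for e in events:
        if e.get("result") == "success":
            cats["successful"].append(e)
        elif e.get("result") == "failure":
            cats["failed"].append(e)
        if e.get("privileged") == "true":
            cats["privileged"].append(e)
    return cats


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, source) pairs with `threshold` failed logons inside `window`.
    One failure followed by success (rkim) is a user issue; five failures in a
    few seconds from one source (mlee) is the "testing the system" case."""
    failures = defaultdict(list)
    for e in events:
        if e.get("action") == "authenticate" and e.get("result") == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])
    bursts = []
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((user, src, len(times)))
                break
    return bursts


def review_report(text=SAMPLE_LOG):
    """One-shot summary a log reviewer would start from."""
    events = parse_log(text)
    cats = categorize(events)
    return {
        "successful": len(cats["successful"]),
        "failed": len(cats["failed"]),
        "privileged": [(e["user"], e["action"], e.get("object")) for e in cats["privileged"]],
        "bursts": failed_logon_bursts(events),
    }


if __name__ == "__main__":
    for key, value in review_report().items():
        print(f"{key}: {value}")
```

The threshold and window are deliberately parameters: the right values depend on the system and on how many legitimate users mistype passwords, and a reviewer tunes them against the organization’s own logs rather than accepting a fixed number.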

Is Monitoring Legal?

As we discussed in Chapter 6, employees should have no expectation of privacy with respect to actions taken on company time or with company resources. The United States judiciary system has favored employers’ right to monitor in order to protect their interests. Among the reasons given in the Defense Counsel Journal are the following:

• The work is done at the employer’s place of business.

• The employer owns the equipment.

• The employer has an interest in monitoring employee activity to ensure the quality of work.

• The employer has the right to protect property from theft and fraud.

Court rulings suggest that reasonableness is a standard applying to surveillance and monitoring activities. Electronic monitoring is reasonable when there is a business purpose, policies exist to set the privacy expectations of employees, and employees are informed of organizational rules regarding network activities and understand the means used to monitor the workplace.

Acceptable use agreements should include a clause informing users that the company will and does monitor system activity. A commonly accepted practice is to present this statement to system users as a legal warning during the authentication process. Users must agree to company monitoring as a condition of logging on.


FYI: Small Business Note

One of the most significant information security challenges that small businesses face is not having dedicated IT or information security personnel. Very often, someone in the organization with “IT skills” is tapped to install and support critical devices such as firewalls, wireless access points, and networking components. The result is that these devices are often left in their default mode and not properly configured. Of particular concern is when the administrative account password is not changed. Attackers can easily obtain default passwords and take over the device. Passwords can be found in product documentation, and compiled lists are available on the Internet from sites such as www.defaultpassword.com/ and www.routerpasswords.com/.


Summary

Access controls are security features that govern how users and processes communicate and interact with systems and resources. The objective of implementing access controls is to ensure that authorized users and processes are able to access information and resources while unauthorized users and processes are prevented from access to the same. Access control models refer to the active entity that requests access to an object or data as the subject and the passive entity being accessed or being acted upon as the object.

An organization’s approach to access controls is referred to as its security posture. There are two fundamental approaches—open and secure. Open, also referred to as default allow, means that access not explicitly forbidden is permitted. Secure, also referred to as default deny, means that access not explicitly permitted is forbidden. Access decisions should consider the security principles of need-to-know and least privilege. Need-to-know means having a demonstrated and authorized reason for being granted access to information. Least privilege means granting subjects the minimum level of access required to perform their job or function.

Gaining access is a three-step process. The first step is for the object to recognize the subject. Identification is the process of the subject supplying an identifier such as a user name to the object. The next step is to prove that the subject is who they say they are. Authentication is the process of the subject supplying verifiable credentials to the object. The last step is determining the actions a subject can take. Authorization is the process of assigning authenticated subjects the rights and permissions needed to carry out a specific operation.

Authentication credentials are called factors. There are three categories of factors: knowledge (something the user knows), possession (something a user has), and inherence (something the user is). Single-factor authentication is when only one factor is presented. Multifactor authentication is when two or more factors are presented. Multilayer authentication is when two or more of the same type of factors are presented. Out-of-band authentication requires communication over a channel that is distinct from the first factor. Data classification, regulatory requirement, the impact of unauthorized access, and the likelihood of a threat being exercised must all be considered when deciding on the level of authentication required.

Once authentication is complete, an authorization model defines how subjects access objects. Mandatory access controls (MACs) are defined by policy and cannot be modified by the information owner. Discretionary access controls (DACs) are defined by the owner of the object. Role-based access controls (RBACs) (also called nondiscretionary) are access permissions based on a specific role or function. In a rule-based access controls environment, access is based on criteria that are independent of the user or group account, such as time of day or location.

A network infrastructure is defined as an interconnected group of hosts and devices. The infrastructure can be confined to one location or, as often is the case, widely distributed, including branch locations and home offices. Network segmentation is the process of logically grouping network assets, resources, and applications in order to stratify authentication requirements and security controls. Segments include enclaves, trusted networks, guest networks, perimeter networks (also referred to as a DMZ), and untrusted networks (including the Internet).

Layered security is the term applied to having different types of security measures designed to work in tandem with a single focus. The focus of layered border security is protecting the internal network from external threats. Firewalls are devices or software that control the flow of traffic between networks using ingress and egress filters. Egress filters can be supplemented by self-generated, open source, or subscription-based IP whitelists or blacklists. Whitelists are addresses (IP and/or Internet domain names) of known “good” sites. Conversely, blacklists are addresses (IP and/or Internet domain names) of known “bad” sites. Content-filtering applications can be used to restrict access by content category (such as violence, gaming, shopping, or pornography), time factors, application type, bandwidth use, and media. Intrusion detection systems (IDSs) are passive devices designed to analyze network traffic in order to detect unauthorized access or malevolent activity. Intrusion prevention systems (IPSs) are active devices that sit inline with traffic flow and can respond to identified threats by disabling the connection, dropping the packet, or deleting the malicious content.

The need to access internal corporate network resources from remote locations has become increasingly common. Users who work remotely (often from home) on a scheduled basis are referred to as teleworkers. VPNs and remote access portals can be used to provide secure remote access for authorized users. A virtual private network (VPN) provides a secure tunnel for transmitting data through an unsecured network such as the Internet. IPsec (short for IP Security) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer and is used by VPN devices.

A remote access portal offers access to one or more applications through a single centralized interface. Both mechanisms authenticate and authorize subjects. Best practices dictate that multifactor authentication is used for remote access connections. Network access control (NAC) systems can be used to “check” a remote access device based on defined criteria such as operating system version, security patches, antivirus software and DAT files, and wireless and firewall configurations before it is allowed to connect to the infrastructure.

Organizations are dynamic. New employees are hired, others change roles, some leave under friendly conditions, and others are involuntarily terminated. The objective of user access controls is to ensure that authorized users are able to access information and resources while unauthorized users are prevented from access to the same. Information owners are responsible for the authorization of access and ongoing oversight. Access control reviews should be conducted periodically, commensurate with the classification of the information being accessed, regulatory requirements, and the rate of turnover and/or reorganization of duties.

Access controls are configured and managed by users with administrative or elevated privileges. Although this is necessary, the concentration of power can be dangerous. Mitigating controls include segregation of duties and dual controls. Segregation of duties requires that tasks be assigned to individuals in a manner such that no one individual can control a process from start to finish. Dual control requires that two individuals must both complete their half of a specific task.

Oversight of user and administrator access reflects best practices and, in many cases, a regulatory requirement. At a minimum, three categories of user access should be logged and analyzed: successful access, failed access, and privileged operations. It is incumbent on the organization to institute a log review process as well as incident response procedures for at-risk or suspicious activity.

Access control management policies include Authentication Policy, Access Control Authorization Policy, Network Segmentation Policy, Border Device Security Policy, Remote Access Security Policy, Teleworking Policy, User Access Control and Authorization Policy, Administrative and Privileged Account Policy, and Monitoring System Access and Use Policy.

Test Your Skills

Multiple Choice Questions

1. Which of the following terms best describes access controls that are security features that govern how users and processes interact?

A. Objects

B. Resources

C. Processes

D. All of the above

2. Which of the following terms best describes the process of verifying the identity of a subject?

A. Accountability

B. Authorization

C. Access model

D. Authentication

3. Which of the following terms best describes the process of assigning authenticated subjects permission to carry out a specific operation?

A. Accountability

B. Authorization

C. Access model

D. Authentication

4. Which of the following terms best describes the active entity that requests access to an object or data?

A. Subject

B. Object

C. Resource

D. Factor

5. Which of the following security principles is best described as giving users the minimum access required to do their jobs?

A. Least access

B. Less protocol

C. Least privilege

D. Least process

6. Which of the following security principles is best described as prohibiting access to information not required for one’s work?

A. Access need security principle

B. Need-to-monitor security principle

C. Need-to-know security principle

D. Required information process security principle

7. Which type of access is allowed by the security principle of default deny?

A. Basic access is allowed.

B. Access that is not explicitly forbidden is permitted.

C. Access that is not explicitly permitted is forbidden.

D. None of the above.

8. Which of the following statements best describes the access rights of a user who has been granted Top Secret clearance at an organization that is using the mandatory access control (MAC) model?

A. The user can automatically access all Top Secret information.

B. The user can access only Top Secret information.

C. The user can access specific categories of Top Secret information.

D. The user can only access information up to the Top Secret level.

9. Who is responsible for DAC decisions?

A. Data owners

B. Data administrators

C. Data custodians

D. Data users

10. Which of the following terms best describes the control that is used when the SOP for user provisioning requires the actions of two systems administrators—one who can create and delete accounts and the other who assigns access permissions?

A. Least privilege

B. Segregation of duties

C. Need to know

D. Default deny all

11. Which of the following types of network, operating system, or application access controls is user agnostic and relies on specific criteria such as source IP address, time of day, and geographic location?

A. Mandatory

B. Role-based

C. Rule-based

D. Discretionary

12. Which of the following is not considered an authentication factor?

A. Knowledge

B. Inheritance

C. Possession

D. Biometric

13. Which of the following terms best describes authentication that requires two or more factors?

A. Dual control

B. Multifactor

C. Multiple-factor

D. Multilayer

14. Which of the following statements best describes reasons to change a password?

A. Passwords should be changed in order to increase the complexity of the password.

B. Passwords should be changed when there is a suspicion that the password has been compromised.

C. Passwords should be changed in order to create a unique password after a user initially logs on to a system using a default or basic password.

D. All of the above.

15. Which of the following terms best describes a type of password that is a form of knowledge-based authentication that requires a user to answer a question based on something familiar to them?

A. Categorical

B. Cognitive

C. Complex

D. Credential

16. Which of the following types of authentication requires two distinct and separate channels to authenticate?

A. In-band authentication

B. Mobile authentication

C. Out-of-band authentication

D. Out-of-wallet authentication

17. Which of the following terms best describes the internal network that is accessible to authorized users?

A. Trusted network

B. DMZ

C. The Internet

D. Semi-trusted network

18. Rules related to source and destination IP address, port, and protocol are used by a(n) _____ to determine access.

A. firewall

B. IPS

C. IDS

D. VPN

19. Which of the following statements is true of an intrusion detection system (IDS)?

A. An IDS can disable a connection.

B. An IDS can respond to identified threats.

C. An IDS uses signature-based detection and/or anomaly-based detection techniques.

D. An IDS can delete malicious content.

20. Which of the following terms best describes a VPN?

A. A VPN provides a secure tunnel for transmitting data through a untrusted network.

B. A VPN is a cost-effective solution for securing remote access.

C. Both A and B.

D. Neither A nor B.

21. Which of the following statements best describes mutual authentication?

A. Mutual authentication is used to auto-save passwords.

B. Mutual authentication is used to verify the legitimacy of the server before providing access credentials.

C. Mutual authentication is used to eliminate the need for multifactor authentication.

D. Mutual authentication is used to authorize access.

22. Network access controls (NAC) systems are used to “check” a remote device for which of the following?

A. Operating system version

B. Patch status

C. Wireless configuration

D. All of the above

23. Which of the following statements best describes teleworking?

A. An employee who talks on the telephone

B. An employee who uses his cell phone to access the Internet

C. An employee who works from a remote location on a scheduled basis

D. An employee who uses a mobile device to check email

24. Which of the following statements is not true of monitoring access?

A. Monitoring access mitigates the risks associated with misuse of privileges.

B. Monitoring access is illegal.

C. Monitoring access can identify user issues.

D. Monitoring access can provide oversight of administrative activities.

25. The objective of user access controls is to ensure that authorized users are able to access information and resources and that _______________________.

A. authorized users are able to work uninterrupted

B. unauthorized users are prevented from accessing information resources

C. authorized users can access the Internet

D. unauthorized activity is logged

26. Which of the following statements best describes whitelists?

A. Whitelists are IP addresses or Internet domain names of sites that are allowed.

B. Whitelists are IP addresses or Internet domain names of frequently used sites.

C. Whitelists are IP addresses or Internet domain names of known malware sites.

D. Whitelists are IP addresses or Internet domain names of sites that should be blocked.

27. Which of the following passwords is the strongest?

A. PetNameBob

B. PetN@meB0b

C. 8579377

D. H8djwk!!j4

28. Which type of information about user access should be logged and analyzed?

A. Successful access

B. Failed access

C. Privileged operations

D. All of the above

29. Which of the following types of authentication requires a user to enter a password and answer a question?

A. Single-factor authentication

B. Multifactor authentication

C. Multi-layer authentication

D. Out-of-band authentication

30. Access logs should be reviewed ______________.

A. daily

B. annually

C. when there is a suspicion of malicious activity

D. only by law enforcement personnel

Exercises

Exercise 9.1: Understanding Access Control Concepts

1. Define the following access control management terminology:

[Table of terms not reproduced in this extract]

2. Provide an example of an authentication control that affects you.

3. Provide an example of an authorization control that affects you.

Exercise 9.2: Managing User Accounts and Passwords

1. How many authentication factors does the email program you use require?

2. What are the required password characteristics for the email program you use? Include length, complexity, expiration, and banned words or phrases.

3. In your opinion, are the requirements adequate?

Exercise 9.3: Understanding Multifactor and Mutual Authentication

1. Find an image of or take a picture of a possession or inherence authentication device.

2. Find and describe an example of mutual authentication.

3. Explain how one of the preceding works.

Exercise 9.4: Analyzing Firewall Rule Sets

Firewall rule sets use source IP addresses, destination addresses, ports, and protocols.

1. Describe the function of each.

2. What is the purpose of the following rule?

Allow Src=10.1.23.54 dest=85.75.32.200 Proto=tcp 21

3. What is the purpose of the following rule?

Deny Src=ANY dest=ANY Proto=tcp 23
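The following Python example is added to accompany Exercise 9.4; it is not code from the textbook. It parses the two rules above, in the informal syntax the exercise uses (an assumption: real firewalls have their own rule languages), and evaluates constructed packets against them with first-match semantics and an implicit default deny. Running it shows the purpose of each rule: the first permits only FTP control traffic (tcp/21) from one internal host to one external host, and the second blocks telnet (tcp/23) from anywhere to anywhere.

```python
"""Added example (not from the textbook): a small evaluator for rules written in
the style of Exercise 9.4. The rule syntax is assumed from the two rules in the
exercise; the packets are constructed for illustration."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+src=(?P<src>\S+)\s+dest=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+(?P<port>\d+|any)$",
    re.IGNORECASE,
)


def parse_rule(text):
    """Parse one rule line into a dict; raise ValueError on anything unrecognised."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    return {
        "action": m["action"].lower(),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "port": None if m["port"].lower() == "any" else int(m["port"]),
    }


def _addr_matches(pattern, addr):
    """ANY matches everything; otherwise accept a single host or a CIDR prefix."""
    if pattern.upper() == "ANY":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, packet):
    """A rule matches when source, destination, protocol and port all agree."""
    return (
        _addr_matches(rule["src"], packet["src"])
        and _addr_matches(rule["dst"], packet["dst"])
        and rule["proto"] == packet["proto"].lower()
        and (rule["port"] is None or rule["port"] == packet["port"])
    )


def evaluate(rules, packet):
    """First matching rule wins; return (action, index of the rule that fired).
    A packet no rule mentions is denied: that is the default-deny posture the
    chapter recommends. An explicit Deny for telnet is still worth keeping near
    the top of the list so a later, broader Allow cannot quietly reopen it."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, packet):
            return rule["action"], index
    return "deny", None


# The two rules from Exercise 9.4, parsed once at import time.
EXERCISE_RULES = [parse_rule(r) for r in (
    "Allow Src=10.1.23.54 dest=85.75.32.200 Proto=tcp 21",
    "Deny Src=ANY dest=ANY Proto=tcp 23",
)]

# Constructed packets: the permitted FTP session, a neighbour trying the same,
# a telnet attempt, and the right hosts on the wrong protocol.
SAMPLE_PACKETS = [
    {"src": "10.1.23.54", "dst": "85.75.32.200", "proto": "tcp", "port": 21},
    {"src": "10.1.23.55", "dst": "85.75.32.200", "proto": "tcp", "port": 21},
    {"src": "192.0.2.7", "dst": "10.1.23.54", "proto": "tcp", "port": 23},
    {"src": "10.1.23.54", "dst": "85.75.32.200", "proto": "udp", "port": 21},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(EXERCISE_RULES, pkt))
```

Note that only the first packet is allowed; the second and fourth are denied by the implicit default rather than by any written rule, which is why the order of rules and the presence of a final default deny both need to be checked during a rule-set review.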

Exercise 9.5: Granting Administrative Access

1. Do you have administrative rights on your laptop, workstation, or tablet?

2. If yes, do you have the option to also have a normal user account? If no, who does?

3. Explain what is meant by the phrase “security context of the currently logged-in user.”

Projects

Project 9.1: Creating an RFP for Penetration Testing

You have been asked to send out a Red Team penetration testing Request for Proposal (RFP) document.

1. Explain what is meant by “Red Team.”

2. Find three companies to send the RFP to. Explain why you chose them.

3. The selected vendor will potentially have access to your network. What due diligence criteria should be included in the vendor-selection process? Select one of the companies from the previous step and find out as much as you can about them (for example, reputation, history, credentials).

Project 9.2: Reviewing User Access Permissions

Reviewing user access permissions can be a time-consuming and resource-intensive process and is generally reserved for applications or systems that have information classified as “protected” or “confidential.”

1. Should the student portal at your school be subject to an annual user access permission audit? If yes, why? If no, why not?

2. Automating review processes contributes to efficiency and accuracy. Research options for automating the user access review process and make a recommendation.

Project 9.3: Developing Telecommuting Best Practices

Your organization has decided to allow users the option of working from home.

1. Make a list of six security issues that must be considered.

2. Note your recommendations for each issue and detail any associated security control.

3. Assume that your recommendations have been accepted. You have now been tasked with training teleworkers. Create a presentation that explains “work from home” security best practices.

References

Regulations Cited

“Supplement to Authentication in an Internet Banking Environment,” issued by the Federal Financial Institutions Examination Council, 6/28/2011.

“The Telework Enhancement Act of 2010, Public Law 111-292,” official website of the Government Printing Office, accessed 07/2013, www.gpo.gov/fdsys/pkg/PLAW-111publ292/.../PLAW-111publ292.pdf.

Other References

“IDS vs. IPS Explained,” accessed 07/2013, www.comparebusinessproducts.com/fyi/ids-vs-ips.

“Mandatory, Discretionary, Role and Rule Based Access Control,” accessed 07/2013, www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control.

Mohindra, Dhruv. “POS02-C. Follow the principle of least privilege,” accessed 07/2013, www.securecoding.cert.org/confluence/display/seccode/POS02-C.+Follow+the+principle+of+least+privilege.

Nilssonandeers. “Statistics of 450,000 leaked Yahoo Accounts,” Pastebin, accessed 07/2013, http://pastebin.com/2D6bHGTa.

Protalinski, Emil, “Yahoo Hack: Is yours one of them?” ZDNet, July 12, 2012, accessed 07/2013, www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/.

Saltzer, J. H. and Schroeder, M. D. “The Protection of Information in Computer Systems,” Proceedings of the IEEE, Vol. 63, No. 9 (Sept. 1975).

“The Telecommuter Infographic, An Analysis of the World’s Remote Workforce,” MySammy LLC, accessed 07/2013, www.mysammy.com/infographics-telecommuter.

“Our Vision and Mission,” TelCoa, accessed 07/2013, www.telcoa.org/about-us/our-vision-and-mission/.

“What is Telecommuting?” Emory University WorkLife Resource Center, accessed 07/2013, www.worklife.emory.edu/workplaceflexibility/telecommuting/whatis.html.
