Official (ISC)2 Certified in Cybersecurity (CC) Self-Paced Training. (Chapter 3: Access Control Concepts)
Chapter 3: Access Control Concepts
Chapter 3 Agenda
Module 1: Understand Access Control Concepts (D3.1, D3.2)
Module 2: Understand Physical Access Controls (D3.1)
Module 3: Understand Logical Access Controls (D3.2)
Chapter 3 Overview
Let’s take a more detailed look at the types of access control that every information security professional should be familiar with. We will discuss both physical and logical controls and how they are combined to strengthen the overall security of an organization. This is where we describe who gets access to what, why access is necessary, and how that access is managed.
Learning Objectives
Domain 3: Access Control Concepts Objectives
After completing this chapter, the participant will be able to:
L3
Select access controls that are appropriate in a given scenario.
L3.1.1
Relate access control concepts and processes to given scenarios.
L3.2.1
Compare various physical access controls.
L3.3.1
Describe logical access controls.
L3.4.1
Practice the terminology of access controls and review concepts of access controls.
Chapter at a Glance
While working through Chapter 3, Access Controls Concepts, make sure to:
- Complete the Knowledge Check: Roles and Permissions
- Complete the Knowledge Check: Privileged Access Management
- Complete the Knowledge Check: Physical Access Controls
- Complete the Knowledge Check: Reading Users’ Credentials
- View the Chapter 3 Summary
- Take the Chapter 3 Quiz
- View the Terms and Definitions
Module 1: Understand Access Control Concepts
Domain D3.1, D3.1.3, D3.1.5, D3.2, D3.2.1, D3.2.2, D3.2.5
Module Objective
- L3.1.1 Relate access control concepts and processes given scenarios.
Manny: In the last module, we covered all the planning that goes into incident response and
disaster recovery. But how do security professionals protect information from falling into the
wrong hands in the first place?
Tasha: That's the topic of our next module. Information security professionals are like
gatekeepers, controlling who gets access to which systems and data, why they get certain
permissions or not, and how. Let's find out more about these access control concepts.
What is Security Control?
A control is a safeguard or countermeasure designed to preserve Confidentiality, Integrity and Availability of data. This, of course, is the CIA Triad.
Access control involves limiting what objects can be available to what subjects according to what rules. We will further define objects, subjects and rules later in this chapter. For now, remember these three words, as they are the foundation upon which we will build.
One brief example of a control is a firewall, which is included in a system or network to prevent something from the outside from coming in and disturbing or compromising the environment. The firewall can also prevent information on the inside from going out into the Web where it could be viewed or accessed by unauthorized individuals.
Controls Overview
It can be argued that access controls are the heart of an information security program. Earlier in this course we looked at security principles through foundations of risk management, governance, incident response, business continuity and disaster recovery. But in the end, security all comes down to, “who can get access to organizational assets (buildings, data, systems, etc.) and what can they do when they get access?”
Access controls are not just about restricting access to information systems and data, but also about allowing access. It is about granting the appropriate level of access to authorized personnel and processes and denying access to unauthorized functions or individuals.
Access is based on three elements:
Click on each tab to learn more.
Controls and Risks
Narrator: A control serves to reduce the risk to where it is within the risk tolerance of the
individual or organization. A physical control would be a seat belt. An administrative control
would be a law requiring the use of the seatbelt. Both of these serve to reduce the risk of
driving to a degree that is acceptable to the driver and to society.
Another non-technical example is that of a tall bookshelf. Since there is a risk of a tall bookshelf
toppling over and possibly hurting someone, many local building codes or regulations require
bookshelves to be secured to a wall using a strap or a bracket. In this case, the risk is the injury
to people. A logical control is the building code, and the actual attachment of the shelf to the
wall is the physical control. Both logical and physical controls work together to mitigate the
risk.
Controls Assessments
Risk reduction depends on the effectiveness of the control. It must apply to the current situation and adapt to a changing environment.
Consider a scenario where part of an office building is being repurposed for use as a secure storage facility. Due to the previous use of the area, there are 5 doors which must be secured before confidential files can be stored there. When securing a physical location, there are several things to consider. To keep the information the most secure, it might be recommended to install biometric scanners on all doors. A site assessment will determine if all five doors need biometric scanners, or if only one or two doors need scanners. The remaining doors could be permanently secured, or if the budget permits, the doors could be removed and replaced with a permanent wall. Most importantly, the cost of implementing the controls must align with the value of what is being protected. If multiple doors secured by biometric locks are not necessary, and the access to the area does not need to be audited, perhaps a simple deadbolt lock on all of the doors will provide the correct level of control.Defense in Depth
As you can see, we are not just looking at system access. We are looking at all access permissions including building access, access to server rooms, access to networks and applications and utilities. These are all implementations of access control and are part of a layered defense strategy, also known as defense in depth, developed by an organization.
Defense in depth describes an information security strategy that integrates people, technology and operations capabilities to establish variable barriers across multiple layers and missions of the organization. It applies multiple countermeasures in a layered fashion to fulfill security objectives. Defense in depth should be implemented to prevent or deter a cyberattack, but it cannot guarantee that an attack will not occur.
A technical example of defense in depth, in which multiple layers of technical controls are implemented, is when a username and password are required for logging in to your account, followed by a code sent to your phone to verify your identity. This is a form of multi-factor authentication using methods on two layers, something you have and something you know. The combination of the two layers is much more difficult for an adversary to obtain than either of the authentication codes individually.
Another example of multiple technical layers is when additional firewalls are used to separate untrusted networks with differing security requirements, such as the internet from trusted networks that house servers with sensitive data in the organization. When a company has information at multiple sensitivity levels, it might require the network traffic to be validated by rules on more than one firewall, with the most sensitive information being stored behind multiple firewalls.
For a non-technical example, consider the multiple layers of access required to get to the actual data in a data center. First, a lock on the door provides a physical barrier to access the data storage devices. Second, a technical access rule prevents access to the data via the network. Finally, a policy, or administrative control defines the rules that assign access to authorized individuals.
Defense in Depth Practice
Narrator: A data center might have multiple layers of defense. We would have administrative
controls, such as policies and procedures. Then logical or technical controls, which include
programming to limit access. There are also physical controls, which we sometimes forget
about in our highly technical world. Regardless of how much we focus on cloud computing and
virtualization, there is always a physical location where information is being stored or
processed in a physical hard drive in a physical computer. Even in a data center in a large
organization that provides cloud computing services, for example, there is still a physical aspect
of information storage and processing.
Principle of Least Privilege
The Principle of Least Privilege is a standard of permitting only minimum access necessary for users or programs to fulfill their function. Users are provided access only to the systems and programs they need to perform their specific job or tasks.
Tasha: Gabriela is a recent new hire at JavaSip, and she's reached out to Nate for some help.
Gabriela: Hey Nate?
Nate: Yep?
Gabriela: I accidentally submitted my timecard already, and I can't get into the payroll system
to fix it.
Nate: Well, of course you can’t get into the system. Only the manager, that's me, can get into
the payroll system. Otherwise, we'd risk everyone giving themselves raises, not to mention
having access to other employees' confidential information. Here, let me show you. There it is.
Gabriela: Oh. Yeah.
Nate: All good.
Gabriela: Thanks!
Nate: Welcome.
Tasha: Nate explains to Gabriela that her access to the system is limited by her role. She doesn't
have the proper permissions to make changes to her timecard, just to complete and submit it.
That's all she needs to do in her position, so she is restricted from other functions in the system,
but he's happy to help and reassures Gabriela that he will make the necessary changes.
Examples of Least Privilege
To preserve the confidentiality of information and ensure that it is only available to personnel who are authorized to see it, we use privileged access management, which is based on the principle of least privilege. That means each user is granted access only to the items they need and nothing further.
For example, only individuals working in billing will be allowed to view consumer financial data, and even fewer individuals will have the authority to change or delete that data. This maintains confidentiality and integrity while also allowing availability by providing administrative access with an appropriate password or sign-on that proves the user has the appropriate permissions to access that data.
Sometimes it is necessary to allow users to access the information via a temporary or limited access, for instance, for a specific time period or just within normal business hours. Or access rules can limit the fields that the individuals can have access to. One example is a healthcare environment. Some workers might have access to patient data but not their medical data. Individual doctors might have access only to data related to their own patients. In some cases, this is regulated by law, such as HIPAA in the United States, and by specific privacy laws in other countries.
Systems often monitor access to private information, and if logs indicate that someone has attempted to access a database without the proper permissions, that will automatically trigger an alarm. The security administrator will then record the incident and alert the appropriate people to take action.
The more critical information a person has access to, the greater the security should be around that access. They should definitely have multi-factor authentication, for instance.Privileged Access Management
Privileged access management provides the first and perhaps most familiar use case. Consider a human user identity that is granted various create, read, update, and delete privileges on a database. Without privileged access management, the system’s access control would have those privileges assigned to the administrative user in a static way, effectively “on” 24 hours a day, every day. Security would be dependent upon the login process to prevent misuse of that identity. Just-in-time privileged access management, by contrast, includes role-based specific subsets of privileges that only become active in real time when the identity is requesting the use of a resource or service.
Consider this scenario explaining why privileged access management is important:
ABC, Inc., has a small IT department that is responsible for user provisioning and administering systems. To save time, the IT department employees added their IDs to the Domain Admins group, effectively giving them access to everything within the Windows server and workstation environment. While reviewing an invoice that was received via email, they opened an email that had a malicious attachment that initiated a ransomware attack. Since they are using Domain Admin privileges, the ransomware was able to encrypt all the files on all servers and workstations. A privileged access management solution could limit the damage done by this ransomware if the administrator privileges are only used when performing a function requiring that level of access. Routine operations, such as daily email tasks, are done without a higher level of access.
Privileged Accounts
Privileged accounts are those with permissions beyond those of normal users, such as managers and administrators.
Broadly speaking, these accounts have elevated privileges and are used by many different classes of users, including:
- Systems administrators, who have the principal responsibilities for operating systems, applications deployment and performance management.
- Help desk or IT support staff, who often need to view or manipulate endpoints, servers and applications platforms by using privileged or restricted operations.
- Security analysts, who may require rapid access to the entire IT infrastructure, systems, endpoints and data environment of the organization.
Other classes of privileged user accounts may be created on a per-client or per-project basis, to allow a member of that project or client service team to have greater control over data and applications.
These few examples indicate that organizations often need to delegate the capability to manage and protect information assets to various managerial, supervisory, support or leadership people, with differing levels of authority and responsibility. This delegation, of course, should be contingent upon trustworthiness, since misuse or abuse of these privileges could lead to harm for the organization and its stakeholders.
Typical measures used for moderating the potential for elevated risks from misuse or abuse of privileged accounts include the following:
- More extensive and detailed logging than regular user accounts. The record of privileged actions is vitally important, as both a deterrent (for privileged account holders that might be tempted to engage in untoward activity) and an administrative control (the logs can be audited and reviewed to detect and respond to malicious activity).
- More stringent access control than regular user accounts. As we will see emphasized in this course, even nonprivileged users should be required to use MFA methods to gain access to organizational systems and networks. Privileged users—or more accurately, highly trusted users with access to privileged accounts—should be required to go through additional or more rigorous authentication prior to those privileges. Just-in-time identity should also be considered as a way to restrict the use of these privileges to specific tasks and the times in which the user is executing them.
- Deeper trust verification than regular user accounts. Privileged account holders should be subject to more detailed background checks, stricter nondisclosure agreements and acceptable use policies, and be willing to be subject to financial investigation. Periodic or event-triggered updates to these background checks may also be in order, depending on the nature of the organization’s activities and the risks it faces.
- More auditing than regular user accounts. Privileged account activity should be monitored and audited at a greater rate and extent than regular usage.
Click on the plus sign + below to learn more.
Let's consider the Help Desk role. In order to provide the level of service customers demand, it may be necessary for your Help Desk personnel to reset passwords and unlock user accounts. In a Windows environment, this typically requires “domain admin” privileges. However, these two permissions can be granted alone, giving the Help Desk personnel a way to reset passwords without giving them access to everything in the Windows domain, such as adding new users or changing a user’s information. These two actions should be logged and audited on a regular basis to ensure that any password resets were requested by the end user. This can be done by automatically generating a daily list of password resets to be compared to Help Desk tickets. This scenario allows the Help Desk personnel to resolve password-related issues on the first call while doing so in a safe and secure manner.Segregation of Duties
A core element of authorization is the principle of segregation of duties (also known as separation of duties). Segregation of duties is based on the security practice that no one person should control an entire high-risk transaction from start to finish. Segregation of duties breaks the transaction into separate parts and requires a different person to execute each part of the transaction. For example, an employee may submit an invoice for payment to a vendor (or for reimbursement to themselves), but it must be approved by a manager prior to payment; in another instance, almost anyone may submit a proposal for a change to a system configuration, but the request must go through technical and management review and gain approval, before it can be implemented.
These steps can prevent fraud or detect an error in the process before implementation. It could be that the same employee might be authorized to originally submit invoices regarding one set of activities, but not approve them, and yet also have approval authority but not the right to submit invoices on another. It is possible, of course, that two individuals can willfully work together to bypass the segregation of duties, so that they could jointly commit fraud. This is called collusion.
Another implementation of segregation of duties is dual control. This would apply at a bank where there are two separate combination locks on the door of the vault. Some personnel know one of the combinations and some know the other, but no one person knows both combinations. Two people must work together to open the vault; thus, the vault is under dual control.
Two-Person Integrity
Authorized Versus Unauthorized Personnel
Subjects are authorized access to objects after they have been
authenticated. Remember from earlier sections that authentication is
confirming the identity of the subject. Once a subject has been
authenticated, the system checks its authorization to see if it is
allowed to complete the action it is attempting. This is usually done
via a security matrix accessed by the system controlling the access,
based on pre-approved levels. For example, when a person presents an ID
badge to the data center door, the system checks the ID number, compares
that to a security matrix within the system, and unlocks the door if
the ID is authorized. If the ID is not authorized to unlock the door, it
will remain locked. In another example, a user attempts to delete a
file. The file system checks the permissions to see if the user is
authorized to delete the file. If the user is authorized, the file is
deleted. If the user is not authorized, an error message is displayed,
and the file is left untouched.
How Users Are Provisioned
Other situations that call for provisioning new user accounts or changing privileges include:
- A new employee—When a new employee is hired, the hiring manager sends a request to the security administrator to create a new user ID. This request authorizes creation of the new ID and provides instructions on appropriate access levels. Additional authorization may be required by company policy for elevated permissions.
- Change of position—When an employee has been promoted, their permissions and access rights might change as defined by the new role, which will dictate any added privileges and updates to access. At the same time, any access that is no longer needed in the new job will be removed.
- Separation of employment—When employees leave the company, depending on company policy and procedures, their accounts must be disabled after the termination date and time. It is recommended that accounts be disabled for a period before they are deleted to preserve the integrity of any audit trails or files that may be owned by the user. Since the account will no longer be used, it should be removed from any security roles or additional access profiles. This protects the company, so the separated employee is unable to access company data after separation, and it also protects them because their account cannot be used by others to access data.
NOTE: Upon hiring or changing roles, a best practice is to not copy user profiles to new users, because this promotes “permission or privilege creep.” For example, if an employee is given additional access to complete a task and that access is not removed when the task is completed, and then that user’s profile is copied to create a new user ID, the new ID is created with more permissions than are needed to complete their functions. It is recommended that standard roles are established, and new users are created based on those standards rather than an actual user.
Tasha: Whether a user is authorized or unauthorized depends on their user provisioning, which is an
identity management process for creating and managing access to resources and information systems.
Manny: While we usually think of user provisioning as creating new accounts, there are several different
situations which require action by a security administrator who is responsible for provisioning user
accounts.
Tasha: In fact, Susan finds herself in a situation that requires changes to a user’s provisioning. Let's
check in with her as she notifies the security administrator of this change.
Susan is talking to her securityadministrator.
Susan: One of my employees will be taking a temporary leave of absence. Dimitra, she’s going to be
taking a sabbaticalfrom work and she’s not going to need access to the systems
Manny: Since Dimitra will not be accessing the systems, the security admin recommends disabling her
accounts while she is not at work. This reduces the risk that her account could be used by an
unauthorized person while she is on leave. He tells Susan to make the request, and then, according to
the company policy and procedures, he will disable Dimitra's login account, so she is not allowed to log
in to the company systems while out on leave.
Susan: So, will this make things complicated when Dimitra returns to work? Oh, I see. Even though the
account is disabled, but not otherwise modified, it will be easy to reactivate it once she returns. That's
great news, because I’m going to need her up and running as soon as she gets back.
Roles and Permissions
The indicates the correct selection.
Privileged Access Management(Question)
Privileged Access Management
The indicates the correct selection.
The Benefit of Multiple Controls
Integrity and Availability of data. We also discussed defense-in-depth as an implementation of
multiple technical controls. Now, we will look at a scenario that uses multiple controls across
the spectrum, including physical, technical and administrative controls.
Payroll is one area in nearly every organization that requires multiple levels of controls to
ensure money is not mishandled. Most will agree that just a single control is too risky, so
multiple controls are often implemented.
To prevent payroll personnel from creating a fictional employee and processing a check for that
employee, a logical (or technical) control is to ensure that a person who processes payroll is not
able to create a new employee record AND process the check print file. A physical control that
helps reinforce that technical control is to ensure the actual paper media that checks are
printed on is secured in a place that is not accessible to the person processing payroll. Both of
these controls can be further enforced by creating an administrative control (or policy) that
regularly audits the technical and physical controls by reviewing new employees added to the
system and by logging and verifying the number on physical checks.
Small and medium businesses have a particular challenge when it comes to technical controls,
as they often do not have sufficient personnel to separate the duties within the payroll system.
In this case, it may become necessary to implement only physical and logical controls that align
with the business needs.
Module 2: Understand Physical Access Controls
Domain D3.1, D3.1.1, D3.1.2
Module Objective
- L3.2.1 Compare various physical access controls.
actors, but isn't there a risk of losing information through methods other than technology like break-ins
and stolen laptops?
Tasha: That's right. Simply locking your doors is a great start when protecting data. If a thief can't get
into your building, then there's less opportunity for unauthorized access to your equipment, files, and
personal information. In this module, we will explore and compare the most common physical access
controls employed by organizations to safeguard buildings, property, and people.
What Are Physical Security Controls?
Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical access controls include security guards, fences, motion detectors, locked doors/gates, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, cameras, mantraps/turnstiles, and alarms.
Physical access controls are necessary to protect the assets of a company, including its most important asset, people. When considering physical access controls, the security of the personnel always comes first, followed by securing other physical assets.
Why Have Physical Security Controls?
Physical access controls include fences, barriers, turnstiles, locks and other features that prevent unauthorized individuals from entering a physical site, such as a workplace. This is to protect not only physical assets such as computers from being stolen, but also to protect the health and safety of the personnel inside.
Badge Systems and Gate Entry
Physical security controls for human traffic are often done with technologies such as turnstiles, mantraps and remotely or system-controlled door locks. For the system to identify an authorized employee, an access control system needs to have some form of enrollment station used to assign and activate an access control device. Most often, a badge is produced and issued with the employee’s identifiers, with the enrollment station giving the employee specific areas that will be accessible. In high-security environments, enrollment may also include biometric characteristics. In general, an access control system compares an individual’s badge against a verified database. If authenticated, the access control system sends output signals allowing authorized personnel to pass through a gate or a door to a controlled area. The systems are typically integrated with the organization’s logging systems to document access activity (authorized and unauthorized)
A range of card types allow the system to be used in a variety of environments. These cards include:
- Bar code
- Magnetic stripe
- Proximity
- Smart
- Hybrid
Environmental Design
Crime Prevention through Environmental Design (CPTED) approaches the challenge of creating safer workspaces through passive design elements. This has great applicability for the information security community as security professionals design, operate and assess the organizational security environment. Other practices, such as standards for building construction and data centers, also affect how we implement controls over our physical environment. Security professionals should be familiar with these concepts so they can successfully advocate for functional and effective physical spaces where information is going to be created, processed and stored.
CPTED provides direction to solve the challenges of crime with organizational (people), mechanical (technology and hardware) and natural design (architectural and circulation flow) methods. By directing the flow of people, using passive techniques to signal who should and should not be in a space and providing visibility to otherwise hidden spaces, the likelihood that someone will commit a crime in that area decreases.
Biometrics
To authenticate a user’s identity, biometrics uses characteristics unique to the individual seeking access. A biometric authentication solution entails two processes.
- Enrollment—during the enrollment process, the user’s registered biometric code is either stored in a system or on a smart card that is kept by the user.
- Verification—during the verification process, the user presents their biometric data to the system so that the biometric data can be compared with the stored biometric code.
Even though the biometric data may not be secret, it is personally identifiable information, and the protocol should not reveal it without the user’s consent. Biometrics takes two primary forms, physiological and behavioral.
Physiological systems measure the characteristics of a person such as a fingerprint, iris scan (the colored portion around the outside of the pupil in the eye), retinal scan (the pattern of blood vessels in the back of the eye), palm scan and venous scans that look for the flow of blood through the veins in the palm. Some biometrics devices combine processes together—such as checking for pulse and temperature on a fingerprint scanner—to detect counterfeiting.
Behavioral systems measure how a person acts by measuring voiceprints, signature dynamics and keystroke dynamics. As a person types, a keystroke dynamics system measures behavior such as the delay rate (how long a person holds down a key) and transfer rate (how rapidly a person moves between keys).
Biometric systems are considered highly accurate, but they can be expensive to implement and maintain because of the cost of purchasing equipment and registering all users. Users may also be uncomfortable with the use of biometrics, considering them to be an invasion of privacy or presenting a risk of disclosure of medical information (since retina scans can disclose medical conditions). A further drawback is the challenge of sanitization of the devices.
Monitoring
The use of physical access controls and monitoring personnel and equipment entering and leaving as well as auditing/logging all physical events are primary elements in maintaining overall organizational security.
Monitoring Examples
Select each plus sign hotspot to learn more about each topic.
Cameras
Cameras are normally integrated into the overall security program and centrally monitored. Cameras provide a flexible method of surveillance and monitoring. They can be a deterrent to criminal activity, can detect activities if combined with other sensors and, if recorded, can provide evidence after the activity They are often used in locations where access is difficult or there is a need for a forensic record.
While cameras provide one tool for monitoring the external perimeter of facilities, other technologies augment their detection capabilities. A variety of motion sensor technologies can be effective in exterior locations. These include infrared, microwave and lasers trained on tuned receivers. Other sensors can be integrated into doors, gates and turnstiles, and strain-sensitive cables and other vibration sensors can detect if someone attempts to scale a fence. Proper integration of exterior or perimeter sensors will alert an organization to any intruders attempting to gain access across open space or attempting to breach the fence line.
Logs
In this section, we are concentrating on the use of physical logs, such as a sign-in sheet maintained by a security guard, or even a log created by an electronic system that manages physical access. Electronic systems that capture system and security logs within software will be covered in another section.
A log is a record of events that have occurred. Physical security logs are essential to support business requirements. They should capture and retain information as long as necessary for legal or business reasons. Because logs may be needed to prove compliance with regulations and assist in a forensic investigation, the logs must be protected from manipulation. Logs may also contain sensitive data about customers or users and should be protected from unauthorized disclosure.
The organization should have a policy to review logs regularly as part of their organization’s security program. As part of the organization’s log processes, guidelines for log retention must be established and followed. If the organizational policy states to retain standard log files for only six months, that is all the organization should have.
A log anomaly is anything out of the ordinary. Identifying log anomalies is often the first step in identifying security-related issues, both during an audit and during routine monitoring. Some anomalies will be glaringly obvious: for example, gaps in date/time stamps or account lockouts. Others will be harder to detect, such as someone trying to write data to a protected directory. Although it may seem that logging everything so you would not miss any important data is the best approach, most organizations would soon drown under the amount of data collected.
Business and legal requirements for log retention will vary among economies, countries and industries. Some businesses will have no requirements for data retention. Others are mandated by the nature of their business or by business partners to comply with certain retention data. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that businesses retain one year of log data in support of PCI. Some federal regulations include requirements for data retention as well.
If a business has no business or legal requirements to retain log data, how long should the organization keep it? The first people to ask should be the legal department. Most legal departments have very specific guidelines for data retention, and those guidelines may drive the log retention policy.
Security Guards
Security guards are an effective physical security control. No matter what form of physical access control is used, a security guard or other monitoring system will discourage a person from masquerading as someone else or following closely on the heels of another to gain access. This helps prevent theft and abuse of equipment or information.Alarm Systems
Alarm systems are commonly found on doors and windows in homes and office buildings. In their simplest form, they are designed to alert the appropriate personnel when a door or window is opened unexpectedly.
For example, an employee may enter a code and/or swipe a badge to open a door, and that action would not trigger an alarm. Alternatively, if that same door was opened by brute force without someone entering the correct code or using an authorized badge, an alarm would be activated.
Another alarm system is a fire alarm, which may be activated by heat or smoke at a sensor and will likely sound an audible warning to protect human lives in the vicinity. It will likely also contact local response personnel as well as the closest fire department.
Finally, another common type of alarm system is in the form of a
panic button. Once activated, a panic button will alert the appropriate
police or security personnel.
Physical Access Controls
Correct answer: C. Badges
Badges are not a source of biometric data. All other options presented are considered unique identifiers that are commonly accepted by biometric authentication systems.
Users’ Credentials
Correct answer: D.
Swiped, inserted and placed on or near a reader are all ways the user’s credentials are read so they can be transmitted to a logical access control system.
Module 3: Understand Logical Access Controls
Domain D3.2, D3.2.3, D3.2.4, D3.2.5
Module Objective
- L3.3.1 Describe logical access controls.
Manny: It's pretty easy to picture physical controls, and we've all used passwords and other kinds of
access controls, but what are logical access controls?
Tasha: This gets a little more technical. The parameters that are set up within a system can affect who
has access to certain information and what they can do with it. For example, a system could be
configured so that anyone who has permission to edit a file also has permission to copy it and share it
with someone else.
Manny: We'll learn more in this module about different types of logical controls.
What are Logical Access Controls?
Whereas physical access controls are tangible methods or mechanisms that limit someone from getting access to an area or asset, logical access controls are electronic methods that limit someone from getting access to systems, and sometimes even to tangible assets or areas. Types of logical access controls include:
- Passwords
- Biometrics (implemented on a system, such as a smartphone or laptop)
- Badge/token readers connected to a system
These types of electronic tools limit who can get logical access to an asset, even if the person already has physical access.
Discretionary Access Control (DAC)
Discretionary access control (DAC) is a specific type of access control policy that is enforced over all subjects and objects in an information system. In DAC, the policy specifies that a subject who has been granted access to information can do one or more of the following:
- Pass the information to other subjects or objects
- Grant its privileges to other subjects
- Change security attributes on subjects, objects, information systems or system components
- Choose the security attributes to be associated with newly created or revised objects; and/or
- Change the rules governing access control; mandatory access controls restrict this capability
Most information systems in the world are DAC systems. In a DAC system, a user who has access to a file is usually able to share that file with or pass it to someone else. This grants the user almost the same level of access as the original owner of the file. Rule-based access control systems are usually a form of DAC.
Discretionary Access Control (DAC)
DAC Example
Discretionary access control systems allow users to establish or change these permissions on files they create or otherwise have ownership of.
Steve and Aidan, for example, are two users (subjects) in a UNIX environment operating with DAC in place. Typically, systems will create and maintain a table that maps subjects to objects, as shown in the image. At each intersection is the set of permissions that a given subject has for a specific object. Many operating systems, such as Windows and the whole Unix family tree (including Linux) and iOS, use this type of data structure to make fast, accurate decisions about authorizing or denying an access request. Note that this data can be viewed as either rows or columns:
- An object’s access control list shows the total set of subjects who have any permissions at all for that specific object.
- A subject’s capabilities list shows each object in the system that said subject has any permissions for.
This methodology relies on the discretion of the owner of the access control object to determine the access control subject’s specific rights. Hence, security of the object is literally up to the discretion of the object owner. DACs are not very scalable; they rely on the access control decisions made by each individual object owner, and it can be difficult to find the source of access control issues when problems occur.
DAC in the Workplace
Most information systems are DAC systems. In a DAC system, a user who has access to a file is able to share that file with or pass it to someone else. It is at the discretion of the asset owner whether to grant or revoke access for a user. For access to computer files, this can be shared file or password protections. For example, if you create a file in an online file sharing platform you can restrict who sees it. That is up to your discretion. Or it may be something low-tech and temporary, such as a visitor’s badge provided at the discretion of the worker at the security desk.
Mandatory Access Control (MAC)
A mandatory access control (MAC) policy is one that is uniformly enforced across all subjects and objects within the boundary of an information system. In simplest terms, this means that only properly designated security administrators, as trusted subjects, can modify any of the security rules that are established for subjects and objects within the system. This also means that for all subjects defined by the organization (that is, known to its integrated identity management and access control system), the organization assigns a subset of total privileges for a subset of objects, such that the subject is constrained from doing any of the following:
- Passing the information to unauthorized subjects or objects
- Granting its privileges to other subjects
- Changing one or more security attributes on subjects, objects, the information system or system components
- Choosing the security attributes to be associated with newly created or modified objects
- Changing the rules governing access control
Although MAC sounds very similar to DAC, the primary difference is who can control access. With Mandatory Access Control, it is mandatory for security administrators to assign access rights or permissions; with Discretionary Access Control, it is up to the object owner’s discretion.
MAC in the Workplace
Mandatory access control is also determined by the owner of the assets, but on a more across-the-board basis, with little individual decision-making about who gets access.
For example, at certain government agencies, personnel must have a certain type of security clearance to get access to certain areas. In general, this level of access is set by government policy and not by an individual giving permission based on their own judgment.
Often this is accompanied by separation of duties, where your scope of work is limited and you do not have access to see information that does not concern you; someone else handles that information. This separation of duties is also facilitated by role-based access control, as we will discuss next.
Role-Based Access Control (RBAC)
Role-based access control (RBAC),
as the name suggests, sets up user permissions based on roles. Each
role represents users with similar or identical permissions.
Narrator: A role is created and assigned the access required for personnel working in that role. When a
user takes on a job, the administrator assigns them to the appropriate role. If a user leaves that role, the
administrator removes that user and then access for that user associated with that role is removed.
RBAC works well in an environment with high staff turnover and multiple personnel with similar access
requirements.
RBAC in the Workplace
Role-based access control provides each worker privileges based on what role they have in the organization. Only Human Resources staff have access to personnel files, for example; only Finance has access to bank accounts; each manager has access to their own direct reports and their own department. Very high-level system administrators may have access to everything; new employees would have very limited access, the minimum required to do their jobs.
Monitoring these role-based permissions is important, because if you expand one person’s permissions for a specific reason—say, a junior worker’s permissions might be expanded so they can temporarily act as the department manager—but you forget to change their permissions back when the new manager is hired, then the next person to come in at that junior level might inherit those permissions when it is not appropriate for them to have them. This is called privilege creep or permissions creep. We discussed this before, when we were talking about provisioning new users.
Having multiple roles with different combinations of permissions can require close monitoring to make sure everyone has the access they need to do their jobs and nothing more. In this world where jobs are ever-changing, this can sometimes be a challenge to keep track of, especially with extremely granular roles and permissions. Upon hiring or changing roles, a best practice is to not copy user profiles to new users. It is recommended that standard roles are established, and new users are created based on those standards rather than an actual user. That way, new employees start with the appropriate roles and permissions.
Chapter 3: Terms and Definitions
- Audit - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B
- Crime Prevention through Environmental Design (CPTED) - An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.
- Defense in Depth - Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4
- Discretionary Access Control (DAC) - A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192
- Encrypt - To protect private information by putting it into a form that can only be read by people who have permission to do so.
- Firewalls - Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
- Insider Threat - An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32
- iOS - An operating system manufactured by Apple Inc. Used for mobile devices.
- Layered Defense - The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.
- Linux - An operating system that is open source, making its source code legally available to end users.
- Log Anomaly - A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.
- Logging - Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.
- Logical Access Control Systems - An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev.5.
- Mandatory Access Control - Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.
- Mantrap - An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.
- Object - Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4
- Physical Access Controls - Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
- Principle of Least Privilege - The principle that users and programs should have only the minimum privileges necessary to complete their tasks. NIST SP 800-179
- Privileged Account - An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4
- Ransomware - A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid.
- Role-based access control (RBAC) - An access control system that sets up user permissions based on roles.
- Rule - An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.
- Segregation of Duties - The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.
- Subject - Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP800-53 R4
- Technical Controls - The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
- Turnstile - A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.
- Unix - An operating system used in software development.
- User Provisioning - The process of creating, maintaining and deactivating user identities on a system.
Comments
Post a Comment