3.2 Access Control Flashcards
3.2.1 Physical Access Controls
Physical access controls are actual barriers deployed to prevent direct physical contact with systems. The goal is to prevent unauthorized users from gaining physical access to facilities, equipment, and other organizational assets.
For example, physical access control determines who can enter (or exit), where they can enter (or exit), and when they can enter (or exit).
3.2.2 Logical Access Controls
Logical access controls are the hardware and software solutions used to manage access to resources and systems. These technology-based solutions include tools and protocols that computer systems use for identification, authentication, authorization, and accounting.
3.2.3 Administrative Access Controls
Administrative access controls are the policies and procedures defined by organizations to implement and enforce all aspects of controlling unauthorized access.
Administrative controls focus on the following personnel and business practices: policies, procedures, hiring practices, background checks, data classification, security training, and reviews.
Policies are approved ideas or actions that guide behavior.
Procedures are the detailed steps required to perform an activity.
Hiring practices define the steps an organization takes to find qualified employees.
Background checks are a type of employee screening that includes verification of past employment, credit history, and criminal history.
Data classification categorizes data based on its sensitivity.
Security training educates employees about the security policies at an organization.
Reviews evaluate an employee’s job performance.
3.2.4 Authentication, Authorization, and Accounting (AAA)
Access control, whether enforced physically, logically, or administratively, rests on three security services: authentication, authorization, and accounting (AAA). In practice these services are implemented as logical controls, for example by a directory, an authentication server, or an operating system.
These services provide the primary framework to control access, preventing unauthorized access to a computer, network, database, or other data resource.
AUTHENTICATION
The first A in AAA represents authentication. Authentication is the verification of the identity of each user, to prevent unauthorized access. Users claim an identity with a username or ID, and then prove that the claim is genuine by providing one of the following:
Something they know (such as a password)
Something they have (such as a token or card)
Something they are (such as a fingerprint)
In the case of two-factor authentication, which is increasingly becoming the norm, authentication requires a combination of two of the above categories rather than just one. Two items from the same category (a password plus a PIN, for example) are still a single factor.
AUTHORIZATION
Authorization services determine which resources users can access, along with the operations that users can perform.
Some systems accomplish this by using an access control list, or an ACL. An ACL determines whether a user has certain access privileges once the user authenticates. Just because you can log onto the corporate network does not mean that you have permission to use the high-speed color printer, for example.
Authorization can also control when a user has access to a specific resource. For example, employees may have access to a sales database during work hours, but the system locks them out after hours.
ACCOUNTING
Not related to financial accounting, accounting in AAA keeps track of what users do — including what they access, the amount of time they access it, and any changes they make.
For example, a bank keeps track of each customer account. An audit of that system can reveal the time and amount of all transactions and the employee or system that executed the transactions. Cybersecurity accounting services work the same way. The system tracks each data transaction and provides auditing results. System administrators can set up computer policies to enable system auditing.
The concept of AAA is like using a credit card. The credit card identifies who can use it, how much that user can spend, and accounts for items or services the user purchased.
Cybersecurity accounting tracks and monitors user activities in real time.
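The four steps described in this section (claim an identity, verify it, check the ACL and the time-of-day rule, and record the outcome) fit in a few dozen lines. The following is an added example written for this page, not code from the original; the users, the ACL for sales_db and color_printer, the 09:00 to 17:00 window, and the passwords are all constructed for illustration.

```python
"""Toy AAA flow: identification, authentication, authorization (ACL plus a
time window) and accounting. Added example; all users, resources and
passwords below are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash).
USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


# Authorization policy: ACL (resource -> user -> permitted operations) and
# a time-of-day rule (resource -> (start_hour, end_hour)).
ACL = {
    "sales_db": {"alice": {"read", "write"}, "bob": {"read"}},
    "color_printer": {"alice": {"print"}},
}
HOURS = {"sales_db": (9, 17)}

# Accounting: every decision, granted or not, is appended here.
AUDIT_LOG = []


def authenticate(username, password):
    """Verify the claimed identity against the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so the response time does not reveal whether the
        # username exists (an identification leak).
        _hash(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def authorize(username, resource, operation, when):
    """Apply the ACL, then the time-of-day restriction if one exists."""
    allowed = ACL.get(resource, {}).get(username, set())
    if operation not in allowed:
        return False
    if resource in HOURS:
        start, end = HOURS[resource]
        if not start <= when.hour < end:
            return False
    return True


def request_access(username, password, resource, operation, when):
    """Run identification -> authentication -> authorization, log the result."""
    if not authenticate(username, password):
        AUDIT_LOG.append((when.isoformat(), username, resource, operation, "AUTH_FAIL"))
        return "denied: authentication failed"
    if not authorize(username, resource, operation, when):
        AUDIT_LOG.append((when.isoformat(), username, resource, operation, "AUTHZ_DENY"))
        return "denied: not authorized"
    AUDIT_LOG.append((when.isoformat(), username, resource, operation, "GRANTED"))
    return "granted"


# Constructed enrolments and two sample request times.
enroll("alice", "correct horse battery staple")
enroll("bob", "hunter2")
NOON = datetime(2024, 3, 4, 12, 0)
NIGHT = datetime(2024, 3, 4, 22, 0)

if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "sales_db", "write", NOON))
    print(request_access("alice", "correct horse battery staple", "sales_db", "read", NIGHT))
    print(request_access("bob", "hunter2", "color_printer", "print", NOON))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that bob's failed printer request is logged with the same detail as alice's successful write: accounting records denials too, because a burst of AUTHZ_DENY entries for one account is exactly what an investigator looks for.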
3.2.5 What Is Identification?
Identification is the act of a subject presenting a claimed identity to a system. That claim is what authentication verifies and what the authorization policy's rules are applied to: every time access to a resource is requested, the access controls look up the identified subject and determine whether to grant or deny access.
A unique identifier ensures the proper association between allowed activities and subjects. A username is the most common method used to identify a user. Identifiers take other forms too: an account number, the serial number of a smart card, or a biometric sample such as a fingerprint, retina scan, or voice print matched against enrolled profiles. A PIN or password, by contrast, is a secret used for authentication and should not double as an identifier.
A unique identifier ensures that a system can identify each user individually, therefore allowing an authorized user to perform the appropriate actions on a particular resource and allowing accounting records to be attributed to one person rather than to a shared account.
3.2.6 Federated Identity Management
Federated identity management (FIM) refers to multiple enterprises that let their users use the same identification credentials to gain access to the networks of all enterprises in the group. While FIM provides convenience to users and administrators, if the system is exploited by hackers, they will have access to many systems instead of just one.
Generally speaking, a federated identity links a subject’s electronic identity across separate identity management systems. This could enable access to several websites using the same social login credentials, for example.
The goal of federated identity management is to share identity information automatically across enterprise boundaries. From the individual user’s perspective, this means a single sign-on to multiple networks.
It is imperative that organizations scrutinize the identifying information that is shared with partners, even within the same corporate group. The sharing of social security numbers, names, and addresses may allow identity thieves the opportunity to steal this information from a partner with weak security to perpetrate fraud. One common way to reduce the blast radius of a compromised federated identity is to tie the identity to authorized devices such as managed workstations and phones, so that stolen credentials alone are not enough to sign in.
3.2.7 Authentication Methods
As we mentioned earlier, users prove their identity with a username or ID. In addition, users need to verify their identity by providing one of the following.
SOMETHING YOU KNOW
Passwords, passphrases, or PINs are all examples of something that the user knows. Passwords are the most popular method used for authentication.
The terms passphrase, passcode, and PIN are all generically referred to as passwords. (A FIDO passkey is a different mechanism: a public-key credential bound to a device, not a shared secret, and it is not covered by the password guidance here.) A password is a string of characters used to prove a user's identity. If this string of characters relates back to a user (for instance, if it is their name, birthdate or address), it will be easier for cybercriminals to guess this user's password.
Several publications recommend that a password be at least eight characters in length. Users should not create a password that is so long that it is difficult to memorize, or conversely, so short that it becomes vulnerable to password cracking. Traditional guidance also calls for complexity, meaning a combination of upper and lowercase letters, numbers, and special characters. Note that current NIST guidance (SP 800-63B) treats length as the main source of strength, permits passwords of up to at least 64 characters, and recommends screening against lists of breached and commonly used passwords rather than forcing composition rules.
Users need to use different passwords for different systems because if a criminal cracks the user’s password once, the criminal will have access to all of the user’s accounts. A password manager can help you create and use strong passwords — and makes it unnecessary for you to remember so many complex passwords.
SOMETHING YOU HAVE
Smart cards and security key fobs are both examples of things that users have in their possession that can be used for authentication purposes.
A smart card is a small plastic card, about the size of a credit card, with a small chip embedded in it. The chip is an intelligent data carrier, capable of processing, storing and safeguarding data. Smart cards contain private information, such as bank account numbers, personal identification, medical records and digital signatures, using encryption to keep data safe while providing a means to authenticate.
A security key fob is a device that is small enough to attach to a keyring. In most cases, security key fobs are used for two factor authentication (2FA), which is much more secure than a username and password combination.
For example, let’s say you want to access your e-banking, which uses two-factor authentication. First, you enter your username (identification). Then you enter the password, which is your first authentication factor. After that, you need a second means of authentication, because the system uses 2FA. You enter a PIN to your security fob, and it displays a number. This proves that you have physical access to this device, which was issued to you. This number is the second factor. You then enter it to log in to the e-banking account.
WHO YOU ARE
Something you are means unique physical characteristics, such as a fingerprint, retina pattern, or voice print. These personal biometric characteristics uniquely identify a specific person. Biometric security compares physical characteristics against stored profiles to authenticate users. In this case, a profile is a data file containing known characteristics of an individual. The system grants the user access if their characteristics match the information saved in their profile closely enough; because a biometric reading is never identical twice, the match is a threshold decision, and the threshold sets the trade-off between false accepts and false rejects. A fingerprint reader is a common biometric device.
There are two types of biometric identifiers:
Physical characteristics — fingerprints, DNA, face, hands, the retina or ear features.
Behavioral characteristics — patterns of behavior such as gestures, voice, gait, or typing rhythm.
Biometrics is becoming increasingly popular in public security systems, consumer electronics, and point-of-sale applications. Implementing biometrics involves a reader or scanning device, software that converts the scanned information into digital form, and a database that has biometric data stored for comparison.
3.2.8 Passwords
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
Use a password length of at least eight characters, preferably 10 or more characters. A longer password is a more secure password.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
Deliberately misspelling a password, for example Smith = Smyth = 5mYth or Security = 5ecur1ty, adds only a little strength: letter-for-digit substitutions of this kind are built into the rule sets of every common password cracker, so treat them as a supplement to length, not a substitute for it.
Change a password immediately if it is known or suspected to be compromised, so that the threat actor's window of opportunity is limited. Forced periodic changes with no evidence of compromise are no longer recommended by NIST SP 800-63B, because they push users toward predictable variations of the old password.
Do not write passwords down and leave them in obvious places such as on the desk or monitor.
On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not. Therefore, one method to create a strong password is to use the space bar and create a phrase made of many words. This is called a passphrase. A passphrase is often easier to remember than a simple password. It is also longer and harder to guess.
Password Managers
Use a password manager to secure passwords for your online internet activity. Considered to be the best practice to secure passwords, the password manager automatically generates complex passwords for you and will automatically enter them when you access those sites. You only have to enter a primary password to enable this feature.
Multi-Factor Authentication
Use multi-factor authentication when available. This means that authentication requires two or more independent means of verification. For example, when you enter a password, you would also have to enter a code from an authenticator app or hardware token, or one sent to you through email or text message. Prefer the app or token where you have the choice: codes delivered by SMS or email can be intercepted or redirected (SIM swapping, a compromised mailbox), which is why NIST SP 800-63B classes SMS delivery as a restricted authenticator.
3.2.9 Multi-Factor Authentication
As we’ve touched upon earlier, multi-factor authentication uses at least two methods of verification — such as a password and something you have, for example, a security key fob. This can be taken a step further by adding something you are, such as a fingerprint scan.
Multi-factor authentication can reduce the incidence of online identity theft because it means knowing a password will not give cybercriminals access to a user’s account.
Note that two factor authentication (2FA) is a method of multi-factor authentication that entails two factors in particular, but the two terms are often used interchangeably.
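The number displayed by the fob in 3.2.7 and the "code from a token" in the MFA sections above are both instances of a one-time password derived from a shared secret and the current time. The following is an added example for this page, not code from the original: an RFC 6238 TOTP verifier, which is what an authenticator app implements (the page does not name the algorithm, so treating the token as TOTP is an assumption). The secret is the RFC's own test key; the replay guard and the clock-drift window are the two details a server-side implementer most often gets wrong.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the 'something you have' factor behind
authenticator apps and many hardware tokens. Added example; the secret is
the RFC 6238 test key, not a real credential."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the RFC's
    dynamic truncation (offset from the low nibble of the last byte)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP is HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one user's token.

    window: how many steps of clock drift to tolerate on either side.
    last_counter: highest step already accepted, so a code captured by a
    phishing page or a shoulder-surfer cannot be replayed within its window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, submitted, unix_time=None):
        if unix_time is None:
            unix_time = int(time.time())
        counter = unix_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used, or older than something already used
            # Constant-time compare: response timing must not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(SECRET, 59))  # RFC vector: 94287082, so 287082 at 6 digits
    v = TotpVerifier(SECRET)
    print("first use accepted:", v.verify("287082", 59))
    print("replay rejected:", v.verify("287082", 59))
```

Two things the code makes concrete that the prose does not: the secret never leaves the server and the token, only a short-lived derivative of it does, which is why a captured code is worth so little; and the verifier must remember what it has already accepted, because a 30-second window plus one step of drift gives an attacker up to 90 seconds to replay a code they phished.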