Chapter 9: Access Control
Objectives • Apply the concepts of default deny, need-to-know, and least privilege • Secure user accounts throughout the employee lifecycle • Understand secure authentication
Objectives Cont. • Protect systems from risks associated with remote access and telecommuting environments • Monitor and log all access-related activities and events • Develop policies to support access control to information assets
What Is a Security Posture? • It is the organizational attitude toward security that is reflected in its default position • Two fundamental security postures: • Secure, which implements the “default deny” model • Reactive, which implements the “default permit” model • Every access control decision for a company is based on that company’s security posture
What Is a Security Posture? Cont. • Default permit vs. default deny • Default permit: out of the box, nothing is restricted; everyone can do everything until a control is added to deny it • Easier to deploy, works out of the box • Provides no security until someone adds the denials • Default deny • A.k.a. “deny all” • Access is unavailable by default until the appropriate control is explicitly changed to allow it
What Is a Security Posture? Cont. • Principle of Least Privilege • Definition: the minimum set of permissions granted to a user that still allows them to perform the business tasks they have been assigned, and no more • This is a strong foundation for any access control policy • Protects the data but also protects the user: they can’t be accused of having deleted a file to which they never had access! • From a cultural standpoint, it is important to explain to employees why they are not “trusted” with all the company’s data
What Is a Security Posture? Cont. • Need-to-know • Definition: having a demonstrated and authorized reason for being granted access to information • Should be made a part of the company’s culture • Should be incorporated in security training curriculum • At the very least protects the confidentiality of corporate data, but may also protect integrity and availability depending on the attack type
What Is a Security Posture? Cont. • Three main access control models • MAC (Mandatory Access Control): data is labeled with a classification and users are given a clearance; the system enforces the comparison centrally, and neither users nor data owners can override it • DAC (Discretionary Access Control): data owners decide, at their own discretion, who should have access to the information they own • RBAC (Role-Based Access Control): permissions are attached to positions (roles) within the organization, and users receive access by being assigned to roles • Companies need to decide which access control model they will implement; in practice the models are often combined
What Is a Security Posture? Cont. • Classification models • Used in public sector: • Top secret, secret, confidential • Used in the private sector: • Sensitive, confidential, public • Classification level combined with need-to-know should define actual access level
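The slides on default deny, the three access control models, and classification combined with need-to-know describe one decision procedure. The following Python block is an added illustration of that procedure, not code from the chapter: it applies a MAC-style clearance check, a need-to-know check, and an RBAC role check, and lets you compare the default-deny posture with default-permit. The level names follow the private-sector scale on the slide; the users, roles, projects and resources are constructed for the example.

```python
"""Default-deny access decision combining the chapter's three ideas:
a classification/clearance check (MAC), a need-to-know check, and a
role check (RBAC). Added illustration; all users, roles, projects and
resources below are constructed, not taken from the chapter."""
from dataclasses import dataclass

# Private-sector classification scale from the slide, ordered low -> high.
LEVELS = {"public": 0, "confidential": 1, "sensitive": 2}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str           # highest classification the user may read
    roles: frozenset         # RBAC roles assigned to the user
    need_to_know: frozenset  # projects the user has an authorized reason to see


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    project: str             # the need-to-know compartment the data belongs to


# RBAC: the actions each role may perform. Anything not listed is not granted.
ROLE_PERMISSIONS = {
    "analyst": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
}


def decide(subject, action, resource, posture="deny"):
    """Return (allowed, reason).

    posture="deny"   -> default deny: access needs a passing clearance check,
                        a need-to-know match AND a role that grants the action.
    posture="permit" -> default permit: access is refused only by an explicit
                        denial (clearance or need-to-know); a missing role rule
                        does not block it. Included to show the weaker posture.
    """
    if posture not in ("deny", "permit"):
        raise ValueError("posture must be 'deny' or 'permit'")
    reasons = []
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        reasons.append("clearance %s below classification %s"
                       % (subject.clearance, resource.classification))
    if resource.project not in subject.need_to_know:
        reasons.append("no need-to-know for project " + resource.project)
    role_allows = any(action in ROLE_PERMISSIONS.get(r, ()) for r in subject.roles)
    if posture == "deny" and not role_allows:
        reasons.append("no role grants '%s'" % action)
    if reasons:
        return False, "; ".join(reasons)
    return True, "permitted"


# Constructed sample subjects and resources.
alice = Subject("alice", "confidential", frozenset({"analyst"}), frozenset({"apollo"}))
bob = Subject("bob", "sensitive", frozenset(), frozenset({"apollo"}))   # no role at all
report = Resource("apollo-report", "confidential", "apollo")
payroll = Resource("payroll", "sensitive", "finance")


def demo():
    """Run the comparison and return the decisions keyed by a short label."""
    return {
        "alice reads report (deny)": decide(alice, "read", report),
        "alice writes report (deny)": decide(alice, "write", report),
        "alice reads payroll (deny)": decide(alice, "read", payroll),
        "bob reads report (deny)": decide(bob, "read", report),
        "bob reads report (permit)": decide(bob, "read", report, posture="permit"),
    }


if __name__ == "__main__":
    for label, (allowed, why) in demo().items():
        print("%-28s %-5s %s" % (label, "ALLOW" if allowed else "DENY", why))
```

The last two cases are the point of the slide: bob has the clearance and the need-to-know but has never been granted a role, so a default-deny posture refuses him while a default-permit posture lets him in, because nothing explicitly says no.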
What Is a Security Posture? Cont. • The role of the information owner • The information owner is the one who defines the access rules pertinent to the information for which they are responsible • They may enlist the assistance of the Information Security Officer
Managing User Access • Simple yet important questions that should be asked – and answered! – when managing user access: • Who creates the user accounts? • How are they created? • How will this function be logged? • What happens when user situations evolve? • How to ensure that each user’s account is unique?
Managing User Access Cont. • User Account Creation • Transcends departmental boundaries • Requires involvement & communication between: • Human Resources • Information Technology • Information Security Officer
Managing User Access Cont. • User Access Management • Account creation needs to be regulated with an official, approved process • HR should initiate the paperwork that requests creation of a new account • The request form should include: • Demographic information • Employee role • Access & equipment requirements
Managing User Access Cont. • User Access Management • The completed HR form should be sent to the appropriate supervisor/manager for authorization • The ISO may also be consulted, especially if the level of access for this user account is high • Once authorized, the form is sent to the department responsible for user account creation (usually IT) • The account should not be created, and privileges should not be assigned, until full authorization has been granted
Managing User Access Cont. • User Access Management • Inside the department in charge of account creation, there should be a position responsible for all user account-related functions, such as creation, modification, deletion. • All user account tasks should be logged and auditable for accountability purposes • All logging should be automated • A separate person/department should be in charge of reviewing this log
Managing User Access Cont. • Changes to the user status • The accounts and the level of access they are granted are a reflection of an employee’s status within the company • Promotions may imply new responsibilities and/or tasks, and therefore more/different privileges to be assigned to the account • If the career move is in a different department, the account should be audited to make sure that privileges that applied to the previous position are still needed for the new one. If not, they should be revoked
Managing User Access Cont. • Changes to the user status • The accounts and the level of access they are granted are a reflection of an employee’s status within the company • In the case of employee termination, HR must communicate with the proper department in charge of user account management so that the account is at the very least disabled, if not deleted • A lack of communication in this sort of situation can result in a user account still being valid while the employee to whom it was assigned is not in the employ of the company anymore!
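The two slides above describe checks that can be automated: after a transfer, compare the account's privileges with what the new role needs and revoke the rest; after a termination, make sure the account is no longer enabled. The Python block below is an added example of that reconciliation, not code from the chapter. It assumes an HR roster and a directory export, both constructed here as small in-memory lists, and a per-department group baseline that is likewise invented for the example.

```python
"""Reconcile an HR roster against directory accounts. Added example, not
from the chapter. The roster, the accounts and the BASELINE groups are all
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str        # "active" or "terminated"
    department: str    # the department the employee is in NOW


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    groups: frozenset  # privileges as currently held in the directory


# Groups each department's role baseline requires (constructed). Anything an
# active account holds beyond its department's baseline is flagged for revocation.
BASELINE = {
    "finance": frozenset({"staff", "erp-users"}),
    "engineering": frozenset({"staff", "git-users", "vpn"}),
}


def reconcile(hr_records, accounts):
    """Return a list of (user, action, detail) findings, sorted by user."""
    hr = {}
    for rec in hr_records:
        if rec.status not in ("active", "terminated"):
            raise ValueError("unknown HR status %r for %s" % (rec.status, rec.user))
        hr[rec.user] = rec
    findings = []
    for acct in sorted(accounts, key=lambda a: a.user):
        rec = hr.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account: the classic leftover/orphan case.
            findings.append((acct.user, "investigate", "account has no HR record (orphan)"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                findings.append((acct.user, "disable",
                                 "HR status is terminated but the account is still enabled"))
            continue  # a disabled account of a leaver needs no further action here
        baseline = BASELINE.get(rec.department, frozenset())
        for group in sorted(acct.groups - baseline):
            findings.append((acct.user, "revoke",
                             "group %r is not in the %s baseline" % (group, rec.department)))
    return findings


# Constructed sample data: carol moved from finance to engineering but kept
# her finance group; dave was terminated but never disabled; eve has no HR record.
HR_ROSTER = [
    HrRecord("alice", "active", "finance"),
    HrRecord("carol", "active", "engineering"),
    HrRecord("dave", "terminated", "finance"),
]
DIRECTORY = [
    Account("alice", True, frozenset({"staff", "erp-users"})),
    Account("carol", True, frozenset({"staff", "git-users", "vpn", "erp-users"})),
    Account("dave", True, frozenset({"staff", "erp-users"})),
    Account("eve", True, frozenset({"staff"})),
]

if __name__ == "__main__":
    for user, action, detail in reconcile(HR_ROSTER, DIRECTORY):
        print("%-6s %-12s %s" % (user, action, detail))
```

Running this over the sample data flags dave's enabled account, carol's leftover erp-users group, and eve's orphan account, while alice, whose groups match her department baseline, produces nothing. In a real deployment the roster and directory would be fed from HR and the directory service, and the findings would go to the account-administration role described earlier rather than being acted on automatically.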
With Privilege Comes Responsibility • The privilege / responsibility correlation • Certain positions in a company require the employee to have a high level of privilege in order to execute the tasks inherent to their job • Accounts with a high level of privilege should be monitored and audited • Such employees should be provided two accounts: one with the high privilege level, and another, “regular” account for all non-privileged tasks such as email and web surfing
Keeping Passwords Secure • Password Management • Single-factor authentication means using only one way to verify a user’s identity; this is generally a password • Users should be required to keep their passwords confidential • Passwords should be changed whenever there is a chance they were compromised • A compromised password may result in unauthorized access as well as identity theft
User Authentication for Remote Connections • Remote Access • Users who have a demonstrated business-need to access the corporate network remotely and are authorized to do so must be given that privilege • Not all employees should be given this privilege by default • Remote access activities should be monitored and audited • The organization’s business continuity plan must account for the telecommuting environment
Monitoring System Access and Use • Auditing should be turned on, and the logs generated should be reviewed daily • The policy should define: • What will be logged • Who will be in charge of reviewing those logs • What the log review schedule will be
Monitoring System Access and Use Cont. • What activity should be monitored? • Four main monitoring areas: • Authorized access • Privileged operations • Unauthorized attempts • System alerts or failures
Monitoring System Access and Use Cont. • What activity should be monitored? • Authorized access: • Log when users and systems that have proper authorization connect and use information resources • Information gathered should include • ID of the user or system performing the authorized action • Date and time of each important event • What kind of event it was • Which program/utility was used
Monitoring System Access and Use Cont. • What activity should be monitored? • Authorized access : • Many event kinds associated with authorized access: • Account logon events • Account management events • Directory service events • Logon events • Object access events • Policy change events • Privilege use events • Process tracking events • System events
Monitoring System Access and Use Cont. • What activity should be monitored? • Authorized access: • For all events recorded, the administrator has to decide which of the following will be logged: • Success of the event • Failure of the event • Both • The more information logged, the larger the log grows, which often leads to the logs becoming unmanageable and ignored – therefore not reviewed
Monitoring System Access and Use Cont. • What activity should be monitored? • Privileged operations: • Events for activities/operations reserved for those users with special privilege to perform critical operations • The use of the administrator account (or root, supervisor) must be closely monitored • Other critical events to be monitored include: • Startup / shutdown • Attachment of devices • Hardware installation • Software installation
Monitoring System Access and Use Cont. • What activity should be monitored? • Unauthorized attempts include: • Failed attempts at access • Access policy violations • Also includes events collected from firewall logs • Dropped incoming connections • Disallowed outgoing connections
Monitoring System Access and Use Cont. • What activity should be monitored? • System Alerts or Failures generated by: • Hardware failures • Application failures • Power problems
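The four monitoring areas on the preceding slides (authorized access, privileged operations, unauthorized attempts, system alerts or failures) are only useful if the raw log stream is sorted into them so that a reviewer can look at each. The Python block below is an added example, not code from the chapter, of that triage over a handful of constructed syslog-style lines (sshd logins, sudo use, a firewall drop, a filesystem error). It extracts the fields the slide asks for (who, when, what kind of event, which program) and lists every use of root so that privileged operations can be reviewed separately.

```python
"""Sort syslog-style lines into the chapter's four monitoring areas.
Added example, not from the chapter. SAMPLE_LOG is constructed; the hosts,
users and addresses are fictitious."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = """
Mar  3 08:01:12 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 08:02:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Mar  3 08:05:09 host1 sshd[1250]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar  3 08:05:11 fw01 kernel: [DROP] IN=eth0 SRC=203.0.113.9 DST=10.0.0.7 PROTO=TCP DPT=3389
Mar  3 08:10:00 host1 kernel: EXT4-fs error (device sda1): ext4_find_entry:1436: inode #2: comm ls: reading directory lblock 0
Mar  3 08:12:31 host1 sshd[1301]: Accepted password for bob from 10.0.0.6 port 51100 ssh2
Mar  3 08:13:00 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl stop auditd
""".strip().splitlines()


@dataclass
class Event:
    timestamp: str   # date and time of the event
    host: str
    program: str     # which program/utility produced it
    subject: str     # user ID, or the source address for a firewall drop
    kind: str        # one of the four monitoring areas, or "unclassified"
    detail: str      # the original message text


# "Mon  d HH:MM:SS host program[pid]: message"
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w\-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")

# Ordered rules: the first pattern that matches decides the area.
RULES = [
    ("authorized_access",    re.compile(r"^Accepted \S+ for (?P<subject>\S+) from")),
    ("unauthorized_attempt", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<subject>\S+) from")),
    ("unauthorized_attempt", re.compile(r"^\[DROP\] .*SRC=(?P<subject>\S+)")),
    ("privileged_operation", re.compile(r"^(?P<subject>\S+) : .*USER=root ; COMMAND=")),
    ("system_alert",         re.compile(r"error|fail(?:ed|ure)", re.IGNORECASE)),
]


def classify(line):
    """Parse one line into an Event, or return None if it is not syslog-shaped."""
    m = HEADER.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, pattern in RULES:
        hit = pattern.search(msg)
        if hit:
            subject = hit.groupdict().get("subject") or "-"
            return Event(m.group("ts"), m.group("host"), m.group("prog"), subject, kind, msg)
    return Event(m.group("ts"), m.group("host"), m.group("prog"), "-", "unclassified", msg)


def triage(lines):
    """Classify every parseable line, in order."""
    return [ev for ev in (classify(l) for l in lines) if ev is not None]


def summarize(events):
    """Count events per monitoring area: the overview a daily reviewer starts from."""
    return Counter(ev.kind for ev in events)


def privileged_commands(events):
    """(subject, command) for every privileged operation, so root use can be reviewed."""
    out = []
    for ev in events:
        if ev.kind == "privileged_operation":
            cmd = re.search(r"COMMAND=(.*)$", ev.detail)
            out.append((ev.subject, cmd.group(1) if cmd else ev.detail))
    return out


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for kind, n in sorted(summarize(evs).items()):
        print("%-22s %d" % (kind, n))
    for subject, cmd in privileged_commands(evs):
        print("ROOT  %-6s %s" % (subject, cmd))
```

Two things the output makes visible that the raw stream does not: the same source address appears both in a failed ssh login and in a firewall drop, so the two unauthorized-attempt sources corroborate each other; and the privileged-operation list shows bob stopping auditd, exactly the kind of administrator action the slide says must be closely monitored. Adding a rule is a one-line change to RULES, and anything that matches no rule stays visible as "unclassified" rather than being silently dropped.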
Monitoring System Access and Use Cont. • Log Review and retention • How often should the logs be reviewed? • By whom? • By an authorized employee who does not have full admin rights on the network for separation of duties purposes • How long will the log files be archived for? • How will they be stored securely?
Is Monitoring Legal? • Courts have favored an employer’s right to protect their interests over individual privacy rights because: • Actions were taken at the employer’s place of work • Equipment used – including bandwidth – was company-provided • Monitoring the work also helps ensure the quality of work • The employer has the right to protect property from theft and/or fraud
Is Monitoring Legal? Cont. • Courts indicate that monitoring is acceptable if it is reasonable: • Justifiable if serving a business purpose • Policies are set forth to define what privacy employees should expect while on company premises • Employees are made aware of what monitoring means are deployed • Acceptable use agreement should include a clause informing users that the company will and does monitor system activity • Users must agree to company policies when logging on
Summary • Access control is a complex domain. Access to information is extremely important to regulate. • User access and user actions on the network must be monitored and logged, whether they be located on premises or gaining access to the network remotely. • Monitoring is useless if the information gathered is not reviewed regularly.