ACCESS CONTROL • The most fundamental element of information security is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset.
CISSP Expectations • Access control is the process of allowing only authorized users, programs or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.
Key Access Control Concepts • Joining C-I-A • Confidentiality, integrity, availability • Determining a Default Stance • Defense in Depth • Access Control: a general process
Access control encompasses all operational levels of an organization: • Facilities • Support systems: power, HVAC (heating, ventilation, air conditioning) • Information systems • Personnel: All users should be subject to some form of access control to ensure the wrong people don't interfere with the right people.
AC enables management to: • Specify: • Which users can access a system • What resources those users can access • What operations those users can perform • Enforce accountability
AC addresses the CIA triad • Confidentiality: Managing access is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy. • Integrity: Preventing unauthorized access promotes greater confidence in data and system integrity. • Availability: Restricting access reduces the likelihood of damage and loss of use.
Default Stance • Allow-by-default: everything is permitted unless it is explicitly denied; every new resource, user or action is exposed until someone writes a deny rule for it. • Deny-by-default: nothing is permitted unless it is explicitly granted; an omission fails closed. Deny-by-default is the stance to prefer.
Defense in Depth • The practice of applying multiple layers of security protection between an information resource and the potential attacker. P. 7
AC: A General Process • There are many different approaches, but one very general approach applies to almost every situation. • 3-step process: • Define resources • Determine users • Specify the user's use of the resource
Defining resources • What are we trying to protect? • How may each resource be accessed? • Bind a user, group or entity to a resource • Every resource is an asset that must be afforded protection. Don't forget printers, faxes, etc.
Determining users • Need a clear understanding of the needs of the user and the level of trust given to the person or entity • An identification process must exist that takes into consideration the validity of the access need in the light of business needs, organizational policy, legal requirements, information sensitivity and security risk.
Specifying Use: • The AC process must specify the level of use for a given resource and the permitted user actions on that resource. Example P. 11
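The three-step process above (define resources, determine users, specify use) and the default-stance choice can be shown side by side in a few lines. The following is an added example, not code from the original slides or from the CISSP guide they reference; the resources, users, groups and grants are constructed for illustration. The point it makes is that an allow-by-default checker can only ever enumerate denies, so anything the deny list forgot (here: an unknown user, or a read by a group that was only denied writes) goes through, whereas the deny-by-default checker refuses everything that was not explicitly bound.

```python
"""Default-deny vs default-allow over explicitly defined resources.

Added example (not from the original slides). Models the page's three
steps: define resources, determine users, specify use. All names below
are constructed for illustration.
"""
from dataclasses import dataclass

# Step 1: define resources and the actions each one supports.
# Printers and fax gateways are assets too, as the slide reminds us.
RESOURCES = {
    "payroll-db": {"read", "write"},
    "hr-printer": {"print"},
    "fax-gateway": {"send"},
}

# Step 2: determine users and the groups (level of trust) each belongs to.
USER_GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"hr", "staff"},
}

# Step 3 (deny-by-default): bind a group to a resource and the actions
# that group may perform. Anything not listed here is never permitted.
GRANTS = {
    ("payroll-db", "finance"): {"read", "write"},
    ("payroll-db", "hr"): {"read"},
    ("hr-printer", "hr"): {"print"},
    ("fax-gateway", "staff"): {"send"},
}

# Step 3 (allow-by-default): the same intent expressed as denies. Note how
# much was forgotten: nobody denied 'staff' reading payroll, and unknown
# users and resources are not mentioned at all.
DENIES = {
    ("payroll-db", "staff"): {"write"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def deny_by_default(user, resource, action):
    """Allow only what an explicit grant covers; everything else is refused."""
    if resource not in RESOURCES:
        return Decision(False, "unknown resource")
    if action not in RESOURCES[resource]:
        return Decision(False, "action not defined for resource")
    groups = USER_GROUPS.get(user)
    if groups is None:
        return Decision(False, "unknown user")
    for group in sorted(groups):
        if action in GRANTS.get((resource, group), set()):
            return Decision(True, f"granted via group {group!r}")
    return Decision(False, "no matching grant")  # the default stance


def allow_by_default(user, resource, action):
    """Refuse only what an explicit deny covers; everything else is allowed."""
    for group in sorted(USER_GROUPS.get(user, set())):
        if action in DENIES.get((resource, group), set()):
            return Decision(False, f"explicitly denied for group {group!r}")
    # Unknown user, unknown resource, undefined action: all fall through here.
    return Decision(True, "no deny rule matched")


if __name__ == "__main__":
    for who, res, act in [("alice", "payroll-db", "write"),
                          ("bob", "payroll-db", "read"),
                          ("mallory", "payroll-db", "write")]:
        print(who, res, act,
              "| deny-by-default:", deny_by_default(who, res, act),
              "| allow-by-default:", allow_by_default(who, res, act))
```

The `bob`/`read` and `mallory` cases are the ones to look at: under deny-by-default both are refused with a reason that tells the administrator which binding is missing, while under allow-by-default both succeed because nobody thought to write the deny rule.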
Access Control Principles • Access Control Policy • Separation of duties • Least Privilege • Need to Know • Compartmentalization • Security Domain
AC Policy • Specifies the guidelines for how users are identified and authenticated and the level of access granted to resources. • The absence of a policy will result in inconsistencies in provisioning, management, and administration of AC. • Provides the framework for definition of necessary procedures, guidelines, standards, and best practices.
Separation of Duties • Objective: Prevent fraud and errors • Achieved by distributing the tasks & privileges for a specific process. • The person who requests the expenditure should not be allowed to approve the expenditure. • Another example P.12
Determining Applicability of Separation of Duties (1) • 1st Action: Defining individual elements of a process • Determine element sensitivity • What elements of the process lend themselves to distribution. P.12
Determining Applicability of Separation of Duties (Continued) • 2nd Action: Understand what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what skills are available. • Determine: • Element identification, importance, and criticality • Operational considerations • User Skills & availability
Determining Applicability of Separation of Duties Continued • Element identification, importance, and criticality • Elements within function known as milestone elements • If elements within function don’t offer clear point of segmentation, may need to incorporate a new milestone element as a validation & approval point within function
Determining Applicability of Separation of Duties (Continued) • Operational considerations • Balancing the impact of the function and its role in the business. Ensure that the separation of duties doesn’t hinder the process and make it prone to circumvention. • Weigh the cost of implementation against the overall risk the process represents and whether the benefits of separation outweigh the time & effort costs.
Determining Applicability of Separation of Duties (Continued) • User skills & availability • Are there enough skilled personnel to perform the separated elements of the process?
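The expenditure example on the slides (the person who requests may not approve) can be enforced mechanically once the milestone elements of the function are identified: request, approve, pay. The code below is an added example, not from the original slides; the roles, users and amounts are constructed for illustration. It applies least privilege (each user holds only the roles the job needs) and then applies separation of duties on top of it, which is the case that matters: `dave` legitimately holds both the requester and approver roles, so a pure role check would let him approve his own request, and only the identity comparison at each milestone stops him.

```python
"""Separation of duties enforced at each milestone of an expenditure process.

Added example (not from the original slides). Roles and users are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Least privilege: each user is given only the roles their job needs.
# dave holds two roles on purpose, to show that roles alone are not SoD.
ROLES = {
    "alice": {"requester"},
    "bob": {"approver", "payer"},
    "carol": {"payer"},
    "dave": {"requester", "approver"},
}


class SoDViolation(PermissionError):
    """A single identity attempted two milestone elements of one process."""


@dataclass
class Expenditure:
    amount: float
    requested_by: str
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None


def _require_role(user, role):
    if role not in ROLES.get(user, set()):
        raise PermissionError(f"{user!r} lacks role {role!r}")


def request(user, amount):
    """Milestone 1: raise the expenditure."""
    _require_role(user, "requester")
    return Expenditure(amount=amount, requested_by=user)


def approve(user, exp):
    """Milestone 2: the validation and approval point."""
    _require_role(user, "approver")
    if exp.approved_by is not None:
        raise SoDViolation("expenditure already approved")
    if user == exp.requested_by:
        raise SoDViolation("requester may not approve their own expenditure")
    exp.approved_by = user
    return exp


def pay(user, exp):
    """Milestone 3: disbursement, requires a third identity."""
    _require_role(user, "payer")
    if exp.approved_by is None:
        raise SoDViolation("cannot pay an unapproved expenditure")
    if user in (exp.requested_by, exp.approved_by):
        raise SoDViolation("payer must differ from requester and approver")
    exp.paid_by = user
    return exp


def run_process(requester, approver, payer, amount):
    """Drive the whole function end to end; returns the record or raises."""
    exp = request(requester, amount)
    approve(approver, exp)
    pay(payer, exp)
    return exp


def is_rejected(step, *args):
    """True when a milestone step is refused by a role or SoD rule."""
    try:
        step(*args)
        return False
    except PermissionError:  # SoDViolation is a PermissionError too
        return True


if __name__ == "__main__":
    print(run_process("alice", "bob", "carol", 500.0))
    exp = request("dave", 200.0)
    print("dave approving own request rejected:", is_rejected(approve, "dave", exp))
```

When the function offers no clean segmentation point, the `approve` step is exactly the kind of new milestone element the slides describe: it is inserted purely so that a second identity is required before money moves.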
Least Privilege • Requires that a user or process be given no more access privilege than necessary to perform a job, task, or function.
Need to Know • A companion to "least privilege". • Requires a person requesting information to establish the need to know such information in terms of the pertinent mission. • If information is given to people on a need-to-know basis, they are given only the details that they need, at the time when they need them.
Security Domain • An area where common processes and security controls are grouped together • Example: All systems and users managing financial information might be separated into their own security domain • Based on trust between resources in systems that share a single security policy and a single management structure. P.16
Information Classification • Fundamental Information Classification questions • Benefits • Establishing an Information Classification Program • Labeling & Marking • Information Classification Assurance
Purpose of Information Classification • Group an organization's information assets by levels of sensitivity and criticality. Once this is accomplished, the appropriate level of protection controls is assigned to each asset in accordance with its classification.
Fundamental Information Classification questions • Where is the organization’s information? • How should the information be handled and protected? • Who should have access to it? • Who owns the information? • Who makes the decisions around these parameters?
Benefits of Information Classification • Establishes information ownership. This increases the likelihood that it will be used in the proper context and access will be properly authorized. • Increases C-I-A by focusing the limited security funds on the resources requiring the highest level of protection and providing lesser controls for the information with less risk of loss.
Benefits of Information Classification Continued • Increases knowledge and security awareness. • Allows for a greater understanding of the value of the information to be protected and provides a clearer direction for the handling of sensitive information. • Operational benefits: critical information can be identified to support continuity of operations (COOP).
Labeling & Marking • Provides the ability to manage the information within the media with the appropriate controls.
Information Classification Assurance • Periodically testing • Random desk checks
Access Control Requirements • Reliability • Transparency • Integrity • Maintainability • Authentication • Auditability
Access Control Categories • Directive • Deterrent • Preventive • Compensating • Detective • Corrective • Recovery
Access Control Categories Continued • Directive • Controls designed to specify acceptable rules of behavior within an organization, sometimes called administrative controls. • Policies, procedures, standards, guidelines
Deterrent Controls • Designed to discourage specific actions by influencing the choices of would-be intruders • Do not block or even record events • Signs • Guards, guard dogs • Razor wire
Preventive Controls • Block or control specific events • Firewalls • Anti-virus software • Encryption • Key card systems • Fencing • Bollards • Crash guards
Compensating Controls • Control that is introduced that compensates for the absence or failure of a control • “Compensating” refers to why it is implemented • Can be detective, preventive, deterrent, administrative • Examples • Daily monitoring of anti-virus console • Monthly review of administrative logins
Detective Controls • Monitor and record specific types of events • Does not stop or directly influence events • Video surveillance • Audit logs • Event logs • Intrusion detection system
Corrective Controls • Post-event controls to prevent recurrence • “Corrective” refers to when it is implemented • Can be preventive, detective, deterrent, administrative • Examples • Spam filter • Anti-virus on e-mail server • WPA Wi-Fi encryption
Recovery Controls • Post-incident controls to recover systems • “Recovery” refers to when it is implemented • Can be detective, preventive, deterrent, administrative • Examples • System restoration • Database restoration
Access Control Types • The access control categories above classify controls by where they fall within the Access Control Time Continuum (before, during, or after an event). The access control types that follow classify the same controls by how they are implemented. F. 1.7 P. 35
Types of Controls • Administrative • Policy, procedures, standards • Technical • Authentication, encryption, firewalls, anti-virus • Physical • Key card entry, fencing, video surveillance
Administrative Controls • Represent all actions, policies, processes, and management of the control system • Operational policies & procedures P.36 • Personnel security, evaluation, & clearances P.40 • Monitoring P.42 • User Access Management P.43 • Privilege Management (rights within your access) P.44
Technical (Logical) Controls • Electronic, digital, & automated controls which enforce the organizations policies. • Network access • Remote access • Application access • Malware control • Encryption
Physical Controls • Controls that protect the physical environment and people. • Locks • Guards • Fences • Cameras • Fire management, gates
System Access Control Strategies • Identification, authentication, authorization • Access control services • Identity Management • Access control technologies
System AC Strategies continued • Identification: The act of a user or system asserting an identity by presenting a known identifier. • Authentication: The process of verifying that the asserted identity is genuine. • Authorization: Defining the specific resources, and the actions on them, that an authenticated user is permitted.
Identification • User name • User ID • Personal Identification Number (PIN) • Identification badges
Problems with ID Badges • Credential badges: security staff don't always check them • Access badges: not physically bound to a specific person, so people can share or lend them
User ID • User ID • PIN • MAC address • IP address (both are easily spoofed, so they identify but do not authenticate) • RFID (small tag, like a UPC code; privacy concerns) • Email address
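The three terms on the preceding slides are easiest to keep apart in code, where each becomes its own function with its own return value. The following is an added example, not from the original slides; the user store, passwords and the single resource grant are constructed for illustration, and the PBKDF2 parameters are illustrative rather than a recommendation. The practitioner detail it adds is in `authenticate`: an unknown user ID is run through the same password hashing as a known one, otherwise the response time tells an attacker which identifiers exist, which turns the identification step itself into an information leak.

```python
"""Identification, authentication and authorization as three separate steps.

Added example (not from the original slides). User names, passwords and
grants are constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative PBKDF2 work factor


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: identifier -> salt, digest, and groups (trust level).
USERS = {}
for _name, _pw, _groups in [("alice", "correct horse battery", {"finance"}),
                            ("bob", "hunter2", {"staff"})]:
    _salt, _digest = hash_password(_pw)
    USERS[_name] = {"salt": _salt, "digest": _digest, "groups": _groups}

# Dummy credential so that an unknown ID costs the same as a wrong password.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("never-matches")

# Authorization data: resource -> groups allowed to use it (deny by default).
GRANTS = {"payroll-db": {"finance"}}


def identify(user_id):
    """Identification: look up the asserted identifier. Nothing is trusted yet."""
    return USERS.get(user_id)


def authenticate(user_id, password):
    """Authentication: prove the assertion with a secret.

    Returns the principal name on success, None otherwise. Unknown IDs
    and wrong passwords take the same path and the same time.
    """
    record = identify(user_id)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["digest"] if record else _DUMMY_DIGEST
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    return user_id if (ok and record is not None) else None


def authorize(principal, resource):
    """Authorization: may this authenticated principal use the resource?"""
    if principal is None:  # never authorize an unauthenticated caller
        return False
    groups = USERS[principal]["groups"]
    return bool(groups & GRANTS.get(resource, set()))


if __name__ == "__main__":
    who = authenticate("alice", "correct horse battery")
    print("authenticated as:", who, "| payroll-db:", authorize(who, "payroll-db"))
    print("unknown id:", authenticate("mallory", "anything"))
```

Note what each step returns: `identify` yields a record but grants nothing, `authenticate` yields a principal or `None`, and only `authorize` answers a yes/no about a resource. A MAC or IP address from the slide above could be used as the `user_id` argument, but it could never replace the password argument, because the address is not a secret.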