Time
48 minutes
Difficulty
Beginner

Video Description

Access Control Fundamentals

Video Transcription

00:21
Hi. Welcome back to the All-in-One certification video series. I'm Mike Redman, master trainer, here to guide you through your successful journey of becoming a Security+ certified professional. We're going to walk through a variety of subjects like access control and encryption
00:37
all the way down to network security and hardening the OS.
00:51
In this section we'll define access control and list the four access control models, describe logical access control methods, explain the different types of physical access controls, and define authentication services.
01:11
So what is access control? Simply granting or denying approval to use a specific resource; information system mechanisms to allow or restrict access to data or devices. There are four standard models that you must be familiar with
01:30
and some specific practices used to enforce these access control models.
01:37
So it all starts with ID, AuthN and AuthZ, or identification, authentication and authorization. They must be performed in that order. You cannot perform access control without all three being present.
01:56
Identification is simply presenting your credentials, like a delivery driver presenting his employee badge.
02:02
Authentication is the checking of those credentials, examining the delivery driver's ID badge, and then authorization is the granting of permission to take some sort of action, allowing the delivery driver to pick up a package.
02:23
To successfully navigate the Security+ examination you must be familiar with all of these actions, ID, AuthN and AuthZ, and three different types of possible scenarios to present each one: user names, passwords and permission levels.
02:44
When discussing access control, the terminology also extends to specifics of objects, subjects and certain operations. The object is the specific resource, the file or hardware device. The subject is the user or process
03:04
functioning on behalf of a user,
03:06
and the operation is the action taken to the object by the specific subject.
03:16
Some of the roles in access control would be the owner, the custodian or the end user. The person responsible for the information would be the owner. The individual to whom the day-to-day actions have been assigned by the owner is the custodian. You might hear them called the data custodian,
03:36
and the end user is the user who accesses information
03:39
in the course of a routine job responsibility.
03:53
So for the different types of access control models, you have to start at the beginning and understand what these models are. They're standards that provide a predefined framework for hardware and software developers. They're used to implement access control in a device or other type of application, and
04:14
custodians can configure security
04:15
based on the owner's requirements. The four access control models to be familiar with are MAC, DAC, RBAC and a different type of RBAC, and we'll get to that in a moment. Mandatory access control is MAC.
04:32
DAC is discretionary access control,
04:35
and RBAC would be role-based access control or rule-based access control. Let's take a look at each one of these.
04:46
Mandatory access control is the most restrictive access control model. It's typically found in government and military settings. The two basic elements of mandatory access control are labels and levels, often in association with
05:02
classifications: top secret, secret, and so on.
05:09
MAC grants permissions by matching object labels with subject labels. The labels indicate the level of privilege. To determine if a file can be opened, you must compare the object and the subject labels. Subjects must have equal or greater than
05:28
the level of
05:29
access to be granted access to that particular object. Two major implementations of MAC are what's identified as the lattice-based model and the Bell-LaPadula model.
05:46
In a lattice-based model, the subjects and objects are assigned to a rung, much like a lattice or a ladder, if you will. Multiple lattices can be placed beside each other. The Bell-LaPadula model is one such lattice-based model. Its
06:05
subjects may
06:08
not create a new object or perform specific functions on a lower level than what the particular object is assigned. So, for instance, you cannot, at a secret level, read above your level to top secret,
06:26
and you cannot, for instance, at a confidential level, read above your level
06:30
to secret.
06:35
One primary example of a MAC implementation: Windows 7 or Windows Vista has four security levels. Specific actions by a subject with lower classifications require administrative permission. For instance, you're logged in as a user
06:53
and you want to install something. Well,
06:56
typically you won't allow your users to install any other type of application. You would need to then raise your privilege level to be an administrator.
07:11
Next is discretionary access control. This is the least restrictive of the models. Every object has an owner, and those owners have total control over their objects. Owners can give permissions to other subjects or other users over the objects which they control.
07:34
Discretionary access control is used in operating systems such as most types of UNIX and Microsoft Windows. The primary weakness of DAC is it relies on decisions by the end users to set proper security levels. The labels all of a sudden just aren't as important,
07:55
and the subject's permissions will be inherited by any program the subject executes.
08:01
This is why Trojans are a particular problem when employing a discretionary access control model.
08:16
Next are the two RBACs, role-based and rule-based. Role-based access control, also called non-discretionary access control:
08:26
access permissions are based on the user's job function. An administrator is an administrator, and all administrators have
08:35
the same permission levels, whereas rule-based access control dynamically assigns roles to subjects based on a set of rules predefined by the data custodian.
08:54
With rule-based access control, each resource object contains access properties based on the rules. When a user attempts access, the system checks the object's rules to determine the access permission levels, either grant or grant partial.
09:11
You might see these as read, write, read/write, execute.
09:16
Often used for managing user access to one or more systems. Business changes may trigger application of the rules specifying these different access changes.
09:31
To successfully navigate the Security+ examination, you must be familiar with the names, the different types of restrictions and the descriptions of these four access control models.
09:48
Some of the best practices for access control: establishing limits on access can help secure systems and their data. Some examples are separation of duties, job rotation, implicit deny or mandatory vacations.
10:11
Separation of duties primarily is employed to prevent fraud. Fraud can result from a single user being trusted with complete control of a process. For instance, that's why we have accounts receivable and accounts payable. It takes both
10:31
to complete
10:31
an entire transaction. With job rotation, however, individuals periodically move between different job responsibilities.
10:43
With job rotations, employees can rotate within their department or across other departments. One of the primary advantages is that it limits the amount of time individuals are in a position to manipulate any one or more security configurations.
10:58
This also helps to expose potential avenues for fraud and
11:03
reduces employee burnout.
11:09
Least privilege is the limiting of access to information based on what is needed to perform a job function. No person should have any more or any less than what is exactly required to perform that particular job function. It helps reduce the attack surface by
11:30
eliminating unnecessary privileges.
11:33
And the temptation to assign users higher levels of privilege is great, especially in a time where we're being told to do more with less. However, you need to weigh the advantages and disadvantages of assigning
11:50
higher levels of permission than what is absolutely required
11:54
to perform any one job function.
11:58
Some of the additional challenges with least privilege lie in legacy applications and common administrator tasks, as well as software installation and some upgrades. Many older software applications were designed to run only with a high level of
12:16
privilege. Many of these applications were internally developed and
12:20
no longer maintained, or are third-party applications that are no longer supported, for instance.
12:31
Next would be implicit deny and mandatory vacations. With implicit deny, if a condition is not explicitly met, the access request is rejected. An example of this would be a network router rejecting access to all except for conditions
12:48
matching a specific rule.
12:52
Mandatory vacations again limit the attack surface for fraud, because perpetrators must be present daily to hide most fraudulent actions. Audits of employees' activities are usually scheduled during vacation, for instance, for some sensitive positions.
13:11
An access control list is a set of permissions attached to an object. It specifies which subjects may access the object and what operations they can perform. Access control lists are usually reviewed in relation to operating system files.
13:37
Each entry in an access control table is called an access control entry, or ACE. The ACE structure, primarily for Windows: there's a security identifier for the user, group, account or logon session; an access mask that specifies the access rights controlled by the ACE;
13:58
a flag that indicates the type of ACE; and
14:01
a set of flags that determine whether objects can inherit permissions.
14:09
Next is group policy. With Microsoft Windows, for instance, it provides centralized management and configuration of computers and remote users using Active Directory.
14:22
You also have local group policy, with fewer options than the global group policy, but also used to configure settings for systems not part of Active Directory.
14:37
Additional account restrictions would include things such as time-of-day restriction and account expiration. The time-of-day restriction limits the time of day a user may log on to a system. The time blocks for permitting access are chosen by the administrator and can be set on individual systems.
14:56
Account expiration prevents orphaned accounts, accounts that remain active after an employee, for instance, has left the organization, or dormant accounts not accessed for a lengthy period of time. Both of these are significant security risks.
15:22
Some basic recommendations for account restriction dealing with orphaned or dormant accounts are to establish a formal process for establishing and terminating accounts, and then also monitoring all audit logs. Orphaned accounts remain a problem in most of today's organizations because
15:41
of the highly transient nature of our workforce.
15:46
Account expiration sets the user's account to expire upon departure from the organization. This should be common practice, for instance, if your organization uses contractors or seasonal workers.
16:03
Password expiration sets a time when a user must create a new password. It's different from account expiration. Account expiration can be set to a date or a number of days of inactivity, whereas password expiration indicates that
16:22
a user must change their password, for instance, every 30 or 90 days.
16:30
Next we'll talk about some of the authentication services. Remember, authentication is the process of verifying credentials. Authentication services are provided on a network in, for instance, a dedicated authentication server or AAA server,
16:48
if it's also part of an authorization and accounting service.
16:52
Common types of authentication and AAA servers are Kerberos, RADIUS, TACACS and TACACS+, and LDAP.
17:03
RADIUS, Remote Authentication Dial-In User Service, has become the industry standard. It's suitable for high-volume service control applications such as dial-in access to a corporate network. It's still used widely today.
17:19
The RADIUS client is typically a device such as a wireless access point that's responsible for sending users' credentials and connection parameters
17:30
to the underlying RADIUS server.
17:38
RADIUS user profiles are stored in a central database. All remote servers can share this data. The advantage of a central service is it increases the security due to a single administered network point. It's also easier to track usage for billing and keep
17:57
network statistics.
18:06
Next is Kerberos. It's an authentication system developed at MIT. It uses encryption and authentication as its primary mode of security, most often used in educational and governmental settings. It works like using a driver's license to cash a check.
18:25
It uses items called tickets, the Kerberos tickets. A ticket
18:30
contains information linking it to that specific user, and the user presents the ticket to the network for a service. These tickets are extremely resilient and difficult to copy, and expire after a few hours. They are
18:45
synchronous in nature, relying on time synchronization,
18:49
for authentication and security.
18:55
TACACS, Terminal Access Controller Access Control System: it's an authentication service similar to RADIUS, developed by Cisco Systems, commonly used on UNIX devices. It communicates by forwarding user authentication information, again, to a centralized server.
19:18
To successfully navigate the Security+ examination it is important, and you must be able, to distinguish the different features, primarily between RADIUS and TACACS and TACACS+, as well as Kerberos.
19:34
LDAP, Lightweight Directory Access Protocol, is a directory service primarily, again, employed on UNIX and Linux devices. It's a database stored on the network. You might think of it as a Rolodex, if you will. It contains information about users and network devices and grants or denies access
19:55
based on its information.
19:56
The standard for directory services is X.500. That is the LDAP protocol.
20:07
The X.500 standard defines the protocol for client applications to access LDAP services. The weakness of LDAP is it can be subject to LDAP injection attacks. It's similar to SQL injection attacks and occurs when
20:23
user input is not properly filtered and validated.
20:29
There you have it.
20:30
Pretty simple, right?
20:32
I told you it was.
20:34
I know it seems like a lot of information all at once. But remember, study hard,
20:41
lots of practice questions
20:44
and you will succeed.
20:47
You will become a security plus certified professional.
20:52
I'll see you next time.

Up Next

Access Control and Identity Management

In the Access Control and Identity Management Course taught by Michael Redman, students will get a thorough deep dive into authentication and access control fundamentals, focusing on Security+ exam objectives, which will help them pass the exam.

Instructed By

Michael Redman
Sr. ISSM at deciBel Research, Inc.
Instructor