Authentication, Authorization and Access Control (part 2)

In this lesson we continue exploring the lifecycle of Authentication, Authorization and Access Control by looking at the access control mechanisms in use today. For example, we define the Common Access Card (CAC): what it is, how it's used and what types of environments deploy it. We contrast the CAC with the Personal Identification Verification card and discuss examples of that method and how it's used. Then we take a deeper look at how these mechanisms are used within the Rule and Role Based Access Control concepts to demonstrate the entire security life cycle as deployed in real time.

[toggle_content title="Transcript"]

Next we look at the common access card. The common access card is a DoD issued card; the Department of Defense issues this card. This card is actually also a smart card; it has a chip on it. It allows you to have your ID, your picture, your information, information that could verify your identity. It also allows your permissions to be stored on that chip. Users could use this as a token; you could have it to authenticate you on a system. You could have it to authenticate you at other facilities. In some elevators you insert it into a slot and it grants you access to a certain floor. It also could be used to log on to a system whereby you must insert the card into a card reader on the system before you are able to log on. The common access card is issued by the Department of Defense and is used for authenticating users. We also have the personal identification verification card. A perfect example of this is the driver's license; this is used to verify your identity. It carries a picture of yourself, your name and certain other information to verify your identity.
Next we talk about the smart card. A smart card is simply a card like the ATM card, but this card has a chip on it, and information could be stored on that chip that allows processing to take place on the card when we insert it into a machine. So with the card inserted into the machine, information can be read off that chip to either allow access to certain resources or determine the permissions of the users on a system.

Next we talk about the principle of least privilege. This is a very important principle in information security. Our users want all the access in the world, but if we follow the principle of least privilege it dictates that our users should only have the exact permissions they need to do their work, no more, no less. If you give insufficient permissions they'll end up calling the help desk: no productivity. "I can't do this, I can't print, I can't reach this server, I can't do that." But if we give sufficient permissions they can do all their work. We should not give excessive permissions, or otherwise these will be abused. So we should always follow the principle of least privilege to ensure our users cannot abuse privileges assigned to them.

Next we talk about separation of duties. The principle of separation of duties dictates that critical job processes be broken down into multiple functions. This way you have multiple individuals responsible for these different functions. It allows us to prevent fraud; it allows us to prevent one person carrying a critical job function from the beginning all the way to the end. There would be no checks and balances. But if we have multiple individuals responsible in multiple roles then we can keep checks and balances. We should be aware of the collusion that could take place amongst individuals to defeat the principle of separation of duties. So when collusion takes place, the people who safeguard each other's checks and balances might even be working together to defeat the system.
So we should put measures in place to watch out for collusion.

Next, the principle of single sign-on. Within organizations you require passwords to log on. Some organizations have very long password complexity rules in place for users to log on. So in the course of one day's work a user needs access to several other systems after logging on to their system, each system requiring a new password. So the user logs on with one password. They need access to several other systems; now at the end of the day they need to know or learn different complex passwords: passwords with uppercase, lowercase, special characters and numbers. The users are frustrated to where they start to try to write down these passwords, and we know a best practice with passwords: we do not write passwords down. The administrators can step in; your administrators could configure single sign-on on your servers such that when your users log on to the system they only require one log on. The passwords are known to the system, and this way subsequent log-ons to other machines on the network require no more passwords. So the burden of having to learn multiple passwords is taken off the shoulders of your users. However, we should be careful; there is a downside to this: a malicious person knowing the password for your users now has access to all the locations your users have access to. So some other measures should be put in place to ensure that if we put single sign-on in place, users' passwords cannot easily be compromised.

Next we talk about job rotation. This principle helps ensure availability. So if one person is absent from work, maybe they decide not to show up anymore, they are caught up in traffic or some other accident occurs, another individual should be available to do their work. So periodically over time we should ensure that staff are rotated amongst multiple job functions. Some organizations refer to this as cross training.
So Person A learns Person B's job, Person B will learn Person C's, and Person C will learn D's job. In the absence of one person another person is available to step into their shoes. So there is no vacuum created by the absence of one individual.

Next we talk about mandatory vacations. Mandatory vacations require that our staff periodically go on vacation; this is to help prevent fraud. So it allows us the opportunity to audit the job functions of a certain individual: what exactly are they doing? As we will see, individuals that have long resisted going on vacation are probably carrying out some malicious activities within the network. So they want to be the first person there every day, they never miss a day, and they are also the last person to leave. So if they go on vacation it allows us time to audit their work; it allows us the opportunity for somebody else to step into their shoes and carry out their functions. So if they've been carrying out some malicious activities on the network, this could be discovered and disclosed in the time they're away.

Next we talk about time of day restrictions. It is possible to limit access to network resources based on a certain day of the week and time of the day. It could be that we want to limit access to network printers, systems, or the facility, so by putting in proper controls, which can be done at the system locally or from the server, we could limit access to certain days of the week and certain times of the day. We call this time of day restrictions. You don't want your users coming in at times they're not required to come in and then claiming overtime, so you could put in time of day restrictions. You don't want certain individuals printing to very sensitive printers unless there are multiple people in the room; you could use time of day restrictions. So we could do time of day restrictions to limit access to printers, workstations, or certain locations in the facility.
Then we talk about implicit deny. The principle of implicit deny requires us to consider everything suspicious. We deny everything until explicitly allowed, so if something is not explicitly allowed into the facility, or someone is not explicitly allowed onto the network, the principle of implicit deny dictates that we deny access. So it is not sufficient that they are not on the "do not allow" list; they must also be on the allow list, otherwise no access.

Access control lists. These are lists that contain the matrices for what our users can do on the system when they log on, and what they can do on the network when they log on. So these are lists that we generate to dictate the permissions and authorization of all our users. Our users would want to have all access, but we generate the access control list to limit their access based on their job description. Then we have access control: we're controlling access to our resources, we're controlling access to the facility. So every time you try to access a facility or a resource and you are prompted to authenticate, it means we have access control in place. You are prompted via a lock, you are prompted by a log on dialogue box, you are prompted by a guard to identify yourself, which means we have access control in place. Best practice should always be followed to ensure access control; access control could also be ensured using solutions like man traps. A man trap is a system of two doors where you must identify yourself; there you go into the trap, and the door behind will shut before the next one opens. This way the system ensures that only you are going into the facility and you are properly identified.

Next we have several models of access control. We have mandatory access control; this is based on security levels. We should do proper data classification, and when we talk about classification we do classification in terms of secret, top secret, classified, and sensitive but unclassified.
We do classification for our personnel, and we also do classification for our data. So using the access matrices the system can enforce the access; the system can control who has access to what. So if a subject tries to access the object (the object is the entity being accessed; examples could be files or resources on the network), the system will check the security levels to determine if access should be granted or denied. So the access is based on the security labels and it is enforced by the system in mandatory access control.

For discretionary access control we talk about the owner of the resource. If a user decides to place a file on the network in a network share, the user can then dictate who has access to that file and what they can do with it. So access to the file, and what they can do to that file, is based on the discretion of the owner. The owner is the author or the person creating the document and putting it on the network, making it available for sharing.

For rule based access control, this is access control based on a certain set of rules. It could be access control through our firewalls, it could be access control to the facility, so we provide the rules by which we can allow or prevent access. We usually do rule based access control for our firewalls: we set the rules by which the firewall would allow the traffic or block the traffic. We could also have rule based access controls that are put in place and enforced by our security guards. You don't want people coming into the facility with weapons; the security guards search them or check them for weapons, and if they are found to have these weapons they're not allowed access. If they have no such weapons on them they are allowed access. So this is how we implement rule based access control.
Now for role based access control, this is access control based on the role you play. What role do you play? If you are a basic user you might only need specific access to the database; your job description does not require you seeing everything. So using what we call database views we can block your access to certain fields within the database. But a higher kind of staff might require full access to everything in the database; then we grant them access to everything they require to see as per their job description. And this is how we implement role based access control: the role you play determines the access you have.

[/toggle_content]
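The controls walked through in the transcript (implicit deny, mandatory access control by security level, role based permissions from an access control list, and time of day restrictions) combined into one small policy check, as an added example that is not part of the Cybrary lesson; the levels, roles, users, resource and working hours are all constructed for the demonstration.

```python
# Added example (not Cybrary's material): a small policy engine combining
# implicit deny, mandatory access control (MAC) by security level, role
# based permissions, and time of day restrictions. All labels, roles, users
# and working hours below are constructed for the demonstration.
from dataclasses import dataclass, field

# MAC: a higher number dominates a lower one; a subject may only read at or below its level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Time of day restriction per role: allowed hours [start, end) on a 24h clock.
WORK_HOURS = {"clerk": (8, 18), "auditor": (0, 24)}

@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)

@dataclass
class Resource:
    name: str
    label: str
    acl: dict = field(default_factory=dict)  # role -> set of allowed actions

def allowed(subject: Subject, res: Resource, action: str, hour: int) -> bool:
    """Grant only when a control explicitly allows; everything else is implicit deny."""
    # MAC check: an unknown clearance or label never satisfies the comparison.
    if LEVELS.get(subject.clearance, -1) < LEVELS.get(res.label, len(LEVELS)):
        return False
    for role in subject.roles:
        start, end = WORK_HOURS.get(role, (0, 0))  # unknown role: no usable hours
        if not start <= hour < end:
            continue  # role is outside its time of day window
        if action in res.acl.get(role, set()):
            return True  # explicit allow found on the access control list
    return False  # implicit deny: not on the allow list

# Constructed sample data.
PAYROLL = Resource("payroll.xlsx", "confidential",
                   {"clerk": {"read"}, "auditor": {"read", "write"}})
ALICE = Subject("alice", "secret", {"clerk"})        # cleared, limited role
BOB = Subject("bob", "unclassified", {"auditor"})    # powerful role, no clearance

if __name__ == "__main__":
    print(allowed(ALICE, PAYROLL, "read", 9))    # True
    print(allowed(ALICE, PAYROLL, "read", 22))   # False: outside clerk hours
    print(allowed(ALICE, PAYROLL, "write", 9))   # False: clerk cannot write
    print(allowed(BOB, PAYROLL, "read", 9))      # False: clearance too low
```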
CISSP CISM CISA CHFI CSXF CEH, Cyber Security Specialist & Trainer