Chapter 14: Controlling and Monitoring Access
Comparing Access Control Models
- Comparing permissions, rights, and privileges
- Understanding authorization mechanisms
- Defining requirements with a security policy
- Implementing defense in depth
- Discretionary access controls
- Nondiscretionary access controls

Comparing Permissions, Rights, and Privileges
- Permissions: access granted for an object; they determine what you can do with it (read, write, delete)
- Rights: the ability to take an action on an object or the system (for example, change the system time)
- Privileges: the combination of rights and permissions a subject holds

Understanding Authorization Mechanisms
- Implicit deny: anything not explicitly granted is denied
- Access control matrix: a table of subjects (rows) against objects (columns), each cell holding the granted permissions
- Capability tables: one subject's row of the matrix, listing what that subject can do
- Constrained interface: limits what a user can see or do in an application based on the user's privileges
- Content-dependent control: decision based on the data inside the object (for example, a database view)
- Context-dependent control: decision based on circumstances such as time of day or the steps completed so far
- Need to know: access only to the information the task requires
- Least privilege: only the privileges needed to do the job, and no more
- Separation of duties and responsibilities: no single person controls a sensitive process end to end

Defining Requirements with a Security Policy
- Clarifies requirements
- Shows senior leadership support
- Sets guidelines and parameters

Implementing Defense in Depth
- Protects against single-focused attacks: no one control is a single point of failure
- Combines technical controls with physical access controls and administrative access controls
- Documented in the security policy
- Personnel are key
- Uses a combined-solution approach

Discretionary Access Controls
- The owner, creator, or custodian of an object defines access to it
- Based on identity
- Uses an ACL on each object
- Not centrally managed
- Supports change: access can be adjusted object by object
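The access control matrix, ACL, capability table, implicit deny and DAC ownership rule above, as an added worked example. This is not code from the study guide; the subjects, objects, permissions and owners in it are constructed sample data, and `MATRIX`, `OWNERS` and the function names are this example's own.

```python
"""Access-control matrix, ACLs, capability tables, implicit deny and a DAC
owner check.

Added worked example; not code from the study guide. Subjects, objects,
permissions and owners below are constructed sample data.
"""


# Constructed matrix: one cell per (subject, object) holding the permissions
# explicitly granted. A missing cell is not "unknown", it is denied.
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("alice", "README"): {"read"},
    ("bob", "payroll.xlsx"): {"read"},
    ("bob", "README"): {"read", "write"},
    ("carol", "README"): {"read"},
}

# Constructed ownership map for the DAC part: only the owner (the creator or
# an assigned custodian) may change an object's ACL.
OWNERS = {"payroll.xlsx": "alice", "README": "bob"}


def acl(matrix, obj):
    """The object's column of the matrix: subject -> permissions.
    This is what a DAC system stores on each object."""
    return {subj: set(perms) for (subj, o), perms in matrix.items() if o == obj}


def capabilities(matrix, subject):
    """The subject's row of the matrix: object -> permissions.
    A capability table is attached to the subject rather than the object."""
    return {o: set(perms) for (s, o), perms in matrix.items() if s == subject}


def is_allowed(matrix, subject, obj, action):
    """Implicit deny: True only for an explicit grant; any gap is False."""
    return action in matrix.get((subject, obj), set())


def may_change_acl(owners, requester, obj):
    """DAC rule: only the owner of the object may change its ACL."""
    return owners.get(obj) == requester


def dac_grant(matrix, owners, requester, obj, subject, action):
    """Discretionary change: the owner adds a permission to the object's ACL.
    Returns a new matrix; raises PermissionError for a non-owner."""
    if not may_change_acl(owners, requester, obj):
        raise PermissionError(f"{requester} does not own {obj}")
    updated = {cell: set(perms) for cell, perms in matrix.items()}
    updated.setdefault((subject, obj), set()).add(action)
    return updated


if __name__ == "__main__":
    print("ACL for payroll.xlsx:", acl(MATRIX, "payroll.xlsx"))
    print("carol's capabilities:", capabilities(MATRIX, "carol"))
    print("carol read payroll.xlsx?", is_allowed(MATRIX, "carol", "payroll.xlsx", "read"))
    after = dac_grant(MATRIX, OWNERS, "alice", "payroll.xlsx", "carol", "read")
    print("after alice grants carol read:", is_allowed(after, "carol", "payroll.xlsx", "read"))
```

Note that `acl()` and `capabilities()` are the same matrix sliced two ways; the matrix itself is rarely stored whole, which is why real systems keep one or the other. The DAC check is on the requester, not the subject being granted: a non-owner such as bob cannot widen access to payroll.xlsx even for himself.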
Nondiscretionary Access Controls
- Centrally administered
- Changes affect the entire environment
- Not based on identity; uses rules instead
- Less flexible
- Types: rule-based, role-based, attribute-based, lattice-based

Mandatory Access Control
- A nondiscretionary, lattice-based access control
- Based on classification labels assigned to both subjects (clearance) and objects
  – Government: top secret, secret, confidential
  – Private sector: confidential/proprietary, private, sensitive, public
- Compartmentalization enforces need to know within a classification level
- Environments: hierarchical (ordered levels), compartmentalized (unordered compartments), hybrid (both)
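The MAC lattice above as an added worked example (not code from the study guide): a label is a hierarchical level plus a set of compartments, and a subject's clearance "dominates" an object's label when the level is at least as high and every compartment is held, which is where need to know enters. The level names are the government scheme listed on the slide; the compartment names and clearances are constructed. The read and write rules used (no read up, no write down) are the Bell-LaPadula confidentiality rules, which this section does not itself name, so pairing them with the lattice is an assumption of the example.

```python
"""Mandatory access control as a lattice of (level, compartments) labels.

Added worked example; not code from the study guide. Compartments and
clearances are constructed. The read/write rules are Bell-LaPadula's
no-read-up / no-write-down, an assumption of this example.
"""

# Hierarchical levels from the section, low to high.
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """A security label: hierarchical level plus a set of compartments.

    Hierarchical environment: compartments empty, only levels are compared.
    Compartmentalized environment: one level, only compartments are compared.
    Hybrid environment: both, which is what dominates() handles.
    """

    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """Lattice order: level at least as high AND every compartment of
        `other` is held (the need-to-know part of the check)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def __eq__(self, other):
        return (isinstance(other, Label) and self.level == other.level
                and self.compartments == other.compartments)

    def __hash__(self):
        return hash((self.level, self.compartments))

    def __repr__(self):
        return f"Label({self.level!r}, {sorted(self.compartments)})"


def join(a, b):
    """Least upper bound: the lowest label that dominates both inputs. This is
    the label a document built from both must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def can_read(subject, obj):
    """No read up: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """No write down: the object's label must dominate the subject's clearance,
    so a highly cleared subject cannot copy data into a lower-labelled object."""
    return obj.dominates(subject)


def authorize(subject, obj, action):
    """Single entry point; any action other than read/write is implicitly denied."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    return False


if __name__ == "__main__":
    analyst = Label("secret", {"crypto"})
    print(authorize(analyst, Label("confidential", {"crypto"}), "read"))   # True
    print(authorize(analyst, Label("secret", {"crypto", "nuclear"}), "read"))  # False: no need to know
    print(authorize(analyst, Label("top secret", {"crypto"}), "read"))  # False: no read up
    print(join(Label("secret", {"crypto"}), Label("confidential", {"nuclear"})))
```

The second `print` is the case the slide's "compartmentalization" bullet is about: the analyst holds the right level but lacks the "nuclear" compartment, so the hierarchical check passes and the need-to-know check fails. A hierarchical-only environment would have allowed that read.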
Understanding Access Control Attacks
- Risk elements
- Identifying assets
- Identifying threats
- Identifying vulnerabilities
- Common access control attacks
- Summary of protection methods

Risk Elements
- Risk
- Assets
- Threat
- Vulnerability
- Risk management

Identifying Assets
- Asset valuation
  – Tangible value
  – Intangible value
- Cost-benefit analysis

Identifying Threats
- Threat modeling
- SD3+C (Secure by Design, Secure by Default, Secure in Deployment, and Communications)
  – Goals: reduce the number of defects; reduce the severity of the defects that remain
- Threat modeling approaches: focused on assets, focused on attackers, focused on software
- Advanced persistent threat (APT)

Identifying Vulnerabilities
- Vulnerability analysis
- A vulnerability is a weakness that a threat can exploit
- Technical and administrative vulnerabilities
- Vulnerability scans

Common Access Control Attacks 1/2
- Impersonation
- Access aggregation
- Password attacks
  – Dictionary
  – Brute force
  – Birthday
  – Rainbow table
- Sniffer attacks

Common Access Control Attacks 2/2
- Spoofing
- Social engineering
  – Phishing
  – Spear phishing
  – Whaling
  – Vishing
- Smartcard attacks
- Denial of service

Summary of Protection Methods
- Control physical access and electronic access
- Encrypt password files (and store passwords as salted hashes, never in plaintext)
- Create a strong password policy
- Use password masking
- Deploy multifactor authentication
- Use account lockout controls
- Use last logon notification
- Educate users about security
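The password attacks from the "Common Access Control Attacks" slide against the protections listed above, as an added worked example that is not code from the study guide. It shows why a dictionary or rainbow-table attack is a pure lookup when hashes are unsalted, why a per-user salt with an iterated hash forces the attacker back to hashing every guess per user, and how an account lockout control cuts off online guessing. The wordlist, user names, passwords and lockout threshold are constructed; the function and constant names are this example's own.

```python
"""Password attacks versus protections: lookup-table cracking of unsalted
hashes, per-user salted iterated hashing, and account lockout.

Added worked example; not code from the study guide. The wordlist, users and
passwords are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed attacker wordlist (real ones hold millions of entries).
WORDLIST = ["password", "letmein", "Summer2024", "qwerty"]

# Constructed user passwords, used only to build the two sample stores.
USERS = {"alice": "Summer2024", "bob": "Summer2024", "carol": "correct-horse-battery"}


def unsalted_hash(password):
    """Weak store: plain SHA-256, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> word once. A rainbow table stores this mapping more
    compactly, but the attack property is the same: hash once, reuse forever."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(store, table):
    """Dictionary attack as a lookup: one table hit per user, no hashing at all."""
    return {user: table[h] for user, h in store.items() if h in table}


def salted_hash(password, salt, iterations=10_000):
    """Hardened store: per-user random salt plus iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_store(users):
    """Each user gets a fresh 16-byte salt stored next to the digest."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(password, salt))
    return store


def crack_salted(store, wordlist):
    """Same wordlist, but every guess is re-hashed under every user's salt, so a
    precomputed table is useless and cost scales with users x words x iterations."""
    found = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            if hmac.compare_digest(salted_hash(word, salt), digest):
                found[user] = word
                break
    return found


class AccountLockout:
    """Account lockout control: lock after `threshold` consecutive failures."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def attempt(self, user, success):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        if user in self.locked:
            return "locked"
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"


def online_guess(lockout, user, real_password, wordlist):
    """Online dictionary attack against a lockout-protected account.
    Returns (cracked, attempts_made)."""
    for n, word in enumerate(wordlist, 1):
        status = lockout.attempt(user, word == real_password)
        if status == "ok":
            return True, n
        if status == "locked":
            return False, n
    return False, len(wordlist)


UNSALTED_STORE = {user: unsalted_hash(pw) for user, pw in USERS.items()}
SALTED_STORE = make_salted_store(USERS)

if __name__ == "__main__":
    print("unsalted, via lookup table:", crack_unsalted(UNSALTED_STORE, build_lookup_table(WORDLIST)))
    print("salted, per-user hashing:  ", crack_salted(SALTED_STORE, WORDLIST))
    print("online, lockout after 2:   ", online_guess(AccountLockout(2), "alice", "Summer2024", WORDLIST))
```

Both offline attacks recover alice's and bob's weak password and neither finds carol's, which is the strong-password-policy point: the hash scheme sets the cost per guess, the policy decides whether any guess in the wordlist is correct. In the unsalted store alice and bob have identical hashes, so one lookup cracks both; in the salted store their digests differ and each costs the attacker a full PBKDF2 run per guess. The lockout example never reaches the correct guess at position three because the account locks after two failures; that is a denial-of-service trade-off (an attacker can lock users out on purpose), which is why lockouts are usually temporary.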