Security+ Guide to Network Security Fundamentals, Third Edition


Chapter 7 Access Control Fundamentals

Objectives

  • Define Access Controls
  • List the four Access Control Models
  • Describe logical Access Control Methods
  • Explain the different types of physical access control
What is Access Control?

Access control – The process by which resources or services are granted or denied on a computer system or network
  • Four standard Access Control models

– Identification

  • User presents credentials or identification (e.g. username)

– Authentication

  • Validate that the user’s credentials are authentic

– Authorization

  • Granting permission to take the action

– Access

  • Provide only certain services or applications in order to perform their duties

Access Control Terminology (cont.)

  • Computer access control can be accomplished by one of three entities:

– Hardware
– Software
– Policy

  • Access control can take different forms depending on the resources that are being protected
  • Computer systems impose access controls based on:

– Object
– Subject
– Operation

Access Control Models

  • Access control model

– Provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications
– Used for hardware / software validation

  • Once an access control model is applied

– Custodians can configure security based on the requirements set by the owner

  • So that end users can perform their job functions

Access Control Models (cont.)

  • Mandatory Access Control (MAC) model

– Users cannot implement, modify, or transfer any controls
– Owner & Custodian responsible for managing access
– Most restrictive model because all controls are fixed
– In original MAC model, all objects and subjects were assigned a numeric access level

  • The access level of the subject had to be higher than that of the object in order for access to be granted

Access Control Models (cont.)

  • Discretionary Access Control (DAC) model

– The least restrictive
– Subject has total control over any objects that he or she owns

  • Includes programs associated with those objects
  • Subject can also change the permissions for other subjects over objects
  • Two significant weaknesses

– Relies on subject to set the proper level of security
– Subject’s permissions are “inherited” by programs that the subject executes

Access Control Models (cont.)

  • User Account Control (UAC)

– Operating systems prompt the user for permission whenever software is installed

Access Control Models (cont.)

  • Three primary security restrictions implemented by UAC:

– Run with limited privileges by default
– Applications run in standard user accounts
– Standard users perform common tasks

  • Another way of controlling DAC inheritance is to automatically reduce the user’s permissions
  • Enforces the principle of least privilege

Access Control Models (cont.)

  • Role Based Access Control (RBAC) model

– Sometimes called Non-Discretionary Access Control
– Considered a more “real world” approach than the other models
– Assigns permissions to particular roles in the organization, and then assigns users to that role
– Objects are set to be a certain type, to which subjects with that particular role have access

Access Control Models (cont.)

  • Rule Based Access Control (RBAC) model

– Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
– Can dynamically assign roles to subjects based on a set of rules defined by a custodian
– Each resource object contains a set of access properties based on the rules

  • Rule Based Access Control is often used for managing user access to one or more systems

Practices for Access Control

  • Separation of duties

– Requires that if the fraudulent application of a process could potentially result in a breach of security, then the process should be divided between two or more individuals

  • Job rotation

– Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another
– Common use is to enforce mandatory vacations; allows a different user to access how security is implemented to prevent collusion

Practices for Access Control (cont.)

  • Least privilege

– Each user should be given only the minimal amount of privileges necessary to perform his or her job function

  • Implicit deny

– If a condition is not explicitly met, then it is to be rejected

Implementing Access Controls

– Two broad categories

  • Physical access control
  • Logical access control

Logical Access Control Methods

  • Logical access control includes:

– Access control lists (ACLs)
– Group policies
– Account restrictions
– Passwords

Access Control Lists (ACLs)

Access control list (ACL)

– Permissions assigned to an object
– Specifies subjects that are allowed specified access to the object

  • Most often viewed in the context of the OS
  • Structure behind ACL tables is complex
  • Access control entry (ACE)

– Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems

Access Control Lists (ACLs) (cont.)

  • In Windows, the ACE includes four items of information:

– A security identifier (SID) for the user account, group account, or logon session
– An access mask that specifies the access rights controlled by the ACE
– A flag that indicates the type of ACE
– A set of flags that determine if objects can inherit permissions
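The four ACE fields listed above, combined with the implicit deny practice from earlier in the chapter, can be modeled as a small access check. This is an added example, not part of the original slides: it is a simplified model of ordered ACL evaluation, and the mask bit values, SIDs, and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Access-mask bits. Constructed values for this example, not real Windows constants.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class ACE:
    sid: str               # security identifier of a user or group
    mask: int              # access rights this entry controls
    ace_type: str          # "allow" or "deny"
    inherit: bool = False  # True if child objects inherit this entry

def check_access(acl, subject_sids, requested):
    """Walk the ACL in order; grant only if every requested right is explicitly allowed."""
    granted = 0
    for ace in acl:
        if ace.sid not in subject_sids:
            continue                       # entry applies to someone else
        if ace.ace_type == "deny" and (ace.mask & requested):
            return False                   # explicit deny on a requested right
        if ace.ace_type == "allow":
            granted |= ace.mask
        if (granted & requested) == requested:
            return True                    # every requested right was allowed
    return False                           # implicit deny: condition never met

def inherited_aces(parent_acl):
    """Entries a new child object would receive from its parent."""
    return [ace for ace in parent_acl if ace.inherit]

# Constructed SIDs and ACL; deny entries are listed first so they are seen first.
ALICE = "S-1-5-21-0-0-0-1001"
STAFF = "S-1-5-21-0-0-0-2001"
CONTRACTORS = "S-1-5-21-0-0-0-2002"
FOLDER_ACL = [
    ACE(CONTRACTORS, WRITE, "deny", inherit=True),
    ACE(STAFF, READ, "allow", inherit=True),
    ACE(ALICE, READ | WRITE, "allow"),
]

if __name__ == "__main__":
    print(check_access(FOLDER_ACL, {ALICE, STAFF}, READ | WRITE))  # owner in staff group
    print(check_access(FOLDER_ACL, {STAFF}, WRITE))                # no entry grants WRITE
    print(check_access(FOLDER_ACL, {STAFF, CONTRACTORS}, WRITE))   # explicit deny
```

A subject with no matching entry at all is rejected by the final `return False`, which is the implicit deny case.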

Group Policies

  • Group Policy

– Feature within Microsoft Windows Active Directory (AD)
– Provides centralized management and configuration of computers and remote users
– Primarily used in enterprise environments to restrict user actions that pose a security risk
– Group Policy settings are stored in Group Policy Objects (GPOs)

Account Restrictions

  • Time of day restrictions

– Limit when a user can log on to a system
– These restrictions can be set through a Group Policy
– Can also be set on individual systems

  • Account expiration

– The process of setting a user’s account to expire based on a date
– Orphaned accounts are user accounts that remain active after an employee has left an organization

  • Can be controlled using account expiration

Passwords

  • Password

– The most common logical access control
– Sometimes referred to as a logical token
– A secret combination of letters and numbers and possible characters that only the user knows

  • A password should never be written down

– Must also be of a sufficient length and complexity so that an attacker cannot easily guess it (password paradox)

Passwords (cont.)

  • Password Attacks:

– Brute force attack

  • Guess a password through combining random characters
  • Passwords typically are stored as a “hash”

– Attackers try to steal the file of hashed passwords and break the hash offline

– Dictionary attack

  • Attacker obtains hashes of common dictionary words

– Compares hashed dictionary words against stolen password file

– Rainbow tables

  • Large tables of pre-generated hash values

Passwords (cont.)

Rainbow Tables (cont.)

– Generating a rainbow table requires a significant amount of time
– Rainbow table advantages:

  • Can be used repeatedly
  • Faster than dictionary attacks
  • Memory needed on the attacking machine is reduced

– Success of rainbow tables tied to older Windows OS password hashing algorithms

  • A defense against breaking encrypted passwords with rainbow tables

– Add complexity to hash by including a random sequence of bits as input along with the user-created password

  • These random bits are known as a salt

– Make brute force, dictionary, and rainbow table attacks much more difficult

Passwords (cont.)
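The salting defense described above, as an added example that is not part of the original slides: a per-user random salt makes two users with the same password store different hashes, so a table of pre-generated hashes no longer matches. The word list, iteration count, and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def unsalted_hash(password):
    """Weak storage: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def new_record(password):
    """Salted storage: keep a random 16-byte salt next to the derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for a pre-generated table: unsalted hash -> word.
COMMON_WORDS = ["password", "letmein", "qwerty"]
PRECOMPUTED = {unsalted_hash(word): word for word in COMMON_WORDS}

def table_lookup(stored_hex):
    """Return the word if the stored hash appears in the pre-generated table."""
    return PRECOMPUTED.get(stored_hex)

if __name__ == "__main__":
    # The unsalted hash of a common word is found immediately.
    print(table_lookup(unsalted_hash("letmein")))
    # Two users with the same password get different salted records.
    rec_a, rec_b = new_record("letmein"), new_record("letmein")
    print(rec_a[1] != rec_b[1], table_lookup(rec_a[1].hex()))
    # The legitimate login still verifies.
    print(verify("letmein", rec_a), verify("qwerty", rec_a))
```

The salt is stored in the clear beside the hash; its purpose is to make every stored hash unique, not to be a secret.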

  • Password policy

– A strong policy can provide defenses against attacks
– First policy: Create and use strong passwords

  • Best defenses against rainbow tables: Prevent attacker from capturing password hashes
  • Use 3rd party applications to track password complexity and life

Domain Password Policies

  • Domain password policy

– Restrictions set through Domain password policy
– There are six common Windows domain password policy settings, called password setting objects

  • Used to build a domain password policy

Physical Access Control

Physical access control primarily protects computer equipment

– Designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it

  • Physical access control includes:

– Computer security
– Door security
– Mantraps
– Video surveillance
– Physical access logs

Computer Security

  • The most fundamental step in physical security is to secure the system itself
  • Securing network servers in an organization is important
  • Rack-mounted servers

– 4.45 centimeters (1.75 inches) tall
– Can be stacked with up to 50 other servers in a closely confined area

Door Security

  • Hardware locks

– Preset lock

  • Also known as the key-in-knob lock
  • The easiest to use because it requires only a key for unlocking the door from the outside
  • Automatically locks behind the person, unless it has been set to remain unlocked
  • Security provided by a preset lock is minimal

Hardware locks (continued)

– Deadbolt lock

  • Extends a solid metal bar into the door frame for extra security
  • Is much more difficult to defeat than preset locks
  • Requires key be used to both open and lock the door

Door Security (cont.)

  • Most organizations observe the following practices:

– Change locks immediately upon loss or theft of keys
– Inspect all locks on a regular basis
– Issue keys only to authorized persons
– Keep records of who uses and turns in keys
– Keep track of keys issued, with their number and identification
– Master keys should not have any marks identifying them
– Secure unused keys in a locked safe
– Set up a procedure to monitor the use of all locks and keys

Instructor’s Note: You should rekey locks annually to reduce likelihood of duplicate key use

Door Security (cont.)

  • Door access systems

– Cipher lock

  • Combination locks that use buttons pushed in the proper sequence to open the door
  • Programmable – By individual, time, date
  • Keep record of when door was opened by which code
  • Cipher locks typically networked to a computer system
  • Can be monitored and controlled from one central location

– Cipher lock disadvantages

  • Basic models cost several hundred dollars
  • Advanced models can be thousands
  • Users must be careful to conceal buttons when using to prevent exposing their code

Door Security (cont.)

Door access systems (continued)

– Tailgate sensor

  • Multiple infrared beams aimed across a doorway and positioned so that as a person walks through the doorway

– Some beams are activated and then other beams are activated a short time later

  • Can detect if a second person walks through the beam array immediately behind (“tailgates”) the first person without presenting credentials

Door Security (cont.)

  • Physical tokens

– Objects to identify users

  • ID badge

– The most common types of physical tokens
– ID badges originally were visually screened by security guards
– Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags

  • Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket

Mantraps

  • Mantrap

– A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a non-secured area from a secured area

  • Mantraps are used at high-security areas where only authorized persons are allowed to enter

– Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals

Video Surveillance

Closed circuit television (CCTV)

– Video cameras used to signal to a specific and limited set of receivers

  • Cameras can be fixed in a single position or movable using a Pan-Tilt-Zoom (PTZ) device

Physical Access Log

Physical access log

– Record of individuals who entered a secure area including time and date of entry and exit
– Can also identify if unauthorized personnel have accessed a secure area

  • Physical access logs originally were paper documents

– Today, door access systems and physical tokens can generate electronic log documents

Summary

  • Access control is the process by which resources or services are denied or granted
  • Best practices for implementing access control include separation of duties, job rotation, using the principle of least privilege, and using implicit deny
  • Logical access control methods include using access control lists (ACLs), which are provisions attached to an object
  • Passwords, sometimes known as logical tokens, are a secret combination of letters and numbers that only the user should know

  • Physical access control attempts to limit access to computer equipment by unauthorized users