Week 6: Access Control

Cards (98)

  • Access control has 4 parts to consider: identification, authentication, authorization, and accountability.
  • There are two types of access control: physical and logical.
  • Physical access control involves controlling access to physical resources, such as buildings. Example: Using a key to access a door.
  • Logical access control involves controlling access to a computer system or network. Example: Using a username and password to access network resources.
  • The security kernel is the central part of a computing environment’s hardware, software, and firmware that enforces access control for computer systems. It provides a central point of access control, implements the reference monitor concept, and mediates all access requests and permits access only when the appropriate rules or conditions are met.
  • Following are the steps the security kernel takes in enforcing access control:
    1. The subject (a user) requests access to an object (an asset). The security kernel then intercepts the request.
    2. The security kernel refers to its rules base, also known as the security kernel database. It uses these rules in this database to determine access rights, which are set according to the policies the organization has defined.
    3. The kernel allows or denies access based on the defined access rules. All access requests handled by the system are logged for later tracking and analysis.
  • Even though most operating systems provide extensive security guarantees, some computing environments need even more, such as systems that handle extremely sensitive information (e.g., classified information on government servers); therefore, several operating systems have included supplemental controls to address the additional security needs of such systems. These operating systems, referred to as trusted operating systems (TOS), provide features that satisfy specific government requirements for security.
  • An access control policy is a set of rules that allows a specific group of users to perform a specific set of actions on a specific set of resources.
  • To manage access control policies well, you must understand their four central components:
    • Users— the people who use the system or processes that perform some service for other people or processes. A more general term for users is subjects.
    • Resources —protected objects in the system. Can be accessed only by authorized subjects and used only in authorized ways.
    • Actions —Activities that authorized users can perform on the resources.
    • Relationships —optional conditions that exist between users and resources. They are permissions granted to an authorized user, such as read, write, and execute.
  • Authorization is the process of deciding who has access to which computer and network resources.
  • In a group membership policy, authorization is defined by what group(s) users are in, which reduces the administrator’s workload by grouping similar users together.
  • In an authority-level policy, users need a higher degree of authority to access certain resources.
  • The most detailed authorization policy is based on individual users. In this type of policy, each user has specific assigned privileges, which allow administrators to define approved resource access at a very detailed level. However, maintaining a user-based authorization approach is very difficult because it requires a lot of administration time to stay current.
  • In most organizations, authorization is based on job roles, background screening, and any government requirements. These conditions or policies are decided primarily by either a group membership policy or an authority-level policy.
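The following is an added example, not part of the original card deck, showing the security-kernel steps above (intercept, consult the rules base, permit or deny, log everything) together with the group-membership and authority-level authorization policies. The rules, resources, subjects and group names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Subject:
    """A user or process requesting access."""
    name: str
    groups: Set[str]
    level: int  # authority level; a higher number means more authority


@dataclass
class Rule:
    """One entry in the security kernel database (the rules base).

    groups    - group-membership policy: the subject must belong to at least
                one listed group; an empty set means any subject qualifies.
    min_level - authority-level policy: the subject needs at least this level.
    """
    resource: str
    action: str
    groups: Set[str] = field(default_factory=set)
    min_level: Optional[int] = None


class SecurityKernel:
    """Reference monitor: mediates every request, permits only when a rule
    matches, denies by default, and records every decision for later audit."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit: List[Tuple[str, str, str, str]] = []

    def request(self, subject: Subject, action: str, resource: str) -> str:
        decision = "DENY"  # default deny: no matching rule means no access
        for rule in self.rules:
            if rule.resource != resource or rule.action != action:
                continue
            if rule.groups and not (subject.groups & rule.groups):
                continue  # group-membership condition not met
            if rule.min_level is not None and subject.level < rule.min_level:
                continue  # authority-level condition not met
            decision = "PERMIT"
            break
        # Every request is logged, whether permitted or denied.
        self.audit.append((subject.name, action, resource, decision))
        return decision


# Constructed rules base and subjects for a hypothetical organisation.
RULES = [
    Rule("payroll.db", "read", groups={"hr"}),
    Rule("payroll.db", "write", groups={"hr"}, min_level=3),
    Rule("wiki", "read"),  # any authenticated subject may read the wiki
]

ALICE = Subject("alice", {"hr"}, level=2)
BOB = Subject("bob", {"hr"}, level=3)
CAROL = Subject("carol", {"engineering"}, level=5)


def demo() -> List[str]:
    kernel = SecurityKernel(RULES)
    return [
        kernel.request(ALICE, "read", "payroll.db"),   # PERMIT: hr member
        kernel.request(ALICE, "write", "payroll.db"),  # DENY: level 2 < 3
        kernel.request(BOB, "write", "payroll.db"),    # PERMIT: hr and level 3
        kernel.request(CAROL, "read", "payroll.db"),   # DENY: not in hr; level alone is not enough
        kernel.request(CAROL, "read", "wiki"),         # PERMIT: open rule
        kernel.request(CAROL, "delete", "wiki"),       # DENY: no rule at all
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that carol's high authority level does not help her on payroll.db: each rule combines its own conditions, and anything not explicitly permitted is denied.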
  • The first step in enforcing an authorization policy is to determine the identity of the subject, which is a process called identification. This process allows a subject, which can be a user, a process, or some other entity, to claim to be a specific identity.
  • The most common method to identify a user to a system is a username, which can be in the form of a user ID, an account number, or some other assigned identifier.
  • Some applications identify a user using a smart card, which often looks like a plastic credit card. Smart cards make it easy for subjects to provide complex identification credentials without having to remember them.
  • Another access control method for identifying subjects is biometrics, which can be used to recognize humans based on one or more physical or behavioral traits or to validate identities.
  • Identification guidelines - To ensure that all actions carried out in a computer system can be associated with a specific user, each user must have a unique identifier. When every action can be tied to exactly one identity, the user cannot credibly deny having performed it; this property is called nonrepudiation, and it is the reason each user must have a unique (not shared) user account.
  • The process of associating an action with a user for later reporting or analysis is called accounting, which, when done properly, must include nonrepudiation.
  • Authentication verifies that the subject requesting access is really the claimed identity (authentic) and the same subject who has been granted access.
  • Following are the seven types of authentication:
    • Knowledge—Something you (the user) know
    • Ownership—Something you have
    • Characteristics—Some attribute that is unique to you; "something you are"
    • Action/performance—Some action that you can perform; "something you can do"
    • Behavior—Some observable trait or behavior that is unique to you; "something you exhibit"
    • Location—Somewhere you are
    • Relationship—A trusted individual with whom you have a relationship; "someone you know"
  • Because of their simplicity and popularity, passwords are common targets of cyberattacks. The most often used are brute-force and dictionary attacks, which can easily crack weak passwords, such as those that are very short or contain dictionary words.
  • A brute-force attack involves trying every possible combination of characters, whereas modern password crackers take a more efficient approach: they rank candidates by entropy (a measure of randomness) and test low-entropy candidates first, then medium-entropy, and finally high-entropy ones.
  • A dictionary password attack works by hashing all the words in a list of possible passwords (often supplemented with suffixes such as 01, 02, 4u, and so on) and then comparing the hashed value with the system password file to discover a match. The prepared list of possible passwords is called a dictionary. Hackers are familiar with all the usual tricks, such as spelling a name backward or simple substitution of characters (e.g., 3 for e, 0 for o, $ for s, and so on).
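As an added example (not part of the original cards), this script runs the dictionary attack described above against a constructed password file: it hashes each wordlist entry plus the usual mangling rules (suffixes such as 01 and 4u, reversal, capitalisation, and 3/0/$/@ substitutions) and compares the result with each stored hash. The usernames, salts, passwords and wordlist are invented; the salted SHA-256 scheme is deliberately fast so the attack is visible, which is exactly why real systems should use a slow KDF such as bcrypt, scrypt or Argon2.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple


def salted_hash(salt: str, password: str) -> str:
    """Constructed storage format: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "system password file": (username, salt, stored hash).
PASSWORD_FILE: List[Tuple[str, str, str]] = [
    ("alice", "x9Qa", salted_hash("x9Qa", "summer01")),
    ("bob",   "Lp2z", salted_hash("Lp2z", "p@$$w0rd")),
    ("carol", "7TnM", salted_hash("7TnM", "nomis")),  # "simon" spelled backward
    ("dave",  "Qr4e", salted_hash("Qr4e", "correct horse battery staple")),
]

# Constructed dictionary; real ones hold millions of entries.
WORDLIST = ["password", "summer", "simon", "letmein", "dragon"]
SUFFIXES = ["", "01", "02", "4u", "123"]
LEET = str.maketrans({"e": "3", "o": "0", "s": "$", "a": "@"})


def mangle(word: str) -> Iterator[str]:
    """Yield the variants of one dictionary word that crackers routinely try."""
    bases = {word, word.capitalize(), word[::-1], word.translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(password_file, wordlist) -> Dict[str, str]:
    """Return {username: recovered password} for every hash a candidate matches."""
    cracked: Dict[str, str] = {}
    for user, salt, stored in password_file:
        for word in wordlist:
            hit = next((c for c in mangle(word) if salted_hash(salt, c) == stored), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def candidate_count(wordlist) -> int:
    """How many guesses the mangling rules expand the dictionary into."""
    return sum(1 for w in wordlist for _ in mangle(w))


if __name__ == "__main__":
    print(candidate_count(WORDLIST), "candidates")
    for user, pw in dictionary_attack(PASSWORD_FILE, WORDLIST).items():
        print(f"{user}: {pw}")
```

dave's multi-word passphrase survives because no mangling of a single dictionary word reaches it, which is the point made about passphrases on the next card.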
  • A passphrase is somewhat different from a password in that it is longer and generally harder to guess and therefore is considered more secure, particularly against dictionary and brute-force attacks because it usually contains more than one word.
  • Many systems are configured to disable a user ID after a certain number of consecutive failed logon attempts, often three to five attempts. The number of failed logon attempts that trigger an account action is called the threshold.
  • Lockout policies help guard against attacks in which an attacker makes repeated attempts to guess a password, but they also let an intruder lock out legitimate users by deliberately entering groups of incorrect passwords, a form of denial of service (DoS) attack.
  • A restrictive account-lockout policy increases the probability of preventing an attack on the organization, but a stringent policy can unintentionally lock out authorized users, which can be frustrating and costly.
  • One method of keeping track of who is accessing a computing environment is to audit logon events, a practice that provides a record of when every user logs on or off a computer. When you audit failure events in the logon event category (also known as failure auditing), you can see whether the failure event was due to unauthorized users or attackers attempting to log on to a computer or system, the latter of which is an example of intrusion detection.
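The following added example (not from the original cards) ties the three preceding points together: a lockout policy with a failure threshold, automatic release after a fixed duration so the lockout cannot be used as a permanent denial of service, and an audit record of every logon event that can be queried to see where failures are coming from. The log lines, usernames, addresses and the line format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=203.0.113.9
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.9
2024-05-01T10:00:02 FAIL user=alice src=203.0.113.9
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.9
2024-05-01T10:00:04 FAIL user=alice src=203.0.113.9
2024-05-01T10:00:30 OK user=alice src=10.0.0.5
2024-05-01T10:16:00 OK user=alice src=10.0.0.5
2024-05-01T10:20:00 FAIL user=bob src=10.0.0.7
2024-05-01T10:20:05 FAIL user=bob src=10.0.0.7
2024-05-01T10:20:10 OK user=bob src=10.0.0.7
""".splitlines()


class LockoutPolicy:
    """Lock an account after `threshold` consecutive failures; release the lock
    after `lock_duration` so a guessing attacker cannot deny service forever."""

    def __init__(self, threshold: int = 5, lock_duration: timedelta = timedelta(minutes=15)):
        self.threshold = threshold
        self.lock_duration = lock_duration
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, datetime] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []  # every logon event

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def process(self, ts: datetime, result: str, user: str, src: str) -> str:
        if self.is_locked(user, ts):
            outcome = "REJECTED_LOCKED"  # even a correct password is refused
        elif result == "OK":
            self.failures[user] = 0      # a success resets the counter
            outcome = "SUCCESS"
        else:
            self.failures[user] += 1
            if self.failures[user] >= self.threshold:
                self.locked_until[user] = ts + self.lock_duration
                self.failures[user] = 0
                outcome = "LOCKED"
            else:
                outcome = "FAILURE"
        self.audit.append((ts, user, src, outcome))
        return outcome


def replay(lines: List[str], policy: LockoutPolicy) -> List[str]:
    """Feed log lines through the policy in order; return the outcome per line."""
    outcomes = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        outcomes.append(policy.process(ts, m["result"], m["user"], m["src"]))
    return outcomes


def bad_password_failures_by_source(audit) -> Dict[str, int]:
    """Failure auditing: count wrong-password events per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, _user, src, outcome in audit:
        if outcome in ("FAILURE", "LOCKED"):
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    policy = LockoutPolicy()
    for line, outcome in zip(SAMPLE_LOG, replay(SAMPLE_LOG, policy)):
        print(outcome.ljust(16), line)
    print(bad_password_failures_by_source(policy.audit))
```

In the replay, the five failures from 203.0.113.9 lock alice's account, so her own correct logon at 10:00:30 is rejected (the DoS effect); the lock has expired by 10:16:00 and she gets in. bob's two failures never reach the threshold and his counter resets on success.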
  • Authentication by ownership is based on something you have, such as a smart card, a key, a badge, or either a synchronous or asynchronous token.
  • Synchronous tokens use an algorithm at both the authentication server and the device to calculate a number, which is then displayed on the device’s screen. Users then enter the number as a logon authenticator, just as they would enter a password.
  • With a time-based synchronization system, the current time is used as the input value.
  • Biometrics involves measuring various unique parts of a person’s anatomy or physical activities and can be used for both identification (i.e., physical biometrics, also called recognition) and authentication (i.e., logical biometrics).
  • Following are the two categories into which the common biometric measures can be separated:
    • Static (i.e., physiological) measures—Physiological biometrics measure what you are, examples of which include reading fingerprint patterns, iris granularity, retina blood vessels, facial geometry, and hand geometry.
    • Dynamic (i.e., behavioral) measures—Behavioral biometrics measure what you do, examples of which include voice inflections, keyboard strokes, and signature motions. Note that biometrics of this type are sometimes separated into their own category (i.e., authentication by action).
  • A single sign-on (SSO) strategy allows users to sign on to a computer or network once and then be allowed into all computers and systems where they are authorized, thus making it unnecessary to enter multiple user IDs or passwords.
  • In the most general case, a cloud service provider (CSP) maintains several (sometimes many) data centers with racks of server computers.
  • Cost-saving advantages of using a cloud service:
    • No need to maintain a data center
    • No need to maintain a disaster recovery site
    • Outsourced responsibility for performance and connectivity
    • On-demand provisioning
  • Cloud disadvantages include the following:
    • Greater difficulty in keeping private data secure
    • Greater danger of private data leakage
    • Greater demand for constant network access
    • Greater need for clients to trust outside vendors