AJ

Sec+ 11-12 Identity and Access Control

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS

Security+ Domain

Domain: Access Control and Authentication

Chapters:

Chapter 11: Access Control Fundamentals

Chapter 12: Authentication and Account Management

Overview of Access Control

Definition

Access Control: Mechanism that grants or denies approval to use specific resources. It restricts or allows access to data or devices in an information system so that the confidentiality, integrity, and availability of information are upheld. Access control is crucial for managing who has access to which data and keeps misuse and unauthorized access to a minimum.

Access Control Models

Four standard models:

  1. Discretionary Access Control (DAC):

    • Characteristics:

      • Least restrictive model where object owners have total control over their resources.

      • Permissions can be set by end-users, allowing flexibility in access rights management. This enables users to grant access to others based on trust and personal discretion.

    • Common Use:

      • Frequently employed in UNIX and Windows systems, where file-specific permissions can be assigned.

    • Weaknesses:

      • Incorrect permissions may lead to security issues, as users may inadvertently grant access to unauthorized individuals, exposing sensitive data or systems to risks.

  2. Mandatory Access Control (MAC):

    • Characteristics:

      • Most restrictive, designed to enforce a higher level of security. Permissions are granted based on matching labels that indicate security levels, relying on stringent policies.

      • Typically, users do not have the ability to change access settings, ensuring centralized control over the data.

    • Example:

      • Windows User Account Control (UAC) restricts actions based on classification levels to minimize risks from lower classified subjects, enforcing stricter operational policies in sensitive environments such as government or military systems.

  3. Role-Based Access Control (RBAC):

    • Characteristics:

      • Access is granted based on a user’s role within the organization, which aligns permissions with job functions.

      • This model simplifies permission management as roles can be easily modified without changing individual permissions. Importantly, this model aids in regulatory compliance by granting access based on the user’s functions.

    • Common Use:

      • Often used in enterprise environments where users have roles that dictate specific needs for data access, enhancing both security and efficiency.

  4. Rule-Based Access Control:

    • Characteristics:

      • Utilizes predefined rules to dynamically assign roles and permissions as organizational needs change.

      • Rules can be based on user behavior, time, location, or any other operational variable, enhancing adaptability. For example, it could restrict access to sensitive data after business hours or from unrecognized locations.

Best Practices for Access Control

  • Separation of Duties:

    • Requires more than one individual for sensitive processes to mitigate risk. It is a key control in preventing fraud and errors by dividing responsibilities among different individuals, ensuring accountability.

  • Job Rotation:

    • Periodically changing roles can limit access and help detect potential fraudulent activities or misconduct. This practice not only helps in identifying discrepancies but also ensures that different personnel are familiar with various functions, reducing risk.

  • Least Privilege:

    • Users should only have the access necessary to perform their job functions, minimizing potential damage from compromised accounts. This principle effectively reduces the attack surface by limiting accessible resources to the bare minimum required.

  • Implicit Deny:

    • Defaulting to deny access unless explicitly granted encourages a more secure environment by limiting access permissions, ensuring that anything not explicitly authorized remains inaccessible.

  • Mandatory Vacations:

    • Encourages transparency and reduces the risk of single-user fraud by requiring employees to take time off, enabling oversight by peers and allowing detection of any unusual or unauthorized activities.
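The four models above and the Implicit Deny practice are easiest to compare when each is reduced to a decision function. The Python below is an added illustration, not code from these notes or from the Security+ textbook; the subjects, resources, the ROLE_PERMISSIONS table, BUSINESS_HOURS and KNOWN_LOCATIONS are all constructed for the example. The common `decide()` entry point returns "deny" for anything that is not explicitly allowed, including an unknown model or missing context, which is implicit deny in code form.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int = 0                     # MAC: security level held by the subject
    roles: frozenset = frozenset()         # RBAC: roles assigned to the subject


@dataclass
class Resource:
    name: str
    owner: str
    classification: int = 0                  # MAC: label on the object
    acl: dict = field(default_factory=dict)  # DAC: user -> permissions the owner delegated


# RBAC: permissions attach to roles, never to individuals (constructed table)
ROLE_PERMISSIONS = {
    "accountant": {"ledger": {"read", "write"}},
    "auditor": {"ledger": {"read"}},
}

# Rule-based: contextual constraints named in the notes (business hours, known locations)
BUSINESS_HOURS = (time(8, 0), time(18, 0))
KNOWN_LOCATIONS = {"HQ", "branch-office"}


def dac_allows(subject, resource, perm):
    """DAC: the owner has full control and may delegate rights through the ACL."""
    if subject.name == resource.owner:
        return True
    return perm in resource.acl.get(subject.name, set())


def mac_allows(subject, resource, perm):
    """MAC: labels decide; a subject may only touch objects its clearance dominates."""
    return subject.clearance >= resource.classification


def rbac_allows(subject, resource, perm):
    """RBAC: a permission is granted only if one of the subject's roles carries it."""
    return any(perm in ROLE_PERMISSIONS.get(role, {}).get(resource.name, set())
               for role in subject.roles)


def rule_allows(subject, resource, perm, now, location):
    """Rule-based: the same request is allowed or denied depending on time and place."""
    in_hours = BUSINESS_HOURS[0] <= now <= BUSINESS_HOURS[1]
    return in_hours and location in KNOWN_LOCATIONS


MODELS = {"DAC": dac_allows, "MAC": mac_allows, "RBAC": rbac_allows}


def decide(model, subject, resource, perm, now=None, location=None):
    """Return 'allow' or 'deny'; anything not explicitly allowed is denied (implicit deny)."""
    try:
        if model == "RULE":
            ok = rule_allows(subject, resource, perm, now, location)
        else:
            ok = MODELS[model](subject, resource, perm)  # unknown model -> KeyError -> deny
    except Exception:
        ok = False  # missing context or an evaluation error fails closed
    return "allow" if ok else "deny"


def demo():
    """Run one request per model against constructed subjects and resources."""
    alice = Subject("alice")
    bob = Subject("bob")
    carol = Subject("carol", clearance=2, roles=frozenset({"auditor"}))
    report = Resource("report", owner="alice", classification=3, acl={"bob": {"read"}})
    ledger = Resource("ledger", owner="system", classification=1)
    return {
        "dac_owner_write": decide("DAC", alice, report, "write"),
        "dac_delegated_read": decide("DAC", bob, report, "read"),
        "dac_undelegated_write": decide("DAC", bob, report, "write"),
        "mac_read_up": decide("MAC", carol, report, "read"),
        "mac_read_dominated": decide("MAC", carol, ledger, "read"),
        "rbac_auditor_read": decide("RBAC", carol, ledger, "read"),
        "rbac_auditor_write": decide("RBAC", carol, ledger, "write"),
        "rule_in_hours_hq": decide("RULE", carol, ledger, "read", now=time(10, 0), location="HQ"),
        "rule_after_hours": decide("RULE", carol, ledger, "read", now=time(20, 0), location="HQ"),
        "rule_unknown_location": decide("RULE", carol, ledger, "read", now=time(10, 0), location="cafe"),
        "rule_missing_context": decide("RULE", carol, ledger, "read"),
        "unknown_model": decide("ABAC", alice, report, "read"),
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request:24} {outcome}")
```

Note the contrast the output makes visible: under DAC, bob's rights depend entirely on what alice chose to put in the ACL; under MAC, carol's clearance of 2 cannot read a level-3 report no matter who owns it; under RBAC, changing what "auditor" may do changes every auditor at once; and under the rule-based model, the identical request flips between allow and deny purely on time and location.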

Authentication Services Overview

Authentication: The process of verifying user credentials to ensure that the user is who they claim to be. Effective authentication is crucial for securing data and maintaining organizational integrity. Common authentication services include:

  • RADIUS (Remote Authentication Dial In User Service):

    • Designed for remote access, it centralizes the authorization, authentication, and accounting services for users, enhancing security in network environments.

  • TACACS (Terminal Access Controller Access-Control System):

    • Allows network devices to communicate with a centralized authentication server and provides more granular control over user commands compared to RADIUS.

  • Kerberos:

    • A ticket-based authentication protocol that uses secret-key cryptography to provide secure authentication over non-secure networks.

Authentication Credentials

Five types:

  1. What You Know:

    • Examples: Passwords, PINs, answers to security questions. These should be complex and changed regularly to enhance security.

  2. What You Have:

    • Examples: Physical tokens, smart cards, and mobile devices. The physical possession of an item adds a layer of security, especially when combined with other credentials.

  3. What You Are:

      • Examples: Biometrics such as fingerprints, facial recognition, or retinal scans. Biometric authentication is gaining traction because such traits are difficult to replicate, though concerns about privacy and the reliability of the technology persist.

  4. Where You Are:

    • Examples: Geolocation-based authentication used to verify user location as a factor in granting access. This method can aid in detecting suspicious login attempts from unfamiliar locations.

  5. What You Do:

    • Examples: Behavioral patterns that monitor user activity and recognize anomalies to prevent unauthorized access, such as keystroke dynamics or historical access patterns.

Password Management

Weaknesses of Passwords: Human memory limitations can lead to weak passwords, reused login credentials, and poor password management practices that can significantly compromise security. Furthermore, complicated policies designed to enforce expiration and complexity might overwhelm users, resulting in non-compliance and the use of easily remembered, simple passwords instead.

Security Strategies: To improve password security, implementing strong password guidelines is essential. Strong passwords should avoid dictionary words, personal information, and predictability, which are easy targets for attackers. Multi-factor authentication (MFA) provides an additional security layer by requiring multiple forms of verification before granting access, addressing various vulnerabilities and dramatically increasing the security posture of systems.
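The guidelines above (no dictionary words, no personal information, no predictable patterns) and the MFA point can both be checked mechanically. The Python below is an added example, not code from these notes or the textbook: DICTIONARY is a deliberately tiny constructed word list standing in for a real dictionary and breached-password list, FACTOR_CATEGORIES maps constructed credential names onto the five categories from the Authentication Credentials section, and the function names are the example's own. The MFA check makes a point the notes only imply: two credentials from the same category (a password plus a PIN) do not count as multi-factor.

```python
import re

# Constructed word list for the example; a real checker loads a full dictionary
# plus a breached-password list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}

# The five credential categories from the notes; MFA means two or more DIFFERENT categories
FACTOR_CATEGORIES = {
    "password": "know", "pin": "know", "security_question": "know",
    "hardware_token": "have", "smart_card": "have", "phone_otp": "have",
    "fingerprint": "are", "face": "are", "retina": "are",
    "geolocation": "where",
    "keystroke_dynamics": "do",
}


def has_sequence(s, run=4):
    """True if s contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        steps = [ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)]
        if all(d == 1 for d in steps) or all(d == -1 for d in steps):
            return True
    return False


def password_problems(pw, personal_info=(), min_length=12):
    """Return the guideline violations found in pw (an empty list means it passes)."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append("too short")
    if any(word in low for word in DICTIONARY):
        problems.append("contains dictionary word")
    # personal_info: name, birth year, pet, etc. supplied by the enrolment form
    if any(len(item) >= 3 and item.lower() in low for item in personal_info):
        problems.append("contains personal information")
    if re.search(r"(.)\1{2,}", pw):            # aaa, 111, ...
        problems.append("repeated characters")
    if has_sequence(low):                        # abcd, 1234, 4321, ...
        problems.append("sequential characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def is_multi_factor(credentials):
    """True only when the presented credentials span two or more distinct categories."""
    categories = {FACTOR_CATEGORIES[c] for c in credentials if c in FACTOR_CATEGORIES}
    return len(categories) >= 2


if __name__ == "__main__":
    for candidate in ("Jane1990!Summer", "abcd1234aaa", "correct-Horse-battery7Staple"):
        print(candidate, "->", password_problems(candidate, personal_info=["Jane", "1990"]) or "ok")
    print("password + pin  :", is_multi_factor(["password", "pin"]))
    print("password + otp  :", is_multi_factor(["password", "phone_otp"]))
```

The dictionary and sequence checks operate on the lower-cased password so that "Summer" and "sUmMeR" are caught equally; the character-class count is taken on the original string because case is part of what it measures.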

Summary of Access Control and Authentication

Access control ensures that resources are secured and used appropriately, considering the principle of least privilege for effective security implementation. Recognition of various access models assists organizations in deploying proper strategies to safeguard their information. Authentication and account management involve employing diverse techniques to maintain secure access for users, ensuring that only authorized individuals can access sensitive information.