Developing Cybersecurity Programs and Policies

Cybersecurity Curriculum

  • Written by Omar Santos

  • Covers Chapter 9: Access Control Management


Objectives

  • Explain access control fundamentals.

  • Apply concepts such as default deny, need-to-know, and least privilege.

  • Understand secure authentication methods.

  • Protect systems from risks associated with Internet connectivity, remote access, and telework environments.

  • Manage and monitor user and administrator access.

  • Develop policies necessary to support access control management.


Access Control Fundamentals

  • Access Controls: Security features that govern user and process communication and interaction with systems and resources.
    - Primary Objective: Protect information and systems from unauthorized access, modification, or disruption.

  • Three Common Attributes of Access Controls:
    1. Identification Scheme: Establishes who the user is.
    2. Authentication Method: Verifies user identity.
    3. Authorization Model: Determines what users can do.


Security Posture

  • Security Posture: The organization’s overarching approach to access control.

  • Every access control decision is based on the company’s security posture.

  • Two Fundamental Security Postures:
    1. Secure: Implements the "default deny" model.
    2. Open: Implements the "default allow" model.


Default Allow vs. Default Deny

  • Default Allow:
    - By default, no security is deployed; all users have unrestricted access.
    - Easier to deploy and works out-of-the-box, but lacks inherent security.

  • Default Deny:
    - Also known as "deny all".
    - Access is blocked by default until specific controls are changed to permit it.


Principle of Least Privilege

  • Principle of Least Privilege: Users are granted the least amount of permissions necessary to perform their assigned tasks, and no more.

  • Forms a robust foundation for any access control policy.

  • Benefits:
    - Protects data integrity and availability.
    - Prevents users from accidentally deleting important files they cannot access.

  • Important for employees to understand why they do not have unrestricted access to all company data.


Need-to-Know

  • Need-to-Know: Authorization for access based on a demonstrated reason for requiring information.

  • Should be incorporated into the company culture and security training.

  • Protects the confidentiality of corporate data and can also protect integrity and availability based on the attack type.


Key Concepts of Identification

  • Identities should have the following characteristics:
    - Uniqueness: Each identity must be distinct within the system.
    - Nondescript: Identities should not reveal personal information.
    - Securely Issued: Identities must be distributed securely to prevent impersonation.
    - Location-based: Identities can be tied to specific locations or contexts.


Verifying Identity: Authentication

  • Authentication: The process requiring subjects to supply verifiable credentials.

  • Types of Authentication:
    - Single-Factor Authentication: Utilizes one credential factor for verification.
    - Multifactor Authentication: Employs two or more credential factors for user verification.
    - Multilayer Authentication: Utilizes two or more credentials of the same type (e.g., multiple passwords).


Three Categories of Authentication Factors

  1. Knowledge: What the user knows.
    - Examples: Password, PIN, security question answers.

  2. Possession: What the user has.
    - Examples: One-time passcodes, memory cards, smart cards, out-of-band communication.

  3. Inherence: What the user is.
    - Examples: Biometric identification (fingerprints, facial recognition).


Authorization

  • Authorization: The method of assigning permissions to authenticated subjects for specific operations.

  • Three Primary Authorization Models:
    1. Object Capability: Programmatically grants access based on a unique reference and an operational message.
    2. Security Labels: Uses mandatory access controls embedded within object and subject properties.
    3. Access Control Lists (ACLs): Determines access rights based on established criteria.


Categories of Access Control Lists

  • Mandatory Access Control (MAC): Data is classified, and access is granted based on information sensitivity.

  • Discretionary Access Control (DAC): Data owners determine who has access to specific data.

  • Role-Based Access Control (RBAC): Access rights are determined by user roles within the organization.

  • Rule-Based Access Control: Access is granted based on criteria that exist outside of user or group accounts.

  • Attribute-Based Access Control: Access is determined by evaluating rules against attributes of entities, operations, and the environment.
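An added example, not from the slides or the textbook, that puts the default-deny posture, least privilege, RBAC and one ABAC environment rule into a single authorization check, with the default-allow posture alongside for contrast. The roles, resources, deny list and `network` attribute are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission map (hypothetical roles/resources, not from the slides).
# Each role receives only the (resource, action) pairs its job needs: least privilege.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "hr":      {("personnel", "read"), ("personnel", "write")},
    "admin":   {("reports", "read"), ("personnel", "read"), ("audit", "read")},
}

# Explicit deny list, used only by the "open" posture below (constructed).
DENY_LIST = {("audit", "write")}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    action: str
    network: str = "corporate"   # environment attribute consulted by the ABAC rule

def rbac_allows(req: Request) -> bool:
    """RBAC: allowed only if a role the subject holds grants this (resource, action)."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles)

def abac_allows(req: Request) -> bool:
    """ABAC rule on an environment attribute: writes only from the corporate network."""
    return not (req.action == "write" and req.network != "corporate")

def authorize_secure(req: Request) -> bool:
    """Default deny: nothing is reachable unless RBAC grants it and every ABAC rule agrees.
    A resource nobody has been granted (e.g. a new application) is denied automatically."""
    return rbac_allows(req) and abac_allows(req)

def authorize_open(req: Request) -> bool:
    """Default allow: everything is reachable unless an explicit deny-list entry blocks it.
    Shown for contrast; new or forgotten resources stay exposed under this posture."""
    return (req.resource, req.action) not in DENY_LIST
```

Run the same request for a resource that no role has been granted through both functions: the secure posture denies it, the open posture lets it through.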


Accounting

  • Accounting: The process of auditing and monitoring user actions after accessing resources.

  • Audit Trail Logs must capture:
    - When the user accessed the resource.
    - What actions the user performed with that resource.
    - When the user ceased using the resource.


Infrastructure Access Controls

  • Network Infrastructure: Comprised of interconnected hosts and devices.

  • Infrastructure Access Controls include:
    - Physical and logical network design.
    - Border devices (firewalls, gateways).
    - Communication mechanisms (protocols).
    - Host security settings (firewalls within systems).


Network Segmentation

  • Network Segmentation: Logical grouping of network assets, resources, and applications.

  • Types of Network Segments:
    1. Enclave Network: Secure and isolated network segment.
    2. Trusted Network: Network trusted by the organization.
    3. Semi-Trusted Network: Includes perimeter networks or demilitarized zones (DMZ).
    4. Guest Network: Network available to visitors (can be wired or wireless).
    5. Untrusted Network: External networks not trusted by the organization.


Layered Border Security

  • Layered Border Security: Multiple security measures working in concert, focusing on a single objective.

  • Components include:
    - Firewall devices.
    - Intrusion Detection Systems (IDS).
    - Intrusion Prevention Systems (IPS).
    - Content filtering and validation (whitelisting/blacklisting).
    - Management of border devices.


Remote Access

  • Remote Access: Authorized users with a business need must be allowed to access the corporate network remotely.
    - Not all employees should have remote access by default.
    - Remote activities should be monitored and audited.
    - The organization's business continuity plan must consider telecommuting environments.


Remote Access Technologies

  1. Virtual Private Networks (VPNs): Establish a secure tunnel for transmitting data over insecure networks (e.g., the Internet).
    - Creates a virtual pathway connecting systems through the broader Internet infrastructure.

  2. Remote Access Portals:
    - Portal Server: Centralized access point for applications.
    - Terminal Server: Provides each remote user access to a standardized virtual desktop.


User Access Controls

  • User Access Controls: Ensure authorized users can access necessary information and resources while preventing unauthorized users from accessing limited information.

  • Users should only have access to information necessary for their roles and responsibilities.


Administrative Account Controls

  • Administrative Account Controls: Certain accounts with elevated privileges are essential (e.g., network admin, system admin, etc.).

  • Mitigating Controls:
    - Segregation of Duties: Assigning different tasks to different individuals to prevent fraud.
    - Dual Control: Requiring two individuals to perform a task together for greater security.


Types of Access to be Monitored

  • Access Monitoring Types:
    - Successful access attempts.
    - Failed access attempts.
    - Privileged operations conducted.
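An added example, not from the slides or the textbook, that reviews an audit trail for the three monitored access types above and for the "when accessed / what done / when ceased" fields the Accounting section requires. The log format, user names and resources are constructed; a successful open with no matching close is reported because the trail then fails to record when the user ceased using the resource.

```python
import re
from collections import Counter, defaultdict

# Constructed audit-trail lines (not from the slides); one event per line.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z user=alice res=payroll act=open result=success priv=no
2024-05-01T09:01:10Z user=alice res=payroll act=read result=success priv=no
2024-05-01T09:45:00Z user=alice res=payroll act=close result=success priv=no
2024-05-01T09:02:00Z user=mallory res=payroll act=open result=failure priv=no
2024-05-01T09:02:07Z user=mallory res=payroll act=open result=failure priv=no
2024-05-01T09:02:15Z user=mallory res=payroll act=open result=failure priv=no
2024-05-01T10:00:00Z user=root res=auditlog act=delete result=success priv=yes
2024-05-01T10:05:00Z user=bob res=hrdb act=open result=success priv=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) res=(?P<res>\S+) act=(?P<act>\S+) "
    r"result=(?P<result>success|failure) priv=(?P<priv>yes|no)$"
)

def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_audit_trail(text, failed_threshold=3):
    """Count failed attempts per user, list privileged operations, and pair each
    successful open (access began) with its close (access ceased)."""
    failed = Counter()
    privileged = []
    sessions = defaultdict(list)          # (user, res) -> [[open_ts, close_ts or None], ...]
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue                      # malformed lines are skipped, not guessed at
        if ev["result"] == "failure":
            failed[ev["user"]] += 1
        if ev["priv"] == "yes":
            privileged.append((ev["ts"], ev["user"], ev["res"], ev["act"]))
        key = (ev["user"], ev["res"])
        if ev["act"] == "open" and ev["result"] == "success":
            sessions[key].append([ev["ts"], None])
        elif ev["act"] == "close" and sessions[key] and sessions[key][-1][1] is None:
            sessions[key][-1][1] = ev["ts"]
    flagged = sorted(u for u, n in failed.items() if n >= failed_threshold)
    unclosed = sorted(k for k, v in sessions.items() if any(c is None for _, c in v))
    return {"failed": dict(failed), "flagged": flagged,
            "privileged": privileged, "unclosed": unclosed}
```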


Is Monitoring Legal?

  • Employees should have no expectation of privacy during company time or when using company resources.

  • Courts have prioritized employer interests over individual privacy rights based on factors such as:
    - Actions taken at work.
    - Use of company-provided equipment and bandwidth.
    - Quality assurance in work performance.
    - Employer rights to protect property from theft and fraud.


Legal Guidelines for Monitoring

  • Monitoring is acceptable when:
    - It serves a legitimate business purpose.
    - Clearly defined policies set expectations for employee privacy.
    - Employees are informed about monitoring practices and policies.

  • Acceptable Use Agreement: Must include a clause about monitoring with user consent required upon login.


Summary

  • Three Attributes of Access Control: Identification scheme, authentication method, and authorization model.

  • Two Fundamental Security Postures: Secure and Open.

  • Principle of Least Privilege: Essential for effective access control policies.

  • Identity characteristics: Unique, nondescriptive, and securely issued.

  • Authentication Types: Single-factor, multifactor, multilayer.

  • Authentication Factors: Knowledge, possession, and inherence.

  • Authorization Models: Object capability, security labels, access control lists.

  • Network Segment Types: Enclave, trusted, semi-trusted, guest, and untrusted networks.

  • Remote Access Technologies: VPNs and remote access portals.

  • Access Monitoring Types: Successful, failed, and privileged operations.