Security Program and

Policies
Principles and Practices

by Sari Stern Greene

Chapter 9: Access Control Management

Objectives

 Explain access control fundamentals

 Apply the concepts of default deny, need-to-know, and
least privilege
 Understand secure authentication
 Protect systems from risks associated with Internet
connectivity, remote access, and telework environments
 Manage and monitor user and administrator access
 Develop policies to support access control management

Copyright 2014 Pearson Education, Inc. 2

Access Control Fundamentals
 Access controls
 Security features that govern how users and processes
communicate and interact with systems and resources
 Primary objective is to protect information and systems
from unauthorized access, modification, or disruption
 Three common attributes of access controls
 Identification scheme – identifies unique records in the
set, subject supplies identifier to the object
 Authentication method – how id is proven to be
genuine
 Authorization method – to carryout certain operations

Copyright 2014 Pearson Education, Inc. 3

What Is a Security Posture?

 It is the organization’s approach to access control

 Gives the default settings to access control, can
be technical(firewalls/pwd) ,
administrative(separation of duties/dual controls)
or physical(locks)
 Two fundamental security postures:
 Secure, which implements the “default deny” model
 Open, which implements the “default allow” model
 Every access control decision for a company is
based on that company’s security posture

Copyright 2014 Pearson Education, Inc. 4

What Is a Security Posture? Cont.

 Default allow versus default deny

 Default allow: By default, out-of-the-box, no
security is deployed, everyone can do everything
 Easier to deploy, works out-of-the-box, interoperability,
 No security
 Default deny
 Aka “deny all”
 Access is unavailable by default until the appropriate
control is altered to allow access- Eg: windows server
OS

Copyright 2014 Pearson Education, Inc. 5

What Is a Security Posture? Cont.
 Determining who to grant access to should be based on the security principle of need-to-
know.
 The level of access required should be based on the security principle of least privilege.
 Need-to-know means that the subject has a demonstrated and authorized reason for
being granted access to information.
 Once a need-to-know has been established, least privilege is the principle of only
assigning required object access permissions
 Principle of Least Privilege
 Definition: The least amount of permissions granted users that still allow them
to perform whatever business tasks they have been assigned, and no more.
 This is a strong foundation for any access control policy.
 Protects the data but also protects users. They can’t be accused of having
deleted a file to which they can’t gain access!
 From a cultural stand point, it is important to explain to employees why they
are not “trusted” with all the company’s data.

Copyright 2014 Pearson Education, Inc. 6

What Is a Security Posture? Cont.

 Need-to-know
 Definition: Having a demonstrated and authorized
reason for being granted access to information
 Should be made a part of the company’s culture
 Should be incorporated in security training
curriculum
 At the least protects the confidentiality of
corporate data, but may also protect integrity and
availability depending on the attack type

Copyright 2014 Pearson Education, Inc. 7

How Is Identity Verified?
 First step to granting access is user identification
 Authentication: Subject must supply verifiable
credentials offered referred as factors - There are
three categories of factors: knowledge (something the user
knows), possession (something a user has), and inherence
(something the user is).
 Single-factor authentication - pwd
 Multifactor authentication – 2 or more factors
 Multilayer authentication – 2 or more same type of factors
 Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a
threat being exercised should all be considered when you’re deciding on the level of authentication
required.
 The more factors, the more robust the authentication process.

Copyright 2014 Pearson Education, Inc. 8

How Is Identity Verified? Cont.
 Three categories of factors
 Knowledge: Something you know
 Password
 PIN
 Answer to a question
 Possession: Something you have
 One-time passcodes - OTPs
 Memory cards – Magnetic strip – debit card - pin
 Smart cards – microprocessor – credit cards
 Out-of-band communication – cell phone call- to compromise
access to both computer and phone are needed.
 Inherence: Something you are
 Biometric identification

Copyright 2014 Pearson Education, Inc. 9

Biometrics
 -Biometrics is the identification of humans
by distinctive measurable characteristics or
traits. A biometric identification system
scans an attribute of a person and compares
it to a record that was created in an earlier
enrollment process. Success of the system
depends on accurate and repeatable
measurements of anatomical or
physiological attributes.

Copyright 2014 Pearson Education, Inc. 10

Biometrics contd..

 Anatomical attributes include fingerprint,

finger scan, palm scan, hand geometry,
retina scan, iris scan, facial scan, and DNA.
 Physiological attributes includes handwriting,
keyboard dynamics, and voice print.
 Adv: Biometric authentication is the most
accurate factor;
 Disadv: it is also the most expensive to
implement and maintain
Copyright 2014 Pearson Education, Inc. 11
Forgot password!!
 Reissuing passwords that includes verification that the requester is indeed who he says he is.
Often cognitive passwords are used as secondary verification.
 A cognitive password is a form of knowledge-based authentication that requires a user to
answer a question based on something familiar to them. Common examples are mother’s maiden
name and favorite color.
 The problem, of course, is that this information is very often publicly available.
 This weakness can be addressed using sophisticated questions that are derived from
subscription databases such as credit reports.
 These questions are commonly referred to as out-of-wallet challenge questions. The term was
coined to indicate that the answers are not easily available to someone other than the user, and
that the user is not likely to carry such information in his or her wallet.
 Out-of-wallet question systems usually require that the user correctly answer more than one
question and often include a “red herring” question that is designed to trick an imposter but which
the legitimate user will recognize as nonsensical.

Copyright 2014 Pearson Education, Inc. 12

What Is Authorization?
 The process of assigning authenticated subjects
permission to carry out a specific operation. The
authorization model defines how access rights and
permission are granted.
 Three primary authorization models
 Object capability
 Used programmatically and based on a combination of a
unforgettable reference and an operational message
 Security labels
 Mandatory access controls embedded in object and subject
properties
 Access Control Lists
 Used to determine access based on some criteria

Copyright 2014 Pearson Education, Inc. 13

What Is Authorization? Cont.
 Categories of access control lists
 MAC (Mandatory Access Control): Data is classified, and
employees are granted access according to the sensitivity
of information- security label of the subject and object
should match-
 DAC (Discretionary Access Control): Data owners decide who
should have access to what information - Permissions can be cumulative. For
example, John belongs to the Accounting Group. The Accounting Group is assigned read
permissions to the Income Tax folder and the files in the folder. John’s user account is assigned
write permissions to the Income Tax folder and the files in the folder. Because DAC permissions
are cumulative, John can access, read, and write to the files in the tax folder.
 RBAC (Role-based Access Control): Access is based on
positions (roles) within an organization
 Rule-based access control: Access is based on criteria
that is independent of the user or group account

14
 Infrastructure Access Controls
 A network infrastructure is defined as an interconnected group of hosts
and devices. The infrastructure can be confined to one location or, as often
is the case, widely distributed, including branch locations and home offices.
Access to the infrastructure enables the use of its resources.
 Infra structure access control Include physical and logical network design,
border devices, communication mechanisms, and host security settings
 Network segmentation
 The process of logically grouping network assets, resources, and applications to
have flexibility in implementing security controls.
 Type of network segmentation
 Enclave network – needs higher degree of protection
 Trusted network – internal authorized users can use
 Semi-trusted network, perimeter network, or DMZ – used through internet
 Guest network – visitors use this
 Untrusted network – outside our network- eg: internet

Copyright 2014 Pearson Education, Inc. 15

What Is Layered Border Security?
 Different types of security measures designed to
work in tandem with a single focus – to protect
internal network from external threats.
 Firewall devices
 Intrusion detection systems (IDSs)
 Intrusion prevention systems (IPSs)
 Content filtering and whitelisting/blacklisting
 Border device administration and management
 Normally this work is outsourced to managed
security service providers (MSSP)

Copyright 2014 Pearson Education, Inc. 16

Firewalls
 Firewalls are devices or software that control the flow of traffic between
networks. They are responsible for examining network entry and exit
requests and enforcing organizational policy.
 Firewalls are a mandatory security control for any network connected to an
untrusted network such as the Internet.
 Without a properly configured firewall, a network is completely exposed and
could potentially be compromised within minutes, if not seconds
 The rule set is used by the firewall to evaluate ingress (incoming) and
egress (outgoing) network traffic. In keeping with access control best
practices, rule sets should be initially set to “deny all” and then strict rules
implemented that allow connectivity based on business need.
 NIST SP-41, R1: Guidelines on Firewalls and Firewall Policy provides an
overview of firewall technologies

Copyright 2014 Pearson Education, Inc. 17

Intrusion Detection Systems and
Intrusion Protection Systems
 Intrusion detection systems - (IDSs) are passive devices
designed to analyze network traffic in order to detect unauthorized
access or malevolent activity. Most IDSs use multiple methods to
detect threats, including signature-based detection, anomaly-based
detection, and stateful protocol analysis. If suspicious activity is
detected, IDSs generate an onscreen, email, and/or text alert.
 Intrusion prevention systems (IPSs) are active devices that sit
inline with traffic flow and can respond to identified threats by
disabling the connection, dropping the packet, or deleting the
malicious content

Copyright 2014 Pearson Education, Inc. 18

IDS / IPS Technologies- Types
 Network-based IDS/IPS—Monitors network traffic for particular network segments or
devices and analyzes the network and application protocol activity to identify suspicious
activity
 Wireless IDS/IPS—Monitors wireless network traffic and analyzes it to identify suspicious
activity involving the wireless networking protocols themselves
 ■■ Network behavior analysis IDS/IPS—Examines network traffic to identify threats that
generate unusual traffic flows, such as distributed denial of service (DDoS) attacks,
certain forms of malware, and policy violations (for example, a client system providing
network services to other systems)
 ■■ Host-based IDS/IPS—Monitors the characteristics of a single host and the events
occurring within that host for suspicious activity
 IDS/IPS has four decision states. True positive occurs when the IDS/IPS correctly
identifies an issue. True negative occurs when the IDS/IPS correctly identifies normal
traffic. False positive occurs when the IDS/IPS incorrectly identifies normal activity as an
issue. False negative occurs when the IDS/ISP incorrectly identifies an issue as normal
activity.
 NIST SP-94: Guide to Intrusion Detection and Prevention Systems describes the
characteristics of IDS and IPS technologies

19
Content Filtering and
Whitelisting/Blacklisting
 The filters can be supplemented by self-generated, open source, or
subscription-based IP whitelists and/or blacklists.
 Whitelists are addresses (IP and/or Internet domain names) of
known “good” sites to which access should be allowed. Conversely,
blacklists are addresses (IP and/or Internet domain names) of
known “bad” sites to which access should be denied. It is common
practice to block entire ranges of IP addresses specific to
geographic regions.
 Content-filtering applications can be used to restrict access by
content category (such as violence, gaming, shopping, or
pornography), time factors, application type, bandwidth use, and
media.

Copyright 2014 Pearson Education, Inc. 20

Border Device Administration and
Management
 Border device administration and management is a
24/7/365 responsibility.
 On a daily basis, performance needs to be monitored to
enable potential resource issues to be identified and
addressed before components become overwhelmed.
Logs and alerts must be monitored and analyzed to
identify threats—both successful and unsuccessful.
 Administrators need to be on the watch for security
patches and apply them expediently.
 Border device policies, configurations, and rule sets
must be backed up or replicated.

Copyright 2014 Pearson Education, Inc. 21

Remote Access Security
 Remote Access
 Users who have a demonstrated business-need to access the corporate
network remotely and are authorized to do so must be given that
privilege
 Not all employees should be given this privilege by default
 Remote access activities should be monitored and audited
 The organization’s business continuity plan must account for the
telecommuting environment
 Remote access technologies
 Virtual Private Networks (VPNs)
 Secure tunnel for transmitting data over unsecure network, such as the Internet – IPSec
Protocol- Eg for security protocol
 Remote access portals
 Offers access to one or more applications through a single centralized interface – needs
special kind of software for access Eg: - teamview,

Copyright 2014 Pearson Education, Inc. 22

Remote Access Authentication and
Authorization
 Whenever feasible, organizations should implement mutual
authentication so that a remote access user can verify the
legitimacy of a remote access server before providing authentication
credentials to it.
 In addition to authenticating the user, remote access devices such
as workstations and tablets should be evaluated to ensure they
meet the baseline standards required for internal systems. Network
access control (NAC) systems can be used to “check” a remote
access device based on defined criteria such as operating system
version, security patches, antivirus software version, and wireless
and firewall configurations before it is allowed to connect to the
infrastructure. If the device does not meet the predefined criteria,
the device is denied access.

Copyright 2014 Pearson Education, Inc. 23

Teleworking Access Controls
 The Telework Enhancement Act of 2010, defines teleworking as “a work
flexibility arrangement under which an employee performs the duties and
responsibilities of such employee’s position, and other authorized activities,
from an approved worksite other than the location from which the employee
would otherwise work.”
 In plain language, teleworking allows employees to work offsite, often from
their home.
 Remote locations must be thought of as logical and physical extensions of
the internal network and secured appropriately. Controls to ensure the
confidentiality, integrity, and availability (CIA) of the information assets and
information systems, including monitoring, must be commensurate with the
on-premise environment.
 NIST SP 880-114: User’s Guide to Securing External Devices for Telework
and Remote Access provides practical, real-world recommendations for
securing telework computers’ operating systems (OS) and applications, as
well as the home networks that the computers use.

Copyright 2014 Pearson Education, Inc. 24

User Access Controls
 Used to ensure authorized users can access information
and resources while unauthorized users cannot access
information and resources
 Users should have access only to information they need to
do their job and no more – (principle of least privilege)
 Administrative account controls- privileged accounts – eg:
admin, sys admin, network admin, webmaster, firewall
admin
 Segregation of duties– no single individual can control from start
to finish
 Dual control - two individuals must both complete their half of a specific task

Copyright 2014 Pearson Education, Inc. 25

What Types of Access Should Be
Monitored?
 Three main monitoring areas:
 Successful access – record of user activity
 Failed access- whether it is an attempt by attacker or
users having difficulty in accessing their accounts
 Privileged operations – compromised admin account will
have negative effect

Copyright 2014 Pearson Education, Inc. 26

Is Monitoring Legal?
 Employees should have no expectation of privacy
while on company time or when using company
resources
 Courts have favored an employer’s right to protect
their interests over individual privacy rights
because:
 Actions were taken at the employer’s place of work
 Equipment used – including bandwidth – was company-
provided
 Monitoring the work also helps ensure the quality of work
 The employer has the right to protect property from theft
and/or fraud

Copyright 2014 Pearson Education, Inc. 27

Is Monitoring Legal? Cont.

 Courts indicate that monitoring is acceptable if it is

reasonable:
 Justifiable if serving a business purpose
 Policies are set forth to define what privacy employees should
expect while on company premises
 Employees are made aware of what monitoring means are
deployed
 Acceptable use agreement should include a clause
informing users that the company will and does monitor
system activity
 Users must agree to company policies when logging on

Copyright 2014 Pearson Education, Inc. 28

Summary

 Access control is a complex domain. Access to

information is extremely important to regulate.
 User access and user actions on the network
must be monitored and logged, whether they
are located on premises or gaining access to
the network remotely.
 Monitoring is useless if the information
gathered is not reviewed regularly.

Copyright 2014 Pearson Education, Inc. 29