Research Paper
Chapter 14 Controlling and Monitoring Access
Comparing Access Control Models
Comparing Permissions, Rights, and Privileges
Understanding Authorization Mechanisms
Defining Requirements with a Security Policy
Implementing Defense in Depth
Summarizing Access Control Models
Discretionary Access Controls
Nondiscretionary Access Controls
Overview
Comparing Permissions, Rights, and Privileges
Permissions
Access granted for an object
Rights
Ability to take action on an object
Privileges
Combination of rights and permissions
Understanding Authorization Mechanisms
Implicit deny
Access control matrix
Capability tables
Constrained interface
Content-dependent control
Context-dependent control
Need to know
Least privilege
Separation of duties and responsibilities
Defining Requirements with a Security Policy
Clarifies requirements
Shows senior leadership support
Sets guidelines and parameters
Implementing Defense in Depth
Protects against single-focused attacks
Document in security policy
Personnel are key
Uses combined solution approach
Summarizing Access Control Models
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule-based access control (rule BAC)
Attribute Based Access Control (ABAC)
Mandatory Access Control (MAC)
Discretionary Access Controls
Owner, creator, or custodian defines access
Based on identity
Uses ACLs on each object
Not centrally managed
Supports change
Nondiscretionary Access Controls
Centrally administered
Changes affect entire environment
Not based on identity, instead uses rules
Less flexible
Role Based Access Control
Based on subject’s role or assigned tasks
Enforces principle of least privilege
Related to job descriptions and work functions
Useful in dynamic environments
Often implemented using groups (via DAC)
Task based access control (TBAC)
Rule-Based Access Controls
Rules, restrictions, filters
Global rules apply to all subjects
Firewall and router rules/filters
Attribute Based Access Controls
Characteristics are used to determine rule applications
Can relate to users, groups, network, or devices
Mandatory Access Control
Based on classifications
Top Secret, Secret, Confidential
Confidential/Proprietary, Private, Sensitive, Public
Need to know
Prohibitive rather than permissive
Hierarchical
Compartmentalization
Hybrid
Understanding Access Control Attacks
Risk Elements
Identifying Assets
Identifying Threats
Threat Modeling Approaches
Identifying Vulnerabilities
Common Access Control Attacks
Summary of Protection Methods
Overview
Risk Elements
Risk
Assets
Threat
Vulnerability
Risk Management
Identifying Assets
Asset valuation
Tangible value
Intangible value
Cost-benefit analysis
Identifying Threats
Threat modeling
Secure by Design, Secure by Default, Secure in Deployment and Communication (SD3+C)
Goals:
Reduce number of defects
Reduce severity of remaining defects
Advanced Persistent Threat (APT)
Threat Modeling Approaches
Focused on assets
Focused on attackers
Focused on software
Identifying Vulnerabilities
Vulnerability analysis
Weakness to threat
Technical and administrative
Vulnerability scans
Common Access Control Attacks 1/2
Impersonation
Access aggregation
Password
Dictionary
Brute force
Birthday
Rainbow table
Sniffer
Common Access Control Attacks 2/2
Spoofing
Social engineering
Phishing
Drive-by download
Spear phishing
Whaling
Vishing
Smartcard
Side-channel attack
Summary of Protection Methods
Control physical access and electronic access
Create a strong password policy
Hash and salt passwords
Use password masking
Deploy multifactor authentication
Use account lockout controls
Use last logon notification
Educate users about security
Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions