CBROPS 200-201: Chapter 3 - Access Control Models

1. Differences & definitions of subject, object, & access controls

1.1. Subject/Object

1.1.1. A subject makes a request to access an object

1.2. Access Controls

1.2.1. Regulate the subject/object interaction.

2. The key concepts in the identification process

2.1. Secure identities should be

2.1.1. Unique

2.1.1.1. Two users with the same identity should not be allowed.

2.1.2. Non-descriptive

2.1.2.1. It should not be possible to infer the role or function of the user. For example, a user called admin or omar represents a descriptive identity, whereas a user called c3214268 represents a nondescriptive identity.

2.1.3. Issued Securely

2.1.3.1. A secure process for issuing an identity to a user needs to be established.

3. Authentication Methods

3.1. Authentication by knowledge

3.1.1. is something the user knows such as a password or pin.

3.2. Authentication by ownership

3.2.1. is something the user owns such as a smart card, token, or badge.

3.3. Authentication by characteristic

3.3.1. is something the user is or does such as fingerprints, hand geometry, or keystroke dynamics.

4. Defining multifactor authentication

4.1. Multifactor authentication is using more than one authentication method (factor) such as a password & a badge.

5. Access Control Phases

5.1. Identification

5.1.1. The process of providing identity.

5.2. Authentication

5.2.1. The process of proving the identity.

5.3. Authorization

5.3.1. The process of providing access to a resource with specific access rights.

5.4. Accounting

5.4.1. The process of auditing & monitoring user operations on a resource.

6. Access control process key concepts

6.1. Asset/Data Classification

6.1.1. The process of classifying data based on the risk for the organization using on CIA.

6.2. Asset Marking

6.2.1. Marking, & labeling assets.

6.3. Access Policy Definition

6.3.1. The process of defining policies that govern access to an asset.

6.4. Data Disposal

6.4.1. The process of disposing or eliminating an asset or data.

7. Security Roles & Responsibilities

7.1. Executives & Senior Management

7.1.1. Has ultimate responsibility of data/assets.

7.2. Data Owner

7.2.1. Is responsible for a specific piece or subset of data.

7.3. System Owner

7.3.1. Is responsible for the security of systems that handle data owned by various owners.

7.4. Security Administrator

7.4.1. Is responsible for the process of granting rights and maintaining records of access.

7.5. End-User

7.5.1. responsible for adhering to security policies.

7.6. Some additional roles that may be defined in larger organizations

7.6.1. Security Officer

7.6.1.1. in charge of design, implementation, management, & review of security policies.

7.6.2. Information System Security Professional

7.6.2.1. Is responsible for drafting InfoSec policy standards, guidelines, guidance on threats.

7.6.3. Auditor

7.6.3.1. Is responsible for determining compliance to policy.

8. Access control types based on purpose

8.1. Administrative Controls

8.1.1. Policies, procedures around definitions of access controls, definitions of information classifications, roles, responsibilities, and anything needed to manage access control from the administrative perspective.

8.1.2. Subtypes

8.1.2.1. Operational

8.1.2.2. Security Policies & Procedures

8.1.2.3. Security Education & Training

8.1.2.4. Auditing & Monitoring Policies

8.2. Physical Controls

8.2.1. Are aimed at protecting physical boundaries and employee safety.

8.3. Technical Controls

8.3.1. Also called logical controls are technological controls such as firewalls, IPSs, IAM systems, encryption.

9. Access control types based preventative, detective, corrective, deterrent, recovery, compensating capacities

9.1. Preventative Controls

9.1.1. Enforce security policy and should prevent incidents from happening. Examples, ACLs, passwords, & fences.

9.2. Deterrent Controls

9.2.1. Discourages attackers from proceeding. For example, a system banner warning of unauthorized access.

9.3. Detective Controls

9.3.1. Aim at monitoring & detecting any unauthorized behavior or hazard. Useful while an attack is taking place & in post-mortem analysis.

9.4. Detective Controls

9.4.1. Aim at monitoring & detecting any unauthorized behavior or hazard. Useful while an attack is taking place & in post-mortem analysis.

9.5. Recovery Controls

9.5.1. Used after an environment or system has been modified because of unauthorized access, restores initial behavior. Examples, back, redundancy, disaster recovery plan.

9.6. Compensating Controls

9.6.1. Offer an alternative to primary control, usually as a temp solution. For example, a security guard checking a badge because a card reader is temporarily out-of-order.

10. Overview of Access Control Models // Pros & Cons of Access Control Models // Main Characteristics of each

10.1. Discretionary Access Control (DAC)

10.1.1. Access decisions & permissions are decided by the object owner (DoD - Trusted Computer System Evaluation Criteria).

10.1.1.1. Pro

10.1.1.1.1. Is simpler than other models

10.1.1.2. Con

10.1.1.2.1. Not centralized

10.1.1.2.2. Security policy may be bypassed

10.1.2. Main Characteristic

10.1.2.1. In the DAC model authorization is decided by the object owner, access permissions are associated with the object, and access control is enforced by access control lists.

10.2. Mandatory Access Control (MAC)

10.2.1. Access decisions are enforced by the access policy enforcer (example, the OS), use security labels (DoD - Trusted Computer System Evaluation Criteria).

10.2.1.1. Pro

10.2.1.1.1. Offers strict control over information

10.2.1.2. Con

10.2.1.2.1. Complex administration

10.2.2. Main Characteristic

10.2.2.1. In the MAC model the OS or policy enforcer decides on whether to grant access, not the owner, this policy is enforced by security labels.

10.3. Role-based Access Control (RBAC)

10.3.1. Access decisions are based on the role or function of the subject (INCITS 359-2004).

10.3.1.1. Pro

10.3.1.1.1. Scalable & Easy to Manage

10.3.1.2. Con

10.3.1.2.1. Increases role definitions

10.3.2. Main Characteristic

10.3.2.1. In the RBAC model decisions are based on the role of the subject which an organization assigns based on policy, permissions are tied to roles, not users.

10.4. Attribute-based Access Control (ABAC)

10.4.1. Access decisions are based on the attributes or characteristics of the subject, object, & environment (NIST SP 800-162).

10.4.1.1. Pro

10.4.1.1.1. Flexible

10.4.1.2. Con

10.4.1.2.1. More complex than DAC or MAC

10.4.2. Main Characteristic

10.4.2.1. In the ABAC model decisions are made based on the attributes associated with subjects, objects, or the environment. These attributes are characteristics of subject, object, or environment. User role, identitty, security classification can all be considered attributes.

11. RADIUS vs. TACACS+ Comparison

11.1. RADIUS

11.1.1. UDP Based

11.1.2. Encrypts user password in ACCESS REQUEST

11.1.3. Authentication & authorization in same exchange, accounting in another

11.1.4. No command authorization

11.1.5. Strong Accounting

11.1.6. RFC 2865 (authentication and authorization)

11.1.7. RFC 2866 (accounting)

11.2. TACACS+

11.2.1. TCP Based

11.2.2. Full Payload Encryption

11.2.3. AAA all performed in own exchange

11.2.4. Allows command authorization

11.2.5. Basic accounting

11.2.6. Cisco proprietary

12. The main characteristics of IPS/IDS

12.1. IDS

12.1.1. Works with a packet copy (promiscuous mode)

12.1.2. No traffic delay

12.1.3. Cannot stop traffic but can work with other security devices to block traffic

12.1.4. Some malicious traffic may pass even if flagged.

12.2. IPS

12.2.1. Inline mode

12.2.2. Adds latency due to packet processing

12.2.3. Can stop malicious traffic

12.2.4. Drops malicious packets

13. Categories of IPS/IDS events

13.1. False Positive

13.1.1. The system raises an event on legitimate traffic that is not malicious.

13.2. False Negative

13.2.1. Failure to recognize a malicious event.

13.3. True Positive

13.3.1. Correct behavior when threat is detected.

13.4. True Negative

13.4.1. Correct behavior when no event is triggered on non-malicious traffic.

14. The main characteristics of network IDS/IPS

14.1. Detection Methodologies

14.1.1. Pattern matching

14.1.2. Stateful pattern-matching recognition

14.1.3. Protocol analysis

14.1.4. Heuristic-based analysis

14.1.5. Anomaly-based analysis

14.1.6. Global threat correlation

15. The main characteristics of host-based IDS/IPS

15.1. Used on the host endpoint and interacts with the host OS but may also provide protection on the host NIC.

15.2. Used for end-host security policy enforcement and or compliance/audit control.

16. Network-Based vs. Host-Based Detection/Prevention Systems

16.1. NIDS/NIPS

16.1.1. Software deployed on a dedicated machine

16.1.2. Easy to update

16.2. HIDS/HIPS

16.2.1. Software installed on-top of host OS, may require multi-OS support.

16.2.2. May require an update of several endpoints

17. Network-Based vs. Host-Based Antivirus/Antimalware Systems

17.1. Network-based Antivirus/Antimalware

17.1.1. Dedicated Machine

17.1.2. Easy to maintain/update

17.1.3. Visibility into all network traffic

17.1.4. Delay due to packet processing

17.1.5. No visibility into whether or not attack was successful

17.1.6. No visibility into encrypted traffic

17.1.7. Can block at network entry point

17.2. Host-based Antivirus/Antimalware

17.2.1. Software installed on-top of OS

17.2.2. may require support for multiple OS's

17.2.3. updating multiple endpoints

17.2.4. only host visibility

17.2.5. can slow OS

17.2.6. can verify the success of the attack

17.2.7. visibility after dencryption

17.2.8. block encrypted packets

17.2.9. an attacker able to reach host before block

18. Definitions

18.1. Subject

18.1.1. The active entity that requests access to an object. The subject usually performs requests on behalf of the principal.

18.2. Object

18.2.1. A passive entity that is, or contains information needed by the subject. The role of the subject or object is purely determined by the entity that requests access.

18.3. Access Control

18.3.1. The process of granting, preventing, or revoking access to an object.

18.4. Identification

18.4.1. The process of providing identity to the access control enforcer.

18.5. Authentication

18.5.1. The process of proving the identity of an entity.

18.6. Authorization

18.6.1. The process of providing access to a resource with specific access rights.

18.7. Accounting

18.7.1. The process of auditing and monitoring user operations on a resource.

18.8. Asset Classification

18.8.1. The process of classifying an asset or data based on the potential damage a breach of the confidentiality, integrity, or availability of that data could cause.

18.9. Information or Data Owner

18.9.1. The person who maintains ownership and responsibility over a specific piece or subset of data.

18.9.2. Part of the responsibility of this role is to determine the appropriate classification of the information, ensure that the information is protected with controls, periodically review classification and access rights, and understand the risk associated with the information he or she owns.

18.9.3. Together with senior management, the information or data owner holds the responsibility for the security on the asset.

18.10. Discretionary Access Control (DAC)

18.10.1. An access control model where the access decision and permission are decided by the object owner.

18.11. Mandatory Access Control (MAC)

18.11.1. An access control model where the access decision is enforced by the access policy enforcer (for example, OS). Uses labels.

18.12. Role-Based Access Control (RBAC)

18.12.1. An access control model where the access decision is based on the role or function of the subject.

18.13. Attribute-Based Access Control (ABAC)

18.13.1. An access control model where the access decision is based on the attributes or characteristics of the subject, object, and environment.

18.14. Network-Based Intrusion Prevention

18.14.1. A system or software designed to detect and prevent cybersecurity threats by analyzing network traffic.

18.15. Host-Based Intrusion Prevention System (HIPS)

18.15.1. Specialized software that interacts with the host operating system to provide access control and threat protection.

18.15.2. In most cases, it also includes network detection and protection capabilities on the host network interface cards.

18.15.3. If there are no prevention capabilities but the system can only detect threats, it is referred to as a host-based intrusion detection system (HIDS).

18.16. Antivirus & Antimalware

18.16.1. Terms generally used interchangeably to indicate software that can be used to detect and prevent the installation of computer malware and in some cases quarantine affected computers or eradicate the malware and restore the operation of the system.