Security + CH7

access control
The process by which resources or services are granted or denied on a computer system or network
Four standard access control models used to enforce access control
Identification, authentication, authorization, access
A user accessing a computer system would present credentials or identification, such as a username
Checking the user's credentials to be sure that they are authentic and not fabricated
Granting permission to take the action
The right given to access specific resources
a specific resource, such as a file or a hardware device
a user or a process functioning on behalf of the user who attempts to access an object
The action that is taken by the subject over the object.
Access Control Models
Provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications
Mandatory Access Control (MAC) Model
The end user cannot implement, modify, or transfer any controls. Most restrictive model because all controls are fixed
Discretionary Access Control (DAC) model
A subject has total control over any objects that he or she owns. Least Restrictive
DAC has two significant weaknesses
1. It relies on the end-user subject to set the proper level of security 2. A subject's permissions will be "inherited" by any programs that the subject executes
User Account Control (UAC)
Operating systems prompt the user for permission whenever software is installed
Three primary security restrictions implemented by UAC
1. Run with limited privileges by default 2. Applications run in standard user accounts 3. Standard users perform common tasks
Role Based Access Control (RBAC) model
Based on a user's job function within the organization. Sometimes called Non-Discretionary Access Control. Considered a more "real world" approach than the other models. Assigns permissions to particular roles in the organization, and then assigns users to that role. Objects are set to be a certain type, to which subjects with that particular role have access
Rule Based Access Control (RBAC) model
can dynamically assign roles to subjects based on a set of rules defined by a custodian. Also called automated provisioning.
Practices for Access Control
separation of duties, job rotation, least privilege, implicit deny
Separation of duties
Requires that if the fraudulent application of a process could potentially result in a breach of security
Job rotation
Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another
Least privilege
Each user should be given only the minimal amount of privileges necessary to perform his or her job function
Implicit deny
If a condition is not explicitly met, then it is to be rejected
Logical Access Control Methods
includes ACLs, group policies, account restrictions, and passwords
Methods to implement access control are divided into two broad categories
Physical access control and logical access control
Access control list (ACL)
A set of permissions that is attached to an object that specifies which subjects are allowed to access the object, and what operations they can perform on it
Access control entry (ACE)
Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems
Group Policy
A Microsoft Windows feature that provides centralized management and configuration of computers and remote users using the Microsoft directory services known as Active Directory (AD)
the location where group policy settings are stored
Account Restrictions
method to restrict user accounts
Two common account restrictions
time of day restrictions, account expiration
Time of day restrictions
Limit when a user can log on to a system
Account expiration
The process of setting a user's account to expire
A secret combination of letters and numbers that only the user knows
Logical token
The most common logical access control
Attacks on passwords
brute force, dictionary, rainbow
Brute force attack
Simply trying to guess a password through combining a random combination of characters
Dictionary attack
Begins with the attacker creating hashes of common dictionary words
Rainbow tables
Make password attacks easier by creating a large pre-generated data set of hashes from nearly every possible password combination
Domain password policy
Sets password restrictions for a Windows domain
Physical Access Control
primarily protects computer equipment and is designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it
Computer security
The most fundamental step in physical security is to secure the system itself
Rack-mounted servers
4.45 centimeters (1.75 inches) tall, can be stacked with up to 50 other servers in a closely confined area
Two types of Door Security
preset lock and deadbolt lock
Preset lock
a lock that requires only a key for unlocking the door from the outside
Deadbolt lock
a lock that extends a solid metal bar into the door frame for extra security
Cipher lock
Combination locks that use buttons that must be pushed in the proper sequence to open the door
Tailgate sensor
Use multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway
Physical tokens
Objects to identify users
ID badge
The most common types of physical tokens
A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a nonsecured area from a secured area
Closed circuit television (CCTV)
Using video cameras to transmit a signal to a specific and limited set of receivers
Physical access log
A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area