Chapter 9: Access Control

Page 1: Chapter 9: Access Control

Page 2

Objectives

  • Apply the concepts of default deny, need-to-know, and least privilege
  • Secure user accounts throughout the employee lifecycle
  • Understand secure authentication

Page 3

Objectives Cont.

  • Protect systems from risks associated with remote access and telecommuting environments
  • Monitor and log all access-related activities and events
  • Develop policies to support access control to information assets

Page 4

What Is a Security Posture?

  • It is the organizational attitude toward security that is reflected in its default position
  • Two fundamental security postures:
    • Secure, which implements the “default deny” model
    • Reactive, which implements the “default permit” model
  • Every access control decision for a company is based on that company’s security posture

Page 5

What Is a Security Posture? Cont.

  • Default permit vs. default deny
    • Default permit: by default, out of the box, no security is deployed; everyone can do everything
      • Easier to deploy, works out of the box
      • No security
    • Default deny, a.k.a. “deny all”: access is unavailable by default until the appropriate control is altered to allow access

Page 6

What Is a Security Posture? Cont.

  • Principle of Least Privilege
    • Definition: the least amount of permissions granted a user that still allows them to perform whatever business tasks they have been assigned, and no more
    • This is a strong foundation for any access control policy
    • Protects the data but also protects the user: they can’t be accused of having deleted a file to which they can’t gain access!
    • From a cultural standpoint, it is important to explain to employees why they are not “trusted” with all the company’s data

Page 7

What Is a Security Posture? Cont.

  • Need-to-know
    • Definition: having a demonstrated and authorized reason for being granted access to information
    • Should be made a part of the company’s culture
    • Should be incorporated in the security training curriculum
    • At the very least protects the confidentiality of corporate data, but may also protect integrity and availability depending on the attack type

Page 8

What Is a Security Posture? Cont.

  • Three main access control models
    • MAC (Mandatory Access Control): data is classified, and employees are granted access according to the sensitivity of information
    • DAC (Discretionary Access Control): data owners decide who should have access to what information
    • RBAC (Role-based Access Control): access is based on positions (roles) within an organization
  • Companies need to decide which access control model they will implement

Page 9

What Is a Security Posture? Cont.

  • Classification models
    • Used in the public sector: top secret, secret, confidential
    • Used in the private sector: sensitive, confidential, public
  • Classification level combined with need-to-know should define actual access level
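To make the decision logic of Pages 5, 7, 8 and 9 concrete, here is an added Python example (not part of the slide deck) of a default-deny access check: the user’s clearance must dominate the data’s classification (MAC), the user must hold every need-to-know compartment tagged on the document, and only then can an owner grant (DAC) or a role permission (RBAC) allow the action; anything not explicitly allowed is denied. The users, documents, compartment tags and role table are constructed sample data, and the default-permit function is included only to contrast the reactive posture.

```python
"""Added example: a default-deny access decision that layers the slides' models.

Not from the slide deck; users, documents and the role table are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Tuple


class Level(IntEnum):
    """Private-sector classification levels from Page 9, ordered by sensitivity."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SENSITIVE = 2


@dataclass(frozen=True)
class Document:
    name: str
    owner: str                                   # DAC: the information owner sets the rules
    level: Level                                 # MAC: classification of the data
    compartments: FrozenSet[str] = frozenset()   # need-to-know tags the reader must hold
    dac_grants: FrozenSet[Tuple[str, str]] = frozenset()  # (user, action) pairs the owner granted


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    need_to_know: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()


# RBAC: actions each role may perform (constructed table)
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "hr-analyst": frozenset({"read"}),
    "hr-manager": frozenset({"read", "write"}),
}


def decide(user: User, doc: Document, action: str) -> Tuple[bool, str]:
    """Secure posture: every path that fails to prove access ends in a deny."""
    # MAC: the user's clearance must dominate the document's classification
    if user.clearance < doc.level:
        return False, "clearance below classification"
    # Need-to-know: clearance alone is not enough; every compartment must match
    missing = doc.compartments - user.need_to_know
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    # DAC: the owner, or a user the owner explicitly granted this action
    if user.name == doc.owner:
        return True, "owner"
    if (user.name, action) in doc.dac_grants:
        return True, "owner grant"
    # RBAC: a role held by the user may permit the action
    for role in sorted(user.roles):
        if action in ROLE_PERMISSIONS.get(role, frozenset()):
            return True, f"role {role} permits {action}"
    return False, f"default deny: no rule grants {action}"


def decide_default_permit(user: User, doc: Document, action: str,
                          deny_list: FrozenSet[Tuple[str, str]] = frozenset()) -> Tuple[bool, str]:
    """Reactive posture, for contrast: only an explicit deny rule blocks anything."""
    if (user.name, action) in deny_list:
        return False, "explicitly denied"
    return True, "default permit: nothing forbids it"


# Constructed sample data
PAYROLL = Document("payroll-2024.xlsx", owner="bob", level=Level.CONFIDENTIAL,
                   compartments=frozenset({"payroll"}))
HANDBOOK = Document("handbook.pdf", owner="bob", level=Level.PUBLIC,
                    dac_grants=frozenset({("erin", "read")}))
USERS = {
    "alice": User("alice", Level.SENSITIVE, frozenset({"payroll"}), frozenset({"hr-manager"})),
    "bob": User("bob", Level.CONFIDENTIAL, frozenset({"payroll"})),
    "carol": User("carol", Level.CONFIDENTIAL, roles=frozenset({"hr-analyst"})),
    "dave": User("dave", Level.PUBLIC, frozenset({"payroll"}), frozenset({"hr-manager"})),
    "erin": User("erin", Level.SENSITIVE, frozenset({"payroll"})),
}

if __name__ == "__main__":
    for name, user in USERS.items():
        for doc in (PAYROLL, HANDBOOK):
            allowed, why = decide(user, doc, "read")
            print(f"{name:6} read {doc.name:18} -> {'ALLOW' if allowed else 'DENY'} ({why})")
```

Note the ordering: carol has the right clearance and a role that permits reading, yet is denied because the payroll compartment is not in her need-to-know, which is exactly the point of Page 9’s last bullet. Under `decide_default_permit` the same request succeeds, since nothing explicitly forbids it.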

Page 10

What Is a Security Posture? Cont.

  • The role of the information owner
    • The information owner is the one who defines the access rules pertinent to the information for which they are responsible
    • They may enlist the assistance of the Information Security Officer

Page 11

Managing User Access

  • Simple yet important questions that should be asked – and answered! – when managing user access:
    • Who creates the user accounts?
    • How are they created?
    • How will this function be logged?
    • What happens when user situations evolve?
    • How to ensure that each user’s account is unique?

Page 12

Managing User Access Cont.

  • User Account Creation
    • Transcends departmental boundaries
    • Requires involvement & communication between:
      • Human Resources
      • Information Technology
      • Information Security Officer

Page 13

Managing User Access Cont.

  • User Access Management
    • Account creation needs to be regulated with an official, approved process
    • HR should initiate the initial paperwork to require creation of a new account
    • The request form should include:
      • Demographic information
      • Employee role
      • Access & equipment requirements

Page 14

Managing User Access Cont.

  • User Access Management
    • The filled HR form should be sent to the appropriate supervisor / manager for authorization
    • The ISO may also be consulted, especially if the level of access for this user account is high
    • Once authorized, the form is sent to the department responsible for user account creation (usually IT)
    • The account should not be created, and privileges should not be assigned, until full authorization has been granted

Page 15

Managing User Access Cont.

  • User Access Management
    • Inside the department in charge of account creation, there should be a position responsible for all user account-related functions, such as creation, modification, deletion
    • All user account tasks should be logged and auditable for accountability purposes
    • All logging should be automated
    • A separate person/department should be in charge of reviewing this log
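Pages 13 to 15 describe one procedure: HR raises the request, the manager (and the ISO when access is high) authorizes it, IT creates the account only after full authorization, every step is logged, and someone other than the actors reviews the log. The following is an added Python example of that workflow, not material from the deck; the person names, the two-level “standard”/“high” access scale and the in-memory list used as the audit log are all constructed assumptions.

```python
"""Added example: an account-provisioning workflow that refuses to create the account
before full authorization and keeps an auditable, independently reviewed log.

Not from the slide deck; names and the "standard"/"high" access levels are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


class AuthorizationError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


@dataclass
class AccountRequest:
    employee: str
    role: str
    access_level: str                       # "standard" or "high" (constructed scale)
    requested_by: str                       # HR initiates the paperwork (Page 13)
    manager_approval: Optional[str] = None
    iso_approval: Optional[str] = None
    created_by: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)   # Page 15: every task is logged

    def _log(self, actor: str, event: str) -> None:
        self.audit_log.append(f"{event} by {actor}")

    def approve_by_manager(self, manager: str) -> None:
        if manager == self.requested_by:
            raise AuthorizationError("requester cannot approve their own request")
        self.manager_approval = manager
        self._log(manager, "manager approval")

    def approve_by_iso(self, iso: str) -> None:
        self.iso_approval = iso
        self._log(iso, "ISO approval")

    def fully_authorized(self) -> bool:
        # Page 14: manager sign-off always; ISO sign-off as well when access is high
        if self.manager_approval is None:
            return False
        if self.access_level == "high" and self.iso_approval is None:
            return False
        return True

    def create_account(self, it_admin: str) -> None:
        if not self.fully_authorized():
            # refused attempts are logged too, so the reviewer can see them
            self._log(it_admin, "account creation refused: not fully authorized")
            raise AuthorizationError("account must not be created before full authorization")
        self.created_by = it_admin
        self._log(it_admin, f"account created for {self.employee} ({self.role}, {self.access_level})")

    def actors(self) -> Set[str]:
        return {a for a in (self.requested_by, self.manager_approval,
                            self.iso_approval, self.created_by) if a is not None}

    def review_log(self, reviewer: str) -> List[str]:
        """Page 15: the reviewer must be someone other than the people who acted."""
        if reviewer in self.actors():
            raise AuthorizationError("log reviewer must be independent of the actors")
        return list(self.audit_log)


def raises_authorization_error(fn: Callable, *args) -> bool:
    """Helper so callers can check that a step was refused."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


def run_example() -> AccountRequest:
    """Walk a high-access request through the process; returns it for inspection."""
    req = AccountRequest("j.doe", "payroll analyst", "high", requested_by="hr.smith")
    # IT tries too early: refused and logged
    assert raises_authorization_error(req.create_account, "it.jones")
    req.approve_by_manager("mgr.lee")
    # a high access level still lacks ISO approval at this point
    assert not req.fully_authorized()
    req.approve_by_iso("iso.chan")
    req.create_account("it.jones")
    return req


if __name__ == "__main__":
    request = run_example()
    for entry in request.review_log("audit.kim"):
        print(entry)
```

The two refusals are the interesting part: creation before sign-off is blocked (and the attempt itself becomes a log entry), and the IT administrator who created the account cannot be the one who reviews the log.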

Page 16

Managing User Access Cont.

  • Changes to the user status
    • The accounts and the level of access they are granted are a reflection of an employee’s status within the company
    • Promotions may imply new responsibilities and/or tasks, and therefore more/different privileges to be assigned to the account
    • If the career move is to a different department, the account should be audited to make sure that privileges that applied to the previous position are still needed for the new one. If not, they should be revoked

Page 17

Managing User Access Cont.

  • Changes to the user status
    • The accounts and the level of access they are granted are a reflection of an employee’s status within the company
    • In the case of employee termination, HR must communicate with the proper department in charge of user account management so that the account is at the very least disabled, if not deleted
    • A lack of communication in this sort of situation can result in a user account still being valid while the employee to whom it was assigned is not in the employ of the company anymore!

Page 18

With Privilege Comes Responsibility

  • The privilege / responsibility correlation
    • Certain positions in a company require the employee to have a high level of privilege in order for them to execute the tasks inherent to their job
    • Accounts with a high level of privilege should be monitored and audited
    • Such employees should be provided two accounts: one with the high privilege level, and another, “regular” account for all non-high-privilege tasks such as email and web surfing
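Pages 16 to 18 describe checks a periodic account audit should make. The following added Python example (not from the slide deck) reconciles a constructed HR roster against a constructed account directory and reports the three failure modes just described: an enabled account whose employee HR lists as terminated, groups carried over from a previous department, and a high-privilege account with no paired regular account. The department-to-group table, employee ids and usernames are all assumptions.

```python
"""Added example: reconciling the HR roster against the account directory.

Not from the slide deck; employees, accounts and group tables are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Employee:
    emp_id: str
    department: str
    status: str                  # "active" or "terminated", as reported by HR


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str                  # link to the HR record
    enabled: bool
    groups: FrozenSet[str]
    privileged: bool = False     # the "high privilege" account of Page 18


# Groups a department legitimately needs (constructed); anything else is privilege drift
DEPARTMENT_GROUPS: Dict[str, Set[str]] = {
    "finance": {"fin-ledger", "fin-reports"},
    "engineering": {"eng-repo", "eng-build"},
}
COMMON_GROUPS: Set[str] = {"email", "vpn-users"}   # acceptable for every active employee


def audit(employees: List[Employee], accounts: List[Account]) -> List[str]:
    """Return one finding per account that no longer matches the employee's status."""
    findings: List[str] = []
    by_id = {e.emp_id: e for e in employees}
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            findings.append(f"{acct.username}: no matching HR record")
            continue
        # Page 17: the account outlives the employment
        if emp.status == "terminated" and acct.enabled:
            findings.append(f"{acct.username}: enabled but employee {emp.emp_id} is terminated")
            continue
        # Page 16: privileges carried over from a previous department
        allowed = DEPARTMENT_GROUPS.get(emp.department, set()) | COMMON_GROUPS
        stale = sorted(acct.groups - allowed)
        if stale:
            findings.append(f"{acct.username}: groups not needed in {emp.department}: {', '.join(stale)}")
    # Page 18: a privileged account needs a paired regular account for everyday work
    has_regular = {a.emp_id for a in accounts if a.enabled and not a.privileged}
    for acct in accounts:
        if acct.privileged and acct.enabled and acct.emp_id not in has_regular:
            findings.append(f"{acct.username}: privileged account with no regular account for everyday tasks")
    return findings


# Constructed sample data: bob moved from finance to engineering, carol was terminated,
# dave only has an admin account, and "ghost" has no HR record at all
EMPLOYEES = [
    Employee("E1", "finance", "active"),
    Employee("E2", "engineering", "active"),
    Employee("E3", "engineering", "terminated"),
    Employee("E4", "engineering", "active"),
]
ACCOUNTS = [
    Account("alice", "E1", True, frozenset({"email", "fin-ledger"})),
    Account("bob", "E2", True, frozenset({"email", "eng-repo", "fin-ledger"})),
    Account("carol", "E3", True, frozenset({"email"})),
    Account("dave-admin", "E4", True, frozenset({"eng-build"}), privileged=True),
    Account("ghost", "E9", True, frozenset({"vpn-users"})),
]

if __name__ == "__main__":
    for line in audit(EMPLOYEES, ACCOUNTS):
        print(line)
```

The HR roster is treated as the source of truth for status and department, which is the communication link Page 17 says must not break; an account with no HR record at all is reported as well, since nobody can vouch for it.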

Page 19

Keeping Passwords Secure

  • Password Management
    • Single-factor authentication means using only one way to verify a user’s identity. This is generally a password
    • Users should be required to keep their passwords confidential
    • Passwords should be changed whenever there is a chance they were compromised
    • Compromising a password may result in unauthorized access as well as identity theft

Page 20

User Authentication for Remote Connections

  • Remote Access
    • Users who have a demonstrated business need to access the corporate network remotely and are authorized to do so must be given that privilege
    • Not all employees should be given this privilege by default
    • Remote access activities should be monitored and audited
    • The organization’s business continuity plan must account for the telecommuting environment

Page 21

Monitoring System Access and Use

  • Auditing should be turned on, and the logs generated should be reviewed daily
  • The policy should define:
    • What will be logged
    • Who will be in charge of reviewing those logs
    • What the log review schedule will be

Page 22

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • Four main monitoring areas:
      • Authorized access
      • Privileged operations
      • Unauthorized attempts
      • System alerts or failures

Page 23

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • Authorized access: log when users and systems that have proper authorization connect to and use information resources
    • Information gathered should include:
      • ID of the user or system performing the authorized action
      • Date and time of each important event
      • What kind of event it was
      • Which program/utility was used

Page 24

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • Authorized access: many event kinds are associated with authorized access:
      • Account logon events
      • Account management events
      • Directory service events
      • Logon events
      • Object access events
      • Policy change events
      • Privilege use events
      • Process tracking events
      • System events

Page 25

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • Authorized access: for all events recorded, the administrator has to decide which of the following will be logged:
      • Success of the event
      • Failure of the event
      • Both
    • The more information logged, the larger the log grows, which often leads to the logs becoming unmanageable and ignored – therefore not reviewed

Page 26

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • Privileged operations: events for activities/operations reserved for those users with special privilege to perform critical operations
    • The use of the administrator account (or root, supervisor) must be closely monitored
    • Other critical events to be monitored include:
      • Startup / shutdown
      • Attachment of devices
      • Hardware installation
      • Software installation

Page 27

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • Unauthorized attempts include:
      • Failed attempts at access
      • Access policy violations
    • Also includes events collected from firewall logs:
      • Dropped incoming connections
      • Disallowed outgoing connections

Page 28

Monitoring System Access and Use Cont.

  • What activity should be monitored?
    • System alerts or failures generated by:
      • Hardware failures
      • Application failures
      • Power problems
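Pages 22 to 28 define the four monitoring areas and what belongs in each. As an added Python example (not part of the deck), the following sorts constructed audit-log lines into those four areas and reduces them to per-area counts plus the repeated failed logons, which is the kind of digest Page 25 argues for when raw logs grow too large to be reviewed. The log layout, hostnames, usernames, addresses and action names are all constructed assumptions, not the format of any particular product.

```python
"""Added example: sorting constructed audit-log lines into the slides' four monitoring areas.

Not from the slide deck; the log format and every line below are constructed."""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log in a syslog-like "timestamp host source: key=value ..." layout
SAMPLE_LOG = """\
2024-03-01T08:02:11 host1 auth: user=alice action=logon result=success program=sshd
2024-03-01T08:03:40 host1 auth: user=mallory action=logon result=failure program=sshd
2024-03-01T08:03:44 host1 auth: user=mallory action=logon result=failure program=sshd
2024-03-01T08:03:49 host1 auth: user=mallory action=logon result=failure program=sshd
2024-03-01T08:10:02 host1 sudo: user=root action=package-install result=success program=apt
2024-03-01T08:12:30 host1 kernel: action=device-attach result=success program=usb-storage
2024-03-01T08:15:00 fw1 firewall: action=drop-inbound src=203.0.113.9 dst=10.0.0.5 result=failure
2024-03-01T08:16:10 fw1 firewall: action=block-outbound src=10.0.0.7 dst=198.51.100.2 result=failure
2024-03-01T08:20:00 host2 system: action=disk-failure result=failure program=smartd
2024-03-01T08:21:00 host2 system: action=shutdown result=success program=init
"""

# Page 26: administrator/root/supervisor use and the listed critical operations
PRIVILEGED_USERS = {"root", "administrator", "supervisor"}
PRIVILEGED_ACTIONS = {"startup", "shutdown", "device-attach", "hardware-install", "package-install"}
# Page 28: hardware, application and power problems
FAILURE_ACTIONS = {"disk-failure", "app-crash", "power-loss"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[\w-]+): (?P<kv>.*)$")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Turn one line into a dict; None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"), "source": m.group("source")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def classify(event: Dict[str, str]) -> str:
    """Map an event to one of the four monitoring areas of Page 22."""
    action = event.get("action", "")
    result = event.get("result", "")
    # Page 27: failed access, policy violations and firewall drops/blocks
    if (event["source"] == "firewall" or action == "policy-violation"
            or (action == "logon" and result == "failure")):
        return "unauthorized attempt"
    if action in FAILURE_ACTIONS:
        return "system alert or failure"
    if event.get("user") in PRIVILEGED_USERS or action in PRIVILEGED_ACTIONS:
        return "privileged operation"
    # Page 23: everything else is authorized use, recorded with who/when/what/which program
    return "authorized access"


def summarize(text: str) -> Counter:
    """Counts per area: a digest a reviewer can read even when the raw log is large (Page 25)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        event = parse(line)
        counts[classify(event) if event else "unparseable"] += 1
    return counts


def repeated_failures(text: str, threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` failed logons: the failures worth reviewing first."""
    failures: Counter = Counter()
    for line in text.splitlines():
        event = parse(line)
        if event and event.get("action") == "logon" and event.get("result") == "failure":
            failures[event.get("user", "?")] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for area, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3} {area}")
    print("repeated failed logons:", repeated_failures(SAMPLE_LOG))
```

The order of the checks in `classify` matters: a failed logon is an unauthorized attempt even when the account named is a privileged one, and a shutdown is a privileged operation rather than a failure because an administrator performed it deliberately. Lines that do not parse are counted separately so a reviewer notices a format change instead of silently losing events.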

Page 29

Monitoring System Access and Use Cont.

  • Log review and retention
    • How often should the logs be reviewed? By whom?
      • By an authorized employee who does not have full admin rights on the network, for separation of duties purposes
    • How long will the log files be archived for? How will they be stored securely?

Page 30

Is Monitoring Legal?

  • Courts have favored an employer’s right to protect their interests over individual privacy rights because:
    • Actions were taken at the employer’s place of work
    • Equipment used – including bandwidth – was company-provided
    • Monitoring the work also helps ensure the quality of work
    • The employer has the right to protect property from theft and/or fraud

Page 31

Is Monitoring Legal? Cont.

  • Courts indicate that monitoring is acceptable if it is reasonable:
    • Justifiable if serving a business purpose
    • Policies are set forth to define what privacy employees should expect while on company premises
    • Employees are made aware of what monitoring means are deployed
    • The acceptable use agreement should include a clause informing users that the company will and does monitor system activity
    • Users must agree to company policies when logging on

Page 32

Summary

  • Access control is a complex domain. Access to information is extremely important to regulate.
  • User access and user actions on the network must be monitored and logged, whether the users are located on premises or gaining access to the network remotely.
  • Monitoring is useless if the information gathered is not reviewed regularly.