Exploring Access Control for Security+ Certification
Access control is the ability to permit or deny the use of an object (a passive entity, such as a system or file) by a subject (an active entity, such as an individual or process).
Access control systems provide three essential services:
- Identification and authentication (I&A): These determine who can log on to a system.
- Authorization: This determines what an authorized user can do.
- Accountability: This identifies what a user did.
Identification and authentication (I&A)
Identification and authentication (I&A) is a two-step process that determines who can log on to a system.
- Identification is how a user tells a system who he or she is (for example, by using a username).
• The identification component of an access control system is normally a relatively simple mechanism based on either Username or User ID.
- In the case of a system or process, identification is usually based on
• Computer name
• Media Access Control (MAC) address
• Internet Protocol (IP) address
• Process ID (PID)
- The only requirements for identification are that the identification
• Must uniquely identify the user.
• Shouldn't identify that user's position or relative importance in an organization (such as labels like president or CEO).
• Should avoid using common or shared user accounts, such as root, admin, and sysadmin.
• Such accounts provide no accountability and are juicy targets for hackers.
- Authentication is the process of verifying a user's claimed identity (for example, by comparing an entered password to the password stored on a system for a given username).
- Authentication is based on at least one of these three factors:
• Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account. Unfortunately, passwords are often shared, stolen, or guessed.
• Something you have,such as a smart card or token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.
• Unfortunately, smart cards or tokens can be lost, stolen, borrowed, or duplicated.
• Something you are,such as fingerprint, voice, retina, or iris characteristics. This assumes that the finger or eyeball attached to your body is actually yours and uniquely identifies you.
• The major drawback is user acceptance — many people are uneasy about using these systems.
Authorization (or establishment) defines a user's rights and permissions on a system. After a user (or process) is authenticated, authorization determines what that user can do on the system.
Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
- Read (R): The user can
• Read file contents
• List directory contents
- Write (W): The user can change the contents of a file or directory with these tasks:
- Execute (X): If the file is a program, the user can run the program.
These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC).
Accountability uses such system components as audit trails (records) and logs to associate a user with his actions. Audit trails and logs are important for
- Detecting security violations
- Re-creating security incidents
If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence.
Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following:
- More than three failed logon attempts in a given period
- Any attempt to use a disabled user account
These reports help a system administrator or security administrator more easily identify possible break-in attempts.
Access control techniques
Access control techniques are generally categorized as either discretionary or mandatory. Understanding the differences between discretionary access control (DAC) and mandatory access control (MAC), as well as specific access control methods under each category, is critical for passing the Security+ exam.
Discretionary access control
Discretionary access control (DAC) is an access policy determined by the owner of a file (or other resource). The owner decides who is allowed access to the file and what privileges they have.
Two important concepts in DAC are
- File and data ownership: Every object in a system must have an owner. The access policy is determined by the owner of the resource (including files, directories, data, system resources, and devices). Theoretically, an object without an owner is left unprotected.
- Normally, the owner of a resource is the person who created the resource (such as a file or directory).
- Access rights and permissions: These are the controls that an owner can assign to individual users or groups for specific resources.
Discretionary access controls can be applied through the following techniques:
- Access control lists (ACLs) name the specific rights and permissions that are assigned to a subject for a given object. Access control lists provide a flexible method for applying discretionary access controls.
- Role-based access control assigns group membership based on organizational or functional roles. This strategy greatly simplifies the management of access rights and permissions:
• Access rights and permissions for objects are assigned any group or, in addition to, individuals.
• Individuals may belong to one or many groups. Individuals can be designated to acquire cumulative permissions (every permission of any group they are in) or disqualified from any permission that isn't part of every group they are in.
Mandatory access control
Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.
Two important concepts in MAC are the following:
- Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them.
- A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access.
- In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object.
- Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.
Two methods are commonly used for applying mandatory access control:
- Rule-based access controls:This type of control further defines specific conditions for access to a requested object.
- All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching
• An object's sensitivity label
• A subject's sensitivity label
- Lattice-based access controls: Thesecan be used for complex access control decisions involving multiple objects and/or subjects.
- A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.