What You Should Know about Access Control for a Job in Information Security

By Peter H. Gregory

At its heart, access control in information security is all about who (or what) is allowed to access something. When access control is performed correctly, unauthorized personnel are denied access to sensitive data. Often, access controls are the only defense between sensitive data and criminals who want it.

Authentication

Authentication is the process of asserting one’s identity to a system to access its resources. The identity takes the form of a user ID, which is a value assigned to a person or machine.

Single-factor authentication generally involves the presentation of a user ID and password. This common form of authentication is vulnerable to attack by adversaries.

A password is a secret word, phrase, or random characters used as a part of single-factor authentication. The quality of a password is an important factor that helps resist some forms of attack. Characteristics of password quality include length, complexity, expiration, recovery, and reuse.

Passwords are typically stored in hashed form. Hashing is an irreversible cryptographic function that facilitates the confirmation of a correct password during the login process but prevents the extraction of passwords.

Multifactor authentication generally involves the presentation of a user ID, together with a token or biometric. This type of authentication is generally stronger than single-factor authentication. A token is a hardware device that is used in multifactor authentication, and represents a far stronger form of authentication than single factor. Some form of a biometric can also be used in multifactor authentication, such as a fingerprint, a palm scan, an iris scan, or a voiceprint.

Access control attacks and countermeasures

Adversaries who are attempting to access resources in a target system frequently attack access controls. Methods of attack include the following:

  • Replay attack: An attacker intercepts an authentication, typically over a network, and replays the captured login credentials to try to gain unauthorized access to the target system. A replay attack can be successful even when some forms of token authentication are used, provided the attacker replays the captured login credentials soon after capturing them.

  • Stealing password hashes: The attacker obtains the database of hashed passwords from a system. If the hashing method used is weak, the attacker may be able to employ rainbow tables or other techniques to obtain account passwords. A rainbow table is a simple lookup table containing all possible password hashes and their corresponding passwords. The technique known as salting (mixing in random numbers when storing the hash of a new password) prevents the use of rainbow tables.

  • Interception of passwords in transit: An attacker may be able to intercept login credentials if they are transmitted “in the clear” (unencrypted) over a network. Older but still-used protocols such as Telnet and FTP (File Transfer Protocol) employ the transmission of login credentials without encryption. Discontinuing Telnet and FTP in favor of ssh (Secure SHell), FTPS (File Transfer Protocol Secure), and SFTP (Secure File Transfer Protocol) eliminates this threat.

  • Session hijacking: An attacker attempts to steal session cookies from a user’s web session. If successful, the attacker may then be able to perform all functions that the user could perform. Proper session management, including full session encryption and encryption of session cookies, can prevent session hijacking.

  • Key logger: An adversary may be able to use one of several methods to get key logger malware installed on a user’s system. If successful, the key logger will be able to intercept typed login credentials and transmit them to the adversary, who can use them later to access those same systems. Multifactor authentication and advanced malware prevention (AMP) tools can help thwart key loggers.

  • Social engineering: Adversaries have a number of techniques available to trick users into providing their login credentials. Techniques include

    • Phishing: The attacker sends an email that attempts to trick the user into clicking a link that takes the user to a phishing site, which is an imposter site used to request login credentials that the attacker can use to access the real site.

    • Watering hole attack: An attacker selects a website that he or she believes is frequented by targeted users. The attacker attacks the website and plants malware on the site that can, if successful, install a key logger or other malware on the victim’s workstation.

Access control processes

The business processes supporting access controls are critical. If not implemented and managed correctly, the best access control technology is of little use.

Key processes in access control include the following:

  • Access provisioning: The process of provisioning access for a user should follow a strict, documented process. Every request should be properly approved by one person/group and performed by a different person/group. Records for all steps must be retained.

  • Internal transfers: Access management personnel need to be notified when an employee is transferred to another position, so that the issue of accumulation of privileges can be prevented.

  • Employee termination: Access management personnel need to be notified immediately when an employee leaves the organization. All user accounts should be locked or removed and then double-checked.

  • Managing access controls for contractors, temps, and others: All personnel with access to organization systems and applications need to be managed using the same set of processes. Too many organizations do a substandard job of managing temporary workers. The result is the existence of user accounts for personnel who no longer work in the organization.

  • Password recovery: Organizations need a solid process for users who forget their passwords. Otherwise, attackers may be able to use this process to take over employees’ user accounts.

  • Periodic access reviews: Every aspect of access management needs to be periodically reviewed to ensure that every instance of access provisioning, termination, and transfers are performed correctly. The consequences of messing up access control processes can result in active user accounts with excessive privileges, and user accounts still associated with terminated personnel.