Information Security Chapter 3
Study Notes

Chapter 3: Access Control Concepts

  • Access control is the heart of an information security program.
  • It involves determining who can access organizational assets (buildings, data, systems) and what they can do.
  • Access controls grant access to authorized personnel and processes and deny it to unauthorized ones.
  • Key elements are objects, subjects, and rules.

Module Overview

  • Controls and Risk: Risk reduction depends on effective controls.
  • Control Frameworks: Sets of best practices for establishing controls.
  • Control Assessments: Evaluations to determine if controls are functioning effectively. Essential for changing environments.
  • Defense in Depth: Layering multiple controls from different levels of security.
  • Least Privilege: Users and processes get only the lowest level of authority needed for their function, typically assigned by role.
  • User Life Cycle Management: Processes for provisioning, maintaining, and de-provisioning user accounts, including identity proofing before an account is issued and provisioning of the devices the user will use.
  • Privileged Access Management (PAM): Management of high-level access accounts (root, domain admins, etc) to reduce risk.
  • Segregation of Duties (SoD): Implementing dual controls—preventing any one person from completing a high-risk transaction by requiring more than one person. Essential for fraud prevention.

What Is a Control?

  • A safeguard or countermeasure designed to protect confidentiality, integrity, and availability.
  • Meets defined security requirements.

Controls and Risk

  • Controls are implemented to mitigate risks.
  • Assess risk before a control is implemented (inherent risk) and after (residual risk), and compare the residual risk against the organization's risk appetite.

Control Assessments

  • Risk reduction is dependent on effective and functioning controls within changing environments.
  • Security control assessments are performed to evaluate control effectiveness (frequency, scope, plan).

Controls Overview

  • Objects: Passive entities (a file, database, device, or process) that take no action on their own and are acted upon only when a subject requests them.
  • Subjects: Active entities (a user, process, or service) that request a service from, or access to, an object.
  • Rules: Instructions that allow or deny a subject's access to an object, based on the subject's identity and the object's access control list.

Defense in Depth

  • A strategy of layering multiple security controls so that no single control is a single point of failure.
  • If one control fails, the remaining layers still protect the system. Layers include administrative controls such as security awareness training, not only technical ones.

Least Privilege

  • Limiting user/process access to the minimum necessary to perform their tasks.
  • Granular set of permissions. Based on role.

Need to Know

  • Linked to least privilege: even a subject cleared for a classification level (e.g., top secret, secret, restricted, public) is granted access only to the specific information they need.
  • The test is whether the knowledge is required to do the job, not merely whether the person is trusted at that level.

Other Important Concepts

  • User Life Cycle Management: covers provisioning, changes over the life of the account, and de-provisioning on voluntary or involuntary termination. Accounts span many systems (SSO, cloud services, payroll), so de-provisioning must reach all of them.
  • Provisioning accounts: Process of setting up new accounts.
  • Cloning Accounts: Using templates to expedite account creation.
  • Identity proofing: Method for validating users.

Privileged Access Management

  • Privileged accounts: Accounts with elevated access rights (system, enterprise admin, root, domain admin).
  • Identification (claiming an identity) and authentication (proving it) are distinct steps; privileged accounts require stricter authentication than ordinary accounts.

Segregation of Duties (SoD)

  • Critical to prevent fraud.
  • Requires separate individuals to perform different parts of a transaction.
  • Improves security by preventing any one individual from completing an entire high-risk transaction.
  • Dual Controls: Two or more people are required to initiate or complete a process.

User Life Cycle Management (Cont.)

  • Amending user privileges: Changing access levels.
  • Privilege creep: Expanding privileges beyond those needed.
  • User access reviews: Periodic checks of access rights.
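The three checks a periodic user access review typically runs (privilege creep against a role baseline, segregation-of-duties conflicts, and accounts that should have been de-provisioned) can be scripted over an IAM export. The block below is an added example for this chapter, not code from the study notes; the roles, entitlement names, users and dates are constructed, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Periodic user access review over an IAM export: flags privilege creep against
a role baseline, segregation-of-duties conflicts, and accounts to de-provision.
Added example for this chapter; roles, entitlement names and users are constructed."""
from datetime import date

# Role baseline: the entitlements each role is supposed to carry (least privilege).
ROLE_BASELINE = {
    "ap-clerk":   {"erp:invoice.create", "erp:vendor.read"},
    "ap-manager": {"erp:invoice.approve", "erp:vendor.read", "erp:report.read"},
    "sysadmin":   {"ad:domain-admin", "erp:report.read"},
}

# SoD matrix: pairs of entitlements no single person may hold together (dual control).
SOD_CONFLICTS = [
    ({"erp:invoice.create"}, {"erp:invoice.approve"}),   # raise and approve a payment
    ({"erp:vendor.create"},  {"erp:invoice.create"}),    # create a vendor and bill from it
]

# Constructed IAM/HR export: current entitlements plus HR status and last login.
USERS = [
    {"user": "jsmith", "status": "active", "roles": ["ap-clerk"], "last_login": "2024-05-30",
     "entitlements": {"erp:invoice.create", "erp:vendor.read"}},
    {"user": "mjones", "status": "active", "roles": ["ap-manager"], "last_login": "2024-05-29",
     # promoted from clerk; the old invoice.create right was never removed
     "entitlements": {"erp:invoice.create", "erp:invoice.approve", "erp:vendor.read", "erp:report.read"}},
    {"user": "tlee", "status": "terminated", "roles": ["sysadmin"], "last_login": "2024-02-01",
     "entitlements": {"ad:domain-admin", "erp:report.read"}},
    {"user": "svc-backup", "status": "active", "roles": [], "last_login": "2023-11-03",
     "entitlements": {"ad:domain-admin"}},           # service account with no justifying role
]

def expected_entitlements(roles):
    """What the subject's current roles justify; empty if they hold no role."""
    return set().union(*(ROLE_BASELINE.get(r, set()) for r in roles))

def find_privilege_creep(users):
    """Entitlements held beyond the role baseline: {user: {excess entitlements}}."""
    creep = {}
    for u in users:
        extra = u["entitlements"] - expected_entitlements(u["roles"])
        if extra:
            creep[u["user"]] = extra
    return creep

def find_sod_conflicts(users):
    """Users who hold both sides of a conflicting pair: {user: [sorted pair tuples]}."""
    hits = {}
    for u in users:
        for left, right in SOD_CONFLICTS:
            if left <= u["entitlements"] and right <= u["entitlements"]:
                hits.setdefault(u["user"], []).append(tuple(sorted(left | right)))
    return hits

def find_deprovision_candidates(users, today="2024-06-01", dormant_days=90):
    """Terminated users whose accounts still exist, and accounts dormant past the threshold."""
    as_of = date.fromisoformat(today)
    out = {}
    for u in users:
        idle = (as_of - date.fromisoformat(u["last_login"])).days
        if u["status"] == "terminated":
            out[u["user"]] = "terminated but still provisioned"
        elif idle > dormant_days:
            out[u["user"]] = f"dormant for {idle} days"
    return out

def access_review(users=USERS, today="2024-06-01"):
    """Run all three checks; each finding is then approved or revoked by the line manager."""
    return {"privilege_creep": find_privilege_creep(users),
            "sod_conflicts": find_sod_conflicts(users),
            "deprovision": find_deprovision_candidates(users, today)}

if __name__ == "__main__":
    for check, findings in access_review().items():
        print(check, findings)
```

The review compares what a user has against what their current role justifies, rather than against what they had at the last review; that is what catches mjones, whose leftover invoice.create right is both privilege creep and an SoD conflict with the approve right the new role added.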

Identification, Authentication and Authorization

  • Identification: Claiming who you are, e.g., a username.
  • Authentication: Proving that claim, e.g., a password.
  • Single Factor Authentication: Proving identity with one factor only, e.g., a password (a username alone identifies but does not authenticate).
  • Multi-Factor Authentication: Proving identity with factors from two or more different categories: something you know (password), something you have (phone or hardware token), something you are (biometric). A username plus a password is still single factor.
  • One-time password: A temporary password valid for a single login or a short time window, typically generated by an app or token.
  • Strong Authentication: Authentication that meets stringent criteria, in practice multi-factor authentication with factors from different categories.
  • Auditing: Recording access control activities (who accessed what, when, and whether it was allowed) so they can be reviewed later.
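The distinction between identification, a first factor, a second factor and auditing is easiest to see in a small login routine. The block below is an added example for this chapter, not code from the study notes: the user, password and salt are constructed, the TOTP secret is the RFC 4226/6238 reference secret so the one-time codes can be checked against the published vectors, and the one-step clock-drift window is an assumed policy choice.

```python
"""Two-factor login: identification by username, factor one a salted password hash,
factor two a TOTP one-time code (RFC 6238 over RFC 4226 HOTP), with audit entries.
Added example for this chapter. The user, password and salt are constructed; the
TOTP secret is the RFC 4226/6238 reference secret so the codes can be checked."""
import base64, hashlib, hmac, struct, time

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # fixed here; random per user in practice
ITERATIONS = 100_000

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

# Constructed user store: no clear-text password, only its hash plus the enrolled TOTP secret.
USERS = {"alice": {"pw_hash": hash_password("correct horse battery staple"),
                   "totp_secret": base64.b32encode(b"12345678901234567890").decode()}}
AUDIT = []   # auditing: every attempt is recorded, success or failure

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)

def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    if not (isinstance(code, str) and code.isascii()):
        return False
    return any(hmac.compare_digest(totp(secret_b32, unix_time + k * 30), code)
               for k in range(-window, window + 1))

def _audit(username, ok, reason):
    AUDIT.append({"user": username, "ok": ok, "reason": reason})
    return ok, reason

def authenticate(username: str, password: str, otp_code: str, unix_time=None):
    """Return (ok, reason). Identification is the lookup; each factor is then checked in turn."""
    if unix_time is None:
        unix_time = int(time.time())
    user = USERS.get(username)                     # identification: the claimed identity
    # Always compute the hash so response time does not reveal whether the username exists.
    candidate = hash_password(password)
    stored = user["pw_hash"] if user else bytes(len(candidate))
    if user is None or not hmac.compare_digest(stored, candidate):
        return _audit(username, False, "unknown user or wrong password")   # factor 1: know
    if not verify_totp(user["totp_secret"], otp_code, unix_time):
        return _audit(username, False, "one-time code rejected")           # factor 2: have
    return _audit(username, True, "two factors verified")

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(authenticate("alice", "correct horse battery staple", code, now), AUDIT[-1])
```

Two details matter in practice: the failure reason never tells the caller which factor failed in a way that distinguishes a bad username from a bad password, and the drift window means a code from the previous 30-second step is still accepted, so the window should be kept as small as the clients' clocks allow.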

Defense in Depth

  • Physical access controls are important: building access, server rooms, networks and applications.
  • Layered approach for security: different controls at different points of entry and around sensitive areas, so that bypassing one control still leaves others in the way.

Environmental Design

  • Crime Prevention Through Environmental Design (CPTED) principles (e.g., open green spaces, physical barriers, defensive planting).

Biometrics

  • Selecting a biometric control involves trade-offs between throughput (how quickly people are processed), accuracy (false acceptance and false rejection rates), and invasiveness (user acceptance). Alternative approaches can be implemented depending on need.
  • Reliability must be considered for both usability and security.

Physical Security Controls

  • Mechanisms for controlling physical access: security guards, fences, motion detectors, card readers, alarms.
  • Different physical controls suit different access points, e.g., doors, windows, gates, turnstiles, and mantraps (a vestibule with two interlocking doors that admits one person at a time).
  • Badge systems, physical access cards, and other technologies control human traffic; bars and turnstiles are further examples.

Alarm Systems

  • Passive infrared, magnetic switches, auditory sensors, monitoring/alerts.
  • Alerts, often combined with other technologies (such as cameras or guards).

Logging

  • Decide what to log, how long it is kept (retention schedule), and how the logs themselves are secured against tampering and unauthorized access.

Monitoring/Examples

  • Cameras, sensors (infrared, microwave, laser), are often centrally monitored.
  • Logs should be reviewed regularly to identify anomalies.

Security Guards

  • Deterring unauthorized personnel and identifying problems.
  • Alarm systems can alert guards or security personnel about potential problems.

Closed Circuit Television (CCTV)

  • Analog and digital systems, low light/infrared.
  • Field of vision (wide-view vs. close-up).
  • Retention and media considerations.

Other Examples

  • Administrative controls also count: acceptable use policies, confidentiality agreements, employment contracts, job descriptions, standards, and guidelines.

Policies and Procedures

  • Policies require C-level sign-off.
  • Policies state the 'what' and the 'why'; procedures state the 'how'.
  • Procedures are typically created at the business unit level as step-by-step instructions.

Key Concepts

  • Critical security concepts for physical and logical access
  • Controlling physical access, interdependence of controls, high security areas/data centers, security zones.
  • Security zones are for the assets, and the physical security aspects surrounding them (perimeter fencing, etc).

Access Control Models

  • Discretionary Access Control (DAC): the owner of the asset decides who may access it, typically via an access control list.
  • Mandatory Access Control (MAC): access is decided centrally by the system from security labels on objects and clearances of subjects; owners cannot override it.
  • Role-Based Access Control (RBAC): permissions are attached to roles, and users receive the permissions of the roles they hold.
  • ACLs: lists attached to an object that specify which subjects are allowed or denied which actions.
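The subject/object/rule model from the Controls Overview, least privilege and need to know, and the four access control models above all come together in a reference monitor that evaluates one request. The block below is an added example for this chapter, not code from the study notes; the classification ladder, roles, users, compartments and file are constructed, and the rule ordering (MAC, then need to know, then RBAC, then the owner's ACL, default deny) is one reasonable design, not the only one.

```python
"""Toy reference monitor that evaluates subjects, objects and rules under
DAC, MAC, RBAC and ACLs, and writes an audit trail of every decision.
Added example for this chapter; every name, label and file below is constructed."""
from dataclasses import dataclass, field

# MAC: ordered classification ladder used for both object labels and subject clearances.
LEVELS = {"public": 0, "restricted": 1, "secret": 2, "top secret": 3}

# RBAC: permissions attached to roles, kept minimal (least privilege).
ROLE_PERMS = {"analyst": {"read"}, "editor": {"read", "write"},
              "admin": {"read", "write", "delete"}}

@dataclass
class Subject:               # active entity requesting access
    name: str
    clearance: str
    roles: set
    need_to_know: set        # compartments/projects this subject is read into

@dataclass
class Obj:                   # passive entity acted upon by subjects
    name: str
    owner: str
    label: str
    compartment: str
    acl: dict = field(default_factory=dict)   # DAC: {subject name: {actions}}, set by the owner

AUDIT = []   # auditing: one record per access decision

def _record(subject, obj, action, allowed, reason):
    AUDIT.append({"subject": subject.name, "object": obj.name, "action": action,
                  "allowed": allowed, "reason": reason})
    return allowed, reason

def decide(subject, obj, action):
    """Apply the rules in order; the first rule that fails denies (default deny)."""
    # MAC: no read up. Centrally enforced, so an owner's ACL grant cannot override it.
    if LEVELS[subject.clearance] < LEVELS[obj.label]:
        return _record(subject, obj, action, False, "MAC: clearance below object label")
    # Need to know: clearance is necessary but not sufficient.
    if obj.compartment not in subject.need_to_know:
        return _record(subject, obj, action, False, "need-to-know: not read into compartment")
    # RBAC: permissions are the union of the subject's roles.
    role_perms = set().union(*(ROLE_PERMS.get(r, set()) for r in subject.roles))
    if action not in role_perms:
        return _record(subject, obj, action, False, "RBAC: no role grants this action")
    # DAC: the owner always holds full rights; everyone else needs an ACL entry.
    acl_perms = {"read", "write", "delete"} if subject.name == obj.owner else obj.acl.get(subject.name, set())
    if action not in acl_perms:
        return _record(subject, obj, action, False, "DAC: ACL does not grant this action")
    return _record(subject, obj, action, True, "allowed: MAC, need-to-know, RBAC and ACL all pass")

def build_demo():
    subjects = {
        "alice": Subject("alice", "secret", {"editor"}, {"project-x"}),      # owner of the file
        "bob":   Subject("bob", "restricted", {"analyst"}, {"project-x"}),   # cleared too low
        "carol": Subject("carol", "top secret", {"admin"}, {"project-y"}),   # cleared, wrong compartment
        "dave":  Subject("dave", "secret", {"analyst"}, {"project-x"}),      # read-only role
        "erin":  Subject("erin", "secret", {"editor"}, {"project-x"}),       # no ACL entry
    }
    plan = Obj("plan.docx", owner="alice", label="secret", compartment="project-x",
               acl={"bob": {"read"}, "carol": {"read", "write", "delete"}, "dave": {"read"}})
    return subjects, plan

def run_demo():
    """Exercise each model once; returns {case: (allowed, reason)}."""
    s, plan = build_demo()
    return {
        "alice write":  decide(s["alice"], plan, "write"),   # owner + editor: allowed
        "alice delete": decide(s["alice"], plan, "delete"),  # owner, but editor role lacks delete
        "bob read":     decide(s["bob"], plan, "read"),      # ACL grants read, MAC still denies
        "carol read":   decide(s["carol"], plan, "read"),    # cleared + ACL, but no need-to-know
        "dave read":    decide(s["dave"], plan, "read"),     # allowed
        "dave write":   decide(s["dave"], plan, "write"),    # RBAC: analyst cannot write
        "erin read":    decide(s["erin"], plan, "read"),     # RBAC ok, DAC: not on the ACL
    }

if __name__ == "__main__":
    for case, (ok, why) in run_demo().items():
        print(f"{case:13} {'ALLOW' if ok else 'DENY':5} {why}")
```

The two cases worth noticing are bob and carol: the owner has put both on the ACL, yet the request is still refused, because the discretionary grant cannot override the mandatory label check or the need-to-know check. The audit list records the denials as well as the grants, which is what a later access review needs.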

Logical Controls

  • Hardware, software, and cloud controls, and security models.
  • Passwords, biometrics, badge/token readers for logical access control.

Chapter Review

  • Risk drives controls—understand controls and their function.
  • Defense-in-depth approach layering controls.
  • User life cycle and privileged accounts are essential security considerations.
