Security Controls PDF
This presentation covers fundamental concepts of data security, focusing on security controls, access control and authentication. It walks through identity, identification, authentication (the three factors and strong authentication), authorization, accountability and password management; compares the three access control models (DAC, MAC, RBAC); and classifies security controls both by type (administrative, technical, physical) and by function (deterrent, preventative, detective, corrective, recovery). It closes with recommended access control practices and nine commonly used security design principles such as least privilege and defense in depth.
Security Controls
Fundamental Concepts of Data Security

COMMONWEALTH OF AUSTRALIA
Copyright Regulation 1969
WARNING
This material has been copied and communicated to you by or on behalf of Curtin University of Technology pursuant to Part VB of the Copyright Act 1968 (the Act). The material in this communication may be subject to copyright under the Act. Any further copying or communication of this material by you may be the subject of copyright protection under the Act. Do not remove this notice.

Access Control Concepts
Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect systems and resources from unauthorized access, and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. Access control is extremely important because it is one of the first lines of defense against unauthorized access to systems and network resources.
Access Control Concepts
Identity
Identification
Authentication
Authorization
Accountability
Password management

Identity
A set of attributes related to an entity, used by computer systems.
Represents a person, an organisation, an application, or a device.
Identification component requirements:
Uniqueness
A standard naming scheme
Non-descriptive (the identifier should not reveal the account's role or privileges)
Not to be shared between users

Identification
The first step in applying access controls.
The assurance that the entity requesting access is accurately associated with the role defined within the system.
Binds a user to the appropriate controls based on the identity.
Common methods: user ID, MAC address, IP address, Personal Identification Number (PIN), identification badge, email address.
Note that a MAC or IP address identifies a device or a network location rather than a person, and both are easily spoofed, so they should not be the sole basis for an access decision.

Authentication
The second step in applying access controls.
The process of verifying the identity of a user, using information that is secret to the user only.
Three authentication factors:
Something a person knows (knowledge)
Something a person has (ownership)
Something a person is (characteristic)
Strong authentication: a combination of at least two different factors (two passwords are still one factor).

Authorization
The final step in applying access controls.
Defines what resources a user needs and the type of access to those resources.
Three access control models that assist authorization:
DAC: Discretionary access control (identity)
MAC: Mandatory access control (policy)
RBAC: Role-based access control (role)

Access Control Models – Discretionary AC
Based on identity.
A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. DAC systems grant or deny access based on the identity of the subject. The identity can be a user identity or a group membership. So, for example, a data owner can choose to allow Bob (user identity) and the Accounting group (group membership identity) to access his file.
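The authentication factors above, as an added example that is not part of the lecture slides: a login that combines a knowledge factor (a password, stored only as a salted PBKDF2 hash) with an ownership factor (a time-based one-time code from an authenticator device, computed per RFC 6238 on top of RFC 4226 HOTP). Both factors must verify for the login to succeed, which is what makes it strong authentication. The user names, the password and the PBKDF2 round count are constructed for the demo; the TOTP secret is the RFC 4226/6238 test-vector secret so the codes can be checked against the published vectors.

```python
"""Two-factor login: password (something you know) + TOTP code (something you have).
Added example, not from the lecture slides. Names, password and round count are assumptions."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware so a check takes tens of ms
TOTP_STEP = 30           # RFC 6238 default time step, seconds
TOTP_DIGITS = 6


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes      # PBKDF2-HMAC-SHA256 of the password; the password itself is never stored
    totp_secret: bytes  # shared secret provisioned to the user's authenticator device


def register(username: str, password: str, totp_secret: bytes) -> UserRecord:
    salt = os.urandom(16)  # per-user random salt defeats precomputed hash tables
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return UserRecord(username, salt, pw_hash, totp_secret)


def verify_password(rec: UserRecord, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec.pw_hash)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(rec: UserRecord, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = int(at_time) // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(rec.totp_secret, counter + d).encode(), code.encode())
        for d in range(-window, window + 1)
        if counter + d >= 0  # a negative counter cannot be packed as an unsigned integer
    )


def authenticate(rec: UserRecord, password: str, code: str, at_time: float = None) -> bool:
    """Strong authentication: both factors must verify. Both checks always run, so a wrong
    password does not return measurably faster than a wrong code."""
    at_time = time.time() if at_time is None else at_time
    pw_ok = verify_password(rec, password)
    otp_ok = verify_totp(rec, code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector secret (constructed demo input)
    alice = register("alice", "correct horse battery staple", secret)
    now = time.time()
    print(authenticate(alice, "correct horse battery staple", totp(secret, now), now))  # True
    print(authenticate(alice, "correct horse battery staple", "000000", now))           # False
    print(authenticate(alice, "wrong password", totp(secret, now), now))                # False
```

In production the TOTP secret would be provisioned to the authenticator as a base32 QR code and the user record kept in a database; the verification logic is unchanged.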
Access Control Models – Mandatory AC
Based on policy.
In a MAC model (here "MAC" means mandatory access control, not a MAC address), users do not have the discretion of determining who can access objects, as they do in a DAC model. An operating system that is based upon a MAC model greatly reduces the rights, permissions, and functionality a user has, for security purposes. In most systems based upon the MAC model, a user cannot install software, change file permissions, add new users, etc. The system can be used by the user only for very focused and specific purposes. These systems are usually very specialized and are in place to protect highly classified data.
The MAC model is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data are stored in security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, the decision is based on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the organization's security policy, configured by the security administrator, enforced by the operating system, and supported by security technologies.

Access Control Models – Role-Based AC
Based on roles.
A role-based access control (RBAC) model uses a centrally administered set of controls to determine how subjects and objects interact. The access control levels can be based upon the operations and tasks a user needs to carry out to fulfil their responsibilities within an organization. This type of model lets access to resources be based on the role the user holds within the company. In an RBAC model, a role is defined in terms of the operations and tasks the role will carry out, whereas a DAC model outlines which subjects can access which objects based upon the individual user identity.
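The three models, side by side, as an added example that is not part of the lecture slides. The DAC part keeps an owner-managed ACL keyed by user or group identity and lets only the owner change it; the MAC part decides on labels that the subject and object cannot alter, using the Bell-LaPadula style "no read up / no write down" rules as the policy (a common MAC policy; the slides say only that the decision depends on clearance, classification and policy); the RBAC part attaches permissions to roles and maps users to roles, and shows that replacing a user in a role touches no object's ACL. All users, groups, objects and permission names are constructed for the demo.

```python
"""DAC, MAC and RBAC decision logic side by side.
Added example, not from the lecture slides; all names and permissions are constructed."""
from dataclasses import dataclass, field

# ---------- DAC: the object's owner decides who may access it ----------
@dataclass
class DacObject:
    owner: str
    # ACL entries keyed by principal: "user:<name>" or "group:<name>" -> set of permissions
    acl: dict = field(default_factory=dict)

GROUPS = {"accounting": {"alice", "carol"}}  # constructed group membership


def dac_allows(obj: DacObject, user: str, perm: str, groups=GROUPS) -> bool:
    """Grant if the subject is the owner, has a user entry, or belongs to a listed group."""
    if user == obj.owner:
        return True
    if perm in obj.acl.get(f"user:{user}", set()):
        return True
    return any(perm in obj.acl.get(f"group:{g}", set())
               for g, members in groups.items() if user in members)


def dac_grant(obj: DacObject, actor: str, principal: str, perm: str) -> None:
    """Only the owner may edit the ACL: that discretion is what defines DAC."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} does not own this object")
    obj.acl.setdefault(principal, set()).add(perm)


# ---------- MAC: labels bound to subjects and objects, policy set by the administrator ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(clearance: str, classification: str, action: str) -> bool:
    """Bell-LaPadula style confidentiality rules (an assumed policy): reading requires the
    clearance to dominate the classification (no read up); writing requires the
    classification to dominate the clearance (no write down)."""
    subject, obj = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subject >= obj
    if action == "write":
        return obj >= subject
    raise ValueError(f"unknown action {action!r}")


# ---------- RBAC: permissions on roles, users mapped to roles ----------
class Rbac:
    def __init__(self):
        self.role_perms = {}  # role -> set of permissions
        self.user_roles = {}  # user -> set of roles

    def define_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_user(self, user: str) -> None:
        self.user_roles.pop(user, None)  # no object ACL is touched

    def allows(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def rbac_turnover_demo() -> tuple:
    """One user leaves a role and another takes it over; only the user-to-role map changes.
    Returns (old user before, old user after, new user after)."""
    rbac = Rbac()
    rbac.define_role("contractor", {"read:timesheets", "write:timesheets"})
    rbac.assign("john", "contractor")
    before = rbac.allows("john", "write:timesheets")
    rbac.revoke_user("john")
    rbac.assign("chrissy", "contractor")
    return before, rbac.allows("john", "write:timesheets"), rbac.allows("chrissy", "write:timesheets")


if __name__ == "__main__":
    report = DacObject(owner="bob")
    dac_grant(report, "bob", "group:accounting", "read")
    print(dac_allows(report, "alice", "read"))          # True: alice is in accounting
    print(dac_allows(report, "alice", "write"))         # False: read only
    print(mac_allows("secret", "top secret", "read"))   # False: no read up
    print(mac_allows("secret", "confidential", "read")) # True: clearance dominates
    print(rbac_turnover_demo())                         # (True, False, True)
```

The contrast worth noticing is who can change the decision inputs: in DAC the owner edits the ACL, in MAC nobody but the administrator changes labels or policy, and in RBAC the administrator changes the user-to-role map while the role's permissions stay put.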
In a Windows or UNIX/Linux environment, role-based access is typically implemented with groups: the group is given the file permissions, and each individual is then made a member of that group. An RBAC model is the best system for a company that has high employee turnover. For example, if John, who is mapped to the contractor role, leaves the company, then Chrissy, his replacement, can easily be mapped to this role. That way, the administrator does not need to continually change the ACLs on the individual objects. He only needs to create a role (contractor), assign permissions to this role, and map the new user to this role.

Accountability
Ensuring that users are accountable for their actions.
Verifying that security policies are enforced.
Used for the investigation of security incidents.
Tracked by recording the activities of users, systems, and applications: audit trails, log files, audit tools.
How to manage them: what to record, and how to keep the records safe (logs must be protected from the very users whose actions they record, so they should not be writable by those users).

Password Management
Password security approach:
Password generation: system-generated vs user-chosen
Password strength: length, complexity, dynamic…
Password aging and rotation
Limit log-on attempts
Password management approach:
Password synchronisation
Self-service password reset
Assisted password reset

Security Controls
Safeguards to prevent, detect, correct or minimise security risks: a set of actions for data security. The following controls should be utilized to achieve management's security directives.
Controls: each of the controls can be further classified by function.
Deterrent: controls that discourage attacks in the first place, e.g. warning banners and logon messages.
Preventative: controls that make it hard for attacks to succeed, e.g. firewalls, encryption.
Detective: controls that detect whether an attack has occurred, e.g. checksums, intrusion detection systems, rotation of duties, security audits.
Corrective: controls that reverse the damage, e.g. version control, incident handling procedures, fire extinguishers, undo, recycle bin.
Recovery: controls that bring the system back after a major disaster, e.g. disaster recovery plan, hot/warm/cold sites, backup power.

Administrative Controls
These include developing and publishing policies, standards, procedures and guidelines; risk management; the screening of personnel; conducting security-awareness training; and implementing change control procedures. Administrative controls are the process of developing, and ensuring compliance with, policy and procedures. They tend to be things that employees may do, must always do, or cannot do.

Technical Controls
Another class of controls, carried out or managed by computer systems; also called logical controls. These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and configuration of the infrastructure.
Technical controls by function:
Detective: security logs, NIDS, HIDS, file integrity auditing
Preventative: encryption, network authentication, access control lists (ACLs), IPS
Corrective/Recovery: software patching, restore from backups

Physical Controls
Controlling individual access into the facility and into different departments.
Locking systems and removing unnecessary drives/peripheral devices.
Protecting the perimeter of the facility.
Monitoring for intrusion.
Environmental controls.
Physical security breaches can result in more issues than a worm attack:
Easily concealable USB drives
The ability to synchronize files across all devices
Countermeasures will vary

Physical Controls (technologies)
Automated barriers & bollards
Building management systems (heating, HVAC, lift/elevator control, etc.)
CCTV (closed-circuit TV)
Electronic article surveillance (EAS)
Fire detection
GIS mapping systems
Intercom & IP phone
Lighting control system
Perimeter intrusion detection system
Radar-based detection & perimeter surveillance radar
Security alarm
Video wall
Power monitoring system
Laptop locks

Access Control Practices
Deny access to systems to undefined users or anonymous accounts.
Limit and monitor the usage of administrator and other powerful accounts.
Suspend or delay access capability after a specific number of unsuccessful logon attempts.
Remove obsolete user accounts as soon as the user leaves the company.
Suspend inactive accounts after 30 to 60 days.
Enforce strict access criteria.
Enforce the need-to-know and least-privilege practices.
Disable unneeded system features, services, and ports.

End of Week 5. Start of Week 9.

Access Control Practices (continued)
Replace default password settings on accounts.
Limit and monitor global access rules.
Remove redundant resource rules from accounts and group memberships.
Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
Enforce password rotation.
Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
Audit system and user events and actions, and review reports periodically.
Protect audit logs.

Top 4 Controls
Application whitelisting
Patch applications
Patch operating systems
Restrict administrative privileges

Commonly Used Security Methods
To address the key requirements of the AIC triad (availability, integrity, confidentiality), one can employ a number of commonly used security methods:
Least privilege
Defense in depth
Minimization
Keep things simple
Compartmentalization
Use choke points
Fail securely/safely
Leverage unpredictability
Separation of duties

1. Principle of Least Privilege
Do not provide more privileges than are required; this applies to both users and applications. The principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task.

2. Defense in Depth
A series of defensive mechanisms are layered in order to protect valuable data and information; if one mechanism fails, the others step up immediately to thwart an attack. Defense in depth is a comprehensive approach that employs a combination of security tools to protect an organization's endpoints, data, applications, and networks. The security system should have multiple layers, and the defensive layers should be of different types (a second copy of the same control fails in the same way as the first). The security setup should use a mixture of measures that enable both prevention and monitoring.

3. Minimization
The system should not run any applications that are not strictly required to complete its assigned task.

4. Keep things simple
A security system should be kept simple: complexity introduced into a system makes it harder to reason about and verify, and so tends to make the overall system less secure.

5. Compartmentalization
To prevent the compromise of one part from becoming the compromise of the entire system, use a compartmentalised approach to system design and implementation.

6. Use choke points
Traffic is easier to analyse and control when it is forced through a small number of choke points.

7. Fail securely/safely
Analyse the failure modes and ensure that, in case of a system failure, the loss or damage is minimised (for example, an access check that cannot complete should deny, not allow).

8. Leverage unpredictability
Do not provide any information about the system's security setup: users and clients can know that a system is in place, but they do not need any specific details.

9. Separation of duties
The security system should not rely on a single staff member for multiple security-related duties: separate the duties and employ a rotation mechanism for security duties.

Mid Term Test 1
Content: Weeks 1 to 5
Date: 13 February 2024
Duration: 1 hour 5 mins
Time: lecture time
Open book exam; MCQ and written questions.