Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
Certified Cybersecurity Technician Exam 212-82
Module 04: Identification, Authentication, and Authorization
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Flow
- Discuss Access Control Principles, Terminologies, and Models
- Discuss Identity and Access Management (IAM)

Discuss Access Control Principles, Terminologies, and Models

The objective of this section is to explain the concept of access control by introducing the principles of access control, the terminologies used, and the different models that describe how access control helps in controlling the access of users to specific resources in a network.

Access Control

- Access control is the selective restriction of access to an asset or a system/network resource
- It protects the information assets by determining who can access what
- Access control mechanism uses user identification, authentication, and authorization to restrict or grant access to a specific asset/resource

Access control is a method of limiting users' access to an organization's resources. A crucial aspect of implementing access control is to maintain the integrity, confidentiality, and availability of the information. An access control function uses identification, authentication, and authorization mechanisms to identify, authenticate, and authorize the user requesting access to a specific resource.
The access permissions determine the approvals or permissions provided to a user for accessing a system and other resources. The general steps involved in the access control mechanism are as follows:

- Step 1: A user provides their credentials/identification while logging into the system.
- Step 2: The system validates the user with the database on the basis of the provided credentials/identification such as a password, fingerprint, etc.
- Step 3: Once the identification is successful, the system provides the user access to use the system.
- Step 4: The system then allows the user to perform only those operations or access only those resources for which the user has been authorized.

[Figure 4.1: Access Control Mechanism (diagram labels: User, Authentication Function, Access Control Function, Authorization Database, Administrator, System Resources)]

Access Control Terminologies

- Subject: This refers to a particular user or process that wants to access a resource
- Object: This refers to a specific resource that the user wants to access such as a file or a hardware device
- Reference Monitor: It checks the access control rule for specific restrictions
- Operation: It represents an action taken by a subject on an object
Access Control Terminologies

The following terminologies are used to define the access control on specific resources:

- Subject
  A subject can be defined as a user or a process that attempts to access the objects. The subjects are those entities that perform certain actions on the system.
- Object
  An object is an explicit resource on which an access restriction is imposed. The access controls implemented on the objects further control the actions performed by the user. Examples of an object are a file or a hardware device.
- Reference Monitor
  A reference monitor monitors the restrictions imposed on the basis of certain access control rules. It implements a set of rules on the ability of the subject to perform certain actions on the object.
- Operation
  An operation is an action performed by a subject on an object. A user trying to delete a file is an example of an operation. Here, the user is the subject, the action of deleting refers to the operation, and the file is the object.

[Figure 4.2: Access Control Terminologies (diagram labels: Request, Authentication, Reference Monitor, Authorization)]
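The four steps of the access control mechanism and the subject, object, operation, and reference monitor terms can be seen working together in the following added Python illustration, which is not part of the original courseware. The class and function names, the sample user, password, and file name are all constructed for the example.

```python
import hashlib
import hmac
import os


def _digest(secret: str, salt: bytes) -> bytes:
    # Salted, slow password hash so the database never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ReferenceMonitor:
    """Mediates every (subject, operation, object) request; the default is deny."""

    def __init__(self):
        self._credentials = {}       # subject -> (salt, password digest)
        self._authz_db = set()       # authorization database: permitted triples
        self._authenticated = set()  # subjects that passed authentication
        self.audit_log = []          # every decision is recorded

    def enroll(self, subject, password):
        salt = os.urandom(16)
        self._credentials[subject] = (salt, _digest(password, salt))

    def authorize(self, subject, operation, obj):
        # Administrator action: record one permitted operation on one object.
        self._authz_db.add((subject, operation, obj))

    def login(self, subject, password):
        # Steps 1-3: credentials are presented and validated against the database.
        salt, stored = self._credentials.get(subject, (b"\x00" * 16, b""))
        ok = hmac.compare_digest(_digest(password, salt), stored)
        if ok:
            self._authenticated.add(subject)
        return ok

    def request(self, subject, operation, obj):
        # Step 4: only authenticated subjects, and only authorized operations.
        allowed = (subject in self._authenticated
                   and (subject, operation, obj) in self._authz_db)
        self.audit_log.append((subject, operation, obj, "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo():
    # Constructed sample data: one subject, one object, one permitted operation.
    rm = ReferenceMonitor()
    rm.enroll("alice", "correct horse battery")
    rm.authorize("alice", "read", "report.txt")
    return rm


if __name__ == "__main__":
    rm = build_demo()
    rm.login("alice", "correct horse battery")
    print(rm.request("alice", "read", "report.txt"))    # authorized operation
    print(rm.request("alice", "delete", "report.txt"))  # operation not in the database
```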
Access Control Principles

- Separation of Duties (SoD)
  o Involves a breakdown of the authorization process into various steps
  o Different privileges are assigned at each step to the individual subjects requesting a resource
  o This ensures that no single individual has the authorization rights to perform all functions and simultaneously denies access of all the objects to a single individual
- Need-to-know
  o Under the need-to-know access control principle, access is provided only to the information that is required for performing a specific task
- Principle of Least Privilege (POLP)
  o Principle of least privilege extends the need-to-know principle in providing access to a system
  o POLP believes in providing employees a need-to-know access, i.e., not more, not less
  o It helps an organization by protecting it from malicious behavior, achieving better system stability, and system security

The principles of access control describe the access permission levels of users in detail. By enabling the access control process, the security of the processes and resources can be ensured. The process of access control should be based on the following principles:

- Separation of Duties (SoD)
  This involves a breakdown of the authorization process into various steps. Different privileges are assigned at each step to the individual subjects requesting a resource. This ensures that no single individual has the authorization rights to perform all functions and simultaneously denies access of all the objects to a single individual. This division ensures that a single person is not responsible for a larger process. For example, granting web server administrator rights to only configure a web server without granting administrative rights to other servers.
- Need-to-know
  Under the need-to-know access control principle, access is provided only to the information that is required for performing a specific task.
- Principle of Least Privilege (POLP)
  The principle of least privilege (POLP) extends the need-to-know principle in providing access to a system. In other words, POLP is based on providing employees exactly the need-to-know level of access, i.e., not more and not less. It helps an organization by protecting it from malicious behavior as well as improving system stability and system security.

Least privilege provides access permissions to only those users who really need the access and resources. The permissions granted depend on the roles and responsibilities of the user requesting the access. There are two underlying principles involved in the least privilege method: low rights and low risks. On the basis of these principles, a user needs to complete a task using the limited number of resources in a limited amount of time provided to them. This approach reduces the probability of unauthorized access to the system resources.
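The three principles above can be checked mechanically against an organization's privilege assignments. The following Python audit is an added example, not part of the original courseware; the process steps, privilege names, users, and time window are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample policy: the steps of one process, and what one task needs.
PROCESS_STEPS = {
    "vendor_payment": {"request_payment", "approve_payment", "release_payment"},
}
TASK_NEEDS = {"web_server_admin": {"configure_web_server"}}


def sod_violations(grants):
    """Separation of duties: find users who alone can perform every step."""
    return sorted(
        (user, process)
        for user, privileges in grants.items()
        for process, steps in PROCESS_STEPS.items()
        if steps <= privileges
    )


def least_privilege_gap(task, privileges):
    """Compare granted privileges with the task's need: not more, not less."""
    needed = TASK_NEEDS[task]
    return {"excess": sorted(privileges - needed),
            "missing": sorted(needed - privileges)}


def active_privileges(timed_grants, now):
    """Keep only grants whose limited time window is still open."""
    return {privilege for privilege, (start, ttl) in timed_grants.items()
            if start <= now < start + ttl}


# Constructed sample assignments.
GRANTS = {
    "alice": {"request_payment"},
    "bob": {"approve_payment", "release_payment"},
    "carol": {"request_payment", "approve_payment", "release_payment"},
    "dave": {"configure_web_server", "administer_db_server"},
}

if __name__ == "__main__":
    print(sod_violations(GRANTS))
    print(least_privilege_gap("web_server_admin", GRANTS["dave"]))
    t0 = datetime(2024, 1, 1, 9, 0)
    timed = {"configure_web_server": (t0, timedelta(hours=2))}
    print(active_privileges(timed, t0 + timedelta(hours=3)))
```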
Access Control Models

- Access control models are the standards which provide a predefined framework for implementing the necessary level of access control
- Mandatory Access Control (MAC)
  o Only the administrator/system owner has the rights to assign privileges
  o It does not permit the end user to decide who can access the information
- Discretionary Access Control (DAC)
  o End user has complete access to the information they own
- Role-based Access Control (RBAC)
  o Permissions are assigned based on user roles
- Rule-based Access Control (RB-RBAC)
  o Permissions are assigned to a user role dynamically based on a set of rules defined by the administrator

Access control models are the standards which provide a predefined framework for implementing the necessary level of access control. Access control models specify how a subject can access an object.

- Mandatory Access Control
  The mandatory access control (MAC) determines the usage and access policies for the users. A user can access a resource only if they have the access rights to that resource. MAC is applied in the case of data that has been marked as highly confidential. The administrators impose MAC depending on the operating system and the security kernel. It does not permit the end user to decide who can access the information.
  The following are the advantages and disadvantages of MAC:
  o It provides a high level of security since the network defenders determine the access controls.
  o The MAC policies minimize the chances of errors.
  o Depending on the MAC, an operating system marks and labels the incoming data, thereby creating an external application control policy.
  Examples of MAC include Security-Enhanced Linux (SELinux) and Trusted Solaris.
- Discretionary Access Control
  In discretionary access control (DAC), the possessor of an object decides what access a subject has to that object. DAC is alternatively named as a need-to-know access model. The decision taken by the owner depends on the following measures:
  o File and data ownership: Determines the access policies of the user
  o Access rights and permissions: Involves the possessor setting the access privileges to other subjects
  An owner can provide or deny access to any particular user or a group of users. The attributes of a DAC include the following:
  o The owner of an object can transfer the ownership to another user.
  o The access control prevents multiple unauthorized attempts to access an object.
  o The DAC prevents unauthorized users from viewing details like the file size, filename, directory path, etc.
  o The DAC uses access control lists in order to identify and authorize users.
  Disadvantage: A DAC requires maintenance of the access control list and access permissions for the users.
  Examples of DAC include UNIX, Linux, and Windows access control.
- Role-Based Access Control
  In a role-based access control (RBAC), the access permissions are available based on the access policies determined by the system. The access permissions are beyond the user's control, which implies that users cannot amend the access policies created by the system. The rules for determining the role-based access controls are as follows:
  o Role assignment: A certain role is required to be assigned to a user which enables them to perform a transaction.
  o Role authorization: A user needs to perform a role authorization in order to achieve a particular role.
  o Transaction authorization: Transaction authorization allows the users to execute only those transactions for which they have been authorized.
- Rule-based Access Control (RB-RBAC)
  Permissions are assigned to a user role dynamically based on a set of rules defined by the administrator.

Logical Implementation of DAC, MAC, and RBAC

- Logical implementation of access control is performed using access control lists (ACLs), group policies, passwords, and account restrictions
- DAC Implementation: Windows File Permissions
- MAC Implementation: The User Account Control (UAC) tool of Windows OS
- RBAC Implementation: Just Enough Administration (JEA)
- RBAC Implementation: Windows Admin Center (WAC)

In the Windows operating system (OS), the User Account Control (UAC) feature implements the MAC security model.
It allows application software to be installed only with administrator authorization. In other words, users without administrative privileges are restricted from installing any application on the system.

[Figure 4.3: MAC Implementation: The User Account Control tool of Windows OS (screenshot of a User Account Control prompt)]

Logical Implementation of DAC: Windows File Permissions

In the Windows OS, DAC is implemented for assigning file permissions to specific groups/users. Permissions to access files and folders on a system, to access files that exist on an old account of a user, or to edit system files are all controlled using DAC.

[Figure 4.4: DAC Implementation: Windows File Permissions (screenshot of the Security tab of the Properties dialog for C:\Demo)]

Logical Implementation of RBAC: Just Enough Administration (JEA)

The Just Enough Administration (JEA) management framework in the Windows OS implements RBAC to restrict the rights of IT administrators in remote PowerShell sessions. Using JEA, fine-grained access control can be implemented for non-administrators to run specific commands, scripts, and executables.
[Screenshot: Windows PowerShell ISE session for the JEA implementation, using a session configuration named CNDUserAccess; legible cmdlets include New-PSRoleCapabilityFile, New-PSSessionConfigurationFile, Test-PSSessionConfigurationFile, Copy-Item, Register-PSSessionConfiguration, Get-PSSessionConfiguration, and Enter-PSSession]
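The difference between the DAC, MAC, RBAC, and rule-based models described in this section is easiest to see when the same users and object are evaluated under each. The following Python sketch is an added example, not part of the original courseware; the clearance levels used for the MAC check, and all users, roles, rules, and document names, are assumptions constructed for the illustration.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # assumed label ordering

class Document:
    def __init__(self, name, owner, label="public"):
        self.name, self.owner = name, owner
        self.label = label   # MAC label, set by the administrator, not the owner
        self.acl = {}        # DAC access control list: user -> set of operations

def dac_grant(doc, actor, user, operation):
    """DAC: only the owner may extend the object's access control list."""
    if actor != doc.owner:
        return False
    doc.acl.setdefault(user, set()).add(operation)
    return True

def dac_check(doc, user, operation):
    return user == doc.owner or operation in doc.acl.get(user, set())

def mac_check(doc, user, clearances):
    """MAC: the administrator-assigned clearance must cover the object's label."""
    return LEVELS[clearances.get(user, "public")] >= LEVELS[doc.label]

def rbac_check(user, permission, user_roles, role_permissions):
    """RBAC: permissions attach to roles; users only hold roles."""
    return any(permission in role_permissions.get(role, set())
               for role in user_roles.get(user, set()))

def rule_based_roles(context, rules):
    """Rule-based: roles are assigned dynamically by administrator-defined rules."""
    return {role for predicate, role in rules if predicate(context)}

# Constructed sample data.
CLEARANCES = {"alice": "secret", "bob": "public"}
ROLE_PERMISSIONS = {"auditor": {"ledger:read"},
                    "clerk": {"ledger:read", "ledger:write"}}
RULES = [
    (lambda c: c["dept"] == "finance" and 9 <= c["hour"] < 17, "clerk"),
    (lambda c: c["dept"] == "audit", "auditor"),
]

if __name__ == "__main__":
    doc = Document("q3-forecast", owner="alice", label="secret")
    dac_grant(doc, "alice", "bob", "read")       # owner shares at her discretion
    print(dac_check(doc, "bob", "read"))         # DAC decision for bob
    print(mac_check(doc, "bob", CLEARANCES))     # MAC decision for bob
    roles = rule_based_roles({"dept": "finance", "hour": 20}, RULES)
    print(rbac_check("bob", "ledger:write", {"bob": roles}, ROLE_PERMISSIONS))
```

Under DAC the owner's grant is sufficient, whereas the MAC check ignores the owner's wishes and the rule-based check changes with the request context.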