Firewall Unit 11
Standard naming conventions
"Rules" that have been established for creating account names Options typically include: • First initial of first name followed by last name, • First name with a punctuation mark followed by last name • Last name followed by department code In the event two names appear to be the same • A standard policy should be established for resolving conflicts
Employee Onboarding in a Microsoft Windows environment
• Provision the new computer
• Create email mailboxes and AD users
• Add user accounts to groups
• Create home folder
• Review security settings
directory service
A database stored on the network itself that contains information about users and network devices.
Authentication Framework Protocols
A framework for transporting authentication protocols is known as the Extensible Authentication Protocol (EAP). EAP was created as a more secure alternative to:
• Challenge-Handshake Authentication Protocol (CHAP)
• The Microsoft version of CHAP (MS-CHAP)
• Password Authentication Protocol (PAP)
EAP:
• Defines the format of the messages
• Uses four types of packets: request, response, success, and failure
Clean Desk Policy
A policy designed to ensure that all confidential or sensitive materials are removed from a user's workspace and secured when the items are not in use or an employee leaves her workspace.
Lightweight Directory Access Protocol (LDAP)
A protocol for a client application to access an X.500 directory
Accounting
A record that is preserved of who accessed the network, what resources they accessed, and when they disconnected
Access management ACL
A set of permissions attached to an object Specifies which subjects may access the object and what operations they can perform
Object
A specific resource Example: file or hardware device
Authentication, Authorization, and Accounting (AAA)
A system for tracking user activities on an IP-based network and controlling their access to network resources.
Subject
A user or process functioning on behalf of a user Example: computer user
Employee offboarding
Actions to be taken when an employee leaves an enterprise. Steps include:
• Back up all employee files from local computer and server
• Archive email
• Forward email to a manager or coworker
• Hide the name from the email address book
Security Assertion Markup Language (SAML)
An Extensible Markup Language (XML) standard that allows secure web domains to exchange user authentication and authorization data.
Kerberos
An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.
RADIUS
An industry standard authentication service with widespread support across nearly all vendors of networking equipment.
Authentication
Checking the credentials Example: examining the delivery driver's badge
Physical access control
Consists of fencing, hardware door locks, and mantraps to limit contact with devices
Technical access control
Consists of technology restrictions that limit users on computers from accessing data
Custodian or steward
Description: Individual to whom day-to-day actions have been assigned by the owner. Duties: Periodically reviews security settings and maintains records of access by end users. Example: Sets and reviews security settings on SALARY.XLSX
Privacy officer
Description: Manager who oversees data privacy compliance and manages data risk. Duties: Ensures the enterprise complies with data privacy laws and its own privacy policies. Example: Decides that users can have permission to access SALARY.XLSX
Owner
Description: Person responsible for the information. Duties: Determines the level of security needed for the data and delegates security duties as required. Example: Determines that the file SALARY.XLSX can be read only by department managers
End user
Description: User who accesses information in the course of routine job responsibilities. Duties: Follows the organization's security guidelines and does not attempt to circumvent security. Example: Opens SALARY.XLSX
ACE structure (Windows)
Each entry in the ACL table is called an access control entry (ACE). An ACE contains:
• Security identifier (SID) for the user or group account or logon session
• Access mask that specifies the access rights controlled by the ACE
• Flag that indicates the type of ACE
• Set of flags that determine whether objects can inherit permissions
Access Control Entry
Entries in an access control list containing information describing the access rights related to a particular security identifier or user.
MAC Element Labels
Every entity is an object and is assigned a classification label that represents the relative importance of the object. Subjects are assigned a privilege label (clearance).
Role-Based Access Control (RBAC)
Explanation: Assigns permissions to particular roles in the organization, and then users are assigned to roles. Description: Considered a more "real-world" approach
Rule-Based Access Control
Explanation: Dynamically assigns roles to subjects based on a set of rules defined by a custodian. Description: Used for managing user access to one or more systems
Mandatory Access Control (MAC)
Explanation: End user cannot set controls. Description: Most restrictive model
Discretionary Access Control (DAC)
Explanation: Subject has total control over objects. Description: Least restrictive model
Attribute-Based Access Control (ABAC)
Explanation: Uses policies that can combine attributes. Description: Most flexible model
Access Control
Granting or denying approval to use specific resources
Authorization
Granting permission to take action. Example: allowing the delivery driver to pick up a package
Least Privilege
Means that only the minimum amount of privileges necessary to perform a job or function should be allocated
Account Auditing
Once accounts have been created, they should be periodically maintained and audited
Group-based access control
Permits the configuration of multiple computers by setting a single policy for enforcement
Location-Based Policies
Policies that establish geographical boundaries where a mobile device can and cannot be used.
Identification
Presenting credentials Example: delivery driver presenting employee badge
Employee Onboarding
Refers to the tasks associated with hiring a new employee. Onboarding steps:
• Scheduling
• Job duties
• Socializing
• Work space
• Training
Mandatory Vacations
Requiring that all employees take vacations. Limits fraud, because the perpetrator must be present daily to hide fraudulent actions. An audit of the employee's activities is usually scheduled during the vacation for sensitive positions.
database security
Security functions provided by access control lists (ACLs) for protecting SQL and relational database systems.
file system security
Security functions provided by access control lists (ACLs) for protecting files managed by the operating system.
MAC Bell-LaPadula (BLP) model
Similar to the lattice model. Subjects may not create a new object or perform specific functions on lower-level objects.
MAC Lattice model
Subjects and objects are assigned a "rung" on the lattice. Multiple lattices can be placed beside each other.
Job Rotation
The act of moving individuals from one job responsibility to another.
Operation
The action taken by the subject over an object. Example: deleting a file
Separation of duties
The practice of requiring that processes should be divided between two or more individuals.
User Access Control (UAC)
a Windows feature that controls user access to resources
MAC Element Levels
A hierarchy based on the labels is used. Top secret has a higher level than secret, which has a higher level than confidential.
Dormant account
an account that has not been accessed for a lengthy period
Usage auditing and review
an audit process that looks at the applications that the user is provided, how frequently they are used, and how they are being used
Time-of-day restrictions
can be used to limit when a user can log into their account
Permission auditing and review
intended to examine the permissions that a user has been given to determine if each is still necessary
Terminal Access Control Access Control System+ (TACACS+)
An authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server.
• The current version is TACACS+
Recertification
the process of periodically revalidating a user's account, access control, and membership role
Orphaned accounts
user accounts that remain active after an employee has left
MAC Microsoft Windows
Uses a MAC implementation called Mandatory Integrity Control (MIC). A security identifier (SID) is issued to the user, group, or session. Each time a user logs in, the SID is retrieved from the database for that user. The SID is used to identify the user in subsequent interactions with Windows. Windows links the SID to an integrity level.
Local Group Policy (LGP)
• Has fewer options than a Group Policy
• Used to configure settings for systems not part of AD