SECURITY+ Chp. 9 (book)
Operation
The action that is taken by the subject over the object is called an operation. For example, a user (subject) may attempt to delete (operation) a file (object).
A common misconception is that access control models are installed by custodians or users. This is not the case. Instead, these models are already embedded in the software and hardware before it is even shipped.
The custodian then uses the model that is part of the software or hardware to configure the device to provide the necessary level of security.
The International Organization for Standardization (ISO) created a standard for directory services known as X.500. The purpose of the X.500 standard was to standardize how the data was stored so that any computer system could access these directories. It provides the capability to look up information by name (a white-pages service) and to browse and search for information by category (a yellow-pages service). The information is held in a directory information base (DIB). Entries in the DIB are arranged in a tree structure called the directory information tree (DIT). Each entry is a named object and consists of a set of attributes.
The directory defines the mandatory and optional attributes for each class of object. Each named object may have one or more object classes associated with it.
Kerberos is typically used when a user attempts to access a network service and that service requires authentication. The user is provided a ticket that is issued by the Kerberos authentication server, much as a driver's license is issued by the DMV.
RADIUS, or Remote Authentication Dial In User Service, was developed in 1992 and quickly became the industry standard with widespread support across nearly all vendors of networking equipment. RADIUS is suitable for what are called "high-volume service control applications" such as dial-in access to a corporate network.
The word Remote in RADIUS' name is now almost a misnomer because RADIUS authentication is used for more than just dial-in networks. With the development of IEEE 802.1x port security for both wired and wireless LANs, RADIUS has seen even greater usage.
End user
User who accesses information in the course of routine job responsibilities. Follows the organization's security guidelines and does not attempt to circumvent security.
Authentication
Validate credentials as genuine. Mia reads badge to determine it is real. User provides password.
Verifying the person's credentials to be sure that they are genuine and the user actually is who they claim to be is the process of authentication.
All Windows versions use the DAC model and allow users with the appropriate permissions to share resources and to give access to other users.
Yet the MAC model forms the basis of Windows UAC. And although Microsoft Windows Server 2008 does not strictly use the Role Based Access Control model, it can be simulated by using the predefined built-in groups such as Power Users, Server Operators, and Backup Operators, or by creating new roles based on job functions.
As a 20-year employee, Jules' job involved contacting vendors who sold products that the department needed to purchase and then reviewing and approving those purchases for up to $3,000.
Access control is granting or denying approval to use specific resources; it is controlling access. Access control is more properly the mechanism used in an information system to allow or restrict access to data or devices.
(If the server performs only authentication, it is called an authentication server.) The most common type of authentication and AAA servers are RADIUS, Kerberos, Terminal Access Control Access Control Systems (TACACS), and generic servers built on the Lightweight Directory Access Protocol (LDAP).
The most common types of authentication and AAA servers are:
-RADIUS
-Kerberos
-Terminal Access Control Access Control Systems (TACACS)
-generic servers built on the Lightweight Directory Access Protocol (LDAP)
In RADIUS, the transport protocol is UDP. In RADIUS, authentication and authorization are combined. In RADIUS, communication is unencrypted.
RADIUS does not interact with Kerberos. RADIUS cannot authenticate network devices.
sudo stands for
super user do
In TACACS+, the transport protocol is TCP. In TACACS+, authentication and authorization are separated. In TACACS+, communication is encrypted.
TACACS+ does interact with Kerberos. TACACS+ can authenticate network devices.
When all the evidence was finally uncovered, it revealed that Jules received only $2,700 for his four years of fraud, less than 1 percent of the amount that he approved and sent as payment to the vendors.
Controlling access means that those who need to access data or resources in order to perform their job functions are authorized to do so, while others who do not need that access are restricted.
Two important foundations in information security: verifying approved users and controlling their access.
An ACE includes four items of information:
-A security identifier (SID) for the user account, group account, or logon session.
-An access mask that specifies the access rights controlled by the ACE.
-A flag that indicates the type of ACE.
-A set of flags that determine whether objects can inherit permissions.
DAP and LDAP have some primary differences:
-Unlike X.500 DAP, LDAP was designed to run over TCP/IP, making it ideal for Internet and intranet applications. X.500 DAP requires special software to access the network.
-LDAP has simpler functions, making it easier and less expensive to implement.
-LDAP encodes its protocol elements in a less complex way than X.500, which enables it to streamline requests.
-LDAP was originally developed by Netscape Communications and the University of Michigan in 1996.
There are two major implementations of MAC:
-lattice model
-Bell-LaPadula model
RADIUS standards also support the use of what are called RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages among RADIUS clients, RADIUS servers, and other RADIUS proxies.
A directory service is a database stored on the network itself that contains information about users and network devices. It contains information such as the user's name, telephone extension, e-mail address, logon name, and other facts. The directory service also keeps track of all of the resources on the network and a user's privileges to those resources, and grants or denies access based on the directory service information. Directory services make it much easier to grant privileges or permissions to network users.
Levels in Mandatory Access Control (MAC).
A hierarchy based on the labels is also used, both for objects and subjects. Top secret has a higher level than secret, which has a higher level than confidential.
A limited functional example of the MAC model can be seen in a feature found in Apple Mac OS X, UNIX, and Microsoft Windows 7/Vista.
Subject
A subject is a user or a process functioning on behalf of the user that attempts to access an object.
Account expiration indicates when an account is no longer active; password expiration sets the time when a user must create a new password in order to access his account. Account expiration can be explicit, in that the account expires on a set date, or it can be based on a specific number of days of inactivity.
A Local Group Policy (LGP) has fewer options than a Group Policy. Generally, an LGP is used to configure settings for systems that are not part of Active Directory.
Although Windows XP and previous versions of Windows using LGP cannot be used to apply policies to individual users or groups of users, Windows 7/Vista supports multiple Local Group Policy objects, which allows setting local group policy for individual users.
Although authorization and access are sometimes viewed as synonymous, in access control they are different steps.
Although custodian is the formal term today, the more generic term administrator is commonly used to describe this role.
An access control list (ACL) is a set of permissions that are attached to an object. This list specifies which subjects are allowed to access the object and what operations they can perform on it. When a subject requests to perform an operation on an object, the system checks the ACL for an approved entry in order to decide if the operation is allowed. Although ACLs can be associated with any type of object, these lists are most often viewed in relation to files maintained by the operating system.
An access control model
An access control model is a standard that provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications. Once an access control model is applied, then custodians can configure security based on the requirements set by the owner so that end users can perform their job functions.
An access mask is a 32-bit value that specifies the rights that are allowed or denied, and is also used to request access rights when an object is opened.
Object
An object is a specific resource, such as a file or a hardware device.
A computer user may be authorized or granted permission to log on to a system by presenting valid credentials, yet that authorization does not mean that the user can then access any and all resources.
Being authorized to enter does not always indicate open access; rather, an authorized user is given specific access privileges regarding what actions they can perform.
Bell-LaPadula model
The Bell-LaPadula model contains an additional restriction not found in the original lattice model. This protection prevents subjects from creating a new object or performing specific functions on objects that are at a lower level than their own. For example, a user with clearance secret should not have the ability to open a document at the secret level and then paste its contents into a newly created document at the confidential level.
With the DAC model, every object has an owner, who has total control over that object. Owners can create and access their objects freely. In addition, the owner can give permissions to other subjects over these objects.
DAC has two significant weaknesses. First, although it gives a degree of freedom to the subject, DAC poses risks in that it relies on decisions by the end user to set the proper level of security. As a result, incorrect permissions might be granted to a subject or permissions might be given to an unauthorized subject. A second weakness is that a subject's permissions will be "inherited" by any programs that the subject executes. Attackers often take advantage of this inheritance because end users in the DAC model often have a high level of privileges. Malware that is downloaded onto a user's computer would then run in the same context as the user's high privileges. Trojans are a particular problem with DAC.
A lattice is a type of screen or fencing that is used as a support for climbing garden plants.
Different "rungs" on the MAC lattice model have different security levels, and subjects are assigned a "rung" on the lattice just as objects are. Multiple lattices can even be placed beside each other to allow for different groups of labels. For example, one subject label lattice could use the clearances confidential, secret, and top secret, while a corresponding subject label lattice could use public, restricted, and top clearance. The rungs of each subject lattice would still align with the rungs on the object security lattice.
Discretionary Access Control (DAC). Subject has total control over objects. Least restrictive model.
Group Policy is usually used in enterprise environments to enforce access control by restricting user actions that may pose a security risk, such as changing access to certain folders or downloading executable files. Group Policy can control an object's script for logging on and off the system, folder redirection, Internet Explorer settings, and Windows Registry settings (the registry is a database that stores settings and options for the operating system).
Group Policy settings are stored in Group Policy Objects (GPOs). These objects may in turn be linked to multiple domains or Web sites, which allows for multiple systems and users to be updated by a change to a single GPO. Group Policies are analyzed and applied for computers when they start up and for users when they log on. Every one to two hours by default, the system looks for changes in the GPO and reapplies them as necessary. The time period to look for changes in the GPO can be adjusted.
LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory. Today, many LDAP servers are implemented using standard relational database management systems as the engine, and communicate via the Extensible Markup Language (XML) documents served over the hypertext transport protocol (HTTP).
However, a weakness of LDAP is that it can be subject to LDAP injection attacks. These attacks, similar to SQL injection attacks, can occur when user input is not properly filtered. This may allow an attacker to construct LDAP statements based on user input statements. The attacker could then retrieve information from the LDAP database or modify its content. The defense against LDAP injection attacks is to examine all user input before processing.
The X.500 standard defines a protocol for a client application to access an X.500 directory called the Directory Access Protocol (DAP). However, the DAP is too large to run on a personal computer. The Lightweight Directory Access Protocol (LDAP), sometimes called X.500 Lite, is a simpler subset of DAP.
If the information requested is not contained in the directory, DAP only returns an error to the client requesting the information, which must then issue a new search request. By contrast, LDAP servers return only results, making the distributed X.500 servers appear as a single logical directory.
Implicit deny in access control means that if a condition is not explicitly met, then the request for access is rejected. (Implicit means that something is implied or indicated but not actually expressed.) For example, a network router may have a rule-based access control restriction. If no conditions match the restrictions, the router rejects access because of an implicit deny all clause: any action that is not explicitly permitted is denied. When creating access control restrictions, it is recommended that unless the condition is specifically met, then access should be denied.
Labels in Mandatory Access Control (MAC).
In a system using MAC, every entity is an object (laptops, files, projects, and so on) and is assigned a classification label. These labels represent the relative importance of the object, such as confidential, secret, and top secret. Subjects (users, processes, and so on) are assigned a privilege label (sometimes called a clearance).
Custodian
Individual to whom day-to-day actions have been assigned by the owner. Periodically reviews security settings and maintains records of access by end users.
job rotation
Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another. Employees can rotate either within their home department or across positions in other departments. The best rotation procedure involves multiple employees rotating across many positions for different lengths of time to gain exposure to different roles and functions.
Role Based Access Control (RBAC) is sometimes called Non-Discretionary Access Control. RBAC is considered a more "real world" access control than the other models because the access under RBAC is based on a user's job function within an organization.
Instead of setting permissions for each user or group, the RBAC model assigns permissions to particular roles in the organization, and then assigns users to those roles. Objects are set to be a certain type, to which subjects with that particular role have access. Roles are different from groups. While users may belong to multiple groups, a user under RBAC can be assigned only one role. In addition, under RBAC, users cannot be given permissions beyond those available for their role.
A foundational principle of computer access control is not to give one person total control. Known as separation of duties, this practice requires that if the fraudulent application of a process could potentially result in a breach of security, then the process should be divided between two or more individuals.
principle of least privilege
Least privilege in access control means that only the minimum amount of privileges necessary to perform a job or function should be allocated. This helps reduce the attack surface by eliminating unnecessary privileges that could provide an avenue for an attacker. Least privilege should apply both to users as well as to processes running on the system.
MAC grants permissions by matching object labels with subject labels based on their respective levels. The subject must have an equal or greater level than the object in order to be granted access.
The most restrictive access control model is Mandatory Access Control (MAC).
MAC is typically found in military settings in which security is of supreme importance. MAC has two key elements:
-Labels
-Levels
Mandatory Access Control (MAC). End user cannot set controls. Most restrictive model.
Four major access control models: Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Rule Based Access Control (RBAC).
Group Policy is a Microsoft Windows feature that provides centralized management and configuration of computers and remote users using the Microsoft directory service Active Directory (AD).
In an organization with hundreds of computers, how can access control be implemented?
One approach using Microsoft products is to use Group Policy.
Kerberos is an authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users. Named after a three-headed dog in Greek mythology that guarded the gates of Hades, Kerberos uses encryption and authentication for security. Kerberos will function under Windows 7/Vista, Windows Server 2008, Apple Mac OS X, and Linux.
Kerberos is most often used by universities and government agencies.
One method of controlling DAC inheritance is to automatically reduce the user's permissions.
One study revealed that 42 percent of businesses do not know how many orphaned accounts exist within their organization, and 30 percent of respondents said they have no procedure in place to locate orphaned accounts. The study also said that 27 percent of respondents estimated they currently had over 20 orphaned accounts, 12 percent said it takes longer than one month to terminate an account, and 15 percent said that former employees had accessed their orphaned account at least once.
Orphaned accounts are user accounts that remain active after an employee has left an organization, while a dormant account is one that has not been accessed for a lengthy period of time. Dormant accounts that are left unchecked can provide an avenue for an attacker to exploit without the fear of the actual user or a system administrator noticing.
Authorization
Permission granted for admittance. Mia opens door to allow delivery person in. User authorized to log in.
Owner
Person responsible for the information. Determines the level of security needed for the data and delegates security duties as required.
RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share.
Redeveloping the application may be seen as too costly; an alternative is to run the application in a virtualized environment.
Identification
Review of credentials. Delivery person shows employee badge. User enters username.
Access
Right given to access specific resources. Delivery person can only retrieve box by door. User allowed to access only specific data.
Role Based Access Control (RBAC). Assigns permissions to particular roles in the organization, and then users are assigned to roles. Considered a more "real-world" approach.
Rule Based Access Control (RBAC). Dynamically assigns roles to subjects based on a set of rules defined by a custodian. Used for managing user access to one or more systems.
Rule Based Access Control is often used for managing user access to one or more systems, where business changes may trigger the application of the rules that specify access changes.
Similar to MAC, Rule Based Access Control cannot be changed by users. All access permissions are controlled based on rules established by the custodian or system administrator.
Microsoft Windows has four security levels—low, medium, high, and system—with nonadministrative user processes running by default at the medium level.
Specific actions (such as installing application software) by a subject with a lower classification (such as a standard user) may require a higher level (such as high) of approval. This need for approval invokes the Windows User Account Control (UAC) function. The standard user who attempts to install software is required by UAC to enter the higher-level administrative password before being allowed to proceed (which elevates the action to a higher security level).
Terminal Access Control Access Control System (TACACS) is an authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server. The centralized server can either be a TACACS database or a database such as a Linux or UNIX password file with TACACS protocol support.
TACACS is a proprietary system developed by Cisco Systems. The first version was simply called TACACS, while a later version introduced in 1990 was known as Extended TACACS (XTACACS). The current version is TACACS+. TACACS+ is not compatible with TACACS or XTACACS.
A wireless device, called the supplicant (it makes an "appeal" for access), sends a request to an AP requesting permission to join the WLAN. The AP prompts the user for the user ID and password.
The AP, serving as the authenticator that will accept or reject the wireless device, creates a data packet from this information called the authentication request. This packet includes information such as the identity of the specific AP that is sending the authentication request and the username and password.
The DAC models that use explicit deny have stronger security because access control to all users is denied by default and permissions must be explicitly granted to approved users.
The Discretionary Access Control (DAC) model is the least restrictive.
The Last Logon attribute in Microsoft Active Directory (AD) does not store the date and time of when an account was last accessed, but instead records a value such as 128271382542862359, which is the number of 100-nanosecond intervals that have elapsed since January 1, 1601.
A RADIUS client is not the device requesting authentication, such as a desktop system or wireless notebook computer. Instead, a RADIUS client is typically a device such as a wireless access point (AP) or dial-up server that is responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server.
The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. The strength of RADIUS is that messages are never directly sent between the wireless device and the RADIUS server. This prevents an attacker from penetrating the RADIUS server and compromising security.
The Rule Based Access Control (RBAC) model, also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning, can dynamically assign roles to subjects based on a set of rules defined by a custodian. Each resource object contains a set of access properties based on the rules. When a user attempts to access that resource, the system checks the rules contained in that object to determine if the access is permissible.
The X.500 standard itself does not define any representation for the data stored like usernames. What is defined is the structural form of names. Systems that are based on the X.500, such as Microsoft Active Directory, define their own representation.