A candidate appearing for the CISSP exam should have knowledge in the following areas that relate to access control:
- Control access by applying concepts, methodologies, and techniques
- Identify, evaluate, and respond to access control attacks such as Brute force attack, dictionary, spoofing, denial of service, etc.
- Design, coordinate, and evaluate penetration test(s)
- Design, coordinate, and evaluate vulnerability test(s)
In accordance with the knowledge expected in the CISSP exam, this domain is broadly grouped under five sections as shown in the following diagram:
Section 1: The Access Control domain consists of many concepts, methodologies, and some specific techniques that are used as best practices. This section covers some of the basic concepts, access control models, and a few examples of access control techniques.
Section 2: Authentication processes are critical for controlling access to facilities and systems. This section looks into important concepts that establish the relationship between access control mechanisms and authentication processes.
Section 3: A system or facility becomes compromised primarily through unauthorized access either through the front door or the back door. We'll see some of the common and popular attacks on access control mechanisms, and also learn about the prevalent countermeasures to such attacks.
Section 4: An IT system consists of an operating system software, applications, and embedded software in the devices to name a few. Vulnerabilities in such software are nothing but holes or errors. In this section we see some of the common vulnerabilities in IT systems, vulnerability assessment techniques, and vulnerability management principles.
Section 5: Vulnerabilities are exploitable, in the sense that the IT systems can be compromised and unauthorized access can be gained by exploiting the vulnerabilities. Penetration testing or ethical hacking is an activity that tests the exploitability of vulnerabilities for gaining unauthorized access to an IT system.
Today, we'll quickly review some of the important concepts in Sections 1, 2, and 3.
Access control concepts, methodologies, and techniques
Controlling access to information systems and information processing facilities by means of administrative, physical, and technical safeguards is the primary goal of the access control domain. The following topics provide insight into some of the important access control related concepts, methodologies, and techniques.
One of the primary concepts in access control is to understand the subject and the object.
A subject may be a person, a process, or a technology component that either seeks access or controls the access. For example, an employee trying to access his business email account is a subject. Similarly, the system that verifies credentials such as username and password is also termed a subject.
An object can be a file, data, physical equipment, or premises which need controlled access. For example, the email stored in the mailbox is an object that a subject is trying to access.
Controlling access to an object by a subject is the core requirement of an access control process and its associated mechanisms. In a nutshell, a subject either seeks or controls access to an object.
An access control mechanism can be classified broadly into the following two types:
- If access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history, and so on, then it is known as a context-dependent access control. In this type of control, the value of the asset being accessed is not a primary consideration. Providing the username and password combination followed by a challenge and response mechanism such as CAPTCHA, filtering access based on MAC addresses in wireless connections, or a firewall filtering data based on packet analysis are all examples of context-dependent access control mechanisms.
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge-response test to ensure that the input to an access control system is supplied by humans and not by machines. This mechanism is predominantly used by web sites to prevent Web Robots (WebBots) from accessing the controlled section of the web site by brute force methods.
The following is an example of CAPTCHA:
- If access is provided based on the attributes or content of an object, then it is known as a content-dependent access control. In this type of control, the value and attributes of the content being accessed determine the control requirements. For example, hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent.
Access control models
Access control models define methods by which a system controls the access to an object by a subject. The following are some of the models that are predominantly used in the access control domain.
Discretionary access control
Discretionary access control is a control in which the subject has some authority to specify the objects that are accessible to it. In simpler terms, access to an asset is based on the discretion of the owner of the asset.
An Access Control List (ACL) is an example of discretionary access control, wherein users and privileges are mapped. The following is a simple example of an ACL by which a router allows or denies connections from specific IP addresses:
10 permit 10.1.1.1
20 permit 10.1.1.2
30 permit 10.1.3.0, wildcard bits 0.0.0.255
In this example, the router allows connections from 10.1.1.1, 10.1.1.2, and all IP addresses in the 10.1.3.0 to 10.1.3.255 range, and denies any other connections.
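To make the first-match and implicit-deny behaviour of such an ACL concrete, here is an added example (not from the original article) that evaluates the three entries above against a source address using the same wildcard-bit semantics a router applies: wildcard bits set to 1 are ignored, bits set to 0 must match exactly. The ACL entries and the addresses tested are constructed from the article's example.

```python
import ipaddress

# Constructed ACL with the same three entries as the article's example:
# (sequence number, action, address, wildcard bits).
# A wildcard of 0.0.0.0 means "match this one address exactly".
ACL = [
    (10, "permit", "10.1.1.1", "0.0.0.0"),
    (20, "permit", "10.1.1.2", "0.0.0.0"),
    (30, "permit", "10.1.3.0", "0.0.0.255"),
]


def _to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(addr))


def entry_matches(entry, source_ip: str) -> bool:
    """Wildcard match: only the bits where the wildcard is 0 are compared."""
    _, _, net, wildcard = entry
    care_mask = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(source_ip) & care_mask) == (_to_int(net) & care_mask)


def evaluate_acl(acl, source_ip: str) -> str:
    """Return 'permit' or 'deny' for source_ip.

    Entries are checked in sequence order and the first match wins; an
    address that matches no entry falls through to the implicit deny.
    """
    for entry in sorted(acl, key=lambda e: e[0]):
        if entry_matches(entry, source_ip):
            return entry[1]
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.3", "10.1.3.77", "10.1.4.1"):
        print(ip, "->", evaluate_acl(ACL, ip))
```

Note that 10.1.1.3 is denied even though it sits between the two explicitly permitted hosts: an ACL permits only what it lists.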
Identity based access control is a form of discretionary access control in which the control is based on an individual's identity. For example, biometrics based access control systems are based on this type.
Non-discretionary access control
When access to an object is based on certain rules, it is known as Rule Based Access Control (RBAC). For example, the clearance level of the subject and the classification level of the object determine the access levels. A practical example is your college providing Internet access only during specific hours of the day; the rule here is based on time.
When access is controlled based on mandatory rules, it is known as Mandatory Access Control (MAC). This type of access control is based on security labels. A security label is applied to a subject as well as to an object. A subject must have a security label equal to or higher than that of the object in order to access it. For example, most modern operating systems, such as Vista or certain Linux variants, restrict the permissions of applications to access certain processes based on integrity or sensitivity labels.
The acronym MAC is also used in computer networking and it denotes Media Access Control. This is an addressing scheme that provides a unique hardware number to the communication cards.
Trusted Computer System Evaluation Criteria (TCSEC) defines mandatory access control as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (for example, clearance) of subjects to access information of such sensitivity".
If a centralized authority controls the access based on a specific policy, then the same is known as a non-discretionary access control.
Centralized access control is a facility in which all the core functions for access such as Authentication, Authorization, and Accountability (AAA) are performed from a centralized location.
A Role Based Access Control (RBAC) is a non-discretionary access control based on the subject's role or position in the organization. A majority of applications such as Enterprise Resource Management (ERP), and Manufacturing Execution Systems (MES) use this control as a default or preferred access control.
Rule Based Access Control (RBAC) and Role Based Access Control (RBAC) share the same acronym, RBAC.
A task based access control is based on a subject's responsibilities in the organization.
A lattice-based access control is one where there are a pair of values that determine the access rights. The pair values are related to the least upper bound and the greatest lower bound in the lattice model. This is another type of non-discretionary access control. This model is usually represented in a grid-like setup where a subject and object are mapped.
In the following example, User Levels and File levels are mapped in a lattice model to represent access levels:
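The following added example (not part of the original article) shows how the MAC label comparison described above and the lattice's least upper bound and greatest lower bound can be computed. A label is modelled as a sensitivity level plus a set of compartments; the level names, compartments and labels used are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels, lowest to highest.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def rank(self) -> int:
        return LEVELS.index(self.level)


def dominates(a: Label, b: Label) -> bool:
    """a is equal to or higher than b in the lattice: higher-or-equal level
    AND a superset of b's compartments. Labels that are incomparable
    (e.g. disjoint compartments) dominate in neither direction."""
    return a.rank() >= b.rank() and a.compartments >= b.compartments


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(LEVELS[min(a.rank(), b.rank())], a.compartments & b.compartments)


def may_access(subject: Label, obj: Label) -> bool:
    """MAC check as stated in the article: the subject's label must be equal
    to or higher than the object's label."""
    return dominates(subject, obj)


if __name__ == "__main__":
    user = Label("secret", frozenset({"crypto"}))
    report = Label("confidential", frozenset())
    plan = Label("confidential", frozenset({"nuclear"}))
    print("report:", may_access(user, report))  # True
    print("plan:  ", may_access(user, plan))    # False: missing compartment
    print("lub:   ", lub(user, plan))
```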
De-centralized access control, or distributed access control, is an arrangement in which the core functions of access are distributed over a network. A distributed database is an example of such a system.
Access control and authentication
The access control process consists of two distinct activities. One is the "identification" of the subject by the system and the other is "authentication", which is the system's ability to validate the credential supplied by the subject.
The authentication process may require more than one type of credential to validate the identity. This is known as factoring. Access control security is greater when more than one factor of authentication is used.
When an entity, or subject, is validated against a single credential, it is known as single-factor authentication. For example, providing a username and password to the system is a single-factor authentication. Generally, the username and password combination authenticates the credentials from "what you know" (the username and password).
When an entity, or subject, is validated against two different credentials, then it is known as two-factor authentication. For example, providing a PIN along with the ATM or smart card to the system is a two-factor authentication. In this scenario, the system authenticates the credentials from "what you have" (a smart card) and "what you know" (a PIN number).
When an entity, or subject, is validated against three different credentials, it is known as three-factor authentication. For example, providing a PIN along with the ATM or smart card and also swiping your finger on a fingerprint reader (biometric) is three-factor authentication. In this case, the system authenticates the credentials from "what you are" (fingerprint), "what you have" (a smart card), and "what you know" (a PIN number).
Biometric authentication validates biological characteristics to authenticate the entity or user. This follows the principle "what you are". Examples of biometric authentication methods include fingerprint scanning, retina scanning, hand geometry, and face geometry.
There are many kinds of malicious code. The basic functionality of malicious code is to execute itself on the client machine and compromise its security. An important countermeasure is to use, and keep updated, anti-virus systems, firewalls, and intrusion detection systems.
A Trojan horse is a type of malicious code that comes disguised inside a trusted program. Once installed, this malicious code can open ports, create backdoors into the system, and cause innumerable security breaches. When the Trojan horse is activated on a particular event (such as a particular date), it is known as a logic bomb.
Malicious mobile codes are executed in the client system through the network from a remote server.
Password guessing is one of the attacks that use various methods to obtain users' passwords. Use of a strong password with a combination of alphanumeric and special characters is a helpful countermeasure. Adhering to strict password policies, such as frequent password changes, minimum password length, and password history, is also effective against such attacks.
Dictionary attacks are a type of password-guessing attack that checks the encrypted password database against words found in a dictionary.
Brute force attacks are the means by which the password database is attacked with all types of letters and combinations.
Hybrid attacks combine the dictionary as well as brute force attacks.
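Dictionary, brute force and hybrid attacks all share one observable trait from the defender's side: a burst of failed logins from one source, often across several usernames. The following added example (not from the original article) shows detection logic for that pattern, run over a few constructed sshd-style log lines; the log format, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (sshd-style); not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:04 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:06 sshd: Failed password for bob from 203.0.113.5
2024-03-01T10:00:07 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09 sshd: Accepted password for alice from 198.51.100.7
2024-03-01T10:05:00 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:20:00 sshd: Failed password for alice from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return datetime.fromisoformat(ts), outcome, user, ip


def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: sorted usernames tried} for every source with at least
    `threshold` failed logins inside any sliding window of length `window`.
    A single user failing a couple of times over a long period is not flagged."""
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[1] == "Failed":
            failures[parsed[3]].append((parsed[0], parsed[2]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events[start:end + 1]})
                break
    return flagged
```

Several distinct usernames from one flagged source points to a dictionary or spraying style guess rather than a single user mistyping, which is useful when deciding on lockout versus rate limiting.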
Replay attacks are the ones in which the session (like authentication) is captured and replayed against the system.
Scanning is an attack that probes the network and system to identify vulnerabilities for planning a possible attack to compromise.
Vulnerability exploitation is a way of attacking systems by compromising the holes, or errors in the operating system or application software, to gain access or bypass the security controls.
Spoofing is a type of attack to imitate a trusted entity, thereby making the system trust this imitated entity. IP spoofing is an example of such an attack.
Social engineering is a type of attack to obtain credential information such as passwords, PIN numbers, and so on, by using social skills such as impersonation, fake emails, and so on.
An important countermeasure to vulnerability compromises in systems is to periodically scan for and fix the vulnerabilities in IT systems using vendor-supplied patches, as well as other means of filtering and protection, by using suitable vulnerability management tools.
In this article, we first looked at some of the fundamental access control related concepts, methodologies, and techniques such as RBAC, MAC, as well as centralized and de-centralized access controls.
We've also reviewed some of the authentication concepts in terms of factored authentication.
There are quite a number of attacks such as brute force, spoofing, denial-of-service, etc., which may compromise the access control systems. We've reviewed some of these attacks and their corresponding countermeasures.