Module 4 - Procedural and People Security Controls
The course is part of this learning path
This course looks at ways in which the threats and vulnerabilities associated with the people who use IT systems can be mitigated. It highlights the important people security implications and how a security culture can be developed, then it investigates how user access controls can be effectively integrated with IT systems. Finally, it looks at the role of security training and awareness.
The objectives of this course are to provide you with and understanding of:
- The people threats facing organizations and the importance of a security culture
- Practical people controls, including employment contracts, service contracts, codes of conduct and acceptable use policies
- Access controls, including authentication and authorization, passwords, tokens and biometrics
- The importance of data ownership, privacy; access points, identification and authentication mechanisms, and information classification
- How organizations can raise security awareness and the different approaches to deliver security-related training
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if would like help getting started.
Welcome to this video on user access controls.
Organizations rely on security systems to first identify and then permit only authorized individuals to access their assets. Access controls relate to the mechanisms used to manage and regulate access to systems or information on a network.
This video looks at a range of these controls including:
· Authentication and authorization;
· Tokens; and
It also covers the associated areas of data ownership privacy, access points, identification and authentication mechanisms and information classification.
Let’s start with identification and authentication.
There are different types of user authentication, or factors of authentication. This includes:
· Something a user knows, for example, a password.
· Something a user has, for example, a hardware token to access a PC.
· Something a user is (or does) which relates to biometric information like a fingerprint or voice recognition.
Sometimes, for extra security, more than one factor is used. This is referred to as Multi-Factor Authentication.
When a user logs onto a system and enters their ID usually their username, they are identifying themselves to the system.
They then need to verify the identity that they have claimed. This is often done by entering a password. The verification of the identity claim is what is meant by authentication.
Passwords need to be long, complex and difficult to guess; guessing a weak password is one of the most widely exploited IT system vulnerabilities.
In very basic authentication systems, the username and password are sent over the network and presented to the server. If there’s a match against the server records, the user is allowed in.
However, this basic authentication isn’t secure and is easy to ‘sniff the network’ with the right tools. So, a more secure method, known as ‘challenge and response’ is used.
With this method, the username is sent to the server which obtains the user’s password from a database. The server then encrypts a one-time token with that password and sends it back to the user’s PC.
The authentication service then uses the password the user typed in, to decrypt the token and sends this response back to the server. If there’s a match, the server authenticates the user and lets them in. If there’s no match, access is denied.
‘Challenge and response’ is a complicated mechanism which can be augmented by multiple factors of identification and multiple protocols of authorisation.
In theory, passwords should be a secure mechanism for protecting data. However, as passwords have been the primary mechanism used to authenticate users to systems since the early days of computing, hackers have developed many ways to bypass this control.
There are three primary ways that passwords can be cracked:
· They can be guessed;
· They can be programmatically attacked; and
· They can be socially engineered.
Password guessing is one of the most common attacks. Using your mother’s maiden name or your pet’s name is clearly a bad idea and a little digging around on Facebook is likely to uncover this information. Complex passwords should always be used.
There are many tools that launch targeted and brute force attacks – a repetitive attack using a list – to programmatically identify passwords. A brute force attack might start at ‘aaaaa’ and work up to ‘zzzzzz’, with one character changing at a time.
A dictionary attack relies on trying passwords from a pre-compiled list which can grow to be many gigabytes in size and be created quickly using data mining applications from social networking sites, like Facebook and LinkedIn.
Social engineering is a massive problem for users and for security professionals. The organization’s security awareness programme must make users aware of the nature of these attacks to avoid passwords being shared.
Social engineers use all the skills of a typical con artist. They might use a pretext, like pretending to be from the service management team, or someone from the user’s bank, to encourage a target to give away their password. They could also insert a USB drive into a computer to install a key logger to retrieve the user’s password.
These attacks can only be effectively countered through education; users must know exactly what to do if they become suspicious of any kind of unsolicited approach.
As we’ve seen, tough password complexity rules should be enforced.
· Setting a minimum password length;
· Including upper and lower-case characters, numbers and non-alphanumeric characters, like question marks or brackets;
As we’ve seen, tough password complexity rules should be enforced.
· Forcing passwords to be changed after a maximum usage period, say 60 days; and
· Never writing passwords down.
Longer and more complex passwords take more brute force attempts to crack. If the usage period is short enough it reduces the likelihood of passwords being cracked and the risk of a programmatic attack.
Advice from the UK National Cyber Security Centre is not to use long complex passwords which must be changed frequently. This is because people generally write down difficult passwords and tend to use the same password on multiple sites. Ways to overcome this are to:
· Use long passphrases, composed of words that can be easily memorized;
· Use a password manager, which is software that creates and stores long complex passwords, so the user doesn’t need to remember them; and
· Protecting accounts by locking them after a stated number of failed login attempts. This eradicates brute force attacks.
Some tokens, such as SecurID, provide a personal identification number – a PIN – that must be entered at the time of login together with the username and password of the account holder.
This affords an effective two-factor authentication solution, covering ‘something the user knows’ and ‘something the user has’.
Let’s move on and look at biometrics.
There are many different biometric techniques, including:
· Fingerprint scanners;
· Iris scanners;
· Palm vein scanners;
· Voice recognition; and
· Facial recognition.
However, it’s important not to simply replace one weak security mechanism with another, or one that’s possibly weaker. While passwords have issues, there are plenty of instructions on the internet for how to steal and mimic biometric data, like someone’s fingerprints.
There are other security issues with biometrics which include:
· Ensuring the technique is accurate and doesn’t accept false data;
· Compromised credentials: a password can be changed if it’s compromised but it’s not that easy with fingerprints; and
· Users often consider biometric measures as intrusive and think they might lead to more sensitive information being accessed, like evidence of medical conditions.
Once the identity of the individual has been established, the system then needs to decide which assets they can access – this is known as authorization.
For example, in a typical Windows environment, once the user has entered a successful username and password combination and is authenticated by the Windows Domain Controller, they are issued an access token that stays with them for the duration of the session.
If the user tries to access a server where corporate documents are stored, the authorisation service will check the access token to see if it matches the tokens of the users and groups that are allowed to access the resource.
This process is known as access control.
If there’s a match, the user can access the resource; no match means access is denied.
Once a user has gone through the identification and authentication process, controls should be in place to ensure that they only have access to the systems, assets and information they need to do their job.
It’s a bit like ‘corporate parental controls’ where users are denied access to elements that are inappropriate, or they’re not authorised to see and administrator accounts are tightly controlled to ensure users can’t change their own access rights.
If everyone had administrator rights, they could get any information, go to any server, change configuration, delete log files, install software and override security measures.
The approach to assigning administrator rights is known as ‘least-privilege’. This means giving users only the rights they need to do their job, and no more.
In many cases, for example in a Windows environment, user accounts are created with little access to anything other than personal files. So, access rights are assigned by creating functional groupings of capabilities, called user groups, which are assigned rights to access the asset. This gives each group the privileges they need to perform the tasks on those assets.
If a user needs access to an asset, they’re added to the group, or removed when they no longer need access. This makes administration of the ‘least privilege’ principle straightforward.
There are various methods to explicitly grant access, but system administrators can over-write the access which has been granted implicitly.
Role-based access control relates to functional roles within an organization rather than a person’s individual access. Access rights are assigned to specific roles and a user then has the rights associated with their role, rather than being given rights as an individual user.
The degree of protection which can be extended to an individual file system object – a file or a folder – is only limited by the operating system being used and this dictates the granularity through which an individual’s or group’s access can be controlled.
A Windows system is different to a Linux system, which again is different to Mac OSX. In a Linux system, the basic degree of protection that can be extended to files and folders from an end user perspective is based on a three-level approach:
· Each file has a creator (also known as an owner) who has full control over that object;
· The members of the same default group as the owner can be given specific permissions by the owner; and
· Other users can also be given specific permissions by the owner in relation to the file or folder.
These permissions then take on one or a combination of attributes – Read, Write or Execute:
· The Read attribute means that the user or group can read the folder contents or the file that the permission is applied to;
· Write means that the user can change the contents of the folder or file, including the ability to delete it; and
· Execute means that the user can run an executable application code, or a script, in that folder.
Beneath these three simple attributes, most operating systems allow more granular control.
Some access models are based on the concept of an Access Control Matrix. The Access Control List in Microsoft Windows is an implementation of the Access Control Matrix.
The matrix here illustrates example access rights a subject has to an object. In this example:
· Alice can access her own files, having read, write and execute permissions;
· Bob is Alice’s colleague and she’s given him permission to read her files;
· However, whilst Bob has read, write and execute rights to his own files he hasn’t reciprocated with Alice, so she has no access to his files.
Notice that two of the subjects aren’t users; one is the system and the other is a program. In this example, the system and the accounts program have read, write and execute rights to the accounts program and no other subject has access to this database.
An Access Control List comprises one or more Access Control Entries which is a structure specifying permissions for a single user, group, or other entity.
On the left you can see the basic Linux/Unix model which is based on the concept of a file having an owner and an owning group. For any given file, the permissions that the following subjects would have when accessing it would be specified:
· The owner, who in this case is John Hughes has read and write permissions to the file;
· The owning group, which in this case is ‘johughes’. Members of this group have read access to the file’ and
· Others, sometimes known as ‘world’, specifies the permissions every other user on the system has.
The permissions in the basic Linux/Unix model are read, write and execute.
The Microsoft Windows model is on the right. The users and groups are listed with defined sets of permissions.
The permissions for the group called Users are set to read and read and execute. These permissions are more granular than those of basic Linux/Unix. Most modern implementations of Linux support more granular access mechanisms.
Windows can also specify a ‘deny’, where a group or individual can be made an exception to the rule. An additional ‘full control’ permission allows subjects to have full control over the setting of permissions to that resource.
A further security consideration is that of privileged system users, which might be, for example, system administrators.
The duties of privileged account holders should be segregated so that no individual can completely undermine an organization’s security. Just because an administrator needs to reset passwords or unlock accounts, it shouldn’t automatically mean that the same administrator should be granted database administrator rights.
One of the biggest security threats organizations face today is insider attack. The more privileges a user has the more they could undermine security.
Segregation of privileges should be supported by monitoring and many organizations also conduct extensive background checks, psychometric evaluations and even financial audits to ensure that individuals aren’t open to coercion, bribery or corruption.
Some organizations also force their privileged users to take mandatory holidays. During this time, someone else will move into their role and check what they’ve been doing. This two-person check is a useful method to deter rogue administrators.
Let’s move on to look at data ownership and access controls.
Establishing who owns an information asset within an organization is essential to controlling and protecting it. This is important when technical measures are being designed to protect sensitive and confidential material.
However, ownership controls spanning beyond the reach of the IT system are also important. For example, if there are files on a system that are protected by user groups and only a few users have access, when a user prints out one of those documents there are other considerations like:
· How is it protected?
· How is the location of the printed copy monitored?
· Where is the printed document filed?
· If it’s in a locked cabinet, who knows where the key is?
Access to data can be assigned to a functional group within an organization, or an individual user. There are security implications when considering which groups can access which areas of the system. For example, Finance might have a group location to store information for members of their team, and the same folder may have access blocked to the HR team. Similarly, where the HR team needs access to confidential employee records, this information should be protected from other staff members.
The concept of using groups, rather than directly applying users to information assets is encouraged. This makes protecting information easier.
Remember that it’s not only people that access an organization’s information. There are numerous services, like back-ups, anti-virus software, auditing software and integrity checkers which run in the background to check files are where they should be and doing what they should do.
However, any one of these ‘services’ can potentially cause a problem and expose a threat vector. If malware infects the back-up system and tampers with the read capability, it could potentially offer access to that data from an unauthorized source.
All these aspects of the system need to be analysed in terms of the access they provide and the strength of the security controls.
Administering user access to a system can be a complex task for the system management team, especially considering the entire lifecycle of a single user account, from the day the user joins until the day they leave the organization.
During this time, they might be promoted, change roles, move into other parts of the business, become mobile or remote workers, take extended sick leave, and ultimately leave the organization.
The admin team must ensure:
· Users have accounts, can gain access to the right resources and system objects, and have the correct rights on those files and folders so that they can carry out their duties;
· Old privileges are revoked, and new ones assigned if the user changes to a different role;
· Overrides are used if emergency access is required, for example, a team leader needing to access to an individual’s personal file store when they’re off sick; and
· Reversion to previous access rights is as quick as possible after an issue is resolved to ensure the principle of ‘least privilege’ is maintained.
In addition to administering user access controls, network access controls are required for the network and operating system layers. These grant access to a network based on where the user’s coming from, the identity of their machine and what state the machine is in.
Network Access Protection can be used to perform vulnerability scans and assessments of antivirus signatures prior to the computer being allowed to connect properly. Where a computer is deemed unfit to join the network, it can be quarantined until the necessary patches have been applied.
As mobile working increases, additional security implications arise because of the variety of locations corporate systems can be accessed from.
An access point is defined as any location from which the internal IT systems of an organization can be accessed. There are three primary ways that access can be gained, each with its own set of security concerns:
· Directly by connecting to the corporate network;
· Wireless access through a trusted wireless access point run on the premises; and
· Remotely through a third-party network, which could be from home or third-party premises, for example a hotel or coffee shop.
There’s a big difference between connecting to the corporate network from a hard-wired access point at a desk in the office to connecting remotely through an untrusted network connection in a hotel. The solution for remote access connection needs to account for the nature of the threat the user will be subject to, depending on their location.
At the client end, downloading data can be restricted by offering only thin client access to add a layer of additional security, or an encrypted link might be established to a virtual private network (or VPN) connection.
Wireless networks can also be problematic from a security perspective, so strong encryption and strong authentication processes to identify and authenticate remote users are important.
That’s the end of this video on user access controls.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.