Two factor authentication can be defeated if ________

World Headquarters

Jones & Bartlett Learning

5 Wall Street

Burlington, MA 01803

978-443-5000

info@jblearning.com

www.jblearning.com

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.

Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

mailto:info@jblearning.com
http://www.jblearning.com
http://www.jblearning.com
mailto:specialsales@jblearning.com
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Access Control, Authentication, and Public Key Infrastructure, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.

There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits

Chief Executive Officer: Ty Field

President: James Homer

SVP, Editor-in-Chief: Michael Johnson

SVP, Curriculum Solutions: Christopher Will

Director of Sales, Curriculum Solutions: Randi Roger

Senior Marketing Manager: Andrea DeFronzo

Associate Marketing Manager: Kelly Thompson

VP, Design and Production: Anne Spencer

VP, Manufacturing and Inventory Control: Therese Connell

Manufacturing and Inventory Control Supervisor: Amy Bacus

Editorial Management: High Stakes Writing, LLC, President: Lawrence J. Goodrich

Senior Editor, HSW: Ruth Walker

Senior Editorial Assistant: Rainna Erikson

Production Manager: Susan Schultz

Composition: Gamut+Hue, LLC

Cover Design: Kristin E. Parker

Director of Photo Research and Permissions: Amy Wrynn

Rights & Photo Research Assistant: Joseph Veiga

Cover Image: © HunThomas/ShutterStock, Inc.

Chapter Opener Image: © Rodolfo Clix/Dreamstime.com

Printing and Binding: Edwards Brothers Malloy

Cover Printing: Edwards Brothers Malloy

ISBN: 978-1-284-03159-1

Library of Congress Cataloging-in-Publication Data

Not available at time of printing.

6048

http://Dreamstime.com
Printed in the United States of America

17 16 15 14 13 10 9 8 7 6 5 4 3 2 1

Contents

Preface

Acknowledgments

PART ONE The Need for Access Control Systems

CHAPTER 1

Access Control Framework

Access and Access Control

What Is Access?

What Is Access Control?

Principal Components of Access Control

Access Control Systems

Access Control Subjects

Access Control Objects

Access Control Process

Identification

Authentication

Authorization

Logical Access Controls

Logical Access Controls for Subjects

Group Access Controls

Logical Access Controls for Objects

Authentication Factors

Something You Know

Something You Have

Something You Are

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 1 ASSESSMENT

CHAPTER 2

Assessing Risk and Its Impact on Access Control

Definitions and Concepts

Threats and Vulnerabilities

Access Control Threats

Access Control Vulnerabilities

Risk Assessment

Quantitative Risk Assessment

Qualitative Risk Assessment

Risk Management Strategies

Value, Situation, and Liability

Potential Liability and Non-Financial Impact

Where Are Access Controls Needed Most?

How Secure Must the Access Control Be?

The Utility of Multilayered Access Control Systems

Case Studies and Examples

Private Sector

Public Sector

Critical Infrastructure

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 2 ASSESSMENT

CHAPTER 3

Business Drivers for Access Controls

Business Requirements for Asset Protection

Importance of Policy

Senior Management Role

Classification of Information

Classification Schemes

Personally Identifiable Information (PII)

Privacy Act Information

Competitive Use of Information

Valuation of Information

Business Drivers

Cost-Benefit Analysis

Risk Assessment

Business Facilitation

Cost Containment

Operational Efficiency

IT Risk Management

Controlling Access and Protecting Value

Importance of Internal Access Controls

Importance of External Access Controls

Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties

Examples of Access Control Successes and Failures in Business

Case Study in Access Control Success

Case Study in Access Control Failure

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 3 ASSESSMENT

CHAPTER 4

Access Control Policies, Standards, Procedures, and Guidelines

U.S. Compliance Laws and Regulations

Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley (SOX) Act

Family Educational Rights and Privacy Act (FERPA)

Communications Assistance for Law Enforcement Act (CALEA)

Children’s Internet Protection Act (CIPA)

21 CFR Part 11

North American Electric Reliability Council (NERC)

Homeland Security Presidential Directive 12 (HSPD 12)

Access Control Security Policy Best Practices

Private Sector—Enterprise Organizations

Public Sector—Federal, State, County, and City Government

Critical Infrastructure, Including Utilities and Transportation

IT Security Policy Framework

What Policies Are Needed for Access Controls?

What Standards Are Needed to Support These Policies?

What Procedures Are Needed to Implement These Policies?

What Guidelines Are Needed for Departments and End Users?

Examples of Access Control Policies, Standards Procedures, and Guidelines

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 4 ASSESSMENT

ENDNOTE

CHAPTER 5

Security Breaches and the Law

Laws to Deter Information Theft

U.S. Federal Laws

State Laws

Cost of Inadequate Front-Door and First-Layer Access Controls

Access Control Failures

People

Technology

Security Breaches

Kinds of Security Breaches

Why Security Breaches Occur

Implications of Security Breaches

Private Sector Case Studies

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 5 ASSESSMENT

PART TWO

Mitigating Risk with Access Control Systems, Authentication, and PKI

CHAPTER 6

Mapping Business Challenges to Access Control Types

Access Controls to Meet Business Needs

Business Continuity

Risk and Risk Mitigation

Threats and Threat Mitigation

Vulnerabilities and Vulnerability Management

Solving Business Challenges with Access Control Strategies

Employees with Access to Systems and Data

Employees with Access to Sensitive Systems and Data

Administrative Strategies

Technical Strategies

Separation of Responsibilities

Least Privilege

Need to Know

Input/Output Controls

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 6 ASSESSMENT

CHAPTER 7

Human Nature and Organizational Behavior

The Human Element

Dealing with Human Nature

Pre-Employment Background Checks for Sensitive Positions

Ongoing Observation of Personnel

Organizational Structure and Access Control Strategy

Job Rotation and Position Sensitivity

Requirement for Periodic Vacation

Separation of Duties

Concept of Two-Person Control

Collusion

Monitoring and Oversight

Responsibilities of Access Owners

Training Employees

Acceptable Use Policy

Security Awareness Policy

Ethics

What Is Right and What Is Wrong

Enforcing Policies

Human Resources Involvement

Best Practices for Handling Human Nature and Organizational Behavior

Make Security Practices Common Knowledge

Foster a Culture of Open Discussion

Encourage Creative Risk-Taking

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 7 ASSESSMENT

CHAPTER 8

Access Control for Information Systems

Access Control for Data

Data at Rest

Data in Motion

Object-Level Security

Access Control for File Systems

Access Control List

Discretionary Access Control List

System Access Control List

Access Control for Executables

Delegated Access Rights

Microsoft Windows Workstations and Servers

Granting Windows Folder Permissions

Domain Administrator Rights

Super Administrator Rights

UNIX and Linux

UNIX and Linux File Permissions

Linux Intrusion Detection System (LIDS)

The Root Superuser

Supervisory Control and Data Acquisition (SCADA) and Process Control Systems

Best Practices for Access Controls for Information Systems

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 8 ASSESSMENT

CHAPTER 9

Physical Security and Access Control

Physical Security

Designing a Comprehensive Plan

Building Security and Access

Points of Entry and Exit

Physical Obstacles and Barriers

Granting Access to Physical Areas Within a Building

Biometric Access Control Systems

Principles of Operation

Types of Biometric Systems

Implementation Issues

Modes of Operation

Biometric System Parameters

Legal and Business Issues

Technology-Related Access Control Solutions

Physical Locks

Electronic Key Management System (EKMS)

Fobs and Tokens

Common Access Cards

Outsourcing Physical Security—Pros and Cons

Benefits of Outsourcing Physical Security

Risks Associated with Outsourcing Physical Security

Best Practices for Physical Access Controls

Case Studies and Examples

Private Sector—Case Studies and Examples

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 9 ASSESSMENT

CHAPTER 10

Access Control in the Enterprise

Access Control Lists (ACLs) and Access Control Entries (ACEs)

Access Control Models

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

Attribute-Based Access Control (ABAC)

Authentication Factors

Types of Factors

Factor Usage Criteria

Kerberos

How Does Kerberos Authentication Work?

Use of Symmetric Key and Trusted Third Parties for Authentication

Key Distribution Center (KDC)

Authentication Tickets

Principal Weaknesses

Kerberos in a Business Environment

Network Access Control

Layer 2 Techniques

Layer 3 Techniques

CEO/CIO/CSO Emergency Disconnect Prime Directive

Wireless IEEE 802.11 LANs

Access Control to IEEE 802.11 WLANs

Identification

Confidentiality

Authorization

Single Sign-On (SSO)

Defining the Scope for SSO

Configuring User and Role-Based User Access Control Profiles

Common Configurations

Enterprise SSO

Best Practices for Handling Access Controls in an Enterprise Organization

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 10 ASSESSMENT

PART THREE

Implementing, Testing, and Managing Access Control Systems

CHAPTER 11

Access Control System Implementations

Transforming Access Control Policies and Standards into Procedures and Guidelines

Transform Policy Definitions into Implementation Tasks

Follow Standards Where Applicable

Create Simple and Easy-to-Follow Procedures

Define Guidelines That Departments and Business Units Can Follow

Identity Management and Access Control

User Behavior, Application, and Network Analysis

Size and Distribution of Staff and Assets

Multilayered Access Control Implementations

User Access Control Profiles

Systems Access

Applications Access

File and Folder Access

Data Access

Access Controls for Employees, Remote Employees, Customers, and Business Partners

Remote Virtual Private Network (VPN) Access—Remote Employees and Workers

Intranets—Internal Business Operations and Communications

Extranets—External Supply Chains, Business Partners, Distributors, and Resellers

Secure E-commerce Portals with Encryption

Secure Online Banking Access Control Implementations

Logon/Password Access

Identification Imaging and Authorization

Best Practices for Access Control Implementations

Case Studies and Examples

Private Sector Case Study

Public Sector Example

Critical Infrastructure Case Study

CHAPTER 11 SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 11 ASSESSMENT

CHAPTER 12

Access Control Solutions for Remote Workers

Growth in Mobile Work Force

Remote Access Methods and Techniques

Identification

Authentication

Authorization

Access Protocols to Minimize Risk

Authentication, Authorization, and Accounting (AAA)

Remote Authentication Dial In User Service (RADIUS)

Remote Access Server (RAS)

TACACS, XTACACS, and TACACS+

Differences Between RADIUS and TACACS+

Remote Authentication Protocols

Virtual Private Networks (VPNs)

Web Authentication

Knowledge-Based Authentication (KBA)

Best Practices for Remote Access Controls to Support Remote Workers

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 12 ASSESSMENT

CHAPTER 13

Public Key Infrastructure and Encryption

Public Key Infrastructure (PKI)

What Is PKI?

Encryption and Cryptography

Business Requirements for Cryptography

Digital Certificates and Key Management

Symmetric Versus Asymmetric Algorithms

Certificate Authority (CA)

Ensuring Integrity, Confidentiality, Authentication, and Non-

Repudiation

Use of Digital Signatures

What PKI Is and What It Is Not

What Are the Potential Risks Associated with PKI?

Implementations of Business Cryptography

Distribution

In-House Key Management Versus Outsourced Key Management

Certificate Authorities (CA)

Why Outsourcing to a CA May Be Advantageous

Risks and Issues with Outsourcing to a CA

Best Practices for PKI Use Within Large Enterprises and Organizations

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Example

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 13 ASSESSMENT

CHAPTER 14

Testing Access Control Systems

Purpose of Testing Access Control Systems

Software Development Life Cycle and the Need for Testing Software

Planning

Requirements Analysis

Software Design

Development

Testing and Integration

Release and Training

Support

Security Development Life Cycle and the Need for Testing Security Systems

Initiation

Acquisition and Development

Implementation and Testing

Operations and Maintenance

Sunset or Disposal

Information Security Activities

Requirements Definition—Testing the Functionality of the Original Design

Development of Test Plan and Scope

Selection of Penetration Testing Teams

Performing the Access Control System Penetration Test

Assess if Access Control System Policies and Standards Are Followed

Assess if the Security Baseline Definition Is Being Achieved Throughout

Assess if Security Countermeasures and Access Control Systems Are Implemented Properly

Preparing the Final Test Report

Identify Gaps and Risk Exposures and Assess Impact

Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure

Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 14 ASSESSMENT

CHAPTER 15

Access Control Assurance

What Is Information Assurance?

C-I-A Triad

The Five Pillars

Parkerian Hexad

How Can Information Assurance Be Applied to Access Control Systems?

Access Controls Enforce Confidentiality

Access Controls Enforce Integrity

Access Controls Enforce Availability

Training and Information Assurance Awareness

What Are the Goals of Access Control System Monitoring and Reporting?

What Checks and Balances Can Be Implemented?

Track and Monitor Event-Type Audit Logs

Track and Monitor User-Type Audit Logs

Track and Monitor Unauthorized Access Attempts Audit Logs

Audit Trail and Audit Log Management and Parsing

Audit Trail and Audit Log Reporting Issues and Concerns

Security Information and Event Management (SIEM)

Best Practices for Performing Ongoing Access Control System Assurance

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 15 ASSESSMENT

APPENDIX A

Answer Key

APPENDIX B

Standard Acronyms

Glossary of Key Terms

References

Index

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

The goal of Access Control, Authentication, and Public Key Infrastructure, Second Edition is to provide you with both academic knowledge and real- world understanding of the concepts behind access controls. These are tools you will use to secure valuable resources within your organization’s IT infrastructure. The authors’ goal was to provide you with a book that would teach important concepts first, and act as a useful reference later.

Access control goes beyond the simple username and password. This book approaches access control from a broad perspective, dealing with every aspect of access controls, from the very low-tech to the cutting edge.

Part 1 of this book defines the components of access control, provides a business framework for implementation, and discusses legal requirements that impact access control programs.

In Part 2, the risks, threats, and vulnerabilities that are prevalent in information systems and IT infrastructures are addressed with risk mitigation strategies and techniques. Access control systems and stringent authentication are presented as ways to mitigate risk.

http://www.jblearning.com
Part 3 provides a resource for students and practitioners who are responsible for implementing, testing, and managing access control systems throughout the IT infrastructure. Use of public key infrastructures for large organizations and certificate authorities is presented to solve unique business challenges.

This book is more than just a list of different technologies and techniques. You will come away with an understanding of how and why to implement an access control system. You will know how to conduct an effective risk assessment prior to implementation, and how to test solutions throughout the life cycle of the system.

Learning Features

The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, or students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

Acknowledgments

The production of a book is a complex effort involving many people. I would like to thank everyone involved in this project, especially those that I never had the opportunity to meet. Special thanks are due to Jim Cavanagh, who served as an excellent technical editor; Larry Goodrich and Randi Roger, who managed the project; and Ruth Walker, our fearless copy editor. I would also like to thank Carole Jelen, my literary agent with Waterside Productions.

Mike Chapple

The authors would like to thank Jones & Bartlett Learning for the opportunity to write this book and be a part of the Information Systems Security & Assurance Series project. Thanks also go to Mike Chapple, our technical reviewer, and Kim Lindros, our project manager. Mike ensured that every sentence in this book was as clear and technically accurate as it could possibly be. Kim managed the project on our behalf, reviewing and ferrying all the pieces that flowed between us, Mike Chapple, and Jones & Bartlett Learning.

Our heartfelt gratitude to our extended family and friends, without whose support we could not have written this book.

Bill and Tricia Ballad

To all my parents for providing the foundation that made this possible. Thank you.

To the Ursos for letting me spend hours in the yellow house and for making coffee. I am truly grateful.

To Mr. Weiss, I hope my words reflect all the guidance and wisdom you provided. I have learned more from you than you will ever know.

To Tarik and my family and friends who listened to me and still missed me. I don’t know what I would do without you.

To Marty Weiss, Carole Jelen, Mike Chapple, Kim Lindros, and all the

editors, for everything you do. Your assistance and advice are truly appreciated.

To RSA, EMC, and all my colleagues: You guys make me love security every day.

Erin K. Banks

About the Authors

MIKE CHAPPLE is senior director for Enterprise Support Services at the University of Notre Dame. In this role, he oversees the information security, IT architecture, project management, strategic planning, and communications functions for the Office of Information Technologies. He also serves as a concurrent assistant professor in the university’s Computer Applications Department, where he teaches an undergraduate course on Information Security. He is a technical editor for Information Security magazine and has written several books, including Information Security Illuminated (Jones & Bartlett, 2005), SQL Server 2008 for Dummies (Wiley, 2008), and the CISSP Prep Guide (Wiley, 2012). He earned his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS degree in computer science from the University of Idaho and an MBA from Auburn University.

BILL BALLAD has been active in the IT security community since the mid- 1990s. He is the coauthor and SME for Securing PHP Web Applications (Addison-Wesley Professional, 2008), and he wrote the security chapters for PHP & MySQL Web Development All-in-One Desk Reference for Dummies (Wiley, 2008). Professionally, Ballad is a senior systems engineer working with mission-critical Windows networks.

TRICIA BALLAD spent several years as a Web applications developer before becoming a full-time freelance writer and technical editor. She has written online courseware on various consumer electronics and computing subjects, and has coauthored PHP & MySQL Web Development All-in-One Desk Reference for Dummies (Wiley, 2008) and Securing PHP Web Applications (Addison-Wesley Professional, 2008).

ERIN K. BANKS is a security technology consultant for EMC, providing security solutions to Fortune 500 companies. She has over 13 years of experience in the network and security fields supporting customers and system integrators across a wide variety of industries. Banks holds a BS in electrical engineering from Northeastern University and is currently working on her MBA from the Isenberg School of Management at the University of Massachusetts Amherst. She holds the CISSP certification, among other

industry certifications.

This book is dedicated to the memory of Dewitt Latimer, my friend, colleague, and mentor.—Mike Chapple

To Will, Alex, Patrick, and Beth

—Bill and Tricia Ballad

To Holly, you will always be my girl

—Erin K. Banks

PART ONE

The Need for Access Control Systems

CHAPTER 1 Access Control Framework

CHAPTER 2 Assessing Risk and Its Impact on Access Control

CHAPTER 3 Business Drivers for Access Controls

CHAPTER 4 Access Control Laws, Policies, and Standards

CHAPTER 5 Security Breaches and the Law

CHAPTER

1 Access Control Framework

ORGANIZATIONS RELY UPON ACCESS CONTROLS to grant and restrict user access to information, systems, and other resources. Access control systems, when properly designed, implement business rules, often direct implementations of policy, in such a manner that individuals have access to the information and resources needed to perform their responsibilities but no more.

The consequences of weak or nonexistent access controls range from inconvenient to downright disastrous, depending on the nature of the resources being protected. For the average user, it may be annoying and inconvenient to have someone else reading your e-mail. On the other end of the scale, without strong access controls, companies could lose billions of dollars when disgruntled employees bring down mission-critical systems. Identity theft is a major concern in modern life, because so much of our private information is stored in accessible databases. The only way that information can be both useful and safe is through strong access controls.

Chapter 1 Topics

This chapter covers the following topics and concepts:

What access control is

What the principal components of access control are

What the three stages of access control are

What logical access controls are

What the three authentication factors are

Chapter 1 Goals

When you complete this chapter, you will be able to:

Identify the principal components of access control

Define the three stages of access control

Choose the best combination of authentication factors for a given scenario

Access and Access Control

There are two fundamentally important concepts you need to know before diving into the content for this chapter:

1. What does “access” mean?

2. What is an “access control”?

In an ideal world, you wouldn’t need to control access to what’s important to you or of value—you wouldn’t even need to lock your doors. Unfortunately that’s not reality—at home or in the business world. In the real world— especially in business—there is a need to protect precious data, network bandwidth, and other assets from a variety of threats. This chapter will help you understand how to lock your virtual doors.

What Is Access?

Fundamentally, access refers to the ability of a subject and an object to interact. That interaction is the basis of everything we do, both in the information technology (IT) field and in life in general. Access can be defined in terms of social rules, physical barriers, or informational restrictions.

For example, consider a busy executive with an administrative assistant who serves as a gatekeeper, deciding who will be allowed to interact personally with the executive and who must leave a message with the administrative assistant. In this scenario, the visitor is the subject and the executive is the object. The administrative assistant serves as the access control system, restricting what individuals (subjects) may access the executive (object).

Consider another scenario that is a bit closer to home. When you leave your house, you lock the doors. The locked door physically restricts access by

anyone without a key to the assets stored inside your house—your TV, computer, and stereo system. When you come home, you unlock the door and replace the physical restriction of the locking mechanism with a human gatekeeper who decides whether or not to let someone enter the house.

What would happen if data were freely available? After all, open source software has certainly made a convincing case for open information. What if the data in question is your company’s payroll file? If that file is unsecured, anyone could open the file and obtain sensitive information, including your Social Security number and annual salary. Think of the chaos that would ensue if a disgruntled employee decided you did not deserve the money you made, and reset your salary? Data is one of the most valuable assets an organization possesses. IT professionals must invest time and energy in appropriately securing it.

What do executives, deadbolts, and payroll have to do with IT? They are physical counterparts to the technical access control systems that we use to protect digital and electronic resources—sensitive files, servers, and network resources. You might not have specific, documented rules for access when it comes to which visitors you allow into your home, but information systems use formalized systems to grant or restrict access to resources. Computers are not very good at making intuitive decisions, so you have to lay out specific rules for them to follow when deciding whether to grant or deny access.

What Is Access Control?

Access control is the formalization of those rules for allowing or denying access. Access controls define the allowable interactions between subjects and objects. It is based on the granting of rights, or privileges, to a subject with respect to an object.

Principal Components of Access Control

There are three principal components of any access control scenario:

Policies—The rules that govern who gets access to which resources

Subjects—The user, network, process, or application requesting access to

a resource

Objects—The resource to which the subject desires access (e.g., files, databases, printers)

Any time you have to decide whether to allow or deny access by a subject to a resource, you have entered the access control problem domain.

Access Control Systems

A well-defined access control system consists of three elements:

Policies—Clear statements of the business requirements regarding access to resources

Procedures—Nontechnical methods used to enforce policies

Tools—Technical methods used to enforce policies

Organizations typically use procedures and tools together to enforce policies. For example, most companies have strict policies to determine who has access to personnel records. These records contain sensitive and confidential information that could be used to inflict serious harm on individual employees and the company as a whole if those records were compromised. The policy may state that only employees within the human resources department, with a specific need for the information contained within a given record, may have access to it.

To enforce this policy, the company has procedures that state that a record can be given only to employees with the proper credentials (the authentication process) who fill out a form stating their specific need for the information contained in the record they request. When the request is approved, the employees may be given a username and password to access the employee records intranet site (the authorization process). The intranet site, along with the username and password, is the tool required to grant access to personnel records.

Access Control Subjects

The subject in an access control scenario is a person or another application requesting access to a resource such as the network, a file system, or a printer.

There are three types of subjects when it comes to access control for a specific resource:

Authorized—Those who have presented authenticated credentials and have been approved for access to the resource

Unauthorized—Those who have presented authenticated credentials but are not approved for access to the resource

Unknown—Those who have not presented authenticated credentials

Every individual who initially approaches an access control system is unknown until he or she attempts to authenticate. For example, someone might be asked to provide a username and password. If the user does not provide the correct password, the system still does not know who the user is and he or she retains unknown status. On the other hand, if the user’s password is correct, the system now knows with certainty who the user is and must check to see if the user is authorized to access the requested resource. Someone allowed to access the resource moves to the “authorized” state. Otherwise, the user is still known, but now moves to the “unauthorized” state.

This process is known as AAA (or “triple A”) security and involves three components:

Authentication—Ensuring users are who they claim to be

Authorization—Ensuring that an authenticated user is allowed to perform the requested action

Accounting—Maintaining records of the actions performed by authorized users

Users are not the only subjects in access control systems. Technological resources may also serve as subjects. For example:

Networks—A network is a subject when a resource on one network requests access to a resource on another network. A firewall rule that authorizes access to the Internet might use the internal network as a subject, with the Internet as the object.

Systems—A system is a subject when one system requests access to resources on another system or on the network. This usually happens when a PC attempts to access a printer across the network.

Processes—A process is most commonly a subject when an application process requests low-level access to the file system.

Applications—An application can be a subject when it attempts to access other resources on the same computer or over the network.

Technology subjects may use password authentication or may rely upon other forms of identification and authorization. For example, a network may be authenticated by its IP address.

Access Control Objects

There are three main categories of objects to be protected by access controls:

Information—Any type of data asset

Technology—Applications, systems, and networks

Physical location—Physical locations such as buildings and rooms

Information is the most common asset in terms of IT access controls. You put passwords on databases and applications to ensure that only authorized users can access them. Technology objects are just as important, because a malicious user can easily compromise the integrity of data by attacking the technology that stores and uses it. If an unauthorized user gains access to a file server, that user can easily steal, delete, or change the data stored on the file server.

Physical security is the process of ensuring that no one without the proper credentials can access physical resources, including hardware and physical

locations. If all the servers require a password to log on, why bother restricting who can enter the server room? The answer is simple—if a malicious user’s goal is to bring down a server, they don’t need to log in. All they have to do is unplug it, steal it, or destroy it.

NOTE

Consider an automated teller machine (ATM) in a mall. That system deals with highly sensitive data, but in order to fulfill its purpose it must be in an open, easily accessed area. In this type of situation, information-and technology-based access controls become doubly important.

Most server and network systems have “backdoors” that are available to anyone with physical access to the machine. These backdoors allow system administrators to take control of a server that has been corrupted. For example, an individual who is able to gain physical access to a network router can almost always take control of that device, even without knowledge of the correct password. Some locations, such as a server room, are controlled-access locations for the reasons just described. Others must have uncontrolled access in order to be useful.

Access Control Process

There are three steps to the access control process:

1. Identification—The process by which a subject identifies itself to the access control system

2. Authentication—Verification of the subject’s identity

3. Authorization—The decision to allow or deny access to an object

The second step usually happens behind the scenes, so the subject is really only aware of two stages: He or she enters credentials and is either given or denied access to a resource. Figure 1-1 illustrates the access control process using human interaction as an example.

Identification

The first step in any access control process is identification. The system must be able to apply labels to the two parts of the access equation: the subject and the object. In this case, a label is a purely logical description that is easy for the computer to understand. A human might easily recognize that “Beth” and “Elizabeth” are the same individual, but a computer cannot necessarily make that logical connection.

To make things simpler, you can assign a universal label to each subject and object. That label remains with that individual or resource throughout the life cycle of the privileged interaction with the object. The object also has a label to distinguish it from other resources. For example, a network might have six printers available, labeled “printer1,” “printer2,” and so on. A person’s label might be a user ID, his or her e-mail address, his or her employee ID, or some other unique identifier.

FIGURE 1-1

The access control process.

The key is that each label must be unique, because it also provides accountability. When combined with the authentication system (which correlates the identified subject with the resources they are allowed to use) and system logging facilities, unique labels correlate subjects with their actions. This becomes especially important when trying to track down the cause of a system failure. This correlation relies on the trust between the

subject and the access control system. If you do not trust that subjects are who they say they are (and this trust is predicated on proof), the use of a uniquely identifying label is pointless.

NOTE

Trust is a two-way street. The system must trust that a subject has not falsified his or her credentials, but at the same time the subject must be confident that the system will store those credentials securely. If a system stores usernames and passwords insecurely, they can be stolen and used to impersonate legitimate users. This destroys the integrity of the entire access control system.

Authentication

Authentication builds upon identification by requiring that the subject provide proof of its identity. There are many ways to authenticate a subject. The most common ones are:

Password—A secret word or combination of characters that is known only to the subject. A good password is difficult to guess but easy for the subject to remember.

Token—Something the subject has that no one else does, such as a smart card or a challenge-response device.

Fingerprint scan—Optical analysis of a person’s fingerprint compared to a recorded sample to verify identity.

The key to both a password and a shared secret is secrecy. If the subject shares its password or shared secret information with someone else, the authentication system becomes less secure and the ability to correlate an action to a subject becomes less precise. Many companies regulate this problem with a policy that an employee is personally responsible for anything done under his or her credentials. If an employee shares his credentials with a friend, for example, he is personally responsible for anything the friend might do.

Most authentication systems require only a single authentication factor, but those protecting highly sensitive assets might use multiple factors. The three most common factors are:

Something you know—Generally a password or shared secret

Something you have—A token or smart card ID badge

Something you are—Fingerprints or other biometric factors

The last two factors are often used to provide or restrict physical access to secure buildings or rooms within buildings, although they can be used in access control systems protecting data as well. You will learn more about all three authentication factors later in the chapter.

Confidence in any authentication system can be measured by two components: the confidence in the accuracy of the authentication mechanisms and the number of authentication factors. A retinal scan (which is a biometric method) is inherently more secure than a simple password because it is much more difficult to copy or steal an eyeball than it is to guess or steal a password. Using more than one authentication factor increases the security of the system, because if one stage of the authentication system is compromised, the second can still restrict access to those who do not have the proper credentials. This is referred to as “two-factor authentication.”

Authorization

Once a subject has identified itself and the access control system authenticates the subject’s identity, the access control system must determine whether the subject is authorized to access the requested resources. Authorization is a set of rights defined for a subject and an object. They are based on the subject’s identity. For example, a manager in the human resources department might be authorized to view personnel records but not authorized to edit the year-end financial report.

Authorization rules can be simple—anyone with a username and password on the system can access the information stored there. Authorization rules can also be complex, depending on the value of the resources being protected and

the number of people needing access.

In a small organization with a high level of trust between the users and resources that are not sensitive, a simple authorization system is reasonable. An enterprise system with a mixture of highly sensitive data and open printers on the same network needs a more complex authorization system. In this case, you might design a system with multiple levels of authorization—a low-level employee might be given rights to the printers, while a manager would have rights to the printers and some areas of the file system. High- level executives might have all the rights of a manager, as well as rights to view sensitive information. How you define your authorization rules depends upon business needs and the sensitivity of the resources.

Logical Access Controls

Most IT professionals spend their time focusing on logical access controls: the tools used to provide identification, authentication, and authorization for computer systems. While they may be involved in other areas of access control, the nature of logical controls requires a good deal of IT attention.

Logical Access Controls for Subjects

Logical access controls can be based on one or more criteria, including:

Who—The identity of the subject, proven by a username and password combination or other authentication technique

What—The type of access being requested

When—Combined with subject identity, access can be granted during one time period and denied at another time

Where—Either physical or logical location

Why—The defined purpose for which access must be granted to a subject

How—What type of access can be granted to a subject

You should take each of these criteria into account when designing an

authorization system.

Who

The “who” criterion is the most intuitive, as discussed above. One subject may be given access while another is denied.

What

The decisions made by authorization systems must also factor in the type of access being requested by the end user. The object of the authorization request is significant. For example, you might create different access controls around a customer price list on one hand and a listing of your top ten accounts and the revenue generated from each on the other.

When

Time profiles can be a useful way to prevent an authorized user from using resources for unofficial purposes. For example, an employee may be legitimately authorized to use a network printer, but it should raise questions if that employee begins to print jobs outside of normal business hours. This could mean that the employee is working overtime, or it could be an indication that he or she is using company resources for personal projects. Time profiles are also used when a user has a limited amount of time to perform an action. For example, a journalist may only have until 1 p.m. to submit his or her story for the evening newscast. Restricting the journalist’s access to the story submission system after 1 p.m. prevents the journalist from turning in the story late and forcing the editing staff to scramble to fit the story in.

TIP

If you must use time profiles to meet business needs, design the system to be easy to modify for special cases such as overtime or a breaking news story.

Where

Location can be another way to ensure that only authorized users access

resources, and that those users are performing legitimate tasks. You can determine location either logically or physically.

“Logical location” refers to the Internet Protocol (IP) address or Media Access Control (MAC) address a user connects from.

TIP

“Why does this user need access to this resource?” This is a question you should ask every time you design a set of access controls. Every user should have a well-defined purpose related to his or her job function in order to gain access to resources.

“Physical location” is more obvious—within a certain building or secured facilities. If a user attempts to access resources from his or her corporate laptop on the company network, the system grants access. The same user could try to access those resources from his or her home PC and be denied. This type of restriction is often used with highly sensitive information. If an employee decided to work from the local coffee shop and accessed a confidential file, another patron at the coffee shop could “sniff” that transmission and gain access to confidential information. Restricting access by location ensures that sensitive data is sent only over trusted, secure networks.

How

Once you evaluate all of the above criteria, you can determine how the user will access a resource, that is—what type of access you need to grant. There are four basic access levels:

Administrative—The ability to read, write, create, and delete files

Author—The right to read and write to his or her own files

Read only—Can read but not edit files

No access—Complete denial of access

In some systems, you can define these four access levels with more granularity, but every system includes them.

Group Access Controls

Access controls may often be more efficiently managed through the use of role-based groups. This is especially true in large organizations. Rather than deciding and assigning rights to each individual within an enterprise, you cluster individuals into groups based on department, job title or role, or some other classification.

You can assign individuals to several groups. For example, every person within an enterprise may be a member of the Employees group, with read access to the company intranet and an account on the time card system. A manager might also be a member of the Managers group, and have write access to his or her department’s page on the intranet as well as read access to each of his group’s time card reports. Employees on the corporate retreat committee would have their normal levels of access as well as access to files related to the corporate retreat, regardless of their other job functions. A manager might not have access to those files, despite the fact that employees below him do.

NOTE

Granting access by groups rather than individuals does not reduce individual accountability for activities. An individual still needs to log in with a unique username and password, and the log files catalog actions by username, not by group.

Group access rights are a way of simplifying the management of the rules. When an employee changes roles within an organization, you merely have to change his or her group membership rather than altering the employee’s individual access rights. Similarly, when you create a new resource and want to grant access to a particular role, you can do that using the group mechanism and you don’t need to list all of the individual employees.

Logical Access Controls for Objects

So far you have focused primarily on subjects and access controls. Now you will examine how objects fit into access controls. The biggest difference between a subject and an object is passivity. A subject is active—it acts upon a passive object. An object must contain something of interest to the subject. This is usually information, but can be non-informational as well. Consider a printer. It is passive in that it is the target of a print request and does not generally initiate new contact with the subject after the print job is complete. It contains, or rather produces, something of value—a hard copy of digital information. Printers, however, do not usually have a high level of granularity. They receive a print request and process it. A server, however, can have many elements that must work together to supply the subject with the information it requests.

You can define objects at many levels, depending on your business needs. Some examples of objects include:

Data element—This is the lowest level of granularity for information- based assets. For example, if a database table contains a Social Security number, you may need to place special restrictions on that data element.

Table—You may also define a database table as an object. You could grant users access to tables containing employment information, order information, or other types of information based upon their roles in the organization.

Database—You can also define an entire database as an object. For example, you might grant all employees read-only access to the entire product information database, and give product managers write access to certain tables or rows within that database.

Application—An application is also an object. You might wish to grant some users the ability to run an application, while denying it to other users. Applications may also implement their own access control systems that restrict use of individual components of the application. For example, an administrative user within the application may see a menu that allows them to add or delete other users. A basic user would see this menu and would not have access to that functionality within the application.

System—A system is also a security object. For example, you may restrict

access to the CEO’s laptop so that only the CEO and his or her administrative assistant have permission to log on to it.

Operating system—This provides various user modes, such as privileged or superuser mode, user mode, and guest mode. It also governs configuration files and log files. The operating system also provides write protection on files, subdirectory permissions, and restrictions on the ability to create, delete, access, or execute new files or directories.

Network—This provides access restrictions for resources stored on the network or on a subnetwork. It provides the ability to traverse network connections and restricts external access, either inbound or outbound.

In real-world applications, these levels may work together or separately to provide access rights to resources. A simple example is an application (in this case, the application is the subject) that needs to work with data stored in the database (the object). It makes a request through an application programming interface (API), which handles the communication between the application and the database.

FIGURE 1-2

An example of access rights in action.

A more complex example is that of a user who needs to modify a data file stored on a file server across the network (Figure 1-2). In this case, the user (subject) logs into the operating system (object 1) and requests access to the file server across the network (object 2). The system layer on the file server

(object 3) checks the user’s credentials against its rules to determine if the user has no access, read-only, read/write, or administrative access to the particular data file requested.

Authentication Factors

As described earlier in the chapter, an authentication factor is a way of confirming the identity of the subject. The three primary authentication factors are:

Something you know—Secret knowledge, such as a password

Something you have—A token or device

Something you are—Unique physical characteristics, such as those that can be detected by a retinal scan

Most authentication systems rely solely on the first factor, implemented as a username and password combination. For access to highly sensitive data, you might combine the first two factors, requiring a token just to access the login screen, where the user would enter his or her username and password. The most sensitive data is protected by all three factors. For example, the United States military uses Sensitive Compartmented Information Facilities (SCIFs). Just to walk through the door of a SCIF requires recognition of identifying characteristics such as a retinal or fingerprint scan (the “something you are” factor), swiping an ID badge (the “something you have” factor), and typing in a PIN (the “something you know” factor).

Something You Know

A password is the most common authentication tool. Many people use passwords every day to check e-mail, log into online banking, and use the ATM. The biggest challenge facing administrators of password systems is convincing users to use strong passwords. Users are concerned primarily with convenience. Ideally, you would prefer to have a simple, easy-to-remember password. However, simple passwords or ones based on your name or a dictionary word are also easy for malicious users to guess. An easily guessed password is almost as unsecure as no password at all.

To address this problem, you need to set password requirements on length and composition. For example, you could require that a password have at least eight characters, and that they must contain a combination of uppercase and lowercase characters, as well as numeric or punctuation characters. This system ensures strong passwords, but you might have difficulty remembering them. Because users are primarily concerned with convenience, not with the security of the system, they often write down difficult passwords and post them in obvious locations. A malicious user with physical access to your work space can easily find the desired password.

TIP

One solution to the password problem is the use of a passphrase, such as “INeedToRememberASecurePassword.” It is longer than a typical password, but easier for a human to remember. In systems with maximum password lengths, you can use a passphrase as a mnemonic device to remember complicated passwords. For example, the passphrase “Anyone for some tennis?” could be a reminder for the highly secure password “ne14+10s.”

In addition to addressing password complexity, it is also important to remind users that they should use a separate password for their work account and any personal accounts they may have. One of the most significant security risks facing organizations today is the risk that another Web site, not associated with your company, could be compromised and the attacker could gain access to an improperly protected password list. The attacker may then try logging in to your site with the usernames and passwords on the list. If users have used their work password on other sites, chances are that, with a big enough list, an attacker will stumble upon an active account

Something You Have

Used alone, a physical token or device is generally used to provide physical security. Think of a smart card ID that you wave in front of a reader to gain access to specific floors of an office building. Tokens are also used in conjunction with passwords to provide logical access controls. Tokens can take a variety of forms such as the smart card or a time-variable token such as RSA’s SecurID.

Time-variable tokens change users’ passwords at regular intervals, usually every 30 to 60 seconds. Users have a physical device that tells them what their password is set to at the moment they need to log in. This two-stage authentication process ensures that passwords are not guessed or stolen—and if they are, damage is limited because the password is valid for only a brief period of time.

Possession of the physical device or token is the only way to retrieve the current password. Because the token could be lost or stolen, this type of authentication requires a two-stage login process. For example, a user activates the token to find her active password. She enters the password, along with her username, and is granted access to a secondary login prompt. At this second prompt, she enters a conventional password that does not change. In this way, if the user’s conventional password is guessed or stolen, a malicious user would not have the token and would not be able to access the secondary login prompt to enter the stolen password. If the token is lost or stolen, a malicious user is stopped at the secondary login prompt because he or she presumably does not also have the user’s conventional password.

Challenge-response tokens are similar to time-variable tokens. An authentication system using this type of token will begin with a code (the “challenge”), which the user enters into the token device. The token provides another code (the “response”), which the user enters into the authentication system. Assuming that the response code is correct, the user will be granted access to the secondary login system, where he or she enters a conventional username and password. The challenge is chosen randomly and the token must provide the correct response. This reduces the possibility that an attacker will be able to predict a challenge and generate a response in advance if he or she has temporary access to a token.

Something You Are

This is the most advanced as well as the most time-tested of the three primary authentication factors. It relies upon either physical or behavioral characteristics. Humans have been using characteristics to authenticate each other for millennia. Consider an infant who recognizes its mother or other primary caregiver. The infant uses visual cues, scent, and the sound of the caregiver’s voice to authenticate the caregiver’s identity and determine

whether to settle or scream.

Biometrics is the study of physical human characteristics. Access control systems use biometrics to accurately identify and/or authenticate an individual. There are two primary types of biometric authentication systems: physical and behavioral. Physical biometrics read physical characteristics, such as fingerprints, retinal scans, hand geometry, and facial recognition. Physical biometrics are highly reliable because they measure characteristics that are unique to each individual. Even identical twins do not have the same fingerprints or retinal scans.

NOTE

Biometrics, which includes fingerprints, retinal scans, and so on, is an important “something you are” authentication factor.

Behavioral characteristics may include tempo or speed of typing (or keystroke dynamics), writing rhythms, and voice recognition. Behavioral biometrics requires a significant “training period” for the system to “learn” a legitimate user’s behavior patterns. They are also much more subject to error than physical characteristics.

CHAPTER SUMMARY

In this chapter, you learned the basics of access control. The purpose of access control is to regulate interactions between a subject (such as a human user) and an object (such as data, a network, or a device). The key difference between the subject and the object is passivity: The subject acts upon a passive object. There are three key components of access control: identification, authentication, and authorization. First, both the subject and object must be identified. Second, the subject’s identity must be proven or authenticated. Finally, the authenticated subject is authorized to act upon the object. You can establish logical access controls for individual subjects, groups of subjects, and objects.

Authentication methodologies are based on three factors: something you know, something you have, and something you are. Once the subject is identified and authenticated using one or more of these factors, the

authorization system grants access to an object based on a specified rule base.

KEY CONCEPTS AND TERMS

Access

Access control

Authentication

Authentication factor

Authorization

Biometrics

Identification

Object

Passphrase

Password

Physical security

Policy

Procedures

Shared secret

Subject Token

Tool

CHAPTER 1 ASSESSMENT

1. The three principal components of access control are ________, subjects,

and objects.

2. The subject is always a human user.

A. True

B. False

3. Which of the following describes technical methods used to enforce policies?

A. Access control

B. Procedures

C. Tools

D. Physical security

E. Authentication

4. An organization typically uses procedures and tools together to enforce policies.

A. True

B. False

5. The three states of a subject in an access control scenario are authorized, unauthorized, and ________.

6. Physical security is typically the responsibility of the IT department.

A. True

B. False

7. What is the first step in the access control process?

A. Logging in

B. Authorization

C. Authentication

D. Identification

E. Access

8. Which of the following is an example of the “something you know” authentication factor?

A. Username

B. Token

C. Password

D. Retinal scan

E. Access control list

9. Which of the following is an example of “something you have”?

A. Username

B. Token

C. Password

D. Retinal scan

E. Access control list

10. Which of the following is an example of “something you are”?

A. Username

B. Token

C. Password

D. Retinal scan

E. Access control list

11. Authorization rules can be as simple or complex as business needs require.

A. True

B. False

12. The four basic access levels are ________, author, read only, and no access.

13. Assigning group access controls eliminates individual accountability.

A. True

B. False

14. The two types of biometric authentication methods are ________ and physical.

CHAPTER

2 Assessing Risk and Its Impact on Access Control

RISK ASSESSMENT IS THE CRITICAL first step in designing an access control system. The risk assessment process allows you to identify potential threats and vulnerabilities within the existing system, prioritize them, and determine ways to minimize or mitigate those risks. A good risk assessment takes into account both the value of the assets to be protected and their impact on the overall organization.

Chapter 2 Topics

This chapter covers the following topics and concepts:

What terms and concepts are involved with risk assessments and access control

What threats and vulnerabilities are

How value, situation, and liability affect risk assessments

What some case studies and examples are

Chapter 2 Goals

When you complete this chapter, you will be able to:

Define the key terms and concepts relating to risk assessment

Explain the difference between a threat and a vulnerability

Understand how value, situation, and liability affect risk assessment

Use case studies and examples as models of risk assessment

Definitions and Concepts

Risk is a fact of life. There is no such thing as risk-free activity. Even the most mundane activities, such as walking across your living room, could be risky if, for example, you trip and fall. In IT, we attempt to minimize risk where we can and mitigate the rest.

Before continuing, let’s define some of the key terms you’ll see in this chapter:

Risk—This is the probability that a particular threat will exploit a vulnerability causing harm to an organization; risk is measured in terms of probability and impact.

Asset value—Asset value is the relative value, either in monetary terms or in qualitative value, of the resource being protected by the access control system.

Threat—A threat is a list or description of potential attacks on an asset.

Vulnerability—This is an unintended weakness in a system’s design. A vulnerability makes it possible for an attacker to take control of a system, access resources to which he or she is not authorized, or damage the system in some way.

Probability of occurrence—This is the likelihood that a threat will exploit a vulnerability.

Impact—This is the impact on an organization should a risk materialize.

Control—This is a technical, physical, or administrative process designed to reduce risk.

Risk assessment is the crucial first step in designing any access control system. In a risk assessment, you determine which risks exist in your environment or may occur in the future. You can measure the level of any risk by calculating the probability of occurrence and the potential impact on your environment. The following standard equation determines the level of each risk:

Risk = Probability × Impact

Knowing the level of risk helps you take appropriate steps to prevent the risk or mitigate it. For example, in most cases it’s probably not necessary to design a highly secure, three-stage access control system to protect a desktop printer. The probability that a desktop printer would be exploited is fairly low, and the overall impact of such an exploitation is similarly low. By the same logic, a simple username and password logon system would be inadequate to protect top-secret military documents.

NOTE

You’ll learn about types of risk assessments later in this chapter.

In most organizations, risk is not a single problem that can be solved once and then ignored. It is also not just an IT problem. Risk is a multifaceted issue that affects every part of the organization. A user can create a highly secure password, but the system protected by that password is not considered secure if user passwords are not stored in a secure manner, or if numerous operating system or application-level vulnerabilities allow an attacker to go around the access control system.

FYI

The most effective way to determine which threats are relevant to a given situation is to draw on a combination of research, experience, and brainstorming. Case studies are a good way to understand best practices and missteps to avoid for a given topic. The case studies in this chapter illustrate real-world examples of systems that have been attacked, which could have been avoided with the proper security measures in place.

Threats can take many forms, depending on the nature of the system under attack. Some systems, such as Web servers, are most vulnerable to denial of service (DoS) attacks. Servers that contain sensitive data are more susceptible to data theft and user impersonation attacks. Networks and individual workstations are most often threatened by attackers who gain access to them as a stepping stone to other, more valuable resources such as servers and databases.

Vulnerabilities are the weaknesses in a system that allow an attacker to gain access. Vulnerabilities are often obscure bugs in application or operating system code that allow attackers to gain access to low levels of the file system, but they can also take more obvious forms. Weak passwords and lax physical security measures are also vulnerabilities because they allow attackers to gain access to a system.

TIP

Case studies and background experience can help you identify threats. However, thinking like an attacker is a highly useful way to perceive potential vulnerabilities. If you can look at your infra structure from the point of view of an attacker, you may be able to see possible weaknesses and strengthen those areas before an attacker finds them.

Probability of occurrence is a crucial aspect of risk assessments. In an ideal world, organizations would mitigate every possible vulnerability, but time and resources can be limited. It does not make sense to devote excessive resources to mitigating a vulnerability that has a very low probability of occurrence, while ignoring a vulnerability with a much higher probability. For example, if a security alert is issued concerning a certain virus that’s spreading across the Internet, the probability is high that your systems may be compromised. It makes sense to devote time and resources to scanning your systems for that virus and taking appropriate measures to eliminate it.

Impact describes the potential consequences of an attack. A scenario with a high probability but low impact is a lower priority risk than one with a high probability and high impact.

For example, a virus that has already infected computers in hundreds of other organizations, costing them millions of dollars in lost productivity and lost data, has a high probability (because it is actively spreading) and a high impact (lost productivity and data). This virus would have a high-risk rating. On the other hand, a badly crafted phishing e-mail that asks the reader to click a link that downloads a 10-year-old virus has a low probability (because most people will recognize it as a fake and delete it) and a low impact (the antivirus software installed on a computer will stop a virus that old). Most risks fall somewhere in between, as shown in Figure 2-1. Using a

visualization, such as the one shown here, is a great way to help management understand risks. This process simplifies the risk management process down to, “Start in the upper-right corner and begin addressing each risk, working your way down to the lower-left corner.”

FIGURE 2-1

Risk = Probability × Impact matrix.

IT professionals put controls in place to lower both the probability and impact of a risk. A control, as you just read, is a technical, physical, or administrative process designed to reduce risk. The most useful controls strike a balance between the cost of implementing the control—in terms of actual financial cost and in lost productivity—and the value of the asset being protected. A firewall, for example, adds maintenance and configuration costs to your organization. If the assets behind the firewall are valuable, such as a file server or database storing sensitive data, the cost may be justified.

Controls do not have to be technology-based. Training employees on handling sensitive data is another valuable control because it could lessen the risk of a social engineering ploy. Although employee training is a strategic initiative that takes time and resources to execute, it is an effective method to reduce security breaches and often well worth the investment.

Threats and Vulnerabilities

In this section, you’ll learn about access control threats and vulnerabilities, and how to assess their impact. Access control threats are not something that

can be 100 percent eliminated because new ones are constantly being devised. Instead, security professionals try to minimize their probability and impact by eliminating as much vulnerability as possible. In order to correctly prioritize efforts at mitigating threats and vulnerabilities, we perform risk assessments to accurately decide which threats represent the biggest impact to resources and data.

Access Control Threats

There are three primary threats to any access control system:

Password cracking—Guessing or deciphering passwords

Heightened access—The ability of an attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access

Social engineering—The use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to the attacker

Password Cracking

Password cracking is a constant game of cat and mouse within IT security. Security administrators set password rules to guarantee that users create secure passwords, and attackers use a combination of brute force and sophisticated algorithms to break those passwords. Security administrators respond by modifying their password policies, and the cycle begins again. Security administrators are hampered by the users’ need for convenience, while attackers are limited only by time and computing cycles.

For example, suppose the security administrator at XYZ, Inc. implements a typical password security policy. The policy states that passwords must be a minimum of eight characters long and may contain uppercase letters, lowercase letters, and numeric characters. This policy ensures that there are at least 628 or 2.18340106 × 1014 possible combinations, as shown in Table 2-1.

TABLE 2-1 Possible combinations of characters.

TABLE 2-2 Time required to break passwords of different lengths.

All these permutations are designed to increase the time it takes for an attacker to crack a password. An attacker uses an application designed to generate all possible permutations of case-sensitive alphanumeric characters and a simple script that inputs a known (or guessed) username with these generated passwords to the access control system. If an attacker’s password guessing application can try 100,000 passwords per second, it will take a matter of days to break a very simple password, or thousands of years to break a complex one, as shown in Table 2-2.

Given enough time, the attacker will eventually find a valid username and password combination, thus breaking into the system. The role of a security

administrator is to identify this vulnerability and modify the password creation policy to require a longer minimum length and the use of at least one non-alphanumeric character. This does not necessarily make it more difficult for the attacker to break in—the attack is not really difficult to begin with because the cracking software does all the work behind the scenes. However, the longer, more secure password policy simply makes the process take longer. The goal is to push the time frame beyond one of two limits:

The time it takes for the security administrator to realize the attack is occurring and disable the account under attack

The expected lifespan—or at least the attention span—of the attacker

Even with the most sophisticated computing equipment available, it can take years or decades to crack a strong password. However, computer manufacturers are constantly developing more powerful systems, so a password that takes an average of 10 years to crack today may only take a few months to crack five years from now.

Heightened Access

Continuing with the example in the last section, once the attacker cracks a user’s password and can log into the system, the next step is to obtain heightened access. Chances are the really valuable assets on a system— sensitive data, for example—are protected by file and group permissions that do not allow every user on a system to read or write to them. However, attackers can exploit vulnerabilities in the operating system as well as within application code to achieve access levels normally denied to the user they are logged in as. You’ll learn about these vulnerabilities in more detail in the next section.

Social Engineering

Social engineering is the single most common strategy attackers use to compromise secure systems. Social engineering is any strategy that tricks a user into giving up his or her password or granting access to an attacker.

Not all social engineering tactics are technological. In fact, some of the most

effective tactics are the simplest and exploit people’s general sense of trust and helpfulness. How many times have you held the door open for someone following you into a building? It is simply the polite, helpful thing to do. In a public place, such as the local mall, there is no security threat from such a simple act. But in a corporate environment where access to buildings or floors is limited to authorized personnel, simply holding the door open for someone could be a serious security breach.

NOTE

Phishing is a very common social engineering tactic in which the attacker creates an authentic-looking e-mail or Web page that convinces users to enter their confidential information or install software on their computer that secretly records information and sends it back to the attacker.

Consider the following scenario: It is 8 a.m. on a typical Tuesday morning. Hundreds of people are filtering into the office to begin their work day. To enter the building, you must swipe your smart card ID badge. The person behind you has his hands full with his briefcase, coffee cup, keys, and a box of doughnuts. He smiles and asks you to hold the door. “Sure, no problem,” you answer as you hold open the door for him, assuming he is a fellow employee. He nods his head, smiles again, and thanks you as he heads confidently into another area of the building. This particular threat, where one person uses the successful authentication of another to gain access to a facility, is known as tailgating or piggybacking

NOTE

A smart card ID badge has an embedded radio frequency identification (RFID) chip that stores basic identification and authentication information.

As you turn on your computer and check your morning e-mail, the person who followed you into the building roams the hallways looking for unlocked offices and unsecured workstations. Often, employees keep sensitive information on their desks, which could help an attacker obtain access to assets stored on the corporate network.

Access Control Vulnerabilities

Vulnerabilities are the weaknesses in any security system that make a threat threatening. Without a vulnerability, a threat is simply a theoretical danger. For example, you live with the risk of electrocution every time you turn on the lights. The threat in this scenario is the electrical current running through the wires in your home. The vulnerability here is potentially bad wiring. If the wiring is bad, you could get a shock when you turn on the lights. However, if you were to build a home without that vulnerability—without wiring—you would face virtually no chance of electrocution. Yes, in theory you could still be electrocuted if lightning were to strike you while sitting in your electricity-free home, but the probability of that occurring is low enough to be insignificant.

The primary vulnerabilities you need to mitigate to avoid a password- cracking attack are insecure passwords and insecure storage. Users want passwords that are easy to type and easy to remember. Unfortunately, these parameters do not usually lead to passwords that are difficult to guess or crack.

NOTE

Microsoft Windows XP used a weak hashing algorithm to store passwords up to 15 characters in length. The algorithm converted the password to all uppercase, then divided it into two fields, which were encoded separately. This allowed attackers to crack each half of the password separately using lookup tables.

Even the most secure password is worthless from a security standpoint if it is stored insecurely. Some applications store user passwords as plain text, either in a database or a flat file. This is becoming less common, but you may still run into this situation with legacy code. The more common problem is insecure password hashes. Most passwords are stored in an encrypted form. To decide whether the password entered by the user matches what the system has stored, the user-entered password is passed through a hashing algorithm. If this hashing algorithm is weak, an attacker can steal even the most secure password easily.

The most common vulnerabilities that allow an attacker to obtain heightened access are insecure applications that are run at too high of a privilege level. A

common example of this problem is a Web server such as Apache or Microsoft Internet Information Services (IIS) that is run as the administrative or root user. Often, when installing an application, a system administrator may be tempted to run the application under a privileged user account. This prevents problems when the application tries to write to the file system or access the network, but it also makes that privileged user account vulnerable to attack.

Ultimately, the biggest vulnerability in any access control system is its users. As discussed in the previous section, people generally want to be helpful and trusting, which makes them perfect targets for social engineering. Thorough and repeated training is the best defense against social engineering.

Risk Assessment

Once you’ve identified the threats and vulnerabilities facing an organization, you should turn to a formal risk assessment process that identifies the priority of addressing each risk. You may choose to do this by performing either a quantitative risk assessment or a qualitative risk assessment.

Quantitative Risk Assessment

In a quantitative risk assessment, you rely upon numeric data and calculations to identify and rank the risks facing an organization. You first need to identify several items:

You must first determine the asset value (AV) for each asset in your scope of work. This is normally done as a dollar value that may be determined based upon:

Replacement cost—What would it cost the organization to replace the asset if it were damaged or lost?

Purchase cost—What did it cost the organization to obtain the asset in the first place?

Depreciated cost—This is the original cost reduced by an aging factor.

You next determine the exposure factor (EF) for each risk/asset pair. This is the expected amount of damage that an asset would incur if a risk materialized. The exposure factor is normally described as a percentage. For example, if you expect that a burglary at your data center would result in 5 percent of your equipment being stolen, your exposure factor is 5 percent.

NOTE

You calculate ALE by multiplying the SLE by the ARO with the following formula:

ALE = SLE × ARO

Using the database with 1,000 records discussed above as an example, the SLE is $50,000. If we expect that the database will be compromised twice per year, the ARO is 2, and the ALE is $100,000:

$50,000 × 2 = $100,000

You then identify the annualized rate of occurrence (ARO) by determining the likelihood that a risk will occur in a given year. You write this as the number of times you expect that the risk will materialize in any year. For example, if you expect two robberies per year, your ARO is 2. If you expect one robbery every five years, your ARO is 0.2.

You then calculate the single loss expectancy (SLE) by multiplying the asset value by the exposure factor. This gives you the amount of money you expect to lose each time the risk materializes and is represented by the formula: SLE = AV × EF

Finally, you compute the annualized loss expectancy (ALE), or the amount of money you expect to lose each year to a given risk, by using this formula: ALE = SLE × ARO

Organizations that perform quantitative risk assessments can begin with those risks with the highest ALE. If you can find a way to control the risk where

the cost of the control is less than the ALE, it is normally appropriate to implement that control.

Qualitative Risk Assessment

Qualitative risk assessment processes rely upon expert opinion rather than cold, hard math. When performing a qualitative assessment, you ask an expert or group of experts to estimate the probability and impact of each risk/asset pair. You may then use this information in a manner similar to the way a quantitative risk assessment uses ALE to evaluate the types of controls you should put in place.

Risk Management Strategies

Once you have identified and prioritized your risks, you can move on to managing them with appropriate action. You have four basic options when performing risk management:

Risk avoidance—In this approach, you simply change your business activities so that you no longer incur the risk. For example, if you are concerned about the risk of a fire in your data center, you might choose to shut down your data center! Risk avoidance is not always practical, for obvious reasons.

Risk acceptance—You may choose to acknowledge that a risk exists but deliberately decide to take no action because the costs of other risk management strategies outweigh the benefit.

Risk mitigation—This is the strategy most commonly used by IT professionals.

In risk mitigation, you implement controls designed to lessen the probability and/or impact of a risk.

Risk transference—In the final risk management strategy, you transfer the risk to a third party. The most common example of this is purchasing insurance.

You can take any possible response to a risk and classify it into one or more of these basic strategies.

The Importance of Using a Structured Approach to Risk Assessment

It is important to use a structured approach to any risk assessment. Without an underlying system, it is easy to become too subjective and assign every scenario a high risk rating. For example, suppose you have been asked to do a risk assessment on the customer orders database for a manufacturing company. The cost of impact and the cost of replacement for that database are roughly one-third of the annual budget of the organization, so your initial reaction might be to call it a high level of risk. To mitigate this temptation, you should follow predetermined workflows and use risk assessment models.

Considerations for Designing a Risk Assessment

There are many risk assessment best practices to draw from. The most effective way to perform one depends upon the scope of the IT infrastructure and assets, as well as the business needs of the organization. Below are some ideas for you to consider while designing a risk assessment approach:

Create a risk assessment policy—This policy governs how risk assessments should be performed, both immediately and in the future. It also specifies how frequently to perform risk assessments and the appropriateness of each of the four risk management strategies—avoidance, acceptance, transference, and mitigation. Many companies create this policy after their first risk assessment.

NOTE

The four risk management strategies—avoidance, acceptance, transference, and mitigation—are important to keep in mind.

Define goals and objectives—This allows you to determine the success of the risk assessment. These will vary by organization, but might include things like “reduce the number of significant virus incidents to three per year.”

Describe a consistent approach or model—Using the same approach or

risk assessment model every time a risk assessment is performed is the only way to accurately define trends within the organization. For example, if the first risk assessment used a quantitative model, and the next used a qualitative model, it would be difficult to decide if the overall risk to the organization had gone up or down.

Inventory all IT infrastructure and assets—If no one remembers the router sitting behind a stack of boxes in the network closet exists, it is unlikely that the password to administer it will be changed regularly. It seems unlikely that a major component of IT infrastructure, such as a router, could be simply forgotten, but it does happen.

Determine the value (either quantitatively or qualitatively) of each asset—This value helps you prioritize risk mitigation projects.

Do You Have Servers in Your Walls?

A company ran a Novell server that never went down, and for years no one needed to work with it directly. It was located in a small wiring closet that was closed up during an office remodel. When an IT technician performed an inventory audit a few years later, he realized the server was missing. He knew it hadn’t been stolen, and was still running, because the functionality was available. Eventually he found the wires and followed them to a blank wall where the wiring closet had been. The company had to cut through the wall to get to the server. This could have been avoided had the company maintained a complete IT inventory and kept it up to date.

Determine a “yardstick” or consistent measurement to determine the criticality of an asset—This yardstick can be monetary value, as described above, or it can take into consideration the importance of an asset to the organization, or even whether a particular asset is mandated through industry regulation. The key is consistency. Without a standard way of determining criticality, it is impossible to really know whether the router that one member of the risk assessment team deemed “critical” is really more important than the server that another team member deemed “major.”

Categorize each asset’s place within the infrastructure as “critical,” “major,” or “minor”—This exercise is useful if your organization does not

have the resources (either time or budget) to thoroughly secure every asset in the infrastructure. This is very common, in fact. Most organizations have budgetary or staff limitations that preclude securing every single asset. In this case, a multilayered approach on the most critical or major components offers a reasonable overall level of security. You’ll learn about multilayered systems later in this chapter.

Because the risks faced by any given organization are unique to that organization, there is no one right way to conduct a risk assessment. Instead, consider the outcome of the risk assessment: What do you (or your manager) need to know? Often, a risk assessment is done to justify spending on IT security infrastructure. In this case, you would need to concentrate on the quantitative aspect of risk—how much a breach could cost the organization compared to the proposed investment.

Another common driver for risk assessment is an actual security incident. In this situation, your manager wants to know how likely it is that another incident will occur, and how your proposed solution will mitigate that risk. Here, a qualitative approach is more appropriate (although a cost analysis would also be an important aspect of the analysis).

Next, consider the assets you are trying to protect. What are they worth, both monetarily and in terms of impact to the organization? Ideally, every asset would be protected, but you should always weigh the cost of protection against the value of the asset. Unless a desktop printer has a deeply strategic importance to the organization, it is unlikely that the asset is worth enough to justify a sophisticated access control system. Such a system is expensive to implement and costs the user time and energy that is probably not justified. A database containing sensitive information that falls under governmental regulation, on the other hand, is important enough to justify significant efforts to protect it.

Value, Situation, and Liability

Once you have assessed the potential risks to a system, the next step is to design an appropriate access control system to mitigate those risks. In the following sections, you’ll first consider the financial aspect of risk. This is where you get the clearest picture of the worst-case scenario, the crisis you

are working to avert. You’ll then evaluate where access controls are most needed, and how secure those controls must be in order to protect the assets at risk. Finally, you’ll examine a multilayered approach to access control.

Potential Liability and Non-Financial Impact

You read about determining the financial impact of a security breach earlier in the chapter. Security breaches are not only a financial risk, however. Depending upon the information being protected, a security breach could also result in criminal prosecution. Governmental regulations of the health care and banking industries, for example, carry heavy criminal penalties as well as fines for companies that fail to prevent a security breach. If you are responsible for securing systems in a regulated industry, the financial impact of a loss is likely less of a concern than the non-financial consequences, such as prison time.

Where Are Access Controls Needed Most?

You cannot secure everything, so you must prioritize. At the same time, many resources can be grouped to share a single access control. For example, a single point of access control at the entry point of the network may be sufficient to protect all the assets on the network. Unless there is an asset of special importance stored on the network, it is unnecessary to place separate access controls on each asset.

A network diagram, such as the one shown in Figure 2-2, is a helpful tool in determining where to place access controls on a network. In Figure 2-2, each of the elements shown is an access control point. The workstations and servers all may have access controls limiting who may log on. The firewall has access controls limiting the traffic that may enter and leave the network. The switch may control which ports are able to view traffic. Finally, the printer may be restricted so that only certain users may access it.

FIGURE 2-2

Network diagram.

How Secure Must the Access Control Be?

Once you know where the access controls should be placed within the system, the next step is to determine how secure they must be. Again, you should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control. A high priority asset with a risk level of “high” justifies a more sophisticated (and probably more expensive and inconvenient) level of access control than a low priority asset.

In many cases, a simple username and password system is sufficient to protect the assets in question. For more critical assets, two or more layers of access control provide additional protection. For example, the U.S. government uses a multilayered approach to securing classified information. Classified documents may only be opened and discussed within areas defined as Sensitive Compartmented Information Facilities, or SCIFs. These areas have physical and informational security measures around the perimeter, including armed guards and smart card ID scanners. Once inside the SCIF, a user must provide a fingerprint or retinal scan, as well as a username and password to access the computers and files stored within the SCIF.

You may not ever deal with classified documents, but you should be able to design a multilayered access control system for sensitive information such as health records or banking information. In the private sector, the most common multilayered access control systems use a token or challenge- response device coupled with a username and password.

The Utility of Multilayered Access Control Systems

A multilayered approach to access control is one way to mitigate budget and staff limitations to risk mitigation. Rather than trying to secure every asset, you should layer your security efforts. By layering, you ensure that another layer covers any gaps in a given layer of defense. Ideally, these layers should cover the seven domains of a typical IT infrastructure, shown in Figure 2-3. Each domain plays a part in a multilayered access control system.

User Domain

The primary layer in the User Domain is in training. Users should be trained to recognize common social engineering tactics, as discussed earlier in this chapter. They should also be trained to create strong passwords, and change them regularly.

Workstation Domain

There are three elements of security in the Workstation Domain: virus scanning, operating system patching, and host firewall. Workstation-level virus scanning insures that viruses coming in from e-mails, files downloaded from the World Wide Web, and other unsecure areas do not infect the host workstation. If the virus is stopped at the entry workstation, it cannot infect the rest of the workstations on the network. Regularly patching the operating system will harden against known vulnerabilities and make it harder for an attacker that gets through the outer layers of security to affect the workstation.

NOTE

A host firewall is a software-based firewall solution. It is designed to protect a single machine from unauthorized access.

FIGURE 2-3

The seven domains of a typical IT infrastructure.

LAN Domain

On the local area network (LAN), security layers involve an intrusion detection/prevention system, as well as e-mail scanning and server-level virus scanning. Many organizations add a second layer of security to user training and workstation virus scanning by scanning all e-mail messages when they enter the LAN. The virus threat is not restricted to users downloading files from the Internet and receiving infected e-mails. Servers—especially Windows servers—are also vulnerable to a wide variety of viruses. It simply makes sense to have a virus scanner running on every server, as well as on every workstation.

An intrusion detection system (IDS) analyzes traffic patterns and compares them to known patterns of malicious behavior. An intrusion detection system is most useful in tracking down the mode of attack after the fact. An intrusion prevention system (IPS) is more sophisticated in that it analyzes

traffic patterns and reacts to that analysis in real time, blocking suspicious traffic. You can configure an IDS or an IPS to alert systems and network administrators when suspicious activity is present. Modern systems combine IDS and IPS functionality into a single system, allowing administrators to configure flexible responses based upon the type of threat.

LAN-to-WAN Domain

This domain represents the intersection between the local area network and the wide area network (WAN). In this domain, the firewall is the primary security layer. The firewall prevents unauthorized traffic from moving from one side of the firewall (the LAN, for example) to the other side (the WAN), while allowing authorized traffic to flow freely. Figure 2-4 shows how a firewall controls network traffic.

There are several types of firewalls. The four most common types of firewalls are packet filters, stateful inspection firewalls, application gateways, and proxy servers. They are described as follows:

A packet filter firewall scans every packet that passes through the firewall and either rejects it or allows it to pass. It uses a custom rule set to determine which packets to allow and which to reject.

A stateful inspection firewall performs the same tasks as a packet filtering firewall but also understands connection state. It will automatically allow traffic from a previously established connection instead of requiring repeated comparisons against firewall rules

An application gateway monitors traffic going to and from a specific application, such as File Transfer Protocol (FTP) or Secure Sockets Layer (SSL). This is most commonly used for communications applications.

A proxy server intercepts all messages entering and leaving the protected network. It effectively hides the location and details of the protected network from the outside world. Proxy servers are often used to monitor and restrict Web browsing in companies. Specific Web sites and search terms can be blocked by a proxy server, or it can be set up to allow only specified uniform resource indicators (URIs).

FIGURE 2-4

A firewall controls network traffic.

FIGURE 2-5

A VPN using IP tunneling.

Remote Access Domain

In this domain, IP tunneling and virtual private networking are the primary layers of security. An Internet Protocol (IP) tunnel is created by encapsulating packets within a new IP packet, then sending the encapsulated packets via a secured route across the Internet. A virtual private network (VPN) uses IP tunneling the same way a LAN uses Ethernet cable or wireless connections. Figure 2-5 shows how a VPN is created via IP tunneling through the public Internet. While the data passes through the public network infrastructure over

a VPN connection, it is likely more secure than data passed through a private network due to the encryption technology used to protect it.

System/Application Domain

In this domain, the primary security activity is patching on a regular basis. This requires keeping up with each application vendor, checking for updates and new patches on a regular basis, and testing those patches thoroughly before implementing them. Large enterprise environments use patch management software that automatically checks for updates from multiple application vendors, taking some of the burden off the IT staff. However, you should not automatically install every patch that is released. Many patches contain new or changed functionality that can significantly change your environment. They can also update shared dynamic-link libraries (DLLs) or libraries that are used by multiple applications. If the patch does not contain a security fix or functionality that you really need, it is often a good idea not to install new patches because they introduce volatility to the environment.

Many large IT environments, especially those in heavily regulated industries, require that any change to the environment first be implemented in a test environment where it must undergo thorough regression and user acceptance testing to be sure that the patch to one application does not adversely affect other applications running in the environment by changing shared DLLs or libraries. Unless a patch contains a crucial security fix or updates critical functionality, it is often not worth putting it through such extensive testing. The benefits do not outweigh the necessary testing costs.

Examining a Multilayered Approach

Within a multilayered approach, for example, you might institute a training policy for all new users that teaches them not to open suspicious e-mail attachments or download files from unknown Web sites. You would also place a virus scanner on every workstation on the network. Then you would install a firewall on the network to protect every workstation as well as other assets on the network. In this way, most unauthorized traffic will be caught at the firewall before it ever sees the workstations, and the virus scanner on the workstations will presumably catch any viruses that get past the firewall.

There is a lot of overlap between various layers of defense. This is intentional, and provides a high level of security in those areas of overlap. This type of access control system, called a defense-in-depth strategy, is designed to handle failure. Every access control system fails at some point. A multilayered approach ensures that if one element or layer fails, an attacker will only run into another line of defense. Eventually, only the most dedicated and motivated attacker will break through.

NOTE

No access control system is 100 percent secure. A determined attacker, with plenty of resources and time, can break into just about any system. The key is to deter the casual attacker and to make your organization a hard enough target to encourage even dedicated attackers to look elsewhere. This way, only an attacker with a specific interest in your organization will continue the attack.

Case Studies and Examples

Case studies are an invaluable tool when performing a risk assessment. Rather than trying to re-invent the wheel, you can use case studies to learn how others assessed risk in similar situations to yours. In this section, you will see how risk assessments are performed in real-world situations.

Private Sector

In private industry, risk is understood in terms of profit and loss, and business continuity. How would a security breach affect the ability of the business to continue to run? What would it cost the company in lost revenue?

Let’s look at the example of Acme Pharma, a large pharmaceutical company in the United States. Acme Pharma needed to update their network security infrastructure to bring them into compliance with new federal regulations. The first step was to identify what needed updating and the risks they were intending to mitigate. The existing system consisted of a border firewall with a demilitarized zone (DMZ) for Web servers. There was e-mail antivirus and antispam software and some access controls implemented on the internal network.

The first step in the update was assessing what the risks to the environment were, and what the highest-risk systems were. Their IT department determined that some of the highest-risk systems did not need to be on the corporate intranet and were segmented off into their own protected LAN. From there, extra layers of security were implemented in case of border network breaches. Network-based intrusion detection systems and intrusion prevention systems were implemented.

On Web-facing systems, automated patching was implemented, as well as host-based firewalls and host-based intrusion prevention systems. It was also determined that the servers themselves exposed too much information. Each Web site hosted on the server was given its own users, with rights limited to the directories that Web site needed to have access to.

The risk assessment showed that certain Web sites were actively targeted for attacks. These systems were segmented away from the rest of the DMZ and further protected with pass-through proxies and application-level firewalls. It was then determined that security needed to be an ongoing priority. To achieve this goal, a new monitoring team was formed. Log shipping (automatic backup of transaction logs) was implemented, and automated monitors were created. Procedures for manual monitoring were also created, and there was active human monitoring of the network done to augment the automated monitors.

Finally, they performed a full audit of user rights and file access controls. Any user with enhanced rights was closely examined to determine the need for those rights. New user groups were formed based on the different roles in the company, and document access was regulated by these groups. Users with a need for heightened rights, such as systems administrators, were not automatically granted rights to all files—they also had to be a member of the appropriate role group.

A new file team was created to handle the roles and access rights. They were tasked with reorganizing electronic document storage. To verify user rights levels and create forms to request elevated rights, they established who in each department could authorize access requests, and established a policy for adding and revoking rights.

Through honest and accurate risk assessment, Acme Pharma was able to secure their infrastructure and move from a border-only security system to a defense-in-depth environment. The most valuable systems were determined to be too important and removed from the intranet, removing any possibility of outside intrusion. They also established an access control policy to handle information access inside the organization.

Public Sector

In the public sector, threats are sometimes literally about life and death. Consider the U.S. Department of Defense. If an unauthorized user accesses sensitive battle plans, soldiers’ lives could be at risk. Of course, the public sector encompasses far more than just the military. The U.S. Department of Energy is a very high-profile target—especially the various research labs they maintain around the country.

Consider the Pacific Northwest National Laboratory (PNNL). PNNL is a U.S. Department of Energy Office of Science National Laboratory. It works on solving problems in energy, the environment, and national security. It has over 4,000 employees conducting research that translates into practical solutions to some of the most vital challenges facing the United States. This makes PNNL a very tempting target.

According to Jerry Johnson, CIO of PNNL, 10 percent of their connection requests are attacks. That translates to around 3 million attacks a day. They also receive over 1 million spam messages a day—around 97 percent of all e- mail sent to the laboratory.

These intrusion attempts come from a wide range of attackers, including organized crime and foreign governments, as well as skilled individuals. Motives for these attacks include economic, national security, and the challenge of breaking into a government facility. The targets of the attack include intellectual property, other proprietary data, and valuable employee information such as Social Security numbers.

To add further complexity to the problem, the lab needs the ability to share data and computer resources with authorized scientists around the world. Security is important, but collaboration is vital. The attackers are also

evolving and becoming more sophisticated. Given time, they could defeat any one security mechanism put in place.

To handle this difficult situation, PNNL has implemented a seven-layer defense-in-depth strategy. Each layer is intended to stop any attacks that defeated the layer above it:

Layer 1 is the implementation of enclaves. They have extranet enclaves to host their publicly accessible servers, as most companies do. Unlike most companies, they also utilize intranet enclaves. There are three internal security enclaves based on the sensitivity of the information and the threat to it. This allows PNNL to further secure its most sensitive information from security breaches.

Layer 2 consists of border firewalls. They use a traditional network layer firewall both between the Internet and intranet and between the intranet enclaves. Application layer firewalls scan and remove known malware before it reaches the Internet. Over 4 million attacks a day are filtered out by the firewalls.

Layer 3 is strong authentication. PNNL follows the recommendations of the National Institute of Standards and Technology. They require at least eight characters, using mixed case and a numeric or special character. Users are also required to change their password every six months. All user- generated passwords are tested to make sure they cannot be easily guessed.

NOTE

PNNL requires two-factor authentication for any remote access to the PNNL network. PNNL utilizes a token system that requires a user to know a PIN and have the token. This is a little inconvenient to the users, but adds very strong protection against session attacks and keystroke loggers.

Layer 4 is configuration and patch management. It is vital to effectively manage your security devices. A border firewall does no good if it has an exploitable bug. PNNL utilizes automated patch and configuration updates to every network device, from firewall to network printer. The organization also utilizes a least-user privilege policy, which mandates that users be given the

most restrictive set of privileges possible to perform necessary functions. This reduces the risk of users intentionally or accidentally introducing security flaws.

Layer 5 is host-based firewalls. Malware can enter your network through numerous channels that circumvent your border protections. Web sites, thumb drives, and installation disks are some examples. There is also the risk of insider threats. To defend against this, the PNNL utilizes host-based firewalls. These serve two purposes:

They protect workstations from attacks that have defeated the border protections.

They isolate infected workstations.

If malware gets onto a workstation through an unknown attack vector, the host-based firewall keeps it from spreading to the intranet.

Layer 6 is data encryption. Any mobile device that stores data at the PNNL is required to have full disk encryption. This extends past laptops and includes smart phones, PDAs, and USB thumb drives.

Layer 7 is one of the most important and least technical: awareness and training. Users are the weakest link in any network security effort. People can make mistakes and can override controls. Effective user training is the only defense against phishing attacks, especially sophisticated spear phishing attacks tailored to attack specific users. These can get malware, especially malware that attacks unknown vulnerabilities, into an intranet. PNNL’s aggressive user awareness program has reduced its phishing victimization rate far below that of similar organizations.

No network is 100 percent secure, but by using a defense-in-depth strategy PNNL can reliably secure their sensitive infrastructure. This strategy allows them to further secure data and facilities that are at the highest risk.

Critical Infrastructure

In some cases, the biggest factor in a risk assessment does not directly affect

profit and loss or even injury to patrons, but damage to critical infrastructure. That infrastructure can include loss of IT resources such as a network or intranet site, or it can refer to physical infrastructure like the controllers for a hospital’s emergency power generators. In these cases, risk assessment should be focused on the loss of productivity or the ability of an organization to fulfill its core mission, rather than on loss of revenue. Let’s look at a case where a failure to assess the risks to the system led to lax access controls with unfortunate consequences.

The incident happened in April 2000 at a local water treatment facility in Maroochy Shire, Queensland. A large amount of sewage was released into parks, rivers, and the grounds of a hotel by a former contractor who worked for the facility, causing major environmental and economic damage. While he was eventually caught, the damage was already done.

The attacker had several advantages, because he was familiar with the system and had a copy of the software needed to communicate with the controllers. However, several vulnerabilities contributed to the incident. The system used inadequately protected wireless communication, giving the attacker an easy vector to compromise the system. The administrators at the treatment facility also failed to have a proper access control policy in place. As it turned out, the contractor still had full security rights to the system even after he was terminated. A proper access control policy would incorporate procedures for quickly removing accounts that should no longer have rights, thereby preventing or complicating an attack.

The administrators of the system also never considered the threat of an inside attack. They assumed that the proprietary nature of the controlling software and complexity of systems would keep the systems secure. An access control policy that included provisions for removing access when necessary would have greatly reduced the possibility for this attack. Had the risks to this system been accurately assessed, the access control policy would have been expanded and an effective wireless security system could have been implemented.

CHAPTER SUMMARY

Risk assessments are used to identify potential threats and vulnerabilities, and prioritize steps designed to minimize or mitigate those risks. There are two basic types of risk assessment: qualitative and quantitative. Qualitative risk assessments are the more subjective of the two types. In a qualitative risk assessment, you assign a label of high, medium, or low based on a number of factors including overall impact of a perceived threat, its probability of occurrence, and the value of the assets being threatened. In a quantitative risk assessment, you would assign a dollar value to each element of risk, making it easy to prioritize mitigation projects.

Case studies are a good place to start when considering a risk assessment project. Rather than re-inventing the wheel, you can learn from what others have done and apply those lessons to your own situation. Assessment models are another useful tool. They help ensure that you analyze risks logically and do not overestimate the true risk.

KEY CONCEPTS AND TERMS

Annualized rate of occurrence (ARO)

Annualized loss expectancy (ALE)

Asset value (AV)

Control

Cost of impact

Cost of replacement

Defense-in-depth strategy

Exposure factor (EF)

Heightened access

Intrusion detection system (IDS)

Intrusion prevention system (IPS)

IP tunneling

Local area network (LAN)

Multilayered access control

Password cracking

Password hash

Phishing

Probability of occurrence

Qualitative risk assessment

Quantitative risk assessment

Risk

Risk assessment

Single loss expectancy (SLE)

Smart card

Social engineering

Spear phishing

Threat

Virtual private network (VPN)

Vulnerability

Wide area network (WAN)

CHAPTER 2 ASSESSMENT

1. Risk is measured in terms of ________ and impact.

2. Risk assessment is the first step in designing any access control system.

A. True

B. False

3. The two types of risk assessments are qualitative and ________.

4. Vulnerabilities and threats are synonymous.

A. True

B. False

5. A vulnerability is a weakness purposely designed into the system.

A. True

B. False

6. You should consider probability of occurrence in order to prioritize limited time and resources.

A. True

B. False

7. What are the three primary threats to any access control system?

A. Password cracking

B. Heightened access

C. Social engineering

D. Forgotten passwords

8. A strong password that would take an attacker 10 years to crack in 1990 would take 10 years to crack today.

A. True

B. False

9. As long as users choose strong, secure passwords, how those passwords are stored is irrelevant.

A. True

B. False

10. Insecure applications run as the administrative user are the most common heightened access vulnerability.

A. True

B. False

11. You should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control.

A. True

B. False

12. You calculate ALE by multiplying SLE by 12.

A. True

B. False

13. You should install every patch that is released for the applications running in your environment.

A. True

B. False

14. Calculate the ALE of a threat that can be expected to occur three times per year, and will cost the organization $50,000 per incident.

15. You are evaluating the risk of an attack on your data center. You estimate that an attack attempt will succeed three times per year. The value of the data center is $1.5 million and a successful attack will damage 10 percent of the data center.

a. What is the asset value?

b. What is the exposure factor?

c. What is the SLE?

d. What is the ARO?

e. What is the ALE?

CHAPTER

3 Business Drivers for Access Controls

AWELL-THOUGHT-OUT APPROACH to access control implementation furthers the goals of an organization. In this chapter, we will discuss the reasons behind access controls in both the public and private sectors. In the public sector, access controls and the information they protect could save a soldier’s life or keep the public infrastructure running smoothly. In business, or the private sector, access controls help protect valuable assets such as trade secrets. This chapter covers how information can have value, and what role secrecy and access controls play in protecting that value.

Chapter 3 Topics

This chapter covers the following topics and concepts:

What the business requirements for asset protection are

How information is classified

How information can be used competitively

What the business drivers for access control are

How access is controlled and value protected

What some examples of access control successes and failures in business are

Chapter 3 Goals

When you complete this chapter, you will be able to:

Identify business requirements for asset protection

Explain how and why information is classified

Understand the competitive use of information

Identify various business drivers for access controls

Control access and protect value internally, externally, and with respect to third parties

Give examples of access control successes and failures in business

Business Requirements for Asset Protection

In business, it is vital to protect the assets that make doing business possible. Inventory and raw materials are kept in secure locations to avoid theft or damage. Information assets are no different—they must be kept secure to avoid compromise.

Importance of Policy

In our knowledge-based economy, many organizations place intellectual property among their most valuable business assets. Firms seeking to ensure their competitive advantage must control access to information to ensure their ongoing survival. Protecting confidential information involves more than just technical controls. It also requires clear policies and sound business processes that implement those policies. Developing and implementing these policies and processes can protect an organization against security incidents.

For example, a chemical company may have a policy that states that only those employees with a legitimate purpose can enter the labs. This policy should ensure that secret chemical formulas are not leaked to unauthorized personnel. For this policy to be effective, it must be enforced by a combination of controls. The firm may use technical measures, such as an RFID-enabled badge reader, combined with administrative measures, such as training employees to scrutinize the identity badges of people they don’t recognize. A policy cannot prevent an information leak if employees regularly hold open the lab doors and allow each other to enter without swiping their ID badge.

Senior Management Role

As with any policy-based initiative, access control policies will be effective only if they have the explicit and implicit support of senior executives. When organizations first issue access control policies, they should consider asking a very senior executive to send the message promulgating the policy. This is especially important if the policy requires employees to engage in unpopular or inconvenient behaviors. Similarly, senior managers must serve as models of policy adherence. If the CEO is seen holding the door open for other people, rather than expecting them to swipe their badge, or asking that policy be implemented differently or waived for him due to his position, line staff will assume that this is acceptable and will do the same thing.

Classification of Information

Information classification assigns information to different categories based upon its sensitivity. Both nations and many major corporations have sensitive information that gets classified, limiting its availability both to the organization and the outside world.

Classification Schemes

A classification scheme is a method of organizing sensitive information into various access levels. Only a person with the approved level of access is allowed to view the information. This access is called clearance. Every organization has its own method of determining clearance levels. The methods usually include a background check, interviews, and a determination of the user’s need for the information. Most nations and some corporations have classification schemes set up to handle the organization and access of sensitive information.

Need to Know and Least Privilege

“Need to know” is a major component in accessing sensitive information. The requester should not receive access just because of his or her clearance, position, or rank. The requester must also establish a valid need to see the information. Access should be granted only if the information is vital for the requester’s official duties. This further secures the information and reduces the risk of one rogue official with security clearance compromising sensitive information. This concept is also seen in computer access controls with the

principle of least privilege.

Following the principle of least privilege, a computer user or program should have only the access needed to carry out its job. For example, a Web server service may run as a non-administrative user with access only to the Web directories. If the program is compromised, the attacker has access to only a limited part of the system.

National Security Classification

The United States government classifies sensitive information into four main categories based upon the degree of damage that would occur to national security if the information were disclosed in an unauthorized manner. Individuals cleared for a particular classification level may access information at that level and below, provided that they have a specific need to know the particular information in question. The four classification levels used by the US government are:

NOTE

The FOIA was passed in 1966 and requires the government to provide access to any governmental information to any requesting party. Certain information, such as classified and CUI information, is exempt from these requests. This law applies only to federal documents, but many states have similar laws.

Unclassified—Information that has not otherwise been assigned a sensitivity level under the national security classification scheme. Generally speaking, unclassified information is subject to public release under the Freedom of Information Act (FOIA). Under certain circumstances, government agencies may designate unclassified information as Controlled Unclassified Information (CUI). CUI information is exempt from disclosure under FOIA.

Confidential—Information that, if disclosed, could reasonably be expected to cause damage to national security.

Secret—Information that, if disclosed, could reasonably be expected to

cause serious damage to national security.

Top Secret—Information that, if disclosed, could reasonably be expected to cause exceptionally grave damage to national security.

Information may change classifications at any time, as circumstances warrant. Information that may have been deemed confidential in 1992 may be considered Secret or even Top Secret today. Likewise, information that was of Top Secret importance in 1939 may no longer be sensitive enough to be classified at all.

Corporations

The classification schemes used by private organizations vary widely, but often share some elements with the government scheme. One commonly used approach to corporate classification has the following classification levels:

Public—Information that the company freely releases to the public. This category would include information that is published on the organization’s Web site or distributed in sales materials.

Internal—Information that is not normally released to the general public but may be disclosed without damaging the company. This may include information about product road maps or pricing that is released to customers, but not widely published.

Sensitive—Information that, if disclosed, could cause serious damage to the firm. This may include new product development plans or internal marketing strategies. Sensitive information is often not released outside the company except under the terms of a formal nondisclosure agreement (NDA).

Highly sensitive—Information that, if disclosed, would be extremely damaging to the company. This may include customer Social Security numbers, credit card numbers, or other very sensitive information. Highly sensitive information is often encrypted at all times and requires special permission to access.

Reasons for Classification

Information is generally classified if disclosure could harm the controlling organization. Corporations classify information to try to keep a competitive advantage over other companies. A soup company, for example, may want to keep its recipes as trade secrets. A company that tests the strength of materials may want to keep its testing methodology proprietary. Governments want to classify any information that would damage their security, such as troop locations and movement, facility locations, and so on.

Declassification Process and Policy

Declassification is the process used to move a classified document into the public domain. Every country and organization that classifies documents has a method of declassification. Let’s look at the U.S. model as a baseline.

There are four ways a U.S. government document can become declassified:

Automatic declassification—Automatic declassification happens with any document over 25 years old. Unless it meets strict criteria, the document is automatically declassified after the department that owns the document reviews it. The document is then moved to the publicly accessible shelves of the national archives.

Systematic declassification—With systematic declassification, any document that is under 25 years old but of significant importance to the historic record of the United States is reviewed for early declassification. Once identified, these documents go through the same procedures as automatically declassified documents.

Mandatory declassification review—A mandatory declassification review is instigated when an individual attempts to get a document declassified. After the review request has been filed, the owning organization must respond with approval, denial, or the inability to confirm or deny the existence or nonexistence of the document. If the request is denied, the requester can appeal to the interagency security classification appeals board.

Freedom of Information Act request—A Freedom of Information Act

request is an attempt by a member of the general public to get a document declassified. The act allows for full or partial disclosure of the document; if the owning organization refuses the request, the decision can be appealed in a judicial review.

Personally Identifiable Information (PII)

On its Web site, the U.S. Department of Commerce defines personally identifiable information (PII) as:

Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

This is usually sensitive information for a corporation and must be safeguarded. This is also information that is targeted for theft, as it is the key to identity theft. Protection of this information is mandated by numerous federal and state laws, and any security breaches must be disclosed in a timely manner. This information is especially tightly controlled in the health care and financial industries.

Privacy Act Information

This is any information that is covered by the Privacy Act of 1974. The act covers the collection, maintenance, and dissemination of personally identifiable information (PII) inside the federal government. Information covered in this act includes Social Security number (SSN), payroll number, information on education, financial transactions, medical history, criminal history, and employment history. This information can be disclosed only with the written consent of the subject or if the use fits into one of the following exceptions:

By the U.S. Census Bureau or the U.S. Bureau of Labor Statistics for statistical purposes

Routine use within a U.S. government agency

A document with significant historical value for archival purposes

For law enforcement

Congressional investigation

Other administrative purposes

It is important to remember that this act applies only to organizations inside the federal government. State government and private entities are not governed by the Privacy Act of 1974.