Security Control I Notes

The document outlines fundamental concepts of data security, focusing on access control steps including identification, authentication, authorization, and accountability. It details password management practices and various types of security controls such as administrative, technical, and physical controls, along with common access control practices. Additionally, it highlights the top four security controls to implement for effective data protection.

Uploaded by

simonpabalate
Fundamental Concepts of Data Security: Security Controls 1 Notes

Access Control Concepts Steps

1. Identification
2. Authentication
3. Authorization
4. Resource
5. Accountability

Access Control Concepts Explained

- Identity
  - Set of attributes related to an entity, used by a computer system (e.g. a student ID)
  - Represents a person, an organisation, an application, or a device
  - Identification component requirements:
    - Uniqueness
    - Standard naming scheme
    - Non-descriptive
    - Not to be shared between users
- Identification
  - The first step in applying access control
  - The assurance that the entity requesting access is accurately associated with the role defined within the system
  - Binds a user to appropriate controls based on the identity
  - Common methods: user ID, MAC address, IP address, Personal Identification Number (PIN), identification badges, email address
- Authentication
  - The second step in applying access controls
  - The process of verifying the identity of a user
  - Uses information secret to the user only
  - Three authentication factors:
    - Something a person knows (knowledge)
    - Something a person has (ownership)
    - Something a person is (characteristics)
  - Strong authentication: a combination of at least two factors
- Authorization
  - The final step in applying access controls
  - Defines what resources a user needs and the type of access to those resources
  - Three access control methods:
    - DAC: Discretionary access control (identity)
    - MAC: Mandatory access control (policy)
    - RBAC: Role-based access control (role)
- Accountability
  - Ensuring that users are accountable for their actions
  - Verifying that security policies are enforced
  - Used for investigation of security incidents
  - Tracked by recording activities of users, systems and applications
  - Audit trails, log files, audit tools:
    - How to manage them
    - What to record
    - How to keep them safe
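The steps above, run in order as one request, as an added Python example (not code from the notes): identification binds a presented user ID to a stored identity, authentication checks two factors (a password the person knows and a one-time code from something the person has), authorization is decided by role (RBAC), and every decision is written to an audit log for accountability. The user IDs, roles, passwords, the directory and the simplified HOTP-style one-time code are constructed assumptions, not a real token scheme.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# RBAC: permissions are attached to roles, and users are given roles.
ROLE_PERMISSIONS = {
    "student": {"grades:read"},
    "lecturer": {"grades:read", "grades:write"},
}

# Accountability: every decision is recorded so actions can be traced to a user later.
audit_log = []


def record(event, **fields):
    audit_log.append({"event": event, **fields})


@dataclass
class Identity:
    """Set of attributes the system holds about an entity (a constructed student record)."""
    user_id: str          # unique, fixed scheme ('u' + 6 digits), non-descriptive, never shared
    roles: frozenset
    salt: bytes
    pw_hash: bytes        # derived from something the person knows (knowledge factor)
    otp_secret: bytes     # held by something the person has, e.g. a token (ownership factor)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol(user_id, password, roles):
    salt = secrets.token_bytes(16)
    return Identity(user_id, frozenset(roles), salt,
                    hash_password(password, salt), secrets.token_bytes(20))


def expected_otp(secret, counter):
    # Simplified HOTP-style code (assumption): HMAC over a counter, truncated to six digits.
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


class AccessControl:
    def __init__(self, directory):
        self.directory = directory          # user_id -> Identity

    def identify(self, user_id):
        # Step 1: bind the presented identifier to a known identity, or reject it.
        ident = self.directory.get(user_id)
        record("identification", user_id=user_id, known=ident is not None)
        return ident

    def authenticate(self, ident, password, otp, counter):
        # Step 2: strong authentication = at least two factors (knowledge + ownership).
        pw_ok = hmac.compare_digest(hash_password(password, ident.salt), ident.pw_hash)
        otp_ok = hmac.compare_digest(expected_otp(ident.otp_secret, counter), otp)
        ok = pw_ok and otp_ok
        record("authentication", user_id=ident.user_id, success=ok)
        return ok

    def authorize(self, ident, permission):
        # Step 3: what the authenticated user may do, decided by role membership.
        allowed = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in ident.roles)
        record("authorization", user_id=ident.user_id, permission=permission, allowed=allowed)
        return allowed


def request_access(ac, user_id, password, otp, counter, permission):
    """Run the steps in order; each step can stop the request."""
    ident = ac.identify(user_id)
    if ident is None:
        return "unknown-identity"
    if not ac.authenticate(ident, password, otp, counter):
        return "authentication-failed"
    if not ac.authorize(ident, permission):
        return "denied"
    return "granted"


def build_directory():
    # Constructed accounts for the demonstration; the passwords are sample values only.
    return {
        "u000123": enrol("u000123", "correct horse battery", ["student"]),
        "u000456": enrol("u000456", "purple monkey dishwasher", ["lecturer"]),
    }


if __name__ == "__main__":
    directory = build_directory()
    ac = AccessControl(directory)
    code = expected_otp(directory["u000123"].otp_secret, 1)   # what the student's token would show
    print(request_access(ac, "u000123", "correct horse battery", code, 1, "grades:write"))
    for entry in audit_log:
        print(entry)
```

A student with the right password and token code is still denied `grades:write`, because authorization is a separate step from authentication; the audit log shows the identification, authentication and authorization entries for that single request.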

Password Management

- Password security
  - Password generation: system vs user
  - Password strength: length, complexity, dynamic
  - Password aging and rotation
  - Limit log-on attempts
- Password management
  - Password synchronisation
  - Self-service password reset
  - Assisted password reset
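The strength, aging and rotation points above as a small password policy, added here as a Python example that is not part of the notes. The thresholds (12 characters, three character classes, 90-day maximum age, a 14-day warning window, a history of five) are assumptions; the notes name the knobs, not the values. The history stores slow salted hashes rather than the passwords themselves.

```python
import hashlib
import re
from datetime import date, timedelta

# Policy thresholds (assumptions for the example).
MIN_LENGTH = 12
MIN_CLASSES = 3                 # of: lower case, upper case, digit, symbol
MAX_AGE_DAYS = 90               # aging: the password expires after this many days
WARN_BEFORE_DAYS = 14           # warn the user inside this window before expiry
HISTORY_DEPTH = 5               # rotation: the last N passwords may not be reused
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def strength_problems(password, user_id):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if user_id.lower() in password.lower():
        problems.append("contains the user id")
    if re.search(r"(.)\1\1", password):
        problems.append("three identical characters in a row")
    return problems


def fingerprint(password, salt):
    # Slow salted hash, so the history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def age_status(set_on, today):
    """Aging: 'ok', 'expiring' inside the warning window, or 'expired' past MAX_AGE_DAYS."""
    expires_on = set_on + timedelta(days=MAX_AGE_DAYS)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=WARN_BEFORE_DAYS):
        return "expiring"
    return "ok"


class PasswordRecord:
    """Current password plus a bounded reuse history for one user."""

    def __init__(self, user_id, salt):
        self.user_id = user_id
        self.salt = salt
        self.history = []       # most recent last, at most HISTORY_DEPTH fingerprints
        self.set_on = None

    def rotate(self, new_password, today):
        """Apply strength and reuse checks; store the new password only if both pass."""
        problems = strength_problems(new_password, self.user_id)
        fp = fingerprint(new_password, self.salt)
        if fp in self.history:
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history = (self.history + [fp])[-HISTORY_DEPTH:]
        self.set_on = today
        return []


if __name__ == "__main__":
    rec = PasswordRecord("u000123", b"constructed-salt")   # constructed user and salt
    print(rec.rotate("Ab1!", date(2024, 1, 1)))             # too short, too few classes
    print(rec.rotate("Tr0ub4dor&Horse", date(2024, 1, 1)))  # accepted: []
    print(rec.rotate("Tr0ub4dor&Horse", date(2024, 4, 1)))  # rejected: reuse
    print(age_status(date(2024, 1, 1), date(2024, 3, 20)))  # expiring
```

Rotation only counts as rotation when the new secret differs from the recent ones, which is why the reuse check is part of `rotate` and not a separate step; the expiry check is what drives the "password aging" reminder.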

Security Controls

- Safeguards to prevent, detect, correct or minimise security risks
- A set of actions for data security

Types of Security Controls

- Administrative controls
  - Policy and procedures
  - Standards
  - Guidelines
  - Risk management
  - Screening of personnel
  - Change control procedures
  - Personnel controls
  - Supervisory structure
  - Security awareness training
  - Testing
- Technical/logical controls
  - System access
  - Network architecture
  - Network access
  - Encryption and protocols
  - Auditing
  - Implementing and maintaining access control mechanisms
  - Password and resource management
- Physical controls
  - Network segregation
  - Perimeter security
  - Computer controls
  - Work area separation
  - Data backups
  - Cabling
  - Control zone

Each of the controls can be further classified as:

- Deterrent
- Preventative
- Detective
- Corrective
- Recovery

Common Access Control Practices

- Deny access to systems to undefined users or anonymous accounts
- Limit and monitor the usage of administrator and other powerful accounts
- Suspend or delay access capability after a specific number of unsuccessful logon attempts
- Remove obsolete user accounts as soon as the user leaves the company
- Suspend inactive accounts after 30 to 60 days
- Enforce strict access criteria
- Enforce need-to-know and least-privilege practices
- Disable unneeded system features, services, and ports
- Replace default password settings on accounts
- Limit and monitor global access rules
- Remove redundant resource rules from accounts and group memberships
- Remove redundant user IDs, accounts, and role-based accounts from resource access lists
- Enforce password rotation
- Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission)
- Audit system and user events and actions, and review reports periodically
- Protect audit logs
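Several of the practices above as running checks, in an added Python example that is not from the notes: a lockout after repeated failed logons, a periodic account review that denies anonymous accounts, removes leavers, forces a change of default passwords and suspends inactive accounts, and a hash-chained audit log in which editing or deleting an entry is detectable. The attempt limit (5), lockout period (15 minutes), the 45-day inactivity threshold (chosen inside the 30 to 60 day range the notes give) and the account records are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Thresholds are assumptions for the example.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_PERIOD = timedelta(minutes=15)
INACTIVE_AFTER = timedelta(days=45)


class LogonGuard:
    """Suspend access for a period after too many unsuccessful logon attempts."""

    def __init__(self):
        self.failed = {}          # user_id -> consecutive failures
        self.locked_until = {}    # user_id -> datetime the lockout ends

    def is_locked(self, user_id, now):
        return now < self.locked_until.get(user_id, now)

    def record_failure(self, user_id, now):
        self.failed[user_id] = self.failed.get(user_id, 0) + 1
        if self.failed[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user_id] = now + LOCKOUT_PERIOD
            self.failed[user_id] = 0
        return self.is_locked(user_id, now)

    def record_success(self, user_id):
        self.failed.pop(user_id, None)


def review_accounts(accounts, now):
    """One action per account, from the hygiene rules in the notes (first matching rule wins).
    accounts: list of dicts with user_id, last_logon, left_company, anonymous, default_password."""
    actions = {}
    for acct in accounts:
        if acct["anonymous"]:
            action = "deny"                     # no access for undefined or anonymous accounts
        elif acct["left_company"]:
            action = "remove"                   # obsolete account
        elif acct["default_password"]:
            action = "force-password-change"    # default settings must be replaced
        elif now - acct["last_logon"] > INACTIVE_AFTER:
            action = "suspend"                  # inactive account
        else:
            action = "keep"
        actions[acct["user_id"]] = action
    return actions


class AuditLog:
    """Hash-chained log: each entry commits to the previous one, so an edited or removed entry
    breaks verification. Tamper-evident only; it still needs append-only storage and backups."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(event, prev):
        body = json.dumps({"event": event, "prev": prev}, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(event, prev)})

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry["event"], prev):
                return False
            prev = entry["hash"]
        return True


def sample_accounts():
    # Constructed records for the review; not real accounts.
    return [
        {"user_id": "u000123", "last_logon": datetime(2024, 2, 20), "left_company": False,
         "anonymous": False, "default_password": False},
        {"user_id": "u000456", "last_logon": datetime(2023, 12, 1), "left_company": False,
         "anonymous": False, "default_password": False},
        {"user_id": "u000789", "last_logon": datetime(2024, 2, 28), "left_company": True,
         "anonymous": False, "default_password": False},
        {"user_id": "guest", "last_logon": datetime(2024, 2, 28), "left_company": False,
         "anonymous": True, "default_password": True},
        {"user_id": "svc-backup", "last_logon": datetime(2024, 2, 28), "left_company": False,
         "anonymous": False, "default_password": True},
    ]


if __name__ == "__main__":
    print(review_accounts(sample_accounts(), datetime(2024, 3, 1)))
    log = AuditLog()
    log.append({"user": "u000123", "action": "login"})
    log.append({"user": "u000123", "action": "read grades"})
    print(log.verify())                  # True
    log.entries[0]["event"]["action"] = "nothing"
    print(log.verify())                  # False: the first entry was altered
```

The review runs the rules in the order the notes list them, so an anonymous account is denied even if it also still has a default password; the hash chain covers the "protect audit logs" practice by making silent edits visible at the next verification, which is what a periodic log review should include.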

Top four controls

- Application whitelisting
- Patch applications
- Patch operating systems
- Restrict administrative privileges