What Is Access Control?

Access control is the process of granting or denying access to resources based on user identification and authentication. It can be implemented through hardware, software, or policies, and includes various models such as Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-based Access Control (RBAC). Effective access control practices involve principles like least privilege, separation of duties, and risk management strategies to mitigate potential threats.

Uploaded by Zooz 24

What is access control?

Access control is the process by which resources or services are granted or denied to a system or user on a computer system or network. In other words, it controls who or what is allowed to access resources and systems.

First, a system or user must identify themselves, then they must verify that they are who they say they are. Once their credentials are verified to be both accurate and authentic, the users are authenticated. From here, they can begin to request resources. Once a request is made, the user must be vetted to ensure they have the proper authorization (permissions) to access the resources.

For example, a computer user signs on to the computer, requests access to applications to do their work, is verified to have the appropriate permissions, and is granted access only to the requested applications in order to perform their duties. In the image below, we can see that the rule for accessing the SALARY Excel file is that only department managers are allowed to read it. If MWiley is a department manager, then she would be able to read the SALARY file.

How to Implement Access Control

Computer access control can be accomplished by using hardware, software or policy.

Hardware Access Control

An example of hardware access control is a firewall which only allows traffic from certain devices to access a particular resource.

Software Access Control

A software example is using permissions in accounting software to allow only certain users to edit the payroll data.

Policy Access Control

Policy access control may be requiring that all visitors check in at the reception desk and be escorted while in the building. Access control can take different forms depending on the resources being protected.

Other Access Control Terminology

Other terms used to describe how computer systems impose access control are object, subject, and operation. The subject is the person or system making the request. The object is the resource being requested. The operation is the action the subject wants to perform on the object. In the above image, MWiley is the subject and she is requesting to access (operation) the SALARY file (object).


Access Control Practices

Separation of duties

Separation of duties requires that if the fraudulent application of a process could potentially result in a breach of security, the process should be divided between two or more individuals. This is commonly applied when an organization is processing payments.

Job rotation

Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another. This not only allows employees to be cross-trained, but makes it easier for the organization to detect if an employee has been misusing their permissions.

Least privilege

The principle of least privilege states that each user should be given only the minimal amount of privileges necessary to perform his or her job function. In this way it is less likely that a mistake or malicious activity would have significant impact.

Implicit deny

When using an implicit deny practice, if a condition is not explicitly met, then the request is rejected. This is often the case with networking access controls like firewalls where, by default, all connections are blocked. This means that a device or resource starts in the most secure state, where it is completely inaccessible.


Mandatory Access Control (MAC)

In a Mandatory Access Control model, the end user cannot implement, modify, or transfer any controls. Only owners and custodians are responsible for managing access controls. This model is typically used when a high level of security is needed. It is commonly used in military and government organizations. MAC is the most restrictive model because all controls are fixed. In this model, the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.

Discretionary Access Control (DAC)

Discretionary Access Control is the least restrictive means of control. In this model, the subject has total control over any objects and programs he or she owns. Microsoft Windows typically uses this model, where the creator or owner of a file or folder can grant and revoke permissions as required. Depending on the level of permissions you allow a subject to have, they may be able to assign permissions to other subjects. DAC scenarios allow individual resources to be individually made available or secured against access. Access rights are configured at the discretion of the accounts that have the authority over each resource, including the capability to extend administrative rights through the same mechanism.

DAC has two significant weaknesses. It relies on the end-user subject to set the proper level of security, and a subject's permissions will be "inherited" by any programs that the subject executes.

Attribute-based Access Control (ABAC)

The Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends the attribute-based control model for sharing information among diverse organizations. It is based on Extensible Access Control Markup Language (XACML). Attributes are characteristics that define specific aspects of an entity. When authorization is requested, the rules and policies are evaluated against the entity's attributes, such as subject, object, operation, or environment. When attribute values are changed, access changes to match the new values. ABAC systems are capable of enforcing both MAC and DAC, making them a good fit for large and federated enterprise organizations.

Rule-based Access Control

RBAC is often used to refer to both Rule-based and Role-based Access Control. Rule-based Access Control dynamically assigns roles to users based on a set of rules defined by a custodian. Each asset object contains a set of access properties based on the rules. Rule-based Access Control is often used for managing user access to one or more systems and it includes conditions such as the time of day, day of the week, access to a specific host, geographical location of the user, and many other factors. These rules are often based on organizational policy.

Role-based Access Control

In role-based access control, permissions and access rights are first assigned to roles within the organization. When user accounts become associated with these roles, there is no need to directly assign any rights for specific users. Scalability is a great benefit of using role-based access control. In large organizations with hundreds or thousands of employees, it would not be at all efficient to explicitly grant rights to individual users. One thing to keep in mind when using role-based access control is the movement of employees within the organization. If an employee changes roles, an administrator must make those changes in the system to prevent unauthorized access to data.

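
The subject/object/operation vocabulary, implicit deny, and the rule-based and role-based models described above can be seen together in one small decision function. This is an added example, not code from the lesson: the SALARY file, the MWiley account and the department-manager role come from the lesson, while the office-hours window, the JDoe account and the rule layout are assumptions made for the demonstration.

```python
"""Added example (not from the lesson): a small access-control decision function
that ties the lesson's terms together. Subjects, objects and operations form the
request; grants are attached to roles (role-based); a time-of-day window is a
rule-based condition; anything not explicitly granted is rejected (implicit deny)."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Rule:
    """One grant: a role may perform one operation on one object, only inside a daily window."""
    role: str
    operation: str
    obj: str
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def applies(self, subject, operation, obj, now):
        return (self.role in subject.roles and self.operation == operation
                and self.obj == obj and self.start <= now <= self.end)


# Grants are attached to roles, never to individual users (role-based access control).
# The 08:00-18:00 windows are constructed for the demo, not taken from the lesson.
POLICY = [
    Rule("department_manager", "read", "SALARY", time(8, 0), time(18, 0)),
    Rule("accounting", "edit", "PAYROLL", time(8, 0), time(18, 0)),
]


def decide(subject, operation, obj, now, policy=POLICY):
    """Return (allowed, reason). Start from deny; flip only on an explicit match."""
    for rule in policy:
        if rule.applies(subject, operation, obj, now):
            return True, f"granted by role {rule.role!r}"
    return False, "implicit deny: no rule grants this operation"


# Constructed accounts: MWiley holds the manager role from the lesson, JDoe does not.
MWILEY = Subject("MWiley", {"department_manager"})
JDOE = Subject("JDoe", {"staff"})
SAMPLE_REQUESTS = [
    (MWILEY, "read", "SALARY", time(10, 30)),   # manager, inside the window -> allow
    (MWILEY, "write", "SALARY", time(10, 30)),  # no rule grants write -> deny
    (MWILEY, "read", "SALARY", time(23, 0)),    # outside the window -> deny
    (JDOE, "read", "SALARY", time(10, 30)),     # lacks the role -> deny
]


def demo_decisions():
    """Evaluate the sample requests; returns the list of allow/deny results."""
    return [decide(s, op, obj, when)[0] for s, op, obj, when in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (s, op, obj, when), ok in zip(SAMPLE_REQUESTS, demo_decisions()):
        print(f"{s.name} {op} {obj} at {when}: {'ALLOW' if ok else 'DENY'}")
```

Only the first request succeeds; the other three fall through to the implicit deny, which is the default state the lesson describes for firewalls.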
Privileged Access Management (PAM)

Privileged Access Management addresses the need to ensure least privilege. It is used to prevent attackers from escalating their privileges in order to gain access and disrupt the network. PAM is instrumental in maintaining privileged access to sensitive data and critical functions:

Privileged account discovery

PAM is able to identify privileged accounts as those which use administrative login credentials.

Governing access

PAM allows for account management throughout its lifecycle, including how accounts gain access and their required privileges.

Auditing activity

PAM is capable of logging all activity of privileged access use and attempts. It is also able to track network anomalies.

Automated task management

PAM is able to automate tasks that happen repeatedly, such as software installation, scheduled tasks, and interactions with service accounts.


1. Computer-based measures that you might encounter in everyday hands-on security, such as firewalls, encryption technologies, router ACLs, and secure protocols are what type of control?

- Administrative
- Deterrent
- Physical
- Technical

2. Which of the following states that users should be given only the level of access needed to perform their duties?

- Separation of duties
- Accountability
- Principle of least privilege
- Authorization

3. Which of the following access control models allows object creators and owners to reassign permissions to users?

- Rule-based access control
- Discretionary access control
- Mandatory access control
- Role-based access control

4. Physical access control includes which of the following?

- Group policies
- Passwords
- Mantraps
- Firewalls

5. Mandatory access control is

- The least restrictive access control model
- Used to assign permissions to particular roles
- The most restrictive access control model
- Implemented by users with least privilege

After this lesson, you will be able to:

- Discuss how to approach risk management
- List and explain the steps of managing an organization's risks

What is Risk Management?

Risk management is the process of identifying and evaluating potential losses within an organization. Once the risks are identified, an organization must decide the best way to handle these risks. A generalized approach is:

1. Identify business assets
2. Determine what damage to the organization an attack could cause
3. Identify security vulnerabilities the attack could exploit
4. Determine how to minimize the risk of attack by implementing appropriate controls

A more detailed risk management process for an organization is shown in the diagram below:

Protect Life

Every organization's first priority should be human life and safety.

Contain

Being able to contain the harm caused by an attack will help to limit additional damage and loss.

Assess

Following an attack, determine the extent of the damage. This should be done immediately after the situation is contained and a system backup is performed.

Determine Cause

Understand the resources at which the attack was aimed and what vulnerabilities were exploited to gain access or disrupt services.

Repair

Damage should be repaired as quickly as possible to restore normal business operations and recover data lost during the attack.

Review

Review the process thoroughly. Determine with your team the steps that were executed successfully and what can be improved.

Quantitative Risk Analysis

Quantitative risk analysis focuses on assigning a discrete monetary or other value to assets, then uses those values to determine the next steps. The goal is to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis by determining the following:

Asset Value (AV)

Overall value of the asset to the organization; immediate financial impact of losing the asset; indirect business impact of losing the asset.

Single Loss Expectancy (SLE)

SLE is the total amount of revenue that is lost from a single occurrence of the risk.

Annual Rate of Occurrence (ARO)

How many times you reasonably expect the risk to occur during one year.

Annual Loss Expectancy (ALE)

Total amount of money your organization will lose in one year if nothing is done to mitigate the risk.

Cost of Controls

Accurate estimates for the cost of acquiring, testing, deploying, operating, and maintaining each control.

Return on Security Investment (ROSI)

ROSI = ALE before control – ALE after control – annual cost of controls.

Exposure Factor (EF)

The proportion of an asset's value that would be lost due to a particular risk, expressed as a percentage.

Example: You have an asset valued at $100,000 and the Exposure Factor (EF) for this asset is 25%. If the Annual Rate of Occurrence for an incident is 3, what is the Annual Loss Expectancy?

SLE = AV x EF = ($100,000) x (0.25) = $25,000

ALE = SLE x ARO = ($25,000) x 3 = $75,000

So, we can expect to lose ~$75,000 each year if this risk isn't mitigated. How much would you spend to avoid losing $75,000 each year?

After performing a quantitative risk analysis, you should have the following information:

- Assigned monetary values for assets
- A comprehensive list of significant threats
- The probability of occurrence of each threat
- The loss potential for the company on a per-threat basis over 12 months
- Recommended safeguards, controls, and actions
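
The SLE, ALE and ROSI definitions above, and the "how much would you spend" question the worked example ends on, can be answered mechanically once the formulas are written as functions. This is an added example, not code from the lesson: the $100,000 / 25% / ARO 3 figures are the lesson's, while the three candidate controls, their annual costs and the residual EF or ARO each is assumed to leave behind are constructed for the demonstration.

```python
"""Added example (not from the lesson): the lesson's SLE/ALE/ROSI arithmetic as
reusable functions, applied to the worked $100,000 / 25% / ARO 3 case and then
used to rank candidate controls. The controls and their figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: value of the asset to the organization
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 - 1.0)
    annual_rate: float      # ARO: expected occurrences per year

    def sle(self):
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # cost to acquire, test, deploy, operate and maintain, per year
    residual: Risk      # the risk as it is expected to look with the control in place


def rosi(before: Risk, control: Control):
    """Return on Security Investment, as the lesson defines it:
    ALE before control - ALE after control - annual cost of controls."""
    return before.ale() - control.residual.ale() - control.annual_cost


def rank_controls(before: Risk, controls):
    """Sort candidate controls by ROSI, best first. A negative ROSI means the
    control costs more per year than the loss it prevents (accepting is cheaper)."""
    return sorted(((c.name, rosi(before, c)) for c in controls), key=lambda t: -t[1])


# The lesson's worked example: AV $100,000, EF 25%, ARO 3 -> SLE $25,000, ALE $75,000.
LESSON_RISK = Risk(asset_value=100_000, exposure_factor=0.25, annual_rate=3)

# Constructed candidates. Patching cuts how often the incident happens (ARO);
# backups cut how much of the asset is lost when it does (EF).
CANDIDATES = [
    Control("patch management", 20_000, Risk(100_000, 0.25, 1)),        # ALE after: $25,000
    Control("offline backups", 12_000, Risk(100_000, 0.05, 3)),         # ALE after: $15,000
    Control("gold-plated appliance", 70_000, Risk(100_000, 0.25, 0.5)),  # ALE after: $12,500
]

if __name__ == "__main__":
    print(f"SLE = ${LESSON_RISK.sle():,.0f}, ALE = ${LESSON_RISK.ale():,.0f}")
    for name, value in rank_controls(LESSON_RISK, CANDIDATES):
        print(f"{name:>24}: ROSI = ${value:,.0f}")
```

The appliance reduces the loss the most but its ROSI is negative, which is the lesson's point: the control is only worth buying when what it saves per year exceeds what it costs per year.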

Qualitative Risk Analysis

Qualitative risk analysis focuses more on understanding the risks and how to mitigate them instead of objective costs. The basic process is very similar to what happens in the quantitative approach. In contrast to the quantitative approach, however, qualitative risk management calculates relative values and doesn't assign hard financial values to assets, expected losses, and cost of controls.

Qualitative risk analysis is usually conducted through a combination of questionnaires and collaborative workshops involving people from a variety of groups within the organization. It is important to carefully identify who should be a part of this process to ensure that you have representation of all stakeholders.

The results are presented to management for consideration during a cost-benefit analysis.

Comparing Quantitative & Qualitative Risk Analysis

Quantitative benefits:

- Risks prioritized by financial impact; assets prioritized by financial values.
- Results facilitate management of risk by return on security investment.
- Results expressed in management-specific terminology (e.g., monetary values and probability expressed as a specific percentage).
- Accuracy tends to increase over time as the organization builds historic records of data while gaining experience.

Qualitative benefits:

- Enables visibility and understanding of risk ranking.
- Easier to reach consensus.
- Not necessary to quantify threat frequency.
- Not necessary to determine financial values of assets.
- Easier to involve people who are not experts on security or computers.

Quantitative drawbacks:

- Impact values assigned to risks are based on subjective opinions of participants.
- Process to reach credible results and consensus is very time consuming.
- Calculations can be complex and time consuming.
- Process requires expertise.

Qualitative drawbacks:

- Insufficient differentiation between important risks.
- Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.

Make a plan for each risk

Now that we have identified and prioritized what to protect, we need to decide how to respond. For this, we have 4 basic decisions. We can choose to avoid, transfer, accept, or mitigate each of the risks.

Risk Avoidance

The most effective way to deal with risk is to avoid it, but this isn't always possible. When it is possible, we work to eliminate the vulnerability that causes the risk.

Risk Transference

The risk or effect of the risk can be transferred to another party responsible for restoration and recovery in the event that the threat manifests. For example, an organization may purchase insurance to cover a specific risk or outsource responsibility to another organization.

Risk Acceptance

Perhaps we do not need to do anything at all. If the organization recognizes a risk, identifies it, and accepts that it will have limited impact, then we have accepted the risk.

Risk Mitigation

The most common response to a particular risk is reducing the likelihood or impact of a risk's exposure. For example, to mitigate the risk of a ransomware attack, we ensure that all systems are up-to-date and start an employee cybersecurity awareness program. We may also segment our network to minimize the spread of malware during a ransomware attack.

Implementing controls

Now that we have decided how to handle each risk, we can implement controls for the risks we plan to mitigate. To do this we will deploy and operate control solutions to reduce risk to the business. We will seek holistic approaches which incorporate people, process, and technology into the mitigating solution. We will also organize by defense-in-depth, working across the organization to integrate this solution with other implemented solutions.

Measuring Program Effectiveness

Finally, we need to ensure that the risk management process and resulting decisions are effective. This is an ongoing phase in which the Security Risk Management Team periodically verifies that the controls implemented during the preceding phase are actually providing the expected degree of protection. The team will analyze the risk management process for effectiveness and evaluate the risk management program for opportunities to improve.

1. Which of the following is the monetary loss that can be expected for an asset from risk for the entire year?

- ALE
- SLE
- ARO
- BIA

2. An organization is increasingly subject to compliance regulations and is making strong efforts to comply with them but is still concerned about issues that might occur. Management decides to buy insurance to help cover the costs of a potential breach. Which of the following risk response techniques is the organization using?

- Avoidance
- Transference
- Acceptance
- Mitigation

3. Which of the following is NOT a risk assessment step?

- Identify threats
- Identify vulnerabilities
- Determine the risk
- Determine the response

4. Financial is one type of business impact. Which of the following is another type?

- Pride
- Technical
- Device
- Reputation

5. Which of the following equations is correct?

- (Single Loss Expectancy) = (Asset Value) x (Exposure Factor)
- (Annual Rate of Occurrence) = (Asset Value) x (Exposure Factor)
- (Annual Loss Expectancy) = (Asset Value) x (Exposure Factor)
- (Single Rate of Occurrence) = (Asset Value) x (Exposure Factor)

- A friend sends you an email that says you must forward it to 20 other friends or else you will have bad luck for the rest of your life. This is an example of
  o Phishing
  o Whaling
  o Rabbit
  o Hoax

- Which type of malware requires the user to pay to remove the malware?
  o Trojan
  o Ransomware
  o Adware
  o Keylogger

- You download a new game from a website. You begin installing the game, then walk away from your computer to answer the phone. When you come back to play the new game, you notice your computer is extremely slow to respond and it crashes. What most likely happened?
  o Your computer failed to install necessary updates
  o The game is still downloading in the background
  o The game file you downloaded and installed was a trojan
  o The game takes up too much space on your hard drive

- Which of the following is NOT a desirable property of a virus?
  o Easy to deactivate
  o Easy to create
  o Difficult to detect with anti-virus software
  o Able to reinfect

- Which of the following does NOT require any user interaction to spread?
  o Hoax
  o Trojan
  o Virus
  o Worm
