Unit 002 Access Control

The document outlines the Level 3 Diploma unit on Access Control, focusing on its purpose, implementation methods, and the balance between restricting and enabling access. It covers various access control techniques, identity management, and the importance of policies to mitigate insider and external threats. Learners are expected to apply this knowledge in practical scenarios to enhance their understanding of access control in networking and cybersecurity.

Uploaded by

Steve
Level 3 Diploma in

Networking and Cybersecurity

Unit 002: Access Control


This session
Intent:
To understand the purpose and concepts of access control, be able to apply methods of controlling
access and understand the limits of access control.
Implementation:
• Explain the role of access control, primary categories used to define access to data, different
types of access from a physical/logical/administrative perspective.
• Evaluate different access control techniques used and compare methods of identity
management and authentication.
• Implement authentication to increase effectiveness, define series of password policies and
configure password authentication.
• Explain the balance between restricting and enabling access, assess the organisational and
behavioural threats of access control.
Impact:
Learners will understand the purpose/concepts/limits of access control and will be able to apply this
knowledge in practice by completing tasks within a given scenario.
Before we start… STARTER
Q1. How often should you back up your data?
• A. Once a week.
• B. Once a month
• C. In accordance with your organisation’s backup policy and the criticality of the data in question
• D. Once a fortnight.
Q2. Where should you store the encryption passphrase for your laptop?
• A. On a sticker underneath your laptop’s battery as it’s not visible to anyone using the laptop.
• B. On a sticky note attached to the base of your laptop.
• C. In a password-protected Word file stored on your laptop.
• D. Use the password management tool supplied/authorised by your organisation.
Q3. Within what period of time is an organisation required to notify a supervising authority
about a data breach within the realm of GDPR?
• A. Within 48 hours
• B. Within 12 hours
• C. Within 24 hours
• D. Within 72 hours
Access Control
What is Access Control?
“Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimises risk to the business or organisation.” Innovatrics.com
Role of access control in organisations
What is the main aim/role of access control?
(Click on the link below or scan the QR code to share your ideas)
https://jamboard.google.com/d/1cKTCQpX96OVszAzvh_-gCp2SjCIKLG66EIH97ebylFk/viewer?f=0
Role of access control in organisations
• Confidentiality
• Integrity and availability
• Limiting access to systems
• Limiting access to data
• Providing “defence in depth”
• Identifying and classifying data assets
For more information about the role of access control, please click on the link below:
https://securityboulevard.com/2020/11/the-role-of-access-control-in-informatio
What legislation would be related to access control?
Primary categories used to define access to data
• Directive (codes of conduct, security policies and procedures): directs, confines, or controls the actions of subjects to force or encourage compliance with security policy.
• Preventative (physically restricting access): deployed to stop an unwanted or unauthorised activity from occurring.
• Compensating (additional guards during periods of heightened threat).
• Detective (intrusion detection systems).
• Corrective (software patches, firewall reconfiguration).
• Recovery (updating of security policies to reflect changes in business).

Can you provide other examples of primary categories? If not, do your research and share your results with the group.
Types of Access Control
Physical:
Most physical access control systems require identifying credentials to gain access to a space (perimeter fences, gates/doorways, security guards/patrols, badge locks/key locks, biometric scanners (retina, palm, fingerprint scanner)).
Logical:
A logical access control system requires the validation of an individual's identity through some mechanism/software such as firewalls, anti-virus, encryption, user IDs and passwords, passphrases, security tokens, one-time passwords, remote access servers (RADIUS).
Administrative:
Administrative access controls are the policies and procedures defined by an organisation's security policy to implement and enforce overall access control (policies and procedures, security clearances, identity validation, staff training, support/helpdesk).
To expand your knowledge about other types of access control, click on the link below:
To expand your knowledge about other types of access control, click on link below:
http://cisspstudy.blogspot.com/2007/05/types-of-access-control.html
Access Control techniques
Discretionary controls (DAC)
"It is the principle of restricting access to objects based on the identity of the subject (the user or the group to which the user belongs). Discretionary access control is implemented using access control lists." IBM.com
Mandatory controls (MAC)
"Mandatory access control is a method of limiting access to resources based on the sensitivity of the information that the resource contains and the authorization of the user to access information with that level of sensitivity." IBM.com
Non-Discretionary Controls
"An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system." nist.gov
Can you think of any other examples of access control techniques?
Access Control List
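To make the DAC/MAC distinction on the previous slide concrete, here is an added example (not from the slides or any product): a DAC object whose owner edits an access control list that names users or groups, beside a MAC check that compares a subject's clearance against an object's sensitivity label. The group names, levels and the Bell-LaPadula read/write rules used for the MAC side are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed group membership: a DAC ACL may name a group instead of a user.
GROUPS = {"finance": {"alice", "bob"}, "it": {"carol"}}


@dataclass
class DacObject:
    """Discretionary control: the owner decides who appears in the ACL."""
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # subject -> perms

    def grant(self, actor: str, subject: str, perm: str) -> None:
        # Only the owner may change the ACL; that discretion is what makes it DAC.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allowed(self, user: str, perm: str) -> bool:
        if user == self.owner:
            return True
        # Identity of the subject = the user or any group the user belongs to.
        subjects = {user} | {g for g, members in GROUPS.items() if user in members}
        return any(perm in self.acl.get(s, set()) for s in subjects)


# Mandatory control: labels are assigned by policy, not by object owners.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allowed(clearance: str, sensitivity: str, perm: str) -> bool:
    """Bell-LaPadula rules (assumed model): no read up, no write down."""
    c, s = LEVELS[clearance], LEVELS[sensitivity]
    if perm == "read":
        return c >= s   # a subject may read at or below its clearance
    if perm == "write":
        return c <= s   # a subject may not write to a less sensitive object
    raise ValueError(f"unknown permission {perm!r}")


if __name__ == "__main__":
    payroll = DacObject(owner="alice")
    payroll.grant("alice", "finance", "read")   # grant via group membership
    print("bob reads payroll:", payroll.allowed("bob", "read"))       # True
    print("carol reads payroll:", payroll.allowed("carol", "read"))   # False
    print("internal user reads secret:", mac_allowed("internal", "secret", "read"))
```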
Methods of identity management and authentication
What do you understand by identity management?
Identity management (IdM), also known as identity and access management (IAM), ensures that authorised people – and only authorised people – have access to the technology resources they need to perform their job functions.
Methods:
• ID badges
• user IDs
• PINs
• account numbers
• digital certificates
• RFID
Methods of identity management and authentication
What do you understand by authentication method?
"Authentication Method means the process of confirming the identity of a person that is attempting to access a system" lawinsider.com
Methods:
• something you know (passwords, passphrases, challenge response)
• something you have (smartcards, fobs and time code devices)
• something you are (biometrics)
• somewhere you are (proximity to a scanner, inside a firewall).
Balance between restricting and enabling access for legitimate users
In groups, discuss and provide 4 examples of factors that you would consider when balancing between restricting and enabling access for legitimate users.
(Click on the link below or scan the QR code to share your ideas):
https://jamboard.google.com/d/1cKTCQpX96OVszAzvh_-gCp2SjCIKLG66EIH97ebylFk/viewer?f=1
Balance between restricting and enabling access for legitimate users
• Dichotomy of organisational needs (government vs business)
• Top-down organisational centric vs bottom-up user centric
• Cost effectiveness (cost of control vs value of the assets)
• Internal threats: organisational culture (complacency, lack of effective control),
organisational climate, disgruntled employees, industrial espionage, misplaced
trust.
• Internal vulnerabilities: poor or absent security policies/procedures, lack of
adherence to security policy, lack of education and training, lack of adherence to
security procedures (poor administration, deliberate avoidance), poor or
inadequate vetting of employees and contractors.
• External threats: tailgating/piggybacking, social engineering (phishing,
baiting/Quid Pro Quo), identity theft, shoulder surfing, spoofing.
AAA authentication
When it comes to network security, AAA is a requirement. Here is what each of these is used for and why you should care:
Authentication: Identifies users by login and password using challenge and response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.
Authorisation: After initial authentication, authorisation looks at what that authenticated user has access to do. RADIUS or TACACS+ security servers perform authorisation for specific privileges by defining attribute-value (AV) pairs, which would be specific to the individual user's rights. In Cisco IOS, you can define AAA authorisation with a named list or authorisation method.
Accounting: The last “A” is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorised. For example, with accounting, you could get a log of when users logged in and when they logged out.
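The three stages above, as an added toy AAA server written for this page (it is not Cisco, RADIUS or TACACS+ code): authentication compares a salted PBKDF2 hash in constant time, authorisation reads a `priv-lvl` attribute-value pair stored per user, and every decision is written to an accounting record so that logins, failed logins and logouts can be reviewed afterwards. The user names, passwords and the command-to-privilege mapping are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed user store: salted PBKDF2 hashes plus TACACS+-style AV pairs.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, av_pairs: dict[str, str]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "av": av_pairs}

USERS = {
    "netadmin": make_user("correct horse battery staple", {"priv-lvl": "15"}),
    "helpdesk": make_user("Winter2024!", {"priv-lvl": "1"}),
}
# Privilege level a command needs (assumed policy; unknown commands need 16 = never).
REQUIRED_LEVEL = {"show": 1, "configure": 15}
ACCOUNTING: list[dict] = []   # accounting records: who did what, and when

def record(event: str, user: str, **extra) -> None:
    ACCOUNTING.append({"ts": time.time(), "event": event, "user": user, **extra})

def authenticate(user: str, password: str) -> bool:
    """Authentication: is this really the user? Both outcomes are accounted for."""
    entry = USERS.get(user)
    ok = entry is not None and hmac.compare_digest(
        _hash(password, entry["salt"]), entry["hash"])
    record("login-ok" if ok else "login-fail", user)
    return ok

def authorise(user: str, command: str) -> bool:
    """Authorisation: may this authenticated user run this command?"""
    level = int(USERS.get(user, {}).get("av", {}).get("priv-lvl", "0"))
    ok = level >= REQUIRED_LEVEL.get(command, 16)
    record("authz", user, command=command, allowed=ok)
    return ok

def logout(user: str) -> None:
    record("logout", user)

def events_for(user: str) -> list[str]:
    """Accounting: the audit trail for one user, in order."""
    return [r["event"] for r in ACCOUNTING if r["user"] == user]

if __name__ == "__main__":
    if authenticate("helpdesk", "Winter2024!"):
        print("helpdesk may configure:", authorise("helpdesk", "configure"))  # False
        logout("helpdesk")
    print(events_for("helpdesk"))
```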
Access control IT policies
Restricting or limiting the access to sensitive data with an access control policy gives the company total control over its resources. For example, in a data breach, the system automatically detects when, where, and who accessed an otherwise secure asset without authorization. However, if there is an absence of an access control policy it makes the organisation vulnerable to various internal or external cyber-attacks.
(Beyond Identity)
Access control IT policies
Insider Threats
Insider threats can be difficult to detect since the users already have legitimate access to the system. Without an access control policy in place, these users can widely misuse the IT resources of the company. They can access top-level information, steal data for personal gain, spread malicious code, or initiate attacks.
External Threats
Hackers are always looking for any vulnerability in a system. Hacked passwords remain one of the most common ways to gain unauthorized access and create havoc. Without a rigorous access control policy in place, a hacker who has stolen the credentials of someone with higher privileges can go undetected and cause very serious damage to company data.
Scenario activities

Cisco activity: AAA authentication of your network.

Can you improve the security policies on your network considering your new knowledge and skills in access control?
Plenary
Take a few minutes to reflect on the following questions…
• What have you learned from this unit?
• What skills have you used/developed?
• What did you find challenging?
Let’s share…
Did we achieve?
Intent:
To understand the purpose and concepts of access control, be able to apply methods of controlling
access and understand the limits of access control.
Implementation:
• Explain the role of access control, primary categories used to define access to data, different
types of access from a physical/logical/administrative perspective.
• Evaluate different access control techniques used and compare methods of identity
management and authentication.
• Implement authentication to increase effectiveness, define series of password policies and
configure password authentication.
• Explain the balance between restricting and enabling access, assess the organisational and
behavioural threats of access control.
Impact:
Learners will understand the purpose/concepts/limits of access control and will be able to apply this
knowledge in practice by completing tasks within a given scenario.
Any questions and what’s next?