Chapter 4.2: The Art of Protecting Secrets - Access Controls

Physical Access Controls

Physical access controls are actual barriers deployed to prevent direct contact with systems. The goal is to prevent unauthorized users from gaining physical access to facilities, equipment, and other organizational assets.

Physical access control determines who can enter (or exit), where they can enter (or exit), and when they can enter (or exit).

Examples of physical access controls include the following:

  • Guards (Figure 1) monitor the facility
  • Fences (Figure 2) protect the perimeter
  • Motion detectors (Figure 3) detect moving objects
  • Laptop locks (Figure 4) safeguard portable equipment
  • Locked doors (Figure 5) prevent unauthorized access
  • Swipe cards (Figure 6) allow access to restricted areas
  • Guard dogs protect the facility
  • Video cameras monitor a facility by collecting and recording images
  • Mantraps allow access to the secured area only after the first door closes
  • Alarms detect intrusion

Logical Access Controls

Logical access controls are the hardware and software solutions used to manage access to resources and systems. These technology-based solutions include tools and protocols that computer systems use for identification, authentication, authorization, and accountability.

Logical access controls include the following:

  • Encryption is the process of taking plaintext and creating ciphertext
  • Smart cards have an embedded microchip
  • Passwords are a protected string of characters
  • Biometrics are users’ physical characteristics
  • Access Control Lists (ACLs) define the type of traffic allowed on a network
  • Protocols are a set of rules that govern the exchange of data between devices
  • Firewalls prevent unwanted network traffic
  • Routers connect at least two networks
  • Intrusion Detection Systems monitor a network for suspicious activities
  • Clipping Levels are certain allowed thresholds for errors before triggering a red flag

Administrative Access Controls

Administrative access controls are the policies and procedures defined by organizations to implement and enforce all aspects of controlling unauthorized access. Administrative controls focus on personnel and business practices. Administrative controls include the following:

  • Policies are statements of intent
  • Procedures are the detailed steps required to perform an activity
  • Hiring practices involve the steps an organization takes to find qualified employees
  • Background checks are an employment screening that includes verification of past employment, credit history, and criminal history
  • Data classification categorizes data based on its sensitivity
  • Security training educates employees about the security policies at an organization
  • Reviews evaluate an employee’s job performance

Mandatory Access Control

Mandatory access control (MAC) restricts the actions that a subject can perform on an object. A subject can be a user or a process. An object can be a file, a port, or an input/output device. An authorization rule enforces whether or not a subject can access the object.

Organizations use MAC where different levels of security classifications exist. Every object has a label and every subject has a clearance. A MAC system restricts a subject based on the security classification of the object and the label attached to the user.

For example, take the military security classifications Secret and Top Secret. If a file (an object) is considered top secret, it is classified (labeled) Top Secret. The only people (subjects) who may view the file (object) are those with a Top Secret clearance. It is up to the access control mechanism to ensure that an individual (subject) with only a Secret clearance never gains access to a file labeled Top Secret. Similarly, a user (subject) cleared for Top Secret access cannot change the classification of a file (object) labeled Top Secret to Secret. Additionally, a Top Secret user cannot send a Top Secret file to a user cleared only to see Secret information.
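The following is an added example, not part of the chapter, that turns the Secret / Top Secret rules above into a small MAC decision function. It assumes the classification levels form a strict ordering and that the rules follow the Bell-LaPadula model (no reading up, no lowering of labels, no flow of data to a lower clearance); the subject and object names are constructed.

```python
# Added example (not from the chapter): a minimal mandatory access control check.
# Assumption: levels are strictly ordered and the rules are Bell-LaPadula style.
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str          # clearance attached to the user or process


@dataclass(frozen=True)
class Object:
    name: str
    label: str              # classification label attached to the file/port/device


def dominates(level_a: str, level_b: str) -> bool:
    """True when level_a is at least as high as level_b in the ordering."""
    return LEVELS[level_a] >= LEVELS[level_b]


def can_read(subject: Subject, obj: Object) -> bool:
    """No read up: a Secret-cleared subject may never view a Top Secret object."""
    return dominates(subject.clearance, obj.label)


def can_relabel(subject: Subject, obj: Object, new_label: str) -> bool:
    """Subjects may never lower a label (Top Secret -> Secret is refused), even
    when they are cleared to read the object. Raising a label is permitted."""
    if new_label not in LEVELS:
        raise ValueError(f"unknown label: {new_label}")
    return can_read(subject, obj) and dominates(new_label, obj.label)


def can_send(sender: Subject, obj: Object, receiver: Subject) -> bool:
    """Information may only flow to subjects whose clearance dominates the
    object's label: a Top Secret file cannot be sent to a Secret-cleared user."""
    return can_read(sender, obj) and dominates(receiver.clearance, obj.label)


def decide(action: str, subject: Subject, obj: Object, **kw) -> str:
    """Return an audit-friendly decision string for the given action."""
    checks = {
        "read": lambda: can_read(subject, obj),
        "relabel": lambda: can_relabel(subject, obj, kw["new_label"]),
        "send": lambda: can_send(subject, obj, kw["receiver"]),
    }
    if action not in checks:
        raise ValueError(f"unknown action: {action}")
    verdict = "PERMIT" if checks[action]() else "DENY"
    return f"{verdict} {action} {subject.name}({subject.clearance}) -> {obj.name}[{obj.label}]"


if __name__ == "__main__":
    alice = Subject("alice", "Top Secret")
    bob = Subject("bob", "Secret")
    plan = Object("plan.docx", "Top Secret")
    print(decide("read", bob, plan))                       # DENY (read up)
    print(decide("relabel", alice, plan, new_label="Secret"))  # DENY (downgrade)
    print(decide("send", alice, plan, receiver=bob))       # DENY (flow down)
```

The decision strings are deliberately written so they can be logged as-is; the accountability section later in this chapter depends on exactly this kind of record.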

Discretionary Access Control

An object’s owner determines whether to allow access to an object with discretionary access control (DAC). DAC grants or restricts object access determined by the object’s owner. As the name implies, controls are discretionary because an object owner with certain access permissions can pass on those permissions to another subject.

In systems that employ discretionary access controls, the owner of an object can decide which subjects can access that object and what specific access they may have. One common method to accomplish this is with permissions, as shown in the figure. The owner of a file can specify what permissions (read/write/execute) other users may have.

Access control lists are another common mechanism used to implement discretionary access control. An access control list uses rules to determine what traffic can enter or exit a network.
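As an added example (not the chapter's own material), the following models a file whose owner holds every permission, hands out read/write/execute rights to other users, and can allow a recipient to pass rights on. The "d" (delegate) right and the user names are assumptions made for this demo; the point it shows is that in DAC a subject can only pass on what it already holds.

```python
# Added example (not from the chapter): a small discretionary access control model.
# Assumption: besides r/w/x there is a "d" (delegate) right that lets a non-owner
# pass on the permissions it already holds.
from dataclasses import dataclass, field

PERMS = frozenset({"r", "w", "x", "d"})


@dataclass
class FileObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of granted permissions

    def permissions_of(self, user: str) -> frozenset:
        """The owner implicitly holds every permission; others hold what the ACL says."""
        if user == self.owner:
            return PERMS
        return frozenset(self.acl.get(user, set()))

    def check(self, user: str, perm: str) -> bool:
        """The access decision itself: may this user perform this operation?"""
        return perm in self.permissions_of(user)

    def grant(self, granter: str, grantee: str, perms) -> None:
        """Owner may grant anything; a delegate ("d") may only pass on rights it holds."""
        perms = frozenset(perms)
        unknown = perms - PERMS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        held = self.permissions_of(granter)
        if granter != self.owner:
            if "d" not in held:
                raise PermissionError(f"{granter} may not delegate on {self.name}")
            if not perms <= held:
                raise PermissionError(
                    f"{granter} cannot grant rights it lacks: {sorted(perms - held)}")
        self.acl.setdefault(grantee, set()).update(perms)

    def revoke(self, revoker: str, user: str) -> None:
        """Only the owner revokes; revocation removes every right the user had."""
        if revoker != self.owner:
            raise PermissionError(f"{revoker} is not the owner of {self.name}")
        self.acl.pop(user, None)

    def mode_string(self, user: str) -> str:
        """Unix-style rwx rendering of what a user may do (delegate right omitted)."""
        held = self.permissions_of(user)
        return "".join(p if p in held else "-" for p in "rwx")


if __name__ == "__main__":
    report = FileObject("report.txt", owner="alice")
    report.grant("alice", "bob", {"r", "w", "d"})   # owner decides
    report.grant("bob", "carol", {"r"})             # bob passes on a right he holds
    print(report.mode_string("bob"), report.mode_string("carol"))   # rw- r--
```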


Role-Based Access Control

Role-based access control (RBAC) depends on the role of the subject. Roles are job functions within an organization. Specific roles require permissions to perform certain operations. Users acquire permissions through their role.

RBAC can work in combination with DAC or MAC by enforcing the policies of either one. RBAC helps to implement security administration in large organizations with hundreds of users and thousands of possible permissions. Organizations widely accept RBAC as a best practice for managing permissions within a system or application.

Rule-Based Access Control

Rule-based access control uses access control lists (ACLs) to help determine whether to grant access. A series of rules is contained in the ACL, as shown in the figure. The determination of whether to grant access depends on these rules. An example of such a rule is one that states that no employee may have access to the payroll file after hours or on weekends.

As with MAC, users cannot change the access rules. Organizations can combine rule-based access control with other strategies for implementing access restrictions. For example, MAC methods can utilize a rule-based approach for implementation.
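The following added example (not from the chapter) shows the two preceding sections working together: roles carry permissions, users carry roles, and a rule list can still veto a request that the role would otherwise allow. The rule implemented is the one the text gives, no access to the payroll file after hours or on weekends; the role names, user names and the 09:00 to 17:00 business window are assumptions.

```python
# Added example (not from the chapter): RBAC combined with a rule-based check.
# Role names, users and the business-hours window are constructed for the demo.
from datetime import datetime

ROLE_PERMISSIONS = {
    "payroll_clerk": {("read", "payroll"), ("write", "payroll"), ("read", "timesheets")},
    "engineer": {("read", "source"), ("write", "source")},
    "auditor": {("read", "payroll"), ("read", "source")},
}

USER_ROLES = {
    "dana": {"payroll_clerk"},
    "eli": {"engineer"},
    "fay": {"engineer", "auditor"},
}


def role_permits(user, action, resource):
    """RBAC: a user holds a permission if any of their roles holds it."""
    return any((action, resource) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def payroll_business_hours(user, action, resource, when):
    """Rule: no employee touches the payroll file after hours or on weekends.
    Returns None when the rule does not apply, otherwise a denial reason."""
    if resource != "payroll":
        return None
    if when.weekday() >= 5:                      # 5 = Saturday, 6 = Sunday
        return "payroll access denied on weekends"
    if not 9 <= when.hour < 17:
        return "payroll access denied outside 09:00-17:00"
    return None


RULES = [payroll_business_hours]   # users cannot edit this list; only administrators


def authorize(user, action, resource, when):
    """Combined decision: RBAC must permit AND no rule may deny."""
    if not role_permits(user, action, resource):
        return False, f"no role of {user} permits {action} on {resource}"
    for rule in RULES:
        reason = rule(user, action, resource, when)
        if reason:
            return False, reason
    return True, "permitted"


if __name__ == "__main__":
    print(authorize("dana", "read", "payroll", datetime(2024, 1, 8, 10, 30)))   # Monday
    print(authorize("dana", "read", "payroll", datetime(2024, 1, 13, 10, 30)))  # Saturday
    print(authorize("eli", "read", "payroll", datetime(2024, 1, 8, 10, 30)))    # wrong role
```

Because rules are evaluated after the role check, adding a new rule never widens access; it can only narrow what a role already grants, which is the property an administrator wants from this combination.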

What is Identification?

Identification enforces the rules established by the authorization policy. A subject requests access to a system resource. Every time the subject requests access to a resource, the access controls determine whether to grant or deny access. For example, the authorization policy determines what activities a user can perform on a resource.

A unique identifier ensures the proper association between allowed activities and subjects. A username is the most common method used to identify a user. A username can be an alphanumeric combination, a personal identification number (PIN), a smart card, or biometric, such as a fingerprint, retina scan, or voice recognition.

A unique identifier ensures that a system can identify each user individually, allowing an authorized user to perform the appropriate actions on a particular resource.

Identification Controls

Cybersecurity policies determine which identification controls should be used. The sensitivity of the information and information systems determines how stringent the controls must be. The increase in data breaches has forced many organizations to strengthen their identification controls. For example, the credit card industry in the United States requires all vendors to convert to smart card identification systems.

What You Know

Passwords, passphrases, and PINs are all examples of something that the user knows. Passwords are the most popular method used for authentication. The terms passphrase, passcode, passkey, and PIN are all generically referred to as passwords. A password is a string of characters used to prove a user’s identity. If this string of characters relates back to a user (such as a name, birthdate, or address), it will be easier for cyber criminals to guess the user’s password.

A number of publications recommend that a password be at least eight characters. Users should not create a password that is so long that it is difficult to memorize, or conversely, so short that it becomes vulnerable to password cracking. Passwords should contain a combination of upper and lowercase letters, numbers, and special characters.

Users need to use different passwords for different systems, because if a criminal cracks the user’s password once, the criminal will have access to all of the user’s accounts. A password manager can help a user create and remember strong passwords.
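As an added example (not part of the chapter), the checker below applies the rules just stated: at least eight characters, all four character classes present, and nothing that relates back to the user. The generator alongside it is the kind of function a password manager provides, built on the operating system's CSPRNG. The minimum length and the personal-data fields come from the text; the class names and the field names are mine.

```python
# Added example (not from the chapter): password policy check and CSPRNG generator.
import secrets
import string
from typing import Dict, List, Optional

MIN_LENGTH = 8
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(password: str, personal: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, cls in CLASSES.items():
        if not chars & cls:
            problems.append(f"missing {name} character")
    # Anything that relates back to the user (name, birthdate, address) is guessable.
    lowered = password.lower()
    for field, value in (personal or {}).items():
        for token in str(value).lower().split():
            if len(token) >= 3 and token in lowered:
                problems.append(f"contains {field} ({token})")
    return problems


def generate_password(length: int = 16) -> str:
    """Pick one character from each class, fill the rest, then shuffle with a CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("length too small to cover all character classes")
    alphabet = "".join("".join(sorted(c)) for c in CLASSES.values())
    chars = [secrets.choice(sorted(cls)) for cls in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # do not use random.shuffle for secrets
    return "".join(chars)


if __name__ == "__main__":
    print(check_password("alice1990!", {"name": "Alice", "birthdate": "1990-05-01"}))
    print(check_password(generate_password()))   # [] : the generated value passes
```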

What You Have

Smart cards and security key fobs are both examples of something that users have in their possession.

Smart Card Security (Figure 1) – A smart card is a small plastic card, about the size of a credit card, with a small chip embedded in it. The chip is an intelligent data carrier, capable of processing, storing, and safeguarding data. Smart cards store private information, such as bank account numbers, personal identification, medical records, and digital signatures. Smart cards provide authentication and encryption to keep data safe.

Security Key Fob (Figure 2) – A security key fob is a device that is small enough to attach to a key ring. It uses a process called two-factor authentication, which is more secure than a username and password combination. First, the user enters a personal identification number (PIN). If correctly entered, the security key fob will display a number. This is the second factor, which the user must enter to log in to the device or network.
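The following added example is not from the chapter and does not describe any particular vendor's fob. It shows how a server can check the two factors described above, assuming the fob's displayed number is an OATH HOTP value (RFC 4226: HMAC-SHA1 over a counter, then dynamic truncation); the chapter does not name the algorithm. The PIN, the shared secret and the salt are constructed demo values.

```python
# Added example (not from the chapter): server-side check of PIN + fob code.
# Assumption: the fob implements RFC 4226 HOTP. Demo secret, PIN and salt only.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a slow, salted hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class FobAccount:
    """Server-side state for one user's fob: shared secret, expected counter, PIN hash."""

    def __init__(self, secret: bytes, pin: str, salt: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.salt = salt
        self.pin_hash = hash_pin(pin, salt)
        self.look_ahead = look_ahead   # tolerate a few button presses not sent in

    def verify(self, pin: str, code: str) -> bool:
        """Factor 1 (PIN, something you know), then factor 2 (fob code, something
        you have). A used counter is never accepted again, which blocks replay."""
        if not hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash):
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # resynchronise past the used counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test secret
    account = FobAccount(secret, pin="4321", salt=b"demo-salt")
    print(hotp(secret, 0))                    # 755224, the RFC's first test vector
    print(account.verify("4321", hotp(secret, 0)))   # True
    print(account.verify("4321", hotp(secret, 0)))   # False: replayed code
```

Two details matter in practice: both comparisons use `hmac.compare_digest` so timing does not leak which factor failed, and the look-ahead window is bounded, so a stolen code only works once and only if it is within a few presses of the server's counter.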


Who You Are

A unique physical characteristic, such as a fingerprint, retina, or voice, that identifies a specific user is called biometrics. Biometric security compares physical characteristics against stored profiles to authenticate users. A profile is a data file containing known characteristics of an individual. The system grants the user access if his or her characteristics match saved settings. A fingerprint reader is a common biometric device.

There are two types of biometric identifiers:

  • Physiological characteristics – these include fingerprints, DNA, face, hands, retina, or ear features
  • Behavioral characteristics – these include patterns of behavior, such as gestures, voice, typing rhythm, or the way a user walks

Biometrics is becoming increasingly popular in public security systems, consumer electronics, and point-of-sale applications. Implementing biometrics uses a reader or scanning device, software that converts the scanned information into digital form, and a database that stores biometric data for comparison.

Multi-factor Authentication

Multi-factor authentication uses at least two methods of verification. A security key fob is a good example. The two factors are something you know, such as a password, and something you have, such as a security key fob. Take this a step further by adding something you are, such as a fingerprint scan.

Multi-factor authentication can reduce the incidence of online identity theft because knowing the password would not give cyber criminals access to user information. For example, an online banking website might require a password and a PIN that the user receives on his or her smartphone. As shown in the figure, withdrawing cash from an ATM is another example of multifactor authentication. The user must have the bankcard and know the PIN before the ATM will dispense cash.

What is Authorization?

Authorization controls what a user can and cannot do on the network after successful authentication. After a user proves his or her identity, the system checks to see what network resources the user can access and what the user can do with the resources. As shown in the figure, authorization answers the question, “What read, copy, create, and delete privileges does the user have?”

Authorization uses a set of attributes that describes the user’s access to the network. The system compares these attributes to the information contained within the authentication database, determines a set of restrictions for that user, and delivers it to the local router where the user is connected.

Authorization is automatic and does not require users to perform additional steps after authentication. Implement authorization immediately after the user authenticates.


Using Authorization

Defining authorization rules is the first step in controlling access. An authorization policy establishes these rules.

A group membership policy defines authorization based on membership in a specific group. For example, all employees of an organization have a swipe card, which provides access to the facility. If an employee’s job does not require that she have access to the server room, her security card will not allow her to enter that room.

An authority-level policy defines access permissions based on an employee’s standing within the organization. For example, only senior-level employees in an IT department may access the server room.

What is Accountability?

Accountability traces an action back to the person or process making a change to a system, collects this information, and reports the usage data. The organization can use this data for such purposes as auditing or billing. The collected data might include the login time for a user, whether the user’s login was a success or failure, or what network resources the user accessed. This allows an organization to trace actions, errors, and mistakes during an audit or investigation.

Implementing Accountability

Implementing accountability consists of technologies, policies, procedures, and education. Log files provide detailed information based on the parameters chosen. For example, an organization may look at the log for login failures and successes. Login failures can indicate that a criminal tried to hack an account. Login successes tell an organization which users are using what resources and when. Is it normal for an authorized user to access the corporate network at 3:00 a.m.? The organization’s policies and procedures spell out what actions should be recorded and how the log files are generated, reviewed, and stored.
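The added example below (not from the chapter) runs the review just described over a few constructed login records: it counts failures per user, flags anyone who passes a failure threshold (the clipping level listed under logical controls earlier in this chapter), lists which resources each user actually reached, and surfaces successful logins outside business hours such as the 3:00 a.m. case. The log format, the 07:00 to 19:00 window and the threshold of three are assumptions for this demo.

```python
# Added example (not from the chapter): reviewing constructed login records.
# Log format, business-hours window and clipping level are demo assumptions.
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-01-08T08:15:02 user=alice result=SUCCESS src=10.0.0.5 resource=fileserver
2024-01-08T08:16:40 user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-01-08T08:16:52 user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-01-08T08:17:03 user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-01-08T08:17:20 user=bob result=SUCCESS src=10.0.0.9 resource=vpn
2024-01-09T03:00:11 user=carol result=SUCCESS src=203.0.113.7 resource=payroll
2024-01-09T12:30:00 user=alice result=FAILURE src=10.0.0.5 resource=fileserver
"""

BUSINESS_HOURS = range(7, 19)   # 07:00 .. 18:59
CLIPPING_LEVEL = 3              # failures per user before a flag is raised


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def review(log_text):
    """Summarise failures, flagged users, resource usage and off-hours successes."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    failures = Counter(r["user"] for r in records if r["result"] == "FAILURE")
    flagged = sorted(u for u, n in failures.items() if n >= CLIPPING_LEVEL)
    used = defaultdict(set)
    for r in records:
        if r["result"] == "SUCCESS":
            used[r["user"]].add(r["resource"])
    off_hours = [(r["time"].isoformat(), r["user"], r["resource"])
                 for r in records
                 if r["result"] == "SUCCESS" and r["time"].hour not in BUSINESS_HOURS]
    return {
        "failures": dict(failures),
        "flagged": flagged,
        "resources": {u: sorted(rs) for u, rs in used.items()},
        "off_hours": off_hours,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that bob's three failures followed by a success would be missed by a review that only looks at successes; counting failures against a clipping level is what makes the pattern visible.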

Data retention, media disposal, and compliance requirements all provide accountability. Many laws require the implementation of measures to secure different data types. These laws guide an organization on the right way to handle, store, and dispose of data. The education and awareness of an organization’s policies, procedures, and related laws can also contribute to accountability.

Preventive Controls

Prevent means to keep something from happening. Preventive access controls stop unwanted or unauthorized activity from happening. For an authorized user, a preventive access control means restrictions. Assigning users specific privileges on a system is an example of a preventive control. Even though a user is an authorized user, the system puts limits in place to prevent the user from accessing and performing unauthorized actions. A firewall that blocks access to a port or service that cyber criminals can exploit is also a preventive control.

Deterrent Controls

A deterrent is the opposite of a reward. A reward encourages individuals to do the right thing, while a deterrent discourages them from doing the wrong thing. Cyber security professionals and organizations use deterrents to limit or mitigate an action or behavior, but deterrents do not stop them. Access control deterrents discourage cyber criminals from gaining unauthorized access to information systems and sensitive data. Access control deterrents discourage attacking systems, stealing data, or spreading malicious code. Organizations use access control deterrents to enforce cybersecurity policies.

Deterrents make potential cyber criminals think twice before committing a crime. The figure lists common access control deterrents used in the cybersecurity world.


Detective Controls

Detection is the act or process of noticing or discovering something. Access control detections identify different types of unauthorized activity. Detection systems can be very simple, such as a motion detector or security guard. They can also be more complex, such as an intrusion detection system. All detective systems have several things in common: they look for unusual or prohibited activity, and they provide methods to record or alert system operators of potential unauthorized access. Detective controls do not prevent anything from happening; they are more of an after-the-fact measure.


Corrective Controls

To correct means to counteract something that is undesirable. Organizations put corrective access controls in place after a system experiences a threat. Corrective controls restore the system back to a state of confidentiality, integrity, and availability. They can also restore systems to normal after unauthorized activity occurs.


Recovery Controls

Recovery is a return to a normal state. Recovery access controls restore resources, functions, and capabilities after a violation of a security policy. Recovery controls can repair damage, in addition to stopping any further damage. These controls have more advanced capabilities than corrective access controls.


Compensative Controls

Compensate means to make up for something. Compensative access controls provide alternatives to other controls to bolster enforcement in support of a security policy.

A compensative control can also be a substitution used in place of a control that is not possible under the circumstances. For example, an organization may not be able to have a guard dog, so instead it deploys a motion detector with a spotlight and a barking sound.

What is Data Masking?

Data masking technology secures data by replacing sensitive information with a non-sensitive version. The non-sensitive version looks and acts like the original. This means that a business process can use non-sensitive data and there is no need to change the supporting applications or data storage facilities. In the most common use case, masking limits the propagation of sensitive data within IT systems by distributing surrogate data sets for testing and analysis. Information can be dynamically masked if the system or application determines that a user request for sensitive information is risky.

Data Masking Techniques

Data masking can replace sensitive data in non-production environments to protect the underlying information.

There are several data masking techniques that can ensure that data remains meaningful but changed enough to protect it.

  • Substitution replaces data with authentic-looking values to apply anonymity to the data records.
  • Shuffling derives a substitution set from the same column of data that a user wants to mask. This technique works well for financial information in a test database, for example.
  • Nulling out applies a null value to a particular field, which completely prevents visibility of the data.
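The following added example (not from the chapter) applies the three techniques above to a constructed customer table: names are substituted, salaries are shuffled within their own column, and the identifier column is nulled out. The surrogate names, the seed and the column names are mine. The substitution is written to be consistent (the same real value always maps to the same surrogate) so that a masked test database still joins correctly across tables.

```python
# Added example (not from the chapter): substitution, shuffling and nulling out
# applied to a constructed table. Surrogate names and seed are demo values.
import copy
import random

ROWS = [
    {"id": 1, "name": "Alice Ng", "salary": 71000, "ssn": "111-22-3333"},
    {"id": 2, "name": "Bob Diaz", "salary": 56000, "ssn": "444-55-6666"},
    {"id": 3, "name": "Chen Wu", "salary": 99000, "ssn": "777-88-9999"},
    {"id": 4, "name": "Alice Ng", "salary": 71000, "ssn": "111-22-3333"},
]

SURROGATE_NAMES = ["Pat Reyes", "Sam Okafor", "Lee Tanaka", "Max Novak", "Kim Haddad"]


def substitute(rows, column, surrogates):
    """Replace each distinct value with an authentic-looking surrogate, consistently:
    the same original always gets the same surrogate (first-seen order)."""
    out = copy.deepcopy(rows)
    mapping = {}
    for row in out:
        value = row[column]
        if value not in mapping:
            if len(mapping) == len(surrogates):
                raise ValueError("not enough surrogate values for the distinct originals")
            mapping[value] = surrogates[len(mapping)]
        row[column] = mapping[value]
    return out


def shuffle(rows, column, seed=7):
    """Permute one column within itself; the set of values is unchanged, the
    link between a row and its real value is broken."""
    out = copy.deepcopy(rows)
    values = [row[column] for row in out]
    random.Random(seed).shuffle(values)    # seeded so a test data set is reproducible
    for row, value in zip(out, values):
        row[column] = value
    return out


def null_out(rows, column):
    """Remove the value entirely; nothing about it survives in the masked copy."""
    out = copy.deepcopy(rows)
    for row in out:
        row[column] = None
    return out


def mask_table(rows):
    """The pipeline a test environment would run before data leaves production."""
    masked = substitute(rows, "name", SURROGATE_NAMES)
    masked = shuffle(masked, "salary")
    return null_out(masked, "ssn")


if __name__ == "__main__":
    for row in mask_table(ROWS):
        print(row)
```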

What is Steganography?

Steganography conceals data (the message) in another file such as a graphic, audio, or other text file. The advantage of steganography over cryptography is that the secret message does not attract any special attention. No one would ever know that a picture actually contained a secret message by viewing the file either electronically or in hardcopy.

There are several components involved in hiding data. First, there is the embedded data, which is the secret message. The cover-text (or cover-image or cover-audio) hides the embedded data producing the stego-text (or stego-image or stego-audio). A stego-key controls the hiding process.

Steganography Techniques

The usual approach used to embed data in a cover image is Least Significant Bit (LSB) insertion. This method uses bits of each pixel in the image. A pixel is the basic unit of programmable color in a computer image. The specific color of a pixel is a blend of three colors: red, green, and blue (RGB). Three bytes of data specify a pixel’s color (one byte for each color). Eight bits make up a byte. A 24-bit color system uses all three bytes. LSB insertion uses one bit of each of the red, green, and blue color components, so each pixel can store 3 bits.

The figure shows three pixels of a 24-bit color image. One of the letters in the secret message is the letter T, and inserting the character T changes only two bits of the color. The human eye cannot recognize the changes made to the least significant bits. The result is a hidden character.

On average, not more than half of the least significant bits used for embedding will need to change to hide a secret message effectively, because a bit that already matches the message bit is left as it is.
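The following added example (not from the chapter) performs LSB insertion on a constructed 24-bit image held as a list of (R, G, B) tuples, reads the message back, and counts how many colour values actually changed. The three cover pixels are constructed so that embedding the letter T changes exactly two bits, as the figure describes; the functions and the capacity check are mine.

```python
# Added example (not from the chapter): LSB embedding and extraction on a
# constructed pixel list, with a count of the colour values that changed.

def to_bits(data: bytes):
    """Most-significant bit first, the order in which the figure reads the character."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, data: bytes):
    """Write each message bit into the LSB of the next colour channel (3 per pixel).
    Returns (stego_pixels, number_of_channel_values_that_changed)."""
    if len(data) * 8 > len(pixels) * 3:
        raise ValueError("message does not fit: each pixel carries only 3 bits")
    flat = [c for px in pixels for c in px]
    changed = 0
    for i, bit in enumerate(to_bits(data)):
        new = (flat[i] & 0xFE) | bit      # clear bit 0, then set it to the message bit
        changed += new != flat[i]         # a matching LSB costs no change at all
        flat[i] = new
    stego = [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]
    return stego, changed


def extract(pixels, nbytes: int) -> bytes:
    """Read the LSBs back in the same order and reassemble the bytes."""
    flat = [c for px in pixels for c in px]
    out = bytearray()
    for b in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (flat[b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


COVER = [(120, 75, 33), (200, 14, 255), (64, 90, 180)]   # constructed 3-pixel cover

if __name__ == "__main__":
    stego, changed = embed(COVER, b"T")
    print(stego, "bits changed:", changed)      # 2 of the 8 bits written
    print(extract(stego, 1))                    # b'T'
```

The ninth channel (180) is never touched because the single character only needs eight bits; the capacity check at the top is what stops a longer message from running off the end of the image.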


Social Steganography

Social steganography hides information in plain sight by creating a message that can be read a certain way by some to get the message. Others who view it in a normal way will not see the message. Teens on social media use this tactic to communicate with their closest friends while keeping others, like their parents, unaware of what the message actually means. For example, the phrase “going to the movies” might mean “going to the beach”.

Individuals in countries that censor media also use social steganography to get their messages out by misspelling words on purpose or making obscure references. In effect, they communicate to different audiences simultaneously.

Detection

Steganalysis is the process of discovering that hidden information exists; its goal is to uncover that hidden information.

Patterns in the stego-image create suspicion. For example, a disk may have unused areas that hide information. Disk analysis utilities can report on hidden information in unused clusters of storage devices. Filters can capture data packets that contain hidden information in packet headers. Both of these methods rely on steganography signatures.

By comparing an original image with the stego-image, an analyst may pick up repetitive patterns visually.
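The following added example (not from the chapter) does the comparison described above in code: given an original image and a suspect copy, it lists every colour value that differs, checks whether the differences are confined to the least significant bit, and dumps the LSB plane so an analyst can look for a pattern. Both pixel arrays are constructed; the suspect copy differs from the original exactly as LSB insertion of one character would leave it.

```python
# Added example (not from the chapter): original-versus-suspect comparison for
# LSB steganalysis. Both pixel lists are constructed demo data.
ORIGINAL = [(120, 75, 33), (200, 14, 255), (64, 90, 180)]
SUSPECT = [(120, 75, 32), (201, 14, 255), (64, 90, 180)]


def compare_images(original, suspect):
    """Return (list of (pixel, channel, old, new) differences, lsb_only flag)."""
    if len(original) != len(suspect):
        raise ValueError("images have different sizes")
    diffs = []
    for p, (a, b) in enumerate(zip(original, suspect)):
        for ch in range(3):
            if a[ch] != b[ch]:
                diffs.append((p, ch, a[ch], b[ch]))
    # XOR of old and new equals 1 exactly when only bit 0 changed.
    lsb_only = all((old ^ new) == 1 for _, _, old, new in diffs)
    return diffs, lsb_only


def lsb_plane(pixels) -> str:
    """The LSB of every channel as a bit string; this is what an analyst inspects
    for structure, since message bits tend to look different from image noise."""
    return "".join(str(c & 1) for px in pixels for c in px)


def verdict(original, suspect) -> str:
    diffs, lsb_only = compare_images(original, suspect)
    if not diffs:
        return "identical"
    if lsb_only:
        return (f"{len(diffs)} channel(s) differ only in the least significant bit: "
                "consistent with LSB embedding")
    return f"{len(diffs)} channel(s) differ beyond the LSB: not plain LSB embedding"


if __name__ == "__main__":
    print(compare_images(ORIGINAL, SUSPECT))
    print("original LSB plane:", lsb_plane(ORIGINAL))
    print("suspect LSB plane: ", lsb_plane(SUSPECT))
    print(verdict(ORIGINAL, SUSPECT))
```

With an original to hand the comparison is conclusive; without one, the LSB plane is all the analyst has, which is why the text describes signatures and patterns rather than exact recovery.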

Obfuscation

Data obfuscation is the use and practice of data masking and steganography techniques in the cybersecurity and cyber intelligence profession. Obfuscation is the art of making the message confusing, ambiguous, or harder to understand. A system may purposely scramble messages to prevent unauthorized access to sensitive information.

Applications

Software watermarking protects software from unauthorized access or modification. Software watermarking inserts a secret message into the program as proof of ownership. The secret message is the software watermark. If someone tries to remove the watermark, the result is nonfunctional code.

Software obfuscation translates software into a version equivalent to the original but one that is harder for attackers to analyze. Trying to reverse engineer the software gives unintelligible results from software that still functions.


