pirate.moo's gitbook

3. Access Control

What is a Security Control?

A safeguard or countermeasure designed to preserve confidentiality, integrity and availability (CIA)

Access control: Limiting what is available to whom

  • Not only restricting access but also granting it

Access decisions (allow or deny) are based on three elements: subjects, objects and rules

Subject

Any entity that requests access to assets: user/client/process/program

  • Active: Initiates the request

  • Should have a level of clearance (perms) appropriate to the asset it requests

Object

Anything a subject attempts to access: device, process, person, user, program, server, client, entity

  • Passive: Takes no action until called on by a subject

  • Objects respond to the requests they receive

  • Objects don't contain their own access control logic

    • Building, computer, file, db, printer, server, etc.

  • Anything that provides a service to a user and responds to a request

Rule

An instruction to allow/deny access to an object by comparing the requesting subject's identity to the object's ACL

  • Can compare multiple attributes to determine the appropriate access

    • Allow/deny access to an object, apply time-based access (e.g. business hours only)

    • Define how much access is allowed (e.g. read vs. write)

Controls Assessment: Risk reduction depends on the effectiveness of the control, so controls are assessed for it

Defense in Depth: Integrates people, tech and ops to establish variable barriers across many layers

  • Multiple countermeasures in a layered fashion to fulfill security objectives, so no single control is a single point of failure

Principle of Least Privilege

Permitting only the minimum access needed for users and programs to perform their function

Privileged Access Management

Privileged accounts:

  • Perms beyond those of normal users: Managers, admins, help desk, security analysts

  • More extensive and detailed logging of their activity

  • More stringent access controls than regular users (e.g. stronger authentication), more auditing

Segregation of Duties: No single person should control a high-risk transaction from start to finish

  • Dual control: Two separate combination locks on the door of a vault, each combination held by a different person

  • Two-Person Integrity: Two people must be present in an area, making it impossible for one person to be there alone

Authorized vs. Unauthorized Personnel

New employee: Management requests the creation of new user IDs

  • Includes instructions on access levels: Authorization required for elevated perms

Change of position: Perms/access rights may change with the role

  • Any access no longer needed is removed; new access is granted only as the new role requires

Separation of employment: Accounts disabled at termination

  • Recommended that accounts be disabled for a period before deletion (keeps the audit trail and the user's data intact while they are reviewed)

Physical Access Controls

Mechanisms to prevent, monitor or detect direct contact with systems or areas in a facility

Guards, fences, detectors, doors, gates, badges, cameras, mantraps, turnstiles, alarms

Badge: Issued with employee identifiers, granting access

  • May include biometric characteristics compared against a db

  • Integrated with logging to document access activity

  • Some devices combine processes to detect counterfeiting

Badge technologies include: Barcodes, magnetic stripes, proximity readers (RFID)

Crime Prevention through Environmental Design:

  • Creating safer workspaces through passive design elements

  • Helps solve challenges of crime via design methods

Biometrics

Uses characteristics unique to individuals

2 processes for verification:

  1. Enrollment: The user's biometric is registered and the resulting code is stored in the system or on a smart card kept by the user

  2. Verification: The user presents biometric data so it can be compared against the enrolled code

Physiological systems: Measure physical characteristics like fingerprints, iris or face

Behavioral systems: Measure how a person acts, e.g. signature and keystroke dynamics

Monitoring and Logging

  • Logs may be needed to prove compliance with regulations

    • Must be protected from manipulation (forward to a separate collector, write-once storage, integrity checks)

  • Guidelines for log retention must be established and followed

Log anomaly: Anything out of the ordinary in a log; spotting one is often the first step in identifying a security issue

PCI DSS: Payment Card Industry Data Security Standard:

  • Requires businesses to retain 1 year of audit log data, with at least the most recent 3 months immediately available for analysis
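The two logging points above (logs must be protected from manipulation; a log anomaly is anything out of the ordinary) in working form. This is an added example, not ISC2 material or code from this gitbook: the sample events, the signing key and the "business hours" rule are constructed for the demo. Each log entry carries an HMAC over the previous entry's MAC, so editing, reordering or deleting a line breaks verification from that point on; the anomaly check then flags two ordinary "out of the ordinary" patterns, a burst of failed logins and a privileged login outside business hours.

```python
"""Tamper-evident log chain plus a simple anomaly check over it (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed secret for the example. In practice the key lives on the log
# collector, not on the host writing events, so a host compromise cannot re-sign history.
LOG_KEY = b"example-only-log-signing-key"

# Constructed sample events: "timestamp user account_type outcome".
SAMPLE_EVENTS = [
    "2024-03-01T09:02:11 alice user login_ok",
    "2024-03-01T09:15:40 bob user login_fail",
    "2024-03-01T09:15:44 bob user login_fail",
    "2024-03-01T09:15:49 bob user login_fail",
    "2024-03-01T09:15:53 bob user login_fail",
    "2024-03-01T13:30:00 carol admin login_ok",
    "2024-03-02T02:41:07 carol admin login_ok",
]


@dataclass(frozen=True)
class Entry:
    seq: int
    line: str
    mac: str  # HMAC over (previous MAC, seq, line): chains each entry to its predecessor


def _mac(prev: str, seq: int, line: str) -> str:
    msg = f"{prev}|{seq}|{line}".encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def build_chain(lines):
    """Append-only: each MAC covers the previous MAC, so altering or removing an
    earlier line invalidates every later entry."""
    chain, prev = [], ""
    for seq, line in enumerate(lines):
        mac = _mac(prev, seq, line)
        chain.append(Entry(seq, line, mac))
        prev = mac
    return chain


def verify_chain(chain):
    """Return the index of the first entry that fails, or -1 if the chain is intact."""
    prev = ""
    for expected_seq, entry in enumerate(chain):
        good = entry.seq == expected_seq and hmac.compare_digest(
            entry.mac, _mac(prev, entry.seq, entry.line)
        )
        if not good:
            return expected_seq
        prev = entry.mac
    return -1


def find_anomalies(lines, fail_threshold=3, hours=(8, 18)):
    """Flag a burst of failed logins for one user and any admin login outside
    business hours (constructed rules; a real baseline comes from your own data)."""
    findings = []
    fails = {}
    for line in lines:
        ts, user, acct, outcome = line.split()
        hour = int(ts[11:13])
        if outcome == "login_fail":
            fails[user] = fails.get(user, 0) + 1
            if fails[user] == fail_threshold:
                findings.append(f"{user}: {fail_threshold} failed logins")
        elif acct == "admin" and not (hours[0] <= hour < hours[1]):
            findings.append(f"{user}: admin login at {ts} outside business hours")
    return findings


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain))
    tampered = list(chain)
    tampered[1] = Entry(1, "2024-03-01T09:15:40 bob user login_ok", chain[1].mac)
    print("first bad entry after edit:", verify_chain(tampered))
    for finding in find_anomalies(SAMPLE_EVENTS):
        print(finding)
```

The chain only proves that nothing was changed after signing; it does not stop an attacker who controls the key from rewriting history, which is why the key and the verified copy belong on a separate collector. The anomaly rules are deliberately simple placeholders for whatever baseline your environment establishes.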

Logical Access Controls

Electronic ways of limiting what someone can access

Passwords, biometrics, badges, tokens

Discretionary Access Control (DAC)

Policy enforced over all subjects and objects in a system

Policy specifies that those who have access can:

  • Pass info and grant privs to others

  • Change or choose the attributes of newly created or revised objects

  • Change the rules governing access control

    • Rule-based access controls: Usually a form of DAC

  • An object's ACL shows the total set of subjects who have perms on it

  • A capabilities list shows each object a subject has perms on
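The subject/object/rule model from the top of the page and the ACL vs. capability list distinction just above, as one runnable example. This is added illustration, not ISC2 material or code from this gitbook; the users, objects and ACL entries are constructed. The reference monitor compares the requesting subject's ID to the object's ACL, honours a time window and a permission level (write implies read here), and defaults to deny when the subject or object is unknown. The capability list is the same relation viewed from the subject's side.

```python
"""Subjects, objects and rules: ACL evaluation with time windows (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time

# Permission levels a rule can grant, lowest to highest ("how much access").
LEVELS = ("read", "write")


@dataclass(frozen=True)
class Rule:
    """One ACL entry: grants `level` to `subject`, optionally only inside [start, end)."""
    subject: str
    level: str
    start: time | None = None  # None = no time restriction
    end: time | None = None

    def active_at(self, now: time) -> bool:
        if self.start is None or self.end is None:
            return True
        return self.start <= now < self.end


# Object -> its ACL. Objects are passive and carry no decision logic of their
# own; the reference monitor below decides. Constructed sample data.
ACL: dict[str, list[Rule]] = {
    "payroll.db": [
        Rule("alice", "write", time(8, 0), time(18, 0)),  # business hours only
        Rule("bob", "read"),
    ],
    "hr-printer": [
        Rule("alice", "write"),
        Rule("carol", "write"),
    ],
}


def decide(subject: str, obj: str, requested: str, now: str) -> bool:
    """Allow iff an active ACL entry on `obj` names `subject` at >= `requested` level.

    `now` is "HH:MM". Default deny: unknown objects and unlisted subjects are refused.
    """
    if requested not in LEVELS:
        raise ValueError(f"unknown permission level: {requested}")
    want = LEVELS.index(requested)
    at = time.fromisoformat(now)
    for rule in ACL.get(obj, []):
        if rule.subject == subject and rule.active_at(at):
            if LEVELS.index(rule.level) >= want:
                return True
    return False


def acl_view(obj: str) -> dict[str, str]:
    """The object's ACL: every subject holding a permission on it."""
    return {r.subject: r.level for r in ACL.get(obj, [])}


def capability_list(subject: str) -> dict[str, str]:
    """The subject's capability list: every object it holds a permission on.

    Same relation as the ACLs, indexed by subject instead of by object.
    """
    caps: dict[str, str] = {}
    for obj, rules in ACL.items():
        for r in rules:
            if r.subject == subject:
                caps[obj] = r.level
    return caps


if __name__ == "__main__":
    print(decide("alice", "payroll.db", "write", "10:00"))  # inside window
    print(decide("alice", "payroll.db", "write", "22:00"))  # outside window
    print(decide("bob", "payroll.db", "write", "10:00"))    # only read granted
    print(decide("dave", "payroll.db", "read", "10:00"))    # not on the ACL
    print(acl_view("payroll.db"))
    print(capability_list("alice"))
```

Note that the time window is evaluated at decision time, not at grant time: a subject holding a time-bound entry is still refused outside the window, which is the "apply time-based access" behaviour the Rule notes describe.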

Mandatory Access Control (MAC)

Policy uniformly enforced across all subjects and objects within the boundary of a system

Subjects are constrained from:

  • Passing info or granting access to unauthorized subjects

  • Changing attributes on subjects, objects or components

  • Choosing attributes associated with newly created or modified objects

  • Changing the rules governing access control

Key difference from DAC: who can control access (in MAC the system's security administrators do, not the object's owner)

Role-Based Access Control (RBAC)

Sets up perms on roles; each role represents users with similar perms
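RBAC as described above, combined with the Segregation of Duties and change-of-position / separation-of-employment notes earlier on the page. Added example, not ISC2 material or code from this gitbook; the roles, permissions and the conflicting pair of duties are constructed. Permissions attach to roles, users get roles, a role is refused if it would give one person both halves of a high-risk transaction, a mover's old roles are dropped rather than accumulated, and a leaver is disabled (no effective access) rather than deleted.

```python
"""Role-based access with a segregation-of-duties check (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Roles group users with similar needs; permissions attach to the role, never to a user.
ROLE_PERMS: dict[str, frozenset[str]] = {
    "ap_clerk": frozenset({"invoice.create", "invoice.read"}),
    "ap_approver": frozenset({"invoice.read", "invoice.approve"}),
    "auditor": frozenset({"invoice.read", "log.read"}),
    "help_desk": frozenset({"user.reset_password"}),
}

# Segregation of duties: no one person may hold both halves of this transaction.
SOD_CONFLICTS = {frozenset({"invoice.create", "invoice.approve"})}


@dataclass
class Account:
    user: str
    roles: set[str] = field(default_factory=set)
    enabled: bool = True

    def permissions(self) -> frozenset[str]:
        """Effective permissions: the union of the account's roles, or nothing if disabled."""
        if not self.enabled:
            return frozenset()
        perms: set[str] = set()
        for role in self.roles:
            perms |= ROLE_PERMS[role]
        return frozenset(perms)


def sod_violations(account: Account) -> list[frozenset[str]]:
    """Every conflicting pair of duties the account would hold at once."""
    perms = account.permissions()
    return [pair for pair in SOD_CONFLICTS if pair <= perms]


def assign_role(account: Account, role: str) -> bool:
    """Grant a role unless the result breaches segregation of duties; return whether granted."""
    if role not in ROLE_PERMS:
        raise KeyError(f"unknown role: {role}")
    trial = Account(account.user, set(account.roles) | {role}, account.enabled)
    if sod_violations(trial):
        return False
    account.roles.add(role)
    return True


def change_position(account: Account, new_roles: set[str]) -> list[str]:
    """Mover: replace the role set so access no longer needed is removed.

    Returns the roles that were refused by the SoD check.
    """
    account.roles.clear()
    return [role for role in sorted(new_roles) if not assign_role(account, role)]


def terminate(account: Account) -> None:
    """Leaver: disable rather than delete, so the record stays reviewable for a while."""
    account.enabled = False


def can(account: Account, perm: str) -> bool:
    return perm in account.permissions()


if __name__ == "__main__":
    alice = Account("alice")
    print(assign_role(alice, "ap_clerk"))      # True
    print(assign_role(alice, "ap_approver"))   # False: would create and approve invoices
    print(change_position(alice, {"ap_approver"}), sorted(alice.permissions()))
    terminate(alice)
    print(alice.permissions())                 # frozenset(): disabled, roles still on record
```

Least privilege falls out of the model: a user's effective permissions are exactly the union of the roles they currently hold, so auditing access means auditing role membership, and removing a role removes everything that came with it.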
