When access to objects is under discussion, three key subject labels are often used—namely, user, owner, and custodian. The user is a subject who accesses objects on a system pursuant to performing an action or accomplishing some work task. The owner is the subject responsible for classifying and labeling objects, and protecting and storing data. A custodian is a subject to whom responsibility for properly storing and protecting objects is assigned or delegated.
Separation of duties provides a necessary set of check and balances whereby multiple sub- jects must verify each other’s actions on objects, and work together to accomplish necessary work tasks. Separation of duties helps to reduce the possibility (and the perpetration) of mali- cious, fraudulent, and other unauthorized uses of objects. Proper separation and segregation of duties ensures that no single individual obtains sufficient access to violate security policy without involving other individuals.
Exam Essentials
Know the common access control techniques. Common access control techniques include
discretionary, mandatory, nondiscretionary, rule-based, role-based, and lattice-based. Access controls are used to manage the type and extent of access subjects have to objects. This is important to system security because such controls define who has access to what.
Understand access control administration. Securely creating new user accounts, managing and
maintaining user accounts on an ongoing basis, auditing/logging/monitoring subject activity, and assigning and managing subject access are important aspects of keeping a system secure. Security is an ongoing task, and administration is how you keep a system secure over time.
Know details about each of the access control models. There are two primary categories of
access control techniques: discretionary and nondiscretionary. Nondiscretionary can be further subdivided into specific techniques, such as mandatory, role-based, and task-based access control.
Understand the processes of identification and common identification factors. The processes
of identification include subject identity claims by using a username, user ID, PIN, smart card, biometric factors, and so on. They are important because identification is the first step in authen- ticating a subject’s identity and proper access rights to objects.
Understand the processes of authentication and the various authentication factors. Authenti-
cation involves verifying the authentication factor provided by a subject against the authentica- tion factor stored for the claimed identity, which could include passwords, biometrics, tokens, tickets, SSO, and so on. In other words, the authentication process ensures that a subject is who they claim to be and grants object rights accordingly.
Understand the processes of authorization. Authorization ensures that the requested activity
or object access is possible given the rights and privileges assigned to the authenticated identity. This is important because it maintains security by providing proper access rights for subjects.
Understand the strengths and weaknesses of passwords. Users typically choose passwords
that are easy to remember and therefore easy to guess or crack, which is one weakness often
36 Chapter 1 Accountability and Access Control
associated with passwords. Another is that randomly generated passwords are hard to remem- ber, and thus many users write them down. Passwords are easily shared and can be stolen through many means. Additionally, passwords are often transmitted in clear text or with easily broken encryption protocols, and password databases are often stored in publicly acces- sible online locations. Finally, short passwords can be discovered quickly in brute-force attacks. On the other hand, passwords can be effective if selected intelligently and managed properly. It is important to change passwords frequently; the more often the same password is used, the more likely it will be compromised or discovered.
Know the two access control methodologies and implementation examples. Access con-
trol methodologies include centralized access control, in which authorization verification is performed by a single entity within a system, and decentralized access control, in which autho- rization verification is performed by various entities located throughout a system. Remote authentication mechanisms such as RADIUS and TACACS are implementation examples; they are used to centralize the authentication of remote dial-up connections.
Understand the use of biometrics. Biometric factors are used for identification or authenti-
cation. FRR, FAR, and CER are important aspects of biometric devices. Fingerprints, face scans, iris scans, retina scans, palm topography, palm geography, heart/pulse pattern, voice pattern, signature dynamics, and keystroke patterns are often used along with other authen- tication factors, such as a password, to provide an additional method to control authentica- tion of subjects.
Understand single sign-on. Single sign-on (SSO) is a mechanism that allows a subject to be
authenticated only once on a system and be able to access resource after resource unhindered by further authentication prompts. Kerberos, SESAME, KryptoKnight, NetSP, thin clients, directory services, and scripted access are all SSO mechanisms.
Understand access control administration Access control administration breaks down into
three areas of administrative responsibility: user account management, activity tracking, and access rights and permission management. It’s important to understand the tasks and activities related to each of these three areas, and how they can impact security.
Appreciate how account, log and journal monitoring enforce accountability Managing
access control also means holding subjects accountable for their actions. Account, log, and journal monitoring and auditing tools provide the means whereby accountability may be assigned to specific subjects.
Understand key concepts involved in assigning object access The principle of least privilege
dictates that subjects be granted no more permissions than they absolutely need to perform their assigned work duties. Need to know means they subjects should only be granted object access when they require such access to do their jobs (and adds a specific dimension to individual objects that general security classification schemes cannot provide). In general, the default access rule for objects should be to deny them unless specific subjects require access to do their jobs (and then such access should permit only those actions that the job entail, and no more).