Access Control Flashcards
Access Control
Methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it
Access Control Models
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Rule-based Access Control
Lattice-based Access Control
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Discretionary Access Control (DAC)
• The access control policy is determined by the owner
• DAC is commonly used
• DAC has two requirements:
  1. Every object in a system must have an owner
  2. Each owner determines access rights and permissions for each object
Mandatory Access Control (MAC)
• An access control policy where the computer system determines the access control for an object
• The owner chooses the permissions in DAC but in MAC, the computer does
• MAC relies on security labels being assigned to every user (called a subject) and every file/folder/device or network connection (called an object)
• Data labels create trust levels for all subjects and objects
• To access something, you need to meet the minimum level and have a “need-to-know”
• MAC is implemented through the Rule-based and the Lattice-based access control methods
Rule-based Access Control
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
Lattice-based Access Control
• Utilizes complex mathematics to create sets of objects and subjects to define how they interact
• Mandatory Access Control is a feature in FreeBSD & SELinux
• Used only in high-security systems due to its complex configuration
Role-Based Access Control (RBAC)
• An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level
• Power Users is a role-based permission
Attribute-Based Access Control (ABAC)
• An access model that is dynamic and context-aware using IF-THEN statements
• If Jason is in HR, then give him access to \\fileserver\HR
Best Practices - Access Control
Implicit Deny
Least Privilege
Separation of Duties
Job Rotation
Least Privilege
Users are only given the lowest level of access needed to perform their job functions
Separation of Duties
• Requires more than one person to conduct a sensitive task or operation
• Separation of duties can be implemented by a single user with a user and admin account
Permissions in Windows
• Full Control
• Modify
• Read & Execute
• List Folder Contents
• Read
• Write
chmod
• Program in Linux that is used to change the permissions or rights of a file or folder using a shorthand number system
  ◦ R (Read) = 4
  ◦ W (Write) = 2
  ◦ X (Execute) = 1
• # chmod 760 filename
  ◦ 7 = Owner can RWX
  ◦ 6 = Group can RW
  ◦ 0 = All Users (no access)
• 777 allows everyone to Read, Write, and Execute
Privilege Creep
• Occurs when a user gets additional permissions over time as they rotate through different positions or roles
• Privilege creep violates the principle of least privilege
User Access Recertification
Process where each user’s rights and permissions are revalidated to ensure they are correct
• Hired
• Fired
• Promoted