Access Control, Authentication, and Public Key Infrastructure

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Access control protects resources against unauthorized viewing, tampering, or destruction. It serves as a primary means of ensuring privacy and confidentiality and of preventing unauthorized disclosure. The first part of Access Control, Authentication, and Public Key Infrastructure defines the components of access control, provides a business framework for implementation, and discusses legal requirements that affect access control programs. It then looks at the risks, threats, and vulnerabilities prevalent in information systems and IT infrastructures and how to handle them. The final part is a resource for students and professionals that discusses putting access control systems to work, as well as testing and managing them.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. ONE. The Need for Access Control Systems
    1. 1. Access Control Framework
      1. Access and Access Control
        1. What Is Access?
        2. What Is Access Control?
      2. Principal Components of Access Control
        1. Access Control Systems
        2. Access Control Subjects
        3. Access Control Objects
      3. Access Control Process
        1. Identification
        2. Authentication
        3. Authorization
      4. Logical Access Controls
        1. Logical Access Controls for Subjects
          1. Who
          2. What
          3. When
          4. Where
          5. How
        2. Group Access Controls
        3. Logical Access Controls for Objects
      5. Authentication Factors
        1. Something You Know
        2. Something You Have
        3. Something You Are
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 1 ASSESSMENT
    2. 2. Assessing Risk and Its Impact on Access Control
      1. Definitions and Concepts
      2. Threats and Vulnerabilities
        1. Access Control Threats
          1. Password Cracking
          2. Heightened Access
          3. Social Engineering
        2. Access Control Vulnerabilities
        3. Assessing the Impact of Threats and Vulnerabilities
          1. Considerations for Designing a Risk Assessment
      3. Value, Situation, and Liability
        1. Potential Liability and Non-Financial Impact
        2. Where Are Access Controls Needed Most?
        3. How Secure Must the Access Control Be?
        4. The Utility of Multilayered Access Control Systems
          1. User Domain
          2. Workstation Domain
          3. LAN Domain
          4. LAN-to-WAN Domain
          5. WAN Domain
          6. Remote Access Domain
          7. System/Application Domain
          8. Examining a Multilayered Approach
      4. Case Studies and Examples
        1. Private Sector
        2. Public Sector
        3. Critical Infrastructure
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 2 ASSESSMENT
    3. 3. Business Drivers for Access Controls
      1. Business Requirements for Asset Protection
        1. Importance of Policy
        2. Senior Management Role
      2. Classification of Information
        1. Classification Schemes
          1. National Security Classification
          2. Corporations
          3. Reasons for Classification
          4. Declassification Process and Policy
        2. Personally Identifiable Information (PII)
        3. Privacy Act Information
      3. Competitive Use of Information
        1. Warfare as a Model for Business
          1. Sun Tzu
          2. Clausewitz
            1. Case study.
        2. Valuation of Information
          1. As a Competitive Advantage
            1. Case study.
          2. As Penalties for Improper Disclosure
      4. Business Drivers
        1. Cost-Benefit Analysis
          1. Advantage Gained
          2. Risk Avoided
        2. Risk Assessment
        3. Business Facilitation
          1. Access Levels
            1. Understanding access levels: A newsletter example.
            2. Understanding access levels: An order process example.
          2. Restricting Access
        4. Cost Containment
        5. Operational Efficiency
          1. The Right Information
          2. The Right People
          3. The Right Time
        6. IT Risk Management
          1. Full Asset Inventory
          2. Vulnerability Assessment
          3. Threat Assessment
          4. Mitigation Plans
          5. Risk Assessment Policies
        7. Compliance—Laws, Regulations, and Agreements
      5. Controlling Access and Protecting Value
        1. Importance of Internal Access Controls
        2. Importance of External Access Controls
        3. Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties
          1. Access Controls with Respect to Contractors
          2. Access Controls with Respect to Vendors
          3. Access Controls with Respect to Other Third Parties
      6. Examples of Access Control Successes and Failures in Business
        1. Case Study in Access Control Success
        2. Case Study in Access Control Failure
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 3 ASSESSMENT
      10. ENDNOTES
    4. 4. Access Control Policies, Standards, Procedures, and Guidelines
      1. U.S. Compliance Laws and Regulations
        1. Gramm-Leach-Bliley Act (GLBA)
          1. Requirements
          2. GLBA and Access Control
        2. Health Insurance Portability and Accountability Act (HIPAA)
          1. Privacy Rule
          2. Transactions and Codes Set Rule
          3. Unique Identifier Standards Rule
          4. Security Rule
          5. Enforcement Rule
        3. Sarbanes-Oxley (SOX) Act
        4. Family Educational Rights and Privacy Act (FERPA)
        5. Children's Internet Protection Act (CIPA)
        6. 21 CFR Part 11
        7. North American Electric Reliability Council (NERC)
        8. Homeland Security Presidential Directive 12 (HSPD 12)
          1. Part 1
          2. Part 2
      2. Access Control Security Policy Best Practices
        1. Private Sector—Enterprise Organizations
          1. Defining an Authorization Policy
          2. Access Control for Facilities
          3. Access Control for Systems
          4. Access Control for Applications
          5. Access Control for Data
          6. Access Control for Remote Access
        2. Public Sector—Federal, State, County, and City Government
        3. Critical Infrastructure, Including Utilities and Transportation
          1. Supervisory Control and Data Acquisition (SCADA) Process Control Systems
          2. Threats and Vulnerabilities
      3. IT Security Policy Framework
        1. What Policies Are Needed for Access Controls?
        2. What Standards Are Needed to Support These Policies?
        3. What Procedures Are Needed to Implement These Policies?
        4. What Guidelines Are Needed for Departments and End Users?
      4. Examples of Access Control Policies, Standards, Procedures, and Guidelines
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 4 ASSESSMENT
      8. ENDNOTE
    5. 5. Unauthorized Access and Security Breaches
      1. Deterring Information Theft
        1. U.S. Federal Laws
          1. Computer Fraud and Abuse Act (CFAA)
          2. Digital Millennium Copyright Act
        2. State Laws
      2. Cost of Inadequate Front-Door and First-Layer Access Controls
      3. Access Control Failures
        1. People
          1. Rogue Internal Operatives
          2. Other People-Related Threats
        2. Technology
          1. Access Control and Privacy Assessments
            1. Structure of a PIA.
      4. Security Breaches
        1. Kinds of Security Breaches
        2. Why Security Breaches Occur
        3. Implications of Security Breaches
          1. The Impact of a Security Breach Can Be Significant
          2. Financial Impact of Security Breaches
            1. Monster.com security breach.
            2. TJX security breach.
        4. Private Sector Case Studies
          1. LexisNexis
          2. Bank One
        5. Public Sector Case Study
        6. Critical Infrastructure Case Study
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 5 ASSESSMENT
  5. TWO. Mitigating Risk with Access Control Systems, Authentication, and PKI
    1. 6. Mapping Business Challenges to Access Control Types
      1. Mapping Business Challenges to Types of Control
        1. Business Continuity
          1. Disaster Prevention
            1. When physical and administrative controls fail.
          2. Disaster Recovery
          3. Customer Access to Data
          4. Maintain Competitive Advantage
        2. Risk and Risk Mitigation
          1. Risk Avoidance
          2. Risk Acceptance
          3. Risk Transference
          4. Risk Mitigation
        3. Threats and Threat Mitigation
        4. Vulnerabilities and Vulnerability Management
      2. Solving Business Challenges with Access Control Strategies
        1. Employees with Access to Systems and Data
          1. Who Needs Access to Which Resources?
          2. Creating Groups and Roles
          3. External Access to Systems and Data
        2. Employees with Access to Sensitive Systems and Data
        3. Administrative Strategies
        4. Technical Strategies
        5. Separation of Responsibilities
        6. Least Privilege
          1. Risks Associated with Users Having Administrative Rights
          2. Common Roles
            1. Administrator.
            2. User.
            3. Guest.
        7. Need to Know
        8. Input/Output Controls
          1. Input Controls
          2. Output Controls
      3. Case Studies and Examples of Access Control Systems That Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 6 ASSESSMENT
    2. 7. Human Nature and Organizational Behavior
      1. The Human Element
        1. Dealing with Human Nature
          1. The Unintentional Threat
          2. Hackers and Motivation
          3. Social Engineering
        2. Pre-Employment Background Checks for Sensitive Positions
          1. What Information Can Be Considered in an Employment Decision
          2. What Information Cannot be Considered in an Employment Decision
          3. Applicant's Rights
          4. Consequences of a Bad Hiring Decision
        3. Ongoing Observation of Personnel
          1. Identify Potentially Disgruntled Employees
          2. Proper Way to Terminate Access upon Termination of Employment
      2. Organizational Structure
      3. Job Rotation and Position Sensitivity
      4. Requirement for Periodic Vacation
      5. Separation of Duties
        1. Concept of Two-Person Control
        2. Collusion
        3. Monitoring and Oversight
      6. Responsibilities of Access Owners
      7. Training Employees
        1. Acceptable Use Policy
        2. Security Awareness Policy
      8. Ethics
        1. What Is Right and What Is Wrong
          1. Ethics Go Beyond "Do Not Steal"
        2. Enforcing Policies
        3. Human Resources Involvement
      9. Best Practices for Handling Human Nature and Organizational Behavior
        1. Make Security Practices Common Knowledge
        2. Foster a Culture of Open Discussion
        3. Encourage Creative Risk-Taking
      10. Case Studies and Examples of Access Control Systems That Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 7 ASSESSMENT
    3. 8. Access Control for Information Systems
      1. Access Control for Data
        1. Data at Rest
          1. Securing DAR
        2. Data in Motion
          1. Securing DIM
        3. Object-Level Security
      2. Access Control for File Systems
        1. Access Control List
        2. Discretionary Access Control List
        3. System Access Control List
      3. Access Control for Executables
        1. Delegated Access Rights
      4. Microsoft Windows Workstations and Servers
        1. Domain Administrator Rights
        2. Super Administrator Rights
      5. UNIX and Linux
        1. UNIX and Linux File Permissions
        2. Linux Intrusion Detection System (LIDS)
        3. The Root Superuser
        4. Network Information Service (NIS) and NIS+
      6. Supervisory Control and Data Acquisition (SCADA) and Process Control Systems
      7. Best Practices for Access Controls for Information Systems
      8. Case Studies and Examples of Access Control Solutions That Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 8 ASSESSMENT
    4. 9. Physical Security and Access Control
      1. Physical Security
      2. Designing a Comprehensive Plan
        1. Building Security and Access
        2. Points of Entry and Exit
        3. Physical Obstacles and Barriers
        4. Granting Access to Physical Areas Within a Building
          1. Generic Work Areas
          2. Sensitive Work Areas
          3. Classified Government Facilities
          4. Computer Rooms and Data Centers
      3. Biometric Access Control Systems
        1. Principles of Operation
        2. Types of Biometric Systems
          1. Physiological Types
            1. Fingerprint.
            2. Retina.
            3. Iris.
            4. Hand geometry.
            5. Facial recognition.
          2. Behavioral Types
            1. Typing tempo.
            2. Signature analysis.
            3. Voice recognition.
        3. Implementation Issues
          1. False Acceptance Rate
          2. False Rejection Rate
          3. Crossover Error Rate
          4. Failure to Enroll Rate
          5. Failure to Capture Rate
        4. Modes of Operation
          1. Verification
          2. Identification
        5. Parameters
          1. Universality
          2. Uniqueness
          3. Permanence
          4. Collectability
          5. Performance
          6. Acceptability
          7. Circumvention
        6. Legal and Business Issues
          1. Privacy Concerns
          2. Cost-Effectiveness of Biometric Solution
          3. Cost of Deployment and Maintenance
          4. Database Storage and Transmission
          5. Law Enforcement Databases
          6. Personal Danger Issues
      4. Technology-Related Access Control Solutions
        1. Traditional
        2. Electronic Key Management System (EKMS)
        3. Fobs and Tokens
        4. Common Access Cards (CAC)
      5. Outsourcing Physical Security—Pros and Cons
        1. Benefits of Outsourcing Physical Security
        2. Risks Associated with Outsourcing Physical Security
      6. Best Practices for Physical Access Controls
      7. Case Studies and Examples of Physical Security and Access Control Systems That Uniquely Solve Business Challenges
        1. Private Sector—Case Studies and Examples
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 9 ASSESSMENT
    5. 10. Access Control in the Enterprise
      1. Access Control Lists (ACLs) and Access Control Entries (ACEs)
      2. Access Control Models
        1. Discretionary Access Control (DAC)
        2. Mandatory Access Control (MAC)
        3. Role-Based Access Control (RBAC)
        4. Attribute-Based Access Control (ABAC)
      3. Authentication Factors
        1. Types of Factors
          1. Something You Know
            1. Weaknesses of knowledge-based methodologies.
          2. Something You Have
            1. Smart card.
            2. Time-variable token.
            3. Challenge-response device.
          3. Something You Are
            1. Physiological-based biometrics.
            2. Behavior-based biometrics.
        2. Factor Usage Criteria
          1. Single-Factor Authentication
          2. Two-Factor Authentication
          3. Three-Factor Authentication
      4. Kerberos
        1. How Does Kerberos Authentication Work?
        2. Use of Symmetric Key and Trusted Third Parties for Authentication
        3. Key Distribution Center (KDC)
        4. Authentication Tickets
        5. Principal Weaknesses in Implementation
        6. When Appropriate for Business Use
      5. Network Access Control
        1. Layer 2 Techniques
          1. MAC Address Database for LAN Switches
          2. Defining Broadcast Domains
          3. IEEE 802.1q Virtual Local Area Networks (VLANs)
        2. Layer 3 Techniques
          1. Access Control Lists
          2. Route Maps
          3. Disabling IP Routing for Complete IP Traffic Isolation
        3. CEO/CIO/CSO Emergency Disconnect Prime Directive
      6. Wireless IEEE 802.11 LANs
        1. Access Control to IEEE 802.11 WLANs
        2. Identification
        3. Confidentiality
        4. Authorization
      7. Single Sign-On (SSO)
        1. Defining the Scope for SSO
        2. Configuring User and Role-Based User Access Control Profiles
        3. Common Configurations
        4. Enterprise SSO
      8. Best Practices for Handling Access Controls in an Enterprise Organization
      9. Case Studies and Examples of Enterprise Access Control Solutions That Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 10 ASSESSMENT
      13. ENDNOTES
  6. THREE. Implementing, Testing, and Managing Access Control Systems
    1. 11. Access Control System Implementations
      1. Transforming Access Control Policies and Standards into Procedures and Guidelines
        1. Transform Policy Definitions into Implementation Tasks
          1. Approaches
          2. Implementation
        2. Follow Standards Where Applicable
          1. IEEE
          2. National Institute of Standards and Technology (NIST)
          3. Federal Information Security Management Act (FISMA)
          4. ISO
          5. Internet Engineering Task Force (IETF)
          6. PCI Security Standards Council
          7. Center for Internet Security
        3. Create Simple and Easy-to-Follow Procedures
        4. Define Guidelines That Departments and Business Units Can Follow
      2. Identity Management and Access Control
        1. User Behavior, Application, and Network Analysis
      3. Size and Distribution of Staff and Assets
      4. Multilayered Access Control Implementations
        1. User Access Control Profiles
        2. Systems Access
        3. Applications Access
        4. File and Folder Access
        5. Data Access
      5. Access Controls for Employees, Remote Employees, Customers, and Business Partners
        1. Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
        2. Intranets—Internal Business Operations and Communications
        3. Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
        4. Secure E-commerce Portals with Minimum SSL 128-Bit Encryption Web Portals
        5. Secure Online Banking Access Control Implementations
        6. Encryption—Minimum SSL 128-Bit Encryption Web Portal
        7. Logon/Password Access
        8. Identification Imaging and Authorization
      6. Best Practices for Access Control Implementations
      7. Case Studies and Examples of Access Control Implementations That Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Example
        3. Critical Infrastructure Case Study
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 11 ASSESSMENT
      11. ENDNOTES
    2. 12. Access Control Solutions for Remote Workers
      1. Growth in Mobile Work Force
      2. Remote Access Methods and Techniques
        1. Identification
        2. Authentication
        3. Authorization
      3. Access Protocols to Minimize Risk
        1. Authentication, Authorization, and Accounting (AAA)
        2. Remote Authentication Dial In User Service (RADIUS)
        3. Remote Access Server (RAS)
        4. TACACS, XTACACS, and TACACS+
        5. Differences Between RADIUS and TACACS+
      4. Remote Authentication Protocols
      5. Virtual Private Networks (VPNs)
      6. Web Authentication
        1. Knowledge-Based Authentication (KBA)
      7. Best Practices for Remote Access Controls to Support Remote Workers
      8. Case Studies and Examples of Remote Access Control Solutions That Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 12 ASSESSMENT
    3. 13. Public Key Infrastructure and Encryption
      1. Public Key Infrastructure (PKI)
        1. What Is PKI?
        2. Encryption and Cryptography
          1. A Review of Symmetric and Asymmetric Encryption
        3. Business Requirements for Cryptography
        4. Digital Certificates and Key Management
        5. Symmetric Versus Asymmetric Algorithms
        6. Certificate Authority (CA)
      2. Ensuring Integrity, Confidentiality, Authentication, and Non-Repudiation
        1. Use of Digital Signatures
      3. What PKI Is and What It Is Not
      4. What Are the Potential Risks Associated with PKI?
      5. Implementations of Business Cryptography
        1. Distribution
        2. In-House Key Management Versus Outsourced Key Management
      6. Certificate Authorities (CA)
        1. Why Outsourcing to a CA May Be Advantageous
        2. Risks and Issues with Outsourcing to a CA
      7. Best Practices for PKI Use Within Large Enterprises and Organizations
      8. Case Studies and Examples of PKI Use Within Large Organizations to Uniquely Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Examples
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 13 ASSESSMENT
    4. 14. Testing Access Control Systems
      1. Purpose of Testing Access Control Systems
      2. Software Development Life Cycle and the Need for Testing Software
        1. Planning
        2. Requirements Analysis
        3. Software Design
        4. Development
        5. Testing and Integration
        6. Release and Training
        7. Support
      3. Security Development Life Cycle and the Need for Testing Security Systems
        1. Initiation
        2. Acquisition and Development
        3. Implementation and Testing
        4. Operations and Maintenance
        5. Sunset or Disposition
      4. Information Security Activities
        1. Requirements Definition—Testing the Functionality of the Original Design
        2. Development of Test Plan and Scope
          1. Intrusive Versus Nonintrusive Testing
          2. Vulnerability Assessment Scanning
            1. Nmap.
            2. Nessus.
            3. Retina.
          3. Unauthorized Access and Security Breach Attack Plan
          4. Gap Analysis Within the Seven Domains of a Typical IT Infrastructure
            1. User Domain.
            2. Workstation Domain.
            3. LAN Domain.
            4. LAN-to-WAN Domain.
            5. WAN Domain.
            6. Remote Access Domain.
            7. System/Application Domain.
        3. Selection of Penetration Testing Teams
          1. Red Team
          2. Blue Team
          3. Tiger Teams
      5. Performing the Access Control System Penetration Test
        1. Assess if Access Control System Policies and Standards Are Followed
        2. Assess if the Security Baseline Definition Is Being Achieved Throughout
        3. Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
      6. Preparing the Final Test Report
        1. Identify Gaps and Risk Exposures and Assess Impact
        2. Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
        3. Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 14 ASSESSMENT
    5. 15. Access Control Assurance
      1. What Is Information Assurance?
        1. CIA Triad
          1. Confidentiality
          2. Integrity
          3. Availability
        2. Five Pillars of IA
          1. Authentication
          2. Non-Repudiation
        3. Parkerian Hexad
          1. Possession or Control
          2. Authenticity
          3. Utility
      2. How Can Information Assurance Be Applied to Access Control Systems?
        1. Access Controls Enforce Confidentiality
        2. Access Controls Enforce Integrity
        3. Access Controls Enforce Availability
        4. Training and Information Assurance Awareness
      3. What Are the Goals of Access Control System Monitoring and Reporting?
      4. What Checks and Balances Can Be Implemented?
        1. Track and Monitor Event-Type Audit Logs
        2. Track and Monitor User-Type Audit Logs
        3. Track and Monitor Unauthorized Access Attempts Audit Logs
      5. Audit Trail and Audit Log Management and Parsing
      6. Audit Trail and Audit Log Reporting Issues and Concerns
      7. Security Information and Event Management (SIEM)
      8. Best Practices for Performing Ongoing Access Control System Assurance
      9. Case Studies and Examples of Access Control System Assurance Strategies to Solve Business Challenges
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 15 ASSESSMENT
      13. ENDNOTES
  7. A. Answer Key
  8. B. Standard Acronyms
  9. Glossary of Key Terms
  10. References