jemtallon
StaridLabs CISSP Study slides for week 1
Access Control
Week 1 (pages 1-80)
Jem Jensen
Overview
Access Control - Only authorized users, programs, and systems are allowed to access resources
Not surprisingly, the process for defining access control is:
1. Define Resources
2. Define Users
3. Specify Access between users and resources
Overview
"Joining the CIA"
Confidentiality - Is it secret?
Integrity - Is it safe?
Availability - Does Sauron have it?
Stances
1. Allow-By-Default
   1. Easy to set up, hard to secure
2. Deny-By-Default
   1. Easy to secure, hard to set up
Defence in Depth
• Layer different access control styles
• Every layer reduces the chance that a single attacker will find a hole through all of the layers
Overview
Separation Of Duties
Separation of Duties - 2 keys to launch the nuke!
Process/Concerns:
• Element identity, importance and criticality
• Identify areas at risk/prone to abuse
• Add an "approval" step
• Operational considerations
• Efficiency
• Cost vs. Risk
• User skill/availability
• Must be enough personnel
Least Privilege
Only give enough access for users to perform their jobs
Need to know
• Simple way to implement least privilege
• Only share information with a user if they "need" it
Compartmentalization
• Isolate groups from each other so information doesn't get leaked
Security Domain
Set up a hierarchy of access
PC user accounts example:
1. Guest
2. User
3. Power user
4. Admin
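The three steps above (define resources, define users, specify access), the two stances, need-to-know compartments and the guest/user/power user/admin hierarchy can be tied together in a small policy check. This is an added example, not code from the slides; all resources, users and rules in it are constructed sample data.

```python
from dataclasses import dataclass

# Security domain hierarchy from the slides (guest < user < power user < admin).
DOMAINS = ["guest", "user", "power_user", "admin"]

@dataclass(frozen=True)
class Resource:
    name: str
    min_domain: str                        # lowest domain in the hierarchy allowed to access
    compartments: frozenset = frozenset()  # need-to-know groups required (all of them)

@dataclass(frozen=True)
class Subject:
    name: str
    domain: str
    compartments: frozenset = frozenset()

def decide(subject, resource, rules, stance="deny"):
    """Return True if access is granted.

    rules maps (subject, resource) -> "allow" or "deny" (step 3: specify access).
    stance selects what happens when no rule exists: "deny" (deny-by-default)
    or "allow" (allow-by-default). The hierarchy and need-to-know checks are
    separate layers, so an explicit allow still cannot bypass them.
    """
    verdict = rules.get((subject.name, resource.name))
    if verdict is None:
        verdict = "allow" if stance == "allow" else "deny"
    if verdict == "deny":
        return False
    if DOMAINS.index(subject.domain) < DOMAINS.index(resource.min_domain):
        return False  # below the required position in the hierarchy
    if not resource.compartments <= subject.compartments:
        return False  # lacks need-to-know for some compartment
    return True

# Constructed sample data: resources, users and explicit rules.
WIKI = Resource("public_wiki", "guest")
PAYROLL = Resource("payroll.xlsx", "user", frozenset({"hr"}))
SERVER_CFG = Resource("server_config", "admin")
ALICE = Subject("alice", "admin")                  # admin, but not in HR
BOB = Subject("bob", "user", frozenset({"hr"}))    # HR clerk
CAROL = Subject("carol", "guest")
RULES = {("alice", "payroll.xlsx"): "allow", ("bob", "payroll.xlsx"): "allow"}

if __name__ == "__main__":
    print(decide(BOB, PAYROLL, RULES))                # True: rank and need-to-know both hold
    print(decide(ALICE, PAYROLL, RULES))              # False: admin rank, but no HR need-to-know
    print(decide(CAROL, WIKI, RULES))                 # False: deny-by-default, no rule for carol
    print(decide(CAROL, WIKI, RULES, "allow"))        # True: allow-by-default lets it through
    print(decide(CAROL, SERVER_CFG, RULES, "allow"))  # False: hierarchy still blocks a guest
```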
Information Classification
Different security levels for different information
Benefits:
• Establish ownership of info
• Reduce waste
• Focus resources on the highest risk
• Easier to find areas which are lacking
• Can quickly reveal info's worth
• Easier to raise awareness
• Easier to train/retrain staff
Information Classification
The Process:
1. Determine Objectives
   1. This is a process, not a project! It will be ongoing forever
   2. Defining objectives on each iteration helps you keep track of the work and celebrate the victories along the way
2. Establish Organizational Support
   1. Get buy-in on the objectives from management
   2. If they can't see the cost-to-benefit they may not support your work
3. Develop Info Class Policy & Procedures
   1. Requirements, scope, purpose, definitions
(Mostly high-level up to this point)
Information Classification
4. Process Flows
   1. Document the process, flow charts
5. Tools
   1. Make sure everyone is speaking the same language
6. Identify Application Owners
   1. Custodians of data. They can help identify stakeholders
7. Identify Info Owners
   1. They know the data, decide who can access data
8. Distribute templates
   1. Info owners fill them out to identify the data they manage
(Mid-level up to this point)
Information Classification
9. Classify Info
   1. Is it public? Internal only? Confidential? Restricted?
10. Develop Auditing
   1. Perform this process again on new data
   2. Do "spot" checks (check track, locked screens)
11. Load Classification Info Into A Repository
   1. Allows analysis
12. Train
   1. What classifications mean, importance, scenarios
13. Review and Update
   1. Improve quality, keep the process ongoing
Labeling
Use your classification system
Create silos if it's easier:
• Mark all backup tapes as "confidential" instead of separating out the confidential data to its own tapes
Access Control Requirements
1. Reliability
2. Transparency
3. Scalability
4. Integrity
5. Maintainability
6. Auditability
7. Authentication Data Security
Access Control Types & Cats
2 Methods of defining Access Controls
1. By Type
   1. What the control itself is doing
2. By Category
   1. Who is implementing the control -or-
   2. How the control is used
Access Control Categories
Categories
1. Administrative
   1. Management-style controls like firing people, holding employee reviews, performing trainings
2. Technical/Logical
   1. Electronic controls like enforcing passwords, badges, logging
3. Physical
   1. Locks, gates, guards, etc
Administrative Controls
• Policies And Procedures
• Personnel Evaluation/Clearance
• Security Policies
• Monitoring
• User Access Management
• Privilege Management
Logical Controls
• Network Access
• Remote Access
• System Access
• Application Access
• Malware Control
• Cryptography
Physical Controls
Are apparently self-explanatory since the book skipped them :P
Next week:
Pages 81 - 148