# Module 13: Access Control
### 13.1 Access Controls
---
#### **13.1.1 Avatar**
Access controls consist of physical, logical, and administrative measures to restrict unauthorized access. These controls work with **Authentication, Authorization, and Accounting (AAA)** to protect organizational resources.
---
#### **13.1.2 Physical Access Controls**
**Definition:** Barriers that prevent direct physical contact with systems.
**Examples:**
- Guards
- Fences
- Motion detectors
- Laptop locks
- Locked doors
- Swipe cards
- Guard dogs
- Video cameras
- Mantrap-style entry systems
- Alarms
---
#### **13.1.3 Logical Access Controls**
**Definition:** Hardware and software solutions to manage resource access.
**Examples:**
- **Encryption**: Converts plaintext to ciphertext.
- **Smart cards**: Embedded microchip for secure storage.
- **Passwords**: Protected strings of characters.
- **Biometrics**: Fingerprints, voice, retina scans.
- **Access control lists (ACLs)**: Define allowed network traffic.
- **Protocols**: Govern data exchange rules.
- **Firewalls**: Prevent unwanted traffic.
- **Routers**: Connect multiple networks.
- **Intrusion detection systems**: Monitor suspicious activities.
- **Clipping levels**: Define error thresholds.
---
#### **13.1.4 Administrative Access Controls**
**Definition:** Policies and procedures that implement and enforce access control.
**Examples:**
- Policies: Statements of intent.
- Procedures: Step-by-step guides for activities.
- Hiring practices: Screening and onboarding methods.
- Background checks: Verify employment, credit, and criminal history.
- Data classification: Categorize data by sensitivity.
- Security training: Educate employees on security policies.
- Reviews: Evaluate employee performance.
---
#### **13.1.5 AAA Security Services**
**Authentication:** Verifies user identity.
- Methods:
  - **Something they know**: Passwords or PINs.
  - **Something they have**: Tokens or smart cards.
  - **Something they are**: Biometrics (fingerprint, retina, etc.).
- **Two-factor authentication (2FA):** Combines two methods for better security.
**Authorization:** Defines access permissions.
- Uses **Access Control Lists (ACLs)** to determine what resources users can access and when.
- Example: Limited access to a database during work hours.
**Accounting:** Tracks user activities.
- Logs access times, changes made, and resource usage.
- Example: Bank systems track all transactions for auditing.
---
#### **13.1.6 Identification**
**Definition:** Ensures proper association between users and their actions using unique identifiers.
- Common identifiers: Usernames, PINs, smart cards, or biometrics.
---
#### **13.1.8 Federated Identity Management**
**Definition:** Allows multiple enterprises to use the same credentials for access across their networks.
- Example: Using social login credentials to access multiple websites.
- **Risk:** The broader scope means one compromised credential cascades to every site that accepts it.
- **Security:** Tie login to an authorized device to prevent identity theft.
---
#### **13.1.9 Authentication Methods**
**What You Know:**
- **Passwords:** At least 8 characters, include uppercase, lowercase, numbers, and symbols. Avoid predictable information like birthdates or names.
  - Use different passwords for different systems.
**What You Have:**
- **Smart Cards:** Embedded microchip for secure storage (e.g., bank account details).
- **Security Key Fobs:** Often used in **2FA**. Generate temporary PINs for login.
**Who You Are:**
- **Biometrics:** Unique physical (e.g., fingerprints) or behavioral traits (e.g., typing rhythm).
  - Examples: Fingerprint readers, retina scans.
---
#### **13.1.10 Multi-Factor Authentication**
**Definition:** Combines two or more verification methods.
- Example 1: Online banking requires a password and a PIN sent to the user’s phone.
- Example 2: ATMs require both a card and a PIN.
- **2FA:** A common form of multi-factor authentication using two factors.
---
#### **13.1.12 Authorization**
**Definition:** Determines what users can do after successful authentication.
**Implementation:**
- Authorization rules define user access permissions.
- **Group Membership Policy:** Access based on user roles or groups (e.g., swipe cards for employees but restricted server room access).
- **Authority-Level Policy:** Access based on user positions.
---
#### **13.1.15 Accountability**
**Definition:** Traces user actions back to individuals or processes for auditing purposes.
**Implementation:**
- Technologies: Log files monitor login times, access details, and resource usage.
- Policies: Define what actions are recorded and how logs are reviewed.
- Data Retention: Store and manage data per compliance standards.
**Purpose:** Identifies unauthorized access attempts, tracks resource usage, and ensures compliance with data security regulations.
>[!Warning]Recap
>There are many types of access controls. This topic covered physical, logical, and administrative controls. Physical access controls are actual barriers deployed to prevent direct physical contact with systems. Examples include guards to monitor the facility, motion detectors, and mantraps. Logical access controls are the hardware and software solutions used to manage access to resources and systems. Examples include encryption, ACLs, and intrusion detection systems. The concept of administrative access controls involves three security services: authentication, authorization, and accounting. Identification enforces the rules established by the authorization process. Multi-factor authentication uses at least two methods of verification. Authorization controls what a user can and cannot do on the network after successful authentication. Accountability traces an action back to a person or process making the change to the system.
### 13.2 Access Control Concepts
---
#### **13.2.1 Zero Trust Security**
**Definition:**
A comprehensive approach to securing access across networks, applications, and environments based on the principle, "never trust, always verify."
- **Purpose:** Prevent unauthorized access, contain breaches, and minimize lateral movement in a network.
- **Key Principle:** Assume zero trust at every access request.
**Key Pillars:**
1. **Zero Trust for the Workforce:** Ensures secure access to applications for employees, contractors, and partners on personal or corporate devices.
2. **Zero Trust for Workloads:** Focuses on secure access between APIs, microservices, containers, and databases in virtualized environments.
3. **Zero Trust for the Workplace:** Protects all devices connecting to enterprise networks, including IoT devices, servers, and industrial systems.
---
#### **13.2.2 Access Control Models**
**Access Control Models Overview:**
1. **Discretionary Access Control (DAC):**
- Least restrictive.
- Owners control access to their data using Access Control Lists (ACLs).
2. **Mandatory Access Control (MAC):**
- Strictest model, typically used in military or mission-critical settings.
- Users access data based on their clearance levels.
3. **Role-Based Access Control (RBAC):**
- Access is based on roles and responsibilities within the organization.
- A non-discretionary model where roles are assigned security privileges.
4. **Attribute-Based Access Control (ABAC):**
- Access is determined by attributes of the user, resource, or environment (e.g., time of day).
5. **Rule-Based Access Control (Rule-Based RBAC):**
- Access rules define permitted IPs, protocols, and conditions.
6. **Time-Based Access Control (TAC):**
- Restricts access based on specific times or days.
**Principle of Least Privilege:**
- Grants users/processes the minimum access needed to perform their tasks.
- **Risk:** Privilege escalation exploits vulnerabilities to grant unauthorized elevated access.
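The models above differ in *who* decides and *what* the decision is based on. This added example (not from the course notes) is a small policy decision point that contrasts DAC, RBAC and ABAC on constructed users, roles, objects and a work-hours window, plus a least-privilege review helper that lists a user's effective permissions:

```python
"""Added example, not from the course notes: a small policy decision point that
contrasts the DAC, RBAC and ABAC models listed above. Users, roles, objects and
the work-hours window are all constructed sample data."""
from datetime import time

# DAC: each object's owner maintains its own ACL.
DAC_ACL = {
    "payroll.xlsx": {"owner": "alice", "acl": {"bob": {"read"}}},
    "tickets.db": {"owner": "carol", "acl": {"bob": {"read", "write"}}},
}

# RBAC: permissions attach to roles; users only get roles.
ROLE_PERMS = {
    "hr": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "helpdesk": {("tickets.db", "read"), ("tickets.db", "write")},
}
USER_ROLES = {"alice": {"hr"}, "bob": {"helpdesk"}}


def dac_allows(user, obj, action):
    """Owner has full control; everyone else needs an explicit ACL entry."""
    entry = DAC_ACL.get(obj)
    if entry is None:
        return False
    return user == entry["owner"] or action in entry["acl"].get(user, set())


def rbac_allows(user, obj, action):
    """Allowed if any of the user's roles carries the (object, action) pair."""
    return any((obj, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def abac_allows(user, obj, action, now, work_start=time(8), work_end=time(18)):
    """ABAC adds an environment attribute (time of day) on top of the role
    check, like the 13.1.5 example of database access only during work hours."""
    return rbac_allows(user, obj, action) and work_start <= now < work_end


def effective_permissions(user):
    """Least-privilege review aid: everything a user can do through RBAC."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMS.get(role, set())
    return sorted(perms)
```

Running `effective_permissions` for each user during an access review is the practical way to catch role creep before it becomes an escalation path.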
---
#### **13.2.3 Network Access Control (NAC) Systems**
**Definition:**
NAC systems enforce organizational policies on devices and users attempting to access the network.
**Capabilities:**
- Enforce access policies based on operational conditions.
- Recognize and profile connected devices to prevent damage from malicious software.
- Provide secure access to guests via registration portals.
- Evaluate compliance with security policies by user type, device type, and OS.
- Mitigate incidents by blocking, isolating, or repairing non-compliant devices.
**Key Features for BYOD and IoT:**
- Automated control for thousands of devices.
- Enforcement of organizational policies to grant or deny access based on detected factors.
**Integration with Zero Trust:**
- NAC systems are essential to zero-trust architecture, ensuring compliance for all users and devices.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/19-1-4-check-your-understanding-identify-the-access-control-model-answers.html).
:::
>[!Warning]Recap
>The CIA triad consists of the primary three components of information security: confidentiality, integrity, and availability. Network data can be encrypted (made unreadable to unauthorized users) using a variety of cryptography applications. The trend is that all data be encrypted. Zero trust is a comprehensive approach to securing all access across networks, applications, and environments. The principle of zero trust is “never trust, always verify”. Traditionally, the network perimeter, or edge, was the boundary between inside and outside, or trusted and untrusted. In a zero trust approach, any place at which an access control decision is required should be considered a perimeter. This means that although a user or other entity may have successfully passed access control previously, they are not trusted to access another area or resource until they are authenticated. The pillars of trust are zero trust for workforce, zero trust for workloads, and zero trust for workplace. Access control methods include discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), attribute-based access control (ABAC), rule-based access control (RBAC), and time-based access control (TAC). A common exploit is known as privilege escalation. In this exploit, vulnerabilities in servers or access control systems are exploited to grant access to an unauthorized user or software process.
### 13.3 Account Management
---
#### **13.3.1 Role of Network Administrators**
**Purpose:**
Network administrators ensure users have appropriate account types based on their roles, adhering to the principle of least privilege.
**Account Types:**
1. **User Accounts:** For daily system resource use.
2. **Service Accounts:** For operating system interactions.
3. **Guest Accounts:** Temporary accounts for limited access.
---
#### **13.3.2 Account Types and Best Practices**
1. **Default Accounts:**
- Replace default accounts (e.g., guest, admin) to improve security.
- Require passwords for all accounts.
2. **Best Practices:**
- Create identity profiles for new employees and register devices.
- Deactivate unused accounts and recover company data.
- Implement least privilege for task-specific access.
- Use time-of-day or location restrictions for account access.
- Employ geofencing, geolocation, and geotagging for security.
---
#### **13.3.3 Securing Privileged Accounts**
**Definition:**
Privileged accounts have elevated access and are critical for system and application management.
**Best Practices:**
- Minimize the number of privileged accounts.
- Enforce least privilege principles.
- Revoke access when employees leave or change roles.
- Prohibit shared credentials and enforce password expiration.
- Log and monitor all privileged activity.
- Use multi-factor authentication (MFA) for administrative access.
- Secure passwords and embedded credentials.
- Regularly evaluate and improve security measures.
---
#### **13.3.4 File Access Control**
**Permission Levels:**
1. **Full Control:** View, modify, create, and delete files.
2. **Modify:** Change or delete files without creating new ones.
3. **Read and Execute:** View files and run programs.
4. **Write:** Create and edit files.
5. **Read:** View contents of files and folders.
**Propagation Rules:**
- Data moved within the same volume retains its permissions.
- Data copied, or moved to a different volume, inherits the permissions of the destination folder.
---
#### **13.3.7 Account Policies in Windows**
**Policy Configuration Tools:**
- **Active Directory:** Used for domain security policies.
- **Local Security Policy:** Configured using `secpol.msc` in non-domain setups.
**Policies Overview:**
1. **Password Policy:**
- Enforce complexity and reuse restrictions.
- Example: Passwords must be 8+ characters and changed every 90 days.
2. **Account Lockout Policy:**
- Lock accounts after failed login attempts.
- Example: Lock for 30 minutes after five incorrect attempts.
3. **Audit Policies:**
- Track events like logins, account changes, and system processes.
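To make the password and lockout values above concrete, here is an added example (not from the course notes) that models the 13.1.9 complexity rule, the 90-day maximum age and the five-failures/30-minute lockout as state-machine logic. Account names and timestamps are constructed; it does not read `secpol.msc` or Active Directory.

```python
"""Added example, not from the course notes: enforcing the policy values quoted
above (8+ character complex passwords, 90-day maximum age, lockout for 30
minutes after five failures). Account names and timestamps are constructed;
this models the rules, it does not read secpol.msc or Active Directory."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_PASSWORD_LENGTH = 8


@dataclass
class Account:
    name: str
    password: str            # plaintext only for the simulation
    password_set: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def meets_complexity(pw: str) -> bool:
    """13.1.9 rule: length 8+ with upper, lower, digit and symbol present."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'bad_password', 'expired' or 'ok'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                     # lockout still in effect
    if password != acct.password:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0        # counter restarts after the lockout
        return "bad_password"
    acct.failed_attempts = 0                # a success clears the counter
    if now - acct.password_set > MAX_PASSWORD_AGE:
        return "expired"                    # must change password before use
    return "ok"
```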
---
#### **13.3.8 Authentication Management**
**Solutions:**
- **Single Sign-On (SSO):** Use one credential set across multiple apps.
- **OAuth:** Enables third-party access using a single login.
- **Password Vaults:** Securely store multiple credentials.
- **Knowledge-Based Authentication (KBA):** Reset passwords using personal questions.
---
#### **13.3.10 Hash-Based Message Authentication Code (HMAC)**
**Definition:**
HMAC uses a hash function with an encryption key for user authentication.
**Applications:**
- **VPNs and IPsec:** Authenticate packets and verify data integrity.
- **Cisco Products:** Use HMAC for routing updates and image integrity.
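The definition above is the whole mechanism: a shared key is folded into the hash so that only a party holding the key can produce or check the tag. This added example (not from the course notes) builds HMAC-SHA256 by hand from its definition, checks it against Python's `hmac` module, and shows verification failing on a tampered message or a wrong key. The key and message are constructed; Cisco's IPsec or image-signing usage is not reproduced.

```python
"""Added example, not from the course notes: HMAC-SHA256 built by hand from its
definition, H((K xor opad) || H((K xor ipad) || m)), checked against Python's
hmac module, then used to verify a message. Key and message are constructed."""
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this


def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    if len(key) > BLOCK_SIZE:                 # long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Same computation via the standard library."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received: bytes) -> bool:
    """Receiver recomputes the tag; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(tag(key, message), received)


KEY = b"constructed-shared-secret"
MSG = b"routing-update: 10.0.0.0/8 via 192.0.2.1"
```

A plain `sha256(MSG)` would give the same integrity check to anyone, including an attacker who alters the message and recomputes the hash; the key is what turns integrity into authentication.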
---
#### **13.3.12 Authentication Protocols**
1. **EAP:** Uses a hashed password for authentication.
2. **PAP:** Sends plaintext usernames and passwords (least secure).
3. **CHAP:** Uses one-way hashing and periodic revalidation during sessions.
4. **802.1x:** Relies on credentials or certificates for network access.
5. **RADIUS:** Encrypts passwords but sends other data in plaintext.
6. **TACACS+:** Encrypts all communication, ideal for corporate use.
7. **Kerberos:** Uses encrypted tickets for mutual authentication.
---
#### **13.3.13 Applications of Cryptographic Hash Functions**
**Use Cases:**
- **Authentication:** Generate one-time responses for secure login.
- **Data Integrity:** Verify contracts and certificates (e.g., PKI).
- **Preferred Algorithms:** Use SHA-256 or higher. Avoid SHA-1 and MD5.
---
#### **13.3.15 Access Control Strategies**
1. **Mandatory Access Control:**
- Restricts access based on security classifications.
- Labels objects and users with clearance levels.
2. **Discretionary Access Control:**
- Object owners decide access permissions.
- Uses ACLs and permission lists.
3. **Role-Based Access Control:**
- Assigns permissions based on job roles.
- Ideal for large organizations with complex permissions.
4. **Rule-Based Access Control:**
- Grants access based on predefined rules (e.g., time-based rules).
- Often combined with other control strategies.
>[!Warning]Recap
>Account types can include administrator accounts, user accounts, service accounts, and guest accounts. In addition to granting users no more access than is required, it is also important to disable accounts that are no longer needed. The principle of least privilege is closely connected to the concept of “need to know” access. Permission levels can be assigned to files and folders to include full control, modify, read and execute, write, and read. On a Windows computer, an administrator configures a domain security policy that applies to all domain members. Privileged accounts are used by administrators to deploy and manage operating systems, applications, and network devices. Robust practices for securing privileged accounts must be taken because they are often the target of cybercriminals. Authentication management aims to ensure secure sign in while still providing ease of use. Methods include SSO, OAuth, a password vault, and KBA. HMAC uses an encryption key with a hash function to authenticate a web user. An authentication protocol authenticates data between two entities to prevent unauthorized access. Secure protocols include EAP, PAP, CHAP, 802.1x, RADIUS, TACACS+, and Kerberos.
### 13.4 AAA Usage and Operation
---
#### **13.4.1 AAA Operation**
**Overview:**
Authentication, Authorization, and Accounting (AAA) is a framework used to enforce scalable access control and track user activities on a network.
**AAA Components:**
1. **Authentication:** Verifies user identity.
- Methods: Username/password, token cards, challenge/response, etc.
- Example: “User logs in with their credentials.”
2. **Authorization:** Determines what resources and operations users are allowed to access.
- Example: “User can access server XYZ using SSH only.”
3. **Accounting:** Tracks user activities, including time, resource access, and changes made.
- Example: “User accessed server XYZ via SSH for 15 minutes.”
---
#### **13.4.2 AAA Authentication**
**Implementation Methods:**
1. **Local AAA Authentication:**
- Self-contained authentication using locally stored usernames and passwords.
- Suitable for small networks.
- **Example:** A router checks its local database for user credentials.

2. **Server-Based AAA Authentication:**
- Centralized system with a dedicated AAA server.
- Uses external protocols like RADIUS or TACACS+.
- Scalable and suitable for medium to large networks.
- **Example:** A router queries the central AAA server to authenticate a user.

**Centralized AAA Benefits:**
- Scalability and manageability.
- Supports integration with **Active Directory** or **LDAP**.
- Separate databases for authentication, authorization, and accounting.
**Differences Between TACACS+ and RADIUS**
| Feature | TACACS+ | RADIUS |
|---|---|---|
| **Functionality** | Separates authentication, authorization, and accounting for modularity. | Combines authentication and authorization; accounting is less flexible. |
| **Standard** | Cisco-supported. | Open/RFC standard. |
| **Transport** | TCP port 49. | UDP ports 1812, 1813 (or 1645, 1646). |
| **Protocol (CHAP)** | Supports bidirectional challenge-response authentication. | Supports unidirectional challenge-response from the server to the client. |
| **Confidentiality** | Encrypts the entire packet body (excluding the header). | Encrypts only passwords; other data like usernames and authorized services are unencrypted. |
| **Customization** | Authorizes router commands on a per-user or per-group basis. | Does not support per-user or per-group command authorization. |
| **Accounting** | Limited accounting capabilities. | Extensive accounting capabilities. |
---
#### **13.4.3 AAA Accounting Logs**
**Purpose:**
Tracks and records user actions for auditing and troubleshooting.
**Accounting Process:**
1. Start message: Sent when a user session begins.
2. Stop message: Sent when the session ends.
**Collected Data:**
- Start/stop connection times.
- Executed commands.
- Packet and byte counts.
**Accounting Types:**
1. **Network Accounting:** Tracks PPP sessions, including packet and byte counts.
2. **Connection Accounting:** Logs outbound connections (e.g., SSH).
3. **EXEC Accounting:** Records details about user terminal sessions.
4. **System Accounting:** Tracks system-level events (e.g., reboots).
5. **Command Accounting:** Captures EXEC commands, timestamps, and user details.
6. **Resource Accounting:** Monitors both authenticated and failed connection attempts.
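The Start/Stop pairing above is what makes accounting logs auditable. This added example (not from the course notes) folds constructed accounting records into per-session entries, recovers duration and byte counts, and flags two things an auditor looks for: sessions that never received a Stop, and sessions whose reported `Acct-Session-Time` disagrees with the timestamps. Attribute names follow RFC 2866, but the key=value text layout is a simplification, not the RADIUS wire format.

```python
"""Added example, not from the course notes: pairing AAA accounting Start and
Stop messages to recover session duration and byte counts and to flag sessions
that never closed. The records are constructed; attribute names follow RFC 2866
but the key=value text layout is a simplification, not the RADIUS wire format."""
from datetime import datetime

RECORDS = """\
Acct-Status-Type=Start Acct-Session-Id=a1 User-Name=alice NAS-IP-Address=192.0.2.10 Timestamp=2024-03-01T08:00:00
Acct-Status-Type=Start Acct-Session-Id=b7 User-Name=bob NAS-IP-Address=192.0.2.10 Timestamp=2024-03-01T08:05:00
Acct-Status-Type=Stop Acct-Session-Id=a1 User-Name=alice Acct-Session-Time=900 Acct-Input-Octets=52000 Acct-Output-Octets=183000 Timestamp=2024-03-01T08:15:00
"""


def parse_records(text):
    """One dict per non-empty line; each field is Attribute=Value."""
    for line in text.splitlines():
        if line.strip():
            yield dict(field.split("=", 1) for field in line.split())


def build_sessions(text):
    """Group records by Acct-Session-Id and fold Start/Stop into one entry."""
    sessions = {}
    for rec in parse_records(text):
        sess = sessions.setdefault(rec["Acct-Session-Id"],
                                   {"user": rec["User-Name"], "start": None,
                                    "stop": None, "seconds": None, "octets": None})
        stamp = datetime.fromisoformat(rec["Timestamp"])
        if rec["Acct-Status-Type"] == "Start":
            sess["start"] = stamp
        elif rec["Acct-Status-Type"] == "Stop":
            sess["stop"] = stamp
            sess["seconds"] = int(rec["Acct-Session-Time"])
            sess["octets"] = (int(rec["Acct-Input-Octets"])
                              + int(rec["Acct-Output-Octets"]))
    return sessions


def open_sessions(sessions):
    """Sessions with a Start but no Stop: still active, or the Stop was lost."""
    return sorted(sid for sid, s in sessions.items() if s["stop"] is None)


def inconsistent_sessions(sessions):
    """Closed sessions whose reported Acct-Session-Time disagrees with the
    Start/Stop timestamps, which is worth a look during an audit."""
    bad = []
    for sid, s in sessions.items():
        if s["start"] and s["stop"]:
            if int((s["stop"] - s["start"]).total_seconds()) != s["seconds"]:
                bad.append(sid)
    return sorted(bad)
```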
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/7-1-6-check-your-understanding-identify-the-characteristics-of-aaa-answers.html).
:::
>[!Warning]Recap
>A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design requirements are identified in the network security policy. The policy can also mandate the implementation of an accounting system that tracks who logged in and when and what they did while they were logged in. Authentication, Authorization, and Accounting (AAA) systems provide the necessary framework to enable scalable security. AAA authentication can be used to authenticate users for local access, or it can be used to authenticate users for remote network access. Cisco provides two common methods of implementing AAA services: Local AAA Authentication and Server-based AAA Authentication. Centralized AAA is more scalable and manageable than local AAA and is the preferred AAA implementation. A centralized AAA system can leverage Active Directory or Lightweight Directory Access Protocol (LDAP) for user authentication and group membership, while maintaining its own authorization and accounting databases. Devices communicate with the centralized AAA server using the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) protocols. Centralized AAA also enables the use of the accounting method. AAA accounting collects and reports usage data in AAA logs. Various types of accounting information that can be collected are network accounting, connection accounting, EXEC accounting, system accounting, command accounting, and resource accounting.