Overview

Framework: RQF
Level: Level 3
Unit No: M/618/5210
Credits: 6
Guided learning hours: 42 hours

Aim

Learners will understand the purpose and methods of controlling access to systems. They will learn about the concepts of identity, authentication, and authorisation, and explore how they are used to manage access control in organisations.

Unit Learning Outcomes

1

Understand the purpose and concepts of access control.

Purpose of access control, for example: confidentiality, integrity and availability, limiting access to systems (physical and logical aspects), limiting access to data, providing ‘defence in depth’, identifying and classifying data assets.

Primary categories of access control, for example: directive (codes of conduct, security policies and procedures), deterrent (disciplinary procedures, monitoring, reporting), preventative (physically restricting access), compensating (additional guards during periods of heightened threat), detective (intrusion detection systems), corrective (software patches, firewall reconfiguration), recovery (updating of security policies to reflect changes in business).

Types of access control, for example:

Physical: perimeter fences, gates/doorways, security guards/patrols, badge locks/key locks, biometric scanners (retina, palm, finger print scanner).

Logical: firewalls, anti-virus, encryption, user IDs and passwords, passphrases, security tokens, one-time passwords, remote access authentication servers (RADIUS, Remote Authentication Dial-In User Service).

Administrative: policies and procedures, security clearances, identity validation, staff training, support/helpdesk.

Access control techniques, for example: discretionary controls (DAC), delegated control to the user level (Windows, Unix, Linux), user/group centric, permissions (read/write/execute), Access Control Lists (ACLs).

Mandatory controls (MAC), organisation centric (classification levels and clearances), security labelling for data objects (classification and categories), specially developed operating systems (SELinux).

Non-discretionary controls, organisation centric, administrator assigns permissions, role based (RBAC).

Identity management and authentication methods, for example: ID badges, user IDs, PINs, account numbers, digital certificates, RFID.

Authentication factors: something you know (passwords, passphrases, challenge-response), something you have (Smartcard, fobs and time code devices), something you are (biometrics), somewhere you are (proximity to a scanner, inside a firewall).

Concept of a ‘credential set’ as the combination of a form of identification (who the subject claims to be, e.g. a user ID) and a form of authentication (proof of that claim, e.g. a password); authorisation is what the system grants once the credential set has been verified.

Assessment Criteria

  • 1.1 Explain the role of access control in organisations and the primary categories used to define access to data.
  • 1.2 Explain the different types of access control from a physical, logical and administrative perspective.
  • 1.3 Evaluate different access control techniques used in organisations.
  • 1.4 Compare different methods of identity management and authentication.


2

Be able to apply methods of controlling access.

Implementing authentication to increase effectiveness and usability, for example: accessibility of authentication (audio alternatives to visual CAPTCHAs), SweetCaptcha, reCAPTCHA.

Password management and policies: complexity (length and non-alphabetic characters), avoidance of dictionary words, ageing/expiration policy, re-use policy, maximum retry policy, retry delay, single sign-on, password management applications.
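The policy items listed above, turned into working checks. This is an added example written for this page, not material from the unit specification: the threshold values in POLICY, the five-word DICTIONARY and the user ID "alice" are constructed for illustration, and the history check uses a salted PBKDF2 hash so that the stored history does not itself become a list of crackable passwords.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed policy values for illustration; real thresholds are set by the
# organisation's password standard.
POLICY = {
    "min_length": 12,
    "min_non_alpha": 2,         # digits or symbols required (complexity)
    "history_size": 5,          # current + previous hashes a new password may not match (re-use)
    "max_retries": 5,           # failed logins before the account is locked (maximum retry)
    "retry_delay_seconds": 30,  # how long the lock lasts (retry delay)
}

# Constructed dictionary fragment; a deployment would load a full wordlist.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon"}


def check_complexity(candidate, policy=POLICY):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too short")
    if sum(1 for c in candidate if not c.isalpha()) < policy["min_non_alpha"]:
        problems.append("needs more non-alphabetic characters")
    # Strip digits/symbols before the dictionary lookup so that the common
    # "Welcome123!" pattern is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def _hash(password, salt):
    # Slow, salted hash so a stolen history cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One user ID with its password history and retry/lockout state."""

    def __init__(self, user_id, password, policy=POLICY):
        self.user_id = user_id
        self.policy = policy
        self.history = []      # (salt, hash) pairs, newest last; current password is history[-1]
        self.failed = 0
        self.locked_until = 0.0
        self.set_password(password)

    def matches_history(self, candidate):
        return any(hmac.compare_digest(_hash(candidate, salt), h) for salt, h in self.history)

    def set_password(self, new_password):
        problems = check_complexity(new_password, self.policy)
        if self.matches_history(new_password):
            problems.append("reused recent password")
        if problems:
            raise ValueError(", ".join(problems))
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-self.policy["history_size"]:]

    def login(self, candidate, now=None):
        """Return True on success. Counts failures and enforces the retry delay."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False                      # still inside the retry delay
        salt, h = self.history[-1]
        if hmac.compare_digest(_hash(candidate, salt), h):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.policy["max_retries"]:
            self.locked_until = now + self.policy["retry_delay_seconds"]
            self.failed = 0
        return False


if __name__ == "__main__":
    print(check_complexity("Welcome123!"))        # ['too short', 'dictionary word']
    acct = Account("alice", "correct-horse-battery-9")
    print(acct.login("correct-horse-battery-9"))  # True
```

Two details worth noticing: the lockout is keyed on a caller-supplied clock so the retry delay can be tested without sleeping, and a login attempt made while locked returns False without touching the counter, so an attacker cannot extend a lock indefinitely by hammering it. Ageing/expiration is not modelled; it would be one more timestamp stored beside each history entry.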

Multi-factor authentication: one-time passwords, mobile phone time codes (TOTP authenticator apps), question/response.
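The "mobile phone time code" factor is a time-based one-time password: the phone and the server share a secret and each computes HMAC over the current 30-second window counter. The block below is an added example, not part of the unit specification; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with SHA-1 and 6 digits, the defaults most authenticator apps use, and the secret b"12345678901234567890" is the published RFC test secret rather than anything a real deployment would use. The verify_totp helper and its last_used/window parameters are this example's own design.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a bytes secret and integer counter."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time window."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, step=30, window=1, last_used=None):
    """Server-side check of a submitted code.

    Accepts codes from `window` steps either side of now (clock drift), but
    never a counter at or below `last_used`, so a code captured by shoulder
    surfing or phishing cannot be replayed inside its own 30-second window.
    Returns (accepted, new_last_used)."""
    now_counter = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return True, counter
    return False, last_used


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC 4226/6238 test secret, constructed input
    print(totp(secret, 59))                 # 287082 (RFC 6238 vector, 6-digit form)
    print(verify_totp(secret, totp(secret, time.time()), time.time()))
```

In production the secret is generated per user with os.urandom, handed to the phone once (typically as a base32 string in a QR code), and the server stores last_used alongside it; the window should stay small, since every extra step multiplies the number of codes an attacker can guess.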

Define and document an authentication policy covering a range of methods: configure password policies for user IDs, test the password policies, specify access permissions for a range of files to enable read/write, read only, read/execute, no access, test user ID authorisation to access the files.
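The file-permission half of that procedure (and the DAC/ACL technique described under outcome 1) as an added example, not part of the unit specification. It models the Unix discretionary check rather than running chmod, so it can be executed anywhere: the users, groups, paths, modes and the single ACL entry are all constructed for illustration. The model simplifies POSIX ACLs by omitting the mask entry; on a real system an ACL user entry is further limited by the mask, which chmod on the group bits rewrites.

```python
from dataclasses import dataclass, field

READ, WRITE, EXEC = 4, 2, 1          # classic rwx permission bits


@dataclass
class User:
    uid: int
    gids: frozenset                   # primary plus supplementary groups


@dataclass
class File:
    path: str
    owner: int
    group: int
    mode: int                         # e.g. 0o640
    acl: dict = field(default_factory=dict)   # uid -> bits, like a POSIX ACL user entry


def permitted(user, f, want):
    """Unix-style DAC decision: every bit in `want` must be granted.

    Only the first matching class is consulted, in the same order the kernel
    uses: owner, then a named ACL user, then group, then other. root bypasses
    the bits except that execute still needs at least one x bit set."""
    if user.uid == 0:
        return not (want & EXEC) or bool(f.mode & 0o111)
    if user.uid == f.owner:
        granted = (f.mode >> 6) & 7
    elif user.uid in f.acl:
        granted = f.acl[user.uid]
    elif f.group in user.gids:
        granted = (f.mode >> 3) & 7
    else:
        granted = f.mode & 7
    return granted & want == want


def render(bits):
    return "".join(ch if bits & b else "-" for ch, b in (("r", READ), ("w", WRITE), ("x", EXEC)))


def access_matrix(users, files):
    """The 'test user ID authorisation' step: what each user can do to each file."""
    out = {}
    for name, u in users.items():
        for f in files:
            bits = sum(b for b in (READ, WRITE, EXEC) if permitted(u, f, b))
            out[(name, f.path)] = render(bits)
    return out


# Constructed users: gid 2000 stands for a 'finance' group.
USERS = {
    "alice": User(uid=1001, gids=frozenset({1001, 2000})),   # owner of the files
    "bob":   User(uid=1002, gids=frozenset({1002, 2000})),   # finance member
    "carol": User(uid=1003, gids=frozenset({1003})),         # not in finance
    "root":  User(uid=0, gids=frozenset({0})),
}

# Constructed files covering read/write, read only, read/execute and no access.
FILES = [
    File("/srv/finance/ledger.csv", 1001, 2000, 0o660, acl={1003: READ}),  # rw owner+group, carol read via ACL
    File("/srv/finance/policy.txt", 1001, 2000, 0o644),                    # read only for everyone else
    File("/srv/finance/report.sh",  1001, 2000, 0o750),                    # read/execute for the group
    File("/srv/finance/secret.key", 1001, 2000, 0o600),                    # no access except the owner
]


if __name__ == "__main__":
    for (name, path), perms in sorted(access_matrix(USERS, FILES).items()):
        print(f"{name:6} {perms} {path}")
```

On a Linux host the same configuration is `chmod 660/644/750/600` on the four files, `chgrp finance` on each, and `setfacl -m u:carol:r /srv/finance/ledger.csv` for the ACL entry; the test step is then `getfacl` to read back the entries and `sudo -u bob cat /srv/finance/secret.key` (expected: permission denied) for each user and file in the matrix. The root row is the point to document in the policy: DAC does not constrain the administrator, which is exactly the limitation mandatory controls address.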

Assessment Criteria

  • 2.1 Implement authentication to increase effectiveness and usability.
  • 2.2 Define a series of password policies and configure password authentication for multiple user IDs.


3

Understand the limits of access control.

Limits of access control, for example: dichotomy of organisational needs (government vs business), top-down organisation-centric vs bottom-up user-centric models, cost effectiveness (cost of control vs value of the assets), violation of MAC principles (reliance on a trusted computing base), lack of effective central control in DAC-based systems (owners can grant access at will), complexity of administration, biometric accuracy (False Reject Rate vs False Accept Rate, which trade off against each other as the matching threshold is moved).
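The biometric accuracy limit is easiest to see with numbers. The block below is an added example, not part of the unit specification: the two score lists are constructed matcher outputs (higher means a closer match) for ten genuine attempts and ten impostor attempts, and it computes the False Accept Rate and False Reject Rate at any threshold, the equal-error point, and the FRR cost of demanding a given FAR ceiling.

```python
# Constructed matcher scores in [0, 1]; higher means the sample matched the template better.
GENUINE = [0.91, 0.88, 0.85, 0.82, 0.80, 0.78, 0.75, 0.72, 0.69, 0.60]   # legitimate users
IMPOSTOR = [0.20, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.71, 0.77]  # other people's samples


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a sample is accepted iff score >= threshold.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def candidate_thresholds(genuine=GENUINE, impostor=IMPOSTOR):
    # Rates only change at observed scores, so these are the thresholds worth testing.
    return sorted(set(genuine) | set(impostor))


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest (the crossover / EER), with its rates."""
    best = min(candidate_thresholds(genuine, impostor),
               key=lambda t: abs(rates(t, genuine, impostor)[0] - rates(t, genuine, impostor)[1]))
    return (best, *rates(best, genuine, impostor))


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps FAR at or under max_far, and the FRR it costs.

    Returns None if even the strictest threshold still admits too many impostors."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return (t, far, frr)
    return None


if __name__ == "__main__":
    for t in (0.50, 0.71, 0.80):
        far, frr = rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("EER point:", equal_error_point())
    print("zero-FAR setting:", threshold_for_far(0.0))
```

The output makes the limit concrete: tightening the threshold from 0.50 to 0.80 takes FAR from 50% to 0% but pushes FRR from 0% to 50%, so the "secure" setting locks out half the legitimate attempts. Which side of the crossover an organisation chooses is the government-versus-business dichotomy above expressed as a single number.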

Threats and vulnerabilities to access control:

Internal threats: organisational culture (complacency, lack of effective control), organisational climate, disgruntled employees, industrial espionage, misplaced trust.

Internal vulnerabilities: poor or absent security policies/procedures, lack of adherence to security policy, lack of education and training, lack of adherence to security procedures (poor administration, deliberate avoidance), poor or inadequate vetting of employees and contractors.

External threats: tailgating/piggybacking, social engineering (phishing, baiting, quid pro quo), identity theft, shoulder surfing, spoofing.

Assessment Criteria

  • 3.1 Explain the balance between restricting and enabling access for legitimate users.
  • 3.2 Assess the organisational and behavioural threats to and vulnerabilities of access control.