August 31, 2016

Access Control (PR.AC)

Objectives of Access Control

Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

  • PR.AC-1: Identities and credentials are managed for authorized devices and users
  • PR.AC-2: Physical access to assets is managed and protected
  • PR.AC-3: Remote access is managed
  • PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
  • PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

Things to Know

Assets include:

  • Information: data.
  • Systems: file servers, web servers, databases.
  • Devices: desktops, servers, laptops, tablets, phones, printers, etc.
  • Facilities: buildings, data centers.
  • Personnel: people, employees.

A subject: a user, application, process, or anything else that can access an object.
An object: a passive entity that provides information to subjects, such as a file.
There are 7 access control types. The 3 primary control types are preventive, detective, and corrective:

  • Preventive: this access control type attempts to stop the access from happening in the first place. Examples:
    • Fences
    • Locks
    • Biometric devices
    • Mantraps
    • Policy of separation of duties
    • Policy of job rotation
    • Data classification
    • Penetration testing
    • Encryption
    • Smartcards
    • Callback procedures
    • Anti-virus
    • Firewalls
    • Intrusion Prevention System (IPS)
    • Some that I think are classified wrong, because they won’t actually prevent the action from happening, are lighting, alarm systems, auditing, penetration testing, the presence of cameras or CCTV, and security awareness training.
  • Detective: this access control type alerts you when the unwanted access DOES happen. Examples are:
    • Security guards
    • Motion detectors
    • The recordings of security cameras (DVR) or CCTV
    • Policy of job rotation
    • Policy of mandatory vacations
    • Audit trails
    • Honeypots and honeynets
    • Intrusion Detection Systems (IDS)
    • Incident investigations
  • Corrective: this access control type modifies the environment to return the system to normal. Examples are:
    • Terminating a malicious session
    • Rebooting a system
    • Quarantining a virus
    • Restoring from backup
    • An active IDS that can change the ACLs

The 4 other access control types:

  • Deterrent
  • Recovery
  • Directive
  • Compensation

Steps for implementing Access Control

  1. Identify and authenticate users or other subjects attempting to access resources.
  2. Determine whether the access is authorized.
  3. Grant or restrict access based on the subject’s identity.
  4. Monitor and log access attempts.
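The four steps above as a small reference monitor, added here as an example (not from the original notes or any framework document); the users, passwords, the payroll.csv object, the permission table and the submit/approve conflict pair are all constructed sample data. Step 2 enforces least privilege (a subject holds only the rights listed for it) and separation of duties (a subject holding both halves of a conflicting pair is denied), and step 4 records every attempt, denied or granted.

```python
import hashlib
import hmac
from typing import List, Tuple

# Step 1 data: constructed credential store (salted hash per user, sample only).
_SALT = b"constructed-salt"
CREDENTIALS = {
    "alice": hashlib.sha256(_SALT + b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(_SALT + b"bob-pw").hexdigest(),
}

# Step 2 data: least privilege, each (subject, object) pair lists only the rights the job needs.
PERMISSIONS = {
    ("alice", "payroll.csv"): {"read", "submit"},
    ("bob", "payroll.csv"): {"read", "approve"},
}
# Separation of duties: no single subject may hold both halves of a conflicting pair.
CONFLICTING = {("submit", "approve")}

# Step 4 data: audit trail of (subject, object, action, outcome) for every attempt.
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def authenticate(user: str, password: str) -> bool:
    """Step 1: verify the presented credential against the store, in constant time."""
    expected = CREDENTIALS.get(user)
    if expected is None:
        return False
    presented = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


def authorized(user: str, obj: str, action: str) -> bool:
    """Step 2: the action must be in the subject's rights, and those rights must not conflict."""
    rights = PERMISSIONS.get((user, obj), set())
    if action not in rights:
        return False
    for a, b in CONFLICTING:
        if {a, b} <= rights:  # subject was granted both halves of a conflicting pair
            return False
    return True


def request_access(user: str, password: str, obj: str, action: str) -> bool:
    """Steps 1-4: authenticate, authorize, grant or deny, and log the attempt either way."""
    if not authenticate(user, password):
        outcome = "denied:authn"
    elif not authorized(user, obj, action):
        outcome = "denied:authz"
    else:
        outcome = "granted"
    AUDIT_LOG.append((user, obj, action, outcome))
    return outcome == "granted"
```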