Network Defence – Physical and Logical Access Controls
Physical access controls refer to tangible measures put in place to obstruct any direct physical interaction with systems. The primary objective is to hinder unauthorized individuals from obtaining physical entry to facilities, machinery, and other assets within an organization. To illustrate, physical access control governs who is permitted to enter or exit, specifies the locations at which entry or exit is allowed, and dictates the times at which entry or exit is granted.
Here are some examples of physical access controls:
- Security personnel for facility monitoring
- Perimeter barriers such as fencing for protection
- Motion sensors designed to identify moving objects
- Locks for laptops to secure portable equipment
- Secured doors to prohibit unauthorized entry
- Access cards (swipe cards) for entry into restricted zones
- Trained guard dogs for facility protection
- Video surveillance cameras for continuous facility monitoring and image recording
- Entry systems employing a mantrap-style approach to control the flow of individuals into secure areas and prevent unwanted access
- Intrusion alarms for detecting unauthorized entry
Logical Access Controls
Logical access controls encompass both hardware and software solutions employed to oversee access to resources and computer systems. These technology-driven solutions include the tools and protocols that computer systems use to handle identification, authentication, authorization, and accountability.
Logical access control examples include:
- Encryption involves taking regular text and transforming it into coded text.
- Smart cards contain a tiny microchip inside them.
- Passwords are secure combinations of characters.
- Biometrics refers to physical traits of users.
- Access control lists (ACLs) specify the kinds of data that can pass through a network.
- Protocols are a set of rules governing how devices exchange data.
- Firewalls block unwanted network traffic.
- Routers link together at least two networks.
- Intrusion detection systems keep an eye on a network for suspicious activities.
- Clipping levels are predetermined limits for errors before they raise a warning.
Administrative Access Controls
Administrative access controls consist of the guidelines and protocols established by organizations to effectively carry out and uphold measures for preventing unauthorized access in all aspects.
Administrative controls focus on personnel and business practices. Examples include:
- Policies are declarations of an organization’s intentions.
- Procedures encompass the specific steps necessary to carry out a task.
- Hiring practices outline an organization’s process for identifying qualified employees.
- Background checks involve employee screening, including verification of past employment, examination of credit history, and assessment of criminal history.
- Data classification involves categorizing data according to its level of sensitivity.
- Security training provides employees with education regarding an organization’s security policies.
- Reviews assess an employee’s performance in their job.
Administrative Access Controls in Detail
Let’s delve deeper into the specifics of administrative access controls. The concept of administrative access controls revolves around three fundamental security services: authentication, authorization, and accounting, often referred to as AAA. These services form the core framework for managing access, effectively thwarting any unauthorized entry into a computer, network, database, or other data resources.
Authentication
The initial “A” in AAA stands for authentication, a process that validates the identity of each user to prevent unauthorized access. Users establish their identity using a username or ID, and they are also required to confirm their identity by providing one of the following:
- Something they remember (like a password)
- Something they possess (such as a token or card)
- Something inherent to them (such as a fingerprint)
With the rise of two-factor authentication, which is now more commonly practiced, the system mandates the use of a combination of two of the aforementioned methods instead of relying on just one to confirm an individual’s identity.
Authorization
Authorization services are responsible for establishing which resources users are allowed to access and what actions they can perform. In certain systems, this is achieved through the utilization of an access control list (ACL). An ACL assesses whether a user possesses specific access privileges after their authentication. It’s important to note that simply logging onto the corporate network does not automatically grant permission for activities like using a high-speed color printer.
Authorization can also dictate when a user is granted access to a particular resource. For instance, employees may have access to a sales database during their work hours, but the system restricts access after regular working hours.
Accounting
Within AAA (Authentication, Authorization, and Accounting), accounting has nothing to do with financial accounting: it focuses on monitoring user activities, including the actions users take, how long they access a resource, and any changes they make.
For instance, consider a bank that meticulously records every customer account. An audit of this system can unveil the timing and amounts of all transactions, as well as the employee or system responsible for carrying out these transactions. Cybersecurity accounting services operate in a similar fashion. The system logs each data transaction and generates audit reports. System administrators have the capability to establish computer policies to facilitate system auditing.
The AAA concept can be likened to using a credit card. Much like how a credit card specifies who can utilize it, sets spending limits for the user, and documents the items or services acquired, AAA systems encompass the identification of users, the control of their actions, and the recording of their activities.
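The three services working together, as an added example that is not part of the original page: a constructed user store (salted PBKDF2 hashes) for authentication, an ACL with the page's work-hours restriction for authorization, and an audit log written on every request for accounting. The user, resource, hour and password values are made up for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime

def make_record(password):
    """Store a salted PBKDF2 hash, never the password itself (constructed demo user store)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

USERS = {"alice": make_record("correct horse battery staple")}

# Authorization data: an ACL keyed by (user, resource) listing the permitted actions and the
# hours (start inclusive, end exclusive) during which they apply, as in the sales-database example.
ACL = {
    ("alice", "sales_db"): {"actions": {"read", "update"}, "hours": (9, 17)},
    ("alice", "color_printer"): {"actions": set(), "hours": (0, 24)},  # logged in, but may not print
}

AUDIT_LOG = []  # accounting: every attempt is recorded, whether it was allowed or not

def authenticate(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(digest, rec["hash"])

def authorize(user, resource, action, when):
    entry = ACL.get((user, resource))
    if entry is None or action not in entry["actions"]:
        return False
    start, end = entry["hours"]
    return start <= when.hour < end

def account(user, resource, action, when, outcome):
    AUDIT_LOG.append({"time": when.isoformat(), "user": user, "resource": resource,
                      "action": action, "outcome": outcome})

def at(hour):
    """Constructed timestamp on a fixed demo date, so results do not depend on the real clock."""
    return datetime(2024, 5, 6, hour, 0)

def request(user, password, resource, action, when):
    """Run the three services in order; an audit record is written on every path."""
    if not authenticate(user, password):
        account(user, resource, action, when, "auth-failed")
        return "denied: authentication failed"
    if not authorize(user, resource, action, when):
        account(user, resource, action, when, "not-authorized")
        return "denied: not authorized"
    account(user, resource, action, when, "allowed")
    return "allowed"
```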
What Is Identification?
Identification is the process that upholds the rules set forth by the authorization policy. Whenever there’s a request for access to a resource, the access controls step in to decide whether access should be granted or denied.
A distinct identifier plays a crucial role in ensuring the correct association between authorized activities and individuals. The most common means of identifying a user is through a username, which can take the form of an alphanumeric combination, a personal identification number (PIN), a smart card, or a biometric method such as fingerprint recognition, retina scanning, or voice recognition.
The presence of a unique identifier guarantees that the system can individually recognize each user, thus enabling authorized users to carry out appropriate actions on specific resources.
Federated Identity Management
Federated identity management involves multiple enterprises enabling their users to utilize the same identification credentials to access the networks of all enterprises within the group. However, this practice broadens the scope and raises the likelihood of a cascading effect in the event of an attack.
In a broader sense, federated identity links an individual’s electronic identity across distinct identity management systems, enabling them to access various websites using the same social login credentials.
The primary objective of federated identity management is to automatically share identity information across different domains. For users, this translates to a single sign-on experience on the web.
It is essential for organizations to carefully examine the information shared with their partners, even if they belong to the same corporate group. Sharing sensitive data like social security numbers, names, and addresses could potentially provide identity thieves with an opportunity to commit fraud. The most common method for safeguarding federated identity is to associate login capabilities with an authorized device.
Authentication Methods
As previously mentioned, users establish their identity through a username or ID. Additionally, users are required to confirm their identity by furnishing one of the following:
What You Know
Passwords, passphrases, or PINs represent examples of information known to the user, with passwords being the most widely used method for authentication.
Terms like passphrase, passcode, passkey, and PIN are all collectively referred to as passwords. A password is essentially a sequence of characters used to confirm a user’s identity. However, if this character sequence is related to the user in an obvious way, such as using their name, birthdate, or address, it becomes easier for cybercriminals to guess.
Numerous sources recommend that a password should consist of at least eight characters. Users should strike a balance between creating a password that is long enough for security but not so long that it becomes difficult to remember. Additionally, it’s essential for passwords to incorporate a mix of uppercase and lowercase letters, numbers, and special characters.
To enhance security, users should employ a different password for each system. Otherwise, a cybercriminal who cracks one password would gain access to every account that shares it. A password manager can generate and store strong, unique passwords, so the user does not have to remember each one.
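The password rules above turned into a checker, as an added example that is not part of the original page: minimum length of eight, all four character classes, and no obvious relation to the user's name, birthdate, or address. The personal details and sample passwords are constructed; the birthdate layouts tested are an assumption about what a guesser would try first.

```python
import string
from datetime import date

MIN_LENGTH = 8  # the minimum the page cites

def related_terms(name, birthdate_iso, address):
    """Strings a guesser would try first: name and address parts, the birth year, and the birthdate in common layouts."""
    birthdate = date.fromisoformat(birthdate_iso)
    terms = set(name.lower().split()) | set(address.lower().split())
    terms.update(birthdate.strftime(layout) for layout in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"))
    return {t for t in terms if len(t) >= 3}  # two-character tokens would match almost anything

def check_password(password, name, birthdate_iso, address):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {label} character" for label, present in classes.items() if not present)
    lowered = password.lower()
    problems.extend(f"contains personal information ({term!r})"
                    for term in sorted(related_terms(name, birthdate_iso, address)) if term in lowered)
    return problems
```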
What You Have
Smart cards and security key fobs serve as examples of physical items that users possess and can use for authentication purposes.
A smart card is a compact plastic card, roughly the size of a credit card, containing a small embedded chip. This chip functions as an intelligent data carrier, capable of processing, storing, and safeguarding data. Smart cards hold sensitive information like bank account numbers, personal identification, medical records, and digital signatures. They employ encryption to secure data while also providing a means for authentication.
On the other hand, a security key fob is a small device that can be easily attached to a keyring. Security key fobs are typically employed for two-factor authentication (2FA), which is notably more secure than relying solely on a username and password combination.
For instance, consider logging in to an e-banking account that uses two-factor authentication. First, you enter your username (the identification step), followed by your password, which is the first authentication factor. Because this is 2FA, a second factor is required: you enter a PIN into, or insert your smart card into, the security key fob, which then displays a number. That number serves as the second factor because it demonstrates that you possess the device that was assigned to you. You then enter it to complete the login to your e-banking account, as illustrated in this example.
What You Are
Biometrics refers to distinctive physical traits like fingerprints, retinas, or voices that serve as unique identifiers for individuals. Biometric security involves comparing these physical characteristics to stored profiles in order to verify users’ identities. In this context, a profile is a data file containing recognized attributes of an individual. If a user’s characteristics align with the stored data, the system grants them access. A fingerprint reader is a widely used biometric device for this purpose.
There are two types of biometric identifiers:
- Physiological characteristics — fingerprints, DNA, face, hands, the retina or ear features.
- Behavioral characteristics — patterns of behavior such as gestures, voice, gait or typing rhythm.
Biometrics is gaining growing popularity in various fields, including public security systems, consumer electronics, and point-of-sale applications. To implement biometrics, you typically need a reader or scanning device, software that transforms scanned data into digital format, and a database containing biometric data for comparison.
Multi-Factor Authentication
As mentioned earlier, multi-factor authentication involves using at least two verification methods, such as a password and a physical item like a security key fob. It can be enhanced further by including a biometric factor, such as a fingerprint scan.
Multi-factor authentication significantly reduces the risk of online identity theft because merely knowing a password will not grant cybercriminals access to a user’s account.
For instance, consider an online banking website that requires both a password and a one-time PIN received on the user’s smartphone. In this scenario, the password serves as the first factor, while the temporary PIN serves as the second factor, confirming the user’s access to their registered phone.
Another straightforward example of multi-factor authentication is cash withdrawal from an ATM, where the user must possess the bank card and know the associated PIN before the ATM dispenses cash.
It’s important to note that two-factor authentication (2FA) is a specific form of multi-factor authentication that involves precisely two factors. However, these terms are often used interchangeably.
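Both the key-fob scenario in the "What You Have" section and the one-time PIN in the banking example above rely on a short code that only the enrolled device can produce. As an added example that is not part of the original page, the exchange is shown with both sides: the fob computes a time-based HOTP code (RFC 4226 / RFC 6238, HMAC-SHA1, 30-second steps), and the server verifies it, tolerates one step of clock drift, and rejects a code that has already been used. The secret is the RFC 4226 test-vector key and the user name is constructed.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def time_step(now, step=30):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return int(now // step)

class KeyFob:
    """The user's side: holds the shared secret and shows the code for the current step."""
    def __init__(self, secret):
        self._secret = secret

    def display(self, now=None):
        return hotp(self._secret, time_step(time.time() if now is None else now))

class OtpServer:
    """The bank's side: knows each user's secret, tolerates one step of clock drift, rejects replays."""
    def __init__(self, secrets, drift_steps=1):
        self._secrets = secrets      # user -> shared secret, set at enrolment
        self._last_step = {}         # user -> highest step already accepted
        self._drift = drift_steps

    def verify(self, user, code, now=None):
        secret = self._secrets.get(user)
        if secret is None or not (isinstance(code, str) and code.isascii()):
            return False
        current = time_step(time.time() if now is None else now)
        for step in range(current - self._drift, current + self._drift + 1):
            if step <= self._last_step.get(user, -1):
                continue  # a step already used is a replay, even if the code matches
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_step[user] = step
                return True
        return False

# Constructed demo secret (the RFC 4226 test-vector key) shared by fob and server at enrolment.
DEMO_SECRET = b"12345678901234567890"
```

A fob and a server built with `KeyFob(DEMO_SECRET)` and `OtpServer({"alice": DEMO_SECRET})` accept the displayed code once and refuse the same code a second time.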