Chapter III
Controlling and
Monitoring Access
Instructor(s):
Dr. Sarra Berrahal
Definitions of Access Control according to NIST
▪ NIST SP 800-12 Rev. 1: The process of granting or denying specific requests to:
▪ Obtain and use information and related information processing services; and
▪ Enter specific physical facilities (e.g., federal buildings, military establishments, border crossing
entrances).
▪ NIST SP 800-113: The process of permitting or restricting access to applications at a
granular level, such as per-user, per-group, and per-resources.
▪ NIST SP 800-152: A set of procedures and/or processes, normally automated, which
allows access to a controlled area or to information to be controlled, in accordance
with pre-established policies and rules.
Access Control Types
▪ Preventive Access Control: prevents or stops unauthorized activity from occurring.
▪ Fences and locks, biometrics, alarm systems, smartcards,
▪ Data classification, penetration testing, access control methods, encryption, auditing,
▪ Antivirus software, firewalls, and intrusion prevention systems.
Access Control Types
▪ Detective Access Control: detects unauthorized activities after their occurrence.
▪ Motion detectors, recording and reviewing of events captured by cameras or CCTV,
▪ Honeypots or honeynets, IDSs, violation reports,
▪ Supervision and reviews of users, and incident investigations.
Access Control Types
▪ Corrective Access Control: attempts to correct any problems that occurred as a result of a security incident.
▪ Terminating malicious activity or rebooting a system.
▪ Antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored,
▪ Active IDS that can modify the environment to stop an attack in progress.
Access Control Types
▪ Deterrent Access Control: attempts to discourage security policy violations.
▪ Locks, fences, security badges, guards, mantraps, and security cameras.
▪ Recovery Access Control: attempts to repair or restore resources, functions, and
capabilities after a security policy violation.
▪ Backups and restores, fault-tolerant drive systems, system imaging, server clustering,
▪ Antivirus software, and database or virtual machine shadowing.
Access Control Types
▪ Directive Access Control: directs, confines, or controls the actions of subjects to
force or encourage compliance with security policies.
▪ Security policy requirements,
▪ Posted notifications,
▪ Monitoring,
▪ Supervision.
Access Control Types
▪ Compensating Access Control: provides an alternative when it isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control.
▪ A security policy might dictate the use of smartcards by all employees but it takes a long
time for new employees to get a smartcard.
▪ The organization could issue hardware tokens to employees as a compensating control.
▪ These tokens provide stronger authentication than just a username and password.
Access Control Categories
▪ Management (Administrative) Controls:
▪ Policies, Roles, Standards, Processes, Procedures and Guidelines.
▪ Technical (Logical) Controls:
▪ Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation.
▪ Operational (and Physical) Controls:
▪ Operational Security: Execution of Policies, Standards & Processes, Education & Awareness.
▪ Physical Security (Facility or Infrastructure Protection).
Access Control Categories: Implementation (To do)
Security Models
▪ Bell-LaPadula Model
▪ The US Department of Defense (DoD) developed the Bell-LaPadula model in
the 1970s to address concerns about protecting classified information.
▪ This multilevel model was derived from the DoD’s multilevel security policies.
▪ A subject with any level of clearance can access resources at or below its clearance level.
▪ Within the higher clearance levels, access is granted only on a need-to-know basis.
▪ Any person with a secret security clearance can access secret,
▪ To access a document within the secret level, the person seeking access must also
have a need to know for that document.
▪ Prevents the leaking or transfer of classified information to less secure
clearance levels.
▪ Blocks lower-classified subjects from accessing higher-classified objects.
▪ With these restrictions, the Bell-LaPadula model is focused on maintaining
the confidentiality of objects.
▪ Bell-LaPadula does not address the aspects of integrity or availability for objects.
▪ The Simple Security Property states that a subject may not read information at a
higher sensitivity level (no read up).
▪ The * (star) Security Property states that a subject may not write information to an object at
a lower sensitivity level (no write down). This is also known as the Confinement Property.
▪ The Discretionary Security Property states that the system uses an access matrix to
enforce discretionary access control.
Exercise:
Security level   Subject (clearance L(S))   Object (classification L(O))
Top secret       Ahmed                      Personnel files
Secret           Salma                      E-mail files
Confidential     Georges                    Activity logs
Unclassified     Hana                       Telephone lists
▪ Answer the following questions with True (T) or False (F):
▪ Ahmed can only read personnel files. F
▪ Hana can read all files. F
▪ Georges cannot read personnel or e-mail files. T
▪ Ahmed can modify e-mail files or activity logs. F
▪ Hana can only read Telephone lists. T
Security Models
▪ Biba Model
▪ Integrity-focused security models: Biba and Clark-Wilson.
▪ The Biba model was designed after the Bell-LaPadula model.
▪ The Biba model addresses integrity.
▪ The Biba model is also built on a state machine concept, is based on information flow, and is
a multilevel model.
▪ Biba appears to be pretty similar to the Bell-LaPadula model, except inverted.
▪ Both use states and transitions. Both have basic properties.
▪ The biggest difference is their primary focus: Biba primarily protects data integrity.
▪ The basic properties or axioms of the Biba model state machine:
▪ The Simple Integrity Property states that a subject cannot read an object at a lower
integrity level (no read-down).
▪ The * (star) Integrity Property states that a subject cannot modify an object at a
higher integrity level (no write-up).
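The Bell-LaPadula and Biba properties above, as an added example that is not part of the lecture: it encodes no read up / no write down and their Biba inversions as functions over the exercise's subjects and objects, and evaluates the exercise's five statements (reusing the four labels as Biba integrity levels is a constructed assumption).

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) rules on one label order.

Added example, not the lecture's code. Subjects and objects are those of the
Bell-LaPadula exercise; reusing the same four labels as Biba integrity
levels is a constructed assumption for illustration.
"""
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

def rank(label):
    return LEVELS.index(label)

# Exercise data: subject clearance L(S) and object classification L(O)
CLEARANCE = {"Ahmed": "top secret", "Salma": "secret",
             "Georges": "confidential", "Hana": "unclassified"}
CLASSIFICATION = {"Personnel files": "top secret", "E-mail files": "secret",
                  "Activity logs": "confidential", "Telephone lists": "unclassified"}

def blp_can_read(subject, obj):
    """Simple Security Property, no read up: L(S) >= L(O)."""
    return rank(CLEARANCE[subject]) >= rank(CLASSIFICATION[obj])

def blp_can_write(subject, obj):
    """* (star) Property, no write down: L(O) >= L(S)."""
    return rank(CLASSIFICATION[obj]) >= rank(CLEARANCE[subject])

# Biba inverts both arrows: the labels now mean integrity levels I(S), I(O).
def biba_can_read(subject, obj):
    """Simple Integrity Property, no read down: I(O) >= I(S)."""
    return rank(CLASSIFICATION[obj]) >= rank(CLEARANCE[subject])

def biba_can_write(subject, obj):
    """* (star) Integrity Property, no write up: I(S) >= I(O)."""
    return rank(CLEARANCE[subject]) >= rank(CLASSIFICATION[obj])

def readable(subject, rule=blp_can_read):
    return {o for o in CLASSIFICATION if rule(subject, o)}

def exercise_answers():
    """Evaluate the exercise's five statements under Bell-LaPadula."""
    return {
        "Ahmed can only read personnel files":
            readable("Ahmed") == {"Personnel files"},
        "Hana can read all files":
            readable("Hana") == set(CLASSIFICATION),
        "Georges cannot read personnel or e-mail files":
            not blp_can_read("Georges", "Personnel files")
            and not blp_can_read("Georges", "E-mail files"),
        "Ahmed can modify e-mail files or activity logs":
            blp_can_write("Ahmed", "E-mail files")
            or blp_can_write("Ahmed", "Activity logs"),
        "Hana can only read telephone lists":
            readable("Hana") == {"Telephone lists"},
    }

if __name__ == "__main__":
    for statement, truth in exercise_answers().items():
        print("T" if truth else "F", statement)
```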
Security Models
▪ Lattice-Based Access Control
▪ Is a general category for nondiscretionary access controls.
▪ Subjects under lattice-based access controls are assigned positions in a lattice.
▪ These positions fall between defined security labels or classifications.
▪ Subjects can access only those objects that fall into the range between:
▪ The least upper bound (LUB): the nearest security label or classification higher than their lattice position, and
▪ The highest lower bound (HLB): the nearest security label or classification lower than their lattice position.
▪ Lattice-based access controls also fit into the general category of information flow models
and deal primarily with confidentiality (that’s the reason for the connection to Bell-LaPadula).
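A lattice of labels as an added example (not the lecture's code): it goes beyond the linear levels of the exercise by adding compartments, so two labels can be incomparable, and shows the dominance relation plus the least upper bound (join) and greatest lower bound (meet) of two positions. The object names and the Nuclear/Crypto compartments are constructed.

```python
"""Lattice-based access control with (level, compartments) labels.

Added example, not from the slides. Label A dominates label B iff
level(A) >= level(B) and compartments(A) is a superset of compartments(B).
"""
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

class Label:
    """One position in the lattice: hierarchical level plus compartment set."""
    def __init__(self, level, compartments=()):
        self.level = LEVELS.index(level)
        self.comps = frozenset(compartments)

    def dominates(self, other):
        # Partial order: at-least-as-high level AND a superset of compartments.
        return self.level >= other.level and self.comps >= other.comps

    def join(self, other):
        """Least upper bound (LUB): the lowest label dominating both."""
        return Label(LEVELS[max(self.level, other.level)], self.comps | other.comps)

    def meet(self, other):
        """Greatest lower bound (GLB): the highest label dominated by both."""
        return Label(LEVELS[min(self.level, other.level)], self.comps & other.comps)

    def __eq__(self, other):
        return (self.level, self.comps) == (other.level, other.comps)

    def __hash__(self):
        return hash((self.level, self.comps))

    def __repr__(self):
        name = LEVELS[self.level]
        return name + (" - " + "/".join(sorted(self.comps)) if self.comps else "")

def comparable(a, b):
    """Lattice points can be incomparable: neither dominates the other."""
    return a.dominates(b) or b.dominates(a)

# Constructed objects with compartmented classifications
OBJECTS = {
    "reactor design": Label("top secret", {"Nuclear"}),
    "key schedule":   Label("secret", {"Crypto"}),
    "staff roster":   Label("confidential"),
    "cafeteria menu": Label("unclassified"),
}

def readable(clearance, objects=OBJECTS):
    """Objects a subject at `clearance` may read: those its label dominates."""
    return sorted(name for name, label in objects.items() if clearance.dominates(label))

if __name__ == "__main__":
    analyst = Label("top secret", {"Nuclear"})
    print(readable(analyst))                          # no 'key schedule': wrong compartment
    print(analyst.join(Label("secret", {"Crypto"})))  # top secret - Crypto/Nuclear
```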
Security Models
▪ Graham-Denning: an information access control model that operates on a set of subjects, objects, rights and an access capability matrix. It defines:
▪ How to securely create/delete an object/subject.
▪ How to securely provide the read/grant/delete/transfer access right.
▪ Capability Table = Access Control Matrix + Access Permissions
▪ Row = Capability List (a subject’s access permissions)
▪ Column = Access Control List (an object’s permissions)
Security Models
▪ Clark & Wilson Integrity Model:
▪ Addresses three integrity goals
▪ Authentication & Authorization (ACL) are both used.
▪ Prevents both unauthorized and authorized users/processes from making improper actions or
modifications.
▪ Maintains internal and external consistency through the use of “well formed transactions”
▪ All steps are performed in a defined order
▪ Users performing these steps have to be authenticated
▪ Calls for Separation of Duties (SoD) between administrators and users
▪ A program decides if subjects have rights to objects and enforces rules for Separation of
Duties (SoD), and creates well-formed (high integrity) transactions using 3 rules (TLC):
▪ T – No Tampering of Transactions
▪ L – Proper Logging of Transactions
▪ C – Consistency (Internal & External) of Transactions
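The well-formed transaction and TLC rules, as an added example that is not the lecture's code: constrained data items (constructed account balances) can only be changed through a certified transformation procedure run by an authorized user; the TP works on a copy that is committed only if the integrity verification procedure still holds (T, C), and every attempt is written to a hash-chained log so tampering with the record is detectable (L).

```python
"""Clark-Wilson well-formed transactions enforcing the TLC rules.
Added example, not the lecture's code. CDIs are constructed account balances
and the IVP forbids negative balances; only certified TPs run by authorized
users change CDIs (on a copy, committed only if the IVP holds: T, C), and
every attempt is written to a hash-chained log (L)."""
import copy, hashlib, json

class IntegrityViolation(Exception):
    pass

class ClarkWilsonSystem:
    def __init__(self, cdis, ivp):
        if not ivp(cdis):
            raise IntegrityViolation("initial state is inconsistent")
        self.cdis, self.ivp = cdis, ivp   # constrained data items and their IVP
        self.tps = {}                     # certified transformation procedures
        self.triples = set()              # (user, tp) authorizations
        self.log = []
    def certify_tp(self, name, func):
        self.tps[name] = func
    def authorize(self, user, tp):
        self.triples.add((user, tp))
    def run(self, user, tp, *args):
        """Run a TP as a well-formed transaction, or refuse and record why."""
        if (user, tp) not in self.triples:        # enforcement: access triple
            self._log(user, tp, args, "denied")
            raise PermissionError(f"{user} is not authorized for {tp}")
        working = copy.deepcopy(self.cdis)       # T: TPs never touch live CDIs
        self.tps[tp](working, *args)
        if not self.ivp(working):                # C: consistency before commit
            self._log(user, tp, args, "rolled back")
            raise IntegrityViolation(f"IVP failed after {tp}")
        self.cdis = working
        self._log(user, tp, args, "committed")
    def _log(self, user, tp, args, outcome):
        # L: append-only log, each entry chained to the previous entry's hash
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"user": user, "tp": tp, "args": list(args),
                 "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.log.append(entry)
    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    def log_intact(self):
        """Detect tampering: every entry must match its hash and predecessor."""
        prev = "0" * 64
        for e in self.log:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def no_overdraft(cdis):                  # constructed IVP
    return all(balance >= 0 for balance in cdis.values())

def transfer(state, src, dst, amount):   # constructed TP
    state[src] -= amount
    state[dst] += amount
```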
Security Models
▪ Clark & Wilson Integrity Model: Use Cases
▪ Enterprise resource planning (ERP) systems integrate different business processes
and functions into a single system.
▪ The Clark-Wilson model can be integrated into an ERP system to ensure that data is only
accessed and modified by authorized individuals, and to prevent unauthorized access or
modification of data.
▪ Electronic medical records (EMR) systems manage patient health records.
▪ The Clark-Wilson model can be integrated into an EMR system to ensure that patient data is kept
confidential and that only authorized healthcare professionals can access the data.
Security Models
▪ Brewer and Nash Model (Chinese Wall)
▪ Focuses on preventing conflict of interest among classes of data / groups using dynamic
rules.
▪ Defines a virtual wall to classify and segment data types.
▪ Supports separation of duties (SoD) to ensure that subjects do not make fraudulent modifications to objects.
▪ Users are only allowed to access data that is not in conflict with previously accessed data.
▪ For example, doctors don’t share a patient’s data between patients.
▪ The model is based on three main principles:
▪ The "read" principle: A user can only read information if the user has not
previously accessed information that creates a conflict of interest.
▪ The "write" principle: A user can only modify information if the user has not
previously accessed information that creates a conflict of interest.
▪ The "no-transfer" principle: Information cannot be transferred between two
categories of information if the transfer would create a conflict of interest.
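The three Brewer-Nash principles as an added example (not the lecture's code), following the standard read and write rules of the model without sanitized data: each user's own access history decides what they may still read, writes are blocked once the user has read any other dataset, and transfers between competing datasets are refused. The company datasets and their conflict-of-interest classes are constructed.

```python
"""Brewer-Nash (Chinese Wall): access decided by the user's own history.

Added example, not from the slides. Datasets and conflict-of-interest
classes (two competing banks, two competing oil companies) are constructed.
"""
# Conflict-of-interest class of each company dataset: same class = competitors
COI_CLASS = {"Bank A": "banks", "Bank B": "banks", "Oil X": "oil", "Oil Y": "oil"}

class ChineseWall:
    def __init__(self):
        self.history = {}   # user -> datasets already accessed

    def conflicts(self, user, dataset):
        """Datasets the user already touched that compete with `dataset`."""
        return {d for d in self.history.get(user, set())
                if d != dataset and COI_CLASS[d] == COI_CLASS[dataset]}

    def can_read(self, user, dataset):
        """Read rule: allowed unless a competing dataset was accessed earlier."""
        return not self.conflicts(user, dataset)

    def read(self, user, dataset):
        if not self.can_read(user, dataset):
            raise PermissionError(f"{user}: {dataset} conflicts with "
                                  f"{sorted(self.conflicts(user, dataset))}")
        # The wall is built dynamically: this access shapes all future decisions
        self.history.setdefault(user, set()).add(dataset)

    def can_write(self, user, dataset):
        """Write rule: readable AND the user has read no other dataset at all,
        otherwise the user could carry information across a wall by writing."""
        return (self.can_read(user, dataset)
                and self.history.get(user, set()) <= {dataset})

def can_transfer(src, dst):
    """No-transfer principle: data may not move between competing datasets."""
    return src == dst or COI_CLASS[src] != COI_CLASS[dst]

if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("ana", "Bank A")
    print(wall.can_read("ana", "Bank B"))   # False: Bank B competes with Bank A
    print(wall.can_read("ana", "Oil X"))    # True: different COI class
    wall.read("ana", "Oil X")
    print(wall.can_write("ana", "Bank A"))  # False: ana has also read Oil X
```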
Authorization
▪ Authorization: who is trusted to perform specific operations based on the proven identity.
▪ Concepts
▪ Need-to-know: authorization is given based on the subject’s job duties / requirements (least privilege).
▪ Authorization Creep: when a user moves laterally within the organization, new access rights and permissions are assigned (existing read/write privileges should be reviewed).
▪ Access Control List (ACL): specifies which subjects are granted access to assets and which operations are allowed.
▪ Default to zero: access control should start with zero access and then build on it.
▪ Authorization Mechanisms:
▪ Implicit Deny:
▪ Ensures that access to an object is denied unless access has been explicitly granted to
a subject.
▪ Access Control Matrix:
▪ Is a table that includes subjects, objects, and assigned privileges.
▪ When a subject attempts an action, the system checks the access
control matrix to determine if the subject has the appropriate privileges to perform the
action.
▪ Capability Tables: (Graham-Denning)
▪ Are another way to identify privileges assigned to subjects.
▪ Are different from ACLs in that a capability table is focused on subjects (e.g., users, groups,
or roles).
▪ Access Control Matrix + Access Permissions
▪ Constrained Interface Applications:
▪ Use constrained interfaces or restricted interfaces to restrict what users can do or see based on their privileges.
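The access control matrix, its two views (ACL per object column, capability list per subject row) and implicit deny from the Graham-Denning and authorization-mechanism slides, as an added example that is not the lecture's code: the matrix only stores cells that were explicitly granted, so a missing cell is a denial, and the grant/transfer/delete operations carry simplified Graham-Denning style checks (owner right to grant or delete, a copy flag written as "read*" to transfer). Subjects, objects and rights are constructed.

```python
"""Access control matrix as ACLs (columns) and capability lists (rows).

Added example, not from the slides. 'owner' marks the object's controller;
a right suffixed with '*' (e.g. 'read*') carries the copy flag that allows
the holder to transfer that right (a simplified Graham-Denning reading).
"""
class AccessMatrix:
    def __init__(self):
        self.cells = {}   # (subject, object) -> set of rights

    def rights(self, subject, obj):
        # Implicit deny / default to zero: a missing cell means no rights at all
        return self.cells.get((subject, obj), set())

    def check(self, subject, obj, right):
        r = self.rights(subject, obj)
        return right in r or right + "*" in r

    def create_object(self, creator, obj):
        """Graham-Denning create: the creator becomes the object's owner."""
        self.cells.setdefault((creator, obj), set()).add("owner")

    def grant(self, granter, subject, obj, right):
        """Graham-Denning grant: only the owner may add rights for others."""
        if "owner" not in self.rights(granter, obj):
            raise PermissionError(f"{granter} does not own {obj}")
        self.cells.setdefault((subject, obj), set()).add(right)

    def transfer(self, giver, receiver, obj, right):
        """Graham-Denning transfer: pass on a right only if held with copy flag."""
        if right + "*" not in self.rights(giver, obj):
            raise PermissionError(f"{giver} cannot transfer {right} on {obj}")
        self.cells.setdefault((receiver, obj), set()).add(right)

    def delete_right(self, deleter, subject, obj, right):
        """Graham-Denning delete: the owner removes a right from a subject."""
        if "owner" not in self.rights(deleter, obj):
            raise PermissionError(f"{deleter} does not own {obj}")
        self.rights(subject, obj).discard(right)

    def acl(self, obj):
        """Column view: the object's access control list."""
        return {s: sorted(r) for (s, o), r in self.cells.items() if o == obj and r}

    def capability_list(self, subject):
        """Row view: the subject's capability list."""
        return {o: sorted(r) for (s, o), r in self.cells.items() if s == subject and r}

def demo():
    """Constructed scenario: owner grants, holder of read* transfers, others denied."""
    m = AccessMatrix()
    m.create_object("alice", "payroll.db")
    m.grant("alice", "bob", "payroll.db", "read*")
    m.transfer("bob", "carol", "payroll.db", "read")
    try:
        m.transfer("carol", "dave", "payroll.db", "read")   # carol lacks read*
    except PermissionError:
        pass
    return m
```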
▪ Content-Dependent Control: restricts access to data based on the content within
an object. A database view is a content-dependent control.
▪ A view retrieves specific columns from one or more tables, creating a virtual table.
▪ Context-Dependent Control: requires specific activity before granting users access.
▪ Need to Know: ensures that subjects are granted access only to what they need to
know for their work tasks and job functions.
▪ Subjects may have clearance to access classified or restricted data but are not
granted authorization to the data unless they actually need it to perform a job.
▪ Least Privilege: ensures that subjects are granted only the privileges they need to perform their work tasks and job functions.
▪ This is sometimes lumped together with need to know. The only difference is that least privilege also includes rights to take action on a system.
▪ Separation of Duties and Responsibilities: ensures that sensitive functions
are split into tasks performed by two or more employees.
▪ It helps to prevent fraud and errors by creating a system of checks and balances.
Access Control Administration
▪ Centralized access control: authorization verification is performed by a single entity within
a system (SSO, AAA, …).
▪ Low overhead: Changes are made in a single location
▪ Strict control and access uniformity
▪ A single change affects the entire system.
▪ Decentralized (distributed) access control: various entities located throughout a system
perform authorization verification
▪ Flexible Access Control
▪ High overhead because changes must be implemented across numerous locations.
▪ Maintaining consistency across a system becomes more difficult as the number of access control points increases.
▪ Changes made to any individual point need to be repeated at every access point.
Access control mechanisms
▪ Mandatory access control
▪ Discretionary access control
▪ Entitlement/Task based access control
▪ Role based access control
▪ Attribute based access control
Mandatory access control (MAC)
▪ Is the traditional mechanism to define the access rights of users.
▪ Gives access permission through the operating system or security kernel.
▪ Controls the ability of data owners to grant or deny access rights to clients for the file
system.
▪ Each file system object has a classification label (Hierarchical security levels): unclassified <
confidential < secret < top secret.
▪ Each device and client is assigned a similar classification and clearance level (DRH, DRF, etc).
▪ The security kernel determines the classification label of clients and resources.
▪ The OS checks the credentials of each person or system accessing a particular resource to determine the access rights of that specific person or device.
Mandatory access control (MAC)
▪ Labels: objects have labels assigned to them; the subject’s clearance must dominate the object’s label.
a) The label is used to allow subjects with the right clearance to access them.
b) Labels are often more granular than just “Top Secret”; they can be “Top Secret – Nuclear”.
▪ Clearance: subjects have clearance assigned to them.
a) Based on a formal decision on a subject’s current and future trustworthiness.
b) The higher the clearance, the more in-depth the background checks should be.
Mandatory access control (MAC)
▪ MAC provides more security in accessing resources,
▪ Careful planning and frequent monitoring are needed to keep all the classification labels up to date,
▪ MAC provides a less flexible environment for processing access rights.
Discretionary access control (DAC)
▪ Decentralized model.
▪ Access permissions are controlled by the data owner.
▪ The access rights of each user are determined during authentication by validating the username and password.
▪ DACs are discretionary as the owner determines the access privileges.
▪ A file or data item has an owner, who manages its access policies.
▪ DAC is more flexible than MAC,
▪ DAC is complex and provides less security than MAC.
Entitlement/Task based access control
▪ A specific access permission (entitlement) is required for each task, action or process.
▪ Handles complex access conditions to determine whether access rights need to be granted.
▪ Users need to raise a separate request and get approval for each entitlement.
▪ Role-based access control
▪ Attribute-based access control.
Role based access control (RBAC)
▪ Access rights are provided based on the roles and privileges of the users.
▪ User permissions are given by different parameters (user-role, role-permission and role-role relationships).
Role based access control (RBAC)
▪ RBAC contains mainly three rules: role assignment, role authorization and
permission authorization.
▪ The permissions for accessing the data are provided to users based on these rules.
▪ Roles’ classification:
▪ An application/technical role: combines permissions for different application-specific tasks; its scope is limited to that specific application.
▪ An organizational/business role: is generated from the different job functions and access rights assigned to an employee.
▪ It is a combination of different application/technical roles.
▪ A real-time environment to check and validate changes in role assignments needs to be considered.
Attribute based access control (ABAC)
▪ The access control mechanism is defined by the use of policies which determine different sets of attributes to check the access rights of each user.
▪ Roles and privileges of each user are pre-defined.
(Figure: From Static Roles to Dynamic Rules)
Attribute based access control (ABAC)
▪ Implements business rules in context-aware and risk-mitigating policies.
▪ Resolves many authorization problems,
▪ Achieves an efficient regulatory compliance,
▪ Allows flexibility in implementation.
Rules combined in policies and policy sets become an exact definition
rather than an approximation of authorizations based on business rules.
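Rules combined into policies and policies into a policy set, as an added example that is not the lecture's code, set beside the static RBAC decision for the same request: the RBAC table grants a doctor "write" unconditionally, while the ABAC policy set also evaluates resource, environment and risk attributes under a deny-overrides combining algorithm. Roles, attributes, rules and the combining algorithm are constructed for illustration.

```python
"""ABAC policy set (deny-overrides) beside a static RBAC role table.

Added example, not from the slides. Roles, attributes, rules and the
combining algorithm are constructed; `env()` builds environment attributes.
"""
from datetime import time

# RBAC: static role -> permission table (roles and privileges pre-defined)
ROLE_PERMS = {"doctor": {"read", "write"}, "nurse": {"read"}}

def rbac_decide(subject, action):
    return any(action in ROLE_PERMS.get(role, set()) for role in subject["roles"])

# ABAC: a rule is (effect, condition over subject, resource, action, environment)
WARD_POLICY = [
    ("permit", lambda s, r, a, e: "doctor" in s["roles"] and r["ward"] == s["ward"]),
    ("permit", lambda s, r, a, e: "nurse" in s["roles"] and a == "read"
                                  and r["ward"] == s["ward"]),
]
RISK_POLICY = [   # context-aware, risk-mitigating rules
    ("deny", lambda s, r, a, e: a == "write" and not time(7) <= e["time"] <= time(19)),
    ("deny", lambda s, r, a, e: e["risk_score"] > 70),
]
POLICY_SET = [WARD_POLICY, RISK_POLICY]

def evaluate(rules, s, r, a, e):
    """Deny-overrides: a matching deny wins; else a permit; else not applicable."""
    effects = {effect for effect, cond in rules if cond(s, r, a, e)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "not_applicable"

def abac_decide(policy_set, s, r, a, e):
    """Combine policy decisions the same way; no permit anywhere means deny."""
    decisions = {evaluate(rules, s, r, a, e) for rules in policy_set}
    return "deny" not in decisions and "permit" in decisions

def env(hour, risk_score):
    """Constructed environment attributes: time of day and a session risk score."""
    return {"time": time(hour, 0), "risk_score": risk_score}

# Constructed request: a doctor writing a record of her own ward
DOCTOR = {"roles": ["doctor"], "ward": "ICU"}
RECORD = {"type": "record", "ward": "ICU"}

if __name__ == "__main__":
    for when in (env(10, 10), env(23, 10), env(10, 90)):
        print("RBAC:", rbac_decide(DOCTOR, "write"),
              "ABAC:", abac_decide(POLICY_SET, DOCTOR, RECORD, "write", when))
```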
Access control attacks
▪ Computing threats:
▪ Denial of services (DoS) threats
▪ Ping of death | Smurfing | SYN flood | Distributed DoS (DDoS)
▪ Unauthorized software
▪ Malicious code | Mobile code
▪ Software defects
▪ Buffer overflows | Covert channel | Trapdoor
Access control attacks
▪ Physical threats:
▪ Unauthorized physical access
▪ Dumpster diving | Shoulder surfing | Eavesdropping
▪ Electronic emanations
▪ Personnel/Social engineering threats:
▪ Disgruntled/careless employees
▪ Targeted data mining/ “browsing” | Spying | Impersonation
Access control Tools
▪ SolarWinds Access Rights Manager
▪ PRTG Active Directory Monitor
▪ Apache Directory
▪ ManageEngine AD360
▪ ManageEngine ADAudit Plus
▪ 389 Directory Server
▪ FreeIPA
▪ LDAP Account Manager
▪ AWS Directory Service
▪ JumpCloud DaaS
SolarWinds Access Rights Manager
PRTG Active Directory Monitor
Apache Directory
FreeIPA
Keycloak
Conclusion