The two main methods and sub-methods:
- Discretionary – refers to leaving total control to the discretion of the owner. The owner controls who can access the data, and what they can do with it.
- Non Discretionary – anything that’s not discretionary. Sub-methods include the following:
- Mandatory – access decisions are controlled by a central authority.
- Role-based – where access is limited to authorized users based on roles, often where permissions are established based on job functions/duties, for example, Human Resources personnel would be the only employees allowed access to the HR application. Accounting staff would only have access to the accounting application, etc. Permissions within those applications could also be established to ensure separation of duties and least privilege.
- Rule-based – where rules are imposed, such as “no logins after 5:00 p.m.”
- Attribute-based – where a combination of non discretionary methods are used. For example, everyone in the organization can log in as they please, however HR staff can only log into the HR application between the hours of 5:00 a.m. and 5:00 p.m. This demonstrates the combination of roles (HR staff) and rules (logins between such & such hours).
- Risk-based access controls will increase the number of authentication challenges based on risk factors of those attempting to access the system. An example might be making the user login with two factors if they are coming in from the internet, and then force the user to answer additional security questions if they are logging in from an atypical source, or from a known hostile geolocation. Another use would be to increase the challenges for additional information during peak online shopping seasons of the year due to high debit and credit card fraud.
Be sure to understand the difference between and/or the similarities between access control models and access/security control methods. For example, one of the security access control models is Brewer Nash, whereas a method of implementing Brewer Nash might be role-based access controls.
Self-service identity management allows people to request changes to passwords, passphrases and PINs, usually through a browser and a ticketing application.
Just-in-Time provides for real-time creation, provisioning, and deletion of human and non-human user identities, including their privilege escalation and deescalation. It can also focus on the actions of granting access at a specific moment in time, for a single transaction or purpose, with a specific set of privileges. JIT access typically uses SAML.
JIT Use Cases:
- Privileged account management is another JIT-related term to be familiar with; it’s static, meaning it’s assigned and left unchecked.
- JIT-PAM is privileged access with limitations.
- Endpoint privilege management is needed to prevent malicious or accidental attempts to run processes with incorrect privileges, or to invoke services on other nodes on a network.
- Remote help desk operations rely on JIT access management strategies.
User behavior review is where look at our users, and what they’re doing with our system resources. You’d want to set up some type of alerting for use cases that include the following examples of situations:
- The first is Inappropriate use – this could mean you have employees using a lot of bandwidth tha’ts needed for something else, or that you have data that’s ciphened onto a thumb drive for personal use or for personal gain. It should be defined at the policy level, and enforced by user behavior review. You also should make sure anything that’s deemed as inappropriate is made known to your employees through proper training and awareness.
- Identify, alert, and review logs on accounts that attempt to exceed their system permissions.
- Identify any Rogue devices that try to connect to the network or try to masquerade as as wireless access points.
- Identify circumvention of security controls.
- Identify any misuse of applications such as invalid or incomplete input data,
- Identify any abnormal usage patterns, such as logins outside of typical working hours.
Job or Duties Review:
Changes in job duties can lead to what’s called privilege creep. Privilege creep is when users accumulate system permissions for new tasks or new job duties, and when the old permissions are not removed.
The problem with privilege creep should be obvious – you don’t want someone who started out as an accounts payable clerk and then became manager, who can create and then authorize payments, who also maybe worked in accounts receivable as a clerk and then manager to have and retain the ability to create and approve invoices. This opens the door for insider threats, and also external threats in a situation where an attacker can obtain the user’s password.
The recommendation here is that each change in employment status, assigned jobs and duties, or responsibilities should trigger a permissions review.
Another term for privilege creep is Permission Aggregation.
Another concept presented in Domain 5 is Accountability. This is important for IAM topics, especially for identity, since system logs will show who accessed what, the action performed, the outcome, and other system actions. If there is low assurance about the authenticity of identities or authenticators, such as IAL1, or AAL1, then the malicious users may have repudiation, and can deny the actions performed under a given username. On the other hand, if assurances are strong about the identities and authenticators, users have non-repudiation, or the inability to deny their actions.
Dual custody, also known as dual control, requires two or more people to simultaneously perform separate actions to complete a critical action.
Security Identifiers (SIDs) / Access Review:
A security identifier is a built-in user account in Microsoft Windows, that needs to be obscured and it’s activity regularly monitored and reviewed for possible malicious activity. The common body of knowledge gives the following specific accounts to be aware of:
The Administrator account is a user account for the system administrator. By default, it has full control over the system.
The Default account is a built-in user-neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
The Guest account is a user account for people who don’t have individual accounts. The guest account doesn’t require a password. By default, the guest account is disabled.
The Domain Administrator account is automatically added to a global group whose members are authorized to administer the domain. By default, the Chapter Admins group is also a member of the Administrators group on all computers that have joined a domain, including the domain controllers.
Privilege Escalation:
Vertical Privilege Escalation (or privilege elevation) is when an attacker uses an account they have access to, or one they’ve gained unauthorized use of by some means, to run applications or services at higher permission levels. This happens when the applications developers have made incorrect assumptions about the use cases for privileged functions, or if the application allows command injection or exploits to be used. Phishing attacks that lure victims into entering sign-on credentials, are a stepping-stone to vertical privilege escalation.
Horizontal Privilege Escalation, also known as lateral movement is where the attacker uses an account they have access to as a way to discover, fingerprint, and gain access to other resources. For example, a user of applications and data on one server can “jump” horizontally, or sideways, to another server to access data or resources residing therein.
Mitigations include:
- Security education, training, and awareness (SETA)
- Phishing simulations
- Multifactor authentication (MFA)
- Patch/Vulnerability management
- IDS/IPS/SIEM