Logical Access Controls

Logical access controls are electronic methods that limit who can get access to systems.

These types of electronic tools limit who can get logical access to an asset, even if the person already has physical access.

Types of logical access controls include:

  • Passwords

  • Biometrics (implemented on a system, such as a smartphone or laptop)

  • Badge/token readers connected to a system

Discretionary Access Control (DAC) - a specific type of access control policy that is enforced over all subjects and objects in an information system.

The policy specifies that a subject who has been granted access to information can do one or more of the following:

  • Pass the information to other subjects or objects

  • Grant its privileges to other subjects

  • Change security attributes on subjects, objects, information systems or system components

  • Choose the security attributes to be associated with newly created or revised objects; and/or

  • Change the rules governing access control; mandatory access controls restrict this capability

Rule-based access control systems are usually a form of DAC.

Mandatory Access Control (MAC) - a policy that is uniformly enforced across all subjects and objects within the boundary of an information system.

Only properly designated security administrators, as trusted subjects, can modify any of the security rules that are established for subjects and objects within the system.

The organization assigns a subset of total privileges for a subset of objects, such that the subject is constrained from doing any of the following:

  • Passing the information to unauthorized subjects or objects

  • Granting its privileges to other subjects

  • Changing one or more security attributes on subjects, objects, the information system or system components

  • Choosing the security attributes to be associated with newly created or modified objects

  • Changing the rules governing access control

With Mandatory Access Control, it is mandatory for security administrators to assign access rights or permissions; with Discretionary Access Control, it is up to the object owner’s discretion.
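The contrast above as a small added example (not part of the original notes): the same attempt to pass read access to a colleague succeeds under DAC and is refused under MAC. The class names, users and the `share_report` helper are hypothetical, and the MAC model is reduced to a single admin-only rule set.

```python
class AccessDenied(Exception):
    """Raised when a subject tries to change access rules it does not control."""


class DacObject:
    """Discretionary: the owner, or anyone holding 'grant', decides who gets access."""

    def __init__(self, owner):
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, grantor, grantee, rights):
        if "grant" not in self.acl.get(grantor, set()):
            raise AccessDenied(f"{grantor} holds no grant right on this object")
        self.acl.setdefault(grantee, set()).update(rights)

    def allows(self, subject, right):
        return right in self.acl.get(subject, set())


class MacSystem:
    """Mandatory: one rule set for the whole system, editable only by security admins."""

    def __init__(self, security_admins):
        self.security_admins = frozenset(security_admins)
        self.rules = set()  # (subject, object, right) tuples

    def add_rule(self, actor, subject, obj, right):
        if actor not in self.security_admins:
            raise AccessDenied(f"{actor} is not a designated security administrator")
        self.rules.add((subject, obj, right))

    def allows(self, subject, obj, right):
        return (subject, obj, right) in self.rules


def share_report(model):
    """alice can read 'report' and tries to pass read access to bob.
    Returns True if bob can read it afterwards."""
    if model == "dac":
        report = DacObject(owner="alice")
        report.grant("alice", "bob", {"read"})  # owner's discretion
        return report.allows("bob", "read")
    system = MacSystem(security_admins={"secadmin"})
    system.add_rule("secadmin", "alice", "report", "read")
    try:
        system.add_rule("alice", "bob", "report", "read")  # not an admin
    except AccessDenied:
        pass
    return system.allows("bob", "report", "read")
```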

Example of role-based access control:

  1. A role is created and assigned the access required for personnel working in that role.

  2. When a user takes on a job, the administrator assigns them to the appropriate role.

  3. If a user leaves that role, the administrator removes the user from it, and the access associated with that role is removed for that user.

  4. RBAC works well in an environment with high staff turnover and multiple personnel with similar access requirements.

Another example:

  1. Only Human Resources staff have access to personnel files

  2. Only Finance has access to bank accounts

  3. Each manager has access to their own direct reports and their own department

  4. Very high-level system administrators may have access to everything

  5. New employees would have very limited access, the minimum required to do their jobs

Role-based access control provides each worker privileges based on what role they have in the organization.

Privilege creep or permissions creep - a junior worker’s permissions might be expanded so they can temporarily act as the department manager, but if you forget to change their permissions back when the new manager is hired, the next person to come in at that junior level might inherit those permissions when it is not appropriate for them to have them.
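An added example (not from the original notes) that walks through the role-based access control steps and the privilege creep scenario above: a junior worker covers for the manager, the role is never removed, and an access review against HR records finds it. Role names, permission strings, users and the `hr_record` mapping are constructed for illustration.

```python
ROLES = {  # constructed roles and permission strings
    "hr": {"personnel_files:read"},
    "finance": {"bank_accounts:read"},
    "junior_analyst": {"tickets:read"},
    "dept_manager": {"tickets:read", "team_reports:read", "budget:approve"},
}


class Rbac:
    def __init__(self, roles):
        self.roles = roles   # step 1: roles carry the access
        self.members = {}    # user -> set of assigned role names

    def assign(self, user, role):
        """Step 2: the administrator assigns the user to a role."""
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.members.setdefault(user, set()).add(role)

    def remove(self, user, role):
        """Step 3: removing the role removes the access that came with it."""
        self.members.get(user, set()).discard(role)

    def permissions(self, user):
        """Effective permissions are the union of the user's roles."""
        return set().union(*(self.roles[r] for r in self.members.get(user, set())))

    def creep(self, job_role):
        """Access review: roles held beyond the one the user's job entitles.
        A user with no HR record (a leaver) has every role flagged."""
        findings = []
        for user, roles in self.members.items():
            extra = roles - {job_role.get(user)}
            findings.extend((user, r) for r in sorted(extra))
        return sorted(findings)


def scenario():
    rbac = Rbac(ROLES)
    rbac.assign("sam", "junior_analyst")
    rbac.assign("sam", "dept_manager")     # temporary cover, never reverted
    rbac.assign("morgan", "dept_manager")  # new manager hired
    hr_record = {"sam": "junior_analyst", "morgan": "dept_manager"}
    before = rbac.creep(hr_record)
    for user, role in before:              # administrator acts on the review
        rbac.remove(user, role)
    return before, rbac.permissions("sam"), rbac.creep(hr_record)
```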

Access is based on three elements:

  1. subjects (who)

  2. objects (what)

  3. rules (how and when)

Trustworthiness and the need for access also determine access.

  • Audit - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B

  • Crime Prevention through Environmental Design (CPTED) - An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.

  • Defense in Depth - Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4

  • Discretionary Access Control (DAC) - A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192

  • Encrypt - To protect private information by putting it into a form that can only be read by people who have permission to do so.

  • Firewalls - Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

  • Insider Threat - An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32

  • iOS - An operating system manufactured by Apple Inc. Used for mobile devices.

  • Layered Defense - The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth. 

  • Linux - An operating system that is open source, making its source code legally available to end users.

  • Log Anomaly - A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.

  • Logging - Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.

  • Logical Access Control Systems - An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev.5.

  • Mandatory Access Control - Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

  • Mantrap - An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.

  • Object - Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4

  • Physical Access Controls - Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

  • Principle of Least Privilege - The principle that users and programs should have only the minimum privileges necessary to complete their tasks. NIST SP 800-179

  • Privileged Account - An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4

  • Ransomware - A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid.

  • Role-based access control (RBAC) - An access control system that sets up user permissions based on roles.

  • Rule - An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.

  • Segregation of Duties - The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.

  • Subject - Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP 800-53 Rev 4

  • Technical Controls - The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

  • Turnstile - A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.

  • Unix - An operating system used in software development.

  • User Provisioning - The process of creating, maintaining and deactivating user identities on a system.

https://quizlet.com/ISC2Education/sets
