Question
Instructions: Answer all questions in a single document. Then submit to the appropriate assignment folder. Each response to a single essay question should be about a half-page in length (about 150 words). PLEASE CITE YOUR WORK IN APA.
1. Access controls are security features that are usually considered the first line of defense in asset protection. They are used to dictate how subjects access objects, and their main goal is to protect the objects from unauthorized access. Access control models are frameworks that use access controls to enforce the rules and objectives of the model. In your essay response, compare the different Access Control Models and give an example of one that you have used in a work situation or if that is not possible, one that you’ve read about in a scholarly article.
2. Relying on a password to secure access to a system does not provide enough security in today’s complex world. The Office of Personnel Management learned this the hard way in 2015. Since OPM was hacked and it was learned that the attackers compromised their system administrator accounts that were protected only with passwords, the Federal government has required the use of multifactor authentication for privileged accounts. Describe the three factors that can be used in authentication and give at least two examples for each.
3. There are two main methods of access control administration that an organization can choose between to achieve the level of protection that they need to secure their assets and information: centralized and decentralized. Describe the RADIUS, TACACS, and DIAMETER forms of centralized access control administration. What are the advantages and disadvantages of decentralized administration?
Explanation / Answer
The three answers required are given below:
1. Access Control models:
Access control is basically identifying a person doing a specific job, authenticating them by looking at their identification, then giving that person only the key to the door or computer that they need access to and nothing more. In the world of information security, one would look at this as granting an individual permission to get onto a network via a user-name and password, allowing them access to files, computers, or other hardware or software the person requires, and ensuring they have the right level of permission (i.e. read only) to do their job. So, how does one grant the right level of permission to an individual so that they can perform their duties? This is where access control models come into the picture.
Access control models have four flavors: Mandatory Access Control (MAC), Role Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule Based Access Control (RBAC or RB-RBAC). Let’s look at each of these and what they entail.
The Mandatory Access Control, or MAC, model gives only the owner and custodian management of the access controls. This means the end user has no control over any settings that provide any privileges to anyone. Now, there are two security models associated with MAC: Biba and Bell-LaPadula. The Biba model is focused on the integrity of information, whereas the Bell-LaPadula model is focused on the confidentiality of information. Biba is a setup where a user with low level clearance can read higher level information (called “read up”) and a user with high level clearance can write for lower levels of clearance (called “write down”). The Biba model is typically utilized in businesses where employees at lower levels can read higher level information and executives can write to inform the lower level employees.
Bell-LaPadula, on the other hand, is a setup where a user at a higher level (i.e. Top Secret) can only write at that level and no lower (called “write up”), but can also read at lower levels (called “read down”). Bell-LaPadula was developed for governmental and/or military purposes where if one does not have the correct clearance level and does not need to know certain information, they have no business with the information. At one time, MAC was associated with a numbering system which would assign a level number to files and level numbers to employees. This system made it so that if a file (i.e. myfile.ppt) is level 400, another file (i.e. yourfile.docx) is level 600 and the employee had a level of 500, the employee would not be able to access “yourfile.docx” due to the higher level (600) associated with the file. MAC is the highest access control there is and is utilized in military and/or government settings utilizing the classifications of Classified, Secret, and Unclassified in place of the numbering system previously mentioned.
The Role Based Access Control, or RBAC, model provides access control based on the position an individual fills in an organization. So, instead of assigning John permissions as a security manager, the position of security manager already has permissions assigned to it. In essence, John would just need access to the security manager profile. RBAC makes life easier for the system administrator of the organization. The big issue with this access control model is that if John requires access to other files, there has to be another way to do it since the roles are only associated with the position; otherwise, security managers from other organizations could possibly get access to files they are unauthorized for.
The Discretionary Access Control, or DAC, model is the least restrictive model compared to the most restrictive MAC model. DAC allows an individual complete control over any objects they own along with the programs associated with those objects. This gives DAC two major weaknesses. First, it gives the end user complete control to set security level settings for other users which could result in users having higher privileges than they’re supposed to. Secondly, and worse, the permissions that the end user has are inherited into other programs they execute. This means the end user can execute malware without knowing it and the malware could take advantage of the potentially high level privileges the end user possesses.
The fourth and final access control model is Rule Based Access Control, also with the acronym RBAC or RB-RBAC. Rule Based Access Control will dynamically assign roles to users based on criteria defined by the custodian or system administrator. For example, if someone is only allowed access to files during certain hours of the day, Rule Based Access Control would be the tool of choice. The additional “rules” of Rule Based Access Control requiring implementation may need to be “programmed” into the network by the custodian or system administrator in the form of code versus “checking the box.”
Now that I have covered access control and its models, let me tell you how they are logically implemented.
[Source: "Access Control: Models and Methods" (2012, November 28). Retrieved from http://resources.infosecinstitute.com/access-control-models-and-methods/#gref]
2. The three factors of 3FA authentication with examples:
[Source: M. Rouse, "three-factor authentication (3FA)". Retrieved from http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA]
3A. RADIUS, TACACS, and DIAMETER:
RADIUS, TACACS, and DIAMETER are classified as authentication, authorization, and accounting (AAA) servers. The Internet Engineering Task Force (IETF) chartered an AAA Working Group in 1998 to develop the authentication, authorization, and accounting requirements for network access. The goal was to produce a base protocol that supported a number of different network access models, including traditional dial-in network access servers (NAS), Mobile-IP, and roaming operations (ROAMOPS). The group was to build upon the work of existing access providers like Livingston Enterprises.
Livingston Enterprises originally developed RADIUS (Remote Authentication Dial-in User Service) for their line of network access servers (NAS) to assist timeshare and Internet service providers with billing information consolidation and connection configuration. Livingston based RADIUS on the IETF distributed security model and actively promoted it through the IETF Network Access Server Requirements Working Group in the early 1990s. The client/server design was created to be open and extensible so it could be easily adapted to work with other third-party products. At this writing, RADIUS version 2 was a proposed IETF standard managed by the RADIUS Working Group.
The origin of the Terminal Access Controller Access Control System (TACACS) daemon used in the early days of ARPANET is unknown. Cisco Systems adopted the protocol to support AAA services on its products in the early 1990s. Cisco extended the protocol to enhance security and support additional types of authentication requests and response codes. They named the new protocol TACACS+. The current version of the TACACS specification is a proposed IETF Standard (RFC 1492) managed by the Network Working Group. It was developed with the assistance of Cisco Systems.
Pat Calhoun (Sun Laboratories) and Allan Rubens (Ascend Communications) proposed the DIAMETER AAA framework as a draft standard to the IETF in 1998. The name DIAMETER is not an acronym but rather a play on the RADIUS name. DIAMETER was designed from the ground up to support roaming applications and to overcome the extension limitations of the RADIUS and TACACS protocols. It provides the base protocols required to support any number of AAA extensions, including NAS, Mobile-IP, host, application, and Web-based requirements. At this writing, DIAMETER consisted of eight IETF draft proposals, authored by twelve different contributors from Sun, Microsoft, Cisco, Nortel, and others. Pat Calhoun continues to coordinate the DIAMETER effort.
[Source: B. Stackpole, "CENTRALIZED AUTHENTICATION SERVICES (RADIUS, TACACS, DIAMETER)". Retrieved from https://pdfs.semanticscholar.org/385d/c1ec37b14e4a366d737eb0e69c24413368aa.pdf]
3B. Advantages and disadvantages of decentralized authentication system:
[Source: Piltzecker T., "Access Control Methodologies". Retrieved from http://flylib.com/books/en/4.283.1.15/1/]
[Source: "Access Control Methodologies" (10-12-04). Retrieved from http://flylib.com/books/en/4.283.1.15/1/]
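The MAC discussion in answer 1 (Biba "read up / write down", Bell-LaPadula "read down / write up", and the 400/500/600 numbering example) as a runnable check; this is an added example, not part of the original answer, and the user and file names are constructed.

```python
"""Mandatory access control checks for the two MAC security models in answer 1.

Added example, not from the original answer. Levels are plain integers (the
"numbering system" the answer mentions): a higher number is a higher clearance
or classification. File and user names below are constructed sample data.
"""

# Constructed sample data reproducing the answer's numeric example.
FILE_LEVELS = {"myfile.ppt": 400, "yourfile.docx": 600}
USER_LEVELS = {"employee": 500}


def bell_lapadula_allows(subject_level: int, object_level: int, op: str) -> bool:
    """Confidentiality model: read down and write up only.

    simple security property: no read up   (read needs subject >= object)
    star property:            no write down (write needs subject <= object)
    """
    if op == "read":
        return subject_level >= object_level
    if op == "write":
        return subject_level <= object_level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: int, object_level: int, op: str) -> bool:
    """Integrity model: the mirror image of Bell-LaPadula (read up, write down).

    simple integrity property: no read down (read needs subject <= object)
    star integrity property:   no write up  (write needs subject >= object)
    """
    if op == "read":
        return subject_level <= object_level
    if op == "write":
        return subject_level >= object_level
    raise ValueError(f"unknown operation {op!r}")


def check(model, user: str, filename: str, op: str) -> bool:
    """Resolve levels and ask the chosen model; unknown names are denied (fail closed)."""
    try:
        return model(USER_LEVELS[user], FILE_LEVELS[filename], op)
    except KeyError:
        return False


if __name__ == "__main__":
    for name in FILE_LEVELS:
        for op in ("read", "write"):
            print(f"BLP  employee {op:5} {name:14}: {check(bell_lapadula_allows, 'employee', name, op)}")
            print(f"Biba employee {op:5} {name:14}: {check(biba_allows, 'employee', name, op)}")
```

Under Bell-LaPadula the level-500 employee can read myfile.ppt (400) but not yourfile.docx (600), exactly the outcome the answer describes; swapping in the Biba model inverts every decision.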