Security and Access control

Prepared By Miangul Shafiq Ahmad Jan

Contents:

• Basics of Information Security

• Understanding access control
• Components of access control
• Types of access control models
• Access control mechanism and technology
• Threats and challenges in access control
• Best Practices for Effective Access Control
• Case Studies in Access Control Failures
I. Basics of Information Security
1. What is Security?

o Security refers to the measures taken to protect information, resources, and systems from unauthorized
access, misuse, or damage. This is vital for organizations to prevent data breaches, fraud, and maintain trust
with users and customers.

2. The CIA Triad

o The CIA Triad is a foundational model in information security, representing three key principles:

▪ Confidentiality: Ensures that data is only accessible by authorized users.

▪ Integrity: Ensures that data remains accurate and unaltered by unauthorized sources.

▪ Availability: Ensures that data and resources are accessible to authorized users whenever needed

3. Importance of Access Control

o Access control is a critical aspect of security that directly impacts the confidentiality and integrity of data. It
helps prevent unauthorized access, restricts system usage, and protects sensitive information.
II. Understanding Access Control
Definition

o Access control is the process of regulating who or what can view or use resources in a
computing environment. It involves both identification and authorization to access
specific data or applications.

Objectives of Access Control

o Ensure that only authorized individuals can access or modify resources.

o Protect sensitive data from breaches.

o Monitor access to identify and address unauthorized access attempts.

III. Components of Access Control
1. Identification
o Identification is the process where users provide a unique identifier, like a username, to declare their identity
to a system.
2. Authentication
o Authentication is the process of verifying that a user's identity is legitimate, typically through:
▪ Something you know (e.g., password, PIN).
▪ Something you have (e.g., security token, smart card).
▪ Something you are (e.g., biometric data like fingerprints or facial recognition).
3. Authorization
o Authorization determines what an authenticated user is permitted to do on a system. Once users are
authenticated, the system checks their privileges or permissions before granting access to resources.
4. Accounting (or Auditing)
o Accounting tracks and records user activities, enabling the system to monitor access patterns and detect
unusual behavior. Logging access attempts, both successful and failed, is essential for troubleshooting and
forensic analysis.
IV. Types of Access Control Models
1. Discretionary Access Control (DAC)

o In DAC, the owner of a resource has the flexibility to set permissions for others. This approach is highly
customizable but can be prone to accidental or intentional unauthorized sharing.

2. Mandatory Access Control (MAC)

o In MAC, access decisions are based on rules set by a central authority. Users cannot alter permissions on files
or resources. Often used in high-security environments (e.g., military), MAC enforces strict controls based on
labels and classifications.

3. Role-Based Access Control (RBAC)

o In RBAC, access is granted based on the user's role within the organization, such as "admin," "manager," or
"user." This method simplifies permissions management and aligns with organizational hierarchy.

4. Attribute-Based Access Control (ABAC)

o ABAC uses policies that consider multiple attributes, such as user role, location, time of access, and data type.
It is more flexible and granular than RBAC and often used in complex and dynamic environments.
V. Access Control Mechanisms and Technologies
1. Passwords and PINs

o Strength: Simple and widely used.

o Weakness: Vulnerable to phishing, guessing, and brute-force attacks.

2. Two-Factor and Multi-Factor Authentication (2FA & MFA)

o Requires two or more authentication factors, greatly enhancing security.

o Examples: Password + OTP (One-Time Password), biometric + token.

3. Biometric Systems

o Includes fingerprint, retina scan, and facial recognition.

o Strengths: Harder to replicate; users do not need to remember anything.

• Weaknesses: Privacy concerns and risk of data theft

V. Access Control Mechanisms and Technologies (cont.)
4. Access Control Lists (ACLs)

o ACLs specify which users or groups can access certain resources and what actions they can perform.

o Common in network security, especially in controlling permissions in filesystems.

5. Firewalls and Network Security Controls

o Firewalls regulate traffic between trusted and untrusted networks based on predefined rules.

o Examples: Packet filtering, stateful inspection, proxy firewalls.

6. Encryption

o Encrypts data to make it unreadable without the decryption key. Even if unauthorized access occurs,
encrypted data remains secure.

o Common protocols include SSL/TLS for web traffic, AES for data encryption.
VI. Threats and Challenges in Access Control
1. Insider Threats
o Individuals within an organization, such as employees or contractors, may abuse their
access. Access control models must be designed to minimize the risk posed by insiders.
2. Phishing Attacks
o Phishing deceives users into revealing their credentials. Implementing 2FA can help
mitigate phishing risks.
3. Password Weaknesses
o Poor password hygiene, such as using weak or reused passwords, remains a significant
challenge.
4. Social Engineering
o Attackers manipulate users into revealing sensitive information. Training users to recognize
and resist social engineering tactics is critical.
VII. Best Practices for Effective Access Control
1. Principle of Least Privilege

o Users should have the minimum access necessary to perform their duties. This reduces the risk of accidental or
intentional misuse.

2. Regular Audits and Monitoring

o Auditing access logs helps detect unusual patterns, potential breaches, and enforce accountability.

3. Implementing Multi-Factor Authentication (MFA)

o Adding multiple layers of authentication significantly strengthens security, especially for sensitive systems.

4. Periodic Reviews of Access Rights

o Regularly reviewing and updating access rights helps ensure that only current employees retain access, while
former employees or role changes are accounted for.

5. Employee Training and Awareness

o Ensuring employees understand security policies and the importance of secure access controls reduces
vulnerability to social engineering and insider threats.
VIII. Case Studies in Access Control Failures
1. Equifax Data Breach (2017)

o One of the largest data breaches, due to unpatched software and weak access control,
exposed the personal information of 147 million people.

2. Target Data Breach (2013)

o Attackers gained access through a third-party vendor, highlighting the importance of

securing third-party access.

3. Capital One (2019)

o A misconfigured firewall led to a massive data breach, showing the importance of correctly
configuring access controls.