Access Control, Authentication, and Public Key Infrastructure, 2nd Edition

Book description

PART OF THE JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES

Series meets all standards put forth by CNSS 4011 & 4013A!

Access controls protect resources against unauthorized viewing, tampering, or destruction. They serve as a primary means of ensuring privacy and confidentiality and of preventing unauthorized disclosure. Revised and updated with the latest data from this fast-paced field, Access Control, Authentication, and Public Key Infrastructure defines the components of access control, provides a business framework for implementation, and discusses the legal requirements that affect access control programs. It examines the risks, threats, and vulnerabilities prevalent in information systems and IT infrastructures and how to handle them. It provides a resource for students and professionals that details how to put access control systems to work and how to test and manage them.

New to the Second Edition:

Updated references to Windows 8 and Outlook 2011
A new discussion of recent Chinese hacking incidents
Examples depicting the risks associated with a missing unencrypted laptop containing private data
New sections on the Communications Assistance for Law Enforcement Act (CALEA) and on granting Windows folder permissions
New information on the Identity Theft Enforcement and Restitution Act and the Digital Millennium Copyright Act (DMCA)

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Acknowledgments
  7. About the author
  8. Dedication
  9. Part One The Need for Information Security
    1. Chapter 1 Access Control Framework
      1. Access and Access Control
        1. What Is Access?
        2. What Is Access Control?
      2. Principal Components of Access Control
        1. Access Control Systems
        2. Access Control Subjects
        3. Access Control Objects
      3. Access Control Process
        1. Identification
        2. Authentication
        3. Authorization
      4. Logical Access Controls
        1. Logical Access Controls for Subjects
        2. Group Access Controls
        3. Logical Access Controls for Objects
      5. Authentication Factors
        1. Something You Know
        2. Something You Have
        3. Something You Are
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 1 Assessment
    2. Chapter 2 Assessing Risk and Its Impact on Access Control
      1. Definitions and Concepts
      2. Threats and Vulnerabilities
        1. Access Control Threats
        2. Access Control Vulnerabilities
      3. Risk Assessment
        1. Quantitative Risk Assessment
        2. Qualitative Risk Assessment
        3. Risk Management Strategies
      4. Value, Situation, and Liability
        1. Potential Liability and Non-Financial Impact
        2. Where Are Access Controls Needed Most?
        3. How Secure Must the Access Control Be?
        4. The Utility of Multilayered Access Control Systems
      5. Case Studies and Examples
        1. Private Sector
        2. Public Sector
        3. Critical Infrastructure
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 2 Assessment
    3. Chapter 3 Business Drivers for Access Controls
      1. Business Requirements for Asset Protection
        1. Importance of Policy
        2. Senior Management Role
      2. Classification of Information
        1. Classification Schemes
        2. Personally Identifiable Information (PII)
        3. Privacy Act Information
      3. Competitive Use of Information
        1. Valuation of Information
      4. Business Drivers
        1. Cost-Benefit Analysis
        2. Risk Assessment
        3. Business Facilitation
        4. Cost Containment
        5. Operational Efficiency
        6. IT Risk Management
      5. Controlling Access and Protecting Value
        1. Importance of Internal Access Controls
        2. Importance of External Access Controls
        3. Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties
      6. Examples of Access Control Successes and Failures in Business
        1. Case Study in Access Control Success
        2. Case Study in Access Control Failure
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 3 Assessment
    4. Chapter 4 Access Control Policies, Standards, Procedures, and Guidelines
      1. U.S. Compliance Laws and Regulations
        1. Gramm-Leach-Bliley Act (GLBA)
        2. Health Insurance Portability and Accountability Act (HIPAA)
        3. Sarbanes-Oxley (SOX) Act
        4. Family Educational Rights and Privacy Act (FERPA)
        5. Communications Assistance for Law Enforcement Act (CALEA)
        6. Children’s Internet Protection Act (CIPA)
        7. 21 CFR Part 11
        8. North American Electric Reliability Council (NERC)
        9. Homeland Security Presidential Directive 12 (HSPD 12)
      2. Access Control Security Policy Best Practices
        1. Private Sector—Enterprise Organizations
        2. Public Sector—Federal, State, County, and City Government
        3. Critical Infrastructure, Including Utilities and Transportation
      3. IT Security Policy Framework
        1. What Policies Are Needed for Access Controls?
        2. What Standards Are Needed to Support These Policies?
        3. What Procedures Are Needed to Implement These Policies?
        4. What Guidelines Are Needed for Departments and End Users?
      4. Examples of Access Control Policies, Standards, Procedures, and Guidelines
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 4 Assessment
      8. Endnote
    5. Chapter 5 Security Breaches and the Law
      1. Laws to Deter Information Theft
        1. U.S. Federal Laws
        2. State Laws
      2. Cost of Inadequate Front-Door and First-Layer Access Controls
      3. Access Control Failures
        1. People
        2. Technology
      4. Security Breaches
        1. Kinds of Security Breaches
        2. Why Security Breaches Occur
        3. Implications of Security Breaches
        4. Private Sector Case Studies
        5. Public Sector Case Study
        6. Critical Infrastructure Case Study
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 5 Assessment
  10. Part Two Mitigating Risk with Access Control Systems, Authentication, and PKI
    1. Chapter 6 Mapping Business Challenges to Access Control Types
      1. Access Controls to Meet Business Needs
        1. Business Continuity
        2. Risk and Risk Mitigation
        3. Threats and Threat Mitigation
        4. Vulnerabilities and Vulnerability Management
      2. Solving Business Challenges with Access Control Strategies
        1. Employees with Access to Systems and Data
        2. Employees with Access to Sensitive Systems and Data
        3. Administrative Strategies
        4. Technical Strategies
        5. Separation of Responsibilities
        6. Least Privilege
        7. Need to Know
        8. Input/Output Controls
      3. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      4. Chapter Summary
      5. Key Concepts and Terms
      6. Chapter 6 Assessment
    2. Chapter 7 Human Nature and Organizational Behavior
      1. The Human Element
        1. Dealing with Human Nature
        2. Pre-Employment Background Checks for Sensitive Positions
        3. Ongoing Observation of Personnel
      2. Organizational Structure and Access Control Strategy
      3. Job Rotation and Position Sensitivity
      4. Requirement for Periodic Vacation
      5. Separation of Duties
        1. Concept of Two-Person Control
        2. Collusion
        3. Monitoring and Oversight
      6. Responsibilities of Access Owners
      7. Training Employees
        1. Acceptable Use Policy
        2. Security Awareness Policy
      8. Ethics
        1. What Is Right and What Is Wrong
        2. Enforcing Policies
        3. Human Resources Involvement
      9. Best Practices for Handling Human Nature and Organizational Behavior
        1. Make Security Practices Common Knowledge
        2. Foster a Culture of Open Discussion
        3. Encourage Creative Risk-Taking
      10. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 7 Assessment
    3. Chapter 8 Access Control for Information Systems
      1. Access Control for Data
        1. Data at Rest
        2. Data in Motion
        3. Object-Level Security
      2. Access Control for File Systems
        1. Access Control List
        2. Discretionary Access Control List
        3. System Access Control List
      3. Access Control for Executables
        1. Delegated Access Rights
      4. Microsoft Windows Workstations and Servers
        1. Granting Windows Folder Permissions
        2. Domain Administrator Rights
        3. Super Administrator Rights
      5. UNIX and Linux
        1. UNIX and Linux File Permissions
        2. Linux Intrusion Detection System (LIDS)
        3. The Root Superuser
      6. Supervisory Control and Data Acquisition (SCADA) and Process Control Systems
      7. Best Practices for Access Controls for Information Systems
      8. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 8 Assessment
    4. Chapter 9 Physical Security and Access Control
      1. Physical Security
      2. Designing a Comprehensive Plan
        1. Building Security and Access
        2. Points of Entry and Exit
        3. Physical Obstacles and Barriers
        4. Granting Access to Physical Areas Within a Building
      3. Biometric Access Control Systems
        1. Principles of Operation
        2. Types of Biometric Systems
        3. Implementation Issues
        4. Modes of Operation
        5. Biometric System Parameters
        6. Legal and Business Issues
      4. Technology-Related Access Control Solutions
        1. Physical Locks
        2. Electronic Key Management System (EKMS)
        3. Fobs and Tokens
        4. Common Access Cards
      5. Outsourcing Physical Security—Pros and Cons
        1. Benefits of Outsourcing Physical Security
        2. Risks Associated with Outsourcing Physical Security
      6. Best Practices for Physical Access Controls
      7. Case Studies and Examples
        1. Private Sector—Case Studies and Examples
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 9 Assessment
    5. Chapter 10 Access Control in the Enterprise
      1. Access Control Lists (ACLs) and Access Control Entries (ACEs)
      2. Access Control Models
        1. Discretionary Access Control (DAC)
        2. Mandatory Access Control (MAC)
        3. Role-Based Access Control (RBAC)
        4. Attribute-Based Access Control (ABAC)
      3. Authentication Factors
        1. Types of Factors
        2. Factor Usage Criteria
      4. Kerberos
        1. How Does Kerberos Authentication Work?
        2. Use of Symmetric Key and Trusted Third Parties for Authentication
        3. Key Distribution Center (KDC)
        4. Authentication Tickets
        5. Principal Weaknesses
        6. Kerberos in a Business Environment
      5. Network Access Control
        1. Layer 2 Techniques
        2. Layer 3 Techniques
        3. CEO/CIO/CSO Emergency Disconnect Prime Directive
      6. Wireless IEEE 802.11 LANs
        1. Access Control to IEEE 802.11 WLANs
        2. Identification
        3. Confidentiality
        4. Authorization
      7. Single Sign-On (SSO)
        1. Defining the Scope for SSO
        2. Configuring User and Role-Based User Access Control Profiles
        3. Common Configurations
        4. Enterprise SSO
      8. Best Practices for Handling Access Controls in an Enterprise Organization
      9. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 10 Assessment
  11. Part Three Implementing, Testing, and Managing Access Control Systems
    1. Chapter 11 Access Control System Implementations
      1. Transforming Access Control Policies and Standards into Procedures and Guidelines
        1. Transform Policy Definitions into Implementation Tasks
        2. Follow Standards Where Applicable
        3. Create Simple and Easy-to-Follow Procedures
        4. Define Guidelines That Departments and Business Units Can Follow
      2. Identity Management and Access Control
        1. User Behavior, Application, and Network Analysis
      3. Size and Distribution of Staff and Assets
      4. Multilayered Access Control Implementations
        1. User Access Control Profiles
        2. Systems Access
        3. Applications Access
        4. File and Folder Access
        5. Data Access
      5. Access Controls for Employees, Remote Employees, Customers, and Business Partners
        1. Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
        2. Intranets—Internal Business Operations and Communications
        3. Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
        4. Secure E-commerce Portals with Encryption
        5. Secure Online Banking Access Control Implementations
        6. Logon/Password Access
        7. Identification Imaging and Authorization
      6. Best Practices for Access Control Implementations
      7. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Example
        3. Critical Infrastructure Case Study
      8. Chapter 11 Summary
      9. Key Concepts and Terms
      10. Chapter 11 Assessment
    2. Chapter 12 Access Control Solutions for Remote Workers
      1. Growth in Mobile Work Force
      2. Remote Access Methods and Techniques
        1. Identification
        2. Authentication
        3. Authorization
      3. Access Protocols to Minimize Risk
        1. Authentication, Authorization, and Accounting (AAA)
        2. Remote Authentication Dial In User Service (RADIUS)
        3. Remote Access Server (RAS)
        4. TACACS, XTACACS, and TACACS+
        5. Differences Between RADIUS and TACACS+
      4. Remote Authentication Protocols
      5. Virtual Private Networks (VPNs)
      6. Web Authentication
        1. Knowledge-Based Authentication (KBA)
      7. Best Practices for Remote Access Controls to Support Remote Workers
      8. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 12 Assessment
    3. Chapter 13 Public Key Infrastructure and Encryption
      1. Public Key Infrastructure (PKI)
        1. What Is PKI?
        2. Encryption and Cryptography
        3. Business Requirements for Cryptography
        4. Digital Certificates and Key Management
        5. Symmetric Versus Asymmetric Algorithms
        6. Certificate Authority (CA)
      2. Ensuring Integrity, Confidentiality, Authentication, and Non-Repudiation
        1. Use of Digital Signatures
      3. What PKI Is and What It Is Not
      4. What Are the Potential Risks Associated with PKI?
      5. Implementations of Business Cryptography
        1. Distribution
        2. In-House Key Management Versus Outsourced Key Management
      6. Certificate Authorities (CA)
        1. Why Outsourcing to a CA May Be Advantageous
        2. Risks and Issues with Outsourcing to a CA
      7. Best Practices for PKI Use Within Large Enterprises and Organizations
      8. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Example
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 13 Assessment
    4. Chapter 14 Testing Access Control Systems
      1. Purpose of Testing Access Control Systems
      2. Software Development Life Cycle and the Need for Testing Software
        1. Planning
        2. Requirements Analysis
        3. Software Design
        4. Development
        5. Testing and Integration
        6. Release and Training
        7. Support
      3. Security Development Life Cycle and the Need for Testing Security Systems
        1. Initiation
        2. Acquisition and Development
        3. Implementation and Testing
        4. Operations and Maintenance
        5. Sunset or Disposal
      4. Information Security Activities
        1. Requirements Definition—Testing the Functionality of the Original Design
        2. Development of Test Plan and Scope
        3. Selection of Penetration Testing Teams
      5. Performing the Access Control System Penetration Test
        1. Assess if Access Control System Policies and Standards Are Followed
        2. Assess if the Security Baseline Definition Is Being Achieved Throughout
        3. Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
      6. Preparing the Final Test Report
        1. Identify Gaps and Risk Exposures and Assess Impact
        2. Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
        3. Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 14 Assessment
    5. Chapter 15 Access Control Assurance
      1. What Is Information Assurance?
        1. C-I-A Triad
        2. The Five Pillars
        3. Parkerian Hexad
      2. How Can Information Assurance Be Applied to Access Control Systems?
        1. Access Controls Enforce Confidentiality
        2. Access Controls Enforce Integrity
        3. Access Controls Enforce Availability
        4. Training and Information Assurance Awareness
      3. What Are the Goals of Access Control System Monitoring and Reporting?
      4. What Checks and Balances Can Be Implemented?
        1. Track and Monitor Event-Type Audit Logs
        2. Track and Monitor User-Type Audit Logs
        3. Track and Monitor Unauthorized Access Attempts Audit Logs
      5. Audit Trail and Audit Log Management and Parsing
      6. Audit Trail and Audit Log Reporting Issues and Concerns
      7. Security Information and Event Management (SIEM)
      8. Best Practices for Performing Ongoing Access Control System Assurance
      9. Case Studies and Examples
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 15 Assessment
  12. Appendix A Answer Key
  13. Appendix B Standard Acronyms
  14. Glossary of Key Terms
  15. References
  16. Index

Product information

  • Title: Access Control, Authentication, and Public Key Infrastructure, 2nd Edition
  • Author(s): Mike Chapple, Bill Ballad, Tricia Ballad, Erin Banks
  • Release date: August 2013
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284031607