
Access control and what it eats

Information security problems are becoming more pressing in the IT world. The World Wide Web has become a global platform for exchanging and storing information, and the word "Internet" is familiar to everyone. Today it is hard to find a company that does not use Internet technologies, and all of its applications, gadgets and IoT devices are exposed to risk. This article therefore covers one of the basics of information security: access control.







I would like to discuss some seemingly obvious aspects of information security. Ironically, many people underestimate its importance or consider their existing measures sufficient. It is worth remembering the Dunning-Kruger effect: people with low competence in a field tend to draw wrong conclusions, and from those follow poor business decisions whose consequences they are unable to foresee. Information security is an area where nothing may be assumed and where acting "just for show" is unacceptable. It should be an end in itself, a lever in the business that minimizes losses and expenses and protects your data. The greatest danger to a company is the human factor: by skilfully manipulating an employee, an attacker can compromise your system. Unfortunately, there is a mistaken belief that strong technical protection (IDS, anti-fraud systems, antivirus, DLP, firewalls) makes a business safe. It does not. Our psychology is predictable, and in most cases our impulses, driven by fear and thoughtlessness, win. Take the banal e-mail attack: an employee receives a message saying that some system where he is registered has been compromised. The news frightens him, and he is more likely to click the link and hand his credentials to the attackers. It is therefore important both to configure access correctly and to raise employees' information security skills. A whole "science", social engineering, is devoted to that topic, but that is for another time; today we talk about organizing access control.


It is better to look at any task from several angles, and access control is no exception: installing antivirus and other protective tools is not enough. Logical reasoning suggests the following formula: a good access control system = administrative measures + technical measures + physical protection.



What do administrative measures include? It is quite simple: the proper organization of documentation in the information security management system. A good security policy, risk assessment methodologies, internal audits, procedures and personnel training all contribute to properly organized security in a business.



The most important things to reflect in the Security Policy are the company's goals and the policy's scope (which units it covers), together with the requirements of the business, partners and customers. A company should identify its information assets and classify those that require more careful handling by significance and value. Who has access to each asset, and who is responsible for implementing information security measures for it, can be recorded in a role table (the table lists the roles and who is responsible for what). Another important step is training: invite experts, or hire people who will teach your employees the rules of online safety (for example, what phishing is and how to recognize it, how to recognize a social engineer, and which sites are safe). These aspects matter a great deal, because the human factor is the most vulnerable link. Internal audits help you find the shortcomings of your information security management system, determine which departments are vulnerable and which units need further training, and understand whether the requirements set out in the Policy are being observed. It is important to select a competent auditor who will carefully check the state of your system for compliance with the rules. A risk assessment methodology lets you estimate the likelihood of particular threats, detect those already present, and choose further actions for handling the risks.



Technical measures include various software and hardware and information security services: password systems, firewalls, security scanners, secure protocols, operating systems and so on. Password systems need particular care: because they are always under attackers' scrutiny, they are the most exposed. Talking with a great many people, I have noticed how carelessly they treat password protection (inventing simple passwords, storing them in accessible places), not realizing how easily an attacker can crack them. Take brute force as an example. Suppose you did not put much imagination into your password and chose a common one; meanwhile an attacker who knows your e-mail address will run through various dictionaries, find a match and compromise your system. It is that simple. It is also worth remembering, and reminding employees, about phishing e-mails: do not open the links and enter your password; take a breath and figure out what is going on.
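The dictionary attack described above works because "common" passwords survive the small mutations people add to them. The following is an added example, not code from the article, of the check a password system can run at registration: it undoes those mutations before comparing against a wordlist. The wordlist here is a constructed mini dictionary; a real deployment would load the same lists crackers use.

```python
import re
from typing import Optional

# Constructed mini wordlist; in practice load a full cracking wordlist here.
DICTIONARY = {"password", "welcome", "qwerty", "letmein", "summer", "company", "dragon"}

# Common "leet" substitutions that dictionary rules try: p4ssw0rd -> password.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a candidate to the base word an attacker's rules would start from:
    lowercase, strip appended digits/symbols such as '2023!', strip leading
    symbols, then undo leet substitutions inside the word."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # trailing digits / punctuation
    p = re.sub(r"^[^a-z]+", "", p)   # leading punctuation
    return p.translate(LEET)


def reject_reason(password: str, email: str) -> Optional[str]:
    """Return why a password must be rejected, or None if it passes.
    Checks: minimum length, dictionary word under trivial mutations, and
    inclusion of the account name (the attacker knows the e-mail address)."""
    if len(password) < 12:
        return "too short"
    base = normalize(password)
    if base in DICTIONARY:
        return f"dictionary word '{base}' with trivial mutations"
    local_part = email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        return "contains the account name"
    return None
```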







The third component is physical protection: locks, dedicated guarding measures, video cameras, physical access control systems and so on.



I also want to focus on three access control methods. If your work involves secret or sensitive data, such as state secrets, pay attention to mandatory access control. Its distinguishing feature is hierarchy: a hierarchical security level is assigned to both subjects and objects. An object's security level reflects its value, and a security label is assigned to it accordingly.



A subject's security level reflects the degree of trust placed in an employee and his responsibility for the information. The operating system assigns the employee certain attributes, and on their basis he is granted access within his official authority.
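An added illustration (not the article's code) of the mandatory model just described: the system, not the owner, assigns a label to each object and a clearance to each subject, and an access decision is only a comparison of the two. The level ordering is constructed; the write rule is the Bell-LaPadula no-write-down rule, assumed here in addition to what the article states.

```python
from dataclasses import dataclass
from typing import Tuple

# Hierarchical security levels, lowest to highest (constructed ordering).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # degree of trust placed in the employee


@dataclass(frozen=True)
class Obj:
    name: str
    label: str       # security label reflecting the object's value


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b in the hierarchy."""
    return LEVELS[a] >= LEVELS[b]


def decide(subject: Subject, obj: Obj, op: str) -> Tuple[bool, str]:
    """Mandatory decision. Reading requires the subject's clearance to dominate
    the object's label (no read up). Writing requires the object's label to
    dominate the clearance (no write down), so secret content cannot flow into
    a less protected object. Neither party can override the labels."""
    if op == "read":
        ok = dominates(subject.clearance, obj.label)
    elif op == "write":
        ok = dominates(obj.label, subject.clearance)
    else:
        return False, f"unknown operation {op!r}"
    verdict = "allow" if ok else "deny"
    return ok, f"{verdict}: {subject.name}({subject.clearance}) {op} {obj.name}({obj.label})"
```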



The simplest and most widespread method is discretionary access control. Its essence is simple: the owner of an object decides who is granted access and in what form (read, write and so on). It can be implemented with access lists or an access matrix, but bear in mind that an employee with certain rights may pass your object on to someone else without notifying you. If you work with important information, treat this method with caution.
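An added example (not from the article) of a discretionary access matrix that shows the caveat above: once the owner hands out a "share" right, the holder can pass the object on and the owner is never consulted. The grant log and the audit helper are assumptions of this example; they are what lets an owner discover such delegations afterwards.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str, str, frozenset]   # (granter, grantee, object, rights)


class DacStore:
    """Discretionary access control as an access matrix:
    rows are subjects, columns are objects, cells are sets of rights."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.matrix: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        self.grant_log: List[Grant] = []

    def create(self, owner: str, obj: str) -> None:
        """The creator becomes owner and gets full rights, including 'share'."""
        self.owner[obj] = owner
        self.matrix[owner][obj] = {"read", "write", "share"}

    def has(self, subject: str, obj: str, right: str) -> bool:
        return right in self.matrix[subject][obj]

    def grant(self, granter: str, grantee: str, obj: str, rights: Set[str]) -> Set[str]:
        """Hand rights to another subject. The owner, or anyone holding 'share',
        may do this; nobody can give away more than they hold themselves.
        Note that the owner is NOT notified when a sharer re-grants."""
        if not (self.owner.get(obj) == granter or self.has(granter, obj, "share")):
            raise PermissionError(f"{granter} may not grant rights on {obj}")
        effective = set(rights) & self.matrix[granter][obj]
        self.matrix[grantee][obj] |= effective
        self.grant_log.append((granter, grantee, obj, frozenset(effective)))
        return effective

    def grants_not_by_owner(self, obj: str) -> List[Grant]:
        """Audit helper: delegations on obj made by someone other than its owner."""
        return [g for g in self.grant_log if g[2] == obj and g[0] != self.owner[obj]]


def demo() -> DacStore:
    """Constructed scenario: alice shares with bob, bob re-shares with carol."""
    store = DacStore()
    store.create("alice", "payroll.xlsx")
    store.grant("alice", "bob", "payroll.xlsx", {"read", "share"})
    store.grant("bob", "carol", "payroll.xlsx", {"read"})   # alice is never told
    return store
```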



Next, role-based access control. Here intermediate entities called roles sit between the system's users and their privileges. Each user may be assigned several roles, which provide access to the information he needs. This method curbs abuse of rights because it implements the principle of least privilege: an employee gets only the level of access that falls within his area of responsibility. It also implements separation of duties, which simplifies managing information assets. Its drawback is that it is hard and expensive to implement when there is a huge number of users and roles.
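An added example (not the article's code) of the role-based model with the two properties named above: permissions attach to roles rather than to people, a separation-of-duties rule blocks conflicting role combinations, and a least-privilege review flags roles a user never exercises. The role catalogue and conflict pairs are constructed.

```python
from typing import Dict, FrozenSet, Set

# Constructed role catalogue: each role bundles the permissions a job needs.
ROLE_PERMS: Dict[str, Set[str]] = {
    "payroll_clerk":    {"payroll:read", "payroll:edit"},
    "payroll_approver": {"payroll:read", "payroll:approve"},
    "helpdesk":         {"accounts:reset_password"},
}
# Role pairs no single user may hold together (separation of duties):
# whoever edits a payroll run must not be the one who approves it.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"payroll_clerk", "payroll_approver"})}


class Rbac:
    def __init__(self, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS) -> None:
        self.role_perms = role_perms
        self.conflicts = conflicts
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        """Give a user a role, refusing combinations that violate separation of duties."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        roles = self.user_roles.setdefault(user, set())
        for held in roles:
            if frozenset({held, role}) in self.conflicts:
                raise ValueError(f"SoD conflict: {user} holds {held}, cannot add {role}")
        roles.add(role)

    def permissions(self, user: str) -> Set[str]:
        """Effective permissions are the union over the user's roles;
        users never hold permissions directly."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, set())))

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def unused_roles(self, user: str, used_perms: Set[str]) -> Set[str]:
        """Least-privilege review: roles none of whose permissions appear in
        used_perms (e.g. actions seen in audit logs) are candidates for removal."""
        return {r for r in self.user_roles.get(user, set())
                if not self.role_perms[r] & used_perms}
```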



There are other methods, but I have covered the key ones. All the access control methods above are an important step in your company's security and deserve close attention.

Source: https://habr.com/ru/post/443026/


