CompTIA Security Plus Unit 2

Uploaded by cissp4all

Identification and Authentication

Integration of AAA

Identification: The act of making a claim about an identity using unique identifiers like usernames or email addresses. Example: A user enters their username or email address on a login screen.

Authentication: Proves the identity of the user or device. Example: A user logs in with a password or biometric scan.

Authorization: Determines the resources a user can access based on their identity. Example: A user with a verified identity is granted access to specific network drives and applications.

Accounting: Monitors and logs user activities to provide an audit trail. Example: Logging user activities such as login times, accessed resources, and changes made.

Practical Examples

Physical World Example

Identification: A person makes a claim about their identity. Example: A person tells a bank teller, "Hello, my name is John Doe."

Authentication: The process of authenticating the claimed identity. Example: The bank teller asks for a driver's license to verify the person's identity.

Authorization: Grants access based on authenticated identity. Example: The bank teller verifies the ID and allows the person to withdraw money.

Accounting: Tracks and logs the transaction for future reference. Example: The bank records the transaction details, including the amount withdrawn and the time.

Digital World Example

Identification: Users claim their identity with unique identifiers. Example: A user enters their username or email address on a login page.

Authentication: Users authenticate their identity using various means. Example: The user enters their password to log in.

Authorization: Grants access to resources based on the authenticated identity. Example: The user can access their email account and specific folders on the company's network.

Accounting: Tracks and records user activities, creating an audit trail. Example: The system logs the user's login time, accessed files, and any changes made.

Comparing Authentication Factors

Authentication factors are different methods used to verify a user's identity. They are grouped
into categories to better describe their mechanisms and effectiveness. Some factors provide
stronger assurances of a user’s identity than others, and many highly secure systems require
the use of more than one factor to complete the authentication process.

Authentication Factors

Something You Know: Knowledge-based authentication, typically referring to a shared secret. This is the least secure form of authentication because knowledge can be stolen. Examples: Passwords, PINs.

Something You Have: Possession-based authentication, which relies on something the user physically possesses. Examples: Smart cards, phones, USB tokens.

Something You Are: Biometric authentication, which uses unique physical characteristics. Examples: Fingerprints, facial recognition, retina scans.

Somewhere You Are: Location-based authentication, which verifies identity based on the user's location. Note: This is usually an additional assurance rather than a standalone factor. Examples: Access granted only from specific geographic locations like home or office.

Best practice recommendations related to passwords have changed over the years. NIST SP 800-63B, "Digital Identity Guidelines," recommends users create easy-to-remember and hard-to-guess passwords.

Authentication Factor Details

Something You Know

Definition: Typically refers to a shared secret used for authentication. Examples: Passwords, PINs.

Security Considerations: Least secure form due to the possibility of being stolen or guessed. Example: If an attacker discovers a user's password, they can impersonate the user.

Best Practices: Recommendations for creating strong passwords and policies to enhance security. Examples:
- Hash all passwords.
- Require multi-factor authentication.
- Avoid mandatory password resets.
- Enforce minimum length and complexity.
- Prevent use of common passwords.
- Do not reuse passwords across multiple sites.
- Allow but do not require special characters.

Password Hashing

Multi-Factor Authentication

Something You Have

Definition: Relies on an object the user possesses for authentication. Examples: Smart cards, phones, USB tokens.

Security Considerations: Provides stronger security as it requires possession of a physical item. Example: Losing the physical item (e.g., smart card) can result in temporary loss of access until replaced.

Best Practices: Ensuring physical security and proper management of the authentication items. Examples:
- Issue devices through secure channels.
- Regularly update and replace tokens and devices.
- Use tamper-resistant devices.

Something You Are

Definition: Uses biometric data unique to the individual for authentication. Examples: Fingerprints, facial recognition, retina scans.

Security Considerations: Highly secure as it relies on unique physical characteristics, though it may have privacy and accuracy concerns. Examples:
- Biometrics are difficult to forge but can raise privacy issues.
- False positives/negatives can occur.

Best Practices: Implementing systems that accurately and securely capture and store biometric data. Examples:
- Use high-quality sensors.
- Securely store biometric data.
- Ensure compliance with privacy regulations.

Somewhere You Are

Definition: Verifies identity based on the user's geographic location, typically used as an additional assurance. Example: Access restricted to specific locations like home or office.

Security Considerations: Not strong on its own; usually combined with other factors for better security. Examples:
- Can be bypassed by location spoofing.
- Not reliable as the sole authentication method.

Best Practices: Using in combination with other authentication factors to enhance security. Examples:
- Combine with "something you know" or "something you have" for multi-factor authentication.
- Use geofencing.

Password Policies and Best Practices

Password Length and Complexity

Password Length: Longer passwords are harder to guess due to the increased number of possible combinations. Example: A password with eight lowercase letters has over 200 billion possible combinations.

Password Complexity: Including different character types increases the number of possible values for each character, making passwords harder to guess. Example: Using uppercase letters, lowercase letters, numbers, and special characters.

Best Practices: Ensuring passwords are long enough and complex enough to provide security without being overly difficult to remember. Examples:
- Minimum eight characters.
- Mix of character types (uppercase, lowercase, numbers, special characters).

Password Expiration/Age

Password Expiration: Users are required to change their passwords after a certain period. Example: Users must change their passwords every 60 days.

Modern Best Practices: Recent recommendations suggest not enforcing regular password changes, to encourage stronger, more memorable passwords. Example: Allowing users to keep their passwords indefinitely if multi-factor authentication is used.

Password History and Password Reuse

Password History: Remembers past passwords to prevent users from reusing them too soon. Example: Prevents reusing the last 24 passwords.

Password Reuse: Discourages reusing the same passwords to enhance security. Example: A minimum password age setting prevents quick cycling through passwords to reuse the original.

Password Managers

Password Managers: Tools that store and manage passwords in an encrypted format, reducing the need to remember multiple passwords. Examples: Google Chrome's built-in password manager, standalone password vault applications.

Best Practices: Ensuring password managers use strong encryption and are backed up securely. Examples:
- Use a strong master password.
- Regularly update the password manager.
- Back up password vaults securely.

Knowledge-Based Authentication (KBA)

Static KBA: Uses pre-set questions and answers to verify identity, typically for password recovery. Examples: Questions like "What is your mother's maiden name?" or "What was your first pet's name?"

Dynamic KBA: Uses questions generated in real time from public and private data sources to verify identity, typically for high-risk transactions. Examples: Questions like "Which of these addresses have you lived at?" or "What is the amount of your mortgage payment?"

Identity Proofing: Confirms a new user's identity during account creation. Example: Verifying personal information through dynamic KBA questions when creating a new account.

Implementing Account Lockout Policies

Account lockout policies are designed to prevent unauthorized access by locking accounts after
a specified number of failed login attempts. This helps in thwarting brute force and dictionary
attacks.

Account Lockout Policies

Account Lockout Threshold: The maximum number of failed login attempts before the account is locked. Example: If a user enters the wrong password five times, the account is locked.

Account Lockout Duration: The duration for which the account remains locked before it is automatically unlocked. Example: The account is locked for 30 minutes after reaching the lockout threshold.
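The two policy settings above, threshold and duration, are simple to state but easy to get wrong in code (for instance, checking the password before checking the lock). The following Python class is an added example, not code from the original notes, that enforces a five-failure threshold and a 30-minute lockout with an explicit clock so the behaviour can be tested deterministically. The counter-reset window and the plaintext credential table are assumptions made for the example; a real system would compare against stored hashes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Policy values from the notes: lock after five failures, stay locked for 30 minutes.
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)
# Assumption not stated in the notes: failures older than this window no longer count,
# so an occasional typo weeks apart does not accumulate toward a lockout.
COUNTER_RESET_WINDOW = timedelta(minutes=30)


@dataclass
class AccountState:
    failed_attempts: int = 0
    first_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Tracks failed logins per username and enforces threshold and duration."""

    def __init__(self, credentials: Dict[str, str]):
        # Constructed plaintext credentials for the example only; a real system checks hashes.
        self._credentials = credentials
        self._state: Dict[str, AccountState] = {}

    def state(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.state(user)
        return st.locked_until is not None and now < st.locked_until

    def attempt_login(self, user: str, password: str, now: datetime) -> str:
        """Return 'success', 'failure' or 'locked'."""
        st = self.state(user)

        # A locked account is refused before the password is even checked, so a
        # brute-force run gains nothing from continuing to guess during the window.
        if self.is_locked(user, now):
            return "locked"

        # Lockout duration elapsed: automatic unlock with a fresh counter.
        if st.locked_until is not None:
            st = self._state[user] = AccountState()

        # Stale failures fall out of the counter.
        if st.first_failure is not None and now - st.first_failure > COUNTER_RESET_WINDOW:
            st.failed_attempts, st.first_failure = 0, None

        # Unknown usernames take the same path as wrong passwords, so the response
        # does not reveal which usernames exist.
        if self._credentials.get(user) == password:
            self._state[user] = AccountState()
            return "success"

        st.failed_attempts += 1
        if st.first_failure is None:
            st.first_failure = now
        if st.failed_attempts >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failure"
```

Note that during the lockout window even the correct password is refused; that is what makes the control effective against password guessing, and also why the threshold should not be set so low that ordinary typos lock users out.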

Changing Default Passwords

Changing default passwords is a fundamental security practice to prevent unauthorized access. Many devices and systems come with default passwords that should be changed before being connected to a network.

Changing Default Passwords

Default Accounts: Default accounts often have default passwords that should be changed to prevent unauthorized access. Example: Changing the default password "admin" on a wireless router to a unique, strong password.

Administrator Account: Changing the default name of the Administrator account to something less obvious. Example: Renaming the "Administrator" account to "Not4U2Know" to reduce the chances of successful attacks.

Training Users About Password Behaviors

User training on password security is essential to ensure they understand the importance of
strong passwords and the risks associated with poor password practices.

Training Users

Password Creation: Training users to create strong, unique passwords that are difficult to guess. Example: Encouraging users to create passphrases like "ICanCountTo6" instead of simple passwords like "123456".

Password Security: Educating users on not reusing passwords across multiple systems and never sharing their passwords. Example: Advising users to use different passwords for their work accounts and personal accounts.

Something You Have

The "something you have" authentication factor involves physical items used for authentication.
These items include smart cards, security keys, and tokens.

Smart Card Authentication

Smart Card: A card with an embedded microchip and certificate used for authentication. Example: Using a smart card to log into a secure network.

Embedded Certificate: Holds a user's private key and is matched with a public key for secure authentication. Example: The smart card contains a digital certificate for secure login.

Public Key Infrastructure (PKI): Supports issuing and managing certificates. Example: The smart card relies on PKI to function effectively.

Security Keys

Security Key: An electronic device used to authenticate to systems, often connected via USB or wirelessly. Example: A security key attached to a keychain used for two-factor authentication.

Cryptographic Information: Contains information that completes the authentication process. Example: A security key that uses a cryptographic process to authenticate.

Hard Tokens and Soft Tokens

Hard Token: A physical device that displays a one-time password (OTP) for authentication. Example: A hardware token with an LCD displaying a one-time password.

Soft Token: An application on a smartphone that generates OTPs for authentication. Example: The Google Authenticator app displaying a one-time password.

HOTP and TOTP

HOTP: The HMAC-based One-Time Password algorithm changes codes based on a moving counter. Example: Pressing a button on a token to generate the next password.

TOTP: The Time-based One-Time Password algorithm changes codes based on the current time. Example: A token that generates a new password every 30-60 seconds.

SMS/Push Notifications

SMS: Sends one-time passwords via text message, though it has vulnerabilities. Example: Receiving a verification code via SMS.

Push Notifications: Sends a request to a registered device, asking the user to approve or decline access. Example: Receiving a push notification on a smartphone to approve a login attempt.

Something You Are

The "something you are" authentication factor uses biometrics to verify identity. Biometrics are
considered the strongest form of authentication.

Biometric Methods

Fingerprints: Scanning and recognizing a fingerprint. Example: Using a fingerprint scanner to unlock a laptop.

Vein Matching: Identifying individuals based on vein patterns using near-infrared light. Example: Using a palm vein scanner in a healthcare system.

Retina Imaging: Scanning the retina and using the pattern of blood vessels for recognition. Example: Using a retina scanner for high-security access.

Iris Scanning: Capturing the unique patterns of the iris for recognition. Example: Using iris scanners for passport-free border crossings.

Facial Recognition: Identifying people based on facial features. Example: Using Face ID to unlock an iPhone.

Voice Recognition: Identifying individuals based on voice patterns. Example: Using voice commands to access a virtual assistant like Siri.

Gait Analysis: Identifying individuals based on their walking pattern. Example: Using gait analysis to identify individuals entering a secure area.

Biometric Efficacy Rates


False Acceptance Rate (FAR): Percentage of times a biometric system incorrectly identifies an unknown user as a registered user. Example: A biometric system mistakenly recognizing an unauthorized person as an authorized user.

False Rejection Rate (FRR): Percentage of times a biometric system incorrectly rejects a registered user. Example: A biometric system failing to recognize an authorized user.

True Acceptance: Correctly identifying a registered user. Example: A biometric system successfully recognizing an authorized user.

True Rejection: Correctly rejecting an unknown user. Example: A biometric system successfully rejecting an unauthorized user.

Crossover Error Rate (CER): The point where FAR and FRR are equal; a lower CER indicates a more accurate system. Example: A biometric system with a low CER is considered highly accurate.
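The four rates above are all functions of one tuning knob, the match threshold: raising it lowers FAR and raises FRR, lowering it does the opposite, and the CER is where the two curves meet. The Python below is an added worked example (not from the original notes) that computes FAR, FRR, true acceptance and true rejection for any threshold and sweeps the threshold to locate the CER. The match scores are constructed for the example and do not come from any real sensor.

```python
from typing import List, Tuple

# Constructed similarity scores on a 0-100 scale; not measurements from a real system.
GENUINE_SCORES: List[int] = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]   # registered users vs. own template
IMPOSTOR_SCORES: List[int] = [40, 55, 62, 71, 48, 35, 66, 58, 74, 52]  # unknown users vs. another's template


def far(threshold: int, impostor: List[int] = IMPOSTOR_SCORES) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int] = GENUINE_SCORES) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def true_acceptance(threshold: int, genuine: List[int] = GENUINE_SCORES) -> float:
    return 1 - frr(threshold, genuine)


def true_rejection(threshold: int, impostor: List[int] = IMPOSTOR_SCORES) -> float:
    return 1 - far(threshold, impostor)


def crossover_error_rate(genuine: List[int] = GENUINE_SCORES,
                         impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, rate) where FAR and FRR are closest.

    With discrete samples the two curves rarely cross exactly, so the CER is reported as
    their average at the threshold with the smallest gap; the first such threshold wins.
    """
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def error_table(step: int = 10) -> List[Tuple[int, float, float]]:
    """Rows of (threshold, FAR, FRR) to show the trade-off as the threshold moves."""
    return [(t, far(t), frr(t)) for t in range(0, 101, step)]


if __name__ == "__main__":
    for row in error_table():
        print("threshold %3d  FAR %.1f  FRR %.1f" % row)
    print("CER at threshold %d: %.2f" % crossover_error_rate())
```

Which side of the CER to tune toward is a policy decision: a data-centre door should sit above the CER (fewer false acceptances, more retries for staff), while a phone unlock usually sits below it.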
Remember This

Account Lockout Policies: Prevent unauthorized access by locking accounts after a specified number of failed login attempts. Example: Locking an account for 30 minutes after five failed login attempts.

Changing Default Passwords: Essential security practice to prevent unauthorized access. Example: Changing the default password "admin" on a router.

Training Users: Educate users on creating strong passwords and the importance of password security. Example: Teaching users to create passphrases and avoid reusing passwords.

Smart Cards: Often used in two-factor authentication with something you know (password/PIN). Example: Using a smart card and a PIN to access a secure system.

Biometric Authentication: Strongest individual authentication factor using physical characteristics. Example: Using fingerprint or facial recognition for secure access.

Somewhere You Are

The "somewhere you are" authentication factor identifies a user’s location, typically using
geolocation technologies. This method is often used as an additional layer of security to
enhance authentication.

Geolocation and IP Address

Geolocation: Technologies used to identify a user's location based on their IP address. Example: Determining the country, region, state, city, and sometimes zip code from an IP address.

IP Address: Used to provide geolocation information. Example: A system recognizing an IP address from India and blocking access due to an unusual login location.

Practical Application

Suspicious Activity: Detecting and blocking logins from unusual locations. Example: Blocking access when a login attempt is made from a different country than usual.

Impossible Travel Time: Identifying logins from different locations that are geographically impossible to travel between in a short time. Example: Detecting a login from one country and another login from a distant country shortly after.

Limitations and Considerations

VPNs and IP Changers: Users can bypass geolocation by using VPNs or IP address changers. Example: A user in Russia accessing a website through a VPN with a U.S. IP address.

MAC Address and Computer Name: Used within an organization to restrict login access to specific devices. Example: Configuring accounts to only allow logins from a specific computer.

Two-Factor and Multifactor Authentication

Two-factor authentication (2FA) and multifactor authentication (MFA) enhance security by requiring more than one authentication factor.

Two-Factor Authentication (2FA)

Soft Token and Password: A soft token on a smartphone combined with a password. Factors involved: Something you have and something you know.

Fingerprint and PIN: A fingerprint scan combined with a PIN. Factors involved: Something you are and something you know.

Security Key and Retinal Scan: A security key combined with a retinal scan. Factors involved: Something you have and something you are.

Single-Factor Authentication

Password and PIN: Both are knowledge-based methods and belong to the same authentication factor. Factor involved: Something you know.

Thumbprint and Retinal Scan: Both are biometric methods and belong to the same authentication factor. Factor involved: Something you are.

Passwordless Authentication

Passwordless authentication aims to enhance security and user convenience by eliminating the need for passwords.

Passwordless Methods: Uses authentication factors other than passwords. Example: Using a security key or a biometric scan for login.

Considerations: Passwordless authentication is not necessarily multifactor authentication. Example: Using only a biometric scan (something you are) for authentication.

Authentication Log Files

Authentication log files track both successful and unsuccessful login attempts, providing
valuable data for monitoring and security analysis.

What Happened: Indicates whether the login attempt was successful or failed. Example: Logging a failed login attempt.

When It Happened: Timestamp of the login attempt. Example: Recording the date and time of a login attempt.

Where It Happened: Indicates the IP address or computer name from where the login attempt was made. Example: Logging the IP address of a remote login attempt.

Who Did It: The user account involved in the login attempt. Example: Recording the username of the individual attempting to log in.
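The four fields in this table (what, when, where, who) are exactly the inputs the "impossible travel time" check from the Somewhere You Are section needs, so the following Python serves both passages. It is an added example, not code from the original notes: it parses constructed log lines, maps each IP address to coordinates through a small table standing in for a GeoIP database, and raises an alert when two successful logins by the same user are further apart than anyone could plausibly travel in the time between them. The log format, the GeoIP table and the 900 km/h speed ceiling are all assumptions made for the example.

```python
import math
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample log lines; the one-line key=value format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z user=homer result=success ip=198.51.100.7
2024-03-01T08:30:00Z user=homer result=failure ip=198.51.100.7
2024-03-01T09:00:00Z user=homer result=success ip=203.0.113.42
2024-03-01T09:05:00Z user=lisa result=success ip=198.51.100.9
2024-03-02T10:00:00Z user=lisa result=success ip=203.0.113.42
"""

# Constructed stand-in for a GeoIP lookup: ip -> (city, latitude, longitude).
GEOIP: Dict[str, tuple] = {
    "198.51.100.7": ("Springfield", 39.80, -89.65),
    "198.51.100.9": ("Springfield", 39.80, -89.65),
    "203.0.113.42": ("Mumbai", 19.08, 72.88),
}

# Assumed ceiling on plausible travel speed (roughly an airliner); faster than this is flagged.
MAX_PLAUSIBLE_SPEED_KMH = 900.0

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Pull the what/when/where/who fields out of one log line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(log_text: str) -> List[dict]:
    """Compare each successful login with the same user's previous successful login.

    Failed attempts are skipped: they do not prove the user was at that location.
    Lines are assumed to be in chronological order, as a log file normally is.
    """
    alerts = []
    last_seen: Dict[str, dict] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success" or ev["ip"] not in GEOIP:
            continue
        city, lat, lon = GEOIP[ev["ip"]]
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], lat, lon)
            # Same place, or a plausible speed: fine. A different place reached in zero
            # or too little time: alert.
            if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                alerts.append({
                    "user": ev["user"], "from": prev["city"], "to": city,
                    "km": round(km), "hours": round(hours, 2),
                })
        last_seen[ev["user"]] = {"ts": ev["ts"], "city": city, "lat": lat, "lon": lon}
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print(alert)
```

On the sample data homer's Springfield-to-Mumbai hop inside one hour is flagged, while lisa making the same journey over a day is not. As the Limitations table above notes, a VPN exit node can produce exactly this pattern legitimately, so the alert is a prompt for investigation rather than proof of compromise.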

Managing Accounts

Account management involves creating, managing, disabling, and terminating accounts, with
access control methods to control what users can do.

Credential Policies and Account Types

Personnel Accounts: Regular user accounts for employees. Credential policies: Basic password policies such as minimum length and complexity.

Administrator/Root Accounts: Privileged accounts with additional rights and privileges. Credential policies: Stronger authentication methods, such as multifactor authentication.

Service Accounts: Accounts used by applications and services, not end users. Credential policies: Long, complex passwords that do not expire.

Device Accounts: Accounts for computers and other devices. Credential policies: Managed by Active Directory with automated password management.

Third-Party Accounts: Accounts from external entities with access to the network. Credential policies: Strong credential policies and strong password policies enforced.

Guest Accounts: Temporary accounts with limited access. Credential policies: Disabled by default, enabled only in special situations.

Shared/Generic Accounts: Accounts used by multiple temporary workers. Credential policies: Basic credential policies applied, with specific access controls based on usage needs.

Remember This

Account Lockout Policies: Prevent unauthorized access by locking accounts after a specified number of failed login attempts. Example: Locking an account for 30 minutes after five failed login attempts.

Changing Default Passwords: Essential security practice to prevent unauthorized access. Example: Changing the default password "admin" on a router.

Training Users: Educate users on creating strong passwords and the importance of password security. Example: Teaching users to create passphrases and avoid reusing passwords.

Smart Cards: Often used in two-factor authentication with something you know (password/PIN). Example: Using a smart card and a PIN to access a secure system.

Biometric Authentication: Strongest individual authentication factor using physical characteristics. Example: Using fingerprint or facial recognition for secure access.

Authentication Factors: Different methods used to verify a user's identity, categorized for better understanding. Examples: Passwords (something you know), smart cards (something you have), fingerprints (something you are).

Privileged Access Management (PAM)

Privileged Access Management (PAM) is essential for applying stringent security controls over
accounts with elevated privileges, such as administrator or root-level accounts. PAM systems
help manage and secure privileged accounts by implementing concepts like just-in-time
permissions and logging all elevated privilege usage.

PAM Capabilities

Just-in-Time Permissions: Grants administrative privileges only when needed, and removes them after a set period. Example: An administrator requests elevated privileges for 15 minutes to perform a task.

Password Vault: Stores administrative account passwords securely, often preventing direct access to the passwords. Example: The PAM system retrieves and uses the administrator password without human intervention.

Temporal Accounts: Creates temporary accounts with administrative privileges for a limited time. Example: A temporary account is created for a user to complete a specific task and is then deleted.

Credential Checkout: Allows users to check out credentials for a limited time. Example: An administrator checks out credentials for a service account to perform maintenance.

Automatic Password Changes: Periodically changes privileged account passwords automatically. Example: The PAM system changes the administrator password every 30 days.

Logging and Monitoring: Logs all access and usage of privileged accounts for auditing purposes. Example: Recording every action performed using a privileged account for later review.

Requiring Administrators to Use Two Accounts

Regular User Account: Used for day-to-day activities with limited privileges. Example: An administrator uses a regular user account for reading emails and browsing the web.

Administrative Account: Used only for performing administrative tasks with elevated privileges. Example: An administrator uses an administrative account to install software and configure systems.

Benefits

Reduced Risk: Limits the exposure of administrative accounts to potential attacks. Example: Preventing malware from gaining elevated privileges if the administrator is logged in with a regular user account.

Improved Security: Ensures that elevated privileges are only used when necessary. Example: Reducing the risk of privilege escalation attacks by using administrative accounts only when needed.

Prohibiting Shared and Generic Accounts

Shared and generic accounts are discouraged as they hinder accountability and effective
access control. Each user should have a unique account to ensure proper identification,
authentication, authorization, and accounting.

Identification: Users claim an identity with a unique identifier. Example: Using a unique username for each user.

Authentication: Users prove their identity using an authentication method. Example: Entering a password to log in.

Authorization: Users are granted access based on their proven identity. Example: Assigning specific permissions to a user account.

Accounting: Logs record activity using the users' claimed identity. Example: Tracking actions performed by a specific user.

Deprovisioning

Deprovisioning is the process of disabling a user’s account when they leave the organization to
prevent unauthorized access. This process ensures that data and security keys associated with
the account remain accessible.

Terminated Employee: Accounts are disabled as soon as possible after an employee leaves the organization. Example: Disabling an ex-employee's account immediately after resignation.

Leave of Absence: Accounts are disabled for employees on extended leave. Example: Disabling an account for an employee on a two-month medical leave.

Account Deletion: Accounts are deleted when they are no longer needed, usually after a period of inactivity. Example: Deleting accounts that have been inactive for 90 days.

Time-Based Logins

Time-based logins restrict user access to specific times to enhance security.

Time-of-Day Restrictions: Users can only log on to computers during specified times. Example: Restricting login access to weekdays between 6:00 a.m. and 8:00 p.m.

Extended Work Hours: Users working overtime are not logged off but cannot create new connections after the restricted time. Example: Allowing a user to continue working past 8:00 p.m. but preventing new logins.

Account Audits

Account audits help enforce the least privilege principle by reviewing user privileges and
identifying unnecessary permissions.

Privilege Creep: Occurs when a user accumulates unnecessary privileges over time. Example: A user retains access to HR data even after transferring to the Sales department.

Permission Auditing Review: Verifies that users have only the access they need. Example: Reviewing user permissions annually to ensure they align with current job responsibilities.

Attestation: Formal process for reviewing and certifying user permissions. Example: Managers certify that user permissions are necessary for job responsibilities.

Remember This

Privileged Access Management: Implements stringent controls over accounts with elevated privileges. Examples: Just-in-time permissions, password vaults, logging, and monitoring.

Two Accounts for Administrators: Reduces the risk of privilege escalation attacks. Example: An administrator uses a regular account for daily tasks and an administrative account for elevated tasks.

Prohibiting Shared Accounts: Ensures accountability and proper access control. Example: Each user has a unique account, preventing multiple users from sharing a single account.

Deprovisioning: Disables user accounts when they leave the organization. Example: Disabling an ex-employee's account immediately after departure.

Time-Based Logins: Restricts access to specific times to enhance security. Example: Preventing logins outside of business hours.

Account Audits: Reviews user privileges to enforce the least privilege principle and detect privilege creep. Example: Performing annual permission auditing reviews to ensure users only have necessary access.

Single Sign-On (SSO)

Single sign-on (SSO) allows a user to log in once and gain access to multiple systems without needing to log in again. This increases security and user convenience by reducing the number of credentials users must remember and manage.

Benefits of SSO

Enhanced Security: Reduces the likelihood of users writing down passwords by requiring only one set of credentials. Example: Users use a single strong password for all network resources.

User Convenience: Simplifies the login process by allowing access to multiple systems with one login. Example: A user logs in once to access email, file servers, and internal applications.

Functionality

Secure Token: SSO systems create a secure token used for authentication during the login session. Example: A user's SSO token allows access to various servers without additional logins.

Strong Authentication: Requires strong authentication methods to ensure security. Example: Implementing multifactor authentication (MFA) to enhance security for SSO.

LDAP

Lightweight Directory Access Protocol (LDAP) is a protocol used to access and manage directory information over an IP network.

Directory Access: Allows users and applications to retrieve information from the directory. Example: Windows domains use LDAP to query Active Directory.

Centralized Management: Provides a centralized repository for user accounts, devices, and other objects. Example: An organization uses LDAP for centralized user authentication and authorization.

SSO and Federation

Federated identity management systems allow SSO to work across different organizations or
networks by linking user identities.

Federation Example

Federated Database: Provides central authentication for different environments. Example: Employees of Springfield Nuclear Power Plant access Springfield school system resources without additional logins.

Standard for Federated Identities: Members of a federation agree on a standard for identity information exchange. Example: The power plant and the school system use a federated identity standard to authenticate users.

SAML

Security Assertion Markup Language (SAML) is an XML-based standard used for SSO on web
browsers. It facilitates the exchange of authentication and authorization information between
different parties.

SAML Roles

Principal: The user who logs on and requests an identity. Example: Homer logs on at the nuclear power plant to access school resources.

Identity Provider (IdP): Creates, maintains, and manages identity information and authentication. Example: The nuclear power plant or the Springfield school system acts as the IdP.

Service Provider: Provides services to principals after verifying their credentials with the IdP. Example: The Springfield school system hosts educational websites accessible to Homer.

OAuth

OAuth is an open standard for authorization, allowing users to grant one service access to their
information on another service without sharing login credentials.

Authorization: Allows secure access to protected resources. Example: Authorizing a scheduling service (Doodle) to access and edit entries on Google Calendar.

Authorization Models

Authorization models determine how access to resources is granted based on different schemes.

Remember This! A role-based access control scheme uses roles based on jobs and functions. A roles and permissions matrix is a planning document that matches the roles with the required privileges.

Role-Based Access Control (Role-BAC)

Role-based access control (Role-BAC) uses roles to manage rights and permissions for users.
This model is particularly useful for organizations where employees perform distinct job
functions that can be clearly defined within specific roles.

Aspect | Description | Example
--- | --- | ---
Roles Based on Jobs | Users are assigned roles based on their job functions. | Creating roles for Accounting, Sales, and IT departments, each with specific access rights.
Role-BAC Matrix | A planning document that matches roles with required privileges. | Documenting the rights and permissions for Administrators, Executives, Project Managers, and Team Members in Microsoft Project Server.

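A roles-and-permissions matrix and the role assignments that sit on top of it, as an added example (not from the study guide or Microsoft Project Server). The role names follow the table's Project Server example; the permission names and user assignments are constructed.

```python
"""Role-based access control with a roles-and-permissions matrix (added
example, not from the study guide).  A real deployment reads the matrix from
the directory or the application's role configuration.
"""
from typing import Dict, FrozenSet, Set

# The planning document: each role maps to the privileges it requires (constructed).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Administrator":  frozenset({"project.read", "project.edit", "project.delete",
                                 "server.config", "user.manage"}),
    "Executive":      frozenset({"project.read", "report.view"}),
    "ProjectManager": frozenset({"project.read", "project.edit", "task.assign", "report.view"}),
    "TeamMember":     frozenset({"project.read", "task.update"}),
}

# Users hold roles, never individual permissions (constructed assignments).
USER_ROLES: Dict[str, Set[str]] = {
    "lisa": {"Administrator"},
    "homer": {"TeamMember"},
    "marge": {"ProjectManager", "Executive"},
}


def effective_permissions(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: str, permission: str) -> bool:
    return permission in effective_permissions(user)


def change_job(user: str, old_role: str, new_role: str) -> FrozenSet[str]:
    """Move a user between roles.  Revoking the old role is what prevents
    permissions from piling up over time, since none were granted directly."""
    roles = USER_ROLES.setdefault(user, set())
    roles.discard(old_role)
    roles.add(new_role)
    return effective_permissions(user)


def permissions_matrix() -> str:
    """Render the matrix as text, the form a planning document usually takes."""
    all_perms = sorted(set().union(*ROLE_PERMISSIONS.values()))
    rows = ["Role".ljust(16) + " ".join(p.ljust(15) for p in all_perms)]
    for role, perms in ROLE_PERMISSIONS.items():
        cells = ("X" if p in perms else "-" for p in all_perms)
        rows.append(role.ljust(16) + " ".join(c.ljust(15) for c in cells))
    return "\n".join(rows)
```

Auditing this model is a matter of diffing `permissions_matrix()` against the approved planning document and listing users whose role set changed; the comparison table later on the page calls the failure mode this catches "role creep".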
Rule-Based Access Control (Rule-BAC)
Rule-based access control (Rule-BAC) uses rules defined by system administrators to
determine access permissions. These rules can be applied at various levels and can be
dynamic, changing in response to different conditions or triggers.

Aspect | Description | Example
--- | --- | ---
Rules in ACLs | Uses rules within access control lists to define access. | A router uses rules to allow HTTP traffic while blocking other traffic.
Dynamic Rules | Rules that trigger changes in response to specific events. | An intrusion prevention system modifies rules to block traffic from attackers.
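Both rows of the table in one piece of code: a first-match ACL like the router example, and an IPS-style monitor that inserts a dynamic deny rule after repeated denials from one source. This is an added example, not from the study guide or any router vendor; the addresses, ports and the alert threshold are constructed.

```python
"""Rule-based access control: an ordered ACL evaluated first-match, plus a
dynamic rule added in response to an event (added example, not from the
study guide).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "any"             # exact source IP or "any"
    dport: Optional[int] = None  # destination port, None = any
    note: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dport: int


@dataclass
class RuleBasedACL:
    rules: List[Rule] = field(default_factory=list)

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        return ((rule.proto == "any" or rule.proto == pkt.proto)
                and (rule.src == "any" or rule.src == pkt.src)
                and (rule.dport is None or rule.dport == pkt.dport))

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; an implicit deny closes the list."""
        for rule in self.rules:
            if self.matches(rule, pkt):
                return rule.action
        return "deny"

    def block_source(self, src: str, reason: str) -> None:
        """Dynamic rule: a deny for the offending host goes to the top of the
        list so it takes precedence over the static allow rules."""
        if not any(r.action == "deny" and r.src == src for r in self.rules):
            self.rules.insert(0, Rule("deny", src=src, note=reason))


def router_acl() -> RuleBasedACL:
    """Static policy from the table: allow HTTP (and HTTPS), block everything else."""
    return RuleBasedACL([
        Rule("allow", "tcp", dport=80, note="HTTP"),
        Rule("allow", "tcp", dport=443, note="HTTPS"),
    ])


def ips_watch(acl: RuleBasedACL, events: List[Packet], threshold: int = 3) -> List[str]:
    """Count denied packets per source; once a source reaches `threshold`
    denials, add a dynamic block for it.  Returns the sources blocked."""
    denials: Dict[str, int] = {}
    blocked: List[str] = []
    for pkt in events:
        if acl.decide(pkt) == "deny":
            denials[pkt.src] = denials.get(pkt.src, 0) + 1
            if denials[pkt.src] >= threshold and pkt.src not in blocked:
                acl.block_source(pkt.src, f"{denials[pkt.src]} denied packets")
                blocked.append(pkt.src)
    return blocked
```

Note the ordering rule: because evaluation stops at the first match, a dynamic deny is only effective if it is inserted ahead of the static allows, which is why `block_source` uses position 0 rather than appending.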

Discretionary Access Control (DAC)


Discretionary access control (DAC) is a type of access control system where the owner of the
resource determines who can access it and what privileges they have. This model is often used
in environments where flexibility and ease of management are important.

Remember This! The DAC scheme specifies that every object has an owner, and the owner
has full, explicit control of the object. Microsoft NTFS uses the DAC scheme.

Aspect | Description | Example
--- | --- | ---
Owner-Controlled Access | The owner of an object establishes access permissions. | Users control access to files they own on a Windows system using NTFS permissions.
DACL | A discretionary access control list contains access control entries (ACEs). | A folder with permissions for Lisa (Full Control), Bart (Read), and Maggie (Modify).
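The DACL row of the table modelled in code: an object with an owner, ACEs mapping principals to named rights, and the discretionary part, namely that only someone holding change-permissions (the owner, or a Full Control grantee) can edit the list. This is an added example, not from the study guide or Windows; the rights are a reduced NTFS-style set and the folder path and names are constructed.

```python
"""Discretionary access control: every object has an owner who sets a DACL
made of ACEs (added example, not from the study guide).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Simplified named rights; each expands to the operations it permits (constructed).
RIGHTS: Dict[str, FrozenSet[str]] = {
    "Read":         frozenset({"read"}),
    "Modify":       frozenset({"read", "write", "delete"}),
    "Full Control": frozenset({"read", "write", "delete", "change_permissions", "take_ownership"}),
}


@dataclass
class DacObject:
    name: str
    owner: str
    dacl: Dict[str, str] = field(default_factory=dict)  # ACEs: principal -> named right

    def operations(self, principal: str) -> FrozenSet[str]:
        """Everyone gets exactly what their ACE grants; the owner additionally
        keeps the right to change permissions, as NTFS owners do."""
        ops = set(RIGHTS.get(self.dacl.get(principal, ""), frozenset()))
        if principal == self.owner:
            ops |= {"change_permissions", "take_ownership"}
        return frozenset(ops)

    def check(self, principal: str, operation: str) -> bool:
        return operation in self.operations(principal)

    def set_ace(self, actor: str, principal: str, right: str) -> bool:
        """Discretionary: only a principal holding change_permissions may edit the DACL."""
        if right not in RIGHTS or not self.check(actor, "change_permissions"):
            return False
        self.dacl[principal] = right
        return True

    def remove_ace(self, actor: str, principal: str) -> bool:
        if not self.check(actor, "change_permissions"):
            return False
        return self.dacl.pop(principal, None) is not None


def simpsons_folder() -> DacObject:
    """The folder from the table: Lisa Full Control, Bart Read, Maggie Modify."""
    folder = DacObject("D:\\Shared\\Homework", owner="lisa")   # constructed path
    folder.dacl = {"lisa": "Full Control", "bart": "Read", "maggie": "Modify"}
    return folder
```

The weakness the comparison table later attributes to DAC is visible here: nothing stops Lisa from granting Full Control to anyone she chooses, so the security of the folder depends entirely on her judgement.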
Mandatory Access Control (MAC)
Mandatory access control (MAC) is a strict access control model that uses labels and
clearances to determine access permissions. It is commonly used in environments requiring
high security, such as military and governmental systems.

Aspect | Description | Example
--- | --- | ---
Sensitivity Labels | Uses labels to determine access based on clearance levels. | Homer has a Top Secret clearance with access to Nuclear Power Plant data but not to 007 or Forbidden Donut compartments.
Lattice Model | Defines security levels and compartments to control access. | A lattice model with compartments for Top Secret, Secret, Confidential, and For Official Use data.

Remember This! The MAC scheme uses sensitivity labels for users and data. It is commonly
used when access needs to be restricted based on a need to know. Sensitivity labels often
reflect classification levels of data and clearances granted to individuals.
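The lattice from the table as code: a label is a level plus a set of compartments, and a clearance grants read access only when it dominates the data's label on both axes. This is an added example, not from the study guide; Homer's clearance and the sample objects are constructed. It goes one step beyond the text by also showing the no-write-down rule (the Bell-LaPadula star property) that usually accompanies the read check in MAC systems.

```python
"""Mandatory access control with a lattice of sensitivity labels (added
example, not from the study guide).  Labels are assigned by the security
administrator and nothing here lets a user change one; that is what makes the
control mandatory.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Classification levels from the table, lowest to highest.
LEVELS = {"For Official Use": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice partial order: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, data: Label) -> bool:
    """Read only when the clearance dominates the data label: level covers
    classification, compartments cover need to know."""
    return clearance.dominates(data)


def can_write(clearance: Label, data: Label) -> bool:
    """No write-down: a subject may only write to labels that dominate its own,
    so Top Secret content cannot leak into a lower container."""
    return data.dominates(clearance)


def explain(clearance: Label, data: Label) -> str:
    """Human-readable reason for a read decision, useful in audit output."""
    if LEVELS[clearance.level] < LEVELS[data.level]:
        return f"denied: {clearance.level} clearance below {data.level}"
    missing = data.compartments - clearance.compartments
    if missing:
        return "denied: no need to know for " + ", ".join(sorted(missing))
    return "allowed"


# Constructed subjects and objects mirroring the table's example.
HOMER = Label("Top Secret", frozenset({"Nuclear Power Plant"}))
NPP_REPORT = Label("Secret", frozenset({"Nuclear Power Plant"}))
SPY_FILE = Label("Top Secret", frozenset({"007"}))
DONUT_FILE = Label("Confidential", frozenset({"Forbidden Donut"}))
PUBLIC_MEMO = Label("For Official Use")
```

Homer's Top Secret level is not enough on its own: `DONUT_FILE` is only Confidential, yet he is refused because he lacks the Forbidden Donut compartment, which is exactly the need-to-know restriction the Remember This box describes.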
SELinux in Mandatory Access Control (MAC)
SELinux (Security-Enhanced Linux) is an implementation of the MAC model that enforces
security policies on Linux systems.

Aspect | Description | Example
--- | --- | ---
SELinux Policies | SELinux enforces MAC policies to control access. | SELinux policy restricts a web server process to only access specific directories.
Modes of Operation | SELinux operates in Enforcing, Permissive, or Disabled modes. | In Enforcing mode, SELinux policies are enforced; in Permissive mode, violations are logged but not enforced.
Use of Labels | SELinux assigns labels to files and processes to control access. | A file labeled as httpd_sys_content_t can be accessed by the Apache web server process.
Security Benefits | Provides a high level of security by enforcing strict access controls. | Prevents compromised processes from accessing unauthorized files.
Challenges | Can be complex to configure and manage. | Requires detailed knowledge of SELinux policies and labels.
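A toy model of the three SELinux rows that matter most operationally: type labels on processes and files, allow rules between types, and how Enforcing, Permissive and Disabled change the outcome. This is an added example, not code from the study guide or the SELinux project. The type names httpd_t, httpd_sys_content_t, httpd_log_t and shadow_t are real SELinux types; the three-rule policy, the file list and the audit-line format are constructed stand-ins for the real targeted policy and AVC messages.

```python
"""Toy model of SELinux type enforcement and its three modes (added example,
not from the study guide or SELinux itself).
"""
from typing import List, Set, Tuple

# allow <source_type> <target_type> : <class> <perm>   (constructed subset)
POLICY: Set[Tuple[str, str, str, str]] = {
    ("httpd_t", "httpd_sys_content_t", "file", "read"),
    ("httpd_t", "httpd_sys_content_t", "file", "getattr"),
    ("httpd_t", "httpd_log_t", "file", "append"),
}

# File labels as 'ls -Z' would show them (constructed objects, real type names).
FILE_TYPES = {
    "/var/www/html/index.html": "httpd_sys_content_t",
    "/var/log/httpd/access_log": "httpd_log_t",
    "/etc/shadow": "shadow_t",
}


class SELinux:
    def __init__(self, mode: str = "enforcing"):
        if mode not in ("enforcing", "permissive", "disabled"):
            raise ValueError(mode)
        self.mode = mode
        self.audit: List[str] = []          # stands in for /var/log/audit/audit.log

    def getenforce(self) -> str:
        return self.mode.capitalize()

    def access(self, proc_type: str, path: str, perm: str) -> bool:
        """Decide one file access by a process running in domain `proc_type`."""
        if self.mode == "disabled":
            return True                     # no labels consulted; DAC alone decides
        target = FILE_TYPES.get(path, "unlabeled_t")
        if (proc_type, target, "file", perm) in POLICY:
            return True
        permissive = 1 if self.mode == "permissive" else 0
        self.audit.append(
            f"avc: denied {{ {perm} }} scontext={proc_type} tcontext={target} "
            f"tclass=file path={path} permissive={permissive}")
        return self.mode == "permissive"    # logged but not blocked


def compromised_webserver(mode: str) -> Tuple[bool, bool, int]:
    """A web-server process reads its own content, then (as a hijacked process
    would) tries /etc/shadow.  Returns (content_ok, shadow_ok, audit_entries)."""
    se = SELinux(mode)
    content_ok = se.access("httpd_t", "/var/www/html/index.html", "read")
    shadow_ok = se.access("httpd_t", "/etc/shadow", "read")
    return content_ok, shadow_ok, len(se.audit)
```

Permissive mode is the tuning tool the Challenges row alludes to: it produces the same audit entries as Enforcing without breaking the service, so the denials can be reviewed and the policy adjusted before the switch to Enforcing.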

Attribute-Based Access Control (ABAC)


Attribute-Based Access Control (ABAC) uses policies that evaluate attributes of subjects,
objects, and environmental conditions to make access control decisions. This model allows for
highly granular and flexible access control.

Aspect | Description | Example
--- | --- | ---
Policy-Based Evaluation | Grants access based on attributes defined in policies. | Granting access to a share for users with attributes of employee, inspector, and nuclear aware.
Elements of Policy Statements | Subject, object, action, and environment. | Policy statement: “Allow logged-on researchers to access research sites via the main network.”

Remember This! The ABAC scheme uses attributes defined in policies to grant access to resources. It’s commonly used in software-defined networks (SDNs).

Example of Attribute-Based Access Control (ABAC)

ABAC uses attributes to determine access permissions. Below is an example scenario involving Homer, a Nuclear Safety Inspector at the Springfield Nuclear Power Plant, demonstrating how ABAC policies work.

ABAC Policy Example for Homer

Element | Description | Example
--- | --- | ---
Subject | Attributes of the user requesting access. | Homer is an employee, inspector, and nuclear aware.
Object | The resource the user wants to access. | Inspector file share on the file server.
Action | The action the user wants to perform. | Read and modify documents.
Environment | The context of the access request. | Accessing from the company network during work hours.

ABAC Policy Rule Example: "Grant access to the Inspector file share for subjects with the
attributes employee, inspector, and nuclear aware, when accessing from the company network
during work hours."

ABAC Policy Example for Researchers

Element | Description | Example
--- | --- | ---
Subject | Attributes of the user requesting access. | Logged-on researchers.
Object | The resource the user wants to access. | Research sites on the Internet.
Action | The action the user wants to perform. | Access research websites.
Environment | The context of the access request. | Accessing via the main network.

ABAC Policy Rule Example: "Allow logged-on researchers to access research sites via the
main network."

Summary of ABAC Policy Elements

Element | Description
--- | ---
Subject | This is typically a user. Attributes can include employment status, group memberships, job roles, logged-on status, and more.
Object | This is the resource, such as a file, database, or application, that the user is trying to access.
Action | This is what the user is attempting to do, such as reading or modifying a file, accessing specific websites, and accessing website applications.
Environment | This includes everything outside of the subject and object attributes, such as the time, location, protocols, encryption, devices, and communication method.

Remember This! The ABAC scheme uses attributes defined in policies to grant access to
resources. It’s commonly used in software-defined networks (SDNs).
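Both ABAC policy rules quoted above (the Inspector file share for Homer, and research sites for logged-on researchers) encoded as subject, object, action and environment conditions and evaluated by a small default-deny engine. This is an added example, not code from the study guide; the attribute names, the 08:00 to 18:00 work-hours window and the sample requests are constructed.

```python
"""Attribute-based access control policy evaluation (added example, not from
the study guide).  Each policy lists the subject attributes it requires, the
object it covers, the actions it permits and the environmental checks that
must hold.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

Env = Dict[str, object]


@dataclass
class Request:
    subject: Dict[str, object]    # e.g. {"name": "homer", "tags": {"employee", ...}}
    obj: Dict[str, object]        # e.g. {"type": "share", "name": "Inspector"}
    action: str
    environment: Env              # e.g. {"network": "company", "hour": 10}


@dataclass
class Policy:
    name: str
    subject_tags: FrozenSet[str] = frozenset()              # every tag must be present
    object_match: Dict[str, object] = field(default_factory=dict)
    actions: FrozenSet[str] = frozenset()
    env_checks: List[Callable[[Env], bool]] = field(default_factory=list)

    def applies(self, req: Request) -> bool:
        tags = set(req.subject.get("tags", set()))
        return (self.subject_tags <= tags
                and all(req.obj.get(k) == v for k, v in self.object_match.items())
                and req.action in self.actions
                and all(check(req.environment) for check in self.env_checks))


def work_hours(env: Env) -> bool:
    """Constructed definition of 'work hours': 08:00 up to but not including 18:00."""
    return 8 <= int(env.get("hour", -1)) < 18


POLICIES = [
    # "Grant access to the Inspector file share for subjects with the attributes
    # employee, inspector, and nuclear aware, when accessing from the company
    # network during work hours."
    Policy("inspector-share",
           subject_tags=frozenset({"employee", "inspector", "nuclear aware"}),
           object_match={"type": "share", "name": "Inspector"},
           actions=frozenset({"read", "modify"}),
           env_checks=[lambda e: e.get("network") == "company", work_hours]),
    # "Allow logged-on researchers to access research sites via the main network."
    Policy("research-sites",
           subject_tags=frozenset({"researcher", "logged_on"}),
           object_match={"type": "website", "category": "research"},
           actions=frozenset({"access"}),
           env_checks=[lambda e: e.get("network") == "main"]),
]


def decide(req: Request, policies: List[Policy] = POLICIES) -> Tuple[bool, str]:
    """Default deny: the first policy whose conditions all hold grants access."""
    for policy in policies:
        if policy.applies(req):
            return True, policy.name
    return False, "no matching policy"


def homer_request(hour: int, network: str = "company", action: str = "modify") -> Tuple[bool, str]:
    """Homer asking for the Inspector share under a given environment."""
    return decide(Request(
        subject={"name": "homer", "tags": {"employee", "inspector", "nuclear aware"}},
        obj={"type": "share", "name": "Inspector"},
        action=action,
        environment={"network": network, "hour": hour}))
```

The same request from Homer succeeds at 10:00 on the company network and fails at 22:00 or from another network, which is the property that distinguishes ABAC from Role-BAC: the decision depends on the environment of the request, not only on who is asking.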
Comparison of Access Control Models

RBAC (Role-Based Access Control)
Description: Access rights are based on roles assigned to users. Roles represent a collection of permissions designed to perform specific job functions.
Examples:
- A hospital system where doctors, nurses, and administrative staff have different access levels.
- Corporate networks where access is granted based on job title like Manager, HR, etc.
Advantages:
- Simplifies management of permissions when users have clearly defined roles.
- Scalable for large organizations.
Disadvantages:
- Not flexible for complex policies that do not align well with role definitions.
- Role creep can occur when roles accumulate more permissions than intended over time.

DAC (Discretionary Access Control)
Description: The owner of the resource specifies who is allowed to access the resource. Access control is based on the discretion of the resource owner.
Examples:
- File systems where the owner can set permissions (read, write, execute) on a file or folder for other users.
- Shared databases where owners can grant access rights to specific users.
Advantages:
- Provides users control over their own resources.
- Flexible, as permissions can be easily changed by the owner.
Disadvantages:
- Can be less secure, as it relies on users to manage security appropriately.
- Vulnerable to Trojan horse attacks, since users can pass permissions to others.

MAC (Mandatory Access Control)
Description: Access rights are regulated by a central authority based on different levels of security clearance. Users cannot change access permissions.
Examples:
- Government or military networks where information is classified and access is based on security clearance levels.
- Systems handling sensitive data like classified documents, where labels (top secret, secret, confidential) are used.
Advantages:
- Highly secure; suitable for environments requiring stringent security measures.
- Users cannot modify controls, reducing the risk of accidental breaches.
Disadvantages:
- Lack of flexibility; cannot be easily adjusted to accommodate individual user needs.
- Complex to manage and implement.

ABAC (Attribute-Based Access Control)
Description: Access rights are based on policies that combine attributes (user, resource, and environment). The system evaluates rules against these attributes to grant or deny access.
Examples:
- Cloud services where access depends on attributes like the location, time of access, and the type of device used.
- IoT environments where device type, firmware version, and current load can influence access control decisions.
Advantages:
- Extremely flexible; can enforce complex policies based on numerous attributes.
- Suitable for dynamic and varied environments.
Disadvantages:
- Can be complex to implement and maintain due to the need for detailed attribute data and policies.
- Potentially higher performance overhead from real-time evaluation of attributes.

Analyzing Authentication Indicators

Authentication logs provide valuable data for identifying potential malicious activity.

Indicator | Description | Example
--- | --- | ---
Account Lockouts | Repeated failed login attempts resulting in account lockouts. | Investigating multiple failed login attempts for an administrator account.
Concurrent Session Usage | Detecting simultaneous logins from different locations. | Identifying that a user is logged in from both the home office and a remote office at the same time.
Impossible Travel Time | Logins from geographically distant locations in a short period. | A user logs in from New York and then from London within a few minutes.
Blocked Content | Unusual levels of blocked malicious content. | High volume of blocked phishing attempts detected by the content filter.
Resource Consumption | Excessive use of resources indicating potential malware. | Unexpectedly high CPU usage on a server.
Resource Inaccessibility | Services becoming unavailable due to malicious interference. | A website going down due to a denial-of-service attack.
Log Anomalies | Unusual log entries or missing log files. | Sudden increase in log entries during off-hours or missing logs indicating tampering.
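Detection logic for the first three indicators in the table (account lockouts, concurrent sessions, impossible travel), run over a handful of constructed authentication log lines. This is an added example, not from the study guide or any SIEM product: the log format, the usernames, addresses, coordinates and thresholds are all constructed, and the distance calculation is a plain haversine over the coordinates carried in each line.

```python
"""Authentication-log indicators over constructed sample lines (added example,
not from the study guide).  Standard library only.
"""
import math
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log: timestamp, user, outcome (SUCCESS / FAIL / LOGOUT), source, geo, site.
SAMPLE_LOG = """\
2024-05-01T08:55:00Z user=admin result=FAIL src=198.51.100.7 geo=40.71,-74.01 site=NewYork
2024-05-01T08:55:20Z user=admin result=FAIL src=198.51.100.7 geo=40.71,-74.01 site=NewYork
2024-05-01T08:55:41Z user=admin result=FAIL src=198.51.100.7 geo=40.71,-74.01 site=NewYork
2024-05-01T08:56:02Z user=admin result=FAIL src=198.51.100.7 geo=40.71,-74.01 site=NewYork
2024-05-01T08:56:30Z user=admin result=FAIL src=198.51.100.7 geo=40.71,-74.01 site=NewYork
2024-05-01T09:00:00Z user=homer result=SUCCESS src=203.0.113.5 geo=40.71,-74.01 site=NewYork
2024-05-01T09:02:00Z user=homer result=LOGOUT src=203.0.113.5 geo=40.71,-74.01 site=NewYork
2024-05-01T09:04:00Z user=homer result=SUCCESS src=192.0.2.9 geo=51.51,-0.13 site=London
2024-05-01T13:00:00Z user=lisa result=SUCCESS src=203.0.113.44 geo=40.73,-73.99 site=RemoteOffice
2024-05-01T09:10:00Z user=lisa result=SUCCESS src=203.0.113.8 geo=40.71,-74.01 site=HomeOffice
2024-05-01T09:30:00Z user=marge result=SUCCESS src=203.0.113.6 geo=40.71,-74.01 site=NewYork
2024-05-01T12:00:00Z user=marge result=LOGOUT src=203.0.113.6 geo=40.71,-74.01 site=NewYork
2024-05-01T12:05:00Z user=marge result=SUCCESS src=203.0.113.45 geo=40.73,-73.99 site=RemoteOffice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+) "
    r"geo=(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+) site=(?P<site>\S+)$")


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                       # skip malformed lines instead of crashing
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["lat"], d["lon"] = float(d["lat"]), float(d["lon"])
        events.append(d)
    events.sort(key=lambda e: e["ts"])  # collectors do not always deliver in order
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_lockouts(events: List[dict], threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Users with `threshold` or more failures inside a sliding window; value is the peak count."""
    fails: Dict[str, List[datetime]] = {}
    for e in events:
        if e["result"] == "FAIL":
            fails.setdefault(e["user"], []).append(e["ts"])
    flagged: Dict[str, int] = {}
    for user, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged


def detect_concurrent_sessions(events: List[dict]) -> List[Tuple[str, str, str]]:
    """A login while a session from a different site is still open (no LOGOUT yet)."""
    open_sessions: Dict[str, Dict[str, datetime]] = {}
    alerts = []
    for e in events:
        sessions = open_sessions.setdefault(e["user"], {})
        if e["result"] == "SUCCESS":
            others = [s for s in sessions if s != e["site"]]
            if others:
                alerts.append((e["user"], others[0], e["site"]))
            sessions[e["site"]] = e["ts"]
        elif e["result"] == "LOGOUT":
            sessions.pop(e["site"], None)
    return alerts


def detect_impossible_travel(events: List[dict], max_kmh: float = 1000.0) -> List[Tuple[str, str, str, int]]:
    """Consecutive successful logins whose implied speed exceeds `max_kmh`."""
    last: Dict[str, dict] = {}
    alerts = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last.get(e["user"])
        if prev and prev["site"] != e["site"]:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((e["user"], prev["site"], e["site"], round(speed)))
        last[e["user"]] = e
    return alerts
```

Run against the sample, the three detectors flag different users: admin for the burst of failures, lisa for holding home-office and remote-office sessions at once, and homer for New York to London in four minutes. Marge, who logged out before moving offices, triggers nothing, which is the false positive a session-aware check avoids.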
