The CISSP Growth Path (Part 19): Security Threat Control Measures in Detail

In the previous article of the CISSP Growth Path series planned by the 51CTO Security channel, "Network Threat Types in Detail", J0ker introduced the threats to the confidentiality, integrity and availability of information assets. Controlling access to information resources is an effective means of defending against these threats, so in this article J0ker describes in detail the threat control methods, and the existing technologies and tools, covered by the CISSP Access Control CBK.

Traditionally, access control methods are divided into administrative access control (including personnel control), physical access control, and logical access control. All three work by limiting access to information systems and resources.

Administrative access controls are imposed mainly at the management level, for example the organization's security policies and its procedures for using information systems. Administrative access control also includes personnel controls, chiefly background checks at recruitment time and signed security and confidentiality agreements, which establish the trustworthiness of the people who are given access to information systems and resources.

Physical access controls are tangible measures such as locks and badges. Logical access controls are installed in the information system and operate as part of it, for example anti-virus software, password restrictions and encryption. The following lists the implementation methods of access control by category:

◆ Logical controls (technical/logical controls)

Access control software, such as firewalls and proxy servers
Anti-virus software
Password controls
Smart cards / biometric identification / credentials
Encryption
Dial-up call-back systems
Log auditing
Intrusion detection systems

◆ Administrative controls

Security policies and procedures
Security awareness training
Separation of duties
Security reviews and audits
Job rotation
Employee hiring and termination policies
Security and confidentiality agreements
Background checks
Performance evaluation
Forced vacation

◆ Physical controls

ID cards
Turnstiles
Restricting access to physical resources by means of locks, doors and guards

For most organizations, deploying every available access control measure is neither economical nor necessary. The organization must therefore weigh the measures it needs against the measures available, so that the final deployment of access controls satisfies the organization's security policy.

Access control for system access

To make the various access control methods easier to understand, we can divide them by the object being controlled into two types: system access and data access. Let us look at system access first.

Access control for system access restricts or controls access to system resources. Its process covers the identification and authentication of the entity requesting access to those resources.

In daily work we often have to enter a user name and password; this is the process of user identification and authentication. The user must first let the system know who is requesting access, which is normally done by providing the user name registered in the system; the system then uses the information it holds about that user to verify the claim made in the first step. Do not confuse authentication with authorization: authentication confirms that the user's claimed identity is correct, while authorization, which takes place after the user has been identified and authenticated, determines what the user may and may not do.

1. Identification

Identification is the foundation of all information system security functions. Every entity in an information system must have a unique identifier that distinguishes it from other entities. A unique identity is an essential part of the access control process and provides the following functions:

1. Confirming the user's identity
2. Combined with log auditing, providing accountability
3. Providing the ability to track user behavior
4. Making users responsible for their own actions

The unique personal identity of a user goes by different names in different contexts, such as logon ID, user ID and account number, but the most common name is user name. The user presents the user name to the system so that the system can identify who the user is. Similarly, many other entities in the system, such as system services and hardware devices, also need unique identifiers. Any function or requirement that accesses the system must be assigned a unique identifier.

Because networks are widely distributed and serve large numbers of users, simple management methods are often introduced into the identification management process to reduce administrative cost, such as a written user-name naming convention for the system. Some organizations form the user name from the surname plus the initial of the given name; others use the full name with an underscore between the given name and the surname. Whatever naming convention an organization adopts, it is governed by the organization's procedures rather than by the type of system in use.

Besides logical identification, physical card or badge systems also frequently perform identification functions. Physical identification systems are commonly used to restrict entry to particular areas, such as a building or a server room. In some organizations card or badge systems also serve as a means of network access control: for example, smart card systems are often used to restrict entry to server rooms or data centers whose terminals can reach the network, so that without a valid smart card one cannot access the enterprise network from the data center. Biometric systems such as fingerprint, palm print and voice recognition are also widely used to implement the user identification function of physical access control systems.

Another important property of identification is that it ensures auditability. A unique identity allows the administrator, through log auditing, to trace the actions performed by a user or system service back to the entity that owns the identity. At the same time, a unique identity makes the user responsible for their own system access and operations.

2. Identification requirements:

Issuance: the process of generating identities must be secure and documented. The effectiveness and security of identification depend closely on the identity generation process.

Naming standard: the identities of users and other system entities must follow the same naming standard; for example, if all user names in the system must take the form surname + initial of the given name, John Smith's user name should be smithj.

Non-descriptive: an identity should not describe the user's job function; for example, a system administrator should preferably not use "Administrator" or "manager" as a user name.

Non-shared (no sharing): an identity should be owned by only one user or entity across the whole system or network; otherwise authorization and auditing become problematic.

Verifiable: an identity must be verifiable by simple and effective methods, and the verification method should be available and automated at any time in any part of the system.

Uniqueness: the identity of a user or entity must be unique throughout the system or network.
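As an added example (not code from the original article), the following Python sketch implements the identification requirements discussed above: issuance under one naming standard (surname + given-name initial, so John Smith becomes smithj), the non-descriptive check, uniqueness without sharing, and an audit trail that ties every action to exactly one identity. The set of forbidden job-function names is an assumption chosen for the example.

```python
import re

# Job-function words that must not be used as a user name (non-descriptive principle).
# This set is an assumption for the example, not a standard list.
DESCRIPTIVE_NAMES = {"administrator", "admin", "manager", "root", "operator"}


class IdentityRegistry:
    """Issues unique, non-descriptive user names under one naming standard
    (surname + initial of the given name) and keeps an audit trail in which
    each recorded action belongs to exactly one issued identity."""

    def __init__(self):
        self.identities = {}  # user name -> full name of its single owner
        self.audit_log = []   # (user name, action) records

    @staticmethod
    def _normalize(part):
        # Keep lowercase ASCII letters only, so the identifier is verifiable by a simple rule
        return re.sub(r"[^a-z]", "", part.lower())

    def issue(self, given, surname):
        base = self._normalize(surname) + self._normalize(given)[:1]
        if not base:
            raise ValueError("name yields no usable identifier")
        if base in DESCRIPTIVE_NAMES:
            raise ValueError(f"{base!r} describes a job function")
        # Uniqueness / non-shared: never hand out an existing identity; add a counter instead
        candidate, n = base, 1
        while candidate in self.identities:
            n += 1
            candidate = f"{base}{n}"
        self.identities[candidate] = f"{given} {surname}"
        self.audit_log.append((candidate, "identity issued"))
        return candidate

    def record(self, username, action):
        # Accountability: refuse to log actions for an identity the registry never issued
        if username not in self.identities:
            raise KeyError(f"unknown identity {username!r}")
        self.audit_log.append((username, action))

    def trace(self, username):
        # Trace logged actions back to the owning entity, as an administrator would in an audit
        return self.identities[username], [a for u, a in self.audit_log if u == username]


def is_valid_username(name):
    # Verifiable: the naming standard is checkable by pattern match plus the non-descriptive rule
    return bool(re.fullmatch(r"[a-z]{2,}\d*", name)) and name not in DESCRIPTIVE_NAMES
```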
