CISSP Rapid Review: Access Control

  • 12/15/2012

Objective 1.3: Assess effectiveness of access controls

Access controls should limit access to resources to only the people who need those resources. Two important elements of assessing the effectiveness of the controls are examining user entitlement and performing periodic access reviews and audits.

Exam need to know…

  • User entitlement

    For example: Which accounts deserve the most attention when considering user entitlement?

  • Access review and audit

    For example: How can you verify whether the principle of least privilege is being enforced?

User entitlement

User entitlement refers to the privileges granted to users when their accounts are first created and during the lifetime of the accounts. One of the primary considerations is ensuring that the principle of least privilege is followed. Users should not have access to more privileges than they need to perform their jobs.

Managing changes during the lifetime of the account can be challenging. Often, the process requires users to submit a request that must go through an approval process, and during this time, the user isn’t able to complete job requirements. Bypassing the process improves productivity but sacrifices security. In some cases, the request process is so cumbersome that it’s rarely followed.

Ideally, all changes are recorded in logs, creating an accurate audit trail. The audit trail can be used during an audit or review to determine whether the approval process is being followed. When someone’s account is granted administrative privileges, the audit trail provides information about who requested the change, who approved it, and who implemented it. It can also identify the source of unauthorized changes.

Administrator and other accounts with elevated privileges deserve the most attention when considering user entitlement. This includes controlling the number of users granted privileged access and limiting the number of users who can grant elevated privileges to others.

It’s common to require administrators to use two accounts. Administrators log on with a regular account to perform typical day-to-day work; this account has limited privileges. They log on with the administrator account only when they need to perform administrative tasks.

True or false? All accounts deserve the same level of attention when managing user entitlement processes.

Answer: False. Administrative and other privileged accounts deserve more attention than regular user accounts. Accounts with privileges can cause the most damage to a company if misused.

Access review and audit

Performing routine access reviews and audits helps an organization know whether security policies related to user accounts are being followed. This includes checks related to entitlement, provisioning, usage, and revocation.

One goal is to determine whether least privilege policies are being followed. A simple method is to periodically check the membership of groups that have a high level of privileges. For example, membership in administrative groups should be limited, and a routine audit will detect whether unauthorized individuals have been added.

Another method is reviewing logs that record user access and user provisioning. An organization will often define procedures for granting additional privileges to any user, such as a documented request and approval before the privilege is implemented. A review of the logs used to track this process will determine whether each recorded grant corresponds to an approved request or whether the process is being bypassed.
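The audit-trail check described above (who requested, who approved, who implemented) as a runnable example. This is added code, not from the book; the log format, ticket identifiers, usernames and the change-request register are all constructed for the example and carry no relation to a real system. The check flags grants that have no change request, that reference a ticket the register does not know, that do not match what was approved, or where the requester, approver and implementer are not three distinct people.

```python
"""Audit-trail review of privilege grants (added example, constructed data)."""
from dataclasses import dataclass

# Constructed approved-request register; in practice this is exported from
# the ticketing or change-management system.
APPROVED_REQUESTS = {
    "CHG-1041": {"user": "jdoe", "privilege": "Domain Admins",
                 "requested_by": "jdoe", "approved_by": "mgr_smith"},
    # Self-approved request: requester and approver are the same person.
    "CHG-1042": {"user": "asmith", "privilege": "Domain Admins",
                 "requested_by": "asmith", "approved_by": "asmith"},
}

# Constructed provisioning log. Field layout (assumed for this example):
# timestamp|event|user|privilege|implemented_by|ticket
PROVISIONING_LOG = """\
2012-12-10T09:12:03|GRANT|jdoe|Domain Admins|admin_lee|CHG-1041
2012-12-10T11:40:55|GRANT|asmith|Domain Admins|admin_lee|CHG-1042
2012-12-11T02:05:17|GRANT|svc_backup|Domain Admins|admin_lee|
2012-12-11T08:30:00|GRANT|bking|Domain Admins|admin_lee|CHG-9999
"""


@dataclass
class Finding:
    ticket: str
    user: str
    privilege: str
    reason: str


def parse_log(text):
    """Parse the pipe-delimited provisioning log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, priv, by, ticket = line.split("|")
        events.append({"ts": ts, "event": event, "user": user,
                       "privilege": priv, "implemented_by": by,
                       "ticket": ticket})
    return events


def audit_grants(events, approved):
    """Return one Finding per GRANT event that did not follow the process."""
    findings = []
    for e in events:
        if e["event"] != "GRANT":
            continue
        ticket = e["ticket"]
        if not ticket:
            findings.append(Finding("", e["user"], e["privilege"],
                                    "grant with no change request"))
            continue
        req = approved.get(ticket)
        if req is None:
            findings.append(Finding(ticket, e["user"], e["privilege"],
                                    "ticket not in approved register"))
            continue
        if req["user"] != e["user"] or req["privilege"] != e["privilege"]:
            findings.append(Finding(ticket, e["user"], e["privilege"],
                                    "grant does not match approved request"))
            continue
        # Separation of duties: requester, approver and implementer
        # must be three different people.
        roles = {req["requested_by"], req["approved_by"], e["implemented_by"]}
        if len(roles) < 3:
            findings.append(Finding(ticket, e["user"], e["privilege"],
                                    "requester, approver and implementer "
                                    "are not three distinct people"))
    return findings


if __name__ == "__main__":
    for f in audit_grants(parse_log(PROVISIONING_LOG), APPROVED_REQUESTS):
        print(f"{f.ticket or '(none)':10} {f.user:12} {f.privilege:15} {f.reason}")
```

Run against the constructed data, the review accepts the jdoe grant and reports three findings: the self-approved asmith request, the svc_backup grant with no ticket, and the bking grant whose ticket does not exist in the register. The last two are exactly the pattern of an administrator quietly adding privileges outside the process.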

A security policy will typically specify whether accounts should be disabled or deleted for ex-employees, and a review can determine whether the policy is being followed. Cross-checking active accounts with an employee list can identify potential issues.

These checks can also discover unauthorized accounts. Imagine an administrator who is fired for cause but whose administrative access is still active immediately after the exit interview. In less than a minute that person can create a new account, grant it full administrative privileges, and enable it for remote access to the network. Disabling the ex-employee’s own account 15 minutes later no longer helps; the backdoor account already exists, and only a review that compares active accounts against those that are authorized will find it.

A review can also determine whether administrators are using their accounts as dictated by the security policy. For example, administrators are commonly required to use two accounts—one for regular day-to-day work and the other for administrative purposes. Administrators might be tempted to use the administrative account all the time and never use the regular account. A review of the logs can identify whether administrators are using the regular accounts and how often they’re using them.
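The three review checks described in this section (privileged-group membership against an approved baseline, active accounts against the employee list, and whether administrators actually use their regular accounts) as one runnable example. This is added code, not from the book; the group names, usernames, HR roster and logon log are constructed for the example. It also assumes a naming convention in which an administrator’s privileged account is the regular username with an `admin_` prefix, which is how the code pairs the two accounts; adjust `ADMIN_PREFIX` to match a real environment.

```python
"""Periodic access-review checks (added example, constructed data)."""
from collections import Counter

ADMIN_PREFIX = "admin_"  # assumed convention: admin_lee is lee's privileged account

# (1) Constructed approved baseline vs. current membership of a privileged group.
APPROVED_ADMINS = {"admin_lee", "admin_park"}
CURRENT_ADMINS = {"admin_lee", "admin_park", "svc_backup", "rrivera"}

# (2) Constructed HR roster (people) and active directory accounts.
HR_ROSTER = {"jdoe", "asmith", "bking", "lee", "park"}
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "bking", "rrivera",
                   "admin_lee", "admin_park", "svc_backup"}
SERVICE_ACCOUNTS = {"svc_backup"}  # owned by a system, not a person

# (3) Constructed interactive-logon log: timestamp,account
LOGON_LOG = """\
2012-12-10T08:01:00,lee
2012-12-10T09:15:00,admin_lee
2012-12-10T08:05:00,admin_park
2012-12-10T12:00:00,admin_park
2012-12-11T08:00:00,admin_park
2012-12-11T08:02:00,lee
"""


def group_membership_drift(current, approved):
    """Return (unauthorized additions, approved members now missing)."""
    return current - approved, approved - current


def orphaned_accounts(active, roster, service_accounts=frozenset(),
                      admin_prefix=ADMIN_PREFIX):
    """Active accounts with no matching person in the HR roster.

    Admin accounts are mapped to their owner by stripping the prefix.
    Service accounts are skipped; they need their own ownership review.
    """
    orphans = set()
    for acct in active:
        if acct in service_accounts:
            continue
        owner = acct[len(admin_prefix):] if acct.startswith(admin_prefix) else acct
        if owner not in roster:
            orphans.add(acct)
    return orphans


def parse_logons(text):
    """Parse 'timestamp,account' lines into (timestamp, account) tuples."""
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]


def admin_usage(logons, admin_prefix=ADMIN_PREFIX):
    """Per admin account: how often it and the paired regular account log on."""
    counts = Counter(acct for _, acct in logons)
    report = {}
    for acct, n in counts.items():
        if acct.startswith(admin_prefix):
            regular = acct[len(admin_prefix):]
            report[acct] = {"admin_logons": n,
                            "regular_logons": counts.get(regular, 0)}
    return report


def admins_never_using_regular(report):
    """Admins who only ever log on with the privileged account."""
    return sorted(a for a, c in report.items() if c["regular_logons"] == 0)


if __name__ == "__main__":
    unauthorized, missing = group_membership_drift(CURRENT_ADMINS, APPROVED_ADMINS)
    print("unauthorized admins:", sorted(unauthorized))
    print("approved admins missing:", sorted(missing))
    print("orphaned accounts:", sorted(orphaned_accounts(
        ACTIVE_ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS)))
    report = admin_usage(parse_logons(LOGON_LOG))
    print("admin usage:", report)
    print("admins never using regular account:", admins_never_using_regular(report))
```

On the constructed data the review reports two unauthorized members of the administrative group (svc_backup and rrivera), one active account with no corresponding employee (rrivera, which here is also the unauthorized admin, the pattern from the fired-administrator scenario above), and one administrator (admin_park) who never logs on with the regular account.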

True or false? When performing an access review, access to all data should be examined.

Answer: False. Only access to sensitive data should be examined. A review that examines access to all data would be unmanageably large and dominated by data that every user is permitted to access, which tells the reviewer nothing about whether least privilege is being enforced.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

  1. A user requires elevated privileges to perform a task once a week. What is the best way to assign these privileges?
  2. What can be reviewed to determine whether an organization is complying with existing access control policies?

This chapter is from the book