Chapter 6, Mapping Business Challenges to Access Control
Chapter 7, Human Nature and Organizational Behavior
This lesson reviews the needs for access controls, the human
elements in our environment, and the controls used to manage expected behaviors.
Objectives important to this lesson:
Applying access controls to needs
Solving problems with access controls
Human nature as a cause for access controls
Organizational model for access controls
Separation of duties
Responsibilities of access owners
The text begins with the idea that access controls need to
have a higher purpose than just what they do. They need to exist
because there is a reason that causes an organization to create them.
The authors refer to these as business needs, but they apply to
government and other organization types as well.
Business continuity - Keeping the
operation running regardless of the event, attack, disaster, or mayhem
should be one of our goals. Picking the right balance of choices
that protect us against some risks means deciding which ones make more
sense for our needs. The suggestions in the list below are not all
mutually exclusive, but the typical organization will pick some of them
and reject others.
The text recommends placing our data centers away
from natural threats that occur regularly, like hurricanes and
predictable, frequent floods. Can you name parts of the United States
where these threats are less probable? How about other countries?
Placing our data in more than one location is also
recommended, but with the caveat that running a hot backup site
(always running and up to date) can be expensive.
The text also recommends that we consider cloud-based
data centers. This sounds nice, but remember that there
is no cloud; you are simply remotely connecting to someone else's
server farm. If your contract with them includes their storing
information in multiple locations, great. That means you are
subcontracting the service in the bullet item above. One
advantage is that you can use thin clients for your cloud services. The
disadvantage is that you are out of luck if you don't have connectivity
to the contracted servers. There is another aspect, too. Is the cloud
storage protected? Are you as protected or better than you would
A lower-cost suggestion is to take the time-honored
approach of running backups regularly, and storing copies
away from your data site. How often is often enough? How costly will
this be? What about the cost of new hardware when you need to restore,
if that is an issue?
For any strategy or mix of them, choices also must be made
about access controls. Who has access? What kind of access?
What changes need to be made to that access when an emergency occurs?
The text gives us a story on page 112 that should
sound like the one I told you in week 1. In this case, an employee is
believed to be stealing company money. Evidence is gathered and
presented to her. She is asked to resign to avoid prosecution. She asks
for an hour to prepare to leave. She is then left alone in her office
for an hour. She copies account information, deletes data, and plants
viruses and spam bots on the company network. She later offers her
clients a discount if they will come to her new company, which she
presumably just created.
The text then explains what should have been done. This is a
classic case in which business needs and the usual treatment of an
The classic approach to removal of personnel includes removing
their access rights to the company systems and data at or before
the moment they are informed that they are leaving employment.
Such an employee should never be left alone with a
computer on the company network, in case they have installed a back
door, or another identity that could be used to cause the kind of
damage described in the story. She could, of course, already have
prepared a copy of the data she wanted to take, but this would have
removed her means of deleting data directly.
When there is no suspicion that the employee bears
any ill will against the company, there can be some variation in this
procedure. When there is such suspicion, it is prudent to
restrict the employee's rights as soon as possible. This is difficult
to do when the job they hold gives them access to sensitive
information, which is why extreme measures are often taken with
departing system administrators. As the story shows, the employee in
question did not hold such a job, but she knew how to create problems
without elevated rights. Most people are capable of this sort of
action, by intention or by accident.
The text tells us another story on the next page. It is longer
and less detailed than we might like. In the course of a fire at a
company's main office, their web server is taken down due to the power
being out. There is no clear way for the Chief Operating Officer to
restore the web site without getting a login ID and other information
from a system administrator. A problem with this story is that it would
never happen that way. In a well-run company, there would be an
emergency plan for bringing up an off-site server and a backup copy of
the web site, and the COO would probably have nothing to do
with it except to authorize it to happen, long before any such emergency actually occurs. The authors suggest
that the use of emergency phone numbers (cell phones) for such events
would make it more likely that someone receiving such a call would be
receiving it from an authorized caller. Nice idea, but costly, if those
phones were only used in emergencies. Oh, by the way, where is it? My
phone. Where is my emergency phone?
have many reasons to keep their operating procedures and data private
and secret. We are aware of the need to protect a customer's personal
information, but some businesses have their own secrets that they do
not want to share with competitors. The same methods used to protect
other sensitive information should be used to protect trade secrets and
secret recipes as well.
Assign the least necessary privilege to any resource, to
the fewest people possible
Promote/require strong passwords and use other technical
Physically secure our locations, using locks, guards, and
other measures as needed
Deactivate lost devices and ID cards as soon as possible;
require employees to report such losses promptly
Maintain a program of security awareness for staff
The text turns to risk
on page 116. It expands on the ideas it presented in chapter 2 for four
risk strategies. Remember that there are other strategies than the four
the text presents.
Avoidance - make
every effort to avoid your vulnerabilities being exploited; make the
attack less possible, make the threat less likely to occur; avoid risk
by avoiding the activity associated with the risk, and by providing an
active defense against it
Acceptance - this counterintuitive idea makes sense if the cost of an incident is
minimal, and the cost of each of the other methods is too high to
accept; the basic idea here is that it costs less just to let it happen
in some cases, and to clean up afterward
Transference - in general, letting someone else worry about it; engaging a
contracted service to protect us against risk would be an example of
transference
Mitigation - this method seeks to reduce the effects
of an attack, to minimize and contain the damage that an attack can do;
Incident Response plans, Business Continuity plans, and Disaster
Recovery plans are all part of a mitigation plan
The text repeats some material about protecting confidentiality, integrity, and availability from threats by using access controls. On
the same theme, it considers vulnerabilities
and mentions three areas where vulnerabilities are often found:
Operating systems -
The text points out that most viruses attack the operating system of a
computer. Updated protection software and patches to the OS should be
Applications - Applications typically do not receive patches as often as operating
systems, but some are famous for patches, such as Adobe Reader and
Flash Player. Updates to applications that address known
vulnerabilities are required in a well-run environment.
Users - The text
advises us to teach users to resist social
engineering, and to create stronger passwords.
The next section of the chapter reminds us about some terms
used to describe the need for access rights:
subject - an entity that requires access rights
to some resource; like the use of this word in grammar, the subject
takes action on something
object - a resource that some subject needs to
act upon; again, like the grammar use of the word, an object is acted
upon by a subject
The text uses these terms to explain that we can make lists of
the subjects who need
particular kinds of access to particular objects. We can use these lists as the basis
for granting access. We can also use this information to make plans
about the access controls we need to apply to the sensitive, popular,
and necessary objects. The text stresses that we need to make sure we
are covering all subjects and objects in our system, but we should
remember that no environment is stable for very long. There will be new
subjects and objects, and there will be subjects and objects that
should be removed from our system on a regular basis. Everything
For some kinds of access, it makes sense to create groups, assign access rights to those groups, and
to make users members of those
groups for the time they need to access the relevant objects. This
allows us to make one
rights assignment, which can be modified or removed in one place if a
mistake is discovered, affecting the rights of all members of the group
at once. In Active Directory, such a group is typically called a security group. When a user no
longer needs access rights to an object, that user can be removed from the group in question.
When a new user needs those access rights, that user can be made a member of the right security group
to receive the same access as the other members.
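Here is an added example (not the textbook's code, and not a real Active Directory API) that models the group-based assignment just described: rights are granted once to a group, users get them through membership, a mistaken grant is fixed in one place, and a departing employee is deprovisioned by removing every membership at once. The users, groups and file names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Minimal model of group-based access assignment (constructed example)."""
    # group name -> set of (object, permission) rights granted to the group
    group_rights: dict = field(default_factory=dict)
    # group name -> set of user names who are members
    members: dict = field(default_factory=dict)

    def grant(self, group, obj, perm):
        """One rights assignment per group, never per individual user."""
        self.group_rights.setdefault(group, set()).add((obj, perm))
        self.members.setdefault(group, set())

    def revoke(self, group, obj, perm):
        """Fix a mistaken assignment in one place; every member is affected."""
        self.group_rights.get(group, set()).discard((obj, perm))

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def remove_member(self, group, user):
        self.members.get(group, set()).discard(user)

    def deprovision(self, user):
        """Termination step: strip all group memberships before the exit meeting."""
        for users in self.members.values():
            users.discard(user)

    def effective_rights(self, user):
        """Rights a subject holds, derived only through group membership."""
        rights = set()
        for group, users in self.members.items():
            if user in users:
                rights |= self.group_rights.get(group, set())
        return rights

    def can(self, user, obj, perm):
        return (obj, perm) in self.effective_rights(user)


def build_demo():
    """Constructed sample directory: two security groups over one file."""
    d = Directory()
    d.grant("Payroll-Readers", "payroll.xlsx", "read")
    d.grant("Payroll-Editors", "payroll.xlsx", "read")
    d.grant("Payroll-Editors", "payroll.xlsx", "write")
    d.add_member("Payroll-Readers", "alice")
    d.add_member("Payroll-Editors", "bob")
    return d
```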
was not really news. The strategies listed on page 123 are new to this
subject, at least in this text. The text introduces three kinds of
access control methods, and two review methods:
Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, a
security agent (a central authority) implements it, and the end users
cannot change it
Role-Based Access Control (RBAC) - access is granted to roles (groups) defined on
the systems, end users are assigned to roles so they can access assets
needed for their jobs
Discretionary Access Control (DAC) - least restrictive
model; subjects (end users) can own objects, and have total control
over them (like a SharePoint web server system); end users must set and
maintain security for their assets, which most people will do badly;
processes run by end users inherit their permission levels
Automated account review
- The word "automated" is improperly used to mean that access controls
that have not been used in a specific time period are automatically selected to be
reviewed. The review is done by people,
not by a computer or a program. The program simply finds the accounts
that should be reviewed, and notifies appropriate staff.
Automated expiration of accounts
- Accounts in many systems can be created with expiration dates. This
principle uses this feature to make sure that temporary accounts do not
continue to be usable without human intervention.
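The two review methods above, as an added example (not from the textbook): the "automated" review only selects idle accounts and hands them to a person, while expiration actually disables accounts past their date with no human in the loop. The account records and dates are constructed sample data.

```python
from datetime import date, timedelta


def sample_accounts():
    """Constructed sample accounts: name, last logon, optional expiration, state."""
    return [
        {"name": "alice", "last_logon": date(2024, 5, 30), "expires": None, "enabled": True},
        {"name": "contractor1", "last_logon": date(2024, 1, 10), "expires": date(2024, 3, 31), "enabled": True},
        {"name": "svc-backup", "last_logon": date(2023, 11, 2), "expires": None, "enabled": True},
        {"name": "intern2", "last_logon": date(2024, 5, 28), "expires": date(2024, 8, 31), "enabled": True},
    ]


def select_for_review(accounts, today, idle_days=90):
    """'Automated' account review: pick enabled accounts unused for idle_days.
    The program only selects and notifies; a person makes the decision."""
    cutoff = today - timedelta(days=idle_days)
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a["last_logon"] < cutoff)


def expire_accounts(accounts, today):
    """Automated expiration: disable accounts whose expiration date has passed,
    without waiting for anyone to notice. Returns the names disabled."""
    disabled = []
    for a in accounts:
        if a["enabled"] and a["expires"] is not None and a["expires"] < today:
            a["enabled"] = False
            disabled.append(a["name"])
    return sorted(disabled)


def notify(names, reason):
    """Stand-in for the e-mail or ticket sent to the staff who do the review."""
    return [f"REVIEW NEEDED: {n} ({reason})" for n in names]


if __name__ == "__main__":
    accounts = sample_accounts()
    today = date(2024, 6, 1)
    print("expired:", expire_accounts(accounts, today))
    for line in notify(select_for_review(accounts, today), "no logon in 90 days"):
        print(line)
```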
124 review two well known principles that address business needs.
Separation of duties - make sure that large purchases and other sensitive activities cannot
be accomplished without the approval of at least two areas of
responsibility, such as requiring two signatures on large checks; don't give any one person the ability to defraud the system; checks and balances of power are better
Least privilege -
never assign more access rights than are actually needed to perform a
task, in order to reduce the exposure of assets that need not be exposed
Another kind of risk is discussed on page 125. We are
cautioned not to grant administrative rights (the highest level of
rights) to an asset without a good reason. The text warns us that
having this level of permission to a computer, for example, allows the
operator to do almost anything they want, including choosing to install
software. That does not sound so bad, but the main problem is that not
only can the operator do anything, so can any process started by the
operator, including viruses and malware. There is some level of
protection to be had from running a computer as a user who is not
allowed to install new software.
Chapter 7 returns to the discussion of the effects that human behaviors have
on our organization. The text seems to be on the nature side of the Nature vs. Nurture
argument. If you don't know what I mean, follow that link to some ideas
about a concept that has bothered scientists for a long time. Are some
aspects of humans determined completely by their environment (nurture) or by their biology (nature)? I suspect that the answer is usually a combination of the two, but there is a third idea as well, that we can determine
our own outcomes or actions in some cases. I may not be able to wish
myself into being another kind of creature, but I hope I can decide
to be a better man than I might otherwise be. So, when the authors talk
about some aspects of human nature, we should allow that the meaning of
the passage is about observable human behavior, regardless of its cause.
Some threat types are described in the first pages of the chapter:
Unintentional threats - People often do not think about security. They don't worry about opening an email attachment, following a link, leaving equipment unprotected, or exposing themselves and their workplace to other threats.
They don't mean to cause any harm, but they can become the vulnerable
avenue for an exploit without meaning harm themselves. The text warns
us to train people in security awareness, to remind them often enough to do some good, and to install security controls to minimize these risks.
- This text simplifies hackers into two categories: those who are after
money and those who are after status. The ones who want "money" may be
after something they want themselves (and would not pay for) or
something they hope to sell or ransom back to the owner.
- A social engineer is what we used to call a con artist. He or she is
someone trying to get someone else to do something they should not do.
On the other hand, you could use social engineering techniques to get
someone to do something they should do, but that is another topic. The
text presents an outline of features commonly seen in social engineering exploits:
Assumed identity - The social engineer often pretends to
be someone the victim will or should trust, such as an IT support
person, an executive with a problem, or a new employee who needs help.
Believability - A background story that explains what the
social engineer is doing there, why we should supply what they want,
and why we should do it right away is very helpful in getting the
victim's cooperation. In con artist terms, this part may be called
telling the mark the tale.
Multiple contacts - Some social engineering exploits
involve one contact with the victim, because that is all it takes to
get the desired outcome. Others require a bit more familiarity with the
victim, so the social engineer may make a series of contacts, either
gathering data with each one, or preparing the victim with the earlier
contacts for the moment of trust that the real exploit requires.
Request for help - The classic exploit involves a request
to grant access, to change a password, or to reveal something the
victim can access or already knows. The social engineer presents a
reasonable need for that information or access, which should be granted
as a favor for the poor helpless person they are portraying.
The text has a few pages with ideas about
hiring the right people for sensitive positions. From the perspective
of a student looking for work, you will want to know about the
generally accepted factors that go into a hiring decision. Read this material, and believe that the prospective employer really will ask for and check this data.
The next main topic in the chapter starts on page 141. It
links back to the material on social engineering. The text explains
that an organization's structure usually has three or more layers.
Staff, who have the fewest access rights
Operational management, who have more access rights
Upper level or senior management, who typically have the most rights
This common structure explains why a social engineer may
pretend to be a member of senior management, who has forgotten a
password, or who has lost rights to some asset that is needed for a
pressing task immediately. Of course, the poor victim will feel the
need to do the senior person a favor, if the request is made artfully.
A better model to follow is to grant access based on the needs
of one's job. Of course, this makes it more difficult for the social
engineer, but it only means the grifter has to do deeper research to find the right person to impersonate. Three suggestions are presented to counteract this problem:
Job rotation - If
people in sensitive positions are moved on a regular basis, a rogue
employee will only be in one position for the time allowed, and a
social engineer may have trouble finding out who to impersonate
- This concept addresses the same one that rotation does: don't allow
anyone to continue in a sensitive role indefinitely. A required
vacation presumes a substitute or backup person, who must know the job
well enough to do it and to notice if the usual person were doing
Separation of duties
- As noted in most texts, a common control on money is to make sure it
cannot be moved or spent without the cooperation of several agents.
This does not apply equally in terms of data. Money cannot be copied,
but data can. This concept applies to the world of data by making sure
that reviews and audits are done regularly, by people in a different
branch of the organization.
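The separation-of-duties principle, both as stated for money in chapter 6 (two approvers from different areas of responsibility for large amounts) and as applied to data here (audits done by someone from a different branch), as an added example that is not the textbook's code. The staff names, areas and the approval threshold are constructed assumptions.

```python
# Constructed staff roster: user -> area of responsibility
STAFF_AREA = {
    "dana": "purchasing",
    "erin": "purchasing",
    "fred": "finance",
    "gwen": "audit",
}

LARGE_AMOUNT = 10_000  # assumed threshold above which two areas must sign off


class SoDViolation(Exception):
    """Raised when a request breaks the separation-of-duties policy."""


def check_approval(requester, amount, approvals):
    """Return True if the list of approver names satisfies the policy.

    Below the threshold one approver (other than the requester) is enough.
    At or above it, two approvers from two different areas are required,
    so no single person, or single department, can push a large payment through.
    """
    for a in approvals:
        if a not in STAFF_AREA:
            raise SoDViolation(f"unknown approver {a}")
    if requester in approvals:
        raise SoDViolation("requester cannot approve their own request")
    if amount < LARGE_AMOUNT:
        return len(approvals) >= 1
    if len(approvals) < 2:
        raise SoDViolation("large amounts need at least two approvers")
    areas = {STAFF_AREA[a] for a in approvals}
    if len(areas) < 2:
        raise SoDViolation("approvers must come from different areas")
    return True


def eligible_reviewers(owner, candidates):
    """Data analogue: only people outside the owner's own branch may audit."""
    return [c for c in candidates if STAFF_AREA[c] != STAFF_AREA[owner]]
```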
The text makes a point of explaining that the people called access owners (or data owners, or other titles) have a responsibility to protect their data, which includes the proper oversight
of granting access rights. In practice, this may mean that such a
person is interviewed by IT staff who translate the owner's business
requirements into program code or procedures that IT staff can follow.
You should review the bullet points on page 145 about this, and
understand that the actual performance of each of those points will involve business staff, general IT staff, and IT security staff.
The text moves on to discuss training employees in security
issues, such as resisting social engineering (the authors seem very
afraid of this) and maintaining awareness of security needs. The main
idea is that there should be clear training, employees should be able
to look up rules when they are needed, and there should be multiple
ways to ask for help in this area, including web resources, other
employees, and security staff who may be consulted with questions.
The text offers two suggestions that cover many situations:
Acceptable use policy - A well crafted acceptable use
policy should give employees a sense of how protective of our
environment we need to be. It is a starting point, in many cases, not
an end point.
Security awareness policy - This is a daily problem, so one
session talking about security is not enough. Reminders, preferably in
different formats and media, should be offered to employees regularly.
As we have discussed before, the security policies of your
organization should be made available to all employees, and efforts
should be made to make compliance a default behavior.
Assignments for Chapters 6 and 7
Complete the Review Questions posted for these
chapters, numbers 13 through 28.
one of the case studies at the end of the chapter. Briefly explain what
you see as right and wrong about the situation and the solution
proposed by the authors. Is there another recommendation you would make?