Information Security, Access Control, and the Parkerian Hexad..oh my!

Happy Sunday everyone!

Today I will be focusing on what I have learned in the first part of my new "Fundamentals of Information Security" class at #wgu.

So far, quite a bit of the material is being sourced from the book, "Foundations of Information Security: A Straightforward Introduction" by Jason Andress (highly recommended!) along with Udemy supplementation using the course "Information Security Management Fundamentals for Non-Techies" by Alton Hardin.

Cover of Introduction to Information Security by Jason Andress

As with most things in data security, we start by focusing on the CIA triad, a model that serves as a baseline we can refer back to often. Here's a quick refresher on what the CIA triad is:

  • Confidentiality - The first part of the triad, which focuses on protecting our data from users and threat actors that are not allowed to view it.
  • Integrity - Preventing unauthorized alteration of our data, and being able to reverse any alteration if necessary to undo the unwanted changes.
  • Availability - Ensuring that the data is accessible whenever we need it.

Of course, I've been exposed to this framework for several months now and was not in the least bit surprised it would show up. However, there was another model introduced that I had not heard of before: the Parkerian Hexad.

Apparently, this lesser-known model (named after Donn Parker) has six principles. The first three are the same as the CIA triad, and it adds three more:

  • Possession or control - Who physically has access to the data and the physical medium it is on.
  • Authenticity - Whether you've attributed the data to the correct owner or creator. For example, an email sent from a different address than the one it appears to come from fails this test.
  • Utility - How useful the data is to you.

This was a pretty neat learning opportunity, but diving further into each principle is beyond the scope and intent of this article. I also learned about the types of attacks that could be used, identifying threats and vulnerabilities and their impact, and a little bit about the incident response framework.

Moving on to a term I've heard often in the military, and even in the context of cybersecurity: 'Defense-In-Depth'. This is essentially having multiple layers of security between your data and the external network. For example, at the external network layer you would put a DMZ or VPN, and further down at the data layer you would have encryption, verified backups and access controls.

Access controls come in two main types, Physical and Logical (my book also mentions a third type: Administrative). This seems pretty straightforward, in that physical measures stop physical access. Some physical access control measures are:

  • Hardware locks
  • ID badges
  • Physical access logs and lists
  • Door access systems
  • Proximity cards (just like the one I use at my current job to access door locks and the parking lot)
  • Guards
  • Mantraps (a locked door, followed by a small area with another door that cannot be unlocked until the previous door has closed and locked. This helps prevent the social engineering tactic of tailgating/piggybacking.)
  • Cameras

As you can see, businesses have several physical measures that they can implement to add defense in depth security to safeguard data.

Now we move on to Logical Access Controls: Access Control Lists (which allow or deny users), and password, device and account policies. I also learned about a term called the 'confused deputy problem', which refers to a weakness in ACLs. It arises when the software controlling access to data has a greater permission level than the user accessing the data, so that a less-privileged party can trick that software into using its permissions on their behalf. This can lead to attacks such as 'cross-site request forgery' (CSRF) and clickjacking.

CSRF is quite fascinating in that it uses the authority of the browser on a victim's computer. If a victim stays logged into a resource, the attacker can send an image in an email or embed a link that makes the victim's browser send requests to that resource, which in effect lets the attacker act on that resource through the victim's logged-in session. The very scary example in the book is when the attacker embeds a request to transfer funds from the victim's bank account; the already authenticated and authorized user's browser carries that request, and the funds are transferred.
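To make the confused-deputy problem and the CSRF example above concrete from the defender's side, here is a small added example (not code from the article or from Andress's book). It models a toy "bank" with a session cookie, shows why a handler that trusts the cookie alone is a confused deputy, and beside it the hardened handler with the usual checks (state changes only via POST, an Origin header check, and a per-session synchronizer token). The site name, endpoint, users and request data are all constructed for the example.

```python
"""
Added example: confused deputy (CSRF) vs. a hardened request handler.
Everything here is constructed; "bank.example" and /transfer are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"  # hypothetical protected site


@dataclass
class Request:
    """Only the parts of an HTTP request the checks care about."""
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Bank:
    """Toy server: session id -> user, plus one CSRF token per session."""

    def __init__(self):
        self.sessions = {}      # session id -> username
        self.csrf_tokens = {}   # session id -> token issued with the page
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token_for(self, sid):
        return self.csrf_tokens[sid]

    def transfer_vulnerable(self, req):
        """Confused deputy: the browser attaches the cookie automatically, so
        the server acts on authority the user never knowingly exercised."""
        user = self.sessions.get(req.cookies.get("session"))
        if user is None:
            return "401 not logged in"
        self._move(user, req.form["to"], int(req.form["amount"]))
        return "200 ok"

    def transfer_hardened(self, req):
        """Same action, but the request must prove it came from our own page."""
        sid = req.cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return "401 not logged in"
        if req.method != "POST":                      # an <img> tag only does GET
            return "405 method not allowed"
        if req.headers.get("Origin") != SITE_ORIGIN:  # browser-set, not page-set
            return "403 cross-site origin"
        token = req.form.get("csrf_token", "")       # attacker's page cannot read it
        if not hmac.compare_digest(token, self.csrf_tokens[sid]):
            return "403 bad csrf token"
        self._move(user, req.form["to"], int(req.form["amount"]))
        return "200 ok"

    def _move(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def demo():
    bank = Bank()
    sid = bank.login("alice")
    cookie = {"session": sid}  # the browser sends this with every request to the site
    # Constructed: what the victim's browser sends when a third-party page embeds
    # an image pointing at the transfer URL (no Origin header on a plain GET).
    forged_get = Request("GET", "/transfer", cookie,
                         form={"to": "mallory", "amount": "50"})
    # Constructed: a form auto-submitted from the third-party page.
    forged_post = Request("POST", "/transfer", cookie,
                          headers={"Origin": "https://evil.example"},
                          form={"to": "mallory", "amount": "50"})
    # Constructed: alice's own browser submitting the bank's real form.
    genuine = Request("POST", "/transfer", cookie,
                      headers={"Origin": SITE_ORIGIN},
                      form={"to": "mallory", "amount": "10",
                            "csrf_token": bank.csrf_token_for(sid)})
    results = {"vulnerable_forged_get": bank.transfer_vulnerable(forged_get),
               "balance_after_vulnerable": bank.balances["alice"],
               "hardened_forged_get": bank.transfer_hardened(forged_get),
               "hardened_forged_post": bank.transfer_hardened(forged_post),
               "hardened_genuine": bank.transfer_hardened(genuine),
               "balance_after_hardened": bank.balances["alice"]}
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable handler moves alice's money on the forged GET because nothing distinguishes it from a request she made herself; the hardened handler rejects both forged requests before touching balances and accepts only the request that carries the token the server put in its own page.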

I then learned a bit about some access control models, such as:

  • Mandatory Access Control - This is the strictest model, and was designed for the Government. Each object has a classification assigned to it.
  • Discretionary Access Control - Every object has an owner, and that owner decides who can access it.
  • Role-Based Access Control - Access is given based on the role of the subject (user), limited to what they absolutely need to perform their job function. This is known as the 'Principle of Least Privilege'.
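The three models in the list above, each reduced to a small decision function and run against constructed users and objects, as an added example (not code from the article or from Andress's book). The clearance levels, the "no read up" rule for MAC (the Bell-LaPadula simple security property), and the role and permission names are my own choices for illustration; the two roles echo the backup and printer permissions from the lab described later in the article.

```python
"""
Added example: MAC, DAC and RBAC as three small policy checks.
All subjects, objects, levels and roles are constructed for illustration.
"""
from enum import IntEnum


# --- Mandatory Access Control: labels are set by the system, not the owner --
class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_read(subject_clearance, object_classification):
    """'No read up': a subject may read an object only if its clearance is
    at least the object's classification (Bell-LaPadula simple security)."""
    return subject_clearance >= object_classification


# --- Discretionary Access Control: the owner hands out permissions ----------
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}  # owner starts with everything

    def grant(self, granter, grantee, perm):
        """Only the owner may edit the ACL; that choice is the 'discretion'."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(grantee, set()).add(perm)

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())


# --- Role-Based Access Control: permissions attach to roles, users to roles --
ROLE_PERMISSIONS = {
    "backup_operator": {"file:read", "backup:run"},
    "print_operator": {"printer:manage"},
    "helpdesk": {"user:reset_password"},
}


def rbac_allowed(user_roles, perm):
    """Least privilege falls out naturally: a user holds exactly the union of
    the permissions of the roles assigned, and nothing else."""
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


def demo():
    results = {}
    # MAC: a SECRET-cleared analyst can read CONFIDENTIAL but not TOP_SECRET.
    results["mac_read_down"] = mac_can_read(Level.SECRET, Level.CONFIDENTIAL)
    results["mac_read_up"] = mac_can_read(Level.SECRET, Level.TOP_SECRET)
    # DAC: alice owns a report and grants bob read; bob cannot re-grant it.
    report = DacObject("alice")
    report.grant("alice", "bob", "read")
    results["dac_bob_read"] = report.allowed("bob", "read")
    results["dac_bob_write"] = report.allowed("bob", "write")
    try:
        report.grant("bob", "carol", "read")
        results["dac_bob_regrant"] = True
    except PermissionError:
        results["dac_bob_regrant"] = False
    # RBAC: a backup operator can run backups but cannot manage printers.
    results["rbac_backup_run"] = rbac_allowed({"backup_operator"}, "backup:run")
    results["rbac_backup_printers"] = rbac_allowed({"backup_operator"}, "printer:manage")
    results["rbac_two_roles"] = rbac_allowed({"backup_operator", "print_operator"},
                                             "printer:manage")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast worth noticing is where the decision lives: in MAC it is a comparison of labels the user cannot change, in DAC it is whatever the owner has put in the ACL, and in RBAC it is a lookup through roles, which is why adding a user to the right role (as in a domain controller lab) grants exactly the permissions that role carries.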

In the end, the main concept I needed to learn is that Identification is who we claim to be, and Authentication establishes whether that claim is true or not by providing something we know, have, are, do, or where we are.

The section concludes with a neat little lab using Skillsoft that walks you through creating a user, and then modifying their permissions to allow them to back up their work computer as necessary. Then we moved to the domain controller, where I created another user and gave them permissions to modify printers on the network.

Screenshot of User and Group Accounts Lab
Completion screenshot of TryHackMe Identity and Access Management room.

It was nice to do a practical hands-on lab! Once that was done, I went ahead and searched "access" on #THM and completed the Identity and Access Management room to help further solidify the concepts taught in Section 2 of my class.

I am enjoying learning about this and typed this basic outline up as a way to solidify my learning and share what I've been up to today. Feel free to add comments or ask questions as necessary.
