CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [161]

for maintaining and protecting it. In a computer environment, the custodian is usually the IT department. Network administrators, backup operators, and others perform custodial functions on the data. The security policies, standards, and guidelines should lay out these responsibilities and provide mechanisms to perform them.

User The user is the person or department that uses data. Users of data may perform input, output, editing, and other functions allowed by the role they have in the process.

Two additional roles warrant discussion, and you may find yourself doing one or both of them:

Security professional Security professionals are concerned with one or more aspects of the process. They may be investigators, implementers, testers, or policy developers. Investigators become involved in the process when a security problem has been identified. Testers, on the other hand, may be called to look for exploits or to test security processes for weaknesses. Policy developers help management develop and implement policies for the organization.

Security professionals frequently encounter information they normally wouldn’t need to know. Discretion is a critical skill for a security professional. For example, you may be asked to deny the existence of certain information in an organization. This implicit trust relationship shouldn’t be taken lightly.

Auditor Auditors are involved in the process of ensuring that practices, policies, mechanisms, and guidelines are followed within an organization. This function may involve reviewing documentation, reviewing activity logs, conducting interviews, and performing any number of other tasks necessary to ensure that organizational security policies are followed. The role of the auditor isn’t that of a police officer but rather a consultant. An auditor can help an organization identify and correct deficiencies in security.

Each of these roles presents a special challenge and exposes you to information and processes that most individuals wouldn’t encounter in an organization. It’s important that you take these responsibilities seriously; you shouldn’t divulge the information or processes you uncover to any unauthorized individuals. You must hold yourself to a higher standard than those around you.

Information Access Controls

Access control defines the methods used to ensure that users of your network can access only what they’re authorized to access. The process of access control should be spelled out in the organization’s security policies and standards. Several models exist to accomplish this. Regardless of the model you use, a few concepts carry over among them:

■ Implicit denies are those wherein you specifically lock certain users out. In Unix and Linux, for example, you can choose who can use the at service by configuring either an at.allow or an at.deny file. If you configure the at.allow file, then only those users specifically named can use the service and all others cannot. Conversely, if you configure the at.deny file, then only the users named in that file cannot use the service (you are implicitly denying them) and all others can.

■ Least privilege is the model you should use when assigning permissions. Give users only the permissions they need to do their work and no more.

■ Rotate jobs on a frequent enough basis that you are not putting yourself—and your data—at the mercy of any one administrator. Just as you want redundancy in hardware, you want redundancy in abilities.
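The at.allow/at.deny rule above is a compact illustration of the difference between an allow-list (anyone not named is denied) and a deny-list (anyone not named is permitted). The following model of that decision is an added example written for this page; it is not code from the study guide. The precedence it applies when both files exist (at.allow is checked first and is authoritative) and the default when neither exists (only root may use at) follow the Linux at(1) manual page rather than the text above, and the file contents are constructed for the demonstration.

```python
"""Model of the at.allow / at.deny access decision.

Added example, not from the study guide. Semantics follow the Linux at(1)
man page: if at.allow exists it is authoritative (allow-list); otherwise
at.deny is consulted (deny-list); if neither exists only the superuser may
use at. All file contents below are constructed for the demonstration.
"""
from typing import Optional, Set


def parse_user_list(contents: str) -> Set[str]:
    """One username per line; surrounding whitespace and blank lines are ignored."""
    return {line.strip() for line in contents.splitlines() if line.strip()}


def may_use_at(user: str,
               at_allow: Optional[str],
               at_deny: Optional[str]) -> bool:
    """Return True if `user` may use the at service.

    `at_allow` and `at_deny` hold the contents of /etc/at.allow and
    /etc/at.deny, or None when that file does not exist on the system.
    """
    if at_allow is not None:
        # Allow-list present: only the named users pass; everyone else is denied.
        return user in parse_user_list(at_allow)
    if at_deny is not None:
        # No allow-list, deny-list present: named users are denied, all others pass.
        return user not in parse_user_list(at_deny)
    # Neither file exists: default deny for everyone except the superuser.
    return user == "root"


# Constructed sample contents (hypothetical users) for the demonstration.
ALLOW = "alice\nbob\n"
DENY = "mallory\n"


def demo() -> dict:
    """Evaluate a few users under each file configuration."""
    users = ("alice", "carol", "mallory")
    return {
        "allow-only": {u: may_use_at(u, ALLOW, None) for u in users},
        "deny-only": {u: may_use_at(u, None, DENY) for u in users},
        "both": {u: may_use_at(u, ALLOW, DENY) for u in users},
        "neither": {u: may_use_at(u, None, None) for u in ("alice", "root")},
    }


if __name__ == "__main__":
    for config, result in demo().items():
        print(config, result)
```

Note that the allow-list form is the stricter one and the one that matches least privilege: a new account gets no access until someone deliberately adds it, whereas with a deny-list every new account can use the service until someone remembers to list it.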

The following sections will briefly explain these models:

■ Bell La-Padula model

■ Biba model

■ Clark-Wilson model

■ Information Flow model

■ Noninterference model

Bell La-Padula Model

The Bell La-Padula model was designed for the military to address the storage and protection of classified information. The model is specifically designed to prevent unauthorized access to classified information. The model prevents the user from accessing information that has a higher security rating than they’re authorized to access. The model also prevents information from
