VICEINTELPRO
GitHub: HorrorClause

AAA Controls

Authentication

Authentication is the process of verifying that a claimed identity is genuine. For example, when you log in to your computer you provide a username (the claimed identity) together with a password that only you should know; the password is how you prove that you are that user. Authentication factors fall into three primary categories, with two additional ones that are sometimes listed:

  • Something you know

  • Something you have

  • Something you are

  • Somewhere you are (additional)

  • Something you do (additional)

Let's take a look at some examples.

Something you know, also known as 'authentication by knowledge', is proving your identity using something you can remember, such as a PIN when using your bank card, a password when logging in to a system, or the answer to a security question such as your first pet's name.

This is by far the easiest factor to implement (which is why we use passwords for everything), but it is also the weakest on its own: passwords can be guessed, phished, reused from another site's breach, or cracked offline once a database of password hashes has been stolen.

Something you have, or 'authentication by ownership', is proving your identity with a physical item in your possession, such as an ID badge that uses RFID/NFC to open locked doors at work, a hardware token, or simply the set of keys that gets you into your house or car.

This is a good control, but keys can be stolen or copied, so holding a set of house keys does not actually prove that you own the house. This is why we combine factors to build secure access controls - more on this in a minute.

Something you are, or 'authentication by characteristic', is one of the hardest factors to bypass because it is tied directly to the individual. Biometric systems authenticate using fingerprints, retinal or iris scans, or face recognition (such as Face ID on iPhones). Because these characteristics belong to one person (all our fingerprints are unique), they are very hard to impersonate and are a strong indicator that the individual is who they claim to be. Two caveats matter in practice: biometric matching is probabilistic (every system has a false-accept rate), and a compromised biometric cannot be rotated the way a password can, so it should be paired with another factor rather than relied on alone.

To have strong authentication that ensures only the right people gain access to buildings and systems, we need a combination of at least two, and preferably three, of these factors. As mentioned earlier, someone can steal your keys, but if your house has an alarm system that requires a 6-digit PIN to disarm, a burglar with only the keys will trigger the alarm. Likewise, passwords can be stolen or cracked, but if you also use an authenticator app that generates a time-based one-time code, an attacker cannot get into your account unless they also obtain your phone (or the secret seed the app was enrolled with).

When we require controls from two or three of these categories, we are using a 'multi-factor' approach to access security. Note that two controls from the same category (a password plus a security question, for example) are two instances of the same factor, not multi-factor authentication.
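The password-plus-authenticator-app combination described above, as an added example that is not part of the original page: a login check that requires something you know (a salted, hashed password) and something you have (a TOTP code as produced by an authenticator app, per RFC 4226/6238). The user "alice", her password and the user store are made up; the TOTP seed is the published RFC 6238 test vector, so the codes can be checked against that document.

```python
"""Two-factor login check: something you know (a password) plus something you
have (a time-based one-time code from an authenticator app).
Added example, not code from the original page; the user, password and user
store are made up, and the TOTP seed is the RFC 6238 test vector."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The store keeps (salt, digest), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current step plus/minus `drift` steps to tolerate clock skew.
    The comparison is constant-time so timing does not reveal how close a guess was."""
    for offset in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(key, now // step + offset), code):
            return True
    return False


# Constructed user store (assumption: a real system loads this from a database).
USERS = {
    "alice": {
        "pw": hash_password("correct horse battery staple", b"\x00" * 16),
        "totp_key": b"12345678901234567890",
    }
}


def verify_login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated and only True/False is
    returned, so the caller cannot tell which factor failed or whether the user exists."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames are valid.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = user["pw"]
    _, candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(stored, candidate)
    code_ok = verify_totp(user["totp_key"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    seed = USERS["alice"]["totp_key"]
    t = 59  # RFC 6238 test time; the 8-digit code for this seed is 94287082
    print(totp(seed, t, digits=8))
    print(verify_login("alice", "correct horse battery staple", totp(seed, t), now=t))  # True
    print(verify_login("alice", "correct horse battery staple", "000000", now=t))       # False
```

The point of the example is the last line of `verify_login`: a correct password with a wrong code fails, and a correct code with a wrong password fails, so an attacker who has phished the password still needs the phone (or the enrolled seed). The drift window is the usual compromise between clock skew and the number of codes an attacker can try at any moment; a production system would also rate-limit attempts and refuse to accept the same code twice.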

Authorization

Authorization is about what an authenticated user is permitted to do. For example, Joe Bloggs needs access through the turnstiles at the building entrance and through the locked doors that lead to the room where his team works. Joe does not need access to the kitchens, the loading area, or the executive offices. By granting Joe's ID card only the access he requires, we limit where he can go to the necessary areas. This process of defining what an entity can and cannot access is called authorization.

The same applies to account-based permissions in Windows Active Directory, internal tools, and online services. A Tier 1 SOC analyst needs access to the SIEM interface to investigate and respond to security events, but they do not need administrative access to the SIEM back end where detection rules and log sources are configured.

Following the principle of least privilege, we give individuals only the access they require to do their job, and nothing more. If everyone had unlimited access, then a single compromised account would hand all of that access to the attacker; by reducing what each employee can reach, we also reduce what an attacker or insider threat could gain and abuse. Least privilege also means deny by default: anything that has not been explicitly granted is refused.
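The SOC example above as an added example (not code from the original page): a deny-by-default, role-based authorization check in which a Tier 1 analyst can read and comment on alerts but cannot touch rules or log sources, plus a `blast_radius` helper that shows how much an attacker would gain from each account. The roles, permission names, users and the permission catalogue are all invented for the illustration.

```python
"""Deny-by-default, role-based authorization for the SOC example.
Added example, not code from the original page; roles, permission names,
users and the permission catalogue are invented."""
from typing import Dict, FrozenSet, Iterable, Set

# Each role lists exactly what that job needs. Nothing outside the list is implied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "soc_tier1": frozenset({"siem:alerts:read", "siem:alerts:comment", "siem:search"}),
    "detection_engineer": frozenset({"siem:alerts:read", "siem:search",
                                     "siem:rules:write", "siem:sources:write"}),
    # An over-broad role, included only to show the exposure it creates.
    "siem_admin": frozenset({"siem:*"}),
}

USER_ROLES: Dict[str, FrozenSet[str]] = {
    "tier1_tom": frozenset({"soc_tier1"}),
    "eng_erin": frozenset({"detection_engineer"}),
    "admin_al": frozenset({"siem_admin"}),
}

# Every permission the (hypothetical) SIEM exposes; used to measure reach.
PERMISSION_CATALOGUE: FrozenSet[str] = frozenset({
    "siem:alerts:read", "siem:alerts:comment", "siem:search",
    "siem:rules:write", "siem:sources:write", "siem:users:write",
})


def _matches(granted: str, requested: str) -> bool:
    """'siem:*' covers anything under 'siem:'; otherwise require an exact match."""
    if granted.endswith(":*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def permissions_for(user: str) -> Set[str]:
    """Union of the user's role grants. Unknown users and unknown roles get nothing."""
    grants: Set[str] = set()
    for role in USER_ROLES.get(user, frozenset()):
        grants |= ROLE_PERMISSIONS.get(role, frozenset())
    return grants


def is_authorized(user: str, permission: str) -> bool:
    """Deny by default: True only if some grant explicitly covers the request."""
    return any(_matches(g, permission) for g in permissions_for(user))


def blast_radius(user: str, catalogue: Iterable[str] = PERMISSION_CATALOGUE) -> Set[str]:
    """What an attacker gains by compromising this account: every catalogued
    permission the account can exercise. Smaller is better."""
    return {p for p in catalogue if is_authorized(user, p)}


if __name__ == "__main__":
    print(is_authorized("tier1_tom", "siem:alerts:read"))   # True
    print(is_authorized("tier1_tom", "siem:rules:write"))   # False
    print(is_authorized("nobody", "siem:alerts:read"))      # False
    for u in USER_ROLES:
        print(u, len(blast_radius(u)), "of", len(PERMISSION_CATALOGUE))
```

Two design points are worth noticing. `is_authorized` never has an "allow" branch that does not trace back to an explicit grant, so a typo in a role name or a missing user entry fails closed rather than open. And `blast_radius` turns least privilege into a number you can review: the Tier 1 account exposes three permissions, the wildcard admin role exposes every permission that exists, including ones added after the role was written.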

Accountability

Accountability is the ability to establish what happened, by whom, and when, so that it can be used as evidence during a security event or incident. Let's consider two examples:

An employee logs into their corporate laptop at 2 AM and begins deleting files from SharePoint. To hold that employee accountable, we can show sign-in logs proving that they logged into their system and into SharePoint outside normal working hours, and SharePoint audit logs showing that the files were deleted by that specific user. The organization can then account for the actions taken. This only works if the logs exist, are retained long enough, and cannot be altered by the user whose actions they record, so log collection, retention, and integrity protection are part of the control.

In the second example, physical equipment is stolen from an office, and the physical security team can see that John Smith's ID card was used at the front gates and at internal locked doors. CCTV footage can then confirm whether this was actually John, or whether someone stole or cloned his ID card to get into the building.

Accountability helps validate what happened and by whom, and in some cases helps uncover whether the individual really acted or whether someone else used their identity to carry out malicious actions. It depends on the other two A's: authentication ties an action to an identity, and authorization records what that identity was allowed to do.
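The first accountability example above (after-hours sign-in followed by SharePoint deletions), as an added example that is not part of the original page: a small review script that correlates sign-in events and SharePoint audit events per user and reports after-hours deletions together with the sign-ins that preceded them. The log lines are constructed for the illustration, not real telemetry, and the field names (`ts`, `source`, `user`, `result`, `op`, `item`) are an assumed normalised JSON schema rather than any vendor's native format; business hours are assumed to be 08:00 to 18:00 UTC.

```python
"""Accountability review: after-hours SharePoint deletions correlated with the
sign-ins of the same user. Added example, not code from the original page.
The log lines are constructed and the JSON field names are an assumed
normalised schema, not a vendor format."""
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample log (not real data): one sign-in feed and one SharePoint
# audit feed, normalised to JSON lines with ISO-8601 UTC timestamps.
SAMPLE_LOG = """
{"ts":"2024-05-14T09:02:11Z","source":"signin","user":"jsmith","result":"Success","device":"LT-0422"}
{"ts":"2024-05-14T09:05:40Z","source":"sharepoint","user":"jsmith","op":"FileDownloaded","item":"/sites/eng/plan.docx"}
{"ts":"2024-05-15T02:01:03Z","source":"signin","user":"jsmith","result":"Success","device":"LT-0422"}
{"ts":"2024-05-15T02:03:27Z","source":"sharepoint","user":"jsmith","op":"FileDeleted","item":"/sites/eng/roadmap.xlsx"}
{"ts":"2024-05-15T02:03:29Z","source":"sharepoint","user":"jsmith","op":"FileDeleted","item":"/sites/eng/budget.xlsx"}
{"ts":"2024-05-15T02:03:31Z","source":"sharepoint","user":"jsmith","op":"FileDeleted","item":"/sites/eng/contracts.pdf"}
{"ts":"2024-05-15T14:20:00Z","source":"sharepoint","user":"bjones","op":"FileDeleted","item":"/sites/hr/old.txt"}
{"ts":"2024-05-15T22:10:00Z","source":"sharepoint","user":"cwhite","op":"FileDeleted","item":"/sites/fin/q1.xlsx"}
{"ts":"2024-05-15T23:45:00Z","source":"signin","user":"bjones","result":"Failure","device":"unknown"}
"""

WORK_START, WORK_END = 8, 18  # assumed business hours; this example treats them as UTC


def parse_log(text: str) -> List[Dict]:
    """One JSON object per line. Keeps the raw timestamp for reporting and
    adds a timezone-aware datetime for comparisons."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["when"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_after_hours(when: datetime, start: int = WORK_START, end: int = WORK_END) -> bool:
    """True outside [start, end). A real deployment converts to the user's local
    zone first, otherwise remote staff are flagged for ordinary daytime work."""
    return when.hour < start or when.hour >= end


def after_hours_deletions(records: List[Dict], min_deletes: int = 1) -> List[Dict]:
    """Per user: after-hours FileDeleted items plus the successful after-hours
    sign-ins that authenticate those actions. A user with deletions but no
    sign-in is still reported: that pattern (a session reused or a stolen
    token) is exactly what an accountability review needs to surface."""
    signins: Dict[str, List[str]] = {}
    deletes: Dict[str, List[str]] = {}
    for r in records:
        if not is_after_hours(r["when"]):
            continue
        if r["source"] == "signin" and r.get("result") == "Success":
            signins.setdefault(r["user"], []).append(r["ts"])
        elif r["source"] == "sharepoint" and r.get("op") == "FileDeleted":
            deletes.setdefault(r["user"], []).append(r["item"])
    findings = []
    for user, items in sorted(deletes.items()):
        if len(items) >= min_deletes:
            findings.append({"user": user, "signins": signins.get(user, []), "deleted": items})
    return findings


if __name__ == "__main__":
    for finding in after_hours_deletions(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the sample, the script reports jsmith (three deletions at 02:03, preceded by a successful 02:01 sign-in from device LT-0422) and cwhite (one after-hours deletion with no matching sign-in), and ignores bjones, whose deletion was during working hours and whose late sign-in failed. The two findings need different follow-up: the first is the evidence chain the text describes, the second is where you ask whether the identity was really the person.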


Last updated 3 months ago
