Chapter 2: Access Control Models and CVSS Vulnerability Scoring

Learning Objectives

Section 1: Access Control Models

Pre-Quiz — Section 1: Access Control Models

1. Which access control model delegates access decisions to the resource owner rather than a central authority?

2. The Bell-LaPadula model enforces "no write down." What does this prevent?

3. An ABAC policy grants access only to physicians viewing patients on their own ward during business hours. What property makes this impossible with pure RBAC?

Discretionary Access Control (DAC)

Under DAC, the owner of a resource decides who else can access it. Linux file permissions (chmod 640) and Windows ACLs are classic implementations. The owner exercises personal discretion — grant, revoke, and delegate access at will.

Strength: Flexible and familiar. Weakness: Security depends entirely on the owner's judgment; a single mistake by an untrained user can expose sensitive data to the entire organisation.

AttributeDAC
Who controls access?Resource owner
FlexibilityHigh — owners can grant/revoke at will
ScalabilityPoor — fragile in large orgs
Insider threat riskHigh — a malicious owner can leak data
Typical environmentSmall teams, personal workstations

Mandatory Access Control (MAC)

MAC removes access decisions from individual users. A central authority assigns security labels to both subjects (users, processes) and objects (files, ports). No user — not even the owner — can override labels. The Bell-LaPadula model governs classified systems with two core rules:

Modern implementations include SELinux and AppArmor, which enforce type-enforcement labels on every process and file.

graph TD TS["Top Secret (Clearance Level 4)"] S["Secret (Clearance Level 3)"] C["Confidential (Clearance Level 2)"] U["Unclassified (Clearance Level 1)"] TS -->|"No Write Down (Star Property)"| S S -->|"No Write Down (Star Property)"| C C -->|"No Write Down (Star Property)"| U U -->|"No Read Up (Simple Security)"| C C -->|"No Read Up (Simple Security)"| S S -->|"No Read Up (Simple Security)"| TS

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles, then assigns users to roles. A hospital defines physician, nurse, billing_clerk, and system_admin roles. A new hire inherits correct permissions by role assignment alone — no individual ACL management required.

RBAC naturally enforces least privilege: an accountant cannot restart database servers because no accounting role carries that permission. Auditing is simplified — inspect role definitions rather than thousands of individual ACLs.

RoleCustomer RecordsFinancial ReportsNetwork ConfigServer Admin
Sales RepReadNoneNoneNone
Finance AnalystNoneRead/WriteNoneNone
Network EngineerNoneNoneRead/WriteNone
IT AdminNoneNoneRead/WriteRead/Write
CISOReadReadReadRead

Attribute-Based Access Control (ABAC)

ABAC evaluates access requests against rich attributes from the subject, object, action, and environment. A Policy Decision Point (PDP) evaluates policies in real time — enabling rules like "a physician may view a patient record from an internal workstation during business hours, but only for patients on their ward." No static role matrix can capture this context-sensitivity.

Enterprises commonly layer RBAC + ABAC: RBAC for stable job-function policies, ABAC for dynamic conditions like location, device health, and time-of-day.

ScenarioRecommended Model
Small team, personal filesDAC
Classified government systemMAC
Large corporate IT environmentRBAC
Zero-trust cloud platformABAC
Dynamic contractor workforceRBAC + ABAC hybrid
Access Control Model Spectrum Rigidity ← → Flexibility Most Rigid Most Flexible MAC Mandatory Central authority Security labels Bell-LaPadula Govt · Military RBAC Role-Based Job-function roles Least privilege Admin-assigned Enterprise IT ABAC Attribute-Based Context-aware PDP Dynamic policies XACML / OIDC Zero-Trust · Cloud DAC Discretionary Owner decides ACLs · chmod High insider risk Small teams · Home Generic Access Decision Flow Subject user / process Policy Engine label/role/attr Permit or Deny Object file / resource MAC: labels enforced by system · RBAC: roles assigned by admin · ABAC: real-time attribute evaluation · DAC: owner discretion ───────────────────────────────────────────────────────────────── Enterprises often layer RBAC (coarse-grained) with ABAC (fine-grained, dynamic conditions)

Key Points — Access Control Models

Section 2: AAA and Advanced Access Controls

Pre-Quiz — Section 2: AAA and Advanced Access Controls

4. Which AAA component answers "What is the user allowed to do?"

5. TACACS+ is preferred over RADIUS for Cisco device administration primarily because:

Authentication, Authorization, and Accounting (AAA)

AAA is the three-part framework governing identity-based access in network infrastructure. Think of it as a nightclub:

Accounting is critical for compliance and forensics. When an auditor asks "who changed the BGP route table at 03:14 on Tuesday?", accounting logs provide the answer.

sequenceDiagram participant U as User / Device participant NAS as Network Access Server (Switch / VPN / AP) participant AAA as AAA Server (RADIUS / TACACS+) participant IdP as Identity Provider (Entra ID / Okta) U->>NAS: 1. Connection request NAS->>U: 2. Authentication challenge U->>NAS: 3. Credentials (username + password / cert) NAS->>AAA: 4. Access-Request (Authentication) AAA->>IdP: 5. Proxy to IdP (optional MFA) IdP-->>AAA: 6. Identity confirmed AAA-->>NAS: 7. Access-Accept + user attributes Note over NAS: Authorization enforced (VLAN, ACL, privilege level) NAS-->>U: 8. Access granted NAS->>AAA: 9. Accounting-Start (session begins) Note over AAA: Logs: user, time, bytes, commands executed NAS->>AAA: 10. Accounting-Stop (session ends)

Rule-Based and Time-Based Access Control

Rule-based access control conditions access on explicitly defined rules regardless of user identity. Cisco ACLs are the canonical example — permit tcp 10.0.0.0 0.0.0.255 any eq 443 applies independent of who sent the packet.

Time-based access control restricts access to defined time windows, reducing attack surface during off-hours:

time-range CONTRACTORS
 periodic weekdays 08:00 to 17:00
!
ip access-list extended CONTRACTOR-VPN
 permit ip any any time-range CONTRACTORS

RADIUS vs. TACACS+

FeatureRADIUSTACACS+
TransportUDP 1645/1646 or 1812/1813TCP 49
EncryptionPassword onlyFull packet body
AAA separationCombined (A+A)Separated (A, A, A)
GranularityLimited command authPer-command authorization
StandardOpen (RFC 2865)Cisco proprietary
Best forNetwork access (802.1X, VPN)Device administration (CLI)

Modern deployments integrate RADIUS and TACACS+ with centralised Identity Providers (IdPs) such as Microsoft Entra ID or Okta. IdPs centralise identity, enforce MFA, and federate via SAML 2.0 or OIDC, giving device-level TACACS+ granularity plus enterprise-wide identity governance.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

Key Points — AAA and Advanced Access Controls

Section 3: CVSS Scoring Framework

Pre-Quiz — Section 3: CVSS Scoring Framework

6. What does CVSS Base Score measure?

7. A vulnerability's CVSS Base Score is 9.1. An analyst applies Environmental metrics, setting Modified Attack Vector to Adjacent and Confidentiality Requirement to Low. What is the expected effect?

8. Log4Shell (CVE-2021-44228) received a CVSS Base Score of 10.0. Which metric, when set to "Changed," most significantly contributed to pushing the score to maximum?

CVSS v3.1 Overview

The Common Vulnerability Scoring System (CVSS) is an open framework published by FIRST for communicating vulnerability characteristics and severity. Version 3.1 produces a numeric score from 0 to 10. A critical distinction: CVSS measures severity, not risk. It evaluates intrinsic, worst-case technical impact independent of exploit likelihood or asset value.

Scores are organized into three metric groups applied in sequence:

Base Score → Temporal Score → Environmental Score

Base Metrics

Exploitability metrics measure how easily an attacker can reach and exploit the vulnerability:

MetricValuesMeaning
Attack Vector (AV)Network, Adjacent, Local, PhysicalHow remotely the attacker must be positioned
Attack Complexity (AC)Low, HighConditions beyond attacker control that must exist
Privileges Required (PR)None, Low, HighPre-existing access level needed
User Interaction (UI)None, RequiredWhether a victim must take an action

Impact metrics measure consequences on the CIA triad. Scope (S) is uniquely important: if exploitation affects components beyond the vulnerable component (Scope: Changed), a higher multiplier (7.52 vs 6.42) substantially inflates the score. Log4Shell's Scope: Changed is what pushed it to 10.0.

Temporal Metrics

Temporal metrics capture factors that change over time — primarily exploit availability and patch status:

MetricValuesEffect
Exploit Code Maturity (E)High, Functional, Proof-of-Concept, UnprovenHigher weaponisation → higher score
Remediation Level (RL)Unavailable, Workaround, Temporary Fix, Official FixAvailable fix → lower score
Report Confidence (RC)Confirmed, Reasonable, UnknownLower confidence → slight reduction
flowchart LR D0["Day 0: Temporal ~7.4\nUnproven exploit\nNo patch\nUnknown confidence"] D7["Day 7: Temporal ~7.9\nProof-of-Concept\nNo patch\nReasonable confidence"] D30["Day 30: Temporal ~8.1\nFunctional exploit\nWorkaround only\nConfirmed"] D90["Day 90: Temporal ~7.5\nFunctional exploit\nOfficial patch\nConfirmed"] D0 -->|"PoC published"| D7 D7 -->|"Metasploit module released"| D30 D30 -->|"Vendor patch issued"| D90

Environmental Metrics

Environmental metrics allow an organisation to contextualise the score for their specific deployment:

A Base Score of 9.1 on an internal staging server with no production data might drop to ~5.2 after Environmental adjustments — still worth patching, but no longer a P1 emergency.

CVSS v3.1 Score Calculation Pipeline Base Metrics Exploitability • Attack Vector (AV) • Attack Complexity (AC) • Privileges Required (PR) • User Interaction (UI) Impact + Scope • Confidentiality / Integrity / Availability • Scope (S) — Changed or Unchanged → Base Score 0–10 Temporal Metrics Optional — changes over time • Exploit Code Maturity (E) High / Functional / PoC / Unproven • Remediation Level (RL) Unavailable → Official Fix • Report Confidence (RC) Unknown → Confirmed → Temporal Score Environmental Metrics Optional — organisation context • Modified Base Metrics Override AV, AC, PR, UI, CIA, Scope • Security Requirements CR: Confidentiality Req. IR: Integrity Req.   AR: Availability Req. High / Medium / Low per asset → Environmental Score CVSS v3.1 Severity Ratings 0.0 — None 0.1–3.9 — Low 4.0–6.9 — Medium 7.0–8.9 — High 9.0–10.0 — Critical CVSS measures severity, not risk. Temporal and Environmental scores add real-world context. Log4Shell: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H → Base Score 10.0 (Critical) ────────────────────────────────────────────────────────────────────────── Scope: Changed uses multiplier 7.52 instead of 6.42 — substantially inflates the final score

Key Points — CVSS Scoring Framework

Section 4: Risk, Threat, Vulnerability, and Exploit

Pre-Quiz — Section 4: Risk, Threat, Vulnerability, and Exploit

9. An unpatched buffer overflow in a production web server is best described as a:

10. In the vulnerability management lifecycle, what is the correct order of the first three steps?

Definitions and Relationships

TermDefinitionExample
VulnerabilityA weakness in a system, design, or processUnpatched buffer overflow in a web server
ThreatA potential cause of unwanted impact — actor or event that could exploit a vulnerabilityA ransomware group scanning for that overflow
ExploitThe technical mechanism by which a threat actor leverages a vulnerabilityMetasploit module or a custom PoC payload
RiskThe potential for loss: threat likelihood × impactP(exploitation) × business impact value

Analogy: A cracked lock (vulnerability) on your back door. A burglar (threat) in the neighbourhood. A crowbar technique (exploit). The probability × value inside (risk). Fix the lock (remediation), install an alarm (compensating control), or accept if nothing valuable is stored.

Risk Scoring and Reduction Strategies

The quantitative risk formula: Risk = Threat Likelihood × Vulnerability Severity × Asset Value

StrategyDescriptionExample
RemediationEliminate the vulnerabilityApply the vendor patch
MitigationReduce likelihood or impactWAF rule to block the attack vector
AcceptanceAcknowledge and tolerate the riskLow-criticality internal dev server
TransferShift financial impactCyber insurance policy

Threat Actors

CategoryMotivationCapabilityExamples
Nation-stateEspionage, disruptionVery highAPT28, APT41, Lazarus Group
Organised crimeFinancialHighConti, FIN7, REvil
HacktivistIdeologicalMediumAnonymous, GhostSec
Insider threatGrievance, profitVariableDisgruntled employee, contractor
Script kiddieNotorietyLowAutomated scanning toolkits

Vulnerability Management Lifecycle

  1. Asset Discovery: Inventory all systems (network scanning, CMDB, cloud asset APIs)
  2. Vulnerability Scanning: Authenticated scans (Nessus, Qualys, OpenVAS) identify CVEs present in the environment
  3. Prioritization: Apply CVSS Environmental scores, asset criticality, and threat intelligence to rank findings
  4. Remediation: Patch, reconfigure, or mitigate high-priority findings; track SLAs (Critical: 24h, High: 7d, Medium: 30d)
  5. Verification: Re-scan to confirm remediation; run penetration tests for critical findings
  6. Reporting: Communicate risk posture to leadership; feed metrics into GRC platforms
flowchart TD A["1. Asset Discovery\nNetwork scan · CMDB · Cloud APIs"] B["2. Vulnerability Scanning\nNessus · Qualys · OpenVAS\nAuthenticated scan → CVE list"] C["3. Prioritization\nCVSS Environmental Score\n+ Asset Criticality\n+ Threat Intelligence"] D{"4. Remediation Decision"} E["Patch / Remediate\nApply vendor fix\nSLA: Critical 24h · High 7d"] F["Mitigate\nWAF rule · Network segment\nCompensating control"] G["Accept Risk\nDocument · Sign off\nReview at next cycle"] H["5. Verification\nRe-scan · Pen test\nConfirm closure"] I["6. Reporting\nRisk posture dashboard\nGRC platform · Leadership"] A --> B --> C --> D D -->|"High severity"| E D -->|"Medium / constrained"| F D -->|"Low / accepted"| G E --> H F --> H G --> I H --> I I -->|"Continuous loop"| A

Key Points — Risk, Threat, Vulnerability, and Exploit

Section 5: Defense-in-Depth and Detection Approaches

Pre-Quiz — Section 5: Defense-in-Depth and Detection Approaches

11. A UEBA system flags a user downloading 10 GB at 02:00 when their baseline is under 100 MB/day. Which detection paradigm does this exemplify?

12. What is the 5-tuple in network flow analysis?

13. Signature-based detection (e.g., Snort rules) has a significant blind spot compared to behavioral detection. What is it?

Defense-in-Depth Strategy

Defense-in-depth (DiD) layers security controls so no single failure compromises the entire system — analogous to a medieval castle's concentric walls, moat, keep, and vault.

LayerControlsExamples
PerimeterBoundary filteringEdge firewall, DDoS scrubbing, BGP RTBH
NetworkSegmentation, inspectionInternal firewalls, IPS, VLANs, micro-segmentation
HostEndpoint protectionEDR, host firewall, patch management, FIM
ApplicationInput validation, authWAF, SAST/DAST, secure SDLC, MFA
DataClassification, encryptionDLP, TLS, encryption at rest, data labelling
IdentityIAM governanceRBAC, ABAC, MFA, PAM, just-in-time access
PhysicalFacility controlsBadge readers, CCTV, locked server rooms

Detection Paradigms

Detection TypeStrengthsWeaknessesTooling
Rule-based / SignatureLow FP for known threats, fast, deterministicZero-day blind spot, requires constant updatesSnort, Suricata, YARA
Behavioral / UEBADetects novel attacks and insider threatsHigher FP rate, baseline requiredSplunk UBA, Microsoft Sentinel
Statistical / MLScales to volume, uncovers subtle signalsOpaque models, requires labeled dataDarktrace, Vectra AI, Elastic ML

5-Tuple Analysis and Data Loss Detection

The 5-tuple — Source IP, Destination IP, Source Port, Destination Port, Protocol — is the fundamental unit of network flow identification. Stateful firewalls use the 5-tuple to track connection state; security analysts use it for exfiltration detection:

Alert trigger: Outbound flow volume > 1 GB to single external IP
5-tuple:        (10.10.5.42, 185.220.101.5, 49152, 443, TCP)
Duration:       47 minutes
Bytes sent:     1.4 GB
Bytes received: 0.8 MB

Analysis:
- Source: Marketing workstation (low classification)
- Destination: 185.220.101.5 → Tor exit node (threat intel)
- Ratio: 1400:0.8 MB (upload-heavy = exfiltration profile)
- Preceded by large SMB access to \\fileserver\HR

Action: Isolate 10.10.5.42, block 185.220.101.5/32 at
        perimeter firewall, preserve PCAP, escalate to CSIRT.
5-Tuple Flow Tracking and Host Isolation Workstation Src: 10.10.5.42 Src Port: 49152 Firewall 5-tuple inspection NetFlow export NetFlow IDS / SIEM Correlates 5-tuples Anomaly detection 1.4 GB Tor Exit Node Dst: 185.220.101.5 Dst Port: 443 Identified 5-Tuple ( 10.10.5.42 | 185.220.101.5 | 49152 | 443 | TCP ) Src IP Dst IP Src Port Dst Port Protocol ALERT: Exfiltration Upload-heavy flow to Tor exit node Action: Isolate Host Block 5-tuple at perimeter · Preserve PCAP 5-tuple is consistent across all hops — enables end-to-end flow correlation Stateful firewalls track 5-tuples to maintain session state and permit return traffic Upload:download ratio of 1400:0.8 MB is a strong exfiltration signature even with TLS encryption ────────────────────────────────────────────────────── DNS tunneling: large UDP/53 responses (>512 bytes) from a workstation → C2 indicator

Key Points — Defense-in-Depth and Detection Approaches

Post-Quiz: Test Your Understanding

Post-Quiz — Section 1: Access Control Models

1. Which access control model delegates access decisions to the resource owner rather than a central authority?

2. The Bell-LaPadula model enforces "no write down." What does this prevent?

3. An ABAC policy grants access only to physicians viewing patients on their own ward during business hours. What property makes this impossible with pure RBAC?

Post-Quiz — Section 2: AAA and Advanced Access Controls

4. Which AAA component answers "What is the user allowed to do?"

5. TACACS+ is preferred over RADIUS for Cisco device administration primarily because:

Post-Quiz — Section 3: CVSS Scoring Framework

6. What does CVSS Base Score measure?

7. A vulnerability's CVSS Base Score is 9.1. An analyst applies Environmental metrics, setting Modified Attack Vector to Adjacent and Confidentiality Requirement to Low. What is the expected effect?

8. Log4Shell (CVE-2021-44228) received a CVSS Base Score of 10.0. Which metric, when set to "Changed," most significantly contributed to pushing the score to maximum?

Post-Quiz — Section 4: Risk, Threat, Vulnerability, and Exploit

9. An unpatched buffer overflow in a production web server is best described as a:

10. In the vulnerability management lifecycle, what is the correct order of the first three steps?

Post-Quiz — Section 5: Defense-in-Depth and Detection Approaches

11. A UEBA system flags a user downloading 10 GB at 02:00 when their baseline is under 100 MB/day. Which detection paradigm does this exemplify?

12. What is the 5-tuple in network flow analysis?

13. Signature-based detection (e.g., Snort rules) has a significant blind spot compared to behavioral detection. What is it?

Your Progress

Answer Explanations