The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 172

Manage Devices in Groups, Too


Two powerful ideas come together when you think about managing access control for groups of devices rather than one by one.

 Trusted classes or groups of devices should serve business functions and have the privileges those devices (and their onboard firmware and software) need in order to fulfill those functions.

 Nefarious or untrustworthy devices can easily masquerade as other types of devices, as part of an attempted intrusion into your systems.

Applying these principles would lead us to doubt the legitimacy of a printer, for example, that tries to create or modify the security settings of a user or process ID, or to raise an alarm when an intrusion detection system tries to read the company's employee or payroll database. As with people-based identities, device-based identities can be spoofed, and legitimate known devices previously deemed trustworthy can be misused, deliberately or accidentally. A lost or stolen smartphone illustrates the need for device-level access control.

This is not just an endpoint problem! Poorly secured systems and their Wi-Fi access points can end up allowing an intruder device to spoof itself as the Dynamic Host Configuration Protocol (DHCP) server for that LAN segment, handing clients a default gateway and DNS servers of the attacker's choosing. You wouldn't normally consider service providers such as DHCP to be endpoint functions, so over-focusing your security efforts on the endpoints alone may not help you much in such cases.
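The two ideas above, trusted device classes with function-appropriate privileges and the detection of a device acting outside its class, can be reduced to a per-class allow-list checked against an activity log. The following is an added illustration written for this page, not code from the book: the inventory, the classes (printer, ids-sensor, dhcp-server, workstation), the policy entries and the log lines are all constructed for the example. It treats "answering DHCP requests" as just another action that only the dhcp-server class may perform, so the rogue DHCP case is caught by the same rule as the printer that edits a user account.

```python
"""Device-class access policy audit (added illustration, not the book's code).

Assumptions (constructed for this example): every device is inventoried under
a class, each class has an allow-list of (action, resource glob) pairs, and
activity arrives as lines of the form "<device> <action> <resource>".
Anything not explicitly allowed for the device's class is a violation.
"""
from fnmatch import fnmatch

# Constructed inventory: device identity -> class. In practice this comes from
# an asset database or a NAC/802.1X system, and the identity should be one the
# device can prove (a certificate), since a bare MAC address is easily spoofed.
INVENTORY = {
    "prn-lobby-01": "printer",
    "ids-core-01": "ids-sensor",
    "dhcp-01": "dhcp-server",
    "ws-alice": "workstation",
}

# Per-class allow-list of (action, resource pattern). Deny by default.
POLICY = {
    "printer":     [("print", "queue:*"), ("read", "ldap:addressbook")],
    "ids-sensor":  [("read", "netflow:*"), ("write", "siem:alerts")],
    "dhcp-server": [("dhcp-offer", "net:*"), ("read", "dhcp:leases")],
    "workstation": [("read", "share:*"), ("print", "queue:*")],
}


def classify(device):
    """Return the device's inventoried class, or 'unknown' if not inventoried."""
    return INVENTORY.get(device, "unknown")


def is_permitted(device, action, resource):
    """True only if the device's class explicitly allows this action/resource."""
    cls = classify(device)
    return any(action == a and fnmatch(resource, pattern)
               for a, pattern in POLICY.get(cls, []))


def parse_event(line):
    """Split a constructed '<device> <action> <resource>' log line."""
    device, action, resource = line.split()
    return device, action, resource


def audit(lines):
    """Return (device, class, action, resource) for every event not permitted."""
    findings = []
    for line in lines:
        device, action, resource = parse_event(line.strip())
        if not is_permitted(device, action, resource):
            findings.append((device, classify(device), action, resource))
    return findings


# Constructed sample activity log.
SAMPLE_LOG = [
    "prn-lobby-01 print queue:lobby",
    "prn-lobby-01 modify iam:user/bob",      # printer editing a user account
    "ids-core-01 write siem:alerts",
    "ids-core-01 read db:payroll",           # IDS reading the payroll database
    "dhcp-01 dhcp-offer net:10.0.1.0/24",
    "ws-alice dhcp-offer net:10.0.1.0/24",   # workstation answering DHCP requests
    "cam-unknown-77 read share:finance",     # device not in the inventory at all
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("VIOLATION device=%s class=%s action=%s resource=%s" % finding)
```

Running the block flags four of the seven events: the printer modifying an IAM user, the IDS reading payroll, the workstation issuing DHCP offers, and the uninventoried device, whose class resolves to "unknown" and therefore matches no allow-list at all. The deny-by-default shape is the point: a new device type gets no privileges until someone writes its class into the policy, and the spoofing caveat in the text is why the identity feeding `classify()` should be attestable rather than a self-reported hostname.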

