Domain 5 – Identity and Access Management

Domain 5 – Identity and Access Management
Physical and logical assets control – bar coding and inventory tagging
Identification and authentication of people and devices
Identity as a service – SAML
Third-party identity services – AD questions and how passwords are stored
Access control attacks – know brute-force attacks and every way to log on as someone else
Identity and access provisioning lifecycle (provisioning review)

Physical and logical assets control – Bar coding/Inventory
RFID, bar coding and inventory tagging give the organization the ability to account for its assets and prevent theft, which reduces risk.

Identification and authentication of people and devices
Know brute-force attacks; they work best against spreadsheets and their passwords.
Biometrics:
False Rejection – failure to recognize a legitimate user – Type I error
False Acceptance – erroneous recognition, either by confusing one user with another or by accepting an impostor as a legitimate user – Type II error
Biometric factors: fingerprint readers, facial recognition, hand geometry, voice recognition, iris pattern, retinal scanning, signature dynamics, vascular patterns (difficult to forge, contactless, varied uses, 1:1 or 1:many matches), keystroke dynamics

Identification and authentication of people and devices, cont.
CER – Crossover error rate (also called equal error rate): the threshold at which the false rejection rate and the false acceptance rate are equal.
Object reuse – disk space that was allocated and not properly released back to the OS, so its contents remain available for reuse.
Tempest attack and white noise – expect a few questions. A Tempest attack reads a screen from a distance through its electromagnetic emanations; white noise is a countermeasure you can pump down a wire to scramble or mask that signal.
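Added example (not from the slide deck): the Type I and Type II error rates above, computed for constructed match scores at several acceptance thresholds, and the threshold where they meet, which is the CER. The score values and the accept-if-score-at-least-threshold rule are assumptions for illustration.

```python
# Added example (not from the slide deck): compute biometric error rates for a
# match-score threshold and find the crossover error rate (CER).
# Scores are constructed sample data, not measurements from any real device.

# Match scores from legitimate users trying to authenticate as themselves.
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.70, 0.65, 0.60, 0.52, 0.45, 0.40]
# Match scores from impostors (or mismatched users) against the same template.
IMPOSTOR = [0.15, 0.22, 0.30, 0.35, 0.42, 0.48, 0.55, 0.58, 0.62, 0.71]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a match is accepted iff score >= threshold.

    FRR (Type I error): legitimate users rejected because their score fell
    below the threshold.  FAR (Type II error): impostors accepted because
    their score reached the threshold.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr


def crossover(genuine, impostor, steps=100):
    """Sweep thresholds 0..1 and return (threshold, far, frr) at the point
    where FAR and FRR are closest; that rate is the CER / equal error rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:   # lowest threshold wins ties
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    # Raising the threshold lowers FAR (more secure) but raises FRR (less usable).
    for t in (0.40, 0.50, 0.60, 0.70):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR={far:.2f} (Type II)  FRR={frr:.2f} (Type I)")
    t, far, frr = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t:.2f}: {far:.2f}")
```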

SAML and OAuth
Security Assertion Markup Language (SAML) – XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
OAuth is an open standard for authorization, commonly used as a way for internet users to log into third-party websites using their Microsoft, Google, Facebook, etc. accounts without exposing their passwords.

AD Passwords
AD passwords are stored as a hash. Kerberos replay attacks happen here. A replay attack occurs when an intruder captures a packet from the network and forwards that packet to a service or application as if the intruder were the user who originally sent it. When the packet is an authentication packet, the intruder can use the replay to authenticate on another person's behalf and consequently access that person's resources or data.
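Added example (not part of the slides): the standard defence against the replay described above, a replay cache of the kind Kerberos services keep, written here in Python. It assumes an authenticator reduces to a (principal, client timestamp) pair, a five-minute skew window and constructed sample traffic; real Kerberos authenticators also carry a microsecond field and a checksum, which the cache key would include.

```python
# Added example (not from the slide deck): a Kerberos-style replay cache.
# An authenticator carries the client's principal and timestamp; the service
# rejects timestamps outside the allowed clock skew and rejects any
# (principal, timestamp) pair it has already accepted within that window.
# Names, skew value and sample authenticators are constructed for illustration.
from collections import deque

SKEW_SECONDS = 300  # Kerberos commonly allows five minutes of clock skew


class ReplayCache:
    def __init__(self, skew=SKEW_SECONDS):
        self.skew = skew
        self.seen = set()       # (principal, client_time) pairs already accepted
        self.order = deque()    # same pairs in arrival order, for expiry

    def _expire(self, now):
        # Entries older than the skew window can never be replayed successfully
        # (the timestamp check below would reject them), so they may be dropped.
        while self.order and self.order[0][1] < now - self.skew:
            self.seen.discard(self.order.popleft())

    def check(self, principal, client_time, now):
        """Return 'accepted', 'rejected: clock skew' or 'rejected: replay'."""
        self._expire(now)
        if abs(now - client_time) > self.skew:
            return "rejected: clock skew"
        key = (principal, client_time)
        if key in self.seen:
            return "rejected: replay"
        self.seen.add(key)
        self.order.append(key)
        return "accepted"


def run_demo():
    """Constructed traffic: a legitimate request, a copy of it replayed by a
    third party 20 s later, and a stale packet replayed 10 minutes later."""
    cache = ReplayCache()
    now = 1_700_000_000                   # arbitrary epoch time on the server
    return [
        cache.check("alice@EXAMPLE.COM", now, now),            # original
        cache.check("alice@EXAMPLE.COM", now, now + 20),       # replayed copy
        cache.check("bob@EXAMPLE.COM", now + 30, now + 30),    # fresh request
        cache.check("bob@EXAMPLE.COM", now + 30, now + 630),   # replayed late
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```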

Access Controls
Preventative access control – deployed to stop unwanted or unauthorized activity from occurring. Examples: fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, AC methods, encryption, auditing, presence of security cameras or CCTV, smart cards, callback, security policies, security awareness training, AV.
Deterrent access control – deployed to discourage the violation of security policies. Picks up where prevention leaves off: the deterrent doesn't stop at trying to prevent an action, it goes further to exact consequences in the event of an attempted or successful violation. Examples: locks, fences, security badges, security guards, mantraps, cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing and firewalls.

Access Controls, cont.
Detective access control – deployed to discover unwanted or unauthorized activity. These are often after-the-fact rather than real-time controls. Examples: security guards, guard dogs, motion detectors, recording and reviewing of events by cameras/CCTV, job rotation, mandatory vacations, audit trails, IDS, violation reports, honey pots, supervision and review of users, incident investigations.
Corrective access control – deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Has minimal capability to respond to access violations. Examples: IDS, AV, alarms, mantraps, BCP, security policies.

Access Controls, cont.
Recovery access control – deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have a more advanced or complex capability to respond to access violations than corrective controls: they can repair damage as well as stop further damage. Examples: backups and restores, fault-tolerant drive systems, server clustering, AV, database shadowing.
Compensation access control – provides various options to other existing controls to aid in the enforcement and support of a security policy (SP). Examples: security policy, personnel supervision, monitoring, work task procedures.

Access Controls, cont.
Directive access control – deployed to direct, confine, or control the actions of subjects to force or encourage compliance with SPs. Examples: security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.
Administrative access controls – policies and procedures defined by an organization's security policy to implement and enforce overall AC. Focuses on two areas: personnel and business practices. Examples: policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.

Access Controls, cont.
Logical/technical AC – hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Examples: encryption, ACLs, protocols, firewalls, routers, IDS and clipping levels.

Access Controls, cont.
Physical access control – physical barriers deployed to prevent direct contact with systems or portions of a facility. Examples: guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.

Access Control Attacks
Dictionary attacks – programs with built-in dictionaries; they try every dictionary word in an attempt to find the right password.
Brute force – tries all possible combinations of letters, numbers, etc. It can take days, months or years to crack a complex password of 8 characters or more.
Spoofed logon screens – phishing sites, etc., that send the entered credentials to the attacker.
Prevention against authentication and access control attacks – passwords should be long and complex and changed periodically. Secure your endpoints!
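Added example (not from the slides): detection logic for the dictionary and brute-force attacks listed above, flagging any account with five or more failed logons inside one minute, which is the signal an account lockout or alerting rule acts on. The log format, sample entries, threshold and window are constructed for this example and are not taken from any real system.

```python
# Added example (not from the slide deck): flag password-guessing bursts in
# an authentication log.  Log format and entries are constructed for
# illustration; real sources (e.g. Windows event logs) need their own parser.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a dictionary attack against 'svc_backup' plus normal noise.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 OK   user=alice src=10.0.0.5
2024-03-01T09:01:00 FAIL user=svc_backup src=203.0.113.9
2024-03-01T09:01:01 FAIL user=svc_backup src=203.0.113.9
2024-03-01T09:01:02 FAIL user=svc_backup src=203.0.113.9
2024-03-01T09:01:03 FAIL user=svc_backup src=203.0.113.9
2024-03-01T09:01:04 FAIL user=svc_backup src=203.0.113.9
2024-03-01T09:01:05 FAIL user=svc_backup src=203.0.113.9
2024-03-01T09:05:00 FAIL user=bob src=10.0.0.8
2024-03-01T09:20:00 FAIL user=bob src=10.0.0.8
"""


def parse(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def failed_logon_bursts(log_text, threshold=5, window_seconds=60):
    """Return {user: time_of_detection} for accounts with >= threshold failed
    logons inside any sliding window of window_seconds (a lockout trigger)."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ts, result, user, _src = parse(line)
        if result != "FAIL":
            recent[user].clear()  # assumption: a success resets the counter
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for user, when in failed_logon_bursts(SAMPLE_LOG).items():
        print(f"{when.isoformat()} possible brute-force/dictionary attack on {user}")
```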

Identity and Access Provisioning Lifecycle
