Tonight 1) Where we are 2) Article Presentation(s) 3) Quiz 4) Lecture 5) In-class lab(s)

Access Control and Physical Security IS 380 Chapter 4 (Class 3)

CIA Review: Confidentiality, Integrity, Availability

Access Control
How we provision access to resources
In large-scale environments, use identity management (IdM)
Covers a wide variety of technologies; every system has its own way to grant access

3 steps to providing access
Identification – the subject claims who they are (username, badge, other public info)
Authentication – the subject proves the claim with something only they know, have, or are (PIN, password, fingerprint, cryptographic key)
Authorization – the system decides what the authenticated subject may access

Multi-factor authentication
Use two or more of:
– Something you are
– Something you know
– Something you have
The factors must be of different types: a password plus a PIN is still one factor (two things you know)
Provides a stronger security model, because an attacker has to defeat each factor independently

Authentication methods
Biometrics (palm scan, iris scan, facial recognition, voice print, signature dynamics)
Passwords (how do we secure them?)
Token devices
Digital signatures (PGP)

Biometrics
Type I error – false rejection rate (FRR): a legitimate user is turned away
Type II error – false acceptance rate (FAR): an impostor is let in; the more dangerous error
CER – crossover error rate: the threshold setting at which FRR equals FAR. Lower is better; it is the usual single number for comparing systems
Iris scan – highest accuracy potential
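
Worked example of the three rates above, added here and not part of the lecture slides: each biometric comparison yields a match score, the system accepts when the score is at or above a threshold, and FAR/FRR move in opposite directions as that threshold is tuned. The genuine and impostor score lists are constructed sample data, not measurements from any real device.

```python
# Added example (not from the lecture slides): false rejection (Type I), false
# acceptance (Type II) and the crossover error rate from match scores.
# The score lists are constructed sample data, not real measurements.

# Similarity score a matcher returned, 0.0..1.0, for each attempt.
GENUINE = [0.91, 0.87, 0.80, 0.78, 0.70, 0.65, 0.55, 0.50]    # enrolled user vs own template
IMPOSTOR = [0.60, 0.52, 0.45, 0.40, 0.35, 0.30, 0.20, 0.10]   # other people vs that template


def frr(threshold, genuine=GENUINE):
    """Type I error: fraction of genuine attempts rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type II error: fraction of impostor attempts accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_table(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) at every candidate threshold.

    Only the observed scores matter as candidates: FAR and FRR change only
    when the threshold crosses one of them.
    """
    candidates = sorted(set(genuine) | set(impostor))
    return [(t, far(t, impostor), frr(t, genuine)) for t in candidates]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, rate) where FAR and FRR are closest: the crossover error rate."""
    best = None
    for t, a, r in error_table(genuine, impostor):
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, t, rate = best
    return t, rate


if __name__ == "__main__":
    for t, a, r in error_table():
        print(f"threshold={t:.2f}  FAR={a:.3f}  FRR={r:.3f}")
    print("CER at threshold %.2f = %.3f" % crossover())
```

A deployment rarely runs at the CER: a data-center door is tuned toward low FAR (accept more false rejections), while a consumer phone is tuned toward low FRR. The CER is only the comparison point between systems.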

Passwords
Most common and one of the weakest authentication methods
Password auditing/cracking tool: L0phtcrack
Rainbow tables – basically a precomputed reverse lookup table (hash → plaintext), compressed into chains so it fits on disk
– The NTLM table set cited in class: about 1.5 TB, 99.9% success rate
– REF: http://project-rainbowcrack.com/tutorial_gui.htm
– They work against LM and NTLM because those hashes are unsalted: the same password always produces the same hash
Are your passwords using salt?
– Traditional Unix crypt(3) used a 12-bit salt (4096 variants), so an attacker needs 4096 tables instead of one
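
The following is an added example, not code from the lecture: it builds a small reverse lookup table over a constructed wordlist (the degenerate form of a rainbow table), shows that it cracks an unsalted hash with no work at attack time, and that a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) puts the same password outside any precomputed table. The wordlist, salt sizes and user passwords are constructed for illustration.

```python
# Added example (not from the slides): why an unsalted hash falls to a precomputed
# reverse lookup table, and how a per-user salt plus a slow KDF defeats it.
# WORDLIST and the passwords used below are constructed sample data.
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon", "monkey"]  # constructed


def unsalted_hash(password):
    """What a naive system (or NTLM) stores: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_reverse_table(words):
    """Precompute hash -> plaintext once; a rainbow table is a compressed form of this."""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_hex, table):
    """Crack by lookup: no hashing happens at attack time."""
    return table.get(stored_hex)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Returns the record to store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def table_multiplier(salt_bits):
    """A precomputed table is only valid for one salt value, so 2**bits copies are needed."""
    return 2 ** salt_bits


def salted_digests_collide(password, salt_a, salt_b, iterations=1000):
    """Same password under two salts -> two unrelated stored values."""
    a = hash_password(password, salt_a, iterations)["digest"]
    b = hash_password(password, salt_b, iterations)["digest"]
    return a == b


if __name__ == "__main__":
    table = build_reverse_table(WORDLIST)
    print("unsalted 'letmein' cracked as:", lookup(unsalted_hash("letmein"), table))
    rec = hash_password("letmein")
    print("salted digest found in table?", lookup(rec["digest"].hex(), table))
    print("verify correct:", verify_password("letmein", rec),
          "verify wrong:", verify_password("dragon", rec))
    print("12-bit Unix salt multiplies table work by", table_multiplier(12))
```

Salt stops precomputation, not guessing: a weak password is still found by an online dictionary attack against one salted hash. The iteration count is what makes each guess expensive, and a purpose-built hash (bcrypt, scrypt, Argon2) is the better choice when a library is available.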

Password management
Password synchronization – the same password pushed to multiple systems
Self-service password reset (cognitive passwords: personal questions, whose answers are often guessable or public)
Assisted password reset – help desk verifies identity before resetting
Single sign-on

Token Devices
RSA/Authentix, etc.
Bloomberg token
They generate one-time passwords from a secret shared with the server, so a captured code cannot be replayed
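
Added example, not from the slides and not the algorithm inside any named vendor's token: the open standard behind most event-based hardware and software tokens is HOTP (RFC 4226). The token and the server share a secret and a counter; the code is a truncation of HMAC-SHA1 over the counter. The secret below is the RFC 4226 test secret, so the codes can be checked against the RFC's own vectors; the look-ahead window size and the server class are my own illustration.

```python
# Added example (not from the slides): an event-based one-time-password token
# (HOTP, RFC 4226). RSA SecurID uses its own algorithm; the shared idea is the same:
# server and token share a secret and a counter, and a short code proves possession.
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TokenServer:
    """Server side: holds the secret and the next counter value it expects."""

    def __init__(self, secret, look_ahead=3):
        self.secret = secret
        self.counter = 0                 # next counter value expected
        self.look_ahead = look_ahead     # tolerate a few button presses that never reached us

    def verify(self, code):
        """Accept a code from the current counter up to look_ahead ahead, never behind."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1     # resynchronise and consume the counter: no replay
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    srv = TokenServer(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first use:", srv.verify(first), "replay:", srv.verify(first))
```

Counter values are never reused by the server, which is what turns a six-digit code into a one-time password. Time-based tokens (TOTP, RFC 6238) use the same function with the counter replaced by the current 30-second interval.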

Smart Card
Not a memory card (the swipe card used to enter a building), but could be coupled with one. The Stevenson card is a memory card.
– Prox cards are weak: they only present a static identifier, which can be read and replayed
Smart card has a small CPU on it, so the secret never leaves the card. 2-factor auth when combined with a PIN.
– Contact – insert into a card reader
– Contactless – has an antenna
– Microprobing? (physical attack on the chip to extract the key)

Authorization
Access criteria may include:
– Roles – job assignment/function
– Groups
– Physical or logical location (network address)
– Time of day
– Transaction type

Authorization (continued)
Default to no access (deny by default)
Need to know / least privilege: grant only the access the job requires
Single sign-on models (Kerberos, thin clients...)
Authorization creep – rights accumulate as people change roles and old rights are never revoked; periodic access reviews catch it

Kerberos
Uses symmetric crypto
KDC (Key Distribution Center) – holds every principal's key. EVERYONE TRUSTS THE KDC, so compromising it compromises the whole realm
Principals – users, computers, services, etc.
Ticket – the Authentication Service on the KDC first issues a ticket-granting ticket (TGT); the Ticket Granting Service then gives the principal a ticket to authenticate to another principal (a service)
Services never contact the KDC: a service ticket is encrypted under the service's own key, so the service validates it locally
Tickets and authenticators carry timestamps, so clocks across the realm must be roughly synchronized
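
To make the three exchanges concrete, here is an added toy model (not code from the lecture, and not Kerberos' real wire format or cipher suite) written against the standard library only. The `seal`/`unseal` helper stands in for Kerberos encryption: a keystream derived with HMAC-SHA256 plus an HMAC tag, labelled as a stand-in. Principal names, secrets, the 600-second lifetime and the 300-second skew window are constructed. The point to watch is that `Service` holds only its own key and never calls the `KDC`.

```python
# Added example (not from the slides, not real Kerberos wire format): a toy model of
# the AS, TGS and AP exchanges with symmetric keys only. seal/unseal is a stand-in for
# Kerberos encryption (HMAC-SHA256 keystream + HMAC tag). Names/lifetimes constructed.
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300   # seconds; authenticators outside the clock-skew window are rejected


def key_from_secret(secret):
    """Long-term key derived from a principal's password or keytab secret."""
    return hashlib.sha256(secret.encode()).digest()


def _stream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks covering `length` bytes."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))


def seal(key, obj):
    """Encrypt-then-MAC a JSON object: hex(nonce || ciphertext || tag)."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return (nonce + cipher + tag).hex()


def unseal(key, blob_hex):
    """Verify the tag, then decrypt. A wrong key fails the tag check -> ValueError."""
    blob = bytes.fromhex(blob_hex)
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, hashlib.sha256).digest(), tag):
        raise ValueError("not sealed with this key")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))


def _check(auth, ticket):
    """Authenticator must name the ticket's client and be fresh; ticket must be unexpired."""
    now = time.time()
    if auth["client"] != ticket["client"] or now > ticket["exp"] or abs(now - auth["ts"]) > MAX_SKEW:
        raise PermissionError("bad authenticator or expired ticket")


class KDC:
    """Holds every principal's long-term key: everyone trusts the KDC."""

    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}   # the TGS's own key, never leaves the KDC

    def register(self, principal, secret):
        self.keys[principal] = key_from_secret(secret)

    def as_exchange(self, client):
        """AS-REQ/AS-REP: TGT sealed for the TGS, session key sealed for the client."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": time.time() + 600})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: check TGT + authenticator, issue a ticket for `service`."""
        t = unseal(self.keys["krbtgt"], tgt)
        _check(unseal(bytes.fromhex(t["sk"]), authenticator), t)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": svc_sk, "exp": time.time() + 600})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk, "ticket": ticket})


class Service:
    """Knows only its own key; validates tickets locally and never contacts the KDC."""

    def __init__(self, secret):
        self.key = key_from_secret(secret)

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ: open the ticket with our own key, check the authenticator, accept the client."""
        t = unseal(self.key, ticket)
        _check(unseal(bytes.fromhex(t["sk"]), authenticator), t)
        return t["client"]


def login_and_access(kdc, service, client, password, service_name):
    """Client side of all three exchanges; returns the principal the service accepted."""
    rep = unseal(key_from_secret(password), kdc.as_exchange(client))   # wrong password -> ValueError
    auth = seal(bytes.fromhex(rep["sk"]), {"client": client, "ts": time.time()})
    tgs_rep = unseal(bytes.fromhex(rep["sk"]), kdc.tgs_exchange(rep["tgt"], auth, service_name))
    auth2 = seal(bytes.fromhex(tgs_rep["sk"]), {"client": client, "ts": time.time()})
    return service.ap_exchange(tgs_rep["ticket"], auth2)


def demo():
    """Constructed realm: one user, one service."""
    kdc = KDC()
    kdc.register("alice", "correct horse battery")
    kdc.register("fileserver", "fileserver-keytab")
    return login_and_access(kdc, Service("fileserver-keytab"), "alice",
                            "correct horse battery", "fileserver")


if __name__ == "__main__":
    print("fileserver accepted:", demo())
```

Two consequences fall out of the model: the user's password never crosses the network (it only unlocks the AS reply locally), and anyone holding the `krbtgt` key can mint a TGT for any client, which is why that key is the most sensitive one in the realm.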

Source: l.html

Access Control Technologies
Directory services (Active Directory)
Web access management
Password management
Single sign-on

Directory services
A collection of unique objects (users, groups, computers, etc.)
Each object has a series of attributes
Provide identification, authentication, and access control rules for the systems that bind to them

Access control models
Discretionary access control (DAC) – the owner of an object decides who gets access (ACLs, user-assigned rights, e.g. Windows file permissions)
Mandatory access control (MAC) – security labels are assigned by classification level; a user must be cleared at that level or higher AND satisfy need-to-know. Labels are controlled by the OS, not by the owner
Role-based access control (RBAC) – define what each role in the company does and assign rights to the role, not the person
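
The MAC rule on the slide, as an added example that is not part of the lecture: a subject may read an object only when its clearance level is at least the object's classification level and it holds every compartment the object is labelled with (need-to-know). The example goes one step beyond the slide by also showing the matching "no write down" rule, and contrasts it with DAC, where the owner edits the ACL. Level names and compartments are constructed.

```python
# Added example (not from the slides): mandatory access control as label dominance,
# with need-to-know compartments, next to a DAC owner-controlled ACL for contrast.
# Levels, compartments and principals are constructed sample data.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# A label is (level, set of compartments), e.g. ("SECRET", {"NATO", "CRYPTO"}).


def dominates(a, b):
    """Label a dominates label b: level at least as high AND every compartment of b."""
    a_level, a_comps = a
    b_level, b_comps = b
    return LEVELS[a_level] >= LEVELS[b_level] and set(a_comps) >= set(b_comps)


def mac_read_allowed(subject_label, object_label):
    """The slide's rule ('no read up'): the subject's clearance must dominate the object."""
    return dominates(subject_label, object_label)


def mac_write_allowed(subject_label, object_label):
    """'No write down' (Bell-LaPadula): the object must dominate the subject, so a
    SECRET subject cannot copy data into a CONFIDENTIAL file."""
    return dominates(object_label, subject_label)


def mac_decide(subject_label, object_label, op):
    """Reference-monitor style decision; labels come from the OS, never from the caller."""
    if op == "read":
        return mac_read_allowed(subject_label, object_label)
    if op == "write":
        return mac_write_allowed(subject_label, object_label)
    raise ValueError(f"unknown operation {op!r}")


def dac_grant(acl, actor, grantee, right):
    """DAC contrast: the object's owner, and only the owner, changes who may access it."""
    if actor != acl["owner"]:
        raise PermissionError("only the owner changes a DAC ACL")
    acl.setdefault(grantee, set()).add(right)
    return acl


def dac_allowed(acl, subject, right):
    return right in acl.get(subject, set())


if __name__ == "__main__":
    analyst = ("SECRET", {"NATO"})
    print("read CONFIDENTIAL/no compartment:", mac_decide(analyst, ("CONFIDENTIAL", set()), "read"))
    print("read CONFIDENTIAL/CRYPTO (no need-to-know):",
          mac_decide(analyst, ("CONFIDENTIAL", {"CRYPTO"}), "read"))
    print("write to CONFIDENTIAL (write down):", mac_decide(analyst, ("CONFIDENTIAL", set()), "write"))
```

The need-to-know test is the part people forget: a TOP SECRET clearance does not open a SECRET document in a compartment the reader was never briefed into.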

Access Control Techniques
Rule-based (if X, then Y)
Constrained user interfaces (restricted database views, menus that hide what you may not use)
Content-dependent (the decision depends on the object's content, e.g. records containing a Social Security number)
Context-dependent (the decision depends on state or sequence, e.g. a stateful firewall only passing packets that belong to a completed TCP handshake)

Access Control Techniques (cont.)
Capability tables vs. ACLs
Both are views of the same access control matrix
Capability tables are the rows: attached to subjects (users, processes), listing what each one may do
ACLs are the columns: attached to objects (files, devices, other resources), listing who may do what to them
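
One matrix, both views, as an added example (not from the lecture): the same access matrix is rendered per object (ACLs) and per subject (capability lists), the two checks agree on every cell, and each view makes a different question cheap. Subjects, objects and rights are constructed.

```python
# Added example (not from the slides): an access control matrix and its two
# projections, ACLs (per object) and capability lists (per subject).
# Subjects, objects and rights are constructed sample data.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "printer"): {"use"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "backup.tape"): {"read", "write"},
    ("carol", "printer"): {"use"},
}


def to_acls(matrix):
    """Column view: per object, which subjects hold which rights. Stored with the object."""
    acls = {}
    for (subj, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row view: per subject, which objects and rights. Carried by or for the subject."""
    caps = {}
    for (subj, obj), rights in matrix.items():
        caps.setdefault(subj, {})[obj] = set(rights)
    return caps


def acl_check(acls, subj, obj, right):
    """Reference monitor using the object's ACL."""
    return right in acls.get(obj, {}).get(subj, set())


def cap_check(caps, subj, obj, right):
    """Reference monitor using the subject's capability list."""
    return right in caps.get(subj, {}).get(obj, set())


def object_audience(acls, obj):
    """'Who can touch payroll.db?' is one lookup in the ACL view."""
    return set(acls.get(obj, {}))


def subject_reach(caps, subj):
    """'What can alice do?' is one lookup in the capability view."""
    return set(caps.get(subj, {}))


def revoke_object(matrix, obj):
    """Revoking all access to one object: drop its column. Cheap with ACLs; with
    capabilities every holder's list has to be found and edited."""
    return {cell: rights for cell, rights in matrix.items() if cell[1] != obj}


def views_agree(matrix):
    """Sanity check: the two projections answer every (subject, object, right) the same way."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    rights = set().union(*matrix.values())
    return all(acl_check(acls, s, o, r) == cap_check(caps, s, o, r)
               for s in subjects for o in objects for r in rights)


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("payroll.db ACL:", acls["payroll.db"])
    print("alice capabilities:", caps["alice"])
    print("views agree:", views_agree(MATRIX))
```

Operating systems mostly take the ACL view (the filesystem owns the column); capability systems and bearer tokens take the row view, which is why revocation is the hard problem for tokens.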

Accountability
Auditing at the system level, application level, and user level
Protect audit logs
– Scrubbing? Attackers delete or edit logs to cover their tracks
– WORM media, forwarding to a separate syslog host, etc., so a compromised machine cannot rewrite its own history
Post-breach is too late to start auditing
Need to establish clipping levels: thresholds (e.g. failed logons per user) below which events are treated as normal and not escalated

Auditing tools
Audit reduction tool – removes mundane events so analysts see what matters
Variance detection – flags deviation from a baseline
Attack-signature detection – matches known attack patterns
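
An added example (not from the lecture) that runs audit reduction and a clipping level over a handful of constructed syslog-style lines: routine cron runs and the deploy key's logins are dropped as mundane, failed logons are counted per (user, source), only pairs above the clipping level are escalated, and commands run as root are always kept for review. The log lines, hostnames, addresses and the threshold of 5 are all made up for the example.

```python
# Added example (not from the slides): audit reduction plus a clipping level over
# constructed syslog lines. Hosts, addresses, users and the threshold are made up.
import re
from collections import Counter

# Constructed sample syslog lines (not captured from any real host).
SAMPLE_LOG = """\
Mar 03 22:01:10 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51022
Mar 03 22:01:12 web01 CRON[1210]: (root) CMD (run-parts /etc/cron.hourly)
Mar 03 22:02:01 web01 sshd[1222]: Failed password for admin from 203.0.113.9 port 40001
Mar 03 22:02:03 web01 sshd[1223]: Failed password for admin from 203.0.113.9 port 40002
Mar 03 22:02:05 web01 sshd[1224]: Failed password for admin from 203.0.113.9 port 40003
Mar 03 22:02:07 web01 sshd[1225]: Failed password for admin from 203.0.113.9 port 40004
Mar 03 22:02:09 web01 sshd[1226]: Failed password for admin from 203.0.113.9 port 40005
Mar 03 22:02:11 web01 sshd[1227]: Failed password for admin from 203.0.113.9 port 40006
Mar 03 22:03:00 web01 CRON[1240]: (root) CMD (run-parts /etc/cron.hourly)
Mar 03 22:05:30 web01 sshd[1260]: Failed password for bob from 10.0.0.7 port 52000
Mar 03 22:05:40 web01 sshd[1261]: Accepted password for bob from 10.0.0.7 port 52001
Mar 03 22:06:00 web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Patterns an audit-reduction pass drops: routine cron runs and the deploy key's logins.
MUNDANE = (re.compile(r" CRON\[\d+\]: "), re.compile(r"Accepted publickey for deploy "))
# sshd also logs "Failed password for invalid user X"; the optional group keeps X as the user.
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
PRIVILEGED = re.compile(r"sudo: .* USER=root ; COMMAND=")

CLIPPING_LEVEL = 5   # failed logons per (user, source) tolerated before escalating


def reduce_log(lines):
    """Audit reduction: keep only lines that match no mundane pattern."""
    return [line for line in lines if not any(p.search(line) for p in MUNDANE)]


def failed_logons(lines):
    """Count failed password attempts per (user, source address)."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m.group("user"), m.group("src"))] += 1
    return counts


def over_clipping_level(lines, level=CLIPPING_LEVEL):
    """Escalate only the (user, source) pairs whose failures exceed the clipping level."""
    return {key: n for key, n in failed_logons(lines).items() if n > level}


def privileged_commands(lines):
    """User-level events kept regardless of volume: commands executed as root."""
    return [line for line in lines if PRIVILEGED.search(line)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    kept = reduce_log(lines)
    print(f"{len(lines)} events, {len(kept)} after reduction")
    for (user, src), n in over_clipping_level(kept).items():
        print(f"ALERT {n} failed logons for {user} from {src} (clipping level {CLIPPING_LEVEL})")
    for line in privileged_commands(kept):
        print("REVIEW", line)
```

Bob's single typo stays below the clipping level and never reaches an analyst; the six attempts against `admin` from one address do. The same counter, keyed on source only, also catches password spraying across many users.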

Controls
Administrative – personnel, supervisory, training
Technical – network architecture, encryption
Physical – perimeter security, work area separation, network segregation

In-Class Lab Define an access control security policy for logging onto windows-based systems You will be either a military, educational, or corporate entity Define administrative, physical, and technical controls Reference Harris

Access control monitoring
IDS/IPS (network or host based)
– Signature based – matches known patterns; no 0-day coverage
– Anomaly based (statistical/protocol anomaly, traffic anomaly) – can catch 0-day, at the cost of false positives
– Rule based – if/then logic drawing on a knowledge base; no 0-day coverage
Honeypot – liability concerns (entrapment questions, an attacker using it as a pivot)
Network sniffers
Again, we are looking for anomalies from our baseline
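
The signature-versus-anomaly distinction above, as an added example that is not part of the lecture: two regex signatures catch the attacks they were written for and miss a request they have no pattern for, while a statistical detector built from a constructed per-minute baseline flags the burst that request arrived in. The signatures, request lines, source addresses and baseline counts are constructed; the "mean plus three standard deviations" threshold is one common choice, not the only one.

```python
# Added example (not from the slides): signature detection next to statistical anomaly
# detection. Signatures, requests, addresses and baseline counts are constructed.
import re
import statistics

SIGNATURES = {
    "sql-injection": re.compile(r"('|%27)(\s|%20|\+)*(or|union)\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Constructed request log: (source address, request line).
REQUESTS = [
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.5", "GET /search?q=books"),
    ("203.0.113.9", "GET /login?user=admin'%20OR%201=1--"),
    ("203.0.113.9", "GET /static/../../etc/passwd"),
    ("198.51.100.4", "GET /cgi-bin/status;id"),      # novel: no signature exists for it
]

# Constructed requests-per-minute counts from a quiet week, used as the baseline.
BASELINE_PER_MINUTE = [40, 42, 38, 45, 41, 39, 44, 43]


def signature_matches(request):
    """Names of every signature the request line matches (empty list = nothing known)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


def signature_scan(requests):
    """Signature IDS pass: alerts only for patterns already in the database."""
    return [(src, name) for src, req in requests for name in signature_matches(req)]


def anomaly_threshold(baseline, k=3.0):
    """Mean plus k standard deviations of the learned baseline."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def is_anomalous(count, baseline=BASELINE_PER_MINUTE, k=3.0):
    """Statistical anomaly detection: does this minute's count exceed the threshold?"""
    return count > anomaly_threshold(baseline, k)


def scan_minute(requests, baseline=BASELINE_PER_MINUTE):
    """Both detectors over one minute of traffic: signature hits plus a volume verdict."""
    return {"signature_alerts": signature_scan(requests),
            "unmatched": [req for _, req in requests if not signature_matches(req)],
            "volume_anomaly": is_anomalous(len(requests), baseline)}


if __name__ == "__main__":
    print("signature alerts:", signature_scan(REQUESTS))
    print("novel request matched:", signature_matches("GET /cgi-bin/status;id"))
    print("threshold: %.1f req/min" % anomaly_threshold(BASELINE_PER_MINUTE))
    print("120 req/min anomalous:", is_anomalous(120), " 44 req/min anomalous:", is_anomalous(44))
```

The novel request is invisible to the signature engine until someone writes a rule for it; the anomaly engine sees only that the minute was unusual, not what was unusual about it. That gap is why the two are run together, and why the baseline has to be relearned as normal traffic changes.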

Access Control threats
Dictionary attack
Brute force attack
Logon spoofing (a fake logon screen that captures credentials)
Phishing attacks
Identity theft

TEMPEST
Electromagnetic emanations from equipment can be picked up and reconstructed at a distance
Faraday cage – shields the emanations
White noise – masks them
Control zone (metallic paint, etc.) – keeps eavesdroppers outside the range where emanations are usable