Access Control

2 Domain Objectives
- Provide definitions and key concepts
- Identify access control categories and types
- Discuss access control threats
- Review system access control measures

3 Domain Objectives (cont.)
- Review data access control measures
- Understand intrusion detection and intrusion prevention systems
- Understand access control assurance methods

4 Information Security Triad (CIA): Confidentiality, Integrity, Availability

5 Domain Agenda
- Definitions and Key Concepts
- Access Control Categories and Types
- Access Control Threats
- Access to System
- Access to Data
- Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)
- Access Control Assurance

6 Basic Requirements
- Security
- Reliability
- Transparency
- Scalability

7 Key Concepts
- Separation of Duties
- Least Privilege
- Need-to-know
- Information Classification

8 Information Classification
- Objectives
- Benefits
- Example of Classification
- Compartmentalized Information

9 Information Classification Procedures
- Scope
- Process
- Responsibility
- Declassification
- Marking and Labeling
- Assurance

11 Access Control Categories
- Preventive
- Detective
- Corrective
- Directive
- Deterrent
- Recovery
- Compensating

12 Access Control Types
- Administrative: Policy, User Registration Procedures, Job Rotation, Report Reviews, Employee Termination, DRP
- Technical (Logical): Warning Banners, Passwords, Tokens, Audit Logs, IPS/IDS, Connection Control, Backups, Layered Defense
- Physical: Signs, Fences, Gates, Bollards, Sentry, CCTV, Fire Extinguisher, Reconstruct/Rebuild

13 Access Control Examples

Control      | Administrative            | Technical             | Physical
-------------|---------------------------|-----------------------|---------------------
Directive    | Policy                    | Warning Banner        | Security Guard
Deterrent    | Demotion                  | Violation Report      | 'Beware of Dog'
Preventive   | User Registration         | Passwords, Tokens     | Fences, Bollards
Detective    | Report Reviews            | Audit Logs, IDS       | Sensors, CCTV
Corrective   | Employee Termination      | Connection Management | Fire Extinguisher
Recovery     | DRP                       | Backups               | Reconstruct, Rebuild
Compensating | Supervision, Job Rotation | Keystroke Logging     | Layered Defenses

15 Access Control Threats
- Denial of Service
- Buffer Overflow
- Mobile Code
- Malware
- Password Crackers
- Spoofing/Masquerading
- Sniffers
- Eavesdroppers

16 Access Control Threats (cont.)
- Emanations
- Shoulder Surfing
- Tapping
- Object Reuse
- Data Remanence
- Unauthorized Data Mining
- Dumpster Diving
- Back Door/Trap Door

17 Access Control Threats (cont.)
- Theft
- Intruders
- Social Engineering

19 System Access Control
- Identification
- Authentication
- Authorization
- Accountability

20 Identification
- Methods
- Guidelines

21 Authentication Methods
- Knowledge (something you know)
- Ownership (something you have)
- Characteristics (something you are)

22 Authentication by Knowledge
- Password
- Passphrase
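An added example, not part of the original slides, of the check a practitioner wants behind "something you know": the server never stores the password or passphrase itself, only a salted, iterated hash, and it compares in constant time. The iteration count, salt size and record format below are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a slow, salted hash and return a self-describing record: algo$iterations$salt$hash (hex)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False                        # unknown or malformed record: deny, never guess
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # A passphrase: the user-side budget is length, and nothing here caps it.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("password1", record))
```

Two records of the same passphrase differ because each carries its own salt, so a leaked table cannot be attacked with one precomputed dictionary; the iteration count lives in the record so it can be raised later without invalidating existing users.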

23 Authentication by Ownership
- Tokens (one-time passwords)
- Smartcards
- Memory cards

24 Asynchronous Token Device (Challenge-Response)
1. User requests access via the Authentication Server (sends the UserID)
2. Authentication Server issues a challenge number to the User
3. User enters the challenge number together with their PIN into the handheld token
4. Handheld calculates the cryptographic response (the one-time "password")
5. User sends the response to the Authentication Server
6. Authentication Server verifies the response and grants access to the Application Server

25 Synchronous Token
- Event-based synchronization
- Time-based synchronization
- The Authentication Server already knows the value the token is expected to produce; the user must input it (or, for proximity tokens, be in close proximity)
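Slides 24 and 25 describe a challenge-response exchange and the event- and time-synchronized alternatives. The following is an added example, not from the original deck, showing all three: HOTP (RFC 4226) for event-based and TOTP (RFC 6238) for time-based synchronization, which is what most synchronous tokens implement, plus a challenge-response server and handheld. The challenge-response construction (HMAC-SHA256 over challenge and PIN, eight decimal digits), the seed (the RFC test-vector seed), the PIN and the user name are assumptions of this example; a real Authentication Server would keep the PIN hashed or inside an HSM rather than in clear.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example seed: the RFC 4226 / RFC 6238 test-vector secret (ASCII digits).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Time-based synchronization: accept the current step plus `window` steps of clock drift either side."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), code):
            return True
    return False


class HotpVerifier:
    """Event-based synchronization: the server tracks the counter and resyncs within a look-ahead window."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, counter, look_ahead

    def verify(self, code: str) -> bool:
        for skipped in range(self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, self.counter + skipped), code):
                self.counter += skipped + 1   # move past the value just used, so a replay is rejected
                return True
        return False


def handheld_response(token_secret: bytes, pin: str, challenge: str) -> str:
    """What the handheld of slide 24 computes. Assumed construction for this example:
    HMAC-SHA256 keyed with the token secret over challenge and PIN, reduced to 8 digits."""
    mac = hmac.new(token_secret, f"{challenge}:{pin}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


class ChallengeResponseServer:
    """Authentication Server side of slide 24: issue a fresh challenge, accept the matching response once."""

    def __init__(self, token_secret: bytes, pin: str):
        self.token_secret, self.pin = token_secret, pin   # assumption: PIN held in clear only for the example
        self._outstanding = {}                             # user_id -> challenge awaiting a response

    def issue_challenge(self, user_id: str) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"   # random, so a captured response is useless later
        self._outstanding[user_id] = challenge
        return challenge

    def verify_response(self, user_id: str, response: str) -> bool:
        challenge = self._outstanding.pop(user_id, None)   # single use: a replay finds no challenge to match
        if challenge is None:
            return False
        expected = handheld_response(self.token_secret, self.pin, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))              # 755224, the RFC 4226 test vector
    print("TOTP now:", totp(SECRET, int(time.time())))
    server = ChallengeResponseServer(SECRET, pin="1234")
    chal = server.issue_challenge("alice")
    print("challenge-response ok:", server.verify_response("alice", handheld_response(SECRET, "1234", chal)))
```

The two synchronous variants differ only in where the counter comes from: the event-based verifier must store and advance it per token (and resync when the user pressed the button without logging in), while the time-based one needs nothing per token but tolerates clock drift with a window. In both, the server's copy of the seed is the asset to protect.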

26 Smart Cards
- Contact smart cards: card body, chip, contacts
- Contactless smart cards: card body, chip, antenna

27 Authentication by Characteristic (Biometrics)
- Physiological biometrics
- Behavioral biometrics
- Evaluation characteristics: accuracy, acceptability, reaction time

28 Biometric Accuracy
- False Accept Rate (FAR): Type II error, an impostor is accepted
- False Reject Rate (FRR): Type I error, a legitimate user is rejected
- Crossover Error Rate (CER): the sensitivity setting at which FAR equals FRR; plotted as error rate against sensitivity, the point where the two curves cross
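An added worked example, not from the slides: given matcher scores for genuine users and impostors (constructed here), compute FAR and FRR at each sensitivity setting and locate the crossover error rate. The score values and the accept-if-score-at-least-threshold rule are assumptions of this example.

```python
from typing import List, Tuple

# Constructed matcher scores (0-100, higher = stronger match) for this example.
GENUINE_SCORES: List[int] = [72, 75, 78, 80, 81, 83, 85, 88, 90, 92]    # enrolled users against their own template
IMPOSTOR_SCORES: List[int] = [40, 45, 50, 55, 60, 65, 70, 74, 76, 79]   # other people against that template


def error_rates(genuine: List[int], impostor: List[int], threshold: int) -> Tuple[float, float]:
    """The system accepts when score >= threshold.
    FAR (Type II error): fraction of impostors accepted. FRR (Type I error): fraction of genuine users rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Sweep the sensitivity setting and return (threshold, FAR, FRR) where the two curves meet: the CER."""
    best = None
    for t in range(min(genuine + impostor), max(genuine + impostor) + 2):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def sweep(genuine: List[int], impostor: List[int], step: int = 2) -> List[Tuple[int, float, float]]:
    """The error-rate-against-sensitivity table behind the graph on the slide."""
    return [(t, *error_rates(genuine, impostor, t)) for t in range(60, 95, step)]


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    print("CER at", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold drives FAR down and FRR up; which side to err on is a deployment decision (a data-centre door wants low FAR, a phone unlock tolerates it for low FRR). The CER is the single number used to compare systems: lower is more accurate.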

29 Static Biometric Types
- Fingerprint/Palm Print
- Hand Geometry
- Retina Scan
- Iris Scan

30 Dynamic Biometric Types
- Voice Pattern
- Facial Recognition
- Keystroke Dynamics
- Signature Dynamics

31 Identity and Access Management
- Need for identity management
- Challenges
- Identity management technologies

32 Need for Identity Management
- Manual provisioning
- Complex environments
- Compliance with regulations and legislation
- Outsourcing risks

33 Identity Management Challenges
- Consistency
- Reliability
- Usability
- Efficiency
- Scalability

34 Identity Management Challenges (cont.)
- Types of principals
- Types of identity data
- Identity life cycle

35 Identity Management Benefits
- Headcount reduction
- Productivity increase
- Risk management

36 Identity Management Technologies
- Directories
- Web access management
- Password management
- Legacy single sign-on
- Account management
- Profile update

37 Access Control Technologies
- Single Sign-on (SSO)
- Kerberos and SESAME
- Directory services
- Security domains

38 Single Sign-on Process
1. User enters ID and password
2. UserID and password are transmitted to the Authentication Server
3. Authentication Server verifies the user's identity
4. Authentication Server authorizes access to the requested resource on the Application Servers

39 Kerberos Process
Parties: KDC (Authentication Server and Ticket Granting Server); Principal P1 (user workstation); Principal P2 (application server). P1Key and P2Key are the long-term keys each principal shares with the KDC; SK1 is the session key the KDC creates for P1 and P2.
1. P1 -> KDC: P1Key(Request: access to P2)
2. KDC -> P1: P1Key(SK1, P2Key(Client ID, SK1)), i.e. SK1 for P1 plus a ticket for P2 that only P2 can decrypt
3. P1 -> P2: the ticket P2Key(Client ID, SK1) together with an authenticator SK1(Authentication); P2 recovers SK1 from the ticket and checks the authenticator
In full Kerberos the first exchange with the Authentication Server yields a Ticket Granting Ticket, which P1 presents to the Ticket Granting Server to obtain the service ticket shown in step 2.

40 Kerberos and SESAME
- Kerberos: Key Distribution Center
- Kerberos issues
- SESAME

41 Directory Services and Security Domains
- Hierarchical domain relationship
- Equivalence classes of subjects
- Directory services and security domains
Figure: Subject "High" and Subject "Low", Domain "High" and Domain "Low", and a Server, with one path to the Server marked X (blocked)

43 Mandatory and Temporal Access Control
- Mandatory Access Control: joint participation in the decision; the owner classifies the data with a label, and the system enforces the policy by comparing the subject's clearance with the object's label
- Labels
- Temporal (time-based) isolation: access is permitted only during defined time windows

44 Discretionary Access Control
- Access authorization is decided by the information owner
- The system enforces the rules the owner sets

45 Access Control Lists (ACLs): access permissions based on individual user rights
- Hal: User Hal Directory = Full Control; User Kevin Directory = Write; User Kara Directory = No Access; Printer 001 = Execute
- Kevin: User Hal Directory = Write; User Kevin Directory = Full Control; User Kara Directory = No Access; Printer 001
- Kara: User Hal Directory, User Kevin Directory, User Kara Directory, Printer 001, Printer 002 (permissions shown: Read/Write, Full Control, Execute)

46 Access Control Matrix
Rows are subjects (Hal, Kara, Kevin, Leo); columns are objects (File A, File B, App A, App B, App C, Proc A, Proc B); an X marks an access right. Kara holds rights on all seven objects, Hal and Kevin on three each, Leo on two.

47 Rule-Based Access Control
- Users: Jane, Fred, Albert
- Applications: Customer Service, Inventory, Accounting
- Explicit rules grant access: each user-to-application permission is written as its own rule

48 Role-Based Access Control
- Users: Jane, Fred, Albert
- Role: Customer Service Agent
- Applications: Customer Service, Inventory, Accounting
- Implicit rules grant access: permissions attach to the role, and users receive them through role membership

49 Content-Dependent Access Control
- Payroll Server
- Human Resources Manager: can see data on all employees
- Local Manager: can only see data on employees in the same department
- Access based on values in the data (e.g., Department)
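An added example, not the deck's own material, putting the three models of slides 47 to 49 side by side as code: rule-based (an explicit rule per user and application), role-based (permissions on the role, membership for the user) and content-dependent (the decision reads a field of the data). The specific rules, roles, applications and payroll rows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Rule-based: explicit (user, application) rules. Constructed for this example.
RULES: Set[Tuple[str, str]] = {
    ("Jane", "Customer Service"),
    ("Fred", "Customer Service"), ("Fred", "Inventory"),
    ("Albert", "Accounting"),
}

# Role-based: permissions hang off roles; users get them implicitly through membership.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Customer Service Agent": {"Customer Service"},
    "Inventory Clerk": {"Inventory"},
    "Accountant": {"Accounting"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "Jane": {"Customer Service Agent"},
    "Fred": {"Customer Service Agent", "Inventory Clerk"},
    "Albert": {"Accountant"},
}


def rule_allows(user: str, application: str) -> bool:
    """Explicit rule: access only if this exact (user, application) pair was granted."""
    return (user, application) in RULES


def role_allows(user: str, application: str) -> bool:
    """Implicit rule: access if any role the user holds carries the application permission."""
    return any(application in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def assign_role(user: str, role: str) -> None:
    """One membership change grants every permission of the role; no per-application rule is written."""
    USER_ROLES.setdefault(user, set()).add(role)


@dataclass(frozen=True)
class PayrollRecord:
    employee: str
    department: str
    salary: int


# Constructed payroll data for the Payroll Server of slide 49.
PAYROLL: List[PayrollRecord] = [
    PayrollRecord("Ana", "Sales", 52000),
    PayrollRecord("Ben", "Sales", 49000),
    PayrollRecord("Cho", "Engineering", 71000),
    PayrollRecord("Dev", "HR", 58000),
]


@dataclass(frozen=True)
class Manager:
    name: str
    role: str          # "HR Manager" or "Local Manager"
    department: str


def visible_payroll(manager: Manager, records: List[PayrollRecord]) -> List[PayrollRecord]:
    """Content-dependent control: the decision looks at a value inside the data (Department)."""
    if manager.role == "HR Manager":
        return list(records)
    if manager.role == "Local Manager":
        return [r for r in records if r.department == manager.department]
    return []   # default deny for anyone else


if __name__ == "__main__":
    print("rule  Jane->Inventory:", rule_allows("Jane", "Inventory"))
    print("role  Fred->Customer Service:", role_allows("Fred", "Customer Service"))
    local = Manager("Lee", "Local Manager", "Sales")
    print("Sales manager sees:", [r.employee for r in visible_payroll(local, PAYROLL)])
```

The operational difference shows up at provisioning time: under rule-based control a new customer-service hire needs a rule per application, under role-based control one `assign_role` call, and under content-dependent control nothing changes at all because the filter is evaluated against the data on every request.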

50 Capability Tables: the rights granted to each subject, listed per subject (the rows of the access control matrix)
Columns: File A, File B, App A, App B, App C, Proc A, Proc B (X = Execute)
- Hal: Read on File A; Execute on one further object
- Kara: Read/Write on File A; Read/Write on File B; Execute on App A, App B, App C, Proc A and Proc B
- Kevin: Read on one file; Execute on three further objects
- Leo: Read/Write on one file; Execute on two further objects
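An added example, not from the original slides: the matrix of slide 46 as a data structure, with the ACL view of slide 45 (one column, kept with the object) and the capability view of slide 50 (one row, kept with the subject) both derived from it. Kara's row follows slide 50; the other rows and the right names are assumed.

```python
from typing import Dict, Set

# MATRIX[subject][object] = set of rights. Kara's row matches slide 50; the rest is constructed,
# since the slides show only how many cells Hal, Kevin and Leo occupy, not which.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "Hal":   {"File A": {"read"}, "App A": {"execute"}},
    "Kara":  {"File A": {"read", "write"}, "File B": {"read", "write"},
              "App A": {"execute"}, "App B": {"execute"}, "App C": {"execute"},
              "Proc A": {"execute"}, "Proc B": {"execute"}},
    "Kevin": {"File A": {"read"}, "App B": {"execute"}, "App C": {"execute"}, "Proc A": {"execute"}},
    "Leo":   {"File B": {"read", "write"}, "Proc A": {"execute"}, "Proc B": {"execute"}},
}
OBJECTS = ["File A", "File B", "App A", "App B", "App C", "Proc A", "Proc B"]


def authorized(subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: default deny; the right must be present in the cell."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def acl(obj: str) -> Dict[str, Set[str]]:
    """ACL view (slide 45): one column of the matrix, the subjects with rights on this object."""
    return {s: set(rights[obj]) for s, rights in MATRIX.items() if rights.get(obj)}


def capabilities(subject: str) -> Dict[str, Set[str]]:
    """Capability view (slide 50): one row of the matrix, the objects this subject holds rights on."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items() if r}


def grant(subject: str, obj: str, right: str) -> None:
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(right)


def revoke_subject(subject: str) -> None:
    """Cheap in a capability system: drop one row. In an ACL system this means touching every object."""
    MATRIX.pop(subject, None)


def revoke_object(obj: str) -> None:
    """Cheap in an ACL system: drop one column. In a capability system every subject's list must be visited."""
    for rights in MATRIX.values():
        rights.pop(obj, None)


def render() -> str:
    """The X-marked grid of slide 46 (any right in the cell counts as an X)."""
    header = "Subject  " + "  ".join(OBJECTS)
    rows = [f"{s:<8} " + "  ".join(("X" if MATRIX[s].get(o) else " ").ljust(len(o)) for o in OBJECTS)
            for s in MATRIX]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(render())
    print("ACL for File A:", acl("File A"))
    print("Capabilities of Leo:", capabilities("Leo"))
    print("Kara execute App C:", authorized("Kara", "App C", "execute"))
```

The two views answer different questions cheaply: "who can reach File A?" is one ACL lookup, "what can Leo reach?" is one capability lookup. Whichever view a system stores, an audit should be able to reconstruct the other, which is exactly what review of ACLs on a file server or of group memberships in a directory does.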

51 Non-discretionary Access Control
- Operating system protection
- Security administrator control: a central administrator, not the data owner, assigns access
- Ensures system security is enforced consistently

52 Constrained User Interface
- Menus
- Database views
- Physically constrained user interfaces
- Encryption

53 Centralized/Decentralized Access Control
- Centralized access control: RADIUS, TACACS+, Diameter
- Decentralized access control

55 Intrusion Detection Systems, primary types
- Network-Based IDS (NIDS)
- Host-Based IDS (HIDS)
- Application-Based IDS (AIDS)

56 Intrusion Prevention Systems, primary types
- Host-Based IPS (HIPS)
- Network-Based IPS (NIPS)
- Content-based
- Rate-based

57 Analysis Engine Methods
- Pattern (signature) based: pattern matching; stateful matching
- Anomaly based: statistical; traffic; protocol
- Heuristic scanning
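An added example, not from the deck, running three of the analysis methods above over a constructed web-server access log: stateless pattern matching against signatures, stateful matching that remembers earlier events from the same source, and a statistical anomaly detector with no signature at all. The signature patterns, thresholds and log lines are assumptions of this example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Combined-log-format parser (ip, timestamp, method, path, status); enough for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip: str, method: str, path: str, status: int, n: int) -> str:
    return f'{ip} - - [10/Oct/2023:13:55:{n:02d} +0000] "{method} {path} HTTP/1.1" {status} 0'


# Constructed sample log, not real traffic: nine ordinary clients with two page views each, and
# 10.0.0.42 doing three failed logins, a successful login, a traversal probe and a burst of searches.
_events = []
for i in range(1, 10):
    _events += [(f"10.0.0.{i}", "GET", "/index.html", 200), (f"10.0.0.{i}", "GET", "/about.html", 200)]
_events += [("10.0.0.42", "POST", "/login", 401)] * 3
_events += [("10.0.0.42", "POST", "/login", 200), ("10.0.0.42", "GET", "/../../etc/passwd", 404)]
_events += [("10.0.0.42", "GET", "/search?q=test", 200)] * 15
SAMPLE_LOG: List[str] = [_line(*e, n) for n, e in enumerate(_events)]

# Signature set (assumed for the example): what the pattern-matching engine looks for in each request.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}


def parse(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:                               # unparseable lines are dropped, not guessed at
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def signature_hits(events: List[Dict]) -> List[Tuple[str, str]]:
    """Pattern matching: every request is judged on its own against the signature set."""
    return [(e["ip"], name) for e in events for name, rx in SIGNATURES.items() if rx.search(e["path"])]


def stateful_hits(events: List[Dict], threshold: int = 3, path: str = "/login") -> List[Tuple[str, int]]:
    """Stateful matching: the engine remembers earlier events, here N login failures then a success."""
    failures: Counter = Counter()
    hits = []
    for e in events:
        if e["path"] != path:
            continue
        if e["status"] == 401:
            failures[e["ip"]] += 1
        elif e["status"] == 200:
            if failures[e["ip"]] >= threshold:
                hits.append((e["ip"], failures[e["ip"]]))
            failures[e["ip"]] = 0
    return hits


def statistical_hits(events: List[Dict], k: float = 2.0) -> List[Tuple[str, int]]:
    """Statistical anomaly: no signature at all; flag sources whose request count sits more than
    k standard deviations above the mean for the window."""
    counts = Counter(e["ip"] for e in events)
    values = list(counts.values())
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    return [(ip, n) for ip, n in counts.items() if n > mean + k * sd]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("signature:", signature_hits(ev))
    print("stateful:", stateful_hits(ev))
    print("statistical:", statistical_hits(ev))
```

Each method misses what the others catch: the traversal probe is invisible to the statistical engine, the login pattern is invisible to the signature engine, and the search burst (no bad string, no state machine) is only caught statistically. The statistical detector also shows the classic anomaly-engine caveat: its baseline is whatever traffic the window contained, so an attacker already present during profiling becomes "normal".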

58 IDS/IPS Summary
- Anomaly examples
- Response examples
- Alert types
- Management

60 Access Control Assurance
- Audit trail monitoring
- Assessment tools

61 Penetration Testing
- Definition
- Areas to test
- Methods of testing
- Testing procedures
- Testing hazards

62 Areas to Test
- Application security
- Denial of Service (DoS)
- War dialing
- Wireless network penetration
- Social engineering
- PBX and IP telephony

63 Penetration Testing Methods
- External or internal
- Zero-knowledge (blind), partial-knowledge, full-knowledge
- Targeted, blind, double-blind

64 Testing Steps
1. Discovery
2. Enumeration
3. Vulnerability mapping
4. Exploiting

65 Testing Hazards and Reporting
- Hazards: production interruption, application abort, system crash
- Documentation: identified vulnerabilities, countermeasure effectiveness, recommendations

66 Domain Summary
- Definitions and Key Concepts
- Access Control Categories and Types
- Access Control Threats
- System Access
- Data Access
- Intrusion Detection and Prevention Systems
- Access Control Assurance

“Security Transcends Technology”