Published by Britney Adams. Modified over 8 years ago.
Access Control
Assignment Review
– Current
– Next
6/23/2016 Access Control
Traditional AAA
– Authentication (who you are)
– Access Control (authorization: what you may do)
– Auditing (accounting: a record of what was done)
Access control models
– Discretionary Access Control
– Mandatory Access Control
– Role Based Access Control
– ACL
Discretionary Access Control (DAC)
– The owner of a resource decides who gets access to it
– Default mode for many mobile and home devices, and for file permissions on most general-purpose operating systems
Mandatory Access Control (MAC)
– Hierarchical labels assigned by the system, not the owner: Top Secret, Secret, Confidential
Bell-LaPadula is the model for MAC (confidentiality)
– Objects carry a sensitivity label; subjects (users) hold a clearance level
– Simple security property: a subject may read an object only if clearance >= label (read down, but no read up)
– *-property: a subject may write an object only if label >= clearance (write up, but no write down), so data can never flow from a higher label to a lower one
– In the hierarchical form shown here, compartments and need to know are not considered; the full model handles them by adding category sets to each label
6/23/2016 Intro Computer Security
Biba Integrity Model
– Labels rank integrity (trustworthiness) rather than secrecy; the rules are the dual of Bell-LaPadula
– A subject may read only objects at or above its own integrity level (no read down: untrusted data must not contaminate trusted subjects)
– A subject may write only objects at or below its own integrity level (no write up)
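The two models above as a single access-decision function, added here as an illustration and not code from the slides. The level names, the `Label` type and the analyst/object examples are constructed; the Bell-LaPadula check carries optional compartments to show the need-to-know dimension the hierarchical version leaves out, and the Biba check is its integrity dual:

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels from the slides; a larger number means more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A Bell-LaPadula label: a level plus an (optional) set of compartments.

    With empty compartments this is exactly the hierarchical model on the slides;
    compartments add the need-to-know dimension the hierarchical form lacks.
    """
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only if clearance dominates the label (no read up)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only if the label dominates the clearance (no write down)."""
    return obj.dominates(subject)


# Biba uses integrity levels; a larger number means more trustworthy (constructed names).
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def biba_can_read(subject_level: str, obj_level: str) -> bool:
    """Simple integrity property: read only from at or above your own level (no read down)."""
    return INTEGRITY[obj_level] >= INTEGRITY[subject_level]


def biba_can_write(subject_level: str, obj_level: str) -> bool:
    """Integrity *-property: write only to at or below your own level (no write up)."""
    return INTEGRITY[obj_level] <= INTEGRITY[subject_level]


def decide(model: str, op: str, subject, obj) -> bool:
    """Single entry point a reference monitor would call; an unknown model or op is denied."""
    table = {
        ("blp", "read"): blp_can_read, ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read, ("biba", "write"): biba_can_write,
    }
    check = table.get((model, op))
    return bool(check and check(subject, obj))


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))  # constructed subject
    print(decide("blp", "read", analyst, Label("CONFIDENTIAL")))                        # True: read down
    print(decide("blp", "read", analyst, Label("SECRET", frozenset({"NUCLEAR"}))))       # False: no need to know
    print(decide("blp", "write", analyst, Label("TOP SECRET", frozenset({"CRYPTO"}))))   # True: write up
    print(decide("blp", "write", analyst, Label("CONFIDENTIAL")))                       # False: write down
    print(decide("biba", "read", "HIGH", "LOW"))                                        # False: read down
    print(decide("biba", "write", "LOW", "HIGH"))                                       # False: write up
```

Note that the write check is the read check with the arguments swapped: that symmetry is the whole content of the *-property, and the reason a strict Bell-LaPadula system lets a low-cleared process write into a Top Secret file it can never read back.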
Clark-Wilson
– Focus on "well-formed transactions": data is modified only through certified procedures that take it from one consistent (high-integrity) state to another
– Separation of duties is also key to preserving integrity: the person who certifies a procedure should not be the one who runs it
Role Based Access Control (RBAC)
– What you can do depends on what job (role) you have: permissions attach to roles, and users get them by being assigned roles
– Popular in Active Directory environments (users are placed in groups, groups are granted permissions)
– Typically the owner of a resource grants rights on it to roles (groups), while administrators manage which users hold each role
ACL (Access Control List)
– A specific list, kept with each resource, of which subjects hold which rights
– In effect the system stores the user x resource x rights matrix one column (one resource) at a time
– Often seen in routers, firewalls, file systems and personnel (physical) access systems
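How the RBAC and ACL views relate, as an added example that is not part of the original slides. The users, roles, resources and rights are constructed; the code stores the same user x resource x rights matrix as per-object ACLs and as per-user capability lists, then layers roles on top so that a job change is a role swap rather than an ACL edit:

```python
from collections import defaultdict

# Constructed access matrix (not from the slides): subject -> object -> rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "router1": {"read"}},
    "bob":   {"payroll.db": {"read"}},
    "carol": {"router1": {"read", "write"}},
}


def to_acls(matrix):
    """Object-centric view: one ACL per object, i.e. a column of the matrix."""
    acls = defaultdict(dict)
    for subject, objs in matrix.items():
        for obj, rights in objs.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Subject-centric view: one capability list per subject, i.e. a row of the matrix."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def acl_check(acls, subject, obj, right):
    """Reference-monitor decision from an ACL; anything not listed is denied."""
    return right in acls.get(obj, {}).get(subject, set())


# RBAC layer (constructed): users hold roles, roles hold permissions;
# no permission ever attaches to a user directly.
USER_ROLES = {"alice": {"payroll_admin"}, "bob": {"payroll_clerk"}, "carol": {"net_admin"}}
ROLE_PERMS = {
    "payroll_clerk": {("payroll.db", "read")},
    "payroll_admin": {("payroll.db", "read"), ("payroll.db", "write"), ("router1", "read")},
    "net_admin":     {("router1", "read"), ("router1", "write")},
}


def rbac_check(user, obj, right, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Allowed if any role the user holds carries the (object, right) permission."""
    return any((obj, right) in role_perms.get(role, set())
               for role in user_roles.get(user, set()))


def rbac_to_matrix(user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Flatten roles into the user x resource x rights matrix the ACLs are generated from."""
    matrix = defaultdict(lambda: defaultdict(set))
    for user, roles in user_roles.items():
        for role in roles:
            for obj, right in role_perms.get(role, set()):
                matrix[user][obj].add(right)
    return {u: dict(objs) for u, objs in matrix.items()}


def change_job(user, old_role, new_role, user_roles):
    """A job change is one role swap; the permissions on the resources never change."""
    roles = set(user_roles.get(user, set()))
    roles.discard(old_role)
    roles.add(new_role)
    return {**user_roles, user: roles}


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    print(acls["payroll.db"])                              # {'alice': {...}, 'bob': {'read'}}
    print(acl_check(acls, "bob", "payroll.db", "write"))   # False
    print(rbac_to_matrix() == MATRIX)                      # True: same matrix, two storage forms
    promoted = change_job("bob", "payroll_clerk", "payroll_admin", USER_ROLES)
    print(rbac_check("bob", "payroll.db", "write", user_roles=promoted))  # True
```

The practical difference is in review and revocation: with ACLs, answering "what can bob reach?" means walking every resource, while with RBAC it is one lookup in `USER_ROLES`, and removing bob's access when he leaves is removing his roles rather than hunting for stale ACL entries.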
Auditing: two senses
– Log watch
– Auditing for Compliance
Logs
– Critical to monitor
– An organization will generate tons of logs
– Must use tools to monitor for exceptions (repeated failed logins, privilege changes, access at odd hours); nobody can read the raw volume by hand
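A small exception monitor of the kind the slide calls for, added here as an example and not taken from the original deck. The sshd-style log lines are constructed (not real data), as are the threshold and window; it flags sources with repeated failed logins inside a short window and, as the higher-priority exception, a flagged source that later logs in successfully:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 23 10:00:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 23 10:00:03 host sshd[4012]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jun 23 10:00:04 host sshd[4013]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 23 10:00:09 host sshd[4014]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Jun 23 10:00:12 host sshd[4015]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jun 23 10:00:40 host sshd[4016]: Accepted password for root from 203.0.113.7 port 51238 ssh2
Jun 23 10:05:00 host sshd[4017]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(lines, year=2016):
    """Turn raw lines into events; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines we do not understand are skipped, not silently miscounted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce(events, threshold=3, window_s=60):
    """Return {ip: max_count} for sources with >= threshold failures inside any window_s span."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the sorted failure times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def success_after_failures(events, flagged):
    """The exception worth paging on: a flagged source that later logs in successfully."""
    return sorted({(e["ip"], e["user"]) for e in events
                   if e["result"] == "Accepted" and e["ip"] in flagged})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = find_bruteforce(evs)
    print(flagged)                                   # {'203.0.113.7': 4}
    print(success_after_failures(evs, flagged))      # [('203.0.113.7', 'root')]
```

The single failed attempt from 198.51.100.9 is left alone on purpose: the point of a threshold and a window is to surface the exception, not to page on every typo, and the thing that makes the 203.0.113.7 entry urgent is the `Accepted` line that follows its failures.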
Auditing for Compliance
– Should verify you comply with appropriate laws
– Especially prior to review/audit
Some Fundamentals
Three types of Security Controls
Classical:
– Physical
– Administrative
– Technical
Popular:
– Preventative
– Detective
– Responsive
Other Controls
In the course we will refer to controls not by category but more specifically:
– AV
– IDS
– Policy
Information Security Principles of Success
– Defense in Depth is critical
– People make bad security decisions
– Security depends on functional requirements and assurance requirements
– Security through obscurity
– Security is risk management
– Complexity is the enemy of security
– FUD doesn't work (long term, anyway)
– People, process and technology are all needed
– Open disclosure is good for security
– No absolute security
Non-repudiation
– You cannot deny having done a particular action
– Requires no shared IDs or passwords, otherwise an action cannot be tied to one person
Separation of Duties
Principle of Least Privilege
Need to know
Defense in Depth
Complexity is the enemy of security
Industry best practices are only the lowest common denominator
Why Study InfoSEC?
– Increasing threat spectrum
– Compliance
– Business enabler
The InfoSEC Professional
– The old guys
– The new folks
Other InfoSEC terms
– IA (Information Assurance)
– Computer Security
– Information Security
Professional Development
Certifying Organizations
– Establishment of certifying organizations was a key step toward security becoming a profession
Some Organizations
– ISC2
– ISACA
– CompTIA
– ASIS
Other key security organizations:
– NIST: U.S., but a leading organization
– ISO: worldwide
Certification Programs
– ISC2 Common Body of Knowledge (CBK)
– Not universal; ISC2 adds several specialized domains
– The most widely accepted
– DHS has another view, as do SANS and CompTIA
ISC2 CBK is often used in educational environments; its 10 domains give good introductory coverage
Question for you
– What did you find most interesting in the reading so far?
– Any war stories where one of these went wrong, or wasn't in place?
Questions?