1 Access Control

2 Assignment Review
 Current
 Next
6/23/2016 Access Control 2

3 Traditional AAA
 Authentication
 Access Control
 Auditing

4
 Discretionary Access Control
 Mandatory Access Control
 Role Based Access Control
 ACL

5 Discretionary Access Control
 Owner decides
 Default mode for many mobile and home devices

6 Mandatory Access Control (MAC)
 Hierarchical
 Top Secret
 Secret
 Confidential

7 Bell-LaPadula is the model for MAC
 Objects have a sensitivity label
 Users have a clearance level
 Access granted if clearance >= label
 Can write up but not down, and can read down but not up (* property)
 Does not consider compartmentalization or need to know
6/23/2016 Intro Computer Security 7

8 Biba Integrity Model
 Can read at their highest integrity level
 Can write at or lower than their integrity level
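The Bell-LaPadula rules of slide 7 and the Biba rules of slide 8 as executable access decisions. This is an added example, not part of the slides; the level rankings and the compartment extension (which slide 7 notes plain BLP lacks) are constructed here.

```python
"""Bell-LaPadula (slide 7) and Biba (slide 8) access decisions.
Added example, not part of the original slides; the level orderings,
compartment sets and sample requests are constructed for illustration."""
from typing import FrozenSet

# Confidentiality hierarchy from slide 6, ranked low to high (constructed ranks).
CONFIDENTIALITY = {"Confidential": 1, "Secret": 2, "Top Secret": 3}
# Integrity hierarchy for Biba (constructed; the slides name no specific levels).
INTEGRITY = {"Low": 1, "Medium": 2, "High": 3}


def blp_allowed(clearance: str, label: str, op: str) -> bool:
    """Bell-LaPadula: read requires clearance >= label (simple security);
    write requires clearance <= label (* property: write up, never down)."""
    c, l = CONFIDENTIALITY[clearance], CONFIDENTIALITY[label]
    if op == "read":
        return c >= l
    if op == "write":
        return c <= l
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subject_level: str, object_level: str, op: str) -> bool:
    """Biba is the dual of BLP for integrity: read only objects at or above
    the subject's integrity level, write only objects at or below it."""
    s, o = INTEGRITY[subject_level], INTEGRITY[object_level]
    if op == "read":
        return o >= s
    if op == "write":
        return o <= s
    raise ValueError(f"unknown operation {op!r}")


def blp_with_compartments(clearance: str, cleared_for: FrozenSet[str],
                          label: str, compartments: FrozenSet[str],
                          op: str) -> bool:
    """Extension beyond slide 7: plain BLP ignores need to know, so labels
    become (level, compartments) and dominance requires BOTH the level
    ordering and a superset of compartments. Read: subject dominates object.
    Write: object dominates subject."""
    if op == "read":
        return blp_allowed(clearance, label, "read") and compartments <= cleared_for
    if op == "write":
        return blp_allowed(clearance, label, "write") and cleared_for <= compartments
    raise ValueError(f"unknown operation {op!r}")
```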

9 Clark-Wilson
 Focus on "well-formed transactions" to raise integrity levels
 Separation of Duties is also key to preserving integrity

10 Role Based Access Control
 What you can do depends on what job you have
 Popular in Active Directory environments
 Typically pushes assignment of rights to a resource onto the owner of that resource

11 ACL
 Specific list
 Often a matrix of user, resource and rights generated by the system
 Often seen in routers, firewalls, personnel access

12 Auditing
 Two senses
 Log watch
 Auditing for compliance

13 Logs
 Critical to monitor
 Organizations will generate tons of logs
 Must use tools to monitor for exceptions

14 Auditing for Compliance
 Should verify you comply with appropriate laws
 Especially prior to a review/audit

15 Some Fundamentals

16 Three types of Security Controls
 Classical
–Physical
–Administrative
–Technical
 Popular
–Preventative
–Detective
–Responsive

17 Other Controls
 In the course we will refer to controls not by category but more specifically:
–AV
–IDS
–Policy

18 Information Security Principles of Success

19 Defense in Depth is Critical

20 People Make Bad Security Decisions

21 Security Depends on
–Functional Requirements
–Assurance Requirements

22 Security Through Obscurity

23 Security is Risk Management

24 Complexity is the Enemy of Security

25 FUD Doesn't Work
–In the long term, anyway

26 People, Process & Technology are all needed

27 Open Disclosure is Good for Security

28 No Absolute Security

29 Non-repudiation
 You cannot deny having done a particular action
 No shared IDs or passwords

30 Separation of Duties

31 Principle of Least Privilege

32 Need to Know

33 Defense in Depth

34 Complexity is the Enemy of Security

35 Industry best practices are only the lowest common denominator

36 Why Study InfoSEC?
 Increasing threat spectrum
 Compliance
 Business enabler

37 The InfoSEC Professional
 The old guys
 The new folks

38 Other InfoSEC terms
 IA
 Computer Security
 Information Security

39 Professional Development

40 Certifying Organizations
 Establishment of certifying organizations was a key step toward security becoming a profession

41 Some Organizations
 ISC2
 ISACA
 CompTIA
 ASIS
 Other key security organizations
–NIST: U.S., but a leading organization
–ISO: worldwide

42 Certification Programs
 ISC2 Common Body of Knowledge
 Not universal; ISC2 adds several specialized domains
–The most widely accepted
 DHS has another view, as do SANS and CompTIA

43 ISC2 CBK is often used in educational environments
 The 10 domains give good introductory coverage

44 Question for you
 What did you find most interesting in the reading so far?
 Any war stories where one of these went wrong, or wasn't in place?

45 Questions?