
Access Control



Presentation transcript:

Slide 1: Access Control

Slide 2: Assignment Review
- Current
  - You decide what categories you want to include. Just provide the required justification.
- Next
- Detailed rubrics are in the Instructor Files section.
7/9/2016 Access Control

Slide 3: Traditional AAA
- Authentication
- Access Control
- Auditing

Slide 4
- Discretionary Access Control
- Mandatory Access Control
- Role Based Access Control
- ACL

Slide 5: Discretionary Access Control
- Owner decides
- Default mode for many mobile and home devices

Slide 6: Mandatory Access Control (MAC)
- Hierarchical
- Top Secret
- Secret
- Confidential

Slide 7: Bell-LaPadula is a model for MAC
- Objects have a sensitivity label
- Users have a clearance level
- Access granted if clearance >= label
- Can write up but not down, and can read down but not up (*-property)
- Does not consider compartmentalization or need to know
7/9/2016 Intro Computer Security

Slide 8: Biba Integrity Model
- Can read at their highest integrity level
- Can write at or lower than their integrity level
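The read/write rules of slides 7 and 8 as a small reference monitor, an added example that is not part of the deck. It assumes the three-level hierarchy from slide 6, the standard Biba formulation (read at or above, write at or below one's integrity level), and constructed sample requests for user "alice"; each decision is returned as a log record of the kind the auditing slides say must be watched.

```python
from enum import IntEnum

class Level(IntEnum):
    """Hierarchy from the MAC slide; a higher value means more sensitive
    (Bell-LaPadula) or more trustworthy (Biba)."""
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_allows(clearance: Level, label: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): read down, write up.
    Simple security property: read only if clearance >= label (no read up).
    *-property: write only if clearance <= label (no write down)."""
    if op == "read":
        return clearance >= label
    if op == "write":
        return clearance <= label
    raise ValueError(f"unknown operation: {op!r}")

def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): the mirror image of Bell-LaPadula.
    Simple integrity: read only objects at or above your level (no read down).
    *-integrity: write only objects at or below your level (no write up)."""
    if op == "read":
        return obj >= subject
    if op == "write":
        return obj <= subject
    raise ValueError(f"unknown operation: {op!r}")

def audit(requests, policy):
    """Mediate each request with `policy` and return one log record per
    request: the raw material for the log watching the auditing slides call for."""
    return [(who, what, op, "ALLOW" if policy(lvl, lab, op) else "DENY")
            for who, lvl, what, lab, op in requests]

# Constructed sample requests: (user, user level, object, object level, op).
SAMPLE = [
    ("alice", Level.SECRET, "budget.xlsx", Level.CONFIDENTIAL, "read"),
    ("alice", Level.SECRET, "budget.xlsx", Level.CONFIDENTIAL, "write"),
    ("alice", Level.SECRET, "plan.docx", Level.TOP_SECRET, "read"),
    ("alice", Level.SECRET, "plan.docx", Level.TOP_SECRET, "write"),
]

if __name__ == "__main__":
    # Same four requests, opposite outcomes under the two models.
    for name, policy in (("BLP", blp_allows), ("Biba", biba_allows)):
        for who, what, op, decision in audit(SAMPLE, policy):
            print(f"{name:5} {who} {op:5} {what:12} -> {decision}")
```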

Slide 9: Clark-Wilson
- Focus on "well ordered transactions" to raise integrity levels
- Separation of Duties is also key to preserving integrity

Slide 10: Role Based Access Control
- What you can do depends on what job you have
- Popular in Active Directory environments
- Typically pushes assignment of rights to a resource onto the owner of that resource

Slide 11: ACL
- Specific list
- Often a matrix of user, resource, rights generated by the system
- Often seen in routers, firewalls, personnel access

Slide 12: Auditing
- Two senses
- Log watch
- Auditing for Compliance

Slide 13: Logs
- Critical to monitor
- Organization will generate tons of logs
- Must use tools to monitor for exceptions

Slide 14: Auditing for Compliance
- Should verify you comply with appropriate laws
- Especially prior to review/audit

Slide 15: Some Fundamentals

Slide 16: Three Types of Security Controls
- Classical
  - Physical
  - Administrative
  - Technical
- Popular
  - Preventative
  - Detective
  - Responsive

Slide 17: Other Controls
- In the course we will refer to controls not by category but more specifically:
  - AV
  - IDS
  - Policy

Slide 18: Information Security Principles of Success
- Defense in Depth is Critical
- People Make Bad Security Decisions
- Security Depends on
  - Functional Requirements
  - Assurance Requirements
- Security Through Obscurity
- Security is Risk Management

Slide 19: And More Principles
- Complexity is the Enemy of Security
- FUD Doesn't Work
  - Long term, anyway
- People, Process & Technology are all needed
- Open Disclosure is Good for Security

Slide 20: Principles
- No Absolute Security
- Non-repudiation
  - You cannot deny having done a particular action
  - No shared IDs or passwords

Slide 21: More Security Principles
- Separation of Duties
- Principle of Least Privilege
- Need to know
- Defense in Depth
- Complexity is the enemy of security
- Industry best practices are only the lowest common denominator

Slide 22: Why Study InfoSEC?
- Increasing Threat Spectrum
- Compliance
- Business Enabler

Slide 23: The InfoSEC Professional
- Old Guys
- The New folks

Slide 24: Other InfoSEC terms
- IA
- Computer Security
- Information Security

Slide 25: Professional Development

Slide 26: Certifying Organizations
- Establishment of certifying organizations was a key step toward security as a profession

Slide 27: Some Organizations
- ISC2
- ISACA
- CompTIA
- ASIS
- Other key security organizations
  - NIST: U.S., but a leading organization
  - ISO: worldwide

Slide 28: Certification Programs
- ISC2 Common Body of Knowledge
- Not universal; ISC2 adds several specialized domains
  - The most widely accepted
- DHS has another view, as do SANS and CompTIA

Slide 29: ISC2 CBK often used in Educational Environments
- 10 Domains are good intro coverage

Slide 30: Question for you
- What did you find most interesting in the reading so far?
- Any war stories where one of these went wrong? Weren't in place?

Slide 31: Questions?

