Presentation is loading. Please wait.

Presentation is loading. Please wait.

Domain 6 – Security Assessment and Testing

Published byWhitney Norman Modified over 6 years ago

Similar presentations

Presentation on theme: "Domain 6 – Security Assessment and Testing"— Presentation transcript:

1 Domain 6 – Security Assessment and Testing
Assessment and test strategies – what kind of testing, test cases help security Security process data (management and operational controls) Security control testing Security architectures vulnerabilites

2 Assessment and Test strategies
Pen Test War dialing – bank of medems Sniffing – monitoring network traffic Eavesdropping – listening Dumpster diving – sifting through discarded documents, etc. Social engineering – Human manipulation

3 Security process data Employment policies and practices – termination process and background checks Roles and responsibilities – management sets the standard and verbalizes the policy Security awareness training – prevents social engineering

4 Control Models - MAC Mandatory set of rules Rule based Access control
Data owners have less freedom than DAC Access Granted on rules or security labels More secure (government) Every resource has a label, every user has a clearance Embodies the concept of need to know

5 Control Models - DAC Indentity based Access Control
Owner specifies access levels Unix and Windows Most common access control

6 Control Models – Non Discretionary
Role based access control Access based on job description Good for high staff turnover Lattice Based ACL Access based on job role and the task

7 Control Types – Centralized and De-centralized
All objects controlled at a central point Very strict access control Ease of administration Types: RADIUS – Serves dial in users, incorporates authentication server and dynamic password TACACS – static password TACACS+ - supports token authentication Decentralized Remote authentication Decistion is closer to the objects More administration overhead Different user rights around the network Hybrid model A mixture of centralized and decentralized

8 Single Sign On - Kerberos
Symmetric key cryptography Components KDC – holds the cryptographic keys Tickets TGS Process Subject requests access to an object Request goes via the KDC – includes a session key derived from user PW KDC generates a ticket for the subject and the object Subject validates the ticket came from the KDC Subject sends ticket to object Object validates the ticket Object grants access to the subject – kerberized session is established

Download ppt "Domain 6 – Security Assessment and Testing"

Similar presentations

OM-AM and RBAC Ravi Sandhu * www.list.gmu.edu Laboratory for Information Security Technology (LIST) George Mason University.

OM-AM and RBAC Ravi Sandhu * Laboratory for Information Security Technology (LIST) George Mason University.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.

Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Introduction to Kerberos Kerberos and Domain Authentication.

Introduction to Kerberos Kerberos and Domain Authentication.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.

Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.

Similar presentations

Ads by Google