Chapter 13 Access Control
BIS 4113/6113
Chapter Overview
- Types of Access Control (7)
- Accountability
- Identification and Authentication
  - Passwords
  - Biometrics
  - Tokens
  - Single Sign-On
- Access Control Techniques
- Access Control Administration
Access Control
Not merely controlling user access to files or services: access control governs the relationship between subjects and objects.
- Subjects: the active party, which receives information from the object (user, program, process, file, computer, database, etc.)
- Objects: the passive party, which provides information to the subject (file, database, computer, system, etc.)
- Mission: protect the confidentiality, integrity, and availability of objects
“Defense-in-Depth” Layered resources -Siemens
The Process of Access Control (PAGE 563)
- Identification of the subject
- Authentication
  - Type 1: what you know
  - Type 2: what you have
  - Type 3: what you are
- Authorization of access: assigned rights and privileges
- Auditing
Type 1 Authentication: Something You Know
What are examples of how you authenticate yourself with something you know?
- Passwords
- Passphrases
- Security questions
- PINs
- Combination lock
Password Authentication (PAGE 564)
- Passwords are strings of characters typed to authenticate someone wanting to use a username (account) on a computer
- Benefits
  - Ease of use (familiar to users)
  - Inexpensive, because built into operating systems
Passwords: Bad?
- Easy to remember = easy to guess or crack
  - Brute force
  - Dictionary attacks
- Hard to remember = easy to write down
  - One in three written down (MSNBC)
  - Easy to forget
- Often transmitted in clear text
- Probable password trend analysis
Example: Twitter Hack, January 6, 2009
- 18-year-old hacker “GMZ”
- Accounts belonging to President-Elect Obama, Britney Spears, Bill O’Reilly
- Identified a moderator account
- Dictionary attack: there was no maximum number of password attempts, so guessing could run unchecked
- With moderator privileges, could reset any account holder’s password
- Reset account passwords and distributed them on a message board
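The control that was missing in the Twitter incident is a cap on failed attempts per account. The following is an added example, not code from the slides or from Twitter: a small login gate that stores salted, iterated password hashes and locks an account after a fixed number of failures, run against a constructed six-word dictionary. The class and policy names (LoginGate, MAX_FAILURES, LOCKOUT_SECONDS) and the wordlist are illustrative assumptions.

```python
"""Added example, not from the slides: a login gate with a per-account cap on
failed attempts, the control whose absence let a dictionary attack run
unchecked in the 2009 Twitter incident. Class, function and policy names
(LoginGate, MAX_FAILURES, LOCKOUT_SECONDS) are illustrative choices."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # failed guesses allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 900   # how long the account stays locked (assumed policy)
PBKDF2_ROUNDS = 50_000  # deliberately slow hash; tune upward in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked table still needs per-guess work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive failed attempts
    locked_until: float = 0  # epoch seconds; 0 means not locked


class LoginGate:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock   # injectable so the lockout can be tested without sleeping

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. 'locked' is returned even for a
        correct guess, so an attacker cannot use the lockout to confirm a hit."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, bytes(16))  # same cost for unknown users
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def dictionary_attack(gate: LoginGate, user: str, wordlist: list[str]) -> list[str]:
    """Constructed attacker: try every word in order and record each outcome."""
    return [gate.login(user, word) for word in wordlist]


if __name__ == "__main__":
    gate = LoginGate()
    gate.enroll("moderator", "happiness")
    # Constructed wordlist; the real password is the last entry, so without a
    # lockout the sixth guess would succeed.
    guesses = ["123456", "password", "letmein", "qwerty", "abc123", "happiness"]
    print(dictionary_attack(gate, "moderator", guesses))
```

With the cap in place the sixth guess, although correct, gets "locked" rather than "ok"; the legitimate user can log in again once the lockout window has passed. The dummy hash for unknown usernames keeps the response time the same whether or not the account exists, so the gate does not double as a username oracle.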
Example: Gmail Phishing Attacks, December 2016 - January 2017
Avoidance:
- Look for the digital certificate icon
- The URL should start with https:// and the host should be accounts.google.com; in this campaign the address bar showed a data: URL that merely contained the text “https://accounts.google.com”, so checking for the letters HTTPS alone is not enough
- Two-factor authentication
- (1) “Panic Mode” (2) Image, not attachment
- More info at The Daily Dot
Strong Password Policy
- Static passwords
  - Eight characters minimum, mixed case and character types
  - No reuse of names, addresses, employee numbers, SSNs
  - Each added character multiplies the brute-force search space by the size of the character set: about 70 for mixed case, digits and a few symbols, 94 for all printable ASCII
  - Password rotation
- Dynamic passwords
  - Useful only for a specified period of time
  - See “Tokens” later
- Passphrases
  - Phrase: I like to watch Andy Griffith at 7:30
  - Password: (derived from the phrase)
Password Authentication
Critique each of the following passwords, tell what attack can break it, and tell how difficult it will be for the attack to guess the password:
- swordfish
- Processing1
- SeAtTLe
- R7%t&
- 4h*6tU9$^l
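One way to answer the critique above mechanically, as an added example that is not part of the slides: classify each password by the cheapest attack that breaks it (a dictionary word, possibly after a mangling rule such as case toggling, appended digits or leet substitution), and for the survivors size the brute-force search space, which grows by the character-set size for every extra character as the policy slide states. The mini-wordlist, the leet table and the guess rate of 1e9 guesses per second are assumptions.

```python
"""Added example, not from the slides: classify the slide's passwords by the
cheapest attack that breaks them and size the brute-force search for those
that survive a dictionary. WORDLIST, LEET and GUESSES_PER_SECOND are assumed."""
import string
from typing import Optional

# Constructed mini-dictionary standing in for a real cracking wordlist.
WORDLIST = {"swordfish", "processing", "seattle", "password", "letmein"}
# Constructed leet-speak reversal table.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})
GUESSES_PER_SECOND = 1e9   # assumed attacker throughput (single-GPU class)
SECONDS_PER_YEAR = 31_557_600


def dictionary_hit(password: str) -> Optional[str]:
    """Return the mangling rule that maps the password onto a wordlist entry,
    or None if no rule does."""
    lowered = password.lower()
    if lowered in WORDLIST:
        return "exact word" if password == lowered else "case toggling"
    stripped = lowered.rstrip(string.digits)
    if stripped != lowered and stripped in WORDLIST:
        return "append digits"
    if lowered.translate(LEET) in WORDLIST:
        return "leet substitution"
    return None


def charset_size(password: str) -> int:
    """Size of the smallest set of character classes that covers the password;
    an attacker need not search classes the password never uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 symbols
    return size


def analyze(password: str) -> dict:
    rule = dictionary_hit(password)
    if rule:
        # A dictionary run is |wordlist| candidates per mangling rule: instant.
        return {"password": password, "attack": f"dictionary ({rule})",
                "keyspace": len(WORDLIST),
                "seconds": len(WORDLIST) / GUESSES_PER_SECOND}
    # No dictionary match: the attacker must brute-force the character set,
    # and every extra character multiplies the search space by charset_size.
    space = charset_size(password) ** len(password)
    return {"password": password, "attack": "brute force",
            "keyspace": space, "seconds": space / GUESSES_PER_SECOND}


def report(passwords) -> list:
    rows = []
    for pw in passwords:
        r = analyze(pw)
        rows.append(f"{pw:<12} {r['attack']:<30} keyspace={r['keyspace']:.3g} "
                    f"time={r['seconds']:.3g}s (~{r['seconds'] / SECONDS_PER_YEAR:.3g} years)")
    return rows


if __name__ == "__main__":
    for line in report(["swordfish", "Processing1", "SeAtTLe", "R7%t&", "4h*6tU9$^l"]):
        print(line)
```

The first three fall to a dictionary with trivial rules, so their apparent complexity buys nothing. R7%t& draws from all four classes but is five characters long: 94^5 guesses, seconds at the assumed rate. 4h*6tU9$^l doubles the length and the search space becomes 94^10, on the order of a thousand years at the same rate, which is the point the policy slide makes about length.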
Cognitive Passwords (PAGE 566)
- Primarily used for phone- or web-based applications
- Security question, e.g. “What is your mother’s maiden name?”
- Weak security control: answers to questions such as “What is your favorite color?” are easy to guess or look up
Type 2 Authentication: Something You Have
What are examples of ways you authenticate yourself with something you have?
- Smart card
- ID badge
- Memory card
- Token device
- Key
- Digital certificate
Token Authentication (PAGE 567)
- Static: a physical means of authentication (“what you have”)
- Synchronous dynamic password: a new password is generated at fixed time intervals; token and server share a secret and a clock
- Asynchronous dynamic password: challenge-response; each password is used only once
- Detriments to tokens
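The two dynamic-password schemes in working form, as an added example that is not from the slides: the synchronous token is HOTP/TOTP (RFC 4226 / RFC 6238), checked with the RFC test secret, together with a server-side verifier that tolerates one step of clock drift and refuses replayed codes; the asynchronous token is a challenge-response construction (the server sends a random challenge, the token returns a truncated HMAC over it). The challenge-response layout and the names TotpVerifier, challenge_response and new_challenge are illustrative, not any vendor's protocol.

```python
"""Added example, not from the slides: synchronous (HOTP/TOTP, RFC 4226 /
RFC 6238) and asynchronous (challenge-response) one-time passwords.
The challenge-response scheme and the class/function names are illustrative."""
import hashlib
import hmac
import secrets
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock (synchronous token)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of a synchronous token: shared secret and clock, a small
    window for clock drift, and a record of accepted codes to stop replay."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.used: set[tuple[int, str]] = set()   # (time step, code) already accepted

    def verify(self, code: str, now: float) -> bool:
        base = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            ctr = base + drift
            if hmac.compare_digest(hotp(self.secret, ctr), code):
                if (ctr, code) in self.used:
                    return False          # one-time: a replayed code is refused
                self.used.add((ctr, code))
                return True
        return False


def new_challenge() -> bytes:
    """Server picks a fresh random challenge for each login (assumed 16 bytes)."""
    return secrets.token_bytes(16)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Asynchronous token: truncated HMAC-SHA256 over the challenge. No clock is
    needed, and because the challenge never repeats the response is one-time."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 4226 test secret
    print("HOTP counter 0:", hotp(secret, 0))   # 755224 per RFC 4226
    print("TOTP now:", totp(secret, time.time()))
    chal = new_challenge()                      # server -> token
    print("challenge", chal.hex(), "response", challenge_response(secret, chal))
```

The drift window is what makes a synchronous token usable in practice and also what an attacker gets for free: three codes are valid at any moment instead of one, so the window should stay small and accepted codes must be remembered for the life of the window. The challenge-response variant avoids the clock problem entirely but needs a channel from server to token.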
Single Sign-On
- One ID and one authentication for roaming network/website access
- Kerberos: ticket-granting service
- Facebook login
- Popular in healthcare
- Critical to have rigid authentication standards, since one credential now opens every linked system
- Multi-use (shared) computers are a particular risk: a session left open hands all of those systems to the next user
Type 3 Authentication: Something You Are
What are examples of ways you authenticate yourself with something you are?
- Biometrics
  - Fingerprint
  - Handprint
  - Facial recognition
  - Voice recognition
  - AFIS/Livescan
Biometric Authentication (PAGE 568)
- Authentication based on bodily measurements
- Promises to eliminate passwords
- Fingerprint scanning
  - Simple and inexpensive
  - Substantial error rate (misidentification)
  - Often can be fooled fairly easily by determined impostors
  - Acceptable for low-risk situations such as home computers
- AFIS/Livescan: Automated Fingerprint Identification System
Biometric Authentication
- Iris scanners
  - Scan the iris (the colored part of the eye) with a camera, not a laser beam
  - Irises are complex, so very strong authentication
  - Expensive
- Face recognition
  - A camera allows analysis of facial structure
  - Can be done surreptitiously, without the knowledge or consent of the person being scanned
  - Very high error rate and easy to deceive
Acceptance of biometrics by users, from most to least accepted:
- Iris scan
- Keystroke
- Signature
- Voice
- Facial
- Fingerprint
- Hand scan
- Retina scan
Biometrics: Privacy Issues
According to the ACLU:
- Expansion of government power
- Documented cases of misuse
- “Hawthorne effect”
- Not reliable enough to justify use
Biometric Factor Ratings (PAGE 571)
- Type 1 error: a valid subject is not authenticated (False Rejection Rate, FRR)
- Type 2 error: an invalid subject is authenticated (False Acceptance Rate, FAR)
- Equal Error Rate (EER): the device sensitivity at which FRR = FAR; the lower the EER sits on the graph, the more accurate the device

Outcomes when a subject seeks authentication:

Subject         | Authenticated      | Not authenticated
Valid subject   | Correct acceptance | False rejection
Invalid subject | False acceptance   | Correct rejection

[Graph: FAR and FRR (%) plotted against sensitivity of the device; the two curves cross at the EER]
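The FAR/FRR trade-off and the EER can be computed directly from matcher scores. The following is an added example, not from the slides or from any device vendor: it takes constructed genuine and impostor scores, sweeps the decision threshold (the device sensitivity on the graph), reports FRR and FAR at each point, finds where they cross, and also shows the high-security tuning of picking the lowest threshold that holds FAR under a limit and reading off the FRR that costs. The score lists are sample data, not measurements.

```python
"""Added example, not from the slides: FRR, FAR and equal error rate from
matcher scores. GENUINE_SCORES and IMPOSTOR_SCORES are constructed sample
data, not measurements from any real device."""

# Constructed matcher scores in [0, 1]; higher means closer to the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.68, 0.93, 0.79]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.61, 0.39, 0.73, 0.35, 0.48, 0.57]


def rates_at(threshold, genuine, impostor):
    """A subject is authenticated when score >= threshold.
    FRR (type 1 error): valid subjects rejected.
    FAR (type 2 error): invalid subjects accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, steps=100):
    """Sensitivity sweep from 0 to 1: the x-axis of the FAR/FRR plot.
    Returns (threshold, frr, far) rows."""
    return [(i / steps, *rates_at(i / steps, genuine, impostor))
            for i in range(steps + 1)]


def equal_error_rate(genuine, impostor):
    """Threshold where FRR and FAR cross; the EER is their value there.
    Lower EER means a more accurate device."""
    threshold, frr, far = min(sweep(genuine, impostor),
                              key=lambda row: abs(row[1] - row[2]))
    return threshold, (frr + far) / 2


def threshold_for_max_far(max_far, genuine, impostor):
    """High-security tuning: the lowest threshold that keeps FAR <= max_far,
    and the FRR (user inconvenience) that setting costs."""
    for threshold, frr, far in sweep(genuine, impostor):
        if far <= max_far:
            return threshold, frr
    return 1.0, 1.0


if __name__ == "__main__":
    for threshold, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps=10):
        print(f"threshold {threshold:.1f}  FRR {frr:.2f}  FAR {far:.2f}")
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {t:.2f}")
    t0, frr0 = threshold_for_max_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"FAR = 0 requires threshold {t0:.2f}, costing FRR {frr0:.2f}")
```

On the sample data the curves cross at a threshold of 0.69 with EER 0.10: one genuine subject in ten is turned away and one impostor in ten gets in. Driving FAR to zero needs a threshold of 0.74, and on this data that happens to cost the same 10% FRR; on a real device the FRR typically climbs steeply as FAR is forced down, which is the trade-off the graph on the slide depicts.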
Multifactor Authentication (PAGE 572)
- Increases effectiveness
- Decreases efficiency
- Perfect accuracy?
Type 4 Authentication: Somewhere You Are (PAGE 563)
Vendor Rights: Target Security Breach of 2013
- Fazio Mechanical Services, a heating, ventilation and air-conditioning (HVAC) contractor
- The vendor had access to Target’s internal contract and billing system
- Framed as a “SCADA” attack: Supervisory Control and Data Acquisition
Access Control Methodologies
- Centralized
  - Managed by a team or individual
  - Single location
  - Single point of failure
- Decentralized
  - Managed by several teams or individuals
  - Multiple locations
  - Administration is difficult
Access Control Administration
- User account management: enrollment, maintenance, activity tracking
- Access rights and privileges
  - Principle of least privilege
  - Excessive privilege and creeping privileges (box on page 32)
  - “Need to know” access
Segregation of duties
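Least privilege, creeping privileges and segregation of duties are all checkable from a rights export. The following is an added example, not from the slides: an access review that compares what each user has actually been granted against what their current role entitles them to (the excess is creeping privilege), flags any user holding a conflicting pair of rights, and lists what to revoke. The role model, user records and the single SoD rule are constructed sample data; in practice they would come from the directory and the finance system.

```python
"""Added example, not from the slides: an access-rights review that flags
creeping privileges (rights beyond the user's current role) and segregation
of duties violations. ROLES, USERS and SOD_RULES are constructed sample data."""

# Constructed role model: the least-privilege baseline for each role.
ROLES = {
    "ap_clerk":   {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "view_reports"},
    "auditor":    {"view_reports"},
}

# Constructed directory export: current role plus the rights actually granted.
# bob moved from accounts payable to audit and kept his old rights (creep).
USERS = {
    "alice": {"role": "ap_clerk",   "granted": {"create_vendor", "enter_invoice"}},
    "bob":   {"role": "auditor",    "granted": {"view_reports", "enter_invoice", "approve_payment"}},
    "carol": {"role": "ap_manager", "granted": {"approve_payment", "view_reports", "create_vendor"}},
}

# Constructed SoD rule: nobody may both create vendors and approve payments,
# since that pair lets one person pay a fictitious supplier.
SOD_RULES = [
    ({"create_vendor", "approve_payment"}, "vendor creation and payment approval"),
]


def review(users=USERS, roles=ROLES, sod_rules=SOD_RULES):
    """Return findings as (kind, user, detail) tuples in a stable order."""
    findings = []
    for user, rec in users.items():
        entitled = roles.get(rec["role"], set())
        excess = rec["granted"] - entitled          # rights the current role does not justify
        if excess:
            findings.append(("excess_privilege", user, tuple(sorted(excess))))
        for conflicting, label in sod_rules:
            if conflicting <= rec["granted"]:       # holds every right in the toxic pair
                findings.append(("sod_violation", user, label))
    return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))


def remediation(users=USERS, roles=ROLES):
    """Rights to revoke per user to restore least privilege (users with no excess omitted)."""
    plan = {}
    for user, rec in users.items():
        excess = rec["granted"] - roles.get(rec["role"], set())
        if excess:
            plan[user] = sorted(excess)
    return plan


if __name__ == "__main__":
    for kind, user, detail in review():
        print(f"{kind:<17} {user:<6} {detail}")
    print("revoke:", remediation())
```

Note that carol's SoD violation is also an excess-privilege finding, but that need not always be so: a role that legitimately bundles a toxic pair is a design error in the role model itself, which is why the SoD check runs against the granted rights rather than against the role definitions.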