
Information Systems Security

Presentation on theme: "Information Systems Security"— Presentation transcript:

1 Information Systems Security
Access Control Domain #2

2 Objectives
- Access control types
- Identification, authentication, authorization
- Control models and techniques
- Single sign-on technologies
- Centralized and decentralized administration
- Intrusion Detection Systems (IDS)

3 Roles of Access Control
- Limit system access
  - Access based on identity, groups, clearance, need-to-know, location, etc.
- Protect against unauthorized disclosure, corruption, destruction, or modification
- Three categories of control: physical, technical, administrative

4 Access Control Examples
- Physical: locks, guards
- Technical: encryption, passwords, biometrics
- Administrative: policies, procedures, security training

5 Access Control Characteristics
- Preventative: keeps undesirable events from happening
- Detective: identifies undesirable events that have happened
- Corrective: corrects undesirable events that have happened
- Deterrent: discourages security violations from taking place

6 Continued
- Recovery: restores resources and capabilities after a violation or accident
- Compensation: provides alternatives to other controls

7 Who are You?
- Identification: username, ID, account #
- Authentication: passphrase, PIN, biometrics
- Authorization: “What are you allowed to do?”
  - Separation of duties
  - Least privilege

8 Authentication
- Something you know
- Something you have
- Something you are
- 2-Factor Authentication: use 2 out of the 3 types of characteristics

9 Access Criteria
- Security clearance: mandatory control systems and labels
- Need-to-know: formal processes; access follows the requirements of the role within the company
- Least privilege: the least amount of rights needed to carry out tasks; no authorization creep; default to “NO ACCESS”

10 Example Controls
- Biometrics: retina, finger, voice, iris
- Tokens: synchronous and asynchronous devices
- Memory cards: ATM card, proximity card
- Smart cards: credit card, ID card

11 Biometric Controls
- Uses unique personal attributes
- Most expensive and accurate
- Society has low acceptance rate
- Experience growth after

12 Error Types
- Type I error: rejects authorized individuals (False Reject); caused by too high a level of sensitivity
- Type II error: accepts an imposter (False Accept); caused by too low a level of sensitivity
- Crossover Error Rate (CER): the sensitivity at which the two error rates are equal; JUST RIGHT!!!!!
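
A worked threshold sweep that shows how the two error types trade off and where the crossover sits. This is an added example, not code from the presentation; the matcher scores are constructed, and a real system would collect them from enrolment trials.

```python
"""Type I / Type II error rates and the crossover error rate (CER) for a
biometric matcher, worked on constructed match scores.

Added example, not code from the presentation.  The score lists are
constructed: a real system would gather them from enrolment trials."""

# Constructed matcher output on a 0..1 scale (higher = stronger match).
# Genuine users mostly score high and impostors mostly low, but the two
# distributions overlap, which is why no threshold gives zero error.
GENUINE_SCORES = [0.925, 0.885, 0.815, 0.775, 0.745, 0.695, 0.635, 0.585, 0.555, 0.495]
IMPOSTOR_SCORES = [0.125, 0.205, 0.275, 0.335, 0.415, 0.465, 0.525, 0.575, 0.615, 0.665]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when a score >= threshold is accepted.

    FRR = false reject rate (Type I): genuine users turned away.
    FAR = false accept rate (Type II): impostors let in.
    Raising the threshold (more sensitive) pushes FRR up and FAR down.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(steps=100, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Evaluate every threshold k/steps; return (threshold, FRR, FAR) rows."""
    return [(k / steps, *error_rates(k / steps, genuine, impostor))
            for k in range(steps + 1)]


def crossover(steps=100, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold whose FRR and FAR are closest: the crossover error rate.

    With continuous score distributions the two curves intersect exactly;
    on a finite sample we take the sweep row with the smallest gap.
    """
    return min(sweep(steps, genuine, impostor),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, frr, far in sweep(10):
        print(f"threshold {t:.1f}  FRR {frr:.1f}  FAR {far:.1f}")
    t, frr, far = crossover()
    print(f"CER at threshold {t:.2f}: FRR {frr:.1f}, FAR {far:.1f}")
```

On these samples a very strict threshold (0.9) rejects nine of ten genuine users while admitting no impostors, a lax one (0.5) does the reverse, and the crossover lands at 0.58 with both rates at 20 %. Vendors quote the CER so that devices can be compared without reference to a particular threshold.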

13 Biometric Examples
- Fingerprint: ridge endings and bifurcations
- Finger scan: uses less data than a fingerprint (minutiae)
- Palm scan: creases, ridges, and grooves from the palm
- Hand geometry: length and width of the hand and fingers

14 More Biometrics
- Retina scan: blood vessel pattern on the back of the eyeball
- Iris scan: colored portion of the eye
- Signature dynamics: electrical signals of the signature process
- Keyboard dynamics: electrical signals of the typing process

15 More Biometrics
- Voice print: differences in sound, frequency, and pattern
- Facial scan: bone structure, nose, forehead size, and eye width
- Hand topology: size and width of the side of the hand

16 Passwords
- Least secure but cheap
- Should be at least 8 characters and complex
- Keep a password history
- Clipping levels used (a limit on failed attempts before the account is locked)
- Audit logs

17 Password Attacks
- Dictionary attacks
- Brute force attack: every possible combination
- Rainbow tables

18 Countermeasures
- Encrypt passwords
- Use password advisors
- Do not transmit in clear text
- GREATLY protect the central store of passwords
- Use cognitive passwords: based on life experience or opinions
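
The slides on passwords (16) and countermeasures (18) together describe one control set: a protected central store, a password history, a clipping level and an audit log. The example below, added here and not taken from the presentation, implements that set with the standard library; stored values are salted PBKDF2 hashes rather than recoverable ciphertext, which is what "encrypt passwords" means in practice. The work factor, clipping level, history depth and the sample account are assumptions.

```python
"""Password store applying the slides' countermeasures: passwords are never
stored in the clear (salted PBKDF2 hash), a clipping level locks the
account after repeated failures, a history blocks reuse, and every decision
is written to an audit log.

Added example using only the standard library; not code from the
presentation.  ITERATIONS, CLIPPING_LEVEL, HISTORY_DEPTH and the sample
accounts are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_000     # PBKDF2-HMAC-SHA256 work factor (assumption; tune to hardware)
CLIPPING_LEVEL = 3       # failed attempts tolerated before lockout (assumption)
HISTORY_DEPTH = 5        # current + previous digests that may not be reused (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    def __init__(self, salt: bytes, digest: bytes):
        self.salt = salt
        self.digest = digest
        self.history = []      # (salt, digest) pairs for earlier passwords
        self.failures = 0
        self.locked = False


class PasswordStore:
    def __init__(self):
        self.accounts = {}
        self.audit = []        # (user, event) records; ship these off-host in practice

    def _log(self, user, event):
        self.audit.append((user, event))

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)                      # per-user salt defeats rainbow tables
        self.accounts[user] = Account(salt, hash_password(password, salt))
        self._log(user, "registered")

    def verify(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            self._log(user, "unknown_user")
            return False
        if acct.locked:
            self._log(user, "rejected_locked")     # refused without hashing
            return False
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failures = 0
            self._log(user, "login_ok")
            return True
        acct.failures += 1
        self._log(user, "login_fail")
        if acct.failures >= CLIPPING_LEVEL:       # clipping level reached
            acct.locked = True
            self._log(user, "locked")
        return False

    def change_password(self, user: str, new_password: str) -> bool:
        acct = self.accounts[user]
        # Refuse anything still inside the history window.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(digest, hash_password(new_password, salt)):
                self._log(user, "reuse_rejected")
                return False
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH - 1]
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new_password, acct.salt)
        self._log(user, "password_changed")
        return True

    def unlock(self, user: str) -> None:
        """Administrative reset once the lockout has been investigated."""
        acct = self.accounts[user]
        acct.locked, acct.failures = False, 0
        self._log(user, "unlocked")
```

Two design points worth noticing: a locked account is refused before any hashing is done, so the response reveals nothing about the candidate password, and each record in `audit` names the decision taken rather than the password, so the log itself never becomes a second copy of the secret.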

19 One-time Passwords
- Dynamic: generated for one-time use
- Protects against replay attacks
- Token devices can generate them
  - Synchronized to time or event
  - Based on a challenge-response mechanism
- Not as vulnerable as regular passwords
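
The event- and time-synchronized tokens on this slide are standardized as HOTP (RFC 4226) and TOTP (RFC 6238). The example below is added here and is not code from the presentation; it generates both kinds of code and shows the server-side rule that makes a code unusable a second time. The secret is the RFC 4226 test-vector key, used only so the outputs can be checked against the published tables; the look-ahead window is an assumption.

```python
"""Event-synchronized (HOTP, RFC 4226) and time-synchronized (TOTP,
RFC 6238) one-time passwords, plus a validator that refuses replayed codes.

Added example, not code from the presentation.  RFC4226_TEST_SECRET is the
RFC's published test key; LOOK_AHEAD is an assumption."""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC4226_TEST_SECRET = b"12345678901234567890"
LOOK_AHEAD = 5   # counters the server will search past its own, for tokens pressed without logging in


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized variant: the counter is the number of elapsed time steps."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


class EventTokenValidator:
    """Server-side state for an event-synchronized token.

    The server's counter only ever moves forward: once a code is accepted,
    that code and every earlier one are dead, which is what defeats replay.
    """

    def __init__(self, secret: bytes, look_ahead: int = LOOK_AHEAD):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def validate(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise past the accepted value
                return True
        return False
```

With the time-based variant the same rule applies per time step: a server should remember the last step it accepted and refuse a second code from that step, otherwise a captured code stays valid for the rest of the window.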

20 Passphrase
- Longer than a password
- Provides more protection
- Harder to guess
- Converted to a virtual password by software

21 Memory Cards
- Magnetic stripe holds data but cannot process data
- No processor or circuits
- Proximity cards, credit cards, ATM cards
- Added costs compared to other technologies

22 Smart Card
- Microprocessor and IC
- Tamperproof device (lockout); PIN used to unlock
- Could hold various data: biometrics, challenge, private key, history
- Added costs: reader purchase, card generation and maintenance

23 Single Sign-on (SSO)
- Scripting authentication characteristics:
  - Scripts carry out the manual user authentication steps
  - As users are added or changed, more maintenance is required for each script
  - Usernames and passwords held in one central script, many times in clear text

24 SSO Continued
- Used by directory services (X.500)
- Used by thin clients
- Used by Kerberos
  - If the KDC is compromised, the secret key of every system is also compromised
  - If the KDC is offline, no authentication is possible

25 Kerberos
- Provides authentication, confidentiality, integrity
- Does NOT provide availability or non-repudiation services
- Vulnerable to password guessing
- Keys stored on user machines in cache
- All principals must have Kerberos software
- Network traffic should be encrypted

26 SESAME
- Secure European System for Applications in a Multi-vendor Environment
- Based on asymmetric cryptography
- Uses digital signatures
- Uses certificates instead of tickets
- Not compatible with Kerberos

27 Access Control Threats
- DoS
- Buffer overflow
- Mobile code
- Malicious software
- Password crackers
- Spoofing/masquerading
- Sniffers

28 More Access Control Threats
- Eavesdropping
- Emanations
- Shoulder surfing
- Object reuse
- Data remanence
- Unauthorized data mining
- Dumpster diving

29 More Threats
- Theft
- Social engineering
- Help desk fraud

30 Access Control Models
- Once a security policy is in place, a model must be chosen to fulfill its directives
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC), also called non-discretionary

31 Discretionary
- Used by operating systems and applications
- The owner of the resource determines which subjects can access it
- Subjects can pass permissions to others
- The owner is usually the creator and has full control
- Less secure than mandatory access control

32 Mandatory Access
- Access decisions are based on the security clearance of the subject and the label of the object
- The OS makes the decision, not the data owner
- Provides a higher level of protection
- Used by military and government agencies

33 Role Based Access Control
- Also called non-discretionary
- Allows for better enforcement of most commercial security policies
- Access is based on the user’s role in the company
- Admins assign a user to a role (implicit) and then assign rights to the role
- Best used in companies with a high rate of turnover
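
Slides 31 to 33 describe three decision rules. The example below, added here and not taken from the presentation, implements each as a small decision function so the differences are visible in code: in DAC the owner holds and delegates the rights, in MAC the system compares clearance against label and the owner has no say, and in RBAC rights attach to roles so that offboarding one person and onboarding the next is a role change rather than an ACL rewrite. The names and roles are constructed, and the particular MAC rule pair (no read up, no write down) is the Bell-LaPadula confidentiality policy, one common choice.

```python
"""Decision functions for the three models on the slides: discretionary
(owner-managed ACL), mandatory (clearance versus label, decided by the
system) and role-based (user -> role -> rights).

Added example, not code from the presentation.  Users, roles and the
Bell-LaPadula 'no read up / no write down' rule pair are assumptions."""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# --- Mandatory: the OS compares the subject's clearance with the object's label.
def mac_allows(clearance: Level, label: Level, action: str) -> bool:
    if action == "read":
        return clearance >= label        # no read up
    if action == "write":
        return clearance <= label        # no write down (would leak to a lower level)
    return False


# --- Discretionary: the owner decides, and may delegate the right to decide.
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}   # owner has full control

    def grant(self, granter: str, subject: str, perm: str) -> bool:
        # Only a subject holding 'grant' (the owner, or someone the owner
        # delegated to) may pass permissions on.
        if "grant" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(subject, set()).add(perm)
        return True

    def allows(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


# --- Role-based: rights attach to roles; people are moved in and out of roles.
class Rbac:
    def __init__(self):
        self.role_perms = {}     # role -> set of rights
        self.user_roles = {}     # user -> set of roles

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user):
        # Offboarding: one operation removes every right the person had.
        self.user_roles.pop(user, None)

    def allows(self, user, perm):
        # Default is "NO ACCESS": an unknown user or role matches nothing.
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))
```

The RBAC class is also where least privilege from slide 9 is easiest to enforce: rights are reviewed per role rather than per person, and a user who holds no role gets nothing.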

34 Remote Authentication Dial-In User Service (RADIUS)
- AAA protocol
- De facto standard for authentication
- Open source
- Works on a client/server model
- Holds authentication information for access

35 Terminal Access Controller Access Control System (TACACS)
- Cisco proprietary protocol
- Splits authentication, authorization, and auditing features
- Provides more protection for client-to-server communication than RADIUS
- TACACS+ adds two-factor authentication
- Not compatible with RADIUS

36 Diameter
- New and improved RADIUS
- Users can move between service provider networks and change their point of attachment
- Includes better message transport, proxying, session control, and higher security for AAA
- Not compatible with RADIUS

37 Decentralized Access Control
- The owner of the asset controls access administration
- Leads to enterprise inconsistencies
- Conflicts of interest become apparent
- Terminated employees’ rights are hard to manage
- Peer-to-peer environment

38 Hybrid Access Control
- Combines centralized and decentralized administration methods
- One entity may control what users access
- Owners choose who can access their personal assets

39 Ways of Controlling Access
- Physical location: MAC addresses
- Logical location: IP addresses
- Time of day: only during the work day
- Transaction type: limit on transaction amounts
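
The four criteria on this slide can be evaluated together as one policy check. The example below is added here and is not code from the presentation; the allowed MAC addresses, the office network range, the working hours and the amount limit are all constructed values.

```python
"""Rule checks for the access criteria on the slide: physical location
(MAC address), logical location (IP address), time of day and transaction
amount.

Added example, not code from the presentation.  POLICY values and the
sample requests are constructed."""
import ipaddress
from datetime import datetime, time

POLICY = {
    "allowed_macs": {"00:11:22:33:44:55", "00:11:22:33:44:66"},  # constructed
    "allowed_nets": [ipaddress.ip_network("10.0.0.0/8")],        # constructed office range
    "work_hours": (time(8, 0), time(18, 0)),                     # assumption
    "max_amount": 5000,                                          # assumption
}


def check_access(mac, ip, when, amount, policy=POLICY):
    """Return (allowed, reasons); reasons lists every criterion that failed.

    `when` may be a datetime or an ISO-8601 string.  All failing criteria
    are reported, not just the first, so the audit record says exactly why
    a request was refused.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    reasons = []
    if mac.lower() not in policy["allowed_macs"]:
        reasons.append("physical_location")
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in policy["allowed_nets"]):
        reasons.append("logical_location")
    start, end = policy["work_hours"]
    if not (start <= when.time() < end):
        reasons.append("time_of_day")
    if amount > policy["max_amount"]:
        reasons.append("transaction_amount")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(check_access("00:11:22:33:44:55", "10.1.2.3", "2024-03-04T10:30", 1200))
    print(check_access("de:ad:be:ef:00:01", "203.0.113.9", "2024-03-04T10:00", 9000))
```

Location criteria are weak identifiers on their own (both MAC and IP addresses are reported by the client side of the connection), so in practice they narrow where an authenticated user may act rather than replace authentication.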

40 Technical Controls
- System access: individual computer controls; operating system mechanisms
- Network access: domain controller logins; methods of access
- Network architecture: controlling the flow of information; network devices implemented; auditing and encryption

41 Physical Controls
- Network segregation: wiring closets need physical entry protection
- Perimeter security: restrict access to the facility and assets
- Computer controls: remove floppies and CDs; lock computer cases

42 Protect Audit Logs
- Hackers attempt to scrub the logs
- Organizations that are regulated MUST keep logs for a specific amount of time
- Integrity of logs can be protected with hashing algorithms
- Restrict network administrator access
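
One way hashing protects log integrity is a hash chain: each record's hash covers the previous record's hash, so any edit, deletion or reordering of earlier records breaks the chain. The example below is added here and is not code from the presentation; the log events are constructed. It also checks the chain head against an externally stored anchor, which is what catches records scrubbed from the end.

```python
"""Tamper-evident audit log.  Each record's hash covers its own content and
the previous record's hash, so editing, deleting or reordering earlier
records breaks the chain.  The head hash is compared with an anchor held
outside the log, which is what catches truncation at the end.

Added example, not code from the presentation; the events are constructed."""
import hashlib

GENESIS = "0" * 64


def _digest(seq: int, prev: str, event: str) -> str:
    return hashlib.sha256(f"{seq}|{prev}|{event}".encode("utf-8")).hexdigest()


class HashChainedLog:
    def __init__(self):
        self.entries = []

    def append(self, event: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        h = _digest(seq, prev, event)
        self.entries.append({"seq": seq, "prev": prev, "event": event, "hash": h})
        return h

    def head(self) -> str:
        """Latest hash; store it somewhere the log's administrators cannot write."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchor: str = None) -> int:
        """Return -1 if the chain is intact, else the seq of the first bad record.

        If an external anchor is supplied, a valid chain whose head differs
        from it is reported as bad at len(entries): records were removed
        from the end or the whole chain was rebuilt.
        """
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(e["seq"], prev, e["event"]):
                return e["seq"]
            prev = e["hash"]
        if anchor is not None and prev != anchor:
            return len(self.entries)
        return -1


def sample_log() -> HashChainedLog:
    """Constructed events, not from a real system."""
    log = HashChainedLog()
    for event in ["login alice", "su root alice", "edit /etc/passwd root", "logout alice"]:
        log.append(event)
    return log
```

The chain alone only proves consistency: someone with write access to the whole file can rewrite an entry and recompute every later hash. That is why the head is anchored elsewhere (a write-once store, a separate log host, or a keyed HMAC whose key the administrators do not hold), which is the concrete form of "restrict network administrator access" for logs.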

43 Intrusion Detection Systems (IDS)
- Software employed to monitor a network segment or an individual computer
- Network-based: monitors traffic on a network segment; sensors communicate with a central console
- Host-based: a small agent program that resides on an individual computer; detects suspicious activity on one system

44 IDS Placement
- In front of the firewall: uncover attacks being launched
- Behind the firewall: root out intruders who have gotten through
- Within the intranet: detect internal attacks

45 Types of IDS
- Signature-based (also called knowledge-based): database of signatures; cannot identify new attacks; needs continual updating
- Behavior-based: statistical or anomaly-based; compares activity to ‘what is normal’; creates many false positives
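
The two detection styles behave differently on the same traffic, which the example below shows on a handful of constructed web-server log lines. It is added here and is not code from the presentation; the log lines, the two signatures and the anomaly threshold are constructed, and a real sensor would hold thousands of signatures and a far longer baseline.

```python
"""Signature-based versus behavior-based detection over constructed
web-server log lines.

Added example, not code from the presentation.  The logs, signatures and
threshold are constructed."""
import re
import statistics
from collections import Counter

# Constructed format: "<source ip> <method> <path> <status>"
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.5 GET /contact.html 200
10.0.0.6 GET /index.html 200
10.0.0.6 GET /news.html 200
10.0.0.6 GET /news/1.html 200
10.0.0.6 GET /news/2.html 200
10.0.0.7 GET /index.html 200
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
10.0.0.8 GET /index.html 200
10.0.0.8 GET /about.html 200
10.0.0.9 GET /index.html 200
10.0.0.9 GET /news.html 200
10.0.0.9 GET /news/3.html 200
"""

OBSERVED_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /../../etc/passwd 404
10.0.0.5 GET /about.html 200
10.0.0.6 GET /index.html 200
10.0.0.7 GET /search?q=1'%20UNION%20SELECT%20user,pass 500
192.168.1.50 GET /admin 404
192.168.1.50 GET /backup 404
192.168.1.50 GET /old 404
192.168.1.50 GET /test 404
192.168.1.50 GET /dev 404
192.168.1.50 GET /tmp 404
192.168.1.50 GET /private 404
192.168.1.50 GET /config 404
"""

# Knowledge base of the signature engine: only what has been written down.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"(?i)union(\s|%20)+select"),
}


def parse(log):
    return [line.split(" ", 3) for line in log.splitlines() if line.strip()]


def signature_detect(log):
    """Return (line number, source ip, signature name) for every match."""
    hits = []
    for lineno, (ip, method, path, status) in enumerate(parse(log), 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((lineno, ip, name))
    return hits


def behavior_detect(log, baseline=BASELINE_LOG, k=3.0):
    """Flag sources whose request count exceeds mean + k*stddev of the baseline.

    Returns (sorted list of flagged ips, the threshold used).
    """
    base = Counter(ip for ip, *_ in parse(baseline)).values()
    limit = statistics.mean(base) + k * statistics.pstdev(base)
    counts = Counter(ip for ip, *_ in parse(log))
    return sorted(ip for ip, n in counts.items() if n > limit), limit
```

On the observed lines the signature engine reports exactly the two requests matching its database and says nothing about 192.168.1.50, whose probing matches no signature; the statistical engine flags 192.168.1.50 because eight requests is far outside the baseline, but it is blind to the single traversal and injection lines. A legitimate crawler making eight requests would be flagged the same way, which is the false-positive cost the slide mentions.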

46 IDS Issues
- May not process all packets on a large network
- Cannot analyze encrypted data
- Lots of false alarms
- Not an answer to all problems
- Switched networks make it hard to examine all packets

47 Traps for Intruders
- Padded cell: code within a product detects whether malicious activity is taking place
  - A virtual machine provides a ‘safe’ environment, and the intruder is moved into it
  - The intruder does not realize that he is not in the original environment
  - Protects the production system from hacking
  - Similar to honeypots

