Access Control Systems: A means of ensuring a system’s C.I.A given the threats, vulnerabilities, & risks to its infrastructure.


1 Access Control Systems: A means of ensuring a system’s C.I.A given the threats, vulnerabilities, & risks to its infrastructure

2 Rationale  Confidentiality Info not disclosed to unauthorized persons or processes  Integrity Internal consistency External consistency  Availability Reliability Utility

3 Systems  Complex  Interact with other systems  Have emergent properties that their designers did not intend  Have bugs

4 Systems & Security  Usual coping mechanism is to ignore the problem…WRONG  Security is system within larger system  Security theory vs security practice Real world systems do not lend themselves to theoretical solutions  Must look at entire system & how security affects

5 The Landscape  Secure from whom?  Secure against what?  Never black & white  Context matters more than technology  Secure is meaningless out of context

6 Completely Secure Servers  Disconnect from Network  Power Down  Wipe & Degauss Memory & Harddrive  Pulverize it to dust  Threat Modeling  Risk management

7 Concepts in planning  Threat Potential to cause harm  Vulnerability Weakness or lack of safeguard that can be exploited by threat  Risk Potential for loss or harm Probability that threat will materialize

8 Threats  Attacks are exceptions  Digital Threats mirror Physical  Will become more common, more widespread, harder to catch due to: Automation Action at a Distance  Every two points are adjacent Technical Propagation

9 Threats  All types of attackers  All present some type of threat  Impossible to anticipate all attacks or all types of attackers or all avenues of attack  Point is not to prevent all but to “think about and analyze threats with greater depth and to take reasonable steps to prevent…”

10 Attacks  Criminal: Fraud (prolific on the Internet), Destructive, Intellectual Property, Identity Theft, Brand Theft  Privacy: less and less available; people do not own their own data; Surveillance, Databases, Traffic Analysis; Echelon, Carnivore  Publicity & Denial of Service  Legal

11 Controls  Implemented to mitigate risk & reduce loss  Categories of controls Preventative Detective Corrective

12 Control Implementation types  Administrative: policies, procedures, security awareness training, background checks, vacation history review  Logical / Technical: encryption, smart cards, ACL  Physical: guards, locks, protection of transmission media, backup

13 Models for Controlling Access  Control: limiting access by a subject to an object  Categories of controls:  Mandatory Access Control (MAC): clearance, sensitivity of object, need to know (ex: rule-based)  Discretionary Access Control (DAC): limited ability for subject to allow access; ACL, access control triple (user, program, object or file)  Non-Discretionary Access Control: central authority determines access

14 SELinux MAC  Mandatory Access Control in kernel  Implemented via: type enforcement (domains) Role based access control  No user discretionary access control  Each process, file, user, etc has a domain & operations are limited within it  Root user can be divided into roles also

15 Control Combinations  Preventative / Administrative  Preventative / Technical  Preventative / Physical  Detective / Administrative  Detective / Technical  Detective / Physical

16 Access Control Attacks  DoS, DDoS (Buffer Overflow, SYN Attack, Smurf)  Back door  Spoofing  Man-in-the-Middle  Replay  TCP Hijacking  Software Exploitation: out-of-date software  Trojan Horses

17 Social Engineering  Ex: emails or phone calls from “upper mgt or administrators” requesting passwords  Dumpster Diving  Password guessing: L0pht  Brute force  Dictionary attack

18 System Scanning  Collection of info about a system: what ports, what services running, what system software, what versions being used  Steps: 1. Network Reconnaissance 2. Gaining System Access 3. Removing Evidence of attack  Prevention: watch for scans &/or access of common unused ports
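The prevention point on this slide (watch for scans and for access to common unused ports), sketched as an added example that is not part of the original presentation. The log format, the addresses, the `UNUSED_PORTS` watch list and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: timestamp, source IP, destination port, action.
SAMPLE_LOG = """\
2024-01-10T10:00:01 198.51.100.7 21 DROP
2024-01-10T10:00:02 198.51.100.7 22 ACCEPT
2024-01-10T10:00:03 198.51.100.7 23 DROP
2024-01-10T10:00:04 198.51.100.7 25 DROP
2024-01-10T10:00:05 198.51.100.7 80 ACCEPT
2024-01-10T10:00:06 198.51.100.7 110 DROP
2024-01-10T10:01:00 203.0.113.20 443 ACCEPT
2024-01-10T10:02:00 192.0.2.55 135 DROP
2024-01-10T10:00:00 203.0.113.99 25 DROP
2024-01-10T10:03:00 203.0.113.99 53 DROP
2024-01-10T10:06:00 203.0.113.99 80 ACCEPT
2024-01-10T10:09:00 203.0.113.99 443 ACCEPT
"""

# Assumption: ports this site runs no service on, so any touch is suspicious.
UNUSED_PORTS = {23, 69, 111, 135}

def detect_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Map source IP -> list of reasons it looks like a scanner."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the monitor
        try:
            hits[fields[1]].append((datetime.fromisoformat(fields[0]), int(fields[2])))
        except ValueError:
            continue
    findings = {}
    for src, events in hits.items():
        events.sort()
        reasons, start, widest = [], 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            widest = max(widest, len({p for _, p in events[start:end + 1]}))
        if widest >= min_ports:
            reasons.append(f"sweep: {widest} ports in {int(window.total_seconds())}s")
        touched = sorted({p for _, p in events} & UNUSED_PORTS)
        if touched:
            reasons.append(f"unused ports touched: {touched}")
        if reasons:
            findings[src] = reasons
    return findings
```

The source 203.0.113.99 probes one port every three minutes and is missed by the 60-second window; it is only flagged when the window is widened, which trades detection of slow scans for more false positives.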

19 Penetration Testing  “Ethical hacking”  Network-based IDS  Host-based IDS  Tests Full knowledge, Partial knowledge, Zero knowledge Open box – Closed box

20 Penetration Testing Steps  1. GET APPROVAL from upper mgt 2. Discovery 3. Enumeration of tests 4. Vulnerability mapping 5. Exploitation 6. Reporting

21 Identification & Authentication  ID: subject professing who they are  Auth: verification of ID  Three types of authentication Something you know Something you have Something you are Two-factor is way the best

22 Passwords  Static  Dynamic  Passphrase  Dictionary words  Alpha numeric special character  Models for choosing  Rotation schedules for passwords

23 Biometrics  Fingerprint, palm, retina, iris, face, voice, handwriting, RFID, etc  Enrollment time (2 min)  Throughput rate (10 subjects/min)  Corpus: Collection of biometric data

24 Biometrics  False Rejection Rate (FRR)  False Acceptance Rate (FAR)  Crossover Error Rate (CER)  [Figure: plot labeled FAR, FRR, CER]
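How the three rates on this slide relate, as an added example that is not part of the original presentation: FAR and FRR are computed from match scores at each acceptance threshold, and the CER is read off where the two meet. The score lists are constructed, and the function names are hypothetical.

```python
# Constructed match scores (0-100); higher means closer to the enrolled template.
GENUINE = [91, 88, 84, 79, 77, 73, 70, 66, 61, 52]   # enrolled user's own attempts
IMPOSTOR = [12, 25, 31, 38, 44, 49, 55, 58, 63, 71]  # other people's attempts

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # valid users turned away
    return far, frr

def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)):
    """Return (threshold, FAR, FRR) at the first threshold where FAR and FRR are closest."""
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)
    best = min(thresholds, key=gap)
    return (best, *rates(best, genuine, impostor))

if __name__ == "__main__":
    # A loose threshold admits impostors; a strict one rejects valid users.
    for t in (40, 55, 62, 75, 90):
        far, frr = rates(t)
        print(f"threshold {t:3d}: FAR {far:.0%}  FRR {frr:.0%}")
    print("crossover (threshold, FAR, FRR):", crossover())
```

Raising the threshold above the crossover lowers FAR at the cost of FRR, so the operating point is a policy choice; the CER is mainly useful for comparing devices with a single number.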

25 Single Sign On (SSO)  One id / password per session regardless of the # of systems used  Advantages: ease of use, stronger passwords/biodata, easier administration, lower use of resources  Disadvantages: if access control is broken, it is a MUCH bigger problem

26 SSO Example: Kerberos  1. User enters id/pass 2. Client requests service 3. Ticket is encrypted with server's public key and sent to client 4. Client sends ticket to server & requests service 5. Server responds  Problems: replay, compromised tickets

27 Access Control  Centralized Remote Authentication & Dial-In (Wireless) User Service (RADIUS) Call back  De-centralized Relational Databases (can be both)  Relational concepts  Security issues

28 Intrusion Detection Systems  Network based: monitors packets & headers; SNORT; will not detect same-host attacks  Host based: monitors logs and system activity  Types: signature based (slow attacks problem); statistical anomaly based

29 Other issues  Costs  Privacy  Accountability  Compensation for violations: Backups, RAID (Redundant Array of Independent Disks), Fault tolerance, Business Continuity Planning, Insurance

30 References  Building Secure Linux Servers (0596002173)  Secrets and Lies (0471253111)

