Published by Cornelius Peters. Modified over 9 years ago.
1. Access Control
2. Domain Objectives
- Provide definitions and key concepts
- Identify access control categories and types
- Discuss access control threats
- Review system access control measures
3. Domain Objectives
- Review data access control measures
- Understand intrusion detection and intrusion prevention systems
- Understand access control assurance methods
4. Information Security Triad
- Availability
- Confidentiality
- Integrity
(Figure: the three properties arranged around the label "Information Security".)
5. Domain Agenda
- Definitions and Key Concepts
- Access Control Categories and Types
- Access Control Threats
- Access to System
- Access to Data
- Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)
- Access Control Assurance
6. Basic Requirements
- Security
- Reliability
- Transparency
- Scalability
7. Key Concepts
- Separation of Duties
- Least Privilege
- Need-to-know
- Information Classification
8. Information Classification
- Objectives
- Benefits
- Example of Classification
- Compartmentalized Information
9. Information Classification Procedures
- Scope
- Process
- Responsibility
- Declassification
- Marking and Labeling
- Assurance
11. Access Control Categories
- Preventive
- Detective
- Corrective
- Directive
- Deterrent
- Recovery
- Compensating
12. Access Control Types
- Administrative
- Technical (Logical)
- Physical
(Figure: examples placed under each type, including policy, user registration procedures, job rotation, employee termination, report reviews and DRP; warning banners, audit logs, IPS/IDS, passwords, tokens, connection control and backups; gates, fences, bollards, signs, sentry, CCTV, fire extinguisher, layered defense and reconstruct/rebuild. The mapping is tabulated on slide 13.)
13. Access Control Examples

Controls      | Administrative            | Technical              | Physical
Directive     | Policy                    | Warning Banner         | Security Guard
Deterrent     | Demotion                  | Violation Report       | 'Beware of Dog'
Preventative  | User Registration         | Passwords, Tokens      | Fences, Bollards
Detective     | Report Reviews            | Audit Logs, IDS        | Sensors, CCTV
Corrective    | Employee Termination      | Connection Management  | Fire Extinguisher
Recovery      | DRP                       | Backups                | Reconstruct, Rebuild
Compensating  | Supervision, Job Rotation | Keystroke Logging      | Layered Defenses
15. Access Control Threats
- Denial of Service
- Buffer Overflow
- Mobile Code
- Malware
- Password Crackers
- Spoofing/Masquerading
- Sniffers
- Eavesdroppers
16. Access Control Threats
- Emanations
- Shoulder Surfing
- Tapping
- Object Reuse
- Data Remanence
- Unauthorized Data Mining
- Dumpster Diving
- Back Door/Trap Door
17. Access Control Threats
- Theft
- Intruders
- Social Engineering
19. System Access Control
- Identification
- Authentication
- Authorization
- Accountability
20. Identification
- Methods
- Guidelines
21. Authentication Methods
- Knowledge (something you know)
- Ownership (something you have)
- Characteristics (something you are)
22. Authentication by Knowledge
- Password
- Passphrase
(Figure: a login prompt reading "PASSWORD ********".)
23. Authentication by Ownership
- Tokens (One-time Passwords)
- Smartcards
- Memory Cards
24. Asynchronous Token Device (Challenge-Response)
1. User requests access via the Authentication Server (e.g., sends a UserID)
2. Authentication Server issues a Challenge number to the User
3. User enters the Challenge number with a PIN in the Handheld
4. Handheld calculates a cryptographic response (the one-time "password")
5. User sends the "password" to the Authentication Server
6. Authentication Server grants access to the Application Server
25. Synchronous Token
- Event-based Synchronization
- Time-based Synchronization
- The Authentication Server knows the expected value from the token; the user must input it or be in close proximity
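The two token flows above, as an added Python example that is not part of the original slides: an asynchronous challenge-response server (slide 24) that consumes each challenge on use, and a time-based synchronous value (slide 25) that both sides derive without exchanging a challenge. HMAC-SHA256 and the shared seed are assumptions; the slides name neither.

```python
import hashlib
import hmac
import secrets

# Constructed demo seed shared by the handheld token and the authentication
# server. HMAC-SHA256 is an assumption; the slides do not name an algorithm.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-token-key"

def token_response(seed: bytes, challenge: str, pin: str) -> str:
    """Slide 24, step 4: the handheld keys a hash over challenge and PIN."""
    msg = f"{challenge}:{pin}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]

class AuthServer:
    """Asynchronous (challenge-response) side of slide 24."""

    def __init__(self, users: dict):
        self.users = users    # user_id -> (seed, pin)
        self.pending = {}     # user_id -> outstanding challenge

    def issue_challenge(self, user_id: str) -> str:
        """Step 2: a fresh random challenge, valid for exactly one response."""
        challenge = secrets.token_hex(4)
        self.pending[user_id] = challenge
        return challenge

    def verify_response(self, user_id: str, response: str) -> bool:
        """Steps 5-6: recompute the expected value; the challenge is consumed
        on use, so a captured response cannot be replayed later."""
        challenge = self.pending.pop(user_id, None)
        if challenge is None or user_id not in self.users:
            return False
        seed, pin = self.users[user_id]
        expected = token_response(seed, challenge, pin)
        return hmac.compare_digest(expected, response)

def time_based_value(seed: bytes, now: float, step: int = 30) -> str:
    """Slide 25, time-based synchronisation: token and server both derive the
    value from the shared seed and the current time slice; nothing is sent."""
    counter = int(now // step)
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]

def verify_time_based(seed: bytes, value: str, now: float,
                      step: int = 30, drift: int = 1) -> bool:
    """Server side: accept the current slice plus `drift` slices either way,
    tolerating small clock skew between token and server."""
    return any(hmac.compare_digest(time_based_value(seed, now + k * step, step), value)
               for k in range(-drift, drift + 1))
```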
26. Smart Cards
- Contact Smart Cards: card body, chip, contacts
- Contactless Smart Cards: card body, chip, antenna
27. Authentication by Characteristic
- Biometrics: Physiological Biometrics, Behavioral Biometrics
- Characteristics: Accuracy, Acceptability, Reaction time
28. Biometric Accuracy
- False Accept Rate (Type II Error)
- False Reject Rate (Type I Error)
- Crossover Error Rate
(Figure: Error Rate plotted against Sensitivity; the crossover error rate is where the two curves meet.)
29. Static Biometric Types
- Fingerprint/Palm Print
- Hand Geometry
- Retina Scan
- Iris Scan
30. Dynamic Biometric Types
- Voice Pattern
- Facial Recognition
- Keystroke Dynamics
- Signature Dynamics
31. Identity and Access Management
- Need for Identity Management
- Challenges
- Identity Management Technologies
32. Need for Identity Management
- Manual Provisioning
- Complex Environments
- Compliance with Regulations and Legislation
- Outsourcing Risks
33. Identity Management Challenges
- Consistency
- Reliability
- Usability
- Efficiency
- Scalability
34. Identity Management Challenges
- Types of Principals
- Types of Identity Data
- Identity Life Cycle
35. Identity Management Benefits
- Headcount Reduction
- Productivity Increase
- Risk Management
36. Identity Management Technologies
- Directories
- Web Access Management
- Password Management
- Legacy Single Sign-on
- Account Management
- Profile Update
37. Access Control Technologies
- Single Sign-on (SSO)
- Kerberos and SESAME
- Directory Services
- Security Domains
38. Single Sign-on Process
1. User enters ID and password
2. UserID and password are transmitted to the Authentication Server
3. Authentication Server verifies the User's identity
4. Authentication Server authorizes access to the requested resource
(Figure: User, Authentication Server and Application Servers, with the four steps numbered.)
39. Kerberos Process
- KDC: Authentication Server and Ticket Granting Server
- Principal P1: User Workstation
- Principal P2: Application Server
Messages in the diagram (Key(...) denotes data encrypted under that key):
- P1Key(Request: Access to P2)
- P1Key(SK1, P2Key(Client ID, SK1)), labelled "Ticket, SK1"
- P2Key(Client ID, SK1)
- SK1(Authentication)
- Ticket Granting Ticket
40. Kerberos and SESAME
- Kerberos Key Distribution Center
- Kerberos Issues
- SESAME
41. Directory Services and Security Domains
- Hierarchical Domain Relationship
- Equivalence Classes of Subjects
(Figure "Directory Services and Security Domains": Subject "High" and Subject "Low" accessing Domain "High" and Domain "Low" on a Server, with one path marked X.)
43. Mandatory and Temporal Access Control
- Mandatory Access Control: joint participation in the decision-making process; labels
- Temporal (time-based) isolation
44. Discretionary Access Control
- Access authorization based on the Information Owner
- System enforces the rules
45. Access Control Lists (ACLs)
- Access permissions based on individual user rights
- Hal: User Hal Directory: Full Control; User Kevin Directory: Write; User Kara Directory: No Access; Printer 001: Execute
- Kevin: objects User Hal Directory, User Kevin Directory, User Kara Directory, Printer 001; permissions shown: Write, Full Control, No Access
- Kara: objects User Hal Directory, User Kevin Directory, User Kara Directory, Printer 001, Printer 002; permissions shown: Read/Write, Full Control, Execute
46. Access Control Matrix
(Figure: subjects in rows, objects in columns, an X marking each granted access. Objects: File A, File B, App A, App B, App C, Proc A, Proc B. Subjects: Hal (3 marks), Kara (7 marks), Kevin (3 marks), Leo (2 marks); the cell positions are not preserved in this transcript.)
47. Rule Based Access Control
- Users: Jane, Fred, Albert
- Rules
- Applications: Customer Service Application, Inventory Application, Accounting Application
- Explicit rules grant access
48. Role Based Access Control
- Users: Jane, Fred, Albert
- Role: Customer Service Agent
- Applications: Customer Service Application, Inventory Application, Accounting Application
- Implicit rules grant access
49. Content Dependent Access Control
- Payroll Server
- Human Resources Manager: can see data on all employees
- Local Manager: can only see data on employees in the same department
- Access based on values in the data (i.e., Department)
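The three models on slides 47 to 49 side by side, as an added Python example that is not from the original slides: explicit (user, application) rules, implicit grants through roles, and a payroll view filtered on the Department value. The rule sets, role assignments and payroll rows are constructed assumptions; the slides only name the people, roles and applications.

```python
# Constructed users, roles and payroll rows modelled on slides 47 to 49; the
# slides name people, roles and applications but not the rules, so these are assumptions.
# Rule-based (slide 47): one explicit rule per (user, application) pair.
EXPLICIT_RULES = {
    ("Jane", "Customer Service Application"),
    ("Fred", "Customer Service Application"),
    ("Albert", "Accounting Application"),
}

# Role-based (slide 48): applications are tied to roles, users only to roles.
ROLE_PERMISSIONS = {
    "Customer Service Agent": {"Customer Service Application"},
    "Local Manager": {"Inventory Application"},
    "Human Resources Manager": {"Accounting Application"},
}
USER_ROLES = {
    "Jane": {"Customer Service Agent"},
    "Fred": {"Customer Service Agent", "Local Manager"},
    "Albert": {"Human Resources Manager"},
}
USER_DEPARTMENT = {"Jane": "Sales", "Fred": "Sales", "Albert": "HR"}

# Content-dependent (slide 49): constructed payroll rows; the Department value
# in each row decides who may see it.
PAYROLL = [
    {"employee": "Ann", "department": "Sales", "salary": 52000},
    {"employee": "Bo", "department": "Sales", "salary": 48000},
    {"employee": "Cy", "department": "HR", "salary": 61000},
    {"employee": "Di", "department": "Ops", "salary": 57000},
]

def rule_based_allowed(user: str, app: str) -> bool:
    """Explicit rules grant access: no matching rule, no access."""
    return (user, app) in EXPLICIT_RULES

def role_based_allowed(user: str, app: str) -> bool:
    """Implicit rules grant access: any role the user holds that maps to the app."""
    roles = USER_ROLES.get(user, set())
    return any(app in ROLE_PERMISSIONS.get(role, set()) for role in roles)

def visible_payroll(user: str) -> list:
    """HR managers see every row; a local manager sees only rows whose
    department equals their own; anyone else sees nothing."""
    roles = USER_ROLES.get(user, set())
    if "Human Resources Manager" in roles:
        return list(PAYROLL)
    if "Local Manager" in roles:
        return [row for row in PAYROLL if row["department"] == USER_DEPARTMENT.get(user)]
    return []
```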
50. Capability Tables
- Rights granted for access according to objects
Table (X = Execute); columns: Subject, File A, File B, App A, App B, App C, Proc A, Proc B
- Kara: Read/Write, Read/Write, X, X, X, X, X
- Hal: Read, X
- Kevin: Read, X, X, X
- Leo: Read/Write, X, X
(The column positions of Hal's, Kevin's and Leo's entries are not preserved in this transcript.)
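ACLs (slide 45), the access control matrix (slide 46) and capability tables (slide 50) are three views of one structure: the ACL is a column of the matrix, the capability list a row. This added Python example, not part of the original slides, derives both views from one matrix and shows that a discretionary grant or revoke updates them together; the cell contents are constructed assumptions, since the slides' own cells did not survive extraction.

```python
# Constructed matrix in the style of slides 45, 46 and 50: subjects are rows,
# objects are columns, a cell holds the rights. The slides' own cell values did
# not survive extraction, so these rights are illustrative assumptions.
MATRIX = {
    "Hal":   {"File A": {"read"}, "App A": {"execute"}, "Printer 001": {"execute"}},
    "Kara":  {"File A": {"read", "write"}, "File B": {"read", "write"},
              "App A": {"execute"}, "App B": {"execute"}, "App C": {"execute"},
              "Proc A": {"execute"}, "Proc B": {"execute"}},
    "Kevin": {"File A": {"read"}, "App B": {"execute"}, "Proc A": {"execute"}},
    "Leo":   {"File B": {"read", "write"}, "Proc B": {"execute"}},
}

def capability_list(matrix: dict, subject: str) -> dict:
    """Row view (slide 50): everything one subject may do, keyed by object."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}

def access_control_list(matrix: dict, obj: str) -> dict:
    """Column view (slide 45): for one object, which subjects hold which rights."""
    return {subj: set(rights[obj]) for subj, rights in matrix.items() if obj in rights}

def is_allowed(matrix: dict, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: default deny unless the cell grants the right."""
    return right in matrix.get(subject, {}).get(obj, set())

def grant(matrix: dict, subject: str, obj: str, right: str) -> None:
    """Discretionary grant (slide 44): the owner extends one cell; both views
    change at once because they are derived from the same matrix."""
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)

def revoke(matrix: dict, subject: str, obj: str, right: str) -> None:
    """Remove a right and drop the cell when it becomes empty."""
    cell = matrix.get(subject, {}).get(obj)
    if cell is None:
        return
    cell.discard(right)
    if not cell:
        del matrix[subject][obj]
```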
51. Non-discretionary Access Control
- Operating System Protection
- Security Administrator Control
- Ensures system security is enforced
52. Constrained User Interface
- Menus
- Database Views
- Physically Constrained User Interfaces
- Encryption
53. Centralized/Decentralized Access Control
- Centralized Access Control: RADIUS, TACACS+, Diameter
- Decentralized Access Control
55. Intrusion Detection Systems: Primary Types
- Network-Based IDS (NIDS)
- Host-Based IDS (HIDS)
- Application-Based IDS (AIDS)
56. Intrusion Prevention Systems: Primary Types
- Host-Based IPS (HIPS)
- Network-Based IPS (NIPS)
- Content-Based
- Rate-Based
57. Analysis Engine Methods
- Pattern (Signature) Based: Pattern Matching, Stateful Matching
- Anomaly Based: Statistical, Traffic, Protocol
- Heuristic Scanning
58. IDS/IPS Summary
- Anomaly Examples
- Response Examples
- Alert Types
- Management
60. Access Control Assurance
- Audit Trail Monitoring
- Assessment Tools
61. Penetration Testing
- Definition
- Areas to test
- Methods of testing
- Testing procedures
- Testing hazards
62. Areas to Test
- Application Security
- Denial of Service (DoS)
- War Dialing
- Wireless Network Penetration
- Social Engineering
- PBX and IP Telephony
63. Penetration Testing Methods
- External
- Zero-knowledge (Blind)
- Partial-knowledge
- Internal
- Full-knowledge
- Targeted
- Blind
- Double-blind
64. Testing Steps
1. Discovery
2. Enumeration
3. Vulnerability Mapping
4. Exploiting
65. Testing Hazards and Reporting
- Hazards: production interruption, application abort, system crash
- Documentation: identified vulnerabilities, countermeasure effectiveness, recommendations
66. Domain Summary
- Definitions and Key Concepts
- Access Control Categories and Types
- Access Control Threats
- System Access
- Data Access
- Intrusion Detection and Prevention Systems
- Access Control Assurance
67. "Security Transcends Technology"