Pages 81 - 148
CISSP CBK 3rd
● Access Control Techniques
○ Methods
● Identification and Authentication
○ Types and Strategies
● Identification Management
○ Considerations
● Authentication Methods
○ How to establish
● Sessions
○ Strategies on how to control
What the pages cover
Access Control
● Only Authorised Users, Programs, and/or
systems are allowed to access resources.
Access Control Techniques
● How we can determine which users,
programs or systems, what resources, and
what access.
● Methods of organising and protecting
data.
Access Controls - Continued
"Yo, Check out that sweet role-based access
control..." - Lord Nikon
Access Control Techniques
The balance between access controls enforced by
the Organization and those chosen by information
owners (who gets access) can be defined by three
general frameworks:
● Discretionary (DACs)
● Non-Discretionary
● Mandatory (MACs)
Discretionary and Mandatory
Access Controls
Discretionary:
● Controls placed on data by the owner of the data.
The owner decides who, and what privilege.
● User-centric (User is responsible).
Mandatory:
● Controls are determined by the system and based on
Organisational Policy.
● System-centric (User vs. Resource Classification).
● The Information Owner states who needs to know;
the System makes the decision against those criteria.
● man chmod
Discretionary and Mandatory
Access Controls - continued.
ACLs (Access Control Lists)
● Keyword Pattern & Action
○ Examples: MAC Address filtering
● If nothing matches, or the action is unspecified,
the default applies: either deny by default or
allow by default (based on the org's
stance).
● Structure of access is often based on
Organization Structure (Users into
Groups. Groups into file and directory
permissions).
Data Access Controls
● An ACL in the form of a table.
● Unwieldy for large environments, but
useful when designing a system, or
looking at smaller portions.
Access Control Matrix
● Access is based on a predefined set of
rules.
● These rules specify the privileges granted
to users when specific conditions are met.
○ Example:
■ The Standard ACL says that Jr. Admin Bob
can access the Dubstep MP3 Folder, but the
rule based system would specify that while he
can access it, he can only access the folder
between 5PM and 8AM (outside of Sr. Admin
Barry's Office Hours).
Rule-based Access Control
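The Jr. Admin Bob scenario above, worked as code. This is an added example and not code from the deck or the CISSP CBK: an access control matrix (the ACL in table form from the previous slide) answers "who may do what", a rule layer narrows Bob's grant to the 5PM-8AM window, and unmatched subjects fall back to the org's default stance (deny or allow). Subject and folder names are the slide's, the data structures are assumptions.

```python
"""Access control matrix plus a rule-based time window (added example).

Constructed to follow the slides: Jr. Admin Bob may read the Dubstep MP3
folder, but only outside Sr. Admin Barry's office hours. Names and hours
come from the slide; the matrix/rule layout is this example's assumption.
"""
from datetime import datetime, time

# Access control matrix: subject -> object -> set of permitted actions.
MATRIX = {
    "bob":   {"dubstep_mp3": {"read"}},
    "barry": {"dubstep_mp3": {"read", "write"}, "payroll": {"read", "write"}},
}

# Rule-based layer: conditions that must ALSO hold for a matrix grant.
# Bob's window runs 17:00 -> 08:00, i.e. it wraps past midnight.
RULES = {
    ("bob", "dubstep_mp3"): {"after": time(17, 0), "before": time(8, 0)},
}


def in_window(now: time, after: time, before: time) -> bool:
    """True if `now` lies in [after, before); handles a window that wraps midnight."""
    if after <= before:
        return after <= now < before
    return now >= after or now < before


def matrix_allows(subject: str, obj: str, action: str, default_allow: bool = False) -> bool:
    """Matrix lookup. A subject/object pair with no entry gets the org's default stance."""
    row = MATRIX.get(subject)
    if row is None or obj not in row:
        return default_allow
    return action in row[obj]


def is_permitted(subject: str, obj: str, action: str, at: datetime,
                 default_allow: bool = False) -> bool:
    """Matrix grant first; if a rule exists for the pair, the time condition must hold too."""
    if not matrix_allows(subject, obj, action, default_allow):
        return False
    rule = RULES.get((subject, obj))
    if rule is None:
        return True
    return in_window(at.time(), rule["after"], rule["before"])


def decide_at(subject: str, obj: str, action: str, hour: int, minute: int = 0,
              default_allow: bool = False) -> bool:
    """Convenience wrapper: evaluate the request at a clock time on a fixed sample day."""
    return is_permitted(subject, obj, action, datetime(2024, 1, 1, hour, minute), default_allow)


if __name__ == "__main__":
    for h in (7, 59 // 60 + 8, 12, 17, 23):
        print(f"bob read dubstep_mp3 at {h:02d}:00 ->", decide_at("bob", "dubstep_mp3", "read", h))
    print("barry read dubstep_mp3 at 12:00 ->", decide_at("barry", "dubstep_mp3", "read", 12))
    print("alice (no entry) read payroll, deny-by-default ->", decide_at("alice", "payroll", "read", 12))
```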
● RBAC bases the access control
authorizations on the roles or functions
that the user is assigned within an
organization.
● Which roles get what access can be
governed by the Data Owner, or applied
based on Org Policy.
Role-Based Access Controls
The four basic RBAC architectures:
● Non-RBAC
○ Traditional user-granted access (like ACLs). No
formal roles or mapping.
● Limited RBAC
○ Users are mapped to a single application only.
● Hybrid RBAC
○ Users are mapped to multiple applications, that
subscribe to the Org's role-based model.
● Full RBAC
○ Enterprise wide. Top down, from role policy.
See Fig. 1.11
RBAC - Continued
● RBAC is easily modeled after the
organisation's own organizational or
functional structure.
○ Personnel moves are simplified (job role is tied to
access).
See also "The Triangle of Power" by Matt
Byrd, MSFT:
http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx
RBAC - Continued
● Content dependent access controls are
based on the data. The control
mechanism examines the data, and
makes decisions based on what it finds.
● Constrained User Interface is a method
of restricting users to functions in the UI,
based on role in the system.
○ Example: AS/400 Payroll Menus, POS unit, or
Views in a database.
Miscellaneous Controls
● Capability tables are used to match
subjects (like users or process) and their
capabilities (read, write, etc..).
● Temporal (Time-based) Isolation limits
access based on time.
○ Examples: Dubstep MP3 Folder, or Limiting
access to change Payroll to the first 4 hours of
the day.
Miscellaneous Controls - cont'd
● Identification
○ Provides uniqueness and accountability (when
done properly)
● Authentication
○ Provides validity. You are expected, and trusted.
● Authorization
○ Provides Control.
Identification and Authentication
Identification provides a point of assignment
and association to a user entity within a
system. Can be user, service account, etc...
Examples:
● User Name
● User ID
● Account Number
● PIN
● Certificates
Identification Methods
● The Identification Badge is the most
common form of Physical identification.
○ Name, Logo, Face, Colour, etc..
● Policy usually dictates they must be worn at
all times.
● "Badge Check"
● Usually tied together with an access
badge & reader.
● RFID
Badges
● User ID
○ Only use it as a system ID, not an authenticator.
● MAC (Media Access Control)
○ No longer a good way to authenticate a user
(spoofable).
● IP Address
○ Logical Location on network. Set by software, not
a good indicator.
○ Subnets
● Email Address
○ Concept is email is globally unique, however it's
spoofable and only unique by convention.
Other Types
● Three Essential Security characteristics
regarding identities:
○ Uniqueness
■ Must be unambiguous & distinct
■ Can be duplicated across systems, but bad
practice
○ Non-Descriptiveness (the examples below give
away the person or role, which is what to avoid)
■ billg@microsoft.com
■ Samir_Nagheenanajar@Initech.com
■ CIO@Wellsfargo.com
○ Secure Issuance
■ Documentable and traceable.
User Identification Guidelines
● Every system must track valid users and
control their permissions, across different
types of administrative software and
processes.
● Account creation process & propagation.
● Goal of the system is to consolidate
access rights into a managed system.
● See Fig 1.13
● Quicker provision & deprovision
Poll: How long does it take to deprovision/lock all
passwords/etc on a user account in your org?
Identity Management
● Two Minutes Hate - topic: User Provisioning
● Backlog
○ Not Enough People to process
● Cumbersome
○ Too Complex, or time consuming = Errors
● Incomplete Forms
○ "I just check all the boxes."
● No Audit Trails
○ "Fuck it, we'll do it live!"
● Stale users
○ Ghost NDRs
Identity Management Challenges
● Consistency
○ User profile data should be consistent and
uniform.
● Usability
● Reliability
○ "My admin account never worked right, so I've
just been using the domain admin."
● Scalability
○ If you have 10,000 users, and your domain
controller is an old laptop, you're gonna have a bad
time.
Identity Management Challenges -
continued
● Can help with legal obligations, and
industry-specific compliance.
● When properly done, you can have finer
control (and flexibility) over what levels
the public, guests, vendors, contractors,
support, etc... groups have.
Other Considerations
● In general, an Org will either opt to be
Centralized, or Decentralized.
● Centralized:
○ All access decisions, provisioning, and
management is concentrated in a central location.
○ One entity (user/department/system) manages
the service for the entire org. Example: RADIUS
● Decentralized:
○ ID Management, authentication, and authorisation
decisions are moved closer to the local resource.
○ Could be per department.
Centralised Identity Management
● Authentication by knowledge
○ Something you know
■ Example: Password
● Authentication by possession
○ Something you have
■ Example: ID Badge
● Authentication by characteristic
○ Something you are
■ Example:
Authentication Methods
● Logical controls related to those types are
called "Factors"
● Single-Factor
○ Use of 1 Factor (makes sense, right?)
● Two-Factor
○ Usingtwoofthethreefactorswhoeditedthisbook?
● Three-Factor
○ You get the picture.
● The book mentions a possible 4th (Geolocation) by
GPS or IP.
Factors
● Passwords
○ Standard Words
■ God
● Easily Guessable
○ Combination
■ G0d
● Got an app for that
○ Complex
■ 1||$1D3j0|<3
● Harder to remember - people usually write these down or
have them somewhere.
● Passphrase
○ List of names, Phrase, or Mnemonic
■ Example: AD5wu5ydD!
● "Always do sober, what you said you'd do drunk." -Hemingway
Authentication by Knowledge
● Issues:
○ Cleartext
○ Offline and Off Site Cracking
● Passwords are often hashed, as an extra
measure of protection.
● Graphical Passwords
○ Protect somewhat against keyloggers
Passwords continued
● Token, Fob, Badge, Key, Ring, etc..
● Concept is to add an additional layer of
confidence.
● Two Methods:
○ Asynchronous
■ Challenge-Response
● Slide Card, Enter Pin
○ Synchronous
■ Time, Event, or Location
● Seed. Like the WoW account thingie.
Authentication By Possession
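The synchronous method above (a seed shared between the token and the server, with a code derived from an event counter or the clock) as working code. This is an added example, not code from the deck or the CBK: it implements the HOTP (RFC 4226, event-based) and TOTP (RFC 6238, time-based) derivations that phone apps and fobs use, and a verifier that tolerates one time step of clock drift. The seed is the RFC 4226 test key, used here only so the codes can be checked against the published vectors.

```python
"""Synchronous one-time-password token from a shared seed (added example).

Token and server share SEED and agree on a counter (event-based) or the
clock divided into 30-second steps (time-based). Both sides compute the
same code independently; nothing secret crosses the wire at login.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 test key. A real seed is random, per token, and never reused.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code: HMAC-SHA1(seed, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    so a slightly drifted token still works; constant-time compare per candidate."""
    current = at // step
    return any(hmac.compare_digest(hotp(seed, current + drift, len(code)), code)
               for drift in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("event codes 0..2:", [hotp(SEED, c) for c in range(3)])
    print("time code now   :", totp(SEED, now), "valid:", verify_totp(SEED, totp(SEED, now), now))
```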
● Physical device that contains credentials.
● Two Types:
○ Memory Cards
■ Swipe Cards. Mag Stripe.
■ Used + PIN, often.
■ Often the stripe is unencrypted (theft risk).
○ Smart Cards
■ Embedded Chip, that can accept, store, and
send information.
■ Some have apps.
● Used for Secure log-on, S/MIME, Secure Web Access,
VPNs, Hard Disk Encryption.
■ Helps integrate outside devices into Enterprise
PKI.
Static Authentication Devices
● Types of information on a smart card:
● Read only.
● Added only.
● Updated only.
● No Access available.
● Trusted Path
○ Login process is done by the reader, instead of
the host.
○ Minimises surface area, and "hops", with each
addition adding opportunity for security failures.
Smart-Card Segue
● ROM
○ Predetermined by MFGR
● Programmable Read-Only (PROM)
○ Can be modified, but looks like a pain in the ass.
● Erasable Programmable Read-Only
(EPROM)
○ Widely used early on, but the process is difficult.
Ultraviolet light? Really?
● Electrically Erasable PROM (EEPROM)
○ Current IC of choice.
● RAM
○ Not bad, actually, if used as a dead man's switch.
Smart Card Memory Types
● Data controls are intrinsic to how the IC
works.
● Example:
○ When power is applied to the smart card, the
process can apply logic to perform services and
take action or control of the EEPROM.
○ No power = no access = less exposure
● Mag Stripe & Contact, and Contactless
(RFID)
○ See Page 126-128 for Pinouts...
More Smart Card Stuff
The book mentions a few other possession-
based authentication devices, One of which
was USB devices.
iLok:
Footnote
● Biometrics
○ Two Types:
■ Physiological
● Example: Fingerprint, Hand, Face, Eyes
● Vascular Scans (They scan yer veins! And if you mash
your hand, you're SOL).
■ Behavioral
● Examples: Voice Pattern & Recognition. Keystroke
pattern (typing style), Signature dynamics.
○ Accuracy
■ Typical Passwords, tokens, and devices
provide a high degree of accuracy and
confidence.
■ Humans are different, and Environments are
different.
Authentication by Characteristic
● False Reject Rate (Type I Error):
○ When authorised users are falsely rejected as
unidentified or unverified.
● False Accept Rate (Type II Error):
○ When unauthorised persons or impostors are
falsely accepted as authentic.
● Crossover Error Rate (CER):
○ The point at which the false rejection rate and
the false acceptance rate are equal. The smaller
the value of CER, the more accurate the System.
Biometric Accuracy
● Not sensitive enough, and everyone will be
authorised.
● Too sensitive, and no one gets through.
● The "tune" of the system is largely based
on risk vs. importance of the controls,
resulting in an Org-accepted level of risk.
Biometric Accuracy - Cont'd
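The FRR / FAR / CER trade-off from the two slides above, computed over a constructed set of matcher scores. This is an added example, not material from the deck or the CBK: the score lists are made up (higher = live sample looks more like the enrolled template), and sweeping the decision threshold shows the "everyone gets in" and "no one gets through" extremes and the crossover point between them.

```python
"""False Reject Rate, False Accept Rate and Crossover Error Rate (added example).

Constructed matcher scores on a 0-100 scale. GENUINE are authorised users
matched against their own template; IMPOSTOR are other people matched
against that template. A sample is accepted when score >= threshold.
"""

GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 58]    # constructed
IMPOSTOR = [12, 20, 27, 33, 40, 48, 55, 62, 71, 83]   # constructed


def frr(genuine, threshold):
    """Type I error: fraction of authorised users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """Type II error: fraction of impostors accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover(genuine, impostor):
    """Sweep every threshold; return (threshold, CER) where FRR and FAR are closest.
    The first threshold achieving the minimum gap wins, so results are deterministic."""
    best = None
    for t in range(0, 101):
        r, a = frr(genuine, t), far(impostor, t)
        gap = abs(r - a)
        if best is None or gap < best[0]:
            best = (gap, t, (r + a) / 2)
    _, threshold, cer = best
    return threshold, cer


def tuning_table(genuine, impostor, thresholds):
    """Rows of (threshold, FRR, FAR) for the org to pick its accepted level of risk."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, r, a in tuning_table(GENUINE, IMPOSTOR, (0, 40, 60, 67, 80, 100)):
        print(f"threshold {t:3d}: FRR={r:.1f} FAR={a:.1f}")
    print("CER at threshold %d = %.2f" % crossover(GENUINE, IMPOSTOR))
```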
● Resistance to counterfeiting
○ A determined attacker can take advantage by
counterfeiting what is measured.
● Data storage requirements
○ Security of the data it's matching against.
● User acceptance
○ "Ain't nobody got time for that."
○ Enrollment speed.
● Reliability and accuracy
○ "The system...is down..."
● Target user and approach
○ Who and how?
Biometric Considerations
● The capabilities and level of confidence
increases as more factors and techniques
are included in the identification and
authentication process.
○ See Fig. 1.23
● "Strongest" leans towards Biometrics.
○ Strong:
■ Assurance that the authentication produced by
the method is valid.
○ Harder to implement, manage, impersonate.
○ As with anything, trade-offs.
Authentication Method Summary
Most prevalent considerations when looking
at an enterprise authentication method(s):
● The Value of the Protected Asset
○ High Value = More Complex method
● The Level of Threat to the Asset
○ Assess Risk. Real vs. Perceived.
● Potential Countermeasures
○ How can we reduce threat?
● The Cost of Countermeasures
○ "Consider the following..."
● Feasibility and inconvenience to users.
○ Participation vs. Annoyance.
Authentication Method Summary -
cont'd
...
● Term to describe how a single instance of
identification and authentication are
applied to resources.
○ Desktop Sessions can be controlled & protected:
■ Screensavers
● GPO
■ Timeouts
● Power Saver
■ Automatic Logouts
■ Login Limitations
■ Schedule Limitations
● Time/Day
Session Management
● Session Hijacking
○ Man-in-the-Middle attacks.
○ Session Sniffing.
○ Cross-Site Scripting attacks.
Logical Sessions
● Being able to determine who or what is
responsible for an action, and can be held
responsible.
● Repudiation (as defined by the book)
○ The ability to deny an action, event, impact, or
result.
● Non-repudiation (Cue Tim)
○ The process of ensuring that a user may not deny
an action. Accountability relies on non-repudiation
heavily.
Accountability
● Strong Identification
○ NO SHARED ACCOUNTS!
● Strong Authentication
○ Biometrics
● User training and awareness
○ Are users aware of the consequence?
● Comprehensive and Timely Monitoring
○ IDS
● Accurate and Consistent Audit Logs
○ Collect and consolidate. Security Information and
Event Management (SIEM) Systems.
○ Splunk (shudder)
Factors contributing to
accountability of actions
● Independent Audits
○ Unbiased review. Helps root out accountability in
the event of collusion.
○ Helps shape culture.
● Policies enforcing Accountability
○ HR's teeth.
● Org Culture supporting Accountability
○ "Do as I say, not as I do."
Factors contributing to
accountability of actions - cont'd
access-control-week-2

  • 1. Pages 81 - 148 CISSP CBK 3rd
  • 2. ● Access Control Techniques ○ Methods ● Identification and Authentication ○ Types and Strategies ● Identification Management ○ Considerations ● Authentication Methods ○ How to establish ● Sessions ○ Strategies on how to control What the pages cover
  • 3. Access Control ● Only Authorised Users, Programs, and/or systems are allowed to access resources. Access Control Techniques ● How we can determine which users, programs or systems, what resources, and what access. ● Methods of organising and protecting data. Access Controls - Continued
  • 4. "Yo, Check out that sweet role-based access control..." - Lord Nikon Access Control Techniques
  • 5. The process of translating the balance between Access controls enforced by the Organization, and information owners to can have access, can be defined by three general frameworks: ● Discretionary (DACs) ● Non-Discretionary ● Mandatory (MACs) Discretionary and Mandatory Access Controls
  • 6. Discretionary: ● Controls placed on data by the owner of the data. The owner decides who, and what privilege. ● User-centric (User is responsible). Mandatory: ● Controls are determined by the system and based on Organisational Policy. ● System-centric (User vs. Resource Classification). ● The Information Owner provides who needs to know. System makes decision against that criteria. ● man chmod Discretionary and Mandatory Access Controls - continued.
  • 7. ACL's (Access Control Lists) ● Keyword Pattern & Action ○ Examples: MAC Address filtering ● If no matches or unspecified actions - default will either be deny by default or allow by default (based on the org's stance). ● Structure of access is often based on Organization Structure (Users into Groups. Groups into file and directory permissions). Data Access Controls
  • 8. ● An ACL in the form of a table. ● Unwieldy for large environments, but useful when designing a system, or looking at smaller portions. Access Control Matrix
  • 9. ● Access is based on a predefined set of rules. ● These rules specify the privileges granted to users when specific conditions are met. ○ Example: ■ The Standard ACL says that Jr. Admin Bob can access the Dubstep MP3 Folder, but the rule based system would specify that while he can access it, he can only access the folder between 5PM and 8AM (outside of Sr. Admin Barry's Office Hours). Rule-based Access Control
  • 10. ● RBAC bases the access control authorizations on the roles or functions that the user is assigned within an organization. ● The determination of what roles have what access, can be governed by both the Data Owner, or the applied based on Org Policy. Role-Based Access Controls
  • 11. The four basic RBAC architectures: ● Non-RBAC ○ Traditional user-granted access (like ACL's).No formal roles or mapping. ● Limited RBAC ○ Users are mapped to a single application only. ● Hybrid RBAC ○ Users are mapped to multiple applications, that subscribe to the Org's role-based model. ● Full RBAC ○ Enterprise wide. Top down, from role policy. See Fig. 1.11 RBAC - Continued
  • 12. ● RBAC is easily modeled after the organisations own organization, or functional structure. ○ Personal moves are simplified (job role is tied to access). See also "The Triangle of Power" by Matt Byrd, MSFT: http://blogs.technet. com/b/exchange/archive/2009/11/16/340882 5.aspx RBAC - Continued
  • 13. ● Content dependant access controls are based on the data. The control mechanism examines the data, and makes decisions based on what it finds. ● Constrained User Interface is a method of restricting users to functions in the UI, based on role in the system. ○ Example: AS/400 Payroll Menus, POS unit, or Views in a database. Miscellaneous Controls
  • 14. ● Capability tables are used to match subjects (like users or process) and their capabilities (read, write, etc..). ● Temporal (Time-based) Isolation limits access based on time. ○ Examples: Dubstep MP3 Folder, or Limiting access to change Payroll to the first 4 hours of the day. Miscellaneous Controls - cont'd
  • 15. ● Identification ○ Provides uniqueness and accountability (when done properly) ● Authentication ○ Provides validity. You are expected, and trusted. ● Authorization ○ Provides Control. Identification and Authentication
  • 16. Identification provides a point of assignment and association to a user entity within a system. Can be user, service account, etc... Examples: ● User Name ● User ID ● Account Number ● PIN ● Certificates Identification Methods
  • 17. ● The Identification Badge is the most common form of Physical identification. ○ Name, Logo, Face, Colour, etc.. ● Policy usually dictate they must be worn at all times. ● "Badge Check" ● Usually tied together with an access badge & reader. ● RFID Badges
  • 18. ● User ID ○ Only use it as a system ID, not an authenticator. ● MAC (Media Access Control) ○ No longer a good way to authenticate a user (spoofable). ● IP Address ○ Logical Location on network. Set by software, not a good indicator. ○ Subnets ● Email Address ○ Concept is email is globally unique, however it's spoofable and only unique by convention. Other Types
  • 19. ● Three Essential Security characteristics regarding identities: ○ Uniqueness ■ Must be unambiguous & distinct ■ Can be duplicated across systems, but bad practice ○ Non Descriptiveness ■ billg@microsoft.com ■ Samir_Nagheenanajar@Initech.com ■ CIO@Wellsfargo.com ○ Secure Issuance ■ Documentable and traceable. User Identification Guidelines
• 20.
● Every system must track valid users and control their permissions, across different types of administrative software and processes.
● Account creation process & propagation.
● Goal of the system is to consolidate access rights into a managed system.
● See Fig 1.13
● Quicker provisioning & deprovisioning
Poll: How long does it take to deprovision/lock all passwords/etc on a user account in your org?
Identity Management
• 21.
● 2 Minutes Hate - topic: User Provisioning
● Backlog
○ Not Enough People to process
● Cumbersome
○ Too Complex, or time consuming = Errors
● Incomplete Forms
○ "I just check all the boxes."
● No Audit Trails
○ "Fuck it, we'll do it live!"
● Stale users
○ Ghost NDRs
Identity Management Challenges
• 22.
● Consistency
○ User profile data should be consistent and uniform.
● Usability
● Reliability
○ "My admin account never worked right, so I've just been using the domain admin."
● Scalability
○ If you have 10,000 users, and your domain controller is an old laptop, you're gonna have a bad time.
Identity Management Challenges - continued
• 23.
● Can help with legal obligations, and industry-specific compliance.
● When properly done, you can have finer control (and flexibility) over what levels the public, guests, vendors, contractors, support, etc... groups have.
Other Considerations
• 24.
● In general, an Org will either opt to be Centralized, or Decentralized.
● Centralized:
○ All access decisions, provisioning, and management is concentrated in a central location.
○ One entity (user/department/system) manages the service for the entire org. Example: RADIUS
● Decentralized:
○ ID Management, authentication, and authorisation decisions are moved closer to the local resource.
○ Could be per department.
Centralised Identity Management
• 25.
● Authentication by knowledge
○ Something you know
■ Example: Password
● Authentication by possession
○ Something you have
■ Example: ID Badge
● Authentication by characteristic
○ Something you are
■ Example:
Authentication Methods
• 26.
● Logical controls related to those types are called "Factors"
● Single-Factor
○ Use of 1 Factor (makes sense, right?)
● Two-Factor
○ Usingtwoofthethreefactorswhoeditedthisbook?
● Three-Factor
○ You get the picture.
● The book mentions a possible 4th (Geolocation) by GPS or IP.
Factors
• 27.
● Passwords
○ Standard Words
■ God
● Easily Guessable
○ Combination
■ G0d
● Got an app for that
○ Complex
■ 1||$1D3j0|<3
● Harder to remember - people usually write these down or have them somewhere.
● Passphrase
○ List of names, Phrase, or Mnemonic
■ Example: AD5wu5ydD!
● "Always do sober, what you said you'd do drunk." -Hemingway
Authentication by Knowledge
• 28.
● Issues:
○ Cleartext
○ Offline and Off Site Cracking
● Passwords are often hashed, as an extra measure of protection.
● Graphical Passwords
○ Protect somewhat against keyloggers
Passwords continued
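Added example (not from the slides or the CISSP CBK) of the cleartext vs. hashed point: a credential store holding passwords as-is, beside one holding salted, deliberately slow hashes built with the standard library's `hashlib.pbkdf2_hmac`. The user name, the password (the slide's "G0d") and the iteration count are constructed for illustration.

```python
"""Added example, not from the slides or the CISSP CBK: the difference
between a cleartext credential store and one holding salted, slow hashes,
using only the standard library (hashlib.pbkdf2_hmac). Users and passwords
below are constructed; the iteration count is an assumption for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # deliberately slow: raises the cost of offline cracking

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])

def verify_password(password, stored):
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)

# Cleartext store: anyone who reads the file has every password.
CLEARTEXT_STORE = {"samir": "G0d"}
# Hashed store: the same file yields only salted hashes to be cracked offline.
HASHED_STORE = {"samir": hash_password("G0d")}

def cleartext_login(user, password):
    return CLEARTEXT_STORE.get(user) == password

def hashed_login(user, password):
    stored = HASHED_STORE.get(user)
    return stored is not None and verify_password(password, stored)

def same_password_different_hashes(password):
    """Two enrolments of one password differ, because each gets its own salt."""
    return hash_password(password) != hash_password(password)

if __name__ == "__main__":
    print("cleartext store holds:", CLEARTEXT_STORE["samir"])
    print("hashed store holds:   ", HASHED_STORE["samir"])
    print("login G0d ->", hashed_login("samir", "G0d"), "| login god ->", hashed_login("samir", "god"))
```

The salt is what makes "Off Site Cracking" expensive: without it, one precomputed table cracks every user who picked "G0d"; with it, each hash has to be attacked on its own, and the iteration count sets the price per guess.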
• 29.
● Token, Fob, Badge, Key, Ring, etc..
● Concept is to add an additional layer of confidence.
● Two Methods:
○ Asynchronous
■ Challenge-Response
● Slide Card, Enter PIN
○ Synchronous
■ Time, Event, or Location
● Seed. Like the WoW account thingie.
Authentication By Possession
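Added example (not from the slides or the CISSP CBK) showing both token methods end to end with a shared seed and HMAC from the standard library. Asynchronous: the server sends a random challenge and the token answers with HMAC(seed, challenge), each challenge usable once. Synchronous: the token and server both compute HMAC(seed, current 30-second time step), which is the TOTP construction of RFC 6238 (the "seed" the slide mentions). The seed and clock values are constructed; only the RFC test vector in the usage note is real.

```python
"""Added example, not from the slides or the CISSP CBK: the two possession-
based token methods, asynchronous challenge-response and synchronous
time-based codes (HOTP/TOTP as in RFC 4226 / RFC 6238), built on HMAC.
The shared seed and the clock values are constructed for illustration."""
import hashlib
import hmac
import os
import struct

SEED = b"constructed-shared-seed-not-a-real-key"  # provisioned into the token

# --- Asynchronous: challenge-response ------------------------------------
def new_challenge():
    return os.urandom(16)  # unpredictable and single-use

def token_response(seed, challenge):
    return hmac.new(seed, challenge, hashlib.sha256).hexdigest()

def server_verify_response(seed, challenge, response, used_challenges):
    """Accept a correct answer once only; a replayed challenge is rejected."""
    if challenge in used_challenges:
        return False
    used_challenges.add(challenge)
    return hmac.compare_digest(token_response(seed, challenge), response)

# --- Synchronous: time-based one-time code ---------------------------------
def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed, unix_time, step=30):
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(seed, unix_time // step)

def server_verify_totp(seed, code, unix_time, step=30, skew=1):
    """Accept the current step plus/minus `skew` steps to tolerate clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-skew, skew + 1))

if __name__ == "__main__":
    ch = new_challenge()
    print("challenge-response ok:", server_verify_response(SEED, ch, token_response(SEED, ch), set()))
    print("TOTP at t=999990:", totp(SEED, 999_990))
```

The same seed serves both methods; what differs is the input to the HMAC. A challenge is never reused, which is why the server remembers the ones it has issued; a time step naturally expires after 30 seconds, so the server only needs a small drift window. The RFC 4226 test vector (seed `12345678901234567890`, counter 1, code `287082`) can be used to check the HOTP routine.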
• 30.
● Physical device that contains credentials.
● Two Types:
○ Memory Cards
■ Swipe Cards. Mag Stripe.
■ Used + PIN, often.
■ Often the stripe is unencrypted. Theft.
○ Smart Cards
■ Embedded Chip, that can accept, store, and send information.
■ Some have apps.
● Used for Secure log-on, S/MIME, Secure Web Access, VPN's, Hard Disc Encryption.
■ Helps integrate outside devices into Enterprise PKI.
Static Authentication Devices
• 31.
● Types of information on a smart card:
● Read only.
● Added only.
● Updated only.
● No Access available.
● Trusted Path
○ Login process is done by the reader, instead of the host.
○ Minimises surface area, and "hops", with each addition adding opportunity for security failures.
Smart-Card Segue
• 32.
● ROM
○ Predetermined by MFGR
● Programmable Read-Only (PROM)
○ Can be modified, but looks like a pain in the ass.
● Erasable Programmable Read-Only (EPROM)
○ Widely used early on, but the process is difficult. Ultraviolet light? Really?
● Electrically Erasable PROM (EEPROM)
○ Current IC of choice.
● RAM
○ Not bad, actually, if used as a Deadmans switch.
Smart Card Memory Types
• 33.
● Data controls are intrinsic to how the IC works.
● Example:
○ When power is applied to the smart card, the process can apply logic to perform services and take action or control of the EEPROM.
○ No power = no access = less exposure
● Mag Stripe & Contact, and Contactless (rfid)
○ See Page 126-128 for Pinouts...
More Smart Card Stuff
• 34.
The book mentions a few other possession-based authentication devices, one of which was USB devices.
iLok:
Footnote
• 35.
● Biometrics
○ Two Types:
■ Physiological
● Example: Fingerprint, Hand, Face, Eyes
● Vascular Scans (They scan yer veins! And if you mash your hand, you're SOL).
■ Behavioral
● Examples: Voice Pattern & Recognition. Keystroke pattern (typing style), Signature dynamics.
○ Accuracy
■ Typical Passwords, tokens, and devices provide a high degree of accuracy and confidence.
■ Humans are different, and Environments are different.
Authentication by Characteristic
• 36.
● False Reject Rate (Type I Error):
○ When authorised users are falsely rejected as unidentified or unverified.
● False Accept Rate (Type II Error):
○ When unauthorised persons or imposters are falsely accepted as authentic.
● Crossover Error Rate (CER):
○ The point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of CER, the more accurate the System.
Biometric Accuracy
• 37.
● Not sensitive enough, everyone will be authorised.
● Too sensitive, and no one gets through.
● The "tune" of the system is largely based on risk vs. importance of the controls, resulting in an Org-accepted level of risk.
Biometric Accuracy - Cont'd
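Added example (not from the slides or the CISSP CBK) that makes the last two slides concrete: a matcher produces a similarity score, the system accepts scores at or above a threshold, and FRR, FAR and the CER all follow from where that threshold sits. The two score lists are constructed (ten genuine users, ten impostors) so the numbers can be checked by hand; `threshold_for_risk` is the "Org-accepted level of risk" tuning, picking the loosest threshold that keeps FAR within a limit and reporting the FRR users pay for it.

```python
"""Added example, not from the slides or the CISSP CBK: FRR (Type I), FAR
(Type II) and the crossover error rate computed from a decision threshold
over constructed matcher scores. Higher score = better match; a score at or
above the threshold is accepted."""
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.55, 0.50]  # constructed
IMPOSTOR = [0.62, 0.58, 0.52, 0.47, 0.45, 0.40, 0.33, 0.30, 0.22, 0.15]  # constructed

def false_reject_rate(genuine, threshold):
    """Type I: share of legitimate users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def false_accept_rate(impostor, threshold):
    """Type II: share of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def crossover(genuine, impostor, steps=100):
    """Sweep thresholds 0..1; return (threshold, cer) where FRR and FAR meet."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]

def threshold_for_risk(genuine, impostor, max_far, steps=100):
    """Org-accepted risk: the lowest threshold keeping FAR <= max_far,
    returned with the FRR that setting imposes on legitimate users."""
    for i in range(steps + 1):
        t = i / steps
        if false_accept_rate(impostor, t) <= max_far:
            return t, false_reject_rate(genuine, t)
    return 1.0, 1.0

if __name__ == "__main__":
    print("threshold 0.0: FRR=%.2f FAR=%.2f (everyone gets in)" %
          (false_reject_rate(GENUINE, 0.0), false_accept_rate(IMPOSTOR, 0.0)))
    print("threshold 1.0: FRR=%.2f FAR=%.2f (nobody gets in)" %
          (false_reject_rate(GENUINE, 1.0), false_accept_rate(IMPOSTOR, 1.0)))
    print("crossover (threshold, CER):", crossover(GENUINE, IMPOSTOR))
    print("no impostor accepted ->", threshold_for_risk(GENUINE, IMPOSTOR, 0.0))
```

With these scores the curves cross at threshold 0.56 with CER 0.20; pushing FAR to zero needs threshold 0.63 and rejects three of the ten genuine users, which is the trade the slide describes.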
• 38.
● Resistance to counterfeiting
○ A determined attacker can take advantage by counterfeiting what is measured.
● Data storage requirements
○ Security of the data it's matching against.
● User acceptance
○ "Ain't nobody got time for that."
○ Enrollment speed.
● Reliability and accuracy
○ "The system...is down..."
● Target user and approach
○ Who and how?
Biometric Considerations
• 39.
● The capabilities and level of confidence increase as more factors and techniques are included in the identification and authentication process.
○ See Fig. 1.23
● "Strongest" leans towards Biometrics.
○ Strong:
■ Assurance that the authentication produced by the method is valid.
○ Harder to implement, manage, impersonate.
○ As with anything, trade-offs.
Authentication Method Summary
• 40.
Most prevalent considerations when looking at an enterprise authentication method(s):
● The Value of the Protected Asset
○ High Value = More Complex method
● The Level of Threat to the Asset
○ Assess Risk. Real vs. Perceived.
● Potential Countermeasures
○ How can we reduce threat?
● The Cost of Countermeasures
○ "Consider the following..."
● Feasibility and inconvenience to users.
○ Participation vs. Annoyance.
Authentication Method Summary - cont'd
  • 41. ...
• 42.
● Term to describe how a single instance of identification and authentication is applied to resources.
○ Desktop Sessions can be controlled & protected:
■ Screensavers
● GPO
■ Timeouts
● Power Saver
■ Automatic Logouts
■ Login Limitations
■ Schedule Limitations
● Time/Day
Session Management
• 43.
● Session Hijacking
○ Man-In-The-Middle attacks.
○ Session Sniffing.
○ Cross-Site Scripting attacks.
Logical Sessions
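Added example (not from the slides or the CISSP CBK) covering the two session slides together: a small session store that enforces an idle timeout, an absolute lifetime and a time-of-day schedule limitation, and that uses unguessable identifiers rotated on login or privilege change, which is the usual defence against the hijacking risks listed above (a sniffed or injected identifier stops working as soon as it is rotated or expires). The timeouts, the allowed hours and the timestamp `T0` are constructed values; callers pass the clock in as unix seconds so the logic is deterministic.

```python
"""Added example, not from the slides or the CISSP CBK: session management
controls (idle timeout, absolute lifetime, schedule limitation) plus
identifier rotation as a hijacking mitigation. All limits and timestamps
are constructed for illustration; the caller supplies the clock."""
import secrets
from datetime import datetime, timezone

IDLE_TIMEOUT = 15 * 60         # constructed: log out after 15 idle minutes
ABSOLUTE_LIFETIME = 8 * 3600   # constructed: re-authenticate after 8 hours regardless
ALLOWED_HOURS = range(7, 19)   # constructed schedule limitation: 07:00-18:59 UTC
T0 = 1_699_952_400             # constructed clock: 2023-11-14 09:00:00 UTC

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 random bits: not guessable

    def create(self, user, now):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def rotate(self, sid, now):
        """Issue a fresh id for the same session. Call after login and on any
        privilege change, so an id captured earlier no longer maps to anything."""
        data = self._sessions.pop(sid)
        data["last_seen"] = now
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def validate(self, sid, now):
        """Return (user or None, reason). A failed check removes the session."""
        data = self._sessions.get(sid)
        if data is None:
            return None, "unknown session"
        hour = datetime.fromtimestamp(now, tz=timezone.utc).hour
        if hour not in ALLOWED_HOURS:
            self._sessions.pop(sid)
            return None, "outside allowed schedule"
        if now - data["created"] > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid)
            return None, "absolute lifetime exceeded"
        if now - data["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None, "idle timeout"
        data["last_seen"] = now
        return data["user"], "ok"

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", T0)
    print(store.validate(sid, T0 + 60))                     # ('alice', 'ok')
    new_sid = store.rotate(sid, T0 + 120)
    print(store.validate(sid, T0 + 130))                    # old id: unknown session
    print(store.validate(new_sid, T0 + 130))                # ('alice', 'ok')
    print(store.validate(new_sid, T0 + 130 + IDLE_TIMEOUT + 1))  # idle timeout
```

Every failed check deletes the session rather than just reporting on it, so a stale identifier cannot be revived by a later request; the absolute lifetime is checked independently of activity, which is what stops a hijacked-but-kept-alive session from living forever.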
• 44.
● Being able to determine who or what is responsible for an action, and can be held responsible.
● Repudiation (as defined by the book)
○ The ability to deny an action, event, impact, or result.
● Non-repudiation (Cue Tim)
○ The process of ensuring that a user may not deny an action. Accountability relies on non-repudiation heavily.
Accountability
• 45.
● Strong Identification
○ NO SHARED ACCOUNTS!
● Strong Authentication
○ Biometrics
● User training and awareness
○ Are users aware of the consequence?
● Comprehensive and Timely Monitoring
○ IDS
● Accurate and Consistent Audit Logs
○ Collect and consolidate. Security Information and Event Management (SIEM) Systems.
○ Splunk (shudder)
Factors contributing to accountability of actions
• 46.
● Independent Audits
○ Unbiased review. Helps root out accountability in the event of collusion.
○ Helps shape culture.
● Policies enforcing Accountability
○ HR's teeth.
● Org Culture supporting Accountability
○ "Do as I say, not as I do."
Factors contributing to accountability of actions - cont'd