Академический Документы
Профессиональный Документы
Культура Документы
CISSP
Lecture-2, Access Control
By. Medhat Mousa.
Subject
Object
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Access Control
Access Control
Access Control
(DRDos)
Buffer Overflow Attacks
Mobile Code
Malicious Software
Password Crackers
Spoofing/Masquerading
Access Control
Data
Remanence
Dumpster
Diving
Backdoor/Trapdoor
Theft
Social Engineering
Phishing, Pharming
Eavesdropping and Shoulder Surfing
Access Control
Define
Resources
Determine Users
Specify Use
Access Control
Access Control
Protection
Unauthorized access
from
Unauthorized use
Disclosure
Protect data
Residing on systems
In transit
In process
Access Control
Threats
Sniffing
Stealing password files
Social engineering
Shoulder surfing
Eavesdropping
Poor user training/awareness
Disclosure
Access Control
Countermeasures
Encryption
Traffic padding
Access controls
Authentication
Data classification
Personnel training
Shielding
Access Control
Access Control
reliability
objects
their subjects
veracity only
Ensures
Modifications
byretain
authorized
Detects alterations that have occurred
In storage
In transit
In process
Access Control
Attacks on Integrity
Viruses
Logic bombs
Unauthorized access
Malicious modifications
Data diddling The act of making small changes to data
System back doors
Human error, oversight, or
ineptitude
Alteration
Coding errors
Access Control
Countermeasures
Strict access controls
Rigorous authentication procedures
Intrusion detection systems
Object/data encryption
Hash total verifications
Interface restrictions
Input/function checks
Extensive personnel training
Access Control
Access Control
Controls ensure:
Authorized access
Acceptable level of
performance
Fault tolerance
Redundancy
Reliable backups
Prevention of data loss or
destruction
Access Control
Threats
Device failure
Destruction
Software errors
Environmental issues
Attacks
DoS
Object
destruction
Communication interruptions
Human error, oversight, or
ineptitude
Access Control
Countermeasures
Proper systems design
Software design and testing
Effective access controls
Monitoring performance & network traffic
Perimeter security devices
Implementing redundancy
Maintaining & testing backups
Access Control
Access Control
often
at odds with each other
The security mission is to find balance between
the concepts
Access Control
Access Control
Privacy
Identification
Authentication
Authorization
Accountability
Nonrepudiation
Auditing
Access Control
(PII):
Online visitors
Customers
Employees
Suppliers
Contractors
Access Control
Access Control
device
Biometrics
Often public information
Access Control
Verifies/Validates the
identity
Forms
Something you know
Something
you have
Something you are
Compares factors against a database
Access Control
user,
or process
program,
Access control
matrix compares
Subject
Object
Intended
activity
Access Control
activities
Assesses adequacy of system controls
Ensures compliance with polices
Detects malicious activity
Evidence for prosecution
Provides problem reporting and analysis
Access Control
identity
activities
and
Established
by
Auditing
Authorization
Authentication
Identification
Access Control
http://www.trainingmagnetwork.com/account/login
Access Control
Subject
The active entity on the network
Object
The passive entity on the
network
Access Control
AAA
Authenticatio
n
Authorization
Accounting
Access Control
(PIN)
identification
Non-descriptive:
Should not
expose role or job function of the
user
Issuance:
Must be secure and
documented
Access Control
Password management
Account management
Profile management
Directory management
Single sign on
Access Control
Automated or self-service
Self-service allows users to manage those parts of
Access Control
Separation
of Duties
Need
to Know
Authorization creep
Compartmentalization
Allow by default
Security Domain
Deny
by default
Least
Privilege
Defense
in Depth
Access Control
Access
Access Control
Interface
Centralized Access Control
Decentralized Access Controls
Access Control
Access Control
Access Control
It uses a program
to
therequires
data to more
make processing
decisions.
investigate
It creates and
power.
Types:
Database views
URL Filters
Virus Scanning
Application Layer Proxy / Firewall
Intrusion Detection / Prevention Systems
Access Control
of Trust
Examples: RADIUS
Access Control
Access Control
Access Control
Authorization Creep
Access Control
Access Control
to specific objects
Accounting-logs each RADIUS connection
UDP; port 1812/1645 for transport; 1813/1646 for
auditing.
1645 and 1646 are the old ports and may
be used by older versions. RFC 2865
Supports PAP, CHAP(password may be
stored unencrypted),EAP
Only PW encrypted in transit
Request and response data carried in Attribute
Value Pairs (AVP)
RADIUS 8 bit 256 possible AVPs
Access Control
Access-Request
Access-Accept
Access-Reject
Accounting Request
Accounting-
Response
Access-Challenge
Access Control
with RADIUS
Better performance and encryption
Single server to handle policies- RADIUS
needs more.
It uses TCP port 3868
Security provided by TLS or IPSEC
32 bit billions of Attribute Value Pairs (AVP)
can support mobile remote users
Better for roaming support
Access Control
Replaces
previous version
(TACACS/XTACACS)
UDP/TCP port 49
Allows for two factor
authentication (static
passwords in previous
versions)
Encrypts all data below
the TACACS+ header
(password and username)
Similar functionality to
RADIUS
Access Control
Periodically
Provides
centralized authentication
Authenticates in one direction but can be used for
mutual authentication
Passwords not exposed to network
Access Control
Access Control
data
incommon
a tree like
structure
Operate
Four most
directory
standards:
X.500
LDAP
Active Directory
X.400
Access Control
ISO 9594
Consists of four separate protocols:
Directory
protocol
Directory system protocol (DSP)
Directory information shadowing
protocol (DISP)
Directory operational bindings management
protocol (DOP)
Access Control
attributes are:
DN (distinguished
name), CN (common name), DC (domain
component), and OU (organizational unit)
Used 389 if unsecured, 636 if secured
Access Control
Microsoft based
implementation of LDAP
Uses LDAP for
naming structure.
Directories are organized
into forests and trees
Domains are identified by
their DNS name
Objects are grouped by
organizational units
Access Control
NetBIOS
Access Control
Potential spoofing
Access Control
Least
Privilege
Separation of
Duties
Rotation
of Duties
Access Control
Access Control
of Sensitive Data
Better Return on Security Investment
Establishes ownership of information
Greater Understanding of the Location of
Information in the Infrastructure
Access Control
Procedures
Develop Tools for Implementation
Identify Application and Data Owners
and
Delegation
Develop Templates, Labeling and
Marking
Access Control
Classifications
Conduct Classification Assurance Testing
Access Control
to protect data
Formalize & stratify the labeling process
Access Control
Criteria Based on
Usefulness
Timeliness
Value or cost
Maturity or age
Lifetime
Disclosure data
Access Control
Addresses
Data removal
Data destruction
Access Control
Commercial
Military
Level
Type
Result if Disclosed
Top Secret
highest
grave danger
Secret
restricted data
critical damage
Confidential
serious damage
SBU
private in nature
no significant damage
Unclassified
lowest
no noticeable damage
Confidential
negative impact
Private
personal in nature
Sensitive
negative impact
Public
lowest
no serious impact
Access Control
Confidential
Policy driven
Used in routers and firewalls for network access
Used in file systems NTFS
Performs a match on the resource
to networks
Based upon policies
Most common use is in the DAC model
What objects can be accessed by what users and
Mary:
UserMaryDirectory Full Control
UserBobDirectory Write
Printer001 - Execute
Access Control
Access Control
into
the matrix
File X
Dir Y
Printer Z
RW
Print
Operators
RW
RWX
FC
Service-Firewall
NA
NA
Bob
Access Control
them
access
to request
to specific
certain system
functions,
resources.
information or have
Three types of restricted interfaces:
Menus and shells
Database views
Physically constrained interfaces
Access Control
Access Control
Control:
Administrative
Physical
/ Operational controls
Controls
Technical
/ Logical Controls
Access Control
administrative functions
Security
Policy
Operational Procedure (Security / Operational)
Personnel Security, Evaluation, and Clearance
Monitoring and Supervision
User Management
Privilege Management
Access Control
segregation
Perimeter security
Computer controls
Work area separation
Data backups
Cabling
Access Control
access
Network access
Remote access
System access
Application access
Malware control
Encryption
Access Control
Preventive
Stop
unwanted / unauthorized
activity
Deterrent Discourage a
potential attacker
Detective Identify an
incidents activities
Corrective Fix systems
after an incident
Recovery
Restores
resources and capabilities
Directive Controls put
in place due to regulation
or environmental
requirement
Compensating Provide
alternatives to other
controls
(security
policy, personnel
supervision)
Access Control
Use
Administrative
Deterrent
Preventive
Detective
Corrective
Recovery
Compensating
Policy
User
Registration
Procedures
Review
Violation
Report
Termination
Disaster
Recovery Plan
Supervision,
Job Rotation
Password
Based Login
Logs, IDS
Unplug,
Isolate,
Terminate
Connection
Tape backup
Logging,
CCTV,
Keystroke
monitoring
Technical
Warning
Banner
Physical
Beware of
Dog Sign
Fence
Sentry,
CCTV
Fire
Extinguisher
Access Control
Reconstruction,
Rebuild
Layered
Defense
Verifying the
Claimant
Three
Typetypes:
1 - Something you know (knowledge)
Type
Access Control
PIN
Password
Pass
phrases
Cognitive
Composition
One-time
Access Control
Dictionary attack
Brute force attack
Hybrid attack
Social engineering
Key stroke loggers
Improve security with:
One-way encryption
Account lockout
Auditing
Training
Hardware
Storage of Passwords
Graphical Passwords
Access Control
Access Control
enterprise
Passwords synchronized across multiple systems
May provide self registration procedures and
personal security questions
At a minimum a password management
system will:
Track password history
Manage password aging
Manage password construction and length
Store passwords with non-reversible
encryption
(hash)
Access Control
Token
Static password token
Device
Synchronous token
Asynchronous token
Challenge-Response
Access Control
Information
Information
Information
Information
Information
Behavioral
Signature Dynamics
Keyboard Dynamics
Gait
Physiological
Fingerprint
Palm Scan
Hand Geometry
Retina Scan
Iris Scan
Facial Scan
Voice recognition
Access Control
Resistance to counterfeiting
Throughput and enrollment times
Data storage requirements
User acceptance
Reliability and accuracy
Access Control
best)
Something you
stored on PC)
Something you
w/pin)
Something you
Something you
Access Control
Access Control
Two-factor /
Multi-
to be deployed.
To enter a secured building, you must insert your
key card (Type 2) and undergo a retina scan (Type 3)
Strong authentication:
Requires two or more methods
Two factor and three factor are strong
authentication
Access Control
Mutual:
Requires that both parties authenticate with each
Access Control
logon process
No need for multiple passwords
Centralized Administration
Cons:
Compromised
password
Not compatible with all of systems
Access Control
Access Control
Default
authentication
protocol for
Windows Server 2K8,
7E, 2K3, 2k, and
Workstation XP
authentication
protocol
Establishes single-sign on
Uses symmetric keys for encryption.
or asymmetric encryption involved.
Access Control
No PKI
Kerberos
AKA
Server (AS)
Ticket-Granting
Server (TGS)
users or services
Access Control
Realm
set
Principals
entities
Ticket
tickets
Access Control
Access Control
a timely manner.
Since
stored on
the users workstation and could be
compromised.
Access Control
attack is in progress.
Network traffic is not protected by Kerberos
Encryption
must be enabled
Access Control
Vendor Environment
Offers SSO
Uses symmetric and asymmetric encryption
Compatible with Kerberos V.5
Uses public key cryptography to distribute secret
keys
Uses Privilege Attribute Certificates (PAC) instead
of Kerberos tickets
Access Control