More Related Content Similar to Funsec3e ppt ch05 (20) More from Skillspire LLC (20) Funsec3e ppt ch051. © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 5
Access Controls
2. Page 2
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 2
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective(s)
Explain the role of access controls in an IT
infrastructure.
3. Page 3
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 3
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Concepts
Access control concepts and technologies
Formal models of access control
How identity is managed by access control
Developing and maintaining system access
controls
4. Page 4
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 4
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Defining Access Control
The process of protecting a resource so
that it is used only by those allowed to
Prevents unauthorized use
Mitigations put into place to protect a
resource from a threat
5. Page 5
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 5
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Four Parts of Access Control
Access Control
Component Description
Identification Who is asking to access the
asset?
Authentication Can their identities be verified?
Authorization What, exactly, can the requestor
access? And what can they do?
Accountability How are actions traced to an
individual to ensure the person
who makes data or system
changes can be identified?
6. Page 6
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 6
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Policy Definition and Policy
Enforcement Phases
Policy definition phase—Who has access
and what systems or resources they can use
• Tied to the authorization phase
Policy enforcement phase—Grants or
rejects requests for access based on the
authorizations defined in the first phase
• Tied to identification, authentication, and
accountability phases
7. Page 7
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 7
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Two Types of Access Controls
•Controls entry into
buildings, parking lots,
and protected areas
Physical
•Controls access to a
computer system or
network
Logical
8. Page 8
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 8
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Physical Access Control
Smart cards are an example
Programmed with ID number
Used at parking lots, elevators, office doors
Shared office buildings may require an
additional after hours card
Cards control access to physical resources
9. Page 9
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 9
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Logical Access Control
Deciding which users can get into a system
Monitoring what each user does on that
system
Restraining or influencing a user’s behavior
on that system
10. Page 10
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 10
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The Security Kernel
Enforces access control for computer
systems
Central point of access control
Implements the reference monitor concept
11. Page 11
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 11
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Enforcing Access Control
12. Page 12
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 12
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Access Control Policies
•People who use the system or
processes (subjects)
Users
•Protected objects in the system
Resources
•Activities that authorized users
can perform on resources
Actions
•Optional conditions that exist
between users and resources
Relationships
Four central components of access control:
13. Page 13
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 13
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Logical Access Control Solutions
Logical Controls Solutions
Biometrics • Static: Fingerprints, iris granularity, retina blood
vessels, facial features, and hand geometry
• Dynamic: Voice inflections, keyboard strokes, and
signature motions
Tokens • Synchronous or asynchronous
• Smart cards and memory cards
Passwords • Stringent password controls for users
• Account lockout policies
• Auditing logon events
Single sign-on • Kerberos process
• Secure European System for Applications in a
Multi-Vendor Environment (SESAME)
14. Page 14
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 14
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authorization Policies
15. Page 15
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 15
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Methods and Guidelines for
Identification
Methods
Guidelines
• Username
• Smart card
• Biometrics
• Actions
• Accounting
16. Page 16
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 16
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication Types
Something you know
Knowledge
• Something you have
Ownership
• Something unique to you
Characteristics
• Somewhere you are
Location
• Something you do/how you do
it
Action
17. Page 17
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 17
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by Knowledge
Password
• Weak passwords easily cracked by brute-force
or dictionary attack
• Password best practices
Passphrase
• Stronger than a password
Account lockout policies
Audit logon events
18. Page 18
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 18
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by Ownership
Synchronous token—Calculates a number at
both the authentication server and the device
• Time-based synchronization system
• Event-based synchronization system
• Continuous authentication
Asynchronous token
• USB token
• Smart card
• Memory cards (magnetic stripe)
19. Page 19
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 19
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Asynchronous Token Challenge-
Response
20. Page 20
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 20
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by
Characteristics/Biometrics
21. Page 21
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 21
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Concerns Surrounding Biometrics
22. Page 22
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 22
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Types of Biometrics
Fingerprint
Palm print
Hand
geometry
Retina scan
Iris scan
Facial
recognition
Voice
pattern
Keystroke
dynamics
Signature
dynamics
23. Page 23
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 23
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by Location and
Action
Location
• Strong indicator of authenticity
• Additional information to suggest granting
or denying access to a resource
Action
• Stores the patterns or nuances of how you
do something
• Record typing patterns
24. Page 24
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 24
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Single Sign-On (SSO)
Sign on to a computer or network once
Identification and authorization credentials
allow user to access all computers and
systems where authorized
Reduces human error
Difficult to put in place
25. Page 25
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 25
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
SSO Processes
Kerberos
Secure European System for Applications in
a Multi-Vendor Environment (SESAME)
Lightweight Directory Access Protocol
(LDAP)
26. Page 26
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 26
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Policies and Procedures for
Accountability
Log files
Monitoring and reviews
Data retention
Media disposal
Compliance requirements
27. Page 27
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 27
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Formal Models of Access Control
Discretionary access control (DAC)
Mandatory access control (MAC)
Nondiscretionary access control
Rule-based access control
28. Page 28
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 28
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Discretionary Access Control
Operating systems-based DAC policy
considerations
• Access control method
• New user registration
• Periodic review
Application-based DAC
Permission levels
29. Page 29
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 29
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Mandatory Access Control
Determine the level of restriction by how
sensitive the resource is (classification
label)
System and owner make the decision to
allow access
Temporal isolation/time-of-day restrictions
MAC is stronger than DAC
30. Page 30
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 30
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Nondiscretionary Access Control
Access rules are closely managed by security
administrator, not system owner or ordinary
users
Sensitive files are write-protected for integrity
and readable only by authorized users
More secure than discretionary access control
Ensures that system security is enforced and
tamperproof
31. Page 31
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 31
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Rule-Based Access Control
32. Page 32
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 32
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Access Control Lists
Linux and OS X
• Read, write, execute
Permissions
• File owners, groups, global users
Applied to
33. Page 33
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 33
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Access Control Lists (cont.)
Windows
•Full, change, read, deny
Share permissions
•Full, modify, list folder contents,
read-execute, read, write,
special, deny
Security
permissions
34. Page 34
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 34
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
An Access Control List
35. Page 35
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 35
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Role-Based Access Control
36. Page 36
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 36
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Content-Dependent Access Control
37. Page 37
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 37
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Constrained User Interface
Methods of constraining users
Menus
Database
views
Physically
constrained
user
interfaces
Encryption
38. Page 38
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 38
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Other Access Control Models
Bell-LaPadula model
Biba integrity model
Clark and Wilson integrity model
Brewer and Nash integrity model
39. Page 39
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 39
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Brewer and Nash Integrity Model
40. Page 40
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 40
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Effects of Breaches in Access
Control
Disclosure of private information
Corruption of data
Loss of business intelligence
Danger to facilities, staff, and systems
Damage to equipment
Failure of systems and business processes
41. Page 41
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 41
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Threats to Access Controls
Gaining physical access
Eavesdropping by observation
Bypassing security
Exploiting hardware and software
Reusing or discarding media
Electronic eavesdropping
Intercepting communication
Accessing networks
Exploiting applications
42. Page 42
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 42
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Effects of Access Control Violations
Loss of customer confidence
Loss of business opportunities
New regulations imposed on the organization
Bad publicity
More oversight
Financial penalties
43. Page 43
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 43
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Credential and Permissions
Management
Systems that provide the ability to collect,
manage, and use the information
associated with access control
Microsoft offers Group Policy and Group
Policy Objects (GPOs) to help
administrators manage access controls
44. Page 44
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 44
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Centralized and Decentralized
Access Control
Centralized authentication, authorization, and
accounting (AAA) servers
• RADIUS: Most popular; two configuration files
• TACACS+: Internet Engineering Task Force (IETF)
standard; one configuration file
• DIAMETER: Base protocol and extensions
• SAML: Open standard based on XML for exchanging
both authentication and authorization data
45. Page 45
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 45
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Decentralized Access Control
Access control is in the hands of the people
closest to the system users
Password Authentication Protocol (PAP)
Challenge-Handshake Authentication Protocol
(CHAP)
Mobile device authentication, Initiative for Open
Authentication (OATH)
• HMAC-based one-time password (HOTP)
• Time-based one-time password (TOTP)
46. Page 46
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 46
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Privacy
Communicate expectations for privacy in acceptable
use policies (AUPs) and logon banners
Monitoring in the workplace includes:
• Opening mail or email
• Using automated software to check email
• Checking phone logs or recording phone calls
• Checking logs of web sites visited
• Getting information from credit-reference agencies
• Collecting information through point-of-sale (PoS)
terminals
• Recording activities on closed-circuit television (CCTV)
47. Page 47
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 47
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cloud Computing
Category Description
Private All components are managed for a single
organization. May be managed by the organization
or by a third-party provider.
Community Components are shared by several organizations
and managed by one of the participating
organizations or by a third party.
Public Available for public use and managed by third-party
providers.
Hybrid Contains components of more than one type of
cloud, including private, community, and public
clouds.
48. Page 48
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 48
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Advantages/Disadvantages of
Cloud Computing
No need to maintain a
data center
No need to maintain a
disaster recovery site
Outsourced
responsibility for
performance and
connectivity
On-demand provisioning
More difficult to keep
private data secure
Greater danger of
private data leakage
Demand for constant
network access
Client needs to trust the
outside vendor
Advantages Disadvantages
49. Page 49
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 49
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Summary
Access control concepts and technologies
Formal models of access control
How identity is managed by access control
Developing and maintaining system access
controls