Access control Week 1


StaridLabs CISSP Study slides for week 1


  1. Access Control, Week 1 (pages 1-80)
     Jem Jensen
  2. Overview
     Access Control - Only authorized users, programs, and systems are allowed to access resources.
     Not surprisingly, the process for defining access control is:
     1. Define resources
     2. Define users
     3. Specify access between users and resources
  3. Overview: "Joining the CIA"
     Confidentiality - Is it secret?
     Integrity - Is it safe?
     Availability - Does Sauron have it?
  4. Overview: Stances
     1. Allow-by-default
        1. Easy to set up, hard to secure
     2. Deny-by-default
        1. Easy to secure, hard to set up
     Defence in Depth
     • Layer different access control styles
     • Every layer reduces the chance that a single attacker will find a hole through all of the layers
  5. Separation of Duties
     Separation of Duties - 2 keys to launch the nuke!
     Process/Concerns:
     • Element identity, importance and criticality
     • Identify areas at risk/prone to abuse
     • Add an "approval" step
     • Operational considerations
     • Efficiency
     • Cost vs. risk
     • User skill/availability
     • Must be enough personnel
  6. Least Privilege
     Only give enough access for users to perform their jobs.
     Need to know
     • Simple way to implement least privilege
     • Only share information with a user if they "need" it
     Compartmentalization
     • Isolate groups from each other so information doesn't get leaked
  7. Security Domain
     Set up a hierarchy of access.
     PC user accounts example:
     1. Guest
     2. User
     3. Power user
     4. Admin
  8. Information Classification
     Different security levels for different information.
     Benefits:
     • Establish ownership of info
     • Reduce waste
     • Focus resources on the highest risk
     • Easier to find areas which are lacking
     • Can quickly reveal the information's worth
     • Easier to raise awareness
     • Easier to train/retrain staff
  9. Information Classification
     The Process:
     1. Determine objectives
        1. This is a process, not a project! It will be ongoing forever.
        2. Defining objectives on each iteration helps you keep track of the work and celebrate the victories along the way.
     2. Establish organizational support
        1. Get buy-in on the objectives from management.
        2. If they can't see the cost-to-benefit, they may not support your work.
     3. Develop info classification policy & procedures
        1. Requirements, scope, purpose, definitions
     (Mostly high-level up to this point)
  10. Information Classification
      4. Process flows
         1. Document the process, flow charts
      5. Tools
         1. Make sure everyone is speaking the same language
      6. Identify application owners
         1. Custodians of data. They can help identify stakeholders.
      7. Identify info owners
         1. They know the data, decide who can access data.
      8. Distribute templates
         1. Info owners fill them out to identify the data they manage.
      (Mid-level up to this point)
  11. Information Classification
      9. Classify info
         1. Is it public? Internal only? Confidential? Restricted?
      10. Develop auditing
         1. Perform this process again on new data
         2. Do "spot" checks (check track, locked screens)
      11. Load classification info into a repository
         1. Allows analysis
      12. Train
         1. What classifications mean, importance, scenarios
      13. Review and update
         1. Improve quality, keep the process ongoing
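The three-step process from slide 2, the two stances from slide 4, need-to-know from slide 6 and the classification levels from slide 11, combined into one small evaluator as an added example that is not part of the original deck. The users, resources and rule table are constructed; the point is that each layer can deny on its own, and that the stance only decides what happens when no explicit rule exists.

```python
# Added example (not from the slides): a toy evaluator that follows the deck's
# three steps (define resources, define users, specify access) and layers the
# stance, clearance and need-to-know checks. All names are constructed.
from dataclasses import dataclass, field
# Classification levels from the "Classify Info" step, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class Resource:
    name: str
    classification: str  # a key of LEVELS

@dataclass
class User:
    name: str
    clearance: str  # highest classification this user is cleared for
    need_to_know: frozenset = frozenset()  # resources the job actually requires

@dataclass
class Policy:
    deny_by_default: bool
    rules: dict = field(default_factory=dict)  # (user, resource) -> True/False

def check_access(policy: Policy, user: User, res: Resource) -> tuple[bool, str]:
    """Return (allowed, reason); each layer can deny on its own (defence in depth)."""
    # Layer 1: an explicit rule if one exists, otherwise the stance's default.
    rule = policy.rules.get((user.name, res.name))
    if rule is None:
        rule = not policy.deny_by_default
    if not rule:
        return False, "layer1: no permitting rule"
    # Layer 2: clearance must meet or exceed the resource's classification label.
    if LEVELS[user.clearance] < LEVELS[res.classification]:
        return False, "layer2: insufficient clearance"
    # Layer 3: need-to-know, the deck's simple form of least privilege.
    if res.name not in user.need_to_know:
        return False, "layer3: no need to know"
    return True, "allowed"

# Constructed sample data (steps 1 and 2), plus rule tables for both stances.
PAYROLL = Resource("payroll", "restricted")
WIKI = Resource("wiki", "internal")
TAPE = Resource("backup_tape", "confidential")  # whole tape labelled confidential
ALICE = User("alice", "restricted", frozenset({"payroll", "wiki"}))
CAROL = User("carol", "confidential", frozenset({"wiki"}))
GUEST = User("guest", "public")
DENY_DEFAULT = Policy(True, {("alice", "payroll"): True})
ALLOW_DEFAULT = Policy(False)  # alice reaches the wiki with no rule at all
```

Under DENY_DEFAULT alice is stopped at the wiki by layer 1 even though her clearance and need-to-know would pass; under ALLOW_DEFAULT the clearance and need-to-know layers are all that stand between guest or carol and the data.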
  12. Labeling
      Use your classification system.
      Create silos if it's easier:
      • Mark all backup tapes as "confidential" instead of separating out the confidential data to its own tapes
  13. Access Control Requirements
      1. Reliability
      2. Transparency
      3. Scalability
      4. Integrity
      5. Maintainability
      6. Auditability
      7. Authentication data security
  14. Access Control Types & Categories
      2 methods of defining access controls:
      1. By type
         1. What the control itself is doing
      2. By category
         1. Who is implementing the control, or
         2. How the control is used
  15. Access Control Categories
      Categories:
      1. Administrative
         1. Management-style controls like firing people, holding employee reviews, performing trainings
      2. Technical/Logical
         1. Electronic controls like enforcing passwords, badges, logging
      3. Physical
         1. Locks, gates, guards, etc.
  16. Administrative Controls
      • Policies and procedures
      • Personnel evaluation/clearance
      • Security policies
      • Monitoring
      • User access management
      • Privilege management
  17. Logical Controls
      • Network access
      • Remote access
      • System access
      • Application access
      • Malware control
      • Cryptography
  18. Physical Controls
      Are apparently self-explanatory since the book skipped them :P
  19. Next week: pages 81-148