Introduction to Access Control
Week 6 Part 1 - IS
Revision Su2013
Access Control
Access control is fundamental to information security. Access control supports the three security tenets of Confidentiality, Integrity and Availability of information assets. There are two broad categories of access control we are going to discuss: computer system access control and physical access control.
Computer system access control covers the mechanisms that are used to control access to information assets stored on computer systems. Physical access control covers mechanisms that control access to rooms, buildings and other containers that are used to physically store information assets.
Computer System Access Control
Now that we have differentiated between physical and computer access control we will use the term access control to refer to the respective area we are discussing, which in this section is computer system access.
Access control is fundamental to computer security. In some very trusted environments where there is “no fear” of malicious destruction of information the following example may be a workable model. For example, you have a home PC. Everyone in your house shares the use of one account. This effectively allows everyone the same access to all the files, programs and services available to that account. While this may work on a trust level there is still the risk of accidental information loss. Perhaps one party worked for hours writing a paper or doing their homework and another party comes along and inadvertently creates a file of the same name, or accidentally deletes the file.
In some work environments there are shared accounts that are used to log orders, check out customers, create customer accounts and perform other operations. With multiple people accessing one account there is no firm record of which individual did what. You may be able to loosely correlate who was working at a given time, but if there is an absolute requirement to align who did what there is no way to do that with shared accounts. Shared accounts allow users to repudiate their actions.
If there is no control over who has access to information assets the potential for an information free-for-all exists. Anyone can access anything. Anyone can read, modify, and delete information owned by anyone else. Access control protects against malicious and accidental information loss.
Some form of access control is required in information systems. In most systems there are several levels of access control, which supports the principle of defense in depth.
Access Control
Access control is fundamental to a secure information processing infrastructure. Access control concepts are implemented redundantly throughout an information infrastructure. This is consistent with the principle of security in depth. Access control mechanisms are implemented in the operating system, applications, routers, firewalls, databases and storage systems, to name a few of the places.
There are four major parts to an access control system:
1. Authentication: determining that a user is who they say they are.
2. Authorization: granting access to a resource based on the authenticated identity of a user.
3. Auditing: recording any access to a protected resource to provide a history of access to it.
4. Policies and Procedures: documentation of all access control policies and procedures.
Users and Processes
When we discuss access control or other mechanisms that occur within the operation of a computer system we tend to talk about users. “A user has access to…”, “the user deleted…”, “the user logged into …”.
In some cases the term user is appropriate, but in many cases the access that is being controlled is a process that is performing some operation on behalf of a user. A user is a person in the flesh, a breathing person like you or me. A process is a computer program that is in an operating state. It is loaded and executing in memory performing some operation on behalf of a user. The concept is easiest to describe with an example.
A user logs into their system using their account identification or credentials information. In this example the information consists of a username and password. The user is the person that is associated with an account. In general terms the following is happening:
- The user presents a user name and password.
- The login procedure checks the user name and password to determine if they are valid (attempts to authenticate).
- If they are valid, a process is started on behalf of the authenticated user.
- If they are not valid the log in is rejected and the login procedure waits for another request to start the process over again.
It is worthwhile to understand the difference between a user and a process. We don’t want to complicate the language we use when we are relying on an intuitive understanding of what we mean by user. But in many cases it is worthwhile and even necessary to differentiate between the two.
Definitions:
Authentication – the action of verifying if the token(s) presented by the user for logging on the system are valid. For example, checking if the user name and password are valid is performing authentication. If the user tokens are validated the user is said to be authenticated to the system.
Credentials – whatever tokens are used for authentication. For example, the user name and password are considered the user credentials.
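The following Python program is an added example, not part of these lecture notes, that puts the four parts of an access control system and the login procedure above into working code: authentication of a user name and password against a salted hash, a process started on behalf of the authenticated user, authorization of that process against a per-resource table, and an audit log that attributes every action to an individual account (which a shared account cannot do). The accounts, passwords and resource names are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the stored token is a hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed sample account store: one account per person, no shared accounts.
ACCOUNTS = {
    "alice": make_account("correct horse battery staple"),
    "bob": make_account("hunter2-but-longer"),
}

# Authorization table (constructed): resource -> permitted (user, operation) pairs.
ACL = {
    "/home/alice/paper.txt": {("alice", "read"), ("alice", "write")},
    "/var/orders.db": {("alice", "read"), ("bob", "read"), ("bob", "write")},
}

# Audit trail: every authentication attempt and resource access is recorded
# against an individual identity, so the action cannot be repudiated.
AUDIT_LOG: list = []


@dataclass
class Process:
    """A program executing on behalf of an authenticated user."""
    user: str

    def access(self, resource: str, operation: str) -> bool:
        """Authorization: the decision uses the authenticated identity, not a claim."""
        allowed = (self.user, operation) in ACL.get(resource, set())
        verdict = "ALLOW" if allowed else "DENY"
        AUDIT_LOG.append(f"{verdict} user={self.user} op={operation} resource={resource}")
        return allowed


def authenticate(username: str, password: str):
    """Authentication: returns a Process for the user if the credentials are valid, else None."""
    account = ACCOUNTS.get(username)
    if account is None:
        # Hash anyway so the response time does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        AUDIT_LOG.append(f"LOGIN-FAIL user={username} reason=unknown-user")
        return None
    candidate = _hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["hash"]):
        AUDIT_LOG.append(f"LOGIN-FAIL user={username} reason=bad-password")
        return None
    AUDIT_LOG.append(f"LOGIN-OK user={username}")
    return Process(username)


def login_procedure(requests):
    """The login loop from the notes: each (username, password) request is checked;
    invalid credentials are rejected and the procedure waits for the next request."""
    started = []
    for username, password in requests:
        process = authenticate(username, password)
        if process is not None:
            started.append(process)
    return started


if __name__ == "__main__":
    procs = login_procedure([("alice", "wrong"), ("alice", "correct horse battery staple")])
    procs[0].access("/home/alice/paper.txt", "write")
    procs[0].access("/var/orders.db", "write")
    print("\n".join(AUDIT_LOG))
```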
Wireless and Remote Security
Week 6 Part 7 - IS
Revision Spring 2015
Wireless Environment
It wasn’t that long ago that wireless access was primarily constrained to the home. As households started acquiring multiple computers they were no longer used in just one room. Computers were used throughout the house. As laptop computers became the dominant platform users not only moved throughout the house, but outside to porches, yards and outbuildings. Running wires between the router and each system was not practical. Households started upgrading their home network infrastructure from hardwired routers to wireless routers.
The movement to laptop systems also accelerated at workplaces. Employers started deploying laptop systems for employees instead of desktop systems when systems needed replacing. The move to mobile computing was on.
Laptop systems enabled employees to become increasingly mobile in their work lives. As employees traveled between offices, client sites, home and various other remote locations they could remain connected to company servers as long as the remote site had connectivity to the company’s intranet. Initially this connectivity was provided by having Ethernet cabling available for remote users to physically plug their laptops into. Eventually, companies started installing wireless hotspots that could be automatically detected by systems that had wireless cards.
The proliferation of wireless connectivity and internet use spread from the workplace to general societal use. Average users demanded access to the internet and company intranets. Soon public places such as airports, libraries, train stations, schools and coffee shops installed wireless hotspots to allow people internet access. Some towns and cities are installing wireless hotspots to allow internet connectivity for citizens.
In addition to wireless hotspots becoming omnipresent the use of handheld devices is on the rise. Handheld devices started with cell phones and moved to higher functionality devices such as the Blackberry and Palm smart phones which allowed email access and various local applications. The handheld devices have continued to evolve to higher functioning devices which provide general internet services as well as thousands of applications. Examples of these are the Apple iPhone and the Motorola Droid which runs the Google Android operating system. Of course these devices still provide telephone services!
These devices make use of various cellular network technologies such as GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access) which conform to 3G and 4G technologies for connectivity.
The ubiquity of internet access points is very convenient and allows people to stay connected for work, study and personal use from a variety of locations and using a variety of platforms. However, with this connectivity come increased security concerns. The threat vector increases as the range of vulnerabilities associated with the various platforms providing internet access increases.
Many of the security defenses for wireless or remote connectivity require using the same tools, mechanisms, policies and procedures used for systems that are not remotely connected. However, there are additional vulnerabilities and defenses that need to be considered for the wireless and remote environments.
Wireless Access
In this section we will discuss some of the attributes of wireless access points and wireless routers. As we discuss the attributes I will make suggestions on how some potential vulnerabilities can be made more difficult to exploit.
NOTE: fixing some of these simple vulnerabilities makes it more difficult to exploit your system. Some people would argue that these changes add very little increase in security. While they do not provide absolute security they do make it “slightly” more difficult for someone to attack your system. This increase of security at different places in the infrastructure supports the concept of security in depth.
Wireless access points (WAP) enable devices to connect to a wireless network using Wi-Fi (Wireless Fidelity) or related standards. Products that conform to the IEEE 802.11 set of standards for wireless local area networks (WLAN) are considered Wi-Fi devices. Wi-Fi is a trademark of the Wi-Fi Alliance, which is a trade association that certifies the compliance of devices that conform to the IEEE 802.11 standards.
A wireless access point (WAP) connects to a router. A wireless router contains WAP functionality in it. This subtle distinction is made to differentiate between the functionality of a router, which is to connect two or more computer networks and interchange data between them, and a WAP, which provides wireless access to the router. We will use the term wireless router to refer to the combined functionality of the WAP and router.
Web Based Management Interface
A wireless router contains a web based management interface. Access to the router is typically gained by using the IP address 192.168.0.1 or 192.168.1.1. Finding the default username and password for a particular router is simple. They are usually preconfigured with easily guessed names such as “admin” or “password”. To locate default usernames and passwords for various routers you can check various web sites such as http://www.routerpasswords.com/.
Often users do not change the default username and password to the management interface. The combination of the default values for the IP address, username and password makes it very easy to attack your router. An attacker that gains access to your router through the management interface can learn your router configuration information and/or change it to suit their nefarious needs.
To make your router a “little more secure” you could change the username and password. To further complicate an attack you could also change the 3rd octet of the IP address of the management interface to something other than a “1”. For example, change it from 192.168.1.0 to 192.168.99.0. This will place your systems on a different subnet.
Service Set Identifier (SSID)
The service set identifier (SSID) is the name of the wireless network. By default, the SSID is broadcast every 1/10 of a second or so by the wireless router. This broadcasting of the SSID is what a wireless device detects so it can connect to the network. Broadcasting of the SSID may also be referred to as the WAP presenting a beacon.
This beacon can be detected by client devices at varying distances depending on atmospheric and geographic conditions. Typical distances are 75-100 feet indoors and up to 300 feet outdoors. These sorts of distances allow SSID beacons to be detected not only by legitimate users of your network but also by potential attackers unless precautions are taken.
The SSID is represented as a string of alphanumeric characters which is up to 32 characters in length. The standard allows the 32 octets to be any values and not just readable characters. A client device can choose to manually or automatically connect to a device.
A wireless network can choose not to advertise the SSID. This results in the network being advertised as “unnamed”. If a client chooses to connect to this network they must know the SSID name.
Another defense could involve changing the SSID name to something other than what the manufacturer assigns to the device. Similar to locating router passwords (discussed above) on the internet, default SSID names for some devices can be easily found.
Changing the SSID name or not broadcasting the SSID name are not foolproof techniques. A determined cracker can figure out the SSID of the network by using sniffing tools that monitor users that successfully connect to the network, since the SSID is transmitted in clear text.
Wireless Encryption
Many private wireless networks run encryption. The intent of this is to secure communications transmitted on the network. A wireless network that runs encryption requires that clients that want to connect to the network enter a passphrase or encryption key. Some client systems that frequently connect to the same wireless network may have the encryption key installed in the client so connecting to the network can occur without having to enter the encryption key.
A commonly used and ineffective wireless encryption algorithm is Wired Equivalent Privacy, known as WEP.
WEP is ineffective because the passphrases (i.e. encryption keys) can be easily figured out by hackers. WEP makes use of the stream cipher RC4 for confidentiality and CRC-32 for integrity. 64, 128 and 256 bit keys are used with WEP encryption. The full encryption keys are generated by concatenating the bits of the key with a 24 bit initialization vector (IV) yielding the n bit (64, 128, 256) WEP encryption key. The IV is transmitted as clear text. On a busy network the 24 bit IV will be repeated and can be easily recovered, allowing the encryption keys to be discovered using brute force techniques. Cracking a WEP network can be done in less than a minute with commonly available tools found on the internet. A Google search for “cracking WEP” will provide links to numerous cracking tools.
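To put a number on why a 24 bit IV repeats “on a busy network”, the following added Python (not from the notes) computes the exact probability of an IV repeat after a given number of frames and the frame count at which a repeat becomes more likely than not; this is the birthday bound applied to the IV space the notes describe. The 48 bit case is included only as a comparison (TKIP’s extended IV, which the notes do not state) and the frame rates are assumed values.

```python
import math

WEP_IV_BITS = 24  # the notes: WEP prepends a 24-bit IV, sent in clear, to every frame


def iv_repeat_probability(frames: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Exact probability that at least two of `frames` frames carry the same IV,
    assuming each IV is drawn uniformly at random. That is the best case for WEP:
    a card that simply counts up repeats deterministically after 2**iv_bits frames."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0  # pigeonhole principle: more frames than IV values
    no_repeat = 1.0
    for i in range(frames):
        no_repeat *= (space - i) / space
    return 1.0 - no_repeat


def frames_until_probability(target: float, iv_bits: int = WEP_IV_BITS) -> int:
    """Smallest number of frames at which the repeat probability reaches `target`."""
    space = 2 ** iv_bits
    no_repeat, frames = 1.0, 0
    while 1.0 - no_repeat < target:
        no_repeat *= (space - frames) / space
        frames += 1
    return frames


def birthday_estimate(target: float, iv_bits: int = WEP_IV_BITS) -> float:
    """Closed-form birthday-bound approximation: n ~ sqrt(2 * N * ln(1 / (1 - target)))."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1.0 / (1.0 - target)))


def seconds_until_probability(target: float, frames_per_second: float,
                              iv_bits: int = WEP_IV_BITS) -> float:
    """Wall-clock time to reach `target` on a network sending `frames_per_second` frames."""
    return frames_until_probability(target, iv_bits) / frames_per_second


if __name__ == "__main__":
    n50 = frames_until_probability(0.5)
    print(f"24-bit IV: 50% chance of a repeat after {n50} frames "
          f"(birthday estimate {birthday_estimate(0.5):.0f})")
    for fps in (50, 500):  # assumed traffic levels, frames per second
        print(f"  at {fps} frames/s that is {seconds_until_probability(0.5, fps):.1f} s")
    print(f"48-bit IV, 10000 frames: repeat probability {iv_repeat_probability(10000, 48):.2e}")
```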
The WEP algorithm has been deprecated in favor of the Wi-Fi Protected Access algorithms known as WPA. There are a few variants of WPA algorithms. We will consider WPA-TKIP (Temporal Key Integrity Protocol) and WPA-AES (Advanced Encryption Standard) algorithms. WPA-TKIP uses the RC4 stream cipher (similar to WEP), however it improves on the inherent weaknesses of WEP by making use of the following:
- Key mixing, combining a secret key with the IV to increase cryptographic strength.
- Per-packet keying, to use a different key for each packet.
- An improvement on WEP transmitting the IV in clear text.
- Protection against replay attacks.
WPA-TKIP is a vast improvement over the confidentiality weaknesses of the WEP algorithm; WPA-TKIP provided compatibility with older hardware that used WEP. An improvement over WPA-TKIP is WPA-AES. New wireless products are using the WPA-AES algorithm, which provides improved performance over WPA-TKIP and makes use of AES (Advanced Encryption Standard), a block cipher adopted by the US government as the replacement for DES (and 3DES).
The preferred choice is to use WPA-AES, however you need to make sure all of your hardware will support it. For older hardware you may be relegated to using WPA-TKIP until you can upgrade.
MAC Filtering
For a home or a small business, access to the wireless network can be restricted based on the MAC (Media Access Control) addresses of the allowable wireless devices. This technique can work since the number of devices that connect to the network is small and does not change.
Every device with a network adapter has a unique identifier which is called the MAC address. By using the web based management interface of your wireless router the MAC addresses of these devices can be added into the configuration tables of your wireless router to accept connections from these MAC addresses and to reject connections from devices that have MAC addresses that are restricted.
War Driving
War driving is the act of driving or roaming around with a laptop computer and hacking tools searching for wireless access points. When an access point is discovered the attacker can use various cracking tools to eavesdrop on information, which compromises the security of the system and the network.
Not advertising the SSID and implementing MAC filtering makes your network a bit more stealthy, but not by much to a determined attacker. It does not protect you from eavesdroppers or war drivers intercepting packets from the airwaves and decoding them. From this information an attacker could determine the SSID of your network and allowable MAC addresses. If discovered, an attacker could connect to your network by using the SSID and spoofing a MAC address if MAC filtering was enabled. If the network is not secured with encryption the attacker has gained access. Even with encryption enabled with WEP, WPA or WPA2 the encryption keys could be uncovered by using cracking tools. Once the encryption keys are discovered the attacker has gained access.
Rogue Access Points
A rogue wireless access point is an access point set up by an attacker to capture usernames, passwords and other information. A rogue access point could be used to stage a variety of attacks such as the man in the middle (MITM) attack when mutual authentication between the two communication end points is not implemented.
A rogue access point is implemented by connecting a router to a secure network without permission of the owner or administrator of the network. Any client that connects to the network via the rogue access point is compromised.
To defend against rogue access points network administrators can use Wireless Intrusion Detection Systems (WIDS) or Wireless Intrusion Prevention Systems (WIPS) to monitor the radio spectrum for rogue devices and attack tools. Additionally, a WIDS or WIPS can be used to look for problems with the network configuration, create log files of activity, block activity by suspicious devices and perform automatic notification in the case of various events.
Another defense against rogue access points in public places is observation. For example, if you are in a place that advertises it has a wireless hotspot you should be aware of the SSID of the hotspot. Also, if two or more networks are being advertised perhaps one or more of them are rogue hotspots. Also, don’t assume that you can safely bypass purchasing internet service by using your neighbor’s unsecured network. You leave yourself wide open to attack and compromise of your data by doing this.
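The following added Python (not from the notes) ties together the SSID section and the rogue access point section: it parses the SSID element of a beacon the way the notes describe it (up to 32 octets of any value, with a hidden network carrying no name), renders non-printable octets safely for a log line, and applies the administrator’s version of the observation rule above, flagging a known SSID that is beaconed from an access point not in the organisation’s inventory. The beacons, MAC addresses and inventory are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SSID_ELEMENT_ID = 0     # 802.11 information element tag for the SSID
SSID_MAX_OCTETS = 32    # the notes: an SSID is at most 32 octets of any value


@dataclass(frozen=True)
class Beacon:
    bssid: str            # access point MAC address as seen in the beacon
    ssid_element: bytes   # raw SSID element: tag, length, then the octets


def parse_ssid_element(raw: bytes) -> Optional[bytes]:
    """Returns the SSID octets, or None when the network is not advertising a
    name (zero-length or all-null SSID). Raises ValueError on a malformed element."""
    if len(raw) < 2 or raw[0] != SSID_ELEMENT_ID:
        raise ValueError("not an SSID element")
    length = raw[1]
    if length > SSID_MAX_OCTETS:
        raise ValueError(f"SSID length {length} exceeds {SSID_MAX_OCTETS}")
    body = raw[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated SSID element")
    if length == 0 or body == b"\x00" * length:
        return None
    return body


def display_ssid(ssid: bytes) -> str:
    """Printable ASCII is kept; any other octet is hex-escaped so an SSID
    containing control bytes cannot corrupt a terminal or a log line."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in ssid)


def audit_beacons(beacons: List[Beacon],
                  inventory: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """inventory maps each SSID the organisation operates to the BSSIDs of its own
    access points. Returns (bssid, displayed ssid, verdict) for every beacon."""
    findings = []
    for beacon in beacons:
        try:
            ssid = parse_ssid_element(beacon.ssid_element)
        except ValueError as exc:
            findings.append((beacon.bssid, "?", f"malformed: {exc}"))
            continue
        if ssid is None:
            findings.append((beacon.bssid, "<hidden>", "hidden SSID"))
            continue
        name = display_ssid(ssid)
        if name not in inventory:
            verdict = "unknown network"
        elif beacon.bssid.lower() in inventory[name]:
            verdict = "trusted"
        else:
            verdict = "suspected rogue: known SSID from a BSSID not in inventory"
        findings.append((beacon.bssid, name, verdict))
    return findings


def advertised_network_count(findings: List[Tuple[str, str, str]]) -> int:
    """Distinct named networks visible; the notes' rule of thumb is that seeing
    two or more where one is expected deserves a closer look."""
    return len({name for _, name, verdict in findings
                if verdict != "hidden SSID" and not verdict.startswith("malformed")})


# Constructed sample beacons (not captured traffic) and a constructed inventory.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", b"\x00\x08CorpWiFi"),
    Beacon("66:77:88:99:aa:bb", b"\x00\x08CorpWiFi"),        # same name, not ours
    Beacon("de:ad:be:ef:00:01", b"\x00\x00"),                # hidden network
    Beacon("ca:fe:ca:fe:ca:fe", b"\x00\x05Caf\x1b\xe9"),     # non-printable octets
    Beacon("ba:dd:ba:dd:ba:dd", b"\x00\x21" + b"A" * 33),    # length 33 > 32
]
INVENTORY = {"CorpWiFi": {"00:11:22:33:44:55"}}

if __name__ == "__main__":
    for bssid, name, verdict in audit_beacons(SAMPLE_BEACONS, INVENTORY):
        print(f"{bssid}  {name:<16}  {verdict}")
```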
Comment:
Around 2011 I had an older Verizon router which was configured to support WEP. I called my ISP, which is Verizon, to discuss configuring my wireless router to enable further security. In particular I wanted to change encryption from WEP to WPA and I wanted to use a different subnet than the default of 192.168.0.1.
The technician I spoke to “reminded me” that WPA encryption is “supported” but if there was a problem that required Verizon to perform debugging they would set my system back to using the default value for encryption which is WEP.
With respect to changing the default subnet to something other than the default value of 192.168.0.1, it could be done, however it was not supported. Again, if there was a problem they would reset it to the default value before they worked on diagnosing any problems.
I explained to the Verizon representative that when problems occur you want to debug them in that environment. You don’t want to change the environment before you start debugging since you can be masking the problem. Plus, the use of WPA and a different subnet is not an obscure change. Rather they are common industry best practices. They understood this point, but that is Verizon’s policy. Debugging a problem in a changed environment runs the risk of not fixing the problem.
Since that time I have updated my router to one that supports WPA2 as the default protocol.
Remote Access
Remote access by users is accomplished with a variety of devices including laptops, smart phones, desktops and tablets. Wireless access is not only enabled through wireless routers and access points but also through devices that support 3G and 4G protocols such as smart phones. In order to secure smart phones, policies and procedures need to be established just as with laptops and desktop systems. Some of the security policies and procedures for smart phones will be similar to those for laptops and desktop systems; however there are some policies and procedures that are unique to particular platforms.
Password Selection
Passwords, passphrases, encryption keys and other secrets need to be protected from discovery. These secrets in authentication terms are referred to as “Something You Know” (SYK). Secure passwords need to be constructed for access to all systems. Following are some items in the wireless domain that should be constructed using secure password guidelines.
- SSID (Service Set Identifier) that names the network
- Username and password for the web based management interface
- Encryption key or passphrase for the wireless device
- Login credentials for the client device (laptop, desktop, smartphone)
Items such as usernames, passwords and encryption keys or passphrases should be constructed using secure password guidelines. This was discussed in the lecture on authentication. Companies and organizations that care about security will have a policy for how passwords should be constructed. In addition to how these secrets are constructed there should be policies on how frequently they need to be changed.
Items such as MAC ID and SSID can be changed, but you need to consider the impact of doing that. Changing the MAC ID is really not practical since the MAC ID is associated with the device. MAC IDs are changed by attackers spoofing a MAC ID, but it is really not practical for an organization to have users change their MAC IDs.
Changing the SSID can be done but for the determined attacker the SSID is readily available since it is broadcast in the clear. If you change the SSID anyone connecting to your network will need to know the new SSID. Communicating the new SSID is no more of a problem than communicating new passwords or encryption keys to users.
Security of Remote Devices
With remote devices critical information leaves corporate servers and moves to various remote devices. With this comes a risk of the remote device being lost or stolen. To ensure the Confidentiality, Integrity and Availability of this information various mechanisms that support encryption and authentication need to be deployed such as: Virtual Private Networks (VPNs), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Kerberos, CHAP, RADIUS and Diameter, to name a few. These were discussed in the lecture on authentication examples.
Many of these mechanisms should be considered for use for all devices in the infrastructure, but their importance is worth amplifying when using remote devices. Remote devices are generally more prone to being lost or stolen than devices that are not remote. Because of these vulnerabilities care needs to be taken to ensure data is not compromised. Some of the following functionality should be considered for security policy and procedures for all devices; however, ensuring they are followed for remote devices is very important.
- Multi-factor authentication. In addition to requiring password authentication, biometric and token authentication could also be required.
- Data can be remotely removed or rendered inaccessible in case the system is lost or stolen.
- Systems are shut down after use and not placed into hibernate or low power mode.
- Encryption of the disk, in case a system is lost or stolen and the disk is removed and placed in another system.
Removable storage media (e.g. memory sticks, USB drives) provide another avenue for data to become remote. Removable storage devices also increase the attack vector for infecting systems with malware. Place a memory stick or USB drive into a USB port and the system could become infected with malware stored on the device. Some companies may find restricting the use of removable media to be appropriate.
Bring Your Own Device (BYOD)
With the proliferation of personal devices such as smartphones and tablets, companies and organizations are facing increasing pressure to adopt policies that allow employees to use their own devices to access organization assets. Many of the security concerns organizations have with the use of their own equipment to access their network and data are amplified in a BYOD environment. This is primarily because the organization has limited control over the securing and handling of the BYOD device. On the other hand, allowing users access to organization data allows employees to be engaged in company business virtually 365/24/7 since most users are tethered to their mobile devices.
The challenge organizations face is to implement a policy and procedures for how users can access company data with their own devices while keeping organization assets safe and secure. In other words organizations are concerned with maintaining the CIA (Confidentiality, Integrity and Availability) of their assets. You should note that the general concerns organizations have for BYOD are congruent with the concerns organizations have for their assets in a non-BYOD scenario.
There are numerous websites and articles that enumerate major security concerns that organizations have around BYOD policies. Following is a representative list of concerns that companies have.
- Applications or content with embedded security exploits
The various policies and procedures an organization selects should be based on the requirements of the organization. This should always be the case for selecting functionality. You first define your requirements, then you select functionality that meets the requirements.
Of course some companies’ approach to BYOD will be not to allow it. Their approach may be to issue company owned devices for all business related use. In order to support multiple devices there is additional cost. It is much easier to manage one device that is given to employees. However, the downside to this may be employee productivity. Employees may resist carrying two phones: their own and the company phone.
I expect to see more and more companies supporting a BYOD policy.
Specific Areas of Concern for BYOD
A policy should require secure access to corporate assets by requiring a VPN that uses encryption. A VPN requires the user to possess credentials that allow authentication to the VPN and in turn access to the organization’s assets. The VPN should provide encryption for any assets in transit between the two ends of the VPN, which are the organization’s server and your mobile device.
The policy should consider the use of Mobile Device Management Software (MDMS). MDMS provides for remote management of devices including the uploading of applications, data and configuration information to a variety of devices. A major feature for MDM is the need to support a variety of platforms and versions, including various versions of Android, Apple iOS, Blackberry and Windows Phone. The range of mobile devices includes smartphones, tablets, printers and POS (Point of Sale) systems.
Some of the top BYOD security concerns that companies have are:
- Applications or content with embedded security exploits
You should note that the BYOD concerns are similar to the concerns they have on company issued devices.
Strategies and Issues
Keep in mind the company needs to protect the CIA of its information. Since you are agreeing to use your device for accessing company information there will be rules for usage that will be more stringent and structured than what you are used to. Following are some of the strategies and issues around some controls to address the security concerns.
Use of VPN
Expect your company to mandate the use of a VPN to connect to any corporate website. This could work by requiring access through a secure website using credentials controlled by the authentication policy of the company. Another way would be to have a local application pushed to your device that is used to initiate the login, again using company provided credentials.
It may be required that periodic authentication to the VPN is done to ensure the user remains cognizant they are connected. Also, in case the device is lost after the VPN link is established, re-authentication could block access to company resources. Periodic re-authentication to the device may also be required for the same reason.
If access to company resources requires a VPN connection there may be limitations as to how the device can be used for other applications. For example, certain websites may be restricted for access as well as certain applications. How this is monitored by the company is another matter that requires consideration. Another issue to consider is if questionable material is passed on the company’s network while a VPN connection is established.
Authentication
Expect a company to require strong authentication for any device being used on their network. This means the use of 4 character PINs is out and complex passwords or picture patterns are in. Also expect the company to check your password complexity for approval and require changing it every so often. Many websites are moving towards a two factor authentication model. It is possible companies will require this. This means when you log into the company VPN a notification will be sent to your device with an authentication token that must be entered to complete the login process.
Malware Protection
Running malware protection on your device will be required. Signature updates may be pushed out by the Mobile Device Management System if that is mandated by the policy. The MDMS may not allow you to turn off the malware protection. This may also restrict your ability to run certain applications.
Wipe strategies
When a device is lost or stolen the company may want to track the device using GPS. If the device is located a remote wipe of data as well as disabling the device may be done. This brings up the question of wiping not only company data but user data. Should the device be found, not only will the company data have been wiped but so will the personal data.
GPS Tracking
Another issue with wipe strategies is GPS tracking. This may bring up privacy concerns for some users that the company may have access to GPS data. When and under what circumstances GPS data is monitored needs to be clearly understood in the policy.
Encryption
The confidentiality of any company data will undoubtedly require encryption. This may impact employee use of personal data if encryption needs to be implemented on an application basis as opposed to a file basis.
Jail Break or Root Devices
Jail breaking is typically associated with Apple devices. It refers to the bypassing of controls the manufacturer has put on the device. A device that has been jailbroken can permit the installation of software that is not distributed through the app store. This means software that is not vetted by the app store could be installed. The potential for installing software with malware is increased.
Apple does implement a process where developers submit software for distribution through the app store. If the app is approved for distribution it is made available through the app store. The vetting process is not perfect but it is improving all the time. Software that does not go through this vetting process has a much greater chance of being infected with malware.
A rooted device applies to Unix or Linux based devices. This is typically associated with Android based products. Rooted means that the owner of the phone has root access to the device. Root access allows unfettered access to all aspects of the device. You don’t want a BYOD device to have been rooted since a rooted device could bypass numerous controls placed on the device. Some malware seeks to obtain root access so it has total access to the device.
Applications
Organizations may restrict the applications that can be loaded
on a device. The concern is
that some applications may be considered a malware threat.
The downloading of any
applications may require vetting through company supplied
software.
Bluetooth Functionality
Most hand held devices support Bluetooth technology. Bluetooth expands the attack vector and attack surface of your device. If your device is discoverable, other devices in range can pair with you. This presents a security issue. Some folks feel Bluetooth is inherently insecure and it should not be used for anything you care about. Expect to find policy statements on allowable use of Bluetooth. Perhaps Bluetooth has to be turned off when connected to the company VPN. However, if corporate data has been copied to the device, is Bluetooth use restricted? This doesn't sound realistic, as Bluetooth is really required for any level of safety if the call participant is driving hands free.
This brings up another question. Is the device owner required to communicate when in transit? It is clear to me that any distraction while behind the wheel has the potential of grave results. Should something happen while the device owner is using the device on company business, is the company liable, or is it shared exposure?
Reimbursement
If you are using your device for work there may be a policy that
provides for
reimbursement of expenses. Keep in mind that getting
reimbursed may seem desirable,
but it ties your device closer to the company since you will be
required to follow
company policy.
Exit Strategy
When an employee leaves the company the policy may require that a wipe of the device be done to remove any company information. This may require backing up the employee's personal information, performing the wipe and restoring the information.
Policy Violations
BYOD policies are evolving. There is an ebb and flow between the company's right to investigate all data on a personal device when a policy breach occurs and the device owner's right to privacy. Consider the case where you have a device that connects to a company website. A breach is detected and attributed to your device. Can the company lock your device down and search all the data on your phone, including personal email and social media accounts? Or is the device clearly partitioned between company data and personal data such that the company can only do forensic analysis on the company data?
Understanding the penalties for policy violations is important. Penalties can range from losing device privileges to termination.
Summary
Wireless and remote devices need to follow the same policies and procedures as any device in the infrastructure to ensure that security vulnerabilities are minimized. There are additional procedures for remote devices that also need to be followed. As with all security there is no one foolproof set of tactics.
The amount of controls for handheld devices further increases
the attack vector and
attack surface. The policies for BYOD in the workplace are
evolving. There is an ebb and
flow between security and privacy that both the owner of the
device and the company
need to be in agreement on. Expect these policies to continue to
evolve as the use of more
mobile devices occurs.
For wireless, remote and handheld devices the best approach is
to follow the principle of
security in depth.
Security Policy
Week6 Part6-IS
Revision Su2013
Security Policy
Security policy for access control is no different from defining policy in any other area. Rather than discussing security policy specific to access control we will broaden the discussion to security policy in general. Some of this section is a repeat of information we covered in Week 1; however, it merits repeating in the context of the learning we have done to date.
Security as a process includes four key elements: prevention,
detection, response and
recovery. To determine the investment that needs to be made in
these areas requires
doing an inventory of the assets of the organization and
determining the value of these
assets to the organization.
A risk assessment needs to be performed that determines the
threat level and vulnerability
to each of these assets. As part of the assessment the cost of
recovering an asset that is
attacked needs to be determined.
After a thorough assessment a determination can be made as to
how much should be
invested into protecting an asset and the type of protection that
should be implemented.
Aspects of policies have different target audiences. NIST standard 800-12 defines 3 broad categories that policies should target.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
- ... responsibilities within the organization. Also discussed is how policies are created, revised, reviewed, approved and retired.
- ... deal with the operational aspects of the organization. For example, definitions of the physical access control to a facility, or definition of the access control policies for certain systems. How employees are trained in the application of policies in their roles is part of operations.
- ... For example; the access control and authentication models used in an organization; how systems are configured, firewall policies, use of encryption, how accounts are managed.
Across these three categories there needs to be agreement
throughout the organization as
to the importance of security. There must be a top to bottom
commitment in the
organization to successfully implement the security policy.
Having mechanisms for verifying security compliance and assigning accountability for compliance is required for a successful implementation.
Every organization has a security policy. Some organizations
have very strong policies
which are implemented with documentation, training, audit
procedures, certification
requirements, compliance reviews, and other mechanisms. Some
organizations have no
stated policy. They just wing it, hoping everything will work
out. Those are the two
extremes, with other organizations policies spread out across
the spectrum.
RFC 2196 is the internet working group that provides guidance
for developing security
policy and procedures for systems on the Internet.
http://www.faqs.org/rfcs/rfc2196.html
The working definition RFC 2196 provides for security policy
is:
Definition: Security Policy: A security policy is a formal
statement of the rules
by which people who are given access to an organization's
technology and
information assets must abide.
Having a written security policy is fundamental to an
organization. It provides acceptable
behaviors, practices, responsibilities around the handling of
information, systems, brick
and mortar facilities and anything else related to security.
Policies do not have to be complex. In fact, policies should be
simple to access, easy to
understand and easy to seek clarification on. Similarly the
implementation of security
policies should be easy to follow and they should support the
task at hand. Further,
security policies need to be enforced at all levels of the
organization.
Seems like a simple concept. For many organizations security policies are anything but simple. For many organizations security policies are not clearly defined, if defined at all. The policies cannot be easily located, and once they have been, they may be out of date. The policies may be pages and pages of technical and legal verbiage that is not well-organized and requires the entire document to be studied, rather than being clearly divided into the necessary levels of abstraction to quickly and easily understand issues.
Defining a Workable Policy
An effective security policy requires broad acceptance
throughout the organization. This
buy-in has to be at all levels of the organization. Security policy
has to originate at the top
levels of management. Management needs to prioritize the
definition of a Security Policy.
This starts with management articulating the importance of
protecting company assets.
Management must support the process through all phases of the
Security Policy. This
includes requirements definition, review cycles,
education/training, implementation and
maintenance. This requires an ongoing investment in time,
staffing, physical resources.
A successful policy must have broad representation across the organization contributing to the definition. RFC 2196 suggests the following representation. The list should be used for guidance and modified according to the needs of your organization. I have made a couple of additions.
- Information technology technical staff (e.g., staff from computing center)
- ... (e.g., business divisions, computer science department within a university, etc.)
- representatives of the user groups affected by the security policy
- ... management)
The fundamental steps as defined in RFC 2196 for establishing a security policy are:
- ... effective manner.
- ... process continuously and make improvements each time a weakness is found.
Enforcing the Policy
Having a security policy is only as good as the enforcement of
it. The policy must be easy
to enforce and it must be consistently enforced. The
mechanisms for enforcing the
security policy should be clearly defined in the policy
documents. It is important that
security enforcement is as automated as possible. For example,
acquiring accounts,
system permissions, access to confidential information, access
to physical resources
should all be seamlessly integrated into the request process so
that no “special” steps
need to be taken.
It is of the utmost importance that security procedures are
enforced. If the policy can be
bypassed by a quick phone call or mail message you do not have
an effective policy.
An effective security policy needs to be easy to use and it needs
to provide a predictable
and timely response to a request for security access. A security
policy must be
consistently enforced at all levels of the organization. If the
policy is seen to be bypassed
by individuals because of their position in the organization
everyone will try to bypass
the system.
If these characteristics are not present in a security policy
people will seek alternatives,
they will avoid aspects of their job that require dealing with
security and they will
become disgruntled.
Automated Security Event Auditing
Ronald Reagan made popular the phrase “trust but verify”. This
basically means that
entities can be trusted as long as the facts around the trust can
be verified. The tool for
doing this is auditing. Every security event should be able to be
audited. This means a
record gets written to an audit file each time a security event
occurs. If you recall in the
lecture on access control we learned about auditing in the
context of accessing objects.
Security auditing is a similar concept.
An audit capability is an integral part of a security system. The
audit capability records
any action involving security access to a log file. There must be
some way to control
what security information is written to the log file. The security
policy should provide
guidance as to what information needs to be audited.
An audit capability should provide the tools to easily select
information from the audit
log based on various parameters. For example, one should be
able to select information
based on user, security event, object type, date, time and other
criteria.
Security event auditing could be integrated with a general audit
capability provided by an
operating system, application or physical security mechanism.
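The audit capability described above, as an added example that is not code from these notes: an append-only security event log whose records can be selected by user, event, object type, object identifier, outcome and time window. The record fields, event names and sample events are constructed for the example (a door_entry event is included to show that physical access events fit the same record format); a real deployment would append each JSON line to a write-protected audit file rather than keep records in memory.

```python
"""Added example (not from the lecture notes): a security-event audit log
with selection by user, event, object type and time window.
Field names, event names and sample events are constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str    # ISO-8601 UTC, e.g. "2013-07-02T08:01:10"
    user: str         # principal that caused the event
    event: str        # security event type: "login", "file_read", "door_entry", ...
    object_type: str  # kind of object acted on: "account", "file", "door", ...
    object_id: str    # identifier of that object
    outcome: str      # "success" or "failure"


class AuditLog:
    """Append-only event log. record() returns the JSON line that would be
    appended to the audit file; select() answers the questions the policy
    needs answered (who did what, to which object, when)."""

    def __init__(self):
        self._records = []

    def record(self, user, event, object_type, object_id, outcome, timestamp=None):
        ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
        rec = AuditRecord(ts, user, event, object_type, object_id, outcome)
        self._records.append(rec)          # never modified or deleted afterwards
        return json.dumps(asdict(rec))     # one line per event in the audit file

    def select(self, since=None, until=None, **fields):
        """Records whose fields all equal the given values (user=, event=,
        object_type=, object_id=, outcome=), optionally restricted to the
        [since, until] window. ISO-8601 timestamps compare correctly as strings."""
        matches = []
        for r in self._records:
            if since is not None and r.timestamp < since:
                continue
            if until is not None and r.timestamp > until:
                continue
            if all(getattr(r, name) == value for name, value in fields.items()):
                matches.append(r)
        return matches


def load_sample_log():
    """Constructed sample events; not real data."""
    log = AuditLog()
    for ts, user, event, otype, oid, outcome in [
        ("2013-07-02T08:01:10", "alice", "door_entry", "door",    "lab-2",             "success"),
        ("2013-07-02T08:02:45", "bob",   "login",      "account", "bob",               "failure"),
        ("2013-07-02T08:02:59", "bob",   "login",      "account", "bob",               "failure"),
        ("2013-07-02T08:03:12", "bob",   "login",      "account", "bob",               "success"),
        ("2013-07-02T09:30:00", "alice", "file_read",  "file",    "/srv/payroll.xlsx", "success"),
        ("2013-07-02T23:15:40", "carol", "door_entry", "door",    "server-room",       "failure"),
    ]:
        log.record(user, event, otype, oid, outcome, timestamp=ts)
    return log


def failed_logins(log, user, since=None, until=None):
    """How many failed logins a user had in a window: a typical audit question."""
    return len(log.select(since, until, user=user, event="login", outcome="failure"))


def after_hours_events(log, day, start="18:00:00", end="07:00:00"):
    """Events on a given day outside working hours (before `end` or after `start`)."""
    return [r for r in log.select(since=day + "T00:00:00", until=day + "T23:59:59")
            if r.timestamp[11:] < end or r.timestamp[11:] > start]
```

The two query helpers are the kind of selection the policy should call for: repeated authentication failures for one account, and access events outside business hours, both answerable only because every record carries user, event, object and time.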
Assessing the Risk
The cost of not having a security policy can be very large. In
fact it is a ticket to disaster.
Some companies have been driven out of business because of a
simple security breach.
The business disaster may not have been the actual breach, but
rather the bad press
caused when the lack of adequate policy protecting assets
became public knowledge.
Loss of customer confidence can be more damaging than the
loss of tangible assets.
The risk assessment methodology should be part of the security
policy document. It is
important to understand the policy around what assets need to
be protected and how they
should be protected. It is equally important to understand how
the decisions were made to
protect some assets and not others. Knowing the methodology
used for risk assessment
and the assumptions made is a key input to understanding the
security policy.
We discussed in week 1 the importance of doing a risk assessment. That discussion focused on computer based assets but it really applies to all assets. Reviewing some of these concepts is worthwhile. I have replicated some material from week 1 as it is relevant to the discussion on security policy. Further, it amplifies the fact that security policy and risk assessment are key elements that contribute to a secure information infrastructure.
Some areas to consider in risk assessment are:
- ... information safe
When defining the security policy each of the above items needs to be considered from the perspective of:
- ... or disaster?
- ... protecting against an attack or disaster?
Asset Classification
The following table can help support a risk assessment. If numbers are assigned to each category rather than High, Medium and Low, weighted averages and threshold values could be calculated that could help determine the security measures to implement (or not).
ASSET      VULNERABILITY  THREAT  COST TO IMPLEMENT PROTECTION  COST TO RECOVER FROM
ASSET n    High           High    Medium                        High
ASSET n+1  Low            High    Low                           Low
ASSET n+2  Low            Medium  High                          Low
ASSET n+3  High           Low     Low                           High
ASSET n+m  Etc.           Etc.    Etc.                          Etc.
Consider the following examples for a given asset n. Keep in mind that the rationale used in analyzing any threat and determining how it will be handled is highly subjective.
Example: If the threat of a security breach is high and the cost of recovering from the breach is high, you may decide that the benefit of implementing protection is worth it.
Example: The cost associated with recovering from a security breach of this type is high. The threat of the breach occurring is low and the cost to implement protection against the breach is also low. Despite the fact that the threat is low, the protection cost is also low; therefore, with a high recovery cost you might decide to protect against the attack.
Example: The cost associated with recovering from a security breach of this type is low. The threat of the breach occurring is high and the cost to implement protection against the breach is also high. Since the recovery cost from this attack is low you might decide to defer the high cost of protection despite the high breach potential.
Impact and Probability
Another useful tool for assessing risk is an Impact and
Probability Matrix. The
objective is to have all threats have a low impact to the
information system and for each
threat to have a low probability of occurring. While this is the
ideal it probably does not
represent reality. By determining a numeric impact and
probability ranking each threat
could be placed within a quadrant. Based on which quadrant a
threat falls into the
organization may decide to implement protection mechanisms or
not.
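A numeric version of the asset classification table and of the quadrant placement described above, as an added example that is not from the notes: High, Medium and Low are mapped to 3, 2 and 1, a protection score is computed per asset, a threshold decides whether to protect, and a numeric impact and probability ranking is mapped to a quadrant of the matrix. The scoring formula, the threshold, the assumed Medium vulnerability and Medium protection cost where the notes' worked examples do not state them, and the 1-to-10 ranking scale are all assumptions chosen for this example; the notes say only that such numbers could be assigned.

```python
"""Added example (not from the lecture notes): numeric scoring of the asset
classification table and quadrant placement on the Impact and Probability
Matrix. The formula, threshold and ranking scale are assumptions."""

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # assumed mapping of the table's ratings

# The asset table from the notes, as data.
ASSET_TABLE = {
    "ASSET n":   {"vulnerability": "High", "threat": "High",   "protect": "Medium", "recover": "High"},
    "ASSET n+1": {"vulnerability": "Low",  "threat": "High",   "protect": "Low",    "recover": "Low"},
    "ASSET n+2": {"vulnerability": "Low",  "threat": "Medium", "protect": "High",   "recover": "Low"},
    "ASSET n+3": {"vulnerability": "High", "threat": "Low",    "protect": "Low",    "recover": "High"},
}


def protection_score(vulnerability, threat, protect, recover):
    """Case for protecting an asset (assumed formula): exposure is the product
    of vulnerability, threat and recovery cost, divided by the cost of the
    protection. Ranges from 1/3 to 27."""
    exposure = LEVEL[vulnerability] * LEVEL[threat] * LEVEL[recover]
    return exposure / LEVEL[protect]


def should_protect(row, threshold=4.0):
    """Protect when the score reaches the (assumed) threshold."""
    return protection_score(**row) >= threshold


def classify_table(table=ASSET_TABLE, threshold=4.0):
    """Decision for every row of the table: asset name -> protect (True/False)."""
    return {asset: should_protect(row, threshold) for asset, row in table.items()}


def worked_examples(vulnerability="Medium"):
    """The three examples in the notes. Vulnerability is assumed Medium, and
    the first example's unstated protection cost is assumed Medium."""
    return [
        should_protect({"vulnerability": vulnerability, "threat": "High", "protect": "Medium", "recover": "High"}),
        should_protect({"vulnerability": vulnerability, "threat": "Low",  "protect": "Low",    "recover": "High"}),
        should_protect({"vulnerability": vulnerability, "threat": "High", "protect": "High",   "recover": "Low"}),
    ]


def quadrant(impact, probability, scale_max=10):
    """Place a threat in the Impact and Probability Matrix. impact and
    probability are numeric rankings on 1..scale_max (assumed scale); values
    above the midpoint count as High."""
    mid = scale_max / 2
    imp = "High" if impact > mid else "Low"
    prob = "High" if probability > mid else "Low"
    return f"{imp} Impact / {prob} Probability"
```

With these assumptions the three worked examples come out as the notes reason them: protect, protect, defer. Changing the weights or the threshold changes the decisions, which is the subjectivity the notes warn about; writing the formula down at least makes the assumptions reviewable.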
The following chart is credited to “Network Security
Assessment” by Michael Gregg and David Kim. This
text provides one source for how to develop a ranking
methodology for risk assessment.
Impact and Probability Matrix
                           Probability of Event
                           Low                      High
Impact of Event   High     High Impact /            High Impact /
                           Low Probability          High Probability
                  Low      Low Impact /             Low Impact /
                           Low Probability          High Probability
                           (Objective)
Security Education
Security education is an ongoing process that strives to provide
the proper security skills
needed by each individual in the organization.
Another goal of security education is to get everyone in the
organization to always think
about security. This requires integrating security consciousness
into every member of the
organization. Everyone needs to be security conscious, from
cleaning crew members to
the CEO. Security needs to be integrated into the work
environment so that it becomes
automatic to each employee. Ongoing security education
throughout the organization
supports this goal.
There are levels of security training. The type of security
education can be categorized
based on the target audience and the particulars of the training.
For a given organization
or role the division of security training may differ.
General Information: Companies can post security policies at physical premises. Some ways this can be accomplished are: posting security reminders on company web sites, distribution of fliers at facility entrance/exit points, short seminars, publishing security notes in company newsletters, sending regular mail messages. Another technique is to encourage employee feedback, providing recognition/rewards for ideas.
General Awareness: All employees need to be generally aware of security policy. They must understand what assets need to be protected, the value of the assets, general forms of attack, and the liability of a security breach. Employees must understand acceptable employee behavior. They need to know who to report problems to. A typical awareness course might be given every 6 to 12 months through the company intranet. Each employee must read the high level policy and indicate they will abide by it by completing some online acceptance. There may be a short quiz on the material on which a minimum grade needs to be attained.
Job Specific Training: All employees involved with IT systems
are required to know
more about the security policies. They need to know more
system specific policies
dealing with the security tools, system procedures. As users of
IT assets they need to
understand threats, vulnerabilities and defenses. Course work
may be required based on
their job code or role. Their knowledge is expected to be deeper
than the general
employee awareness. General technical training may involve
one or two courses a year
perhaps 3 – 5 hours for each course. Specific training related to
a job code or role may
also be required which is more in-depth.
Security Education: Moving up on the security knowledge
ladder some employees have
the requirement for detailed security education which can be
college style courses,
targeted professional seminars or both. This is also coupled
with on the job training and
experience. Employees requiring this level of course work
typically work in security
related positions performing functions such as: developing
security policies, performing
security audits, developing security software, maintaining
security assets.
Security Auditing
Security auditing refers to a review of an organization's security processes and procedures. In some ways a security audit resembles an I.R.S. audit (knock on wood).
The procedure proceeds as follows. A specific project team is selected to be audited. They are contacted by the security audit team to prepare for a security audit. They are told to make available various documents that describe aspects of security. These may be discrete documents or may be sections of documents that address various security issues. The documents are provided for review by the security team. Following is a hypothetical example of the type of documentation that may be reviewed.
- Security Policy – Defines overall security policy
- Functional Specification – identifying security specific aspects
- Design Specification – if applicable, identifying security specific aspects
- Security support plan – describing aspects of the policy that the audited process or product must address
- Security roles – Identification of roles, identification of individuals that are in roles
- Testing Plan – How is security functionality tested?
- Maintenance – How will the security functionality be maintained? (Virus protection, patches applied, CERTs)
- Disaster Plan – What to do when disaster occurs.
- Recovery Plan – How to recover from a disaster.
- Risk Identification and Risk Management Plan
- Issue Identification and Issue Management Plan
- Proper signoff – Each document must show proper signoff by all parties that have an interest in the integrity of the system.
Sometime later, after reviewing the documents, the auditors appear. They come with a group of individuals that have expertise in various areas. The auditors use the documents as a guideline to start interviews with team members to assess the level of compliance to security policy. If additional artifacts are needed, including demonstration of functionality, they are provided. The audit takes place as an iterative procedure.
Once completed the security team issues a report describing the nature of the audit, what was reviewed, the areas of compliance and areas of noncompliance. Any areas of noncompliance are ranked with a severity indicating the urgency that needs to be applied to get to compliance.
Discussion: Audits can be very difficult procedures for some team members to participate in, particularly for teams that are low on the SEI-CMMI maturity scale (Software Engineering Institute – Capability Maturity Model Integration, http://www.sei.cmu.edu/).
Audits are a critical element that contributes to a mature
security environment. As
employees and project teams mature on the SEI-CMMI scale
they will see the
value of the security audit. It takes a lot of management effort
and support to
institute and support an audit process. Employees have a
tendency to resist the
process. Nowadays the audit procedure is more universally
accepted. The
convergence of internet standards has contributed to acceptance,
since they
provide a framework that a project/process can be compared to.
Also, the benefit
of adhering to standards is now intrinsic in the engineering
psyche. There was a
time this was not the case.
I remember the “old days” when code reviews, design reviews,
quality reviews
and security reviews were formally introduced. The meetings
often became a
hostile environment. Individuals would take personal offense
for any type of
project criticism. There was little visible respect for
participating groups and
group members. It was an ugly, painful meeting that few
individuals looked
forward to, or saw any value in. Fortunately, the engineering
process has
improved.
Summary of Policy
This section should be viewed as a sampling of some security policy issues. It is important to recognize that having a security policy is fundamental to the health of your organization. The details of a particular security policy are unique to the organization's needs. There are many resources available to guide the creation of a security policy. Some resources are:
RFC 2196 is the internet working group that provides guidance for developing security policy and procedures for systems on the Internet.
http://www.faqs.org/rfcs/rfc2196.html
Software Engineering Institute – Capability Maturity Model Integration, Carnegie Mellon Institute
http://www.sei.cmu.edu/
NIST (National Institute of Standards and Technology) Recommended Security Controls for Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
CERT (Computer Emergency Response Team), Carnegie Mellon
http://www.cert.org/
Physical Security Control
Week6 Part5-IS
RevisionSpring2014
Physical Security Control
Physical security control is strongest when it adheres to the
principles of defense in depth
and least privilege. Defense in depth and least privilege should
be guiding principles that
are fundamental to any comprehensive security strategy.
Implementing security in layers
provides a robust and redundant defense. Also, restricting
access to only those that
require access makes security sense. Consider an analogy of
how you protect your house.
You would not consider protecting your house with only
perimeter defense of having a
locked gate on the driveway. You have doors with multiple
locks and windows with
locks. You also may have alarm systems with multiple defenses;
including motion,
sound, perimeter defense and the ability to call authorities. You
may also have closed
circuit television (CCTV), guard dogs and personal protection
devices. Defense in depth
is what you are implementing for your home in the previous
example. Also, with respect
to least privilege you certainly would not give a house key or
alarm code to someone you
don’t want in your house.
Physical security for your organization should be implemented
using the principles of
defense in depth and least privilege.
Keeping People Safe
An obvious component of physical security is making sure that
people are kept safe. The
facility must have adequate protection against a range of
disasters. Safety standards must
be followed as dictated by local standards, for example local
fire and building codes must
be followed. Some safety standards for operating machinery or
maintaining workplace
safety are dictated by national organizations such as the
Organization of Safety and
Health Association (OSHA). Organizations are subject to
inspection by these safety
organizations for compliance and if not adhering to standards
can be fined or shut down.
Also, depending on where the facility is located, protection against other "acts of God" such as hurricane, tornado and flooding also needs to be accounted for. Local standards should always be followed as a minimum.
These protections also need to be applied to physical assets in
the facility, but specific
attention needs to be applied to the health and well-being of
personnel in the physical
premises. Sound policy and procedures and education around
personal safety should be
number one on the list of physical security.
Perimeter Control
Secure physical access starts with securing your perimeter. For
some types of sites the
perimeter can be secured using CCTV. This can monitor the
coming and going of traffic
into company parking lots. It also provides employees with
protection against personal
threat and vandalism to their vehicles. Having adequate lighting
in outside areas is
important as well. Lighting discourages theft and vandalism as
well as providing some
safety.
In a more secure or government facility gated entries can be
implemented staffed with
guards. N-factor authentication can also be implemented to gain
entry to the premises.
Perimeter controls using walls, barbed wire and guards can be
implemented depending on
the level of protection required. Protecting trash and recycle
areas is important. Several
very damaging attacks have been engineered by attackers having
acquired valuable
intellectual assets by “dumpster diving”.
Security measures need to be taken to protect cabling, wiring
and associated
infrastructure. This is needed to protect the physical medium
from damage in the event of
environmental disaster or man-made sabotage. Adequate
security for protecting signals
from third party interception when transmitted through wireless
or wired medium is
needed. For protecting wired medium from man-in-the-middle
or eavesdropping attacks
sufficient physical shielding of wires is needed to protect
against physical intercept of
signals. For protection of wireless signals the use of cryptologic
controls such as
encryption and hashing is needed. This is an example where
physical controls and
programmatic controls intersect in a classic defense in depth
scenario to provide
protection for the information infrastructure.
Entering and Exiting the Premises
For most large companies employees stream through the
entrance doors during normal
work hours. Guard desks sometimes are staffed by less than
diligent guards that simply
do not check the badge of every person entering the premises.
Plus with only one door for
entry, several employees stream into the building at one time.
Even if familiar faces are
entering the building they could have been terminated the
previous day and are re-
entering with some malicious intent in mind. This can be a
security problem. Displaying a badge to a guard as you walk by does not provide a real safeguard against false entry.
A more secure approach would be to implement some sort of
multi-factor authentication
to gain access to the building. For example, each employee has a coded badge requiring them to swipe it and enter a PIN before the door opens. If the PIN is correct the door opens to allow entry. This can present a problem of rapid entry
to the building
particularly in inclement weather if there are a lot of people,
however with multiple
doors, turnstiles or man-traps the problem of multiple people
entering can be mitigated.
Using a keycard badge to enter and exit the building also
provides the benefit of having
an audit trail of who entered and exited the building and the
date and time.
Entering the facility after hours through a locked door can be
handled through coded
badge access. Multi-factor authentication is very important in
case a card was lost or
stolen. Having a CCTV camera on each entry is important.
Something that is hard to
control after normal business hours entry is “tailgating”. This is
where someone closely
follows an authenticated person into a facility without being
authenticated. This is easiest
to control if employees are educated that tailgating is not
allowed. Employees will
generally comply with this policy. The person that won’t
comply is the person trying to
gain illegal access. If they force themselves in it is difficult to
make it the employee’s
responsibility to keep them out, but the company should provide
a contact that the
legitimate employee can reach to explain what happened.
For smaller places of business, protections similar to those for your house are in order:
- ... and sound detection, automatic notification of authorities
Entering and Exiting Secure Spaces
Entering secure rooms has similar issues to entering secure grounds and buildings. The problems can also be mitigated by similar mechanisms. Physical access to certain areas within the premises should be guided by the principle of least privilege.
Principle of Least Privilege: No person should be granted more access than they need to do their job.
Access to these rooms should be controlled by n-factor authentication. Minimally, entry could be gained by a swipe of a badge and entry of a PIN code. This coupled with CCTV would provide secure access with two levels of authentication along with a video record. For more critical areas biometric access could be implemented to ensure a badge and PIN was not compromised. And of course, for ultra-secure areas guards in addition to the aforementioned mechanisms may be in order. Exit of secure spaces should also make use of the same authentication techniques that are used to enter the secure space.
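The badge-plus-PIN entry control and the least privilege rule described in the last two sections, as an added example that is not from the notes: a door controller that checks both factors before it checks room authorization, grants each person only the rooms they need, locks a badge after repeated bad PINs, and records every attempt (allowed or denied) to an audit trail. The people, badge numbers, rooms, PINs and the lockout threshold are constructed for the example; a real controller would persist the audit trail to the central audit file the notes describe.

```python
"""Added example (not from the lecture notes): a door controller that requires
badge + PIN, grants only the rooms a person needs (least privilege), locks a
badge after repeated bad PINs, and records every attempt. People, rooms and
PINs are constructed for the example."""
import hashlib
import hmac
import os

MAX_BAD_PINS = 3   # assumed lockout threshold


def pin_digest(pin, salt):
    """Store PINs only as salted PBKDF2 digests, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class DoorController:
    def __init__(self):
        self._badges = {}   # badge_id -> dict(name, salt, digest, rooms, bad_pins)
        self.audit = []     # (timestamp, badge_id, room, decision): the audit trail

    def enroll(self, badge_id, name, pin, rooms):
        salt = os.urandom(16)
        self._badges[badge_id] = {"name": name, "salt": salt,
                                  "digest": pin_digest(pin, salt),
                                  "rooms": frozenset(rooms), "bad_pins": 0}

    def request_entry(self, badge_id, pin, room, timestamp):
        """Both factors must pass before the room authorization is checked.
        Returns the decision string; allow() reduces it to True/False."""
        badge = self._badges.get(badge_id)
        if badge is None:
            decision = "deny:unknown-badge"
        elif badge["bad_pins"] >= MAX_BAD_PINS:
            decision = "deny:badge-locked"   # lost/stolen card being guessed at
        elif not hmac.compare_digest(badge["digest"], pin_digest(pin, badge["salt"])):
            badge["bad_pins"] += 1
            decision = "deny:bad-pin"
        elif room not in badge["rooms"]:
            decision = "deny:not-authorized"  # least privilege: only needed rooms
        else:
            badge["bad_pins"] = 0
            decision = "allow"
        self.audit.append((timestamp, badge_id, room, decision))   # every attempt
        return decision

    def allow(self, badge_id, pin, room, timestamp):
        return self.request_entry(badge_id, pin, room, timestamp) == "allow"


def demo_controller():
    """Constructed enrollment: alice needs lab-2 only; bob also runs the server room."""
    c = DoorController()
    c.enroll("B-1001", "alice", "4821", ["lab-2"])
    c.enroll("B-1002", "bob", "9137", ["lab-2", "server-room"])
    return c
```

The denial reason is kept in the audit record but the door itself only opens or stays shut; the distinct reasons are what let a later audit separate a forgotten PIN from a badge being used at a room its holder was never granted.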
Common Access Cards
Some organizations and government agencies control access to all assets using common access cards (CAC). A CAC contains multiple types of identification. It contains a picture identifying the owner of the card. It contains a magnetic stripe for accessing rooms and areas requiring this type of access. The card contains an integrated computer chip making it into a smart card that controls access to computer systems that have suitable readers. By implementing components of PKI (Public Key Infrastructure) a user can be identified using encryption and digital signing capabilities. The card is also used together with SYK (Something You Know) authentication such as a PIN or password. When the SYK factor is used in conjunction with the CAC another factor of authentication is provided.
An advantage of a CAC is that logging of all automated CAC
uses can be done and
written to a centralized audit file providing a record of access.
The CAC demonstrates the merging of authentication, access
and auditing controls for
both physical (e.g. buildings/rooms) and electronic (e.g.
computers/files) assets.
Environmental Controls
Some environmental control needs will be common across most
facilities in most
industries, particularly those that deal with the safety of people.
Some unique concerns may be dependent on the business being
conducted at the facility.
For example, power needs. In the case of a power outage can the
facility be emptied and
everyone allowed to go home, or does backup power need to be
supplied that supports a
24 X 7 operation? Does the 24 X 7 operation need to
accommodate machines and a
skeleton staff, or a full work staff? What about the use of
elevators in a high-rise
business? Can egress be accomplished by backup power?
Fire suppression technology is another area that may require
special needs depending on
the type of business being conducted. What fire suppression
technology is needed for
what asset type? Opening a deluge of water on a million dollar
computer system is
probably not the optimal first choice for fire suppression.
However, suppressing a fire in
a meeting room with water to protect people and the building
may be the correct solution.
Heating, Ventilation and Air Conditioning is another area that
requires analysis.
Computer rooms need reliable air conditioning that is often
quite cool, office areas need
air conditioning that is comfortable for humans. Heating and
clean air are equally
important and the needs for them need to be considered.
Auditing and Physical Security
The need to audit physical security events is as important as for events that apply to information technology assets. All forms of entry and egress from buildings and secure rooms should be audited. Any access controlled through keycards, PIN pads, biometric scans or other automated mechanisms should have the activity automatically written to an audit file. Records of entry and egress kept in hand-written logs or on CCTV need to be retained in an orderly manner, with a defined retention period and controlled access to the records themselves.
Records need to be kept of physical equipment. All equipment
should have asset tags that
record the model and serial number of the equipment. Also
recorded should be where the
equipment is located and the responsible party.
There may be regulatory laws that require auditing all access to
various physical
resources (e.g. buildings and rooms). This requirement is no
different than for accessing
computer systems and electronic files.
How Much Physical Security is enough?
Just as the risk to your information assets needed to be
assessed, so does the risk to your
physical assets.
The number of choices and variations in physical security are many. Consider a sampling of the numerous choices for protecting access to a room storing records in a file cabinet. Do you use a keyed or a combination lock? What Underwriters Laboratories (UL) rating is required for the locks? Is multi-factor authentication needed for some aspects of physical security, such as building access or secure room access? Should CCTV be implemented in the parking areas, on building doors and at the access points to restricted areas such as computer lab environments and critical record storage? Are human guards required in some areas to control access? The choices of protection are many, and the proper protection can only be determined after the assets that require protection have been assessed.
Your physical assets need to be inventoried and assessed along several dimensions. The dimensions are no different from those we started with for assessing the information assets. At some point the physical assets will likely intersect with the information assets; that is, they are one and the same.
In order to implement a security plan it is necessary to understand:
- … of attacks that can take place against each asset
- … attack or to recover from an attack
- the cost of protecting against the attack
Only after performing a complete assessment can you determine how much physical security is enough.
Authorization
Week6 Part4-IS
RevisionSu2013
Authorization
Authorization is that part of access control where an
organization has to determine how
much access a user is given. The access control model being
used in your organization
has an impact on the authorization a user or process has to
access various resources.
Access control models fall into three general categories.
1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role Based Access Control (RBAC)
Irrespective of the access control model in your organization
accepted security practice is
to implement according to the principle of least privilege. Least
privilege is the principle
that a user is authorized to the minimum amount of access they
need to get their job done.
By granting the user the least privilege the amount of damage
that can be intentionally or
accidentally caused is limited.
Subjects and Objects
In an access control system subjects access objects. Access
control works by controlling
the access granted to subjects to access objects. If every subject
could access every object
there would be no access control and no security.
Access control systems can be modeled by using access control
matrices. Following is a
simplified access control matrix that has three subjects and
three objects. Think of the
subjects as users and the objects as files.
In this model:
- S1 has read access to file1 and file2 and write access to file3. S1 is the owner of file2.
- S2 has write access to file1, execute access to file2, and read and write access to file3. S2 is also the owner of file3.
- S3 is the owner of file1, has write access to file2 and read access to file3.

                         OBJECTS
SUBJECTS     file1       file2            file3
S1           read        read, owner      write
S2           write       execute          read, write, owner
S3           owner       write            read

The access matrix is a model; however, one can envision defining data structures that support an actual implementation of this matrix in an access control system.
The above is a very simplified access control model. Access
control concepts are
extended to more than just files. They are also used to control
access to processes,
devices, memory locations and other constructs that need to
have access controlled.
Discretionary Access Control (DAC)
Discretionary access control is the type of access control that is
used in most commercial
operating systems. Unix/Linux and Windows use a discretionary
control model. DAC
operates on the principle that an object has an owner. The
owner controls what subjects
are granted access to the object. The owner also has the
authority to grant another subject
owner access so they may grant other subjects access.
The above access control matrix models a simplified DAC
model since owners are
indicated for each of the objects.
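The matrix above, implemented as a data structure with the DAC rule that only an owner can extend another subject's rights. This is an added example for these notes, not code from the notes; the class and method names are the example's own, and the three subjects and three files are the ones in the table.

```python
class AccessMatrix:
    """Sparse access matrix: (subject, object) -> set of rights.
    Added example, not the notes' own code."""

    RIGHTS = {"read", "write", "execute", "owner"}

    def __init__(self):
        self.cells = {}

    def _cell(self, subject, obj):
        return self.cells.setdefault((subject, obj), set())

    def set_rights(self, subject, obj, *rights):
        """Trusted (administrative) initialisation of a cell; bypasses the DAC check."""
        bad = set(rights) - self.RIGHTS
        if bad:
            raise ValueError(f"unknown rights: {sorted(bad)}")
        self._cell(subject, obj).update(rights)

    def allowed(self, subject, obj, right):
        """Reference-monitor decision: is `right` present in the cell for (subject, obj)?"""
        return right in self.cells.get((subject, obj), set())

    def owners(self, obj):
        return {s for (s, o), r in self.cells.items() if o == obj and "owner" in r}

    def grant(self, granter, grantee, obj, right):
        """DAC rule: only an owner of `obj` may give another subject a right on it.
        Granting 'owner' delegates that authority, as the notes describe."""
        if not self.allowed(granter, obj, "owner"):
            raise PermissionError(f"{granter} is not an owner of {obj}")
        if right not in self.RIGHTS:
            raise ValueError(right)
        self._cell(grantee, obj).add(right)

    def revoke(self, revoker, subject, obj, right):
        if not self.allowed(revoker, obj, "owner"):
            raise PermissionError(f"{revoker} is not an owner of {obj}")
        self._cell(subject, obj).discard(right)


def matrix_from_notes():
    """The three-subject, three-object matrix shown in the text."""
    m = AccessMatrix()
    m.set_rights("S1", "file1", "read")
    m.set_rights("S1", "file2", "read", "owner")
    m.set_rights("S1", "file3", "write")
    m.set_rights("S2", "file1", "write")
    m.set_rights("S2", "file2", "execute")
    m.set_rights("S2", "file3", "read", "write", "owner")
    m.set_rights("S3", "file1", "owner")
    m.set_rights("S3", "file2", "write")
    m.set_rights("S3", "file3", "read")
    return m


def demo():
    """Returns (S1 can write file1 before, after S3 grants it, whether S2's grant was accepted)."""
    m = matrix_from_notes()
    before = m.allowed("S1", "file1", "write")      # S1 only holds read on file1
    m.grant("S3", "S1", "file1", "write")            # S3 owns file1, so this succeeds
    after = m.allowed("S1", "file1", "write")
    try:
        m.grant("S2", "S2", "file1", "read")         # S2 is not an owner of file1
        illegal_accepted = True
    except PermissionError:
        illegal_accepted = False
    return before, after, illegal_accepted
```

The point the matrix alone does not show is the decision procedure: `allowed` is the reference monitor, and `grant` is where the "discretionary" part lives, because the check it performs is on the granter's ownership, not on any system-wide policy.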
The DAC model can support the principle of least privilege, but it is easy to find users that have more access than they need to do their job. Supporting least privilege in a DAC model takes active management to ensure users do not accumulate more privilege than their jobs require. DAC supports limited separation of duties based on the groups an individual is in, but the model is limited and other tools, such as sudo (superuser do) in Unix/Linux environments, are used for finer-grained control of privileged operations.
Access Control Example
A description of access control concepts includes a discussion of Subjects, Objects and Permissions. Depending on the particular system the terminology may vary slightly but the concepts should be similar. Following is an example of the UNIX access control system; it applies equally to Linux.
Subjects:
User – The owner of the object.
Group – All users, including the owner, whose group membership includes the group the object belongs to.
Other – All other users defined in the system.
*Another subject not in the list is the superuser: someone who obtains superuser privilege by becoming root. Root bypasses the permission checks entirely and can, for instance, alter the owner of the object.
Permissions:
Read – the right to read, print, or copy the file.
Write – the right to modify the file.
Execute – the right to run the file as an executable program image or a script.
The UNIX permissions model is a discretionary access control model. UNIX implements access control to files by using permission bits; in most UNIX/Linux distributions these are supplemented by access control lists.
Permissions are specified for three subject classes: user, group and other, often abbreviated ugo. The objects controlled by permissions are files, and many control structures in UNIX are implemented as files. Directories, links (symbolic and hard), pipes, sockets and device nodes (block and character) all appear as files. Therefore while permissions control access to files, they effectively control access to the mechanisms that deal with directory structures, input/output and inter-process communication. The permissions for a file can be viewed with the ls -l command. There are other options, but -l provides the information we need.
$ ls -l
-rw-r--r-- 1 wvales accfac 23 Feb 12 08:11 test.txt
-rw-r--r-- 1 wvales accfac 23 Feb 12 08:12 test1.txt
drwxr-xr-x 2 wvales accfac 10 Feb 12 09:10 test.dir
The file type is designated by the first character in the ls output. A hyphen "-" indicates a regular file (a text file, for example). A "d" indicates the file is a directory. The above ls command outputs information for three files: two regular files and one directory.
The permission breakdown is based on three types of subject: the user (i.e. owner) of the object, members of the group the object belongs to, and anyone else, denoted other. The nine permission characters that follow the type character have the same layout for every object type that can appear in that first position: regular file, directory, symbolic link, named pipe, socket, block device, character device.
The following table shows the three subject classes and the seven object types in the UNIX DAC model.

Type   User   Group   Other   Object type
-      rwx    rw-     rw-     regular file
d      rwx    rw-     rw-     directory
l      rwx    rw-     rw-     symbolic link
p      rwx    rw-     rw-     named pipe
s      rwx    rw-     rw-     socket
b      rwx    rw-     rw-     block device
c      rwx    rw-     rw-     character device
There are three permissions (or access modes) for each subject class. Only one class is consulted for a given process, the first that matches: if the process is the owner, the user bits decide; otherwise, if it belongs to the file's group, the group bits decide; otherwise the other bits decide. There is no fall-through, so an owner whose user bits are --- is refused even when other is rw-. What each mode means depends on the object type:
r – read access. For a file, read access means the contents can be read by a text editor or by utilities such as cat or more. For a directory, read access means the names of the entries in the directory can be listed (ls).
w – write access. For a file, write access allows the contents to be modified or a new version written. For a directory, write access means entries can be created, removed or renamed within the directory; deleting a file requires write on the directory, not on the file. For a block or character device, write access means the device can be written to.
x – execute access. For a script or program image, execute access means the file can be run by the shell or loaded via exec. For a directory, execute access means the directory can be searched: entries can be looked up by name, opened and stat'ed (which is what ls -l needs to show the details), and the directory can be traversed as a path component. Without execute access on a directory you are effectively denied access to everything beneath it in the directory tree, even if you know the names.
Access Control Lists (ACLs)
Another discretionary access control mechanism in most operating systems (UNIX/Linux/Windows) is the Access Control List (ACL). The UNIX permission bits give a coarse granularity of access control: one owner, one group and everyone else. If you want to allow access to a file for certain individuals you have to create a new group containing just those users. Creating and deleting groups and changing group membership can become very difficult to manage. An access control list simplifies this.
An ACL lets the owner specify access for named users and named groups on a file, which is finer grained than the permission bits. On Linux, POSIX ACLs are managed with the setfacl and getfacl commands. The named entries are limited by a mask entry, and once an ACL is present it is the mask, not the owning group's permission, that the group bits in ls -l display (ls marks such files with a + after the mode). ACLs are not available on all implementations of UNIX, and the file system must support them.
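The evaluation rules from the two sections above (first-matching ugo class, directory search permission along the path, and POSIX ACL entries limited by the mask), written out as an added example for these notes rather than the notes' own code. The file system, users and groups in the block are constructed for the example; the ACL entry syntax is the one getfacl prints.

```python
# Added example: how UNIX mode bits and POSIX ACLs are evaluated (Linux semantics).
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

RWX = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode_str: str):
    """'-rw-r--r--' -> ('-', 6, 4, 4). Lower-case s/t in the x slot imply the x bit."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    bits = []
    for i in (1, 4, 7):
        r, w, x = mode_str[i:i + 3]
        bits.append((4 if r == "r" else 0) | (2 if w == "w" else 0) | (1 if x in "xst" else 0))
    return (mode_str[0], *bits)


@dataclass
class Inode:
    mode: str                 # ls -l style, e.g. "-rw-r-----"
    owner: str
    group: str
    acl: List[str] = field(default_factory=list)   # getfacl entries, e.g. "user:alice:r--"


@dataclass(frozen=True)
class Cred:
    uid: str
    groups: FrozenSet[str]    # primary plus supplementary groups


def mode_check(ino: Inode, who: Cred, want: str) -> bool:
    """Classic ugo check: exactly one class applies, the first that matches, so an
    owner whose user bits are --- is denied even if group and other have rw-."""
    _, u, g, o = parse_mode(ino.mode)
    bits = u if who.uid == ino.owner else g if ino.group in who.groups else o
    return bool(bits & RWX[want])


def acl_check(ino: Inode, who: Cred, want: str) -> bool:
    """POSIX.1e evaluation. Without an extended ACL this is mode_check. Named-user
    and group-class entries are ANDed with the mask; owner and other are not."""
    if not ino.acl:
        return mode_check(ino, who, want)
    named_users: Dict[str, int] = {}
    named_groups: Dict[str, int] = {}
    owner_bits = group_bits = other_bits = 0
    mask = 7
    for entry in ino.acl:                   # getfacl always lists the base entries too
        tag, qual, perms = entry.split(":")
        p = sum(RWX[c] for c in perms if c in RWX)
        if tag == "user":
            if qual: named_users[qual] = p
            else: owner_bits = p
        elif tag == "group":
            if qual: named_groups[qual] = p
            else: group_bits = p
        elif tag == "mask":
            mask = p
        elif tag == "other":
            other_bits = p
        else:
            raise ValueError(entry)
    bit = RWX[want]
    if who.uid == ino.owner:
        return bool(owner_bits & bit)
    if who.uid in named_users:
        return bool(named_users[who.uid] & mask & bit)
    in_group_class = ino.group in who.groups
    if in_group_class and group_bits & mask & bit:
        return True
    for gname, p in named_groups.items():
        if gname in who.groups:
            in_group_class = True
            if p & mask & bit:
                return True
    if in_group_class:                      # matched the group class but nothing granted: no fall-through
        return False
    return bool(other_bits & bit)


def path_check(fs: Dict[str, Inode], path: str, who: Cred, want: str) -> bool:
    """Reach `path` and use it for `want`: needs x on '/' and every intermediate directory."""
    comps = [c for c in path.split("/") if c]
    dirs = ["/"] + ["/" + "/".join(comps[:i]) for i in range(1, len(comps))]
    if any(not acl_check(fs[d], who, "x") for d in dirs):
        return False
    return acl_check(fs[path], who, want)


# Constructed sample file system and principals
FS = {
    "/":                       Inode("drwxr-xr-x", "root", "root"),
    "/home":                   Inode("drwxr-xr-x", "root", "root"),
    "/home/wvales":            Inode("drwx--x---", "wvales", "accfac"),   # group may traverse, not list
    "/home/wvales/test.txt":   Inode("-rw-r-----", "wvales", "accfac"),
    "/home/wvales/notes.txt":  Inode("----rw-rw-", "wvales", "accfac"),   # owner locked out by own bits
    "/home/wvales/shared.txt": Inode("-rw-r-----", "wvales", "accfac",
                                     acl=["user::rw-", "user:alice:rw-", "group::r--",
                                          "mask::r--", "other::---"]),    # mask trims alice to r--
}
WVALES = Cred("wvales", frozenset({"accfac"}))
BOB = Cred("bob", frozenset({"accfac"}))
ALICE = Cred("alice", frozenset({"users"}))
EVE = Cred("eve", frozenset({"users"}))
```

Two results worth trying by hand: bob can open /home/wvales/test.txt but cannot list /home/wvales (execute without read on the directory), and alice's named ACL entry grants rw- yet she can only read shared.txt because the mask is r--; she also cannot reach that file through /home/wvales at all, since the ACL is on the file and not on the directory she has to search.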
Mandatory Access Control (MAC)
Mandatory access control is used in environments where access decisions are made by the system rather than by the owners of objects. Many government systems use mandatory access control. In a MAC system there is no owner who can hand out access to an object; access is controlled by system policy, not by a subject. MAC systems are built on labels. A typical MAC system has labels that correspond to security levels; using the government model the levels are unclassified, confidential, secret and top secret. Labels are attached to both objects and subjects.
Reading works as follows: a subject may read an object whose label is equal to or lower than the subject's own. If a subject attempts to read an object that carries a higher label the access is denied. For example, a subject with a label of confidential can read objects labelled confidential or unclassified; it cannot read objects labelled secret or top secret. This is the "no read up" rule of the Bell-LaPadula model; the same model also restricts writing, so that a high-level subject cannot copy what it has read into a lower-level object.
MAC systems support the concept of least privilege. Separation of duties is supported based on the labels that an individual has been assigned.
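The label comparison above as an added example (not the notes' own code). It goes one step beyond the text: labels carry compartments as well as a level, so "equal or lower" becomes lattice dominance, and the write rule is included alongside the read rule. The compartments, the write rule and the sample labels are assumptions taken from the Bell-LaPadula model, not something the notes state.

```python
# Added example: MAC labels as a lattice, with the read and write rules of Bell-LaPadula.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # need-to-know categories (assumption, not in the notes)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """self >= other: a higher-or-equal level AND a superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the rule described in the text."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): a subject may only write to objects at or above its
    own label, so a secret-cleared process cannot copy secret data into an unclassified file."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Reference-monitor entry point: the system, not an owner, makes the decision."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(op)


# Constructed sample labels
ANALYST = Label("secret", frozenset({"CRYPTO"}))
REPORT_CONF = Label("confidential")
REPORT_NUKE = Label("secret", frozenset({"NUCLEAR"}))
SCRATCH_TOP = Label("top secret", frozenset({"CRYPTO"}))
```

The compartment check is what makes two "secret" labels incomparable: the analyst cleared for CRYPTO cannot read a secret NUCLEAR report even though the levels are equal, and the only objects it may write to are ones that dominate its own label.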
Role Based Access Control (RBAC)
Role Based Access Control works by assigning access to an
object according to the role a
subject has within a system. A particular subject can have
several roles in a system at any
time. Each role potentially has different levels of access.
RBAC is rapidly gaining popularity as the need to control access based on role is being driven by government legislation such as Sarbanes-Oxley.
Large organizations are starting to use RBAC systems because
of the relative ease of
granting access to objects by assigning roles to the subjects
(employees). The ease of
assigning and removing access translates into large cost saving
for companies that have
large turnover of employees or changing of roles in an
organization.
RBAC systems support the concept of least privilege.
Separation of duties is supported
based on roles that individuals are assigned to. Some RBAC
implementations support the
concept of separation of duties by implementing constraints
between mutually exclusive
roles. A constraint of this type means that if a subject is
assigned multiple roles that are in
conflict for accessing a particular object then the access to that
object is restricted. For
example, assume someone is serving the dual roles of a loan
officer and a loan auditor.
They should not be allowed access to audit loans since they are
also approved as a loan
officer.
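The role assignment, role-based permission check and mutually exclusive role constraint described above, as an added example for these notes (not the notes' own code). The roles, objects and the loan officer / loan auditor conflict are those in the text; refusing the conflicting role at assignment time, rather than restricting access afterwards, follows the usual static separation-of-duty definition and is an assumption of the example.

```python
# Added example: RBAC with a static separation-of-duty constraint.


class ConstraintViolation(Exception):
    pass


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> {(object, action)}
        self.user_roles = {}   # user -> {role}
        self.exclusive = []    # sets of mutually exclusive roles

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_exclusion(self, *roles):
        """Static separation of duty: no user may hold two roles from this set."""
        for r in roles:
            if r not in self.role_perms:
                raise KeyError(r)
        self.exclusive.append(frozenset(roles))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(role)
        held = self.user_roles.setdefault(user, set())
        for group in self.exclusive:
            if role in group and held & (group - {role}):
                raise ConstraintViolation(
                    f"{user} already holds {sorted(held & group)}, which conflicts with {role}")
        held.add(role)

    def revoke(self, user, role):
        """Removing one role removes every permission it carried, in one step."""
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, obj, action):
        """Access is granted if ANY role the user holds carries (obj, action)."""
        return any((obj, action) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def bank_example():
    """Returns (can_approve, can_audit_while_officer, conflict_raised, can_audit_after_revoke)."""
    rbac = RBAC()
    rbac.define_role("teller", {("account", "read"), ("account", "deposit")})
    rbac.define_role("loan_officer", {("loan", "read"), ("loan", "approve")})
    rbac.define_role("loan_auditor", {("loan", "read"), ("loan", "audit")})
    rbac.add_exclusion("loan_officer", "loan_auditor")

    rbac.assign("pat", "teller")
    rbac.assign("pat", "loan_officer")
    can_approve = rbac.permitted("pat", "loan", "approve")
    try:
        rbac.assign("pat", "loan_auditor")          # conflicts with loan_officer
        conflict_raised = False
    except ConstraintViolation:
        conflict_raised = True
    can_audit_while_officer = rbac.permitted("pat", "loan", "audit")

    rbac.revoke("pat", "loan_officer")             # a role change is one operation
    rbac.assign("pat", "loan_auditor")
    can_audit_after_revoke = rbac.permitted("pat", "loan", "audit")
    return can_approve, can_audit_while_officer, conflict_raised, can_audit_after_revoke
```

The cost-saving claim in the text is visible in `revoke`: when pat moves from loans to audit, nobody has to find and remove each individual file or table permission, because the permissions were never attached to pat in the first place, only to the roles.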
Auditing
Auditing of access control operations is a requirement for
running a secure information
infrastructure. All major operating systems have auditing
systems. Windows has the
event viewer application that allows viewing of various events
related to: System,
Security, Applications, and Internet Explorer. UNIX/Linux has
the syslog utility for
recording similar events. Many applications have auditing
systems for any application
specific operations. For example, a firewall application will
keep a log related to various
accesses. Database systems have audit logs for recording
modifications to the database
metadata as well as accesses to data.
For a particular environment the amount of information that
could be recorded to an audit
file could be voluminous. As long as the tools that read the
audit log allow searching and
sorting of entries the size of the audit logs may not be an issue.
However, there are some
cases that the amount of information being audited is so large
that there is a performance
impact on the system writing information to the audit log. Also
the amount of disk space
used may also be an issue.
Most audit systems have the ability to specify what information
is to be audited. Instead
of auditing every access to every file perhaps audit entries only
need to be written when
critical files are accessed. Typically, with high bandwidth, big
disks and good sorting and
searching capabilities in the audit system users will audit
everything until a problem
occurs that dictates the amount of data to be audited should be
reduced.
Discussion: While managing the development and maintenance
of a Transaction
Processing System (TPS) we had a customer that used the
system for online
options trading. The customer decided to audit all access
control activity. At peak
trading times the transaction rate exceeded several thousand
transactions a
minute. This resulted in a huge amount of data to be audited.
System performance
eventually ground to a halt affecting the ability to perform the
options trading.
The large amount of data being written to the audit log was
causing thrashing
between the process writing the audit file and the trading
program. By assigning a
higher priority to the trading program it allowed that program to
run before the
audit writing program. This worked for a while until the buffers
for the audit
program filled up with information that needed to be written to
the audit disk. The
next fix was to expand the buffers for containing the audit
information. Knowing
this would postpone the problem we decided to move the audit
disk to a separate
disk where there was no contention by any other process.
Mode Access
The subject/object access models we just discussed assume that all subjects have the same privileges. This is not the case: some users have more privileges than others. In Windows XP (personal), Windows 7 and Windows 8 there are Administrator and User accounts, and any user with administrator privileges can perform more operations than a user with user privileges.
[Figures: Windows XP Account Types; Windows 7 Account Types]
In UNIX/Linux there are two kinds of users: root and everyone else. Any user that has logged into the root account is the "superuser". With superuser (root) privilege the user can do anything: they have access to everything any other user has and more. They can create accounts, change passwords, kill user processes, change file ownership, format devices and perform many other operations that an ordinary user cannot.
The superuser in UNIX or an administrator in Windows has unfettered access to all aspects of the system. Staying logged into an account with these elevated privileges all of the time is not recommended on a secure system. Accidents happen, and malicious activity can result in a privileged account being hijacked. It is best to switch to elevated privileges when they are needed and switch back to normal (user) privileges when done. It only takes one errant Delete or rm command run with elevated privileges to make this point.
Many UNIX/Linux systems disable direct root logins and require users to obtain root privilege through the sudo utility, which runs a single command as root (or another user) according to the policy in the sudoers file, logs each invocation, and caches the user's authentication for a short period so it does not have to be re-entered for every command.
Reasons for Auditing
Analyzing System Activity
Many times activity on a system needs to be looked at in retrospect. Some security breaches are not detected until after the fact: a file is removed, confidential information is accessed, or a program is run, and none of it looks abnormal in normal day-to-day operation. However, after learning that confidential information has been leaked it may become necessary to determine which users had access to the information, or which program accessed it. With these accesses recorded in the audit logs it is a simple matter to search the logs to determine when the accesses occurred and by whom.
Compliance Reporting
In this age of corporate fraud and security breaches of sensitive
information it is
becoming increasingly important for organizations to prove that
access to information is
limited and information is protected. Regulations such as
Sarbanes-Oxley require that
companies keep accurate information trails for government
compliance reporting.
Another motivator for organizations to audit information is in
case there is litigation of
damages related to the improper care of client information.
A key part of a security strategy is to have policies and
procedures in place that audit
activities. This includes the auditing of activities related to
computer access as well as
auditing access to physical properties such as rooms, buildings,
parking lots and any
other area of importance. Determining the right amount of
access information to audit is
also important. The amount of information that is to be audited
should be based on the
asset in question. Too much audit information may require the
use of too much disk space
and require too much time to sort through. Auditing too little
information may not
provide the trail of access needed to determine when something
went wrong.
Examples of Authentication Systems
Week6 Part3-IS
RevisionSu2013
Examples of Authentication Systems
Authentication services tend to be part of a larger system such
as an operating system,
middleware system, database management system or some other
type of application.
Authentication services can be implemented as services with
well defined interfaces so
one authentication service could be used by a variety of
systems.
There are numerous authentication systems available; each has
their own strengths and
weaknesses. Some authentication schemes were developed to
support particular
applications so they have unique features to support those
environments (e.g. remote,
mobile computing, and wireless). Some authentication schemes
protect against certain
types of attacks that may be more prevalent to a particular
application or environment.
In this section we take a look at a few representative
authentication schemes.
Kerberos
Kerberos is a network authentication system developed by MIT
(Massachusetts Institute
of Technology) in the 1980s for project Athena. Kerberos
(Cerberus) is the name from
Greek mythology for the three headed dog that guards the gate
of Hades.
Kerberos supports single sign-on, allowing users to access various server services in a network environment after authenticating once. It uses symmetric encryption to secure communications between systems. Kerberos relies on a centralized server called a Key Distribution Center (KDC), which holds the long-term secret keys of every user and service (for users, derived from their passwords) and is responsible for centralized authentication. It is critical that the Kerberos KDC is kept SECURE: since all key material is held there, a compromised KDC compromises every principal in the realm, and an unavailable KDC means nobody can authenticate, so it is a single point of failure in both senses.
The Kerberos protocol uses a “ticket” model where clients
request tickets for services and
present these tickets to the server as credentials for the
requested service.
Kerberos technology is widely used in many operating systems
and applications
including Windows 2000 and later, UNIX distributions
including Sun Solaris, FreeBSD
and various Linux distributions.
Virtual Private Networks (VPN)
In the “old days” if a company wanted a secure connection from
one destination to
another they would pay the money to have private lines strung
between the locations.
This provided a dedicated, secure but very expensive solution.
In today’s remote, mobile
internet environment hardwiring of secure connections is not
always feasible. To support
secure connections over the internet, Virtual Private Networks (VPN) have been implemented. VPN technology supports creating secure connections over an insecure medium (the internet).
A VPN is implemented on the internet by establishing a secure
connection between two
parties that want to communicate over the internet. The secure
connection is established
by placing a wrapper around the data to be transmitted and
encrypting the data within the
wrapper. The wrapping of information is known as
encapsulating the data. The
encryption keys are known only to the sender and receiver of
the data. This results in a
secure connection for the two parties using an insecure medium
which is the internet.
The creation of a VPN may make use of a technique known as
tunneling. Tunneling uses
one protocol to encapsulate and another protocol for
transmission. Tunneling allows a
protocol that is incompatible with the underlying network to be
carried over the network.
Tunneling also supports the secure transmission of information
across an insecure path by
allowing the information flowing through the tunnel to be
encrypted.
There are several different protocols that can be used to support tunneling. Some popular ones are:
- Layer 2 Tunneling Protocol (L2TP)
VPNs support the secure exchange of information by implementing functionality that provides:
- … network
- Secure exchange of routing information
VPNs need to authenticate clients and servers. There are
different services that can be
used to perform authentication. Depending on the type of
connection a different
authentication scheme may make more sense than another.
Following is a small representative sample of authentication
schemes.
Extensible Authentication Protocol (EAP)
EAP is more of a framework than an actual implementation of authentication. EAP was designed as an extension to PPP (the Point-to-Point Protocol), an older link-layer protocol. PPTP (Point-to-Point Tunneling Protocol) was developed to allow PPP frames to be encapsulated within IP packets and forwarded over any IP network, so EAP methods can be carried over PPTP links as well. EAP provides the framework within which standard and proprietary authentication methods, using passwords, digital certificates or other credentials, are negotiated between a client and an authentication server. EAP itself authenticates nothing; the security of an EAP deployment is that of the method chosen.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a three-way handshake that authenticates a client to a server when a connection is established. CHAP also periodically re-authenticates the client during the connection with a new challenge, which makes a hijacked link harder to hold.
The challenge relies on two things:
1. Client and server use the same hash function to compute the message digest. The hash function is fixed by the protocol (MD5 in standard CHAP).
2. The client and the server already share a secret (the password for that client name), configured on both sides before any connection is requested. The secret itself is never sent.
The three-way handshake uses the one-way hash function to authenticate the client:
1. Client makes a request to the server for a connection.
2. Server generates a challenge: a fresh random value, sent together with an identifier. Server sends the challenge to the client.
3. Client responds to the challenge by computing a message digest over the identifier, the shared secret and the random challenge value, and returns the digest.
4. Server receives the response and compares it with the digest it computes from the same identifier, its own copy of the secret and the challenge it sent. If the two digests are the same the client is authenticated and the connection is established. If they differ the client is not authenticated and no connection is established.
Because the server must compute the same digest, it has to store the shared secret in clear (or reversibly encrypted) form, and anyone who captures a challenge/response pair can test candidate secrets offline, so the secret must be strong.
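The four steps above with both sides of the exchange, as an added example for these notes (not the notes' own code). The digest is MD5 over identifier, secret and challenge as standard CHAP specifies; the server's secret store, the session bookkeeping, the `offline_guess` helper and the sample names and secrets are constructed for the example.

```python
# Added example: a CHAP handshake, its replay protection, and the offline-guessing weakness.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets_db: dict):
        # CHAP needs the plaintext (or reversibly encrypted) secret on the server
        # to recompute the digest; it cannot work from a one-way password hash.
        self.db = secrets_db
        self.pending = {}          # session -> (identifier, challenge), consumed on verify
        self.identifier = 0

    def challenge(self, session: str, nonce: bytes = None):
        """Step 2: send (Identifier, random Challenge). A fresh value every time is
        what defeats replay; `nonce` can be supplied only to make tests deterministic."""
        self.identifier = (self.identifier + 1) % 256
        chal = nonce if nonce is not None else os.urandom(16)
        self.pending[session] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, session: str, identifier: int, name: str, response: bytes) -> bool:
        """Step 4: recompute and compare. One attempt per challenge."""
        if session not in self.pending:
            return False
        expected_id, chal = self.pending.pop(session)
        if identifier != expected_id or name not in self.db:
            return False
        expected = chap_response(identifier, self.db[name], chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapClient:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 3: only the digest leaves the client, never the secret."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def handshake(server: ChapServer, client: ChapClient, session: str, nonce: bytes = None) -> bool:
    """Steps 1-4 (step 1, the link request, is implicit in naming `session`).
    Calling it again on a live session is the periodic re-authentication CHAP allows."""
    identifier, chal = server.challenge(session, nonce)
    ident, name, resp = client.respond(identifier, chal)
    return server.verify(session, ident, name, resp)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Failure mode: an eavesdropper holding (Identifier, Challenge, Response) can test
    candidate secrets offline at hash speed. Returns the secret if it is in the wordlist."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None
```

The two properties worth confirming are that a captured response is useless against the next challenge (the server discards each challenge after one verification), and that the same capture is enough for a dictionary attack on a weak secret, which is why the secret's strength, not the handshake, is the limiting factor.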
Password Authentication Protocol (PAP)
PAP is the most basic type of authentication. The username and
password are sent from
the client to the server in clear text format. If the client is
known to the server the server
responds by authenticating the client. A fundamental problem
with this scheme is that
passwords can be intercepted on the client, the server or during
transmission on the
“wire”.
An obvious improvement that can be made to this scheme is
encrypting the passwords.
This is done in several protocols, one such is SPAP.
Internet Protocol Security (IPSec)
IPsec is used to create VPNs. There are numerous features in IPsec that support authentication of clients and servers and the secure exchange of data over the authenticated connections. Peers authenticate each other during the IKE key exchange, using pre-shared keys or digital certificates; the session keys that result drive symmetric encryption and keyed hashes (HMAC) that protect the data. IPsec provides encryption and authentication services. It also supports two different modes: tunnel and transport. In tunnel mode the entire original IP packet, header included, is encapsulated and encrypted inside a new IP packet, so the inner source and destination addresses are hidden from the network in between (the outer addresses are those of the VPN gateways); in transport mode only the payload is protected and the original header is retained. IPsec operates at the Internet layer of the Internet Protocol suite. This equates to layer 3 (Network layer) of the OSI reference model.
IPSec services can be used alone to establish secure connections
(VPN) or IPsec services
can be used by other protocols to provide services in their
environment. For example
L2TP (Layer 2 Tunneling Protocol) operates at the data link
layer in the OSI reference
model. L2TP does not implement any authentication or
encryption services in the
protocol. IPSec is typically used by L2TP to provide
confidentiality and authentication
services for establishing a secure VPN.
There is much more to say about IPSec, for now, be aware that
IPsec does provide
authentication services. These authentication services can be
used within an IPSec
implementation or they can be used in conjunction with other
protocols.
Authentication, Authorization, Accounting Protocols
Authentication, Authorization (access control) and Accounting (AAA) protocols are used for the centralized management of the users and devices that connect to network resources.
These protocols were initially developed to provide dial-up
access via PPP (point-to-
point protocol) and terminal servers. There are increased
demands on AAA protocols to
support new technologies, new devices and new protocols. For
example, supporting
mobile IP connections with roaming technology require using
different protocols, devices
and functionality than implementing geographically static PPP
connections.
AAA technologies allow companies to establish policies for
authentication and access
control which can be administered at a centralized location.
Accounting services are also
provided which audit access by users providing historical access
records and metrics that
are used for billing.
Internet Service Providers (ISPs) and other large enterprises are
users of AAA
technology. In general, these systems support a centralized
database of credentials and
access information that can be used to connect to multiple
servers. AAA systems can
make use of a variety of authentication protocols (e.g. CHAP,
EAP, PAP, Kerberos,
Active Directory) and can also integrate customer systems into
the AAA implementation
for items such as using locally stored credentials that are
external to the AAA system, or
storing accounting information into a customers MySQL
database. AAA systems will
need to continue to evolve in their capabilities by embracing
new technologies and
protocols that support secure network access as well as
integrating customer specific
needs into an implementation.
Three AAA systems are: RADIUS, Diameter, TACACS.
RADIUS: Remote Authentication Dial-In User Service is a de facto standard for many large customers in the corporate world. It was originally developed to support PPP dial-up access. RADIUS was developed in 1991 by Livingston Enterprises. Implementations use an unreliable transport (UDP).
Diameter: The successor to RADIUS, planned to be "twice as good as RADIUS" (pun intended). Diameter upgrades the services and support of RADIUS to cover newer technologies. Diameter uses a reliable transport protocol (TCP or SCTP) and makes use of network-level or transport-level security (IPsec or TLS). Diameter does provide an upgrade path from RADIUS.
TACACS: Terminal Access Controller Access-Control System provides AAA functionality commonly used in UNIX networks. TACACS+ provides updated protocol
Single Sign On (SSO)
A problem for a user that requires access to several systems is
that they need to
authenticate themselves as they access each system. Kerberos
mitigates this problem
within an organization by implementing a Single Sign On (SSO)
model. This allows the
user to log on to the system once and they remain authenticated
for access to any system
within a Kerberos “Realm”. Think of a realm as being
implemented for an organization.
The Kerberos model can be extended to include multiple realms,
which extends the reach
of the SSO to multiple organizations.
Federated Identity Management

Kerberos SSO makes sense within an organization, or across several organizations within a larger enterprise. However, implementing SSO across several heterogeneous enterprises, websites and other entities requiring authentication presents different problems.

Think about how many different sets of authentication credentials you have. Most people have credentials for every web site they do ecommerce with (Amazon, Ebay, Staples, Microsoft, Google, etc.), plus credentials for all the banking and finance institutions they deal with, and on top of that websites for universities, insurance companies and hospitals. You get the idea: the number of credentials a user has to remember is difficult to manage.

In an effort to simplify the online experience for users, to simplify account management through standards, and to encourage enterprises to establish new, meaningful business relationships with one another, the idea of Federated Identity Management has taken hold. Federated Identity Management is the idea that an identity infrastructure could be shared by enterprises across industries to store credentials, provide access and provide a secure environment. In practice one party, the identity provider, authenticates the user and issues a signed assertion about that authentication; the other parties, the service providers, accept that assertion instead of holding their own copy of the user's credentials. Every service provider's security therefore rests on the identity provider and on its own verification of the assertion's signature, intended audience and validity period.

Development of these concepts was done under the umbrella of the Liberty Alliance. Liberty Alliance began in 2001 and grew to include over 200 companies, some of them large multi-national finance, technology and manufacturing companies. Its federation specifications were contributed to the OASIS SAML 2.0 standard, and its work continued under the Kantara Initiative from 2009.

Federated Identity Management is a needed technology worth exploring. More can be found at www.projectliberty.org
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docx

More Related Content

Similar to Introduction to Access Control Week6 Part1-IS Revis.docx

Aerohive whitepaper-byod-and-beyond
Aerohive whitepaper-byod-and-beyondAerohive whitepaper-byod-and-beyond
Aerohive whitepaper-byod-and-beyondJ
 
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)ChristopherAntonius
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfamitkhanna2070
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingKaren Oliver
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-PracticesOctogence
 
Wireless Information Security System via Role based Access Control Pattern Us...
Wireless Information Security System via Role based Access Control Pattern Us...Wireless Information Security System via Role based Access Control Pattern Us...
Wireless Information Security System via Role based Access Control Pattern Us...ijcnes
 
Choose the Best Quality Access Control System for Your Organization Safety
Choose the Best Quality Access Control System for Your Organization SafetyChoose the Best Quality Access Control System for Your Organization Safety
Choose the Best Quality Access Control System for Your Organization SafetyNexlar Security
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdfmistryritesh
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesHitachi ID Systems, Inc.
 

Similar to Introduction to Access Control Week6 Part1-IS Revis.docx (13)

Audit Controls Paper
Audit Controls PaperAudit Controls Paper
Audit Controls Paper
 
Aerohive whitepaper-byod-and-beyond
Aerohive whitepaper-byod-and-beyondAerohive whitepaper-byod-and-beyond
Aerohive whitepaper-byod-and-beyond
 
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdf
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal Thing
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-Practices
 
Wireless Information Security System via Role based Access Control Pattern Us...
Wireless Information Security System via Role based Access Control Pattern Us...Wireless Information Security System via Role based Access Control Pattern Us...
Wireless Information Security System via Role based Access Control Pattern Us...
 
Enterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISEEnterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISE
 
P3 m2
P3 m2P3 m2
P3 m2
 
Choose the Best Quality Access Control System for Your Organization Safety
Choose the Best Quality Access Control System for Your Organization SafetyChoose the Best Quality Access Control System for Your Organization Safety
Choose the Best Quality Access Control System for Your Organization Safety
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdf
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 

More from mariuse18nolet

IRM 3305 Risk Management Theory and PracticeFall 2014Proje.docx
IRM 3305 Risk Management Theory and PracticeFall 2014Proje.docxIRM 3305 Risk Management Theory and PracticeFall 2014Proje.docx
IRM 3305 Risk Management Theory and PracticeFall 2014Proje.docxmariuse18nolet
 
Ironwood Company manufactures cast-iron barbeque cookware. During .docx
Ironwood Company manufactures cast-iron barbeque cookware. During .docxIronwood Company manufactures cast-iron barbeque cookware. During .docx
Ironwood Company manufactures cast-iron barbeque cookware. During .docxmariuse18nolet
 
IRM 3305 Risk Management Theory and PracticeGroup Project.docx
IRM 3305 Risk Management Theory and PracticeGroup Project.docxIRM 3305 Risk Management Theory and PracticeGroup Project.docx
IRM 3305 Risk Management Theory and PracticeGroup Project.docxmariuse18nolet
 
Iranian Women and GenderRelations in Los AngelesNAYEREH .docx
Iranian Women and GenderRelations in Los AngelesNAYEREH .docxIranian Women and GenderRelations in Los AngelesNAYEREH .docx
Iranian Women and GenderRelations in Los AngelesNAYEREH .docxmariuse18nolet
 
IRB HANDBOOK IRB A-Z Handbook E.docx
IRB HANDBOOK IRB A-Z Handbook  E.docxIRB HANDBOOK IRB A-Z Handbook  E.docx
IRB HANDBOOK IRB A-Z Handbook E.docxmariuse18nolet
 
IQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docx
IQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docxIQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docx
IQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docxmariuse18nolet
 
iPython 2For Beginners OnlyVersion 1.0Matthew .docx
iPython 2For Beginners OnlyVersion 1.0Matthew .docxiPython 2For Beginners OnlyVersion 1.0Matthew .docx
iPython 2For Beginners OnlyVersion 1.0Matthew .docxmariuse18nolet
 
Iranian Journal of Military Medicine Spring 2011, Volume 13, .docx
Iranian Journal of Military Medicine  Spring 2011, Volume 13, .docxIranian Journal of Military Medicine  Spring 2011, Volume 13, .docx
Iranian Journal of Military Medicine Spring 2011, Volume 13, .docxmariuse18nolet
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxmariuse18nolet
 
IP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docx
IP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docxIP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docx
IP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docxmariuse18nolet
 
IranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docx
IranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docxIranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docx
IranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docxmariuse18nolet
 
ipopulation monitoring in radiation emergencies a gui.docx
ipopulation monitoring in radiation emergencies a gui.docxipopulation monitoring in radiation emergencies a gui.docx
ipopulation monitoring in radiation emergencies a gui.docxmariuse18nolet
 
In Innovation as Usual How to Help Your People Bring Great Ideas .docx
In Innovation as Usual How to Help Your People Bring Great Ideas .docxIn Innovation as Usual How to Help Your People Bring Great Ideas .docx
In Innovation as Usual How to Help Your People Bring Great Ideas .docxmariuse18nolet
 
Investor’s Business Daily – Investors.comBloomberg Business – Blo.docx
Investor’s Business Daily –  Investors.comBloomberg Business – Blo.docxInvestor’s Business Daily –  Investors.comBloomberg Business – Blo.docx
Investor’s Business Daily – Investors.comBloomberg Business – Blo.docxmariuse18nolet
 
Invitation to Public Speaking, Fifth EditionChapter 8 Introdu.docx
Invitation to Public Speaking, Fifth EditionChapter 8 Introdu.docxInvitation to Public Speaking, Fifth EditionChapter 8 Introdu.docx
Invitation to Public Speaking, Fifth EditionChapter 8 Introdu.docxmariuse18nolet
 
Invitation to the Life SpanRead chapters 13 and 14.Objectives.docx
Invitation to the Life SpanRead chapters 13 and 14.Objectives.docxInvitation to the Life SpanRead chapters 13 and 14.Objectives.docx
Invitation to the Life SpanRead chapters 13 and 14.Objectives.docxmariuse18nolet
 
IOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docx
IOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docxIOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docx
IOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docxmariuse18nolet
 
INVITATION TO Computer Science 1 1 Chapter 17 Making .docx
INVITATION TO  Computer Science 1 1 Chapter 17 Making .docxINVITATION TO  Computer Science 1 1 Chapter 17 Making .docx
INVITATION TO Computer Science 1 1 Chapter 17 Making .docxmariuse18nolet
 
Investment Analysis & Portfolio Management AD 717 OLHomework E.docx
Investment Analysis & Portfolio Management AD 717 OLHomework E.docxInvestment Analysis & Portfolio Management AD 717 OLHomework E.docx
Investment Analysis & Portfolio Management AD 717 OLHomework E.docxmariuse18nolet
 
Investment BAFI 1042 Kevin Dorr 3195598 GOODMAN .docx
Investment BAFI 1042  Kevin Dorr 3195598  GOODMAN .docxInvestment BAFI 1042  Kevin Dorr 3195598  GOODMAN .docx
Investment BAFI 1042 Kevin Dorr 3195598 GOODMAN .docxmariuse18nolet
 

More from mariuse18nolet (20)

IRM 3305 Risk Management Theory and PracticeFall 2014Proje.docx
IRM 3305 Risk Management Theory and PracticeFall 2014Proje.docxIRM 3305 Risk Management Theory and PracticeFall 2014Proje.docx
IRM 3305 Risk Management Theory and PracticeFall 2014Proje.docx
 
Ironwood Company manufactures cast-iron barbeque cookware. During .docx
Ironwood Company manufactures cast-iron barbeque cookware. During .docxIronwood Company manufactures cast-iron barbeque cookware. During .docx
Ironwood Company manufactures cast-iron barbeque cookware. During .docx
 
IRM 3305 Risk Management Theory and PracticeGroup Project.docx
IRM 3305 Risk Management Theory and PracticeGroup Project.docxIRM 3305 Risk Management Theory and PracticeGroup Project.docx
IRM 3305 Risk Management Theory and PracticeGroup Project.docx
 
Iranian Women and GenderRelations in Los AngelesNAYEREH .docx
Iranian Women and GenderRelations in Los AngelesNAYEREH .docxIranian Women and GenderRelations in Los AngelesNAYEREH .docx
Iranian Women and GenderRelations in Los AngelesNAYEREH .docx
 
IRB HANDBOOK IRB A-Z Handbook E.docx
IRB HANDBOOK IRB A-Z Handbook  E.docxIRB HANDBOOK IRB A-Z Handbook  E.docx
IRB HANDBOOK IRB A-Z Handbook E.docx
 
IQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docx
IQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docxIQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docx
IQuiz # II-Emerson QuizGeneral For Emerson, truth (or.docx
 
iPython 2For Beginners OnlyVersion 1.0Matthew .docx
iPython 2For Beginners OnlyVersion 1.0Matthew .docxiPython 2For Beginners OnlyVersion 1.0Matthew .docx
iPython 2For Beginners OnlyVersion 1.0Matthew .docx
 
Iranian Journal of Military Medicine Spring 2011, Volume 13, .docx
Iranian Journal of Military Medicine  Spring 2011, Volume 13, .docxIranian Journal of Military Medicine  Spring 2011, Volume 13, .docx
Iranian Journal of Military Medicine Spring 2011, Volume 13, .docx
 
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docxIoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
 
IP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docx
IP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docxIP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docx
IP Subnet Design Project- ONLY QUALITY ASSIGNMENTS AND 0 PLAG.docx
 
IranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docx
IranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docxIranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docx
IranAyatollahTheocracyTwelver ShiismVilayat-e Faghih (jur.docx
 
ipopulation monitoring in radiation emergencies a gui.docx
ipopulation monitoring in radiation emergencies a gui.docxipopulation monitoring in radiation emergencies a gui.docx
ipopulation monitoring in radiation emergencies a gui.docx
 
In Innovation as Usual How to Help Your People Bring Great Ideas .docx
In Innovation as Usual How to Help Your People Bring Great Ideas .docxIn Innovation as Usual How to Help Your People Bring Great Ideas .docx
In Innovation as Usual How to Help Your People Bring Great Ideas .docx
 
Investor’s Business Daily – Investors.comBloomberg Business – Blo.docx
Investor’s Business Daily –  Investors.comBloomberg Business – Blo.docxInvestor’s Business Daily –  Investors.comBloomberg Business – Blo.docx
Investor’s Business Daily – Investors.comBloomberg Business – Blo.docx
 
Invitation to Public Speaking, Fifth EditionChapter 8 Introdu.docx
Invitation to Public Speaking, Fifth EditionChapter 8 Introdu.docxInvitation to Public Speaking, Fifth EditionChapter 8 Introdu.docx
Invitation to Public Speaking, Fifth EditionChapter 8 Introdu.docx
 
Invitation to the Life SpanRead chapters 13 and 14.Objectives.docx
Invitation to the Life SpanRead chapters 13 and 14.Objectives.docxInvitation to the Life SpanRead chapters 13 and 14.Objectives.docx
Invitation to the Life SpanRead chapters 13 and 14.Objectives.docx
 
IOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docx
IOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docxIOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docx
IOBOARD Week 2 Lab BPage 2 of 4Name _________________ Gr.docx
 
INVITATION TO Computer Science 1 1 Chapter 17 Making .docx
INVITATION TO  Computer Science 1 1 Chapter 17 Making .docxINVITATION TO  Computer Science 1 1 Chapter 17 Making .docx
INVITATION TO Computer Science 1 1 Chapter 17 Making .docx
 
Investment Analysis & Portfolio Management AD 717 OLHomework E.docx
Investment Analysis & Portfolio Management AD 717 OLHomework E.docxInvestment Analysis & Portfolio Management AD 717 OLHomework E.docx
Investment Analysis & Portfolio Management AD 717 OLHomework E.docx
 
Investment BAFI 1042 Kevin Dorr 3195598 GOODMAN .docx
Investment BAFI 1042  Kevin Dorr 3195598  GOODMAN .docxInvestment BAFI 1042  Kevin Dorr 3195598  GOODMAN .docx
Investment BAFI 1042 Kevin Dorr 3195598 GOODMAN .docx
 

Recently uploaded

Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsSandeep D Chaudhary
 
Economic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesEconomic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesSHIVANANDaRV
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxakanksha16arora
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxCeline George
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17Celine George
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17Celine George
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptNishitharanjan Rout
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfPondicherry University
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfstareducators107
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfNirmal Dwivedi
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxannathomasp01
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17Celine George
 

Recently uploaded (20)

OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Our Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdfOur Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdf
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
Economic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesEconomic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food Additives
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptx
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 

Introduction to Access Control Week6 Part1-IS Revis.docx

  • 1. Introduction to Access Control Week6 Part1-IS RevisionSu2013 Access Control Access control is fundamental to Information security. Access control supports the three security tenets of Confidentiality, Integrity and Accessibility of information assets. There are two broad categories of access control we are going to discuss: Computer system access control and physical access control. Computer system access control covers the mechanisms that are used to control access to information assets stored on computer systems. Physical access control covers mechanisms that control access to rooms, buildings and other containers that are used to physically store information assets.
  • 2. Computer System Access Control Now that we have differentiated between physical and computer access control we will use the term access control to refer to the respective area we are discussing, which in this section is computer system access. Access control is fundamental to computer security. In some very trusted environments where there is “no fear” of malicious destruction of information the following example may be a workable model. For example, you have a home PC. Everyone in your house shares the use of one account. This is effectively allowing everyone the same access to all the files, programs, services available to that account. While this may work on a trust level there is still the risk of accidental information lost. Perhaps one party worked for hours writing a paper or doing their homework and another party comes along and inadvertently creates a file of the same name, or they accidentally delete the file.
  • 3. In some work environments there are shared accounts that are used to log orders, check out customers, create customer accounts and perform other operations. With multiple people accessing one account there is no firm record of what individual did what. You may be able to loosely correlate who was working at a given time, but if there is an absolute requirement to align who did what there is no way to do that with shared accounts. Shared accounts allow users to repudiate their actions. If there is no control over who has access to information assets the potential for information free-for-all exists. Anyone can access anything. Anyone can read, modify, and delete information owned by anyone else. Access control protects against malicious and accidental information lost. Some form of access control is required in information systems. In most systems there are several levels of access control which supports the principle
  • 4. of defense in depth. Access Control Access control is fundamental to a secure information processing infrastructure. Access control concepts are implemented redundantly throughout an information infrastructure. This is consistent with the principle of security in depth. Access control mechanisms are implemented in the operating system, applications, routers, firewalls, databases and storage systems to name a few of the places. There are four major parts to an access control system: 1. Authentication: determining that a user is who they say they are. 2. Authorization: granting access to a resource based on the authenticated identity of a user. 3. Auditing: recording any access to a protected resource to provide a history of access to it. 4. Policies and Procedures: documentation of all access control
  • 5. policies and procedures. Users and Processes When we discuss access control or other mechanisms that occur within the operation of a computer system we tend to talk about users. “A user has access to…”, “the user deleted…”, “the user logged into …”. In some cases the term user is appropriate, but in many cases the access that is being controlled is a process that is performing some operation on behalf of a user. A user is a person in the flesh, a breathing person like you or me. A process is a computer program that is in an operating state. It is loaded and executing in memory performing some operation on behalf of a user. The concept is easiest to describe with an example. A user logs into their system using their account identification or credentials information. In this example the information consists of a username and
  • 6. password. The user is the person that is associated with an account. In general terms the following is happening: a user name and password determine if they are valid (attempts to authenticate) authenticated user re not valid the log in is rejected and the login procedure waits for another request to start the process over again It is worthwhile to understand the difference between a user and a process. We don’t want to complicate the language we use when we are relying on an intuitive understanding of what we mean by user. But in many cases it is worthwhile and even necessary to differentiate between the two.
  • 7. Definitions: Authentication – the action of verifying if the token(s) presented by the user for logging on the system are valid. For example, checking if the user name and password are valid is performing authentication. If the user tokens are validated the user is said to be authenticated to the system. Credentials – whatever tokens are used for authentication. For example, the user name and password are considered the user credentials. Wireless and Remote Security Week6 Part7IS Revision Spring2015
  • 8. Wireless Environment It wasn’t that long ago that wireless access was primarily constrained to the home. As households started acquiring multiple computers they were no longer used in just one room. Computers were used throughout the house. As laptop computers became the dominate platform users not only moved throughout the house, but outside to porches, yards and out buildings. Running wires between the router and each system was not practical. Households started upgrading their home network infrastructure from hardwired routers to wireless routers. The movement to laptop systems also accelerated at workplaces. Employers started deploying laptop systems for employees instead of desktop systems when systems needed replacing. The move to mobile computing was on. Laptop systems enabled employees to become increasingly mobile in their work lives. As employees traveled between offices, client sites, home and various other remote locations
  • 9. they could remain connected to company servers as long as the remote site had connectivity to the company’s intranet. Initially this connectivity was provided by having Ethernet cabling available for remote users to physically plug their laptops into. Eventually, companies started installing wireless hotspots that could be automatically detected by systems that had wireless cards. The proliferation of wireless connectivity and internet use spread from the workplace to general societal use. Average users demanded access to the internet and company intranets. Soon public places such as airports, libraries, train stations, schools and coffee shops installed wireless hotspots to allow people internet access. Some towns and cities are installing wireless hotspots to allow internet connectivity for citizens. In addition to wireless hotspots becoming omnipresent, the use of handheld devices is on the rise. Handheld devices started with cell phones and moved
  • 10. to higher functionality devices such as the Blackberry and Palm smart phones which allowed email access and various local applications. The handheld devices have continued to evolve into higher functioning devices which provide general internet services as well as thousands of applications. Examples of these are the Apple iPhone and the Motorola Droid, which runs the Google Android operating system. Of course these devices still provide telephone services! These devices make use of various cellular network technologies such as GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access) which conform to 3G and 4G technologies for connectivity. The ubiquity of internet access points is very convenient and allows people to stay connected for work, study and personal use from a variety of locations and using a
  • 11. variety of platforms. However, with this connectivity come increased security concerns. The threat vector increases as the range of vulnerabilities associated with the various platforms providing internet access increases. Many of the security defenses for wireless or remote connectivity require using the same tools, mechanisms, policies and procedures used for systems that are not remotely connected. However, there are additional vulnerabilities and defenses that need to be considered for the wireless and remote environments.
  Wireless Access
  In this section we will discuss some of the attributes of wireless access points and wireless routers. As we discuss the attributes I will make suggestions on how some potential vulnerabilities can be made more difficult to exploit. NOTE: fixing some of these simple vulnerabilities makes it more difficult to
  • 12. exploit your system. Some people would argue that these changes add very little increase in security. While they do not provide absolute security they do make it “slightly” more difficult for someone to attack your system. This increase of security at different places in the infrastructure supports the concept of security in depth. Wireless access points (WAP) enable devices to connect to a wireless network using Wi-Fi (Wireless Fidelity) or related standards. Products that conform to the IEEE 802.11 set of standards for wireless local area networks (WLAN) are considered Wi-Fi devices. Wi-Fi is a trademark of the Wi-Fi Alliance, a trade association that certifies the compliance of devices that conform to the IEEE 802.11 standards. A wireless access point (WAP) connects to a router. A wireless router contains WAP functionality in it. This subtle distinction is made to differentiate between the
  • 13. functionality of a router, which is to connect two or more computer networks and interchange data between them, and a WAP, which provides wireless access to the router. We will use the term wireless router to refer to the combined functionality of the WAP and router.
  Web Based Management Interface
  A wireless router contains a web based management interface. Access to the router is typically gained by using the IP address 192.168.0.1 or 192.168.1.1. Finding the default username and password for a particular router is simple. They are usually preconfigured with easily guessed values such as “admin” or “password”. To locate default usernames and passwords for various routers you can check various web sites such as: http://www.routerpasswords.com/
  • 14. Often users do not change the default username and password to the management interface. The combination of the default values for the IP address, username and password make it very easy to attack your router. An attacker that gains access to your router through the management interface can learn your router configuration information and/or change it to suit their nefarious needs. To make your router a “little more secure” you could change the username and password. To further complicate an attack you could also change the 3rd octet of the IP address of the management interface to something other than a “1”. For example, change it from 192.168.1.0 to 192.168.99.0. This will place your systems on a different subnet.
  Service Set Identifier (SSID)
  The service set identifier (SSID) is the name of the wireless network. By default, the SSID is broadcast every 1/10 of a second or so by the wireless
  • 15. router. This broadcasting of the SSID is what a wireless device detects so it can connect to the network. Broadcasting of the SSID may also be referred to as the WAP presenting a beacon. This beacon can be detected by client devices at varying distances depending on atmospheric and geographic conditions. Typical distances are 75-100 feet indoors and up to 300 feet outdoors. These sorts of distances allow SSID beacons to be detected not only by legitimate users of your network but also by potential attackers unless precautions are taken. The SSID is represented as a string of alphanumeric characters which is up to 32 characters in length. The standard allows the 32 octets to be any values and not just readable characters. A client device can choose to manually or automatically connect to a network.
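The beacon and SSID described above, and the hidden-SSID case discussed next, as an added example that is not part of the lecture notes: it decodes a beacon frame body's interval (the ~1/10 s cadence), its privacy (encryption) capability bit, and the SSID element, treating an empty or all-NUL SSID as hidden and escaping non-printable octets. The frame bodies are constructed samples, not captured traffic.

```python
"""Parse the SSID and related fields out of an 802.11 beacon frame body.

Added example, not from the lecture notes. The frame bodies are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SSID_TAG = 0                   # element ID of the SSID information element
MAX_SSID_OCTETS = 32
CAP_PRIVACY = 0x0010           # capability bit set when the network uses encryption
TU_SECONDS = 1024 / 1_000_000  # one 802.11 time unit is 1024 microseconds


@dataclass
class Beacon:
    interval_s: float            # time between beacons in seconds
    privacy: bool                # True when the AP advertises encryption
    ssid: Optional[str]          # None when the SSID is hidden
    raw_ssid: bytes
    ies: Dict[int, List[bytes]]  # every information element, by element ID


def parse_ies(data: bytes) -> Dict[int, List[bytes]]:
    """Split the tagged-parameter area into {element_id: [value, ...]}."""
    ies: Dict[int, List[bytes]] = {}
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, []).append(value)
        pos += 2 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last information element")
    return ies


def render_ssid(raw: bytes) -> str:
    """Show SSID octets; anything outside printable ASCII is escaped, not trusted."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def parse_beacon_body(body: bytes) -> Beacon:
    """Decode the fixed fields and the SSID element of a beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body too short for fixed fields")
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    if SSID_TAG not in ies:
        raise ValueError("beacon has no SSID element")
    raw = ies[SSID_TAG][0]
    if len(raw) > MAX_SSID_OCTETS:
        raise ValueError("SSID longer than 32 octets")
    # Hidden networks send an empty SSID or one padded with NUL bytes.
    hidden = len(raw) == 0 or all(b == 0 for b in raw)
    return Beacon(
        interval_s=interval_tu * TU_SECONDS,
        privacy=bool(capability & CAP_PRIVACY),
        ssid=None if hidden else render_ssid(raw),
        raw_ssid=raw,
        ies=ies,
    )


def build_beacon(ssid: bytes, interval_tu: int = 100, privacy: bool = True) -> bytes:
    """Construct a sample beacon body (test input, not captured traffic)."""
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit plus privacy bit
    fixed = struct.pack("<QHH", 0, interval_tu, capability)
    ssid_ie = bytes([SSID_TAG, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # a supported-rates element
    return fixed + ssid_ie + rates_ie


if __name__ == "__main__":
    for sample in (b"MyHome1", b"", b"\x00" * 8, b"Caf\xc3\xa9"):
        b = parse_beacon_body(build_beacon(sample))
        print(f"interval={b.interval_s:.4f}s privacy={b.privacy} ssid={b.ssid!r}")
```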
  • 16. A wireless network can choose not to advertise the SSID. This results in the network being advertised as “unnamed”. If a client chooses to connect to this network they must know the SSID name. Another defense could involve changing the SSID name to something other than what the manufacturer assigns to the device. Similar to locating router passwords (discussed above) on the internet, default SSID names for some devices can be easily found. Changing the SSID name or not broadcasting the SSID name are not foolproof techniques. A determined cracker can figure out the SSID of the network by using sniffing tools that monitor users that successfully connect to the network, since the SSID is transmitted in clear text.
  Wireless Encryption
  • 17. Many private wireless networks run encryption. The intent of this is to secure communications transmitted on the network. A wireless network that runs encryption requires that clients that want to connect to the network enter a passphrase or encryption key to connect to the network. Some client systems that frequently connect to the same wireless network may have the encryption key installed in the client so connecting to the network can occur without having to enter the encryption key. A commonly used and ineffective wireless encryption algorithm is Wired Equivalent Privacy, known as WEP. WEP is ineffective because the passphrases (i.e. encryption keys) can be easily figured out by hackers. WEP makes use of the stream cipher RC4 for confidentiality and CRC-32 for integrity. 64, 128 and 256 bit keys are used with WEP encryption. The full encryption keys are generated by concatenating the bits of the key with a 24 bit initialization vector
  • 18. (IV) yielding the n bit (64, 128, 256) WEP encryption key. The IV is transmitted as clear text. On a busy network the 24 bit IV will be repeated and can be easily recovered, allowing the encryption keys to be discovered using brute force techniques. Cracking a WEP network can be done in less than a minute with commonly available tools found on the internet. Perform a Google search for “cracking WEP” and you will be provided with links to numerous cracking tools. The WEP algorithm has been deprecated in favor of the Wi-Fi Protected Access algorithms known as WPA. There are a few variants of WPA algorithms. We will consider the WPA-TKIP (Temporal Key Integrity Protocol) and WPA-AES (Advanced Encryption Standard) algorithms. WPA-TKIP uses the RC4 stream cipher (similar to WEP), however it improves on the inherent weaknesses of WEP by making use of the following:
  • 19.
  - Key mixing, combining a secret key with the IV to increase cryptographic strength.
  - Re-keying to use a different key for each packet.
  - An improvement on WEP transmitting the IV in clear text.
  - Protection against replay attacks.
  WPA-TKIP is a vast improvement over the confidentiality weaknesses of the WEP algorithm, and it provided compatibility with older hardware that used WEP. An improvement over WPA-TKIP is WPA-AES. New wireless products are using the WPA-AES algorithm, which provides improved performance over WPA-TKIP and makes use of AES (Advanced Encryption Standard), a block cipher adopted by the US government as the replacement for DES (and 3DES). The preferred choice is to use WPA-AES, however you need to make sure all of your hardware will support it. For older hardware you may be
  • 20. relegated to using WPA-TKIP until you can upgrade.
  MAC Filtering
  For a home or a small business, access to the wireless network can be restricted based on the MAC (Media Access Control) addresses of the allowable wireless devices. This technique can work since the number of devices that connect to the network is small and does not change. Every device with a network adapter has a unique identifier which is called the MAC address. By using the web based management interface of your wireless router the MAC addresses of these devices can be added into the configuration tables of your wireless router so that it accepts connections from these MAC addresses and rejects connections from devices whose MAC addresses are not on the list.
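The WEP IV weakness described above, as an added example that is not part of the lecture notes: the birthday-bound arithmetic behind "on a busy network the 24 bit IV will be repeated", the wrap time of a sequential IV counter, and a monitor that flags IV reuse in frame metadata, which a defender can do precisely because the IV travels in clear text. The frame records are constructed samples.

```python
"""Why a 24-bit WEP IV repeats on a busy network, and how to spot the repeats.

Added example, not from the lecture notes. The frame records are constructed.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs per key


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats among `frames` randomly chosen IVs
    (birthday approximation: 1 - exp(-n(n-1)/2N))."""
    if frames > space:
        return 1.0  # pigeonhole: more frames than IVs guarantees a repeat
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which a repeat is at least `p` likely (same approximation)."""
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def seconds_to_exhaust(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Time until a sequential IV counter wraps and every IV has been used once."""
    return space / frames_per_second


FrameRecord = Tuple[float, str, int]  # (timestamp_s, bssid, iv)


def find_iv_reuse(frames: List[FrameRecord]) -> Dict[Tuple[str, int], List[float]]:
    """Return {(bssid, iv): [timestamps]} for IVs seen more than once under one BSSID.
    Frames from different BSSIDs use different keys, so equal IVs there are not reuse."""
    seen: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for ts, bssid, iv in frames:
        seen[(bssid, iv)].append(ts)
    return {key: times for key, times in seen.items() if len(times) > 1}


# Constructed sample: the home AP reuses IV 0x0A1B2C three times within 50 ms.
SAMPLE_FRAMES: List[FrameRecord] = [
    (0.000, "00:11:22:33:44:55", 0x0A1B2C),
    (0.010, "00:11:22:33:44:55", 0x0A1B2D),
    (0.020, "00:11:22:33:44:55", 0x0A1B2C),
    (0.030, "66:77:88:99:AA:BB", 0x0A1B2C),  # neighbouring AP, different key
    (0.040, "00:11:22:33:44:55", 0x0A1B2E),
    (0.050, "00:11:22:33:44:55", 0x0A1B2C),
]

if __name__ == "__main__":
    print(f"P(repeat) after 4,823 random IVs: {collision_probability(4823):.3f}")
    print(f"frames for a 50% repeat chance: {frames_for_probability(0.5)}")
    print(f"sequential IVs at 500 frames/s wrap after {seconds_to_exhaust(500) / 3600:.1f} h")
    for (bssid, iv), times in find_iv_reuse(SAMPLE_FRAMES).items():
        print(f"IV reuse on {bssid}: iv=0x{iv:06x} at {times}")
```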
  • 21. War Driving
  War driving is the act of driving or roaming around with a laptop computer and hacking tools searching for wireless access points. When an access point is discovered the attacker can use various cracking tools to eavesdrop on information, which compromises the security of the system and the network. Not advertising the SSID and implementing MAC filtering makes your network a bit more stealthy, but not by much to a determined attacker. It does not protect you from eavesdroppers or war drivers intercepting packets from the airwaves and decoding them. From this information an attacker could determine the SSID of your network and allowable MAC addresses. If discovered, an attacker could connect to your network by using the SSID and spoofing a MAC address if MAC filtering was enabled. If the network is not secured with encryption the attacker has gained access. Even with encryption enabled with WEP, WPA or WPA2 the encryption
  • 22. keys could be uncovered by using cracking tools. Once the encryption keys are discovered the attacker has gained access.
  Rogue Access Points
  A rogue wireless access point is an access point set up by an attacker to capture usernames, passwords and other information. A rogue access point could be used to stage a variety of attacks such as the man in the middle (MITM) attack when mutual authentication between the two communication end points is not implemented. A rogue access point is implemented by connecting a router to a secure network without permission of the owner or administrator of the network. Any client that connects to the network via the rogue access point is compromised. To defend against rogue access points, network administrators can use Wireless Intrusion Detection Systems (WIDS) or Wireless Intrusion Prevention
  • 23. Systems (WIPS) to monitor the radio spectrum for rogue devices and attack tools. Additionally, a WIDS or WIPS can be used to look for problems with the network configuration, create log files of activity, block activity by suspicious devices and perform automatic notification in the case of various events. Another defense against rogue access points in public places is observation. For example, if you are in a place that advertises it has a wireless hotspot you should be aware of the SSID of the hotspot. Also, if two or more networks are being advertised perhaps one or more of them are rogue hotspots. Also, don’t assume that you can safely bypass purchasing internet service by using your neighbor’s unsecured network. You leave yourself wide open to attack and compromise of your data by doing this.
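The router settings walked through in this section (management address and credentials, SSID, encryption choice, MAC filtering), as an added configuration audit that is not part of the lecture notes: the weak configuration shows the factory defaults left in place and the hardened one the changes recommended above. The two configuration dictionaries, the default-credential set and the default-SSID patterns are constructed samples, not any vendor's actual defaults.

```python
"""Audit a wireless router configuration against the hardening points in this section.

Added example, not from the lecture notes. Configs, default credentials and
default-SSID patterns are constructed samples.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

DEFAULT_MGMT_IPS = {"192.168.0.1", "192.168.1.1"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
DEFAULT_SSID_PATTERNS = (r"^linksys$", r"^netgear\d*$", r"^dlink$", r"^default$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
ENCRYPTION_RANK = {"NONE": 0, "WEP": 1, "WPA-TKIP": 2, "WPA-AES": 3}
SEVERITY_ORDER = ("none", "info", "low", "medium", "high")


def audit(cfg: Dict) -> List[Finding]:
    """Return findings for one router config; an empty list means all checks passed."""
    findings: List[Finding] = []
    if cfg.get("mgmt_ip") in DEFAULT_MGMT_IPS:
        findings.append(("low", "management interface is on a default address"))
    if (cfg.get("admin_user", ""), cfg.get("admin_pass", "")) in DEFAULT_CREDENTIALS:
        findings.append(("high", "management interface uses default credentials"))
    if any(re.match(p, cfg.get("ssid", ""), re.I) for p in DEFAULT_SSID_PATTERNS):
        findings.append(("low", "SSID is a vendor default name"))
    enc = str(cfg.get("encryption", "NONE")).upper()
    rank = ENCRYPTION_RANK.get(enc)
    if rank is None:
        findings.append(("medium", f"unrecognised encryption setting {enc!r}"))
    elif rank == 0:
        findings.append(("high", "wireless network is unencrypted"))
    elif rank == 1:
        findings.append(("high", "WEP is deprecated; use WPA-AES"))
    elif rank == 2:
        findings.append(("medium", "WPA-TKIP in use; move to WPA-AES once hardware allows"))
    if cfg.get("mac_filter_enabled"):
        # A malformed allowlist entry silently fails to match the device it was meant for.
        bad = [m for m in cfg.get("mac_allowlist", []) if not MAC_RE.match(m)]
        if bad:
            findings.append(("medium", f"malformed MAC allowlist entries: {bad}"))
    else:
        findings.append(("info", "MAC filtering disabled (extra depth for small, static networks)"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' when there are no findings."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="none")


WEAK_CONFIG = {  # constructed: factory defaults left in place
    "mgmt_ip": "192.168.1.1", "admin_user": "admin", "admin_pass": "password",
    "ssid": "linksys", "encryption": "WEP", "mac_filter_enabled": False,
}
HARDENED_CONFIG = {  # constructed: the changes this section recommends
    "mgmt_ip": "192.168.99.1", "admin_user": "netadmin", "admin_pass": "correct-horse-42!",
    "ssid": "maple-st-guest", "encryption": "WPA-AES", "mac_filter_enabled": True,
    "mac_allowlist": ["00:11:22:33:44:55", "66:77:88:99:aa:bb"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: worst={worst_severity(audit(cfg))}")
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```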
  • 24. Comment: Around 2011 I had an older Verizon router which was configured to support WEP. I called my ISP, which is Verizon, to discuss configuring my wireless router to enable further security. In particular I wanted to change encryption from WEP to WPA and I wanted to use a different subnet than the default of 192.168.0.1. The technician I spoke to “reminded me” that WPA encryption is “supported” but if there was a problem that required Verizon to perform debugging they would set my system back to using the default value for encryption, which is WEP. With respect to changing the default subnet to something other than the default value of 192.168.0.1, it could be done, however it was not supported. Again, if there was a problem they would reset it to the default value before they worked on diagnosing any problems.
  • 25. I explained to the Verizon representative that when problems occur you want to debug them in that environment. You don’t want to change the environment before you start debugging since you can be masking the problem. Plus, the use of WPA and a different subnet is not an obscure change. Rather they are common industry best practices. They understood this point, but that is Verizon’s policy. Debugging a problem in a changed environment runs the risk of not fixing the problem. Since that time I have updated my router to one that supports WPA2 as the default protocol.
  Remote Access
  Remote access by users is accomplished with a variety of devices including laptops, smart phones, desktops and tablets. Wireless access is not only
  • 26. enabled through wireless routers and access points but also through devices that support 3G and 4G protocols such as smart phones. In order to secure smart phones, policies and procedures need to be established just as with laptops and desktop systems. Some of the security policies and procedures for smart phones will be similar to those for laptops and desktop systems; however there are some policies and procedures that are unique to particular platforms.
  Password Selection
  Passwords, passphrases, encryption keys and other secrets need to be protected from discovery. These secrets in authentication terms are referred to as “Something You Know” (SYK). Secure passwords need to be constructed for access to all systems. Following are some items in the wireless domain that should be constructed using secure password guidelines.
  • 27.
  - SSID (Service Set Identifier) that names the network
  - MAC ID of the network interface device
  - Password for the device (laptop, desktop, smartphone)
  Items such as usernames, passwords and encryption keys or passphrases should be constructed using secure password guidelines. This was discussed in the lecture on authentication. Companies and organizations that care about security will have a policy for how passwords should be constructed. In addition to how these secrets are constructed there should be policies on how frequently they need to be changed. Items such as MAC ID and SSID can be changed, but you need to consider the impact of doing that. Changing the MAC ID is really not practical since the MAC ID is associated
  • 28. with the device. MAC IDs are changed by attackers spoofing a MAC ID, but it is really not practical for an organization to have users change their MAC IDs. Changing the SSID can be done, but for the determined attacker the SSID is readily available since it is broadcast in the clear. If you change the SSID anyone connecting to your network will need to know the new SSID. Communicating the new SSID is no more of a problem than communicating new passwords or encryption keys to users.
  Security of Remote Devices
  With remote devices critical information leaves corporate servers and moves to various remote devices. With this comes a risk of the remote device being lost or stolen. To ensure the Confidentiality, Integrity and Availability of this information, various mechanisms that support encryption and authentication need to be deployed such as: Virtual Private Networks (VPNs), Secure Sockets Layer (SSL),
  • 29. Transport Layer Security (TLS), Kerberos, CHAP, RADIUS and Diameter, to name a few. These were discussed in the lecture on authentication examples. Many of these mechanisms should be considered for use for all devices in the infrastructure, but their importance is worth amplifying when using remote devices. Remote devices are generally more prone to being lost or stolen than devices that are not remote. Because of these vulnerabilities care needs to be taken to ensure data is not compromised. Some of the following functionality should be considered for security policy and procedures for all devices; however, ensuring they are followed for remote devices is very important.
  - Multi-factor authentication. In addition to requiring password authentication, biometric and token authentication could also be required.
  • 30.
  - Data can be removed or rendered inaccessible in case the system is lost or stolen.
  - Systems are powered down after use and not placed into hibernate or low power mode.
  - Disk encryption, in case a system is lost or stolen and the disk is removed and placed in another system.
  Removable storage media (e.g. memory sticks, USB drives) provide another avenue for data to become remote. Removable storage devices also increase the attack vector for infecting systems with malware. Place a memory stick or USB drive into a USB port and the system could become infected with malware stored on the device. Some companies may find restricting the use of removable media to be appropriate.
  Bring Your Own Device (BYOD)
  With the proliferation of personal devices such as smartphones and tablets, companies and organizations are facing increasing pressure to adopt policies
  • 31. that allow employees to use their own devices to access organization assets. Many of the security concerns organizations have with the use of their own equipment to access their network and data are amplified in a BYOD environment. This is primarily because the organization has limited control over the securing and handling of the BYOD device. On the other hand, allowing users access to organization data allows employees to be engaged in company business virtually 365/24/7 since most users are tethered to their mobile devices. The challenge organizations face is to implement a policy and procedures for how users can access company data with their own devices while keeping organization assets safe and secure. In other words, organizations are concerned with maintaining the CIA (Confidentiality, Integrity and Availability) of their assets. You should note that the general concerns organizations have for BYOD are congruent with the concerns
  • 32. organizations have for their assets in a non-BYOD scenario. There are numerous websites and articles that enumerate major security concerns that organizations have around BYOD policies. Following is a representative list of concerns that companies have.
  - Applications or content with embedded security exploits
  The various policies and procedures an organization selects should be based on the requirements of the organization. This should always be the case for selecting functionality. You first define your requirements, then you select functionality that meets the requirements.
  • 33. Of course some companies’ approach to BYOD will be not to allow it. Their approach may be to issue company owned devices for all business related use. In order to support multiple devices there is additional cost. It is much easier to manage one device that is given to employees. However, the downside to this may be employee productivity. Employees may resist carrying two phones: their own and the company phone. I expect to see more and more companies supporting a BYOD policy.
  Specific Areas of Concern for BYOD
  A policy should require secure access to corporate assets by requiring a VPN that uses encryption. A VPN requires the user to possess credentials that allow authentication to the VPN and in turn access to the organization’s assets. The VPN should provide encryption for any assets in transit between the two ends of the VPN, which are the organization’s server and your mobile device.
  • 34. The policy should consider the use of Mobile Device Management Software. MDMS provides for remote management of devices including the uploading of applications, data and configuration information to a variety of devices. A major feature for MDM is the need to support a variety of platforms and versions, including various versions of Android, Apple iOS, Blackberry and Windows Phone. The range of mobile devices includes smartphones, tablets, printers and POS (point of sale) systems. Some of the top BYOD security concerns that companies have are:
  - Applications or content with embedded security exploits
  • 35. You should note that the BYOD concerns are similar to the concerns they have on company issued devices.
  Strategies and Issues
  Keep in mind the company needs to protect the CIA of its information. Since you are agreeing to use your device for accessing company information there will be rules for usage that will be more stringent and structured than what you are used to. Following are some of the strategies and issues around some controls to address the security concerns.
  Use of VPN
  Expect your company to mandate the use of a VPN to connect to any corporate website. This could work by requiring access through a secure website using credentials controlled
  • 36. by the authentication policy of the company. Another way would be to have a local application pushed to your device that is used to initiate the login, again using company provided credentials. It may be required that periodic authentication to the VPN is done to ensure the user remains cognizant that they are connected. Also, in case the device is lost after the VPN link is established, re-authentication could block access to company resources. Periodic re-authentication to the device may also be required for the same reason. If access to company resources requires a VPN connection there may be limitations as to how the device can be used for other applications. For example, certain websites may be restricted for access as well as certain applications. How this is monitored by the company is another matter that requires consideration. Another issue to consider is if questionable material is passed on the company’s network while
  • 37. a VPN connection is established.
  Authentication
  Expect a company to require strong authentication for any device being used on their network. This means the use of 4-character PINs is out and complex passwords or picture patterns are in. Also expect the company to check your password complexity for approval and require changing it every so often. Many websites are moving towards a two factor authentication model. It is possible companies will require this. This means when you log into the company VPN a notification will be sent to your device with an authentication token that must be entered to complete the login process.
  Malware Protection
  Running malware protection on your device will be required. Signature updates may be pushed out by the Mobile Device Management System if that is mandated by the policy. The MDMS may not allow you to turn off the malware
  • 38. protection. This may also restrict your ability to run certain applications.
  Wipe Strategies
  When a device is lost or stolen the company may want to track the device using GPS. If the device is located a remote wipe of data as well as disabling the device may be done. This brings up the question of wiping not only company data but user data. Should the device be found, not only will the company data have been wiped but so will the personal data.
  GPS Tracking
  Another issue with wipe strategies is GPS tracking. This may bring up privacy concerns for some users that the company may have access to GPS data. When and under what circumstances GPS data is monitored needs to be clearly understood in the policy.
  • 39. Encryption
  The confidentiality of any company data will undoubtedly require encryption. This may impact employee use of personal data if encryption needs to be implemented on an application basis as opposed to a file basis.
  Jail Break or Root Devices
  Jail breaking is typically associated with Apple devices. It refers to the bypassing of controls the manufacturer has put on the device. A device that has been jailbroken can permit the installation of software that is not distributed through the app store. This means software that is not vetted by the app store could be installed. The potential for installing software with malware is increased. Apple does implement a process where developers submit software for distribution through the app store. If the app is approved for distribution it is made available through the app store. The vetting process is not perfect but it is improving all the time. Software
  • 40. that does not go through this vetting process has a much greater chance of being infected with malware. A rooted device applies to Unix or Linux based devices. This is typically associated with Android based products. Rooted means that the owner of the phone has root access to the device. Root access allows unfettered access to all aspects of the device. You don’t want a BYOD device to have been rooted since a rooted device could bypass numerous controls placed on the device. Some malware seeks to obtain root access so it has total access to the device.
  Applications
  Organizations may restrict the applications that can be loaded on a device. The concern is that some applications may be considered a malware threat. The downloading of any applications may require vetting through company supplied
  • 41. software.
  Bluetooth Functionality
  Most hand held devices support Bluetooth technology. Bluetooth expands the attack vector and attack surface of your device. If your device is discoverable, other devices in range can pair with you. This presents a security issue. Some folks feel Bluetooth is inherently insecure and it should not be used for anything you care about. Expect to find policy statements on allowable use of Bluetooth. Perhaps Bluetooth has to be turned off when connected to the company VPN. However, if corporate data has been copied to the device, is Bluetooth use restricted? This doesn’t sound realistic, as for hands free driving Bluetooth is really required for any level of safety if the call participant is driving. This brings up another question. Is the device owner required to communicate when in transit? It is clear to me that any distraction while behind the wheel has the potential of
  • 42. grave results. Should something happen while the device owner is using the device on company business, is the company liable, or is it shared exposure?
  Reimbursement
  If you are using your device for work there may be a policy that provides for reimbursement of expenses. Keep in mind that getting reimbursed may seem desirable, but it ties your device closer to the company since you will be required to follow company policy.
  Exit Strategy
  When an employee leaves the company the policy may require that a wipe of the device be done to remove any company information. This may require backing up the employee’s personal information, performing the wipe and restoring the information.
  Policy Violations
  BYOD policies are evolving. There is an ebb and flow between
  • 43. the company’s rights to investigate all data on a personal device when a policy breach occurs and the device owner’s right to privacy. Consider the case where you have a device that connects to a company website. A breach is detected that is attributed to your device. Can the company lock your device down and search all the data on your phone, including personal email and social media accounts? Or is the device clearly partitioned between company data and personal data such that the company can only do forensic analysis on the company data? Understanding the penalties for policy violations is important. Penalties can range from losing device privileges to termination.
  Summary
  Wireless and remote devices need to follow the same policies and procedures as any device in the infrastructure to ensure that security
  • 44. vulnerabilities are minimized. There are additional procedures for remote devices that also need to be followed. As with all security there is no one foolproof set of tactics. The number of controls for handheld devices further increases the attack vector and attack surface. The policies for BYOD in the workplace are evolving. There is an ebb and flow between security and privacy that both the owner of the device and the company need to be in agreement on. Expect these policies to continue to evolve as the use of mobile devices grows. For wireless, remote and handheld devices the best approach is to follow the principle of security in depth.
  • 45. Security Policy Week6 Part6-IS Revision Su2013
  Security Policy
  Defining security policy for access control is no different from defining policy in any other area. Rather than discussing security policy specific to access control we will broaden the discussion to security policy in general. Some of this section is a repeat of information we covered in Week 1; however it merits repeating in the context of the learning we have done to date. Security as a process includes four key elements: prevention, detection, response and
  • 46. recovery. To determine the investment that needs to be made in these areas requires doing an inventory of the assets of the organization and determining the value of these assets to the organization. A risk assessment needs to be performed that determines the threat level and vulnerability of each of these assets. As part of the assessment the cost of recovering an asset that is attacked needs to be determined. After a thorough assessment a determination can be made as to how much should be invested in protecting an asset and the type of protection that should be implemented. Aspects of policies have different target audiences. NIST standard 800-12 defines 3 broad categories that policies should target. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
  - Program policy, covering responsibilities within the
  • 47. organization. Also discussed is how policies are created, revised, reviewed, approved and retired.
  - Issue-specific policies deal with the operational aspects of the organization. For example, definitions of the physical access control to a facility, or definition of the access control policies for certain systems. How employees are trained in the application of policies in their roles is part of operations.
  - System-specific policies. For example, the access control and authentication models used in an organization; how systems are configured, firewall policies, use of encryption, how accounts are managed.
  Across these three categories there needs to be agreement throughout the organization as to the importance of security. There must be a top to bottom commitment in the organization to successfully implement the security policy. Having mechanisms for
  • 48. verifying security compliance and assigning accountability for compliance is required for a successful implementation. Every organization has a security policy. Some organizations have very strong policies which are implemented with documentation, training, audit procedures, certification requirements, compliance reviews, and other mechanisms. Some organizations have no stated policy. They just wing it, hoping everything will work out. Those are the two extremes, with other organizations’ policies spread out across the spectrum. RFC 2196 is the Internet working group document that provides guidance for developing security policy and procedures for systems on the Internet. http://www.faqs.org/rfcs/rfc2196.html The working definition RFC 2196 provides for security policy is:
  Definition: Security Policy: A security policy is a formal statement of the rules
• 49. by which people who are given access to an organization's technology and information assets must abide.
Having a written security policy is fundamental to an organization. It defines acceptable behaviors, practices and responsibilities around the handling of information, systems, brick-and-mortar facilities and anything else related to security. Policies do not have to be complex. In fact, policies should be simple to access, easy to understand and easy to seek clarification on. Similarly, the implementation of security policies should be easy to follow and should support the task at hand. Further, security policies need to be enforced at all levels of the organization. This seems like a simple concept. For many organizations security policies are anything but simple. For many organizations security policies are not clearly defined, if defined at all. The policies cannot be easily located, and once they have been located they
• 50. may be out of date. The policies may be pages and pages of technical and legal verbiage that is not well organized and requires the entire document to be studied, rather than being clearly divided into the necessary levels of abstraction so that issues can be understood quickly and easily.
Defining a Workable Policy
An effective security policy requires broad acceptance throughout the organization. This buy-in has to be at all levels of the organization. Security policy has to originate at the top levels of management. Management needs to prioritize the definition of a security policy. This starts with management articulating the importance of protecting company assets. Management must support the process through all phases of the security policy. This includes requirements definition, review cycles, education/training, implementation and maintenance. This requires an ongoing investment in time, staffing and physical resources.
• 51. A successful policy must have broad representation across the organization contributing to its definition. RFC 2196 (http://www.faqs.org/rfcs/rfc2196.html) suggests the following representation. The list should be used for guidance and modified according to the needs of your organization. I have made a couple of additions.
- Information technology technical staff (e.g., staff from computing center)
- …(e.g., business divisions, computer science department within a university, etc.)
- Representatives of the user groups affected by the security policy
- …management)
• 52. The fundamental steps as defined in RFC 2196 for establishing a security policy are:
- …effective manner.
- …process continuously and make improvements each time a weakness is found.
Enforcing the Policy
Having a security policy is only as good as the enforcement of it. The policy must be easy to enforce and it must be consistently enforced. The mechanisms for enforcing the security policy should be clearly defined in the policy documents. It is important that security enforcement is as automated as possible. For example, acquiring accounts, system permissions, access to confidential information, access
• 53. to physical resources should all be seamlessly integrated into the request process so that no “special” steps need to be taken. It is of the utmost importance that security procedures are enforced. If the policy can be bypassed by a quick phone call or mail message you do not have an effective policy. An effective security policy needs to be easy to use and it needs to provide a predictable and timely response to a request for security access. A security policy must be consistently enforced at all levels of the organization. If the policy is seen to be bypassed by individuals because of their position in the organization, everyone will try to bypass the system. If these characteristics are not present in a security policy people will seek alternatives,
• 54. they will avoid aspects of their job that require dealing with security and they will become disgruntled.
Automated Security Event Auditing
Ronald Reagan made popular the phrase “trust but verify”. This basically means that entities can be trusted as long as the facts around the trust can be verified. The tool for doing this is auditing. Every security event should be auditable. This means a record gets written to an audit file each time a security event occurs. If you recall, in the lecture on access control we learned about auditing in the context of accessing objects. Security auditing is a similar concept. An audit capability is an integral part of a security system. The audit capability records any action involving security access to a log file. There must be some way to control what security information is written to the log file. The security policy should provide guidance as to what information needs to be audited.
• 55. An audit capability should provide the tools to easily select information from the audit log based on various parameters. For example, one should be able to select information based on user, security event, object type, date, time and other criteria. Security event auditing could be integrated with a general audit capability provided by an operating system, application or physical security mechanism.
Assessing the Risk
The cost of not having a security policy can be very large. In fact it is a ticket to disaster. Some companies have been driven out of business because of a simple security breach. The business disaster may not have been the actual breach, but rather the bad press caused when the lack of an adequate policy protecting assets became public knowledge. Loss of customer confidence can be more damaging than the loss of tangible assets. The risk assessment methodology should be part of the security policy document. It is important to understand the policy around what assets need to
• 56. be protected and how they should be protected. It is equally important to understand how the decisions were made to protect some assets and not others. Knowing the methodology used for risk assessment and the assumptions made is a key input to understanding the security policy. We discussed in week 1 the importance of doing a risk assessment. That discussion focused on computer-based assets but it really applies to all assets. Reviewing some of these concepts is worthwhile. I have replicated some material from week 1 as it is relevant to the discussion on security policy. Further, it amplifies the fact that security policy and risk assessment are key elements that contribute to a secure information infrastructure. Some areas to consider in risk assessment are:
• 57. - …information safe
When defining the security policy each of the above items needs to be considered from the perspective of:
- …or disaster?
- …protecting against an attack or disaster?
Asset Classification
The following table can help support a risk assessment. If numbers are assigned to each
• 58. category rather than High, Medium, Low, weighted averages and threshold values can be calculated that help determine the security measures to implement (or not).

ASSET       VULNERABILITY   THREAT   COST TO IMPLEMENT PROTECTION   COST TO RECOVER FROM
ASSET n     High            High     Medium                         High
ASSET n+1   Low             High     Low                            Low
ASSET n+2   Low             Medium   High                           Low
ASSET n+3   High            Low      Low                            High
ASSET n+m   Etc.            Etc.     Etc.                           Etc.

• 59. Consider the following examples for a given asset n. Keep in mind that the rationale used in analyzing any threat and determining how it will be handled is highly subjective.
Example: If the threat of a security breach is high and the cost of recovering from the breach is high, you may decide that the benefit of implementing protection is worth it.
Example: The cost associated with recovering from a security breach of this type is high. The threat of the breach occurring is low and the cost to implement
• 60. protection against the breach is also low. Despite the fact that the threat is low, the protection cost is also low; therefore, with a high recovery cost you might decide to protect against the attack.
Example: The cost associated with recovering from a security breach of this type is low. The threat of the breach occurring is high and the cost to implement protection against the breach is also high. Since the recovery cost from this attack is low you might decide to defer the high cost of protection despite the high breach potential.
Impact and Probability
Another useful tool for assessing risk is an Impact and Probability Matrix. The objective is to have all threats have a low impact on the information system and for each threat to have a low probability of occurring. While this is the ideal, it probably does not represent reality. By determining a numeric impact and
• 61. probability ranking each threat can be placed within a quadrant. Based on which quadrant a threat falls into, the organization may decide to implement protection mechanisms or not. The following chart is credited to “Network Security Assessment” by Michael Gregg and David Kim. This text provides one source for how to develop a ranking methodology for risk assessment.

Impact and Probability Matrix (vertical axis: Impact of Event, Low/High; horizontal axis: Probability of Event, Low/High)

                   Low Probability                  High Probability
  High Impact      High Impact / Low Probability    High Impact / High Probability
  Low Impact       Low Impact / Low Probability     Low Impact / High Probability
                   (Objective)

• 62. Security Education
Security education is an ongoing process that strives to provide the proper security skills needed by each individual in the organization. Another goal of security education is to get everyone in the organization to always think about security. This requires integrating security consciousness
• 63. into every member of the organization. Everyone needs to be security conscious, from cleaning crew members to the CEO. Security needs to be integrated into the work environment so that it becomes automatic for each employee. Ongoing security education throughout the organization supports this goal. There are levels of security training. The type of security education can be categorized based on the target audience and the particulars of the training. For a given organization or role the division of security training may differ.
General Information: Companies can post security policies at physical premises. Some ways this can be accomplished are: posting security reminders on company web sites, distributing fliers at facility entrance/exit points, short seminars, publishing security notes in company newsletters, and sending regular mail messages. Another technique is to encourage employee feedback, providing recognition/rewards
• 64. for ideas.
General Awareness: All employees need to be generally aware of the security policy. They must understand what assets need to be protected, the value of the assets, general forms of attack, and the liability of a security breach. Employees must understand acceptable employee behavior. They need to know who to report problems to. A typical awareness course might be given every 6 to 12 months through the company intranet. Each employee must read the high-level policy and indicate they will abide by it by completing some online acceptance. There may be a short quiz on the material on which a minimum grade must be attained.
Job Specific Training: All employees involved with IT systems are required to know more about the security policies. They need to know more system-specific policies dealing with the security tools and system procedures. As users of IT assets they need to
• 65. understand threats, vulnerabilities and defenses. Course work may be required based on their job code or role. Their knowledge is expected to be deeper than the general employee awareness. General technical training may involve one or two courses a year, perhaps 3 – 5 hours for each course. Specific training related to a job code or role may also be required, which is more in-depth.
Security Education: Moving up the security knowledge ladder, some employees have the requirement for detailed security education, which can be college-style courses, targeted professional seminars or both. This is also coupled with on-the-job training and experience. Employees requiring this level of course work typically work in security-related positions performing functions such as developing security policies, performing security audits, developing security software, and maintaining security assets.
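The Asset Classification table and the Impact and Probability Matrix in the Assessing the Risk section above both say that once High/Medium/Low ratings are turned into numbers, weighted averages, thresholds and quadrant placement can drive the protect-or-defer decision. The Python below is an added example of that arithmetic; it is not code from the lecture. The 1/2/3 scale, the equal default weights, the "protect when exposure is at least the cost of protecting" threshold, the use of recovery cost as impact and the mean of threat and vulnerability as probability are all assumptions made here, and the asset rows are constructed to mirror the table:

```python
"""Numeric asset classification and impact/probability placement.

Added example. The numeric scale, weights, threshold and the way impact and
probability are derived are assumptions, not the lecture's method.
"""
from dataclasses import dataclass

# Assumed numeric scale behind the qualitative ratings used in the table.
RATING = {"Low": 1, "Medium": 2, "High": 3}

# Assumed weights for the factors that make a loss likely and costly; equal by default.
DEFAULT_WEIGHTS = {"vulnerability": 1.0, "threat": 1.0, "cost_to_recover": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    vulnerability: str
    threat: str
    cost_to_protect: str
    cost_to_recover: str


def exposure_score(asset, weights=DEFAULT_WEIGHTS):
    """Weighted average (1.0 to 3.0) of vulnerability, threat and cost to recover."""
    total = sum(weights.values())
    score = (
        weights["vulnerability"] * RATING[asset.vulnerability]
        + weights["threat"] * RATING[asset.threat]
        + weights["cost_to_recover"] * RATING[asset.cost_to_recover]
    )
    return score / total


def should_protect(asset, weights=DEFAULT_WEIGHTS):
    """Assumed decision rule: protect when exposure is at least the cost of protecting.

    This reproduces the lecture's three worked examples: high threat + high recovery
    cost -> protect; low threat but cheap protection + high recovery cost -> protect;
    high threat but expensive protection + low recovery cost -> defer.
    """
    return exposure_score(asset, weights) >= RATING[asset.cost_to_protect]


def quadrant(asset):
    """Place the asset in the Impact and Probability Matrix.

    Assumption: impact is the cost to recover; probability is the mean of threat and
    vulnerability. Anything strictly above Medium counts as High.
    """
    impact = RATING[asset.cost_to_recover]
    probability = (RATING[asset.threat] + RATING[asset.vulnerability]) / 2
    imp = "High" if impact > RATING["Medium"] else "Low"
    prob = "High" if probability > RATING["Medium"] else "Low"
    return f"{imp} Impact / {prob} Probability"


# Constructed rows mirroring the lecture's table; names are placeholders.
SAMPLE_ASSETS = [
    Asset("asset n",   "High", "High",   "Medium", "High"),
    Asset("asset n+1", "Low",  "High",   "Low",    "Low"),
    Asset("asset n+2", "Low",  "Medium", "High",   "Low"),
    Asset("asset n+3", "High", "Low",    "Low",    "High"),
]


def classify(assets=SAMPLE_ASSETS, weights=DEFAULT_WEIGHTS):
    """Return {name: (exposure rounded to 2 places, protect?, quadrant)} per asset."""
    return {
        a.name: (round(exposure_score(a, weights), 2), should_protect(a, weights), quadrant(a))
        for a in assets
    }


if __name__ == "__main__":
    for name, (score, protect, quad) in classify().items():
        print(f"{name:10} exposure={score:.2f} protect={protect!s:5} {quad}")
```

Changing the weights (for instance tripling the weight on threat) shifts the exposure scores without changing the shape of the rule, which is the point of putting the weights in one place: the policy document can state them, and an auditor can recompute the decision from the same inputs.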
• 66. Security Auditing
Security auditing refers to a review of an organization's security processes and procedures. In some ways a security audit resembles an I.R.S. audit (knock on wood). The procedure proceeds as follows. A specific project team is selected to be audited. They are contacted by the security audit team to prepare for a security audit. They are told to make available various documents that describe aspects of security. These may be discrete documents or may be sections of documents that address various security issues. The documents are provided for review by the security team. Following is a hypothetical example of the type of documentation that may be reviewed.
- Security Policy – Defines overall security policy
- Functional Specification – (identifying security-specific aspects)
- Design Specification – (if applicable, identifying security-specific aspects)
• 67. - Security support plan – (describing aspects of the policy that the audited process or product must address)
- Security roles – Identification of roles, identification of individuals that are in roles
- Testing Plan – How is security functionality tested?
- Maintenance – How will the security functionality be maintained? (Virus protection, patches applied, CERTs)
- Disaster Plan – What to do when disaster occurs.
- Recovery Plan – How to recover from a disaster.
- Risk Identification and Risk Management Plan
- Issue Identification and Issue Management Plan
• 68. - Proper signoff – Each document must show proper signoff by all parties that have an interest in the integrity of the system.
Sometime later, after reviewing the documents, the auditors appear. They come with a group of individuals that have expertise in various areas. The auditors use the documents as a guideline to start interviews with team members to assess the level of compliance with security policy. If additional artifacts are needed, including demonstrations of functionality, they are provided. The audit takes place as an iterative procedure. Once completed, the security team issues a report describing the nature of the audit, what was reviewed, the areas of compliance and areas of noncompliance. Any areas of noncompliance are ranked with a severity indicating the urgency that needs to be applied to get to compliance.
• 69. Discussion: Audits can be very difficult procedures for some team members to participate in, particularly for teams that are low on the SEI-CMMI maturity scale (Software Engineering Institute – Capability Maturity Model Integration, http://www.sei.cmu.edu/). Audits are a critical element that contributes to a mature security environment. As employees and project teams mature on the SEI-CMMI scale they will see the value of the security audit. It takes a lot of management effort and support to institute and support an audit process. Employees have a tendency to resist the process. Nowadays the audit procedure is more universally accepted. The convergence of internet standards has contributed to acceptance, since they provide a framework that a project/process can be compared to. Also, the benefit of adhering to standards is now intrinsic in the engineering
• 70. psyche. There was a time this was not the case. I remember the “old days” when code reviews, design reviews, quality reviews and security reviews were formally introduced. The meetings often became a hostile environment. Individuals would take personal offense at any type of project criticism. There was little visible respect for participating groups and group members. It was an ugly, painful meeting that few individuals looked forward to, or saw any value in. Fortunately, the engineering process has improved.
Summary of Policy
This section should be viewed as a sampling of some security policy issues. It is important to recognize that having a security policy is fundamental to the health of your
• 71. organization. The details of a particular security policy are unique to the organization's needs. There are many resources available to guide the creation of a security policy. Some resources are:
- RFC 2196, from the internet working group, which provides guidance for developing security policy and procedures for systems on the Internet: http://www.faqs.org/rfcs/rfc2196.html
- Software Engineering Institute – Capability Maturity Model Integration, Carnegie Mellon Institute: http://www.sei.cmu.edu/
- NIST (National Institute of Standards and Technology), Recommended Security Controls for Federal Information Systems: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
• 72. - CERT (Computer Emergency Response Team), Carnegie Mellon: http://www.cert.org/

Physical Security Control
Week6 Part5-IS
RevisionSpring2014

Physical security control is strongest when it adheres to the principles of defense in depth and least privilege. Defense in depth and least privilege should be guiding principles that are fundamental to any comprehensive security strategy. Implementing security in layers
• 73. provides a robust and redundant defense. Also, restricting access to only those that require it makes security sense. Consider an analogy of how you protect your house. You would not consider protecting your house with only a perimeter defense of a locked gate on the driveway. You have doors with multiple locks and windows with locks. You also may have alarm systems with multiple defenses, including motion, sound, perimeter defense and the ability to call authorities. You may also have closed circuit television (CCTV), guard dogs and personal protection devices. Defense in depth is what you are implementing for your home in the previous example. Also, with respect to least privilege, you certainly would not give a house key or alarm code to someone you don’t want in your house. Physical security for your organization should be implemented using the principles of defense in depth and least privilege.
• 74. Keeping People Safe
An obvious component of physical security is making sure that people are kept safe. The facility must have adequate protection against a range of disasters. Safety standards must be followed as dictated by local standards; for example, local fire and building codes must be followed. Some safety standards for operating machinery or maintaining workplace safety are dictated by national organizations such as the Organization of Safety and Health Association (OSHA). Organizations are subject to inspection by these safety organizations for compliance and, if not adhering to standards, can be fined or shut down. Also, depending on where the facility is located, protection against other “acts of God” such as hurricane, tornado and flooding also needs to be accounted for. Local standards should always be followed as a minimum. These protections also need to be applied to physical assets in the facility, but specific
• 75. attention needs to be applied to the health and well-being of personnel on the physical premises. Sound policy and procedures and education around personal safety should be number one on the list of physical security.
Perimeter Control
Secure physical access starts with securing your perimeter. For some types of sites the perimeter can be secured using CCTV. This can monitor the coming and going of traffic into company parking lots. It also provides employees with protection against personal threats and vandalism to their vehicles. Having adequate lighting in outside areas is important as well. Lighting discourages theft and vandalism as well as providing some safety. In a more secure or government facility gated entries can be implemented, staffed with
• 76. guards. N-factor authentication can also be implemented to gain entry to the premises. Perimeter controls using walls, barbed wire and guards can be implemented depending on the level of protection required. Protecting trash and recycling areas is important. Several very damaging attacks have been engineered by attackers who acquired valuable intellectual assets by “dumpster diving”. Security measures need to be taken to protect cabling, wiring and associated infrastructure. This is needed to protect the physical medium from damage in the event of environmental disaster or man-made sabotage. Adequate security for protecting signals from third-party interception when transmitted through a wireless or wired medium is needed. For protecting a wired medium from man-in-the-middle or eavesdropping attacks, sufficient physical shielding of wires is needed to protect against physical interception of signals. For protection of wireless signals the use of cryptographic controls such as
• 77. encryption and hashing is needed. This is an example where physical controls and programmatic controls intersect in a classic defense-in-depth scenario to provide protection for the information infrastructure.
Entering and Exiting the Premises
For most large companies employees stream through the entrance doors during normal work hours. Guard desks sometimes are staffed by less-than-diligent guards that simply do not check the badge of every person entering the premises. Plus, with only one door for entry, several employees stream into the building at one time. Even if familiar faces are entering the building, they could have been terminated the previous day and be re-entering with some malicious intent in mind. This can be a security problem. Displaying a badge to a guard as you walk by does not provide a real safeguard against false entry. A more secure approach would be to implement some sort of multi-factor authentication
• 78. to gain access to the building. For example, each employee has a coded badge requiring them to swipe it and enter a PIN before the door opens. If the PIN is correct the door opens to allow entry. This can present a problem of rapid entry to the building, particularly in inclement weather if there are a lot of people; however, with multiple doors, turnstiles or man-traps the problem of multiple people entering can be mitigated. Using a keycard badge to enter and exit the building also provides the benefit of having an audit trail of who entered and exited the building and the date and time. Entering the facility after hours through a locked door can be handled through coded badge access. Multi-factor authentication is very important in case a card is lost or stolen. Having a CCTV camera on each entry is important. Something that is hard to control after normal business hours is “tailgating”. This is where someone closely
• 79. follows an authenticated person into a facility without being authenticated. This is easiest to control if employees are educated that tailgating is not allowed. Employees will generally comply with this policy. The person that won’t comply is the person trying to gain illegal access. If they force themselves in it is difficult to make it the employee’s responsibility to keep them out, but the company should provide a contact that the legitimate employee can reach to explain what happened. For smaller places of business, protections similar to those for your house are in order:
- …and sound detection, automatic notification of authorities
Entering and Exiting Secure Spaces
Entering secure rooms has similar issues to entering secure grounds and buildings. The problems can also be mitigated by similar mechanisms. Physical access to certain areas
• 80. within the premises should be guided by the principle of least privilege.
Principle of Least Privilege: No person should be granted more access than they need to do their job.
Access to these rooms should be controlled by n-factor authentication. Minimally, entry could be gained by a swipe of a badge and entry of a PIN code. This, coupled with CCTV, would provide secure access with two levels of authentication along with a video record. For more critical areas biometric access could be implemented to ensure a badge and PIN were not compromised. And of course, for ultra-secure areas guards in addition to the aforementioned mechanisms may be in order. Exit from secure spaces should also make use of the same authentication techniques that are used to enter the secure space.
COMMON ACCESS CARDS
Some organizations and government agencies control access to all assets using common
• 81. access cards (CAC). A CAC contains multiple types of identification. It contains a picture identifying the owner of the card. It contains a magnetic stripe for accessing rooms and areas requiring this type of access. The card contains an integrated computer chip, making it a smart card that controls access to computer systems that have suitable readers. By implementing components of PKI (Public Key Infrastructure) a user can be identified using encryption and digital signing capabilities. The card is also used together with SYK (Something You Know) authentication such as a PIN or password. When the SYK factor is used in conjunction with the CAC another factor of authentication is provided. An advantage of a CAC is that logging of all automated CAC uses can be done and written to a centralized audit file, providing a record of access.
• 82. The CAC demonstrates the merging of authentication, access and auditing controls for both physical (e.g. buildings/rooms) and electronic (e.g. computers/files) assets.
Environmental Controls
Some environmental control needs will be common across most facilities in most industries, particularly those that deal with the safety of people. Some unique concerns may depend on the business being conducted at the facility. For example, power needs. In the case of a power outage can the facility be emptied and everyone allowed to go home, or does backup power need to be supplied that supports a 24 x 7 operation? Does the 24 x 7 operation need to accommodate machines and a skeleton staff, or a full work staff? What about the use of elevators in a high-rise business? Can egress be accomplished on backup power? Fire suppression technology is another area that may require special needs depending on
• 83. the type of business being conducted. What fire suppression technology is needed for what asset type? Opening a deluge of water on a million-dollar computer system is probably not the optimal first choice for fire suppression. However, suppressing a fire in a meeting room with water to protect people and the building may be the correct solution. Heating, Ventilation and Air Conditioning is another area that requires analysis. Computer rooms need reliable air conditioning that is often quite cool; office areas need air conditioning that is comfortable for humans. Heating and clean air are equally important and the needs for them need to be considered.
Auditing and Physical Security
The need to audit physical security events is as important as for events that apply to information technology assets. All forms of entrance to and egress from buildings and secure rooms should be audited. Any access controlled through keycards, PIN pads,
• 84. biometric scans or other forms of automated access should have a record of the activity automatically recorded to an audit file. Records of entry and egress captured by handwritten logs and CCTV need to be recorded and retained in an orderly manner. Records need to be kept of physical equipment. All equipment should have asset tags that record the model and serial number of the equipment. Also recorded should be where the equipment is located and the responsible party. There may be regulatory laws that require auditing all access to various physical resources (e.g. buildings and rooms). This requirement is no different than for accessing computer systems and electronic files.
How Much Physical Security is Enough?
Just as the risk to your information assets needed to be assessed, so does the risk to your
• 85. physical assets. The number of choices and variations in physical security are many. Consider a sampling of the numerous choices for protecting access to a room storing records in a file cabinet. Do you use a keyed or combination lock? What Underwriters Laboratories (UL) rating is required for the locks? Is multi-factor authentication needed for some aspects of physical security, such as for building access or secure room access? Should CCTV be implemented in the parking areas, on building doors and on access to restricted areas such as computer lab environments and critical record storage? Are human guards required in areas to control access? The choices of protection to use are many. The proper protection to use can only be determined after the assets that require protection are assessed. Your physical assets need to be inventoried and assessed along several dimensions. The
• 86. dimensions are no different than what we started with for assessing the information assets. At some point the physical assets will likely intersect with the information assets. That is, they are one and the same. In order to implement a security plan it is necessary to understand:
- …of attacks that can take place against each asset
- …attack or to recover from an attack
- …the cost of protecting against the attack
Only after performing a complete assessment can you determine how much physical security is enough.
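Two passages above ask for the same tooling: the Automated Security Event Auditing section says an audit capability must let you select records by user, security event, object type, date and time, and the Auditing and Physical Security section says every keycard, PIN pad or biometric entry and exit should land in an audit file that is reviewed. The Python below is an added example of both, not code from the lecture or from any badge system. The CSV record layout, the `door:`/`room:` object naming, the business hours and the sample log lines are all constructed for illustration; a real reader export will have its own format and the parser would be adjusted to it.

```python
"""Querying a security audit log and reconciling physical entry/exit events.

Added example. Record format, object names, business hours and the sample
lines are constructed assumptions, not the lecture's data.
"""
from datetime import datetime, time

# Constructed sample audit log. Fields: timestamp,user,event,object,result
SAMPLE_LOG = """\
2024-03-04T08:02:11,alice,entry,door:main,success
2024-03-04T08:02:40,bob,entry,door:main,success
2024-03-04T12:15:03,alice,entry,room:server,success
2024-03-04T12:16:10,carol,entry,room:server,denied
2024-03-04T12:47:30,alice,exit,room:server,success
2024-03-04T17:30:05,alice,exit,door:main,success
2024-03-04T22:41:19,bob,entry,door:main,success
2024-03-04T23:05:00,bob,exit,door:main,success
"""


def parse_audit_log(text):
    """Turn CSV-style audit lines into dicts; malformed lines are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, event, obj, result = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "object": obj,
            "object_type": obj.split(":", 1)[0],   # "door" or "room" in the sample
            "result": result,
        })
    return records


def select(records, user=None, event=None, object_type=None, start=None, end=None):
    """Filter on the criteria the lecture names: user, event, object type, date/time.

    start/end may be datetimes or ISO 8601 strings; either bound may be omitted.
    """
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    if isinstance(end, str):
        end = datetime.fromisoformat(end)
    out = []
    for r in records:
        if user is not None and r["user"] != user:
            continue
        if event is not None and r["event"] != event:
            continue
        if object_type is not None and r["object_type"] != object_type:
            continue
        if start is not None and r["time"] < start:
            continue
        if end is not None and r["time"] > end:
            continue
        out.append(r)
    return out


def after_hours_entries(records, open_at=time(7, 0), close_at=time(19, 0)):
    """Successful entries outside (assumed) business hours, which merit a closer look."""
    return [r for r in records
            if r["event"] == "entry" and r["result"] == "success"
            and not (open_at <= r["time"].time() <= close_at)]


def unmatched_entries(records):
    """Entries never followed by a badged exit for the same user and door/room.

    A second entry while a badge is already 'inside' means the earlier exit was not
    badged (an unbadged or propped exit, or someone leaving behind another person);
    so is a badge still inside at the end of the log. The open entry record is returned
    so the reviewer can pull the CCTV footage for that time.
    """
    inside = {}      # (user, object) -> the entry record currently open
    flagged = []
    for r in sorted(records, key=lambda x: x["time"]):
        if r["result"] != "success":
            continue
        key = (r["user"], r["object"])
        if r["event"] == "entry":
            if key in inside:
                flagged.append(inside[key])
            inside[key] = r
        elif r["event"] == "exit":
            inside.pop(key, None)
    flagged.extend(inside.values())
    return flagged


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("denied:", [(r["user"], r["object"]) for r in recs if r["result"] == "denied"])
    print("after hours:", [(r["user"], r["time"].isoformat()) for r in after_hours_entries(recs)])
    print("entry without exit:", [(r["user"], r["time"].isoformat()) for r in unmatched_entries(recs)])
```

Run on the sample, the denied server-room attempt, bob's after-hours entry, and bob's morning entry that was never badged out are each surfaced by a different query; the same three functions work unchanged on a computer-system audit log as long as the records carry the same five fields, which is what the lecture means by integrating physical and IT auditing.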
• 87. Authorization
Week6 Part4-IS
RevisionSu2013

Authorization is that part of access control where an organization has to determine how much access a user is given. The access control model being used in your organization has an impact on the authorization a user or process has to access various resources. Access control models fall into three general categories:
1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role Based Access Control (RBAC)
Irrespective of the access control model in your organization, accepted security practice is
• 88. to implement according to the principle of least privilege. Least privilege is the principle that a user is authorized for the minimum amount of access they need to get their job done. By granting the user the least privilege, the amount of damage that can be intentionally or accidentally caused is limited.
Subjects and Objects
In an access control system subjects access objects. Access control works by controlling the access granted to subjects to access objects. If every subject could access every object there would be no access control and no security. Access control systems can be modeled using access control matrices. Following is a simplified access control matrix that has three subjects and three objects. Think of the subjects as users and the objects as files. In this model:
• 89. S1 has read access to file1 and file2. It has write access to file3. S1 is the owner of file2. S2 has write access to file1, execute access to file2 and read, write access to file3. S2 is also the owner of file3. S3 is the owner of file1, has write access to file2 and read access to file3.

SUBJECTS   OBJECTS
           file1    file2           file3
S1         read     read, owner     write
S2         write    execute         read, write, owner
S3         owner    write           read

• 90. The access matrix is a model; however, one can envision defining data structures that support an actual implementation of this matrix to support an access control system. The above is a very simplified access control model. Access control concepts are extended to more than just files. They are also used to control access to processes, devices, memory locations and other constructs that need to have access controlled.
Discretionary Access Control (DAC)
Discretionary access control is the type of access control that is used in most commercial operating systems. Unix/Linux and Windows use a discretionary control model. DAC operates on the principle that an object has an owner. The owner controls what subjects are granted access to the object. The owner also has the authority to grant another subject
  • 91. owner access so they may grant other subjects access. The above access control matrix models a simplified DAC model, since owners are indicated for each of the objects. The DAC model supports the principle of least privilege, but it is easy to find users who have more access than they need to do their job. Supporting least privilege in a DAC model takes some active management to ensure users do not have more privilege than their jobs require. DAC supports limited separation of duties based on the group an individual may be in, but the model is limited, and other tools such as SUDO (Super User Do) are used in Unix/Linux environments for finer-grained control of access. Access Control Example A description of access control concepts includes a discussion of Subjects, Objects and
  • 92. Permissions. Depending on the particular system the terminology may vary slightly, but the concepts should be similar. Following is an example of a UNIX access control system. This could also be extended to a Linux system. Subjects:
    – The owner of the Object.
    – All users, including the owner, that have the same Group ID in the UIC as the object's owner.
    – All users defined in the system.
    *Another subject not in the list is the superuser. This is someone who obtains superuser privilege by logging into root. Someone with root privilege could alter the owner of the object.
    Permissions:
    – read: the right to read, print, or copy the file.
  • 93. – execute: the right to run the file, an executable program image or a script.
    The UNIX permissions access control model is a discretionary access control model. The UNIX model implements access control to files by using permissions. Supplementing permissions in most UNIX/Linux distributions are access control lists. Permissions are specified for three subjects: user, group and other. You may see this abbreviated to ugo. The objects controlled by permissions are files. Many control structures in UNIX are implemented as files. For example, directories, links (symbolic and hard), pipes, sockets and device drivers (block and character) are implemented as files. Therefore, while permissions control access to files, they effectively control access to other mechanisms that deal with directory structures, input/output, and inter-process
  • 94. communication. The permissions for a file can be viewed by using the UNIX command ls -l. There are other options that can be used, but -l will provide the information we need.

    $ ls -l
    -rw-r--r-- 1 wvales accfac 23 12 Feb 8:11 test.txt
    -rw-r--r-- 1 wvales accfac 23 12 Feb 8:12 test1.txt
    drw-r--r-- 1 wvales accfac 10 12 Feb 9:10 test.dir

    The file type is designated by the first character in the ls output. A hyphen “-” indicates the file is a “normal” file in UNIX speak. Think of this as a text file. The “d” indicates the file is a directory. The above ls command outputs information for 3 files. Two
  • 95. files are “normal” files and one file is a “directory” file. The permission breakdown is based on three types of subject: the user (i.e. owner) of the object, group members that are in the same group the owner is a member of, and anyone else, which is denoted by other. These permissions pertain to any object type that can be specified in the field preceding the permission field. Objects can be a: file, directory, symbolic link, named pipe, socket, block device or character device. The following table shows the three subject types and the seven object types in the UNIX DAC model.

    SUBJECTS                    OBJECTS
    User   Group   Other        “Object” Type
    -rwx   rw-     rw-          file
    drwx   rw-     rw-          directory
    lrwx   rw-     rw-          symbolic link
    prwx   rw-     rw-          named pipe
    srwx   rw-     rw-          socket
    brwx   rw-     rw-          block device
    crwx   rw-     rw-          character device

  • 96. There are three permissions (or access modes) assigned to the object for each subject type. Depending on the object type the access mode (rwx) means different things.
    – read access. For a file object, read access means the file can be accessed by a text editor or by a variety of utilities such as cat or more. For a directory object, read access indicates that the entries for each file in the directory can be accessed (read).
    – write access. For a file object, write access allows a new version of the file to be written. For a directory object, write access means files can be added to, removed from or renamed in the directory. For a block or character device, write access means the device can be "written" to.
  • 97. – execute access. For a script or image file, execute means the file can be run by the shell or invoked by the image activator. For a directory object, execute access means the files in the directory can be listed (ls -l *). If there is no execute access on the directory you are effectively denying access to the directory and everything beneath it in the directory tree.
    Access Control Lists (ACLs) Another discretionary access control mechanism in most operating systems (UNIX/Linux/Windows) is the Access Control List (ACL). The UNIX-style permission structure results in a coarse granularity of access control. If you want to allow access to files for certain individuals you have to create new groups that include the users you want to grant access to. Creating and deleting groups and changing group membership can become very difficult to manage. Using an access control list simplifies this.
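The user/group/other evaluation described above, including the effect of a directory that lacks execute permission, as an added example that is not part of the original lecture notes. It parses constructed ls -l lines in the same shape as the listing above; the user wvales, the group accfac, the user guest and the extra file names are made up.

```python
# Added example (not from the original lecture notes): evaluate UNIX "ugo"
# permission strings the way the kernel does for a given subject. The ls -l
# lines below are constructed sample data; wvales, accfac, guest and the
# file names are made up.
from dataclasses import dataclass

# First character of the mode string is the object type; the next nine are
# the rwx bits for user (owner), group and other.
TYPE_NAMES = {"-": "file", "d": "directory", "l": "symbolic link",
              "p": "named pipe", "s": "socket", "b": "block device",
              "c": "character device"}

# Constructed listing; paths are given relative to the listing's directory.
SAMPLE_LS = """\
-rw-r--r-- 1 wvales accfac 23 12 Feb 8:11 test.txt
-r--rw-rw- 1 wvales accfac 23 12 Feb 8:12 test1.txt
drw-r--r-- 1 wvales accfac 10 12 Feb 9:10 test.dir
-rw-rw-r-- 1 wvales accfac  5 12 Feb 9:12 test.dir/notes.txt
drwxr-x--- 1 wvales accfac 10 12 Feb 9:20 share.dir
-rw-r--r-- 1 wvales accfac  7 12 Feb 9:21 share.dir/report.txt
"""

@dataclass(frozen=True)
class Entry:
    kind: str        # one of the TYPE_NAMES values
    user: str        # rwx bits for the owner, e.g. "rw-"
    group: str       # rwx bits for members of group_name
    other: str       # rwx bits for everyone else
    owner: str
    group_name: str
    path: str

def parse_ls_line(line: str) -> Entry:
    """Parse one `ls -l` line; the last field is taken as the path."""
    fields = line.split()
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    if len(mode) != 10 or mode[0] not in TYPE_NAMES:
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    return Entry(TYPE_NAMES[mode[0]], mode[1:4], mode[4:7], mode[7:10],
                 owner, group, path)

def load_tree(listing: str) -> dict[str, Entry]:
    entries = [parse_ls_line(l) for l in listing.splitlines() if l.strip()]
    return {e.path: e for e in entries}

def select_class(entry: Entry, uid: str, groups: set[str]) -> str:
    """UNIX picks exactly one class: owner first, then group, then other.
    The classes do not accumulate, so an owner whose own bits are 'r--' is
    denied write even when 'other' has 'rw-'."""
    if uid == entry.owner:
        return entry.user
    if entry.group_name in groups:
        return entry.group
    return entry.other

def allowed(entry: Entry, uid: str, groups: set[str], want: str) -> bool:
    """True if every mode in `want` (a subset of 'rwx') is granted."""
    bits = select_class(entry, uid, groups)
    return all(bits["rwx".index(m)] == m for m in want)

def can_access(tree: dict[str, Entry], path: str, uid: str,
               groups: set[str], want: str) -> bool:
    """Every directory on the way needs 'x' (search permission); only then
    do the target's own bits matter. A directory without 'x' therefore
    hides everything beneath it, even from its owner."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        if not allowed(tree["/".join(parts[:i])], uid, groups, "x"):
            return False
    return allowed(tree[path], uid, groups, want)

TREE = load_tree(SAMPLE_LS)

if __name__ == "__main__":
    for who, grp, path, want in [("wvales", {"accfac"}, "test.txt", "rw"),
                                 ("wvales", {"accfac"}, "test1.txt", "w"),
                                 ("guest", set(), "test1.txt", "w"),
                                 ("wvales", {"accfac"}, "test.dir/notes.txt", "r"),
                                 ("guest", {"accfac"}, "share.dir/report.txt", "r"),
                                 ("guest", set(), "share.dir/report.txt", "r")]:
        print(f"{who:7} {want:3} {path:22} -> {can_access(TREE, path, who, grp, want)}")
```

Note that the owner of test.dir cannot reach test.dir/notes.txt at all, because the directory's own class bits are rw- with no x.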
  • 98. The access control list allows users to specify access for specific users to a file. This access is “finer grained” than the permissions which only control full group access. ACLs are not available on all implementations of UNIX. ACLs are controlled by using the setfacl and getfacl commands. Mandatory Access Control (MAC) Mandatory access control is a type of access control that is used in an environment where access is controlled by the system. Many government systems use Mandatory Access Control. In a mandatory access control system there is no owner for an object. Access to an object is controlled by the system not by a subject. MAC systems have the concept of labels. Labels correspond to access levels. A typical MAC system has labels that correspond to security levels. Using the government model there are security levels of: unclassified, confidential, secret, top secret. Labels are attached to both objects and to
  • 99. subjects. Access works as follows: a subject has access to an object that has an equal or lower level of security associated with it. If a subject attempts to access an object that requires a higher level of access, the access is denied. For example, a subject with a label of confidential can access objects with a label of confidential or unclassified. They cannot access objects with a label of secret or top secret. MAC systems support the concept of least privilege. Separation of duties is supported based on the labels that an individual has assigned to them. Role Based Access Control (RBAC) Role Based Access Control works by assigning access to an object according to the role a subject has within a system. A particular subject can have several roles in a system at any time. Each role potentially has different levels of access.
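The DAC matrix, MAC labels and roles described above, side by side as an added worked example that is not part of the original lecture notes. S1 to S3 and file1 to file3 are the slide's own matrix; the level names are the government labels quoted above; the role names, the mutually exclusive role pair and the user names are constructed.

```python
# Added example (not from the original lecture notes): the three access control
# models described above, each as a small decision function over constructed
# data. The subjects S1-S3 and file1-file3 come from the slide's matrix; the
# role names, conflicting role pair and user names are made up for illustration.
from dataclasses import dataclass, field

# --- DAC: the slide's access matrix; matrix[subject][object] is a set of
# "read" / "write" / "execute" / "owner". Built fresh so grants can be tried.
def slide_matrix():
    return {
        "S1": {"file1": {"read"}, "file2": {"read", "owner"}, "file3": {"write"}},
        "S2": {"file1": {"write"}, "file2": {"execute"},
               "file3": {"read", "write", "owner"}},
        "S3": {"file1": {"owner"}, "file2": {"write"}, "file3": {"read"}},
    }

def dac_check(matrix, subject, obj, right):
    return right in matrix.get(subject, {}).get(obj, set())

def dac_grant(matrix, granter, grantee, obj, right):
    """Only the object's owner may hand out rights. Granting 'owner' itself is
    allowed, which is how ownership (and over-privilege) spreads under DAC."""
    if not dac_check(matrix, granter, obj, "owner"):
        return False
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return True

# --- MAC: ordered labels; no owner, the system alone decides ----------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_check(subject_label, object_label):
    """A subject may access objects at an equal or lower level only."""
    return LEVELS[subject_label] >= LEVELS[object_label]

# --- RBAC: permissions attach to roles, roles to subjects, with a constraint
# between mutually exclusive roles (separation of duties) --------------------
ROLE_PERMS = {
    "loan_officer": {("loan", "approve"), ("loan", "read")},
    "loan_auditor": {("loan", "audit"), ("loan", "read")},
    "teller": {("account", "read")},
}
EXCLUSIVE = [{"loan_officer", "loan_auditor"}]   # conflicting role pairs

@dataclass
class Rbac:
    assignments: dict = field(default_factory=dict)   # subject -> set of roles

    def assign(self, subject, role):
        self.assignments.setdefault(subject, set()).add(role)

    def check(self, subject, obj, action):
        roles = self.assignments.get(subject, set())
        # Constraint: a subject holding both roles of a conflicting pair loses
        # access to the objects those roles cover, rather than either role winning.
        for pair in EXCLUSIVE:
            if pair <= roles and any((obj, action) in ROLE_PERMS[r] for r in pair):
                return False
        return any((obj, action) in ROLE_PERMS[r] for r in roles)

if __name__ == "__main__":
    m = slide_matrix()
    print("S1 owns file2:", dac_check(m, "S1", "file2", "owner"))
    print("S1 grants S2 read on file1:", dac_grant(m, "S1", "S2", "file1", "read"))
    print("S3 grants S2 read on file1:", dac_grant(m, "S3", "S2", "file1", "read"))
    print("confidential -> secret:", mac_check("confidential", "secret"))
    r = Rbac()
    r.assign("alice", "loan_officer")
    print("alice approves loans:", r.check("alice", "loan", "approve"))
    r.assign("alice", "loan_auditor")      # now in conflict
    print("alice audits loans:", r.check("alice", "loan", "audit"))
```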
  • 100. RBAC is rapidly gaining popularity as the need to control access based on role is being mandated by government legislation such as Sarbanes-Oxley. Large organizations are starting to use RBAC systems because of the relative ease of granting access to objects by assigning roles to the subjects (employees). The ease of assigning and removing access translates into large cost savings for companies that have a large turnover of employees or frequent changes of roles in the organization. RBAC systems support the concept of least privilege. Separation of duties is supported based on the roles that individuals are assigned to. Some RBAC implementations support the concept of separation of duties by implementing constraints between mutually exclusive roles. A constraint of this type means that if a subject is assigned multiple roles that are in conflict for accessing a particular object, then access to that object is restricted. For
  • 101. example, assume someone is serving the dual roles of a loan officer and a loan auditor. They should not be allowed access to audit loans since they are also approved as a loan officer. Auditing Auditing of access control operations is a requirement for running a secure information infrastructure. All major operating systems have auditing systems. Windows has the event viewer application that allows viewing of various events related to: System, Security, Applications, and Internet Explorer. UNIX/Linux has the syslog utility for recording similar events. Many applications have auditing systems for any application specific operations. For example, a firewall application will keep a log related to various accesses. Database systems have audit logs for recording modifications to the database metadata as well as accesses to data. For a particular environment the amount of information that
  • 102. could be recorded to an audit file could be voluminous. As long as the tools that read the audit log allow searching and sorting of entries, the size of the audit logs may not be an issue. However, there are some cases where the amount of information being audited is so large that there is a performance impact on the system writing information to the audit log. The amount of disk space used may also be an issue. Most audit systems have the ability to specify what information is to be audited. Instead of auditing every access to every file, perhaps audit entries only need to be written when critical files are accessed. Typically, with high bandwidth, big disks and good sorting and searching capabilities in the audit system, users will audit everything until a problem occurs that dictates the amount of data to be audited should be reduced.
  • 103. Discussion: While managing the development and maintenance of a Transaction Processing System (TPS) we had a customer that used the system for online options trading. The customer decided to audit all access control activity. At peak trading times the transaction rate exceeded several thousand transactions a minute. This resulted in a huge amount of data to be audited. System performance eventually ground to a halt affecting the ability to perform the options trading. The large amount of data being written to the audit log was causing thrashing between the process writing the audit file and the trading program. By assigning a higher priority to the trading program it allowed that program to run before the audit writing program. This worked for a while until the buffers for the audit program filled up with information that needed to be written to the audit disk. The next fix was to expand the buffers for containing the audit information. Knowing
  • 104. this would postpone the problem, we decided to move the audit disk to a separate disk where there was no contention by any other process. Mode Access The subject/object access models we just discussed assume the subjects all have the same privileges. This is not the case. Some users have more privileges than others. In the Windows XP (personal), Windows 7 and Windows 8 systems there are Administrator and User accounts. Any user with administrator privileges can perform more operations than a user with user privileges. Windows XP Account Types.
  • 105. Windows 7 Account Types. In UNIX/Linux there are two types of users: root and user. Any user that has logged into the root account is the “superuser”. With superuser or root privileges the user can do anything. They have access to everything any other user has and more. They can create accounts, change passwords, kill user processes, change file ownership, format devices and perform many other operations that a user cannot. The superuser in UNIX or administrator in Windows has unfettered access to all aspects of the system. Being logged into an account with these elevated privileges all of the time is not recommended for a secure system. Accidents can happen, and malicious activity can result in privileged accounts being hijacked. It is best to switch to elevated privileges when they are needed and then switch back to normal (user)
  • 106. privileges when done. It only takes one errant Delete or rm command while running with elevated privileges to make this point. Many UNIX/Linux systems disable the root account and force the user to obtain root privileges via the sudo utility, a tool that limits superuser access to a particular command for a set time period. Reasons for Auditing Analyzing System Activity Many times activity on a system needs to be looked at in retrospect. For example, some security breaches may not be detected until after the fact: a file is removed, confidential information is accessed, or a program is run that in normal day-to-day operation is not considered abnormal. However, after learning that confidential information has been leaked it may become necessary to determine what
  • 107. users had access to the information, or which program accessed the information. By having these accesses recorded in the audit logs it is a simple matter to search the logs to determine when the accesses occurred. Compliance Reporting In this age of corporate fraud and security breaches of sensitive information, it is becoming increasingly important for organizations to prove that access to information is limited and information is protected. Regulations such as Sarbanes-Oxley require that companies keep accurate information trails for government compliance reporting. Another motivator for organizations to audit information is the possibility of litigation over damages related to the improper care of client information. A key part of a security strategy is to have policies and procedures in place that audit
  • 108. activities. This includes the auditing of activities related to computer access as well as auditing access to physical properties such as rooms, buildings, parking lots and any other area of importance. Determining the right amount of access information to audit is also important. The amount of information that is to be audited should be based on the asset in question. Too much audit information may require the use of too much disk space and require too much time to sort through. Auditing too little information may not provide the trail of access needed to determine when something went wrong. Examples of Authentication Systems Week6 Part3-IS RevisionSu2013
  • 109. Examples of Authentication Systems Authentication services tend to be part of a larger system such as an operating system, middleware system, database management system or some other type of application. Authentication services can be implemented as services with well-defined interfaces so one authentication service can be used by a variety of systems. There are numerous authentication systems available; each has its own strengths and weaknesses. Some authentication schemes were developed to support particular applications, so they have unique features to support those environments (e.g. remote, mobile computing, and wireless). Some authentication schemes protect against certain types of attacks that may be more prevalent in a particular application or environment. In this section we take a look at a few representative authentication schemes. Kerberos
  • 110. Kerberos is a network authentication system developed by MIT (Massachusetts Institute of Technology) in the 1980s for Project Athena. Kerberos (Cerberus) is the name from Greek mythology for the three-headed dog that guards the gate of Hades. Kerberos supports single sign-on, allowing users to access various server services in a network environment. It makes use of symmetric encryption to support secure communications between systems. Kerberos uses a centralized server called a Key Distribution Center (KDC) which stores all passwords and is responsible for centralized authentication. It is critical that the Kerberos KDC is kept SECURE. Since all the passwords and key information are stored in the KDC, it represents a single point of failure. The Kerberos protocol uses a “ticket” model where clients request tickets for services and present these tickets to the server as credentials for the requested service.
  • 111. Kerberos technology is widely used in many operating systems and applications, including Windows 2000 and later, UNIX distributions including Sun Solaris, FreeBSD and various Linux distributions. Virtual Private Networks (VPN) In the “old days” if a company wanted a secure connection from one destination to another they would pay the money to have private lines strung between the locations. This provided a dedicated, secure but very expensive solution. In today’s remote, mobile internet environment, hardwiring of secure connections is not always feasible. To support secure connections over the internet, Virtual Private Networks (VPN) have been implemented. VPN technology supports creating secure connections over an insecure medium (the internet). A VPN is implemented on the internet by establishing a secure connection between two
  • 112. parties that want to communicate over the internet. The secure connection is established by placing a wrapper around the data to be transmitted and encrypting the data within the wrapper. The wrapping of information is known as encapsulating the data. The encryption keys are known only to the sender and receiver of the data. This results in a secure connection for the two parties using an insecure medium which is the internet. The creation of a VPN may make use of a technique known as tunneling. Tunneling uses one protocol to encapsulate and another protocol for transmission. Tunneling allows a protocol that is incompatible with the underlying network to be carried over the network. Tunneling also supports the secure transmission of information across an insecure path by allowing the information flowing through the tunnel to be encrypted. There are several different protocols that can be used to support tunneling. Some popular
  • 113. ones are: Layer 2 Tunneling Protocol (L2TP). VPNs support the secure exchange of information by implementing functionality that provides: network re exchange of routing information. VPNs need to authenticate clients and servers. There are different services that can be used to perform authentication. Depending on the type of connection, one authentication scheme may make more sense than another. Following is a small representative sample of authentication
  • 114. schemes. Extensible Authentication Protocol (EAP) EAP is more of a framework than an actual implementation of authentication services. EAP was designed with the Point to Point Tunneling Protocol (PPTP) in mind. PPTP was developed to allow PPP (Point-to-Point Protocol), an older protocol, to be encapsulated within IP packets and forwarded over any IP network. EAP provides a framework within which proprietary authentication schemes, as well as standard authentication protocols that make use of passwords or digital certificates, can be implemented on an IP network. Challenge Handshake Authentication Protocol (CHAP) CHAP is a three part protocol that supports the establishment of secure connections between a client and server. CHAP also has the feature of periodically re-authenticating the client. This re-authentication provides for a more robust
  • 115. level of security. The challenge relies on the following two attributes: 1. Client and server use the same hash function to compute the message digest. The use of a particular hash function is a given for the CHAP protocol. 2. The client and the server have a shared secret. This is something the server generates after the request is made from the client to establish a connection. The three part protocol, or handshake, makes use of a one way hash function to authenticate the client:
    1. Client makes a request to the server for a connection.
    2. Server generates a challenge. The challenge could be a string of random numbers. Server sends the challenge to the client.
    3. Client responds to the challenge. The response is a message digest the client calculates using the random numbers provided by the server.
    4. Server receives the response and compares what the client calculated for the
  • 116. challenge with what the server calculated using the same value. If they are the same, the client is authenticated and a connection is established. If they are different, the client is not authenticated and no connection is established. Password Authentication Protocol (PAP) PAP is the most basic type of authentication. The username and password are sent from the client to the server in clear text. If the client is known to the server, the server responds by authenticating the client. A fundamental problem with this scheme is that passwords can be intercepted on the client, the server or during transmission on the “wire”. An obvious improvement that can be made to this scheme is encrypting the passwords. This is done in several protocols; one such protocol is SPAP.
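The CHAP handshake above, with PAP beside it for contrast, as an added example that is not from the original lecture notes. It computes the RFC 1994 response (MD5 over identifier, secret and challenge) and assumes the secret is pre-shared out of band; the user name, secret values and class names are constructed.

```python
# Added example (not from the original lecture notes): the CHAP handshake
# simulated with both sides in one process, next to a PAP exchange for
# contrast. Digest as in RFC 1994: MD5(identifier || secret || challenge).
# Assumes a pre-shared secret; the user name and secrets are made up.
import hashlib
import hmac
import secrets

def chap_digest(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapServer:
    def __init__(self, secrets_by_user):
        self._secrets = secrets_by_user      # username -> shared secret (bytes)
        self._pending = {}                   # username -> (identifier, challenge)

    def challenge(self, username):
        """Step 2: a fresh random challenge per attempt, so a response
        captured from one exchange does not answer the next one."""
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)
        self._pending[username] = (ident, chal)
        return ident, chal

    def verify(self, username, ident, response):
        """Step 4: recompute the digest with the stored secret and compare in
        constant time. The challenge is consumed so it cannot be answered twice."""
        pending = self._pending.pop(username, None)
        secret = self._secrets.get(username)
        if pending is None or secret is None or pending[0] != ident:
            return False
        expected = chap_digest(ident, secret, pending[1])
        return hmac.compare_digest(expected, response)

def chap_client_respond(ident, challenge, secret):
    """Step 3: the client proves knowledge of the secret without sending it."""
    return chap_digest(ident, secret, challenge)

def chap_login(server, username, client_secret):
    """Steps 1-4 end to end; returns True if the server accepts the client.
    CHAP re-runs this same exchange periodically on a live connection."""
    ident, chal = server.challenge(username)        # step 1 request, step 2 challenge
    resp = chap_client_respond(ident, chal, client_secret)
    return server.verify(username, ident, resp)

def pap_login(server_db, username, password, wire_log):
    """PAP for contrast: the credential itself crosses the wire in the clear,
    which is exactly what wire_log records here."""
    wire_log.append((username, password))
    return server_db.get(username) == password

def demo():
    db = {"alice": b"correct horse"}               # constructed pre-shared secret
    srv = ChapServer(db)
    ok = chap_login(srv, "alice", b"correct horse")
    bad = chap_login(srv, "alice", b"wrong secret")
    # A response that succeeded once is rejected when presented again: the
    # server has already consumed that challenge.
    ident, chal = srv.challenge("alice")
    captured = chap_client_respond(ident, chal, b"correct horse")
    first = srv.verify("alice", ident, captured)
    second = srv.verify("alice", ident, captured)
    wire = []
    pap_ok = pap_login({"alice": "correct horse"}, "alice", "correct horse", wire)
    return {"chap_ok": ok, "chap_bad": bad, "replay_first": first,
            "replay_second": second, "pap_ok": pap_ok, "pap_wire": wire}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```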
  • 117. Internet Protocol Security (IPsec) IPsec is used to create VPNs. There are numerous features in IPsec that support authentication of clients and servers and the secure exchange of data over the authenticated connections. Authentication is done by using symmetric encryption and hashing technologies. IPsec provides encryption and authentication services. It also supports two different modes: tunneling and transport. In tunneling mode the IP routing information is encrypted, providing proxy-type services for further protection. IPsec operates at the Internet layer of the Internet Protocol suite. This equates to layer 3 (Network layer) of the OSI reference model. IPsec services can be used alone to establish secure connections (VPN), or IPsec services can be used by other protocols to provide services in their environment. For example, L2TP (Layer 2 Tunneling Protocol) operates at the data link layer in the OSI reference
  • 118. model. L2TP does not implement any authentication or encryption services in the protocol. IPsec is typically used by L2TP to provide confidentiality and authentication services for establishing a secure VPN. There is much more to say about IPsec; for now, be aware that IPsec does provide authentication services. These authentication services can be used within an IPsec implementation or they can be used in conjunction with other protocols. Authentication, Access Control, Accounting Protocols Authentication, Access Control, Accounting Protocols (AAA) are protocols used for the centralized management of computers, enabling them to connect to network resources. These protocols were initially developed to provide dial-up access via PPP (point-to-point protocol) and terminal servers. There are increasing demands on AAA protocols to support new technologies, new devices and new protocols. For example, supporting
  • 119. mobile IP connections with roaming technology requires using different protocols, devices and functionality than implementing geographically static PPP connections. AAA technologies allow companies to establish policies for authentication and access control which can be administered at a centralized location. Accounting services are also provided, which audit access by users, providing historical access records and metrics that are used for billing. Internet Service Providers (ISPs) and other large enterprises are users of AAA technology. In general, these systems support a centralized database of credentials and access information that can be used to connect to multiple servers. AAA systems can make use of a variety of authentication protocols (e.g. CHAP, EAP, PAP, Kerberos, Active Directory) and can also integrate customer systems into the AAA implementation, for items such as using locally stored credentials that are
  • 120. external to the AAA system, or storing accounting information in a customer's MySQL database. AAA systems will need to continue to evolve in their capabilities by embracing new technologies and protocols that support secure network access, as well as integrating customer-specific needs into an implementation. Three AAA systems are: RADIUS, Diameter, TACACS. RADIUS: Remote Authentication Dial in User System is a de facto standard for many large customers in the corporate world. It was originally developed to support PPP protocols. RADIUS was developed in 1991 by Livingston Enterprises. Implementations make use of unreliable transport (UDP). Diameter: The successor to RADIUS. Planned to be “twice as good as RADIUS” (pun). Diameter provides upgraded services and support from
  • 121. RADIUS to support the latest technologies. Diameter uses a reliable transport protocol (TCP) and makes use of network level security (IPsec or TLS (SSL)). Diameter does provide an upgrade path from RADIUS. TACACS: Terminal Access Controller Access-Control System provides AAA functionality commonly used in UNIX networks. TACACS+ provides an updated protocol. Single Sign On (SSO) A problem for a user that requires access to several systems is that they need to authenticate themselves as they access each system. Kerberos mitigates this problem within an organization by implementing a Single Sign On (SSO) model. This allows the user to log on to the system once and remain authenticated for access to any system within a Kerberos “Realm”. Think of a realm as being implemented for an organization. The Kerberos model can be extended to include multiple realms,
  • 122. which extends the reach of the SSO to multiple organizations. Federated Identity Management Kerberos SSO makes sense within an organization or across several organizations within a larger enterprise. However, implementing SSO across several heterogeneous enterprises, websites and other entities requiring authentication presents different problems. Think about how many different sets of authentication credentials you have. Most people have credentials for every web site they do e-commerce with: Amazon, Ebay, Staples, Microsoft, Google, etc. Plus credentials for all the banking and finance institutions they deal with; add to that websites for universities, insurance companies and hospitals. You get the idea: the number of credentials a user has to remember is difficult to manage. In an effort to simplify the online experience for users, simplify
  • 123. account management through standards and to encourage enterprises to establish new meaningful business relationships with one another the idea of providing Federated Identity Management has taken hold. Federated Identity Management is the idea that an identity infrastructure could be shared by enterprises across industries to store credentials, provide access and provide a secure environment. Development of these concepts is being done under the umbrella of the Liberty Alliance. Liberty Alliance began in 2001 and has grown to include over 200 companies. Some of the companies are large multi-national finance, technology and manufacturing companies. Federated Identity Management is a needed technology worth exploring. More can be found at www.projectliberty.org