Slides prepared based on the paper Access Control: Principles and Practice by Ravi S. Sandhu and Pierangela Samarati, IEEE Communications Magazine, 1994
Access Control: Principles and Practice

1. Access Control: Principles and Practice
Reference: Access Control: Principles and Practice, Ravi S. Sandhu and Pierangela Samarati, IEEE Communications Magazine, 1994
Prepared by: Nabeel Mohamed
2. Access Control
The purpose is to limit the operations or actions that a legitimate user of a computer system can perform
Constrains
◦ What a user can do directly, and
◦ What programs executing on behalf of users are allowed to do
Thus, tries to prevent activities that could lead to a breach of security
Is required to achieve the confidentiality, integrity and availability objectives
4. The Big Picture
Shows a logical picture of security services and their interactions
The authentication service should correctly establish the identity of the user
Authentication first, and then access control
Access control is not a complete solution for securing a system. What is the missing service?
◦ Auditing
5. The Big Picture
Auditing
◦ Performs a posteriori analysis of all the requests and activities of users in the system
◦ Requires logging all requests and activities
◦ How can auditing help?
Acting as a deterrent
Identifying attempted or actual violations
Identifying flaws in the security system
Discouraging authorized users from misusing their privileges, since the log holds them accountable for what they did
6. Policies vs. Mechanisms
Policies
◦ High-level guidelines that determine how accesses are controlled and how access decisions are made
Mechanisms
◦ Low-level software and hardware functions that can be configured to implement a policy
It is desirable to develop access control mechanisms that are largely independent of the policy for which they could be used
7. The Access Matrix
All resources controlled by a computer system can be represented by data stored in objects
Subjects, which initiate activities in the system, are typically users or programs executing on behalf of users
Subjects can themselves be objects
Subjects initiate actions on objects
◦ Actions are allowed or denied in accordance with the authorizations established
8. The Access Matrix
Example access rights/modes:
◦ For files, the typical access rights are read, write, execute and own
The OS implements them
◦ For bank accounts, the typical access rights are inquiry, credit and debit
Application programs implement them
9. The Access Matrix
A conceptual model that specifies the rights that each subject possesses for each object
Subjects in rows, objects in columns
10. The Access Matrix
The access matrix model clearly separates the problem of authentication from that of authorization
A reference monitor should ensure that only those operations authorized by the access matrix actually get executed
Example: Alice is the owner of File 2, and she can read and write that file
11. Implementation Approaches
The access matrix is usually sparse and hence not implemented as a matrix
Some common approaches to implementing the access matrix in practice:
◦ Access Control Lists (ACLs)
◦ Capabilities
◦ Authorization Relations
12. Access Control Lists
Each object is associated with an ACL
The ACL has an entry for each subject that has some kind of access to that object
This approach corresponds to storing the access matrix by column
14. Access Control Lists
Advantages
◦ By looking at an object's ACL it is easy to determine which modes of access subjects are currently authorized for on that object
◦ Easy to revoke all access to an object
Disadvantages
◦ It is difficult to find all the accesses a subject has: every ACL in the system must be examined
15. Access Control Lists
In order to reduce the list length, the usual practice is to use groups instead of (or in addition to) individual subject identifiers
Example: the UNIX getfacl and setfacl commands display and set ACLs on files and directories
16. Capabilities
A dual approach to ACLs
Each subject is associated with a list (called the capability list)
A subject's capability list contains the objects for which the subject has some kind of access, with the access modes allowed
18. Capabilities
Advantages
◦ Easy to find all accesses that a subject is authorized to perform
◦ Easy to revoke all accesses of a subject
Disadvantages
◦ Difficult to find all subjects who have some kind of access to a given object: every capability list must be examined
Modern operating systems typically take the ACL-based approach
19. Authorization Relations
Each row or tuple of the authorization relation specifies one access right of a subject to an object
For example, John's accesses to File 1 require 3 rows
If the table is sorted by subject, it reflects capabilities
If the table is sorted by object, it reflects ACLs
The relation is not normalized
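The three storage approaches of slides 11 through 19, worked through in Python as an added example (not code from the slides or from Sandhu and Samarati): one constructed access matrix is stored by column as ACLs, by row as capability lists and as an authorization relation, with a reference monitor that consults it and with the query that each representation makes cheap or expensive. The matrix cells are assumed; they agree with the two facts the slides state (Alice owns File 2 and can read and write it; John has three rights on File 1), but the rest of the matrix is made up because the slides' figure is not on the page.

```python
"""Access matrix stored three ways: by column (ACLs), by row (capability
lists) and as an authorization relation of (subject, object, right) tuples.

Added example for these slides; not code from the slides or from Sandhu and
Samarati. MATRIX is constructed sample data that agrees with the two facts the
slides state (Alice owns File 2 and can read and write it; John has three
rights on File 1); every other cell is assumed.
"""
from collections import defaultdict

MATRIX = {
    "John":  {"File 1": {"own", "read", "write"}, "File 3": {"own", "read", "write"}},
    "Alice": {"File 1": {"read"}, "File 2": {"own", "read", "write"}, "Program 1": {"execute"}},
    "Bob":   {"File 1": {"read", "write"}, "File 2": {"read"}, "Program 1": {"execute"}},
}


def to_acls(matrix):
    """Store by column: object -> {subject: rights}. Empty cells are not stored,
    which is why a sparse matrix is kept this way rather than as a 2-D array."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Store by row: subject -> {object: rights}, i.e. one capability list per subject."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def to_authorization_relation(matrix):
    """One tuple per right. John's own/read/write on File 1 become three tuples."""
    return sorted((s, o, r) for s, row in matrix.items() for o, rights in row.items() for r in rights)


def relation_sorted_by(relation, key):
    """Sorted by subject the relation reads like capability lists; by object, like ACLs."""
    idx = {"subject": 0, "object": 1}[key]
    return sorted(relation, key=lambda t: (t[idx], t[1 - idx], t[2]))


def reference_monitor(acls, subject, obj, right):
    """Let an operation through only if the stored matrix authorizes it."""
    return right in acls.get(obj, {}).get(subject, set())


def subjects_with_access(acls, obj):
    """Cheap with ACLs: one lookup answers 'who may do what to this object?'."""
    return {s: set(r) for s, r in acls.get(obj, {}).items()}


def revoke_all_access_to_object(acls, obj):
    """Cheap with ACLs: drop the object's column."""
    acls.pop(obj, None)


def accesses_of_subject_from_acls(acls, subject):
    """Expensive with ACLs: every ACL in the system must be inspected.
    Returns the accesses found and how many ACLs were read to find them."""
    found, scanned = {}, 0
    for obj, entries in acls.items():
        scanned += 1
        if subject in entries:
            found[obj] = set(entries[subject])
    return found, scanned


def accesses_of_subject_from_caps(caps, subject):
    """Cheap with capabilities: one lookup on the subject's own list."""
    return {o: set(r) for o, r in caps.get(subject, {}).items()}


def revoke_all_access_of_subject(caps, subject):
    """Cheap with capabilities: drop the subject's row (the dual of revoking an object)."""
    caps.pop(subject, None)
```

The scan counter in accesses_of_subject_from_acls makes the slides' trade-off visible: answering "what can Bob do?" from ACLs touches every object's list, while the same question against Bob's capability list is one lookup, and the reverse holds for "who can touch File 1?".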
22. Multiple Access Control Policies
AC policies are not exclusive; they can be combined to provide a more suitable protection system
When policies are combined, an access is allowed only if every policy allows it: the accesses granted are the intersection of those each policy allows
23. Discretionary Policies
Access control is at the discretion of the user
The flexibility of discretionary policies has made them successful in industry
24. Discretionary Policies
However, they do not provide real assurance on the flow of information in the system
◦ It is easy to bypass the access restrictions stated through the authorizations
◦ Example: a user able to read an object can pass its contents to other users without the knowledge of the owner
◦ The reason is that discretionary policies do not impose any restriction on the usage of information by a user once the user has received it (dissemination of information is not controlled)
25. Mandatory Policies
Access control enforcement is under the control of the system
The MLS (Multilevel Security) model is the most popular mandatory approach
◦ Access is based on the security levels assigned to objects and subjects
Each user and each object in the system is assigned a security level
MLS provides one-directional information flow in a lattice of security labels
26. Mandatory Policies
The security level associated with an object reflects
◦ The sensitivity of the information contained in the object
The security level associated with a subject (also called clearance) reflects
◦ The user's trustworthiness not to disclose sensitive information to users not cleared to see it
27. Example Security Levels
In a military setting we usually find the following security levels:
◦ Top Secret (TS)
◦ Secret (S)
◦ Confidential (C)
◦ Unclassified (U)
They form the ordered set TS > S > C > U
Each security level is said to dominate itself and all others below it in this hierarchy
28. Confidentiality Policies
Read down
◦ A subject's clearance must dominate the security level of the object being read
Write up
◦ A subject's clearance must be dominated by the security level of the object being written
Prevents information in high-level objects (more sensitive) from flowing to objects at lower levels
Information can only flow upwards or within the same security level
30. Confidentiality Policies
In order to write at a lower security level, a subject should be allowed to take on any clearance level dominated by its original clearance level
The intuition behind the write-up rule is to prevent malicious software from leaking secret information downwards
The write-up rule lets a low subject write blindly into objects it cannot read, which may destroy data at higher security levels – hence, in practice, writing is usually confined to the subject's own security level
31. Integrity Policies
Read up
◦ A subject's integrity level must be dominated by the integrity level of the object being read
Write down
◦ A subject's integrity level must dominate the integrity level of the object being written
Prevents information stored in low objects (hence less reliable) from flowing to high objects
Protects only one aspect of integrity: high-integrity objects are not contaminated by information from less reliable ones
Information can only flow downwards or within the same integrity level
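The mandatory rules of slides 27 through 31 and the combination rule of slide 22, as an added Python example (not code from the slides or the paper). It uses the slides' TS > S > C > U levels and goes one step beyond them: each label also carries an assumed set of categories, so the label set is a lattice in which two labels can be incomparable, as the paper's "lattice of security labels" allows. The strict_write flag models the practical restriction on write-up from slide 30, and combined_allows grants an access only when both the discretionary ACL and the mandatory rule allow it. Subjects, objects, labels and the ACL are constructed.

```python
"""Multilevel security checks: dominance on a lattice of labels, the
confidentiality rules (read down / write up), the integrity rules (read up /
write down) and the intersection of a discretionary ACL with the mandatory rule.

Added example for these slides; not code from the slides or the paper. The
four levels are the slides' TS > S > C > U; categories, subjects, objects and
the ACL are constructed sample data.
"""
from dataclasses import dataclass

# Total order of levels from the slides: TS > S > C > U.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of categories (compartments).
    The slides show only the four-level chain; categories are assumed here
    so that the label set is a lattice rather than a line."""
    level: str
    categories: frozenset = frozenset()


def dominates(a, b):
    """a dominates b iff a's level is at or above b's and a's categories include
    b's. Labels with unrelated categories are incomparable: neither dominates."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def mac_allows(clearance, obj_label, op, strict_write=False):
    """Confidentiality rules. read: read down (clearance dominates the object).
    write: write up (object dominates the clearance). With strict_write the
    write must be at the subject's own level, the usual practical restriction
    so that a low subject cannot blindly overwrite data it may not read."""
    if op == "read":
        return dominates(clearance, obj_label)
    if op == "write":
        if strict_write:
            return clearance == obj_label
        return dominates(obj_label, clearance)
    raise ValueError(f"unknown operation {op!r}")


def integrity_allows(subject_int, obj_int, op):
    """Integrity rules on the same lattice, read the other way.
    read: read up (object's integrity dominates the subject's).
    write: write down (subject's integrity dominates the object's)."""
    if op == "read":
        return dominates(obj_int, subject_int)
    if op == "write":
        return dominates(subject_int, obj_int)
    raise ValueError(f"unknown operation {op!r}")


def dac_allows(acl, subject, obj, op):
    """Discretionary check against the object's ACL."""
    return op in acl.get(obj, {}).get(subject, set())


def combined_allows(acl, clearance, labels, subject, obj, op, strict_write=False):
    """Policies combined: an access is granted only if every policy grants it,
    i.e. the intersection of the accesses the DAC and MAC policies allow."""
    return dac_allows(acl, subject, obj, op) and mac_allows(
        clearance[subject], labels[obj], op, strict_write)


# Constructed sample data (not from the slides).
CLEARANCE = {
    "alice": Label("S", frozenset({"crypto"})),
    "bob": Label("C"),
}
LABELS = {
    "plan.txt": Label("S", frozenset({"crypto"})),
    "nuclear.txt": Label("S", frozenset({"nuclear"})),
    "memo.txt": Label("C"),
    "public.txt": Label("U"),
}
# Discretionary ACL: alice has write on memo.txt, so under DAC alone a program
# running as alice could copy plan.txt into memo.txt where bob can read it.
ACL = {
    "plan.txt": {"alice": {"read", "write"}},
    "memo.txt": {"alice": {"read", "write"}, "bob": {"read", "write"}},
    "public.txt": {"alice": {"read"}, "bob": {"read"}},
}
```

The memo.txt case is the Trojan-horse scenario of slide 24: the ACL permits alice to write the lower-level file, so a discretionary policy alone cannot stop her (or malware running with her identity) from leaking plan.txt downwards; the write-up rule denies that write regardless of what the ACL says.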
33. Role-based Policies
Neither the discretionary nor the mandatory approach satisfies the needs of most commercial enterprises
◦ Mandatory policies arise from rigid environments, like those of the military
◦ Discretionary policies arise from cooperative yet autonomous requirements, like those of academic researchers
One alternative is role-based policies
34. Role-based Policies
The flexibility required:
◦ Allow the specification of authorizations to be granted to users (or groups) on objects, as in the discretionary approach, together with the possibility of specifying restrictions (as in the mandatory approach) on the assignment or on the use of such authorizations
35. Role-based Policies
A role is a set of actions and responsibilities associated with a particular working activity
Instead of specifying all the accesses each user is allowed to execute, access authorizations are specified for roles
Users are given authorization to adopt roles
A user playing a role is allowed to execute all accesses for which the role is authorized
36. Role-based Policies
A user may or may not be allowed to play multiple roles at the same time
A user may take on different roles on different occasions
37. Advantages of Role-based Policies
Simplification of authorization management
Hierarchical roles simplify further by allowing generalization and specialization
Roles can be defined so that a user operates with the least privilege needed for the task at hand
Promotes separation of duty to prevent misuse of the system
Instead of individual objects, access can be specified for object classes
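Slides 33 through 37 in code, as an added Python example (not from the slides or the paper): users are authorized to adopt roles, roles carry permissions on object classes (using the bank-account operations of slide 8), a role hierarchy lets a senior role inherit a junior role's permissions, a session activates only the roles a task needs (least privilege), and a static separation-of-duty constraint refuses to give one user two conflicting roles, including when the conflict arises through inheritance. All role names, permissions and users are constructed.

```python
"""Role-based access control: users -> roles -> permissions, with a role
hierarchy, least-privilege sessions and static separation of duty.

Added example for these slides; not code from the slides or the paper.
Roles, permissions and users are constructed; the account operations
(inquiry, credit, debit) are the ones slide 8 gives for bank accounts.
"""

# role -> set of (operation, object class) permissions
ROLE_PERMS = {
    "teller": {("inquiry", "account"), ("credit", "account"), ("debit", "account")},
    "auditor": {("inquiry", "account"), ("read", "audit_log")},
    "branch_manager": {("open", "account"), ("close", "account")},
}

# senior role -> junior roles whose permissions it inherits (generalization/specialization)
ROLE_HIERARCHY = {"branch_manager": {"teller"}}

# pairs of roles no single user may hold, even through inheritance (static separation of duty)
SOD_CONFLICTS = {frozenset({"teller", "auditor"})}


def roles_including_juniors(role, hierarchy=ROLE_HIERARCHY):
    """The role itself plus every role below it in the hierarchy."""
    result = {role}
    for junior in hierarchy.get(role, set()):
        result |= roles_including_juniors(junior, hierarchy)
    return result


def effective_permissions(role, hierarchy=ROLE_HIERARCHY, perms=ROLE_PERMS):
    """A role's own permissions plus those inherited from its junior roles."""
    result = set()
    for r in roles_including_juniors(role, hierarchy):
        result |= perms.get(r, set())
    return result


def assign_role(user_roles, user, role, hierarchy=ROLE_HIERARCHY, conflicts=SOD_CONFLICTS):
    """Authorize a user to adopt a role, unless the roles the user would then
    hold (directly or by inheritance) include a conflicting pair.
    Returns True if the assignment was made, False if separation of duty refused it."""
    held = user_roles.setdefault(user, set())
    would_hold = set()
    for r in held | {role}:
        would_hold |= roles_including_juniors(r, hierarchy)
    if any(pair <= would_hold for pair in conflicts):
        return False
    held.add(role)
    return True


def activate(user_roles, user, roles):
    """Open a session in which only the given roles are active. A user who
    holds several roles activates just the ones the task needs (least privilege)."""
    roles = set(roles)
    not_authorized = roles - user_roles.get(user, set())
    if not_authorized:
        raise PermissionError(f"{user} is not authorized for roles {sorted(not_authorized)}")
    return {"user": user, "active": roles}


def session_allows(session, operation, obj_class):
    """An access is allowed if any active role (with its juniors) is authorized for it."""
    return any((operation, obj_class) in effective_permissions(r) for r in session["active"])
```

Note that assign_role checks the conflict on the expanded role set: giving an auditor the branch_manager role is refused even though branch_manager itself is not listed as conflicting, because branch_manager inherits teller.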
38. Administration of Authorization
Administrative policies determine who is authorized to modify the allowed accesses
In mandatory AC, the security administrator determines the access of subjects to objects
In discretionary and role-based AC, there are possibly many types of administrative policies
39. Administration of Authorization
Example DAC administrative policies
◦ Centralized – a single authorizer, as in MAC
◦ Hierarchical – authorizers are ordered in a hierarchy with decreasing power
◦ Cooperative – multiple authorizers must jointly specify each access
◦ Ownership – the owner of the object controls accesses to it
◦ Decentralized – the owner can delegate to other users the privilege of specifying authorizations