What the pages cover
Pages 81 - 148
CISSP CBK 3rd
● Access Control Techniques
○ Methods
● Identification and Authentication
○ Types and Strategies
● Identity Management
○ Considerations
● Authentication Methods
○ How to establish
● Sessions
○ Strategies on how to control
Access Control
Access Control Techniques
● Only authorised users, programs, and/or systems are allowed to access resources.
Access Controls - Continued
● How we determine which users, programs or systems get what kind of access to which resources.
● Methods of organising and protecting data.
Access Control Techniques
"Yo, Check out that sweet role-based access control..." - Lord Nikon
Discretionary and Mandatory Access Controls
Translating the balance between access controls enforced by the organization and the access that information owners can grant can be defined by three general frameworks:
● Discretionary (DAC)
● Non-Discretionary
● Mandatory (MAC)
Discretionary and Mandatory Access Controls - continued
Discretionary:
● Controls placed on data by the owner of the data. The owner decides who gets access, and with what privilege.
● User-centric (the user is responsible).
Mandatory:
● Controls are determined by the system and based on organisational policy.
● System-centric (user vs. resource classification).
● The Information Owner specifies who needs to know; the system makes the decision against that criteria.
● man chmod
Data Access Controls
ACLs (Access Control Lists)
● Keyword pattern & action
○ Example: MAC address filtering
● If nothing matches, or no action is specified, the default is either deny by default or allow by default (based on the org's stance).
● The structure of access is often based on the organization structure (users into groups, groups into file and directory permissions).
Access Control Matrix
● An ACL in the form of a table.
● Unwieldy for large environments, but useful when designing a system, or when looking at smaller portions of one.
Rule-based Access Control
● Access is based on a predefined set of rules.
● These rules specify the privileges granted to users when specific conditions are met.
○ Example:
■ The standard ACL says that Jr. Admin Bob can access the Dubstep MP3 folder, but the rule-based system would specify that while he can access it, he can only do so between 5PM and 8AM (outside of Sr. Admin Barry's office hours).
Role-Based Access Controls
● RBAC bases access control authorizations on the roles or functions that the user is assigned within an organization.
● The determination of which roles have what access can be governed by the Data Owner, or applied based on org policy.
RBAC - Continued
The four basic RBAC architectures:
● Non-RBAC
○ Traditional user-granted access (like ACLs). No formal roles or mapping.
● Limited RBAC
○ Users are mapped to a single application only.
● Hybrid RBAC
○ Users are mapped to multiple applications that subscribe to the org's role-based model.
● Full RBAC
○ Enterprise-wide. Top down, from role policy.
See Fig. 1.11
RBAC - Continued
● RBAC is easily modeled after the organisation's own organizational or functional structure.
○ Personnel moves are simplified (job role is tied to access).
See also "The Triangle of Power" by Matt Byrd, MSFT: http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx
Miscellaneous Controls
● Content-dependent access controls are based on the data. The control mechanism examines the data and makes decisions based on what it finds.
● Constrained User Interface is a method of restricting users to functions in the UI, based on their role in the system.
○ Example: AS/400 payroll menus, a POS unit, or views in a database.
Miscellaneous Controls - cont'd
● Capability tables are used to match subjects (like users or processes) to their capabilities (read, write, etc.).
● Temporal (time-based) isolation limits access based on time.
○ Examples: the Dubstep MP3 folder, or limiting access to change payroll to the first 4 hours of the day.
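As an added illustration (not from the slides or the CBK), the following Python models the mechanisms listed above with constructed subjects and objects: an ACL with an explicit default-deny or default-allow stance, the same policy viewed as an access control matrix and as per-subject capability tables, a rule-based time window layered on top of an ACL grant (Bob's 5PM to 8AM access to the Dubstep MP3 folder), and roles resolved from a user-to-role mapping. The names `ACL`, `ROLES`, `TIME_RULES` and the users are assumptions made up for the example.

```python
"""Added example (not from the slides or the CBK): a toy access-control
engine showing, side by side, the mechanisms the slides list:

  * an ACL with an explicit default-deny vs. default-allow stance,
  * the same policy viewed as an access control matrix and as
    per-subject capability tables,
  * a rule-based (temporal) constraint layered on top of an ACL grant,
  * role-based grants resolved through a user -> role mapping.

All subjects, objects and rules below are constructed sample data.
"""
from datetime import time
from typing import Dict, FrozenSet, List, Tuple

Perm = str  # "read" / "write" / "execute"

# --- ACL: object -> ordered list of (principal, permissions) entries ----
ACL: Dict[str, List[Tuple[str, FrozenSet[Perm]]]] = {
    "payroll.db":   [("barry",   frozenset({"read", "write"})),
                     ("role:hr", frozenset({"read"}))],
    "dubstep_mp3/": [("barry",   frozenset({"read", "write"})),
                     ("bob",     frozenset({"read"}))],
}

# Users into groups/roles (the RBAC mapping the slides describe).
ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"hr"}),
    "bob":   frozenset({"jr_admin"}),
    "barry": frozenset({"sr_admin"}),
}


def acl_allows(subject: str, obj: str, perm: Perm,
               default_allow: bool = False) -> bool:
    """First matching ACL entry wins. If no entry matches, fall back to
    the org's stance: deny by default unless default_allow is set."""
    principals = {subject} | {f"role:{r}" for r in ROLES.get(subject, ())}
    for who, perms in ACL.get(obj, []):
        if who in principals:
            return perm in perms
    return default_allow


# --- Rule-based layer: (subject, object) -> allowed wall-clock window ---
# Bob may reach the MP3 folder only outside Barry's office hours:
# 17:00 until 08:00 the next day (a window that wraps past midnight).
TIME_RULES: Dict[Tuple[str, str], Tuple[time, time]] = {
    ("bob", "dubstep_mp3/"): (time(17, 0), time(8, 0)),
}


def in_window(now: time, start: time, end: time) -> bool:
    if start <= end:                    # e.g. 08:00-17:00
        return start <= now < end
    return now >= start or now < end    # wraps midnight, e.g. 17:00-08:00


def rule_based_allows(subject: str, obj: str, perm: Perm, now: time) -> bool:
    """The ACL grant is necessary but not sufficient: a temporal rule,
    if one applies to this subject/object pair, must also be satisfied."""
    if not acl_allows(subject, obj, perm):
        return False
    rule = TIME_RULES.get((subject, obj))
    return rule is None or in_window(now, *rule)


# --- Matrix and capability views of the same ACL -----------------------
def access_matrix() -> Dict[str, Dict[str, FrozenSet[Perm]]]:
    """Rows = subjects, columns = objects, cells = effective permissions."""
    return {s: {o: frozenset(p for p in ("read", "write", "execute")
                             if acl_allows(s, o, p))
                for o in sorted(ACL)}
            for s in sorted(ROLES)}


def capability_table(subject: str) -> Dict[str, FrozenSet[Perm]]:
    """One row of the matrix: what this subject can do, per object."""
    return {o: perms for o, perms in access_matrix()[subject].items() if perms}
```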
Identification and Authentication
● Identification
○ Provides uniqueness and accountability (when done properly).
● Authentication
○ Provides validity. You are expected, and trusted.
● Authorization
○ Provides control.
Identification Methods
Identification provides a point of assignment and association to a user entity within a system. This can be a user, a service account, etc...
Examples:
● User name
● User ID
● Account number
● PIN
● Certificates
Badges
● The identification badge is the most common form of physical identification.
○ Name, logo, face, colour, etc.
● Policy usually dictates they must be worn at all times.
● "Badge check"
● Usually tied together with an access badge & reader.
● RFID
Other Types
● User ID
○ Only use it as a system identifier, not as an authenticator.
● MAC (Media Access Control) address
○ No longer a good way to authenticate a user (spoofable).
● IP address
○ Logical location on the network. Set by software, so not a good indicator.
○ Subnets
● Email address
○ The concept is that an email address is globally unique; however, it's spoofable and only unique by convention.
User Identification Guidelines
● Three essential security characteristics regarding identities:
○ Uniqueness
■ Must be unambiguous & distinct.
■ Can be duplicated across systems, but that is bad practice.
○ Non-descriptiveness (IDs like the following give away the person or role behind the account):
■ billg@microsoft.com
■ Samir_Nagheenanajar@Initech.com
■ CIO@Wellsfargo.com
○ Secure issuance
■ Documentable and traceable.
Identity Management
● Every system must track valid users and control their permissions, across different types of administrative software and processes.
● Account creation process & propagation.
● The goal of the system is to consolidate access rights into a managed system.
● See Fig 1.13
● Quicker provisioning & deprovisioning.
Poll: How long does it take to deprovision/lock all passwords/etc. on a user account in your org?
Identity Management Challenges
● 2 Minutes Hate - topic: User Provisioning
● Backlog
○ Not enough people to process requests.
● Cumbersome
○ Too complex or time consuming = errors.
● Incomplete forms
○ "I just check all the boxes."
● No audit trails
○ "Fuck it, we'll do it live!"
● Stale users
○ Ghost NDRs
Identity Management Challenges - continued
● Consistency
○ User profile data should be consistent and uniform.
● Usability
● Reliability
○ "My admin account never worked right, so I've just been using the domain admin."
● Scalability
○ If you have 10,000 users and your domain controller is an old laptop, you're gonna have a bad time.
Other Considerations
● Can help with legal obligations and industry-specific compliance.
● When properly done, you can have finer control (and flexibility) over what levels of access the public, guests, vendors, contractors, support, etc. groups have.
Centralised Identity Management
● In general, an org will opt to be either centralized or decentralized.
● Centralized:
○ All access decisions, provisioning, and management are concentrated in a central location.
○ One entity (user/department/system) manages the service for the entire org. Example: RADIUS
● Decentralized:
○ ID management, authentication, and authorisation decisions are moved closer to the local resource.
○ Could be per department.
Authentication Methods
● Authentication by knowledge
○ Something you know
■ Example: Password
● Authentication by possession
○ Something you have
■ Example: ID Badge
● Authentication by characteristic
○ Something you are
■ Example:
Factors
● Logical controls related to those types are called "factors".
● Single-factor
○ Use of 1 factor (makes sense, right?)
● Two-factor
○ Using two of the three factors. (Who edited this book?)
● Three-factor
○ You get the picture.
● The book mentions a possible 4th factor (geolocation) by GPS or IP.
Authentication by Knowledge
● Passwords
○ Standard words
■ God
● Easily guessable
○ Combination
■ G0d
● Got an app for that
○ Complex
■ 1||$1D3j0|<3
● Harder to remember - people usually write these down or have them somewhere.
● Passphrase
○ List of names, phrase, or mnemonic
■ Example: AD5wu5ydD!
● "Always do sober what you said you'd do drunk." - Hemingway
Passwords continued
● Issues:
○ Cleartext
○ Offline and off-site cracking
● Passwords are often hashed, as an extra measure of protection.
● Graphical passwords
○ Protect somewhat against keyloggers.
Authentication By Possession
● Token, fob, badge, key, ring, etc.
● The concept is to add an additional layer of confidence.
● Two methods:
○ Asynchronous
■ Challenge-response
● Slide card, enter PIN
○ Synchronous
■ Time, event, or location
● Seed. Like the WoW account thingie.
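As an added example (not from the slides or the book), here is the shared-seed mechanism behind a synchronous token, written as the standard HMAC-based one-time codes (RFC 4226 HOTP for event-based tokens, RFC 6238 TOTP for time-based ones) together with the server-side checks a defender cares about: a small clock-drift window, constant-time comparison, and a counter that refuses replayed codes. The seed, the timestamps and the `HotpServer` class are constructed for the example.

```python
"""Added example (not from the slides): how a synchronous possession
token works. Token and server share a seed; the token derives a one-time
code from the seed plus a moving factor (an event counter, or the current
30-second time step), and the server recomputes it. The construction is
the standard HMAC-based one (RFC 4226 HOTP / RFC 6238 TOTP); the seed and
timestamps used below are constructed sample values.
"""
import hashlib
import hmac
import struct

SEED = b"constructed-shared-seed-0123"  # would be provisioned per token
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based code: HMAC-SHA1(seed, counter) -> dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: same construction, counter = time step number."""
    return hotp(seed, unix_time // step)


def verify_totp(seed: bytes, code: str, unix_time: int,
                drift_steps: int = 1) -> bool:
    """Server side: accept the code for the current step or +/- drift_steps
    to tolerate clock skew, comparing in constant time."""
    now_step = unix_time // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(seed, now_step + delta), code):
            return True
    return False


class HotpServer:
    """Event-based server state: remembers the next acceptable counter so a
    replayed code is rejected, and resyncs within a small look-ahead window
    when the token was pressed a few times without the code being used."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed, self.look_ahead, self.counter = seed, look_ahead, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1   # this and earlier counters are burnt
                return True
        return False
```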
Static Authentication Devices
● Physical device that contains credentials.
● Two types:
○ Memory cards
■ Swipe cards. Mag stripe.
■ Often used together with a PIN.
■ Often the stripe is unencrypted. Theft.
○ Smart cards
■ Embedded chip that can accept, store, and send information.
■ Some have apps.
● Used for secure log-on, S/MIME, secure web access, VPNs, hard disk encryption.
■ Helps integrate outside devices into enterprise PKI.
Smart-Card Segue
● Types of information on a smart card:
○ Read only.
○ Added only.
○ Updated only.
○ No access available.
● Trusted path
○ The login process is done by the reader, instead of the host.
○ Minimises surface area and "hops", since each addition adds opportunity for security failures.
Smart Card Memory Types
● ROM
○ Predetermined by the manufacturer.
● Programmable Read-Only (PROM)
○ Can be modified, but looks like a pain in the ass.
● Erasable Programmable Read-Only (EPROM)
○ Widely used early on, but the process is difficult. Ultraviolet light? Really?
● Electrically Erasable PROM (EEPROM)
○ Current IC of choice.
● RAM
○ Not bad, actually, if used as a dead man's switch.
More Smart Card Stuff
● Data controls are intrinsic to how the IC works.
● Example:
○ When power is applied to the smart card, the processor can apply logic to perform services and take action or control of the EEPROM.
○ No power = no access = less exposure.
● Mag stripe, contact, and contactless (RFID)
○ See pages 126-128 for pinouts...
Footnote
The book mentions a few other possession-based authentication devices, one of which was USB devices.
iLok:
Authentication by Characteristic
● Biometrics
○ Two types:
■ Physiological
● Examples: fingerprint, hand, face, eyes
● Vascular scans (they scan yer veins! And if you mash your hand, you're SOL).
■ Behavioral
● Examples: voice pattern & recognition, keystroke pattern (typing style), signature dynamics.
○ Accuracy
■ Typical passwords, tokens, and devices provide a high degree of accuracy and confidence.
■ Humans are different, and environments are different.
Biometric Accuracy
● False Reject Rate (Type I error):
○ When authorised users are falsely rejected as unidentified or unverified.
● False Accept Rate (Type II error):
○ When unauthorised persons or imposters are falsely accepted as authentic.
● Crossover Error Rate (CER):
○ The point at which the false rejection rate and the false acceptance rate are equal. The smaller the value of the CER, the more accurate the system.
Biometric Accuracy - Cont'd
● Not sensitive enough, and everyone will be authorised.
● Too sensitive, and no one gets through.
● The "tune" of the system is largely based on risk vs. the importance of the controls, resulting in an org-accepted level of risk.
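An added worked example (not from the slides): constructed genuine and impostor match scores are swept over every threshold to show how the FRR (Type I) and FAR (Type II) move in opposite directions as the system is made more or less sensitive, where the crossover (CER) sits, and what false-reject rate an org pays when it tunes for a stricter false-accept ceiling. The score lists and the accept-if-score-at-least-threshold rule are assumptions of the example.

```python
"""Added example (not from the slides): sweep a matching threshold over
constructed genuine and impostor match scores to see how the False Reject
Rate (Type I) and False Accept Rate (Type II) trade off, find the
Crossover Error Rate (CER) where the two are equal, and see what tuning
for an org-accepted level of risk costs legitimate users.

Scores are constructed sample data in [0, 1]; higher = better match.
A sample is accepted when score >= threshold.
"""
from typing import List, Tuple

# Constructed scores: genuine users mostly score high, impostors low,
# with some overlap so no threshold can reach zero error on both sides.
GENUINE: List[float] = [0.92, 0.88, 0.81, 0.79, 0.75,
                        0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR: List[float] = [0.12, 0.20, 0.27, 0.33, 0.39,
                         0.44, 0.51, 0.58, 0.63, 0.71]


def frr(threshold: float, genuine: List[float] = GENUINE) -> float:
    """Type I: share of legitimate users rejected at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """Type II: share of impostors accepted at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine: List[float] = GENUINE, impostor: List[float] = IMPOSTOR,
              steps: int = 1000) -> Tuple[float, float]:
    """Return (threshold, CER): the first threshold minimising |FRR - FAR|
    and the error rate there. A lower CER means a more accurate system."""
    best_t, best_gap, best_cer = 0.0, float("inf"), 1.0
    for i in range(steps + 1):
        t = i / steps
        a, b = frr(t, genuine), far(t, impostor)
        gap = abs(a - b)
        if gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (a + b) / 2
    return best_t, best_cer


def tune_for_max_far(max_far: float, genuine: List[float] = GENUINE,
                     impostor: List[float] = IMPOSTOR,
                     steps: int = 1000) -> Tuple[float, float]:
    """Org-accepted-risk view: pick the lowest threshold whose FAR does not
    exceed max_far, and report the FRR that users will pay for it.
    Demanding FAR = 0 ("too sensitive") is where nobody gets through."""
    for i in range(steps + 1):
        t = i / steps
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return 1.0, frr(1.0, genuine)
```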
Biometric Considerations
● Resistance to counterfeiting
○ A determined attacker can take advantage by counterfeiting what is measured.
● Data storage requirements
○ Security of the data it's matching against.
● User acceptance
○ "Ain't nobody got time for that."
○ Enrollment speed.
● Reliability and accuracy
○ "The system... is down..."
● Target user and approach
○ Who and how?
Authentication Method Summary
● The capabilities and level of confidence increase as more factors and techniques are included in the identification and authentication process.
○ See Fig. 1.23
● "Strongest" leans towards biometrics.
○ Strong:
■ Assurance that the authentication produced by the method is valid.
○ Harder to implement, manage, and impersonate.
○ As with anything, trade-offs.
Authentication Method Summary - cont'd
The most prevalent considerations when looking at enterprise authentication method(s):
● The value of the protected asset
○ High value = more complex method
● The level of threat to the asset
○ Assess risk. Real vs. perceived.
● Potential countermeasures
○ How can we reduce the threat?
● The cost of countermeasures
○ "Consider the following..."
● Feasibility and inconvenience to users
○ Participation vs. annoyance.
Session Management
...
● Term to describe how a single instance of identification and authentication is applied to resources.
○ Desktop sessions can be controlled & protected with:
■ Screensavers
● GPO
■ Timeouts
● Power saver
■ Automatic logouts
■ Login limitations
■ Schedule limitations
● Time/Day
Logical Sessions
● Session hijacking
○ Man-in-the-Middle attacks.
○ Session sniffing.
○ Cross-Site Scripting attacks.
Accountability
● Being able to determine who or what is responsible for an action, and to hold them responsible.
● Repudiation (as defined by the book)
○ The ability to deny an action, event, impact, or result.
● Non-repudiation (cue Tim)
○ The process of ensuring that a user may not deny an action. Accountability relies heavily on non-repudiation.
Factors contributing to accountability of actions
● Strong identification
○ NO SHARED ACCOUNTS!
● Strong authentication
○ Biometrics
● User training and awareness
○ Are users aware of the consequences?
● Comprehensive and timely monitoring
○ IDS
● Accurate and consistent audit logs
○ Collect and consolidate. Security Information and Event Management (SIEM) systems.
○ Splunk (shudder)
Factors contributing to accountability of actions - cont'd
● Independent audits
○ Unbiased review. Helps root out accountability in the event of collusion.
○ Helps shape culture.
● Policies enforcing accountability
○ HR's teeth.
● Org culture supporting accountability
○ "Do as I say, not as I do."

"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 

access-control-week-2

1. Pages 81 - 148, CISSP CBK 3rd

2. What the pages cover
● Access Control Techniques
○ Methods
● Identification and Authentication
○ Types and Strategies
● Identification Management
○ Considerations
● Authentication Methods
○ How to establish
● Sessions
○ Strategies on how to control

3. Access Controls - Continued
Access Control
● Only Authorised Users, Programs, and/or systems are allowed to access resources.
Access Control Techniques
● How we can determine which users, programs or systems, what resources, and what access.
● Methods of organising and protecting data.

4. Access Control Techniques
"Yo, Check out that sweet role-based access control..." - Lord Nikon

5. Discretionary and Mandatory Access Controls
The balance between access controls enforced by the Organization and those set by information owners over who can have access can be described by three general frameworks:
● Discretionary (DACs)
● Non-Discretionary
● Mandatory (MACs)

6. Discretionary and Mandatory Access Controls - continued
Discretionary:
● Controls placed on data by the owner of the data. The owner decides who, and what privilege.
● User-centric (User is responsible).
Mandatory:
● Controls are determined by the system and based on Organisational Policy.
● System-centric (User vs. Resource Classification).
● The Information Owner provides who needs to know. The system makes the decision against that criteria.
● man chmod

7. Data Access Controls
ACLs (Access Control Lists)
● Keyword Pattern & Action
○ Examples: MAC Address filtering
● If nothing matches, or the action is unspecified, the default will be either deny by default or allow by default (based on the org's stance).
● Structure of access is often based on Organization Structure (Users into Groups. Groups into file and directory permissions).

8. Access Control Matrix
● An ACL in the form of a table.
● Unwieldy for large environments, but useful when designing a system, or looking at smaller portions.

9. Rule-based Access Control
● Access is based on a predefined set of rules.
● These rules specify the privileges granted to users when specific conditions are met.
○ Example:
■ The Standard ACL says that Jr. Admin Bob can access the Dubstep MP3 Folder, but the rule-based system would specify that while he can access it, he can only access the folder between 5PM and 8AM (outside of Sr. Admin Barry's Office Hours).

10. Role-Based Access Controls
● RBAC bases the access control authorizations on the roles or functions that the user is assigned within an organization.
● The determination of which roles have what access can be governed by the Data Owner, or applied based on Org Policy.

11. RBAC - Continued
The four basic RBAC architectures:
● Non-RBAC
○ Traditional user-granted access (like ACLs). No formal roles or mapping.
● Limited RBAC
○ Users are mapped to a single application only.
● Hybrid RBAC
○ Users are mapped to multiple applications that subscribe to the Org's role-based model.
● Full RBAC
○ Enterprise wide. Top down, from role policy.
See Fig. 1.11
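As an added example (not part of the slides or the CISSP CBK), here is a small Python decision function that ties together the access control matrix (slide 8), the rule-based conditions from slides 9 and 14, and role-based access (slides 10-11), with a deny-by-default stance; all users, roles, resources and hours are constructed for illustration.

```python
# Added example (not from the deck or the CISSP CBK): one decision function that
# combines an access control matrix, role-based access control and rule-based
# time conditions. Users, roles, resources and hours are constructed.
from datetime import time

# Access control matrix (slide 8): subject -> resource -> permissions. This is
# also the DAC layer: the data owner (Barry) decides who gets what privilege.
MATRIX = {
    "barry": {"dubstep_mp3": {"read", "write"}, "payroll": {"read", "write"}},
    "bob": {"dubstep_mp3": {"read"}},
}

# RBAC (slides 10-11): permissions hang off roles; users are mapped to roles.
ROLE_PERMS = {
    "sr_admin": {("payroll", "read"), ("payroll", "write")},
    "jr_admin": {("payroll", "read")},
}
USER_ROLES = {"barry": {"sr_admin"}, "bob": {"jr_admin"}}


def outside_office_hours(now: time) -> bool:
    """Slide 9: Bob's window is 17:00 to 08:00, outside Barry's office hours."""
    return now >= time(17, 0) or now < time(8, 0)


def first_four_hours(now: time) -> bool:
    """Slide 14: payroll changes only in the first four hours of the day
    (an 08:00 start is assumed here)."""
    return time(8, 0) <= now < time(12, 0)


# Rule-based conditions (user, or None for any user; resource; permission; test).
RULES = [
    ("bob", "dubstep_mp3", "read", outside_office_hours),
    (None, "payroll", "write", first_four_hours),
]


def matrix_allows(user: str, resource: str, perm: str) -> bool:
    return perm in MATRIX.get(user, {}).get(resource, set())


def rbac_allows(user: str, resource: str, perm: str) -> bool:
    return any((resource, perm) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def is_allowed(user: str, resource: str, perm: str, now: time) -> bool:
    """Deny by default (slide 7): an explicit grant from the matrix or a role
    is required, and every rule that applies to this request must also pass."""
    if not (matrix_allows(user, resource, perm) or rbac_allows(user, resource, perm)):
        return False
    for rule_user, rule_res, rule_perm, condition in RULES:
        applies = rule_user in (None, user) and (rule_res, rule_perm) == (resource, perm)
        if applies and not condition(now):
            return False
    return True


def allowed_at(user: str, resource: str, perm: str, hhmm: str) -> bool:
    """Same check with the clock time given as 'HH:MM'."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return is_allowed(user, resource, perm, time(hour, minute))
```

Note that an unknown user such as "mallory" is refused everything without any rule needing to mention her, which is the deny-by-default stance from slide 7 in action.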
12. RBAC - Continued
● RBAC is easily modeled after the organisation's own organizational or functional structure.
○ Personnel moves are simplified (job role is tied to access).
See also "The Triangle of Power" by Matt Byrd, MSFT: http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx

13. Miscellaneous Controls
● Content-dependent access controls are based on the data. The control mechanism examines the data, and makes decisions based on what it finds.
● Constrained User Interface is a method of restricting users to functions in the UI, based on their role in the system.
○ Example: AS/400 Payroll Menus, POS unit, or Views in a database.

14. Miscellaneous Controls - cont'd
● Capability tables are used to match subjects (like users or processes) and their capabilities (read, write, etc.).
● Temporal (Time-based) Isolation limits access based on time.
○ Examples: Dubstep MP3 Folder, or limiting access to change Payroll to the first 4 hours of the day.

15. Identification and Authentication
● Identification
○ Provides uniqueness and accountability (when done properly)
● Authentication
○ Provides validity. You are expected, and trusted.
● Authorization
○ Provides Control.

16. Identification Methods
Identification provides a point of assignment and association to a user entity within a system. Can be a user, service account, etc...
Examples:
● User Name
● User ID
● Account Number
● PIN
● Certificates

17.
● The Identification Badge is the most common form of Physical identification.
○ Name, Logo, Face, Colour, etc.
● Policy usually dictates they must be worn at all times.
● "Badge Check"
● Usually tied together with an access badge & reader.
● RFID Badges

18. Other Types
● User ID
○ Only use it as a system ID, not an authenticator.
● MAC (Media Access Control)
○ No longer a good way to authenticate a user (spoofable).
● IP Address
○ Logical location on the network. Set by software, not a good indicator.
○ Subnets
● Email Address
○ The concept is that an email address is globally unique; however, it's spoofable and only unique by convention.

19. User Identification Guidelines
● Three Essential Security characteristics regarding identities:
○ Uniqueness
■ Must be unambiguous & distinct
■ Can be duplicated across systems, but bad practice
○ Non-Descriptiveness
■ billg@microsoft.com
■ Samir_Nagheenanajar@Initech.com
■ CIO@Wellsfargo.com
○ Secure Issuance
■ Documentable and traceable.

20. Identity Management
● Every system must track valid users and control their permissions, across different types of administrative software and processes.
● Account creation process & propagation.
● Goal of the system is to consolidate access rights into a managed system.
● See Fig 1.13
● Quicker provision & deprovision
Poll: How long does it take to deprovision/lock all passwords/etc. on a user account in your org?

21. Identity Management Challenges
● 2 Minutes Hate - topic: User Provisioning
● Backlog
○ Not Enough People to process
● Cumbersome
○ Too Complex, or time consuming = Errors
● Incomplete Forms
○ "I just check all the boxes."
● No Audit Trails
○ "Fuck it, we'll do it live!"
● Stale users
○ Ghost NDRs

22. Identity Management Challenges - continued
● Consistency
○ User profile data should be consistent and uniform.
● Usability
● Reliability
○ "My admin account never worked right, so I've just been using the domain admin."
● Scalability
○ If you have 10,000 users, and your domain controller is an old laptop, you're gonna have a bad time.

23. Other Considerations
● Can help with legal obligations, and industry-specific compliance.
● When properly done, you can have finer control (and flexibility) over what levels of access the public, guests, vendors, contractors, support, etc. groups have.

24. Centralised Identity Management
● In general, an Org will either opt to be Centralized, or Decentralized.
● Centralized:
○ All access decisions, provisioning, and management are concentrated in a central location.
○ One entity (user/department/system) manages the service for the entire org. Example: RADIUS
● Decentralized:
○ ID Management, authentication, and authorisation decisions are moved closer to the local resource.
○ Could be per department.

25. Authentication Methods
● Authentication by knowledge
○ Something you know
■ Example: Password
● Authentication by possession
○ Something you have
■ Example: ID Badge
● Authentication by characteristic
○ Something you are
■ Example:

26. Factors
● Logical controls related to those types are called "Factors"
● Single-Factor
○ Use of 1 Factor (makes sense, right?)
● Two-Factor
○ Usingtwoofthethreefactorswhoeditedthisbook?
● Three-Factor
○ You get the picture.
● The book mentions a possible 4th (Geolocation) by GPS or IP.

27. Authentication by Knowledge
● Passwords
○ Standard Words
■ God
● Easily Guessable
○ Combination
■ G0d
● Got an app for that
○ Complex
■ 1||$1D3j0|<3
● Harder to remember - people usually write these down or have them somewhere.
● Passphrase
○ List of names, Phrase, or Mnemonic
■ Example: AD5wu5ydD!
● "Always do sober, what you said you'd do drunk." - Hemingway

28. Passwords continued
● Issues:
○ Cleartext
○ Offline and Off-Site Cracking
● Passwords are often hashed, as an extra measure of protection.
● Graphical Passwords
○ Protect somewhat against keyloggers

29. Authentication By Possession
● Token, Fob, Badge, Key, Ring, etc.
● Concept is to add an additional layer of confidence.
● Two Methods:
○ Asynchronous
■ Challenge-Response
● Slide Card, Enter PIN
○ Synchronous
■ Time, Event, or Location
● Seed. Like the WoW account thingie.

30. Static Authentication Devices
● Physical device that contains credentials.
● Two Types:
○ Memory Cards
■ Swipe Cards. Mag Stripe.
■ Often used together with a PIN.
■ Often the stripe is unencrypted. Theft.
○ Smart Cards
■ Embedded Chip that can accept, store, and send information.
■ Some have apps.
● Used for Secure log-on, S/MIME, Secure Web Access, VPNs, Hard Disc Encryption.
■ Helps integrate outside devices into Enterprise PKI.

31. Smart-Card Segue
● Types of information on a smart card:
○ Read only.
○ Added only.
○ Updated only.
○ No Access available.
● Trusted Path
○ Login process is done by the reader, instead of the host.
○ Minimises surface area, and "hops", with each addition adding opportunity for security failures.

32. Smart Card Memory Types
● ROM
○ Predetermined by MFGR
● Programmable Read-Only (PROM)
○ Can be modified, but looks like a pain in the ass.
● Erasable Programmable Read-Only (EPROM)
○ Widely used early on, but the process is difficult. Ultraviolet light? Really?
● Electrically Erasable PROM (EEPROM)
○ Current IC of choice.
● RAM
○ Not bad, actually, if used as a Deadman's switch.

33. More Smart Card Stuff
● Data controls are intrinsic to how the IC works.
● Example:
○ When power is applied to the smart card, the processor can apply logic to perform services and take action or control of the EEPROM.
○ No power = no access = less exposure
● Mag Stripe & Contact, and Contactless (RFID)
○ See Page 126-128 for Pinouts...

34. Footnote
The book mentions a few other possession-based authentication devices, one of which was USB devices. iLok:

35. Authentication by Characteristic
● Biometrics
○ Two Types:
■ Physiological
● Example: Fingerprint, Hand, Face, Eyes
● Vascular Scans (They scan yer veins! And if you mash your hand, you're SOL).
■ Behavioral
● Examples: Voice Pattern & Recognition. Keystroke pattern (typing style), Signature dynamics.
○ Accuracy
■ Typical Passwords, tokens, and devices provide a high degree of accuracy and confidence.
■ Humans are different, and Environments are different.

36. Biometric Accuracy
● False Reject Rate (Type I Error):
○ When authorised users are falsely rejected as unidentified or unverified.
● False Accept Rate (Type II Error):
○ When unauthorised persons or imposters are falsely accepted as authentic.
● Crossover Error Rate (CER):
○ The point at which the false rejection rate and the false acceptance rate are equal. The smaller the value of CER, the more accurate the system.

37. Biometric Accuracy - Cont'd
● Not sensitive enough, and everyone will be authorised.
● Too sensitive, and no one gets through.
● The "tune" of the system is largely based on risk vs. importance of the controls, resulting in an Org-accepted level of risk.
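Added example (not from the slides or the book): computing FRR, FAR and the CER for a biometric matcher from a set of constructed match scores, which shows how sliding the acceptance threshold trades one error type for the other (slides 36-37). The scores are made up; a real matcher produces one similarity score per comparison and accepts when it reaches the threshold.

```python
# Added example (not from the deck): False Reject Rate (Type I), False Accept
# Rate (Type II) and Crossover Error Rate from constructed match scores.
from typing import List, Tuple

# Constructed similarity scores (0-100): genuine attempts by enrolled users and
# impostor attempts. A higher score means a closer match to the stored template.
GENUINE_SCORES = [91, 88, 85, 82, 79, 76, 73, 70, 66, 60]
IMPOSTOR_SCORES = [12, 20, 28, 35, 41, 48, 55, 62, 68, 74]


def error_rates(threshold: int,
                genuine: List[int] = GENUINE_SCORES,
                impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FRR, FAR) when a score must be >= threshold to be accepted.

    FRR (Type I): genuine users rejected because their score fell below the bar.
    FAR (Type II): impostors accepted because their score reached the bar.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[int] = GENUINE_SCORES,
                         impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, CER): the point where FRR
    and FAR are closest to equal. A smaller CER means a more accurate system."""
    best_t, best_gap, best_rate = 0, float("inf"), 1.0
    for t in range(0, 102):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (frr + far) / 2
    return best_t, best_rate


if __name__ == "__main__":
    # Threshold 0 lets everyone in (slide 37, "not sensitive enough");
    # threshold 101 lets no one through ("too sensitive").
    for t in (0, 50, 67, 80, 101):
        frr, far = error_rates(t)
        print(f"threshold={t:3d}  FRR={frr:.1f}  FAR={far:.1f}")
    t, cer = crossover_error_rate()
    print(f"CER ~ {cer:.1f} at threshold {t}")
```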
38. Biometric Considerations
● Resistance to counterfeiting
○ A determined attacker can take advantage by counterfeiting what is measured.
● Data storage requirements
○ Security of the data it's matching against.
● User acceptance
○ "Ain't nobody got time for that."
○ Enrollment speed.
● Reliability and accuracy
○ "The system...is down..."
● Target user and approach
○ Who and how?

39. Authentication Method Summary
● The capabilities and level of confidence increase as more factors and techniques are included in the identification and authentication process.
○ See Fig. 1.23
● "Strongest" leans towards Biometrics.
○ Strong:
■ Assurance that the authentication produced by the method is valid.
○ Harder to implement, manage, impersonate.
○ As with anything, trade-offs.

40. Authentication Method Summary - cont'd
Most prevalent considerations when looking at enterprise authentication method(s):
● The Value of the Protected Asset
○ High Value = More Complex method
● The Level of Threat to the Asset
○ Assess Risk. Real vs. Perceived.
● Potential Countermeasures
○ How can we reduce threat?
● The Cost of Countermeasures
○ "Consider the following..."
● Feasibility and inconvenience to users.
○ Participation vs. Annoyance.

41. ...

42. Session Management
● Term to describe how a single instance of identification and authentication is applied to resources.
○ Desktop Sessions can be controlled & protected:
■ Screensavers
● GPO
■ Timeouts
● Power Saver
■ Automatic Logouts
■ Login Limitations
■ Schedule Limitations
● Time/Day

43. Logical Sessions
● Session Hijacking
○ Man-In-The-Middle attacks.
○ Session Sniffing.
○ Cross-Site Scripting attacks.

44. Accountability
● Being able to determine who or what is responsible for an action, and can be held responsible.
● Repudiation (as defined by the book)
○ The ability to deny an action, event, impact, or result.
● Non-repudiation (Cue Tim)
○ The process of ensuring that a user may not deny an action. Accountability relies heavily on non-repudiation.

45. Factors contributing to accountability of actions
● Strong Identification
○ NO SHARED ACCOUNTS!
● Strong Authentication
○ Biometrics
● User training and awareness
○ Are users aware of the consequences?
● Comprehensive and Timely Monitoring
○ IDS
● Accurate and Consistent Audit Logs
○ Collect and consolidate. Security Information and Event Management (SIEM) Systems.
○ Splunk (shudder)

46. Factors contributing to accountability of actions - cont'd
● Independent Audits
○ Unbiased review. Helps root out accountability in the event of collusion.
○ Helps shape culture.
● Policies enforcing Accountability
○ HR's teeth.
● Org Culture supporting Accountability
○ "Do as I say, not as I do."