Types of Access Controls
1. Types of Access Controls
• There are three types of Access Controls:
– Administrative controls
• Define roles, responsibilities, policies, and administrative functions
to manage the control environment.
– Technical controls
• Use hardware and software technology to implement access
control.
– Physical controls
• Ensure safety and security of the physical environment.
2. Administrative Controls
• Ensure that technical and physical controls are understood and properly
implemented
– Policies and procedures
– Security awareness training
– Asset classification and control
– Employment policies and practices (background checks, job rotations, and
separation of duties)
– Account administration
– Account and log monitoring
– Review of audit trails
3. Administrative Preventive Controls
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Risk assessments and analysis
• Creating a security program
• Separation of duties
14. Kerberos
• A computer network authentication protocol
– Allows principals communicating over a non-secure network to
prove their identity to one another in a secure manner.
• Principals
– Any user or service that interacts with a network
– Term that is applied to anything within a network that needs to
communicate in an authorized manner
15. Components of Kerberos
– Key Distribution Center (KDC)
• Holds all of the principals' long-term secret keys
• Principals authenticate to the KDC before they can obtain tickets for any Kerberized service
– Authentication Server (AS)
• Authenticates the user at initial logon
• Issues the initial Ticket Granting Ticket (TGT), which the client later presents to the TGS
– Ticket Granting Service (TGS)
• Issues service tickets that allow a client to authenticate to a service (and, with mutual authentication, the service to the client)
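The three exchanges above (AS, TGS, and the final client-to-service step), as an added example that is not part of the original slides. It is a toy model: the cipher, the string-to-key step and the message layout are simplified stand-ins for Kerberos' real encryption types and ASN.1 messages; the principal names "alice" and "HTTP/web.example", the ticket lifetime and the clock-skew window are assumed. What it does show faithfully is which key seals each message, so that the client never sees the TGS or service keys, the service never talks to the KDC, and a wrong password simply fails to open the AS reply.

```python
"""Toy Kerberos: AS, TGS and AP exchanges with a toy cipher (added example, see lead-in)."""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 600   # ticket lifetime in seconds (assumed)
MAX_SKEW = 300   # authenticator freshness window in seconds (assumed)

def string_to_key(password: str) -> bytes:
    """Toy string-to-key: real Kerberos salts and iterates, this only hashes."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag); not for production use."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(session_key: bytes, ticket: dict, authenticator: bytes) -> dict:
    """Used by both the TGS and the service: live ticket, fresh authenticator, same principal."""
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(session_key, authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket principal")
    if abs(auth["time"] - time.time()) > MAX_SKEW:
        raise ValueError("authenticator outside the clock-skew window")
    return auth

class KDC:
    """Holds every principal's long-term key and runs both the AS and the TGS."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)            # principal name -> long-term key
        self.keys["krbtgt"] = os.urandom(32)    # the key that seals TGTs

    def as_exchange(self, client: str, nonce: str):
        """AS-REQ/AS-REP: a TGT the client cannot read plus a reply only the client's key opens."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session, "exp": time.time() + LIFETIME})
        return tgt, seal(self.keys[client], {"key": session, "nonce": nonce})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: validate the TGT, then issue a ticket sealed with the service's key."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(bytes.fromhex(t["key"]), t, authenticator)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session, "exp": time.time() + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service})

def client_login(kdc: KDC, name: str, password: str) -> dict:
    """Client side of the AS exchange; a wrong password cannot unseal the reply."""
    nonce = os.urandom(8).hex()
    tgt, reply = kdc.as_exchange(name, nonce)
    cred = unseal(string_to_key(password), reply)
    if cred["nonce"] != nonce:
        raise ValueError("replayed AS-REP")
    return {"name": name, "tgt": tgt, "tgs_key": bytes.fromhex(cred["key"])}

def client_service_ticket(kdc: KDC, creds: dict, service: str):
    """Client side of the TGS exchange: present TGT + authenticator, get ticket + session key."""
    auth = seal(creds["tgs_key"], {"client": creds["name"], "time": time.time()})
    ticket, reply = kdc.tgs_exchange(creds["tgt"], auth, service)
    return ticket, bytes.fromhex(unseal(creds["tgs_key"], reply)["key"])

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """AP-REQ/AP-REP on the server; no KDC round trip is needed at this point."""
    t = unseal(service_key, ticket)
    auth = check_authenticator(bytes.fromhex(t["key"]), t, authenticator)
    # Mutual authentication: echo the client's timestamp under the session key.
    return t["client"], seal(bytes.fromhex(t["key"]), {"time": auth["time"]})

def demo(password: str = "correct horse") -> str:
    """Login, fetch a service ticket, authenticate to the service; returns the name the service saw."""
    http_key = os.urandom(32)
    kdc = KDC({"alice": string_to_key("correct horse"), "HTTP/web.example": http_key})
    creds = client_login(kdc, "alice", password)
    ticket, svc_key = client_service_ticket(kdc, creds, "HTTP/web.example")
    who, ap_rep = service_accept(http_key, ticket, seal(svc_key, {"client": "alice", "time": time.time()}))
    unseal(svc_key, ap_rep)   # client side: proves the service knew the session key
    return who
```

Calling demo() walks one principal through all three exchanges; calling it with a wrong password fails inside client_login because the AS reply is sealed under the key derived from the real password. The authenticator check is the same code on the TGS and on the service, which is why both need clocks within the skew window.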
17. Access Control Models
Frameworks that dictate how subjects access objects
Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)
18. Discretionary Access Control
• Allows the owner of the resource to specify which subjects can access
which resources
• Access control is at the discretion of the owner
• DAC defines an access control policy that restricts access to files and
other system resources based on the identity of the requesting subject
• DAC can be implemented through Access Control Lists (ACLs)
19. Access Control Matrix
• Rows are subjects, columns are objects; each cell holds the rights that subject has on that object
• Access Control Lists (ACLs)
• A column of the matrix: specifies the list of subjects that are authorized to access a specific object
• Capability Lists
• A row of the matrix: specifies the access rights a certain subject possesses pertaining to specific
objects
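The matrix with its two projections, plus the DAC rule from the previous slide that only an owner may grant or revoke rights, as an added example (not code from the original slides). The subjects, objects and rights are constructed.

```python
"""Access control matrix with its two projections: ACL (a column) and capability list (a row)."""
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        self.owner = {}                      # object -> owning subject (the DAC notion of owner)
        self.rights = defaultdict(set)       # (subject, object) -> set of rights, i.e. one matrix cell

    def create(self, subject: str, obj: str) -> None:
        """Creating an object makes the creator its owner with full rights."""
        self.owner[obj] = subject
        self.rights[(subject, obj)] |= {"own", "read", "write"}

    def grant(self, granter: str, subject: str, obj: str, right: str) -> None:
        """DAC: only the owner may change the permissions on an object."""
        if self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.rights[(subject, obj)].add(right)

    def revoke(self, granter: str, subject: str, obj: str, right: str) -> None:
        if self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.rights[(subject, obj)].discard(right)

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        return right in self.rights.get((subject, obj), set())

    def acl(self, obj: str) -> dict:
        """Column of the matrix: which subjects hold which rights on this object."""
        return {s: sorted(r) for (s, o), r in self.rights.items() if o == obj and r}

    def capabilities(self, subject: str) -> dict:
        """Row of the matrix: which objects this subject may touch and how."""
        return {o: sorted(r) for (s, o), r in self.rights.items() if s == subject and r}


def build_sample() -> AccessMatrix:
    """Constructed sample: alice owns the payroll sheet and shares it read-only with bob."""
    m = AccessMatrix()
    m.create("alice", "payroll.xlsx")
    m.create("bob", "notes.txt")
    m.grant("alice", "bob", "payroll.xlsx", "read")
    m.grant("bob", "alice", "notes.txt", "write")
    return m
```

The two views answer different questions. A system that stores only ACLs answers "who can reach this object" directly but must scan every ACL to answer "what can this user reach" (the question asked when an account is removed); a system that stores only capability lists has the opposite cost when one object's access must be revoked.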
21. Mandatory Access Control
• Based on security label system
• Users are given a security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc
– Category
• Information warfare, Treasury, UN, etc
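A label check over the two-part sensitivity label described above (classification level plus categories), as an added example that is not from the original slides. The read and write rules used here are the Bell-LaPadula properties (no read up, no write down), which the slides do not name; the levels and labels are constructed.

```python
"""Mandatory access control with sensitivity labels: a classification level plus a set of categories."""
from dataclasses import dataclass, field

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """A dominates B when A's level is at least B's and A holds every category B has."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property: the subject's clearance must dominate the object's label."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property: the object's label must dominate the subject's clearance (no write down)."""
    return classification.dominates(clearance)


def decide(clearance: Label, classification: Label, op: str) -> tuple:
    """Return (allowed, reason); MAC never consults an owner, only the two labels."""
    if op == "read":
        ok = can_read(clearance, classification)
    elif op == "write":
        ok = can_write(clearance, classification)
    else:
        raise ValueError(f"unknown operation {op!r}")
    if ok:
        return True, "label check passed"
    missing = classification.categories - clearance.categories
    if op == "read" and LEVELS[clearance.level] < LEVELS[classification.level]:
        return False, "read up: clearance below classification"
    if op == "read" and missing:
        return False, "missing categories: " + ", ".join(sorted(missing))
    return False, "write down: object label does not dominate the subject's clearance"
```

The category set is what makes a Top Secret clearance with no categories unable to read a Secret, Treasury document: level alone never decides. Write works the other way round, so a Secret subject may write into a Top Secret object but not into a Confidential one.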
22. Role Based Access Control
• Uses a centrally administered set of controls to determine how subjects and
objects interact
• Decisions based on the functions that a user is allowed to perform within an
organization
• An advantage of role based access controls is the ease of administration
• Capability tables are sometimes seen in conjunction with role-based access
controls
• Best for high-turnover organizations
23. Access Control Techniques
• Rule-Based Access Control
• Constrained User Interface
• Content Dependent Access Control
• Context Dependent Access Control
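Role based access control from the previous slide with the rule-, content- and context-dependent techniques listed here layered on top of it, as one added example (not code from the original slides). The helpdesk roles, permissions, users and ticket records are constructed, and the business-hours window is an assumed rule.

```python
"""RBAC decision first, then rule-based, context-dependent and content-dependent checks."""
from datetime import datetime


class Authorizer:
    def __init__(self, role_perms: dict, user_roles: dict):
        self.role_perms = {r: set(p) for r, p in role_perms.items()}   # role -> permissions
        self.user_roles = {u: set(r) for u, r in user_roles.items()}   # user -> roles

    def reassign(self, user: str, roles) -> None:
        """Turnover or promotion: change the user's roles; no per-object entries need editing."""
        self.user_roles[user] = set(roles)

    def roles_of(self, user: str) -> set:
        return self.user_roles.get(user, set())

    def rbac_allows(self, user: str, perm: str) -> bool:
        """Pure RBAC: the user holds the permission through at least one role."""
        return any(perm in self.role_perms.get(r, ()) for r in self.roles_of(user))

    @staticmethod
    def context_ok(now: datetime) -> bool:
        """Context-dependent rule: weekdays 08:00-18:00 (assumed business hours)."""
        return now.weekday() < 5 and 8 <= now.hour < 18

    def content_ok(self, user: str, perm: str, record: dict) -> bool:
        """Content-dependent rule: a plain clerk may update only tickets assigned to them."""
        if perm == "ticket:update" and self.roles_of(user) == {"clerk"}:
            return record.get("assignee") == user
        return True

    def authorize(self, user: str, perm: str, record: dict, now: datetime) -> tuple:
        """Rule-based layering: every check must pass; the reason names the first that failed."""
        if not self.rbac_allows(user, perm):
            return False, "no role grants " + perm
        if not self.context_ok(now):
            return False, "outside business hours"
        if not self.content_ok(user, perm, record):
            return False, "ticket not assigned to " + user
        return True, "ok"


def build_sample() -> Authorizer:
    """Constructed helpdesk policy: clerks work tickets, managers close them, auditors only read."""
    return Authorizer(
        role_perms={
            "clerk": {"ticket:read", "ticket:update"},
            "manager": {"ticket:read", "ticket:update", "ticket:close", "report:read"},
            "auditor": {"ticket:read", "report:read"},
        },
        user_roles={"dana": {"clerk"}, "eve": {"manager"}, "raj": {"auditor"}},
    )
```

The ease-of-administration claim shows up in reassign(): when a clerk becomes a manager, one line changes the user's role set and every ticket permission follows, with no ACL to edit. The rule, context and content checks never grant anything the role did not; they only narrow it.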
24. Penetration Testing
• Process of simulating attacks on Information Systems
– At the request of the owner or senior management
• Uses set of procedures and tools designed to test security controls of a
system
• Emulates the same methods attackers use
27. Step 2
Enumeration
– Performing port scans and resource identification methods
– Gaining specific information on the basis of information gathered
during reconnaissance
– Includes use of dialers, port scanners, network mapping,
sweeping, vulnerability scanners, and so on
28. Step 3
Vulnerability Mapping
• Identifying vulnerabilities in identified systems and resources
• Based on these vulnerabilities attacks are carried out
Step 4
Exploitation
– Attempting to gain unauthorized access by exploiting the Vulnerabilities
Step 5
Report to management
– Delivering to management documentation of test findings along with suggested countermeasures
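Steps 2, 3 and 5 above carried out against a local target, as an added example that is not from the original slides: a TCP connect scan with banner grabbing (enumeration), a match of banners against known weak configurations (vulnerability mapping) and a findings summary with a countermeasure (report to management). The target is a constructed listener on 127.0.0.1 that returns one banner line, the banner-to-weakness table is illustrative rather than a real vulnerability database, and no exploitation (step 4) is performed. In an engagement the same enumeration would normally be done with a tool such as nmap; this is written in Python so it runs offline.

```python
"""Enumeration, vulnerability mapping and reporting against a constructed local target."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed examples of the kind of banner evidence a vulnerability-mapping step keys on.
BANNER_RULES = {
    "SSH-1.99": "server still negotiates SSH protocol version 1",
    "220 FTP anonymous": "anonymous FTP login advertised",
}


def start_fake_service(banner: bytes) -> int:
    """Constructed target: listen on an ephemeral port and send one banner line per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan plus banner grab; None means closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""          # open, but the service waits for the client to speak first
    except OSError:
        return None


def enumerate_ports(host: str, ports, workers: int = 32) -> dict:
    """Step 2: returns {port: banner} for every port that accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: (p, probe(host, p)), ports))
    return {p: b for p, b in results if b is not None}


def map_vulns(open_ports: dict) -> list:
    """Step 3: match banners against known weak configurations."""
    return [(port, banner, note) for port, banner in open_ports.items()
            for key, note in BANNER_RULES.items() if key in banner]


def report(host: str, open_ports: dict, findings: list) -> str:
    """Step 5: plain-text summary with a countermeasure per finding."""
    lines = [f"Target: {host}", f"Open ports: {sorted(open_ports) or 'none'}"]
    for port, banner, note in findings:
        lines.append(f"  {port}/tcp  {banner!r}: {note}; countermeasure: disable or upgrade the service")
    return "\n".join(lines)


def demo() -> dict:
    """Spin up the constructed target, scan a small window of ports around it, map and report."""
    port = start_fake_service(b"SSH-1.99-OpenSSH_5.3")
    open_ports = enumerate_ports("127.0.0.1", range(port - 3, port + 4))
    findings = map_vulns(open_ports)
    return {"port": port, "open": open_ports, "findings": findings,
            "report": report("127.0.0.1", open_ports, findings)}
```

probe() distinguishes three outcomes a scanner has to report separately: a refused or timed-out connection (None), an open port whose service speaks first (banner text), and an open port whose service waits for the client (empty string), which still counts as open in the enumeration.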