fsdffffffffffffffffffff

1. Types of Access Controls
• There are three types of Access Controls:
– Administrative controls
• Define roles, responsibilities, policies, and administrative functions
to manage the control environment.
– Technical controls
• Use hardware and software technology to implement access
control.
– Physical controls
• Ensure safety and security of the physical environment.

2. Administrative Controls
• Ensure that technical and physical controls are understood and properly
implemented
– Policies and procedures
– Security awareness training
– Asset classification and control
– Employment policies and practices (background checks, job rotations, and
separation of duties)
– Account administration
– Account, log monitoring
– Review of audit trails

3. Administrative Preventive Controls
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Risk assessments and analysis
• Creating a security program
• Separation of duties

4. Administrative Detective Controls
• Job rotation
• Sharing responsibilities
• Inspections
• Incident response
• Use of auditors

5. Technical Controls
• Examples of Technical Controls are:
– Encryption
– Biometrics
– Smart cards
– Tokens
– Access control lists
– Violation reports
– Audit trails
– Network monitoring and intrusion detection

6. Physical Controls
• Examples of Physical Controls are:
– HVAC
– Fences, locked doors, and restricted areas
– Guards and dogs
– Motion detectors
– Video cameras
– Fire detectors
– Smoke detectors

7. Technical Preventive Controls
• Passwords
• Biometrics
• Smart cards
• Encryption
• Database views
• Firewalls
• ACLs
• Anti-virus

8. Categories of Access Controls
• Preventive Avoid incident
• Deterrent Discourage incident
• Detective Identify incident
• Corrective Remedy circumstance/mitigate damage and restore
controls
• Recovery Restore conditions to normal
• Compensating Alternative control
• Directive

9. Categories of Access Controls

10. Physical Preventive Controls
• Badges
• Guards and dogs
• CCTV
• Fences, locks, man-traps
• Locking computer cases
• Removing floppy and CD-ROM drives
• Disabling USB port

11. Technical Detective Controls
• IDS(Intrusion Detection Systems)
• Reviewing audit logs
• Reviewing violations of clipping levels
• Forensics

12. Physical Detective Controls
• Motion detectors
• Intrusion detectors
• Video cameras
• Guard responding to an alarm

13. Jotting them together…

14. Kerberos
• A computer network authentication protocol
– Allows principals communicating over a non-secure network to
prove their identity to one another in a secure manner.
• Principals
– Any user or service that interacts with a network
– Term that is applied to anything within a network that needs to
communicate in an authorized manner

15. Components of Kerberos
– Key Distribution Center (KDC)
• Holds all of the principals' secret keys
• Principals authenticate to the KDC before networking can take place
– Authentication Server (AS)
• Authenticates user at initial logon
• Generation of initial ticket to allow user to authenticate to local system
– Ticket Granting Service (TGS)
• Generates of tickets to allow subjects to authenticate to each other

16. Kerberos Process

17. Access Control Models
Frameworks that dictate how subjects access objects
Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

18. Discretionary Access Control
• Allows the owner of the resource to specify which subjects can access
which resources
• Access control is at the discretion of the owner
• DAC defines access control policy
• That restricts access to files and other system resources based on identity
• DAC can be implemented through Access Control Lists (ACLs)

19. Access Control Matrix
• Access Control Lists (ACLs)
• Specifies the list of subjects that are authorized to access a specific object
• Capability Lists
• Specifies the access rights a certain subject possesses pertaining to specific
objects

20. Access Control Matrix

21. Mandatory Access Control
• Based on security label system
• Users given security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc
– Category
• Information warfare, Treasury, UN, etc

22. Role Based Access Control
• Uses centrally administered set of controls to determine how subjects and
objects interact
• Decisions based on the functions that a user is allowed to perform within an
organization
• An advantage of role based access controls is the ease of administration
• Capability tables are sometimes seen in conjunction with role-based access
controls
• Best for high turn over organizations

23. Access Control Techniques
• Rules Based Access Control
• Constrained User Interface
• Content Dependent Access Control
• Context Dependent Access Control

24. Penetration Testing
• Process of simulating attacks on Information Systems
– At the request of the owner, senior management
• Uses set of procedures and tools designed to test security controls of a
system
• Emulates the same methods attackers use

25. Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
• Report to management

26. Step 1
Discovery
– Gathering information about the target
– Reconnaissance Types
• Passive
• Active

27. Step 2
Enumeration
– Performing port scans and resource identification methods
– Gaining specific information on the basis of information gathered
during reconnaissance
– Includes use of dialers, port scanners, network mapping,
sweeping, vulnerability scanners, and so on

28. Step 3
Vulnerability Mapping
• Identifying vulnerabilities in identified systems and resources
• Based on these vulnerabilities attacks are carried out
Step 4
Exploitation
– Attempting to gain unauthorized access by exploiting the Vulnerabilities
Step 5
Report to management
– Delivering to management documentation of test findings along with suggested countermeasures

29. Types
• Zero knowledge
• Partial knowledge
• Full knowledge