Access Control Fundamental
Assoc. Prof. Ts. Dr. Madihah Mohd Saudi
Faculty of Science & Technology, USIM
CONTENTS
• Introduction
• Access Control Challenges
• Access Control Principles
• Access Control Practices
• Security Principles
• Identification, Authentication & Authorization
• Access Control Categories
• Access Control Types
• Access Control Threats
• Access Control Technologies - Single Sign-On
• Access Control Models
• Access Control Techniques
• Access Control Administration
• Access Control Monitoring (IDS/IPS)
• Access Control Assurance
Introduction
• Access controls: security features that control how users & systems communicate & interact with other systems & resources.
• Access: flow of information between a subject & a resource.
• A subject: an active entity that requests access to a resource or the data within a resource (e.g., user, program, process).
• A resource: an entity that contains the information (e.g., computer, database, file, program, printer).
• Access controls give the organization the ability to control, restrict, monitor, & protect resource availability, integrity, & confidentiality.
Access Control Challenges
• Diverse identity data must be kept on different types of users: credentials, personal data, contact information, work-related data, digital certificates, cognitive passwords, etc.
• The corporate environment is continually changing: business environment needs, resource access needs, employee roles, actual employees, etc.
• Resources have different classification levels: confidential, internal use only, private, public, etc.
• Various types of users need different levels of access: internal users, contractors, outsiders, partners, etc.
Access Control Principles
• Principle of Least Privilege: states that if nothing has been specifically configured for an individual or the groups he/she belongs to, the user should not be able to access that resource, i.e., default no access.
• Separation of Duties: separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets &/or information.
• Need to know: based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.
Access Control Practices
• Disable unneeded system features, services, & ports.
• Deny access to systems by undefined users or anonymous accounts.
• Suspend inactive accounts after 30 to 60 days.
• Enforce the need-to-know & least-privilege practices.
• Enforce strict access criteria.
• Remove obsolete user accounts as soon as the user leaves the company.
• Suspend or delay access capability after a specific number of unsuccessful logon attempts.
• Limit & monitor the usage of administrator & other powerful accounts.
• Replace default password settings on accounts.
• Limit & monitor global access rules.
• Ensure that logon IDs are nondescriptive of job function.
• Remove redundant resource rules from accounts & group memberships.
• Remove redundant user IDs, accounts, & role-based accounts from resource access lists.
• Enforce password rotation.
• Enforce password requirements (length, contents, lifetime, distribution, storage, & transmission).
• Audit system & user events & actions & review reports periodically.
• Protect audit logs.
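Three of the practices above (deny undefined or anonymous accounts, suspend inactive accounts, delay access after repeated failed logons) can be enforced at the logon gate itself. The following is an added example, not part of the original slides; the 60-day limit is the upper end of the slide's range, while the failure threshold, the 15-minute delay, the class names and the logon IDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values; the slides fix only the 30 to 60 day inactivity range.
INACTIVITY_LIMIT = timedelta(days=60)
MAX_FAILURES = 3
LOCKOUT_DELAY = timedelta(minutes=15)


@dataclass
class Account:
    logon_id: str                      # nondescriptive of job function
    last_success: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None
    suspended: bool = False


@dataclass
class LogonGate:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, logon_id, created):
        self.accounts[logon_id] = Account(logon_id, last_success=created)

    def attempt(self, logon_id, credentials_ok, now):
        """Decide one logon attempt and record it for later audit."""
        decision = self._decide(logon_id, credentials_ok, now)
        self.audit_log.append((now.isoformat(), logon_id, decision))
        return decision

    def _decide(self, logon_id, credentials_ok, now):
        account = self.accounts.get(logon_id)
        if account is None:
            # Undefined users and anonymous accounts get no access.
            return "deny:undefined-user"
        if account.suspended or now - account.last_success > INACTIVITY_LIMIT:
            account.suspended = True   # stays suspended until an admin review
            return "deny:suspended-inactive"
        if account.locked_until and now < account.locked_until:
            # During the delay even correct credentials are refused.
            return "deny:locked"
        if not credentials_ok:
            account.failures += 1
            if account.failures >= MAX_FAILURES:
                account.locked_until = now + LOCKOUT_DELAY
                account.failures = 0
            return "deny:bad-credentials"
        account.failures = 0
        account.locked_until = None
        account.last_success = now
        return "allow"


def demo():
    """Run a constructed sequence of logon attempts through the gate."""
    start = datetime(2024, 1, 1, 9, 0)
    minute = timedelta(minutes=1)
    gate = LogonGate()
    gate.add("u1042", created=start)
    gate.add("u2077", created=start - timedelta(days=90))  # dormant account
    return [
        gate.attempt("anonymous", True, start),
        gate.attempt("u2077", True, start),
        gate.attempt("u1042", False, start + 1 * minute),
        gate.attempt("u1042", False, start + 2 * minute),
        gate.attempt("u1042", False, start + 3 * minute),
        gate.attempt("u1042", True, start + 4 * minute),
        gate.attempt("u1042", True, start + 20 * minute),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Every decision, including denials, lands in `audit_log`, which is the raw material for the periodic review the practices call for.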
Security Principles
• Fundamental Principles (CIA)
• Identification
• Authentication
• Authorization
• Non-Repudiation
Identification, Authentication & Authorization
• Identification describes a method of ensuring that a subject is the entity it claims to be (e.g., a username or an account number).
• Authentication is the method of proving the subject's identity (e.g., password, passphrase, PIN).
• Authorization is the method of controlling the access of objects by the subject (e.g., a user cannot delete a particular file after logging into the system).
Note: There must be a three-step process of Identification, Authentication, & Authorization in order for a subject to access an object.
Identification Component Requirements
When issuing identification values to users or subjects, ensure that:
1. Each value should be unique, for user accountability;
2. A standard naming scheme should be followed;
3. The values should be non-descriptive of the user's position or task;
4. The values should not be shared between the users.
Authentication Factors
01 Something a person knows (passwords, PIN)
02 Something a person has (access card, key)
03 Something a person is (biometrics)
Note: For a strong authentication to be in process, it must include two out of the three authentication factors, also referred to as two-factor authentication.
Authentication Methods
• Biometrics
• Passwords
• Cognitive Passwords (mother's maiden name)
• One-Time Passwords
• Cryptographic Keys
• Passphrase
• Memory Cards (swipe cards, ATM cards)
• Smart Card
Identity Management
• Identity Management is a broad term that encompasses the use of different products to identify, authenticate, & authorize users through automated means.
• The identity is established as:
  • a name (or number) is associated to the subject or object; &
  • the identity is re-established: a new or additional name (or number) is connected to the subject or object;
• The identity is described as:
  • one or more attributes which are applicable to this particular subject or object may be assigned to the identity; &
  • the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
Access Control Categories
• Administrative Controls
• Physical Controls
• Technical or Logical Controls
Administrative Control Component
• Policy & Procedures
• Personnel Controls
• Supervisory Structure
• Security-Awareness Training
• Testing
Examples of Administrative Controls
▪ Security policy
▪ Monitoring & supervising
▪ Separation of duties
▪ Job rotation
▪ Information classification
▪ Personnel procedures
▪ Investigations
▪ Testing
▪ Security-awareness & training
Physical Control Component
• Network Segregation
• Perimeter Security
• Computer Controls
• Work Area Separation
• Data Backups
• Cabling
• Control Zone
Examples of Physical Controls
▪ Fences
▪ Locks
▪ Badge system
▪ Security guard
▪ Biometric system
▪ Mantrap doors
▪ Lighting
▪ Motion detectors
▪ Closed-circuit TVs
▪ Alarms
▪ Backups
▪ Safe storage area of backups
Technical Control Component
• System Access
• Network Access
• Encryption & protocols
• Auditing
• Network Architecture
Examples of Technical Controls
▪ ACLs
▪ Routers
▪ Encryption
▪ Audit logs
▪ IDS
▪ Antivirus software
▪ Firewalls
▪ Smart cards
▪ Dial-up call-back systems
▪ Alarms & alerts
Access Control Types
1. Preventative: avoid undesirable events from occurring
2. Detective: identify undesirable events that have occurred
3. Corrective: correct undesirable events that have occurred
4. Deterrent: discourage security violations
5. Recovery: restore resources & capabilities
6. Compensative: provide alternatives to other controls
Access Control Threats
• Denial of Service (DoS/DDoS)
• Buffer Overflows
• Malicious Software
• Password Crackers
• Spoofing/Masquerading
• Emanations
• Shoulder Surfing
• Object Reuse
• Data Remanence
• Backdoor/Trapdoor
• Dictionary Attacks
• Brute Force Attacks
• Social Engineering
Access Control Technologies - Single Sign-On
Introduction
• SSO is a technology that allows a user to enter credentials one time & be able to access all resources in primary & secondary network domains.
Advantages
• Reduces the amount of time users spend authenticating to resources.
• Enables the administrator to streamline user accounts & better control access rights.
• Improves security by reducing the probability that users will write down their passwords.
• Reduces the administrator's time in managing the access permissions.
Limitations
• Every platform, application & resource needs to accept the same type of credentials, in the same format, & interpret their meaning in the same way.
Disadvantages
• Once an individual is in, he is in, thus giving a bigger scope to an attacker.
Access Control Models
▪ Framework that dictates how subjects access objects.
▪ Uses access control technologies & security mechanisms to enforce the rules & objectives of the model.
1 Discretionary
➢ Based on the discretion (wish) of the owner.
➢ A system that uses DAC enables the owner of the resource to specify which subjects can access specific resources.
➢ Examples: Unix, Linux, Windows access control is based on DAC.
2 Mandatory
➢ This model is very structured & strict & is based on a security label (also known as sensitivity label) attached to all objects.
➢ The subjects are given security clearance by classifying the subjects (as secret, top-secret, confidential, etc.) & the objects are also classified similarly.
➢ Examples: SELinux (by NSA), Trusted Solaris.
3 Role-based
➢ RBAC is based on user roles & uses a centrally administered set of controls to determine how subjects & objects interact.
➢ The RBAC approach simplifies the access control administration.
➢ It is the best system for a company that has high employee turnover.
➢ Note: RBAC can generally be used in combination with MAC & DAC systems.
Summary of the models:
• DAC: access control owner: data owners; security policy enforced by: access-control list
• MAC: access control owner: operating systems; security policy enforced by: security labels
• RBAC: access control owner: administrator; security policy enforced by: roles/functional position
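The difference between the three models is who decides and what the decision is stored in. The sketch below is an added example, not part of the original slides; the subject names, role names and permissions are constructed, and the MAC rule used (a subject may read only at or below its clearance) is an assumption, since the slides only say that subjects and objects both carry classifications.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels and clearances, ordered low to high (assumed order)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class DacResource:
    """DAC: the data owner decides, and the decision lives in an ACL."""

    def __init__(self, owner, label=Level.PUBLIC):
        self.owner = owner
        self.label = label                      # consulted only by the MAC check
        self.acl = {owner: {"read", "write"}}

    def grant(self, requester, subject, rights):
        if requester != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(subject, set()).update(rights)

    def allows(self, subject, right):
        # No ACL entry means no access (default deny).
        return right in self.acl.get(subject, set())


def mac_allows_read(clearance, label):
    """MAC: the system compares labels; the owner's wishes play no part.
    Assumed rule: read is allowed only at or below the subject's clearance."""
    return clearance >= label


class Rbac:
    """RBAC: an administrator maps roles to permissions and users to roles."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"undefined role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def remove_user(self, user):
        self.user_roles.pop(user, None)

    def allows(self, user, permission):
        roles = self.user_roles.get(user, set())
        return any(permission in self.role_permissions[r] for r in roles)


def demo():
    results = {}

    # DAC: alice owns the report and grants bob read access at her discretion.
    report = DacResource(owner="alice", label=Level.SECRET)
    report.grant("alice", "bob", {"read"})
    results["dac_bob_read"] = report.allows("bob", "read")
    results["dac_bob_write"] = report.allows("bob", "write")
    results["dac_carol_read"] = report.allows("carol", "read")
    try:
        report.grant("bob", "carol", {"read"})   # bob is not the owner
        results["dac_bob_can_grant"] = True
    except PermissionError:
        results["dac_bob_can_grant"] = False

    # MAC layered on top: the ACL entry does not override the label check.
    clearances = {"alice": Level.TOP_SECRET, "bob": Level.CONFIDENTIAL}
    for who in ("alice", "bob"):
        results[f"mac_{who}_read"] = report.allows(who, "read") and \
            mac_allows_read(clearances[who], report.label)

    # RBAC under turnover: the role stays, only the user-to-role mapping changes.
    rbac = Rbac({"teller": {"account:view", "deposit:create"},
                 "auditor": {"account:view", "audit:read"}})
    rbac.assign("dave", "teller")
    results["rbac_dave_deposit"] = rbac.allows("dave", "deposit:create")
    results["rbac_dave_audit"] = rbac.allows("dave", "audit:read")
    rbac.remove_user("dave")                     # dave leaves the company
    rbac.assign("erin", "teller")                # replacement gets the same role
    results["rbac_dave_after_leaving"] = rbac.allows("dave", "deposit:create")
    results["rbac_erin_deposit"] = rbac.allows("erin", "deposit:create")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```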
Access Control Techniques
01 Rule-Based Access Control
• Uses specific rules that indicate what can & cannot happen between a subject & an object.
• E.g.: Routers & firewalls use rules to filter incoming & outgoing packets.
02 Constrained User Interface
• Constrained user interfaces restrict users' access ability by not allowing them to request certain functions or information, or to have access to specific system resources.
• 3 major types of restricted interfaces: Menus & Shells, Database Views, Physically Constrained Interfaces.
03 Access Control Matrix
• An access control matrix is a table of subjects & objects indicating what actions individual subjects can take upon individual objects.
04 Content-Dependent Access Control
• Access to the objects is based on the content within the object.
• Example: Database views, e-mail filtering, etc.
05 Context-Dependent Access Control
• The access decisions are based on the context of a collection of information rather than on the sensitivity of the data.
• Example: A firewall makes context-based access decisions when it collects state information on a packet before allowing it into the network.
Access Control Administration
Centralized Access Control
• Here one entity (dept or an individual) is responsible for overseeing access to all corporate resources.
• This type of administration provides a consistent and uniform method of controlling the users' access rights.
• Example: RADIUS, TACACS, and Diameter
Decentralized Access Control
• Gives control of access to the people closer to the resources.
• There is a possibility of certain controls to overlap, in which case actions may not be properly proscribed or restricted.
• This type of administration does not provide methods for consistent control, as a centralized method would.
Access Control Monitoring (IDS/IPS)
Method of keeping track of who attempts to access specific network resources.
Intrusion Detection System (IDS)
• Process of detecting unauthorized use of, or attack upon, a computer, network, or telecommunication infrastructure.
• Designed to aid in mitigating the damage that can be caused by hacking or breaking into sensitive computer and network systems.
Intrusion Prevention System (IPS)
• Examines network traffic flows to detect & prevent vulnerability exploits.
• IPS is a preventative & proactive technology, whereas an IDS is a detective & after-the-fact technology.
Access Control Assurance
• Accountability is the method of tracking and logging the subject's actions on the objects.
• Auditing is an activity where the users'/subjects' actions on the objects are monitored in order to verify that the sensitivity policies are enforced & can be used as an investigation tool.
Advantages of Auditing
❖ To track unauthorized activities performed by individuals.
❖ Detect intrusion.
❖ Reconstruct events & system conditions.
❖ Provide legal resource material & produce problem reports.