Ch07 Access Control Fundamentals | PPT
Chapter 7: Access Control Fundamentals
Security+ Guide to Network Security Fundamentals, Third Edition

Jérôme Kerviel
- Rogue trader, lost €4.9 billion
- Largest fraud in banking history at that time
- Worked in the compliance department of a French bank
- Defeated security at his bank by concealing transactions with other transactions
- Arrested in Jan 2008, out and working at a computer consulting firm in April 2008
- Links Ch7a, 7b

Objectives
- Define access control and list the four access control models
- Describe logical access control methods
- Explain the different types of physical access control
What Is Access Control?
Access Control
- The process by which resources or services are granted or denied on a computer system or network
- There are four standard access control models as well as specific practices used to enforce access control

Access Control Terminology
- Identification: a user accessing a computer system presents credentials or identification, such as a username
- Authentication: checking the user’s credentials to be sure that they are authentic and not fabricated, usually using a password
- Authorization: granting permission to take the action
  - A computer user is granted access to only certain services or applications in order to perform their duties
- Custodian: the person who reviews security settings; also called Administrator
Access Control Terminology (continued)
Access Control Terminology (continued)
- Computer access control can be accomplished by one of three entities: hardware, software, or a policy
- Access control can take different forms depending on the resources that are being protected
- Other terminology is used to describe how computer systems impose access control:
  - Object – resource to be protected
  - Subject – user trying to access the object
  - Operation – action being attempted
Access Control Terminology (continued)
Access Control Models
- Mandatory Access Control
- Discretionary Access Control
- Role-Based Access Control
- Rule-Based Access Control

Mandatory Access Control (MAC) model
- Most restrictive model—used by the military
- Objects and subjects are assigned access levels: Unclassified, Classified, Secret, Top Secret
- The end user cannot implement, modify, or transfer any controls

Discretionary Access Control (DAC) model
- The least restrictive; used by Windows computers in small networks
- A subject has total control over any objects that he or she owns, along with the programs that are associated with those objects
- In the DAC model, a subject can also change the permissions for other subjects over objects

DAC Has Two Significant Weaknesses
- It relies on the end-user subject to set the proper level of security
- A subject’s permissions will be “inherited” by any programs that the subject executes

User Account Control
- Cruel Mac Video: Link Ch 7c

User Account Control (UAC)
- Asks the user for permission when installing software
- Principle of least privilege
  - Users run with limited privileges by default
  - Applications run in standard user accounts
  - Standard users can perform common tasks

Role Based Access Control (RBAC) model
- Sometimes called Non-Discretionary Access Control
- Used in Windows corporate domains
- Considered a more “real world” approach than the other models
- Assigns permissions to particular roles in the organization, such as “Manager”, and then assigns users to that role
- Objects are set to be a certain type, to which subjects with that particular role have access

Rule Based Access Control (RBAC) model
- Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
- Controls access with rules defined by a custodian
- Example: Windows Live Family Safety
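The four models above differ in who decides and how the decision is made. The following toy reference monitor, added here as an illustration and not code from the textbook or the slides, puts each model's decision rule side by side: MAC compares fixed levels, DAC asks the owner, RBAC goes through roles, and rule-based access walks an ordered rule list. The subjects, objects, roles and rules are constructed sample data, and the MAC read/write rule (no read up, no write down) is the Bell-LaPadula convention, an assumption the slides do not spell out. In every model a request that matches nothing is denied.

```python
"""Toy reference monitor for the four access control models on the slides.

Added illustration, not code from the textbook or the slides. Subjects,
objects, roles and rules are constructed sample data; the MAC read/write
rule follows the Bell-LaPadula convention (an assumption)."""
from dataclasses import dataclass, field

# --- Mandatory Access Control: levels fixed by the system, not by users ---
LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}


def mac_allows(subject_clearance, object_label, operation):
    """Read needs clearance >= label; write needs clearance <= label.
    Any other operation is denied (implicit deny)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if operation == "read":
        return s >= o
    if operation == "write":
        return s <= o
    return False


# --- Discretionary Access Control: the owner decides who gets what ---
@dataclass
class DacObject:
    owner: str
    grants: dict = field(default_factory=dict)  # subject -> set of operations

    def grant(self, granter, subject, operation):
        """Only the owner may change permissions on the object."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.grants.setdefault(subject, set()).add(operation)

    def allows(self, subject, operation):
        if subject == self.owner:
            return True  # the owner has total control
        return operation in self.grants.get(subject, set())


# --- Role-Based Access Control: permissions to roles, users to roles ---
ROLE_PERMISSIONS = {  # role -> {(object type, operation)}
    "Manager": {("payroll", "read"), ("payroll", "approve")},
    "Clerk": {("payroll", "read")},
}
USER_ROLES = {"alice": {"Manager"}, "bob": {"Clerk"}}


def rbac_allows(user, object_type, operation):
    for role in USER_ROLES.get(user, set()):
        if (object_type, operation) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # no role grants it: implicit deny


# --- Rule-Based Access Control: custodian-written rules, first match wins ---
def rule_based_allows(request, rules):
    """rules is an ordered list of (predicate, decision); a request that
    matches no rule is denied (implicit deny)."""
    for predicate, decision in rules:
        if predicate(request):
            return decision
    return False


# Constructed rule set in the spirit of a parental-control product:
# block late-night use and one content category, otherwise allow the child.
FAMILY_RULES = [
    (lambda r: r["hour"] >= 22, False),
    (lambda r: r["category"] == "games", False),
    (lambda r: r["user"] == "child", True),
]
```

Note that only the DAC object lets a user change permissions at all; in the MAC, RBAC and rule-based functions the policy data is owned by the system or the custodian, which is exactly the distinction the slides draw.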
Access Control Models (continued)
Best Practices for Access Control
- Separation of duties
  - No one person should control money or other essential resources alone
  - Network administrators often have too much power and responsibility
- Job rotation
  - Individuals are periodically moved from one job responsibility to another

Best Practices for Access Control (continued)
- Least privilege
  - Each user should be given only the minimal amount of privileges necessary to perform his or her job function
- Implicit deny
  - If a condition is not explicitly met, access is denied
  - For example, Web filters typically block unrated sites
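Separation of duties and least privilege are easiest to enforce when they are checked mechanically against the role assignments in place. The audit below is an added example, not from the slides: it declares pairs of permissions that no single person should hold ("toxic" combinations), flags users who hold both halves through any mix of roles, flags roles that are over-broad on their own (the "administrator with too much power" case), and lists granted permissions that an activity summary shows were never used. The permission names, roles, conflict pairs and assignments are constructed sample data.

```python
"""Audit role assignments for separation-of-duties conflicts and unused privilege.

Added example, not from the slides. Permission names, "toxic" pairs, role
definitions, user assignments and the activity summary are constructed."""

# Permission pairs that one person should never hold together (constructed).
TOXIC_PAIRS = [
    ("payment.create", "payment.approve"),
    ("user.create", "user.grant_admin"),
]

ROLE_PERMISSIONS = {
    "ap_clerk": {"payment.create", "invoice.read"},
    "ap_manager": {"payment.approve", "invoice.read"},
    "helpdesk": {"user.create", "user.reset_password"},
    # An over-broad role: holds both halves of both toxic pairs by itself.
    "domain_admin": {"user.create", "user.grant_admin",
                     "payment.create", "payment.approve"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of everything the user's roles grant."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(assignments, toxic_pairs=TOXIC_PAIRS,
                   role_permissions=ROLE_PERMISSIONS):
    """Map each user to the toxic pairs they hold in full. A conflict can come
    from one over-broad role or from accumulating several narrow roles."""
    findings = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [p for p in toxic_pairs if p[0] in perms and p[1] in perms]
        if hits:
            findings[user] = hits
    return findings


def conflicting_roles(role_permissions=ROLE_PERMISSIONS, toxic_pairs=TOXIC_PAIRS):
    """Roles that violate separation of duties on their own."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(a in perms and b in perms for a, b in toxic_pairs))


def unused_permissions(roles, exercised, role_permissions=ROLE_PERMISSIONS):
    """Least privilege: permissions granted but never exercised (per an
    activity log summary) are candidates for removal."""
    return effective_permissions(roles, role_permissions) - set(exercised)


# Constructed user -> roles assignment for the audit.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},   # role creep: can create and approve
    "carol": {"domain_admin"},
    "dan": {"helpdesk"},
}
```

Running sod_violations(ASSIGNMENTS) reports bob, who accumulated a conflict through two otherwise reasonable roles, and carol, whose single role is the problem; conflicting_roles() points at the role itself. Job rotation makes this kind of audit recurring work, since every rotation changes the effective permission set.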
Logical Access Control Methods
Access Control Methods
- The methods to implement access control are divided into two broad categories: physical access control and logical access control
- Logical access control includes
  - Access control lists (ACLs)
  - Group policies
  - Account restrictions
  - Passwords

Access Control List (ACL)
- A set of permissions attached to an object
- Specifies which subjects are allowed to access the object and what operations they can perform on it
- Every file and folder has an ACL
- Access control entry (ACE): each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems

Windows Access Control Entries (ACEs)
- In Windows, the ACE includes
  - Security identifier (SID) for the user or group
  - Access mask that specifies the access rights controlled by the ACE
  - A flag that indicates the type of ACE
  - A set of flags that determine whether objects can inherit permissions
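The four ACE fields on the slide (SID, access mask, ACE type, inheritance flags) are enough to evaluate an access request. The following is an added example, not code from the slides and not the Win32 API: it models a Windows-style DACL, orders deny entries ahead of allow entries as Windows does, checks a requested mask bit by bit, and derives the ACL a child object inherits. The access-mask bit values are constructed (real Windows rights sit at different bit positions), the account SIDs of the form S-1-5-21-EXAMPLE-* are placeholders, and S-1-5-32-545 is the well-known SID of the built-in Users group.

```python
"""Windows-style DACL evaluation with ACEs carrying a SID, access mask, type
and inheritance flag, mirroring the four ACE fields on the slide.

Added example, not the slides' code and not the Win32 API. Mask bit values are
constructed; S-1-5-21-EXAMPLE-* SIDs are placeholders; S-1-5-32-545 is the
well-known SID of the built-in Users group."""
from dataclasses import dataclass

# Constructed access-mask bits (not the real Windows constants).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ACCESS_ALLOWED, ACCESS_DENIED = "allow", "deny"   # ACE types
INHERIT = 0x1                                     # ACE flag: propagate to children


@dataclass
class ACE:
    sid: str
    mask: int
    ace_type: str
    flags: int = 0


def canonicalize(acl):
    """Windows orders explicit deny ACEs ahead of allow ACEs in a DACL so a
    deny is seen first; reproduce that ordering."""
    denies = [a for a in acl if a.ace_type == ACCESS_DENIED]
    allows = [a for a in acl if a.ace_type == ACCESS_ALLOWED]
    return denies + allows


def check_access(acl, subject_sids, requested):
    """Walk the ACL in canonical order. An ACE whose SID is not in the
    subject's token is skipped. A deny ACE overlapping any still-unsatisfied
    bit fails the request; allow ACEs accumulate granted bits. Access succeeds
    only when every requested bit has been granted (implicit deny otherwise)."""
    remaining = requested
    for ace in canonicalize(acl):
        if ace.sid not in subject_sids:
            continue
        if ace.ace_type == ACCESS_DENIED and ace.mask & remaining:
            return False
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def inherited_acl(parent_acl):
    """ACEs a newly created child object receives: only those flagged INHERIT."""
    return [ace for ace in parent_acl if ace.flags & INHERIT]


# Constructed DACL on a folder: one user is denied write/delete, the Users
# group may read and execute (inheritable), and the same user is separately
# allowed read/write. Because the deny is evaluated first, the later allow of
# WRITE never takes effect for that user.
USERS_GROUP = "S-1-5-32-545"
FOLDER_ACL = [
    ACE("S-1-5-21-EXAMPLE-1001", WRITE | DELETE, ACCESS_DENIED),
    ACE(USERS_GROUP, READ | EXECUTE, ACCESS_ALLOWED, INHERIT),
    ACE("S-1-5-21-EXAMPLE-1001", READ | WRITE, ACCESS_ALLOWED),
]
```

The subject is represented by the set of SIDs in its token (its own SID plus group SIDs), which is why a group ACE can grant access to a user the ACL never names individually.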
Advanced Security Settings in Windows 7 Beta
Group Policy
- A Microsoft Windows feature that provides centralized management and configuration of computers and remote users, using the Microsoft directory services known as Active Directory (AD)
- Group Policy is used in corporate domains to restrict user actions that may pose a security risk
- Group Policy settings are stored in Group Policy Objects (GPOs)

Account Restrictions
- Time of day restrictions
  - Limit when a user can log on to a system
  - These restrictions can be set through a Group Policy
  - Can also be set on individual systems
- Account expiration
  - The process of setting a user’s account to expire
  - Orphaned accounts are user accounts that remain active after an employee has left an organization
  - Can be controlled using account expiration
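Both restrictions on this slide reduce to a check at logon time plus a periodic comparison of the account database against the HR roster. The code below is an added example, not from the slides and not Active Directory's own logic: it refuses logons outside the permitted hours for the weekday or after the expiry date, lists orphaned accounts (still valid, owner no longer employed), and remediates them by setting an expiry in the past. The account records, roster and timestamps are constructed.

```python
"""Time-of-day restrictions, account expiration and orphaned-account cleanup.

Added example, not from the slides and not Active Directory's own logic. The
account records, HR roster and timestamps are constructed."""
from datetime import date, datetime

ALL_DAY = set(range(24))
OFFICE_HOURS = set(range(8, 18))          # 08:00 - 17:59
WEEKDAYS = range(5)                        # Monday = 0 ... Friday = 4

# Constructed account database. "hours" maps weekday -> permitted logon hours;
# "expires" is the last valid day, or None for never.
ACCOUNTS = {
    "alice": {"hours": {d: OFFICE_HOURS for d in WEEKDAYS}, "expires": None},
    "bob":   {"hours": {d: ALL_DAY for d in range(7)}, "expires": date(2024, 6, 30)},
    "carol": {"hours": {d: ALL_DAY for d in range(7)}, "expires": None},
}


def logon_permitted(account, when, accounts=ACCOUNTS):
    """Return (allowed, reason). Unknown, expired and out-of-hours logons are
    all refused; the checks run in order of severity so the reason reported
    is the most serious one that applies."""
    rec = accounts.get(account)
    if rec is None:
        return False, "unknown account"
    if rec["expires"] is not None and when.date() > rec["expires"]:
        return False, "account expired"
    if when.hour not in rec["hours"].get(when.weekday(), set()):
        return False, "outside permitted logon hours"
    return True, "ok"


def orphaned_accounts(accounts, active_employees, as_of):
    """Accounts still valid on as_of whose owner is no longer on the HR roster."""
    return sorted(
        name for name, rec in accounts.items()
        if name not in active_employees
        and (rec["expires"] is None or rec["expires"] >= as_of)
    )


def expire_orphans(accounts, active_employees, as_of):
    """Remediation: set an expiry on every orphaned account (the day before
    as_of, so it stops working immediately) and return the names touched."""
    touched = orphaned_accounts(accounts, active_employees, as_of)
    for name in touched:
        accounts[name]["expires"] = date.fromordinal(as_of.toordinal() - 1)
    return touched
```

A weekday missing from the hours map yields an empty set, so an account restricted to Monday through Friday is denied on the weekend without a separate rule; that is the implicit-deny default applied to logon hours.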
Passwords
- The most common logical access control
- Sometimes referred to as a logical token
- A secret combination of letters and numbers that only the user knows
- A password should never be written down
- Must also be of a sufficient length and complexity so that an attacker cannot easily guess it (password paradox)
Passwords Myths
Attacks on Passwords
- Brute force attack
  - Simply trying to guess a password by combining random combinations of characters
- Passwords typically are stored in an encrypted form called a “hash”
  - Attackers try to steal the file of hashed passwords and then break the hashed passwords offline

How to Get the Hashes
- Easy way: just use Cain
  - Cracker tab, right-click, "Add to List"

Attacks on Passwords (continued)
- Dictionary attack
  - Guess passwords from a dictionary
  - Works if the password is a known common password
- Rainbow tables
  - Make password attacks faster by creating a large pregenerated data set of hashes from nearly every possible password combination
  - Works well against Windows passwords because Microsoft doesn't use the salting technique when computing hashes
Rainbow Tables
- Generating a rainbow table requires a significant amount of time
- Rainbow table advantages
  - Can be used repeatedly for attacks on other passwords
  - Rainbow tables are much faster than dictionary attacks
  - The amount of time needed on the attacking machine is greatly reduced
Rainbow Table Attack
Passwords (continued)
- One reason for the success of rainbow tables is how older Microsoft Windows operating systems hash passwords
- A defense against breaking encrypted passwords with rainbow tables
  - The hashing algorithm should include a random sequence of bits as input along with the user-created password
  - These random bits are known as a salt
  - Makes brute force, dictionary, and rainbow table attacks much more difficult

No Salt!
- To make hashing stronger, add a random "salt" to a password before hashing it
- Windows doesn't salt its hash!
- Two accounts with the same password hash to the same result, even in Windows 7 Beta!
- This makes it possible to speed up password cracking with precomputed rainbow tables

Demonstration
- Here are two accounts on a Windows 7 Beta machine with the password 'password'
- This hash is from a different Windows 7 Beta machine
Linux Salts its Hashes
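The property demonstrated on the preceding slides, that unsalted hashing lets one precomputed table serve every account and machine while a per-account salt defeats it, can be reproduced in a few lines. The following is an added example, not the slides' code and not the actual Windows NT hash or the Linux crypt algorithms: it uses SHA-256 and PBKDF2-HMAC from the Python standard library. The passwords and the tiny precomputed table are constructed; the table stands in for a rainbow table only in the sense that it maps hashes back to passwords.

```python
"""Unsalted versus salted password hashing.

Added example, not the slides' code and not the real Windows or Linux hash
algorithms. Passwords and the precomputed table are constructed."""
import hashlib
import hmac
import os


def unsalted_hash(password):
    """The weak scheme: identical passwords give identical hashes on every
    machine, so one precomputed table serves every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None, iterations=100_000):
    """Stored record "salt$iterations$digest". A fresh random salt per account
    means equal passwords no longer collide, and any precomputed table would
    have to be rebuilt for every salt value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def precomputed_table(candidates):
    """Stand-in for a rainbow table: hash -> password for a few guesses."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(stored, table):
    """A table hit reveals the password; salted records never match."""
    return table.get(stored)


COMMON_GUESSES = ["password", "123456", "letmein", "qwerty"]  # constructed
```

Two calls to salted_hash("password") produce different records, which is the "Linux salts its hashes" behaviour from the slide title, and the same password still verifies against either record because the salt travels with the stored value. The iteration count is the other half of the defence: it slows every guess, whether or not a table exists.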
Password Policy
- A strong password policy can provide several defenses against password attacks
- The first password policy is to create and use strong passwords
- One of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashes
- A final defense is to use another program to help keep track of passwords

Domain Password Policy
- Setting password restrictions for a Windows domain can be accomplished through the Windows Domain password policy
- There are six common domain password policy settings, called password setting objects, used to build a domain password policy
Physical Access Control
Physical Access Control
- Physical access control primarily protects computer equipment
- Designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it
- Physical access control includes computer security, door security, mantraps, video surveillance, and physical access logs

Physical Computer Security
- Physically securing network servers in an organization is essential
- Rack-mounted servers
  - 4.45 centimeters (1.75 inches) tall
  - Can be stacked with up to 50 other servers in a closely confined area
- KVM (Keyboard, Video, Mouse) Switch
  - Needed to connect to the servers
  - Can be password-protected
KVM Switch
Door Security
- Hardware locks
- Preset lock
  - Also known as the key-in-knob lock
  - The easiest to use because it requires only a key for unlocking the door from the outside
  - Automatically locks behind the person, unless it has been set to remain unlocked
  - Security provided by a preset lock is minimal
- Deadbolt lock
  - Extends a solid metal bar into the door frame
  - Much more difficult to defeat than preset locks
  - Requires that the key be used to both open and lock the door

Lock Best Practices
- Change locks immediately upon loss or theft of keys
- Inspect all locks on a regular basis
- Issue keys only to authorized persons
- Keep records of who uses and turns in keys
- Keep track of keys issued, with their number and identification
- Master keys should not have any marks identifying them as masters

Lock Best Practices (continued)
- Secure unused keys in a locked safe
- Set up a procedure to monitor the use of all locks and keys and update the procedure as necessary
- When making duplicates of master keys, mark them “Do Not Duplicate,” and wipe out the manufacturer’s serial numbers to keep duplicates from being ordered

Lockpicking at DEFCON
- See links Ch 7e, 7f
Cipher Lock
- Combination locks that use buttons that must be pushed in the proper sequence to open the door
- Can be programmed to allow only the code of certain individuals to be valid on specific dates and times
- Cipher locks also keep a record of when the door was opened and by which code
- Cipher locks are typically connected to a networked computer system
  - Can be monitored and controlled from one central location

Cipher Lock Disadvantages
- Basic models can cost several hundred dollars while advanced models can be even more expensive
- Users must be careful to conceal which buttons they push to avoid someone seeing or photographing the combination

Tailgate Sensor
- Uses infrared beams that are aimed across a doorway
- Can detect if a second person walks through the beam array immediately behind (“tailgates”) the first person without presenting credentials

Physical Tokens
- Objects to identify users
- ID Badge
  - The most common type of physical token
  - ID badges originally were visually screened by security guards
  - Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags
  - Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket
Door Security (continued)
Mantrap
- Before entering a secure area, a person must enter the mantrap
  - A small room like an elevator
  - If their ID is not valid, they are trapped there until the police arrive
- Mantraps are used at high-security areas where only authorized persons are allowed to enter
  - Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals
Mantrap
Video Surveillance
- Closed circuit television (CCTV)
  - Using video cameras to transmit a signal to a specific and limited set of receivers
- Some CCTV cameras are fixed in a single position pointed at a door or a hallway
- Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view

Physical Access Log
- A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
- Can also identify if unauthorized personnel have accessed a secure area
- Physical access logs originally were paper documents
- Today, door access systems and physical tokens can generate electronic log documents
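Once the door system produces an electronic log, the review the slide describes (who entered, when they left, whether anyone unauthorized got in) can be automated. The following is an added example, not from the slides: it parses constructed log lines from a badge reader, flags badges not on the authorized list for that door, entries outside business hours, exits with no matching entry, and people never logged out, and reports who is still inside. The line format, badge numbers, door name and authorized list are all assumptions made for the example.

```python
"""Reviewing an electronic physical access log for the conditions on the
slide: who entered, when they left, and whether anyone unauthorized got in.

Added example, not from the slides. Log lines, badge numbers, the door name
and the authorized list are constructed; the line format is an assumption."""
from datetime import datetime

SAMPLE_LOG = """\
2024-07-01T08:02:11 badge=B1001 door=server-room event=entry
2024-07-01T08:40:55 badge=B1001 door=server-room event=exit
2024-07-01T09:15:03 badge=B2002 door=server-room event=entry
2024-07-01T21:05:47 badge=B3003 door=server-room event=entry
2024-07-01T21:20:09 badge=B3003 door=server-room event=exit
2024-07-01T22:00:00 badge=B9999 door=server-room event=entry
"""

AUTHORIZED = {"server-room": {"B1001", "B2002", "B3003"}}
BUSINESS_HOURS = range(7, 19)   # entries from 07:00 to 18:59 are routine


def parse_log(text):
    """One record per line: ISO timestamp followed by key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records


def review(records, authorized=AUTHORIZED, hours=BUSINESS_HOURS):
    """Return a list of (finding, badge, door, time) tuples."""
    findings = []
    inside = {}   # (door, badge) -> entry time, for people not yet logged out
    for r in records:
        door, badge, t = r["door"], r["badge"], r["time"]
        if badge not in authorized.get(door, set()):
            findings.append(("unauthorized badge", badge, door, t))
        if r["event"] == "entry":
            if t.hour not in hours:
                findings.append(("after-hours entry", badge, door, t))
            inside[(door, badge)] = t
        elif r["event"] == "exit":
            if (door, badge) not in inside:
                findings.append(("exit without entry", badge, door, t))
            inside.pop((door, badge), None)
    for (door, badge), t in sorted(inside.items(), key=lambda kv: kv[1]):
        findings.append(("no exit recorded", badge, door, t))
    return findings


def occupants(records):
    """Badges currently inside each door, derived from the same log."""
    present = {}
    for r in records:
        bucket = present.setdefault(r["door"], set())
        if r["event"] == "entry":
            bucket.add(r["badge"])
        else:
            bucket.discard(r["badge"])
    return present
```

On the sample log, review() reports one unauthorized badge (B9999), two after-hours entries (B3003 and B9999), and two people with no exit recorded (B2002 and B9999); an exit with no prior entry is the signature of someone who got in without badging, which is what a tailgate sensor or mantrap is meant to prevent.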