Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.


3 Security+ Chapter 1 – Controlling Access Brian E. Brzezicki

4 Access Control (100) In the first chapter we discussed some ways to authenticate users (subjects). Now that subjects have been authenticated, we can control access to resources (objects). This process is called Access Control. Access control is generally the idea of controlling access of subjects to objects. Look for this phrasing on the Security+ exam.

5 Access Control Models (100) 4 models for access control we will discuss in the following slides: Mandatory Access Control (MAC); Discretionary Access Control (DAC); Role Based Access Control; Rule Based Access Control.

6 MAC (101)

7 Mandatory Access Control means that the system is configured with a set of RULES for access and strictly enforces them. The Data Owner is not able to arbitrarily set permissions for users or groups. Military systems use MAC, usually in a “clearance level” model. (more)

8 MAC and clearances (101) Clearance Levels – objects are classified into a level by the data owner and marked with an appropriate “label”: Top Secret – exceptionally grave damage to national security; Secret – serious damage to national security; Confidential – damage to national security; Unclassified – public. (more)

9 MAC and clearances Now users are given a clearance level. For example: Bob has secret clearance. If Bob wants to access a document, the OS looks at the document's classification and Bob's clearance level. Bob will only be allowed to read the object if his clearance “dominates” the object's label. Bob CAN write up to objects with higher level “labels”; however, he cannot read those objects.

10 Example question 1 Budget.txt classification: secret. Bob clearance: top secret. Can Bob read the file budget.txt?

11 Example question 2 super-secret-file.txt classification: Top Secret. Bob clearance: secret. Can Bob access the file “super-secret-file.txt”?
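The dominance check from the MAC slides, applied to the two example questions. This is an added example, not part of the original slides; the function names, the deny-on-unlabeled behaviour and the write-down denial (the Bell-LaPadula *-property, which the slides do not state) are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):
    # Ordered lowest to highest, using the four levels named on the slide.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Object labels taken from the two example questions.
LABELS = {
    "budget.txt": Level.SECRET,
    "super-secret-file.txt": Level.TOP_SECRET,
}


def dominates(a, b):
    """True when level a is at or above level b."""
    return a >= b


def mac_decide(clearance, obj, op):
    """Decide a read or write request; the data owner has no say here."""
    label = LABELS.get(obj)
    if label is None:
        return False  # assumption: an unlabeled object is denied (fail closed)
    if op == "read":
        # Slide rule: read only if the subject's clearance dominates the label.
        return dominates(clearance, label)
    if op == "write":
        # Slide rule: writing up is allowed. Denying write-down is an
        # assumption added here (it keeps secrets from leaking to lower levels).
        return dominates(label, clearance)
    return False  # unknown operation


if __name__ == "__main__":
    print("Q1 read :", mac_decide(Level.TOP_SECRET, "budget.txt", "read"))
    print("Q2 read :", mac_decide(Level.SECRET, "super-secret-file.txt", "read"))
    print("Q2 write:", mac_decide(Level.SECRET, "super-secret-file.txt", "write"))
```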

12 Discretionary Access Control (103) Concept that a resource owner is allowed to authorize access to subjects. This is based on their discretion. Most commercial solutions implement Discretionary Access Control. ACLs are a common implementation of access controls in Discretionary systems.

13 Discretionary access control (103)

14 User Based User Based – a DAC method where every user is assigned a unique ID. Permissions are granted to each individual user. If a user has permissions to a resource, they can access it. Advantages? Problems?

15 Group Based A DAC method where groups are created. Users are placed in groups. Permissions are given to groups. If a user is in a group that has permission to a resource, then that user has permission to the resource. Advantages? Problems?

16 Group Based Access Control

17 Role Based Access Control (104-105) Access to resources is given to job positions or roles. Users are assigned to roles, and then they have the access rights that the roles have. This is also called non-discretionary access control. This is NOT the same as groups with DAC. More scalable model than DAC. Great for large companies. Avoids Authorization Creep. Great if there is a lot of turnover.

18 Rule Based Access Control (104-105) The decision to grant access to an item is based on a set of rules (yes or no questions). Example: You may access a file IF: you are in the management group; the time is between 9AM-5PM Monday-Friday. Advantages: Very flexible type of control; can be combined with other types of access controls. Firewalls use rule based access control to analyze a packet and see if it should be allowed based on the “firewall rules”.
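The slide's file rule written as yes/no checks, as an added example that is not part of the original slides. It assumes both conditions must hold, that 5PM itself is outside the window, and that a rule which cannot be evaluated counts as "no"; the subject records and function names are constructed.

```python
from datetime import datetime


def in_management(subject, when):
    return "management" in subject["groups"]


def business_hours(subject, when):
    # weekday(): Monday=0 .. Friday=4. 9AM inclusive, 5PM exclusive (assumption).
    return when.weekday() < 5 and 9 <= when.hour < 17


# Each rule is a named yes/no question, as on the slide.
FILE_RULES = [
    ("in management group", in_management),
    ("9AM-5PM Monday-Friday", business_hours),
]


def evaluate(subject, when, rules=FILE_RULES):
    """Return (allowed, failed_rule). Every rule must answer yes."""
    for name, rule in rules:
        try:
            ok = rule(subject, when)
        except Exception:
            ok = False  # a rule that cannot be evaluated denies access
        if not ok:
            return False, name
    return True, None


if __name__ == "__main__":
    manager = {"name": "bob", "groups": {"management"}}  # constructed subject
    staff = {"name": "alice", "groups": {"it_dept"}}      # constructed subject
    tuesday_10am = datetime(2010, 3, 2, 10, 0)
    saturday_10am = datetime(2010, 3, 6, 10, 0)
    print(evaluate(manager, tuesday_10am))
    print(evaluate(manager, saturday_10am))
    print(evaluate(staff, tuesday_10am))
```

Returning the name of the failed rule gives the access log something to record for each denial.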

19 Physical Security Access Control

20 Security Zones (108) Fences, walls, bollards, etc., along with access control mechanisms, can be brought together to create “security” zones. Each zone has some different security level or work type. Example: – Lobby – low security, public access – Offices – medium security, restricted access – R&D – high security, extremely restricted access – (see next slide)

21 Security Zones (108) Each inner level becomes more restricted and more secure. Stronger authentication, access control, and monitoring at the entry point to each zone.

22 ID Badges (108) Used in most large organizations or organizations concerned with security. Can be combined with other authorization technologies. Why is it important that everyone display an ID badge?

23 Physical Access Lists and Logs (109) I’m on the VIP list… can I jump through the line? What is the purpose? Why bother logging?

24 Physical Tokens (110) Authentication devices that enable access to a resource. User Activated – KeyFob (RSA SecurID) – Smart Card – Memory Card. Proximity Devices – How do these work? – Advantages – Disadvantages

25 Cipher Lock (110)

26 Cipher Locks What is a Cipher Lock? Advantages Disadvantages Two Types Fail Safe Fail Secure

27 Piggybacking (109) What is Piggybacking? Countermeasures?

28 Man Trap (111)

29 What other Advantages besides anti-piggybacking do man traps offer?

30 Bollards (n/b)

31 Bollards What is the purpose of a Bollard?

32 Walls (n/b) You know what they are. Choose a wall with the strength to support the security application. This might also include fire rating! If using strong walls… ensure that a “bad guy” cannot simply subvert the walls and go around them. – Raised floors – Plenum area

33 Fencing (n/b) Can deter and delay intruders; first line of defense. Fences 3-4 feet high only deter casual trespassers. Fences 6-7 feet high are considered too high to climb easily. Fences 8 feet high are considered serious. Use for critical areas.

34 Hardware Locks (112)

35 Lock Picking (n/b)

36 Surveillance (114) CCTVs and recording devices to record video of the site. It deters criminal activity. Can be used later as evidence or to determine what happened. Can be color or B&W. Can be low-light. Can be wired or wireless – What’s a concern of each? CCTVs should generally have PTZ capability and auto-irises. Placement is very important, especially if PTZ and zoom features do not exist.

37 Logical (Technical) Access Control Methods

38 Logical Access Control Logical (technical) access controls use technology based means of restricting access. This is different than the physical access control that we just described. Some types of Logical Access Control systems that we will discuss in the next couple of slides are: Access Control Lists, Group Policies, Account Restrictions.

39 ACLs (115) For each object, list all the subjects that have access to that object and the level of access they have. Access Control lists are used on files and printers… but ALSO with firewalls. Ex. permit tcp any any host www.me.com eq 80

40 Bitmap Permissions (n/b) Unix uses a different type of logical access control called “unix permissions”. They consist of 3 “rights” that can be assigned to 3 different categories of subjects. rights = read, write, execute; subjects = user_owner, group_owner, everyone_else. Example: rwxr-xr-- brianb it_dept /home/brianb/myfile
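How the slide's example line is evaluated, as an added example that is not part of the original slides. It parses the nine permission characters and applies the Unix rule that only the first matching category (owner, then group, then everyone else) is consulted; the users alice and carol and the second file entry are constructed, and setuid/setgid/sticky characters are out of scope.

```python
def parse_mode(mode):
    """Split 'rwxr-xr--' into three sets of rights: owner, group, other."""
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters")
    classes = []
    for start in range(0, 9, 3):
        rights = set()
        for offset, letter in enumerate("rwx"):
            ch = mode[start + offset]
            if ch == letter:
                rights.add(letter)
            elif ch != "-":
                raise ValueError("unsupported character: " + ch)
        classes.append(rights)
    return classes


def to_octal(mode):
    """Render the same nine bits as the octal form used by chmod."""
    parse_mode(mode)  # validate first
    bits = "".join("0" if ch == "-" else "1" for ch in mode)
    return format(int(bits, 2), "03o")


def may_access(user, groups, right, entry):
    """right is 'r', 'w' or 'x'. Only the first matching category applies."""
    owner, group, other = parse_mode(entry["mode"])
    if user == entry["owner"]:
        return right in owner
    if entry["group"] in groups:
        return right in group
    return right in other


# The slide's example line.
MYFILE = {"mode": "rwxr-xr--", "owner": "brianb", "group": "it_dept",
          "path": "/home/brianb/myfile"}
# Constructed entry: the owner has fewer rights than the owning group.
ODD = {"mode": "r--rwx---", "owner": "brianb", "group": "it_dept",
       "path": "/tmp/example"}

if __name__ == "__main__":
    print(to_octal(MYFILE["mode"]))
    print(may_access("alice", {"it_dept"}, "w", MYFILE))
    print(may_access("brianb", {"it_dept"}, "w", ODD))
```

The second entry shows a common surprise: the owner is denied write even though his own group has it, because the group bits are never checked for the owner.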

41 Group Policies (116) In Windows “domain” (Active Directory) environments, a way to centrally control access and policies. Can be applied to users/groups, or can be applied to groups of computers.

42 Group Policies (115-118) Common uses of group policies – Enforcing password policies – Enabling or disabling services – Forcing IE security and configuration settings – Disabling USB storage (Why is this important?) – Disabling Autorun (Why is this important?)

43 Account Restrictions (119) In Windows, accounts can be Domain accounts (centralized) or Local accounts (on each machine). What are the pros and cons of each? (Unix has similar functionality with NIS and LDAP)

44 Time of Day Restrictions (120) Windows also allows users' login times to be strictly enforced. Unix systems can also enforce this type of restriction via PAM (Pluggable Authentication Modules).

45 Account Expirations (121) A good practice when creating accounts is to also provide an account expiration date, if it is known. This is very good for temporary/contract workers. Both Unix and Windows systems provide this functionality.

