ISA 400 Management of Information Security
Philip Robbins – February 6, 2016
Access Control
Information Security & Assurance Program, University of Hawai'i West Oahu
Week #4

Presentation transcript:

Slide 1: ISA 400 Management of Information Security – Access Control (Week #4)

Slide 2: Topics
- Domain: Access Control
- Review Questions, Q&A
- Quiz #2
- Assignment #2 due February 12, 2016 @ 10PM

Slide 3: Access Control

4 4 Overview Access Control is the process of allowing only authorized subjects to observe, modify, or otherwise take possession of an object. Access controls enable management to: specify which users can access a system specify what resources those users can access specify what operations those users can perform enforce accountability for those users’ actions

Slide 5: Subject vs. Object
- Subject – The active entity on the network
- Object – The passive entity on the network

Slide 6: Domain Objectives
- Understand types of controls (preventive vs. detective)
- Techniques (discretionary, mandatory, nondiscretionary)
- Difference between Identification, Authentication, Authorization, Access, and Accountability
- Authorization mechanisms
- Logging and monitoring
- Understand access control threats & attacks

Slide 7: Access
The flow of information between a subject and an object.
Access control mechanisms:
- Help protect the assets of an enterprise against threats and vulnerabilities by reducing exposure.
- Allow only approved access to information systems.

Slide 8: Threats to Access Controls
- Denial of Service (DoS)
- Distributed Denial of Service (DDoS)
- Buffer Overflow Attacks
- Sniffers and Wiretapping
- Emanations
- Spoofing / Masquerading
- Piggybacking & Tailgating

Slide 9: Threats to Access Controls (continued)
- Data Remanence
- Dumpster Diving
- Backdoors
- Reliance on legacy applications
- Theft
- Social Engineering
- Phishing, Pharming
- Eavesdropping & Shoulder Surfing

Slide 10: Planning for an Access Control Program
The first element of an effective access control program is to establish an access control policy.
- Specify who can access the system.
- Specify what resources they can access.
- Specify what operations they can perform.
- Provide individual accountability.

Slide 11: Security Concepts in Ascending Sequence
1. Identification
2. Authentication
3. Authorization
4. Access
5. Auditing
6. Accountability
7. Nonrepudiation

Slide 12: Identification
Process by which a subject presents an identity and accountability is initiated.
Most common forms:
- User Name
- User ID
- Account Number
- Personal Identification Number

Slide 13: Identification
When establishing identification, here are some guidelines:
- Unique: Must be able to provide positive identification
- Non-descriptive: Should not expose the role or job function of the user
- Issuance: Must be secure and documented

Slide 14: Authentication
Verifying or testing (validating) the identity of a subject (who you are).
Forms:
- Type 1: Something you know
- Type 2: Something you have
- Type 3: Something you are
Compares factors against a database. A two-step process together with identification.

Slide 15: Type 1: Something you know
- PINs, passwords, codes, or IDs (STATIC); the most common form
- Pass phrases
- Cognitive information (only the user can answer):
  - mother's maiden name
  - the model or color of your first car
  - the city where you were born
- One-time passwords (DYNAMIC)
Is a computer username a Type 1 control form?

Slide 16: Type 1: Something you know
No. Usernames are part of the identification process. An associated password is a Type 1 control form.

Slide 17: Type 1: Something you know – Password Vulnerabilities
- Dictionary attack
- Brute force attack
- Hybrid attack
- Rainbow Tables
- Social engineering
- Keystroke loggers
How could extremely complex passwords be vulnerable?

Slide 18: Type 1: Something you know – Password Security
- All users / admins should change their passwords regularly.
- Establish a minimum length for users (8 chars) and admins (15 chars).
- Require complexity: include letters, numbers, symbols, both upper- and lower-case chars.
- No dictionary (common) or slang words (in any language).
- No connection to the user: SSN, birthdays, or names.
- Never write passwords down (especially online, through email, or stored on a user's computer).
- Be aware of shoulder surfing.
- Limit reuse of old passwords.
- Set an account lockout duration (e.g. timeout 30 seconds after the first failed attempt).
- Set account lockout thresholds (e.g. disable the account after 3 failed attempts).
- Use graphical passwords.

Slide 19: Type 2: Something you have – Token Device
Makes one-time passwords possible; they are two-factor.
- Synchronous – the device synchronizes with an authentication service by using time or a counter. It can generate a password at set times.
- Asynchronous – not synchronized with the central service. The token-generating method uses a challenge/response scheme to authenticate users. Generates a password on an event.
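As an added illustration (not part of the slides), both token schemes in code: a counter-synchronized token whose server keeps its own counter, and an asynchronous token that answers a server-issued challenge. The one-time password construction follows RFC 4226 (HMAC-SHA1 with dynamic truncation); the shared secrets, the look-ahead window and the challenge format are assumptions for the example.

```python
# Added example, not from the slides: a counter-synchronized token (synchronous
# scheme) and a challenge/response token (asynchronous scheme), both deriving
# one-time values from a shared secret with HMAC. All keys, counters and
# challenges below are constructed for illustration.
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a counter value, RFC 4226 style (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SyncToken:
    """Event-synchronous token: each button press advances a local counter."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class SyncTokenServer:
    """Keeps its own copy of the counter; no challenge is ever sent to the user."""
    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, otp: str) -> bool:
        # Tolerate a few presses the server never saw, then resynchronize
        # past the consumed counter so the same OTP cannot be replayed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False


class ChallengeResponseServer:
    """Asynchronous scheme: the server issues a fresh nonce, the token answers it."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.pending = secret, None

    def challenge(self) -> str:
        self.pending = secrets.token_hex(8)
        return self.pending

    def verify(self, response: str) -> bool:
        if self.pending is None:          # no outstanding challenge
            return False
        expected = challenge_response(self.secret, self.pending)
        self.pending = None               # each challenge is single use
        return hmac.compare_digest(expected, response)


def challenge_response(secret: bytes, challenge: str) -> str:
    """What the token computes when the user keys in the displayed challenge."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def demo_synchronous(secret: bytes) -> tuple:
    """Returns (first OTP accepted, replay rejected, OTP after one skipped press accepted)."""
    token, server = SyncToken(secret), SyncTokenServer(secret)
    first = token.press()
    accepted = server.verify(first)
    replayed = server.verify(first)
    token.press()                         # pressed but never submitted: drift of one
    resynced = server.verify(token.press())
    return accepted, replayed, resynced


def demo_asynchronous(secret: bytes) -> tuple:
    """Returns (correct response accepted, reuse of the same response rejected)."""
    server = ChallengeResponseServer(secret)
    response = challenge_response(secret, server.challenge())
    return server.verify(response), server.verify(response)
```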

Slide 20: Type 2: Something you have – Smart Cards
Smart cards add another level of integrity. A PIN provides access to information on the card, and the key on the card is used during the authentication process.
- Contact cards: have 8 electrical contacts (only 6 are used) with an EEPROM.
- Contactless cards: do not have to be placed in a reader. They are often called EAC proximity cards.

Slide 21: Type 3: Something you are – Common Biometric Authentication Systems
Which is the most accurate?

Slide 22: Type 3: Something you are – Common Biometric Authentication Systems
- Palm Scan
- Hand Geometry
- Iris Recognition
- Retina Pattern
- Fingerprint
- Facial Scan
- Voice Recognition

Slide 23: Type 3: Something you are – Biometric Accuracy
- Type I Errors: False Rejection Rate (FRR) – access is denied to legitimate subjects.
- Type II Errors: False Acceptance Rate (FAR) – access is granted to subjects who shouldn't have access.
- Crossover Error Rate (CER) – the point at which Type I errors equal Type II errors. The lower the CER, the more accurate the biometric.
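The three error measures worked through in code, as an added example that is not part of the slides: FRR and FAR are computed for each decision threshold over two constructed score populations, the CER is the threshold where they meet, and a second constructed system shows why the lower CER marks the more accurate matcher. The 0-100 score scale and all score values are made up.

```python
# Added example, not from the slides: FRR (Type I), FAR (Type II) and the
# crossover error rate for a biometric matcher, computed from constructed
# match scores. The score scale (0-100) and both populations are made up.
from typing import Iterable, List, Tuple

# Constructed similarity scores from a hypothetical matcher "A".
GENUINE = [88, 92, 75, 81, 95, 69, 84, 90, 77, 86]    # enrolled, legitimate subjects
IMPOSTOR = [40, 55, 62, 48, 71, 35, 58, 66, 44, 52]   # subjects who must be rejected

# A second constructed matcher "B" whose populations overlap more.
GENUINE_B = [70, 65, 80, 60, 75, 85, 55, 90, 62, 78]
IMPOSTOR_B = [50, 68, 45, 72, 58, 63, 40, 77, 55, 61]


def frr(genuine: List[int], threshold: int) -> float:
    """Type I error rate: legitimate subjects whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type II error rate: impostors whose score reaches the threshold and are let in."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) per candidate threshold. Raising the threshold makes the
    system more sensitive: FRR rises and FAR falls (Review Question #6, option A)."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: Iterable[int]) -> Tuple[int, float]:
    """Threshold where FRR and FAR are closest, and the error rate there (the CER)."""
    ts = list(thresholds)
    best = min(ts, key=lambda t: (abs(frr(genuine, t) - far(impostor, t)), t))
    return best, (frr(genuine, best) + far(impostor, best)) / 2


def more_accurate(system_a: Tuple[List[int], List[int]],
                  system_b: Tuple[List[int], List[int]],
                  thresholds: Iterable[int] = range(0, 101)) -> str:
    """Compare two (genuine, impostor) score sets by CER: lower CER is more accurate."""
    ts = list(thresholds)
    cer_a = crossover_error_rate(system_a[0], system_a[1], ts)[1]
    cer_b = crossover_error_rate(system_b[0], system_b[1], ts)[1]
    return "A" if cer_a < cer_b else "B" if cer_b < cer_a else "tie"
```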

Slide 24: Type 3: Something you are (figure only; no transcript text)

Slide 25: Type 3: Something you are (figure only; no transcript text)

Slide 26: What about Type 4?: Someplace you are
Location-based access control.
- Used by credit card companies to control fraud.
- Can utilize Global Positioning Systems (GPS) or IP address based geo-location.

Slide 27: Authentication Control Forms in Ascending (Secure) Order
1. Something you know (password; a one-time password is best).
2. Something you have on your machine (key or token stored on the PC).
3. Something you have in your possession (smart card with PIN).
4. Something you do (keystrokes, signature).
5. Something you are (biometrics).

Slide 28: Increasing Authentication Security
To increase security you can use a combination of authentication methods.
Two-factor / Multi-factor Authentication:
- "Strong" authentication requires two (or more) different authentication types to be deployed.
- Ex. 1: To enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3).
- Ex. 2: To log on to an online banking system, you enter your username, password, and then must answer a random personal question (such as your birthplace or mother's maiden name).

Slide 29: Increasing Authentication Security
Mutual Authentication:
- Requires that both parties authenticate with each other before beginning communications.
- Your computer is required to use its digital certificate to prove its identity to a network server.
- The server is also required to prove its identity to your computer before they will exchange messages.

Slide 30: Single Sign On (SSO)
Enables a user to log on once and access all authorized network resources. AKA "federated identity management".
Pros:
- Efficient logon process
- No need for multiple passwords
Cons:
- Creates a single point of failure
- Not compatible with all systems

Slide 31: Authorization
Ensures the authenticated subject has access to the appropriate objects given the rights and privileges assigned to the subject.
An access control matrix compares:
- Subject
- Object
- Intended activity
Wide range of variations – Deny, R, RW, RWX, Modify, Full

Slide 32: Auditing
- Review & examination of records and activities
- Assesses adequacy of system controls
- Ensures compliance with policies
- Detects malicious activity
- Evidence for prosecution
- Provides problem reporting and analysis

Slide 33: Accountability
Holding one accountable for their actions. Relies upon the ability to prove a subject's identity and activities.
Established by:
- Identification
- Authentication
- Authorization
- Auditing

Slide 34: Monitoring
Used to ensure that controls are properly employed and working effectively.
- Detect deviation from established access policies.
- Record the authentication process and attempts.

Slide 35: Monitoring
Logs should include:
- User IDs
- Dates and times for log-in and log-off
- End system identity, such as IP address, host name, or MAC address
- Successful and rejected authentication and access attempts
Logs can be altered by an attacker, so log protection is very important.

Slide 36: Audit
Logs need to be reviewed regularly to see the impact of given events and to make decisions on securing the system. Using automated tools to review the logs is the most effective way to review them. Separation of duties is critical to ensure that no one individual has the ability to change logs to cover their tracks.

Slide 37: Auditing Issues and Concerns
- Control the volume of data (don't allow logs to roll over)
- Event filtering or the clipping level determines the amount of log detail captured
- Audit tools can reduce log size
- Establish procedures in advance
- Train personnel in pertinent log review
- Protect against unauthorized access that could disable auditing or delete/clear logs
- Protect the audit logs from unauthorized changes
- Store/archive audit logs securely

Slide 38: AAA
- Authentication
- Authorization
- Accountability

Slide 39: AAA
Be sure to understand the difference between: Access vs. Identification vs. Authentication vs. Authorization vs. Accountability vs. Auditing

Slide 40: Nonrepudiation
Ensures that the subject of an activity cannot deny that an activity or event occurred.
Established by:
- Identification
- Authentication
- Authorization
- Accountability
- Auditing

Slide 41: Review
Access to data and resources is concerned with:
- Identification: Who the subject is.
- Authentication: Verification of the subject.
- Authorization: What a subject can do.
- Access: Control between the subject & object.
- Accounting: What a subject has done.
- Auditing: Proof of Non-Repudiation.
- Non-Repudiation: Can't deny an activity / event.

Slide 42: Principles
- Separation of Duties/Responsibilities
- Rotation of Duties
- Need to Know
- Implicit vs. Explicit Deny
- Least Privilege
- Compartmentalization
- Defense in Depth

Slide 43: Principles – Separation of Duties
- Ensures tasks are broken down and are accomplished by, or involve, more than one individual.
- A check-and-balance system.

Slide 44: Principles – Least Privilege (Need to Know)
Users should have only the necessary (minimum) rights, privileges, or information to perform their tasks (no additional permissions).

Slide 45: Principles – Job Rotation
- Rotating individuals through jobs / tasks.
- The organization does not become dependent on a single employee.

Slide 46: Principles – Implicit Deny
- "Deny all" authorization and access (blacklisted) unless specifically allowed (whitelisted).
- Default security rule for firewalls, routers, etc.
Explicit Deny
- "Allow all" authorization and access (open) unless specifically disallowed (blacklisted).

Slide 47: Review
Be sure to understand the difference between: Least Privilege vs. Separation of Duties vs. Job Rotation, and Implicit vs. Explicit Deny

Slide 48: Methods
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
  - Rule Based Access Control
- Nondiscretionary Access Control
  - Role Based Access Control (RBAC)
  - Task Based Access Control
- Content-Dependent Access Control
- Context-Dependent Access Control
- Centralized vs. Decentralized Access Control

Slide 49: Mandatory Access Control (MAC)
- Based on Sensitivity Labels
- Controlled by Security Policy Administrators
- Users cannot override the Security Policy

Slide 50: Discretionary Access Control (DAC)
- Users set privileges on information they own.
- Sensitivity Labels are not required.
- Dynamic and allows the sharing of information.
- Can lead to loss of Information Security Services.

Slide 51: Role Based Access Controls (RBAC)
- Roles are created based on the functions and tasks that a role will carry out. Users are assigned to roles, permissions are assigned to the roles, and users only acquire permissions on assumption of the role.
- Permissions are assigned to a billet or position (not an individual).
- Ideal for high-turnover positions.

Slide 52: Rule Based Access Controls
- Policy driven.
- Used in routers and firewalls for network access.
- Access Control Lists (ACLs) are the most common form – also a DAC.
- Used in NTFS.
- A DAC system because the owner establishes the access controls.
- Think hardware.

Slide 53: Content Dependent Access Control
- Based on the actual content of the data.
- Uses a program to inspect the data to make decisions.
- Requires more processing power.
Types:
- Database views
- URL Filters
- Virus Scanning
- Application Layer Proxy / Firewall
- Intrusion Detection / Prevention Systems

Slide 54: Centralized Access Control
A single entity makes access decisions for resources.
- Strict control over a Domain
- Autonomous System / Realm / Zone – "Circle of Trust"
- Examples: RADIUS and TACACS+ servers
- Creates a single point of failure.

Slide 55: Decentralized Access Control
Gives control of access to the people closer to the resources: department managers, and sometimes the user.
- Doesn't require a central entity.
- Faster – less red tape.
- Overlapping rights / redundant access controls.
- Policies not enforced uniformly.
- Could cause security gaps.

Slide 56: Aggregation of Access
- Single Sign On – An intentional result moderated by Directory Services.
- Authorization Creep – A user gains access rights as he/she moves around in the system or assumes new duties, yet still retains past rights.

Slide 57: Information Classification
The practice of evaluating the sensitivity of the organization's information to ensure that the information receives the appropriate level of protection.

Slide 58: Information Classification
Classify data by its need for:
- Secrecy / Confidentiality
- Sensitivity
- Impact (Value or Cost)
- Severity (Usefulness)
Determines the effort, money, & resources allocated to protect data. Formalize & stratify the labeling process.

Slide 59: Classification of Information – Sensitivity / Confidentiality Labeling Examples
- Unclassified (UNCLASS)
- For Official Use Only (FOUO)
- Confidential
- Secret (S)
- Secret Releasable (S//REL)
- Top Secret (TS)
- Sensitive Compartmented Information (TS/SCI)

Slide 60: Classification of Information

Military:
Level        | Type                    | Result if Disclosed
Top Secret   | highest                 | grave danger
Secret       | restricted data         | critical damage
Confidential | between Secret and SBU  | serious damage
SBU          | private in nature       | no significant damage
Unclassified | lowest                  | no noticeable damage

Commercial:
Level        | Type                          | Result if Disclosed
Confidential | highest; extremely sensitive  | negative impact
Private      | personal in nature            | significant negative impact
Sensitive    | more classified than public   | negative impact
Public       | lowest                        | no serious impact

Proprietary data – a form of Confidential; disclosure has drastic effects on competitive edge.

Slide 61: Information Classification Benefits
- Establishes ownership of information
- Identification of critical information assets
- Greater understanding of the value and handling of sensitive data
- Better return on security investment
- Greater understanding of the location of information in the infrastructure
- Greater organizational awareness

Slide 62: Planning for an Information Classification Program
- Determine classification goals
- Establish organizational support
- Develop policy, standards and procedures
- Develop tools for implementation
- Identify application and data owners and delegation
- Develop templates, labeling and marking
- Classify information and applications
- Develop auditing procedures
- Centralize data repositories
- Train users
- Periodically review and update classifications
- Conduct classification assurance testing

Slide 63: Bell-LaPadula Confidentiality Security Model
- Principle 1: Simple Security (No Read Up) Rule – No subject can read from an object with a security classification higher than that possessed by the subject.
- Principle 2: *-property (No Write Down) Rule – Allows a subject to write only to an object of equal or greater security classification.
Why wouldn't you be able to write down to a lower class?

Slide 64: Bell-LaPadula Confidentiality Security Model
Writing down could result in overt leakage of information (a spill) from a higher to a lower classification.

Slide 65: Biba Integrity Security Model
- Policy 1: Low-Water-Mark – Prevents unauthorized modification of data: subjects may not write to objects of a higher integrity label.
- Policy 2: Ring – Allows a subject to read any object without regard to the object's level of integrity and without lowering the subject's integrity level.
Integrity vs. classification security models...
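A toy reference monitor, added here as an example that is not part of the slides, enforcing the Bell-LaPadula rules of slides 63-64 and the two Biba read policies of slide 65. The level names, subjects and objects are constructed; the monitor returns a decision for each request so the read-down/write-down asymmetry and the "contamination" effect of the low-water-mark policy can be checked directly.

```python
# Added example, not from the slides: a toy reference monitor that enforces
# the Bell-LaPadula rules from slides 63-64 and the two Biba policies from
# slide 65. Level names, subjects and objects are constructed for illustration.
from dataclasses import dataclass

CLASSIFICATION = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Entity:
    name: str
    level: str        # clearance/classification (BLP) or integrity label (Biba)


# --- Bell-LaPadula: confidentiality --------------------------------------
def blp_can_read(subject: Entity, obj: Entity) -> bool:
    """Simple security property: no read up."""
    return CLASSIFICATION[subject.level] >= CLASSIFICATION[obj.level]


def blp_can_write(subject: Entity, obj: Entity) -> bool:
    """*-property: no write down. A subject may write only to an object at its own
    level or higher, so what a Secret subject has read cannot spill into an
    Unclassified object."""
    return CLASSIFICATION[obj.level] >= CLASSIFICATION[subject.level]


# --- Biba: integrity ------------------------------------------------------
def biba_can_write(subject: Entity, obj: Entity) -> bool:
    """Shared by both Biba policies on slide 65: no writing to an object whose
    integrity label is higher than the subject's."""
    return INTEGRITY[obj.level] <= INTEGRITY[subject.level]


def biba_low_water_mark_read(subject: Entity, obj: Entity) -> bool:
    """Low-water-mark policy: any read is allowed, but reading a lower-integrity
    object drags the subject's own integrity level down to that object's level."""
    if INTEGRITY[obj.level] < INTEGRITY[subject.level]:
        subject.level = obj.level
    return True


def biba_ring_read(subject: Entity, obj: Entity) -> bool:
    """Ring policy: any read is allowed and the subject's integrity level is unchanged."""
    return True


def demo_blp() -> tuple:
    """A Secret-cleared subject against Unclassified, Top Secret and Secret objects."""
    analyst = Entity("analyst", "Secret")
    memo, plan, report = Entity("memo", "Unclassified"), Entity("plan", "Top Secret"), Entity("report", "Secret")
    return (blp_can_read(analyst, memo),     # read down: allowed
            blp_can_read(analyst, plan),     # read up: denied
            blp_can_write(analyst, memo),    # write down: denied (the spill)
            blp_can_write(analyst, plan),    # write up: allowed
            blp_can_write(analyst, report))  # same level: allowed


def demo_biba() -> tuple:
    """How the two read policies differ once a High subject has read a Low object."""
    lwm, ring = Entity("svc-lwm", "High"), Entity("svc-ring", "High")
    untrusted, config = Entity("web-input", "Low"), Entity("config", "Medium")
    biba_low_water_mark_read(lwm, untrusted)
    biba_ring_read(ring, untrusted)
    return (lwm.level, biba_can_write(lwm, config),     # now Low: cannot write Medium
            ring.level, biba_can_write(ring, config))   # still High: can write Medium
```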

Slide 66: Capability Tables
Specifies the access rights a certain subject possesses pertaining to specific / multiple objects. A capability table is different from an ACL in that the subject is bound to the table, whereas an ACL is bound to the object. Used in Kerberos.

Slide 67: Access Control Matrix (ACM)
A table of subjects and objects indicating what actions individual subjects can take upon individual objects. The table structure behind an ACL. Subject and object are identified; permissions are incorporated within the matrix.
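The relationship between the three structures in code, added here as an example that is not part of the slides: one access control matrix, the ACL read out of it as a column (bound to the object) and the capability list read out as a row (bound to the subject), with the implicit-deny default from slide 46 placed next to the explicit-deny alternative for contrast. The subjects, objects and rights are constructed.

```python
# Added example, not from the slides: one access control matrix and the ACL
# (a column, bound to the object) and capability list (a row, bound to the
# subject) read out of it, plus the implicit-deny default from slide 46 next
# to the explicit-deny alternative. Subjects, objects and rights are constructed.
from typing import Dict, FrozenSet, Set, Tuple

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]    # subject -> object -> rights

# Constructed matrix: rows are subjects, columns are objects.
MATRIX: Matrix = {
    "alice": {"payroll.db": frozenset({"R", "W"}), "report.pdf": frozenset({"R"})},
    "bob":   {"report.pdf": frozenset({"R", "W", "X"})},
    "carol": {},                          # authenticated, but granted nothing
}


def acl_for(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """ACL view: the matrix column for one object."""
    return {subj: row[obj] for subj, row in matrix.items() if obj in row}


def capabilities_for(matrix: Matrix, subj: str) -> Dict[str, Rights]:
    """Capability-table view: the matrix row for one subject."""
    return dict(matrix.get(subj, {}))


def matrix_from_acls(acls: Dict[str, Dict[str, Rights]]) -> Matrix:
    """Rebuild the matrix from per-object ACLs; both views carry the same information."""
    matrix: Matrix = {}
    for obj, entries in acls.items():
        for subj, rights in entries.items():
            matrix.setdefault(subj, {})[obj] = rights
    return matrix


def allowed_implicit_deny(matrix: Matrix, subj: str, obj: str, op: str) -> bool:
    """Default deny: a missing cell means no access, so carol and unknown subjects are refused."""
    return op in matrix.get(subj, {}).get(obj, frozenset())


def allowed_explicit_deny(denied: Set[Tuple[str, str, str]], subj: str, obj: str, op: str) -> bool:
    """Default allow, the weak alternative: only listed (subject, object, op) triples are
    refused, so anything the administrator forgot to list goes through."""
    return (subj, obj, op) not in denied
```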

Slide 68: Access Control Categories
- Physical Controls
- Technical / Logical Controls
- Administrative / Operational Controls
Remember there is no best category. Use a DiD (defense in depth) strategy.

Slide 69: Physical Controls
The non-technical environment, such as locks, fire management, gates, and guards.
- Network segregation
- Perimeter security
- Work area separation
- Data backups
- Cabling
- Protected Distribution Systems (PDS)

Slide 70: Technical / Logical Controls
HW and SW mechanisms used to manage access to resources and systems and provide protection for those systems.
- User access
- Network & System access
- Remote access
- Application access
- Malware control
- Encryption

Slide 71: Administrative / Operational Controls
Policies and procedures defined by an organization's security policy to implement and enforce overall access control.
- Security Policy
- Operational (Security) Procedures
- Personnel Security, Evaluation, and Clearance
- Monitoring and Supervision
- User Management
- Privilege Management

Slide 72: Access Control Types
- Preventive – Stop unwanted / unauthorized activity
- Deterrent – Discourage a potential attacker
- Detective – Identify an incident's activities
- Corrective – Fix systems after an incident
- Recovery – Restore resources and capabilities
- Directive – Controls put in place due to regulation or environmental requirement
- Compensating – Provide alternatives to other controls (security policy, personnel supervision)

Slide 73: Examples by Category & Type

Category       | Deterrent          | Preventive                   | Detective               | Compensating                        | Corrective                            | Recovery
Administrative | Policy             | User Registration Procedures | Review Violation Report | Supervision, Job Rotation           | Termination                           | Disaster Recovery Plan
Technical      | Warning Banner     | Password Based Login         | Logs, IDS               | Logging, CCTV, Keystroke monitoring | Unplug, Isolate, Terminate Connection | Tape backup
Physical       | Beware of Dog Sign | Fence                        | Sentry, CCTV            | Layered Defense                     | Fire Extinguisher                     | Reconstruction, Rebuild

Slides 74–97: Review Questions

Question #1: An access control policy for a bank teller is an example of the implementation of which of the following?
A. Rule-based policy
B. Identity-based policy
C. User-based policy
D. Role-based policy

Question #2: Which access control policy is enforced when an environment uses a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory

Question #3: An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
A. Discretionary Access
B. Least Privilege
C. Mandatory Access
D. Separation of Duties

Question #4: What is the reason for enforcing separation of duties?
A. No one person can complete all the steps of a critical activity
B. It induces an atmosphere for collusion
C. It increases dependence on individuals
D. It makes critical tasks easier to accomplish

Question #5: What security model is dependent on security labels?
A. Discretionary Access Control
B. Label-Based Access Control
C. Mandatory Access Control
D. Non-Discretionary Access Control

Question #6: Which of the following statements pertaining to biometrics is false?
A. Increased system sensitivity can cause a higher false rejection rate
B. The crossover error rate is the point at which FRR equals the FAR
C. False acceptance rate is also known as Type II error
D. Biometrics are based on the Type 2 authentication mechanism

Question #7: Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are DRIVING the program?
A. The Delphi approach
B. The top-down approach
C. The bottom-up approach
D. The technology approach

Question #8: Which of the following is most likely to be useful in detecting intrusions?
A. Access control lists
B. Security labels
C. Audit trails
D. Information security policies

Question #9: What primary role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability

Question #10: Which of the following statements relating to the Bell-LaPadula security model is FALSE?
A. A subject is not allowed to read up.
B. The *-property restriction can be escaped by temporarily downgrading a high level subject.
C. A subject is not allowed to read down.
D. It is restricted to confidentiality.

Question #11: What does the Clark-Wilson security model focus on?
A. Confidentiality
B. Integrity
C. Accountability
D. Availability

Question #12 (last one): Which type of control is concerned with avoiding occurrences of risks?
A. Deterrent controls
B. Detective controls
C. Preventive controls
D. Compensating controls

Slide 98: Quiz #2
Short answer, closed book, closed notes.

Slide 99: Questions?
probbins@hawaii.edu
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/ISA400.SP16/

