Chapter 14: Controlling and Monitoring Access

Comparing Access Control Models
- Comparing permissions, rights, and privileges
- Understanding authorization mechanisms
- Defining requirements with a security policy
- Implementing defense in depth
- Discretionary access controls
- Nondiscretionary access controls

Comparing Permissions, Rights, and Privileges
- Permissions – Access granted for an object
- Rights – Ability to take action on an object
- Privileges – Combination of rights and permissions

Understanding Authorization Mechanisms
- Implicit deny
- Access control matrix
- Capability tables
- Constrained interface
- Content-dependent control
- Context-dependent control
- Need to know
- Least privilege
- Separation of duties and responsibilities

Defining Requirements with a Security Policy
- Clarifies requirements
- Shows senior leadership support
- Sets guidelines and parameters

Implementing Defense in Depth
- Protects against single-focused attacks
- Technology in combination with physical access controls and administrative access controls
- Document in security policy
- Personnel are key
- Uses combined solution approach

Discretionary Access Controls
- Owner, creator, or custodian defines access
- Based on identity
- Uses ACLs on each object
- Not centrally managed
- Supports change

Nondiscretionary Access Controls
- Centrally administered
- Changes affect entire environment
- Not based on identity; instead uses rules
- Less flexible
- Rule-based
- Role-based
- Attribute-based
- Lattice-based

Mandatory Access Control
- A nondiscretionary-based access control
- Based on classifications
  – Top secret, secret, confidential
  – Confidential/proprietary, private, sensitive, public
- Compartmentalization
- Need to know
- Hierarchical
- Hybrid
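The authorization mechanisms slide and the MAC slide above describe structures that are easier to see in code. The block below is an added example, not from the chapter or the slides: an access control matrix with implicit deny, read as ACLs (one column per object) and as capability tables (one row per subject), plus a hybrid MAC check that combines a hierarchical classification with compartments (need to know). All subjects, objects, levels and compartments are constructed sample values.

```python
# Added example (not from the slides): access control matrix with implicit deny,
# its ACL and capability-table views, and a hybrid MAC dominance check.
from dataclasses import dataclass, field

# Constructed sample matrix: (subject, object) -> permissions granted.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "memo.txt"): {"read"},
    ("bob", "memo.txt"): {"read", "write"},
}

def is_allowed(subject, obj, permission):
    """Implicit deny: anything not explicitly listed in the matrix is refused."""
    return permission in MATRIX.get((subject, obj), set())

def acl(obj):
    """Column view (ACL): which subjects hold which permissions on one object."""
    return {s: sorted(p) for (s, o), p in MATRIX.items() if o == obj}

def capability_table(subject):
    """Row view (capability table): which objects a subject may act on, and how."""
    return {o: sorted(p) for (s, o), p in MATRIX.items() if s == subject}

# Hierarchical classification levels, lowest to highest (constructed ordering
# using the government labels named on the slide).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

def dominates(clearance, classification):
    """Hybrid MAC: the clearance must sit at or above the object's level AND
    include every compartment the object is tagged with (need to know)."""
    return (LEVELS[clearance.level] >= LEVELS[classification.level]
            and classification.compartments <= clearance.compartments)

def mac_read_allowed(subject_clearance, object_label):
    """A subject may read an object only if its clearance dominates the label."""
    return dominates(subject_clearance, object_label)
```

Note that a high hierarchical level alone is not enough: a "top secret" clearance without the object's compartment is still refused, which is the compartmentalization point of the slide.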

Understanding Access Control Attacks
- Risk elements
- Identifying assets
- Identifying threats
- Identifying vulnerabilities
- Common access control attacks
- Summary of protection methods

Risk Elements
- Risk
- Assets
- Threat
- Vulnerability
- Risk management

Identifying Assets
- Asset valuation
- Tangible value
- Intangible value
- Cost-benefit analysis

Identifying Threats
- Threat modeling
- SD3+C
- Goals:
  – Reduce number of defects
  – Reduce severity of remaining defects
- Focused on assets
- Focused on attackers
- Focused on software
- Advanced persistent threat (APT)

Identifying Vulnerabilities
- Vulnerability analysis
- Weakness to threat
- Technical and administrative
- Vulnerability scans

Common Access Control Attacks 1/2
- Impersonation
- Access aggregation
- Password
  – Dictionary
  – Brute force
  – Birthday
  – Rainbow table
- Sniffer

Common Access Control Attacks 2/2
- Spoofing
- Social engineering
  – Phishing
  – Spear phishing
  – Whaling
  – Vishing
- Smartcard
- Denial of service

Summary of Protection Methods
- Control physical access and electronic access
- Encrypt password files
- Create a strong password policy
- Use password masking
- Deploy multifactor authentication
- Use account lockout controls
- Use last logon notification
- Educate users about security
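The account lockout control listed above is the direct countermeasure to the dictionary and brute-force password attacks on the earlier slide. The block below is an added example, not from the chapter: a lockout policy replayed over constructed login events. The threshold, window and lock duration are assumed policy values, not figures from the slides.

```python
# Added example (not from the slides): account lockout applied to constructed
# login events. Policy numbers below are assumptions, not values from the chapter.
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5     # failures before the account is locked (assumed)
LOCKOUT_WINDOW = 300      # seconds within which those failures must occur (assumed)
LOCKOUT_DURATION = 900    # seconds the account stays locked (assumed)

class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record(self, user, success, now):
        """Process one login attempt; return 'locked', 'allowed' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"                  # refused even with a correct password
        if success:
            self.failures[user].clear()      # a good login resets the counter
            return "allowed"
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > LOCKOUT_WINDOW:
            q.popleft()                      # forget failures outside the window
        if len(q) >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            q.clear()
            return "locked"
        return "failed"

# Constructed sample events: (epoch seconds, user, password was correct).
# Five rapid failures, then the correct password during the lock, then a
# later successful login after the lock has expired.
EVENTS = [(0, "carol", False), (10, "carol", False), (20, "carol", False),
          (30, "carol", False), (40, "carol", False), (50, "carol", True),
          (1000, "carol", True)]

def replay(events, policy=None):
    """Return the policy decision for each event in order."""
    policy = policy or LockoutPolicy()
    return [policy.record(user, ok, t) for t, user, ok in events]
```

The sixth event shows why lockout blunts guessing attacks: even the correct password is refused while the lock is in force, so each lock costs the guesser the whole lock duration rather than one attempt.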