Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 14: Controlling and Monitoring Access. Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization.

Published byCory Collins Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 14: Controlling and Monitoring Access. Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization."— Presentation transcript:

1 Chapter 14: Controlling and Monitoring Access

2 Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization mechanisms Defining requirements with a security policy Implementing defense in depth Discretionary access controls Nondiscretionary access controls

3 Comparing Permissions, Rights, and Privileges Permissions – Access granted for an object Rights – Ability to take action on an object Privileges – Combination of rights and permissions

4 Understanding Authorization Mechanisms Implicit deny Access control matrix Capability tables Constrained interface Content-dependent control Context-dependent control Need to know Least privilege Separation of duties and responsibilities

5 Defining Requirements with a Security Policy Clarifies requirements Shows senior leadership support Sets guidelines and parameters

6 Implementing Defense in Depth Protects against single-focused attacks Technology in combination with physical access controls and administrative access controls Document in security policy Personnel are key Uses combined solution approach

7 Discretionary Access Controls Owner, create, custodian define access Based on identity Uses ACLs on each object Not centrally managed Supports change

8 Nondiscretionary Access Controls Centrally administered Changes affect entire environment Not based on identity, instead uses rules Less flexible Rule-based Role-based Attribute-based Lattice-based

9 Mandatory Access Control A nondiscretionary-based access control Based on classifications Top secret, secret, confidential Confidential/proprietary, private, sensitive, public Compartmentalization Need to know Hierarchical Hybrid

10 Understanding Access Control Attacks Risk elements Identifying assets Identifying threats Identifying vulnerabilities Common access control attacks Summary of protection methods

11 Risk Elements Risk Assets Threat Vulnerability Risk management

12 Identifying Assets Asset valuation Tangible value Intangible value Cost-benefit analysis

13 Identifying Threats Threat modeling SD3+C Goals: – Reduce number of defects – Reduce severity of remaining defects Focused on assets Focused on attackers Focused on software Advanced persistent threat (APT)

14 Identifying Vulnerabilities Vulnerability analysis Weakness to threat Technical and administrative Vulnerability scans

15 Common Access Control Attacks 1/2 Impersonation Access aggregation Password – Dictionary – Brute force – Birthday – Rainbow table Sniffer

16 Common Access Control Attacks 2/2 Spoofing Social engineering – Phishing – Spear phishing – Whaling – Vishing Smartcard Denial of service

17 Summary of Protection Methods Control physical access and electronic access Encrypt password files Create a strong password policy Use password masking Deploy multifactor authentication Use account lockout controls Use last logon notification Educate users about security

Download ppt "Chapter 14: Controlling and Monitoring Access. Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization."

Similar presentations

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
CISSP Luncheon Series: Access Control Systems & Methodology

CISSP Luncheon Series: Access Control Systems & Methodology
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.
Controls for Information Security

Controls for Information Security
Lecture 7 Access Control

Lecture 7 Access Control
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Database Security By Bei Yuan. Why do we need DB Security? Make data arranged and secret Secure other’s DB.

Database Security By Bei Yuan. Why do we need DB Security? Make data arranged and secret Secure other’s DB.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Tonight 1) Where we are 2) Article Presentation(s) 3) Quiz 4) Lecture 5) In-class lab(s)

Tonight 1) Where we are 2) Article Presentation(s) 3) Quiz 4) Lecture 5) In-class lab(s)

Similar presentations

Ads by Google