
Domain 5 – Identity and Access Management



Presentation on theme: "Domain 5 – Identity and Access Management" – Presentation transcript:

1 Domain 5 – Identity and Access Management
Physical and logical assets control – Bar coding and inventory tagging
Identification and authentication of people and devices
Identity as a service – SAML
Third-party identity services – AD questions and how passwords are stored
Access control attacks – Know brute-force attacks and every way to log on as someone else
Identity and access provisioning lifecycle (provisioning review)

2 Physical and logical assets control – Bar coding/Inventory
RFID, barcoding and inventory tagging represent the ability to prevent theft, which reduces risk.

3 Identification and authentication of people and devices
Know brute force attacks – best on spreadsheets and their passwords.
Biometrics:
False Rejection – Failure to recognize a legitimate user – Type I error
False Acceptance – Erroneous recognition, either by confusing one user with another or accepting an imposter as a legitimate user – Type II error
Fingerprint readers
Facial recognition
Hand geometry
Voice recognition
Iris pattern
Retinal scanning
Signature dynamics
Vascular patterns – difficult to forge, contactless, varied uses, 1:1 or 1:many matches
Keystroke dynamics

4 Identification and authentication of people and devices
CER – Crossover error rate (also called equal error rate): the threshold at which the false rejection rate equals the false acceptance rate
Object reuse – Space on a disk that was allocated and not given back to the OS
Tempest attack and white noise – Few questions on the Tempest attack, which is reading a screen at a distance, and on white noise, which you can pump down a wire to scramble or mask an attack
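Worked example of the Type I / Type II error rates from slide 3 and the crossover error rate from slide 4. This is an added example, not code from the presentation: the match scores below are constructed (higher score means a closer match, and a sample is accepted when its score is at or above the threshold), and the function names are mine.

```python
"""Added example (not from the presentation): compute the False Rejection
Rate (Type I), the False Acceptance Rate (Type II) and the crossover error
rate (CER) of a biometric matcher by sweeping the decision threshold.
Scores are constructed for illustration."""

# Constructed match scores.  GENUINE: the enrolled user presenting themselves.
# IMPOSTOR: someone else presenting against that user's template.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR = [0.12, 0.21, 0.30, 0.38, 0.45, 0.52, 0.58, 0.63, 0.69, 0.77]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for a given acceptance threshold.

    FRR (Type I): legitimate users whose score falls below the threshold.
    FAR (Type II): impostors whose score reaches the threshold.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a candidate threshold and return
    (threshold, cer) at the point where FAR and FRR are closest.

    Raising the threshold lowers FAR but raises FRR; the crossover is the
    usual single-number comparison between biometric devices."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.5, 0.63, 0.8):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.1f}  FRR={frr:.1f}")
    t, cer = crossover()
    print(f"crossover at threshold={t:.2f}, CER={cer:.1f}")
```

With the constructed scores the rates cross at a threshold of 0.63, where both FAR and FRR are 0.3; a stricter threshold (0.9) accepts no impostor but rejects 9 of 10 legitimate attempts, which is the trade-off the slide's Type I / Type II terminology describes.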

5 SAML and OAuth
Security Assertion Markup Language (SAML) – XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
OAuth is an open standard for authorization, commonly used as a way for internet users to log into third-party websites using their Microsoft, Google, Facebook, etc. accounts without exposing their password.

6 AD Passwords and Kerberos
AD passwords are stored as a hash.
Replay attacks happen here. A replay attack occurs when an intruder steals a packet from the network and forwards that packet to a service or application as if the intruder were the user who originally sent the packet. When the packet is an authentication packet, the intruder can use the replay attack to authenticate on another person's behalf and consequently access that person's resources or data.
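The slide names the attack; the defence a Kerberos-style service uses is a replay cache. Each authenticator carries the client name and a timestamp, the service refuses any timestamp outside the permitted clock skew, and it refuses any (client, timestamp) pair it has already accepted, so a captured authentication packet cannot be presented a second time. The code below is an added example of that mechanism, not code from the presentation or from any Kerberos implementation; the class, the five-minute skew and the sample values are my own constructions.

```python
"""Added example (not from the presentation): a replay cache of the kind a
Kerberos-style service keeps to reject re-sent authenticators.  Values are
constructed; the skew limit is an assumption, not a quoted implementation."""
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance between client and server clocks


class ReplayCache:
    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # (client, timestamp) -> server time when first accepted

    def _expire(self, now):
        """Drop entries older than the skew window.  Anything that old would be
        rejected by the skew check anyway, so forgetting it is safe and keeps
        the cache bounded."""
        cutoff = now - self.max_skew
        for key in [k for k, first_seen in self._seen.items() if first_seen < cutoff]:
            del self._seen[key]

    def check(self, client, authenticator_time, now):
        """Return (accepted, reason) for an authenticator with the given
        client name and timestamp, evaluated at server time `now`."""
        self._expire(now)
        # A timestamp far from the server clock is either a broken clock or
        # an old packet; both are refused.
        if abs(now - authenticator_time) > self.max_skew:
            return False, "clock skew too great"
        key = (client, authenticator_time)
        # The same client cannot legitimately send two authenticators with an
        # identical timestamp, so a repeat is a replayed packet.
        if key in self._seen:
            return False, "replay detected"
        self._seen[key] = now
        return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    t0 = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    print(cache.check("alice@EXAMPLE.TEST", t0, t0))                           # accepted
    print(cache.check("alice@EXAMPLE.TEST", t0, t0 + timedelta(seconds=30)))   # replay
    print(cache.check("bob@EXAMPLE.TEST", t0 - timedelta(hours=1), t0))        # skew
```

Both rejections are worth logging: a burst of "replay detected" results for one client is a detection signal for exactly the packet-capture scenario the slide describes.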

7 Access Controls
Preventative access control – Deployed to stop unwanted or unauthorized activity from occurring. Examples: fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, AC methods, encryption, auditing, presence of security cameras or CCTV, smart cards, callback, security policies, security awareness training, AV.
Deterrent access control – Deployed to discourage the violation of security policies. Picks up where prevention leaves off: the deterrent doesn't stop at trying to prevent an action, it goes further to exact consequences in the event of an attempted or successful violation. Examples: locks, fences, security badges, security guards, mantraps, cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing and firewalls.

8 Access Controls, cont.
Detective access control – Deployed to discover unwanted or unauthorized activity. These are often after-the-fact rather than real-time controls. Examples: security guards, guard dogs, motion detectors, recording and reviewing of events by cameras/CCTV, job rotation, mandatory vacations, audit trails, IDS, violation reports, honey pots, supervision and review of users, incident investigations.
Corrective access control – Deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Minimal capability to respond to access violations. Examples: IDS, AV, alarms, mantraps, BCP, security policies.

9 Access Controls, cont.
Recovery access control – Deployed to repair or restore resources, functions, and capabilities after a violation of security policies. These have a more advanced or complex capability to respond to access violations than a corrective access control: a recovery access control can repair damage as well as stop further damage. Examples: backups and restores, fault-tolerant drive systems, server clustering, AV, database shadowing.
Compensation access control – Provides various options to other existing controls to aid in the enforcement and support of a security policy (SP). Examples: security policy, personnel supervision, monitoring, work task procedures.

10 Access Controls, cont.
Directive access control – Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples: security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.
Administrative access controls – Policies and procedures defined by an organization's security policy to implement and enforce overall AC. Focuses on two areas: personnel and business practices. Examples: policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.

11 Access Controls, cont.
Administrative access controls (cont.) – As above: policies and procedures defined by an organization's security policy, focused on personnel and business practices.
Logical/technical AC – Hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Examples: encryption, ACLs, protocols, firewalls, routers, IDS and clipping levels.

12 Access Controls, cont.
Physical access control – Physical barriers deployed to prevent direct contact with systems or portions of a facility. Examples: guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.

13 Access Control Attacks
Dictionary attacks – Programs with built-in dictionaries that try every dictionary word in an attempt to find the right password.
Brute force – All possible combinations of the alphabet, numbers, etc. Could take days, months or years to crack a complex password of 8 characters or more.
Spoofed logon screens – Phishing sites, etc. These send the credentials to the attacker.
Prevention against authentication and access control attacks – Passwords should be long and complex and changed every so often. Secure your endpoints!
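Two defender-side pieces for this slide, as an added example that is not part of the presentation. keyspace_seconds() turns the slide's "days, months, years" into an actual estimate for a given alphabet, length and assumed guess rate, which is how "long and complex" gets quantified. detect_bruteforce() is the detection side: it runs over sample authentication log lines and flags any source that racks up many failed logons inside a short window, the signature both dictionary and brute-force attacks leave. The log format, the addresses and the guess rate are constructed assumptions, not real data.

```python
"""Added example (not from the presentation): brute-force cost estimate and
failed-logon burst detection.  Log lines and the log format are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def keyspace_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case seconds to try every password of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols at the given guess rate."""
    return alphabet_size ** length / guesses_per_second


# Constructed sample log in a hypothetical "<timestamp> <RESULT> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:09 FAIL user=bob src=203.0.113.5
2024-01-01T10:00:12 OK user=carol src=198.51.100.7
2024-01-01T10:00:15 FAIL user=bob src=203.0.113.5
2024-01-01T10:00:21 FAIL user=dave src=203.0.113.5
2024-01-01T10:00:30 FAIL user=dave src=203.0.113.5
2024-01-01T10:05:00 FAIL user=carol src=198.51.100.7
2024-01-01T10:20:00 FAIL user=carol src=198.51.100.7
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return the set of source addresses that produced at least `threshold`
    failed logons within any sliding window of length `window`."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    for line in lines:
        ts, result, _user, src = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        # Slide the window: drop failures older than `window` before this one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    # Assumed guess rate of one billion guesses per second against an
    # offline hash; 8 chars from 62 symbols is about 2.5 days worst case,
    # 12 chars from 95 symbols is thousands of years.
    for alphabet, length in ((62, 8), (95, 12)):
        secs = keyspace_seconds(alphabet, length, 1e9)
        print(f"{alphabet}^{length}: {secs / 86400:,.1f} days")
    print("suspicious sources:", detect_bruteforce(SAMPLE_LOG))
```

The detector counts failures per source rather than per account, so an attacker spraying one guess across many accounts (alice, bob, dave above) is still caught; an account-lockout policy alone would miss that pattern.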

14 Identity and Access Provisioning Lifecycle

15 Identity and Access Provisioning Lifecycle

