Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Management Models

Published byJocelyn Dickerson Modified over 7 years ago

Similar presentations

Presentation on theme: "Security Management Models"— Presentation transcript:

1 Security Management Models
INFORMATION SECURITY MANAGEMENT Lecture 6: Security Management Models

2 Access Control Models Access controls Key principles of access control
Regulate the admission of users into trusted areas of the organization Key principles of access control

3 The value of information: CIA Triangle
The value of information comes from the characteristics it possesses Expanded to include Identification Authentication Authorization Privacy Accountability

4 Identification and Authentication
An information system possesses the characteristic of identification when it is able to recognize individual users Identification and authentication are essential to establishing the level of access or authorization that an individual is granted Authentication Occurs when a control proves that a user possesses the identity that he or she claims

5 Authorization Assures that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset Authorization occurs after authentication

6 Categories of Access Control

7 Categories of Access Control
Preventative Deterrent Detective Corrective Recovery Compensating

8 Preventative/Deterrent/Detective Controls
Preventative Controls Firewalls / Anti-virus software Encryption Key card systems Bollards stop cars (as shown) Deterrent Controls Highly visible Prevent offenses by influencing choices of would-be intruders Detective Controls Monitor and record specific types of events Does not stop or directly influence events

9 Corrective/Recovery Controls
Corrective Controls Post-event controls to prevent recurrence “Corrective” refers to when it is implemented Examples (if implemented after an incident) Spam filter Anti-virus on server WPA Wi-Fi encryption Recovery Control Post-incident controls to recover systems

10 Compensating Controls
Control that is introduced that compensates for the absence or failure of a control “Compensating” refers to why it is implemented Examples Daily monitoring of anti-virus console Monthly review of administrative logins Web Application Firewall used to protect buggy application

11 Another Approach: Types of Controls
Technical Operational (aka Physical) Management (aka Administrative)

12 Controlling Information Access

13 Identification and Authentication
Identification: unproven assertion of identity “My name is…” Userid Authentication: proven assertion of identity Method Examples: Password Token Biometric

14 How Information Systems Authenticate Users
Request userid and password Hash password Retrieve stored userid and hashed password Compare Make a function call to a network based authentication service

15 How a System Stores Userids and Passwords
Typically stored in a database table Application database or authentication database Userid stored in plaintext Password stored encrypted or hashed

16 Password Hashes LM hash is weak, no longer used in Win 7 NT hash is stronger, but not salted

17 Strong Authentication
Traditional userid + password authentication has known weaknesses Stronger types of authentication available, usually referred to as “strong authentication”

18 Token: Two Factor Authentication
First factor: what user knows Second factor: what user has Without the second factor, user cannot log in

19 Token: Two Factor Authentication

20 Biometric Authentication
Stronger than userid + password Stronger than two-factor? Can be hacked

21 Article: Biometric Scanning Technologies
Overview Technologies Finger-Scan Facial-Scan Retinal-Scan

22 Authentication Issues
Password quality Consistency of user credentials across multiple environments Too many userids and passwords Handling password resets Dealing with compromised passwords Staff terminations

23 Authorization: Degree of Authority
Mandatory Access Controls Discretionary Access Controls Role Based Access Controls

24 Mandatory Access Control Security Model
Data classification scheme Rates collection of info and user with sensitivity levels When implemented, users and data owners have limited control over access

25 Mandatory Access Control Security Model
Data classification scheme/model Data owners classify the information assets Reviews periodically Security clearance structure Each user assigned an authorization level Roles and corresponding security clearances

26 Discretionary Access Control (DAC) Security Model
The owner of an object controls who and what may access it.

27 Role-based Access Control (RBAC) Security Model
Nondiscretionary Controls

28 Mobile Access Controls

29 Testing Access Controls

30 Testing Access Controls
Access controls are the primary defense that protect assets Types of tests: Penetration tests Application vulnerability tests Code reviews Testing helps to verify whether they are working properly

31 Penetration Testing Automatic scans to discover vulnerabilities Example tools: Nessus, Nikto, SAINT, Superscan, Retina, ISS, Microsoft Baseline Security Analyzer

32 Application Vulnerability Testing
Discover vulnerabilities in an application Automated tools and manual tools Example vulnerabilities Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more

33 Audit Log Analysis Regular examination of audit and event logs
Detect unwanted events Audit log protection

34 Access Control Attacks

35 Access Control Attacks
Intruders will try to defeat, bypass, or trick access controls in order to reach their target Attack objectives Guess credentials Malfunction of access controls Bypass access controls Replay known good logins Trick people into giving up credentials

36 Types of Access Control Attacks
Buffer Overflow Script Injection Data Remanence DoS Spoofing/Masquerading Social Engineering/Phishing

37 Security Architecture Models

38 Security Architecture Models
Can help organizations quickly make improvements through adaptation Can focus on: computer hardware and software policies and practices the confidentiality of information the integrity of the information Pick one and go with it

39 Bell-LaPadula Confidentiality Model
A state machine model that helps ensure the confidentiality of an information system Using mandatory access controls (MACs), data classification, and security clearances

40 Biba Integrity Model Provides access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations Ensures no information from a subject can be passed on to an object in a higher security level This prevents contaminating data of higher integrity with data of lower integrity

41 Clark-Wilson Integrity Model
Built upon principles of change control rather than integrity levels Its change control principles No changes by unauthorized subjects No unauthorized changes by authorized subjects The maintenance of internal and external consistency

42 Graham-Denning Access Control Model
Composed of three parts A set of objects A set of subjects (a process and a domain) A set of rights Primitive protection rights Create or delete object, create or delete subject Read, grant, transfer and delete access rights

43 Harrison-Ruzzo-Ullman Model
Defines a method to allow changes to access rights and the addition and removal of subjects and objects Since systems change over time, their protective states need to change Built on an access control matrix Includes a set of generic rights and a specific set of commands

44 Brewer-Nash Model (aka Chinese Wall)
Designed to prevent a conflict of interest between two parties Requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data

45 The ISO Series Information Technology – Code of Practice for Information Security Management One of the most widely referenced and discussed security models Originally published as British Standard 7799 and then later as ISO/IEC 17799 Since been renamed ISO/IEC 27002 Establishes guidelines for initiating, implementing, maintaining, and improving information security management

46 Control Objectives for Information and Related Technology (COBIT)
Provides advice about the implementation of sound controls and control objectives for InfoSec Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992

47 COSO A U.S. private-sector initiative
Major Objective: identify factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence Has established a common definition of internal controls, standards and criteria Helps organizations comply with critical regulations like Sarbanes-Oxley

48 COSO (cont’d.) Built on five interrelated components:
Control environment Risk assessment Control activities Information and communication Monitoring

Download ppt "Security Management Models"

Similar presentations

Operating System Security

Operating System Security
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Access Control Methodologies

Access Control Methodologies
Security Controls – What Works

Security Controls – What Works
INFORMATION SECURITY MANAGEMENT L ECTURE 6: S ECURITY M ANAGEMENT M ODELS.

INFORMATION SECURITY MANAGEMENT L ECTURE 6: S ECURITY M ANAGEMENT M ODELS.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
CISSP Guide to Security Essentials

CISSP Guide to Security Essentials
Switch off your Mobiles Phones or Change Profile to Silent Mode.

Switch off your Mobiles Phones or Change Profile to Silent Mode.
Security Architecture

Security Architecture

Similar presentations

Ads by Google