Domain Objectives
• Provide definitions and key concepts
• Identify access control categories and types
• Discuss access control threats
• Review system access control measures
Domain Objectives
• Review data access control measures
• Understand intrusion detection and intrusion prevention systems
• Understand access control assurance methods
Domain Agenda
• Definitions and Key Concepts
• Access Control Categories and Type
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention Systems (IPS) & Intrusion Detection Systems (IDS)
• Access Control Assurance
Information Classification
• Objectives
• Benefits
• Example of Classification
• Compartmentalized Information
Information Classification Procedures
• Scope
• Process
• Responsibility
• Declassification
• Marking and Labeling
• Assurance
Access Control Categories
• Preventive
• Detective
• Corrective
• Directive
• Deterrent
• Recovery
• Compensating
Access Control Types
• Administrative
• Technical (Logical)
• Physical
(Diagram: example controls of each type. Administrative: Policy, Procedures, User Registration, Job Rotation, Employee Termination, Report Reviews, DRP. Technical: Warning Banners, Passwords, Tokens, Audit Logs, IPS/IDS, Connection Control, Backups, Keystroke Logging. Physical: Gates, Fences, Signs, Bollards, Sentry, CCTV, Fire Extinguisher, Reconstruct/Rebuild, Layered Defense.)
Access Control Examples
Control        Administrative             Technical                   Physical
Directive      Policy                     Warning Banner              Security Guard
Deterrent      Demotion                   Violation Report            ‘Beware of Dog’
Preventative   User Registration          Passwords, Tokens           Fences, Bollards
Detective      Report Reviews             Audit Logs, IDS Sensors     CCTV
Corrective     Employee Termination       Connection Management       Fire Extinguisher
Recovery       DRP                        Backups                     Reconstruct, Rebuild
Compensating   Supervision, Job Rotation  Keystroke Logging           Layered Defenses
Access Control Threats
• Denial of Service
• Buffer Overflow
• Mobile Code
• Malware
• Password Crackers
• Spoofing/Masquerading
• Sniffers
• Eavesdroppers
Access Control Threats
• Emanations
• Shoulder Surfing
• Tapping
• Object Reuse
• Data Remanence
• Unauthorized Data Mining
• Dumpster Diving
• Back Door/Trap Door
Authentication Methods
• Knowledge (Something you know)
• Ownership (Something you have)
• Characteristics (Something you are)
Asynchronous Token Device (Challenge-Response)
1. User requests access via the Authentication Server (i.e., sends UserID)
2. Authentication Server issues Challenge # to User
3. User enters Challenge # with PIN into Handheld
4. Handheld calculates cryptographic response (i.e., “password”)
5. User sends “password” to Authentication Server
6. Authentication Server grants access to Application Server
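A worked version of the six-step exchange above, added here as an illustration and not taken from the slides: the handheld's seed and the user's PIN are constructed values, and HMAC-SHA256 truncated to eight digits stands in for whatever algorithm a given token product actually uses.

```python
import hmac
import hashlib
import secrets

# Constructed enrolment record: the Authentication Server and the user's handheld
# token share a seed provisioned at enrolment. Seed and PIN here are made up.
ENROLLED = {
    "alice": {"seed": bytes.fromhex("00112233445566778899aabbccddeeff"), "pin": "4821"},
}


def issue_challenge(nbits: int = 64) -> str:
    """Step 2: the server issues a fresh, unpredictable Challenge # for this attempt."""
    return f"{secrets.randbits(nbits):020d}"


def token_response(seed: bytes, pin: str, challenge: str, digits: int = 8) -> str:
    """Steps 3-4: the handheld mixes the PIN with the challenge and keys an HMAC with
    its seed, then truncates the MAC to a short numeric 'password' the user can type."""
    mac = hmac.new(seed, f"{pin}:{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**digits:0{digits}d}"


def verify_response(user: str, challenge: str, response: str) -> bool:
    """Steps 5-6: the server recomputes the expected password from its own copy of the
    seed and PIN for the challenge it issued. Unknown users and responses computed for
    a different challenge (replays) both fail; compare_digest keeps the check constant-time."""
    record = ENROLLED.get(user)
    if record is None:
        return False
    expected = token_response(record["seed"], record["pin"], challenge)
    return hmac.compare_digest(expected, response)
```

The server must bind each challenge to one attempt and discard it after use; that is what makes the same eight digits worthless once the session completes.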
Synchronous Token
• Event-based Synchronization
• Time-based Synchronization
• Authentication Server knows the expected value from the token and the user must input it or be in close proximity
Smart Cards
• Contact Smart Cards
• Card body
• Chip
• Contacts
• Contactless Smart Cards
• Card body
• Chip
• Antenna
Authentication by Characteristic
• Biometrics
• Physiological Biometrics
• Behavioral Biometrics
• Characteristics
• Accuracy
• Acceptability
• Reaction time
Biometric Accuracy
(Graph: Error Rate against Sensitivity)
• False Accept Rate (FAR): Type II Error
• False Reject Rate (FRR): Type I Error
• Crossover Error Rate (CER): the sensitivity at which the FAR and FRR curves intersect
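To make the FAR/FRR/CER relationship concrete, an added example (not from the slides) that sweeps a decision threshold over constructed genuine and impostor matcher scores, locates the crossover, and shows the FRR cost of capping FAR at a target.

```python
# Constructed matcher scores (higher score = closer match). Genuine scores come from
# users compared against their own template, impostor scores from comparisons against
# someone else's template. All sixteen values are made up for this example.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.6, 0.55, 0.4]
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.45, 0.5, 0.65, 0.7]


def error_rates(genuine, impostor, threshold):
    """Accept a sample when score >= threshold.
    FAR (Type II error): impostor samples accepted.  FRR (Type I error): genuine samples rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep sensitivity over every observed score and return the threshold where FAR and
    FRR come closest, with the error rate at that point (the Crossover Error Rate)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, cer = best
    return t, cer


def threshold_for_far(genuine, impostor, max_far):
    """Pick the loosest threshold that keeps FAR at or below a ceiling and report the FRR
    paid for it. Security-sensitive deployments tune this way: the FAR ceiling comes first,
    user convenience (a low FRR) second."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None
```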
Dynamic Biometric Types
• Voice Pattern
• Facial Recognition
• Keystroke Dynamics
• Signature Dynamics
Identity and Access Management
• Need for Identity Management
• Challenges
• Identity Management Technologies
Need for Identity Management
• Manual Provisioning
• Complex Environments
• Compliance with Regulations & Legislation
• Outsourcing Risks
Identity Management Challenges
• Consistency
• Reliability
• Usability
• Efficiency
• Scalability
Identity Management Challenges
• Types of Principals
• Types of Identity Data
• Identity Life Cycle
Identity Management Technologies
• Directories
• Web Access Management
• Password Management
• Legacy Single Sign-on
• Account Management
• Profile Update
Access Control Technologies
• Single Sign-on (SSO)
• Kerberos and SESAME
• Directory Services
• Security Domains
Single Sign-on Process
1. User enters ID and password
2. UserID and password transmitted to Authentication Server
3. Authentication Server verifies User’s identity
4. Authentication Server authorizes access to requested resource
(Diagram components: User, Authentication Server, Application Servers)
Kerberos Process
Participants:
• KDC: Authentication Server and Ticket Granting Server
• Principal P1: User Workstation
• Principal P2: Application Server
Messages shown (Key(...) denotes data encrypted under that key):
• KDC to P1: Ticket Granting Ticket
• P1 to KDC: P1Key(Request – Access to P2)
• KDC to P1: P1Key(SK1, P2Key(Client ID, SK1))
• P1 now holds Ticket, SK1; the Ticket is P2Key(Client ID, SK1)
• P1 to P2: Ticket together with SK1(Authentication)
Directory Services and Security Domains
• Directory Services
• Security Domains
• Hierarchical Domain Relationship
• Equivalence Classes of Subjects
(Diagram: Subject “High” and Subject “Low” mapped to Domain “High” and Domain “Low”, with an X Server)
Mandatory and Temporal Access Control
• Mandatory Access Control
• Joint participation in the decision-making process
• Labels
• Temporal (Time-based) Isolation
Discretionary Access Control
• Access authorization based on Information Owner
• System enforces rules
Access Control Lists (ACLs)
Hal: User Hal Directory = Full Control; User Kevin Directory = Write; User Kara Directory = No Access; Printer 001 = Execute
Kevin: User Hal Directory = Write; User Kevin Directory = Full Control; User Kara Directory = No Access; Printer 001 = No Access
Kara: User Hal Directory = Read/Write; User Kevin Directory = Read/Write; User Kara Directory = Full Control; Printer 001 = Execute; Printer 002 = Execute
Access permissions based on individual user rights
Access Control Matrix
Subject  File A  File B  App A  App B  App C  Proc A  Proc B
Hal      X X X
Kara     X       X       X      X      X      X       X
Kevin    X X X
Leo      X X
(Kara holds a right on every object; the column positions of the other subjects' entries did not survive extraction.)
Rule Based Access Control
(Diagram: Users Jane, Fred and Albert are evaluated against Rules, which govern access to the Customer Service Application, Inventory Application and Accounting Application)
Explicit rules grant access
Role Based Access Control
(Diagram: Users Jane, Fred and Albert are assigned the Customer Service Agent Role, which carries access to the Customer Service Application, Inventory Application and Accounting Application)
Implicit rules grant access
Content Dependent Access Control
(Diagram: Payroll Server)
• Human Resources Manager: can see data on all employees
• Local Manager: can only see data on employees in the same department
Access based on values in data (i.e., Department)
Capability Tables
Rights granted for access according to objects
Subject  File A      File B      App A  App B  App C  Proc A  Proc B
Hal      Read X
Kara     Read/Write  Read/Write  X      X      X      X       X
Kevin    Read X X X
Leo      Read/Write X X
X = Execute
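The ACL, Access Control Matrix and Capability Tables slides above are three views of one structure. The added example below (not from the slides) encodes a matrix, derives the per-object ACL view and the per-subject capability view from it, and shows which revocation each view makes cheap; Kara's row follows the slide, the other subjects' cells are constructed.

```python
from collections import defaultdict

# Constructed access control matrix. Kara's row follows the Capability Tables slide
# (Read/Write on the files, Execute on the apps and procs); the other rows are made up.
# Rights: R = Read, W = Write, X = Execute.
MATRIX = {
    "Hal":   {"File A": {"R"}, "App A": {"X"}},
    "Kara":  {"File A": {"R", "W"}, "File B": {"R", "W"}, "App A": {"X"}, "App B": {"X"},
              "App C": {"X"}, "Proc A": {"X"}, "Proc B": {"X"}},
    "Kevin": {"File B": {"R"}, "App B": {"X"}, "App C": {"X"}, "Proc A": {"X"}},
    "Leo":   {"File A": {"R", "W"}, "Proc A": {"X"}, "Proc B": {"X"}},
}


def acls(matrix):
    """Column view: one Access Control List per object, stored with the object."""
    out = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            out[obj][subject] = set(rights)
    return dict(out)


def capabilities(matrix, subject):
    """Row view: the capability table of one subject, stored with the subject."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def is_allowed(matrix, subject, obj, right):
    """Reference-monitor check: deny by default, allow only if the matrix cell holds the right."""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_object(matrix, obj):
    """Cutting everyone off from one object is a single ACL edit in the column view,
    but in the row view it means visiting every subject's capability table."""
    return {s: {o: r for o, r in row.items() if o != obj} for s, row in matrix.items()}


def revoke_subject(matrix, subject):
    """Removing a departing user is a single deletion in the row view, but in the
    column view it means editing every ACL that names them."""
    return {s: row for s, row in matrix.items() if s != subject}
```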
Non-discretionary Access Control
• Operating System Protection
• Security Administrator Control
• Ensures system security enforced
Constrained User Interface
• Menus
• Database Views
• Physically Constrained User Interfaces
• Encryption
Centralized/Decentralized Access Control
• Centralized Access Control
• RADIUS
• TACACS+
• Diameter
• Decentralized Access Control
Intrusion Detection Systems
Primary Types
• Network-Based IDS (NIDS)
• Host-Based IDS (HIDS)
• Application-Based IDS (AIDS)
Intrusion Prevention Systems
Primary Types
• Host-Based IPS (HIPS)
• Network-Based IPS (NIPS)
• Content-Based
• Rate-Based
Analysis Engine Methods
• Pattern (Signature) Based
• Pattern Matching
• Stateful Matching
• Anomaly Based
• Statistical
• Traffic
• Protocol
• Heuristic Scanning
Penetration Testing
• Definition
• Areas to test
• Methods of testing
• Testing procedures
• Testing hazards
Areas to Test
• Application Security
• Denial of Service (DoS)
• War Dialing
• Wireless Network Penetration
• Social Engineering
• PBX and IP Telephony
Penetration Testing Methods
• External
• Zero-knowledge (Blind)
• Partial-knowledge
• Internal
• Full-knowledge
• Targeted
• Blind
• Double-blind
Testing Hazards and Reporting
• Production interruption
• Application abort
• System crash
• Documentation
• Identified vulnerabilities
• Countermeasure effectiveness
• Recommendations
Domain Summary
• Definitions and Key Concepts
• Access Control Categories and Types
• Access Control Threats
• System Access
• Data Access
• Intrusion Detection and Prevention Systems
• Access Control Assurance