9 access ctrl physical lecture 340
TRANSCRIPT
7/27/2019 9 Access Ctrl Physical Lecture 340

Access Control and Physical Security
Janine L. Spears, Ph.D.
May 22, 2012
DePaul University
CNS 340
-
This Evening's Agenda
1. Announcements
   a) Quiz #3
   b) Group project
   c) Review of the network security process
2. Access control
3. Physical security
4. Convergence
-
Announcements (1 of 2)
Attendance points posted through week 8
Discussion forum points posted through week 7
HW #5 due this Thurs by 11:59pm CST
  Submit both the required and extra credit work in 1 doc
Quiz #3:
  Quiz posted: available Thurs, May 24th
  Quiz deadline: Mon, May 28th, 11:59pm CST
  Timed quiz once quiz is accessed: 75 minutes
-
Group Project: Browser Security (1 of 4)
Some examples of things that can go wrong for an online user (threats):
- Malware code is implanted in JavaScript that is run when a user accesses a malware-hosting web site
- Spyware is installed on a user's computer that tracks browsing history
- Search engine queries are intercepted
- A user believes he/she went to a chosen web site, but instead is redirected to a bogus web site
- Browser fingerprinting that is combined with other data to reveal an individual user's identity
-
Group Project: Browser Security (2 of 4)
Some examples of weaknesses that may exist in an online user's computing environment (vulnerabilities):
- HTTPS has been found to have significant structural weaknesses
- Browser software is not current
- A user accesses web sites that commonly host malware
- A user has no way of determining if malware, spyware, or adware is installed on his/her computer
- Confidential data is transmitted from the user's computer to a web site as clear text
-
Group Project: Browser Security (3 of 4)
What your team is tasked to do:
- For an identified vulnerability, consider what could go wrong if that vulnerability is exploited (what is the threat?)
- For an identified threat, consider what weakness in a user's computing environment may enable that threat to be realized (what is the vulnerability?)
OR
- For an identified threat, consider who (e.g., person, organization, industry, technology) may carry out that threat (who/what is the threat agent?)
-
Group Project: Browser Security (4 of 4)
- Initial instructions state that the majority of your group class presentation should be on software. This is no longer required.
  Your team is free to discuss a threat/vulnerability (e.g., HTTPS, digital certificates, spyware functionality, etc.) and/or a technology (e.g., browser add-on, etc.). The only topic requirement is that it is related to a browser/internet vulnerability, threat, or threat agent.
- Only 1 (not 2) threat/threat agent/vulnerability is required so that you can cover a topic in more depth
- At least briefly state who (or what) is the entity likely to carry out the threat (threat agent); this could also be a group's key topic (e.g., who are the advertising intermediaries that sell consumer web history data? How do certificate authorities issue digital certificates, and what are the vulnerabilities?)
- Ideally there will be a variety of topics and tools presented
-
Group Project: Browser Security (4 of 4)
Example of threat agents: who are these folks? What data are they collecting? To whom do they sell data?
-
Network Security: Review from Week 8
- Vulnerability assessment is used to uncover weaknesses in an organization's computing environment.
- Penetration testing is used to see if unauthorized access can be obtained (e.g., from a hacker).
- Remediation refers to controls (or safeguards) put in place to plug the weaknesses found.
-
Network Security: Tying the Pieces Together
Phases of a Penetration Test
Trinckes, 2010, Figure 10.3
-
Access Control
- Organizations were estimated to spend $5 billion on identity and access management (IAM) systems in 2010
- The market is expected to grow to $12 billion by 2014
- In the banking/finance and IT industries, IAM is among the top 3 security initiatives
Sources: Hovav & Berger, CAIS 2009; Deloitte 2009, 2010
-
Access Control AKA Identity and Access Management
Identity and access management (IAM) is concerned with:
- verifying the digital identity of an entity attempting to gain access to system resources
- granting permissions to system functions and data, based on pre-defined roles assigned to the identity
- placing constraints on access to alleviate conflicts in the segregation of duties
- monitoring & auditing
Source: Spears 2011
-
Identity and Access Management Systems (1 of 2)
IAM systems:
- Automate and enforce IAM policies for
  - identity lifecycles
  - provisioning process
  - user authentication
  - password management
- Provide a central repository of identities, roles, authorizations across enterprise systems
- Provide log management features
- Also typically provide
  - Single sign-on capabilities
  - Encryption
  - Audit reports
-
Identity and Access Management Systems (2 of 2)
Source: Peterson et al., J of Accountancy 2008
-
Inherent Complexities in IAM (1 of 2)
What has spurred IAM systems?
What are some of the issues that arise in managing IAM?
- Multiple identities for a single individual
- Flaws in role designs
  - Multiple roles leading to data leakage
- Complexity in system architectures
  - E.g., distributed computing; cloud computing
- Complexity in ERP systems
- Coding flaws in IAM scripts
- Limited built-in auditing
-
Inherent Complexities in IAM (2 of 2)
An example of IAM complexity for ERP systems:
For a small organization that:
- uses 100 transactions (requiring 2 authorization objects for each transaction)
- among 200 end users
- who fill a total of 20 different roles
there are 800,000 ways to configure ERP security (100*2*200*20).
Source: Hendrawirawan et al., Information Systems and Control Journal 2007
-
Access Control
Access control has two components:
1. Policy: users typically define who gets access to what applications
   - Role-based access control
   - Segregation of duties
   - Data classification
   - Password policy
   - Two-factor authentication
   - Etc.
2. Technology: implements the policy; administered by the IT organization
   - Must balance security effectiveness, ability to do the job, and user acceptance
-
Access Control Policy in the Form of Security Controls
Several reputable security frameworks provide guidance on developing access control policies, controls, and audit procedures.
Examples of guidance on access controls from security frameworks:
1. ISO 27002
2. COBIT
3. NIST SP 800-53
The PCI DSS also has an access control component (required of companies processing credit card transactions).
-
ISO 27002
Clause: A.11 Access control
Main Category (Control Objective): A.11.2 User access management
Controls:
- A.11.2.1 User registration
- A.11.2.2 Privilege management
- A.11.2.3 User password management
- A.11.2.4 Review of user access rights
-
COBIT
Domain: Delivery & Support (DS)
Process: DS5 Ensure Systems Security
Control Objective: DS5.3 Identity Management
Control Activities:
- Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
- Enable user identities via authentication mechanisms.
- Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
- Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
- Maintain user identities and access rights in a central repository.
- Deploy cost-effective technical and procedural measures, and keep them current, to establish user identification, implement authentication and enforce access rights.
-
NIST SP 800-53
Class: Technical
Family (Control Objective): Access Control
Controls:
- AC-1: Access Control Policy and Procedures
- AC-2: Account Management
- AC-3: Access Enforcement
- AC-4: Information Flow Enforcement
- AC-5: Separation of Duties
- AC-6: Least Privilege
- AC-7: Unsuccessful Login Attempts
- AC-8: System Use Notification
- Etc.
-
Miscellaneous Access Control Concepts / Practices (1 of 5)
User provisioning: the creation, maintenance and deactivation of user objects and user attributes.
Authorization: defines the ability of a specific user to perform certain tasks, such as deleting or creating files, after authentication has taken place.
Authentication: refers to verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
-
Miscellaneous Access Control Concepts / Practices (2 of 5)
Role-based access control (RBAC):
- refers to access control that is based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role).
- A given role may apply to a single individual or to several individuals.
- Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization.
Source: NIST SP 800-53, p. B-11
-
Miscellaneous Access Control Concepts / Practices (3 of 5)
Least privilege:
- allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
- Though this term is typically used in the context of system/database access, the concept should also be applied to sensitive data, regardless of its form.
- An example of applying least privilege as a simple, cost-effective security measure for protecting the SSN (e.g., on paper forms and elsewhere)
Source: NIST SP 800-53, p. F-9
-
Miscellaneous Access Control Concepts / Practices (4 of 5)
Separation of duties (AKA segregation of duties):
- attempts to ensure there is no conflict of interest in the types of access authorized for one user
- Examples:
  1. The person who administers access is different from the person who audits system access
  2. The person who is authorized to order purchases is different from the person authorized to pay invoices
- Auditors or risk managers may define SoD controls
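As an added example (not code from the lecture or from NIST), the following Python sketch shows how an IAM system can enforce the role hierarchy described on the RBAC slide together with the separation-of-duties constraints from this slide and the IAM definition slide; all role, permission and user names are assumptions constructed for illustration.

```python
# Added example, not from the lecture or NIST: a minimal RBAC engine with a role
# hierarchy and static separation-of-duties (SoD) checks at assignment time.
# All role, permission and user names below are constructed for illustration.
from collections import deque

class SoDViolation(Exception):
    """Raised when an assignment would give one user a conflicting pair of roles."""

class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> permissions granted directly to that role
        self.parents = {}       # role -> roles it inherits permissions from
        self.user_roles = {}    # user -> roles explicitly assigned
        self.sod_pairs = set()  # frozenset({a, b}): no user may hold both a and b

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.parents[role] = set(inherits)

    def add_sod_constraint(self, role_a, role_b):
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def closure(self, roles):
        """Expand a set of roles upward through the hierarchy (inherited roles included)."""
        seen, queue = set(), deque(roles)
        while queue:
            role = queue.popleft()
            if role not in seen:
                seen.add(role)
                queue.extend(self.parents.get(role, ()))
        return seen

    def assign(self, user, role):
        """Static SoD check over the *effective* role set, so a senior role cannot
        smuggle in a conflicting junior role through inheritance."""
        would_hold = self.closure(self.user_roles.get(user, set()) | {role})
        for pair in self.sod_pairs:
            if pair <= would_hold:
                raise SoDViolation(f"{user}: {' + '.join(sorted(pair))}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        perms = set()
        for role in self.closure(self.user_roles.get(user, set())):
            perms |= self.role_perms.get(role, set())
        return perms

def try_assign(rbac, user, role):
    """True if the assignment was accepted, False if an SoD constraint blocked it."""
    try:
        rbac.assign(user, role)
        return True
    except SoDViolation:
        return False

def build_demo():
    """Constructed scenario mirroring the lecture's two SoD examples."""
    rbac = RBAC()
    rbac.add_role("employee", {"read_directory"})
    rbac.add_role("purchaser", {"create_purchase_order"}, inherits={"employee"})
    rbac.add_role("purchasing_manager", {"approve_purchase_order"}, inherits={"purchaser"})
    rbac.add_role("ap_clerk", {"pay_invoice"}, inherits={"employee"})
    rbac.add_role("sysadmin", {"grant_access"}, inherits={"employee"})
    rbac.add_role("auditor", {"read_access_log"}, inherits={"employee"})
    rbac.add_sod_constraint("purchaser", "ap_clerk")  # orders purchases vs. pays invoices
    rbac.add_sod_constraint("sysadmin", "auditor")    # administers access vs. audits it
    rbac.assign("alice", "purchasing_manager")
    rbac.assign("bob", "sysadmin")
    return rbac
```

Because the check runs over the inherited closure, giving alice the ap_clerk role is refused even though she was never directly assigned purchaser, which is the data-leakage-through-multiple-roles problem the IAM complexity slide warns about.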
-
Miscellaneous Access Control Concepts / Practices (5 of 5)
A person may authenticate him/herself in three ways, by providing:
1. Something you know (e.g., password)
2. Something you have (e.g., token)
3. Something you are (e.g., fingerprint)
When two of these methods are used, it's called two-factor authentication.
-
Examples of Two-Factor Authentication
If a user is prompted for a password, and then prompted for a passphrase, would that be two-factor authentication?
- RSA SecurID: http://www.rsa.com/node.aspx?id=1159
- PhoneFactor: http://www.phonefactor.com/
-
Biometric Access Control
Access control via biometrics is the process of using body measurements to authenticate a user (something you are).
Some examples of biometric technologies:
1. Fujitsu PalmSecure (demo: http://www.citrix.com/tv/#videos/430)
2. Biometric Fingerprint
3. VoiceVault
4. Iris Guard's IG-AD100 Iris Camera System
Must strike a balance between technological effectiveness and user acceptance.
-
7/27/2019 9 Access Ctrl Physical Lecture 340
30/41
3030
Access Control Physical Security Convergence
Passwords (1 of 3)
Access Control Physical Security Convergence
-
7/27/2019 9 Access Ctrl Physical Lecture 340
31/41
3131
Top 10 most common passwords (PC Magazine May 8, 2007)
1. password
2. 123456
3. qwerty
4. abc123
5. letmein6. monkey
7. myspace1
8. password1
9. blink182
10. (your first name)
If you recognize yours, you may as well hand over your wallet orpurse to the first person you see on the street.
Access Control Physical Security Convergence
Passwords (2 of 3)
Access Control Physical Security Convergence
-
Passwords (3 of 3)
Common recommendations for stronger passwords:
- At least 8 characters in length
- At least one letter, one number, and one non-alphanumeric character
- Sample organizational password policy: http://www.sans.org/resources/policies/Password_Policy.pdf
Compliance with password policies can be evaluated using security software called password auditors.
-
Passphrases and Security Questions
Passphrase
- Sequence of words; similar to a password, but longer
- Can be used in various ways.
- E.g., "Dear, let's dine tonight in a restaurant with atmosphere!" becomes DLDTRWA!
Security questions
- A form of a shared secret
- The majority of US financial institutions use them to authenticate users before allowing them to reset a password
- The RSA tool comes with 150 preset security questions
- What is the vulnerability with this form of authentication?
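As an added example (not code from the lecture), here is a small password auditor in the sense of the previous slide: it applies the slide's recommendations (at least 8 characters; at least one letter, one digit and one non-alphanumeric character) and flags entries from the PC Magazine top-10 list, including the passphrase-derived "DLDTRWA!" from this slide. It assumes the auditor sees candidate passwords at the moment they are set; the account list is constructed, and a production auditor would work over stored hashes instead.

```python
# Added example, not from the lecture: a small password auditor that applies the
# slide's recommendations (at least 8 characters; at least one letter, one digit and
# one non-alphanumeric character) and flags entries from the PC Magazine (May 8, 2007)
# top-10 list quoted in the lecture. The account sample below is constructed.

TOP10_2007 = {"password", "123456", "qwerty", "abc123", "letmein",
              "monkey", "myspace1", "password1", "blink182"}
# Entry #10, "(your first name)", depends on the user, so it is checked separately.

def policy_violations(password):
    """Return the list of policy rules the password fails (empty list == compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    return problems

def is_common(password, first_name=None):
    """True if the password is on the top-10 list or equals the user's first name."""
    lowered = password.lower()
    if lowered in TOP10_2007:
        return True
    return first_name is not None and lowered == first_name.lower()

def audit(accounts):
    """accounts: iterable of (username, first_name, password) as seen at password-set
    time. Returns {username: [findings]}; an empty list means the password passes."""
    report = {}
    for username, first_name, password in accounts:
        findings = policy_violations(password)
        if is_common(password, first_name):
            findings.append("on the common-password list")
        report[username] = findings
    return report

# Constructed sample: three weak entries and one compliant one. "DLDTRWA!" is the
# lecture's own passphrase-derived example; note that it fails the digit rule.
SAMPLE_ACCOUNTS = [
    ("dave", "Dave", "dave"),
    ("erin", "Erin", "password1"),
    ("fay", "Fay", "DLDTRWA!"),
    ("gus", "Gus", "R3d!Brick"),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(user, "OK" if not findings else "; ".join(findings))
```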
-
Physical Security
Physical security is concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft (DOD, NATO).
Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts (Wikipedia).
-
Four Core Layers of Physical Security (1 of 2)
1. Crime prevention through environmental design (CPTED)
   - CPTED-based strategies emphasize enhancing the perceived risk of detection and apprehension; intended to deter a criminal act.
   - Used primarily as a prevention mechanism
   - Examples: barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting, security guard
2. Access control
   - Mechanical and electronic measures to control access into facilities
   - Used primarily as a prevention mechanism
   - Examples: mechanical locks & keys; electronic locks; biometric locks; security guard
Source: Whitman & Mattord, 2009
-
Four Core Layers of Physical Security (2 of 2)
3. Intrusion detection (alarm)
   - Monitors for and signals the existence of an attack
   - Used primarily as a response mechanism
   - Can also be a deterrent
   - Examples: burglar alarm; motion detector; smoke detector; security guard
4. Surveillance and monitoring
   - Used primarily as a response mechanism
   - Primarily used for incident verification and historical analysis
   - Examples: CCTV, IP camera; security guard
Source: Whitman & Mattord, 2009
-
Physical Security
Other misc. areas of physical security include:
- Heating, ventilation, and air conditioning
- Electrical power management
- Computer theft
- Social engineering (using people skills to obtain confidential info from employees; e.g., by phone, PC, in person)
Physical security is often managed by:
- Facilities management department (larger sites)
- Outsourced (smaller sites)
Source: Whitman & Mattord, 2009
-
The Convergence of Physical and Logical Security
Convergence refers to some form of collaboration or integration between the physical security and IT security technologies and/or groups.
Two general forms of convergence:
1. changing the organizational structure to merge the physical and logical groups and align policies and budgets
2. more commonly, organizations are rolling out converged technologies
This convergence goes by various names:
- Convergence of Physical and Logical Security
- Convergence of Physical and Digital Security
- Convergence of Physical and IT Security
-
The Convergence of Physical and Logical Security
Features of convergence:
- Information sharing
- Cross-support across areas of expertise
- Convergence of security technologies
Examples of convergent technologies:
- identity and access management
- anti-theft tags in retail stores
- IP-based surveillance cameras
-
The Convergence of Physical and Logical Security
Benefits of convergence:
- Synergy across skill sets
- Reduced costs through greater efficiencies
- Holistic approach to security
- Can collaborate where it makes sense
-
The Convergence of Physical and Logical Security
Challenges for convergence:
- Cultural differences (J. Edgar Hoover vs. Bill Gates)
- Differences in background and training
- Differences in skill sets (law enforcement vs IT)
- Embracement vs. skepticism toward new technology
- Differences in salaries
- Ownership battles
Sources:
http://www.scmagazineus.com/An-urge-to-converge-Physical-and-logical-identity-and-access-management/article/151829/
http://www.computerworld.com/s/article/108571/Security_Convergence