9 access ctrl physical lecture 340

Upload: alb3rtlin

Post on 02-Apr-2018


TRANSCRIPT

  • 7/27/2019 9 Access Ctrl Physical Lecture 340

    1/41

    Access Control and Physical Security

    Janine L. Spears, Ph.D.

    May 22, 2012

    DePaul University

    CNS 340

  • 2/41  This Evening's Agenda

    1. Announcements
       a) Quiz #3
       b) Group project
       c) Review of NW security process
    2. Access control
    3. Physical security
    4. Convergence

  • 3/41  Announcements (1 of 2)

    Attendance points posted through week 8
    Discussion forum points posted through week 7
    HW #5 due this Thurs by 11:59pm CST
      Submit both the required and extra credit work in 1 doc
    Quiz #3:
      Quiz posted: available Thurs, May 24th
      Quiz deadline: Mon, May 28th, 11:59pm CST
      Timed quiz once quiz is accessed: 75 minutes


  • 5/41  Group Project: Browser Security (1 of 4)

    Some examples of things that can go wrong for an online user (threats):
      Malware code is implanted in JavaScript that is run when a user accesses a malware-hosting web site
      Spyware is installed on a user's computer that tracks browsing history
      Search engine queries are intercepted
      A user believes he/she went to a chosen web site, but instead is redirected to a bogus web site
      Browser fingerprinting that is combined with other data to reveal an individual user's identity

  • 6/41  Group Project: Browser Security (2 of 4)

    Some examples of weaknesses that may exist in an online user's computing environment (vulnerabilities):
      HTTPS has been found to have significant structural weaknesses
      Browser software is not current
      A user accesses web sites that commonly host malware
      A user has no way of determining if malware, spyware, or adware is installed on his/her computer
      Confidential data is transmitted from the user's computer to a web site as clear text

  • 7/41  Group Project: Browser Security (3 of 4)

    What your team is tasked to do:
      For an identified vulnerability, consider what could go wrong if that vulnerability is exploited (what is the threat?)
      For an identified threat, consider what weakness in a user's computing environment may enable that threat to be realized (what is the vulnerability?)
      OR
      For an identified threat, consider who (e.g., person, organization, industry, technology) may carry out that threat (who/what is the threat agent?)

  • 8/41  Group Project: Browser Security (4 of 4)

    Initial instructions state that the majority of your group class presentation should be on software. This is no longer required.
      Your team is free to discuss a threat/vulnerability (e.g., HTTPS, digital certificates, spyware functionality, etc.) and/or a technology (e.g., browser add-on, etc.). The only topic requirement is that it is related to a browser/internet vulnerability, threat, or threat agent.
    Only 1 (not 2) threat/threat agent/vulnerability is required so that you can cover a topic in more depth.
    At least briefly state who (or what) is the entity likely to carry out the threat (threat agent); this could also be a group's key topic (e.g., who are the advertising intermediaries that sell consumer web history data? How do certificate authorities issue digital certificates, and what are the vulnerabilities?)
    Ideally there will be a variety of topics and tools presented.

  • 9/41  Group Project: Browser Security (4 of 4)

    Example of threat agents: who are these folks? What data are they collecting? To whom do they sell data?

  • 10/41  Network Security: Review from Week 8

    Vulnerability assessment is used to uncover weaknesses in an organization's computing environment.
    Penetration testing is used to see if unauthorized access can be obtained (e.g., from a hacker).
    Remediation refers to controls (or safeguards) put in place to plug weaknesses found.

  • 11/41  Network Security: Tying the Pieces Together

    Phases of a Penetration Test (figure)
    Trinckes, 2010, Figure 10.3

  • 12/41  Access Control

    Organizations were estimated to spend $5 billion on identity and access management (IAM) systems in 2010.
    The market is expected to grow to $12 billion by 2014.
    In the banking/finance and IT industries, IAM is among the top 3 security initiatives.
    Source: Hovav & Berger, CAIS 2009
    Source: Deloitte 2009, 2010

  • 13/41  Access Control AKA Identity and Access Management

    Identity and access management (IAM) is concerned with:
      verifying the digital identity of an entity attempting to gain access to system resources
      granting permissions to system functions and data, based on pre-defined roles assigned to the identity
      placing constraints on access to alleviate conflicts in the segregation of duties
      monitoring & auditing
    Source: Spears 2011

  • 14/41  Identity and Access Management Systems (1 of 2)

    IAM systems:
      Automate and enforce IAM policies for
        identity lifecycles
        provisioning process
        user authentication
        password management
      Provide a central repository of identities, roles, authorizations across enterprise systems
      Provide log management features
      Also typically provide
        Single sign-on capabilities
        Encryption
        Audit reports

  • 15/41  Identity and Access Management Systems (2 of 2)

    Source: Peterson et al., Journal of Accountancy 2008

  • 16/41  Inherent Complexities in IAM (1 of 2)

    What has spurred IAM systems?
    What are some of the issues that arise in managing IAM?
      Multiple identities for a single individual
      Flaws in role designs
        Multiple roles leading to data leakage
      Complexity in system architectures
        E.g., distributed computing; cloud computing
      Complexity in ERP systems
      Coding flaws in IAM scripts
      Limited built-in auditing

  • 17/41  Inherent Complexities in IAM (2 of 2)

    An example of IAM complexity for ERP systems:
    For a small organization that:
      uses 100 transactions (requiring 2 authorization objects for each transaction)
      among 200 end users
      who fill a total of 20 different roles
    there are 800,000 ways to configure ERP security (100*2*200*20).
    Source: Hendrawirawan et al., Information Systems and Control Journal 2007

  • 18/41  Access Control

    Access control has two components:
    1. Policy: users typically define who gets access to what applications
         Role-based access control
         Segregation of duties
         Data classification
         Password policy
         Two-factor authentication
         Etc.
    2. Technology: implements policy; administered by the IT organization
         Must balance security effectiveness, ability to do the job, and user acceptance

  • 19/41  Access Control Policy in the Form of Security Controls

    Several reputable security frameworks provide guidance on developing access control policies, controls, and audit procedures.
    Examples of guidance on access controls from security frameworks:
      1. ISO 27002
      2. COBIT
      3. NIST SP 800-53
    The PCI DSS also has an access control component (required of companies processing credit card transactions).

  • 20/41  ISO 27002

    Clause: A.11 Access control
    Main Category (Control Objective): A.11.2 User access management
    Controls:
      A.11.2.1 User registration
      A.11.2.2 Privilege management
      A.11.2.3 User password management
      A.11.2.4 Review of user access rights

  • 21/41  COBIT

    Domain: Delivery & Support (DS)
    Process: DS5 Ensure Systems Security
    Control Objective: DS5.3 Identity Management
    Control Activities:
      Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
      Enable user identities via authentication mechanisms.
      Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
      Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
      Maintain user identities and access rights in a central repository.
      Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

  • 22/41  NIST SP 800-53

    Class: Technical
    Family (Control Objective): Access Control
    Controls:
      AC-1: Access Control Policy and Procedures
      AC-2: Account Management
      AC-3: Access Enforcement
      AC-4: Information Flow Enforcement
      AC-5: Separation of Duties
      AC-6: Least Privilege
      AC-7: Unsuccessful Login Attempts
      AC-8: System Use Notification
      Etc.

  • 23/41  Miscellaneous Access Control Concepts / Practices (1 of 5)

    User provisioning: is the creation, maintenance and deactivation of user objects and user attributes.
    Authorization: defines the ability of a specific user to perform certain tasks, such as deleting or creating files, after authentication has taken place.
    Authentication: refers to verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
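The three definitions above, plus the "review of user access rights" control from the ISO 27002 slide and the COBIT rule that access is requested by user management but approved by a system owner, can be exercised in a few dozen lines. The following is an added example and not code from the lecture or any product it names: a minimal central identity repository with provisioning, deactivation, an authorization check that is meant to run only after authentication, an audit trail, and a periodic access review that flags orphaned and dormant accounts. Every user name, entitlement and date is constructed for illustration.

```python
"""
Added example, not from the lecture: a minimal central identity repository
covering user provisioning, authorization after authentication, deactivation,
and a periodic review of user access rights. All names and dates are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UserObject:
    user_id: str
    approved_by: str                        # system owner who approved the access
    entitlements: Set[str] = field(default_factory=set)
    active: bool = True
    last_login: Optional[date] = None
    employment_ended: Optional[date] = None


class IdentityRepository:
    """Central store of identities and access rights, with an audit trail."""

    def __init__(self, today: date):
        self.today = today
        self.users: Dict[str, UserObject] = {}
        self.audit_log: List[Tuple[date, str, str]] = []   # (when, actor, event)

    def _log(self, actor: str, event: str) -> None:
        self.audit_log.append((self.today, actor, event))

    # --- provisioning: create, maintain and deactivate user objects ----------
    def provision(self, user_id: str, requested_by: str, approved_by: str,
                  entitlements: Set[str]) -> None:
        if user_id in self.users:
            raise ValueError(f"{user_id} already exists")
        if requested_by == approved_by:
            # COBIT DS5.3: requester (user management) and approver (system
            # owner) must be different people.
            raise ValueError("access must be approved by someone other than the requester")
        self.users[user_id] = UserObject(user_id, approved_by, set(entitlements))
        self._log(approved_by, f"provision {user_id} {sorted(entitlements)} "
                               f"requested_by={requested_by}")

    def deactivate(self, user_id: str, actor: str) -> None:
        """Disable the account and strip its rights so nothing survives departure."""
        user = self.users[user_id]
        removed = sorted(user.entitlements)
        user.active = False
        user.entitlements.clear()
        self._log(actor, f"deactivate {user_id} removed={removed}")

    def record_login(self, user_id: str, when: date) -> None:
        self.users[user_id].last_login = when

    # --- authorization: consulted only after authentication succeeded --------
    def is_authorized(self, user_id: str, entitlement: str) -> bool:
        user = self.users.get(user_id)
        return user is not None and user.active and entitlement in user.entitlements

    # --- periodic review of user access rights --------------------------------
    def access_review(self, dormant_after_days: int = 90) -> List[Tuple[str, str]]:
        """Return (user, finding) pairs an auditor should follow up on."""
        findings = []
        for user in self.users.values():
            if not user.active:
                continue
            if user.employment_ended is not None:
                findings.append((user.user_id, "orphaned: employment ended on "
                                               f"{user.employment_ended} but account is still active"))
            if user.last_login is None or (self.today - user.last_login).days > dormant_after_days:
                findings.append((user.user_id, f"dormant: no login in {dormant_after_days} days"))
        return findings


def build_sample_repository(today: date = date(2012, 5, 22)) -> IdentityRepository:
    """Constructed scenario: three accounts, one dormant and one left behind by a leaver."""
    repo = IdentityRepository(today)
    repo.provision("alice", "mgr_bob", "owner_carol", {"erp:read", "erp:post_journal"})
    repo.provision("dave", "mgr_bob", "owner_carol", {"erp:read"})
    repo.provision("erin", "mgr_bob", "owner_carol", {"hr:read"})
    repo.record_login("alice", today - timedelta(days=3))
    repo.record_login("dave", today - timedelta(days=120))
    repo.record_login("erin", today - timedelta(days=12))
    # HR recorded erin's departure, but nobody deactivated the account.
    repo.users["erin"].employment_ended = today - timedelta(days=10)
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    for user_id, finding in repo.access_review():
        print(f"{user_id}: {finding}")
    repo.deactivate("erin", actor="owner_carol")
    print("erin still authorized for hr:read?", repo.is_authorized("erin", "hr:read"))
```

The review deliberately looks only at active accounts: once `deactivate` has run, the account drops out of the findings and the audit log records who removed which entitlements, which is the evidence an auditor asks for under A.11.2.4.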

  • 24/41  Miscellaneous Access Control Concepts / Practices (2 of 5)

    Role-based access control (RBAC): refers to access control that is based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role).
      A given role may apply to a single individual or to several individuals.
      Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization.
    Source: NIST SP 800-53, p. B-11

  • 25/41  Miscellaneous Access Control Concepts / Practices (3 of 5)

    Least privilege: allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
    Though this term is typically used in the context of system/database access, the concept should also be applied to sensitive data, regardless of its form.
    An example of applying least privilege as a simple, cost-effective security measure for protecting the SSN (e.g., on paper forms and elsewhere)
    Source: NIST SP 800-53, p. F-9

  • 26/41  Miscellaneous Access Control Concepts / Practices (4 of 5)

    Separation of duties (AKA segregation of duties): attempts to ensure there is no conflict of interest in the types of access authorized for one user.
    Examples:
      1. The person who administers access is different from the person who audits system access
      2. The person who is authorized to order purchases is different from the person authorized to pay invoices
    Auditors or risk managers may define SoD controls.
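The RBAC slide (permissions inherited through a role hierarchy) and the two SoD examples on this slide fit together in one small authorization engine. The block below is an added example, not code from the lecture: roles inherit permissions from junior roles, and a static separation-of-duties check refuses any role assignment that would let one user hold both roles of a constrained pair, counting inherited roles as held. Roles, permissions, users and the two conflicting pairs are constructed from the slide's examples for illustration.

```python
"""
Added example, not from the lecture: a small RBAC engine with a role hierarchy
and static separation-of-duties constraints. Roles, permissions and users are
constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, Set


class RbacPolicy:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}    # role -> permissions granted directly
        self.juniors: Dict[str, Set[str]] = {}       # role -> roles it inherits from
        self.sod_pairs: Set[FrozenSet[str]] = set()  # pairs of roles no one user may hold
        self.assignments: Dict[str, Set[str]] = {}   # user -> roles assigned directly

    def add_role(self, role: str, permissions: Iterable[str] = (),
                 inherits: Iterable[str] = ()) -> None:
        for junior in inherits:
            if junior not in self.role_perms:
                raise ValueError(f"unknown junior role {junior!r}")
        self.role_perms[role] = set(permissions)
        self.juniors[role] = set(inherits)

    def add_sod_constraint(self, role_a: str, role_b: str) -> None:
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def effective_roles(self, role: str) -> Set[str]:
        """The role itself plus every role it inherits from, transitively."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            stack.extend(self.juniors.get(current, ()))
        return seen

    def permissions_of_role(self, role: str) -> Set[str]:
        perms: Set[str] = set()
        for r in self.effective_roles(role):
            perms |= self.role_perms.get(r, set())
        return perms

    def assign(self, user: str, role: str) -> None:
        """Static separation of duties: refuse an assignment that would let the
        user hold both roles of a constrained pair. Inherited roles count, since a
        senior role carries all of its juniors' authorizations."""
        if role not in self.role_perms:
            raise ValueError(f"unknown role {role!r}")
        would_hold: Set[str] = set()
        for r in self.assignments.get(user, set()) | {role}:
            would_hold |= self.effective_roles(r)
        for pair in self.sod_pairs:
            if pair <= would_hold:
                a, b = sorted(pair)
                raise ValueError(f"SoD violation: {user} would hold both {a!r} and {b!r}")
        self.assignments.setdefault(user, set()).add(role)

    def permissions_of_user(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for r in self.assignments.get(user, set()):
            perms |= self.permissions_of_role(r)
        return perms

    def check(self, user: str, permission: str) -> bool:
        """The access decision: is `permission` in the user's effective set?"""
        return permission in self.permissions_of_user(user)


def build_sample_policy() -> RbacPolicy:
    """Constructed hierarchy: everyone is an employee; managers inherit purchasers."""
    p = RbacPolicy()
    p.add_role("employee", {"timesheet:submit"})
    p.add_role("purchaser", {"po:create"}, inherits={"employee"})
    p.add_role("ap_clerk", {"invoice:pay"}, inherits={"employee"})
    p.add_role("purchasing_manager", {"po:approve"}, inherits={"purchaser"})
    p.add_role("access_admin", {"user:grant_access"}, inherits={"employee"})
    p.add_role("auditor", {"auditlog:read"}, inherits={"employee"})
    # Slide example 2: ordering purchases vs. paying the invoice
    p.add_sod_constraint("purchaser", "ap_clerk")
    # Slide example 1: administering access vs. auditing it
    p.add_sod_constraint("access_admin", "auditor")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    policy.assign("alice", "purchasing_manager")
    print("alice po:create ->", policy.check("alice", "po:create"))   # True, inherited
    try:
        policy.assign("alice", "ap_clerk")
    except ValueError as err:
        print(err)
```

Note that the conflict is caught even though `purchasing_manager` is not itself in a constrained pair: the check walks the hierarchy, so a senior role that inherits `purchaser` still cannot be combined with `ap_clerk`.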

  • 27/41  Miscellaneous Access Control Concepts / Practices (5 of 5)

    A person may authenticate him/herself in three ways, by providing:
      1. Something you know (e.g., password)
      2. Something you have (e.g., token)
      3. Something you are (e.g., fingerprint)
    When two of these methods are used, it's called two-factor authentication.

  • 28/41  Examples of Two-Factor Authentication

    If a user is prompted for a password, and then prompted for a pass phrase, would that be two-factor authentication?
    RSA SecurID: http://www.rsa.com/node.aspx?id=1159
    PhoneFactor: http://www.phonefactor.com/
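The slide's question is settled by category, not by count of prompts: a password and a passphrase are both "something you know". The block below is an added example, not code from the lecture or from either product named above. It classifies presented authenticators into the know / have / are categories from the previous slide, and pairs a salted password hash with a time-based one-time password (TOTP, RFC 6238), which is the construction behind phone and hardware tokens. The HMAC-SHA1 algorithm is the RFC's and the secret is the RFC's published test key; the user record, password and timestamps are constructed for illustration.

```python
"""
Added example, not from the lecture: factor classification plus a password +
TOTP login. The TOTP/HOTP construction follows RFC 6238 / RFC 4226; the
secret is RFC 6238's test key; the account data is constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional

# Which of the three categories each authenticator type belongs to.
FACTOR_CATEGORY: Dict[str, str] = {
    "password": "know", "passphrase": "know", "security_question": "know",
    "totp_token": "have", "smart_card": "have",
    "fingerprint": "are",
}


def count_factors(presented: Iterable[str]) -> int:
    """Distinct categories among the presented authenticators (1..3)."""
    return len({FACTOR_CATEGORY[p] for p in presented})


def is_two_factor(presented: Iterable[str]) -> bool:
    return count_factors(presented) >= 2


# --- something you know: a salted, stretched password hash -------------------
def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 100_000):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_password(password: str, salt: bytes, stored: bytes, rounds: int = 100_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)


# --- something you have: the code a TOTP token displays ----------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current time step and `window` steps either side, for clock drift."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- the combined check --------------------------------------------------------
def login(record: dict, password: str, code: str, now: int) -> bool:
    """Two-factor login: password (know) plus the token's current code (have).
    Both checks always run so a failure does not reveal which factor was wrong."""
    presented = ["password", "totp_token"]
    if not is_two_factor(presented):
        raise RuntimeError("policy requires two distinct factors")
    password_ok = verify_password(password, record["salt"], record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, now)
    return password_ok and code_ok


RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test key


def sample_record() -> dict:
    """Constructed user record: a password hash plus an enrolled token secret."""
    salt, pw_hash = hash_password("correct horse", salt=b"\x00" * 16)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": RFC_TEST_SECRET}


if __name__ == "__main__":
    print("password + passphrase factors:", count_factors(["password", "passphrase"]))   # 1
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59))                                   # 287082
    print("login:", login(sample_record(), "correct horse", totp(RFC_TEST_SECRET, 59), 59))
```

With this classifier, password followed by passphrase yields one factor and fails `is_two_factor`; the token code passes only inside a small time window, which is what makes it "something you have" rather than another shared secret.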
  • 29/41  Biometric Access Control

    Access control via biometrics is the process of using body measurements to authenticate a user (something you are).
    Some examples of biometric technologies:
      1. Fujitsu Palm Secure (demo: http://www.citrix.com/tv/#videos/430)
      2. Biometric Fingerprint
      3. VoiceVault
      4. Iris Guard's IG-AD100 Iris Camera System
    Must strike a balance between technological effectiveness and user acceptance.
  • 30/41  Passwords (1 of 3)

  • 31/41  Passwords (2 of 3)

    Top 10 most common passwords (PC Magazine, May 8, 2007):
      1. password
      2. 123456
      3. qwerty
      4. abc123
      5. letmein
      6. monkey
      7. myspace1
      8. password1
      9. blink182
      10. (your first name)
    If you recognize yours, you may as well hand over your wallet or purse to the first person you see on the street.

  • 32/41  Passwords (3 of 3)

    Common recommendations for stronger passwords:
      At least 8 characters in length
      At least one letter, number, and non-alphanumeric character
    Sample organizational password policy: http://www.sans.org/resources/policies/Password_Policy.pdf
    Compliance with password policies can be evaluated using security software called password auditors.
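A password auditor of the kind the slide mentions has two jobs: check a new password against the policy before it is accepted, and check already-stored credentials for known-weak values without ever needing the plaintext. The block below is an added example, not code from the lecture or from the SANS policy linked above. It encodes the three recommendations on this slide and the top-10 list from the previous slide, including the "your first name" entry, and audits stored salted PBKDF2 hashes against that short list. Account names, first names and passwords are constructed for illustration, and the PBKDF2 round count is kept low so the demonstration runs quickly.

```python
"""
Added example, not from the lecture: a small password auditor implementing the
slide's recommendations and the previous slide's common-password list.
Accounts and passwords are constructed for illustration.
"""
import hashlib
import hmac
from typing import List, Optional

# Entries 1-9 of the PC Magazine list on the previous slide; entry 10,
# "your first name", is handled per account below.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein",
                    "monkey", "myspace1", "password1", "blink182"}


def policy_violations(password: str, first_name: Optional[str] = None,
                      min_length: int = 8) -> List[str]:
    """Return the rules a plaintext password breaks (empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if first_name and lowered == first_name.lower():
        problems.append("is the user's first name")
    return problems


def make_account(user: str, first_name: str, password: str, salt: bytes,
                 rounds: int = 1000) -> dict:
    """Constructed account record as an identity store would hold it: no plaintext."""
    return {"user": user, "first_name": first_name, "salt": salt, "rounds": rounds,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)}


def audit_accounts(accounts: List[dict]) -> dict:
    """Offline audit: hash each guessable value with the account's own salt and
    compare in constant time. Returns {user: matching weak password}."""
    weak = {}
    for acct in accounts:
        first = acct["first_name"]
        candidates = COMMON_PASSWORDS | {first, first.lower()}
        for cand in sorted(candidates):
            dk = hashlib.pbkdf2_hmac("sha256", cand.encode(), acct["salt"], acct["rounds"])
            if hmac.compare_digest(dk, acct["pw_hash"]):
                weak[acct["user"]] = cand
                break
    return weak


SAMPLE_ACCOUNTS = [
    make_account("jsmith", "John", "letmein", b"salt-1"),        # entry 5 on the list
    make_account("mjones", "Mary", "Mary", b"salt-2"),           # entry 10: first name
    make_account("kchen", "Kim", "Tr0ub4dor&3", b"salt-3"),      # meets the recommendations
]


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, "->", policy_violations(pw) or "ok")
    print(audit_accounts(SAMPLE_ACCOUNTS))   # {'jsmith': 'letmein', 'mjones': 'Mary'}
```

Because each account has its own salt, the auditor must re-hash the candidate list once per account; that per-account cost is exactly what salting buys the defender, and it is why the audit list is kept short and targeted rather than exhaustive.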
  • 33/41  Passphrases and Security Questions

    Passphrase
      Sequence of words; similar to a password, but longer
      Can be used in various ways.
      E.g., "Dear, let's dine tonight in a restaurant with atmosphere!"
      DLDTRWA!
    Security questions
      A form of a shared secret
      The majority of US financial institutions use them to authenticate users before allowing them to reset a password
      RSA tool comes with 150 preset security questions
      What is the vulnerability with this form of authentication?

  • 34/41  Physical Security

    Physical security is concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft (DOD, NATO).
    Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts (Wikipedia).

  • 35/41  Four Core Layers of Physical Security (1 of 2)

    1. Crime prevention through environmental design (CPTED)
         CPTED-based strategies emphasize enhancing the perceived risk of detection and apprehension; intended to deter a criminal act.
         Used primarily as a prevention mechanism
         Examples: barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting, security guard
    2. Access control
         Mechanical and electronic measures to control access into facilities
         Used primarily as a prevention mechanism
         Examples: mechanical locks & keys; electronic locks; biometric locks; security guard
    Source: Whitman & Mattord, 2009

  • 36/41  Four Core Layers of Physical Security (2 of 2)

    3. Intrusion detection (alarm)
         Monitors for and signals existence of an attack
         Used primarily as a response mechanism
         Can also be a deterrent
         Examples: burglar alarm; motion detector; smoke detector; security guard
    4. Surveillance and monitoring
         Used primarily as a response mechanism
         Primarily used for incident verification and historical analysis
         Examples: CCTV, IP camera; security guard
    Source: Whitman & Mattord, 2009

  • 37/41  Physical Security

    Other misc. areas of physical security include:
      Heating, ventilation, and air conditioning
      Electrical power management
      Computer theft
      Social engineering (using people skills to obtain confidential info from employees; e.g., by phone, PC, in person)
    Physical security is often managed by:
      Facilities management department (larger sites)
      Outsourced (smaller sites)
    Source: Whitman & Mattord, 2009

  • 38/41  The Convergence of Physical and Logical Security

    Convergence refers to some form of collaboration or integration between the physical security and IT security technologies and/or groups.
    Two general forms of convergence:
      1. changing the organizational structure to merge the physical and logical groups and align policies and budgets
      2. more commonly, organizations are rolling out converged technologies
    This convergence goes by various names:
      Convergence of Physical and Logical Security
      Convergence of Physical and Digital Security
      Convergence of Physical and IT Security

  • 39/41  The Convergence of Physical and Logical Security

    Features of convergence:
      Information sharing
      Cross-support across areas of expertise
      Convergence of security technologies
    Examples of convergent technologies:
      identity and access management
      anti-theft tags in retail stores
      IP-based surveillance cameras

  • 40/41  The Convergence of Physical and Logical Security

    Benefits of convergence:
      Synergy across skill sets
      Reduced costs through greater efficiencies
      Holistic approach to security
      Can collaborate where it makes sense

  • 41/41  The Convergence of Physical and Logical Security

    Challenges for convergence:
      Cultural differences (J. Edgar Hoover vs. Bill Gates)
      Differences in background and training
      Differences in skill sets (law enforcement vs IT)
      Embracement vs. skepticism toward new technology
      Differences in salaries
      Ownership battles
    Sources:
      http://www.scmagazineus.com/An-urge-to-converge-Physical-and-logical-identity-and-access-management/article/151829/
      http://www.computerworld.com/s/article/108571/Security_Convergence