fundamentals of information systems security chapter 5
TRANSCRIPT
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 5
Access Controls
Page 2Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 2Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective(s)
Explain the role of access controls in an IT
infrastructure.
Page 3Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 3Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Concepts
Access control concepts and technologies
Formal models of access control
How identity is managed by access control
Developing and maintaining system access
controls
Page 4Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 4Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Defining Access Control
The process of protecting a resource so
that it is used only by those allowed to
Prevents unauthorized use
Mitigations put into place to protect a
resource from a threat
Page 5Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 5Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Four Parts of Access Control
Access Control
Component Description
Identification Who is asking to access the
asset?
Authentication Can their identities be verified?
Authorization What, exactly, can the requestor
access? And what can they do?
Accountability How are actions traced to an
individual to ensure the person
who makes data or system
changes can be identified?
Page 6Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 6Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Policy Definition and Policy
Enforcement Phases
Policy definition phase—Who has access
and what systems or resources they can use
• Tied to the authorization phase
Policy enforcement phase—Grants or
rejects requests for access based on the
authorizations defined in the first phase
• Tied to identification, authentication, and
accountability phases
Page 7Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 7Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Two Types of Access Controls
•Controls entry into buildings, parking lots, and protected areas
Physical
•Controls access to a computer system or network
Logical
Page 8Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 8Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Physical Access Control
Smart cards are an example
Programmed with ID number
Used at parking lots, elevators, office doors
Shared office buildings may require an
additional after hours card
Cards control access to physical resources
Page 9Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 9Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Logical Access Control
Deciding which users can get into a system
Monitoring what each user does on that
system
Restraining or influencing a user’s behavior
on that system
Page 10Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 10Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The Security Kernel
Enforces access control for computer
systems
Central point of access control
Implements the reference monitor concept
Page 11Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 11Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Enforcing Access Control
Page 12Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 12Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Access Control Policies
•People who use the system or processes (subjects)Users
•Protected objects in the systemResources
•Activities that authorized users can perform on resourcesActions
•Optional conditions that exist between users and resourcesRelationships
Four central components of access control:
Page 13Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 13Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Logical Access Control Solutions
Logical Controls Solutions
Biometrics • Static: Fingerprints, iris granularity, retina blood
vessels, facial features, and hand geometry
• Dynamic: Voice inflections, keyboard strokes, and
signature motions
Tokens • Synchronous or asynchronous
• Smart cards and memory cards
Passwords • Stringent password controls for users
• Account lockout policies
• Auditing logon events
Single sign-on • Kerberos process
• Secure European System for Applications in a
Multi-Vendor Environment (SESAME)
Page 14Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 14Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authorization Policies
Authorization
User-assigned privileges
Group membership
policy
Authority-level policy
Page 15Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 15Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Methods and Guidelines for
Identification
Methods
Guidelines
• Username
• Smart card
• Biometrics
• Actions
• Accounting
Page 16Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 16Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication Types
Something you knowKnowledge
• Something you haveOwnership
• Something unique to youCharacteristics
• Somewhere you areLocation
• Something you do/how you do it
Action
Page 17Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 17Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by Knowledge
Password
• Weak passwords easily cracked by brute-force
or dictionary attack
• Password best practices
Passphrase
• Stronger than a password
Account lockout policies
Audit logon events
Page 18Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 18Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by Ownership
Synchronous token—Calculates a number at
both the authentication server and the device
• Time-based synchronization system
• Event-based synchronization system
• Continuous authentication
Asynchronous token
• USB token
• Smart card
• Memory cards (magnetic stripe)
Page 19Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 19Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Asynchronous Token Challenge-
Response
Page 20Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 20Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by
Characteristics/Biometrics
Static (physiological)
measures
What you are
Dynamic (behavioral) measures
What you do
Page 21Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 21Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Concerns Surrounding Biometrics
•Accuracy
AcceptabilityReaction
time
Page 22Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 22Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Types of Biometrics
Fingerprint
Palm print
Hand geometry
Retina scan
Iris scan
Facial recognition
Voice pattern
Keystroke dynamics
Signature dynamics
Page 23Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 23Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Authentication by Location and
Action
Location
• Strong indicator of authenticity
• Additional information to suggest granting
or denying access to a resource
Action
• Stores the patterns or nuances of how you
do something
• Record typing patterns
Page 24Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 24Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Single Sign-On (SSO)
Sign on to a computer or network once
Identification and authorization credentials
allow user to access all computers and
systems where authorized
Reduces human error
Difficult to put in place
Page 25Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 25Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
SSO Processes
Kerberos
Secure European System for Applications in a Multi-Vendor Environment (SESAME)
Lightweight Directory Access Protocol (LDAP)
Page 26Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 26Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Policies and Procedures for
Accountability
Log files
Monitoring and reviews
Data retention
Media disposal
Compliance requirements
Page 27Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 27Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Formal Models of Access Control
Discretionary access control (DAC)
Mandatory access control (MAC)
Nondiscretionary access control
Rule-based access control
Page 28Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 28Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Discretionary Access Control
Operating systems-based DAC policy
considerations
• Access control method
• New user registration
• Periodic review
Application-based DAC
Permission levels
Page 29Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 29Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Mandatory Access Control
Determine the level of restriction by how
sensitive the resource is (classification
label)
System and owner make the decision to
allow access
Temporal isolation/time-of-day restrictions
MAC is stronger than DAC
Page 30Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 30Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Nondiscretionary Access Control
Access rules are closely managed by security
administrator, not system owner or ordinary
users
Sensitive files are write-protected for integrity
and readable only by authorized users
More secure than discretionary access control
Ensures that system security is enforced and
tamperproof
Page 31Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 31Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Rule-Based Access Control
Page 32Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 32Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Access Control Lists
Linux and OS X
• Read, write, executePermissions
• File owners, groups, global usersApplied to
Page 33Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 33Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Access Control Lists (cont.)
Windows
•Full, change, read, denyShare permissions
•Full, modify, list folder contents, read-execute, read, write, special, deny
Security permissions
Page 34Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 34Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
An Access Control List
Page 35Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 35Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Role-Based Access Control
Page 36Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 36Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Content-Dependent Access Control
Page 37Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 37Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Constrained User Interface
Methods of constraining users
MenusDatabase
views
Physically constrained
user interfaces
Encryption
Page 38Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 38Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Other Access Control Models
Bell-LaPadula model
Biba integrity model
Clark and Wilson integrity model
Brewer and Nash integrity model
Page 39Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 39Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Brewer and Nash Integrity Model
Page 40Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 40Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Effects of Breaches in Access
Control
Disclosure of private information
Corruption of data
Loss of business intelligence
Danger to facilities, staff, and systems
Damage to equipment
Failure of systems and business processes
Page 41Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 41Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Threats to Access Controls
Gaining physical access
Eavesdropping by observation
Bypassing security
Exploiting hardware and software
Reusing or discarding media
Electronic eavesdropping
Intercepting communication
Accessing networks
Exploiting applications
Page 42Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 42Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Effects of Access Control Violations
Loss of customer confidence
Loss of business opportunities
New regulations imposed on the organization
Bad publicity
More oversight
Financial penalties
Page 43Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 43Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Credential and Permissions
Management
Systems that provide the ability to collect,
manage, and use the information
associated with access control
Microsoft offers Group Policy and Group
Policy Objects (GPOs) to help
administrators manage access controls
Page 44Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 44Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Centralized and Decentralized
Access Control
Centralized authentication, authorization, and
accounting (AAA) servers
• RADIUS: Most popular; two configuration files
• TACACS+: Internet Engineering Task Force (IETF)
standard; one configuration file
• DIAMETER: Base protocol and extensions
• SAML: Open standard based on XML for exchanging
both authentication and authorization data
Page 45Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 45Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Decentralized Access Control
Access control is in the hands of the people
closest to the system users
Password Authentication Protocol (PAP)
Challenge-Handshake Authentication Protocol
(CHAP)
Mobile device authentication, Initiative for Open
Authentication (OATH)
• HMAC-based one-time password (HOTP)
• Time-based one-time password (TOTP)
Page 46Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 46Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Privacy Communicate expectations for privacy in acceptable
use policies (AUPs) and logon banners
Monitoring in the workplace includes:
• Opening mail or email
• Using automated software to check email
• Checking phone logs or recording phone calls
• Checking logs of web sites visited
• Getting information from credit-reference agencies
• Collecting information through point-of-sale (PoS)
terminals
• Recording activities on closed-circuit television (CCTV)
Page 47Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 47Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cloud Computing
Category Description
Private All components are managed for a single
organization. May be managed by the organization
or by a third-party provider.
Community Components are shared by several organizations
and managed by one of the participating
organizations or by a third party.
Public Available for public use and managed by third-party
providers.
Hybrid Contains components of more than one type of
cloud, including private, community, and public
clouds.
Page 48Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 48Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Advantages/Disadvantages of
Cloud Computing
No need to maintain a
data center
No need to maintain a
disaster recovery site
Outsourced
responsibility for
performance and
connectivity
On-demand provisioning
More difficult to keep
private data secure
Greater danger of
private data leakage
Demand for constant
network access
Client needs to trust the
outside vendor
Advantages Disadvantages
Page 49Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.Page 49Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Summary
Access control concepts and technologies
Formal models of access control
How identity is managed by access control
Developing and maintaining system access
controls