Resource Protection

Controls to protect company assets. Protections required:
• Environmental protection
• Physical access protection
• Logical access protection

Environmental Protection
• Disasters: fire, flood, earthquake
• Temperature and humidity
• UV light, other kinds of radiation, electrical interference
• Electricity interruption: blackout, brownout, power surge

Physical Access Control
• Key and lock: door, cabinet, disk drive
• Identity badge
• Monitoring camera
• Sensors
• Barriers
• Guards
• Escorts

Logical Access Control
• To check the identity of a user before he is allowed to access the information system
• The process is known as authentication
• The information used to establish the identity is the credentials

Logical access entry points
• Operator console
• Online workstation or terminal
• Remote access
• Network connectivity

Logical access control software
• Always a part of the operating system
• User identification and authentication mechanism
• Restrict logon IDs to specific workstations and to specific times
• Create individual accountability and auditability
• Create user profiles
• Log events/user activities

Identification and Authentication
• The basic building block of information security for access control and for establishing user accountability
• The logon ID provides individual identification
• Authentication proves the user is who he claims to be, usually by means of a password

User Authentication
3 qualities to confirm a user's identity:
• Something the user knows (password)
• Something the user has (token device)
• Something the user is (biometrics)

Identification by Biometrics
• Fingerprint
• Palm scan
• Hand geometry
• Facial scan
• Retina scan
• Iris scan
• Signature dynamics
• Keyboard dynamics

Two-factor Authentication
• An authentication process asking for two of these qualities of a user

Password
An ideal password is:
• Something you know
• Something a computer can verify that you know
• Something nobody else can guess

Use of password
• It is actually a secret created by a user
• Should consider how it is:
  • Stored (plain text, encrypted)
  • Transmitted and used
  • Retrieved
  • Destroyed

Choosing passwords
• Usually not randomly chosen, as it has to be remembered by the user
• People can remember only 6 to 8 random numbers
• Use a passphrase as a memory aid
• People tend to use capital letters at the beginning and numbers at the end

10 most popular passwords in the UK
1. '123' (3.784‰)
2. 'password' (3.780‰)
3. 'liverpool' (1.82‰)
4. 'letmein' (1.76‰)
5. '123456' (1.63‰)
6. 'qwerty' (1.41‰)
7. 'charlie' (1.39‰)
8. 'monkey' (1.33‰)
9. 'arsenal' (1.11‰)
10. 'thomas' (0.99‰)
Strong Password
• Use both capital and small letters, numbers and symbols
• Avoid actual names or words
• At least 6 characters long
• Must not be identifiable to the user; for example, don't use the names and birthdays of your wife and children
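The password slides above (how a password is stored, how people choose one, the popular-password list, and the Strong Password rules) as one worked example. This is added illustration code, not part of the original slides: it checks a candidate against the slide's rules and the ten passwords listed, then stores it as a salted PBKDF2 hash rather than in plain text. The blocklist and the 6-character minimum come from the slides; the personal_terms parameter, the iteration count and the function names are my own assumptions for the example.

```python
import hashlib
import hmac
import os
import re

# The ten passwords listed on the "10 most popular passwords in the UK" slide,
# used here as a constructed blocklist.
COMMON_PASSWORDS = {
    "123", "password", "liverpool", "letmein", "123456",
    "qwerty", "charlie", "monkey", "arsenal", "thomas",
}

MIN_LENGTH = 6                # the slide's "at least 6 characters long"
PBKDF2_ITERATIONS = 200_000   # assumed work factor for this example


def check_password(password, personal_terms=()):
    """Return the list of policy rules a candidate password breaks.

    An empty list means the password is accepted. personal_terms is a
    constructed list of names or dates tied to the user (the slide's
    'names and birthdays of your wife and children').
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no small letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    # Blocklist check. The slide notes that people put capitals at the
    # beginning and numbers at the end, so compare case-insensitively and
    # also with any trailing digits removed ("Liverpool99" is still "liverpool").
    lowered = password.lower()
    core = lowered.rstrip("0123456789")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("in common-password list")

    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def store_password(password):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the plain-text secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("password", "Liverpool99", "Tr!ck-St0ne"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The stored record holds only the salt, the digest and the iteration count, so a copy of the password file does not reveal any password; verification recomputes the digest from the candidate and compares it with hmac.compare_digest so that timing does not leak how many leading bytes matched.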
Policy on control of passwords
• Length
• Complexity
• Period to change password
• No password
• Log out period
• Recycling of passwords

Other considerations
• A logon ID not used for a number of days should be de-activated
• Be careful with default system passwords and users
• A logon session should be automatically disconnected if there is no activity for a period of time (time-out)

What about the logon ID
• Always standardized by the organization
• Name and initials
• Email address

Single Sign-on
• The user needs to access multiple resources and computers
• A user authenticates only once for a session. The system forwards the authenticated identity to other processes
• Active Directory uses Kerberos
• Access to Microsoft websites through Microsoft Passport

Authorization
• It is the process of access control that differentiates between users and provides access to resources
• Access control should be based on the principles of separation of duties and least privilege, and provided on a documented need-to-know basis
• Access restrictions on:
  • Read
  • Write
  • Execute
  • Delete, etc.
• Depends on:
  • Role
  • Group
  • Time
  • Transaction type
• Default: no access

Authentication vs Authorization
• Authentication identifies who you are
• Authorization determines what kind of resources the user is allowed to access
• Accounting keeps a detailed record showing who has logged on to the system, the actions he takes, and at what time

Access Control List (ACL)
An access authorization table showing:
• Users (including groups, machines, processes) who have permission to use a particular type of system resource, and
• The type of access permitted
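The Authorization and ACL slides above (read/write/execute/delete restrictions that depend on role, group and time, with no access by default) as one worked example. This is added illustration code, not part of the original slides. The ACL rows, user and resource names are constructed; the table shows separation of duties (the auditor can read the ledger but never write it) and a time window on the finance group's access.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AclEntry:
    """One row of the access authorization table."""
    principal: str          # "user:alice", "group:finance" or "role:auditor"
    resource: str
    permissions: frozenset  # subset of {"read", "write", "execute", "delete"}
    hours: tuple = (time(0, 0), time(23, 59, 59))  # inclusive window in which the row applies


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

    def principals(self):
        """Every name under which this subject may match an ACL row."""
        names = {f"user:{self.user}"}
        names.update(f"group:{g}" for g in self.groups)
        names.update(f"role:{r}" for r in self.roles)
        return names


# Constructed table. The finance group may read and write the ledger during office
# hours; an auditor may only read it (separation of duties); alice alone owns payroll.
ACL = [
    AclEntry("group:finance", "ledger.db", frozenset({"read", "write"}), (time(8, 0), time(18, 0))),
    AclEntry("role:auditor", "ledger.db", frozenset({"read"})),
    AclEntry("user:alice", "payroll.xls", frozenset({"read", "write", "delete"})),
]


def is_permitted(acl, subject, resource, permission, now):
    """Default: no access. Grant only when a row for one of the subject's principals
    names the resource, lists the permission and is valid at the time of the request.
    now may be a datetime.time or an "HH:MM" string."""
    if isinstance(now, str):
        now = time.fromisoformat(now)
    principals = subject.principals()
    for entry in acl:
        if entry.resource != resource or entry.principal not in principals:
            continue
        if permission not in entry.permissions:
            continue
        start, end = entry.hours
        if start <= now <= end:
            return True
    return False   # nothing matched: deny


def permitted_operations(acl, subject, resource, now):
    """The set of operations the subject may perform on the resource right now."""
    return {op for op in ("read", "write", "execute", "delete")
            if is_permitted(acl, subject, resource, op, now)}


if __name__ == "__main__":
    alice = Subject("alice", groups=frozenset({"finance"}))
    print("alice on ledger.db at 10:00:", permitted_operations(ACL, alice, "ledger.db", "10:00"))
    print("alice on ledger.db at 22:00:", permitted_operations(ACL, alice, "ledger.db", "22:00"))
```

Because the function returns False unless a row explicitly matches, adding a new user or resource grants nothing until an administrator writes a row for it, which is the "default: no access" rule from the slide.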
Other issues to consider
• Remote logon
• Access with mobile technology (flash drive, removable hard disk)
• Access using wireless
• Access using PDAs
• Who can access system logs

Access Control Administration
• Centralised vs de-centralised
• RADIUS (Remote Authentication Dial-in User Service) server
• TACACS (Terminal Access Controller Access Control System) server
• AAA server

Access Protocols
• PAP: Password Authentication Protocol
• CHAP: Challenge Handshake Authentication Protocol
• Kerberos
• EAP: Extensible Authentication Protocol
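PAP and CHAP from the Access Protocols slide as a worked exchange with both sides' messages. This is added illustration code, not part of the original slides. The CHAP response follows RFC 1994 (MD5 over identifier, shared secret and challenge value; MD5 is used here only because that is what the RFC specifies). The peer name and shared secret are constructed, and the Authenticator/Peer classes are my own framing of the two ends of the link.

```python
import hashlib
import hmac
import os

# Constructed shared secret; a real deployment provisions these out of band.
SHARED_SECRETS = {"alice": b"s3cret-example"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The network access server side: holds the secrets and issues one-time challenges."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.next_id = 0
        self.outstanding = {}   # identifier -> challenge value still awaiting a response

    def challenge(self):
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.outstanding[self.next_id] = value
        return self.next_id, value   # this is what crosses the wire

    def verify(self, identifier, name, response):
        value = self.outstanding.pop(identifier, None)   # a challenge can be answered once
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The dial-in client: never sends its secret, only a digest bound to the challenge."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, value):
        return identifier, self.name, chap_response(identifier, self.secret, value)


def pap_packet(name, password):
    """PAP sends the credentials as-is, so the packet bytes contain the password."""
    return name.encode() + b"\x00" + password.encode()


def run_chap(auth, peer):
    """One full CHAP exchange; returns (success, bytes an observer of the link would see)."""
    identifier, value = auth.challenge()                   # server -> client
    identifier, name, response = peer.respond(identifier, value)   # client -> server
    wire = bytes([identifier]) + value + name.encode() + response
    return auth.verify(identifier, name, response), wire


if __name__ == "__main__":
    auth = Authenticator(SHARED_SECRETS)
    ok, wire = run_chap(auth, Peer("alice", SHARED_SECRETS["alice"]))
    print("CHAP success:", ok, "| secret visible on wire:", SHARED_SECRETS["alice"] in wire)
    print("PAP secret visible on wire:", b"s3cret-example" in pap_packet("alice", "s3cret-example"))
```

Two properties of CHAP are visible in the code: the secret never appears in the bytes exchanged, and because the authenticator discards each challenge after one answer, a recorded response is useless against the next challenge. PAP offers neither, which is why the slides list CHAP and EAP alongside it.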
Access control – Vulnerability Testing
• Simulation of an outside attack
• Penetration testing
• Ethical hacker

Access control – Audit Trails
• Log activities
• Capture system, network, application and user events
• Protect logs from updates and unauthorized access
• Retain logs for a sufficient period
• Filter/clip data to maintain reasonable volumes
• Automatic log review
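The "Automatic log review" point on the Audit Trails slide, together with the earlier "Other considerations" rule that a logon ID not used for a number of days should be de-activated, as one worked example. This is added illustration code, not part of the original slides. The log line format, the user names and the events are constructed; the review flags a burst of failed logons for one ID and lists the IDs with no successful logon in the last 30 days (both thresholds are my own assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail; the format is invented for this example.
SAMPLE_LOG = """\
2024-03-01T08:02:11 LOGON user=alice result=success src=ws12
2024-01-15T09:14:03 LOGON user=bob result=success src=ws07
2024-03-20T10:00:00 LOGON user=dave result=failure src=ws03
2024-03-20T10:00:40 LOGON user=dave result=success src=ws03
2024-03-29T02:10:00 LOGON user=admin result=failure src=10.0.0.9
2024-03-29T02:10:30 LOGON user=admin result=failure src=10.0.0.9
2024-03-29T02:11:00 LOGON user=admin result=failure src=10.0.0.9
2024-03-29T02:11:30 LOGON user=admin result=failure src=10.0.0.9
2024-03-29T02:12:00 LOGON user=admin result=failure src=10.0.0.9
2024-03-29T02:12:30 LOGON user=admin result=failure src=10.0.0.9
2024-03-29T09:00:00 LOGON user=admin result=success src=ws01
2024-03-28T08:05:42 LOGON user=alice result=success src=ws12
"""

LINE_RE = re.compile(r"^(\S+) LOGON user=(\S+) result=(success|failure) src=(\S+)$")


def parse_log(text):
    """Keep only well-formed logon records (the slide's filter/clip step), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, result, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Report (user, first_failure, count) where a user has >= threshold failures
    inside one window. One finding per user is enough for a reviewer."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in failures.items():        # stamps are already in time order
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= threshold:
                findings.append((user, start, count))
                break
    return findings


def dormant_accounts(events, known_users, as_of, max_idle_days=30):
    """IDs with no successful logon in the last max_idle_days (candidates for de-activation)."""
    last_success = {}
    for e in events:
        if e["result"] == "success":
            last_success[e["user"]] = max(last_success.get(e["user"], e["ts"]), e["ts"])
    return {u for u in known_users
            if u not in last_success or (as_of - last_success[u]).days > max_idle_days}


def review(log_text, known_users, as_of):
    """Automatic log review; as_of is an ISO date string such as '2024-03-30'."""
    events = parse_log(log_text)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "dormant_accounts": dormant_accounts(events, known_users, datetime.fromisoformat(as_of)),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, {"alice", "bob", "carol", "dave", "admin"}, "2024-03-30")
    for user, first, count in report["failed_logon_bursts"]:
        print(f"{count} failed logons for {user} starting {first}")
    print("dormant IDs:", sorted(report["dormant_accounts"]))
```

The review only works if the log it reads is trustworthy, which is the reason the same slide lists protecting logs from updates and unauthorized access next to reviewing them.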
Access control monitoring – Honeypots
• Sacrificial part of the network for monitoring purposes
  • Open ports, enabled services, no information
• Legal issues
  • Enticement: legal; open ports and enabled services
  • Entrapment: illegal; offering data for download and then prosecuting

Access control monitoring – Sniffers
• Monitor the network and capture the packets
• Perform protocol analysis for network troubleshooting
• Example: Wireshark, Tcpdump

Document system
• Classification
• Indexing
• Clearance
• Access control
• Logging
• Distribution
• Storage
• Disposal

Reading
• CISSP Chapter 4, especially on Kerberos and Access Control Administration
• NIST Handbook Chapters 16, 17 and 18