fundamentals of information systems security chapter 5

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Fundamentals of Information

Systems Security

Lesson 5

Access Controls

Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.Page 2Fundamentals of Information Systems Security


www.jblearning.com


Learning Objective(s)

Explain the role of access controls in an IT

infrastructure.


www.jblearning.com



www.jblearning.com


Key Concepts

Access control concepts and technologies

Formal models of access control

How identity is managed by access control

Developing and maintaining system access

controls


www.jblearning.com



www.jblearning.com


Defining Access Control

The process of protecting a resource so

that it is used only by those allowed to

Prevents unauthorized use

Mitigations put into place to protect a

resource from a threat


www.jblearning.com



www.jblearning.com


Four Parts of Access Control

Access Control

Component Description

Identification Who is asking to access the

asset?

Authentication Can their identities be verified?

Authorization What, exactly, can the requestor

access? And what can they do?

Accountability How are actions traced to an

individual to ensure the person

who makes data or system

changes can be identified?


www.jblearning.com



www.jblearning.com


Policy Definition and Policy

Enforcement Phases

Policy definition phase—Who has access

and what systems or resources they can use

• Tied to the authorization phase

Policy enforcement phase—Grants or

rejects requests for access based on the

authorizations defined in the first phase

• Tied to identification, authentication, and

accountability phases


www.jblearning.com



www.jblearning.com


Two Types of Access Controls

•Controls entry into buildings, parking lots, and protected areas

Physical

•Controls access to a computer system or network

Logical


www.jblearning.com



www.jblearning.com


Physical Access Control

Smart cards are an example

Programmed with ID number

Used at parking lots, elevators, office doors

Shared office buildings may require an

additional after hours card

Cards control access to physical resources


www.jblearning.com



www.jblearning.com


Logical Access Control

Deciding which users can get into a system

Monitoring what each user does on that

system

Restraining or influencing a user’s behavior

on that system


www.jblearning.com



www.jblearning.com


The Security Kernel

Enforces access control for computer

systems

Central point of access control

Implements the reference monitor concept


www.jblearning.com



www.jblearning.com


Enforcing Access Control


www.jblearning.com



www.jblearning.com


Access Control Policies

•People who use the system or processes (subjects)Users

•Protected objects in the systemResources

•Activities that authorized users can perform on resourcesActions

•Optional conditions that exist between users and resourcesRelationships

Four central components of access control:


www.jblearning.com



www.jblearning.com


Logical Access Control Solutions

Logical Controls Solutions

Biometrics • Static: Fingerprints, iris granularity, retina blood

vessels, facial features, and hand geometry

• Dynamic: Voice inflections, keyboard strokes, and

signature motions

Tokens • Synchronous or asynchronous

• Smart cards and memory cards

Passwords • Stringent password controls for users

• Account lockout policies

• Auditing logon events

Single sign-on • Kerberos process

• Secure European System for Applications in a

Multi-Vendor Environment (SESAME)


www.jblearning.com



www.jblearning.com


Authorization Policies

Authorization

User-assigned privileges

Group membership

policy

Authority-level policy


www.jblearning.com



www.jblearning.com


Methods and Guidelines for

Identification

Methods

Guidelines

• Username

• Smart card

• Biometrics

• Actions

• Accounting


www.jblearning.com



www.jblearning.com


Authentication Types

Something you knowKnowledge

• Something you haveOwnership

• Something unique to youCharacteristics

• Somewhere you areLocation

• Something you do/how you do it

Action


www.jblearning.com



www.jblearning.com


Authentication by Knowledge

Password

• Weak passwords easily cracked by brute-force

or dictionary attack

• Password best practices

Passphrase

• Stronger than a password

Account lockout policies

Audit logon events


www.jblearning.com



www.jblearning.com


Authentication by Ownership

Synchronous token—Calculates a number at

both the authentication server and the device

• Time-based synchronization system

• Event-based synchronization system

• Continuous authentication

Asynchronous token

• USB token

• Smart card

• Memory cards (magnetic stripe)


www.jblearning.com



www.jblearning.com


Asynchronous Token Challenge-

Response


www.jblearning.com



www.jblearning.com


Authentication by

Characteristics/Biometrics

Static (physiological)

measures

What you are

Dynamic (behavioral) measures

What you do


www.jblearning.com



www.jblearning.com


Concerns Surrounding Biometrics

•Accuracy

AcceptabilityReaction

time


www.jblearning.com



www.jblearning.com


Types of Biometrics

Fingerprint

Palm print

Hand geometry

Retina scan

Iris scan

Facial recognition

Voice pattern

Keystroke dynamics

Signature dynamics


www.jblearning.com



www.jblearning.com


Authentication by Location and

Action

Location

• Strong indicator of authenticity

• Additional information to suggest granting

or denying access to a resource

Action

• Stores the patterns or nuances of how you

do something

• Record typing patterns


www.jblearning.com



www.jblearning.com


Single Sign-On (SSO)

Sign on to a computer or network once

Identification and authorization credentials

allow user to access all computers and

systems where authorized

Reduces human error

Difficult to put in place


www.jblearning.com



www.jblearning.com


SSO Processes

Kerberos

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

Lightweight Directory Access Protocol (LDAP)


www.jblearning.com



www.jblearning.com


Policies and Procedures for

Accountability

Log files

Monitoring and reviews

Data retention

Media disposal

Compliance requirements


www.jblearning.com



www.jblearning.com


Formal Models of Access Control

Discretionary access control (DAC)

Mandatory access control (MAC)

Nondiscretionary access control

Rule-based access control


www.jblearning.com



www.jblearning.com


Discretionary Access Control

Operating systems-based DAC policy

considerations

• Access control method

• New user registration

• Periodic review

Application-based DAC

Permission levels


www.jblearning.com



www.jblearning.com


Mandatory Access Control

Determine the level of restriction by how

sensitive the resource is (classification

label)

System and owner make the decision to

allow access

Temporal isolation/time-of-day restrictions

MAC is stronger than DAC


www.jblearning.com



www.jblearning.com


Nondiscretionary Access Control

Access rules are closely managed by security

administrator, not system owner or ordinary

users

Sensitive files are write-protected for integrity

and readable only by authorized users

More secure than discretionary access control

Ensures that system security is enforced and

tamperproof


www.jblearning.com



www.jblearning.com


Rule-Based Access Control


www.jblearning.com



www.jblearning.com


Access Control Lists

Linux and OS X

• Read, write, executePermissions

• File owners, groups, global usersApplied to


www.jblearning.com



www.jblearning.com


Access Control Lists (cont.)

Windows

•Full, change, read, denyShare permissions

•Full, modify, list folder contents, read-execute, read, write, special, deny

Security permissions


www.jblearning.com



www.jblearning.com


An Access Control List


www.jblearning.com



www.jblearning.com


Role-Based Access Control


www.jblearning.com



www.jblearning.com


Content-Dependent Access Control


www.jblearning.com



www.jblearning.com


Constrained User Interface

Methods of constraining users

MenusDatabase

views

Physically constrained

user interfaces

Encryption


www.jblearning.com



www.jblearning.com


Other Access Control Models

Bell-LaPadula model

Biba integrity model

Clark and Wilson integrity model

Brewer and Nash integrity model


www.jblearning.com



www.jblearning.com


Brewer and Nash Integrity Model


www.jblearning.com



www.jblearning.com


Effects of Breaches in Access

Control

Disclosure of private information

Corruption of data

Loss of business intelligence

Danger to facilities, staff, and systems

Damage to equipment

Failure of systems and business processes


www.jblearning.com



www.jblearning.com


Threats to Access Controls

Gaining physical access

Eavesdropping by observation

Bypassing security

Exploiting hardware and software

Reusing or discarding media

Electronic eavesdropping

Intercepting communication

Accessing networks

Exploiting applications


www.jblearning.com



www.jblearning.com


Effects of Access Control Violations

Loss of customer confidence

Loss of business opportunities

New regulations imposed on the organization

Bad publicity

More oversight

Financial penalties


www.jblearning.com



www.jblearning.com


Credential and Permissions

Management

Systems that provide the ability to collect,

manage, and use the information

associated with access control

Microsoft offers Group Policy and Group

Policy Objects (GPOs) to help

administrators manage access controls


www.jblearning.com



www.jblearning.com


Centralized and Decentralized

Access Control

Centralized authentication, authorization, and

accounting (AAA) servers

• RADIUS: Most popular; two configuration files

• TACACS+: Internet Engineering Task Force (IETF)

standard; one configuration file

• DIAMETER: Base protocol and extensions

• SAML: Open standard based on XML for exchanging

both authentication and authorization data


www.jblearning.com



www.jblearning.com


Decentralized Access Control

Access control is in the hands of the people

closest to the system users

Password Authentication Protocol (PAP)

Challenge-Handshake Authentication Protocol

(CHAP)

Mobile device authentication, Initiative for Open

Authentication (OATH)

• HMAC-based one-time password (HOTP)

• Time-based one-time password (TOTP)


www.jblearning.com



www.jblearning.com


Privacy Communicate expectations for privacy in acceptable

use policies (AUPs) and logon banners

Monitoring in the workplace includes:

• Opening mail or email

• Using automated software to check email

• Checking phone logs or recording phone calls

• Checking logs of web sites visited

• Getting information from credit-reference agencies

• Collecting information through point-of-sale (PoS)

terminals

• Recording activities on closed-circuit television (CCTV)


www.jblearning.com



www.jblearning.com


Cloud Computing

Category Description

Private All components are managed for a single

organization. May be managed by the organization

or by a third-party provider.

Community Components are shared by several organizations

and managed by one of the participating

organizations or by a third party.

Public Available for public use and managed by third-party

providers.

Hybrid Contains components of more than one type of

cloud, including private, community, and public

clouds.


www.jblearning.com



www.jblearning.com


Advantages/Disadvantages of

Cloud Computing

No need to maintain a

data center

No need to maintain a

disaster recovery site

Outsourced

responsibility for

performance and

connectivity

On-demand provisioning

More difficult to keep

private data secure

Greater danger of

private data leakage

Demand for constant

network access

Client needs to trust the

outside vendor

Advantages Disadvantages


www.jblearning.com



www.jblearning.com


Summary

Access control concepts and technologies

Formal models of access control

How identity is managed by access control

Developing and maintaining system access

controls

fundamentals of information systems security chapter 5

Education