
INFORMATION SECURITY MANAGEMENT

adam-monroe

Presentation Transcript


  1. INFORMATION SECURITY MANAGEMENT Lecture 6: Security Management Models You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. Access Control Models • Access controls • Key principles of access control

  3. The value of information: CIA Triangle • The value of information comes from the characteristics it possesses: confidentiality, integrity and availability (the CIA triangle) • Expanded to include: Identification, Authentication, Authorization, Privacy, Accountability

  4. Identification and Authentication Identification • An information system possesses the characteristic of identification when it is able to recognize individual users • Identification and authentication are essential to establishing the level of access or authorization that an individual is granted Authentication • Occurs when a control proves that a user possesses the identity that he or she claims

  5. Authorization Assures that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

  6. Categories of Access Control

  7. Categories of Access Control • Preventative • Deterrent • Detective • Corrective • Recovery • Compensating

  8. Preventive Controls • Block or control specific events

  9. Deterrent/Detective Controls • Deterrent Controls: discourage a violation before it happens (e.g. warning banners, visible monitoring) • Detective Controls: identify and record an event after it has occurred (e.g. audit logs, intrusion detection)

  10. Corrective/Recovery Controls • Corrective Controls: remedy the cause of a problem once it has been detected (e.g. applying a patch, terminating a session) • Recovery Controls: return the system to its normal state after an incident (e.g. restoring from backup)

  11. Compensating Controls • A control introduced to compensate for the absence or failure of another control • Examples

  12. Another Approach: Types of Controls • Technical • Operational (covers physical, personnel and procedural controls; the administrative/technical/physical taxonomy lists the physical ones separately) • Management (aka Administrative)

  13. Controlling Access

  14. Identification and Authentication • Identification: unproven assertion of identity • Authentication: proven assertion of identity

  15. Authentication Methods • What the user knows • What the user has • What the user is

  16. How Information Systems Authenticate Users • Request userid and password • Hash password • Retrieve stored userid and hashed password • Compare • Make a function call to a network based authentication service

  17. How a System Stores Userids and Passwords • Typically stored in a database table • Application database or authentication database • Userid stored in plaintext • Password stored encrypted or hashed

  18. Password Hashes • LM hash is weak (case-insensitive, password split into two 7-character halves) and is no longer stored by default since Windows Vista / Windows 7 • NT hash is stronger, but not salted: two users with the same password have identical hashes, and precomputed tables can be used against it http://www.emc.com/collateral/software/white-papers/h11013-rsa-dcp-0812-wp.pdf
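The three slides above (how a system authenticates a user, how it stores userids and hashed passwords, and why an unsalted hash such as the NT hash is weaker) can be shown in one piece of code. This is an added example, not code from the lecture: the in-memory table, the userids and the passwords are constructed, SHA-256 stands in for MD4 in the unsalted case only so the example runs everywhere, and the salted form uses PBKDF2, which is the current recommendation rather than the plain "hash password" step on the slide.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the authentication database table:
# userid (plaintext) -> record holding salt, work factor and hash.
USER_TABLE = {}

# PBKDF2 work factor; raise it as hardware gets faster.
ITERATIONS = 100_000


def unsalted_hash(password):
    """Hash with no salt, as the NT hash does (NT uses MD4 over the UTF-16LE
    password; SHA-256 is used here only so the example runs anywhere).
    Every user with this password gets exactly the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_user(userid, password, table=USER_TABLE):
    """Store the userid in plaintext and the password as a salted, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    table[userid] = {"salt": salt, "iterations": ITERATIONS, "hash": digest}
    return table[userid]


# A dummy record so that a lookup of an unknown userid costs the same as a
# real one; otherwise response time would reveal which userids exist.
_DUMMY = create_user("__dummy__", os.urandom(16).hex(), table={})


def authenticate(userid, password, table=USER_TABLE):
    """The slide's steps: take userid and password, hash the password with the
    stored salt, retrieve the stored hash, compare (in constant time)."""
    record = table.get(userid, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # hmac.compare_digest does not stop at the first differing byte.
    return userid in table and hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    create_user("alice", "correct horse")
    create_user("bob", "correct horse")
    print("same password, unsalted:", unsalted_hash("correct horse") == unsalted_hash("correct horse"))
    print("same password, salted:  ", USER_TABLE["alice"]["hash"] == USER_TABLE["bob"]["hash"])
    print("alice logs in:", authenticate("alice", "correct horse"))
```

The unsalted comparison is the point of the NT-hash caveat: with identical stored values, one cracked hash exposes every account sharing the password, and a single precomputed table works against all of them; the per-user salt removes both shortcuts.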

  19. Strong Authentication • Traditional userid + password authentication has known weaknesses • Stronger types of authentication available, usually referred to as “strong authentication”

  20. Token: Two Factor Authentication • First factor: what user knows • Second factor: what user has Without the second factor, user cannot log in

  21. Token: Two Factor Authentication

  22. Biometric Authentication • Stronger than userid + password • Stronger than two-factor?

  23. Authentication Issues • Password quality • Consistency of user credentials across multiple environments • Too many userids and passwords • Handling password resets • Dealing with compromised passwords • Staff terminations

  24. Authorization: Degree of Authority • Mandatory Access Controls • Discretionary Access Controls • Role Based Access Controls

  25. Mandatory Access Control (MAC) Security Model • Data classification scheme • Each collection of information is rated with a sensitivity level, and each user with a clearance level • When implemented, users and data owners have limited control over access: the system enforces the policy

  26. Mandatory Access Control (MAC) Security Model • Data classification scheme/model • Data owners classify the information assets • Classifications are reviewed periodically • Security clearance structure • Each user is assigned an authorization (clearance) level • Roles and corresponding security clearances

  27. Discretionary Access Control (DAC) Security Model • The owner of an object controls who and what may access it. • Access is at the owner’s discretion. • Most personal computer operating systems are designed based on the DAC model

  28. Role-based Access Control (RBAC) Security Model • Nondiscretionary controls: access decisions are made by a central authority, not by the object's owner • Role-based controls: permissions are attached to roles and users are assigned to roles • Task-based controls: permissions are attached to the task being performed • Simplifies management in a complex system with many users and objects, since changing a role changes every user who holds it
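An added example (not from the lecture) of what a role-based, nondiscretionary access decision looks like in code. It goes slightly beyond the slide by adding a role hierarchy and a static separation-of-duty constraint, the two features that make RBAC manageable in a large system; the roles, permissions and users are constructed.

```python
from collections import defaultdict


class RBAC:
    """Minimal role-based access control with role inheritance and static
    separation-of-duty (mutually exclusive roles)."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions granted directly
        self.juniors = defaultdict(set)      # senior role -> roles it inherits from
        self.user_roles = defaultdict(set)   # user -> roles assigned directly
        self.exclusive = set()               # frozenset({a, b}): no user may hold both

    def grant(self, role, permission):
        self.role_perms[role].add(permission)

    def inherit(self, senior, junior):
        """senior acquires every permission of junior (transitively)."""
        self.juniors[senior].add(junior)

    def add_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def _closure(self, roles):
        """All roles reachable from `roles` through the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def effective_roles(self, user):
        return self._closure(self.user_roles[user])

    def assign(self, user, role):
        """Assign a role, refusing if the resulting set of effective roles
        (including inherited ones) contains a mutually exclusive pair."""
        after = self._closure(self.user_roles[user] | {role})
        for pair in self.exclusive:
            if pair <= after:
                raise ValueError(f"{user}: roles {sorted(pair)} are mutually exclusive")
        self.user_roles[user].add(role)

    def check(self, user, permission):
        """The access decision. It never consults an object owner, which is
        what makes the control nondiscretionary."""
        return any(permission in self.role_perms[r] for r in self.effective_roles(user))


def build_demo():
    """Constructed example: a small accounts-payable application."""
    ac = RBAC()
    ac.grant("clerk", "invoice:read")
    ac.grant("clerk", "invoice:create")
    ac.grant("approver", "invoice:approve")
    ac.grant("manager", "report:read")
    ac.inherit("manager", "clerk")            # a manager can do everything a clerk can
    ac.add_exclusive("clerk", "approver")     # whoever creates invoices may not approve them
    ac.assign("alice", "manager")
    ac.assign("bob", "approver")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice may create invoices:", ac.check("alice", "invoice:create"))
    try:
        ac.assign("alice", "approver")
    except ValueError as e:
        print("refused:", e)
```

Note that the separation-of-duty check runs against the closure of the hierarchy, not just the directly assigned roles: alice never holds "clerk" directly, but she inherits it through "manager", so giving her "approver" is still refused.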

  29. Access Control Technologies

  30. Testing Access Controls

  31. Testing Access Controls • Access controls are the primary defense that protect assets • Types of tests: • Penetration tests • Application vulnerability tests • Code reviews http://secunia.com/community/

  32. Penetration Testing • Usually begins with automated scans to discover vulnerabilities, followed by manual verification and exploitation of the findings • Example scanning tools: Nessus, Nikto, SAINT, Superscan, Retina, ISS, Microsoft Baseline Security Analyzer

  33. Application Vulnerability Testing • Discover vulnerabilities in an application • Automated tools and manual tools • Example vulnerabilities • Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more

  34. Audit Log Analysis • Regular examination of audit and event logs • Detect unwanted events • Audit log protection
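An added example (not from the lecture) of the "regular examination of audit and event logs" turned into detection logic: a sliding-window count of failed logins per source address, plus a flag when a login succeeds from a source that was just guessing. The log lines are constructed in the OpenSSH syslog format; the host name, addresses and timestamps are made up, and the threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source guessing passwords and then getting in, and
# one source with two unrelated failures a quarter of an hour apart.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 12:00:03 bastion sshd[2011]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jan 10 12:00:04 bastion sshd[2011]: Failed password for root from 203.0.113.5 port 40114 ssh2
Jan 10 12:00:06 bastion sshd[2011]: Failed password for alice from 203.0.113.5 port 40115 ssh2
Jan 10 12:00:07 bastion sshd[2011]: Failed password for alice from 203.0.113.5 port 40116 ssh2
Jan 10 12:00:09 bastion sshd[2011]: Accepted password for alice from 203.0.113.5 port 40117 ssh2
Jan 10 12:05:00 bastion sshd[2040]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jan 10 12:20:00 bastion sshd[2041]: Failed password for bob from 198.51.100.7 port 51001 ssh2
Jan 10 12:21:00 bastion sshd[2042]: Accepted publickey for bob from 198.51.100.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_line(line):
    """Return the fields of one sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for computing differences within one log.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "src": m.group("src")}


def detect_guessing(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside window_s seconds, and any
    later successful login from a flagged source (likely a guessed credential).
    Returns (bursts, suspicious_successes)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    bursts = {}                     # src -> details of the first burst seen
    suspicious = []                 # (src, user, method) of logins after a burst
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold and src not in bursts:
                bursts[src] = {"count": len(q), "first": q[0], "last": ev["ts"]}
        elif src in bursts:
            suspicious.append((src, ev["user"], ev["method"]))
    return bursts, suspicious


if __name__ == "__main__":
    bursts, suspicious = detect_guessing(SAMPLE_LOG)
    for src, b in bursts.items():
        print(f"guessing from {src}: {b['count']} failures between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
    for src, user, method in suspicious:
        print(f"success from flagged source {src} as {user} via {method}: review this account")
```

The second list is the one that matters for "dealing with compromised passwords": a burst of failures is noise until it is followed by an Accepted line from the same source. The slide's "audit log protection" point still applies: this analysis is only as good as the integrity of the lines it reads, so the log should be shipped to a host the attacker cannot write to.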

  35. Access Control Attacks

  36. Access Control Attacks • Intruders will try to defeat, bypass, or trick access controls in order to reach their target • Attack objectives • Guess credentials • Malfunction of access controls • Bypass access controls • Replay known good logins • Trick people into giving up credentials

  37. Buffer Overflow • Cause a malfunction in a way that permits illicit access • Send more data than the application was designed to handle, so that it overwrites adjacent memory • Countermeasures: "safe" coding that checks the length of input data against the size of the buffer (bounds-checked APIs), plus compiler and OS mitigations such as stack canaries, non-executable memory and address space layout randomization

  38. Script Injection • Insertion of scripting- or query-language characters into application input fields • Executed on the server side (e.g. SQL or command injection) • Executed on the client side (cross-site scripting): tricks the user or the browser • Countermeasures: keep input as data rather than code, with parameterized queries on the server and context-aware output encoding in HTML; merely stripping "unsafe" characters from input is easy to bypass
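An added example (not from the lecture) showing both sides of the slide in runnable form: a server-side SQL injection against a string-built query beside its parameterized fix, and a client-side injection that survives the "strip unsafe characters" countermeasure but not proper output encoding. The table, the user names and the payloads are constructed; SQLite is used only because it needs no server.

```python
import html
import sqlite3


def setup_db():
    """Constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- server side: SQL injection ---------------------------------------------

def lookup_role_vulnerable(conn, name):
    """The query is assembled by string formatting, so a quote character in
    `name` ends the literal and the rest becomes SQL."""
    query = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_role_safe(conn, name):
    """Parameterized query: the driver passes `name` as a value, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


# --- client side: cross-site scripting ---------------------------------------

def strip_angle_brackets(value):
    """The slide's countermeasure: remove characters thought to be unsafe."""
    return value.replace("<", "").replace(">", "")


def render_greeting_vulnerable(name):
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name):
    return f"<p>Hello {html.escape(name)}</p>"


def render_input_stripped(name):
    """Attribute context with only < and > stripped: a payload made of quotes
    and an event handler needs neither character."""
    return f'<input name="who" value="{strip_angle_brackets(name)}">'


def render_input_safe(name):
    """html.escape(quote=True) encodes <, >, &, \" and ', which is what a
    double-quoted attribute context requires."""
    return f'<input name="who" value="{html.escape(name, quote=True)}">'


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_role_vulnerable(conn, payload))   # every role
    print("safe:      ", lookup_role_safe(conn, payload))         # nothing
    xss = '" autofocus onfocus="alert(1)'
    print(render_input_stripped(xss))
    print(render_input_safe(xss))
```

The attribute-context payload is the reason the countermeasure has to be output encoding rather than input filtering: which characters are dangerous depends on where the value is written (HTML text, an attribute, a script block, a URL), so the encoding must be chosen at the point of output.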

  39. Data Remanence • Literally: data that remains after it has been "deleted" • Examples • Deleted hard drive files (deletion normally removes only the directory entry, not the data blocks) • Erased files • Discarded / lost media: USB keys, backup tapes, CDs • Countermeasures: improve media physical controls (e.g. post-Wikileaks controls), encrypt data at rest, and sanitize media before disposal (overwriting, degaussing or physical destruction)

  40. Denial of Service (DoS) • Actions that cause a target system to fail or become overloaded, thereby denying service to legitimate users • Distributed Denial of Service (DDoS): the same attack launched from many compromised hosts at once • Countermeasures: input filters, patches, high capacity, rate limiting

  41. Eavesdropping • Interception of data transmissions • Methods (e.g. packet capture on a shared or compromised network segment) • Countermeasures: encryption of data in transit, stronger encryption

  42. Spoofing and Masquerading • Specially crafted network packets that contain a forged address of origin • Countermeasures: router / firewall configuration to drop packets with forged source addresses (ingress and egress filtering); judicious use of e-mail, whose sender address is just as easily forged, for signaling or data transfer http://www.techrepublic.com/blog/security/how-to-spoof-a-mac-address/395

  43. Social Engineering • Tricking people into giving out sensitive information by making them think they are helping someone • Methods • Schemes • Countermeasures: security awareness training

  44. Phishing • Incoming, fraudulent e-mail messages designed to give the appearance of origin from a legitimate institution • Tricks user into providing sensitive data via a forged web site (common) or return e-mail (less common) • Countermeasure: security awareness training

  45. Pharming • Redirection of traffic to a forged website, typically by tampering with DNS answers or the local hosts file • Countermeasures: user awareness training, patches, better controls (e.g. validating resolvers and checking the site's certificate)

  46. Malicious Code • Viruses, worms, Trojan horses, spyware, key logger • Harvest data or cause system malfunction • Countermeasures: anti-virus, anti-spyware, security awareness training

  47. Security Architecture Models

  48. Security Architecture Models • Can help organizations quickly make improvements through adaptation • Can focus on: • computer hardware and software • policies and practices • the confidentiality of information • the integrity of the information Pick one and go with it

  49. Bell-LaPadula Confidentiality Model • A state machine model that helps ensure the confidentiality of an information system • Uses mandatory access controls (MACs), data classification, and security clearances • Two rules: a subject may not read an object classified above its clearance (simple security property, "no read up") and may not write to an object classified below its clearance (*-property, "no write down")

  50. Biba Integrity Model • Provides access controls to ensure that objects or subjects cannot lose integrity as a result of read/write operations • Ensures no information from a subject can be passed on to an object at a higher integrity level ("no write up"), and that a subject may not read an object at a lower integrity level ("no read down") • This prevents contaminating data of higher integrity with data of lower integrity
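An added example (not from the lecture) implementing the read and write rules of both models above over one ordered set of labels, with a reference monitor that mediates single accesses and an exhaustive check of the property each model is meant to guarantee: under Bell-LaPadula a read followed by a write can only move information to an equal or higher classification, and under Biba only to an equal or lower integrity level. The four-level lattice and the label names are constructed; a real system keeps confidentiality and integrity labels separate rather than reusing one list for both.

```python
from itertools import product

# Constructed lattice of totally ordered levels, lowest first.
LEVELS = ("public", "internal", "confidential", "secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a, b):
    """True when level a is at least as high as level b."""
    return RANK[a] >= RANK[b]


# Bell-LaPadula: labels are confidentiality classifications and clearances.
def blp_can_read(clearance, classification):
    return dominates(clearance, classification)      # simple security property: no read up


def blp_can_write(clearance, classification):
    return dominates(classification, clearance)      # *-property: no write down


# Biba: labels are integrity levels of the subject and the object.
def biba_can_read(subject_integrity, object_integrity):
    return dominates(object_integrity, subject_integrity)   # no read down


def biba_can_write(subject_integrity, object_integrity):
    return dominates(subject_integrity, object_integrity)   # no write up


RULES = {
    ("blp", "read"): blp_can_read, ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read, ("biba", "write"): biba_can_write,
}


def reference_monitor(model, op, subject_level, object_level):
    """Mediate one access under `model` ('blp' or 'biba'); `op` is 'read' or 'write'."""
    return RULES[(model, op)](subject_level, object_level)


def flow_allowed(model, subject_level, src_level, dst_level):
    """Could a subject copy data from src to dst by reading one and writing the other?"""
    return (reference_monitor(model, "read", subject_level, src_level)
            and reference_monitor(model, "write", subject_level, dst_level))


def check_flow_invariant(model):
    """Exhaustively test the guarantee of each model over every (subject, src, dst)
    combination. BLP: information flows only upward in classification. Biba:
    information flows only downward in integrity. Returns the violating triples,
    so an empty list means the model's two rules really do enforce the property."""
    violations = []
    for subj, src, dst in product(LEVELS, repeat=3):
        if flow_allowed(model, subj, src, dst):
            holds = dominates(dst, src) if model == "blp" else dominates(src, dst)
            if not holds:
                violations.append((subj, src, dst))
    return violations


if __name__ == "__main__":
    print("BLP: secret process writes public file ->", blp_can_write("secret", "public"))
    print("Biba: public-integrity process writes secret-integrity file ->",
          biba_can_write("public", "secret"))
    print("BLP flow violations:", check_flow_invariant("blp"))
    print("Biba flow violations:", check_flow_invariant("biba"))
```

The exhaustive check is the part worth keeping when the lattice grows or the rules are adjusted: a proposed exception to "no write down" (for example, to let a high-clearance process declassify) shows up immediately as a non-empty violation list, which is the point at which it needs a trusted, audited path rather than a relaxed rule.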
