CISSP CBK #2 Access Control
Access Control This Chapter presents the following material • Identification Methods and technologies • Authentication Methods • DAC, MAC and role based (non-DAC) models • Accountability, monitoring, and auditing • Unauthorized Disclosure of Information • Intrusion Detection Systems • Threats to access control practices and technologies
Access Controls Access controls are security features that control how people can interact with systems and resources. The goal is to protect against unauthorized access.
Access • Access is the flow of information between a subject and an object. • A subject is a person, process or program • An object is a resource (file, printer etc.)
Access Control (157) • Access control should support the CIA triad! • Let’s quickly go over the CIA triad again
Components of Access Control (158) Quick overview; details on each are coming up • Identification – who am I? (userid etc.) • Authentication – prove that I am who I say I am • Authorization – now what am I allowed to access? • Auditing – Big Brother can see what I accessed.
CISSP BUZZWORD • Logical (technical) access controls are used for these 4 items.* • Smart cards, biometrics, passwords, audit systems and SELinux are all examples of logical controls.
Identification (159 & 162) Identifies a user uniquely (hopefully) • SSN, UID, SID, Username • Should uniquely identify a user for accountability (don’t share) • A standard naming scheme should be used • The identifier should not indicate extra information about the user (like position) • DO NOT SHARE (NO group accounts)
Authentication (160) Proving who you say you are, usually by one of these three • Something you know (password) • Something you have (smart card) • Something you are (biometrics) What is wrong with just using one of these methods?
Strong Authentication (161) Strong Authentication is the combination of 2 or more of these (also called multi-factor authentication) and is encouraged! • Strong Authentication provides a higher level of assurance*
Authorization • What does this mean? • What are some types of authorization mechanisms? (ACLs, permissions) • We will go more in depth on this later • Authorization is a preventive “control”* (we will talk about controls later)
Auditing • What is the purpose of auditing? • Auditing is a “detective” control* (we will talk about this later)
Recap • Identification – what is it? • Authentication – how is this different from identification? • Authorization – what does this mean? • Auditing – what’s the point?
Identity Management (162) • Identity management products are used to identify, authenticate and authorize users in an automated way. It’s a broad term. • These products may (or may not) include • User account management • Access controls • Password management • Single Sign On • Permissions
ID Management and the CISSP (164) • Know for the exam that ID management solutions include • Directories • Web Access Management • Password Management • Single Sign On • Account Management • Profile update
Profile updates • What is a profile? (not a Windows profile) • A profile is the collection of data about a user • Email • Home address • Phone • Start date • Certifications • etc.
Profile updates (117) • IdM systems may have centralized tools to manage profiles, or may have “self service” portals where users can update their own info. • Profiles are similar to a ‘digital identity’
Directories (165) • Information about the users and resources • LDAP (based on X.500) • Key concepts are namespaces (like branches of a tree) and DNs (distinguished names). Can anyone explain namespaces and DNs? • A DN is built from a CN plus one or more DCs, and can include OUs • Active Directory (an implementation of LDAP) • Legacy NT (flat directory structure) • Novell Netware (???)
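To make the namespace/DN idea concrete, here is an added example (not from the slides or any directory product) that splits a DN into its RDNs and tests whether it sits inside a namespace, i.e. a branch of the tree; the DNs are constructed for illustration.

```python
"""Parse an LDAP distinguished name (DN) into its relative DNs (RDNs) and
test whether the DN lies inside a namespace (a branch of the directory tree).
All DNs used here are constructed examples."""


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash,
    so a value such as 'Doe\\, Jane' stays in one RDN (RFC 4514 style)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return [(attribute, value), ...], leaf (CN) first, root (DC) last.
    Attribute types are upper-cased so 'cn' and 'CN' compare equal."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _normalized(dn):
    # DN values are compared case-insensitively, as directories usually do
    return [(attr, value.casefold()) for attr, value in parse_dn(dn)]


def in_namespace(dn, base):
    """True when dn is strictly below base: base's RDNs are dn's trailing RDNs.
    A DN is not considered inside its own namespace."""
    d, b = _normalized(dn), _normalized(base)
    return len(d) > len(b) and d[-len(b):] == b
```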
Directories’ Role in ID management • Specialized database optimized for reading and searching operations • Important because all resource info, user attributes, authorization info, roles, policies etc. can be stored in this single place. • Directories allow for centralized management! However, they can be broken up and delegated (trees in a forest).
Meta and Virtual Directories (167) • Meta-directories allow for a centralized directory when user information is in multiple different directories (the meta-directory synchronizes its data against the other databases) • Virtual directories are like meta-dirs, but instead of storing data they just provide links or pointers to the data in the other directory • Advantages and Disadvantages?
Web Access Management (168) • Uses a webserver(s) to deliver resources • Users authenticate to the web server using whatever auth scheme is implemented • Once authenticated, the user requests an object • The web server verifies authorization • If authorized, the web server returns the object • Mainly used for external users/access • Very Web 2.0, you probably see a lot of this nowadays.
Password Management (171) • Allows users to change their passwords • May allow users to retrieve/reset passwords automatically using special information (challenge questions) or processes • Helpdesk-assisted resets/retrievals (same as above, but helpdesk people might ask the questions instead of an automated process) • May handle password synchronization
Single Sign On • Log in one time, and access resources in many places • Not the same as password synchronization • SSO software handles the authorization to multiple systems • What are the security problems with this? • What are the advantages?
Account Management Software • The idea is to centrally manage user accounts rather than manually create/update them on multiple systems • Often includes workflow processes that allow distributed authorization. I.e. a manager can put in a user request or authorize a request, tickets might be generated for a key card system for their locations, permissions might be created for their specific needs, etc. • Automates processes • Can include record keeping/auditing functions • Can ensure all accesses/accounts are cleaned up when users leave.
Federation (I hate this word) (178) • A Federation is multiple computing and/or network providers agreeing upon standards of operation in a collective fashion (self-governing entities that agree on common ground to ease access between them) • A federated identity is an identity and entitlements that can be used across business boundaries (MS Passport, Google Checkout)
Identity Management Overview • Idea is to manage, identify and authorize users in an automated fashion • Know for the exam that ID management solutions include • Directories • Web Access Management • Password Management • Single Sign On • Account Management • Profile update
Who needs ID management (178) • Really everyone! (at least anyone that you will probably deal with) • See table on Page 178
Biometrics (179) • Bio – life, metrics – measure • Biometrics verifies (authenticates) an individual’s identity by analyzing a unique personal attribute (something they ARE) • Requires enrollment before being used* (what is enrollment? Any ideas?) • EXPENSIVE • COMPLEX
Biometrics (179) • Can be based on • Behavior (signature dynamics) – might change over time • Physical attributes (fingerprints, iris, retina scans) • We will talk about the different types of biometrics later • Can give incorrect results • False negative – Type I error* (annoying) • False positive – Type II error* (very bad)
CER (179) • Crossover Error Rate (CER)* is an important metric, stated as a percentage, that represents the point at which the false rejection rate equals the false positive rate. • A lower CER is better/more accurate* (3 is better than 4) • Also called Equal Error Rate • Use CER to compare vendors’ products objectively
Biometrics (180) • Systems can be calibrated; for example, if you adjust the sensitivity to decrease false positives, you will probably INCREASE false negatives. This is where the CER comes in. • Draw diagram on board • Some areas (like the military) are more concerned with one error than the other (ex. would rather deny a valid user than accept an invalid user) • Can you think of any situations for each case?
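The diagram drawn on the board can also be worked numerically. This added example (not from the slides or any vendor) sweeps the match threshold over constructed genuine and impostor scores, shows the Type I / Type II trade-off from the calibration slide, and finds the crossover point from the CER slide.

```python
"""Find a biometric system's crossover error rate (CER / equal error rate):
the threshold where false rejection rate (Type I) equals false acceptance
rate (Type II).  All match scores below are constructed sample data."""

# Constructed similarity scores (0-100): enrolled users matched against
# their own template (genuine) and against someone else's (impostor).
# A higher score means a closer match.
GENUINE = [62, 70, 75, 80, 82, 85, 88, 90, 92, 95]
IMPOSTOR = [20, 30, 40, 45, 55, 60, 65, 72, 78, 84]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) for a given acceptance threshold.
    FRR (Type I, false negative): genuine users scoring below the threshold.
    FAR (Type II, false positive): impostors scoring at or above it."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold and return (threshold, cer) where FRR and FAR
    are closest to equal; the CER is their average at that point."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def calibration_tradeoff(low_threshold, high_threshold):
    """Show the slide's point: raising sensitivity (a higher threshold)
    cuts false positives but raises false negatives, and vice versa."""
    return {
        "lenient": error_rates(low_threshold),
        "strict": error_rates(high_threshold),
    }


if __name__ == "__main__":
    print("CER at threshold", crossover_error_rate())
    print(calibration_tradeoff(60, 85))
```

Comparing two vendors means running the sweep on each vendor's own score data; the one with the lower CER separates genuine users from impostors better.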
Biometric problems? • Expensive • Unwieldy • Intrusive • Can be slow (should not take more than 5-10 seconds)* • Complex (enrollment)
Biometric Types Overview* (182) We will talk in more depth about each in the next couple of slides • Fingerprint • Palm Scan • Hand Geometry • Retina Scan • Iris Scan • Keyboard Dynamics • Voice Print • Facial Scan • Hand Topography
Fingerprint (182) • Measures ridge endings and bifurcations (changes in the qualitative or topological structure) and other details called “minutiae” • The full fingerprint is stored; the scanner just computes specific features and values and sends those for verification against the real fingerprint.
Palm Scan • Creases, ridges, grooves • Can include fingerprints
Hand Geometry • Overall shape of hand • Length and width of fingers • This is significantly different between individuals
Retina Scan • Reads blood vessel patterns on the back of the eye. • Patterns are extremely unique
Iris Scan • Measures colors • Measures rifts • Measures rings • Measures furrows (wrinkles, ruts or grooves) • Most accurate of all biometric systems • The iris remains constant through adulthood • Place the scanner so the sun does NOT shine through the aperture*
Signature Dynamics • Most people sign in the same manner (really???) • Monitors the motions and the pressure while signing (as opposed to a static signature) • Type I (what is Type I again?) error high • Type II (what is Type II again?) error low
Keyboard Dynamics • Measures the speed and motion as you type a given phrase, including the timing differences between characters typed • Believe it or not, this is more effective than a password, as it is hard to repeat someone’s typing style, whereas it’s easy to get someone’s password.
Voice Print • At enrollment, you say several different phrases. • For authentication, the words are jumbled. • Measures speech patterns, inflection and intonation (i.e. pitch and tone)
Facial Scan Geometric measurements of • Bone structure • Nose ridges • Eye width • Chin shape • Forehead size
Hand Topography • Peaks and valleys of the hand along with overall shape and curvature • This is as opposed to the size and width of the fingers (hand geometry) • A camera on the side at an angle snaps a picture • Not unique enough to stand on its own, but can be used with hand geometry to add assurance
Biometrics wrap up We covered a bunch of different biometrics • Understand some are behavioral* based • Voice print • Keyboard dynamics • Can change over time • Some are physically based • Fingerprint • Iris scan
Biometrics wrap up • Fingerprints are probably the most commonly used and cheapest • Iris scanning provides the most “assurance” • Some methods are intrusive • Understand Type I and Type II errors • Be able to define CER; is a lower CER value better or worse?
Passwords (184) What is a password? (someone tell me because I forgot…) • Works on what you KNOW • Simplest form of authentication* • Cheapest form of authentication* • Oldest form of authentication • Most commonly used form of authentication* • WEAKEST form of authentication*
Problems with Passwords (184) • People write down passwords (bad) • People use weak passwords (bad) • People re-use passwords (bad) • If you make passwords too hard to remember, people often write them down • If you make them too easy… they are easily cracked
How to make a good password • Don’t use common words • Don’t use names or birthdates • Use at least 8 characters • Combine numbers, symbols and case • Use a phrase, take attributes of the phrase and transpose characters
Attacks on Passwords (185) • Sniffing (Electronic Monitoring) • Brute force attacks • Dictionary Attacks • Social Engineering (what is social engineering?) • Rainbow tables – a table of precomputed password hashes for easy/quick comparison
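The rules on this slide can be turned into a check that tells a user which rule a candidate password breaks. This is an added example, not from the slides; the common-word and name lists are a tiny constructed sample standing in for a real dictionary.

```python
"""Check a candidate password against the 'How to make a good password'
rules and report every rule it breaks.  Word lists are a constructed sample."""
import re
import string

# Constructed stand-ins for a real dictionary and name list
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}
NAMES = {"alice", "bob", "john", "mary", "smith"}
# Four-digit years 1900-2099 or dd/mm/yy(yy)-style dates
DATE_RE = re.compile(r"(19|20)\d{2}|\d{2}[/-]\d{2}[/-]\d{2,4}")

RULE_LENGTH = "shorter than 8 characters"
RULE_COMMON = "contains a common word"
RULE_NAME = "contains a name"
RULE_DATE = "contains a date or year"
RULE_MIX = "needs numbers, symbols and mixed case (at least 3 of 4 classes)"


def password_problems(pw):
    """Return the list of broken rules; an empty list means the password passes."""
    low = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append(RULE_LENGTH)
    if any(word in low for word in COMMON_WORDS):
        problems.append(RULE_COMMON)
    if any(name in low for name in NAMES):
        problems.append(RULE_NAME)
    if DATE_RE.search(pw):
        problems.append(RULE_DATE)
    classes = [
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
    ]
    if sum(classes) < 3:
        problems.append(RULE_MIX)
    return problems
```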