1. Access Control: the process of limiting or restricting access to information system resources only to authorized users, programs, processes, or other systems.
Access controls can be:
- Physical: guards, cameras, locks, gates
- System: user ID and password
- Data: discretionary or mandatory
2. Information Systems Security is founded on the notion of controlling access between system users and the data within the information system. Access controls are restrictions or privileges to perform actions. For example, the ability to read, write, execute, append, modify, delete and create files and directories.
Access Controls limit access to authorized users only.
3. Access controls can be physical, system, or data.
Physical access to the facility and IS environment:
- Guards, cameras, locks, gates
- Provide an important outer security perimeter.
System access to the IS:
- Identification and authentication is a two-step process for controlling access to a system
- Identification names the person as a valid user (user ID)
- Authentication verifies the claimed identity (password)
- The password is the most basic system access control method.
Data access to the information or data:
- Discretionary access
- Restricts access based on identity and need-to-know
- Profiles, access control lists
- Mandatory access
- More stringent
- Restricts access based on the sensitivity of the information and formal authorization (clearance)
- The system, not the data owner, makes the access decision based on the above
(A user may hold a Top Secret clearance but still not be authorized for SCI)
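The discretionary and mandatory checks described on this slide can be combined in a small reference monitor, which is what an operating system does when both kinds of control are enabled. The block below is an added worked example, not code from the original briefing or from any real system: the level lattice, the SCI compartment, the users, the objects and the ACL entries are all constructed for illustration, and the mandatory rules follow the Bell-LaPadula model (no read up, no write down), which the slides do not name.

```python
"""Toy reference monitor: a discretionary ACL check and a mandatory label check,
both of which must pass. Added example, not code from the original briefing.
Levels, compartments, users and ACL entries below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Ordered sensitivity levels, lowest to highest (constructed lattice).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

READ_OPS = {"read", "execute"}
WRITE_OPS = {"write", "append", "modify", "delete", "create"}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()  # e.g. {"SCI"}: formal authorization beyond the level

    def dominates(self, other: "Label") -> bool:
        """True if this label's level is at least other's AND it holds every
        compartment other requires."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Subject:
    user: str
    clearance: Label


@dataclass
class Obj:
    name: str
    owner: str
    classification: Label
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permitted operations


def dac_permits(subj: Subject, obj: Obj, op: str) -> bool:
    """Discretionary check: the owner may do anything; others need an ACL entry.
    This is the 'identity and need-to-know' decision the data owner controls."""
    if subj.user == obj.owner:
        return True
    return op in obj.acl.get(subj.user, set())


def mac_permits(subj: Subject, obj: Obj, op: str) -> bool:
    """Mandatory check in the Bell-LaPadula style (an assumption; the slides name no model):
    reads require the subject's clearance to dominate the object's label (no read up);
    writes require the object's label to dominate the subject's clearance (no write down).
    The owner cannot override this; the system decides from the labels alone."""
    if op in READ_OPS:
        return subj.clearance.dominates(obj.classification)
    if op in WRITE_OPS:
        return obj.classification.dominates(subj.clearance)
    return False  # unknown operation: deny by default


def access(subj: Subject, obj: Obj, op: str) -> bool:
    """Reference-monitor decision: every applicable control must permit the access."""
    return dac_permits(subj, obj, op) and mac_permits(subj, obj, op)


# Constructed scenario: alice holds Top Secret but has not been read into SCI.
ALICE = Subject("alice", Label("TOP SECRET"))
CAROL = Subject("carol", Label("TOP SECRET", frozenset({"SCI"})))
DAVE = Subject("dave", Label("SECRET"))

OPS_PLAN = Obj("ops-plan.doc", owner="carol",
               classification=Label("TOP SECRET", frozenset({"SCI"})),
               acl={"alice": {"read"}, "dave": {"read"}})   # owner granted read to both
TRAVEL = Obj("travel-policy.txt", owner="dave",
             classification=Label("UNCLASSIFIED"),
             acl={"alice": {"read", "write"}})

if __name__ == "__main__":
    for subj, obj, op in [(ALICE, OPS_PLAN, "read"), (CAROL, OPS_PLAN, "read"),
                          (DAVE, OPS_PLAN, "read"), (ALICE, TRAVEL, "read"),
                          (ALICE, TRAVEL, "write")]:
        print(f"{subj.user:6} {op:5} {obj.name:18} "
              f"DAC={dac_permits(subj, obj, op)!s:5} MAC={mac_permits(subj, obj, op)!s:5} "
              f"-> {'PERMIT' if access(subj, obj, op) else 'DENY'}")
```

alice is denied ops-plan.doc even though carol's ACL grants her read: the discretionary check passes, but the mandatory check fails because her clearance lacks the SCI compartment, which is exactly the slide's "Top Secret but not SCI" case. alice is also denied writing the unclassified travel policy despite holding write on its ACL, because a Top Secret subject writing into an unclassified object would be a write down; real systems soften this by letting a user log on at a session level below their clearance.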
4. Access control mechanisms are designed to detect and prevent unauthorized access and to permit authorized access to information systems.
These mechanisms must be:
- Reliable
- Not rejecting an authorized user (a false reject)
- Not accepting an unauthorized user (a false accept)
- Easy to maintain
- Maintenance should be easy and straightforward
- Minimal effect on throughput
- Must not become an operational bottleneck
5. Access control mechanisms can be any of the listed methods. We will be discussing each of these in detail.
6. There is a wide variety of hardware devices that perform computer-security related functions. Here are some examples of these mechanisms.
Computer systems with removable hard drives require a key to remove the drive. After removal and re-insertion of the drive into the system, the key is also required to activate the drive. No key, no access.
Smart Card: An access card containing encoded information and sometimes a microprocessor and a user interface. This information is used to gain access to a facility or computer system.
Dumb Card: Any type of access card typically used to gain access.
Net Assure Card: Type of network card which can be configured to control access to a system.
Biometric Device: Automated method of authenticating or verifying the identity of an individual based upon a physical or behavioral characteristic. (Fingerprint, hand/palm print, voice print, eye pattern, etc.)
7. Smart card: an access card containing encoded information and sometimes a microprocessor and a user interface. The information on the code, or the information generated by the processor, is used to gain access to a facility or computer system.
Dumb card: any type of access card that is typically used simply to gain entry to a facility (e.g. badges).
8. Emerging Technologies
Computerized Biometrics: How They Work
- Fingerprint Scanners
- Voice Authentication
- Face Recognition
- Iris Scanners
Biometric security is the flashiest technology on the market. No matter which biometric method you use, the underlying process is similar: to enroll a new user, you store an encrypted template file of the user's biometric information on a server or client PC. When the user logs on, a fresh live sample is compared against the stored template. If the live sample matches the template closely enough, access is granted.
9. Fingerprint Recognition
Fingerprint-recognition packages scan your finger from several angles and store the template on a server or local hard disk. These systems tend to be very reliable and are difficult to fool. At $39 for Micros’s True Face Network, they are approaching affordability.
10. Voice Recognition
Voice-authentication products create a voiceprint based on the inflection points of your speech, emphasizing the highs and lows specific to your way of talking. Citadel’s GateKeeper system is unparalleled at granting secure access to sites. The system consists of single-use passwords, random PINs and NT log-in. Coupled with a unique voiceprint taken from a microphone or telephone, this system is not fooled by recordings. But at $50,000 to $150,000 per installation, they are restricted to large networks with big budgets.
11. Face Recognition
Face-recognition software uses a camera attached to your PC to capture and map key identifying features. TrueFace Networks provides inexpensive solutions with a $39 package, but such systems can be fooled with color masks. The most secure systems, such as Visionic’s Face It, also perform a "liveness" test to see how your face moves, so that a photo of you cannot be used. This system runs at $99 and is notable for the reliability of its SQL database.
12. Iris Scan
How does it work?
The random patterns of the iris are the equivalent of a complex "human barcode," created by a tangled meshwork of connective tissue and other visible features. The amount of independent variation in an iris, its stability throughout life, and its resistance to occupational or other intervention represent crucial advantages for automated biometric measurement.
The iris recognition process begins with video-based image acquisition that locates the eye and iris. The boundaries of the pupil and limbus are defined, eyelid occlusion and specular reflection are discounted, and quality of image is determined for processing.
The iris pattern is processed and encoded into an IrisCode™ record, which is stored and used for recognition in any transaction when a live iris is presented for comparison. Eyeglasses and contact lenses are accommodated easily.
13. Characteristics of Iris Scan
ADVANTAGES
- Highly protected, internal organ of the eye
- Externally visible; patterns imaged from a distance
- Iris patterns possess a high degree of randomness
- Changing pupil size confirms natural physiology
- Patterns apparently stable throughout life
- Image analysis and encoding time: 1 second
- Search speed: 100,000 IrisCodes per second
DISADVANTAGES
- Small target (1 cm) to acquire from a distance (1 m)
- Moving target ...within another... on yet another
- Located behind a curved, wet, reflecting surface
- Obscured by eyelashes, lenses, reflections
- Partially occluded by eyelids, often drooping
- Deforms non-elastically as pupil changes size
The iris of each eye is absolutely unique. In the entire human population, no two irises are alike in their mathematical detail, even between identical (monozygotic) twins and triplets.
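Slides 8, 12 and 13 describe the loop every biometric shares: a stored template is compared with a live sample, occluded parts of the iris image are discounted before comparison, and a 1:N search runs the same comparison against every enrolled code. The block below is an added example, not code from the briefing or from any IrisCode vendor. It shows that comparison as a masked Hamming distance over two short bit-string templates (real IrisCodes are far longer and also tolerate rotation), a search over a small gallery, and how the decision threshold trades false rejects against false accepts, the two failure modes slide 4 lists under "reliable". The templates, masks, gallery, threshold value and score lists are all constructed.

```python
"""Masked Hamming-distance matching of bit-string biometric templates, in the
style of IrisCode comparison. Added example; templates, masks, gallery,
threshold and score lists are constructed and not from any real product."""
from typing import Dict, List, Optional, Tuple

Bits = List[int]


def hamming_distance(code_a: Bits, mask_a: Bits, code_b: Bits, mask_b: Bits) -> float:
    """Fraction of disagreeing bits, counted only where BOTH masks mark the bit
    usable (mask 1 = usable, 0 = occluded by eyelid, eyelash or reflection)."""
    if not (len(code_a) == len(mask_a) == len(code_b) == len(mask_b)):
        raise ValueError("template and mask lengths differ")
    valid = [ma & mb for ma, mb in zip(mask_a, mask_b)]
    n_valid = sum(valid)
    if n_valid == 0:
        raise ValueError("no overlapping usable bits; capture should be retried")
    disagree = sum(v & (a ^ b) for a, b, v in zip(code_a, code_b, valid))
    return disagree / n_valid


def is_match(hd: float, threshold: float) -> bool:
    """Accept when the distance is below the operating threshold."""
    return hd < threshold


def identify(live: Bits, live_mask: Bits,
             gallery: Dict[str, Tuple[Bits, Bits]], threshold: float) -> Optional[str]:
    """1:N search: return the enrolled identity with the smallest distance,
    or None if no enrolment falls below the threshold."""
    best_name, best_hd = None, 1.0
    for name, (code, mask) in gallery.items():
        hd = hamming_distance(live, live_mask, code, mask)
        if hd < best_hd:
            best_name, best_hd = name, hd
    return best_name if best_name is not None and is_match(best_hd, threshold) else None


def error_rates(genuine_hds: List[float], impostor_hds: List[float],
                threshold: float) -> Tuple[float, float]:
    """(false reject rate, false accept rate) at a given threshold."""
    frr = sum(not is_match(hd, threshold) for hd in genuine_hds) / len(genuine_hds)
    far = sum(is_match(hd, threshold) for hd in impostor_hds) / len(impostor_hds)
    return frr, far


# --- constructed data -------------------------------------------------------
N = 64
ENROLLED: Bits = [1 if (i * 7 + 3) % 5 < 2 else 0 for i in range(N)]   # alice's stored template
FULL_MASK: Bits = [1] * N
# Live capture of the same eye: 4 bits flipped by sensor noise, first 8 bits hidden by a drooping eyelid.
LIVE: Bits = [b ^ 1 if i % 16 == 0 else b for i, b in enumerate(ENROLLED)]
LIVE_MASK: Bits = [0] * 8 + [1] * (N - 8)
# A different eye, constructed to disagree on every other bit (about 0.5, typical of unrelated irises).
OTHER: Bits = [b ^ 1 if i % 2 == 0 else b for i, b in enumerate(ENROLLED)]

GALLERY = {"alice": (ENROLLED, FULL_MASK), "bob": (OTHER, FULL_MASK)}
THRESHOLD = 0.32

# Constructed distance samples standing in for many genuine and impostor comparisons.
GENUINE_HDS = [0.05, 0.12, 0.21, 0.30, 0.35]
IMPOSTOR_HDS = [0.31, 0.42, 0.47, 0.50, 0.55]


def genuine_hd() -> float:
    return hamming_distance(ENROLLED, FULL_MASK, LIVE, LIVE_MASK)   # 3 flips / 56 usable bits


def impostor_hd() -> float:
    return hamming_distance(ENROLLED, FULL_MASK, OTHER, FULL_MASK)   # 32 / 64


if __name__ == "__main__":
    print(f"genuine HD  = {genuine_hd():.4f}  match={is_match(genuine_hd(), THRESHOLD)}")
    print(f"impostor HD = {impostor_hd():.4f}  match={is_match(impostor_hd(), THRESHOLD)}")
    print(f"identify(live) -> {identify(LIVE, LIVE_MASK, GALLERY, THRESHOLD)}")
    for t in (0.25, 0.32, 0.40):
        frr, far = error_rates(GENUINE_HDS, IMPOSTOR_HDS, t)
        print(f"threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
```

The threshold is the operating point: lowering it from 0.32 to 0.25 removes the false accept at 0.31 but doubles the false rejects. The occluded eyelid bits are simply left out of the count rather than treated as mismatches, which is what "eyelid occlusion and specular reflection are discounted" means in practice, and a capture whose mask leaves no overlap with the enrolment is reported as a failure to acquire rather than silently scored.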
14. Software plays an important role in computer security. As stated earlier, the password is the most basic access control method.
In addition to requiring user id and password, most operating systems have the means to set controls over files and directories. The software can be configured to specify what users have access to read, write, create, modify, etc.
Remote access and time/workstation restrictions can also be controlled through the operating system. This provides the administrator with a means to control who can access the system remotely, and to set limitations as to when a user can log on (time and day) and what workstations the user may log on to.
There are also add-on software packages which can increase the security of the system.
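The remote-access and time/workstation restrictions on this slide amount to a policy check run at every logon. The block below is an added example, not code from the briefing or from any operating system's own logon logic; the two policies (a day shift and an overnight shift, the latter added to show the window that crosses midnight) and the logon attempts are constructed.

```python
"""Logon restriction check: allowed days and hours, permitted workstations,
and whether remote logon is allowed. Added example; policies and attempts
below are constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

WEEKDAYS = frozenset(range(5))   # Monday = 0 .. Friday = 4


@dataclass(frozen=True)
class LogonPolicy:
    allowed_days: FrozenSet[int]
    start_hour: int                          # inclusive, 24-hour clock
    end_hour: int                            # exclusive; if <= start_hour the window crosses midnight
    workstations: Optional[FrozenSet[str]]   # None = any workstation
    remote_allowed: bool

    def in_hours(self, hour: int) -> bool:
        if self.start_hour < self.end_hour:
            return self.start_hour <= hour < self.end_hour
        return hour >= self.start_hour or hour < self.end_hour   # overnight window


def check_logon(policy: LogonPolicy, when: datetime,
                workstation: str, remote: bool) -> Tuple[bool, str]:
    """Return (allowed, reason). Every restriction must pass; the first failure is reported."""
    if when.weekday() not in policy.allowed_days:
        return False, "outside allowed days"
    if not policy.in_hours(when.hour):
        return False, "outside allowed hours"
    if policy.workstations is not None and workstation not in policy.workstations:
        return False, f"workstation {workstation} not permitted"
    if remote and not policy.remote_allowed:
        return False, "remote logon not permitted"
    return True, "ok"


# Constructed policies.
DAY_SHIFT = LogonPolicy(WEEKDAYS, 7, 18, frozenset({"WS-101", "WS-102"}), remote_allowed=False)
NIGHT_SHIFT = LogonPolicy(WEEKDAYS, 22, 6, None, remote_allowed=True)

# Constructed logon attempts (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
ATTEMPTS = [
    (DAY_SHIFT, datetime(2024, 3, 5, 9, 30), "WS-101", False),    # weekday morning, permitted console
    (DAY_SHIFT, datetime(2024, 3, 9, 10, 0), "WS-101", False),    # Saturday
    (DAY_SHIFT, datetime(2024, 3, 5, 22, 15), "WS-101", False),   # after hours
    (DAY_SHIFT, datetime(2024, 3, 5, 9, 30), "WS-999", False),    # unknown workstation
    (DAY_SHIFT, datetime(2024, 3, 5, 9, 30), "WS-101", True),     # remote logon not allowed
    (NIGHT_SHIFT, datetime(2024, 3, 5, 3, 0), "WS-555", True),    # inside the overnight window, remote ok
    (NIGHT_SHIFT, datetime(2024, 3, 5, 12, 0), "WS-555", False),  # midday is outside 22:00-06:00
]


def run_attempts() -> List[Tuple[bool, str]]:
    """Evaluate every constructed attempt against its policy."""
    return [check_logon(p, when, ws, remote) for p, when, ws, remote in ATTEMPTS]


if __name__ == "__main__":
    for (policy, when, ws, remote), (allowed, reason) in zip(ATTEMPTS, run_attempts()):
        print(f"{when:%a %H:%M} {ws:7} remote={remote!s:5} -> "
              f"{'ALLOW' if allowed else 'DENY'} ({reason})")
```

The checks are ordered so the cheapest and most common denial reasons come first. A real implementation would also log every denial together with its reason, since repeated out-of-hours or unknown-workstation attempts are exactly the pattern an administrator wants to see.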
15. Procedural requirements help ensure only designated individuals are granted entry to protected areas, use computers in a particular operating mode, or use classified information in a computer.
Because the password is the basic access control method, it is important to understand and abide by the command’s password procedures. Passwords should be 8 characters or more in length. A password should also be made of random characters and include numbers and special characters. Do not share your password with anyone else. (Current guidance such as NIST SP 800-63B puts more weight on length and on screening against lists of known-compromised passwords than on mandatory character classes, so treat 8 characters as a floor rather than a target.)
All systems/commands require a security plan that outlines what systems and data need to be protected, and how protection will be accomplished. MCB Quantico has an overall contingency plan for handling and recovering from specific adverse conditions and disasters. As a user, you need to identify your critical systems/data for inclusion in this plan. Back up your data!
A fundamental aspect to effective access control is labeling/marking of information and materials. If the information is not marked, how do you know what to protect?
People are one of the weakest links in securing systems. Users need to be made aware of their responsibilities and taught the correct practices. Training supports individual accountability. You can never have enough TRAINING.
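The password rules in slide 15 translate directly into a check that runs when a password is set. The block below is an added example, not code from the briefing or from any command's actual procedure; beyond the slide's rules it also rejects passwords that contain the user ID or appear on a blocklist of common passwords, both additions that current guidance recommends alongside a minimum length. The blocklist is a small constructed stand-in for a real compromised-password list.

```python
"""Password policy check: minimum length, mixed character classes, not the
user ID, not a known-common password. Added example; the blocklist is a
small constructed stand-in for a real breached-password list."""
import string
from typing import List

MIN_LENGTH = 8
# Constructed stand-in for a breached/common-password list (a real list is large).
COMMON_PASSWORDS = frozenset({"password", "password1", "qwerty123", "letmein!1", "welcome1!"})


def check_password(password: str, user_id: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letter")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special character")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one acceptable, three that each fail a different rule.
    for candidate in ("Tr0ub4dor&3", "letmein!1", "JSmith2024!", "abc123"):
        verdict = check_password(candidate, "jsmith")
        print(f"{candidate!r:16} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Returning every violation at once, rather than stopping at the first, lets the user fix the password in one attempt; the comparison against the blocklist and the user ID is case-insensitive because attackers try those variants too.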