CISSP
DOMAIN 1 – Access Control
Lecture 3rd Pg 149-194
June 15th 2013
Decentralized/Distributed Access
Control Techniques
• Define policies, standards and processes for access control
• Implement them to simplify information
• Create an effective control management service
• Streamline with appropriate technologies
• Identity Management
– Consolidates and streamlines the management of
user IDs, authentication, and access across multiple
systems
– Binds users to established policies, processes and privileges
to ensure consistency
• To do that, Identity Management should include:
» Password Management
» Account Management
» Profile Management
» Directory Management
» Single sign-on
Password Management
• Most common authentication technique in use
• Can be compromised over time
• So it has to be changed every 30 – 90 days
– The shorter the interval the better, but more cumbersome to memorize
• When multiple passwords on multiple systems expire at separate
times, users tend to write them down (someone can steal the note and
own the system)
• Users tend to rotate a couple of passwords, hence
making them easier to guess
• Password policies, standards, and complexity need to be
managed consistently
• Lock the system (account) after 3-5 wrong password
attempts
Contd…
• This prevents damage, at the cost of calls to the help desk (users are
notorious for forgetting passwords since they get changed every couple
of months, or after they return from a long vacation)
• It creates help desk jobs but costs the industry money
• A password management system is designed to manage
passwords consistently across the enterprise with a central tool
synchronizing passwords across multiple systems
• Multifactor authentication can be deployed
• Use of self-registration and verification (like the one used by larger
internet sites)
– Asking for a verification code sent to a mobile phone
– Secret question
– Pictures
– Sending email to a trusted email account to change the password
(all these help the help desk not spend much time unlocking accounts)
Account Management
• Got a job = new access control needs to be set up
• Job ended = user account needs to be decommissioned asap
(minimize the time to decommission inactive accounts)
• Web-based access management addresses the issue
(e.g. hotmail)
• Old systems might not interact well with a new single
centralized account directory. Even if one does, it might still
have some limitations
• Account management systems attempt to identify a user
across multiple systems
• Management processes must be performed on each
system
Contd…
• This should include one or more features to ensure a
central, cross-platform security administration capability
– Central facility to manage user access to multiple systems
(ensures consistency, reduces manual entry errors, helps
system admins)
– Workflow system (ensures prompt action such as new/added or
terminated access)
– Automatic replication of data (user records between systems,
ensuring permissions are propagated uniformly between
systems)
– Facility for loading batch changes (big hires/fires and
organizational restructuring are handled efficiently)
– Automatic creation, change/removal of access triggered by
other departments (e.g. HR or the corporate directory): manual
intervention is minimized, thereby greatly reducing the chance of
incorrect access permissions
Contd…
• Obstacles
– Higher cost of full deployment
– Complexity of the account management system
Start small, gain experience and success before full-scale
deployment
• Interface issues can be a big project killer
– A fully automated account management system has to interface
with each system
– It is hard to do because of the numerous applications and directories
– Different interfaces which aren't designed to interface with the ACM
system, esp. with older systems and mainframes
– Dedicated programmers are needed and it is time consuming
Profile Management
• Profile = collection of info associated with a particular identity or group
• In addition to user ID and password, a user profile should include personal
info like name, phone, emergency contact #, etc.
• This info is subject to change over time.
• These changes can be made either administratively or by the user.
• It is helpful to let users enter and manage the data that are
not sensitive and need not be validated
• This increases accuracy and saves the time and cost of implementing changes
Directory Management
• A directory is a comprehensive database designed to centralize
data management
• A typical directory contains a hierarchy of objects storing
info about users, groups, systems, servers, printers
• The directory is stored on one or more servers to ensure
scalability and availability
• Applications access data stored in a directory by
means of a standard directory protocol
Contd…
• Benefit: provides a centralized collection of user
data
– Can be used by many applications to avoid
replication of info and simplify the architecture
• Using a directory it's possible to configure several
applications to share data about users rather
than each system managing its own user and authentication
data
• Limitation
– Integration with legacy systems, mainframes and outdated
servers
Directory Technologies
• Centralized directory service
• Supported by international standards.
• Developed by the International
Telecommunication Union (ITU-T) as a
communication protocol
Types of Directory Technologies
1. X.500
2. Lightweight Directory Access Protocol
3. Active Directory
4. X.400
Contd…
1. X.500
– Developed by ITU-T in the 1980s
– Also known as ISO/IEC 9594
– Facilitates a standard method of developing electronic directories for use over telecom networks
– Originally developed to work with the OSI network communications model
– Currently the TCP/IP protocol can be used
– Info in X.500 is in a hierarchy. The key field in the database is the Distinguished Name (DN)
– The DN provides the full path through the X.500 database
– Also supports the Relative Distinguished Name (RDN), which identifies a specific entry without the full
path component attached
– Contains 4 separate protocols
» Directory Access Protocol (DAP) – primary protocol for accessing information in X.500
» Directory System Protocol (DSP)
» Directory Information Shadowing Protocol (DISP)
» Directory Operational Bindings Management Protocol (DOP)
2. Lightweight Directory Access Protocol
(LDAP)
• X.500 is complex to implement & administer and used OSI
protocols
• Developed in the 1990s, based on X.500 (DAP), uses TCP/IP
port 389 – very simple
• Version 3 of the LDAP protocol supports TLS to encrypt
communication; it can also be used over an SSL connection via TCP
port 636
• Supports DN, RDN
• Operates in a client/server architecture
• Client requests may be connecting to or disconnecting from LDAP,
searching for a directory entry, comparing info, and reading, writing or deleting
directory info

Client --Request--> LDAP Server --Result--> Client
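The DN and RDN structure described above, as an added example (not code from the slides): a small parser that splits a DN into its RDNs, handles RFC 4514 escaped commas, and checks whether an entry lies under a base DN. The sample DNs are constructed.

```python
"""Parse LDAP distinguished names (RFC 4514 string form).

Added illustration of the DN / RDN structure the slides describe; it is not
code from the lecture. The sample DNs below are constructed.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'type=value' into (type, value). Attribute types are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip().lower(), value.strip()


def relative_dn(dn: str) -> Tuple[str, str]:
    """The RDN names the entry itself: the leftmost component in LDAP string form."""
    return parse_rdn(split_dn(dn)[0])


def parent_dn(dn: str) -> str:
    """Everything after the RDN: the path to the entry's parent in the hierarchy."""
    return ",".join(split_dn(dn)[1:])


def is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below base in the directory tree.

    Values are compared exactly here; real servers apply per-attribute
    matching rules (e.g. case-insensitive matching for dc and cn).
    """
    d = [parse_rdn(r) for r in split_dn(dn)]
    b = [parse_rdn(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    user = "cn=Doe\\, Jane,ou=Users,dc=example,dc=com"   # constructed entry
    print(relative_dn(user))                    # ('cn', 'Doe\\, Jane')
    print(parent_dn(user))                      # ou=Users,dc=example,dc=com
    print(is_under(user, "dc=example,dc=com"))  # True
```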
3. Active Directory
• Implementation of the LDAP protocol for Microsoft environments
• With additional plug-ins AD can be used in UNIX, Linux, and mainframe
environments
• Provides central authentication and authorization capabilities for
users and system services at the enterprise-wide level
• AD has the ability to enforce organizational security and configuration policies
• This is the reason why AD is used to enforce user- and system-level
security policies in a uniform and highly auditable manner
• AD uses LDAP for its naming structure, a hierarchical framework to store info.
• AD is organized into forests (collection of all objects and their attributes) and
trees (logical groupings of one or more AD security domains within a forest)
• Domains in AD are identified by their name. Objects in AD are grouped by
organizational units.
Single Sign-On (SSO)
• SSO is also referred to as reduced sign-on or federated ID management
• Sign on to a centralized system so that the user can access multiple
servers/applications without signing on to individual servers
• While opening an application, the SSO credentials of the user are automatically
entered (client software is used to open the appropriate application programs)
• Central repository of user credentials. If a password is changed in an application,
the password in the SSO system must be changed too
• The changed password must be stored in the SSO system to maintain
synchronization among applications
• For SSO solutions, a smart card (secured by a PIN, storing an array of user credentials in
the card's memory) can be used
• The smart card with user credentials, coupled with system software, detects when the
user wants to access an application/server. The server authenticates and asks if the
system should learn the credentials for future use. You can store the credentials on your
smart card. Now you only need to remember the passphrase to unlock the smart card and
unlock the system to gain access
Contd…
Advantages of SSO solutions
• Efficient log-on process: fewer passwords to remember and work with
• No need for multiple passwords: SSO translates into a single set of credentials
for users.
• Users may create stronger passwords: a stronger password or
passphrase can be used
• Standards can be enforced across the entire SSO system: access control
policies and standards can easily be enforced through SSO. Timeouts can be
deployed if the user is away from a running workstation
• Centralized administration
Disadvantages
• Costly devices and software.
• If the centralized SSO system is compromised or fails, all work comes to a
halt at once, causing the company to lose money
• Only one password or passphrase per user: if the password is cracked, a hacker can
do significant damage to data
• SSO passwords are stored in a single database = great fun for a hacker if the
database is not extremely well secured
• SSO is complex and integration is challenging.
Script-Based Single Sign-On
• If the available solutions are not feasible for a company, use
of script-based single sign-on may be possible
• Scripts can manipulate the applications, interacting
with them as if they were the users and injecting
user ID, password and other authentication
interactions into the application on behalf of the user
• Advantage – functionality
• Disadvantage – costly/complex maintenance and
development of such tools
Kerberos
• It guards a network with 3 elements: authentication,
authorization, and auditing
• Essentially a network authentication protocol
• Designed to provide strong authentication for client/server
applications using secret key cryptography
• Effective in open, distributed environments
• It verifies that users are who they claim to be and that the network
services they use are contained within their permissions
• It has 4 basic requirements for access control
– Security: a network eavesdropper cannot obtain the information needed to
impersonate a user
– Reliability: resources must be available (to users) when needed
– Transparency: users should not be aware of the authentication process
and it should be nonintrusive
– Scalability: supports a large number of clients and servers
Kerberos Process
• Based on interaction between 3 systems
– Requesting system (principal), endpoint destination server
(application, information) and Kerberos, or Key
Distribution Center (KDC).
• User workstation/application/service (principal) interacts with
Kerberos.
• Kerberos serves two functions: Authentication Server (AS)
and Ticket Granting Server (TGS)
• Kerberos is based on symmetric encryption and a secret
key shared amongst participants
• The KDC maintains a database of the secret keys of all principals on
the network
Contd…
• While acting as Authentication Server (AS) it authenticates the principal
(user) via a pre-shared secret key
• Once the user is authenticated, Kerberos operates as TGS, providing tickets
• A ticket is a piece of electronic data validated by the TGS to the user to establish
a connection between the network and the user
• The user requests authentication
• The Authentication Server (AS) authenticates using the pre-shared key and sends a ticket
(Ticket Granting Ticket or TGT) and a session key for use with the Ticket Granting
Server (TGS)
• The user gets the ticket and secures the connection with the network; the user also has the right
to request service tickets (STs) on the KDC's network
• TGTs are valid for a certain period of time and the user needs to re-authenticate after
expiration
• Once TGTs are issued, there is no further use of passwords or log-on factors
• Now the user sends an application ticket request, with the TGT, to the TGS, and the TGS (after
validation of the TGT) in return generates a unique session key, with encryption, to be
used between user and application server.
• The KDC packs the data in a Service Ticket (ST) and sends it to the user
• Now the user sends this ST to the application server for access. Once the application server
decrypts the session key it authenticates the user
• Encrypted communication is now established
Contd…
• Kerberos is time sensitive and requires the
Network Time Protocol
• If time is not synchronized it leads to
authentication failure = easy DoS attack
• Once the KDC generates a unique session key, it
is first sent to the client (user) to avoid a DoS
attack against the application server
• If this is not done, the application server could
be overloaded with encrypted session keys
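The AS, TGS and application-server exchanges from the three slides above, as an added toy simulation (not code from the lecture); it also reproduces the clock-skew failure the last slide mentions. Principal names, passwords, lifetimes and the skew limit are assumed values, and a standard-library HMAC construction stands in for real Kerberos encryption.

```python
"""Toy Kerberos AS / TGS / AP exchange using only the standard library.

Added example, not code from the lecture. An HMAC-based stream cipher with an
authentication tag stands in for Kerberos' real ciphers; principal names,
passwords, lifetimes and the skew limit are constructed.
"""
import hashlib
import hmac
import json
import os

SKEW = 300       # seconds of clock difference tolerated (constructed; typical KDC default)
LIFETIME = 600   # ticket lifetime in seconds (constructed)

def derive_key(password: str, principal: str) -> bytes:
    """Long-term keys are derived from passwords: the slides' Achilles' heel."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                    for i in range(n // 32 + 1))

def encrypt(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC: nonce || (json XOR keystream) || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def decrypt(key: bytes, blob: bytes):
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Proves possession of the session key and binds the request to a timestamp."""
    return encrypt(session_key, {"client": client, "ts": now})

def _check(ticket: dict, auth_blob: bytes, now: int) -> None:
    """Shared by TGS and application server: lifetime, name binding, clock skew."""
    if now > ticket["exp"]:
        raise PermissionError("ticket expired: re-authenticate")
    auth = decrypt(bytes.fromhex(ticket["key"]), auth_blob)
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator rejected (name mismatch or clock skew)")

class KDC:
    """Holds every principal's secret key and acts as both AS and TGS."""
    def __init__(self, principals: dict):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)      # the TGS's own key

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: no password crosses the wire; only the right key opens the reply."""
        sk = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "exp": now + LIFETIME})
        return tgt, encrypt(self.keys[client], {"key": sk.hex(), "exp": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, auth_blob: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate the TGT, then issue a service ticket (ST)."""
        t = decrypt(self.keys["krbtgt"], tgt)
        _check(t, auth_blob, now)
        ssk = os.urandom(32)
        st = encrypt(self.keys[service], {"client": t["client"], "key": ssk.hex(), "exp": now + LIFETIME})
        # The service session key goes back to the client under the TGT session key;
        # the application server only ever sees it inside the ST.
        return encrypt(bytes.fromhex(t["key"]), {"key": ssk.hex(), "service": service}), st

def service_accept(service_key: bytes, st: bytes, auth_blob: bytes, now: int) -> str:
    """AP-REQ at the application server: open the ST with its own key, check the authenticator."""
    t = decrypt(service_key, st)
    _check(t, auth_blob, now)
    return t["client"]

def login_and_access(kdc: KDC, client: str, password: str, service: str,
                     client_clock: int, server_clock: int = None) -> str:
    """Full run; returns the principal the service accepted, or raises on failure."""
    server_clock = client_clock if server_clock is None else server_clock
    tgt, rep = kdc.as_exchange(client, server_clock)
    sk = bytes.fromhex(decrypt(derive_key(password, client), rep)["key"])  # wrong password -> ValueError
    rep2, st = kdc.tgs_exchange(tgt, authenticator(sk, client, client_clock), service, server_clock)
    ssk = bytes.fromhex(decrypt(sk, rep2)["key"])
    return service_accept(kdc.keys[service], st, authenticator(ssk, client, client_clock), server_clock)

def try_access(*args) -> str:
    """For demos and tests: the accepted principal, or the failure class name."""
    try:
        return login_and_access(*args)
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "fileserver": "svc-secret"})  # constructed principals
    now = 1_700_000_000
    print(try_access(kdc, "alice", "correct horse battery", "fileserver", now))             # alice
    print(try_access(kdc, "alice", "wrong password", "fileserver", now))                    # ValueError
    print(try_access(kdc, "alice", "correct horse battery", "fileserver", now, now + 900))  # PermissionError
```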
Contd…
• Advantages
– The goal of Kerberos is to ensure private communications between systems over a
network.
– By managing encryption keys, it acts to authenticate principals in communication
based on secret keys, and allows access via session keys
– Elegant solution used on many platforms for a broad authentication process
• Disadvantages
– The KDC should be physically secured and should not allow any non-Kerberos activity
– If Kerberos fails, the whole system halts, so a backup and continuity plan should be made
– Keys (both secret and session) are vulnerable to brute-force attack. If they are long, Kerberos will
be overloaded with encryption key work. The Achilles' heel of Kerberos is that keys are based on
passwords. Traditional password guessing can compromise the system
– Kerberizing ??? Please explain
Secure European System for Applications in
a Multi-Vendor Environment (SESAME)
• Project funded by the European Commission to eliminate the drawbacks of Kerberos
• Primarily due to the need to manage symmetric keys across environments.
The weakness of Kerberos is scalability: the more entities, the more complex
and harder to manage the KDC becomes.
• The other weakness is that privilege info is stored on the server that the user uses;
access info needs to be located on each server as the environment
grows
• SESAME – an extension of Kerberos – overcomes those limitations by offering
sign-on services with distributed access controls across the environment
– Eliminates the need to replicate authorization data across servers
– Uses both symmetric and asymmetric cryptographic techniques for protection of
interchanged data, which alleviates Kerberos's key management issues
Contd…
• Key attributes of SESAME
– Single Sign-On
– Role-based access control
– Use of Privileged Attribute Certificates (PAC),
similar to Kerberos tickets
– Use of the Kerberos V5 protocol to access SESAME
components
– Use of public key cryptography for distribution
of secret keys
Perimeter-Based Web Portal Access
• If LDAP is in place, a user can be identified, authenticated
and authorized on multiple web-based applications using a web
portal tied to Web Access Management (WAM)
• These solutions replace the sign-on process in web
applications by the use of plug-in services
• The user needs to sign on once, then he/she can access multiple
web applications while the plug-in passes the authentication
ticket among applications
• These systems provide effective user management and single
sign-on in a web environment but they cannot support the entire
access control environment.
• WAM has become common
Federated Identity Management
• Single Sign-On is good for one organization
• When two or more companies have to access each other's systems, trust is a big
issue
– E.g. car company and parts dealer
• The solution is to create a Federated Identity Management infrastructure: similar policies, standards and
management of user identities, authentication and authorization
• Once the verification and certification process is completed, the companies trust each other.
• This is an example of the Cross-Certification Trust Model
• If 3 companies have to come into a federation there will be 6 trust relationships (one in each direction
for each pair). The higher the number of companies to be federated, the higher the complexity
(permutations in terms of trust)
• Now suppose several organizations have to be federated but the Cross-Certification Trust Model cannot be
used because of its complexity
• So the Third Party Certification Trust Model, or Bridge Model, was created.
• The third party manages the verification and due diligence process for all participating organizations.
• Each organization trusts the third party and can gain access to the databases of the other organizations
Once In-Unlimited Access (OIUA)
• Some organizations don't need to restrict their users' access to
resources, e.g. public services or website contributors
• Other companies allow their employees to access all the
resources of the company on their intranet without authentication.
• If a user got access to those resources, it is assumed that
the user is authorized: no questions asked
• There are no certificates or tokens passed between the
authentication system and the application.
• Unauthorized users like contractors or support personnel can easily
gain access in an OIUA environment
Logging and Monitoring
• Logging is keeping records of users' activities
• Monitoring is watching what users are doing in the system
• Records of identification, authentication and authorization are useful to understand what is
going on within a system
• Repeated logon attempts, or an authenticated user trying to gain access to
applications they are not privileged for, indicate something is going wrong
• Logging and monitoring help backtrack who is trying/doing malicious activities
• Security logs are important for forensic investigations and for legal purposes
• Attackers try to delete logs so that they won't be caught. It is therefore critical
that the storage and archive systems used to store log data are secured, to preserve the
integrity of the information
• In big organizations, security log data is huge (gigabytes) and it takes a lot of
time and personnel to review that data for malicious activity.
• Event filtering or a Clipping Level should be used
Contd…
• When the threshold of log data is reached, automated tools parse out
the log info.
• Based on abnormal activity (using correlation of logs from multiple
systems), it is possible to determine what exactly the attacker was doing
• Best practices to establish log collection and management
– Control the volume of data: based on available storage, processing
capacity and manpower
– Do not allow rollover of logs: deleting earlier logs saves disk space but
valuable info can be lost. Copying those logs to permanent storage might
be important for forensic investigations
– Evaluate and implement auditing tools to reduce the complex task of log
analysis
– Establish log review and investigative procedures in advance
– Train personnel to review logs
– Protect against unauthorized access and change: copied logs should be
physically secured
Audit Trail Monitoring
• An audit trail is the data collected from various systems' event logging activity, used to
reconstruct events that happened in a system, for legal purposes
• The record of activities can be investigated to check whether network devices and systems are
operating within expected parameters
• Event logging can be done on any system
• It helps gain awareness of the system and infrastructure
• An audit trail alerts on suspicious activity for further investigation.
• E.g. an administrator can see somebody logging into a mission-critical system after work
hours. The admin can look at the logs and determine if it was legitimate or expected. Other logs
can be checked to see if that user is performing questionable actions
• It provides details of intruder activity. A hacker leaves traces behind while
hopping between systems/applications. This helps to reconstruct the path, to learn
what type of tools may have been used, etc.
• Finally, all these records can be used for legal action
Audit Event Types
Based on information security and access
control, there are 5 key audit event types
1. Network Events
2. System Events
3. Application Events
4. User Actions
5. Keystroke Activity
1. Network Events
• Can play a critical role during an attack
• Devices supporting communications can provide info
• Network layer info is helpful in isolating threat activity
(e.g. worm or DoS attack)
• Helpful in detecting if a user is using software or services
not permitted by policy (e.g. instant messenger, peer-to-
peer applications)
• Network logs show source and destination addresses of
traffic, what application the traffic belonged to, and whether the packets
were allowed or blocked
• How much traffic was received over a period of time
2. System Events
• Part of the audit trail which provides system activity info
• Reports if files are modified, deleted or added
• Shows if software is installed or removed, or a privilege
was changed
• If there is a worm or virus in the system, the system will show
unexpected activities
• Also shows if there is a strong change in management
activities (both legit and hack)
3. Application Events
• Broad range of possibilities for monitoring activity
• Dependent on the specific services of the application
• E.g. an attack on a web server can be evaluated from the
manipulation of URLs seen in the web server logs
• The objective of auditing an application is to isolate key
functions to at least gain an initial perspective of
application activity.
• The reviewer should know the possible problems that
can be seen in the logs while analyzing them
• If the application was made by the organization, security-
oriented logs should be incorporated
4. User Actions
• It helps understand the behavior and activity of a
user
• Info on log-on and log-out times, use
of privileged access, applications
executed and data files accessed are the
basics of user monitoring
5. Keystroke Activity
• Logging keystrokes shows what the user is typing
• Controversial because it can invade privacy (even if the
company allows it)
• E.g. sending an inappropriate message to a coworker can
be the basis for firing a strong staff member
• A lot of info can be found in command history files
found on some operating systems
• E.g. on UNIX systems, the $HOME directory can have files with names
like .history, .sh_history, .bash_history
Intrusion Detection and Prevention
• An IDS alerts the administrator to attacks in real time but doesn't take any action
• Considered an audit/network monitoring technology
• It can be implemented as part of a router, firewall, or NIDS (Network IDS).
• If used on a host to monitor activity, it is called a Host IDS (HIDS)
• An IPS (Intrusion Prevention System) can detect threats and act proactively. It
blocks unauthorized activity of hackers as well as users trying to perform
non-privileged actions
• IPS is gaining popularity lately
• An IDS needs to be tuned to the normal traffic of the organization
• If it is not tuned it becomes a noisy box, or sits quietly and cannot distinguish
between a real attack and an application the organization has made.
Network Intrusion Detection System
Architecture (NIDS/IDS)
• A NIDS works passively, in promiscuous mode
• It monitors every packet passing in/out of the network
• Can be attached to a firewall, switch or router
• The NIDS should be able to handle traffic throughput equivalent to (or greater
than) the combined traffic load.
• Throughput = sum of all data flying by on the network
• E.g. if a 100 MB, 10-port switch is used, we need at least a 1 GB IDS to handle the traffic
load. If the capacity of the IDS is smaller than 1 GB then data packets will be lost
• If the session data is encrypted the IDS fails
• Many tools are available which nowadays break session encryption and
re-establish it.
• If the IDS detects an unwanted communication stream, it can attempt to terminate the
connection by blocking packets from the source of the traffic, or use features of the TCP
protocol and inject packets into the network forcing the remote system to cancel the
communication
Host-Based Intrusion Detection
System (HIDS)
• Implementation of IDS at the host level is HIDS
• Processes are limited to host boundaries
• Advantage: effectively detects objectionable activities on the host
system it runs on
• Offers access to system logs, processes, system info, device info
• Virtually eliminates the limits associated with encryption
• The level of visibility into packets is higher
• Multi-host IDS allows systems to share policy info and real-time attack data,
making it easier to establish a defensive posture
• It is invasive to the operating system and uses a lot of CPU and memory to
function during an attack, thereby causing diminished performance of
laptops and workstations
• However, new servers eliminate these issues
IDS Analysis Engine Methods
• Based on their strengths and weaknesses different
methods can be used. Two basic methods are
– Pattern Matching (Signature Analysis)
• Based on characteristics of the attack (a specific packet sequence or
text in the data stream)
• E.g. when attackers attack the system they send specific
packets which the IDS compares with its database. The IDS has
thousands of signature patterns and needs to be updated
quite often to get new database patterns
• If a sequence is matched then it alerts
• If there is a new attack or slight changes in the packets, the
signature can cause the IDS to miss the attack
– Anomaly Detection
Anomaly Detection
• Uses behavioral characteristics of the system's operation or network
traffic to draw conclusions. Anomalies include:
– Multiple failed log-on attempts
– Users logged on at off hours
– Unexplained changes in the system clock
– Unusual error messages
– Unexplained system shutdowns and restarts
– Attempts to access restricted files
• Reports false positives, as expected with behavioral change
• They aren't dependent on specific pattern/signature-based
systems
• Info from an anomaly can be used to create a pattern for signature-
based detection of the attack
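Detection logic for the clipping level and cross-system log correlation described under Logging and Monitoring, and for three of the anomalies listed above, as an added example run over constructed log lines (not code from the lecture); the record layout, hostnames, user names, thresholds and restricted path are assumptions.

```python
"""Clipping-level and anomaly checks over constructed audit log lines.

Added example, not from the lecture: it parses syslog-style records from two
hosts and flags the anomalies the slides list. The record layout, hostnames,
user names, thresholds and restricted paths are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2013-06-15T02:10:04 fs01 auth user=bob result=FAIL src=10.0.0.7
2013-06-15T02:10:09 fs01 auth user=bob result=FAIL src=10.0.0.7
2013-06-15T02:10:15 db01 auth user=bob result=FAIL src=10.0.0.7
2013-06-15T02:10:21 db01 auth user=bob result=FAIL src=10.0.0.7
2013-06-15T02:10:40 db01 auth user=bob result=OK src=10.0.0.7
2013-06-15T02:11:02 db01 file user=bob path=/finance/payroll.db action=READ result=DENIED
2013-06-15T09:02:11 fs01 auth user=alice result=OK src=10.0.0.12
2013-06-15T09:03:45 fs01 auth user=carol result=FAIL src=10.0.0.30
2013-06-15T10:15:00 fs01 auth user=carol result=OK src=10.0.0.30
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
CLIPPING_LEVEL = 3             # failures per user, across all hosts, before an alert is raised
WINDOW = timedelta(minutes=5)  # failures older than this no longer count toward the level
WORK_HOURS = range(8, 19)      # 08:00-18:59 is normal; anything else is off hours
RESTRICTED = {"/finance/payroll.db"}


def parse(log: str) -> list:
    """Turn each line into a dict: ts, host, kind plus the key=value fields."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines rather than abort the review
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def failed_logon_bursts(events: list) -> list:
    """Correlate failures per user across hosts; alert when CLIPPING_LEVEL is hit inside WINDOW.

    Alerts once per burst (at the exact failure that reaches the level), so a
    long guessing run does not flood the reviewer with one alert per attempt.
    """
    recent = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "auth" or e.get("result") != "FAIL":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        q[:] = [t for t in q if e["ts"] - t <= WINDOW]   # slide the window forward
        if len(q) == CLIPPING_LEVEL:
            alerts.append((e["user"], e["ts"]))
    return alerts


def off_hours_logons(events: list) -> list:
    """Successful logons outside WORK_HOURS: the slides' 'user logged on off hours'."""
    return [(e["user"], e["host"], e["ts"]) for e in events
            if e["kind"] == "auth" and e.get("result") == "OK" and e["ts"].hour not in WORK_HOURS]


def restricted_access(events: list) -> list:
    """Any touch of a restricted file, denied or not, is worth a look."""
    return [(e["user"], e["host"], e["path"], e.get("result")) for e in events
            if e["kind"] == "file" and e.get("path") in RESTRICTED]


def review(log: str) -> dict:
    """Run all three checks; the reviewer reads this summary instead of every line."""
    events = parse(log)
    return {"bursts": failed_logon_bursts(events),
            "off_hours": off_hours_logons(events),
            "restricted": restricted_access(events)}


if __name__ == "__main__":
    for name, hits in review(LOG).items():
        print(name, hits)
```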
Stateful Matching Intrusion
Detection
• Scans for attack signatures in the context of the traffic or overall behavior
• An intruder may send a volley of valid packets to the targeted system
• Matching a pattern is virtually impossible as they are valid
• But why such a huge volume of valid packets?
• To evade detection, the attacker sends packets from multiple locations with long
wait periods between each transmission to confuse the detection system or
exhaust the session timing window.
• If the IDS is tuned over a long period of time, it can detect the attack
• Stateful Matching IDS also uses signatures, so it has to be updated often
Statistical Anomaly-Based Intrusion
Detection
• Analyzes event data by comparing it to
normal/typical/predicted profiles
• Why is the data skewed at a particular time?
• Very effective; a high-level characteristic of IPS
• Defining normal is a difficult task, if not impossible, in
a complex environment
• Prone to false positives
• Has the potential to detect previously unknown attacks
• Using signature-based together with statistical anomaly-
based IDS is very effective for detecting attacks
Protocol Anomaly-Based Detection
• Catches when a protocol deviates
from expected behavior
• E.g. if packets in an HTTP session deviate from the
HTTP protocol standard, the IDS
thinks it is malicious behavior
• Useful for HTTP, FTP, or telnet
Traffic Anomaly-Based Intrusion
Detection
• Based on traffic or packets
• Again, defining normal is difficult
Intrusion Response
• Upon suspicious activity, an IDS or IPS, if permitted to and configured
accordingly, interacts with systems to restrict or block traffic
• Early versions of IDS interacted with the firewall and allowed the firewall to
implement specific rules against the subject in question.
• Still used today. The proposed rule should not conflict with normal
business operations.
• Firewalls might have a lot of rules and the new rule can have a
negative impact on normal mission-critical communications.
• The firewall shares rules with other firewalls, therefore the attacker will be
blocked without affecting the system processes
Alarms and Signals
• A core capability of an IDS is to produce alarms and signals that
work to notify people and systems of adverse events.
• Fundamental components of the alarm capability
1. Sensor: a mechanism that identifies an event or attack and
informs an admin. Tuning sensors is important
2. Control and Communication: the mechanism for handling alerts, e.g.
email, text, instant message, pager, voice message, etc.
3. Enunciator:
IDS Management
• Employ a technically knowledgeable person
to select, install, configure, operate and
maintain the IDS
• Update the system regularly with new
attack signatures and behavioral profiles
• An IDS may itself be vulnerable to attacks, so protect
it accordingly
• Intruders might try to disable the IDS with false
info or by overloading the system

 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 

Viewers also liked (17)

CISSP Week 16
CISSP Week 16CISSP Week 16
CISSP Week 16
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13
 
CISSP Week 20
CISSP Week 20CISSP Week 20
CISSP Week 20
 
CISSP Week 7
CISSP Week 7CISSP Week 7
CISSP Week 7
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6
 
CISSP Proposal
CISSP ProposalCISSP Proposal
CISSP Proposal
 
CISSP Week 5
CISSP Week 5CISSP Week 5
CISSP Week 5
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26
 
Cissp Week 23
Cissp Week 23Cissp Week 23
Cissp Week 23
 
CISSP Week 18
CISSP Week 18CISSP Week 18
CISSP Week 18
 
Cissp Week 24
Cissp Week 24Cissp Week 24
Cissp Week 24
 
CISSP week 25
CISSP week 25CISSP week 25
CISSP week 25
 
CISSP Week 21
CISSP Week 21CISSP Week 21
CISSP Week 21
 
Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2
 
Access Control - Week 4
Access Control - Week 4Access Control - Week 4
Access Control - Week 4
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
SlideShare 101
SlideShare 101SlideShare 101
SlideShare 101
 

Similar to access-control-week-3

Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxSakshiGawde6
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesHitachi ID Systems, Inc.
 
Authentication Authorization-Lesson-2-Slides.ppt
Authentication Authorization-Lesson-2-Slides.pptAuthentication Authorization-Lesson-2-Slides.ppt
Authentication Authorization-Lesson-2-Slides.pptMuhammadAbdullah311866
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
4 Module - Operating Systems Configuration and Use by Mark John Lado
4 Module - Operating Systems Configuration and Use by Mark John Lado4 Module - Operating Systems Configuration and Use by Mark John Lado
4 Module - Operating Systems Configuration and Use by Mark John LadoMark John Lado, MIT
 
Fastman Bulk Data Manager (Business View)
Fastman Bulk Data Manager (Business View)Fastman Bulk Data Manager (Business View)
Fastman Bulk Data Manager (Business View)Fastman
 
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!Richard Robinson
 
Security concerns in web erp
Security concerns in web erpSecurity concerns in web erp
Security concerns in web erpManoj Jhawar
 
What is Database Management System
What is Database Management SystemWhat is Database Management System
What is Database Management SystemAbhiPatel171
 
Information Security
Information SecurityInformation Security
Information Securitysonykhan3
 
Asug84339 how to secure privacy data in a hybrid s4 hana landscape
Asug84339   how to secure privacy data in a hybrid s4 hana landscapeAsug84339   how to secure privacy data in a hybrid s4 hana landscape
Asug84339 how to secure privacy data in a hybrid s4 hana landscapeDharma Atluri
 

Similar to access-control-week-3 (20)

Chapter02-rev.pptx
Chapter02-rev.pptxChapter02-rev.pptx
Chapter02-rev.pptx
 
Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptx
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 
Authentication Authorization-Lesson-2-Slides.ppt
Authentication Authorization-Lesson-2-Slides.pptAuthentication Authorization-Lesson-2-Slides.ppt
Authentication Authorization-Lesson-2-Slides.ppt
 
Operating system security
Operating system securityOperating system security
Operating system security
 
HMSC_AD Event V3
HMSC_AD Event V3HMSC_AD Event V3
HMSC_AD Event V3
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Operating System-adi.pdf
Operating System-adi.pdfOperating System-adi.pdf
Operating System-adi.pdf
 
4 Module - Operating Systems Configuration and Use by Mark John Lado
4 Module - Operating Systems Configuration and Use by Mark John Lado4 Module - Operating Systems Configuration and Use by Mark John Lado
4 Module - Operating Systems Configuration and Use by Mark John Lado
 
Fastman Bulk Data Manager (Business View)
Fastman Bulk Data Manager (Business View)Fastman Bulk Data Manager (Business View)
Fastman Bulk Data Manager (Business View)
 
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
 
Security concerns in web erp
Security concerns in web erpSecurity concerns in web erp
Security concerns in web erp
 
DBMS.pptx
DBMS.pptxDBMS.pptx
DBMS.pptx
 
dbms.ppt
dbms.pptdbms.ppt
dbms.ppt
 
dbms.ppt
dbms.pptdbms.ppt
dbms.ppt
 
What is Database Management System
What is Database Management SystemWhat is Database Management System
What is Database Management System
 
ISBB_Chapter6.pptx
ISBB_Chapter6.pptxISBB_Chapter6.pptx
ISBB_Chapter6.pptx
 
Information Security
Information SecurityInformation Security
Information Security
 
OCSP.pptx
OCSP.pptxOCSP.pptx
OCSP.pptx
 
Asug84339 how to secure privacy data in a hybrid s4 hana landscape
Asug84339   how to secure privacy data in a hybrid s4 hana landscapeAsug84339   how to secure privacy data in a hybrid s4 hana landscape
Asug84339 how to secure privacy data in a hybrid s4 hana landscape
 

Recently uploaded

Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfChristalin Nelson
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesVijayaLaxmi84
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxAneriPatwari
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Celine George
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD  GAS ANALYSIS........pptxARTERIAL BLOOD  GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxAneriPatwari
 

Recently uploaded (20)

Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdf
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their uses
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptx
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD  GAS ANALYSIS........pptxARTERIAL BLOOD  GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptx
 

access-control-week-3

1. CISSP DOMAIN 1 – Access Control
Lecture 3rd, Pg 149-194
June 15th 2013
2. Decentralized/Distributed Access Control Techniques
Defined policies, standards and processes of AC
Implemented to simplify information
Create an effective control management service
Streamline appropriate technologies
3. Identity Management
• Consolidates and streamlines the management of user IDs, authentication, and access across multiple systems
• Binds users to established policies, processes and privileges to ensure consistency
• For that, Identity Management should include:
» Password Management
» Account Management
» Profile Management
» Directory Management
» Single Sign-On
4. Password Management
• Most common authentication technology in use
• Can be compromised over time
• So it has to be changed every 30 – 90 days
– The shorter the better, but cumbersome to memorize
• With multiple passwords on multiple systems that expire at separate times, users tend to write them down (someone can steal the note and own the system)
• Users tend to rotate a couple of passwords, hence making them easier to guess
• Password policies, standards, and complexity need to be managed consistently
• Lock the account after 3-5 wrong password attempts
5. Contd…
• This prevents damage, at the cost of calls to the help desk (users are notorious for forgetting passwords, since they get changed every couple of months or users return from long vacations)
• It creates help desk jobs but costs the industry money
• A password management system is designed to manage passwords consistently across the enterprise by a central tool synchronizing passwords across multiple systems
• Multifactor authentication can be deployed
• Use of self-registration and verification (like the ones used by larger internet sites):
– Sending a verification code to the user's mobile
– Secret questions
– Pictures
– Sending an email to a trusted email account to change the password
(all these help the help desk not to spend much time on unlocking accounts)
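Added example (not from the slides): a small Python password store that enforces the rules of slides 4 and 5 in one central place: lockout after repeated wrong attempts, a maximum password age, and a password history so users cannot rotate between a couple of old passwords. The threshold (5 attempts), age (90 days), history depth and the fixed demo clock are assumptions picked from the ranges above; the help-desk unlock is the manual step the slide describes.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values chosen from the ranges on the slides (assumptions, not a standard):
LOCKOUT_THRESHOLD = 5                 # wrong attempts before the account locks
MAX_PASSWORD_AGE = timedelta(days=90)
HISTORY_DEPTH = 5                     # how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000
DEMO_START = datetime(2013, 6, 15)    # fixed clock for the demo (constructed)


def demo_clock(days: int) -> datetime:
    """Return the demo time `days` after DEMO_START."""
    return DEMO_START + timedelta(days=days)


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen store is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password: str, now: datetime):
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.changed_at = now
        self.failed_attempts = 0
        self.locked = False
        self.history = []             # (salt, digest) pairs of previous passwords


class PasswordStore:
    """Central password store: one place to enforce lockout, expiry and history."""

    def __init__(self):
        self.accounts = {}

    def register(self, user: str, password: str, now: datetime) -> None:
        self.accounts[user] = Account(password, now)

    def authenticate(self, user: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "unknown_user"
        if acct.locked:
            return "locked"                # stays locked until the help desk unlocks it
        if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True
                return "locked"
            return "bad_password"
        acct.failed_attempts = 0           # a good login resets the counter
        if now - acct.changed_at > MAX_PASSWORD_AGE:
            return "expired"               # correct, but the 30-90 day rotation is due
        return "ok"

    def change_password(self, user: str, old: str, new: str, now: datetime) -> str:
        acct = self.accounts[user]
        if not hmac.compare_digest(_digest(old, acct.salt), acct.digest):
            return "bad_password"
        # Refuse the current password and anything in the history window,
        # which blocks the "rotate between a couple of passwords" habit.
        for salt, digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(_digest(new, salt), digest):
                return "reused"
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
        acct.salt = os.urandom(16)
        acct.digest = _digest(new, acct.salt)
        acct.changed_at = now
        acct.failed_attempts = 0
        return "changed"

    def helpdesk_unlock(self, user: str) -> None:
        """The help-desk call the slides mention: clear the lock and the counter."""
        acct = self.accounts[user]
        acct.locked = False
        acct.failed_attempts = 0
```

The return values are deliberately distinct so a caller can log "locked" and "expired" separately from a plain wrong password; the log reviewer that a later slide calls for needs that distinction.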
6. Account Management
• Got a job = new access control
• Job ended = the user account needs to be decommissioned ASAP (minimize the time to decommission inactive accounts)
• Web-based access management addresses the issue (e.g. Hotmail)
• Old systems might not interact well with a new single centralized account directory; even if they do, there may still be limitations
• Account Management systems attempt to identify a user across multiple systems
• Management processes must be performed on each system
7. Contd…
• This should include one or more features to ensure a central, cross-platform security administration capability:
– Central facility to manage user access to multiple systems (ensures consistency, reduces manual entry errors, helps system admins)
– Workflow system (ensures prompt action, e.g. on new/added or terminated access)
– Automatic replication of data (user records between systems, ensuring permissions are propagated uniformly between systems)
– Facility for loading batch changes (big hires/fires and organizational restructuring become efficient)
– Automatic creation, change or removal of access triggered by other departments (e.g. HR or the corporate directory), so manual work is minimized and the chance of incorrect access permissions is greatly reduced
8. Contd…
• Obstacles
– Higher cost of full deployment
– Complexity of the account management system
Start small, gain experience and success before full-scale deployment
• Interface issues can be a big project killer
– A fully automated account management system has to interface with every system
– It's hard to do because of the numerous applications and directories
– Different interfaces which aren't designed to interface with the ACM, esp. on older systems and mainframes
– Dedicated programmers are needed and it's time consuming
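Added example, not from the slides: an HR-driven reconciliation in Python of the kind a central account-management tool (slides 6-8) runs. The roster, role entitlements and per-system account lists are constructed sample data; the function produces the create/disable actions for joiners, leavers and movers, and flags long-inactive accounts for review (the 90-day inactivity limit is an assumption).

```python
from datetime import date, timedelta

# Constructed sample data (not from the slides): an HR feed, the entitlements each
# role should have, and the accounts that actually exist on three systems.
HR_ROSTER = {                        # employee id -> (HR status, role)
    "e100": ("active", "engineer"),
    "e101": ("active", "finance"),
    "e102": ("terminated", "engineer"),
}
ROLE_ENTITLEMENTS = {                # role -> systems an active holder should have
    "engineer": {"email", "git"},
    "finance": {"email", "erp"},
}
SYSTEM_ACCOUNTS = {                  # system -> {employee id: last login}
    "email": {"e100": date(2013, 6, 10), "e101": date(2013, 2, 1),
              "e102": date(2013, 5, 1), "e999": date(2013, 1, 1)},
    "git":   {"e100": date(2013, 6, 14)},
    "erp":   {"e102": date(2013, 4, 2)},
}
INACTIVITY_LIMIT = timedelta(days=90)   # assumption: flag accounts unused this long


def reconcile(roster, entitlements, systems, today):
    """Compare every system's accounts against the HR roster and return the
    provisioning actions a central account-management tool would carry out.
    Each action is (verb, system, employee id, reason)."""
    actions = []
    for system, accounts in systems.items():
        for emp, last_login in accounts.items():
            status, role = roster.get(emp, ("unknown", None))
            if status != "active":
                # Leaver or orphan account: the slides' "decommission ASAP" case
                actions.append(("disable", system, emp, f"hr status {status}"))
            elif system not in entitlements.get(role, set()):
                # Mover: the role no longer justifies this access
                actions.append(("disable", system, emp, f"not entitled as {role}"))
            elif today - last_login > INACTIVITY_LIMIT:
                actions.append(("review", system, emp, "inactive account"))
    for emp, (status, role) in roster.items():
        if status != "active":
            continue
        for system in entitlements.get(role, set()):
            if emp not in systems.get(system, {}):
                # Joiner or mover: create the access the role requires
                actions.append(("create", system, emp, f"required for {role}"))
    return sorted(actions)


def pending_actions(roster=HR_ROSTER, today=date(2013, 6, 15)):
    """Run the reconciliation against the sample systems as of `today`."""
    return reconcile(roster, ROLE_ENTITLEMENTS, SYSTEM_ACCOUNTS, today)


if __name__ == "__main__":
    for verb, system, emp, reason in pending_actions():
        print(f"{verb:8} {system:6} {emp:5} ({reason})")
```

The batch nature of this is the point: one HR feed drives every system, so a termination is never forgotten on the one mainframe nobody remembered to update by hand. The interface work the slide warns about is hidden in the `SYSTEM_ACCOUNTS` dictionary; in practice each entry is a connector to a different directory.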
9. Profile Management
• Profile = collection of info associated with a particular identity or group
• In addition to user ID and password, a user profile should include personal info like name, phone, emergency #, etc.
• This info is subject to change over time
• These changes can be made either administratively or by the user
• It is helpful for users to enter and manage those data which are not sensitive and needn't be validated
• This increases accuracy and saves the time and cost of implementing changes
10. Directory Management
• Is a comprehensive database designed to centralize data management
• A typical directory contains a hierarchy of objects storing info about users, groups, systems, servers, printers
• The directory is stored on one or more servers to ensure scalability and availability
• Applications access data stored in a directory by means of a standard directory protocol
11. Contd…
• Benefit: provides a centralized collection of user data
– Can be used by many applications to avoid replication of info and simplify the architecture
• Using a directory, it's possible to configure several applications to share data about users rather than each system managing users, authentication and data separately
• Limitation
– Integration with legacy systems, mainframes and outdated servers
12. Directory Technologies
• Centralized directory service
• Supported by international standards
• Developed by the International Telecommunication Union (ITU-T) for the communication protocol
Types of Directory Technologies
1. X.500
2. Lightweight Directory Access Protocol
3. Active Directory
4. X.400
13. Contd…
1. X.500
– Developed by ITU-T in the 1980s
– Also known as ISO/IEC 9594
– Facilitates a standard method of developing electronic directories for use over telecom networks
– Originally developed to work with the OSI network communications model
– Currently the TCP/IP protocol can be used
– Info in X.500 is in a hierarchy; the key field in the database is the Distinguished Name (DN)
– The DN provides the full path through the X.500 database
– Also supports the Relative Distinguished Name (RDN), which identifies a specific entry without the full path component attached
– Contains 4 separate protocols:
» Directory Access Protocol (DAP) – the primary protocol for accessing information in X.500
» Directory System Protocol (DSP)
» Directory Information Shadowing Protocol (DISP)
» Directory Operational Bindings Management Protocol (DOP)
14. 2. Lightweight Directory Access Protocol (LDAP)
• X.500 is complex to implement and administer, and used OSI protocols
• LDAP was developed in the 1990s, based on X.500 (DAP), and uses TCP/IP port 389 – very simple
• Version 3 of the LDAP protocol supports TLS to encrypt communication; it can also be used over an SSL connection via TCP port 636
• Supports DN, RDN
• Operates in a client/server architecture
• Client requests may be: connecting to or disconnecting from LDAP, searching for a directory entry, comparing info, reading, writing or deleting directory info
[Figure: the Client sends a Request to the LDAP Server, which returns the Result]
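Added example, not from the slides or from any LDAP implementation: an in-memory directory in Python that shows how a DN on slides 13-14 is a path of RDNs through the hierarchy and how an LDAP-style search is scoped to a base entry. DN escaping per RFC 4514 is deliberately not handled, the sample tree is constructed, and a real server would of course speak the protocol over port 389/636 rather than expose Python methods.

```python
def parse_dn(dn: str) -> tuple:
    """Split a DN into its RDNs, leaf first:
    'cn=alice,ou=people,dc=example,dc=com' ->
    (('cn','alice'), ('ou','people'), ('dc','example'), ('dc','com')).
    Attribute types are case-insensitive, so they are lower-cased.
    Assumption: no escaped commas or multi-valued RDNs (RFC 4514 escaping
    is not handled by this toy parser)."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return tuple(rdns)


def format_dn(rdns) -> str:
    return ",".join(f"{attr}={value}" for attr, value in rdns)


class Directory:
    """In-memory directory tree keyed by DN, with LDAP-style scoped search.
    A stand-in for an X.500/LDAP server, written for this example."""

    def __init__(self):
        self.entries = {}            # tuple of RDNs -> attribute dict

    def add(self, dn: str, **attrs) -> None:
        rdns = parse_dn(dn)
        parent = rdns[1:]            # everything except the RDN is the parent's DN
        if parent and parent not in self.entries:
            raise LookupError(f"parent {format_dn(parent)} does not exist")
        if rdns in self.entries:
            raise LookupError(f"entry {dn} already exists")
        leaf_attr, leaf_value = rdns[0]
        self.entries[rdns] = {**attrs, leaf_attr: leaf_value}

    def lookup(self, dn: str):
        """Direct read by full DN (the X.500 'full path')."""
        return self.entries.get(parse_dn(dn))

    def search(self, base: str, scope: str = "subtree", **filt) -> list:
        """scope: 'base' = only the base entry, 'one' = its direct children,
        'subtree' = everything at or below the base.  filt is an equality
        filter on attributes, e.g. title='engineer'.  Returns matching DNs."""
        base_rdns = parse_dn(base)
        hits = []
        for rdns, attrs in self.entries.items():
            depth = len(rdns) - len(base_rdns)
            if depth < 0 or rdns[depth:] != base_rdns:
                continue                         # not under the base
            if scope == "base" and depth != 0:
                continue
            if scope == "one" and depth != 1:
                continue
            if all(attrs.get(a) == v for a, v in filt.items()):
                hits.append(format_dn(rdns))
        return hits


def build_sample_directory() -> Directory:
    """Constructed sample tree (example data, not a real organisation)."""
    d = Directory()
    for dn in ("dc=com", "dc=example,dc=com",
               "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"):
        d.add(dn)
    d.add("cn=alice,ou=people,dc=example,dc=com", mail="alice@example.com", title="engineer")
    d.add("cn=bob,ou=people,dc=example,dc=com", mail="bob@example.com", title="finance")
    d.add("cn=admins,ou=groups,dc=example,dc=com",
          member="cn=alice,ou=people,dc=example,dc=com")
    return d
```

Two things the slides state become concrete here: the RDN (`cn=alice`) only identifies an entry relative to its parent, so `add` insists the parent exists, and the full DN is what an application uses to address one object across the whole tree.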
15. 3. Active Directory
• Implementation of the LDAP protocol for Microsoft environments
• With additional plug-ins AD can be used in UNIX, Linux, and mainframe environments
• Provides central authentication and authorization capabilities for users and system services at the enterprise-wide level
• AD has the ability to enforce organizational security and configuration policies
• This is the reason why AD is used to enforce user- and system-level security policies in a uniform and highly auditable manner
• AD uses LDAP for its naming structure, a hierarchical framework to store info
• AD is organized into forests (the collection of all objects and their attributes) and trees (logical groupings of one or more AD security domains within a forest)
• Domains in AD are identified by their name. Objects in AD are grouped by organizational units.
16. Single Sign-On (SSO)
• SSO is referred to as reduced sign-on or federated ID management
• Sign on to a centralized system so that the user can access multiple servers/applications without signing on to individual servers
• While opening an application, the SSO credentials of the user are entered automatically (client software is used to open the appropriate application programs)
• Central repository of user credentials. If a password is changed in an application, the password in the SSO system must be changed too
• The changed password must be stored in the SSO system to maintain synchronization among applications
• For SSO solutions, a Smart Card (secured by a PIN, storing an array of user credentials in the card's memory) is used
• A smart card with user credentials, coupled with system software, detects when the user wants to access an application/server. The server authenticates and asks whether the system should learn the credentials for future use. You can store the credentials on your smart card. Now you only need to remember the passphrase to unlock the smart card, and unlocking the card gains access to the system
17. Contd…
Advantages of SSO solutions
• Efficient log-on process: fewer passwords to remember and type
• No need for multiple passwords: SSO translates into single-use credentials for users
• Users may create stronger passwords: a stronger password or passphrase can be used
• Standards can be enforced across the entire SSO system: access control policies and standards can be easily enforced through SSO. Timeouts can be deployed if a user is away from a running workstation
• Centralized administration
Disadvantages
• Costly devices and software
• If the centralized SSO system is compromised or fails, all work comes to a halt at once, causing the company to lose money
• Only one password or passphrase per user: if the password is cracked, the hacker can do significant damage to data
• SSO passwords are stored in a single database = great fun for a hacker if the database is not extremely well secured
• SSO is complex and integration is challenging
18. Script-Based Single Sign-On
• If the available solutions are not feasible for a company, use of script-based single sign-on may be possible
• Scripts manipulate the applications, interacting with them as if they were the users and injecting the user ID, password and other authentication interactions into the application on behalf of the user
• Advantage – functionality
• Disadvantage – costly/complex maintenance and development of such tools
19. Kerberos
• It guards a network with 3 elements: authentication, authorization, and auditing
• Essentially a network authentication protocol
• Designed to provide strong authentication for client/server applications using secret-key cryptography
• Effective in open, distributed environments
• It verifies that users are who they claim to be and that the network services they use are contained within their permissions
• It has 4 basic requirements for access control:
– Security: a network eavesdropper cannot obtain information by impersonating a user
– Reliability: resources must be available when needed (by users)
– Transparency: users should not be aware of the authentication process, and it should be nonintrusive
– Scalability: support a large number of clients and servers
20. Kerberos Process
• Based on interaction between 3 systems – the requesting system (principal), the endpoint destination server (application, information) and Kerberos, or the Key Distribution Center (KDC)
• The user workstation/application/service (principal) interacts with Kerberos
• Kerberos serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
• Kerberos is based on symmetric encryption and a secret key shared among participants
• The KDC maintains a database of the secret keys of all principals on the network
21. Contd…
• While acting as the Authentication Server (AS), it authenticates the principal (user) via a pre-shared secret key
• Once the user is authenticated, Kerberos operates as the TGS, providing tickets
• A ticket is a piece of electronic data validated by the TGS and given to the user to establish a connection between the network and the user
• The user requests authentication
• The Authentication Server (AS) authenticates using the pre-shared key and sends a ticket (Ticket Granting Ticket, or TGT) and a session key for use with the Ticket Granting Server (TGS)
• The user gets the ticket, secures the connection with the network, and also has the right to request service tickets (STs) from the KDC
• TGTs are valid for a certain period of time, and the user needs to re-authenticate after expiration
• Once a TGT is issued, there is no further use of passwords or log-on factors
• Now the user sends the TGT with an application (service) request to the TGS; the TGS, after validating the TGT, generates a unique session key, encrypted, to be used between the user and the application server
• The KDC packs this data in a Service Ticket (ST) and sends it to the user
• Now the user sends this ST to the application server for access. Once the application server decrypts the session key, it authenticates the user
• Encrypted communication is now established
22. Contd…
• Kerberos is time sensitive and requires the Network Time Protocol (NTP)
• If time is not synchronized it leads to authentication failure = easy DoS attack
• Once the KDC generates the unique session key, it is first sent to the client (user) to avoid a DoS attack against the application server
• If this is not done, the application server would be overloaded with encrypted session keys
23. Contd…
• Advantages
– The goal of Kerberos is to ensure private communication between systems over a network
– By managing encryption keys, it acts to authenticate principals in communication based on secret keys and allows access via session keys
– Elegant solution used on many platforms for a broad authentication process
• Disadvantages
– The KDC should be physically secured and should not allow any non-Kerberos activity
– If Kerberos fails, the whole system halts, so a backup and continuity plan should be made
– Keys (both secret and session) are vulnerable to brute-force attack; if they are made long, Kerberos is overloaded with encryption overhead. The Achilles' heel of Kerberos is that keys are derived from passwords, so traditional password guessing can compromise the system
– Kerberizing ??? Please Explain
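Added example covering the Kerberos process on slides 20-23, written for this page rather than taken from any Kerberos implementation: a toy AS/TGS/application-server exchange in Python. The cipher (a SHA-256 keystream with an HMAC tag), the message fields, the 5-minute skew tolerance and the 8-hour ticket lifetime are all assumptions. What it shows is the three exchanges, that each long-term key is derived from a password (the Achilles' heel on slide 23), that the session key reaches the client before the application server ever sees it (slide 22), and why an unsynchronized clock or an expired ticket makes authentication fail.

```python
import hashlib
import hmac
import json
import os

# Toy Kerberos (AS, TGS, application server) written for this example.  The
# cipher is a SHA-256 keystream with an HMAC tag, NOT a real Kerberos enctype,
# and the message fields are invented; only the flow matches the slides.
MAX_SKEW = 300               # seconds of clock difference tolerated (hence NTP)
TICKET_LIFETIME = 8 * 3600


def derive_key(password: str, principal: str) -> bytes:
    """Long-term keys come from passwords: the weak point the slides note."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under a symmetric key."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check(ticket: dict, auth: dict, now: int) -> None:
    """Used by TGS and application server alike: the ticket must be live, the
    authenticator must name the ticket's client, and clocks must roughly agree."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired; re-authenticate")
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > MAX_SKEW:
        raise PermissionError("authenticator mismatch or clock skew")


class KDC:
    """Holds every principal's secret key and acts as both AS and TGS."""
    def __init__(self):
        self.keys = {}
        self.tgs_key = os.urandom(32)       # seals TGTs; never leaves the KDC

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, principal)

    def as_exchange(self, principal: str, now: int) -> bytes:
        """AS_REQ -> AS_REP: TGT plus session key, sealed under the user's own key,
        so only someone who knows the password can read the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "key": session, "expires": now + TICKET_LIFETIME})
        return seal(self.keys[principal], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, auth_blob: bytes, service: str, now: int) -> bytes:
        """TGS_REQ -> TGS_REP: validate TGT and authenticator, issue a service ticket.
        The new service session key goes to the client first; the application
        server only learns it from the ticket the client presents (slide 22)."""
        tgt = unseal(self.tgs_key, tgt_blob)
        tgs_session = bytes.fromhex(tgt["key"])
        _check(tgt, unseal(tgs_session, auth_blob), now)
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[service], {"client": tgt["client"], "key": svc_session, "expires": now + TICKET_LIFETIME})
        return seal(tgs_session, {"session": svc_session, "ticket": st.hex()})


class AppServer:
    def __init__(self, principal: str, password: str):
        self.key = derive_key(password, principal)

    def accept(self, ticket_blob: bytes, auth_blob: bytes, now: int):
        """AP_REQ: open the service ticket with our own key, check the
        authenticator, return the proven client identity and the session key."""
        st = unseal(self.key, ticket_blob)
        session = bytes.fromhex(st["key"])
        _check(st, unseal(session, auth_blob), now)
        return st["client"], session


def kerberos_login(kdc: KDC, server: AppServer, user: str, password: str, service: str, now: int):
    """Client side of the whole flow; returns what the application server accepted."""
    rep = unseal(derive_key(password, user), kdc.as_exchange(user, now))  # wrong password -> ValueError
    tgs_session, tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])
    rep = unseal(tgs_session, kdc.tgs_exchange(tgt, seal(tgs_session, {"client": user, "time": now}), service, now))
    svc_session, st = bytes.fromhex(rep["session"]), bytes.fromhex(rep["ticket"])
    return server.accept(st, seal(svc_session, {"client": user, "time": now}), now)
```

Note where the password is used: only once, on the client, to open the AS reply. After that the TGT and session keys carry the authentication, which is the "no further use of passwords" point on slide 21, and also why the KDC's key database and the KDC clock are the assets to protect.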
24. Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• Project funded by the European Commission to eliminate the drawbacks of Kerberos
• Primarily due to the need to manage symmetric keys across environments. The weakness of Kerberos is scalability: the more entities, the more complex and harder to manage the KDC becomes
• The other weakness is that privilege info is stored on the server that the user uses. Access info needs to be located on each server as the environment grows
• SESAME – an extension of Kerberos – overcomes those limitations by offering sign-on services with distributed access controls across the environment
– Eliminates the need to replicate authorization data across servers
– Uses both symmetric and asymmetric cryptographic techniques for protection of interchanged data, which alleviates Kerberos's key management issues
25. Contd…
• Key attributes of SESAME
– Single Sign-On
– Role-based access control
– Use of Privileged Attribute Certificates (PAC), similar to Kerberos tickets
– Use of the Kerberos V5 protocol to access SESAME components
– Use of public key cryptography for distribution of secret keys
26. Perimeter-Based Web Portal Access
• If LDAP is in place, a user can be identified, authenticated and authorized on multiple web-based applications using a web portal tied to Web Access Management (WAM)
• These solutions replace the sign-on process in web applications by the use of plug-in services
• The user needs to sign on once; then he/she can access multiple web applications while the plug-in passes the authentication ticket among applications
• These systems provide effective user management and single sign-on in the web environment, but they cannot support the entire access control environment
• WAM has become common
27. Federated Identity Management
• Single Sign-On is good for a single organization
• When two or more companies have to access each other's systems, trust is a big issue
  – E.g. a car company and a parts dealer
• The solution is to create a Federated Identity Management infrastructure: similar policies, standards and management of user identities, authentication and authorization
• Once the verification and certification process is completed, each company will trust the other
• This is an example of the Cross-Certification Trust Model
• If 3 companies have to come into a federation there will be 6 ways of trust. The higher the number of companies to be federated, the higher the complexity (a permutation in terms of trust)
• Suppose several organizations have to be federated but the Cross-Certification Trust Model cannot be used because of its complexity
• For this case the Third Party Certification Trust Model, or Bridge Model, has been created
• A third party manages the verification and due diligence process for all participating organizations
• Each organization trusts the third party and can gain access to the databases of the other organizations
28. Once In-Unlimited Access (OIUA)
• Some organizations don't need to restrict their users' access to resources, e.g. public services or website contributors
• Other companies allow their employees to access all the resources of the company on their intranet without authentication
• If the user got access to those resources, it is assumed that the user is authorized: no questions asked
• There are no certificates or tokens passed between the authentication system and the application
• An unauthorized user, like a contractor or support person, can easily gain access under OIUA
29. Logging and Monitoring
• Logging is keeping records of users' activities
• Monitoring is observing what users are doing in the system
• Records of identification, authentication and authorization are useful to understand what is going on within a system
• Attempted log-ons, or an authenticated user trying to gain access to non-privileged applications, indicate something is going wrong
• Logging and monitoring help backtrack who is trying/doing malicious activities
• Security logs are important for forensic investigations for legal purposes
• Attackers try to delete logs so that they won't be caught. The security of the storage and archive systems used to hold log data is therefore critical to the integrity of the information
• In big organizations security log data is huge (gigabytes), and it takes a lot of time and personnel to review that data for malicious activity
• Event filtering or a Clipping Level should be used
30. Contd…
• When the threshold of log data is reached, automated tools parse out the log information
• Based on abnormal activity (using correlation of logs from multiple systems), it is possible to determine what exactly the attacker was doing
• Best practices to establish log collection and management
  – Control the volume of data: based on available storage, processing capacity and manpower
  – Do not allow rollover of logs: deleting earlier logs saves disk space, but valuable information can be deleted. Copying those logs to permanent storage might be important for forensic investigations
  – Evaluate and implement auditing tools to reduce the complex task of log analysis
  – Establish log review and investigative procedures in advance
  – Train personnel to review logs
  – Protect against unauthorized access and change: copied logs should be physically secured
31. Audit Trail Monitoring
• It is the data collected from various systems' event logging activity, used to reconstruct events that happened in a system for legal purposes
• Records of activities can be investigated to see whether network devices and systems are operating within expected parameters
• Event logging can be done in any system
• It helps gain awareness of the system and infrastructure
• An audit trail alerts on suspicious activity for further investigation
• E.g. an administrator can see somebody logging into a mission-critical system after work hours. The admin can look at the logs and determine whether it was legitimate or expected. Other logs can be checked to see if that user is performing questionable actions
• It provides details of intruder activity. A hacker leaves traces behind while hopping between systems/applications. This helps reconstruct the path, what type of tool may have been used, etc.
• Finally, all these records can be used for legal action
32. Audit Event Types
Based on information security and access control, there are 5 key audit types:
1. Network Events
2. System Events
3. Application Events
4. User Actions
5. Keystroke Activity
33. 1. Network Events
• Can play a critical role during an attack
• Devices supporting communications can provide information
• Network layer information is helpful in isolating threat activity (e.g. a worm or DoS attack)
• Helpful in detecting whether a user is using software or services not permitted by policy (e.g. instant messenger, peer-to-peer applications)
• Network logs show the source and destination address of traffic, which application the traffic belonged to, and whether the packets were allowed or blocked
• How much traffic was received over a period of time
34. 2. System Events
• The part of the audit trail that provides system activity information
• Reports whether files are modified, deleted or added
• Shows whether software was installed or removed, or a privilege was changed
• If there is a worm or virus on the system, the system will show unexpected activities
• Also shows if there is a strong change in management activities (both legitimate and hack)
35. 3. Application Events
• Broad range of possibilities for monitoring activity
• Dependent on the specific services of the application
• E.g. an attack on a web server can be evaluated from URL manipulation in the web server logs
• The objective of auditing an application is to isolate key functions to at least gain an initial perspective of application activity
• The reviewer should know the possible problems that can be seen in the logs while analyzing them
• If the application was made by the organization, security-oriented logging should be incorporated
36. 4. User Actions
• Helps understand the behavior and activity of a user
• Information on log-on and log-out times, use of privileged access, applications executed and data files accessed are the basics of user monitoring
37. 5. Keystroke Activity
• Logging keystrokes reveals what a user is typing
• Controversial because it can invade privacy (even if the company allows it)
• E.g. sending an inappropriate message to a coworker can be the basis for firing a strong staff member
• A lot of information can be found in command history files found on some operating systems
• E.g. on Unix systems the $HOME directory can contain files with names like .history, .sh_history, .bash_history
38. Intrusion Detection and Prevention
• An IDS alerts the administrator to attacks in real time but does not take any action
• Considered an audit/network monitoring technology
• It can be implemented as part of a router, firewall, or as a NIDS (Network IDS)
• If used on a host to monitor activity, it is called a Host IDS (HIDS)
• An IPS (Intrusion Prevention System) can detect threats and act proactively. It blocks the unauthorized activity of a hacker as well as a user trying to perform non-privileged actions
• IPS is gaining popularity lately
• An IDS needs to be tuned to the normal traffic of the organization
• If it is not tuned it becomes a noisy box, or sits quietly and cannot distinguish between a real attack and an application the organization has made
39. Network Intrusion Detection System Architecture (NIDS/IDS)
• A NIDS works passively, in promiscuous mode
• It monitors every packet passing in/out of the network
• Can be attached to a firewall, switch or router
• A NIDS should be able to handle traffic throughput equivalent to (or greater than) the combined traffic load
• Throughput = sum of all data flying by on the network
• E.g. if a 100 MB, 10-port switch is used, we need at least a 1 GB IDS to handle the traffic load. If the capacity of the IDS is smaller than 1 GB, data packets will be lost
• If the session data is encrypted, the IDS fails
• Many tools are available which nowadays break session encryption and re-establish it
• If the IDS detects an unwanted communication stream, it can attempt to terminate the connection by blocking packets from the source of the traffic, or use features of the TCP protocol and inject packets into the network forcing the remote system to cancel the communication
40. Host-Based Intrusion Detection System (HIDS)
• Implementation of an IDS at the host level is a HIDS
• Processing is limited to the host's boundaries
• Advantage: it effectively detects objectionable activities on the host system it runs on
• Offers access to system logs, processes, system information, device information
• Virtually eliminates the limits associated with encryption
• The level of visibility into packets is higher
• Multi-host IDS allows systems to share policy information and real-time attack data, making it easier to establish a defensive posture
• It is invasive to the operating system and uses a lot of CPU and memory to function during an attack, thereby diminishing the performance of laptops and workstations
• However, newer servers eliminate these issues
41. IDS Analysis Engine Methods
• Based on their strengths and weaknesses, different methods can be used. The two basic methods are:
  – Pattern Matching (Signature Analysis)
    • Based on the characteristics of an attack (a specific packet sequence or text in the data stream)
    • E.g. when attackers attack a system they send specific packets, which the IDS compares with its database. An IDS has thousands of signature patterns and needs to be updated quite often to get new patterns
    • If the sequence is matched, it alerts
    • If there is a new attack, or a slight change in the packets, the signature can cause the IDS to miss the attack
  – Anomaly Detection
42. Anomaly Detection
• Uses the behavioral characteristics of a system's operation or network traffic to draw conclusions. Anomalies include:
  – Multiple failed log-on attempts
  – User logged on during off hours
  – Unexplained changes in the system clock
  – Unusual error messages
  – Unexplained system shutdowns and restarts
  – Attempts to access restricted files
• Reports false positives, as expected with behavioral change
• Not dependent on a specific pattern/signature-based system
• Information from an anomaly can be used to create a pattern for signature-based detection of the attack
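Added example (not from the lecture): the clipping level from slides 29 and 30 and three of the anomalies listed above (repeated failed log-ons, off-hours log-on, restricted file access) checked over a few constructed log lines from two hosts. The log format, host and user names, the work-hours range and the restricted-file list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the lecture): "<ISO time> <host> <event> user=<name> [path=<file>]"
SAMPLE_LOG = """\
2013-06-15T09:02:11 fs01 LOGIN_FAIL user=bob
2013-06-15T09:02:19 fs01 LOGIN_FAIL user=bob
2013-06-15T09:02:27 fs01 LOGIN_FAIL user=bob
2013-06-15T09:02:40 fs01 LOGIN_FAIL user=bob
2013-06-15T09:03:01 fs01 LOGIN_OK user=alice
2013-06-15T23:47:05 db02 LOGIN_OK user=carol
2013-06-15T23:48:30 db02 FILE_ACCESS user=carol path=/etc/shadow
2013-06-15T10:15:00 db02 FILE_ACCESS user=alice path=/srv/reports/q2.csv
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+)(?: path=(\S+))?$")
CLIPPING_LEVEL = 3                            # failed log-ons per user tolerated before alerting
WORK_HOURS = range(7, 19)                     # 07:00-18:59 counts as normal (hypothetical policy)
RESTRICTED = {"/etc/shadow", "/etc/passwd"}   # hypothetical restricted files


def parse(lines):
    """Turn raw lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, user, path = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "event": event, "user": user, "path": path})
    return events


def detect_anomalies(lines):
    """Return (rule, user, host) alerts. Single failures are routine noise; the clipping
    level means a user is reported only once, when their failures exceed the threshold."""
    alerts, failures = [], defaultdict(int)
    for e in parse(lines):
        if e["event"] == "LOGIN_FAIL":
            failures[e["user"]] += 1
            if failures[e["user"]] == CLIPPING_LEVEL + 1:
                alerts.append(("failed_logons_over_clipping_level", e["user"], e["host"]))
        elif e["event"] == "LOGIN_OK" and e["ts"].hour not in WORK_HOURS:
            alerts.append(("off_hours_logon", e["user"], e["host"]))
        elif e["event"] == "FILE_ACCESS" and e["path"] in RESTRICTED:
            alerts.append(("restricted_file_access", e["user"], e["host"]))
    return alerts
```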
43. Stateful Matching Intrusion Detection
• Scans for attack signatures in the context of the traffic or overall behavior
• An intruder may send a volley of valid packets to a targeted system
• Matching a pattern is virtually impossible as they are valid
• But why such a huge volume of valid packets?
• To evade detection, the attacker sends packets from multiple locations with long wait periods between each transmission to confuse the detection system or exhaust the session timing window
• If the IDS is tuned to look over a long period of time, it can detect the attack
• Stateful Matching IDS also uses signatures, so it has to be updated often
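Added example (not part of the lecture) contrasting the stateless signature match of slide 41 with the stateful matching described above, run over constructed packet records. The signature, addresses and timings are assumptions; the point is that the one-byte variant escapes the signature while a long enough state window still catches the slow volley.

```python
import re
from collections import defaultdict

# Constructed packet records (not from the lecture): (seconds since capture start, src, dst, payload)
PACKETS = [
    (0,    "10.0.0.5", "192.0.2.10", b"GET /admin?x=1 HTTP/1.1"),
    (1,    "10.0.0.5", "192.0.2.10", b"GET /admin?x=2 HTTP/1.1"),   # one byte differs from the signature
    (900,  "10.0.0.6", "192.0.2.10", b"GET /login HTTP/1.1"),       # valid requests, far apart in time,
    (1800, "10.0.0.7", "192.0.2.10", b"GET /login HTTP/1.1"),       # from different sources
    (2700, "10.0.0.8", "192.0.2.10", b"GET /login HTTP/1.1"),
    (5000, "10.0.0.9", "192.0.2.20", b"GET /index.html HTTP/1.1"),  # unrelated traffic to another host
]

# Hypothetical signature database: one exact byte pattern per rule name
SIGNATURES = {"admin-probe": re.compile(rb"GET /admin\?x=1 ")}


def signature_alerts(packets):
    """Stateless pattern matching: every packet is judged on its own bytes."""
    return [(name, src) for _, src, _, payload in packets
            for name, sig in SIGNATURES.items() if sig.search(payload)]


def stateful_alerts(packets, window, threshold):
    """Stateful matching: remember who talked to each destination during the last
    `window` seconds and alert when `threshold` distinct sources are seen in that span."""
    recent = defaultdict(list)           # dst -> [(ts, src), ...] still inside the window
    alerts = []
    for ts, src, dst, _ in sorted(packets, key=lambda p: p[0]):
        recent[dst] = [(t, s) for t, s in recent[dst] if ts - t <= window] + [(ts, src)]
        if len({s for _, s in recent[dst]}) >= threshold:
            alerts.append(("slow-volley", dst))
            recent[dst] = []             # reset so one volley produces one alert
    return alerts
```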
44. Statistical Anomaly-Based Intrusion Detection
• Analyzes event data by comparing it to normal/typical/predicted profiles
• Why is the data skewed at a particular time?
• Very effective; a high-level characteristic of IPS
• Defining "normal" is a difficult task, if not impossible, in a complex environment
• Prone to false positives
• Has the potential to detect previously unknown attacks
• Using signature-based together with statistical anomaly-based IDS is very effective for detecting attacks
45. Protocol Anomaly-Based Detection
• Catches when a protocol deviates from its expected behavior
• E.g. if packets in an HTTP session deviate from the HTTP protocol standard, the IDS treats it as malicious behavior
• Useful for HTTP, FTP or telnet
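Added example (not from the lecture) of the HTTP case above: a protocol-anomaly check that validates request lines against the expected "METHOD SP target SP HTTP/x.y" grammar and reports every deviation with a reason. The request lines are constructed, and the method set, version set and length limit are assumed policy.

```python
import re

# Constructed sample request lines (not from the lecture)
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "POST /login HTTP/1.0",
    "get /index.html HTTP/1.1",          # lower-case method is not valid HTTP
    "DEBUG /index.html HTTP/1.1",        # method not in the allowed set
    "GET /index.html HTTP/9.9",          # version the server does not speak
    "GET /" + "A" * 3000 + " HTTP/1.1",  # request-target far beyond normal length
    "HELO mail.example.com",             # not HTTP at all on an HTTP port
    "GET /index.html\x00 HTTP/1.1",      # control byte inside the request-target
]

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
VERSIONS = {"1.0", "1.1"}
MAX_TARGET = 2048                        # hypothetical policy limit on request-target length
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def check_request_line(line):
    """Return None when the line conforms to the expected HTTP request-line grammar,
    otherwise a short description of how it deviates."""
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in line):
        return "control or non-ASCII byte in request line"
    m = REQUEST_LINE.match(line)
    if not m:
        return "not of the form 'METHOD SP request-target SP HTTP/x.y'"
    method, target, version = m.groups()
    if method not in METHODS:
        return "unknown method " + method
    if version not in VERSIONS:
        return "unsupported version HTTP/" + version
    if len(target) > MAX_TARGET:
        return "request-target longer than policy allows"
    return None


def protocol_anomalies(lines):
    """Report every deviating line with its reason, as a protocol-anomaly IDS would."""
    found = []
    for line in lines:
        reason = check_request_line(line)
        if reason:
            found.append((line, reason))
    return found
```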
46. Traffic Anomaly-Based Intrusion Detection
• Based on traffic or packet patterns
• Again, defining "normal" is difficult
47. Intrusion Response
• Upon suspicious activity, the IDS or IPS, if permitted and configured accordingly, interacts with the system to restrict or block traffic
• Early versions of IDS interacted with the firewall and let the firewall implement specific rules against the subject in question
• Still used today. The proposed rule must not conflict with normal business operations
• Firewalls might have a lot of rules, and the new rule can have a negative impact on normal mission-critical communications
• The firewall shares rules with other firewalls, therefore the attacker is blocked without affecting system processes
48. Alarms and Signals
• A core capability of an IDS is to produce alarms and signals that notify people and systems of adverse events
• Fundamental components of the alarm capability
  1. Sensor: a mechanism that identifies an event or attack and informs an admin. Tuning sensors is important
  2. Control and Communication: the mechanism for handling alerts, e.g. email, text, instant message, pager, voice message etc.
  3. Enunciator:
49. IDS Management
• Employ a technically knowledgeable person to select, install, configure, operate and maintain the IDS
• Update the system regularly with new attack signatures and behavioral profiles
• An IDS may itself be vulnerable to attack, so protect it accordingly
• Intruders might try to disable the IDS with false information or by overloading the system