Access Control
Muhammad Wajahat Rajab
• Protecting what needs to be protected with the available
technologies!
• Access control is the of Information Security!
Overview
Some Questions
• What is Access?
• What is the Access Mechanism?
• What is Access Control?
• The right
• Flow of information between subject and object
• Mechanism to protect the assets!
Identification, Authentication,
Authorization
Identification
Identification
• Method of establishing the subject’s identity
– User, Program, Process
• Use of username or other public information
• Identification component requirements…
– Each value should be unique
– Follow a standard naming scheme
– Non-descriptive of the user’s position or tasks
– Must not be shared between users
Authentication
Authentication
• Method of proving the identity
• How to prove an identity?
– Something you know
– Something you have
– Something you are
• Use of passwords, tokens, biometrics, or other private
information
• What is two factor authentication?
– Strong authentication
Something you know
• Traditional authentication method
• Passwords
– Protected string of characters
– Most widely used
– Types
• Cognitive passwords
• One time passwords (Dynamic passwords)
• Passphrase
Cognitive passwords
• Fact or opinion based information
• Created through several experience based questions
• Easy to remember!
– A person will not forget his birthplace, favorite color, dog's
name, or the school he graduated from.
One time passwords
• Only used once
• Used in sensitive cases and places
• Examples include
– Prepaid cards
– Token devices
• Token device generates the one-time password for the user to
submit to an authentication server
Passphrase
• Sequence of characters that is longer than a password --
Thus a phrase
– User enters this phrase into an application which transforms the
value into a virtual password
Attacks against passwords
• Electronic monitoring
• Access the password file
• Brute force attacks
• Dictionary attacks
• Social engineering
• Shoulder surfing
Something you have
• Requires possession of something such as a key, smart
card, or some other device
• Examples include…
– Keys
– Documents
– Token devices
– Memory cards
– Smart cards
Token device
• Software/hardware hybrid object used to verify an
identity in an authentication process
• Token device, or password generator, is usually a
handheld device that has an LCD display and possibly a
keypad
– Token device is separate from the computer the user is
attempting to access
Token Device – Benefits/Limitations
• Benefits
– Not vulnerable to electronic eavesdropping
• Wiretapping
• Sniffing
– Provide two factor authentication
• Limitations
– Human error
– Battery limitation
– Token itself (Environmental factors)
Types of Token Devices
• Synchronous Token
– A synchronous token device synchronizes with the
authentication service by using time or a counter as the core
piece of the authentication process.
• Asynchronous Token
– A token device using an asynchronous token generating method
employs a challenge/response scheme to authenticate a user.
Synchronous Token
Asynchronous Token Device
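Worked example added here (not part of the slides): a synchronous token modelled as an HMAC-based one-time password over a counter (HOTP-style) or over a time step (TOTP-style), next to an asynchronous token modelled as a challenge/response HMAC. The shared secret, the clock values and the drift window are constructed for the demonstration; the server-side verifier is the defender's side of the exchange.

```python
# Added example, not from the presentation. Synchronous (counter/time) and
# asynchronous (challenge/response) token schemes built from HMAC.
import hashlib
import hmac
import os
import struct

# Constructed shared secret: provisioned into both the token and the server.
SECRET = b"constructed-shared-secret-for-demo"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-synchronous OTP: HMAC-SHA1 over the 8-byte counter, then the
    dynamic truncation used by HOTP (RFC 4226) to get a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous OTP (TOTP-style): the counter is the elapsed time step,
    so token and server must agree on the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus a small drift window
    (clock skew is the usual failure mode of synchronous tokens) and compares
    in constant time."""
    base = server_time // step
    for counter in range(base - drift_steps, base + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return True
    return False


def new_challenge() -> bytes:
    """Asynchronous scheme: the server issues a fresh random challenge."""
    return os.urandom(16)


def challenge_response(secret: bytes, challenge: bytes) -> str:
    """Token side: answer = HMAC(secret, challenge); no shared clock or counter."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def verify_challenge(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected answer and compare in constant time."""
    return hmac.compare_digest(challenge_response(secret, challenge), response)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    code = totp(SECRET, now)
    print("TOTP", code, "accepted:", verify_totp(SECRET, code, now + 29))
    ch = new_challenge()
    print("challenge/response accepted:",
          verify_challenge(SECRET, ch, challenge_response(SECRET, ch)))
```

The RFC 4226 test vector (secret `12345678901234567890`, counter 0 gives `755224`) is a quick way to confirm the truncation is implemented correctly; a replayed code is rejected once the time step or counter has moved past the drift window.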
Memory Card
• Holds information but cannot process
– A memory card can hold a user's authentication information, so
that the user only needs to type in a UserID or PIN.
Smart Card
• Holds and processes information
• After a threshold of failed login attempts, it can render
itself unusable
• PIN or password unlocks smart card functionality
• Smart card could be used for:
– Holding biometric data in template
– Responding to challenge
– Holding private key
Types of Smart Card
• Contact
– Requires insertion into a smart card reader with a direct
connection to a conductive micro-module on the surface of the
card (typically gold plated)
– Through these physical contact points, transmission of
commands, data, and card status takes place
• Contactless
– Requires only close proximity to a reader
– Both the reader and the card have an antenna, and it is via this
contactless link that the two communicate
Smart Card attacks
• Micro-probing techniques
• Eavesdropping techniques
• Trojan Horse attacks
• Social engineering attacks
Something you are
• Special case of something you have
• Unique personal attribute is analyzed
• Encompasses all biometric techniques
– Fingerprints
– Retina scan
– Iris scan
– Hand geometry
– Facial scan
Biometric System
• A characteristic based system
– Includes all the hardware, associated software and
interconnecting infrastructure to enable the
identification/authentication process
• Uses individual's unique physical characteristics in order
to identify and authenticate
– Each has its own advantages and disadvantages
Fingerprints
• Every person's fingerprint is unique
• Most affordable and convenient method of verifying a
person's identity
• The lines that create a fingerprint pattern are called
ridges and the spaces between ridges are called valleys.
Retina Scan
• Retinal scan technology maps the capillary pattern of the
retina
– A thin (1/50th inch) nerve on the back of the eye!
• Accurate
• Many people are hesitant to use the device
Iris Scan
• Scans the iris or the colored portion of the eye
• For authentication the subject looks at the video camera
from a distance of 3-10 inches
• The entire enrollment process is less than 20 seconds,
and subsequent identification takes 1-2 seconds.
• Offers high accuracy!
Hand Geometry
• Measures specific characteristics of a person's hand such
as length of fingers and thumb, widths, and depth.
• Takes over 90 measurements of the length, width,
thickness, and surface area of a person's hand and
fingers.
• Hand measurements occur with amazing speed, almost
within one second.
• A charge coupled device (CCD) digital camera is used to
record the hand's three dimensional shape.
Keyboard Dynamics
• Looks at the way a person types at a keyboard
• Also called Typing Rhythms!
• Keyboard dynamics measures two distinct variables:
– Dwell time: The amount of time one holds a particular key
– Flight time: The amount of time one moves between the keys
• Keyboard dynamic system can measure one's keyboard
input up to 1000 times per second!
Voice Print
• A voice reference template is constructed
– To construct, an individual must speak a set of phrases several
times as the system builds the template.
– Voice identification systems incorporate several variables
including pitch, dynamics, and waveform.
Facial Scan
• Incorporates two significant methods:
– Detection
– Recognition
• Detection involves locating the human face within an
image.
• Recognition is comparing the captured face to other
faces that have been saved and stored in a database.
Facial Scan -- Process
Biometric Performance
• Biometric performance is most commonly measured in
two ways:
– False Rejection Rate (FRR) – Type 1
– False Acceptance Rate (FAR) – Type 2
• The FRR is the probability that you are not authenticated
to access your account.
• The FAR is the chance that someone other than you is
granted access to your account.
Crossover Error Rate
• Crossover Error Rate (CER) value is when Type 1 and Type
2 errors are equal.
– (Type 1 = Type 2 errors) = CER metric value
• System ABC has 1 out of 100 Type 1 errors = 1%
• System ABC has 1 out of 100 type 2 errors = 1%
• System ABC CER = 1
• The lower the CER value, the higher the accuracy
• A system with a CER of 5 has greater accuracy than a
system with a CER of 6
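Worked example added here (not part of the slides): FRR (Type 1) and FAR (Type 2) computed for every decision threshold over constructed matcher scores, and the crossover located where the two rates meet. The score lists, the 0 to 100 score scale and the threshold range are assumptions for the demonstration.

```python
# Added example, not from the presentation. Biometric error rates and CER.
from typing import Iterable, List, Tuple

# Constructed matcher scores (0..100, higher = stronger match).
GENUINE = [88, 91, 76, 95, 83, 69, 90, 85, 79, 93]   # legitimate users' attempts
IMPOSTOR = [41, 55, 62, 38, 71, 49, 58, 66, 44, 52]  # other people's attempts


def frr(genuine: List[int], threshold: int) -> float:
    """Type 1 error: fraction of legitimate attempts rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type 2 error: fraction of impostor attempts accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold. Raising the threshold
    lowers FAR and raises FRR; the operator picks the trade-off."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover(genuine: List[int], impostor: List[int],
              thresholds: Iterable[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the CER (the common
    error rate there). A lower CER means a more accurate system."""
    rows = error_rates(genuine, impostor, thresholds)
    t, fr, fa = min(rows, key=lambda r: abs(r[1] - r[2]))
    return t, (fr + fa) / 2


if __name__ == "__main__":
    for t, fr, fa in error_rates(GENUINE, IMPOSTOR, range(60, 81, 5)):
        print(f"threshold={t:3d}  FRR={fr:.2f}  FAR={fa:.2f}")
    print("crossover (threshold, CER):", crossover(GENUINE, IMPOSTOR, range(0, 101)))
```

On this constructed data the rates cross at a threshold of 70 with a CER of 0.1; a confidentiality-critical deployment would normally sit above the crossover (lower FAR, higher FRR), a convenience-oriented one below it.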
CER Concept
Authorization
Authorization
Controls
Types of Access Controls
• There are three types of Access Controls:
– Administrative controls
• Define roles, responsibilities, policies, and administrative functions
to manage the control environment.
– Technical controls
• Use hardware and software technology to implement access
control.
– Physical controls
• Ensure safety and security of the physical environment.
Administrative Controls
• Ensure that technical and physical controls are understood
and properly implemented
– Policies and procedures
– Security awareness training
– Asset classification and control
– Employment policies and practices (background checks, job
rotations, and separation of duties)
– Account administration
– Account, log monitoring
– Review of audit trails
Technical Controls
• Examples of Technical Controls are:
– Encryption
– Biometrics
– Smart cards
– Tokens
– Access control lists
– Violation reports
– Audit trails
– Network monitoring and intrusion detection
Physical Controls
• Examples of Physical Controls are:
– HVAC
– Fences, locked doors, and restricted areas
– Guards and dogs
– Motion detectors
– Video cameras
– Fire detectors
– Smoke detectors
Categories of Access Controls
• Preventive -- Avoid incident
• Deterrent -- Discourage incident
• Detective -- Identify incident
• Corrective -- Remedy circumstance/mitigate damage
and restore controls
• Recovery -- Restore conditions to normal
• Compensating -- Alternative control
• Directive
Categories of Access Controls
Administrative Preventive Controls
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Risk assessments and analysis
• Creating a security program
• Separation of duties
Administrative Detective Controls
• Job rotation
• Sharing responsibilities
• Inspections
• Incident response
• Use of auditors
Technical Preventive Controls
• Passwords
• Biometrics
• Smart cards
• Encryption
• Database views
• Firewalls
• ACLs
• Anti-virus
Technical Detective Controls
• IDS
• Reviewing audit logs
• Reviewing violations of clipping levels
• Forensics
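Worked example added here (not part of the slides): a technical detective control that reviews audit log lines for violations of a clipping level, the number of failed logins a user is allowed within a time window before an alert is raised. The log lines, the log format, the threshold of 3 and the 10-minute window are all constructed for the demonstration.

```python
# Added example, not from the presentation. Clipping-level review over
# constructed authentication log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (syslog-like layout; not from a real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:04 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:07 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:10 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:15 auth sshd: Accepted password for alice from 10.0.0.5
2024-05-01T09:05:00 auth sshd: Failed password for bob from 10.0.0.9
2024-05-01T09:20:00 auth sshd: Failed password for bob from 10.0.0.9
2024-05-01T10:00:00 auth sshd: Failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source)


def parse(log_text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def clipping_violations(events: List[Event], threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Users whose failed logins inside any sliding window reach the clipping
    level. Failures below the level are tolerated as ordinary human error;
    reaching it is what the reviewer is looking for. Returns the peak count."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ts, outcome, user, _ in events:
        if outcome == "Failed":
            failures[user].append(ts)
    violations: Dict[str, int] = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                violations[user] = max(violations.get(user, 0), count)
    return violations


if __name__ == "__main__":
    for user, peak in clipping_violations(parse(SAMPLE_LOG)).items():
        print(f"ALERT: {user} reached {peak} failed logins within the window")
```

On the sample, alice's four failures in ten seconds cross the clipping level even though she eventually logs in; bob's three failures are spread over an hour and stay below it, which is the distinction between a forgotten password and a guessing attempt.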
Physical Preventive Controls
• Badges
• Guards and dogs
• CCTV
• Fences, locks, man-traps
• Locking computer cases
• Removing floppy and CD-ROM drives
• Disabling USB port
Physical Detective Controls
• Motion detectors
• Intrusion detectors
• Video cameras
• Guard responding to an alarm
Jotting them together…
Centralized Access Control
Methodologies
Centralized Access Control Methodologies
• (ISC)2 discusses the following methodologies:
– RADIUS -- Remote Authentication Dial-In User Service
– TACACS -- Terminal Access Controller Access Control Systems
– DIAMETER
RADIUS
• Provides centralized authentication, authorization and
accounting management for network services
• Works on a Client/Server model
• Functions:
– To authenticate users or devices before granting them access to
a network
– To authorize users or devices for certain network services
– To account for usage of services used
RADIUS Process
RADIUS Implementation
TACACS
• TACACS has been through three generations:
– TACACS, XTACACS and TACACS+
• TACACS uses passwords for authentication
– TACACS+ allows users to use dynamic (one-time) passwords
– TACACS+ encrypts all the data
• TACACS uses UDP
– TACACS+ uses TCP
TACACS at Work
Diameter
• "New and improved" RADIUS
• RADIUS is limited in its methods of authenticating users
• Diameter does not encompass such limitations
• Can authenticate wireless devices and smart phones
• Open for future growth
• Users can move between service provider networks and
change their points of attachment
Single Sign-On Technologies
Single Sign On (SSO)
• A system that enables a user to access multiple computer
platforms
• User logs in just once
• Access granted to permitted resources
• Login is required again only after the user logs out
• Examples include:
– Kerberos
– SESAME
– Security Domains
– Thin Clients
Kerberos
• A computer network authentication protocol
– Allows principals communicating over a non-secure network to
prove their identity to one another in a secure manner.
• Principals
– Any user or service that interacts with a network
– Term that is applied to anything within a network that needs to
communicate in an authorized manner
Kerberos components
• Components of Kerberos
– Key Distribution Center (KDC)
• Holds all of the principals' secret keys
• Principals authenticate to the KDC before networking can take
place
– Authentication Server (AS)
• Authenticates the user at initial logon
• Generates the initial ticket that allows the user to authenticate to the
local system
– Ticket Granting Service (TGS)
• Generates tickets that allow subjects to authenticate to each
other
Kerberos Process
SESAME
• Secure European System for Applications in a Multi-Vendor Environment
• Uses symmetric and asymmetric cryptographic
techniques
• Uses Privileged Attribute Certificates (PACs)
• PACs are generated by the Privileged Attribute Server
(PAS)
• After a user successfully authenticates to the
Authentication Server (AS), the PAS then creates a PAC
for the user to present to the resource that is being
accessed!
SESAME Process
Security Domains
• Based on trust between resources or services on a
domain that share a single security policy and single
management
• The security policy defines the set of objects that each
user has the ability to access
• A similar mission and single point of management
responsibility
Security Domains -- Bull’s Eye View
Thin Clients
• Diskless computers are called dumb terminals or thin
clients
• Client/Server technology forces users to log onto a
central server just to be able to use the computer and
access network resources.
• Server downloads the Operating System, or interactive
operating software to the terminal
Access Control Models
Access Control Models
• Frameworks that dictate how subjects access objects
• Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)
Discretionary Access Control
• Allows the owner of the resource to specify which
subjects can access which resources
• Access control is at the discretion of the owner
• DAC defines access control policy
– That restricts access to files and other system resources based
on identity
• DAC can be implemented through Access Control Lists
(ACLs)
Access Control Matrix
• Access Control Lists (ACLs)
– Specifies the list of subjects that are authorized to access a
specific object
• Capability Lists
– Specifies the access rights a certain subject possesses pertaining
to specific objects
Access Control Matrix
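Worked example added here (not part of the slides): a small access control matrix, the ACL view (one column, per object) and the capability-list view (one row, per subject) derived from it, and a DAC grant that only the object's owner may perform. The subjects, objects, rights and ownership table are constructed for the demonstration.

```python
# Added example, not from the presentation. Access control matrix, ACLs,
# capability lists and owner-discretion (DAC) grants.
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]  # subject -> object -> rights

# Constructed matrix: rows are subjects, columns are objects, cells are rights.
MATRIX: Matrix = {
    "alice": {"payroll.xlsx": {"read", "write"}, "report.doc": {"read"}},
    "bob":   {"report.doc": {"read", "write"}},
    "carol": {"payroll.xlsx": {"read"}},
}

# Constructed DAC ownership: the owner decides who else gets access.
OWNERS = {"payroll.xlsx": "alice", "report.doc": "bob"}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Object-centric view (one column): which subjects hold which rights on obj."""
    return {s: set(rights[obj]) for s, rights in matrix.items() if obj in rights}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Subject-centric view (one row): everything this subject may do."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}


def check(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor decision: default deny unless the cell holds the right."""
    return right in matrix.get(subject, {}).get(obj, set())


def grant(matrix: Matrix, owners: Dict[str, str], granter: str,
          grantee: str, obj: str, right: str) -> None:
    """DAC: only the object's owner may extend access. Anyone else is refused."""
    if owners.get(obj) != granter:
        raise PermissionError(f"{granter} does not own {obj}")
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)


def revoke(matrix: Matrix, owners: Dict[str, str], revoker: str,
           subject: str, obj: str, right: str) -> None:
    """DAC revocation, again restricted to the owner."""
    if owners.get(obj) != revoker:
        raise PermissionError(f"{revoker} does not own {obj}")
    matrix.get(subject, {}).get(obj, set()).discard(right)


if __name__ == "__main__":
    print("ACL for payroll.xlsx:", acl(MATRIX, "payroll.xlsx"))
    print("capabilities of bob:", capability_list(MATRIX, "bob"))
    print("bob read payroll before grant:", check(MATRIX, "bob", "payroll.xlsx", "read"))
    grant(MATRIX, OWNERS, "alice", "bob", "payroll.xlsx", "read")
    print("bob read payroll after grant:", check(MATRIX, "bob", "payroll.xlsx", "read"))
```

The two views hold the same information; ACLs make "who can touch this object" cheap to answer and audit, capability lists make "what can this subject do" cheap, and a real system usually stores one and derives the other.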
Mandatory Access Control
• Based on security label system
• Users given security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc
– Category
• Information warfare, Treasury, UN, etc
Mandatory Access Control
• Subjects
– Umair: Classification level Secret, Category Finance
– Tayyeb: Classification level Secret, Category HR
• Objects
– Finance records: Classification level Secret, Category Finance
– Employee records: Classification level Secret, Category HR
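Worked example added here (not part of the slides): the sensitivity labels from the table above encoded as a classification level plus a category set, with a read decision that requires the subject's label to dominate the object's. The level ordering (Confidential < Secret < Top secret) and the write rule (a subject may only write to an object whose label dominates its own, the Bell-LaPadula confinement rule) are assumptions added for the demonstration, as is the extra "Top secret" subject.

```python
# Added example, not from the presentation. Label-based mandatory access
# control: classification level plus category set, dominance check.
from typing import Dict, Iterable

# Assumed ordering of the classification levels named on the slide.
LEVELS = {"Confidential": 1, "Secret": 2, "Top secret": 3}


class Label:
    """A sensitivity label: one classification level and a set of categories."""

    def __init__(self, level: str, categories: Iterable[str]):
        if level not in LEVELS:
            raise ValueError(f"unknown classification level: {level}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __repr__(self) -> str:
        return f"Label({self.level!r}, {sorted(self.categories)})"


# Labels from the slide's table, plus one constructed subject.
SUBJECTS: Dict[str, Label] = {
    "Umair": Label("Secret", {"Finance"}),
    "Tayyeb": Label("Secret", {"HR"}),
    "auditor": Label("Top secret", {"Finance", "HR"}),  # constructed
}
OBJECTS: Dict[str, Label] = {
    "Finance records": Label("Secret", {"Finance"}),
    "Employee records": Label("Secret", {"HR"}),
}


def can_read(subject: str, obj: str) -> bool:
    """Read allowed when the clearance dominates the object's label (no read up)."""
    return SUBJECTS[subject].dominates(OBJECTS[obj])


def can_write(subject: str, obj: str) -> bool:
    """Write allowed when the object's label dominates the clearance (no write
    down), so Secret/Finance data cannot leak into a lower or different
    compartment. This rule is an assumption added for the example."""
    return OBJECTS[obj].dominates(SUBJECTS[subject])


if __name__ == "__main__":
    for s in SUBJECTS:
        for o in OBJECTS:
            print(f"{s:8} {o:17} read={can_read(s, o)!s:5} write={can_write(s, o)}")
```

The category check is what keeps Umair and Tayyeb apart even though both hold Secret clearance: the label is policy, not the owner's choice, which is the difference from DAC.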
Role Based Access Control
• Uses centrally administered set of controls to determine
how subjects and objects interact
• Decisions based on the functions that a user is allowed to
perform within an organization
• An advantage of role based access controls is the ease of
administration
• Capability tables are sometimes seen in conjunction with
role-based access controls
• Best for high-turnover organizations
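Worked example added here (not part of the slides): permissions attached to roles rather than to users, so that onboarding and offboarding is a role assignment and a revocation rather than a rewrite of every ACL, with a separation-of-duties constraint that stops one person from holding two conflicting roles. The roles, permissions, users and the conflicting pair are constructed for the demonstration.

```python
# Added example, not from the presentation. Role-based access control with a
# separation-of-duties constraint on role assignment.
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (object, action)

# Constructed role -> permission mapping, administered centrally.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "payroll_clerk": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "auditor": {("payroll.xlsx", "read"), ("audit.log", "read")},
}

# Constructed separation-of-duties rule: one person must not both edit
# payroll and audit it.
SEPARATION_OF_DUTIES: List[Set[str]] = [{"payroll_clerk", "auditor"}]


class Rbac:
    def __init__(self, role_permissions: Dict[str, Set[Permission]],
                 sod_sets: List[Set[str]]):
        self.role_permissions = role_permissions
        self.sod_sets = sod_sets
        self.user_roles: Dict[str, Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        """Onboarding is one assignment; conflicting roles are refused."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        current = self.user_roles.get(user, set())
        for exclusive in self.sod_sets:
            if role in exclusive and (current & exclusive) - {role}:
                raise ValueError(
                    f"{user}: {role} conflicts with {sorted(current & exclusive)}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Offboarding: drop the user; no per-object ACL needs editing."""
        self.user_roles.pop(user, None)

    def permitted(self, user: str, obj: str, action: str) -> bool:
        """Default deny; allowed if any of the user's roles carries the permission."""
        return any((obj, action) in self.role_permissions[r]
                   for r in self.user_roles.get(user, set()))


if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMISSIONS, SEPARATION_OF_DUTIES)
    rbac.assign_role("dana", "payroll_clerk")
    rbac.assign_role("eve", "auditor")
    print("dana writes payroll:", rbac.permitted("dana", "payroll.xlsx", "write"))
    print("eve writes payroll:", rbac.permitted("eve", "payroll.xlsx", "write"))
    rbac.revoke_all("dana")                 # dana leaves
    rbac.assign_role("frank", "payroll_clerk")  # frank replaces her
    print("frank writes payroll:", rbac.permitted("frank", "payroll.xlsx", "write"))
```

Replacing dana with frank touched no object permissions at all, which is the administrative advantage the slide refers to; the separation-of-duties check turns an administrative policy into an enforced one.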
Access Control Techniques
Access Control Techniques
• Rules Based Access Control
• Constrained User Interface
• Content Dependent Access Control
• Context Dependent Access Control
Penetration Testing
Muhammad Wajahat Rajab
ACE, CISSP (Associate), BS (TE)
Introduction
• Process of simulating attacks on Information Systems
– At the request of the owner, senior management
• Uses set of procedures and tools designed to test
security controls of a system
• Emulates the same methods attackers use
Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
• Report to management
Step 1
• Discovery
– Gathering information about the target
– Reconnaissance Types
• Passive
• Active
Step 2
• Enumeration
– Performing port scans and resource identification methods
– Gaining specific information on the basis of information
gathered during reconnaissance
– Includes use of dialers, port scanners, network mapping,
sweeping, vulnerability scanners, and so on
Step 3
• Vulnerability Mapping
– Identifying vulnerabilities in identified systems and resources
– Based on these vulnerabilities attacks are carried out
Step 4
• Exploitation
– Attempting to gain unauthorized access by exploiting the
vulnerabilities
Step 5
• Report to management
– Delivering to management documentation of test findings along
with suggested countermeasures
Types
• Zero knowledge
• Partial knowledge
• Full knowledge
Questions
Question 1
• Which of the following refers to a series of characters
used to verify a user's identity?
A. Token Serial number
B. UserID
C. Password
D. Security ticket
Question 2
• Which type of access control allows owners to specify
who can access their files?
A. Discretionary
B. Relational
C. Mandatory
D. Administrative
Question 3
• The three primary methods for authentication of a user
to a system or network are?
A. Passwords, Tokens, and Biometrics
B. Authorization, Identification, and Tokens
C. Passwords, Encryption, and Identification
D. Identification, Encryption, and Authorization
Thank You!
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 

Access Control Presentation

2. Overview
• Protecting what needs to be protected with the available technologies!
• Access control is the of Information Security!

3. Some Questions
• What is Access?
• What is the Access Mechanism?
• What is Access Control?
• The right
• Flow of information between subject and object
• Mechanism to protect the assets!

6. Identification
• Method of establishing the subject's identity
– User, Program, Process
• Use of username or other public information
• Identification component requirements…
– Each value should be unique
– Follow a standard naming scheme
– Non-descriptive of the user's position or tasks
– Must not be shared between users

8. Authentication
• Method of proving the identity
• How to prove an identity?
– Something you know
– Something you have
– Something you are
• Use of passwords, tokens, biometrics or other private information
• What is two-factor authentication?
– Strong authentication

9. Something you know
• Traditional authentication method
• Passwords
– Protected string of characters
– Most widely used
– Types
• Cognitive passwords
• One-time passwords (Dynamic passwords)
• Passphrase

10. Cognitive passwords
• Fact or opinion based information
• Created through several experience based questions
• Easy to remember!
– A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.

11. One time passwords
• Only used once
• Used in sensitive cases and places
• Examples include
– Prepaid cards
– Token devices
• The token device generates the one-time password for the user to submit to an authentication server

12. Passphrase
• Sequence of characters that is longer than a password -- thus a phrase
– User enters this phrase into an application which transforms the value into a virtual password

13. Attacks against passwords
• Electronic monitoring
• Access the password file
• Brute force attacks
• Dictionary attacks
• Social engineering
• Shoulder surfing

14. Something you have
• Requires possession of something such as a key, smart card, or some other device
• Examples include…
– Keys
– Documents
– Token devices
– Memory cards
– Smart cards

15. Token device
• Software/hardware hybrid object used to verify an identity in an authentication process
• A token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad
– The token device is separate from the computer the user is attempting to access

16. Token Device – Benefits/Limitations
• Benefits
– Not vulnerable to electronic eavesdropping
• Wiretapping
• Sniffing
– Provides two-factor authentication
• Limitations
– Human error
– Battery limitation
– Token itself (environmental factors)

17. Types of Token Devices
• Synchronous Token
– A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.
• Asynchronous Token
– A token device using an asynchronous token-generating method employs a challenge/response scheme to authenticate a user.
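Both token types described on slide 17, as an added example that is not part of the original presentation: the synchronous case is a counter-based HOTP token (RFC 4226) whose server keeps a look-ahead window so a token that is a few presses ahead still resynchronizes, and the asynchronous case is a single-use nonce challenge/response. The shared secret is the RFC 4226 test-vector key, chosen so the codes can be checked against the RFC's published table; the class and function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret: the RFC 4226 test-vector key, so the HOTP
# values (755224, 287082, ...) match the RFC's Appendix D table.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class SynchronousVerifier:
    """Server side of a counter-synchronized token. Token and server each
    keep a counter; the server accepts a code only if it matches one of
    the next `window` counter values, then moves its counter past the
    value used, so a captured code can never be replayed."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # resynchronize past the used value
                return True
        return False                      # outside window, or replay


class AsynchronousVerifier:
    """Challenge/response: the server issues a random nonce, the token
    answers with HMAC(secret, nonce), and the server checks the answer.
    Each challenge is accepted once, so a sniffed response is useless."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending: set = set()         # challenges issued, not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    @staticmethod
    def token_response(secret: bytes, nonce: bytes) -> str:
        """What the handheld token computes from the displayed challenge."""
        return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.pending:
            return False                  # unknown or already-used challenge
        self.pending.discard(nonce)
        expected = self.token_response(self.secret, nonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    sync = SynchronousVerifier(SHARED_SECRET)
    print("counter 0 code:", hotp(SHARED_SECRET, 0), "accepted:", sync.verify(hotp(SHARED_SECRET, 0)))
    asyn = AsynchronousVerifier(SHARED_SECRET)
    n = asyn.challenge()
    print("challenge accepted:", asyn.verify(n, AsynchronousVerifier.token_response(SHARED_SECRET, n)))
```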
20. Memory Card
• Holds information but cannot process
– A memory card can hold a user's authentication information, so that the user only needs to type in a UserID or PIN.

21. Smart Card
• Holds and processes information
• After a threshold of failed login attempts, it can render itself unusable
• PIN or password unlocks smart card functionality
• Smart card could be used for:
– Holding biometric data in a template
– Responding to a challenge
– Holding a private key

22. Types of Smart Card
• Contact
– Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated)
– Through these physical contact points, transmission of commands, data, and card status takes place
• Contactless
– Requires only close proximity to a reader
– Both the reader and the card have an antenna, and it is via this contactless link that the two communicate

23. Smart Card attacks
• Micro-probing techniques
• Eavesdropping techniques
• Trojan Horse attacks
• Social engineering attacks

24. Something you are
• Special case of something you have
• Unique personal attribute is analyzed
• Encompasses all biometric techniques
– Fingerprints
– Retina scan
– Iris scan
– Hand geometry
– Facial scan

25. Biometric System
• A characteristic-based system
– Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process
• Uses an individual's unique physical characteristics in order to identify and authenticate
– Each has its own advantages and disadvantages

26. Fingerprints
• Every person's fingerprint is unique
• Most affordable and convenient method of verifying a person's identity
• The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.

27. Retina Scan
• Retinal scan technology maps the capillary pattern of the retina
– A thin (1/50th inch) nerve on the back of the eye!
• Accurate
• Many people are hesitant to use the device

28. Iris Scan
• Scans the iris, the colored portion of the eye
• For authentication the subject looks at the video camera from a distance of 3-10 inches
• The entire enrollment process takes less than 20 seconds, and subsequent identification takes 1-2 seconds.
• Offers high accuracy!

29. Hand Geometry
• Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.
• Takes over 90 measurements of the length, width, thickness, and surface area of a person's hand and fingers.
• Hand measurements occur with amazing speed, almost within one second.
• A charge-coupled device (CCD) digital camera is used to record the hand's three-dimensional shape.

30. Keyboard Dynamics
• Looks at the way a person types at a keyboard
• Also called Typing Rhythms!
• Keyboard dynamics measures two distinct variables:
– Dwell time: the amount of time one holds a particular key
– Flight time: the amount of time one takes to move between keys
• A keyboard dynamics system can measure one's keyboard input up to 1000 times per second!

31. Voice Print
• A voice reference template is constructed
– To construct it, an individual must speak a set of phrases several times as the system builds the template.
– Voice identification systems incorporate several variables including pitch, dynamics, and waveform.

32. Facial Scan
• Incorporates two significant methods:
– Detection
– Recognition
• Detection involves locating the human face within an image.
• Recognition is comparing the captured face to other faces that have been saved and stored in a database.

33. Facial Scan -- Process

34. Biometric Performance
• Biometric performance is most commonly measured in two ways:
– False Rejection Rate (FRR) – Type 1
– False Acceptance Rate (FAR) – Type 2
• The FRR is the probability that you are not authenticated to access your account.
• The FAR is the chance that someone other than you is granted access to your account.

35. Crossover Error Rate
• The Crossover Error Rate (CER) is the value at which Type 1 and Type 2 errors are equal.
– (Type 1 = Type 2 errors) = CER metric value
• System ABC has 1 out of 100 Type 1 errors = 1%
• System ABC has 1 out of 100 Type 2 errors = 1%
• System ABC CER = 1
• The lower the CER value, the higher the accuracy
• A system with a CER of 5 has greater accuracy than a system with a CER of 6
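A worked FRR/FAR/CER computation on constructed matcher scores, added here and not from the original slides: the acceptance threshold is swept from 0 to 100, FRR (Type 1) and FAR (Type 2) are measured at each setting, and the crossover is the operating point where the two rates meet, the slide's "Type 1 = Type 2". It also shows the trade-off the slide implies: raising the threshold lowers FAR and raises FRR. The score lists and function names are assumptions of this example.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed matcher scores (0-100, higher = closer match) for a toy
# biometric system: GENUINE are attempts by the enrolled user, IMPOSTOR
# are attempts by other people. The values are made up for this example.
GENUINE_SCORES: List[int] = [90, 85, 80, 75, 70, 65, 60, 55, 48, 42]
IMPOSTOR_SCORES: List[int] = [58, 52, 46, 40, 35, 30, 25, 20, 15, 10]


def false_rejection_rate(genuine: Iterable[int], threshold: int) -> float:
    """Type 1 error: share of genuine attempts scoring below the threshold."""
    genuine = list(genuine)
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostors: Iterable[int], threshold: int) -> float:
    """Type 2 error: share of impostor attempts scoring at or above the threshold."""
    impostors = list(impostors)
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def error_curve(genuine: List[int], impostors: List[int],
                thresholds: Iterable[int] = range(0, 101)) -> Dict[int, Tuple[float, float]]:
    """(FRR, FAR) at every candidate acceptance threshold."""
    return {t: (false_rejection_rate(genuine, t), false_acceptance_rate(impostors, t))
            for t in thresholds}


def crossover_error_rate(genuine: List[int], impostors: List[int]) -> Tuple[int, float]:
    """Sweep the threshold and return (threshold, CER) at the first point
    where FRR and FAR are equal, or as close as the sample allows."""
    best_t, best_gap, best_cer = None, None, None
    for t, (frr, far) in error_curve(genuine, impostors).items():
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (frr + far) / 2
    return best_t, best_cer


def more_accurate(cer_a: float, cer_b: float) -> str:
    """The slide's rule: the system with the lower CER is the more accurate one."""
    if cer_a == cer_b:
        return "tie"
    return "A" if cer_a < cer_b else "B"


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.0%} at threshold {t}")
    print("CER 5 vs CER 6, more accurate:", more_accurate(5, 6))
```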
40. Types of Access Controls
• There are three types of Access Controls:
– Administrative controls
• Define roles, responsibilities, policies, and administrative functions to manage the control environment.
– Technical controls
• Use hardware and software technology to implement access control.
– Physical controls
• Ensure safety and security of the physical environment.

41. Administrative Controls
• Ensure that technical and physical controls are understood and properly implemented
– Policies and procedures
– Security awareness training
– Asset classification and control
– Employment policies and practices (background checks, job rotations, and separation of duties)
– Account administration
– Account and log monitoring
– Review of audit trails

42. Technical Controls
• Examples of Technical Controls are:
– Encryption
– Biometrics
– Smart cards
– Tokens
– Access control lists
– Violation reports
– Audit trails
– Network monitoring and intrusion detection

43. Physical Controls
• Examples of Physical Controls are:
– HVAC
– Fences, locked doors, and restricted areas
– Guards and dogs
– Motion detectors
– Video cameras
– Fire detectors
– Smoke detectors

44. Categories of Access Controls
• Preventive – Avoid incident
• Deterrent – Discourage incident
• Detective – Identify incident
• Corrective – Remedy circumstance/mitigate damage and restore controls
• Recovery – Restore conditions to normal
• Compensating – Alternative control
• Directive

46. Administrative Preventive Controls
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Risk assessments and analysis
• Creating a security program
• Separation of duties

47. Administrative Detective Controls
• Job rotation
• Sharing responsibilities
• Inspections
• Incident response
• Use of auditors

48. Technical Preventive Controls
• Passwords
• Biometrics
• Smart cards
• Encryption
• Database views
• Firewalls
• ACLs
• Anti-virus

49. Technical Detective Controls
• IDS
• Reviewing audit logs
• Reviewing violations of clipping levels
• Forensics

50. Physical Preventive Controls
• Badges
• Guards and dogs
• CCTV
• Fences, locks, man-traps
• Locking computer cases
• Removing floppy and CD-ROM drives
• Disabling USB ports

51. Physical Detective Controls
• Motion detectors
• Intrusion detectors
• Video cameras
• Guard responding to an alarm

54. Centralized Access Control Methodologies
• (ISC)2 discusses the following methodologies:
– RADIUS -- Remote Authentication Dial-In User Service
– TACACS -- Terminal Access Controller Access Control System
– DIAMETER

55. RADIUS
• Provides centralized authentication, authorization and accounting management for network services
• Works on a Client/Server model
• Functions:
– To authenticate users or devices before granting them access to a network
– To authorize users or devices for certain network services
– To account for usage of the services used

58. TACACS
• TACACS has been through three generations:
– TACACS, XTACACS and TACACS+
• TACACS uses passwords for authentication
– TACACS+ allows users to use dynamic (one-time) passwords
– TACACS+ encrypts all the data
• TACACS uses UDP
– TACACS+ uses TCP

60. Diameter
• "New and improved" RADIUS
• RADIUS is limited in its methods of authenticating users
• Diameter does not have such limitations
• Can authenticate wireless devices and smart phones
• Open for future growth
• Users can move between service provider networks and change their points of attachment

62. Single Sign On (SSO)
• A system that enables a user to access multiple computer platforms
• User logs in just once
• Access granted to permitted resources
• No further login is required until after the user logs out
• Examples include:
– Kerberos
– SESAME
– Security Domains
– Thin Clients

63. Kerberos
• A computer network authentication protocol
– Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner.
• Principals
– Any user or service that interacts with a network
– Term that is applied to anything within a network that needs to communicate in an authorized manner

64. Kerberos components
• Components of Kerberos
– Key Distribution Center (KDC)
• Holds all of the principals' secret keys
• Principals authenticate to the KDC before networking can take place
– Authentication Server (AS)
• Authenticates the user at initial logon
• Generates the initial ticket that allows the user to authenticate to the local system
– Ticket Granting Service (TGS)
• Generates tickets that allow subjects to authenticate to each other

66. SESAME
• Secure European System for Applications in a Multi-Vendor Environment
• Uses symmetric and asymmetric cryptographic techniques
• Uses Privileged Attribute Certificates (PACs)
• PACs are generated by the Privileged Attribute Server (PAS)
• After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!

68. Security Domains
• Based on trust between resources or services on a domain that share a single security policy and single management
• The security policy defines the set of objects that each user has the ability to access
• A similar mission and a single point of management responsibility

69. Security Domains -- Bull's Eye View

70. Thin Clients
• Diskless computers are called dumb terminals or thin clients
• Client/Server technology forces users to log onto a central server just to be able to use the computer and access network resources.
• The server downloads the Operating System, or interactive operating software, to the terminal

72. Access Control Models
• Frameworks that dictate how subjects access objects
• Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

73. Discretionary Access Control
• Allows the owner of the resource to specify which subjects can access which resources
• Access control is at the discretion of the owner
• DAC defines an access control policy
– That restricts access to files and other system resources based on identity
• DAC can be implemented through Access Control Lists (ACLs)

74. Access Control Matrix
• Access Control Lists (ACLs)
– Specifies the list of subjects that are authorized to access a specific object
• Capability Lists
– Specifies the access rights a certain subject possesses pertaining to specific objects
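The DAC model of slides 73 and 74 as an added example, not the presentation's own code: one matrix of (subject, object) cells is read column-wise as an ACL and row-wise as a capability list, and the discretionary rule is enforced by letting only an object's owner grant or revoke rights on it. The subject and file names are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class AccessControlMatrix:
    """DAC as an access control matrix: rows are subjects, columns are
    objects, each cell is the set of rights the subject holds on the object.
    An ACL is one column of the matrix; a capability list is one row."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self._owner: Dict[str, str] = {}   # object -> owning subject

    def create(self, owner: str, obj: str) -> None:
        """Creating an object makes the creator its owner with full rights."""
        self._owner[obj] = owner
        self._cells[(owner, obj)] |= {"own", "read", "write"}

    def _require_owner(self, subject: str, obj: str) -> None:
        # Discretionary: only the owner decides who else may access the object.
        if self._owner.get(obj) != subject:
            raise PermissionError(f"{subject} does not own {obj}")

    def grant(self, granter: str, subject: str, obj: str, right: str) -> None:
        self._require_owner(granter, obj)
        self._cells[(subject, obj)].add(right)

    def revoke(self, revoker: str, subject: str, obj: str, right: str) -> None:
        self._require_owner(revoker, obj)
        self._cells[(subject, obj)].discard(right)

    def is_allowed(self, subject: str, obj: str, right: str) -> bool:
        """The reference-monitor check: look up a single cell."""
        return right in self._cells.get((subject, obj), set())

    def acl(self, obj: str) -> Dict[str, List[str]]:
        """Column view: every subject authorized on obj, with its rights."""
        return {s: sorted(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject: str) -> Dict[str, List[str]]:
        """Row view: every object the subject can reach, and how."""
        return {o: sorted(r) for (s, o), r in self._cells.items() if s == subject and r}


if __name__ == "__main__":
    # Constructed scenario: alice owns a spreadsheet and shares it read-only with bob.
    m = AccessControlMatrix()
    m.create("alice", "payroll.xlsx")
    m.grant("alice", "bob", "payroll.xlsx", "read")
    print("ACL for payroll.xlsx:", m.acl("payroll.xlsx"))
    print("bob's capability list:", m.capabilities("bob"))
```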
76. Mandatory Access Control
• Based on a security label system
• Users are given a security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc
– Category
• Information warfare, Treasury, UN, etc

77. Mandatory Access Control

Subject            Classification level   Category
Umair              Secret                 Finance
Tayyeb             Secret                 HR

Object             Classification level   Category
Finance records    Secret                 Finance
Employee records   Secret                 HR
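The label check behind the slide 77 table, as an added example that is not from the original deck: a sensitivity label is a classification level plus a category set, and a subject may read an object only when the subject's label dominates the object's, meaning a level at least as high and every one of the object's categories held. Umair and Tayyeb share the Secret level but differ in category, which is why neither can read the other department's records. The example also generalizes to multi-category clearances; the level ordering, the Label class and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed ordering of classification levels, lowest to highest.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1,
                          "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification level plus a set of categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the label lattice: level at least as high AND
        every category of `other` is also present in `self`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


# Labels copied from the slide's table (subject and object names are the slide's).
SUBJECTS: Dict[str, Label] = {
    "Umair": Label("Secret", frozenset({"Finance"})),
    "Tayyeb": Label("Secret", frozenset({"HR"})),
}
OBJECTS: Dict[str, Label] = {
    "Finance records": Label("Secret", frozenset({"Finance"})),
    "Employee records": Label("Secret", frozenset({"HR"})),
}


def can_read(subject_label: Label, object_label: Label) -> bool:
    """MAC read rule: the subject's clearance must dominate the object's
    classification. No owner can override this; the labels decide."""
    return subject_label.dominates(object_label)


def readable_objects(subject: str) -> List[str]:
    """Everything in OBJECTS that a named subject from the table may read."""
    clearance = SUBJECTS[subject]
    return sorted(o for o, lbl in OBJECTS.items() if can_read(clearance, lbl))


if __name__ == "__main__":
    for name in SUBJECTS:
        print(f"{name} may read: {readable_objects(name)}")
```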
78. Role Based Access Control
• Uses a centrally administered set of controls to determine how subjects and objects interact
• Decisions are based on the functions that a user is allowed to perform within an organization
• An advantage of role based access controls is the ease of administration
• Capability tables are sometimes seen in conjunction with role-based access controls
• Best for high-turnover organizations

80. Access Control Techniques
• Rules Based Access Control
• Constrained User Interface
• Content Dependent Access Control
• Context Dependent Access Control

81. Penetration Testing
Muhammad Wajahat Rajab
ACE, CISSP (Associate), BS (TE)

82. Introduction
• Process of simulating attacks on Information Systems
– At the request of the owner or senior management
• Uses a set of procedures and tools designed to test the security controls of a system
• Emulates the same methods attackers use

83. Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
• Report to management

84. Step 1
• Discovery
– Gathering information about the target
– Reconnaissance types
• Passive
• Active

85. Step 2
• Enumeration
– Performing port scans and resource identification methods
– Gaining specific information on the basis of information gathered during reconnaissance
– Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on

86. Step 3
• Vulnerability Mapping
– Identifying vulnerabilities in identified systems and resources
– Based on these vulnerabilities, attacks are carried out

87. Step 4
• Exploitation
– Attempting to gain unauthorized access by exploiting the vulnerabilities

88. Step 5
• Report to management
– Delivering to management documentation of test findings along with suggested countermeasures

89. Types
• Zero knowledge
• Partial knowledge
• Full knowledge

91. Question 1
• Which of the following refers to a series of characters used to verify a user's identity?
A. Token Serial number
B. UserID
C. Password
D. Security ticket

92. Question
• Which of the following refers to a series of characters used to verify a user's identity?
A. Token Serial number
B. UserID
C. Password
D. Security ticket

93. Question 2
• Which type of access control allows owners to specify who can access their files?
A. Discretionary
B. Relational
C. Mandatory
D. Administrative

94. Question
• Which type of access control allows owners to specify who can access their files?
A. Discretionary
B. Relational
C. Mandatory
D. Administrative

95. Question 3
• The three primary methods for authentication of a user to a system or network are?
A. Passwords, Tokens, and Biometrics
B. Authorization, Identification, and Tokens
C. Passwords, Encryption, and Identification
D. Identification, Encryption, and Authorization

96. Question
• The three primary methods for authentication of a user to a system or network are?
A. Passwords, Tokens, and Biometrics
B. Authorization, Identification, and Tokens
C. Passwords, Encryption, and Identification
D. Identification, Encryption, and Authorization