Practical_assignment-531
Access Control, Authentication, and Public Key Infrastructure
Lesson 4
Human Nature and Organizational Behavior
Access Control for Information Systems
© ITT Educational Services, Inc. All rights reserved.
IS404 Access Control, Authentication and PKI (PKI)
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
09/23/10
Dealing with Human Nature
The unintentional threat
Hackers and motivation
Social engineering
Pre-Employment Checks
What Information Can Be Considered
What Information Cannot be Considered
Applicant’s Rights
Consequences of a Bad Hiring Decision
Ongoing Observation of Personnel
Identify Potentially Disgruntled Employees
Proper Ways to Revoke Access upon Employee Termination
Organizational Structure and Access Control Strategy
An access control model based on organizational structure is designed to prevent social engineering attacks
Employees are given access based on the tasks they must complete as part of their job
Access rules are based on a balance of confidentiality and necessity
The organizational structure model is similar to the role-based access control (RBAC) model
Job Rotation and Position Sensitivity
Job rotation minimizes effects of dishonesty
Often used for sensitive positions, especially those that are directly responsible for crucial information and assets
Requirement for Periodic Vacation
Periodic vacations act as a security measure
Requiring a person to take time off from work provides time for evidence of dishonesty to surface
Can also reduce the success of social engineers
Separation of Duties
Ensures that a single person does not handle all crucial decisions and activities, especially those involving a high level of trust
Goal is to avoid the temptation to commit fraud or other illegal activities
Two-person control
Collusion
Monitoring and oversight
Responsibilities of Access Owners
Disclosing to users any relevant legal, regulatory, or ethical issues surrounding the use or disclosure of the information
Implementing a data classification system and rating the data according to its sensitivity, confidentiality, inherent value, and other factors
Responsibilities of Access Owners (Cont.)
Maintaining a list of authorized users
Implementing procedures to safeguard information from unauthorized use, disclosure, alteration, or accidental or intentional destruction
Developing a policy governing data retention and disposition
Providing users with adequate training in the use and protection of the information
Training Employees
Be ongoing
Include multiple formats
Be interactive
Include multiple points of contact
Security Awareness Training Facts
Information technology (IT) security surveys conducted by well-known accounting firms found the following:
Many organizations have some awareness training.
Most awareness programs omitted important elements.
Less than 25% of organizations had no way to track awareness program effectiveness.
Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx
Ethics
What is right and what is wrong
Enforcing policies
Human resources involvement
Best Practices for Managing Human Nature
Defining appropriate policies and procedures governing employee behavior
Educating employees about the policies and procedures relevant to them
Discovering and addressing behavioral shortcomings
Encouraging creative risk-taking
User Domain Access Control Management
The Three States of Data
Data at Rest (DAR)
Stored on some device
Archived records
Data in Motion (DIM)
Sending an e-mail
Retrieving a Web page
Data in Process (DIP)
Creating a new document
Processing a payment
Protecting DAR
Use encryption to protect stored data:
Elements in databases
Files on network and shared drives
Files on portable or removable drives, Universal Serial Bus (USB) drives, and flash drives
Files and shared drives accessible from the Internet
Personal computers (PCs) and laptop hard drives, using full disk encryption
DIM
Protecting DIP
Data in process (DIP) is difficult to protect since it is being operated on by the central processing unit (CPU)
Object-Level Security
Object: An item or a distinct group of information in a data storage system
Group information as an object and set controls at the object level
Allows you to manage groups of related data
Helps with DAR and DIM security
Access Control List Properties
Each access control entry (ACE) in an ACL contains:
A security identifier (SID) that identifies what the ACE applies to—the specific user, group or system
An access mask that lists the specific rights granted or denied
Flags to indicate the type of ACE and whether child objects can inherit the rights from the object that the ACE is attached to
Access Control List Types
access-denied
access-allowed
system-audit
DACL and SACL
Discretionary Access Control List (DACL)
Controls access to an object
System Access Control List (SACL)
Handles the information assurance aspect of access controls
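An added example (not from the slides or the textbook) that models the ACE fields and the three ACE types above, and shows why the DACL and the SACL play different roles: the DACL walk decides access in ACE order (canonical order lists access-denied ACEs first, so a deny covering any requested right wins), while system-audit ACEs in the SACL never change the decision and only say which attempts to record. The rights bits, SIDs and ACL contents are constructed sample values, not real Windows constants.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed rights bits for the access mask (sample values, not real Windows constants)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# The three ACE types named on the slide
ACCESS_ALLOWED, ACCESS_DENIED, SYSTEM_AUDIT = "access-allowed", "access-denied", "system-audit"


@dataclass
class ACE:
    ace_type: str          # access-allowed / access-denied (DACL) or system-audit (SACL)
    sid: str               # security identifier the ACE applies to (user, group or system)
    mask: int              # access mask: the rights granted, denied or audited
    inherit: bool = False  # flag: child objects inherit this ACE from the object it is attached to


def check_access(dacl: Optional[List[ACE]], requester_sids: Set[str], requested: int) -> bool:
    """DACL decision. Walk the ACEs in order: a matching access-denied ACE that covers any
    requested right denies at once; access-allowed ACEs accumulate rights until every
    requested right has been granted. Anything left ungranted at the end means deny."""
    if dacl is None:          # object has no DACL at all: no protection, everyone is allowed
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in requester_sids:
            continue
        if ace.ace_type == ACCESS_DENIED and ace.mask & requested:
            return False
        if ace.ace_type == ACCESS_ALLOWED:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False              # empty DACL, or rights never fully granted: access denied


def audit_events(sacl: List[ACE], requester_sids: Set[str], requested: int,
                 allowed: bool) -> List[Tuple[str, int, str]]:
    """SACL side: system-audit ACEs do not affect the decision, they select what to log.
    Returns one (sid, audited rights, outcome) record per matching ACE."""
    outcome = "success" if allowed else "failure"
    return [(ace.sid, ace.mask & requested, outcome) for ace in sacl
            if ace.ace_type == SYSTEM_AUDIT and ace.sid in requester_sids and ace.mask & requested]


# Constructed sample object: staff may read and write, interns are denied writes, intern writes are audited
SAMPLE_DACL = [ACE(ACCESS_DENIED, "G-INTERNS", WRITE), ACE(ACCESS_ALLOWED, "G-STAFF", READ | WRITE)]
SAMPLE_SACL = [ACE(SYSTEM_AUDIT, "G-INTERNS", WRITE)]
ALICE = {"U-ALICE", "G-STAFF"}             # staff member
BOB = {"U-BOB", "G-STAFF", "G-INTERNS"}    # staff member who is also in the interns group

if __name__ == "__main__":
    for name, sids in (("alice", ALICE), ("bob", BOB)):
        allowed = check_access(SAMPLE_DACL, sids, WRITE)
        print(name, "write allowed:", allowed, "audit:", audit_events(SAMPLE_SACL, sids, WRITE, allowed))
```

Bob is a member of a group that is allowed to write, yet the earlier deny ACE wins; his failed write attempt is the only event the SACL records.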
Best Practices for Access Controls for Information Systems
Create a baseline for access
Segregate users’ rights by role
Automate user creation
Tie access controls to the environment
Have a clear standard for decommissioning data storage devices
Week 4 Homework Assignments
Read Chapters 7 and 8
Complete Labs 7 and 8 and Quizzes
Midterm Exam
50 questions: multiple choice and true/false
60 minutes
ONE attempt
Due Sunday at 11:59 PM EST