
Chapter 14 Controlling and Monitoring Access

Overview

Comparing Access Control Models

Comparing Permissions, Rights, and Privileges

Understanding Authorization Mechanisms

Defining Requirements with a Security Policy

Implementing Defense in Depth

Summarizing Access Control Models

Discretionary Access Controls

Nondiscretionary Access Controls

Comparing Permissions, Rights, and Privileges

Permissions

Access granted for an object

Rights

Ability to take action on an object

Privileges

Combination of rights and permissions

Understanding Authorization Mechanisms

Implicit deny

Access control matrix

Capability tables

Constrained interface

Content-dependent control

Context-dependent control

Need to know

Least privilege

Separation of duties and responsibilities

Defining Requirements with a Security Policy

Clarifies requirements

Shows senior leadership support

Sets guidelines and parameters

Implementing Defense in Depth

Protects against single-focused attacks

Document in security policy

Personnel are key

Uses combined solution approach

Summarizing Access Control Models

Discretionary Access Control (DAC)

Role Based Access Control (RBAC)

Rule-based access control (rule BAC)

Attribute Based Access Control (ABAC)

Mandatory Access Control (MAC)

Discretionary Access Controls

Owner, creator, or custodian defines access

Based on identity

Uses ACLs on each object

Not centrally managed

Supports change

Nondiscretionary Access Controls

Centrally administered

Changes affect entire environment

Not based on identity, instead uses rules

Less flexible

Role Based Access Control

Based on subject’s role or assigned tasks

Enforces principle of least privilege

Related to job descriptions and work functions

Useful in dynamic environments

Often implemented using groups (via DAC)

Task based access control (TBAC)

Rule-Based Access Controls

Rules, restrictions, filters

Global rules apply to all subjects

Firewall and router rules/filters

Attribute Based Access Controls

Characteristics are used to determine rule applications

Can relate to users, groups, network, or devices

Mandatory Access Control

Based on classifications

Top Secret, Secret, Confidential

Confidential/Proprietary, Private, Sensitive, Public

Need to know

Prohibitive rather than permissive

Hierarchical

Compartmentalization

Hybrid

Understanding Access Control Attacks

Overview

Risk Elements

Identifying Assets

Identifying Threats

Threat Modeling Approaches

Identifying Vulnerabilities

Common Access Control Attacks

Summary of Protection Methods

Risk Elements

Risk

Assets

Threat

Vulnerability

Risk Management

Identifying Assets

Asset valuation

Tangible value

Intangible value

Cost-benefit analysis

Identifying Threats

Threat modeling

Secure by Design, Secure by Default, Secure in Deployment and Communication (SD3+C)

Goals:

Reduce number of defects

Reduce severity of remaining defects

Advanced Persistent Threat (APT)

Threat Modeling Approaches

Focused on assets

Focused on attackers

Focused on software

Identifying Vulnerabilities

Vulnerability analysis

Weakness to threat

Technical and administrative

Vulnerability scans

Common Access Control Attacks 1/2

Impersonation

Access aggregation

Password

Dictionary

Brute force

Birthday

Rainbow table

Sniffer

Common Access Control Attacks 2/2

Spoofing

Social engineering

Phishing

Drive-by download

Spear phishing

Whaling

Vishing

Smartcard

Side-channel attack

Summary of Protection Methods

Control physical access and electronic access

Create a strong password policy

Hash and salt passwords

Use password masking

Deploy multifactor authentication

Use account lockout controls

Use last logon notification

Educate users about security

Conclusion

Read the Exam Essentials

Review the chapter

Perform the Written Labs

Answer the Review Questions