Access control

kumar99

Chapter5.pptx

Home >Computer Science homework help >Access control

Access Control, Authentication, and Public Key Infrastructure

Chapter 5

Security Breaches and the Law

www.jblearning.com

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Laws and Data Breaches

Federal and state laws act as deterrents

Organizations are required to take steps to protect the sensitive data

An organization may have a legal obligation to inform all stakeholders

if a breach occurred

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Federal Laws

Computer Fraud and Abuse Act (CFAA) designed to protect electronic data from theft

Digital Millennium Copyright Act (DMCA) prohibits unauthorized disclosure of data by circumventing an established technological measure

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984.

2008[1]

Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;

Eliminated the requirement that the defendant’s action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;

Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;

Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;

Broadened the definition of “protected computer” in 18 U.S.C. § 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and

Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.

State Laws

California Identity Theft Statute requires businesses to notify customers when personal information has been disclosed

Research specific laws that apply in your state.

You can begin by visiting your state’s

Office of Attorney General Web site.

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Kentucky State Laws

On April 10, Governor Beshear signed into law H.B. 232, designed to address the compromise of personally identifiable information of residents of the Bluegrass State. The law also requires cloud service providers that contract with educational institutions (K-12) to maintain the security of student data (name, address, email address, emails, and any documents, photos or unique identifiers relating to the student) and prohibits the sale or disclosure, or processing of student data for commercial purposes.

Like most states, Kentucky has defined personally identifiable information as first name or first initial and last name combined with any of the following data elements when the name or data element is not redacted:

Social Security number

Driver’s license number

Account number, credit or debit card number in combination with any required security code, access code or password permitting access to an individual’s financial account

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

First-Layer Access Controls

All physical security must comply with all applicable regulations

Access to secure computing facilities granted only to individuals with a legitimate business need for access.

All secure computing facilities that allow visitors must have an access log.

Visitors must be escorted at all times

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Most common and easiest form of access

To be effective: Requires the use of a secure channel through the network to transmit the encrypted password

Not very secure

WHY USE THEM??

Something you know

User friendly – People get the concept (like an ATM pin #)

Two factor authentication

– Combine passwords with a (smart card) token

– ATM card and PIN –improved protection

Easy to manage

Supported across IT platforms

Access Control Failures

People

Technology

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

People

Social engineering

Phishing and spear phishing attacks

Poor physical security on systems

File-sharing and social networking sites

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Technology

Very weak password encryption

Web browsers are a major vector for unauthorized access

Web servers and other public-facing systems, are an entry point for unauthorized access

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Privacy Impact Assessment (PIA)

A comprehensive process for determining the privacy, confidentiality, and security risks associated with the collection, use, and disclosure of personal information

Describes the measures used to mitigate and, if possible, eliminate identified risks

Required in the public sector for any new system that handles personally identifiable information (PII)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Privacy Impact Assessment (PIA) (Cont.)

Identifies the key factors involved in securing PII

Emphasizes the process used to secure PII as well as product

Has a sufficient degree of independence from the project implementing the new system

Has a degree of public exposure

Is integrated into the decision-making process

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Security Breach Principles

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

The difference between a direct & an indirect attack is in a

direct attack, the computer being used is that of the criminal to commit a break-in of other computers/systems whereas an

indirect attack is where the actual computer or system being attacked is compromised to completely this objective.

System exploits

Eavesdropping

Social engineering

Denial of service (DoS) attacks

Indirect attacks

Direct attacks

Consequences

Security breaches can have serious consequences for an organization.

They can rely on:

Lax physical security

Inadequate logical access controls

A combination of both

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Implications of Security Breaches

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Damages organizations’ computer systems

Financial Impact

Legal action

Loss of reputation

Costs of contacting all of the individuals

Organization’s market share

Prevent or Mitigate Access Control Attacks

Example: Target

‹#›

Hackers originally gained access to Target’s network by stealing the access credentials, via a phishing attack, of a refrigeration contractor

Electronic interaction with Target was limited to billing, contract submission, project management

Sophisticated and prolonged attack at Target

Once the hackers infiltrated the Target network, they distributed malware to thousands of PoS machines designed to siphon off customer data

The stolen data was later uploaded from the Target network to an FTP server

Then, they set up a control server within Target’s internal network that acted as the central repository for the stolen credit card data

Example Discussion Activity

How could this attack have been prevented?

‹#›

Protecting the Enterprise

‹#›

Requires a coordinated defense involving people, processes and tools that span anti-malware, firewalls, applications, servers, network access controls, intrusion detection and prevention, security event monitoring, and more

Identity and Access Management (IAM)

Obtain visibility and control over user access privileges, who has access to what?

‹#›

Detective controls

Access policy

Automated account reconciliation

Authentication Attacks

‹#›

Occur when a web application authenticates users unsafely, granting access to web clients that lack the appropriate credentials

Access Control Attacks

‹#›

Occur when an access control check in the web application is incorrect or missing, allowing users unauthorized access to privileged resources such as databases and files

Web Applications

‹#›

Exposing these rich interfaces to anyone on the Internet makes web applications an appealing target for attackers who want to gain access to other users’ data or resources

Access Control

‹#›

Access control attacks attempt to bypass or circumvent access control methods

Access control begins with identification and authorization

Access Aggregation

‹#›

Collecting multiple pieces of non-sensitive information and combining, or aggregating, the pieces to learn sensitive information

Reconnaissance Attacks

‹#›

Access aggregation attacks that combine multiple tools to identify elements of a system, such as IP addresses, open ports, running services, and operating systems

Protecting Against Access Control Attacks

‹#›

Control physical access to systems

Control electronic access to password files

Encrypt password files

Create a strong password policy

Use password masking

Deploy multifactor authentication

Use account lockout controls

Use last logon notification

Educate users about security

Audit access controls

Actively manage accounts

Use vulnerability scanners

Page ‹#›

Access Control, Authentication, and PKI