Discusion_wk1

Colin Horn
Week1Slides531.pptx

Access Control, Authentication and Public Key Infrastructure

Lesson 1

Access Control Framework, Assessing Risk, and Impact on Access Control

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10


Access Control

Enables an authorized person to control access to areas and resources in a given physical facility or computer-based information system


When and Where Is Access Control Needed?

People need access to certain objects within the same or different systems to perform their work

Sensitive data (human resources, payroll, mergers, acquisitions, and senior level personnel changes) needs protection


Importance of Access Control

Absence of access control: important and sensitive information is exposed to misuse and adverse effects from prying eyes, inquisitive insiders, hackers, and disgruntled employees.

With access control: the same important and sensitive information is protected from prying eyes, inquisitive insiders, hackers, and disgruntled employees.


Primary Components of Access Control

Policies: Defined from laws, requirements, and industry guides

Subjects: People who need to access or are restricted from accessing

Objects: Resources or information that need protection


Access Control Process

Access control requires:

Identification

Authentication

Authorization

Access control process:

Subject: presents credentials to the system

Authentication: system verifies and validates that the credentials are authentic

Authorization: grants permission to allowed resources


Access Control Process (Cont.)


User IAA Process

Identification—user presents credentials:

Account name and password (passphrase, tokens, and biometrics)

Authentication—server operating system:

Receives and compares credentials with authorized credentials

If they match, access is granted; otherwise a denial notice is sent to the user

Authorization—mainframe application server or database:

Recognizes authorized credentials

Facilitates requests for authorized resources

Denies access to unauthorized resources


The Information Security Triad

Page 15


Logical Access Controls

Who: Identity of subject

What: Type of access being requested

When: Combined with subject identity, access can be granted during one time period and denied at another time

Where: Physical or logical location

Why: Defined purpose for which access must be granted to a subject

How: Type of access that can be granted to a subject


Logical Access Controls for Objects


Data element

Table

Database

Application

System

Operating system

Network

Authentication Elements

Authentication elements can be any one, or a combination, of the following:

Something you know: password/passphrase, PIN

Something you are: biometrics, retina, fingerprint, facial

Something you have: tokens, dongles, device

PIN - 9723

PASSWORD - Drmb9^wX


Risk Definitions and Concepts


Risk

Asset value

Threat

Vulnerability

Probability of occurrence

Impact

Control

Risk Assessment

Determine which risks exist in environment or may occur in future

Measure level of risk by calculating the probability of occurrence and the potential impact on your environment

Risk = Probability × Impact


Access Control Threats


Password cracking

Guessing or deciphering passwords

Heightened access

Ability of attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access

Social engineering

Use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to the attacker

Access Control Vulnerabilities


Insecure passwords

Insecure storage

Insecure password hashes

Applications that run at too high a privilege level

Users

Risk Assessment


Quantitative

Involves numeric data and calculations to identify and rank the risks facing an organization

Qualitative

Relies upon expert opinion rather than math

Risk Management Strategies


Avoidance

Acceptance

Mitigation

Transference

Considerations for Designing a Risk Assessment

Create a risk assessment policy

Define goals and objectives

Describe a consistent approach or model

Inventory all IT infrastructure and assets

Determine the value of each asset

Quantitatively or qualitatively


(c) ITT Educational Services, Inc.


Considerations for Designing a Risk Assessment (Cont.)

Determine a “yardstick” or consistent measurement to determine the criticality of an asset

Categorize each asset’s place within the infrastructure as critical, major, or minor
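As an added example (not from the slides), the Risk Assessment and risk-assessment-design slides carried through on a constructed asset inventory: the formula Risk = Probability × Impact is applied quantitatively (impact in money) and qualitatively (the same product on a low/medium/high ordinal scale), and one consistent "yardstick" rule then classes each asset as critical, major or minor. The asset values, probabilities, scale cut points and category thresholds are all assumptions.

```python
"""Added example, not from the slides: ranking a constructed asset inventory with
Risk = Probability x Impact, quantitatively and qualitatively, then applying one
consistent yardstick to class each asset as critical, major or minor."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # asset value in currency units (constructed)
    probability: float      # chance of a loss event in the assessment period, 0..1
    impact_fraction: float  # share of the asset value lost if the event occurs, 0..1


def quantitative_risk(asset: Asset) -> float:
    """Risk = Probability x Impact, with Impact as the money at stake."""
    return asset.probability * (asset.value * asset.impact_fraction)


# Qualitative variant: the same product on an assumed 1..3 ordinal scale.
SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(probability: str, impact: str) -> int:
    return SCALE[probability] * SCALE[impact]


def to_level(x: float, medium_from: float, high_from: float) -> str:
    """Turn a number into low/medium/high using two assumed cut points."""
    if x >= high_from:
        return "high"
    if x >= medium_from:
        return "medium"
    return "low"


def categorize(risk: float, major_from: float, critical_from: float) -> str:
    """The yardstick: one rule that maps a risk score to critical/major/minor."""
    if risk >= critical_from:
        return "critical"
    if risk >= major_from:
        return "major"
    return "minor"


def rank_quantitative(assets, major_from=5_000.0, critical_from=20_000.0):
    """(name, risk, category) rows, highest risk first. Thresholds assumed."""
    rows = []
    for a in assets:
        r = quantitative_risk(a)
        rows.append((a.name, r, categorize(r, major_from, critical_from)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def rank_qualitative(assets, prob_cuts=(0.2, 0.5), impact_cuts=(10_000.0, 100_000.0)):
    """Same inventory scored on ordinal scales; rows are (name, score, category)."""
    rows = []
    for a in assets:
        p = to_level(a.probability, *prob_cuts)
        i = to_level(a.value * a.impact_fraction, *impact_cuts)
        score = qualitative_risk(p, i)
        rows.append((a.name, score, categorize(score, 3, 6)))  # cut points assumed
    return sorted(rows, key=lambda row: row[1], reverse=True)


INVENTORY = [  # constructed inventory
    Asset("payroll-db",    500_000, 0.10, 0.8),
    Asset("hr-file-share", 120_000, 0.25, 0.5),
    Asset("intranet-wiki",  20_000, 0.40, 0.3),
    Asset("dev-test-vm",     8_000, 0.60, 0.2),
]

if __name__ == "__main__":
    for row in rank_quantitative(INVENTORY):
        print("quantitative", row)
    for row in rank_qualitative(INVENTORY):
        print("qualitative ", row)
```

Running both rankings on the same inventory shows why the slides insist on a consistent approach: the coarse ordinal scale compresses the payroll database's 40,000 exposure and the test VM's 960 exposure into the same "major" band, so the qualitative order differs from the quantitative one, and an assessment that mixes the two methods across assets will rank them inconsistently.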


Where Are Access Controls Needed the Most?


Defense:

Risk: Insecure Direct Object Reference

Use an automated tool for real-time attack detection.

Monitor for manipulation of hidden and static parameters.

Establish a baseline configuration.

Risk: Cross-Site Request Forgery

Use an automated tool for real-time attack detection.

Alert on and respond to parameter manipulation.

Use known attack signatures.

Establish a baseline and monitor resource changes.

Risk: Security Misconfiguration

Use an automated tool for real-time attack detection.

Inspect outbound responses.

Investigate application failures.
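As an added example (not from the slides), one concrete form of the "monitor parameter manipulation" and "alert/respond" defenses listed above: a detector that reads web-server log lines and raises an alert when a client steps through many distinct object identifiers on one resource (the footprint of an insecure direct object reference probe) or sends a value the application never sets for a hidden or static parameter. The log format, the parameter names, the baseline of static values and the alert threshold are assumptions, and the log lines are constructed.

```python
"""Added example, not from the slides: a detector for the parameter manipulation
the defense notes say to monitor and alert on. Log format, parameter names,
baseline values and thresholds are assumptions; the log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Baseline: parameters the application sets itself, and the only values it ever sets (assumed).
STATIC_PARAMS = {"role": {"user"}, "currency": {"USD"}}
OBJECT_PARAM = "invoice_id"   # the direct object reference on /invoices (assumed)
ENUM_THRESHOLD = 5            # distinct ids per client and resource before alerting (assumed)


def parse_line(line: str):
    """Common-Log-Format-style line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["resource"] = url.path
    rec["params"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return alert strings: static-parameter tampering first, then id enumeration."""
    alerts = []
    ids_seen = defaultdict(set)  # (ip, user, resource) -> distinct object ids requested
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not trusted
        params = rec["params"]
        for name, allowed in STATIC_PARAMS.items():
            if name in params and params[name] not in allowed:
                alerts.append(f"static parameter tampered: {name}={params[name]} "
                              f"from {rec['ip']} user={rec['user']}")
        if OBJECT_PARAM in params:
            ids_seen[(rec["ip"], rec["user"], rec["resource"])].add(params[OBJECT_PARAM])
    for (ip, user, resource), ids in ids_seen.items():
        if len(ids) >= ENUM_THRESHOLD:
            alerts.append(f"object id enumeration: {len(ids)} distinct {OBJECT_PARAM} "
                          f"values on {resource} from {ip} user={user}")
    return alerts


SAMPLE_LOG = [  # constructed log lines
    '10.0.0.5 - alice [23/Sep/2010:10:00:01 +0000] "GET /invoices?invoice_id=1001 HTTP/1.1" 200 512',
    '10.0.0.5 - alice [23/Sep/2010:10:00:07 +0000] "GET /invoices?invoice_id=1002 HTTP/1.1" 200 498',
    '10.0.0.9 - carol [23/Sep/2010:10:01:00 +0000] "GET /invoices?invoice_id=1001 HTTP/1.1" 403 120',
    '10.0.0.9 - carol [23/Sep/2010:10:01:01 +0000] "GET /invoices?invoice_id=1002 HTTP/1.1" 403 120',
    '10.0.0.9 - carol [23/Sep/2010:10:01:02 +0000] "GET /invoices?invoice_id=1003 HTTP/1.1" 403 120',
    '10.0.0.9 - carol [23/Sep/2010:10:01:03 +0000] "GET /invoices?invoice_id=1004 HTTP/1.1" 200 510',
    '10.0.0.9 - carol [23/Sep/2010:10:01:04 +0000] "GET /invoices?invoice_id=1005 HTTP/1.1" 403 120',
    '10.0.0.9 - carol [23/Sep/2010:10:01:05 +0000] "GET /invoices?invoice_id=1006 HTTP/1.1" 403 120',
    '10.0.0.9 - carol [23/Sep/2010:10:02:00 +0000] "POST /profile?role=admin HTTP/1.1" 200 88',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The enumeration rule counts distinct identifiers rather than 403 responses on purpose: the one request that returned 200 in the constructed log is exactly the case the authorization check missed, and a detector keyed only on denials would never see it. The static-parameter rule is the "establish a baseline" step made concrete, since it can only fire once the application's legitimate values are known.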


The Seven Domains of a Typical IT Infrastructure


A Firewall Controls Network Traffic



Virtual Labs

Configuring an Active Directory Domain Controller

Managing Windows Accounts and Organizational Units

Complete Labs 1 & 2 and Quizzes 1 and 2

Multiple attempts on quizzes

Due on Sunday at 11:59PM EST
