Practical_assignment-531
Access Control, Authentication, and Public Key Infrastructure
Lesson 3
Security Breaches and the Law
Mapping Business Challenges
to Access Control Types
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Laws and Data Breaches
Federal and state laws act as deterrents
Organizations are required to take reasonable steps to protect sensitive data
An organization may have a legal obligation to notify affected individuals, regulators, and other stakeholders if a breach has occurred
Federal Laws
Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) criminalizes accessing a protected computer without authorization or in excess of authorization, including to obtain data, cause damage, or commit fraud
Digital Millennium Copyright Act (DMCA, 17 U.S.C. § 1201) prohibits circumventing a technological measure that controls access to a copyrighted work, and trafficking in tools designed to do so
The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to the existing computer fraud provision (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984.
The 2008 amendments[1] (Identity Theft Enforcement and Restitution Act of 2008):
Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;
Eliminated the requirement that the defendant's action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;
Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;
Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;
Broadened the definition of "protected computer" in 18 U.S.C. § 1030(e)(2) to the full extent of Congress's commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and
Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.
State Laws
California's breach notification statute (Civil Code § 1798.82, originally SB 1386) requires businesses to notify California residents when their unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person
Every U.S. state has since enacted a breach notification law; what counts as personal information, how quickly notice is due, and whether a regulator must also be told differ from state to state
Research the specific laws that apply in your state. You can begin by visiting your state's Office of the Attorney General Web site.
First-Layer Access Controls
All physical security must comply with applicable regulations
Access to secure computing facilities is granted only to individuals with a legitimate business need for access
All secure computing facilities that allow visitors must keep an access log
Visitors must be escorted at all times
Passwords
Most common and easiest form of access control
To be effective: the password must travel only over an encrypted channel (for example TLS) and be stored server-side as a salted, slow hash, never in plaintext or in reversibly encrypted form
On their own, not very secure: guessable, reused across systems, and phishable
WHY USE THEM??
Something you know
User friendly – people get the concept (like an ATM PIN)
Two-factor authentication
– Combine passwords with a token such as a smart card
– ATM card and PIN – improved protection
Easy to manage
Supported across IT platforms
Access Control Failures
People
Technology
People
Social engineering
Phishing and spear phishing attacks
Poor physical security on systems
File-sharing and social networking sites
Technology
Weak password storage: plaintext, reversible encryption, or unsalted fast hashes
Web browsers are a major vector for unauthorized access
Web servers and other public-facing systems are an entry point for unauthorized access
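The "weak password encryption" failure on this slide, and the password slide earlier in the lesson, are easiest to see side by side in code. The following is an added example for this lesson, not code from the textbook: it contrasts an unsalted MD5 scheme, which a precomputed table cracks instantly, with salted PBKDF2-HMAC-SHA256 and a constant-time comparison. The passwords, the word list, and the iteration count are constructed assumptions.

```python
"""Weak versus sound password storage.

Added example for this lesson, not code from the textbook. It contrasts the
"weak password encryption" failure (an unsalted, fast hash that a precomputed
table cracks instantly) with salted PBKDF2-HMAC-SHA256 and a constant-time
compare. Passwords and the word list below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# --- Weak scheme: unsalted MD5. Identical passwords hash identically, and
# --- one precomputed table cracks every user at once.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return weak_store(password) == stored

def crack_weak(stored: str, wordlist: List[str]) -> Optional[str]:
    """Precompute hash->word once, then look up any stored hash in O(1)."""
    table = {weak_store(w): w for w in wordlist}
    return table.get(stored)

# --- Sound scheme: random per-user salt, slow key derivation, constant-time
# --- comparison. The iteration count is an assumption; tune it so one
# --- derivation costs roughly 100 ms on the server hardware.
ITERATIONS = 600_000

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record so the parameters can be raised later without
    # breaking verification of older entries.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def salt_makes_records_differ(password: str) -> dict:
    """Two users choosing the same password: weak records collide, strong ones do not."""
    return {
        "weak_identical": weak_store(password) == weak_store(password),
        "strong_identical": strong_store(password) == strong_store(password),
    }

if __name__ == "__main__":
    words = ["password", "letmein", "hunter2", "qwerty"]   # constructed word list
    print("weak record cracked as:", crack_weak(weak_store("hunter2"), words))
    print("strong record verifies:", strong_verify("hunter2", strong_store("hunter2")))
    print(salt_makes_records_differ("hunter2"))
```

The point of the two schemes is not the algorithm name but the properties: a per-user salt defeats shared precomputed tables, a deliberately slow derivation limits guesses per second, and the constant-time compare keeps the verifier from leaking partial matches through timing.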
Privacy Impact Assessment (PIA)
A comprehensive process for determining the privacy, confidentiality, and security risks associated with the collection, use, and disclosure of personal information
Describes the measures used to mitigate and, if possible, eliminate identified risks
Required in the public sector for any new system that handles personally identifiable information (PII)
Privacy Impact Assessment (PIA) (Cont.)
Identifies the key factors involved in securing PII
Emphasizes the process used to secure PII as well as the product
Has a sufficient degree of independence from the project implementing the new system
Has a degree of public exposure
Is integrated into the decision-making process
Security Breach Principles
The difference between a direct and an indirect attack lies in whose computer carries out the break-in. In a direct attack, the criminal uses his or her own computer to break into the target computers or systems. In an indirect attack, the criminal first compromises some other computer or system and uses it to attack the real target, which hides the attacker's origin.
System exploits
Eavesdropping
Social engineering
Denial of service (DoS) attacks
Indirect attacks
Direct attacks
Consequences
Security breaches can have serious consequences for an organization.
Breaches typically rely on:
Lax physical security
Inadequate logical access controls
A combination of both
Implications of Security Breaches
Damage to the organization's computer systems
Financial impact
Legal action
Loss of reputation
Cost of notifying all affected individuals
Loss of market share
Mapping Business Challenges to Types of Control
Disaster Prevention
Disaster Recovery
Customer Access to Data
Maintain Competitive Advantage
Solving Business Challenges with Access Control Strategies
Define your subjects and objects
Categorize them into groups and roles
Determine who needs access to what
Determine whether any external subjects will have access to internal systems and data
A subject may be a person, a process, or a technology component that either seeks access or controls access. For example, an employee trying to access his business email account is a subject. Similarly, the system that verifies credentials such as a username and password is also termed a subject.
An object can be a file, data, physical equipment, or premises that need controlled access. For example, the email stored in the mailbox is an object that a subject is trying to access.
Administrative Strategies
How will new accounts be created and new access levels be granted?
How will accounts be removed and access levels be lowered?
Access Control Types
Administrative
Technical/Logical
Physical
Page 27
Access Control Techniques
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Non-discretionary Access Control
Page 27
Discretionary Access Control (DAC)
DAC is “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.”
Example: DAC is typically the default access control mechanism for most desktop operating systems.
Page 28
Mandatory Access Control (MAC)
MAC is a “means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”
Example: A person requesting access to a classified file must both hold the appropriate clearance and have the owner's permission before access is granted; unlike DAC, the clearance check is enforced by the system and cannot be waived by the owner.
Page 28-29
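The DAC and MAC slides describe two checks that are usually combined in practice: an owner-managed permission and a label comparison the owner cannot override. The following is an added example, not code from the textbook. The classification levels, compartments, users and files are constructed for illustration; the MAC rule follows the Bell-LaPadula properties (no read up, no write down), which the slides do not name but which is the standard model for label-based MAC.

```python
"""MAC label dominance combined with DAC owner permission.

Added example for the DAC and MAC slides, not code from the textbook. The
classification levels, compartments, users and files are constructed for
illustration. The MAC check follows the Bell-LaPadula rules: no read up,
no write down. The DAC check is the owner-managed permission the slide
describes; an owner can hand out rights, but cannot override the label check.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass
class Subject:
    name: str
    clearance: Label

@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: subject -> rights

def mac_permits(subj: Subject, obj: Obj, right: str) -> bool:
    if right == "read":                      # simple security property: no read up
        return subj.clearance.dominates(obj.label)
    if right == "write":                     # *-property: no write down
        return obj.label.dominates(subj.clearance)
    return False

def dac_permits(subj: Subject, obj: Obj, right: str) -> bool:
    return subj.name == obj.owner or right in obj.acl.get(subj.name, set())

def grant(granter: Subject, obj: Obj, grantee: str, right: str) -> bool:
    """DAC: only the owner may pass a permission on to another subject."""
    if granter.name != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(right)
    return True

def access_permitted(subj: Subject, obj: Obj, right: str) -> bool:
    # Slide's rule: owner's permission AND adequate clearance are both required.
    return dac_permits(subj, obj, right) and mac_permits(subj, obj, right)

def scenario() -> Dict[str, bool]:
    """Constructed walk-through; returns each decision so it can be checked."""
    alice = Subject("alice", Label("SECRET", frozenset({"NUCLEAR"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    report = Obj("report.txt", owner="alice", label=Label("SECRET", frozenset({"NUCLEAR"})))
    memo = Obj("memo.txt", owner="bob", label=Label("CONFIDENTIAL"))
    return {
        "owner_reads_own_secret": access_permitted(alice, report, "read"),
        "owner_grant_succeeds": grant(alice, report, "bob", "read"),
        "bob_reads_secret_despite_grant": access_permitted(bob, report, "read"),
        "nonowner_grant_fails": grant(bob, report, "bob", "read"),
        "bob_grants_alice_memo_read": grant(bob, memo, "alice", "read"),
        "bob_grants_alice_memo_write": grant(bob, memo, "alice", "write"),
        "alice_reads_lower_memo": access_permitted(alice, memo, "read"),
        "alice_writes_down_to_memo": access_permitted(alice, memo, "write"),
        "bob_writes_own_memo": access_permitted(bob, memo, "write"),
    }

if __name__ == "__main__":
    for decision, allowed in scenario().items():
        print(f"{decision:32s} {'ALLOW' if allowed else 'DENY'}")
```

The two decisions worth studying are "bob_reads_secret_despite_grant" (the owner granted read, but the label check still denies it) and "alice_writes_down_to_memo" (she has the DAC write right, but a SECRET subject writing into a CONFIDENTIAL object would move data downward, so MAC denies it).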
Non-discretionary Access Control
Operating system protection
Security administrator control: access rules are set centrally rather than by resource owners
Ensures that system security is enforced
Page 29
Implementations
Access Control Lists (ACLs)
Access Control Matrix
Capability Tree
Content-Dependent Access Control
Constrained User Interface
Role-Based Access Control
Rule-Based Access Control
Temporal-Based Access Control
Page 30
Access Control Lists (ACLs)
An ACL provides an easy method for specifying which users, or subjects, are allowed to access which object (i.e., files).
Example: User A may provide read-only access on one of her files to User B, read and write access on the same file to User C, and full control to any user belonging to Group 1.
Page 30
Object-Based Access Control Matrix (rows: subjects; columns: objects; X = some right held)
| Subject | File 1 | File 2 | Obj. | Obj. |
|---|---|---|---|---|
| User A | X | X | | |
| User B | X | X | X | X |
| Group | X | X | | |
| Subject | X | X | | |
Page 31
An Object-Based Access Control Matrix is a collection of access control lists laid out as a grid: each row is a subject, each column is a protected object, and a mark in a cell means that subject holds rights on that object. Reading down one column gives that object's ACL; reading across one row gives that subject's capability list.
Access Controls
Subject-Oriented Capability Table (rows: objects; columns: subjects; cells: rights held)
| Object | User A | User B | Group | Subject |
|---|---|---|---|---|
| File 1 | WX | RWX | | |
| File 2 | W | XW | RWX | X |
| Folder 1 | R | WX | | |
| Object | RW | WX | | |
Page 31
A Subject-Oriented Capability Table holds the same subject/object relationships as the object-based matrix with the axes swapped: objects form the rows and subjects the columns, so reading down a subject's column gives its capability list and reading across an object's row gives that object's ACL. Unlike the simple X marks of the matrix above, a capability table usually states the level of access granted, i.e., read (R), write (W), or execute (X).
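Both tables above are views of one matrix, and the ACL and capability-list implementations differ only in which axis is stored with what. The following is an added example, not code from the textbook: it loads the rights from the capability table, derives the ACL of an object and the capability list of a subject from the same data, inverts the axes, and resolves a "Group" column. The group membership is a constructed assumption; the slide does not say who belongs to Group.

```python
"""One access control matrix, read as ACLs and as capability lists.

Added example for the two tables above, not code from the textbook. The
rights are the ones shown in the capability table, stored object-major
(one row per object). The group membership is a constructed assumption
used to show how a Group column is resolved for an individual subject.
"""
from typing import Dict, Set

Rights = Dict[str, Dict[str, Set[str]]]

# Rows: objects. Columns: subjects. Cells: rights as sets of R/W/X.
MATRIX: Rights = {
    "File 1":   {"User A": set("WX"), "User B": set("RWX")},
    "File 2":   {"User A": set("W"),  "User B": set("XW"), "Group": set("RWX"), "Subject": set("X")},
    "Folder 1": {"User A": set("R"),  "User B": set("WX")},
    "Object":   {"User A": set("RW"), "User B": set("WX")},
}

# Constructed assumption: which subjects belong to "Group".
MEMBERS: Dict[str, Set[str]] = {"Group": {"User A"}}

def acl(matrix: Rights, obj: str) -> Dict[str, Set[str]]:
    """ACL view: the object's entry, kept with the object (like file permissions)."""
    return {subj: set(r) for subj, r in matrix.get(obj, {}).items()}

def capabilities(matrix: Rights, subject: str) -> Dict[str, Set[str]]:
    """Capability view: everything one subject holds, carried by the subject (like a token)."""
    return {obj: set(r) for obj, row in matrix.items() for s, r in row.items() if s == subject}

def invert(table: Rights) -> Rights:
    """Swap the axes: object-major <-> subject-major. Applying it twice is the identity."""
    out: Rights = {}
    for a, row in table.items():
        for b, r in row.items():
            out.setdefault(b, {})[a] = set(r)
    return out

def effective_rights(matrix: Rights, subject: str, obj: str) -> Set[str]:
    """Union of the subject's own rights and those of every group it belongs to."""
    principals = {subject} | {g for g, members in MEMBERS.items() if subject in members}
    rights: Set[str] = set()
    for p in principals:
        rights |= matrix.get(obj, {}).get(p, set())
    return rights

def is_authorized(matrix: Rights, subject: str, obj: str, right: str) -> bool:
    return right in effective_rights(matrix, subject, obj)

if __name__ == "__main__":
    print("ACL of File 2:         ", acl(MATRIX, "File 2"))
    print("Capabilities of User A:", capabilities(MATRIX, "User A"))
    print("User A read File 2 via Group:", is_authorized(MATRIX, "User A", "File 2", "R"))
```

Note that User A has no direct read right on File 2 but is authorized through Group membership; in a real ACL system, group resolution is where most "why can this user see that?" investigations end up.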
Content-Dependent Access Control
Content-dependent access control is based on the actual content of the data record.
Example: Managers in an organization may have access to the payroll database to review data pertaining to their employees, but not to the employees of other managers.
Page 32
Constrained User Interface
Menus
Database views
Physically constrained user interfaces
Encryption
Page 32-33
Constrained User Interface - Users are allowed access only to specific functions, files, or other resources and are prevented from requesting access to unauthorized resources. As an example, some systems gray out icons that are not available for use in the current mode of operation. Constrained user interfaces can also be implemented through the use of:
Menus - A widely used form of constrained user interface. When users log on, they are presented only with menu options that lead them to approved parts of the system or processes. Users theoretically have no knowledge of the parts of the system for which they are not authorized.
Database views - Also called View-Based Access Control (VBAC). Database views are used when dealing with relational databases. They can be related to an established process used by the user, or created dynamically for each user upon logon to allow access to certain job-related parts of the database.
Physically constrained user interfaces - The user interface mechanism presents the user with a limited number of options, such as the buttons on an ATM.
Encryption - Constrains users by requiring a decryption key in order to access information stored on the system, or masks sensitive information so that the user cannot see it.
Caveat: a constrained interface reduces what a user is offered, not what the system will accept. Hidden menu items, grayed-out buttons, and client-side masking can be bypassed by sending the request directly, so the server must still check authorization on every request.
References:
NIST SP 800-12, "An Introduction to Computer Security: The NIST Handbook," 1995.
Howard, M., and D. LeBlanc, "Writing Secure Code," 2nd ed., Microsoft Press, 2002.
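The content-dependent payroll example and the database-view note above describe the same control: a manager sees only the rows whose manager column names him or her. The following is an added example, not code from the textbook, built on Python's standard sqlite3 module. Employees, managers, and salaries are constructed sample data. It enforces the rule three ways: a parameterized query, a per-manager view, and, as the failure case, a string-built query whose filter an input value can rewrite.

```python
"""Content-dependent access control and a database view, on a payroll table.

Added example for the content-dependent and database-view slides, not code
from the textbook. Employees, managers and salaries are constructed sample
data. It shows the same rule (a manager sees only his or her own reports)
enforced by a parameterized query, by a per-manager view, and, as the
failure case, by a string-built query that an input value can break out of.
"""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, int]

def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payroll (employee TEXT, manager TEXT, salary INTEGER)")
    con.executemany("INSERT INTO payroll VALUES (?, ?, ?)", [
        ("ann", "mia", 70000), ("ben", "mia", 65000), ("cy", "noah", 80000),
    ])
    return con

def payroll_for_manager(con: sqlite3.Connection, manager: str) -> List[Row]:
    """Content-dependent filter: a row is visible only if its manager column matches the requester."""
    return con.execute(
        "SELECT employee, salary FROM payroll WHERE manager = ? ORDER BY employee",
        (manager,),
    ).fetchall()

def payroll_for_manager_unsafe(con: sqlite3.Connection, manager: str) -> List[Row]:
    """Same intent, but the filter is glued into the SQL text: the control lives in
    the string, and a crafted value rewrites it."""
    sql = f"SELECT employee, salary FROM payroll WHERE manager = '{manager}' ORDER BY employee"
    return con.execute(sql).fetchall()

def create_manager_view(con: sqlite3.Connection, manager: str) -> str:
    """View-based access control: a view with the content filter baked in. DDL cannot
    take bind parameters, so the name is validated before it is spliced in."""
    if not manager.isidentifier():
        raise ValueError("manager must be a plain identifier")
    view = f"payroll_{manager}"
    con.execute(f"CREATE VIEW {view} AS SELECT employee, salary "
                f"FROM payroll WHERE manager = '{manager}'")
    return view

def view_name_accepted(manager: str) -> bool:
    try:
        create_manager_view(build_db(), manager)
        return True
    except ValueError:
        return False

def demo() -> dict:
    con = build_db()
    view = create_manager_view(con, "mia")
    evil = "' OR '1'='1"                      # constructed breakout value
    return {
        "mia_rows": payroll_for_manager(con, "mia"),
        "noah_rows": payroll_for_manager(con, "noah"),
        "view_rows": con.execute(f"SELECT employee, salary FROM {view} ORDER BY employee").fetchall(),
        "safe_with_evil": payroll_for_manager(con, evil),
        "unsafe_with_evil": payroll_for_manager_unsafe(con, evil),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The "unsafe_with_evil" result returns every row: the content-dependent control was only as strong as the query text that carried it. Binding the manager name as a parameter, or granting the user access to the view rather than the base table, keeps the filter out of reach of the input.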
Role-Based Access Control (RBAC)
An access policy that grants authorizations according to the user's job function or prescribed role rather than to the individual user.
Example: Each accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, each software engineer might be assigned to the developer role.
Page 33
Rule-Based Access Control
In a rule-based system, access is based on a list of rules created or authorized by system owners that specify the privileges granted to users (e.g., read, write, execute.).
Example: Permitting access for an account or group to a network connection at certain hours of the day or days of the week.
Page 33
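The RBAC and rule-based slides are usually layered: roles decide whether a permission exists at all, and rules decide whether it may be used right now (the slide's time-of-day example). The following is an added example, not code from the textbook. Roles, permissions, users, the business-hours rule, and the separation-of-duties pair (which anticipates the "Separation of Responsibilities" principle later in the lesson) are all constructed for illustration.

```python
"""RBAC with a rule-based layer on top.

Added example for the RBAC and rule-based slides, not code from the textbook.
Roles, permissions, users, the business-hours rule and the separation-of-duties
pair are constructed for illustration. Authorization is decided in two stages:
does any of the user's roles carry the permission, and do all rules attached to
that permission hold right now?
"""
from datetime import datetime, time
from typing import Callable, Dict, List, Set, Tuple

Perm = Tuple[str, str]                    # (resource, action)
Rule = Callable[[str, datetime], bool]    # (user, now) -> allowed

ROLES: Dict[str, Set[Perm]] = {
    "accountant": {("payroll", "read"), ("payroll", "write"), ("ledger", "read")},
    "auditor":    {("payroll", "read"), ("ledger", "read")},
    "developer":  {("repo", "read"), ("repo", "write"), ("ci", "read")},
}

# Static separation of duties: a user may not hold both roles of a pair.
EXCLUSIVE_ROLES: Set[Tuple[str, str]] = {("accountant", "auditor")}

USER_ROLES: Dict[str, Set[str]] = {
    "carol": {"accountant"},
    "dave":  {"developer"},
    "erin":  {"auditor"},
}

def business_hours(user: str, now: datetime) -> bool:
    """Rule: weekdays, 08:00 to 18:00 local time."""
    return now.weekday() < 5 and time(8, 0) <= now.time() < time(18, 0)

# Rule-based layer: extra conditions a permission must satisfy at request time.
RULES: Dict[Perm, List[Rule]] = {
    ("payroll", "write"): [business_hours],
}

def when(iso: str) -> datetime:
    """Helper so callers can write timestamps as 'YYYY-MM-DDTHH:MM'."""
    return datetime.fromisoformat(iso)

def assign_role(user: str, role: str) -> bool:
    """Refuse assignments that would violate a separation-of-duties pair."""
    if role not in ROLES:
        return False
    held = USER_ROLES.setdefault(user, set())
    for a, b in EXCLUSIVE_ROLES:
        if {a, b} <= held | {role}:
            return False
    held.add(role)
    return True

def permissions(user: str) -> Set[Perm]:
    """Union of the permissions of every role the user holds."""
    perms: Set[Perm] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLES[role]
    return perms

def authorize(user: str, resource: str, action: str, now: datetime) -> bool:
    perm = (resource, action)
    if perm not in permissions(user):                               # RBAC stage
        return False
    return all(rule(user, now) for rule in RULES.get(perm, []))     # rule stage

if __name__ == "__main__":
    print("carol payroll write Wed 10:00:", authorize("carol", "payroll", "write", when("2024-03-06T10:00")))
    print("carol payroll write Sat 10:00:", authorize("carol", "payroll", "write", when("2024-03-09T10:00")))
    print("carol payroll read  Sat 10:00:", authorize("carol", "payroll", "read", when("2024-03-09T10:00")))
    print("carol also auditor?           ", assign_role("carol", "auditor"))
```

Keeping the rule stage separate from the role table means the time-of-day policy can change without touching role definitions, and the separation-of-duties check in assign_role is where an "accountant who is also the auditor" gets stopped before any access decision is made.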
Temporal (Time-based) Isolation
Provides a way of exercising a pseudo-MAC: objects are labeled with a classification or sensitivity level, and the system is set up to process only one sensitivity level during a given time range, so that data of different sensitivities are never resident on the system at the same time.
Page 33
Access Control Principles
Separation of Responsibilities
Least Privilege
Need to Know
Input/Output Controls
Input and output controls govern a user's ability to interact with devices (keyboards, removable media, printers, network interfaces) and with data.
The guiding principle for input and output controls is the same as for every other control:
Users should have the least access needed to perform their job functions.
Third-Party Considerations
Contractual, strategic-partner, and legal requirements
Authentication methods, data classification, and data storage and recovery
Means of sharing data
Monitoring of access and violations
Service level agreements
Week 3 Homework Assignments
Read Chapters 5 and 6
Complete Labs 5 and 6 and Quizzes
If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:
"In this lesson, you learned about a variety of access control strategies available to an organization, such as physical security, technical controls, and the principle of least privilege. You also explored how designing an access control system helps meet business needs.
In the lab for this lesson, you will explore the capabilities of Windows Firewall, a type of technical control used in many businesses today. You will test the default configuration of Windows Firewall, configure Windows Firewall inbound rules to allow HTTP connections, and confirm that the new inbound firewall rule was configured correctly."
3/5/17