Access Control Presentation
Transcript of Access Control Presentation
Access Control
Muhammad Wajahat Rajab
Overview
• Protecting what needs to be protected with the available technologies!
• Access control is the of Information Security!
Some Questions
• What is Access?
• What is the Access Mechanism?
• What is Access Control?
Answers:
• The right
• Flow of information between subject and object
• Mechanism to protect the assets!
Identification, Authentication, Authorization

Identification
• Method of establishing the subject’s identity
– User, Program, Process
• Use of username or other public information
• Identification component requirements…
– Each value should be unique
– Follow a standard naming scheme
– Non-descriptive of the user’s position or tasks
– Must not be shared between users
Authentication
• Method of proving the identity
• How to prove an identity?
– Something you know
– Something you have
– Something you are
• Use of passwords, tokens, biometrics, or other private information
• What is two-factor authentication?
– Combining two different factors from the list above (for example a PIN and a token); called strong authentication. Two credentials of the same factor, such as two passwords, do not count.
Something you know
• Traditional authentication method
• Passwords
– Protected string of characters
– Most widely used
– Types
• Cognitive passwords
• One time passwords (Dynamic passwords)
• Passphrase
Cognitive passwords
• Fact or opinion based information
• Created through several experience based questions
• Easy to remember!
– A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.
– The same facts are often public or guessable by acquaintances, so cognitive passwords are weak as a sole factor and are better confined to account-recovery flows backed by other checks.
One time passwords
• Only used once
• Used in sensitive cases and places
• Examples include
– Prepaid cards
– Token devices
• Token device generates the one-time password for the user to submit to an authentication server
Passphrase
• Sequence of characters that is longer than a password, thus a phrase
– The user enters the phrase into an application, which transforms it (typically by hashing) into the actual credential, sometimes called a virtual password
Attacks against passwords
• Electronic monitoring
• Access the password file
• Brute force attacks
• Dictionary attacks
• Social engineering
• Shoulder surfing
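Two of the attacks above, "access the password file" and "dictionary attacks", are easiest to understand by running one. The Python below is an added example, not part of the original presentation: it builds a constructed password file of unsalted SHA-256 hashes, cracks it with a small wordlist by hashing each candidate once and looking every user up in the result, shows that users who share a password are exposed before any cracking starts, and contrasts that with per-user salted PBKDF2 hashes, which defeat the precomputed table and make every guess slow. All usernames, passwords and wordlist entries are made up.

```python
import hashlib
import hmac
import os

# Constructed wordlist an attacker might carry; real ones hold millions of entries.
WORDLIST = ["letmein", "123456", "password", "dragon", "S3cur3!Pass"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one unkeyed, unsalted, fast hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "password file" as an attacker would find it after reading it off disk.
UNSALTED_FILE = {
    "alice": unsalted_hash("password"),
    "bob": unsalted_hash("dragon"),
    "carol": unsalted_hash("password"),  # same password as alice, therefore same hash
    "dave": unsalted_hash("correct-horse-battery-staple"),
}


def duplicate_passwords_visible(password_file: dict) -> bool:
    """With unsalted hashes, users sharing a password are visible without cracking anything."""
    hashes = list(password_file.values())
    return len(hashes) != len(set(hashes))


def dictionary_attack(password_file: dict, wordlist: list) -> dict:
    """Offline dictionary attack: hash every candidate once, then look up every user in the table.
    Cost is O(wordlist), not O(wordlist * users), because nothing per-user enters the hash."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in password_file.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the per-user salt kills the shared table, the iteration count slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_entry(password: str) -> tuple:
    """What the password file should store: (random salt, derived key)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, entry: tuple) -> bool:
    salt, stored = entry
    # Constant-time comparison so the check itself does not leak how many bytes matched.
    return hmac.compare_digest(salted_hash(password, salt), stored)
```

The cracked set is every user whose password appears in the wordlist; dave, with a long passphrase, is not found even though his hash is just as unsalted. With the salted entries, two users choosing "password" get different stored values, so the attacker must repeat the whole wordlist per user and pay the iteration cost each time.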
Something you have
• Requires possession of something such as a key, smart card, or some other device
• Examples include…
– Keys
– Documents
– Token devices
– Memory cards
– Smart cards
Token device
• Software hardware hybrid object used to verify an identity in an authentication process
• Token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad
– Token device is separate from the computer the user is attempting to access
Token Device – Benefits/Limitations
• Benefits
– Not vulnerable to passive electronic eavesdropping: a captured code is worthless once it has been used or has expired
• Wiretapping
• Sniffing
– Provide two-factor authentication (possession of the token plus the PIN that unlocks or accompanies it)
• Limitations
– Human error
– Battery limitation
– Token itself (environmental factors)
– A code can still be phished and relayed to the real server in real time, and the server's clock or counter must stay in sync with the token
Types of Token Devices
• Synchronous Token
– A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.
• Asynchronous Token
– A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.
Synchronous Token (diagram slide)

Asynchronous Token Device (diagram slide)
Memory Card
• Holds information but cannot process
– A memory card can hold a user's authentication information, so that the user only needs to type in a UserID or PIN.
![Page 21: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/21.jpg)
Smart Card
• Holds and processes information
• After a threshold of failed login attempts, it can render itself unusable
• PIN or password unlocks smart card functionality
• Smart card could be used for:
– Holding biometric data in template
– Responding to challenge
– Holding private key
![Page 22: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/22.jpg)
Types of Smart Card
• Contact
– Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated)
– Through these physical contact points, transmission of commands, data, and card status takes place
• Contactless
– Requires only close proximity to a reader
– Both the reader and the card have an antenna, and the two communicate over this contactless link
![Page 23: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/23.jpg)
Smart Card attacks
• Micro-probing techniques
• Eavesdropping techniques
• Trojan Horse attacks
• Social engineering attacks
![Page 24: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/24.jpg)
Something you are
• Sometimes described as a special case of something you have (the attribute is possessed rather than remembered), but usually counted as a distinct, third factor
• Unique personal attribute is analyzed
• Encompasses all biometric techniques
– Fingerprints
– Retina scan
– Iris scan
– Hand geometry
– Facial scan
![Page 25: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/25.jpg)
Biometric System
• A characteristic based system
– Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process
• Uses individual's unique physical characteristics in order to identify and authenticate
– Each has its own advantages and disadvantages
![Page 26: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/26.jpg)
Fingerprints
• Every person's fingerprint is unique
• Most affordable and convenient method of verifying a person's identity
• The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.
![Page 27: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/27.jpg)
Retina Scan
• Retinal scan technology maps the pattern of blood vessels on the retina
– The thin (about 1/50th of an inch) layer of nerve tissue at the back of the eye
• Accurate
• Many people are hesitant to use the device
![Page 28: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/28.jpg)
Iris Scan
• Scans the iris or the colored portion of the eye
• For authentication the subject looks at the video camera from a distance of 3-10 inches
• The entire enrollment process is less than 20 seconds, and subsequent identification takes 1-2 seconds.
• Offers high accuracy!
![Page 29: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/29.jpg)
Hand Geometry
• Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.
• Takes over 90 measurements of the length, width, thickness, and surface area of a person's hand and fingers.
• Hand measurements occur with amazing speed, almost within one second.
• A charge coupled device (CCD) digital camera is used to record the hand's three dimensional shape.
![Page 30: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/30.jpg)
Keyboard Dynamics
• Looks at the way a person types at a keyboard
• Also called Typing Rhythms!
• Keyboard dynamics measures two distinct variables:
– Dwell time: The amount of time one holds a particular key
– Flight time: The amount of time one moves between the keys
• Keyboard dynamic system can measure one's keyboard input up to 1000 times per second!
![Page 31: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/31.jpg)
Voice Print
• A voice reference template is constructed
– To construct, an individual must speak a set of phrases several times as the system builds the template.
– Voice identification systems incorporate several variables including pitch, dynamics, and waveform.
![Page 32: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/32.jpg)
Facial Scan
• Incorporates two significant methods:
– Detection
– Recognition
• Detection involves locating the human face within an image.
• Recognition is comparing the captured face to other faces that have been saved and stored in a database.
Facial Scan -- Process (diagram slide)
Biometric Performance
• Biometric performance is most commonly measured in two ways:
– False Rejection Rate (FRR) – Type1
– False Acceptance Rate (FAR) – Type 2
• The FRR is the probability that a legitimate user is rejected (not authenticated to their own account).
• The FAR is the chance that someone other than you is granted access to your account.
![Page 35: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/35.jpg)
Crossover Error Rate
• Crossover Error Rate (CER), also called the Equal Error Rate, is the point at which Type 1 and Type 2 errors are equal.
– (Type 1 rate = Type 2 rate) = CER metric value; it is found by sweeping the matching threshold, since raising the threshold lowers FAR and raises FRR
• System ABC has 1 Type 1 error per 100 attempts = 1%
• System ABC has 1 Type 2 error per 100 attempts = 1%
• System ABC CER = 1%
• The lower the CER value, the higher the accuracy
• A system with a CER of 5% is more accurate than a system with a CER of 6%
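To make FAR, FRR and the crossover concrete, the following Python is an added example (not from the original slides). It sweeps the matching threshold over constructed genuine and impostor match scores, computes both error rates at every threshold, and reports the threshold where the two rates cross. The score lists are invented; a real evaluation uses thousands of comparisons per curve, and the same code applies unchanged.

```python
# Constructed match scores in [0, 1]; higher means closer to the enrolled template.
# GENUINE: legitimate users against their own templates. IMPOSTOR: other people against those templates.
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.66, 0.95, 0.59, 0.84, 0.71, 0.90]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.18, 0.42, 0.27]


def far(impostor_scores, threshold):
    """Type 2 error: fraction of impostors whose score reaches the threshold and who are accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """Type 1 error: fraction of legitimate users whose score falls short and who are rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) for every threshold in the sweep; FAR falls and FRR rises as it increases."""
    return [(t / steps, far(impostor, t / steps), frr(genuine, t / steps)) for t in range(steps + 1)]


def crossover_error_rate(genuine, impostor, steps=100):
    """CER / EER: the sweep point where FAR and FRR are closest to equal. Returns (threshold, rate)."""
    t, fa, fr = min(error_curve(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (fa + fr) / 2


def more_accurate(cer_a, cer_b):
    """Compare two systems by CER: the lower rate wins, as the slide states."""
    return "A" if cer_a < cer_b else "B"
```

Operationally the threshold is not fixed at the crossover: a door to a server room is tuned towards low FAR (accept more false rejections), a consumer phone unlock towards low FRR. The CER is the single number used to compare systems before that tuning.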
CER Concept (diagram slide)
Authorization

Controls
Types of Access Controls
• There are three types of Access Controls:
– Administrative controls
• Define roles, responsibilities, policies, and administrative functions to manage the control environment.
– Technical controls
• Use hardware and software technology to implement access control.
– Physical controls
• Ensure safety and security of the physical environment.
Administrative Controls
• Ensure that technical and physical controls are understood and properly implemented
– Policies and procedures
– Security awareness training
– Asset classification and control
– Employment policies and practices (background checks, job rotations, and separation of duties)
– Account administration
– Account and log monitoring
– Review of audit trails
Technical Controls
• Examples of Technical Controls are:
– Encryption
– Biometrics
– Smart cards
– Tokens
– Access control lists
– Violation reports
– Audit trails
– Network monitoring and intrusion detection
Physical Controls
• Examples of Physical Controls are:
– HVAC
– Fences, locked doors, and restricted areas
– Guards and dogs
– Motion detectors
– Video cameras
– Fire detectors
– Smoke detectors
Categories of Access Controls
• Preventive: avoid an incident before it happens
• Deterrent: discourage an incident
• Detective: identify an incident, in progress or after the fact
• Corrective: remedy the circumstance, mitigate damage and restore controls
• Recovery: restore conditions to normal
• Compensating: alternative control used when the primary control is not feasible
• Directive: specify required actions or behaviour (policies, procedures, signage)
Categories of Access Controls (diagram slide)
Administrative Preventive Controls
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Risk assessments and analysis
• Creating a security program
• Separation of duties
Administrative Detective Controls
• Job rotation
• Sharing responsibilities
• Inspections
• Incident response
• Use of auditors
Technical Preventive Controls
• Passwords
• Biometrics
• Smart cards
• Encryption
• Database views
• Firewalls
• ACLs
• Anti-virus
Technical Detective Controls
• IDS
• Reviewing audit logs
• Reviewing violations of clipping levels
• Forensics
Physical Preventive Controls
• Badges
• Guards and dogs
• CCTV
• Fences, locks, man-traps
• Locking computer cases
• Removing floppy and CD-ROM drives
• Disabling USB port
Physical Detective Controls
• Motion detectors
• Intrusion detectors
• Video cameras
• Guard responding to an alarm
Jotting them together… (diagram slide)

Centralized Access Control Methodologies
• (ISC)2 discusses the following methodologies:
– RADIUS -- Remote Authentication Dial-In User Service
– TACACS -- Terminal Access Controller Access Control System
– DIAMETER
RADIUS
• Provides centralized authentication, authorization and accounting (AAA) management for network services
• Works on a client/server model: the network access server (NAS) is the RADIUS client and the RADIUS server holds the user database
• Functions:
– To authenticate users or devices before granting them access to a network
– To authorize users or devices for certain network services
– To account for usage of the services used
• Runs over UDP (ports 1812 and 1813); the only attribute hidden from an eavesdropper is the user password, by an MD5-based pad keyed on the shared secret, so a weak shared secret undermines the whole exchange
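The one part of a RADIUS Access-Request that is protected from an eavesdropper is the User-Password attribute, and the protection is only as strong as the shared secret. The Python below is an added example, not from the presentation: it implements the RFC 2865 section 5.2 hiding (MD5 of the shared secret and the 16-byte Request Authenticator, chained block by block as an XOR pad), the reverse operation the RADIUS server performs, and the attack available to anyone who captures a request for an account whose password they know (their own will do): offline guessing of the shared secret. The Request Authenticator, password and candidate secrets are constructed values.

```python
import hashlib


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ...  (S = shared secret, RA = Request Authenticator)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block  # the chain continues from the ciphertext block, not the plaintext
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same pads, XOR back, strip the NUL padding (NUL cannot occur in a password)."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return plain.rstrip(b"\x00")


def guess_shared_secret(hidden: bytes, request_authenticator: bytes, known_password: bytes, candidates):
    """Offline known-plaintext attack on the shared secret. The attacker sniffed an Access-Request
    (RA travels in the clear) for an account whose password they know and tries each candidate secret.
    One MD5 per 16-byte block per guess, so a dictionary-word secret falls in milliseconds."""
    for secret in candidates:
        if reveal_user_password(hidden, secret, request_authenticator) == known_password:
            return secret
    return None
```

Everything else in the packet, including the username, the NAS address and the attributes in the reply, is sent in the clear, which is why RADIUS is normally run only inside a trusted network segment or tunnelled (RadSec over TLS).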
RADIUS Process (diagram slide)

RADIUS Implementation (diagram slide)
TACACS
• TACACS has been through three generations: TACACS, XTACACS and TACACS+ (the last is a separate protocol, not compatible with the first two)
• TACACS uses static passwords for authentication; TACACS+ also allows users to use dynamic (one-time) passwords
– TACACS+ obfuscates the entire packet body (only the header is in the clear), whereas RADIUS hides only the password attribute; it also separates authentication, authorization and accounting so each can be handled independently
• TACACS uses UDP; TACACS+ uses TCP (port 49)
TACACS at Work (diagram slide)
Diameter
• "New and improved" RADIUS, defined by the IETF (RFC 6733 is the current base protocol)
• RADIUS is limited in its methods of authenticating users and in its transport (UDP, with no built-in reliability or transport security)
• Diameter does not have such limitations: it runs over TCP or SCTP, secures the transport with TLS/DTLS or IPsec, and either peer may initiate a message
• Can authenticate wireless devices and smart phones (it is the AAA protocol of mobile core networks)
• Open for future growth through extensible commands and attribute-value pairs (AVPs)
• Users can move between service provider networks and change their points of attachment (roaming)
Single Sign-On (SSO)
• A system that enables a user to access multiple computer platforms
• User logs in just once
• Access granted to permitted resources
• No further login is required until the user logs out (or the session expires)
• Examples include:
– Kerberos
– SESAME
– Security Domains
– Thin Clients
![Page 63: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/63.jpg)
Kerberos
• A computer network authentication protocol
– Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner.
• Principals
– Any user or service that interacts with a network
– Term that is applied to anything within a network that needs to communicate in an authorized manner
![Page 64: Access Control Presentation](https://reader034.fdocuments.us/reader034/viewer/2022052315/556c9c5ad8b42a44468b4831/html5/thumbnails/64.jpg)
Kerberos components
• Key Distribution Center (KDC)
– Holds all of the principals' secret keys
– Principals authenticate to the KDC before networking can take place
• Authentication Server (AS)
– Authenticates the user at initial logon
– Issues the initial ticket (the ticket-granting ticket, TGT) that the user later presents to the TGS
• Ticket Granting Service (TGS)
– Issues service tickets that allow a principal to authenticate to another principal (a service) without entering its password again
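The three components above are easiest to see as one exchange. The Python below is an added example, not from the presentation: a toy KDC that holds every principal's key and runs both the AS and the TGS, a client that performs the AS exchange with a key derived from its password, the TGS exchange with a TGT plus a timestamped authenticator, and finally an AP-REQ to the service, which checks it with nothing but its own key. Ticket contents are JSON sealed with a small HMAC-based authenticated-encryption routine that stands in for a Kerberos enctype; the realm name, principal names, lifetimes and the 300-second skew tolerance are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

REALM = b"EXAMPLE.REALM"  # assumption: a single toy realm
SKEW = 300                # seconds of clock skew tolerated on authenticators, as Kerberos 5 does


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC). It stands in for a
    Kerberos enctype so the protocol stays visible; it is an illustration, not a production cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(user: str, password: str) -> bytes:
    """String-to-key: the client's long-term key is derived from its password; the KDC stores the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM + user.encode(), 10_000)


class KDC:
    """Holds every principal's secret key and runs both the AS and the TGS."""

    def __init__(self):
        self.keys = {"alice": password_key("alice", "alice-pw"),
                     "krbtgt": os.urandom(32),      # the TGS's own key; TGTs are sealed under it
                     "fileserver": os.urandom(32)}  # a service principal's key
        self.lifetime = 8 * 3600

    def as_exchange(self, client: str, now: int) -> bytes:
        """AS-REQ/AS-REP: a session key sealed under the client's key, plus a TGT sealed under krbtgt's key.
        No pre-authentication here: modern KDCs demand an encrypted timestamp first, because otherwise
        anyone can request this reply and guess the user's password offline against it."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk.hex(), "expires": now + self.lifetime})
        return seal(self.keys[client], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REQ/TGS-REP: check the TGT and the authenticator (proof the client holds the session key,
        and freshness), then issue a service ticket sealed under the service's key."""
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        auth = unseal(bytes.fromhex(tgt["sk"]), authenticator)
        if tgt["expires"] < now or auth["client"] != tgt["client"] or abs(auth["ts"] - now) > SKEW:
            raise ValueError("TGT expired or authenticator invalid")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "sk": ssk.hex(), "expires": tgt["expires"]})
        return seal(bytes.fromhex(tgt["sk"]), {"sk": ssk.hex(), "ticket": ticket.hex()})


def client_login(kdc: KDC, user: str, password: str, service: str, now: int) -> dict:
    """The client's side: the password is used once, then tickets carry the identity (single sign-on)."""
    as_rep = unseal(password_key(user, password), kdc.as_exchange(user, now))  # wrong password -> ValueError
    sk = bytes.fromhex(as_rep["sk"])
    tgs_rep = unseal(sk, kdc.tgs_exchange(as_rep["tgt"], seal(sk, {"client": user, "ts": now}), service, now))
    ssk = bytes.fromhex(tgs_rep["sk"])
    return {"ticket": tgs_rep["ticket"], "authenticator": seal(ssk, {"client": user, "ts": now})}  # AP-REQ


def service_accept(kdc: KDC, service: str, ap_req: dict, now: int):
    """AP-REQ check at the service, which needs only its own key (looked up from kdc.keys here for brevity)
    and never the client's. Returns the authenticated client name, or None."""
    try:
        ticket = unseal(kdc.keys[service], bytes.fromhex(ap_req["ticket"]))
        auth = unseal(bytes.fromhex(ticket["sk"]), ap_req["authenticator"])
    except ValueError:
        return None
    ok = auth["client"] == ticket["client"] and ticket["expires"] >= now and abs(auth["ts"] - now) <= SKEW
    return ticket["client"] if ok else None
```

Three properties of Kerberos fall out of the code: the password never crosses the network, the service never learns it either, and everything hinges on the KDC's key store and on synchronised clocks, which is why a compromised KDC (or a forged krbtgt-sealed ticket) is a total compromise.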
Kerberos Process (diagram slide)
SESAME
• Secure European System for Applications in a Multi-Vendor Environment
• Uses symmetric and asymmetric cryptographic techniques
• Uses Privileged Attribute Certificates (PACs)
• PACs are generated by the Privileged Attribute Server (PAS)
• After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!
SESAME Process (diagram slide)
Security Domains
• Based on trust between resources or services on a domain that share a single security policy and single management
• The security policy defines the set of objects that each user has the ability to access
• A similar mission and single point of management responsibility
Security Domains -- Bull's Eye View (diagram slide)
Thin Clients
• Diskless computers are called dumb terminals or thin clients
• Client/Server technology forces users to log onto a central server just to be able to use the computer and access network resources.
• Server downloads the Operating System, or interactive operating software to the terminal
Access Control Models
• Frameworks that dictate how subjects access objects
• Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)
Discretionary Access Control
• Allows the owner of the resource to specify which subjects can access which resources
• Access control is at the discretion of the owner
• DAC defines access control policy
– That restricts access to files and other system resources based on identity
• DAC can be implemented through Access Control Lists (ACLs)
Access Control Matrix
• Access Control Lists (ACLs)
– Specifies the list of subjects that are authorized to access a specific object
• Capability Lists
– Specifies the access rights a certain subject possesses pertaining to specific objects
Access Control Matrix (diagram slide)
Mandatory Access Control
• Based on security label system
• Users given security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc.
– Category
• Information warfare, Treasury, UN, etc.
Mandatory Access Control
Subject            Classification level   Category
Umair              Secret                 Finance
Tayyeb             Secret                 HR

Object             Classification level   Category
Finance records    Secret                 Finance
Employee records   Secret                 HR
Role Based Access Control
• Uses centrally administered set of controls to determine how subjects and objects interact
• Decisions based on the functions that a user is allowed to perform within an organization
• An advantage of role based access controls is the ease of administration
• Capability tables are sometimes seen in conjunction with role-based access controls
• Best suited to organizations with high turnover: access follows the role, so joiners and leavers are handled by changing role assignments rather than editing permissions on every object
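The three models, and the two views of the access control matrix, can be written as one small reference monitor. The Python below is an added example, not from the presentation. The DAC part stores a constructed matrix and derives both an ACL (a column, kept with the object) and a capability list (a row, kept with the subject) from it; the MAC part uses the labels from the table above and enforces the simple security property (a subject may read an object only if its clearance level dominates the classification and its categories cover the object's categories); the RBAC part attaches permissions to roles rather than users, so offboarding is a single role removal. Subject, role and object names other than those in the table are invented.

```python
# DAC: the access control matrix. Rows are subjects, columns are objects, cells are rights.
MATRIX = {
    "umair":  {"finance_records": {"read", "write"}, "employee_records": set()},
    "tayyeb": {"finance_records": set(),             "employee_records": {"read"}},
    "backup": {"finance_records": {"read"},          "employee_records": {"read"}},
}


def acl_for(matrix, obj):
    """ACL: one column of the matrix, stored with the object, listing subjects and their rights."""
    return {s: rights[obj] for s, rights in matrix.items() if rights.get(obj)}


def capability_list_for(matrix, subject):
    """Capability list: one row of the matrix, stored with the subject, listing objects and rights."""
    return {o: r for o, r in matrix[subject].items() if r}


def dac_allows(matrix, subject, obj, right):
    return right in matrix.get(subject, {}).get(obj, set())


# MAC: labels are (classification level, set of categories), taken from the slide's table.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}
SUBJECT_LABELS = {"Umair": ("Secret", {"Finance"}), "Tayyeb": ("Secret", {"HR"})}
OBJECT_LABELS = {"Finance records": ("Secret", {"Finance"}), "Employee records": ("Secret", {"HR"})}


def dominates(subject_label, object_label):
    """Subject label dominates object label: level at least as high AND categories a superset (need to know)."""
    (s_level, s_cats), (o_level, o_cats) = subject_label, object_label
    return LEVELS[s_level] >= LEVELS[o_level] and s_cats >= o_cats


def mac_allows_read(subject, obj):
    """Simple security property: read permitted only when the clearance dominates the classification.
    The owner of the object has no say; the labels are set by policy, hence 'mandatory'."""
    return dominates(SUBJECT_LABELS[subject], OBJECT_LABELS[obj])


# RBAC: permissions belong to roles; users get roles; a user with no role can do nothing.
ROLE_PERMS = {
    "finance_clerk": {("finance_records", "read"), ("finance_records", "write")},
    "hr_clerk":      {("employee_records", "read")},
    "auditor":       {("finance_records", "read"), ("employee_records", "read")},
}
USER_ROLES = {"umair": {"finance_clerk"}, "tayyeb": {"hr_clerk"}, "sana": {"auditor"}}


def rbac_allows(user, obj, right):
    return any((obj, right) in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def offboard(user):
    """Turnover: drop the role assignment; no per-object ACL edits are needed, which is the ease of
    administration the slide credits to RBAC."""
    USER_ROLES.pop(user, None)
```

The MAC check is the one that surprises people: a Top Secret clearance with the Finance category still cannot read a Secret HR record, because the category set, not just the level, has to be covered.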
Access Control Techniques
• Rules Based Access Control
• Constrained User Interface
• Content Dependent Access Control
• Context Dependent Access Control
Penetration Testing
Muhammad Wajahat Rajab
ACE, CISSP (Associate), BS (TE)
Introduction
• Process of simulating attacks on Information Systems
– At the request of the owner, senior management
• Uses set of procedures and tools designed to test security controls of a system
• Emulates the same methods attackers use
Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
• Report to management
Step 1
• Discovery
– Gathering information about the target
– Reconnaissance Types
• Passive
• Active
Step 2
• Enumeration
– Performing port scans and resource identification methods
– Gaining specific information on the basis of information gathered during reconnaissance
– Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on
Step 3
• Vulnerability Mapping
– Identifying vulnerabilities in identified systems and resources
– Based on these vulnerabilities attacks are carried out
Step 4
• Exploitation
– Attempting to gain unauthorized access by exploiting the vulnerabilities
Step 5
• Report to management
– Delivering to management documentation of test findings along with suggested countermeasures
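Of the five steps, enumeration and vulnerability mapping are the ones that reduce directly to code. The Python below is an added example, not from the presentation: it starts a constructed local service that greets with a banner, runs a TCP connect scan with banner grabbing over a list of ports (Step 2), and matches the banners against a constructed knowledge base (Step 3). The product name "ExampleFTP" and the issue attributed to it are invented, so no real software is described; the scanner is deliberately a full-connect scan, which is noisy but needs no privileges. Point it only at hosts you are authorised to test.

```python
import socket
import threading

# Constructed knowledge base for the vulnerability-mapping step; keys are banners, values are findings.
KNOWN_ISSUES = {"ExampleFTP 1.0": "constructed: accepts anonymous login"}


def start_constructed_service(banner: bytes) -> int:
    """Constructed target: a loopback listener that sends a banner on connect, as many services do."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """A port that was free a moment ago, used to show what a closed port looks like to the scanner."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def tcp_connect_scan(host: str, ports, timeout: float = 0.3) -> dict:
    """Step 2, enumeration: complete the TCP handshake on each port; on success, read a banner.
    Returns {open_port: banner_text}. Closed ports refuse the connection and are simply skipped."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(128)
                except socket.timeout:
                    banner = b""  # open, but the service waits for the client to speak first
                found[port] = banner.decode(errors="replace").strip()
        except OSError:
            continue
    return found


def map_vulnerabilities(scan: dict, known_issues: dict) -> dict:
    """Step 3, vulnerability mapping: tie each identified service to what is known about it.
    Real tooling matches on version ranges, not exact strings; exact match keeps the example honest."""
    return {port: known_issues[banner] for port, banner in scan.items() if banner in known_issues}
```

The output of Step 3 is the input to Step 4 (exploitation) and, after the engagement, the substance of Step 5: every finding in the report should trace back to a concrete port, banner and mapped weakness like the dictionary above.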
Types
• Zero knowledge
• Partial knowledge
• Full knowledge
Questions
Question 1
• Which of the following refers to a series of characters used to verify a user's identity?
A. Token Serial number
B. UserID
C. Password
D. Security ticket
Answer: C. Password
Question 2
• Which type of access control allows owners to specify who can access their files?
A. Discretionary
B. Relational
C. Mandatory
D. Administrative
Answer: A. Discretionary
Question 3
• The three primary methods for authentication of a user to a system or network are?
A. Passwords, Tokens, and Biometrics
B. Authorization, Identification, and Tokens
C. Passwords, Encryption, and Identification
D. Identification, Encryption, and Authorization
Answer: A. Passwords, Tokens, and Biometrics
Thank You!