8/10/2019 Domain2 Access Control
1/24
CISSP Essentials:
Mastering the Common Body of Knowledge
Class 2:
Access control
Lecturer: Shon Harris, CISSP, MCSE
President, Logical Security
CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials
Class 2 Quiz:
www.searchsecurity.com/Class2quiz
Class 2 Spotlight:
www.searchsecurity.com/Class2spotlight
CISSP Essentials:
Mastering the Common Body of Knowledge
Access control mechanism examples
Physical:
  Locks
  Removal of floppy and CD-ROM drives
  Security guards controlling access to facility and equipment
  Computer chassis locks
Technical (logical):
  Encryption
  Passwords and tokens
  Biometrics
  Operating system and application controls
  Identification and authorization technologies
Administrative:
  Policies and procedures
  Security awareness training
  Quality assurance
Access control characteristics
Control service: description
Preventative: keep undesirable events from happening
Detective: identify undesirable events that have taken place
Corrective: correct undesirable events that have taken place
Deterrent: discourage security violations from taking place
Recovery: restore resources and capabilities after a violation or accident
Compensation: provide alternatives to other controls
Control combinations
Detective Physical:
  Human evaluation of output from sensors or cameras
  Motion detectors, intrusion detection, video cameras
  Guard responding to alarm
Detective Technical:
  IDS
  Reviewing audit logs
  Reviewing violations of clipping levels
  Forensics
Detective Administrative:
  Job rotation
  Sharing responsibilities
  Inspections
  Incident response
  Use of auditors
Authentication mechanisms characteristics
Verifying identification information
Something you know: password
Something you have: smart card
Something you are: biometrics (example: voice print)
Access control mechanisms in use today
Mechanism: examples
Biometrics: retina scan, fingerprint, voice print
Token devices: synchronous and asynchronous devices
Memory cards: ATM card, proximity card
Smart cards: credit card, identification card
Cryptographic keys: private key
Crossover Error Rate (CER)
Statistical metric
The CER is the value at which the Type I and Type II error rates are equal (Type I errors = Type II errors = CER)
Example: System ABC has 1 out of 100 Type I errors = 1%
System ABC has 1 out of 100 Type II errors = 1%
CER = 1
The lower the CER value, the higher the accuracy
A system with a CER of 4 has greater accuracy than a system with a CER of 5
Customers can use this rating when comparing biometric systems
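The crossover point worked through in code, as an added example that is not part of the slides: the match scores for genuine users and impostors are constructed, the acceptance threshold is swept, and the threshold where the Type I (false rejection) and Type II (false acceptance) rates meet gives the CER.

```python
# Added example: estimate FRR, FAR and the crossover error rate (CER) from
# constructed biometric match scores. Scores run 0-100; higher = better match.
GENUINE = [62, 70, 75, 78, 80, 82, 85, 88, 90, 93]   # constructed: legitimate users
IMPOSTOR = [20, 30, 38, 45, 52, 58, 64, 68, 72, 76]  # constructed: other people

def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) in percent for one acceptance threshold.
    Type I error / FRR: a genuine user scores below the threshold and is rejected.
    Type II error / FAR: an impostor scores at or above it and is accepted."""
    frr = 100.0 * sum(1 for s in genuine if s < threshold) / len(genuine)
    far = 100.0 * sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far

def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold and return (threshold, CER) at the point where
    FRR and FAR are closest to equal; on a continuous curve they cross there.
    The first threshold with the smallest gap wins ties."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _gap, threshold, cer = best
    return threshold, cer

def more_accurate(cer_a, cer_b):
    """Lower CER means higher accuracy; returns 'A', 'B' or 'equal'."""
    if cer_a == cer_b:
        return "equal"
    return "A" if cer_a < cer_b else "B"

if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print("crossover at threshold %d, CER = %.1f%%" % (t, cer))
```

Raising the threshold trades false acceptances for false rejections; the CER is the single number that lets two systems be compared independently of where each vendor set its threshold.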
Biometric system types
Biometric type: description
Fingerprint: ridge endings and bifurcations (minutiae)
Finger scan: same as fingerprint, but extracting a smaller amount of data from the fingerprint
Palm scan: all prints from fingers and creases, ridges and grooves from the palm
Hand geometry: shape (length and width) of hand and fingers
Retina scan: blood vessel pattern of the retina on the back of the eyeball
Iris scan: colored portion of the eye that surrounds the pupil
Signature dynamics: captures electrical signals of the signature process
Keyboard dynamics: captures electrical signals of the typing process
Voice print: distinguishes differences in sounds, frequencies and patterns
Facial scan: bone structure, nose ridges, forehead size, eye width
Hand topology: side view of the hand, reviewing size and width
Smart card
Smart card characteristics
Microprocessor and integrated circuits: holds and processes data
Tamperproof device: after a threshold of failed login attempts, it can render itself unusable
PIN or password unlocks smart card functionality
Smart card could be used for:
  Holding biometric data in a template
  Responding to a challenge
  Holding a private key
  Holding user work history, medical information, money, etc.
Added costs compared to other authentication technologies:
  Reader purchase
  Card generation and maintenance
Different technologies
Single sign-on methods:
  Scripts
  Directory services
  Thin clients
  Kerberos
  SESAME
Kerberos components working together
Components of Kerberos
Key Distribution Center (KDC):
  Holds all of the principals' secret keys
  Principals authenticate to the KDC before networking can take place
Principals:
  Any user or service that interacts with a network
  Term that is applied to anything within a network that needs to communicate in an authorized manner
Realm:
  All principals that a specific KDC is responsible for
  A KDC can be responsible for one or more domains
  Similar to Microsoft's concept of a domain or zones within DNS servers
More components of Kerberos
Two major services of the KDC
Authentication Server (AS):
  Authenticates the user at initial logon
  Generation of the initial ticket to allow the user to authenticate to the local system
  The initial ticket is also used to allow the user to request a Ticket Granting Ticket (TGT) from the TGS
Ticket Granting Service (TGS):
  Generation of tickets to allow subjects to authenticate to each other
  Tickets are called Ticket Granting Tickets (TGTs)
Kerberos authentication steps
Models for access
Access control models
Once security goals are understood, a model must be chosen to fulfill the directives of the security policy
The model is actually integrated into the operating system and application
A security model enforces access control by regulating how subjects and objects interact
Model types:
  Discretionary Access Control (DAC)
  Mandatory Access Control (MAC)
  Role-Based Access Control (RBAC), also called non-discretionary
  Rule-Based Access Control
  Access Control Matrix
Remote centralized administration
Technologies:
  RADIUS
  TACACS+
  Diameter
RADIUS characteristics
Remote Authentication Dial-In User Service (RADIUS)
AAA protocol: authentication, authorization, auditing
De facto standard for authentication protocol
Open source, thus has been integrated into many vendor products
Works on a client/server model
TACACS+ characteristics
Terminal Access Controller Access Control System (TACACS)
Cisco proprietary protocol: not open source for others to use
Splits authentication, authorization and auditing features
Allows the administrator more flexibility
Provides more protection for client-to-server communication compared to RADIUS
Diameter characteristics
Diameter
New and improved RADIUS
Open source protocol for all to use and integrate
RADIUS is limited in its methods of authenticating users:
  SLIP and PPP connections
  PAP, CHAP and some EAP authentication methods
Diameter does not have such limitations:
  Can authenticate wireless devices and smart phones
  Can authenticate by using other authentication protocols
  Open for future growth
  Users can move between service provider networks and change their points of attachment
Includes better message transport, proxying, session control and higher security for AAA transactions
IDS
Network-based IDS:
  Monitors traffic on a network segment
  Computer or network appliance with NIC in promiscuous mode
  Sensors communicate with a central management console
Host-based IDS:
  Small agent programs that reside on individual computers
  Detects suspicious activity on one system, not a network segment
Types of IDSes
Signature-based:
  Also called knowledge-based
  IDS has a database of signatures, which are patterns of previously identified attacks
  Cannot identify new attacks
  Software needs continual updates of signatures
Behavior-based:
  Statistical or anomaly-based
  Creates many false positives
  Better defense against new attacks
  Compares audit files, logs and network behavior, and develops and maintains profiles of normal behavior
Behavioral-based IDS
Statistical:
  Setting of a threshold for certain activities
  Once the threshold is exceeded, an alert is released
  For example: 10 FTP requests in a 10-minute period is okay; 50 FTP requests in a 10-minute period indicates an attack
Anomaly-based:
  Identification of abnormal behavior based on a profile of normal behavior
  The profile is built by the IDS learning about the environment's day-in and day-out activities
  An anomaly does not fall within a set of historical values
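The two behavior-based approaches from the last two slides (statistical threshold and anomaly profile), as an added example that is not part of the lecture: the FTP log lines, client addresses and the per-day history are constructed, the 10-minute window and the 50-request threshold come from the slide's own example, and the three-sigma rule for the anomaly profile is an assumed choice.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed FTP log lines of the form "<ISO timestamp> <client ip> FTP LOGIN".
# 10.0.0.5 makes 10 requests in 10 minutes (normal per the slide);
# 10.0.0.9 makes 60 requests in the same 10 minutes (at or over the threshold).
LOG_LINES = (
    ["2019-08-10T09:%02d:00 10.0.0.5 FTP LOGIN" % m for m in range(10)]
    + ["2019-08-10T09:%02d:%02d 10.0.0.9 FTP LOGIN" % (i // 6, (i % 6) * 10)
       for i in range(60)]
)
THRESHOLD = 50                  # the slide treats 50 requests as an attack
WINDOW = timedelta(minutes=10)  # the slide's 10-minute period

def parse(line):
    """Return (timestamp, client ip) from one constructed log line."""
    ts, ip, _proto, _event = line.split()
    return datetime.fromisoformat(ts), ip

def threshold_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Statistical IDS: alert on each client that reaches `threshold` requests
    inside any sliding window of length `window`. Returns sorted client ips."""
    per_client = defaultdict(list)
    for line in lines:
        ts, ip = parse(line)
        per_client[ip].append(ts)
    alerts = []
    for ip, times in per_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop events that left the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(ip)
                break
    return sorted(alerts)

def anomaly_alert(history, today, sigma=3.0):
    """Anomaly IDS: `history` is the learned profile (past per-day request
    counts); alert when today's count falls outside mean +/- sigma * stdev.
    A flat profile (stdev 0) treats any change as an anomaly."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0:
        return today != mean
    return abs(today - mean) > sigma * stdev
```

The sliding window matters: a fixed clock-aligned window lets a burst that straddles two periods stay under the threshold in both, which is the false-negative side of the trade-off the slide's false-positive warning alludes to.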
CISSP Essentials:
Mastering the Common Body of Knowledge
Lecturer: Shon Harris, CISSP, MCSE
President, Logical Security
www.LogicalSecurity.com
Coming next: Class 3: Cryptography
Register at the CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials