The four central components of access control are users, resources, actions, and relationships.

Chapter 5 Access Controls

Access control is the process of protecting a resource so that it is used only by those allowed to use it.

What do access controls define?

Users (people or computer processes), what those users can do, which resources they can reach, and what operations they can perform on them.

What are the four parts of Access Control?

Authorization
Identification
Authentication
Accountability

Who is approved for access, and what, exactly, can they use? (Authorization)

Can their identities be verified? (Identification and authentication)

How are actions traced to an individual, so that the person who makes changes to data or systems can be identified? (Accountability)

Into which phases are the four parts of access control divided?

The policy definition phase
The policy enforcement phase

The policy definition phase

This phase determines who has access and what systems or resources they can use.

The policy enforcement phase

Grants or rejects requests for access based on the authorizations defined in the policy definition phase.

In which phase does authorization operate?

The policy definition phase.

Organizations control access to resources primarily on two levels:

Physical access controls
Logical access controls

What are Physical access controls?

Control entry into buildings, parking lots, and protected areas. Example: a key.

What are Logical access controls?

Control access to a computer system or network. They typically require a unique username and password.

Summarize Physical Access Control:

An organization's facilities manager is often responsible for physical access control, so that department issues you an employee smart card. You can use the card to gain access to company areas such as the office or the elevator. The card gives access to physical resources.

Summarize Logical Access Control:

A computer system manager uses logical access controls to decide who can get into a system and what tasks they can perform, to monitor what the user does, and to influence the user's behavior on that system (for example, by requiring a username and password).

Who is responsible for physical access control?

Often the organization's facilities manager.

What are examples of logical access controls (for example, on an HR system)?

1. Deciding which users can get into the system.
2. Monitoring what the user does in the system; certain employees might be allowed only to view documents while others are allowed to edit them.
3. Restraining or influencing the user's behavior o

The security kernel is the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems. It provides a central point of access control and implements the reference monitor concept.

What does the reference monitor do, and what is it part of?

It mediates every access request, permitting access (and creating a log entry) only when the appropriate rules or conditions are met. It is implemented by the security kernel.

What are the four central elements of access that must be managed to administer access control policies well?

Users
Resources
Actions
Relationships

Users: people who use the system, or processes that perform some service for other people or processes. Also known as subjects.

Resources: the protected objects in the system. Resources can be accessed only by authorized subjects.

Actions: activities that authorized users can perform on resources.

Relationships: optional conditions that exist between users and resources. They are the permissions granted to an authorized user, such as read, write, or execute.

Group membership policy: authorization is defined by the groups a user belongs to. For example, a security card for the IT department grants access only to computer equipment areas.

Authority-level policy: a higher degree of authority is needed to access certain resources. For example, only a senior-level member of the IT group has permission to enter the server room.

What are some identification methods?

1. User name
2. Smart card
3. Biometrics

Smart card: can take the form of a plastic credit card. It makes it easy for subjects to provide complex identification credentials without having to remember long passwords.

What are the Authentication types?

Knowledge
Ownership
Characteristics

Knowledge: something you know, such as a password or PIN.

Ownership: something you have, such as a smart card, key, badge, or token.

Characteristics: something unique about you, such as your fingerprint, retina, or signature.

What are the password best-practice guidelines?

1. Don't use weak passwords
2. Don't store a written copy of the password unless absolutely necessary
3. Never share passwords with anyone
4. Use a different password for each account
5. If you think a password has been compromised, change it immediately
6. Be carefu

Account lockout: many systems disable the user ID after a certain number of consecutive failed logon attempts.

Lockout threshold: the number of failed logon attempts allowed before the account is disabled.

Audit logs: a method to track who is accessing your computing environment. They provide a record of when every user logs on to or off a computer.

Password Reset and Storage

When a user forgets a password, or the password must be reset by the help desk, the new password should be valid for only a single logon, so that the user must immediately choose a new one.

A passphrase is different from a password: it is longer and generally harder to guess.

Synchronous (dynamic password) token: uses an algorithm that calculates a number at both the authentication server and the device and displays the number on the device's screen. The user enters this number as a logon authenticator.

Time based synchronization system

The current time is used as the input; the token generates a new dynamic password that is displayed in the window of the token. To gain access, the password is entered together with the user's PIN at the workstation. No token keyboard is required.

Event based synchronization system

Avoids the time-based synchronization problem by increasing the value of a counter with each use; the counter is the input value. The user presses a button to generate a one-time password and then enters this password with his or her PIN at the workstati

Time-based synchronization problem: this system requires that the clock in the token remain in sync with the clock in the authentication server. If the clocks drift out of sync, the server can search 3 or 4 minutes on each side of its own time to detect an offset; if the difference is too great y

Event-based synchronization problem: when users generate passwords with the token but don't use them to log on, the counter in the server and the counter in the token become out of sync.

Continuous authentication

Used by systems to continuously validate the user; it can be done with proximity cards.

Asynchronous (challenge-response) token: looks like a credit-card-sized calculator. The authentication server issues a challenge number that the user enters into the token; the token computes a response to the value provided by the authentication server, and the user then replies with the value displayed on the to
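The three token types described above (time-based and event-based synchronous tokens, and the asynchronous challenge-response token) can be shown in working code. The following is an added example written for this page, not code from the original text or from any token vendor. It implements the standard HOTP and TOTP algorithms (RFC 4226 and RFC 6238) in Python using the RFC test-vector secret, and adds the server-side windows that handle the two synchronization problems the cards describe. The drift window, the look-ahead size, and the reuse of HOTP for the challenge-response step are this example's assumptions.

```python
import hmac
import hashlib
import struct

# Shared secret taken from the RFC 4226 / RFC 6238 test vectors. This is an
# assumption for the added example: a real token is provisioned with a random
# secret that exists only in the token and in the authentication server.
SECRET = b"12345678901234567890"
DIGITS = 6
TIME_STEP = 30  # seconds per time-based counter value


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduced to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based token (RFC 6238): the counter is the clock divided into steps."""
    return hotp(secret, unix_time // step)


def verify_time_based(secret: bytes, code: str, server_time: int,
                      window_steps: int = 1) -> bool:
    """Server side of a time-based system. The token's clock may drift, so the
    server also tries window_steps steps on each side of its own time; with a
    30-second step, window_steps=1 tolerates roughly 30 seconds of drift.
    A code whose step falls outside the window is rejected."""
    current = server_time // TIME_STEP
    for offset in range(-window_steps, window_steps + 1):
        if hmac.compare_digest(hotp(secret, current + offset), code):
            return True
    return False


def verify_event_based(secret: bytes, code: str, server_counter: int,
                       look_ahead: int = 5):
    """Server side of an event-based system. If the user pressed the button
    without logging on, the token's counter is ahead of the server's, so the
    server searches a bounded look-ahead window. On success it returns the new
    counter value to store (one past the matched value) so the same code can
    never be accepted twice; on failure it returns None."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def challenge_response_ok(secret: bytes, challenge: int, response: str) -> bool:
    """Asynchronous (challenge-response) token. The server sends a random
    challenge, the token answers with a function of the challenge and the
    shared secret, and the server recomputes and compares. Reusing the HOTP
    function with the challenge as the counter is this example's choice."""
    return hmac.compare_digest(hotp(secret, challenge), response)
```

The two verify functions make the cards' synchronization problems concrete: a time-based code is rejected once the drift exceeds the window, and an event-based code is accepted only from the stored counter forward, so a captured code cannot be replayed after the server has moved past it.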

USB token: a hardware device that you plug into your computer. The device is encoded with your digital signature. With it you don't have to type anything.

Smart card advantage: the user authentication process is completed at the user's location, between the smart card and the reader. This avoids the trusted-path problem and defeats sniffers or tappers.

Biometrics are broken into two categories

Static (physical)
Dynamic (behavioral)

Static (physical): what you are. Physiological biometrics include recognizing fingerprints, iris granularity, retinal blood vessels, facial features, hand geometry, and so on.

Dynamic (behavioral): what you do. Behavioral biometrics include voice inflections, keystroke dynamics, and signature motions.

Concerns surrounding biometrics

Accuracy
Acceptability
Reaction Time

Accuracy: each biometric has at least two error rates associated with it. The false rejection rate (FRR) is the rate at which valid subjects are rejected. The false acceptance rate (FAR) is the rate at which invalid subjects are accepted. There is a tradeoff between the FRR

Acceptability: some biometric measurements, such as retinal scans, are more objectionable to users than others, such as signature dynamics. If users are not comfortable with the system, they may refuse to submit to it.

Reaction time: each biometric device requires time for the system to check an identity and give a response. A system that takes too long may not work in practice.
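To make the FRR/FAR tradeoff concrete, here is an added Python example, not from the original page. The matcher scores are constructed for the example and are not measurements from any real device. It computes both error rates from the scores at a range of acceptance thresholds and finds the threshold where the two rates are equal.

```python
# Constructed matcher scores (0-100 similarity) for this added example, not
# measurements from any real device. Genuine attempts compare a valid subject
# against their own enrolled template; impostor attempts compare an invalid
# subject against someone else's template.
GENUINE_SCORES = [88, 91, 79, 95, 83, 70, 90, 86, 62, 93, 77, 89]
IMPOSTOR_SCORES = [35, 52, 41, 66, 28, 58, 47, 73, 39, 61, 44, 50]


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of valid subjects scoring below threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of invalid subjects scoring at or above threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def error_curve(genuine_scores, impostor_scores, thresholds):
    """(threshold, FRR, FAR) triples. Raising the threshold can only raise FRR
    and lower FAR, which is the tradeoff the card describes."""
    return [(t, frr(genuine_scores, t), far(impostor_scores, t)) for t in thresholds]


def equal_error_threshold(genuine_scores, impostor_scores, thresholds):
    """Threshold at which FRR and FAR are closest: the equal error rate (EER)
    operating point. A high-security deployment picks a higher threshold
    (lower FAR, more false rejections); a convenience-first one picks lower."""
    return min(thresholds,
               key=lambda t: abs(frr(genuine_scores, t) - far(impostor_scores, t)))


if __name__ == "__main__":
    for t, r, a in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100, 10)):
        print(f"threshold {t:3d}: FRR {r:.2f}  FAR {a:.2f}")
    print("EER threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 5)))
```

On these scores a threshold of 60 rejects no valid subject but accepts a quarter of impostors, while 80 accepts no impostor but rejects a third of valid subjects; no single threshold makes both rates zero, which is why a deployment has to choose which error it would rather live with.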

Single sign-on (SSO) allows users to sign on to a computer or network once and have their identification and authorization credentials admit them to all computers and systems where they are authorized. They don't need to enter multiple user IDs or passwords. SSO reduces hu

SSO advantages: it's an efficient logon process; the user has to log on only once. It can provide for stronger passwords: with only one password to remember, users are generally willing to use stronger passwords. It provides continuous, clear reauthentication.

SSO disadvantages: a compromised password lets an intruder into all areas open to the password owner. Using dynamic passwords and/or two-factor authentication can reduce this problem. Static passwords provide very limited security. Two-factor authentication or, at least, on

The Kerberos Key Distribution Center (KDC) serves as both the authentication server (AS) and the ticket-granting server (TGS).

Kerberos is a computer-network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

SESAME (Secure European System for Applications in a Multi-vendor Environment) improves key management by using both symmetric and asymmetric keys to protect exchanged data. It is essentially an extension of Kerberos. It offers public key cryptography and role-based access control abilities.

Discretionary access control (DAC)

The owner of the resource decides who gets in and changes permissions as needed. The owner can delegate that job to others.

Mandatory access control (MAC)

Used in military and government systems. Permission to access a system or any resource is determined by the sensitivity (classification) of the resource and the security level (clearance) of the subject. The owner cannot give access to someone else; the system enforces the policy. This makes MAC stronger than DAC.

Non discretionary access control

Non-discretionary access controls are closely monitored by the security administrator, and not the system administrator.

Rule based access control

Access is granted or denied according to a set of rules defined by the administrator (for example, a firewall rule set or a time-of-day restriction) and applied to every subject regardless of identity. Because the data owner does not set the rules, rule-based access control is a form of non-discretionary control.

Discretionary access control is a means of restricting access to objects based on the identity of subjects and/or the groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirec

Today's operating systems contain access control settings for individual users (user based) and for groups of users (group or role based). Which method you use depends on the size of the organization and how specific access rights need to be for individuals or role

When new users are brought into an organization, their user accounts must be created. This can take a lot of time. It must be done quickly, however, so new people can do their jobs. User registration must be standardized, efficient, and accurate.

Periodic review: over time, users often get special permissions to complete a particular project or perform some special task. These permissions need to be reviewed from time to time to make sure they are removed when they are no longer needed.

Need-to-know is the concept of preventing people from gaining access to information they don't need to carry out their duties. Providing access on the basis of need-to-know reduces the chance of improper handling of data or the improper release of information.

Separation of duties is the process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.

Collusion: employees work together to circumvent the controls and assist each other in performing unauthorized tasks. Job rotation reduces the risk of collusion.

Covert channels are hidden ways of passing information against organizational policy. There are two main types: timing channels (signaling by modulating the timing of some observable system behavior, such as resource use) and storage channels (writing data to a shared or inappropriate storage location that another party can read).

What are the permission levels?

User based
Job based or role based
Project based
Task based

User based: the permissions granted to a user are often specific to that user. In this case, the rules are set according to a user ID or other unique identifier.

Job based or role based access control

Permissions are based on a common set of permissions for all people in the same or similar job roles.

Project based: when a group of people (for example, a project team) is working on a project, they are often granted access to documents and data related just to that project.

Task-based access control limits a person to executing certain functions and often enforces mutual exclusivity. In other words, if a person executes one part of a task, he or she might not be allowed to execute another related part of the task.

In mandatory access control, the system and the owner jointly make the decision to allow access. The owner supplies the need-to-know element: not all users with a privilege or clearance level for sensitive material need access to all sensitive information. The system compares the subjec

Temporal isolation (time-based access control) restricts access to specific times. It first classifies the sensitivity level of objects, then allows access to those objects only at certain times. Temporal isolation is often used in combination with role-based access control.

Non-Discretionary characteristics:

Security administrators have enough control in non-discretionary access control to make sure sensitive files are write-protected for integrity and readable only by authorized users to preserve confidentiality. The chances that a corrupted program will be

Discretionary access control characteristics.

This type of access control pushes much of the administration down to the data owner. For technical and security-conscious users, it tends to work well. It doesn't work as well in environments with many users or where users lack t

Most operating systems provide several options to associate permission lists with objects.

Windows share permissions: Full Control, Change, Read, and Deny

Windows NTFS permissions: Full Control, Modify, List Folder Contents, Read & Execute, Read, Write, Special Permissions, and Deny

What is special about Deny?

An explicit Deny overrides any Allow for the same object, including Allows a user receives through group membership.
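The rule that Deny overrides every other permission has one well-known exception that is worth seeing in code. The following is an added Python example, not from the page and not Windows' own implementation; the permission names and their mapping to basic rights are simplified assumptions. It models how a Windows DACL is evaluated in canonical order, so that an explicit Deny defeats an Allow obtained through group membership, while an explicit Allow set on the object outranks a Deny inherited from its parent.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Simplified model of NTFS-style permissions for this added example. The composite
# names are the ones the card lists; their mapping to basic rights is a
# simplification of the real Windows access mask and an assumption of this example.
BASIC_RIGHTS = frozenset({"read", "write", "execute", "delete", "change_permissions"})
COMPOSITE = {
    "Full Control": BASIC_RIGHTS,
    "Modify": frozenset({"read", "write", "execute", "delete"}),
    "Read & Execute": frozenset({"read", "execute"}),
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, Allow or Deny, which rights, and whether the
    entry was inherited from a parent container or set explicitly on this object."""
    principal: str
    allow: bool
    rights: FrozenSet[str]
    inherited: bool = False


def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Windows evaluates a DACL in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Sorting on (inherited, allow) yields exactly
    that order because False sorts before True."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def check_access(acl: Iterable[Ace], token: Iterable[str],
                 requested: Iterable[str]) -> bool:
    """Walk the DACL in canonical order with the requesting user's token (the user
    plus every group it belongs to). A Deny that covers any still-outstanding
    requested right ends the check immediately; each Allow removes the rights it
    grants; running out of entries with rights outstanding is an implicit deny."""
    token = set(token)
    remaining = set(requested)
    for ace in canonical_order(acl):
        if ace.principal not in token:
            continue
        if not ace.allow:
            if remaining & ace.rights:
                return False
        else:
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining
```

Because the check walks explicit entries before inherited ones, an explicit Allow on a file is satisfied before an inherited Deny is ever consulted. Administrators who rely on a Deny at the folder level to lock out a group should verify that no explicit Allow exists on the objects beneath it.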

Role based access control characteristics

RBAC policy bases access control approvals on the jobs the user is assigned. The security administrator assigns each user to one or more roles, and permissions are attached to the roles rather than to individual users.

Content dependent access control

Access control is based on what is contained in the data. It requires the access control mechanism (the arbiter program, which is part of the application, not the operating system) to look at the data to decide who should get to see it.

Constrained user interface

A user's ability to get into (or interface with) certain system resources is restrained by two things: the user's rights and permissions are restricted, and constraints are put on the device or program providing the interface. A device such as an ATM or soft

Database views allow different groups of users to access a database without being able to access each other's data.

The Bell-LaPadula model focuses on the confidentiality of data and the control of access to classified information. The parts of a system are divided into subjects and objects, and the current condition of a system is described as its state.

The Biba integrity model was the first model to address integrity in computer systems based on integrity levels. It consists of three parts: subjects cannot read objects that have a lower level of integrity than the subject does; a subject cannot change objects that have a higher level of i
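The Bell-LaPadula and Biba rules are short but easy to get backwards, so here they are as an added Python example, written for this page and not taken from any reference implementation; the levels and categories are constructed. It encodes the dominance relation on labels with compartments and the four read/write rules, showing that Biba's rules are the duals of Bell-LaPadula's.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Labels constructed for this added example. In Bell-LaPadula a label is a
# confidentiality level (higher = more sensitive); in Biba it is an integrity
# level (higher = more trustworthy). Both are ordered the same way, so one
# Label type with a "dominates" relation serves both models.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: int
    categories: FrozenSet[str] = frozenset()  # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """A dominates B when A's level is at least B's and A holds every category of B."""
        return self.level >= other.level and self.categories >= other.categories


def label(level_name: str, *categories: str) -> Label:
    """Convenience constructor: label("SECRET", "NUCLEAR")."""
    return Label(LEVELS[level_name], frozenset(categories))


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: the object's label must dominate the subject, so a SECRET process
    cannot leak into an UNCLASSIFIED file (writing to a higher level is permitted)."""
    return obj.dominates(subject)


# Biba (integrity): no read down, no write up. The duals of the two rules above.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: a subject may not read lower-integrity data,
    which could contaminate its own work."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity property: a subject may not modify higher-integrity data."""
    return subject.dominates(obj)
```

Note that the categories matter as much as the level: a SECRET subject cleared only for NUCLEAR cannot read a SECRET object tagged NUCLEAR and CRYPTO, because its label does not dominate the object's.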

Clark and Wilson integrity model

focuses on what happens when users allowed into a system try to do things they are not permitted to do. It also looks at internal integrity threats. These two components were missing from Biba's model. This model looks at whether the software does what it

Compromised controls: accessing networks

Networks often include unprotected connections. Many organizations build their networks with more drops (female connectors at wall plates) than they need, so that they can add users as the organization grows. These unused connectio

Several programs and modules have a common programming weakness known as a buffer overflow. This happens when an attacker supplies more data than the input buffer was sized to hold, overwriting adjacent memory; in the worst case this lets the attacker execute malicious code with the application's privileges. There are many other way

RADIUS, TACACS+, Diameter

A RADIUS server uses two configuration files:
A client configuration file that contains the client address and the shared secret used for transaction authentication
A user configuration file that contains the user identification and authentication data as well as the connection and authorization informati
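The shared secret in the client configuration file is what RADIUS uses for "transaction authentication". The following added Python example (not from the page and not from any RADIUS implementation; the secret, the Request Authenticator and the attribute bytes are constructed) shows the two places RFC 2865 uses it: hiding the User-Password attribute in an Access-Request, and computing the Response Authenticator that lets the client check that a reply came from its server.

```python
import hashlib
import hmac
import struct

# Values assumed for this added example. In a real deployment the shared secret
# comes from the server's client configuration file, and the NAS generates a
# fresh random 16-byte Request Authenticator for every Access-Request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed and fixed so the example is reproducible

ACCESS_ACCEPT = 2  # RADIUS Code field value for Access-Accept


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2. The password is padded with NULs to a multiple of 16
    octets, then each block is XORed with MD5(secret + previous block), where the
    'previous block' for the first block is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse operation performed by the server. It strips the NUL padding, so
    the scheme assumes passwords do not themselves end in NUL octets."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a party holding the shared secret can produce it, which is how the NAS
    knows an Access-Accept came from its server rather than from a spoofer."""
    length = 20 + len(attributes)  # 20-octet header plus attributes
    header = struct.pack(">BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def reply_is_authentic(code: int, identifier: int, attributes: bytes,
                       request_auth: bytes, secret: bytes, received: bytes) -> bool:
    """Client-side check: recompute the Response Authenticator and compare in constant time."""
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received)
```

Both constructions rest entirely on the shared secret and on MD5. A weak secret can be guessed offline by anyone who captures a single Access-Request, and changing the Code from Access-Accept to Access-Reject (or back) invalidates the Response Authenticator only if the secret is unknown to the attacker, which is why the secret must be long and random and why RADIUS traffic is normally confined to a management network or protected with IPsec or RadSec.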

Diameter base protocol: defines the message format, transport, error reporting, and security used by all extensions.
Diameter extensions: conduct specific types of authentication, authorization, or accounting transactions.

Computer applications that use UDP send messages, known as datagrams, to other hosts on an Internet Protocol (IP) network. UDP does this without requiring special transmission channels or data paths. As such, UDP's service is somewhat unreliable because d

Decentralized access control handles access control decisions and administration locally. That means access control is in the hands of the people, such as department managers, who are closest to the system users. Access requests are not processed by one centralized entity.

Private cloud: all of the hardware and software required to provide services, including the network infrastructure, is operated for a single organization. The components may be managed by the organization or by a third-party provider. The actual infrastructure can be lo

Community cloud: this type of infrastructure provides services for several organizations. The different organizations share the cloud environment and use it for their specific needs. The infrastructure can be managed by one of the participating organizations or by a third

Public cloud: this type of cloud infrastructure is available to unrelated organizations or individuals. Public clouds are generally available for public use and are managed by a third-party provider.

Hybrid cloud: this type of cloud infrastructure contains components of more than one type of cloud, including private, community, and public clouds. Hybrid clouds are useful to extend the limitations of more restrictive environments. They often are used to provide resi

Infrastructure as a service (IaaS)

IaaS provides users with access to a physical or virtual machine. Users must select and load their own operating systems. They then manage all aspects of the machine, just as if it were a local computer.

Platform as a service (PaaS): PaaS provides the user with access to a physical or a virtual machine running any of a number of popular operating systems. Unlike IaaS, with PaaS the CSP manages the operating system and the underlying hardware. Instead of connecting to a local server,

Software as a service (SaaS): in the SaaS model, users access software from cloud clients. The most basic type of cloud client is the Web browser. Users do not need to install or manage any software. All they have to do is connect to the correct server and use the software as if it we

What are some examples of access controls?

Access control examples can be found in the security systems in our doors, key locks, fences, biometric systems, motion detectors, badge systems, and so forth.

What are the types of logical access controls?

The three models commonly used in logical access control are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

What are some examples of logical access controls?

Examples of logical controls are passwords, network firewalls, access control lists, and data encryption.

What are the two generally accepted categories of access control models?

Access control models are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).