
CISSP Access Control Part II


DOCUMENT INFORMATION

Basic information

Format
Pages: 23
Size: 4.15 MB

Content

REMEMBER
• Controls
• Control types
• Common models

ADMINISTRATIVE CONTROL
∗ Policy/Procedure
∗ Least privilege
∗ Separation of duties
∗ Job rotation/Vacation
∗ Badges, uniform and others…
∗ Training and awareness
∗ Background check
∗ …

PHYSICAL CONTROL
∗ Lock / Guard:
∗ Security guard
∗ Camera
∗ Alarm (Fire…)
∗ Lock
∗ Building, room
∗ Others …

LOGICAL CONTROL
∗ Logical:
∗ Network design (VLAN…)
∗ Traffic flow
∗ System access (MAC filter, divided groups …)
∗ Encryption
∗ …

REMEMBER: METHOD
∗ DAC / MAC / RBAC:
∗ DAC → based on owner → access permission
∗ MAC → based on clearance → need to know
∗ RBAC → based on role
∗ Non-RBAC: user → app1, app2
∗ Limited RBAC: user → app1 → roleA, user → app2
∗ Hybrid: user → roleA → app1 + app2, user → app3 → role
∗ Full: user → roleA → app1 + app2 + app3
∗ ABAC (Attribute Based Access Control)

REMEMBER: CONTROL TYPES
∗ Preventive
∗ Detective
∗ Corrective

REMEMBER: CONTROL TYPE
∗ Preventive: firewall, IPS, content filtering, anti-x, access control matrix/rights, encryption, baseline, locks…
∗ Detective: IDS, logs, monitoring, anti-x, audit, log review, SIEM
∗ Deterrent: signs (banner: "will be monitored", "no entry" …)
∗ Corrective: backup/restore, load balancing, DRP…
∗ Recovery: focus on the restore process
∗ Compensating: change to a new effective control

Continue in part II

ACCESS CONTROL RISKS/THREATS
∗ Disclosure of information
∗ Discuss

FIRST LINE DEFENSE
FIRST LINE DEFENSE (Cont): TEMPEST
FIRST LINE DEFENSE: TIRED / BORED WORK
FIRST LINE DEFENSE: PIGGYBACK
FIRST LINE DEFENSE
• Registered user checking
• BYOD controls
• Logs
TRUST BUT VERIFY

FIRST LINE DEFENSE
∗ Default, guess
∗ Check username/password, injection
∗ Dumpster diving, shoulder surfing, tapping …
∗ Sniffing, dumps (cracking), guessing, defaults, key logging …
→ Information disclosure

FIRST + A HALF LINE DEFENSE
• This ID is used to perform administrative tasks
• Warn and notify
• Monitor and log

SECOND LINE DEFENSE
• Misconfiguration will be dangerous because of the highest privileges
• REMEMBER: separation of duties and inheritance of previous configuration
• Defined role, virtual, least privilege
• Must prevent mobile code, spoofing (signed…)
• Profile vs role?
• What needs to be restricted? How many are enough?

AUTHORIZATION
∗ Services Grant/Deny
∗ Access Control Matrix (List)
∗ Additional Rules
• Access Control Matrix: clearances, check permissions…
• Services Grant/Deny: control session grants; time to recheck
• Additional rules: check for exceptions or explicit rules
∗ Delegated access rights
∗ Combine RBAC + ABAC

PLEASE ASK QUESTIONS!!! IF YOU DON'T HAVE ANY QUESTIONS, I WILL RAISE MY QUESTIONS ...
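The METHOD and AUTHORIZATION slides list the four models (DAC based on owner, MAC based on clearance plus need to know, RBAC based on role, ABAC based on attributes) and the rule that explicit/exception rules are checked on top of the base model. The following is an added example written for this page, not code from the slides or from any CISSP material: it evaluates the same request under each model so the differences become visible. All subjects, objects, role tables and attribute rules are constructed sample data; the MAC check is interpreted here as "clearance dominates classification AND subject holds every compartment of the object", which is the need-to-know reading the slide gives.

```python
"""Added example, not from the slide deck: toy decision functions for the
access-control methods the slides list (DAC, MAC, RBAC, ABAC) plus the
explicit-rule step from the AUTHORIZATION slide. Everything below is
constructed sample data."""
from dataclasses import dataclass, field

# Ordered sensitivity labels used by the MAC check (constructed).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "public"
    compartments: frozenset = frozenset()      # need-to-know categories held
    roles: frozenset = frozenset()             # RBAC roles
    attrs: dict = field(default_factory=dict)  # ABAC attributes


@dataclass
class Obj:
    name: str
    owner: str
    classification: str = "public"
    compartments: frozenset = frozenset()      # categories the object carries
    acl: dict = field(default_factory=dict)    # DAC: subject name -> permissions
    attrs: dict = field(default_factory=dict)  # ABAC attributes


def dac_allows(sub, obj, perm):
    """DAC: the owner decides by editing the object's ACL; the owner always passes."""
    return sub.name == obj.owner or perm in obj.acl.get(sub.name, set())


def mac_allows(sub, obj, perm):
    """MAC: clearance must dominate the classification AND the subject must hold
    every compartment on the object (the 'need to know' half of the slide)."""
    return (LEVELS[sub.clearance] >= LEVELS[obj.classification]
            and obj.compartments <= sub.compartments)


# RBAC: permissions hang off roles, never off individual users (constructed).
ROLE_PERMS = {
    "auditor": {("logs", "read")},
    "ops": {("logs", "read"), ("logs", "write"), ("config", "read")},
}


def rbac_allows(sub, obj, perm):
    return any((obj.name, perm) in ROLE_PERMS.get(r, ()) for r in sub.roles)


# ABAC: rules over subject and object attributes (constructed).
ABAC_RULES = [
    lambda s, o, p: p == "read" and s.attrs.get("dept") == o.attrs.get("dept"),
    lambda s, o, p: p == "read" and s.attrs.get("on_call") is True
                    and o.attrs.get("kind") == "runbook",
]


def abac_allows(sub, obj, perm):
    return any(rule(sub, obj, perm) for rule in ABAC_RULES)


MODELS = {"dac": dac_allows, "mac": mac_allows, "rbac": rbac_allows, "abac": abac_allows}


def decide(model, sub, obj, perm, explicit_deny=frozenset()):
    """AUTHORIZATION slide: explicit exception rules are checked first, then the
    base model. Anything that is not a known permission is denied by default."""
    if (sub.name, obj.name, perm) in explicit_deny:
        return False
    if perm not in ("read", "write"):
        return False
    return MODELS[model](sub, obj, perm)


# Constructed subjects and objects.
ALICE = Subject("alice", "secret", frozenset({"crypto"}), frozenset({"ops"}),
                {"dept": "eng", "on_call": False})
BOB = Subject("bob", "confidential", frozenset(), frozenset({"auditor"}),
              {"dept": "finance", "on_call": True})
LOGS = Obj("logs", owner="alice", classification="confidential",
           compartments=frozenset({"crypto"}), acl={"bob": {"read"}},
           attrs={"dept": "eng", "kind": "log"})
CONFIG = Obj("config", owner="root", classification="secret",
             attrs={"dept": "eng", "kind": "runbook"})


def demo():
    """Same requests under different models; shows where the models disagree."""
    deny = frozenset({("alice", "logs", "write")})   # explicit exception rule
    return {
        "dac bob read logs": decide("dac", BOB, LOGS, "read"),        # owner granted it
        "mac bob read logs": decide("mac", BOB, LOGS, "read"),        # lacks 'crypto' need-to-know
        "rbac bob write logs": decide("rbac", BOB, LOGS, "write"),    # auditor role is read-only
        "abac bob read config": decide("abac", BOB, CONFIG, "read"),  # on-call runbook rule
        "mac bob read config": decide("mac", BOB, CONFIG, "read"),    # clearance too low
        "dac alice write logs (exception)": decide("dac", ALICE, LOGS, "write", deny),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:36s} -> {'ALLOW' if allowed else 'DENY'}")
```

The point of running the same request through several models is the one the slides make with "combine RBAC + ABAC": bob can read the logs under DAC because the owner said so, but MAC refuses because he lacks the compartment, and the explicit deny list overrides even the owner's own DAC rights, which is how the "additional rules" step is meant to sit above the base model.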

Posted: 04/05/2017, 15:37
