Chapter 5 covers: access control models, authentication models, logging procedures, conducting security audits, redundancy planning, disaster recovery procedures, and organizational policies.
Access Control

Contents
- Access Control Models
- Authentication Models
- Logging Procedures
- Conducting Security Audits
- Redundancy Planning
- Disaster Recovery Procedures
- Organizational Policies

Access Control Fundamentals
- Jérôme Kerviel
  - Rogue trader, lost €4.9 billion
  - Largest fraud in banking history at that time
  - Worked in the compliance department of a French bank
  - Defeated security at his bank by concealing transactions with other transactions
  - Arrested in Jan 2008, out and working at a computer consulting firm in April 2008

Access Control
- The process by which resources or services are granted or denied on a computer system or network
- There are four standard access control models as well as specific practices used to enforce access control

Access Control Terminology
- Identification
  - A user accessing a computer system would present credentials or identification, such as a username
- Authentication
  - Checking the user’s credentials to be sure that they are authentic and not fabricated, usually using a password
- Authorization
  - Granting permission to take the action
- A computer user is granted access
  - To only certain services or applications in order to perform their duties
- Computer access control can be accomplished by one of three entities: hardware, software, or a policy
- Access control can take different forms depending on the resources that are being protected
- Other terminology is used to describe how computer systems impose access control:
  - Object – resource to be protected
  - Subject – user trying to access the object
  - Operation – action being attempted

Access Control Models
- Mandatory Access Control
- Discretionary Access Control
- Role-Based Access Control
- Rule-Based Access Control

Physical Computer Security

Door Security
- Hardware locks
- Preset lock
  - Also known as the key-in-knob lock
  - The easiest to use because it requires only a key for unlocking the door from the outside
  - Automatically locks behind the person, unless it has been set to remain unlocked
  - Security provided by a preset lock is minimal
- Deadbolt lock
  - Extends a solid metal bar into the door frame
  - Much more difficult to defeat than preset locks
  - Requires that the key be used to both open and lock the door

Lock Best Practices
- Change locks immediately upon loss or theft of keys
- Inspect all locks on a regular basis
- Issue keys only to authorized persons
- Keep records of who uses and turns in keys
- Keep track of keys issued, with their number and identification
- Master keys should not have any marks identifying them as masters
- Secure unused keys in a locked safe
- Set up a procedure to monitor the use of all locks and keys and update the procedure as necessary
- When making duplicates of master keys, mark them “Do Not Duplicate,” and wipe out the manufacturer’s serial numbers to keep duplicates from being ordered

Cipher Lock
- Combination locks that use buttons that must be pushed in the proper sequence to open the door
- Can be programmed to allow only the code of certain individuals to be valid on specific dates and times
- Cipher locks also keep a record of when the door was opened and by which code
- Cipher locks are typically connected to a networked computer system
  - Can be monitored and controlled from

Cipher Lock Disadvantages
- Basic models can cost several hundred dollars while advanced models can be even more expensive
- Users must be careful to conceal which buttons they push to avoid someone seeing or photographing the combination

Tailgate Sensor
- Uses infrared beams that are aimed across a doorway
- Can detect if a second person walks through the beam array immediately behind (“tailgates”) the first person
  - Without presenting credentials

Physical Tokens
- Objects to identify users
- ID Badge
  - The most common types of physical tokens
  - ID badges originally were visually screened by security guards
  - Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags
  - Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket

(Figure: RFID tag)

Mantrap
- Before entering a secure area, a person must enter the mantrap
  - A small room like an elevator
  - If their ID is not valid, they are trapped there until the police arrive
- Mantraps are used at high-security areas where only authorized persons are allowed to enter
  - Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals

Video Surveillance
- Closed circuit television (CCTV)
  - Using video cameras to transmit a signal to a specific and limited set of receivers
- Some CCTV cameras are fixed in a single position pointed at a door or a hallway
- Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view

Physical Access Log
- A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
- Can also identify if unauthorized personnel have accessed a secure area
- Physical access logs originally were paper documents
- Today, door access systems and physical tokens can generate electronic log documents

... access control
- Physical access control

Logical Access Control Methods
- Logical access control includes
  - Access control lists (ACLs)
  - Group policies
  - Account restrictions
  - Passwords

... particular role have access

Rule Based Access Control (RBAC) model
- Also called the Rule-Based Role-Based Access Control (RBRBAC) model or automated provisioning
- Controls access with rules defined
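
The cipher lock behaviour described earlier (codes valid only for certain individuals on specific dates and times, with a record of when the door was opened and by which code) can be checked against its own log. The following is an added example, not part of the original slides; the schedule, codes, owners and log entries are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed schedule: each code belongs to one person and is valid only
# on the listed weekdays (0 = Monday) between the start and end times.
SCHEDULE = {
    "4821": {"owner": "alice", "days": {0, 1, 2, 3, 4}, "start": time(8, 0), "end": time(18, 0)},
    "7730": {"owner": "bob", "days": {5, 6}, "start": time(9, 0), "end": time(13, 0)},
}

# Constructed door log: (ISO timestamp, code entered, door opened?)
DOOR_LOG = [
    ("2024-03-04T08:15:00", "4821", True),   # Monday, inside window
    ("2024-03-04T22:40:00", "4821", True),   # Monday, after hours
    ("2024-03-09T10:05:00", "7730", True),   # Saturday, inside window
    ("2024-03-06T10:00:00", "7730", True),   # Wednesday, wrong day
    ("2024-03-05T03:12:00", "0000", False),  # unknown code, door stayed shut
    ("2024-03-05T03:13:00", "1111", True),   # unknown code, door opened
]

def code_allowed(code, when, schedule=SCHEDULE):
    """Return (allowed, reason) for a code presented at datetime `when`."""
    rule = schedule.get(code)
    if rule is None:
        return False, "unknown code"
    if when.weekday() not in rule["days"]:
        return False, "code not valid on this day"
    if not (rule["start"] <= when.time() <= rule["end"]):
        return False, "code not valid at this time"
    return True, "ok"

def audit(log, schedule=SCHEDULE):
    """List log entries where the door opened although the rules deny it."""
    findings = []
    for stamp, code, opened in log:
        when = datetime.fromisoformat(stamp)
        allowed, reason = code_allowed(code, when, schedule)
        if opened and not allowed:
            owner = schedule.get(code, {}).get("owner", "unidentified")
            findings.append((stamp, owner, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(DOOR_LOG):
        print(finding)
```

Rejected attempts (door stayed shut) are not reported here because the lock enforced the rule; the findings are the entries where the log and the schedule disagree.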