
Lecture Information systems security - Chapter 6: Access control


DOCUMENT INFORMATION

Pages: 64
Size: 1.06 MB

Contents

The content of chapter 5 includes: access control models, authentication models, logging procedures, conducting security audits, redundancy planning, disaster recovery procedures, and organizational policies.

Access Control   Contents v Access Control Models v Authentication Models v Logging Procedures v Conducting Security Audits v Redundancy Planning v Disaster Recovery Procedures v Organizational Policies Access Control Fundamentals v Jérôme Kerviel v Rogue trader, lost €4.9 billion v Largest fraud in history at that time banking v Worked in the compliance department of a French bank v Defeated security at his bank by concealing transactions with other transactions v Arrested in Jan 2008, out and working at a computer consulting firm in April 2008 Access Control v The process by which resources or services are granted or denied on a computer system or network v There are four standard access control models as well as specific practices used to enforce access control Access Control Terminology v Identification v A user accessing a computer system would present credentials or identification, such as a username v Authentication v Checking the user’s credentials to be sure that they are authentic and not fabricated, usually using a password v Authorization v Granting permission to take the action v A computer user is granted access v To only certain services or applications in order to perform their duties Access Control Terminology Access Control Terminology v Computer access control can be accomplished by one of three entities: hardware, software, or a policy v Access control can take different forms depending on the resources that are being protected v Other terminology is used to describe how computer systems impose access control: v Object – resource to be protected v Subject – user trying to access the object v Operation – action being attempted Access Control Terminology Access Control Access Control Models v Mandatory Access Control v Discretionary Access Control v Role-Based Access Control v Rule-Based Access Control Physical Computer Security Physical Computer Security Door Security v Hardware locks v Preset lock v v v v Also known as the key-in-knob lock The 
easiest to use because it requires only a key for unlocking the door from the outside Automatically locks behind the person, unless it has been set to remain unlocked Security provided by a preset lock is minimal Deadbolt lock v Extends a solid metal bar into the door frame v Much more difficult to defeat than preset locks v Requires that the key be used to both open and lock the door Lock Best Practices v Change locks immediately upon loss or theft of keys v Inspect all locks on a regular basis v Issue keys only to authorized persons v Keep records of who uses and turns in keys v Keep track of keys issued, with their number and identification v Master keys should not have any marks identifying them as masters Lock Best Practices v Secure unused keys in a locked safe v Set up a procedure to monitor the use of all locks and keys and update the procedure as necessary v When making duplicates of master keys, mark them “Do Not Duplicate,” and wipe out the manufacturer’s serial numbers to keep duplicates from being ordered Cipher Lock v Combination locks that use buttons that must be pushed in the proper sequence to open the door v Can be programmed to allow only the code of certain individuals to be valid on specific dates and times v Cipher locks also keep a record of when the door was opened and by which code v Cipher locks are typically connected to a networked computer system v Can be monitored and controlled from Cipher Lock Disadvantages v Basic models can cost several hundred dollars while advanced models can be even more expensive v Users must be careful to conceal which buttons they push to avoid someone seeing or photographing the combination Tailgate Sensor v Uses infrared beams that are aimed across a doorway v Can detect if a second person walks through the beam array immediately behind (“tailgates”) the first person v Without presenting credentials Physical Tokens v Objects to identify users v ID Badge v The most common types of physical tokens v ID 
badges originally were visually screened by security guards v Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags v Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket RFID tag Mantrap v Before entering a secure area, a person must enter the mantrap v A small room like an elevator v If their ID is not valid, they are trapped there until the police arrive v Mantraps are used at high-security areas where only authorized persons are allowed to enter v Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals Mantrap Video Surveillance v Closed circuit television (CCTV) v Using video cameras to transmit a signal to a specific and limited set of receivers v Some CCTV cameras are fixed in a single position pointed at a door or a hallway v Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view Physical Access Log v A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area v Can also identify if unauthorized personnel have accessed a secure area v Physical access logs originally were paper documents v Today, door access systems and physical tokens can generate electronic log documents ... access the object v Operation – action being attempted Access Control Terminology Access Control Access Control Models v Mandatory Access Control v Discretionary Access Control v Role-Based Access. .. access control v Physical access control Logical Access Control Methods v Logical access control includes v Access control lists (ACLs) v Group policies v Account restrictions v Passwords Access Control. .. 
particular role have access Rule Based Access Control (RBAC) model v Also called the RuleBased Role-Based Access Control (RBRBAC) model or automated provisioning v Controls access with rules defined
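An added example, not part of the lecture, of the kind of check an electronic physical access log makes possible: it parses constructed door-access log lines (the line format, badge numbers and door list are assumptions, not any real system's) and flags badges not on a door's authorized list, exits with no prior entry, and entries never closed by an exit.

```python
"""Checks over an electronic physical access log of the kind the slides
describe. Added example; log lines, door list and line format are constructed."""
import re
from collections import defaultdict

# Constructed door-access log (one badge event per line).
LOG = """\
2020-01-30T08:55:12 door=server-room badge=1042 name=alice event=entry
2020-01-30T09:02:40 door=server-room badge=2077 name=mallory event=entry
2020-01-30T09:30:11 door=server-room badge=1042 name=alice event=exit
2020-01-30T09:31:05 door=server-room badge=3105 name=carol event=exit
2020-01-30T17:45:00 door=lab-b badge=1042 name=alice event=entry
"""
# Badges authorized per secure area (constructed).
AUTHORIZED = {"server-room": {"1042", "3105"}, "lab-b": {"3105"}}

LINE = re.compile(r"^(\S+) door=(\S+) badge=(\d+) name=(\S+) event=(entry|exit)$")

def parse(text):
    """Parse log lines into event dicts; malformed lines are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, door, badge, name, ev = m.groups()
            events.append(dict(ts=ts, door=door, badge=badge, name=name, event=ev))
    return events

def audit(events, authorized):
    """Return (finding, door, badge, timestamp) tuples for: a badge not on
    the door's list, an exit with no prior entry (someone got in without
    badging, e.g. by tailgating), and an entry never closed by an exit."""
    findings = []
    inside = defaultdict(set)          # door -> badges currently inside
    for e in events:
        if e["badge"] not in authorized.get(e["door"], set()):
            findings.append(("unauthorized", e["door"], e["badge"], e["ts"]))
        if e["event"] == "entry":
            inside[e["door"]].add(e["badge"])
        elif e["badge"] in inside[e["door"]]:
            inside[e["door"]].discard(e["badge"])
        else:
            findings.append(("exit-without-entry", e["door"], e["badge"], e["ts"]))
    for door, badges in inside.items():
        for badge in sorted(badges):
            findings.append(("no-exit", door, badge, None))
    return findings
```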
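As an added illustration (not from the lecture slides), a toy policy engine that evaluates the chapter's (subject, object, operation) requests under each of the four models it lists; the sensitivity lattice, roles, ACL entries and business-hours rule are constructed, and the mandatory model's read/write rule follows a Bell-LaPadula-style convention the slides do not spell out.

```python
"""Toy policy engine for the four access control models the chapter lists
(mandatory, discretionary, role-based, rule-based). Added example; constructed."""
from dataclasses import dataclass, field

# MAC: ordered sensitivity levels fixed by the system, not by owners.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Subject:                      # the user trying to access an object
    name: str
    clearance: str
    roles: set = field(default_factory=set)

@dataclass
class Obj:                          # the resource to be protected
    name: str
    label: str
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: subject -> {operations}

def mac_allows(s, o, op):
    """Mandatory: read needs clearance >= label, write needs clearance <=
    label (no write-down); this Bell-LaPadula-style rule is an assumption."""
    sc, ol = LEVELS[s.clearance], LEVELS[o.label]
    return sc >= ol if op == "read" else sc <= ol

def dac_allows(s, o, op):
    """Discretionary: the owner has every operation and hands out the rest."""
    return s.name == o.owner or op in o.acl.get(s.name, set())

# RBAC: permissions attach to roles; subjects are granted roles (constructed).
ROLE_PERMS = {"trader": {("book", "read"), ("book", "write")},
              "compliance": {("book", "read"), ("audit_log", "read")}}

def rbac_allows(s, o, op):
    return any((o.name, op) in ROLE_PERMS.get(r, set()) for r in s.roles)

def rule_allows(s, o, op, hour):
    """Rule-based: a defined rule (writes only 09:00-16:59) refines the
    role grant, the way a cipher lock code is valid only at set times."""
    if op == "write" and not 9 <= hour < 17:
        return False
    return rbac_allows(s, o, op)

def decide(model, s, o, op, hour=12):
    """Evaluate one (subject, object, operation) request under a model."""
    table = {"MAC": lambda: mac_allows(s, o, op),
             "DAC": lambda: dac_allows(s, o, op),
             "RBAC": lambda: rbac_allows(s, o, op),
             "RULE": lambda: rule_allows(s, o, op, hour)}
    return table[model]()
```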

Posted: 30/01/2020, 11:58