Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals

Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 7Access Control Fundamentals


Objectives

Define access control and list the four access control models

Describe logical access control methods Explain the different types of physical access

control

2


What Is Access Control?

Access control The process by which _____________________

______________________________________________________________________

There are ______________ standard access control models as well as specific practices used to enforce access control See next slide for details…

3


Access Control Terminology Identification

A user ____________________________ would present _____________ or identification, such as a _____________

Authentication ___________________________ (such as _____________

or ____________ scan) to be sure that they are authentic Authorization

________________________ to take the action A computer user is granted access

To ________________________________ in order to perform their duties

4


Access Control Terminology (continued) Computer access control can be accomplished by

one of ________ entities: _____________________, or a __________________

Access control can take ___________________ depending on the resources that are being protected

Other terminology is used to describe how computer systems impose access control: _____________ specific _______________ _______________________________________ ______________- action taken by subject over object

5

Security+ Guide to Network Security Fundamentals, Third Edition 6

Access Control Terminology (continued)

Different roles of individuals summarized here…

=

ADMINISTRATOR



Access Control Models Access control model

Provides a ____________________ for hardware and software developers who need to implement _______________ in their devices or applications

Once an access control model is applied custodians (administrators) can __________ ________________________________ set by the owner So that end users can perform their job functions

_________ major Access Control models as seen in the following slides…

8


Access Control Models (continued)1. Mandatory Access Control (_________) model

The ______________________________________ any controls

The ______________________ are responsible for __________________ access controls Owner defines policy Custodian implements that policy

This is the most _________________ model because all controls are ______________

In the original MAC model, all objects and subjects were assigned a numeric access level but now ____ such as Secret, Classified and Confidential are used

9


Access Control Models (continued)2. Discretionary Access Control (_________)

model The ________________________ A subject has _______________ over any objects

that he or she _____________ Along with the programs that are associated with those

objects

In the DAC model, a subject can also ______ ______________________ over objects

10


Access Control Models (continued) DAC has _______ significant weaknesses

It relies on the ____________ subject to _______ the _____________________________

A subject’s ___________ will be “_________” by any programs that the subject executes

User Account Control (UAC) Vista technology

Operating systems _____________________ for permission whenever software is installed

11


Access Control Models (continued) Vista technology Three primary security restrictions

implemented by UAC: Run with ________________ by default Applications run in ____________ user accounts _____________ users ____________________

Another way of controlling DAC inheritance is to _________________________________ ________________________________

12


Access Control Models (continued)3. _____ Based Access Control (______) model

Sometimes called __________________ Access Control

Considered a more “___________” approach than the other models

Assigns permissions to ____________________ __________, and then _____________________ Objects are set to be a certain type, to which subjects

with that particular role have access

13


Access Control Models (continued)4. _____ Based Access Control (_____) model

Also called the _________________ Access Control (RB-RBAC) model or ______________ provisioning

Can ____________________________ based on a ______________________ by a custodian Each resource object contains a set of access properties

based on the rules

Rule Based Access Control is often used for managing user access to one or more systems

14


Access Control Models (continued)

15


“Best” Practices for Access Control _____________________________

Requires that if the fraudulent application of a process could potentially result in a breach of security, then the process should be __________ ________________________________

Job rotation Instead of one person having sole responsibility

for a function, individuals are _______________ ___________________________

16


“Best” Practices for Access Control (continued) ____________________________

Each user should be given only the __________ ______________________ necessary to perform his or her job function

____________________________ If a condition is not explicitly met, then it is to be

_____________________

17


Logical Access Control Methods The methods to implement access control are

divided into ___________ broad categories ___________ access control __________ access control

Logical access control includes access control lists (_______), ___________, account __________, and ____________ More to come on each of these…

18

Access Control Lists (ACLs)

Access control list (_______) A _________________ that is attached to an object Specifies which subjects are ___________ ___________ the

object and what ____________ they can __________

These lists are viewed most often in relation to files maintained by the operating system

The structure behind ACL tables is a bit complex Access control entry (__________)

Each ____________________ in the Microsoft Windows, Linux, and Mac OS X operating systems

Security+ Guide to Network Security Fundamentals 19



Access Control Lists (ACLs) (continued) In Windows, the ACE includes four items of

information: A security identifier (_________) for the user

account, group account, or logon session An ____________ that _____________________

controlled by the ACE A __________ that indicates the type of ACE A set of ________ that determine whether objects

can _________________

21


Group Policies- A Windows Feature Group Policy

A feature that provides ______________ and _____________ of computers and remote users Using the Microsoft directory services known as Active

Directory (______)

Group Policy is usually used in __________ _____________ to __________________ that may pose a security risk

Group Policy settings are stored in Group Policy Objects (_________)

22


Two common Account Restrictions: ______________ restrictions

Limit when a user can log on to a system These restrictions can be set through a Group Policy Can also be set on individual systems

___________________________ The process of setting a user’s account to _____ Orphaned accounts are user accounts that

____________________________ an organization Can be controlled using account expiration Could be a ____________________

23



Passwords ________________

The most _______________________________ Part of the identification/authentication process of

access control A secret __________________________ that

only the user knows Overall- provides _______________ security

A password should ____________________ Must also be of a sufficient length and complexity

so that an attacker _______________________

25


Passwords (continued)


Passwords (continued) Attacks on passwords

____________________ attack Simply trying to __________________ through

combining a random combination of characters

Passwords typically are stored in an encrypted form called a “___________” Attackers try to _______________________ and

then ________________ the hashed passwords ________________ as noted in the next attack

See next slide…

27


Passwords (continued) Attacks on passwords (continued)

_____________________ attack Begins with the attacker _______________________

_____________________________________ And ____________________ those hashed dictionary

words against those in a _______________________

Use of ___________________________ Make password attacks easier by ________________

____________________________________ from nearly every possible password combination

28



Rainbow tables (continued) Generating a rainbow table requires a significant amount of

time Many tables made freely available for download from the

Internet

Rainbow table _________________________ Can be _______________ for attacks on other passwords Rainbow tables are _____________ than dictionary attacks The amount of _________________ on the attacking

machine is ________________________

29




Passwords (continued) One reason for the success of rainbow tables

is how older Microsoft Windows operating systems hash passwords

A ________________ against breaking encrypted passwords with rainbow tables… Hashing algorithm should include a

_______________________ as input along with the ________________________________ These random bits are known as a ______________

Make brute force, dictionary, and rainbow table attacks much ____________________

31


Passwords (continued) Password _________________

A strong password policy can provide _______________ against password attacks

The first password policy is to ______________________ _________________________________ What are some characteristics for strong passwords?

One of the best defenses against rainbow tables is to _______________________________________ ________________________

How can we protect our operating systems and therefore our password hashes from attackers?

A final ___________ is to use a _______________ to help keep track of passwords

32



Domain password policy Setting password restrictions for a __________

______________ can be accomplished through the Windows Domain password policy

There are _________ common domain password policy settings, called password setting objects

See next slide…

33



Physical Access Control

Physical access control primarily protects __________________________ And is designed to ______________________

from ____________________________ to equipment in order to use, steal, or vandalize it

Physical access control includes computer security, door security, mantraps, video surveillance, and physical access logs

More to come on each of these…

35


Computer Security

The most fundamental step in physical security is to ________________________

Good idea to _____________________ such as USB ports or DVD drives Prevents attacker from installing programs or

stealing sensitive data ___________________________ in an

organization is important

36


Door Security

_________________________ __________ lock

The easiest to use because it requires only a key for unlocking the door from the outside

Security provided by a preset lock is ________ _____________ lock

Extends a solid metal bar into the door frame for ________________________

Is much more ________________ than preset locks Requires that the key be used to both open and lock the

door

37


Door Security (continued) Door access systems

_________ lock Combination locks that _____________ that must be pushed

in the proper sequence to open the door __________________ to allow only the code of certain

individuals to be valid on specific dates and times Cipher locks also __________________ of when the door

was opened and by which code Cipher locks are typically connected to a _____________

___________________________________ Can be monitored and controlled from one central location

38



Door Security (continued) Door access systems (continued)

Cipher lock ____________________ Basic models can cost several hundred dollars while

advanced models can be even more _______________ Users must be careful to conceal which buttons they

push to ______________________ or photographing the __________________________

40


Door Security (continued) Door access systems (continued)

_________________________ Use multiple _____________ that are aimed across a

doorway and positioned so that as a ____________ _________________ the doorway… Some beams are activated and then other beams are

activated a short time later Can detect if a second person walks through the beam

array _________________ (“tailgates”) the first person

41


Door Security (continued) Physical _________________

Objects to _____________________ ____________________

The ________________ types of physical tokens Contains magnetic strip or barcode to id user

Today, ID badges can be fitted with tiny radio frequency identification (____________) tags Can be read by an ________________ as the user

walks through the door with the badge in her pocket __________________ since emitted signal can be

picked up by anyone

42


Mantraps A security device that monitors and controls

two _____________________________ (a vestibule) that separates a non-secured area from a secured area Only __________ door can be opened at a time

Mantraps are used at _______________ where only authorized persons are allowed to enter

43


Video Surveillance Closed circuit television (_________)

Using _______________ to transmit a signal to a specific and limited set of receivers

Some CCTV cameras are fixed in a single position pointed at a door or a hallway

Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view

44


Physical Access Log

A _______________________________ ____________________, the time that they entered, and the time they left the area

Can also identify if unauthorized personnel have accessed a secure area

45


Summary Access control is the process by which

resources or services are denied or granted Best practices for implementing access control

include separation of duties, job rotation, using the principle of least privilege, and using implicit deny

Logical access control methods include using access control lists (ACLs), which are provisions attached to an object

46


Summary (continued)

Passwords, sometimes known as logical tokens, are a secret combination of letters and numbers that only the user should know

Physical access control attempts to limit access to computer equipment by unauthorized users

47

Documents

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals