Security+ Guide to Network Security Fundamentals, Third
Download
Report
Transcript Security+ Guide to Network Security Fundamentals, Third
Security+ Guide to Network
Security Fundamentals, Third
Edition
Chapter 7
Access Control Fundamentals
Objectives
Define access control and list the four access
control models
Describe logical access control methods
Explain the different types of physical access
control
Security+ Guide to Network Security Fundamentals, Third Edition
2
What Is Access Control?
Access control
The process by which _____________________
________________________________________
______________________________
There are ______________ standard access
control models as well as specific practices
used to enforce access control
See next slide for details…
Security+ Guide to Network Security Fundamentals, Third Edition
3
Access Control Terminology
Identification
Authentication
___________________________ (such as _____________
or ____________ scan) to be sure that they are authentic
Authorization
A user ____________________________ would present
_____________ or identification, such as a _____________
________________________ to take the action
A computer user is granted access
To ________________________________ in order to
perform their duties
Security+ Guide to Network Security Fundamentals, Third Edition
4
Access Control Terminology
(continued)
Computer access control can be accomplished by
one of ________ entities: _____________________,
or a __________________
Access control can take ___________________
depending on the resources that are being protected
Other terminology is used to describe how computer
systems impose access control:
_____________ specific _______________
_______________________________________
______________- action taken by subject over object
Security+ Guide to Network Security Fundamentals, Third Edition
5
Access Control Terminology
(continued)
Different roles of individuals summarized here…
=
ADMINISTRATOR
Security+ Guide to Network Security Fundamentals, Third Edition
6
Security+ Guide to Network Security Fundamentals, Third Edition
7
Access Control Models
Access control model
Once an access control model is applied
custodians (administrators) can __________
________________________________ set
by the owner
Provides a ____________________ for hardware
and software developers who need to implement
_______________ in their devices or applications
So that end users can perform their job functions
_________ major Access Control models as
seen in the following slides…
Security+ Guide to Network Security Fundamentals, Third Edition
8
Access Control Models (continued)
1. Mandatory Access Control (_________) model
The ______________________________________ any
controls
The ______________________ are responsible for
__________________ access controls
Owner defines policy
Custodian implements that policy
This is the most _________________ model
because all controls are ______________
In the original MAC model, all objects and subjects
were assigned a numeric access level but now ____
such as Secret, Classified and Confidential are used
Security+ Guide to Network Security Fundamentals, Third Edition
9
Access Control Models (continued)
2. Discretionary Access Control (_________)
model
The ________________________
A subject has _______________ over any objects
that he or she _____________
Along with the programs that are associated with those
objects
In the DAC model, a subject can also ______
______________________ over objects
Security+ Guide to Network Security Fundamentals, Third Edition
10
Access Control Models (continued)
DAC has _______ significant weaknesses
It relies on the ____________ subject to _______
the _____________________________
A subject’s ___________ will be “_________” by
any programs that the subject executes
User Account Control (UAC)
Vista technology
Operating systems _____________________ for
permission whenever software is installed
Security+ Guide to Network Security Fundamentals, Third Edition
11
Access Control Models (continued)
Vista technology
Three primary security restrictions
implemented by UAC:
Run with ________________ by default
Applications run in ____________ user accounts
_____________ users ____________________
Another way of controlling DAC inheritance is
to _________________________________
________________________________
Security+ Guide to Network Security Fundamentals, Third Edition
12
Access Control Models (continued)
3. _____ Based Access Control (______) model
Sometimes called __________________ Access
Control
Considered a more “___________” approach than
the other models
Assigns permissions to ____________________
__________, and then _____________________
Objects are set to be a certain type, to which subjects
with that particular role have access
Security+ Guide to Network Security Fundamentals, Third Edition
13
Access Control Models (continued)
4. _____ Based Access Control (_____) model
Also called the _________________ Access
Control (RB-RBAC) model or ______________
provisioning
Can ____________________________ based on
a ______________________ by a custodian
Each resource object contains a set of access properties
based on the rules
Rule Based Access Control is often used for
managing user access to one or more
systems
Security+ Guide to Network Security Fundamentals, Third Edition
14
Access Control Models (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
15
“Best” Practices for Access Control
_____________________________
Requires that if the fraudulent application of a
process could potentially result in a breach of
security, then the process should be __________
________________________________
Job rotation
Instead of one person having sole responsibility
for a function, individuals are _______________
___________________________
Security+ Guide to Network Security Fundamentals, Third Edition
16
“Best” Practices for Access Control
(continued)
____________________________
Each user should be given only the __________
______________________ necessary to perform
his or her job function
____________________________
If a condition is not explicitly met, then it is to be
_____________________
Security+ Guide to Network Security Fundamentals, Third Edition
17
Logical Access Control Methods
The methods to implement access control are
divided into ___________ broad categories
___________ access control
__________ access control
Logical access control includes access
control lists (_______), ___________,
account __________, and ____________
More to come on each of these…
Security+ Guide to Network Security Fundamentals, Third Edition
18
Access Control Lists (ACLs)
Access control list (_______)
A _________________ that is attached to an object
Specifies which subjects are ___________ ___________
the object and what ____________ they can __________
These lists are viewed most often in relation
to files maintained by the operating system
The structure behind ACL tables is a bit
complex
Access control entry (__________)
Each ____________________ in the Microsoft Windows,
Linux,
Mac
OSFundamentals
X operating systems
Security+
Guide toand
Network
Security
19
Security+ Guide to Network Security Fundamentals, Third Edition
20
Access Control Lists (ACLs)
(continued)
In Windows, the ACE includes four items of
information:
A security identifier (_________) for the user
account, group account, or logon session
An ____________ that _____________________
controlled by the ACE
A __________ that indicates the type of ACE
A set of ________ that determine whether objects
can _________________
Security+ Guide to Network Security Fundamentals, Third Edition
21
Group Policies- A Windows Feature
Group Policy
A feature that provides ______________ and
_____________ of computers and remote users
Using the Microsoft directory services known as Active
Directory (______)
Group Policy is usually used in __________
_____________ to __________________
that may pose a security risk
Group Policy settings are stored in Group
Policy Objects (_________)
Security+ Guide to Network Security Fundamentals, Third Edition
22
Two common Account Restrictions:
______________ restrictions
Limit when a user can log on to a system
These restrictions can be set through a Group Policy
Can also be set on individual systems
___________________________
The process of setting a user’s account to _____
Orphaned accounts are user accounts that
____________________________ an
organization
Can be controlled using account expiration
Could be a ____________________
Security+ Guide to Network Security Fundamentals, Third Edition
23
Security+ Guide to Network Security Fundamentals, Third Edition
24
Passwords
________________
The most _______________________________
Part of the identification/authentication process of
access control
A secret __________________________ that
only the user knows
Overall- provides _______________ security
A password should ____________________
Must also be of a sufficient length and complexity
so that an attacker _______________________
Security+ Guide to Network Security Fundamentals, Third Edition
25
Passwords (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
26
Passwords (continued)
Attacks on passwords
____________________ attack
Simply trying to __________________ through
combining a random combination of characters
Passwords typically are stored in an
encrypted form called a “___________”
Attackers try to _______________________ and
then ________________ the hashed passwords
________________ as noted in the next attack
See next slide…
Security+ Guide to Network Security Fundamentals, Third Edition
27
Passwords (continued)
Attacks on passwords (continued)
_____________________ attack
Begins with the attacker _______________________
_____________________________________
And ____________________ those hashed dictionary
words against those in a _______________________
Use of ___________________________
Make password attacks easier by ________________
____________________________________ from
nearly every possible password combination
Security+ Guide to Network Security Fundamentals, Third Edition
28
Passwords (continued)
Rainbow tables (continued)
Generating a rainbow table requires a significant amount of
time
Many tables made freely available for download from the
Internet
Rainbow table _________________________
Can be _______________ for attacks on other passwords
Rainbow tables are _____________ than dictionary attacks
The amount of _________________ on the attacking
machine is ________________________
Security+ Guide to Network Security Fundamentals, Third Edition
29
Passwords (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
30
Passwords (continued)
One reason for the success of rainbow tables
is how older Microsoft Windows operating
systems hash passwords
A ________________ against breaking
encrypted passwords with rainbow tables…
Hashing algorithm should include a
_______________________ as input along with
the ________________________________
These random bits are known as a ______________
Make brute force, dictionary, and rainbow table
attacks much ____________________
Security+ Guide to Network Security Fundamentals, Third Edition
31
Passwords (continued)
Password _________________
A strong password policy can provide _______________
against password attacks
The first password policy is to ______________________
_________________________________
What are some characteristics for strong passwords?
One of the best defenses against rainbow tables is
to _______________________________________
________________________
How can we protect our operating systems and
therefore our password hashes from attackers?
A final ___________ is to use a _______________
to help keep track of passwords
Security+ Guide to Network Security Fundamentals, Third Edition
32
Passwords (continued)
Domain password policy
Setting password restrictions for a __________
______________ can be accomplished through
the Windows Domain password policy
There are _________ common domain password
policy settings, called password setting objects
See next slide…
Security+ Guide to Network Security Fundamentals, Third Edition
33
Security+ Guide to Network Security Fundamentals, Third Edition
34
Physical Access Control
Physical access control primarily protects
__________________________
And is designed to ______________________
from ____________________________ to
equipment in order to use, steal, or vandalize it
Physical access control includes computer
security, door security, mantraps, video
surveillance, and physical access logs
More to come on each of these…
Security+ Guide to Network Security Fundamentals, Third Edition
35
Computer Security
The most fundamental step in physical
security is to ________________________
Good idea to _____________________ such
as USB ports or DVD drives
Prevents attacker from installing programs or
stealing sensitive data
___________________________ in an
organization is important
Security+ Guide to Network Security Fundamentals, Third Edition
36
Door Security
_________________________
__________ lock
The easiest to use because it requires only a key for
unlocking the door from the outside
Security provided by a preset lock is ________
_____________ lock
Extends a solid metal bar into the door frame for
________________________
Is much more ________________ than preset locks
Requires that the key be used to both open and lock the
door
Security+ Guide to Network Security Fundamentals, Third Edition
37
Door Security (continued)
Door access systems
_________ lock
Combination locks that _____________ that must be pushed
in the proper sequence to open the door
__________________ to allow only the code of certain
individuals to be valid on specific dates and times
Cipher locks also __________________ of when the door
was opened and by which code
Cipher locks are typically connected to a _____________
___________________________________
Can be monitored and controlled from one central location
Security+ Guide to Network Security Fundamentals, Third Edition
38
Security+ Guide to Network Security Fundamentals, Third Edition
39
Door Security (continued)
Door access systems (continued)
Cipher lock ____________________
Basic models can cost several hundred dollars while
advanced models can be even more _______________
Users must be careful to conceal which buttons they
push to ______________________ or photographing the
__________________________
Security+ Guide to Network Security Fundamentals, Third Edition
40
Door Security (continued)
Door access systems (continued)
_________________________
Use multiple _____________ that are aimed across a
doorway and positioned so that as a ____________
_________________ the doorway…
Some beams are activated and then other beams are
activated a short time later
Can detect if a second person walks through the beam
array _________________ (“tailgates”) the first person
Security+ Guide to Network Security Fundamentals, Third Edition
41
Door Security (continued)
Physical _________________
Objects to _____________________
____________________
The ________________ types of physical tokens
Contains magnetic strip or barcode to id user
Today, ID badges can be fitted with tiny radio
frequency identification (____________) tags
Can be read by an ________________ as the user
walks through the door with the badge in her pocket
__________________ since emitted signal can be
picked up by anyone
Security+ Guide to Network Security Fundamentals, Third Edition
42
Mantraps
A security device that monitors and controls
two _____________________________ (a
vestibule) that separates a non-secured area
from a secured area
Only __________ door can be opened at a time
Mantraps are used at _______________
where only authorized persons are allowed to
enter
Security+ Guide to Network Security Fundamentals, Third Edition
43
Video Surveillance
Closed circuit television (_________)
Using _______________ to transmit a signal to a
specific and limited set of receivers
Some CCTV cameras are fixed in a single
position pointed at a door or a hallway
Other cameras resemble a small dome and
allow the security technician to move the
camera 360 degrees for a full panoramic view
Security+ Guide to Network Security Fundamentals, Third Edition
44
Physical Access Log
A _______________________________
____________________, the time that they
entered, and the time they left the area
Can also identify if unauthorized personnel
have accessed a secure area
Security+ Guide to Network Security Fundamentals, Third Edition
45
Summary
Access control is the process by which
resources or services are denied or granted
Best practices for implementing access control
include separation of duties, job rotation, using
the principle of least privilege, and using
implicit deny
Logical access control methods include using
access control lists (ACLs), which are
provisions attached to an object
Security+ Guide to Network Security Fundamentals, Third Edition
46
Summary (continued)
Passwords, sometimes known as logical
tokens, are a secret combination of letters and
numbers that only the user should know
Physical access control attempts to limit
access to computer equipment by
unauthorized users
Security+ Guide to Network Security Fundamentals, Third Edition
47