Security+ Guide to Network Security Fundamentals, Third Edition
description
Transcript of Security+ Guide to Network Security Fundamentals, Third Edition
Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 7Access Control Fundamentals
Security+ Guide to Network Security Fundamentals, Third Edition
Objectives
Define access control and list the four access control models
Describe logical access control methods Explain the different types of physical access
control
2
Security+ Guide to Network Security Fundamentals, Third Edition
What Is Access Control?
Access control The process by which _____________________
______________________________________________________________________
There are ______________ standard access control models as well as specific practices used to enforce access control See next slide for details…
3
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Terminology Identification
A user ____________________________ would present _____________ or identification, such as a _____________
Authentication ___________________________ (such as _____________
or ____________ scan) to be sure that they are authentic Authorization
________________________ to take the action A computer user is granted access
To ________________________________ in order to perform their duties
4
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Terminology (continued) Computer access control can be accomplished by
one of ________ entities: _____________________, or a __________________
Access control can take ___________________ depending on the resources that are being protected
Other terminology is used to describe how computer systems impose access control: _____________ specific _______________ _______________________________________ ______________- action taken by subject over object
5
Security+ Guide to Network Security Fundamentals, Third Edition 6
Access Control Terminology (continued)
Different roles of individuals summarized here…
=
ADMINISTRATOR
Security+ Guide to Network Security Fundamentals, Third Edition 7
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models Access control model
Provides a ____________________ for hardware and software developers who need to implement _______________ in their devices or applications
Once an access control model is applied custodians (administrators) can __________ ________________________________ set by the owner So that end users can perform their job functions
_________ major Access Control models as seen in the following slides…
8
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued)1. Mandatory Access Control (_________) model
The ______________________________________ any controls
The ______________________ are responsible for __________________ access controls Owner defines policy Custodian implements that policy
This is the most _________________ model because all controls are ______________
In the original MAC model, all objects and subjects were assigned a numeric access level but now ____ such as Secret, Classified and Confidential are used
9
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued)2. Discretionary Access Control (_________)
model The ________________________ A subject has _______________ over any objects
that he or she _____________ Along with the programs that are associated with those
objects
In the DAC model, a subject can also ______ ______________________ over objects
10
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued) DAC has _______ significant weaknesses
It relies on the ____________ subject to _______ the _____________________________
A subject’s ___________ will be “_________” by any programs that the subject executes
User Account Control (UAC) Vista technology
Operating systems _____________________ for permission whenever software is installed
11
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued) Vista technology Three primary security restrictions
implemented by UAC: Run with ________________ by default Applications run in ____________ user accounts _____________ users ____________________
Another way of controlling DAC inheritance is to _________________________________ ________________________________
12
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued)3. _____ Based Access Control (______) model
Sometimes called __________________ Access Control
Considered a more “___________” approach than the other models
Assigns permissions to ____________________ __________, and then _____________________ Objects are set to be a certain type, to which subjects
with that particular role have access
13
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued)4. _____ Based Access Control (_____) model
Also called the _________________ Access Control (RB-RBAC) model or ______________ provisioning
Can ____________________________ based on a ______________________ by a custodian Each resource object contains a set of access properties
based on the rules
Rule Based Access Control is often used for managing user access to one or more systems
14
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Models (continued)
15
Security+ Guide to Network Security Fundamentals, Third Edition
“Best” Practices for Access Control _____________________________
Requires that if the fraudulent application of a process could potentially result in a breach of security, then the process should be __________ ________________________________
Job rotation Instead of one person having sole responsibility
for a function, individuals are _______________ ___________________________
16
Security+ Guide to Network Security Fundamentals, Third Edition
“Best” Practices for Access Control (continued) ____________________________
Each user should be given only the __________ ______________________ necessary to perform his or her job function
____________________________ If a condition is not explicitly met, then it is to be
_____________________
17
Security+ Guide to Network Security Fundamentals, Third Edition
Logical Access Control Methods The methods to implement access control are
divided into ___________ broad categories ___________ access control __________ access control
Logical access control includes access control lists (_______), ___________, account __________, and ____________ More to come on each of these…
18
Access Control Lists (ACLs)
Access control list (_______) A _________________ that is attached to an object Specifies which subjects are ___________ ___________ the
object and what ____________ they can __________
These lists are viewed most often in relation to files maintained by the operating system
The structure behind ACL tables is a bit complex Access control entry (__________)
Each ____________________ in the Microsoft Windows, Linux, and Mac OS X operating systems
Security+ Guide to Network Security Fundamentals 19
Security+ Guide to Network Security Fundamentals, Third Edition 20
Security+ Guide to Network Security Fundamentals, Third Edition
Access Control Lists (ACLs) (continued) In Windows, the ACE includes four items of
information: A security identifier (_________) for the user
account, group account, or logon session An ____________ that _____________________
controlled by the ACE A __________ that indicates the type of ACE A set of ________ that determine whether objects
can _________________
21
Security+ Guide to Network Security Fundamentals, Third Edition
Group Policies- A Windows Feature Group Policy
A feature that provides ______________ and _____________ of computers and remote users Using the Microsoft directory services known as Active
Directory (______)
Group Policy is usually used in __________ _____________ to __________________ that may pose a security risk
Group Policy settings are stored in Group Policy Objects (_________)
22
Security+ Guide to Network Security Fundamentals, Third Edition
Two common Account Restrictions: ______________ restrictions
Limit when a user can log on to a system These restrictions can be set through a Group Policy Can also be set on individual systems
___________________________ The process of setting a user’s account to _____ Orphaned accounts are user accounts that
____________________________ an organization Can be controlled using account expiration Could be a ____________________
23
Security+ Guide to Network Security Fundamentals, Third Edition 24
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords ________________
The most _______________________________ Part of the identification/authentication process of
access control A secret __________________________ that
only the user knows Overall- provides _______________ security
A password should ____________________ Must also be of a sufficient length and complexity
so that an attacker _______________________
25
Security+ Guide to Network Security Fundamentals, Third Edition 26
Passwords (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords (continued) Attacks on passwords
____________________ attack Simply trying to __________________ through
combining a random combination of characters
Passwords typically are stored in an encrypted form called a “___________” Attackers try to _______________________ and
then ________________ the hashed passwords ________________ as noted in the next attack
See next slide…
27
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords (continued) Attacks on passwords (continued)
_____________________ attack Begins with the attacker _______________________
_____________________________________ And ____________________ those hashed dictionary
words against those in a _______________________
Use of ___________________________ Make password attacks easier by ________________
____________________________________ from nearly every possible password combination
28
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords (continued)
Rainbow tables (continued) Generating a rainbow table requires a significant amount of
time Many tables made freely available for download from the
Internet
Rainbow table _________________________ Can be _______________ for attacks on other passwords Rainbow tables are _____________ than dictionary attacks The amount of _________________ on the attacking
machine is ________________________
29
Security+ Guide to Network Security Fundamentals, Third Edition 30
Passwords (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords (continued) One reason for the success of rainbow tables
is how older Microsoft Windows operating systems hash passwords
A ________________ against breaking encrypted passwords with rainbow tables… Hashing algorithm should include a
_______________________ as input along with the ________________________________ These random bits are known as a ______________
Make brute force, dictionary, and rainbow table attacks much ____________________
31
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords (continued) Password _________________
A strong password policy can provide _______________ against password attacks
The first password policy is to ______________________ _________________________________ What are some characteristics for strong passwords?
One of the best defenses against rainbow tables is to _______________________________________ ________________________
How can we protect our operating systems and therefore our password hashes from attackers?
A final ___________ is to use a _______________ to help keep track of passwords
32
Security+ Guide to Network Security Fundamentals, Third Edition
Passwords (continued)
Domain password policy Setting password restrictions for a __________
______________ can be accomplished through the Windows Domain password policy
There are _________ common domain password policy settings, called password setting objects
See next slide…
33
Security+ Guide to Network Security Fundamentals, Third Edition 34
Security+ Guide to Network Security Fundamentals, Third Edition
Physical Access Control
Physical access control primarily protects __________________________ And is designed to ______________________
from ____________________________ to equipment in order to use, steal, or vandalize it
Physical access control includes computer security, door security, mantraps, video surveillance, and physical access logs
More to come on each of these…
35
Security+ Guide to Network Security Fundamentals, Third Edition
Computer Security
The most fundamental step in physical security is to ________________________
Good idea to _____________________ such as USB ports or DVD drives Prevents attacker from installing programs or
stealing sensitive data ___________________________ in an
organization is important
36
Security+ Guide to Network Security Fundamentals, Third Edition
Door Security
_________________________ __________ lock
The easiest to use because it requires only a key for unlocking the door from the outside
Security provided by a preset lock is ________ _____________ lock
Extends a solid metal bar into the door frame for ________________________
Is much more ________________ than preset locks Requires that the key be used to both open and lock the
door
37
Security+ Guide to Network Security Fundamentals, Third Edition
Door Security (continued) Door access systems
_________ lock Combination locks that _____________ that must be pushed
in the proper sequence to open the door __________________ to allow only the code of certain
individuals to be valid on specific dates and times Cipher locks also __________________ of when the door
was opened and by which code Cipher locks are typically connected to a _____________
___________________________________ Can be monitored and controlled from one central location
38
Security+ Guide to Network Security Fundamentals, Third Edition 39
Security+ Guide to Network Security Fundamentals, Third Edition
Door Security (continued) Door access systems (continued)
Cipher lock ____________________ Basic models can cost several hundred dollars while
advanced models can be even more _______________ Users must be careful to conceal which buttons they
push to ______________________ or photographing the __________________________
40
Security+ Guide to Network Security Fundamentals, Third Edition
Door Security (continued) Door access systems (continued)
_________________________ Use multiple _____________ that are aimed across a
doorway and positioned so that as a ____________ _________________ the doorway… Some beams are activated and then other beams are
activated a short time later Can detect if a second person walks through the beam
array _________________ (“tailgates”) the first person
41
Security+ Guide to Network Security Fundamentals, Third Edition
Door Security (continued) Physical _________________
Objects to _____________________ ____________________
The ________________ types of physical tokens Contains magnetic strip or barcode to id user
Today, ID badges can be fitted with tiny radio frequency identification (____________) tags Can be read by an ________________ as the user
walks through the door with the badge in her pocket __________________ since emitted signal can be
picked up by anyone
42
Security+ Guide to Network Security Fundamentals, Third Edition
Mantraps A security device that monitors and controls
two _____________________________ (a vestibule) that separates a non-secured area from a secured area Only __________ door can be opened at a time
Mantraps are used at _______________ where only authorized persons are allowed to enter
43
Security+ Guide to Network Security Fundamentals, Third Edition
Video Surveillance Closed circuit television (_________)
Using _______________ to transmit a signal to a specific and limited set of receivers
Some CCTV cameras are fixed in a single position pointed at a door or a hallway
Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view
44
Security+ Guide to Network Security Fundamentals, Third Edition
Physical Access Log
A _______________________________ ____________________, the time that they entered, and the time they left the area
Can also identify if unauthorized personnel have accessed a secure area
45
Security+ Guide to Network Security Fundamentals, Third Edition
Summary Access control is the process by which
resources or services are denied or granted Best practices for implementing access control
include separation of duties, job rotation, using the principle of least privilege, and using implicit deny
Logical access control methods include using access control lists (ACLs), which are provisions attached to an object
46
Security+ Guide to Network Security Fundamentals, Third Edition
Summary (continued)
Passwords, sometimes known as logical tokens, are a secret combination of letters and numbers that only the user should know
Physical access control attempts to limit access to computer equipment by unauthorized users
47