CISSP CBK 2 Access Control - PowerPoint PPT Presentation


PPT – CISSP CBK 2 Access Control PowerPoint presentation | free to download - id: 3af291-OGQwZ


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

CISSP CBK 2 Access Control


CISSP CBK #2 Access Control Access Control This Chapter presents the following material Identification Methods and technologies Authentication Methods DAC, MAC and ... – PowerPoint PPT presentation

Number of Views:802
Avg rating:3.0/5.0
Slides: 132
Provided by: paladingr
Learn more at:
Tags: cbk | cissp | access | control


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: CISSP CBK 2 Access Control

CISSP CBK 2 Access Control
Access Control
  • This Chapter presents the following material
  • Identification Methods and technologies
  • Authentication Methods
  • DAC, MAC and role based (non-DAC) models
  • Accountability, monitoring, and auditing
  • Unauthorized Disclosure of Information
  • Intrusion Detection Systems
  • Threats to access control practices and

Access Controls
  • Access controls are security features that
    control how people can interact with systems, and
  • Goal is to protect from un-authorized access.

  • Access is the data flow between an subject.
  • Subject is a person, process or program
  • Object is a resource (file, printer etc)

Access Control (157)
  • Access control should support the CIA triad!
  • Lets quickly go over the CIA triad again

Components of Access Control (158)
  • Quick overview details on each coming up
  • Identification who am I? (userid etc)
  • Authentication prove that I am who I say I
  • Authorization now what am I allowed to access
  • Auditing Big Brother can see what I accessed.

  • Logical (technical) access controls are used for
    these 4 items.
  • Things like smart cards and biometrics, and
    passwords, and audit system, and SELinux these
    are all examples of logical

Identification (159 162)
  • Identifies a user uniquely (hopefully)
  • SSN, UID, SID, Username
  • Should Uniquely identify a user for
    accountability (dont share)
  • Standard naming scheme should be used
  • Identifier should not indicate extra information
    about user (like position)
  • DO NOT SHARE (NO group accounts)

Authentication (160)
  • Proving who you say you are, usually one of these
  • Something you know (password)
  • Something you have (smart card)
  • Something you are (biometrics)
  • What is wrong with just using one of these

Strong Authentication (161)
  • Strong Authentication is the combination of 2 or
    more of these (also called multi-factor
    authentication) and is encouraged!
  • Strong Authentication provides a higher level of

  • What does this mean?
  • What are some type of authorization mechanism?
    (ACLs, permissions)
  • We will go more indepth on this later
  • Authorization is a preventative control (we
    will talk about controls later)

  • What is the purpose of auditing?
  • Auditing is a detective control (we will talk
    about this later)

  • Identification what is it?
  • Authentication how is this different from
  • Authorization what does this mean?
  • Auditing whats the point?

Identity Management (162)
  • Identity management products are used to id,
    authenticate and authorize users in an automated
    means. Its a broad term.
  • These products may (or may not) include
  • User account management
  • Access controls
  • Password management
  • Single Sign on
  • Permissions

ID Management and the CISSP (164)
  • Know for the exam that ID management solutions
  • Directories
  • Web Access Management
  • Password Management
  • Single Sign On
  • Account Management
  • Profile update

Profiles updates
  • What is a profile (not a windows profile)
  • A profiles is the collection of data about a
  • Email
  • Home address
  • Phone
  • Start date
  • Certifications
  • etc

Profile updates (117)
  • IdM systems may have centralized tools to manage
    profiles, may have self service portals where
    users can update their own info.
  • Profiles are similar to digital Identity

Directories (165)
  • Information about the users and resources
  • LDAP (based on X.500)
  • Key concept is namespaces (like branches of a
    tree) and DN (distinguished names) Can anyone
    explain namespaces and DNs?
  • DNCN and multiple DCs can include OUs
  • Active Directory (an implementation of LDAP)
  • Legacy NT (flat directory structure)
  • Novell Netware (???)

Directories Role in ID management
  • Specialized database optimized for reading and
    searching operations
  • Important because all resource info, users
    attributes, authorization info, roles, policies
    etc can be stored in this single place.
  • Directories allow for centralized management!
    However these can be broken up and delegated.
    (trees in a forest)

Meta and Virtual Directories (167)
  • Meta-directories allow for a centralized
    directory if users information is in multiple
    different directories (meta-directories
    synchronizes its data against the other
  • Like meta-dirs, but instead of storing data, just
    provide links or pointers to the data in the
    alternate directory
  • Advantages and Disadvantages?

Web Access management (168)
  • Uses a webserver(s) to deliver resources
  • Users authentications against the web server
    using whatever Auth scheme implemented
  • If authenticated requests and object
  • Web server verifies authorization
  • If so web server returns objects
  • Mainly used for external users/access
  • Very Web 2.0, you probably see a lot of this now
    a days.

Password Management (171)
  • Allows for users to change their passwords,
  • May allow users to retrieve/reset password
    automatically using special information
    (challenge questions) or processes
  • Helpdesk assisted resets/retrievals (same as
    above, but helpdesk people might ask questions
    instead of automated)
  • May handle password synchronization

Single Sign On
  • Log in one time, and access resources many places
  • Not the same as password synchronization
  • SSO software handles the authorization to
    multiple systems
  • What is a security problems with this?
  • What are advantages?

Account Management Software
  • Idea is to centrally manage user accounts rather
    than to manually create/update them on multiple
  • Often include workflow processes that allow
    distributed authorization. I.e.. A manager can
    put in a user request or authorize a request,
    tickets might be generated for a Key card system
    for their locations, Permissions might be created
    for their specific needs etc.
  • Automates processes
  • Can includes records keeping/auditing functions
  • Can ensure all accesses/accounts are cleaned up
    with users leave.

Federation (I hate this word) (178)
  • A Federation is multiple computing and/or network
    providers agreeing upon standards of operation in
    a collective fashion. (self governing entities
    that agree on common grounds to easy access
    between them)
  • A federated Identity is an identity and
    entitlements that can be used across business
    boundaries. (MS passport, Google checkout)

Identity Management Overview
  • Idea is to manage, identify and authorize users
    in an automated fashion
  • Know for the exam that ID management solutions
  • Directories
  • Web Access Management
  • Password Management
  • Single Sign On
  • Account Management
  • Profile update

Who needs ID management (178)
  • Really everyone! (at least anyone that you will
    probably deal with)
  • See table on Page 178

Biometrics (179)
  • Bio life, metrics - measure
  • Biometrics verifies (authenticates) an
    individuals identity by analyzing unique personal
    attribute (something they ARE)
  • Require enrollment before being used (what is
    enrollment? Any ideas)

Biometrics (179)
  • Can be based on
  • behavior (signature dynamics) might change over
  • Physical attribute (fingerprints, iris, retina
  • We will talk about the different types of
    biometrics later
  • Can give incorrect results
  • False negative Type 1 error (annoying)
  • False positive Type 2 error (very bad)

CER (179)
  • Crossover Error Rate (CER) is an important
    metric that is stated as a percentage that
    represents the point at which the false rejection
    rate equals the false positive rate.
  • Lower number CER is better/more accurate. (3 is
    better than an 4)
  • Also called Equal Error Rate
  • Use CER to compare vendors products objectively

Biometrics (180)
  • Systems can be calibrated, for example of you
    adjust the sensitivity to decrease fall
    positives, you probably will INCREASE false
    negatives, this is where the CER come in.
  • Draw diagram on board
  • Some areas (like military) are more concerned
    with one error than the other (ex. Would rather
    deny a valid user than accept an invalid user)
  • Can you think of any situations for each case?

Biometric problems?
  • Expensive
  • Unwieldy
  • Intrusive
  • Can be slow (should not take more than 5-10
  • Complex (enrollment)

Biometric Types Overview (182)
  • We will talk in more depth of each in the next
    couple slides
  • Fingerprint
  • Palm Scan
  • Hand Geometry
  • Retina Scan
  • Iris Scan
  • Keyboard Dynamics
  • Voice Print
  • Facial Scan
  • Hand Topography

Fingerprint (182)
  • Measures ridge endings an bifurcations (changes
    in the qualitative or topological structure) and
    other details called minutiae
  • Full fingerprint is stored, the scanners just
    compute specific features and values and sends
    those for verification against the real

Palm Scan
  • Creases, ridges, grooves
  • Can include fingerprints

Hand Geometry
  • Overall shape of hand
  • Length and width of fingers
  • This is significantly different between

Retina Scan
  • Reads blood vessel patterns on the back of the
  • Patterns are extremely unique

Iris Scan
  • Measures colors
  • Measures rifts
  • Measures rings
  • Measures furrow (wrinkle, rut or groove)
  • Most accurate of all biometric systems
  • IRIS remains constant through adulthood
  • Place scanner so sun does NOT shine through

Signature Dynamics
  • Most people sign in the same manner (really???)
  • Monitor the motions and the pressure while moving
    (as opposed to a static signature)
  • Type I (what is type I again?) error high
  • Type II (what is type II again?) error low

Keyboard dynamics
  • Measure the speeds and motions as you type,
    including timed difference between characters
    typed. For a given phrase
  • This is more effective than a password believe it
    or not, as it is hard to repeats someone's typing
    style, where as its easy to get someone's

Voice Print
  • Enrollment, you say several different phrases.
  • For authentication words are jumbled.
  • Measures speech patterns, inflection and
    intonation (i.e.. pitch and tone)

Facial Scan
  • Geometric measurements of
  • Bone structure
  • Nose ridges
  • Eye width
  • Chin shape
  • Forehead size

Hand Topography
  • Peaks and valleys of hand along with overall
    shape and curvature
  • This is opposed to size and width of the fingers
    (hand geometry)
  • Camera on the side at an angle snaps a pictures
  • Not unique enough to stand on its own, but can
    be used with hand geometry to add assurance

Biometrics wrap up
  • We covered a bunch of different biometrics
  • Understand some are behavioral based
  • Voice print
  • Keyboard dynamics
  • Can change over time
  • Some are physically based
  • Fingerprint
  • Iris scan

Biometrics wrap Up
  • Fingerprints are probably the most commonly used
    and cheapest
  • Iris scanning provides the most assurance
  • Some methods are intrusive
  • Understand Type I and Type II errors
  • Be able to define CER, is a lower CER value
    better or worse?

Passwords (184)
  • What is a password? (someone tell me because I
  • Works on what you KNOW
  • Simplest form of authentication
  • Cheapest form of authentication
  • Oldest form of authentication
  • Most commonly used form of authentication
  • WEAKEST form of authentication

Problems with Passwords (184)
  • People write down passwords (bad)
  • People use weak passwords (bad)
  • People re-use passwords (bad)
  • If you make passwords to hard to remember people
    often write them down
  • If you make them too easy they are easily cracked

How to make a good password
  • Dont use common words
  • Dont use names or birthdates
  • Use at least 8 characters
  • Combine numbers, symbols and case
  • Use a phrase and take attributes of a phrase,
    transpose characters

Attacks on Password (185)
  • Sniffing (Electronic Monitoring)
  • Brute force attacks
  • Dictionary Attack
  • Social Engineering (what is social Engineering?)
  • Rainbow tables a table that contains passwords
    in hash format for easy/quick comparison

Passwords and the OS (184)
  • The OS should enforce password requirements
  • Aging when a password expires
  • Reuse of old passwords
  • Minimum number of characters
  • Limit login attempts disable logins after a
    certain number of failed attempts

System password protection
  • System should NOT store passwords in plaintext.
    Use a hash (what is a hash?)
  • Can encrypt hashes
  • Passwords salts random values added to the
    encryption/hash process to make it harder to
    brute force (one password may hash/encrypt to
    multiple different results)

Cognitive passwords (187)
  • Not really passwords, but facts that only a user
    would know. Can be used to verify who you are
    talking to without giving out password, or for
    password reset challenges.
  • Not really secure, Im not a big fan.

One Time Password
  • Password is good only once then no longer valid
  • Used in high security environments
  • VERY secure
  • Not vulnerable to electronic eavesdropping, but
    vulnerable to loss of token, (though must have
  • Require a token device to generate passwords.
    (RSA SecureID key is an example)

One Time Password Token Type
  • One of 2 types
  • Synchronous uses time to synchronize between
    token and authentication server
  • Clocks must be synchronized!
  • Can also use counter-sync which a button is
    pushed that increments values on the token and
    the server

OTP Token Types (189)
  • Asynchronous
  • Challenge response
  • Auth sends a challenge (a random value called a
  • User enters nonce into token, along with PIN
  • Token encrypts nonce and returns value
  • Users inputs value into workstation
  • If server can decrypt then you are good.

Other Types of Authentication (190)
  • Digital Signature (talk about in more depth in
    chapter 8).
  • Take a hash value of a message, encrypt hash with
    your private key
  • Anyone with your public key can decrypt and
    verify message is from you.

Passphrase (190)
  • Simply a phrase, application will probably make a
    virtual password from the passphrase (etc a
  • Generally more secure than a password
  • Longer
  • Yet easier to remember

Memory Cards (191)
  • NOT a smart card
  • Holds information, does NOT process
  • A memory card holds authentication info, usually
    youll want to pair this with a PIN WHY? You
    tell me.
  • A credit card or ATM card is a type of memory
    card, so is a key/swipe card
  • Usually insecure, easily copied.

Smart Card (193)
  • Much more secure than memory cards
  • Can actually process information
  • Includes a microprocessor and ICs
  • Can provide two factor authentication, as you the
    card can store authentication protected by a pin.
    (so you need the card, and you need to know
  • Two type
  • Contact
  • contactless

Smart Card Attacks (193)
  • There are attacks against smart cards
  • Fault generation manipulate environmental
    controls and measure errors in order to reverse
    engineer logic etc.

Smart Card Attacks
  • Side Channel Attacks Measure the cards while
    they work
  • Differential power analysis measure power
  • Electromagnetic analysis example frequencies

Smart Card Attacks
  • Micro probing - using needles to vibrations to
    remove the outer protection on the cards
    circuits. Then tap into ROMS if possible or die
    ROMS to read data (use chemicals to stain ROMS
    and determine values) (this is actually done
    someone just reversed engineered the game boy
    BIOS using this method)

OK enough authentication already
  • Now that I am who I say I am, what can I do?
  • Both OSes and Applications can provide this
  • Authorization can be provided based on user,
    groups, roles, rules, physical location, time of
    day (temporal isolation) or transaction type
    (example a teller may be able to withdrawal small
    amounts, but require manager for large

Authorization principals (pg 197)
  • Default NO access (implicit deny)
  • Need to Know

Authorization Creep (197)
  • What is authorization creep? (permissions
    accumulate over time even if you dont need them
  • Auditing authorization can help mitigate this.
    SOX requires yearly auditing.

Single Sign on (200)
  • Why is this section here? Its poorly located,
    but anyway lets follow the flow of the book)

  • Idea
  • One identification/authentication instance for
    all networks/systems/resources
  • Eases management
  • Makes things more secure (not written down
    passwords hopefully)
  • Can focus budgets and time on securing one method
    rather than many!
  • Makes things integrated

SSO downsides
  • Centralized point of failure
  • Can cause bottlenecks
  • All vendors have to play nicely (good luck)
  • Often very difficult to accomplish (golden ring
    of network authentication)
  • One ring to bind them all! ( If you
    can access once, you can access ALL!

SSO technologies
  • Kerberos (yeay!)

Kerberos (201)
  • From MITs Athena project
  • Designed to eliminate transmitting passwords over
    the network.
  • Scalable, reliable, secure, flexible
  • Uses Symmetric Key cryptology

Kerberos Components (201)
  • Key Distribution Center. (you CAN/SHOULD have
    backups KDCs, though the exam states that this is
    a central point of failure for Kerberos)
  • Principals (users, applications, and services)
    each principal gets an account!
  • Tickets, generated by TGS on KDC
  • Important ticket is the Ticket Granting Ticket
  • Realm is the domain of all principals that a
    Kerberos server provides tickets for.

Kerberos Process (202)
  • Go over process on page 202
  • Understand the different between a session key
    and a secret key (pg 203)
  • Note Kerberos systems MUST be time synchronized

Kerberos Problems
  • Single point of failure (though this can be made
  • KDC must be scalable
  • Secret keys are stored on the workstation, if you
    can get these keys, you can break things
  • Same with session keys
  • Vulnerable to password guessing
  • Traffic is not encrypted if not enabled

  • European technology, developed to extend Kerberos
    and improve on its weaknesses
  • Sesame uses both symmetric and asymmetric
  • Uses Privileged Attribute Certificates rather
    than tickets, PACS are digitally signed and
    contain the subjects identity, access
    capabilities for the object, access time period
    and lifetime of the PAC.
  • PACS come from the Privileged Attribute Server.

SESAME procedure (205)
  • See page 206, note that SESAME uses
    public/private keys for initial authentication.
    (send an authenticator message, and a timestamp
    or random number, sign this message)

Access Control Models (211)
  • A framework that dictates how subjects access
  • Uses access control technologies and security
    mechanisms to enforce the rules
  • Business goals and culture of the organization
    will prescribe which model it uses
  • Every OS has a security kernel/reference monitor
    (talk about in another chapter) that enforces the
    access control model.

Access Control Models
  • DAC
  • MAC
  • Roles based
  • Each will be discussed in upcoming slides

  • Discretionary Access Control
  • Owner or creator of resource specifies which
    subjects have which access to a resource. Based
    on the Discretion of the data owner
  • Common example is an ACL (what is an ACL?)
  • Commonly implemented in commercial products
    (Windows, Linux, MacOS)

  • Mandatory Access Control
  • Data owners cannot grant access!
  • OS makes the decision based on a security label
  • Users and Data are given a clearance level
    (confidential, secret, top secret etc)
  • Rules for access are configured by the security
    officer and enforced by the OS.

MAC (212)
  • MAC is used where classification and
    confidentiality is of utmost importance
  • Generally you have to buy a specific MAC system,
    DAC systems dont do MAC
  • SELinux
  • Trusted Solaris

MAC sensitivity labels
  • Again all objects in a MAC system have a security
  • Security labels can be defined the organization.
  • They also have categories to support need to
    know _at_ a certain level.
  • Categories can be defined by the organization
  • If I have top secret clearance can I see all
    projects in the secret level???

Role Based Access Control (214)
  • Also called non-discretionary.
  • Uses a set of controls to determine how subjects
    and objects interact.
  • Allows you to be assigned a role, and your roles
    dictates your access to a resources, rather than
    your direct user.
  • This scales better than DAC methods
  • You dont have to continually change ACLs or
    permissions per user, nor do you have to remember
    what perms to set on a new user, just make them a
    certain role
  • You can simulate this with groups in Windows
    and Linux, especially with LDAP/AD.

Role based Access control
  • When to use
  • If you need centralized access
  • If you DONT need MAC )
  • If you have high turnover

Software and Hardware Guards
  • Allow the exchange of data between trusted and
    less trusted systems. We will talk about this in
    another chapter, lets not worry about it now.

Access Control technologies that support access
control models (217)
  • We will talk more in depth of each in the next
    few slides.
  • Rule-based Access Control
  • Constrained User Interfaces
  • Access Control Matrix
  • Access Control Lists
  • Content-Dependant Access Control
  • Context-Dependant Access Control

Rule Based Access Control (217)
  • Uses specific rules that indicate what can and
    cannot transpire between subject and object.
  • if x then y logic
  • Before a subject can access and object it must
    meet a set of predefined rules.
  • ex. If a user has proper clearance, and its
    between 9AM -5PM then allow access
  • However it does NOT have to deal specifically
    with identity/authorization
  • Ex. May only accept email attachments 5M or less

Rules Based Access Control
  • Is considered a compulsory control because the
    rules are strictly enforced and not modifiable by
  • Routers and firewalls use Rule Based access
    control heavily

Constrained User Interfaces (218)
  • Restrict user access by not allowing them see
    certain data or have certain functionality
  • Views only allow access to certain data (canned
  • Restricted shell like a real shell but only
    with certain commands. (like Cisco's non-enable
  • Menu similar but more gui
  • Physically constrained interface show only
    certain keys on a keypad/touch screen. like an
    ATM. (a modern type of menu) Difference is you
    are physically constrained from accessing them.

Access Control Matrix (220)
  • Table of subjects and objects indicating what
    actions individuals subjects can take on
    individual objects
  • See page 220 (top)

Capability Table
  • Bound to subjects, lists what permissions a
    subject has to each object
  • This is a row in the access matrix
  • (see 220 bottom)
  • NOT an ACL.. In fact the opposite

  • Lists what (and how) subjects may access a
    certain object.
  • Its a column of an access matrix
  • See page 220

Content Dependant Access Controls (221)
  • Access is determined by the type of data.
  • Example, email filters that look for specific
    things like confidential, SSN, images.
  • Web Proxy servers may be content based.

Context Dependant Access Control (221)
  • System reviews a Situation then makes a decision
    on access.
  • A firewall is a great example of this, if session
    is established, then allow
  • Another example, allow access to certain body
    imagery if previous web sessions are referencing
    medical data.

Review of Access Control Technology / Techniques
  • Constrained User Interfaces
  • view, shell, menu, physical
  • Access Control Matrix
  • Capability Tables
  • ACL
  • Content Dependant Access Control
  • Context Dependant Access Control
  • You should really know ALL of these and be able
    to differential between similar types!

Centralized Access Control Administration (223)
  • What is it?
  • A centralized place for configuring and managing
    access control
  • All the ones we will talk about (next) are AAA
  • Authentication
  • Authorization
  • Auditing

Centralized Access Control Technologies
  • We will talk about each of these in the upcoming
  • Radius
  • Diameter

Radius (223)
  • Initially developed by Livingston to authenticate
    modem users
  • Access Server sends credentials to Radius server.
    Which sends back authorization and connection
    parameters (IP address etc) (see diagram on 224)
  • Can use multiple authentication type (PAP, CHAP,
  • Uses UDP port 1812 , and auditing 1813
  • Sends Attribute Value Pair (Ex. IP192.168.1.1)
  • Access server notifies Radius server on
    disconnect (for auditing)

What is radius used for
  • Network access
  • Dial up
  • VLAN provisioning
  • IP address assignment

Radius benefits
  • Its been around, a lot of vendor support

Radius issues
  • Radius can share symmetric key between NAS and
    Radius server, but does not encrypt attribute
    value pairs, only user info. This could provide
    info to people doing reconnaissance
  • PAP password go clear text from dial up user to

TACACS() (225)
  • TACACS uses fixed passwords
  • TACACS uses TCP or UDP port 49
  • TACACS is old (1990) TACACS replaces it
  • TACACS can support one time passwords
  • Provides the same functionality of Radius
  • TACACS uses TCP port 49

TACACS benefits
  • TCP? Is this a benefit? Discuss
  • Encrypts ALL traffic
  • TACACS separates each AAA function.
  • For example can use AD for authentication (radius
    can actually do this too.. But you have to write
  • Has more AVP pairs than Radius, more flexible

Diameter (229)
  • Builds upon Radius
  • Similar functionality to Radius and TACACS
  • NOT Backwards compatible with Radius (book is
    wrong) but is similar and an upgrade path
  • Uses TCP, or STCP (stream TCP)

Diameter benefits
  • With Diameter the DS can connect to the NAS
    (i.e.. Could say kick user off now). Radius
    servers only respond to client requests.
  • Has a lot more AVP pairs (232 rather than 28)

Centralized Access Controls overview
  • Idea centralize access control
  • Radius, TACACS, diameter
  • Is Active Directory a type of Centralized Access
  • Decentralized is simply maintaining access
    control on all nodes separately.

Controls and Control Types
  • STOP
  • Before we move on you need to understand the
    definitions/terms that we are about to cover for
    the exam. (controls and control types) They are
    used ambiguously on the exam, so you need to
    think about them. We will give an overview now,
    but well keep seeing them again and again.

Controls and Control Types Not directly in book
  • There are Controls and Control types, need to
    understand these
  • Controls
  • Administrative
  • Physical
  • Technical
  • Now well talk about control types

Control types (241 skip ahead)
  • Types (can occur in each control category)
  • Deterrent intended to discourage attacks
  • Preventative intended to prevent incidents
  • Detective intended to detect incidents
  • Corrective intended to correct incidents
  • Recovery intended to bring controls back up to
    normal operation
  • Compensative provides alternative controls to
    other controls

Administrative Controls (back to 231)
  • Personnel HR practices
  • Supervisory Management practices (supervisor,
    corrective actions)
  • Training thats pretty obvious
  • Testing not technical, and managements
    responsibility to ensure it happens

Physical Controls (223)
  • Physical Network Segregation (not logical)
    ensure certain networks segments are physically
  • Perimeter Security CCTV, fences, security
    guards, badges
  • Computer Controls physical locks on computer
    equipment, restrict USB access etc.

Physical Controls continued
  • Work Area Separation keep accountants out of
    RD areas
  • Cabling shielding, Fiber
  • Control Zone break up office into logical areas
    (lobby public, RD- Top Secret, Offices

Technical or Logical controls (235)
  • Using technology to protect
  • System Access Kerberos, PKI, radius
    (specifically access to a system)
  • Network Architecture IP subnets, VLANS , DMZ
  • Network Access Routers, Switches and Firewalls
    that control access
  • Encryption protect confidentiality, integrity
  • Auditing logging and notification systems.

Ok we went out of order.. Skip to 247
  • This is out of WAY out of order, but for the exam
    you should know the table on 247 (Access control
    practices) lets read it together.

Unauthorized Disclosure of Information
  • Sometimes things are disclosed un-intentionally.
    In the next couple slides we will talk about
  • Object reuse
  • Emanation security

Object reuse (248)
  • Media may be re-used without cleaning off old
  • Fix this
  • Destroy or wipe (destroy) old data
  • Why destroy?
  • What is degaussing?

Emanation Security (249)
  • All devices give off electrical / magnetic
    signals. This can be used against you (weve all
    seen Alias and 24?)
  • Hard/expensive to do often but not always.
  • A non-obvious example is reading info from a CRT
    bouncing off something (weve seen CSI right?)
  • Tempest is a standard to develop countermeasures
    to protect against this.
  • Lets talk about emanation countermeasures

Emanation Countermeasures
  • Faraday cage a metal mesh cage around an
    object, it negates a lot of electrical/magnetic
  • White Noise a device that emits uniform
    spectrum of random electronics signals. You can
    buy sounds frequency white noise machines. (call
    centers, doctors)
  • Control Zones protect sensitive devices in
    special areas with special walls etc.

Intrusion detection (250)
  • IDS allow you to detect intrusion and
    unauthorized access.
  • Different types (we will discuss), but usually
    consist of
  • Sensors
  • Storage
  • Analysis engine
  • Management Console
  • (see diagram on 260)

  • Network Based
  • Monitor network traffic ONLY
  • Can be of multiple types (discuss later)
  • Watch out for switches (use mirroring), and
    subnets (use multiple sensors)

  • Host based installed on computers
  • Monitor logs
  • Monitor system activity
  • Monitor configuration files
  • Could monitor network traffic to and from the
    computer installed on only.
  • Multiple types discussed later

IDS types (251)
  • Signature based like a virus scanner, look for
    known attack signature
  • MUST be updated with new signatures
  • Will not stop unknown attacks (0-day)
  • Relatively high rate of assurance
  • Commonly used

Statistical Anomaly Based IDS / heuristic
  • Based on what is normal behavior (builds a
  • Detects when thing are not normal
  • Very subjective -
  • Very high rate of false positives, may lead to
    info being ignored.
  • Require high degree of knowledge and maintenance
    to run -
  • Can possibly detect zero days

Protocol based IDS
  • What is a protocol? Anyone?
  • Understand the protocols its watching (like
  • Looks for deviations from the normal protocol
  • Good to combined with other IDS types (signature
    based, or statistical based)
  • A lot of protocols are open to interpretation
    which can confuse protocol based IDS

Rules Based 255
  • Uses expert system/knowledge based systems.
  • These use a database of knowledge and an
    inference engine) to try to mimic human
    knowledge. Its like of a person was watching
    data in real time and had knowledge of how
    attacks work.

IDS review
  • Signature Based
  • Anomaly Based
  • Rule Based
  • When studding review the table on page 257

  • Like an IDS, but actively take steps to
    neutralize attacks in real time. (doest require
    IDS functionality)
  • Might reset TCP connections, might updates
    firewall rules to block traffic.
  • Cool right?
  • May create problems in troubleshooting network

Honey Pots/ Honey Nets (263)
  • Computer or network setup to distract attackers
    to this machine/net rather than the real
  • Can be restricted and monitored so you can see
    whos trying to do what, and stop them.
  • Be weary of enticement vs. entrapment. Can anyone
    explain the difference?

Threats to Access Control
  • We will talk about these later.. But lets review
    these now
  • Dictionary attacks what is this?
  • Sniffers what is this?
  • Brute force attacks how is this different then
    a dictionary attack.
  • Spoofing login/trusted path
  • Phishing
  • Identity theft

Wow that was a lot, lets review
  • Read quick tips on pg 269
  • Lets review the questions from the book.