• No results found

Accountability and Access Control

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "Accountability and Access Control"

Copied!
37
0
0

Loading.... (view fulltext now)

Download now ( 37 Page )

Full text

(1)

Accountability and

Access Control

Slide ke-1 Mata Kuliah: Keamanan Jaringan

(2)

Course Objectives

• Access Control

– Identification and Authentication – Techniques

– Methodology – Administration

(3)

Access Controls

• Access controls are security features that control how people can interact with

systems, and resources.

• Goal is to protect from un-authorized access.

• Access is the data flow between subject and resources. Subject is a person,

process or program. Object is a resource (file, printer etc).

(4)

Access Control’s Types

• Access controls are necessary to protect the confidentiality, integrity, and availability of objects.

– That is commonly called by CIA.

– It is sound silly, but still represent the idea ☺

• In fact, no single access control mechanism is deployed in such environment.

– Combining some types of access control mechanism to achieve more comprehensives security control.

(5)

Access Control’s Types (2)

• Access Control Types – Preventive – Deterrent – Detectives – Correctives – Recovery – Compensation – Administrative

(6)

Preventive Access Control

• Sometimes called a preventative access control.

• This access control is deployed to stop unwanted or unauthorized activity form occurring.

• Fences, locks, biometric, lighting, alarm system, encryption, auditing, CCTV,

(7)

Deterrent Access Control

• To discourage a violation of security

policy, where prevention control leaves off. • It doesn’t stop with trying to prevent an

action, instead, it goes further to exact consequences in the event of an

attempted or successful violation.

• Include intrusion alarm, security cameras, fences, etc.

(8)

Detective Access Control

• Detective access controls is deployed to discover unwanted or unauthorized

activities.

• Detective access control include security guards, motion detector, reviewing an

event captured by security cameras, intrusion and detection systems.

(9)

Corrective Access Control

• Deployed to restore system to normal after unwanted or unauthorized activities have occurred.

• Corrective control have only minimal capabilities to respond to access

violations.

• Examples of corrective control are security policy, intrusion detection system, antivirus solution, business continuity planning.

(10)

Recovery Access Control

• Deployed to repair resource, function, and capabilities after violation of security

policies.

• Recovery control have more advance

capabilities to response to access violation than corrective control.

• Recovery control: backup and restore, fault tolerance, server clustering, virtual machine shadowing.

(11)

Compensation Access Control

• Deployed to provided various options to

aid in enforcement and support of security policy.

• Include security policy requirement,

personnel supervision, monitoring, and work task procedure.

(12)

Administrative Access Control

• Policies and procedures defined by

organization to implement overall access control.

• Administrative control focus on 2 areas:

personnel and business practices. • Include policies, procedures, hiring

practices, data classification, security training, vacation history, work

(13)

Logical and Physical

Access Control

• Logical access controls are hardware and software mechanism used to manage

access to resources or systems.

– Password, encryption, firewall, access control list, etc

• Physical access control is physical barrier deployed to prevent direct contact to

systems.

– Locked doors, motion detector, guard dog, alarms, etc.

(14)

The Process of Accountability

• Several steps lead up to the ability to hold the people accountable:

– Identification – Authentication – Authorization – Auditing, and – Accountability

(15)

Identification

• User provided user name, logon ID,

personal identification number (PIN) or a smart card to represent identification

process.

• Information system tracks activities by identity, not by subject themselves.

(16)

Authentication

• Process of verifying or testing that claimed identity is valid.

– Type 1 Authentication (something you know)

• Passwords • PIN

• Lock Combination, etc

– Type 2 Authentication (something you have)

• Smart card

• Token devices • Memory card • etc

(17)

Authentication

• Process of verifying or testing that claimed identity is valid.

– Type 3 Authentication (something you are)

• Fingerprint • Voiceprint

• Retina pattern

• Face shape recognition • Hand geometry

(18)

Authorization

• Once subject is authenticated, its access must be authorized.

• Authorization indicated who is trusted to perform specific operation.

(19)

Auditing

• Auditing is process by which online

activities of user accounts and processes are tracked and recorded.

• Auditing produces audit trails/path, which can be used to reconstruct events and to verify whether a security policy or

(20)

NIST-

based

Minimum Security

Requirement

• Audit data recording must comply with:

– Create, protect, and retain information system

audit record to the extend needed to enable the monitoring, analysis, investigation,

unlawful/illegal reporting, unauthorized, inappropriate information system activity.

– Ensure that the action of individual information

(21)

Recap

Answer and give an explanation for the questions below:

Identification – what is it?

Authentication – how is this different from identification?

Authorization – what does this mean? – Auditing – what’s the point?

(22)

Identification and Authentication

Technique

• Authentication verify the identity of the

subject (user) by comparing one or more factor in database of valid identities.

• Both identification and authentication are always occur together.

(23)

Identification and Authentication

Technique (2)

• Password • Biometrics • Tokens • Tickets • Single Sign On

(24)

Password

• The common authentication technique, but consider the weakest form of protection.

• Password are poor security mechanism for several reasons:

– Easy to guest or crack. – Many users, write it down

– Easy shared, write down, and forgotten

– Transmitted password often easy to broke

– Short and weak password can be discovered by brute force attack

(25)

Biometric

• Biometric fall into Type 3 authentication category, “something you are”.

• A biometric factors are behavioral or

physiological characteristic that is unique to every single subject.

• Types biometric factors: – Fingerprint

– Face, iris, retina, palm scan – Hand geometry

(26)

Biometric Factor Rating

• Biometric devices are rated for

performance in producing false negative

and false positive authentication.

• Most biometric devices have a sensitivity

adjustment so they can be tuned to be

more or less sensitive.

True positive = correctly identified

True negative = correctly rejected False positive = incorrectly identified False negative = incorrectly rejected

(27)

Biometric Factor Rating

• The ratio of Type 1 errors to valid authentication known as False Rejection Rate (FRR).

• The ratio of Type 2 errors to valid authentication known as False Acceptance Rate (FAR).

• The point at which FRR and FAR is equal known as

Crossover Error Rate (CER).

(28)

Appropriate Biometric Usage

Zephyr Chart is often used to compare different types of biometric solution, before choose the suitable one at your specific

(29)

Biometric Factors

Retina scan

Fingerprint Iris scan

(30)

Token (Smart Token)

• Smart Tokens are password-generating devices which is an example of Type 2 factor,

something you have”.

• Token can be a static password, like an ATM card (or others), and users have to supply the ATM card and users’ PIN.

• Otherwise, the Token can also be one-time or dynamic password which look like a small

calculator.

– The devices display a string of character for you to enter into the system.

(31)

Token Types

• There are 4 types of Token: – Static

– Synchronous dynamic password – Asynchronous dynamic password:

(32)

Token Types (Cont.)

– Can be a smart card, a floppy disk, USB RAM, or even something as simple as a key for physical lock. – Static Token often require

an additional factor like password or biometric factor.

– Commonly use a

cryptographic key provided an authentication

mechanism.

(33)

Token Types (Cont.)

– Generating password at fix time intervals.

– Time interval token require synchronizing the clock on an authentication server with the clock on a token device.

– Subject enters generated password into the system as an identification mechanism, and PIN/password as an authentication mechanism. Synchronous Dynamic Password

(34)

Token Types (Cont.)

• Auth sends a challenge (a random value called a

nonce)*

• User enters nonce into token, along with PIN

• Token encrypts nonce and returns value

• Users inputs value into workstation

• If server can decrypt then you are good.

(35)

Ticket Authentication

• Ticket Authentication is mechanism that

employs a third party to prove identification and authentication.

• The most common and well known ticket system is Kerberos.

(36)

Single Sign On

• With Single Sign On (SSO), once a

subject is authenticated, it can roam the network freely and access resource and services without further authenticating challenges.

• SSO disadvantages:

– Once an account is compromised, a malicious subject gains unrestricted access.

– This lead to the need of strong security architecture overall the systems.

(37)

Single Sign On

Single Sign On: A mechanism to solve difficulties in managing disparate accounts.

References

Download now ( PDF - 37 Page - 707.75 KB )

Related documents

The Drosophila U1-70K Protein Is Required for Viability, but Its Arginine-Rich Domain Is Dispensable

Surprisingly, and contrary to the current view of U1-70K function, animals carrying a mutant U1-70K protein lacking the arginine-rich domain, which includes two embedded sets of

Maintaining trajectory privacy in mobile wireless sensor networks

If , number of different nodes desired to keep a copy of data, is initialized to zero, the mobile sensor nodes in the network will not forward or receive a data packet and will

Title: EVALUATION OF ANTICONVULSANT ACTIVITY OF LEAF EXTRACTS OF SECURINEGA LEUCOPYRUS IN SWISS ALBINO MICE Author: S. Amreen Sultana*, A. Laly Steven, B. Mounica, N. Rama Lakshmi, D. Eswar Tony, N. Rama Rao Keyword: Securinega leucopyrus, Anti convuls

23 Table1: Neurological symptom rates of patients Patient countn Rate % 5 %20 Confusion 8 %32 Dizziness 2 %8 Agitation 8 %32 Unconsciousness 2 %8 Normal Table 2: Other

How do social activities mitigate informal caregivers’ psychological distress? Evidence from a nine-year panel survey in Japan

We conducted longitudinal analyses that aimed to exam- ine how (i) caregiving commencement and (ii) its duration were associated with caregiver psychological distress and

Unit nonresponse at the firm level: a cross-border analysis using the IAB-ReLOC data

With respect to our hypothesis that companies that are more interested in the survey topic have a higher par- ticipation probability, our results are ambiguous: On the one hand,

DRAFT AGENDA. 9:00-17:00 Pre-ACRIS II Summary Workshop on the ECRAI Framework & Outputs - ECA Conference Center

Aboubakari Babamousa, Director of Department of Infrastructure &Energy, African Union Commission (AUC) Jamal Saghir, Senior Regional Advisor, Africa of The World Bank.

Assessing Scientific, Reading and Mathematical Literacy A Framework for PISA 2006

PISA combines the assessment of domain-specific cognitive areas such as science, mathematics and reading with information on students’ home background, their approaches

Estimation of Punching Shear Capacity of Concrete Slabs Using Data Mining Techniques

In this study, various type of data mining techniques including Adaptive Neuro-fuzzy Inference System (ANFIS), Artificial Neural Network (ANN) and Generalized Neural Network