Week 10 Part A MIS 5214

Similar documents
Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CS 356 Lecture 7 Access Control. Spring 2013

General Access Control Model for DAC

MIS Week 9 Host Hardening

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

Operating Systems Security Access Control

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

Access Control. Discretionary Access Control

Post-Class Quiz: Access Control Domain

Access Control (slides based Ch. 4 Gollmann)

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Module 4: Access Control

Exhibit A1-1. Risk Management Framework

Access Control. Discretionary Access Control

CSN11111 Network Security

Advanced Systems Security: Ordinary Operating Systems

Access Control. Steven M. Bellovin September 13,

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

ViGo Architecture and Principles. Mobile Voice Biometrics as-a-service

Keystroke Dynamics: Low Impact Biometric Verification

Access Control. Steven M. Bellovin September 2,

Operating system security models

Access Control Part 1 CCM 4350

Chapter 3: User Authentication

Security Models Trusted Zones SPRING 2018: GANG WANG

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

A Survey of Access Control Policies. Amanda Crowell

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

Use of Extreme Value Statistics in Modeling Biometric Systems

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Implementing Network Admission Control

Identity, Authentication and Authorization. John Slankas

Chapter 16: Advanced Security

Metascan Client. Tony Berning Product Manager

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2

FedRAMP Security Assessment Plan (SAP) Training

Discretionary Access Control (DAC)

Chapter 4: Access Control

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Mission Control for the Microsoft Cloud. 5nine Cloud Security. Web Portal Version 12.o. Getting Started Guide

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Agency Guide for FedRAMP Authorizations

11/14/2018. Istanbul Governance, risk, and compliance (GRC)

CS 591: Introduction to Computer Security. Lecture 3: Policy

CompTIA JK CompTIA Academic/E2C Security+ Certification. Download Full Version :

HPE Enterprise Maps Security. HPE Software, Cloud and Automation

Access control models and policies. Tuomas Aura T Information security technology

HIPAA Compliance Assessment Module

FedRAMP Training - Continuous Monitoring (ConMon) Overview

CompTIA A+ Certification ( ) Study Guide Table of Contents

T-SYSTEMS MULTIMEDIA SOLUTIONS ADMINISTRATION MANUAL

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

MIS5206-Section Protecting Information Assets-Exam 1

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

P1L5 Access Control. Controlling Accesses to Resources

IBM Security Identity Manager Version Planning Topics IBM

Lecture 9 User Authentication

Jérôme Kerviel. Dang Thanh Binh

MorphoManager User Manual. Table of Contents

CounterACT Check Point Threat Prevention Module

INTERPRETING FINGERPRINT AUTHENTICATION PERFORMANCE TECHNICAL WHITE PAPER

How to Develop Key Performance Indicators for Security

Server Hardening Title Author Contributors Date Reviewed By Document Version

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Computers: Tools for an Information Age. System Software

CYSE 411/AIT 681 Secure Software Engineering Topic #3. Risk Management

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Lecture 11: Human Authentication CS /12/2018

BOR3307: Intro to Cybersecurity

Implementing NIST Cybersecurity Framework Standards with BeyondTrust Solutions

K12 Cybersecurity Roadmap

AWARD TOP PERFORMER. Minex III FpVTE PFT II FRVT PRODUCT SHEET. Match on Card. Secure fingerprint verification directly on the card

Introduction p. 1 The purpose and fundamentals of access control p. 2 Authorization versus authentication p. 3 Users, subjects, objects, operations,

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cybersecurity: Incident Response Short

American Association for Laboratory Accreditation

ISO27001 Preparing your business with Snare

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cloud Storage Pluggable Access Control David Slik NetApp, Inc.

CompTIA SY CompTIA Security+

Security Enhanced Linux

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

ProjectWebFM User Guide Version 4. Written by: Document Revision History:

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Kaspersky Administration Kit 8.0 REFERENCE GUIDE

SyAM Software Management Utilities. Client Deployment

Focus mainly on the technical part of things Foundation to manage Azure resources

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

DreamFactory Security Guide

Contents User Guide... 1 Overview... 1 Create a New Report... 3 Create Report... 3 Select Devices... 3 Report Generation... 4 Your Audit Report...

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

CS 416: Operating Systems Design April 22, 2015

Mozy. Administrator Guide

NIST Security Certification and Accreditation Project

Transcription:

Week 10 Part A MIS 5214

Agenda Project Authentication Biometrics Access Control Models (DAC Part A) Access Control Techniques Centralized Remote Access Control Technologies

Project assignment You and your team are: Acting as the CSP (Cloud Service Provider) Seeking PA (Preliminary Authorization) for your information system Responsible for 1. Developing the system security architecture for your information system 2. Developing a System Security Plan (SSP) for your information system 3. Presenting your SSP to an internal senior management review team

Project Tasks A. Identify a client organization B. Identify a mission-based information system to support the organization with one of the 26 government direct services and delivery support lines of business identified in Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60) C. Identify the public and organizational groups/roles (along with their geographically distributed widearea network office locations) that will develop, support/maintain, access and use the information system to effectively conduct the mission D. Design a security architecture for the information system, which will be hosted in a to be determined (i.e. vendor-neutral) cloud environment, and accessed remotely by individuals working in the groups identified above to conduct the organization s mission E. Using NIST resources covered in this course, templates available at https://www.fedramp.gov/resources/templates-2016/ and other resources you find through your research: develop, present and hand in: 1. A draft system security plan for the information system based on the appropriate FedRAMP System Security Plan (SSP) template for the security baseline appropriate for your system, with the following acceptions: Sections 3-6 and attachments - leave names, addresses and phone numbers and email addresses blank as appropriate (fill in titles and organizations) Section 13 only fill in details for Technical Security Control Class Families (remove all other non-technical security control class families from your SSP document and table of contents) Section 15 - provide all appropriate attachments (At a minimum must have the following SSP Attachments filled in for your system: 3, 4, 5, 9, 10, and 11) 2. Powerpoint presentation covering A-E that will be presented to instructor and class

Project Resources include but are not limited to https://www.fedramp.gov/resources/templates-2016/

Project Resources include but are not limited to

Project resources include

Project Resources include but are not limited to

Authentication Biometrics Two different categories of biometric factor authentication: 1. Physiological ( what you are ) Physical attribute unique to a specific individual Less prone to change unless an disfiguring accident Hard to impersonate 2. Behavioral ( what you do ) A characteristic of an individual Can change over time Can be forged

Authentication Biometrics During identity verification (i.e. authentication) the biometric system scans personal s physiological attribute or behavioral trait and compares the captured data to a record created in an earlier enrollment process Biometric system Must be capable of repeatedly taking accurate measurements of anatomical or behavioral characteristics Error types: False negative incorrect rejection of the identity of authorized individual Called a Type I error False Rejection Rate (FRR) is a measurement of the likelihood that biometric device will result in Type I errors False positive incorrect match and identity acceptance of unauthorized individual ( imposter ) Called a Type II error False Acceptance Rate (FAR) is a measurement of the likelihood that biometric device will result in Type II errors Organizations have their own security requirements which will dictate how many Type I and Type II errors are acceptable: Organizations prioritizing confidentiality would accept a certain rate of Type I errors to achieve no Type II errors Calibration of biometric systems would enable lowering Type II error rate by adjusting system sensitivity which will increase Type I error rate

Authentication Biometrics Crossover error rate (CER) also called Equal error rate (EER) Objective measurement of biometric system accuracy, useful for comparing different biometric system products Is a rating, stated as a percentage CER is the point at which false rejection rate equals the false acceptance rate: FRR = FAR Most important metric in determining a biometric system s accuracy!

Access Control Models 3 Main types (built into the kernel of different operating systems and possibly their supporting applications): 1. Discretionary Access Control (DAC) 2. Mandatory Access Control (MAC) 3. Role-based Access Control (RBAC) Every operating system has a security kernel based on the access control model embedded in the system For each access attempt, before a subject can communicate with an object, the security kernel reviews the rules of the access control model to determine if the request is permitted

Discretionary Access Control (DAC) Most operating systems of general purpose computers are based on DAC models and use Access Control List properties on a file or directory to display and control access Windows Linux OS X Unix

Discretionary Access Control (DAC) The Network Administrator can allow resource owners to control who has access to their files If a user creates a file or folder then the user is the owner of the file or folder An identifier is placed in the file header and/or in an access control matrix in the operating system The identifier can be a user identity or a group membership For example: Data owner can choose to allow Bill (user identity) and the Accounting group (group membership identity) to access his file DAC systems grant or deny access based on the identity of the subject Access is restricted based on the authorization granted to the users Users can specify what type of access can occur to the objects the own Access control is based on the discretion of the resource owner Resource owners, for example, can be business unit managers or department managers who own the data within their organization

Discretionary Access Control (DAC) Most operating systems are based on DAC models and use Access Control List properties on a file or directory to display and control access Windows Linux OS X Unix DACs can apply to both directory tree structure (i.e. folders) and the files it contains. Access permission: No access (-) Read (r) Write (w) Execute (x)

Discretionary Access Control (DAC) Most operating systems are based on DAC models and use Access Control List properties on a file or directory to display and control access Windows Linux OS X Unix DACs can apply to both directory tree structure (i.e. folders) and the files it contains. Access permission: No access (-) Read (r) Write (w) Execute (x)

Discretionary Access Control (DAC) Most operating systems are based on DAC models and use properties of a file or directory to display and control access information Windows Linux OS X Unix

Discretionary Access Control (DAC) Provides a huge tradeoff: On the one hand: Flexibility to user Less administrative overhead to IT On the other hand: Achilles heel (i.e. weakness) to the operating system Malware can work under the identity (security context) of the user If a user opens an virus infected file, code can install itself in the background without user awareness Code inherits all rights and permissions of the user, can carry out all activities the user can on the system Send copies of itself to all contacts in user s email client, install a back-door, attck other systems, delete files on hard drive If the user is a local administrator or has root accounts then once installed malware can do anything

Discretionary Access Control (DAC) Security administrators can counter the downside of DAC and protect critical assets by removing user control by implementing nondiscretionary access control within a DAC Operating System by: Setting up workstations with pre-configured and loaded user profiles specifying the level of control the user does and does not have: With permissions on files (including OS command files) and folders set to block discretionary access control to users from: Changing the system s time Altering system configuration files Accessing a command prompt Installing unapproved applications

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback