
INFORMATION SECURITY MANAGEMENT

INFORMATION SECURITY MANAGEMENT. Lecture 6: Security Management Models. Access Control Models. Access controls Regulate the admission of users into trusted areas of the organization Key principles of access control. The value of information: CIA Triangle.

abranson




Presentation Transcript


  1. INFORMATION SECURITY MANAGEMENT Lecture 6: Security Management Models

  2. Access Control Models
     • Access controls
       • Regulate the admission of users into trusted areas of the organization
     • Key principles of access control

  3. The value of information: CIA Triangle
     • The value of information comes from the characteristics it possesses
     • The CIA triangle has been expanded to include:
       • Identification
       • Authentication
       • Authorization
       • Privacy
       • Accountability

  4. Identification and Authentication
     • Identification
       • An information system possesses the characteristic of identification when it is able to recognize individual users
       • Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
     • Authentication
       • Occurs when a control proves that a user possesses the identity that he or she claims

  5. Authorization
     • Assures that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset
     • Authorization occurs after authentication

  6. Categories of Access Control

  7. Categories of Access Control
     • Preventative
     • Deterrent
     • Detective
     • Corrective
     • Recovery
     • Compensating

  8. Preventative/Deterrent/Detective Controls
     • Preventative Controls
       • Firewalls / Anti-virus software
       • Encryption
       • Key card systems
       • Bollards stop cars (as shown)
     • Deterrent Controls
       • Highly visible
       • Prevent offenses by influencing the choices of would-be intruders
     • Detective Controls
       • Monitor and record specific types of events
       • Do not stop or directly influence events

  9. Corrective/Recovery Controls
     • Corrective Controls
       • Post-event controls to prevent recurrence
       • “Corrective” refers to when it is implemented
       • Examples (if implemented after an incident):
         • Spam filter
         • Anti-virus on e-mail server
         • WPA Wi-Fi encryption
     • Recovery Controls
       • Post-incident controls to recover systems

  10. Compensating Controls
     • A control that is introduced to compensate for the absence or failure of another control
     • “Compensating” refers to why it is implemented
     • Examples:
       • Daily monitoring of the anti-virus console
       • Monthly review of administrative logins
       • Web Application Firewall used to protect a buggy application

  11. Another Approach: Types of Controls
     • Technical
     • Operational (aka Physical)
     • Management (aka Administrative)

  12. Controlling Information Access

  13. Identification and Authentication
     • Identification: unproven assertion of identity
       • “My name is…”
       • Userid
     • Authentication: proven assertion of identity
       • Method examples:
         • Password
         • Token
         • Biometric

  14. How Information Systems Authenticate Users
     • Request userid and password
     • Hash the password
     • Retrieve the stored userid and hashed password
     • Compare
     • Alternatively, make a function call to a network-based authentication service

  15. How a System Stores Userids and Passwords
     • Typically stored in a database table
       • Application database or authentication database
     • Userid stored in plaintext
     • Password stored encrypted or hashed

  16. Password Hashes
     http://www.emc.com/collateral/software/white-papers/h11013-rsa-dcp-0812-wp.pdf
     • LM hash is weak, no longer used in Win 7
     • NT hash is stronger, but not salted
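The lookup, hash and compare steps of slides 14 to 16, as an added example that is not part of the lecture. It contrasts an unsalted digest (the property the slide notes for the NT hash: two users with the same password get the same hash) with a per-user salted PBKDF2 record; the user names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}
ITERATIONS = 100_000  # constructed value; real deployments tune this to hardware


def unsalted_hash(password):
    """Unsalted digest: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """What the authentication database stores: a random per-user salt and a slow digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record, password):
    """Slide 14: hash the supplied password with the stored salt, then compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_table(users):
    """Slide 15: userid in plaintext, password only as a salted hash."""
    return {uid: make_record(pw) for uid, pw in users.items()}


def has_duplicate_hashes(hashes):
    """True if any two stored hashes are identical (reveals shared passwords)."""
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    table = build_table(USERS)
    print("unsalted duplicates:", has_duplicate_hashes([unsalted_hash(p) for p in USERS.values()]))
    print("salted duplicates:  ", has_duplicate_hashes([r["hash"] for r in table.values()]))
    print("alice login ok:", verify(table["alice"], "Winter2024!"))
```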

  17. Strong Authentication
     • Traditional userid + password authentication has known weaknesses
     • Stronger types of authentication are available, usually referred to as “strong authentication”

  18. Token: Two Factor Authentication
     • First factor: what the user knows
     • Second factor: what the user has
     • Without the second factor, the user cannot log in

  19. Token: Two Factor Authentication

  20. Biometric Authentication
     • Stronger than userid + password
     • Stronger than two-factor?
     • Can be hacked

  21. Article: Biometric Scanning Technologies
     • Overview
     • Technologies
       • Finger-Scan
       • Facial-Scan
       • Retinal-Scan

  22. Authentication Issues
     • Password quality
     • Consistency of user credentials across multiple environments
     • Too many userids and passwords
     • Handling password resets
     • Dealing with compromised passwords
     • Staff terminations

  23. Authorization: Degree of Authority
     • Mandatory Access Controls
     • Discretionary Access Controls
     • Role Based Access Controls

  24. Mandatory Access Control Security Model
     • Data classification scheme
       • Rates collections of information and users with sensitivity levels
     • When implemented, users and data owners have limited control over access

  25. Mandatory Access Control Security Model
     • Data classification scheme/model
       • Data owners classify the information assets
       • Reviewed periodically
     • Security clearance structure
       • Each user is assigned an authorization level
       • Roles and corresponding security clearances

  26. Discretionary Access Control (DAC) Security Model The owner of an object controls who and what may access it.

  27. Role-based Access Control (RBAC) Security Model
     • Nondiscretionary controls

  28. Mobile Access Controls http://sponsored.eweek.com/hid-global/10-reasons-to-embrace-mobile-access-control.html?=sponsored-news-ticker

  29. Testing Access Controls

  30. Testing Access Controls
     http://secunia.com/community/
     • Access controls are the primary defense that protects assets
     • Types of tests:
       • Penetration tests
       • Application vulnerability tests
       • Code reviews

  31. Penetration Testing
     • Automatic scans to discover vulnerabilities
     • Example tools: Nessus, Nikto, SAINT, Superscan, Retina, ISS, Microsoft Baseline Security Analyzer

  32. Application Vulnerability Testing
     • Discover vulnerabilities in an application
     • Automated tools and manual tools
     • Example vulnerabilities:
       • Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more

  33. Audit Log Analysis
     • Regular examination of audit and event logs
     • Detect unwanted events
     • Audit log protection

  34. Access Control Attacks

  35. Access Control Attacks
     • Intruders will try to defeat, bypass, or trick access controls in order to reach their target
     • Attack objectives:
       • Guess credentials
       • Cause access controls to malfunction
       • Bypass access controls
       • Replay known good logins
       • Trick people into giving up credentials

  36. Types of Access Control Attacks
     • Buffer Overflow
     • Script Injection
     • Data Remanence
     • DoS
     • Spoofing/Masquerading
     • Social Engineering/Phishing

  37. Security Architecture Models

  38. Security Architecture Models
     • Can help organizations quickly make improvements through adaptation
     • Can focus on:
       • computer hardware and software
       • policies and practices
       • the confidentiality of information
       • the integrity of the information
     • Pick one and go with it

  39. Bell-LaPadula Confidentiality Model
     • A state machine model that helps ensure the confidentiality of an information system
     • Uses mandatory access controls (MACs), data classification, and security clearances

  40. Biba Integrity Model
     • Provides access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
     • Ensures no information from a subject can be passed on to an object at a higher integrity level
     • This prevents contaminating data of higher integrity with data of lower integrity
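The mandatory decisions of slides 24, 25, 39 and 40 as an added example, not code from the lecture: Bell-LaPadula's "no read up / no write down" over a clearance lattice and Biba's "no read down / no write up" over an integrity lattice, combined into a single decision that neither the user nor the data owner can override. The level names, the analyst and the objects are constructed for the example.

```python
# Constructed sensitivity lattice for the confidentiality model.
CLEARANCE = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Constructed integrity lattice for the Biba model.
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def blp_allows(subject_clearance, object_classification, op):
    """Bell-LaPadula: a subject may not read up and may not write down."""
    s, o = CLEARANCE[subject_clearance], CLEARANCE[object_classification]
    if op == "read":   # simple security property: read only at or below own clearance
        return s >= o
    if op == "write":  # *-property: write only at or above own clearance
        return s <= o
    raise ValueError("unknown operation: " + op)


def biba_allows(subject_integrity, object_integrity, op):
    """Biba: a subject may not read down and may not write up."""
    s, o = INTEGRITY[subject_integrity], INTEGRITY[object_integrity]
    if op == "read":   # simple integrity property: read only from at or above own level
        return s <= o
    if op == "write":  # *-integrity property: write only to at or below own level
        return s >= o
    raise ValueError("unknown operation: " + op)


def mac_decision(subject, obj, op):
    """Mandatory decision: both the confidentiality and the integrity rule must pass."""
    conf_ok = blp_allows(subject["clearance"], obj["classification"], op)
    integ_ok = biba_allows(subject["integrity"], obj["integrity"], op)
    return conf_ok and integ_ok


# Constructed subject and objects for a walk-through.
ANALYST = {"clearance": "SECRET", "integrity": "MEDIUM"}
PUBLIC_FEED = {"classification": "UNCLASSIFIED", "integrity": "LOW"}
TEAM_NOTES = {"classification": "SECRET", "integrity": "MEDIUM"}
INTEL_REPORT = {"classification": "TOP SECRET", "integrity": "HIGH"}

if __name__ == "__main__":
    for name, obj in [("public feed", PUBLIC_FEED), ("team notes", TEAM_NOTES), ("intel report", INTEL_REPORT)]:
        for op in ("read", "write"):
            print(f"analyst {op} {name}: {mac_decision(ANALYST, obj, op)}")
```

Note that the analyst is refused a read of the public feed not by Bell-LaPadula (the clearance is high enough) but by Biba, since low-integrity data must not flow into a medium-integrity subject.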

  41. Clark-Wilson Integrity Model
     • Built upon principles of change control rather than integrity levels
     • Its change control principles:
       • No changes by unauthorized subjects
       • No unauthorized changes by authorized subjects
       • The maintenance of internal and external consistency

  42. Graham-Denning Access Control Model
     • Composed of three parts:
       • A set of objects
       • A set of subjects (a process and a domain)
       • A set of rights
     • Primitive protection rights:
       • Create or delete object, create or delete subject
       • Read, grant, transfer and delete access rights

  43. Harrison-Ruzzo-Ullman Model
     • Defines a method to allow changes to access rights and the addition and removal of subjects and objects
     • Since systems change over time, their protective states need to change
     • Built on an access control matrix
     • Includes a set of generic rights and a specific set of commands
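An access control matrix with the create/delete/grant/transfer/revoke operations of slides 42 and 43, as an added example rather than code from the lecture. The generic rights (own, read, write, grant) and the rule that an owner may confer any right while a holder of "grant" may only pass on rights it already holds are constructed for the example; they stand in for the model's commands, each of which checks a precondition on the matrix before applying a primitive.

```python
from collections import defaultdict

GENERIC_RIGHTS = {"own", "read", "write", "grant"}  # constructed set of generic rights


class AccessMatrix:
    """Protection state: matrix[subject][object] is the set of rights held."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.matrix = defaultdict(lambda: defaultdict(set))

    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # a subject is also an object others may hold rights on

    def create_object(self, creator, o):
        """Command: the creating subject becomes owner with full rights."""
        if creator not in self.subjects:
            return False
        self.objects.add(o)
        self.matrix[creator][o] |= GENERIC_RIGHTS
        return True

    def delete_object(self, s, o):
        """Command: only an owner may delete; the object's column disappears."""
        if "own" not in self.matrix[s][o]:
            return False
        self.objects.discard(o)
        for row in self.matrix.values():
            row.pop(o, None)
        return True

    def grant(self, granter, s, o, right):
        """Command: owner confers any right (grant); a 'grant' holder passes on rights it holds (transfer)."""
        if right not in GENERIC_RIGHTS or s not in self.subjects or o not in self.objects:
            return False
        held = self.matrix[granter][o]
        if "own" in held or ("grant" in held and right in held):
            self.matrix[s][o].add(right)  # enter-right primitive
            return True
        return False

    def revoke(self, owner, s, o, right):
        """Command: only an owner removes a right (delete-right primitive)."""
        if "own" not in self.matrix[owner][o]:
            return False
        self.matrix[s][o].discard(right)
        return True

    def has(self, s, o, right):
        return right in self.matrix[s][o]
```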

  44. Brewer-Nash Model (aka Chinese Wall)
     • Designed to prevent a conflict of interest between two parties
     • Requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data
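The Brewer-Nash rule of slide 44 as an added example (not from the lecture): datasets are grouped into conflict-of-interest classes, and a user's first access inside a class closes off every other dataset in that class, while data from other classes stays available. The class names, datasets and users are constructed for the example.

```python
# Constructed conflict-of-interest classes: datasets of competing companies.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilX", "OilY"},
}


class ChineseWall:
    def __init__(self, coi_classes):
        self.coi_classes = coi_classes
        self.history = {}  # user -> set of datasets the user has already accessed

    def coi_of(self, dataset):
        """Return the conflict-of-interest class a dataset belongs to."""
        for name, members in self.coi_classes.items():
            if dataset in members:
                return name
        raise KeyError("unknown dataset: " + dataset)

    def can_access(self, user, dataset):
        """Allowed if the user has never touched a *different* dataset in the same class."""
        seen = self.history.get(user, set())
        if dataset in seen:
            return True  # re-reading data already chosen is always fine
        cls = self.coi_of(dataset)
        return not any(self.coi_of(d) == cls for d in seen)

    def access(self, user, dataset):
        """Record the access when permitted; the choice is then binding for this user."""
        if not self.can_access(user, dataset):
            return False
        self.history.setdefault(user, set()).add(dataset)
        return True


if __name__ == "__main__":
    wall = ChineseWall(COI_CLASSES)
    for ds in ("BankA", "BankB", "OilX", "BankA"):
        print(f"ann -> {ds}: {wall.access('ann', ds)}")
```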

  45. The ISO 27000 Series
     • Information Technology – Code of Practice for Information Security Management
     • One of the most widely referenced and discussed security models
     • Originally published as British Standard 7799 and then later as ISO/IEC 17799
     • Has since been renamed ISO/IEC 27002
     • Establishes guidelines for initiating, implementing, maintaining, and improving information security management

  46. Control Objectives for Information and Related Technology (COBIT)
     • Provides advice about the implementation of sound controls and control objectives for InfoSec
     • Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992

  47. COSO
     • A U.S. private-sector initiative
     • Major objective: to identify factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
     • Has established a common definition of internal controls, standards and criteria
     • Helps organizations comply with critical regulations like Sarbanes-Oxley

  48. COSO (cont’d.)
     • Built on five interrelated components:
       • Control environment
       • Risk assessment
       • Control activities
       • Information and communication
       • Monitoring
