Access Controls

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.
 Defining Access Control
▪ The process of protecting a resource so
that it is used only by those allowed to
▪ Prevents unauthorized use
▪ Mitigations put into place to protect a
resource from a threat

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 2
All rights reserved.
 Four Parts of Access Control
Access Control
Component Description
Identification Who is asking to access the
asset?
Authentication Can their identities be verified?

Authorization What, exactly, can the requestor

Accountability
Fundamentals of Information Systems Security
access? And what can they do?
How are actions traced to an
individual to ensure the person
who makes data or system
changes can be identified?
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com Page 3
All rights reserved.
 Policy Definition and Policy
Enforcement Phases
▪ Policy definition phase—Who has access
and what systems or resources they can use
• Tied to the authorization phase
▪ Policy enforcement phase—Grants or
rejects requests for access based on the
authorizations defined in the first phase
• Tied to identification, authentication, and
accountability phases

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 4
All rights reserved.
 Two Types of Access Controls

Controls entry into

Physical buildings, parking lots,
and protected areas

Controls access to a
Logical computer system or
network

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 5
All rights reserved.
 Physical Access Control
▪ Smart cards are an example
▪ Programmed with ID number
▪ Used at parking lots, elevators, office doors
▪ Shared office buildings may require an
additional after hours card
▪ Cards control access to physical resources

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 6
All rights reserved.
 Logical Access Control
▪ Deciding which users can get into a system
▪ Monitoring what each user does on that
system
▪ Restraining or influencing a user’s behavior
on that system

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 7
All rights reserved.
 Access Control Policies
Four central components of access control:
People who use the system or
Users processes (subjects)

Resources Protected objects in the system

Activities that authorized users

Actions can perform on resources

Optional conditions that exist

Relationships between users and resources

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 8
All rights reserved.
 Logical Access Control Solutions
Logical Controls Solutions
Biometrics • Static: Fingerprints, iris granularity, retina blood
vessels, facial features, and hand geometry
• Dynamic: Voice inflections, keyboard strokes, and
signature motions
Tokens • Synchronous or asynchronous
• Smart cards and memory cards

Passwords • Stringent password controls for users

• Account lockout policies
• Auditing logon events

Single sign-on • Kerberos process

• Secure European System for Applications in a
Multi-Vendor Environment (SESAME)

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 9
All rights reserved.
 Methods and Guidelines for
Identification
• Username
Methods • Smart card
• Biometrics

• Actions
Guidelines
• Accounting

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 10
All rights reserved.
 Authentication Types
Knowledge Something you know

Ownership Something you have

Characteristics Something unique to you

Location Somewhere you are

Action Something you do/how you do it

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 11
All rights reserved.
 Authentication by Knowledge
▪ Password
• Weak passwords easily cracked by brute-force
or dictionary attack
• Password best practices
▪ Passphrase
• Stronger than a password
▪ Account lockout policies
▪ Audit logon events

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 12
All rights reserved.
 Authentication by Ownership
▪ Synchronous token—Calculates a number at
both the authentication server and the device
• Time-based synchronization system
• Event-based synchronization system
• Continuous authentication

▪ Asynchronous token
• USB token
• Smart card
• Memory cards (magnetic stripe)

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 13
All rights reserved.
 Authentication by
Characteristics/Biometrics

Static Dynamic
(physiological) (behavioral)
measures measures

What you
What you do
are

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 14
All rights reserved.
 Types of Biometrics
Facial Voice
Fingerprint
recognition pattern

Keystroke
Palm print Iris scan
dynamics

Hand Retina Signature

geometry scan dynamics

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 15
All rights reserved.
 Authentication by Location and
Action
▪ Location
• Strong indicator of authenticity
• Additional information to suggest granting
or denying access to a resource
▪ Action
• Stores the patterns or nuances of how you
do something
• Record typing patterns

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 16
All rights reserved.
 Single Sign-On (SSO)
▪ Sign on to a computer or network once
▪ Identification and authorization credentials
allow user to access all computers and
systems where authorized
▪ Reduces human error
▪ Difficult to put in place

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 17
All rights reserved.
 Policies and Procedures for
Accountability

Log files
Monitoring and reviews
Data retention
Media disposal
Compliance requirements

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 18
All rights reserved.
 Access Control Lists

Linux and OS X

Permissions Read, write, execute

Applied to File owners, groups, global users

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 19
All rights reserved.
 Access Control Lists (cont.)

Windows

Share permissions Full, change, read, deny

Full, modify, list folder contents,

Security
read-execute, read, write,
permissions
special, deny

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 20
All rights reserved.
 An Access Control List

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 21
All rights reserved.
 Effects of Breaches in Access
Control
Disclosure of private information
Corruption of data
Loss of business intelligence
Danger to facilities, staff, and systems
Damage to equipment
Failure of systems and business processes

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 22
All rights reserved.
 Threats to Access Controls
▪ Gaining physical access
▪ Eavesdropping by observation
▪ Bypassing security
▪ Exploiting hardware and software
▪ Reusing or discarding media
▪ Electronic eavesdropping
▪ Intercepting communication
▪ Accessing networks
▪ Exploiting applications
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Fundamentals of Information Systems Security www.jblearning.com Page 23
All rights reserved.
 Privacy
▪ Communicate expectations for privacy in acceptable
use policies (AUPs) and logon banners
▪ Monitoring in the workplace includes:
• Opening mail or email
• Using automated software to check email
• Checking phone logs or recording phone calls
• Checking logs of web sites visited
• Getting information from credit-reference agencies
• Collecting information through point-of-sale (PoS)
terminals
• Recording activities on closed-circuit television (CCTV)

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 24
All rights reserved.
 Cloud Computing
Category Description
Private All components are managed for a single
organization. May be managed by the organization
or by a third-party provider.
Community Components are shared by several organizations
and managed by one of the participating
organizations or by a third party.

Public Available for public use and managed by third-party

providers.
Hybrid Contains components of more than one type of
cloud, including private, community, and public
clouds.

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 25
All rights reserved.
 Advantages/Disadvantages of
Cloud Computing
Advantages Disadvantages
▪ No need to maintain a ▪ More difficult to keep
data center private data secure
▪ No need to maintain a ▪ Greater danger of
disaster recovery site private data leakage
▪ Outsourced ▪ Demand for constant
responsibility for network access
performance and ▪ Client needs to trust the
connectivity outside vendor
▪ On-demand provisioning

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Fundamentals of Information Systems Security www.jblearning.com Page 26
All rights reserved.