Security Principles
- Availability
- Integrity
- Confidentiality
Identification -> Authentication -> Authorization -> Accountability (IAAA)
Identification and Authentication
One-to-One and One-to-Many
- Identification Component Requirements
- Access Control Review
- IAAA
Identity Management
- Directories
- Web Access Management
- Password Management
- Password Synchronization
- Self-service password reset
- Assisted password reset
Legacy Single sign-on
Account Management
Provisioning
Authoritative System of Record
Profile Update
Biometrics
- Processing Speed
- Fingerprint
- Palm Scan
- Hand Geometry
- Retina Scan (the most invasive biometric: it maps the blood-vessel pattern of the eye and can reveal medical conditions, so it raises a number of privacy issues)
- Iris Scan
- Signature Dynamics
- Keystroke Dynamics
- Voice Print
- Facial Scan
- Hand Topography
Password Attacks
- Electronic monitoring (sniffing or replaying the password in transit)
- Access the password file (steal the stored hashes and crack them offline)
- Brute-force attacks
- Dictionary attacks
- Social Engineering
- Rainbow table
Password Hashing and Encryption
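The following is an added example, not code from the original outline: it places a fast unsalted hash beside a salted, iterated hash and shows why the salt and the work factor defeat rainbow tables and precomputed dictionary attacks. It uses only the Python standard library; the wordlist, the iteration counts and the record format are assumptions made for illustration.

```python
# Added example, not part of the original outline: a fast unsalted hash beside a
# salted, iterated hash, showing why the salt and work factor defeat rainbow
# tables and precomputed dictionary attacks. Standard library only; the
# wordlist and iteration counts below are constructed for illustration.
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an attacker's dictionary / rainbow table input.
WORDLIST = ["password", "letmein", "Summer2024", "correct horse battery staple"]

# Assumed work factor for PBKDF2-HMAC-SHA256; tune so one check costs ~100 ms.
DEFAULT_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal
    digests, so an attacker precomputes digest -> password once and reuses it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_rainbow_table(words: list) -> dict:
    """Precompute digest -> plaintext for every word (the point of a lookup /
    rainbow table: the cost is paid once, before any hash is stolen)."""
    return {unsalted_sha256(w): w for w in words}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash. The stored record carries algorithm, iteration
    count and salt so the work factor can be raised later without breaking
    existing records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time so the
    comparison does not leak how many digest bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rainbow_attack(table: dict, stolen_digest: str) -> Optional[str]:
    """One dictionary lookup per stolen hash: instant against unsalted SHA-256."""
    return table.get(stolen_digest)


def salted_records_differ(password: str, iterations: int = 1000) -> bool:
    """The same password hashed twice yields two different digests because each
    gets its own random salt, so no table built in advance can cover them."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a.split("$")[3] != b.split("$")[3]


if __name__ == "__main__":
    table = build_rainbow_table(WORDLIST)
    print("unsalted lookup:", rainbow_attack(table, unsalted_sha256("letmein")))
    rec = hash_password("letmein", iterations=1000)
    print("record:", rec)
    print("verify good:", verify_password("letmein", rec))
    print("verify bad :", verify_password("password", rec))
    print("two salted records differ:", salted_records_differ("letmein"))
```

The salt does not stop an attacker who has the salt from guessing that one record; it only forces them to start from scratch per record. The iteration count is what makes each guess expensive, which is why the record stores it: raising the count later only requires re-hashing at the user's next successful logon.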
Password Aging
Limit Logon Attempts
Cognitive Password
One-Time Password
The Token Devices
Synchronous (token and server share a secret and a synchronized clock or counter, so both compute the same one-time value without any exchange; e.g. OneKey, RSA SecurID, banking devices)
Asynchronous (challenge/response scheme: the server sends a challenge containing a nonce (random value); the user keys the nonce into the token, which encrypts it with the shared secret; the user sends the encrypted result plus username to the server; the server decrypts or recomputes it and, if the values match, the user is authenticated)
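The following is an added example, not code from the original outline or from any token vendor: it implements both sides of a synchronous (counter-based, HOTP-style) token and of an asynchronous challenge/response token, so the difference in what is shared in advance and what travels over the wire is visible. The seed (the RFC 4226 test-vector secret), the look-ahead window, the nonce size and the response truncation are assumptions for illustration; the MAC stands in for the "encryption" step in the outline.

```python
# Added example, not from the original outline: a synchronous (counter-based,
# HOTP-style) token and an asynchronous (challenge/response) token, with both
# the token side and the server side. Standard library only; the seed,
# window and nonce sizes are assumptions for illustration.
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed token seed (the RFC 4226 test-vector secret), shared by token and server.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SynchronousToken:
    """Token side: keeps its own counter and emits the next code on demand.
    (A time-based token would use time.time() // 30 as the counter instead.)"""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class SynchronousServer:
    """Server side: shares the seed and tracks the last accepted counter.
    A small look-ahead window tolerates drift (codes generated but never sent);
    accepting only counters above the last one prevents replay."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.last_counter = -1
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # resynchronise and burn this counter
                return True
        return False


def asynchronous_token_response(secret: bytes, nonce: bytes, digits: int = 8) -> str:
    """Token side: the user keys the nonce into the token, which returns the
    value to type back. Here HMAC(secret, nonce) truncated to decimal digits."""
    mac = hmac.new(secret, nonce, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class AsynchronousServer:
    """Challenge/response: the server issues a random nonce per logon attempt,
    the token MACs it with the shared secret, and the server recomputes and
    compares. Each nonce is single-use and expires."""
    def __init__(self, secret: bytes, ttl_seconds: int = 60):
        self.secret = secret
        self.ttl = ttl_seconds
        self.pending: Dict[str, Tuple[bytes, float]] = {}   # username -> (nonce, issued_at)

    def challenge(self, username: str, now: Optional[float] = None) -> bytes:
        nonce = os.urandom(8)
        self.pending[username] = (nonce, time.time() if now is None else now)
        return nonce

    def verify(self, username: str, response: str, now: Optional[float] = None) -> bool:
        entry = self.pending.pop(username, None)     # single use, success or not
        if entry is None:
            return False
        nonce, issued = entry
        if (time.time() if now is None else now) - issued > self.ttl:
            return False
        return hmac.compare_digest(asynchronous_token_response(self.secret, nonce), response)


if __name__ == "__main__":
    tok, srv = SynchronousToken(SEED), SynchronousServer(SEED)
    code = tok.next_code()
    print("sync code", code, "accepted:", srv.verify(code), "replayed:", srv.verify(code))
    asrv = AsynchronousServer(SEED)
    nonce = asrv.challenge("alice")
    resp = asynchronous_token_response(SEED, nonce)
    print("async accepted:", asrv.verify("alice", resp), "replayed:", asrv.verify("alice", resp))
```

The synchronous server never sends anything to the token; its only protection against replay is refusing counters at or below the last accepted one. The asynchronous server sends a fresh nonce every time and so does not need a counter, but it must keep state per outstanding challenge and discard it after one use or on expiry.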
Cryptographic Keys
Passphrase
Memory Cards
Smart Card
Smart Card Attacks
Interoperability
- ISO/IEC 14443-1 Physical Characteristics
- ISO/IEC 14443-3 Initialization and anticollision
- ISO/IEC 14443-4 Transmission protocol
- Radio-Frequency Identification (RFID)
Authorization
- Access Criteria
- Default to No Access
- Need to Know
- Single Sign-On
- Kerberos
- Security Domains
- Directory Services
- Federation
Access Control and Markup Languages
- SPML
- SAML
- OpenID
- OAuth
- Identity as a Service
- Integrated Identity Services
- Establishing Connectivity
- Establishing Trust
- Incremental Testing
Access Control Models
DAC - Discretionary Access Control
Identity-Based Access Control
MAC - Mandatory Access Control
Sensitivity Levels
RBAC - Role-Based Access Control
Core RBAC
Hierarchical RBAC
Limited Hierarchy
General Hierarchy
Static Separation of Duty (SSD) Relations through RBAC
Dynamic Separation of Duties (DSD) Relations through RBAC
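The following is an added example, not code from the original outline or from the RBAC standard: a small Core RBAC model with a role hierarchy, Static Separation of Duty (enforced when a role is assigned to a user) and Dynamic Separation of Duty (enforced when a session activates roles). The roles, permissions and constraint pairs are constructed for illustration.

```python
# Added example, not from the original outline: Core RBAC with a role
# hierarchy, Static Separation of Duty (checked at assignment) and Dynamic
# Separation of Duty (checked at session activation). Roles, permissions and
# constraint pairs are constructed for illustration.
from typing import Dict, Set


class RBAC:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.parents: Dict[str, Set[str]] = {}        # role -> roles it inherits from
        self.user_roles: Dict[str, Set[str]] = {}
        self.ssd: Set[frozenset] = set()              # mutually exclusive for assignment
        self.dsd: Set[frozenset] = set()              # mutually exclusive within a session

    # --- Core and Hierarchical RBAC ---------------------------------------
    def add_role(self, role: str, perms: Set[str], inherits: Set[str] = frozenset()) -> None:
        self.role_perms[role] = set(perms)
        self.parents[role] = set(inherits)

    def effective_perms(self, role: str) -> Set[str]:
        """Hierarchical RBAC: a senior role acquires its junior roles' permissions."""
        perms, todo, seen = set(), [role], set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            todo.extend(self.parents.get(r, set()))
        return perms

    # --- Separation of duty ------------------------------------------------
    def add_ssd(self, a: str, b: str) -> None:
        self.ssd.add(frozenset((a, b)))

    def add_dsd(self, a: str, b: str) -> None:
        self.dsd.add(frozenset((a, b)))

    def assign(self, user: str, role: str) -> None:
        """SSD: refuse the assignment if the user already holds a conflicting role."""
        held = self.user_roles.setdefault(user, set())
        for pair in self.ssd:
            if role in pair and (pair - {role}) & held:
                raise PermissionError(f"SSD: {user} cannot hold {role} with {set(pair - {role})}")
        held.add(role)

    def activate(self, user: str, roles: Set[str]) -> "Session":
        """DSD: the user may hold both roles but may not activate both at once."""
        held = self.user_roles.get(user, set())
        if not roles <= held:
            raise PermissionError(f"{user} does not hold {roles - held}")
        for pair in self.dsd:
            if pair <= roles:
                raise PermissionError(f"DSD: {set(pair)} cannot be active in one session")
        return Session(self, user, roles)


class Session:
    def __init__(self, rbac: RBAC, user: str, active: Set[str]) -> None:
        self.rbac, self.user, self.active = rbac, user, set(active)

    def check(self, perm: str) -> bool:
        """Default to no access: only permissions of *active* roles count."""
        return any(perm in self.rbac.effective_perms(r) for r in self.active)


def build_demo() -> RBAC:
    """Constructed accounts-payable roles with one SSD and one DSD constraint."""
    m = RBAC()
    m.add_role("clerk", {"invoice:create"})
    m.add_role("approver", {"invoice:approve"})
    m.add_role("auditor", {"invoice:read"})
    m.add_role("finance_manager", {"report:run"}, inherits={"approver"})
    m.add_ssd("clerk", "auditor")        # never both assigned to one person
    m.add_dsd("clerk", "approver")       # may hold both, never active together
    return m


if __name__ == "__main__":
    m = build_demo()
    m.assign("alice", "clerk")
    m.assign("alice", "approver")
    print("alice as clerk can approve:", m.activate("alice", {"clerk"}).check("invoice:approve"))
    for action in (lambda: m.activate("alice", {"clerk", "approver"}),
                   lambda: m.assign("alice", "auditor")):
        try:
            action()
        except PermissionError as e:
            print("refused:", e)
```

Note that separation-of-duty constraints are written over roles, not over permissions: if a senior role inherited both conflicting junior roles, a session activating only that senior role would carry both sets of permissions without tripping the DSD check. Constraints therefore need to be reviewed against the hierarchy, not just against the role pairs.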
RB-RBAC - Rule-Based Access Control
Access Control Techniques and Technologies
- Constrained User Interfaces
- Access Control Matrix
- Capability Table
- Access Control Lists
- Content-Dependent Access Control
- Context-Dependent Access Control
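The following is an added example, not code from the original outline: one access control matrix viewed two ways (an ACL is a column of the matrix, a capability table is a row), with the default-to-no-access rule and one content-dependent and one context-dependent check layered on top of the matrix decision. The subjects, objects, rights, payroll rows and business-hours window are constructed for illustration.

```python
# Added example, not from the original outline: an access control matrix and
# its two projections (ACL per object, capability table per subject), plus
# default-deny, a content-dependent filter and a context-dependent (time of
# day) check. All subjects, objects and data are constructed for illustration.
from typing import Dict, List, Set, Tuple

Matrix = Dict[Tuple[str, str], Set[str]]     # (subject, object) -> rights

# Constructed matrix: any (subject, object) pair not listed is implicitly denied.
MATRIX: Matrix = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "handbook.pdf"): {"read"},
    ("carol", "handbook.pdf"): {"read", "write"},
}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """ACL = the object's column: which subjects may do what to this object."""
    return {s: r for (s, o), r in matrix.items() if o == obj}


def capability_table(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Capability table = the subject's row: which objects this subject may touch."""
    return {o: r for (s, o), r in matrix.items() if s == subject}


def is_allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Default to no access: a missing cell is a deny, not an error."""
    return right in matrix.get((subject, obj), set())


# --- Content-dependent: the decision depends on the data being accessed -----
PAYROLL_ROWS = [  # constructed records
    {"employee": "alice", "department": "eng", "salary": 100},
    {"employee": "bob", "department": "ops", "salary": 90},
    {"employee": "dave", "department": "eng", "salary": 95},
]
DEPARTMENT = {"alice": "eng", "bob": "ops", "carol": "hr"}


def read_payroll(matrix: Matrix, subject: str) -> List[dict]:
    """The matrix grants table-level read; the content rule then narrows the
    result to the subject's own department, so two readers see different rows."""
    if not is_allowed(matrix, subject, "payroll.db", "read"):
        return []
    return [r for r in PAYROLL_ROWS if r["department"] == DEPARTMENT.get(subject)]


# --- Context-dependent: the decision depends on circumstances (here the hour) --
BUSINESS_HOURS = (8, 18)      # assumed: writes allowed 08:00-17:59 only


def write_payroll_allowed(matrix: Matrix, subject: str, hour: int) -> bool:
    start, end = BUSINESS_HOURS
    return is_allowed(matrix, subject, "payroll.db", "write") and start <= hour < end


if __name__ == "__main__":
    print("ACL payroll.db:", acl(MATRIX, "payroll.db"))
    print("Capabilities of bob:", capability_table(MATRIX, "bob"))
    print("dave read payroll:", is_allowed(MATRIX, "dave", "payroll.db", "read"))
    print("alice sees:", read_payroll(MATRIX, "alice"))
    print("alice write at 20:00:", write_payroll_allowed(MATRIX, "alice", 20))
```

The two projections answer different administrative questions: the ACL answers "who can reach this object" (easy to revoke access to one object), the capability table answers "what can this subject reach" (easy to review or remove one subject). Real systems usually store one projection and derive the other on demand.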
Access Control Administration
Centralized Access Control Administration
RADIUS - Remote Authentication Dial-In User Service
TACACS - Terminal Access Controller Access Control System
Diameter (protocol)
Mobile IP
Decentralized Access Control Administration
Access Control Methods
Access Control Layers
Administrative controls
Personnel Controls
Supervisory Structure
Security-Awareness Training
Testing
Physical controls
Network Segregation
Perimeter Security
Computer Controls
Work Area Separation
Cabling
Control Zone
Technical controls
System Access
Network Architecture
Network Access
Encryption and Protocols
Auditing
Accountability
Review of Audit Information
SEM & SIEM
Protecting Audit Data and Log Information
Keystroke Monitoring
Access Control Practices
Unauthorized Disclosure of Information
Object Reuse
Emanation Security
TEMPEST
White Noise
Control Zone
Access Control Monitoring
IDS - Intrusion Detection Systems
Network-Based IDSs
Host-Based IDSs
Signature-based
Pattern matching
Stateful matching
Anomaly-based
Statistical anomaly-based
Protocol anomaly-based
Traffic anomaly-based
Rule- or heuristic-based
Knowledge- or Signature-Based Intrusion Detection
State-Based IDSs
Statistical Anomaly-Based IDS
Protocol Anomaly-Based IDS
Traffic Anomaly-Based IDS
Rule-Based IDS
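The following is an added example, not code from the original outline or from any IDS product: a rule-based (threshold) detector and a statistical anomaly detector run over the same constructed sshd-style authentication log. The rule fires on a known pattern (many failures from one source inside a short window); the statistical detector flags a source whose failure count deviates from a learned baseline, and would also catch a pattern no rule was written for. The log lines, thresholds, window and baseline profile are all constructed for illustration.

```python
# Added example, not from the original outline: a rule-based (threshold)
# detector and a statistical anomaly detector over the same constructed
# sshd-style auth log lines. Log lines, thresholds and baseline are constructed.
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-05-01T09:00:02 sshd[102]: Failed password for root from 203.0.113.5 port 51235 ssh2
2024-05-01T09:00:03 sshd[103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
2024-05-01T09:00:04 sshd[104]: Failed password for root from 203.0.113.5 port 51237 ssh2
2024-05-01T09:00:05 sshd[105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
2024-05-01T09:00:09 sshd[106]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
2024-05-01T09:03:30 sshd[107]: Failed password for bob from 198.51.100.8 port 40100 ssh2
2024-05-01T09:07:10 sshd[108]: Failed password for bob from 198.51.100.8 port 40101 ssh2
2024-05-01T09:07:12 sshd[109]: Accepted password for bob from 198.51.100.8 port 40102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, result, user, source) per parseable line; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def rule_based(events, threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Rule/signature: >= threshold failures from one source inside a sliding window.
    A slow attacker who spreads attempts beyond the window is not caught here."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[str] = []
    for ts, result, _user, src in events:
        if result != "Failed":
            continue
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        recent.append(ts)
        failures[src] = recent
        if len(recent) >= threshold and src not in alerts:
            alerts.append(src)
    return alerts


def statistical_anomaly(events, baseline_per_source: List[int], k: float = 3.0) -> List[str]:
    """Anomaly: a source's failure count exceeds baseline mean + k * stdev.
    `baseline_per_source` is the learned 'normal' failures-per-source profile."""
    mean = statistics.mean(baseline_per_source)
    sd = statistics.pstdev(baseline_per_source)
    counts: Dict[str, int] = defaultdict(int)
    for _ts, result, _user, src in events:
        if result == "Failed":
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n > mean + k * sd)


# Constructed baseline: typical failed-logon counts per source on a quiet day.
BASELINE = [0, 1, 0, 2, 1, 0, 1, 1, 0, 2]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("rule-based alerts:", rule_based(ev))
    print("statistical alerts:", statistical_anomaly(ev, BASELINE))
```

On this sample both detectors flag 203.0.113.5 and neither flags 198.51.100.8, whose two failures followed by a success look like a user mistyping. The trade-off the outline's categories describe is visible in the code: the rule needs the analyst to know the pattern and its parameters in advance, while the statistical detector needs a trustworthy baseline and will produce false positives whenever legitimate behaviour shifts.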
IDS Sensors
Network Traffic
IPS - Intrusion Prevention Systems
- Switched Environments
- Honeypot
- Intrusion Responses
- Network Sniffers
Threats to Access Control
Dictionary Attack
Countermeasures
Brute-Force Attacks
Countermeasures
Spoofing at Logon
Phishing and Pharming
- Spear-phishing
- Whaling