Resource Protection. Controls to protect company assets

  • Posted: 16-Jan-2016

  • Resource Protection

  • Controls to protect company assets

  • Protections required
    - Environmental protection
    - Physical access protection
    - Logical access protection

  • Environmental Protection
    - Disasters: fire, flood, earthquake
    - Temperature and humidity
    - UV light, other kinds of radiation, electrical interference
    - Electricity interruption: blackout, brownout, power surge

  • Physical Access Control
    - Key and lock
    - Door, cabinet, disk drive
    - Identity badge
    - Monitoring camera
    - Sensors
    - Barriers
    - Guards
    - Escorts

  • Physical Control

  • Logical Access Control
    - To check the identity of a user before he is allowed to access the information system
    - The process is known as authentication
    - The information used to establish the identity is the credentials

  • Logical Access Control

  • Logical access entry points
    - Operator console
    - Online workstation or terminal
    - Remote access
    - Network connectivity

  • Logical access control software
    - Always a part of the operating system
    - User identification and authentication mechanism
    - Restrict logon IDs to specific workstations and to specific times
    - Create individual accountability and auditability
    - Create user profiles
    - Log events and user activities

  • Identification and Authentication
    - The basic building block of information security for access control and for establishing user accountability
    - The logon ID provides individual identification
    - Authentication proves that the user is who he claims to be, usually by means of a password

  • Authentication

  • User Authentication
    - Three qualities can confirm a user's identity:
    - Something the user knows (password)
    - Something the user has (token device)
    - Something the user is (biometrics)

  • Biometrics

  • Identification by Biometrics
    - Fingerprint
    - Palm scan
    - Hand geometry
    - Facial scan
    - Retina scan
    - Iris scan
    - Signature dynamics
    - Keyboard dynamics

  • Two-factor Authentication
    - An authentication process that asks for two of the qualities of a user

  • Password
    - An ideal password is:
    - Something you know
    - Something a computer can verify that you know
    - Something nobody else can guess

  • Use of passwords
    - A password is actually a secret created by a user
    - Consider how it is:
    - Stored (plain text, encrypted)
    - Transmitted and used
    - Retrieved
    - Destroyed

  • Choosing passwords
    - Usually not chosen randomly, as it has to be remembered by the user
    - People can remember only 6 to 8 random numbers
    - Use a passphrase as a memory aid
    - People tend to use capital letters at the beginning and numbers at the end

  • 10 most popular passwords in the UK
    1. '123' (3.784)
    2. 'password' (3.780)
    3. 'liverpool' (1.82)
    4. 'letmein' (1.76)
    5. '123456' (1.63)
    6. 'qwerty' (1.41)
    7. 'charlie' (1.39)
    8. 'monkey' (1.33)
    9. 'arsenal' (1.11)
    10. 'thomas' (0.99)

  • Strong Password
    - Use both capital and small letters, numbers and symbols
    - Avoid actual names or words
    - At least 6 characters long
    - Must not be identifiable to the user; for example, don't use the name or birthday of your wife or your children

  • Policy on control of passwords
    - Length
    - Complexity
    - Period after which the password must be changed
    - No password
    - Log-out period
    - Recycling of old passwords
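An added example, not from the slides, that turns the password controls above (length, complexity, change period, no recycling) and the earlier strong-password rules into code. The 90-day change period, the 5-entry history and the PBKDF2 parameters are assumed values; the top-10 list is the one on the slide.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Constructed from the slide's top-10 UK list: never accept these.
COMMON_PASSWORDS = {"123", "password", "liverpool", "letmein", "123456",
                    "qwerty", "charlie", "monkey", "arsenal", "thomas"}
MIN_LENGTH = 6       # the slide's minimum length
MAX_AGE_DAYS = 90    # assumed change period
HISTORY_SIZE = 5     # assumed: this many old passwords may not be recycled

def _hash(password, salt):
    # Salted, slow hash so the stored form is never the plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_policy(password, user_facts):
    """Violated rules (empty list = acceptable). user_facts: strings identifiable to the user."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, password) for p in classes):
        problems.append("needs lower, upper, digit and symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    for fact in user_facts:          # e.g. spouse's or children's names, birthday
        if fact.lower() in password.lower():
            problems.append("contains user-identifiable data: " + fact)
    return problems

class PasswordRecord:
    """Per-user state: salted hashes only, a history for the recycle check, change date."""
    def __init__(self):
        self.history = []      # (salt, hash) pairs, newest last
        self.changed_on = None

    def set_password(self, password, user_facts, today_iso):
        problems = check_policy(password, user_facts)
        if any(_hash(password, s) == h for s, h in self.history[-HISTORY_SIZE:]):
            problems.append("password recycled")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.changed_on = date.fromisoformat(today_iso)
        return []

    def must_change(self, today_iso):
        # Never set, or older than the change period: force a change.
        return (self.changed_on is None or
                date.fromisoformat(today_iso) - self.changed_on > timedelta(days=MAX_AGE_DAYS))
```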

  • Other considerations
    - A logon ID not used for a number of days should be de-activated
    - Be careful with default system passwords and users
    - A logon session should be automatically disconnected if there is no activity for a period of time (time-out)

  • What about the logon ID?
    - Always standardized by the organization
    - Name and initials
    - Email address

  • Single Sign-on
    - The user needs to access multiple resources and computers
    - The user authenticates only once per session; the system forwards the authenticated identity to other processes
    - Active Directory uses Kerberos
    - Access to Microsoft websites through Microsoft Passport

  • Authorization
    - A process of access control that differentiates between users and provides access to resources
    - Access control should be based on the principles of separation of duties and least privilege, and provided on a documented need-to-know basis

  • Authorization
    - Access restrictions on: read, write, execute, delete, etc.
    - Depends on: role, group, time, transaction type
    - Default: no access

  • Authentication vs Authorization
    - Authentication identifies who you are
    - Authorization determines what kind of resources the user is allowed to access
    - Accounting keeps a detailed record showing who has logged on to the system, the actions he takes, and at what time

  • Access Control List (ACL)
    - An access authorization table showing:
    - The users (including groups, machines, processes) who have permission to use a particular type of system resource, and
    - The type of access permitted
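An added example, not from the slides, of an ACL that enforces the authorization rules on the preceding slides: access types read/write/execute/delete, entries keyed by user or group with an optional time window, default no access, and an accounting record of every decision. The resources, group memberships and hours are constructed sample data.

```python
from datetime import datetime

READ, WRITE, EXECUTE, DELETE = "read", "write", "execute", "delete"

# Constructed ACL: resource -> entries. Each entry names a subject (user or
# group), the access types permitted and an optional window of hours (24h clock).
# Anything not listed here is denied: the default is no access.
ACL = {
    "payroll.db": [
        {"subject": "group:finance", "access": {READ, WRITE}, "hours": (8, 18)},
        {"subject": "user:auditor1", "access": {READ}, "hours": None},
    ],
    "backup.sh": [
        {"subject": "group:operators", "access": {READ, EXECUTE}, "hours": None},
    ],
}

# Constructed group membership; in practice this comes from the directory.
GROUPS = {"alice": {"finance"}, "bob": {"operators"}, "auditor1": set()}

AUDIT_LOG = []   # accounting: when, who, what, on which resource, decision

def authorize(user, resource, access, when_iso):
    """True if `user` may perform `access` on `resource` at ISO time `when_iso`.
    Every decision, allowed or denied, is appended to AUDIT_LOG."""
    when = datetime.fromisoformat(when_iso)
    subjects = {"user:" + user} | {"group:" + g for g in GROUPS.get(user, set())}
    allowed = False
    for entry in ACL.get(resource, []):
        if entry["subject"] not in subjects or access not in entry["access"]:
            continue
        start, end = entry["hours"] or (0, 24)
        if start <= when.hour < end:
            allowed = True
            break
    AUDIT_LOG.append((when.isoformat(), user, access, resource,
                      "ALLOW" if allowed else "DENY"))
    return allowed

if __name__ == "__main__":
    print(authorize("alice", "payroll.db", WRITE, "2016-01-16T10:30:00"))   # True
    print(authorize("alice", "payroll.db", WRITE, "2016-01-16T22:00:00"))   # False: outside hours
    print(authorize("mallory", "backup.sh", READ, "2016-01-16T10:30:00"))   # False: default deny
    for line in AUDIT_LOG:
        print(*line)
```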

  • Other issues to consider
    - Remote logon
    - Access with mobile technology (flash drive, removable hard disk)
    - Access using wireless
    - Access using PDAs
    - Who can access system logs

  • Access Control Administration
    - Centralised vs de-centralised
    - RADIUS (Remote Authentication Dial-in User Service) server
    - TACACS (Terminal Access Controller Access Control System) server
    - AAA server

  • Access Protocols
    - PAP: Password Authentication Protocol
    - CHAP: Challenge Handshake Authentication Protocol
    - Kerberos
    - EAP: Extensible Authentication Protocol

  • Access control - Vulnerability Testing
    - Simulation of an outside attack
    - Penetration testing
    - Ethical hacker

  • Access control - Audit Trails
    - Log activities
    - Capture system, network, application and user events
    - Protect logs from updates and unauthorized access
    - Retain logs for a sufficient period
    - Filter/clip data to maintain reasonable volumes
    - Automatic log review

  • Access control monitoring - Honeypots
    - A sacrificial part of the network used for monitoring purposes
    - Open ports, enabled services, no information
    - Legal issues:
    - Enticement: legal; open ports and enabled services
    - Entrapment: illegal; offering data for download and then prosecuting

  • Access control monitoring - Sniffers
    - Monitor the network and capture the packets
    - Perform protocol analysis for network troubleshooting
    - Examples: Wireshark, tcpdump

  • Document system
    - Classification
    - Indexing
    - Clearance
    - Access control
    - Logging
    - Distribution
    - Storage
    - Disposal

  • Reading
    - CISSP Chapter 4, especially on Kerberos and Access Control Administration
    - NIST Handbook Chapters 16, 17 and 18