Discussion_wk1

What are the factors that influence the selection of access control software and/or hardware? Discuss all aspects of access control systems.


APA Format

No plagiarism

References 

300 words of content 


Attached the required materials 

Access Control, Authentication and Public Key Infrastructure

Lesson 1

Access Control Framework, Assessing Risk, and Impact on Access Control

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

Access Control
Enables an authorized person to control access to areas and resources in a given physical facility or computer-based information system


When and Where Is Access Control Needed?
People need access to certain objects within the same or different systems to perform their work
Sensitive data (human resources, payroll, mergers, acquisitions, and senior level personnel changes) needs protection


Importance of Access Control
[Diagram: In the absence of access control, prying eyes, inquisitive insiders, hackers, and disgruntled employees can misuse or adversely affect important and sensitive information. With access control in place, the important and sensitive information is protected from the same prying eyes, inquisitive insiders, hackers, and disgruntled employees.]


Primary Components of Access Control
Policies: Defined from laws, requirements, and industry guides
Subjects: People who need to access or are restricted from accessing
Objects: Resources or information that need protection


Access Control Process
Access control requires:
Identification
Authentication
Authorization
Access control process:
Subject: presents credentials to the system
Authentication: system verifies and validates that the credentials are authentic
Authorization: grants permission to allowed resources


User IAA Process

Identification—user presents credentials:
Account name and password (passphrase, tokens, and biometrics)
Authentication server operating system:
Receives and compares credentials with authorized credentials
If matched correctly, access is granted; otherwise, a denial notice is sent to the user
Authorization—mainframe application server or database:
Recognizes authorized credentials
Facilitates requests of authorized resources
Denies access to unauthorized resources


The Information Security Triad
Page 15


Logical Access Controls
Who: Identity of subject
What: Type of access being requested
When: Combined with subject identity, access can be granted during one time period and denied at another time
Where: Physical or logical location
Why: Defined purpose for which access must be granted to a subject
How: Type of access that can be granted to a subject
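
The identification, authentication and authorization steps above, combined with the who/what/when/where conditions of a logical access control, as an added example that is not part of the original slides. The account, password, object name, hours and network range are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
from datetime import time

SALT = bytes(16)  # fixed so the example is reproducible; use a random per-user salt in practice

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed credential store: account name -> password hash (never the password itself).
USERS = {"jsmith": _hash("correct horse battery")}

# Constructed policy: who may do what to which object, when, and from where.
POLICY = [{
    "who": "jsmith", "what": "read", "object": "payroll.db",
    "when": (time(8, 0), time(18, 0)),
    "where": ipaddress.ip_network("10.0.5.0/24"),
}]

def authenticate(account: str, password: str) -> bool:
    """Compare presented credentials with the stored ones."""
    candidate = _hash(password)  # hash first so unknown accounts cost the same time
    stored = USERS.get(account)
    return stored is not None and hmac.compare_digest(candidate, stored)

def authorize(account, action, obj, at, source_ip) -> bool:
    """Grant only if one rule matches on who, what, object, when and where."""
    addr = ipaddress.ip_address(source_ip)
    for rule in POLICY:
        start, end = rule["when"]
        if (rule["who"] == account and rule["what"] == action
                and rule["object"] == obj and start <= at <= end
                and addr in rule["where"]):
            return True
    return False  # default deny: anything not explicitly allowed is refused

def request_access(account, password, action, obj, at, source_ip) -> str:
    """Identification (account), then authentication, then authorization."""
    if not authenticate(account, password):
        return "denied: authentication failed"
    if not authorize(account, action, obj, at, source_ip):
        return "denied: not authorized"
    return "granted"
```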


Logical Access Controls for Objects


Data element

Table

Database

Application

System

Operating system

Network

Authentication Elements
Authentication elements can be any of the following or a combination of the following elements:
Something you know: password/passphrase, PIN number
Something you are: biometrics, retina, fingerprint, facial
Something you have: tokens, dongles, device
PIN – 9723
PASSWORD – Drmb9^wX


Risk Definitions and Concepts


Risk

Asset value

Threat

Vulnerability

Probability of occurrence

Impact

Control

Risk Assessment
Determine which risks exist in environment or may occur in future
Measure level of risk by calculating the probability of occurrence and the potential impact on your environment
Risk = Probability × Impact


Access Control Threats


Password cracking

Guessing or deciphering passwords

Heightened access

Ability of attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access

Social engineering

Use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to the attacker

Access Control Vulnerabilities


Insecure passwords

Insecure storage

Insecure password hashes

Insecure applications run at too high of a privilege level

Users

Risk Assessment


Quantitative

Involves numeric data and calculations to identify and rank the risks facing an organization

Qualitative

Relies upon expert opinion rather than math

Risk Management Strategies


Avoidance

Acceptance

Mitigation

Transference

Considerations for Designing a Risk Assessment
Create a risk assessment policy
Define goals and objectives
Describe a consistent approach or model
Inventory all IT infrastructure and assets
Determine the value of each asset
Quantitatively or qualitatively


Considerations for Designing a Risk Assessment (Cont.)
Determine a “yardstick” or consistent measurement to determine the criticality of an asset
Categorize each asset’s place within the infrastructure as critical, major, or minor


Where Are Access Controls Needed the Most?

Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack.
Monitor parameter manipulation–hidden/static.
Establish baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack.
Alert/respond to parameter manipulation.
Use known attack signatures.
Establish baseline/monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack.
Inspect outbound responses.
Investigate application failures.

The Seven Domains of a Typical IT Infrastructure


A Firewall Controls Network Traffic


Virtual Labs
Configuring an Active Directory Domain Controller
Managing Windows Accounts and Organizational Units
Complete Labs 1 & 2 and Quizzes 1 and 2
Multiple attempts on quizzes
Due on Sunday at 11:59PM EST
