Chapter 5 - Access Control

Chapter 5 of 'Corporate Cybersecurity' focuses on access control, detailing various authentication methods, including passwords, access cards, tokens, and biometric systems. It outlines the importance of physical security, risk analysis, and the implementation of both mandatory and discretionary access controls. The chapter emphasizes the need for robust security measures to protect sensitive information and systems from unauthorized access.

Uploaded by

AIZUDDIN ASMAN

Corporate Cybersecurity

Sixth Edition

Chapter 5
Access Control

Copyright © 2025, 2021, 2015 Pearson Education, Inc. All Rights Reserved
Learning Objectives (1 of 2)
5.1 Define basic access control terminology.
5.2 Describe physical building and computer security.
5.3 Explain reusable passwords.
5.4 Explain how access cards and tokens work.
5.5 Describe biometric authentication, including verification and
identification.
5.6 Explain how PKI provides cryptographic authentication.

Learning Objectives (2 of 2)
5.7 Explain authorizations.

5.8 Explain auditing.

5.9 Describe how central authentication servers work.

5.10 Describe how directory servers work.

5.11 Define full identity management.

5.1: Access Control
• Access Control
–Access control is the policy-driven control of access
to systems, data, and dialogues
• Cryptography
–Many access control tools use cryptography to some
extent
–However, cryptography is only part of what they do
and how they work

5.1: Authentication, Authorizations,
and Auditing
• AAA Protections
–Authentication - the process of assessing the identity
of each individual claiming to have permission to use
a resource
–Authorizations - specific permissions that a particular
authenticated user should have, given his or her
authenticated identity
–Auditing - collecting information about an individual’s
activities in log files

5.1: Authentication
• Credentials Are Based on
–What you know (e.g., a password)
–What you have (e.g., an access card)
–What you are (e.g., your fingerprint)
–What you do (e.g., speaking a passphrase)

5.1: Two-Factor Authentication
• Two-Factor Authentication
–Use two forms of authentication for defense in depth
▪Example: access card and personal identification
number (PIN)
–Multifactor authentication - two or more types of
authentication
–Can be defeated by a Trojan horse on the user’s PC
–Can be defeated by a man-in-the-middle attack by a
fake website

5.1: Individual and Role-Based
Access Control
• Individual and Role-Based Access Control
–Individual access control - bases access rules on
individual accounts
–Role-based access control (RBAC)
• Human and Organizational Controls
–People and organizational forces may circumvent
access protections

5.1: Military and National Security
Organization Access Controls
• Mandatory and Discretionary Access Control
–Mandatory access control (MAC)
▪No departmental or personal ability to alter access
control rules set by higher authorities
–Discretionary access control (DAC)
▪Departmental or personal ability to alter access
control rules set by higher authorities
–MAC gives stronger security but is very difficult to
implement

5.1: Multilevel Security
• Multilevel Security
–Resources are rated by security level
–People are given the same clearance level
–Some rules are simple and some are complex
–Access control models have been created to address
multilevel security

5.2: Physical Access and Security
(1 of 9)

• Risk Analysis
–ISO/IEC 27002’s Chapter 7 assumes that risk
analysis has already been done
–IT security professionals need to understand the risks
that exist at the levels of buildings, secure zones
within buildings, and computers

5.2: Physical Access and Security
(2 of 9)

• ISO/IEC 27002’s Chapter 7 physical controls


–Physical security perimeter - Identify physical
perimeter
–Physical entry controls - access must be justified,
authorized, logged, and monitored
–Extra security for certain offices, rooms, and facilities
–Physical security such as remote cameras and
sensors

5.2: Physical Access and Security
(3 of 9)

• ISO/IEC 27002’s Chapter 7 physical controls


–Protecting against physical and environmental threats
–Rules for working in secure areas
–Users’ desks should be kept clear of physical papers
or storage media containing sensitive or classified
information
–Sensitive equipment should be placed in secure
areas
–Equipment should only be taken off-premises
with proper authorization
5.2: Physical Access and Security
(4 of 9)

• ISO/IEC 27002’s Chapter 7 physical controls


–Organizational policies outline how storage media is
protected against unauthorized access, stored
securely, and destroyed securely
–Supporting utilities (electricity, water, HVAC) are
provided
–Cabling (conduits, underground wiring, etc.) is
secure

5.2: Physical Access and Security
(5 of 9)

• ISO/IEC 27002’s Chapter 7 physical controls


–Security during off-site equipment maintenance
–Rules for the removal of property
–Security of equipment off-premises
–Secure disposal or reuse of equipment

5.2: Physical Access and Security
(6 of 9)

• Other physical security issues


–Terrorism
▪Building set back from street
▪Armed guards
▪Bulletproof glass

5.2: Physical Access and Security
(7 of 9)

• Other physical security issues


–Piggybacking
▪Following an authorized user through a door
▪Also called tailgating
▪Psychologically difficult to prevent
▪But can and should be done

5.2: Physical Access and Security
(8 of 9)

• Other physical security issues


–Dumpster diving
▪Protect trash that may contain sensitive
information
▪Maintain and monitor trash inside corporate
premises

5.2: Physical Access and Security
(9 of 9)

• Other physical security issues


–Shadow IT
▪Deploying unauthorized hardware or software
–Desktop PC security
▪Locks that connect the computer to an immovable
object
▪Login screens with strong passwords

5.3: Passwords (1 of 5)
• Reusable password
–Password used for weeks or months at a time
• One-time password
–Used only once

5.3: Passwords (2 of 5)
• Difficulty of cracking passwords by guessing remotely
–Account is usually locked after a few login failures
• Password-cracking programs
–Password-cracking programs exist

5.3: Passwords (3 of 5)
• Password Policies
–Not using the same password at multiple sites
–Shared password policies (makes auditing
impossible)
–Disabling passwords that are no longer valid
–Lost passwords (password resets)

5.3: Passwords (4 of 5)
• Password Policies
–Opportunities for social engineering attacks
–Automated password resets use secret questions
(Where were you born?)
–Passwords must be long and complex
–Testing and enforcing passwords
–Passwords must be stored as secure hashes
–Passwords should be audited regularly

5.3: Passwords (5 of 5)
• The End of Passwords?
–Many firms want to eliminate passwords because of
their weaknesses
–Quite a few firms have already largely phased them
out

5.4: Access Cards and Tokens (1 of 3)
• Access Cards
–Magnetic stripe cards
–Smart cards with microprocessors and RAM
–When selecting, consider cost and availability of card
readers
• Tokens
–Constantly changing password devices for one-time
passwords
–USB plug-in tokens

5.4: Access Cards and Tokens (2 of 3)
• Proximity Access Tokens
–Use Radio Frequency ID (RFID) technology
–Supplicant only has to be near a door or computer to
be recognized
• Addressing Loss and Theft
–Both are frequent
–Card cancellation
–Requires a wired network for cancellation speed
–Must cancel quickly if risks are considerable
5.4: Access Cards and Tokens (3 of 3)
• Two-Factor Authentication Needed because of Ease of
Loss and Theft
–PINs (Personal Identification Numbers) for the
second factor
–Other forms of two-factor authentication such as
fingerprints

5.5: Biometric Authentication (1 of 14)
• Biometric Authentication
–Authentication based on biological (bio)
measurements (metrics)
–Major promise of biometrics is to make reusable
passwords obsolete

5.5: Biometric Authentication (2 of 14)
• Biometric Systems
–Enrollment (enrollment scan, process for key
features, store template)
–Later access attempts provide access data, which will
be turned into key feature data for comparison with
the template
–Biometric access key features will never be the same
as the template

5.5: Biometric Authentication (3 of 14)
• Biometric Systems
–There must be configurable decision criteria for
deciding how close a match (match index) to require
–Requiring an overly exact match index will cause
many false rejections
–Requiring too loose a match index will cause more
false acceptances

Figure 5-10: Biometric
Authentication System

5.5: Biometric Authentication (4 of 14)
• Verification
–Supplicant claims to be a particular person
–Is the supplicant who he or she claims to be?
–Compare access data to a single template (the
claimed identity)
–Verification is good to replace passwords in logins

5.5: Biometric Authentication (5 of 14)
• Identification
–Supplicant does not state his or her identity
–System must compare supplicant data to all
templates to find the correct template
–Good for door access

5.5: Biometric Authentication (6 of 14)
• Watch Lists
–Subset of identification
–Goal is to identify members of a group:
▪Terrorists
▪People who should be given proper access
–More comparisons than verification but fewer than
identification, so the risk of a false acceptance is
intermediate

5.5: Biometric Authentication (7 of 14)
• Errors versus Deception
–Error rate
▪Refers to accuracy when the supplicant is not
trying to deceive the system
–Deception rate
▪Likelihood that an impostor will be able to deceive
the system if he or she tries

5.5: Biometric Authentication (8 of 14)
• False Acceptance Rates (FARs)
–Percentage of people who are identified or verified as
matches to a template but should not be
• False Rejection Rates (FRRs)
–Percentage of people who should be identified or
verified as matches to a template but are not
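
An added worked example (not from the textbook or its slides) of the match-index trade-off and the FAR/FRR definitions above, plus the effect of the number of comparisons noted on the Watch Lists slide. The scores, thresholds, and template counts are constructed sample data, and treating comparisons as independent is a simplifying assumption.

```python
"""Added example: FAR/FRR against the match-index threshold.

Scores are similarity values in [0, 1]; a comparison is accepted when
score >= threshold. All numbers are constructed, not vendor measurements.
"""

# Constructed scores with no deception attempted:
# GENUINE  = the right person compared with his or her own template
# IMPOSTOR = a different person compared with that template
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.84, 0.73, 0.90, 0.86, 0.68, 0.93]
IMPOSTOR = [0.22, 0.41, 0.35, 0.58, 0.30, 0.47, 0.71, 0.26, 0.52, 0.39]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor comparisons accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine comparisons rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds):
    """Return (threshold, FAR, FRR) for each candidate decision criterion."""
    return [(t, far(t), frr(t)) for t in thresholds]


def false_accept_risk(per_comparison_far, n_templates):
    """Chance that at least one of n comparisons is a false match.

    Assumes independent comparisons (a simplification).
    """
    return 1 - (1 - per_comparison_far) ** n_templates


if __name__ == "__main__":
    # Loose, moderate, and overly exact match requirements.
    for t, fa, fr in sweep([0.50, 0.70, 0.90]):
        print(f"threshold={t:.2f}  FAR={fa:.0%}  FRR={fr:.0%}")

    # Same per-comparison FAR, different numbers of templates compared.
    cases = [("verification", 1), ("watch list", 100),
             ("identification", 10_000)]
    for label, n in cases:
        risk = false_accept_risk(0.0001, n)
        print(f"{label:15s} templates={n:6d}  risk={risk:.4f}")
```
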

5.5: Biometric Authentication (9 of 14)
• Vendor Claims for FARs and FRRs
–Tend to be exaggerated through tests under ideal
conditions
• Failure to Enroll (FTE)
–Subject cannot enroll in system
▪Such as poor fingerprints due to construction work,
clerical work, age, etc.

5.5: Biometric Authentication (10 of 14)
• Watch Lists
–Subset of identification
–Goal is to identify members of a group:
▪Terrorists
▪People who should be given proper access
–More comparisons than verification but fewer than
identification, so the risk of a false acceptance is
intermediate

5.5: Biometric Authentication (11 of 14)

• Fingerprint Recognition
–Simple, inexpensive, well proven
–Most biometrics today are fingerprint recognition
–Often can be defeated with latent fingerprints on
glasses copied to gelatin fingers
–Fingerprint recognition can take the place of reusable
passwords for low-risk applications

5.5: Biometric Authentication (12 of 14)
• Iris Recognition
–Pattern in colored part of eye
–Uses a camera (no light is shined into eye, as in
Hollywood movies)
–Very low FARs
–Very expensive

5.5: Biometric Authentication (13 of 14)
• Face Recognition
–Surreptitious (without the subject’s knowledge)
identification is possible (in airports, etc.)
–High error rates, even without deception
• Hand Geometry for Door Access
–Shape of hand
–Reader is very large, so usually used for door access

5.5: Biometric Authentication (14 of 14)
• Voice Recognition
–High error rates
–Easily deceived by recordings
• Other Forms of Biometric Authentication
–Veins in the hand
–Keystroke recognition (pace in typing password)
–Signature recognition (handwritten signature)
–Gait recognition (way one walks)

5.6: Cryptographic Authentication
(1 of 5)

• Key Points from Chapter 3


–Cryptographic systems have initial and message-by-
message authentication
–MS-CHAP uses passwords for initial authentication

5.6: Cryptographic Authentication
(2 of 5)

• Key Points from Chapter 3


–Electronic signatures provide message-by-message
authentication
▪Key-Hashed Message Authentication Codes
(HMACs) are fast and inexpensive
▪Digital signatures with digital certificates are
extremely strong but slow

5.6: Cryptographic Authentication
(3 of 5)

• Public Key Infrastructures (PKIs)


–Firms can be their own certificate authorities (CAs)
–Requires a great deal of labor
–Provisioning
▪Giving the user access credentials

5.6: Cryptographic Authentication
(4 of 5)

• Public Key Infrastructures (PKIs)


–Provisioning
▪Human registration is often the weakest link
–If an impostor is given credentials, no
technology access controls will work
–Limit who can submit names for registration
–Limit who can authorize registration
–Have rules for exceptions

5.6: Cryptographic Authentication
(5 of 5)

• Public Key Infrastructures (PKIs)


–Must have effective terminating procedures
–Supervisors and human resources department must
assist

Figure 5-18: Functions of a Public Key
Infrastructure (PKI)

5.7: Authorization (1 of 4)
• Authentication versus Authorizations
–Authentication: Proof of identity
–Authorization: The assignment of permissions
(specific authorizations) to individuals or roles
–Just because you are authenticated does not mean
that you should be able to do everything

5.7: Authorization (2 of 4)
• Principle of Least Permissions
–Initially give only the permissions a person absolutely
needs to do his or her job
–If assignment is too narrow, additional permissions
may be given
–System has permissions A, B, C, D, E, and F
–This will frustrate users somewhat

5.7: Authorization (3 of 4)
• Giving Extensive or Full Permissions Initially Is Bad
–User will almost always have the permissions to do
his or her job
–System has permissions A, B, C, D, E, and F
▪Person needs A, B, and E
▪If given all and only C and D are taken away, the person still has F
▪Errors tend to create security problems

5.7: Authorization (4 of 4)
• Giving Extensive or Full Permissions Initially Is Bad
–Assignments can be taken away, but this is subject to
errors
–Such errors could give excessive permissions to the
user
–This could allow the user to take actions contrary to
security policy
–Giving all or extensive permissions and taking some
away does not fail safely
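
An added worked example (not from the textbook or its slides) of why the two provisioning styles fail differently, using the slides' permission set A to F and needed set A, B, and E. The error model, an administrator forgetting exactly one step, and all function names are assumptions made here.

```python
"""Added example: additive vs. subtractive permission assignment.

Every possible single forgotten step is tried for both styles, and each
result is compared with what the person actually needs.
"""

ALL_PERMISSIONS = frozenset("ABCDEF")   # from the slides
NEEDED = frozenset("ABE")               # from the slides


def additive_steps(needed):
    """Least permissions: start with nothing, grant what is needed."""
    return [("grant", p) for p in sorted(needed)]


def subtractive_steps(needed, universe=ALL_PERMISSIONS):
    """Full permissions first: start with everything, revoke the rest."""
    return [("revoke", p) for p in sorted(universe - needed)]


def run_plan(start, steps):
    """Apply grant/revoke steps to a starting permission set."""
    perms = set(start)
    for action, perm in steps:
        if action == "grant":
            perms.add(perm)
        else:
            perms.discard(perm)
    return frozenset(perms)


def single_omission_outcomes(start, steps, needed=NEEDED):
    """Run the plan once per possible forgotten step and classify it."""
    outcomes = []
    for i, skipped in enumerate(steps):
        result = run_plan(start, steps[:i] + steps[i + 1:])
        outcomes.append({
            "skipped": skipped,
            "missing": sorted(needed - result),  # user is inconvenienced
            "excess": sorted(result - needed),   # policy can be violated
        })
    return outcomes


if __name__ == "__main__":
    print("Additive (start with none):")
    for o in single_omission_outcomes(frozenset(), additive_steps(NEEDED)):
        print("  ", o)
    print("Subtractive (start with all):")
    for o in single_omission_outcomes(ALL_PERMISSIONS,
                                      subtractive_steps(NEEDED)):
        print("  ", o)
```

Every additive mistake leaves a permission missing, which the user will report; every subtractive mistake leaves an excess permission, which nobody is prompted to notice.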

5.8: Auditing (1 of 3)
• Auditing
–Authentication: Who a person is
–Authorization: What a person may do with a resource
–Auditing: What the person actually did

5.8: Auditing (2 of 3)
• Logging
–Events
–On a server, logins, failed login attempts, file
deletions, and so forth
–Events are stored in a log file

5.8: Auditing (3 of 3)
• Log Reading
–Regular log reading is crucial or the log becomes a
useless write-only memory
–Periodic external audits of log file entries and reading
practices
–Automatic alerts for strong threats

5.9: Central Authentication Servers
• Company employees may need access and
authorizations for a dozen or more servers
• Companies address this need by using central
authentication servers
• Central authentication servers
–Reduce costs
–Give consistency in authentication no matter where a
user or attacker comes into the network
–Allow company-wide changes to be made instantly

Figure 5-21: RADIUS Central
Authentication Server

Figure 5-22: Kerberos Initial Login

5.10: Directory Servers (1 of 5)
• Directory servers
–Central repositories for information about people,
equipment, software, and databases
• Hierarchical database organization
–Directory servers use a hierarchical database
organization
–Directory server database schema is a hierarchical
collection of objects (nodes)

Figure 5-24: Directory Server
Organization

5.10: Directory Servers (2 of 5)
• Lightweight Directory Access Protocol (LDAP)
–Used to retrieve data from the directory server
• Use by authentication servers
–Directory servers are important because they are
used by central authentication servers such as
RADIUS and Kerberos servers

Figure 5-25 Using a Directory Server
to Centralize Authentication
Information

Figure 5-26: Active Directory
Domains and Tree

5.10: Directory Servers (3 of 5)
• Trust
–Means that one directory server will accept
information from another
▪Mutual - bidirectional
▪One-way - one directory server trusts another, but
the trust is not reciprocated

5.10: Directory Servers (4 of 5)
• Trust
–Means that one directory server will accept
information from another
▪Transitive
–If Directory Server X trusts Directory Server Y,
and if Directory Server Y trusts Server Z, then
Directory Server X will automatically trust
Directory Server Z

5.10: Directory Servers (5 of 5)
• Trust
–Means that one directory server will accept
information from another
▪Intransitive
–If Directory Server X trusts Directory Server Y,
and Directory Server Y trusts Directory Server
Z, Directory Server X does not
automatically trust Directory Server Z
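
An added worked example (not from the textbook or its slides) that computes which directory servers a given server ends up trusting under the mutual, one-way, transitive, and intransitive definitions above. The server names beyond X, Y, and Z, the trust list, and the rule that trust extends along a chain only when every trust in the chain is transitive are assumptions made for this example.

```python
"""Added example: effective trust between directory servers."""
from collections import deque

# Constructed trust relationships: (truster, trusted, transitive?)
TRUSTS = [
    ("X", "Y", True),
    ("Y", "X", True),   # with the line above: mutual trust X <-> Y
    ("Y", "Z", True),   # one-way, transitive
    ("Z", "W", False),  # one-way, intransitive
    ("P", "X", False),  # one-way, intransitive: X does not trust P
]


def is_mutual(trusts, a, b):
    """True when a trusts b and b trusts a."""
    pairs = {(truster, trusted) for truster, trusted, _ in trusts}
    return (a, b) in pairs and (b, a) in pairs


def effective_trust(trusts, source):
    """Return the set of servers whose information `source` will accept.

    Direct trusts always count. Trust reaches further servers only
    through chains in which every trust is transitive (assumption).
    """
    outgoing = {}
    for truster, trusted, transitive in trusts:
        outgoing.setdefault(truster, []).append((trusted, transitive))

    trusted_set = set()
    queue = deque()
    for server, transitive in outgoing.get(source, []):
        if server == source:
            continue
        trusted_set.add(server)
        if transitive:
            queue.append(server)      # trust may extend past this server

    expanded = set()
    while queue:
        hop = queue.popleft()
        if hop in expanded:
            continue
        expanded.add(hop)
        for server, transitive in outgoing.get(hop, []):
            if transitive and server != source:
                trusted_set.add(server)
                queue.append(server)
    return trusted_set


if __name__ == "__main__":
    for name in ["X", "Y", "Z", "P", "W"]:
        print(name, "trusts", sorted(effective_trust(TRUSTS, name)))
    print("X and Y mutual:", is_mutual(TRUSTS, "X", "Y"))
    print("P and X mutual:", is_mutual(TRUSTS, "P", "X"))
```
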

Figure 5-28: Multiple Directory
Servers and Metadirectory Server

Figure 5-29: Federated Identity
Management

5.11: Full Identity Management (1 of 5)
• Identity Management - centralized policy-based
management of all information required for access to
corporate systems by a person, machine, program, or
other resource

5.11: Full Identity Management (2 of 5)
• Benefits of Identity Management
–Reduction in the redundant work needed to manage
identity information
–Consistency in information
–Rapid changes
–Central auditing

5.11: Full Identity Management (3 of 5)
• Benefits of Identity Management
–Single sign-on (SSO)
–Increasingly required to meet compliance
requirements
–At least reduced sign-on when SSO is impossible

5.11: Full Identity Management (4 of 5)
• Identity
–The set of attributes about a person or nonhuman
resource that must be revealed in a particular context
–Principle of minimum identity data: only reveal the
information necessary in a particular context

5.11: Full Identity Management (5 of 5)
• Identity Lifecycle Management
–Initial credential checking
–Defining identities (pieces of information to be
divulged)
–Managing trust relationships
–Provisioning, reprovisioning if changes, and
deprovisioning
–Implementing controlled decentralization
–Providing self-service functions (password reset

Thank You

Copyright

This work is protected by United States copyright laws and is
provided solely for the use of instructors in teaching their
courses and assessing student learning. Dissemination or sale of
any part of this work (including on the World Wide Web) will
destroy the integrity of the work and is not permitted. The work
and materials from it should never be made available to students
except by instructors using the accompanying text in their
classes. All recipients of this work are expected to abide by these
restrictions and to honor the intended pedagogical purposes and
the needs of other instructors who rely on these materials.
