Object
The resource a subject attempts to access
Information leak
Lack of controls lets people without a need to know access data
E.g., a physician needs data about the patient's health, not
about the patient's insurance
Controls
Mechanisms put into place to allow or disallow object access
Controls are organized into different categories
Common categories
Administrative: enforce security rules through policies
Logical: implement object access restrictions
Physical: limit physical access to hardware
Techniques differ in
The way objects and subjects are identified
How decisions are made to approve or deny access
Classification levels
Government scheme: Unclassified, Confidential, Secret, Top Secret
Commercial scheme: Public, Private, Sensitive, Confidential
Includes
Identity-based access control
Access control lists (ACLs)
More stable
Not a single point of failure
Accountability
System auditing used by administrators to monitor
Who is using the system
What users are doing
Biba model
Focuses on integrity controls
Clark-Wilson Model
Subjects reach data only through a small number of tightly
controlled programs (well-formed transactions)
Non-interference Model
Often an addition to other models
Ensures that changes at one security level do not bleed over
into other levels
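The identity-based ACL check and the Biba integrity rules above, as an added example that is not from the slides. The integrity levels, the subjects, the objects and the permission names are constructed for the demo; every decision is also written to an audit list, which is the accountability mechanism the slides describe.

```python
"""Added example (not from the slides): an identity-based ACL check, a Biba
integrity check, and an audit trail of every decision. Integrity levels,
subjects, objects and permission names are constructed assumptions."""
from dataclasses import dataclass, field

# Biba integrity levels, lowest to highest (assumed ordering for the demo).
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass
class Obj:
    name: str
    integrity: str
    acl: dict = field(default_factory=dict)   # identity -> set of permissions


@dataclass
class Subject:
    identity: str
    integrity: str


AUDIT: list = []   # accountability: who tried what, and the decision


def acl_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    """Identity-based access control: the decision depends only on who the
    subject is and on what the object's ACL grants that identity."""
    return perm in obj.acl.get(subject.identity, set())


def biba_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    """Biba (integrity) rules: no read down, no write up."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if perm == "read":
        return s <= o      # may read only from equal or higher integrity
    if perm == "write":
        return s >= o      # may write only to equal or lower integrity
    return False


def decide(subject: Subject, obj: Obj, perm: str) -> bool:
    """Both controls must agree; either one can deny. Every decision is logged."""
    allowed = acl_allows(subject, obj, perm) and biba_allows(subject, obj, perm)
    AUDIT.append((subject.identity, obj.name, perm, "ALLOW" if allowed else "DENY"))
    return allowed


def run_demo() -> dict:
    # Constructed objects: a patient's records, a system file, an untrusted download.
    health = Obj("patient_health", "user", {"dr_smith": {"read", "write"}})
    insurance = Obj("patient_insurance", "user", {"billing": {"read"}})
    config = Obj("system_config", "system", {"dr_smith": {"read", "write"}})
    download = Obj("untrusted_download", "untrusted", {"dr_smith": {"read"}})
    physician = Subject("dr_smith", "user")
    return {
        # need to know: the physician is on the health record's ACL only
        "physician_reads_health": decide(physician, health, "read"),
        "physician_reads_insurance": decide(physician, insurance, "read"),
        # ACL grants write, but Biba forbids writing up to system integrity
        "physician_writes_config": decide(physician, config, "write"),
        # ACL grants read, but Biba forbids reading down from untrusted data
        "physician_reads_download": decide(physician, download, "read"),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    for entry in AUDIT:
        print("audit:", entry)
```

The ACL answers "is this identity allowed?", the Biba check answers "would this flow lower the integrity of what the subject or the object holds?", and the audit list makes the denied attempts visible to an administrator afterwards.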
Authentication Methods
Authentication has two phases
Identification: the subject claims an identity (e.g., a user ID)
Authentication: the subject proves that claim
Three factor types
Type 1, what you know: password, PIN, challenge question
Type 2, what you have
Type 3, what you are
Single Sign-On
User's choice in multi-application environments
Avoids multiple logins
Transfer of identity from one system to another within a
trusted group
Requires additional work for administrators
Kerberos, developed at MIT, is an example of a widely used SSO system
Kerberos
Uses symmetric key cryptography
Provides end-to-end security
Intermediate machines cannot read message content
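The Kerberos properties listed above (symmetric keys shared with the KDC, tickets that relays cannot read), as an added example that is not from the slides and is not real Kerberos code. Real Kerberos uses a two-step AS/TGS exchange with standard ciphers; here a single KDC issues the service ticket directly, a toy HMAC-based authenticated cipher stands in for the real one, and the principal names and passwords are constructed.

```python
"""Added example (not from the slides, not real Kerberos): a simplified
Kerberos-style exchange. The cipher, the one-step KDC, and all principal
names and passwords are assumptions made for the demo."""
import hashlib, hmac, json, os, time


def long_term_key(password: str) -> bytes:
    # Toy string-to-key; Kerberos derives keys with a salted string-to-key.
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC: only the holder of `key` can read or alter it."""
    nonce = os.urandom(16)
    pt = json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key; keys never travel in the clear."""
    def __init__(self, keys: dict):
        self.keys = keys

    def issue(self, client: str, server: str, nonce: str):
        session = os.urandom(32).hex()
        # Ticket: readable only by the server (sealed under the server's key).
        ticket = seal(self.keys[server], {"client": client, "session": session,
                                          "expires": time.time() + 300})
        # Reply: readable only by the client (sealed under the client's key).
        reply = seal(self.keys[client], {"server": server, "session": session, "nonce": nonce})
        return reply, ticket


def client_request(kdc: KDC, client: str, password: str, server: str):
    """Messages 1 and 2: client asks the KDC for a ticket to `server`."""
    nonce = os.urandom(8).hex()
    reply, ticket = kdc.issue(client, server, nonce)
    info = unseal(long_term_key(password), reply)
    if info["nonce"] != nonce or info["server"] != server:
        raise ValueError("stale or misdirected KDC reply")
    session = bytes.fromhex(info["session"])
    # Message 3: the ticket plus an authenticator under the fresh session key.
    authenticator = seal(session, {"client": client, "time": time.time()})
    return ticket, authenticator, session


def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes):
    """The server validates ticket and authenticator and learns who connected."""
    t = unseal(server_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"], session


def intermediary_can_read(blob: bytes) -> bool:
    """A relay without the right key sees only ciphertext."""
    try:
        unseal(b"not-the-key", blob)
        return True
    except ValueError:
        return False


def run_demo() -> dict:
    kdc = KDC({"alice": long_term_key("alice-pw"), "fileserver": long_term_key("fileserver-pw")})
    ticket, auth, client_session = client_request(kdc, "alice", "alice-pw", "fileserver")
    who, server_session = server_accept(long_term_key("fileserver-pw"), ticket, auth)
    tampered = bytearray(ticket)
    tampered[20] ^= 0x01          # flip one ciphertext bit in transit
    try:
        server_accept(long_term_key("fileserver-pw"), bytes(tampered), auth)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"who": who, "keys_match": client_session == server_session,
            "relay_reads_ticket": intermediary_can_read(ticket), "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The end-to-end property comes from the key layout: the ticket is sealed under the server's long-term key and the reply under the client's, so the session key appears in the clear on no link, and a relay that forwards the blobs can neither read nor modify them without failing the MAC check.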
Data Ownership
Different layers of responsibility for ensuring the security
of an organization's information
Data owner
Bears ultimate responsibility, sets classification levels
Data custodian
Enforces security policies, often a member of the IT
department
Data user
Accesses data on a day-to-day basis
Responsible for following the organization's security
policies
Vulnerabilities
Brute force attack
Try all possible combinations of characters to satisfy Type 1
authentication (password guessing)
Dictionary attack
Subset of brute force
Instead of all possible combinations, uses a list of common
passwords
Spoofing attack
Create a fake login program that prompts for user ID and password
Return a login failure message and store the captured credentials
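The brute force and dictionary attacks above, run against a constructed password store, together with the lockout control that stops them. This is an added example, not from the slides; the wordlist, account names and passwords are constructed, and the fast salted SHA-256 store is a stand-in for the slow KDF a real system would use.

```python
"""Added example (not from the slides): dictionary and brute force password
guessing against a constructed store, with and without account lockout.
Wordlist, accounts and passwords are constructed for the demo."""
import hashlib, hmac, itertools, os, string


def make_record(password: str) -> tuple:
    # Toy store: salted SHA-256 so the demo runs fast. A real store would use
    # a slow KDF (PBKDF2, bcrypt, scrypt) to make each guess expensive.
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


class LoginService:
    """Type 1 (what-you-know) check with optional lockout after N failures."""
    def __init__(self, records: dict, max_failures=None):
        self.records, self.max_failures = records, max_failures
        self.failures = {user: 0 for user in records}

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'fail' or 'locked'."""
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            return "locked"
        salt, digest = self.records[user]
        if hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "fail"


# Constructed wordlist of common passwords (dictionary attack input).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "admin", "monkey", "dragon", "football", "iloveyou"]


def dictionary_attack(service: LoginService, user: str, wordlist):
    """Try each candidate in order. Returns (password or None, attempts, outcome)."""
    for n, guess in enumerate(wordlist, 1):
        result = service.login(user, guess)
        if result != "fail":
            return (guess if result == "ok" else None), n, result
    return None, len(wordlist), "exhausted"


def brute_force(service: LoginService, user: str, alphabet: str, max_len: int):
    """Exhaustive search over all strings up to max_len; the space is sum(|alphabet|**L)."""
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            tried += 1
            guess = "".join(chars)
            result = service.login(user, guess)
            if result != "fail":
                return (guess if result == "ok" else None), tried, result
    return None, tried, "exhausted"


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a brute force must consider in the worst case."""
    return sum(alphabet_size ** length for length in range(1, max_len + 1))


def run_demo() -> dict:
    records = {"bob": make_record("football"), "eve": make_record("zq7")}
    unthrottled = LoginService(records)                 # no lockout control
    throttled = LoginService(records, max_failures=5)   # lockout after 5 failures
    alphabet = string.ascii_lowercase + string.digits
    return {
        "dict_no_lockout": dictionary_attack(unthrottled, "bob", WORDLIST),
        "dict_with_lockout": dictionary_attack(throttled, "bob", WORDLIST),
        "brute_no_lockout": brute_force(unthrottled, "eve", alphabet, 3),
        "space_len3": search_space(36, 3),
        "space_len8": search_space(36, 8),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The dictionary attack finds the weak password in nine guesses when nothing throttles it and is stopped at the sixth attempt once lockout is on; the brute force numbers show why the short password still falls (tens of thousands of guesses) while eight characters from the same alphabet push the space past 10^12, which is where a slow KDF and lockout together matter most.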
References
Kerberos: An Authentication Service for Computer Networks, B. Clifford Neuman and Theodore Ts'o, IEEE Communications Magazine, Sep. 1994, 33-38.
Information Security: An Integrated Collection of Essays, Editors: Marshall Abrams, Sushil Jajodia, Harold Podell, IEEE Computer Society Press, Washington D.C., 1995.
Essay 5: Abstraction and Refinement of Layered Security Policy by Marshall Abrams and David Bailey
Essay 7: Information Security Policy by Ingrid Olson and Marshall Abrams
Essay 13: Supporting Policies and Functions by Marshall Abrams and Harold Podell
Management of Information Security by Michael Whitman and Herbert Mattord, Course Technology, 2004.
The Business Case for Network Security by Catherine Paquet and Warren Saxe, Cisco Press, Indianapolis, 2005.
Chapter 5: Policy, Personnel, and Equipment as Security Enablers
Chapter 10: Essential Elements of Security Policy Development
Chapter 11: Security is a Living Process
Role-Based Access Control Models by R. S. Sandhu et al., IEEE Computer, Vol. 29, Feb. 1996, 38-47.