Access Control Systems, Part 1
Last updated Jul 1, 2004.
Why Access Control Systems are a Necessity
Access control systems play an enormous part in information system security because they are essential in maintaining the confidentiality, integrity and availability of information.
Implementing strong access control on a network or an individual computer will automatically solve a lot of confidentiality problems. Information can be made available to individual users on a case by case basis, protecting the information's confidentiality by not exposing it to unnecessary (unauthorized) users.
The integrity of information can be maintained with strong access controls. Integrity is addressed in 4 ways:
- Data is protected from accidental modification. A very simple example of an access control technique often used with important documents is the Portable Document Format or PDF. PDF files cannot be easily edited and in their normal state they allow a user to view and read a document without being able to make changes to the document. This is a major reason that you will find price quotes, contracts and other important documents in PDF format.
- Data is protected from deliberate modifications. It is common sense for a company to control access to important financial information. A disgruntled employee with access to a company's payroll could easily change his or her pay information. Poor access control can lead to companies losing money to deliberate and malicious modification of data. A recent example in Australia showed how an airline employee stole hundreds of thousands of dollars' worth of frequent flyer points from a rival airline after working out how to log into their computers. Admittedly, he was given the password by a friend, but stronger access controls would have protected this company from fraud. You can read about this incident at http://tinyurl.com/8af3g (registration required).
- External database consistency is maintained because data can easily be compared against an external database. Modifications made on the external database can be detected when inconsistency is found in the local data.
- Internal database consistency is maintained, using the same techniques as previously mentioned.
A good access control system will ensure that authorized users have access to the minimum amount of data or information that they require to do their work. Availability is an important aspect: it is not only important that the data is available, but the process required to access the data should also not be overly time-consuming. If a user has to write a 500-word passphrase or something equally crazy, you will find that employees may try to find ways to disable security measures.
Access control systems require planning and research before they can be implemented. When researching what type of access control system will be implemented in your organisation it is important to study the following:
- Threats: What are the potential threats faced by the system or network you want to protect? A threat is something that has the potential to cause damage. It can be an activity by a user or an event such as a virus infection (or even an earthquake).
- Vulnerabilities: Does the system or network you are trying to protect have flaws that would allow an internal or external attack? Does the operating system frequently crash? Vulnerabilities pose a major threat to access control systems. Systems with very strong access controls are only as strong as their weakest flaw. It is important that you fix all known vulnerabilities on your system or network before integrating access control systems.
- Risk: A risk can be described as the likelihood of a threat occurring and the damage, financial or otherwise, sustained by an individual or company from the occurrence of that threat. It is important to differentiate between likely threats and unlikely threats. Although a meteor landing through the roof of your server farm would probably cause huge financial damage and data loss, the likelihood of this occurring is very slim.
Types of Controls
Access controls use three different protective measures, each of which can have its good and bad points. These measures are as follows:
- Preventative: These prevent harmful activities or events. Blocking access to a port or service that you know can be exploited is a basic preventative control.
- Detective: Detective controls are used to detect unauthorized access to information or data by users. A detective control may not stop access to the data but it will tell you if the data has been accessed.
- Corrective: Corrective controls are normally put in place after a threat has occurred on a system. Corrective controls are used to restore the system to a state of confidentiality, integrity and availability. Corrective controls can also act as preventative controls in instances of further attacks.
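The three measures above, applied to the payroll scenario from earlier on this page, as an added example that is not part of the original article. The `Payroll` class, the role names and the salary figures are constructed for illustration: the ACL check is the preventative control, the audit log and the comparison against a reference copy are detective controls, and `restore()` is the corrective control.

```python
import hashlib
import json

# Constructed sample data: salaries, plus an ACL mapping role -> permitted actions.
SALARIES = {"alice": 52000, "bob": 48000}
ACL = {"payroll_clerk": {"read", "write"}, "employee": {"read_own"}}


def digest(name, value):
    """Stable SHA-256 of one record, for comparing local data to the reference."""
    return hashlib.sha256(json.dumps([name, value]).encode()).hexdigest()


class Payroll:
    def __init__(self, salaries):
        self.local = dict(salaries)
        self.backup = dict(salaries)   # stands in for the external database
        self.reference = {n: digest(n, v) for n, v in salaries.items()}
        self.audit = []                # every request is recorded, allowed or not

    def _allowed(self, role, user, action, target):
        perms = ACL.get(role, set())   # unknown roles get nothing (deny by default)
        if action == "read":
            return "read" in perms or ("read_own" in perms and user == target)
        return action == "write" and "write" in perms

    def request(self, role, user, action, target, value=None):
        """Preventative: consult the ACL before touching data; log the outcome."""
        ok = self._allowed(role, user, action, target)
        self.audit.append((user, action, target, "ALLOW" if ok else "DENY"))
        if not ok:
            return None
        if action == "write":
            self.local[target] = value
            # An authorised change also updates the reference copy.
            self.backup[target] = value
            self.reference[target] = digest(target, value)
        return self.local[target]

    def inconsistent(self):
        """Detective: records whose local value no longer matches the reference."""
        return sorted(n for n, d in self.reference.items()
                      if digest(n, self.local.get(n)) != d)

    def restore(self):
        """Corrective: put mismatching records back to the reference value."""
        fixed = self.inconsistent()
        for n in fixed:
            self.local[n] = self.backup[n]
        return fixed
```

A change made to `local` without going through `request()` leaves no `ALLOW` entry in the audit log, but `inconsistent()` still reports the record, which is why the detective check is kept separate from the preventative one.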
Three types of controls are used to implement these measures. These controls are as follows:
- Administrative Controls: Ultimately the responsibility for a company falls on those in charge. Administrative controls encompass the policies, procedures and workplace training that administration puts in place. They involve background checks on new staff, rotation of duties and supervision duties. Rotation of duties may sound a little silly as a control measure, but often fraud and other threats can be uncovered by rotating users in various duties.
- Technical Controls (sometimes called logical controls): These controls restrict the availability or access of data to the various users of a system. They can also restrict access to systems or networks by those unauthorized to have access. Common examples of technical controls include access control lists (ACLs), encryption software, current usage rules and software-based personal firewalls. Most operating systems have some sort of login prompt when you change user or reboot; this is also a technical control.
- Physical Controls: Physical controls consist of the security measures put in place to stop physical access to a computer or group of computers. These can be not only secure and strong locks but also security guards. Physical controls are a critical yet often neglected aspect of information security. You can have the hardest system on the planet, but if your system and backups are destroyed by fire or vandalism you will lose everything. Physical controls also incorporate the protection of cables and devices from data emanation.

