Accountability and Access Control Slide ke-1 Mata Kuliah: Keamanan Jaringan oleh Setio Basuki
Accountability and Access Control Course Objectives
- Access Control
- – Identification and Authentication – Techniques – Methodology – Administration
Access Controls
- Access controls are security features that control how people can interact with systems, and resources.
- Goal is to protect from
un-authorized access .
- Access is the data flow between subject
Access Control’s Types
- Access controls are necessary to protect the confidentiality, integrity, and availability of objects.
- – That is commonly called by CIA.
- – It is sound silly, but still represent the idea
• In fact, no single access control mechanism
is deployed in such environment.
Access Control’s Types (2)
- Access Control Types
- – Preventive – Deterrent – Detectives – Correctives – Recovery
Preventive Access Control
- Sometimes called a preventative access control.
- This access control is deployed to stop unwanted or unauthorized activity form occurring.
- Fences, locks, biometric, lighting, alarm
Deterrent Access Control
- To discourage a violation of security policy, where prevention control leaves off.
- It doesn’t stop with trying to prevent an action, instead, it goes further to exact consequences in the event of an attempted or successful violation.
Detective Access Control
- Detective access controls is deployed to discover unwanted or unauthorized activities.
- Detective access control include security guards, motion detector, reviewing an event captured by security cameras,
Corrective Access Control
- Deployed to restore system to normal after unwanted or unauthorized activities have occurred.
- Corrective control have only minimal capabilities to respond to access violations.
Recovery Access Control
- Deployed to repair resource, function, and capabilities after violation of security policies.
- Recovery control have more advance capabilities to response to access violation than corrective control.
Compensation Access Control
- Deployed to provided various options to aid in enforcement and support of security policy.
- Include security policy requirement, personnel supervision, monitoring, and work task procedure.
Administrative Access Control
- Policies and procedures defined by organization to implement overall access control.
- Administrative control focus on 2 areas: personnel and business practices .
- Include policies, procedures, hiring
Logical and Physical
Access Control
- Logical access controls are hardware and software mechanism used to manage access to resources or systems.
- – Password, encryption, firewall, access control list, etc
- Physical access control is physical barrier deployed to prevent direct contact to
The Process of Accountability
- Several steps lead up to the ability to hold the people accountable:
- – Identification – Authentication – Authorization – Auditing, and
Identification
- User provided user name, logon ID, personal identification number (PIN) or a smart card to represent identification process.
- Information system tracks activities by identity, not by subject themselves.
Authentication
• Process of verifying or testing that claimed
identity is valid.– Type 1 Authentication ( something you know )
- Passwords • PIN
- Lock Combination, etc
- – Type 2 Authentication (
something you have )
- Smart card
Authentication
- Process of verifying or testing that claimed identity is valid.
something you are )
- – Type 3 Authentication (
- Fingerprint • Voiceprint • Retina pattern
- Face shape recognition
Authorization
- Once subject is authenticated, its access must be authorized.
- Authorization indicated who is trusted to perform specific operation.
Auditing
- Auditing is process by which online activities of user accounts and processes are tracked and recorded.
- Auditing produces audit
trails/path , which
can be used to reconstruct events and to verify whether a security policy or
based NIST- Minimum Security
Requirement
- Audit data recording must comply with:
- – Create, protect, and retain information system
audit record to the extend needed to enable the monitoring, analysis, investigation, unlawful/illegal reporting, unauthorized,
inappropriate information system activity.
that the action of individual
- – Ensure
Recap
Answer and give an explanation for the questions below:
- – Identification – what is it?
- – Authentication – how is this different from identification?
- – Authorization – what does this mean?
- – Auditing – what’s the point?
Identification and Authentication
Technique
- Authentication verify the identity of the subject (user) by comparing one or more factor in database of valid identities.
- Both
identification and authentication are always occur together.
Identification and Authentication
Technique (2)
- Password • Biometrics • Tokens • Tickets • Single Sign On
Password
- The common authentication technique, but consider the weakest form of protection.
- Password are poor security mechanism for several reasons: – Easy to guest or crack.
- – Many users, write it down
- – Easy shared, write down, and forgotten
Biometric
- Biometric fall into Type 3 authentication category, “something you are”.
- A biometric factors
are behavioral or physiological characteristic that is unique to every single subject.
- Types biometric factors:
- – Fingerprint
Biometric Factor Rating
- Biometric devices are rated for performance in producing false negative and false positive authentication.
- Most biometric devices have a
sensitivity
adjustment so they can be tuned to be
more or less sensitive. True positive = correctly identified
Biometric Factor Rating
- The ratio of Type 1 errors to valid authentication known as False Rejection Rate (FRR) .
- The ratio of Type 2 errors to valid authentication known as False Acceptance Rate (FAR).
- The point at which FRR and FAR is equal known as
Crossover Error Rate
Appropriate Biometric Usage
Biometric Factors Fingerprint Iris scan
Token (Smart Token)
- Smart Tokens are password-generating devices which is an example of Type 2 factor, “ something you have ”.
- Token can be a static password, like an ATM card (or others), and users have to supply the ATM card and users’ PIN.
- Otherwise, the Token can also be one-time or dynamic password which look like a small
Token Types
- There are 4 types of Token:
- – Static – Synchronous dynamic password
- – Asynchronous dynamic password: challenge- response
Token Types (Cont.)
- – Can be a smart card, a floppy disk, USB RAM, or even something as simple as a key for physical lock.
- – Static Token often require an additional factor like password or biometric factor.
- – Commonly use a
Token Types (Cont.)
- – Generating password at fix time intervals.
- – Time interval token require synchronizing the clock on an authentication server with the clock on a token device.
Synchronous Dynamic
- – Subject enters generated
Password password into the system as
Token Types (Cont.)
- Auth sends a challenge (a random value called a nonce)*
- User enters nonce into token, along with PIN
- Token encrypts nonce and returns value
- Users inputs value into
Ticket Authentication
- Ticket Authentication is mechanism that employs a third party to prove identification and authentication.
- The most common and well known ticket system is Kerberos .
Single Sign On
• With Single Sign On (SSO), once a subject
is authenticated, it can roam the network
freely and access resource and services
without further authenticating challenges.
- SSO disadvantages
:
- – Once an account is compromised, a malicious subject gains unrestricted access.
Single Sign On