How Access Control Takes Into Account Human Nature And Ways To Prevent Issues
Length, 2 – 3 pages.
All papers must be written in APA format and include title and reference pages (not counted toward the length). Use at least two references with citations.
* The paper will be checked for plagiarism, so do not copy and paste.
Access Control, Authentication, and Public Key Infrastructure
Lesson 7
Human Nature and Organizational Behavior
© ITT Educational Services, Inc. All rights reserved.
IS404 Access Control, Authentication and PKI (PKI)
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved. 09/23/10
Learning Objective and Key Concepts
Learning Objective
Define proper security controls within the User Domain to mitigate risks and threats caused by human behavior.
Key Concepts
Human resources access control considerations
User Domain security practices for human resources
Best practices for managing human risks
DISCOVER: CONCEPTS
10 Prevalent Insider Threats (Continued)
Type of Threat | Organizations Reporting Issue |
Rogue Modems | 47% |
Media Downloading | 40% |
Personal Devices | 40% |
Unauthorized Blogging | 25% |
Personal Instant Messaging (IM) Accounts | 24% |
Source: Edward Cone, Baseline magazine, March 25, 2009
User Domain Access Control Management
Secure Network Access Considerations
Account types that require a justification for secure access:
Internal User
External Remote User
Third Party
Privileged and System Accounts (Administrators)
Accountability, Auditing, and Assurance (Non-repudiation): the actions of each user’s account must be capable of being irrefutably linked to the account and the user assigned to that account.
DISCOVER: PROCESS
Pre-Employment Checks
What Information Can Be Considered
What Information Cannot be Considered
Applicant’s Rights
Consequences of a Bad Hiring Decision
Ongoing Observation of Personnel
Identify Potentially Disgruntled Employees
Proper Ways to Revoke Access upon Employee Termination
DISCOVER: ROLES
Roles and Responsibilities
Human Resources Department
Recruiting, retention, separation, development, promotion, welfare, and safety, health, and environment
Hiring Department Manager/Supervisor
Work specifications, data and application access, work supervision and review, promotion, reward, and discipline
Employee
Job knowledge and application, compliance with employment policies and procedures, and loyalty and ethical behavior
DISCOVER: RATIONALE
Security Awareness Training Facts
Information technology (IT) security surveys conducted by well-known accounting firms found the following:
Many organizations have some awareness training.
Most awareness programs omitted important elements.
Less than 25% of organizations had no way to track awareness program effectiveness.
Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx
Best Practices for Managing Human Risks
Defining appropriate policies and procedures governing employee behavior
Educating employees about the policies and procedures relevant to them
Verifying employees’ understanding of relevant policies and procedures
Discovering and addressing behavioral shortcomings
Managing change over time
Summary
10 prevalent insider threats
User Domain access control management
Security awareness training
Best practices for managing human resources
Access Control, Authentication, and Public Key Infrastructure
Lesson 8
Access Control for Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved. 3/30/2015
Learning Objective
Implement appropriate access controls for information systems within information technology (IT) infrastructures.
Key Concepts
The three states of data
File system access control lists
User account type privilege management
Access control best practices
Organization-wide layered infrastructure access control
DISCOVER: CONCEPTS
The Three States of Data
Data at Rest (DAR)
Stored on some device
Archived records
Data in Motion (DIM)
Sending an e-mail
Retrieving a Web page
Data in Process (DIP)
Creating a new document
Processing a payment
Protecting DAR
Use encryption to protect stored data:
Elements in databases
Files on network and shared drives
Files on portable or removable drives, Universal Serial Bus (USB) drives, and flash drives
Files and shared drives accessible from the Internet
Personal computers (PCs) and laptop hard drives, using full disk encryption
Protecting DIP
Difficult to protect since it is being operated on by the central processing unit (CPU)
File System Access Controls
Access Controls at Different Levels in a System
File system access controls will include logging of user activities on the:
Files
Applications
Systems
Types of File System Access Controls
Trust-Based Peer to Peer (P2P)
Workgroup
Role-Based Access
Group-Based File Access
Types of File System Access Controls (Continued)
Microsoft (MS) Windows versus UNIX
File system controls in MS Windows and UNIX are different, but they are used to accomplish the same objective: control access to data assets.
Windows Folder Permissions
Folder security properties in Windows 8
Windows Folder Permissions
Editing folder permissions in Windows 8
Windows Folder Permissions
Windows 8 advanced file permissions
UNIX-based Rights
Changing UNIX File Permissions
DISCOVER: PROCESS
Layered Protection Through IT Infrastructure
Layered Protection Through IT Infrastructure (Continued)
Dual DMZ Configuration (diagram: DMZ 1 and DMZ 2)
DISCOVER: ROLES
Roles and Responsibilities
Role | Responsibilities |
System Owner | Owns the system; authorizes access; performs non-technical access control review |
Network Administrator | Manages host security, file permissions, backup and disaster recovery plans, file system integrity, and adding and deleting users; troubleshoots networks, systems, and applications to identify and correct malfunctions and other operational difficulties |
System Administrator | Grants access to systems, applications, and data; provides special access as required; creates groups and assigns users and privileges; provides backup and recovery capabilities for systems, applications, and data |
Roles and Responsibilities (Continued)
Role | Responsibilities |
Application Owner | Grants access to applications that manipulate data; maintains integrity of applications and processes |
Data Owner | Maintains data integrity; authorizes distribution to internal and external parties |
User | Uses systems, applications, and data to perform job functions; creates files; assigns data classification |
Summary
Three states of data
Protecting DIM and DAR
File system access controls
User account type privilege management
Layered protection
Roles and responsibilities
Virtual Lab
Managing Linux Accounts
If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:
“In this lesson, you learned about user rights and file permissions. You also explored how access controls are implemented in various operating systems, such as Microsoft Windows and UNIX-based systems.
In the lab for this lesson, you will create new user accounts on a Linux virtual machine and grant administrator privileges to one of those user accounts. You will also create two new security groups, add user accounts to those groups, and then delete one of those user accounts.”
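The lab steps above, as an added shell example that is not the Jones & Bartlett lab script: it assumes a Debian-style sudo group for administrator rights and uses constructed user and group names (alice, bob, carol, finance, audit). The provisioning function runs only when requested explicitly as root; the membership check reads any file in /etc/group format and is the verification a practitioner wants after deleting an account.

```bash
#!/bin/bash
# Added example, not the Jones & Bartlett lab script. Names are constructed.
set -eu

# Print the comma-separated member list of group $2 from group file $1
# (/etc/group format). Prints an empty line when the group has no members.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeed when user $3 appears in group $2 of group file $1; grep -x
# prevents "bob" from matching "bobby".
is_member() {
    group_members "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# The lab steps as real commands. Requires root and must be requested
# explicitly, so running or sourcing the file without "--run" changes nothing.
provision_lab_accounts() {
    for u in alice bob carol; do useradd -m "$u"; done
    usermod -aG sudo alice     # admin rights via the sudo group (wheel on RHEL-style systems)
    groupadd finance
    groupadd audit
    usermod -aG finance alice
    usermod -aG finance bob
    usermod -aG audit carol
    userdel -r carol           # userdel also removes carol from every group in /etc/group
    ! is_member /etc/group audit carol   # verify the revocation took effect
    is_member /etc/group sudo alice      # and that the intended account holds admin rights
}

if [ "${1:-}" = "--run" ] && [ "$(id -u)" -eq 0 ]; then
    provision_lab_accounts
fi
```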
[Diagram: Border Firewall Only configuration: connection from the Internet, external router, firewall, internal network]