Week6_2

Intro to Cybersecurity slides, part 2

Uploaded by Matt Niemic

CSCI 3403 Intro to Cybersecurity
Lecture 6-2
Topic: Authorization
Presenter: Matt Niemiec
These slides are property of the University of Colorado at Boulder
Announcements

• Exam in just over two weeks
• Twitter guest lecturer the week after the exam!
  • And three others after the break
• MySQL in recitation this week
  • Make sure environments are set up
  • May want to go even if you know MySQL
Midterm Exam

• Thursday, March 5th in class
• There will be a review session before the exam
  • Tuesday in class
  • Will release collaborative study guide?
• You may bring one double-sided 8.5”x11” cheat sheet
• You may bring a calculator
• Please provide accommodation requests soon
• Please let us know ASAP if you cannot make it
Authorization

Authorization

• Access control policies dictate what types of access are permitted, under what circumstances, and by whom
Four Main Types of Access Control

• Mandatory Access Control (MAC)
  • Don’t confuse with Message Authentication Code!
• Discretionary Access Control (DAC)
• Role-based Access Control (RBAC)
• Attribute-based Access Control (ABAC)
Mandatory Access Control (MAC)

Content borrowed from Introduction to Computer Security, ©2004 Matt Bishop
Mandatory Access Control

• Very rigid access control
• Users either can access a resource or they can’t
• Compares clearance levels of each
• Example: Bell-LaPadula model (BLP)
• Commonly seen in government and military
BLP: Confidentiality Part 1

• Every subject has a clearance
• Every object has a classification
• Subjects can “read down, write up”
• Information flows up
• Levels: Top secret, secret, confidential, and unclassified
Example

Security level   Subject   Object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Tom       Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Tom can only read Telephone Lists
Formally...

• We have the level of the object, L(o)
• We have the level of the subject, L(s)
• A subject s can read an object o iff L(o) ≤ L(s)
• A subject s can write an object o iff L(s) ≤ L(o)
BLP: Confidentiality Part 2
• The current model is too linear
• Each subject and object has a category set
• A clearance level is a tuple (clearance, category set)
Formal Definitions

• (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
• Examples
  • (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  • (Top Secret, {NUC}) ¬dom (Confidential, {EUR}), since {EUR} ⊄ {NUC}
• A subject s can read an object o iff L(s) dom L(o)
• A subject s can write an object o iff L(o) dom L(s)
Biba

• BLP guarantees the confidentiality of a file
• Biba guarantees the integrity
• A subject s can read an object o iff i(s) ≤ i(o)
• A subject s can write an object o iff i(o) ≤ i(s)
• The exact opposite!
• In this way, information flows down
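Added example (not part of the slides): the BLP dominance relation on (clearance, category set) labels with the read/write rules from the previous two slides, plus the reversed Biba rules. The subject/object table is the slide's example with empty category sets; the integrity ordering "low/medium/high" is constructed.

```python
from typing import FrozenSet, NamedTuple

# Clearance levels from the slides, lowest to highest (index = rank)
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

class Label(NamedTuple):
    level: str
    categories: FrozenSet[str]   # the category set (need-to-know compartments)

def dom(a: Label, b: Label) -> bool:
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    return (LEVELS.index(b.level) <= LEVELS.index(a.level)
            and b.categories <= a.categories)

def blp_can_read(s: Label, o: Label) -> bool:
    return dom(s, o)              # "read down": L(s) dom L(o)

def blp_can_write(s: Label, o: Label) -> bool:
    return dom(o, s)              # "write up": L(o) dom L(s)

def readable(s: Label, objects: dict) -> set:
    """Names of the objects subject s may read under BLP."""
    return {name for name, lab in objects.items() if blp_can_read(s, lab)}

# Biba orders integrity levels and reverses the direction (constructed ordering)
INTEGRITY = ["low", "medium", "high"]

def biba_can_read(i_s: str, i_o: str) -> bool:
    return INTEGRITY.index(i_s) <= INTEGRITY.index(i_o)   # read up only

def biba_can_write(i_s: str, i_o: str) -> bool:
    return INTEGRITY.index(i_o) <= INTEGRITY.index(i_s)   # write down only

def L(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))

# The slide's example, every label with an empty category set (constructed data)
OBJECTS = {"Personnel Files": L("Top Secret"), "E-Mail Files": L("Secret"),
           "Activity Logs": L("Confidential"), "Telephone Lists": L("Unclassified")}
SUBJECTS = {"Tamara": L("Top Secret"), "Samuel": L("Secret"),
            "Claire": L("Confidential"), "Tom": L("Unclassified")}
```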
Discretionary Access Control (DAC)

DAC

• Just means that users get to decide who can access what, i.e. discretionary
• Privileges can be assigned and revoked on a per-item basis
• Use case: Linux
Access Control Matrix

UNIX

• Everything is a file
• Three types of permissions in UNIX
  • Read, write, and execute
• Three classes of subjects
  • Owner, group, and world
• Each file has 9* bits to set

*9 regular bits. We’ll see more shortly
UNIX

setfacl

• Set file access control list
• Create exceptions to the normal permissions
• Makes UNIX truly DAC

*https://www.tecmint.com/set-access-control-lists-acls-and-disk-quotas-for-users-groups/
The “Special” Bits

• Setuid and setgid: allow non-owner users to run file as owner/group
  • Why is this useful?
  • Why is this dangerous?
• Sticky bit: when applied to a directory, it specifies that only the owner of any file in the directory can rename, move, or delete that file
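Added example (not from the slides): a model of the UNIX owner/group/world check over the 9 regular bits, what setuid/setgid change about the identity a program runs with, and the sticky-bit delete rule from the slide. The entries (a setuid passwd, a sticky /tmp, a shared directory) are constructed sample data, not read from a real filesystem.

```python
import stat
from dataclasses import dataclass

@dataclass
class Entry:
    """A file or directory; mode holds the 9 rwx bits plus setuid/setgid/sticky."""
    name: str
    owner: str
    group: str
    mode: int

OPS = {"read": 4, "write": 2, "execute": 1}
SHIFT = {"owner": 6, "group": 3, "world": 0}

def mode_string(mode: int) -> str:
    """Render like ls -l (s/S and t/T mark the special bits), minus the type char."""
    return stat.filemode(mode)[1:]

def permission_class(user: str, groups: set, e: Entry) -> str:
    """UNIX applies exactly one triplet: owner first, then group, then world."""
    if user == e.owner:
        return "owner"
    if e.group in groups:
        return "group"
    return "world"

def allowed(user: str, groups: set, e: Entry, op: str) -> bool:
    return bool((e.mode >> SHIFT[permission_class(user, groups, e)]) & OPS[op])

def run_as(user: str, groups: set, e: Entry):
    """Identity a process gets when executing e, or None if not executable.
    setuid/setgid substitute the file's owner/group for the caller's."""
    if not allowed(user, groups, e, "execute"):
        return None
    euser = e.owner if e.mode & stat.S_ISUID else user
    egroup = e.group if e.mode & stat.S_ISGID else None
    return euser, egroup

def can_delete(user: str, groups: set, d: Entry, f: Entry) -> bool:
    """Unlinking needs write on the directory; with the sticky bit set the caller
    must also own the file (the slide's rule; real kernels also let the
    directory owner and root delete)."""
    if not allowed(user, groups, d, "write"):
        return False
    return user == f.owner if d.mode & stat.S_ISVTX else True

# Constructed sample entries
PASSWD = Entry("/usr/bin/passwd", "root", "root", 0o4755)  # setuid root
TMP = Entry("/tmp", "root", "root", 0o1777)                # world-writable + sticky
SHARED = Entry("/srv/shared", "root", "staff", 0o777)      # world-writable, no sticky
NOTES = Entry("notes.txt", "bob", "users", 0o644)
```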
Role-Based Access Control (RBAC)

RBAC

• No direct relationship with every item
• Each user has a number of roles
• Each resource requires a certain set of roles
• Widely used in industry (including Active Directory)
RBAC Example

• Roles: Adult, Juvenile, and Child
• Permissions: Can view R, PG-13, and G-rated movies

Movie Rating   Users Allowed Access
R              Age 17 and older
PG-13          Age 13 and older
G              Everyone
RBAC Example

• Roles: Adult, Juvenile, Child, Premium, and Regular
• Permissions: View R, PG-13, G, regular, and premium

Movie Release   Users Allowed Access
New Release     Premium Users
Old Release     Regular Users

Movie Rating   Users Allowed Access
R              Age 17 and older
PG-13          Age 13 and older
G              Everyone
RBAC Models

• There are 4 models of RBAC

RBAC Hierarchies

• Allows roles with sub-roles
RBAC Constraints

• Provisions restrictions on relationships between roles
• Types:
  • Mutually exclusive roles
    • A user can only be assigned to one role in the set (either during a session or statically)
    • Any permission (access right) can be granted to only one role in the set
  • Cardinality
    • Setting a maximum number with respect to roles
  • Prerequisite roles
    • Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
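Added example (not from the slides) tying the movie-rating RBAC example to the hierarchy and constraint slides: Adult inherits Juvenile, which inherits Child, so an Adult can view R, PG-13 and G; the Premium/Regular exclusion, the "Premium requires Adult" prerequisite and the cardinality limit are constructed policy for illustration.

```python
# Role hierarchy: each role inherits everything its parent roles grant
PARENTS = {"Adult": {"Juvenile"}, "Juvenile": {"Child"}, "Child": set(),
           "Premium": set(), "Regular": set()}
# Permissions granted directly to a role (from the slide's two tables)
GRANTS = {"Adult": {"view:R"}, "Juvenile": {"view:PG-13"}, "Child": {"view:G"},
          "Premium": {"view:new-release"}, "Regular": {"view:old-release"}}
# Constraints (constructed for this example)
MUTUALLY_EXCLUSIVE = [{"Premium", "Regular"}]  # one billing tier per user
PREREQUISITE = {"Premium": "Adult"}            # must hold Adult before Premium
CARDINALITY = {"Premium": 2}                   # at most two Premium users

def effective_roles(roles):
    """Walk the hierarchy so inherited sub-roles count too."""
    out, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in out:
            out.add(r)
            stack.extend(PARENTS[r])
    return out

def permissions(roles):
    return set().union(*(GRANTS[r] for r in effective_roles(roles)))

def can_view(roles, resource):
    """Resource check: the user needs the view permission for that rating/release."""
    return f"view:{resource}" in permissions(roles)

def assign(assignments, user, role):
    """Add role to user unless a constraint forbids it; returns True on success."""
    have = assignments.setdefault(user, set())
    for pair in MUTUALLY_EXCLUSIVE:            # static separation of duty
        if role in pair and have & (pair - {role}):
            return False
    req = PREREQUISITE.get(role)               # prerequisite role
    if req is not None and req not in have:
        return False
    holders = sum(role in rs for rs in assignments.values())
    if holders >= CARDINALITY.get(role, float("inf")):   # cardinality
        return False
    have.add(role)
    return True
```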
Attribute-Based Access Control (ABAC)

ABAC

• A generalization of RBAC
• Relies on three things
  • Subject attributes (think RBAC roles)
  • Object attributes (think RBAC permissions)
  • Environment attributes
    • Should a bank teller access money at 1AM?
• You should know it exists. We won’t cover it here
Social Engineering

Social Engineering

• Lie to get what you want
• Easiest way to get into a system

See Example

• Link: https://www.youtube.com/watch?v=lc7scxvKQOo
Tactics

• Authority
  • “This is the CEO of your company, and I need something from you...”
• Intimidation
  • “Do this or something bad will happen to you”
• Consensus
  • “99% of users rate 5 stars!”
• Scarcity
  • “Hurry, there’s only 3 left!”
Tactics, Cont.

• Familiarity
  • “Hi, it’s Dave, and I called earlier about the routine IT update...”
• Urgency
  • “This has to be done within the next two hours”
How To Lie Steps

How To (Establishing an Effective Lie)

1) Keep your lie simple
2) Avoid including other people in the lie
3) Make your lie plausible
4) Include something truthful in the lie
5) Lie before you have to
Also See..

Takeaways

• Never try this at home!!!
• Lying, and detecting lying, takes practice
  • Why we shouldn’t try at home
  • Many people have put in the practice doing this
• Educating is important
• Always stay vigilant
Physical Security

Physical Security

• Very much within the field of cybersecurity*
• Something good to think about

*Perceptions and opinions may vary
Security Topics on Security+

Lighting, Signs, Fencing/gate/cage, Security guards, Alarms, Safe, Secure cabinets/enclosures, Protected distribution/Protected cabling, Airgap, Mantrap, Faraday cage, Lock types, Biometrics, Barricades/bollards, Tokens/cards, Environmental controls, HVAC, Hot and cold aisles, Fire suppression, Cable locks, Screen filters, Cameras, Motion detection, Logs, Infrared detection, Key management
Physical and Infrastructure Security

Logical security
• Protects computer-based data from software-based and communication-based threats

Physical security
• Also called infrastructure security
• Protects the information systems that contain data and the people who use, operate, and maintain the systems
• Must prevent any type of physical access or intrusion that can compromise logical security

Premises security
• Also known as corporate or facilities security
• Protects the people and property within an entire area, facility, or
building(s), and is usually required by laws, regulations, and fiduciary
obligations
• Provides perimeter security, access control, smoke and fire detection, fire
suppression, some environmental protection, and usually surveillance
systems, alarms, and guards
Physical Security Overview

• Concerns include information system hardware, physical facility, support facilities, and personnel
• Involves two complementary requirements:
  • Prevent damage to physical infrastructure
  • Prevent physical infrastructure misuse that leads to the misuse or damage of protected information
    • Includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry
Common Natural Disasters
Common Temperature Thresholds
Water Damage

• A pipe may burst from a fault in the line or from freezing
• Sprinkler systems set off accidentally
• Primary danger is an electrical short
• Floodwater leaving a muddy residue and suspended material in the water
• Due diligence should be performed to ensure that water from as far as two floors above will not create a hazard
Takeaways

• Attackers aren’t picky about how they get into your system, so you can’t be picky on how you defend!
• These statistics are all things you can look up later
• Don’t be caught off guard if somebody asks about the physical security of these things