Wednesday, September 29, 2010

Access Control

Notes for the first module. Try on. Ganbatte kudasai. Hikaru is light. I am Hikaru. And Hikaru uses Kent. Kendy means candy, but in this case, it is katana.
First!
A.    Access Control and Methodology
Access Control Basics:
    Access Control:
        Protects against unauthorized access
        Two entities:
        Subject: active; requests access to an object, e.g. user, computer...
        Object: passive; contains data and information, e.g. computer, data, file...
        Security Principle: CIA: Confidentiality - Integrity - Availability
        3 steps: Identification, Authentication, Authorization -> resource
        Logical Access: tools for IAAA (3 steps + accountability)
        Two-step authentication: present public information (username, user number), then enter private information (password, PIN)
        Strong Authentication: two-factor authentication
        Identification components: unique, naming scheme, non-descriptive user, not shared.
        Authentication methods: biometric, password (PW management, PW checker, PW hash and encryption, PW aging, limit login, cognitive PW, one-time PW, card...)
        Authorization:
            Access Criteria: role, group, physical or logical location, time of day
                => Authorization creep: default no access, least privilege (need to know), single sign-on
            Kerberos: single sign-on system for distributed environments.
Physical Access:
Control: sets out how objects are protected from threats
Cable Protection:     use the material that best shields against electromagnetic emanation
                    use fiber-optic cable
Separation: of duties and work areas. Each person has their own area, to prevent eavesdropping and abuse of privilege (shoulder surfing)
            supervise staff who perform sensitive work (sensitive processes)

Admin access: administrative control of access
Policies and procedures:
Security awareness training: short training courses for staff
Monitoring: supervision
Logical Access: assigning permissions
object access restriction: authorized users only
encryption:
network architecture:

Access Control Techniques:
Control type: each kind of threat has its own way of being handled
    preventative: threats that can be prevented -> avoid
    detective -> identify: the ability to detect and recognise
    corrective: when information has been modified (when remediating an incident) -> fix: ensure normal access
    recovery -> backup: ensure operations continue
Control categories:
    Physical preventative control: restrict users (smart card)
        user awareness
    Technical preventative control: restrict users with regard to activity monitoring
        encryption + antivirus
Security labels:
    top secret, secret, confidential, sensitive (unclassified)
    used to mark and classify how important information is
    a subject must be granted clearance matching the access level: e.g. whether an employee is placed at a given level or not (not top secret)
    Discretionary: DAC: selective access.
                        determined based on access
                        the owner has the right to assign access rights
    Mandatory: MAC: access is rule-based: the rules are predefined. Every resource
                        and user is assigned a label that allows the corresponding access
                    a subject's access rights correspond to the label assigned to the object
    Non-discretionary: role-based access control: based on roles, based on the user's described duties
    Access Control List:
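
The three models above can give different answers to the same read request. The following is an added example, not part of the original notes; the users, file, roles and function names are hypothetical, and the label order follows the list under Security labels.

```python
# Added example: one read request evaluated under DAC, MAC and RBAC.
# All users, files, labels and roles below are constructed for illustration.

# Label order from the notes, lowest to highest.
LEVELS = ["sensitive", "confidential", "secret", "top secret"]

def dominates(clearance, label):
    """MAC rule: the subject's clearance must be at least the object's label."""
    return LEVELS.index(clearance) >= LEVELS.index(label)

# DAC: the owner maintains an access control list on each object.
ACL = {"payroll.xls": {"owner": "alice", "read": {"alice", "bob"}}}

def dac_grant(requester, obj, user):
    """Only the owner of the object may add a user to its ACL."""
    if ACL[obj]["owner"] != requester:
        return False
    ACL[obj]["read"].add(user)
    return True

def dac_can_read(user, obj):
    return user in ACL.get(obj, {}).get("read", set())  # default: no access

# MAC: labels are assigned by the system, not by the owner.
CLEARANCE = {"alice": "secret", "bob": "confidential", "carol": "top secret"}
OBJECT_LABEL = {"payroll.xls": "secret"}

def mac_can_read(user, obj):
    if user not in CLEARANCE or obj not in OBJECT_LABEL:
        return False  # unlabeled subject or object: deny
    return dominates(CLEARANCE[user], OBJECT_LABEL[obj])

# RBAC: permissions attach to roles; users only hold roles.
ROLE_PERMS = {"hr_clerk": {("payroll.xls", "read")}, "intern": set()}
USER_ROLES = {"alice": {"hr_clerk"}, "bob": {"intern"}, "carol": set()}

def rbac_can_read(user, obj):
    return any((obj, "read") in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

def decisions(user, obj):
    """Return each model's verdict for the same request."""
    return {"DAC": dac_can_read(user, obj),
            "MAC": mac_can_read(user, obj),
            "RBAC": rbac_can_read(user, obj)}
```
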
Access control implementation:
    Centralized authentication: authentication in one place -> ensures security, but
                                    is slow
                                Single point of failure: if one point fails the whole system fails, or if one person
                                        gets past the system they have full rights
    RADIUS:    dial-up connection
    TACACS:
        single factor: requires only one condition
        two-factor authentication: two conditions to gain access
    Decentralized:    remote
                    administrative overhead
                    Security domain:
    Hybrid model: combines the two models

Authentication: 3 types: what you know, what you have, what you are
type 1: password, PIN, passphrase (virtual password)
        strong password: strong, length.
type 2: token, ticket, one-time password
        time-based password
        ticket: a message containing the ticket message and the subject that is allowed access
        token: automatically generates a password synchronized with the system
type 3: biometric
        CER (Cross Error Rate): the system value taken at the intersection of FRR (False Rejection Rate) and FAR (False Acceptance Rate). The device's error figure is the point where the two error rates are equal
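
The crossover point described above, computed by sweeping the match threshold over constructed similarity scores. This is an added example, not part of the original notes; the score lists and function names are assumptions.

```python
# Added example: locating the point where FAR and FRR cross for a biometric
# matcher. The similarity scores below are constructed, not measured data.

GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.35]   # same person
IMPOSTOR = [0.62, 0.55, 0.49, 0.44, 0.38, 0.33, 0.29, 0.21, 0.15, 0.08]  # other people

def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover(steps=100):
    """Sweep the threshold from 0 to 1 and return (threshold, FAR, FRR) at the
    first point where the two rates are closest. With a finite sample they may
    never be exactly equal, so the nearest point is reported."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(t), frr(t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best
```

Raising the threshold above the crossover trades false acceptances for false rejections, and lowering it does the reverse.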
Single sign-on:
        Kerberos: uses symmetric keys, provides an end-to-end mode
                    KDC: key distribution center, where all the secret keys are kept.
                    ticket granting server: deployed by the KDC
                    AS: authentication service.
                    Process: the subject sends a request to the server, the KDC authenticates it and sends the ticket to the subject, the subject sends this ticket to the object (e.g. a file server), the object authenticates it and then allows the subject access
SESAME: uses public-key methods
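
The Kerberos process described above, reduced to a single KDC exchange, as an added example that is not part of the original notes. The principals, keys and the `seal`/`unseal` helpers are hypothetical, and the helper is an HMAC-based stand-in for the symmetric cipher a real Kerberos implementation uses.

```python
# Added example: simplified Kerberos-style flow (one KDC exchange, no TGS).
# Principals and keys are constructed. seal()/unseal() is an HMAC-SHA256
# stand-in for the symmetric cipher of a real implementation; do not reuse.
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# The KDC is the only party that holds every principal's long-term key.
KDC_KEYS = {"alice": b"alice-long-term-key", "fileserver": b"fileserver-long-term-key"}

def kdc_issue(client, service, now, lifetime=300):
    """KDC: mint a session key, wrap it once for the client and once for the service."""
    session = os.urandom(16).hex()
    ticket = seal(KDC_KEYS[service], {"client": client, "session": session, "exp": now + lifetime})
    reply = seal(KDC_KEYS[client], {"service": service, "session": session})
    return reply, ticket  # the client cannot read or alter the ticket

def client_authenticator(client_key, client, reply, now):
    """Subject: recover the session key and prove possession of it."""
    session = unseal(client_key, reply)["session"]
    return seal(bytes.fromhex(session), {"client": client, "ts": now})

def service_accept(service_key, ticket, authenticator, now, skew=60):
    """Object: trust the ticket only if it opens under the service's own key."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    return a["client"] == t["client"] and now <= t["exp"] and abs(now - a["ts"]) <= skew
```

The subject's password never reaches the file server: the server relies only on a ticket that opens under the key it shares with the KDC.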

Attack:
brute force: password guessing
dictionary:
denial of service
spoofing
man in the middle
monitoring

       
Security Model and Architecture

Organization:
    CPU
                CPU
                ALU
                Registers
                Clock
    RAM
        Dynamic RAM
        Static RAM: flip-flop
    ROM
    Erasable ROM
    Memory Addressing
    Cache Memory
    Virtual Memory
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
to be continued - I will update more.
  

       
