Hello and welcome to Siberia's 2019 comp Tia Security Plus certification purpose. Of course,
we're gonna continue our discussion off model for which in fact, is domain for and the topic of discussion would be identity and access management.
The first item Arjuna is a pre assessment quiz, and the quiz reads as follows. Call has been axed Recep X control for a server. The requirement state that uses at lower previous level should not be able to see or access files and data at a higher privilege level.
What excess control Marwood best fit these requirements is eight
In this case, if you said like that, eh, you're absolutely Chris called Mandatory Access Control is the correct solution. It will not allow lower purpose users to even see the data at a higher purpose level.
Interestingly enough, he is our objective for this particular module, which again is the main 4.3, giving a scenario, implement identity and access management controls
here again on the topics which encompasses this particular learning objective,
we could begin the process by taking a look at Mac all way down to rule based access control.
An additional would take a look at physical asset control,
discuss proximate causes. What is the smart cars as well?
The first item on agenda wouldn't take a look. It's called access control Mark.
Remember, the access code model is a standard that provides a pre defined framework for your heart. Was software developers. They used the appropriate model to configure the necessary level off access control.
Now, therefore, major access control models that you need to be aware. They're considered that Manitoba Ex Control discretionary acts control,
role based access control and rule based access and Joe.
So the first item on our agenda we can begin the process are actually discussing
mandatory X control.
When we think about manito. Exit control with scripts are based on the information sensitivity
it makes use of classifications and security labels.
System enforces classic casing labels and need to know
this model lacks flexibility. Changed adapt over time but provides for more secure environment enforced by the system and not people. It requires also data classifications.
Now let's take a look again at the different minute to exit control models.
We have one of the model. We have the people model. We have the Bell Lapolla model as well. The *** Wilson,
the Chinese Wall as well. But first of all, let's take a look at the bill model that this model enforces. If the security company Jallet maybe. But this particular model information model is an embrace. Integrity, moral. The clock worsen. This model enforces separatism duties through integrity rules. The Chinese wall model used used to provide
what we call privacy and integrity for data
and the Chinese Walmart on a Brewer Nash model. It is a security model where read and write access to files is governed by membership of data
in conflict of interest classes as well as data sets.
So when we look again at these different models here we see the goal off of the people. Apollo Moloch. It has come into jelly term. The rules don't read up. No, right down the people model. The goal is integrity. Other words. Insurance And, if they had not been somehow altered, no read up.
In other words, no read down or right up the clock Wilson model. The gold is integrity certification rules again as what its enforcement rules. And then we had a Chinese WalMart was prevents conflict of interest is access is governed by membership in groups to prevent conflicts of interest.
This brings the total destruction of exit control model Most common access control model permission set by the data owner and supports the concept of need to know.
Obviously, it's much more flexible than the Mac Ward, but with an increased risk of unauthorized disclosure off information
not accept controlled list, but which is sort of what show you an assist you could actually on the system basis one of most common implementation of back
a use off objects, subject and permission that seven could be individuals in the groups or processes. But missions such as read write a pin delete as well. It's execute
some operates system allowed for four more granular very mawr option again for permissions.
Then we have our access control groups.
One possible access control permission should be based upon groups using secrets numbers
management of our access control. This is much easier winners in groups and lastly, people working in similar air who require similar access.
This brings us to access control permissions. Now permissions can be inherited. They could be granted as well. It's a zwart could be inherit or regret it or inheriting its well.
Inherent rights are like system. The admin rights can bypass your security. Policies used can be granted at men on as well as system privileges.
Inherit permissions are those that are propagated. Object from a parent object. But mission should be based out in this case should be based on your organizational policies as well as the sensitivity of the information.
Nondiscretionary access control
basically is technically not Mac or deck, but may be an attributes of both. Office again supplementary when data owners are not defined. It's managed by your system ministry versus your data owner and is enforced by the operating system itself.
The next model called a role based access control model.
Basically, this permissions are signed two roles. Whether they're to individual users, users assigned to roles. Whether they're directed to permissions and re back is good for continents. That has a high and other words. Have you incurring a high employee turnover rate then perhaps a role based access role model would be have to be the best model.
Then we have a rule based exit control model. Often time referred to his are back
within this particular model to permissions are signed two roles rather than to individual users.
They're controlling device What it does. It checks the properties of the requests against a settle rules. It's neither DAC or Mac in other words, discretionary access control nor mandatory X control. Some examples of this would be your routers and your firewalls. You also have the time based access
based upon specified piers of time,
a subject and access an object.
Then we have attributes asset control. Now this particular show is based on three different attributes. User attributes activates associate with the application on system to access and current environment of conditions. Now a good example. Again, off actually based access control would be a lot. Only users who are
tight water were employees and habitable.
For example, if they're in the HR department to access access to certain information, do you have your payroll and other, particularly during business hours?
Attribute based *** and show enabled fine grained access control, which allows form or input variables into an access control decision. Any available activity in this director Kate can be used by itself or in combination with another, to define the right filter for controlling access to a resource
continue on what I learned objective for this particular domain, 4.3 was title given a scenario imprint, identity and access management controls
here. Get us on the topics which encompasses this objective. We're gonna take a look at some biometric factors ranging from your fingerprint scanner over down to you. What we call you a crossover error rates as well.
So the first thing I wanted to find exactly what is a fingerprint scanner
my scanner used identify a person's fingerprint for security purposes.
A retina scan is a biometric verification technology that using images of individual retina in terms of blood vessel pattern as unique in terms. Identifying trait for access to secure installations.
Your iris scanner is a method of identifying people based on unique patterns within the rings shaped region surrounding the people people, in other words, of the persons I.
Voice recognition is a technique and computer technology in which specialized software and systems are created to identify, distinguished and authenticate divorce of an individual speaker.
Facial recognition is a biometric software application capable of uniquely identified or verifying a person by comparing and analyzing patterns based on the person face a contours,
continue our discussion of exploring authentication. Want to take a look again at what we call false acceptance rate,
false rejection rates. And then we have the crossover era break. Now first woman take a liquor is called far. Another word stands for the false accepted rate
is also called a type two. Air far refers to the percent of times a biometric system
false identifying unknown user. Instead, the system indicated use. It is a known user.
Then we have the false rejection rate, which is also called a tight one error.
The false trajectory refers to the percentage of times a bar Metro system falsely rejects a known user. Instead, the system indicated the user is in fact unknown.
Then we have a CR, which stands for the cross over air rate, also called a ICO error rate.
Other words. The cross area identifies the point weather where what we call the false acceptance rate
and the false objective rate of the biometric system are equal. Or, in other words, they cross over each other on the chart. As listed here, a lower cross or error rate indicates that you have a better performance by a metric type system.
So again have the false acceptance rate called a type two error
that fall subject to it, which all those called a tight one.
And we have the crossover airways also called the equal other words called Deco era rate or E. R.
Continue on without discussing he. Again. We have someone distal topics, which encompasses just particular ejectment, which again is 4.3. Giving a scenario. Implement identity and access management controls
some topics we're going to discuss. Now. Let's take a look at what token is hardware software H O T T P as well as T o T. P as well
continue. I discuss it by taking a look at Stevie Base authentication
as well as, lastly, the file system security
The first I want to take a look at, as a token, a token devices used. A smart, small hardware device that displays a number is checked against a database for changes. The token is synchronized with the authentication service, or that the server always knows a number that's display
when a user wants to long in our access. In that case, the Internet number that is visible at that particular moment.
Then we have the subway tokens and the one time passwords. One of the first things we want to highlight is the H O T. P, which stands for the hot off the press, which is often used to indicate a user in a system veer in it in the case and server.
Then we have the T o T P, which stands for the time based one time password dagger with him, which, in fact, is an algorithm that computes a one time password from a shared secret key and the current time.
Then we have the O. P. I. E. Which stands for the one time password, and everything is another type of one time passwords use in networks.
And lastly, we have the S key, which is a one time password system. Developed fourth indication to unit like operating systems, especially from dumb terminals, are untrusted public computers on which one does not want to type a long term password.
This brings us to a certificate based authentication, and this is basically it involved the use of digital certificates to identify user a machine or device before granting access to that resource network application and so forth.
Far system security. So letting a proper file system is important so that you implement an effective method of what we call file level security
file over protection includes encryption rate and well asked access control.
Database security, not databases, are the largest repository sister information. Many organizations application level encryption should be used to encrypt information before it's stored in the database database. And Christian must also be accompanied by key management to provide a high level off security.
Let's not turn our ticket order Post Assessment quiz,
and the question reads as follows. Bob is looking for authentication protocol for his network.
He's very concerned about the highly skilled Attackers as part of mitigating that concern. He wants an authentication protocol that never actually transmit a users password in any form.
What's authentication protocol would be a good fit for Bob's need. Would be a chap,
be curable? See our back or type two.
If you should let the B. You're absolutely correct, because curveballs does not send a users password across the network when they use the name of sent to the authentication service, the server, what it does with trees, a hash of the user's password from the database and then uses that as a key to encrypt the data to be sent back to the user.
takes the password that they use the Internet. It hashes it, and they uses that as a key to decrypt what was set back by the server.
My next Adam, My agenda is a key. Take a race, not doing this particular video. We learned that curveballs does not send the user password across the network.
We also learned that it falls accepted ways, also called a Type two error.
False rejection rates. Fr f R is also called a tight one error.
We learned it across the error rate, also called a equal error rate.
We learned that the access control list permission should be based on groups when possible.
We also, lastly, learned that you can aside who can access that foul you can aside if they can read, have re permission of the words right permission,
full rights and so forth.
In our upcoming video, we continue our discussion of this particular main, which is remained for by folks upon our brand new objective. Other words are learning objective which is 4.4. Its title as Pharrell follows. In other words, given a scenario different. A common account management practices
again, I look forward to seeing you in a very next video.