CRISC

Course
Time
5 hours 20 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers risk mitigation through technology. This can be accomplished in the following ways:
- Access control
- Network devices
- Cryptography
This unit specifically focuses on access control, which is the data flow between a subject and an object: the subject is active (a person, process or program) and the object is passive (a resource such as a file or printer).
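To make the subject/object framing concrete, here is an added example (not part of the course page or its instructor's material): a minimal reference monitor that holds an access-control matrix, decides each request by default deny, and records every decision for auditing. All subject, object and policy names in it are constructed sample data, and the `Access`, `Subject`, `Object_` and `ReferenceMonitor` names are assumptions for this illustration.

```python
"""Minimal reference monitor: subjects, objects, and mediated access.

Added illustration, not course material: a subject (active: user, process,
program) requests an access on an object (passive: file, printer, or a
process being acted upon). Every decision is default-deny and audited.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Rights a subject may hold on an object (combinable bit flags)."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


def rights_str(a: Access) -> str:
    """Portable rendering of a flag set, e.g. READ|WRITE (works on all 3.x)."""
    names = [m.name for m in (Access.READ, Access.WRITE, Access.EXECUTE) if m in a]
    return "|".join(names) or "NONE"


@dataclass(frozen=True)
class Subject:
    """An active entity: a person, process or program."""
    name: str
    kind: str  # "user" | "process" | "program"


@dataclass(frozen=True)
class Object_:
    """A passive resource: a file, a printer, or a process being acted upon."""
    name: str
    kind: str  # "file" | "printer" | "process"


@dataclass
class ReferenceMonitor:
    """Access-control matrix plus an audit trail of every mediated decision."""
    # (subject name, object name) -> granted rights; anything absent is denied
    matrix: dict[tuple[str, str], Access] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def grant(self, subject: Subject, obj: Object_, rights: Access) -> None:
        """Add rights for one (subject, object) cell of the matrix."""
        key = (subject.name, obj.name)
        self.matrix[key] = self.matrix.get(key, Access.NONE) | rights

    def check(self, subject: Subject, obj: Object_, wanted: Access) -> bool:
        """Mediate one access: allowed only if every wanted bit is held."""
        held = self.matrix.get((subject.name, obj.name), Access.NONE)
        allowed = wanted != Access.NONE and (held & wanted) == wanted
        verdict = "ALLOW" if allowed else "DENY"
        # Accounting: the audit record names both ends of the data flow.
        self.audit_log.append(
            f"{verdict} {subject.kind}:{subject.name} -> {obj.kind}:{obj.name} "
            f"wanted={rights_str(wanted)} held={rights_str(held)}"
        )
        return allowed


def demo() -> dict[str, bool]:
    """Constructed scenario: a user and a program as subjects, with a process
    appearing as an object once it is the thing being acted on."""
    rm = ReferenceMonitor()
    alice = Subject("alice", "user")
    backup = Subject("backup.exe", "program")          # program acting as subject
    report = Object_("q3-report.txt", "file")
    printer = Object_("lobby-printer", "printer")
    backup_proc = Object_("backup.exe", "process")     # same program, now the object
    rm.grant(alice, report, Access.READ | Access.WRITE)
    rm.grant(alice, printer, Access.WRITE)
    rm.grant(backup, report, Access.READ)
    rm.grant(alice, backup_proc, Access.EXECUTE)
    return {
        "alice_reads_report": rm.check(alice, report, Access.READ),
        "backup_writes_report": rm.check(backup, report, Access.WRITE),
        "alice_prints": rm.check(alice, printer, Access.WRITE),
        "backup_prints": rm.check(backup, printer, Access.WRITE),
        "alice_runs_backup": rm.check(alice, backup_proc, Access.EXECUTE),
        "audit_entries": len(rm.audit_log) == 5,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The matrix is keyed by the pair (subject, object), so the same program can be a subject in one row and an object in another, which is the point the description makes about processes. Because missing cells mean `NONE`, a new subject or object is denied everything until someone grants it something, and the audit log captures denials as well as grants.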

Video Transcription

00:04
Now we've looked at risk mitigation through policy. Let's look at risk mitigation through technology. And certainly technology is a huge element of how we protect our data and our information. So one of the first things we'll look at is access control. And when we talk about access control, what we're looking to do is regulate what a subject can do with an object.
00:24
So a subject could be a user, a subject could be a process or system, and an object could be, ah, a folder, a file, a printer, a share. But it could also be a process or system. So subject is active, object is passive, and what that subject can do to the object is called access.
00:42
And then, of course, we want to control and limit
00:45
that access. So when we talk about access control, we're really looking at what I always refer to as the I Triple A: identification, authentication, authorization, and then auditing or accounting. You'll hear either of those because, of course, auditing is about accountability.
01:02
Now, when we look at identification,
01:04
identification is the first step. We make a claim. I claim to be an administrator. I claim to be Kelly Handerhan. That's all fine. Um, usually we do that with our user ID, KellyH. Or maybe we have an account number.
01:19
The RFID chips are becoming very, very popular; they're on the credit cards, on passports.
01:25
When you go through an E-ZPass, it's RFID. You can identify with an IP address or a MAC address. Now, the problem is, if we just stop with identification,
01:38
we're subject to spoofing. Anybody can spoof a MAC address or an IP address; our RFIDs can be cloned and spoofed. So our next step is gonna be: prove it. So I claim to be an administrator. Give me some level of proof, and the types of proof come from three categories: something I know, something I have,
01:56
or something I am, which would be biometrics.
01:59
Please know, the strongest type of authentication is gonna be a combination of them: something I know and something I have, something I have and something I am. Authentication. When we talk about something I know, the first thing most people think of is passwords, and they're the most widely used, absolutely. Um,
02:17
are they used because they're the most secure?
02:21
They're used because of two words. We love, in administration, we love cheap and we love easy. And passwords are both.
02:30
With that being said, remember that cost-benefit analysis. So in this case, we're choosing ease of use over security. And sometimes we do. That's just the way the world works. So what we can do is we can try to force users and encourage them to use good passwords. But users will always try to circumvent that.
02:50
So we're gonna put policies in place that make them
02:52
ah, use an eight-character password, alphanumeric, non-alphanumeric, upper, lower case. You know, we can put the policies in place to do the right things. We still have to be careful of our users. We want to make sure they change them on a regular basis. Watch for cognitive passwords. Those are the passwords that say, where'd you go to high school?
03:12
Well, if you're on social media,
03:13
everyone knows where you went to high school. And if all I have to do is know where you went to high school to reset your password for your email account, that could be a real problem.
03:22
Graphic image. Um,
03:24
that's a something you know. Just think about many banks: when you access the bank's website using an HTTPS connection, the bank sends back a certificate. We'll talk about that in cryptography, but basically that's all done underneath the surface. Your web browser gets something from the banking server that says,
03:43
this is a legitimate banking server,
03:46
but that's not enough. That's single-factor authentication. That's something the bank has. Frequently, then, what the bank will do is say, enter your user name and don't enter your password. Enter your user name, and then they will send you back an image that you've chosen. So maybe you've chosen a picture of a sunflower.
04:02
That's something the bank knows. And that's a second factor of authentication
04:06
that the banking server provides back to you.
04:11
Also, um, along those lines,
04:14
we have to think about the fact that passwords, ah, graphic images are harder. You know, sometimes you'll get back from the bank, maybe you've chosen a phrase, a passphrase, something like that. But I wanted to mention this last item, clipping levels. Clipping levels are a threshold of tolerance for mistakes.
04:33
Everybody makes mistakes.
04:36
I'm gonna allow you to enter three bad passwords before you're locked out, right? Because I don't spend my day unlocking passwords.
04:44
The apparent purpose of a clipping level is to reduce administrative overhead, right? And that's an important consideration because users will make mistakes. Don't spend all your time correcting those issues or addressing those issues.
04:58
Now, something you have: token devices are very popular. If you've seen the little one-time password generators, RSA makes them, Entrust makes them, several companies make those. So every 60 seconds, every 30 seconds, periodically, whatever that number is, it's gonna change. You have to have that number or code
05:16
to authenticate to the system.
05:18
In addition to that, you have to have a PIN that you know. So that's something you know, which is your password or PIN. And then you have to have the code on the one-time password generator or the token device. So again, multi-factor authentication. If you have CACs,
05:34
ah, common access cards, very frequently used in the government, military, those are smart cards;
05:40
you've got the little chip on them. Those are used for access and often, almost always if they're CACs, certainly are gonna be implemented with a public key infrastructure, and that's gonna be a way of storing your key. So smart cards and memory cards, even if you just have a swipe card to get you in the door, that's a something you have.
05:59
We'll talk about keys in cryptography, but also a hardware key.
06:03
I authenticate to my house every day when I go to my house and I have the right key to get in my door. My house says, that must be Kelly Handerhan. She's got the right key. Come on in.
06:15
Ah, certificates again, we'll talk about with cryptography. Cookies. So when I authenticate to the bank, ah, I type in my user name and password.
06:26
But again, the bank doesn't want to trust me, either. They don't want to just let me authenticate with a single factor. So the next thing that my banking server, secure server, does is it checks for a cookie that was placed on the computer when the account, the online banking account, was set up. That's why when you go to a new computer, you get the message that says,
06:45
hey, Capital One doesn't recognize, or whichever bank,
06:47
doesn't recognize this machine, and then they'll send you a code to your phone. Or you'll have to answer a series of security questions. Multi-factor authentication is so very important. Now, the third type of access control is something you are: biometrics. Now, please keep in mind. Many people want to say, oh, biometrics is the most secure.
07:08
Multi-factor is the most secure. Anything can be spoofed. So we want to be very careful not to solely rely on biometrics. There was a Mythbusters episode on how easy it is to counterfeit fingerprints or even to lift fingerprints off of, ah, glass and
07:26
and use those. So we don't rely on a single factor.
07:30
Now there are static biometrics. If you're gonna use biometrics, these are the best, cause these are the things that don't change over time: retina scan, thumbprint, iris scan, those types of things. But you also have dynamic biometrics that are more behavior-based: how you sign your name, vocal patterns, keyboard cadence.
07:49
Those would fall under that category.
07:53
One thing to know about dynamic biometrics is, yes, certainly you can modify them, but as a general rule you could only modify them for a short period of time.
08:03
So, you know, I might be able, ah, to walk differently. Gait, you know, how I walk, is a dynamic biometric that's gaining in popularity. I can modify how I walk, but if I do it enough, I'm eventually going to go back to what's comfortable for me. Now, when we do use biometric systems, there are many concerns.
08:22
We've got to think about how accurate they are.
08:24
We've got to think about end-user acceptability, cause there are some devices users don't want to submit to. Ah, we have to think about cost, enrollment time. There are many things that we have to think about, but certainly accuracy,
08:37
and there are two types of errors that we can have with biometric devices. We can have false acceptances, we can have false rejections. A type one error is a false rejection. And what that means is somebody that should be authorized gets denied.
08:54
Right? If you give a thumbprint, what are the chances that the next time you give your thumbprint there will be a 100% match? Almost none, right? I mean, mathematically, almost impossible. So I can't set the requirement for a match to be so high, because then legitimate users will be locked out.
09:13
Now the flip side of that: maybe I'm tired of all the administrative effort with false rejections. I'll just let everybody that has a thumb come in.
09:20
Well, that's gonna be a false acceptance, type two error. False acceptance rates indicate that we're letting people that should not be onto the network, or shouldn't have access, we're letting them in. So what we want to find is that comfortable point between the two. And hopefully it makes sense that if I say I will have no false rejections, because it's too much of a hassle,
09:39
false acceptances will go up.
09:43
And if I say, oh, that's bad from a security standpoint, we can't have any false acceptances, then false rejections will go up. But at some point in time the two will be equal.
09:52
That value is called the crossover error rate, and that's how we evaluate biometric systems for accuracy. The lower that number is, the better, and we want that to be a low number. It's expressed in percentages, and there's just a little sample of it. So if you like letters,
10:11
where the FAR meets the FRR is the CER.
10:15
In English, that translates to: where the false acceptance rate is equal to the false rejection rate, we call it the crossover error rate. So again, many concerns with biometrics. Cost: technology can be expensive, of course.
10:31
Costs are coming down. You know, many devices come with thumbprint readers now.
10:35
We then think about accuracy, user acceptability, the things we've talked about.
10:41
Also, another concern: if I have a password to authenticate to my banking server and the password gets compromised,
10:48
I'll just get a new password. If my thumbprint gets compromised, there is no revoking your biometric credentials, right? There's no way to apply for a new thumbprint. That's a concern, because we really have to protect this information. Those are the three types of authentication: something you know, something you have and something you are.
11:07
Authentication means I'm gonna prove
11:09
my identity. The next step we're gonna move into is authorization, which is what rights and permissions do I have based on having properly authenticated.

Archived Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor