topic 12.1 full

MANAGEMENT of INFORMATION SECURITY, Fifth Edition
INTRODUCTION TO PROTECTION MECHANISMS
Management of Information Security, 5th Edition, © Cengage Learning
2
Introduction to Protection Mechanisms
• Technical controls alone cannot secure an IT environment, but they are an essential part of the InfoSec program
• Managing the development and use of technical controls requires some knowledge and familiarity with the technology that enables them
• Technical controls can enable policy enforcement where human behavior is difficult to regulate
Sphere of Security
Access Controls and Biometrics
• Access controls regulate the admission of users into trusted areas of the organization—both logical access to information systems and physical access to the organization’s facilities
• Access control encompasses four processes:
– Obtaining the identity of the entity requesting access to a logical or physical area (identification)
– Confirming the identity of the entity seeking access to a logical or physical area (authentication)
– Determining which actions that entity can perform in that physical or logical area (authorization)
– Documenting the activities of the authorized individual and systems (accountability)
• A successful access control approach always incorporates all four of these elements (IAAA)
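The four IAAA steps, run in order for a single access request, as an added worked example (not from the textbook or the slide deck). The user store, roles, permissions and password are constructed for the example; the hashing uses PBKDF2-HMAC-SHA256 from the standard library and the audit log is a plain in-memory list standing in for a real logging sink.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials cannot be compared directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (assumed names, roles and password for this example)
_SALT = os.urandom(16)
USERS = {
    "alice": {"role": "analyst", "salt": _SALT, "hash": _hash_password("correct horse", _SALT)},
}
# Constructed role-to-permission table (assumed)
ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "edit_policy"},
}
# Accountability: every decision, granted or denied, is appended here
AUDIT_LOG: list[dict] = []


def request_access(claimed_user: str, password: str, action: str) -> bool:
    """Run identification, authentication, authorization and accountability
    for one request; return True only if all checks pass."""
    # 1. Identification: map the claimed identity to a known account
    record = USERS.get(claimed_user)

    # 2. Authentication: confirm the claim against the stored salted hash,
    #    using a constant-time comparison
    authenticated = record is not None and hmac.compare_digest(
        _hash_password(password, record["salt"]), record["hash"]
    )

    # 3. Authorization: the authenticated entity's role must allow the action
    authorized = authenticated and action in ROLE_PERMISSIONS.get(record["role"], set())

    # 4. Accountability: record who asked for what and what was decided
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": claimed_user,
        "action": action,
        "authenticated": authenticated,
        "granted": authorized,
    })
    return authorized
```

Each step gates the next: an unknown identity never reaches the hash check, an unauthenticated request never reaches the permission table, and every request, successful or not, leaves an audit entry.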
Authentication
• There are three types of authentication mechanisms:
– Something a person knows (for example, a password or passphrase)
– Something a person has (for example, a cryptographic token or smart card)
– Something a person can produce (such as fingerprints, palm prints, hand topography, hand geometry, retina and iris scans; or a voice or signature that is analyzed using pattern recognition)
– These characteristics can be assessed through the use of biometrics
Something A Person Knows
• This authentication mechanism verifies the user’s identity by means of a password, passphrase, or other unique code, such as a PIN (personal identification number)
• The current industry best practice is for all passwords to have a minimum length of 10 characters and contain at least one uppercase letter, one lowercase letter, one number, and one system-acceptable special character, which of course requires systems to be case-sensitive
• These criteria are referred to as a password’s complexity requirement
• The passphrase and corresponding virtual password are an improvement over the standard password, as they are based on an easily memorable phrase
eWallet from Ilium Software
Password Power
*Estimated Time to Crack is based on an average 2015-era PC with an Intel i7-6700K Quad Core CPU performing 207.23 Dhrystone GIPS (giga/billion instructions per second) at 4.0 GHz.
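The complexity requirement from the "Something A Person Knows" slide and the exhaustive-search estimate behind the "Password Power" table, as one added example (not from the textbook). The set of "system-acceptable" special characters is an assumption; the guess rate is a parameter rather than the slide's instructions-per-second figure, because how many guesses a CPU makes per second depends on the hash in use. The time returned is the ceiling for a full search of the space, so a policy that only relies on this number overstates protection against dictionary and rule-based guessing.

```python
MIN_LENGTH = 10
# Assumed "system-acceptable" special characters (26 of them)
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def complexity_failures(password: str) -> list[str]:
    """Return the complexity rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def alphabet_size(password: str) -> int:
    """Size of the smallest character alphabet that covers every class the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length must try."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Upper bound on time to try every candidate at the given guess rate."""
    return keyspace(password) / guesses_per_second
```

Adding a character class grows the base of the exponent; adding a character grows the exponent itself, which is why the slide deck's passphrase advice buys more than swapping in one more symbol.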
Something A Person Has
• This authentication mechanism makes use of something (a card, key, or token) that the user or the system possesses
• One example is a dumb card (such as an ATM card) with magnetic stripes containing the digital (and often encrypted) PIN against which user input is compared
• Another example is the smart card, which contains an embedded computer chip that can verify and validate information in addition to PINs
• Another device often used is the cryptographic token, a processor in a card that has a display
• Tokens may be either synchronous or asynchronous
Access Control Tokens
Something A Person Can Produce
• This authentication mechanism takes advantage of something inherent about the user that is evaluated using biometrics
– Fingerprint comparison of the person’s actual fingerprint to a stored fingerprint
– Palm print comparison of the person’s actual palm print to a stored palm print
– Hand geometry comparison of the person’s actual hand to a stored measurement
– Facial recognition using a photographic ID card, in which a human security guard compares the person’s face to a photo
– Facial recognition using a digital camera, in which a person’s face is compared to a stored image
– Retinal print comparison of the person’s actual retina to a stored image
– Iris pattern comparison of the person’s actual iris to a stored image
Something A Person Can Produce
• Most of the technologies that scan human characteristics convert these images to obtain some form of minutiae—unique points of reference that are digitized and stored in an encrypted format
• Among all possible biometrics, only three human characteristics are usually considered truly unique:
– Fingerprints
– Retina of the eye (blood vessel pattern)
– Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations, vasculature, coronas, and crypts)
• DNA or genetic authentication will be included in this category if it ever becomes a cost-effective and socially accepted technology
Evaluating Biometrics
• Biometric technologies are generally evaluated according to three basic criteria:
– The false reject rate (Type I Error): the percentage of authorized users who are denied access
– The false accept rate (Type II Error): the percentage of unauthorized users who are allowed access
– The crossover error rate (CER): the point at which the number of false rejections equals the false acceptances
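The three criteria computed over a match-score threshold sweep, as an added example (not from the textbook). A biometric matcher returns a similarity score per attempt and the system accepts when the score reaches a threshold; raising the threshold trades false accepts for false rejects, and the CER is where the two curves meet. The genuine and impostor score samples below are constructed for the example, not measurements from any real system.

```python
# Constructed match scores on a 0-100 scale (higher = closer match); assumed, not real data
GENUINE = [62, 70, 75, 78, 80, 83, 85, 88, 90, 95]    # authorized users against their own template
IMPOSTOR = [20, 30, 35, 40, 45, 50, 55, 60, 65, 72]   # unauthorized users against someone else's


def false_reject_rate(genuine, threshold):
    """Type I error: fraction of authorized users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Type II error: fraction of impostors whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine, impostor):
    """Sweep every threshold on the score scale and return (threshold, rate) at the
    point where FRR and FAR are closest to equal; the rate is their mean there."""
    best = None
    for t in range(0, 101):
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, rate = best
    return threshold, rate
```

A deployment that cares more about keeping impostors out sets the threshold above the crossover and accepts the higher FRR; one that cares more about not locking out legitimate users sets it below. The CER is the single number that lets two devices be compared before that policy choice is made.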
Recognition Characteristics
Ranking of Biometric Effectiveness and Acceptance