information systems security access control domain #2
TRANSCRIPT
Objectives
Access control types Identification, authentication, authorization Control models and techniques Single sign-on technologies Centralized and decentralized administration Intrusion Detection Systems (IDS)
Roles of Access Control
Limit System Access Access based on identity, groups,
clearance, need-to-know, location, etc. Protect against unauthorized disclosure,
corruption, destruction, or modification– Physical– Technical– Administrative
Access Control Examples
Physical– Locks, guards
Technical– Encryption, password, biometrics
Administrative– Policies, procedures, security training
Access Control Characteristics
Preventative– Keeps undesirable events from happening
Detective– Identify undesirable events that have happened
Corrective– Correct undesirable events that have happened
Deterrent– Discourage security violations from taking place
Continued
Recovery– Restore resources and capabilities after a
violation or accident Compensation
– Provides alternatives to other controls
Who are You?
Identification – username, ID account # Authentication – passphrase, PIN, bio Authorization – “What are you allowed to do”
Separation of Duties Least Privilege
Authentication
Something you know Something you have Something you are
2-Factor Authentication– Use 2 out of the 3 types of characteristics
Access Criteria
Security Clearance– Mandatory control systems and labels
Need-to-Know– Formal processes– Requirements of role within company for access
Least Privilege– Lease amount of rights to carry out tasks– No authorization creep
Default to “NO ACCESS”
Example Controls
Biometrics– Retina, finger, voice, iris
Tokens– Synchronous and Asynchronous device
Memory Cards– ATM card, proximity card
Smart Cards– Credit card, ID card
Biometric Controls
Uses unique personal attributes Most expensive and accurate Society has low acceptance rate Experience growth after 9-11-2001
Error Types
Type I error– Rejects authorized individuals (False Reject)– Too high a level of sensitivity
Type II error– Accepts imposter (False Accept)– Too low a level of sensitivity
Crossover Error Rate (CER)– JUST RIGHT!!!!!
Biometric Example
Fingerprint– Ridge endings and bifurcations
Finger Scan– Uses less data than fingerprint (minutiae)
Palm Scan– Creases, ridges, and grooves from palm
Hand Geometry– Length and width of hand and fingers
More Biometrics
Retina Scan– Blood vessel pattern on back of eyeball
Iris Scan– Colored portion of eye
Signature Dynamics– Electrical signals of signature process
Keyboard Dynamics– Electrical signals of typing process
More Biometrics
Voice Print– Differences in sound, frequency, and pattern
Facial Scan– Bone structure, nose, forehead size, and eye
width Hand Topology
– Size and width of side of hand
Passwords
Least secure but cheap Should be at least 8 characters and
complex Keep a password history Clipping levels used Audit logs
Countermeasures
Encrypt passwords Use password advisors Do not transmit in clear text GREATLY protect central store of
passwords Use cognitive passwords
– Based on life experience or opinions
One-time Passwords
Dynamic Generated for one time use Protects against replay attacks Token devices can generate
– Synchronized to time or event– Based on challenge response mechanism
Not as vulnerable as regular passwords
Passphrase
Longer than a password Provides more protection Harder to guess Converted to virtual password by software
Memory Cards
Magnetic stripe holds data but cannot process data
No processor or circuits Proximity cards, credit cards, ATM cards Added costs compared to other
technologies
Smart Card
Microprocessor and IC Tamperproof device (lockout) PIN used to unlock Could hold various data
– Biometrics, challenge, private key, history Added costs
– Reader purchase– Card generation and maintenance
Single Sign-on (SSO)
Scripting Authentication Characteristics– Carry out manual user authentication– As users are added or changed, more
maintenance is required for each script– Usernames and passwords held in one central
script Many times in clear text
SSO Continued
Used by directory services (x.500) Used by thin clients Used by Kerberos
– If KDC is compromised, secret key of every system is also compromised
– If KDC is offline, no authentication is possible
Kerberos
Authentication, confidentiality, integrity NO Non-availability and repudiation services Vulnerable to password guessing Keys stored on user machines in cache All principles must have Kerberos software Network traffic should be encrypted
SESAME
Secure European System for Application in a Multi-vendor Environment
Based on asymmetric cryptography Uses digital signatures Uses certificates instead of tickets Not compatible with Kerberos
Access Control Threats
DOS Buffer Overflow Mobile Code Malicious Software Password Cracker Spoofing/Masquerading Sniffers
More Access Control Threats
Eavesdropping Emanations Shoulder Surfing Object Reuse Data Remanence Unauthorized Data Mining Dumpster Diving
Access Control Models
Once security policy is in place, a model must be chosen to fulfill the directives– Discretionary access control (DAC)– Mandatory access control (MAC)– Role-based access control (RBAS)
Also called non-discretionary
Discretionary
Used by OS and applications Owner of the resource determines which
subjects can access Subjects can pass permissions to others Owner is usually the creator and has full
control Less secure than mandatory access
Mandatory Access
Access decisions based on security clearance of subject and object
OS makes the decision, not the data owner Provides a higher level of protection
– Used by military and government agencies
Role Based Access Control
Also called non-discretionary Allows for better enforcing most commercial
security policies Access is based on user’s role in company Admins assign user to a role (implicit) and
then assign rights to the role Best used in companies with a high rate of
turnover
Remote Authentication Dial-in User Services (RADIUS)
AAA protocol De facto standard for authentication Open source Works on a client/server model Hold authentication information for access
Terminal Access Controller Access Control System (TACACS)
Cisco proprietary protocol Splits authentication, authorization, and
auditing features Provides more protection for client-to-server
communication than RADIUS TACACS+ adds two-factor authentication Not compatible with RADIUS
Diameter
New and improved RADIUS Users can move between service provider
networks and change their point of attachment
Includes better message transport, proxying, session control, and higher security for AAA
Not compatible with RADIUS
Decentralized Access Control
Owner of asset controls access administration
Leads to enterprise inconsistencies Conflicts of interest become apparent Terminated employees’ rights hard to
manage Peer-to-peer environment
Hybrid Access Control
Combines centralized and decentralized administration methods
One entity may control what users access Owners choose who can access their
personal assets
Ways of Controlling Access
Physical location– MAC addresses
Logical location– IP addresses
Time of day– Only during work day
Transaction type– Limit on transaction amounts
Technical Controls
System access– Individual computer controls– Operating system mechanisms
Network access– Domain controller logins– Methods of access
Network architecture– Controlling flow of information– Network devices implemented
Auditing and encryption
Physical Controls
Network segregation– Wiring closets need physical entry protection
Perimeter security– Restrict access to facility and assets
Computer controls– Remove floppys and CDs– Lock computer cases
Protect Audit Logs
Hackers attempt to scrub the logs Organizations that are regulated MUST
keep logs for a specific amount of time Integrity of logs can be protected with
hashing algorithms Restrict network administrator access
Intruder Detection Systems (IDS)
Software employed to monitor a network segment or an individual computer
Network-based– Monitors traffic on a network segment– Sensors communicate with central console
Host-based– Small agent program that resides on individual
computer– Detects suspicious activity on one system
IDS Placement
In front of firewall– Uncover attacks being launched
Behind firewall– Root out intruders who have gotten through
Within intranet– Detect internal attacks
Type of IDS
Signature-based– Knowledge based– Database of signatures– Cannot identify new attacks– Need continual updating
Behavior-based– Statistical or anomaly based– Creates many false positives– Compares activity to ‘what is normal’
IDS Issues
May not process all packets on large network
Cannot analyze encrypted data Lots of false alarms Not an answers to all problems Switched networks make it hard to examine
all packets
Traps for Intruders
Padded Cell– Codes within a product to detect if malicious
activity is taking place– Virtual machine provides a ‘safe’ environment– Intruder is moved to this environment– Intruder does not realize that he is not is the
original environment– Protects production system from hacking– Similar to honeypots