Information Systems Security

Access Control

Domain #2

Objectives

Access control types Identification, authentication, authorization Control models and techniques Single sign-on technologies Centralized and decentralized administration Intrusion Detection Systems (IDS)

Roles of Access Control

Limit System Access Access based on identity, groups,

clearance, need-to-know, location, etc. Protect against unauthorized disclosure,

corruption, destruction, or modification– Physical– Technical– Administrative

Access Control Examples

Physical– Locks, guards

Technical– Encryption, password, biometrics

Administrative– Policies, procedures, security training

Access Control Characteristics

Preventative– Keeps undesirable events from happening

Detective– Identify undesirable events that have happened

Corrective– Correct undesirable events that have happened

Deterrent– Discourage security violations from taking place

Continued

Recovery– Restore resources and capabilities after a

violation or accident Compensation

– Provides alternatives to other controls

Who are You?

Identification – username, ID account # Authentication – passphrase, PIN, bio Authorization – “What are you allowed to do”

Separation of Duties Least Privilege

Authentication

Something you know Something you have Something you are

2-Factor Authentication– Use 2 out of the 3 types of characteristics

Access Criteria

Security Clearance– Mandatory control systems and labels

Need-to-Know– Formal processes– Requirements of role within company for access

Least Privilege– Lease amount of rights to carry out tasks– No authorization creep

Default to “NO ACCESS”

Example Controls

Biometrics– Retina, finger, voice, iris

Tokens– Synchronous and Asynchronous device

Memory Cards– ATM card, proximity card

Smart Cards– Credit card, ID card

Biometric Controls

Uses unique personal attributes Most expensive and accurate Society has low acceptance rate Experience growth after 9-11-2001

Error Types

Type I error– Rejects authorized individuals (False Reject)– Too high a level of sensitivity

Type II error– Accepts imposter (False Accept)– Too low a level of sensitivity

Crossover Error Rate (CER)– JUST RIGHT!!!!!

Biometric Example

Fingerprint– Ridge endings and bifurcations

Finger Scan– Uses less data than fingerprint (minutiae)

Palm Scan– Creases, ridges, and grooves from palm

Hand Geometry– Length and width of hand and fingers

More Biometrics

Retina Scan– Blood vessel pattern on back of eyeball

Iris Scan– Colored portion of eye

Signature Dynamics– Electrical signals of signature process

Keyboard Dynamics– Electrical signals of typing process

More Biometrics

Voice Print– Differences in sound, frequency, and pattern

Facial Scan– Bone structure, nose, forehead size, and eye

width Hand Topology

– Size and width of side of hand

Passwords

Least secure but cheap Should be at least 8 characters and

complex Keep a password history Clipping levels used Audit logs

Password Attacks

Dictionary Attacks– Rainbow tables

Brute Force Attack– Every possible combination

Countermeasures

Encrypt passwords Use password advisors Do not transmit in clear text GREATLY protect central store of

passwords Use cognitive passwords

– Based on life experience or opinions

One-time Passwords

Dynamic Generated for one time use Protects against replay attacks Token devices can generate

– Synchronized to time or event– Based on challenge response mechanism

Not as vulnerable as regular passwords

Passphrase

Longer than a password Provides more protection Harder to guess Converted to virtual password by software

Memory Cards

Magnetic stripe holds data but cannot process data

No processor or circuits Proximity cards, credit cards, ATM cards Added costs compared to other

technologies

Smart Card

Microprocessor and IC Tamperproof device (lockout) PIN used to unlock Could hold various data

– Biometrics, challenge, private key, history Added costs

– Reader purchase– Card generation and maintenance

Single Sign-on (SSO)

Scripting Authentication Characteristics– Carry out manual user authentication– As users are added or changed, more

maintenance is required for each script– Usernames and passwords held in one central

script Many times in clear text

SSO Continued

Used by directory services (x.500) Used by thin clients Used by Kerberos

– If KDC is compromised, secret key of every system is also compromised

– If KDC is offline, no authentication is possible

Kerberos

Authentication, confidentiality, integrity NO Non-availability and repudiation services Vulnerable to password guessing Keys stored on user machines in cache All principles must have Kerberos software Network traffic should be encrypted

SESAME

Secure European System for Application in a Multi-vendor Environment

Based on asymmetric cryptography Uses digital signatures Uses certificates instead of tickets Not compatible with Kerberos

Access Control Threats

DOS Buffer Overflow Mobile Code Malicious Software Password Cracker Spoofing/Masquerading Sniffers

More Access Control Threats

Eavesdropping Emanations Shoulder Surfing Object Reuse Data Remanence Unauthorized Data Mining Dumpster Diving

More Threats

Theft Social Engineering Help Desk Fraud

Access Control Models

Once security policy is in place, a model must be chosen to fulfill the directives– Discretionary access control (DAC)– Mandatory access control (MAC)– Role-based access control (RBAS)

Also called non-discretionary

Discretionary

Used by OS and applications Owner of the resource determines which

subjects can access Subjects can pass permissions to others Owner is usually the creator and has full

control Less secure than mandatory access

Mandatory Access

Access decisions based on security clearance of subject and object

OS makes the decision, not the data owner Provides a higher level of protection

– Used by military and government agencies

Role Based Access Control

Also called non-discretionary Allows for better enforcing most commercial

security policies Access is based on user’s role in company Admins assign user to a role (implicit) and

then assign rights to the role Best used in companies with a high rate of

turnover

Remote Authentication Dial-in User Services (RADIUS)

AAA protocol De facto standard for authentication Open source Works on a client/server model Hold authentication information for access

Terminal Access Controller Access Control System (TACACS)

Cisco proprietary protocol Splits authentication, authorization, and

auditing features Provides more protection for client-to-server

communication than RADIUS TACACS+ adds two-factor authentication Not compatible with RADIUS

Diameter

New and improved RADIUS Users can move between service provider

networks and change their point of attachment

Includes better message transport, proxying, session control, and higher security for AAA

Not compatible with RADIUS

Decentralized Access Control

Owner of asset controls access administration

Leads to enterprise inconsistencies Conflicts of interest become apparent Terminated employees’ rights hard to

manage Peer-to-peer environment

Hybrid Access Control

Combines centralized and decentralized administration methods

One entity may control what users access Owners choose who can access their

personal assets

Ways of Controlling Access

Physical location– MAC addresses

Logical location– IP addresses

Time of day– Only during work day

Transaction type– Limit on transaction amounts

Technical Controls

System access– Individual computer controls– Operating system mechanisms

Network access– Domain controller logins– Methods of access

Network architecture– Controlling flow of information– Network devices implemented

Auditing and encryption

Physical Controls

Network segregation– Wiring closets need physical entry protection

Perimeter security– Restrict access to facility and assets

Computer controls– Remove floppys and CDs– Lock computer cases

Protect Audit Logs

Hackers attempt to scrub the logs Organizations that are regulated MUST

keep logs for a specific amount of time Integrity of logs can be protected with

hashing algorithms Restrict network administrator access

Intruder Detection Systems (IDS)

Software employed to monitor a network segment or an individual computer

Network-based– Monitors traffic on a network segment– Sensors communicate with central console

Host-based– Small agent program that resides on individual

computer– Detects suspicious activity on one system

IDS Placement

In front of firewall– Uncover attacks being launched

Behind firewall– Root out intruders who have gotten through

Within intranet– Detect internal attacks

Type of IDS

Signature-based– Knowledge based– Database of signatures– Cannot identify new attacks– Need continual updating

Behavior-based– Statistical or anomaly based– Creates many false positives– Compares activity to ‘what is normal’

IDS Issues

May not process all packets on large network

Cannot analyze encrypted data Lots of false alarms Not an answers to all problems Switched networks make it hard to examine

all packets

Traps for Intruders

Padded Cell– Codes within a product to detect if malicious

activity is taking place– Virtual machine provides a ‘safe’ environment– Intruder is moved to this environment– Intruder does not realize that he is not is the

original environment– Protects production system from hacking– Similar to honeypots