IT 4823 – Information Security Administration - PowerPoint PPT Presentation

Provided by: cseSpsuEd3

Transcript and Presenter's Notes

1
IT 4823 Information Security Administration
  • Chapter 4 Access Control, Part 1
  • Summer 2006, Feibish

2
Access Control
  • This chapter presents the following
  • Identification methods and technologies
  • Authentication methods, models, and
    technologies
  • Discretionary, mandatory, and nondiscretionary
    models
  • Accountability, monitoring, and auditing
    practices
  • Emanation security and technologies
  • Intrusion detection systems
  • Possible threats to access control practices
    and technologies

3
Overview
  • Definition: Access controls are security
    features that control how users and systems
    communicate and interact with other systems and
    resources.
  • They protect the systems and resources from
    unauthorized access and can be a component that
    participates in determining the level of
    authorization after an authentication procedure
    has successfully completed.

4
Definitions
  • Access is the flow of information between a
    subject and an object
  • A subject is an active entity that requests
    access to an object or the data within an object.
  • An object is a passive entity that contains
    information. An object can be a computer,
    database, file, computer program, directory, or
    field contained in a table within a database
  • Access control is a broad term that covers
    several different types of mechanisms that
    enforce access control features on computer
    systems, networks, and information.

5
Figure 4-1
6
Security Principles
  • Availability
  • Fault tolerance, recovery, continuity, user
    productivity
  • Information has various attributes, such as
    accuracy, relevance, timeliness, and privacy.
  • Integrity
  • Accurate, complete, and protected from
    unauthorized modification
  • Illegitimate modifications must alert the user
  • Confidentiality
  • Information is not disclosed to unauthorized
    individuals, programs, or processes.
  • Some information is more sensitive than other
    information
  • It is important for a company to identify the
    data that needs to be classified, so that the
    company can ensure that a top priority of
    security protects this information and keeps it
    confidential.

7
Identification, Authentication, and Authorization
  • Identification describes a method of ensuring
    that a subject (user, program, or process) is the
    entity it claims to be.
  • Identification can be provided with the use of a
    username or account number.
  • To be properly authenticated, the subject is
    usually required to provide a second piece to the
    credential set.
  • This piece could be a password, passphrase,
    cryptographic key, personal identification number
    (PIN), anatomical attribute, or token

8
Identification, Authentication, and Authorization
  • Authentication
  • After authentication
  • System checks some kind of access control matrix
    or security labels
  • If system determines authenticated subject may
    access the resource, it authorizes the subject.
  • Accountability
  • Subject must be uniquely identified
  • Subject's actions must be recorded

9
Logical Access Controls
  • Def: tools used for identification,
    authentication, authorization, and accountability
  • May be embedded within OS, apps, add-on security
    packages, database, or telecommunication
    management systems.

10
Fig 4-2 IAAA
11
Authentication
  • 3 general factors
  • Something a person knows
  • Password, PIN, maiden name, combination, etc.
  • Disadvantage: information can be lost/stolen
  • Something a person has
  • Key, swipe card, access card, badge
  • Disadvantage: token can be lost or stolen
  • Something a person is
  • Physical attribute (biometrics)

12
Strong authentication
  • Also known as two-factor authentication
  • Must provide 2 of the 3 general categories of
    authentication
  • For example
  • Password AND employee badge
  • Key card AND fingerprint

13
Identification component requirements
  • When issuing identification values to users, the
    following should be in place
  • Each value should be unique, for user
    accountability.
  • A standard naming scheme should be followed.
  • The value should be nondescriptive of the user's
    position or tasks.
  • The value should not be shared between users.

14
Identity management
  • Identity management is a broad term that
    encompasses the use of different products to
    identify, authenticate, and authorize users
    through automated means.
  • Should provide the following services
  • User provisioning
  • Password synchronization and resetting
  • Self service for users on specific types of
    activities
  • Delegation of administrative tasks
  • Centralized auditing and reporting
  • Integrated workflow and increase in business
    productivity
  • Decrease in network access points
  • Regulatory compliance

15
Authentication Methods
  • Biometrics verifies an individual's identity by
    analyzing a unique personal attribute or
    behavior, which is one of the most effective and
    accurate methods of verifying identification.
  • False rejection is called a Type I error
  • False acceptance is called a Type II error
  • Type II errors are the MOST DANGEROUS and must be
    avoided!

16
CER: Crossover Error Rate
  • Stated as a percentage
  • Point at which false rejection = false acceptance
  • The lower the CER, the better
  • Used for comparing various biometric tools
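
The crossover point described on this slide, worked through as an added example (not part of the original presentation): sweep the match threshold, compute the Type I and Type II rates at each step, and report where they meet. The match scores and device names are constructed for illustration.

```python
# Constructed match scores (0..1) for two hypothetical biometric devices.
# "genuine" = attempts by the enrolled user, "impostor" = attempts by someone else.
DEVICE_A = {
    "genuine":  [0.91, 0.84, 0.78, 0.66, 0.73, 0.88, 0.59, 0.95, 0.81, 0.70],
    "impostor": [0.12, 0.35, 0.48, 0.61, 0.27, 0.55, 0.72, 0.19, 0.41, 0.30],
}
DEVICE_B = {
    "genuine":  [0.92, 0.85, 0.77, 0.45, 0.52, 0.88, 0.60, 0.95, 0.40, 0.70],
    "impostor": [0.12, 0.35, 0.48, 0.61, 0.27, 0.55, 0.72, 0.19, 0.65, 0.58],
}

def error_rates(device, threshold):
    """Return (FRR, FAR) when a score >= threshold is accepted."""
    genuine, impostor = device["genuine"], device["impostor"]
    frr = sum(s < threshold for s in genuine) / len(genuine)     # Type I: false rejection
    far = sum(s >= threshold for s in impostor) / len(impostor)  # Type II: false acceptance
    return frr, far

def crossover(device, steps=100):
    """Sweep thresholds 0.00..1.00; return (threshold, FRR, FAR) where the rates are closest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(device, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]

def better_device(a, b):
    """The lower the CER, the better: compare two devices by their crossover rate."""
    cer_a, cer_b = crossover(a)[1], crossover(b)[1]
    return "A" if cer_a < cer_b else "B"

if __name__ == "__main__":
    for name, dev in (("A", DEVICE_A), ("B", DEVICE_B)):
        t, frr, far = crossover(dev)
        print(f"device {name}: CER ~ {frr:.0%} at threshold {t:.2f} (FAR {far:.0%})")
    # Raising the threshold lowers Type II errors at the cost of more Type I errors.
    print(error_rates(DEVICE_A, 0.50), error_rates(DEVICE_A, 0.80))
```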

17
Biometric barriers to implementation
  • Most expensive method of verifying identity
  • User acceptance
  • Enrollment timeframe
  • Throughput

18
Different types of biometric systems: Review from book
  • Fingerprint
  • Palm Scan
  • Hand Geometry
  • Retina Scan
  • Iris Scan
  • Signature Dynamics
  • Keyboard Dynamics
  • Voice Print
  • Facial Scan
  • Hand Topography

19
Passwords
  • Should be strong and properly managed
  • Generally considered one of the weakest security
    mechanisms available (why?)
  • Users typically don't care until there is a
    problem
  • Systems should enforce password policies

20
How are passwords attacked?
  • Electronic monitoring
  • Access the password file
  • Brute force attacks
  • Dictionary attacks
  • Social engineering
  • Protection mechanisms include password length,
    complexity, age, history, and clipping level

21
Protecting password
  • Password checkers (or crackers): used by IT
    staff during a security audit
  • Password hashing/encryption: do not send
    cleartext password. (telnet? ftp? smtp?
    Syskey utility in Windows)
  • Aging, Limit logon attempts, etc.
  • Cognitive passwords
  • Dynamic (one-time) passwords
  • SecurID (proprietary, RSA Security Inc)
  • Token Device
  • May be synchronous or asynchronous

22
Cryptographic keys
  • An alternative to passwords
  • Private keys and digital signatures are more
    secure than typical passwords
  • Private key is held by owner
  • Public key is provided to anyone without
    compromising the associated private key
  • Passphrase: string of characters longer than a
    password. It is transformed into a virtual
    password.
  • Memory Cards (for example, ATM stripe)
  • Smart Card (contact or contactless)

23
Smart Cards
24
Smart card attacks
  • Fault generation: intentional introduction of
    computational errors to expose encryption keys
  • Side-channel attacks are nonintrusive and are
    used to uncover sensitive information about
    how a component works without trying to
    compromise any type of flaw or weakness
  • Differential power analysis: examining the power
    emissions that are released
  • Electromagnetic analysis: examining the
    frequencies that are emitted
  • Timing: how long a specific process takes to
    complete
  • Software attacks: input instructions into the
    card that will allow for the attacker to extract
    account information
  • Microprobing: uses needles to remove the outer
    protective material on the card's circuits, by
    using ultrasonic vibration. Once this is
    completed, then data can be accessed and
    manipulated by directly tapping into the card's
    ROM chips

25
Authorization
  • Criteria
  • Roles (job function)
  • Groups
  • Physical or logical location
  • Time of day (temporal isolation)
  • Transaction type
  • Know Authorization Creep
  • Why is this a problem?

26
Access Levels
  • Default to No Access
  • Safest, default is always no access
  • Need to Know
  • individuals should be given access only to the
    information that they absolutely require in order
    to perform their job duties
  • Single sign-on (SSO)
  • Single password for access to many systems
  • Problem: interoperability

27
SSO
28
SSO Technologies
  • Kerberos: Authentication protocol that uses a
    KDC and tickets, and is based on symmetric key
    cryptography
  • SESAME: Authentication protocol that uses a PAS
    and PACs, and is based on symmetric and
    asymmetric cryptography
  • Security domains: Resources working under the
    same security policy and managed by the same
    group
  • Thin clients: Terminals that rely upon a central
    server for access control, processing, and
    storage

29
Access Control Models
  • An access control model is a framework that
    dictates how subjects access objects.
  • 3 main types
  • Discretionary
  • Mandatory
  • Nondiscretionary (or role-based)

30
Discretionary Access Control
  • A system that uses discretionary access control
    (DAC) enables the owner of the resource to
    specify which subjects can access specific
    resources.
  • This means that users are allowed to specify what
    type of access can occur to the objects they own.
  • Does not lend itself to a centrally controlled
    environment
  • Most of the operating systems that you may be
    used to dealing with are based on DAC models,
    such as all Windows, Linux, and Macintosh

31
Mandatory Access Control
  • The operating system makes the final decision and
    can override the user's wishes
  • This model is much more structured and strict and
    is based on a security label system
  • Users are given a security clearance (secret, top
    secret, confidential, and so on), and data is
    classified in the same way.
  • The rules for how subjects access objects are
    made by the security officer, configured by the
    administrator, enforced by the operating system,
    and supported by security technologies.
  • Note: Security Label = Sensitivity Label

32
Role-Based Access Control
  • Centrally administrated set of controls to
    determine how subjects and objects interact
  • based on the role the user holds within the
    company
  • This means that if you are assigned only to the
    Contractor role in a company, there is nothing
    you can do about it.
  • Best for companies with high turnover

33
Access Control Models - review
34
Access Control Techniques/Technologies
  • Once an organization determines what type of
    access control model it is going to use, it needs
    to identify and refine its technologies and
    techniques to support the model.

35
Rule-Based Access Control
  • Uses specific rules that indicate what can and
    cannot happen between a subject and an object.
  • It is based on the simple concept of "if X then
    Y" programming rules, which can be used to
    provide finer-grained access control to
    resources.
  • Rule-based access control is not necessarily
    identity-based.
  • Traditionally, rule-based access control has been
    used in MAC
  • Today, rule-based access is used in other types
    of systems and applications as well (firewalls)

36
Constrained User Interfaces
  • Restrict users' access abilities by not allowing
    them to request certain functions or information
  • 3 types
  • Menus and shells
  • Database views
  • Physically constrained interfaces (provide only
    certain keys, hiding buttons, etc.)

37
Access Control Matrix
  • Table of subjects and objects indicating what
    actions individual subjects can take upon
    individual objects.
  • Usually an attribute of DAC models.

38
Capability Table vs. ACL
  • A capability table is bound to a subject, whereas
    an ACL is bound to an object.
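
The relationship between the matrix, ACLs and capability tables, as an added example that is not part of the original presentation: an ACL is one column of the matrix and a capability table is one row. The subjects, objects and rights are constructed; `excess_rights` is a hypothetical helper for the need-to-know and authorization-creep review mentioned on the Authorization and Access Levels slides.

```python
# Constructed access control matrix: rows are subjects, columns are objects,
# cells hold the actions that subject may take on that object.
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob":        {"payroll.db": {"read"}, "hr_reviews": {"read", "write"}},
    "backup_svc": {"payroll.db": {"read"}, "audit.log": {"read", "append"}},
}

def capability_table(matrix, subject):
    """One row of the matrix: bound to a subject, lists the objects it can reach."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}

def acl(matrix, obj):
    """One column of the matrix: bound to an object, lists the subjects allowed on it."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}

def is_authorized(matrix, subject, obj, action):
    """Default to no access: an unknown subject, object or action is denied."""
    return action in matrix.get(subject, {}).get(obj, set())

def excess_rights(matrix, subject, needed):
    """Rights held beyond what the subject's current duties require (need to know)."""
    extra = {}
    for obj, rights in capability_table(matrix, subject).items():
        surplus = rights - needed.get(obj, set())
        if surplus:
            extra[obj] = surplus
    return extra

if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("Capabilities of backup_svc:", capability_table(MATRIX, "backup_svc"))
    print("bob may read audit.log:", is_authorized(MATRIX, "bob", "audit.log", "read"))
    # Constructed scenario: bob changed jobs and now needs only read access to payroll.
    print("bob's leftover rights:", excess_rights(MATRIX, "bob", {"payroll.db": {"read"}}))
```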

39
Content vs. Context dependent access control
  • In Content-dependent access control, access to
    objects is determined by the content within the
    object.
  • Example: Content-dependent filtering is used
    when corporations employ e-mail filters that look
    for specific strings, such as "confidential,"
    "social security number," "top secret," and any
    other types of words that the company deems
    unacceptable.
  • Context-dependent access control differs from
    content-dependent access control in that it makes
    access decisions based on the context of a
    collection of information rather than on the
    sensitivity of the data.
  • Example: SPI firewall, SYN/ACK
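
The two examples on this slide side by side, as an added sketch that is not part of the original presentation: a string filter decides on what the message contains, while a simplified stateful filter decides on what came before, so the same SYN/ACK packet is dropped or passed depending on whether an inside host sent the matching SYN. Class, function and state names are assumptions, and the addresses are constructed.

```python
# Content-dependent: the decision depends only on what the object contains.
BLOCKED_STRINGS = ("confidential", "social security number", "top secret")

def content_allows(message_body):
    """Return False if the outgoing message contains a blocked string."""
    body = message_body.lower()
    return not any(s in body for s in BLOCKED_STRINGS)

# Context-dependent: the decision depends on the state of the conversation.
class StatefulFilter:
    """Simplified stateful inspection; key = (inside_host, outside_host, port)."""

    def __init__(self):
        self.state = {}

    def outbound(self, inside, outside, port, flags):
        key = (inside, outside, port)
        if flags == "SYN":
            self.state[key] = "SYN_SENT"
        elif flags == "ACK" and self.state.get(key) == "SYN_ACK_SEEN":
            self.state[key] = "ESTABLISHED"
        return True  # constructed policy: outbound traffic is allowed

    def inbound(self, outside, inside, port, flags):
        key = (inside, outside, port)
        current = self.state.get(key)
        if flags == "SYN/ACK" and current == "SYN_SENT":
            self.state[key] = "SYN_ACK_SEEN"   # reply to a handshake we started
            return True
        if flags == "ACK" and current == "ESTABLISHED":
            return True
        return False  # anything that does not fit the recorded context is dropped

if __name__ == "__main__":
    print(content_allows("Lunch menu for Friday"))        # allowed
    print(content_allows("Attached: TOP SECRET roadmap"))  # blocked
    fw = StatefulFilter()
    print(fw.inbound("203.0.113.9", "10.0.0.5", 443, "SYN/ACK"))  # unsolicited: dropped
    fw.outbound("10.0.0.5", "203.0.113.9", 443, "SYN")
    print(fw.inbound("203.0.113.9", "10.0.0.5", 443, "SYN/ACK"))  # expected reply: passed
```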

40
Review Access Control Techniques
  • Access control matrix: Table of subjects and
    objects that outlines their access relationships
  • ACL: Bound to an object and indicates what
    subjects can access it
  • Capability table: Bound to a subject and
    indicates what objects that subject can access
  • Content-based access: Bases access decisions on
    the sensitivity of the data, not solely on
    subject identity
  • Context-based access: Bases access decisions on
    the state of the situation, not solely on
    identity or content sensitivity
  • Restricted interface: Limits the user's
    environment within the system, thus limiting
    access to objects
  • Rule-based: Restricts subjects' access attempts
    by predefined rules

41
Next: Access Control Administration
  • Centralized vs. Decentralized
  • Centralized access control administration: one
    entity (department or individual) is responsible
    for overseeing access to all corporate resources.
  • Decentralized access control administration:
    method gives control of access to the people
    closer to the resources, e.g. functional manager

42
Centralized Access Control
  • Consistent and uniform across organization
  • Strict, but can be slow
  • Uses AAA protocols: authentication,
    authorization, and auditing
  • RADIUS
  • TACACS, TACACS+, XTACACS
  • Terminal Access Controller Access Control System
  • Diameter

43
Next
  • We will look at the technical details of
    these protocols and continue chapter 4.

44
Questions?