Lecture 15 Access Control Processes

About This Presentation

Title:

Lecture 15 Access Control Processes

Description:

Title: Strategic Management of Information Technology Author: Barbara Hecker Last modified by: Barbara Hecker Created Date: 7/3/2002 3:36:07 AM Document presentation ... – PowerPoint PPT presentation

Number of Views:217

Avg rating:3.0/5.0

Slides: 90

Provided by: BarbaraH157

Category:

more less

Transcript and Presenter's Notes

Title: Lecture 15 Access Control Processes

1
Lecture 15Access Control Processes
2
What is Access Control?

Access Control
Access control is the policy-driven limitation of
access to systems, data, and dialogs
Prevent attackers from gaining access, stopping
them if they do

3
What is Access Control?

First Steps
Enumeration of Resources
Sensitivity of Each Resource
Next, who Should Have Access?
Can be made individual by individual
More efficient to define by roles (logged-in
users, system administrators, project team
members, etc.)

4
Access Control

What Access Permissions (Authorizations) Should
They Have?
Access permissions (authorizations) define
whether a role or individual should have any
access at all
If so, exactly what the role or individual should
be allowed to do to the resource.
Usually given as a list of permissions for users
to be able to do things (read, change, execute
program, etc.) for each resource

5
Access Control

How Should Access Control Be Implemented?
For each resource, need an access protection plan
for how to implement protection in keeping with
the selected control policy
For a file on a server, for instance, limit
authorizations to a small group, harden the
server against attack, use a firewall to thwart
external attackers, etc.

6
Access Control

Policy-Based Access Control and Protection
Have a specific access control policy and an
access protection policy for each resource
Focuses attention on each resource
Guides the selection and configuration of
firewalls and other protections
Guides the periodic auditing and testing of
protection plans

7
Password-Based Access Control
8
Server Password Cracking

Reusable Passwords
A password you use repeatedly to get access to a
resource on multiple occasions
Bad because attacker will have time to learn it
then can use it
Difficulty of Cracking Passwords by Guessing
Remotely
Usually cut off after a few attempts
However, if can steal the password file, can
crack passwords at leisure

9
Server Password Cracking

Hacking Root
Super accounts (can take any action in any
directory)
Hacking root in UNIX
Super accounts in Windows (administrator) and
NetWare (supervisor)
Hacking root is rare usually can only hack an
ordinary user account
May be able to elevate the privileges of the user
account to take root action

10
Server Password Cracking

Physical Access Password Cracking
l0phtcrack
Lower-case L, zero, phtcrack
Password cracking program
Run on a server (need physical access)
Or copy password file and run l0phtcrack on
another machine.

11
Server Password Cracking

Physical Access Password Cracking
Brute-force password guessing
Try all possible character combinations
Longer passwords take longer to crack
Using more characters also takes longer
Alphabetic, no case (26 possibilities)
Alphabetic, case (52)
Alphanumeric (letters and numbers) (62)
All keyboard characters (80)

12
Password Length
Password Length In Characters
Alphanumeric Letters Digits (N62)
All Keyboard Characters (N80)
Alphabetic, Case (N52)
Alphabetic, No Case (N26)
1
62
80
52
26
2 (N2)
3,844
6,400
2,704
676
4 (N4)
14,776,336
40,960,000
7,311,616
456,976
6
56,800,235,584
2.62144E11
19,770,609,664
308,915,776
8
2.1834E14
1.67772E15
5.34597E13
2.08827E11
10
8.39299E17
1.07374E19
1.44555E17
1.41167E14
13
Server Password Cracking

Physical Access Password Cracking
Brute Force Attacks
Try all possible character combinations
Slow with long passwords length
Dictionary attacks
Try common words (password, ouch, etc.)
There are only a few thousand of these
Cracked very rapidly
Hybrid attacks
Common word with single digit at end, etc.

14
Server Password Cracking

Password Policies
Good passwords
At least 6 characters long
Change of case not at beginning
Digit (0 through 9) not at end
Other keyboard character not at end
Example triV6ial

15
Server Password Cracking

Password Policies
Testing and enforcing password policies
Run password cracking program against own servers
Caution requires approval! SysAdmins have been
fired for doing this without permissionand
should be
Password duration policies How often passwords
must be changed

16
Server Password Cracking

Password Policies
Password sharing policies Generally, forbid
shared passwords
Removes ability to learn who took actions loses
accountability
Usually is not changed often or at all because of
need to inform all sharers

17
Server Password Cracking

Password Policies
Disabling passwords that are no longer valid
As soon as an employee leaves the firm, etc.
As soon as contractors, consultants leave
In many firms, a large percentage of all accounts
are for people no longer with the firm

18
Server Password Cracking

Password Policies
Lost passwords
Password resets Help desk gives new password for
the account
Opportunities for social engineering attacks
Leave changed password on answering machine
Biometrics voice print identification for
requestor (but considerable false rejection rate)

19
Server Password Cracking

Password Policies
Lost passwords
Automated password resets
Employee goes to website
Must answer a question, such as In what city
were you born?
Problem of easily-guessed questions that can be
answered with research

20
UNIX/etc/passwd File Entries
Without Shadow Password File
With Shadow Password File
Pleex473Pat Lee/usr/plee//bin/csh
The x indicates that the password is stored in a
separate shadow password file
21
UNIX/etc/passwd File Entries

Unix passwd File
Contains the username, password, and other
information is semi-standard form
In the /etc directory that is accessible to
anyone
Anyone can steal the passwd file and crack the
passwords
Unix Shadow File
Newer versions of Unix store passwords in a
protected shadow file
In the passwd file, there is an x in the password
position

22
Server Password Cracking

Password Policies
Encrypted (hashed) password files
Passwords not stored in readable form
Encrypted with DES or hashed with MD5
In UNIX, etc/passwd puts x in place of password
Encrypted or hashed passwords are stored in a
different (shadow) file to which only high-level
accounts have access

23
Password Hashing (or Encryption)
2. Hash My4Bad 11110000
1. User Lee Password My4Bad
3. Hashes Match
Client PC User Lee
Hashed Password File Brown 11001100 Lee 11110000 C
hun 00110011 Hatori 11100010
4. Hashes Match, So User is Authenticated
24
Server Password Cracking

Password Policies
Windows passwords
Obsolete LAN manager passwords (7 characters
maximum) should not be used
Windows NTLM passwords are better
Option (not default) to enforce strong passwords

25
Server Password Cracking

Shoulder Surfing
Watch someone as they type their password
Keystroke Capture Software
Professional versions of windows protect RAM
during password typing
Consumer versions do not
Trojan horse throws up a login screen later,
reports its finding to attackers

26
Server Password Cracking

Windows Client PC Software
Consumer version login screen is not for security
Windows professional and server versions provide
good security with the login password
BIOS passwords allow boot-up security
Can be disabled by removing the PCs battery
But during a battery removal, the attacker will
be very visible
Screen savers with passwords allow away-from-desk
security after boot-up

Physical Building Security

28
Building Security

Building Security Basics
Single point of (normal) entry to building
Fire doors, etc. use closed-circuit television
(CCTV) and alarms to monitor them
Security centers
Monitors for closed-circuit TV (CCTV)
Videotapes that must be retained (Dont reuse too
much or the quality will be bad)
Alarms

29
Building Security

Building Security Basics
Interior doors to control access between parts of
the building
Piggybacking holding the door open so that
someone can enter without identification defeats
this protection
Enforcing policies You get what you enforce
Training security personnel
Training all employees

30
Building Security

Building Security Basics
Phone stickers with security center phone number
Thwarting piggybacking by employee education and
sanctions for allowing it
Dumpster diving by keeping Dumpsters in locked,
lighted area
Drive shredding programs for discarded disk
drives that do more than reformat drives

31
Physical building Cabling
3. Entrance Facility with Termination Equipment
6. Vertical Riser Space
5. Core Switch (Chassis)
4. Router
2. To WAN
1. Equipment Room (Usually in Basement)
32
Physical building Cabling

Vertical
Distribution

5. Horizontal Distribution
4. Workgroup Switch
3. Telecommunications Closet on Floor
2. Optical Fiber One Pair per Floor
33
Physical building Cabling
Horizontal and Final Distribution
Workgroup Switch in Telecoms Closet
1. Horizontal Distribution One 4-Pair UTP Cord
34
Building Security

Data Wiring Security
Telecommunications closets should be locked
Wiring conduits should be hard to cut into
Servers rooms should have strong access security

35
Access Cards and Tokens
36
Access Cards

Magnetic Stripe Cards
Smart Cards
Have a microprocessor and RAM
More sophisticated than mag stripe cards
Release only selected information to different
access devices

37
Access Cards

Tokens
Small device with constantly-changing password
Or device that can plug into USB port or another
port
Proximity Tokens
Use short-range radio transmission
Can be detected and tested without physical
contact
Allows easier access used in Tokyo subways

38
Access Cards

Card Cancellation
Requires a central system
PINs
Personal Identification Numbers
Short about 4 digits
Can be short because attempts are manual (10,000
combinations to try with 4 digits)

39
Access Cards

PINs
Should not allow obvious combinations (1111,
1234) or important dates
Provide two-factor authentication
E.g., PIN and card
Dont allow writing PIN on card

40
Biometric Authentication
41
Biometric Authentication

Biometric Authentication
Authentication based on body measurements and
motions
Because you always bring your body with you
Biometric Systems
Enrollment
Later access attempts
Acceptance or rejection

42
Biometric Authentication System
1. Initial Enrollment
User Lee Scanning
User Lee Template (01101001)
Processing (Key Feature Extraction) A01, B101,
C001
Template Database Brown 10010010 Lee
01101001 Chun 00111011 Hirota 1101110

3. Match Index Decision Criterion (Close Enough?)
2. Subsequent Access
Applicant Scanning
User Access Data (01111001)
Processing (Key Feature Extraction) A01, B111,
C001
43
Biometric Authentication

Verification Versus Identification
Verification Are applicants who they claim to
be? (compare with single template)
Identification Who is the applicant? (compare
with all templates)
More difficult than verification because must
compare to many templates
Watch list is this person a member of a specific
group (e.g., known terrorists)
Intermediate in difficulty

44
Biometric Authentication

Verification Versus Identification
Verification is good for replacing passwords in
logins
Identification is good for door access and other
situations where entering a name would be
difficult

45
Biometric Authentication
FAR

Precision
False acceptance rates (FARs) Percentage of
unauthorized people allowed in
Person falsely accepted as member of a group
Person allowed through a door who should be
allowed through it
Very bad for security

46
Biometric Authentication
FRR

Precision
False rejection rates (FRRs) Percentage of
authorized people not recognized as being members
of the group
Valid person denied door access or server login
because not recognized
Can be reduced by allowing multiple access
attempts
High FRRs will harm user acceptance because users
are angered by being falsely forbidden

47
Biometric Authentication

Precision
Vendor claims for FARs and FRRs tend to be
exaggerated because they often perform tests
under ideal circumstances
For instance, having only small numbers of users
in the database
For instance, by using perfect lighting,
extremely clean readers, and other conditions
rarely seen in the real world

48
Biometric Authentication

User Acceptance is Crucial
Strong user resistance can kill a system
Fingerprint recognition may have a criminal
connotation
Some methods are difficult to use, such as iris
recognition, which requires the eye to be lined
up carefully.
These require a disciplined group

49
Biometric Authentication

Biometric Methods
Fingerprint recognition
Dominates the biometric market today
Based on a fingers distinctive pattern of
whorls, arches, and loops
Simple, inexpensive, well-proven
Weak security can be defeated fairly easily with
copies
Useful in modest-security areas

50
Biometric Authentication

Biometric Methods
Iris recognition
Pattern in colored part of eye
Very low FARs
High FRR if eye is not lined up correctly can
harm acceptance
Reader is a cameradoes not send light into the
eye!

51
Biometric Authentication

Biometric Methods
Face recognition
Can be put in public places for surreptitious
identification (identification without citizen
or employee knowledge). More later.
Hand geometry shape of hand
Voice recognition
High error rates
Easy to fool with recordings

52
Biometric Authentication

Biometric Methods
Keystroke recognition
Rhythm of typing
Normally restricted to passwords
Ongoing during session could allow continuous
authentication
Signature recognition
Pattern and writing dynamics

53
Biometric Authentication

Biometric Standards
Almost no standardization
Worst for user data (fingerprint feature
databases)
Get locked into single vendors

54
Biometric Authentication

Can Biometrics be Fooled?
Airport face recognition
Identification of people passing in front of a
camera
False rejection rate rate of not identifying
person as being in the database
Fail to recognize a criminal, terrorist, etc.
FRRs are bad

55
Biometric Authentication

Can Biometrics be Fooled?
Airport face recognition
4-week trial of face recognition at Palm Beach
International Airport
Only 250 volunteers in the user database
(unrealistically small)
Volunteers were scanned 958 times during the
trial
Only recognized 455 times! (47)
53 FRR

56
Biometric Authentication

Can Biometrics be Fooled?
Airport face recognition
Recognition rate fell if wore glasses (especially
tinted), looked away
Would be worse with larger database
Would be worse if photographs were not good

57
Biometric Authentication

Can Biometrics be Fooled?
DOD Tests indicate poor acceptance rates when
subjects were not attempting to evade
270-person test
Face recognition recognized person only 51
percent of time
Even iris recognition only recognized the person
94 percent of the time!

58
Biometrics Authentication

Can Biometrics be Fooled?
Other research has shown that evasion is often
successful for some methods
German ct magazine fooled most face and
fingerprint recognition systems
Prof. Matsumoto fooled fingerprint scanners 80
percent of the time with a gelatin finger created
from a latent (invisible to the naked eye) print
on a drinking glass

59
802.11 Wireless LAN Security
60
802.11 Wireless LAN (WLAN) Security

802.11 Wireless LAN Family of Standards
Basic Operation (Figure 2-12 on next slide)
Main wired network for servers (usually 802.3
Ethernet)
Wireless stations with wireless NICs
Access points
Access points are bridges that link 802.11 LANs
to 802.3 Ethernet LANs

61
802.11 Wireless LAN
802.11 Frame Containing Packet
(3)
(1)
62
802.11 Wireless LAN
(2)
802.3 Frame Containing Packet
(1)
(3)
63
802.11 Wireless LAN (WLAN) Security

Basic Operation
Propagation distance farther for attackers than
users
Attackers can have powerful antennas and
amplifiers
Attackers can benefit even if they can only read
some messages
Dont be lulled into complacency by internal
experiences with useable distances

64
802.11 Wireless LAN Standards
Standard
Rated Speed (a)
Unlicensed Radio Band
Effective Distance (b)
802.11b
11 Mbps
2.4 GHz
30-50 meters
802.11a
54 Mbps
5 GHz
10-30 meters
802.11g
54 Mbps
2.4 GHz
?
Notes (a) Actual speeds are much lower and
decline with distance. (b) These are distances
for good communication attackers can read some
signals and send attack frames from longer
distances.
65
802.11 Wireless LAN (WLAN) Security

Apparent 802.11 Security
Spread spectrum transmission does not provide
security
Signal is spread over a broad range of
frequencies
Methods used by military are hard to detect
802.11 spread spectrum methods are easy to detect
so devices can find each other
Used in 802.11 to prevent frequency-dependent
propagation problems rather than for security

66
802.11 Wireless LAN (WLAN) Security

Apparent 802.11 Security
SSIDs
Mobile devices must know the access points
service set identifier (SSID) to talk to the
access point
Usually broadcast frequently by the access point
for ease of discovery, so offers no security.
Sent in the clear in messages sent between
stations and access points

67
802.11 Wireless LAN (WLAN) Security

Wired Equivalent Privacy (WEP)
Biggest security problem Not enabled by default
40-bit encryption keys are too small
Nonstandard 128-bit (really 104-bit) keys are
reasonable interoperable

68
802.11 Wireless LAN (WLAN) Security

Wired Equivalent Privacy (WEP)
Shared passwords
Access points and all stations use the same
password
Difficult to change, so rarely changed
People tend to share shared passwords too widely
Flawed security algorithms
Algorithms were selected by cryptographic
amateurs

69
802.11 Wireless LAN (WLAN) Security

802.1x and 802.11i (Figure 2-14)
Authentication server
User data server
Individual keys give out at access point

70
802.1x Authentication for 802.11i WLANs
RADIUS Server
2. Pass on Request to RADIUS Server
1. Authentication Data
4. Accept Applicant KeyXYZ
5. OK Use Key XYZ
3. Get User Lees Data (Optional RADIUS Server
May Store This Data)
Directory Server or Kerberos Server
71
802.11 Wireless LAN (WLAN) Security

802.1x and 802.11
Control access when the user connects to the
network
At a wired RJ-45 jack
At a wireless access point
802.1x is a general approach to port
authentication
802.11i is the implementation of 802.1x on 802.11
wireless LANs

72
802.11 Wireless LAN (WLAN) Security

802.1x and 802.11
Extensible Authentication Protocol (EAP)
Supports multiple forms of authentication
EAP-TLS
EAP-TTLS
PEAP

73
802.11 Wireless LAN (WLAN) Security

802.1x and 802.11
Extensible Authentication Protocol (EAP)
Authentication mechanisms
Passwords
Simple and inexpensive to implement
Low security
Digital Certificate
Complex and expensive to install digital
certificates on many devices
Very strong authentication

74
802.11 Wireless LAN (WLAN) Security
Client Authentication Access Point Authentication Comment
EAP-TLS Digital Certificate orNothing at all Digital Certificate Expensive client authentication or none
EAP-TTLS Password or other authentication method Digital Certificate Fits reality that many users have passwords
PEAP (Protected EAP) Password or other authentication method Digital Certificate Strong. Supported by Microsoft, Cisco, and RSA
75
802.11 Wireless LAN (WLAN) Security

TLS
The default for 802.11i security but choice of
either digital certificates for clients or no
client authentication is undesirable
PEAP and TTLS
Very similar in terms of the authentication
methods they support
PEAP is supported by Microsoft, Cisco, and RSA
TTLS is supported by a consortium of other vendors

76
802.11 Wireless LAN (WLAN) Security

802.1x and 802.11i (Figure 2-14)
After authentication, the client must be given a
key for confidentiality
Temporal Key Integrity Protocol (TKIP) is used in
802.11i and 802.1x
Key changed every 10,000 frames to foil data
collection for key guessing
This is an Advanced Encryption Standard (AES) key

77
Wi-Fi and WPA

Wi-Fi Alliance
Industry group that certifies 802.11 systems
Created the Wi-Fi Protected Access (WPA) system
in 2002
WPA is basically 802.11i
But does not use AES keys
Many installed wireless products can be upgraded
to WPA
Stop-gap measure before 802.11i

78
802.11i Today

802.11i standard was released in July 2004
But products started appearing in 2003
What must firms do?
Throw out WEP-only products
In security, legacy technologies are not
acceptable
Decide if it can have WPA and 802.11i products
co-exist

79
802.11 Wireless LAN (WLAN) Security

Virtual Private Networks (VPNs)
Add security on top of network technology to
compensate for WLAN weaknesses
Discussed in Chapter 8

WLAN, etc.
VPN
80
The Situation Today in Wireless Security

Wireless security is poor in most installations
today
The situation is improving, and technology will
soon be good
But old installations are likely to remain weak
links in corporate security

81
Topics Covered

Policy-Driven Access Control
Identify resources
Create an access policy for each
Let the policy drive implementation and testing

82
Topics Covered

Password-Based Access Control
Reusable passwords are inexpensive because built
into servers
Usually weak because people often pick cracked
passwords
Hacking root is a key goal
Password resets are necessary but dangerous

83
Topics Covered

Building Security
Single point of (normal) entry to building
Fire doors, etc. use CCTV and alarms
Security centers
Interior doors locked (but piggybacking)
Dumpster diving control
Securing building wiring, including
telecommunications closets

84
Topics Covered

Access Cards and Tokens
Magnetic strip cards
Smart cards with CPU and Memory
Tokens
Tokens with constantly-changing passwords
Tokens that plug into USB ports
Proximity cards with radio communication
Pins can be short because of manual entry

85
Topics Covered

Biometric Authentication
Can replace reusable passwords
Fingerprint scanning dominates biometrics
Inexpensive, somewhat secure
Iris recognition is more precise
Face recognition can be done surreptitiously
Identification vs verification vs watch list
FARs and FRRs
Often easily deceived by attackers

86
Topics Covered

802.11 Wireless LAN Security
Signals travel outside building, allowing
drive-by hacking
Initial security was WEP
Often not even turned on
Very easily cracked because uses shared static
key for both confidentiality and authentication
Some firms added passwords and/or VPNs to allow
secure communication anyway

87
Topics Covered