Information Systems 365 Lecture Six -- Access Control

Post on 14-Feb-2017


Information Security 365/765, Fall Semester, 2016

Course Instructor, Nicholas Davis

Lecture 6, Access Control

Today’s Agenda

• Watch a short video about password recovery methods, and why they are difficult to implement

• Class exercise / feedback about FBI guest speaker during previous class session

• Talk about access controls (most of lecture)

• Talk about exam review dates, and why exam review matters

• Eat sugary, chocolaty, peanut buttery snacks (Kit Kat and Reese’s Peanut Butter Cups)

05/01/23 UNIVERSITY OF WISCONSIN 2

Today, We Are Going 100% Angry Birds

• Identification methods and technologies

• Authentication methods, models and technologies

• Discretionary, Mandatory and Non-Mandatory Models

• Accountability, monitoring and auditing practices

• Possible threats to access control practices and technologies


Review Session For Exam: October 13th (evening) or October 18th (in class)

I will give you a printed handout with 50 sample questions on it. I will ask questions, and members of the class will discuss and then tell me what they believe the best answer for each question is. The REAL exam questions will look very, very, very, very, very, very similar to the practice, perhaps even identical.


Let’s Talk About the FBI Agent’s Visit

The Government Is Often Referred to as Big Brother

Government is Big Brother

LexisNexis is Little Brother

Opinion of Nicholas Davis, Course Instructor

• The biggest threat to the privacy of people is the private sector

• LexisNexis and others collect information about people which has a great impact on their lives, when sold to third parties

• As business leaders of the future, it is important for you not to engage in the modern day equivalent of Redlining

Redlining

“Redlining” is the practice of denying services, either directly or through selectively raising prices, to residents of certain areas based on the racial or ethnic makeups of those areas. The term "redlining" was coined in the late 1960s by John McKnight, a sociologist and community activist. It refers to the practice of marking a red line on a map to delineate the area where banks would not invest; later the term was applied to discrimination against a particular group of people (usually by race or sex) irrespective of geography.

Redlining: IS Professionals Are the First Line of Defense Against This Practice

The Big Data is out there. As information security professionals, it will be your job to ensure proper access control, so that data can’t be misused against your potential customers. If you suspect that your corporate data is being used for modern day Redlining, alert senior management. You will have first hand knowledge of what your company is doing with its data. As IT security professionals, YOU are the Redlining canary in the coal mine. If you see something, say something, discreetly and professionally, to senior management.

Redlining Map Example

A HOLC 1936 security map of Philadelphia showing redlining of lower income neighborhoods. Households and businesses in the red zones could not get mortgages or business loans.

Exciting Team Exercise (5 teams)

1. What were your overall impressions about FBI Special Agent Franz’s lecture?

2. What did you take away from his session, which you believe you may be able to apply in the workplace, after you graduate?

3. Why do you think there is so much cyber-espionage, even though it is apparent that people know it is a real threat?

4. What did you like the most, and dislike the most about his lecture?

5. Based on Tuesday’s experience and your existing knowledge, would you consider the FBI a friend of corporations or not? What about individuals? Provide reasons for your opinion.

Access Controls (Really Boring Diagram)

The selective restriction of access to a resource. This can be applied to people, machines, or processes.

Access Controls: Much Easier to Understand the Graphic With an Angry Bird

Identification, Authentication, Authorization and Accountability

• Identification – who you say you are

• Authentication – verifying that you are who you claim to be

• Authorization – decision of what you are allowed to access, read, change, add, delete

• Accountability – proof of what a person, process or Angry Bird has done

Race Condition

A race condition is when an attacker tries to perform an act without first being authorized: trying to perform things out of order.

For example, in Angry Birds, a race condition could be if you attempt to access level three before the computer can verify that you have finished completing level two.

A race condition in real life might be a person submitting an online database query directly in the browser’s address bar, instead of authenticating first and then using the provided GUI to submit a query.

The reason for this is to attempt to access information above the access level assigned to an identity.
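The defence against the out-of-order access described above is to have the server track state and check every request itself. This is an added example, not code from the lecture; the user name, the password and the level numbers are constructed sample values.

```python
import hmac

# Added example (not from the lecture): the server enforces the order of steps
# itself, so a request that skips authentication or a prerequisite level is
# refused no matter what the client GUI would have allowed. The password,
# level numbers and user name are constructed sample values.

class AccessDenied(Exception):
    pass

class Session:
    def __init__(self, user):
        self.user = user
        self.authenticated = False
        self.completed_levels = set()   # server-side record, not client state

    def authenticate(self, password):
        # Constructed credential; a real system compares against a stored hash.
        if hmac.compare_digest(password, "correct-horse"):
            self.authenticated = True
        return self.authenticated

def require_auth(session):
    if not session.authenticated:
        raise AccessDenied("authenticate first")

def enter_level(session, level):
    """Level n opens only after the server has recorded level n-1 as finished."""
    require_auth(session)
    if level > 1 and (level - 1) not in session.completed_levels:
        raise AccessDenied(f"level {level - 1} not finished")
    return f"level {level} loaded"

def finish_level(session, level):
    require_auth(session)
    session.completed_levels.add(level)

def run_query(session, query):
    """The query handler checks the session itself instead of trusting the GUI."""
    require_auth(session)
    return f"results for {query!r} as {session.user}"

def try_action(fn, *args):
    """Return the action's result, or the reason it was denied."""
    try:
        return fn(*args)
    except AccessDenied as exc:
        return f"denied: {exc}"
```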

Identification vs. Authentication Reminder

Username = identification (claim)

Password = authentication (proof of claim)

Let’s Talk Yahoo For a Minute

Let’s Talk Yahoo Attack

So, everyone knows about the Yahoo loss of 500 million usernames and passwords, but there are two issues I want to mention.

1. The passwords stolen were encrypted, and cracking 500 million of them will take a very long time, which is probably why only a representative sample of hacked usernames and passwords has been made public. Many of the news stories do not mention that important fact.

2. Any organization which uses an email address as a primary login identifier is asking for trouble. Username and password together act as an access key. When half of that key is already well known, you are giving an attacker half of what they are seeking. I 100% understand the ease of use and customer support efficiency of this practice. However, I do not believe the trade off in security is worth it. To some degree, I am making an argument of security through obscurity, which runs contrary to my core beliefs. I am not trying to generally advocate for security through obscurity. However, I am saying that in this specific situation of username and password, common sense dictates that using the left hand side of your email address as a person's login name does indeed make life much easier for someone who desires to compromise the account. Whether we like it or not, username and password is an entrenched technology. I agree it needs to be replaced. However, for the present, people need to do what they can, with the tools available, to make accounts less easy to compromise. The first step is to disassociate the login account name from the email address, in my opinion.

Summary: Being lazy with credentials is just as bad a practice as Security Through Obscurity.

Summary: It is bad security practice (in my opinion) to advertise account usernames/login names.

Account Password Recovery

Usually done in one of two ways:

1. A link can be sent to a pre-designated and verified email address

2. The user can answer a set number of security questions. This is knowledge-based authentication.

Questions are difficult to create, because they should be easy to remember, known only to the account holder (not public knowledge), unlikely to change and difficult to guess.

Nothing is Funnier Than Truth

https://www.youtube.com/watch?v=tMEjpXJZgIA

Security Questions UCB comedy

Common Access Control Questions

Centralized Identity Management vs. Federated

Centralized Identity Management – a single entity is responsible for authentication and authorization; Facebook, for example.

Federated Identity Management – a set number of various organizations are deemed “trusted”; for example, Eduroam.

Eduroam: A Federated Model

Benefits and Drawbacks of Centralized vs. Federated Model

Centralized authentication gives the system owner very strong and assured control, but only over a very select universe of people. Federated authentication has less assurance, but covers a wider universe of people. Which you choose depends on the service you are offering.

Three Types of Authentication

• Something you know – password

• Something you have – one-time passcode generator

• Something you are – biometrics: palm, hand, fingerprint, retina, iris, speech pattern and tone

Methods to Steal Passwords

• Electronic monitoring

• Access the password file

• Brute force attacks

• Dictionary attacks

• Social engineering

• Rainbow Tables – We will demonstrate a Rainbow Table tool in class, on Thursday! You will be amazed!

Solutions to Password Attacks

• Password aging – expire passwords at set intervals

• Limit login attempts – 3 attempts in a row, then lock the account for an hour

• Require use of a passphrase instead of a simple password, to defeat brute force and dictionary attackers

Authorization in Greater Detail

Default to no access if you can’t authenticate the individual, or if you can’t determine what they should have access to once they are authenticated.

Authorization Decisions Are Based Upon

• Roles – manager, analyst, Bad Pig, etc.

• Groups – Accounting, Finance, Marketing, Angry Birds, etc.

• Physical or logical location – United States, on our network, etc.

• Time of day – no work after 6 PM

• Transaction type – transfer in allowed, transfer out not allowed
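The factors above, together with the "default to no access" rule from the previous slide, combine into one check that must pass every test before it allows anything. This is an added example, not from the lecture; the role, group, country and transaction names are a constructed sample policy.

```python
from dataclasses import dataclass, field

# Added example, not from the lecture: a default-deny authorization check that
# combines role, group, location, time of day and transaction type. The sample
# policy (finance analysts/managers, US, corporate network, 8-18h) is constructed.

@dataclass
class Principal:
    name: str
    authenticated: bool
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

@dataclass
class Request:
    transaction: str        # e.g. "transfer_in", "transfer_out"
    country: str            # physical location
    on_corporate_net: bool  # logical location
    hour: int               # 0-23, local time

def authorize(p: Principal, r: Request) -> tuple:
    """Every factor must pass; anything not explicitly allowed is denied."""
    if not p.authenticated:
        return (False, "not authenticated")
    if not (p.roles and p.groups):
        return (False, "no role or group assigned")   # default to no access
    if "analyst" not in p.roles and "manager" not in p.roles:
        return (False, "role not permitted")
    if "finance" not in p.groups:
        return (False, "group not permitted")
    if r.country != "US" or not r.on_corporate_net:
        return (False, "outside permitted location")
    if not 8 <= r.hour < 18:                          # no work after 6 PM
        return (False, "outside working hours")
    if r.transaction == "transfer_in":
        return (True, "allowed")
    if r.transaction == "transfer_out":
        return (False, "transfer out not allowed")
    return (False, "unknown transaction type")        # unlisted = denied
```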

Things to Keep in Mind

• Beware of Authorization Creep – Why does the bird who has worked here 20 years seem to have access to everything?

• Single Sign On (SSO) – Everyone wants it, nobody has it. Saves time and money, and keeps people from picking easy passwords, because they only have to remember one…. SSO is a nice dream.

Keep Domains Discrete: Shared Network Drive Example

Discretionary Access Control

The user who creates the file may decide who has access to it

Mandatory Access Control

The system makes the choices, and the user who created the file has no control

Based on clearance level

Role Based Access Control

Based on the role which a user holds within a company (President, Manager, Analyst, etc.). For example, King Pig is allowed to view everything.
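The three models from the last three slides (discretionary, mandatory and role based) side by side, as an added example that is not part of the lecture. The users, file, clearance levels and role table are constructed; the MAC rules follow the usual Bell-LaPadula "no read up, no write down" formulation, which is an assumption beyond the slide's "based on clearance level".

```python
# Added example, not from the lecture. DAC: the file's owner decides who gets
# access. MAC: the system compares clearance with classification and the owner
# has no say. RBAC: permissions come from the role. All data is constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

class File:
    def __init__(self, name, owner, classification):
        self.name = name
        self.owner = owner
        self.classification = classification
        self.acl = {owner: {"read", "write"}}   # DAC: owner starts with full rights

def dac_grant(actor, f, user, perm):
    """Discretionary: only the owner may change the ACL."""
    if actor != f.owner:
        return False
    f.acl.setdefault(user, set()).add(perm)
    return True

def dac_allowed(user, f, perm):
    return perm in f.acl.get(user, set())

def mac_allowed(clearance, f, perm):
    """Mandatory: read only at or below your clearance (no read up), write only
    at or above it (no write down); the owner cannot override either rule."""
    c, k = LEVELS[clearance], LEVELS[f.classification]
    return (perm == "read" and c >= k) or (perm == "write" and c <= k)

ROLE_PERMS = {
    "king_pig": {"read", "write", "delete"},   # may view everything
    "manager": {"read", "write"},
    "analyst": {"read"},
}

def rbac_allowed(role, perm):
    """Role based: an unknown role has no permissions at all."""
    return perm in ROLE_PERMS.get(role, set())
```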

Role Based Access Control is Visible

Restrained User Interfaces – Depending upon your role, you can only see certain options (gray vs. illuminated buttons on a screen)

Access Control Layers

Can be:

• Physical – Locked doors to sensitive areas

• Technical – Role based or authorization based access control

• Administrative – Rules about what employees may and may not look at

The Importance of Employee Awareness of Auditing

Make certain that employees know that you may be continually auditing access logs.

This knowledge alone can stop a lot of issues in relation to unauthorized access attempts.

Major Categories of Access Controls

• Deterrent – A warning on a website, forbidding unauthorized access

• Preventive – Username and password controlled access

• Detective – logs are audited in real-time and an alarm goes off after 10 incorrect login attempts

There are four other categories of access controls, but they are not important for our discussion.
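The preventive control from the "Solutions to Password Attacks" slide (3 failures in a row lock the account for an hour) and the detective control above (alarm after 10 incorrect attempts) can be seen working together when replayed over a login log. This is an added example, not from the lecture; the log lines, account names and the `OK`/`FAIL` log format are constructed.

```python
from datetime import datetime, timedelta

# Added example, not from the lecture: a preventive lockout (3 consecutive
# failures lock the account for an hour) beside a detective alarm (10 incorrect
# attempts), both replayed over constructed sample log lines.

LOCK_AFTER, LOCK_FOR, ALARM_AFTER = 3, timedelta(hours=1), 10

class LoginGuard:
    def __init__(self):
        self.streak = {}        # account -> consecutive failures (preventive)
        self.locked_until = {}  # account -> datetime the lock expires
        self.bad = {}           # account -> all unsuccessful attempts (detective)
        self.alarms = []

    def attempt(self, when, account, success):
        """Decide one login event: allowed, failed, lockout or locked."""
        until = self.locked_until.get(account)
        if until and when < until:
            decision = "locked"             # refused; password not even checked
        elif success:
            self.streak[account] = 0
            return "allowed"
        else:
            n = self.streak[account] = self.streak.get(account, 0) + 1
            decision = "failed"
            if n >= LOCK_AFTER:
                self.locked_until[account] = when + LOCK_FOR
                self.streak[account] = 0
                decision = "lockout"
        # Detective: every unsuccessful attempt, locked or not, is audited.
        total = self.bad[account] = self.bad.get(account, 0) + 1
        if total == ALARM_AFTER:
            self.alarms.append(f"{when:%H:%M} {account}: {total} incorrect attempts")
        return decision

# Constructed log: eleven failures against "pig" a minute apart, then two successes.
SAMPLE_LOG = [f"2016-10-06T10:{m:02d}:00 pig FAIL" for m in range(11)] + [
    "2016-10-06T10:11:00 bird OK",
    "2016-10-06T11:05:00 pig OK",
]

def replay(lines):
    """Parse 'ISO-timestamp account OK|FAIL' lines; return decisions and alarms."""
    guard = LoginGuard()
    decisions = []
    for line in lines:
        ts, account, result = line.split()
        decisions.append(guard.attempt(datetime.fromisoformat(ts), account, result == "OK"))
    return decisions, guard.alarms
```

Note that attempts made while the account is locked still count toward the alarm: the lockout stops the guessing, and the audit trail is what tells you it happened.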

Next Lecture Topic: Security Architecture

Final thought:

The blue Angry Birds are the worst Angry Birds

Have a fun and safe weekend! See you Tuesday!
