From: Harris, Shon. All In One CISSP Exam Guide, 3rd Edition ...

From: Harris, Shon. All In One CISSP Exam Guide, 3rd Edition, McGraw-Hill, 2005.

1

IT 4823 – Information Security Administration

Chapter 4: Access Control, Part 1Summer 2006, Feibish


2

Access Control

This chapter presents the following: • Identification methods and technologies • Authentication methods, models, and technologies • Discretionary, mandatory, and nondiscretionary

models • Accountability, monitoring, and auditing practices • Emanation security and technologies • Intrusion detection systems • Possible threats to access control practices and

technologies


3

Overview

Definition: Access controls are security features that control how users and systems communicate and interact with other systems and resources.

They protect the systems and resources from unauthorized access and can be a component that participates in determining the level of authorization after an authentication procedure has successfully completed.


4

Definitions

Access is the flow of information between a subject and an object

A subject is an active entity that requests access to an object or the data within an object.

An object is a passive entity that contains information. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database

Access control is a broad term that covers several different types of mechanisms that enforce access control features on computer systems, networks, and information.


5

Figure 4-1


6

Security Principles Availability

Fault tolerance, recovery, continuity, user productivity Information has various attributes, such as accuracy, relevance,

timeliness, and privacy.

Integrity Accurate, complete, and protected from unauthorized modification Illegitimate modifications must alert the user

Confidentiality information is not disclosed to unauthorized individuals, programs, or

processes. Some information is more sensitive than other information It is important for a company to identify the data that needs to be

classified, so that the company can ensure that a top priority of security protects this information and keeps it confidential.


7

Identification, Authentication, and Authorization Identification describes a method of ensuring that a

subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a

username or account number.

To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase,

cryptographic key, personal identification number (PIN), anatomical attribute, or token


8

Identification, Authentication, and Authorization Authentication

After authentication System checks some kind of access control matrix or

security labels If system determines authenticated subject may acces

the resource, it authorizes the subject.

Accountability Subject must be uniquely identified Subject’s actions must be recorded


9

Logical Access Controls

Def: tools used for identification, authentication, authorization, and accountability

May be embeded within OS, apps, add-on security packages, database, or telecommunication management systems.


10

Fig 4-2: IAAA


11

Authentication

3 general factors: Something a person knows

Password, PIN, maiden name, combination, etc. Disadvantage: information can be lost/stolen

Something a person has Key, swipe card, access card, badge Disadvantage: token can be lsot or stolen

Something a person is Physical attribute (biometrics)


12

Strong authentication

Also known as two-factor authentication

Must provide 2 of the 3 general categories of authentication

For example Password AND employee badge Key card AND fingerprint


13

Identification component requirements

When issuing identification values to users, the following should be in place:

Each value should be unique, for user accountability.

A standard naming scheme should be followed.

The value should be nondescriptive of the user’s position or tasks.

The value should not be shared between users.


14

Identity management

Identity management is a broad term that encompasses the use of different products to identify, authenticate, and authorize users through automated means.

Should provide the following services: • User provisioning • Password synchronization and resetting • Self service for users on specific types of activities • Delegation of administrative tasks • Centralized auditing and reporting • Integrated workflow and increase in business productivity • Decrease in network access points • Regulatory compliance


15

Authentication Methods

Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification.

False rejection is called a Type I error False acceptance is called a Type II error

Type II errors are the MOST DANGEROUS and must be avoided!


16

CER: Crossover Error Rate

Stated as a percentage Point at which false rejection = false acceptance The lower the CER, the better Used for comparing various biometric tools


17

Biometric: barriers to implementation

Most expensive method of verifying identity User acceptance Enrollment timeframe Throughput


18

Different types of biometric systems[Review from book] Fingerprint Palm Scan Hand Geometry Retina Scan Iris Scan Signature Dynamics Keyboard Dynamics Voice Print Facial Scan Hand Topography


19

Passwords

Should be strong and properly managed Generally considered one of the weakest

security mechanisms available (why?) Users typically don’t care – until there is a

problem Systems should enforce password policies


20

How are passwords attacked?

Electronic monitoring Access the password file Brute force attacks Dictionary attacks Social engineering

Protection mechanisms include password length, complexity, age, history, and clipping level


21

Protecting password

Password checkers (or crackers) – used by IT staff during a security audit

Password hashing/encryption – do not send cleartext password. (telnet? ftp? smtp? Syskey utility in Windows)

Aging, Limit logon attempts, etc.

Cognitive passwords Dynamic (one-time) passwords SecureID (proprietary, RSA Security Inc) Token Device

May be synchronous or asynchronous


22

Cryptographic keys

An alternative to passwords Private keys and digital signatures are more secure

than typical passwords Private key is held by owner Public key is provided to anyone without compromising

the associated private key Passphrase – string of characters longer than a

password. It is transforned into a virtual password. Memory Cards (for example, ATM stripe) Smart Card (contact or contactless)


23

Smart Cards


24

Smart card attacks fault generation: intentional intruction of computational errors

to expose encryption keys Side-channel attacks are nonintrusive and are used to uncover

sensitive information about about how a component works without trying to compromise any type of flaw or weakness differential power analysis - examining the power

emissions that are released electromagnetic analysis examining the frequencies that

are emitted timing - how long a specific process takes to complete

Software attacks: input instructions into the card that will allow for the attacker to extract account information

Microprobing uses needles to remove the outer protective material on the card’s circuits, by using ultrasonic vibration. Once this is completed, then data can be accessed and manipulated by directly tapping into the card’s ROM chips


25

Authorization

Criteria: Roles (job function) Groups Physical or logical location Time of day (temporal isolatino) Transaction type

Know: Authorization Creep Why is this a problem?


26

Access Levels

Default to No Access Safest, default is always “no access”

Need to Know individuals should be given access only to the

information that they absolutely require in order to perform their job duties

Single sign-on (SSO) Single password for access to many systems Problem: interoperability


27

SSO


28

SSO Technologies

• Kerberos Authentication protocol that uses a KDC and tickets, and is based on symmetric key cryptography

• SESAME Authentication protocol that uses a PAS and PACs, and is based on symmetric and asymmetric cryptography

• Security domains Resources working under the same security policy and managed by the same group

• Thin clients Terminals that rely upon a central server for access control, processing, and storage


29

Access Control Models

An access control model is a framework that dictates how subjects access objects.

3 main types: Discretionary Mandatory Nondiscretionary (or role-based)


30

Discretionary Access Control

A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources.

This means that users are allowed to specify what type of access can occur to the objects they own.

Does not lend itself to a centrally controlled environment

Most of the operating systems that you may be used to dealing with are based on DAC models, such as all Windows, Linux, and Macintosh


31

Mandatory Access Control

The operating system makes the final decision and can override the users’ wishes

This model is much more structured and strict and is based on a security label system

Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way.

The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.

Note: “Security Label” = “Sensitivity Label”


32

Role-Based Access Control

Centrally administrated set of controls to determine how subjects and objects interact

based on the role the user holds within the company

This means that if you are assigned only to the Contractor role in a company, there is nothing you can do about it.

Best for companies with high turnover


33

Access Control Models - review


34

Access Control Techniques/Technolgoies Once an organization determines what type

of access control model it is going to use,it needs to identify and refine its technologies and techniques to support the model.


35

Rule-Based Access Control

uses specific rules that indicate what can and cannot happen between a subject and an object.

It is based on the simple concept of “if X then Y” programming rules, which can be used to provided finer-grained access control to resources.

Rule-based access control is not necessarily identity-based.

Traditionally, rule-based access control has been used in MAC

today, rule-based access is used in other types of systems and applications,as well. (firewalls)


36

Constrained User Interfaces

Restrict users’ access abilities by not allowing them to request certain functions or information

3 types: Menus and shells Database views Physically constrained interfaces (provide

only certain keys, hiding buttons,etc)


37

Access Control Matrix

Table of subjects and objects indicating what actions individual subjects can take upon individual objects.

Usually an attribute of DAC models.


38

Capability Table vs. ACL

A capability table is bound to a subject, whereas an ACL is bound to an object.


39

Conent vs. Context dependent access control In Content-dependent access control, access to

objects is determined by the content within the object. Example: Content-dependent filtering is used when corporations

employ e-mail filters that look for specific strings, such as “confidential”, “social security number”, “top secret”, and any other types of words that the company deems unacceptable.

Context-dependent access control differs from content-dependent access control in that it makes access decisions based on the context of a collection of information rather than on the sensitivity of the data. Example: SPI firewall, SYN?ACK


40

Review: Access Control Techniques

• Access control matrix Table of subjects and objects that outlines their access relationships

• ACL Bound to an object and indicates what subjects can access it

• Capability table Bound to a subject and indicates what objects that subject can access

• Content-based access Bases access decisions on the sensitivity of the data, not solely on subject identity

• Context-based access Bases access decisions on the state of the situation, not solely on identity or content sensitivity

• Restricted interface Limits the user’s environment within the system, thus limiting access to objects

• Rule-based Restricts subjects’ access attempts by predefined rules


41

Next: Access Control Administration

Centralized vs. Decentralized

centralized access control administration: one entity (department or individual) is responsible for overseeing access to all corporate resources.

decentralized access control administration method gives control of access to the people closer to the resources—e.g. functional manager


42

Centralized Access Control

Consistent and uniform across organization Strict, but can be slow Uses AAA protocols – “authentication,

authorization, and auditing” RADIUS TACACS, TACACS+, XTACACS

Terminal Access Controller Access Control System

Diameter


43

Next…

We will look at the the technical details of these protocols and continue chapter 4.


44

Questions?

From: Harris, Shon. All In One CISSP Exam Guide, 3rd Edition ...

Documents

Transcript of From: Harris, Shon. All In One CISSP Exam Guide, 3rd Edition ...