Information Systems 365 Lecture Six -- Access Control

Information Security 365/765, Fall Semester, 2016 Course Instructor, Nicholas Davis Lecture 6, Access Control

Transcript of Information Systems 365 Lecture Six -- Access Control

Page 1: Information Systems 365 Lecture Six -- Access Control

Information Security 365/765, Fall Semester, 2016

Course Instructor, Nicholas Davis

Lecture 6, Access Control

Page 2: Information Systems 365 Lecture Six -- Access Control

Today’s Agenda

• Watch a short video about password recovery methods, and why they are difficult to implement

• Class exercise / feedback about FBI guest speaker during previous class session

• Talk about access controls (most of lecture)

• Talk about exam review dates, and why exam review matters

• Eat sugary, chocolaty, peanut buttery snacks (Kit Kat and Reese’s Peanut Butter Cups)

05/01/23 UNIVERSITY OF WISCONSIN 2

Page 3: Information Systems 365 Lecture Six -- Access Control

Today, We Are Going 100% Angry Birds

• Identification methods and technologies

• Authentication methods, models and technologies

• Discretionary, Mandatory and Non-Mandatory Models

• Accountability, monitoring and auditing practices

• Possible threats to access control practices and technologies

Page 4: Information Systems 365 Lecture Six -- Access Control

Review Session For Exam: October 13th Evening or October 18th (in class)

I will give you a printed handout with 50 sample questions on it. I will ask questions, and members of the class will discuss and then tell me what they believe the best answer for each question is. The REAL exam questions will look very, very, very, very, very, very similar to the practice, perhaps even identical.

Page 5: Information Systems 365 Lecture Six -- Access Control

Let’s Talk About the FBI Agent’s Visit

The Government Is Often Referred to as Big Brother

Page 6: Information Systems 365 Lecture Six -- Access Control

Government is Big Brother

LexisNexis is Little Brother

Page 7: Information Systems 365 Lecture Six -- Access Control

Opinion of Nicholas Davis, Course Instructor

• The biggest threat to the privacy of people is the private sector

• LexisNexis and others collect information about people which has a great impact on their lives, when sold to third parties

• As business leaders of the future, it is important for you not to engage in the modern day equivalent of Redlining

Page 8: Information Systems 365 Lecture Six -- Access Control

Redlining

“Redlining” is the practice of denying services, either directly or through selectively raising prices, to residents of certain areas based on the racial or ethnic makeups of those areas. The term "redlining" was coined in the late 1960s by John McKnight, a sociologist and community activist. It refers to the practice of marking a red line on a map to delineate the area where banks would not invest; later the term was applied to discrimination against a particular group of people (usually by race or sex) irrespective of geography.

Page 9: Information Systems 365 Lecture Six -- Access Control

Redlining: IS Professionals Are the First Line of Defense Against This Practice

The Big Data is out there. As information security professionals, it will be your job to ensure proper access control, so that data can’t be misused against your potential customers. If you suspect that your corporate data is being used for modern day Redlining, alert senior management. You will have first hand knowledge of what your company is doing with its data. As IT security professionals, YOU are the Redlining canary in the coal mine. If you see something, say something, discreetly and professionally, to senior management.

Page 10: Information Systems 365 Lecture Six -- Access Control

Redlining Map Example

A HOLC 1936 security map of Philadelphia showing redlining of lower income neighborhoods. Households and businesses in the red zones could not get mortgages or business loans.

Page 11: Information Systems 365 Lecture Six -- Access Control

Exciting Team Exercise (5 teams)

1. What were your overall impressions about FBI Special Agent Franz’s lecture?

2. What did you take away from his session, which you believe you may be able to apply in the workplace, after you graduate?

3. Why do you think there is so much cyber-espionage, even though it is apparent that people know it is a real threat?

4. What did you like the most, and dislike the most about his lecture?

5. Based on Tuesday’s experience and your existing knowledge, would you consider the FBI a friend of corporations or not? What about individuals? Provide reasons for your opinion.

Page 12: Information Systems 365 Lecture Six -- Access Control

Access Controls

Really Boring Diagram

The selective restriction of access to a resource. This can be applied to people, machines, or processes.

Page 13: Information Systems 365 Lecture Six -- Access Control

Access Controls

Much More Easy to Understand the Graphic With an Angry Bird

Page 14: Information Systems 365 Lecture Six -- Access Control

Identification, Authentication, Authorization and Accountability

Identification – Who you say you are

Authentication – verifying that you are who you claim to be

Authorization – decision of what you are allowed to access, read, change, add, delete

Accountability – proof of what a person, process or Angry Bird has done

Page 15: Information Systems 365 Lecture Six -- Access Control

Race Condition

A race condition is when an attacker tries to perform an act without first being authorized: trying to perform things out of order.

For example, in Angry Birds, a race condition could be if you attempt to access level three before the computer can verify that you have finished completing level two.

A race condition in real life might be a person submitting an online database query in the search bar of the browser directly, instead of authenticating first and then using the provided GUI to submit a query.

The reason for this is to attempt to access information above the access level assigned to an identity.

Page 16: Information Systems 365 Lecture Six -- Access Control

Identification vs. Authentication Reminder

Username = identification (claim)

Password = authentication (proof of claim)

Page 17: Information Systems 365 Lecture Six -- Access Control

Let’s Talk Yahoo For a Minute

Page 18: Information Systems 365 Lecture Six -- Access Control

Let’s Talk Yahoo Attack

So, everyone knows about the Yahoo loss of 500 million usernames and passwords, but there are two issues I want to mention.

1. The passwords stolen were encrypted, and cracking 500 million of them will take a very long time, which is probably why only a representative sample of hacked usernames and passwords has been made public. Many of the news stories do not mention that important fact.

2. I wanted to mention that any organization which uses an email address as a primary login identifier is asking for trouble. Username and password together act as an access key. When half of that key is already well known, you are giving an attacker half of what they are seeking. I 100% understand the ease of use and customer support efficiency of this practice. However, I do not believe the trade-off in security is worth it. To some degree, I am making an argument of security through obscurity, which runs contrary to my core beliefs. I am not trying to generally advocate for security through obscurity. However, I am saying that in this specific situation of username and password, common sense dictates that using the left hand side of your email address as a person's login name does indeed make life much easier for someone who desires to compromise the account. Whether we like it or not, username and password is an entrenched technology. I agree it needs to be replaced. However, for the present, people need to do what they can, with the tools available, to make accounts less easy to compromise. The first step is to disassociate login account name from email address, in my opinion.

Summary: Being lazy with credentials is just as bad a practice as Security Through Obscurity

3. Summary: It is bad security practice (in my opinion) to advertise account usernames/login names

Page 19: Information Systems 365 Lecture Six -- Access Control

Account Password Recovery

Usually done in one of two ways:

1. A link can be sent to a pre-designated and verified email address

2. The user can answer a set number of security questions. This is knowledge based authentication

3. Questions are difficult to create, because they should be easy to remember, known only to the account holder (not public knowledge), be unlikely to change and difficult to guess

Page 20: Information Systems 365 Lecture Six -- Access Control

Nothing is Funnier Than Truth

https://www.youtube.com/watch?v=tMEjpXJZgIA

Security Questions UCB comedy

Page 21: Information Systems 365 Lecture Six -- Access Control

Common Access Control Questions

Page 22: Information Systems 365 Lecture Six -- Access Control

Centralized Identity Management VS Federated

Centralized Identity Management – a single entity is responsible for authentication and authorization. Facebook, for example

Federated Identity Management – a set number of various organizations are deemed “trusted”. For example, Eduroam

Page 23: Information Systems 365 Lecture Six -- Access Control

Eduroam: A Federated Model

Page 24: Information Systems 365 Lecture Six -- Access Control

Benefits and Drawbacks of Centralized vs. Federated Model

Centralized authentication gives the system owner very strong and assured control, but only over a very select universe of people

Federated authentication has less assurance, but covers a wider universe of people

Which you choose depends on the service you are offering

Page 25: Information Systems 365 Lecture Six -- Access Control

Three Types of Authentication

Something you know – password

Something you have – one time pass code generator

Something you are – biometrics: palm, hand, fingerprint, retina, iris, speech pattern and tone

Page 26: Information Systems 365 Lecture Six -- Access Control

Methods to Steal Passwords

• Electronic monitoring

• Access the password file

• Brute force attacks

• Dictionary attacks

• Social engineering

• Rainbow Tables – We will demonstrate a Rainbow Table tool in class, on Thursday! You will be amazed!

Page 27: Information Systems 365 Lecture Six -- Access Control

Solutions to Password Attacks

• Password aging – expire password at set intervals

• Limit login attempts – 3 attempts in a row, then lock account for an hour

• Require use of a passphrase instead of a simple password, to defeat brute force and dictionary attackers
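An added Python example (not from the lecture) that puts the three countermeasures on this slide into one login routine: a slow salted hash so a stolen password file still has to be cracked, a lockout after 3 consecutive failures that lasts one hour, password aging, and a passphrase length minimum. The 90-day interval and 16-character minimum are assumed values, and the `Account` class, `demo()` scenario and account name are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                       # lecture: 3 failures in a row ...
LOCKOUT = timedelta(hours=1)           # ... then lock the account for an hour
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed aging interval (not from the lecture)
MIN_PASSPHRASE_LEN = 16                # assumed minimum (not from the lecture)


class Account:
    def __init__(self, username, passphrase, created):
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            raise ValueError("use a passphrase, not a short password")
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(passphrase, self.salt)
        self.password_set_at = created
        self.failures = 0      # consecutive failed attempts
        self.locked_until = None

    @staticmethod
    def _hash(passphrase, salt):
        # Slow, salted hash: a stolen password file still has to be cracked.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def login(self, passphrase, now):
        """Return 'ok', 'bad_password', 'locked' or 'password_expired'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"            # even a correct passphrase is refused
            self.locked_until, self.failures = None, 0   # lockout has elapsed
        if not hmac.compare_digest(self.pw_hash, self._hash(passphrase, self.salt)):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "bad_password"
        self.failures = 0
        if now - self.password_set_at > MAX_PASSWORD_AGE:
            return "password_expired"      # aging: force a change at set intervals
        return "ok"


def demo():
    # Constructed scenario: one account, seven attempts; returns the status list.
    t0 = datetime(2016, 9, 1, 9, 0)
    good = "correct horse battery staple"
    acct = Account("redbird", good, created=t0)
    attempts = [(good, t0), ("wrong", t0), ("wrong", t0), ("wrong", t0),
                (good, t0 + timedelta(minutes=30)),   # still inside the lockout hour
                (good, t0 + timedelta(hours=1)),      # lockout over
                (good, t0 + timedelta(days=91))]      # past the aging interval
    return [acct.login(p, when) for p, when in attempts]
```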

Page 28: Information Systems 365 Lecture Six -- Access Control

Authorization in Greater Detail

Default to no access, if you can’t authenticate the individual, or if you can’t determine what they should have access to once they are authenticated

Page 29: Information Systems 365 Lecture Six -- Access Control

Authorization Decisions Are Based Upon

• Roles – manager, analyst, Bad Pig, etc

• Groups – Accounting, Finance, Marketing, Angry Birds, etc

• Physical or logical location – United States, on our network, etc

• Time of day – no work after 6 PM

• Transaction type – Transfer in allowed, transfer out not allowed
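An added Python example (not part of the lecture) of an authorization check that follows the previous slide's rule of defaulting to no access and then applies each of the five decision factors above in turn: role, transaction type, group, location and time of day. The policy tables, the `authorize` function and the principals are constructed for the example, modelled on the slide's department and Angry Birds names.

```python
# Constructed policy tables modelled on the lecture's examples; none of these
# values come from a real system.
ROLE_ACTIONS = {
    "manager": {"view_report", "transfer_in", "transfer_out"},
    "analyst": {"view_report", "transfer_in"},
}
GROUP_RESOURCES = {
    "Accounting": {"ledger"},
    "Finance": {"ledger", "treasury"},
    "Marketing": {"campaigns"},
}
ALLOWED_COUNTRIES = {"US"}                # "United States, on our network"
WORKDAY_END_HOUR = 18                     # "no work after 6 PM"
BLOCKED_TRANSACTIONS = {"transfer_out"}   # "transfer in allowed, transfer out not"


def authorize(principal, action, resource, context):
    """Return (allowed, reason). Anything that is not an explicit allow is a deny."""
    # Default to no access: not authenticated, or we cannot tell what they may have.
    if not principal.get("authenticated"):
        return False, "not authenticated"
    role = principal.get("role")
    if role not in ROLE_ACTIONS:
        return False, f"unknown role {role!r}"
    # Role: which kinds of action this kind of user may take at all.
    if action not in ROLE_ACTIONS[role]:
        return False, f"role {role!r} may not {action!r}"
    # Transaction type: a blanket rule that overrides what the role would allow.
    if action in BLOCKED_TRANSACTIONS:
        return False, f"transaction type {action!r} is not allowed"
    # Group: which resources the user's departments can reach.
    reachable = set().union(*(GROUP_RESOURCES.get(g, set()) for g in principal.get("groups", ())))
    if resource not in reachable:
        return False, f"no group grants access to {resource!r}"
    # Physical or logical location: in the US, or on the corporate network.
    if context.get("country") not in ALLOWED_COUNTRIES and not context.get("on_corp_network"):
        return False, "outside permitted location"
    # Time of day: a missing hour is treated as after hours, i.e. denied.
    if context.get("hour", WORKDAY_END_HOUR) >= WORKDAY_END_HOUR:
        return False, "after hours"
    return True, "allowed"


def demo():
    # Constructed principal and request context for a quick walk-through.
    manager = {"authenticated": True, "role": "manager", "groups": ["Finance"]}
    office = {"country": "US", "on_corp_network": True, "hour": 10}
    return [authorize(manager, "view_report", "treasury", office),
            authorize(manager, "transfer_out", "treasury", office),
            authorize(manager, "view_report", "treasury", dict(office, hour=19)),
            authorize(dict(manager, groups=["Marketing"]), "view_report", "treasury", office)]
```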

Page 30: Information Systems 365 Lecture Six -- Access Control

Things to Keep in Mind

Beware of Authorization Creep – Why does the bird who has worked here 20 years seem to have access to everything?

Single Sign On (SSO) – Everyone wants it, nobody has it. Saves time, money and keeps people from picking easy passwords, because they only have to remember one…. SSO is a nice dream

Page 31: Information Systems 365 Lecture Six -- Access Control

Keep Domains Discrete: Shared Network Drive Example

Page 32: Information Systems 365 Lecture Six -- Access Control

Discretionary Access Control

The user who creates the file may decide who has access to it

Page 33: Information Systems 365 Lecture Six -- Access Control

Mandatory Access Control

The system makes the choices, and the user who created the file has no control

Based on clearance level

Page 34: Information Systems 365 Lecture Six -- Access Control

Role Based Access Control

Based on the role which a user holds within a company, President, Manager, Analyst, etc. For example, King Pig is allowed to view everything
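An added Python example (not from the lecture) contrasting the discretionary and mandatory models from the last three slides: under DAC the file's creator hands out access through an ACL, while under MAC the system compares the user's clearance with the file's classification and the owner's wishes carry no weight. The `File` class, the clearance ordering and the pig and bird names are constructed for the example; only read access is modelled.

```python
# Clearance ordering assumed for this example (constructed; the lecture only
# says mandatory access control is "based on clearance level").
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class File:
    def __init__(self, name, owner, classification):
        self.name = name
        self.owner = owner
        self.classification = classification
        self.acl = {owner: {"read", "write"}}  # DAC: the creator starts with full access


def dac_grant(f, granter, grantee, perm):
    """Discretionary: only the file's creator decides who else gets access."""
    if granter != f.owner:
        return False
    f.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_check(f, user, perm):
    """Discretionary: consult the ACL the owner built."""
    return perm in f.acl.get(user, set())


def mac_check(f, user_clearance):
    """Mandatory: the system compares clearance with classification and ignores
    the ACL entirely. Reading requires clearance at or above the file's label."""
    return LEVELS[user_clearance] >= LEVELS[f.classification]


def demo():
    # Constructed scenario: King Pig creates a secret file and tries to share it.
    plans = File("attack_plans.txt", owner="king_pig", classification="secret")
    dac_grant(plans, "king_pig", "minion_pig", "read")   # DAC lets the owner do this ...
    return {
        "dac_minion": dac_check(plans, "minion_pig", "read"),           # True
        "dac_bird": dac_check(plans, "red_bird", "read"),               # False
        "mac_minion_confidential": mac_check(plans, "confidential"),    # False: grant is irrelevant
        "mac_minion_secret": mac_check(plans, "secret"),                # True
        "dac_grant_by_nonowner": dac_grant(plans, "minion_pig", "red_bird", "read"),  # False
    }
```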

Page 35: Information Systems 365 Lecture Six -- Access Control

Role Based Access Control is Visible

Restrained User Interfaces – Depending upon your role, you can only see certain options (gray vs illuminated buttons on a screen)

Page 36: Information Systems 365 Lecture Six -- Access Control

Access Control Layers

Can be:

• Physical – Locked doors to sensitive areas

• Technical – Role based or authorization based access control

• Administrative – Rules about what employees may and may not look at

Page 37: Information Systems 365 Lecture Six -- Access Control

The Importance of Employee Awareness of Auditing

Make certain that employees know that you may be continually auditing access logs

This knowledge alone can stop a lot of issues in relation to unauthorized access attempts.

Page 38: Information Systems 365 Lecture Six -- Access Control

Major Categories of Access Controls

• Deterrent – A warning on a website, forbidding unauthorized access

• Preventive – Username and password controlled access

• Detective – logs are audited in real-time and an alarm goes off after 10 incorrect login attempts

There are four other categories of access controls, but they are not important for our discussion

Page 39: Information Systems 365 Lecture Six -- Access Control

Next Lecture Topic: Security Architecture

Final thought:

The blue Angry Birds are the worst Angry Birds

Have a fun and safe weekend! See you Tuesday!