Information Security Principles - Access Control

Denise N. Lord, Computer and Information Security


Posted on 22-Nov-2014


TRANSCRIPT

Page 1: Information Security Principles - Access Control

Denise N. Lord, Computer and Information Security

Page 2: Access control

Access controls are security features that control how subjects (people, processes) can interact with systems and resources.

The goal is to protect against unauthorized access.

Page 3: Subjects and objects

Access is the flow of information between a subject and an object. A subject is the active entity that requests access: a person, process or program. An object is the passive resource being accessed: a file, printer, database etc.

Page 4: CIA triad

Access control should support the CIA triad (confidentiality, integrity, availability)! Let's quickly go over the CIA triad again.

Page 5: Access control steps

Quick overview (details on each coming up):

Identification - who am I? (user ID etc.)
Authentication - prove that I am who I say I am
Authorization - now what am I allowed to access?
Accountability - audit logs and monitoring of activities

Page 6: Identification

Identifies a user uniquely (hopefully): SSN, UID, SID, username. (An SSN is itself sensitive data, so it is a poor choice of identifier.)

Should uniquely identify a user for accountability (don't share).

A standard naming scheme should be used.

The identifier should not indicate extra information about the user (like position).

DO NOT SHARE (NO group accounts).

Page 7: Authentication

Proving who you say you are, usually with one of these three factors:
◦ Something you know (password)
◦ Something you have (smart card)
◦ Something you are (biometrics)

Authentication is verifying the identification information.

Page 8: Strong (multi-factor) authentication

Strong authentication is the combination of 2 or more of these factors (also called multi-factor authentication) and is encouraged!
◦ Strong authentication provides a higher level of assurance.*
◦ Two items of the same factor (a password plus a PIN, both "something you know") do not count as multi-factor.

Page 9: Authorization

Now that I am who I say I am, what can I do?
◦ Authorization can be granted based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (for example, a teller may be able to withdraw small amounts but require a manager for large withdrawals).
◦ Using criteria to make a determination of the operations that subjects can carry out.
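
The teller/manager rule above, combined with a time-of-day rule, as an added example that is not part of the original slides. The roles, the 09:00-17:00 teller window and the 1000 limit are assumptions made for illustration; the point is that the decision defaults to deny and only an explicit rule grants.

```python
# Added example (not from the original slides): authorization combining
# role, time of day (temporal isolation) and transaction type, as page 9
# describes.  The roles, the teller window and the limit are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Tuple

TELLER_LIMIT = 1000          # assumed: above this a manager must act
BUSINESS_HOURS = (9, 17)     # assumed teller window: 09:00 up to 17:00


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    action: str      # "withdraw", "deposit" or "view_balance"
    amount: int
    hour: int        # local hour (0-23) the request is made


def authorize(subject: Subject, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason).

    The default is deny (page 27): a request is allowed only when some rule
    explicitly grants it, and the rules are checked most-privileged first.
    """
    if "manager" in subject.roles:
        return True, "manager: any transaction, any time"
    if "teller" in subject.roles:
        if not (BUSINESS_HOURS[0] <= req.hour < BUSINESS_HOURS[1]):
            return False, "teller: outside business hours"
        if req.action == "withdraw" and req.amount > TELLER_LIMIT:
            return False, f"teller: withdrawal over {TELLER_LIMIT} needs a manager"
        return True, "teller: within hours and limit"
    return False, "no rule grants this request"


if __name__ == "__main__":
    teller = Subject("alice", frozenset({"teller"}))
    manager = Subject("bob", frozenset({"manager"}))
    for who, what in [(teller, Request("withdraw", 500, 10)),
                      (teller, Request("withdraw", 5000, 10)),
                      (teller, Request("withdraw", 500, 20)),
                      (manager, Request("withdraw", 5000, 20))]:
        print(who.user, what.action, what.amount, f"{what.hour:02d}:00", "->", authorize(who, what))
```

Rule order matters: the manager check runs first so that a manager who also holds the teller role is not accidentally throttled by the teller limits.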

Page 10: Accountability

Audit logs and monitoring to track subject activities with objects.

Page 11: Identity management

Identity management products are used to identify, authenticate and authorize users in an automated way. It's a broad term.

These products may (or may not) include:
◦ User account management
◦ Access controls
◦ Password management
◦ Single sign-on
◦ Permissions
◦ Web access management

Page 12: Single sign-on (SSO)

Log in one time, and access resources in many places.

Not the same as password synchronization: SSO software handles authentication to multiple systems (each system still decides what the authenticated user may do).

What are the security problems with this? What are the advantages?

Page 13: Account management

The idea is to centrally manage user accounts rather than manually create/update them on multiple systems.

Often includes workflow processes that allow distributed authorization. E.g. a manager can put in a user request or authorize a request; tickets might be generated for a key card system for their locations; permissions might be created for their specific needs etc.

Automates processes. Can include record keeping/auditing functions. Can ensure all accesses/accounts are cleaned up when users leave.

Page 14: Biometrics

Biometrics verifies (authenticates) an individual's identity by analyzing a unique personal attribute (something they ARE).

Requires enrollment before being used* (what is enrollment? Any ideas?)

EXPENSIVE, COMPLEX

Page 15: Biometric types and errors

Can be based on:
◦ Behavior (signature dynamics), which might change over time
◦ Physical attribute (fingerprints, iris, retina scans)
◦ We will talk about the different types of biometrics later

Can give incorrect results:
False negative (false rejection of a valid user) - Type I error* (annoying)
False positive (false acceptance of an impostor) - Type II error* (very bad)

Page 16: Crossover Error Rate (CER)

Crossover Error Rate (CER)* is an important metric, stated as a percentage, that represents the point at which the false rejection rate equals the false acceptance rate.

A lower CER is better/more accurate*. (3% is better than 4%.)

Also called Equal Error Rate (EER). Use CER to compare vendors' products objectively.

Page 17: Calibration

Systems can be calibrated: for example, if you adjust the sensitivity to decrease false positives, you will probably INCREASE false negatives. This is where the CER comes in.

Draw diagram on board. Some areas (like the military) are more concerned with one error than the other (e.g. would rather deny a valid user than accept an invalid user).

Can you think of any situations for each case?
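
The FRR/FAR trade-off and the crossover point from pages 15-17, worked through as an added example that is not part of the original slides. It assumes a matcher that returns a similarity score from 0 to 100 and accepts when the score meets a threshold; the genuine and impostor scores are constructed sample data, not measurements from any device.

```python
# Added example (not from the original slides): computing FRR, FAR and the
# crossover error rate from match scores, then calibrating the threshold for
# a site that fears false acceptance more than false rejection.
# Assumptions (mine, not the deck's): scores run 0-100, accept when
# score >= threshold.  The score lists are constructed sample data.

GENUINE_SCORES = [91, 88, 79, 95, 83, 72, 90, 86, 68, 94, 77, 89]    # valid users
IMPOSTOR_SCORES = [22, 41, 35, 58, 30, 47, 63, 28, 51, 39, 44, 70]   # impostors


def false_rejection_rate(genuine, threshold):
    """Type I error: share of genuine users denied (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type II error: share of impostors accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FRR, FAR) at each setting: raising the threshold lowers FAR
    and raises FRR, which is the trade-off page 17 describes."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor):
    """Threshold where FRR and FAR are closest to equal, and the rate there.

    Ties go to the lower threshold.  CER is one number per product, so it
    compares vendors without knowing how each one tunes its default."""
    best = None
    for t, frr, far in error_curve(genuine, impostor):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(genuine, impostor, max_far):
    """High-security calibration: the lowest threshold whose FAR is at or below
    max_far, together with the FRR that valid users then have to tolerate."""
    for t, frr, far in error_curve(genuine, impostor):
        if far <= max_far:
            return t, frr
    return 100, false_rejection_rate(genuine, 100)


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.1%} at threshold {t}")
    t, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero false accepts needs threshold {t}, costing FRR {frr:.1%}")
```

With these samples the curves cross at threshold 69 with a CER of about 8.3%; demanding zero false acceptances pushes the threshold to 71 and every valid user who scores below that is rejected.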

Page 18: Biometrics drawbacks

Expensive. Unwieldy. Intrusive. Can be slow (should not take more than 5-10 seconds)*. Complex (enrollment).

Page 19: Biometric methods

We will talk in more depth about each in the next couple of slides:

Fingerprint, Palm Scan, Hand Geometry, Retina Scan, Iris Scan, Keyboard Dynamics, Voice Print, Facial Scan, Hand Topography

Page 20: Signature dynamics

Most people sign in the same manner (really???)

Monitors the motions and the pressure while signing (as opposed to a static signature).

Type I (what is Type I again?) error high. Type II (what is Type II again?) error low.

Page 21: Biometrics review

We covered a bunch of different biometrics. Understand some are behavioral* based:
◦ Voice print
◦ Keyboard dynamics
◦ Can change over time

Some are physically based:
◦ Fingerprint
◦ Iris scan

Page 22: Biometrics review (continued)

Fingerprints are probably the most commonly used and cheapest.

Iris scanning provides the most "assurance". Some methods are intrusive. Understand Type I and Type II errors. Be able to define CER: is a lower CER value better or worse?

Page 23: Passwords

What is a password? (someone tell me because I forgot...)

Works on what you KNOW. Simplest form of authentication*. Cheapest form of authentication*. Oldest form of authentication. Most commonly used form of authentication*. WEAKEST form of authentication*.

Page 24: Password problems

People write down passwords (bad). People use weak passwords (bad). People re-use passwords (bad).

If you make passwords too hard to remember, people often write them down. If you make them too easy, they are easily cracked.

Page 25: Password guidelines

Don't use common words. Don't use names or birthdates. Use at least 8 characters (longer is better). Combine numbers, symbols and case. Use a phrase and take attributes of the phrase, transpose characters.

Page 26: Password storage

The system should NOT store passwords in plaintext. Store a hash (what is a hash?), and use a slow, purpose-built password hash (bcrypt, scrypt, PBKDF2 or Argon2) rather than a single fast hash such as MD5 or SHA-1.

Can encrypt hashes.

Password salts: random values added to the encryption/hash process to make it harder to brute force. The same password hashes/encrypts to a different result for each salt, so an attacker cannot precompute one table of hashes and reuse it against every account.
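
Salted password hashing (this page) and strong two-factor authentication (page 8) together, as an added example that is not part of the original slides. It assumes scrypt from Python's hashlib with a random 16-byte salt per account, and an authenticator code computed per RFC 4226 (HOTP) and RFC 6238 (TOTP, 30-second step). The account, password and secret are constructed; the secret is the RFC 4226 test key.

```python
# Added example (not from the original slides): strong authentication that
# needs something you KNOW (a password checked against a salted, slow hash)
# and something you HAVE (a time-based one-time code from an authenticator).
# Assumptions (mine, not the deck's): scrypt from hashlib with a random
# 16-byte salt per account; HOTP per RFC 4226 and TOTP per RFC 6238 with a
# 30-second step.  The account, password and secret are constructed.
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash.  A fresh random salt per account means
    the same password produces a different digest everywhere it is used, so a
    precomputed table of hashes is useless and each guess must be re-hashed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-hash with the stored salt; compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/-skew neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-skew, skew + 1))


# Constructed account record; in practice this lives in the user store.
SALT, PWD_HASH = hash_password("correct horse battery staple")
TOTP_SECRET = b"12345678901234567890"   # the RFC 4226 test key, constructed here


def login(password: str, code: str, now: Optional[float] = None) -> bool:
    """Both factors must verify.  Evaluate both even when the first fails so
    the response time does not reveal which factor was wrong."""
    now = time.time() if now is None else now
    pw_ok = verify_password(password, SALT, PWD_HASH)
    otp_ok = verify_totp(TOTP_SECRET, code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = time.time()
    print("password + current code:", login("correct horse battery staple", totp(TOTP_SECRET, now)))
    print("password + stale code:  ", login("correct horse battery staple", totp(TOTP_SECRET, now + 3600)))
```

The two hash_password calls below show the salt at work: the same password yields two different digests, which is exactly why a rainbow table built against one site's hashes is worthless against another's.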

Page 27: Access principles

Default NO access (implicit deny)*: anything not explicitly granted is denied. Need to know: grant only the access a subject requires for its job.

Page 28: SSO advantages

Idea: one identification/authentication instance for all networks/systems/resources.

Eases management. Makes things more secure (no written-down passwords, hopefully). Can focus budgets and time on securing one method rather than many! Makes things integrated.

Page 29: SSO disadvantages

Centralized point of failure*. Can cause bottlenecks*. All vendors have to play nicely (good luck). Often very difficult to accomplish* (the golden ring of network authentication). One ring to bind them all! (wait...no...) If you can access once, you can access ALL! (One stolen credential or session grants every system.)

Page 30: Access control models

A framework that dictates how subjects access objects.

Uses access control technologies and security mechanisms to enforce the rules.

Business goals and the culture of the organization will prescribe which model it uses.

Page 31: Access control models (continued)

Dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model.

The different models are: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC, covered on page 37).

Page 32: Discretionary Access Control (DAC)

Discretionary Access Control*: the owner or creator of a resource specifies which subjects have which access to the resource. Based on the discretion of the data owner*.

A common example is an ACL (what is an ACL?).

Commonly implemented in commercial products (Windows, Linux, macOS file permissions).

Page 33: Mandatory Access Control (MAC)

Mandatory Access Control*: data owners cannot grant access!* The OS makes the decision based on a security label or flag system*.

Users and data are given a clearance level/classification (confidential, secret, top secret etc.)*.

Rules for access are configured by the security officer and enforced by the OS.

Page 34: MAC (continued)

MAC is used where classification and confidentiality are of utmost importance... military.

Generally you need a system built for MAC; ordinary DAC systems don't do MAC:
◦ SELinux (adds MAC labels to Linux as a kernel security module)
◦ Trusted Solaris

Page 35: MAC labels and categories

Again, all objects in a MAC system have a security label*.

Security labels can be defined by the organization.

They also have categories to support "need to know" at a certain level.

Categories can be defined by the organization.

If I have "top secret" clearance, can I see all projects at the "secret" level??? (Only those whose categories I also hold.)
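
The level-plus-category comparison behind that question, as an added example that is not part of the original slides. The level names, their ordering and the "level/cat1,cat2" label syntax are assumptions; real MAC systems use their own syntax. The no-write-down rule at the end goes one step beyond the slide, which only discusses reading.

```python
# Added example (not from the original slides): MAC label comparison with a
# hierarchical level plus a category set.  "Top secret" clearance alone does
# not show a "secret" project unless the subject also holds that project's
# category (need to know).
# Assumptions (mine): level names/ordering and the "level/cat,cat" syntax are
# constructed; the write rule goes beyond what the slide states.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least the same level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def parse_label(text: str) -> Label:
    """'secret/alpha,beta' -> Label('secret', {'alpha', 'beta'}); 'secret' alone
    means no categories.  Unknown levels are rejected rather than guessed."""
    level, _, cats = text.partition("/")
    level = level.strip().lower()
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    categories = frozenset(c.strip() for c in cats.split(",") if c.strip())
    return Label(level, categories)


def can_read(subject: Label, obj: Label) -> bool:
    """No read up: the subject's clearance must dominate the object's label.
    The object's owner has no say, which is what makes the control mandatory."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No write down: the object's label must dominate the subject's, so a
    Top Secret subject cannot copy data into a Secret file."""
    return obj.dominates(subject)


if __name__ == "__main__":
    me = parse_label("top secret/alpha")
    for obj in ("secret", "secret/alpha", "secret/beta", "top secret/alpha,beta"):
        print(f"{me!r} reads {obj!r}: {can_read(me, parse_label(obj))}")
```

A Top Secret subject cleared only for project alpha can read Secret material with no category and Secret/alpha material, but not Secret/beta: the level check passes and the category check fails.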

Page 36: Race condition

• An undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system the operations must be done in the proper sequence in order to be done correctly. In access control this shows up as a time-of-check to time-of-use gap: the check passes, then the object changes before it is used.

Page 37: Role-Based Access Control (RBAC)

Also called non-discretionary. Uses a set of controls to determine how subjects and objects interact.

Allows you to be assigned a role, and your role dictates your access to resources, rather than your individual user account.

This scales better than DAC methods. You don't have to continually change ACLs or permissions per user, nor do you have to remember what permissions to set on a new user; just make them a member of a certain role.

You can simulate this with "groups" in Windows and Linux, especially with LDAP/AD.
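
The role indirection described above, as an added example that is not part of the original slides. The roles, permissions and users are constructed; the point is that joiner, mover and leaver changes touch one user-to-role mapping rather than every object's permissions.

```python
# Added example (not from the original slides): role-based access control.
# Permissions hang off roles; users hold only role assignments, so a joiner,
# mover or leaver is one change to the user-role mapping instead of an ACL
# edit on every object.  The roles, permissions and users are constructed.

ROLE_PERMS = {
    "teller": {"account:read", "txn:deposit", "txn:withdraw_small"},
    "manager": {"account:read", "txn:deposit", "txn:withdraw_small",
                "txn:withdraw_large", "report:branch"},
    "auditor": {"account:read", "report:branch", "log:read"},
}

USER_ROLES = {
    "alice": {"teller"},
    "bob": {"manager"},
    "carol": {"auditor"},
}


def permissions_for(user):
    """Union of every assigned role's permissions; no roles means no access."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def has_permission(user, perm):
    """Implicit deny: anything not reachable through a role is refused."""
    return perm in permissions_for(user)


def onboard(user, role):
    """Joiner: one assignment, and the new hire has exactly the role's access."""
    USER_ROLES.setdefault(user, set()).add(role)
    return permissions_for(user)


def move_user(user, from_role, to_role):
    """Mover: a transfer swaps one role; old rights go away with the old role."""
    roles = USER_ROLES.setdefault(user, set())
    roles.discard(from_role)
    roles.add(to_role)
    return permissions_for(user)


def offboard(user):
    """Leaver: dropping the user's roles revokes every derived permission."""
    USER_ROLES.pop(user, None)
    return permissions_for(user)


if __name__ == "__main__":
    print("alice large withdrawal:", has_permission("alice", "txn:withdraw_large"))
    move_user("alice", "teller", "manager")
    print("alice after promotion: ", has_permission("alice", "txn:withdraw_large"))
    print("carol after leaving:   ", offboard("carol"))
```

The high-turnover case from the next slide is the move_user/offboard path: nothing on any object changes, only the mapping from user to role.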

Page 38: When to use RBAC

When to use: if you need centralized access control; if you DON'T need MAC ;); if you have high turnover*.

Page 39: Access control techniques

We will talk more in depth about each in the next few slides.

Rule-based Access Control, Constrained User Interfaces, Access Control Matrix, Access Control Lists, Content-Dependent Access Control, Context-Dependent Access Control

Page 40: Access control matrix

A table of subjects and objects indicating what actions individual subjects can take on individual objects*.
◦ See page 220 (top)

Page 41: Capability table

Bound to a subject; lists what permissions the subject has to each object.

This is a row in the access matrix (see page 220, bottom).

Page 42: Access control list (ACL)

Bound to an object; lists which subjects may access it and how.

It's a column of the access matrix.
◦ See page 220
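
The matrix, its row view (capability table, page 41) and its column view (ACL, this page), with the default-deny rule from page 27 and a DAC grant from page 32, as an added example that is not part of the original slides. The subjects, objects, rights and owners are constructed.

```python
# Added example (not from the original slides): an access control matrix and
# its two views, the capability table (one subject's row) and the ACL (one
# object's column), with a default-deny check and a DAC-style grant that only
# the object's owner may perform.  Subjects, objects, rights and owners are
# constructed.

MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "printer": {"print"}},
    "bob":   {"payroll.xlsx": {"read"}, "printer": {"print"}},
    "carol": {"printer": {"print", "manage"}},
}
OWNERS = {"payroll.xlsx": "alice", "printer": "carol"}   # constructed ownership


def sample_matrix():
    """Fresh, independent copy of MATRIX so grants in one run don't leak into another."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in MATRIX.items()}


def capability_list(matrix, subject):
    """Row of the matrix: everything this subject may do, keyed by object."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def acl(matrix, obj):
    """Column of the matrix: which subjects may do what to this object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def is_allowed(matrix, subject, obj, right):
    """Implicit deny: a missing subject, object or right is a denial."""
    return right in matrix.get(subject, {}).get(obj, set())


def grant(matrix, owners, actor, subject, obj, right):
    """DAC: only the object's owner may add to its ACL."""
    if owners.get(obj) != actor:
        raise PermissionError(f"{actor} does not own {obj}")
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)


if __name__ == "__main__":
    m = sample_matrix()
    print("bob's capabilities:", capability_list(m, "bob"))
    print("payroll.xlsx ACL:  ", acl(m, "payroll.xlsx"))
    print("carol reads payroll before grant:", is_allowed(m, "carol", "payroll.xlsx", "read"))
    grant(m, OWNERS, "alice", "carol", "payroll.xlsx", "read")
    print("carol reads payroll after grant: ", is_allowed(m, "carol", "payroll.xlsx", "read"))
```

Whether you store rows (capabilities) or columns (ACLs) is an implementation choice; both are the same matrix, and either one answers is_allowed by looking for an explicit entry and denying when none exists.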

Page 43: Controls and control types

STOP. Before we move on you need to understand the definitions/terms that we are about to cover for the exam (controls and control types). They are used ambiguously on the exam, so you need to think about them. We will give an overview now, but we'll keep seeing them again and again.

Page 44: Control categories

Controls:
◦ Administrative - AAC
◦ Physical - PAC
◦ Technical or Logical - LAC

Now we'll talk about control types.

Page 45: Control types

Types (can occur in each "control" category):
◦ Deter - intended to discourage attacks
◦ Prevent - intended to prevent incidents
◦ Detect - intended to detect incidents
◦ Correct - intended to correct incidents
◦ Recover - intended to bring controls back up to normal operation

Page 46: Administrative controls

Personnel - HR practices. Supervisory - management practices (supervisor, corrective actions). Training - that's pretty obvious. Testing - not technical, and management's* responsibility to ensure it happens. A policy or list.

Page 47: Physical controls

Physical network segregation (not logical) - ensure certain network segments are physically restricted.

Perimeter security - CCTV, fences, security guards, badges.

Computer controls - physical locks on computer equipment, restrict USB access etc.

Page 48: Physical controls (continued)

Work area separation - keep accountants out of R&D areas.

Cabling - shielding, fiber.

Control zones - break up the office into logical areas (lobby - public, R&D - top secret, offices - secret).

Page 49: Technical (logical) controls

Using technology to protect:
System access - Kerberos, PKI, RADIUS (specifically access to a system)
Network architecture - IP subnets, VLANs, DMZ
Network access - routers, switches and firewalls that control access
Encryption - protects confidentiality and integrity
Auditing - logging and notification systems

Page 50: Intrusion detection systems (IDS)

IDS allow you to detect intrusions and unauthorized access.

Different types (we will discuss), but they usually consist of: sensors, storage, an analysis engine and a management console (see diagram on page 260).

Page 51: Network-based IDS

Network based:
◦ Monitors network traffic ONLY
◦ Can be of multiple types (discuss later)
◦ Watch out for switches (a switch only delivers traffic to its destination port, so use port mirroring/SPAN or a tap), and subnets (use multiple sensors)

Page 52: Host-based IDS

Host based - installed on computers:
◦ Monitors logs
◦ Monitors system activity
◦ Monitors configuration files
◦ Could monitor network traffic to and from the computer it is installed on only
◦ Multiple types - discussed later

Page 53: Signature-based IDS

Signature based - like a virus scanner, looks for known attack signatures.

MUST be updated with new signatures. Will not stop unknown attacks (0-day). Relatively high assurance: a match is a known attack, so few false positives. Commonly used.

Page 54: Anomaly-based IDS

Based on what is "normal" behavior (builds a profile).

Detects when things are not normal. Very subjective: very high rate of false positives, which may lead to alerts being ignored. Requires a high degree of knowledge and maintenance to run.

Page 55: IDS types summary

Signature based (also called knowledge based). Anomaly based (also called behavioral based).
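
The two detection styles from pages 53 and 54 run side by side over constructed web-server log lines, as an added example that is not part of the original slides. The log format ("client method path"), the signatures, the training window and the 2x threshold are all assumptions. The signature engine catches the known attacks and misses the probing client whose requests match nothing; the anomaly engine catches the prober and also flags a legitimate user who merely browsed more pages than usual, which is the false-positive problem the slide warns about.

```python
# Added example (not from the original slides): signature-based versus
# anomaly-based detection over constructed log lines.  Log format, signatures,
# training data and the threshold factor are assumptions for illustration.
import re
from collections import Counter

# Known-bad patterns (constructed).  New attacks need new entries: a 0-day
# that matches none of these passes straight through.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),
    "traversal": re.compile(r"\.\./\.\./"),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\};"),
}

# Constructed quiet period used to learn what "normal" looks like per client.
TRAINING_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /about.html
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.9 GET /index.html
"""

# Constructed live window: .5 browses more than usual (legitimate), .7 is the
# always-busy monitor, .11 and .15 send one known attack each, .13 probes
# for files that no signature describes.
LIVE_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /about.html
10.0.0.5 GET /products.html
10.0.0.5 GET /contact.html
10.0.0.5 GET /index.html
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.7 GET /status
10.0.0.11 GET /files?name=../../etc/passwd
10.0.0.13 GET /admin
10.0.0.13 GET /backup.zip
10.0.0.13 GET /.git/config
10.0.0.13 GET /phpmyadmin/
10.0.0.13 GET /wp-login.php
10.0.0.13 GET /.env
10.0.0.15 GET /login?user=admin' or 1=1--
"""


def parse(log):
    """Yield (client, method, path) for each non-empty 'client method path' line."""
    for line in log.splitlines():
        if line.strip():
            client, method, path = line.split(maxsplit=2)
            yield client, method, path


def signature_alerts(log):
    """Knowledge-based detection: each request whose path matches a known signature."""
    return [(client, name) for client, _, path in parse(log)
            for name, rx in SIGNATURES.items() if rx.search(path)]


def build_profile(training_log):
    """Behavior-based detection, step 1: requests per client in the quiet
    window, plus a global average used for clients never seen before."""
    counts = Counter(client for client, _, _ in parse(training_log))
    return dict(counts), sum(counts.values()) / len(counts)


def anomalies(profile, live_log, factor=2.0):
    """Step 2: flag any client whose live request count exceeds factor x its baseline."""
    per_client, global_mean = profile
    counts = Counter(client for client, _, _ in parse(live_log))
    return {client for client, n in counts.items()
            if n > factor * per_client.get(client, global_mean)}


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LIVE_LOG))
    print("anomalous clients:", sorted(anomalies(build_profile(TRAINING_LOG), LIVE_LOG)))
```

Neither engine alone sees everything: 10.0.0.13 is only caught by the profile, 10.0.0.11 and 10.0.0.15 only by signatures, and 10.0.0.5 is noise an analyst has to triage.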

Page 56: Threats to access control

We will talk about these later, but let's review them now.

Dictionary attacks - what is this? Sniffers - what is this? Brute force attacks - how is this different from a dictionary attack? Spoofing login/trusted path. Phishing. Identity theft.
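
The difference between a dictionary attack and a brute-force attack, as an added example that is not part of the original slides. Both run offline against an unsalted SHA-256 hash so the cost difference is visible; the wordlist, mangling rules, target passwords and alphabet are constructed. With a salted, slow password hash (page 26) every guess costs far more and nothing can be precomputed, but the ordering of guesses is the same.

```python
# Added example (not from the original slides): dictionary attack versus
# brute force against an unsalted SHA-256 hash.  Wordlist, rules, targets
# and alphabet are constructed for illustration.
import hashlib
import itertools
import string

WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "summer2014"]

# Mangling rules turn each word into the variants people actually pick.
RULES = (
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w.capitalize() + "1",
)


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST, rules=RULES):
    """Guess likely passwords first: cost is at most len(wordlist) * len(rules),
    but a password that is not in the list (with any rule) is never found."""
    attempts = 0
    for word in wordlist:
        for rule in rules:
            attempts += 1
            guess = rule(word)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


def search_space(alphabet, max_len):
    """Number of strings of length 1..max_len: grows as len(alphabet) ** length."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=3):
    """Enumerate every string up to max_len: certain to succeed inside the
    space, but the space explodes with length and alphabet size."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(chars)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print("dictionary vs 'Welcome1':", dictionary_attack(sha256_hex("Welcome1")))
    print("brute force vs 'Welcome1' (lowercase, <=3):", brute_force(sha256_hex("Welcome1")))
    print("brute force vs 'zz':", brute_force(sha256_hex("zz")))
    print("lowercase strings up to 8 chars:", search_space(string.ascii_lowercase, 8))
```

"Welcome1" falls to the dictionary in 20 guesses and survives 18,278 brute-force guesses because the brute-force alphabet never includes capitals or digits; the two-letter "zz" is the reverse case. That asymmetry is why a password policy that forbids dictionary words (page 25) matters more than one that only sets a length.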

Page 57: Social engineering

A non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures.

Example: a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security.

Page 58: Phishing

An e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients.

Page 59: E-mail spoofing

The forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.