information security principles - access control
Access Control
Denise N. Lord, Computer and Information Security
Access controls are security features that control how people can interact with systems and resources.
The goal is to protect against unauthorized access.
Access is the data flow between a subject and an object. A subject is a person, process or program. An object is a resource (file, printer, etc.).
Access control should support the CIA triad! Let’s quickly go over the CIA triad again
Quick overview: details on each coming up
Identification – who am I? (userid etc.)
Authentication – prove that I am who I say I am
Authorization – now what am I allowed to access?
Accountability – audit logs and monitoring of activities
Identifies a user uniquely (hopefully): SSN, UID, SID, username
Should uniquely identify a user for accountability (don’t share)
A standard naming scheme should be used
The identifier should not indicate extra information about the user (like position)
DO NOT SHARE (NO group accounts)
Proving you are who you say you are, usually one of these 3:
◦ Something you know (password)
◦ Something you have (smart card)
◦ Something you are (biometrics)
◦ Verifying the identification information.
Strong Authentication is the combination of 2 or more of these (also called multi-factor authentication) and is encouraged!
◦ Strong Authentication provides a higher level of assurance*
Now that I am who I say I am, what can I do?
◦ Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (example: a teller may be able to withdraw small amounts, but require a manager for large withdrawals)
◦ Using criteria to make a determination of which operations subjects can carry out
Audit log and monitoring to track subject activities with objects.
Identity management products are used to identify, authenticate and authorize users by automated means. It’s a broad term.
These products may (or may not) include:
◦ User account management
◦ Access controls
◦ Password management
◦ Single Sign On
◦ Permissions
◦ Web access management
Log in one time, and access resources in many places
Not the same as password synchronization
SSO software handles the authorization to multiple systems
What are the security problems with this? What are the advantages?
Idea is to centrally manage user accounts rather than manually create/update them on multiple systems
Often includes workflow processes that allow distributed authorization. E.g. a manager can put in a user request or authorize a request, tickets might be generated for a key card system for their locations, permissions might be created for their specific needs, etc.
Automates processes
Can include record keeping/auditing functions
Can ensure all accesses/accounts are cleaned up when users leave.
Biometrics verifies (authenticates) an individual's identity by analyzing a unique personal attribute (something they ARE)
Requires enrollment before being used* (what is enrollment? Any ideas?)
EXPENSIVE, COMPLEX
Can be based on
◦ Behavior (signature dynamics) – might change over time
◦ Physical attribute (fingerprints, iris, retina scans)
◦ We will talk about the different types of biometrics later
Can give incorrect results
False negative – Type I error* (annoying)
False positive – Type II error* (very bad)
Crossover Error Rate (CER)* is an important metric, stated as a percentage, that represents the point at which the false rejection rate equals the false acceptance rate.
A lower CER is better/more accurate*. (3 is better than 4)
Also called Equal Error Rate
Use CER to compare vendors' products objectively
Systems can be calibrated: for example, if you adjust the sensitivity to decrease false positives, you probably will INCREASE false negatives. This is where the CER comes in.
Draw diagram on board
Some areas (like military) are more concerned with one error than the other (ex. would rather deny a valid user than accept an invalid user)
Can you think of any situations for each case?
Expensive
Unwieldy
Intrusive
Can be slow (should not take more than 5-10 seconds)*
Complex (enrollment)
We will talk in more depth about each in the next couple of slides
Fingerprint
Palm Scan
Hand Geometry
Retina Scan
Iris Scan
Keyboard Dynamics
Voice Print
Facial Scan
Hand Topography
Most people sign in the same manner (really???)
Monitors the motions and the pressure while signing (as opposed to a static signature)
Type I (what is Type I again?) error high
Type II (what is Type II again?) error low
We covered a bunch of different biometrics
Understand some are behavioral* based
◦ Voice print
◦ Keyboard dynamics
◦ Can change over time
Some are physically based
◦ Fingerprint
◦ Iris scan
Fingerprints are probably the most commonly used and cheapest
Iris scanning provides the most “assurance”
Some methods are intrusive
Understand Type I and Type II errors
Be able to define CER; is a lower CER value better or worse?
What is a password? (someone tell me because I forgot…)
Works on what you KNOW
Simplest form of authentication*
Cheapest form of authentication*
Oldest form of authentication
Most commonly used form of authentication*
WEAKEST form of authentication*
People write down passwords (bad)
People use weak passwords (bad)
People re-use passwords (bad)
If you make passwords too hard to remember, people often write them down
If you make them too easy… they are easily cracked
Don’t use common words
Don’t use names or birthdates
Use at least 8 characters
Combine numbers, symbols and case
Use a phrase and take attributes of a phrase, transpose characters
System should NOT store passwords in plaintext. Use a hash (what is a hash?)
Can encrypt hashes
Password salts – random values added to the encryption/hash process to make it harder to brute force (one password may hash/encrypt to multiple different results)
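As an added example (not from the lecture), this shows the salting point above in code: an unsalted hash of a password is always the same, while a salted, iterated hash of the same password comes out different every time it is stored, and verification recomputes with the stored salt. Function names and the sample passwords are constructed here.

```python
# Added example (not from the lecture): storing a password as a salted,
# iterated hash, and checking a login attempt against the stored values.
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # work factor: slows down brute-force guessing


def unsalted_hash(password: str) -> bytes:
    """Plain hash: the same password always gives the same digest, so one
    precomputed table cracks every account that chose that password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so the same password stored twice yields two different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def same_password_same_digest(password: str) -> Tuple[bool, bool]:
    """(unsalted digests equal?, salted digests equal?) for two users
    who happened to choose the same password."""
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return unsalted_equal, d1 == d2


if __name__ == "__main__":
    # Constructed sample password; never log real secrets like this.
    salt, digest = hash_password("correct horse battery staple")
    print("stored salt:", salt.hex(), "digest:", digest.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong pw:", verify_password("Password1", salt, digest))
    print("unsalted equal / salted equal:", same_password_same_digest("hunter2"))
```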
Default NO access (implicit deny)*
Need to Know
Idea: one identification/authentication instance for all networks/systems/resources
Eases management
Makes things more secure (no written-down passwords, hopefully)
Can focus budgets and time on securing one method rather than many!
Makes things integrated
Centralized point of failure*
Can cause bottlenecks*
All vendors have to play nicely (good luck)
Often very difficult to accomplish* (golden ring of network authentication)
One ring to bind them all! (wait...no…) If you can access once, you can access ALL!
A framework that dictates how subjects access objects.
Uses access control technologies and security mechanisms to enforce the rules
Business goals and culture of the organization will prescribe which model it uses
Dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model
The different models are:
Discretionary Access Control
Mandatory Access Control
Discretionary Access Control*
Owner or creator of a resource specifies which subjects have which access to the resource. Based on the discretion of the data owner*
Common example is an ACL (what is an ACL?)
Commonly implemented in commercial products (Windows, Linux, MacOS)
Mandatory Access Control*
Data owners cannot grant access!*
OS makes the decision based on a security label or flag system*
Users and data are given a clearance level (confidential, secret, top secret, etc.)*
Rules for access are configured by the security officer and enforced by the OS.
MAC is used where classification and confidentiality are of utmost importance… military.
Generally you have to buy a specific MAC system; DAC systems don’t do MAC
◦ SELinux
◦ Trusted Solaris
Again, all objects in a MAC system have a security label*
Security labels can be defined by the organization.
They also have categories to support “need to know” at a certain level.
Categories can be defined by the organization
If I have “top secret” clearance can I see all projects in the “secret” level???
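As an added example (not from the lecture), this puts the label-plus-category idea into a small MAC read check: a subject may read an object only when its clearance level is at least the object's level AND it holds every category (need-to-know compartment) on the object's label, so a higher level alone is not enough. Level names follow the slide; the project categories and sample labels are constructed.

```python
# Added example (not from the lecture): a mandatory access control check in
# which every subject and object carries a security label made of a
# classification level plus a set of need-to-know categories.
from typing import FrozenSet, NamedTuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label(NamedTuple):
    level: str
    categories: FrozenSet[str]


def dominates(subject: Label, obj: Label) -> bool:
    """Subject label dominates object label when its level is at least as high
    AND it holds every category the object carries (need to know)."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only when the subject's clearance dominates the object's
    label; the rule is fixed by the security officer, not by the data owner."""
    return dominates(subject, obj)


# Constructed sample labels (categories are hypothetical project names).
ANALYST = Label("top secret", frozenset({"PROJECT_A"}))
PROJECT_A_REPORT = Label("secret", frozenset({"PROJECT_A"}))
PROJECT_B_REPORT = Label("secret", frozenset({"PROJECT_B"}))
PUBLIC_MEMO = Label("unclassified", frozenset())

if __name__ == "__main__":
    for name, obj in [("Project A report", PROJECT_A_REPORT),
                      ("Project B report", PROJECT_B_REPORT),
                      ("public memo", PUBLIC_MEMO)]:
        print(f"top secret analyst reading {name}: {can_read(ANALYST, obj)}")
```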
• Is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence in order to be done correctly.
Also called non-discretionary. Uses a set of controls to determine how subjects and objects interact.
Allows you to be assigned a role, and your role dictates your access to resources, rather than your individual user account.
This scales better than DAC methods
You don’t have to continually change ACLs or permissions per user, nor do you have to remember what perms to set on a new user; just make them a certain role
You can simulate this with “groups” in Windows and Linux, especially with LDAP/AD.
When to use:
If you need centralized access
If you DON’T need MAC ;)
If you have high turnover*
We will talk more in depth of each in the next few slides.
Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependent Access Control
Context-Dependent Access Control
Table of subjects and objects indicating what actions individual subjects can take on individual objects*
◦ See page 220 (top)
Bound to subjects, lists what permissions a subject has to each object
This is a row in the access matrix (see page 220, bottom)
Lists what (and how) subjects may access a certain object.
It’s a column of an access matrix
◦ See page 220
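As an added example (not from the lecture), this holds a small access control matrix and derives both views from it: a capability list is one subject's row, an ACL is one object's column, and a cell that is absent means no access (the implicit deny from earlier). The subjects, objects and actions are constructed sample data.

```python
# Added example (not from the lecture): an access control matrix held as a
# sparse dict, with the capability list (a row) and the ACL (a column)
# derived from it, and a check that applies implicit deny.
from typing import Dict, FrozenSet, Tuple

# Constructed sample matrix: (subject, object) -> allowed actions.
# Missing cells mean NO access (implicit deny).
MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "payroll.xlsx"): frozenset({"read", "write"}),
    ("alice", "printer1"): frozenset({"print"}),
    ("bob", "payroll.xlsx"): frozenset({"read"}),
    ("carol", "printer1"): frozenset({"print", "admin"}),
}


def capability_list(subject: str) -> Dict[str, FrozenSet[str]]:
    """Row of the matrix: everything one subject may do, bound to the subject."""
    return {obj: acts for (subj, obj), acts in MATRIX.items() if subj == subject}


def access_control_list(obj: str) -> Dict[str, FrozenSet[str]]:
    """Column of the matrix: who may do what to one object, bound to the object."""
    return {subj: acts for (subj, o), acts in MATRIX.items() if o == obj}


def is_allowed(subject: str, obj: str, action: str) -> bool:
    """Default-deny check: no cell, or no such action in the cell, means denied."""
    return action in MATRIX.get((subject, obj), frozenset())


if __name__ == "__main__":
    print("alice's capability list:", capability_list("alice"))
    print("ACL on payroll.xlsx:", access_control_list("payroll.xlsx"))
    print("bob writes payroll?", is_allowed("bob", "payroll.xlsx", "write"))
    print("dave reads payroll?", is_allowed("dave", "payroll.xlsx", "read"))
```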
STOP
Before we move on you need to understand the definitions/terms that we are about to cover for the exam (controls and control types). They are used ambiguously on the exam, so you need to think about them. We will give an overview now, but we’ll keep seeing them again and again.
Controls
◦ Administrative – AAC
◦ Physical – PAC
◦ Technical or Logical – LAC
Now we’ll talk about control types
Types (can occur in each “control” category)
◦ Deter – intended to discourage attacks
◦ Prevent – intended to prevent incidents
◦ Detect – intended to detect incidents
◦ Correct – intended to correct incidents
◦ Recover – intended to bring controls back up to normal operation
Personnel – HR practices
Supervisory – Management practices (supervisor, corrective actions)
Training – that’s pretty obvious
Testing – not technical, and management's* responsibility to ensure it happens
A policy or list
Physical Network Segregation (not logical) – ensure certain network segments are physically restricted
Perimeter Security – CCTV, fences, security guards, badges
Computer Controls – physical locks on computer equipment, restrict USB access, etc.
Work Area Separation – keep accountants out of R&D areas
Cabling – shielding, fiber
Control Zone – break up office into logical areas (lobby – public, R&D – top secret, offices – secret)
Using technology to protect
System Access – Kerberos, PKI, RADIUS (specifically access to a system)
Network Architecture – IP subnets, VLANs, DMZ
Network Access – routers, switches and firewalls that control access
Encryption – protect confidentiality, integrity
Auditing – logging and notification systems.
IDS allows you to detect intrusion and unauthorized access.
Different types (we will discuss), but usually consist of:
Sensors
Storage
Analysis engine
Management console (see diagram on page 260)
Network based
◦ Monitor network traffic ONLY
◦ Can be of multiple types (discuss later)
◦ Watch out for switches (use mirroring), and subnets (use multiple sensors)
Host based – installed on computers
◦ Monitor logs
◦ Monitor system activity
◦ Monitor configuration files
◦ Could monitor network traffic to and from the computer it is installed on only.
◦ Multiple types – discussed later
Signature based – like a virus scanner, looks for known attack signatures
MUST be updated with new signatures
Will not stop unknown attacks (0-day)
Relatively high rate of assurance
Commonly used
Based on what is “normal” behavior (builds a profile)
Detects when things are not normal
Very subjective – very high rate of false positives, may lead to info being ignored.
Requires a high degree of knowledge and maintenance to run
Signature Based Anomaly / Behavioral / Knowledge Based
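As an added example (not from the lecture), this runs both detection styles from the last two slides over a constructed batch of web-server log lines: the signature detector only fires on a pattern that is in its list, and the anomaly detector builds a crude "normal" profile of requests per client and flags the client far above it. Log lines, signature names and the threshold are constructed for the demo.

```python
# Added example (not from the lecture): signature vs. anomaly detection over
# a constructed batch of log lines of the form "client_ip request_path".
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample log lines: a few normal clients, one flooding client,
# and one request carrying a pattern the signature list knows about.
LOG_LINES = (
    ["10.0.0.5 /index.html", "10.0.0.5 /about.html", "10.0.0.7 /index.html",
     "10.0.0.8 /login", "10.0.0.9 /index.html", "10.0.0.10 /", "10.0.0.11 /help"]
    + ["10.0.0.42 /search?q=%d" % i for i in range(60)]   # flood from one client
    + ["10.0.0.7 /cgi-bin/test.cgi?../../etc/passwd"]     # known-bad pattern
)

# Known-bad patterns: must be kept up to date; anything not listed is missed.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"('|%27)\s*(or|union)\b", re.IGNORECASE),
}


def signature_alerts(lines: List[str]) -> List[str]:
    """Return 'name: line' for every line matching a known signature."""
    return [f"{name}: {line}" for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def anomaly_alerts(lines: List[str], z_threshold: float = 2.0) -> List[str]:
    """Flag clients whose request count sits more than z_threshold standard
    deviations above the mean; the mean/deviation is the 'profile' of normal.
    A profile this crude is exactly why anomaly IDS is prone to false positives."""
    counts = Counter(line.split()[0] for line in lines)
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:          # every client looks alike: nothing stands out
        return []
    return [f"volume: {ip} made {n} requests"
            for ip, n in counts.items() if (n - mu) / sigma > z_threshold]


if __name__ == "__main__":
    for alert in signature_alerts(LOG_LINES) + anomaly_alerts(LOG_LINES):
        print(alert)
```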
We will talk about these later... but let’s review these now
Dictionary attacks – what is this?
Sniffers – what is this?
Brute force attacks – how is this different than a dictionary attack?
Spoofing login/trusted path
Phishing
Identity theft
Social engineering is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures.
Example… a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security.
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients.
E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.