1 / 33

Access Control Terminology

Access Control Terminology. Access Controls Control how users and systems communicate and interact. Process Terminology. Identification Method for determining a subject is who it says it is User name, PIN number, smart card, account number Authenticated

doyle
Télécharger la présentation

Access Control Terminology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Terminology • Access Controls • Control how users and systems communicate and interact

  2. Process Terminology • Identification • Method for determining a subject is who it says it is • User name, PIN number, smart card, account number • Authenticated • Provided a second matching piece to the identification method • Password, passphrase, PIN number • Authorized • Has appropriate access to the requested resource

  3. Strong Authentication • Types of authentication • Something a person has • Something a person knows • Something a person is • Strong Authentication includes at least 2 of the 3 • Only 1 is considered _______________

  4. Biometrics – Something a Person Is • A unique personal attribute • Type I Error • Rejected an authorized user • Type II Error • Accepts a non-authorized imposter • Crossover Error Rate (CER) • Point where Type I Error distribution and Type II Error distribution meet • The lower the number, the better

  5. Fingerprint Palm scan Hand Geometry Length and width of the hand and fingers Retina Scan Iris Scan Signature Dynamics Keyboard Dynamics Voice Print Facial Scan Hand Topology Side picture of the hand Popular Biometrics

  6. Biometrics Compared

  7. Passwords – Something a Person Knows • Passphrases refer to multiple word passwords • Personal Identification Numbers (PIN) refer to numeric numbers • Considered weak • People use familiar words or numbers • Words are susceptible to dictionary and brute force attacks • Users can’t remember strong passwords so they write them down

  8. Making Passwords Stronger • Forced password lifetimes • Shorter makes it more secure, but too short and users forget which is active • 60 days is good compromise • Enforced minimum lengths • Forced special characters, case changes • No reuse • Lock out users at low clipping level (acceptable failed attempts) • For how long?

  9. Better Passwords Through Technology • Password Generators • Produce passwords using random but pronounceable passwords • Password Checkers/Crackers • L0phtcrack • John the Ripper • Brutus

  10. Variations on a Theme • Cognitive Passwords • Fact or opinion based information • Best for seldom used authentication needs • One-Time Use Passwords • Synchronous token device • Token and server preshare private key • Time based – token device and server clock are sync’ed, time value used as plaintext • Event based – token and server share authentication value list • Asynchronous token device • Server prompts with challenge code, user enters code into token device which returns a response code, user enters response into server

  11. Digital Signatures -------BEGIN SIGNATURE------ IQB1AwUBMVSiA5QYCuMfgNYjAQFAKgL/ ZkBfbeNEsbthba4BlrcnjaqbcKgNv+a5kr453 7y8RCd+RHm75yYh5xxA1ojELwNhhb7cltrp 2V7LlOnAelws4S87UX80cL BtBcN6AACf11 qymC2h+Rb2j5SSU+rmXWru+=QFMx -------END SIGNATURE------

  12. Cards – Something a Person Has • Memory Cards • Hold information only • Credit cards, ATM cards • Smart Cards • Process information and hold information • Information on card actively protected by authentication

  13. Authorization Criteria • Roles • Based on job function or assignment • Groups • Physical location • Interactive login, for example • Logical location • IP address, for example • Time of day • Transaction type • Amount of money to be transferred, for example

  14. Restrictions to Remember • Default to NO ACCESS • Access Control Lists (ACL) commonly default to deny • Base granted access on Need To Know • Least-privilege principal • Single sign on whenever possible • Scripts • Kerberos is recognized standard in heterogeneous environments • SESAME - Secure European System for Applications in a Multivendor Environment

  15. Access Control Models • Discretionary Access Control (DAC) • Owner (creator) can access resource and dictate who else can access it • Does not lend itself to central management • Mandatory Access Control (MAC) • Operating system controls access based on owners sensitivity level • Commonly used in military systems

  16. Role Based Access Control (RBAC) • Subjects role determines access • Managed centrally • Rule Based Access Control • Access matched against rules • Common in network devices • Constrained Interfaces • Limits data access and functionality • ATM machines, for example • Content Dependant Access Control • Restrictions based on data content • Firewalls commonly use this to stop worms, viruses

  17. Access Control Matrixes • Table of subjects and objects indicating actions subjects can take upon objects • Common in DAC model • Capability Tables • Access rights a specific subject has for a specific object • ACL’s • Lists of subjects that have access to a specific object • Very common in networking devices, firewalls

  18. Centralized Access Control • Remote Authentication Dial-in User Service (RADIUS) • Terminal Access Controller Access Control System (TACACS) Decentralized Access Controls • Security Domains • Realm of distributed trust • Hierarchical or peer implementations • Microsoft domains are a specific version

  19. Typical Scenario - Hybrid • Most enterprises combine both centralized and decentralized control methods • May have Kerberos centralized user database • Use TACACS+ tied to Kerberos to authenticate dial-up and router users • Use Windows 2000 file servers at each location to allow autonomous distributed security domains • Workgroup printers are shared via Windows desktop peering

  20. Control Types • Preventative • Avoid undesirable events • Detective • Identify undesirable events • Corrective • Fix undesirable events that have occurred • Deterrent • Discourage undesirable events • Recovery • Restore resources • Compensation • Provide alternatives to other types of controls

  21. Fences, locks, lighting Preventative Corrective Recovery Security guard Preventative Detective Corrective Deterrent Recovery Separation of duties Preventative Deterrent Security awareness training Preventative Detective Personnel procedures Preventative Detective Deterrent Compensation Services Provided by Various Security Controls

  22. ACL’s Preventative Encryption Preventative Deterrent Audit logs Detective Smart cards Preventative Intrusion Detection System Preventative Detective Corrective Deterrent Antivirus Software Preventative Detective Corrective Recovery Services Provided by Various Security Controls

  23. Common Access Control Practices • Deny access to systems by anonymous & guest accounts • Limit and monitor use of admin accounts • Remove obsolete user accounts when employees leave company • Suspend inactive accounts after 30-60 days • Disable unneeded system features & services • Use nondescriptive logon ID’s • Rename root and administrator logon ID’s • Remove redundant accounts, ACL’s, roles, groups

  24. Fun with Auditing • Enforces accountability • Must be reviewed • Must be backed up and protected • Good hackers always go after the audit logs • Guaranteed integrity is key to using logs as evidence • To be admissible in court, logs must be generated in the normal course of business

  25. Common Audit Events • System performance • Logon attempts + date/time (successful & unsuccessful) • Lockouts of users • Alteration of config files • Error messages • Files opened and closed • File modifications • ACL violations

  26. Unauthorized Disclosure • Object Reuse • Data left on floppies, backup tapes, or hard drives can be read • Sectors containing data can be marked bad, thus hiding data • Low level format, degauss, or destroy the media • Emanation Security • Capturing electrical and electromagnetic radiation from devices • TEMPEST – US Government standard for emanation protection

  27. Intrusion Detection Systems • Sniff network traffic (network-based) or monitor individual computers (host-based) • Signature Based Detection • Must be loaded with “fingerprints” of known attacks • Not effective against new attacks • Statistical Intrusion Detection • Looks for statistical anomalies in traffic

  28. Sniffers • Captures network traffic real-time • Allows admins or hackers to eavesdrop on data • Employees can use sniffers undetected in some networks

  29. Honeypots • Unprotected system set up to lure would be attackers • Attackers can then be tracked, attacks cataloged, other systems hardened appropriately • Enticement • Legally admissible, target is simply not well protected • Entrapment • Not legally admissible, target invites the hacker in

  30. Threats to Access Control • Dictionary Attack • Lists or dictionaries are used as a source of passwords or plain text • Countermeasures • Do not allow single word based passwords – use dictionary attacks against your own users to find weak passwords • Rotate passwords often • Employ one-time password techniques • Protect password files and stores

  31. Threats to Access Control • Brute Force Attack • Attack attempts every possible combination of potential inputs • Countermeasures • Employ stringent clipping levels and auditing of login attempts • Use brute force attacks against your own users to uncover weak passwords • Protect password files and stores • Login Spoofing • Hacker replaces legitimate login screens with fakes • Countermeasure

  32. Threats to Access Control • Login Spoofing • Hacker replaces legitimate login screens with fakes • Countermeasure • Security awareness training • Display number of failed login attempts

  33. Homework Assignment • Read Chapter 5, except: • State Machine Models & Modes of Operation (pgs 240-249) • Paper • Write a 2-3 page technical brief on the “Slammer” worm • Include vulnerable software details, countermeasures, and information about testing systems for the vulnerability. • Discuss the impact and current investigation of the worm. • Summarize the events and alerts that occurred as the weekend unfolded.

More Related