Access Control. Ed Crowley

Similar documents
Introduction to Computer Security

Introduction to Computer Security

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

CompTIA Security+ Certification SY0-301

Advanced Authentication

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Protec'ng Informa'on Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protec/ng Informa/on Assets Greg Senko

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

CS 4803 Computer and Network Security

Central Agency for Information Technology

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Decision on adequate information system management. (Official Gazette 37/2010)

Biometric SSO Authentication Using Java Enterprise System

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Multi-factor authentication

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Information Technology Branch Access Control Technical Standard

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Windows Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

The Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

22 nd NISS Conference

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Secure Web Access Solution

ISO 27002:2013 Version Change Summary

French Justice Portal. Authentication methods and technologies. Page n 1

Guidance on Multi-factor Authentication

A brief on Two-Factor Authentication

FileCloud Security FAQ

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

e-governance Password Management Guidelines Draft 0.1

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 7

Chapter 23. Database Security. Security Issues. Database Security

Fraud Detection and Prevention. Timothy P. Minahan Vice President Government Banking TD Bank

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Managing and Maintaining a Windows Server 2003 Network Environment

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

Chapter 1 Scenario 1: Acme Corporation

WHITE PAPER Usher Mobile Identity Platform

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

RSA SecurID Two-factor Authentication

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Windows Server 2008 (Domain Member Servers and Domain Controllers)

The Benefits of an Industry Standard Platform for Enterprise Sign-On

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CS 356 Lecture 28 Internet Authentication. Spring 2013

Identity Management and Access Control

RSA SecurID Software Token Security Best Practices Guide

How To Use Kerberos

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 6

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Two-Factor Authentication

RSA Authentication Manager 7.1 Basic Exercises

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

Logical & Physical Security

Windows Operating Systems. Basic Security

Convenience and security

SPICE EduGuide EG0015 Security of Administrative Accounts

Leverage Active Directory with Kerberos to Eliminate HTTP Password

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

RFG Secure FTP. Web Interface

Chapter 15 User Authentication

JPMorgan Chase Treasury Workstation. Certification Setup Guide Version 2.0

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

Enhancing Organizational Security Through the Use of Virtual Smart Cards

ADVANCE AUTHENTICATION TECHNIQUES

Managing Users and Identity Stores

White Paper. Authentication and Access Control - The Cornerstone of Information Security. Vinay Purohit September Trianz 2008 White Paper Page 1

This method looks at the patterns found on a fingertip. Patterns are made by the lines on the tip of the finger.

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Smart Cards, Biometrics and Tokens for VLANs and Subnet Access

Technical Standards for Information Security Measures for the Central Government Computer Systems

Multi-Factor Authentication

Weighted Total Mark. Weighted Exam Mark

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Information Security Basic Concepts

Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations

Chapter 8: Security Measures Test your knowledge

HIPAA Privacy & Security Health Insurance Portability and Accountability Act

Security Management. Keeping the IT Security Administrator Busy

Cent ralized Out -Of-Band Aut hent ic at ion Syst em. Authentication Security for the 21 st Century

Moving to Multi-factor Authentication. Kevin Unthank

Integrating Hitachi ID Suite with WebSSO Systems

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Everything you need to know!

UT Martin Password Policy May 2015

NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0

Automatic Speaker Verification (ASV) System Can Slash Helpdesk Costs

User s Guide. Security Operations Ver. 1.02

Transcription:

Access Control Ed Crowley 1

ISC 2 Key Areas of Knowledge Control access by applying the following concepts/methodologies/techniques 1. Policies 2. Types of controls (preventive, detective, corrective ) 3. Techniques (e.g., non-discretionary, discretionary and mandatory) 4. Identifcation and Authentication 5. Decentralized/distributed access control techniques 6. Authorization mechanisms 7. Logging and monitoring 2

ISC2 Key Areas of Knowledge Understand access control attacks Assess, effectiveness of access controls 3

Topics Access Control Defined Access control terms and best practices Access Control Principles Access Control models MAC, DAC, and NDAC Access control types Authentication Methods Passwords Tokens Identification Methods Biometrics Passwords and attacks Kerberos and other SSOs Auditing and Monitoring Intrusion Detection Object reuse 4

Access Control Defined Collection of mechanisms that permit system managers to exercise a directing or restraining influence over the behavior, use, and content of a system. Permits specification of: What users can do Which resources they can access What operations they can perform on a system. CISSP Study Guide 5

An Access Control Model Butler Lampson, Computer Security in the Real World http://research.microsoft.com/en-us/um/people/blampson/69- SecurityRealIEEE/69-SecurityRealIEEE.htm 6

Access Control Systems Include procedures that: Identify users and processes Process and log access requests Grant or deny access Monitor system access Applications Include AAA services Authentication Authorization Accounting 7

Access Controls Components could be Hardware (physical) and/or Software (logical). Pertain to systems that are: Context Distributed or Centralized. Effective access control requires a secure physical infrastructure and a secure computer base. Specific goals depend on your specific environment. i.e. dependent on your Risk Assessment 8

Typical Goals Maintain data and system Confidentiality Integrity Availability Utilize appropriate fault tolerance and recovery processes. Support services include accountability Provide Auditing Services Users Processes Resources 9

Related Integrity Goals Data consistency (integrity): Internal External Internal consistency assures that data is consistent with itself. For example, changes in inventories are congruent with purchase orders. External consistency ensures that data stored in the database is consistent with the real world. For example, inventory records are congruent with physical inventories. Requires a method for comparing computer and physical inventories. 10

Access Access A specific type of interaction between a subject and an object that results in the flow of information from one to the other. Subject An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or changes the system state. Technically, a process/domain pair. Aqua Book (NCSC-TG-004-88 ) 11

Object Passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects include: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, and network nodes. Aqua Book (NCSC-TG-004-88 ) 12

Reference Monitor mediates all access between a subject and an object. 13

Logical and Physical Controls Involve the restriction of access to systems. Encryption, smart cards, anti-virus software, audit trails and ACLs. Physical controls incorporate, file backup, guards, gates, and building security. 14

Access Control Terms Identify a User with a Username Authenticate a User with a: Password Token, or Biometric Authorize access to a resource 15

Access Control Best Practices Utilize Groups or Roles Job Function, Department, Location Centralized vs. Decentralized Single-sign-on (centralized) vs. local logins for each system Vulnerability: One compromise all access 16

Access Control Principles Separation of Duties Developer does not sign off tests and promote to production Admin does not sign off on log reviews of own servers Financial transactions processed are reviewed approved by a manager in a line of higher authority. Collusion is a deliberate agreement to subvert controls 17

Access Control Principles Rotate job duties to detect and prevent fraud; learn new skills, refresh staff 18

Access Control Principles Need to Know Principle: Given only access rights needed to perform job Implicit deny to resources unless authorized and granted access 19

File Security Directory hierarchies, and inherited permissions in subdirectories and files (Windows NTFS, Unix umask) Finance may view accounting data and reports but not change Often remove Domain admins from HR/Personnel/Payroll data access Employees can see the Company Policies, but not change them Secretary vs. Manager vs. Analyst doing work on credit reporting Secretary no access Manager view Analyst update Admin full control Watch for bosses delegating to secretary; Secretary keeping access to old dept 20

File and Print Permissions 21

Print Security Most printers are set to allow anyone to print to them Most will also allow redirection or redundant direction of output Restrict redirect, mainly in sensitive areas or from sensitive systems Set auditing on printers. Review appropriate use 22

Logical Access Control Logical Access Control Methods: Software-based components that authenticate users and allow them to access resources Often built into operating system, application, or module 23

Logical Access Control Methods Password policies: length, strength, rotation, age, failed logins count/lock Domain passwords should not match local username/password due to risk of pass-through authentication. Single-signon via LDAP source allows use of both domain and local systems via one single-source 24

To download 62,000 random logons and passwords click below The Lulz Boat http://lulzsecurity.com/releases/62000_random_logins.tx 25

Logical Access Control Methods User account policies: naming conventions, disable unused accounts Token use (RSA SecurID, Cryptocard / Proximity card / RFID chip Time and machine use restrictions (rare now, due to remote access) 26

Access Control Model A framework that defines how subjects access objects. Controlling access by a subject to an object involves establishing access rules. Three common frameworks: Mandatory Access Controls (MAC) Discretionary Access Control (DAC) Non-Discretionary Access Control aka role based (NDAC) 27

MAC Subject s access to an object depends upon labels. A label indicate subject s clearance and classification or sensitivity of the object. Every subject and object must have a label. Based upon rules System makes access decisions. Administrator makes access rules. Military standard. Note that historically, the military has been primarily interested in confidentiality. 28

DAC May be user directed or identity based. System makes access decisions. Enables a resource owner to specify what subjects can access what objects. Often implemented as a matrix utilizing Access Control Lists (ACLs). Role based access control is a form of DAC. Commercial standard. 29

MAC and DAC MAC DAC with ACL 30

Non-Discretionary Access Control aka Role Based Control Useful in high turnover areas. Based on the organizational security policy, a central authority determines, by group, what subjects can have access to what objects. Lattice based access control models are considered Non- Discretionary. Lattice based models utilize pairs of elements that have the least upper bound of values and the greatest lower bound. Subject s role, or task, determines access. 31

MAC, DAC, and NDAC Summary Discretionary Access Control User decides what objects are shared with what subjects. Mandatory Access Control Centralized framework decides what objects are shared with what subjects. Non Discretionary Access Control Centralized with predefined roles determining access based upon users role or task. 32

Identification and Authentication Professing an identity to a system. Logon ID Facilitates user accountability. Authentication Verification that claimed identity is valid. User password. Note authentication establishes a subject s identity, does not grant access to a specific resource. 33

Three Possible Authentication Criteria Something you know. Username, password Something you have. Token, key Something you are. Biometrics 34

Two-factor Authentication Requires two of the three authentication factors. ATM card & PIN Credit Card & Signature Username & password 35

Password Problems Vulnerable Password files must be protected. Inconvenient Users forget them. Reputable Users tell them to other people. Expensive When users forget, enterprise has to pay people to reset password, staff help desk, investigate password compromises 36

37

Sample Password Issues Composition Length Lifetime Source Ownership Distribution Storage Entry Transmission Authentication period. 38

Password Attack Methods Brute force Try every possible combination. Dictionary Run an encrypted dictionary. Brute Force and Dictionary attacks are also available in a smart form Trojan horse Capture password on system. Key logger Capture all keystrokes on system. Social Engineering If password passes over a network, then protocol call analyzers will also capture them. 39

Password Countermeasures Time of day restrictions. Length restrictions. Limit unsuccessful logons. Limit concurrent connections. Enable auditing. Put last login date into banner. 40

Password Terms One time password provides maximum security. Tokens can be used to facilitate one time passwords. May be credit card size memory cards or smart cards. Static password is the same for each log-on. Passphrase Sequence of characters that is usually longer than the allotted number for a password. Converted into a virtual password. 41

Tokens Static or dynamic Synchronous dynamic password tokens Time based e.g. secret key encryption of the system time. Asynchronous Dynamic password tokens No time dependency Challenge-response tokens. System generates a random challenge string and the owner enters the string into the token along with the proper PIN. 42

Biometrics Automated means of identifying and/or authenticating the identity of a person based on physiological or behavioral characteristics. Three performance measures False Rejection Rate (FRR) -- Type I error False Acceptance Rate (FAR) -- Type II error Crossover Error Rate (CER) Expressed as a percentage, false acceptance rate equals the false rejection rate. (lower is better) 43

Biometric Issues Enrollment Time Acceptable rate is 2 minutes per person Throughput Time Acceptable rate is 10 people per minute Acceptability Issues Privacy Physical Psychological 44

Potential Biometric Criteria Fingerprints Retina scans Iris scans Facial scans Palm scans Hand geometry Voice Handwritten signature dynamics 45

Biometrics Summary Advantages Can not be forgotten Lasts forever Makes login & authentication easier Possible long term cost advantages when compared to passwords Disadvantages Initial expense Not mature Problematic user acceptance 46

Access Control Methodologies Centralized For dial up users, Radius, CHAP, TACUS, and TACUS + TACUS+ can use 2 part authentication Open Radius Decentralized Utilizes Database Hybrid 47

Single Sign On (SSO) Addresses problem of logging on multiple times to access different resources. Each user has one password for all enterprise resources. Difficult to implement. Examples include: Kerberos SESAME KryptoKnight 48

Kerberos Defacto SSO standard for heterogeneous networks. Assumes that messages are not secure. Specifically designed to eliminate the need to transmit passwords over the network. Centralized access control methodology. Utilizes symmetric key cryptography. Kerberos authenticates clients to other entities on a network from which a client requires services. 49

Kerberos Fundamentals KDC provides security services to principles. Principles may be users or processes KDC initially uses secret keys to exchange information with the client and server. Issues temporary symmetric session keys for communications between: Client and KDC (share a secret key) Server and the KDC (share a different key) Client and server. Security unit called a realm. Realm is a logical grouping of resources. 50

Kerberos Operational Overview 51

Kerberos Logical Components Key Distribution Center (KDC) Hold all secret keys Initially uses secret keys to exchange information with the client and server KDC Logical Components Authentication Service (AS) Authenticates network entities Ticket granting Service (TGS) Generates temporary session keys 52

Kerberos Issues All software must be kerberized. Time clocks must be synchronized. Uses UDP KDC is a single point of failure. 53

Kerberos Vulnerabilities Kerberos addresses confidentiality and integrity. Does not directly address availability. Kerberos servers are vulnerable to both physical attacks and attacks from malicious code. Password guessing can be used to impersonate a client. A client s secret key is stored temporarily on the client workstation and can be compromised as well as the session keys that are stored at the client s computer and at the servers. Network monitor could initiate a replay attack. 54

Security Domain (Realm) Decentralized access control methodology. Realm of trust. Defines the objects a subject can access. Ensures that random activities do not damage system resources. 55

Monitoring IDS Logs Audit trails Network tools 56

Auditing Ensures that users are accountable for their actions. Verifies that security policies are enforced. Works as a deterrence to improper actions. Used as an investigative tool. 57

TEMPEST Study and control of electrical signals emitted by systems. If not controlled, these signals can function as covert channels. For PCs, normally implemented by placing system within a Faraday Cage. 58

Object Reuse Ensures that magnetic media must not have any remanence of previous data. Erased magnetic data can often be recovered. 59

Questions? 60

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information