1 / 89

Lecture 15 Access Control Processes

Lecture 15 Access Control Processes. What is Access Control?. Access Control Access control is the policy-driven limitation of access to systems, data, and dialogs Prevent attackers from gaining access, stopping them if they do. What is Access Control?. First Steps Enumeration of Resources

elana
Download Presentation

Lecture 15 Access Control Processes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 15Access Control Processes

  2. What is Access Control? • Access Control • Access control is the policy-driven limitation of access to systems, data, and dialogs • Prevent attackers from gaining access, stopping them if they do

  3. What is Access Control? • First Steps • Enumeration of Resources • Sensitivity of Each Resource • Next, who Should Have Access? • Can be made individual by individual • More efficient to define by roles (logged-in users, system administrators, project team members, etc.)

  4. Access Control • What Access Permissions (Authorizations) Should They Have? • Access permissions (authorizations) define whether a role or individual should have any access at all • If so, exactly what the role or individual should be allowed to do to the resource. • Usually given as a list of permissions for users to be able to do things (read, change, execute program, etc.) for each resource

  5. Access Control • How Should Access Control Be Implemented? • For each resource, need an access protection plan for how to implement protection in keeping with the selected control policy • For a file on a server, for instance, limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc. • …

  6. Access Control • Policy-Based Access Control and Protection • Have a specific access control policy and an access protection policy for each resource • Focuses attention on each resource • Guides the selection and configuration of firewalls and other protections • Guides the periodic auditing and testing of protection plans

  7. Password-Based Access Control

  8. Server Password Cracking • Reusable Passwords • A password you use repeatedly to get access to a resource on multiple occasions • Bad because attacker will have time to learn it; then can use it • Difficulty of Cracking Passwords by Guessing Remotely • Usually cut off after a few attempts • However, if can steal the password file, can crack passwords at leisure

  9. Server Password Cracking • Hacking Root • Super accounts (can take any action in any directory) • Hacking root in UNIX • Super accounts in Windows (administrator) and NetWare (supervisor) • Hacking root is rare; usually can only hack an ordinary user account • May be able to elevate the privileges of the user account to take root action

  10. Server Password Cracking • Physical Access Password Cracking • l0phtcrack • Lower-case L, zero, phtcrack • Password cracking program • Run on a server (need physical access) • Or copy password file and run l0phtcrack on another machine.

  11. Server Password Cracking • Physical Access Password Cracking • Brute-force password guessing • Try all possible character combinations • Longer passwords take longer to crack • Using more characters also takes longer • Alphabetic, no case (26 possibilities) • Alphabetic, case (52) • Alphanumeric (letters and numbers) (62) • All keyboard characters (~80)

  12. Password Length Password Length In Characters Alphabetic, No Case (N=26) Alphabetic, Case (N=52) Alphanumeric: Letters & Digits (N=62) All Keyboard Characters (N=~80) 1 26 52 62 80 2 (N2) 676 2,704 3,844 6,400 4 (N4) 456,976 7,311,616 14,776,336 40,960,000 6 308,915,776 19,770,609,664 56,800,235,584 2.62144E+11 8 2.08827E+11 5.34597E+13 2.1834E+14 1.67772E+15 10 1.41167E+14 1.44555E+17 8.39299E+17 1.07374E+19

  13. Server Password Cracking • Physical Access Password Cracking • Brute Force Attacks • Try all possible character combinations • Slow with long passwords length • Dictionary attacks • Try common words (“password”, “ouch,” etc.) • There are only a few thousand of these • Cracked very rapidly • Hybrid attacks • Common word with single digit at end, etc.

  14. Server Password Cracking • Password Policies • Good passwords • At least 6 characters long • Change of case not at beginning • Digit (0 through 9) not at end • Other keyboard character not at end • Example: triV6#ial

  15. Server Password Cracking • Password Policies • Testing and enforcing password policies • Run password cracking program against own servers • Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be • Password duration policies: How often passwords must be changed

  16. Server Password Cracking • Password Policies • Password sharing policies: Generally, forbid shared passwords • Removes ability to learn who took actions; loses accountability • Usually is not changed often or at all because of need to inform all sharers

  17. Server Password Cracking • Password Policies • Disabling passwords that are no longer valid • As soon as an employee leaves the firm, etc. • As soon as contractors, consultants leave • In many firms, a large percentage of all accounts are for people no longer with the firm

  18. Server Password Cracking • Password Policies • Lost passwords • Password resets: Help desk gives new password for the account • Opportunities for social engineering attacks • Leave changed password on answering machine • Biometrics: voice print identification for requestor (but considerable false rejection rate)

  19. Server Password Cracking • Password Policies • Lost passwords • Automated password resets • Employee goes to website • Must answer a question, such as “In what city were you born?” • Problem of easily-guessed questions that can be answered with research

  20. User Name User ID GCOS Shell plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh Group ID Password Home Directory UNIX/etc/passwd File Entries Without Shadow Password File With Shadow Password File Plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh The x indicates that the password is stored in a separate shadow password file

  21. UNIX/etc/passwd File Entries • Unix passwd File • Contains the username, password, and other information is semi-standard form • In the /etc directory that is accessible to anyone • Anyone can steal the passwd file and crack the passwords • Unix Shadow File • Newer versions of Unix store passwords in a protected shadow file • In the passwd file, there is an x in the password position

  22. Server Password Cracking • Password Policies • Encrypted (hashed) password files • Passwords not stored in readable form • Encrypted with DES or hashed with MD5 • In UNIX, etc/passwd puts x in place of password • Encrypted or hashed passwords are stored in a different (shadow) file to which only high-level accounts have access

  23. Server Password Hashing (or Encryption) 2. Hash My4Bad = 11110000 1. User = Lee Password = My4Bad 3. Hashes Match Client PC User Lee Hashed Password File Brown 11001100 Lee 11110000 Chun 00110011 Hatori 11100010 4. Hashes Match, So User is Authenticated

  24. Server Password Cracking • Password Policies • Windows passwords • Obsolete LAN manager passwords (7 characters maximum) should not be used • Windows NTLM passwords are better • Option (not default) to enforce strong passwords

  25. Server Password Cracking • Shoulder Surfing • Watch someone as they type their password • Keystroke Capture Software • Professional versions of windows protect RAM during password typing • Consumer versions do not • Trojan horse throws up a login screen later, reports its finding to attackers

  26. Server Password Cracking • Windows Client PC Software • Consumer version login screen is not for security • Windows professional and server versions provide good security with the login password • BIOS passwords allow boot-up security • Can be disabled by removing the PC’s battery • But during a battery removal, the attacker will be very visible • Screen savers with passwords allow away-from-desk security after boot-up

  27. Physical Building Security

  28. Building Security • Building Security Basics • Single point of (normal) entry to building • Fire doors, etc.: use closed-circuit television (CCTV) and alarms to monitor them • Security centers • Monitors for closed-circuit TV (CCTV) • Videotapes that must be retained (Don’t reuse too much or the quality will be bad) • Alarms

  29. Building Security • Building Security Basics • Interior doors to control access between parts of the building • Piggybacking: holding the door open so that someone can enter without identification defeats this protection • Enforcing policies: You get what you enforce • Training security personnel • Training all employees

  30. Building Security • Building Security Basics • Phone stickers with security center phone number • Thwarting piggybacking by employee education and sanctions for allowing it • Dumpster diving by keeping Dumpsters in locked, lighted area • Drive shredding programs for discarded disk drives that do more than reformat drives

  31. Physical building Cabling 3. Entrance Facility with Termination Equipment 6. Vertical Riser Space 5. Core Switch (Chassis) 4. Router 2. To WAN 1. Equipment Room (Usually in Basement)

  32. Physical building Cabling • Vertical • Distribution 5. Horizontal Distribution 4. Workgroup Switch 3. Telecommunications Closet on Floor 2. Optical Fiber One Pair per Floor

  33. Physical building Cabling Horizontal and Final Distribution Workgroup Switch in Telecoms Closet 1. Horizontal Distribution One 4-Pair UTP Cord

  34. Building Security • Data Wiring Security • Telecommunications closets should be locked • Wiring conduits should be hard to cut into • Servers rooms should have strong access security

  35. Access Cards and Tokens

  36. Access Cards • Magnetic Stripe Cards • Smart Cards • Have a microprocessor and RAM • More sophisticated than mag stripe cards • Release only selected information to different access devices

  37. Access Cards • Tokens • Small device with constantly-changing password • Or device that can plug into USB port or another port • Proximity Tokens • Use short-range radio transmission • Can be detected and tested without physical contact • Allows easier access; used in Tokyo subways

  38. Access Cards • Card Cancellation • Requires a central system • PINs • Personal Identification Numbers • Short: about 4 digits • Can be short because attempts are manual (10,000 combinations to try with 4 digits)

  39. Access Cards • PINs • Should not allow obvious combinations (1111, 1234) or important dates • Provide two-factor authentication • E.g., PIN and card • Don’t allow writing PIN on card

  40. Biometric Authentication

  41. Biometric Authentication • Biometric Authentication • Authentication based on body measurements and motions • Because you always bring your body with you • Biometric Systems • Enrollment • Later access attempts • Acceptance or rejection

  42. Biometric Authentication System 1. Initial Enrollment User Lee Scanning User Lee Template (01101001) Processing (Key Feature Extraction) A=01, B=101, C=001 Template Database Brown 10010010 Lee 01101001 Chun 00111011 Hirota 1101110 … … 3. Match Index Decision Criterion (Close Enough?) 2. Subsequent Access Applicant Scanning User Access Data (01111001) Processing (Key Feature Extraction) A=01, B=111, C=001

  43. Biometric Authentication • Verification Versus Identification • Verification: Are applicants who they claim to be? (compare with single template) • Identification: Who is the applicant? (compare with all templates) • More difficult than verification because must compare to many templates • Watch list: is this person a member of a specific group (e.g., known terrorists) • Intermediate in difficulty

  44. Biometric Authentication • Verification Versus Identification • Verification is good for replacing passwords in logins • Identification is good for door access and other situations where entering a name would be difficult

  45. Biometric Authentication FAR • Precision • False acceptance rates (FARs): Percentage of unauthorized people allowed in • Person falsely accepted as member of a group • Person allowed through a door who should be allowed through it • Very bad for security

  46. Biometric Authentication FRR • Precision • False rejection rates (FRRs): Percentage of authorized people not recognized as being members of the group • Valid person denied door access or server login because not recognized • Can be reduced by allowing multiple access attempts • High FRRs will harm user acceptance because users are angered by being falsely forbidden

  47. Biometric Authentication • Precision • Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances • For instance, having only small numbers of users in the database • For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world

  48. Biometric Authentication • User Acceptance is Crucial • Strong user resistance can kill a system • Fingerprint recognition may have a criminal connotation • Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully. • These require a disciplined group

  49. Biometric Authentication • Biometric Methods • Fingerprint recognition • Dominates the biometric market today • Based on a finger’s distinctive pattern of whorls, arches, and loops • Simple, inexpensive, well-proven • Weak security: can be defeated fairly easily with copies • Useful in modest-security areas

  50. Biometric Authentication • Biometric Methods • Iris recognition • Pattern in colored part of eye • Very low FARs • High FRR if eye is not lined up correctly can harm acceptance • Reader is a camera—does not send light into the eye!

More Related