Access Control Systems & Methodology. CISSP.
Topics to be covered • Tokens/SSO • Kerberos • Attacks/Vulnerabilities/Monitoring • IDS • Object reuse • TEMPEST • RAS access control • Penetration Testing • Overview • Access control implementation • Types of access control • MAC & DAC • Orange Book • Authentication • Passwords • Biometrics
What is access control? • Access control is the traditional center of security • Definitions: • The ability to allow only authorized users, programs or processes system or resource access • The granting or denying, according to a particular security model, of certain permissions to access a resource • An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
Access control nomenclature • Identification • The subject claims an identity (a username, a badge number) • Authentication • The system verifies that claim using something the subject knows, has or is • Confidentiality • Protection of private data from unauthorized viewing • Integrity • Data is not corrupted or modified in any unauthorized manner • Availability • System is usable when needed. Contrast with denial of service (DoS)
How can AC be implemented? • Hardware • Software • Application • Protocol (Kerberos, IPSec) • Physical • Logical (policies)
What does AC hope to protect? • Data - Unauthorized viewing, modification or copying • System - Unauthorized use, modification or denial of service • It should be noted that nearly every network operating system assumes a secure physical infrastructure; with physical access to the machine, logical controls can be bypassed • The easiest way to protect data is not to have it on the system. Make it someone else’s problem.
Proactive access control • Awareness training • Background checks • Separation of duties • Split knowledge • Policies • Data classification • Effective user registration • Termination procedures • Change control procedures
Physical access control • Guards • Locks • Mantraps • ID badges • Digital cameras, sensors, alarms • Biometrics • Fences - the higher the voltage the better • Card-key and tokens • Guard dogs
AC & privacy issues • Expectation of privacy • Policies • Monitoring activity, Internet usage, e-mail • Login banners should detail expectations of privacy and state levels of monitoring • HIPAA
Varied types of Access Control • Discretionary (DAC) • Mandatory (MAC) • Lattice/Role/Task • Formal models: • Bell-LaPadula - confidentiality: a subject may not read above its level (simple security property) or write below it (*-property) • Biba - integrity, the mirror image of Bell-LaPadula: no read down, no write up • Clark/Wilson - integrity for commercial systems, via well-formed transactions and separation of duties • Take/Grant - a graph model of how access rights can propagate between subjects • These models use set theory to define the concept of a secure state, the modes of access, and the rules for granting access • Not very useful day to day, but part of the test!
Problems with formal models • Based on a static infrastructure • Defined and succinct policies • These do not work in corporate systems which are extremely dynamic and constantly changing • None of the previous models deals with: • Viruses/active content • Trojan horses • firewalls • Limited documentation on how to build these systems • Last Generation
MAC vs. DAC • Discretionary Access Control • You, the data owner, decide how you want to protect and share your data • Mandatory Access Control • The system decides how the data will be shared, based on labels and clearances
Mandatory Access Control • Assigns sensitivity levels (AKA labels), e.g., Confidential, Secret • Every object is given a sensitivity label and is accessible only to users whose clearance covers that level • Only administrators, not object owners, may change an object’s label • Generally more secure than DAC • Orange Book B-level • Used in systems where security is critical, i.e., military
Mandatory Access Control (Continued) • Performance cost • Relies on the system, not the user, to control access • Example: if a file is labeled Confidential, MAC prevents a user handling Secret or Top Secret information from writing it into that file (no write down) • All output, i.e., print jobs, floppies, other magnetic media, must be labeled with its sensitivity level
Discretionary Access Control • Access is restricted based on the authorization granted to the user • Orange book C-level • Prime use to separate and protect users from unauthorized data • Used by Unix and Windows. • Relies on the object owner to control access
Access control lists (ACL) • A list, attached to an object or held in a system database, that the access control system consults to determine who may access which programs and files, in what manner and at what time • Different operating systems use different ACL terms and permission sets • Types of access: • Read/Write/Create/Execute/Modify/Delete/Rename
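The slides above describe MAC and DAC in words; the following is an added example (not from the deck) of a toy reference monitor that enforces both: Bell-LaPadula rules over sensitivity labels for MAC, and an owner-managed ACL for DAC. The users, labels, file and administrator list are constructed for the demo, and the `demo()` function replays the slide's Confidential-file scenario.

```python
"""Added example, not from the slides: a toy reference monitor that enforces
mandatory access control (Bell-LaPadula over sensitivity labels) beside
discretionary access control (an owner-managed ACL). Users, labels, files
and the administrator list are constructed for the demo."""
from dataclasses import dataclass, field

# Linear sensitivity lattice, lowest to highest (constructed ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
ADMINS = {"sysadmin"}                     # only these may relabel objects under MAC

@dataclass
class Subject:
    name: str
    clearance: str

@dataclass
class Obj:
    name: str
    label: str                                   # sensitivity label (MAC)
    owner: str                                   # the owner controls the ACL (DAC)
    acl: dict = field(default_factory=dict)      # user -> set of permitted operations

def mac_allows(subject, obj, op):
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down). Writing *up* is permitted by BLP itself; real systems
    add an integrity model such as Biba to stop that."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")

def dac_allows(subject, obj, op):
    """DAC: whatever the owner put in the ACL, and nothing more."""
    return op in obj.acl.get(subject.name, set())

def set_acl(actor, obj, user, ops):
    """DAC: the object owner decides how the data is shared."""
    if actor.name != obj.owner:
        raise PermissionError(f"{actor.name} does not own {obj.name}")
    obj.acl[user] = set(ops)

def relabel(actor, obj, new_label):
    """MAC: the system (its administrators), never the owner, changes labels."""
    if actor.name not in ADMINS:
        raise PermissionError(f"{actor.name} may not relabel {obj.name}")
    if new_label not in LEVELS:
        raise ValueError(f"unknown label {new_label!r}")
    obj.label = new_label

def allowed(subject, obj, op):
    """An Orange Book B-level system applies both checks: MAC first, then DAC."""
    return mac_allows(subject, obj, op) and dac_allows(subject, obj, op)

def demo():
    """The slide's example: a Confidential file must not receive Secret-level
    writes, even from a user who is cleared for Secret and on the ACL."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "unclassified")
    root = Subject("sysadmin", "top secret")
    memo = Obj("memo.txt", "confidential", owner="alice")
    set_acl(alice, memo, "alice", {"read", "write"})
    set_acl(alice, memo, "bob", {"read"})
    results = {
        "alice_read": allowed(alice, memo, "read"),                 # True: reading down is fine
        "alice_write": allowed(alice, memo, "write"),               # False: MAC blocks the write-down
        "bob_read": allowed(bob, memo, "read"),                     # False: MAC blocks the read-up
        "dac_only_alice_write": dac_allows(alice, memo, "write"),   # True: DAC alone would allow it
    }
    try:
        relabel(alice, memo, "unclassified")                        # owner cannot downgrade the label
        results["owner_relabel"] = "allowed"
    except PermissionError:
        results["owner_relabel"] = "denied"
    relabel(root, memo, "secret")                                   # an administrator can
    results["alice_write_after_relabel"] = allowed(alice, memo, "write")   # True: same level now
    return results

if __name__ == "__main__":
    print(demo())
```

Note that `dac_only_alice_write` comes back True: under pure DAC the owner could write anything she likes into her own file, which is exactly the leak MAC exists to stop.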
Orange Book • DoD Trusted Computer System Evaluation Criteria (TCSEC), first issued in 1983 and reissued as DoD 5200.28-STD in 1985 • Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them • For stand-alone systems only
Orange book levels • A - Verified protection • A1 • Boeing SNS, Honeywell SCOMP • B - MAC • B1/B2/B3 • MVS w/ s, ACF2 or TopSecret, Trusted IRIX • C - DAC • C1/C2 • DEC VMS, NT, NetWare, Trusted Solaris • D - Minimal security. Systems that have been evaluated, but failed
Problems with the Orange Book • Based on an old model, Bell-LaPadula, which addresses confidentiality only • Stand-alone systems • Network extensions exist (the Red Book) • Evaluations take a long time • Certification is expensive • For the most part, not used outside of the government sector
Red Book • Used to extend the Orange Book to networks • Actually two works: • Trusted Network Interpretation of the TCSEC (NCSC-TG-005) • Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
Authentication 3 types of authentication: • Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant • Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport • Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA
Multi-factor authentication • 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. • ATM card + PIN • Credit card + signature • PIN + fingerprint • Note that Username + Password (the NetWare, Unix, NT default) is single-factor: the username identifies, it does not authenticate • 3-factor authentication -- For higher security • Username + Password + Fingerprint • Note that Username + Passcode + SecurID token is still two factors, since the SecurID passcode is just PIN (something known) + token code (something held)
Problems with passwords • Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc. • Easily broken - Programs such as crack, SmartPass, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords, and PWDUMP extracts the NT hashes for them. Hashes are not decrypted: the tool hashes candidate passwords and compares • Dictionary attacks are only feasible because users choose easily guessed passwords! • Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember • Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
Classic password rules • The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. • Don’t use: • common names, DOB, spouse, phone #, etc. • words found in dictionaries • “password” as a password • system defaults • Those trying to break passwords have the same password rules in their toolkits and use them to shape their guesses!
Password management • Configure the system to require strong passwords • Set password age and length limits • Limit unsuccessful logins (lockout or back-off) • Limit concurrent connections • Enable auditing • Have policies for password resets and changes • Show the last login date and time at login so users can spot misuse
Password Attacks • See if it is “password” • Brute force • l0phtcrack • Dictionary • Crack • John the Ripper • Trojan horse login program
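To make the "easily broken" and "dictionary attack" points concrete, here is an added example (not from the deck, and not the code of any of the tools named) that shows what a crack-style tool actually does: hash each guess and compare. It contrasts an unsalted fast-hash store, where one pass over the wordlist breaks every account, with a salted, iterated store, and includes an exhaustive search of a 4-digit PIN space. The credential store, wordlist, salt and PIN are constructed for the demo.

```python
"""Added example, not from the slides: what crack-style tools actually do.
A stored hash is not decrypted; the cracker hashes candidate passwords and
compares. The credential store, wordlist, salt and PIN are constructed."""
import hashlib, hmac, itertools, os, string

WORDLIST = ["123456", "password", "letmein", "fluffy", "qwerty", "welcome", "monkey", "dragon"]
CREDS = {"alice": "password", "bob": "fluffy", "carol": "x7#Qm2!zL9pW"}   # constructed accounts
DEMO_ITERATIONS = 10_000   # kept low for the demo; production PBKDF2 counts are far higher

def fast_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_unsalted_store(creds):
    """Unsalted, single fast hash: the shape of the NT-era hash dumps PWDUMP produced."""
    return {u: fast_hash(p.encode()) for u, p in creds.items()}

def crack_unsalted(store, wordlist):
    """One hash per guess serves every account: precompute once, look each user up."""
    table = {fast_hash(w.encode()): w for w in wordlist}       # a rainbow table in miniature
    found = {u: table[d] for u, d in store.items() if d in table}
    return found, len(wordlist)                                  # hash computations performed

def make_salted_store(creds, iterations=DEMO_ITERATIONS):
    """Per-user random salt + iterated PBKDF2: guesses cannot be shared across users."""
    store = {}
    for u, p in creds.items():
        salt = os.urandom(16)
        store[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return store

def crack_salted(store, wordlist):
    found, work = {}, 0
    for u, (salt, iters, digest) in store.items():
        for w in wordlist:
            work += 1                                            # one slow hash per (user, guess)
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters), digest):
                found[u] = w
                break
    return found, work

def brute_force_pin(target_hex, salt, length=4):
    """Exhaustive search: 10**length guesses no matter how 'random' the PIN is,
    which is why short numeric secrets need a lockout or rate limit (see Password management)."""
    for digits in itertools.product(string.digits, repeat=length):
        guess = "".join(digits)
        if fast_hash(salt + guess.encode()) == target_hex:
            return guess
    return None

def demo():
    unsalted = crack_unsalted(make_unsalted_store(CREDS), WORDLIST)
    salted = crack_salted(make_salted_store(CREDS), WORDLIST)
    salt = b"constructed-salt"
    pin = brute_force_pin(fast_hash(salt + b"4077"), salt)
    return unsalted, salted, pin

if __name__ == "__main__":
    print(demo())
```

Both stores give up alice and bob, because their passwords are in the wordlist; no amount of salting or iteration saves a guessable password. What the salted store changes is the cost: 14 slow hashes instead of 8 fast ones for three users, and the gap widens with every account in the dump. carol survives both runs only because her password is not in the list.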
Biometrics • Authenticating a user via human characteristics • Using measurable physical characteristics of a person to prove their identity • Fingerprint • signature dynamics • Iris • retina • voice • face • DNA, blood
Advantages of hand / fingerprint-based biometrics • Can’t be lent like a physical key or token and can’t be forgotten like a password • Good compromise between ease of use, template size, cost and accuracy • Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases • Basically lasts forever -- or at least until amputation or dismemberment • Makes network login & authentication effortless
Biometric Disadvantages • Still relatively expensive per user • Cost is going down! • Companies & products are often new & immature • Some hesitancy for user acceptance • After 9-11, some thoughts towards use at airport security.
Biometric privacy issues • Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour • Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services • Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
U.S. Airports Now Fingerprint Foreigners • Foreigners arriving at U.S. airports were photographed and had their fingerprints scanned Monday in the start of a government effort to use some of the latest surveillance technology to keep terrorists out of the country.
Practical biometric • Network access control • Staff time and attendance tracking • Authorizing financial transactions • Government benefits distribution (Social Security, welfare, etc.) • Verifying identities at point of sale • Using in conjunction with ATM , credit or smart cards • Controlling physical access to office buildings or homes • Protecting personal property • Prevent against kidnapping in schools, play areas, etc. • Protecting children from fatal gun accidents • Voting/passports/visas & immigration
Tokens • Used to facilitate one-time passwords • Physical card • SecurID (time-synchronized hardware token; the passcode is PIN + displayed code) • S/Key (software one-time password scheme built on a hash chain; each password is valid once) • Smart card • Access token
Single sign-on • User has one password for all enterprise systems and applications • That way, one strong password can be remembered and used • All of a user’s accounts can be quickly created on hire, deleted on dismissal • The flip side: one compromised credential opens every system, so the SSO credential store and its authentication flow need the strongest protection • Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509 certificates
Kerberos • Part of MIT’s Project Athena • Currently in version 5 • Kerberos is an authentication protocol used for network-wide authentication, built on a trusted third party and symmetric keys • All participating software must be kerberized • Tickets, authenticators, key distribution center (KDC) • Divided into realms • Kerberos is the three-headed dog that guards the entrance to Hades (this won’t be on the test)
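The slide names the Kerberos pieces (tickets, authenticators, the KDC, realms) without showing how they fit together. The following is an added example, not MIT's code and not from the deck, that runs a toy Kerberos v5-style exchange end to end in the Python standard library: AS exchange (login, TGT), TGS exchange (service ticket) and AP exchange (service access), with timestamps, authenticators, a clock-skew check and a replay cache. The `seal()`/`unseal()` envelope (SHA-256 keystream plus HMAC) is a stand-in for the real Kerberos encryption types; the realm, principals, service name and passwords are constructed.

```python
"""Added example, not MIT's code: a toy Kerberos v5-style AS/TGS/AP exchange
in the Python stdlib, with tickets, authenticators, clock-skew checks and a
replay cache. seal()/unseal() (SHA-256 keystream + HMAC) stand in for the
real enctypes; realm, principals and passwords are constructed."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"   # constructed realm
SKEW = 300              # tolerated clock skew in seconds (Kerberos default: 5 minutes)

def string_to_key(principal, password):
    # Simplified stand-in for the Kerberos string-to-key function.
    return hashlib.sha256(f"{REALM}/{principal}:{password}".encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(ticket, auth):
    """Ticket still valid, and the authenticator binds its presenter to it."""
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(time.time() - auth["ts"]) > SKEW:
        raise ValueError("authenticator outside the clock-skew window")

class KDC:
    """Authentication Server and Ticket Granting Server for one realm."""
    def __init__(self, users, services):
        self.users = {u: string_to_key(u, pw) for u, pw in users.items()}
        self.services = {s: os.urandom(32) for s in services}   # long-term service keys (keytabs)
        self.tgs_key = os.urandom(32)                           # the krbtgt key

    def as_exchange(self, user):
        """AS-REQ/AS-REP: TGT sealed under the krbtgt key, session key under the user's
        password-derived key. No pre-authentication is modelled, so a captured reply
        could be guessed against offline, as with early Kerberos deployments."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": time.time() + 8 * 3600})
        return tgt, seal(self.users[user], {"sk": sk})

    def tgs_exchange(self, tgt, authenticator, spn):
        """TGS-REQ/TGS-REP: prove possession of the TGT session key, receive a service ticket."""
        t = unseal(self.tgs_key, tgt)
        _check(t, unseal(bytes.fromhex(t["sk"]), authenticator))
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.services[spn], {"user": t["user"], "sk": svc_sk, "exp": time.time() + 3600})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})

class Service:
    """A kerberized server: it holds only its own long-term key and never sees passwords."""
    def __init__(self, spn, key):
        self.spn, self.key, self.replay_cache = spn, key, set()

    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        _check(t, unseal(bytes.fromhex(t["sk"]), authenticator))
        if authenticator in self.replay_cache:   # identical bytes: a captured AP-REQ replayed
            raise ValueError("replayed authenticator")
        self.replay_cache.add(authenticator)
        return t["user"]

class Client:
    def __init__(self, user, password, kdc):
        self.user, self.password, self.kdc = user, password, kdc

    def login(self):
        self.tgt, enc = self.kdc.as_exchange(self.user)
        # A wrong password derives the wrong key, so unseal() fails right here.
        self.sk = bytes.fromhex(unseal(string_to_key(self.user, self.password), enc)["sk"])

    def _authenticator(self, key):
        return seal(key, {"user": self.user, "ts": time.time()})

    def access(self, service):
        ticket, enc = self.kdc.tgs_exchange(self.tgt, self._authenticator(self.sk), service.spn)
        auth = self._authenticator(bytes.fromhex(unseal(self.sk, enc)["sk"]))
        return service.ap_exchange(ticket, auth), ticket, auth

def demo():
    kdc = KDC({"alice": "correct horse battery"}, ["host/fs.example.com"])
    fs = Service("host/fs.example.com", kdc.services["host/fs.example.com"])
    alice = Client("alice", "correct horse battery", kdc)
    alice.login()
    who, ticket, auth = alice.access(fs)
    try:
        fs.ap_exchange(ticket, auth)     # an eavesdropper replays the captured AP-REQ
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return who, replay

if __name__ == "__main__":
    print(demo())   # ('alice', 'rejected')
```

Two things worth noticing: the file service never learns alice's password or talks to the KDC, it only needs its own key, which is what "kerberized" buys you; and the replay cache plus the clock-skew window are what stop the passive attack described later in the deck (capture, then replay). Because the replay cache is keyed on the exact authenticator bytes, it only works if every legitimate authenticator is fresh, which the random nonce in `seal()` guarantees here and the timestamp plus microseconds guarantees in real Kerberos.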
Attacks • Passive attack - Monitor network traffic and then use the data obtained, or perform a replay attack. • Hard to detect • Active attack - Attacker is actively trying to break in. • Exploit system vulnerabilities • Spoofing • Crypto attacks • Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation • Smurf, SYN flood, Ping of death • Mail bombs
Vulnerabilities • Follow the Money! • Physical • Natural • Floods, earthquakes, terrorists, power outage, lightning • Hardware/Software • Media • Corrupt electronic media, stolen disk drives • Emanation • Communications • Human • Social engineering, disgruntled staff
Monitoring • IDS • Logs • Audit trails • Network tools • Tivoli • Spectrum • OpenView
Intrusion Detection Systems • IDS monitors system or network for attacks • IDS engine has a library and set of signatures that identify an attack • Adds defense in depth • Should be used in conjunction with a system scanner
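The IDS slide says an engine has "a library and set of signatures"; the attacks slide names Smurf, SYN flood and Ping of death. The following added example (not from the deck, and not any vendor's engine) puts those together: a tiny signature library of predicates over decoded packets, plus a stateful threshold rule for SYN floods, run over a constructed packet trace. The packet records, signatures and thresholds are all assumptions made for the demo.

```python
"""Added example, not from the slides: a minimal IDS engine of the shape the
slide describes, a signature library plus a stateful threshold rule for SYN
floods, run over constructed packet records (no live capture)."""
from collections import defaultdict, deque

# Signature library: name -> predicate over a decoded packet (constructed, not a real ruleset).
SIGNATURES = {
    "ping-of-death": lambda p: p["proto"] == "icmp" and p.get("len", 0) > 65535,
    "smurf": lambda p: p["proto"] == "icmp" and p.get("type") == 8 and p["dst"].endswith(".255"),
    "http-traversal": lambda p: p["proto"] == "tcp" and "../" in p.get("payload", ""),
}

class SynFloodRule:
    """Counts bare SYNs per destination in a sliding window; alerts at most once per window."""
    name = "syn-flood"

    def __init__(self, threshold=100, window=1.0):
        self.threshold, self.window = threshold, window
        self.syns = defaultdict(deque)     # dst -> timestamps of recent bare SYNs
        self.last_alert = {}               # dst -> time of the last alert

    def feed(self, p):
        if p["proto"] != "tcp" or p.get("flags") != "S":
            return None
        q = self.syns[p["dst"]]
        q.append(p["ts"])
        while q and p["ts"] - q[0] > self.window:   # drop SYNs that fell out of the window
            q.popleft()
        recently = p["ts"] - self.last_alert.get(p["dst"], float("-inf")) <= self.window
        if len(q) >= self.threshold and not recently:
            self.last_alert[p["dst"]] = p["ts"]
            return (self.name, p["src"], p["dst"], p["ts"])
        return None

class IDS:
    def __init__(self, signatures, rules):
        self.signatures, self.rules = signatures, rules

    def process(self, packets):
        """Returns (signature_name, src, dst, ts) tuples, one per match."""
        alerts = []
        for p in packets:
            for name, match in self.signatures.items():
                if match(p):
                    alerts.append((name, p["src"], p["dst"], p["ts"]))
            for rule in self.rules:
                a = rule.feed(p)
                if a:
                    alerts.append(a)
        return alerts

def sample_traffic():
    """Constructed trace: benign background plus one instance of each attack."""
    pk = lambda ts, src, dst, proto, **kw: dict(ts=ts, src=src, dst=dst, proto=proto, **kw)
    pkts = [
        pk(1.0, "10.0.0.5", "10.0.0.10", "icmp", type=8, len=64),                      # normal ping
        pk(1.1, "10.0.0.5", "10.0.0.10", "tcp", flags="S"),                             # normal handshake
        pk(1.2, "10.0.0.5", "10.0.0.10", "tcp", flags="PA", payload="GET /index.html"),
        pk(2.0, "198.51.100.7", "10.0.0.10", "icmp", type=8, len=65600),                # ping of death
        pk(3.0, "10.0.0.10", "10.0.0.255", "icmp", type=8, len=64),                     # smurf: echo to broadcast, victim as source
        pk(4.0, "198.51.100.9", "10.0.0.10", "tcp", flags="PA", payload="GET /../../etc/passwd"),
    ]
    # 150 bare SYNs from spoofed sources to one host in under half a second
    pkts += [pk(10.0 + i * 0.003, f"203.0.113.{i % 250}", "10.0.0.10", "tcp", flags="S")
             for i in range(150)]
    return pkts

def run_demo():
    return IDS(SIGNATURES, [SynFloodRule()]).process(sample_traffic())

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The signature matches are stateless, so they fire on the single packet; the SYN flood needs state, which is why it is a rule object with memory rather than a lambda. The "alert once per window" guard is the kind of detail that separates a usable sensor from one that floods the console with 50 identical alerts. Pair this with the system scanner the slide mentions: the IDS sees the attack, the scanner tells you whether the target was actually vulnerable.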
Object reuse • With write-once compact disks not much of an issue; with tapes, floppies and read/write CDs it is • Sample rules • Must ensure that magnetic media has no remanence of previous data • Also applies to buffers, cache and other memory allocations • Declassified documents reportedly describe recovery of data after 10-pass overwrites • Objects must be cleared (declassified) before reuse • Magnetic media must be degaussed or securely overwritten
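The slide's rules apply to media and to memory alike. The following added example (not from the deck) shows the software side of both: overwriting a file in place with random passes and a final zero pass, forcing each pass to the device with `fsync`, and zeroing an in-memory buffer. The file content is constructed. The caveat a practitioner needs is in the lead-in and comments: journaling or copy-on-write filesystems, snapshots, backups and SSD wear levelling all keep copies that a logical overwrite never reaches, which is why the slide still ends with degaussing.

```python
"""Added example, not from the slides: reducing data remanence in software.
Overwrites a file in place (random passes, then zeros, fsync after each),
deletes it, and scrubs an in-memory buffer. The file content is constructed.
Overwriting the logical file does not reach journal entries, CoW copies,
snapshots, backups or remapped flash blocks; for media leaving a classified
environment, degaussing or destruction remains the reliable answer."""
import os, tempfile

def overwrite(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of the file in place; the final pass writes zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for n in range(passes):
            f.seek(0)
            left = size
            while left:
                block = min(chunk, left)
                f.write(b"\x00" * block if n == passes - 1 else os.urandom(block))
                left -= block
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device, not just the page cache
    return size

def secure_delete(path, passes=3):
    """Overwrite, then unlink. Returns the number of bytes that were overwritten."""
    written = overwrite(path, passes)
    os.remove(path)
    return written

def scrub(buf: bytearray):
    """Zero a mutable buffer: object reuse applies to memory too. Immutable
    bytes/str objects cannot be scrubbed this way in CPython, so keep secrets
    in bytearray when you intend to clear them."""
    for i in range(len(buf)):
        buf[i] = 0
    return not any(buf)

def demo(secret=b"TOP SECRET: launch codes 4077"):
    """Write a constructed secret, overwrite, and report what is still readable."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"header\n" + secret + b"\nfooter\n")
    with open(path, "rb") as f:
        before = secret in f.read()
    overwrite(path, passes=2)
    with open(path, "rb") as f:
        data = f.read()
    after = secret in data
    os.remove(path)
    return {"secret_visible_before": before, "secret_visible_after": after,
            "all_zero_after": not any(data), "file_exists_after": os.path.exists(path)}

if __name__ == "__main__":
    print(demo())
```

`demo()` reads the file back through the filesystem, which is the only view this code can check; it proves the logical blocks were replaced, not that no copy survives elsewhere on the device.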
TEMPEST - DoD • Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards. • TEMPEST certified equipment, which encases the hardware into a tight, metal construct, shields the electromagnetic emanations • WANG Federal is the leading provider of TEMPEST hardware • TEMPEST hardware is extremely expensive and can only be serviced by certified technicians • Rooms & buildings can be TEMPEST-certified • TEMPEST standards NACSEM 5100A NACSI 5004 are classified documents
Banners • Mostly to protect provider – no one reads them • Some Reasons • Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored • Not foolproof, but a good start, especially from a legal perspective • Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
Penetration Testing • Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies • Discovery and footprint analysis • Exploitation • Physical Security Assessment • Social Engineering • Attempts to identify vulnerabilities and gain access to critical systems within the organization • Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization • Assessments allow the client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real-life business risks
Rule of least privilege • One of the most fundamental principles of infosec • States that: Any subject (user, administrator, program, system) should have only the least privileges it needs to perform its assigned task, and no more. • An AC system that grants users only those rights necessary for them to perform their work • Limits exposure to attacks and the damage an attack can cause • Physical security example: car ignition key vs. door key
Implementing least privilege • Ensure that only a minimal set of users have access to the full system. • Don’t run insecure programs on the firewall or other trusted hosts. • Lots more!