490 likes | 526 Views
Access Control Systems & Methodology. CISSP. Topics to be covered. Tokens/SSO Kerberos Attacks/Vulnerabilities/Monitoring IDS Object reuse TEMPEST RAS access control Penetration Testing. Overview Access control implementation Types of access control MAC & DAC Orange Book
E N D
Topics to be covered • Tokens/SSO • Kerberos • Attacks/Vulnerabilities/Monitoring • IDS • Object reuse • TEMPEST • RAS access control • Penetration Testing • Overview • Access control implementation • Types of access control • MAC & DAC • Orange Book • Authentication • Passwords • Biometrics
What is access control? • Access control is the traditional center of security • Definitions: • The ability to allow only authorized users, programs or processes system or resource access • The granting or denying, according to a particular security model, of certain permissions to access a resource • An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
Access control nomenclature • Authentication • Process through which one proves and verifies certain information • Identification • Process through which one ascertains the identity of another person or entity • Confidentiality • Protection of private data from unauthorized viewing • Integrity • Data is not corrupted or modified in any unauthorized manner • Availability • System is usable. Contrast with Denial of Service (DOS)
How can AC be implemented? • Hardware • Software • Application • Protocol (Kerberos, IPSec) • Physical • Logical (policies)
What does AC hope to protect? • Data - Unauthorized viewing, modification or copying • System - Unauthorized use, modification or denial of service • It should be noted that nearly most network operating system is based on a secure physical infrastructure • The easiest way to protect data is not to have it one the system. Make it some-one else’s problem.
Proactive access control • Awareness training • Background checks • Separation of duties • Split knowledge • Policies • Data classification • Effective user registration • Termination procedures • Change control procedures
Physical access control • Guards • Locks • Mantraps • ID badges • Digital Carmeras, sensors, alarms • Biometrics • Fences - the higher the voltage the better • Card-key and tokens • Guard dogs
AC & privacy issues • Expectation of privacy • Policies • Monitoring activity, Internet usage, e-mail • Login banners should detail expectations of privacy and state levels of monitoring • HIPPA
Varied types of Access Control • Discretionary (DAC) • Mandatory (MAC) • Lattice/Role/Task • Formal models: • Biba • Take/Grant • Clark/Wilson • Bell/LaPadula • Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access. • Not Real Useful, but part of the test!
Problems with formal models • Based on a static infrastructure • Defined and succinct policies • These do not work in corporate systems which are extremely dynamic and constantly changing • None of the previous models deals with: • Viruses/active content • Trojan horses • firewalls • Limited documentation on how to build these systems • Last Generation
MAC vs. DAC • Discretionary Access Control • You decided how you want to protect and share your data • Mandatory Access Control • The system decided how the data will be shared
Mandatory Access Control • Assigns sensitivity levels, • Secret, Confidential .. (AKA labels) • Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level. • Only the administrators, not object owners, make change the object level • Generally more secure than DAC • Orange book B-level • Used in systems where security is critical, i.e., military
Mandatory Access Control (Continued) • Downgrade in performance • Relies on the system to control access • Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file. • All output, i.e., print jobs, floppies, other magnetic media must have be labeled as to the sensitivity level
Discretionary Access Control • Access is restricted based on the authorization granted to the user • Orange book C-level • Prime use to separate and protect users from unauthorized data • Used by Unix and Windows. • Relies on the object owner to control access
Access control lists (ACL) • A file used by the access control system to determine who may access what programs and files, in what method and at what time • Different operating systems have different ACL terms • Types of access: • Read/Write/Create/Execute/Modify/Delete/Rename
Orange Book • DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983 • Provides the information needed to classify systems (A,B,C,D), defining the degree of trust that may be placed in them • For stand-alone systems only
Orange book levels • A - Verified protection • A1 • Boeing SNS, Honeywell SCOMP • B - MAC • B1/B2/B3 • MVS w/ s, ACF2 or TopSecret, Trusted IRIX • C - DAC • C1/C2 • DEC VMS, NT, NetWare, Trusted Solaris • D - Minimal security. Systems that have been evaluated, but failed
Problems with the Orange Book • Based on an old model, Bell-LaPadula • Stand alone • network systems extensions exist • Systems take a long time • Certification is expensive • For the most part, not used outside of the government sector
Red Book • Used to extend the Orange Book to networks • Actually two works: • Trusted Network Interpretation of the TCSEC (NCSC-TG-005) • Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
Authentication 3 types of authentication: • Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant • Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport • Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA
Multi-factor authentication • 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. • ATM card + PIN • Credit card + signature • PIN + fingerprint • Username + Password (NetWare, Unix, NT default) • 3-factor authentication -- For higher security • Username + Passcode + SecurID token • Username + Password + Fingerprint
Problems with passwords • Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc. • Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. • Dictionary attacks are only feasible because users choose easily guessed passwords! • Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember • Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
Classic password rules • The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. • Don’t use: • common names, DOB, spouse, phone #, etc. • word found in dictionaries • password as a password • systems defaults • Those trying break passwords have access to most password rules in their tool kit!
Password management • Configure system to use string passwords • Set password time and lengths limits • Limit unsuccessful logins • Limit concurrent connections • Enabled auditing • How policies for password resets and changes • Use last login dates in banners
Password Attacks • See if it is “password” • Brute force • l0phtcrack • Dictionary • Crack • John the Ripper • Trojan horse login program
Biometrics • Authenticating a user via human characteristics • Using measurable physical characteristics of a person to prove their identification • Fingerprint • signature dynamics • Iris • retina • voice • face • DNA, blood
Advantages of hand / fingerprint-based biometrics • Can’t be lent like a physical key or token and can’t be forgotten like a password • Good compromise between ease of use, template size, cost and accuracy • Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases • Basically lasts forever -- or at least until amputation or dismemberment • Makes network login & authentication effortless
Biometric Disadvantages • Still relatively expensive per user • Cost is going down! • Companies & products are often new & immature • Some hesitancy for user acceptance • After 9-11, some thoughts towards use at airport security.
Biometric privacy issues • Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour • Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services • Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
U.S. Airports Now Fingerprint Foreigners • Foreigners arriving at U.S. airports were photographed and had their fingerprints scanned Monday in the start of a government effort to use some of the latest surveillance technology to keep terrorists out of the country.
Practical biometric • Network access control • Staff time and attendance tracking • Authorizing financial transactions • Government benefits distribution (Social Security, welfare, etc.) • Verifying identities at point of sale • Using in conjunction with ATM , credit or smart cards • Controlling physical access to office buildings or homes • Protecting personal property • Prevent against kidnapping in schools, play areas, etc. • Protecting children from fatal gun accidents • Voting/passports/visas & immigration
Tokens • Used to facilitate one-time passwords • Physical card • SecurID • S/Key • Smart card • Access token
Single sign-on • User has one password for all enterprise systems and applications • That way, one strong password can be remembered and used • All of a users accounts can be quickly created on hire, deleted on dismissal • Kerberos, CA-Unicenter, Memco Proxima, IntelliSoftSnareWorks, Tivoli Global Sign-On, x.509
Kerberos • Part of MIT’s Project Athena • Currently in version 5 • Kerberos is an authentication protocol used for networkwide authentication • All software must be kerberized • Tickets, authenticators, key distribution center (KDC) • Divided into realms • Kerberos is the three-headed dog that guards the entrance to Hades (this won’t be on the test)
Attacks • Passive attack - Monitor network traffic and then use data obtained or perform a replay attack. • Hard to detect • Active attack - Attacker is actively trying to break-in. • Exploit system vulnerabilities • Spoofing • Crypto attacks • Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation • Smurf, SYN Flood, Ping of death • Mail bombs
Vulnerabilities • Follow the Money! • Physical • Natural • Floods, earthquakes, terrorists, power outage, lightning • Hardware/Software • Media • Corrupt electronic media, stolen disk drives • Emanation • Communications • Human • Social engineering, disgruntled staff
Monitoring • IDS • Logs • Audit trails • Network tools • Tivoli • Spectrum • OpenView
Intrusion Detection Systems • IDS monitors system or network for attacks • IDS engine has a library and set of signatures that identify an attack • Adds defense in depth • Should be used in conjunction with a system scanner
Object reuse • With Compact Disks – One-Time Write not much of an issue; with tapes, floppies, read/write CDs • Sample Rules • Must ensure that magnetic media must not have any remnance of previous data • Also applies to buffers, cache and other memory allocation • Documents recently declassified as to how 10-pass writes were recovered • Objects must be declassified • Magnetic media must be degaussed or have secure overwrites
TEMPEST - DoD • Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards. • TEMPEST certified equipment, which encases the hardware into a tight, metal construct, shields the electromagnetic emanations • WANG Federal is the leading provider of TEMPEST hardware • TEMPEST hardware is extremely expensive and can only be serviced by certified technicians • Rooms & buildings can be TEMPEST-certified • TEMPEST standards NACSEM 5100A NACSI 5004 are classified documents
Banners • Mostly to protect provider – no one reads them • Some Reasons • Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored • Not foolproof, but a good start, especially from a legal perspective • Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
Penetration Testing • Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies • Discovery and footprint analysis • Exploitation • Physical Security Assessment • Social Engineering • Attempt to identify vulnerabilities and gain access to critical systems within organization • Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization • Assessments allow client to demonstrate the need for additional security resources, by translating exiting vulnerabilities into real life business risks
Rule of least privilege • One of the most fundamental principles of infosec • States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more. • An AC system that grants users only those rights necessary for them to perform their work • Limits exposure to attacks and the damage an attack can cause • Physical security example: car ignition key vs. door key
Implementing least privilege • Ensure that only a minimal set of users have access to full system. • Don’t run insecure programs on the firewall or other trusted host. • Lots more!