Chapter 8 – Common Access Control EECS4482 2016
Access Control Objectives • Confidentiality (includes privacy) • Integrity • Availability
Access Control Processes • Identification (the subject claims an identity) • Authentication (the claim is verified) • Authorization (what the verified subject may do) • Logging • Monitoring
Common Access Controls • Password • Two-factor authentication • Biometrics • Access control lists for granting authorization to information • Locks
Common Access Controls • Encryption • Anti-virus • Patching • Firewall • Intrusion detection system • Intrusion prevention system Used together in layers, so that no single control is a single point of failure; collectively called defence in depth
Passwords • Should not be shared • Should be changed by the user • Should be changed immediately upon compromise (known or suspected unauthorized disclosure); forced periodic rotation without evidence of compromise is no longer recommended (NIST SP 800-63B), because it pushes users toward predictable variations of the old password
Passwords • Long: at least 8 characters, and longer is better; a multi-word passphrase beats a short "complex" string • Drawn from a large character set (mixed case, digits, symbols), with dictionary words, names and previously breached passwords rejected • Stored only as a salted, deliberately slow hash (a one-way function such as bcrypt, scrypt, Argon2 or PBKDF2), never in plaintext or reversible encryption • The system should allow only a few failed attempts before throttling or locking the account; since a hard lockout can itself be abused to deny service to a user, rate limiting or exponential back-off is usually preferable
Password Cracking Methods • Dictionary attacks – hash common names, dictionary words and passwords from earlier breaches and compare the results with the stolen hashes • Brute force – hash every possible combination of characters; the most time consuming method, but the only one guaranteed to succeed eventually • Rule-based (mask) attacks – systematic variations such as a name followed by a month or year, or a word with a trailing digit and symbol • Attackers also keep precomputed hash-to-password tables, called rainbow tables; a random per-password salt defeats them, because the same password no longer produces the same hash.
Passwords • An 8-letter (lowercase) password has 26^8 possibilities, 676 (= 26^2) times more than a 6-letter one. • A user-chosen 6-character password built from a word can be cracked in seconds by a dictionary attack, whatever the character set. • A 6-character alphanumeric password (36 symbols, single case) is about 7 times stronger than a 6-letter one (36^6 / 26^6 ≈ 7); with both cases (62 symbols) the factor is about 180. • A completely random 8-character mixed-case alphanumeric password has 62^8 ≈ 2.2 × 10^14 possibilities. On a 2016 desktop CPU that took on the order of a year to exhaust; against an unsalted fast hash such as MD5 or NTLM, a single modern GPU testing tens of billions of guesses per second exhausts it in hours. The figure therefore depends on the hash function and the hardware, not only on the password. • Required strength should depend on the user's privilege and on whether the system is reachable from the Internet or only locally.
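The keyspace arithmetic behind the figures above, together with the salted slow hashing, constant-time verification and failed-attempt throttling the previous slides call for, as an added example (not code from the course slides; standard library only; the `LoginThrottle` policy object and the sample passwords are illustrative assumptions):

```python
"""Added example: keyspace arithmetic, salted slow password hashing,
constant-time verification and a failed-attempt throttle."""
import hashlib
import hmac
import os
from typing import Optional


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of a given length over an alphabet."""
    return alphabet_size ** length


def crack_time_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given guessing rate.
    The rate is set by the hash function and the hardware, not by the password."""
    return keyspace(alphabet_size, length) / guesses_per_second


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Store passwords only as a salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    The random per-user salt means two users with the same password get different
    hashes, which is what makes precomputed rainbow tables useless; the iteration
    count makes every guess expensive for a cracker."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so timing does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class LoginThrottle:
    """Allow only a few failed attempts before the account is locked
    (hypothetical policy object for illustration, not a library API)."""

    def __init__(self, stored_hash: str, max_failures: int = 5):
        self.stored_hash = stored_hash
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def attempt(self, candidate: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'.  A locked account rejects even
        the correct password until an administrator or a timer resets it."""
        if self.locked:
            return "locked"
        if verify_password(self.stored_hash, candidate):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.locked else "bad_password"


if __name__ == "__main__":
    print("26^8 / 26^6 =", keyspace(26, 8) // keyspace(26, 6))            # 676
    print("36^6 / 26^6 =", round(keyspace(36, 6) / keyspace(26, 6), 1))  # 7.0
    print("62^8 at 5e10 guesses/s: %.1f hours" % (crack_time_seconds(62, 8, 5e10) / 3600))
    stored = hash_password("correct horse battery staple")   # constructed sample password
    print(stored)
    print(verify_password(stored, "correct horse battery staple"),
          verify_password(stored, "Tr0ub4dor&3"))
```

Note that `hash_password` called twice on the same password returns two different strings; that property, not the choice of hash algorithm, is what makes a stolen hash table useless as a rainbow-table lookup.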
Two-factor Authentication (general or application) • Used to compensate for the inherent weaknesses of passwords, i.e., guessing, cracking and phishing. • Combines something the user has (token, phone, smart card) with something the user knows (password or PIN); two passwords are not two factors. • Examples: a token that displays a one-time code that changes every 30 seconds, or an ATM card together with a PIN.
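The one-time code shown by a "token with a dynamic password", as an added example (not code from the course slides): HOTP per RFC 4226 and its time-based form TOTP per RFC 6238, implemented with the standard library, plus the server-side verifier with a small clock-drift window and replay protection. The `TotpVerifier` class and the shared secret shown are illustrative assumptions; the secret happens to be the RFC test-vector seed.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP and a replay-safe verifier."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second intervals
    since the Unix epoch, so token and server agree through their clocks alone."""
    return hotp(key, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side of the second factor.  `window` tolerates one step of clock
    drift either way; `last_counter` ensures a code accepted once is never
    accepted again, so a code observed over the user's shoulder cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c < 0 or c <= self.last_counter:
                continue  # already used, or older than one already used
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed shared secret (RFC test seed)
    print("code for the current 30-second step:", totp(secret, time.time()))
```

The seed must be generated by the server at enrolment and stored as a secret on both sides; the code itself is useless after its 30-second step, which is exactly why a captured password alone no longer suffices.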
Biometrics (general or application) • Can include fingerprint, hand geometry, face, iris, voice, etc. • Held back by privacy concerns and by the fact that a compromised biometric, unlike a password, cannot be changed. • In many jurisdictions not recognised legally in place of a signature.
Operating System Security (general control) • Use a standard hardening checklist (benchmark) for configuration • Lock down workstations (no local administrator rights for ordinary users) to prevent unauthorized installation of software • Use vulnerability scanning software before a system goes into production and periodically afterwards • Use automated patching tools to install security fixes promptly.
Firewall • Can be a packet-filtering router, matching only on addresses, protocols and ports. • Can be a dedicated appliance or server with stateful inspection software, more granular and reliable than router access lists and providing better logs. • Can use heuristics or anomaly detection to look for suspicious traffic patterns.
Firewall • Every organization that hosts a web site should have a firewall to protect its internal network from attackers; the public web server belongs in a separate, firewalled segment (DMZ), not on the internal network. • The firewall blocks traffic that the policy does not permit; the safe configuration denies everything by default and allows only the specific services that are needed.
Firewall • A typical firewall uses an ordered list of rules to decide whether traffic is acceptable: the first matching rule wins, and traffic that matches no rule is dropped. Port scanning, for example, is blocked or alerted on by many organizations. • A rule matches on fields in the packet headers: the IP header carries the source and destination Internet Protocol (IP) addresses and the protocol; the TCP or UDP header carries the source and destination ports. Together these five fields (the "5-tuple") identify a connection.
Firewall • A port is a logical connection point on a networked device, including a computer; it identifies which service on the host a packet is for. • Well-known port numbers standardize Internet traffic, e.g., plain web browsing uses port 80 (HTTP) and encrypted web traffic, including e-commerce, uses port 443 (HTTPS).
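How a firewall evaluates an ordered rule list against the 5-tuple of each packet, as an added example (not code from the course slides): a minimal stateless packet filter with first-match semantics and a default deny. The web server address, internal network, blocklisted range and sample packets are constructed for illustration and use documentation address ranges.

```python
"""Added example: a stateless packet filter with ordered rules and default deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dst: str = "0.0.0.0/0"        # destination network in CIDR notation
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


def filter_packet(rules, pkt: dict) -> str:
    """First matching rule wins.  Anything no rule mentions is dropped:
    the default-deny stance a firewall policy should always end with."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


WEB_SERVER = "192.0.2.10"     # hypothetical public web server
INTERNAL = "10.0.0.0/8"       # hypothetical internal network
RULES = [
    # 1. A blocklisted range is refused before anything else: order matters.
    Rule("deny", src="203.0.113.0/24"),
    # 2. Anyone may reach the web server on HTTP and HTTPS.
    Rule("allow", "tcp", dst=f"{WEB_SERVER}/32", dport=80),
    Rule("allow", "tcp", dst=f"{WEB_SERVER}/32", dport=443),
    # 3. SSH administration of the web server only from the internal network.
    Rule("allow", "tcp", src=INTERNAL, dst=f"{WEB_SERVER}/32", dport=22),
    # Everything else falls through to the implicit deny in filter_packet().
]


def evaluate_samples() -> dict:
    """Constructed packets and the decision the rule set gives for each."""
    samples = {
        "customer https":    {"proto": "tcp", "src": "198.51.100.7", "dst": WEB_SERVER, "dport": 443},
        "customer ssh":      {"proto": "tcp", "src": "198.51.100.7", "dst": WEB_SERVER, "dport": 22},
        "admin ssh":         {"proto": "tcp", "src": "10.1.2.3", "dst": WEB_SERVER, "dport": 22},
        "blocklisted https": {"proto": "tcp", "src": "203.0.113.9", "dst": WEB_SERVER, "dport": 443},
        "udp to port 80":    {"proto": "udp", "src": "198.51.100.7", "dst": WEB_SERVER, "dport": 80},
        "other host":        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.11", "dport": 443},
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:18s} -> {decision}")
```

Swapping rules 1 and 2 would let the blocklisted range reach HTTPS, which is the usual way a firewall rule base drifts into a hole: the rule was written correctly but inserted below a broader allow.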
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL Firewalls, Intrusion Detection Systems, and Antivirus Software (continued) • Network address translation (NAT) • Provides an additional layer of protection by rewriting internal, private addresses to the firewall's public address on the way out. • Conceals the internal IP addresses and network layout from outside hosts and from sniffer programs on the Internet; NAT is not a substitute for a firewall policy, since it does nothing to restrict outbound or established connections.
Firewall Management • The firewall should not be administrable from the Internet; restrict administration to a dedicated management network or VPN, require two-factor authentication and keep an audit trail of rule changes. • Firewall logs should be reviewed regularly to detect attacks and misconfigurations, and shipped to a central log server so that a full local log partition cannot disrupt the firewall itself.
Virus Protection • Companies around the world spend about US $20 billion a year to clean up viruses • All critical servers should run up-to-date anti-virus • All Internet email should be scanned at the gateway • Automated identification of workstations that do not have up-to-date signature files • Organizations should block executable attachment types at the mail gateway to be proactive
SYSTEM VULNERABILITY AND ABUSE Malicious Software: Viruses, Worms, Trojan Horses, and Spyware • Computer viruses: • Rogue programs that attach themselves to other programs or files in order to be executed, usually without the user's knowledge or permission • Deliver a "payload" • Can spread by email attachments and shared files
SYSTEM VULNERABILITY AND ABUSE Malicious Software (continued) • Worms: • Programs that copy themselves from one computer to another over networks without needing a host program • Can destroy data and programs, and halt the operation of computer networks • A common payload is simply the traffic generated while spreading, which ties up the network and denies service.
Worm • Unlike a virus, an Internet worm requires no user interaction to infect a computer; the computer only has to be reachable on a network. • If the computer has the security hole (unpatched vulnerability) targeted by the worm, it will be infected. • The main control is timely patching, backed by firewalls that keep the vulnerable service unreachable from untrusted networks.
Virtual Private Network • Secures remote access to company systems by staff or contractors over the Internet. • Should require two-factor authentication. • Encrypts the traffic in transit (typically with IPsec or TLS), in the same way that eBusiness web sessions are encrypted.
Intrusion Detection System • Monitors the traffic that passes a firewall (typically from a mirror port or network tap) and compares it against attack signatures or a baseline of normal activity. • Alerts the security administrator of questionable or unacceptable patterns; it detects but does not block. • The administrator can then decide, with management guidance if the impact is significant, to add a firewall rule that blocks further traffic of this pattern.
Intrusion Prevention System • Sits inline in the traffic path and applies the same signatures and pattern analysis as an IDS. • Rejects highly questionable or unacceptable traffic automatically. • Catches attacks that a firewall would pass (a firewall looks at headers, an IPS inspects content and behaviour), but a false positive blocks legitimate traffic. Deployed to protect highly sensitive servers.
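The pattern-building step the two slides above describe, as an added example (not code from the course slides): threshold-based port-scan detection run over firewall log lines, producing the alert an IDS would raise and the blocking rule an administrator (or an IPS, automatically) would apply. The log format, the addresses and the sample lines are constructed for illustration.

```python
"""Added example: port-scan detection over constructed firewall log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample: 203.0.113.7 sweeps eight ports in six seconds while
# 198.51.100.5 is an ordinary client repeatedly using HTTPS.
SAMPLE_LOG = """\
2016-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40001 dpt=21
2016-03-01T10:00:01 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp spt=51000 dpt=443
2016-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40002 dpt=22
2016-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40003 dpt=23
2016-03-01T10:00:03 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp spt=51001 dpt=443
2016-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40004 dpt=25
2016-03-01T10:00:04 ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40005 dpt=80
2016-03-01T10:00:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40006 dpt=110
2016-03-01T10:00:06 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40007 dpt=143
2016-03-01T10:00:06 ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40008 dpt=443
2016-03-01T10:00:07 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp spt=51002 dpt=443
2016-03-01T10:00:08 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp spt=51003 dpt=443
2016-03-01T10:00:09 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp spt=51004 dpt=443
2016-03-01T10:00:10 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp spt=51005 dpt=443
"""


def parse_events(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["dpt"] = int(ev["dpt"])
            yield ev


def detect_port_scans(lines, distinct_ports=6, window_seconds=10):
    """Alert when one source touches `distinct_ports` different destination ports
    within `window_seconds`.  Dropped and accepted packets both count, because the
    scanner learns from either answer.  One alert per source."""
    recent = defaultdict(deque)   # src -> (timestamp, dport) pairs inside the window
    alerted, alerts = set(), []
    for ev in parse_events(lines):
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dpt"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "ports": sorted(ports),
                           "first": q[0][0], "last": ev["ts"]})
    return alerts


def block_rule(alert) -> str:
    """The firewall rule an administrator might add in response (iptables syntax)."""
    return f"iptables -A INPUT -s {alert['src']} -j DROP"


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"ALERT scan from {alert['src']}: ports {alert['ports']} "
              f"between {alert['first'].time()} and {alert['last'].time()}")
        print("  suggested rule:", block_rule(alert))
```

The threshold and window are the tuning knobs that trade detection against false positives: a legitimate client that opens many services in quick succession would trip a low threshold, which is the risk the IPS slide refers to when it is allowed to block automatically.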
Encryption • Uses mathematics to scramble data. • Uses a key and an algorithm. Commercial algorithms are public knowledge; the security rests entirely on keeping the key secret (Kerckhoffs's principle). • Symmetric key. • Asymmetric keys (private/public key pair). • Prevents sniffing, i.e., unauthorized interception of data transmission, from revealing the data; by itself it does not prevent deletion or replay.
Symmetric Key Encryption • The same key is used to encrypt and decrypt • Fast to encrypt and decrypt • Large number of keys required for one-to-one secret communication • Number of keys for N people is N(N-1)/2 • Need to secure the key, and to get it to the other party over a channel the attacker cannot read
Application of Encryption • eBusiness • Virtual private network • eMail • Stored data • Digital signature • Wireless network
Asymmetric Encryption • A pair of keys is generated by a user: a private key and a corresponding public key. • The public key can be disclosed. The private key is kept secret. • Anyone can use the public key to encrypt material for the key owner. • Use of the private key should require a passphrase (the stored private key is encrypted under it).
Asymmetric Encryption • The corresponding private key is needed to decrypt. • The two keys cannot be reverse-engineered from each other, i.e., deriving the private key from the public key is computationally infeasible at adequate key sizes (e.g., 2048-bit RSA). • Keys are longer than symmetric keys and the operations are orders of magnitude slower, so asymmetric encryption is used to exchange a symmetric key rather than to encrypt bulk data.
Asymmetric Encryption • Used for email encryption (S/MIME, PGP). • Used for e-commerce, digital certificates and digital signatures. • Number of keys for N users is 2N (one key pair each).
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL Encryption and Public Key Infrastructure • Digital signature: • A digital code attached to an electronically transmitted message that is used to verify the origin and integrity of the message • Digital certificates: • Data files that bind a public key to the identity of a user or electronic asset, used to protect online transactions.
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL Public Key Infrastructure • A set of policies, procedures and servers used to operate a public key environment. • There is a public key server (directory) that holds everybody's certificate for retrieval by programs that use encryption. • There are servers that authenticate users before a certificate is issued and, in some deployments, before a centrally stored private key can be activated; wherever possible the private key stays with its owner (on disk under a passphrase, or on a smart card) rather than on a server.
Limitation of Encryption • If the key is lost, the data cannot be decrypted; key backup or escrow must be part of the design. • Rogue parties can delete or overwrite an encrypted file without knowing the key; therefore access control lists and backups remain important (encryption protects confidentiality, not availability). • Encrypted email attachments cannot be inspected by the anti-virus gateway and are therefore generally stripped or quarantined by it.
Digital Signature • A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.
Digital Signature • The sender uses a hash algorithm (e.g., SHA-256) to compute a fixed-length digest of the document • The sender applies its private key to the digest (for RSA this is often described as "encrypting the hash with the private key") to produce the signature • The recipient uses the same algorithm to hash the received plaintext document • The recipient applies the sender's public key to the signature to recover the digest and compares it with the digest just computed; a match confirms integrity and origin, since only the holder of the private key could have produced the signature.
Digital Certificate • An electronic business card that establishes your credentials when doing business or other transactions on the Web. • It is issued and digitally signed by a certification authority. It contains your name, a serial number, validity dates, the certificate authority's name and your public key; the CA's own public key is carried in the CA's certificate, not in yours. • Anyone can use the certificate authority's public key to verify the signature and so trust the binding between your name and your public key.
Certificate Authority • An organization that issues digital certificates to companies and individuals • An organization can run its own CA and issue certificates to its customers or employees to authenticate internal transactions • The certificate authority performs due diligence to confirm the existence and authenticity of the party before issuing a certificate; the value of every certificate it issues depends on that check.
eBusiness Encryption • Uses both symmetric keys and asymmetric keys (hybrid encryption) • Enforced by the merchant's web server • Merchant sends its certificate, which contains its public key, to the browser
eBusiness Encryption • Browser validates the merchant's digital certificate (CA signature, validity dates, name matching the site) before trusting the public key in it • Browser generates a random symmetric session key, usually 128 bits, as laid down by the Secure Socket Layer (SSL) / TLS handshake • Browser encrypts the symmetric key with the merchant's public key • The encrypted symmetric key is sent to the merchant
eBusiness Encryption • Merchant decrypts the symmetric key with its private key • The symmetric key is used for all subsequent transfer of information between the two parties for the rest of the session. • This is the RSA key-exchange mode of SSL and early TLS; TLS 1.3 removed it in favour of ephemeral Diffie-Hellman, in which the certificate's key only signs the handshake, so a later compromise of the server's private key cannot decrypt recorded sessions (forward secrecy).
Secure Electronic Transaction (SET) • Not widely used in North America because it was less flexible than ordinary SSL-protected eBusiness. • Used more in Hong Kong, Japan and South Korea for wealthy clients. • The protocol has since been abandoned by the card brands; its dual-signature idea is still worth studying.
SET Process A customer receives a "personal" digital certificate from the credit card issuing financial institution, along with a private key. The customer stores it on the hard disk or a removable disk. The financial institution requires the customer to protect it with a passphrase.
SET Process When the customer buys something on a web site, s/he sends his or her digital certificate to the merchant, which forwards a copy to the financial institution. The customer must enter the passphrase to unlock the private key before the personal certificate is used. S/he also downloads the merchant's and the financial institution's digital certificates.
SET Process • The customer's browser hashes the purchase order (PO) and the credit card information (PI) separately to form two message digests. • The customer signs the concatenation of the two digests, producing a single composite "dual signature". • The dual signature is sent to the merchant, which in turn forwards a copy of it to the financial institution.
SET Process The customer uses the merchant's public key to encrypt the purchase order (sending along the digest of the card information) and the financial institution's public key to encrypt the credit card information (sending along the digest of the purchase order). The merchant forwards the still-encrypted credit card information, together with the amount to be charged, to the financial institution.
SET Process • The merchant and the financial institution each use the customer's public key to verify the dual signature. • The merchant and the financial institution use their own private keys to decrypt the purchase order and the credit card info respectively.
SET Process • The merchant and the financial institution independently compute the message digests of the purchase order and the credit card info respectively. • Each combines its own computed digest with the digest it received of the other half and checks the result against the dual signature.
SET Process • Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and the credit/ePayment card information separately and independently. • The card information is not known to the merchant, and the purchase order (except the final amount) is not known to the card-issuing financial institution or payment vendor.
SET Process The financial institution or payment vendor sends a code to the merchant indicating that payment is approved or declined.