FORESEC Academy Security Essentials (II) Access Control and Password Management
Agenda • Access Control - Techniques - Models • Passwords - Password Cracking - Password Management
Key Terms & Principles • Data Owner • Data Custodian • Separation of duties • Least Privilege
Access Control Techniques • Discretionary (DAC) • Mandatory (MAC) • Role-based • Rule-based • List-based • Token-based
Lattice Techniques • Access Matrix - Objects - Subjects • Bell-LaPadula • Biba • Clark-Wilson
Lattice Techniques (2) Bell-LaPadula • Designed for military environments • Addresses only confidentiality • Rules - Simple Security Property - Star Property (* Property) - Strong Star Property
Lattice Techniques (3) Biba • Model for integrity • Suited for commercial environments • Rules - Simple Integrity Property - Integrity Star Property • Information flows only downwards
Lattice Techniques (4) Clark-Wilson • Integrity model • Uses an access triple - Subject, Program, Object • Prevents loss or corruption of data • Ensures well-formed transactions
Access Management • Account administration • Maintenance • Monitoring • Revocation
Access Control Models • State machine • Information flow • Covert channels • Non-interference
Protocols • Password Authentication Protocol (PAP) • Challenge Handshake Authentication Protocol (CHAP)
Centralized Control • TACACS • RADIUS • Domains & Trusts • Active Directory • Kerberos
Access Control: Biometrics • Hand: Fingerprint, hand geometry • Eye: retina, iris • Face: Thermograms, Photo • Voice print • Mannerisms: keystroke, tread, handwriting
Access Control: Biometrics (2) Key factors in selecting biometrics: • Reliability - FRR, FAR, CER, EER • User friendliness • Cost
Single Sign-On (SSO) • User only has to log on once • Credentials are carried with the user • Simplifies user management • Allows centralized management • User only has to remember one set of credentials
Single Sign-On (2) • Can take different forms: - Scripts - Directory Services - Kerberos - Thin Clients • Security Issues • Interoperability Issues
What is Password Cracking? Discovering a plaintext password given its encrypted (hashed) form.
Methods of Password Cracking • Dictionary attack • Hybrid attack • Brute force attack
Unix Password Cracking - Crack • Name: Crack • Operating System: Unix • Brief Description: Crack is a "password guessing" program designed to quickly identify accounts with weak passwords, given a Unix password file.
Crack • Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack • Features - Configurable password cracking - Modular approach with various scripts - Combining and extracting password files - Works with any crypt() implementation
Configuring Crack • Download the Crack file • Unzip the file using gzip - gunzip -r crack5.0.tar.gz • Untar the file - tar -xvf crack5.0.tar • Read manual.txt • Edit the script file • Compile the program - Crack -makeonly - Crack -makedict
Running Crack • Run Crack with a password file - Crack [options] [-fmt format] [file ...] - Crack myfile • Pipe output to a file - Crack myfile > output • Run Reporter script to see results - ./Reporter [-quiet] [-html]
Effectiveness of Crack
• User Eric, password eric – CRACKED
• User John, password john1234
• User Mike, password 5369421
• User Mary, password #57adm7#
• User Sue, password sue – CRACKED
• User Lucy, password 12345 – CRACKED
• User Pat, no password – CRACKED
• User Tim, password password – CRACKED
• User Cathy, password 55555 – CRACKED
• User Frank, password abcde – CRACKED
• User Tom, password mnopqr
• User Karen, password bbbbbbbb – CRACKED
How to Protect Against it • Enforce a strong password policy • Use shadow passwords • Use one-time passwords • Use passwd to enforce strong passwords
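The following is an added example, not part of the original slides or of the Crack tool: a small password-policy audit that turns the three attack classes on the "Methods of Password Cracking" slide (dictionary, hybrid, brute force) into proactive checks of the kind a strengthened passwd can enforce, and runs them over the accounts from the "Effectiveness of Crack" slide. The word list and the account table are constructed for the example; the policy is deliberately stricter than what Crack actually recovered, so it also flags accounts the slide shows as uncracked.

```python
import re
import string

# Constructed mini word list; a real audit would load a full dictionary file.
WORDLIST = {"eric", "sue", "password", "admin", "secret", "welcome", "letmein"}
MIN_LENGTH = 8

# Accounts copied from the "Effectiveness of Crack" slide (constructed sample input).
SAMPLE_ACCOUNTS = {
    "eric": "eric", "john": "john1234", "mike": "5369421", "mary": "#57adm7#",
    "sue": "sue", "lucy": "12345", "pat": "", "tim": "password",
    "cathy": "55555", "frank": "abcde", "tom": "mnopqr", "karen": "bbbbbbbb",
}

def _is_sequence(s: str) -> bool:
    """True if s is a run of consecutive characters such as 'abcde', '12345' or 'mnopqr'."""
    return len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))

def _char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/punctuation classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)

def weaknesses(username: str, password: str) -> list[str]:
    """Return the policy rules a password violates; an empty list means it is acceptable."""
    if not password:
        return ["empty"]                      # Pat: no password at all
    low, user = password.lower(), username.lower()
    reasons = []
    if low == user:
        reasons.append("equals username")     # dictionary attack seeded with account names
    if low in WORDLIST:
        reasons.append("dictionary word")     # plain dictionary attack
    hybrid = re.fullmatch(r"([a-z]+)(\d+)", low)
    if hybrid and (hybrid.group(1) in WORDLIST or hybrid.group(1) == user):
        reasons.append("word plus digits")    # hybrid attack: word with digits appended
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    if _is_sequence(low):
        reasons.append("character sequence")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")   # small brute-force keyspace
    if _char_classes(password) < 3:
        reasons.append("fewer than 3 character classes")
    return reasons

def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Run the policy over a username -> password mapping and return only the weak accounts."""
    findings = {}
    for user, pw in accounts.items():
        reasons = weaknesses(user, pw)
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Only Mary's password passes every rule; every account Crack recovered on the slide is flagged, and so are John, Mike and Tom, whose passwords Crack did not recover but which still fall to a hybrid or a short brute-force search.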