470 likes | 494 Views
Learn about the various types of access control, including identification, authentication, and authorization. Explore control models and techniques, single sign-on technologies, and centralized and decentralized administration. Understand the roles of access control in limiting system access, protecting against unauthorized disclosure, and implementing physical, technical, and administrative controls.
E N D
Information Systems Security Access Control Domain #2
Objectives • Access control types • Identification, authentication, authorization • Control models and techniques • Single sign-on technologies • Centralized and decentralized administration • Intrusion Detection Systems (IDS)
Roles of Access Control • Limit System Access • Access based on identity, groups, clearance, need-to-know, location, etc. • Protect against unauthorized disclosure, corruption, destruction, or modification • Physical • Technical • Administrative
Access Control Examples • Physical • Locks, guards • Technical • Encryption, password, biometrics • Administrative • Policies, procedures, security training
Access Control Characteristics • Preventative • Keeps undesirable events from happening • Detective • Identify undesirable events that have happened • Corrective • Correct undesirable events that have happened • Deterrent • Discourage security violations from taking place
Continued • Recovery • Restore resources and capabilities after a violation or accident • Compensation • Provides alternatives to other controls
Who are You? • Identification – username, ID account # • Authentication – passphrase, PIN, bio • Authorization – “What are you allowed to do” • Separation of Duties • Least Privilege
Authentication • Something you know • Something you have • Something you are • 2-Factor Authentication • Use 2 out of the 3 types of characteristics
Access Criteria • Security Clearance • Mandatory control systems and labels • Need-to-Know • Formal processes • Requirements of role within company for access • Least Privilege • Lease amount of rights to carry out tasks • No authorization creep • Default to “NO ACCESS”
Example Controls • Biometrics • Retina, finger, voice, iris • Tokens • Synchronous and Asynchronous device • Memory Cards • ATM card, proximity card • Smart Cards • Credit card, ID card
Biometric Controls • Uses unique personal attributes • Most expensive and accurate • Society has low acceptance rate • Experience growth after 9-11-2001
Error Types • Type I error • Rejects authorized individuals (False Reject) • Too high a level of sensitivity • Type II error • Accepts imposter (False Accept) • Too low a level of sensitivity • Crossover Error Rate (CER) • JUST RIGHT!!!!!
Biometric Example • Fingerprint • Ridge endings and bifurcations • Finger Scan • Uses less data than fingerprint (minutiae) • Palm Scan • Creases, ridges, and grooves from palm • Hand Geometry • Length and width of hand and fingers
More Biometrics • Retina Scan • Blood vessel pattern on back of eyeball • Iris Scan • Colored portion of eye • Signature Dynamics • Electrical signals of signature process • Keyboard Dynamics • Electrical signals of typing process
More Biometrics • Voice Print • Differences in sound, frequency, and pattern • Facial Scan • Bone structure, nose, forehead size, and eye width • Hand Topology • Size and width of side of hand
Passwords • Least secure but cheap • Should be at least 8 characters and complex • Keep a password history • Clipping levels used • Audit logs
Password Attacks • Dictionary Attacks • Rainbow tables • Brute Force Attack • Every possible combination
Countermeasures • Encrypt passwords • Use password advisors • Do not transmit in clear text • GREATLY protect central store of passwords • Use cognitive passwords • Based on life experience or opinions
One-time Passwords • Dynamic • Generated for one time use • Protects against replay attacks • Token devices can generate • Synchronized to time or event • Based on challenge response mechanism • Not as vulnerable as regular passwords
Passphrase • Longer than a password • Provides more protection • Harder to guess • Converted to virtual password by software
Memory Cards • Magnetic stripe holds data but cannot process data • No processor or circuits • Proximity cards, credit cards, ATM cards • Added costs compared to other technologies
Smart Card • Microprocessor and IC • Tamperproof device (lockout) • PIN used to unlock • Could hold various data • Biometrics, challenge, private key, history • Added costs • Reader purchase • Card generation and maintenance
Single Sign-on (SSO) • Scripting Authentication Characteristics • Carry out manual user authentication • As users are added or changed, more maintenance is required for each script • Usernames and passwords held in one central script • Many times in clear text
SSO Continued • Used by directory services (x.500) • Used by thin clients • Used by Kerberos • If KDC is compromised, secret key of every system is also compromised • If KDC is offline, no authentication is possible
Kerberos • Authentication, confidentiality, integrity • NO Non-availability and repudiation services • Vulnerable to password guessing • Keys stored on user machines in cache • All principles must have Kerberos software • Network traffic should be encrypted
SESAME • Secure European System for Application in a Multi-vendor Environment • Based on asymmetric cryptography • Uses digital signatures • Uses certificates instead of tickets • Not compatible with Kerberos
Access Control Threats • DOS • Buffer Overflow • Mobile Code • Malicious Software • Password Cracker • Spoofing/Masquerading • Sniffers
More Access Control Threats • Eavesdropping • Emanations • Shoulder Surfing • Object Reuse • Data Remanence • Unauthorized Data Mining • Dumpster Diving
More Threats • Theft • Social Engineering • Help Desk Fraud
Access Control Models • Once security policy is in place, a model must be chosen to fulfill the directives • Discretionary access control (DAC) • Mandatory access control (MAC) • Role-based access control (RBAS) • Also called non-discretionary
Discretionary • Used by OS and applications • Owner of the resource determines which subjects can access • Subjects can pass permissions to others • Owner is usually the creator and has full control • Less secure than mandatory access
Mandatory Access • Access decisions based on security clearance of subject and object • OS makes the decision, not the data owner • Provides a higher level of protection • Used by military and government agencies
Role Based Access Control • Also called non-discretionary • Allows for better enforcing most commercial security policies • Access is based on user’s role in company • Admins assign user to a role (implicit) and then assign rights to the role • Best used in companies with a high rate of turnover
Remote Authentication Dial-in User Services (RADIUS) • AAA protocol • De facto standard for authentication • Open source • Works on a client/server model • Hold authentication information for access
Terminal Access Controller Access Control System (TACACS) • Cisco proprietary protocol • Splits authentication, authorization, and auditing features • Provides more protection for client-to-server communication than RADIUS • TACACS+ adds two-factor authentication • Not compatible with RADIUS
Diameter • New and improved RADIUS • Users can move between service provider networks and change their point of attachment • Includes better message transport, proxying, session control, and higher security for AAA • Not compatible with RADIUS
Decentralized Access Control • Owner of asset controls access administration • Leads to enterprise inconsistencies • Conflicts of interest become apparent • Terminated employees’ rights hard to manage • Peer-to-peer environment
Hybrid Access Control • Combines centralized and decentralized administration methods • One entity may control what users access • Owners choose who can access their personal assets
Ways of Controlling Access • Physical location • MAC addresses • Logical location • IP addresses • Time of day • Only during work day • Transaction type • Limit on transaction amounts
Technical Controls • System access • Individual computer controls • Operating system mechanisms • Network access • Domain controller logins • Methods of access • Network architecture • Controlling flow of information • Network devices implemented • Auditing and encryption
Physical Controls • Network segregation • Wiring closets need physical entry protection • Perimeter security • Restrict access to facility and assets • Computer controls • Remove floppys and CDs • Lock computer cases
Protect Audit Logs • Hackers attempt to scrub the logs • Organizations that are regulated MUST keep logs for a specific amount of time • Integrity of logs can be protected with hashing algorithms • Restrict network administrator access
Intruder Detection Systems (IDS) • Software employed to monitor a network segment or an individual computer • Network-based • Monitors traffic on a network segment • Sensors communicate with central console • Host-based • Small agent program that resides on individual computer • Detects suspicious activity on one system
IDS Placement • In front of firewall • Uncover attacks being launched • Behind firewall • Root out intruders who have gotten through • Within intranet • Detect internal attacks
Type of IDS • Signature-based • Knowledge based • Database of signatures • Cannot identify new attacks • Need continual updating • Behavior-based • Statistical or anomaly based • Creates many false positives • Compares activity to ‘what is normal’
IDS Issues • May not process all packets on large network • Cannot analyze encrypted data • Lots of false alarms • Not an answers to all problems • Switched networks make it hard to examine all packets
Traps for Intruders • Padded Cell • Codes within a product to detect if malicious activity is taking place • Virtual machine provides a ‘safe’ environment • Intruder is moved to this environment • Intruder does not realize that he is not is the original environment • Protects production system from hacking • Similar to honeypots