
Information Systems Security

Learn about the various types of access control, including identification, authentication, and authorization. Explore control models and techniques, single sign-on technologies, and centralized and decentralized administration. Understand the roles of access control in limiting system access, protecting against unauthorized disclosure, and implementing physical, technical, and administrative controls.

irichardson


Presentation Transcript


  1. Information Systems Security: Access Control (Domain #2)

  2. Objectives
  • Access control types
  • Identification, authentication, authorization
  • Control models and techniques
  • Single sign-on technologies
  • Centralized and decentralized administration
  • Intrusion Detection Systems (IDS)

  3. Roles of Access Control
  • Limit system access
    • Access based on identity, groups, clearance, need-to-know, location, etc.
  • Protect against unauthorized disclosure, corruption, destruction, or modification
  • Physical
  • Technical
  • Administrative

  4. Access Control Examples
  • Physical
    • Locks, guards
  • Technical
    • Encryption, passwords, biometrics
  • Administrative
    • Policies, procedures, security training

  5. Access Control Characteristics
  • Preventative
    • Keeps undesirable events from happening
  • Detective
    • Identifies undesirable events that have happened
  • Corrective
    • Corrects undesirable events that have happened
  • Deterrent
    • Discourages security violations from taking place

  6. Continued
  • Recovery
    • Restores resources and capabilities after a violation or accident
  • Compensation
    • Provides alternatives to other controls

  7. Who are You?
  • Identification – username, ID, account #
  • Authentication – passphrase, PIN, biometrics
  • Authorization – “What are you allowed to do”
  • Separation of Duties
  • Least Privilege

  8. Authentication
  • Something you know
  • Something you have
  • Something you are
  • 2-Factor Authentication
    • Use 2 out of the 3 types of characteristics

  9. Access Criteria
  • Security Clearance
    • Mandatory control systems and labels
  • Need-to-Know
    • Formal processes
    • Requirements of the role within the company for access
  • Least Privilege
    • Least amount of rights needed to carry out tasks
    • No authorization creep
    • Default to “NO ACCESS”

  10. Example Controls
  • Biometrics
    • Retina, finger, voice, iris
  • Tokens
    • Synchronous and asynchronous devices
  • Memory Cards
    • ATM card, proximity card
  • Smart Cards
    • Credit card, ID card

  11. Biometric Controls
  • Use unique personal attributes
  • Most expensive and most accurate
  • Society has a low acceptance rate
  • Experienced growth after 9-11-2001

  12. Error Types
  • Type I error
    • Rejects authorized individuals (False Reject)
    • Too high a level of sensitivity
  • Type II error
    • Accepts an imposter (False Accept)
    • Too low a level of sensitivity
  • Crossover Error Rate (CER)
    • JUST RIGHT!!!!!
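The Type I / Type II trade-off on this slide is easiest to see by sweeping the matcher threshold and watching the two rates cross. The block below is an added example, not code from the slides: the match scores are constructed, and `crossover_threshold` is a hypothetical helper that returns the threshold at which the false reject rate (FRR) and false accept rate (FAR) are closest, which is the CER.

```python
# Added example (not from the slides): FRR, FAR and the crossover error rate (CER)
# for a biometric matcher, computed over constructed match scores in [0, 1].
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.70, 0.65, 0.60, 0.55]   # constructed: enrolled users
IMPOSTOR = [0.15, 0.22, 0.30, 0.38, 0.45, 0.52, 0.58, 0.66]  # constructed: impostors


def false_reject_rate(threshold, genuine=GENUINE):
    """Type I error: share of genuine attempts scoring below the threshold.
    Raising the threshold (sensitivity) pushes this rate up."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(threshold, impostor=IMPOSTOR):
    """Type II error: share of impostor attempts scoring at or above the threshold.
    Lowering the threshold (sensitivity) pushes this rate up."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Hypothetical helper: sweep thresholds 0.00..1.00 and return
    (threshold, error_rate) at the point where FRR and FAR are closest (the CER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(t, genuine)
        far = false_accept_rate(t, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.59, 0.8):
        print(f"threshold={t:.2f}  FRR={false_reject_rate(t):.3f}  FAR={false_accept_rate(t):.3f}")
    print("CER at threshold %.2f, error rate %.3f" % crossover_threshold())
```

Tuning a real device means choosing a point on this curve rather than minimizing one error type alone: a door reader is usually tuned toward the FAR side (fewer impostors accepted) and accepts more false rejects as the price.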

  13. Biometric Examples
  • Fingerprint
    • Ridge endings and bifurcations
  • Finger Scan
    • Uses less data than a fingerprint (minutiae)
  • Palm Scan
    • Creases, ridges, and grooves of the palm
  • Hand Geometry
    • Length and width of hand and fingers

  14. More Biometrics
  • Retina Scan
    • Blood vessel pattern on the back of the eyeball
  • Iris Scan
    • Colored portion of the eye
  • Signature Dynamics
    • Electrical signals of the signature process
  • Keyboard Dynamics
    • Electrical signals of the typing process

  15. More Biometrics
  • Voice Print
    • Differences in sound, frequency, and pattern
  • Facial Scan
    • Bone structure, nose, forehead size, and eye width
  • Hand Topology
    • Size and width of the side of the hand

  16. Passwords
  • Least secure but cheap
  • Should be at least 8 characters and complex
  • Keep a password history
  • Clipping levels used
  • Audit logs

  17. Password Attacks
  • Dictionary Attacks
  • Rainbow tables
  • Brute Force Attack
    • Every possible combination

  18. Countermeasures
  • Encrypt passwords
  • Use password advisors
  • Do not transmit in clear text
  • GREATLY protect the central store of passwords
  • Use cognitive passwords
    • Based on life experience or opinions
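Slides 16 and 18 list the password controls (length and complexity, history, clipping levels, audit logs, protecting the central store) without showing how they fit together. The following is an added example, not code from the slides: a toy central password store, `PasswordStore`, that keeps only salted PBKDF2 hashes, refuses reuse of recent passwords, locks an account once a clipping level of failed attempts is reached, and records every decision in an in-memory audit log. The class name, iteration count and sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import os


class PasswordStore:
    """Hypothetical central password store (added example, not from the slides).
    Stores salted PBKDF2-HMAC-SHA256 hashes rather than passwords, keeps a
    history so recent passwords cannot be reused, and enforces a clipping
    level: after that many failures the account is locked and audited."""

    ITERATIONS = 50_000          # assumed for the example; raise for production use

    def __init__(self, clipping_level=3, history_size=5):
        self.clipping_level = clipping_level
        self.history_size = history_size
        self.users = {}          # username -> {salt, hash, history, failures, locked}
        self.audit_log = []      # constructed in-memory audit trail

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def _log(self, event, user):
        self.audit_log.append(f"{event} user={user}")

    @staticmethod
    def password_ok(password):
        """Slide 16 rule: at least 8 characters and complex (3 of 4 character classes)."""
        classes = [any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)]
        return len(password) >= 8 and sum(classes) >= 3

    def enroll(self, user, password):
        if not self.password_ok(password):
            raise ValueError("password too short or not complex")
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt),
                            "history": [], "failures": 0, "locked": False}
        self._log("ENROLL", user)

    def _matches_any(self, password, pairs):
        return any(hmac.compare_digest(self._hash(password, s), h) for s, h in pairs)

    def change_password(self, user, new_password):
        rec = self.users[user]
        if not self.password_ok(new_password):
            return False
        # Password history: reject the current password and the last N previous ones
        if self._matches_any(new_password, rec["history"] + [(rec["salt"], rec["hash"])]):
            self._log("REUSE_REJECTED", user)
            return False
        rec["history"] = (rec["history"] + [(rec["salt"], rec["hash"])])[-self.history_size:]
        rec["salt"] = os.urandom(16)
        rec["hash"] = self._hash(new_password, rec["salt"])
        self._log("PASSWORD_CHANGED", user)
        return True

    def authenticate(self, user, password):
        rec = self.users.get(user)
        if rec is None or rec["locked"]:
            self._log("DENIED", user)
            return False
        if hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            self._log("LOGIN_OK", user)
            return True
        rec["failures"] += 1
        self._log("LOGIN_FAIL", user)
        if rec["failures"] >= self.clipping_level:   # clipping level reached: lock out
            rec["locked"] = True
            self._log("LOCKED", user)
        return False


if __name__ == "__main__":
    store = PasswordStore(clipping_level=3)
    store.enroll("alice", "Correct-Horse9")            # constructed credential
    for guess in ("wrong1", "wrong2", "wrong3", "Correct-Horse9"):
        print(guess, "->", store.authenticate("alice", guess))
    print("\n".join(store.audit_log))
```

Two points worth noting: the store never holds a reversible form of the password, so compromise of the central store yields only slow-to-crack hashes, and the lockout fires on the audit trail rather than silently, so a burst of `LOGIN_FAIL` followed by `LOCKED` is visible to whoever reviews the logs.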

  19. One-time Passwords
  • Dynamic
    • Generated for one-time use
    • Protects against replay attacks
  • Token devices can generate them
    • Synchronized to time or event
    • Based on a challenge-response mechanism
  • Not as vulnerable as regular passwords
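The event- and time-synchronized token types on this slide are the two standard OTP constructions, HOTP (RFC 4226) and TOTP (RFC 6238). The block below is an added example, not code from the slides: it implements both from the standard library and adds a hypothetical server-side `OtpVerifier` that accepts each counter value once, which is what makes a captured code useless for replay. The secret is the RFC 4226 test key, reused here only because its expected codes are published.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronous OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous OTP (RFC 6238): the counter is the number of `step`-second
    intervals elapsed, so token and server agree as long as their clocks do."""
    return hotp(secret, int(at_time // step), digits)


class OtpVerifier:
    """Hypothetical server-side check (added example). Each counter is consumed
    at most once: a code that was already accepted, or that belongs to an older
    counter, is rejected, which defeats replay of a sniffed code."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window          # how many counters ahead to tolerate
        self.last_counter = -1        # highest counter already accepted

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resynchronize; everything at or below c is now dead
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test vector key
    print("HOTP counter 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at t=59s:", totp(secret, 59))
    v = OtpVerifier(secret)
    print("first use accepted:", v.verify("755224"))
    print("replay accepted:", v.verify("755224"))
```

The look-ahead window lets a token that was pressed without being used (its counter has drifted ahead) still authenticate, while the monotonic `last_counter` guarantees that neither that code nor any earlier one can be presented again.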

  20. Passphrase
  • Longer than a password
  • Provides more protection
  • Harder to guess
  • Converted to a virtual password by software

  21. Memory Cards
  • Magnetic stripe holds data but cannot process data
  • No processor or circuits
  • Proximity cards, credit cards, ATM cards
  • Added costs compared to other technologies

  22. Smart Card
  • Microprocessor and IC
  • Tamperproof device (lockout)
  • PIN used to unlock
  • Could hold various data
    • Biometrics, challenge, private key, history
  • Added costs
    • Reader purchase
    • Card generation and maintenance

  23. Single Sign-on (SSO)
  • Scripting Authentication Characteristics
    • Scripts carry out manual user authentication
    • As users are added or changed, more maintenance is required for each script
    • Usernames and passwords held in one central script
    • Many times in clear text

  24. SSO Continued
  • Used by directory services (X.500)
  • Used by thin clients
  • Used by Kerberos
    • If the KDC is compromised, the secret key of every system is also compromised
    • If the KDC is offline, no authentication is possible

  25. Kerberos
  • Provides authentication, confidentiality, integrity
  • Does NOT provide availability or non-repudiation services
  • Vulnerable to password guessing
  • Keys stored in cache on user machines
  • All principals must have Kerberos software
  • Network traffic should be encrypted

  26. SESAME
  • Secure European System for Application in a Multi-vendor Environment
  • Based on asymmetric cryptography
  • Uses digital signatures
  • Uses certificates instead of tickets
  • Not compatible with Kerberos

  27. Access Control Threats
  • DoS
  • Buffer Overflow
  • Mobile Code
  • Malicious Software
  • Password Cracker
  • Spoofing/Masquerading
  • Sniffers

  28. More Access Control Threats
  • Eavesdropping
  • Emanations
  • Shoulder Surfing
  • Object Reuse
  • Data Remanence
  • Unauthorized Data Mining
  • Dumpster Diving

  29. More Threats
  • Theft
  • Social Engineering
  • Help Desk Fraud

  30. Access Control Models
  • Once a security policy is in place, a model must be chosen to fulfill its directives
  • Discretionary access control (DAC)
  • Mandatory access control (MAC)
  • Role-based access control (RBAC)
    • Also called non-discretionary

  31. Discretionary
  • Used by OS and applications
  • Owner of the resource determines which subjects can access it
  • Subjects can pass permissions to others
  • Owner is usually the creator and has full control
  • Less secure than mandatory access control

  32. Mandatory Access
  • Access decisions based on the security clearance of the subject and the label of the object
  • OS makes the decision, not the data owner
  • Provides a higher level of protection
  • Used by military and government agencies

  33. Role Based Access Control
  • Also called non-discretionary
  • Better at enforcing most commercial security policies
  • Access is based on the user’s role in the company
  • Admins assign the user to a role (implicit) and then assign rights to the role
  • Best used in companies with a high rate of turnover
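Slides 30 to 33 describe the three models in prose; the block below is an added example, not code from the slides, that puts each decision rule in a few lines so the differences are visible: in DAC the owner's ACL decides and owners can delegate, in MAC the system compares labels and no owner can override, and in RBAC rights attach to roles so removing a departed user is one operation. The MAC rule uses the Bell-LaPadula "no read up / no write down" comparison with compartments standing in for need-to-know; the class and level names are assumptions made for the example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Assumed clearance ladder for the example."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# --- Discretionary: the owner keeps an ACL and may delegate rights ---------------
class DacResource:
    """Hypothetical DAC object (added example): the creator owns it with full control."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, granter, subject, right):
        """Only a subject holding 'grant' may pass a right to someone else."""
        if "grant" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(subject, set()).add(right)
        return True

    def allowed(self, subject, right):
        return right in self.acl.get(subject, set())


# --- Mandatory: the system compares labels; the owner has no say ---------------
# A label is (Level, frozenset of compartments); compartments model need-to-know.
def dominates(a, b):
    """Label a dominates b when its level is at least b's and it holds all of b's compartments."""
    return a[0] >= b[0] and a[1] >= b[1]


def mac_allowed(subject_label, object_label, right):
    """Bell-LaPadula: read only when the subject dominates the object (no read up),
    write only when the object dominates the subject (no write down)."""
    if right == "read":
        return dominates(subject_label, object_label)
    if right == "write":
        return dominates(object_label, subject_label)
    return False


# --- Role-based: rights attach to roles, users attach to roles -----------------
class Rbac:
    """Hypothetical RBAC store (added example)."""

    def __init__(self):
        self.role_rights = {}
        self.user_roles = {}

    def add_right(self, role, right):
        self.role_rights.setdefault(role, set()).add(right)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_user(self, user):
        """High turnover: one call removes every right the user had via roles."""
        self.user_roles.pop(user, None)

    def allowed(self, user, right):
        return any(right in self.role_rights.get(r, set())
                   for r in self.user_roles.get(user, ()))


if __name__ == "__main__":
    doc = DacResource("alice")
    doc.grant("alice", "bob", "read")
    print("DAC: bob read ->", doc.allowed("bob", "read"))
    analyst = (Level.TOP_SECRET, frozenset({"NUKE", "CRYPTO"}))
    report = (Level.SECRET, frozenset({"NUKE"}))
    print("MAC: analyst read report ->", mac_allowed(analyst, report, "read"))
    print("MAC: analyst write report ->", mac_allowed(analyst, report, "write"))
    rb = Rbac()
    rb.add_right("teller", "view_balance")
    rb.assign("dave", "teller")
    print("RBAC: dave view_balance ->", rb.allowed("dave", "view_balance"))
```

Note what each model cannot express: `DacResource` cannot stop `bob` from being granted `grant` and then sharing further, `mac_allowed` forbids the analyst from writing into the SECRET report even though the analyst may read it, and `Rbac` answers only in terms of roles, so a one-off exception needs a new role rather than a per-user entry.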

  34. Remote Authentication Dial-in User Service (RADIUS)
  • AAA protocol
  • De facto standard for authentication
  • Open source
  • Works on a client/server model
  • Holds authentication information for access

  35. Terminal Access Controller Access Control System (TACACS)
  • Cisco proprietary protocol
  • Splits authentication, authorization, and auditing features
  • Provides more protection for client-to-server communication than RADIUS
  • TACACS+ adds two-factor authentication
  • Not compatible with RADIUS

  36. Diameter
  • New and improved RADIUS
  • Users can move between service provider networks and change their point of attachment
  • Includes better message transport, proxying, session control, and higher security for AAA
  • Not compatible with RADIUS

  37. Decentralized Access Control
  • Owner of the asset controls access administration
  • Leads to enterprise inconsistencies
  • Conflicts of interest become apparent
  • Terminated employees’ rights are hard to manage
  • Peer-to-peer environment

  38. Hybrid Access Control
  • Combines centralized and decentralized administration methods
  • One entity may control what users access
  • Owners choose who can access their personal assets

  39. Ways of Controlling Access
  • Physical location
    • MAC addresses
  • Logical location
    • IP addresses
  • Time of day
    • Only during the work day
  • Transaction type
    • Limit on transaction amounts
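These four criteria are usually applied together, and a request that fails any one of them is denied with the reason recorded. The block below is an added example, not code from the slides: a hypothetical `ContextPolicy` that evaluates a request against a MAC-address allowlist, allowed IP networks, working hours and a transaction ceiling, returning every failed criterion rather than just the first so the audit entry is complete. The addresses, hours and limit are constructed values.

```python
import ipaddress
from datetime import datetime, time


class ContextPolicy:
    """Hypothetical access policy (added example, not from the slides) that
    combines the four criteria of slide 39. `check` returns (allowed, reasons)."""

    def __init__(self, allowed_macs, allowed_networks,
                 work_start=time(8, 0), work_end=time(18, 0), max_amount=5000):
        self.allowed_macs = {m.lower() for m in allowed_macs}
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.work_start = work_start
        self.work_end = work_end
        self.max_amount = max_amount

    def check(self, request):
        """request: dict with 'mac', 'ip', 'when' (ISO-8601 string) and optional 'amount'."""
        reasons = []
        # Physical location: the station's MAC address must be one we issued
        if request["mac"].lower() not in self.allowed_macs:
            reasons.append("physical location: unknown MAC address")
        # Logical location: the source IP must fall inside an allowed network
        ip = ipaddress.ip_address(request["ip"])
        if not any(ip in net for net in self.allowed_networks):
            reasons.append("logical location: IP outside allowed networks")
        # Time of day: only during the work day
        when = datetime.fromisoformat(request["when"]).time()
        if not (self.work_start <= when <= self.work_end):
            reasons.append("time of day: outside working hours")
        # Transaction type: cap the amount a single request may move
        if request.get("amount", 0) > self.max_amount:
            reasons.append("transaction type: amount exceeds limit")
        return (not reasons, reasons)


if __name__ == "__main__":
    policy = ContextPolicy(allowed_macs={"00:11:22:33:44:55"},      # constructed
                           allowed_networks=["10.0.0.0/24"])         # constructed
    print(policy.check({"mac": "00:11:22:33:44:55", "ip": "10.0.0.7",
                        "when": "2024-03-05T10:30:00", "amount": 1200}))
    print(policy.check({"mac": "de:ad:be:ef:00:01", "ip": "203.0.113.9",
                        "when": "2024-03-05T23:30:00", "amount": 9000}))
```

The MAC and IP checks are weak on their own, since both are reported by the client and can be set by whoever controls the machine; they are worth keeping as one layer among several, which is why the policy evaluates all criteria rather than trusting any single one.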

  40. Technical Controls
  • System access
    • Individual computer controls
    • Operating system mechanisms
  • Network access
    • Domain controller logins
    • Methods of access
  • Network architecture
    • Controlling the flow of information
    • Network devices implemented
  • Auditing and encryption

  41. Physical Controls
  • Network segregation
    • Wiring closets need physical entry protection
  • Perimeter security
    • Restrict access to the facility and assets
  • Computer controls
    • Remove floppies and CDs
    • Lock computer cases

  42. Protect Audit Logs
  • Hackers attempt to scrub the logs
  • Organizations that are regulated MUST keep logs for a specific amount of time
  • Integrity of logs can be protected with hashing algorithms
  • Restrict network administrator access
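"Protected with hashing algorithms" on this slide means chaining: each log entry's tag covers the previous tag, so editing, deleting or reordering an earlier line breaks every tag after it. The block below is an added example, not code from the slides: it builds an HMAC hash chain over a few constructed audit lines and verifies it, reporting the index of the first broken link. The log lines, key and function names are assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample audit lines (not real logs)
SAMPLE_LOG = [
    "2024-03-05T10:01:02Z login user=alice result=ok",
    "2024-03-05T10:02:11Z sudo user=alice cmd=/usr/bin/systemctl",
    "2024-03-05T10:03:40Z login user=mallory result=fail",
]
KEY = b"example-log-signing-key"   # constructed; a real key should live off the audited host
GENESIS = hashlib.sha256(b"genesis").hexdigest()


def _tag(key, prev_tag, entry):
    """Tag = HMAC-SHA256(key, previous tag || entry); the previous tag is what links the chain."""
    return hmac.new(key, (prev_tag + "|" + entry).encode(), hashlib.sha256).hexdigest()


def chain_log(entries, key=KEY):
    """Hypothetical writer: return records {prev, entry, tag}, each tag covering its predecessor."""
    prev = GENESIS
    records = []
    for entry in entries:
        tag = _tag(key, prev, entry)
        records.append({"prev": prev, "entry": entry, "tag": tag})
        prev = tag
    return records


def verify_chain(records, key=KEY):
    """Hypothetical auditor: return the index of the first broken link, or None if intact.
    A modified entry, a deleted record, or a wrong key all surface here."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or not hmac.compare_digest(_tag(key, prev, rec["entry"]), rec["tag"]):
            return i
        prev = rec["tag"]
    return None


if __name__ == "__main__":
    records = chain_log(SAMPLE_LOG)
    print("intact:", verify_chain(records))
    scrubbed = [dict(r) for r in records]
    scrubbed[2]["entry"] = scrubbed[2]["entry"].replace("mallory", "alice")   # an attempted scrub
    print("first broken record after scrub:", verify_chain(scrubbed))
    print("first broken record after deleting line 1:", verify_chain(records[:1] + records[2:]))
```

The chain only proves tampering to someone who holds the key and a trusted copy of the latest tag; that is why the slide pairs hashing with restricting administrator access, and why in practice the key and a periodic checkpoint of the head tag are kept on a separate log server.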

  43. Intrusion Detection Systems (IDS)
  • Software employed to monitor a network segment or an individual computer
  • Network-based
    • Monitors traffic on a network segment
    • Sensors communicate with a central console
  • Host-based
    • Small agent program that resides on an individual computer
    • Detects suspicious activity on one system

  44. IDS Placement
  • In front of the firewall
    • Uncover attacks being launched
  • Behind the firewall
    • Root out intruders who have gotten through
  • Within the intranet
    • Detect internal attacks

  45. Types of IDS
  • Signature-based
    • Knowledge based
    • Database of signatures
    • Cannot identify new attacks
    • Needs continual updating
  • Behavior-based
    • Statistical or anomaly based
    • Creates many false positives
    • Compares activity to ‘what is normal’
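The two IDS types behave differently on the same input, and the block below is an added example, not code from the slides, that runs both over constructed data: a signature matcher with two patterns applied to four made-up web-server log lines, and an anomaly detector that flags a minute whose request count sits far outside a constructed baseline. The signatures, baseline and the request in the `cgi-bin` line are all assumptions chosen to show the limits the slide names (the signature engine misses the unknown request; the anomaly engine knows nothing about content).

```python
import re
from statistics import mean, pstdev

# Constructed sample web-server log lines (not real traffic)
SAMPLE_LOGS = [
    '10.0.0.5 - - [05/Mar/2024:10:01:02] "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - [05/Mar/2024:10:01:07] "GET /login?user=admin%27%20OR%201=1 HTTP/1.1" 200',
    '10.0.0.9 - - [05/Mar/2024:10:01:09] "GET /static/../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 - - [05/Mar/2024:10:01:12] "GET /cgi-bin/newtool.cgi?cmd=id HTTP/1.1" 200',
]

# Signature-based: a knowledge base of patterns; anything not listed is invisible to it
SIGNATURES = {
    "sql_injection": re.compile(r"(?:'|%27)(?:\s|%20)*(?:or|union)(?:\s|%20)+", re.I),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_detect(lines, signatures=SIGNATURES):
    """Return (signature_name, line) for every line matching a known pattern."""
    hits = []
    for line in lines:
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


# Behavior-based: learn 'what is normal' from a baseline, flag statistical outliers
BASELINE_REQUESTS_PER_MINUTE = [40, 42, 38, 45, 41, 39, 44, 40]      # constructed quiet period
OBSERVED_REQUESTS_PER_MINUTE = {"10:00": 43, "10:01": 310, "10:02": 39}  # constructed


def anomaly_detect(observed, baseline=BASELINE_REQUESTS_PER_MINUTE, threshold=3.0):
    """Return (minute, count) for minutes more than `threshold` standard deviations
    from the baseline mean. A low threshold raises detections and false positives alike."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0   # guard against a flat baseline
    return [(minute, n) for minute, n in observed.items() if abs(n - mu) / sigma > threshold]


if __name__ == "__main__":
    for name, line in signature_detect(SAMPLE_LOGS):
        print(f"signature hit [{name}]: {line}")
    for minute, n in anomaly_detect(OBSERVED_REQUESTS_PER_MINUTE):
        print(f"anomaly at {minute}: {n} requests/minute")
```

In the sample the signature engine reports the two lines it has rules for and says nothing about the fourth, while the anomaly engine reports the burst at 10:01 without being able to say which request caused it; production deployments run both for that reason.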

  46. IDS Issues
  • May not process all packets on a large network
  • Cannot analyze encrypted data
  • Lots of false alarms
  • Not an answer to all problems
  • Switched networks make it hard to examine all packets

  47. Traps for Intruders
  • Padded Cell
    • Code within a product detects whether malicious activity is taking place
    • A virtual machine provides a ‘safe’ environment
    • The intruder is moved to this environment
    • The intruder does not realize that he is not in the original environment
    • Protects the production system from hacking
    • Similar to honeypots
