Access Control and Site Security (Part 1)
January 27, 2014
© Abdou Illia – Spring 2014

Learning Objectives
• Understand Main Security Goals
• Discuss Resources’ Access Control
• Discuss Password-Based Access Control
Dialog attack: Eavesdropping
• Intercepting a confidential message being transmitted over the network
[Figure: a dialog between Client PC (Bob) and Server (Alice) exchanging "Hello"; the attacker (Eve) intercepts and reads the messages]

Dialog attack: Message Alteration
• Intercepting confidential messages and modifying their content
[Figure: Client PC (Bob) sends "Balance = $1,000,000" to Server (Alice); the attacker (Eve) intercepts and alters the messages so that "Balance = $1" is delivered]

Flooding Denial-of-Service (DoS) attack
[Figure: the attacker sends a message flood; the server is overloaded by the message flood]
Dialog attacks: Security Goal
• If eavesdropping and message alteration attacks succeed, in which of the following ways can the target be affected?
  • Data files stored on hard drives might be deleted
  • Data files stored on hard drives might be altered
  • Corporate trade secrets could be stolen
  • Competitors might get the victim company’s licensed info
  • Users might not be able to get network services for a certain period of time
  • The network might slow down
Confidentiality = main goal in implementing defense systems against eavesdropping and message alteration.

Malware attacks: Security Goal
• If malware attacks succeed, in which of the following ways could the victims be affected?
  • Data files stored on hard drives might be deleted
  • Data files stored on hard drives might be altered
  • Corporate trade secrets could be stolen
  • Competitors might get the victim company’s licensed info
  • Users might not be able to get network services for a certain period of time
  • The network might slow down
Integrity = main goal of implementing defense systems against malware attacks.

DoS attack: Security Goal
• If a DoS attack succeeds, in which of the following ways could the victims be affected?
  • Data files stored on hard drives might be deleted
  • Data files stored on hard drives might be altered
  • Corporate trade secrets could be stolen
  • Competitors might get the victim company’s licensed info
  • Users might not be able to get network services for a certain period of time
  • The network might slow down
Availability = main goal of implementing defense systems against DoS attacks.
Security Goals
• Three main security goals (CIA):
  • Confidentiality of communications and proprietary information
  • Integrity of corporate data
  • Availability of network services and resources
• Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also validating that both parties involved are who they claim to be.
• Non-repudiation: ensuring that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

Opening Question
• Which of the following actions may be taken in order to strengthen the confidentiality of companies’ proprietary information?
  • Prevent employees from accessing files not needed for their job
  • Limit the number of computers each employee can use for logging in to the network
  • Encrypt any communications involving passwords
  • All of the above

What is Access Control?
• Access control is the policy-driven limitation of access to systems, data, and dialogs
• Access control prevents attackers from gaining access to systems’ resources, and helps stop them if they do
Three functions of Access Control
• Credentials for authentication
  • What you know (password, key, etc.)
  • What you have (smart card, physical key, etc.)
  • Who you are (fingerprint, etc.)
  • What you do (pronunciation, writing, etc.)
• AAA process
  • Authentication: assessing the identity of an individual claiming to have permission to use resources
    • Supplicant sends credentials to verifier for authentication
  • Authorization: what permissions the authenticated user has
    • What resources he/she can get access to
    • What he/she can do with these resources
  • Auditing: recording what people do in log files
    • Log files can be analyzed in real time or later to detect violations of authentication/authorization. Can help detect attacks

Managing Access Control: Steps
• Enumeration of (sensitive) resources
  • E.g. HR databases, servers with trade secrets
• Determination of the sensitivity level of each resource
  • E.g. mission-critical vs. non-mission-critical
• Determination of who should have access
  • Role-Based Access Control (RBAC):
    • Determine the roles (or categories) of users. Example: IT employees, HR employees, Salesmen, etc.
  • List-Based Access Control (LBAC):
    • The system administrator could in some cases create lists of employees (not based on roles) for general-purpose resources

Managing Access Control: Steps (cont.)
• Determination of what access rights users should have
  • For each Role-Resource and/or List-Resource pair:
    • Develop Access Control policies
      • Printer availability: M-F, 6:00 AM-8:00 PM
      • Server computers: only administrators and server operators can use them for logging in
      • Remote Access servers: callback feature must be enabled
      • Password policy: minimum 8 characters long, level of complexity, expiration, ….
      • Fair-use policy

Managing Access Control: Steps (cont.)
• Implementing Policies/Access Control
  • Use OS and other tools to configure access control
    • Mandatory Access Control: administrator’s settings apply
    • Discretionary Access Control: the owner of a resource could share it and set access rights
  • Perform penetration tests to test access control effectiveness
  • Perform security audits to test policy effectiveness
    • Audit by internal employees
    • Audit by a security firm
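The AAA process and the RBAC/LBAC distinction from the preceding slides, as an added example that is not part of the lecture material. It assumes a constructed set of roles, resources and permissions (the role and resource names are made up; the usernames reuse the ones from the shared-password question later in the deck), stores only salted PBKDF2 hashes of passwords, authorizes a request first by role and then by an explicit per-resource user list, and appends every authentication and authorization decision to an in-memory audit log that can be queried afterwards:

```python
import hashlib
import hmac
import os
import time

# Constructed example data (not from the slides).
# Role-Based Access Control: a role maps to the resources and rights it gets.
ROLE_PERMISSIONS = {
    "HR": {"hr_database": {"read", "write"}},
    "IT": {"hr_database": {"read"}, "trade_secret_server": {"read", "write"}},
    "Sales": {"trade_secret_server": {"read"}},
}
# List-Based Access Control: an explicit list of users for a general-purpose
# resource, independent of their role. Listed users may perform any action on it.
LIST_PERMISSIONS = {
    "shared_printer": {"aillia", "jwillems"},
}

AUDIT_LOG = []  # auditing: every decision is recorded here


def _hash_password(password, salt, iterations=50_000):
    # Salted, slow hash so that a stolen password file cannot be cracked "at leisure"
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def create_user(directory, username, password, role):
    """Store only the salted hash of the reusable password, never the password."""
    salt = os.urandom(16)
    directory[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def _audit(event, user, outcome, detail=""):
    AUDIT_LOG.append({"time": time.time(), "event": event, "user": user,
                      "outcome": outcome, "detail": detail})


def authenticate(directory, username, password):
    """Verifier checks the supplicant's credential (what you know)."""
    record = directory.get(username)
    if record is None:
        _audit("authn", username, "fail", "unknown user")
        return False
    ok = hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])
    _audit("authn", username, "success" if ok else "fail")
    return ok


def authorize(directory, username, resource, action):
    """Decide what an already-authenticated user may do: by role, then by list."""
    role = directory[username]["role"]
    by_role = action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
    by_list = username in LIST_PERMISSIONS.get(resource, set())
    allowed = by_role or by_list
    _audit("authz", username, "allow" if allowed else "deny", f"{action} {resource}")
    return allowed


def failed_logins(log, username):
    """Auditing: count failed authentication attempts recorded for one account."""
    return sum(1 for e in log
               if e["event"] == "authn" and e["user"] == username and e["outcome"] == "fail")


if __name__ == "__main__":
    users = {}
    create_user(users, "aillia", "Correct-Horse-9", "HR")      # constructed password
    create_user(users, "vhampton", "s3cret-Pass!", "Sales")    # constructed password
    print("aillia login:", authenticate(users, "aillia", "Correct-Horse-9"))
    print("aillia bad login:", authenticate(users, "aillia", "wrong"))
    print("aillia write hr_database:", authorize(users, "aillia", "hr_database", "write"))
    print("vhampton read hr_database:", authorize(users, "vhampton", "hr_database", "read"))
    print("aillia use shared_printer:", authorize(users, "aillia", "shared_printer", "print"))
    print("failed logins for aillia:", failed_logins(AUDIT_LOG, "aillia"))
```

The audit log records which account acted, not which person; that distinction is what the shared-password question later in the deck turns on.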
Types of account/password
• Super account
  • User can take any action on any resource
  • Called Administrator (Windows), Supervisor (Netware), root (UNIX)
  • Hacking the super account = ultimate prize for attackers
• Regular account
  • Limited access based on settings by the admin
  • Could gain super account status by elevating privileges

Reusable Password
• Used repeatedly to get access to a resource on multiple occasions
• Bad because the attacker has time to crack it
• Difficult to crack by remote guessing
  • Usually cut off after a few attempts
• However, if an intruder steals the password file, he/she can crack passwords at leisure

Password Cracking
• With physical access or with the password file in hand, an attacker can use password cracking programs
• Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds
• Programs use the brute-force cracking method
• Used by network admins to locate users with weak passwords, and by attackers
Cracking techniques
• Dictionary attack: the fastest way to crack a password. A “dictionary” file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application.
• Hybrid attack: adds numbers or symbols to the search words to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password.
• Brute force attack: more suitable for complex passwords. May take a long time to work depending on the complexity of the password. The program will begin trying any and every combination of numbers and letters and running them against the hashed passwords on the computer. Passwords composed of random letters, numbers and characters are most vulnerable to this type of attack.

Brute-force password cracking
• Longer passwords take longer to crack
• Combining types of characters makes cracking harder
  • Alphabetic, no case (26 possibilities)
  • Alphabetic, case (52)
  • Alphanumeric (letters and numbers) (62)
  • All keyboard characters (~80)
Password Length
Number of possible passwords by length and character set (N = number of possible characters per position)

Length (chars)   Alphabetic, no case (N=26)   Alphabetic, case (N=52)   Alphanumeric: letters & digits (N=62)   All keyboard characters (N=~80)
1                26                           52                        62                                      80
2 (N^2)          676                          2,704                     3,844                                   6,400
4 (N^4)          456,976                      7,311,616                 14,776,336                              40,960,000
6                308,915,776                  19,770,609,664            56,800,235,584                          2.62144E+11
8                2.08827E+11                  5.34597E+13               2.1834E+14                              1.67772E+15
10               1.41167E+14                  1.44555E+17               8.39299E+17                             1.07374E+19

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password may include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would have to try in order to crack a password in your system?
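The arithmetic behind the table above and the policy question, as an added example that is not part of the lecture material. It recomputes the table's N^L entries from the four character-set sizes on the slide, evaluates the search space for an arbitrary policy given as the string of permitted characters, and, under a constructed guess-rate assumption (one billion offline hash tests per second, not a figure from the slides), shows why each extra character does more for the defender than a wider character set:

```python
import string

# Character-set sizes from the slide's table (N = possible characters per position)
CHARSET_SIZES = {
    "alphabetic, no case": 26,
    "alphabetic, case": 52,
    "alphanumeric (letters & digits)": 62,
    "all keyboard characters": 80,
}


def search_space(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters: N ** L.
    This is the maximum number of guesses a brute-force attacker must make."""
    return alphabet_size ** length


def policy_search_space(allowed_characters, length):
    """Same calculation for a policy that lists the permitted characters explicitly."""
    return search_space(len(set(allowed_characters)), length)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time for an offline attacker who can test `guesses_per_second`
    hashes (the rate is a constructed assumption, not a figure from the slides)."""
    return search_space(alphabet_size, length) / guesses_per_second


def build_table(lengths=(1, 2, 4, 6, 8, 10)):
    """Recompute the slide's table as {length: {charset name: N ** L}}."""
    return {L: {name: search_space(n, L) for name, n in CHARSET_SIZES.items()}
            for L in lengths}


if __name__ == "__main__":
    print(f"{'len':>4} " + " ".join(f"{name:>32}" for name in CHARSET_SIZES))
    for L, row in build_table().items():
        print(f"{L:>4} " + " ".join(f"{v:>32,}" for v in row.values()))
    # The slide's question: 6 characters, decimal digits and lower-case letters only
    allowed = string.digits + string.ascii_lowercase
    print("policy question:", f"{policy_search_space(allowed, 6):,}")
    # Length beats alphabet width: two more characters multiply the space by N ** 2,
    # while widening 26 -> 80 multiplies it by only about 3 per position.
    rate = 1e9  # constructed assumption: a billion guesses per second offline
    for L in (6, 8, 10):
        print(f"{L}-char lower-case: {seconds_to_exhaust(26, L, rate):,.0f} s; "
              f"all keyboard: {seconds_to_exhaust(80, L, rate):,.0f} s")
```

The function returns exact integers rather than the E-notation on the slide, so the 8- and 10-character rows can be compared digit for digit.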
Password Policies
• Good password policy
  • At least 8 characters long
  • Change of case not at beginning
  • Digit (0 through 9) not at end
  • Other keyboard characters not at end
  • Example: triV6#ial
• Completely random passwords are best but usually are written down
• Password duration
• Regularly test the strength of internal passwords
• Disable passwords no longer valid

Password Policies (cont)
• Shared passwords
  • Not a good policy
  • Remove the ability to learn who took actions; loses accountability
  • Usually not changed often or at all because of the need to inform all sharers
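A checker for the "good password policy" rules listed above, as an added example that is not part of the lecture material. The four rules are implemented literally (at least 8 characters; both cases present, with the first two letters in the same case so the case change is not at the beginning; a digit that is not the last character; a non-alphanumeric keyboard character that is not the last character). The reading of "change of case not at beginning" as "first two letters share a case" is my interpretation of the slide, and the generator that produces random compliant passwords is an addition illustrating the slide's remark that completely random passwords are best:

```python
import secrets
import string

MIN_LENGTH = 8
SYMBOLS = set(string.punctuation)  # "other keyboard characters"


def check_password_policy(password):
    """Return the list of slide rules the password violates (empty list = passes)."""
    violations = []
    letters = [c for c in password if c.isalpha()]
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in letters)
    has_upper = any(c.isupper() for c in letters)
    if not (has_lower and has_upper):
        violations.append("does not mix upper and lower case")
    elif letters[0].isupper() != letters[1].isupper():
        # Interpretation: the case change must not be the first thing in the word
        # (e.g. "Trivial..." capitalises the first letter, the most common pattern)
        violations.append("change of case at the beginning")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    elif password[-1].isdigit():
        violations.append("digit at the end")
    if not any(c in SYMBOLS for c in password):
        violations.append("no other keyboard character")
    elif password[-1] in SYMBOLS:
        violations.append("other keyboard character at the end")
    return violations


def generate_compliant(length=12, max_attempts=10_000):
    """Draw random passwords from the full keyboard set until one passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password_policy(candidate):
            return candidate
    raise RuntimeError("could not generate a compliant password")


if __name__ == "__main__":
    for pw in ("triV6#ial", "Trivial6#", "password", "Summer2014!"):
        result = check_password_policy(pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
    print("random compliant:", generate_compliant())
```

The slide's own example `triV6#ial` passes; the common "capitalise the first letter, put the digit and symbol at the end" pattern fails on exactly the rules the slide singles out.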
Questions
Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to log on with the password abc123. Last night someone committed an attack, stealing sensitive corporate information after elevating the privileges associated with the account they used to log on. Which of the following is true? (Choose all that apply)
• the audit log file could be checked to determine at what time the attacker logged in
• the audit log file could be checked to determine which user account was used in committing the attack
• the audit log file could be checked to determine who committed the attack
• all of the above
Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why.
________________________________________________________________

Password Policies (cont)
• Disabling accounts that are no longer valid
  • As soon as an employee leaves the firm, etc.
  • As soon as contractors, consultants leave
  • In many firms, a large percentage of all accounts are for people no longer with the firm

Password Policies (cont)
• Lost passwords
  • Password resets: help desk gives a new temporary password for the account
    • Leaving the temporary password on an answering machine
    • Opportunities for social engineering attacks
  • Self-service reset may be better

Summary Questions
• What are the three main security goals?
• What security goal is jeopardized by a successful eavesdropping attack?
• What is the difference between Role-Based Access Control and List-Based Access Control?
• What is the difference between Mandatory Access Control and Discretionary Access Control?
• What is a super account?
• What is the difference between dictionary cracking and hybrid cracking?
• What is a shared password? Do you recommend shared passwords? Why?
Alternatives to password
• Access Cards
  • Magnetic stripe cards
  • Smart cards
    • Have a microprocessor and RAM
    • Can implement public key encryption for challenge/response authentication
• Token
  • Constantly changing password devices for one-time passwords
  • USB plug-in tokens

Alternatives to password (cont.)
• Proximity Access Tokens
  • Use Radio Frequency ID (RFID) technology
  • Supplicant only has to be near a door or computer to be recognized
• Two-Factor Authentication
  • PINs for the second factor
    • Short: 4 to 6 digits
    • Can be short because attempts are manual
    • Should not choose obvious combinations (1111, 1234) or important dates

Alternatives to password (cont.)
• Biometric Authentication
  • Authentication based on biological (bio) measurements (metrics)
  • Biometric authentication is based on something you are (your fingerprint, iris pattern, face, hand geometry, and so forth)
  • Or something you do (write, type, and so forth)
  • The major promise of biometrics is to make reusable passwords obsolete
Review Questions
• Answer Review Questions 2 posted to the Notes section of the course web site.