This article explores the definitions, types, and threats related to access control in computer security. Topics include access control categories, access to systems and data, intrusion prevention, and more.
Access Controls • Dr. Bhavani Thuraisingham • The University of Texas at Dallas (UTD) • June 2015
Domain Objectives • Provide definitions and key concepts • Identify access control categories and types • Discuss access control threats • Review system access control measures
Domain Agenda • Definitions and key concepts • Access control categories and types • Access control threats • Access to system • Access to data • Intrusion prevention and detection systems • Access control assurance
Basic Requirements and Concepts • Requirements • Security • Reliability • Transparency • Scalability • Maintainability • Auditability • Integrity • Authenticity • Key Concepts • Separation of duties • Least privilege • Need-to-know
Information Classification • Objectives • Benefits • Example of classification • Compartmentalized information • Classification Program • Scope • Process • Ownership • Declassification • Marking and labeling • Assurance
Access Control Types and Strategies • Types • Administrative • Technical / Logical • Physical • Strategies • Preventive • Detective • Corrective • Directive • Deterrent • Recovery • Compensating
Access Control • Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. • In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems. • In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities and as human users.
Access Control • Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs). • In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object. • Access is conveyed to another party by transmitting such a capability over a secure channel. • In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object.
Access Control Threats • Dumpster diving • Emanations • TOC/TOU • Denial of service • Password crackers • Dictionary • Brute force • Rainbow tables • Keystroke Loggers • Spoofing/Masquerading • Sniffers • Shoulder Surfing/Swiping
System Access Control • Identification • Authentication • Authorization • Accountability
Identification and Authentication • Identification • Methods • Guidelines • RFID • MAC and IP address • Secure user registration • Authentication • Knowledge (something you know) • Ownership (something you have) • Characteristics (something you are)
Identification, Authentication, Authorization • Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where: • identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; • authorization determines what a subject can do; • accountability identifies what a subject (or all subjects associated with a user) did.
Identification, Authentication, Authorization • Identification and authentication (I&A): Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The I&A process assumes that there was an initial validation of the identity, commonly called identity proofing. Various methods of identity proofing are available, ranging from in-person validation using government-issued identification to anonymous methods that allow the claimant to remain anonymous but known to the system if they return. The method used for identity proofing and validation should provide an assurance level commensurate with the intended use of the identity within the system. Subsequently, the entity asserts an identity together with an authenticator as a means for validation. The only requirement for the identifier is that it be unique within its security domain.
Identification, Authentication, Authorization • Authenticators are commonly based on at least one of the following four factors: • Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account. • Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account. • Something you are, such as fingerprint, voice, retina, or iris characteristics. • Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.
Identification, Authentication, Authorization • Authorization: Authorization applies to subjects. Authorization determines what a subject can do on the system. • Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access: • Read (R): The subject can read file contents or list directory contents. • Write (W): The subject can change the contents of a file or directory with the following tasks: add, create, delete, rename. • Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.)
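The two views of one access control matrix from the earlier slide (per-object ACLs versus per-subject capability lists) and the Unix rule that 'x' on a directory is needed to traverse it, as an added example that is not part of the original slides; subjects, paths and permissions are constructed.

```python
# Added example (not from the slides): one access control matrix viewed as
# per-object ACLs and per-subject capability lists, with a Unix-style check
# where 'x' on every ancestor directory is required to reach an object.
from typing import Dict, Iterator, Set

R, W, X = "r", "w", "x"

# Constructed matrix: subject -> object -> set of permissions.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"/": {X}, "/home": {X}, "/home/alice": {R, W, X},
              "/home/alice/notes.txt": {R, W}},
    # bob may list /home/alice and was (mistakenly) given R on the file,
    # but lacks 'x' on /home/alice, so he cannot traverse to the file.
    "bob": {"/": {X}, "/home": {X}, "/home/alice": {R},
            "/home/alice/notes.txt": {R}},
}

def acl(obj: str) -> Dict[str, Set[str]]:
    """ACL view: the list attached to an object, keyed by subject identity."""
    return {s: perms[obj] for s, perms in MATRIX.items() if obj in perms}

def capabilities(subject: str) -> Dict[str, Set[str]]:
    """Capability view: what a subject holds, keyed by object."""
    return dict(MATRIX.get(subject, {}))

def ancestors(path: str) -> Iterator[str]:
    """Yield every directory that must be traversed to reach path."""
    parts = path.strip("/").split("/")[:-1]
    yield "/"
    for i in range(len(parts)):
        yield "/" + "/".join(parts[: i + 1])

def can_access(subject: str, path: str, perm: str) -> bool:
    """Grant only if the subject has 'x' on each ancestor and perm on the object."""
    caps = capabilities(subject)
    for directory in ancestors(path):
        if X not in caps.get(directory, set()):
            return False
    return perm in caps.get(path, set())
```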
Identification, Authentication, Authorization • These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC). • Accountability: Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. • Audit trails and logs are important for detecting security violations and re-creating security incidents. • If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence. • Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for more than three failed logon attempts in a given period, or for any attempt to use a disabled user account. These reports help a system administrator or security administrator to more easily identify possible break-in attempts.
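The two clipping levels named on this slide applied to constructed logon records, as an added example that is not part of the original slides; the log format, account names and the ten-minute window are assumptions.

```python
# Added example (not from the slides): two clipping levels over constructed
# logon records: >3 failures per account in a window, and any disabled-account use.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log lines: "<ISO time> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2015-06-01T09:00:01 alice LOGIN_OK
2015-06-01T09:01:10 mallory LOGIN_FAIL
2015-06-01T09:01:25 mallory LOGIN_FAIL
2015-06-01T09:01:40 mallory LOGIN_FAIL
2015-06-01T09:02:05 mallory LOGIN_FAIL
2015-06-01T09:30:00 bob LOGIN_FAIL
2015-06-01T10:45:00 bob LOGIN_FAIL
2015-06-01T11:00:00 jdoe LOGIN_OK
"""
DISABLED_ACCOUNTS: Set[str] = {"jdoe"}  # constructed: a former employee's account

def parse(log: str) -> List[tuple]:
    """Turn raw lines into (timestamp, user, outcome) tuples; skip malformed lines."""
    records = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        records.append((datetime.fromisoformat(fields[0]), fields[1], fields[2]))
    return records

def failed_logon_report(records, threshold=3, window=timedelta(minutes=10)) -> Dict[str, int]:
    """Clipping level 1: accounts with more than `threshold` failures inside any `window`."""
    failures = defaultdict(list)
    for ts, user, outcome in sorted(records):
        if outcome == "LOGIN_FAIL":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():          # sliding window per account
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

def disabled_account_report(records, disabled=DISABLED_ACCOUNTS) -> List[str]:
    """Clipping level 2: every attempt, successful or not, against a disabled account."""
    return [f"{ts.isoformat()} {user} {outcome}"
            for ts, user, outcome in records if user in disabled]
```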
Authentication by Knowledge • Password – p3nc!l • Passphrase – t@lk@bou+th3w3@th3r • Personal history – 1st pet, 1st address, 1st friend • Graphical • Guidelines
Authentication by Ownership • Tokens • One-time passwords • Smart cards • Memory cards • RFID cards
Asynchronous and Synchronous Token Devices • Asynchronous (challenge/response) • User requests access via authentication server (i.e., user ID) • Authentication server issues challenge number to user • User enters challenge number with PIN in handheld • Handheld calculates cryptographic response (i.e., password) • User sends “password” to authentication server • Authentication server grants access to application server • Synchronous • Event-based synchronization • Time-based synchronization
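Both sides of the challenge/response exchange above, plus a time-based synchronous token, as an added example that is not part of the original slides; HMAC-SHA256 stands in for the device's cryptographic function, and the seed, PIN, code length and 30-second step are constructed assumptions.

```python
# Added example (not from the slides): the handheld and the authentication
# server for an asynchronous (challenge/response) token and for a
# time-based synchronous token. Seed, PIN and times are constructed.
import hashlib
import hmac
import secrets

def derive_key(seed: bytes, pin: str) -> bytes:
    """Handheld and server both mix the device seed with the user's PIN."""
    return hashlib.sha256(seed + pin.encode()).digest()

def token_response(key: bytes, data: bytes, digits: int = 6) -> str:
    """Cryptographic response truncated to a numeric code, as a handheld displays it."""
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

# --- Asynchronous: server issues a challenge number, user enters it with the PIN ---
def server_issue_challenge() -> str:
    return str(secrets.randbelow(10 ** 8)).zfill(8)

def handheld_async(seed: bytes, pin: str, challenge: str) -> str:
    return token_response(derive_key(seed, pin), challenge.encode())

def server_verify_async(seed: bytes, pin: str, challenge: str, response: str) -> bool:
    expected = token_response(derive_key(seed, pin), challenge.encode())
    return hmac.compare_digest(expected, response)   # constant-time comparison

# --- Synchronous (time-based): both sides compute from the current time step ---
def handheld_time_based(seed: bytes, pin: str, now: int, step: int = 30) -> str:
    return token_response(derive_key(seed, pin), (now // step).to_bytes(8, "big"))

def server_verify_time_based(seed: bytes, pin: str, response: str, now: int,
                             step: int = 30, drift_steps: int = 1) -> bool:
    """Accept the current step plus a small drift window to tolerate clock skew."""
    key = derive_key(seed, pin)
    for offset in range(-drift_steps, drift_steps + 1):
        counter = (now // step + offset).to_bytes(8, "big")
        if hmac.compare_digest(token_response(key, counter), response):
            return True
    return False
```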
Authentication: Smart Cards and Biometrics • Smartcards • Contact smart cards • Card body • Chip • Contacts • Contact-less smart cards • Card body • Chip • Antenna • Biometrics (Authentication by Characteristic) • Physiological • Behavioral
Biometric Types and Selection Criteria • Static • Fingerprint/Palm print • Hand geometry • Palm vein structure • Retina scan • Iris scan • Facial recognition • Dynamic • Voice pattern • Keystroke dynamics • Signature dynamics • Selection Criteria • Accuracy • Acceptability • Reaction or processing time • Population coverage • Data protection
Identity and Access Management • Need for identity management • Manual provisioning • Complex environments • Outsourcing risks • Compliance with regulations and legislation • Authoritative system of record • Challenges • Consistency • Reliability • Usability • Efficiency • Scalability • Principals • Data • Life cycle • Benefits • Headcount reduction • Productivity increase • Risk management
Identity Management Technologies • Web access management (WAM) • Password management • Account management • Profile update
Access Control Technologies • Single sign-on • Kerberos • To be explained in the next chart • SESAME • An extension of Kerberos for use with applications • Symmetric and asymmetric • Distributed authentication • Directory services • Lightweight Directory Access Protocol (LDAP) • Network Information Services (NIS) • Domain Name System (DNS) • Security domains • Hierarchical domain relationship • Equivalent classes of subjects • Web Portal Access • Federated login • Portlet
Single Sign-on Process • User enters ID and password • User ID and password are transmitted to Authentication Server • Authentication Server verifies user’s identity • Authentication Server authorizes access to requested resource.
Single Sign-On • Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems. • As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.
Single Sign-on Kerberos • Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by MIT that implements this protocol. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. • Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication.
Kerberos • Kerberos uses as its basis the symmetric Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users. • The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions. • The security of the protocol relies heavily on participants maintaining loosely synchronized time and on short-lived assertions of authenticity called Kerberos tickets.
Kerberos • The client authenticates itself to the Authentication Server and receives a ticket. (All tickets are time-stamped.) • It then contacts the Ticket Granting Server, and using the ticket it demonstrates its identity and asks for a service. • If the client is eligible for the service, then the Ticket Granting Server sends another ticket to the client. • The client then contacts the Service Server, and using this ticket it proves that it has been approved to receive the service.
Kerberos: Drawbacks • Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. • Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than five minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized. • The administration protocol is not standardized and differs between server implementations. • Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.
Access Control Languages • Service Provisioning Markup Language (SPML) • Security Assertion Markup Language (SAML) • eXtensible Access Control Markup Language (XACML)
Access to Data Implementations • Mandatory • Temporal • Discretionary • Role • Rule • Content • Privacy • Descriptions • List • Matrix • Capabilities • Non-discretionary • Constraints • Centralized • Decentralized
Access Control • Mandatory Access Control • Labels: subjects and objects • Temporal Access Control • Hours of operation • Role-based Access Control • Depends on roles • Privacy-Aware, Role-based Access Control • Based on the Organisation for Economic Co-operation and Development (OECD) • Content Dependent • Access based on values in data (e.g., department): a user can only see data having to do with employees in the same department
Access Control Lists • Objects/Subjects • Files/Users • O.S. dependent • Object Based Matrix • Subject Based Matrix
Non-discretionary Access Control (NDAC)/ Constrained User Interfaces • Non Discretionary • Operating system protection • Security administrator control • Ensures system security enforced • Constrained User Interfaces • Menus • Database views • Physically constrained user interfaces • Encryption
Centralized/Decentralized Access Control • Centralized access control • RADIUS • TACACS+ • Diameter • Decentralized access control
Access Control Administration • Access control administration works out how the organization will administer access control: centralized or distributed. • Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. • TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or XTACACS. This server was normally a program running on a host. The host would determine whether to accept or deny the request and send a response back. The TIP (routing node accepting dial-up line connections, which the user would normally want to log in to) would then allow access or not, based upon the response. • TACACS+ and RADIUS have generally replaced TACACS. TACACS+ is an entirely new protocol and not compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP).
Intrusion Detection System • An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. • Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. • Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
Intrusion Detection System • For the purpose of dealing with IT, there are two main types of IDSs: network-based and host-based. • In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic. • In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed, including the file system, logs and the kernel. Some application-based IDSs are also part of this category.
Intrusion Prevention Systems • Host-based • Network-based • Content-based • Rate-based • KPI
Analysis Engine Methods • Examples • Anomaly • Response • Alert • Pattern- or signature-based • Pattern matching • Stateful matching • Anomaly-based • Statistical • Traffic • Protocol • Heuristic Scanning
Threats to Access Control • Dictionary Attack • Brute Force Attack • Spoofing at Logon • Phishing • Identity Theft