Transcript Computer Security

Information Systems Security
Access Control
Domain #2
Objectives






Access control types
Identification, authentication, authorization
Control models and techniques
Single sign-on technologies
Centralized and decentralized administration
Intrusion Detection Systems (IDS)
Roles of Access Control
 Limit System Access
 Access based on identity, groups,
clearance, need-to-know, location, etc.
 Protect against unauthorized disclosure,
corruption, destruction, or modification
– Physical
– Technical
– Administrative
Access Control Examples
 Physical
– Locks, guards
 Technical
– Encryption, password, biometrics
 Administrative
– Policies, procedures, security training
Access Control Characteristics
 Preventative
– Keeps undesirable events from happening
 Detective
– Identify undesirable events that have happened
 Corrective
– Correct undesirable events that have happened
 Deterrent
– Discourage security violations from taking place
Continued
 Recovery
– Restore resources and capabilities after a
violation or accident
 Compensation
– Provides alternatives to other controls
Who are You?
 Identification – username, ID account #
 Authentication – passphrase, PIN, bio
 Authorization – “What are you allowed to do”
 Separation of Duties
 Least Privilege
Authentication
 Something you know
 Something you have
 Something you are
 2-Factor Authentication
– Use 2 out of the 3 types of characteristics
Access Criteria
 Security Clearance
– Mandatory control systems and labels
 Need-to-Know
– Formal processes
– Requirements of role within company for access
 Least Privilege
– Lease amount of rights to carry out tasks
– No authorization creep
 Default to “NO ACCESS”
Example Controls
 Biometrics
– Retina, finger, voice, iris
 Tokens
– Synchronous and Asynchronous device
 Memory Cards
– ATM card, proximity card
 Smart Cards
– Credit card, ID card
Biometric Controls




Uses unique personal attributes
Most expensive and accurate
Society has low acceptance rate
Experience growth after 9-11-2001
Error Types
 Type I error
– Rejects authorized individuals (False Reject)
– Too high a level of sensitivity
 Type II error
– Accepts imposter (False Accept)
– Too low a level of sensitivity
 Crossover Error Rate (CER)
– JUST RIGHT!!!!!
Biometric Example
 Fingerprint
– Ridge endings and bifurcations
 Finger Scan
– Uses less data than fingerprint (minutiae)
 Palm Scan
– Creases, ridges, and grooves from palm
 Hand Geometry
– Length and width of hand and fingers
More Biometrics
 Retina Scan
– Blood vessel pattern on back of eyeball
 Iris Scan
– Colored portion of eye
 Signature Dynamics
– Electrical signals of signature process
 Keyboard Dynamics
– Electrical signals of typing process
More Biometrics
 Voice Print
– Differences in sound, frequency, and pattern
 Facial Scan
– Bone structure, nose, forehead size, and eye
width
 Hand Topology
– Size and width of side of hand
Passwords





Least secure but cheap
Should be at least 8 characters and complex
Keep a password history
Clipping levels used
Audit logs
Password Attacks
 Dictionary Attacks
– Rainbow tables
 Brute Force Attack
– Every possible combination
Countermeasures




Encrypt passwords
Use password advisors
Do not transmit in clear text
GREATLY protect central store of
passwords
 Use cognitive passwords
– Based on life experience or opinions
One-time Passwords




Dynamic
Generated for one time use
Protects against replay attacks
Token devices can generate
– Synchronized to time or event
– Based on challenge response mechanism
 Not as vulnerable as regular passwords
Passphrase




Longer than a password
Provides more protection
Harder to guess
Converted to virtual password by software
Memory Cards
 Magnetic stripe holds data but cannot
process data
 No processor or circuits
 Proximity cards, credit cards, ATM cards
 Added costs compared to other
technologies
Smart Card




Microprocessor and IC
Tamperproof device (lockout)
PIN used to unlock
Could hold various data
– Biometrics, challenge, private key, history
 Added costs
– Reader purchase
– Card generation and maintenance
Single Sign-on (SSO)
 Scripting Authentication Characteristics
– Carry out manual user authentication
– As users are added or changed, more
maintenance is required for each script
– Usernames and passwords held in one central
script
 Many times in clear text
SSO Continued
 Used by directory services (x.500)
 Used by thin clients
 Used by Kerberos
– If KDC is compromised, secret key of every
system is also compromised
– If KDC is offline, no authentication is possible
Kerberos






Authentication, confidentiality, integrity
NO Non-availability and repudiation services
Vulnerable to password guessing
Keys stored on user machines in cache
All principles must have Kerberos software
Network traffic should be encrypted
SESAME
 Secure European System for Application in
a Multi-vendor Environment
 Based on asymmetric cryptography
 Uses digital signatures
 Uses certificates instead of tickets
 Not compatible with Kerberos
Access Control Threats







DOS
Buffer Overflow
Mobile Code
Malicious Software
Password Cracker
Spoofing/Masquerading
Sniffers
More Access Control Threats







Eavesdropping
Emanations
Shoulder Surfing
Object Reuse
Data Remanence
Unauthorized Data Mining
Dumpster Diving
More Threats
 Theft
 Social Engineering
 Help Desk Fraud
Access Control Models
 Once security policy is in place, a model
must be chosen to fulfill the directives
– Discretionary access control (DAC)
– Mandatory access control (MAC)
– Role-based access control (RBAS)
 Also called non-discretionary
Discretionary
 Used by OS and applications
 Owner of the resource determines which
subjects can access
 Subjects can pass permissions to others
 Owner is usually the creator and has full
control
 Less secure than mandatory access
Mandatory Access
 Access decisions based on security
clearance of subject and object
 OS makes the decision, not the data owner
 Provides a higher level of protection
– Used by military and government agencies
Role Based Access Control
 Also called non-discretionary
 Allows for better enforcing most commercial
security policies
 Access is based on user’s role in company
 Admins assign user to a role (implicit) and
then assign rights to the role
 Best used in companies with a high rate of
turnover
Remote Authentication Dial-in User
Services (RADIUS)





AAA protocol
De facto standard for authentication
Open source
Works on a client/server model
Hold authentication information for access
Terminal Access Controller Access
Control System (TACACS)
 Cisco proprietary protocol
 Splits authentication, authorization, and
auditing features
 Provides more protection for client-to-server
communication than RADIUS
 TACACS+ adds two-factor authentication
 Not compatible with RADIUS
Diameter
 New and improved RADIUS
 Users can move between service provider
networks and change their point of
attachment
 Includes better message transport, proxying,
session control, and higher security for AAA
 Not compatible with RADIUS
Decentralized Access Control
 Owner of asset controls access
administration
 Leads to enterprise inconsistencies
 Conflicts of interest become apparent
 Terminated employees’ rights hard to
manage
 Peer-to-peer environment
Hybrid Access Control
 Combines centralized and decentralized
administration methods
 One entity may control what users access
 Owners choose who can access their
personal assets
Ways of Controlling Access
 Physical location
– MAC addresses
 Logical location
– IP addresses
 Time of day
– Only during work day
 Transaction type
– Limit on transaction amounts
Technical Controls
 System access
– Individual computer controls
– Operating system mechanisms
 Network access
– Domain controller logins
– Methods of access
 Network architecture
– Controlling flow of information
– Network devices implemented
 Auditing and encryption
Physical Controls
 Network segregation
– Wiring closets need physical entry protection
 Perimeter security
– Restrict access to facility and assets
 Computer controls
– Remove floppys and CDs
– Lock computer cases
Protect Audit Logs
 Hackers attempt to scrub the logs
 Organizations that are regulated MUST
keep logs for a specific amount of time
 Integrity of logs can be protected with
hashing algorithms
 Restrict network administrator access
Intruder Detection Systems (IDS)
 Software employed to monitor a network
segment or an individual computer
 Network-based
– Monitors traffic on a network segment
– Sensors communicate with central console
 Host-based
– Small agent program that resides on individual
computer
– Detects suspicious activity on one system
IDS Placement
 In front of firewall
– Uncover attacks being launched
 Behind firewall
– Root out intruders who have gotten through
 Within intranet
– Detect internal attacks
Type of IDS
 Signature-based
– Knowledge based
– Database of signatures
– Cannot identify new attacks
– Need continual updating
 Behavior-based
– Statistical or anomaly based
– Creates many false positives
– Compares activity to ‘what is normal’
IDS Issues
 May not process all packets on large
network
 Cannot analyze encrypted data
 Lots of false alarms
 Not an answers to all problems
 Switched networks make it hard to examine
all packets
Traps for Intruders
 Padded Cell
– Codes within a product to detect if malicious
activity is taking place
– Virtual machine provides a ‘safe’ environment
– Intruder is moved to this environment
– Intruder does not realize that he is not is the
original environment
– Protects production system from hacking
– Similar to honeypots