Information Systems Security Access Control Domain 2 Objectives

Information Systems Security Access Control Domain #2

Objectives § § § Access control types Identification, authentication, authorization Control models and techniques Single sign-on technologies Centralized and decentralized administration Intrusion Detection Systems (IDS)

Roles of Access Control § Limit System Access § Access based on identity, groups, clearance, need-to-know, location, etc. § Protect against unauthorized disclosure, corruption, destruction, or modification – Physical – Technical – Administrative

Access Control Examples § Physical – Locks, guards § Technical – Encryption, password, biometrics § Administrative – Policies, procedures, security training

Access Control Characteristics § Preventative – Keeps undesirable events from happening § Detective – Identify undesirable events that have happened § Corrective – Correct undesirable events that have happened § Deterrent – Discourage security violations from taking place

Continued § Recovery – Restore resources and capabilities after a violation or accident § Compensation – Provides alternatives to other controls

Who are You? § § § Identification – username, ID account # Authentication – passphrase, PIN, bio Authorization – “What are you allowed to do” § Separation of Duties § Least Privilege

Authentication § § § Something you know Something you have Something you are § 2 -Factor Authentication – Use 2 out of the 3 types of characteristics

Access Criteria § Security Clearance – Mandatory control systems and labels § Need-to-Know – Formal processes – Requirements of role within company for access § Least Privilege – Lease amount of rights to carry out tasks – No authorization creep § Default to “NO ACCESS”

Example Controls § Biometrics – Retina, finger, voice, iris § Tokens – Synchronous and Asynchronous device § Memory Cards – ATM card, proximity card § Smart Cards – Credit card, ID card

Biometric Controls § § Uses unique personal attributes Most expensive and accurate Society has low acceptance rate Experience growth after 9 -11 -2001

Error Types § Type I error – Rejects authorized individuals (False Reject) – Too high a level of sensitivity § Type II error – Accepts imposter (False Accept) – Too low a level of sensitivity § Crossover Error Rate (CER) – JUST RIGHT!!!!!

Biometric Example § Fingerprint – Ridge endings and bifurcations § Finger Scan – Uses less data than fingerprint (minutiae) § Palm Scan – Creases, ridges, and grooves from palm § Hand Geometry – Length and width of hand fingers

More Biometrics § Retina Scan – Blood vessel pattern on back of eyeball § Iris Scan – Colored portion of eye § Signature Dynamics – Electrical signals of signature process § Keyboard Dynamics – Electrical signals of typing process

More Biometrics § Voice Print – Differences in sound, frequency, and pattern § Facial Scan – Bone structure, nose, forehead size, and eye width § Hand Topology – Size and width of side of hand

Passwords § § § Least secure but cheap Should be at least 8 characters and complex Keep a password history Clipping levels used Audit logs

Password Attacks § Dictionary Attacks – Rainbow tables § Brute Force Attack – Every possible combination

Countermeasures § § Encrypt passwords Use password advisors Do not transmit in clear text GREATLY protect central store of passwords § Use cognitive passwords – Based on life experience or opinions

One-time Passwords § § Dynamic Generated for one time use Protects against replay attacks Token devices can generate – Synchronized to time or event – Based on challenge response mechanism § Not as vulnerable as regular passwords

Passphrase § § Longer than a password Provides more protection Harder to guess Converted to virtual password by software

Memory Cards § Magnetic stripe holds data but cannot process data § No processor or circuits § Proximity cards, credit cards, ATM cards § Added costs compared to other technologies

Smart Card § § Microprocessor and IC Tamperproof device (lockout) PIN used to unlock Could hold various data – Biometrics, challenge, private key, history § Added costs – Reader purchase – Card generation and maintenance

Single Sign-on (SSO) § Scripting Authentication Characteristics – Carry out manual user authentication – As users are added or changed, more maintenance is required for each script – Usernames and passwords held in one central script § Many times in clear text

SSO Continued § § § Used by directory services (x. 500) Used by thin clients Used by Kerberos – If KDC is compromised, secret key of every system is also compromised – If KDC is offline, no authentication is possible

Kerberos § § § Authentication, confidentiality, integrity NO Non-availability and repudiation services Vulnerable to password guessing Keys stored on user machines in cache All principles must have Kerberos software Network traffic should be encrypted

SESAME § Secure European System for Application in a Multi-vendor Environment § Based on asymmetric cryptography § Uses digital signatures § Uses certificates instead of tickets § Not compatible with Kerberos

Access Control Threats § § § § DOS Buffer Overflow Mobile Code Malicious Software Password Cracker Spoofing/Masquerading Sniffers

More Access Control Threats § § § § Eavesdropping Emanations Shoulder Surfing Object Reuse Data Remanence Unauthorized Data Mining Dumpster Diving

More Threats § § § Theft Social Engineering Help Desk Fraud

Access Control Models § Once security policy is in place, a model must be chosen to fulfill the directives – Discretionary access control (DAC) – Mandatory access control (MAC) – Role-based access control (RBAS) § Also called non-discretionary

Discretionary § Used by OS and applications § Owner of the resource determines which subjects can access § Subjects can pass permissions to others § Owner is usually the creator and has full control § Less secure than mandatory access

Mandatory Access § Access decisions based on security clearance of subject and object § OS makes the decision, not the data owner § Provides a higher level of protection – Used by military and government agencies

Role Based Access Control § Also called non-discretionary § Allows for better enforcing most commercial security policies § Access is based on user’s role in company § Admins assign user to a role (implicit) and then assign rights to the role § Best used in companies with a high rate of turnover

Remote Authentication Dial-in User Services (RADIUS) § § § AAA protocol De facto standard for authentication Open source Works on a client/server model Hold authentication information for access

Terminal Access Controller Access Control System (TACACS) § Cisco proprietary protocol § Splits authentication, authorization, and auditing features § Provides more protection for client-to-server communication than RADIUS § TACACS+ adds two-factor authentication § Not compatible with RADIUS

Diameter § New and improved RADIUS § Users can move between service provider networks and change their point of attachment § Includes better message transport, proxying, session control, and higher security for AAA § Not compatible with RADIUS

Decentralized Access Control § Owner of asset controls access administration § Leads to enterprise inconsistencies § Conflicts of interest become apparent § Terminated employees’ rights hard to manage § Peer-to-peer environment

Hybrid Access Control § Combines centralized and decentralized administration methods § One entity may control what users access § Owners choose who can access their personal assets

Ways of Controlling Access § Physical location – MAC addresses § Logical location – IP addresses § Time of day – Only during work day § Transaction type – Limit on transaction amounts

Technical Controls § System access – Individual computer controls – Operating system mechanisms § Network access – Domain controller logins – Methods of access § Network architecture – Controlling flow of information – Network devices implemented § Auditing and encryption

Physical Controls § Network segregation – Wiring closets need physical entry protection § Perimeter security – Restrict access to facility and assets § Computer controls – Remove floppys and CDs – Lock computer cases

Protect Audit Logs § Hackers attempt to scrub the logs § Organizations that are regulated MUST keep logs for a specific amount of time § Integrity of logs can be protected with hashing algorithms § Restrict network administrator access

Intruder Detection Systems (IDS) § Software employed to monitor a network segment or an individual computer § Network-based – Monitors traffic on a network segment – Sensors communicate with central console § Host-based – Small agent program that resides on individual computer – Detects suspicious activity on one system

IDS Placement § In front of firewall – Uncover attacks being launched § Behind firewall – Root out intruders who have gotten through § Within intranet – Detect internal attacks

Type of IDS § Signature-based – Knowledge based – Database of signatures – Cannot identify new attacks – Need continual updating § Behavior-based – Statistical or anomaly based – Creates many false positives – Compares activity to ‘what is normal’

IDS Issues § May not process all packets on large network § Cannot analyze encrypted data § Lots of false alarms § Not an answers to all problems § Switched networks make it hard to examine all packets

Traps for Intruders § Padded Cell – Codes within a product to detect if malicious activity is taking place – Virtual machine provides a ‘safe’ environment – Intruder is moved to this environment – Intruder does not realize that he is not is the original environment – Protects production system from hacking – Similar to honeypots