Access Control Terminology

Access Controls
- Control how users and systems communicate and interact

Process Terminology
- Identification
  - Method for determining that a subject is who it says it is
  - User name, PIN number, smart card, account number
- Authenticated
  - Provided a second matching piece to the identification method
  - Password, passphrase, PIN number
- Authorized
  - Has appropriate access to the requested resource

Strong Authentication
- Types of authentication
  - Something a person has
  - Something a person knows
  - Something a person is
- Strong Authentication includes at least 2 of the 3
- Only 1 is considered _______________

Biometrics – Something a Person Is
- A unique personal attribute
- Type I Error
  - Rejected an authorized user
- Type II Error
  - Accepts a non-authorized imposter
- Crossover Error Rate (CER)
  - Point where the Type I Error distribution and the Type II Error distribution meet
  - The lower the number, the better
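The CER is easier to reason about with numbers attached. The following is an added example, not part of the slide deck: match scores from a hypothetical biometric matcher are constructed, the Type I (false reject) and Type II (false accept) rates are computed for every acceptance threshold, and the threshold where the two rates cross is reported. It also shows that the CER is a comparison figure for ranking devices, while the threshold you actually deploy may sit elsewhere (for example, tuned to a maximum tolerable false-accept rate).

```python
from typing import Sequence, Tuple

# Constructed similarity scores (0-100) from a hypothetical matcher; higher means
# closer to the enrolled template. These are sample values, not real device data.
GENUINE_SCORES = [92, 88, 85, 79, 74, 70, 66, 61, 58, 52]   # enrolled users vs. their own template
IMPOSTOR_SCORES = [12, 20, 27, 33, 40, 45, 51, 57, 63, 68]  # impostors vs. someone else's template


def error_rates(threshold: int, genuine: Sequence[int], impostor: Sequence[int]) -> Tuple[float, float]:
    """Decision rule: accept when score >= threshold.

    Returns (FRR, FAR):
      FRR = Type I rate, genuine users whose score falls below the threshold (rejected).
      FAR = Type II rate, impostors whose score reaches the threshold (accepted).
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds=range(0, 101)) -> Tuple[int, float]:
    """Sweep the threshold and return (threshold, CER) where FRR and FAR are closest.

    Raising the threshold pushes FRR up and FAR down, so the two curves cross once;
    the error rate at that crossing is the CER used to compare devices.
    """
    best_gap, best_t, best_rate = None, None, None
    for t in thresholds:
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_rate = gap, t, (frr + far) / 2
    return best_t, best_rate


def operating_point(genuine: Sequence[int], impostor: Sequence[int],
                    max_far: float) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far; returns (threshold, FRR, FAR).

    This is the security-first tuning: accept the FRR cost required to hold impostor
    acceptance at or below the chosen ceiling.
    """
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return 101, 1.0, 0.0  # unreachable for scores capped at 100, kept for completeness


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t}")
    print("zero-FAR operating point:", operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these constructed scores the curves cross at threshold 59 with an error rate of 0.20; forcing FAR to zero requires threshold 69 and costs a 0.40 false-reject rate, which illustrates why a low CER alone does not tell you where to set the device.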
Popular Biometrics
- Fingerprint
- Palm scan
- Hand Geometry
  - Length and width of the hand and fingers
- Retina Scan
- Iris Scan
- Signature Dynamics
- Keyboard Dynamics
- Voice Print
- Facial Scan
- Hand Topology
  - Side picture of the hand

Biometrics Compared

Passwords – Something a Person Knows
- Passphrases refer to multiple-word passwords
- Personal Identification Numbers (PIN) refer to numeric passwords
- Considered weak
  - People use familiar words or numbers
  - Words are susceptible to dictionary and brute force attacks
  - Users can’t remember strong passwords so they write them down

Making Passwords Stronger
- Forced password lifetimes
  - Shorter makes it more secure, but too short and users forget which is active
  - 60 days is a good compromise
- Enforced minimum lengths
- Forced special characters, case changes
- No reuse
- Lock out users at a low clipping level (acceptable number of failed attempts)
  - For how long?
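The slide lists the policy knobs; the added example below (not from the slides) shows them enforced as a single checker so that a candidate password is tested for minimum length, case change, digit and special character, for being a single dictionary word (the weakness the previous slide calls out), and for reuse against a history of old password digests, with the 60-day lifetime handled separately. The word list and SHA-256 history digests are constructed stand-ins; a real deployment would load a full cracking dictionary and keep history as salted slow hashes.

```python
import hashlib
import string
from dataclasses import dataclass
from datetime import date
from typing import List

# Constructed stand-in for a cracking dictionary. A production checker would load the
# same word lists the password crackers on the next slide use.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein", "football"}


def history_digest(password: str) -> str:
    """Digest kept in the reuse history so old passwords are never stored in clear.

    Illustration only: a production store would use a salted, deliberately slow hash.
    """
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_case_change: bool = True   # "case changes": at least one upper and one lower
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 5              # "no reuse": remember this many previous digests
    max_age_days: int = 60             # the slide's compromise lifetime

    def violations(self, candidate: str, history: List[str]) -> List[str]:
        """Return every policy rule the candidate breaks (empty list = acceptable)."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        has_upper = any(c.isupper() for c in candidate)
        has_lower = any(c.islower() for c in candidate)
        if self.require_case_change and not (has_upper and has_lower):
            problems.append("no case change")
        if self.require_digit and not any(c.isdigit() for c in candidate):
            problems.append("no digit")
        if self.require_special and not any(c in string.punctuation for c in candidate):
            problems.append("no special character")
        # "Password1!" is still the word "password": strip decoration before the lookup.
        core = candidate.lower().strip(string.digits + string.punctuation)
        if core in DICTIONARY:
            problems.append("based on a single dictionary word")
        if history_digest(candidate) in history[-self.history_size:]:
            problems.append("reused a recent password")
        return problems

    def expired(self, set_on: date, today: date) -> bool:
        """Forced lifetime: True once the password is older than max_age_days."""
        return (today - set_on).days > self.max_age_days


POLICY = PasswordPolicy()

if __name__ == "__main__":
    for pw in ["Password1!", "summer2024", "Tr0ub4dor&3xtra-Long"]:
        print(pw, "->", POLICY.violations(pw, []) or "ok")
    print("expired:", POLICY.expired(date(2003, 1, 1), date(2003, 3, 15)))
```

Note that the checker returns every violation rather than stopping at the first, which is what a user-facing "why was my password rejected" message needs, and that the reuse check compares digests so the history file never holds recoverable passwords.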
Better Passwords Through Technology
- Password Generators
  - Produce random but pronounceable passwords
- Password Checkers/Crackers
  - L0phtcrack
  - John the Ripper
  - Brutus

Variations on a Theme
- Cognitive Passwords
  - Fact- or opinion-based information
  - Best for seldom-used authentication needs
- One-Time Use Passwords
  - Synchronous token device
    - Token and server preshare a private key
    - Time based – token device and server clocks are synchronized; the time value is used as plaintext
    - Event based – token and server share an authentication value list
  - Asynchronous token device
    - Server prompts with a challenge code; user enters the code into the token device, which returns a response code; user enters the response into the server
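The three token schemes differ only in what the shared key is applied to: the current time step, an event counter, or a server-issued challenge. The added example below (not from the slides) implements all three with both sides of the exchange, plus the server-side details that make them safe in practice: a small clock-drift window for time-based codes, a look-ahead window with replay rejection for event-based codes, and single-use challenges for the asynchronous device. The keyed step is HMAC-SHA1 with dynamic truncation to six digits, which is an assumption standing in for the slide's "time value used as plaintext"; the key is constructed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed pre-shared secret; in practice provisioned into the token at enrollment
# and never transmitted afterwards.
SHARED_KEY = b"constructed-preshared-token-secret"


def truncated_code(key: bytes, message: bytes, digits: int = 6) -> str:
    """Keyed one-way step: HMAC the message, fold the tag to a short decimal code."""
    tag = hmac.new(key, message, hashlib.sha1).digest()
    offset = tag[-1] & 0x0F
    value = struct.unpack(">I", tag[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def time_code(key: bytes, unix_time: int, step: int = 30) -> str:
    """Synchronous, time based: the plaintext is the current time step."""
    return truncated_code(key, struct.pack(">Q", unix_time // step))


def event_code(key: bytes, counter: int) -> str:
    """Synchronous, event based: the plaintext is the button-press counter."""
    return truncated_code(key, struct.pack(">Q", counter))


def response_code(key: bytes, challenge: str) -> str:
    """Asynchronous: the plaintext is the challenge the server displayed."""
    return truncated_code(key, challenge.encode())


class SynchronousServer:
    def __init__(self, key: bytes, step: int = 30, drift_steps: int = 1, event_window: int = 3):
        self.key, self.step = key, step
        self.drift_steps = drift_steps      # tolerate token clock being this many steps off
        self.event_window = event_window    # tolerate this many unused button presses
        self.counter = 0                    # highest event counter accepted so far

    def verify_time(self, code: str, server_time: int) -> bool:
        for d in range(-self.drift_steps, self.drift_steps + 1):
            if hmac.compare_digest(code, time_code(self.key, server_time + d * self.step)):
                return True
        return False

    def verify_event(self, code: str) -> bool:
        # Only counters beyond the last accepted one are tried, so a captured code
        # cannot be replayed once it (or a later one) has been used.
        for c in range(self.counter + 1, self.counter + 1 + self.event_window):
            if hmac.compare_digest(code, event_code(self.key, c)):
                self.counter = c
                return True
        return False


class AsynchronousServer:
    def __init__(self, key: bytes):
        self.key = key
        self.pending: Optional[str] = None

    def challenge(self) -> str:
        self.pending = secrets.token_hex(4)   # fresh, unpredictable challenge per login
        return self.pending

    def verify(self, response: str) -> bool:
        if self.pending is None:
            return False
        ok = hmac.compare_digest(response, response_code(self.key, self.pending))
        self.pending = None   # single use whether or not it matched
        return ok


if __name__ == "__main__":
    srv = SynchronousServer(SHARED_KEY)
    print("time code accepted 30 s later:", srv.verify_time(time_code(SHARED_KEY, 1000), 1030))
    asrv = AsynchronousServer(SHARED_KEY)
    ch = asrv.challenge()
    print("challenge", ch, "response accepted:", asrv.verify(response_code(SHARED_KEY, ch)))
```

A real time-based server additionally remembers the last time step it accepted so that a code captured in transit cannot be reused inside the drift window; that bookkeeping is the same idea as the event counter above.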
Digital Signatures
-------BEGIN SIGNATURE------
IQB1AwUBMVSiA5QYCuMfgNYjAQFAKgL/
ZkBfbeNEsbthba4BlrcnjaqbcKgNv+a5kr453
7y8RCd+RHm75yYh5xxA1ojELwNhhb7cltrp
2V7LlOnAelws4S87UX80cL BtBcN6AACf11
qymC2h+Rb2j5SSU+rmXWru+=QFMx
-------END SIGNATURE------

Cards – Something a Person Has
- Memory Cards
  - Hold information only
  - Credit cards, ATM cards
- Smart Cards
  - Process information and hold information
  - Information on card actively protected by authentication

Authorization Criteria
- Roles
  - Based on job function or assignment
- Groups
- Physical location
  - Interactive login, for example
- Logical location
  - IP address, for example
- Time of day
- Transaction type
  - Amount of money to be transferred, for example
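Each criterion on the slide is a predicate on the request, and an authorization decision combines them. The added example below (not from the slides) encodes the six criteria as fields of a rule, evaluates a request against an ordered rule set, and falls through to deny when nothing matches, which is the default-deny posture the next slide asks for. The rule set and requests are constructed; the teller/treasury scenario, network ranges and limits are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]
    interactive: bool        # physical location: logged on at the console vs. remotely
    source_ip: str           # logical location
    at: time                 # time of day
    transaction: str         # transaction type
    amount: float = 0.0      # e.g. money to be transferred


@dataclass(frozen=True)
class Rule:
    """A grant rule; an empty set or default bound means that criterion is not checked."""
    name: str
    roles: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    networks: Tuple[str, ...] = ()
    interactive_only: bool = False
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    transactions: FrozenSet[str] = frozenset()
    max_amount: float = float("inf")

    def matches(self, r: Request) -> bool:
        if self.roles and not (self.roles & r.roles):
            return False
        if self.groups and not (self.groups & r.groups):
            return False
        if self.networks and not any(ip_address(r.source_ip) in ip_network(n) for n in self.networks):
            return False
        if self.interactive_only and not r.interactive:
            return False
        if not (self.start <= r.at <= self.end):
            return False
        if self.transactions and r.transaction not in self.transactions:
            return False
        if r.amount > self.max_amount:
            return False
        return True


def authorize(request: Request, rules: List[Rule]) -> Tuple[bool, str]:
    """First matching rule grants; no match means default deny."""
    for rule in rules:
        if rule.matches(request):
            return True, rule.name
    return False, "default deny"


# Constructed rule set (assumed scenario): tellers may move up to 5000 from branch
# workstations during business hours; treasury staff may transfer any amount, but only
# from an interactive console session.
RULES = [
    Rule("teller-branch-hours", roles=frozenset({"teller"}), networks=("10.1.0.0/16",),
         start=time(8, 0), end=time(18, 0), transactions=frozenset({"deposit", "transfer"}),
         max_amount=5000),
    Rule("treasury-console", roles=frozenset({"treasury"}), interactive_only=True,
         transactions=frozenset({"transfer"})),
]


def teller_request(**overrides) -> Request:
    """Constructed baseline teller request; keyword overrides vary one criterion at a time."""
    base = dict(subject="pat", roles=frozenset({"teller"}), groups=frozenset({"branch-12"}),
                interactive=False, source_ip="10.1.4.20", at=time(10, 30),
                transaction="transfer", amount=2500)
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    print(authorize(teller_request(), RULES))
    print(authorize(teller_request(at=time(23, 0)), RULES))
```

Because every unmatched criterion evaluates to a refusal and the loop ends in deny, adding a new criterion can only narrow access; a rule that forgets to constrain something still cannot grant more than its other fields allow.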
Restrictions to Remember
- Default to NO ACCESS
  - Access Control Lists (ACL) commonly default to deny
- Base granted access on Need To Know
  - Least-privilege principle
- Single sign-on whenever possible
  - Scripts
  - Kerberos is the recognized standard in heterogeneous environments
  - SESAME - Secure European System for Applications in a Multivendor Environment

Access Control Models
- Discretionary Access Control (DAC)
  - Owner (creator) can access the resource and dictate who else can access it
  - Does not lend itself to central management
- Mandatory Access Control (MAC)
  - Operating system controls access based on the owner’s sensitivity level
  - Commonly used in military systems
- Role Based Access Control (RBAC)
  - Subject’s role determines access
  - Managed centrally
- Rule Based Access Control
  - Access matched against rules
  - Common in network devices
- Constrained Interfaces
  - Limits data access and functionality
  - ATM machines, for example
- Content Dependent Access Control
  - Restrictions based on data content
  - Firewalls commonly use this to stop worms, viruses

Access Control Matrices
- Table of subjects and objects indicating actions subjects can take upon objects
- Common in DAC model
- Capability Tables
  - Access rights a specific subject has for a specific object
- ACLs
  - Lists of subjects that have access to a specific object
  - Very common in networking devices, firewalls
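Capability tables and ACLs are the two ways of slicing the same matrix: a row gives one subject's capabilities, a column gives one object's ACL. The added example below (not from the slides) builds a small constructed matrix, derives both views from it, answers permission queries with default deny (an absent row, column or action all mean no), and models the DAC rule that only an object's owner may add entries for it. The subjects, objects and ownership map are constructed sample data.

```python
import copy
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]   # subject -> object -> permitted actions

# Constructed access control matrix. Rows are subjects, columns are objects; a missing
# cell is the same as an empty one.
MATRIX: Matrix = {
    "alice": {"payroll.xls": {"read", "write"}, "hr_policy.doc": {"read"}},
    "bob":   {"hr_policy.doc": {"read", "write"}},
    "carol": {},
}

# DAC: the creator of an object owns it and decides who else gets access (constructed).
OWNERS = {"payroll.xls": "alice", "hr_policy.doc": "bob"}


def capability_table(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Row view: every object this subject may act on and the actions allowed."""
    return {obj: set(acts) for obj, acts in matrix.get(subject, {}).items() if acts}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Column view: every subject holding rights on this object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if row.get(obj)}


def is_permitted(matrix: Matrix, subject: str, obj: str, action: str) -> bool:
    """Default deny: unknown subject, unknown object or unlisted action all return False."""
    return action in matrix.get(subject, {}).get(obj, set())


def grant(matrix: Matrix, granter: str, subject: str, obj: str, action: str) -> Matrix:
    """DAC grant: only the object's owner may extend its column. Returns a new matrix."""
    if OWNERS.get(obj) != granter:
        raise PermissionError(f"{granter} does not own {obj}")
    updated = copy.deepcopy(matrix)
    updated.setdefault(subject, {}).setdefault(obj, set()).add(action)
    return updated


if __name__ == "__main__":
    print("alice's capabilities:", capability_table(MATRIX, "alice"))
    print("ACL of hr_policy.doc:", acl(MATRIX, "hr_policy.doc"))
    print("carol read payroll.xls?", is_permitted(MATRIX, "carol", "payroll.xls", "read"))
```

The column view is the one that ends up on firewalls and file servers because it is what you consult when an object is touched; the row view is what you consult when reviewing a user, for example before removing an obsolete account.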
Centralized Access Control
- Remote Authentication Dial-in User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)

Decentralized Access Controls
- Security Domains
  - Realm of distributed trust
  - Hierarchical or peer implementations
  - Microsoft domains are a specific version

Typical Scenario - Hybrid
- Most enterprises combine both centralized and decentralized control methods
  - May have a Kerberos centralized user database
  - Use TACACS+ tied to Kerberos to authenticate dial-up and router users
  - Use Windows 2000 file servers at each location to allow autonomous distributed security domains
  - Workgroup printers are shared via Windows desktop peering

Control Types
- Preventative: Avoid undesirable events
- Detective: Identify undesirable events
- Corrective: Fix undesirable events that have occurred
- Deterrent: Discourage undesirable events
- Recovery: Restore resources
- Compensation: Provide alternatives to other types of controls

Services Provided by Various Security Controls
- Fences, locks, lighting: Preventative, Corrective, Recovery
- Security guard: Preventative, Detective, Corrective, Deterrent, Recovery
- Separation of duties: Preventative, Deterrent
- Security awareness training: Preventative, Detective
- Personnel procedures: Preventative, Detective, Deterrent, Compensation

Services Provided by Various Security Controls (continued)
- ACLs: Preventative
- Encryption: Preventative, Deterrent
- Audit logs: Detective
- Smart cards: Preventative
- Intrusion Detection System: Preventative, Detective, Corrective, Deterrent
- Antivirus Software: Preventative, Detective, Corrective, Recovery

Common Access Control Practices
- Deny access to systems by anonymous & guest accounts
- Limit and monitor use of admin accounts
- Remove obsolete user accounts when employees leave the company
- Suspend inactive accounts after 30-60 days
- Disable unneeded system features & services
- Use nondescriptive logon IDs
- Rename root and administrator logon IDs
- Remove redundant accounts, ACLs, roles, groups

Fun with Auditing
- Enforces accountability
- Must be reviewed
- Must be backed up and protected
  - Good hackers always go after the audit logs
- Guaranteed integrity is key to using logs as evidence
  - To be admissible in court, logs must be generated in the normal course of business

Common Audit Events
- System performance
- Logon attempts + date/time (successful & unsuccessful)
- Lockouts of users
- Alteration of config files
- Error messages
- Files opened and closed
- File modifications
- ACL violations
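"Guaranteed integrity" of the audit trail is something you can build rather than merely assert. The added example below (not from the slides) keeps audit records in a hash chain: each entry carries the hash of its predecessor, so editing or deleting a record breaks every hash after it and verification reports the first bad index. The event records are constructed from the slide's list of common audit events; timestamps, user names and paths are sample values.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64   # hash the first entry chains to


def _entry_hash(prev_hash: str, seq: int, event: Dict) -> str:
    """Hash of (previous hash || canonical JSON of seq and event)."""
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append an event as the next chained entry and return that entry."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "event": event, "prev": prev, "hash": _entry_hash(prev, seq, event)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> int:
    """Return -1 if every entry chains correctly, else the index of the first bad entry.

    A modified event, a re-ordered entry or a deleted entry in the middle all show up
    as a mismatch at or right after the point of tampering.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if entry["hash"] != _entry_hash(prev, i, entry["event"]):
            return i
        prev = entry["hash"]
    return -1


def build_sample_log() -> List[Dict]:
    """Constructed audit trail using event types from the slide (sample values only)."""
    events = [
        {"ts": "2003-02-10T09:02:11", "type": "logon", "user": "alice", "result": "success"},
        {"ts": "2003-02-10T09:05:40", "type": "logon", "user": "bob", "result": "failure"},
        {"ts": "2003-02-10T09:05:52", "type": "logon", "user": "bob", "result": "failure"},
        {"ts": "2003-02-10T09:06:03", "type": "lockout", "user": "bob"},
        {"ts": "2003-02-10T09:30:00", "type": "config_change", "user": "alice",
         "file": "/etc/example.conf"},
        {"ts": "2003-02-10T09:31:15", "type": "acl_violation", "user": "carol",
         "object": "payroll.xls"},
    ]
    log: List[Dict] = []
    for event in events:
        append_event(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["event"]["result"] = "success"   # someone rewriting a failed logon
    print("after tampering, first bad entry:", verify_chain(log))
```

The chain cannot detect removal of the most recent entries, because nothing chains to them yet; that is why the slide's "backed up and protected" matters in practice: the latest hash (or the whole log) must be copied to a host the logged systems cannot write to.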
Unauthorized Disclosure
- Object Reuse
  - Data left on floppies, backup tapes, or hard drives can be read
  - Sectors containing data can be marked bad, thus hiding data
  - Low-level format, degauss, or destroy the media
- Emanation Security
  - Capturing electrical and electromagnetic radiation from devices
  - TEMPEST – US Government standard for emanation protection

Intrusion Detection Systems
- Sniff network traffic (network-based) or monitor individual computers (host-based)
- Signature Based Detection
  - Must be loaded with “fingerprints” of known attacks
  - Not effective against new attacks
- Statistical Intrusion Detection
  - Looks for statistical anomalies in traffic
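The two detection styles behave differently on the same traffic, and the added example below (not from the slides) runs both over constructed web-server-style log lines. The signature detector matches fixed "fingerprints" against each request path; the statistical detector learns how many requests a source normally makes during a quiet baseline period and flags any source whose volume exceeds the mean by three standard deviations. The live traffic includes one request a signature recognizes and a flood whose shape no signature describes, so only the statistical side catches it. All log lines, addresses and signature patterns are constructed samples.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple


def _lines(ip: str, paths: List[str], status: int = 200) -> List[str]:
    """Constructed log lines in the form '<source-ip> <method> <path> <status>'."""
    return [f"{ip} GET {p} {status}" for p in paths]


# Constructed baseline: a quiet period used to learn normal per-source request volume.
BASELINE_LINES = (
    _lines("10.0.0.11", ["/index.html", "/news.html", "/about.html"])
    + _lines("10.0.0.12", ["/index.html"] * 4)
    + _lines("10.0.0.13", ["/index.html"] * 3)
    + _lines("10.0.0.14", ["/index.html"] * 5)
    + _lines("10.0.0.15", ["/index.html"] * 4)
)

# Constructed live traffic: ordinary browsing, one request matching a known fingerprint,
# and a flood of login requests that no signature describes.
LIVE_LINES = (
    _lines("10.0.0.11", ["/index.html", "/news.html", "/about.html", "/contact.html"])
    + _lines("203.0.113.7", ["/../../etc/passwd"], status=404)
    + _lines("198.51.100.9", [f"/login?user=u{i}" for i in range(40)], status=401)
)

# Constructed signatures: fingerprints of request shapes already known to be hostile.
SIGNATURES: Dict[str, re.Pattern] = {
    "directory traversal": re.compile(r"\.\./"),
    "unix password file probe": re.compile(r"/etc/passwd"),
}


def parse(line: str) -> Tuple[str, str]:
    ip, _method, path, _status = line.split()
    return ip, path


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Signature based: report (source, signature name) for every fingerprint hit."""
    alerts = []
    for line in lines:
        ip, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def statistical_alerts(baseline: List[str], live: List[str], k: float = 3.0) -> List[str]:
    """Statistical: sources whose live request count exceeds baseline mean + k * stdev."""
    base_counts = Counter(parse(line)[0] for line in baseline)
    mean = statistics.mean(base_counts.values())
    sd = statistics.stdev(base_counts.values())
    threshold = mean + k * sd
    live_counts = Counter(parse(line)[0] for line in live)
    return sorted(ip for ip, n in live_counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LIVE_LINES))
    print("statistical alerts:", statistical_alerts(BASELINE_LINES, LIVE_LINES))
```

The flip side is also visible here: the statistical detector says nothing about the single traversal request from 203.0.113.7, because one request is not anomalous in volume. Production systems run both approaches for exactly this reason.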
Sniffers
- Captures network traffic in real time
- Allows admins or hackers to eavesdrop on data
- Employees can use sniffers undetected in some networks

Honeypots
- Unprotected system set up to lure would-be attackers
- Attackers can then be tracked, attacks cataloged, other systems hardened appropriately
- Enticement
  - Legally admissible; target is simply not well protected
- Entrapment
  - Not legally admissible; target invites the hacker in

Threats to Access Control
- Dictionary Attack
  - Lists or dictionaries are used as a source of passwords or plain text
  - Countermeasures
    - Do not allow single-word-based passwords – use dictionary attacks against your own users to find weak passwords
    - Rotate passwords often
    - Employ one-time password techniques
    - Protect password files and stores

Threats to Access Control
- Brute Force Attack
  - Attack attempts every possible combination of potential inputs
  - Countermeasures
    - Employ stringent clipping levels and auditing of login attempts
    - Use brute force attacks against your own users to uncover weak passwords
    - Protect password files and stores
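A clipping level turns an open-ended guessing attempt into a small, bounded number of tries, and the audit trail is what tells you the attempt happened. The added example below (not from the slides) implements the countermeasure for a login path: failures are counted inside a sliding window, the account locks for a configurable period once the clipping level is reached (the earlier slide's "for how long?" becomes an explicit parameter), and every attempt, including attempts against locked or unknown accounts, is written to an audit list. The credential store and account names are constructed; a real store holds salted hashes, not plaintext.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LockoutPolicy:
    clipping_level: int = 5      # failures tolerated before the account locks
    window_seconds: int = 600    # failures older than this no longer count
    lockout_seconds: int = 900   # how long the lock lasts


@dataclass
class AccountState:
    failure_times: List[int] = field(default_factory=list)
    locked_until: int = 0


class LoginGuard:
    """Bounds credential guessing per account and records every attempt for review."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials          # constructed plaintext, demo only
        self.state: Dict[str, AccountState] = {}
        self.audit: List[str] = []              # one line per attempt, whatever the outcome

    def _record(self, now: int, user: str, outcome: str) -> None:
        self.audit.append(f"t={now} user={user} outcome={outcome}")

    def attempt(self, user: str, password: str, now: int) -> Tuple[bool, str]:
        st = self.state.setdefault(user, AccountState())
        p = self.policy
        if now < st.locked_until:
            # Locked accounts are not even checked; the attempt is still logged.
            self._record(now, user, "rejected-locked")
            return False, "locked"
        # Forget failures that have aged out of the window.
        st.failure_times = [t for t in st.failure_times if now - t < p.window_seconds]
        stored = self.credentials.get(user)
        # Unknown users take the same path as known ones so the response does not
        # reveal which logon IDs exist.
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            st.failure_times.clear()
            self._record(now, user, "success")
            return True, "ok"
        st.failure_times.append(now)
        if len(st.failure_times) >= p.clipping_level:
            st.locked_until = now + p.lockout_seconds
            st.failure_times.clear()
            self._record(now, user, f"lockout-after-{p.clipping_level}-failures")
            return False, "locked"
        self._record(now, user, "failure")
        return False, "bad credentials"


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(clipping_level=3), {"alice": "correct horse battery"})
    for t, pw in [(0, "guess1"), (10, "guess2"), (20, "guess3"), (30, "correct horse battery")]:
        print(t, guard.attempt("alice", pw, t))
    print("\n".join(guard.audit))
```

The lockout line in the audit list is the event a reviewer looks for: a burst of failures followed by a lock, especially across many accounts in a short span, is the pattern of a guessing campaign rather than a forgotten password.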
Threats to Access Control
- Login Spoofing
  - Hacker replaces legitimate login screens with fakes
  - Countermeasure
    - Security awareness training
    - Display number of failed login attempts

Homework Assignment
- Read Chapter 5, except: State Machine Models & Modes of Operation (pgs 240-249)
- Paper
  - Write a 2-3 page technical brief on the “Slammer” worm
  - Include vulnerable software details, countermeasures, and information about testing systems for the vulnerability.
  - Discuss the impact and current investigation of the worm.
  - Summarize the events and alerts that occurred as the weekend unfolded.