Access Control Terminology


Page 1: Access Control Terminology

Access Control Terminology

Access Controls: Control how users and systems communicate and interact.

Page 2: Access Control Terminology

Process Terminology

Identification: Method for determining a subject is who it says it is. User name, PIN number, smart card, account number.

Authenticated: Provided a second matching piece to the identification method. Password, passphrase, PIN number.

Authorized: Has appropriate access to the requested resource.

Page 3: Access Control Terminology

Strong Authentication

Types of authentication: Something a person has. Something a person knows. Something a person is.

Strong Authentication includes at least 2 of the 3.

Only 1 is considered _______________

Page 4: Access Control Terminology

Biometrics – Something a Person Is

A unique personal attribute.

Type I Error: Rejected an authorized user.

Type II Error: Accepts a non-authorized imposter.

Crossover Error Rate (CER): Point where the Type I Error distribution and the Type II Error distribution meet. The lower the number, the better.
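As an added illustration (not part of the original slides), the script below computes the Type I and Type II rates for a biometric matcher at every decision threshold and locates the threshold where the two error distributions meet, which is the CER the slide describes. The match scores are constructed sample data, not measurements from any real system.

```python
# Added example (not from the slides): Type I / Type II error rates and the
# crossover error rate (CER) for a biometric matcher. Scores are constructed.

# Constructed similarity scores (0-100): higher means "more like the enrolled user".
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]   # attempts by authorized users
IMPOSTER_SCORES = [30, 38, 44, 51, 55, 58, 63, 67, 72, 78]  # attempts by imposters


def error_rates(threshold, genuine=GENUINE_SCORES, imposter=IMPOSTER_SCORES):
    """Return (Type I rate, Type II rate) when a score >= threshold is accepted.

    Type I  = false rejection: an authorized user scores below the threshold.
    Type II = false acceptance: an imposter scores at or above the threshold.
    """
    type1 = sum(1 for s in genuine if s < threshold) / len(genuine)
    type2 = sum(1 for s in imposter if s >= threshold) / len(imposter)
    return type1, type2


def crossover_error_rate(genuine=GENUINE_SCORES, imposter=IMPOSTER_SCORES):
    """Sweep every threshold and return (threshold, CER) at the point where the
    Type I and Type II distributions meet (smallest gap; first such threshold)."""
    best_gap, best_threshold, cer = None, None, None
    for threshold in range(0, 101):
        t1, t2 = error_rates(threshold, genuine, imposter)
        gap = abs(t1 - t2)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, cer = gap, threshold, (t1 + t2) / 2
    return best_threshold, cer


if __name__ == "__main__":
    for t in (50, 68, 90):
        t1, t2 = error_rates(t)
        print(f"threshold {t}: Type I {t1:.1f}, Type II {t2:.1f}")
    print("CER at threshold %d = %.2f" % crossover_error_rate())
```

Raising the threshold drives Type II errors down and Type I errors up; the CER is simply where the two curves cross, which is why a vendor's quoted CER is a single number that summarises the trade-off.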

Page 5: Access Control Terminology

Popular Biometrics

Fingerprint

Palm scan

Hand Geometry: Length and width of the hand and fingers

Retina Scan

Iris Scan

Signature Dynamics

Keyboard Dynamics

Voice Print

Facial Scan

Hand Topology: Side picture of the hand

Page 6: Access Control Terminology

Biometrics Compared

Page 7: Access Control Terminology

Passwords – Something a Person Knows

Passphrases refer to multiple-word passwords.

Personal Identification Numbers (PIN) refer to numeric passwords.

Considered weak: People use familiar words or numbers. Words are susceptible to dictionary and brute force attacks. Users can't remember strong passwords, so they write them down.

Page 8: Access Control Terminology

Making Passwords Stronger

Forced password lifetimes: Shorter makes it more secure, but too short and users forget which is active. 60 days is a good compromise.

Enforced minimum lengths.

Forced special characters, case changes.

No reuse.

Lock out users at a low clipping level (acceptable failed attempts). For how long?
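An added example (not from the original slides) that turns the rules above into a checkable policy: minimum length, forced case changes and special characters, no reuse against a salted password history, and a forced lifetime using the slide's 60 days. It also rejects a single dictionary word, the weakness the earlier slide describes. The word list, the minimum length and the sample passwords are constructed for illustration.

```python
# Added example (not from the slides): a password policy validator.
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Constructed policy values; MAX_AGE_DAYS follows the slide's "60 days".
MIN_LENGTH = 12
MAX_AGE_DAYS = 60
HISTORY_SIZE = 5            # previous passwords that may not be reused
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}  # constructed word list


def _hash(password, salt):
    """Salted PBKDF2 so the history never stores a password in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_violations(candidate, history):
    """Return the names of the rules the candidate breaks ([] means accepted).
    `history` is a list of (salt, digest) tuples for the user's past passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("min_length")
    if not any(c.islower() for c in candidate) or not any(c.isupper() for c in candidate):
        problems.append("case_change")
    if not any(c in string.punctuation for c in candidate):
        problems.append("special_char")
    # A lone dictionary word with digits or punctuation tacked on the end is still guessable.
    core = candidate.lower().rstrip(string.digits + string.punctuation)
    if core in DICTIONARY:
        problems.append("dictionary_word")
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("reuse")
            break
    return problems


def password_expired(changed_on, today):
    """True once the forced lifetime has elapsed and the user must rotate."""
    return today - changed_on > timedelta(days=MAX_AGE_DAYS)


def record_password(history, password):
    """Store a fresh salted hash of an accepted password in the user's history."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))


if __name__ == "__main__":
    hist = []
    record_password(hist, "Correct-Horse-Battery-7")
    print(policy_violations("Password1!", hist))          # constructed weak candidate
    print(policy_violations("Correct-Horse-Battery-7", hist))
    print(password_expired(date(2024, 1, 1), date(2024, 3, 15)))
```

The history is compared hash-by-hash rather than by storing old passwords, which keeps the "no reuse" rule from becoming the very password store the later slides warn you to protect.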

Page 9: Access Control Terminology

Better Passwords Through Technology

Password Generators: Produce passwords using random but pronounceable passwords.

Password Checkers/Crackers: L0phtcrack, John the Ripper, Brutus.

Page 10: Access Control Terminology

Variations on a Theme

Cognitive Passwords: Fact- or opinion-based information. Best for seldom-used authentication needs.

One-Time Use Passwords:

Synchronous token device: Token and server preshare a private key. Time based – token device and server clock are synced, time value used as plaintext. Event based – token and server share an authentication value list.

Asynchronous token device: Server prompts with a challenge code, user enters the code into the token device, which returns a response code; user enters the response into the server.
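Both token schemes above, written out as the two sides of the exchange, as an added example that is not part of the original slides. The synchronous time-based token is the HMAC-based one-time password of RFC 4226 / RFC 6238 (the token and server share a key and a clock, and the current time step is the value that gets encrypted); the asynchronous token is a challenge-response in which the token HMACs the server's challenge. The shared secret, the fixed clock value and the challenge format are constructed test inputs.

```python
# Added example (not from the slides): synchronous (time-based) and
# asynchronous (challenge-response) one-time password tokens.
import hashlib
import hmac
import secrets
import struct


# --- Synchronous token: shared key + synchronised clock ---------------------

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second intervals since the epoch.
    This is what the token displays; the server computes the same thing."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, drift_steps=1):
    """Server side: accept the current step or one step either side to tolerate
    small clock drift between token and server."""
    step_now = unix_time // 30
    for step in range(step_now - drift_steps, step_now + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True
    return False


# --- Asynchronous token: server challenge, token response -------------------

def server_challenge():
    """Server prompts with a fresh, unpredictable challenge code."""
    return secrets.token_hex(4)


def token_response(secret, challenge, digits=8):
    """User keys the challenge into the token; the token derives a response from it."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % (10 ** digits):0{digits}d}"


def server_verify_response(secret, challenge, response):
    """Server recomputes the expected response for the challenge it issued."""
    return hmac.compare_digest(token_response(secret, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 test secret, constructed for the demo
    print("token shows:", totp(key, 59), "server accepts:", verify_totp(key, totp(key, 59), 59))
    chal = server_challenge()
    resp = token_response(key, chal)
    print("challenge", chal, "response", resp, "accepted:", server_verify_response(key, chal, resp))
```

The event-based variant on the slide is the same `hotp` function with a counter that both sides increment per use instead of deriving from the clock; the drift window in `verify_totp` is the part that goes wrong in practice when token and server clocks fall out of sync.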

Page 11: Access Control Terminology

Digital Signatures

-------BEGIN SIGNATURE------

IQB1AwUBMVSiA5QYCuMfgNYjAQFAKgL/

ZkBfbeNEsbthba4BlrcnjaqbcKgNv+a5kr453

7y8RCd+RHm75yYh5xxA1ojELwNhhb7cltrp

2V7LlOnAelws4S87UX80cL BtBcN6AACf11

qymC2h+Rb2j5SSU+rmXWru+=QFMx

-------END SIGNATURE------

Page 12: Access Control Terminology

Cards – Something a Person Has

Memory Cards: Hold information only. Credit cards, ATM cards.

Smart Cards: Process information and hold information. Information on the card is actively protected by authentication.

Page 13: Access Control Terminology

Authorization Criteria

Roles: Based on job function or assignment.

Groups.

Physical location: Interactive login, for example.

Logical location: IP address, for example.

Time of day.

Transaction type: Amount of money to be transferred, for example.

Page 14: Access Control Terminology

Restrictions to Remember

Default to NO ACCESS: Access Control Lists (ACL) commonly default to deny.

Base granted access on Need To Know: Least-privilege principle.

Single sign on whenever possible: Scripts. Kerberos is the recognized standard in heterogeneous environments. SESAME - Secure European System for Applications in a Multivendor Environment.

Page 15: Access Control Terminology

Access Control Models

Discretionary Access Control (DAC): Owner (creator) can access the resource and dictate who else can access it. Does not lend itself to central management.

Mandatory Access Control (MAC): Operating system controls access based on the owner's sensitivity level. Commonly used in military systems.

Page 16: Access Control Terminology

Role Based Access Control (RBAC): Subject's role determines access. Managed centrally.

Rule Based Access Control: Access matched against rules. Common in network devices.

Constrained Interfaces: Limits data access and functionality. ATM machines, for example.

Content Dependent Access Control: Restrictions based on data content. Firewalls commonly use this to stop worms, viruses.
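An added example (not from the original slides) showing rule based access control evaluated over the authorization criteria listed on Page 13: roles, logical location by IP address, time of day, and transaction type with the amount to be transferred. Rules are checked in order like a network device's rule set, and a request that matches no rule falls through to the NO ACCESS default from Page 14. The rules, network, addresses and requests are all constructed for illustration.

```python
# Added example (not from the slides): rule based authorization over
# role, IP address, time of day and transaction amount, default deny.
import ipaddress
from datetime import datetime, time

CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")   # constructed "logical location"
BUSINESS_HOURS = (time(8, 0), time(18, 0))             # constructed "time of day" window

# Ordered rule set. The first rule whose action/amount range matches decides the
# request; its remaining fields are the conditions that must hold for ALLOW.
RULES = [
    {"action": "transfer", "min_amount": 10_000.01,
     "roles": {"treasury"}, "corporate_net_only": True, "business_hours_only": True},
    {"action": "transfer", "max_amount": 10_000,
     "roles": {"teller", "treasury"}, "corporate_net_only": True},
    {"action": "view_balance", "roles": {"teller", "treasury", "auditor"}},
]


def in_business_hours(when):
    start, end = BUSINESS_HOURS
    return start <= when.time() < end


def rule_matches(rule, req):
    """Does this rule govern the request (same transaction type, amount in range)?"""
    if rule["action"] != req["action"]:
        return False
    amount = req.get("amount", 0)
    return rule.get("min_amount", 0) <= amount <= rule.get("max_amount", float("inf"))


def rule_allows(rule, req):
    """Evaluate the rule's conditions against the request's criteria."""
    if not set(req["roles"]) & rule["roles"]:
        return False
    if rule.get("corporate_net_only") and ipaddress.ip_address(req["ip"]) not in CORPORATE_NET:
        return False
    if rule.get("business_hours_only") and not in_business_hours(req["when"]):
        return False
    return True


def authorize(req):
    for rule in RULES:
        if rule_matches(rule, req):
            return "ALLOW" if rule_allows(rule, req) else "DENY"
    return "DENY"  # no rule matched: default to NO ACCESS


if __name__ == "__main__":
    req = {"action": "transfer", "amount": 50_000, "roles": ["treasury"],
           "ip": "10.20.5.7", "when": datetime(2024, 3, 4, 20, 0)}   # constructed request
    print(authorize(req))   # after hours, so DENY
```

Because the amount range is part of the match and not of the conditions, a teller attempting a large transfer is caught by the first rule and denied outright rather than sliding down to the small-transfer rule; ordering the rules is as much a part of the policy as their contents.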

Page 17: Access Control Terminology

Access Control Matrixes

Table of subjects and objects indicating actions subjects can take upon objects.

Common in DAC model.

Capability Tables: Access rights a specific subject has for a specific object.

ACLs: Lists of subjects that have access to a specific object. Very common in networking devices, firewalls.
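As an added example (not from the original slides), the block below stores an access control matrix as a sparse table and derives the two views the slide names from it: a capability table is one subject's row, an ACL is one object's column. Lookups default to no access, and the DAC rule from Page 15 (only the owner can extend access) is enforced on grants. The subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides): access control matrix, capability
# table (row view) and ACL (column view), with a DAC owner-only grant.

# Sparse matrix: (subject, object) -> set of rights. A missing cell is no access.
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write", "own"},
    ("bob", "payroll.xlsx"): {"read"},
    ("bob", "memo.txt"): {"read", "write", "own"},
    ("carol", "memo.txt"): {"read"},
}


def has_access(matrix, subject, obj, right):
    """Single cell lookup; anything not explicitly granted is denied."""
    return right in matrix.get((subject, obj), set())


def capability_table(matrix, subject):
    """Row of the matrix: every object the subject can reach and its rights."""
    return {o: sorted(r) for (s, o), r in matrix.items() if s == subject and r}


def acl(matrix, obj):
    """Column of the matrix: every subject with some access to the object."""
    return {s: sorted(r) for (s, o), r in matrix.items() if o == obj and r}


def grant(matrix, grantor, subject, obj, right):
    """DAC: only the object's owner may extend access to it."""
    if "own" not in matrix.get((grantor, obj), set()):
        raise PermissionError(f"{grantor} does not own {obj}")
    matrix.setdefault((subject, obj), set()).add(right)


def revoke(matrix, grantor, subject, obj, right):
    """Owner removes a right; an emptied cell is dropped so it reads as no access."""
    if "own" not in matrix.get((grantor, obj), set()):
        raise PermissionError(f"{grantor} does not own {obj}")
    cell = matrix.get((subject, obj), set())
    cell.discard(right)
    if not cell:
        matrix.pop((subject, obj), None)


if __name__ == "__main__":
    print("bob's capabilities:", capability_table(MATRIX, "bob"))
    print("ACL for payroll.xlsx:", acl(MATRIX, "payroll.xlsx"))
```

The same matrix answers both questions the slide distinguishes, but in a real system only one view is usually stored: an ACL sits with the object (the firewall or file server case), a capability list travels with the subject (a ticket or token). Which one is stored decides how cheap "who can reach this object?" versus "what can this user reach?" is to answer, and how hard revocation is.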

Page 18: Access Control Terminology

Centralized Access Control: Remote Authentication Dial-in User Service (RADIUS). Terminal Access Controller Access Control System (TACACS).

Decentralized Access Controls: Security Domains. Realm of distributed trust. Hierarchical or peer implementations. Microsoft domains are a specific version.

Page 19: Access Control Terminology

Typical Scenario - Hybrid

Most enterprises combine both centralized and decentralized control methods. May have a Kerberos centralized user database. Use TACACS+ tied to Kerberos to authenticate dial-up and router users. Use Windows 2000 file servers at each location to allow autonomous distributed security domains.

Workgroup printers are shared via Windows desktop peering.

Page 20: Access Control Terminology

Control Types

Preventative: Avoid undesirable events.

Detective: Identify undesirable events.

Corrective: Fix undesirable events that have occurred.

Deterrent: Discourage undesirable events.

Recovery: Restore resources.

Compensation: Provide alternatives to other types of controls.

Page 21: Access Control Terminology

Services Provided by Various Security Controls

Fences, locks, lighting: Preventative, Corrective, Recovery

Security guard: Preventative, Detective, Corrective, Deterrent, Recovery

Separation of duties: Preventative, Deterrent

Security awareness training: Preventative, Detective

Personnel procedures: Preventative, Detective, Deterrent, Compensation

Page 22: Access Control Terminology

Services Provided by Various Security Controls

ACLs: Preventative

Encryption: Preventative, Deterrent

Audit logs: Detective

Smart cards: Preventative

Intrusion Detection System: Preventative, Detective, Corrective, Deterrent

Antivirus Software: Preventative, Detective, Corrective, Recovery

Page 23: Access Control Terminology

Common Access Control Practices

Deny access to systems by anonymous & guest accounts.

Limit and monitor use of admin accounts.

Remove obsolete user accounts when employees leave the company.

Suspend inactive accounts after 30-60 days.

Disable unneeded system features & services.

Use nondescriptive logon IDs.

Rename root and administrator logon IDs.

Remove redundant accounts, ACLs, roles, groups.

Page 24: Access Control Terminology

Fun with Auditing

Enforces accountability.

Must be reviewed.

Must be backed up and protected: Good hackers always go after the audit logs.

Guaranteed integrity is key to using logs as evidence. To be admissible in court, logs must be generated in the normal course of business.

Page 25: Access Control Terminology

Common Audit Events

System performance.

Logon attempts + date/time (successful & unsuccessful).

Lockouts of users.

Alteration of config files.

Error messages.

Files opened and closed.

File modifications.

ACL violations.

Page 26: Access Control Terminology

Unauthorized Disclosure

Object Reuse: Data left on floppies, backup tapes, or hard drives can be read. Sectors containing data can be marked bad, thus hiding data. Low level format, degauss, or destroy the media.

Emanation Security: Capturing electrical and electromagnetic radiation from devices. TEMPEST – US Government standard for emanation protection.

Page 27: Access Control Terminology

Intrusion Detection Systems

Sniff network traffic (network-based) or monitor individual computers (host-based).

Signature Based Detection: Must be loaded with "fingerprints" of known attacks. Not effective against new attacks.

Statistical Intrusion Detection: Looks for statistical anomalies in traffic.

Page 28: Access Control Terminology

Sniffers

Captures network traffic in real time.

Allows admins or hackers to eavesdrop on data.

Employees can use sniffers undetected in some networks.

Page 29: Access Control Terminology

Honeypots

Unprotected system set up to lure would-be attackers.

Attackers can then be tracked, attacks cataloged, other systems hardened appropriately.

Enticement: Legally admissible, target is simply not well protected.

Entrapment: Not legally admissible, target invites the hacker in.

Page 30: Access Control Terminology

Threats to Access Control

Dictionary Attack: Lists or dictionaries are used as a source of passwords or plain text.

Countermeasures:

Do not allow single-word-based passwords – use dictionary attacks against your own users to find weak passwords.

Rotate passwords often.

Employ one-time password techniques.

Protect password files and stores.

Page 31: Access Control Terminology

Threats to Access Control

Brute Force Attack: Attack attempts every possible combination of potential inputs.

Countermeasures:

Employ stringent clipping levels and auditing of login attempts.

Use brute force attacks against your own users to uncover weak passwords.

Protect password files and stores.

Login Spoofing: Hacker replaces legitimate login screens with fakes. Countermeasure

Page 32: Access Control Terminology

Threats to Access Control

Login Spoofing: Hacker replaces legitimate login screens with fakes.

Countermeasure:

Security awareness training.

Display number of failed login attempts.
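An added example (not from the original slides) of the detective side of two countermeasures above: auditing logon attempts against a clipping level (the brute force countermeasure on Page 31, using the audit events of Page 25) and counting the failures since a user's last successful login so that number can be displayed at logon (the spoofing countermeasure on this page). The log format and every line in it are constructed; no real system writes records in exactly this shape.

```python
# Added example (not from the slides): clipping-level detection and
# "failed attempts since last success" over constructed audit records.
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5                 # failed attempts tolerated inside one window (constructed)
WINDOW = timedelta(minutes=10)

# Constructed audit records: "<ISO timestamp> <user> <OK|FAIL> <source IP>"
SAMPLE_LOG = """\
2024-03-04T09:00:01 alice FAIL 10.20.5.7
2024-03-04T09:00:05 alice OK 10.20.5.7
2024-03-04T09:01:10 bob FAIL 203.0.113.9
2024-03-04T09:01:12 bob FAIL 203.0.113.9
2024-03-04T09:01:14 bob FAIL 203.0.113.9
2024-03-04T09:01:16 bob FAIL 203.0.113.9
2024-03-04T09:01:18 bob FAIL 203.0.113.9
2024-03-04T09:01:20 bob FAIL 203.0.113.9
2024-03-04T09:30:00 carol FAIL 10.20.5.8
2024-03-04T09:45:00 carol FAIL 10.20.5.8
"""


def parse(line):
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def accounts_over_clipping_level(log_text, level=CLIPPING_LEVEL, window=WINDOW):
    """Return {user: peak failures in any sliding window} for users who reached
    the clipping level. Slow, spread-out failures (carol) stay below it."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, result, _ = parse(line)
        if result == "FAIL":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:      # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= level:
            flagged[user] = peak
    return flagged


def failures_since_last_success(log_text, user):
    """Count to show the user at logon: FAIL records after their most recent OK."""
    count = 0
    for line in log_text.splitlines():
        _, who, result, _ = parse(line)
        if who != user:
            continue
        count = 0 if result == "OK" else count + 1
    return count


if __name__ == "__main__":
    print("over clipping level:", accounts_over_clipping_level(SAMPLE_LOG))
    for u in ("alice", "bob", "carol"):
        print(u, "failures since last success:", failures_since_last_success(SAMPLE_LOG, u))
```

The sliding window is what makes the clipping level a rate rather than a lifetime total: bob's six failures in ten seconds trip it, carol's two failures fifteen minutes apart do not. Showing the user their own failure count at logon gives them a way to notice attempts they did not make, which is the point of the countermeasure on this page.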

Page 33: Access Control Terminology

Homework Assignment

Read Chapter 5, except: State Machine Models & Modes of Operation (pgs 240-249).

Paper: Write a 2-3 page technical brief on the "Slammer" worm. Include vulnerable software details, countermeasures, and information about testing systems for the vulnerability. Discuss the impact and current investigation of the worm. Summarize the events and alerts that occurred as the weekend unfolded.