Domain2 Access Control

  • 8/10/2019 Domain2 Access Control

    1/24

    CISSP Essentials:

    Mastering the Common Body of Knowledge

    Class 2:

    Access control

    Lecturer Shon Harris, CISSP, MCSE

    President, Logical Security

    CISSP Essentials Library:

    www.searchsecurity.com/CISSPessentials

    Class 2 Quiz:

    www.searchsecurity.com/Class2quiz

    Class 2 Spotlight:

    www.searchsecurity.com/Class2spotlight

    Access control mechanism examples

    Physical
      Locks
      Removal of floppy and CD-ROM drives
      Security guards controlling access to facility and equipment
      Computer chassis locks

    Technical (logical)
      Encryption
      Passwords and tokens
      Biometrics
      Operating system and application controls
      Identification and authorization technologies

    Administrative
      Policies and procedures
      Security awareness training
      Quality assurance

    Access control characteristics

    Control Service   Description
    Preventative      Keep undesirable events from happening
    Detective         Identify undesirable events that have taken place
    Corrective        Correct undesirable events that have taken place
    Deterrent         Discourage security violations from taking place
    Recovery          Restore resources and capabilities after a violation or accident
    Compensation      Provide alternatives to other controls

    Control combinations

    Detective Physical
      Motion detectors, intrusion detection, video cameras
      Human evaluation of output from sensors or cameras
      Guard responding to alarm

    Detective Technical
      IDS
      Reviewing audit logs
      Reviewing violations of clipping levels
      Forensics

    Detective Administrative
      Job rotation
      Sharing responsibilities
      Inspections
      Incident response
      Use of auditors

    Authentication mechanisms characteristics

    Verifying identification information

    Factor              Example
    Something you know  Password
    Something you have  Smart card
    Something you are   Biometrics (example = voice print)

    Access control mechanisms in use today

    Mechanism           Examples
    Biometrics          Retina scan, finger print, voice print
    Token devices       Synchronous and asynchronous devices
    Memory cards        ATM card, proximity card
    Smart cards         Credit card, identification card
    Cryptographic keys  Private key

    Crossover Error Rate (CER)

    Statistical metric
      The CER is the point at which the Type I and Type II error rates are equal; that shared rate (Type I = Type II) is the CER metric value

    Example: System ABC has 1 out of 100 Type I errors = 1%
      System ABC has 1 out of 100 Type II errors = 1%
      CER = 1

    The lower the CER value, the higher the accuracy
      A system with a CER of 4 has greater accuracy than a system with a CER of 5

    Customers can use this rating when comparing biometric systems
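    Added example (not from the course): a Python threshold sweep that computes the Type I (false rejection) and Type II (false acceptance) rates from constructed similarity scores for two hypothetical biometric systems and reports where the two rates cross. The 0-100 score scale and the score lists are assumptions.

```python
def error_rates(genuine, impostor, threshold):
    """Type I (false rejection) and Type II (false acceptance) rates at one threshold.
    A match is accepted when its similarity score is at or above the threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)    # legitimate users rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors accepted
    return frr, far


def crossover_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the threshold and return (threshold, CER in percent) where FRR and FAR meet.
    Raising the threshold lowers Type II errors and raises Type I errors; the CER is the
    common rate at the first threshold where the gap between the two is smallest."""
    best = None  # (gap, threshold, mean of the two rates)
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, t, rate = best
    return t, round(rate * 100, 2)


# Constructed similarity scores (0-100) from enrolment trials; not data from the course.
# System A separates users from impostors well; System B overlaps more.
SYSTEM_A_GENUINE = [70, 75, 80, 82, 85, 88, 90, 92, 95, 98]
SYSTEM_A_IMPOSTOR = [20, 30, 40, 45, 50, 55, 60, 65, 72, 78]
SYSTEM_B_GENUINE = [60, 65, 70, 75, 80, 85, 90, 92, 95, 98]
SYSTEM_B_IMPOSTOR = [30, 40, 50, 55, 60, 65, 70, 75, 80, 85]

if __name__ == "__main__":
    for name, g, i in (("A", SYSTEM_A_GENUINE, SYSTEM_A_IMPOSTOR),
                       ("B", SYSTEM_B_GENUINE, SYSTEM_B_IMPOSTOR)):
        t, cer = crossover_error_rate(g, i)
        print(f"System {name}: CER {cer}% at threshold {t}")
    # The system with the lower CER (A) is the more accurate one.
```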

    Biometric system types

    Biometric Type      Description
    Fingerprint         Ridge endings and bifurcations = minutiae
    Finger scan         Same as fingerprint, but extracting a smaller amount of data from fingerprint
    Palm scan           All prints from fingers and creases, ridges, and grooves from palm
    Hand geometry       Shape of (length and width) hand and fingers
    Retina scan         Blood vessel pattern of retina on back of eyeball
    Iris scan           Colored portion of eye that surrounds pupil
    Signature dynamics  Captures electrical signals of signature process
    Keyboard dynamics   Captures electrical signals of typing process
    Voice print         Distinguishes differences in sounds, frequencies and patterns
    Facial scan         Bone structure, nose ridges, forehead size, eye width
    Hand topology       Side-view of hand, reviewing size and width

    Smart card

    Smart card characteristics
      Microprocessor and integrated circuits: holds and processes data
      Tamperproof device: after a threshold of failed login attempts, it can render itself unusable
      PIN or password unlocks smart card functionality

    Smart card could be used for:
      Holding biometric data in template
      Responding to challenge
      Holding private key
      Holding user work history, medical information, money, etc.

    Added costs compared to other authentication technologies
      Reader purchase
      Card generation and maintenance

    Different technologies

    Single sign-on methods
      Scripts
      Directory services
      Thin clients
      Kerberos
      SESAME

    Kerberos components working together

    Components of Kerberos

    Key Distribution Center (KDC)
      Holds all of the principals' secret keys
      Principals authenticate to the KDC before networking can take place

    Principals
      Any user or service that interacts with a network
      Term that is applied to anything within a network that needs to communicate in an authorized manner

    Realm
      All principals that a specific KDC is responsible for
      A KDC can be responsible for one or more domains
      Similar to Microsoft's concept of a domain or zones within DNS servers

    More components of Kerberos

    Two major services of the KDC

    Authentication Server (AS)
      Authenticates user at initial logon
      Generation of initial ticket to allow user to authenticate to local system
      Initial ticket is also used to allow user to request a Ticket Granting Ticket (TGT) from TGS

    Ticket Granting Service (TGS)
      Generation of tickets to allow subjects to authenticate to each other
      Tickets are called Ticket Granting Tickets (TGTs)

    Kerberos authentication steps

    Models for access

    Access control models
      Once security goals are understood, a model must be chosen to fulfill the directives of the security policy
      Model is actually integrated into the operating system and application
      Security model that enforces access control by regulating how subjects and objects interact

    Model Types
      Discretionary Access Control (DAC)
      Mandatory Access Control (MAC)
      Role-Based Access Control (RBAC): also called non-discretionary
      Rule-Based Access Control
      Access Control Matrix

    Remote centralized administration

    Technologies

    RADIUS

    TACACS+

    Diameter

    RADIUS characteristics

    Remote Authentication Dial-In User Service (RADIUS)
      AAA protocol: authentication, authorization, auditing
      De facto standard for authentication protocol
      Open source, thus has been integrated into many vendor products
      Works on a client/server model

    TACACS+ characteristics

    Terminal Access Controller Access Control System (TACACS)
      Cisco proprietary protocol: not open source for others to use
      Splits authentication, authorization and auditing features
      Allows the administrator more flexibility
      Provides more protection for client-to-server communication compared to RADIUS

    Diameter characteristics

    Diameter
      New and improved RADIUS
      Open source protocol for all to use and integrate
      RADIUS is limited in its methods of authenticating users
        SLIP and PPP connections
        PAP, CHAP and some EAP authentication methods
      Diameter does not encompass such limitations
        Can authenticate wireless devices and smart phones
        Can authenticate by using other authentication protocols
        Open for future growth
      Users can move between service provider networks and change their points of attachment
      Includes better message transport, proxying, session control and higher security for AAA transactions

    IDS

    Network-based IDS
      Monitors traffic on a network segment
      Computer or network appliance with NIC in promiscuous mode
      Sensors communicate with a central management console

    Host-based IDS
      Small agent programs that reside on individual computers
      Detects suspicious activity on one system, not a network segment

    Types of IDSes

    Signature-based
      Also called knowledge-based
      IDS has a database of signatures, which are patterns, of previously identified attacks
      Cannot identify new attacks
      Software needs continual updates of signatures

    Behavior-based
      Statistical or anomaly-based
      Creates many false positives
      Better defense against new attacks
      Compares audit files, logs and network behavior, and develops and maintains profiles of normal behavior

    Behavioral-based IDS

    Statistical
      Setting of a threshold for certain activities
      Once the threshold is exceeded, an alert is released
      For example: 10 FTP requests in a 10-minute period is okay. 50 FTP requests in a 10-minute period indicates an attack.

    Anomaly-based
      Identification of abnormal behavior based on a profile of normal behavior
      The profile is built by the IDS learning about the environment's day-in and day-out activities
      An anomaly does not fall within a set of historical values
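    Added example (not from the course slides): Python that runs both behavior-based checks over a constructed FTP log, the slide's 50-requests-in-10-minutes threshold as a per-source sliding window, and an anomaly check of today's per-source count against a constructed profile of historical daily values. The log format, host addresses and profile numbers are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 50  # the slide's figure: 50 FTP requests in 10 minutes indicates an attack


def make_ftp_log():
    """Constructed sample log (not course data): one normal user and one noisy host."""
    start = datetime(2019, 8, 10, 9, 0, 0)
    lines = []
    for i in range(8):   # normal user: 8 requests spread over about 10 minutes
        lines.append(f"{(start + timedelta(seconds=70 * i)).isoformat()} 10.0.0.5 FTP RETR f{i}.txt")
    for i in range(60):  # noisy host: 60 requests in under two minutes
        lines.append(f"{(start + timedelta(seconds=2 * i)).isoformat()} 10.0.0.99 FTP RETR f{i}.txt")
    return sorted(lines)  # ISO-8601 timestamps sort chronologically as strings


def parse(line):
    ts, src, proto, *_ = line.split()
    return datetime.fromisoformat(ts), src, proto


def threshold_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Statistical detection: count each source's FTP requests inside a sliding
    window and alert once the count reaches the threshold."""
    recent, alerted = defaultdict(list), set()
    for line in lines:
        ts, src, proto = parse(line)
        if proto != "FTP":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop requests older than the window
            q.pop(0)
        if len(q) >= threshold:
            alerted.add(src)
    return sorted(alerted)


def daily_counts(lines):
    """Today's FTP request count per source, the value the anomaly check inspects."""
    return dict(Counter(parse(l)[1] for l in lines if parse(l)[2] == "FTP"))


# Constructed profile of normal behaviour: FTP requests per day seen on earlier days.
PROFILE = {"10.0.0.5": [6, 9, 7, 8, 10], "10.0.0.99": [5, 6, 4, 7, 6]}


def anomaly_alerts(profile, observed):
    """Anomaly detection: flag a source whose count falls outside its historical
    values, or that has no profile at all (never seen before)."""
    alerts = {}
    for src, count in observed.items():
        history = profile.get(src, [])
        if not history or not min(history) <= count <= max(history):
            alerts[src] = f"{count} requests today, historical values {history}"
    return alerts
```

    Running `threshold_alerts(make_ftp_log())` and `anomaly_alerts(PROFILE, daily_counts(make_ftp_log()))` flags only 10.0.0.99: the normal user's 8 requests stay under the threshold and inside its profile.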

    CISSP Essentials:

    Mastering the Common Body of Knowledge

    Lecturer Shon Harris, CISSP, MCSE

    President, Logical Security

    www.LogicalSecurity.com

    [email protected]

    Coming next: Class 3: Cryptography

    Register at the CISSP Essentials Library:

    www.searchsecurity.com/CISSPessentials