McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 6
Ensuring Controlled Access
6-2
Objectives
At the end of this unit, you will be able to explain:
- Fundamental access control principles
- How to structure and conduct the authorization process
- Common access control models
6-3
Access Control
- Access control
  - Describes the regulation of interaction between subjects and objects
  - Subjects: people or processes
    • Processes can be either managerial or technical
  - Objects can be anything appropriately accessed by a valid subject
6-4
Principles of Access Control
- Access control centers around three principles:
  - Identity
    • Asserts and verifies the user’s identity
  - Authority
    • Authorizes user access privileges
  - Accountability
    • Tracks user actions, analyzes and reports
6-5
Establishing Identity
- The principle of identity is composed of two functions:
  1. Identification establishes the identity of every person or process seeking access
  2. Authentication confirms that the identity is valid
6-6
Passwords: Something You Know
- Simplest, most economical means of identification
- Password management systems consistently:
  • Allow legitimate users to register directly for access
  • Allow forgotten passwords to be authenticated and reset by the user
  • Allow IT support staff to authenticate callers for password management
  • Synchronize users across a range of platforms
  • Provide for immediate cancellation of passwords
6-7
Passwords: Something You Know
- Problems with passwords
  - Memory
    • Human memory limits the number and sophistication of passwords
    • Writing a password down is a security protocol violation
  - Usage vulnerabilities
    • Short, simple, or familiar passwords
    • Easily compromised by brute force, guessing, or surreptitious means
6-8
Passwords: Something You Know
- Single sign-on (SSO)
  - Coordinates passwords across a range of platforms and applications
6-9
Passwords: Something You Know
- One-time password
  - Shortens the period of use of the password
6-10
Token-Based Security: Something You Have
- Tokens
  - Identification and authorization devices presented at the time of access
    • Function similarly to a key and lock
  - The most frequently used authentication device is the smart card, or swipe card
  - An embedded chip accepts, stores, and sends information
  - Keeps personal information secure and portable
  - Provides secure enterprise-wide access control
6-11
Token-Based Security: Something You Have
- Provides tamper-resistant storage and transport for critical data
- Can store digital keys and can create one-time passwords
- Vulnerabilities associated with smart cards:
  - Theft and loss of tokens
    • An unauthorized finder may gain access under the legitimate user’s authorizations
6-12
Biometrics: Something You Are
- Biometrics
  - Authentication by physical attribute
  - The subject asserts identity by presenting a unique personal attribute such as a fingerprint
  - Very effective
    • While physical attributes might change slowly over time, they are impossible to lose
6-13
Biometrics: Something You Are
- Biometric problems:
  - Relatively immature
  - Can fail due to dependency on advanced processing capabilities
  - Possible failures include:
    • False positives
    • False negatives
  - Tuned so that, at the crossover error point, the false-positive rate equals the false-negative rate
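A worked illustration of the crossover error point, added here and not part of the slides: constructed match scores for genuine and impostor presentations are swept over every threshold to find where the false-positive (false accept) rate equals the false-negative (false reject) rate, and to show how moving the threshold trades one error for the other.

```python
# Constructed match scores (0..100) from a hypothetical fingerprint matcher:
# genuine presentations should score high, impostor presentations low, but the two overlap
GENUINE = [92, 88, 85, 81, 79, 75, 70, 66, 61, 55]
IMPOSTOR = [20, 28, 33, 41, 47, 52, 58, 63, 68, 74]

def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept a presentation when score >= threshold.
    FAR = impostors wrongly accepted (false positives); FRR = genuine users wrongly rejected (false negatives)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def crossover_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds; return the lowest one where FAR and FRR are closest (the crossover error point)."""
    best = None
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best

def trade_off_table(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Show how raising the threshold lowers false positives at the cost of false negatives."""
    return [(t,) + error_rates(t, genuine, impostor) for t in thresholds]

if __name__ == "__main__":
    print("crossover:", crossover_threshold())
    for row in trade_off_table([40, 50, 64, 80]):
        print("threshold %3d  FAR %.1f  FRR %.1f" % row)
```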
6-14
Multifactor Authentication
- Multifactor authentication
  - Two or three different approaches combined to create a single access control function
  - Increases the level of security
    • Example: automatic teller machine (ATM)
6-15
Approaches for Establishing Identity in Cyberspace
Digital signatures
- Assert integrity and identity through cryptographic techniques
- Signatures combine integrity and identity techniques
  • Asymmetric or symmetric cryptographic key for identity
  • Hashes for integrity
Digital certificates
- Trusted third party model
- Confirms integrity and authenticates the message
- Certificates are supported by Public Key Infrastructures (PKIs)
  • PKI functions include verifying, enrolling, and certifying users
  • PKIs utilize the trusted third party model
6-16
Approaches for Establishing Identity in Cyberspace
- A digital certificate is a public document that contains:
  - Information identifying a user
  - The user’s encryption key
  - The certificate validity period
  - Other information
- A certificate binds a key and an entity
6-17
Mutual Authentication: Ensuring Identity During Transmission
- Process in which each side of an electronic communication verifies the authenticity of the other during message transmission
- Ensures the integrity of the transmission process as well as of the message sent
- Especially important when remote clients are attempting to assert their identity to servers
6-18
Mutual Authentication: Ensuring Identity During Transmission
- Kerberos
  - Uses encryption so that a client can prove its identity to a server, which in turn can authenticate itself to the client, within a secure transaction
6-19
Mutual Authentication: Ensuring Identity During Transmission
- Challenge Handshake Authentication Protocol (CHAP)
  - Provides authentication across a point-to-point link employing the Point-to-Point Protocol (PPP)
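An added example of the CHAP exchange, not from the slides: the response is computed as RFC 1994 specifies (MD5 over the identifier, the shared secret and the challenge), so the secret itself never crosses the link, and every challenge is random and single-use so a recorded response cannot be replayed. Running the exchange once in each direction, as done in `run_mutual_chap`, is this example's way of showing mutual authentication; the names and the secret are constructed.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over the one-octet Identifier, the shared secret, then the Challenge value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """The side that issues challenges and checks responses; it never sends the secret itself."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret
        self.pending = {}             # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id & 0xFF
        self.next_id += 1
        value = os.urandom(16)        # fresh random challenge, so a captured response cannot be replayed
        self.pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(ident, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)

def run_mutual_chap(client_name: str, server_name: str, secret: bytes) -> bool:
    """Illustration: the three-message exchange run in both directions gives mutual authentication."""
    server = ChapAuthenticator({client_name: secret})
    client = ChapAuthenticator({server_name: secret})
    # 1. server -> client: Challenge; 2. client -> server: Response (+ name); 3. server: Success/Failure
    sid, schal = server.challenge()
    client_ok = server.verify(sid, client_name, chap_response(sid, secret, schal))
    # the same three steps with the roles reversed, so the client also learns who it is talking to
    cid, cchal = client.challenge()
    server_ok = client.verify(cid, server_name, chap_response(cid, secret, cchal))
    return client_ok and server_ok
```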
6-20
Authorization: Controlling Access
- Authorization asserts the specific rights to use the system that have been granted to a subject
- Rights are referred to as permissions or privileges
  • Based on the concept of “trust”
- Trusted subjects are allowed access to specified objects
Security domain
- A systematic point of reference on which the determination, assignment, and monitoring of access is based
  • Incorporates all related objects, with common protection needs, into a single manageable entity
6-21
Policy-Based Access Control
- Access control list (ACL): the most frequent example of policy-based access control
6-22
Discretionary Access Control (DAC)
- Lets the owner of a file or physical object selectively grant or deny access to users
- The most common model in large systems
6-23
Discretionary Access Control (DAC)
- Role-based access control (RBAC)
  - A common form of discretionary access control
  - Involves the assignment of access permissions to objects that are associated with given roles
6-24
Discretionary Access Control (DAC)
- Content-dependent access control
  - Used to control access to record-intensive applications such as databases
  - Capability-based system
    • If the user possesses a capability (ticket), access is granted
    • An Authorization Table Matrix (ATM) manages the assignment of access privileges
  - Advantages
    • Greater level of granularity
    • Both simple and intuitive
  - Disadvantages
    • Machine-intensive
    • Requires a high level of computer performance
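An added example tying together slides 6-21 to 6-24 (ACLs, DAC, RBAC and the capability/authorization matrix); it is not from the slides. Constructed role definitions are expanded into an authorization table matrix, which is then sliced two ways: per object (an ACL) and per subject (the capability tickets it holds). `owner_grant` shows the discretionary part, where only an object's owner may extend access; the users, objects and roles are constructed.

```python
# Constructed RBAC definitions: roles carry (object, right) permissions, users are assigned roles
ROLES = {
    "clerk":         {("report.txt", "read")},
    "payroll_admin": {("payroll.db", "read"), ("payroll.db", "write")},
}
USER_ROLES = {"alice": {"clerk", "payroll_admin"}, "bob": {"clerk"}}
OWNERS = {"report.txt": "alice", "payroll.db": "alice"}   # constructed object ownership (for DAC)

def matrix_from_roles(user_roles, roles):
    """Expand role assignments into an authorization table matrix: subject -> object -> rights."""
    matrix = {}
    for user, assigned in user_roles.items():
        matrix[user] = {}
        for role in assigned:
            for obj, right in roles[role]:
                matrix[user].setdefault(obj, set()).add(right)
    return matrix

def acl_view(matrix):
    """Object-centric slice of the matrix: for each object, its access control list."""
    acl = {}
    for subj, objs in matrix.items():
        for obj, rights in objs.items():
            acl.setdefault(obj, {})[subj] = set(rights)
    return acl

def capability_view(matrix):
    """Subject-centric slice: the set of (object, right) tickets each subject holds."""
    return {s: {(o, r) for o, rights in objs.items() for r in rights} for s, objs in matrix.items()}

def is_authorized(matrix, subject, obj, right):
    """The check a reference monitor makes; an unknown subject or object is denied by default."""
    return right in matrix.get(subject, {}).get(obj, set())

def owner_grant(matrix, owners, owner, obj, grantee, right):
    """DAC: only the object's owner may extend access. Returns True when the grant was applied."""
    if owners.get(obj) != owner:
        return False
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return True

MATRIX = matrix_from_roles(USER_ROLES, ROLES)
```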
6-25
Discretionary Access Control (DAC)
- Temporal access control
  - Event-driven and dynamic
  - Whether access is granted, and the type of access given, is determined by:
    • Time of day
    • Point of origin
    • How many times the individual identity has attempted to access the system
    • Number of password attempts
  - Advantage:
    • Allows anticipation of, and protection from, undesirable events
  - Disadvantage:
    • The chain of events that leads to a given decision is not always predictable
6-26
Mandatory Access Control (MAC)
- Restricts a subject’s access to objects based on a set of security attributes (labels)
- Used when policy dictates that:
  • Protection decisions must not be decided by the object owner
  • The system must enforce the protection decisions over the wishes or intentions of the object owner
- Prevents arbitrary object sharing
- Uses a specific set of policies or security rules to define the sharing of data within the organization
6-27
Mandatory Access Control (MAC)
- Access is controlled automatically by the system using set criteria
6-28
Real-World Access Control: Automating the Process
- Reference monitor
  - Implemented either operationally or within the operating system
  - Real-time and dynamic allocation of access privileges
  - The system must be able to distinguish each individual identity instantly and correctly assign its rights
    • As well as determine what each can and cannot access
6-29
Real-World Access Control: Automating the Process
- An automated identity management system requires five basic conditions:
  - Identity architecture
    • Establishing the identity infrastructure
  - Privilege setting
    • Establishing the rights of each identity
  - Identity reference
    • Automating the process
    • The reference monitor involves three factors:
      • Completeness
      • Isolation
      • Verifiability
  - Enforcement of privileges
    • Guarding the door
  - Continuous maintenance
    • Keeping the system current
6-30
Setting Up the System: Account Management
- Account management
  - The day-to-day face of any automated access control system
  - Ensures that:
    • Identity data is accurate and up to date
    • The monitoring and enforcement system is operating as intended
  - Links user identities to specific applications, databases, and services
  - Built around three related processes:
    • Creation of new system access
    • Modification of system access
    • Termination of system access
6-31
Intrusion Detection Systems
- Detect, characterize, and report on any suspicious attempts to access protected space
- Built around boundary sensors: a software utility located at the perimeter of the protected space that monitors traffic
  • The term commonly used to describe this utility is intrusion detection system (IDS)
  • Intrusion prevention systems (IPSs)
6-32
Types of Intrusion Detection: Automated versus Human Centered
- Automated: when an instantaneous response is needed
- Human-centered: if time will allow for a more considered response
- Two IDS types:
  - Network-Based IDS (NIDS)
    • Detect attacks by capturing and analyzing network packets
  - Host-Based IDS (HIDS)
    • Operate on information collected and analyzed by an individual computer system
6-33
Common Network-Based IDS (NIDS)
- Pattern-matching IDS
  - Scans incoming network packets for specific byte sequence signatures stored in a database of known attacks
- State-matching IDS
  - Scans for attack behaviors in the traffic stream itself rather than for the presence of an individual packet signature
- Analysis engine methods
  - Use anomalous behavior as the basis for their response
    • Example: statistical anomaly-based IDS
6-34
Common Network-Based IDS (NIDS)
- Protocol anomaly-based methods
  - Capable of using feedback from prior attempts to refine their approach
- Traffic anomaly-based methods
  - Watch for unusual traffic activities suddenly appearing on the network
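An added example covering the NIDS methods on slides 6-33 and 6-34, written for this page rather than taken from it: the same constructed packet trace is run through a pattern-matching detector (a byte-sequence signature judged per packet), a state-matching detector (one source touching many ports within a window, which no single packet reveals) and a traffic anomaly detector (a source's packet rate against a learned baseline). The trace, the signature and the baseline figures are constructed.

```python
from collections import defaultdict

# Constructed packet trace: (seconds, source address, destination port, payload)
TRACE = [
    (0.0, "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    (0.1, "10.0.0.5", 80, b"GET /../../private.txt HTTP/1.1"),
    (1.0, "10.0.0.9", 22, b""), (1.1, "10.0.0.9", 23, b""), (1.2, "10.0.0.9", 25, b""),
    (1.3, "10.0.0.9", 80, b""), (1.4, "10.0.0.9", 443, b""), (1.5, "10.0.0.9", 3389, b""),
    (2.0, "10.0.0.7", 80, b"GET /about.html HTTP/1.1"),
]

SIGNATURES = {"directory-traversal": b"../../"}   # constructed byte-sequence signature database

def pattern_match(trace, signatures=SIGNATURES):
    """Pattern-matching IDS: judge each packet on its own by looking for known byte sequences."""
    return [(t, src, name) for t, src, _, payload in trace
            for name, sig in signatures.items() if sig in payload]

def state_match(trace, distinct_ports=5, window=2.0):
    """State-matching IDS: keep per-source state across packets; a source probing many distinct
    ports inside the window is a behaviour that no individual packet shows."""
    recent = defaultdict(list)
    alerts, flagged = [], set()
    for t, src, port, _ in trace:
        recent[src] = [(ts, p) for ts, p in recent[src] if t - ts <= window] + [(t, port)]
        if src not in flagged and len({p for _, p in recent[src]}) >= distinct_ports:
            alerts.append((t, src, "port-sweep"))
            flagged.add(src)
    return alerts

def traffic_anomaly(trace, baseline_pps=2.0, factor=2.0):
    """Traffic anomaly-based method: flag a source whose packet rate far exceeds the learned baseline
    (the baseline and factor would normally be learned from quiet periods; here they are constructed)."""
    first, last, count = {}, {}, defaultdict(int)
    for t, src, _, _ in trace:
        first.setdefault(src, t)
        last[src] = t
        count[src] += 1
    return [src for src in count
            if count[src] / max(last[src] - first[src], 1.0) > factor * baseline_pps]
```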
6-35
Common Network-Based IDS (NIDS)
- Summary
6-36
Host-Based IDS (HIDS)
- Work through the audit function and monitoring of audit trails
- Types of events captured in an audit trail include:
  • Network connection event data
  • System-level event data
  • Application-level event data
  • User-level event data
  • Keystroke activity
- Primary issue: the volume of data that must be examined
6-37
Security Assessments: Penetration Testing
- “Pen” testing denotes activities undertaken to identify and exploit security vulnerabilities
- Evaluates system security by attacking it
- Aimed at the security conditions that are the most common targets of intruders
- Three pen test types:
  • Zero-knowledge: the tester has no relevant information about the target
  • Partial-knowledge: the tester may have some information about the target
  • Full-knowledge: the tester has intimate knowledge of the target environment
6-38
Security Assessments: Penetration Testing
- Four pen-testing activities:
  1. Discovery
  2. Enumeration
  3. Vulnerability mapping
  4. User and privilege access
- The resultant report can help to identify:
  • System vulnerabilities
  • Gaps in security measures
  • IDS and intrusion response capability
  • Whether anyone is monitoring audit logs
  • How suspicious activity is reported
  • Potential countermeasures
6-39
Security Assessments: Penetration Testing
- Penetration-testing strategies can include:
  • Application testing
  • Denial of Service (DoS) testing
  • War dialing
  • Wireless network penetration testing
  • Social engineering
- Internal procedures focus on identifying anomalies in the internal IT environment and include:
  • Blind tests
  • Double-blind tests
  • Targeted tests
6-40
Common Access Control Models
- Access control models enforce policies
- Must be specifically designed to embody the organization’s overall approach to security
- Three models in common use today:
  • Confidentiality/classification-based models: Bell-LaPadula
  • Integrity-based models: Biba
  • Transaction-based models: Clark-Wilson
6-41
Classification-Based Security Models: Bell-LaPadula
- A framework that manages different classification levels
- Intended to limit disclosure of information between dissimilar levels
- A multilevel security system
  • Uses a hierarchical classification structure
6-42
Classification-Based Security Models: Bell-LaPadula
- Bell-LaPadula
  - Employs both mandatory and discretionary access control mechanisms
    • Implements two security rules:
      1. “No read up”
      2. “No write down”
  - The classification level of the object and the access rights of the subject determine:
    • What data the subject is authorized to access
    • What they may do
6-43
Integrity-Based Security Models: Biba
- A formal approach centered on ensuring the integrity of subjects and objects in a system
- Primary objective
  • Limit information modification
6-44
Integrity-Based Security Models: Biba
- Biba operates on two simple rules:
  1. A subject with a lower classification cannot write data to a higher classification
  2. A subject with a higher classification cannot read data from a lower classification
- The Biba model is called an information flow model
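An added example for the Bell-LaPadula rules on slide 6-42 and the Biba rules on slide 6-44, not from the slides: both policies are written as a decision function over the same four-level hierarchy (the level names are constructed), which makes it visible that Biba is Bell-LaPadula with the read and write directions reversed. The small `ReferenceMonitor` wrapper routes every request through one policy function and records each decision, in the spirit of the completeness, isolation and verifiability factors on slide 6-29.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}   # constructed hierarchy

def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o      # a subject may only read at or below its own clearance
    if op == "write":
        return s <= o      # a subject may only write at or above its own clearance
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity): a lower subject cannot write higher data; a higher subject cannot read lower data."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o      # no read down: low-integrity data must not contaminate a higher subject
    if op == "write":
        return s >= o      # no write up: a low-integrity subject must not alter higher data
    raise ValueError(f"unknown operation {op!r}")

class ReferenceMonitor:
    """Every access request passes through here (completeness); the policy is one replaceable
    function (isolation, verifiability); every decision is logged for accountability."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []

    def request(self, subject, subject_level, obj, object_level, op) -> bool:
        allowed = self.policy(subject_level, object_level, op)
        self.audit.append((subject, op, obj, "allow" if allowed else "deny"))
        return allowed

if __name__ == "__main__":
    rm = ReferenceMonitor(blp_allows)
    rm.request("alice", "confidential", "war-plans", "secret", "read")   # denied: read up
    rm.request("alice", "confidential", "war-plans", "secret", "write")  # allowed: write up
    print(rm.audit)
```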
6-45
Transaction-Based Security Models: Clark-Wilson
- Uses transactions as the basis for decision making
- Defines two integrity levels:
  • Constrained data items (CDIs): the controlled assets
  • Unconstrained data items (UDIs): not deemed valuable enough to control
- Defines two types of processes to control CDIs:
  • Integrity verification processes (IVPs): ensure that a CDI meets specified integrity constraints
  • Transformation processes (TPs): change the state of data from one valid state to another
6-46
Transaction-Based Security Models: Clark-Wilson
- Validation of integrity is done to ensure that:
  • The data item being modified is valid
  • The results of the modification are valid
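An added example of the Clark-Wilson elements on slides 6-45 and 6-46, not from the slides: a constructed ledger is the CDI, `ivp_balanced` is its IVP, `transfer` builds a TP, and `run_tp` is the well-formed transaction that checks the subject is permitted to run that TP on that CDI, runs the IVP before, applies the TP to a copy, runs the IVP after, and commits only a valid-to-valid change. `accept_udi` shows a UDI being validated before it is allowed to reach a CDI. The accounts, subjects and access triples are constructed.

```python
import copy

class IntegrityViolation(Exception):
    """Raised when an IVP fails, i.e. a CDI is not in a valid state."""

# Constructed CDI: account balances must be non-negative and sum to the declared total
LEDGER = {"total": 100, "accounts": {"ops": 60, "reserve": 40}}

# Constructed access triples: which subject may run which TP against which CDI
TRIPLES = {("teller", "transfer", "ledger"), ("auditor", "recount", "ledger")}

def ivp_balanced(ledger) -> bool:
    """Integrity verification procedure for the ledger CDI."""
    accounts = ledger["accounts"]
    return all(v >= 0 for v in accounts.values()) and sum(accounts.values()) == ledger["total"]

def run_tp(subject, tp_name, tp, ledger, ivp=ivp_balanced):
    """Well-formed transaction: authorised triple, IVP before, TP on a copy, IVP after, then commit."""
    if (subject, tp_name, "ledger") not in TRIPLES:
        raise PermissionError(f"{subject} may not run {tp_name} on ledger")
    if not ivp(ledger):
        raise IntegrityViolation("CDI invalid before transformation")
    candidate = copy.deepcopy(ledger)
    tp(candidate)
    if not ivp(candidate):
        raise IntegrityViolation("transformation would leave CDI invalid")
    ledger.clear()
    ledger.update(candidate)       # commit only a valid-to-valid state change
    return ledger

def transfer(src, dst, amount):
    """Build a TP that moves funds between accounts; a correct one leaves the total unchanged."""
    def tp(ledger):
        ledger["accounts"][src] -= amount
        ledger["accounts"][dst] += amount
    return tp

def accept_udi(raw_amount: str) -> int:
    """Validate unconstrained input (e.g. a form field) before it may feed a TP; reject what is not a positive integer."""
    amount = int(raw_amount)
    if amount <= 0:
        raise ValueError("amount must be positive")
    return amount
```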
6-47
Questions?