Introduction To IT Security: Access Controls (A)
INTRODUCTION TO IT SECURITY
LECTURE 05
Access Controls (a)
1 5/29/2017
Controls
The goal of security management is to protect the
company's assets.
Security has three main objectives (CIA Triad)
Controls are required in order to achieve CIA
Access Control
Access control is a process to determine “Who
does what to what,” based on a policy.
It is controlling access of who gets in and out of
the system and who uses what resources, when,
and in what amounts.
Access control is restricting access to a system or
system resources based on something other than
the identity of the user.
Access Control
Security management utilizes three control types to protect the
assets:
1. Administrative controls - are controls that include the
development and publication of security policies, standards,
procedures, personnel screening, system activity monitoring,
change control procedures, and security awareness training.
2. Technical controls - are controls that consist of logical access
control mechanisms, password and resource management,
identification and authentication methods, configuration of
the network, and relevant security devices.
3. Physical controls - are controls that allow individual access
into a facility, locking systems, protecting the perimeter of the
facility, intrusion detection, and environmental controls.
TERMINOLOGIES
Identification
Identification is a process through which one system
confirms the identity of another person / entity /
computer system. (Compare one to many)
Authentication
Authentication is a process to verify the credentials of
the principal or the system. (Compare one to one)
Authorization
It is a process by which the principal is either granted
access or disallowed to protected resources. Only the
trusted principal can be granted secure access.
Note: Access control often used as synonym for authorization
AUTHENTICATION
(User)
User Authentication
How do you authenticate a human to a machine?
Three types of authentication
Something You Know
Username
Password
PIN
Passphrase
Something You Have
Smart cards (NIDA)
Multi-function
Examples
National ID card (NIDA)
Driver’s license
ATM card
Something You Are (Biometrics)
Face
Signature
Fingerprint
Retina
Iris
Palm geometry
Voice
DNA
Passwords
Password is the most common authentication method
Something you know
A password is a word or string of characters used for
user authentication to prove identity or access approval
to gain access to a resource, which is to be kept secret
from those not allowed access.
Some passwords are formed from multiple words and
may more accurately be called a passphrase.
The terms passcode and passkey are sometimes used
when the secret information is purely numeric, such as
the personal identification number (PIN) commonly
used for ATM access.
Passwords
Most organizations specify a password policy that sets
requirements for the composition and usage of passwords.
Typically dictating minimum length
Required categories (e.g. Upper and lower case,
numbers, and special characters)
Prohibited elements (e.g. Own name, date of birth,
address, telephone number)
Some governments have national authentication
frameworks that define requirements for user
authentication to government services, including
requirements for passwords.
Passwords
The use of passwords is known to be ancient.
Sentries would challenge those wishing to enter an area or
approaching it to supply a password or watchword, and
would only allow a person or group to pass if they knew
the password.
In modern times, user names and passwords are
commonly used by people during a login process that
controls access to protected resources;
Operating systems
Mobile phones
Automated teller machines (ATMs), etc.
Why Passwords?
Why is “something you know” more
popular than “something you have” and
“something you are”?
Cost: passwords are free
Convenience: easier for System
Administrators to reset password than to
issue user a new thumb
Classic password rules
The best passwords are those that are both easy to
remember and hard to crack using a dictionary attack.
The best way to create passwords that fulfill both
criteria is to use two small unrelated words or
phonemes, ideally with a special character or number.
Good examples would be hex7goop or –typetin
Don’t use:
Common names, DOB, spouse, phone #, etc.
Word found in dictionaries
Password as a password
Systems defaults
Classic password rules
Use Strong Passwords
Passwords are like house keys
Different key for each lock
Brute force attacks
Sniffing clear text
SUPR tests
Strong – Password strong (length and content)?
Unique – Unique and unrelated to other
passwords?
Practical – Can you remember it?
Recent – Have you changed it recently?
PASSWORD MANAGEMENT
Configure the system to use strong passwords
Set password time and length limits
Limit unsuccessful logins
Enable auditing
Have policies for password resets and changes
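As an added illustration of two of these items (limiting unsuccessful logins and enabling auditing), the following Python class is example code written for these notes, not part of the lecture. The threshold of five consecutive failures and the fifteen-minute lockout are assumed policy values; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict

# Assumed policy values (not from the lecture): lock after 5 consecutive
# failures, keep the account locked for 15 minutes.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class LoginGuard:
    """Counts failed logins per account, locks the account after too many
    consecutive failures, and records every decision in an audit trail."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so tests can control time
        self.failures = defaultdict(int)   # consecutive failures per user
        self.locked_until = {}             # user -> timestamp when lock expires
        self.audit_log = []                # (timestamp, user, event) tuples

    def _audit(self, user, event):
        self.audit_log.append((self.clock(), user, event))

    def is_locked(self, user):
        """True while the user's lockout is in force; clears an expired lock."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok):
        """Record one login attempt. `password_ok` is the outcome of the
        credential check; the login is accepted only if it returns True.
        A locked account is rejected even when the password is correct, so
        the lockout cannot be used as a yes/no oracle for guesses."""
        if self.is_locked(user):
            self._audit(user, "rejected: account locked")
            return False
        if password_ok:
            self.failures[user] = 0
            self._audit(user, "login success")
            return True
        self.failures[user] += 1
        self._audit(user, f"login failure #{self.failures[user]}")
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            self._audit(user, "account locked")
        return False


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for pw_ok in (False, False, False, True):
        print("alice accepted:", guard.attempt("alice", pw_ok))
    for entry in guard.audit_log:
        print(entry)
```

The audit log is what the "enable auditing" item buys you: a run of `login failure` entries followed by `account locked` is the pattern a monitoring rule would look for, and the guard rejects a correct password while the lock is in force rather than leaking that the guess was right.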
Problems with passwords
Insecure - Given the choice, people will choose easily
remembered and hence easily guessed passwords such as
names of relatives, phone numbers, birthdays, hobbies, etc.
Easily broken - Programs such as crack, SmartPass,
PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix,
NetWare & NT passwords.
Dictionary attacks are only feasible because users choose
easily guessed passwords!
Inconvenient - In an attempt to improve security,
organizations often issue users with computer-generated
passwords that are difficult, if not impossible to remember
Repudiable - Unlike a written signature, when a transaction is
signed with only a password, there is no real proof as to the
identity of the individual that made the transaction
Other Password Issues
Attacks on Passwords
The bottom line: Weak Password cracking is too easy!
One weak password may break the whole security
Users choose bad passwords
Social engineering attacks, etc.
The bad guy has all of the advantages
Passwords are a big security problem
Attacker could…
Target one particular account
Target any account on system
Target any account on any system
Common attack path
Outsider → normal user → administrator
May only require one weak password!
Attacks on Passwords
Passwords Attacks:
1. Guessing
2. Dictionary Attacks
3. Brute force attacks
4. Social Engineering
Techniques for guessing passwords
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary (60,000 words).
Collect information about the user’s hobbies,
family names, birthday, etc.
Try user’s phone number, social security number,
street address, etc.
Try all license plate numbers (T103 AAA).
Use a Trojan horse
How to avoid Guessable passwords?
Techniques used to avoid guessable passwords.
How to avoid Guessable passwords?
1. User education: Users can be told the importance of using
hard-to-guess passwords and can be provided with
guidelines for selecting strong passwords.
2. Computer-generated passwords: Users are provided
passwords generated by a computer algorithm.
3. Reactive password checking: the system periodically runs
its own password cracker to find guessable passwords. The
system cancels any passwords that are guessed and notifies
the user.
4. Proactive password checking: a user is allowed to select
his or her own password. However, at the time of selection,
the system checks to see if the password is allowable and, if
not, rejects it.
Password Cracking Tools
Popular password cracking tools
Password Crackers
Password Portal
L0phtCrack and LC4 (Windows)
John the Ripper (Unix)
Admins should use these tools to test for weak
passwords since attackers will!
Good article on password cracking
Passwords - Cornerstone of Computer Security
Password protection
Two common techniques used to protect a password file
One-way encryption: The system stores only an
encrypted form of the user's password. When the user
presents a password, the system encrypts that password
and compares it with the stored value. In practice, the
system usually performs a one-way transformation (not
reversible) in which the password is used to generate a
key for the encryption function and in which a fixed-
length output is produced.
Access control: Access to the password file is limited to
one or a very few accounts.
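The two techniques above, as a worked example added for these notes (not the lecture's code): the one-way transformation is PBKDF2-HMAC-SHA256 with a random salt, the "password file" is an in-memory stand-in for something like /etc/shadow whose records are reachable only through the class's own methods, and the iteration count of 210,000 is an assumed work factor.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """One-way transformation: PBKDF2-HMAC-SHA256 over password + random salt.
    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<digest>'
    so the parameters can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Re-run the transformation with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


class PasswordFile:
    """In-memory stand-in for a shadow file: holds only hashed records, and
    the records are private to the class, which models the lecture's second
    technique of restricting who may read the file."""

    def __init__(self):
        self._records = {}

    def set_password(self, user, password):
        self._records[user] = hash_password(password)

    def authenticate(self, user, password):
        record = self._records.get(user)
        if record is None:
            # Spend the same effort for unknown users so response time does
            # not reveal which accounts exist (assumed mitigation).
            hash_password(password, salt=bytes(SALT_BYTES))
            return False
        return verify_password(password, record)

    def has_plaintext(self, password):
        """Sanity check: the clear-text password never appears in the stored data."""
        return any(password in record for record in self._records.values())


if __name__ == "__main__":
    pf = PasswordFile()
    pf.set_password("alice", "hex7goop")
    print(pf._records["alice"])                     # what an attacker who reads the file sees
    print(pf.authenticate("alice", "hex7goop"))     # True
    print(pf.authenticate("alice", "hex7goop!"))    # False
```

Two details matter for the lecture's point that the transformation is not reversible: the salt means a precomputed table of hashes is useless against this file, and the iteration count makes each guess in a dictionary attack cost the same work the legitimate login does.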
UNIX Password Scheme
[Figure: loading a new password into the UNIX password file; diagram not reproduced in text]
Biometric
Biometrics
Authenticating a user via human characteristics
Using measurable physical characteristics of a person to
prove their identification
Fingerprint, Handwritten signature, Facial recognition,
Speech recognition, Iris, Retina, DNA, Blood
Biometrics seen as desirable replacement for passwords
…but cheap and reliable biometrics are needed
Today, a very active area of research
Biometrics are used in security today
Thumbprint mouse, Palm print for secure entry,
Fingerprint to unlock car door, etc.
But biometrics not too popular
Has not lived up to its promise (yet)
Desired Properties
Universal: Applies to (almost) everyone
In reality, no biometric applies to everyone
Distinguishing: Distinguish with certainty
In reality, cannot hope for 100% certainty
Permanent: Physical characteristic being measured never
changes
In reality, want it to remain valid for a long time
Collectable: Easy to collect required data
Depends on whether subjects are cooperative
Performance, User Acceptability, Robustness against
Circumvention
Practical biometric applications
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security,
welfare, etc.)
Verifying identities at point of sale
Using in conjunction with ATM , credit or smart cards
Controlling physical access to office buildings or
homes
Protecting personal property
Comparison
[Table: biometric types compared by Accuracy, Ease of Use and User Acceptance; rows not reproduced in text]
Fingerprint Biometric
Face Recognition
Issues with Face Recognition?
Biometrics: The Bottom Line
Biometrics are hard to forge
But attacker could
Steal Alice’s thumb
Photocopy Bob’s fingerprint, eye, etc.
Subvert software, database, “trusted path”, …
Also, how to revoke a “broken” biometric?
Biometrics are not foolproof!
Biometric use is limited today
That should change in the future…
MULTI-FACTOR AUTHENTICATION
Requires 2 out of 3 of
1. Something you know
2. Something you have
3. Something you are
Examples
ATM machine: ATM Card and PIN
Credit card: Card and signature
Smartcard with password/PIN
MULTI-FACTOR AUTHENTICATION
2-factor authentication: To increase the level of
security, many systems will require a user to provide
2 of the 3 types of authentication.
ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (Unix, NT default)
END
CS 126 LECTURE 05