L03 IS Principles: Access Control
Denise N. Lord
Computer and Information Security
Access controls are security features that
control how people can interact with systems
and resources.
Goal is to protect from unauthorized access.
 Access is the flow of data between a subject and an object.
 Subject is a person, process or program
 Object is a resource (file, printer etc)
 Access control should support the CIA triad!
 Let’s quickly go over the CIA triad again
Quick overview: details on each coming up

Identification – who am I? (userid etc)
Authentication – prove that I am who I say I am
Authorization – now what am I allowed to
access
Accountability – Audit logs and monitors
activities
Identifies a user uniquely (hopefully)
 SSN, UID, SID, Username
 Should uniquely identify a user for
accountability (don’t share)
 Standard naming scheme should be used
 Identifier should not indicate extra
information about user (like position)
 DO NOT SHARE (NO group accounts)
Proving who you say you are, usually one of
these 3
◦ Something you know (password)
◦ Something you have (smart card)
◦ Something you are (biometrics)
◦ Verifying the identification information.
Strong Authentication is the combination of 2
or more of these (also called multi-factor
authentication) and is encouraged!
◦ Strong Authentication provides a higher level of
assurance*
 Now that I am who I say I am, what can I do?
◦ Authorization can be provided based on user,
groups, roles, rules, physical location, time of day
(temporal isolation)* or transaction type (for example, a
teller may be able to withdraw small amounts, but
require a manager for large withdrawals)
◦ Using criteria to make a determination of
operations that subjects can carry out
 Audit log and monitoring to track subject
activities with objects.
 Identity management products are used to identify,
authenticate and authorize users in an
automated way. It’s a broad term.
 These products may (or may not) include
◦ User account management
◦ Access controls
◦ Password management
◦ Single Sign on
◦ Permissions
◦ Web access management
 Log in one time, and access resources many
places
 Not the same as password synchronization
 SSO software handles the authorization to
multiple systems
 What are the security problems with this?
 What are advantages?
 Idea is to centrally manage user accounts rather
than to manually create/update them on multiple
systems
 Often include workflow processes that allow
distributed authorization. E.g., a manager can put
in a user request or authorize a request, tickets
might be generated for a key card system for their
locations, permissions might be created for their
specific needs etc.
 Automates processes
 Can include record keeping/auditing functions
 Can ensure all accesses/accounts are cleaned up
when users leave.
 Biometrics verifies (authenticates) an
individual’s identity by analyzing unique
personal attributes (something they ARE)
 Require enrollment before being used* (what
is enrollment? Any ideas)
 EXPENSIVE
 COMPLEX
 Can be based on
◦ behavior (signature dynamics) – might change
over time
◦ Physical attribute (fingerprints, iris, retina scans)
◦ We will talk about the different types of
biometrics later
 Can give incorrect results
 False negative – Type 1 error* (annoying)
 False positive – Type 2 error* (very bad)
 Crossover Error Rate (CER)* is an important
metric that is stated as a percentage that
represents the point at which the false
rejection rate equals the false acceptance
rate.
 A lower CER is better/more
accurate*. (3 is better than 4)
 Also called Equal Error Rate
 Use CER to compare vendors products
 Systems can be calibrated; for example, if
you adjust the sensitivity to decrease false
positives, you will probably INCREASE false
negatives. This is where the CER comes in.
 Draw diagram on board
 Some areas (like military) are more
concerned with one error than the other (ex.
Would rather deny a valid user than accept
an invalid user)
 Expensive
 Unwieldy
 Intrusive
 Can be slow (should not take more than 5-10
seconds)*
 Complex (enrollment)
We will talk in more depth of each in the next couple
slides
 Fingerprint
 Palm Scan
 Hand Geometry
 Retina Scan
 Iris Scan
 Keyboard Dynamics
 Voice Print
 Facial Scan
 Hand Topography
 Most people sign in the same manner
(really???)
 Monitor the motions and the pressure while
moving (as opposed to a static signature)
 Type I (what is type I again?) error high
 Type II (what is type II again?) error low
We covered a bunch of different biometrics
 Understand some are behavioral* based
◦ Voice print
◦ Keyboard dynamics
◦ Can change over time
 Some are physically based
◦ Fingerprint
◦ Iris scan
 Fingerprints are probably the most commonly
used and cheapest
 Iris scanning provides the most “assurance”
 Some methods are intrusive
 Understand Type I and Type II errors
 Be able to define CER, is a lower CER value
better or worse?
What is a password? (someone tell me
because I forgot…)
 Works on what you KNOW
 Simplest form of authentication*
 Cheapest form of authentication*
 Oldest form of authentication
 Most commonly used form of
authentication*
 WEAKEST form of authentication*
 People write down passwords (bad)
 People use weak passwords (bad)
 People re-use passwords (bad)
 If you make passwords too hard to remember,
people often write them down
 If you make them too easy… they are easily
cracked
 Don’t use common words
 Don’t use names or birthdates
 Use at least 8 characters
 Combine numbers, symbols and case
 Use a phrase and take attributes of a phrase,
transpose characters
 System should NOT store passwords in
plaintext. Use a hash (what is a hash?)
 Can encrypt hashes
 Password salts – random values added to the
encryption/hash process to make it harder to
brute force (the same password can hash/encrypt
to many different values)
 Default NO access (implicit deny)*
 Need to Know
Idea
 One identification/authentication instance for
all networks/systems/resources
 Eases management
 Makes things more secure (hopefully no more
written-down passwords)
 Can focus budgets and time on securing one
method rather than many!
 Makes things integrated
 Centralized point of failure*
 Can cause bottlenecks*
 All vendors have to play nicely (good luck)
 Often very difficult to accomplish* (golden
ring of network authentication)
 One ring to bind them all! (wait...no…) If you
can access once, you can access ALL!
A framework that dictates how subjects
access objects.
 Uses access control technologies and
security mechanisms to enforce the rules
 Business goals and culture of the
organization will prescribe which model it
uses
Dictates how subjects access objects. It uses
access control technologies and security
mechanisms to enforce the rules and
objectives of the model
The different models are:
 Discretionary Access Control
 Mandatory Access Control
Discretionary Access Control*
 Owner or creator of resource specifies which
subjects have which access to a resource.
Based on the discretion of the data owner*
 Common example is an ACL (what is an ACL?)
 Commonly implemented in commercial
products (Windows, Linux, MacOS)
Mandatory Access Control*
 Data owners cannot grant access!*
 OS makes the decision based on a security
label or flag system*
 Users and Data are given a clearance level
(confidential, secret, top secret etc)*
 Rules for access are configured by the
security officer and enforced by the OS.
MAC is used where classification and
confidentiality is of utmost importance…
military.
Generally you have to buy a specific MAC
system; DAC systems don’t do MAC
◦ SELinux
◦ Trusted Solaris
 Again all objects in a MAC system have a
security label*
 Security labels can be defined by the
organization.
 They also have categories to support “need
to know” at a certain level.
 Categories can be defined by the
organization
 If I have “top secret” clearance can I see all
projects in the “secret” level???
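Added example (not from the slides) of the MAC read check the question above is getting at: a label is a clearance level plus a set of need-to-know categories, and a subject may read an object only when its level is high enough AND it holds every category on the object. The level names are the slides'; the project categories ("Crypto", "Nuclear") are constructed.

```python
# Added example (not from the slides): MAC read check with level + categories.
# Level names follow the slides; categories and project names are constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def can_read(subject_label, object_label):
    """True when the subject's label dominates the object's label.

    subject_label / object_label = (level_name, set_of_categories).
    Both conditions must hold:
      1. subject level >= object level
      2. every category on the object is held by the subject (need to know)
    The owner of the data plays no part here; the rule is fixed by policy.
    """
    s_level, s_cats = subject_label
    o_level, o_cats = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(o_cats) <= set(s_cats)


# Constructed sample objects, each with its own security label
PROJECTS = {
    "crypto-report": ("secret", {"Crypto"}),
    "reactor-plans": ("secret", {"Nuclear"}),
    "memo":          ("confidential", set()),
    "joint-brief":   ("top secret", {"Crypto", "Nuclear"}),
}


def readable_projects(subject_label, projects=PROJECTS):
    """Names of the projects a subject with this label may read, sorted."""
    return sorted(name for name, label in projects.items()
                  if can_read(subject_label, label))


if __name__ == "__main__":
    # "Top secret" clearance, but only the Crypto category: the secret-level
    # reactor plans stay out of reach because the Nuclear category is missing.
    me = ("top secret", {"Crypto"})
    print(readable_projects(me))
```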
• Is an undesirable situation that occurs when a
device or system attempts to perform two or
more operations at the same time, but because
of the nature of the device or system, the
operations must be done in the proper sequence
in order to be done correctly.
 Also called non-discretionary.
 Uses a set of controls to determine how subjects
and objects interact.
 Allows you to be assigned a role, and your role
dictates your access to resources, rather than
your individual user account.
 This scales better than DAC methods
 You don’t have to continually change ACLs or
permissions per user, nor do you have to
remember what perms to set on a new user, just
make them a certain role
 You can simulate this with “groups” in Windows and
Linux, especially with LDAP/AD.
When to use
 If you need centralized access
 If you DON’T need MAC ;)
 If you have high turnover*
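Added example (not from the slides) of the role layer described above: users are bound to roles and roles to permissions, so a new hire or a departure is a change to the user-to-role binding and no per-object ACL is touched. The teller/manager split reuses the withdrawal example from the authorization slide; the role, user and permission names are constructed.

```python
# Added example (not from the slides): role-based access control.
# Roles, users, objects and actions below are constructed sample values.
ROLE_PERMS = {
    "teller":  {("account", "read"), ("account", "withdraw_small")},
    "manager": {("account", "read"), ("account", "withdraw_small"),
                ("account", "withdraw_large"), ("audit_log", "read")},
    "auditor": {("audit_log", "read")},
}

USER_ROLES = {"alice": {"teller"}, "bob": {"manager"}, "carol": {"auditor"}}


def permissions_for(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of the permissions of every role the user holds (none -> empty)."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_perms.get(role, set())
    return perms


def rbac_allowed(user, obj, action, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Default deny: access only if some role of the user grants (obj, action)."""
    return (obj, action) in permissions_for(user, user_roles, role_perms)


def assign_role(user, role, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Onboarding: bind the user to an existing role; no ACLs are edited."""
    if role not in role_perms:
        raise KeyError(f"unknown role: {role}")
    user_roles.setdefault(user, set()).add(role)


def revoke_all_roles(user, user_roles=USER_ROLES):
    """Turnover: dropping the user's roles removes every access at once."""
    user_roles.pop(user, None)


if __name__ == "__main__":
    print("alice large withdrawal:", rbac_allowed("alice", "account", "withdraw_large"))
    print("bob large withdrawal:  ", rbac_allowed("bob", "account", "withdraw_large"))
    assign_role("dave", "teller")          # new teller: one binding, no ACL work
    print("dave small withdrawal: ", rbac_allowed("dave", "account", "withdraw_small"))
    revoke_all_roles("dave")               # dave leaves: everything gone
    print("dave after leaving:    ", rbac_allowed("dave", "account", "withdraw_small"))
```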
We will talk more in depth of each in the next
few slides.
 Rule-based Access Control
 Constrained User Interfaces
 Access Control Matrix
 Access Control Lists
 Content-Dependent Access Control
 Context-Dependent Access Control
 Table of subjects and objects indicating what
actions individual subjects can take on
individual objects*
◦ See page 220 (top)
 Bound to subjects, lists what permissions a
subject has to each object
 This is a row in the access matrix
 (see 220 bottom)
 Lists what (and how) subjects may access a
certain object.
 It’s a column of an access matrix
◦ See page 220
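Added example (not from the slides) tying the three slides above together: a small constructed access control matrix, the ACL of an object read off as one column, a subject's capability list read off as one row, and anything not in the matrix denied (default no access).

```python
# Added example (not from the slides): access control matrix, with the ACL
# as a column and the capability list as a row. Subjects, objects and
# actions are constructed sample values.

# matrix[subject][object] = set of permitted actions
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "printer": {"print"}},
    "bob":   {"payroll.xlsx": {"read"}},
    "carol": {"printer": {"print"}, "backup.log": {"read", "write", "delete"}},
}


def is_allowed(subject, obj, action, matrix=MATRIX):
    """Implicit deny: an unknown subject, object or action means no access."""
    return action in matrix.get(subject, {}).get(obj, set())


def acl(obj, matrix=MATRIX):
    """ACL of one object = one COLUMN of the matrix: {subject: [actions]}."""
    return {s: sorted(perms[obj]) for s, perms in matrix.items() if obj in perms}


def capability_list(subject, matrix=MATRIX):
    """Capability list of one subject = one ROW: {object: [actions]}."""
    return {o: sorted(actions) for o, actions in matrix.get(subject, {}).items()}


def render(matrix=MATRIX):
    """Return the matrix as a text table (empty cell = no access)."""
    objects = sorted({o for perms in matrix.values() for o in perms})
    width = max(len(o) for o in objects) + 2
    lines = ["subject".ljust(8) + "".join(o.ljust(width) for o in objects)]
    for s in sorted(matrix):
        cells = [",".join(sorted(matrix[s].get(o, set()))).ljust(width) for o in objects]
        lines.append(s.ljust(8) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
    print("ACL of printer:", acl("printer"))
    print("capabilities of bob:", capability_list("bob"))
    print("dave may print?", is_allowed("dave", "printer", "print"))  # default deny
```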
STOP
 Before we move on you need to understand
the definitions/terms that we are about to
cover for the exam. (controls and control
types) They are used ambiguously on the
exam, so you need to think about them. We
will give an overview now, but we’ll keep
seeing them again and again.
 Controls
◦ Administrative - AAC
◦ Physical - PAC
◦ Technical or Logical – LAC
Now we’ll talk about control types
 Types (can occur in each “control” category)
◦ Deter – intended to discourage attacks
◦ Prevent – intended to prevent incidents
◦ Detect – intended to detect incidents
◦ Correct – intended to correct incidents
◦ Recover – intended to bring controls back up to
normal operation
 Personnel – HR practices
 Supervisory – Management practices
(supervisor, corrective actions)
 Training – that’s pretty obvious
 Testing – not technical, and management’s*
responsibility to ensure it happens
 A Policy or list
 Physical Network Segregation (not logical) –
ensure certain network segments are
physically restricted
 Perimeter Security – CCTV, fences, security
guards, badges
 Computer Controls – physical locks on
computer equipment, restrict USB access etc.
 Work Area Separation – keep accountants out
of R&D areas
 Cabling – shielding, Fiber
 Control Zone – break up office into logical
areas (lobby – public, R&D- Top Secret,
Offices – secret)
Using technology to protect
 System Access – Kerberos, PKI, radius
(specifically access to a system)
 Network Architecture – IP subnets, VLANs,
DMZ
 Network Access – Routers, Switches and
Firewalls that control access
 Encryption – protect confidentiality,
integrity
 Auditing – logging and notification systems.
IDS allow you to detect intrusion and
unauthorized access.
Different types (we will discuss), but usually
consist of
 Sensors
 Storage
 Analysis engine
 Management Console
 (see diagram on 260)
 Network Based
◦ Monitor network traffic ONLY
◦ Can be of multiple types (discuss later)
◦ Watch out for switches (use mirroring), and subnets
(use multiple sensors)
 Host based – installed on computers
◦ Monitor logs
◦ Monitor system activity
◦ Monitor configuration files
◦ Could monitor network traffic, but only to and from
the computer it is installed on.
◦ Multiple types – discussed later
 Signature based – like a virus scanner, looks
for known attack signatures
 MUST be updated with new signatures
 Will not stop unknown attacks (0-day)
 Relatively high rate of assurance
 Commonly used
 Based on what is “normal” behavior (builds a
profile)
 Detects when things are not normal
 Very subjective
 Very high rate of false positives, may lead to
info being ignored.
 Requires a high degree of knowledge and
maintenance to run
 Signature Based
 Anomaly / Behavioral / Knowledge Based
We will talk about these later.. But let’s review
these now
 Dictionary attacks – what is this?
 Sniffers – what is this?
 Brute force attacks – how is this different
than a dictionary attack?
 Spoofing login/trusted path
 Phishing
 Identity theft
 Is a non-technical kind of intrusion that relies
heavily on human interaction and often
involves tricking other people into breaking
normal security procedures.
 Example… a person using social engineering to break
into a computer network would try to gain the
confidence of someone who is authorized to access
the network in order to get them to reveal
information that compromises the network's
security.
 E-mail fraud method in which the perpetrator
sends out legitimate-looking email in an
attempt to gather personal and financial
information from recipients.
 Is the forgery of an e-mail header so that the
message appears to have originated from
someone or somewhere other than the actual
source.