Chapter 4 ISS (Access Control)

Access control is the process of granting or denying access to resources and involves identification, authentication, authorization, and accountability. There are four main access control models: mandatory access control, discretionary access control, role-based access control, and rule-based access control. Logical access control methods include access control lists, group policies, account restrictions, and passwords. Physical access control protects computer equipment and includes securing computer rooms and data centers, door security, video surveillance, and access logs.


Fundamentals of ISS
Access Control Fundamentals
Objectives
• Define access control and list the four access control models
• Describe logical access control methods
• Explain the different types of physical access control
What Is Access Control?
• The process by which resources or services are granted or denied on a computer system or network
• There are four standard access control models as well as specific practices used to enforce access control
Access Control Terminology
• Identification
– A user accessing a computer system presents credentials or identification, such as a username
• Authentication
– Checking the user's credentials to be sure that they are authentic and not fabricated, usually using a password
• Authorization
– Granting permission to take the action
– A computer user is granted access to only certain services or applications in order to perform their duties
• Custodian
– The person who reviews security settings
– Also called Administrator
Access Control Terminology (continued)
• Computer access control can be accomplished by one of three entities: hardware, software, or a policy
• Access control can take different forms depending on the resources that are being protected
• Other terminology is used to describe how computer systems impose access control:
– Object – resource to be protected
– Subject – user trying to access the object
– Operation – action being attempted
Access Control Models
• Mandatory Access Control
• Discretionary Access Control
• Role-Based Access Control
• Rule-Based Access Control
Mandatory Access Control (MAC) model
• Most restrictive model—used by the military
• Objects and subjects are assigned access levels
– Unclassified, Classified, Secret, Top Secret
• The end user cannot implement, modify, or transfer any controls
Discretionary Access Control (DAC) model
• The least restrictive model, used by Windows computers in small networks
• A subject has total control over any objects that he or she owns, along with the programs that are associated with those objects
• In the DAC model, a subject can also change the permissions for other subjects over objects
DAC Has Two Significant Weaknesses
– It relies on the end-user subject to set the proper level of security
– A subject's permissions will be "inherited" by any programs that the subject executes
User Account Control (UAC)
• Asks the user for permission when installing software
• Principle of least privilege
– Users run with limited privileges by default
– Applications run in standard user accounts
– Standard users can perform common tasks
Role Based Access Control (RBAC) model
• Sometimes called Non-Discretionary Access Control
• Used in Windows corporate domains
• Considered a more "real world" approach than the other models
• Assigns permissions to particular roles in the organization, such as "Manager", and then assigns users to that role
• Objects are set to be a certain type, to which subjects with that particular role have access
Rule Based Access Control (RBAC) model
• Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
• Controls access with rules defined by a custodian
– Example: Windows Live Family Safety
Access Control Models (continued)
Best Practices for Access Control
• Separation of duties
– No one person should control money or other essential resources alone
– Network administrators often have too much power and responsibility
• Job rotation
– Individuals are periodically moved from one job responsibility to another
• Least privilege
– Each user should be given only the minimal amount of privileges necessary to perform his or her job function
• Implicit deny
– If a condition is not explicitly met, access is denied
– For example, Web filters typically block unrated sites
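An added example, not from the slides, that turns the MAC and RBAC models above and the implicit-deny best practice into a working authorization check. The users, roles, objects and the specific MAC read/write rules (the classic Bell-LaPadula "no read up, no write down" formulation used in military MAC) are assumptions of this example; the slides only name the four levels.

```python
# Added example, not from the slides: a small authorization check combining the
# MAC and RBAC models above with the "implicit deny" best practice. The users,
# roles, objects and the specific MAC read/write rules are constructed here;
# the slides only name the four levels.
from dataclasses import dataclass, field
from typing import Dict, Set

# MAC: the four levels from the slides, ordered lowest to highest.
LEVELS = ["Unclassified", "Classified", "Secret", "Top Secret"]

@dataclass
class Subject:
    name: str
    clearance: str                                  # MAC label set by the custodian
    roles: Set[str] = field(default_factory=set)    # RBAC roles held

@dataclass
class Resource:
    name: str
    classification: str                             # MAC label of the object
    kind: str                                       # RBAC object type

# RBAC: permissions attach to roles, never to individual users.
# role -> object kind -> operations allowed
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "Manager": {"payroll-record": {"read", "write"}, "report": {"read"}},
    "Clerk":   {"payroll-record": {"read"}},
}

def mac_permits(subject: Subject, obj: Resource, operation: str) -> bool:
    """Bell-LaPadula style rules used in military MAC: no read up (clearance
    must be at least the object's level) and no write down (a subject may
    only write at or above its own level). Users cannot change these labels."""
    s, o = LEVELS.index(subject.clearance), LEVELS.index(obj.classification)
    if operation == "read":
        return s >= o
    if operation == "write":
        return s <= o
    return False                                    # unknown operation: implicit deny

def rbac_permits(subject: Subject, obj: Resource, operation: str) -> bool:
    """Allowed only if some role held by the subject grants the operation on
    the object's type; no matching role means implicit deny."""
    return any(operation in ROLE_PERMISSIONS.get(r, {}).get(obj.kind, set())
               for r in subject.roles)

def is_authorized(subject: Subject, obj: Resource, operation: str) -> bool:
    """Both models must grant the request; anything not explicitly granted is denied."""
    return mac_permits(subject, obj, operation) and rbac_permits(subject, obj, operation)
```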
Logical Access Control Methods
Access Control Methods
• The methods to implement access control are divided into two broad categories
– Physical access control
– Logical access control
• Logical access control includes
– Access control lists (ACLs)
– Group policies
– Account restrictions
– Passwords
Access Control List (ACL)
• A set of permissions attached to an object
• Specifies which subjects are allowed to access the object and what operations they can perform on it
• Every file and folder has an ACL
• Access control entry (ACE)
– Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems
Windows Access Control Entries (ACEs)
• In Windows, the ACE includes
– Security identifier (SID) for the user or group
– Access mask that specifies the access rights controlled by the ACE
– A flag that indicates the type of ACE
– A set of flags that determine whether objects can inherit permissions
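An added example, not from the slides, modelling an ACL as a list of ACEs with the four fields just listed and evaluating it the way Windows does: deny entries first, allow entries accumulating rights, and implicit deny when no entry covers the request. The SID strings and access-mask bit values are constructed for the example, not copied from Windows.

```python
# Added example, not from the slides: a Windows-style ACL built from ACEs
# (SID, access mask, ACE type, inheritance flag) and the evaluation rule that
# Windows applies to them. SIDs and mask bits here are constructed values.
from dataclasses import dataclass
from typing import List, Set

# Access-mask bits (constructed; Windows uses its own bit layout).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8

@dataclass(frozen=True)
class ACE:
    sid: str                 # security identifier of a user or group
    access_mask: int         # rights controlled by this ACE
    ace_type: str            # "allow" or "deny"
    inherit: bool = False    # whether child objects inherit this ACE

def check_access(acl: List[ACE], token_sids: Set[str], requested: int) -> bool:
    """Evaluate an ACL against the SIDs in a subject's access token.

    ACEs are scanned in order. A deny ACE that matches one of the subject's
    SIDs and overlaps any still-ungranted requested right refuses access at
    once. Allow ACEs accumulate granted bits until every requested bit is
    covered. Reaching the end of the list without full coverage is an
    implicit deny: the absence of an entry never grants anything.
    """
    granted = 0
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        remaining = requested & ~granted
        if ace.ace_type == "deny" and ace.access_mask & remaining:
            return False
        if ace.ace_type == "allow":
            granted |= ace.access_mask & requested
            if granted == requested:
                return True
    return granted == requested

def canonicalize(acl: List[ACE]) -> List[ACE]:
    """Windows keeps ACLs in canonical order: explicit deny ACEs before
    explicit allow ACEs, followed by inherited ACEs in the same order.
    Placing deny entries first is what lets a group-wide deny override a
    user-specific allow that appears later."""
    explicit = [a for a in acl if not a.inherit]
    inherited = [a for a in acl if a.inherit]
    key = lambda a: 0 if a.ace_type == "deny" else 1
    return sorted(explicit, key=key) + sorted(inherited, key=key)
```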
Advanced Security Settings in Windows 7 Beta
Group Policy
• A Microsoft Windows feature that provides centralized management and configuration of computers and remote users, using the Microsoft directory service known as Active Directory (AD)
• Group Policy is used in corporate domains to restrict user actions that may pose a security risk
• Group Policy settings are stored in Group Policy Objects (GPOs)
Account Restrictions
• Time of day restrictions
– Limit when a user can log on to a system
– These restrictions can be set through a Group Policy
– Can also be set on individual systems
• Account expiration
– The process of setting a user's account to expire
– Orphaned accounts are user accounts that remain active after an employee has left an organization
– Can be controlled using account expiration
Passwords
• The most common logical access control
• Sometimes referred to as a logical token
• A secret combination of letters and numbers that only the user knows
• A password should never be written down
– Must also be of a sufficient length and complexity so that an attacker cannot easily guess it (password paradox)
Passwords Myths
Attacks on Passwords
• Brute force attack
– Simply trying to guess a password by trying random combinations of characters
• Passwords typically are stored in an encrypted form called a "hash"
– Attackers try to steal the file of hashed passwords and then break the hashed passwords offline
How to Get the Hashes
• Easy way: Just use Cain
• Cracker tab, right-click, "Add to List"
Attacks on Passwords (continued)
• Dictionary attack
– Guess passwords from a dictionary
– Works if the password is a known common password
• Rainbow tables
– Make password attacks faster by creating a large pregenerated data set of hashes from nearly every possible password combination
– Works well against Windows passwords because Microsoft doesn't use the salting technique when computing hashes
Rainbow Tables
• Generating a rainbow table requires a significant amount of time
• Rainbow table advantages
– Can be used repeatedly for attacks on other passwords
– Rainbow tables are much faster than dictionary attacks
– The amount of time needed on the attacking machine is greatly reduced
Rainbow Table Attack
Passwords (continued)
• One reason for the success of rainbow tables is how older Microsoft Windows operating systems hash passwords
• A defense against breaking encrypted passwords with rainbow tables
– Hashing algorithm should include a random sequence of bits as input along with the user-created password
• These random bits are known as a salt
– Make brute force, dictionary, and rainbow table attacks much more difficult
No Salt!
• To make hashing stronger, add a random "salt" to a password before hashing it
• Windows doesn't salt its hash!
• This makes it possible to speed up password cracking with precomputed rainbow tables
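An added example, not from the slides, showing the point of the rainbow-table and salting slides in code: an unsalted hash can be matched against a table computed once and reused, while a per-user random salt makes the same password hash differently for every user and leaves the table useless. SHA-256 and PBKDF2 from the Python standard library stand in for whichever hash a real system uses; the password list is constructed sample data.

```python
# Added example, not from the slides: unsalted hashes match a precomputed
# table (the idea behind rainbow tables); salted hashes do not. The word list
# and the choice of SHA-256/PBKDF2 are assumptions of this example.
import hashlib
import hmac
import os
from typing import Optional, Tuple

# A tiny stand-in for a precomputed table: hash -> password, built once and
# reusable against any unsalted password store.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

def unsalted_hash(password: str) -> str:
    """How a store without salt works: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def lookup(stored_hash: str) -> Optional[str]:
    """Recover a password from an unsalted digest with one table lookup.
    Shown only to make the weakness concrete; it finds nothing in a salted store."""
    return PRECOMPUTED.get(stored_hash)

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt per user means a
    table would have to be computed for every possible salt value, and two
    users with the same password end up with different stored digests.
    The iteration count also slows each guess in a brute-force attack."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)
```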
Password Policy
• A strong password policy can provide several defenses against password attacks
• The first password policy is to create and use strong passwords
• One of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashes
• A final defense is to use another program to help keep track of passwords
Domain Password Policy
• Setting password restrictions for a Windows domain can be accomplished through the Windows Domain password policy
• There are six common domain password policy settings, called password setting objects
– Used to build a domain password policy
Physical Access Control
• Physical access control primarily protects computer equipment
– Designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it
• Physical access control includes computer security, door security, mantraps, video surveillance, and physical access logs
Physical Computer Security
• Physically securing network servers in an organization is essential
• Rack-mounted servers
– 4.45 centimeters (1.75 inches) tall
– Can be stacked with up to 50 other servers in a closely confined area
• KVM (Keyboard, Video, Mouse) Switch
– Needed to connect to the servers
– Can be password-protected
KVM Switch
Door Security
• Hardware locks
– Preset lock
• Also known as the key-in-knob lock
• The easiest to use because it requires only a key for unlocking the door from the outside
• Automatically locks behind the person, unless it has been set to remain unlocked
• Security provided by a preset lock is minimal
– Deadbolt lock
• Extends a solid metal bar into the door frame
• Much more difficult to defeat than preset locks
• Requires that the key be used to both open and lock the door
Lock Best Practices
• Change locks immediately upon loss or theft of keys
• Inspect all locks on a regular basis
• Issue keys only to authorized persons
• Keep records of who uses and turns in keys
• Keep track of keys issued, with their number and identification
• Master keys should not have any marks identifying them as masters
• Secure unused keys in a locked safe
• Set up a procedure to monitor the use of all locks and keys and update the procedure as necessary
• When making duplicates of master keys, mark them "Do Not Duplicate," and wipe out the manufacturer's serial numbers to keep duplicates from being ordered
Cipher Lock
• Combination locks that use buttons that must be pushed in the proper sequence to open the door
• Can be programmed to allow only the code of certain individuals to be valid on specific dates and times
• Cipher locks also keep a record of when the door was opened and by which code
• Cipher locks are typically connected to a networked computer system
– Can be monitored and controlled from one central location
Cipher Lock Disadvantages
• Basic models can cost several hundred dollars while advanced models can be even more expensive
• Users must be careful to conceal which buttons they push to avoid someone seeing or photographing the combination
Tailgate Sensor
• Uses infrared beams that are aimed across a doorway
• Can detect if a second person walks through the beam array immediately behind ("tailgates") the first person
– Without presenting credentials
Physical Tokens
• Objects to identify users
• ID Badge
– The most common type of physical token
– ID badges originally were visually screened by security guards
– Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags
• Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket
Mantrap
• Before entering a secure area, a person must enter the mantrap
– A small room like an elevator
• If their ID is not valid, they are trapped there until the police arrive
• Mantraps are used at high-security areas where only authorized persons are allowed to enter
– Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals
Video Surveillance
• Closed circuit television (CCTV)
– Using video cameras to transmit a signal to a specific and limited set of receivers
• Some CCTV cameras are fixed in a single position pointed at a door or a hallway
• Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view
Physical Access Log
• A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
– Can also identify if unauthorized personnel have accessed a secure area
• Physical access logs originally were paper documents
– Today, door access systems and physical tokens can generate electronic log documents
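An added example, not from the slides, of reviewing the kind of electronic access log a door system and tailgate sensor would produce: it flags entries by badges that are not on the authorized list, people who entered but never badged out, and tailgate alarms. The log format, badge numbers, door name and authorized list are all constructed for the example.

```python
# Added example, not from the slides: reviewing an electronic physical access
# log. The line format, badge numbers and authorized list are constructed;
# real door systems each have their own export format.
from typing import Dict, List

AUTHORIZED_BADGES = {"1042", "1077"}     # badges allowed into the secure area

# Constructed sample log: one event per line, fields as key=value pairs.
SAMPLE_LOG = """\
2024-03-01T08:02:11 ENTER badge=1042 door=DC-1
2024-03-01T08:05:40 ENTER badge=2210 door=DC-1
2024-03-01T08:06:02 TAILGATE door=DC-1
2024-03-01T09:15:09 EXIT badge=1042 door=DC-1
2024-03-01T09:30:00 ENTER badge=1077 door=DC-1
"""

def parse(log: str) -> List[Dict[str, str]]:
    """Split each line into a timestamp, an event kind and its key=value fields."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {"time": ts, "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events

def review(log: str) -> Dict[str, list]:
    """Three findings a log review is meant to surface: ENTER events by badges
    not on the authorized list, badges still inside when the log ends (entered
    without a matching EXIT), and tailgate-sensor alarms, i.e. someone passed
    the beam array right behind a badge holder without presenting credentials."""
    unauthorized, inside, tailgates = [], {}, []
    for ev in parse(log):
        if ev["kind"] == "ENTER":
            if ev["badge"] not in AUTHORIZED_BADGES:
                unauthorized.append((ev["time"], ev["badge"]))
            inside[ev["badge"]] = ev["time"]
        elif ev["kind"] == "EXIT":
            inside.pop(ev["badge"], None)
        elif ev["kind"] == "TAILGATE":
            tailgates.append((ev["time"], ev["door"]))
    return {"unauthorized": unauthorized,
            "still_inside": sorted(inside),
            "tailgates": tailgates}
```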
Administrative Controls
• Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines.
• Administrative controls form the framework for running the business and managing people.
• Laws and regulations created by government bodies are also a type of administrative control because they inform the business.
• Examples: corporate security policy, password policy, hiring policies, and disciplinary policies.
Defense in depth
• Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information.
• To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.
Security classification of Information
• In the business sector
– Public
– Sensitive
– Private
– Confidential
• In the government sector
– Unclassified
– Sensitive but unclassified
– Restricted
– Confidential
– Secret
– Top Secret
– and their non-English equivalents
Laws and regulations
The original Information Technology Act (sections 43 and 66)
• Passed in 2000
• Deals with computer misuse
• Does not have any express provision for data security.
The IT (Amendment) Act 2008 ("Amendment Act") (section 43A and section 72A)
• Under Section 43A, "bodies corporate" can be liable if they are negligent in implementing and maintaining "reasonable security practices and procedures" to protect "sensitive personal data or information".
New data security regulations, 2011 ("sensitive personal data rules")
The Sensitive Personal Data Rules define "sensitive personal data or information" of a person to include information about:
• Passwords;
• Financial information such as bank accounts, credit and debit card details;
• Physiological and mental health condition, medical records;
• Biometric information;
• Information received by a body corporate under lawful contract or otherwise;
• User details as provided at the time of registration or thereafter; and
• Call data records.
Information that is freely available in the public domain or accessible under the Right to Information Act, 2005 or any other law will not be regarded as sensitive personal data or information.
Summary
• Information security is a "well-informed sense of assurance that the information risks and controls are in balance."
• Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
• Security should be considered a balance between protection and availability
Types of IT Threats
1. Computer virus
2. Trojan Horses
3. DNS poisoning
4. Password grabbers
5. Network worms
6. Logic Bombs
7. Hijacked home page
8. Password cracker
Types of Attacks
1. SQL Injection
2. Dictionary attack
3. Phishing
4. Cross site scripting (XSS)
5. UI redressing
