Access Control
Domain Objectives
• Provide definitions and key concepts
• Identify access control categories and types
• Discuss access control threats
• Review system access control measures
• Understand Intrusion Detection and Intrusion Prevention systems
• Understand Access Control assurance methods
Access Control
• Is the basic foundation of information security
• Implemented differently depending on whether the area of
implementation is physical, technical or administrative.
• Categories include:
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Directive
• Compensating
• Often used in combination
Access Control
• A comprehensive threat analysis will identify the areas that will provide
the greatest cost-benefit impact.
• The field of access control is constantly evolving. Organizations need to
know what is available and what methods will best address their issues.
• Data and system access control are NOT the same. A user might have
access to a system but not to the data. Think “need-to-know”.
• Access control assurance addresses the due diligence aspect of
security.
• Implementing a control is part of due care, but due diligence involves
regularly checking to ensure that the control is working as expected.
Information Security TRIAD
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Basic Requirements
• Security – ensure only authorized users and processes are able to access or
modify
• Reliability – ensure control mechanisms work as expected, every time
• Transparency – have minimal impact on the ability of authorized users to
interface with the system and do their job
• Scalability – should be able to handle a wide range of changing systems and
user load without compromising system performance
• Maintainability – if too time-consuming or complicated, admins may not keep
them up to date
• Auditability – should provide audit trails
• Integrity – must be designed to protect from unauthorized changes
• Authentic – help ensure that data input is authentic
Key Concepts
• Separation of duties
• No one person should have control over the process. Allowing this could
allow a person to manipulate the system for personal gain. Process should
be broken down into individual steps executed by different people.
• Rotation of duties prevents collusion between two or more people. This
minimizes the chance of or exposes fraud. Forced vacation can provide
the same effect.
• Core element of the Clark-Wilson Integrity model
• Least privilege – only allow access to resources that are absolutely needed
for work
• Need-to-know – just because you have the clearance doesn’t mean you
really need to know the data or process
Information Classification
• Is the PROPER assessment of the sensitivity and criticality of information
• Ensures that info is neither improperly disclosed nor overprotected
• Objectives:
• Identify info that needs to be protected
• Standardize labeling
• Alert authorized holders of protection requirements
• Comply with laws, regulation, etc.
• Benefits – keeps cost down
• Example of classification:
• Public, internal use only and company confidential
• Compartmentalized information – information that requires special
privilege to access
Information Classification Procedures
• Scope – risk analysis will evaluate data for classification. Things to consider:
• Exclusive possession (trade secrets, etc.)
• Usefulness
• Cost to recreate
• Legal or regulatory liability
• Operational impact
• Etc.
• Process – goal is to achieve a consistent approach to handling classified
information
• Marking and labeling – for all types of media to include video
• Human readable
• Machine readable
• Assurance – regular internal and possibly external audits should be done
Access Control Types
• Administrative – policies and procedures.
• Technical/logical – use of hardware and software controls
• Physical – manual, structural or environmental controls to protect
facilities and resources
Access Control Categories
• Preventive – block unwanted actions. However, only effective if
employees see these as necessary
• Detective – identify, log and alert management of unwanted
actions (during or after event)
• Corrective – remedy the circumstances that enabled event
• Directive – controls dictated by organizational and legal authorities
• Deterrent – Prescribe some sort of punishment
• Recovery – restore lost resources or capabilities
• Compensating – backup controls that come into effect when
normal controls are unavailable
Access Control Threats
• Denial of service
• Password crackers
• Dictionary
• Brute force
• Rainbow tables
• Keystroke loggers
• Spoofing/masquerading
• Machine
• Impersonation
• Sniffers
• Shoulder surfing/swiping
• Dumpster diving
• Emanations
• Time of Check (TOC)/Time of Use (TOU)
System Access Control
• Identification – process of recognizing users or resources as valid
accounts
• Authentication – verification of the identity of the person or node
• Authorization – determines what a user or node is allowed to do
once identified and authenticated
• Accountability – ability to track user activity
Identification
• Methods
• Most common is UserID, account number, email or PIN
• Biometrics can also be used
• Guidelines – unique UserID unless anonymity is required
• RFID – can be used in place of above methods to identify user
• MAC and IP address – used primarily to identify a node on the network
• Security user registration – user interacts with a registration authority to
become an authorized member of the domain
1. UserID, encryption keys, job title, email, etc.
2. User validation
Authentication Methods
• Knowledge (something you know)
• Ownership (something you have)
• Characteristics (something you are)
Identity and Access Management
• Need for identity management – needed to manage,
authenticate, authorize, provision, de-provision and protect
identities
• Challenges – the more complex a network and data protection
system, the more challenging to manage
• Identity management technologies – designed to centralize and
streamline the management of user ids, authentication and
authorization
Identity Management Challenges
• Consistency – user data entered across different systems MUST
be consistent
• Reliability – user profile data should be reliable. Especially if used
to control access to data or resources
• Usability – multiple logins over multiple systems might not be the
best idea
• Efficiency – using an identity management system can decrease
costs and improve productivity for both users and administrators
• Scalability – the management system used must be able to scale
to support the data, systems and peak transaction rates
Identity Management Challenges
• Principals
• Insiders – employees and contractors
• Outsiders – customers, partners, vendors, etc.
• Data – different types of data about principals must be managed
• Personal, legal and access control
• Some of this data might have regulatory requirements
• Life Cycle
• Initial setup – when user joins
• Change and maintenance – routine pw change, name changes, etc.
• Tear-down – when user leaves
Identity Management Technologies
• Web Access Management (WAM)
• Password management
• Account management
• Profile update
Access Control Technologies
• Single sign-on
• Kerberos
• SESAME - protocol developed by the European Union. Also known as
SSO
• Web Portal Access
• Directory services
• Security domains
Access to Data
Implementations
• Mandatory
• Temporal
• Discretionary
• Role
• Rule
• Content
• Privacy
Descriptions
• List
• Matrix
• Capabilities
• Non-discretionary
• Constraints
• Centralized
• Decentralized
Access Control Lists (ACL)
• Most common implementation of Discretionary Access Control (DAC)
• Provide easy method to specify which users are allowed access to which
objects
• Objects/subjects
• Files/users
• O.S. dependent
• Each OS has its own way of representing ACLs.
• UNIX – 3 subjects: owner, group and world w/ 3 permissions: Read ,Write,
Execute
• ACL support in Linux is available for Ext2, Ext3, IBM JFS, ReiserFS and
SGI XFS
• Microsoft has an unlimited number of subjects and 26 permissions
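As an added illustration (not part of the original slides): a small Python model of the UNIX owner/group/world check beside a generic ACL whose entries only the object's owner may change, which is what makes it discretionary. All users, groups, files and mode values are constructed.

```python
# Added example (not from the slides): UNIX mode-bit DAC beside a generic ACL.
# All users, groups, files and modes below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o640 = rw-r-----


def unix_allowed(f: UnixFile, user: str, user_groups: set, want: str) -> bool:
    """UNIX DAC: three subjects (owner, group, world), three permissions (r, w, x).
    The first matching class decides; an owner denied by the owner triple is not
    rescued by a more permissive group or world triple."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == f.owner:
        triple = (f.mode >> 6) & 0o7
    elif f.group in user_groups:
        triple = (f.mode >> 3) & 0o7
    else:
        triple = f.mode & 0o7
    return bool(triple & bit)


@dataclass
class AclFile:
    owner: str
    entries: list = field(default_factory=list)  # [(principal, {"r", "w"}), ...]


def acl_allowed(f: AclFile, user: str, want: str) -> bool:
    """Generic ACL: explicit per-principal entries; no matching entry means deny."""
    for principal, perms in f.entries:
        if principal == user:
            return want in perms
    return False


def grant(f: AclFile, actor: str, principal: str, perms: str) -> None:
    """Discretionary: only the object's owner may change its ACL."""
    if actor != f.owner:
        raise PermissionError(f"{actor} is not the owner of this object")
    f.entries.append((principal, set(perms)))
```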
Centralized/Decentralized Access Control
• Centralized access control – one entity makes network access decisions.
Owners decide which users can access specific objects and the administration
supports these directives.
• RADIUS
• TACACS+
• Diameter (RADIUS-based but enhanced to overcome inherent limitations)
• Decentralized access control – decisions and administration are implemented
locally, putting the security controls in the hands of people closer to the resource.
• Often causes confusion because it can lead to non-standardization,
overlapping rights, etc.
• P2P
Intrusion Detection Systems
• Network Based = Packet
• NIDS
• Host-Based = Permission
• HIDS
• Application-Based = Process
• AIDS
• APIDS
Intrusion Prevention Systems
• Host-based
• Network-based
• Content-based
• Rate-based
• KPI (Key Performance Indicator) - measure effectiveness
Analysis Engine Methods
• Pattern or signature-based
• Pattern matching
• Stateful matching
• Anomaly-based
• Statistical
• Traffic
• Protocol
• Heuristic scanning
IDS/IPS Examples
• Anomaly
• Multiple failed logins
• User logged in at unusual times
• Unexplained changes to system clocks
• Unusual number of error messages
• Unexplained system shutdowns/restarts
• Response
• Dropping suspicious packets
• Denying access to suspicious users
• Reporting suspicions to other system hosts/firewalls
• Changing IDS configurations
• Alert
• IM
• Email
• Pager
• Audible alarm
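As an added example (not from the slides), two of the anomaly rules above, repeated failed logins and logins at unusual times, run over a few constructed syslog-style authentication lines. The log format, user names, addresses, threshold and business-hours window are all assumptions.

```python
# Added example (not from the slides): two anomaly rules over constructed auth
# log lines. Format, users, addresses, threshold and hours are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, syslog-like; not captured from a real host.
SAMPLE_LOG = """\
2024-03-04 02:13:05 sshd: Failed password for bob from 10.0.0.7
2024-03-04 02:13:09 sshd: Failed password for bob from 10.0.0.7
2024-03-04 02:13:14 sshd: Failed password for bob from 10.0.0.7
2024-03-04 02:13:20 sshd: Failed password for bob from 10.0.0.7
2024-03-04 02:13:26 sshd: Accepted password for bob from 10.0.0.7
2024-03-04 09:30:00 sshd: Accepted password for alice from 10.0.0.9
"""

LINE = re.compile(r"^(\S+ \S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log):
    """Yield (timestamp, outcome, user, source) for each line that matches."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def failed_login_bursts(log, threshold=3, window=timedelta(minutes=5)):
    """Alert on users with `threshold` or more failures inside a sliding `window`."""
    alerts = set()
    recent = defaultdict(list)  # user -> timestamps of failures still in window
    for ts, outcome, user, _src in parse(log):
        if outcome != "Failed":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            alerts.add(user)
    return alerts


def off_hours_logins(log, start_hour=7, end_hour=19):
    """Flag successful logins outside the assumed business window [start, end)."""
    return {(user, ts.strftime("%H:%M")) for ts, outcome, user, _src in parse(log)
            if outcome == "Accepted" and not start_hour <= ts.hour < end_hour}
```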
Access Control Assurance
• Audit trail monitoring
• Vulnerability assessment tools
Penetration Testing Overview
• Definition
• Areas to test
• Methods of testing
• Testing procedures
• Testing hazards
Areas to Test
• Application security
• Denial of Service (DoS)
• War dialing
• Wireless penetration
• Social engineering
• PBX and IP telephony
Penetration Testing Methods
• Attack perspectives
• External
• Internal
• Attack strategies
• Zero-knowledge
• Partial-knowledge
• Full-knowledge
• Targeted
• Double-blind
Testing Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
Testing Hazards and Reporting
• Production interruption
• Application abort
• System crash
• Documentation
• Identified vulnerabilities
• Countermeasure effectiveness
• Recommendations
• KPI – Key Performance Indicators
Access Control Domain Summary
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance