InfoSec Lect7

The document provides an overview of authentication and access control, detailing the mechanisms that manage user access to systems and resources. It covers key concepts such as identification, authentication, authorization, and various access control models and techniques. Additionally, it discusses the importance of accountability and the technologies used in access control administration.

Uploaded by

9811765048yadav

Information Security

Unit 4:
Authentication and Access Control
Outline
• Overview of access control
• Authentication and Authorization
• Identification and authentication techniques
• Access control techniques
• Access control methodologies, implementations and administration

Access Controls
From (ISC)2 Candidate Information Bulletin:
• Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system.

Access Control: Overview
• Access Controls: The security features that control how users and systems communicate and interact with one another.
• Access: The flow of information between subject and object
• Subject: An active entity that requests access to an object or the data in an object
• Object: A passive entity that contains information

Security Principles
The three main security principles also pertain to access control:
• Availability
• Integrity
• Confidentiality

Identification, Authentication, and Authorization
• Identification, Authentication, and Authorization are distinct functions.
• Identification
  • Method of establishing the subject’s (user, program, process) identity.
• Authentication
  • Method of proving the identity.
• Authorization
  • Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.

Identification
• Identification
  • Method of establishing the subject’s (user, program, process) identity.
    • Use of user name or other public information.
    • Know identification component requirements.
  • When issuing identification values to users, the following should be in place:
    • Each value should be unique, for user accountability;
    • A standard naming scheme should be followed;
    • The value should be nondescriptive of the user’s position or tasks; and

Authentication
• Authentication
  • Method of proving the identity.
    • Something a person is, has, or does.
    • Use of biometrics, passwords, passphrase, token, or other private information.
• Strong Authentication is important
• To be properly authenticated, the subject is usually required to provide a second piece to the credential set (e.g., password, passphrase, key, PIN, token).
Authentication Methods
• There are 3 primary authentication methods. Sensitive or critical information should be protected by employing at least two of them (two- or three-factor authentication).
  • Knowledge: Something you know, such as a password, passphrase or PIN.
  • Ownership: For example, tokens and smart cards.
  • Characteristics: Biometrics are digitized representations of physical features (such as fingerprints) or physical actions (such as signatures).

Authentication
• Biometrics
  • Verifies an identity by analyzing a unique person attribute or behavior (e.g., what a person “is”).
  • Most expensive way to prove identity, also has difficulties with user acceptance.
  • Many different types of biometric systems, know the most common.

Authentication
• Most common biometric systems:
  • Fingerprint
  • Palm Scan
  • Hand Geometry
  • Iris Scan
  • Signature Dynamics
  • Keyboard Dynamics
  • Voice Print
  • Facial Scan
  • Hand Topography

Authentication
• Biometric systems can be hard to compare.
• Type I Error: False rejection rate.
  • When a biometric system rejects an authorized individual
• Type II Error: False acceptance rate.
  • When a biometric system accepts an individual who should have been rejected
  • This is an important error to avoid.
• Crossover Error Rate
  • Rating stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate.
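The Type I / Type II trade-off and the crossover point, as an added worked example that is not part of the original slides. The match scores are constructed, and the "accept when score >= threshold" rule is an assumption about how the matcher decides.

```python
# Constructed match scores (0-100) for illustration; not measurements from a real sensor.
GENUINE = [55, 62, 68, 71, 74, 77, 80, 83, 88, 93]    # authorized users
IMPOSTOR = [12, 20, 27, 33, 38, 44, 49, 57, 63, 70]   # people who should be rejected


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when a sample is accepted if score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)      # Type I error
    far = sum(s >= threshold for s in impostor) / len(impostor)   # Type II error
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold; return (threshold, CER) where FRR and FAR are closest."""
    def gap(t):
        frr, far = error_rates(t, genuine, impostor)
        return abs(frr - far)

    t = min(range(0, 101), key=gap)
    frr, far = error_rates(t, genuine, impostor)
    return t, (frr + far) / 2


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR is <= max_far, and the FRR paid for it."""
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.0%} at threshold {t}")
    # Tuning for the error the slide calls important to avoid (Type II):
    t0, frr0 = threshold_for_far(0.0)
    print(f"FAR 0% needs threshold {t0}, which raises FRR to {frr0:.0%}")
```

The CER lets two systems be compared with one number, while the deployed threshold is usually set above the crossover so that false acceptances are rarer at the cost of more false rejections.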
Authentication
Passwords
• User name + password most common identification, authentication scheme.
• Weak security mechanism, must implement strong password protections
• Implement Clipping Levels

Authentication
Techniques to attack passwords
• Electronic monitoring
• Access the password file
• Brute Force Attacks
• Dictionary Attacks
• Social Engineering

Authentication
Passphrase
• Is a sequence of characters that is longer than a password.
• Takes the place of a password.
• Can be more secure than a password because it is more complex.

Authentication
• One Time Passwords (aka Dynamic Passwords)
  • Used for authentication purposes and are only good once.
  • This type of system is not vulnerable to electronic eavesdropping, sniffing, or password guessing.
• Two types of Token Devices (aka Password Generator)
  • Synchronous
    • Time Based
    • Counter Synchronization
  • Asynchronous

Authentication
• Smart Cards and Memory Cards
  • Memory Cards: Holds but cannot process information.
  • Smart Cards: Holds and can process information. Has a microprocessor and integrated circuits incorporated into the card itself.
    • Contact
    • Contactless
  • Significant benefit of smart cards is that the authentication process occurs at the reader, thereby avoiding the trusted-path (protecting logon information between the user and the authentication server) problem.

Authorization
• Authorization
  • Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
  • Granting access rights to subjects should be based on the level of trust a company has in a subject and the subject’s need to know.
  • Is a core component of every operating system and establishes whether a user is authorized to access a particular resource and what actions he is permitted to perform on the resource

Authorization
• Access Criteria can be thought of as:
  • Roles
    • Is an efficient way to assign rights to a type of user who performs a certain task (job assignment or function).
  • Groups
    • When several users require same type of access to information and resources
  • Location
    • To restrict unauthorized individuals from being able to get in and reconfigure the server remotely.
  • Time
    • Restrict the times that certain actions or services can be accessed.
  • Transaction Types
    • Can be used to control what data is accessed during certain types of functions and what commands can be carried out on the data.
Authorization
• Authorization concepts to keep in mind:
  • Authorization Creep
    • When new access rights and permissions are assigned to an employee without the old permissions being reviewed and removed.
  • Default to Zero
    • All access controls should be based on the concept of starting with zero access and then building on top of that.
  • Need to Know Principle
    • Individuals should be given access only to the information that they absolutely require in order to complete their job duties.
  • Access Control Lists
    • A list of subjects that are authorized to access a particular object.
Authorization
• Problems in controlling access to assets:
  • Different levels of users with different levels of access
  • Resources may be classified differently
  • Diverse identity data
  • Corporate environments keep changing

Authorization
• Solutions that enterprise-wide and single sign-on solutions supply:
  • User provisioning
  • Password synchronization and reset
  • Self service
  • Centralized auditing and reporting
  • Integrated workflow (increase in productivity)
  • Regulatory compliance

Authorization
• Single Sign On Capabilities
  • Allow user credentials to be entered one time and the user is then able to access all resources in primary and secondary network domains
• SSO technologies include:
  • Kerberos
  • Sesame
  • Security Domains
  • Directory Services
  • Dumb Terminals

SSO Process
• SSOs enable users to log on to the authentication server and still obtain access to all additional authorized networked systems without additional identification and authentication.
• SSO is also referred to as reduced sign-on, and is used in web-based environments in federated ID management systems.

SSO Technologies
• Legacy Single Sign-On (SSO)
  • Although many legacy systems do not support an external means to identify and authenticate their users, it is possible to store user credentials centrally, and automatically enter them where and when needed.
  • The SSO system stores every user’s password to every system. This causes concern with respect to availability: if the SSO system fails, denial of service results.
  • If the SSO is compromised, controls over access to all systems may be lost.
• Kerberos
  • An SSO open-standards protocol for authentication in a single security domain.
  • Kerberos is an authentication protocol that uses symmetric key encryption in three key pairs: two authentication pairs are shared by the authenticator and a single principal and one session pair is shared between principals.
  • The session-key pair is distributed in such a way that principals are required to trust the authenticator rather than each other.
• SESAME
  • The Secure European System for Applications in a Multi-Vendor Environment (SESAME) is a protocol developed by the European Union that addresses multiple or disparate security domains.
SSO: Pros and Cons
• Pros:
  • Efficient log-on process: The user logs on only once to access all authorized systems.
  • Encourages users to create stronger passwords: With only one password to remember and control, users may be inclined to use passwords that are harder and more difficult to crack. Fewer passwords to manage should also result in fewer being written down in unsafe locations.
  • Centralized administration: Ensures consistent application of policy and procedures.
• Cons:
  • Single point of compromise: A single compromised sign-in allows the intruder into all of the account owner's authorized resources.
  • Legacy interoperability: It may be difficult to include unique computers or legacy systems in the single sign-on network.
  • Implementation difficulties: Unusual types of systems may not interface well with SSO software.
Access Control Models
Three Main Types
• Discretionary
• Mandatory
• Non-Discretionary (Role Based)

Access Control Models
Discretionary Access Control (DAC)
• A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources.
• Access control is at the discretion of the owner.

Access Control Models
Mandatory Access Control (MAC)
• Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications.
• This model is used in environments where information classification and confidentiality are very important (e.g., the military).

Access Control Models
Non-Discretionary (Role Based) Access Control Models
• Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.
• Is the best system for an organization that has high turnover.

Access Control Techniques
There are a number of different access controls and technologies available to support the different models.
• Rule Based Access Control
• Constrained User Interfaces
• Access Control Matrix
• Content Dependent Access Control
• Context Dependent Access Control

Access Control Techniques
Rule Based Access Control
• Uses specific rules that indicate what can and cannot happen between a subject and an object.
• Not necessarily identity based.
• Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.

Access Control Techniques
Constrained User Interfaces
• Restrict user’s access abilities by not allowing them certain types of access, or the ability to request certain functions or information
Three major types
• Menus and Shells
• Database Views
• Physically Constrained Interfaces

Access Control Techniques
Access Control Matrix
• Is a table of subjects and objects indicating what actions individual subjects can take upon individual objects.
• Two types
  • Capability Table (bound to a subject)
  • Access Control List (bound to an object)

Access Control Matrix

Object-Oriented Capability Table: Is a collection of access control lists implemented by comparing the column of objects to the rows of subjects.

Subject-Oriented Capability Table: Is a collection of access control lists implemented by comparing the column of users or subjects to their rights of access to protected objects.
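The two views of an access control matrix, as an added example that is not part of the original slides. The subjects, objects and rights are constructed, and the function names are hypothetical; the check follows the "default to zero" concept from the authorization slides.

```python
# Constructed matrix for illustration: rows are subjects, columns are objects.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob": {"payroll.db": {"read"}},
    "backup_svc": {"payroll.db": {"read"}, "audit.log": {"read"}},
}


def capability_table(matrix, subject):
    """Row of the matrix: everything one subject may do (bound to the subject)."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def access_control_list(matrix, obj):
    """Column of the matrix: every subject with rights on one object (bound to the object)."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def is_allowed(matrix, subject, obj, action):
    """Default to zero: a missing subject, object or right means no access."""
    return action in matrix.get(subject, {}).get(obj, set())


def revoke_subject(matrix, subject):
    """Remove a subject's row and return the objects whose ACLs named them.

    In a capability view this is one delete; in an ACL view every returned
    object's list has to be edited, which is where stale entries survive.
    """
    return sorted(matrix.pop(subject, {}))


if __name__ == "__main__":
    print(capability_table(MATRIX, "alice"))
    print(access_control_list(MATRIX, "audit.log"))
    print(is_allowed(MATRIX, "bob", "payroll.db", "write"))   # no such right
    print(is_allowed(MATRIX, "mallory", "payroll.db", "read"))  # unknown subject
```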

Access Control Techniques
• Content Dependent Access Control
  • Access to an object is determined by the content within the object.
• Context Based Access Control
  • Makes access decision based on the context of a collection of information rather than content within an object.

Access Control Administration
• First an organization must choose the access control model (DAC, MAC, RBAC).
• Then the organization must select and implement different access control technologies.
• Access Control Administration comes in two basic forms:
  • Centralized
  • Decentralized

Access Control Administration
Centralized Access Control Administration:
• One entity is responsible for overseeing access to all corporate resources.
• Provides a consistent and uniform method of controlling access rights.
  • Protocols: Agreed upon ways of communication
  • Attribute Value Pairs: Defined fields that accept certain values.

Access Control Administration
Types of Centralized Access Control
• RADIUS
• TACACS
• Diameter

RADIUS
• Remote Authentication Dial In User Service.
• Is a client/server authentication protocol and authenticates and authorizes remote users.
• Most ISPs use RADIUS to authenticate customers before they are allowed to access the Internet.
• RADIUS is an open protocol and can be used in different types of implementations.
• Uses UDP as a transport protocol.
• Only encrypts the user’s password as it is being transmitted from the RADIUS client to the RADIUS server.
• Is an appropriate protocol when simplistic username/password authentication can take place and users only need an “accept” or “deny” for obtaining access.

TACACS
• Terminal Access Controller Access Control System
• Uses TCP as a transport protocol.
• Encrypts all user data and does not have the vulnerabilities that are inherent in the RADIUS protocol.
• Presents true AAA (authentication, authorization, and accounting) architecture.

Diameter
• Protocol that has been developed to build upon the functionality of RADIUS and overcome many of its limitations.
• It is an IETF standard defined in RFC 3588.
• The various applications that require AAA functions can define their own extensions on top of the Diameter base protocol, and can benefit from the general capabilities provided by the Diameter base protocol.

Access Control Administration
Decentralized Access Control Administration:
• Gives control of access to the people who are closer to the resources
• Has no methods for consistent control, lacks proper consistency.

Accountability
Accountability is tracked by recording user, system, and application activities.
Audit information must be reviewed
• Event Oriented Audit Review
• Real Time and Near Real Time Review
• Audit Reduction Tools
• Variance Detection Tools
• Attack Signature Tools

Accountability
• Other accountability concepts
  • Keystroke Monitoring
    • Can review and record keystroke entries by a user during an active session.
    • A hacker can also do this
    • May have privacy implications for an organization
  • Scrubbing: Removing specific incriminating data within audit logs

Access Control Practices
• Know the access control tasks that need to be accomplished regularly to ensure satisfactory security. Best practices include:
  • Deny access to anonymous accounts
  • Enforce strict access criteria
  • Suspend inactive accounts
  • Replace default passwords
  • Enforce password rotation
  • Audit and review
  • Protect audit logs

Access Control Practices
• Unauthorized Disclosure of Information
  • Object Reuse
  • Data Hiding
• Emanation Security
  • Tempest
    • Project started by the DoD and then turned into a standard that outlines how to develop countermeasures that control spurious electrical signals that are emitted by electronic equipment.
  • White Noise
    • A uniform spectrum of random electrical signals.
  • Control Zone
    • Creates a security perimeter and is constructed to protect against unauthorized access to data or compromise of sensitive information.
Access Control Monitoring
Intrusion Detection
• Three Common Components
  • Sensors
  • Analyzers
  • Administrator Interfaces
• Common Types
  • Intrusion Detection
  • Intrusion Prevention
  • Honeypots
  • Network Sniffers

Access Control Monitoring
• Two Main Types of Intrusion Detection Systems
  • Network Based (NIDS)
  • Host Based (HIDS)
• HIDS and NIDS can be:
  • Signature Based
  • Statistical Anomaly Based
    • Protocol Anomaly Based
    • Traffic Anomaly Based
  • Rule Based

Access Control Monitoring
Intrusion Prevention Systems
• Is a preventative and proactive technology; IDS is a detective technology.
• Two types: Network Based (NIPS) and Host Based (HIPS)

Access Control Monitoring
Honeypots
• An attractive offering that hopes to lure attackers away from critical systems
Network sniffers
• A general term for programs or devices that are able to examine traffic on a LAN segment.
