
Domain 1: Access Control
2010 CISSP Study Group
Presented by: Jeff McEwen, CISSP, Security Architect, AAA NCNU Insurance Exchange

Domain Objective
The objective of this domain is to understand:
  Access control concepts and techniques
  Access control methodologies and implementation within centralized and decentralized environments
  Detective and corrective access controls
  Mechanisms for controlling system use
  Potential risks, vulnerabilities, and exposures

Domain Summary
The information for this domain represents approximately 16% of the CISSP exam content.

Access Control Defined
Access control is the heart of security. It is:
  The ability to allow only authorized users, programs or processes system or resource access
  The granting or denying, according to a particular security model, of certain permissions to access a resource
  An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules
  The collection of mechanisms for limiting, controlling, and monitoring system access to certain items of information, or to certain features, based on a user's identity and their membership in various predefined groups

Key Access Control Terms
  Identification - assert user is the user; the process through which one ascertains the identity of another person or entity; provides accountability to users and traceability of their activities
  Authentication - verifies user is who user claims; the process through which one proves and verifies certain information
  Authorization - actions the user is allowed to perform
  Accountability - tracks user actions and when they were done
  Approval - authorizations were appropriately granted by the data owner

Access Control Concepts
  Security Policy - a high-level overall plan embracing general goals and acceptable actions for each system
  Accountability - systems that process sensitive information must assure individual accountability
  Assurance - systems must guarantee correct and accurate interpretation of security policy

Access Control Systems & Methodology - Why Control Access

Access Control Purposes
  Confidentiality - information is not disclosed to unauthorized individuals or processes
    protects against hackers, unprotected communications, unauthorized users
  Integrity - information retains its original level of accuracy
    protects against unauthorized data modifications, system changes, or program changes
  Availability - reliable access to data
    protects against denial of service, ping attacks, e-mail flaming

What does AC hope to protect?
  Data - unauthorized viewing, modification or copying
  System - unauthorized use, modification or denial of service
  It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Information Value
  Information is assumed to have a value that can be measured by quantity or quality
  The major reason to value information is the cost to develop and the value to its owners
  Valuation techniques - use of policy or regulation, checklist, questionnaire, consensus, accounting data, statistical analysis

File and Data Ownership
A prerequisite to development of effective access controls is the establishment of data ownership. The Data Owner is required to:
  Identify sensitivity of information
  Determine security requirements
  Ensure security requirements meet goals
  Authorize access
  Develop contingency plans

Access Control Systems & Methodology - How do we control access?

Control Types
  Preventative - deter problems before they occur
  Detective - investigate an act that has occurred
  Corrective - remedy acts that have occurred
  Deterrent - discourage an act from occurring
  Recovery - restore a resource from an act that has occurred

Lines of Defense
  Security mechanisms for limiting and controlling access to resources by layering protection
  Categories - usually 3 lines, with action priorities based on increased control with each succeeding layer
    First line - policies, firewalls, passwords, separation of duties, training, quality assurance, fault tolerance, etc.
    Second line - audit trails, monitoring, penetration testing
    Third line - insurance, bonding, backups, contingency plans

Access Control Types
  Management - policies, procedures, and accountability designed to control system use
  Technical - hardware and software controls used to automate protection of the system
  Operational - personnel procedures used to protect the system

Proactive access control
  Awareness training
  Background checks
  Separation of duties
  Split knowledge
  Policies
  Data classification
  Effective user registration
  Termination procedures
  Change control procedures

Physical access control
  Guards
  Locks
  Mantraps
  ID badges
  CCTV, sensors, alarms
  Biometrics
  Fences - the higher the voltage the better
  Card-key and tokens
  Guard dogs

How can AC be implemented?
  Hardware
  Software
  Application
  Protocol (Kerberos, IPSec)
  Physical
  Logical (policies)

Access Control & privacy issues
  Expectation of privacy
  Policies
  Monitoring activity, Internet usage, email
  Login banners should detail expectations of privacy and state levels of monitoring

Access Control Systems & Methodology - User Authentication

Identification
Types of ID:
  User IDs
  Names
  PINs (also used for authentication)
  Badges
  Biometrics (also used for authentication)

User Authentication
  User Identification - provides identity to system
    authentication data verifies individual
    activities traced to an individual responsible for actions
    use of a label to ID user
  User label characteristics
    unique
    non-descriptive of function, area, or company

User Authentication - System Implementation
  Administration - create, distribute, and store authentication data (passwords)
  Maintaining authentication - log out user or lock system during inactivity
  Single log-in - a group of systems on one OS platform that allow the user to authenticate once
  Host-to-host authentication - host passes on logon data
  Authentication servers - user logs on to a special network server
  User-to-host authentication - user logs on and receives token for logons to other systems

Authentication
3 types of authentication:
  Something you know - password, PIN, mother's maiden name, passcode, fraternity chant
  Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
  Something you are - fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Password
  Most common type of authentication in use
  Something a user knows
  A string of characters that IDs a user
  Types:
    One-time passwords - system generated and changed after every use
    Passphrase - a sequence of characters that is longer than a regular password and is transformed into a virtual password

Password Issues
  Selection
    Source - can be assigned or user selected, system generated, token generated, or a system default
    Composition - can be words, characters, or a phrase
    Types - can be system or resource specific
  Management
    Transport - paths that the user uses to update the password
      owner authentication - generated by owner
      system owner authentication - generated by system
      system administration to owner & system - generated by system administrator

Password Issues - Management (continued)
  Initial passwords
    New users
    One-time passwords
    Force user change
  User notification on successful login - date & time of last logon and location
  Suspend ID after a number of unsuccessful logon attempts
  Audit trail of logons - successful logins and unsuccessful attempts, along with date/time/ID/origin
  Control maximum logon attempt rate

Password Issues - Control
  Password lifetime - length of time the password can be secure
  Users change own password
  Audit trail of password changes
  Risk if compromised
  Distribution risk
  Probability of guessing
  Electronic monitoring
  Vulnerable to cracking

Password Issues - Control (continued)
  Password security
    Number of characters
    Minimum length
    Number of invalid attempts
  Compromises - severity of measures vs. user acceptance
  Forgotten passwords - issue expired passwords; user changes immediately
  User ID by phone - validate user identity, call back user at office phone with new password

Problems with passwords (what a person knows)
  Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
  Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
  Inconvenient - In an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible, to remember

Classic password rules (what a person knows)
  The best passwords
    Easy to remember
    Hard to crack using a dictionary attack
    The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
  Don't use:
    common names, DOB, spouse, phone #, etc.
    words found in dictionaries
    "password" as a password
    system defaults

Password management (what a person knows)
  Configure system to use strong passwords
  Set password time and length limits
  Limit unsuccessful logins
  Limit concurrent connections
  Enable auditing
  Have policies for password resets and changes
  Use last login dates in banners

Access Control Techniques (what a person has)
  Tokens - access information stored in a portable device
    Memory token - stores but does not process data
    Smart token - stores and processes data
    Limitations - lost or stolen with PIN allows for masquerading; battery failure or device malfunction
    Benefits - not vulnerable to regular cracks; 2-factor authentication - challenge response
    Examples - SecurID, PIN pad, ATM card

Tokens
  Used to facilitate one-time passwords
    Asynchronous token device
    SecurID - synchronous token device
  Physical card
  S/Key
  Smart card - contact & contactless
  Access token

Access Control Techniques (what a person is)
  Biometrics - something a person is
    The one attribute that cannot be readily compromised in the 3 factors of personal identity: knows - i.e. password; has - i.e. access card; is - i.e. fingerprint
    Examples - fingerprint, hand geometry, voice verification
    Constraints - cost of equipment, access time, false readings

Biometrics
Authenticating a user via human characteristics
  Accuracy
    False Reject Rate (type I error)
    False Accept Rate (type II error)
    Cross-Over Error Rate (CER)
  Behavioral - keystroke, signature pattern, signature dynamics
  Physical - characteristics of a person to prove their identification: fingerprint, iris, retina, voice, face
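An added example (written for this edit, not from the slides) that makes the three accuracy figures concrete: for a constructed set of matcher similarity scores it computes the false reject rate and false accept rate at each acceptance threshold and sweeps for the point where the two curves meet, which is the CER. The score values are made up for illustration.

```python
from typing import List, Tuple

# Constructed matcher similarity scores (0-100) for illustration only; not real measurements.
# A genuine attempt is the enrolled person; an impostor attempt is someone else presenting.
GENUINE_SCORES = [88, 91, 76, 95, 83, 70, 90, 85, 79, 93]
IMPOSTOR_SCORES = [40, 55, 62, 71, 35, 50, 68, 45, 58, 74]


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: share of legitimate users whose score falls below the acceptance threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """Type II error: share of impostors whose score reaches the acceptance threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep every threshold; return (threshold, error rate) where FAR and FRR are closest.
    Raising the threshold lowers FAR but raises FRR, so the CER is the balance point used to
    compare devices: a lower CER means a more accurate system."""
    best_gap, best_t, best_rate = None, None, None
    for t in range(0, 101):
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_rate = gap, t, (far + frr) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t in (60, 70, 72, 80, 90):
        print(f"threshold {t:3d}: FRR={false_reject_rate(GENUINE_SCORES, t):.2f} "
              f"FAR={false_accept_rate(IMPOSTOR_SCORES, t):.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```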

Advantages of biometrics (what a person is)
  Can't be loaned like a physical key or token and can't be forgotten like a password
  Good compromise between ease of use, template size, cost and accuracy
  Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
  Makes network login & authentication effortless

Biometric Disadvantages (what a person is)
  Processing speed issues
  Still relatively expensive per user
  Accuracy - subject to environmental changes
  User acceptability - some hesitancy for user acceptance

Biometric privacy issues (what a person is)
  Tracking and surveillance - ultimately, the ability to track a person's movement from hour to hour
  Anonymity - biometric links to databases could dissolve much of our anonymity when we travel and access services
  Profiling - compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Multi-factor authentication
  2-factor authentication - to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication
    ATM card + PIN
    Credit card + signature
    PIN + fingerprint
  3-factor authentication - for highest security
    Password + SecurID token + fingerprint

Single Sign-on (Reduced Sign-on)
  User authenticates only once to a network system to be allowed on all systems in an enterprise
  Benefits
    More efficient user logon process
    Stronger passwords are required
    Inactivity thresholds applied uniformly
    Effective for disabling terminated accounts

Single sign-on
  User has one password for all enterprise systems and applications - that way, one strong password can be remembered and used
  All of a user's accounts can be quickly created on hire, deleted on dismissal
  Hard to implement and get working
  Kerberos, SPNEGO, X.509, SESAME (Secure European System for Applications in a Multi-vendor Environment), SAML, WS-Federation
  CA eTrust, RSA Access Manager, IBM Tivoli Access Manager

Single Sign-on - Methodologies
  Network session managers
    Provides multiple sessions limited to one computing platform
    Synchronization problems
  Security server
    SESAME - Secure European System for Applications in a Multivendor Environment
      Provides distributed access control using symmetric and asymmetric cryptography
      Project of ECMA
      Provides global access identity - targets end system and provides mapping to local access

Single Sign-on - Security server (cont'd)
  Kerberos - MIT Project Athena
    User authentication, encryption, and uses tickets
    Authenticator contains same verification information
    Tickets - database of clients and private keys
    Windows/Active Directory uses Kerberos today
  Credential caching
  Scripting
    Macro language
    Replay user keystrokes
    Scans for message strings
  ID Federation - Liberty Alliance, SAML, WS-Federation

Access Control Systems & Methodology - Authorization

Access Control Structure
  Subject - an active user or process that requests access to a resource
  Object - a resource that contains information
  Domain - a set of objects that the subject can access
  Groups - subjects and objects grouped together based on shared characteristics

Access Control Criteria
  Identity - a unique way to identify an individual or program in a system
  Roles - computer-related functions performed by a user that use an exclusive set of privileges
  Location - physical or logical place of user
  Time - day/time parameters used to control resource use
  Transaction - program checks that can be performed to protect information

Access Control Techniques
  Content dependent - access based on content of record
    provides more access control granularity
    access request is in form of question
    arbiter program controls access
  Temporal isolation - access based on user work schedule
    used for multilevel security
    each time slot a different access level
    used for rotating shifts, weekend operations, etc.
  Least privilege rule (need-to-know) - all data access is restricted unless granted

Principles of Access Control
  Rule of least privilege
    One of the most fundamental principles of infosec
    States that: any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more
    An AC system that grants users only those rights necessary for them to perform their work
    Limits exposure to attacks and the damage an attack can cause
    Physical security example: car valet key vs. regular key
  Separation of Duties
    Limits users' access based on duty position
    Split responsibility - requires collusion to create harm

Implementing least privilege
  Ensure that only a minimal set of users have root/administrator/sysadmin access
  There are commercial tools available to support shared root access without a shared root password
  Ensure that software deployed doesn't demand greater access than really needed
  Implement via explicit group membership, not nested or via shared passwords

Access Control Systems & Methodology - Formal Models

Varied types of Access Control
  Discretionary (DAC) vs Mandatory (MAC)
  Centralized vs Decentralized
  Formal models (detail in Sec Arch module):
    Biba (integrity)
    Take/Grant
    Clark/Wilson
    Bell/LaPadula (confidentiality)

Access Control Models
  Discretionary - resource owner determines access and privileges user should have (107.2)
    Identity-based - access based on user and resource identity
    User-directed - user (owner) grants access based on restrictions
    Hybrid - access based on identity-based and user-directed controls
  Mandatory - system determines access based on label (107.3)
    Object label contains object's classification
    Subject label contains subject's clearance
    Rule-based - access granted based on resource rules
    Administratively directed - access granted by administrator

Access Control Models
  Non-Discretionary - resource access is granted based on policies and control objectives
    Role-based - access is based on user's responsibilities
    Task-based - access is based on user's job duties
    Lattice-based - complex decisions with multiple objects and subjects; a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements

Competing definition
Wiki defines these three types:
  DAC (Discretionary Access Control)
  MAC (Mandatory Access Control) - rule-based or lattice-based; controls read and write permissions based on a user's clearance level and object confidentiality labels
  RBAC (Role Based Access Control) - controls collections of permissions that may include complex operations such as an e-commerce transaction
MAC and RBAC are both defined as non-discretionary

Discretionary Access Control
  Access is restricted based on the authorization granted to the user
  Orange Book C-level
  Prime use is to separate and protect users from unauthorized data
  Used by Unix, NT, NetWare, Linux, Vines, etc.
  Relies on the object owner to control access

Mandatory Access Control
  Assigns sensitivity levels, AKA labels
  Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level
  Only the administrators, not object owners, may change the object level
  Generally more secure than DAC
  Orange Book B-level
  Used in systems where security is critical, i.e., military
  Hard to program for, configure & implement

Mandatory Access Control (continued)
  Downgrade in performance
  Relies on the system to control access
  Example: if a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file
  All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
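An added worked example (written for this edit, not from the slides) of the lattice-based and mandatory models above: a label is a classification level plus a set of compartments, dominance gives the partial order, lub and glb are the least upper and greatest lower bounds the lattice slide mentions, and the read/write checks assume the Bell-LaPadula rules as the concrete MAC rules, so that a subject holding SECRET is refused when writing into a CONFIDENTIAL file. The level names and compartments (NUC, CRYPTO) are illustrative.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ordered classification levels; a higher index is more sensitive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """One lattice element: a classification level plus need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order: level at least as high AND compartments a superset.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)

    def comparable(self, other: "Label") -> bool:
        # SECRET{NUC} and SECRET{CRYPTO} are incomparable: neither dominates the other,
        # which is why a lattice (with lub/glb) rather than a simple ranking is needed.
        return self.dominates(other) or other.dominates(self)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b
    (e.g. the label a document merged from both sources must carry)."""
    return Label(max(a.level, b.level, key=LEVELS.index), a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both a and b dominate
    (the most that two subjects may both see)."""
    return Label(min(a.level, b.level, key=LEVELS.index), a.compartments & b.compartments)


def can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance must dominate the object."""
    return clearance.dominates(obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object's label must dominate the subject's clearance,
    so a SECRET-cleared subject cannot write into a CONFIDENTIAL file."""
    return obj.dominates(clearance)


if __name__ == "__main__":
    secret_nuc = Label("SECRET", frozenset({"NUC"}))
    conf_crypto = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print("lub:", lub(secret_nuc, conf_crypto))
    print("glb:", glb(secret_nuc, conf_crypto))
    print("SECRET subject writes CONFIDENTIAL file:",
          can_write(Label("SECRET"), Label("CONFIDENTIAL")))
```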

Problems with formal models
  Based on a static infrastructure
  Defined and succinct policies
  These do not work in corporate systems, which are extremely dynamic and constantly changing
  None of the previous models deals with:
    Viruses / active content
    Trojan horses
    Firewalls
  Limited documentation on how to build these systems

Access Control Models
  Centralized - one location is responsible for access control
    Advantage - strict control and uniformity of access
    Disadvantage - central administration can be overloaded
    Examples:
      RADIUS (Remote Authentication Dial-in User Service)
      TACACS (Terminal Access Controller Access Control System)
      Active Directory

Access Control Models
  Decentralized - resource owners are responsible for access control
    Examples:
      Domain - set of authorized accesses permitted within a resource area
      Trusted computer system - a system that has hardware and software controls that ensure data integrity

Access Control Models - Decentralized (continued)
  Domains
    The access control parameters that protect an address space in which a program is operating
    A set of objects a subject can access
    Principle of separation protects resources, where resources are encapsulated in distinct address spaces
    Common subset of subjects
    Hierarchical domain relationship - subjects can access objects in equal or lower domains; domains of higher privilege are protected from lower

Access Control Models - Decentralized (continued)
  Trusted Computer System - a trusted computer system is one that provides at least one active function essential to the protection of information
    Control is based on policy - rules to enforce
    Mechanism - enforces policy
    Assurance - confidence in control to provide function
  Hybrid - a combination of centralized and decentralized administration

Access Control Systems & Methodology - DOD Influence

Orange Book
  DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
  Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
  For stand-alone systems only
  Windows NT has a C2 utility; it does many things, including disabling networking

Orange Book levels
  A - Verified protection
    A1 - Boeing SNS, Honeywell SCOMP
  B - MAC
    B1/B2/B3 - MVS w/ s, ACF2 or TopSecret, Trusted IRIX
  C - DAC
    C1/C2 - DEC VMS, NT, NetWare, Trusted Solaris
  D - Minimal security. Systems that have been evaluated, but failed - PalmOS, MS-DOS, OS/2, NT

Problems with the Orange Book
  Based on an old model, Bell-LaPadula
  Stand alone, no way to network systems
  Systems take a long time (1-2 years) to certify
  Any changes (hot fixes, service packs, patches) break the certification
  Has not adapted to changes in client/server and corporate computing
  Certification is expensive
  Mostly not used outside of the government sector

Red Book
  Used to extend the Orange Book to networks
  Actually two works:
    Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
    Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)

Access Control Systems & Methodology - Techniques

Access Control Techniques
  Access Control Lists - a list containing users permitted to resources, or vice versa
    Elementary list - a short list of predefined access rights
    Advanced list - access rights based within a registry that permits user-defined controls
  Different operating systems have different ACL terms
  Types of access (capabilities): Read/Write/Create/Execute/Modify/Delete/Rename

ACL Types
  Menus and shells
  Database views
  Physically constrained user interfaces - restrict access by blocking direct access to function
  Capability tables - access to protected resources granted if accessor possesses authentication ticket

Mainframe ACL Sample 1
  (screenshot; image not reproduced in this text)

Mainframe Sample - 2
  INFORMATION FOR DATASET ABCD.EFGHIJ.** (G)
  ...
  ID        ACCESS
  --------  -------
  USER1     READ
  USER2     UPDATE
  GROUPB    EXECUTE

  ID        ACCESS   CLASS     ENTITY NAME
  --------  -------  --------  -------------------------
  NO ENTRIES IN CONDITIONAL ACCESS LIST

Mainframe Sample # 3
  ACCESSORID = XXXXXX   NAME = SAMPLE USER
  XA DATASET = OPSG                OWNER(DSN)
     ACCESS  = ALL
  XA DATASET = AABB.               OWNER(DSN)
     ACCESS  = READ   PRIVPGM = SAMPPROG
  XA DATASET = CCDD.FFFF.YYYY      OWNER(SYS)
     ACCESS  = NONE
  XA DATASET = EEE.GGGG            OWNER(SYS)
     ACCESS  = ALL    ACTION = AUDIT

Standard UNIX file permissions

  Permission    Allowed action, if object is a file    Allowed action, if object is a directory
  R (read)      Read contents of the file              List directory contents
  W (write)     Change file contents                   Add, rename, create files & sub-directories
  X (execute)   Execute the file, if a program         Search the directory

UNIX Sample
  -rw-rw-r--   1 user1 group1   852 Jul 17  2003 samplefile.txt
  drwxrwxr-x   2 user1 group1   512 Apr 18 09:14 testdir
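An added example (not from the slides) that parses ls -l lines like the two above, maps the r/w/x bits onto the file-vs-directory meanings from the permissions table, and answers what a given user may do with each object; it also flags setuid-root programs, the case the recommendation slide that follows warns about. The third listing line ("helper") and the user and group names used in the checks are constructed.

```python
import re
from typing import List, NamedTuple

# The slide's two sample lines plus one constructed setuid-root entry (the "helper" line is made up).
LISTING = """\
-rw-rw-r--   1 user1 group1   852 Jul 17  2003 samplefile.txt
drwxrwxr-x   2 user1 group1   512 Apr 18 09:14 testdir
-rwsr-xr-x   1 root  root    9312 Apr 18 09:20 helper
"""


class Entry(NamedTuple):
    name: str
    is_dir: bool
    owner: str
    group: str
    mode: str      # nine plain rwx characters, e.g. "rw-rw-r--"
    setuid: bool
    setgid: bool


# type, 9 permission chars, link count, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(r"^([-d])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")


def parse_ls(text: str) -> List[Entry]:
    """Parse ls -l output lines; 's'/'S' in the owner or group execute slot mean setuid/setgid."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        kind, perm, owner, group, name = m.groups()
        # Normalise the execute slots: s/x/t mean executable, S/T/- mean not.
        mode = "".join(("x" if c in "sxt" else "-") if i % 3 == 2 else c
                       for i, c in enumerate(perm))
        entries.append(Entry(name, kind == "d", owner, group, mode,
                             perm[2] in "sS", perm[5] in "sS"))
    return entries


# Meaning of each bit, taken from the slide's permissions table.
FILE_ACTIONS = {"r": "read contents of the file",
                "w": "change file contents",
                "x": "execute the file, if a program"}
DIR_ACTIONS = {"r": "list directory contents",
               "w": "add, rename, create files & sub-directories",
               "x": "search the directory"}


def allowed_actions(entry: Entry, user: str, groups: List[str]) -> List[str]:
    """Select the owner, group or other triplet that applies to the user (UNIX checks in that
    order and does not fall through), then translate its bits into the table's actions."""
    if user == entry.owner:
        triplet = entry.mode[0:3]
    elif entry.group in groups:
        triplet = entry.mode[3:6]
    else:
        triplet = entry.mode[6:9]
    table = DIR_ACTIONS if entry.is_dir else FILE_ACTIONS
    return [table[bit] for bit in "rwx" if bit in triplet]


def setuid_root_programs(entries: List[Entry]) -> List[str]:
    """Files that run setuid to root: the recommendation slide says to avoid these when a
    group-writable file plus setgid to that group would do."""
    return [e.name for e in entries if e.setuid and e.owner == "root" and not e.is_dir]


if __name__ == "__main__":
    for e in parse_ls(LISTING):
        print(e.name, "as user1:", allowed_actions(e, "user1", ["group1"]))
        print(e.name, "as other:", allowed_actions(e, "guest", ["users"]))
    print("setuid-root programs:", setuid_root_programs(parse_ls(LISTING)))
```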

UNIX - recommendation
  Don't make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
  Don't run insecure programs on the firewall or other trusted host

Windows Sample
  (screenshot; image not reproduced in this text)

Access Control Systems & Methodology - Administration, Auditing & Monitoring

Access Control Administration
  Centralized - one location is responsible for access control
    Advantages - strict control and uniformity of access; composite access view easier
    Disadvantages - central administration can be overloaded; more difficult to associate entitlements with approvers

Access Control Administration
  Decentralized - resource owners are responsible for access control
    Advantage - access is granted by the person accountable (approver)
    Disadvantages - access combination conflicts; composite view of user access unavailable; lack of access consistency; more difficult to respond to external regulators

Auditing and Monitoring
Organizations use two basic methods to maintain operational assurance:
  System audit - a periodic event to evaluate security
  Monitoring - an ongoing activity that checks users and systems

Auditing
  Periodic access reviews - data owners review and certify users who have access
  Automated tools - program reviews system and reports vulnerabilities
  Internal controls audit - auditor reviews and analyzes controls
  Security checklists - security plan used as a system checklist
  Penetration testing - attempt to break in to check controls

Periodic Access Reviews
  Regular review of network and application user accounts against active employee termination lists to ensure that only active personnel have active accounts
  Regular review of user entitlements by user managers and data/application owners to ensure that users only have the access necessary to do their job

Monitoring
  IDS
  Logs
  Audit trails
  Network tools - Tivoli, Spectrum, OpenView

Monitoring - Intrusion Detection (IDS)
  Techniques which attempt to detect computer and network intrusion by logs or audit trail
  Automated intrusion detection - examines logs and compares with expected user profile activity
  Statistical intrusion detection - monitors behavior and maintains profiles, then compares logs mathematically
  Rule-based intrusion detection - rules characterize intrusions (i.e. generic or operating system specific), then compares logs against rule database
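An added example (written for this edit, not from the slides) that runs two of the detection approaches above over a constructed audit trail in the date/time/ID/origin shape the password-management slides call for: a rule-based check that suspends an ID after N failed logons inside a time window, and a profile check that flags successful logons at hours outside the user's expected activity. The log lines, user names, addresses and hour profiles are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit-trail lines (not real logs): date/time, result, ID and origin of each logon.
AUDIT_TRAIL = """\
2010-03-02 09:14:07 LOGON SUCCESS id=jsmith origin=10.1.2.30
2010-03-02 09:20:11 LOGON FAIL    id=adminx origin=203.0.113.9
2010-03-02 09:20:15 LOGON FAIL    id=adminx origin=203.0.113.9
2010-03-02 09:20:19 LOGON FAIL    id=adminx origin=203.0.113.9
2010-03-02 09:20:24 LOGON FAIL    id=adminx origin=203.0.113.9
2010-03-02 13:05:44 LOGON FAIL    id=mlee origin=10.1.2.31
2010-03-02 13:06:10 LOGON SUCCESS id=mlee origin=10.1.2.31
2010-03-02 23:41:02 LOGON SUCCESS id=jsmith origin=198.51.100.7
"""

# Expected user profile (constructed): the hours during which each ID normally logs on.
USER_PROFILE: Dict[str, range] = {"jsmith": range(8, 18), "mlee": range(8, 18), "adminx": range(8, 18)}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGON (SUCCESS|FAIL)\s+id=(\S+) origin=(\S+)$")


def parse_audit_trail(text: str) -> List[dict]:
    """Turn audit-trail lines into records; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, uid, origin = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "result": result, "id": uid, "origin": origin})
    return records


def rule_based_lockouts(records: List[dict], max_failures: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Rule-based detection: N unsuccessful logons for one ID inside a sliding window trips
    the slides' 'suspend ID after a number of unsuccessful logon attempts' control.
    Returns {id: time at which the suspension was triggered}."""
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    suspended: Dict[str, datetime] = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["result"] != "FAIL" or r["id"] in suspended:
            continue
        # Keep only failures still inside the window, then add this one.
        fails = [t for t in recent_failures[r["id"]] if r["ts"] - t <= window] + [r["ts"]]
        recent_failures[r["id"]] = fails
        if len(fails) >= max_failures:
            suspended[r["id"]] = r["ts"]
    return suspended


def profile_anomalies(records: List[dict], profile: Dict[str, range]) -> List[Tuple[str, str, str]]:
    """Profile-based detection: successful logons at an hour outside the ID's expected activity.
    An ID with no profile at all is also reported, since nothing is known about it."""
    return [(r["id"], r["ts"].isoformat(), r["origin"])
            for r in records
            if r["result"] == "SUCCESS" and r["ts"].hour not in profile.get(r["id"], range(0))]


if __name__ == "__main__":
    recs = parse_audit_trail(AUDIT_TRAIL)
    print("suspended IDs:", rule_based_lockouts(recs))
    print("out-of-profile logons:", profile_anomalies(recs, USER_PROFILE))
```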

Audit Trails
  An audit trail is a series of records on computer events occurring within a system or application
  Keystroke monitoring - a record of keystroke information entered by a system user
  Event-oriented - contains records on system, application, or user
  Benefits - individual accountability, reconstruction of events, intrusion detection, and problem analysis
  Issues - protection, periodic review, analysis of data

Monitoring
  Review of system logs - periodic review to detect problems
  Automated tools - virus scanners, performance monitor, password crackers, etc.
  Configuration management - system changes are reviewed
  Electronic news - incident response and alert e-mail notices

Intrusion Detection Systems
  IDS monitors system or network for attacks
  IDS engine has a library and set of signatures that identify an attack
  Adds defense in depth
  NIDS / HIDS
  Should be used in conjunction with a system scanner (CyberCop, ISS S3) for maximum security

Monitoring - Adaptive real-time anomaly detection
  Inductively generated sequential patterns
  Sequential rules describe behavior
  Time-based inductive learning approach - time-based induction machine (TIM)
    observes temporal process
    identifies patterns
    set of hypotheses
    input episodes
    user profile

Penetration Testing
  Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
    Discovery and footprint analysis
    Exploitation
    Physical security assessment
    Social engineering
  Attempt to ID vulnerabilities and gain access to critical systems within the organization
  IDs and recommends corrective action for the systemic problems
  Assessments allow the client to demonstrate the need for additional security resources

Access Control Systems & Methodology - Information System Controls

Banners
  Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
  Not foolproof, but a good start, especially from a legal perspective
  Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.

Access Control Software
  Software that automates information security functions on host computers
  Features: use password protection, log accesses, user access controls, data access controls, flexible administration
  Examples: RACF, ACF2, TOP SECRET, Tivoli Access Manager, RSA Access Manager, Windows GINA/Active Directory

RAS access control
  RADIUS (Remote Authentication Dial-In User Service)
  TACACS/TACACS+ (Terminal Access Controller Access Control System)
  Both defined in greater detail in the Telecom and Network Security module.

Kerberos
  Part of MIT's Project Athena
  Currently in version 5
  Kerberos is an authentication protocol used for network-wide authentication
  All software must be kerberized
  Tickets, authenticators, key distribution center (KDC)
  Divided into realms
  Kerberos is the three-headed dog that guards the entrance to Hades (this won't be on the test)

Kerberos roles
  KDC divided into Authentication Server & Ticket Granting Server (TGS)
  Authentication Server - authenticates the identities of entities on the network
  TGS - generates unique session keys between two parties. Parties then use these session keys for message encryption

Kerberos authentication
  User must have an account on the KDC
  KDC must be a trusted server in a secured location
  Shares a DES key with each user
  When a user wants to access a host or application, they request a ticket from the KDC
  User provides ticket and authenticator to the application, which processes them for validity and will then grant access
  Requires synchronized time clocks
  Relies on UDP, which is often blocked by many firewalls
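An added simulation (written for this edit, not from the slides or from MIT's implementation) of the exchange the Kerberos slides describe: the Authentication Server issues a TGT under the key it shares with the user, the TGS issues a service ticket and session key, and the kerberized service validates the ticket plus a fresh authenticator, refusing it when the clocks disagree by more than the allowed skew. The keystream cipher, the principal names and the 5-minute skew are assumptions for the demo; real Kerberos uses a standard cipher (DES historically, AES today) and its own message formats.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds; authenticators outside this window are refused, hence synchronized clocks


# --- Toy authenticated encryption, constructed for this demo only (not a real cipher) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON-able message under key and append an HMAC tag (nonce | ciphertext | tag)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; a wrong key (e.g. wrong password) or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(auth: dict, ticket: dict, now: float) -> None:
    """Ticket and authenticator must name the same client, the authenticator must be fresh
    (within CLOCK_SKEW of the verifier's clock) and the ticket must not have expired."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock-skew window (replay or bad clock)")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")


class KDC:
    """Authentication Server + Ticket Granting Server; shares a long-term key with each principal."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)
        self.keys["krbtgt"] = os.urandom(32)  # TGS's own key; never leaves the KDC

    def as_exchange(self, client: str, now: float) -> bytes:
        """AS reply: a client/TGS session key plus a TGT, sealed under the client's own key."""
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session.hex(),
                                         "expires": now + 8 * 3600})
        return seal(self.keys[client], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """TGS reply: a client/service session key plus a service ticket sealed under the service key."""
        tgt_body = unseal(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(tgt_body["key"])
        check_authenticator(unseal(session, authenticator), tgt_body, now)
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt_body["client"], "key": svc_session.hex(),
                                           "expires": now + 3600})
        return seal(session, {"key": svc_session.hex(), "ticket": ticket.hex()})


class Service:
    """A kerberized application: it never talks to the KDC, it only needs its own key."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        body = unseal(self.key, ticket)
        check_authenticator(unseal(bytes.fromhex(body["key"]), authenticator), body, now)
        return body["client"]  # authenticated principal; access is granted to this identity


def client_login(kdc: KDC, client: str, client_key: bytes, service: str, now: float):
    """What a kerberized client does: AS exchange, TGS exchange, then build the authenticator it
    presents together with the service ticket. Returns (service_ticket, authenticator)."""
    as_rep = unseal(client_key, kdc.as_exchange(client, now))
    session, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(session, kdc.tgs_exchange(
        tgt, seal(session, {"client": client, "timestamp": now}), service, now))
    svc_session = bytes.fromhex(tgs_rep["key"])
    return bytes.fromhex(tgs_rep["ticket"]), seal(svc_session, {"client": client, "timestamp": now})
```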

Access Control Systems & Methodology - Vulnerabilities & Attacks

Risk
  Threat - an activity with the potential for causing harm to an information system
  Vulnerability - a flaw or weakness that may allow harm to an information system
  Impact - the harm that would be caused by an incident
  Risk - a combination of the chance that a threat will occur and the severity of its impact
  Exposure - a specific instance of weakness to losses from a threat event

Vulnerabilities
  Physical
  Natural - floods, earthquakes, terrorists, power outage, lightning
  Hardware/Software
  Media - corrupt electronic media, stolen disk drives
  Emanation
  Communications
  Human - social engineering, disgruntled staff

Attacks
  Passive attack - monitor network traffic and then use data obtained or perform a replay attack. Hard to detect
  Active attack - attacker is actively trying to break in
    Exploit system vulnerabilities
    Spoofing
    Crypto attacks
  Denial of service (DoS) - not so much an attempt to gain access, rather to prevent system operation
    Smurf, SYN flood, ping of death
    Mail bombs

Methods of Attack
Methods to bypass access controls and gain unauthorized access to information:
  Brute force - persistent series of attacks, trying multiple approaches, in an attempt to break into a computer system
  Denial of service - overloading a system through an online connection to force it to shut down
  Social engineering - deception of system personnel in order to gain access
  Spoofing - masquerading an ID or data to gain access to data or a system

Password Attacks
  Brute force - l0phtcrack
  Dictionary - Crack, John the Ripper
  Trojan horse login program

Access Control Systems & Methodology - Protection

Object reuse
  Must ensure that magnetic media do not have any remnants of previous data
  Also applies to buffers, cache and other memory allocation
  Required at TCSEC B2/B3/A1 level
  Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann: http://www.fish.com/security/secure_del.html
  Documents recently declassified as to how 10-pass writes were recovered
  Objects must be declassified
  Magnetic media must be degaussed or have secure overwrites

TEMPEST
  Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment
  With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards
  TEMPEST-certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations

TEMPEST (continued)
  Rooms & buildings can be TEMPEST-certified
  TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
  TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents
