Access Control
Domain #2
Objectives
Access control types
Identification, authentication, authorization
Control models and techniques
Single sign-on technologies
Centralized and decentralized administration
Intrusion Detection Systems (IDS)
Technical
Encryption, password, biometrics
Administrative
Policies, procedures, security training
Detective
Identify undesirable events that have happened
Corrective
Correct undesirable events that have happened
Deterrent
Discourage security violations from taking place
Continued
Recovery
Restore resources and capabilities after a violation or accident
Compensation
Provides alternatives to other controls
Authentication
Something you know
Something you have
Something you are
2-Factor Authentication
Use 2 out of the 3 types of characteristics
Access Criteria
Security Clearance
Mandatory control systems and labels
Need-to-Know
Formal processes
Requirements of role within company for access
Least Privilege
Least amount of rights needed to carry out tasks
No authorization creep
Default to NO ACCESS
Example Controls
Biometrics
Retina, finger, voice, iris
Tokens
Synchronous and asynchronous devices
Memory Cards
ATM card, proximity card
Smart Cards
Credit card, ID card
Biometric Controls
Error Types
Type I error
Rejects authorized individuals (False Reject)
Too high a level of sensitivity
Type II error
Accepts imposter (False Accept)
Too low a level of sensitivity
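The two error types are a single trade-off: moving the matcher's acceptance threshold up raises Type I (false reject) errors and lowers Type II (false accept) errors, and vice versa. The following is an added example, not part of the slides, that sweeps the threshold over constructed (not measured) match scores to show both rates and find the crossover point; the score lists and the 0.01 step are assumptions.

```python
# Added example (not from the slides): sweep a biometric matcher's acceptance
# threshold to see Type I (false reject) and Type II (false accept) rates move
# in opposite directions. The match scores are constructed, not measured.

# Scores from enrolled users (genuine) and from non-enrolled people (impostors).
GENUINE_SCORES = [0.91, 0.88, 0.83, 0.79, 0.76, 0.72, 0.69, 0.65, 0.58, 0.52]
IMPOSTOR_SCORES = [0.12, 0.18, 0.23, 0.29, 0.34, 0.41, 0.47, 0.55, 0.61, 0.68]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for one threshold; a sample is accepted if score >= threshold.

    FRR = Type I error rate (authorized people rejected); rises as sensitivity rises.
    FAR = Type II error rate (impostors accepted); rises as sensitivity falls.
    """
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def crossover_threshold(step=0.01):
    """Threshold where FRR and FAR are closest (the crossover error rate, CER).

    CER is the usual single figure for comparing devices; a deployment then
    moves the threshold up or down from it depending on which error costs more.
    """
    best_threshold, best_gap = None, None
    threshold = 0.0
    while threshold <= 1.0:
        frr, far = error_rates(threshold)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_threshold, best_gap = threshold, gap
        threshold = round(threshold + step, 2)
    return best_threshold


if __name__ == "__main__":
    for t in (0.3, 0.5, crossover_threshold(), 0.7, 0.9):
        frr, far = error_rates(t)
        print(f"threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
```

Running it shows the crossover near 0.59 for these scores, with FRR climbing toward 1.0 and FAR toward 0.0 as the threshold rises; which side of the crossover a deployment sits on is a risk decision (a data center door tolerates more false rejects than a consumer phone unlock).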
Biometric Example
Fingerprint
Ridge endings and bifurcations
Finger Scan
Uses less data than fingerprint (minutiae)
Palm Scan
Creases, ridges, and grooves from palm
Hand Geometry
Length and width of hand and fingers
More Biometrics
Retina Scan
Blood vessel pattern on back of eyeball
Iris Scan
Colored portion of eye
Signature Dynamics
Electrical signals of signature process
Keyboard Dynamics
Electrical signals of typing process
More Biometrics
Voice Print
Differences in sound, frequency, and pattern
Facial Scan
Bone structure, nose, forehead size, and eye width
Hand Topology
Size and width of side of hand
Passwords
Least secure but cheap
Should be at least 8 characters and complex
Keep a password history
Clipping levels used
Audit logs
Password Attacks
Dictionary Attacks
Rainbow tables
Countermeasures
Encrypt passwords
Use password advisors
Do not transmit in clear text
GREATLY protect central store of passwords
Use cognitive passwords
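The password slides above (minimum length and complexity, password history, clipping levels, audit logs, hashed rather than plaintext storage) combine into a small credential store. The following is an added example, not from the slides: the complexity rule (8 or more characters, three of four character classes), the history depth of 5, the clipping level of 3 failures and the PBKDF2 iteration count are all assumptions chosen for illustration, and the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
import re
from collections import deque

# Added example (not from the slides). Policy constants are assumptions.
ITERATIONS = 100_000   # iterated hashing slows offline guessing; tune to hardware
HISTORY_DEPTH = 5      # how many previous passwords are remembered per user
CLIPPING_LEVEL = 3     # failed attempts tolerated before the account locks


def is_complex(password: str) -> bool:
    """Assumed complexity rule: at least 8 characters and 3 of 4 character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= 8 and sum(bool(re.search(c, password)) for c in classes) >= 3


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The per-user salt means a precomputed rainbow
    table is useless: identical passwords give different stored digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordStore:
    def __init__(self):
        self.users = {}    # username -> {"history": deque[(salt, digest)], "failures", "locked"}
        self.audit = []    # audit log lines; failed and successful attempts are both recorded

    def _record(self, user):
        return self.users.setdefault(
            user, {"history": deque(maxlen=HISTORY_DEPTH), "failures": 0, "locked": False})

    def set_password(self, user: str, password: str) -> None:
        rec = self._record(user)
        if not is_complex(password):
            raise ValueError("password does not meet complexity policy")
        for salt, digest in rec["history"]:           # history check: no reuse
            if hmac.compare_digest(derive(password, salt), digest):
                raise ValueError("password was used recently")
        salt = os.urandom(16)
        rec["history"].append((salt, derive(password, salt)))   # newest is current
        self.audit.append(f"PASSWORD_CHANGE user={user}")

    def verify(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None or not rec["history"]:
            self.audit.append(f"AUTH_FAIL user={user} reason=unknown-user")
            return False
        if rec["locked"]:
            self.audit.append(f"AUTH_FAIL user={user} reason=locked")
            return False
        salt, digest = rec["history"][-1]
        if hmac.compare_digest(derive(password, salt), digest):
            rec["failures"] = 0
            self.audit.append(f"AUTH_OK user={user}")
            return True
        rec["failures"] += 1
        if rec["failures"] >= CLIPPING_LEVEL:        # clipping level reached
            rec["locked"] = True
            self.audit.append(f"LOCKOUT user={user} failures={rec['failures']}")
        else:
            self.audit.append(f"AUTH_FAIL user={user} failures={rec['failures']}")
        return False

    def current_digest(self, user: str) -> bytes:
        return self.users[user]["history"][-1][1]


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "Corr3ct-Horse")   # constructed credentials
    store.set_password("bob", "Corr3ct-Horse")
    print("same password, different digests:", store.current_digest("alice") != store.current_digest("bob"))
    print("login ok:", store.verify("alice", "Corr3ct-Horse"))
    for line in store.audit:
        print(line)
```

The clipping level is applied per account and only the lockout event is escalated, which keeps the audit log readable while still surfacing guessing attempts; the digest itself is never transmitted or logged, in line with the "do not transmit in clear text" point.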
One-time Passwords
Dynamic
Generated for one time use
Protects against replay attacks
Token devices can generate
Synchronized to time or event
Based on challenge response mechanism
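To make the one-time password points concrete (dynamic codes, replay protection, token devices synchronized to an event counter or to time), here is an added example that is not part of the slides. It follows the HOTP/TOTP construction of RFC 4226 and RFC 6238; the secret is the RFC 4226 test-vector secret, not a real key, and the look-ahead window of 5 is an assumption.

```python
import hashlib
import hmac
import struct
import time

# Added example (not from the slides): event- and time-synchronized one-time
# passwords in the HOTP/TOTP style, plus the server-side bookkeeping that
# makes a captured code worthless for replay.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronized code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized code: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, int(unix_time) // step, digits)


class HotpValidator:
    """Server side for an event-based token. Remembers the highest counter
    already accepted, so resubmitting an old code fails (replay protection),
    and looks ahead a few counters in case the token was pressed without use."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1

    def validate(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # every counter at or below is now spent
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test secret, not a real key
    validator = HotpValidator(secret)
    first = hotp(secret, 0)
    print("first code accepted:", validator.validate(first))
    print("same code replayed :", validator.validate(first))
    print("current TOTP       :", totp(secret, time.time()))
```

The replay property comes entirely from the server's `last_counter` state: a code is only ever accepted for a counter above the last one used, so an observed code has no value once the legitimate user has submitted it. For the time variant, the equivalent check is to remember the last accepted time step.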
Passphrase
Memory Cards
Magnetic stripe holds data but cannot process data
No processor or circuits
Proximity cards, credit cards, ATM cards
Added costs compared to other technologies
Smart Card
Microprocessor and IC
Tamperproof device (lockout)
PIN used to unlock
Could hold various data
Biometrics, challenge, private key, history
Added costs
Reader purchase
Card generation and maintenance
SSO Continued
Used by directory services (X.500)
Used by thin clients
Used by Kerberos
If KDC is compromised, secret key of every system is also compromised
If KDC is offline, no authentication is possible
Kerberos
Authentication, confidentiality, integrity
No availability or non-repudiation services
Vulnerable to password guessing
Keys stored on user machines in cache
All principals must have Kerberos software
Network traffic should be encrypted
SESAME
Secure European System for Application in a Multi-vendor Environment
Based on asymmetric cryptography
Uses digital signatures
Uses certificates instead of tickets
Not compatible with Kerberos
DOS
Buffer Overflow
Mobile Code
Malicious Software
Password Cracker
Spoofing/Masquerading
Sniffers
Eavesdropping
Emanations
Shoulder Surfing
Object Reuse
Data Remanence
Unauthorized Data Mining
Dumpster Diving
More Threats
Theft
Social Engineering
Help Desk Fraud
Discretionary
Used by OS and applications
Owner of the resource determines which subjects can access
Subjects can pass permissions to others
Owner is usually the creator and has full control
Less secure than mandatory access
Mandatory Access
Access decisions based on security clearance of subject and object
OS makes the decision, not the data owner
Provides a higher level of protection
Used by military and government agencies
RADIUS
AAA protocol
De facto standard for authentication
Open source
Works on a client/server model
Holds authentication information for access
Diameter
New and improved RADIUS
Users can move between service provider networks and change their point of attachment
Includes better message transport, proxying, session control, and higher security for AAA
Not compatible with RADIUS
Logical location
IP addresses
Time of day
Only during work day
Transaction type
Limit on transaction amounts
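The Discretionary and Mandatory Access slides above, together with the access criteria here (logical location, time of day, transaction type) and the earlier "default to NO ACCESS" rule, describe one access decision made from several independent checks. The following is an added example, not from the slides, that implements all of them in one decision function: the clearance ladder, the "grant" right used to model subjects passing permissions on, the IP range, the 09:00 to 17:00 weekday window and the 5000 transaction limit are assumptions, and the users and object are constructed.

```python
import ipaddress
from datetime import datetime

# Added example (not from the slides). Labels and policy values are assumptions.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class DacObject:
    """Discretionary control: the owner (usually the creator) holds full control
    and decides which subjects may access. A subject holding 'grant' may pass
    permissions to others, which is the feature that makes DAC the weaker model."""

    def __init__(self, name, owner, label):
        self.name, self.owner, self.label = name, owner, label
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, grantor, subject, right):
        if "grant" not in self.acl.get(grantor, set()):
            return False                                  # grantor may not delegate
        self.acl.setdefault(subject, set()).add(right)
        return True

    def dac_allows(self, subject, right):
        return right in self.acl.get(subject, set())     # absent from ACL: no access


def mac_allows(clearance, label):
    """Mandatory control: decided from labels by the system, not by the owner.
    The subject's clearance must be at least the object's classification."""
    return LEVELS[clearance] >= LEVELS[label]


class ContextPolicy:
    """Access criteria: logical location (IP ranges), time of day (work day
    only) and transaction type (amount limit)."""

    def __init__(self, allowed_nets, work_start, work_end, amount_limit):
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.work_start, self.work_end = work_start, work_end
        self.amount_limit = amount_limit

    def allows(self, src_ip, when, amount=0):
        addr = ipaddress.ip_address(src_ip)
        in_location = any(addr in net for net in self.nets)
        in_hours = when.weekday() < 5 and self.work_start <= when.hour < self.work_end
        within_limit = amount <= self.amount_limit
        return in_location and in_hours and within_limit


def decide(subject, clearance, obj, right, policy, src_ip, when, amount=0):
    """Every check must pass; the default outcome is deny. Returns (allowed,
    list of failed checks) so the denial can be explained in an audit log."""
    failed = []
    if not mac_allows(clearance, obj.label):
        failed.append("mac")
    if not obj.dac_allows(subject, right):
        failed.append("dac")
    if not policy.allows(src_ip, when, amount):
        failed.append("context")
    return len(failed) == 0, failed


if __name__ == "__main__":
    policy = ContextPolicy(["10.0.0.0/8"], 9, 17, 5000)
    payroll = DacObject("payroll", owner="alice", label="confidential")
    monday = datetime(2024, 1, 8, 10, 0)    # constructed timestamps
    print(decide("alice", "secret", payroll, "read", policy, "10.1.2.3", monday))
    print(decide("bob", "secret", payroll, "read", policy, "10.1.2.3", monday))
    payroll.grant("alice", "bob", "read")   # owner passes a permission on (DAC)
    print(decide("bob", "secret", payroll, "read", policy, "10.1.2.3", monday))
```

The MAC check runs regardless of what the owner put in the ACL, which is the slide's point that the operating system, not the data owner, makes the decision; the DAC check is the only one a user can influence, and only within the rights the owner chose to delegate.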
Technical Controls
System access
Individual computer controls
Operating system mechanisms
Network access
Domain controller logins
Methods of access
Network architecture
Controlling flow of information
Network devices implemented
Physical Controls
Network segregation
Wiring closets need physical entry protection
Perimeter security
Restrict access to facility and assets
Computer controls
Remove floppy and CD drives
Lock computer cases
Host-based
Small agent program that resides on individual computer
Detects suspicious activity on one system
IDS Placement
In front of firewall
Uncover attacks being launched
Behind firewall
Root out intruders who have gotten through
Within intranet
Detect internal attacks
Type of IDS
Signature-based
Knowledge based
Database of signatures
Cannot identify new attacks
Need continual updating
Behavior-based
Statistical or anomaly based
Creates many false positives
Compares activity to what is normal
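The two IDS types behave differently on the same traffic: a signature engine catches exactly what is in its database and nothing else, while a statistical engine flags whatever departs from the learned baseline, including legitimate outliers. The following added example, not from the slides, runs both over constructed log lines (source IP, method, path; no real traffic): the two signatures, the baseline window, the request counts and the two-standard-deviation threshold are all assumptions. It also illustrates the IDS issues that follow: the signature set misses a pattern it was never given, and the anomaly engine raises a false positive on a busy but harmless monitoring host.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Added example (not from the slides). Signatures and traffic are constructed.

SIGNATURES = {                              # knowledge base; anything absent is invisible
    "sql-injection": re.compile(r"(?i)\bunion\b\s+\bselect\b"),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed "normal" window used to learn per-host request volume.
BASELINE = (
    ["10.0.0.5 GET /index.html"] * 3
    + ["10.0.0.6 GET /about.html"] * 2
    + ["10.0.0.7 GET /search?q=books"] * 4
    + ["10.0.0.8 GET /contact.html"] * 3
)

# Constructed window under observation.
OBSERVED = (
    ["10.0.0.5 GET /index.html"] * 3
    + ["10.0.0.9 GET /search?q=1%20UNION%20SELECT%20password%20FROM%20users"]
    + ["10.0.0.9 GET /search?q=%d" % i for i in range(11)]   # same host, high volume
    + ["10.0.0.11 GET /download?file=../../../../etc/passwd"]
    + ["10.0.0.12 GET /healthz"] * 8                            # legitimate monitoring host
    + ["10.0.0.13 GET /login?user=admin%27--"]                  # pattern with no signature
)


def parse(line):
    """Split a constructed log line into (source ip, decoded path)."""
    ip, _method, path = line.split(" ", 2)
    return ip, unquote(path)       # decode so encoded payloads can match signatures


def signature_detect(lines):
    """Knowledge-based: report (ip, signature name) for every matching line."""
    hits = []
    for line in lines:
        ip, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name))
    return hits


class RateAnomalyDetector:
    """Behaviour-based: learn per-host request counts from a normal window,
    then flag hosts whose count in a new window exceeds mean + k * stdev."""

    def __init__(self, baseline_lines, k=2.0):
        counts = Counter(parse(line)[0] for line in baseline_lines)
        values = list(counts.values())
        self.mean = statistics.mean(values)
        self.stdev = statistics.stdev(values)
        self.threshold = self.mean + k * self.stdev

    def detect(self, lines):
        counts = Counter(parse(line)[0] for line in lines)
        return sorted(ip for ip, n in counts.items() if n > self.threshold)


if __name__ == "__main__":
    print("signature hits:", signature_detect(OBSERVED))
    detector = RateAnomalyDetector(BASELINE)
    print(f"anomaly threshold: {detector.threshold:.2f} requests per host")
    print("anomalous hosts:", detector.detect(OBSERVED))
```

In the output, 10.0.0.13 appears in neither list even though its request is not benign, because no signature describes it and its volume is normal; 10.0.0.12 appears in the anomaly list only because it is busy. Both engines are reading the path from the log line, which is the practical form of the "cannot analyze encrypted data" limitation: a network sensor in front of a TLS endpoint would see neither payload.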
IDS Issues
May not process all packets on a large network
Cannot analyze encrypted data
Lots of false alarms
Not an answer to all problems
Switched networks make it hard to examine
all packets