Information Systems Security

Access Control
Domain #2

Objectives
Access control types
Identification, authentication, authorization
Control models and techniques
Single sign-on technologies
Centralized and decentralized
administration
Intrusion Detection Systems (IDS)

Roles of Access Control

Limit System Access
Access based on identity, groups,
clearance, need-to-know, location, etc.
Protect against unauthorized disclosure,
corruption, destruction, or modification
Physical
Technical
Administrative

Access Control Examples

Physical
Locks, guards

Technical
Encryption, password, biometrics

Administrative
Policies, procedures, security training

Access Control Characteristics

Preventative
Keeps undesirable events from happening

Detective
Identify undesirable events that have happened

Corrective
Correct undesirable events that have happened

Deterrent
Discourage security violations from taking place

Continued
Recovery
Restore resources and capabilities after a
violation or accident

Compensation
Provides alternatives to other controls

Who are You?

Identification username, ID account #
Authentication passphrase, PIN, bio
Authorization What are you allowed to
do
Separation of Duties
Least Privilege

Authentication
Something you know
Something you have
Something you are
2-Factor Authentication
Use 2 out of the 3 types of characteristics

Access Criteria
Security Clearance
Mandatory control systems and labels

Need-to-Know
Formal processes
Requirements of role within company for access

Least Privilege
Lease amount of rights to carry out tasks
No authorization creep

Default to NO ACCESS

Example Controls
Biometrics
Retina, finger, voice, iris

Tokens
Synchronous and Asynchronous device

Memory Cards
ATM card, proximity card

Smart Cards
Credit card, ID card

Biometric Controls

Uses unique personal attributes

Most expensive and accurate
Society has low acceptance rate
Experience growth after 9-11-2001

Error Types
Type I error
Rejects authorized individuals (False Reject)
Too high a level of sensitivity

Type II error
Accepts imposter (False Accept)
Too low a level of sensitivity

Crossover Error Rate (CER)

JUST RIGHT!!!!!

Biometric Example
Fingerprint
Ridge endings and bifurcations

Finger Scan
Uses less data than fingerprint (minutiae)

Palm Scan
Creases, ridges, and grooves from palm

Hand Geometry
Length and width of hand and fingers

More Biometrics
Retina Scan
Blood vessel pattern on back of eyeball

Iris Scan
Colored portion of eye

Signature Dynamics
Electrical signals of signature process

Keyboard Dynamics
Electrical signals of typing process

More Biometrics
Voice Print
Differences in sound, frequency, and pattern

Facial Scan
Bone structure, nose, forehead size, and eye
width

Hand Topology
Size and width of side of hand

Passwords
Least secure but cheap
Should be at least 8 characters and
complex
Keep a password history
Clipping levels used
Audit logs

Password Attacks
Dictionary Attacks
Rainbow tables

Brute Force Attack

Every possible combination

Countermeasures
Encrypt passwords
Use password advisors
Do not transmit in clear text
GREATLY protect central store of
passwords
Use cognitive passwords

Based on life experience or opinions

One-time Passwords

Dynamic
Generated for one time use
Protects against replay attacks
Token devices can generate
Synchronized to time or event
Based on challenge response mechanism

Not as vulnerable as regular passwords

Passphrase

Longer than a password

Provides more protection
Harder to guess
Converted to virtual password by software

Memory Cards
Magnetic stripe holds data but cannot
process data
No processor or circuits
Proximity cards, credit cards, ATM cards
Added costs compared to other
technologies

Smart Card

Microprocessor and IC
Tamperproof device (lockout)
PIN used to unlock
Could hold various data
Biometrics, challenge, private key, history

Added costs
Reader purchase
Card generation and maintenance

Single Sign-on (SSO)

Scripting Authentication Characteristics
Carry out manual user authentication
As users are added or changed, more
maintenance is required for each script
Usernames and passwords held in one central
script
Many times in clear text

SSO Continued
Used by directory services (x.500)
Used by thin clients
Used by Kerberos
If KDC is compromised, secret key of every
system is also compromised
If KDC is offline, no authentication is possible

Kerberos
Authentication, confidentiality, integrity
NO Non-availability and repudiation
services
Vulnerable to password guessing
Keys stored on user machines in cache
All principles must have Kerberos software
Network traffic should be encrypted

SESAME
Secure European System for Application in
a Multi-vendor Environment
Based on asymmetric cryptography
Uses digital signatures
Uses certificates instead of tickets
Not compatible with Kerberos

Access Control Threats

DOS
Buffer Overflow
Mobile Code
Malicious Software
Password Cracker
Spoofing/Masquerading
Sniffers

More Access Control Threats

Eavesdropping
Emanations
Shoulder Surfing
Object Reuse
Data Remanence
Unauthorized Data Mining
Dumpster Diving

More Threats
Theft
Social Engineering
Help Desk Fraud

Access Control Models

Once security policy is in place, a model
must be chosen to fulfill the directives
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAS)
Also called non-discretionary

Discretionary
Used by OS and applications
Owner of the resource determines which
subjects can access
Subjects can pass permissions to others
Owner is usually the creator and has full
control
Less secure than mandatory access

Mandatory Access
Access decisions based on security
clearance of subject and object
OS makes the decision, not the data owner
Provides a higher level of protection
Used by military and government agencies

Role Based Access Control

Also called non-discretionary
Allows for better enforcing most
commercial security policies
Access is based on users role in company
Admins assign user to a role (implicit) and
then assign rights to the role
Best used in companies with a high rate of
turnover

Remote Authentication Dial-in User

Services (RADIUS)

AAA protocol
De facto standard for authentication
Open source
Works on a client/server model
Hold authentication information for access

Terminal Access Controller Access

Control System (TACACS)
Cisco proprietary protocol
Splits authentication, authorization, and
auditing features
Provides more protection for client-to-server
communication than RADIUS
TACACS+ adds two-factor authentication
Not compatible with RADIUS

Diameter
New and improved RADIUS
Users can move between service provider
networks and change their point of
attachment
Includes better message transport,
proxying, session control, and higher
security for AAA
Not compatible with RADIUS

Decentralized Access Control

Owner of asset controls access
administration
Leads to enterprise inconsistencies
Conflicts of interest become apparent
Terminated employees rights hard to
manage
Peer-to-peer environment

Hybrid Access Control

Combines centralized and decentralized
administration methods
One entity may control what users access
Owners choose who can access their
personal assets

Ways of Controlling Access

Physical location
MAC addresses

Logical location
IP addresses

Time of day
Only during work day

Transaction type
Limit on transaction amounts

Technical Controls
System access
Individual computer controls
Operating system mechanisms

Network access
Domain controller logins
Methods of access

Network architecture
Controlling flow of information
Network devices implemented

Auditing and encryption

Physical Controls
Network segregation
Wiring closets need physical entry protection

Perimeter security
Restrict access to facility and assets

Computer controls
Remove floppys and CDs
Lock computer cases

Protect Audit Logs

Hackers attempt to scrub the logs
Organizations that are regulated MUST
keep logs for a specific amount of time
Integrity of logs can be protected with
hashing algorithms
Restrict network administrator access

Intruder Detection Systems (IDS)

Software employed to monitor a network
segment or an individual computer
Network-based
Monitors traffic on a network segment
Sensors communicate with central console

Host-based
Small agent program that resides on individual
computer
Detects suspicious activity on one system

IDS Placement
In front of firewall
Uncover attacks being launched

Behind firewall
Root out intruders who have gotten through

Within intranet
Detect internal attacks

Type of IDS
Signature-based
Knowledge based
Database of signatures
Cannot identify new attacks
Need continual updating

Behavior-based
Statistical or anomaly based
Creates many false positives
Compares activity to what is normal

IDS Issues
May not process all packets on large
network
Cannot analyze encrypted data
Lots of false alarms
Not an answers to all problems
Switched networks make it hard to examine
all packets

Traps for Intruders

Padded Cell
Codes within a product to detect if malicious
activity is taking place
Virtual machine provides a safe environment
Intruder is moved to this environment
Intruder does not realize that he is not is the
original environment
Protects production system from hacking
Similar to honeypots