SSCP Chpt_1


Access ControlSlide 1 of 71

Access Control
James Moore
Information Security Operations, e^deltacom
President, ISSA – Metro Atlanta
SSCP

Overview
• What is Access Control?
• Basic Approach
• Access Control Models
• Authentication
• TEMPEST
• Watching the Door!
• Iterative Methods Review
• Quiz

What is Access Control?

What is access control?
• Access control is the heart of security
• Definitions:
– The ability to allow system or resource access only to authorized users, programs or processes
– The granting or denying, according to a particular security model, of certain permissions to access a resource
– An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on established rules.

Access control nomenclature
• Authentication
– Process through which one proves and verifies certain information
• Identification
– Process through which one ascertains the identity of another person or entity
• Confidentiality
– Protection of private data from unauthorized viewing
• Integrity
– Data is not corrupted or modified in any unauthorized manner
• Availability
– System is usable. Contrast with DoS.

Key Terms
• Subject – an active entity, usually in the form of a person, process, or device, that causes information to flow among objects.
• Object – a passive entity that contains or receives information, usually in the form of a file, program, or memory.

Labels
• Sensitivity Labels
– Every subject and object in a MAC system has a sensitivity label. Each label has two parts:
• Classification and Category (or compartment)
– Classification – Secret, Top Secret, Confidential (hierarchical)
– Category – Tank Specs, Payroll, Sales Projections
• Example:
– James object sensitivity label: Secret
– R&D compartment sensitivity label: Confidential

How can AC be implemented?
– Hardware
– Software
• Application
• Operating System
• File System
• Protocol
– Physical
– Logical (policies)

What does AC hope to protect?
• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Orange Book
• DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
• Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
• For stand-alone systems only

Orange book levels
• A - Verified protection
• B - MAC
• C - DAC
• D - Minimal security. Systems that have been evaluated, but failed

Basic Approach

Banners
• Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
• Not foolproof, but a good start, especially from a legal perspective
• Make sure that the banner does not reveal system information, e.g., OS, version, hardware, etc.

Rule of least privilege
• One of the most fundamental principles of infosec
• States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can cause
• Physical security example: car ignition key vs. door key

Implementing least privilege
• Ensure that only a minimal set of users have root access
• Don’t make a program run setuid to root if it is not needed. Instead, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
• Don’t run insecure programs on the firewall or other trusted hosts

Multi-factor authentication
• 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
– ATM card + PIN
– Credit card + signature
– PIN + fingerprint
– Username + Password (NetWare, Unix, NT default)
• 3-factor authentication - For highest security
– Username + Password + Fingerprint
– Username + Passcode + SecurID token

Proactive access control
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures

AC & privacy issues
• Expectation of privacy
• Policies
• Monitoring activity, Internet usage, e-mail
• Login banners should detail expectations of privacy and state levels of monitoring

System Accountability
• Requires the system to provide for at least the following:
– The ability to audit transactions
– Control access through authentication
– Provide effective identification

Access Control Models

Varied types of Access Control
• Discretionary (DAC)
– The user/object owner decides the access
• Mandatory (MAC)
– The system decides the access
• Non-Discretionary (Lattice/Role/Task)
– The role determines access
• Formal models:
– Biba
– Clark/Wilson
– Bell/LaPadula

Biba
• The Biba Model
• The Biba model addresses the issue of integrity, i.e. whether information can become corrupted. A new label is used to gauge integrity. If a high-security object comes into contact with low-level information, or is handled by a low-level program, its integrity level can be downgraded. For instance, if one used an insecure program to view a secure document, the program might corrupt the document, append to it, truncate it, or even covertly communicate it to another part of the system.

Clark Wilson
• Clark and Wilson have also created a model which includes an attention to data integrity.
• Data objects can only be manipulated by a certain set of programs. Users have access to the programs rather than to the data (e.g. this is like the WWW or a database).
• Separation of duties: assigning different roles to different users. For instance, think of the dual-key approach to arming nuclear warheads.
• Objects/data can only be accessed by authorized programs (ensures integrity).
• Subjects/users only have access to certain programs.
• An audit log is maintained over external transactions.
• The system must be certified in order for it to work.

Bell LaPadula
• This is a formal description of a system with static access control, i.e. privacy. It tells us nothing about integrity or trust.
• Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.

BLP element          Unix equivalent
Subjects (S)         UID/Username, GID/Groups
Objects (O)          Files, processes, memory segments
Access rights (M)    Read, Write, Execute
Security levels (L)  Allowed/Disallowed, Setuid/Setgid

Problems with formal models
• Based on a static infrastructure
• Defined and succinct policies
• These do not work in corporate systems, which are extremely dynamic and constantly changing
• None of the previous models deals with:
– Viruses/active content
– Trojan horses
– Firewalls
• Limited documentation on how to build these systems

MAC vs. DAC
• Discretionary Access Control
– Individuals decide how information assets are protected and how their data is shared
• Mandatory Access Control
– The system decides how the data will be shared

Mandatory Access Control
• Assigns sensitivity levels, AKA labels
• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
• Only the administrators, not object owners, may change the object level
• Generally more secure than DAC
• Orange book B-level
• Used in systems where security is critical, e.g., military
• Hard to program for, configure & implement

Mandatory Access Control (Continued)
• Downgrade in performance
• Relies on the system to control access
• Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
• All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
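Added example (not from the slides): a small label lattice in Python that ties together the Labels, Biba, Bell-LaPadula and MAC slides above, including the write-down refusal in the example just given. The classification names, the sample subject and file labels, and the reuse of the same Label type as Biba's integrity label are assumptions made for this example.

```python
# Added example, not from the slides. Classification names and sample labels
# are assumptions; the same Label type is reused as Biba's integrity label.
from dataclasses import dataclass, field

# Hierarchical classifications, lowest to highest.
CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical classification plus a set of
    categories (compartments), as the Labels slide describes."""
    classification: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high as other in the lattice:
        classification not lower AND every compartment of other held."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down.
    read  -> subject must dominate object (simple security property)
    write -> object must dominate subject (*-property)"""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity), labels read as integrity levels: no read down,
    no write up. A low-integrity program may not modify a high-integrity
    document, which is the corruption case the Biba slide warns about."""
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: a Secret subject in the R&D compartment and a
    # Confidential file, as on the MAC slide's example.
    james = Label("Secret", frozenset({"R&D"}))
    confidential_file = Label("Confidential")
    # Secret information may not be written into a Confidential file ...
    print(blp_allows(james, confidential_file, "write"))  # False
    # ... but a Secret subject may read a Confidential file.
    print(blp_allows(james, confidential_file, "read"))   # True
```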

Discretionary Access Control
• Access is restricted based on the authorization granted to the user
• Orange book C-level
• Prime use is to separate and protect users from unauthorized data
• Used by Unix, NT, NetWare, Linux, Vines, etc.
• Relies on the object owner to control access

Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, in what method and at what time
• Different operating systems have different ACL terms
• Types of access:
– Read/Write/Create/Execute/Modify/Delete/Rename

Standard UNIX file permissions

Permission   Allowed action, if object is a file   Allowed action, if object is a directory
R (read)     Read contents of the file             List contents of the directory
X (execute)  Execute file as a program             Search the directory
W (write)    Change file contents                  Add, rename, create files and subdirectories
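Added example (not from the slides): a Python evaluator that applies the table's file-versus-directory semantics to a Unix mode, including the owner/group/other class selection and root's bypass of the bits. The operation names and the sample modes, uids and gids are constructed for this example.

```python
# Added example, not from the slides: evaluate a standard Unix mode against a
# subject using the file/directory semantics of the table above. Operation
# names and the sample inputs are constructed for this example.
import stat

# Requested operations, grouped as the table does: one set is meaningful only
# for files, the other only for directories; each maps to a single bit.
FILE_OPS = {"read_contents": "r", "change_contents": "w", "execute": "x"}
DIR_OPS = {"list": "r", "add_or_rename_entry": "w", "search": "x"}


def permission_class(mode: int, owner_uid: int, owner_gid: int,
                     uid: int, gids: set) -> dict:
    """Select the rwx triple that applies: owner, else group, else other.
    Only the first matching class counts, so an owner without a bit is
    refused even if the group or world has it."""
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif owner_gid in gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return {name: bool(mode & bit) for name, bit in zip("rwx", bits)}


def allowed(mode: int, owner_uid: int, owner_gid: int,
            uid: int, gids: set, op: str) -> bool:
    """Decide whether `op` is permitted on an object whose mode (including
    the S_IFDIR/S_IFREG type flag) and ownership are given."""
    ops = DIR_OPS if stat.S_ISDIR(mode) else FILE_OPS
    if op not in ops:
        return False  # e.g. "list" on a plain file makes no sense
    if uid == 0:
        # root bypasses the r/w bits, but even root needs some x bit to run
        # a file; this blanket bypass is why the least-privilege slide wants
        # as few root users as possible.
        return op != "execute" or bool(mode & 0o111)
    return permission_class(mode, owner_uid, owner_gid, uid, gids)[ops[op]]


if __name__ == "__main__":
    # Constructed: a group-writable directory, mode 2775, the setgid-to-a-group
    # arrangement the least-privilege slide recommends over setuid root.
    shared = stat.S_IFDIR | 0o2775
    print(allowed(shared, 1000, 50, 1001, {50}, "add_or_rename_entry"))   # True
    print(allowed(shared, 1000, 50, 1002, {100}, "add_or_rename_entry"))  # False
```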

Standard NT file permissions

Permission    Allowed action, if object is a file   Allowed action, if object is a directory
No access     None                                  None
List          N/A                                   RX
Read          RX                                    RX
Add           N/A                                   WX
Add & Read    N/A                                   RWX
Change        RWXD                                  RWXD
Full Control  All                                   All

R - Read, X - Execute, W - Write, D - Delete

Physical access control
• Guards
• Locks
• Mantraps
• ID badges
• CCTV, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs

Object reuse
• Must ensure that magnetic media does not have any remnants of previous data
• Also applies to buffers, cache and other memory allocation
• Required at TCSEC B2/B3/A1 level
• Objects must be declassified
• Magnetic media must be degaussed or have secure overwrites

Authentication

Authentication
3 types of authentication:
• Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant
• Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
• Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Problems with passwords
• Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
• Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
• Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
• Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Classic password rules
• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
• Don’t use:
– common names, DOB, spouse, phone #, etc.
– words found in dictionaries
– password as a password
– system defaults

Password management
• Configure the system to use strong passwords
• Set password time and length limits
• Limit unsuccessful logins
• Limit concurrent connections
• Enable auditing
• Have policies for password resets and changes
• Use last login dates in banners

Password Attacks
• Brute force
– l0phtcrack
• Dictionary
– Crack
– John the Ripper
– for a comprehensive listing, see Alan Lustiger or attend his presentation at the CSI conference in November
• Trojan horse login program

Biometrics
• Authenticating a user via human characteristics
• Using measurable physical characteristics of a person to prove their identity
– Fingerprint
– Signature dynamics
– Iris
– Retina
– Voice
– Face
– DNA, blood

Biometric Disadvantages
• Still relatively expensive per user - most expensive, but also most secure
• Companies & products are often new & immature
• No common API or other standard
• Some hesitancy for user acceptance

Biometric privacy issues
• Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
• Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
• Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Practical biometric applications
• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Social Security, welfare, etc.)
• Verifying identities at point of sale
• Using in conjunction with ATM, credit or smart cards
• Controlling physical access to office buildings or homes
• Protecting personal property
• Preventing kidnapping in schools, play areas, etc.
• Protecting children from fatal gun accidents
• Voting/passports/visas & immigration

Tokens
• Used to facilitate one-time passwords
• Physical card
• SecurID
• S/Key
• Smart card
• Access token

Authentication in the Enterprise

Single sign-on
• User has one password for all enterprise systems and applications
• That way, one strong password can be remembered and used
• All of a user's accounts can be quickly created on hire, deleted on dismissal
• Hard to implement and get working
• Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509

Kerberos
• Part of MIT’s Project Athena
• Kerberos is an authentication protocol used for network-wide authentication
• All software must be kerberized
• Tickets, authenticators, key distribution center (KDC)
• Divided into realms

Kerberos roles
• KDC divided into Authentication Server & Ticket Granting Server (TGS)
• Authentication Server - authenticates the identities of entities on the network
• TGS - Generates unique session keys between two parties. Parties then use these session keys for message encryption

Kerberos authentication
• User must have an account on the KDC
• KDC must be a trusted server in a secured location
• Shares a key with each user
• When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
• User provides ticket and authenticator to the application, which processes them for validity and will then grant access.

Problems with Kerberos
• Each piece of software must be kerberized
• Requires synchronized time clocks
• Relies on UDP, which is often blocked by many firewalls
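Added example (not from the slides): a Python simulation of the ticket-plus-authenticator exchange from the Kerberos slides, with the AS and TGS collapsed into one issuing step and a toy seal/unseal standing in for Kerberos' real encryption. The principal names, keys and the 5-minute skew window are assumptions for the example; the skew check shows why the slide says clocks must be synchronized.

```python
# Added example, not from the slides: a minimal Kerberos-style exchange between
# the KDC, a client (klogin) and an application. Names and keys are constructed
# and seal/unseal is a toy stand-in for Kerberos' real symmetric encryption.
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; assumed window, Kerberos rejects stale authenticators

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (NOT real crypto): SHA-256 keystream + HMAC tag."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Long-term keys the KDC shares with each principal (in real Kerberos the user's
# is derived from the password and the service's lives in its keytab).
KDC_KEYS = {"james": b"user-key-james", "payroll-app": b"service-key-payroll"}

def kdc_issue_ticket(client: str, service: str, now: float, life: int = 3600) -> bytes:
    """AS and TGS collapsed into one step, as the slide presents it: mint a session
    key, seal a ticket under the service's key and the reply under the client's."""
    session_key = os.urandom(16).hex()
    ticket = seal(KDC_KEYS[service],
                  {"client": client, "session_key": session_key, "expires": now + life})
    return seal(KDC_KEYS[client],
                {"service": service, "session_key": session_key, "ticket": ticket.hex()})

def client_login(client: str, reply: bytes, now: float):
    """klogin side: open the KDC reply, then build an authenticator under the
    session key to prove the ticket is presented by its rightful holder."""
    info = unseal(KDC_KEYS[client], reply)  # only the named user can open this
    key = bytes.fromhex(info["session_key"])
    return bytes.fromhex(info["ticket"]), seal(key, {"client": client, "timestamp": now})

def service_verify(service: str, ticket: bytes, authenticator: bytes, now: float) -> bool:
    """Application side: the ticket shows the KDC vouched for the client; the
    authenticator shows the presenter holds the session key and is fresh."""
    try:
        t = unseal(KDC_KEYS[service], ticket)
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    except ValueError:
        return False
    if now > t["expires"] or a["client"] != t["client"]:
        return False
    return abs(now - a["timestamp"]) <= MAX_SKEW  # this is why clocks must be in sync

def run_exchange(client_clock_offset: float = 0.0) -> bool:
    """Whole exchange; a client clock off by more than MAX_SKEW makes it fail."""
    now = time.time()
    reply = kdc_issue_ticket("james", "payroll-app", now)
    ticket, auth = client_login("james", reply, now + client_clock_offset)
    return service_verify("payroll-app", ticket, auth, now)
```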

RAS access control
• RADIUS (Remote Authentication Dial-In User Service) - client/server protocol & software that enables a RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
• TACACS/TACACS+ (Terminal Access Controller Access Control System) - Authentication protocol that allows a RAS to forward a user's logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS).
– May 1997 - TACACS and XTACACS are considered Cisco End-of-Maintenance

TEMPEST

TEMPEST
• Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be read at a few hundred yards.
• TEMPEST-certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
• TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
• Rooms & buildings can be TEMPEST-certified
• TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents

Watching the Door

Physical Security
• Camera coverage
– Recoverable footage
• Access controlled areas
• Fences
• Lights? (here’s a question….)

Intrusion Detection Systems
• IDS monitors a system or network for attacks
• IDS engine has a library and set of signatures that identify an attack
• Adds defense in depth

Iterative Methodology Review

Penetration Testing / Vulnerability Assessments
• Basically Improving the Security of Your Site by Breaking Into It, by Dan Farmer/Wietse Venema
– http://www.fish.com/security/admin-guide-to-cracking.html
• Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
– Discovery and footprint analysis
– Exploitation
– Physical Security Assessment
– Social Engineering
• Attempt to identify vulnerabilities and gain access to critical systems within the organization
• Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
• Assessments allow the client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real-life business risks

Review Questions

Review Questions
• Which of the following is true about biometrics?
a) Least expensive, least secure
b) Most expensive, least secure
c) Most expensive, most secure
d) Least expensive, most secure

Answer: c) Most expensive, most secure

Review Questions
• Discretionary Access differs from Mandatory Access in the following way:
a) Is granted at the discretion of the system administrator
b) Is only given to personnel who have demonstrated good discretion
c) Assigns access based on role
d) Allows subjects to grant access to objects

Answer: d) Allows subjects to grant access to objects

Review Questions
• The three classic ways of authenticating yourself to the computer security software are by something you know, by something you have, and by something
a) you need
b) non-trivial
c) you are
d) you can get

Answer: c) you are

Review Questions
• An access control policy for a bank teller is an example of the implementation of a(n):
a) rule-based policy
b) identity-based policy
c) user-based policy
d) role-based policy

Answer: d) role-based policy

Review Questions
• A confidential number to verify a user's identity is called a
a) PIN
b) Userid
c) Password
d) challenge

Answer: a) PIN

Review Questions
• Which of the following is needed for System Accountability?
a) audit mechanisms
b) documented design as laid out in the Common Criteria
c) Authorization
d) Formal verification of system design

Answer: a) audit mechanisms

Review Questions
• Which of the following is true in a system with Mandatory Access Control?
a) the system determines which users or groups may access a file.
b) user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access.
c) a user can specify which groups of users can access their files, but the system determines group membership
d) no control is being enforced on this model

Answer: a) the system determines which users or groups may access a file.

Review Questions
• Which of the following is *not* needed for System Accountability?
a) Audit
b) Authentication
c) Authorization
d) Identification

Answer: a) audit mechanisms

Review Questions
• A potential problem with an iris pattern biometric system is:
a) concern that the laser beam may cause eye damage
b) the iris pattern changes as a person grows older
c) there is a relatively high rate of false accepts
d) the optical unit must be positioned so that the sun does not shine into the aperture

Answer: d) the optical unit must be positioned so that the sun does not shine into the aperture

Review Questions
• What is TEMPEST?
a) A really good movie
b) Standards for controlling emanations from equipment
c) Tactical Electrical Modulation Emitting Surveillance Team
d) The most secure method of Access Control

Answer: b) Standards for controlling emanations from equipment

Any questions?
• Homework for next week:
– CISSP Exam: Theory
• Chapter 3
• Pgs: 198-221, 226-237
– Computer Security Basics
• Chapter 6
– Green and Brown books: Recommended