Access Control

2

Domain Objectives

• Provide definitions and key concepts

• Identify access control categories and types

• Discuss access control threats

• Review system access control measures

3

Domain Objectives

• Review data access control measures

• Understand intrusion detection and intrusion prevention systems

• Understand access control assurance methods

4

Information Security TRIAD

[Figure: the triad of Confidentiality, Integrity and Availability arranged around Information Security]

5

Domain Agenda

• Definitions and Key Concepts

• Access Control Categories and Types

• Access Control Threats

• Access to System

• Access to Data

• Intrusion Prevention Systems (IPS) & Intrusion Detection Systems (IDS)

• Access Control Assurance

6

Basic Requirements

• Security

• Reliability

• Transparency

• Scalability

7

Key Concepts

• Separation of Duties

• Least Privilege

• Need-to-know

• Information Classification

8

Information Classification

• Objectives

• Benefits

• Example of Classification

• Compartmentalized Information

9

Information Classification Procedures

• Scope

• Process

• Responsibility

• Declassification

• Marking and Labeling

• Assurance

11

Access Control Categories

• Preventive

• Detective

• Corrective

• Directive

• Deterrent

• Recovery

• Compensating

12

Access Control Types

• Administrative

• Technical (Logical)

• Physical

[Figure: examples of each type. Administrative: Policy, User Registration Procedures, Job Rotation, Employee Termination, Report Reviews, DRP. Technical: Warning Banners, Audit Logs, IPS/IDS, Passwords, Tokens, Connection Control, Backups. Physical: CCTV, Gates, Fences, Signs, Bollards, Sentry, Fire Extinguisher, Reconstruct/Rebuild, Layered Defense]

13

Access Control Examples

Controls       Administrative              Technical                   Physical
Directive      Policy                      Warning Banner              Security Guard
Deterrent      Demotion                    Violation Report            ‘Beware of Dog’
Preventative   User Registration           Passwords, Tokens           Fences, Bollards
Detective      Report Reviews              Audit Logs, IDS Sensors     CCTV
Corrective     Employee Termination        Connection Management       Fire Extinguisher
Recovery       DRP                         Backups                     Reconstruct, Rebuild
Compensating   Supervision, Job Rotation   Keystroke Logging           Layered Defenses

15

Access Control Threats

• Denial of Service

• Buffer Overflow

• Mobile Code

• Malware

• Password Crackers

• Spoofing/Masquerading

• Sniffers

• Eavesdroppers

16

Access Control Threats

• Emanations

• Shoulder Surfing

• Tapping

• Object Reuse

• Data Remanence

• Unauthorized Data Mining

• Dumpster Diving

• Back Door/Trap Door

17

Access Control Threats

• Theft

• Intruders

• Social Engineering

19

System Access Control

• Identification

• Authentication

• Authorization

• Accountability

20

Identification

• Methods

• Guidelines

21

Authentication Methods

• Knowledge (Something you know)

• Ownership (Something you have)

• Characteristics (Something you are)

22

Authentication by Knowledge

[Figure: password prompt]

• Password

• Passphrase

23

Authentication by Ownership

• Tokens (One-time Passwords)

• Smartcards

• Memory Cards

24

Asynchronous Token Device (Challenge-Response)

1. User requests access via Authentication Server (i.e., UserID)

2. Authentication Server issues Challenge # to User

3. User enters Challenge # w/PIN in Handheld

4. Handheld calculates cryptographic response (i.e., “password”)

5. User sends “password” to Authentication Server

6. Authentication Server grants access to Application Server
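The six-step exchange above as both sides of a minimal challenge-response implementation, added here as an example and not taken from the slides; the key derivation (seed mixed with PIN) and the 8-hex-digit response are illustrative assumptions, not any vendor's scheme.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: a minimal asynchronous token
# (challenge-response) exchange following the six steps on the slide.
# Key derivation and response format are assumptions for illustration.


def derive_token_key(seed: bytes, pin: str) -> bytes:
    """Both handheld and server hold the same secret: a key derived from the
    token's factory seed and the user's PIN (assumed scheme)."""
    return hashlib.sha256(seed + pin.encode()).digest()


def response_for(key: bytes, challenge: str) -> str:
    """The one-time 'password' is a keyed MAC over the challenge, truncated
    to something a user can type."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def handheld_response(seed: bytes, pin: str, challenge: str) -> str:
    """Steps 3-4: the user keys the challenge and PIN into the handheld."""
    return response_for(derive_token_key(seed, pin), challenge)


class AuthServer:
    """Steps 1, 2, 5 and 6 on the Authentication Server side."""

    def __init__(self):
        self.keys = {}      # user_id -> derived token key, set at enrolment
        self.pending = {}   # user_id -> outstanding challenge, single use

    def enrol(self, user_id: str, key: bytes) -> None:
        self.keys[user_id] = key

    def issue_challenge(self, user_id: str) -> str:
        """Step 2: a fresh random challenge number for this request."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, response: str) -> bool:
        """Steps 5-6: recompute the expected response for the outstanding
        challenge. The challenge is consumed whether or not the check passes,
        so a captured response cannot be replayed."""
        challenge = self.pending.pop(user_id, None)
        key = self.keys.get(user_id)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(response_for(key, challenge), response)
```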

25

Synchronous Token

• Event-based Synchronization

• Time-based Synchronization

• Authentication Server knows the expected value from the token and the user must input it or be in close proximity

26

Smart Cards

• Contact Smart Cards

  • Card body

  • Chip

  • Contacts

• Contactless Smart Cards

  • Card body

  • Chip

  • Antenna

27

Authentication by Characteristic

• Biometrics

  • Physiological Biometrics

  • Behavioral Biometrics

• Characteristics

  • Accuracy

  • Acceptability

  • Reaction time

28

Biometric Accuracy

[Figure: Error Rate plotted against Sensitivity, showing the False Accept Rate (Type II Error) and False Reject Rate (Type I Error) curves crossing at the Crossover Error Rate]
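Computing the three rates from the figure over constructed matcher scores, added here as an example and not taken from the slides; the score lists and the rule "accept when score is at or above the threshold" are assumptions.

```python
# Added example, not from the slides: False Accept Rate (Type II error),
# False Reject Rate (Type I error) and the Crossover Error Rate computed
# from constructed similarity scores. A sample is accepted when its score
# is at or above the threshold (assumed rule), so raising the threshold
# (sensitivity) lowers FAR and raises FRR.

# Constructed sample data: scores for genuine users and for impostors
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.67, 0.95, 0.58, 0.84, 0.79, 0.71]
IMPOSTOR = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.44, 0.69, 0.27, 0.40]


def far(threshold, impostors=IMPOSTOR):
    """Type II error: fraction of impostor attempts wrongly accepted."""
    return sum(s >= threshold for s in impostors) / len(impostors)


def frr(threshold, genuine=GENUINE):
    """Type I error: fraction of genuine attempts wrongly rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover_error_rate(genuine=GENUINE, impostors=IMPOSTOR):
    """Sweep every observed score as a candidate threshold and return
    (threshold, rate) where FAR and FRR are closest: the sensitivity
    setting at which the two curves in the figure meet."""
    best = None
    for t in sorted(set(genuine + impostors)):
        a, r = far(t, impostors), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]
```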

29

Static Biometric Types

• Fingerprint/Palm Print

• Hand Geometry

• Retina Scan

• Iris Scan

30

Dynamic Biometric Types

• Voice Pattern

• Facial Recognition

• Keystroke Dynamics

• Signature Dynamics

31

Identity and Access Management

• Need for Identity Management

• Challenges

• Identity Management Technologies

32

Need for Identity Management

• Manual Provisioning

• Complex Environments

• Compliance with Regulations & Legislation

• Outsourcing Risks

33

Identity Management Challenges

• Consistency

• Reliability

• Usability

• Efficiency

• Scalability

34

Identity Management Challenges

• Types of Principals

• Types of Identity Data

• Identity Life Cycle

35

Identity Management Benefits

• Headcount Reduction

• Productivity Increase

• Risk Management

36

Identity Management Technologies

• Directories

• Web Access Management

• Password Management

• Legacy Single Sign-on

• Account Management

• Profile Update

37

Access Control Technologies

• Single Sign-on (SSO)

• Kerberos and SESAME

• Directory Services

• Security Domains

38

Single Sign-on Process

1. User enters ID and password

2. UserID and password transmitted to Authentication Server

3. Authentication Server verifies User’s identity

4. Authentication Server authorizes access to requested resource

[Figure: User, Authentication Server and Application Servers]

39

Kerberos Process

[Figure: KDC (Authentication Server and Ticket Granting Server), Principal P1 (User Workstation) and Principal P2 (Application Server), exchanging the following messages]

P1Key(Request – Access to P2)

P1Key(SK1, P2Key(Client ID, SK1))

P2Key(Client ID, SK1)

Ticket, SK1

SK1(Authentication)

Ticket Granting Ticket

40

Kerberos and SESAME

• Kerberos Key Distribution Center

• Kerberos Issues

• SESAME

41

Directory Services and Security Domains

• Directory Services

• Security Domains

• Hierarchical Domain Relationship

• Equivalence Classes of Subjects

[Figure: Subject “High”, Subject “Low”, Domain “High”, Domain “Low” and a Server, with one access path marked X]

43

Mandatory and Temporal Access Control

• Mandatory Access Control

  • Joint participation in the decision-making process

  • Labels

• Temporal (Time-based) Isolation

44

Discretionary Access Control

• Access authorization based on Information Owner

• System enforces rules

45

Access Control Lists (ACLs)

Hal:   User Hal Directory – Full Control; User Kevin Directory – Write; User Kara Directory – No Access; Printer 001 – Execute

Kevin: User Hal Directory – Write; User Kevin Directory – Full Control; User Kara Directory – No Access; Printer 001 – No Access

Kara:  User Hal Directory – Read/Write; User Kevin Directory – Read/Write; User Kara Directory – Full Control; Printer 001 – Execute; Printer 002 – Execute

Access permissions based on individual user rights

46

Access Control Matrix

Subject   File A   File B   App A   App B   App C   Proc A   Proc B

Hal X X X

Kara X X X X X X X

Kevin X X X

Leo X X

(Kara is marked in every column; the column positions of the marks for Hal, Kevin and Leo are not recoverable from the extracted figure)

47

Rule Based Access Control

[Figure: Users (Jane, Fred, Albert) → Rules → Customer Service Application, Inventory Application, Accounting Application]

Explicit rules grant access

48

Role Based Access Control

[Figure: Users (Jane, Fred, Albert) → Customer Service Agent Role → Customer Service Application, Inventory Application, Accounting Application]

Implicit rules grant access

49

Content Dependent Access Control

[Figure: Payroll Server accessed by a Local Manager, who can only see data on employees in the same department, and by a Human Resources Manager, who can see data on all employees]

Access based on values in data (i.e., Department)

50

Capability Tables

Rights granted for access according to objects

Subject   File A   File B   App A   App B   App C   Proc A   Proc B

Hal: Read, X

Kara: Read/Write, Read/Write, X, X, X, X, X

Kevin: Read, X, X, X

Leo: Read/Write, X, X

X = Execute

(Kara has Read/Write on both files and Execute on the other five objects; the column positions of the other subjects' entries are not recoverable from the extracted figure)
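The per-user permission lists from the ACL slide loaded into an access control matrix and then read both ways, as a per-subject capability list and as a per-object ACL, with a default-deny check. This is an added example, not code from the slides; the expansion of "Full Control" and "Read/Write" into elementary rights is an assumption.

```python
# Added example, not from the slides: the three user permission lists on
# the ACL slide as an access control matrix, viewed per subject
# (capability list) and per object (ACL). The mapping of named
# permissions to elementary rights is an assumption for illustration.

RIGHT_SETS = {
    "Full Control": {"read", "write", "execute", "delete"},
    "Read/Write": {"read", "write"},
    "Write": {"write"},
    "Execute": {"execute"},
    "No Access": set(),          # explicit deny: an empty set of rights
}

# Transcribed from the slide: subject -> object -> named permission
SLIDE_LISTS = {
    "Hal": {"User Hal Directory": "Full Control", "User Kevin Directory": "Write",
            "User Kara Directory": "No Access", "Printer 001": "Execute"},
    "Kevin": {"User Hal Directory": "Write", "User Kevin Directory": "Full Control",
              "User Kara Directory": "No Access", "Printer 001": "No Access"},
    "Kara": {"User Hal Directory": "Read/Write", "User Kevin Directory": "Read/Write",
             "User Kara Directory": "Full Control", "Printer 001": "Execute",
             "Printer 002": "Execute"},
}


def build_matrix(lists=SLIDE_LISTS):
    """Access control matrix: subject -> object -> set of elementary rights."""
    return {subj: {obj: set(RIGHT_SETS[name]) for obj, name in row.items()}
            for subj, row in lists.items()}


def capability_list(matrix, subject):
    """Row view (what the slide actually lists): one subject's rights per object."""
    return {obj: sorted(r) for obj, r in matrix.get(subject, {}).items() if r}


def acl(matrix, obj):
    """Column view, the ACL proper: which subjects may touch one object and how."""
    return {subj: sorted(row[obj]) for subj, row in matrix.items() if row.get(obj)}


def is_authorized(matrix, subject, obj, right):
    """Default deny: an absent cell, a 'No Access' cell or a missing right all fail."""
    return right in matrix.get(subject, {}).get(obj, set())
```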

51

Non-discretionary Access Control

• Operating System Protection

• Security Administrator Control

• Ensures system security enforced

52

Constrained User Interface

• Menus

• Database Views

• Physically Constrained User Interfaces

• Encryption

53

Centralized/Decentralized Access Control

• Centralized Access Control

  • RADIUS

  • TACACS+

  • Diameter

• Decentralized Access Control

55

Intrusion Detection Systems

Primary Types

• Network-Based IDS (NIDS)

• Host-Based IDS (HIDS)

• Application-Based IDS (AIDS)

56

Intrusion Prevention Systems

Primary Types

• Host-Based IPS (HIPS)

• Network-Based IPS (NIPS)

• Content-Based

• Rate-Based

57

Analysis Engine Methods

• Pattern (Signature) Based

  • Pattern Matching

  • Stateful Matching

• Anomaly Based

  • Statistical

  • Traffic

  • Protocol

• Heuristic Scanning

58

IDS/IPS Summary

• Anomaly Examples

• Response Examples

• Alert Types

• Management

60

Access Control Assurance

• Audit Trail Monitoring

• Assessment Tools

61

Penetration Testing

• Definition

• Areas to test

• Methods of testing

• Testing procedures

• Testing hazards

62

Areas to Test

• Application Security

• Denial of Service (DoS)

• War Dialing

• Wireless Network Penetration

• Social Engineering

• PBX and IP Telephony

63

Penetration Testing Methods

• External

• Zero-knowledge (Blind)

• Partial-knowledge

• Internal

• Full-knowledge

• Targeted

• Blind

• Double-blind

64

Testing Steps

• Discovery

• Enumeration

• Vulnerability Mapping

• Exploiting

65

Testing Hazards and Reporting

• Production interruption

• Application abort

• System crash

• Documentation

  • Identified vulnerabilities

  • Countermeasure effectiveness

  • Recommendations

66

Domain Summary

• Definitions and Key Concepts

• Access Control Categories and Types

• Access Control Threats

• System Access

• Data Access

• Intrusion Detection and Prevention Systems

• Access Control Assurance

“Security Transcends Technology”