Week 10 - Temple MIS 5214


Page 1

Week 10 MIS 5214

Page 2

Agenda

• Project

• Authentication – Biometrics

• Access Control Models

• Access Control Techniques

• Centralized Remote Access Control Technologies

Page 3

Project assignment

You and your team are:

• Acting as the CSP (Cloud Service Provider)

• Seeking PA (Preliminary Authorization) for your information system

• Responsible for:

1. Developing the system security architecture for your information system

2. Developing a System Security Plan (SSP) for your information system

3. Presenting your SSP to an internal senior management review team

Page 4

Project Tasks

A. Identify a client organization

B. Identify a mission-based information system to support the organization with one of the 26 government direct services and delivery support lines of business identified in Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60)

C. Identify the public and organizational groups/roles (along with their geographically distributed wide-area network office locations) that will develop, support/maintain, access and use the information system to effectively conduct the mission

D. Design a security architecture for the information system, which will be hosted in a to-be-determined (i.e. vendor-neutral) cloud environment and accessed remotely by individuals working in the groups identified above to conduct the organization’s mission

E. Using NIST resources covered in this course, templates available at https://www.fedramp.gov/resources/templates-2016/ and other resources you find through your research: develop, present and hand in:

1. A draft system security plan for the information system based on the appropriate FedRAMP System Security Plan (SSP) template for the security baseline appropriate for your system

• Sections 3-6 and attachments - leave names, addresses, phone numbers and email addresses blank as appropriate (fill in titles and organizations)

• Section 13 – only fill in details for Technical Security Control Class Families (remove all other non-technical security control class families from your SSP document and table of contents)

• Section 15 - provide all appropriate attachments (at a minimum the following SSP Attachments must be filled in for your system: 3, 4, 5, 9, 10, and 11)

2. PowerPoint presentation covering A-E that will be presented to instructor and class

Page 5

Project Resources include but are not limited to…

https://www.fedramp.gov/resources/templates-2016/


Page 9

Authentication – Biometrics

Two different categories of biometric factor authentication:

1. Physiological (“what you are”)

• Physical attribute unique to a specific individual

• Less prone to change, unless altered by a disfiguring accident

• Hard to impersonate

2. Behavioral (“what you do”)

• A characteristic of how an individual acts

• Can change over time

• Can be forged

Page 10

Authentication – Biometrics

During identity verification (i.e. authentication) the biometric system scans a person’s physiological attribute or behavioral trait and compares the captured data to a record (template) created in an earlier enrollment process

Biometric system

• Must be capable of repeatedly taking accurate measurements of anatomical or behavioral characteristics

• Error types:

• False negative – incorrect rejection of the identity of an authorized individual

• Called a Type I error

• False Rejection Rate (FRR) is a measurement of the likelihood that the biometric device will produce Type I errors

• False positive – incorrect match and acceptance of the identity of an unauthorized individual (“impostor”)

• Called a Type II error

• False Acceptance Rate (FAR) is a measurement of the likelihood that the biometric device will produce Type II errors

Organizations have their own security requirements which dictate how many Type I and Type II errors are acceptable:

• Organizations prioritizing confidentiality would accept a higher rate of Type I errors (inconvenienced legitimate users) to drive the Type II error rate (admitted impostors) as close to zero as possible

Calibration of a biometric system lowers the Type II error rate by tightening the match threshold (raising sensitivity), which in turn raises the Type I error rate; the two rates trade off against each other rather than falling together

Page 11

Authentication – Biometrics

Crossover error rate (CER), also called Equal error rate (EER)

• Objective measurement of biometric system accuracy, useful for comparing different biometric system products

• Is a rating, stated as a percentage

• CER is the point at which the false rejection rate equals the false acceptance rate: FRR = FAR

• Most important metric in determining a biometric system’s accuracy (a lower CER means a more accurate system)
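The FRR/FAR trade-off and the crossover point described on the last two slides, worked through in code. This is an added example, not part of the course slides: the match scores are constructed, the scoring convention (higher score = better match, accept when score >= threshold) is an assumption, and real devices report these rates from far larger samples.

```python
"""Worked example (added, not from the MIS 5214 slides): computing FRR, FAR and the
crossover error rate (CER/EER) from constructed match scores.

Assumptions: scores are similarity scores in [0, 100]; a higher score means a better
match; a sample is ACCEPTED when score >= threshold.  The genuine/impostor samples
below are constructed for illustration, not measurements from any real device."""

# Constructed match scores.  Genuine attempts (enrolled user presenting their own
# trait) cluster high; impostor attempts cluster low, with some overlap.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]
IMPOSTOR_SCORES = [22, 28, 33, 40, 46, 52, 58, 63, 69, 75]


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate (Type I): fraction of genuine attempts rejected."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type II): fraction of impostor attempts accepted."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the threshold and return (threshold, rate) where |FRR - FAR| is smallest.
    FRR rises and FAR falls as the threshold is raised, so the curves cross once;
    that crossing is the CER/EER used to compare devices."""
    best = None
    for t in range(0, 101):
        gap = abs(frr(t, genuine) - far(t, impostor))
        if best is None or gap < best[0]:
            best = (gap, t, (frr(t, genuine) + far(t, impostor)) / 2)
    _, t, rate = best
    return t, rate


def threshold_for_max_far(max_far, impostor=IMPOSTOR_SCORES):
    """Calibration for a confidentiality-first deployment: the lowest threshold whose
    FAR does not exceed max_far.  The caller then reads off the FRR it costs."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t
    return 101


if __name__ == "__main__":
    for t in (50, 60, 70, 80):
        print(f"threshold {t:3d}: FRR={frr(t):.2f} FAR={far(t):.2f}")
    t, rate = crossover_error_rate()
    print(f"CER/EER ~ {rate:.2f} at threshold {t}")
    t0 = threshold_for_max_far(0.0)
    print(f"FAR=0 requires threshold {t0}, costing FRR={frr(t0):.2f}")
```

With these constructed scores the curves cross at threshold 67 (CER 0.20); pushing FAR to zero needs threshold 76 and rejects 40% of genuine attempts, which is the Type I cost a confidentiality-first organization is choosing to pay.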

Page 12

Access Control Models

3 main types (built into the kernel of different operating systems and possibly their supporting applications):

1. Discretionary Access Control (DAC)

2. Mandatory Access Control (MAC)

3. Role-based Access Control (RBAC)

Every operating system has a security kernel based on the access control model embedded in the system

For each access attempt, before a subject can communicate with an object, the security kernel reviews the rules of the access control model to determine if the request is permitted

Page 13

Discretionary Access Control (DAC)

Most operating systems of general purpose computers are based on DAC models and use Access Control List properties on a file or directory to display and control access:

• Windows

• Linux

• OS X

• Unix

Page 14

Discretionary Access Control (DAC)

The network administrator can allow resource owners to control who has access to their files. If a user creates a file or folder then the user is the owner of the file or folder

• An identifier is placed in the file header and/or in an access control matrix in the operating system

• The identifier can be a user identity or a group membership

• For example: the data owner can choose to allow Bill (user identity) and the Accounting group (group membership identity) to access his file

DAC systems grant or deny access based on the identity of the subject

• Access is restricted based on the authorization granted to the users

• Users can specify what type of access can occur to the objects they own

• Access control is based on the discretion of the resource owner

• Resource owners, for example, can be business unit managers or department managers who “own” the data within their organization

Page 15

Discretionary Access Control (DAC)

Most operating systems are based on DAC models and use Access Control List properties on a file or directory to display and control access:

• Windows

• Linux

• OS X

• Unix

DACs can apply to both the directory tree structure (i.e. folders) and the files it contains.

Access permissions:

• No access (-)

• Read (r)

• Write (w)

• Execute (x)
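How a Unix-style kernel turns the rwx bits above and the owner/group identifiers from the previous slide into a DAC decision, as an added example (not from the slides). The file, users and group names are constructed; the one real-world detail modelled is that the permission class is chosen once (owner, else group, else other) and that uid 0 bypasses the bits entirely, which is why the “malware runs as the user” problem on the next slides is worst for administrator accounts.

```python
"""Worked example (added; not from the slides): evaluating a Unix-style DAC decision
from the rwx bits, the way a security kernel checks a request against the owner,
group and other permission classes.

Assumptions: the mode string is the 9-character rwx triplet as shown by `ls -l`
(e.g. "rw-r-----"; setuid/sticky letters are out of scope), names are illustrative,
and a subject with uid 0 (root) bypasses the DAC bits as it does on real Unix."""

CLASSES = ("owner", "group", "other")
PERM_OFFSET = {"r": 0, "w": 1, "x": 2}


def parse_mode(mode):
    """Turn "rwxr-x---" into {"owner": {"r","w","x"}, "group": {"r","x"}, "other": set()}."""
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, e.g. rw-r-----")
    result = {}
    for i, cls in enumerate(CLASSES):
        triplet = mode[i * 3:(i + 1) * 3]
        perms = set()
        for ch, idx in PERM_OFFSET.items():
            if triplet[idx] == ch:
                perms.add(ch)
            elif triplet[idx] != "-":
                raise ValueError(f"bad permission char {triplet[idx]!r} in {mode!r}")
        result[cls] = perms
    return result


def permission_class(file_owner, file_group, user, groups):
    """Unix picks exactly one class: owner if the subject owns the file, else group if
    the subject is in the file's group, else other.  It does NOT fall through: an
    owner denied read by the owner triplet stays denied even if 'other' allows it."""
    if user == file_owner:
        return "owner"
    if file_group in groups:
        return "group"
    return "other"


def dac_allows(file_entry, subject, requested):
    """file_entry: {"mode", "owner", "group"}; subject: {"user", "uid", "groups"};
    requested: a string of r/w/x letters.  Every requested bit must be present."""
    if subject["uid"] == 0:          # root bypasses DAC permission bits
        return True
    perms = parse_mode(file_entry["mode"])
    cls = permission_class(file_entry["owner"], file_entry["group"],
                           subject["user"], subject["groups"])
    return set(requested) <= perms[cls]


# Constructed example: Bill owns a file that the Accounting group may read.
PAYROLL = {"mode": "rw-r-----", "owner": "bill", "group": "accounting"}
BILL = {"user": "bill", "uid": 1001, "groups": {"bill", "accounting"}}
ALICE = {"user": "alice", "uid": 1002, "groups": {"alice", "accounting"}}
MALLORY = {"user": "mallory", "uid": 1003, "groups": {"mallory"}}
ROOT = {"user": "root", "uid": 0, "groups": {"root"}}

if __name__ == "__main__":
    for who in (BILL, ALICE, MALLORY, ROOT):
        print(who["user"], "read:", dac_allows(PAYROLL, who, "r"),
              "write:", dac_allows(PAYROLL, who, "w"))
```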


Page 18

Discretionary Access Control (DAC)

Provides a huge tradeoff:

• On the one hand:

• Flexibility to the user

• Less administrative overhead to IT

• On the other hand:

• Achilles’ heel (i.e. weakness) of the operating system

• Malware can work under the identity (security context) of the user

• If a user opens a virus-infected file, code can install itself in the background without the user’s awareness

• The code inherits all rights and permissions of the user and can carry out any activity the user can on the system

• Send copies of itself to all contacts in the user’s email client, install a back door, attack other systems, delete files on the hard drive…

• If the user is a local administrator or has a root account, then once installed the malware can do anything

Page 19

Discretionary Access Control (DAC)

Security administrators can counter the downside of DAC and protect critical assets by removing user control, implementing “nondiscretionary access control” within a DAC operating system by:

• Setting up workstations with pre-configured and loaded user profiles specifying the level of control the user does and does not have:

• With permissions on files (including OS command files) and folders set to block discretionary access control, preventing users from:

• Changing the system’s time

• Altering system configuration files

• Accessing a command prompt

• Installing unapproved applications

• …

Page 20

Mandatory Access Control (MAC)

• Used in very specialized systems by government-oriented agencies:

• To protect and maintain highly classified data

• For focused and specific purposes – and nothing more

• Users do not have discretion to determine who can access objects

• Systems are “locked down” for security purposes with:

• Reduced amount of user rights, permissions and functionality

• Users cannot install software, change file permissions or add new users

DAC systems are discretionary, and MAC systems are considered non-discretionary because users are unable to make access decisions based on their own choice (discretion) – Exam Tip

Page 21

Mandatory Access Control (MAC)

• Based on a system of multi-level security policies and security labels

• Both subjects (users, processes) and objects (data, devices) are classified:

• For example: Top Secret, Secret, Confidential, Restricted, Official, Unclassified…

• Both users (subjects) and data (objects) are labeled with their classification

• A security clearance is given to each user

• A security classification is given to each data object

• The system decides about fulfilling a request to access an object based on:

• Its security policy (e.g. confidentiality or integrity), and

• The clearance of the subject and the classification of the object

A multi-level security (MLS) system allows data at different classification levels to be accessed and interacted with simultaneously by users with different clearance levels

Page 22

Mandatory Access Control (MAC) - Security policy models

Bell-LaPadula versus Biba models

• These are both information flow models concerned with data flowing from one level to another

• Bell-LaPadula uses security levels to provide data confidentiality

• “no read up” “no write down”

• Biba uses integrity levels to provide data integrity

• “no write up” “no read down”

• Both have “simple” and “* (star)” rules: one rule governs reading and the other governs writing, and the two models point in opposite directions

• “simple” is used in rules about reading

• * or “star” is used in rules about writing

Page 23

Mandatory Access Control (MAC)

Security policy models

• Bell-LaPadula model enforces confidentiality in access control

• Goal: Prevent secret information from unauthorized access

• Provides and addresses confidentiality only

• Who can and cannot access the data, and what operations can be carried out on the data

• Does not address integrity of data the system maintains

• First mathematical model for a multilevel security policy – based on modes of access and provides rules of access

• A system based on the Bell-LaPadula model is called a multilevel security system because its users have different clearances and it processes data at different classification levels

• 3 main rules:

1. Simple security rule

2. *-property (star property) rule

3. Strong star property rule

Page 24

Mandatory Access Control (MAC)

Bell-LaPadula model enforces confidentiality in access control

3 main rules:

1. Simple security rule (often referred to as the “no read up” rule)

A subject at a particular security level cannot read data that resides at a higher security level

e.g. Bill with Secret security clearance cannot read data classified as Top Secret. If the organization needed Bill to read Top Secret data, they should have given him that clearance

2. *-property (star property) rule (often referred to as the “no write down” rule)

A subject at a given security level cannot write information to a lower security level

3. Strong star property rule

A subject who has read and write capabilities can only perform both functions at the same security level; nothing higher and nothing lower. For a subject to be able to read and write to an object, the subject’s clearance and the object’s classification must be equal

Page 25

Mandatory Access Control (MAC)

Security policy models

• Biba model enforces integrity of data within a system

• Goal: Prevent data at any integrity level from flowing to a higher integrity level

• Uses integrity levels

• Is not concerned with security levels nor confidentiality

• 3 main rules:

1. *-integrity axiom

2. Simple integrity axiom

3. Invocation property

Page 26

Mandatory Access Control (MAC) - Security policy models

Biba model enforces integrity of data within a system

Scenario: A and B are writing two documents for a project team.

• A is drafting internal meeting notes for a project team which include ideas, opinions and educated guesses. She may have used unconfirmed and possibly unreliable sources in her document.

• B is writing a report for the CEO. His report must be accurate and reliable, with a high degree of integrity.

• 3 main rules:

1. *-integrity axiom (referred to as “no write up”)

Dictates how subjects can modify objects. A subject cannot write data to an object at a higher integrity level

Scenario: This axiom blocks A from contributing her lower-integrity information to B’s report (but A could use B’s higher-integrity information in her meeting notes document)

2. Simple integrity axiom (referred to as “no read down”)

A subject cannot read data from a lower integrity level

Scenario: This axiom blocks B from reading A’s document because it could possibly introduce lower-integrity information into B’s higher-integrity report

3. Invocation property

A subject cannot communicate by calling on or initializing another subject (invoking a service) at a higher integrity level. Subjects are only allowed to invoke services at their own or a lower integrity level
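The Bell-LaPadula rules (slides 23-24) and the Biba rules (slides 25-26) implemented as one small reference monitor, as an added example that is not part of the slides. The confidentiality levels are the slide’s own list; the three-step integrity ladder and the subject/object labels are constructed. Levels are treated as a total order (no compartments or categories), which is an assumption that keeps the comparison to a single index lookup.

```python
"""Worked example (added, not from the slides): a reference-monitor style check for
the Bell-LaPadula confidentiality rules and the Biba integrity rules on the same
ordered set of levels.

Assumptions: levels are totally ordered (no compartments/categories); the
confidentiality names are the slide's examples; the integrity ladder and all
subject/object labels are constructed."""

CONFIDENTIALITY = ["Unclassified", "Official", "Restricted", "Confidential",
                   "Secret", "Top Secret"]
INTEGRITY = ["Low", "Medium", "High"]   # constructed integrity ladder


def rank(levels, name):
    return levels.index(name)


# --- Bell-LaPadula: confidentiality, "no read up", "no write down" ---------------
def blp_read(subject_clearance, object_class):
    """Simple security property: read only if clearance >= classification."""
    return rank(CONFIDENTIALITY, subject_clearance) >= rank(CONFIDENTIALITY, object_class)


def blp_write(subject_clearance, object_class):
    """*-property: write only if classification >= clearance (no write down)."""
    return rank(CONFIDENTIALITY, object_class) >= rank(CONFIDENTIALITY, subject_clearance)


def blp_read_write(subject_clearance, object_class):
    """Strong *-property: both operations only at exactly the same level."""
    return subject_clearance == object_class


# --- Biba: integrity, "no read down", "no write up" --------------------------------
def biba_read(subject_level, object_level):
    """Simple integrity axiom: read only if the object is at least as trustworthy."""
    return rank(INTEGRITY, object_level) >= rank(INTEGRITY, subject_level)


def biba_write(subject_level, object_level):
    """*-integrity axiom: write only to objects at or below the subject's integrity."""
    return rank(INTEGRITY, subject_level) >= rank(INTEGRITY, object_level)


def biba_invoke(caller_level, callee_level):
    """Invocation property: a subject may only invoke subjects at or below its level."""
    return rank(INTEGRITY, caller_level) >= rank(INTEGRITY, callee_level)


def check(model, op, subject, obj):
    """Dispatch one access request; returns (allowed, rule applied)."""
    table = {
        ("blp", "read"): (blp_read, "simple security (no read up)"),
        ("blp", "write"): (blp_write, "* property (no write down)"),
        ("blp", "read+write"): (blp_read_write, "strong * property"),
        ("biba", "read"): (biba_read, "simple integrity (no read down)"),
        ("biba", "write"): (biba_write, "* integrity (no write up)"),
        ("biba", "invoke"): (biba_invoke, "invocation property"),
    }
    fn, rule = table[(model, op)]
    return fn(subject, obj), rule


if __name__ == "__main__":
    # Bill holds Secret clearance (slide example)
    print(check("blp", "read", "Secret", "Top Secret"))      # (False, ...)
    print(check("blp", "write", "Secret", "Confidential"))   # (False, ...)
    # Biba scenario: A writes Low-integrity notes, B writes the High-integrity report
    print(check("biba", "write", "Low", "High"))   # A cannot write up into B's report
    print(check("biba", "read", "High", "Low"))    # B cannot read down from A's notes
    print(check("biba", "read", "Low", "High"))    # A may read B's report
```

Note that each model’s read rule and write rule are mirror images of the other model’s: the Biba checks are the Bell-LaPadula checks with the comparison flipped, which is exactly why running both on one system forces most subjects to a single level.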


Page 28

DAC versus MAC Systems

• Administrators cannot simply switch on MAC and switch off DAC in an operating system

• DAC systems

• The system makes access decisions by comparing the subject’s identity to the ACL on the object (i.e. resource)

• Very flexible and dynamic

• Malware usually targets DAC systems

• Viruses, worms, and rootkits can be installed and run as applications on DAC systems

• MAC systems

• The system makes access decisions by comparing the subject’s clearance to the object’s security label

• Are very constrained and have very limited functionality

• The OS blocks users from installing software, including malware

• Special types of Unix systems are developed based on the MAC model

• SELinux is a publicly released MAC system developed by NSA and Secure Computing

• Trusted Solaris is a product based on the MAC model

Page 29

Role-Based Access Control (RBAC)

Traditional access control administration is based on just the DAC model

• Access control is specified explicitly to subjects at the object level with ACLs

• Becomes complex

• As administrators translate organizational policy into ACL configuration permissions

• As the number of objects and users grows and users change responsibilities, users tend to be granted or retain unnecessary access to some objects

• Violating the least-privilege rule, increasing organizational risk

• Addressed by the Role-Based Access Control model…

Page 30

Role-Based Access Control (RBAC)

• Uses a centrally administered set of controls to determine how subjects and objects interact

• Roles defined in terms of operations and tasks the role will carry out

• Access to resources is implicitly assigned (inherited) based on the role the user holds within the organization

• Best system for organizations with high employee turnover

• Assignment of users to roles is changed by administrators

• Administrators do not need to continually change the ACLs on individual objects

Page 31

Core RBAC

Foundation of the RBAC model:

• Users, roles, permissions, operations, and sessions are defined and mapped based on security policy

• Many-to-many relationship among individual users and privileges

• Accommodates traditional but robust group-based access control

• Many users belong to many groups with various privileges outlined for each group

• Uses a session as a mapping between a user and a subset of assigned roles

• When the user logs in a session is created; the various roles and groups the user is assigned to and all their associated permissions are available to the user at one time

• Provides robust options beyond user ID and credential for access decisions, including: time of day, location of role, day of the week, …

Page 32

Hierarchical RBAC

Allows administrators to set up an organizational RBAC that maps organizational structures and functions to the Human Resources personnel hierarchy

• The higher you are in the chain of command, the more access you will likely have

• An accumulation of the rights and permissions of other roles lower down in the hierarchy

• Supports separation of duties

• Static Separation of Duty relations

• Used to deter fraud by constraining combinations of privileges (e.g. a user cannot be a member of both the Cashier and Accounts Receivable groups)

• Dynamic Separation of Duty relations

• Used to deter fraud by constraining combinations of privileges that can be activated in any one session (e.g. a user cannot hold both the Cashier and Cashier Supervisor roles at the same time in a single session, but the user can be a member of both)
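Core RBAC (users, roles, permissions, sessions) and Hierarchical RBAC (inherited permissions, static and dynamic separation of duty) from the last two slides, as an added example that is not part of the slides. The finance roles reuse the slide’s Cashier / Accounts Receivable / Cashier Supervisor names; the permissions, the user and the session identifiers are constructed, and inheritance is modelled as a senior role accumulating its juniors’ permissions.

```python
"""Worked example (added; not from the slides): Core + Hierarchical RBAC with static
and dynamic separation-of-duty constraints.

Assumptions: role, permission and user names are constructed; role inheritance is
modelled as "junior roles whose permissions a senior role accumulates"."""


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)
        self.juniors = {}      # role -> roles it inherits from
        self.user_roles = {}   # user -> assigned roles
        self.ssd = []          # sets of roles no single user may hold together
        self.dsd = []          # sets of roles that may not be active in one session
        self.sessions = {}     # session id -> (user, active roles)

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def effective_perms(self, role):
        """Hierarchical RBAC: a senior role accumulates its juniors' permissions."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            stack.extend(self.juniors[r])
        return perms

    def assign(self, user, role):
        """Static SoD is enforced at assignment time."""
        held = self.user_roles.get(user, set()) | {role}
        for conflict in self.ssd:
            if conflict <= held:
                raise PermissionError(f"SSD violation: {user} would hold {sorted(conflict)}")
        self.user_roles[user] = held

    def open_session(self, session_id, user, activate):
        """Dynamic SoD is enforced at activation time, per session."""
        activate = set(activate)
        if not activate <= self.user_roles.get(user, set()):
            raise PermissionError("cannot activate a role the user is not assigned")
        for conflict in self.dsd:
            if conflict <= activate:
                raise PermissionError(f"DSD violation: cannot activate {sorted(conflict)} together")
        self.sessions[session_id] = (user, activate)

    def check(self, session_id, operation, obj):
        """Access decision: any active role (with inheritance) grants the permission."""
        _, active = self.sessions[session_id]
        return any((operation, obj) in self.effective_perms(r) for r in active)


def build_demo():
    """Constructed finance example using the slide's Cashier / Accounts Receivable /
    Cashier Supervisor roles."""
    m = RBAC()
    m.add_role("cashier", {("post", "till"), ("read", "price-list")})
    m.add_role("accounts-receivable", {("post", "ledger"), ("read", "invoices")})
    m.add_role("cashier-supervisor", {("void", "till")}, inherits={"cashier"})
    m.ssd.append({"cashier", "accounts-receivable"})   # never assigned together
    m.dsd.append({"cashier", "cashier-supervisor"})    # assignable, not co-active
    return m


if __name__ == "__main__":
    m = build_demo()
    m.assign("dana", "cashier")
    m.assign("dana", "cashier-supervisor")
    m.open_session("s1", "dana", {"cashier-supervisor"})
    print(m.check("s1", "post", "till"))   # True: inherited from cashier
    try:
        m.assign("dana", "accounts-receivable")
    except PermissionError as e:
        print(e)
```

The point the slide makes about turnover shows up in `assign`: moving Dana to a new job is one role change, and no object’s ACL is touched; the two separation-of-duty lists are checked at different times (assignment versus session activation), which is the entire difference between static and dynamic SoD.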

Page 33

Rule-Based RBAC

• Adds on to RBAC by imposing rules that further restrict access decisions

• Enables a developer to define specific and detailed situations in which a subject can or cannot access an object and what the subject can do once access is granted

• A type of compulsory access control

• Can be used to implement the Brewer and Nash (also called the Chinese Wall) access control model

• An access control that:

• Protects against conflicts of interest arising from users’ access attempts

• Can change dynamically depending on a user’s previous actions

• A subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset

• E.g. to block a broker representing one client from learning of an impending business deal and encouraging another client to purchase/sell the first client’s stock
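The Brewer and Nash decision above depends on what the subject has already read, which is what makes it dynamic. The following is an added example (not from the slides) of such a monitor: the company datasets, conflict-of-interest classes and the broker are constructed, and the write rule is the simplified form stated on the slide (a subject may write to an object only if everything it has read belongs to that object’s own dataset).

```python
"""Worked example (added; not from the slides): a Brewer and Nash (Chinese Wall)
monitor in which the access decision depends on the subject's access history.

Assumptions: each object belongs to one company dataset, datasets are grouped into
conflict-of-interest classes, and all names below are constructed."""


class ChineseWall:
    def __init__(self, datasets, conflict_classes):
        self.dataset_of = datasets   # object -> company dataset
        self.coi = {}                # dataset -> conflict-of-interest class id
        for cid, members in enumerate(conflict_classes):
            for ds in members:
                self.coi[ds] = cid
        self.history = {}            # subject -> datasets it has already read

    def can_read(self, subject, obj):
        """Simple rule: reading is allowed unless the subject has already read an
        object in a DIFFERENT dataset of the SAME conflict class."""
        ds = self.dataset_of[obj]
        for seen in self.history.get(subject, set()):
            if seen != ds and self.coi[seen] == self.coi[ds]:
                return False
        return True

    def read(self, subject, obj):
        """A successful read is recorded; later decisions depend on it."""
        if not self.can_read(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(self.dataset_of[obj])
        return True

    def can_write(self, subject, obj):
        """*-rule: writing to obj is allowed only if every dataset the subject has
        read is the object's own dataset; otherwise the subject could copy one
        client's information into another client's files."""
        ds = self.dataset_of[obj]
        return all(seen == ds for seen in self.history.get(subject, set()))


# Constructed: two competing banks form one conflict class; an oil company is alone.
DATASETS = {"bankA-deal": "BankA", "bankB-deal": "BankB", "oilX-plan": "OilX"}
CONFLICTS = [{"BankA", "BankB"}, {"OilX"}]

if __name__ == "__main__":
    wall = ChineseWall(DATASETS, CONFLICTS)
    print(wall.read("broker", "bankA-deal"))       # True
    print(wall.read("broker", "bankB-deal"))       # False: competing bank
    print(wall.read("broker", "oilX-plan"))        # True: different conflict class
    print(wall.can_write("broker", "bankA-deal"))  # False: has also read OilX
```

Two brokers with identical roles get different answers here, purely because of what each has read before; that history dependence is why this cannot be expressed as a static ACL or role assignment.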

Page 34

Access Control Models

Main characteristics of the 4 access control models:

1. DAC – Data owners decide who has access to resources, using ACLs to enforce these access decisions

2. MAC – Operating systems enforce the system’s security policy through the use of security labels

3. RBAC – Access decisions based on each subject’s role or functional position

4. RB-RBAC – Adds to RBAC, imposing rules further restricting access decisions

Page 35

Access Control Techniques

Used to support access control models

• Access control matrix

• A table of subjects and objects indicating what actions individual subjects can take on individual objects

• Usually used in DAC models

• Access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs)

Harris, S. and Maymi F. (2016) All in One CISSP Exam Guide, Seventh Edition, McGraw Hill Education

Note: Table data structures are readily implemented in operating systems and programs

Page 36

Access Control Techniques

Used to support access control models

• Access control list (ACL) – Bound to an object, indicating which subjects can access it and what operations they can do

• Used in many operating systems, applications and router configurations

• Lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted

• Authorization can be specified for an individual, group or role

Page 37

Access Control Techniques

Used to support access control models

Capability table – Specifies the access rights a certain subject possesses with respect to accessing specific objects

• The subject presents the OS or application a capability component (token, ticket, key), which is a data structure containing an object identifier and the access rights the subject has to the object

• Kerberos is an example of a capability-based access control system: a user is given a capability ticket (and the ticket is bound to the user) which dictates the objects the user can access and to what extent

A capability table has subjects bound to the rows in the access control matrix, whereas an ACL has the object bound to the columns
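The row/column relationship between the access control matrix, ACLs and capability tables on the last three slides, as an added example that is not part of the slides. The matrix contents (subjects, objects, rights) are constructed; the example also shows the practical consequence of choosing one view over the other, namely what revoking a subject costs.

```python
"""Worked example (added; not from the slides): one access control matrix and the
two ways of storing it, per-object ACLs (columns) and per-subject capability lists
(rows).

Assumptions: subjects, objects and rights are constructed; the matrix is sparse,
so a missing cell means "no access"."""

MATRIX = {   # (subject, object) -> set of rights; constructed
    ("bill", "payroll.xlsx"): {"read", "write"},
    ("alice", "payroll.xlsx"): {"read"},
    ("alice", "invoices.db"): {"read", "write"},
    ("mallory", "readme.txt"): {"read"},
    ("bill", "readme.txt"): {"read", "execute"},
}


def to_acls(matrix):
    """Column view: object -> {subject: rights}.  This is what a file system stores
    alongside each object."""
    acls = {}
    for (subject, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row view: subject -> {object: rights}.  This is what a ticket/token carries."""
    caps = {}
    for (subject, obj), rights in matrix.items():
        caps.setdefault(subject, {})[obj] = set(rights)
    return caps


def acl_check(acls, subject, obj, right):
    """The object's ACL is consulted; the checker must know who the subject is."""
    return right in acls.get(obj, {}).get(subject, set())


def cap_check(capability, obj, right):
    """A capability is presented by the subject; the object identity is inside it,
    so the checker never needs to identify the subject."""
    return right in capability.get(obj, set())


def revoke_subject(acls, caps, subject):
    """The classic asymmetry: with ACLs, revoking a user means editing every object
    whose list names them; with capabilities, dropping the user's row is enough,
    but an object cannot tell on its own who still holds a capability for it.
    Returns the objects whose ACLs had to be touched."""
    touched = [obj for obj, entries in acls.items() if subject in entries]
    for obj in touched:
        del acls[obj][subject]
    caps.pop(subject, None)
    return touched


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print(acl_check(acls, "alice", "payroll.xlsx", "write"))  # False
    print(cap_check(caps["bill"], "readme.txt", "execute"))   # True
    print(revoke_subject(acls, caps, "alice"))                 # ACLs that had to change
```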

Page 38

Access Control Techniques

Used to support access control models

Content-Dependent Access Control – Access to the objects is determined by the data content within the object

Examples:

• The content of specific database fields (e.g. social security numbers, salaries, planned stock trade dates, …) dictates which users can see specific information within the database tables

• Content-dependent e-mail filters look for specific strings such as “confidential”, “social security number”, …

• Organizations control employees’ web surfing by filtering for specific words related to such things as gambling, pornography, …

Page 39

Access Control Techniques

Used to support access control models

Context-Dependent Access Control – Makes access decisions based on context (i.e. a collected sequence of information) rather than on the sensitivity of the data

• Systems that use context-dependent access controls review the collected data and then make the access control decision

• Example: stateful inspection firewalls collect the packets comprising a dialog session and compare them to the valid sequence of SYN, SYN/ACK, ACK packets to determine if the packets should be permitted access to the internal network
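The stateful-inspection example on this slide, reduced to the part that makes it context-dependent: a connection table keyed on the two endpoints, and a state machine that only admits inbound packets whose handshake was seen in order. This is an added example, not from the slides; the packets are constructed dictionaries rather than parsed frames, the inside network (10.0.0.0/8) and the addresses are assumptions, and sequence numbers are ignored to keep the state machine to three transitions.

```python
"""Worked example (added; not from the slides): a minimal stateful-inspection filter
that admits inbound packets only when they belong to a connection whose SYN,
SYN/ACK, ACK sequence has been seen in the right order.

Assumptions: packets are constructed dicts, not parsed from a wire capture; the
inside network is 10.0.0.0/8; only TCP flags are checked (no sequence numbers)."""

import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")
# State machine for a connection initiated from inside to outside.
NEXT = {                   # (state, direction, flags) -> new state
    ("NEW", "out", "SYN"): "SYN_SENT",
    ("SYN_SENT", "in", "SYN/ACK"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "out", "ACK"): "ESTABLISHED",
}


class StatefulFilter:
    def __init__(self):
        self.table = {}    # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def _key_and_direction(pkt):
        """Normalise both directions of a flow onto one table key."""
        if ipaddress.ip_address(pkt["src"]) in INSIDE:
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), "out"
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]), "in"

    def inspect(self, pkt):
        """Return 'ALLOW' or 'DROP' and update the connection table."""
        key, direction = self._key_and_direction(pkt)
        state = self.table.get(key, "NEW")
        if state == "ESTABLISHED":
            if pkt["flags"] in ("ACK", "PSH/ACK", "FIN/ACK"):
                if pkt["flags"] == "FIN/ACK":
                    self.table.pop(key, None)   # tear the entry down
                return "ALLOW"
            return "DROP"
        new_state = NEXT.get((state, direction, pkt["flags"]))
        if new_state is None:
            return "DROP"           # out-of-sequence, or unsolicited inbound
        self.table[key] = new_state
        return "ALLOW"


def run(filter_, packets):
    return [filter_.inspect(p) for p in packets]


# Constructed traffic: a legitimate handshake from inside, then an unsolicited
# SYN/ACK (and data) from outside to a host that never sent a SYN.
HANDSHAKE = [
    {"src": "10.1.1.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "flags": "SYN"},
    {"src": "203.0.113.9", "sport": 443, "dst": "10.1.1.5", "dport": 51000, "flags": "SYN/ACK"},
    {"src": "10.1.1.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "flags": "ACK"},
    {"src": "203.0.113.9", "sport": 443, "dst": "10.1.1.5", "dport": 51000, "flags": "PSH/ACK"},
]
UNSOLICITED = [
    {"src": "198.51.100.7", "sport": 443, "dst": "10.1.1.8", "dport": 40000, "flags": "SYN/ACK"},
    {"src": "198.51.100.7", "sport": 443, "dst": "10.1.1.8", "dport": 40000, "flags": "PSH/ACK"},
]

if __name__ == "__main__":
    f = StatefulFilter()
    print(run(f, HANDSHAKE))     # ['ALLOW', 'ALLOW', 'ALLOW', 'ALLOW']
    print(run(f, UNSOLICITED))   # ['DROP', 'DROP']
```

A stateless packet filter looking at the fourth packet in isolation sees only "inbound from port 443 with ACK set" and would have to allow or deny every such packet; the stateful version allows it solely because of the three packets that preceded it.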

Page 40

Access Control Techniques

Used to support access control models

Constrained User Interfaces – Restrict users’ access by not allowing them to request certain information, functions, or access to specific resources

3 types:

1. Menus and shells

Menus are set up by system administrators to restrict a user’s view of options; shells are restricted to only the commands the user can execute

2. Database views

These are set up by database administrators so users cannot see fields that require a level of confidentiality they do not possess

3. Physically constrained interfaces

These are set up to provide users only certain keys on the keypad or certain touch-screen buttons they are permitted to use

Page 41:

Access Control Techniques

Used to support the access control models

• Access control matrix – Table of subjects and objects that specify their access relationships

• Access control list – Bound to an object, indicating which subjects can access it and through what operations

• Capabilities table – Bound to a subject, indicating which objects it can access and with what operations

• Content-based access – Access decisions based on the sensitivity of the data and the subject’s identity

• Context-based access – Access decisions based on the state of the situation, not only on content sensitivity and the subject’s identity
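The matrix, ACL and capability table on this slide are three views of the same information; the added example below (not from the slides) derives the object-bound ACLs and the subject-bound capability lists from one constructed matrix and checks that both views give the same decisions.

```python
# Added example: one access control matrix, read column-wise (ACLs, bound to
# objects) and row-wise (capability tables, bound to subjects).
from collections import defaultdict

# Constructed sample matrix: subject -> object -> permitted operations
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}

def acls_from_matrix(matrix):
    """ACL view: for each object, which subjects may perform which operations."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, ops in row.items():
            acls[obj][subject] = set(ops)
    return dict(acls)

def capabilities_from_matrix(matrix):
    """Capability view: for each subject, the objects and operations it holds."""
    return {s: {o: set(ops) for o, ops in row.items()} for s, row in matrix.items()}

def permitted_by_acl(acls, subject, obj, op):
    # Object-side decision: the reference monitor consults the object's ACL.
    return op in acls.get(obj, {}).get(subject, set())

def permitted_by_capability(caps, subject, obj, op):
    # Subject-side decision: the subject presents its capability list.
    return op in caps.get(subject, {}).get(obj, set())

def views_agree(matrix):
    """Every (subject, object, operation) cell must decide identically in both views."""
    acls, caps = acls_from_matrix(matrix), capabilities_from_matrix(matrix)
    objects = {o for row in matrix.values() for o in row}
    return all(
        permitted_by_acl(acls, s, o, op) == permitted_by_capability(caps, s, o, op)
        for s in matrix for o in objects for op in ("read", "write", "execute")
    )
```

Revoking one subject's access to one object is a single ACL edit, while finding everything one subject can reach is a single capability lookup; the same matrix cell is cheap to find in one view and expensive in the other.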

Page 42:

Centralized Remote Access Control Technologies

Use what is referred to as the “AAA Protocol” (triple A)

• Authentication, Authorization, and Auditing (or Accounting)

• Early traditional AAA protocols include (more on these and their improvements later…):

• Password Authentication Protocol (PAP)

• Challenge Handshake Authentication Protocol (CHAP)

• Extensible Authentication Protocol (EAP)

RADIUS – Remote Authentication Dial-In User Service

TACACS – Terminal Access Controller Access Control System

Diameter

Page 43:

RADIUS - Remote Authentication Dial-In User Service

Network protocol providing:

• Client/server authentication, authorization and audits of remote users

• Single administered entry point, with standardized security and simple way to track usage and network statistics

• Created by Livingston Enterprises – then published as a set of open protocol standards (RFC 2865 and RFC 2866)

• Today:

• Most Internet Service Providers (ISPs) use RADIUS to authenticate their customers before they are provided access to the Internet

• Many corporations use RADIUS to allow road warriors and home-user employees to access their network resources

Harris, S. and Maymi F. (2016) All in One CISSP Exam Guide, Seventh Edition, McGraw Hill Education

Page 44:

RADIUS - Remote Authentication Dial-In User Service

• The access server and user’s software negotiate a handshake procedure and agree on an authentication protocol (PAP, CHAP, or EAP)

• User provides username and password to the access server via a Point-to-Point Protocol (PPP) connection

• Access server and RADIUS server communicate over the RADIUS protocol

• Once the authentication is properly completed

• User system is given an IP address and connection parameters, and corporate users are provided a preconfigured profile to control which resources they can access

• User credentials and configurations can be held in LDAP (Lightweight Directory Access Protocol) servers, databases or text files

Page 45:

RADIUS - Remote Authentication Dial-In User Service

• Uses UDP (connectionless)

• Requires RADIUS to have more code to detect and correct transmission errors (packet corruption, long timeouts, or dropped packets)

• Encrypts users’ password only when transmitted from RADIUS client to RADIUS server

• Other information is passed in clear text: username, accounting and authorized services

• Open invitation for attackers to capture session information for replay attacks

• Vendors who integrated RADIUS into their products must understand the weaknesses and add additional security capabilities into their products

• Combined authentication and authorization functionality limits flexibility…
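To make the "only the password is protected" point concrete, the added example below (not from the slides, and not vendor code) builds an Access-Request the way RFC 2865 describes: User-Password is hidden with MD5 over the shared secret and the Request Authenticator (RFC 2865 section 5.2), while User-Name and every other attribute travel as plain text. The shared secret, authenticator and credentials are constructed values.

```python
# Added example: RFC 2865 Access-Request with User-Password hiding.
import hashlib, os, struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RFC 2865 code and attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first block keyed by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server computes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(type_: int, value: bytes) -> bytes:
    # Type, Length (includes the 2 header octets), Value
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # 16-octet Request Authenticator
    attrs = (attr(USER_NAME, username) +
             attr(USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def attributes(packet: bytes) -> dict:
    """Parse the attribute list so a reader can see which fields are clear text."""
    found, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        found[t] = packet[i + 2:i + length]
        i += length
    return found
```

Anyone who can read the datagram sees User-Name and the accounting fields directly, and the whole scheme rests on the strength of the shared secret, which is why the slide points to added protections at the product level.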

Page 46:

TACACS – Terminal Access Controller Access Control System

3 generations

1. TACACS

• Combines authentication and authorization processes

• Uses fixed passwords for authentication

2. XTACACS (Extended TACACS)

• Separates authentication, authorization and auditing processes

3. TACACS+

• Is a different protocol than TACACS and XTACACS

Harris, S. and Maymi F. (2016) All in One CISSP Exam Guide, Seventh Edition, McGraw Hill Education

Page 47:

TACACS+

• Has 2-factor authentication

• Allows users to use one-time (dynamic) passwords for more protection

• Similar functionality as RADIUS but uses TCP

• Does not need extra code to deal with transmission problems, unlike RADIUS, which uses UDP

• Encrypts all data between client and server

• Does not have the vulnerabilities inherent in RADIUS

• Uses a true authentication, authorization and accounting/audit (AAA) architecture that separates the 3 functions to provide network administrators more flexibility in how remote users are authenticated

• Can work with alternative authentication servers (e.g. if Kerberos is used in the organization for authentication then it can be used by TACACS+; alternatively, if Active Directory is used for local users then that can be used)

• Can define more granular user profiles to control the specific commands users can carry out

• Is a protocol with more Attribute Value Pairs (AVPs) than RADIUS

• Enabling network administrators to use them to define ACL filters, user privileges and more…

Page 48:

RADIUS versus TACACS+

TACACS+ is a better choice for corporate networks needing better authentication and control of authorization

Harris, S. and Maymi F. (2016) All in One CISSP Exam Guide, Seventh Edition, McGraw Hill Education

Page 49:

Diameter – “twice the radius”

• Enhanced AAA protocol providing similar functionality as RADIUS and TACACS+, but with greater flexibility and capabilities

• Consists of 2 portions:

• Base protocol – secure communication among Diameter entities, feature discovery and version negotiation

• Extensions – allowing various technologies to use Diameter authentication, authorization and auditing capabilities

• Supports interoperability with wireless devices, smartphones, Voice over IP (VoIP), Mobile IP (coordinates transfer of traffic between care-of address and home IP address)

• Peer-based protocol

• Not client/server (which requires client and server to take turns sending data between them)

• Either end can initiate communication

Page 50:

Diameter – “twice the radius”

• Authentication

• PAP, CHAP, EAP

• End-to-end protection of authentication information

• Replay attack protection

• Authorization

• Redirects, secure proxies, relays, and brokers

• State reconciliation

• Unsolicited disconnect

• Reauthorization on demand

• Accounting/Auditing

• Reporting, roaming operations (ROAMOPS) accounting, event monitoring

Page 51:

Diameter Versus RADIUS

Liu, J., Kiang, S., and Lin, H. (2006) “Introduction to Diameter – Get the next generation AAA protocol”, IBM developerWorks

Page 52:

Agenda

• Project

• Authentication – Biometrics

• Access Control Models

• Access Control Techniques

• Centralized Remote Access Control Technologies