Access Control Systems & Methodology

Report
Access Control Systems
& Methodology
CISSP
1
Topics to be covered
Overview
 Tokens/SSO
 Access control
 Kerberos
implementation
 Attacks/Vulnerabilities/Monitoring
 Types of access control  IDS
 Object reuse
 MAC & DAC
 TEMPEST
 Orange Book
 RAS access control
 Authentication
 Penetration Testing
 Passwords
 Biometrics

2
What is access control?


Access control is the traditional center of
security
Definitions:



The ability to allow only authorized users, programs or
processes system or resource access
The granting or denying, according to a particular security
model, of certain permissions to access a resource
An entire set of procedures performed by hardware,
software and administrators, to monitor access, identify
users requesting access, record access attempts, and grant
or deny access based on pre-established rules.
3
Access control nomenclature

Authentication


Identification


Protection of private data from unauthorized viewing
Integrity


Process through which one ascertains the identity of another
person or entity
Confidentiality


Process through which one proves and verifies certain information
Data is not corrupted or modified in any unauthorized manner
Availability

System is usable. Contrast with Denial of Service (DOS)
4
How can AC be implemented?


Hardware
Software




Application
Protocol (Kerberos, IPSec)
Physical
Logical (policies)
5
Why access control does not
work?


?
?
What does AC hope to protect?


Data - Unauthorized viewing, modification or
copying
System - Unauthorized use, modification or
denial of service


It should be noted that nearly most network
operating system is based on a secure physical
infrastructure
The easiest way to protect data is not to have it
one the system. Make it some-one else’s problem.
7
Proactive access control









Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures
8
Physical access control









Guards
Locks
Mantraps
ID badges
Digital Carmeras, sensors, alarms
Biometrics
Fences - the higher the voltage the better
Card-key and tokens
Guard dogs
9
AC & privacy issues





Expectation of privacy
Policies
Monitoring activity, Internet usage, email
Login banners should detail
expectations of privacy and state levels
of monitoring
HIPPA
10
Varied types of Access Control




Discretionary (DAC)
Mandatory (MAC)
Lattice/Role/Task
Formal models:




Biba
Take/Grant
Clark/Wilson
Bell/LaPadula


Used set theory to define the concept of a secure state, the
modes of access, and the rules for granting access.
Not Real Useful, but part of the test!
11
Problems with formal models




Based on a static infrastructure
Defined and succinct policies
These do not work in corporate systems which are
extremely dynamic and constantly changing
None of the previous models deals with:





Viruses/active content
Trojan horses
firewalls
Limited documentation on how to build these systems
Last Generation
12
MAC vs. DAC

Discretionary Access Control


You decided how you want to protect and
share your data
Mandatory Access Control

The system decided how the data will be
shared
13
Mandatory Access Control

Assigns sensitivity levels,






Secret, Confidential .. (AKA labels)
Every object is given a sensitivity label & is accessible
only to users who are cleared up to that particular level.
Only the administrators, not object owners, make change
the object level
Generally more secure than DAC
Orange book B-level
Used in systems where security is critical, i.e., military
14
Mandatory Access Control
(Continued)




Downgrade in performance
Relies on the system to control access
Example: If a file is classified as confidential, MAC
will prevent anyone from writing secret or top secret
information into that file.
All output, i.e., print jobs, floppies, other magnetic
media must have be labeled as to the sensitivity level
15
Discretionary Access Control





Access is restricted based on the
authorization granted to the user
Orange book C-level
Prime use to separate and protect users
from unauthorized data
Used by Unix and Windows.
Relies on the object owner to control
access
16
Access control lists (ACL)



A file used by the access control system to
determine who may access what programs
and files, in what method and at what time
Different operating systems have different
ACL terms
Types of access:

Read/Write/Create/Execute/Modify/Delete/Rename
17
Standard UNIX file permissions
Permission
R (read)
X (execute)
W (write)
Allowed action, if
Allow action if object is a
object is a file
directory
Reads contents of a file List contents of the directory
Execute file as a program Search the directory
Change file contents
Add, rename, create files and
subdirectories
18
Standard Sharing - Changing
19
Orange Book



DoD Trusted Computer System Evaluation
Criteria, DoD 5200.28-STD, 1983
Provides the information needed to classify
systems (A,B,C,D), defining the degree of
trust that may be placed in them
For stand-alone systems only
20
Orange book levels

A - Verified protection



B - MAC



B1/B2/B3
MVS w/ s, ACF2 or TopSecret, Trusted IRIX
C - DAC



A1
Boeing SNS, Honeywell SCOMP
C1/C2
DEC VMS, NT, NetWare, Trusted Solaris
D - Minimal security. Systems that have been evaluated, but
failed
21
Problems with the Orange Book


Based on an old model, Bell-LaPadula
Stand alone




network systems extensions exist
Systems take a long time
Certification is expensive
For the most part, not used outside of
the government sector
22
Red Book


Used to extend the Orange Book to networks
Actually two works:


Trusted Network Interpretation of the TCSEC
(NCSC-TG-005)
Trusted Network Interpretation Environments
Guideline: Guidance for Applying the Trusted
Network Interpretation (NCSC-TG-011)
23
Authentication
3 types of authentication:

Something you know - Password, PIN,
mother’s maiden name, passcode, fraternity
chant

Something you have - ATM card, smart card,
token, key, ID Badge, driver license, passport

Something you are - Fingerprint, voice scan,
iris scan, retina scan, body odor, DNA
24
Confidentiality Integrity
Availability
Multi-factor authentication

2-factor authentication. To increase the level of
security, many systems will require a user to
provide 2 of the 3 types of authentication.





ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT default)
3-factor authentication -- For higher security


Username + Passcode + SecurID token
Username + Password + Fingerprint
26
Problems with passwords

Insecure - Given the choice, people will choose easily remembered and
hence easily guessed passwords such as names of relatives, pets,
phone numbers, birthdays, hobbies, etc.

Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack
& l0phtcrack can easily decrypt Unix, NetWare & NT passwords.

Dictionary attacks are only feasible because users choose easily guessed
passwords!

Inconvenient - In an attempt to improve security, organizations often
issue users with computer-generated passwords that are difficult, if not
impossible to remember

Repudiable - Unlike a written signature, when a transaction is signed
with only a password, there is no real proof as to the identity of the
individual that made the transaction
27
Classic password rules


The best passwords are those that are both easy to
remember and hard to crack using a dictionary attack.
Don’t use:





common names, DOB, spouse, phone #, etc.
word found in dictionaries
password as a password
systems defaults
Those trying break passwords have access to most
password rules in their tool kit!
28
Password management







Configure system to use string passwords
Set password time and lengths limits
Limit unsuccessful logins
Limit concurrent connections
Enabled auditing
How policies for password resets and changes
Use last login dates in banners
29
Password Attacks


See if it is “password”
Brute force


Dictionary



l0phtcrack
Crack
John the Ripper
Trojan horse login program
30
Biometrics


Authenticating a user via human
characteristics
Using measurable physical characteristics of a
person to prove their identification







Fingerprint
signature dynamics
Iris
retina
voice
face
DNA, blood
31
Advantages of hand / fingerprintbased biometrics
•
Can’t be lent like a physical key or token and can’t be
forgotten like a password
•
Good compromise between ease of use, template
size, cost and accuracy
•
Fingerprint contains enough inherent variability to
enable unique identification even in very large
(millions of records) databases
•
Basically lasts forever -- or at least until amputation
or dismemberment
•
Makes network login & authentication effortless
32
Biometric Disadvantages

Still relatively expensive per user

Cost is going down!

Companies & products are often new &
immature

Some hesitancy for user acceptance

After 9-11, some thoughts towards use at
airport security.
33
Biometric privacy issues

Tracking and surveillance - Ultimately, the ability to
track a person's movement from hour to hour

Anonymity - Biometric links to databases could
dissolve much of our anonymity when we travel and
access services

Profiling - Compilation of transaction data about a
particular person that creates a picture of that
person's travels, preferences, affiliations or beliefs
34
U.S. Airports Now
Fingerprint Foreigners

Foreigners arriving
at U.S. airports were
photographed and
had their
fingerprints scanned
Monday in the start
of a government
effort to use some of
the latest
surveillance
technology to keep
terrorists out of the
country.
Practical biometric

Network access control

Staff time and attendance tracking

Authorizing financial transactions

Government benefits distribution (Social Security, welfare, etc.)

Verifying identities at point of sale

Using in conjunction with ATM , credit or smart cards

Controlling physical access to office buildings or homes

Protecting personal property

Prevent against kidnapping in schools, play areas, etc.

Protecting children from fatal gun accidents

Voting/passports/visas & immigration
36
Tokens






Used to facilitate one-time passwords
Physical card
SecurID
S/Key
Smart card
Access token
37
Single sign-on




User has one password for all enterprise
systems and applications
That way, one strong password can be
remembered and used
All of a users accounts can be quickly created
on hire, deleted on dismissal
Kerberos, CA-Unicenter, Memco Proxima,
IntelliSoft SnareWorks, Tivoli Global Sign-On,
x.509
38
Kerberos







Part of MIT’s Project Athena
Currently in version 5
Kerberos is an authentication protocol used for
networkwide authentication
All software must be kerberized
Tickets, authenticators, key distribution center (KDC)
Divided into realms
Kerberos is the three-headed dog that guards the
entrance to Hades (this won’t be on the test)
39
Attacks

Passive attack - Monitor network traffic and then use
data obtained or perform a replay attack.


Active attack - Attacker is actively trying to break-in.




Hard to detect
Exploit system vulnerabilities
Spoofing
Crypto attacks
Denial of service (DoS) - Not so much an attempt to
gain access, rather to prevent system operation


Smurf, SYN Flood, Ping of death
Mail bombs
40
Vulnerabilities



Follow the Money!
Physical
Natural



Hardware/Software
Media




Floods, earthquakes, terrorists, power outage, lightning
Corrupt electronic media, stolen disk drives
Emanation
Communications
Human

Social engineering, disgruntled staff
41
Monitoring




IDS
Logs
Audit trails
Network tools



Tivoli
Spectrum
OpenView
42
Intrusion Detection Systems




IDS monitors system or network for
attacks
IDS engine has a library and set of
signatures that identify an attack
Adds defense in depth
Should be used in conjunction with a
system scanner
43
Object reuse


With Compact Disks – One-Time Write not much of an issue;
with tapes, floppies, read/write CDs
Sample Rules





Must ensure that magnetic media must not have any remnance of
previous data
Also applies to buffers, cache and other memory allocation
Documents recently declassified as to how 10-pass writes were
recovered
Objects must be declassified
Magnetic media must be degaussed or have secure overwrites
44
TEMPEST - DoD






Electromagnetic emanations from keyboards, cables, printers,
modems, monitors and all electronic equipment. With appropriate
and sophisticated enough equipment, data can be readable at a
few hundred yards.
TEMPEST certified equipment, which encases the hardware into a
tight, metal construct, shields the electromagnetic emanations
WANG Federal is the leading provider of TEMPEST hardware
TEMPEST hardware is extremely expensive and can only be
serviced by certified technicians
Rooms & buildings can be TEMPEST-certified
TEMPEST standards NACSEM 5100A NACSI 5004 are classified
documents
45
Banners


Mostly to protect provider – no one reads them
Some Reasons



Banners display at login or connection stating that the
system is for the exclusive use of authorized users and that
their activity may be monitored
Not foolproof, but a good start, especially from a legal
perspective
Make sure that the banner does not reveal system
information, i.e., OS, version, hardware, etc.
46
Penetration Testing

Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies







Discovery and footprint analysis
Exploitation
Physical Security Assessment
Social Engineering
Attempt to identify vulnerabilities and gain access to critical systems within
organization
Identifies and recommends corrective action for the systemic problems
which may help propagate these vulnerabilities throughout an organization
Assessments allow client to demonstrate the need for additional security
resources, by translating exiting vulnerabilities into real life business risks
47
Rule of least privilege


One of the most fundamental principles of infosec
States that: Any object (user, administrator, program,
system) should have only the least privileges the object
needs to perform its assigned task, and no more.



An AC system that grants users only those rights
necessary for them to perform their work
Limits exposure to attacks and the damage an attack
can cause
Physical security example: car ignition key vs. door key
48
Implementing least privilege



Ensure that only a minimal set of users have
access to full system.
Don’t run insecure programs on the firewall
or other trusted host.
Lots more!
49

similar documents