Access Control

The security features that control how users and systems communicate and interact with one another.

The flow of information between subject and object

An active entity that requests access to an object or the data in an object

A passive entity that contains information

Method of establishing the subject’s (user, program, process) identity.

Use of user name, user ID, account number, or other public information.

• Method of proving the identification information
• Something a person is, has, or does.
• Use of biometrics, passwords, passphrase, token, or other private information.

Using Criteria to make a determination of operations that subjects can carry out on objects.

e.g. "I know who you are .. what am I willing to let you to do?"

Audit logs and monitoring to track user activity

A biometric system rejects an authorized user.

The system accepts an impostor that should be rejected.

Rating stated as a percentage represents the point at which the false rejection rate equals the false acceptance rate.

• Fingerprint
• Palm Scan
• Hand Geometry
• Iris Scan - mpst accurate
• Signature Dynamics
• Keyboard Dynamics
• Voice Print
• Facial Scan
• Hand Topography

• Electronic Monitoring - replay attack
• Access to Password file
• Brute Force
• Dictionary
• Social Engineering
• Rainbow tables

• Password checker
• Password hashing andencryption
• Password aging
• Limit logon attempts

Answer to several questions to verify a person's identity

Used for temporary authentication and then not able to be used again - resetting of password

• RSA - time-based
• Time on token device and secret key create the one-time password - Authentication service and tokent device must share the same time within the internal clocks.

counter-synchronization - push button on token device, next authentication value,

BOTH token device and authentication service must share the same secret key base for encryption and decryption

• 1. Challange value to end-user
• 2. End user enters challenge value and pin into token device
• 3. Token device presents different value
• 4. User enters new value into workstation
• 5. Value is sent to authentication server which is expecting a certain value

• Is a sequence of characters that is longer than a password.
• Takes the place of a password.
• Can be more secure than a password because it is more complex.

Memory Cards: Holds authentication information - but cannot process information. (ATM card)

Holds authentication information and can process information.

• Contact - gold seal - must be inserted into card reader
• Contactless - has an antennea that broadcasts information to reader once within a certain electromagnetc field

• Hybrid - contactless smart card that has two processors which can interact with eitehr the contact or contactless formats
• Combi - one microprocessor chip that can interact with both contact and contactless

• Fault Generation - presenting a smart card with an error in order to reveal the encryption function and possibly uncovering the encryption key
• Microprobing - Remove protective materia of smart card and gain direct access to data on card's ROM chips
• Side Channel Attacks (nonintrusive attacks)
• Differential Power Analysis - examining the power emitted during processing
• Electromagnetic Analysis - examining the frequencies emitted
• Timing
• Software attacks

• Roles
• Groups
• Location
• Time
• Transaction Types

• Authorization Creep
• Default to Zero
• Need to Know Principle
• Access Control Lists

• KDC - Key distriburtion Center
• principles - users, applications
• TGS - Ticket Granting Service
• TGT - Ticket Granting Ticket

• Kerberos - Authentication Protocol that uses KDC (key distribution center) and tickets, and is based on symmectric key encryption
• Sesame - Authentication Protocal that uses PAS(Privileged Attribute Server) and PAC (Privilege Attribute Certificates)s, and is based on asymmectric and symmectric cryptography
• Security Domains - resources working under the same security policy and managed by the same group
• Directory Services - network directory service provides information about network resources
• Dumb Terminals - Thin client - terminals that rely on a central server for access control, processing, and storage

Enables owner of the resource to specify which subjects can can access specific resources

Access control is at the discretion of the owner.

Access control is based on a security labeling system.

Users have security clearances and resources have security labels that contain data classifications.

This model is used in environments where information classification and confidentiality is very important (e.g., the military).

Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.

Is the best system for an organization that has high turnover.

• Rule Based Access Control- Restricts user access attempts by predefined rules
• Constrained User Interfaces (ristricted interface) - limites user environment within the system - reduces access to objects
• Access Control Matrix - table of subjects and objects which outlines their access relationships (Bound to object)
• Content Dependent Access Control - Bases access decisciions depending on sensitivity of data, and not subject identity
• Context Dependent Access Control - Bases access decisions depending on the state of the situation and not solely on identity or content sensitivity
• Capability Table - Bound to a subject and indicates what objects that subject can access (bound to subject)
• ACL - bound to an object and indicates what subject can access it

• Radius (UDP) - only encrypts the password, Authentication and authorization services are combined, single challange response,
• TACACs (TCP) - all traffic is encrypted, AAA support (Authentication, authorizaiton, and auditing are seperate),
• Diameter - learn later if applicable - Based on Radius but better

• Gives control of access to the people who are closer to the resources
• Has no methods for consistent control, lacks proper consistency.

• Policy and Procedure
• Personnel Controls
• Separation of Duties
• Rotation of Duties
• Mandatory Vacation
• Supervisory Structure
• Security Awareness Training
• Testing

• Network Segregation
• Perimeter Security
• Computer Controls
• Work Area Separation
• Data Backups
• Cabling
• Control Zone

• System Access
• Network Architecture
• Network Access
• Encryption and protocols
• Auditing

• Prevent
• Detect
• Correct
• Deter
• Recover
• Compensate

• Preventative Administrative Controls
• Includes policies, hiring practices, security awareness

• Preventative Physical Controls
• Includes badges, swipe cards, guards, fences

Preventative Technical ControlsIncludes passwords, encryption, antivirus software

Accountability is tracked by recording user, system, and application activities.

• Audit information must be reviewed
• Event Oriented Audit Review
• Real Time and Near Real Time Review
• Audit Reduction Tools
• Variance Detection Tools
• Attack Signature Tools

• Deny access to anonymous accounts
• Enforce strict access criteria
• Suspend inactive accounts
• Replace default passwords
• Enforce password rotation
• Audit and review
• Protect audit logs

• Object Reuse - data stored on device or memory
• Data Hiding

• Tempest - DOD - typically for military purposes
• White Noise - emits white noise so that the data cannot be deciphered
• Control Zone - create barrier on ceiling and walls so that data cannot be deciphered

• Network based - monitors network traffic in promiscuous mode
• host based - installed on machine and monitors activity on the server

• Signature Based - pattern matching, stateful matching
• Anomoly Based - Statistical Anomaly Based, Protocol Anomaly Based, Traffic Anomaly Based
• Rule Based - expert system - with knowledge base, inference engine, rule-based programming

Intrusion Prevention System - Detect activity and not allow access to resource

• Three Common Components:
• Sensors
• Analyzers
• Administrator Interfaces

• Common Types
• Intrusion Detection
• Intrusion Prevention
• Honeypots
• Network Sniffers

• Dictionary Attacks
• Countermeasures include strong password policies, strong authentication, intrusion detection and prevention

• Brute Force Attacks
• Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels

• Spoofing at Logon
• Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection