The security features that control how users and systems communicate and interact with one another.
The flow of information between subject and object
An active entity that requests access to an object or the data in an object
A passive entity that contains information
Method of establishing the subject’s (user, program, process) identity.
Use of user name, user ID, account number, or other public information.
- Method of proving the identification information
- Something a person is, has, or does.
- Use of biometrics, passwords, passphrase, token, or other private information.
Using criteria to determine which operations subjects can carry out on objects.
e.g. "I know who you are .. what am I willing to let you do?"
Audit logs and monitoring to track user activity
biometrics - type I error
A biometric system rejects an authorized user.
biometrics - type II error
The system accepts an impostor that should be rejected.
Cross-over Error Rate (CER) or Equal Error Rate (EER)
Rating stated as a percentage represents the point at which the false rejection rate equals the false acceptance rate.
Types of Biometrics
- Palm Scan
- Hand Geometry
- Iris Scan - most accurate
- Signature Dynamics
- Keyboard Dynamics
- Voice Print
- Facial Scan
- Hand Topography
- Electronic Monitoring - replay attack
- Access to Password file
- Brute Force
- Social Engineering
- Rainbow tables
- Password checker
- Password hashing and encryption
- Password aging
- Limit logon attempts
Answer to several questions to verify a person's identity
Used for temporary authentication and then not able to be used again - resetting of password
Synchronous Token Device
- RSA - time-based
- Time on token device and secret key create the one-time password - Authentication service and token device must share the same time within the internal clocks.
counter-synchronization - push button on token device, next authentication value
BOTH token device and authentication service must share the same secret key base for encryption and decryption
- 1. Challenge value to end-user
- 2. End user enters challenge value and pin into token device
- 3. Token device presents different value
- 4. User enters new value into workstation
- 5. Value is sent to authentication server which is expecting a certain value
- Is a sequence of characters that is longer than a password.
- Takes the place of a password.
- Can be more secure than a password because it is more complex.
Memory Cards: Holds authentication information - but cannot process information. (ATM card)
Holds authentication information and can process information.
- Contact - gold seal - must be inserted into card reader
- Contactless - has an antenna that broadcasts information to reader once within a certain electromagnetic field
- Hybrid - contactless smart card that has two processors which can interact with either the contact or contactless formats
- Combi - one microprocessor chip that can interact with both contact and contactless
Attacks on Smart Cards
- Fault Generation - presenting a smart card with an error in order to reveal the encryption function and possibly uncovering the encryption key
- Microprobing - Remove protective material of smart card and gain direct access to data on card's ROM chips
- Side Channel Attacks (nonintrusive attacks)
- Differential Power Analysis - examining the power emitted during processing
- Electromagnetic Analysis - examining the frequencies emitted
- Software attacks
- Transaction Types
- Authorization Creep
- Default to Zero
- Need to Know Principle
- Access Control Lists
- KDC - Key Distribution Center
- principals - users, applications
- TGS - Ticket Granting Service
- TGT - Ticket Granting Ticket
Single Sign-On Technologies
- Kerberos - Authentication Protocol that uses KDC (key distribution center) and tickets, and is based on symmetric key encryption
- Sesame - Authentication Protocol that uses PAS (Privileged Attribute Server) and PACs (Privilege Attribute Certificates), and is based on asymmetric and symmetric cryptography
- Security Domains - resources working under the same security policy and managed by the same group
- Directory Services - network directory service provides information about network resources
- Dumb Terminals - Thin client - terminals that rely on a central server for access control, processing, and storage
Discretionary Access Control
Enables owner of the resource to specify which subjects can access specific resources
Access control is at the discretion of the owner.
Mandatory Access Control
Access control is based on a security labeling system.
Users have security clearances and resources have security labels that contain data classifications.
This model is used in environments where information classification and confidentiality is very important (e.g., the military).
Non-Discretionary (Role Based) Access Control Models (RBAC)
Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.
Is the best system for an organization that has high turnover.
Access Controls Techniques
- Rule Based Access Control- Restricts user access attempts by predefined rules
- Constrained User Interfaces (restricted interface) - limits user environment within the system - reduces access to objects
- Access Control Matrix - table of subjects and objects which outlines their access relationships (Bound to object)
- Content Dependent Access Control - Bases access decisions on sensitivity of data, and not subject identity
- Context Dependent Access Control - Bases access decisions depending on the state of the situation and not solely on identity or content sensitivity
- Capability Table - Bound to a subject and indicates what objects that subject can access (bound to subject)
- ACL - bound to an object and indicates what subject can access it
Centralized Access Control
- RADIUS (UDP) - only encrypts the password, Authentication and authorization services are combined, single challenge response
- TACACS+ (TCP) - all traffic is encrypted, AAA support (Authentication, authorization, and auditing are separate)
- Diameter - learn later if applicable - Based on Radius but better
Decentralized Access Control Administration
- Gives control of access to the people who are closer to the resources
- Has no methods for consistent control, lacks proper consistency.
Administrative Access Controls
- Policy and Procedure
- Personnel Controls
- Separation of Duties
- Rotation of Duties
- Mandatory Vacation
- Supervisory Structure
- Security Awareness Training
- Network Segregation
- Perimeter Security
- Computer Controls
- Work Area Separation
- Data Backups
- Control Zone
Technical (Logical) Controls
- System Access
- Network Architecture
- Network Access
- Encryption and protocols
Access Control Functionalities
Preventative Access Controls
- Preventative Administrative Controls
- Includes policies, hiring practices, security awareness
- Preventative Physical Controls
- Includes badges, swipe cards, guards, fences
- Preventative Technical Controls
- Includes passwords, encryption, antivirus software
Accountability is tracked by recording user, system, and application activities.
- Audit information must be reviewed
- Event Oriented Audit Review
- Real Time and Near Real Time Review
- Audit Reduction Tools
- Variance Detection Tools
- Attack Signature Tools
Access control Best practices
- Deny access to anonymous accounts
- Enforce strict access criteria
- Suspend inactive accounts
- Replace default passwords
- Enforce password rotation
- Audit and review
- Protect audit logs
Unauthorized Disclosure of Information
- Object Reuse - data stored on device or memory
- Data Hiding
- Tempest - DOD - typically for military purposes
- White Noise - emits white noise so that the data cannot be deciphered
- Control Zone - create barrier on ceiling and walls so that data cannot be deciphered
Intrusion Detection - Network vs. host
- Network based - monitors network traffic in promiscuous mode
- host based - installed on machine and monitors activity on the server
HIDS and NIDS can be:
- Signature Based - pattern matching, stateful matching
- Anomaly Based - Statistical Anomaly Based, Protocol Anomaly Based, Traffic Anomaly Based
- Rule Based - expert system - with knowledge base, inference engine, rule-based programming
Intrusion Prevention System - Detect activity and not allow access to resource
Intrusion Detection - Components
- Three Common Components:
- Administrator Interfaces
- Common Types
- Intrusion Detection
- Intrusion Prevention
- Network Sniffers
Security Threats to Access Control
- Dictionary Attacks
- Countermeasures include strong password policies, strong authentication, intrusion detection and prevention
- Brute Force Attacks
- Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels
- Spoofing at Logon
- Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection