Access Control

  1. Access Controls
    The security features that control how users and systems communicate and interact with one another.
  2. Access Control
    The flow of information between subject and object
  3. Subject
    An active entity that requests access to an object or the data in an object
  4. Object
    A passive entity that contains information
  5. Identification
    Method of establishing the subject’s (user, program, process) identity.

    Use of user name, user ID, account number, or other public information.
  6. Authentication
    • Method of proving the identification information
    • Something a person is, has, or does.
    • Use of biometrics, passwords, passphrase, token, or other private information.
  7. Authorization
    Using criteria to determine which operations subjects are allowed to carry out on objects.

    e.g. "I know who you are .. what am I willing to let you do?"
  8. Accountability
    Audit logs and monitoring to track user activity
  9. biometrics - type I error
    A biometric system rejects an authorized user.
  10. biometrics - type II error
    The system accepts an impostor that should be rejected.
  11. Cross-over Error Rate (CER) or Equal Error Rate (EER)
    Rating stated as a percentage represents the point at which the false rejection rate equals the false acceptance rate.
  12. Types of Biometrics
    • Fingerprint
    • Palm Scan
    • Hand Geometry
    • Iris Scan - most accurate
    • Signature Dynamics
    • Keyboard Dynamics
    • Voice Print
    • Facial Scan
    • Hand Topography
  13. Password attacks
    • Electronic Monitoring - replay attack
    • Access to Password file
    • Brute Force
    • Dictionary
    • Social Engineering
    • Rainbow tables
  14. Password controls
    • Password checker
    • Password hashing and encryption
    • Password aging
    • Limit logon attempts
  15. Cognitive passwords
    Answer to several questions to verify a person's identity
  16. one-time password
    Used for a single authentication and cannot be used again afterward (e.g., when resetting a password).
  17. Synchronous Token Device
    • RSA - time-based
    • The time on the token device and a secret key generate the one-time password; the authentication service and the token device must keep their internal clocks synchronized.

    Counter-synchronization - pressing a button on the token device advances to the next authentication value.

    BOTH token device and authentication service must share the same secret key base for encryption and decryption
  18. Asynchronous Token
    • 1. Challenge value sent to end user
    • 2. End user enters challenge value and pin into token device
    • 3. Token device presents different value
    • 4. User enters new value into workstation
    • 5. Value is sent to authentication server which is expecting a certain value
  19. Passphrase
    • Is a sequence of characters that is longer than a password.
    • Takes the place of a password.
    • Can be more secure than a password because it is more complex.
  20. Memory Cards
    Memory Cards: Holds authentication information - but cannot process information. (ATM card)
  21. Smart Cards
    Holds authentication information and can process information.

    • Contact - gold seal - must be inserted into a card reader
    • Contactless - has an antenna that broadcasts information to the reader once within a certain electromagnetic field
    • Hybrid - contactless smart card with two processors that can interact with either the contact or contactless format
    • Combi - one microprocessor chip that can interact with both contact and contactless readers
  22. Attacks on Smart Cards
    • Fault Generation - inducing errors in a smart card's processing in order to reveal the encryption function and possibly uncover the encryption key
    • Microprobing - removing the protective material of the smart card to gain direct access to data on the card's ROM chips
    • Side Channel Attacks (nonintrusive attacks)
    • Differential Power Analysis - examining the power emitted during processing
    • Electromagnetic Analysis - examining the frequencies emitted
    • Timing
    • Software attacks
  23. Access Criteria
    • Roles
    • Groups
    • Location
    • Time
    • Transaction Types
  24. Authentication Concepts
    • Authorization Creep
    • Default to Zero
    • Need to Know Principle
    • Access Control Lists
  25. Kerberos
    • KDC - Key Distribution Center
    • principals - users, applications
    • TGS - Ticket Granting Service
    • TGT - Ticket Granting Ticket
  26. Single Sign-On Technologies
    • Kerberos - authentication protocol that uses a KDC (key distribution center) and tickets, and is based on symmetric key encryption
    • SESAME - authentication protocol that uses a PAS (Privileged Attribute Server) and PACs (Privilege Attribute Certificates), and is based on asymmetric and symmetric cryptography
    • Security Domains - resources working under the same security policy and managed by the same group
    • Directory Services - network directory service provides information about network resources
    • Dumb Terminals - Thin client - terminals that rely on a central server for access control, processing, and storage
  27. Discretionary Access Control
    Enables the owner of a resource to specify which subjects can access that resource

    Access control is at the discretion of the owner.
  28. Mandatory Access Control
    Access control is based on a security labeling system.

    Users have security clearances and resources have security labels that contain data classifications.

    This model is used in environments where information classification and confidentiality is very important (e.g., the military).
  29. Non-Discretionary (Role Based) Access Control Models (RBAC)
    Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.

    It is the best model for an organization with high staff turnover.
  30. Access Controls Techniques
    • Rule Based Access Control- Restricts user access attempts by predefined rules
    • Constrained User Interfaces (restricted interface) - limits the user's environment within the system, reducing access to objects
    • Access Control Matrix - table of subjects and objects which outlines their access relationships
    • Content Dependent Access Control - bases access decisions on the sensitivity of the data, not on subject identity
    • Context Dependent Access Control - Bases access decisions depending on the state of the situation and not solely on identity or content sensitivity
    • Capability Table - Bound to a subject and indicates what objects that subject can access (bound to subject)
    • ACL - bound to an object and indicates what subject can access it
  31. Centralized Access Control
    • RADIUS (UDP) - only encrypts the password; authentication and authorization services are combined; single challenge/response
    • TACACS (TCP) - all traffic is encrypted; full AAA support (authentication, authorization, and auditing are separate)
    • Diameter - based on RADIUS but improved (learn later if applicable)
  32. Decentralized Access Control Administration
    • Gives control of access to the people who are closer to the resources
    • Has no method for consistent control; lacks consistency across the organization.
  33. Administrative Access Controls
    • Policy and Procedure
    • Personnel Controls
    • Separation of Duties
    • Rotation of Duties
    • Mandatory Vacation
    • Supervisory Structure
    • Security Awareness Training
    • Testing
  34. Physical Controls
    • Network Segregation
    • Perimeter Security
    • Computer Controls
    • Work Area Separation
    • Data Backups
    • Cabling
    • Control Zone
  35. Technical (Logical) Controls
    • System Access
    • Network Architecture
    • Network Access
    • Encryption and protocols
    • Auditing
  36. Access Control Functionalities
    • Prevent
    • Detect
    • Correct
    • Deter
    • Recover
    • Compensate
  37. Preventative Access Controls
    • Preventative Administrative Controls - includes policies, hiring practices, security awareness
    • Preventative Physical Controls - includes badges, swipe cards, guards, fences
    • Preventative Technical Controls - includes passwords, encryption, antivirus software
  38. Accountability
    Accountability is tracked by recording user, system, and application activities.

    • Audit information must be reviewed
    • Event Oriented Audit Review
    • Real Time and Near Real Time Review
    • Audit Reduction Tools
    • Variance Detection Tools
    • Attack Signature Tools
  39. Access control Best practices
    • Deny access to anonymous accounts
    • Enforce strict access criteria
    • Suspend inactive accounts
    • Replace default passwords
    • Enforce password rotation
    • Audit and review
    • Protect audit logs
  40. Unauthorized Disclosure of Information
    • Object Reuse - data stored on device or memory
    • Data Hiding
  41. Emanation Security
    • Tempest - DOD - typically for military purposes
    • White Noise - emits white noise so that the data cannot be deciphered
    • Control Zone - create barrier on ceiling and walls so that data cannot be deciphered
  42. Intrusion Detection - Network vs. host
    • Network based - monitors network traffic in promiscuous mode
    • host based - installed on machine and monitors activity on the server
  43. HIDS and NIDS can be:
    • Signature Based - pattern matching, stateful matching
    • Anomaly Based - Statistical Anomaly Based, Protocol Anomaly Based, Traffic Anomaly Based
    • Rule Based - expert system - with knowledge base, inference engine, rule-based programming
  44. IPS
    Intrusion Prevention System - detects activity and denies access to the resource
  45. Intrusion Detection - Components
    • Three Common Components:
    • Sensors
    • Analyzers
    • Administrator Interfaces

    • Common Types
    • Intrusion Detection
    • Intrusion Prevention
    • Honeypots
    • Network Sniffers
  46. Security Threats to Access Control
    • Dictionary Attacks
    • Countermeasures include strong password policies, strong authentication, intrusion detection and prevention

    • Brute Force Attacks
    • Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels

    • Spoofing at Logon
    • Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection
  47. Kerberos Diagram
    [Image: Kerberos diagram]
Chapter 4 Access Control