-
Access Controls
The security features that control how users and systems communicate and interact with one another.
-
Access Control
The flow of information between subject and object
-
Subject
An active entity that requests access to an object or the data in an object
-
Object
A passive entity that contains information
-
Identification
Method of establishing the subject’s (user, program, process) identity.
Use of user name, user ID, account number, or other public information.
-
Authentication
- Method of proving the identification information
- Something a person is, has, or does.
- Use of biometrics, passwords, passphrase, token, or other private information.
-
Authorization
Using criteria to determine which operations subjects can carry out on objects.
e.g. "I know who you are ... what am I willing to let you do?"
-
Accountability
Audit logs and monitoring to track user activity
-
biometrics - type I error
A biometric system rejects an authorized user.
-
biometrics - type II error
The system accepts an impostor that should be rejected.
-
Cross-over Error Rate (CER) or Equal Error Rate (EER)
Rating, stated as a percentage, that represents the point at which the false rejection rate equals the false acceptance rate.
-
Types of Biometrics
- Fingerprint
- Palm Scan
- Hand Geometry
- Iris Scan - most accurate
- Signature Dynamics
- Keyboard Dynamics
- Voice Print
- Facial Scan
- Hand Topography
-
Password attacks
- Electronic Monitoring - replay attack
- Access to Password file
- Brute Force
- Dictionary
- Social Engineering
- Rainbow tables
-
Password controls
- Password checker
- Password hashing and encryption
- Password aging
- Limit logon attempts
-
Cognitive passwords
Answer to several questions to verify a person's identity
-
one-time password
Used once for authentication and then cannot be used again (e.g., a password reset)
-
Synchronous Token Device
- RSA - time-based
- Time-based - time on token device and secret key create the one-time password; authentication service and token device must share the same time within their internal clocks.
- Counter-synchronization - push button on token device produces the next authentication value.
- BOTH token device and authentication service must share the same secret key base for encryption and decryption.
-
Asynchronous Token
- 1. Challenge value to end-user
- 2. End user enters challenge value and pin into token device
- 3. Token device presents different value
- 4. User enters new value into workstation
- 5. Value is sent to authentication server which is expecting a certain value
-
Passphrase
- Is a sequence of characters that is longer than a password.
- Takes the place of a password.
- Can be more secure than a password because it is more complex.
-
Memory Cards
Holds authentication information but cannot process information (e.g., ATM card).
-
Smart Cards
Holds authentication information and can process information.
- Contact - gold seal - must be inserted into card reader
- Contactless - has an antenna that broadcasts information to the reader once within a certain electromagnetic field
- Hybrid - contactless smart card that has two processors which can interact with either the contact or contactless formats
- Combi - one microprocessor chip that can interact with both contact and contactless
-
Attacks on Smart Cards
- Fault Generation - presenting a smart card with an error in order to reveal the encryption function and possibly uncovering the encryption key
- Microprobing - remove protective material of smart card and gain direct access to data on card's ROM chips
- Side Channel Attacks (nonintrusive attacks)
- Differential Power Analysis - examining the power emitted during processing
- Electromagnetic Analysis - examining the frequencies emitted
- Timing
- Software attacks
-
Access Criteria
- Roles
- Groups
- Location
- Time
- Transaction Types
-
Authentication Concepts
- Authorization Creep
- Default to Zero
- Need to Know Principle
- Access Control Lists
-
Kerberos
- KDC - Key Distribution Center
- principals - users, applications
- TGS - Ticket Granting Service
- TGT - Ticket Granting Ticket
- realm
-
Single Sign-On Technologies
- Kerberos - Authentication protocol that uses a KDC (key distribution center) and tickets, and is based on symmetric key encryption
- Sesame - Authentication protocol that uses a PAS (Privileged Attribute Server) and PACs (Privilege Attribute Certificates), and is based on asymmetric and symmetric cryptography
- Security Domains - resources working under the same security policy and managed by the same group
- Directory Services - network directory service provides information about network resources
- Dumb Terminals - Thin client - terminals that rely on a central server for access control, processing, and storage
-
Discretionary Access Control
Enables the owner of the resource to specify which subjects can access specific resources
Access control is at the discretion of the owner.
-
Mandatory Access Control
Access control is based on a security labeling system.
Users have security clearances and resources have security labels that contain data classifications.
This model is used in environments where information classification and confidentiality is very important (e.g., the military).
-
Non-Discretionary (Role Based) Access Control Models (RBAC)
Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.
It is the best system for an organization that has high turnover.
-
Access Controls Techniques
- Rule Based Access Control- Restricts user access attempts by predefined rules
- Constrained User Interfaces (restricted interface) - limits the user environment within the system - reduces access to objects
- Access Control Matrix - table of subjects and objects which outlines their access relationships (Bound to object)
- Content Dependent Access Control - bases access decisions on the sensitivity of the data, not on subject identity
- Context Dependent Access Control - Bases access decisions depending on the state of the situation and not solely on identity or content sensitivity
- Capability Table - Bound to a subject and indicates what objects that subject can access (bound to subject)
- ACL - bound to an object and indicates what subject can access it
-
Centralized Access Control
- Radius (UDP) - only encrypts the password; authentication and authorization services are combined; single challenge/response
- TACACS (TCP) - all traffic is encrypted; AAA support (authentication, authorization, and auditing are separate)
- Diameter - learn later if applicable - based on Radius but better
-
Decentralized Access Control Administration
- Gives control of access to the people who are closer to the resources
- Has no method for consistent control across the organization.
-
Administrative Access Controls
- Policy and Procedure
- Personnel Controls
- Separation of Duties
- Rotation of Duties
- Mandatory Vacation
- Supervisory Structure
- Security Awareness Training
- Testing
-
Physical Controls
- Network Segregation
- Perimeter Security
- Computer Controls
- Work Area Separation
- Data Backups
- Cabling
- Control Zone
-
Technical (Logical) Controls
- System Access
- Network Architecture
- Network Access
- Encryption and protocols
- Auditing
-
Access Control Functionalities
- Prevent
- Detect
- Correct
- Deter
- Recover
- Compensate
-
Preventative Access Controls
- Preventative Administrative Controls
- Includes policies, hiring practices, security awareness
- Preventative Physical Controls
- Includes badges, swipe cards, guards, fences
- Preventative Technical Controls
- Includes passwords, encryption, antivirus software
-
Accountability
Accountability is tracked by recording user, system, and application activities.
- Audit information must be reviewed
- Event Oriented Audit Review
- Real Time and Near Real Time Review
- Audit Reduction Tools
- Variance Detection Tools
- Attack Signature Tools
-
Access control Best practices
- Deny access to anonymous accounts
- Enforce strict access criteria
- Suspend inactive accounts
- Replace default passwords
- Enforce password rotation
- Audit and review
- Protect audit logs
-
Unauthorized Disclosure of Information
- Object Reuse - data stored on device or memory
- Data Hiding
-
Emanation Security
- Tempest - DOD - typically for military purposes
- White Noise - emits white noise so that the data cannot be deciphered
- Control Zone - create barrier on ceiling and walls so that data cannot be deciphered
-
Intrusion Detection - Network vs. host
- Network based - monitors network traffic in promiscuous mode
- host based - installed on machine and monitors activity on the server
-
HIDS and NIDS can be:
- Signature Based - pattern matching, stateful matching
- Anomaly Based - Statistical Anomaly Based, Protocol Anomaly Based, Traffic Anomaly Based
- Rule Based - expert system - with knowledge base, inference engine, rule-based programming
-
IPS
Intrusion Prevention System - detects activity and blocks access to the resource
-
Intrusion Detection - Components
- Three Common Components:
- Sensors
- Analyzers
- Administrator Interfaces
- Common Types
- Intrusion Detection
- Intrusion Prevention
- Honeypots
- Network Sniffers
-
Security Threats to Access Control
- Dictionary Attacks
- Countermeasures include strong password policies, strong authentication, intrusion detection and prevention
- Brute Force Attacks
- Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels
- Spoofing at Logon
- Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection
-