Information Security Principles - Access Control
Presentation Transcript

  • Denise N. Lord Computer and Information Security
    • Access controls are security features that control how people can interact with systems and resources.
    • Goal is to protect from unauthorized access.
    • Access is the data flow between a subject and an object.
    • Subject is a person, process or program
    • Object is a resource (file, printer etc)
    • Access control should support the CIA triad!
    • Let’s quickly go over the CIA triad again
    • Quick overview: details on each coming up
    • Identification – who am I? (userid etc)
    • Authentication – prove that I am who I say I am
    • Authorization – now what am I allowed to access
    • Accountability – Audit logs and monitors activities
    • Identifies a user uniquely (hopefully)
    • SSN, UID, SID, Username
    • Should Uniquely identify a user for accountability (don’t share)
    • Standard naming scheme should be used
    • Identifier should not indicate extra information about user (like position)
    • DO NOT SHARE (NO group accounts)
    • Proving who you say you are, usually one of these 3
      • Something you know (password)
      • Something you have (smart card)
      • Something you are (biometrics)
      • Verifying the identification information.
    • Strong Authentication is the combination of 2 or more of these (also called multi-factor authentication) and is encouraged!
      • Strong Authentication provides a higher level of assurance*
    • Now that I am who I say I am, what can I do?
      • Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (example: a teller may be able to withdraw small amounts, but require a manager for large withdrawals)
      • Using criteria to make a determination of operations that subjects can carry out
    • Audit log and monitoring to track subject activities with objects.
    • Identity management products are used to identify, authenticate and authorize users by automated means. It’s a broad term.
    • These products may (or may not) include
      • User account management
      • Access controls
      • Password management
      • Single Sign on
      • Permissions
      • Web access management
    • Log in one time, and access resources many places
    • Not the same as password synchronization
    • SSO software handles the authorization to multiple systems
    • What are the security problems with this?
    • What are advantages?
    • Idea is to centrally manage user accounts rather than to manually create/update them on multiple systems
    • Often include workflow processes that allow distributed authorization, e.g. a manager can put in a user request or authorize a request; tickets might be generated for a key card system for their locations; permissions might be created for their specific needs, etc.
    • Automates processes
    • Can include record-keeping/auditing functions
    • Can ensure all accesses/accounts are cleaned up when users leave.
    • Biometrics verifies (authenticates) an individual’s identity by analyzing a unique personal attribute (something they ARE)
    • Require enrollment before being used* (what is enrollment? Any ideas)
    • Can be based on
      • behavior (signature dynamics) – might change over time
      • Physical attribute (fingerprints, iris, retina scans)
      • We will talk about the different types of biometrics later
    • Can give incorrect results
    • False negative – Type 1 error* (annoying)
    • False positive – Type 2 error* (very bad)
    • Crossover Error Rate (CER)* is an important metric that is stated as a percentage that represents the point at which the false rejection rate equals the false acceptance rate.
    • Lower CER is better/more accurate*. (3 is better than 4)
    • Also called Equal Error Rate
    • Use CER to compare vendors products objectively
    • Systems can be calibrated: for example, if you adjust the sensitivity to decrease false positives, you will probably INCREASE false negatives; this is where the CER comes in.
    • Draw diagram on board
    • Some areas (like military) are more concerned with one error than the other (ex. Would rather deny a valid user than accept an invalid user)
    • Can you think of any situations for each case?
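The threshold trade-off and the crossover point can be made concrete with a small sweep over match scores. This is an added example (not from the presentation); the score values are constructed, and it assumes a matcher that outputs a similarity in [0, 1] where the system accepts when the score is at or above a threshold.

```python
# Added example: estimating FAR, FRR and the crossover error rate (CER)
# for a biometric matcher from constructed match scores (not real sensor data).
# Higher score = stronger match; the system accepts if score >= threshold.

GENUINE = [0.91, 0.88, 0.83, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55, 0.48]   # same person
IMPOSTOR = [0.62, 0.57, 0.52, 0.47, 0.43, 0.39, 0.34, 0.30, 0.25, 0.20]  # different people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at one accept threshold.

    FAR = false acceptance rate (Type II error: impostor accepted).
    FRR = false rejection rate (Type I error: genuine user rejected).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Sweep the threshold and return (threshold, CER) where FAR meets FRR.

    The CER (equal error rate) is the error rate at the threshold where
    |FAR - FRR| is smallest. Raising the threshold lowers FAR but raises FRR,
    which is the calibration trade-off; a lower CER means a more accurate system.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer
```

Comparing two vendors means running this on each vendor's genuine/impostor scores and preferring the lower CER.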
    • Expensive
    • Unwieldy
    • Intrusive
    • Can be slow (should not take more than 5-10 seconds)*
    • Complex (enrollment)
    • We will talk in more depth of each in the next couple slides
    • Fingerprint
    • Palm Scan
    • Hand Geometry
    • Retina Scan
    • Iris Scan
    • Keyboard Dynamics
    • Voice Print
    • Facial Scan
    • Hand Topography
    • Most people sign in the same manner (really???)
    • Monitor the motions and the pressure while moving (as opposed to a static signature)
    • Type I (what is type I again?) error high
    • Type II (what is type II again?) error low
    • We covered a bunch of different biometrics
    • Understand some are behavioral* based
      • Voice print
      • Keyboard dynamics
      • Can change over time
    • Some are physically based
      • Fingerprint
      • Iris scan
    • Fingerprints are probably the most commonly used and cheapest
    • Iris scanning provides the most “assurance”
    • Some methods are intrusive
    • Understand Type I and Type II errors
    • Be able to define CER: is a lower CER value better or worse?
    • What is a password? (someone tell me because I forgot…)
    • Works on what you KNOW
    • Simplest form of authentication*
    • Cheapest form of authentication*
    • Oldest form of authentication
    • Most commonly used form of authentication*
    • WEAKEST form of authentication*
    • People write down passwords (bad)
    • People use weak passwords (bad)
    • People re-use passwords (bad)
    • If you make passwords too hard to remember, people often write them down
    • If you make them too easy… they are easily cracked
    • Don’t use common words
    • Don’t use names or birthdates
    • Use at least 8 characters
    • Combine numbers, symbols and case
    • Use a phrase and take attributes of a phrase, transpose characters
    • System should NOT store passwords in plaintext. Use a hash (what is a hash?)
    • Can encrypt hashes
    • Password salts – random values added to the hash/encryption process to make it harder to brute force (one password may hash/encrypt to multiple different results)
    • Default NO access (implicit deny)*
    • Need to Know
    • Idea
    • One identification/authentication instance for all networks/systems/resources
    • Eases management
    • Makes things more secure (not written down passwords hopefully)
    • Can focus budgets and time on securing one method rather than many!
    • Makes things integrated
    • Centralized point of failure*
    • Can cause bottlenecks*
    • All vendors have to play nicely (good luck)
    • Often very difficult to accomplish* (golden ring of network authentication)
    • One ring to bind them all! (wait...no…) If you can access once, you can access ALL!
    • A framework that dictates how subjects access objects.
    • Uses access control technologies and security mechanisms to enforce the rules
    • Business goals and culture of the organization will prescribe which model it uses
    • Dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model
    • The different models are:
    • Discretionary Access Control
    • Mandatory Access Control
    • Discretionary Access Control*
    • Owner or creator of resource specifies which subjects have which access to a resource. Based on the Discretion of the data owner*
    • Common example is an ACL (what is an ACL?)
    • Commonly implemented in commercial products (Windows, Linux, MacOS)
    • Mandatory Access Control*
    • Data owners cannot grant access!*
    • OS makes the decision based on a security label or flag system*
    • Users and Data are given a clearance level (confidential, secret, top secret etc)*
    • Rules for access are configured by the security officer and enforced by the OS.
    • MAC is used where classification and confidentiality are of utmost importance… military.
    • Generally you have to buy a specific MAC system; DAC systems don’t do MAC
      • SELinux
      • Trusted Solaris
    • Again all objects in a MAC system have a security label*
    • Security labels can be defined by the organization.
    • They also have categories to support “need to know” at a certain level.
    • Categories can be defined by the organization
    • If I have “top secret” clearance can I see all projects in the “secret” level???
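A label check with both a level and categories, as an added example (not from the presentation) of how the clearance question above plays out. It assumes the usual dominance rule for reading: the subject's level must be at least the object's level AND the subject must hold every category the object carries; the level names and project labels are constructed.

```python
# Added example: MAC-style security labels = clearance level + categories.
# A "top secret" clearance alone does not dominate every "secret" object,
# because the object's need-to-know categories must also be held.
from dataclasses import dataclass, field

# Assumed ordering of levels (organization-defined in practice)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)  # need-to-know compartments


def dominates(subject: Label, obj: Label) -> bool:
    """Subject label dominates object label when its level is at least as high
    and its category set is a superset of the object's categories."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.categories >= obj.categories)


def can_read(clearance: Label, label: Label) -> bool:
    """Read is permitted only when the clearance dominates the object's label."""
    return dominates(clearance, label)


# Constructed sample objects, each with its own label
PROJECTS = {
    "alpha-plans": Label("secret", frozenset({"alpha"})),
    "bravo-plans": Label("secret", frozenset({"bravo"})),
    "public-notice": Label("unclassified"),
}


def readable(clearance: Label, objects=PROJECTS):
    """Names of the objects this clearance may read, sorted for stable output."""
    return sorted(name for name, label in objects.items() if can_read(clearance, label))
```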
    • Is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence in order to be done correctly.
    • Also called non-discretionary.
    • Uses a set of controls to determine how subjects and objects interact.
    • Allows you to be assigned a role, and your role dictates your access to resources, rather than permissions being tied to your user directly.
    • This scales better than DAC methods
    • You don’t have to continually change ACLs or permissions per user, nor remember what permissions to set on a new user; just give them a certain role
    • You can simulate this with “groups” in Windows and Linux, especially with LDAP/AD.
    • When to use
    • If you need centralized access
    • If you DON’T need MAC ;)
    • If you have high turnover*
    • We will talk more in depth of each in the next few slides.
    • Rule-based Access Control
    • Constrained User Interfaces
    • Access Control Matrix
    • Access Control Lists
    • Content-Dependent Access Control
    • Context-Dependent Access Control
    • Table of subjects and objects indicating what actions individual subjects can take on individual objects*
      • See page 220 (top)
    • Bound to subjects, lists what permissions a subject has to each object
    • This is a row in the access matrix
    • (see 220 bottom)
    • Lists what (and how) subjects may access a certain object.
    • It’s a column of an access matrix
      • See page 220
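The matrix and its two projections (capability list = row, ACL = column) in code, as an added example that is not from the presentation or the textbook it cites. The subjects, objects and rights are constructed; absent cells are treated as no access, matching the "default NO access (implicit deny)" point earlier.

```python
# Added example: an access control matrix and its two views.
# Row  = capability list (bound to a subject: its rights on each object).
# Column = ACL (bound to an object: which subjects may do what to it).
# Anything not explicitly granted is denied (implicit deny).

# Constructed sample matrix: subject -> object -> set of permitted actions
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "printer1": {"print"}},
    "bob":   {"payroll.xlsx": {"read"}},
    "carol": {"printer1": {"print"}, "design.doc": {"read", "write", "delete"}},
}


def is_allowed(subject, obj, action, matrix=MATRIX):
    """Look up one cell; an unknown subject, object or action is denied."""
    return action in matrix.get(subject, {}).get(obj, set())


def capability_list(subject, matrix=MATRIX):
    """Row of the matrix: every object the subject has rights on, with the rights."""
    return {obj: sorted(actions) for obj, actions in matrix.get(subject, {}).items()}


def acl(obj, matrix=MATRIX):
    """Column of the matrix: every subject with rights on this object, with the rights."""
    return {subj: sorted(objs[obj]) for subj, objs in matrix.items() if obj in objs}
```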
    • STOP
    • Before we move on you need to understand the definitions/terms that we are about to cover for the exam. (controls and control types) They are used ambiguously on the exam, so you need to think about them. We will give an overview now, but we’ll keep seeing them again and again.
    • Controls
      • Administrative - AAC
      • Physical - PAC
      • Technical or Logical – LAC
      • Now we’ll talk about control types
    • Types (can occur in each “control” category)
      • Deter – intended to discourage attacks
      • Prevent – intended to prevent incidents
      • Detect – intended to detect incidents
      • Correct – intended to correct incidents
      • Recover – intended to bring controls back up to normal operation
    • Personnel – HR practices
    • Supervisory – Management practices (supervisor, corrective actions)
    • Training – that’s pretty obvious
    • Testing – not technical, and management’s* responsibility to ensure it happens
    • A Policy or list
    • Physical Network Segregation (not logical) – ensure certain networks segments are physically restricted
    • Perimeter Security – CCTV, fences, security guards, badges
    • Computer Controls – physical locks on computer equipment, restrict USB access etc.
    • Work Area Separation – keep accountants out of R&D areas
    • Cabling – shielding, Fiber
    • Control Zone – break up office into logical areas (lobby – public, R&D- Top Secret, Offices – secret)
    • Using technology to protect
    • System Access – Kerberos, PKI, RADIUS (specifically access to a system)
    • Network Architecture – IP subnets, VLANs, DMZ
    • Network Access – Routers, Switches and Firewalls that control access
    • Encryption – protect confidentiality, integrity
    • Auditing – logging and notification systems.
    • IDS allow you to detect intrusion and unauthorized access.
    • Different types (we will discuss), but usually consist of
    • Sensors
    • Storage
    • Analysis engine
    • Management Console
    • (see diagram on 260)
    • Network Based
      • Monitor network traffic ONLY
      • Can be of multiple types (discuss later)
      • Watch out for switches (use mirroring), and subnets (use multiple sensors)
    • Host based – installed on computers
      • Monitor logs
      • Monitor system activity
      • Monitor configuration files
      • Can monitor network traffic only to and from the computer it is installed on.
      • Multiple types – discussed later
    • Signature based – like a virus scanner, looks for known attack signatures
    • MUST be updated with new signatures
    • Will not stop unknown attacks (0-day)
    • Relatively high rate of assurance
    • Commonly used
    • Based on what is “normal” behavior (builds a profile)
    • Detects when things are not normal
    • Very subjective
    • Very high rate of false positives, may lead to info being ignored.
    • Require high degree of knowledge and maintenance to run
    • Signature Based
    • Anomaly / Behavioral / Knowledge Based
    • We will talk about these later, but let’s review these now
    • Dictionary attacks – what is this?
    • Sniffers – what is this?
    • Brute force attacks – how is this different than a dictionary attack?
    • Spoofing login/trusted path
    • Phishing
    • Identity theft
    • Is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.
    • Example…person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security.
    • E-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.
    • Is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.