Information Security Principles - Access Control (Presentation Transcript)
Denise N. Lord Computer and Information Security
Access controls are security features that control how people (and processes) can interact with systems and resources.
Goal is to protect from un-authorized access.
Access is the flow of information between a subject and an object.
Subject is a person, process or program
Object is a resource (file, printer etc)
Access control should support the CIA triad!
Let’s quickly go over the CIA triad again
Quick overview: details on each coming up
Identification – who am I? (userid etc)
Authentication – prove that I am who I say I am
Authorization – now what am I allowed to access
Accountability – Audit logs and monitors activities
Identifies a user uniquely (hopefully)
SSN, UID, SID, Username (an SSN is a poor choice: it is sensitive data in its own right and cannot be changed once exposed)
Should Uniquely identify a user for accountability (don’t share)
Standard naming scheme should be used
Identifier should not indicate extra information about user (like position)
DO NOT SHARE (NO group accounts)
Proving who you say you are, usually one of these 3
Something you know (password)
Something you have (smart card)
Something you are (biometrics)
Verifying the identification information.
Strong Authentication is the combination of 2 or more of these (also called multi-factor authentication) and is encouraged!
Strong Authentication provides a higher level of assurance*
Now that I am who I say I am, what can I do?
Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (example: a teller may be able to withdraw small amounts, but require a manager for large withdrawals)
Uses criteria to determine which operations subjects may carry out
Audit log and monitoring to track subject activities with objects.
Identity management products are used to id, authenticate and authorize users in an automated means. It’s a broad term.
These products may (or may not) include
User account management
Single Sign on
Web access management
Log in one time, and access resources many places
Not the same as password synchronization
SSO software handles authentication to multiple systems (each system still enforces its own authorization)
What are the security problems with this?
What are advantages?
Idea is to centrally manage user accounts rather than to manually create/update them on multiple systems
Often include workflow processes that allow distributed authorization, e.g. a manager can put in a user request or authorize a request, tickets might be generated for a key card system for their locations, permissions might be created for their specific needs etc.
Can include record keeping/auditing functions
Can ensure all accesses/accounts are cleaned up when users leave.
Biometrics verifies (authenticates) an individual's identity by analyzing a unique personal attribute (something they ARE)
Require enrollment before being used* (what is enrollment? Any ideas)
Can be based on
physiology (fingerprint, iris) – stable over time, or
behavior (signature dynamics) – might change over time
We will talk about the different types of biometrics later
Can give incorrect results
False rejection (false negative: a valid user is denied) – Type I error* (annoying)
False acceptance (false positive: an impostor is accepted) – Type II error* (very bad)
Crossover Error Rate (CER)* is an important metric that is stated as a percentage that represents the point at which the false rejection rate equals the false acceptance rate.
A lower CER is better/more accurate* (a CER of 3% beats a CER of 4%)
Also called Equal Error Rate
Use CER to compare vendors products objectively
Systems can be calibrated: for example, if you adjust the sensitivity to decrease false positives, you will probably INCREASE false negatives. This trade-off is where the CER comes in.
Draw diagram on board
Some areas (like military) are more concerned with one error than the other (ex. Would rather deny a valid user than accept an invalid user)
Can you think of any situations for each case?
Can be slow (should not take more than 5-10 seconds)*
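The threshold trade-off and the CER as a worked example (added here, not part of the original slides). The match scores for "vendor A" and "vendor B" are constructed, not measurements from any real sensor; a higher score means a closer match to the enrolled template.

```python
"""Threshold sweep for a biometric matcher: FRR (Type I) vs FAR (Type II) and the CER.

Added example, not from the slides. All scores are constructed (a hypothetical 0-100
similarity score from two hypothetical sensors, "vendor A" and "vendor B").
"""

# Constructed match scores. Higher = closer match to the enrolled template.
VENDOR_A_GENUINE = [88, 91, 79, 95, 83, 70, 90, 86, 77, 93, 81, 89]   # legitimate users
VENDOR_A_IMPOSTOR = [42, 55, 61, 38, 73, 49, 66, 52, 75, 45, 58, 63]  # impostors
VENDOR_B_GENUINE = [80, 72, 65, 88, 74, 69, 91, 77, 60, 85, 78, 70]   # more overlap
VENDOR_B_IMPOSTOR = [50, 62, 68, 45, 71, 59, 75, 55, 66, 48, 73, 64]

THRESHOLDS = range(30, 100)


def false_rejection_rate(genuine, threshold):
    """FRR (Type I error): genuine attempts scoring below the threshold are rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """FAR (Type II error): impostor attempts scoring at or above the threshold are accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine, impostor, thresholds=THRESHOLDS):
    """(threshold, FRR, FAR) for every threshold: raising it lowers FAR and raises FRR."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds=THRESHOLDS):
    """Return (threshold, CER): the operating point where FRR and FAR are (closest to) equal.

    With discrete sample data the two rates rarely match exactly, so the CER is
    reported as their average at the point of smallest difference."""
    t, frr, far = min(error_curve(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def better_vendor(vendors):
    """Pick the product with the lowest CER from {name: (genuine_scores, impostor_scores)}."""
    return min(vendors, key=lambda name: crossover_error_rate(*vendors[name])[1])


if __name__ == "__main__":
    vendors = {"A": (VENDOR_A_GENUINE, VENDOR_A_IMPOSTOR),
               "B": (VENDOR_B_GENUINE, VENDOR_B_IMPOSTOR)}
    for name, (g, i) in vendors.items():
        t, cer = crossover_error_rate(g, i)
        print(f"vendor {name}: CER {cer:.1%} at threshold {t}")
    print("lowest CER:", better_vendor(vendors))
    # A deployment that fears false acceptance more (the military case) picks a
    # threshold above the CER point: FAR drops toward 0 while FRR rises.
    print(error_curve(VENDOR_A_GENUINE, VENDOR_A_IMPOSTOR, [60, 74, 85]))
```

Sweeping the threshold for vendor A shows the two error rates moving in opposite directions: at 60 no genuine user is rejected but 5 of 12 impostors get in, at 85 no impostor gets in but 5 of 12 genuine users are rejected, and they cross at 74 with a CER of about 8.3%. Vendor B's distributions overlap more and cross at 25%, so A is the more accurate product by the CER metric.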
We will talk in more depth of each in the next couple slides
Most people sign in the same manner (really???)
Monitor the motions and the pressure while moving (as opposed to a static signature)
Type I (what is type I again?) error high
Type II (what is type II again?) error low
We covered a bunch of different biometrics
Understand some are behavioral* based
Can change over time
Some are physically based
Fingerprints are probably the most commonly used and cheapest
Iris scanning provides the most “assurance”
Some methods are intrusive
Understand Type I and Type II errors
Be able to define CER, is a lower CER value better or worse?
What is a password? (someone tell me because I forgot…)
Works on what you KNOW
Simplest form of authentication*
Cheapest form of authentication*
Oldest form of authentication
Most commonly used form of authentication*
WEAKEST form of authentication*
People write down passwords (bad)
People use weak passwords (bad)
People re-use passwords (bad)
If you make passwords too hard to remember people often write them down
If you make them too easy… they are easily cracked
Don’t use common words
Don’t use names or birthdates
Use at least 8 characters (longer is better; length matters more than any single symbol)
Combine numbers, symbols and case
Use a phrase and take attributes of a phrase, transpose characters
System should NOT store passwords in plaintext. Store a salted, deliberately slow hash instead (what is a hash?)
Hashes can additionally be encrypted with a key kept outside the password database
Password salts – a random value, unique per account, added to the hash input so that the same password produces different stored results for different users. This defeats precomputed (rainbow) tables and forces an attacker to crack each account separately.
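Salted, slow password hashing and the cracking cost difference it makes, as an added example (not code from the slides). The usernames, passwords and the three-word wordlist are constructed for the demo; the scheme is PBKDF2-HMAC-SHA256 from the Python standard library with a 16-byte random salt per account.

```python
"""Salted, slow password hashing and why salts matter against offline cracking.

Added example, not from the slides. Usernames, passwords and the wordlist are
constructed for the demo."""
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 recommendation)
SALT_BYTES = 16


def unsalted_hash(password):
    """What NOT to do: a plain, fast hash. Equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Stored record: '<hex salt>$<hex digest>'. A fresh random salt per account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt; constant-time compare avoids a timing oracle."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_unsalted(stored, wordlist):
    """One precomputed table (rainbow-table style) cracks every account in one pass."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table.get(value) for user, value in stored.items()}


def crack_salted(stored, wordlist):
    """With salts the attacker must redo the slow hash for every (account, guess) pair."""
    return {user: next((w for w in wordlist if verify_password(w, record)), None)
            for user, record in stored.items()}


# Constructed sample accounts: alice and bob chose the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery staple"}
WORDLIST = ["password", "letmein", "123456"]


def build_unsalted_db(users=USERS):
    return {u: unsalted_hash(p) for u, p in users.items()}


def build_salted_db(users=USERS):
    return {u: hash_password(p) for u, p in users.items()}


if __name__ == "__main__":
    plain_db = build_unsalted_db()
    print("unsalted, alice == bob:", plain_db["alice"] == plain_db["bob"])  # True: reuse is visible
    print("table attack:", crack_unsalted(plain_db, WORDLIST))
    salted_db = build_salted_db()
    print("salted, alice == bob:", salted_db["alice"] == salted_db["bob"])  # False
    print("per-account attack:", crack_salted(salted_db, WORDLIST))  # weak ones still fall, slowly
```

The salt does not make a weak password strong: "letmein" is cracked either way. What changes is the cost model. Against the unsalted table every account is checked with one dictionary lookup, and identical hashes reveal which users share a password; against the salted records the attacker pays the full PBKDF2 cost for every (account, guess) pair.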
Default NO access (implicit deny)*
Need to Know
One identification/authentication instance for all networks/systems/resources
Makes things more secure (not written down passwords hopefully)
Can focus budgets and time on securing one method rather than many!
Makes things integrated
Centralized point of failure*
Can cause bottlenecks*
All vendors have to play nicely (good luck)
Often very difficult to accomplish* (golden ring of network authentication)
One ring to bind them all! (wait...no…) If you can access once, you can access ALL!
A framework that dictates how subjects access objects.
Uses access control technologies and security mechanisms to enforce the rules
Business goals and culture of the organization will prescribe which model it uses
Dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model
The different models are:
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Discretionary Access Control*
Owner or creator of resource specifies which subjects have which access to a resource. Based on the Discretion of the data owner*
Common example is an ACL (what is an ACL?)
Commonly implemented in general-purpose operating systems (Windows, Linux, macOS)
Mandatory Access Control*
Data owners cannot grant access!*
OS makes the decision based on a security label or flag system*
Users are given a clearance and data a classification (confidential, secret, top secret etc.)*
Rules for access are configured by the security officer and enforced by the OS.
MAC is used where classification and confidentiality is of utmost importance… military.
Historically you had to buy a dedicated MAC system; mainstream DAC systems did not do MAC. Today Linux (SELinux, AppArmor) and Windows (Mandatory Integrity Control) layer a MAC policy on top of their DAC permissions.
Again all objects in a MAC system have a security label*
Security labels can be defined the organization.
They also have categories to support “need to know” @ a certain level.
Categories can be defined by the organization
If I have “top secret” clearance can I see all projects in the “secret” level???
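A label-based MAC decision as an added example (not code from the slides), answering the question above. The dominance rule is the Bell-LaPadula style check used by classic MAC systems, which the slides do not name; the levels, categories, subjects and objects are constructed.

```python
"""Label-based MAC decision: clearance level plus need-to-know categories.

Added example, not from the slides. The dominance rule below is the Bell-LaPadula
style check used by classic MAC systems; levels, categories and the sample subjects
and objects are constructed."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """A security label: a sensitivity level and a set of need-to-know categories."""

    def __init__(self, level, categories=()):
        self.level = LEVELS[level.lower()]
        self.categories = frozenset(categories)

    def dominates(self, other):
        """A dominates B when A's level is at least B's AND A holds every category of B."""
        return self.level >= other.level and other.categories <= self.categories


def can_read(subject, obj):
    """Simple security property (no read up): the subject's label must dominate the object's."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property (no write down): the object's label must dominate the subject's, so a
    top-secret process cannot copy data into a secret file."""
    return obj.dominates(subject)


def decide(subject, obj, action):
    """The OS, not the data owner, answers; any action not explicitly modelled is denied."""
    rules = {"read": can_read, "write": can_write}
    return rules.get(action, lambda s, o: False)(subject, obj)


# Constructed subjects and objects.
ALICE = Label("top secret", {"NATO"})        # TS clearance, NATO need-to-know only
BOB = Label("secret", {"NATO", "CRYPTO"})    # lower clearance, broader need-to-know
PROJECT_X = Label("secret", {"CRYPTO"})      # secret data in the CRYPTO compartment
NATO_BRIEF = Label("secret", {"NATO"})
MEMO = Label("unclassified")

if __name__ == "__main__":
    # "I have top secret clearance, can I see every secret project?" No:
    print("alice reads PROJECT_X:", decide(ALICE, PROJECT_X, "read"))    # False, lacks CRYPTO
    print("alice reads NATO_BRIEF:", decide(ALICE, NATO_BRIEF, "read"))  # True
    print("bob reads PROJECT_X:", decide(BOB, PROJECT_X, "read"))        # True
    print("alice writes MEMO:", decide(ALICE, MEMO, "write"))            # False, write down
    print("alice executes MEMO:", decide(ALICE, MEMO, "execute"))        # False, implicit deny
```

Level alone is not enough: Alice outranks Project X in clearance but is denied because she lacks the CRYPTO category, while Bob, with a lower clearance, is allowed. Nothing in the decision consults an owner or an ACL, which is the defining property of MAC.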
Race condition – an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system the operations must be done in the proper sequence to be done correctly. In access control this shows up as a time-of-check/time-of-use (TOCTOU) flaw: the access check passes, then the object changes before it is used.
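A TOCTOU race between an access check and the use of a file, shown as an added example (not code from the slides). It is POSIX only (it relies on `os.O_NOFOLLOW` and `fstat`); the file names and contents are constructed, and the `between_check_and_use` hook stands in for an attacker who wins the race, which in reality they would do by swapping the link in a tight loop.

```python
"""Time-of-check/time-of-use (TOCTOU) race: the access-control check and the use are
two separate operations, and the object can change in between.

Added example, not from the slides; POSIX only (uses os.O_NOFOLLOW and fstat). File
names and contents are constructed. The `between_check_and_use` hook stands in for
an attacker who wins the race; in reality they would loop, swapping the link."""
import os
import stat
import tempfile


def read_vulnerable(path, between_check_and_use=lambda: None):
    """CHECK on the name, then USE the name: two path lookups, possibly two objects."""
    if os.path.islink(path) or not os.access(path, os.R_OK):     # check
        raise PermissionError(path)
    between_check_and_use()                                       # the race window
    with open(path, "rb") as f:                                   # use: looks the name up again
        return f.read()


def read_hardened(path):
    """Open first (refusing to follow a symlink atomically), then check the opened object."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)               # ELOOP if path is a symlink
    try:
        st = os.fstat(fd)                                         # inspect what we actually hold
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError(path)
        chunks = []
        while chunk := os.read(fd, 65536):
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Returns (bytes the vulnerable reader leaked, hardened reader refused the swapped
    link, hardened reader still reads a regular file)."""
    workdir = tempfile.mkdtemp()
    public = os.path.join(workdir, "public.txt")
    secret = os.path.join(workdir, "secret.txt")
    with open(public, "w") as f:
        f.write("hello")
    with open(secret, "w") as f:
        f.write("TOP SECRET")

    def attacker_swaps_link():          # runs inside the race window
        os.remove(public)
        os.symlink(secret, public)

    leaked = read_vulnerable(public, attacker_swaps_link)   # check passed on the real file
    try:
        read_hardened(public)                                # public is now a symlink
        refused = False
    except OSError:                                          # ELOOP raised by O_NOFOLLOW
        refused = True
    normal_read = read_hardened(secret) == b"TOP SECRET"     # regular file still works
    return leaked, refused, normal_read


if __name__ == "__main__":
    leaked, refused, normal_read = demo()
    print("vulnerable reader leaked:", leaked)
    print("hardened reader refused the swapped link:", refused)
    print("hardened reader reads a regular file:", normal_read)
```

The fix is not a better check but collapsing check and use into one operation on the same object: open the descriptor first, then decide using `fstat` on what was actually opened. Checking a path name and then opening the path name again can never be made safe, however fast the two calls follow each other.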
Role-Based Access Control (also called non-discretionary)
Uses a set of controls to determine how subjects and objects interact.
Allows you to be assigned a role, and your role dictates your access to resources, rather than permissions being tied directly to your user.
This scales better than DAC methods
You don’t have to continually change ACLs or permissions per user, nor do you have to remember what permissions to set on a new user; just make them a certain role
You can simulate this with “groups” in Windows and Linux, especially with LDAP/AD.
When to use
If you need centralized access
If you DON’T need MAC ;)
If you have high turnover*
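A small RBAC engine with implicit deny, as an added example (not code from the slides). It also carries the teller/manager transaction-limit rule from the authorization slide. The roles, users, objects and limits are constructed.

```python
"""Role-based access control with implicit deny, plus a per-transaction limit rule.

Added example, not from the slides. Roles, users, objects and limits are constructed."""


class Rbac:
    def __init__(self):
        self.role_perms = {}   # role -> {(object, action): limit or None}
        self.user_roles = {}   # user -> set of roles

    def grant(self, role, obj, action, limit=None):
        """Attach a permission to a role. `limit` is an optional per-transaction cap."""
        self.role_perms.setdefault(role, {})[(obj, action)] = limit

    def assign(self, user, role):
        """Onboarding is one assignment, not a list of per-object permissions."""
        self.user_roles.setdefault(user, set()).add(role)

    def offboard(self, user):
        """High-turnover friendly: one deletion removes every permission the user had."""
        self.user_roles.pop(user, None)

    def is_allowed(self, user, obj, action, amount=None):
        """Implicit deny: unknown users, roles or permissions all evaluate to False."""
        for role in self.user_roles.get(user, ()):
            perms = self.role_perms.get(role, {})
            if (obj, action) not in perms:
                continue
            limit = perms[(obj, action)]
            # A capped permission needs an amount to compare; no amount means deny.
            if limit is None or (amount is not None and amount <= limit):
                return True
        return False


def build_bank():
    """Constructed policy: tellers withdraw up to 1,000; managers have no cap."""
    rbac = Rbac()
    rbac.grant("teller", "account", "view")
    rbac.grant("teller", "account", "withdraw", limit=1_000)
    rbac.grant("manager", "account", "view")
    rbac.grant("manager", "account", "withdraw")
    rbac.grant("manager", "branch_report", "view")
    rbac.assign("alice", "teller")
    rbac.assign("carol", "teller")
    rbac.assign("bob", "manager")
    return rbac


if __name__ == "__main__":
    bank = build_bank()
    print(bank.is_allowed("alice", "account", "withdraw", 500))     # True
    print(bank.is_allowed("alice", "account", "withdraw", 5_000))   # False: over the teller limit
    print(bank.is_allowed("bob", "account", "withdraw", 5_000))     # True
    bank.grant("teller", "branch_report", "view")                   # one change, every teller gets it
    print(bank.is_allowed("carol", "branch_report", "view"))        # True
    bank.offboard("alice")
    print(bank.is_allowed("alice", "account", "view"))              # False
```

Granting a new permission to the teller role reaches Carol without touching her account, and offboarding Alice is a single operation that cannot leave a stray ACL entry behind. Both are the scaling argument for RBAC over per-user DAC.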
We will talk more in depth of each in the next few slides.
Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependent Access Control
Context-Dependent Access Control
Table of subjects and objects indicating what actions individual subjects can take on individual objects*
See page 220 (top)
Capability table – bound to subjects, lists what permissions a subject has to each object
This is a row in the access matrix
(see page 220, bottom)
Lists what (and how) subjects may access a certain object.
It’s a column of an access matrix
See page 220
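The matrix, a capability list as one of its rows and an ACL as one of its columns, as an added example (not code from the slides). The subjects, objects and rights are constructed; the last function shows that the Unix mode bits on every file are themselves a three-entry ACL.

```python
"""Access control matrix, with a capability list as one row and an ACL as one column,
plus the POSIX mode bits as the ACL form every Unix file carries.

Added example, not from the slides. Subjects, objects and rights are constructed."""
import stat

# Sparse access matrix: only cells that hold rights are stored (most cells are empty).
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("alice", "printer"): {"print"},
    ("bob", "payroll.xlsx"): {"read"},
    ("bob", "printer"): {"print"},
    ("carol", "printer"): {"print", "manage"},
}


def capability_list(matrix, subject):
    """Row of the matrix, bound to the subject: object -> rights."""
    return {obj: rights for (subj, obj), rights in matrix.items() if subj == subject}


def access_control_list(matrix, obj):
    """Column of the matrix, bound to the object: subject -> rights."""
    return {subj: rights for (subj, o), rights in matrix.items() if o == obj}


def is_allowed(matrix, subject, obj, action):
    """Implicit deny: an empty cell (no entry at all) grants nothing."""
    return action in matrix.get((subject, obj), set())


def posix_mode_as_acl(mode, owner, group):
    """Translate Unix mode bits (e.g. 0o640) into the three-entry ACL they encode."""
    def rights(read_bit, write_bit, exec_bit):
        return {name for bit, name in ((read_bit, "read"), (write_bit, "write"),
                                       (exec_bit, "execute")) if mode & bit}
    return {
        owner: rights(stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
        f"group:{group}": rights(stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
        "other": rights(stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
    }


if __name__ == "__main__":
    print(capability_list(MATRIX, "alice"))                      # what alice may do, per object
    print(access_control_list(MATRIX, "printer"))                # who may use the printer
    print(is_allowed(MATRIX, "bob", "payroll.xlsx", "write"))    # False
    print(is_allowed(MATRIX, "dave", "printer", "print"))        # False: no row for dave
    print(posix_mode_as_acl(0o640, "alice", "finance"))
```

Real systems rarely store the full matrix because almost every cell is empty; they keep one column per object (an ACL, as Windows and Unix do) or one row per subject (a capability list, as in capability-based systems and bearer tokens). Both answer the same question from the same matrix.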
Before we move on you need to understand the definitions/terms that we are about to cover for the exam. (controls and control types) They are used ambiguously on the exam, so you need to think about them. We will give an overview now, but we’ll keep seeing them again and again.
Administrative - AAC
Physical - PAC
Technical or Logical – LAC
Now we’ll talk about control types
Types (can occur in each “control” category)
Deter – intended to discourage attacks
Prevent – intended to prevent incidents
Detect – intended to detect incidents
Correct – intended to correct incidents
Recover – intended to bring controls back up to normal operation
Computer Controls – physical locks on computer equipment, restrict USB access etc.
Work Area Separation – keep accountants out of R&D areas
Cabling – shielding, Fiber
Control Zone – break up office into logical areas (lobby – public, R&D- Top Secret, Offices – secret)
Using technology to protect
System Access – Kerberos, PKI, RADIUS (specifically access to a system)
Network Architecture – IP subnets, VLANs, DMZ
Network Access – Routers, Switches and Firewalls that control access
Encryption – protect confidentiality, integrity
Auditing – logging and notification systems.
IDS allow you to detect intrusion and unauthorized access.
Different types (we will discuss), but usually consist of
(see diagram on 260)
Network based – monitor network traffic ONLY
Can be of multiple types (discuss later)
Watch out for switches (use port mirroring/SPAN so the sensor sees the traffic) and subnets (use multiple sensors)
Host based – installed on computers
Monitor system activity
Monitor configuration files
Can also monitor network traffic, but only to and from the host it is installed on.
Multiple types – discussed later
Signature based – like a virus scanner, looks for known attack signatures
MUST be updated with new signatures
Will not stop unknown attacks (0-day)
Relatively low false-positive rate (a match is a known attack, so the alert carries high assurance)
Anomaly based – builds a profile of what “normal” behavior looks like
Detects when thing are not normal
Very subjective (what counts as “normal” depends entirely on the baseline)
Very high rate of false positives, which may lead to real alerts being ignored
Require a high degree of knowledge and maintenance to run
Naming: anomaly based is also called behavioral; signature based is also called knowledge based
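Both detection styles run over the same sample traffic, as an added example (not code from the slides). The access-log lines are constructed, and the two signatures and the "five times the baseline" factor are illustrative choices rather than any product's rule set.

```python
"""Signature-based vs anomaly-based detection over a small web access log.

Added example, not from the slides. The log lines are constructed; the signatures
and the baseline factor are illustrative choices, not a product's rule set."""
import re
from collections import Counter
from urllib.parse import unquote

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Known-bad patterns, matched after URL-decoding so %27 / %2F do not slip past.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+|union\s+select"),
}

# Constructed baseline traffic (training window) and a later window under attack.
BASELINE_LOG = [
    '10.0.0.1 - - [01/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.1 - - [01/Mar/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200',
    '10.0.0.2 - - [01/Mar/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.2 - - [01/Mar/2024:10:00:12 +0000] "POST /login HTTP/1.1" 302',
    '10.0.0.2 - - [01/Mar/2024:10:00:20 +0000] "GET /account HTTP/1.1" 200',
    '10.0.0.3 - - [01/Mar/2024:10:00:25 +0000] "GET /index.html HTTP/1.1" 200',
]
ATTACK_LOG = [
    '10.0.0.5 - - [01/Mar/2024:11:00:01 +0000] "GET /download?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '10.0.0.9 - - [01/Mar/2024:11:00:02 +0000] "GET /item?id=1%27%20OR%201%3D1 HTTP/1.1" 200',
    '10.0.0.2 - - [01/Mar/2024:11:00:03 +0000] "GET /account HTTP/1.1" 200',
] + [
    # Credential stuffing: no request matches a signature (the "unknown attack" case).
    f'203.0.113.7 - - [01/Mar/2024:11:00:{10 + n:02d} +0000] "POST /login HTTP/1.1" 401'
    for n in range(20)
]


def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Knowledge-based: flag any request whose decoded path matches a known signature."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        decoded = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["ip"], name))
    return alerts


def build_profile(lines):
    """Profile of 'normal': mean requests per source IP in the training window."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return sum(counts.values()) / len(counts)


def anomaly_alerts(lines, baseline_mean, factor=5):
    """Behaviour-based: flag sources whose volume exceeds factor x the learned mean."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return [(ip, "volume anomaly") for ip, n in counts.items() if n > factor * baseline_mean]


if __name__ == "__main__":
    print(signature_alerts(ATTACK_LOG))      # the two known attacks; the brute force is missed
    mean = build_profile(BASELINE_LOG)       # 2.0 requests per IP
    print(anomaly_alerts(ATTACK_LOG, mean))  # the brute force; the two single requests are missed
```

Each approach misses what the other catches: the signatures name the traversal and the injection exactly but see nothing wrong with twenty failed logins, while the volume profile flags the brute force but has no opinion on a single malicious request. The `unquote` step matters as well; matching the raw, still-encoded path would let `%2F` and `%27` evade both signatures.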
We will talk about these later.. But let’s review these now
Dictionary attacks – what is this?
Sniffers – what is this?
Brute force attacks – how is this different from a dictionary attack?
Spoofing login/trusted path
Social engineering – a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures.
Example…person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security.
Phishing – an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.
E-mail spoofing – the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.