access-control-week-2

Transcript of "access-control-week-2"

1. Pages 81 - 148, CISSP CBK 3rd

2. What the pages cover
   ● Access Control Techniques
     ○ Methods
   ● Identification and Authentication
     ○ Types and Strategies
   ● Identification Management
     ○ Considerations
   ● Authentication Methods
     ○ How to establish
   ● Sessions
     ○ Strategies on how to control

3. Access Controls - Continued
   Access Control
   ● Only authorised users, programs, and/or systems are allowed to access resources.
   Access Control Techniques
   ● How we determine which users, programs or systems get what kind of access to which resources.
   ● Methods of organising and protecting data.

4. Access Control Techniques
   "Yo, check out that sweet role-based access control..." - Lord Nikon

5. Discretionary and Mandatory Access Controls
   The balance between access controls enforced by the organization and access granted by information owners can be described by three general frameworks:
   ● Discretionary (DACs)
   ● Non-Discretionary
   ● Mandatory (MACs)
6. Discretionary and Mandatory Access Controls - continued
   Discretionary:
   ● Controls placed on data by the owner of the data. The owner decides who gets access, and with what privilege.
   ● User-centric (the user is responsible).
   Mandatory:
   ● Controls are determined by the system and based on organisational policy.
   ● System-centric (user vs. resource classification).
   ● The information owner provides who needs to know; the system makes the decision against that criteria.
   ● man chmod

7. Data Access Controls
   ACLs (Access Control Lists)
   ● Keyword, pattern & action
     ○ Example: MAC address filtering
   ● If nothing matches, or the action is unspecified, the default will be either deny-by-default or allow-by-default (based on the org's stance).
   ● Structure of access is often based on organization structure (users into groups; groups into file and directory permissions).

8. Access Control Matrix
   ● An ACL in the form of a table.
   ● Unwieldy for large environments, but useful when designing a system or looking at smaller portions.

9. Rule-based Access Control
   ● Access is based on a predefined set of rules.
   ● These rules specify the privileges granted to users when specific conditions are met.
     ○ Example:
       ■ The standard ACL says that Jr. Admin Bob can access the Dubstep MP3 folder, but the rule-based system would specify that while he can access it, he can only access the folder between 5PM and 8AM (outside of Sr. Admin Barry's office hours).
10. Role-Based Access Controls
   ● RBAC bases the access control authorizations on the roles or functions that the user is assigned within an organization.
   ● The determination of which roles have what access can be governed by the data owner, or applied based on org policy.

11. RBAC - Continued
   The four basic RBAC architectures:
   ● Non-RBAC
     ○ Traditional user-granted access (like ACLs). No formal roles or mapping.
   ● Limited RBAC
     ○ Users are mapped to a single application only.
   ● Hybrid RBAC
     ○ Users are mapped to multiple applications that subscribe to the org's role-based model.
   ● Full RBAC
     ○ Enterprise wide. Top down, from role policy.
   See Fig. 1.11

12. RBAC - Continued
   ● RBAC is easily modeled after the organisation's own organizational or functional structure.
     ○ Personnel moves are simplified (job role is tied to access).
   See also "The Triangle of Power" by Matt Byrd, MSFT: http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx
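A worked illustration of slides 10-12 (users mapped to roles, roles mapped to permissions, and a "personnel move" handled by swapping the role rather than editing per-user ACLs). This is an added example in Python, not code from the book or the slides; the role names, permission strings and the small role hierarchy (sr_admin inherits jr_admin, which inherits helpdesk) are assumptions chosen for illustration and go slightly beyond the slides, which do not discuss role inheritance.

```python
from typing import Dict, Set, Tuple

# Constructed role model (assumed names; not from the CISSP CBK).
# Each role owns some permissions and may inherit from parent roles.
ROLE_PERMS: Dict[str, Set[str]] = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "jr_admin": {"server:reboot"},
    "sr_admin": {"server:provision", "payroll:approve"},
}
ROLE_PARENTS: Dict[str, Set[str]] = {
    "helpdesk": set(),
    "jr_admin": {"helpdesk"},
    "sr_admin": {"jr_admin"},
}


class Rbac:
    """Minimal role-based access control: user -> roles, role -> permissions."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMS:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def move(self, user: str, new_role: str) -> None:
        """Personnel move: the user gets exactly the new job's role.
        Old roles are dropped, so nothing from the previous job lingers."""
        if new_role not in ROLE_PERMS:
            raise KeyError(f"unknown role {new_role!r}")
        self.user_roles[user] = {new_role}

    def effective_permissions(self, user: str) -> Set[str]:
        """Union of the user's roles and every role they inherit from."""
        perms: Set[str] = set()
        seen: Set[str] = set()
        stack = list(self.user_roles.get(user, set()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            perms |= ROLE_PERMS.get(role, set())
            stack.extend(ROLE_PARENTS.get(role, set()))
        return perms

    def check(self, user: str, perm: str) -> bool:
        """Default deny: unknown users and unknown permissions both yield False."""
        return perm in self.effective_permissions(user)


def demo_personnel_move() -> Tuple[bool, bool]:
    """Bob is promoted from jr_admin to sr_admin; one role swap changes his access."""
    rbac = Rbac()
    rbac.assign("bob", "jr_admin")
    before = rbac.check("bob", "payroll:approve")
    rbac.move("bob", "sr_admin")
    after = rbac.check("bob", "payroll:approve")
    return before, after


if __name__ == "__main__":
    print(demo_personnel_move())
```

Contrast this with the "non-RBAC" architecture on slide 11: there, Bob's promotion would mean finding and editing every ACL that names him.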
13. Miscellaneous Controls
   ● Content dependent access controls are based on the data. The control mechanism examines the data and makes decisions based on what it finds.
   ● Constrained User Interface is a method of restricting users to functions in the UI, based on their role in the system.
     ○ Example: AS/400 payroll menus, a POS unit, or views in a database.

14. Miscellaneous Controls - contd
   ● Capability tables are used to match subjects (like users or processes) and their capabilities (read, write, etc.).
   ● Temporal (time-based) isolation limits access based on time.
     ○ Examples: the Dubstep MP3 folder, or limiting access to change payroll to the first 4 hours of the day.
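One small model that ties together slides 7-9 and 14: an access control matrix, the two ways of slicing it (an ACL is a column, one object and who may touch it; a capability table is a row, one subject and what it may do), a deny-by-default decision, and a rule-based time window layered on top (Bob's 5PM-8AM window and the "first 4 hours" payroll rule). This is an added Python example, not code from the book or the slides; the subjects, objects, permission names and clock windows are constructed for illustration.

```python
from datetime import time
from typing import Dict, Set, Tuple, Optional

# Constructed access control matrix: subject -> object -> permissions.
# Bob, Barry and the folder come from slide 9; everything else is assumed.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "bob":   {"dubstep_mp3": {"read"}, "payroll": set()},
    "barry": {"dubstep_mp3": {"read", "write"}, "payroll": {"read", "write"}},
}

# Rule-based overlay: (subject, object) -> clock window [start, end) in which
# the matrix entry is honoured. Bob's window wraps past midnight.
TIME_RULES: Dict[Tuple[str, str], Tuple[time, time]] = {
    ("bob", "dubstep_mp3"): (time(17, 0), time(8, 0)),   # 5PM to 8AM
    ("barry", "payroll"):   (time(0, 0), time(4, 0)),    # first 4 hours of the day
}


def acl_for(obj: str) -> Dict[str, Set[str]]:
    """ACL view: one column of the matrix (subjects with any permission on obj)."""
    return {s: perms[obj] for s, perms in MATRIX.items() if perms.get(obj)}


def capabilities_of(subject: str) -> Dict[str, Set[str]]:
    """Capability-table view: one row of the matrix (objects the subject may use)."""
    return {o: p for o, p in MATRIX.get(subject, {}).items() if p}


def in_window(now: time, start: time, end: time) -> bool:
    """True if now is in [start, end); a window with start > end crosses midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def is_allowed(subject: str, obj: str, perm: str, now: time) -> bool:
    """Deny by default: unknown subject, object or permission means no access.
    If the matrix grants the permission, any time rule for the pair must also pass."""
    if perm not in MATRIX.get(subject, {}).get(obj, set()):
        return False
    window: Optional[Tuple[time, time]] = TIME_RULES.get((subject, obj))
    if window is None:
        return True
    return in_window(now, *window)


if __name__ == "__main__":
    print("ACL for payroll:", acl_for("payroll"))
    print("Bob's capabilities:", capabilities_of("bob"))
    print("Bob, dubstep, 7PM:", is_allowed("bob", "dubstep_mp3", "read", time(19, 0)))
    print("Bob, dubstep, noon:", is_allowed("bob", "dubstep_mp3", "read", time(12, 0)))
```

The wrap-around case matters in practice: a naive `start <= now < end` comparison silently denies Bob's whole window, and the failure looks like a permissions bug rather than a clock-logic bug.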
15. Identification and Authentication
   ● Identification
     ○ Provides uniqueness and accountability (when done properly).
   ● Authentication
     ○ Provides validity. You are expected, and trusted.
   ● Authorization
     ○ Provides control.

16. Identification Methods
   Identification provides a point of assignment and association to a user entity within a system. Can be a user, service account, etc.
   Examples:
   ● User Name
   ● User ID
   ● Account Number
   ● PIN
   ● Certificates

17. Badges
   ● The identification badge is the most common form of physical identification.
     ○ Name, logo, face, colour, etc.
   ● Policy usually dictates they must be worn at all times.
   ● "Badge Check"
   ● Usually tied together with an access badge & reader.
   ● RFID

18. Other Types
   ● User ID
     ○ Only use it as a system ID, not an authenticator.
   ● MAC (Media Access Control) address
     ○ No longer a good way to authenticate a user (spoofable).
   ● IP Address
     ○ Logical location on the network. Set by software, not a good indicator.
     ○ Subnets
   ● Email Address
     ○ The concept is that email is globally unique; however it is spoofable and only unique by convention.

19. User Identification Guidelines
   ● Three essential security characteristics regarding identities:
     ○ Uniqueness
       ■ Must be unambiguous & distinct.
       ■ Can be duplicated across systems, but that is bad practice.
     ○ Non-descriptiveness
       ■ billg@microsoft.com
       ■ Samir_Nagheenanajar@Initech.com
       ■ CIO@Wellsfargo.com
     ○ Secure issuance
       ■ Documentable and traceable.
20. Identity Management
   ● Every system must track valid users and control their permissions, across different types of administrative software and processes.
   ● Account creation process & propagation.
   ● Goal of the system is to consolidate access rights into a managed system.
   ● See Fig 1.13
   ● Quicker provision & deprovision
   Poll: How long does it take to deprovision/lock all passwords/etc. on a user account in your org?

21. Identity Management Challenges
   ● 2 Minutes Hate - topic: User Provisioning
   ● Backlog
     ○ Not enough people to process.
   ● Cumbersome
     ○ Too complex, or time consuming = errors.
   ● Incomplete forms
     ○ "I just check all the boxes."
   ● No audit trails
     ○ "Fuck it, we'll do it live!"
   ● Stale users
     ○ Ghost NDRs

22. Identity Management Challenges - continued
   ● Consistency
     ○ User profile data should be consistent and uniform.
   ● Usability
   ● Reliability
     ○ "My admin account never worked right, so I've just been using the domain admin."
   ● Scalability
     ○ If you have 10,000 users and your domain controller is an old laptop, you're gonna have a bad time.

23. Other Considerations
   ● Can help with legal obligations and industry-specific compliance.
   ● When properly done, you can have finer control (and flexibility) over what levels of access the public, guests, vendors, contractors, support, etc. groups have.

24. Centralised Identity Management
   ● In general, an org will opt to be either centralized or decentralized.
   ● Centralized:
     ○ All access decisions, provisioning, and management are concentrated in a central location.
     ○ One entity (user/department/system) manages the service for the entire org. Example: RADIUS
   ● Decentralized:
     ○ ID management, authentication, and authorisation decisions are moved closer to the local resource.
     ○ Could be per department.
25. Authentication Methods
   ● Authentication by knowledge
     ○ Something you know
       ■ Example: Password
   ● Authentication by possession
     ○ Something you have
       ■ Example: ID Badge
   ● Authentication by characteristic
     ○ Something you are
       ■ Example:

26. Factors
   ● Logical controls related to those types are called "Factors".
   ● Single-Factor
     ○ Use of 1 factor (makes sense, right?)
   ● Two-Factor
     ○ Usingtwoofthethreefactors... who edited this book?
   ● Three-Factor
     ○ You get the picture.
   ● The book mentions a possible 4th (Geolocation) by GPS or IP.

27. Authentication by Knowledge
   ● Passwords
     ○ Standard words
       ■ God
         ● Easily guessable
     ○ Combination
       ■ G0d
         ● Got an app for that
     ○ Complex
       ■ 1||$1D3j0|<3
         ● Harder to remember - people usually write these down or have them somewhere.
   ● Passphrase
     ○ List of names, phrase, or mnemonic
       ■ Example: AD5wu5ydD!
         ● "Always do sober, what you said you'd do drunk." - Hemingway

28. Passwords continued
   ● Issues:
     ○ Cleartext
     ○ Offline and off-site cracking
   ● Passwords are often hashed, as an extra measure of protection.
   ● Graphical passwords
     ○ Protect somewhat against keyloggers.

29. Authentication By Possession
   ● Token, fob, badge, key, ring, etc.
   ● Concept is to add an additional layer of confidence.
   ● Two methods:
     ○ Asynchronous
       ■ Challenge-Response
         ● Slide card, enter PIN
     ○ Synchronous
       ■ Time, event, or location
         ● Seed. Like the WoW account thingie.
30. Static Authentication Devices
   ● Physical device that contains credentials.
   ● Two types:
     ○ Memory cards
       ■ Swipe cards. Mag stripe.
       ■ Used + PIN, often.
       ■ Often the stripe is unencrypted. Theft.
     ○ Smart cards
       ■ Embedded chip that can accept, store, and send information.
       ■ Some have apps.
         ● Used for secure log-on, S/MIME, secure web access, VPNs, hard disc encryption.
       ■ Helps integrate outside devices into enterprise PKI.

31. Smart-Card Segue
   ● Types of information on a smart card:
     ○ Read only.
     ○ Added only.
     ○ Updated only.
     ○ No access available.
   ● Trusted Path
     ○ Login process is done by the reader, instead of the host.
     ○ Minimises surface area and "hops", with each addition adding opportunity for security failures.

32. Smart Card Memory Types
   ● ROM
     ○ Predetermined by MFGR.
   ● Programmable Read-Only (PROM)
     ○ Can be modified, but looks like a pain in the ass.
   ● Erasable Programmable Read-Only (EPROM)
     ○ Widely used early on, but the process is difficult. Ultraviolet light? Really?
   ● Electrically Erasable PROM (EEPROM)
     ○ Current IC of choice.
   ● RAM
     ○ Not bad, actually, if used as a dead man's switch.

33. More Smart Card Stuff
   ● Data controls are intrinsic to how the IC works.
   ● Example:
     ○ When power is applied to the smart card, the processor can apply logic to perform services and take action or control of the EEPROM.
     ○ No power = no access = less exposure.
   ● Mag stripe & contact, and contactless (RFID)
     ○ See pages 126-128 for pinouts...

34. Footnote
   The book mentions a few other possession-based authentication devices, one of which was USB devices. iLok:
35. Authentication by Characteristic
   ● Biometrics
     ○ Two types:
       ■ Physiological
         ● Examples: fingerprint, hand, face, eyes
         ● Vascular scans (they scan yer veins! And if you mash your hand, you're SOL).
       ■ Behavioral
         ● Examples: voice pattern & recognition, keystroke pattern (typing style), signature dynamics.
     ○ Accuracy
       ■ Typical passwords, tokens, and devices provide a high degree of accuracy and confidence.
       ■ Humans are different, and environments are different.

36. Biometric Accuracy
   ● False Reject Rate (Type I Error):
     ○ When authorised users are falsely rejected as unidentified or unverified.
   ● False Accept Rate (Type II Error):
     ○ When unauthorised persons or imposters are falsely accepted as authentic.
   ● Crossover Error Rate (CER):
     ○ The point at which the false rejection rate and the false acceptance rate are equal. The smaller the value of CER, the more accurate the system.

37. Biometric Accuracy - Contd
   ● Not sensitive enough, and everyone will be authorised.
   ● Too sensitive, and no one gets through.
   ● The "tune" of the system is largely based on risk vs. importance of the controls, resulting in an org-accepted level of risk.

38. Biometric Considerations
   ● Resistance to counterfeiting
     ○ A determined attacker can take advantage by counterfeiting what is measured.
   ● Data storage requirements
     ○ Security of the data it's matching against.
   ● User acceptance
     ○ "Ain't nobody got time for that."
     ○ Enrollment speed.
   ● Reliability and accuracy
     ○ "The system... is down..."
   ● Target user and approach
     ○ Who and how?

39. Authentication Method Summary
   ● The capabilities and level of confidence increase as more factors and techniques are included in the identification and authentication process.
     ○ See Fig. 1.23
   ● "Strongest" leans towards biometrics.
     ○ Strong:
       ■ Assurance that the authentication produced by the method is valid.
     ○ Harder to implement, manage, impersonate.
     ○ As with anything, trade-offs.

40. Authentication Method Summary - contd
   Most prevalent considerations when looking at enterprise authentication method(s):
   ● The value of the protected asset
     ○ High value = more complex method
   ● The level of threat to the asset
     ○ Assess risk. Real vs. perceived.
   ● Potential countermeasures
     ○ How can we reduce the threat?
   ● The cost of countermeasures
     ○ "Consider the following..."
   ● Feasibility and inconvenience to users.
     ○ Participation vs. annoyance.
41. ...
42. Session (sessi on) Management
   ● Term to describe how a single instance of identification and authentication is applied to resources.
     ○ Desktop sessions can be controlled & protected:
       ■ Screensavers
         ● GPO
       ■ Timeouts
         ● Power saver
       ■ Automatic logouts
       ■ Login limitations
       ■ Schedule limitations
         ● Time/Day

43. Logical Sessions
   ● Session Hijacking
     ○ Man-in-the-Middle attacks.
     ○ Session sniffing.
     ○ Cross-Site Scripting attacks.

44. Accountability
   ● Being able to determine who or what is responsible for an action, and can be held responsible.
   ● Repudiation (as defined by the book)
     ○ The ability to deny an action, event, impact, or result.
   ● Non-repudiation (cue Tim)
     ○ The process of ensuring that a user may not deny an action. Accountability relies heavily on non-repudiation.

45. Factors contributing to accountability of actions
   ● Strong identification
     ○ NO SHARED ACCOUNTS!
   ● Strong authentication
     ○ Biometrics
   ● User training and awareness
     ○ Are users aware of the consequences?
   ● Comprehensive and timely monitoring
     ○ IDS
   ● Accurate and consistent audit logs
     ○ Collect and consolidate. Security Information and Event Management (SIEM) systems.
     ○ Splunk (shudder)

46. Factors contributing to accountability of actions - contd
   ● Independent audits
     ○ Unbiased review. Helps root out accountability in the event of collusion.
     ○ Helps shape culture.
   ● Policies enforcing accountability
     ○ HR's teeth.
   ● Org culture supporting accountability
     ○ "Do as I say, not as I do."
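The controls listed on slide 42 for a logical session (idle timeout, automatic logout after a maximum lifetime, a limit on concurrent logins, and a time-of-day schedule) in one small session store. This is an added Python example, not code from the book or the slides; the policy values and the `login`/`validate`/`logout` API are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional
import secrets

# Assumed policy values; a real deployment would take these from configuration.
IDLE_TIMEOUT = timedelta(minutes=15)   # screensaver / timeout
MAX_LIFETIME = timedelta(hours=8)      # automatic logout regardless of activity
ALLOWED_HOURS = (7, 19)                # schedule limitation: 07:00 <= hour < 19:00
MAX_SESSIONS_PER_USER = 2              # login limitation


@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime


class SessionManager:
    """One record per authenticated session, keyed by an unguessable id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: datetime) -> Optional[str]:
        """Create a session after authentication has succeeded, or return None
        when policy (schedule or concurrent-login limit) refuses it."""
        if not (ALLOWED_HOURS[0] <= now.hour < ALLOWED_HOURS[1]):
            return None
        # Copy the items first: validate() may evict expired sessions while we iterate.
        active = [sid for sid, s in list(self._sessions.items())
                  if s.user == user and self.validate(sid, now, touch=False)]
        if len(active) >= MAX_SESSIONS_PER_USER:
            return None
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, not sequential
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: datetime, touch: bool = True) -> bool:
        """True if the session exists and is within both idle and lifetime limits.
        An expired session is removed on the spot (automatic logout)."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.created > MAX_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return False
        if touch:
            s.last_seen = now
        return True

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_count(self, now: datetime) -> int:
        """Number of sessions still valid at `now`, sweeping out any expired ones."""
        return sum(self.validate(sid, now, touch=False) for sid in list(self._sessions))


if __name__ == "__main__":
    mgr = SessionManager()
    t0 = datetime(2024, 1, 1, 9, 0)
    sid = mgr.login("bob", t0)
    print("valid after 10 min:", mgr.validate(sid, t0 + timedelta(minutes=10)))
    print("valid after 30 idle:", mgr.validate(sid, t0 + timedelta(minutes=40)))
    print("login at 22:00:", mgr.login("bob", datetime(2024, 1, 1, 22, 0)))
```

Two limits, not one: the idle timeout handles the unattended desk, while the absolute lifetime bounds how long a stolen session id stays useful even if the thief keeps it "active".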
