Access Control Presentation
Presentation Transcript

• Access Control
  Muhammad Wajahat Rajab

• Overview
  • Protecting what needs to be protected with the available technologies!
  • Access control is the of Information Security!

• Some Questions
  • What is Access? – The right
  • What is the Access Mechanism? – Flow of information between subject and object
  • What is Access Control? – Mechanism to protect the assets!

• Identification, Authentication, Authorization

• Identification

• Identification
  • Method of establishing the subject's identity
    – User, Program, Process
  • Use of username or other public information
  • Identification component requirements…
    – Each value should be unique
    – Follow a standard naming scheme
    – Non-descriptive of the user's position or tasks
    – Must not be shared between users

• Authentication

• Authentication
  • Method of proving the identity
  • How to prove an identity?
    – Something you know
    – Something you have
    – Something you are
  • Use of passwords, tokens, biometrics or other private information
  • What is two factor authentication?
    – Strong authentication

• Something you know
  • Traditional authentication method
  • Passwords
    – Protected string of characters
    – Most widely used
    – Types
      • Cognitive passwords
      • One time passwords (Dynamic passwords)
      • Passphrase

• Cognitive passwords
  • Fact or opinion based information
  • Created through several experience based questions
  • Easy to remember!
    – A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.

• One time passwords
  • Only used once
  • Used in sensitive cases and places
  • Examples include
    – Prepaid cards
    – Token devices
  • The token device generates the one-time password for the user to submit to an authentication server

• Passphrase
  • Sequence of characters that is longer than a password, thus a phrase
    – The user enters this phrase into an application which transforms the value into a virtual password

• Attacks against passwords
  • Electronic monitoring
  • Access to the password file
  • Brute force attacks
  • Dictionary attacks
  • Social engineering
  • Shoulder surfing

• Something you have
  • Requires possession of something such as a key, smart card, or some other device
  • Examples include…
    – Keys
    – Documents
    – Token devices
    – Memory cards
    – Smart cards

• Token device
  • Software/hardware hybrid object used to verify an identity in an authentication process
  • A token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad
    – The token device is separate from the computer the user is attempting to access

• Token Device – Benefits/Limitations
  • Benefits
    – Not vulnerable to electronic eavesdropping
      • Wiretapping
      • Sniffing
    – Provides two factor authentication
  • Limitations
    – Human error
    – Battery limitation
    – The token itself (environmental factors)

• Types of Token Devices
  • Synchronous Token
    – A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.
  • Asynchronous Token
    – A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.

• Synchronous Token

• Asynchronous Token Device
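The two token types on the slides above, as an added example that is not part of the presentation: a counter-synchronised token (device and server advance a shared counter and derive each code with HMAC) and an asynchronous challenge/response token (server sends a random challenge, device answers with an HMAC of it). The secret, names and the drift window of 3 are all constructed for illustration; real products use their own code derivation and drift rules.

```python
"""Added example, not from the slides: a counter-synchronised token and a
challenge/response (asynchronous) token, both modelled with HMAC so that the
shared secret itself never travels over the wire. Every name, secret and
counter here is constructed for illustration."""
import hashlib
import hmac
import os
import struct


def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a short numeric code from the shared secret and a counter.

    The token device and the authentication server both run this function,
    so they agree on the code without ever transmitting the secret.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


class SynchronousToken:
    """Device side: each button press advances the counter and shows a code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        self.counter += 1
        return token_code(self.secret, self.counter)


class SynchronousServer:
    """Server side of the counter-synchronised token."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0      # highest counter value consumed so far
        self.window = window  # how far ahead the device may have drifted

    def verify(self, code: str) -> bool:
        # Try only the next `window` counter values. Values at or below the
        # consumed counter are never retried, which is what makes a code
        # one-time: replaying it fails even though it was once valid.
        for candidate in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(token_code(self.secret, candidate), code):
                self.counter = candidate
                return True
        return False


class ChallengeResponseServer:
    """Server side of the asynchronous token: issue a fresh random challenge,
    accept only an HMAC of that exact challenge, and accept it only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False  # unknown, expired or already-used challenge
        self.pending.discard(nonce)
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_response(secret: bytes, nonce: bytes) -> bytes:
    """Device side of the asynchronous token: answer the server's challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run both schemes through the normal path, a replay and a counter drift."""
    secret = b"constructed-shared-secret"  # constructed for this example only
    token, server = SynchronousToken(secret), SynchronousServer(secret)
    first = token.next_code()
    results = {"sync_accepted": server.verify(first),
               "sync_replay_rejected": not server.verify(first)}
    token.next_code()  # a press whose code was never submitted (drift of one)
    results["sync_drift_tolerated"] = server.verify(token.next_code())

    cr = ChallengeResponseServer(secret)
    nonce = cr.challenge()
    answer = challenge_response(secret, nonce)
    results["async_accepted"] = cr.verify(nonce, answer)
    results["async_replay_rejected"] = not cr.verify(nonce, answer)
    nonce2 = cr.challenge()
    results["async_wrong_secret_rejected"] = not cr.verify(
        nonce2, challenge_response(b"some-other-secret", nonce2))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The replay checks are the point of the "one time" property on the earlier slide: a synchronous code is bound to a counter value the server will not accept twice, and a challenge/response answer is bound to a nonce the server discards after one use.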
• Memory Card
  • Holds information but cannot process it
    – A memory card can hold a user's authentication information, so that the user only needs to type in a UserID or PIN.

• Smart Card
  • Holds and processes information
  • After a threshold of failed login attempts, it can render itself unusable
  • A PIN or password unlocks smart card functionality
  • A smart card could be used for:
    – Holding biometric data in a template
    – Responding to a challenge
    – Holding a private key

• Types of Smart Card
  • Contact
    – Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated)
    – Through these physical contact points, transmission of commands, data, and card status takes place
  • Contactless
    – Requires only close proximity to a reader
    – Both the reader and the card have an antenna, and it is via this contactless link that the two communicate

• Smart Card attacks
  • Micro-probing techniques
  • Eavesdropping techniques
  • Trojan Horse attacks
  • Social engineering attacks

• Something you are
  • Special case of something you have
  • A unique personal attribute is analyzed
  • Encompasses all biometric techniques
    – Fingerprints
    – Retina scan
    – Iris scan
    – Hand geometry
    – Facial scan

• Biometric System
  • A characteristic based system
    – Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process
  • Uses an individual's unique physical characteristics in order to identify and authenticate
    – Each has its own advantages and disadvantages

• Fingerprints
  • Every person's fingerprint is unique
  • Most affordable and convenient method of verifying a person's identity
  • The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.

• Retina Scan
  • Retinal scan technology maps the capillary pattern of the retina
    – A thin (1/50th inch) nerve on the back of the eye!
  • Accurate
  • Many people are hesitant to use the device

• Iris Scan
  • Scans the iris, the colored portion of the eye
  • For authentication the subject looks at the video camera from a distance of 3-10 inches
  • The entire enrollment process is less than 20 seconds, and subsequent identification takes 1-2 seconds.
  • Offers high accuracy!

• Hand Geometry
  • Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.
  • Takes over 90 measurements of the length, width, thickness, and surface area of a person's hand and fingers.
  • Hand measurements occur with amazing speed, almost within one second.
  • A charge coupled device (CCD) digital camera is used to record the hand's three dimensional shape.

• Keyboard Dynamics
  • Looks at the way a person types at a keyboard
  • Also called Typing Rhythms!
  • Keyboard dynamics measures two distinct variables:
    – Dwell time: the amount of time one holds a particular key
    – Flight time: the amount of time one takes moving between keys
  • A keyboard dynamics system can measure one's keyboard input up to 1000 times per second!

• Voice Print
  • A voice reference template is constructed
    – To construct it, an individual must speak a set of phrases several times as the system builds the template.
    – Voice identification systems incorporate several variables including pitch, dynamics, and waveform.

• Facial Scan
  • Incorporates two significant methods:
    – Detection
    – Recognition
  • Detection involves locating the human face within an image.
  • Recognition is comparing the captured face to other faces that have been saved and stored in a database.

• Facial Scan – Process

• Biometric Performance
  • Biometric performance is most commonly measured in two ways:
    – False Rejection Rate (FRR) – Type 1
    – False Acceptance Rate (FAR) – Type 2
  • The FRR is the probability that you are not authenticated to access your account.
  • The FAR is the chance that someone other than you is granted access to your account.

• Crossover Error Rate
  • The Crossover Error Rate (CER) value is the point at which Type 1 and Type 2 errors are equal.
    – (Type 1 errors = Type 2 errors) = CER metric value
  • System ABC has 1 out of 100 Type 1 errors = 1%
  • System ABC has 1 out of 100 Type 2 errors = 1%
  • System ABC CER = 1
  • The lower the CER value, the higher the accuracy
  • A system with a CER of 5 has greater accuracy than a system with a CER of 6

• CER Concept
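The FRR/FAR/CER definitions on the two slides above, worked through in code as an added example that is not part of the presentation. It sweeps an acceptance threshold over constructed match scores for two hypothetical systems (called A and B here, not the slide's "System ABC"), finds where the Type 1 and Type 2 rates cross, and applies the slide's rule that the lower CER is the more accurate system. The scores are made up for illustration.

```python
"""Added example, not from the slides: computing FRR (Type 1), FAR (Type 2)
and the crossover error rate (CER) of a biometric matcher from match scores.
The scores are constructed; a real matcher would produce them by comparing a
live sample against a stored template."""
from typing import Dict, Sequence, Tuple

# Constructed similarity scores from 0 to 100. "genuine" are users matched
# against their own template, "impostor" are users matched against someone
# else's. A score is accepted when it is >= the threshold.
SYSTEM_A = {"genuine":  [40, 50, 60, 70, 80, 90, 95, 85, 75, 65],
            "impostor": [5, 15, 25, 35, 45, 55, 65, 75, 30, 20]}
SYSTEM_B = {"genuine":  [30, 40, 50, 60, 70, 80, 90, 95, 85, 75],
            "impostor": [5, 15, 25, 35, 45, 55, 65, 75, 30, 20]}


def error_rates(genuine: Sequence[int], impostor: Sequence[int],
                threshold: int) -> Tuple[float, float]:
    """Return (FRR, FAR) in percent at the given acceptance threshold.

    FRR: genuine attempts wrongly rejected (score below threshold).
    FAR: impostor attempts wrongly accepted (score at or above threshold).
    """
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    accepted_impostor = sum(1 for s in impostor if s >= threshold)
    frr = 100 * rejected_genuine / len(genuine)
    far = 100 * accepted_impostor / len(impostor)
    return frr, far


def crossover(genuine: Sequence[int], impostor: Sequence[int]) -> Dict[str, float]:
    """Find the threshold where FRR and FAR are closest and report the CER.

    Only observed scores need to be tried as thresholds: the two rates change
    only when the threshold moves past one of them.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    t, frr, far = best
    return {"threshold": t, "frr": frr, "far": far, "cer": (frr + far) / 2}


def more_accurate(name_x: str, sys_x: dict, name_y: str, sys_y: dict) -> str:
    """Lower CER means higher accuracy, as the slide states."""
    cer_x = crossover(**sys_x)["cer"]
    cer_y = crossover(**sys_y)["cer"]
    return name_x if cer_x < cer_y else name_y


if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        print(name, crossover(**system))
    print("more accurate:", more_accurate("A", SYSTEM_A, "B", SYSTEM_B))
```

Raising the threshold lowers FAR and raises FRR, so the operator chooses the operating point; the CER is simply the one point on that curve where the two rates coincide, which is why it is used to compare systems in a single number.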
• Authorization

• Authorization

• Controls

• Types of Access Controls
  • There are three types of Access Controls:
    – Administrative controls
      • Define roles, responsibilities, policies, and administrative functions to manage the control environment.
    – Technical controls
      • Use hardware and software technology to implement access control.
    – Physical controls
      • Ensure safety and security of the physical environment.

• Administrative Controls
  • Ensure that technical and physical controls are understood and properly implemented
    – Policies and procedures
    – Security awareness training
    – Asset classification and control
    – Employment policies and practices (background checks, job rotations, and separation of duties)
    – Account administration
    – Account and log monitoring
    – Review of audit trails

• Technical Controls
  • Examples of Technical Controls are:
    – Encryption
    – Biometrics
    – Smart cards
    – Tokens
    – Access control lists
    – Violation reports
    – Audit trails
    – Network monitoring and intrusion detection

• Physical Controls
  • Examples of Physical Controls are:
    – HVAC
    – Fences, locked doors, and restricted areas
    – Guards and dogs
    – Motion detectors
    – Video cameras
    – Fire detectors
    – Smoke detectors

• Categories of Access Controls
  • Preventive – Avoid incident
  • Deterrent – Discourage incident
  • Detective – Identify incident
  • Corrective – Remedy circumstance/mitigate damage and restore controls
  • Recovery – Restore conditions to normal
  • Compensating – Alternative control
  • Directive

• Categories of Access Controls

• Administrative Preventive Controls
  • Policies and procedures
  • Effective hiring practices
  • Pre-employment background checks
  • Controlled termination processes
  • Data classification and labeling
  • Security awareness
  • Risk assessments and analysis
  • Creating a security program
  • Separation of duties

• Administrative Detective Controls
  • Job rotation
  • Sharing responsibilities
  • Inspections
  • Incident response
  • Use of auditors

• Technical Preventive Controls
  • Passwords
  • Biometrics
  • Smart cards
  • Encryption
  • Database views
  • Firewalls
  • ACLs
  • Anti-virus

• Technical Detective Controls
  • IDS
  • Reviewing audit logs
  • Reviewing violations of clipping levels
  • Forensics

• Physical Preventive Controls
  • Badges
  • Guards and dogs
  • CCTV
  • Fences, locks, man-traps
  • Locking computer cases
  • Removing floppy and CD-ROM drives
  • Disabling USB ports

• Physical Detective Controls
  • Motion detectors
  • Intrusion detectors
  • Video cameras
  • Guard responding to an alarm

• Jotting them together…

• Centralized Access Control Methodologies

• Centralized Access Control Methodologies
  • (ISC)² discusses the following methodologies:
    – RADIUS – Remote Authentication Dial-In User Service
    – TACACS – Terminal Access Controller Access Control System
    – DIAMETER

• RADIUS
  • Provides centralized authentication, authorization and accounting management for network services
  • Works on a client/server model
  • Functions:
    – To authenticate users or devices before granting them access to a network
    – To authorize users or devices for certain network services
    – To account for usage of the services used

• RADIUS Process

• RADIUS Implementation

• TACACS
  • TACACS has been through three generations:
    – TACACS, XTACACS and TACACS+
  • TACACS uses passwords for authentication
    – TACACS+ allows users to use dynamic (one-time) passwords
    – TACACS+ encrypts all the data
  • TACACS uses UDP
    – TACACS+ uses TCP

• TACACS at Work

• Diameter
  • "New and improved" RADIUS
  • RADIUS is limited in its methods of authenticating users
  • Diameter does not have such limitations
  • Can authenticate wireless devices and smart phones
  • Open for future growth
  • Users can move between service provider networks and change their points of attachment

• Single Sign-On Technologies

• Single Sign On (SSO)
  • A system that enables a user to access multiple computer platforms
  • The user logs in just once
  • Access is granted to permitted resources
  • No further login is required until the user logs out
  • Examples include:
    – Kerberos
    – SESAME
    – Security Domains
    – Thin Clients

• Kerberos
  • A computer network authentication protocol
    – Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner.
  • Principals
    – Any user or service that interacts with a network
    – A term that is applied to anything within a network that needs to communicate in an authorized manner

• Kerberos components
  • Components of Kerberos
    – Key Distribution Center (KDC)
      • Holds all of the principals' secret keys
      • Principals authenticate to the KDC before networking can take place
    – Authentication Server (AS)
      • Authenticates the user at initial logon
      • Generates the initial ticket to allow the user to authenticate to the local system
    – Ticket Granting Service (TGS)
      • Generates tickets to allow subjects to authenticate to each other

• Kerberos Process

• SESAME
  • Secure European System for Applications in a Multi-Vendor Environment
  • Uses symmetric and asymmetric cryptographic techniques
  • Uses Privileged Attribute Certificates (PACs)
  • PACs are generated by the Privileged Attribute Server (PAS)
  • After a user successfully authenticates to the Authentication Server (AS), the PAS creates a PAC for the user to present to the resource that is being accessed!

• SESAME Process

• Security Domains
  • Based on trust between resources or services in a domain that share a single security policy and single management
  • The security policy defines the set of objects that each user has the ability to access
  • A similar mission and a single point of management responsibility

• Security Domains – Bull's Eye View

• Thin Clients
  • Diskless computers are called dumb terminals or thin clients
  • Client/server technology forces users to log onto a central server just to be able to use the computer and access network resources.
  • The server downloads the operating system, or interactive operating software, to the terminal

• Access Control Models

• Access Control Models
  • Frameworks that dictate how subjects access objects
  • Three main types
    – Discretionary Access Control (DAC)
    – Mandatory Access Control (MAC)
    – Role Based Access Control (RBAC)

• Discretionary Access Control
  • Allows the owner of the resource to specify which subjects can access which resources
  • Access control is at the discretion of the owner
  • DAC defines an access control policy
    – that restricts access to files and other system resources based on identity
  • DAC can be implemented through Access Control Lists (ACLs)

• Access Control Matrix
  • Access Control Lists (ACLs)
    – Specify the list of subjects that are authorized to access a specific object
  • Capability Lists
    – Specify the access rights a certain subject possesses pertaining to specific objects

• Access Control Matrix
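The DAC and access control matrix slides above, as an added example that is not part of the presentation: one matrix of subjects, objects and rights is read column-wise to produce each object's ACL and row-wise to produce each subject's capability list, and a DAC-style grant succeeds only when the grantor owns the object. The subjects (alice, bob, carol), objects and the "own" right are constructed for illustration.

```python
"""Added example, not from the slides: one access control matrix read two ways,
as per-object access control lists (columns) and per-subject capability lists
(rows), plus a DAC check in which only an object's owner may grant access.
Subjects, objects and rights are constructed."""
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]


def fresh_matrix() -> Matrix:
    """Constructed matrix: rows are subjects, columns objects, cells rights."""
    return {
        "alice": {"report.doc": {"read", "write", "own"}, "plan.xls": {"read"}},
        "bob":   {"report.doc": {"read"}, "plan.xls": {"read", "write", "own"}},
        "carol": {},
    }


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Column view: the ACL of one object, the form stored with the object."""
    return {subj: set(rights[obj]) for subj, rights in matrix.items()
            if rights.get(obj)}


def capabilities(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Row view: the capability list of one subject, stored with the subject."""
    return {obj: set(r) for obj, r in matrix.get(subject, {}).items() if r}


def allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """The access check itself: is the requested right in the matrix cell?"""
    return right in matrix.get(subject, {}).get(obj, set())


def grant(matrix: Matrix, grantor: str, subject: str, obj: str, right: str) -> bool:
    """DAC: access is at the owner's discretion, so only the owner may grant."""
    if not allowed(matrix, grantor, obj, "own"):
        return False
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True


if __name__ == "__main__":
    m = fresh_matrix()
    print("ACL of report.doc:", acl(m, "report.doc"))
    print("capabilities of bob:", capabilities(m, "bob"))
    print("bob grants carol read on report.doc:",
          grant(m, "bob", "carol", "report.doc", "read"))   # bob is not the owner
    print("alice grants carol read on report.doc:",
          grant(m, "alice", "carol", "report.doc", "read"))  # alice owns it
```

The same matrix answers both questions the slide distinguishes: "who may touch this object?" (the ACL, what a file system stores next to the file) and "what may this subject touch?" (the capability list, what a ticket or token carries with the subject).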
• Mandatory Access Control
  • Based on a security label system
  • Users are given a security clearance and data is classified
  • Used where confidentiality is of utmost importance
  • MAC is considered a policy based control
  • Every object and subject is given a sensitivity label
    – Classification level
      • Secret, Top Secret, Confidential, etc.
    – Category
      • Information warfare, Treasury, UN, etc.

• Mandatory Access Control

  Subject   Classification level   Category
  Umair     Secret                 Finance
  Tayyeb    Secret                 HR

  Object            Classification level   Category
  Finance records   Secret                 Finance
  Employee records  Secret                 HR
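The labelled subjects and objects from the table above, run through a MAC decision as an added example that is not part of the presentation. The comparison rule used here (a subject may read an object only if the subject's clearance is at or above the object's classification and the subject holds every category of the object) is the standard label-dominance rule, not something the slide spells out; the "Budget forecast" object and the level ordering are constructed.

```python
"""Added example, not from the slides: a mandatory access control decision
using the slide's two subjects and two objects. The dominance rule is the
standard lattice comparison, not spelled out on the slide; the extra
"Budget forecast" object and the numeric level ordering are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Classification levels ordered from least to most sensitive (constructed order).
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high in level and covers every
        category of the other label."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


# Labels are assigned by policy, not by the users themselves: unlike DAC there
# is no grant() an owner can call. These two subjects and the first two
# objects are the ones on the slide.
SUBJECTS = {
    "Umair":  Label("Secret", frozenset({"Finance"})),
    "Tayyeb": Label("Secret", frozenset({"HR"})),
}
OBJECTS = {
    "Finance records":  Label("Secret", frozenset({"Finance"})),
    "Employee records": Label("Secret", frozenset({"HR"})),
    "Budget forecast":  Label("Top Secret", frozenset({"Finance"})),  # constructed
}


def can_read(subject: str, obj: str) -> bool:
    """Read is permitted only if the subject's clearance dominates the label."""
    return SUBJECTS[subject].dominates(OBJECTS[obj])


def readable_by(subject: str) -> List[str]:
    """Every object this subject's label permits reading, sorted by name."""
    return sorted(o for o in OBJECTS if can_read(subject, o))


if __name__ == "__main__":
    for s in SUBJECTS:
        print(f"{s} may read: {readable_by(s)}")
```

Umair and Tayyeb hold the same classification level, yet neither can read the other's records: the category part of the label is what keeps Finance and HR data apart even at equal clearance, and the Top Secret object is out of reach for both regardless of category.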
• Role Based Access Control
  • Uses a centrally administered set of controls to determine how subjects and objects interact
  • Decisions are based on the functions that a user is allowed to perform within an organization
  • An advantage of role based access controls is the ease of administration
  • Capability tables are sometimes seen in conjunction with role-based access controls
  • Best for high turnover organizations
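The RBAC slide above, as an added example that is not part of the presentation: permissions are attached to roles, users are assigned roles, and the "ease of administration" and "high turnover" points show up as two operations, adding a permission to a role (one change reaches every holder of the role) and reassigning a leaver's roles. The roles, permission names and users are constructed for illustration.

```python
"""Added example, not from the slides: role based access control in which
permissions attach to roles and users are assigned roles, so staff turnover is
handled by reassigning roles rather than editing per-object permissions.
Roles, permissions and users are constructed."""
from typing import Dict, Set

# Central role definitions: the "centrally administered set of controls".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "accountant": {"ledger:read", "ledger:write"},
    "auditor":    {"ledger:read", "audit-log:read"},
    "hr":         {"personnel:read", "personnel:write"},
}

# Who currently holds which roles (the user-to-role assignment).
USER_ROLES: Dict[str, Set[str]] = {
    "umair":  {"accountant"},
    "tayyeb": {"hr"},
    "sara":   {"auditor"},
}


def permissions(user: str) -> Set[str]:
    """A user's effective permissions: the union of their roles' permissions."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: str, permission: str) -> bool:
    """The access decision is made on the user's function, not their identity."""
    return permission in permissions(user)


def reassign(user: str, roles: Set[str]) -> Set[str]:
    """Turnover or job change: swap the user's roles; no object is touched."""
    unknown = roles - ROLE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    USER_ROLES[user] = set(roles)
    return permissions(user)


def add_role_permission(role: str, permission: str) -> int:
    """One administrative change; returns how many users gained the permission."""
    ROLE_PERMISSIONS[role].add(permission)
    return sum(1 for u, roles in USER_ROLES.items() if role in roles)


if __name__ == "__main__":
    print("umair before:", sorted(permissions("umair")))
    print("users affected by new accountant permission:",
          add_role_permission("accountant", "ledger:export"))
    print("umair moves to audit:", sorted(reassign("umair", {"auditor"})))
```

Contrast this with the DAC matrix: there, removing a leaver means visiting every object they were granted; here it is a single change to the user-to-role table, which is why the slide recommends RBAC for organisations with high turnover.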
• Access Control Techniques

• Access Control Techniques
  • Rule Based Access Control
  • Constrained User Interface
  • Content Dependent Access Control
  • Context Dependent Access Control

• Penetration Testing
  Muhammad Wajahat Rajab, ACE, CISSP (Associate), BS (TE)

• Introduction
  • Process of simulating attacks on Information Systems
    – At the request of the owner or senior management
  • Uses a set of procedures and tools designed to test the security controls of a system
  • Emulates the same methods attackers use

• Steps
  • Discovery
  • Enumeration
  • Vulnerability mapping
  • Exploitation
  • Report to management

• Step 1
  • Discovery
    – Gathering information about the target
    – Reconnaissance types
      • Passive
      • Active

• Step 2
  • Enumeration
    – Performing port scans and resource identification methods
    – Gaining specific information on the basis of information gathered during reconnaissance
    – Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on

• Step 3
  • Vulnerability Mapping
    – Identifying vulnerabilities in identified systems and resources
    – Based on these vulnerabilities, attacks are carried out

• Step 4
  • Exploitation
    – Attempting to gain unauthorized access by exploiting the vulnerabilities

• Step 5
  • Report to management
    – Delivering to management documentation of test findings along with suggested countermeasures

• Types
  • Zero knowledge
  • Partial knowledge
  • Full knowledge

• Questions

• Question 1
  • Which of the following refers to a series of characters used to verify a user's identity?
    A. Token serial number
    B. UserID
    C. Password
    D. Security ticket
• Question 2
  • Which type of access control allows owners to specify who can access their files?
    A. Discretionary
    B. Relational
    C. Mandatory
    D. Administrative
• Question 3
  • The three primary methods for authentication of a user to a system or network are?
    A. Passwords, Tokens, and Biometrics
    B. Authorization, Identification, and Tokens
    C. Passwords, Encryption, and Identification
    D. Identification, Encryption, and Authorization
• Thank You!