Information Assurance for the Enterprise

1. Chapter 6: Ensuring Controlled Access

2. Objectives
   - The fundamental principles of access control
   - How to structure and conduct the authorization process
   - Common access control models

3. Access Control
   - Access control – describes the regulation of interaction between subjects and objects within a given environment
     - The degree of regulation determines how comprehensive and robust the overall protection scheme will be
   - In information assurance:
     - Subjects are people or processes
     - Processes can be either managerial or technical
     - Objects can be anything appropriately accessed by a valid subject

4. Principles of Access Control
   - Implementing and managing the access control process can be a very complex activity
   - The access control process centers on three principles:
     - Identity – asserts and verifies the user's identity
     - Authority – authorizes user access privileges
     - Accountability – tracks user actions, analyzes them, and reports

5. Establishing Identity
   - The principle of identity is composed of two functions:
     - The identification function establishes the identity of every person or process that seeks access
     - The authentication function confirms that the asserted identity is valid
6. Passwords: Something You Know
   - The simplest and most economical means of identifying an individual
     - A password management system will consistently:
       - Allow legitimate users to register directly for access
       - Allow forgotten passwords to be authenticated and reset by the user
       - Allow IT support staff to authenticate callers for password management
       - Synchronize users across a range of platforms
       - Provide for immediate cancellation of passwords

7. Passwords: Something You Know
   - Problems with passwords
     - Memory
       - Human memory is limited in how many passwords it can retain
       - Writing them down is a serious violation of information assurance or security protocol
     - Usage vulnerabilities
       - Short passwords – easily compromised by brute force, guessed, or obtained through surreptitious means

8. Passwords: Something You Know
   - Single sign-on
     - Coordinates passwords across a range of platforms and applications

9. Passwords: Something You Know
   - One-time password
     - Shortens the period of use of the password
10. Token-Based Security: Something You Have
   - Tokens – identification and authorization devices presented at the time of access
     - Function similarly to a key and lock
   - The most frequently used authentication device is the smart card, or swipe card
     - An embedded semiconductor chip accepts, stores, and sends information
     - Keeps personal information with a high degree of security and portability
     - Provides secure enterprise-wide access control

11. Token-Based Security: Something You Have
   - Smart cards (continued):
     - Provide tamper-resistant storage and transport for critical data
     - Used in encryption systems, to store digital keys, and to create one-time passwords
   - Vulnerabilities associated with using smart cards:
     - Theft and loss of tokens
       - An unauthorized finder will be able to gain access under the legitimate user's authorizations

12. Biometrics: Something You Are
   - Biometrics – authentication using physical characteristics
   - The subject asserts identity by presenting a unique personal characteristic such as a fingerprint
     - Highly secure, because they confirm identity by means of physical characteristics that cannot be duplicated
     - Very effective, since physical characteristics may change slowly over time but are impossible to lose

13. Biometrics: Something You Are
   - Problems with biometric technology:
     - Still in its infancy
     - Can fail because of its dependency on advanced processing capabilities
     - In the identity process, possible failures include:
       - False positives, which allow unauthorized individuals to access system resources
       - False negatives, which deny authorized people access

14. Combining Approaches: Multifactor Authentication
   - Multifactor authentication – a combination of two or three different approaches to create a single access control function
     - It increases the level of security
       - Example: automatic teller machine (ATM)
15. Approaches for Establishing Identity in Cyberspace
   - Digital signatures: asserting identity using cryptography
     - Signatures are generated from the message itself by mathematical means
       - MD5 algorithm
       - Message digests
   - Digital certificates: utilizing trust infrastructures
     - Third-party confirmation that the message did indeed come from the entity it claims to have come from
     - Certification supported by Public Key Infrastructures (PKIs)
       - PKIs verify, enroll, and certify users
       - PKIs serve as the trusted third party

16. Approaches for Establishing Identity in Cyberspace
   - A digital certificate is a public document that contains:
     - Information that identifies a user
     - The user's encryption key
     - The validity period for the certificate, and other information
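Slides 15 and 16 describe three pieces working together: a signature computed mathematically from a message digest, a certificate that binds an identity, a key and a validity period, and a trusted third party that signs the certificate. The following added example (not the deck's code) models all three with textbook RSA on fixed Mersenne primes so the arithmetic is readable; the primes, the "Example CA" name, the JSON certificate layout and all function names are assumptions of this example, and SHA-256 stands in for the MD5 the slide names because MD5 collisions are cheap to produce.

```python
import hashlib
import json

# Toy RSA parameters. Mersenne primes keep the keys deterministic and small
# enough to read; real RSA uses random 2048-bit primes and pads the digest.
# Nothing here is production cryptography.
CA_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)
USER_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
PUBLIC_EXPONENT = 65537


def make_keypair(primes):
    p, q = primes
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))
    return (n, PUBLIC_EXPONENT), (n, d)       # (public key, private key)


def digest_int(data: bytes, n: int) -> int:
    """Message digest as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """The signature is derived from the message itself: the digest raised
    to the private exponent. Only the key holder can produce it."""
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature against a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, subject: str, subject_public, not_before: int, not_after: int) -> dict:
    """The trusted third party binds identity, key and validity period, then signs the binding."""
    body = {"issuer": "Example CA", "subject": subject,
            "public_key": list(subject_public),
            "not_before": not_before, "not_after": not_after}
    return {**body, "ca_signature": sign(ca_private, canonical(body))}


def verify_certificate(ca_public, cert: dict, now: int) -> bool:
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    if not verify(ca_public, canonical(body), cert["ca_signature"]):
        return False          # altered after issue, or not issued by this CA
    return cert["not_before"] <= now <= cert["not_after"]


def verify_signed_message(ca_public, cert: dict, message: bytes, signature: int, now: int) -> bool:
    """Two-step trust: the CA vouches for the certificate, and the certified
    key vouches for the message."""
    if not verify_certificate(ca_public, cert, now):
        return False
    return verify(tuple(cert["public_key"]), message, signature)


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(CA_PRIMES)
    alice_pub, alice_priv = make_keypair(USER_PRIMES)
    cert = issue_certificate(ca_priv, "alice@example.test", alice_pub, 1000, 2000)
    msg = b"transfer 100 to account 42"
    sig = sign(alice_priv, msg)
    print("valid:", verify_signed_message(ca_pub, cert, msg, sig, now=1500))
    print("tampered:", verify_signed_message(ca_pub, cert, msg + b"0", sig, now=1500))
```

The verifier never needs to have met the user: it trusts the CA's public key, and the certificate carries everything else the slide lists (identity, key, validity period). Changing any field of the certificate, or presenting it outside its validity period, makes the whole chain fail.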
17. Mutual Authentication: Ensuring Identity During Transmission
   - A process in which each side of an electronic communication verifies the authenticity of the other during message transmission
     - Ensures the integrity of the transmission process as well as of the message sent
     - Especially important when remote clients are attempting to assert their identity to servers

18. Mutual Authentication: Ensuring Identity During Transmission
   - Kerberos
     - Uses encryption so that a client can prove its identity to a server, which in turn can authenticate itself to the client, within a secure transaction

19. Mutual Authentication: Ensuring Identity During Transmission
   - Challenge Handshake Authentication Protocol (CHAP)
     - Provides authentication services across a point-to-point link running the Point-to-Point Protocol (PPP)
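The slides name CHAP but do not show the exchange, so here is an added example (not from the deck) of a CHAP-style challenge/response run in both directions, which is what makes it mutual: each side issues a fresh random challenge and the other proves knowledge of the shared secret without ever sending it. Real CHAP hashes identifier, secret and challenge with MD5 over PPP; this illustration uses HMAC-SHA256, and the `Peer` class, message layout and identifier numbers are assumptions of the example.

```python
import hashlib
import hmac
import os


class Peer:
    """One side of the handshake. Both peers hold the same shared secret and
    prove knowledge of it by answering each other's challenges."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret
        self._pending = {}   # challenge id -> random challenge we issued

    def challenge(self, ident: int) -> bytes:
        nonce = os.urandom(16)          # fresh each time, so old responses are useless
        self._pending[ident] = nonce
        return nonce

    def _response_for(self, ident: int, name: str, nonce: bytes) -> bytes:
        # The proof binds the identifier, the claimed name and the challenge to the secret.
        return hmac.new(self._secret, bytes([ident]) + name.encode() + nonce,
                        hashlib.sha256).digest()

    def respond(self, ident: int, nonce: bytes) -> tuple:
        """Answer a peer's challenge with (our name, proof)."""
        return self.name, self._response_for(ident, self.name, nonce)

    def verify(self, ident: int, peer_name: str, response: bytes) -> bool:
        nonce = self._pending.pop(ident, None)   # single use: a replayed response finds no challenge
        if nonce is None:
            return False
        expected = self._response_for(ident, peer_name, nonce)
        return hmac.compare_digest(expected, response)


def mutual_authenticate(client: Peer, server: Peer) -> bool:
    """Both directions of the handshake; each side verifies the other."""
    # 1. Server challenges client (the classic CHAP direction).
    c1 = server.challenge(1)
    name, proof = client.respond(1, c1)
    if not server.verify(1, name, proof):
        return False
    # 2. Client challenges server, so the client also learns it is talking to the real server.
    c2 = client.challenge(2)
    name, proof = server.respond(2, c2)
    return client.verify(2, name, proof)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print("genuine peers:", mutual_authenticate(Peer("client", secret), Peer("server", secret)))
    print("impostor server:", mutual_authenticate(Peer("client", secret), Peer("server", b"wrong")))
```

The second leg is the part that one-way CHAP lacks: without it a client will happily authenticate to anything that sends it a challenge, which is exactly the "remote clients asserting identity to servers" risk the slide singles out.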
20. Authorization: Controlling Access
   - Authorization asserts the specific rights to use the system that have been granted to a subject
     - Rights are referred to as permissions or privileges, and are based on the concept of "trust"
     - Trusted subjects are allowed access to specified objects
     - Security domain – a systematic point of reference on which the determination, assignment, and monitoring of access is based
       - Incorporates all related objects with common protection needs into a single manageable entity

21. Policy-Based Access Control
   - Access control list (ACL) – the most frequent example of policy-based access control

22. Discretionary Access Control (DAC)
   - Lets the owner of a file or physical object selectively grant or deny access to users
     - The most common model in large systems

23. Discretionary Access Control (DAC)
   - Role-based access control (RBAC) is a common form of discretionary access control
     - Involves the assignment of access permissions to objects that are associated with given roles

24. Discretionary Access Control (DAC)
   - Content-dependent access control
     - Used to control access to record-intensive applications such as databases
     - Capability-based system – access is granted if the user possesses a capability (ticket)
       - An Authorization Table Matrix (ATM) manages the assignment of access privileges
     - Advantage: achieves a greater level of granularity in the process, and it is both simple and intuitive
     - Disadvantage: machine-intensive; requires a very high level of computer performance

25. Discretionary Access Control (DAC)
   - Temporal access control – event driven and dynamic
     - Whether access is granted, and the type of access given, is determined by:
       - The time of day
       - The point of origin
       - How many times the individual identity has attempted to access the system
       - The number of password attempts
     - Advantage: allows anticipation of and protection from undesirable events
     - Disadvantage: the chain of events that leads to a given decision is not always predictable
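Slides 21 through 25 list ACLs, owner-controlled (discretionary) grants, roles and temporal conditions as separate ideas; in practice they are layered in one decision function. The following added example (not the deck's code) does exactly that: an owner grants entries on an ACL, subjects act under their own name and their roles, and a temporal layer limits writes by time of day and point of origin and locks out a subject after repeated denials. The object and subject names, the 08:00-18:00 write window, the three-failure limit and the `ReferenceMonitor` class are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class Request:
    subject: str
    obj: str
    action: str
    hour: int      # time of day, 0-23
    origin: str    # point of origin, e.g. "internal" or "external"


class ReferenceMonitor:
    """Every decision goes through `check` (completeness), the policy tables are
    private to this object (isolation), and the rules are few enough to be
    read and audited (verifiability)."""

    WRITE_HOURS = range(8, 18)   # writes only during the working day (assumed policy)
    MAX_FAILURES = 3             # lock out after this many denials (assumed policy)

    def __init__(self):
        self.acl = {}       # object -> {subject or role: set of actions}
        self.roles = {}     # subject -> set of roles (RBAC)
        self.failures = {}  # subject -> count of denied requests
        self.audit = []     # (subject, obj, action, decision, reason): the accountability record

    # --- administration: DAC, the owner decides who else gets in ---
    def create_object(self, obj: str, owner: str):
        self.acl[obj] = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, obj: str, grantee: str, actions):
        """Only a holder of 'grant' on the object (the owner, by default) may extend access."""
        if "grant" not in self.acl.get(obj, {}).get(granter, set()):
            raise PermissionError(f"{granter} may not grant access to {obj}")
        self.acl[obj].setdefault(grantee, set()).update(actions)

    def assign_role(self, subject: str, role: str):
        self.roles.setdefault(subject, set()).add(role)

    # --- the single choke point ---
    def check(self, req: Request):
        decision, reason = self._decide(req)
        if not decision:
            self.failures[req.subject] = self.failures.get(req.subject, 0) + 1
        self.audit.append((req.subject, req.obj, req.action, decision, reason))
        return decision, reason

    def _decide(self, req: Request):
        if self.failures.get(req.subject, 0) >= self.MAX_FAILURES:
            return False, "locked out after repeated denials"
        # A subject acts under its own name and under every role it holds.
        principals = {req.subject} | self.roles.get(req.subject, set())
        entries = self.acl.get(req.obj, {})
        if not any(req.action in entries.get(p, set()) for p in principals):
            return False, "no ACL entry grants this action"
        # Temporal rules: the same permission is valid only at some times and from some places.
        if req.action == "write" and req.hour not in self.WRITE_HOURS:
            return False, "writes allowed only between 08:00 and 18:00"
        if req.action == "write" and req.origin != "internal":
            return False, "writes allowed only from the internal network"
        return True, "permitted"


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.create_object("payroll.db", "alice")
    rm.assign_role("bob", "hr-analyst")
    rm.grant("alice", "payroll.db", "hr-analyst", {"read"})
    print(rm.check(Request("bob", "payroll.db", "read", 10, "internal")))
    print(rm.check(Request("alice", "payroll.db", "write", 22, "internal")))
    for entry in rm.audit:
        print(entry)
```

Note that the temporal layer can refuse a request the ACL would allow (the owner writing at 22:00), which is the "not always predictable" disadvantage slide 25 mentions: the reason string in the audit record is what lets an operator reconstruct why.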
26. Mandatory Access Control (MAC)
   - MAC restricts a subject's access to objects based on a set of security attributes
     - Used when policy dictates that:
       - Protection decisions must not be decided by the object owner
       - The system must enforce the protection decisions over the wishes or intentions of the object owner
     - Prevents arbitrary object sharing
     - Uses a specific set of policies or security rules to define the sharing of data within the organization

27. Mandatory Access Control (MAC)
   - Access is controlled automatically by the system using set criteria

28. Real-World Access Control: Automating the Process
   - A reference monitor implemented either operationally or within the operating system
   - Real-time and dynamic allocation of access privileges
     - The situation can involve internal and external processes and applications
     - Accesses must be managed securely in real time for the system to meet its required objectives
     - The system must be able to distinguish each individual identity instantly and correctly assign its rights
       - As well as determine what each can and cannot access

29. Real-World Access Control: Automating the Process
   - An automated identity management system requires five basic conditions:
     - Identity architecture – establishing the identity infrastructure
     - Privilege setting – establishing the rights of each identity
     - Identity reference – automating the process
       - The reference monitor involves three factors: completeness, isolation, and verifiability
     - Enforcement of privileges – guarding the door
     - Continuous maintenance – keeping the system current

30. Setting Up the System: Account Management
   - Account management is the day-to-day face of any automated access control system
     - Ensures that identity data are accurate and up to date
     - Ensures that the monitoring and enforcement system is operating as intended
     - Links user identities to specific applications, databases, and services
     - Built around three related processes:
       - Creation of new system access
       - Modification of system access
       - Termination of system access
31. Intrusion Detection: Backstopping Access Control
   - Access control is backstopped by intrusion detection
   - Information assurance has four general goals:
     - Preventive – avoid the occurrence
     - Detective – identify and characterize the occurrence
     - Corrective – remedy the circumstance
     - Compensating – provide an alternative control
   - Intrusion detection is a purely detective activity

32. Intrusion Detection Systems: Keeping the Perimeter Secure
   - Designed to sit on the perimeter and detect, characterize, and report on any suspicious attempts to access a protected space
     - Built around boundary sensors – a software utility located at the perimeter of the protected space that monitors traffic
       - The term commonly used to describe this utility is intrusion detection system (IDS)
       - Intrusion prevention systems (IPSs)

33. Types of Intrusion Detection: Automated versus Human Centered
   - Automated: when an instantaneous response is needed
   - Human-centered: when time allows for a more considered response
   - Two types of IDS:
     - Network-based IDS (NIDS) – detect attacks by capturing and analyzing network packets
     - Host-based IDS (HIDS) – operate on information collected and analyzed by an individual computer system

34. Common Network-Based IDS (NIDS)
   - Pattern-matching IDS
     - Scans incoming network packets for specific byte-sequence signatures stored in a database of known attacks
   - State-matching IDS
     - Scans for attack behaviors in the traffic stream itself rather than for the presence of an individual packet signature
   - Analysis engine methods
     - Use anomalous behavior as the basis for their response
       - Example: statistical anomaly-based IDS

35. Common Network-Based IDS (NIDS)
   - Protocol anomaly-based methods
     - Capable of using feedback from prior attempts to refine their approach
   - Traffic anomaly-based methods
     - Watch for unusual traffic activities suddenly appearing on the network

36. Common Network-Based IDS (NIDS)
   - Summary
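Slides 34 and 35 contrast signature (pattern-matching) detection with statistical and traffic anomaly detection. The added example below (not from the deck) runs both over the same constructed packet sample: the signature engine looks for known byte sequences inside payloads, while the anomaly engine never reads payloads at all and instead flags any source whose packet count sits far outside a baseline measured during quiet periods. The packets, the baseline counts, the two signatures and the z-score threshold of 3 are all assumptions of the example.

```python
import re
import statistics
from collections import Counter

# Constructed "packets" as (source address, payload); not captured traffic.
PACKETS = (
    [("10.0.0.5", b"GET /index.html HTTP/1.1"),
     ("10.0.0.5", b"GET /../../etc/passwd HTTP/1.1"),
     ("10.0.0.7", b"GET /login HTTP/1.1"),
     ("10.0.0.7", b"POST /login HTTP/1.1"),
     ("10.0.0.7", b"GET /account HTTP/1.1")]
    + [("10.0.0.9", f"GET /probe{i} HTTP/1.1".encode()) for i in range(40)]
)

# Constructed per-source packet counts observed during quiet periods; this is
# the statistical baseline of what "normal" looks like on the segment.
BASELINE_COUNTS = [3, 4, 5, 4, 3, 5, 4]

# Pattern-matching rules: byte-sequence signatures of requests known to be bad.
SIGNATURES = {
    "directory traversal": re.compile(rb"\.\./"),
    "embedded null byte": re.compile(rb"\x00"),
}


def pattern_match(packets):
    """Signature IDS: one alert per packet whose payload matches a known signature.
    Precise about what it finds, blind to anything not yet in the database."""
    alerts = []
    for src, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def traffic_anomaly(packets, baseline_counts, z_threshold=3.0):
    """Statistical / traffic anomaly IDS: flag sources whose packet count is more
    than z_threshold standard deviations above the baseline mean. Payloads are
    not inspected, so this catches behaviour no signature describes, at the
    cost of needing a trustworthy baseline."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.stdev(baseline_counts)
    cutoff = mean + z_threshold * stdev
    per_source = Counter(src for src, _ in packets)
    return {src: count for src, count in per_source.items() if count > cutoff}


if __name__ == "__main__":
    print("signature alerts:", pattern_match(PACKETS))
    print("anomalous sources:", traffic_anomaly(PACKETS, BASELINE_COUNTS))
```

Each engine misses what the other catches: the traversal attempt from 10.0.0.5 is a single normal-sized packet and invisible to the anomaly engine, while the burst from 10.0.0.9 matches no signature and is only visible as a count. That complementarity is why the slides list both families.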
37. Host-Based IDS (HIDS)
   - Work through the audit function and the monitoring of audit trails
     - An audit trail is a record of system activities, usually generated by the system
     - Types of events captured in an audit trail include:
       - Network connection event data
       - System-level event data
       - Application-level event data
       - User-level event data
       - Keystroke activity
     - The primary issue is the volume of data that must be examined for this understanding to be adequate

38. Security Assessments: Penetration Testing
   - "Pen" testing denotes activities undertaken to identify and exploit security vulnerabilities
     - Evaluates system security by attacking it
     - Aimed at the security conditions that are the most common targets of intruders
     - Types of pen tests include:
       - Zero-knowledge – the tester has no relevant information about the target
       - Partial-knowledge – the tester may have some information about the target
       - Full-knowledge – the tester has intimate knowledge of the target environment

39. Security Assessments: Penetration Testing
   - Pen-testing methods are based on four activities:
     - Discovery
     - Enumeration
     - Vulnerability mapping
     - User and privilege access
   - The resultant report can help to identify:
     - Vulnerabilities of the system
     - Gaps in security measures
     - IDS and intrusion response capability
     - Whether anyone is monitoring audit logs
     - How suspicious activity is reported
     - Potential countermeasures

40. Security Assessments: Penetration Testing
   - Various types of penetration-testing strategies include:
     - Application security testing
     - Denial of service (DoS) testing
     - War dialing
     - Wireless network penetration testing
     - Social engineering
   - Internal procedures focus on identifying anomalies in the internal IT environment and include:
     - Blind tests
     - Double-blind tests
     - Targeted tests
41. Common Access Control Models
   - Access control models enforce policies
     - Must be specifically designed to embody the organization's overall approach to security
     - Three types of models are in common use in the industry today:
       - Confidentiality/classification-based models – Bell-LaPadula
       - Integrity-based models – Biba
       - Transaction-based models – Clark-Wilson

42. Classification-Based Security Models: Bell-LaPadula
   - A framework that manages different classification levels, intended to limit disclosure of information between dissimilar levels
     - Known as a multilevel security system
     - Uses a hierarchical classification structure

43. Classification-Based Security Models: Bell-LaPadula
   - Bell-LaPadula
     - Employs both mandatory and discretionary access control mechanisms
       - Implements two security rules: "no read up" and "no write down"
     - Centers on a set of subjects along with data objects and their relative security levels
     - The classification level of the object and the access rights of the subject determine:
       - What data the subject is authorized to access
       - What they may legitimately do with it

44. Integrity-Based Security Models: Biba
   - A formal approach centered on ensuring the integrity of subjects and objects in a system
     - Primary objective: limit the modification of information, rather than its flow between levels

45. Integrity-Based Security Models: Biba
   - Biba operates on two simple rules:
     - A subject with a lower classification cannot write data to a higher classification
     - A subject with a higher classification cannot read data from a lower classification
   - The Biba model is called an information flow model
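The two rules of Bell-LaPadula (slide 43) and the two rules of Biba (slide 45) are easiest to compare when written over the same lattice of levels, because Biba is the mirror image of Bell-LaPadula: confidentiality lets information flow only upward, integrity lets it flow only downward. The added example below (not the deck's code) encodes both as decision functions over a four-level lattice and also shows what is left when a system enforces both at once. The level names and the `dominates`/`blp_allows`/`biba_allows` helper names are assumptions of the example.

```python
# Constructed lattice of classification levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def dominates(higher: str, lower: str) -> bool:
    """True when `higher` is at least as high in the lattice as `lower`."""
    return LEVELS[higher] >= LEVELS[lower]


def blp_allows(subject_level: str, object_level: str, action: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read:  simple security property, "no read up":   subject must dominate object
    write: *-property,               "no write down": object must dominate subject"""
    if action == "read":
        return dominates(subject_level, object_level)
    if action == "write":
        return dominates(object_level, subject_level)
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject_level: str, object_level: str, action: str) -> bool:
    """Biba (integrity), the mirror image on the same lattice.
    read:  simple integrity, "no read down": object must dominate subject
    write: *-integrity,      "no write up":  subject must dominate object"""
    if action == "read":
        return dominates(object_level, subject_level)
    if action == "write":
        return dominates(subject_level, object_level)
    raise ValueError(f"unknown action {action!r}")


def both_allow(subject_level: str, object_level: str, action: str) -> bool:
    """A system enforcing confidentiality and integrity on one lattice."""
    return (blp_allows(subject_level, object_level, action)
            and biba_allows(subject_level, object_level, action))


def decision_table(policy):
    """Full (subject, object, action) -> decision matrix for a policy, which
    makes the direction of permitted flow visible at a glance."""
    return {(s, o, a): policy(s, o, a)
            for s in LEVELS for o in LEVELS for a in ("read", "write")}


if __name__ == "__main__":
    for name, policy in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows), ("both", both_allow)):
        permitted = sum(decision_table(policy).values())
        print(f"{name}: {permitted} of 32 subject/object/action combinations permitted")
```

Running the table for `both_allow` shows the well-known consequence of stacking the two models on a single lattice: only same-level reads and writes survive, which is why real systems use separate confidentiality and integrity labels rather than one classification for both.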
46. Transaction-Based Security Models: Clark-Wilson
   - This model uses transactions as the basis for its access control decision making
     - Defines two levels of integrity:
       - Constrained data items (CDI) – the controlled assets
       - Unconstrained data items (UDI) – not deemed valuable enough to control
     - Defines two types of processes to control CDIs:
       - Integrity verification processes (IVP) – ensure that a CDI meets specified integrity constraints
       - Transformation processes (TP) – change the state of data from one valid state to another

47. Transaction-Based Security Models: Clark-Wilson
   - Validation of integrity is done to ensure that:
     - The data item being modified is valid
     - The results of the modification are valid
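Slides 46 and 47 give the vocabulary (CDI, UDI, IVP, TP) and the two validation points; the added example below (not the deck's code) puts them together on a small ledger. CDIs are reachable only through certified TPs, each TP is bound to the subjects allowed to run it, the IVPs run before and after every transformation, and a failed post-check rolls the state back. The ledger accounts, the conservation rule, the "clerk" subject and the class and function names are assumptions of the example.

```python
class IntegrityError(Exception):
    """Raised when a transformation is refused or would leave a CDI invalid."""


class ClarkWilsonSystem:
    """Enforcement core: CDIs change only through certified TPs, only by
    certified subjects, and only between IVP-validated states."""

    def __init__(self, cdis: dict):
        self._cdis = dict(cdis)    # constrained data items, private to the system
        self.udis = {}             # unconstrained data items: raw inputs, not yet trusted
        self._ivps = []            # integrity verification procedures: cdis -> bool
        self._tps = {}             # tp name -> (function, allowed subjects)
        self.log = []              # who ran what: the accountability record

    def register_ivp(self, ivp):
        self._ivps.append(ivp)

    def certify_tp(self, name: str, tp, allowed_subjects):
        self._tps[name] = (tp, set(allowed_subjects))

    def cdi(self, name: str):
        return self._cdis[name]

    def valid(self) -> bool:
        return all(ivp(self._cdis) for ivp in self._ivps)

    def run_tp(self, subject: str, name: str, **args):
        tp, allowed = self._tps.get(name, (None, set()))
        if tp is None or subject not in allowed:
            raise IntegrityError(f"{subject} is not certified to run {name}")
        if not self.valid():                       # slide 47: the item being modified is valid
            raise IntegrityError("CDIs are already invalid; refusing to transform")
        snapshot = dict(self._cdis)
        tp(self._cdis, **args)
        if not self.valid():                       # slide 47: the result of the modification is valid
            self._cdis = snapshot                  # a TP must map valid state to valid state
            raise IntegrityError(f"{name} would leave CDIs invalid; rolled back")
        self.log.append((subject, name, args))


# --- a small ledger as the worked domain (constructed) ----------------------
def balances_non_negative(cdis) -> bool:
    return all(v >= 0 for v in cdis.values())


def total_is_conserved(cdis, expected_total=1000) -> bool:
    # Moving value between accounts never creates or destroys it.
    return sum(cdis.values()) == expected_total


def record_payment(cdis, amount: int):
    cdis["cash"] += amount
    cdis["receivable"] -= amount


def build_ledger() -> ClarkWilsonSystem:
    system = ClarkWilsonSystem({"cash": 400, "receivable": 600})
    system.register_ivp(balances_non_negative)
    system.register_ivp(total_is_conserved)
    system.certify_tp("record_payment", record_payment, {"clerk"})
    return system


def ingest_payment(system: ClarkWilsonSystem, subject: str, raw: str):
    """A UDI (untrusted text) affects a CDI only through a TP that first validates it."""
    system.udis["last_input"] = raw
    try:
        amount = int(raw.strip())
    except ValueError as exc:
        raise IntegrityError(f"rejected unconstrained input {raw!r}") from exc
    system.run_tp(subject, "record_payment", amount=amount)


if __name__ == "__main__":
    ledger = build_ledger()
    ingest_payment(ledger, "clerk", " 250 ")
    print("cash", ledger.cdi("cash"), "receivable", ledger.cdi("receivable"))
    try:
        ingest_payment(ledger, "clerk", "900")
    except IntegrityError as err:
        print("refused:", err)
```

The point worth noticing is that no code path assigns to a CDI directly: even the clerk, who is certified for the payment TP, cannot produce a state the IVPs reject, and an uncertified subject cannot run the TP at all.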