2. Topics to be covered
Overview
Access control implementation
Types of access control
MAC & DAC
Orange Book
Authentication
Passwords
Biometrics
Tokens/SSO
Kerberos
Attacks/Vulnerabilities/Monitoring
IDS
Object reuse
TEMPEST
RAS access control
Penetration Testing
3. What is access control?
Access controls are the collection of mechanisms that
specify what users can do on the system, such as what
resources they can access and what operations they can
perform.
• The ability to allow only authorized users, programs or
processes system or resource access
• The granting or denying, according to a particular security
model, of certain permissions to access a resource
• An entire set of procedures performed by hardware,
software and administrators, to monitor access, identify
users requesting access, record access attempts, and grant
or deny access based on pre-established rules.
4. The Big Three
Confidentiality
An attack on confidentiality is when an entity, such as a
person, program, or computer, gains unauthorized access
to sensitive information.
Integrity
An attack on integrity occurs when an unauthorized entity
gains access and tampers with a system resource.
Another type of integrity attack occurs when an
unauthorized entity inserts objects into the system or
performs an unauthorized modification.
Availability
An attack on availability is when an asset on the system is
destroyed, rendered unavailable, or caused to be
unusable.
5. Access control Cont…
Authentication
Process through which one proves and verifies certain
information
Identification
Process through which one ascertains the identity of
another person or entity
Separation of Duties
A process is designed so that separate steps / operations
must be performed by different people.
Collusion is an agreement among two or more people to
commit fraud.
Least Privilege
A policy that limits both the system's users and processes
to access only those resources necessary to perform their
assigned functions.
6. How can AC be implemented?
Hardware
Software
• Application
• Protocol (Kerberos, IPSec…)
Physical
Logical (policies)
7. Access Control Protects
Data - Unauthorized viewing, modification or copying
System - Unauthorized use, modification or denial of
service
It should be noted that nearly every network operating
system (Win2K, NT, Unix, Vines, NetWare…) assumes a
secure physical infrastructure; its logical controls do
not hold against someone with physical access to the machine
Protection from Threats
Prepares for minimal Impact
Accountability
8. Proactive access control
Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures
9. Physical Control
Guards
Locks
Mantraps
ID badges
CCTV, sensors, alarms
Biometrics
Fences - the higher the voltage the better
Card-key and tokens
Guard dogs
10. Technical (Logical) Controls
Access control software, such as firewalls, proxy
servers
Anti-virus software
Passwords
Smart cards/biometrics/badge systems
Encryption
Dial-up callback systems
Audit trails
Intrusion detection systems (IDSs)
11. Administrative Control
Policies and procedures
Security awareness training
Separation of duties
Security reviews and audits
Rotation of duties
Procedures for recruiting and terminating employees
Security clearances
Background checks
Alert supervision
Performance evaluations
Mandatory vacation time
12. AC & privacy issues
Expectation of privacy
Policies
Monitoring activity, Internet usage, e-mail
Login banners should detail expectations of
privacy and state levels of monitoring
13. Types of Access Control
Mandatory (MAC)
Discretionary (DAC)
Lattice / Role Based / Task Based
Formal models:
Bell-La Padula - Focuses on the confidentiality of
classified information
Biba - Rules for the protection of Information Integrity
Take/Grant – A directed Graph to specify the rights that
a subject can transfer to, or take from, another subject
Clark/Wilson – The Integrity Model based on Well
Formed Transactions
14. Mandatory Access Control
Assigns sensitivity levels, AKA labels
Every object is given a sensitivity label & is accessible
only to users who are cleared up to that particular
level.
Only administrators, not object owners, may change
an object's label
Generally more secure than DAC
Orange book B-level
Used in systems where security is critical, i.e., military
Hard to program for and configure & implement
15. Mandatory Access Control Cont…
Downgrade in performance
Relies on the system to control access
Example: If a file is classified as confidential, MAC will
prevent anyone from writing secret or top secret
information into that file.
All output, i.e., print jobs, floppies, and other magnetic
media, must be labeled with its sensitivity level
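The lattice check behind slides 13 to 15, written out as an added example (not from the slides and not any product's implementation). It enforces the Bell-LaPadula read/write rules used in the "confidential file" example above, and Biba's dual rules over the same lattice. The level names, compartments, subjects and objects are constructed.

```python
# Added example, not from the slides: a lattice-based MAC reference monitor
# enforcing Bell-LaPadula (confidentiality) and Biba (integrity) rules.
# Labels are (level, compartments); level names, compartments and every
# subject/object below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice partial order: level >= other's level AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): clearances for subjects, classifications for objects.
    read : simple security property, no read up  (subject dominates object)
    write: *-property, no write down             (object dominates subject)"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    if op == "readwrite":  # both directions: only when the labels are equal
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: the dual of BLP over the same lattice machinery.
    read : no read down  (object's integrity dominates subject's)
    write: no write up   (subject's integrity dominates object's)"""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    if op == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def decide(policy, subject: Label, obj: Label, op: str) -> str:
    """The reference monitor's answer: the policy decides, never the object owner."""
    return "ALLOW" if policy(subject, obj, op) else "DENY"


if __name__ == "__main__":
    # Slide 15's example: a SECRET-cleared user may not write into a CONFIDENTIAL file.
    user = Label("SECRET", frozenset({"CRYPTO"}))
    conf_file, ts_file = Label("CONFIDENTIAL"), Label("TOP SECRET", frozenset({"CRYPTO"}))
    for obj, op in [(conf_file, "read"), (conf_file, "write"), (ts_file, "read"), (ts_file, "write")]:
        print(f"BLP  {user.level:12} {op:5} {obj.level:12}: {decide(blp_allows, user, obj, op)}")
    # Biba with the lattice read as integrity levels: high-integrity code must not consume low-integrity input.
    print("Biba HIGH reads LOW:", decide(biba_allows, Label("SECRET"), Label("UNCLASSIFIED"), "read"))
```

Compartments are what make this a lattice rather than a line: a SECRET subject without the CRYPTO compartment cannot read a SECRET/CRYPTO object even though the levels match.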
16. Discretionary Access Control
Access is restricted based on the
authorization granted to the user
Orange book C-level
Prime use to separate and protect users from
unauthorized data
Used by Unix, NT, NetWare, Linux, Vines,
etc.
Relies on the object owner to control access
17. Access control lists (ACL)
A file used by the access control system to
determine who may access what programs
and files, in what method and at what time
Different operating systems have different
ACL terms
Types of access:
Read/Write/Create/Execute/Modify/Delete/Rename
18. Standard UNIX file permissions

Permission    If the object is a file          If the object is a directory
R (read)      Read the contents of the file    List the contents of the directory
X (execute)   Execute the file as a program    Search (traverse) the directory
W (write)     Change the file contents         Add, rename and create files and subdirectories
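The decision the table above describes, as an added example (not from the slides): a DAC check for one subject against one inode, including the class-selection rule that trips people up, namely that exactly one of owner/group/other applies, so an owner with an empty owner class is refused even when the group class would allow the access. The uids, gids and modes are constructed; the directory rules assume Unix semantics where creating, renaming or deleting an entry needs write plus search on the directory.

```python
# Added example, not from the slides: classic Unix DAC for one subject and
# one inode. Users, groups and modes below are constructed for illustration.
import os
import stat
import tempfile
from typing import Iterable

R, W, X = 4, 2, 1
FILE_ACTIONS = {"read": R, "write": W, "execute": X}
# Directory semantics: r lists names, x searches (traverses), and changing the
# directory's entries needs w plus x (the name lookup is a search).
DIR_ACTIONS = {"list": R, "search": X, "create": W | X, "rename": W | X, "delete": W | X}


def class_bits(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Iterable[int]) -> int:
    """Exactly one permission class is consulted: owner, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in set(gids):
        return (mode >> 3) & 7
    return mode & 7


def unix_allows(mode: int, is_dir: bool, owner_uid: int, owner_gid: int,
                uid: int, gids: Iterable[int], action: str) -> bool:
    needed = (DIR_ACTIONS if is_dir else FILE_ACTIONS)[action]
    if uid == 0:
        # root bypasses r/w checks; executing a file still needs some x bit set
        if not is_dir and needed & X and not (mode & 0o111):
            return False
        return True
    return class_bits(mode, owner_uid, owner_gid, uid, gids) & needed == needed


def allows_on_path(path: str, uid: int, gids: Iterable[int], action: str) -> bool:
    """The same check driven by a real inode's st_mode / st_uid / st_gid."""
    st = os.stat(path)
    return unix_allows(stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode),
                       st.st_uid, st.st_gid, uid, gids, action)


if __name__ == "__main__":
    # file owned by uid 1000 / gid 100, mode 0640: group members read, others nothing
    print(unix_allows(0o640, False, 1000, 100, 1001, [100], "read"))
    print(unix_allows(0o640, False, 1000, 100, 1002, [200], "read"))
    # mode 0060: the owner is in group 100 but gets the (empty) owner class
    print(unix_allows(0o060, False, 1000, 100, 1000, [100], "read"))
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)
        print(allows_on_path(d, os.getuid(), os.getgroups(), "create"))
```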
19. Standard NT file permissions

Permission    If the object is a file   If the object is a directory
No access     None                      None
List          N/A                       RX
Read          RX                        RX
Add           N/A                       WX
Add & Read    N/A                       RWX
Change        RWXD                      RWXD
Full Control  All                       All

R - Read   X - Execute   W - Write   D - Delete
20. MAC vs. DAC
Discretionary Access Control
You decide how you want to protect and
share your data
Mandatory Access Control
The system decides how the data will be
shared
21. Problems with formal models
Based on a static infrastructure
Assume defined and succinct policies
These do not work well in corporate systems, which
are extremely dynamic and constantly changing
None of the formal models deals with:
Viruses/active content
Trojan horses
Firewalls
Limited documentation on how to build these
systems
22. Orange Book
DoD Trusted Computer System Evaluation
Criteria, DoD 5200.28-STD, 1983
Provides the information needed to classify
systems (A,B,C,D), defining the degree of
trust that may be placed in them
For stand-alone systems only
Windows NT ships a C2 configuration utility; reaching
the evaluated configuration involves many changes,
including disabling networking
23. Orange book levels
A - Verified protection
A1
B - MAC
B1/B2/B3
C - DAC
C1/C2
D - Minimal security. Systems that have
been evaluated, but failed
24. The Orange Book Limitations
Based on an old model, Bell-La Padula
Stand alone, no way to network systems
Systems take a long time (1-2 years) to certify
Any changes (hot fixes, service packs, patches)
break the certification
Has not adapted to changes in client-server
and corporate computing
Certification is expensive
For the most part, not used outside of the
government sector
25. Red Book
Used to extend the Orange Book to networks
Actually two works:
Trusted Network Interpretation of the TCSEC
(NCSC-TG-005)
Trusted Network Interpretation Environments
Guideline: Guidance for Applying the Trusted
Network Interpretation (NCSC-TG-011)
26. Authentication
Three Types of Authentication:
Something you know - Password, PIN,
mother’s maiden name, passphrase…
Something you have - ATM card, smart card,
token, key, ID Badge, driver license,
passport…
Something you are - Fingerprint, voice scan,
iris scan, retina scan, DNA…
27. Multi-factor authentication
2-factor authentication. To increase the level
of security, many systems will require a user
to provide 2 of the 3 types of authentication.
ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT
default) is the common baseline, but it is really
single-factor: the username only identifies, and
only the password is something you know
3-factor authentication -- for the highest security,
all three types together, e.g. smart card + PIN + fingerprint
Username + Password + Fingerprint counts as two
factors (know + are); Username + Passcode + SecurID
token is also two (know + have)
28. Problems with passwords
Insecure - Given the choice, people will choose easily
remembered and hence easily guessed passwords
such as names of relatives, pets, phone numbers,
birthdays, hobbies, etc.
Easily broken - Programs such as crack, SmartPass,
PWDUMP, NTCrack & l0phtcrack can easily recover
Unix, NetWare & NT passwords. The stored values are
hashes rather than encrypted passwords: the tools guess
candidates, hash them and compare, so the speed of the
hash and the quality of the password decide the outcome.
Dictionary attacks are only feasible because users
choose easily guessed passwords!
Inconvenient - In an attempt to improve security,
organizations often issue users with computer-
generated passwords that are difficult, if not impossible,
to remember
Repudiable - Unlike a written signature, when a
transaction is signed with only a password, there is no
real proof as to the identity of the individual that made
the transaction
29. Classic password rules
The best passwords are those that are both easy to
remember and hard to crack using a dictionary
attack. The best way to create passwords that fulfill
both criteria is to use two small unrelated words or
phonemes, ideally with a special character or
number. Good examples would be hex7goop or
-typetin (by today's standards eight characters is too
short against offline cracking; the principle of
unrelated components still holds)
Don't use:
common names, DOB, spouse, phone #, etc.
words found in dictionaries
"password" as a password
system defaults
30. Password management
Configure the system to require strong passwords
Set password age and length limits
Limit unsuccessful logins
Limit concurrent connections
Enable auditing
Have policies for password resets and
changes
Show last login dates in banners
31. Password Attacks
Dictionary
Crack
John the Ripper
Brute force
l0phtcrack
Hybrid Attack
Dictionary and Brute Force
Trojan horse login program
Password sending Trojans
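An added example (not from the slides, and not the code of any of the tools named on them) that runs the three attack styles listed above, dictionary, hybrid (dictionary words with mangling rules) and short brute force, against a constructed shadow file. Salted SHA-256 stands in for crypt(3) or NT hashes; the accounts, salts, passwords and wordlist are all made up for the demonstration. It illustrates the point of slide 28: the tools never decrypt anything, they guess and compare.

```python
# Added example, not from the slides: dictionary, hybrid and brute-force
# password cracking against a constructed shadow file. Salted SHA-256 stands
# in for crypt(3)/NT hashes; accounts, salts, passwords and wordlist are made up.
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Tuple

LEET = str.maketrans("aeio", "4310")   # one leet-speak rule: a->4 e->3 i->1 o->0


def hash_pw(salt: str, candidate: str) -> str:
    return hashlib.sha256((salt + candidate).encode()).hexdigest()


# Constructed shadow entries: user -> (salt, hash). An attacker holds only the
# right-hand side; the plaintexts appear here solely to build the demo data.
SHADOW: Dict[str, Tuple[str, str]] = {
    "alice": ("x9", hash_pw("x9", "Fluffy7")),      # pet name + digit: hybrid rule
    "bob":   ("q2", hash_pw("q2", "p4ssw0rd")),     # leet-speak of a dictionary word
    "carol": ("m4", hash_pw("m4", "zq")),           # trivially short: brute force
    "dave":  ("k1", hash_pw("k1", "correct horse battery staple 42!")),  # survives
}
WORDLIST = ["password", "fluffy", "letmein", "secret", "qwerty"]


def mangle(word: str) -> Iterator[str]:
    """Hybrid rules for one dictionary word (a tiny subset of Crack/John rules)."""
    bases = {word, word.capitalize(), word.upper(), word[::-1],
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in bases:
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"


def brute_force(alphabet: str, max_len: int) -> Iterator[str]:
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(shadow: Dict[str, Tuple[str, str]], wordlist: Iterable[str],
          brute_alphabet: str = string.ascii_lowercase, brute_len: int = 3) -> Dict[str, str]:
    """Dictionary + hybrid first, then short brute force, against every uncracked
    hash. Each candidate must be hashed once per distinct salt, which is exactly
    why per-user salts slow the attacker down."""
    found: Dict[str, str] = {}
    pending = dict(shadow)

    def try_candidate(cand: str) -> None:
        for user, (salt, digest) in list(pending.items()):
            if hash_pw(salt, cand) == digest:
                found[user] = cand
                del pending[user]

    for word in wordlist:
        for cand in mangle(word):
            try_candidate(cand)
            if not pending:
                return found
    for cand in brute_force(brute_alphabet, brute_len):
        try_candidate(cand)
        if not pending:
            break
    return found


if __name__ == "__main__":
    cracked = crack(SHADOW, WORDLIST)
    for user, pw in cracked.items():
        print(f"{user}: {pw}")
    print("not cracked:", sorted(set(SHADOW) - set(cracked)))
```

Dave's passphrase survives not because it contains symbols but because it is long and outside both the wordlist and the brute-force space; that is the lesson to take from slide 29.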
32. Biometrics
Authenticating a user via human
characteristics
Using measurable physical characteristics of
a person to prove their identification
Fingerprint
signature dynamics
Iris
retina
voice
face
DNA, blood
33. Advantages of fingerprint-based
biometrics
Can’t be lent like a physical key or token and
can’t be forgotten like a password
Good compromise between ease of use,
template size, cost and accuracy
Fingerprint contains enough inherent variability to
enable unique identification even in very large
(millions of records) databases
Basically lasts forever -- or at least until
amputation or dismemberment
Makes network login & authentication effortless
34. Biometric Disadvantages
Still relatively expensive per user
Companies & products are often new &
immature
No common API or other standard
Some hesitancy for user acceptance
35. Biometric privacy issues
Tracking and surveillance - Ultimately, the
ability to track a person's movement from hour
to hour
Anonymity - Biometric links to databases
could dissolve much of our anonymity when
we travel and access services
Profiling - Compilation of transaction data
about a particular person that creates a
picture of that person's travels, preferences,
affiliations or beliefs
36. Practical biometric applications
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security, welfare,
etc.)
Verifying identities at point of sale
Using in conjunction with ATM , credit or smart cards
Controlling physical access to office buildings or homes
Protecting personal property
Preventing kidnapping in schools, play areas, etc.
Protecting children from fatal gun accidents
Voting/passports/visas & immigration
41. Single sign-on
User has one password for all enterprise
systems and applications
That way, one strong password can be
remembered and used
All of a user's accounts can be quickly created
on hire and deleted on dismissal
Hard to implement and get working
Kerberos, CA-Unicenter, Memco Proxima,
IntelliSoft SnareWorks, Tivoli Global Sign-On,
X.509
42. Kerberos
Part of MIT’s Project Athena
Kerberos is an authentication protocol
used for network wide authentication
All software must be kerberized
Tickets, authenticators, key distribution
center (KDC)
Divided into realms
Kerberos is the three-headed dog that
guards the entrance to Hades (this won’t
be on the test)
43. Kerberos Roles
KDC divided into Authentication Server &
Ticket Granting Server (TGS)
Authentication Server - authenticates the
identities of entities on the network
TGS - Generates unique session keys
between two parties. Parties then use these
session keys for message encryption
44. Kerberos Authentication
User must have an account on the KDC
KDC must be a trusted server in a
secured location
Shares a DES key (derived from the user's
password) with each user
When a user wants to access a host or
application, they request a ticket from the
KDC via klogin & generate an
authenticator that validates the ticket
User provides ticket and authenticator to
the application, which processes them for
validity and will then grant access.
45. Problems with Kerberos
Each piece of software must be kerberized
Requires synchronized time clocks (authenticators
carry a timestamp and are rejected outside the
allowed clock skew, five minutes by default)
Relies on UDP, which is often blocked by
many firewalls
Kerberos v4 binds tickets to a single network
address for a host. Hosts with multiple NICs
will have problems using tickets
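The exchanges of slides 43 to 45 end to end, as an added example (not from the slides and not MIT's code): the AS hands out a TGT, the TGS issues a service ticket, the kerberized service checks ticket and authenticator, and both the TGS and the service enforce the clock-skew window and a replay cache, which is why the clock requirement on slide 45 exists. A toy encrypt-then-MAC built from SHA-256 and HMAC stands in for DES; the principal names, passwords, lifetimes and the `string2key` stand-in are assumptions.

```python
# Added example, not from the slides: Kerberos AS, TGS and AP exchanges with
# tickets, authenticators, the AS/TGS split, clock-skew and replay checks.
# A toy encrypt-then-MAC (SHA-256 keystream + HMAC) stands in for DES; the
# principal names, passwords and lifetimes are constructed.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

SKEW = 300   # tolerated clock skew in seconds (why clocks must be synchronised)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: Dict) -> bytes:
    """Toy authenticated encryption: nonce || (plaintext XOR keystream) || HMAC tag."""
    pt = json.dumps(msg).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string2key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # stands in for Kerberos string2key

def check_authenticator(sk_hex: str, auth_blob: bytes, client: str, replay: set, now: int) -> None:
    """Must open under the ticket's session key, name the ticket's client, be fresh, and be new."""
    auth = unseal(bytes.fromhex(sk_hex), auth_blob)
    if auth["client"] != client:
        raise PermissionError("authenticator client does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("clock skew too great")
    digest = hashlib.sha256(auth_blob).hexdigest()
    if digest in replay:
        raise PermissionError("replayed authenticator")
    replay.add(digest)

class KDC:
    """Authentication Server and Ticket Granting Server over one key database."""
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys          # principal -> long-term key; "krbtgt" is the TGS key
        self.replay: set = set()
    def as_exchange(self, client: str, now: int) -> Tuple[bytes, bytes]:
        sk = secrets.token_hex(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": now + 8 * 3600})
        return seal(self.keys[client], {"sk": sk}), tgt   # only the right password opens part 1
    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: int) -> Tuple[bytes, bytes]:
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        check_authenticator(t["sk"], auth, t["client"], self.replay, now)
        sk2 = secrets.token_hex(32)
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk2, "exp": now + 8 * 3600})
        return seal(bytes.fromhex(t["sk"]), {"sk": sk2, "service": service}), ticket

class Service:
    """A kerberized server never contacts the KDC: ticket plus authenticator suffice."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.replay = name, key, set()
    def ap_exchange(self, ticket: bytes, auth: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise PermissionError("ticket expired")
        check_authenticator(t["sk"], auth, t["client"], self.replay, now)
        return t["client"]

def client_login(kdc: KDC, svc: Service, user: str, password: str, now: int) -> Tuple[str, bytes, bytes]:
    enc, tgt = kdc.as_exchange(user, now)
    sk = unseal(string2key(password), enc)["sk"]          # a wrong password fails here
    auth = seal(bytes.fromhex(sk), {"client": user, "ts": now})
    enc2, ticket = kdc.tgs_exchange(tgt, auth, svc.name, now)
    sk2 = unseal(bytes.fromhex(sk), enc2)["sk"]
    auth2 = seal(bytes.fromhex(sk2), {"client": user, "ts": now})
    return svc.ap_exchange(ticket, auth2, now), ticket, auth2

def demo(now: int = 1_000_000) -> Dict[str, bool]:
    kdc = KDC({"alice": string2key("hunter2"), "krbtgt": secrets.token_bytes(32),
               "http/web": secrets.token_bytes(32)})
    web = Service("http/web", kdc.keys["http/web"])
    who, ticket, auth2 = client_login(kdc, web, "alice", "hunter2", now)
    sk2 = unseal(web.key, ticket)["sk"]   # the demo peeks with the service key to forge a stale authenticator
    stale = seal(bytes.fromhex(sk2), {"client": "alice", "ts": now - 2 * SKEW})
    results = {"login_ok": who == "alice"}
    for name, attempt in [("replay_rejected", lambda: web.ap_exchange(ticket, auth2, now)),
                          ("wrong_password_rejected", lambda: client_login(kdc, web, "alice", "guess", now)),
                          ("skew_rejected", lambda: web.ap_exchange(ticket, stale, now))]:
        try:
            attempt()
            results[name] = False
        except PermissionError:
            results[name] = True
    return results

if __name__ == "__main__":
    print(demo())
```

Note what the v4 address binding from slide 45 would add: a client address inside the ticket that the service compares against the peer address, which is exactly what breaks on multi-homed hosts.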
46. Attacks
Passive attack - Monitor network traffic and then
use data obtained or perform a replay attack.
Hard to detect
Active attack - Attacker is actively trying to break-
in.
Exploit system vulnerabilities
Spoofing
Crypto attacks
Denial of service (DoS) - Not so much an attempt
to gain access, rather to prevent system operation
Smurf, SYN Flood, Ping of death
Mail bombs
48. Monitoring
IDS
Network based and Host Based (Signature and Anomaly
Detection)
Logs
System Logs and Audit Logs
Audit trails
Network tools
Network Monitor (Sniffers and SNMP Based Tools)
Tivoli
Spectrum
OpenView
49. Intrusion Detection Systems
IDS monitors system or network for attacks
IDS engine has a library and set of signatures
that identify an attack
Adds defense in depth
Should be used in conjunction with a system
scanner (CyberCop, ISS S3) for maximum
security
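The two detection styles named on slide 48, run over sample log lines as an added example (not from the slides and not any IDS product's engine): a signature rule for a burst of failed logins from one source followed by a success from that source, and an anomaly rule that flags a successful login for a user/source pair never seen in a quiet-time baseline. Every log line, host name and address is constructed; the sshd message format is the real one, the thresholds are assumptions.

```python
# Added example, not from the slides: a host-based IDS pass over sshd-style
# log lines combining signature and anomaly detection. All lines, hosts and
# addresses are constructed; thresholds are assumptions.
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

LINE = re.compile(r"^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
                  r"(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
WINDOW, THRESHOLD, FOLLOW_UP = 60, 5, 300   # burst window (s), failures in window, success window (s)

BASELINE = [  # constructed quiet-period log used to learn normal user/source pairs
    "Mar  2 09:00:01 gw sshd[100]: Accepted password for alice from 192.0.2.10 port 5000 ssh2",
    "Mar  2 09:05:11 gw sshd[101]: Accepted publickey for bob from 192.0.2.11 port 5001 ssh2",
]
LIVE = [  # constructed live log: a brute-force burst, a success from the attacker, and benign traffic
    "Mar  3 10:00:00 gw sshd[200]: Accepted password for alice from 192.0.2.10 port 5100 ssh2",
    "Mar  3 10:01:00 gw sshd[201]: Failed password for root from 198.51.100.7 port 4000 ssh2",
    "Mar  3 10:01:04 gw sshd[202]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "Mar  3 10:01:08 gw sshd[203]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2",
    "Mar  3 10:01:12 gw sshd[204]: Failed password for root from 198.51.100.7 port 4003 ssh2",
    "Mar  3 10:01:16 gw sshd[205]: Failed password for root from 198.51.100.7 port 4004 ssh2",
    "Mar  3 10:01:25 gw sshd[206]: Accepted password for root from 198.51.100.7 port 4005 ssh2",
    "Mar  3 10:30:00 gw sshd[207]: Failed password for bob from 192.0.2.11 port 5200 ssh2",
    "Mar  3 10:30:05 gw sshd[208]: Accepted publickey for bob from 192.0.2.11 port 5201 ssh2",
    "Mar  3 10:31:00 gw sshd[209]: pam_unix(sshd:session): session opened for user bob",
]


def parse(line: str) -> Optional[Tuple[int, str, str, str]]:
    """(seconds, outcome, user, source) for login lines, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, outcome, user, src = m.groups()
    # syslog timestamps carry no year; a fixed 31-day month is enough for ordering within one year
    secs = (MONTHS[mon] * 31 + int(day)) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)
    return secs, outcome, user, src


def learn_baseline(lines: List[str]) -> Set[Tuple[str, str]]:
    """Anomaly model: the (user, source) pairs that log in successfully during normal operation."""
    seen = set()
    for p in map(parse, lines):
        if p and p[1] == "Accepted":
            seen.add((p[2], p[3]))
    return seen


def analyze(lines: List[str], baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, Deque[int]] = defaultdict(deque)   # source -> failure times in window
    bursted: Dict[str, int] = {}                            # source -> time its burst alert fired
    for p in map(parse, lines):
        if p is None:
            continue
        t, outcome, user, src = p
        if outcome == "Failed":
            q = failures[src]
            q.append(t)
            while t - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and src not in bursted:   # signature: brute force, alert once
                bursted[src] = t
                alerts.append(("signature", "brute-force", src))
            continue
        if src in bursted and t - bursted[src] <= FOLLOW_UP:   # signature: the guessing worked
            alerts.append(("signature", "success-after-brute-force", f"{user}@{src}"))
        if (user, src) not in baseline:                          # anomaly: never seen this pair
            alerts.append(("anomaly", "new-user-source-pair", f"{user}@{src}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LIVE, learn_baseline(BASELINE)):
        print(alert)
```

Bob's single failure at 10:30 produces nothing, and his later key login matches the baseline; root's success from 198.51.100.7 is caught twice, once by each method, which is the defense-in-depth point of slide 49.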
50. Object reuse
Must ensure that magnetic media do not retain
any remanence of previous data
Also applies to buffers, cache and other memory
allocation
Required from TCSEC C2 upward (C2 introduces the
object reuse requirement; B2/B3/A1 keep it)
"Secure Deletion of Data from Magnetic and Solid-
State Memory" (Peter Gutmann, 1996)
Documents recently declassified
Objects must be declassified
Magnetic media must be degaussed or have
secure overwrites
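The two object-reuse cases above, a secure overwrite of a file before it is unlinked and zeroisation of a secret held in memory, as an added example (not from the slides and not Gutmann's tool). The file content and path are constructed. The caveat a practitioner needs: an in-place overwrite only helps where the filesystem rewrites the same blocks; journaling or copy-on-write filesystems and SSD wear levelling may leave the old data elsewhere, which is why degaussing, physical destruction or encrypting the media and destroying the key remain the answer for media that leave your control.

```python
# Added example, not from the slides: object-reuse hygiene for a file (overwrite
# passes with fsync, then unlink) and for an in-memory secret (zeroise a
# bytearray in place). File content and path are constructed for the demo.
import ctypes
import os
import secrets
import tempfile
from typing import Dict


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite the file in place: random data for passes-1 rounds, zeros last,
    fsync after every pass so the data reaches the device. Returns the size.
    Only meaningful where the filesystem rewrites blocks in place (not CoW/SSD)."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:          # unbuffered: our writes, our fsyncs
        for i in range(passes):
            f.seek(0)
            pattern = secrets.token_bytes(size) if i < passes - 1 else b"\x00" * size
            view = memoryview(pattern)
            while view:                                   # raw writes may be short
                n = f.write(view)
                if not n:
                    raise IOError("write returned 0 bytes")
                view = view[n:]
            os.fsync(f.fileno())
    return size


def zeroize(buf: bytearray) -> None:
    """Clear a secret held in a mutable buffer. Immutable bytes/str cannot be
    wiped; their copies linger until the allocator happens to reuse them."""
    ctypes.memset((ctypes.c_char * len(buf)).from_buffer(buf), 0, len(buf))


def demo() -> Dict[str, bool]:
    secret = bytearray(b"k3y-material-that-must-not-leak")
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path)
    with open(path, "rb") as f:
        zeroed_on_disk = f.read() == b"\x00" * len(secret)
    os.unlink(path)
    zeroize(secret)
    return {"file_zeroed_before_unlink": zeroed_on_disk,
            "file_gone": not os.path.exists(path),
            "buffer_zeroed": secret == b"\x00" * len(secret)}


if __name__ == "__main__":
    print(demo())
```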
51. TEMPEST
Electromagnetic emanations from keyboards,
cables, printers, modems, monitors and all
electronic equipment. With appropriate and
sophisticated enough equipment, data can be
readable at a few hundred yards.
TEMPEST certified equipment, which encases the
hardware into a tight, metal construct, shields the
electromagnetic emanations
WANG Federal is the leading provider of TEMPEST
hardware
TEMPEST hardware is extremely expensive and
can only be serviced by certified technicians
Rooms & buildings can be TEMPEST-certified
TEMPEST standards NACSEM 5100A and NACSI 5004
are classified documents
52. Banners
Banners display at login or connection stating
that the system is for the exclusive use of
authorized users and that their activity may be
monitored
Not foolproof, but a good start, especially from
a legal perspective
Make sure that the banner does not reveal
system information, i.e., OS, version,
hardware, etc.
53. RAS access control
RADIUS (Remote Authentication Dial-In User
Service) - client/server protocol & software that
enables a RAS to communicate with a central
server to authenticate dial-in users & authorize
their access to requested systems. Note that RADIUS
only hides the User-Password attribute (with an MD5
keystream derived from the shared secret); the rest of
the packet is cleartext
TACACS/TACACS+ (Terminal Access Controller
Access Control System) - Authentication protocol
that allows a RAS to forward a user's logon
password to an authentication server. TACACS is
an unencrypted protocol and therefore less
secure than the later TACACS+ (which encrypts the
whole packet body) and RADIUS protocols. A later
version of TACACS is XTACACS (Extended TACACS).
May 1997 - TACACS and XTACACS are
considered Cisco End-of-Maintenance
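How RADIUS hides the dial-in user's password on the wire, as an added example (not from the slides and not any RADIUS server's code): the User-Password construction of RFC 2865 section 5.2, its inverse, and the offline attack it invites, since anyone who captures one Access-Request can test shared-secret guesses at leisure and recognise the right one by a printable result. The secret, Request Authenticator, password and guess list are constructed.

```python
# Added example, not from the slides: RFC 2865 section 5.2 User-Password
# hiding (MD5 keystream chained from the shared secret and the 16-byte
# Request Authenticator), its inverse, and an offline secret-guessing attack
# against one captured Access-Request. All values below are constructed.
import hashlib
import secrets
from typing import Iterable, Iterator, Optional


def _chunks(data: bytes) -> Iterator[bytes]:
    for i in range(0, len(data), 16):
        yield data[i:i + 16]


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}); password NUL-padded to 16n."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for p in _chunks(padded):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p, b))
        out += c
        prev = c
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for c in _chunks(hidden):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c                      # the chain runs over ciphertext, so decryption needs no state
    return out.rstrip(b"\x00")


def guess_secret(authenticator: bytes, hidden: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack on a sniffed Access-Request: a wrong secret yields random
    bytes, the right one yields a printable password followed by NUL padding."""
    for s in candidates:
        raw = unhide_password(s, authenticator, hidden)
        if raw and all(32 <= ch < 127 for ch in raw):
            return s
    return None


if __name__ == "__main__":
    secret, ra, pw = b"s3cret", secrets.token_bytes(16), b"hunter2"
    hidden = hide_password(secret, ra, pw)
    print(hidden.hex(), unhide_password(secret, ra, hidden))
    print("guessed shared secret:", guess_secret(ra, hidden, [b"password", b"cisco", b"s3cret"]))
```

There is no per-session key and nothing ties the keystream to anything but the shared secret, so the strength of that one static secret is the whole protection; the same weakness applies to TACACS+'s body encryption, which is also an MD5 keystream under a shared key.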
54. Penetration Testing
Basically Measuring the Security of Your Network by Breaking
Into it
Identifies weaknesses in Internet, Intranet, Extranet, and RAS
technologies
Discovery and footprint analysis
Exploitation
Physical Security Assessment
Social Engineering
Attempt to identify vulnerabilities and gain access to critical
systems within organization
Identifies and recommends corrective action for the systemic
problems which may help propagate these vulnerabilities
throughout an organization
Assessments allow the client to demonstrate the need for
additional security resources, by translating existing
vulnerabilities into real-life business risks
55. Rule of least privilege
One of the most fundamental principles of infosec
States that: Any object (user, administrator, program,
system) should have only the least privileges the
object needs to perform its assigned task, and no
more.
An AC system that grants users only those rights
necessary for them to perform their work
Limits exposure to attacks and the damage an attack
can cause
Physical security example: car ignition key vs. door
key
56. Implementing least privilege
Ensure that only a minimal set of users have
root access
Don't make a program setuid root if not
needed. Rather, make the file group-writable by
some group and make the program setgid to
that group, rather than setuid root
Don't run insecure programs on the firewall or
other trusted hosts
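An added example (not from the slides) for the service case the slide leaves implicit: a daemon that had to start as root, say to bind a port or read a key, and should then run with the least privilege it needs. It drops supplementary groups, gid and uid in the order that works, uses the calls that also change the saved ids, and then verifies that root cannot be regained. The "nobody" account name and the 65534 fallback are assumptions; when the example itself is run without root it drops to its own ids, which still exercises the verification.

```python
# Added example, not from the slides: drop privileges in the right order and
# verify the drop. The target account "nobody" and the 65534 fallback are
# assumptions; without root the example "drops" to its own ids.
import os
import pwd
from typing import Tuple


def unprivileged_target() -> Tuple[int, int]:
    """Identity to drop to: 'nobody' when running as root, otherwise ourselves
    (an unprivileged process may only set ids it already holds)."""
    if os.geteuid() != 0:
        return os.getuid(), os.getgid()
    try:
        p = pwd.getpwnam("nobody")
        return p.pw_uid, p.pw_gid
    except KeyError:
        return 65534, 65534


def drop_privileges(uid: int, gid: int) -> bool:
    """Supplementary groups first (a root-only call), then gid, then uid: once the
    uid is non-root the group calls would be refused. setuid/setgid rather than
    seteuid/setegid, so the saved ids change too and there is no way back.
    Returns True only when the process can no longer regain root."""
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return os.getuid() == uid and os.getgid() == gid
    return False   # setuid(0) worked: uid was 0, or only the effective id had been changed


if __name__ == "__main__":
    uid, gid = unprivileged_target()
    print("dropped and locked:", drop_privileges(uid, gid), "now uid", os.getuid(), "gid", os.getgid())
```

The verification step is the part most real code omits; a drop that only used seteuid() would print the right uid and still let an attacker call setuid(0) later.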