Access Control Systems & Methodology (CISSP)


Page 1: 1 Access Control Systems & Methodology CISSP. 2 Topics to be covered  Overview  Access control implementation Types of access control MAC & DAC Orange.

Access Control Systems & Methodology

CISSP

Page 2:

Topics to be covered

• Overview
• Access control implementation
• Types of access control
• MAC & DAC
• Orange Book
• Authentication
• Passwords
• Biometrics
• Tokens/SSO
• Kerberos
• Attacks/Vulnerabilities/Monitoring
• IDS
• Object reuse
• TEMPEST
• RAS access control
• Penetration Testing

Page 3:

What is access control?

Access control is the traditional center of security

Definitions:

• The ability to allow only authorized users, programs or processes system or resource access
• The granting or denying, according to a particular security model, of certain permissions to access a resource
• An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.

Page 4:

Access control nomenclature

• Authentication - Process through which one proves and verifies certain information
• Identification - Process through which one ascertains the identity of another person or entity
• Confidentiality - Protection of private data from unauthorized viewing
• Integrity - Data is not corrupted or modified in any unauthorized manner
• Availability - System is usable. Contrast with Denial of Service (DoS)

Page 5:

How can AC be implemented?

• Hardware
• Software
• Application
• Protocol (Kerberos, IPSec)
• Physical
• Logical (policies)

Page 6:

Why does access control not work?

Page 7:

What does AC hope to protect?

• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system is based on a secure physical infrastructure
• The easiest way to protect data is not to have it on the system. Make it someone else’s problem.

Page 8:

Proactive access control

• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures

Page 9:

Physical access control

• Guards
• Locks
• Mantraps
• ID badges
• Digital cameras, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs

Page 10:

AC & privacy issues

• Expectation of privacy
• Policies
• Monitoring activity, Internet usage, e-mail
• Login banners should detail expectations of privacy and state levels of monitoring
• HIPAA

Page 11:

Varied types of Access Control

• Discretionary (DAC)
• Mandatory (MAC)
• Lattice/Role/Task
• Formal models:
  • Biba
  • Take/Grant
  • Clark/Wilson
  • Bell/LaPadula
    • Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.

Not Real Useful, but part of the test!

Page 12:

Problems with formal models

• Based on a static infrastructure
• Defined and succinct policies
• These do not work in corporate systems which are extremely dynamic and constantly changing
• None of the previous models deals with:
  • Viruses/active content
  • Trojan horses
  • Firewalls
• Limited documentation on how to build these systems

Last Generation

Page 13:

MAC vs. DAC

• Discretionary Access Control - You decide how you want to protect and share your data
• Mandatory Access Control - The system decides how the data will be shared

Page 14:

Mandatory Access Control

• Assigns sensitivity levels, Secret, Confidential .. (AKA labels)
• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
• Only the administrators, not object owners, may change the object level
• Generally more secure than DAC
• Orange book B-level
• Used in systems where security is critical, i.e., military

Page 15:

Mandatory Access Control (Continued)

• Downgrade in performance
• Relies on the system to control access
• Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
• All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
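
The two MAC slides above, worked as code. This is an added example, not part of the original slides: the class and method names, the four-level ordering and the rule that output takes the highest label of its sources are assumptions of the example. The read and write checks correspond to the "no read up" and "no write down" rules of the Bell/LaPadula model that the deck names.

```python
from enum import IntEnum


class Level(IntEnum):
    # Ordered sensitivity labels (ordering assumed for this example).
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class MacPolicy:
    """System-enforced labels: the system, not the object owner, decides."""

    def __init__(self):
        self._labels = {}     # object name -> Level
        self._admins = set()  # users allowed to label objects

    def add_admin(self, user):
        self._admins.add(user)

    def set_label(self, actor, obj, level):
        # Only administrators, not object owners, may change an object's level.
        if actor not in self._admins:
            raise PermissionError(f"{actor} may not relabel {obj}")
        self._labels[obj] = Level(level)

    def can_read(self, clearance, obj):
        # An object is readable only by users cleared up to its level.
        return clearance >= self._labels[obj]

    def can_write(self, data_level, obj):
        # Secret data must not be written into a confidential file.
        return data_level <= self._labels[obj]

    def output_label(self, sources):
        # Label for a print job or removable medium built from several
        # objects: the highest label among them (assumed rule).
        return max(self._labels[s] for s in sources)


def demo():
    policy = MacPolicy()
    policy.add_admin("secadmin")
    policy.set_label("secadmin", "plan.txt", Level.CONFIDENTIAL)
    policy.set_label("secadmin", "menu.txt", Level.UNCLASSIFIED)
    return {
        "secret user reads plan": policy.can_read(Level.SECRET, "plan.txt"),
        "secret data into plan": policy.can_write(Level.SECRET, "plan.txt"),
        "printout label": policy.output_label(["plan.txt", "menu.txt"]).name,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```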

Page 16:

Discretionary Access Control

• Access is restricted based on the authorization granted to the user
• Orange book C-level
• Prime use to separate and protect users from unauthorized data
• Used by Unix and Windows.
• Relies on the object owner to control access

Page 17:

Access control lists (ACL)

• A file used by the access control system to determine who may access what programs and files, in what method and at what time
• Different operating systems have different ACL terms
• Types of access: Read/Write/Create/Execute/Modify/Delete/Rename

Page 18:

Standard UNIX file permissions

Permission   | Allowed action, if object is a file | Allowed action, if object is a directory
R (read)     | Reads contents of a file            | List contents of the directory
X (execute)  | Execute file as a program           | Search the directory
W (write)    | Change file contents                | Add, rename, create files and subdirectories
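
How the table above turns into an access decision, as an added example that is not part of the original slides. It goes one step beyond the table by showing which of the owner/group/other triplets is consulted; the function names, operation names and sample objects are constructed for the example, and root, ACLs and capabilities are not modelled.

```python
import stat

# Bits each operation needs, following the table above. Creating or renaming
# an entry also needs search (x) on the directory, not write alone.
NEEDED = {
    ("file", "read"): "r",
    ("file", "write"): "w",
    ("file", "execute"): "x",
    ("dir", "list"): "r",
    ("dir", "search"): "x",
    ("dir", "create"): "wx",
}


def applicable_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the one rwx triplet that applies: owner, else group, else other."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    triplet = (mode >> shift) & 0o7
    return "".join(ch for ch, bit in zip("rwx", (4, 2, 1)) if triplet & bit)


def allowed(mode, owner_uid, owner_gid, uid, gids, operation):
    """Decide a request for a non-root user."""
    kind = "dir" if stat.S_ISDIR(mode) else "file"
    needed = NEEDED[(kind, operation)]
    granted = applicable_bits(mode, owner_uid, owner_gid, uid, gids)
    return all(bit in granted for bit in needed)


# Constructed sample objects: (mode, owner uid, owner gid).
PAYROLL = (stat.S_IFREG | 0o640, 1000, 50)     # rw-r-----
DROPBOX = (stat.S_IFDIR | 0o733, 1000, 50)     # rwx-wx-wx
LOCKED_OUT = (stat.S_IFREG | 0o044, 1000, 50)  # ---r--r--

if __name__ == "__main__":
    # A stranger can drop files into DROPBOX but cannot list what is there.
    print(allowed(*DROPBOX, 3000, {3000}, "create"))
    print(allowed(*DROPBOX, 3000, {3000}, "list"))
    # Only the owner triplet is checked for the owner, even if "other" is wider.
    print(allowed(*LOCKED_OUT, 1000, {50}, "read"))
```

The last case is the one audits tend to miss: the triplets are not cumulative, so a mode such as 044 denies the owner what it grants everyone else.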

Page 19:

Standard Sharing - Changing

Page 20:

Orange Book

• DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
• Provides the information needed to classify systems (A,B,C,D), defining the degree of trust that may be placed in them
• For stand-alone systems only

Page 21:

Orange book levels

• A - Verified protection
  • A1 - Boeing SNS, Honeywell SCOMP
• B - MAC
  • B1/B2/B3 - MVS w/ s, ACF2 or TopSecret, Trusted IRIX
• C - DAC
  • C1/C2 - DEC VMS, NT, NetWare, Trusted Solaris
• D - Minimal security. Systems that have been evaluated, but failed

Page 22:

Problems with the Orange Book

• Based on an old model, Bell-LaPadula
• Stand alone - network systems extensions exist
• Systems take a long time
• Certification is expensive
• For the most part, not used outside of the government sector

Page 23:

Red Book

• Used to extend the Orange Book to networks
• Actually two works:
  • Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
  • Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)

Page 24:

Authentication

3 types of authentication:

Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant

Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport

Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Page 25:

Confidentiality Integrity Availability

Page 26:

Multi-factor authentication

2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.

• ATM card + PIN
• Credit card + signature
• PIN + fingerprint
• Username + Password (NetWare, Unix, NT default)

3-factor authentication -- For higher security

• Username + Passcode + SecurID token
• Username + Password + Fingerprint

Page 27:

Problems with passwords

Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.

Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords.

Dictionary attacks are only feasible because users choose easily guessed passwords!

Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember

Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Page 28:

Classic password rules

The best passwords are those that are both easy to remember and hard to crack using a dictionary attack.

Don’t use:

• common names, DOB, spouse, phone #, etc.
• words found in dictionaries
• "password" as a password
• system defaults

Those trying to break passwords have access to most password rules in their tool kit!

Page 29:

Password management

• Configure system to use strong passwords
• Set password time and length limits
• Limit unsuccessful logins
• Limit concurrent connections
• Enable auditing
• Have policies for password resets and changes
• Use last login dates in banners

Page 30:

Password Attacks

• See if it is “password”
• Brute force
  • l0phtcrack
• Dictionary
  • Crack
  • John the Ripper
• Trojan horse login program

Page 31:

Biometrics

Authenticating a user via human characteristics

Using measurable physical characteristics of a person to prove their identification

• Fingerprint
• Signature dynamics
• Iris
• Retina
• Voice
• Face
• DNA, blood

Page 32:

Advantages of hand / fingerprint-based biometrics

• Can’t be lent like a physical key or token and can’t be forgotten like a password

• Good compromise between ease of use, template size, cost and accuracy

• Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases

• Basically lasts forever -- or at least until amputation or dismemberment

• Makes network login & authentication effortless

Page 33:

Biometric Disadvantages

• Still relatively expensive per user
  • Cost is going down!
• Companies & products are often new & immature
• Some hesitancy for user acceptance
• After 9-11, some thoughts towards use at airport security.

Page 34:

Biometric privacy issues

Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour

Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services

Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Page 35:

U.S. Airports Now Fingerprint Foreigners

Foreigners arriving at U.S. airports were photographed and had their fingerprints scanned Monday in the start of a government effort to use some of the latest surveillance technology to keep terrorists out of the country.

Page 36:

Practical biometric

• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Social Security, welfare, etc.)
• Verifying identities at point of sale
• Using in conjunction with ATM, credit or smart cards
• Controlling physical access to office buildings or homes
• Protecting personal property
• Protecting against kidnapping in schools, play areas, etc.
• Protecting children from fatal gun accidents
• Voting/passports/visas & immigration

Page 37:

Tokens

Used to facilitate one-time passwords

• Physical card
• SecurID
• S/Key
• Smart card
• Access token

Page 38:

Single sign-on

• User has one password for all enterprise systems and applications
• That way, one strong password can be remembered and used
• All of a user’s accounts can be quickly created on hire, deleted on dismissal
• Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, x.509

Page 39:

Kerberos

• Part of MIT’s Project Athena
• Currently in version 5
• Kerberos is an authentication protocol used for network-wide authentication
• All software must be kerberized
• Tickets, authenticators, key distribution center (KDC)
• Divided into realms
• Kerberos is the three-headed dog that guards the entrance to Hades (this won’t be on the test)

Page 40:

Attacks

• Passive attack - Monitor network traffic and then use data obtained or perform a replay attack.
  • Hard to detect
• Active attack - Attacker is actively trying to break in.
  • Exploit system vulnerabilities
  • Spoofing
  • Crypto attacks
• Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation
  • Smurf, SYN Flood, Ping of death
  • Mail bombs

Page 41:

Vulnerabilities

Follow the Money!

• Physical
• Natural
  • Floods, earthquakes, terrorists, power outage, lightning
• Hardware/Software
• Media
  • Corrupt electronic media, stolen disk drives
• Emanation
• Communications
• Human
  • Social engineering, disgruntled staff

Page 42:

Monitoring

• IDS
• Logs
• Audit trails
• Network tools
  • Tivoli
  • Spectrum
  • OpenView

Page 43:

Intrusion Detection Systems

• IDS monitors system or network for attacks
• IDS engine has a library and set of signatures that identify an attack
• Adds defense in depth
• Should be used in conjunction with a system scanner
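
A signature library of the kind described above, run over a login audit trail, as an added example that is not part of the original slides. It also covers the monitoring side of "Limit unsuccessful logins" from the password management slide. The log format, the signature names, the thresholds and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-10T09:00:01 sshd FAILED login user=alice src=192.0.2.10
2024-01-10T09:00:05 sshd ACCEPTED login user=alice src=192.0.2.10
2024-01-10T09:01:00 sshd FAILED login user=root src=198.51.100.7
2024-01-10T09:01:02 sshd FAILED login user=admin src=198.51.100.7
2024-01-10T09:01:04 sshd FAILED login user=guest src=198.51.100.7
2024-01-10T09:05:00 sshd FAILED login user=bob src=203.0.113.5
2024-01-10T09:09:00 sshd FAILED login user=bob src=203.0.113.5
2024-01-10T09:13:00 sshd FAILED login user=bob src=203.0.113.5
2024-01-10T09:14:00 sshd ACCEPTED login user=guest src=203.0.113.5
"""

# Each signature: a pattern with a 'src' group, plus how many hits from one
# source inside the window raise an alert.
SIGNATURES = [
    {"name": "password-guessing",
     "pattern": re.compile(r"FAILED login user=\S+ src=(?P<src>\S+)"),
     "threshold": 3, "window": timedelta(seconds=60)},
    {"name": "default-account-login",
     "pattern": re.compile(
         r"ACCEPTED login user=(?:root|guest|admin) src=(?P<src>\S+)"),
     "threshold": 1, "window": timedelta(0)},
]


def detect(log_text, signatures=SIGNATURES):
    """Return (signature, source, timestamp) for every threshold crossing."""
    recent = defaultdict(deque)  # (signature, src) -> hit times in window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        when = datetime.fromisoformat(stamp)
        for sig in signatures:
            match = sig["pattern"].search(rest)
            if not match:
                continue
            hits = recent[(sig["name"], match.group("src"))]
            hits.append(when)
            # Drop hits that have aged out of the sliding window.
            while when - hits[0] > sig["window"]:
                hits.popleft()
            if len(hits) >= sig["threshold"]:
                alerts.append((sig["name"], match.group("src"), stamp))
                hits.clear()  # re-arm so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The three slow failures from 203.0.113.5 stay under the 60-second window and raise nothing, which is the gap a per-account lockout counter closes.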

Page 44:

Object reuse

With Compact Disks – One-Time Write not much of an issue; with tapes, floppies, read/write CDs

Sample Rules

• Must ensure that magnetic media do not have any remanence of previous data
• Also applies to buffers, cache and other memory allocation
• Documents recently declassified as to how 10-pass writes were recovered
• Objects must be declassified
• Magnetic media must be degaussed or have secure overwrites

Page 45:

TEMPEST - DoD

• Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
• TEMPEST certified equipment, which encases the hardware into a tight, metal construct, shields the electromagnetic emanations
• WANG Federal is the leading provider of TEMPEST hardware
• TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
• Rooms & buildings can be TEMPEST-certified
• TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents

Page 46:

Banners

Mostly to protect provider – no one reads them

Some Reasons

• Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
• Not foolproof, but a good start, especially from a legal perspective
• Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.

Page 47:

Penetration Testing

• Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
  • Discovery and footprint analysis
  • Exploitation
  • Physical Security Assessment
  • Social Engineering
• Attempt to identify vulnerabilities and gain access to critical systems within organization
• Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
• Assessments allow client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real life business risks

Page 48:

Rule of least privilege

• One of the most fundamental principles of infosec
• States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can cause
• Physical security example: car ignition key vs. door key

Page 49:

Implementing least privilege

Ensure that only a minimal set of users have access to full system.

Don’t run insecure programs on the firewall or other trusted host.

Lots more!