Access Control Systems & Methodology (CISSP)
1
Access Control Systems & Methodology
CISSP
2
Topics to be covered
• Overview
• Access control implementation
• Types of access control: MAC & DAC
• Orange Book
• Authentication: passwords, biometrics, tokens/SSO, Kerberos
• Attacks/vulnerabilities/monitoring
• IDS
• Object reuse
• TEMPEST
• RAS access control
• Penetration testing
3
What is access control?
Access control is the traditional center of security.
Definitions:
• The ability to allow only authorized users, programs or processes system or resource access
• The granting or denying, according to a particular security model, of certain permissions to access a resource
• An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules
4
Access control nomenclature
• Authentication: process through which one proves and verifies certain information
• Identification: process through which one ascertains the identity of another person or entity
• Confidentiality: protection of private data from unauthorized viewing
• Integrity: data is not corrupted or modified in any unauthorized manner
• Availability: system is usable. Contrast with Denial of Service (DoS)
5
How can AC be implemented?
• Hardware
• Software
• Application
• Protocol (Kerberos, IPSec)
• Physical
• Logical (policies)
Why does access control not work?
7
What does AC hope to protect?
• Data: unauthorized viewing, modification or copying
• System: unauthorized use, modification or denial of service
It should be noted that nearly every network operating system is based on a secure physical infrastructure.
The easiest way to protect data is not to have it on the system. Make it someone else's problem.
8
Proactive access control
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures
9
Physical access control
• Guards
• Locks
• Mantraps
• ID badges
• Digital cameras, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-keys and tokens
• Guard dogs
10
AC & privacy issues
• Expectation of privacy
• Policies
• Monitoring of activity, Internet usage, e-mail
• Login banners should detail expectations of privacy and state the level of monitoring
• HIPAA
11
Varied types of Access Control
• Discretionary (DAC)
• Mandatory (MAC)
• Lattice/Role/Task
• Formal models: Biba, Take/Grant, Clark/Wilson, Bell/LaPadula
  These used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.
  Not really useful, but part of the test!
12
Problems with formal models
• Based on a static infrastructure
• Defined and succinct policies
• These do not work in corporate systems, which are extremely dynamic and constantly changing
• None of the previous models deals with: viruses/active content, Trojan horses, firewalls
• Limited documentation on how to build these systems
• Last generation
13
MAC vs. DAC
• Discretionary Access Control: you decide how you want to protect and share your data
• Mandatory Access Control: the system decides how the data will be shared
14
Mandatory Access Control
• Assigns sensitivity levels: Secret, Confidential, ... (AKA labels)
• Every object is given a sensitivity label and is accessible only to users who are cleared up to that particular level
• Only administrators, not object owners, may change an object's level
• Generally more secure than DAC
• Orange Book B-level
• Used in systems where security is critical, e.g., the military
15
Mandatory Access Control (continued)
• Downgrade in performance
• Relies on the system to control access
• Example: if a file is classified as Confidential, MAC will prevent anyone from writing Secret or Top Secret information into that file
• All output (print jobs, floppies, other magnetic media) must be labeled with its sensitivity level
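As an added example (not from the slides or from any product named here), the following Python applies the two MAC rules the slides describe: a user may read only objects at or below their clearance, and the slide's own case of Secret information being refused a write into a Confidential file. The label set, the subject/object names and the administrator-only relabel rule are assumptions made for illustration.

```python
# Added example (not from the slides): a minimal Mandatory Access Control
# check applying Bell-LaPadula rules to a fixed set of sensitivity labels.
# Label names and the sample subjects/objects below are constructed.
from dataclasses import dataclass

# Ordered lattice of sensitivity levels; a higher index is more sensitive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    label: str


def can_read(subject, obj):
    """Simple security property (no read up): the subject's clearance
    must be at or above the object's label ("cleared up to that level")."""
    return RANK[subject.clearance] >= RANK[obj.label]


def can_write(subject, obj):
    """*-property (no write down): the object's label must be at or above
    the subject's clearance, so SECRET material cannot be written into a
    CONFIDENTIAL file, which is the slide's example."""
    return RANK[obj.label] >= RANK[subject.clearance]


def relabel(obj, new_label, actor_is_admin):
    """Only administrators, not object owners, may change a label."""
    if not actor_is_admin:
        raise PermissionError("only an administrator may change a label")
    if new_label not in RANK:
        raise ValueError(f"unknown label {new_label!r}")
    return Obj(obj.name, new_label)


if __name__ == "__main__":
    report = Obj("budget.txt", "CONFIDENTIAL")
    analyst = Subject("analyst", "SECRET")
    print(can_read(analyst, report), can_write(analyst, report))
```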
16
Discretionary Access Control
• Access is restricted based on the authorization granted to the user
• Orange Book C-level
• Prime use is to separate and protect users from unauthorized data
• Used by Unix and Windows
• Relies on the object owner to control access
17
Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, in what manner and at what time
• Different operating systems have different ACL terms
• Types of access: read/write/create/execute/modify/delete/rename
18
Standard UNIX file permissions
Permission    Allowed action if object is a file    Allowed action if object is a directory
r (read)      Read contents of the file             List contents of the directory
x (execute)   Execute file as a program             Search the directory
w (write)     Change file contents                  Add, rename, create files and subdirectories
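As an added example (not from the slides), this Python decodes a symbolic mode string of the kind `ls -l` prints and reports what each bit allows, applying the file-versus-directory distinction from the table; the mode strings used are constructed, and only plain rwx bits are handled.

```python
# Added example (not from the slides): decode a symbolic mode string such
# as "drwxr-x---" into the actions it permits, applying the file-versus-
# directory distinction from the table. Sample modes are constructed.

# What each bit means, keyed by whether the object is a directory.
MEANING = {
    False: {"r": "read file contents",
            "w": "change file contents",
            "x": "execute file as a program"},
    True: {"r": "list directory contents",
           "w": "add, rename or create entries",
           "x": "search (traverse) the directory"},
}
CLASSES = ("owner", "group", "other")


def parse_mode(mode):
    """Return (is_directory, {class: set of r/w/x}) for a 10-char mode.
    Only plain rwx bits are handled; setuid/setgid/sticky forms are rejected."""
    if len(mode) != 10 or mode[0] not in "-d":
        raise ValueError(f"unsupported mode string {mode!r}")
    is_dir = mode[0] == "d"
    perms = {}
    for i, cls in enumerate(CLASSES):
        triplet = mode[1 + 3 * i:4 + 3 * i]
        bits = set()
        for expected, ch in zip("rwx", triplet):
            if ch == expected:
                bits.add(ch)
            elif ch != "-":
                raise ValueError(f"unexpected bit {ch!r} in {mode!r}")
        perms[cls] = bits
    return is_dir, perms


def allowed_actions(mode, cls):
    """Human-readable actions granted to a user class, in r/w/x order."""
    is_dir, perms = parse_mode(mode)
    return [MEANING[is_dir][b] for b in "rwx" if b in perms[cls]]


def can_list_and_enter(mode, cls):
    """A directory is fully usable only with both r (list) and x (search)."""
    is_dir, perms = parse_mode(mode)
    return is_dir and {"r", "x"} <= perms[cls]


if __name__ == "__main__":
    print(allowed_actions("drwxr-x---", "group"))
```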
19
Standard Sharing - Changing
20
Orange Book
• DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
• Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
• For stand-alone systems only
21
Orange Book levels
• A - Verified protection: A1 (Boeing SNS, Honeywell SCOMP)
• B - MAC: B1/B2/B3 (MVS w/ s, ACF2 or TopSecret; Trusted IRIX)
• C - DAC: C1/C2 (DEC VMS, NT, NetWare, Trusted Solaris)
• D - Minimal security: systems that have been evaluated but failed
22
Problems with the Orange Book
• Based on an old model, Bell-LaPadula
• Covers stand-alone systems; network extensions exist
• Evaluations take a long time
• Certification is expensive
• For the most part, not used outside of the government sector
23
Red Book
• Used to extend the Orange Book to networks
• Actually two works:
  - Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
  - Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
24
Authentication
3 types of authentication:
• Something you know: password, PIN, mother's maiden name, passcode, fraternity chant
• Something you have: ATM card, smart card, token, key, ID badge, driver license, passport
• Something you are: fingerprint, voice scan, iris scan, retina scan, body odor, DNA
Confidentiality Integrity Availability
26
Multi-factor authentication
• 2-factor authentication: to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. Examples: ATM card + PIN; credit card + signature; PIN + fingerprint; username + password (NetWare, Unix, NT default)
• 3-factor authentication, for higher security: username + passcode + SecurID token; username + password + fingerprint
27
Problems with passwords
Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords.
Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember
Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
28
Classic password rules
• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack
• Don't use: common names, DOB, spouse, phone #, etc.; words found in dictionaries; "password" as a password; system defaults
• Those trying to break passwords have access to most password rules in their tool kit!
29
Password management
• Configure the system to use strong passwords
• Set password age and length limits
• Limit unsuccessful logins
• Limit concurrent connections
• Enable auditing
• Have policies for password resets and changes
• Show last login dates in banners
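As an added example (not from the slides) covering both the classic password rules and the password-management items above, the following Python rejects a candidate password that matches the slides' "don't use" list and locks an account after a fixed number of failed logins. The minimum length, the lockout threshold, the word lists and the per-user facts are constructed stand-ins for what a real system would load.

```python
# Added example (not from the slides): enforce the classic password rules
# above and the "limit unsuccessful logins" item. Word lists, limits and
# per-user facts are constructed stand-ins for what a real system would load.
import re

MIN_LENGTH = 12
MAX_FAILED_LOGINS = 5
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
SYSTEM_DEFAULTS = {"admin", "changeme", "default"}


def check_password(candidate, personal):
    """Return the rules a candidate violates (empty list means acceptable).
    `personal` maps field names (name, spouse, DOB, phone, ...) to values that
    must not appear; digits are also compared alone so 1984-07-15 catches 19840715."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DICTIONARY_WORDS or lowered in SYSTEM_DEFAULTS:
        problems.append("dictionary word or system default")
    digits = re.sub(r"\D", "", candidate)
    for field, value in personal.items():
        vdigits = re.sub(r"\D", "", value)
        if value and value.lower() in lowered:
            problems.append(f"contains {field}")
        elif len(vdigits) >= 4 and vdigits in digits:
            problems.append(f"contains digits of {field}")
    return problems


class LoginLimiter:
    """Locks an account after MAX_FAILED_LOGINS consecutive failures."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record(self, user, success):
        """Record one attempt; return True if the account is now locked."""
        if user in self.locked:
            return True
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_LOGINS:
            self.locked.add(user)
        return user in self.locked
```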
30
Password Attacks
• See if it is "password"
• Brute force: l0phtcrack
• Dictionary: Crack, John the Ripper
• Trojan horse login program
31
Biometrics
• Authenticating a user via human characteristics
• Using measurable physical characteristics of a person to prove their identity
• Fingerprint, signature dynamics, iris, retina, voice, face, DNA, blood
32
Advantages of hand / fingerprint-based biometrics
• Can’t be lent like a physical key or token and can’t be forgotten like a password
• Good compromise between ease of use, template size, cost and accuracy
• Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
• Basically lasts forever -- or at least until amputation or dismemberment
• Makes network login & authentication effortless
33
Biometric Disadvantages
• Still relatively expensive per user (cost is going down!)
• Companies & products are often new & immature
• Some hesitancy for user acceptance
• After 9-11, some thoughts towards use at airport security
34
Biometric privacy issues
Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
U.S. Airports Now Fingerprint Foreigners
Foreigners arriving at U.S. airports were photographed and had their fingerprints scanned Monday in the start of a government effort to use some of the latest surveillance technology to keep terrorists out of the country.
36
Practical biometrics
• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Social Security, welfare, etc.)
• Verifying identities at point of sale
• Use in conjunction with ATM, credit or smart cards
• Controlling physical access to office buildings or homes
• Protecting personal property
• Preventing kidnapping in schools, play areas, etc.
• Protecting children from fatal gun accidents
• Voting/passports/visas & immigration
37
Tokens
• Used to facilitate one-time passwords
• Physical card
• SecurID
• S/Key
• Smart card
• Access token
38
Single sign-on
• User has one password for all enterprise systems and applications
• That way, one strong password can be remembered and used
• All of a user's accounts can be quickly created on hire and deleted on dismissal
• Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509
39
Kerberos
• Part of MIT's Project Athena
• Currently in version 5
• Kerberos is an authentication protocol used for network-wide authentication
• All software must be kerberized
• Tickets, authenticators, key distribution center (KDC)
• Divided into realms
• Kerberos is the three-headed dog that guards the entrance to Hades (this won't be on the test)
40
Attacks
• Passive attack: monitor network traffic and then use the data obtained or perform a replay attack. Hard to detect
• Active attack: the attacker is actively trying to break in. Exploiting system vulnerabilities, spoofing, crypto attacks
• Denial of service (DoS): not so much an attempt to gain access, rather to prevent system operation. Smurf, SYN flood, Ping of Death, mail bombs
41
Vulnerabilities
Follow the money!
• Physical
• Natural: floods, earthquakes, terrorists, power outage, lightning
• Hardware/Software
• Media: corrupt electronic media, stolen disk drives
• Emanation
• Communications
• Human: social engineering, disgruntled staff
42
Monitoring
• IDS
• Logs
• Audit trails
• Network tools: Tivoli, Spectrum, OpenView
43
Intrusion Detection Systems
• An IDS monitors a system or network for attacks
• The IDS engine has a library and set of signatures that identify an attack
• Adds defense in depth
• Should be used in conjunction with a system scanner
44
Object reuse
• With write-once compact disks, not much of an issue; with tapes, floppies and read/write CDs it is
• Sample rules:
  - Must ensure that magnetic media do not have any remnants of previous data
  - Also applies to buffers, cache and other memory allocations
  - Recently declassified documents describe how 10-pass overwrites were recovered
  - Objects must be declassified
  - Magnetic media must be degaussed or securely overwritten
45
TEMPEST - DoD
• Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
• TEMPEST-certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
• WANG Federal is the leading provider of TEMPEST hardware
• TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
• Rooms & buildings can be TEMPEST-certified
• The TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents
46
Banners
• Mostly to protect the provider; no one reads them
• Some reasons:
  - Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
  - Not foolproof, but a good start, especially from a legal perspective
  - Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
47
Penetration Testing
• Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
• Discovery and footprint analysis; exploitation; physical security assessment; social engineering
• Attempts to identify vulnerabilities and gain access to critical systems within the organization
• Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
• Assessments allow the client to demonstrate the need for additional security resources by translating existing vulnerabilities into real-life business risks
48
Rule of least privilege
• One of the most fundamental principles of infosec
• States that any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can cause
• Physical security example: car ignition key vs. door key
49
Implementing least privilege
• Ensure that only a minimal set of users have access to the full system
• Don't run insecure programs on the firewall or other trusted hosts
• Lots more!