Access Control Methodology Types - USALearning


Access Control Methodology Types

Table of Contents

Technical/Logical Access Controls

Network Access

Remote and System Access

Application Access

Malware Control and Encryption

Physical Access Control

Notices


Technical/Logical Access Controls


Network Access

Remote Access

Application Access

Malware Control

Encryption

**028 The bits and the bytes, all sorts of different ways to do these things electronically.


Network Access


Devices (firewall, IDS, IPS, proxy systems)

VLANs

Wireless configuration

Network access control (NAC) – ensures a system is configured in accordance with current policies before it is allowed to join the network

**029 For instance, access controls on the network. We can use boxes themselves. And we're going to drill down in each of those in a little while, too. What's a VLAN, again? That's another abbreviation I didn't spell out. What's a VLAN?

Student: Virtual Local Area Network.

Ben Malisow: Yes. And that's an allowed sixth grade answer because I asked what it means. Yes. Very good. What does it do? What's it do?

Student: Allows you local network access when you're not on site.

Ben Malisow: Good. Good. It gives you the figment of whether you were on site or not, right? Good. Your wireless configuration, is that an access control point? Can you use access control methodologies there? Yes. And we're going to talk a lot about those, as well. NAC, network access control, making sure that everything you demand of the machines on your network is applied to this machine before it's allowed in. What sort of things might be a policy on those? What sort of things might you look for?

Student: The systems patch that has the latest anti-virus, stuff like that.

Ben Malisow: Boom. Any way that it's supposed to be hardened is hardened, any ports that are disallowed are disallowed before it's allowed in. Good. Good.


Remote and System Access


Remote access
• Virtual private network (VPN)

System access
• Combination of userid and password
• Smartcards
• Tokens

**030 VPN, what is that? What's a VPN? Similar to VLAN.

Student: To connect to the network in your infrastructure.

Ben Malisow: From?

Student: Outside.

Ben Malisow: Outside, good. Is that-- Gabriel, you were going to say? Through an encrypted tunnel is usually-- that's the sort of thing that would show up on a test question. Through an encrypted tunnel is what VPN is. You can go outside, even through the Internet, and it still looks as if-- it looks to your network as if there's a machine on the network, right? Good. Accessing your system remotely or even on your network, we're going to use different kinds of controls to do that. And we're going to drill down on a whole bunch of these things, but the most common is having a user ID and a password. Is that an access control? Yeah. Sure it is. It's rudimentary. It's one that we-- just about everyone has. It's like the basic level of access control. What's a smart card? What's a smart card? Anyone got one? Anyone got one on them? Okay.

Student: I said probably everybody does, some sort of RFID.

Ben Malisow: Good, RFID or magnetic, or there's a bunch of different ways to encode these cards. And it carries your identification on it. And it might open doors. And it might be hooked to a server somewhere. Good. What's a token? We're going to talk about those, too. Tokens?

Student: A physical device that puts randomly generated numbers or some other--

Ben Malisow: Good, good. It's often an access control method that allows you to match up with the authentication server on the far end and confirm that you are who you say you are. Good.


Application Access


Monitor user sessions

Inactivity time-outs

Validate data entry

Limit access to services

Applications designed for reducing threats
• Buffer overflow
• Process scheduling conflicts
• System integrity breaches

**031 Access control, technical and logical, as dictated by the application itself. Real easy ways to do that. Having it monitor the user. Can applications actually follow the user through their use of it? Sure. Anyone ever use a keystroke logger? Yeah. Andy's grinning, grinning. Andy, why is that so awesome?

Student: Because they're amazing.

Ben Malisow: Yes, why are they amazing?

Student: Because you get all their keystrokes. You can get their password, their username. You can get what they're actually doing in something, if they're doing something malicious.

Ben Malisow: That's the last one we were looking for, mainly. Mainly, we should know what their password and username is. But yeah, it's a way of recreating what the user was doing while they were operating the system or the application. Why do we have time outs? Why do we have an inactivity time out?

Student: So somebody can't hijack their session after they're done.

Ben Malisow: Good, you're not leaving the door open for the next person. Joan, is that what you were going to say?

Student: Yeah, you walk away from your computer.

Ben Malisow: Same thing, yeah. Good. Good. When you're on a public machine, you often sign out after you've been checking your email, right, just so you don't leave it there? Good. Validating the data entry, the application can actually ensure that the user is putting good data in there. We'll talk about that one when we get to databases, especially. But is there bad information that user can put in that can harm the system and the availability? Yes. Yes. So the application can validate that from jump. The application might be able to be set to limit what users can do. Can anyone think of an example of this, services that a given application won't allow, depending on how it's configured? Microsoft Word was notorious back in the '90s for a particular virus named Melissa. Anyone remember Melissa, what she did, what that was all about, how it traveled? Yes.

Student: Was it macros?

Ben Malisow: It was-- yeah. Michael gets two. Yes.

Student: Just for being old and remembering.

Ben Malisow: That's a good thing. We need more candy the older we get. All right, yes. It was-- Microsoft Word has macros built into it, which are a very useful tool. They can do-- it's incredibly powerful. Unfortunately, Melissa took advantage of macros and would start going through your email address book, and I think would email the top 50 people in it. And it would transport infected Word documents with this macro virus in it. In a lot of organizations, as a response to that, access to macros was shut down, that the default became no you can't have it. If you want it, come see us. And maybe we'll open that up. That's one example. Applications out of the box, should when they're being designed, take security into account, take access control into account, and have some of it built in. We're going to talk about buffers and buffer overflows, but all of these things should be built into the software. The vendors should already have this in mind. If they're not, they're selling you something irresponsibly. You don't want to add more security problems to your organization when you buy a product, right?


Malware Control and Encryption


Malware control (viruses, worms, Trojan horse apps, spyware, adware)

• Antivirus
• File integrity checks
• IPS

Encryption
• Supports confidentiality and authentication
• Hashed: put through a one-way, irreversible mathematical operation
• Assists in session validation

**032 All right, some of the fun stuff. Malware, what's malware stand for? What's it mean? It's not even a big word, but you want to take a crack at it?

Student: It's bad software.

Ben Malisow: Bad software, bad, mal, mal, from the Mexican meaning mal. No. What is it?

Student: Malicious.

Ben Malisow: Malicious software, very good. Generally, in our industry, in the field, there's no hard and fast definition of these things. Moreover, if it's self-replicating, is it a worm? Or is it a virus with worm qualities? If it's hidden in a program, is it a Trojan horse? Or is it just a good macro virus? There's a whole bunch of gray area. There's a whole bunch of different vernacular out there. When we talked about taxonomy, it's just a set of words, right? The main point is it's out there. And it is ubiquitous. There's hardly anywhere that you can set up a machine, connect to the Internet, and not get infected with something if you don't protect it to a certain extent. So, how do we do that? We use anti-virus software. We do file integrity checks. What's a file integrity check? What is that? How is it done? And how does it look for viruses?

Student: A CRC or a checksum.

Ben Malisow: Good, checksum. What's a checksum do? What is it? And we'll talk about this in a little while, too. It takes a mathematical picture of what that data is, and then you compare it at the end of whenever you're done processing it, whenever you're done using it, to make sure that that mathematical value for that object is the same as when you started, so that you know that nothing happened in between there, right? Good. Good. IPS, what's IPS? I didn't spell that one out, sorry.

Student: Intrusion prevention system.

Ben Malisow: Good. Intrusion prevention system, we're going to drill down on those, too. Intrusion prevention systems can both detect and prevent and correct when we've had malware on the system.


Encryption, we've got a whole module on encryption. But just to touch on it briefly, what does it mean? What does encryption mean? What does it do? If I encrypt something, what am I doing to it? I'm not sealing it in a crypt.

Student: You're making sure that only the recipient can read it.

Ben Malisow: Say again.

Student: Making sure that only authorized people can read it.

Ben Malisow: Good, yes. I take-- and like I said, we'll get into this. We take plain text, we run it through some obscuring mechanism. And we come up with cipher text that only people who have the key or who have access to it can read that cipher text by putting it back into plain text. It supports, we talked about the CIA triad, confidentiality, meaning keeping it secret, and authentication. You're authenticating access to the information by ensuring that only people who have that key have access to it. Good. Hashing it, we're going to get into detail on hashes, too. Similar to a checksum, you're going to take the information; you're going to put it through an algorithm. You're going to come up with a mathematical representation of what that information is. It's not encryption itself. The hashing is not an encryption itself because you can't recover the data from the value, but what you can do is be assured that only that data, unchanged, will give you that same hash value.


All right, and validation. Encryption helps with validation. By using the hash, we can be sure that the data hasn't changed from point A to point B. Good stuff.

Physical Access Control


Includes the full spectrum of tangible controls (locks, doors, fences, windows, environmental, guards, etc.)

Often described by security “zones” (increasing levels of control, using differing controls, surrounding the assets)

Human safety is paramount

**033 Physical access control, we talked a little bit about this earlier. It's got everything in the tangible world. We're going to talk about that. We've got a whole module on physical security, as well. But this should be part of your access control program. Do not just think that everything has to be logical. Unfortunately, in the IT world, a lot of us just love the bits and bytes. We forget about putting a lock on the door. That's important stuff, too. This is valuable data. Good.


And like we talked about domains in our access, or our information hierarchy, we should have the same thing in our physical zones. Do we want to put our mailroom inside a SCIF? No. Why not? I'm sorry, what's a SCIF?

Student: The mail can't come out then.

Ben Malisow: That might be useful. We might actually want to try this. What's a SCIF, sorry? Sorry.

Student: Secure compartmented information facility, something like that.

Ben Malisow: I think, yeah. I think it's sensitive compartmentalized information facility. But yeah, all those things. It's a box, right? It's a box with a lock on it. And people go in there and work. And we throw cheese at them every now and then. Good. Yeah. It's very secure. When you leave, you have to lock it behind you. When you come back, you have to unlock it to get in. You don't want to put the mail in there because you want the mail to be dispersed. It shouldn't be protected at that level. So your zones should be based on your information classification. Why do we say this? Why do we say this? Why do we have to say that when it comes to security? What's the important thing to remember when we're securing everything, when we're locking it up?

Student: In case of an emergency, people can get out.

Ben Malisow: Yes, yes. Fail safe, instead of fail secure, right? When the fire alarm starts going off, everyone can push that bar on the door and still get out, right? There's very, very small amounts of data that are worth anybody dying for or even getting hurt for.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.
