Information Systems Security Access Control (itgov.cs.ui.ac.id/security/CISSP Access Control 2005.pdf)

University of Indonesia

Magister of Information Technology

Information Systems Security

Access Control

Arrianto Mukti Wibowo, M.Sc.,

Faculty of Computer Science

University of Indonesia

[email protected]

Access Control Systems & Methodology

University of Indonesia – University of Budi Luhur

Magister of Information Technology

Domain objectives

• Learn the mechanisms and methods that administrators/managers use to control what users may access, including what they may do after authentication and authorization, and how that access is monitored.

Topics covered

• Identification,

• authentication,

• authorization,

• access control models,

• access control techniques,

• access control methods,

• access control administration,

• threats to access controls

Who?

How?

What is access control?

• Access control is the heart of security

• Definitions:

– The ability to allow only authorized users, programs or processes system or resource access

– The granting or denying, according to a particular security model, of certain permissions to access a resource

– An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on preestablished rules.

How can AC be implemented?

• Administrative controls

– Policies

– Procedures

• Logical controls

– Passwords

• Physical controls

– Electric door

What does AC hope to protect?

• Data - Unauthorized viewing, modification or copying

• System - Unauthorized use, modification or denial of service

• It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Administrative access control

• Awareness training

• Background checks

• Separation of duties

• Split knowledge

• Policies

• Data classification

• Effective user registration

• Termination procedures

• Change control procedures

Physical access control

• Guards

• Locks

• Mantraps

• ID badges

• CCTV, sensors, alarms

• Biometrics

• Fences - the higher the voltage the better

• Card-key and tokens

• Guard dogs

Man Trap

1. Insert the identification card (what you have)

2. Type a secret 12-digit number (what you know)

3. The computer randomly selects words that must be repeated aloud (who you are)

Typical Access Rights

Read, inquiry or copy only

Write, create, update or delete only

Execute only

A combination of the above

Mandatory vs Discretionary Access Control

• Mandatory

– "The system decides how the data will be shared"

– Enforces corporate security policy

– Compares sensitivity of information resources

• Discretionary

– "You decide how you want to protect and share your data"

– Enforces data-owner-defined sharing of information resources

Mandatory Access Control

• Assigns sensitivity levels, AKA labels

• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.

• Only the administrators, not object owners, can change the object level

• Generally more secure than DAC

• Orange book B-level

• Used in systems where security is critical, i.e., military

• Hard to program for and configure & implement

Mandatory Access Control (Continued)

• Downgrade in performance

• Relies on the system to control access

• Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.

• All output, i.e., print jobs, floppies, other magnetic media must be labeled as to the sensitivity level
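Added example (not part of the original slides): a small label check in Python that enforces the MAC rules above, namely reads only up to the user's clearance, no writing of higher-labelled data into a lower-labelled file, and relabelling by administrators only. The class and function names are hypothetical, and tracking what a session has read with a high-water mark is a simplifying assumption of this sketch.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels, ordered from lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Subject:
    name: str
    clearance: Level
    is_admin: bool = False
    # Highest label this session has read so far (assumption: high-water mark).
    high_water: Level = Level.UNCLASSIFIED


@dataclass
class Resource:
    name: str
    label: Level


class AccessDenied(Exception):
    pass


def read(subject: Subject, obj: Resource) -> None:
    """An object is readable only by users cleared up to its level."""
    if subject.clearance < obj.label:
        raise AccessDenied(f"{subject.name} is not cleared for {obj.label.name}")
    # From now on the session may hold data at this level.
    subject.high_water = max(subject.high_water, obj.label)


def write(subject: Subject, obj: Resource) -> None:
    """Refuse to let higher-labelled data flow into a lower-labelled object."""
    if subject.high_water > obj.label:
        raise AccessDenied(
            f"{subject.name} holds {subject.high_water.name} data; "
            f"{obj.name} is only {obj.label.name}")


def relabel(actor: Subject, obj: Resource, new_label: Level) -> None:
    """Only administrators, not object owners, may change an object's level."""
    if not actor.is_admin:
        raise AccessDenied(f"{actor.name} may not relabel {obj.name}")
    obj.label = new_label


def allowed(action, *args) -> bool:
    """Run one check and report the decision instead of raising."""
    try:
        action(*args)
        return True
    except AccessDenied:
        return False


def demo() -> dict:
    # Constructed subjects and objects for illustration.
    analyst = Subject("analyst", Level.SECRET)
    clerk = Subject("clerk", Level.CONFIDENTIAL)
    admin = Subject("secadmin", Level.TOP_SECRET, is_admin=True)
    memo = Resource("memo.txt", Level.CONFIDENTIAL)
    plan = Resource("plan.txt", Level.SECRET)
    result = {
        "clerk_reads_plan": allowed(read, clerk, plan),            # not cleared
        "analyst_writes_memo_before": allowed(write, analyst, memo),
        "analyst_reads_plan": allowed(read, analyst, plan),
        "analyst_writes_memo_after": allowed(write, analyst, memo),  # write-down
        "analyst_relabels_memo": allowed(relabel, analyst, memo, Level.SECRET),
        "admin_relabels_memo": allowed(relabel, admin, memo, Level.SECRET),
    }
    # Once the administrator raises the label, the write is no longer a downgrade.
    result["analyst_writes_memo_relabelled"] = allowed(write, analyst, memo)
    return result


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'allow' if decision else 'deny'}")
```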

Discretionary Access Control

• Access is restricted based on the authorization granted to the user

• Orange book C-level

• Prime use is to separate and protect users from unauthorized data

• Used by Unix, NT, NetWare, Linux, Vines, etc.

• Relies on the object owner to control access

Access control lists (ACL)

• A file used by the access control system to determine who may access what programs and files, in what method and at what time

• Different operating systems have different ACL terms

• Types of access:

– Read/Write/Create/Execute/Modify/Delete/Rename

Standard UNIX file permissions

Permission     Allowed action if object is a file     Allowed action if object is a directory

R (read)       Reads contents of a file               List contents of the directory

X (execute)    Execute file as a program              Search the directory

W (write)      Change file contents                   Add, rename, create files and subdirectories

Standard NT file permissions

Permission      Allowed action if object is a file     Allowed action if object is a directory

No access       None                                   None

List            N/A                                    RX

Read            RX                                     RX

Add             N/A                                    WX

Add & Read      N/A                                    RWX

Change          RWXD                                   RWXD

Full Control    All                                    All

R - Read, X - Execute, W - Write, D - Delete

Authentication

3 types of authentication:

• Something you know - Password, PIN, mother's maiden name, passcode, fraternity chant

• Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport

• Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Multi-factor authentication

2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.

– ATM card + PIN

– Credit card + signature

– PIN + fingerprint

– Username + Password (NetWare, Unix, NT default)

3-factor authentication -- For highest security

– Username + Password + Fingerprint

– Username + Passcode + SecurID token

Problems with passwords

Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.

Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords.

Dictionary attacks are only feasible because users choose easily guessed passwords!

Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember

Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Disadvantages of passwords

• An eavesdropper can steal the password while it is being spoken

• A thief can steal the password list on the server

• The password may be easy to guess

• In order to make password use more secure, the computer may end up making the computer less convenient to use. E.g.: the computer chooses the password, or the password must be changed after a certain period

Classic password rules

• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin

• Don't use:

– common names, DOB, spouse, phone #, etc.

– word found in dictionaries

– password as a password

– systems defaults

On-line password guessing & its prevention

• Dictionary attack

• Some computers force the password to be entered only by a human (not by a program). Humans are relatively slow.

• There is a maximum number of retries. E.g.: an ATM card can be swallowed. But this can lead to vandalism: someone who has all the usernames can write a program that tries to log in to every username. After 5 attempts, the system will lock!

• Another way: every wrong password entered is processed v e r y   s l o w l y .. .. .. !

• Can detect: the last successful & unsuccessful login, from where and when

• Some force the user to use a computer-generated password: users dislike memorizing it… so they write it down on paper! E.g.: geocities

• Often uses a combination of @$*%$ symbols, digits and UPPERCASE letters

• Some also force a password change after a certain period
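Added example (not part of the original slides): a login throttle in Python that implements the "process wrong passwords slowly" idea instead of a hard lock after N retries, and records the last successful and unsuccessful login with its source. The class name, delay values, addresses and demo verifier are assumptions made for this sketch; time is passed in explicitly so the behaviour can be checked without waiting.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class AccountState:
    failures: int = 0            # consecutive wrong passwords
    next_allowed: float = 0.0    # earliest time the next attempt is processed
    last_success: Optional[Tuple[float, str]] = None   # (when, from where)
    last_failure: Optional[Tuple[float, str]] = None


class LoginThrottle:
    """Slow down repeated failures instead of locking the account for good."""

    def __init__(self, check_password: Callable[[str, str], bool],
                 base_delay: float = 1.0, max_delay: float = 300.0):
        self.check_password = check_password
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, source: str, now: float) -> str:
        state = self.accounts.setdefault(user, AccountState())
        if now < state.next_allowed:
            # Still inside the delay window: do not even test the password.
            return "throttled"
        if self.check_password(user, password):
            state.failures = 0
            state.next_allowed = 0.0
            state.last_success = (now, source)
            return "ok"
        state.failures += 1
        state.last_failure = (now, source)
        # 1 s, 2 s, 4 s, ... capped at max_delay, so a script that hammers
        # every username delays the owners but never locks them out for good.
        delay = min(self.base_delay * 2 ** (state.failures - 1), self.max_delay)
        state.next_allowed = now + delay
        return "denied"


# Constructed demo verifier; a real system compares salted password hashes.
_DEMO_PASSWORDS = {"alice": "hex7goop"}


def _check(user: str, password: str) -> bool:
    if user not in _DEMO_PASSWORDS:
        return False
    return hmac.compare_digest(password.encode(), _DEMO_PASSWORDS[user].encode())


def demo():
    throttle = LoginThrottle(_check)
    script = [  # (time in seconds, password, source address), all constructed
        (0.0, "guess1", "10.0.0.9"),
        (0.5, "guess2", "10.0.0.9"),      # arrives inside the 1 s window
        (1.0, "guess3", "10.0.0.9"),
        (3.0, "guess4", "10.0.0.9"),
        (5.0, "hex7goop", "192.0.2.10"),  # the owner, but window is open until t=7
        (7.0, "hex7goop", "192.0.2.10"),
    ]
    statuses = [throttle.attempt("alice", pw, src, t) for t, pw, src in script]
    return statuses, throttle.accounts["alice"]


if __name__ == "__main__":
    statuses, state = demo()
    print(statuses)
    print("last failure:", state.last_failure, "last success:", state.last_success)
```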

Off-line Password Guessing

• Guessing the password through its hash, because the hash of a common password is always the same

• Backups of the disks in the server must also be encrypted
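Added example (not part of the original slides): why identical hashes for common passwords matter for stored credentials, and how a per-user random salt with a slow key-derivation function removes that property. The record layout, iteration count and account names are assumptions made for this sketch; salting is a mitigation added here, not something the slide states.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # example value (assumption); tune to your own hardware


def unsalted_record(password: str) -> str:
    """Weak form: the same password always produces the same stored hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = None) -> str:
    """Stronger form: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Record layout is made up for this example: scheme$iterations$salt$digest
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_hashes(table: dict) -> list:
    """Audit helper: groups of users whose stored hash is identical."""
    by_hash = defaultdict(list)
    for user, stored in table.items():
        by_hash[stored].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def demo():
    # Constructed accounts: two users happen to pick the same common password.
    chosen = {"andi": "password", "budi": "password", "citra": "hex7goop"}
    weak = {user: unsalted_record(pw) for user, pw in chosen.items()}
    strong = {user: salted_record(pw) for user, pw in chosen.items()}
    # In the weak table one guessed hash exposes every user in a group;
    # in the salted table each record has to be worked on separately.
    return shared_hashes(weak), shared_hashes(strong), strong


if __name__ == "__main__":
    weak_groups, strong_groups, strong = demo()
    print("identical hashes without salt:", weak_groups)
    print("identical hashes with salt:   ", strong_groups)
    print("andi logs in:", verify("password", strong["andi"]))
```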

Password distribution

• The user comes to the administrator. What if someone is impersonating the user?

• Use a photo ID (KTP/SIM/KTM: national ID card, driving licence or student card)

• The user chooses their password at a dedicated terminal.

• Or the user is given a password that is used for the first login and must then be changed. This is called a pre-expired password

• An improper method: the password is the NPM (student ID number), announced by broadcast (for example, posted on a notice board).

• At a bank, we are sent a letter that contains our PIN. What is your opinion?

Authentication Token

• What you have!

• house key, credit card

• can be stolen!

• The advantage may be psychological: people are less willing to lend a card than a password!

• Usually needs additional hardware: for example a smart card / magnetic card reader

Smart Card

The size of a credit card, but with a processor inside. There are several kinds:

• PIN protected memory card: the contents can only be opened if the PIN is correct

• Cryptographic challenge & response cards

• Contactless smart card

Uses:

– Bank cards: debit & credit

– ID card, including for login. One card for all access

– Wallet for e-cash

– Payphone

– Loyalty program

– Parking ticket

– Health card: can keep data confidential

[Figure: sample bank card showing a card number, expiry date and cardholder name]

Biometrics

• Authenticating a user via human characteristics

• Using measurable physical characteristics of a person to prove their identification

– Fingerprint

– signature dynamics

– Iris

– retina

– voice

– face

– DNA, blood

Physical identification of humans

Fingerprint scan

Hand Geometry

Hand Signature

Advantages of fingerprint-based biometrics

• Can't be lent like a physical key or token and can't be forgotten like a password

• Good compromise between ease of use, template size, cost and accuracy

• Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases

• Basically lasts forever -- or at least until amputation or dismemberment

• Makes network login & authentication effortless

Biometric Disadvantages

Still relatively expensive per user

Companies & products are often new & immature

No common API or other standard

Some hesitancy for user acceptance

Performance Issues

• False Rejection Rate (type 1 error): the percentage of valid subjects that are rejected

• False Acceptance Rate (type 2 error): the percentage of invalid subjects that are accepted by the system

• Cross Error Rate (CER): FRR equals FAR

• The problem is that when sensitivity is raised, FRR goes up and FAR goes down. The optimum point, namely the CER, has to be found
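Added example (not part of the original slides): computing FRR and FAR over a range of sensitivity settings and locating the point where they meet. The match scores are constructed, and treating "sensitivity" as an acceptance threshold on a 0 to 1 match score is an assumption of this sketch.

```python
# Constructed match scores (0 = no similarity, 1 = perfect match).
GENUINE = [0.91, 0.88, 0.84, 0.80, 0.77, 0.73, 0.69, 0.62, 0.55, 0.48]   # valid subjects
IMPOSTOR = [0.60, 0.52, 0.47, 0.41, 0.38, 0.33, 0.29, 0.24, 0.18, 0.12]  # invalid subjects


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when only scores >= threshold are accepted."""
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def sweep(start=10, stop=100, step=5):
    """(threshold, FRR, FAR) for thresholds start/100, (start+step)/100, ..."""
    return [(t / 100, *rates(t / 100)) for t in range(start, stop, step)]


def is_tradeoff(points):
    """True if FRR never falls and FAR never rises as the threshold increases."""
    return all(a[1] <= b[1] and a[2] >= b[2] for a, b in zip(points, points[1:]))


def crossover(points):
    """The swept setting where FRR and FAR are closest: the CER operating point."""
    return min(points, key=lambda p: abs(p[1] - p[2]))


if __name__ == "__main__":
    points = sweep()
    for threshold, frr, far in points:
        print(f"threshold {threshold:.2f}  FRR {frr:5.0%}  FAR {far:5.0%}")
    t, frr, far = crossover(points)
    print(f"crossover at threshold {t:.2f}: FRR {frr:.0%}, FAR {far:.0%}")
```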

Cross Error Rate

[Figure: FRR and FAR (%) plotted against sensitivity, with the CER marked]

Random Number Generator

• For example KeyBCA

• Challenge & response

• Which category does it belong to?

– What you know?

– What you have?

– Who you are?

Logical Access Control

Logical Access Controls

• Access control of the IT infrastructure can be applied at various levels

– Front end & Back end

– How networks segregate & protect access to information resources.

• Paths of Logical Access

– General points of entry

• Network connectivity

• Remote access

• Operator console

• Online workstations or terminals

Logical Access Controls: Protection

• Logical Access Control Software

– Prevents unauthorized access and modification to an organization's sensitive data and use of system critical functions

– All layers: networks, operating systems, databases & application systems

– Software functions:

• Identification and authentication

• Access authorization

• Monitoring: logging of user activity, reporting

– Most effective implementation: at the network and operating system level (restricting privileges at a low level)

Logical Access Controls

Operating systems access control

• User identification and authentication mechanisms

• Restricted logon IDs

• Rules for access to specific information resources

• Create individual accountability and auditability

• Create or change user profiles

• Log events

• Log user activities

• Report capabilities

Database and/or application-level access control

• Create or change data files and database profiles

• Verify user authorization at the application and transaction levels

• Verify user authorization within the application

• Verify user authorization at the field level for changes within a database

• Verify subsystem authorization for the user at the file level

• Log database/data communications access activities for monitoring access violations

Single sign-on (SSO)

SSO is the process of consolidating all of an organization's platform-based administration, authentication and authorization functions into a single centralized administrative function. A single sign-on product interfaces with:

• client-server and distributed systems

• mainframe systems

• network security including remote access mechanisms

Single Sign On

Single sign-on (SSO) advantages

• Multiple passwords are no longer required, so a user may be more inclined and motivated to select a stronger password

• It improves an administrator's ability to manage users' accounts and authorizations to all associated systems

• It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications

• It reduces the time taken by users to log into multiple applications and platforms

Single sign-on (SSO) disadvantages

• Support for all major operating system environments is difficult

• The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary

• The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets

Key Distribution Centre (overview)

Pros and cons of a KDC

• Advantages:

– when there is a new user, they only need to be added at the KDC

– if one user is compromised, not all nodes are compromised

• Disadvantages:

– the KDC can forge the identity of other people

– the KDC is the weak point of the system

– KDC performance can degrade when a great many people contact the KDC at the same time.

Example of a KDC: Kerberos 5

• Published in RFC 1510 by Kohl and Neuman in 1993; the source code can be obtained from http://web.mit.edu.

• Products that use it include OSF Distributed Computing Environment (DCE) and Windows 2000.

Kerberos objects

• Authentication: a token created by the client and sent to the server to prove the user's identity

• Ticket: issued by the TGS (ticket granting service); the client can "present" it to a particular service server (for example a database server).

• Session key: a random key generated by Kerberos and given to the client when it wants to communicate with a particular server.

Note:

• The client needs a 'ticket' and a session key to communicate with a particular server; the ticket has a validity period of a few hours.

Rule of least privilege

• One of the most fundamental principles of infosec

• States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.

• An AC system that grants users only those rights necessary for them to perform their work

• Limits exposure to attacks and the damage an attack can cause

• Ensure that only a minimal set of users have root access
