SSCP Chpt_1


Transcript of SSCP Chpt_1

Page 1: SSCP Chpt_1

Access Control, Slide 1 of 71

Access Control
James Moore
Information Security Operations, e^deltacom
President, ISSA – Metro Atlanta
SSCP

Page 2: SSCP Chpt_1

Overview
• What is Access Control?
• Basic Approach
• Access Control Models
• Authentication
• TEMPEST
• Watching the Door!
• Iterative Methods Review
• Quiz

Page 3: SSCP Chpt_1

What is Access Control?

Page 4: SSCP Chpt_1

What is access control?
• Access control is the heart of security
• Definitions:
– The ability to allow only authorized users, programs or processes to access a system or resource
– The granting or denying, according to a particular security model, of certain permissions to access a resource
– An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on established rules.

Page 5: SSCP Chpt_1

Access control nomenclature
• Authentication
– Process through which one proves and verifies certain information
• Identification
– Process through which one ascertains the identity of another person or entity
• Confidentiality
– Protection of private data from unauthorized viewing
• Integrity
– Data is not corrupted or modified in any unauthorized manner
• Availability
– System is usable. Contrast with DoS.

Page 6: SSCP Chpt_1

Key Terms
• Subject – an active entity, usually in the form of a person, process, or device, that causes information to flow among objects.
• Object – a passive entity that contains or receives information, usually in the form of a file, program, or memory.

Page 7: SSCP Chpt_1

Labels
• Sensitivity Labels
– Every subject and object in a MAC system has a sensitivity label. Each label has two parts:
• Classification and Category (or compartment)
– Classification: Secret, Top Secret, Confidential (hierarchical)
– Category: Tank Specs, Payroll, Sales Projections
• Example:
– James object sensitivity label: Secret
– R&D compartment sensitivity label: Confidential

Page 8: SSCP Chpt_1

How can AC be implemented?
– Hardware
– Software
• Application
• Operating System
• File System
• Protocol
– Physical
– Logical (policies)

Page 9: SSCP Chpt_1

What does AC hope to protect?
• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) relies on a secure physical infrastructure

Page 10: SSCP Chpt_1

Orange Book
• DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
• Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
• For stand-alone systems only

Page 11: SSCP Chpt_1

Orange book levels
• A - Verified protection
• B - MAC
• C - DAC
• D - Minimal security. Systems that have been evaluated, but failed

Page 12: SSCP Chpt_1

BASIC APPROACH

Page 13: SSCP Chpt_1

Banners
• Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
• Not foolproof, but a good start, especially from a legal perspective
• Make sure that the banner does not reveal system information, e.g., OS, version, hardware, etc.

Page 14: SSCP Chpt_1

Rule of least privilege
• One of the most fundamental principles of infosec
• States that any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can cause
• Physical security example: car ignition key vs. door key

Page 15: SSCP Chpt_1

Implementing least privilege
• Ensure that only a minimal set of users have root access
• Don’t make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
• Don’t run insecure programs on the firewall or other trusted hosts

Page 16: SSCP Chpt_1

Multi-factor authentication
• 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
– ATM card + PIN
– Credit card + signature
– PIN + fingerprint
– Username + Password (NetWare, Unix, NT default)
• 3-factor authentication -- For highest security
– Username + Password + Fingerprint
– Username + Passcode + SecurID token

Page 17: SSCP Chpt_1

Proactive access control
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures

Page 18: SSCP Chpt_1

AC & privacy issues
• Expectation of privacy
• Policies
• Monitoring activity, Internet usage, e-mail
• Login banners should detail expectations of privacy and state levels of monitoring

Page 19: SSCP Chpt_1

System Accountability
• Requires system to provide for at least the following:
– The ability to audit transactions
– Control access through authentication
– Provide effective identification

Page 20: SSCP Chpt_1

Access Control Models

Page 21: SSCP Chpt_1

Varied types of Access Control
• Discretionary (DAC)
– The user/object owner decides the access
• Mandatory (MAC)
– The system decides the access
• Non-Discretionary (Lattice/Role/Task)
– The role determines access
• Formal models:
– Biba
– Clark/Wilson
– Bell/LaPadula

Page 22: SSCP Chpt_1

Biba
• The Biba model addresses the issue of integrity, i.e. whether information can become corrupted. A new label is used to gauge integrity. If a high-security object comes into contact with low-level information, or is handled by a low-level program, its integrity level can be downgraded. For instance, if one used an insecure program to view a secure document, the program might corrupt the document, append to it, truncate it, or even covertly communicate it to another part of the system.

Page 23: SSCP Chpt_1

Clark Wilson
• Clark and Wilson have also created a model which includes an attention to data integrity.
• Data objects can only be manipulated by a certain set of programs. Users have access to the programs rather than to the data (e.g. this is like the WWW or a database).
• Separation of duties: assigning different roles to different users. For instance, think of the dual-key approach to arming nuclear warheads.
• Objects/data can only be accessed by authorized programs (ensures integrity).
• Subjects/users only have access to certain programs.
• An audit log is maintained over external transactions.
• The system must be certified in order for it to work.

Page 24: SSCP Chpt_1

Bell LaPadula
• This is a formal description of a system with static access control, i.e. privacy. It tells us nothing about integrity or trust.
• Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.

BLP                    Unix
Subjects (S)           UID/Username, GID/Groups
Objects (O)            Files, processes, memory segments
Access rights (M)      Read, Write, Execute
Security levels (L)    Allowed/Disallowed, Setuid/Setgid

Page 25: SSCP Chpt_1

Problems with formal models
• Based on a static infrastructure
• Defined and succinct policies
• These do not work in corporate systems, which are extremely dynamic and constantly changing
• None of the previous models deals with:
– Viruses/active content
– Trojan horses
– Firewalls
• Limited documentation on how to build these systems

Page 26: SSCP Chpt_1

MAC vs. DAC
• Discretionary Access Control
– Individuals decide how information assets are protected and how their data is shared
• Mandatory Access Control
– The system decides how the data will be shared

Page 27: SSCP Chpt_1

Mandatory Access Control
• Assigns sensitivity levels, AKA labels
• Every object is given a sensitivity label and is accessible only to users who are cleared up to that particular level.
• Only the administrators, not object owners, may change the object level
• Generally more secure than DAC
• Orange book B-level
• Used in systems where security is critical, e.g., military
• Hard to program for, configure and implement

Page 28: SSCP Chpt_1

Mandatory Access Control (Continued)
• Downgrade in performance
• Relies on the system to control access
• Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
• All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
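The two-part sensitivity labels from slide 7 and the "no write down" example above can be turned into a small reference monitor. This is an added example, not code from the slides: the classification ranks, the compartment names and the subject/object labels are constructed, and the read/write rules are the Bell-LaPadula simple security and *-properties.

```python
# Added example (not from the slides): a minimal Bell-LaPadula style reference
# monitor over two-part sensitivity labels (hierarchical classification plus a set
# of categories/compartments). Ranks and sample labels are constructed here.

CLASSIFICATIONS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class Label:
    """Sensitivity label: a classification plus a set of compartments."""

    def __init__(self, classification, compartments=()):
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {classification}")
        self.classification = classification
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """True if self is at least as high as other in BOTH parts:
        classification rank >= other's AND compartments a superset of other's."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)

    def __repr__(self):
        return f"Label({self.classification!r}, {sorted(self.compartments)})"


def mac_decision(subject, obj, mode):
    """Decide a MAC access request with the two BLP rules; the system, not the
    object owner, makes the call.

    read  : simple security property ("no read up"): subject must dominate object.
    write : *-property ("no write down"): object must dominate subject, so a
            Secret subject cannot put Secret data into a Confidential file.
    Returns (allowed, reason).
    """
    if mode == "read":
        ok = subject.dominates(obj)
        return ok, "allowed" if ok else "denied: read up (subject does not dominate object)"
    if mode == "write":
        ok = obj.dominates(subject)
        return ok, "allowed" if ok else "denied: write down (object does not dominate subject)"
    raise ValueError(f"unknown access mode: {mode}")


if __name__ == "__main__":
    # Constructed labels: James is cleared Secret for the R&D and Payroll compartments.
    james = Label("Secret", {"R&D", "Payroll"})
    confidential_file = Label("Confidential", {"R&D"})
    top_secret_file = Label("Top Secret", {"R&D", "Payroll"})
    sales_file = Label("Secret", {"Sales Projections"})

    for obj, mode in [(confidential_file, "read"), (confidential_file, "write"),
                      (top_secret_file, "read"), (top_secret_file, "write"),
                      (sales_file, "read")]:
        print(f"{mode:5} {obj}: {mac_decision(james, obj, mode)[1]}")
```

Note that a Secret subject may write into the Top Secret file but not read it, and cannot read a Secret file in a compartment it is not cleared for: both halves of the label matter.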

Page 29: SSCP Chpt_1

Discretionary Access Control
• Access is restricted based on the authorization granted to the user
• Orange book C-level
• Prime use is to separate and protect users from unauthorized data
• Used by Unix, NT, NetWare, Linux, Vines, etc.
• Relies on the object owner to control access

Page 30: SSCP Chpt_1

Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, in what method and at what time
• Different operating systems have different ACL terms
• Types of access:
– Read/Write/Create/Execute/Modify/Delete/Rename

Page 31: SSCP Chpt_1

Standard UNIX file permissions

Permission    Allowed action, if object is a file    Allowed action, if object is a directory
R (read)      Read contents of the file              List contents of the directory
X (execute)   Execute file as a program              Search the directory
W (write)     Change file contents                   Add, rename, create files and subdirectories
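The table above and the setuid/setgid advice on slide 15 can both be checked from a mode word. The following is an added example, not from the slides: it decodes r/w/x per class using the file-or-directory column from the table and flags the privilege bits least privilege cares about; the paths and modes are constructed so it runs offline, but the same functions accept `os.stat()` results.

```python
# Added example (not from the slides): decode a Unix mode word into the per-class
# r/w/x meaning (file vs. directory column) and flag setuid-root, setgid and
# world-writable bits. Sample paths and modes below are constructed.
import stat

# Meaning of each permission bit depends on the object type: (file, directory).
ACTIONS = {
    "r": ("read contents of the file", "list contents of the directory"),
    "w": ("change file contents", "add, rename, create files and subdirectories"),
    "x": ("execute file as a program", "search the directory"),
}

CLASSES = {  # (read bit, write bit, exec bit) for each permission class
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}


def allowed_actions(mode):
    """Map owner/group/other to the actions their bits permit, picking the
    directory column when the mode's type bits say S_IFDIR."""
    col = 1 if stat.S_ISDIR(mode) else 0
    result = {}
    for cls, bits in CLASSES.items():
        result[cls] = [ACTIONS[letter][col]
                       for letter, bit in zip("rwx", bits) if mode & bit]
    return result


def privilege_flags(mode, owner_uid):
    """Least-privilege warnings for a (mode, owner uid) pair. setuid to root is
    the case to avoid; setgid to a group is the recommended alternative and is
    only reported so the reviewer can confirm the group is the intended one."""
    flags = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        flags.append("setuid-root" if owner_uid == 0 else "setuid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        flags.append("setgid-group")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def describe(label, mode, owner_uid):
    """Readable summary; mode and uid are parameters so the function works on
    constructed values as well as on st_mode/st_uid from os.stat()."""
    lines = [f"{label}: {stat.filemode(mode)} flags={privilege_flags(mode, owner_uid)}"]
    for cls, actions in allowed_actions(mode).items():
        lines.append(f"  {cls:5}: {', '.join(actions) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples: a setuid-root binary, the setgid alternative, a directory.
    samples = [
        ("/usr/local/bin/legacy-tool (constructed)", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
        ("/usr/local/bin/group-tool (constructed)", stat.S_IFREG | stat.S_ISGID | 0o755, 0),
        ("/srv/shared (constructed)", stat.S_IFDIR | 0o750, 1000),
    ]
    for label, mode, uid in samples:
        print(describe(label, mode, uid))
```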

Page 32: SSCP Chpt_1

Standard NT file permissions

Permission     Allowed action, if object is a file    Allowed action, if object is a directory
No access      None                                   None
List           N/A                                    RX
Read           RX                                     RX
Add            N/A                                    WX
Add & Read     N/A                                    RWX
Change         RWXD                                   RWXD
Full Control   All                                    All

R - Read, X - Execute, W - Write, D - Delete

Page 33: SSCP Chpt_1

Physical access control
• Guards
• Locks
• Mantraps
• ID badges
• CCTV, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs

Page 34: SSCP Chpt_1

Object reuse
• Must ensure that magnetic media does not retain any remnants of previous data
• Also applies to buffers, cache and other memory allocation
• Required at TCSEC B2/B3/A1 level
• Objects must be declassified
• Magnetic media must be degaussed or have secure overwrites

Page 35: SSCP Chpt_1

Authentication

Page 36: SSCP Chpt_1

Authentication
3 types of authentication:
• Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant
• Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
• Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Page 37: SSCP Chpt_1

Problems with passwords
• Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
• Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
• Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
• Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Page 38: SSCP Chpt_1

Classic password rules
• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
• Don’t use:
– common names, DOB, spouse, phone #, etc.
– words found in dictionaries
– "password" as a password
– system defaults

Page 39: SSCP Chpt_1

Password management
• Configure system to use strong passwords
• Set password time and length limits
• Limit unsuccessful logins
• Limit concurrent connections
• Enable auditing
• Have policies for password resets and changes
• Use last login dates in banners

Page 40: SSCP Chpt_1

Password Attacks
• Brute force
– l0phtcrack
• Dictionary
– Crack
– John the Ripper
– for a comprehensive listing, see Alan Lustiger or attend his presentation at the CSI conference in November
• Trojan horse login program

Page 41: SSCP Chpt_1

Biometrics
• Authenticating a user via human characteristics
• Using measurable physical characteristics of a person to prove their identity
– Fingerprint
– Signature dynamics
– Iris
– Retina
– Voice
– Face
– DNA, blood

Page 42: SSCP Chpt_1

Biometric Disadvantages
• Still relatively expensive per user - most expensive, but also most secure
• Companies & products are often new & immature
• No common API or other standard
• Some hesitancy for user acceptance

Page 43: SSCP Chpt_1

Biometric privacy issues
• Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
• Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
• Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Page 44: SSCP Chpt_1

Practical biometric applications
• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Social Security, welfare, etc.)
• Verifying identities at point of sale
• Using in conjunction with ATM, credit or smart cards
• Controlling physical access to office buildings or homes
• Protecting personal property
• Preventing kidnapping in schools, play areas, etc.
• Protecting children from fatal gun accidents
• Voting/passports/visas & immigration

Page 45: SSCP Chpt_1

Tokens
• Used to facilitate one-time passwords
• Physical card
• SecurID
• S/Key
• Smart card
• Access token

Page 46: SSCP Chpt_1

Authentication in the Enterprise

Page 47: SSCP Chpt_1

Single sign-on
• User has one password for all enterprise systems and applications
• That way, one strong password can be remembered and used
• All of a user’s accounts can be quickly created on hire, deleted on dismissal
• Hard to implement and get working
• Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509

Page 48: SSCP Chpt_1

Kerberos
• Part of MIT’s Project Athena
• Kerberos is an authentication protocol used for network-wide authentication
• All software must be kerberized
• Tickets, authenticators, key distribution center (KDC)
• Divided into realms

Page 49: SSCP Chpt_1

Kerberos roles
• KDC divided into Authentication Server & Ticket Granting Server (TGS)
• Authentication Server - authenticates the identities of entities on the network
• TGS - Generates unique session keys between two parties. Parties then use these session keys for message encryption

Page 50: SSCP Chpt_1

Kerberos authentication
• User must have an account on the KDC
• KDC must be a trusted server in a secured location
• Shares a key with each user
• When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
• User provides ticket and authenticator to the application, which processes them for validity and will then grant access.

Page 51: SSCP Chpt_1

Problems with Kerberos
• Each piece of software must be kerberized
• Requires synchronized time clocks
• Relies on UDP, which is often blocked by many firewalls
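The ticket and authenticator flow of the last three slides, as an added toy walk-through that is not code from the slides or from MIT Kerberos. It simulates "sealed under a key" with HMAC-SHA256 over JSON (integrity only, where real Kerberos encrypts), and the principals, keys and lifetimes are constructed; the point is to show why the application checks the ticket, the authenticator and the clock skew separately.

```python
# Added example (not from the slides or MIT Kerberos): toy KDC -> user -> service
# exchange. seal()/open_sealed() stand in for encryption and give integrity only.
import hashlib, hmac, json, secrets, time

MAX_SKEW = 300  # seconds of clock drift tolerated: why clocks must be synchronized


def seal(key, payload):
    """Toy stand-in for 'encrypt under key': sorted JSON plus an HMAC tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def open_sealed(key, blob):
    """Verify the tag with the given key, then decode; raises on mismatch."""
    body, _, tag = blob.rpartition(b".")
    expect = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad seal: wrong key or tampered message")
    return json.loads(body)


class KDC:
    """Authentication Server and Ticket Granting Server in one: holds the
    long-term key shared with every user and every service (constructed)."""

    def __init__(self, keys):
        self.keys = keys  # principal name -> key bytes

    def request_ticket(self, user, service, now, lifetime=8 * 3600):
        session_key = secrets.token_hex(16)  # unique per (user, service) pair
        ticket = seal(self.keys[service], {"user": user, "service": service,
                                           "session_key": session_key,
                                           "expires": now + lifetime})
        # The session key goes back to the user sealed under the user's own key.
        return seal(self.keys[user], {"session_key": session_key, "service": service}), ticket


def make_authenticator(session_key, user, now):
    """Client-side proof of holding the session key, bound to a fresh timestamp."""
    return seal(session_key.encode(), {"user": user, "timestamp": now})


def service_accept(service_key, ticket_blob, auth_blob, now, skew=MAX_SKEW):
    """Application side: open the ticket with the service key, then the
    authenticator with the session key found inside it. Returns (ok, reason)."""
    try:
        ticket = open_sealed(service_key, ticket_blob)
        auth = open_sealed(ticket["session_key"].encode(), auth_blob)
    except ValueError as e:
        return False, str(e)
    if now > ticket["expires"]:
        return False, "ticket expired"
    if auth["user"] != ticket["user"]:
        return False, "authenticator/ticket user mismatch"
    if abs(now - auth["timestamp"]) > skew:
        return False, "authenticator timestamp outside allowed clock skew"
    return True, f"access granted to {ticket['user']}"


def demo(user_clock_offset=0):
    """Full exchange with constructed keys; the offset skews the user's clock."""
    keys = {"james": secrets.token_bytes(32), "fileserver": secrets.token_bytes(32)}
    kdc = KDC(keys)
    now = int(time.time())
    reply, ticket = kdc.request_ticket("james", "fileserver", now)
    session_key = open_sealed(keys["james"], reply)["session_key"]  # only james can
    authenticator = make_authenticator(session_key, "james", now + user_clock_offset)
    return service_accept(keys["fileserver"], ticket, authenticator, now)
```

`demo()` grants access; `demo(user_clock_offset=3600)` is rejected for clock skew even though the ticket and keys are valid, which is the failure mode behind the "synchronized time clocks" requirement.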

Page 52: SSCP Chpt_1

RAS access control
• RADIUS (Remote Authentication Dial-In User Service) - client/server protocol & software that enables a RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
• TACACS/TACACS+ (Terminal Access Controller Access Control System) - Authentication protocol that allows a RAS to forward a user’s logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS).
– May 1997 - TACACS and XTACACS are considered Cisco End-of-Maintenance

Page 53: SSCP Chpt_1

TEMPEST

Page 54: SSCP Chpt_1

TEMPEST
• Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
• TEMPEST certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
• TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
• Rooms & buildings can be TEMPEST-certified
• TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents

Page 55: SSCP Chpt_1

Watching the Door

Page 56: SSCP Chpt_1

Physical Security
• Camera coverage
– Recoverable footage
• Access controlled areas
• Fences
• Lights? (here’s a question….)

Page 57: SSCP Chpt_1

Intrusion Detection Systems
• IDS monitors system or network for attacks
• IDS engine has a library and set of signatures that identify an attack
• Adds defense in depth

Page 58: SSCP Chpt_1

Iterative Methodology Review

Page 59: SSCP Chpt_1

Penetration Testing / Vulnerability Assessments
• Basically Improving the Security of Your Site by Breaking Into It, by Dan Farmer/Wietse Venema
– http://www.fish.com/security/admin-guide-to-cracking.html
• Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
– Discovery and footprint analysis
– Exploitation
– Physical Security Assessment
– Social Engineering
• Attempt to identify vulnerabilities and gain access to critical systems within the organization
• Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
• Assessments allow the client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real-life business risks

Page 60: SSCP Chpt_1

Review Questions

Page 61: SSCP Chpt_1

Review Questions
• Which of the following is true about biometrics?
a) Least expensive, least secure
b) Most expensive, least secure
c) Most expensive, most secure
d) Least expensive, most secure

Answer: c) Most expensive, most secure

Page 62: SSCP Chpt_1

Review Questions
• Discretionary Access differs from Mandatory Access in the following way:
a) Is granted at the discretion of the system administrator
b) Is only given to personnel who have demonstrated good discretion
c) Assigns access based on role
d) Allows subjects to grant access to objects

Answer: d) Allows subjects to grant access to objects

Page 63: SSCP Chpt_1

Review Questions
• The three classic ways of authenticating yourself to the computer security software are by something you know, by something you have, and by something
a) you need
b) non-trivial
c) you are
d) you can get

Answer: c) you are

Page 64: SSCP Chpt_1

Review Questions
• An access control policy for a bank teller is an example of the implementation of a(n):
a) rule-based policy
b) identity-based policy
c) user-based policy
d) role-based policy

Answer: d) role-based policy

Page 65: SSCP Chpt_1

Review Questions
• A confidential number to verify a user's identity is called a
a) PIN
b) Userid
c) Password
d) challenge

Answer: a) PIN

Page 66: SSCP Chpt_1

Review Questions
• Which of the following is needed for System Accountability?
a) audit mechanisms
b) documented design as laid out in the Common Criteria
c) Authorization
d) Formal verification of system design

Answer: a) audit mechanisms

Page 67: SSCP Chpt_1

Review Questions
• Which of the following is true in a system with Mandatory Access Control?
a) the system determines which users or groups may access a file.
b) user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access.
c) a user can specify which groups of users can access their files, but the system determines group membership
d) no control is being enforced on this model

Answer: a) the system determines which users or groups may access a file.

Page 68: SSCP Chpt_1

Review Questions
• Which of the following is *not* needed for System Accountability?
a) Audit
b) Authentication
c) Authorization
d) identification

Answer: a) audit mechanisms

Page 69: SSCP Chpt_1

Review Questions
• A potential problem with an iris pattern biometric system is:
a) concern that the laser beam may cause eye damage
b) the iris pattern changes as a person grows older
c) there is a relatively high rate of false accepts
d) the optical unit must be positioned so that the sun does not shine into the aperture

Answer: d) the optical unit must be positioned so that the sun does not shine into the aperture

Page 70: SSCP Chpt_1

Review Questions
• What is TEMPEST?
a) A really good movie
b) Standards for controlling emanations from equipment
c) Tactical Electrical Modulation Emitting Surveillance Team
d) The most secure method of Access Control

Answer: b) Standards for controlling emanations from equipment

Page 71: SSCP Chpt_1

Any questions?
• Homework for next week:
– CISSP Exam: Theory
• Chapter 3
• Pgs: 198-221, 226-237
– Computer Security Basics
• Chapter 6
– Green and Brown books