Posted: 14-Apr-2018 | Category: Documents | Upload: tanmoy-mukherjee

7/30/2019 Access Control 2011

Domain 1: Access Control
2010 CISSP Study Group
Presented by: Jeff McEwen, CISSP, Security Architect, AAA NCNU Insurance Exchange
http://sfbay.issa.org/index.htm

Domain Objective
The objective of this domain is to understand:
  Access control concepts and techniques
  Access control methodologies and implementation within centralized and decentralized environments
  Detective and corrective access controls
  Mechanisms for controlling system use
  Potential risks, vulnerabilities, and exposures

Domain Summary
The information for this domain represents approximately 16% of the CISSP exam content.

Access Control Defined
Access control is the heart of security
  The ability to allow only authorized users, programs or processes system or resource access
  The granting or denying, according to a particular security model, of certain permissions to access a resource
  An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
  The collection of mechanisms for limiting, controlling, and monitoring system access to certain items of information, or to certain features, based on a user's identity and their membership in various predefined groups.

Key Access Control Terms
Identification - asserts the user is the user; the process through which one ascertains the identity of another person or entity; provides accountability to users and traceability of their activities
Authentication - verifies the user is who the user claims to be; the process through which one proves and verifies certain information
Authorization - the actions the user is allowed to perform
Accountability - tracks user actions and when they were done
Approval - authorizations were appropriately granted by the data owner

Access Control Concepts
Security Policy - a high-level overall plan embracing general goals and acceptable actions for each system
Accountability - systems that process sensitive information must assure individual accountability
Assurance - systems must guarantee correct and accurate interpretation of security policy

Access Control Systems & Methodology
Why Control Access

Access Control Purposes
Confidentiality - information is not disclosed to unauthorized individuals or processes
  protects against hackers, unprotected communications, unauthorized users
Integrity - information retains its original level of accuracy
  protects against unauthorized data modifications, system changes, or program changes
Availability - reliable access to data
  protects against denial of service, ping attacks, e-mail flaming

What does AC hope to protect?
Data - unauthorized viewing, modification or copying
System - unauthorized use, modification or denial of service
It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Information Value
Information is assumed to have a value that can be measured by quantity or quality
The major reason to value information is the cost to develop and the value to its owners
Valuation techniques - use of policy or regulation, checklist, questionnaire, consensus, accounting data, statistical analysis

File and Data Ownership
A prerequisite to development of effective access controls is the establishment of Data Ownership. The Data Owner is required to:
  Identify sensitivity of information
  Determine security requirements
  Ensure security requirements meet goals
  Authorize access
  Develop contingency plans

Access Control Systems & Methodology
How do we control access?

Control Types
Preventative - deter problems before they occur
Detective - investigate an act that has occurred
Corrective - remedy acts that have occurred
Deterrent - discourage an act from occurring
Recovery - restore a resource from an act that has occurred

Lines of Defense
Security mechanisms for limiting and controlling access to resources by layering protection
Categories - usually 3 lines, with action priorities based on increased control with each succeeding layer
  First Line - policies, firewalls, passwords, separation of duties, training, quality assurance, fault tolerance, etc.
  Second Line - audit trails, monitoring, penetration testing
  Third Line - insurance, bonding, backups, contingency plans

Access Control Types
Management - policies, procedures, and accountability designed to control system use
Technical - hardware and software controls used to automate protection of the system
Operational - personnel procedures used to protect the system

Proactive access control
Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures

Physical access control
Guards
Locks
Mantraps
ID badges
CCTV, sensors, alarms
Biometrics
Fences - the higher the voltage the better
Card-key and tokens
Guard dogs

How can AC be implemented?
Hardware
Software
Application
Protocol (Kerberos, IPSec)
Physical
Logical (policies)

Access Control & privacy issues
Expectation of privacy
Policies
Monitoring activity, Internet usage, e-mail
Login banners should detail expectations of privacy and state levels of monitoring

Access Control Systems & Methodology
User Authentication

Identification
Types of ID
  User IDs
  Names
  PINs (also used for authentication)
  Badges
  Biometrics (also used for authentication)

User Authentication
User Identification - provides identity to system
  authentication data verifies individual
  activities traced to an individual
  responsible for actions
  use of a label to ID user
User Label Characteristics
  unique
  non-descriptive of function, area, or company

User Authentication
System Implementation
  Administration - create, distribute, and store authentication data (passwords)
  Maintaining authentication - log out user or lock system during inactivity
  Single log-in - a group of systems on one OS platform that allow the user to authenticate once
  Host-to-host authentication - host passes on logon data
  Authentication servers - user logs on to a special network server
  User-to-host authentication - user logs on and receives token for logons to other systems

Authentication
3 types of authentication:
  Something you know - password, PIN, mother's maiden name, passcode, fraternity chant
  Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
  Something you are - fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Password
Most common type of authentication in use
  something a user knows
  a string of characters that IDs a user
Types
  One-time passwords - system generated and changed after every use
  Passphrase - a sequence of characters that is longer than a regular password and is transformed into a virtual password

Password Issues
Selection
  Source - can be assigned or user selected, system generated, token generated, or a system default
  Composition - can be words, characters, or a phrase
  Types - can be system or resource specific
Management
  Transport - paths that the user uses to update the password
    owner - authentication generated by owner
    system - owner authentication generated by system
    system administration to owner & system - generated by system administrator

Password Issues
Management (continued)
  Initial passwords
    New users
    One-time passwords
    Force user change
  User notification on successful login - date & time of last logon and location
  Suspend ID after number of unsuccessful logon attempts
  Audit trail of logons - successful login, unsuccessful attempts, along with date/time/ID/origin
  Control maximum logon attempt rate

Password Issues
Control
  Password lifetime - length of time the password can be secure
  Users change own password
  Audit trail of password changes
Risk if compromised
  Distribution risk
  Probability of guessing
  Electronic monitoring
  Vulnerable to cracking

Password Issues
Control (continued)
  Password security
    Number of characters
    Minimum length
    Number of invalid attempts
  Compromises - severity of measures vs. user acceptance
  Forgotten passwords - issue expired passwords, user changes immediately
  User ID by phone - validate user identity, call back user at office phone with new password

Problems with passwords (what a person knows)
Insecure
  Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken
  Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords.
  Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient
  In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember

Classic password rules (what a person knows)
The best passwords
  Easy to remember
  Hard to crack using a dictionary attack
The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
Don't use:
  common names, DOB, spouse, phone #, etc.
  words found in dictionaries
  "password" as a password
  system defaults
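The "don't use" rules above can be checked mechanically at password-change time. The following Python is an added example written for this page, not code from the presentation; the dictionary, system-default and personal-fact lists are constructed stand-ins (a deployment would load real word lists and the user's own HR record), and the 8-character minimum is an assumption, since the slide gives no number.

```python
import re

# Constructed sample lists standing in for a real dictionary and a vendor
# default-password list; a deployment would load far larger files.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "hex", "goop", "type", "tin"}
SYSTEM_DEFAULTS = {"admin", "changeme", "default", "manager"}
# Personal facts the slide says never to use (a name, a DOB, a phone number); constructed.
PERSONAL_FACTS = {"alice", "19800101", "5551234"}

MIN_LENGTH = 8   # assumed minimum; the slide states no figure


def violations(candidate, personal_facts=PERSONAL_FACTS):
    """Return the list of classic-rule violations for a candidate password."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if lower in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    # A dictionary attack with a "append digits" rule catches these just as easily.
    stripped = re.sub(r"\d+$", "", lower)
    if stripped != lower and stripped in DICTIONARY_WORDS:
        problems.append("dictionary word with digit suffix")
    if lower == "password":
        problems.append("'password' used as a password")
    if lower in SYSTEM_DEFAULTS:
        problems.append("system default")
    for fact in personal_facts:
        if fact in lower:
            problems.append("contains personal fact %r" % fact)
    if re.fullmatch(r"\d+", candidate):
        problems.append("digits only (phone number / DOB style)")
    if not re.search(r"[^A-Za-z]", candidate):
        problems.append("no digit or special character")
    return problems


def is_acceptable(candidate):
    """True when the candidate breaks none of the classic rules."""
    return not violations(candidate)


if __name__ == "__main__":
    for pw in ("hex7goop", "-typetin", "password", "dragon1", "alice2020"):
        print(pw, "->", violations(pw) or "ok")
```

The two examples the slide calls good (hex7goop, -typetin) pass because neither is a single dictionary word and each carries a digit or special character; the checker rejects the categories the slide lists, and the digit-suffix rule shows why "dragon1" is not meaningfully stronger than "dragon".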

Password management (what a person knows)
Configure system to use strong passwords
Set password time and length limits
Limit unsuccessful logins
Limit concurrent connections
Enable auditing
Have policies for password resets and changes
Use last login dates in banners
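The management items on this slide and the two preceding ones (suspend an ID after a number of failed logons, control the maximum logon attempt rate, limit concurrent connections, keep an audit trail with date/time/ID/origin, and show the last login in the banner) map onto one small login controller. This Python is an added example for this page, not the presenter's code; the thresholds (3 failures, 5 attempts per 60 seconds, 2 sessions) and the plaintext credential store are constructed demo values, and the controller takes the clock as a parameter so the behaviour can be exercised offline.

```python
import hmac
from collections import deque
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3              # suspend the ID after this many consecutive failures
RATE_WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS_PER_WINDOW = 5          # maximum logon attempt rate, per user ID
MAX_CONCURRENT_SESSIONS = 2          # limit concurrent connections

BASE_TIME = datetime(2011, 1, 10, 9, 0)   # constructed reference clock for the demo


def at(seconds):
    """Constructed timestamp: BASE_TIME plus an offset, for offline runs."""
    return BASE_TIME + timedelta(seconds=seconds)


class LoginController:
    def __init__(self, credentials):
        # credentials: {user_id: password}. Constructed demo store; a real
        # system stores salted password hashes, never plaintext.
        self.credentials = credentials
        self.failed = {}          # user_id -> consecutive failures
        self.suspended = set()
        self.attempt_times = {}   # user_id -> deque of recent attempt timestamps
        self.last_login = {}      # user_id -> (when, origin)
        self.sessions = {}        # user_id -> open session count
        self.audit = []           # audit trail: (when, user_id, origin, outcome)

    def _record(self, when, user_id, origin, outcome):
        self.audit.append((when, user_id, origin, outcome))
        return outcome

    def banner(self, user_id):
        """Last-login notice shown on a successful logon."""
        if user_id not in self.last_login:
            return "First login for this ID."
        when, origin = self.last_login[user_id]
        return "Last login: %s from %s" % (when.strftime("%Y-%m-%d %H:%M"), origin)

    def attempt(self, user_id, password, origin, when):
        """Process one logon attempt; returns the outcome string or the banner on success."""
        if user_id in self.suspended:
            return self._record(when, user_id, origin, "denied: ID suspended")
        # Rate control: every attempt counts, successful or not.
        recent = self.attempt_times.setdefault(user_id, deque())
        while recent and when - recent[0] > RATE_WINDOW:
            recent.popleft()
        recent.append(when)
        if len(recent) > MAX_ATTEMPTS_PER_WINDOW:
            return self._record(when, user_id, origin, "denied: attempt rate exceeded")
        # Constant-time comparison; unknown IDs fail the same way as bad passwords.
        if not hmac.compare_digest(self.credentials.get(user_id, ""), password):
            self.failed[user_id] = self.failed.get(user_id, 0) + 1
            if self.failed[user_id] >= MAX_FAILED_ATTEMPTS:
                self.suspended.add(user_id)
                return self._record(when, user_id, origin, "failed: ID suspended")
            return self._record(when, user_id, origin, "failed")
        if self.sessions.get(user_id, 0) >= MAX_CONCURRENT_SESSIONS:
            return self._record(when, user_id, origin, "denied: concurrent session limit")
        self.failed[user_id] = 0
        self.sessions[user_id] = self.sessions.get(user_id, 0) + 1
        banner = self.banner(user_id)          # report the previous logon, then record this one
        self.last_login[user_id] = (when, origin)
        self._record(when, user_id, origin, "success")
        return banner

    def logout(self, user_id):
        self.sessions[user_id] = max(0, self.sessions.get(user_id, 0) - 1)


if __name__ == "__main__":
    ctl = LoginController({"jsmith": "hex7goop"})
    for i, pw in enumerate(("wrong", "wrong", "wrong", "hex7goop")):
        print(ctl.attempt("jsmith", pw, "10.0.0.5", at(5 * i)))
    for entry in ctl.audit:
        print(entry)
```

Suspension is keyed to consecutive failures and is only cleared by an administrator (there is deliberately no automatic unlock here), the rate limit counts every attempt so a slow guess stream is throttled even before lockout, and the audit tuple carries exactly the four fields the slide lists.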

Access Control Techniques
Tokens - access information stored in a portable device
  Memory token - store but do not process data
  Smart token - store and process data
  Limitations - lost or stolen with PIN allows for masquerading, battery failure or device malfunction
  Benefits
    not vulnerable to regular cracks
    2 factor authentication - challenge response
  Examples - SecurID, PIN pad, ATM card

Tokens (what a person has)
Used to facilitate one-time passwords
Asynchronous token device
SecurID - synchronous token device
Physical card
S/Key
Smart card - contact & contactless
Access token

Access Control Techniques
Biometrics - something a person is
  The one attribute that cannot be readily compromised in the 3 factors of personal identity
    knows - i.e. password
    has - i.e. access card
    about - i.e. fingerprint
  Examples - fingerprint, hand geometry, voice verification
  Constraints - cost of equipment, access time, false readings

Biometrics (what a person is)
Authenticating a user via human characteristics
Accuracy
  False Reject Rate (type I error)
  False Accept Rate (type II error)
  Cross-Over Error Rate (CER)
Behavioral - keystroke, signature pattern, signature dynamics
Physical - characteristics of a person to prove their identification: fingerprint, iris, retina, voice, face

Advantages of biometrics (what a person is)
Can't be loaned like a physical key or token and can't be forgotten like a password
Good compromise between ease of use, template size, cost and accuracy
Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
Makes network login & authentication effortless

Biometric Disadvantages (what a person is)
Processing speed issues - still relatively expensive per user
Accuracy - subject to environmental changes
User acceptability - some hesitancy for user acceptance

Biometric privacy issues (what a person is)
Tracking and surveillance - ultimately, the ability to track a person's movement from hour to hour
Anonymity - biometric links to databases could dissolve much of our anonymity when we travel and access services
Profiling - compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Multi-factor authentication
2-factor authentication - to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication
  ATM card + PIN
  Credit card + signature
  PIN + fingerprint
3-factor authentication - for highest security
  Password + SecurID token + fingerprint

Single Sign-on
User authenticates only once to a network system to be allowed on all systems in an enterprise
Benefits
  More efficient user logon process
  Stronger passwords are required
  Inactivity thresholds applied uniformly
  Effective for disabling terminated accounts

Single sign-on (Reduced Sign-on)
User has one password for all enterprise systems and applications - that way, one strong password can be remembered and used
All of a user's accounts can be quickly created on hire, deleted on dismissal
Hard to implement and get working
Kerberos, SPNEGO, X.509, SESAME (Secure European System for Applications in a Multi-vendor Environment), SAML, WS-Federation
CA eTrust, RSA Access Manager, IBM Tivoli Access Manager

Single Sign-on
Methodologies
  Network session managers
    Provides multiple sessions limited to one computing platform
    Synchronization problems
  Security server
    SESAME - Secure European System for Applications in a Multivendor Environment
      Provides distributed access control using symmetric and asymmetric cryptography
      Project of ECMA
      Provides global access identity, targets end system and provides mapping to local access

Single Sign-on
Security server (cont'd)
  Kerberos - MIT Project Athena
    User authentication, encryption, and uses tickets
    Authenticator contains same verification information
    Tickets - database of clients and private keys
    Windows/Active Directory uses Kerberos today
    Credential caching
Scripting
  Macro language
  Replay user keystrokes
  Scans for message strings
ID Federation
  Liberty Alliance, SAML
  WS-Federation

Access Control Systems & Methodology
Authorization

Access Control Structure
Subject - an active user or process that requests access to a resource
Object - a resource that contains information
Domain - a set of objects that the subject can access
Groups - subjects and objects grouped together based on shared characteristics

Access Control Criteria
Identity - a unique way to identify an individual or program in a system
Roles - computer-related functions performed by a user that use an exclusive set of privileges
Location - physical or logical place of user
Time - day/time parameters used to control resource use
Transaction - program checks that can be performed to protect information

Access Control Techniques
Content dependent - access based on content of record
  provides more access control granularity
  access request is in form of question
  arbiter program controls access
Temporal isolation - access based on user work schedule
  used for multilevel security
  each time slot a different access level
  used for rotating shifts, weekend operations, etc.
Least privilege rule (need-to-know) - all data access is restricted unless granted
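The criteria on the previous slide (identity, role, location, time, transaction) and the techniques here (content-dependent checks, temporal isolation, default-deny least privilege) combine naturally into one arbiter program. The Python below is an added example, not the presenter's code: every request is denied unless some rule matches all of its conditions, and a content-dependent rule inspects the record itself. The rules, subjects, the object name payroll.db and the shift time windows are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed subjects: an identity, a set of roles and a department attribute.
JSMITH = {"id": "jsmith", "roles": set(), "department": "it"}
DAY_OPERATOR = {"id": "ops1", "roles": {"operator"}, "department": "it"}
NIGHT_OPERATOR = {"id": "ops2", "roles": {"night_operator"}, "department": "it"}
HR_CLERK = {"id": "hr1", "roles": {"hr"}, "department": "finance"}

DAY_SHIFT = datetime(2011, 1, 10, 10, 0)     # constructed request times
NIGHT_SHIFT = datetime(2011, 1, 10, 20, 0)

# Constructed policy. Absent keys mean "no constraint"; the arbiter is default-deny.
RULES = [
    {   # identity-based: one named account may read one named object
        "id": "r1", "subjects": {"jsmith"}, "objects": {"payroll.db"}, "actions": {"read"},
    },
    {   # role + time (temporal isolation): operators may update on the day shift only
        "id": "r2", "roles": {"operator"}, "objects": {"payroll.db"}, "actions": {"update"},
        "time_window": (time(8, 0), time(18, 0)),
    },
    {   # role + time + location: night updates only from the data-centre console
        "id": "r3", "roles": {"night_operator"}, "objects": {"payroll.db"}, "actions": {"update"},
        "time_window": (time(18, 0), time(8, 0)), "locations": {"console"},
    },
    {   # content-dependent: HR staff may read only records in their own department
        "id": "r4", "roles": {"hr"}, "objects": {"payroll.db"}, "actions": {"read"},
        "content": lambda subject, record: record.get("department") == subject["department"],
    },
]


def _in_window(now, window):
    """Half-open daily window; a start later than its end wraps past midnight."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def rule_matches(rule, subject, obj, action, now, location, record):
    if "subjects" in rule and subject["id"] not in rule["subjects"]:
        return False
    if "roles" in rule and not (subject["roles"] & rule["roles"]):
        return False
    if obj not in rule["objects"] or action not in rule["actions"]:
        return False
    if "time_window" in rule and not _in_window(now, rule["time_window"]):
        return False
    if "locations" in rule and location not in rule["locations"]:
        return False
    if "content" in rule and (record is None or not rule["content"](subject, record)):
        return False
    return True


def authorize(subject, obj, action, now, location="network", record=None, rules=RULES):
    """Arbiter: the id of the first rule granting the request, or None (deny)."""
    for rule in rules:
        if rule_matches(rule, subject, obj, action, now, location, record):
            return rule["id"]
    return None


if __name__ == "__main__":
    print(authorize(DAY_OPERATOR, "payroll.db", "update", DAY_SHIFT))      # r2
    print(authorize(DAY_OPERATOR, "payroll.db", "update", NIGHT_SHIFT))    # None
    print(authorize(HR_CLERK, "payroll.db", "read", DAY_SHIFT, record={"department": "sales"}))  # None
```

The content-dependent rule is the one that needs the record handed to the arbiter, which is why such checks are usually placed in the data layer rather than at the network edge; every other criterion can be decided from the request alone.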

Principles of Access Control
Rule of least privilege
  One of the most fundamental principles of infosec
  States that: any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
  An AC system that grants users only those rights necessary for them to perform their work
  Limits exposure to attacks and the damage an attack can cause
  Physical security example: car valet key vs. regular key
Separation of Duties
  Limits a user's access based on duty position
  Split responsibility requires collusion to create harm

Implementing least privilege
Ensure that only a minimal set of users have root/administrator/sysadmin access
There are commercial tools available to support shared root access without a shared root password
Ensure that software deployed doesn't demand greater access than really needed.
Implement via explicit group membership, not nested or via shared passwords.

Access Control Systems & Methodology
Formal Models

Varied types of Access Control
Discretionary (DAC) vs Mandatory (MAC)
Centralized vs Decentralized
Formal models (detail in Security Architecture module):
  Biba (Integrity)
  Take/Grant
  Clark/Wilson
  Bell/LaPadula (confidentiality)

Access Control Models
Discretionary - resource owner determines access and privileges user should have (107.2)
  Identity-based - access based on user and resource identity
  User-directed - user (owner) grants access based on restrictions
  Hybrid - access based on identity-based and user-directed controls
Mandatory - system determines access based on label (107.3)
  Object label contains the object's classification
  Subject label contains the subject's clearance
  Rule-based - access granted based on resource rules
  Administratively directed - access granted by administrator

Access Control Models
Non-Discretionary - resource access is granted based on policies and control objectives
  Role-based - access is based on the user's responsibilities
  Task-based - access is based on the user's job duties
  Lattice-based
    Complex decisions with multiple objects and subjects
    Mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements

Competing definition
Wiki defines these three types:
  DAC (Discretionary Access Control)
  MAC (Mandatory Access Control)
    Rule based or lattice based
    Controls read and write permissions based on a user's clearance level and object confidentiality labels
  RBAC (Role Based Access Control)
    Controls collections of permissions that may include complex operations such as an e-commerce transaction
MAC and RBAC are both defined as Non-Discretionary

Discretionary Access Control
Access is restricted based on the authorization granted to the user
Orange Book C-level
Prime use to separate and protect users from unauthorized data
Used by Unix, NT, NetWare, Linux, Vines, etc.
Relies on the object owner to control access

Mandatory Access Control
Assigns sensitivity levels, AKA labels
Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
Only the administrators, not object owners, may change the object level
Generally more secure than DAC
Orange Book B-level
Used in systems where security is critical, i.e., military
Hard to program for and configure & implement

Mandatory Access Control (continued)
Downgrade in performance
Relies on the system to control access
Example: if a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
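The lattice model described earlier (greatest lower bound and least upper bound of a pair of labels) and this slide's example (a confidential file must not receive secret or top secret information) are two views of the same structure. The Python below is an added example rather than anything from the presentation: a label carries a level plus a set of need-to-know categories, dominance orders the labels into a lattice, the read and write checks are the Bell-LaPadula simple security and star properties, and the final function derives the label an output such as a print job must carry when it combines several objects. The level names and categories ("nato", "crypto") are constructed.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """Sensitivity label: a hierarchical level plus a set of need-to-know categories."""

    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError("unknown level %r" % level)
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """self >= other in the lattice: at least the level and a superset of the categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

    def __eq__(self, other):
        return isinstance(other, Label) and self.level == other.level and self.categories == other.categories

    def __hash__(self):
        return hash((self.level, self.categories))

    def __repr__(self):
        return "Label(%r, %s)" % (self.level, sorted(self.categories))


def least_upper_bound(a, b):
    """Join: the smallest label that dominates both a and b."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.categories | b.categories)


def greatest_lower_bound(a, b):
    """Meet: the largest label dominated by both a and b."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.categories & b.categories)


def may_read(subject_clearance, object_label):
    """Simple security property: no read up."""
    return subject_clearance.dominates(object_label)


def may_write(subject_clearance, object_label):
    """Star property: no write down. The object must dominate the subject's current level,
    so a subject working at secret cannot write into a confidential file."""
    return object_label.dominates(subject_clearance)


def output_label(labels):
    """Label an output (print job, removable media) must carry when it combines several objects."""
    result = Label("unclassified")
    for lab in labels:
        result = least_upper_bound(result, lab)
    return result


if __name__ == "__main__":
    analyst = Label("secret", {"nato"})
    confidential_file = Label("confidential")
    print("read confidential file:", may_read(analyst, confidential_file))    # True
    print("write into confidential file:", may_write(analyst, confidential_file))  # False (write down)
    print("print job label:", output_label([confidential_file, analyst, Label("confidential", {"crypto"})]))
```

Note the asymmetry the slide is pointing at: the same clearance that permits reading the confidential file forbids writing into it, because the write would carry secret-level information downward; the star property is what makes the system, not the object owner, the arbiter.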

Problems with formal models
Based on a static infrastructure
Defined and succinct policies
These do not work in corporate systems which are extremely dynamic and constantly changing
None of the previous models deals with:
  Viruses / active content
  Trojan horses
  firewalls
Limited documentation on how to build these systems

Access Control Models
Centralized - one location is responsible for access control
  advantage - strict control and uniformity of access
  disadvantage - central administration can be overloaded
  examples:
    RADIUS (Remote Authentication Dial-in User Service)
    TACACS (Terminal Access Controller Access Control System)
    Active Directory

Access Control Models
Decentralized - resource owners are responsible for access control
  examples:
    domain - set of authorized accesses permitted within a resource area
    trusted computer system - a system that has hardware and software controls that ensure data integrity

Access Control Models
Decentralized (continued)
  Domains - the access control parameters that protect an address space in which a program is operating
    a set of objects a subject can access
    principle of separation protects resources where resources are encapsulated in distinct address spaces
    common subset of subjects
    hierarchical domain relationship
      subjects can access objects in equal or lower domains
      domains of higher privilege are protected from lower

Access Control Models
Decentralized (continued)
  Trusted Computer System - a trusted computer system is one that provides at least one active function essential to the protection of information
    Control is based on policy - rules to enforce
    Mechanism - enforce policy
    Assurance - confidence in control to provide function
Hybrid - a combination of centralized and decentralized administration

Access Control Systems & Methodology
DOD Influence

Orange Book
DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
For stand-alone systems only
Windows NT has a C2 utility; it does many things, including disabling networking

Orange Book levels
A - Verified protection
  A1 - Boeing SNS, Honeywell SCOMP
B - MAC
  B1/B2/B3 - MVS w/ s, ACF2 or TopSecret, Trusted IRIX
C - DAC
  C1/C2 - DEC VMS, NT, NetWare, Trusted Solaris
D - Minimal security. Systems that have been evaluated, but failed - PalmOS, MS-DOS, OS/2, NT

Problems with the Orange Book
Based on an old model, Bell-LaPadula
Stand-alone, no way to network systems
Systems take a long time (1-2 years) to certify
Any changes (hot fixes, service packs, patches) break the certification
Has not adapted to changes in client-server and corporate computing
Certification is expensive
Mostly not used outside of the government sector

Red Book
Used to extend the Orange Book to networks
Actually two works:
  Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
  Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)

Access Control Systems & Methodology
Techniques

Access Control Techniques
Access Control Lists - a list containing users permitted to resources, or vice versa
  Elementary List - a short list of predefined access rights
  Advanced List - access rights based within a registry that permits user-defined controls
  Different operating systems have different ACL terms
  Types of access (Capabilities): Read/Write/Create/Execute/Modify/Delete/Rename

ACL Types
Menus and shells
Database views
Physically constrained user interfaces - restrict access by blocking direct access to function
Capability tables - access to protected resources granted if accessor possesses authentication ticket

Mainframe ACL Sample 1
(screen image; no text captured)

Mainframe Sample - 2
INFORMATION FOR DATASET ABCD.EFGHIJ.** (G)
...
ID        ACCESS
--------  -------
USER1     READ
USER2     UPDATE
GROUPB    EXECUTE

ID        ACCESS   CLASS     ENTITY NAME
--------  -------  --------  -------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST

Mainframe Sample # 3
ACCESSORID = XXXXXX   NAME = SAMPLE USER
XA DATASET = OPSG             OWNER(DSN)
   ACCESS = ALL
XA DATASET = AABB.            OWNER(DSN)
   ACCESS = READ   PRIVPGM = SAMPPROG
XA DATASET = CCDD.FFFF.YYYY   OWNER(SYS)
   ACCESS = NONE
XA DATASET = EEE.GGGG         OWNER(SYS)
   ACCESS = ALL    ACTION = AUDIT

Standard UNIX file permissions
Permission   | Allowed action, if object is a file | Allowed action, if object is a directory
R (read)     | Read contents of the file           | List directory contents
X (execute)  | Execute the file, if a program      | Search the directory
W (write)    | Change file contents                | Add, rename, create files & sub-directories
UNIX Sample
-rw-rw-r-- 1 user1 group1 852 Jul 17 2003 samplefile.txt
drwxrwxr-x 2 user1 group1 512 Apr 18 09:14 testdir
UNIX - recommendation
Don't make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
Don't run insecure programs on the firewall or other trusted host
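As an added illustration of the permission table and the setuid recommendation above (example code written for this page, not part of the original slides), the following Python parses ls -l lines like the UNIX sample into the allowed actions for a file versus a directory, and flags programs that run setuid to root. The listing it works on is constructed: the slide's two entries plus two hypothetical ones (legacy_tool, group_tool).

```python
import re

# Meaning of each permission bit for files vs directories, from the slide's table.
ACTIONS = {
    "file": {"r": "read contents", "w": "change contents", "x": "execute if a program"},
    "dir":  {"r": "list contents", "w": "add/rename/create entries", "x": "search directory"},
}

# Constructed listing: the two entries from the slide, plus two hypothetical
# entries (legacy_tool, group_tool) added to exercise the setuid/setgid check.
SAMPLE_LISTING = """\
-rw-rw-r--  1 user1 group1   852 Jul 17  2003 samplefile.txt
drwxrwxr-x  2 user1 group1   512 Apr 18 09:14 testdir
-rwsr-xr-x  1 root  root   40000 Jan  1  2010 legacy_tool
-rwxr-sr-x  1 root  staff  20000 Jan  1  2010 group_tool
"""

# type, 9 permission chars, link count, owner, group, size, date (3 fields), name
LINE_RE = re.compile(r"^([-dlbcps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Return {'name', 'kind', 'owner', 'group', 'perms', 'setuid', 'setgid'},
    where perms maps owner/group/other to the set of allowed actions."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    ftype, bits, owner, group, name = m.groups()
    kind = "dir" if ftype == "d" else "file"
    perms = {}
    for i, cls in enumerate(("owner", "group", "other")):
        allowed = set()
        for ch, flag in zip(bits[3*i:3*i+3], "rwx"):
            # 's'/'t' in the x slot mean execute plus a special bit (setuid,
            # setgid or sticky); upper-case 'S'/'T' mean the special bit only.
            if ch == flag or (flag == "x" and ch in "st"):
                allowed.add(ACTIONS[kind][flag])
        perms[cls] = allowed
    return {"name": name, "kind": kind, "owner": owner, "group": group,
            "perms": perms, "setuid": bits[2] in "sS", "setgid": bits[5] in "sS"}

def setuid_root_findings(listing):
    """Names of programs that run setuid to root, which the slide says to avoid
    where a setgid-to-group program would do."""
    entries = [parse_ls_line(l) for l in listing.splitlines() if l.strip()]
    return [e["name"] for e in entries if e["setuid"] and e["owner"] == "root"]
```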
Windows Sample
Access Control Systems & Methodology
Administration, Auditing & Monitoring
Access Control Administration
Centralized - one location is responsible for access control
  Advantages
    Strict control and uniformity of access
    Composite access view easier
  Disadvantages
    Central administration can be overloaded
    More difficult to associate entitlements with approvers
Access Control Administration
Decentralized - resource owners are responsible for access control
  Advantage
    Access is granted by the person accountable (approver)
  Disadvantages
    Access combination conflicts
    Composite view of user access unavailable
    Lack of access consistency
    More difficult to respond to external regulators
Auditing and Monitoring
Organizations use two basic methods to maintain operational assurance:
  System audit - a periodic event to evaluate security
  Monitoring - an ongoing activity that checks users and systems
Auditing
Periodic access reviews - data owners review and certify users who have access
Automated tools - a program reviews the system and reports vulnerabilities
Internal controls audit - an auditor reviews and analyzes controls
Security checklists - the security plan is used as a system checklist
Penetration testing - attempt to break in to check controls
Periodic Access Reviews
Regular review of network and application user accounts against active employee termination lists, to ensure that only active personnel have active accounts
Regular review of user entitlements by user managers and data/application owners, to ensure that users only have the access necessary to do their job
Monitoring
IDS
Logs
Audit trails
Network tools - Tivoli, Spectrum, OpenView
Monitoring
Intrusion Detection (IDS)
  Techniques which attempt to detect computer and network intrusion from logs or audit trails
  Automated intrusion detection examines logs and compares them with expected user profile activity
  Statistical intrusion detection monitors behavior and maintains profiles, then compares logs mathematically
  Rule-based intrusion detection - rules characterize intrusions (generic or operating-system specific), then logs are compared against the rule database
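To make the statistical versus rule-based distinction concrete, here is an added Python example (not from the original slides) that runs both approaches over a few constructed syslog-style lines: a small regex rule database on one side, and a per-user login-hour profile compared by z-score on the other. The user names, host name, baseline hours and documentation-range addresses are all constructed.

```python
import re, statistics

# Constructed syslog-style sample lines (documentation-range addresses).
LOGS = """\
Apr 18 09:02:11 host1 sshd[410]: Accepted password for alice from 198.51.100.7 port 50122
Apr 18 09:05:40 host1 sshd[415]: Accepted password for bob from 198.51.100.9 port 50201
Apr 18 02:13:07 host1 sshd[422]: Failed password for root from 203.0.113.5 port 4022
Apr 18 02:13:09 host1 sshd[422]: Failed password for root from 203.0.113.5 port 4023
Apr 18 03:41:52 host1 sshd[431]: Accepted password for alice from 203.0.113.5 port 4100
Apr 18 10:15:00 host1 su[440]: pam_unix(su:session): session opened for user root by bob
""".splitlines()

# Rule-based detection: each rule is a regex characterising an intrusion pattern;
# every log line is compared against the whole rule database.
RULES = {
    "failed root login": re.compile(r"Failed password for root"),
    "su to root": re.compile(r"su\[\d+\]: .*session opened for user root"),
}

def rule_based(lines):
    return [(name, line) for line in lines for name, rx in RULES.items() if rx.search(line)]

# Statistical detection: a per-user profile of normal login hours (constructed
# baseline, standing in for a profile learned from historical logs); a login whose
# hour deviates by more than `threshold` standard deviations is flagged.
BASELINE_HOURS = {"alice": [8, 9, 9, 10, 9, 8, 10], "bob": [9, 9, 10, 8, 9, 10, 9]}
LOGIN_RE = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d .* Accepted \w+ for (\w+) from")

def profiles(baseline):
    return {u: (statistics.mean(h), statistics.pstdev(h)) for u, h in baseline.items()}

def statistical(lines, prof, threshold=2.0):
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m.group(2) not in prof:
            continue  # not a login, or no profile for this user
        hour, user = int(m.group(1)), m.group(2)
        mean, sd = prof[user]
        z = abs(hour - mean) / sd if sd else (0.0 if hour == mean else float("inf"))
        if z > threshold:
            alerts.append((user, hour, round(z, 1), line))
    return alerts
```

Note that the 03:41 login by alice triggers no rule at all; only the profile comparison catches it, while the failed root logins are caught only by the rules.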
Audit Trails
An audit trail is a series of records of computer events occurring within a system or application
  Keystroke monitoring - a record of keystroke information entered by a system user
  Event-oriented - contains records on system, application, or user events
Benefits - individual accountability, reconstruction of events, intrusion detection, and problem analysis
Issues - protection, periodic review, analysis of data
Monitoring
Review of system logs - periodic review to detect problems
Automated tools - virus scanners, performance monitors, password crackers, etc.
Configuration management - system changes are reviewed
Electronic news - incident response and alert e-mail notices
Intrusion Detection Systems
IDS monitors a system or network for attacks
IDS engine has a library and set of signatures that identify an attack
Adds defense in depth
NIDS / HIDS
Should be used in conjunction with a system scanner (CyberCop, ISS S3) for maximum security
Monitoring
Adaptive real-time anomaly detection
  Inductively generated sequential patterns
  Sequential rules describe behavior
  Time-based inductive learning approach
  Time-based induction machine (TIM)
    TIM observes a temporal process and identifies patterns
    Set of hypotheses, input episodes
    User profile
Penetration Testing
Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
  Discovery and footprint analysis
  Exploitation
  Physical Security Assessment
  Social Engineering
Attempt to ID vulnerabilities and gain access to critical systems within the organization
ID and recommend corrective action for the systemic problems
Assessments allow the client to demonstrate the need for additional security resources
Information System Controls
Access Control Systems & Methodology
Banners
Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
Not foolproof, but a good start, especially from a legal perspective
Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
Access Control Software
Software that automates information security functions on host computers
Features:
  Use password protection
  Log accesses
  User access controls
  Data access controls
  Flexible administration
Examples: RACF, ACF2, TOP SECRET, Tivoli Access Manager, RSA Access Manager, Windows GINA/Active Directory
RAS access control
RADIUS (Remote Authentication Dial-In User Service)
TACACS/TACACS+ (Terminal Access Controller Access Control System)
Both are defined in greater detail in the Telecom and Network Security module.
Kerberos
Part of MIT's Project Athena
Currently in version 5
Kerberos is an authentication protocol used for network-wide authentication
All software must be kerberized
Tickets, authenticators, key distribution center (KDC)
Divided into realms
Kerberos is the three-headed dog that guards the entrance to Hades (this won't be on the test)
Kerberos roles
KDC divided into Authentication Server & Ticket Granting Server (TGS)
Authentication Server - authenticates the identities of entities on the network
TGS - generates unique session keys between two parties. Parties then use these session keys for message encryption
Kerberos authentication
User must have an account on the KDC
KDC must be a trusted server in a secured location
Shares a DES key with each user
When a user wants to access a host or application, they request a ticket from the KDC
User provides ticket and authenticator to the application, which processes them for validity and will then grant access
Requires synchronized time clocks
Relies on UDP, which is often blocked by many firewalls
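An added Python simulation of the exchange described above (example code, not from the original slides): the KDC issues a ticket sealed under the service's key, the user presents ticket plus authenticator, and the application checks both, rejecting when the two hosts' clocks disagree by more than the allowed skew. It simplifies heavily: the principal names are constructed, AS and TGS are collapsed into one call, and HMAC tags stand in for the encryption real Kerberos applies to tickets and authenticators.

```python
import hmac, hashlib, json, os

# Constructed long-term keys shared with the KDC (the slide's per-user DES key).
KEYS = {"alice@EXAMPLE.REALM": os.urandom(16), "host/app.example@EXAMPLE.REALM": os.urandom(16)}
MAX_SKEW = 300  # seconds; this check is why Kerberos needs synchronised clocks

def seal(key, obj):
    # Integrity tag only; real Kerberos encrypts tickets and authenticators.
    body = json.dumps(obj, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, body, tag):
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return json.loads(body)

def kdc_issue_ticket(client, service, now, lifetime=8 * 3600):
    # AS and TGS collapsed: mint a session key, seal the ticket under the service key.
    if client not in KEYS:  # the user must have an account on the KDC
        raise ValueError("unknown principal")
    session_key = os.urandom(16).hex()
    ticket = seal(KEYS[service], {"client": client, "service": service,
                                  "session_key": session_key, "expires": now + lifetime})
    return ticket, session_key

def client_authenticator(client, session_key, now):
    # The authenticator proves the client holds the session key and is fresh.
    return seal(bytes.fromhex(session_key), {"client": client, "timestamp": now})

def service_verify(service, ticket, authenticator, now):
    """Application side: return the authenticated client name or raise ValueError."""
    t = unseal(KEYS[service], *ticket)
    if t["service"] != service or t["expires"] < now:
        raise ValueError("ticket not for this service or expired")
    a = unseal(bytes.fromhex(t["session_key"]), *authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(a["timestamp"] - now) > MAX_SKEW:
        raise ValueError("clock skew too large")
    return t["client"]

def login(client, service, client_clock, service_clock):
    # Whole exchange; separate clocks let a caller simulate unsynchronised hosts.
    try:
        ticket, skey = kdc_issue_ticket(client, service, client_clock)
        auth = client_authenticator(client, skey, client_clock)
        return "ok", service_verify(service, ticket, auth, service_clock)
    except ValueError as err:
        return "denied", str(err)
```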
Access Control Systems & Methodology
Vulnerabilities & Attacks
Risk
Threat - an activity with the potential for causing harm to an information system
Vulnerability - a flaw or weakness that may allow harm to an information system
Impact - the harm that would be caused by an incident
Risk - a combination of the chance that a threat will occur and the severity of its impact
Exposure - a specific instance of weakness to losses from a threat event
Vulnerabilities
Physical
Natural
  Floods, earthquakes, terrorists, power outage, lightning
Hardware/Software
Media
  Corrupt electronic media, stolen disk drives
Emanation
Communications
Human
  Social engineering, disgruntled staff
Attacks
Passive attack - monitor network traffic and then use the data obtained, or perform a replay attack. Hard to detect
Active attack - attacker is actively trying to break in
  Exploit system vulnerabilities
  Spoofing
  Crypto attacks
Denial of service (DoS) - not so much an attempt to gain access, rather to prevent system operation
  Smurf, SYN flood, Ping of death
  Mail bombs
Methods of Attack
Methods to bypass access controls and gain unauthorized access to information
  Brute force - persistent series of attacks, trying multiple approaches, in an attempt to break into a computer system
  Denial of service - overloading a system through an online connection to force it to shut down
  Social Engineering - deception of system personnel in order to gain access
  Spoofing - masquerading an ID or data to gain access to data or a system
Password Attacks
Brute force
  l0phtcrack
Dictionary
  Crack
  John the Ripper
Trojan horse login program
Access Control Systems & Methodology
Protection
Object reuse
Must ensure that magnetic media do not retain any remanence of previous data
Also applies to buffers, cache and other memory allocation
Required at TCSEC B2/B3/A1 level
Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann, http://www.fish.com/security/secure_del.html
  Documents recently declassified as to how 10-pass writes were recovered
Objects must be declassified
Magnetic media must be degaussed or have secure overwrites
TEMPEST
Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
TEMPEST certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
TEMPEST
Rooms & buildings can be TEMPEST-certified
TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents