
Access Control and Site Security (Part 1) Thursday 1/17/2008) © Abdou Illia – Spring 2008.

Date post: 19-Dec-2015

Access Control and Site Security (Part 1)

Thursday 1/17/2008)

© Abdou Illia – Spring 2008


Learning Objectives

Understand Main Security Goals

Discuss Resources’ Access Control

Discuss Password-Based Access Control


Security Goals


Break-in and Dialog attacks: Security Goal

If eavesdropping or message alteration attacks are successful, in which of the following ways could the victims be affected?

a) Data files stored on hard drives might be deleted

b) Data files stored on hard drives might be altered

c) Corporate trade secret could be stolen

d) Competitors might get the victim company’s licensed info

e) Users might not be able to get network services for a certain period of time

f) The network might slow down

Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.


Malware attacks: Security Goal

If virus attacks are successful, in which of the following ways could the victims be affected?

a) Data files stored on hard drives might be deleted

b) Data files stored on hard drives might be altered

c) Corporate trade secret could be stolen

d) Competitors might get the victim company’s licensed info

e) Users might not be able to get network services for a certain period of time

f) The network might slow down

Integrity = Main goal of implementing defense systems against malware attacks.


DoS attack: Security Goal

If a DoS attack is successful, in which of the following ways could the victims be affected?

a) Data files stored on hard drives might be deleted

b) Data files stored on hard drives might be altered

c) Corporate trade secret could be stolen

d) Competitors might get the victim company’s licensed info

e) Users might not be able to get network services for a certain period of time

f) The network might slow down

Availability = Main goal of implementing defense systems against DoS attacks.


Security Goals

Three main security goals:

Confidentiality of communications and proprietary information

Integrity of corporate data

Availability of network services and resources

CIA


Resources Access Control


Opening Question

Which of the following actions might be taken in order to strengthen the confidentiality of companies’ proprietary information?

a) Prevent employees from accessing files not needed in their job

b) Limit the number of computers each employee could use for logging onto the network

c) Encrypt any communications involving passwords

d) All of the above


What is Access Control?

Access control is the policy-driven limitation of access to systems, data, and dialogs

Access control prevents attackers from gaining access to systems’ resources, and stops them if they do


Managing Access Control: Steps

1) Enumeration of (sensitive) resources

E.g. HR databases, servers with trade secrets

2) Determination of sensitivity level for each resource

E.g. mission-critical vs. non mission-critical

3) Determination of “Who should have access?”

Role-Based Access Control (RBAC): Determine the roles (or categories) of users. Example: IT employees, HR employees, Salesmen, etc.

List-Based Access Control (LBAC): System administrator could in some cases create lists of employees (not based on roles) for general-purpose resources


Managing Access Control: Steps (cont.)

4) Determination of “What access rights should users have?”

For each Role-Resource and/or List-Resource:

Access right     Allow   Deny
See
Browse/Read
Read/Modify
Delete
Full Control

5) Implementing Access Control

Use OS and other tools to configure access control

Mandatory Access Control: Administrator’s settings apply

Discretionary Access Control: owner of resource could share & set access rights

Harden the host computers: patches, firewalls, etc.

Perform security audits to test access control effectiveness


Managing Access Control: Steps (cont.)

6) Determine/implement general access policies

Enumerate policies for each category of sensitive resources. Examples:

Printers availability: M-F, 6:00 AM-8:00 PM

Server computers: only administrators and server operators could logon locally

Remote Access servers: Callback enabled

Implement policies

Perform security audits to test policies effectiveness

Audit by internal employees

Audit by security firm
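
The steps above can be modelled in a few lines. The following is an added example, not part of the original slides: it combines role-based and list-based rights (steps 3 and 4) with a general time-of-day policy (step 6). The user, role, list and resource names are constructed, and the rule that an explicit Deny overrides Allow is an assumption the slides do not state.

```python
from datetime import datetime

# Constructed sample data; all names below are illustrative.
ROLES = {"alice": {"HR"}, "bob": {"IT"}, "carol": {"Sales"}, "dave": {"HR", "IT"}}
LISTS = {"printer-users": {"alice", "bob", "carol"}}  # LBAC: a list, not a role

# (principal kind, principal name, resource) -> {right: "allow" | "deny"}
ACL = {
    ("role", "HR", "hr-db"): {"read": "allow", "modify": "allow"},
    ("role", "IT", "hr-db"): {"read": "deny"},
    ("list", "printer-users", "printer"): {"full": "allow"},
}

# Step 6 general policy: resource -> (allowed weekdays, start hour, end hour).
HOURS = {"printer": (range(0, 5), 6, 20)}  # M-F, 6:00 AM-8:00 PM

def principals(user):
    """Yield every role and list through which the user may hold rights."""
    yield from (("role", r) for r in ROLES.get(user, ()))
    yield from (("list", n) for n, members in LISTS.items() if user in members)

def is_allowed(user, resource, right, when):
    """Decide one access request; anything not explicitly allowed is refused."""
    if resource in HOURS:
        days, start, end = HOURS[resource]
        if when.weekday() not in days or not (start <= when.hour < end):
            return False
    decisions = []
    for kind, name in principals(user):
        entry = ACL.get((kind, name, resource), {})
        # "full" stands for Full Control and covers every right.
        decisions.append(entry.get(right) or entry.get("full"))
    if "deny" in decisions:  # assumption: explicit Deny overrides Allow
        return False
    return "allow" in decisions

if __name__ == "__main__":
    thursday = datetime(2008, 1, 17, 10, 0)
    print(is_allowed("alice", "hr-db", "modify", thursday))  # HR role
    print(is_allowed("dave", "hr-db", "read", thursday))     # IT deny wins
    print(is_allowed("carol", "printer", "read", datetime(2008, 1, 19, 10, 0)))
```

A security audit (the last part of step 6) can replay expected requests through the same function and compare the answers with the written policy.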


Password-Based Access Control


Types of account/password

Super account

User can take any action on any resource

Called Administrator (Windows), Supervisor (Netware), root (UNIX)

Hacking the super account = ultimate prize for attackers

Regular account

Limited access based on setting by the admin

Could gain super account status by elevating the privileges.


Reusable Passwords

Used repeatedly to get access to a resource on multiple occasions

Bad because attacker could have time to crack it

Difficult to crack by guessing remotely

Usually cut off after a few attempts

However, an attacker who can steal the password file can crack passwords at leisure


Password Cracking

With physical access or with password file in hand, attacker can use password cracking programs

Program Windows Linux

L0phtcrack (now LC5) √

Ophcrack √

John The Ripper √ √

RainbowCrack (uses lookup tables and hash functions) √ √

Crack √

Cain & Abel √

Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds

Programs use brute-force cracking method

Used by network admins to locate users with weak passwords, and by attackers.


Brute-force password cracking

Dictionary cracking vs. hybrid cracking

Try all possible character combinations

Longer passwords take longer to crack

Combining types of characters makes cracking harder

Alphabetic, no case (26 possibilities)

Alphabetic, case (52)

Alphanumeric (letters and numbers) (62)

All keyboard characters (~80)


Figure 2-3: Password Length

Password length   Alphabetic, no case   Alphabetic, case   Alphanumeric: letters   All keyboard
in characters     (N=26)                (N=52)             & digits (N=62)         characters (N=~80)
1                 26                    52                 62                      80
2 (N^2)           676                   2,704              3,844                   6,400
4 (N^4)           456,976               7,311,616          14,776,336              40,960,000
6                 308,915,776           19,770,609,664     56,800,235,584          2.62144E+11
8                 2.08827E+11           5.34597E+13        2.1834E+14              1.67772E+15
10                1.41167E+14           1.44555E+17        8.39299E+17             1.07374E+19

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?


Dictionary and Hybrid cracking

Dictionary cracking [1]

Try common words (“password”, “ouch,” etc.)

There are only a few thousand of these

Cracked very rapidly

Hybrid cracking [2]

Used when dictionary cracking fails

Common word with one or few digits at end, etc.

[1] Also called dictionary attack

[2] Also called hybrid attack


Password Policies

Good passwords

At least 6 characters long

Change of case not at beginning

Digit (0 through 9) not at end

Other keyboard characters not at end

Example: triV6#ial
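
A password-change routine can enforce the "good password" rules above and refuse the dictionary and hybrid forms described on the previous slide. The following is an added example, not part of the original slides; the word list is constructed, and reading each "not at beginning / not at end" rule as "at least one such character somewhere other than that position" is an assumption. The keyspace function generalises Figure 2-3 to any alphabet size and length.

```python
import string

# Constructed sample word list ("password" and "ouch" are the slide's examples).
COMMON_WORDS = {"password", "ouch", "letmein", "welcome"}

def keyspace(alphabet_size, length):
    """Candidates an exhaustive search must cover: N ** length (Figure 2-3)."""
    return alphabet_size ** length

def is_dictionary_or_hybrid(pw):
    """True for a common word, optionally followed by digits (hybrid form)."""
    return pw.rstrip(string.digits).lower() in COMMON_WORDS

def policy_violations(pw):
    """Return the slide rules that pw fails; an empty list means it passes."""
    problems = []
    body, head = pw[1:], pw[:-1]  # all but first char, all but last char
    if len(pw) < 6:
        problems.append("fewer than 6 characters")
    # Mixed case after the first character, so "Password" does not qualify.
    if not (any(c.isupper() for c in body) and any(c.islower() for c in body)):
        problems.append("no change of case away from the beginning")
    if not any(c in string.digits for c in head):
        problems.append("no digit before the last character")
    if not any(c in string.punctuation for c in head):
        problems.append("no other keyboard character before the last character")
    if is_dictionary_or_hybrid(pw):
        problems.append("common word or common word plus digits")
    return problems

if __name__ == "__main__":
    for candidate in ("triV6#ial", "Password1", "ouch99"):
        print(candidate, policy_violations(candidate))
    print("62-character alphabet, length 6:", keyspace(62, 6))
```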


Password Policies (cont)

Shared passwords

Not a good policy

Removes ability to learn who took actions; loses accountability

Usually is not changed often or at all because of need to inform all sharers


Questions

Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to log on with the password abc123. Last night someone committed an attack, stealing sensitive corporate information after elevating the privileges associated with the account they used to log on. Which of the following is true? (Choose all that apply)

a) the audit log file could be checked to determine at what time the attacker logged in

b) the audit log file could be checked to determine which user account was used in committing the attack

c) the audit log file could be checked to determine who committed the attack

d) all of the above.

Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why.


Password Policies (cont)

Disabling passwords that are no longer valid

As soon as an employee leaves the firm, etc.

As soon as contractors, consultants leave

In many firms, a large percentage of all accounts are for people no longer with the firm


Password Policies (cont)

Lost passwords

Password resets: Help desk gives new password for the account

Opportunities for social engineering attacks

Leave changed password on answering machine


Reading Questions (Part 1)

Answer Chapter 2 Reading Questions (Part 1) posted to the course web site.


Summary Questions

What are the three main security goals?

What security goal is jeopardized by a successful eavesdropping attack?

What is the difference between Role Based Access Control and List Based Access Control?

What is the difference between Mandatory Access Control and Discretionary Access Control?

What is a super account?

What is the difference between dictionary cracking and hybrid cracking?

What is a shared password? Do you recommend shared passwords? Why?

