
accesscontrolpresentation-130630194314-phpapp01

Date post: 22-Feb-2018
Upload: kaleem

Transcript
  • 7/24/2019 accesscontrolpresentation-130630194314-phpapp01

    1/97

    Access Control

    Muhammad Wajahat Rajab

    2/97

    Protecting what needs to be protected with the available technologies!

    Access control is the of Information Security!

    Overview

    3/97

    Some Questions

    What is Access? The right

    What is the Access Mechanism? Flow of information between subject and object

    What is Access Control? Mechanism to protect the assets!

    4/97

    Identification, Authentication,

    Authorization

    5/97

    Identification

    6/97

    Identification

    Method of establishing the subject's identity

    User, Program, Process

    Use of username or other public information

    Identification component requirements

    Each value should be unique

    Follow a standard naming scheme

    Non-descriptive of the user's position or tasks

    Must not be shared between users

    7/97

    Authentication

    8/97

    Authentication

    Method of proving the identity

    How to prove an identity?

    Something you know

    Something you have

    Something you are

    Use of passwords, tokens, biometrics, or other private information

    What is two-factor authentication? Strong authentication

    9/97

    Something you know

    Traditional authentication method

    Passwords

    Protected string of characters

    Most widely used

    Types

    Cognitive passwords

    One time passwords (Dynamic passwords)

    Passphrase

    10/97

    Cognitive passwords

    Fact or opinion based information

    Created through several experience based questions

    Easy to remember!

    A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.

    11/97

    One time passwords

    Only used once

    Used in sensitive cases and places

    Examples include

    Prepaid cards

    Token devices

    Token device generates the one-time password for the user to submit to an authentication server

    12/97

    Passphrase

    Sequence of characters that is longer than a password -- thus a phrase

    User enters this phrase into an application which transforms the value into a virtual password
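The slide describes the application transforming the passphrase into a "virtual password". In current practice that transformation is a salted, deliberately slow password hash, so that the application stores and compares a derived value rather than the passphrase itself. The following Python is an added example, not code from the slides: it uses PBKDF2-HMAC-SHA256 from the standard library. The record layout, the iteration count and the sample passphrase are choices made here for illustration.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Chosen for this example; tune it to your hardware
# so that one derivation costs a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def derive_virtual_password(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn the long, memorable passphrase into a fixed-size secret the application
    actually stores and compares. The salt makes identical passphrases derive to
    different values; the iteration count slows down offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def enroll(passphrase: str) -> str:
    """Build the stored record: algorithm$iterations$salt$derived (salt and derived in hex).
    The passphrase itself is never written anywhere."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = derive_virtual_password(passphrase, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Re-derive from the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, derived_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    derived = derive_virtual_password(candidate, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


if __name__ == "__main__":
    # Constructed passphrase for the demo.
    rec = enroll("the quick brown fox jumps over the lazy dog")
    print(rec)
    print(verify(rec, "the quick brown fox jumps over the lazy dog"))  # True
    print(verify(rec, "the quick brown fox jumps over the lazy cat"))  # False
```

Because the salt is generated at enrollment, enrolling the same passphrase twice yields two different records; only `verify` can tell whether a candidate matches.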

    13/97

    Attacks against passwords

    Electronic monitoring

    Access the password file

    Brute force attacks

    Dictionary attacks

    Social engineering

    Shoulder surfing

    14/97

    Something you have

    Requires possession of something such as a key, smart card, or some other device

    Examples include

    Keys Documents

    Token devices

    Memory cards

    Smart cards

    15/97

    Token device

    Software/hardware hybrid object used to verify an identity in an authentication process

    Token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad

    Token device is separate from the computer the user is attempting to access

    16/97

    Token Device Benefits/Limitations

    Benefits

    Not vulnerable to electronic eavesdropping

    Wiretapping

    Sniffing

    Provide two factor authentication

    Limitations

    Human error

    Battery limitation

    Token itself (Environmental factors)

    17/97

    Types of Token Devices

    Synchronous Token

    A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.

    Asynchronous Token

    A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.
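The two token types can be shown side by side. The Python below is an added example (not from the slides): a synchronous token whose moving factor is the current 30-second time slice, with the authentication server accepting one slice of clock drift in either direction, and an asynchronous token that answers a random server challenge. The shared secret, code length and step size are constructed demo values; the HMAC-with-dynamic-truncation construction follows the HOTP/TOTP approach.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret shared between the token and the authentication server.
# In a real deployment it is provisioned into the token at manufacture or enrollment.
SHARED_SECRET = b"constructed-demo-secret-0123456789"
OTP_DIGITS = 6
TIME_STEP = 30  # seconds per time slice for the synchronous (time-based) token


def truncate(mac: bytes) -> str:
    """Dynamic truncation: pick 4 bytes at an offset taken from the MAC, reduce to digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** OTP_DIGITS)).zfill(OTP_DIGITS)


def sync_token_code(secret: bytes, counter: int) -> str:
    """Synchronous token: the moving factor is a counter (here: unix_time // TIME_STEP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac)


def time_counter(unix_time: int) -> int:
    return unix_time // TIME_STEP


def server_verify_sync(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: accept the code of the current slice or of +/- window slices,
    which is how the server and a slightly drifted token stay synchronized."""
    base = time_counter(unix_time)
    return any(
        hmac.compare_digest(sync_token_code(secret, base + d), submitted)
        for d in range(-window, window + 1)
    )


def async_challenge() -> bytes:
    """Asynchronous token: the server issues a fresh random challenge (nonce)."""
    return secrets.token_bytes(8)


def async_token_response(secret: bytes, challenge: bytes) -> str:
    """The token computes a truncated HMAC over the challenge; the user types it in."""
    mac = hmac.new(secret, challenge, hashlib.sha1).digest()
    return truncate(mac)


def server_verify_async(secret: bytes, challenge: bytes, submitted: str) -> bool:
    return hmac.compare_digest(async_token_response(secret, challenge), submitted)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed timestamp so the demo is reproducible
    code = sync_token_code(SHARED_SECRET, time_counter(now))
    print("sync code:", code, server_verify_sync(SHARED_SECRET, code, now))
    # 25 s later we are in the next slice, still inside the +/-1 window ...
    print("drift ok:", server_verify_sync(SHARED_SECRET, code, now + 25))
    # ... 120 s later the code is four slices old and is rejected
    print("expired:", server_verify_sync(SHARED_SECRET, code, now + 120))
    ch = async_challenge()
    resp = async_token_response(SHARED_SECRET, ch)
    print("async:", server_verify_async(SHARED_SECRET, ch, resp))
```

The drift window is the practical trade-off of the synchronous design: a wider window tolerates a worse token clock but also keeps each code valid for longer. The asynchronous design has no such window because every challenge is fresh.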

    18/97

    Synchronous Token

    19/97

    Asynchronous Token Device

    20/97

    Memory Card

    Holds information but cannot process

    A memory card can hold a user's authentication information, so that the user only needs to type in a UserID or PIN.

    21/97

    Smart Card

    Holds and processes information

    After a threshold of failed login attempts, it can render itself unusable

    PIN or password unlocks smart card functionality

    Smart card could be used for:

    Holding biometric data in template

    Responding to challenge

    Holding private key

    22/97

    Types of Smart Card

    Contact

    Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated)

    Through these physical contact points, transmission of commands, data, and card status takes place

    Contactless

    Requires only close proximity to a reader

    Both the reader and the card have an antenna, and it is via this contactless link that the two communicate

    23/97

    Smart Card attacks

    Micro-probing techniques

    Eavesdropping techniques

    Trojan Horse attacks

    Social engineering attacks

    24/97

    Something you are

    Special case of something you have

    Unique personal attribute is analyzed

    Encompasses all biometric techniques

    Fingerprints

    Retina scan

    Iris scan

    Hand geometry

    Facial scan

    25/97

    Biometric System

    A characteristic based system

    Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process

    Uses individual's unique physical characteristics in order to identify and authenticate

    Each has its own advantages and disadvantages

    26/97

    Fingerprints

    Every person's fingerprint is unique

    Most affordable and convenient method of verifying a person's identity

    The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.

    27/97

    Retina Scan

    Retinal scan technology maps the capillary pattern of the retina

    A thin (1/50th inch) nerve on the back of the eye!

    Accurate

    Many people are hesitant to use the device

    28/97

    Iris Scan

    Scans the iris or the colored portion of the eye

    For authentication the subject looks at the video camera from a distance of 3-10 inches

    The entire enrollment process is less than 20 seconds, and subsequent identification takes 1-2 seconds.

    Offers high accuracy!

    29/97

    Hand Geometry

    Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.

    Takes over 90 measurements of the length, width, thickness, and surface area of a person's hand and fingers.

    Hand measurements occur with amazing speed, almost within one second.

    A charge coupled device (CCD) digital camera is used to record the hand's three dimensional shape.

    30/97

    Keyboard Dynamics

    Looks at the way a person types at a keyboard

    Also called Typing Rhythms!

    Keyboard dynamics measures two distinct variables:

    Dwell time: The amount of time one holds a particular key

    Flight time: The amount of time one moves between the keys

    Keyboard dynamic system can measure one's keyboard input up to 1000 times per second!

    31/97

    Voice Print

    A voice reference template is constructed

    To construct, an individual must speak a set of phrases several times as the system builds the template.

    Voice identification systems incorporate several variables including pitch, dynamics, and waveform.

    32/97

    Facial Scan

    Incorporates two significant methods: Detection and Recognition

    Detection involves locating the human face within an image. Recognition is comparing the captured face to other faces that have been saved and stored in a database.

    33/97

    Facial Scan -- Process

    34/97

    Biometric Performance

    Biometric performance is most commonly measured in two ways:

    False Rejection Rate (FRR) Type 1

    False Acceptance Rate (FAR) Type 2

    The FRR is the probability that you are not authenticated to access your account.

    The FAR is the chance that someone other than you is granted access to your account.

    35/97

    Crossover Error Rate

    Crossover Error Rate (CER) value is when Type 1 and Type 2 errors are equal.

    (Type 1 = Type 2 errors) = CER metric value

    System ABC has 1 out of 100 Type 1 errors = 1%

    System ABC has 1 out of 100 Type 2 errors = 1%

    System ABC CER = 1

    The lower the CER value, the higher the accuracy

    System with a CER of 5 has greater accuracy than a system with CER of 6
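The FRR/FAR definitions and the CER rule can be worked through on a small data set. The Python below is an added example, not the slides' own: it sweeps a decision threshold over constructed genuine and impostor match scores, records FRR (Type 1) and FAR (Type 2) at each threshold, locates the crossover point, and also shows how to pick a threshold when a cap on FAR matters more than the CER. The score values are made up for illustration.

```python
# Constructed matcher scores on a 0-100 similarity scale; higher means "more like the
# enrolled template". Genuine = the enrolled user; impostor = anyone else.
GENUINE_SCORES = [62, 70, 75, 80, 84, 88, 91, 95, 97, 99]
IMPOSTOR_SCORES = [5, 12, 20, 31, 40, 48, 55, 63, 71, 78]
THRESHOLDS = range(0, 101)


def frr(genuine, threshold):
    """False Rejection Rate (Type 1): share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate (Type 2): share of impostor attempts scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds=THRESHOLDS):
    """(threshold, FRR, FAR) for every candidate threshold. Raising the threshold pushes
    FRR up and FAR down; the two curves cross somewhere in between."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds=THRESHOLDS):
    """Threshold where FRR and FAR are closest (equal on a fine enough grid) and the CER
    at that point as a percentage. Lower CER means a more accurate system."""
    t, r1, r2 = min(error_curve(genuine, impostor, thresholds),
                    key=lambda row: abs(row[1] - row[2]))
    return t, round(100 * (r1 + r2) / 2, 2)


def threshold_for_max_far(impostor, max_far, thresholds=THRESHOLDS):
    """Security-biased tuning: the lowest threshold whose FAR does not exceed max_far.
    Use it when admitting an impostor costs more than turning a real user away."""
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t, r1, r2 in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 81, 5)):
        print(f"threshold {t:3d}: FRR {r1:.0%}  FAR {r2:.0%}")
    print("crossover (threshold, CER %):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("lowest threshold with FAR <= 10%:", threshold_for_max_far(IMPOSTOR_SCORES, 0.10))
```

On the constructed data both rates are 20% at a threshold of 71, so the CER is 20; moving the threshold to 72 halves FAR to 10% at the cost of leaving FRR at 20%, which is the trade-off the CER number on its own hides.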

    36/97

    CER Concept

    37/97

    Authorization

    38/97

    Authorization

    39/97

    Controls

    40/97

    Types of Access Controls

    There are three types of Access Controls:

    Administrative controls

    Define roles, responsibilities, policies, and administrative functions to manage the control environment.

    Technical controls

    Use hardware and software technology to implement access control.

    Physical controls

    Ensure safety and security of the physical environment.

    41/97

    Administrative Controls

    Ensure that technical and physical controls are understood and properly implemented

    Policies and procedures

    Security awareness training

    Asset classification and control

    Employment policies and practices (background checks, job rotations, and separation of duties)

    Account administration

    Account, log monitoring

    Review of audit trails

    42/97

    Technical Controls

    Examples of Technical Controls are:

    Encryption

    Biometrics

    Smart cards

    Tokens

    Access control lists

    Violation reports

    Audit trails

    Network monitoring and intrusion detection

    43/97

    Physical Controls

    Examples of Physical Controls are:

    HVAC

    Fences, locked doors, and restricted areas

    Guards and dogs

    Motion detectors

    Video cameras

    Fire detectors

    Smoke detectors

    44/97

    Categories of Access Controls

    Preventive: Avoid incident

    Deterrent: Discourage incident

    Detective: Identify incident

    Corrective: Remedy circumstance, mitigate damage and restore controls

    Recovery: Restore conditions to normal

    Compensating: Alternative control

    Directive

    45/97

    Categories of Access Controls

    46/97

    Administrative Preventive Controls

    Policies and procedures

    Effective hiring practices

    Pre-employment background checks

    Controlled termination processes

    Data classification and labeling

    Security awareness

    Risk assessments and analysis

    Creating a security program

    Separation of duties

    47/97

    Administrative Detective Controls

    Job rotation

    Sharing responsibilities

    Inspections

    Incident response

    Use of auditors

    48/97

    Technical Preventive Controls

    Passwords

    Biometrics

    Smart cards

    Encryption

    Database views

    Firewalls

    ACLs

    Anti-virus

    49/97

    Technical Detective Controls

    IDS

    Reviewing audit logs

    Reviewing violations of clipping levels

    Forensics

    50/97

    Physical Preventive Controls

    Badges

    Guards and dogs

    CCTV

    Fences, locks, man-traps

    Locking computer cases

    Removing floppy and CD-ROM drives

    Disabling USB port

    51/97

    Physical Detective Controls

    Motion detectors

    Intrusion detectors

    Video cameras

    Guard responding to an alarm

    52/97

    Jotting them together

    53/97

    Centralized Access Control Methodologies

    54/97

    Centralized Access Control Methodologies

    (ISC)2 discusses the following methodologies:

    RADIUS -- Remote Authentication Dial-In User Service

    TACACS -- Terminal Access Controller Access Control Systems

    DIAMETER

    55/97

    RADIUS

    Provides centralized authentication, authorization and accounting management for network services

    Works on a Client/Server model

    Functions:

    To authenticate users or devices before granting them access to a network

    To authorize users or devices for certain network services

    To account for usage of services used

    56/97

    RADIUS Process

    57/97

    RADIUS Implementation

    58/97

    TACACS

    TACACS has been through three generations: TACACS, XTACACS and TACACS+

    TACACS uses passwords for authentication

    TACACS+ allows users to use dynamic (one-time) passwords

    TACACS+ encrypts all the data

    TACACS uses UDP

    TACACS+ uses TCP

    59/97

    TACACS at Work

    60/97

    Diameter

    "New and improved" RADIUS

    RADIUS is limited in its methods of authenticating users

    Diameter does not encompass such limitations

    Can authenticate wireless devices and smart phones

    Open for future growth

    Users can move between service provider networks and change their points of attachment

    61/97

    Single Sign-On Technologies

    62/97

    Single Sign On (SSO)

    A system that enables a user to access multiple computer platforms

    User logs in just once

    Access granted to permitted resources

    Login is required only once, until the user logs out

    Examples include:

    Kerberos

    SESAME

    Security Domains

    Thin Clients

    63/97

    Kerberos

    A computer network authentication protocol

    Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner.

    Principals

    Any user or service that interacts with a network

    Term that is applied to anything within a network that needs to communicate in an authorized manner

    64/97

    Kerberos components

    Components of Kerberos

    Key Distribution Center (KDC)

    Holds all of the principals' secret keys

    Principals authenticate to the KDC before networking can take place

    Authentication Server (AS)

    Authenticates user at initial logon

    Generation of initial ticket to allow user to authenticate to local system

    Ticket Granting Service (TGS)

    Generates tickets to allow subjects to authenticate to each other

    65/97

    Kerberos Process

    66/97

    SESAME

    Secure European System for Applications in a Multi-Vendor Environment

    Uses symmetric and asymmetric cryptographic techniques

    Uses Privileged Attribute Certificates (PACs)

    PACs are generated by the Privileged Attribute Server (PAS)

    After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!

    67/97

    SESAME Process

    68/97

    Security Domains

    Based on trust between resources or services on a domain that share a single security policy and single management

    The security policy defines the set of objects that each user has the ability to access

    A similar mission and single point of management responsibility

    69/97

    Security Domains -- Bull's Eye View

    70/97

    Thin Clients

    Diskless computers are called dumb terminals or thin clients

    Client/Server technology forces users to log onto a central server just to be able to use the computer and access network resources.

    Server downloads the Operating System, or interactive operating software, to the terminal

    71/97

    Access Control Models

    72/97

    Access Control Models

    Frameworks that dictate how subjects access objects

    Three Main Types

    Discretionary Access Control (DAC)

    Mandatory Access Control (MAC)

    Role Based Access Control (RBAC)

    73/97

    Discretionary Access Control

    Allows the owner of the resource to specify which subjects can access which resources

    Access control is at the discretion of the owner

    DAC defines an access control policy that restricts access to files and other system resources based on identity

    DAC can be implemented through Access Control Lists (ACLs)

    74/97

    Access Control Matrix

    Access Control Lists (ACLs)

    Specifies the list of subjects that are authorized to access a specific object

    Capability Lists

    Specifies the access rights a certain subject possesses pertaining to specific objects
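The access control matrix from which ACLs (one column per object) and capability lists (one row per subject) are read can be made concrete. The Python below is an added example, not from the slides: a matrix of constructed subjects, files and rights, the two views over it, a default-deny authorization check, owner-controlled granting (the "discretionary" part of DAC) and the two revocation styles each view makes cheap. The `own` right used to model ownership is an assumption made here, not something the slides define.

```python
from copy import deepcopy
from typing import Dict, Set

Rights = Dict[str, Dict[str, Set[str]]]   # subject -> object -> set of rights

# Constructed DAC matrix; subjects, files and rights are illustrative only.
MATRIX: Rights = {
    "alice": {"payroll.xlsx": {"read", "write", "own"}, "handbook.pdf": {"read"}},
    "bob":   {"handbook.pdf": {"read"}, "backup.sh": {"read", "execute"}},
    "carol": {"payroll.xlsx": {"read"}},
}


def acl(matrix: Rights, obj: str) -> Dict[str, Set[str]]:
    """Column view: the ACL of one object, i.e. which subjects hold which rights on it."""
    return {s: set(r[obj]) for s, r in matrix.items() if r.get(obj)}


def capability_list(matrix: Rights, subject: str) -> Dict[str, Set[str]]:
    """Row view: the capability list of one subject, i.e. every object it may touch and how."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items() if r}


def is_authorized(matrix: Rights, subject: str, obj: str, right: str) -> bool:
    """Default deny: anything not in the cell is refused, unknown subjects and objects included."""
    return right in matrix.get(subject, {}).get(obj, set())


def grant(matrix: Rights, owner: str, subject: str, obj: str, right: str) -> Rights:
    """DAC: only the object's owner (modelled here as holding the 'own' right) may pass a
    right to another subject. Returns a new matrix and leaves the input untouched."""
    if not is_authorized(matrix, owner, obj, "own"):
        raise PermissionError(f"{owner} does not own {obj}")
    new = deepcopy(matrix)
    new.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return new


def revoke_object(matrix: Rights, obj: str) -> Rights:
    """ACL-style revocation: clear one column, i.e. everybody's rights on that object."""
    return {s: {o: set(r) for o, r in rights.items() if o != obj} for s, rights in matrix.items()}


def revoke_subject(matrix: Rights, subject: str) -> Rights:
    """Capability-style revocation: drop one row, i.e. that subject's whole capability list."""
    return {s: {o: set(r) for o, r in rights.items()} for s, rights in matrix.items() if s != subject}


if __name__ == "__main__":
    print("ACL of payroll.xlsx:", acl(MATRIX, "payroll.xlsx"))
    print("capabilities of bob:", capability_list(MATRIX, "bob"))
    print("carol may write payroll?", is_authorized(MATRIX, "carol", "payroll.xlsx", "write"))
    shared = grant(MATRIX, "alice", "bob", "payroll.xlsx", "read")
    print("bob may read payroll after grant?", is_authorized(shared, "bob", "payroll.xlsx", "read"))
```

The two views answer different questions efficiently: an ACL answers "who can touch this object" (so revoking access to one file is one column), a capability list answers "what can this subject touch" (so offboarding one subject is one row). A system that stores only one of them pays for the other question with a full scan.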

    75/97

    Access Control Matrix

    76/97

    Mandatory Access Control

    Based on security label system

    Users given security clearance and data is classified

    Used where confidentiality is of utmost importance

    MAC is considered a policy based control

    Every object and subject is given a sensitivity label

    Classification level

    Secret, Top secret, Confidential, etc

    Category

    Information warfare, Treasury, UN, etc

    77/97

    Mandatory Access Control

    Subject            Classification level   Category
    Umair              Secret                 Finance
    Tayyeb             Secret                 HR

    Object             Classification level   Category
    Finance records    Secret                 Finance
    Employee records   Secret                 HR
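The label table above can be turned into a dominance check. The Python below is an added example, not code from the slides: a label is a classification level plus a set of categories, and a subject's clearance dominates an object's label only when both the level comparison and the category-subset test pass. That is why Umair (Secret, Finance) may read Finance records but not Employee records even though both are Secret. The read-down and no-write-down rules (Bell-LaPadula style) and the extra Top Secret "Analyst" subject are additions made here to show the category rule, not part of the slide.

```python
from typing import Dict, FrozenSet, NamedTuple

# Classification levels are totally ordered; categories (compartments) are a set.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class Label(NamedTuple):
    level: str
    categories: FrozenSet[str]


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's AND a's categories include all of b's.
    Labels with disjoint categories are incomparable: neither dominates the other."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.categories <= a.categories


def may_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only when the subject's clearance dominates the object's label
    ('read down')."""
    return dominates(subject, obj)


def may_write(subject: Label, obj: Label) -> bool:
    """Write is allowed only when the object's label dominates the subject's clearance
    ('no write down'), so a cleared subject cannot copy data into a lower-labelled object."""
    return dominates(obj, subject)


# The slide's subjects and objects, plus a constructed Top Secret analyst.
SUBJECTS = {
    "Umair":   Label("Secret", frozenset({"Finance"})),
    "Tayyeb":  Label("Secret", frozenset({"HR"})),
    "Analyst": Label("Top Secret", frozenset({"Finance", "HR"})),
}
OBJECTS = {
    "Finance records":  Label("Secret", frozenset({"Finance"})),
    "Employee records": Label("Secret", frozenset({"HR"})),
}


def access_table():
    """(read, write) decision for every subject/object pair."""
    return {(s, o): (may_read(SUBJECTS[s], OBJECTS[o]), may_write(SUBJECTS[s], OBJECTS[o]))
            for s in SUBJECTS for o in OBJECTS}


if __name__ == "__main__":
    for (s, o), (r, w) in access_table().items():
        print(f"{s:8s} -> {o:17s} read={r!s:5s} write={w!s:5s}")
```

Note that the policy is not at anyone's discretion: the decision follows from the two labels alone, which is the sense in which MAC is "policy based" rather than owner based.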

    78/97

    Role Based Access Control

    Uses centrally administered set of controls to determine how subjects and objects interact

    Decisions based on the functions that a user is allowed to perform within an organization

    An advantage of role based access controls is the ease of administration

    Capability tables are sometimes seen in conjunction with role-based access controls

    Best for high-turnover organizations
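The ease-of-administration point follows from the indirection: permissions hang off roles, users are mapped to roles, and a hire, transfer or departure becomes a role change rather than an edit of many per-object entries. The Python below is an added example, not from the slides, with constructed roles, users and permissions; it also enforces a separation-of-duties constraint (a pair of roles one user may not hold together), tying back to the administrative controls listed earlier in the deck.

```python
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]   # (object, action)

# Constructed role definitions; permissions live on the role, never on the user.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "auditor":       {("payroll", "read"), ("audit_log", "read")},
    "hr_staff":      {("employee_records", "read"), ("employee_records", "write")},
}

# Separation of duties: no single user may hold both roles of any listed pair.
MUTUALLY_EXCLUSIVE: List[Set[str]] = [{"payroll_clerk", "auditor"}]

# Current role membership (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "dana": {"payroll_clerk"},
    "eve":  {"auditor"},
}


def permissions_for(user_roles: Dict[str, Set[str]], user: str) -> Set[Permission]:
    """Union of the permissions of every role the user holds; an unknown user gets nothing."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user_roles.get(user, set())))


def check(user_roles: Dict[str, Set[str]], user: str, obj: str, action: str) -> bool:
    return (obj, action) in permissions_for(user_roles, user)


def assign_role(user_roles: Dict[str, Set[str]], user: str, role: str) -> Dict[str, Set[str]]:
    """All administration happens here, not on individual objects. Rejects unknown roles and
    separation-of-duties conflicts. Returns a new mapping; the input is left untouched."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    held = set(user_roles.get(user, set())) | {role}
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= held:
            raise ValueError(f"{user} may not hold both {sorted(pair)} (separation of duties)")
    new = {u: set(r) for u, r in user_roles.items()}
    new[user] = held
    return new


def revoke_role(user_roles: Dict[str, Set[str]], user: str, role: str) -> Dict[str, Set[str]]:
    """Turnover: drop the role and every permission it carried disappears with it."""
    new = {u: set(r) for u, r in user_roles.items()}
    new.get(user, set()).discard(role)
    return new


if __name__ == "__main__":
    print("dana writes payroll?", check(USER_ROLES, "dana", "payroll", "write"))   # True
    print("eve writes payroll?", check(USER_ROLES, "eve", "payroll", "write"))     # False
    after_hire = assign_role(USER_ROLES, "frank", "hr_staff")
    print("frank reads employee records?", check(after_hire, "frank", "employee_records", "read"))
    try:
        assign_role(USER_ROLES, "dana", "auditor")
    except ValueError as e:
        print("refused:", e)
```

Reviewing who can do what reduces to reviewing two small tables (role definitions and role membership), which is what makes periodic access reviews tractable in an organization with frequent staff changes.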

    79/97

    Access Control Techniques

    80/97

    Access Control Techniques

    Rules Based Access Control

    Constrained User Interface

    Content Dependent Access Control

    Context Dependent Access Control

    81/97

    Penetration Testing

    Muhammad Wajahat Rajab

    ACE, CISSP (Associate), BS (TE)

    82/97

    Introduction

    Process of simulating attacks on Information Systems

    At the request of the owner, senior management

    Uses set of procedures and tools designed to test security controls of a system

    Emulates the same methods attackers use

    83/97

    Steps

    Discovery

    Enumeration

    Vulnerability mapping

    Exploitation

    Report to management

    84/97

    Step 1

    Discovery

    Gathering information about the target

    Reconnaissance Types

    Passive

    Active

    85/97

    Step 2

    Enumeration

    Performing port scans and resource identification methods

    Gaining specific information on the basis of information gathered during reconnaissance

    Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on

    86/97

    Step 3

    Vulnerability Mapping

    Identifying vulnerabilities in identified systems and resources

    Based on these vulnerabilities, attacks are carried out

    87/97

    Step 4

    Exploitation

    Attempting to gain unauthorized access by exploiting the vulnerabilities

    88/97

    Step 5

    Report to management

    Delivering to management documentation of test findings along with suggested countermeasures

    89/97

    Types

    Zero knowledge

    Partial knowledge

    Full knowledge

    90/97

    Questions

    91/97

    Question 1

    Which of the following refers to a series of characters used to verify a user's identity?

    A. Token Serial number

    B. UserID

    C. Password

    D. Security ticket

    93/97

    Question 2

    Which type of access control allows owners to specify who can access their files?

    A. Discretionary

    B. Relational

    C. Mandatory

    D. Administrative

    95/97

    Question 3

    The three primary methods for authentication of a user to a system or network are?

    A. Passwords, Tokens, and Biometrics

    B. Authorization, Identification, and Tokens

    C. Passwords, Encryption, and Identification

    D. Identification, Encryption, and Authorization

    97/97

    Thank You!

