Date post: 29-Jun-2020
McGraw-Hill/Irwin
Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.

Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker

Chapter 6

Ensuring Controlled Access

Objectives

At the end of this unit, you will be able to explain:

▪ Fundamental access control principles
▪ How to structure and conduct the authorization process
▪ Common access control models


Access Control

▪ Access control
  ▪ Describes regulation of interaction between subjects and objects
  ▪ Subjects: people or processes
    • Processes can be either managerial or technical
  ▪ Objects can be anything appropriately accessed by a valid subject


Principles of Access Control

▪ Access control centers around three principles:
  ▪ Identity
    • Asserts and verifies the user’s identity
  ▪ Authority
    • Authorizes user access privileges
  ▪ Accountability
    • Tracks user actions, analyzes and reports


Establishing Identity

▪ Principle of identity composed of two functions:
  1. Identification function establishes the identity of every person or process seeking access
  2. Authentication confirms that identity is valid


Passwords: Something You Know

▪ Simplest, most economical, means of identification
▪ Password management systems consistently:
  • Allow legitimate users to directly register for access
  • Allow forgotten passwords to be authenticated and reset by user
  • Allow IT support staff to authenticate callers for password management
  • Synchronize users across a range of platforms
  • Provide for immediate cancellation of passwords


Passwords: Something You Know

▪ Problem with passwords
  ▪ Memory
    • Human memory limits password numbers and sophistication
    • Writing a password down is a security protocol violation
  ▪ Usage vulnerabilities
    • Short and/or simple and/or familiar passwords
    • Easily compromised by brute force, guessed or obtained through surreptitious means


Passwords: Something You Know

▪ Single sign-on (SSO)
  ▪ Coordinates passwords across a range of platforms and applications


Passwords: Something You Know

▪ One-time password
  ▪ Shortening the period of use of the password


Token-Based Security: Something You Have

▪ Tokens
  ▪ Identification and authorization devices presented at the time of access
    • Function similar to a key and lock
▪ Most frequently used authentication device is smart card, or swipe card
  ▪ Embedded chip accepts, stores, and sends information
  ▪ Keeps personal information secure and portable
  ▪ Provides secure enterprise-wide access control


Token-Based Security: Something You Have

▪ Provides tamper-resistant storage and transport for critical data
▪ Can store digital keys and can create one-time passwords
▪ Vulnerabilities associated with smart cards:
  ▪ Theft and loss of tokens
    • Unauthorized finder may gain access under the legitimate user’s authorizations


Biometrics: Something You Are

▪ Biometrics
  ▪ Authentication by physical attribute
  ▪ Subject asserts identity by presenting a unique personal attribute such as a fingerprint
  ▪ Very effective
    • While physical attributes might change slowly over time, they are impossible to lose


Biometrics: Something You Are

▪ Biometric problems:
  ▪ Relatively immature
  ▪ Can fail due to dependency on advanced processing capabilities
  ▪ Possible failures include:
    • False positives
    • False negatives
  ▪ Adjusted so that at crossover error point False Positives == False Negatives
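Added example (not from the original slides): how the crossover error point is found in practice, by sweeping the matcher's acceptance threshold and comparing the two failure rates. The similarity scores are constructed sample data for a hypothetical fingerprint matcher.

```python
# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
GENUINE = [91, 88, 95, 72, 84, 79, 97, 65, 90, 86]    # enrolled user's own finger
IMPOSTOR = [12, 35, 41, 28, 55, 67, 30, 74, 22, 48]   # other people's fingers


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) when scores >= threshold are accepted."""
    false_pos = sum(s >= threshold for s in impostor) / len(impostor)
    false_neg = sum(s < threshold for s in genuine) / len(genuine)
    return false_pos, false_neg


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Scan every threshold and return (threshold, fp_rate, fn_rate) where the rates are closest."""
    best = None
    for t in range(0, 101):
        fp, fn = error_rates(t, genuine, impostor)
        if best is None or abs(fp - fn) < abs(best[1] - best[2]):
            best = (t, fp, fn)
    return best


if __name__ == "__main__":
    for t in (50, 68, 85):
        print(t, error_rates(t))     # lenient, crossover, strict
    print("crossover:", crossover())
```

Lowering the threshold below the crossover admits more impostors; raising it locks out more legitimate users, so the threshold is a policy decision and not only a tuning detail.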


Multifactor Authentication

▪ Multifactor authentication
  ▪ Two or three different approaches combined to create a single access control function
  ▪ Increases level of security
    • Example: automatic teller machine (ATM)


Approaches for Establishing Identity in Cyberspace

▪ Digital signatures
  ▪ Asserts integrity and identity through cryptographic techniques
  ▪ Signatures combine integrity and identity techniques
    • Asymmetric or symmetric cryptographic key for identity
    • Hashes for integrity
▪ Digital certificates
  ▪ Trusted third party model
  ▪ Confirms integrity and authenticates message
  ▪ Certificates supported by Public Key Infrastructures (PKIs)
    • PKI functions include verifying, enrolling, and certifying users
    • PKIs utilize trusted third party model


Approaches for Establishing Identity in Cyberspace

▪ Digital certificate is a public document that contains:
  ▪ Information identifying a user
  ▪ User’s encryption key
  ▪ Certificate validity period
  ▪ Other information
▪ Certificate binds a key and an entity


Mutual Authentication: Ensuring Identity During Transmission

▪ Process in which each side of an electronic communication verifies authenticity of the other during message transmission
▪ Ensures the integrity of the transmission process as well as the message sent
▪ Especially important when remote clients are attempting to assert their identity to servers


Mutual Authentication: Ensuring Identity During Transmission

▪ Kerberos
  ▪ Uses encryption, so a client can prove its identity to a server which in turn can authenticate itself to the client within a secure transaction


Mutual Authentication: Ensuring Identity During Transmission

▪ Challenge Handshake Authentication Protocol (CHAP)
  ▪ Provides authentication across a point-to-point link employing Point-to-Point Protocol (PPP)


Authorization: Controlling Access

▪ Authorization asserts specific rights to use the system, which have been granted to a subject
  ▪ Rights are referred to as permissions or privileges
    • Based on the concept of “trust”
  ▪ Trusted subjects are allowed access to specified objects
▪ Security domain
  ▪ A systematic point of reference on which determination, assignment, and monitoring of access is based
    • Incorporates all related objects, with common protection needs, into a single manageable entity


Policy-Based Access Control

▪ Access control list (ACL) – most frequent example of policy-based access control


Discretionary Access Control (DAC)

▪ Lets the owner of a file or physical object selectively grant or deny access to users
▪ In large systems, most common model


Discretionary Access Control (DAC)

▪ Role-based access control (RBAC)
  ▪ A common form of discretionary access control
  ▪ Involves the assignment of access permissions to objects that are associated with given roles


Discretionary Access Control (DAC)

▪ Content-dependent access control
  ▪ Used to control access to record-intensive applications such as databases
  ▪ Capability-based system
    • If the user possesses a capability (ticket), access granted.
    • Authorization Table Matrix (ATM) manages the assignment of access privileges
  ▪ Advantage
    • Greater level of granularity
    • Both simple and intuitive
  ▪ Disadvantage
    • Machine-intensive
    • Requires high level of computer performance


Discretionary Access Control (DAC)

▪ Temporal access control
  ▪ Event driven and dynamic
  ▪ Whether access is granted, and the type of access given is determined by:
    • Time of day
    • Point of origin
    • How many times the individual identity attempted to access the system
    • Number of password attempts
  ▪ Advantage:
    • Allows anticipation and protection from undesirable events
  ▪ Disadvantage
    • Chain of events that lead to a given decision is not always predictable


Mandatory Access Control (MAC)

▪ Restricts a subject’s access to objects based on a set of security attributes (labels)
  ▪ Used when policy dictates that:
    • Protection decisions must not be decided by the object owner
    • System must enforce the protection decisions over the wishes or intentions of the object owner
▪ Prevents arbitrary object sharing
▪ Uses a specific set of policies or security rules to define the sharing of data within the organization


Mandatory Access Control (MAC)

▪ Access is controlled automatically by the system using set criteria


Real-World Access Control: Automating the Process

▪ Reference monitor
  ▪ Implemented either operationally or within the operating system
▪ Real-time and dynamic allocation of access privileges
  ▪ System must be able to distinguish instantly and correctly assign rights for each individual identity
    • As well as determine what each can and cannot access


Real-World Access Control: Automating the Process

▪ Automated identity management system requires five basic conditions:
  ▪ Identity architecture
    • Establishing identity infrastructure
  ▪ Privilege setting
    • Establishing rights of each identity
  ▪ Identity reference
    • Automating process
    • Reference monitor involves three factors:
      • Completeness
      • Isolation
      • Verifiability
  ▪ Enforcement of privileges
    • Guarding door
  ▪ Continuous maintenance
    • Keeping system current


Setting Up the System: Account Management

▪ Account management
  ▪ Day-to-day face of any automated access control system
  ▪ Ensures that
    • Identity data accurate and up to date
    • Monitoring and enforcement system is operating as intended
  ▪ Links user identities to specific applications, databases, and services
  ▪ Built around three related processes:
    • Creation of new system access
    • Modification to system access
    • Termination of system access


Intrusion Detection Systems

▪ Detects, characterizes, and reports on any suspicious attempts to access protected space
▪ Built around boundary sensors - a software utility that is located at the perimeter of the protected space and monitors traffic
  • Term commonly used to describe this utility is intrusion detection system (IDS)
  • Intrusion prevention systems (IPSs)


Types of Intrusion Detection: Automated versus Human Centered

▪ Automated: when instantaneous response is needed
▪ Human-centered: if time will allow for a more considered response
▪ Two IDS types:
  ▪ Network-Based IDS (NIDS)
    • Detect attacks by capturing and analyzing network packets
  ▪ Host-Based IDS (HIDS)
    • Operate on information collected and analyzed by an individual computer system


Common Network-Based IDS (NIDS)

▪ Pattern-matching IDS
  ▪ Scans incoming network packets for specific byte sequence signatures stored in a database of known attacks
▪ State-matching IDS
  ▪ Scans for attack behaviors in the traffic stream itself rather than the presence of an individual packet signature
▪ Analysis engine methods
  ▪ Use anomalous behavior as the basis for their response
    • Example: Statistical anomaly-based IDS


Common Network-Based IDS (NIDS)

▪ Protocol anomaly-based methods
  ▪ Capable of using feedback from prior attempts to refine their approach
▪ Traffic anomaly-based methods
  ▪ Watch for unusual traffic activities, suddenly appearing on the network


Common Network-Based IDS (NIDS)

▪ Summary


Host-Based IDS (HIDS)

▪ Work through audit function and monitoring audit trails
▪ Types of events captured in an audit trail include:
  • Network connection event data
  • System-level event data
  • Application-level event data
  • User-level event data
  • Keystroke activity
▪ Primary issue: volume of data that must be examined


Security Assessments: Penetration Testing

▪ “Pen” testing denotes activities undertaken to identify and exploit security vulnerabilities
▪ Evaluates system security by attacking it
▪ Aimed at the security conditions that are the most common targets of intruders
▪ Three pen tests types:
  • Zero-knowledge – tester has no relevant information about the target
  • Partial-knowledge – tester may have some information about the target
  • Full-knowledge – tester has intimate knowledge of the target environment


Security Assessments: Penetration Testing

▪ Four pen-testing activities:
  1. Discovery
  2. Enumeration
  3. Vulnerability mapping
  4. User and privilege access
▪ Resultant report can help to identify:
  • System vulnerabilities
  • Gaps in security measures
  • IDS and intrusion response capability
  • Whether anyone is monitoring audit logs
  • How suspicious activity is reported
  • Potential countermeasures


Security Assessments: Penetration Testing

▪ Penetration-testing strategies can include:
  • Application testing
  • Denial of Service (DoS) testing
  • War dialing
  • Wireless network penetration testing
  • Social engineering
▪ Internal procedures focus on identifying anomalies in the internal IT environment and include:
  • Blind tests
  • Double-blind test
  • Targeted tests


Common Access Control Models

▪ Access control models enforce policies
▪ Must be specifically designed to embody the organization’s overall approach to security
▪ Three models in common use today:
  • Confidentiality/Classification-based models – Bell-LaPadula
  • Integrity-based models – Biba
  • Transaction-based models – Clark-Wilson


Classification-Based Security Models: Bell-LaPadula

▪ Framework that manages different classification levels.
▪ Intended to limit disclosure of information between dissimilar levels
▪ A multilevel security system
  • Uses a hierarchical classification structure


Classification-Based Security Models: Bell-LaPadula

▪ Bell-LaPadula
  ▪ Employs both mandatory and discretionary access control mechanisms
    • Implements two security rules
      1. “no-read-up”
      2. “no-write-down.”
  ▪ Classification level of object and access rights of the subject determine:
    • What data the subject is authorized to access
    • What they may do


Integrity-Based Security Models: Biba

▪ Formal approach centered on ensuring the integrity of subjects and objects in a system
▪ Primary objective
  • Limit the information modification


Integrity-Based Security Models: Biba

▪ Biba operates on two simple rules:
  1. A subject with a lower classification cannot write data to a higher classification
  2. A subject with a higher classification cannot read data from a lower classification
▪ Biba model called an information flow model
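Added example (not from the original slides): the Bell-LaPadula and Biba rules from the preceding slides written as label comparisons, with a small reference monitor that applies Bell-LaPadula's mandatory rules on top of a discretionary access list. The levels, subjects, objects and grants are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):            # constructed hierarchy, lowest to highest
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no-read-up, no-write-down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): lower cannot write to higher, higher cannot read from lower."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


# Constructed subjects, objects and discretionary grants.
CLEARANCE = {"alice": Level.SECRET, "bob": Level.CONFIDENTIAL}
CLASSIFICATION = {"ops_plan": Level.SECRET, "memo": Level.CONFIDENTIAL,
                  "press_release": Level.PUBLIC}
ACL = {
    ("alice", "ops_plan"): {"read", "write"},
    ("alice", "memo"): {"read", "write"},
    ("bob", "memo"): {"read"},
    ("bob", "ops_plan"): {"read", "write"},  # owner's grant; the mandatory rule still applies
}


def blp_monitor(subject: str, obj: str, op: str):
    """Decide one request: the discretionary grant AND the mandatory rule must both hold."""
    if op not in ("read", "write"):
        return False, "unknown operation"
    if op not in ACL.get((subject, obj), set()):
        return False, "no discretionary grant"
    if not blp_allows(CLEARANCE[subject], CLASSIFICATION[obj], op):
        return False, ("no-read-up" if op == "read" else "no-write-down")
    return True, "granted"


def same_labels_both_models():
    """Level pairs for which both models permit both read and write."""
    return [(s.name, o.name) for s in Level for o in Level
            if all(blp_allows(s, o, op) and biba_allows(s, o, op)
                   for op in ("read", "write"))]


if __name__ == "__main__":
    for request in [("bob", "ops_plan", "read"), ("bob", "ops_plan", "write"),
                    ("alice", "memo", "write"), ("alice", "press_release", "read")]:
        print(request, blp_monitor(*request))
    print(same_labels_both_models())
```

The two models are mirror images: enforcing both with a single set of labels leaves only same-level access, which is why systems that need confidentiality and integrity together keep separate labels for each.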


Transaction-Based Security Models: Clark-Wilson

▪ Uses transactions as the basis for decision making
▪ Defines two integrity levels:
  • Constrained data items (CDI) – the controlled assets
  • Unconstrained data items (UDI) – not deemed valuable enough to control
▪ Defines two types of processes to control CDIs:
  • Integrity verification processes (IVP) – ensure that the CDI meets specified integrity constraints
  • Transformation processes (TP) – change the state of data from one valid state to another


Transaction-Based Security Models: Clark-Wilson

▪ Validation of integrity is done to ensure that:
  • The data item being modified is valid
  • The results of the modification are valid
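Added example (not from the original slides): the Clark-Wilson terms from these two slides applied to a small ledger, where account balances are the CDIs, an incoming transfer request is a UDI, and the only way to change a balance is a transformation process that is checked by the IVP before and after. The `Ledger` class, account names and integrity constraints are constructed for illustration.

```python
class Ledger:
    """Constrained data items (CDIs): account balances whose sum must stay constant."""

    def __init__(self, balances):
        self._cdi = dict(balances)
        self.total = sum(self._cdi.values())
        self.audit = []  # (committed, reason) for every TP run

    def balances(self):
        return dict(self._cdi)

    def ivp(self, state=None):
        """Integrity verification process: no negative balance, total is conserved."""
        state = self._cdi if state is None else state
        return (all(isinstance(v, int) and v >= 0 for v in state.values())
                and sum(state.values()) == self.total)

    def tp_transfer(self, request):
        """Transformation process: apply an unconstrained request (UDI) to the CDIs,
        moving them from one valid state to another or leaving them untouched."""
        if not self.ivp():  # the data item being modified must itself be valid
            raise RuntimeError("CDIs fail the IVP; refusing to run the TP")
        try:
            src, dst, amount = request["from"], request["to"], request["amount"]
        except (KeyError, TypeError):
            return self._record(False, "malformed request")
        if src not in self._cdi or dst not in self._cdi or src == dst:
            return self._record(False, "unknown or identical account")
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            return self._record(False, "invalid amount")
        candidate = dict(self._cdi)
        candidate[src] -= amount
        candidate[dst] += amount
        if not self.ivp(candidate):  # the result of the modification must be valid
            return self._record(False, "result violates integrity constraints")
        self._cdi = candidate
        return self._record(True, "committed")

    def _record(self, committed, reason):
        self.audit.append((committed, reason))
        return committed


def demo():
    """Run constructed requests through the TP; return (results, balances, audit)."""
    ledger = Ledger({"ops": 100, "payroll": 50})
    requests = [
        {"from": "ops", "to": "payroll", "amount": 30},    # valid
        {"from": "ops", "to": "payroll", "amount": 500},   # would overdraw ops
        {"from": "ops", "amount": 5},                      # missing field
        {"from": "ops", "to": "payroll", "amount": -5},    # negative amount
    ]
    results = [ledger.tp_transfer(r) for r in requests]
    return results, ledger.balances(), ledger.audit


if __name__ == "__main__":
    print(demo())
```

If a balance is changed outside the TP, the next `ivp()` call fails and `tp_transfer` refuses to run, which is the "data item being modified is valid" check from the slide.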


Questions?

