IST 712: 9/13/10 Controlling Access to Systems, Functions, Etc.

Date post: 25-Dec-2015
Upload: gabriel-butler

Transcript
Page 1: IST 712: 9/13/10 Controlling Access to Systems, Functions, Etc.

IST 712: 9/13/10 1

Controlling Access to Systems, Functions, Etc.


Objectives: September 13, 2010

• Quickly review previous discussions/demos
  – Key topics: secret key/public key encryption approaches, digital signature vs. digital certificate, SSL/TLS
  – Demo: TrueCrypt encryption

• Consider issues and potential vulnerabilities associated with access control, including…
  – Identification, authentication, and authorization
  – Control concepts: separation of duties, least privilege, etc.
  – Access control attack types (high level only)
  – Access control measures
  – Testing access control


Demo: L0phtcrack 5.0 Password Cracker

• We’ll start and allow the process to “churn” during class and check in from time to time.

• I’ll explain the process I’ve used later in our discussion.


TrueCrypt

• Freeware data encryption product (http://www.truecrypt.com)

• I use it personally, especially for portable data

• Easy to use and reliable

• Allows access to encrypted (while “mounted”) and unencrypted portions of the drive

• See Project 5-3, page 192

[Screenshot: flash drive with course info mounted as logical local drive Q:\]


Access Control Concepts

• Identification – An unproven assertion of identity to a system (or other entity)

• Authentication – A “test” which verifies that identity

• Authorization – The right, privilege, permission, etc., for access to a resource

• Accountability – The system’s ability to identify actions and tie them to an individual user (or program or function, etc.)


Authentication Approaches

• Proving identity

– Most operating systems require users to enter a userid and a password to “prove” identity

– Some other forms of authentication are allowed:

• Biometric logins

• Digital certificates

• Pass-through authentication, e.g., PAM (pluggable authentication modules), which lets the login process hand verification to a configured back end


Authentication Methods

• Something you know

– Userid & password, the most common approach

• Something you have

– Token, smart cards, USB key, etc.

• Something you are

– Biometrics of some sort

– Fingerprint, iris scan, hand or facial geometry, voice recognition, etc.


Password Storage/Use (Systems)

• Typically in a database of some sort
  – Windows SAM database, /etc/passwd, /etc/shadow

• Userids are often in plaintext

• Passwords are most often encrypted or hashed
  – If encrypted, they can be retrieved in some cases (a “forgot password” option that mails back the old password, for example)
  – If hashed, they cannot be retrieved and must be replaced

• The submitted password is hashed, and the userid/hash pair is compared to the stored userid/hash

Password Thoughts

• Should be secret

• Should NOT be shared
  – Which concept is violated…for certain…if shared?

• Should NOT be written where others can find it
  – Exceptions?

• Can be stored in an encrypted file or vault
  – Risks?


Authentication Risks

• Risk: Poor passwords
  – Human nature: complex passwords are difficult to remember
  – Default passwords within operating systems
  – Intruders use automated software that attempts different userid/password combinations

• Risk: Passwords can be sniffed
  – Passwords that pass in clear-text can be read by intruders
  – No requirement to guess the password…just read it!
  – Recall our FTP demo

Authentication Risks

• Risk: Password hashes can be broken
  – Dictionary attack, brute force attack
  – Or…often…a hybrid approach

[Figure: candidate passwords are run through the hash (labelled “Encryption” in the original diagram) and compared with the stored value. Brute force attack: a, ab, … , jayhawks → 8F3C254A1866550F3AB81795…, 63A60F231E44…. Dictionary attack: jayhawks, twister, winter → 63A60F231E44…, F90456A6B722…, 02E3FF84290F…; “jayhawks” hashes to the stored 63A60F231E44 and is recovered.]
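The storage and attack slides above describe the mechanics in words; the following added example (written for this page, not code from the course or from L0phtcrack) runs them. It stores a password two ways, a single unsalted MD5 as many legacy systems did, and a salted, iterated PBKDF2 record as a hardened system does, then runs the three attack styles the slide names against the legacy hash. The wordlist, the mangling rules and the guess rate used for the “time to crack” estimate are constructed assumptions; the estimate supports the later “Change My Password…Again?” argument, where lengthening the password is compared with changing it more often.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterable, Iterator, Optional

# Constructed wordlist in the spirit of the slide's "jayhawks / twister /
# winter" diagram. It is not the list used in the class demo.
WORDLIST = ["winter", "twister", "jayhawks", "password", "letmein"]


def unsalted_md5(password: str) -> str:
    """Legacy storage: one fast, unsalted hash. This is the kind of value a
    dumped SAM or password file would hold, and what the attacks below recover."""
    return hashlib.md5(password.encode()).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Hardened storage: random per-user salt plus an iterated derivation
    (PBKDF2-HMAC-SHA256). Two users with the same password get different
    records, and every guess costs `iterations` hash operations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_attack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each word once and compare with the stolen hash."""
    for word in wordlist:
        if unsalted_md5(word) == target_hash:
            return word
    return None


def mangle(word: str) -> Iterator[str]:
    """Hybrid-attack rules (assumed): the word, capitalised, with a numeric
    suffix 0..99, and with the common substitutions o->0, a->@, e->3."""
    yield word
    yield word.capitalize()
    for n in range(100):
        yield f"{word}{n}"
    yield word.replace("o", "0").replace("a", "@").replace("e", "3")


def hybrid_attack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    for word in wordlist:
        for candidate in mangle(word):
            if unsalted_md5(candidate) == target_hash:
                return candidate
    return None


def brute_force_attack(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Enumerate a, b, ..., aa, ab, ... up to max_len characters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if unsalted_md5(guess) == target_hash:
                return guess
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Candidates a brute force must try to exhaust every length up to max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case 'time to crack' for a given alphabet, length and guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(unsalted_md5("jayhawks"), WORDLIST))
    print("hybrid:", hybrid_attack(unsalted_md5("jayhawks7"), WORDLIST))
    print("brute force:", brute_force_attack(unsalted_md5("ab"), string.ascii_lowercase, 3))
    # Assumed guess rate of 1e9/s against an unsalted fast hash: going from
    # 8 to 12 lower-case characters turns minutes into years.
    for n in (8, 12):
        print(f"{n} lower-case chars: {seconds_to_exhaust(26, n, 1e9) / 86400:.1f} days")
    rec = make_salted_record("winter")
    print("salted verify:", verify_salted(rec, "winter"), verify_salted(rec, "Winter"))
```

The salted record is the control for the slide's risk: the attacker can still run the same three attacks, but each guess now costs the full iteration count and has to be repeated per user, because identical passwords no longer produce identical stored values.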

Authentication Controls

• Know where hashes can be found. Protect!
  – Can be sniffed via the wire
  – Hashes are often made available in clear-text
  – Sensitive files on host computers

• Employ lockout feature
  – Three (or other number) “strikes” and the account is locked out
  – Available in Windows but not enabled as a default

Authentication Controls

– Set and enforce password policies
  • Increase length…Windows > 14 characters (a password longer than 14 characters cannot be stored as the weak LM hash, which is the hash tools like L0phtcrack crack first)
  • Use upper/lower case, numbers, special characters
  • Use less predictable substitutions
    – 0 → () (two characters substitute for one)
    – M → /\/\ (four special characters for one alpha character)
  • Non-dictionary words, misspellings
  • Change regularly but don’t recycle
  • Consider “pass phrases” rather than passwords

– Avoid sending passwords in clear-text
  • Recall FTP demo
  • If you must, anticipate and use “throw away” passwords

Authentication Controls

– Train workforce and reinforce with leadership
  • Strong passwords on Post-It notes are NOT strong passwords
  • Strong passwords shared with co-workers cease to be strong passwords
  • Strong passwords passed via telephone or unencrypted email are subject to compromise

– Use advanced authentication technologies
  • Biometrics, smart cards, two-factor authentication


Two Factor Authentication

• First factor: what user knows

• Second factor: what user has

– Password token

– USB key

– Digital certificate

– Smart card

• Superior to userid/password

Biometric Authentication

• Stronger than userid + password
• Often presented as stronger than two-factor, but best used as one factor among several: unlike a password, a compromised fingerprint or iris exemplar cannot be replaced
• Issues:
  – Sensitivity (tuning between false accepts and false rejects)
  – Exemplar collection/storage
  – Cost
  – Changes in characteristics

Other Authentication Issues

• Consistency of user credentials across multiple environments
  – Variations in system capabilities
  – Multiple passwords: user and management challenges

• Password reset issues/methods

• Compromised password management/handling

• “Trust relationships”

Authentication: Trust

• Trust is extended when a system or process allows access without authentication

• Can occur with “remote shares”
  – Drive is shared “remotely”…with another computer…over a network, even the Internet
    • Peer-to-peer clients
    • Windows “File & Print Sharing”
  – Sharing is often broader than realized, or can be extended by an intruder

Authentication: Trust

• Programs can “call”/trust other programs
  – Can be especially insidious with “scheduled jobs”
  – “Cascading trust” complicates matters
    • Program A trusts Program B
    • But Program B trusts Program C…and so forth
    • A vulnerability in Program C (or D, E, F…) can lead to a compromise

• Control: Audit trust regularly
  – Know where trust relationships exist
  – Ensure each is “business critical”
  – Limit trust relationships to the greatest degree possible
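The audit step in the control above is a graph problem: each system knows whom it trusts directly, but the exposure comes from the chain. The following added example (written for this page; the systems and trust edges are constructed, not from the course) walks the chain in both directions, listing everything a system ends up trusting and everything an intruder reaches from a single compromised node, and reports the indirect trusts that nobody granted on purpose.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed trust map (assumption, not from the deck). "A": ["B"] means
# A trusts B: A accepts B's calls or data without further authentication,
# so whoever controls B can act on A.
TRUST: Dict[str, List[str]] = {
    "hr-portal": ["payroll-app"],
    "payroll-app": ["report-service"],
    "report-service": ["backup-job"],   # a nightly scheduled job
    "backup-job": ["file-share"],
    "file-share": [],
}


def reachable(graph: Dict[str, List[str]], start: str) -> Set[str]:
    """Breadth-first walk from `start`. The visited set also terminates the
    walk when trust is circular (A trusts B, B trusts A)."""
    seen: Set[str] = set()
    queue = deque(graph.get(start, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def trusted_transitively(trust: Dict[str, List[str]], system: str) -> Set[str]:
    """Everything `system` effectively trusts, explicit grants included."""
    return reachable(trust, system)


def blast_radius(trust: Dict[str, List[str]], compromised: str) -> Set[str]:
    """Everything an intruder holding `compromised` can reach: every system
    that trusts it directly or through the chain. Built on the reversed graph."""
    reverse: Dict[str, List[str]] = {}
    for src, targets in trust.items():
        for target in targets:
            reverse.setdefault(target, []).append(src)
    return reachable(reverse, compromised)


def audit_trust(trust: Dict[str, List[str]], critical: List[str]) -> Dict[str, List[str]]:
    """For each critical system, list trusts it never granted explicitly; these
    are the ones an owner is least likely to call 'business critical'."""
    findings: Dict[str, List[str]] = {}
    for system in critical:
        explicit = set(trust.get(system, []))
        implicit = trusted_transitively(trust, system) - explicit
        if implicit:
            findings[system] = sorted(implicit)
    return findings


if __name__ == "__main__":
    print("hr-portal effectively trusts:", sorted(trusted_transitively(TRUST, "hr-portal")))
    print("compromise of file-share reaches:", sorted(blast_radius(TRUST, "file-share")))
    print("audit findings:", audit_trust(TRUST, ["hr-portal", "payroll-app"]))
```

Run against a real inventory, the `blast_radius` view is the one to sort by: the least-protected node with the largest radius is where the cascading-trust risk actually sits.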


Demo: Windows File & Sharing Permissions

Access Control Technologies

• LDAP (Lightweight Directory Access Protocol)
• Active Directory
• RADIUS (Remote Authentication Dial In User Service)
• Diameter
• TACACS (Terminal Access Controller Access Control System)
• Kerberos
• Single Sign-on
• Reduced Sign-on

Good news! These are provided for exposure to terms only!

L0phtcrack 5.0 Demo

• Process:
  – Batch file to create accounts using bogus users and old passwords the class provided
  – Apply tool to “dump” SAM database
    • Required “administrator” access
  – Import results of dump into L0phtcrack

• Observations/Questions:
  – Which passwords were most quickly cracked?
  – Have all been cracked? If not, what’s common to those NOT cracked?
  – What types of cracks has L0phtcrack employed?
  – Might a different tactic provide more cracked passwords?

• Who might use the L0phtcrack tool in business?

Change My Password…Again?

• All passwords are theoretically “crackable”…with time, often LOTS of time!

• Goal of change frequency is to keep time of use inside “crack time”

• Two ways to accomplish:
  – Lengthen “crack time” by strengthening the password
  – Change the password more frequently

[Figure: timeline comparing “time to crack” against the lifetime of the current password and the switch to a new password]

Access Attacks/Counters

• Buffer overflow
  – Programming flaw. Discussed more with applications.
  – Counter: programming care and standards

• Script injection
  – Web application programming flaw
  – Similar in some respects to buffer overflow (both arise from unchecked input). Addressed later.
  – Counter: programming care and standards

• Data remanence
  – Data is not gone because it’s been “deleted”. Can still be accessible.
  – Counter: employee education; recycling standards for storage media

Access Attacks/Counters

• Denial of service
  – Single-source (DoS) or distributed (DDoS), launched from many locations
  – Counter: very limited

• Dumpster diving
  – Retrieving sensitive information from trash
  – Counter: administrative controls; employee education

• Eavesdropping
  – Network sniffing (wired or wireless)…more later
  – “Shoulder surfing”
  – Mobile calls and/or public conversations
  – Counter: sniffing detection (limited); employee education

Access Attacks/Counters

• Emanations
  – Electromagnetic radiation (EMR) from monitors, cables
  – Counter: education/understanding of specific risks; some electronic protections where warranted

• Spoofing/masquerading
  – False IP addresses, stealing “cookies”, etc.
  – Counter: firewall sophistication; awareness; effective web application development

• Social engineering
  – Phishing, “spear phishing”, “whaling”, “pharming”
  – Counter: education; email filtering

Access Attacks/Counters

• Password guessing/cracking
  – Discussed earlier
  – Counter: also previously discussed

• Malicious code (aka malware)
  – Viruses, Trojan horses, worms
  – Counter:
    • Firewalls; antivirus software; anti-spyware software; user education
    • More in the next block, application security

Authorization

• The follow-on question to authentication: “What can you do?”
  – Once a user is authenticated, the associated authorization level determines what he/she can do
  – Synonyms: rights, privileges, permissions, etc.

• Operating systems can grant privileges to users based on several mechanisms:
  – Type of userid (administrative users have more access than guest users)
  – Group memberships: if a userid belongs to a privileged group, it inherits the privileges of the group
  – Direct grants: a user, “Joe Somebody”, can do backups

Authorization Risks

• Risk: Users assigned the wrong privileges
  – Cause: Oversight or misconfiguration
    • Joe Roberts (jroberts) was a system administrator…but left the company (assume no action taken)
    • Jessica Robertson is a new hire; requests “jrobertson” for userid but it is truncated to “jroberts” due to length, local policy
    • Jessica inherits the admin privileges associated with the userid
  – Cause: Lack of administrative discipline
    • Jessica arrives…system administrator is overworked
    • Rather than “granular” permissions, Jessica receives “blanket” authorizations
  – Question: Does this imply that group permissions are bad??

Authorization Risks

  – Cause: Accumulated authorizations
    • Mary T began in accounting → Authorization Set #1
    • Mary promoted to supervisor → Authorization Set #2
    • Mary reassigned to internal audit → Authorization Set #3
    • Mary later assumes role as project manager → Authorization Set #4
    • And so on…
    • Mary has accumulated (assuming no revocation actions) multiple authorizations…many likely inappropriate to her current position

Authorization Risks

• Risk: Processes assigned high privileges
  – Authorization pertains to programs & processes, not simply users
  – Processes (such as a backup process, web service, etc.) can be assigned higher privileges than required
  – Intruder breaks the process to gain the process’s privileges
    • Example: buffer overflows, covered later
  – Higher privileges = greater potential impact/damage

Authorization Controls

• Consistent, effective actions associated with hiring, transfer, termination, etc.

• Periodic audits of group memberships, permissions, etc.

• Regular review of privileges assigned to people and processes
  – Minimum privileges consistent with business needs
  – Limiting privileges can generate…
    • Administrative load
    • Potential employee ill will
  – …and so can be overlooked or disregarded

Key Concept

• Principle of Least Privilege
  – Any user, program, or process receives the minimum privileges <routinely> required
  – Add permissions as justified
  – Remove/disable when no longer needed
  – In other words, start with nothing and add when needed, delete when unneeded

• Again…what issues will this approach sometimes generate?

• Security is always in tension with efficiency & cost
  – What if a company can’t afford to do all it would really like to do? What might be “next best”?
  – We’ll address shortly

Another Key Concept

• Separation (or Segregation) of Duties
  – No single user should have privileges that would allow unaided completion of a key business or technical process
  – Important functions should be divided to require the involvement of different individuals or functional groups
  – Examples: software changes, creation of computer/client accounts, financial transactions

• Once again, though, security is always in tension with efficiency & cost
  – What if a company can’t afford to do all it would really like to do? What might be “next best”?
  – Once again…response upcoming
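The authorization risks and the two key concepts above (wrong privileges through userid reuse, accumulated authorizations, least privilege, separation of duties) are all questions that a periodic entitlement review can answer mechanically. The following added example (written for this page, not code from the course) does that over a constructed account list modelled on the Joe Roberts and Mary T stories. The role baselines, group names, separation-of-duties pairs and the 8-character userid limit are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Account:
    userid: str
    owner: str
    status: str        # "active" or "terminated"
    role: str          # current job role
    groups: Set[str]   # group memberships actually held


# Assumed baseline: the groups each role routinely needs (least privilege).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "sysadmin": {"Domain Admins", "Backup Operators"},
    "accounting": {"AP-Clerks"},
    "supervisor": {"AP-Clerks", "AP-Approvers"},
    "internal-audit": {"Audit-Readers"},
    "project-mgr": {"Project-Users"},
}

# Assumed separation-of-duties rules: no single userid may hold both groups.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("AP-Clerks", "AP-Approvers"),       # enter and approve the same payment
    ("Domain Admins", "Audit-Readers"),  # administer the systems and audit them
]

# Constructed accounts: Joe left with no action taken; Mary kept every set.
ACCOUNTS: List[Account] = [
    Account("jroberts", "Joe Roberts", "terminated", "sysadmin",
            {"Domain Admins", "Backup Operators"}),
    Account("maryt", "Mary T", "active", "project-mgr",
            {"AP-Clerks", "AP-Approvers", "Audit-Readers", "Project-Users"}),
    Account("bsmith", "Bob Smith", "active", "accounting", {"AP-Clerks"}),
]

USERID_MAX_LEN = 8  # assumed local policy that truncates requested userids


def orphaned_accounts(accounts: List[Account]) -> List[str]:
    """Terminated owners whose userids still carry privileges."""
    return [a.userid for a in accounts if a.status == "terminated" and a.groups]


def excess_privileges(accounts: List[Account], baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Groups held beyond the current role's baseline: accumulated authorizations."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        extra = a.groups - baseline.get(a.role, set())
        if extra:
            report[a.userid] = sorted(extra)
    return report


def sod_violations(accounts: List[Account], conflicts: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Userids that could complete a controlled process unaided."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for a in accounts:
        hits = [pair for pair in conflicts if pair[0] in a.groups and pair[1] in a.groups]
        if hits:
            report[a.userid] = hits
    return report


def provision(accounts: List[Account], requested_userid: str, owner: str, role: str,
              baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> Account:
    """Create an account with only the role's baseline groups, and refuse to
    reuse a userid silently. Truncation is applied first, exactly as the
    slide's policy did, so the collision is caught instead of inherited."""
    userid = requested_userid[:USERID_MAX_LEN]
    existing = {a.userid: a for a in accounts}
    if userid in existing:
        clash = existing[userid]
        raise ValueError(
            f"userid {userid!r} already belongs to {clash.owner} ({clash.status}); deprovision it first")
    account = Account(userid, owner, "active", role, set(baseline.get(role, set())))
    accounts.append(account)
    return account


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS))
    print("excess:", excess_privileges(ACCOUNTS, ROLE_BASELINE))
    print("SoD:", sod_violations(ACCOUNTS, SOD_CONFLICTS))
    try:
        provision(ACCOUNTS, "jrobertson", "Jessica Robertson", "accounting")
    except ValueError as err:
        print("blocked:", err)
```

The three report functions are the periodic audit from the Authorization Controls slide; `provision` is the hiring-time control, and it answers the slide's question about group permissions: groups are fine, as long as membership is derived from the current role rather than inherited from whoever held the userid before.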

Risk: Critical Files & Directories

• Some files constitute the “crown jewels” on a system

• Compromise can have dire consequences, leading to system or data compromise
  – Files containing password hashes
  – Group memberships
  – Startup & shutdown scripts
  – Configuration files
  – Sensitive data files

• Controls
  – Identify all critical files and directories
  – Ensure only authorized users can access and/or modify these files and directories

Types of Controls

• Technical controls
  – Authentication, access control lists (ACLs), firewalls, encryption, remote access software, anti-virus/anti-spyware software

• Physical controls
  – Key card access, video surveillance, alarm systems

• Administrative controls
  – Policies (operating policies, security policies, system acceptable use policies, etc.)

Categories of Controls

• Detective
  – Surveillance, logs, intrusion detection systems, etc.

• Deterrent controls
  – Guards, signs, visible surveillance equipment, barbed/razor wire perimeter fencing
  – Can also be detective, preventive

• Preventive
  – Firewalls, anti-virus, intrusion prevention systems, fencing, bollards

• Corrective controls
  – Controls implemented to prevent recurrence of an exploit or repeat of an event


Categories of Controls

• Recovery controls

– Also, post-incident. Actions to restore normal system operation

• Compensating controls

– “Compensating” refers to WHY a control is implemented

– Actions taken to compensate when another control cannot be put in place or fails in some way

• Layered, heterogeneous control mixes provide the defense in depth concept introduced earlier

Access Control Testing

• Penetration testing (aka “pen testing”)
  – Seeks to detect system defects, often exploitable vulnerabilities…technical and/or physical
  – Fair number of automated tools available to aid the process
  – Caution required to avoid unintended consequences

• Application vulnerability testing
  – Range of vulnerability scanning applications available
  – Seeks to identify issues with software and web applications that can be maliciously exploited

• Audit log analysis
  – Regular review of selected system event and audit logs to detect unexplained or suspicious activity
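Audit log analysis is listed above as a test, and the lockout feature was listed earlier as a control; the following added example (written for this page, not code from the course) ties the two together on a constructed authentication log. The log format, the userids and the source addresses are assumptions. The example replays the log under a “three strikes” lockout to show what the preventive control would have stopped, and then applies two detective checks that a log review should run even where lockout is enabled: a success that follows a burst of failures for the same userid, and one source failing against many different userids, which per-user lockout never catches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log excerpt (assumption). It hides three stories: a user who
# mistyped once, a burst of failures against a stale admin userid that ends
# in a success, and one source trying several userids once each.
SAMPLE_LOG = """\
2010-09-13T09:00:01 LOGIN_FAIL user=bsmith src=10.1.1.7
2010-09-13T09:00:05 LOGIN_OK user=bsmith src=10.1.1.7
2010-09-13T09:10:00 LOGIN_FAIL user=jroberts src=198.51.100.9
2010-09-13T09:10:02 LOGIN_FAIL user=jroberts src=198.51.100.9
2010-09-13T09:10:04 LOGIN_FAIL user=jroberts src=198.51.100.9
2010-09-13T09:10:06 LOGIN_FAIL user=jroberts src=198.51.100.9
2010-09-13T09:10:09 LOGIN_OK user=jroberts src=198.51.100.9
2010-09-13T09:20:00 LOGIN_FAIL user=maryt src=203.0.113.4
2010-09-13T09:20:01 LOGIN_FAIL user=bsmith src=203.0.113.4
2010-09-13T09:20:02 LOGIN_FAIL user=jessica src=203.0.113.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log: str) -> List[dict]:
    """Parse the assumed line format; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def simulate_lockout(events: List[dict], threshold: int = 3,
                     window: timedelta = timedelta(minutes=15),
                     duration: timedelta = timedelta(minutes=30)) -> Tuple[list, list]:
    """Replay the log under a 'three strikes in 15 minutes' policy. Returns the
    lockouts that would have fired and every attempt (successes included)
    that the lock would have rejected."""
    failures = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    locks, rejected = [], []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user in locked_until and ts < locked_until[user]:
            rejected.append((user, ts, ev["event"]))
            continue
        if ev["event"] == "LOGIN_OK":
            failures[user].clear()
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked_until[user] = ts + duration
            locks.append((user, ts))
            q.clear()
    return locks, rejected


def successes_after_failures(events: List[dict], threshold: int = 3,
                             window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Detective check: a success preceded by >= threshold failures for the
    same userid inside `window` looks like a guessed password, not a typo."""
    recent = defaultdict(deque)
    flagged = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()
        if ev["event"] == "LOGIN_FAIL":
            q.append(ts)
        elif len(q) >= threshold:
            flagged.append({"user": user, "src": ev["src"], "ts": ts, "failures": len(q)})
            q.clear()
    return flagged


def password_spray(events: List[dict], min_users: int = 3) -> Dict[str, List[str]]:
    """Detective check: one source failing against many distinct userids.
    Per-user lockout never fires here, so only the log review sees it."""
    by_src = defaultdict(set)
    for ev in events:
        if ev["event"] == "LOGIN_FAIL":
            by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= min_users}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("lockouts, rejected:", simulate_lockout(events))
    print("success after failures:", successes_after_failures(events))
    print("spray sources:", password_spray(events))
```

On the sample, the lockout would have fired on the stale `jroberts` userid at the third failure and rejected the success that followed; without it, only the log review catches that login, and only the log review sees the spray from 203.0.113.4 at all.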

Objectives: September 13, 2010

• Quickly review previous discussions/demos
  – Key topics: secret key/public key encryption approaches, digital signature vs. digital certificate, SSL/TLS
  – Demo: TrueCrypt encryption

• Consider issues and potential vulnerabilities associated with access control, including…
  – Identification, authentication, and authorization
  – Control concepts: separation of duties, least privilege, etc.
  – Access control attack types (high level only)
  – Access control measures
  – Testing access control

Upcoming Meetings

• September 20
  – Guest speaker: TBA (may move to another date)
  – Begin discussion of application security topics

• September 27
  – Conclude application security coverage
  – Complete a high level, topical review for Exam 1

• Please come with YOUR questions

• October 4
  – Exam 1
  – Only activity planned