7/24/2019 accesscontrolpresentation-130630194314-phpapp01
1/97
Access Control
Muhammad Wajahat Rajab
Protecting what needs to be protected with the available technologies!
Access control is the of Information Security!
Overview
Some Questions
What is Access? -- The right
What is the Access Mechanism? -- Flow of information between subject and object
What is Access Control? -- Mechanism to protect the assets!
Identification, Authentication, Authorization
Identification
Identification
Method of establishing the subject's identity
User, Program, Process
Use of username or other public information
Identification component requirements:
Each value should be unique
Follow a standard naming scheme
Non-descriptive of the user's position or tasks
Must not be shared between users
Authentication
Authentication
Method of proving the identity
How to prove an identity?
Something you know
Something you have
Something you are
Use of passwords, tokens, biometrics, or other private information
What is two-factor authentication? Strong authentication
Something you know
Traditional authentication method
Passwords
Protected string of characters
Most widely used
Types
Cognitive passwords
One time passwords (Dynamic passwords)
Passphrase
Cognitive passwords
Fact or opinion based information
Created through several experience based questions
Easy to remember!
A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.
One time passwords
Only used once
Used in sensitive cases and places
Examples include
Prepaid cards
Token devices
Token device generates the one-time password for the user to submit to an authentication server
Passphrase
Sequence of characters that is longer than a password -- thus a phrase
User enters this phrase into an application which transforms the value into a virtual password
Attacks against passwords
Electronic monitoring
Access the password file
Brute force attacks
Dictionary attacks
Social engineering
Shoulder surfing
Something you have
Requires possession of something such as a key, smart card, or some other device
Examples include
Keys
Documents
Token devices
Memory cards
Smart cards
Token device
Software/hardware hybrid object used to verify an identity in an authentication process
Token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad
Token device is separate from the computer the user is attempting to access
Token Device Benefits/Limitations
Benefits
Not vulnerable to electronic eavesdropping
Wiretapping
Sniffing
Provide two factor authentication
Limitations
Human error
Battery limitation
Token itself (Environmental factors)
Types of Token Devices
Synchronous Token
A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.
Asynchronous Token
A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.
Synchronous Token
Asynchronous Token Device
Memory Card
Holds information but cannot process
A memory card can hold a user's authentication information, so that the user only needs to type in a UserID or PIN.
Smart Card
Holds and processes information
After a threshold of failed login attempts, it can render itself unusable
PIN or password unlocks smart card functionality
Smart card could be used for:
Holding biometric data in template
Responding to challenge
Holding private key
Types of Smart Card
Contact
Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated)
Through these physical contact points, transmission of commands, data, and card status takes place
Contactless
Requires only close proximity to a reader
Both the reader and the card have an antenna, and it is via this contactless link that the two communicate
Smart Card attacks
Micro-probing techniques
Eavesdropping techniques
Trojan Horse attacks
Social engineering attacks
Something you are
Special case of something you have
Unique personal attribute is analyzed
Encompasses all biometric techniques
Fingerprints
Retina scan
Iris scan
Hand geometry
Facial scan
Biometric System
A characteristic based system
Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process
Uses individual's unique physical characteristics in order to identify and authenticate
Each has its own advantages and disadvantages
Fingerprints
Every person's fingerprint is unique
Most affordable and convenient method of verifying a person's identity
The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.
Retina Scan
Retinal scan technology maps the capillary pattern of the retina
A thin (1/50th inch) nerve on the back of the eye!
Accurate
Many people are hesitant to use the device
Iris Scan
Scans the iris or the colored portion of the eye
For authentication the subject looks at the video camera from a distance of 3-10 inches
The entire enrollment process is less than 20 seconds, and subsequent identification takes 1-2 seconds.
Offers high accuracy!
Hand Geometry
Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.
Takes over 90 measurements of the length, width, thickness, and surface area of a person's hand and fingers.
Hand measurements occur with amazing speed, almost within one second.
A charge coupled device (CCD) digital camera is used to record the hand's three dimensional shape.
Keyboard Dynamics
Looks at the way a person types at a keyboard
Also called Typing Rhythms!
Keyboard dynamics measures two distinct variables:
Dwell time: The amount of time one holds a particular key
Flight time: The amount of time one moves between the keys
Keyboard dynamic system can measure one's keyboard input up to 1000 times per second!
Voice Print
A voice reference template is constructed
To construct, an individual must speak a set of phrases several times as the system builds the template.
Voice identification systems incorporate several variables including pitch, dynamics, and waveform.
Facial Scan
Incorporates two significant methods: Detection and Recognition
Detection involves locating the human face within an image. Recognition is comparing the captured face to other faces that have been saved and stored in a database.
Facial Scan -- Process
Biometric Performance
Biometric performance is most commonly measured in two ways:
False Rejection Rate (FRR) -- Type 1
False Acceptance Rate (FAR) -- Type 2
The FRR is the probability that you are not authenticated to access your account.
The FAR is the chance that someone other than you is granted access to your account.
Crossover Error Rate
Crossover Error Rate (CER) value is when Type 1 and Type 2 errors are equal.
(Type 1 = Type 2 errors) = CER metric value
System ABC has 1 out of 100 Type 1 errors = 1%
System ABC has 1 out of 100 Type 2 errors = 1%
System ABC CER = 1
The lower the CER value, the higher the accuracy
System with a CER of 5 has greater accuracy than a system with CER of 6
CER Concept
Authorization
Authorization
Controls
Types of Access Controls
There are three types of Access Controls:
Administrative controls
Define roles, responsibilities, policies, and administrative functions to manage the control environment.
Technical controls
Use hardware and software technology to implement access control.
Physical controls
Ensure safety and security of the physical environment.
Administrative Controls
Ensure that technical and physical controls are understood and properly implemented
Policies and procedures
Security awareness training
Asset classification and control
Employment policies and practices (background checks, job rotations, and separation of duties)
Account administration
Account and log monitoring
Review of audit trails
Technical Controls
Examples of Technical Controls are:
Encryption
Biometrics
Smart cards
Tokens
Access control lists
Violation reports
Audit trails
Network monitoring and intrusion detection
Physical Controls
Examples of Physical Controls are:
HVAC
Fences, locked doors, and restricted areas
Guards and dogs
Motion detectors
Video cameras
Fire detectors
Smoke detectors
Categories of Access Controls
Preventive: Avoid incident
Deterrent: Discourage incident
Detective: Identify incident
Corrective: Remedy circumstance/mitigate damage and restore controls
Recovery: Restore conditions to normal
Compensating: Alternative control
Directive
Categories of Access Controls
Administrative Preventive Controls
Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness
Risk assessments and analysis
Creating a security program
Separation of duties
Administrative Detective Controls
Job rotation
Sharing responsibilities
Inspections
Incident response
Use of auditors
Technical Preventive Controls
Passwords
Biometrics
Smart cards
Encryption
Database views
Firewalls
ACLs
Anti-virus
Technical Detective Controls
IDS
Reviewing audit logs
Reviewing violations of clipping levels
Forensics
Physical Preventive Controls
Badges
Guards and dogs
CCTV
Fences, locks, man-traps
Locking computer cases
Removing floppy and CD-ROM drives
Disabling USB port
Physical Detective Controls
Motion detectors
Intrusion detectors
Video cameras
Guard responding to an alarm
Jotting them together
Centralized Access Control Methodologies
Centralized Access Control Methodologies
(ISC)2 discusses the following methodologies:
RADIUS -- Remote Authentication Dial-In User Service
TACACS -- Terminal Access Controller Access Control Systems
DIAMETER
RADIUS
Provides centralized authentication, authorization and accounting management for network services
Works on a Client/Server model
Functions:
To authenticate users or devices before granting them access to a network
To authorize users or devices for certain network services
To account for usage of services used
RADIUS Process
RADIUS Implementation
TACACS
TACACS has been through three generations: TACACS, XTACACS and TACACS+
TACACS uses passwords for authentication
TACACS+ allows users to use dynamic (one-time) passwords
TACACS+ encrypts all the data
TACACS uses UDP
TACACS+ uses TCP
TACACS at Work
Diameter
"New and improved" RADIUS
RADIUS is limited in its methods of authenticating users
Diameter does not encompass such limitations
Can authenticate wireless devices and smart phones
Open for future growth
Users can move between service provider networks and change their points of attachment
Single Sign-On Technologies
Single Sign On (SSO)
A system that enables a user to access multiple computer platforms
User logs in just once
Access granted to permitted resources
The single login remains valid until the user logs out
Examples include:
Kerberos
SESAME
Security Domains
Thin Clients
Kerberos
A computer network authentication protocol
Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner.
Principals
Any user or service that interacts with a network
Term that is applied to anything within a network that needs to communicate in an authorized manner
Kerberos components
Components of Kerberos:
Key Distribution Center (KDC)
Holds all of the principals' secret keys
Principals authenticate to the KDC before networking can take place
Authentication Server (AS)
Authenticates user at initial logon
Generation of initial ticket to allow user to authenticate to local system
Ticket Granting Service (TGS)
Generates tickets to allow subjects to authenticate to each other
Kerberos Process
SESAME
Secure European System for Applications in a Multi-Vendor Environment
Uses symmetric and asymmetric cryptographic techniques
Uses Privileged Attribute Certificates (PACs)
PACs are generated by the Privileged Attribute Server (PAS)
After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!
SESAME Process
Security Domains
Based on trust between resources or services on a domain that share a single security policy and single management
The security policy defines the set of objects that each user has the ability to access
A similar mission and single point of management responsibility
Security Domains -- Bulls Eye View
Thin Clients
Diskless computers are called dumb terminals or thin clients
Client/Server technology forces users to log onto a central server just to be able to use the computer and access network resources.
Server downloads the Operating System, or interactive operating software, to the terminal
Access Control Models
Access Control Models
Frameworks that dictate how subjects access objects
Three Main Types
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role Based Access Control (RBAC)
Discretionary Access Control
Allows the owner of the resource to specify which subjects can access which resources
Access control is at the discretion of the owner
DAC defines an access control policy that restricts access to files and other system resources based on identity
DAC can be implemented through Access Control Lists (ACLs)
Access Control Matrix
Access Control Lists (ACLs)
Specifies the list of subjects that are authorized to access a specific object
Capability Lists
Specifies the access rights a certain subject possesses pertaining to specific objects
Access Control Matrix
Mandatory Access Control
Based on security label system
Users given security clearance and data is classified
Used where confidentiality is of utmost importance
MAC is considered a policy based control
Every object and subject is given a sensitivity label
Classification level
Secret, Top secret, Confidential, etc
Category
Information warfare, Treasury, UN, etc
Mandatory Access Control
Subject            Classification level   Category
Umair              Secret                 Finance
Tayyeb             Secret                 HR

Object             Classification level   Category
Finance records    Secret                 Finance
Employee records   Secret                 HR
Role Based Access Control
Uses centrally administered set of controls to determine how subjects and objects interact
Decisions based on the functions that a user is allowed to perform within an organization
An advantage of role based access controls is the ease of administration
Capability tables are sometimes seen in conjunction with role-based access controls
Best for high-turnover organizations
Access Control Techniques
Access Control Techniques
Rules Based Access Control
Constrained User Interface
Content Dependent Access Control
Context Dependent Access Control
Penetration Testing
Muhammad Wajahat Rajab
ACE, CISSP (Associate), BS (TE)
Introduction
Process of simulating attacks on Information Systems
At the request of the owner, senior management
Uses set of procedures and tools designed to test security controls of a system
Emulates the same methods attackers use
Steps
Discovery
Enumeration
Vulnerability mapping
Exploitation
Report to management
Step 1
Discovery: Gathering information about the target
Reconnaissance types:
Passive
Active
Step 2
Enumeration: Performing port scans and resource identification methods
Gaining specific information on the basis of information gathered during reconnaissance
Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on
Step 3
Vulnerability Mapping: Identifying vulnerabilities in identified systems and resources
Based on these vulnerabilities attacks are carried out
Step 4
Exploitation: Attempting to gain unauthorized access by exploiting the vulnerabilities
Step 5
Report to management: Delivering to management documentation of test findings along with suggested countermeasures
Types
Zero knowledge
Partial knowledge
Full knowledge
Questions
Question 1
Which of the following refers to a series of characters used to verify a user's identity?
A. Token Serial number
B. UserID
C. Password
D. Security ticket
Question 2
Which type of access control allows owners to specify who can access their files?
A. Discretionary
B. Relational
C. Mandatory
D. Administrative
Question 3
The three primary methods for authentication of a user to a system or network are?
A. Passwords, Tokens, and Biometrics
B. Authorization, Identification, and Tokens
C. Passwords, Encryption, and Identification
D. Identification, Encryption, and Authorization
Thank You!