
Access Control

Slide 1 of 71
James Moore
Information Security Operations, e^deltacom
President, ISSA Metro Atlanta
SSCP
Overview
What is Access Control?
Basic Approach
Access Control Models
Authentication
TEMPEST
Watching the Door!
Iterative Methods Review
Quiz

What is Access Control?

What is access control?
Access control is the heart of security
Definitions:
The ability to grant system or resource access only to authorized users, programs or processes
The granting or denying, according to a particular security model, of certain permissions to access a resource
The entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on established rules

Access control nomenclature
Identification
Process through which a subject claims an identity (a username, a badge number); the claim is not yet proven
Authentication
Process through which the claimed identity is verified, e.g. by a password, token or biometric
Confidentiality
Protection of private data from unauthorized viewing
Integrity
Data is not corrupted or modified in any unauthorized manner
Availability
System is usable when needed. Contrast with denial of service (DoS).

Key Terms
Subject: an active entity, usually a person, process or device, that causes information to flow among objects.
Object: a passive entity that contains or receives information, usually a file, program or memory segment.
The same entity can be a subject in one access (a process reading a file) and an object in another (a process being killed by a user).

Labels
Sensitivity Labels
Every subject and object in a MAC system has a sensitivity label. Each label has two parts:
Classification and Category (or compartment)
Classification: Confidential, Secret, Top Secret (hierarchical: each level dominates the ones below it)
Category: Tank Specs, Payroll, Sales Projections (non-hierarchical: a set of need-to-know compartments)
A subject's label dominates an object's label when its classification is at least as high and its categories include all of the object's categories; access decisions are made by comparing labels this way.
Example:
James (subject) sensitivity label: Secret, compartment R&D
R&D document (object) sensitivity label: Confidential, compartment R&D
James's label dominates the document's label, so he may read it; a Secret-cleared user without the R&D compartment may not.
How can AC be implemented?
Hardware
Software
Application
Operating System
File System
Protocol
Physical
Logical (policies)

What does AC hope to protect?
Data: unauthorized viewing, modification or copying
System: unauthorized use, modification or denial of service
It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) assumes a secure physical infrastructure: its access controls can be bypassed by anyone who can open the case or boot the machine from their own media

Orange Book
DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (first issued 1983 as CSC-STD-001-83, reissued as the DoD standard in 1985)
Provides the information needed to classify systems into divisions (A, B, C, D) and classes within them (e.g. C1, C2, B1, B2, B3, A1), defining the degree of trust that may be placed in them
For stand-alone systems only; networked systems are covered by the Trusted Network Interpretation (the "Red Book")

Orange book levels
A - Verified protection (formal design verification on top of B3)
B - Mandatory protection (MAC with sensitivity labels; classes B1, B2, B3)
C - Discretionary protection (DAC; classes C1, C2)
D - Minimal protection. Systems that have been evaluated but failed to meet the requirements of a higher division

Basic Approach

Banners
Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
Not foolproof, but a good start, especially from a legal perspective
Make sure that the banner does not reveal system information, e.g. OS, version, hardware, etc.

Rule of least privilege
One of the most fundamental principles of infosec
States that any subject (user, administrator, program, system) should have only the least privileges it needs to perform its assigned task, and no more
An AC system that grants users only those rights necessary for them to perform their work
Limits exposure to attacks and the damage an attack can cause
Physical security example: car ignition key vs. door key

Implementing least privilege
Ensure that only a minimal set of users have root access
Don't make a program run setuid to root if not needed. Rather, make the file it must update group-writable by some dedicated group and make the program run setgid to that group: a bug in the program then exposes only that group's files, not the whole system
Don't run insecure programs on the firewall or other trusted hosts

Multi-factor authentication
2-factor authentication. To increase the level of security, many systems require a user to provide 2 of the 3 types of authentication (something you know, something you have, something you are).
ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT default) is single-factor: the username is identification, not a secret, so only the password counts as a factor
3-factor authentication (know + have + are) -- for highest security, e.g. PIN + SecurID token + fingerprint
Note that Username + Password + Fingerprint is two factors (know + are), and Username + PIN + SecurID token is two factors (know + have; the PIN and token code together form the passcode), because the username is not a factor
Proactive access control
Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures
AC & privacy issues
Expectation of privacy
Policies
Monitoring activity, Internet usage, e-mail
Login banners should detail expectations of privacy
and state levels of monitoring

System Accountability
Requires the system to provide at least the following:
The ability to audit transactions (who did what, and when)
Control of access through authentication
Effective identification of users (individual, not shared, accounts)

Access Control Models

Varied types of Access Control
Discretionary (DAC)
The object's owner decides who may access it
Mandatory (MAC)
The system decides access by comparing labels
Non-Discretionary (Lattice/Role/Task)
The subject's role, task or position in a lattice determines access; neither the owner nor the individual identity does
Formal models:
Biba
Clark/Wilson
Bell/LaPadula

Biba
The Biba Model
The Biba model addresses integrity, i.e. whether information can become corrupted. Each subject and object carries an integrity label, separate from any sensitivity label. The strict rules are the dual of Bell-LaPadula: a subject may not read an object of lower integrity (no read down) and may not write to an object of higher integrity (no write up). In the low-water-mark variant, if a high-integrity subject reads low-integrity information, or a high-integrity object is handled by a low-integrity program, its integrity level is downgraded instead. For instance, if one used an untrusted program to view a trusted document, the program might corrupt the document, append to it, truncate it, or even covertly communicate it to another part of the system.

Clark Wilson
Clark and Wilson have also created a model which includes attention to data integrity, aimed at commercial rather than military systems.
Data objects (constrained data items) can only be manipulated by a certain set of certified programs (transformation procedures).
Users have access to the programs rather than to the data (e.g. like a web front end or a database application, where nobody edits the tables directly).
Separation of duties: assigning different roles to different users. For instance, think of the dual-key approach to arming nuclear warheads.
Objects/data can only be accessed by authorized programs (ensures integrity).
Subjects/users only have access to certain programs.
An audit log is maintained of external transactions.
The transformation procedures must be certified to move data only from one valid state to another, and the system must enforce that only certified procedures touch the data.

Bell-LaPadula
This is a formal description of a system with static access control aimed at confidentiality (what the slide calls privacy). It tells us nothing about integrity or trust.
Uses set theory to define the concept of a secure state, the modes of access, and the rules for granting access: the simple security property (no read up) and the *-property (no write down).
A loose mapping of BLP elements onto Unix:

BLP element           Unix analogue
Subjects (S)          UID/username, GID/groups
Objects (O)           files, processes, memory segments
Access rights (M)     read, write, execute
Security levels (L)   allowed / disallowed; setuid, setgid

Unix has no lattice of levels, so the last row is only an analogy: standard Unix is a DAC system, not a BLP implementation.
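The label comparisons that the Labels, Biba and Bell-LaPadula slides describe, as an added example that is not code from the slides: classification plus compartment labels with a dominance test, the two BLP rules, and the dual Biba rules. The level ordering, the `Label` class and the function names are assumptions made for this example.

```python
"""Lattice-based label checks for Bell-LaPadula (confidentiality) and Biba (integrity).

Added illustration, not code from the slides. Classification and compartment names
follow the Labels slide; the level ordering and the API are assumptions of the example.
"""
from dataclasses import dataclass

# Hierarchical classifications, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset  # non-hierarchical categories, e.g. {"R&D", "Payroll"}

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND compartments a superset.
        Two labels can be incomparable (neither dominates), e.g. Secret/{Payroll}
        versus Confidential/{R&D}; then access is denied in both directions."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.compartments >= other.compartments)


def label(classification: str, *compartments: str) -> Label:
    return Label(classification, frozenset(compartments))


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula on *sensitivity* labels.
    read : subject must dominate object   (simple security property, no read up)
    write: object must dominate subject   (*-property, no write down)"""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Strict Biba on *integrity* labels: the dual of BLP.
    read : object must dominate subject   (no read down: don't ingest lower-integrity data)
    write: subject must dominate object   (no write up: don't taint higher-integrity data)"""
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown mode {mode!r}")


def mac_decision(subject: Label, obj: Label, mode: str) -> str:
    """Explain a BLP decision in the terms used on the MAC slides."""
    if blp_allows(subject, obj, mode):
        return "allow"
    if mode == "read":
        return "deny: no read up (subject does not dominate object)"
    return "deny: no write down (object does not dominate subject)"


if __name__ == "__main__":
    james = label("Secret", "R&D")        # the subject from the Labels slide
    doc = label("Confidential", "R&D")    # the R&D object from the Labels slide
    print("James reads R&D doc :", mac_decision(james, doc, "read"))
    print("James writes R&D doc:", mac_decision(james, doc, "write"))
```

The write denial in the second line is exactly the MAC example on the later slide: a Secret subject may not write into a Confidential file, because that could carry Secret information down. Under Biba the same pair of labels gives the opposite answers, which is why a system that needs both properties keeps two separate labels.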

Problems with formal models
Based on a static infrastructure
Assume defined and succinct policies
These do not fit corporate systems, which are extremely dynamic and constantly changing
None of the previous models deals with:
Viruses/active content
Trojan horses
Firewalls
Limited documentation on how to build these systems

MAC vs. DAC
Discretionary Access Control
The owner of an object decides how it is protected and with whom the data is shared
Mandatory Access Control
The system decides how the data will be shared, by comparing the labels of subject and object

Mandatory Access Control
Assigns sensitivity levels, AKA labels
Every object is given a sensitivity label and is accessible only to users cleared to at least that level (and holding its compartments)
Only administrators, not object owners, can change an object's label
Generally more secure than DAC: an owner (or a Trojan horse running as the owner) cannot give the data away
Orange book B-level
Used in systems where security is critical, e.g. military
Hard to program for, configure and implement

Mandatory Access Control (Continued)
Performance cost: every access is mediated by a label comparison
Relies on the system to control access
Example: If a file is classified as Confidential, MAC will prevent anyone with a Secret or Top Secret clearance from writing into that file, so Secret information cannot leak into it (the no-write-down rule)
All output, e.g. print jobs, floppies and other magnetic media, must be labeled with its sensitivity level

Discretionary Access Control
Access is restricted based on the authorization granted to the user by the owner of the object
Orange book C-level
Primary use is to separate users from each other's data and protect them from unauthorized access
Used by Unix, NT, NetWare, Linux, Vines, etc.
Relies on the object owner to control access, so it offers no protection against an owner who shares carelessly or against malicious code running with the owner's rights

Access control lists (ACL)
A list, attached to an object and consulted by the access control system, that states who may access which programs and files, in what manner and at what time
Different operating systems use different ACL terms and granularity (Unix has only owner/group/other bits; NT and NetWare keep per-user and per-group entries)
Types of access:
Read/Write/Create/Execute/Modify/Delete/Rename

Standard UNIX file permissions

Permission     Allowed action, if object is a file   Allowed action, if object is a directory
r (read)       Read contents of the file             List the names in the directory
w (write)      Change file contents                  Add, rename, create or delete entries (files and subdirectories)
x (execute)    Execute file as a program             Search (traverse) the directory: open entries by name

On a directory, w takes effect only together with x, and removing or renaming a file needs w on the directory, not on the file itself. Beyond rwx there are the setuid, setgid and sticky bits, shown as s/S and t/T in ls -l output.
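As an added example that is not code from the slides, the following Python renders a mode word into the ls -l string the table describes (including the setuid/setgid bits the least-privilege slide warns about) and implements the classic Unix DAC decision, whose "first matching class wins" rule is the part people get wrong. The uid/gid numbers and the function names are assumptions made for the example.

```python
"""Unix permission bits and the classic DAC decision.

Added illustration, not code from the slides. The uid/gid numbers and the
function names are assumptions made for the example.
"""
import stat

# Permission bits of one rwx triplet.
R, W, X = 4, 2, 1


def perm_string(mode: int) -> str:
    """Render the nine rwx bits plus setuid/setgid/sticky the way `ls -l` does.

    0o755  -> 'rwxr-xr-x'   0o4755 -> 'rwsr-xr-x' (setuid with x set)
    0o4644 -> 'rwSr--r--'   (setuid without x: capital S, the bit is useless)
    0o1777 -> 'rwxrwxrwt'   (sticky bit on a world-writable directory, e.g. /tmp)
    Same result as stat.filemode(mode)[1:] for a mode without file-type bits.
    """
    out = []
    specials = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))
    for shift, special_bit, letter in specials:
        triplet = (mode >> shift) & 7
        out.append("r" if triplet & R else "-")
        out.append("w" if triplet & W else "-")
        if mode & special_bit:
            out.append(letter if triplet & X else letter.upper())
        else:
            out.append("x" if triplet & X else "-")
    return "".join(out)


def unix_access(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: set, want: int) -> bool:
    """Decide whether a process (uid, gids) may perform `want` (a mask of R, W, X)
    on a file with the given mode and ownership.

    Exactly one class is consulted, chosen in the order owner -> group -> other;
    the classes are never merged. So with mode 0o070 the owner is denied even
    though the group triplet grants rw: DAC here is not a union of rights.
    uid 0 bypasses r/w checks but still needs at least one x bit to execute a
    file (root may always search a directory, which this function does not model).
    """
    if uid == 0:
        return not (want & X) or bool(mode & 0o111)
    if uid == owner_uid:
        triplet = (mode >> 6) & 7
    elif owner_gid in gids:
        triplet = (mode >> 3) & 7
    else:
        triplet = mode & 7
    return (triplet & want) == want


def is_setuid_root(mode: int, owner_uid: int) -> bool:
    """The case the least-privilege slide warns about: a setuid binary owned by root."""
    return owner_uid == 0 and bool(mode & stat.S_ISUID)


if __name__ == "__main__":
    # Constructed example: a report file owned by uid 1000, group 100, mode rw-r-----.
    mode, owner, group = 0o640, 1000, 100
    print(perm_string(mode))
    for who, uid, gids in (("owner", 1000, {100}), ("group member", 1001, {100}),
                           ("other", 1002, {200}), ("root", 0, {0})):
        print(f"{who:13} read={unix_access(mode, owner, group, uid, gids, R)} "
              f"write={unix_access(mode, owner, group, uid, gids, W)} "
              f"exec={unix_access(mode, owner, group, uid, gids, X)}")
```

`is_setuid_root` is the check behind the advice on the least-privilege slide: a file for which it returns true runs with full root rights for anyone allowed to execute it, so a setgid binary owned by a dedicated group is the smaller blast radius.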



Standard NT file permissions

Permission     Allowed action, if object is a file   Allowed action, if object is a directory
No Access      None                                  None
List           N/A                                   RX
Read           RX                                    RX
Add            N/A                                   WX
Add & Read     N/A                                   RWX
Change         RWXD                                  RWXD
Full Control   All                                   All

R = Read, X = Execute, W = Write, D = Delete; Full Control additionally grants P (change permissions) and O (take ownership). No Access is an explicit deny: it overrides any access the same user would otherwise get through group membership.

Physical access control
Guards
Locks
Mantraps
ID badges
CCTV, sensors, alarms
Biometrics
Fences - the higher the voltage the better
Card-key and tokens
Guard dogs

Object reuse
Must ensure that magnetic media do not retain any remnants of previous data when reassigned
Also applies to buffers, cache and other memory allocations: a new process must not see what the previous owner left behind
Required from TCSEC class C2 upward (it is one of the additions C2 makes over C1)
Storage objects must be cleared before being reassigned to another subject
Magnetic media must be degaussed or securely overwritten
Authentication

Authentication
3 types of authentication:
Something you know: password, PIN, mother's maiden name, passcode, fraternity chant
Something you have: ATM card, smart card, token, key, ID badge, driver's license, passport
Something you are: fingerprint, voice scan, iris scan, retina scan, body odor, DNA

Problems with passwords
Insecure: given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken: programs such as crack, SmartPass, PWDUMP, NTCrack and l0phtcrack can recover Unix, NetWare and NT passwords from their stored hashes. They do not decrypt anything; they hash candidate passwords and compare, so the weaker the password the faster it falls.
Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient: in an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible, to remember, so they get written down
Repudiable: unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Classic password rules
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack.
The classic way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number.
Examples of the style would be hex7goop or -typetin (by current standards eight characters is too short to survive an offline attack; prefer long passphrases in the same spirit).
Don't use:
common names, DOB, spouse, phone #, etc.
a word found in a dictionary, in any language
"password" as a password
system defaults

Password management
Configure the system to require strong passwords
Set password age and length limits
Limit unsuccessful logins (lockout or delay)
Limit concurrent connections
Enable auditing
Have policies for password resets and changes (verify identity before resetting)
Show the last login date and time at login so users can spot misuse of their account

Password Attacks
Brute force
l0phtcrack
Dictionary
Crack
John the Ripper
For a comprehensive listing, see Alan Lustiger or attend his presentation at the CSI conference in November
Trojan horse login program (captures the password before any hashing happens)
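An added example, not code from the slides, that runs the dictionary attack described on the password slides against a constructed set of salted hashes, so the claim that weak choices are what make the attack feasible can be seen rather than asserted. The salted SHA-256 stand-in for crypt(3)/NT hashes, the wordlist, the mutation rules and the four sample accounts are all assumptions made for the example.

```python
"""Dictionary attack with mutation rules against salted password hashes.

Added illustration, not code from the slides. The hash function, wordlist,
mutation rules and the sample accounts below are constructed for the example;
real crackers (Crack, John the Ripper, l0phtcrack) use the platform's own
hash (crypt(3), LM/NT) and far larger wordlists and rule sets.
"""
import hashlib


def salted_hash(password: str, salt: str) -> str:
    """Stand-in for a stored password hash. The salt stops one pass over the
    wordlist from cracking every account at once: each account needs its own run."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# A tiny wordlist; real ones have hundreds of thousands of entries.
WORDLIST = ["password", "fluffy", "atlanta", "secret", "letmein", "james"]


def mutations(word: str):
    """Rule set in the spirit of Crack/John: case changes, leetspeak, common suffixes.
    Yields each candidate once."""
    leet = (word.replace("a", "@").replace("o", "0")
                .replace("e", "3").replace("s", "$"))
    bases = []
    for base in (word, word.capitalize(), word.upper(), leet, leet.capitalize()):
        if base not in bases:
            bases.append(base)
    for base in bases:
        yield base
        for suffix in ("1", "123", "!", "99"):
            yield base + suffix


def crack(entries, wordlist=WORDLIST):
    """entries: iterable of (user, salt, hash). Returns ({user: recovered password},
    total number of guesses made), so the cost of the attack is visible."""
    found, guesses = {}, 0
    for user, salt, digest in entries:
        for word in wordlist:
            for candidate in mutations(word):
                guesses += 1
                if salted_hash(candidate, salt) == digest:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, guesses


# Constructed sample accounts: three weak choices and one two-word password in the
# style the "classic password rules" slide recommends.
SAMPLE_PASSWORDS = {"alice": ("xK", "Password1"), "bob": ("q9", "p@$$w0rd"),
                    "carol": ("Zz", "fluffy!"), "dave": ("m1", "hex7goop")}
SAMPLE_ENTRIES = [(user, salt, salted_hash(pw, salt))
                  for user, (salt, pw) in SAMPLE_PASSWORDS.items()]


if __name__ == "__main__":
    found, guesses = crack(SAMPLE_ENTRIES)
    print(f"{guesses} guesses; cracked {found}")
    print("not cracked:", sorted(set(SAMPLE_PASSWORDS) - set(found)))
```

The three accounts that fall do so in a few hundred guesses; dave's two-word password survives this wordlist and rule set, which is the point of the classic rules. A larger wordlist with a two-word combination rule would reach it too, which is why the length caveat on the rules slide matters.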

Biometrics
Authenticating a user via human characteristics
Using measurable physical or behavioral characteristics of a person to verify their identity
Fingerprint
Signature dynamics
Iris
Retina
Voice
Face
DNA, blood

Biometric Disadvantages
Still relatively expensive per user: the most expensive factor, but also the most secure
A compromised biometric cannot be reissued the way a password or token can
Companies and products are often new and immature
No common API or other standard
Some hesitancy in user acceptance
Biometric privacy issues
Tracking and surveillance - Ultimately, the ability to
track a person's movement from hour to hour
Anonymity - Biometric links to databases could
dissolve much of our anonymity when we travel and
access services
Profiling - Compilation of transaction data about a
particular person that creates a picture of that
person's travels, preferences, affiliations or beliefs

Practical biometric applications
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security, welfare, etc.)
Verifying identities at point of sale
Use in conjunction with ATM, credit or smart cards
Controlling physical access to office buildings or homes
Protecting personal property
Preventing kidnapping in schools, play areas, etc.
Protecting children from fatal gun accidents
Voting/passports/visas and immigration

Tokens
Used to facilitate one-time passwords, so a sniffed or shoulder-surfed password is worthless once used
Physical card
SecurID (time-synchronized token code, combined with a PIN)
S/Key (software one-time passwords derived from a hash chain; no hardware needed)
Smart card
Access token
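The S/Key one-time password scheme listed above, as an added example that is not code from the slides or from the S/Key implementation: a simplified hash-chain client and server using SHA-256 (real S/Key folds MD4 or MD5 output to 64 bits and shows it as six short words). The class and function names, the seed, the secret and the chain length are assumptions of the example.

```python
"""S/Key-style one-time passwords from a hash chain (simplified).

Added illustration, not code from the slides. Real S/Key folds MD4/MD5 output
to 64 bits and shows it as six words; here SHA-256 digests are used directly.
The seed, secret and iteration count are assumptions of the example.
"""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: str, seed: str, n: int) -> list:
    """Return [h_0, h_1, ..., h_n] with h_0 = H(seed || secret) and h_i = H(h_{i-1}).
    Only the client, who knows the secret, can compute this list."""
    values = [_h((seed + secret).encode())]
    for _ in range(n):
        values.append(_h(values[-1]))
    return values


class SkeyServer:
    """Stores only the seed, the current count n and h_n, never the secret.
    A stolen server database therefore reveals no reusable password."""

    def __init__(self, seed: str, n: int, h_n: bytes):
        self.seed, self.n, self.current = seed, n, h_n

    def challenge(self):
        """The login prompt shows the count and seed, e.g. 'otp 99 sk42'."""
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept h_{n-1} if hashing it once gives the stored h_n, then move down
        the chain. Replaying an old value fails because H(old) != current."""
        if self.n == 0 or _h(response) != self.current:
            return False
        self.n -= 1
        self.current = response
        return True


class SkeyClient:
    def __init__(self, secret: str):
        self.secret = secret

    def respond(self, count: int, seed: str) -> bytes:
        """Compute h_count from the secret. A sniffer who sees it cannot derive
        h_{count-1}, the next password, without inverting the hash."""
        return chain(self.secret, seed, count)[-1]


def enroll(secret: str, seed: str, n: int = 100) -> SkeyServer:
    """Initialize a server with h_n; the secret is used once, on the client side."""
    return SkeyServer(seed, n, chain(secret, seed, n)[-1])


if __name__ == "__main__":
    server = enroll("s3cret", "sk42")
    client = SkeyClient("s3cret")
    count, seed = server.challenge()
    otp = client.respond(count, seed)
    print("first login  :", server.verify(otp))
    print("replayed otp :", server.verify(otp))
```

Each successful login moves the server one step down the chain, so after n logins the user must re-enroll with a fresh chain. The scheme does not authenticate the server, so a fake login prompt that asks for a lower count than the real one can harvest a password that is still valid on the real server; clients should refuse a count lower than the last one they answered.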

Authentication in the Enterprise

Single sign-on
User has one password for all enterprise systems and applications
That way, one strong password can be remembered and used
All of a user's accounts can be quickly created on hire and deleted on dismissal
Hard to implement and get working; the one password (or the SSO server) also becomes a single point of compromise
Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509 certificates

Kerberos
Part of MIT's Project Athena
Kerberos is an authentication protocol used for network-wide authentication; passwords never cross the network
All software must be kerberized
Tickets, authenticators, key distribution center (KDC)
Divided into realms

Kerberos roles
KDC divided into Authentication Server (AS) and Ticket Granting Server (TGS)
Authentication Server: authenticates the identities of entities on the network and issues a ticket-granting ticket (TGT)
TGS: on presentation of a TGT, issues a service ticket carrying a unique session key for the two parties. The parties then use this session key to encrypt or authenticate their messages

Kerberos authentication
User must have an account (principal) on the KDC
KDC must be a trusted server in a secured location
The KDC shares a long-term key, derived from the password, with each principal
When a user wants to access a host or application, the client requests a ticket from the KDC (with kinit, or transparently from a kerberized client such as klogin) and generates an authenticator: the client name and a timestamp encrypted under the ticket's session key, which proves that the sender holds that key
The user provides the ticket and authenticator to the application, which decrypts the ticket with its own key, checks the authenticator against it, and then grants access

Problems with Kerberos
Each piece of software must be kerberized
Requires synchronized clocks: authenticators outside the allowed skew (five minutes by default) are rejected
Uses UDP by default (port 750 for Kerberos 4, port 88 for Kerberos 5), which is often blocked by firewalls
The KDC holds every principal's key, so it is a single point of compromise as well as of failure
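The exchange the Kerberos slides describe, as an added example that is not code from the slides or from MIT Kerberos: a minimal KDC (AS plus TGS), a kerberized service with a replay cache, and a client, enough to see why the clocks must agree and why a wrong password fails without ever being sent. The toy sealed-box encryption (SHA-256 keystream plus HMAC tag), the string-to-key function, the principal names, the `KDC`, `Service` and `Client` classes and the 300-second skew are all assumptions of the example; real Kerberos uses its own encryption types and ASN.1 message formats.

```python
"""Minimal Kerberos-style exchange (AS, TGS, service, client). Added illustration,
not code from the slides or MIT Kerberos: the sealed box (SHA-256 keystream + HMAC)
stands in for Kerberos' encryption types; names, keys and lifetimes are assumptions."""
import hashlib
import hmac
import json
import secrets

SKEW = 300                               # seconds of clock drift tolerated in an authenticator
TGT_LIFE, TICKET_LIFE = 8 * 3600, 3600   # ticket lifetimes in seconds

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small dict: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Raise ValueError on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str, realm: str) -> bytes:
    """Toy string-to-key: the long-term key the KDC shares with each principal."""
    return hashlib.sha256((realm + password).encode()).digest()

def check_authenticator(ticket: dict, auth_blob: bytes, now: int) -> dict:
    """Open the authenticator with the ticket's session key; it must name the same
    client and lie within SKEW of the verifier's clock, and the ticket must be unexpired."""
    auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("clock skew too large")
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    return auth

class KDC:
    """Authentication Server (as_exchange) and Ticket Granting Server (tgs_exchange)."""
    def __init__(self, realm: str, principals: dict):
        self.realm, self.keys = realm, dict(principals)
        self.keys["krbtgt"] = secrets.token_bytes(32)   # TGS key, never leaves the KDC

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: no password crosses the wire; only the holder of the client's
        key can open the reply (without pre-authentication the reply is still an offline
        guessing target, a classic Kerberos 4 weakness)."""
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": now + TGT_LIFE})
        return seal(self.keys[client], {"server": "krbtgt", "key": sk, "exp": now + TGT_LIFE}), tgt

    def tgs_exchange(self, tgt_blob: bytes, auth_blob: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        check_authenticator(tgt, auth_blob, now)
        sk = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": sk, "exp": now + TICKET_LIFE})
        return seal(bytes.fromhex(tgt["key"]), {"server": service, "key": sk}), ticket

class Service:
    """Kerberized application server with a replay cache of seen authenticators."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket_blob: bytes, auth_blob: bytes, now: int) -> str:
        ticket = unseal(self.key, ticket_blob)          # only this service can open it
        auth = check_authenticator(ticket, auth_blob, now)
        if (auth["client"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return ticket["client"]

class Client:
    def __init__(self, name: str, password: str, realm: str):
        self.name, self.key = name, string_to_key(password, realm)
        self.tgt = self.tgs_key = None

    def login(self, kdc: KDC, now: int) -> None:
        """kinit: obtain a TGT. A wrong password cannot open the AS reply."""
        reply, self.tgt = kdc.as_exchange(self.name, now)
        self.tgs_key = bytes.fromhex(unseal(self.key, reply)["key"])

    def authenticator(self, session_key: bytes, now: int) -> bytes:
        return seal(session_key, {"client": self.name, "ts": now})

    def get_ticket(self, kdc: KDC, service: str, now: int):
        """Present TGT + authenticator, get back (service ticket, session key)."""
        reply, ticket = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgs_key, now), service, now)
        return ticket, bytes.fromhex(unseal(self.tgs_key, reply)["key"])
```

The `now` argument is passed explicitly so the skew and expiry checks can be exercised deterministically; a real deployment reads the clock, which is exactly why unsynchronized clocks show up as login failures. The replay cache keyed on (client, timestamp) is what stops a captured authenticator from being presented twice inside the skew window.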

RAS access control
RADIUS (Remote Authentication Dial-In User Service): client/server protocol and software that enables a RAS to communicate with a central server to authenticate dial-in users and authorize their access to requested systems. Only the user's password is hidden (by an MD5 function of a shared secret); the rest of the packet travels in the clear
TACACS/TACACS+ (Terminal Access Controller Access Control System): authentication protocol that allows a RAS to forward a user's logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ (which encrypts the whole packet body) and RADIUS protocols
A later version of TACACS is XTACACS (Extended TACACS)
May 1997: TACACS and XTACACS are considered Cisco End-of-Maintenance
TEMPEST

TEMPEST
Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment
With appropriate and sophisticated enough equipment, data can be read at a distance of a few hundred yards
TEMPEST-certified equipment, which encases the hardware in a tight metal enclosure, shields the electromagnetic emanations
TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
Rooms and buildings can be TEMPEST-certified
The TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents

Watching the Door
Physical Security
Camera coverage
Recoverable footage
Access controlled areas
Fences
Lights? (heres a question.)

Intrusion Detection Systems
An IDS monitors a system or network for attacks
The IDS engine has a library of signatures that identify known attacks, so it cannot see an attack it has no signature for
Adds defense in depth: it does not replace access control, it catches what gets past it

Iterative Methodology Review

Penetration Testing / Vulnerability Assessments
Based on "Improving the Security of Your Site by Breaking Into It", by Dan Farmer and Wietse Venema
http://www.fish.com/security/admin-guide-to-cracking.html
Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
Discovery and footprint analysis
Exploitation
Physical security assessment
Social engineering
Attempt to identify vulnerabilities and gain access to critical systems within the organization
Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
Assessments allow the client to demonstrate the need for additional security resources by translating existing vulnerabilities into real-life business risks

Review Questions

Review Questions
Which of the following is true about biometrics?
a) Least expensive, least secure
b) Most expensive, least secure
c) Most expensive, most secure
d) Least expensive, most secure
Answer: c) Most expensive, most secure
Review Questions
Discretionary Access differs from Mandatory Access in the
following way:
a) Is granted at the discretion of the system administrator
b) Is only given to personnel who have demonstrated good
discretion
c) Assigns access based on role
d) Allows subjects to grant access to objects
Answer: d) Allows subjects to grant access to objects
Review Questions
The three classic ways of authenticating yourself to the
computer security software are by something you know, by
something you have, and by something
a) you need
b) non-trivial
c) you are
d) you can get
Answer: c) you are

Review Questions
An access control policy for a bank teller is an example of the implementation of a(n):
a) rule-based policy
b) identity-based policy
c) user-based policy
d) role-based policy
Answer: d) role-based policy
Review Questions
A confidential number to verify a user's identity is called a
a) PIN
b) Userid
c) Password
d) challenge
Answer: a) PIN
Review Questions
Which of the following is needed for System Accountability?
a) audit mechanisms
b) documented design as laid out in the Common Criteria
c) Authorization
d) Formal verification of system design
Answer: a) audit mechanisms

Review Questions
Which of the following is true in a system with Mandatory Access Control?
a) the system determines which users or groups may access a file
b) a user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access
c) a user can specify which groups of users can access their files, but the system determines group membership
d) no control is enforced in this model
Answer: a) the system determines which users or groups may access a file

Review Questions
Which of the following is *not* needed for System Accountability?
a) Audit
b) Authentication
c) Authorization
d) Identification
Answer: c) Authorization. Accountability needs identification, authentication and audit (see the System Accountability slide); authorization decides what a subject may do, not who did it.
Review Questions
A potential problem with an iris pattern biometric system is:
a) concern that the laser beam may cause eye damage
b) the iris pattern changes as a person grows older
c) there is a relatively high rate of false accepts
d) the optical unit must be positioned so that the sun does not
shine into the aperture
Answer: d) the optical unit must be positioned so that the
sun does not shine into the aperture
Review Questions
What is TEMPEST?
a) A really good movie
b) Standards for controlling emanations from equipment
c) Tactical Electrical Modulation Emitting Surveillance
Team
d) The most secure method of Access Control
Answer: b) Standards for controlling emanations
from equipment
Any questions?
Homework for next week:
CISSP Exam : Theory
Chapter 3
Pgs: 198-221, 226-237
Computer Security Basics
Chapter 6
Green and Brown books
