Access Control Systems and Methodology - PowerPoint PPT Presentation

About This Presentation
Title:

Access Control Systems and Methodology


Number of Views:832
Avg rating:3.0/5.0
Slides: 50
Provided by: markls9

Transcript and Presenter's Notes

Title: Access Control Systems and Methodology


1
CISSP Preparation Training
  • Access Control Systems and Methodology

Mark L. Spencer, CISSP, IAM, IEM
Northrop Grumman, (719) 277-5004, mark.l.spencer_at_ngc.com
2
Objectives
  • The objective of this domain is to understand
  • access control concepts and techniques
  • access control methodologies and implementation
    within centralized and decentralized environments
  • detective and corrective access controls
  • mechanisms for controlling system use
  • potential risks, vulnerabilities, and exposures

3
Agenda
  • Definitions (surprise)
  • Access control
  • Types of access control
  • Access control models
  • Accountability
  • Access control practices
  • Threats to access control

4
Fundamental Principles of Security
  • C I A
  • Confidentiality
  • Integrity
  • Availability

5
Definitions
  • Access Controls
  • security features that control how users and
    systems communicate and interact with other
    systems and resources
  • Access
  • flow of information between a subject and object
  • Subject
  • an active entity that requests access to an
    object or the data within an object
  • Object
  • a passive entity that contains information

6
Identification, Authentication, and Authorization
  • Identification
  • describes a method of ensuring a subject is the
    entity it claims to be
  • Authentication
  • verification of the identity of a subject
  • Authorization
  • granting access to an object after the subject
    has been properly identified and authenticated

7
Identification and Authentication Methods
  • Three factors
  • something a person knows
  • something a person has
  • something a person is
  • Strong Authentication
  • uses two of the three factors

8
Something a Person Knows
  • Password
  • Personal Identification Number (PIN)
  • Secret of some kind

9
Passwords
  • Most common form of authentication
  • Weakest security mechanism
  • Why?
  • Write down
  • Share
  • Easily guessed
  • Prone to technical attacks

10
Password Security
  • Password Checker/Cracker
  • Password Hashing and Encryption
  • Password Aging
  • Limited Logon Attempts
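
The three technical controls on this slide (hashing, aging, limited logon attempts) combined into one logon routine, as an added example that is not part of the deck. The policy values (three attempts, 90-day age, PBKDF2 iteration count) and the two accounts are constructed assumptions for illustration.

```python
"""Password security controls named on the slide: hashing with a per-user
salt, password aging, and limited logon attempts. Added example, not part
of the original deck; the policy values and accounts are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values assumed for the example.
MAX_ATTEMPTS = 3                        # lock the account after this many failures
MAX_PASSWORD_AGE = timedelta(days=90)   # password aging: force a change after this
PBKDF2_ITERATIONS = 100_000             # slows down offline guessing of a stolen hash


def hash_password(password, salt=None):
    """Return (salt, digest). A random per-user salt means two users with the
    same password get different stored values, so one cracked hash reveals one
    password, not every copy of it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, name, password, changed_at):
        self.name = name
        self.salt, self.digest = hash_password(password)   # never store the password itself
        self.changed_at = changed_at                        # when the password was last set
        self.failed_attempts = 0
        self.locked = False


def logon(account, password, now):
    """Apply the controls in order; returns 'ok', 'locked', 'bad-password' or 'expired'."""
    if account.locked:
        return "locked"
    if not verify_password(password, account.salt, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_ATTEMPTS:
            account.locked = True          # limited logon attempts
            return "locked"
        return "bad-password"
    account.failed_attempts = 0            # a good logon resets the counter
    if now - account.changed_at > MAX_PASSWORD_AGE:
        return "expired"                   # password aging: correct, but must be changed
    return "ok"


def demo():
    """Walk the controls with constructed accounts; returns the outcomes in order."""
    now = datetime(2024, 1, 1, 9, 0)
    alice = Account("alice", "correct horse battery", now - timedelta(days=10))
    bob = Account("bob", "winter2023", now - timedelta(days=120))   # stale password
    return [
        logon(alice, "correct horse battery", now),   # ok
        logon(alice, "wrong", now),                   # bad-password
        logon(alice, "wrong", now),                   # bad-password
        logon(alice, "wrong", now),                   # locked on the third failure
        logon(alice, "correct horse battery", now),   # still locked, even with the right password
        logon(bob, "winter2023", now),                # expired
    ]


if __name__ == "__main__":
    print(demo())
```

Note the ordering: the lockout check runs before the password is verified, so a locked account gives the same answer to a right and a wrong guess, and the aging check runs only after a successful verification, so an expired password is never mistaken for a bad one.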

11
Something a Person Has
  • Token
  • Smart Card
  • ATM Card
  • Password generator

12
Something a Person Is
  • Specific to a person
  • Unchanging
  • Hard to copy
  • Biometrics

13
Biometrics
  • Biometrics
  • verifies a person's identity by analyzing unique
    personal attributes or behaviors.
  • one of the most accurate methods
  • Biometric Errors
  • Type I: false rejection rate (FRR)
  • Type II: false acceptance rate (FAR)
  • CER: crossover error rate, the point where Type I = Type II
  • lower is better

14
Crossover Error Rate
[chart: FAR and FRR plotted against sensitivity; the two curves cross at the CER]
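
The crossover error rate computed from match scores, as an added example that is not part of the deck. The genuine and impostor score lists are constructed so that the FAR and FRR curves cross cleanly; the sweep itself is the general procedure, not specific to these numbers.

```python
"""Crossover error rate worked through on constructed biometric match scores.
Added example, not from the deck; the score lists are made up."""

# Constructed match scores (0-100). Higher means the sample looked more like the
# enrolled template. Genuine users should score high and impostors low, but the
# two populations overlap, and that overlap is where both error types come from.
GENUINE_SCORES = [55, 62, 70, 74, 78, 82, 86, 90, 94, 97]
IMPOSTOR_SCORES = [10, 20, 30, 40, 50, 58, 65, 72, 80, 85]


def error_rates(genuine, impostor, threshold):
    """FAR (Type II) and FRR (Type I) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)      # real users turned away
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep the sensitivity (acceptance threshold) and find where FAR and FRR meet.
    Returns (threshold, CER); a lower CER means a more accurate system."""
    best = None
    for threshold in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, threshold)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, threshold, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def tradeoff_table(genuine, impostor, thresholds):
    """Raising sensitivity lowers FAR but raises FRR; this shows both at each setting."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [50, 60, 72, 85]):
        print(f"threshold {t:3d}: FAR={far:.2f} FRR={frr:.2f}")
    print("CER at threshold %d: %.2f" % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores the curves cross at a threshold of 72, where three impostors are accepted and three genuine users rejected, giving a CER of 0.30. A deployment that fears false acceptance more than inconvenience would set the threshold above the CER and accept the higher FRR.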
15
Biometric Methods
  • fingerprint scan
  • palm scan
  • hand geometry
  • retinal scan
  • iris scan
  • signature dynamics
  • keyboard dynamics
  • voice print
  • facial scan
  • hand topography

16
One-time Passwords
  • Uses a password-generating token
  • Needs two-factor
  • PIN

17
Single sign-on
  • One identification and authentication allows
    access to many systems or applications
  • Requires a special security token to be passed to
    the object for the object to accept the subject

18
Kerberos
  • Strong authentication
  • Symmetric key cryptology
  • Single sign on
  • Allows mutual authentication
  • Scalable
  • Heterogeneous environment
  • Currently Kerberos v5

19
Kerberos Concepts
  • Realm
  • Boundary of authentication
  • Authentication server (AS)
  • Ticket-granting server (TGS)
  • AS + TGS = Key Distribution Center (KDC)
  • Services and users receive tickets from the TGS
    and are authenticated with the AS
  • Realms can trust one another

20
Kerberos Process
  • AS registers all valid users (client) in realm
  • AS provides each client with a ticket-granting
    ticket (TGT)
  • Client uses TGT to request ticket from Ticket
    Granting Server (TGS)

21
Kerberos Ticket
  • Ticket
  • Block of data that allows the user to prove their
    identity to a service
  • Stored in ticket cache on user's computer
  • Time-stamped for validity (usually 10 hours)
  • Expires upon disconnect or log off

22
Kerberos Process
  • Credentials are presented to KDC for
    authentication
  • Password
  • Smart card
  • Biometrics
  • KDC grants TGT associated with access token
  • TGT presented to resource KDC
  • Resource KDC grants session ticket
  • Session ticket presented to resource server
  • Resource server allows session
  • Must happen within time period or session ticket
    expires
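
The exchange on slides 20 to 22 simulated end to end, as an added example that is not part of the deck and is not real Kerberos: a single realm, no pre-authentication, no cross-realm "resource KDC", and the `seal`/`unseal` pair is a constructed HMAC-SHA256 stand-in for the symmetric cipher Kerberos actually uses. The principal names, passwords and the integer clock are assumptions.

```python
"""Toy walk-through of the Kerberos exchange on these slides: the AS issues a
TGT, the TGS issues a service ticket, the resource server checks it, and a
ticket past its lifetime is refused. Added example, not from the deck and not
real Kerberos; seal/unseal is a constructed stand-in for the real cipher."""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 10 * 3600   # seconds; the slide says tickets usually last 10 hours
CLOCK_SKEW = 300              # an authenticator's timestamp must be this fresh


def kdf(password):
    """Client long-term key derived from the password (toy derivation)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt-then-MAC a dict: only a holder of `key` can read or alter it."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def check_presentation(ticket, authenticator, now):
    """Used by both TGS and service: ticket unexpired, authenticator fresh and
    sealed under the ticket's session key by the client named in the ticket."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise PermissionError("authenticator rejected")


class KDC:
    """AS and TGS together. `keys` maps principals to long-term keys; 'krbtgt' is the TGS key."""
    def __init__(self, keys):
        self.keys = keys
    def as_exchange(self, client, now):
        sk = os.urandom(32).hex()        # session key shared between client and TGS
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "expires": now + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"sk": sk})   # reply readable only with the client's key
    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.keys["krbtgt"], tgt)              # the client cannot forge or alter a TGT
        check_presentation(t, authenticator, now)
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk, "expires": now + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk})


class Client:
    def __init__(self, name, password):
        self.name, self.key, self.cache = name, kdf(password), {}   # cache = ticket cache on the user's machine
    def logon(self, kdc, now):
        tgt, reply = kdc.as_exchange(self.name, now)
        self.cache["krbtgt"] = (tgt, bytes.fromhex(unseal(self.key, reply)["sk"]))
    def _authenticator(self, sk, now):
        return seal(sk, {"client": self.name, "time": now})
    def get_service_ticket(self, kdc, service, now):
        tgt, sk = self.cache["krbtgt"]
        ticket, reply = kdc.tgs_exchange(tgt, self._authenticator(sk, now), service, now)
        self.cache[service] = (ticket, bytes.fromhex(unseal(sk, reply)["sk"]))
    def access(self, service, service_key, now):
        ticket, sk = self.cache[service]
        return service_accept(service_key, ticket, self._authenticator(sk, now), now)


def service_accept(service_key, ticket_blob, authenticator, now):
    """The resource server decrypts the ticket with its own key, then checks it."""
    ticket = unseal(service_key, ticket_blob)
    check_presentation(ticket, authenticator, now)
    return ticket["client"]


def demo():
    """Constructed realm; returns (client accepted, result after 11 hours, wrong-password result)."""
    keys = {"alice": kdf("alice-pw"), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, alice = KDC(keys), Client("alice", "alice-pw")
    alice.logon(kdc, now=0)                                 # AS exchange
    alice.get_service_ticket(kdc, "fileserver", now=5)      # TGS exchange
    accepted = alice.access("fileserver", keys["fileserver"], now=60)
    try:
        late = alice.access("fileserver", keys["fileserver"], now=11 * 3600)
    except PermissionError as e:
        late = str(e)
    try:
        Client("alice", "not-her-password").logon(kdc, now=0)
        bad = "logged on"
    except ValueError as e:
        bad = str(e)
    return accepted, late, bad
```

Two points the slides make are visible in the code: the KDC never sees the password, because the AS reply is only readable with the key derived from it, and the service never contacts the KDC, because the ticket is sealed under the service's own long-term key. The expiry check lives in `check_presentation`, so a cached ticket older than `TICKET_LIFETIME` is refused by the TGS and the service alike.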

23
Kerberos Process
24
SESAME
  • SESAME (Secure European System for Applications
    in a Multivendor Environment)
  • Addresses the weaknesses in Kerberos. Uses public
    key cryptography for the distribution of the
    secret keys and provides additional access
    control support.

25
Access Control Models
  • Discretionary
  • Mandatory
  • Non-discretionary

26
Discretionary (DAC)
  • Owner determines who has access to objects
  • Owner can give away ownership

27
Mandatory (MAC)
  • Operating system determines whether owner can
    give access
  • Security labels attached to objects
  • Subject must have access and meet or exceed level
    of label

28
Nondiscretionary (Role-based) (RBAC)
  • Centrally administered
  • Based on role assigned to user
  • Role determines operations and tasks allowed

29
Nondiscretionary (Rule-based)
  • Rule-based Access Control
  • a type of MAC because this access is determined
    by rules (use of classification labels) and not
    by the identity of the subjects and objects
    alone. Usually based on a specific profile for
    each user, allowing information to be easily
    changed for only one user.

30
Access Control Lists (ACL)
  • Lists of subjects authorized to access a specific
    object
  • Specifies level of authorization granted

31
Lattice-based Access
  • Lattice Based Access Control
  • Pairs of elements that have the least upper bound
    of values and greatest lower bound of values. To
    apply this concept to access controls, the pair
    of elements is the subject and the object, and
    the subject has the greatest lower bound and the
    least upper bound of access rights to an object.
    This allows one to combine objects from different
    security classes and determine the appropriate
    classification for the result by showing that any
    combination of security objects must maintain the
    lattice rule between objects.
  • Example: A ≤ A; if A ≤ B and B ≤ C, then A ≤ C
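
The lattice rule on this slide and the MAC rule on slide 27 ("subject must meet or exceed the level of the label") implemented together, as an added example that is not part of the deck. Labels are (level, compartments) pairs; the level names, compartments and the subject/object labels are constructed assumptions.

```python
"""Lattice-based labels as used by MAC: a label is a (level, compartments)
pair, a subject may read an object only when its clearance dominates (meets
or exceeds) the object's label, and the classification of combined material
is the least upper bound of the parts. Added example, not from the deck;
the level names and compartments are constructed."""
from functools import reduce

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]   # lowest to highest


class Label:
    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level, self.compartments = level, frozenset(compartments)

    def __eq__(self, other):
        return (self.level, self.compartments) == (other.level, other.compartments)

    def __hash__(self):
        return hash((self.level, self.compartments))

    def __repr__(self):
        return f"{self.level}{sorted(self.compartments)}"

    def __le__(self, other):
        """The lattice's partial order: self <= other when other dominates self.
        Labels with different compartments can be incomparable."""
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.compartments <= other.compartments)

    def dominates(self, other):
        return other <= self


def join(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level, key=LEVELS.index), a.compartments | b.compartments)


def meet(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level, key=LEVELS.index), a.compartments & b.compartments)


def classify_combination(labels):
    """Objects from different classes combined: the result carries the join of their labels."""
    return reduce(join, labels)


def may_read(subject, obj):
    """MAC read check: the subject's label must meet or exceed the object's."""
    return subject.dominates(obj)


def demo():
    """Constructed subject and objects; returns the access decisions and derived labels."""
    analyst = Label("SECRET", {"nuclear"})          # the subject's clearance
    report = Label("CONFIDENTIAL", {"nuclear"})
    cable = Label("SECRET", {"crypto"})             # same level, a compartment the analyst lacks
    merged = classify_combination([report, cable])  # SECRET[crypto, nuclear]
    return {
        "analyst reads report": may_read(analyst, report),   # True
        "analyst reads cable": may_read(analyst, cable),     # False: missing compartment
        "merged label": merged,
        "analyst reads merged": may_read(analyst, merged),   # False: the join inherits crypto
        "common ground": meet(analyst, cable),               # SECRET[]
        "reflexive": analyst <= analyst,
        "transitive": not (report <= analyst and analyst <= merged) or report <= merged,
    }
```

The point the slide makes about combining objects shows up in `merged`: a CONFIDENTIAL report and a SECRET cable from different compartments produce a SECRET[crypto, nuclear] result, which the analyst cleared for SECRET[nuclear] can no longer read. That is the lattice rule doing its job, not a bug.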

32
Access Control Uses
  • RADIUS - Remote Authentication Dial-in User
    Service
  • client/server authentication protocol
  • authenticates and authorizes remote users
  • allows a central database of profiles

33
Access Control Uses
  • Uses of Access Controls
  • Preventative (in order to avoid occurrence)
  • Detective (in order to detect or identify
    occurrence)
  • Deterrent/Preventative (in order to discourage
    occurrences)
  • Corrective (in order to correct or restore
    controls)
  • Recovery (in order to restore resources,
    capabilities, or losses)

34
Access Control Uses - Examples
  • Physical Preventive Controls include Backups,
    Fences, Security Guards, Locks and keys, Badge
    Systems
  • Administrative Preventive Controls include
    Security awareness training, separation of
    duties, hiring procedures, security policies and
    procedures, and disaster recovery.
  • Technical Preventive Controls include Access
    Control software, Antivirus software, Library
    control systems, IDS, Smart cards, and Callback
    systems.
  • Physical Detective Controls include Motion
    detectors, smoke alarms, closed circuit TV, and
    alarms.
  • Administrative Detective Controls include
    Security reviews and audits, rotation of duties,
    required vacations, and performance evaluations.
  • Technical Detective Controls include audit
    trails and Intrusion detection expert systems.

35
Access Control Implementations
  • Administrative
  • Policies and procedures
  • Hiring practices
  • Background checks
  • Termination processes
  • Data classification and labeling
  • Security awareness

36
Administrative Access Controls
  • Principle of Least Privilege: requires that a
    user be given no more privilege than necessary to
    perform a job. Ensuring least privilege requires
    identifying what the user's job is, determining
    the minimum set of privileges required to perform
    that job, and restricting the user to a domain
    with those privileges and nothing more.

37
Administrative Access Controls
  • Segregation of Duties and Responsibilities:
    requires that for particular sets of
    transactions, no single individual be allowed to
    execute all transactions within the set. Can be
    either static or dynamic.
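
Role-based access control from slide 28 with both forms of segregation of duties from this slide, as an added example that is not part of the deck. Static SoD is enforced when roles are assigned (a user may never hold two conflicting roles); dynamic SoD is enforced when a session is opened (a user may hold both but not activate both at once). The roles, operations and conflict pairs are constructed assumptions.

```python
"""Role-based access control with static and dynamic segregation of duties.
Added example, not from the deck; roles, permissions and the conflicting
role pairs are constructed."""


class Session:
    def __init__(self, user, active_roles):
        self.user, self.active_roles = user, frozenset(active_roles)


class RBAC:
    def __init__(self):
        self.role_perms = {}          # role -> set of permitted operations
        self.user_roles = {}          # user -> set of assigned roles (centrally administered)
        self.static_sod = set()       # role pairs that may never be co-assigned
        self.dynamic_sod = set()      # role pairs that may never be co-activated

    def add_role(self, role, permissions):
        self.role_perms[role] = set(permissions)

    def declare_conflict(self, role_a, role_b, static=True):
        (self.static_sod if static else self.dynamic_sod).add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.static_sod:
                raise PermissionError(f"static SoD: {user} cannot hold {role} with {other}")
        held.add(role)

    def open_session(self, user, roles):
        roles = set(roles)
        if not roles <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {sorted(roles)}")
        for pair in self.dynamic_sod:
            if pair <= roles:
                raise PermissionError(f"dynamic SoD: cannot activate {sorted(pair)} together")
        return Session(user, roles)

    def permitted(self, session, operation):
        """Decided by the roles active in the session, not by the user's identity."""
        return any(operation in self.role_perms[r] for r in session.active_roles)


def demo():
    """Constructed purchasing workflow; returns the decisions and the SoD errors raised."""
    rbac = RBAC()
    rbac.add_role("clerk", {"create_order"})
    rbac.add_role("approver", {"approve_order"})
    rbac.add_role("auditor", {"read_orders"})
    rbac.declare_conflict("clerk", "approver", static=True)     # never both
    rbac.declare_conflict("approver", "auditor", static=False)  # both, but not at once
    out = {}
    rbac.assign("alice", "clerk")
    try:
        rbac.assign("alice", "approver")
    except PermissionError as e:
        out["alice approver"] = str(e)
    rbac.assign("bob", "approver")
    rbac.assign("bob", "auditor")
    try:
        rbac.open_session("bob", {"approver", "auditor"})
    except PermissionError as e:
        out["bob both"] = str(e)
    approving = rbac.open_session("bob", {"approver"})
    out["bob approves"] = rbac.permitted(approving, "approve_order")
    out["bob reads as approver"] = rbac.permitted(approving, "read_orders")
    out["alice approves"] = rbac.permitted(rbac.open_session("alice", {"clerk"}), "approve_order")
    return out
```

Because permissions are attached to roles rather than users, removing a duty from everyone who performs it is a single change to `role_perms`, which is the "centrally administered" property the slide names.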

38
Access Control Implementations
  • Physical
  • Badges, swipe cards
  • Guards, dogs
  • Fences, locks, mantraps

39
Access Control Implementations
  • Technical
  • Passwords, biometrics, smart cards
  • Encryption, protocols, call-back systems,
    constrained user interfaces
  • Anti-virus software, ACLs, firewalls, routers

40
Accountability
  • Auditing
  • technical controls that track activity
  • records who tried to do something to what and its
    success
  • Audit Review
  • must be reviewed
  • audit reduction tools
  • manual review

41
Accountability
  • Keystroke monitoring
  • Logging
  • Auditing and Logging Must-Dos
  • Must protect audit data and log information
  • Must be admissible as evidence
  • Must enforce strict access controls
  • Must store on write-once media
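
An audit trail that records who tried to do what to which object and whether it succeeded, with the log itself protected so that an edited or deleted record is detectable, plus one audit-reduction query of the kind the previous slide mentions. This is an added example, not part of the deck; the HMAC chain is a software stand-in for the protection the slide assigns to write-once media, and the key and the event lines are constructed.

```python
"""Audit trail with an HMAC chain (tampering is detectable) and a simple
audit-reduction query. Added example, not from the deck; the key and the
events are constructed. A chain is not write-once media, but it lets a
reviewer prove that a log was changed and where."""
import hashlib
import hmac
import json


class AuditLog:
    def __init__(self, key):
        self.key = key                     # held by the audit system, not by the users audited
        self.records = []                  # list of (entry dict, mac bytes)
        self.prev = b"\x00" * 32           # chain anchor

    def _mac(self, prev, entry):
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self.key, prev + body, hashlib.sha256).digest()

    def record(self, timestamp, subject, action, obj, success):
        """Who tried to do what, to what, and whether it succeeded."""
        entry = {"ts": timestamp, "subject": subject, "action": action,
                 "object": obj, "success": success}
        mac = self._mac(self.prev, entry)
        self.records.append((entry, mac))
        self.prev = mac                    # each record commits to everything before it
        return mac

    def verify(self):
        """Index of the first record that fails the chain, or None if it is intact."""
        prev = b"\x00" * 32
        for i, (entry, mac) in enumerate(self.records):
            if not hmac.compare_digest(self._mac(prev, entry), mac):
                return i
            prev = mac
        return None


def failed_logons_by_subject(log, threshold):
    """Audit reduction: collapse the trail to subjects with >= threshold failed logons."""
    counts = {}
    for entry, _ in log.records:
        if entry["action"] == "logon" and not entry["success"]:
            counts[entry["subject"]] = counts.get(entry["subject"], 0) + 1
    return {s: n for s, n in counts.items() if n >= threshold}


def demo():
    """Constructed events; returns (intact before edit, failing index after edit, reduction)."""
    log = AuditLog(b"constructed-audit-key")
    events = [                                   # constructed sample events
        (1, "alice", "logon", "workstation-7", True),
        (2, "mallory", "logon", "fileserver", False),
        (3, "mallory", "logon", "fileserver", False),
        (4, "mallory", "logon", "fileserver", False),
        (5, "alice", "read", "/hr/payroll.xlsx", False),
    ]
    for e in events:
        log.record(*e)
    intact = log.verify() is None
    reduced = failed_logons_by_subject(log, threshold=3)
    log.records[3][0]["success"] = True          # someone edits the trail to hide a failure
    return intact, log.verify(), reduced
```

Verification walks the chain from the anchor, so both an altered field and a removed record surface at the first position whose MAC no longer matches; the reduction query is the kind of "audit reduction tool" the previous slide refers to, turning hundreds of lines into the handful a reviewer must read.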

42
Access Control Practices
  • Object Reuse
  • before a storage object is released to a subject
    it is cleared of residual data
  • prevents data scavenging

43
Access Control Practices
  • Emanation Security
  • emitted electronic signals
  • TEMPEST
  • program of standards to prevent emanations
  • Faraday cage prevents signal leakage
  • White noise
  • uniform spectrum of random electronic signals
  • Control Zone
  • physical control
  • buffer area around emitter

44
Access Control Monitoring
  • Intrusion Detection System
  • IDS detect security breaches
  • Send alerts
  • Network-based IDS (NIDS)
  • protects networks
  • Host-based IDS (HIDS)
  • protects computer

45
Access Control Monitoring
  • Intrusion Prevention Systems (IPS)
  • detects
  • alerts
  • stops

46
Access Control Monitoring
  • Honeypot
  • sacrificial lamb on the network
  • looks too good to be true
  • vulnerabilities are present
  • allows knowledge of attacks
  • enticement - place it and leave it to be found
  • entrapment - advertise its presence

47
Threats to Access Control
  • Dictionary Attack
  • Using a predefined list, each is tried until a
    match is found
  • Brute Force Attack
  • Attack that continually tries different inputs to
    achieve a predefined goal
  • Spoofing at Logon
  • Phishing
  • Presenting false information to trick other
    systems and hiding the origin of the message
  • Sniffers
  • Placed on a network to capture packets and their
    contents
  • Crackers
  • Programs that break passwords
  • Social Engineering
  • Deceiving users to gain information

48
Summary
  • Definitions
  • Access control
  • Types of access control
  • Access control models
  • Accountability
  • Access control practices
  • Threats to access control

49
Questions
?