CyberSecurity - Ian Theofilos

Access Control Terminology

- Access Controls: control how users and systems communicate and interact

Process Terminology

- Identification: method for determining that a subject is who it says it is (user name, PIN, smart card, account number)
- Authenticated: the subject has provided a second piece that matches the identification (password, passphrase, PIN)
- Authorized: the subject has appropriate access to the requested resource

Strong Authentication

- Types of authentication: something a person has, something a person knows, something a person is
- Strong authentication includes at least 2 of the 3
- Only 1 is considered _______________

Biometrics – Something a Person Is

- A unique personal attribute
- Type I Error: rejects an authorized user
- Type II Error: accepts a non-authorized impostor
- Crossover Error Rate (CER): the point where the Type I and Type II error distributions meet; the lower the number, the better

Popular Biometrics

- Fingerprint
- Palm scan
- Hand geometry: length and width of the hand and fingers
- Retina scan
- Iris scan
- Signature dynamics
- Keyboard dynamics
- Voice print
- Facial scan
- Hand topology: side picture of the hand

Biometrics Compared

Passwords – Something a Person Knows

- Passphrases are multiple-word passwords
- Personal Identification Numbers (PINs) are numeric passwords
- Considered weak:
  - People use familiar words or numbers
  - Words are susceptible to dictionary and brute force attacks
  - Users can't remember strong passwords, so they write them down

Making Passwords Stronger

- Forced password lifetimes: shorter is more secure, but too short and users forget which one is active; 60 days is a good compromise
- Enforced minimum lengths
- Forced special characters and case changes
- No reuse
- Lock out users at a low clipping level (the acceptable number of failed attempts). For how long?

Better Passwords Through Technology

- Password generators: produce random but pronounceable passwords
- Password checkers/crackers: L0phtcrack, John the Ripper, Brutus

Variations on a Theme

- Cognitive passwords: fact- or opinion-based information; best for seldom-used authentication needs
- One-time-use passwords:
  - Synchronous token device: token and server preshare a private key
    - Time based: token device and server clocks are synced; the time value is used as the plaintext
    - Event based: token and server share an authentication value list
  - Asynchronous token device: server prompts with a challenge code, the user enters the code into the token device, which returns a response code, and the user enters the response into the server
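Both token schemes above, as an added example that is not part of the slides: the synchronous token derives its code from the pre-shared key and the synced time window, the asynchronous token from the server's challenge. HMAC-SHA1 as the keyed function, the 30-second window, the 6-digit code and the demo key are assumptions, not anything the slides specify.

```python
import hmac
import hashlib
import struct
import secrets

# Constructed pre-shared key: the token device and the server hold the same secret.
SHARED_KEY = bytes.fromhex("3132333435363738393031323334353637383930")  # demo value only
TIME_STEP = 30   # seconds per time window (assumed)
DIGITS = 6       # code length (assumed)

def truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Reduce a MAC to a short decimal code the user can type."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def synchronous_code(key: bytes, now: int, step: int = TIME_STEP) -> str:
    """Synchronous (time-based) token: the synced clock value is the message;
    token and server compute the same code from it and the shared key."""
    counter = struct.pack(">Q", now // step)
    return truncate(hmac.new(key, counter, hashlib.sha1).digest())

def server_verify_sync(key: bytes, submitted: str, now: int, drift_windows: int = 1) -> bool:
    """Server accepts the code for the current window plus a little clock drift."""
    for w in range(-drift_windows, drift_windows + 1):
        if hmac.compare_digest(synchronous_code(key, now + w * TIME_STEP), submitted):
            return True
    return False

def server_challenge() -> str:
    """Asynchronous token, step 1: the server issues a random challenge code."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)

def token_response(key: bytes, challenge: str) -> str:
    """Asynchronous token, step 2: the user types the challenge into the token,
    which returns a response derived from the challenge and the shared key."""
    return truncate(hmac.new(key, challenge.encode(), hashlib.sha1).digest())

def server_verify_async(key: bytes, challenge: str, response: str) -> bool:
    """Asynchronous token, step 3: the server recomputes and compares."""
    return hmac.compare_digest(token_response(key, challenge), response)

if __name__ == "__main__":
    t = 1_700_000_000
    code = synchronous_code(SHARED_KEY, t)
    print("time-based code:", code, "accepted:", server_verify_sync(SHARED_KEY, code, t + 10))
    ch = server_challenge()
    print("challenge:", ch, "accepted:", server_verify_async(SHARED_KEY, ch, token_response(SHARED_KEY, ch)))
```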

Digital Signatures

(Slide shows an example ASCII-armored signature block, from "BEGIN SIGNATURE" to "END SIGNATURE".)

Cards – Something a Person Has

- Memory cards: hold information only (credit cards, ATM cards)
- Smart cards: process information as well as hold it; information on the card is actively protected by authentication

Authorization Criteria

- Roles: based on job function or assignment
- Groups
- Physical location: interactive login, for example
- Logical location: IP address, for example
- Time of day
- Transaction type: amount of money to be transferred, for example

Restrictions to Remember

- Default to NO ACCESS: Access Control Lists (ACLs) commonly default to deny
- Base granted access on need to know (least-privilege principle)
- Single sign-on whenever possible:
  - Scripts
  - Kerberos is the recognized standard in heterogeneous environments
  - SESAME: Secure European System for Applications in a Multivendor Environment

Access Control Models

- Discretionary Access Control (DAC): the owner (creator) can access the resource and dictate who else can access it; does not lend itself to central management
- Mandatory Access Control (MAC): the operating system controls access based on the owner's sensitivity level; commonly used in military systems

- Role Based Access Control (RBAC): the subject's role determines access; managed centrally
- Rule Based Access Control: access is matched against rules; common in network devices
- Constrained interfaces: limit data access and functionality; ATM machines, for example
- Content Dependent Access Control: restrictions based on data content; firewalls commonly use this to stop worms and viruses

Access Control Matrixes

- Table of subjects and objects indicating the actions subjects can take upon objects; common in the DAC model
- Capability tables: the access rights a specific subject has for a specific object
- ACLs: lists of subjects that have access to a specific object; very common in networking devices and firewalls
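An added example, not from the slides: one access control matrix and the two views the slide names, a capability table (one subject's row) and an ACL (one object's column), with default deny for any missing cell and a DAC rule that only the owner may grant access. The subjects, objects and the "own" right used to mark ownership are constructed for the demo.

```python
from typing import Dict, Set, Tuple

# Constructed sample matrix: rows are subjects, columns are objects, each cell is the
# set of actions the subject may take on the object. Missing cells mean NO ACCESS.
MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll.xls"): {"read", "write", "own"},
    ("alice", "printer1"):    {"print"},
    ("bob",   "payroll.xls"): {"read"},
    ("bob",   "printer1"):    {"print"},
    ("carol", "printer1"):    {"print", "admin"},
}

def is_authorized(matrix, subject: str, obj: str, action: str) -> bool:
    """Look up one cell; an absent cell denies by default."""
    return action in matrix.get((subject, obj), set())

def capability_table(matrix, subject: str) -> Dict[str, Set[str]]:
    """Row view: every object one subject can reach, and the rights it holds."""
    return {obj: set(rights) for (subj, obj), rights in matrix.items() if subj == subject}

def access_control_list(matrix, obj: str) -> Dict[str, Set[str]]:
    """Column view: every subject that can reach one object, and how."""
    return {subj: set(rights) for (subj, o), rights in matrix.items() if o == obj}

def dac_grant(matrix, owner: str, obj: str, grantee: str, rights: Set[str]) -> bool:
    """DAC: only the object's owner may extend access to another subject."""
    if "own" not in matrix.get((owner, obj), set()):
        return False   # requester is not the owner; the grant is refused
    matrix.setdefault((grantee, obj), set()).update(rights)
    return True

if __name__ == "__main__":
    print("alice's capabilities:", capability_table(MATRIX, "alice"))
    print("ACL for printer1:", access_control_list(MATRIX, "printer1"))
    print("bob may write payroll?", is_authorized(MATRIX, "bob", "payroll.xls", "write"))
    print("bob grants carol read:", dac_grant(MATRIX, "bob", "payroll.xls", "carol", {"read"}))
    print("alice grants bob write:", dac_grant(MATRIX, "alice", "payroll.xls", "bob", {"write"}))
    print("bob may write payroll now?", is_authorized(MATRIX, "bob", "payroll.xls", "write"))
```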

Centralized Access Control

- Remote Authentication Dial-in User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)

Decentralized Access Controls

- Security domains: a realm of distributed trust
  - Hierarchical or peer implementations
  - Microsoft domains are a specific version

Typical Scenario - Hybrid

- Most enterprises combine centralized and decentralized control methods:
  - May have a Kerberos centralized user database
  - Use TACACS+ tied to Kerberos to authenticate dial-up and router users
  - Use Windows 2000 file servers at each location to allow autonomous distributed security domains
  - Workgroup printers are shared via Windows desktop peering

Control Types

- Preventative: avoid undesirable events
- Detective: identify undesirable events
- Corrective: fix undesirable events that have occurred
- Deterrent: discourage undesirable events
- Recovery: restore resources
- Compensation: provide alternatives to other types of controls

Services Provided by Various Security Controls

- Fences, locks, lighting: Preventative, Corrective, Recovery
- Security guard: Preventative, Detective, Corrective, Deterrent, Recovery
- Separation of duties: Preventative, Deterrent
- Security awareness training: Preventative, Detective
- Personnel procedures: Preventative, Detective, Deterrent, Compensation
- ACLs: Preventative
- Encryption: Preventative, Deterrent
- Audit logs: Detective
- Smart cards: Preventative
- Intrusion Detection System: Preventative, Detective, Corrective, Deterrent
- Antivirus software: Preventative, Detective, Corrective, Recovery

Common Access Control Practices

- Deny access to systems by anonymous and guest accounts
- Limit and monitor use of admin accounts
- Remove obsolete user accounts when employees leave the company
- Suspend inactive accounts after 30-60 days
- Disable unneeded system features and services
- Use nondescriptive logon IDs
- Rename root and administrator logon IDs
- Remove redundant accounts, ACLs, roles, groups

Fun with Auditing

- Enforces accountability
- Must be reviewed
- Must be backed up and protected: good hackers always go after the audit logs
- Guaranteed integrity is key to using logs as evidence: to be admissible in court, logs must be generated in the normal course of business

Common Audit Events

- System performance
- Logon attempts with date/time (successful and unsuccessful)
- Lockouts of users
- Alteration of config files
- Error messages
- Files opened and closed
- File modifications
- ACL violations

Unauthorized Disclosure

- Object reuse: data left on floppies, backup tapes, or hard drives can be read
  - Sectors containing data can be marked bad, thus hiding data
  - Low-level format, degauss, or destroy the media
- Emanation security: capturing electrical and electromagnetic radiation from devices
  - TEMPEST: US Government standard for emanation protection

Intrusion Detection Systems

- Sniff network traffic (network-based) or monitor individual computers (host-based)
- Signature based detection: must be loaded with "fingerprints" of known attacks; not effective against new attacks
- Statistical intrusion detection: looks for statistical anomalies in traffic

Sniffers

- Capture network traffic in real time
- Allow admins or hackers to eavesdrop on data
- Employees can use sniffers undetected in some networks

Honeypots

- An unprotected system set up to lure would-be attackers
- Attackers can then be tracked, attacks cataloged, and other systems hardened appropriately
- Enticement: legally admissible; the target is simply not well protected
- Entrapment: not legally admissible; the target invites the hacker in

Threats to Access Control

- Dictionary attack: lists or dictionaries are used as a source of passwords or plaintext
  - Countermeasures:
    - Do not allow single-word-based passwords; use dictionary attacks against your own users to find weak passwords
    - Rotate passwords often
    - Employ one-time password techniques
    - Protect password files and stores
- Brute force attack: attempts every possible combination of potential inputs
  - Countermeasures:
    - Employ stringent clipping levels and auditing of login attempts
    - Use brute force attacks against your own users to uncover weak passwords
    - Protect password files and stores
- Login spoofing: hacker replaces legitimate login screens with fakes
  - Countermeasures:
    - Security awareness training
    - Display the number of failed login attempts
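The clipping-level countermeasure above, together with the lockout rule from "Making Passwords Stronger" and the logon-attempt and lockout events from "Common Audit Events", as an added example that is not part of the slides: it replays constructed audit records, locks an account once failed logons reach the clipping level, and keeps rejecting it until the lockout expires. The record format, the clipping level of 5 and the 30-minute lockout are assumptions.

```python
import re
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5                          # acceptable failed attempts before lockout (assumed policy)
LOCKOUT_DURATION = timedelta(minutes=30)    # one answer to the slide's "for how long?" (assumed)

# Constructed sample audit records, not real logs: logon attempts with date/time and result.
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGON user=bob result=FAILURE src=10.0.0.5
2024-03-01T08:00:03 LOGON user=bob result=FAILURE src=10.0.0.5
2024-03-01T08:00:04 LOGON user=alice result=SUCCESS src=10.0.0.9
2024-03-01T08:00:05 LOGON user=bob result=FAILURE src=10.0.0.5
2024-03-01T08:00:06 LOGON user=bob result=FAILURE src=10.0.0.5
2024-03-01T08:00:07 LOGON user=bob result=FAILURE src=10.0.0.5
2024-03-01T08:00:08 LOGON user=bob result=SUCCESS src=10.0.0.5
2024-03-01T08:40:00 LOGON user=bob result=SUCCESS src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) LOGON user=(\S+) result=(SUCCESS|FAILURE) src=(\S+)$")

def enforce_clipping_level(log_text, clipping_level=CLIPPING_LEVEL, lockout=LOCKOUT_DURATION):
    """Replay logon events; once failures reach the clipping level, lock the account and
    reject every logon (even a correct one) until the lockout expires. Returns (lockouts, decisions)."""
    failures = {}       # user -> consecutive failed attempts since last success/lockout
    locked_until = {}   # user -> datetime when the lockout ends
    lockouts, decisions = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # malformed record: skip rather than guess
        ts, user, result, src = m.groups()
        when = datetime.fromisoformat(ts)
        if user in locked_until and when < locked_until[user]:
            decisions.append((ts, user, "REJECTED_LOCKED"))
            continue
        if result == "FAILURE":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= clipping_level:
                locked_until[user] = when + lockout
                failures[user] = 0
                lockouts.append((ts, user, src))    # a lockout is itself an audit event
                decisions.append((ts, user, "LOCKED_OUT"))
            else:
                decisions.append((ts, user, "FAILED"))
        else:
            failures[user] = 0                      # a successful logon resets the counter
            decisions.append((ts, user, "ACCEPTED"))
    return lockouts, decisions
```

Run against SAMPLE_LOG, bob is locked out on the fifth failure at 08:00:07, his correct logon one second later is rejected, and his logon at 08:40 is accepted again.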

Homework Assignment

- Read Chapter 5, except State Machine Models and Modes of Operation (pgs 240-249)
- Paper: write a 2-3 page technical brief on the "Slammer" worm
  - Include vulnerable software details, countermeasures, and information about testing systems for the vulnerability
  - Discuss the impact and current investigation of the worm
  - Summarize the events and alerts that occurred as the weekend unfolded