Document Sample
CyberSecurity Powered By Docstoc
					Access Control Terminology
Access Controls
   Control how users and systems communicate
    and interact
        Process Terminology
   Method for determining a subject is who it says it is
   User name, PIN number, smart card, account number
   Provided a second matching piece to the identification
   Password, passphrase, PIN number
   Has appropriate access to the requested resource
       Strong Authentication
Types of authentication
   Something a person has
   Something a person knows
   Something a person is
Strong Authentication includes at least
2 of the 3
Only 1 is considered _______________
Biometrics – Something a Person Is
 A unique personal attribute
 Type I Error
    Rejected an authorized user
 Type II Error
    Accepts a non-authorized imposter
 Crossover Error Rate (CER)
    Point where Type I Error distribution and Type
     II Error distribution meet
    The lower the number, the better
          Popular Biometrics
Fingerprint                Signature Dynamics
Palm scan                  Keyboard Dynamics
Hand Geometry              Voice Print
   Length and width of    Facial Scan
    the hand and fingers
                           Hand Topology
Retina Scan                   Side picture of the
Iris Scan                      hand
Biometrics Compared
Passwords – Something a Person Knows

 Passphrases refer to multiple word passwords
 Personal Identification Numbers (PIN) refer to
 numeric numbers
 Considered weak
    People use familiar words or numbers
    Words are susceptible to dictionary and brute force
    Users can’t remember strong passwords so they write
     them down
 Making Passwords Stronger
Forced password lifetimes
   Shorter makes it more secure, but too short and users
    forget which is active
   60 days is good compromise
Enforced minimum lengths
Forced special characters, case changes
No reuse
Lock out users at low clipping level (acceptable
failed attempts)
   For how long?
Better Passwords Through Technology

 Password Generators
    Produce passwords using random but
     pronounceable passwords
 Password Checkers/Crackers
    L0phtcrack
    John the Ripper
    Brutus
       Variations on a Theme
Cognitive Passwords
   Fact or opinion based information
   Best for seldom used authentication needs
One-Time Use Passwords
   Synchronous token device
      Token and server preshare private key
      Time based – token device and server clock are sync’ed,
      time value used as plaintext
      Event based – token and server share authentication value
   Asynchronous token device
      Server prompts with challenge code, user enters code into
      token device which returns a response code, user enters
      response into server
Digital Signatures

    -------BEGIN SIGNATURE------
    2V7LlOnAelws4S87UX80cL BtBcN6AACf11
     -------END SIGNATURE------
Cards – Something a Person Has
Memory Cards
   Hold information only
   Credit cards, ATM cards
Smart Cards
   Process information and hold information
   Information on card actively protected by
         Authorization Criteria
   Based on job function or assignment
Physical location
   Interactive login, for example
Logical location
   IP address, for example
Time of day
Transaction type
   Amount of money to be transferred, for example
    Restrictions to Remember
Default to NO ACCESS
   Access Control Lists (ACL) commonly default to deny
Base granted access on Need To Know
   Least-privilege principal
Single sign on whenever possible
   Scripts
   Kerberos is recognized standard in heterogeneous
   SESAME - Secure European System for Applications
    in a Multivendor Environment
      Access Control Models
Discretionary Access Control (DAC)
   Owner (creator) can access resource and
    dictate who else can access it
   Does not lend itself to central management
Mandatory Access Control (MAC)
   Operating system controls access based on
    owners sensitivity level
   Commonly used in military systems
Role Based Access Control (RBAC)
   Subjects role determines access
   Managed centrally
Rule Based Access Control
   Access matched against rules
   Common in network devices
Constrained Interfaces
   Limits data access and functionality
   ATM machines, for example
Content Dependant Access Control
   Restrictions based on data content
   Firewalls commonly use this to stop worms, viruses
      Access Control Matrixes
Table of subjects and objects indicating actions
subjects can take upon objects
Common in DAC model
Capability Tables
   Access rights a specific subject has for a specific
   Lists of subjects that have access to a specific object
   Very common in networking devices, firewalls
 Centralized Access Control
Remote Authentication Dial-in User Service
Terminal Access Controller Access Control
System (TACACS)

Decentralized Access Controls
Security Domains
    Realm of distributed trust
    Hierarchical or peer implementations
    Microsoft domains are a specific version
    Typical Scenario - Hybrid
Most enterprises combine both centralized
and decentralized control methods
   May have Kerberos centralized user database
   Use TACACS+ tied to Kerberos to
    authenticate dial-up and router users
   Use Windows 2000 file servers at each
    location to allow autonomous distributed
    security domains
   Workgroup printers are shared via Windows
    desktop peering
                  Control Types
   Avoid undesirable events
   Identify undesirable events
   Fix undesirable events that have occurred
   Discourage undesirable events
   Restore resources
   Provide alternatives to other types of controls
    Services Provided by Various
          Security Controls
Fences, locks, lighting   Separation of duties
   Preventative             Preventative
   Corrective               Deterrent
   Recovery              Security awareness
Security guard            training
   Preventative             Preventative
   Detective                Detective
   Corrective            Personnel procedures
   Deterrent                Preventative
   Recovery                 Detective
                             Deterrent
                             Compensation
    Services Provided by Various
          Security Controls
ACL’s               Intrusion Detection
   Preventative    System
Encryption             Preventative
   Preventative       Detective
   Deterrent          Corrective
Audit logs             Deterrent
   Detective       Antivirus Software
Smart cards            Preventative
   Preventative       Detective
                       Corrective
                       Recovery
Common Access Control Practices
Deny access to systems by anonymous & guest
Limit and monitor use of admin accounts
Remove obsolete user accounts when
employees leave company
Suspend inactive accounts after 30-60 days
Disable unneeded system features & services
Use nondescriptive logon ID’s
Rename root and administrator logon ID’s
Remove redundant accounts, ACL’s, roles,
           Fun with Auditing
Enforces accountability
Must be reviewed
Must be backed up and protected
   Good hackers always go after the audit logs
Guaranteed integrity is key to using logs
as evidence
   To be admissible in court, logs must be
    generated in the normal course of business
     Common Audit Events
System performance
Logon attempts + date/time (successful &
Lockouts of users
Alteration of config files
Error messages
Files opened and closed
File modifications
ACL violations
     Unauthorized Disclosure
Object Reuse
   Data left on floppies, backup tapes, or hard drives can
    be read
   Sectors containing data can be marked bad, thus
    hiding data
   Low level format, degauss, or destroy the media
Emanation Security
   Capturing electrical and electromagnetic radiation
    from devices
   TEMPEST – US Government standard for emanation
 Intrusion Detection Systems
Sniff network traffic (network-based) or
monitor individual computers (host-based)
Signature Based Detection
   Must be loaded with “fingerprints” of known
   Not effective against new attacks
Statistical Intrusion Detection
   Looks for statistical anomalies in traffic
Captures network traffic real-time
Allows admins or hackers to eavesdrop on
Employees can use sniffers undetected in
some networks
Unprotected system set up to lure would be
Attackers can then be tracked, attacks
cataloged, other systems hardened
   Legally admissible, target is simply not well protected
   Not legally admissible, target invites the hacker in
    Threats to Access Control
Dictionary Attack
   Lists or dictionaries are used as a source of
    passwords or plain text
   Countermeasures
      Do not allow single word based passwords – use
      dictionary attacks against your own users to find
      weak passwords
      Rotate passwords often
      Employ one-time password techniques
      Protect password files and stores
    Threats to Access Control
Brute Force Attack
   Attack attempts every possible combination of
    potential inputs
   Countermeasures
      Employ stringent clipping levels and auditing of
      login attempts
      Use brute force attacks against your own users to
      uncover weak passwords
      Protect password files and stores
Login Spoofing
   Hacker replaces legitimate login screens with fakes
   Countermeasure
    Threats to Access Control
Login Spoofing
   Hacker replaces legitimate login screens with
   Countermeasure
      Security awareness training
      Display number of failed login attempts
       Homework Assignment
Read Chapter 5, except:
   State Machine Models & Modes of Operation
    (pgs 240-249)
   Write a 2-3 page technical brief on the “Slammer” worm
   Include vulnerable software details, countermeasures, and
    information about testing systems for the vulnerability.
   Discuss the impact and current investigation of the worm.
   Summarize the events and alerts that occurred as the weekend