ISSA CISSP Preparation
2010 CISSP Study Group
Domain 1: Access Control

Presented By: Jeff McEwen, CISSP, Security Architect, AAA NCNU Insurance Exchange
Domain Objective
• The objective of this domain is to
    – Access control concepts and techniques
    – Access control methodologies and
      implementation within centralized and
      decentralized environments
    – Detective and corrective access controls
    – Mechanisms for controlling system use
    – Potential risks, vulnerabilities, and exposures

Domain Summary
The information for this domain represents
  approximately 16% of the CISSP exam

Access Control Defined
• Access control is the heart of security
    – The ability to allow only authorized users, programs or
      processes system or resource access
    – The granting or denying, according to a particular
      security model, of certain permissions to access a
    – An entire set of procedures performed by hardware,
      software and administrators, to monitor access, identify
      users requesting access, record access attempts, and
      grant or deny access based on pre-established rules.
    – The collection of mechanisms for limiting, controlling,
      and monitoring system access to certain items of
      information, or to certain features based on a user’s
      identity and their membership in various predefined

Key Access Control Terms
• Identification – assert user is the user; process
  through which one ascertains the identity of
  another person or entity; provides accountability
  to users & traceability of their activities
• Authentication – verifies user is who user
  claims; process through which one proves and
  verifies certain information.
• Authorization – actions the user is allowed to
• Accountability – tracks user actions and when
  they were done
• Approval – Authorizations were appropriately
  granted by the data owner

Access Control Concepts
• Security Policy - a high-level overall plan
  embracing general goals and acceptable
  actions for each system
• Accountability - systems that process
  sensitive information must assure
  individual accountability
• Assurance - systems must guarantee
  correct and accurate interpretation of
  security policy

Access Control Systems & Methodology
Why Control Access
Access Control Purposes
• Confidentiality - information is not disclosed to
  unauthorized individuals or processes
    – protects against hackers, unprotected
      communications, unauthorized users
• Integrity - information retains its original level of
    – protects against unauthorized data modifications,
      system changes, or program changes
• Availability - reliable access to data
    – protects against denial of service, ping attacks, e-mail

What does AC hope to protect?
• Data - Unauthorized viewing, modification
  or copying
• System - Unauthorized use, modification
  or denial of service
• It should be noted that nearly every
  network operating system (NT, Unix,
  Vines, NetWare) is based on a secure
  physical infrastructure

Information Value
 • Information is assumed to have a value
   that can be measured by quantity or
 • The major reason to value information is
   the cost to develop and the value to its
 • Valuation techniques - Use of policy or
   regulation, checklist, questionnaire,
   consensus, accounting data, statistical

File and Data Ownership
• A prerequisite to development of effective
  access controls is the establishment of Data
  Ownership. The Data Owner is required to:
   – Identify sensitivity of information
   – Determine security requirements
   – Ensure security requirements meet goals
   – Authorize access
   – Develop contingency plans

Access Control Systems & Methodology
How do we control access?

Control Types
 • Preventative - deter problems before
   they occur
 • Detective - investigate an act that has
 • Corrective - remedy acts that have
 • Deterrent - discourage an act from
 • Recovery - restore a resource from an
   act that has occurred

Lines of Defense
Security mechanisms for limiting and controlling access to resources by layering protection
• Categories - usually 3 lines with action priorities based on increased control with each succeeding layer
    – First Line - policies, firewalls, passwords, separation of duties, training, quality assurance, fault tolerance, etc.
    – Second Line - audit trails, monitoring, penetration
    – Third Line - insurance, bonding, backups, contingency

Access Control Types
• Management - policies, procedures, and
  accountability designed to control system
• Technical - hardware and software
  controls used to automate protection of
  the system
• Operational - personnel procedures used
  to protect the system

Proactive access control
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures

Physical access control
• Guards
• Locks
• Mantraps
• ID badges
• CCTV, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs

How can AC be implemented?
 • Hardware
 • Software
    – Application
    – Protocol (Kerberos, IPSec)
 • Physical
 • Logical (policies)

Access Control & privacy issues
 • Expectation of privacy
 • Policies
 • Monitoring activity, Internet usage, e-
 • Login banners should detail expectations
   of privacy and state levels of monitoring

Access Control Systems & Methodology

User Authentication

• Types of ID
  – User IDs
  – Names
  – PINs (also used for authentication)
  – Badges
  – Biometrics (also used for authentication)

User Authentication
• User Identification - provides identity to
  – authentication data verifies individual
  – activities traced to an individual
  – responsible for actions
  – use of a label to ID user
• User Label Characteristics
  – unique
  – non-descriptive of function, area, or company

User Authentication
 • System Implementation
     – Administration - create, distribute, and store
       authentication data (passwords)
     – Maintaining authentication - log out user or lock
       system during inactivity
     – Single log-in - a group of systems on one OS platform
       that allow the user to authenticate once
         • Host-to-host authentication - host passes on logon
         • Authentication servers - user logs on to a special
           network server
         • User-to-host authentication - user logs on and
           receives token for logons to other systems


Three types of authentication:
• Something you know - Password, PIN, mother's maiden name, passcode, fraternity chant
• Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport
• Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

 • Most common type of authentication in
 • something a user knows
 • a string of characters that IDs a user
 • Types
     – One-time passwords - system generated and
       changed after every use
     – Passphrase – a sequence of characters that is
       longer than a regular password and is
       transformed into a virtual password

Password Issues
 • Selection
     – Source – can be assigned or user selected, system
       generated, token generated, or a system default
     – Composition – can be words, characters, or a phrase
     – Types – can be system or resource specific
 • Management
     – Transport paths that user uses to update password
        • owner authentication – generated by owner
        • system owner authentication – generated by
        • system administration to owner & system –
          generated by system administrator

Password Issues
 • Management (continued)
     – Initial passwords
         • New users
         • One-time passwords
         • Force user change
     – User notification on successful login – date & time of
       last logon and location
     – Suspend ID after number of unsuccessful logon
     – Audit trail of logons – successful login, unsuccessful
       attempts, along with date/time/ID/origin
     – Control maximum logon attempt rate
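
As an added illustration (not from the presentation) of three of the management controls just listed, suspension after a number of unsuccessful logons, a logon-attempt rate limit and the last-logon notification, here is a small Python analysis of a constructed audit trail; the log format, thresholds and user names are assumptions of this example.

```python
"""Logon-attempt controls from the slide, applied to a constructed audit trail.
Added illustration; the log format, thresholds and user names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: date/time, ID, origin and outcome of each logon.
SAMPLE_LOG = """\
2010-03-01 08:00:01 LOGIN user=alice origin=10.0.0.5 result=SUCCESS
2010-03-01 08:00:15 LOGIN user=bob origin=10.0.0.9 result=FAIL
2010-03-01 08:00:16 LOGIN user=bob origin=10.0.0.9 result=FAIL
2010-03-01 08:00:17 LOGIN user=bob origin=10.0.0.9 result=FAIL
2010-03-01 08:00:18 LOGIN user=bob origin=10.0.0.9 result=FAIL
2010-03-01 08:00:19 LOGIN user=bob origin=10.0.0.9 result=FAIL
2010-03-01 08:00:20 LOGIN user=bob origin=10.0.0.9 result=SUCCESS
2010-03-01 09:10:00 LOGIN user=carol origin=10.0.0.7 result=FAIL
2010-03-01 09:40:00 LOGIN user=carol origin=10.0.0.7 result=FAIL
2010-03-01 10:10:05 LOGIN user=carol origin=10.0.0.7 result=SUCCESS
"""


def parse_log(text):
    """Turn each line into (timestamp, user, origin, result)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, fields["user"], fields["origin"], fields["result"]))
    return events


def analyze(events, max_failures=3, window=timedelta(minutes=10), max_rate=4):
    """Apply the slide's controls to the audit trail.

    Returns (suspended, rate_alerts, last_success):
      suspended    - ID -> time it was suspended, after max_failures
                     consecutive unsuccessful logons
      rate_alerts  - (ID, time) whenever more than max_rate attempts of any
                     outcome fall inside the sliding window
      last_success - ID -> (time, origin) of the last successful logon, the
                     data shown in the user notification on login
    """
    streak = defaultdict(int)
    recent = defaultdict(list)
    suspended, rate_alerts, last_success = {}, [], {}
    for ts, user, origin, result in events:
        # Attempt-rate control counts every attempt, honoured or not.
        recent[user] = [t for t in recent[user] if ts - t < window] + [ts]
        if len(recent[user]) > max_rate:
            rate_alerts.append((user, ts))
        if user in suspended:
            continue  # ID is locked: the attempt is logged but not honoured
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= max_failures:
                suspended[user] = ts
        else:
            streak[user] = 0  # a successful logon resets the failure count
            last_success[user] = (ts, origin)
    return suspended, rate_alerts, last_success


def last_logon_banner(user, last_success):
    """Text for the 'date & time of last logon and location' notification."""
    if user not in last_success:
        return "No previous successful logon recorded"
    ts, origin = last_success[user]
    return f"Last successful logon: {ts:%Y-%m-%d %H:%M:%S} from {origin}"


if __name__ == "__main__":
    suspended, alerts, last = analyze(parse_log(SAMPLE_LOG))
    print("suspended:", {u: t.strftime("%H:%M:%S") for u, t in suspended.items()})
    print("rate alerts:", [(u, t.strftime("%H:%M:%S")) for u, t in alerts])
    for u in ("alice", "bob", "carol"):
        print(u, "->", last_logon_banner(u, last))
```

Note that bob's eventual correct password at 08:00:20 is not honoured because the ID was already suspended, while carol's two slow failures neither trip the rate limit nor reach the suspension count.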

Password Issues
 • Control
     – Password lifetime – length of time the
       password can be secure
     – Users change own password
     – Audit trail of password changes
     – Risk if compromised
        • Distribution risk
        • Probability of guessing
        • Electronic monitoring
        • Vulnerable to cracking

Password Issues
 • Control (continued)
     – Password security
        • Number of characters
        • Minimum length
        • Number of invalid attempts
     – Compromises – severity of measures vs. user
     – Forgotten passwords – issue expired
       passwords, user changes immediately
     – User ID by phone – validate user identity, call
       back user at office phone with new password
Problems with passwords (what a person knows)
 • Insecure
     – Given the choice, people will choose easily
       remembered and hence easily guessed passwords
       such as names of relatives, pets, phone numbers,
       birthdays, hobbies, etc.
 • Easily broken
     – Programs such as crack, SmartPass, PWDUMP,
       NTCrack & l0phtcrack can easily decrypt Unix,
       NetWare & NT passwords.
     – Dictionary attacks are only feasible because users
       choose easily guessed passwords!
 • Inconvenient
      – In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember

Classic password rules (what a person knows)
 • The best passwords
      – Easy to remember
      – Hard to crack using a dictionary attack.
      – The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
 • Don't use:
      – common names, DOB, spouse, phone #, etc.
      – word found in dictionaries
      – password as a password
      – system defaults

Password management (what a person knows)
 • Configure system to use strong passwords
 • Set password time and length limits
 • Limit unsuccessful logins
 • Limit concurrent connections
 • Enable auditing
 • How policies for password resets and
 • Use last login dates in banners

Access Control Techniques
 • Tokens - access information stored in a portable
     – Memory token - store but do not process data
     – Smart token - store and process data
     – Limitations - lost or stolen with PIN allows for
       masquerading, battery failure or device malfunction
     – Benefits
         • not vulnerable to regular cracks
         • 2 factor authentication - challenge response
     – Examples - SecurID, PIN pad, ATM card

(what a person has)
• Used to facilitate one-time Passwords
• Asynchronous Token Device
• SecurID -- synchronous Token Device
• Physical card
• S/Key
• Smart card – Contact & Contactless
• Access token

Access Control Techniques
 • Biometrics - something a person is
     – The one attribute that cannot be readily
       compromised in 3 factors of personal identity
        • knows - i.e. password
        • has - i.e. access card
        • about - i.e. fingerprint
     – Examples - fingerprint, hand geometry, voice
     – Constraints – cost of equipment, access time,
       false readings

(what a person is)
• Authenticating a user via human
     – Accuracy
        • False Reject Rate – (type I error)
        • False Accept Rate – (type II error)
        • Cross-Over Error Rate (CER)
• Behavioral – keystroke, signature pattern,
  signature dynamics
• Physical characteristics of a person to prove
  their identification
     – Fingerprint, Iris, retina, voice, face
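
An added worked example, not part of the slides, showing how the three accuracy figures above (False Reject Rate, False Accept Rate, Cross-Over Error Rate) are derived from a matcher's scores; the scores are constructed, and sweeping the decision threshold is one common way to locate the crossover point.

```python
"""Biometric accuracy measures from the slide (FRR, FAR, CER), computed over
constructed match scores. Added illustration; the scores are invented."""

# Constructed match scores (0-100, higher = better match) from a hypothetical
# fingerprint matcher: genuine users against their own template, impostors
# against someone else's template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 58]
IMPOSTOR_SCORES = [20, 28, 35, 42, 50, 55, 61, 68, 72, 80]


def error_rates(genuine, impostor, threshold):
    """A sample is accepted when its score >= threshold.
    FRR (type I error): fraction of genuine users wrongly rejected.
    FAR (type II error): fraction of impostors wrongly accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep the threshold over every observed score and return
    (threshold, CER) at the point where FRR and FAR are closest;
    CER is their common value, the usual single-number accuracy figure."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(genuine, impostor, max_far):
    """High-security tuning: the lowest threshold whose FAR does not exceed
    max_far, together with the FRR the users will then have to live with.
    Returns (threshold, frr, far), or None if no threshold satisfies max_far."""
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    print("crossover (threshold, CER):",
          crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0 forces (threshold, FRR, FAR):",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these scores the crossover sits at a threshold of 70 with 20% on both error rates, and driving FAR to zero pushes FRR to 60%, which is the user-acceptance trade-off the disadvantages slide refers to.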

Advantages of biometrics (what a person is)
 • Can’t be loaned like a physical key or
   token and can’t be forgotten like a
 • Good compromise between ease of use,
   template size, cost and accuracy
 • Fingerprint contains enough inherent
   variability to enable unique identification
   even in very large (millions of records)
 • Makes network login & authentication

Biometric Disadvantages (what a person is)
• Processing speed issues - Still relatively expensive per user
• Accuracy – Subject to environmental
• User acceptability -- Some hesitancy for user acceptance

Biometric privacy issues (what a person is)
• Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
• Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
• Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or

Multi-factor authentication
• 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
  – ATM card + PIN
  – Credit card + signature
  – PIN + fingerprint
• 3-factor authentication -- For highest security
  – Password + SecurID token + Fingerprint

Single Sign-on
User authenticates only once to a network system to be allowed on all systems in an enterprise
• Benefits
  – More efficient user logon process
  – Stronger passwords are required
  – Inactivity thresholds applied uniformly
  – Effective for disabling terminated accounts

Single sign-on (Reduced Sign-on)
• User has one password for all enterprise systems and applications - that way, one strong password can be remembered and used
• All of a user's accounts can be quickly created on hire, deleted on dismissal
• Hard to implement and get working
• Kerberos, SPNEGO, x.509, SESAME – Secure
  European System for Applications in a Multi-vendor
  Environment, SAML, WS-Federation
• CA-eTrust, RSA Access Manager, IBM Tivoli Access

Single Sign-on
 • Methodologies
     – Network session managers
        • Provides multiple sessions limited to one
          computing platform
        • Synchronization problems
     – Security server
        • SESAME – Secure European System for
          Applications in a Multivendor Environment
            – Provides distributed access control using
              symmetric and asymmetric cryptography
            – Project of ECMA
            – Provides global access identity – targets end
              system and provides mapping to local access

Single Sign-on
     – Security server (Cont'd)
        • Kerberos – MIT project Athena
            – User authentication, encryption, and uses ticket
            – Authenticator contains same verification information
            – Tickets – database of clients and private keys
            – Windows/Active Directory uses Kerberos today
     – Credential caching
        • Scripting
            – Macro language
            – Replay user keystrokes
            – Scans for message strings
     – ID Federation
        • Liberty Alliance, SAML
        • WS Federation

Access Control Systems & Methodology

Access Control Structure

• Subject - an active user or process that requests
  access to a resource

• Object - a resource that contains information

• Domain - a set of objects that the subject can

• Groups - subjects and objects grouped together
  based on shared characteristics

Access Control Criteria

• Identity - a unique way to identify an individual
  or program in a system
• Roles - computer related functions performed by
  a user that uses an exclusive set of privileges
• Location - physical or logical place of user
• Time - day/time parameters used to control
  resource use
• Transaction - program checks that can be
  performed to protect information

Access Control Techniques
 • Content dependent - access based on content of
      – provides more access control granularity
      – access request is in form of question
      – arbiter program controls access
 • Temporal isolation - access based on user work
      – used for multilevel security
      – each time slot a different access level
      – used for rotating shifts, weekend operations, etc.
 • Least privilege rule (need-to-know) - all data access is restricted unless granted

Principles of Access Control

Rule of least privilege
• One of the most fundamental principles of infosec
• States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can
• Physical security example: car valet key vs. regular key

Separation of Duties
      – Limits users' access based on duty position
      – Split responsibility requires collusion to create harm

Implementing least privilege
 • Ensure that only a minimal set of users have
   root/administrator/sysadmin access
 • There are commercial tools available to support
   shared root access without shared root
 • Ensure that software deployed doesn’t demand
   greater access than really needed.
 • Implement via explicit group membership, not
   nested or via shared passwords.

Access Control Systems & Methodology
Formal Models

Varied types of Access Control
 • Discretionary (DAC) vs Mandatory (MAC)
 • Centralized vs Decentralized
 • Formal models (detail in Sec Arch
     – Biba (Integrity)
     – Take/Grant
     – Clark/Wilson
     – Bell/LaPadula (confidentiality)

Access Control Models
• Discretionary - resource owner determines access and privileges user should have
      – Identity-based - access based on user and resource identity
      – User-directed – user (owner) grants access based on restrictions
      – Hybrid - access based on identity-based and user-directed
• Mandatory – System determines access based on label (
      – Object label contains object's classification
      – Subject label contains subject's clearance
      – Rule-based - access granted based on resource rules
      – Administratively directed - access granted by administrator

Access Control Models
 • Non-Discretionary - resource access is granted based
   on policies and control objectives
    – Role-based - access is based on user’s responsibilities.
    – Task-based - access is based on user’s job duties
    – Lattice-based
         • Complex decisions with multiple objects
           and subjects.
         • Mathematical structure that defines
           greatest lower-bound and least upper-
           bound values for a pair of elements

Competing definition
• Wiki defines these three types:
      – DAC (Discretionary Access Control)
      – MAC (Mandatory Access Control)
        • Rule based or Lattice based
        • Controls read and write permissions based on a
          user's clearance level and object confidentiality
     – RBAC (Role Based Access Control)
        • Controls collections of permissions that may
          include complex operations such as an e-
          commerce transaction
• MAC and RBAC are both defined as Non-

Discretionary Access Control
 • Access is restricted based on the authorization
   granted to the user
 • Orange book C-level
 • Prime use to separate and protect users from
   unauthorized data
 • Used by Unix, NT, NetWare, Linux, Vines, etc.
 • Relies on the object owner to control access

Mandatory Access Control
• Assigns sensitivity levels, AKA labels
• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
• Only the administrators, not object owners, may change the object level
• Generally more secure than DAC
• Orange book B-level
• Used in systems where security is critical, i.e.,
• Hard to program for and configure & implement

Mandatory Access Control
 • Downgrade in performance
 • Relies on the system to control access
 • Example: If a file is classified as confidential,
   MAC will prevent anyone from writing secret or
   top secret information into that file.
 • All output, i.e., print jobs, floppies, other magnetic media must be labeled as to the sensitivity level
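
An added example (not the presenter's material) that ties the lattice description on the earlier Access Control Models slide to this slide's write example: labels as a level plus a set of categories, the least upper and greatest lower bounds of two labels, and a system-enforced read/write check. The four level names, the category names and the use of the Bell-LaPadula no-read-up / no-write-down rules are assumptions of this example.

```python
"""Lattice-based labels and the MAC write rule from the slides.
Added illustration; the four levels, the category names and the
Bell-LaPadula read/write rules used here are assumptions of this example."""
from dataclasses import dataclass

# Ordered sensitivity levels (lowest first).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of need-to-know categories.
    Used both as an object's classification and as a subject's clearance."""
    level: str
    categories: frozenset = frozenset()

    def rank(self):
        return LEVELS.index(self.level)

    def dominates(self, other):
        """self >= other in the lattice: at least as high a level AND every
        one of other's categories. Two labels may be incomparable."""
        return self.rank() >= other.rank() and self.categories >= other.categories


def least_upper_bound(a, b):
    """Smallest label that dominates both: the label that data derived
    from both a and b must carry."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.categories | b.categories)


def greatest_lower_bound(a, b):
    """Largest label dominated by both: the most that a subject cleared for
    either a or b is guaranteed to be allowed to see."""
    return Label(LEVELS[min(a.rank(), b.rank())], a.categories & b.categories)


def mac_decision(subject, obj, mode):
    """System-enforced decision; the object owner has no say.
    read:  allowed only if the subject's clearance dominates the object's
           classification (no read up).
    write: allowed only if the object's classification dominates the
           subject's clearance (no write down), which is what stops secret
           or top-secret information being written into a confidential file."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError("mode must be 'read' or 'write'")


if __name__ == "__main__":
    secret_user = Label("SECRET")
    confidential_file = Label("CONFIDENTIAL")
    print("SECRET subject reads CONFIDENTIAL file:",
          mac_decision(secret_user, confidential_file, "read"))
    print("SECRET subject writes CONFIDENTIAL file:",
          mac_decision(secret_user, confidential_file, "write"))
    a = Label("SECRET", frozenset({"NUCLEAR"}))
    b = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print("LUB:", least_upper_bound(a, b))
    print("GLB:", greatest_lower_bound(a, b))
```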

Problems with formal models
• Based on a static infrastructure
• Defined and succinct policies
• These do not work in corporate systems which are extremely dynamic and constantly changing
• None of the previous models deals with:
     – Viruses / active content
     – Trojan horses
     – firewalls
• Limited documentation on how to build these systems

Access Control Models
 • Centralized - one location is responsible for access control
    – advantage - strict control and uniformity of access
    – disadvantage - central administration can be
    – examples:
         • RADIUS (Remote Authentication Dial-in
           User Service) -
         • TACACS (Terminal Access Controller
           Access Control System)
         • Active Directory

Access Control Models
• Decentralized - resource owners are responsible
  for access control
   – examples:
       • domain - set of authorized accesses
         permitted within a resource area
       • trusted computer system - a system that has
         hardware and software controls that ensure
         data integrity

Access Control Models
• Decentralized (continued)
   – Domains – the access control parameters that protect an address space in which a program is operating
      • a set of objects a subject can access
      • principle of separation protects resources where resources are encapsulated in distinct address spaces
      • common subset of subjects
          – hierarchical domain relationship
          – subjects can access objects in equal or lower
          – domains of higher privilege are protected from

Access Control Models
 • Decentralized (continued)
    – Trusted Computer System – a trusted computer
      system is one that provides at least one active
      function essential to the protection of information
         • Control is based on policy - rules to
         • Mechanism - enforce policy
         • Assurance - confidence in control to
           provide function

 • Hybrid - a combination of centralized and decentralized

Access Control Systems & Methodology
DoD Influence

Orange Book
 • DoD Trusted Computer System
   Evaluation Criteria, DoD 5200.28-STD,
 • Provides the information needed to
   classify systems (A,B,C,D), defining the
   degree of trust that may be placed in
 • For stand-alone systems only
 • Windows NT has a C2 utility, it does
   many things, including disabling

Orange book levels
• A - Verified protection
     – A1 - Boeing SNS, Honeywell SCOMP
• B - MAC
     – B1/B2/B3 - MVS w/ s, ACF2 or TopSecret, Trusted IRIX
• C - DAC
     – C1/C2 - DEC VMS, NT, NetWare, Trusted Solaris
• D - Minimal security. Systems that have been evaluated, but failed - PalmOS, MS-DOS, OS/2, NT

Problems with the Orange Book
 • Based on an old model, Bell-LaPadula
 • Stand alone, no way to network systems
 • Systems take a long time (1-2 years) to
     – Any changes (hot fixes, service packs, patches) break the certification
 • Has not adapted to changes in client-server and corporate computing
 • Certification is expensive
 • Mostly not used outside of the government sector

Red Book
 • Used to extend the Orange Book to
 • Actually two works:
     – Trusted Network Interpretation of the TCSEC
     – Trusted Network Interpretation Environments
       Guideline: Guidance for Applying the Trusted
       Network Interpretation (NCSC-TG-011)

Access Control Systems & Methodology

Access Control Techniques
• Access Control Lists - a list containing users
  permitted to resources or vice versa
     – Elementary List - a short list of predefined access rights
     – Advanced List - access rights based within a registry that
       permits user-defined controls
     – Different operating systems have different ACL terms
     – Types of access (Capabilities):
        • Read/Write/Create/Execute/Modify/Delete/Rename

ACL Types
 • Menus and shells
 • Database views
 • Physically constrained user interfaces -
   restrict access by blocking direct access
   to function
 • Capability tables - access to protected
   resources granted if accessor possesses
   authentication ticket

Mainframe ACL – Sample 1
[screenshot not reproduced]

Mainframe Sample - 2
[screenshot not reproduced; column headings: ID, ACCESS, CLASS, ENTITY NAME]

Mainframe Sample # 3
XA DATASET = OPSG        OWNER(DSN)
XA DATASET = AABB.       OWNER(DSN)
XA DATASET = EEE.GGGG    OWNER(SYS)

Standard UNIX file permissions

Permission    Allowed action, if object is a file   Allowed action, if object is a directory
R (read)      Read contents of the                  List directory contents
X (execute)   Execute the file, if a program        Search the directory
W (write)     Change file contents                  Add, rename, create files & sub-directories

UNIX Sample
-rw-rw-r-- 1 user1 group1   852 Jul 17 2003 samplefile.txt
drwxrwxr-x 2 user1 group1   512 Apr 18 09:14 testdir

UNIX - recommendation
 • UNIX - Don't make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
 • Don't run insecure programs on the firewall or other trusted host
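
An added example, not from the slides, that reads the two listing lines from the UNIX Sample slide, maps each permission bit to the file-or-directory meaning given in the table above, works out which class of bits (owner, group, other) applies to a given user, and picks out the setuid/setgid bits that the recommendation above refers to. The user and group names tried in the checks are invented.

```python
"""Reading UNIX mode strings from an ls -l listing and working out what a
given user may do, per the permissions table in the slides.
Added illustration; the user/group names used in the checks are invented."""

# The two listing lines from the slide, used here as constructed input.
SAMPLE_LISTING = """\
-rw-rw-r-- 1 user1 group1   852 Jul 17 2003 samplefile.txt
drwxrwxr-x 2 user1 group1   512 Apr 18 09:14 testdir
"""

# Position of each class's rwx triple inside the 10-character mode string.
CLASS_OFFSETS = {"owner": 1, "group": 4, "other": 7}

# What each bit means, from the slide's table, for a file vs a directory.
MEANING = {
    ("file", "r"): "read contents",
    ("directory", "r"): "list directory contents",
    ("file", "w"): "change file contents",
    ("directory", "w"): "add, rename, create files & sub-directories",
    ("file", "x"): "execute, if a program",
    ("directory", "x"): "search the directory",
}


def parse_mode(mode):
    """Split a 10-character mode string into (kind, perms, special).
    perms maps owner/group/other to a frozenset of 'r', 'w', 'x'; special
    holds setuid/setgid/sticky, which ls shows as s/S or t/T in the x column."""
    if len(mode) != 10:
        raise ValueError("mode must be 10 characters: %r" % mode)
    kind = {"-": "file", "d": "directory", "l": "symlink"}.get(mode[0], "other")
    perms, special = {}, set()
    for cls, off in CLASS_OFFSETS.items():
        r, w, x = mode[off], mode[off + 1], mode[off + 2]
        bits = set()
        if r == "r":
            bits.add("r")
        if w == "w":
            bits.add("w")
        if x in "xst":          # lower-case s/t means the x bit is also set
            bits.add("x")
        if cls == "owner" and x in "sS":
            special.add("setuid")
        if cls == "group" and x in "sS":
            special.add("setgid")
        if cls == "other" and x in "tT":
            special.add("sticky")
        perms[cls] = frozenset(bits)
    return kind, perms, frozenset(special)


def parse_listing(text):
    """Parse ls -l lines: mode, links, owner, group, size, 3 date fields, name."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 8)
        kind, perms, special = parse_mode(fields[0])
        entries.append({"name": fields[8], "kind": kind, "owner": fields[2],
                        "group": fields[3], "perms": perms, "special": special})
    return entries


def applicable_class(entry, user, user_groups):
    """UNIX picks exactly one class and stops there: the owner is judged by
    the owner bits even when the group or other bits would allow more."""
    if user == entry["owner"]:
        return "owner"
    if entry["group"] in user_groups:
        return "group"
    return "other"


def allowed_actions(entry, user, user_groups):
    """Actions the user may perform on the entry, in the slide's terms."""
    cls = applicable_class(entry, user, user_groups)
    return sorted(MEANING.get((entry["kind"], b), b) for b in entry["perms"][cls])


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        for who, groups in (("user1", {"group1"}), ("bob", {"group1"}), ("mallory", set())):
            print(e["name"], who, applicable_class(e, who, groups),
                  allowed_actions(e, who, groups))
    # The recommendation: prefer setgid to a group over setuid to root.
    print("setuid binary:", parse_mode("-rwsr-xr-x")[2])
    print("setgid binary:", parse_mode("-rwxr-sr-x")[2])
```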

Windows Sample
[screenshot not reproduced]

Access Control Systems & Methodology
Administration, Auditing & Monitoring

Access Control Administration
 • Centralized - one location is responsible
   for access control
     – Advantages –
        • Strict control and uniformity of access
        • Composite access view easier
     – Disadvantages –
        • central administration can be overloaded
        • More difficult to associate entitlements
          with approvers

Access Control Administration
 • Decentralized - resource owners are
   responsible for access control
     – Advantage
        • Access is granted by person accountable
     – Disadvantages
        • Access combination conflicts,
        • Composite view of user access unavailable
        • Lack of access consistency
        • More difficult to respond to external

Auditing and Monitoring
Organizations use two basic methods to maintain operational assurance:
• System audit - is a periodic event to evaluate
• Monitoring - is an ongoing activity that checks user and systems

• Periodic access reviews – Data owners review and certify users who have access
• Automated tools - program reviews system and reports vulnerabilities
• Internal controls audit - auditor reviews and analyzes controls
• Security checklists - security plan used as a system checklist
• Penetration testing - attempt to break-in to check controls

                 Periodic Access Reviews
 • Regular review of network and
   application user accounts against active
   employee termination lists to ensure that
   only active personnel have active
 • Regular review of user entitlements by
   user managers and data/application
   owners to ensure that users only have
   access necessary to do their job

 • IDS
 • Logs
 • Audit trails
 • Network tools
     – Tivoli
     – Spectrum
     – OpenView

 Intrusion Detection (IDS)
   – Techniques which attempt to detect computer and
      network intrusion from logs or audit trails
   – Automated intrusion detection examines logs and
      compares them with expected user profile activity
   – Statistical intrusion detection – monitors behavior and
      maintains profiles, then compares logs mathematically
      against those profiles
   – Rule-based intrusion detection – rules characterize
      intrusions (e.g., generic or operating-system specific),
      then logs are compared against the rule database
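The two detection styles just listed, as an added example rather than code from the deck: `rule_based` applies one rule (repeated failures from a source followed by a success) and `statistical` builds a per-user login-hour profile and flags logins that deviate from it. The sshd-style log lines are constructed, and the year 2010 is an assumption since syslog lines carry none.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log (syslog lines carry no year; 2010 is assumed below)
LOG = """\
Mar  3 09:02:11 host1 sshd[410]: Accepted password for alice from 10.0.0.5 port 5100
Mar  4 09:15:40 host1 sshd[411]: Accepted password for alice from 10.0.0.5 port 5101
Mar  5 08:58:03 host1 sshd[412]: Accepted password for alice from 10.0.0.5 port 5102
Mar  6 03:12:09 host1 sshd[420]: Accepted password for alice from 198.51.100.7 port 6000
Mar  6 10:00:01 host1 sshd[430]: Failed password for bob from 203.0.113.9 port 7001
Mar  6 10:00:03 host1 sshd[431]: Failed password for bob from 203.0.113.9 port 7002
Mar  6 10:00:05 host1 sshd[432]: Failed password for bob from 203.0.113.9 port 7003
Mar  6 10:00:07 host1 sshd[433]: Failed password for bob from 203.0.113.9 port 7004
Mar  6 10:00:09 host1 sshd[434]: Accepted password for bob from 203.0.113.9 port 7005
"""
EVENT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) "
                   r"password for (\S+) from (\S+)")

def parse(log):
    """Yield (timestamp, result, user, source) for each login event in the log."""
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            yield (datetime.strptime("2010 " + m.group(1), "%Y %b %d %H:%M:%S"),
                   m.group(2), m.group(3), m.group(4))

def rule_based(events, threshold=3, window=60):
    """Rule: >= threshold failures for one user from one source within `window`
    seconds, then a success from the same source = likely guessed password."""
    fails, hits = defaultdict(list), []
    for ts, result, user, src in events:
        if result == "Failed":
            fails[user, src].append(ts)
        elif sum((ts - t).total_seconds() <= window for t in fails[user, src]) >= threshold:
            hits.append(f"{user} from {src}: success after {len(fails[user, src])} failures")
    return hits

def statistical(events, baseline=3, z=2.0):
    """Profile: each user's mean login hour from their first `baseline` successes;
    later successes more than `z` standard deviations away are flagged."""
    hours, hits = defaultdict(list), []
    for ts, result, user, src in events:
        if result != "Accepted":
            continue
        h = ts.hour + ts.minute / 60
        if len(hours[user]) >= baseline:  # floor the deviation so a tight profile cannot divide by ~0
            mean, sd = statistics.mean(hours[user]), max(statistics.pstdev(hours[user]), 0.25)
            if abs(h - mean) / sd > z:
                hits.append(f"{user} from {src}: login at {ts.hour:02d}h, usual {mean:.1f}h")
        hours[user].append(h)
    return hits
```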

                      Audit Trails
 An audit trail is a series of records on computer
   events occurring within a system or application
  Keystroke monitoring - a record of keystroke
   information entered by a system user
  Event-oriented - contains records on system,
   application, or user
  Benefits - individual accountability,
   reconstruction of events, intrusion detection,
   and problem analysis
  Issues - protection, periodic review, analysis of

• Review of system logs - periodic review to
  detect problems
• Automated tools - virus scanners, performance
  monitors, password crackers, etc.
• Configuration management - system changes
  are reviewed
• Electronic news - incident response and alert
  e-mail notices

            Intrusion Detection Systems
 • IDS monitors system or network for
 • IDS engine has a library and set of
   signatures that identify an attack
 • Adds defense in depth
 • Should be used in conjunction with a
   system scanner (CyberCop, ISS S3) for
   maximum security

 • Adaptive real-time anomaly detection
     – inductively generated sequential patterns
     – sequential rules describe behavior
     – time-based inductive learning approach
     – time-based induction machine (TIM)
 • TIM
     – observes temporal process
     – identifies patterns
     – set of hypotheses
     – input episodes
     – user profile

                    Penetration Testing
 • Identifies weaknesses in Internet, Intranet,
   Extranet, and RAS technologies
     – Discovery and footprint analysis
     – Exploitation
     – Physical Security Assessment
     – Social Engineering
 • Attempts to identify vulnerabilities and gain access
   to critical systems within the organization
 • Identifies and recommends corrective action for
   systemic problems
 • Assessments allow the client to demonstrate the
   need for additional security resources

Access Control Systems & Methodology

    Information System Controls

 • Banners display at login or connection
   stating that the system is for the
   exclusive use of authorized users and
   that their activity may be monitored
 • Not foolproof, but a good start, especially
   from a legal perspective
 • Make sure that the banner does not
   reveal system information, e.g., OS,
   version or hardware

               Access Control Software
 • Software that automates information
   security functions on host computers
     – Features:
        • password protection
        • log accesses
        • user access controls
        • data access controls
        • flexible administration
     – Examples: RACF, ACF2, TOP SECRET, Tivoli
       Access Manager, RSA Access Manager,
       Windows GINA/Active Directory
                    RAS access control
 • RADIUS (Remote Authentication Dial-In User Service)
 • TACACS/TACACS+ (Terminal Access Controller Access
   Control System)

     Both are defined in greater detail in the Telecom and
       Network Security Module.

 • Part of MIT’s Project Athena; currently in
   version 5
 • Kerberos is an authentication protocol
   used for network wide authentication
 • All software must be kerberized
 • Tickets, authenticators, key distribution
   center (KDC)
 • Divided into realms
 • Kerberos is the three-headed dog that
   guards the entrance to Hades (this won’t
   be on the test)
                  Kerberos roles

• KDC divided into Authentication Server &
  Ticket Granting Server (TGS)
• Authentication Server - authenticates the
  identities of entities on the network
• TGS - Generates unique session keys
  between two parties. Parties then use
  these session keys for message

                 Kerberos authentication
• User must have an account on the KDC
• KDC must be a trusted server in a secured
• KDC shares a DES key with each user
• When a user wants to access a host or
  application, they request a ticket from the KDC
• User provides the ticket and authenticator to the
  application, which checks them for validity and
  then grants access
• Requires synchronized time clocks
• Relies on UDP, which is often blocked by many
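The ticket/authenticator flow and the clock-synchronization requirement from the Kerberos slides, as an added toy model (not the deck's or MIT's code): the KDC's TGS mints a session key, seals a ticket under the service's long-term key, and the service checks ticket expiry, client name, clock skew and a replay cache before granting access. The principals, keys and the SHA-256/HMAC toy cipher are assumptions standing in for DES and the real Kerberos encryption types.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; Kerberos rejects authenticators outside the clock-skew window
# Constructed principals: the KDC shares a long-term key with each one
KEYS = {"alice": os.urandom(32), "host/fileserver": os.urandom(32)}

def _xor(key, nonce, data):  # SHA-256 counter keystream (toy cipher, not a Kerberos enctype)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt-then-MAC a JSON object
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def kdc_issue(client, service, now):  # TGS step: the ticket is readable only by the service
    sk = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"client": client, "key": sk, "expires": now + 8 * 3600})
    return ticket, seal(KEYS[client], {"key": sk})  # session-key copy readable only by the client

def authenticator(client, sk, now):  # proves possession of the session key, and freshness
    return seal(bytes.fromhex(sk), {"client": client, "time": now})

def service_accept(service, ticket, auth, now, seen):  # `seen` is the replay cache
    t = unseal(KEYS[service], ticket)
    if now > t["expires"]:
        return False
    a = unseal(bytes.fromhex(t["key"]), auth)  # fails unless auth was made with the session key
    if a["client"] != t["client"] or abs(now - a["time"]) > MAX_SKEW:
        return False  # principal mismatch, or clocks not synchronized
    if (a["client"], a["time"]) in seen:
        return False  # replayed authenticator
    seen.add((a["client"], a["time"]))
    return True

def demo(now=None):  # -> (fresh accepted, replay rejected, stale-clock rejected)
    now = now or time.time()
    ticket, for_client = kdc_issue("alice", "host/fileserver", now)
    sk = unseal(KEYS["alice"], for_client)["key"]
    seen, auth = set(), authenticator("alice", sk, now)
    return (service_accept("host/fileserver", ticket, auth, now, seen),
            service_accept("host/fileserver", ticket, auth, now + 1, seen),
            service_accept("host/fileserver", ticket, authenticator("alice", sk, now - 600), now, seen))
```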


Access Control Systems & Methodology

     Vulnerabilities & Attacks
  • Threat - an activity with the potential for
    causing harm to an information system
  • Vulnerability - a flaw or weakness that may
    allow harm to an information system
  • Impact - the harm that would be caused by an
  • Risk - a combination of the chance that a threat
    will occur and the severity of its impact
  • Exposure - a specific instance of weakness to
    losses from a threat event

  • Physical
  • Natural
      – Floods, earthquakes, terrorists, power outage
  • Hardware/Software
  • Media
      – Corrupt electronic media, stolen disk drives
  • Emanation
  • Communications
  • Human
      – Social engineering, disgruntled staff

• Passive attack - Monitor network traffic and then use the data
  obtained or perform a replay attack.
   – Hard to detect
• Active attack - Attacker is actively trying to break in.
   – Exploit system vulnerabilities
   – Spoofing
   – Crypto attacks
• Denial of service (DoS) - Not so much an attempt to gain
  access, rather to prevent system operation
   – Smurf, SYN Flood, Ping of death
   – Mail bombs

                   Methods of Attack
  • Methods to bypass access controls and
    gain unauthorized access to information
      – Brute force - persistent series of attacks,
        trying multiple approaches, in an attempt to
        break into a computer system
      – Denial of service - overloading a system
        through an online connection to force it to
      – Social Engineering - deception of system
        personnel in order to gain access
      – Spoofing - masquerading an ID or data to
        gain access to data or a system

                   Password Attacks
  • Brute force
      – l0phtcrack
  • Dictionary
      – Crack
      – John the Ripper
  • Trojan horse login program


Access Control Systems & Methodology

                          Object reuse
• Must ensure that magnetic media does not retain
  any remanence of previous data
• Also applies to buffers, cache and other memory
• Required at TCSEC B2/B3/A1 level
• Secure Deletion of Data from Magnetic and Solid-State
  Memory, Peter Gutmann
      – http://www.fish.com/security/secure_del.html
• Documents recently declassified as to how 10-pass
  writes were recovered
• Objects must be declassified
• Magnetic media must be degaussed or have secure

  • Electromagnetic emanations from
    keyboards, cables, printers, modems,
    monitors and all electronic equipment.
    With appropriate and sophisticated enough
    equipment, data can be readable at a few
    hundred yards.
  • TEMPEST certified equipment, which
    encases the hardware into a tight, metal
    construct, shields the electromagnetic

• Rooms & buildings can be TEMPEST-certified
• TEMPEST hardware is extremely expensive
  and can only be serviced by certified
• TEMPEST standards NACSEM 5100A and NACSI
  5004 are classified documents

