ISSA CISSP Preparation

					     • Domain 1: Access Control




2010 CISSP Study Group
Domain 1: Access Control

Presented By: Jeff McEwen, CISSP, Security Architect, AAA NCNU Insurance Exchange
Domain Objective
• The objective of this domain is to
  understand:
    – Access control concepts and techniques
    – Access control methodologies and
      implementation within centralized and
      decentralized environments
    – Detective and corrective access controls
    – Mechanisms for controlling system use
    – Potential risks, vulnerabilities, and exposures



Domain Summary
The information for this domain represents
  approximately 16% of the CISSP exam
  content.




Access Control Defined
• Access control is the heart of security
    – The ability to allow only authorized users, programs or
      processes system or resource access
    – The granting or denying, according to a particular
      security model, of certain permissions to access a
      resource
    – An entire set of procedures performed by hardware,
      software and administrators, to monitor access, identify
      users requesting access, record access attempts, and
      grant or deny access based on pre-established rules.
    – The collection of mechanisms for limiting, controlling,
      and monitoring system access to certain items of
      information, or to certain features based on a user’s
      identity and their membership in various predefined
      groups.

Key Access Control Terms
• Identification – the subject claims an identity (a user ID,
  a badge number); the claim is not yet proven. Identification
  is what makes accountability and traceability possible,
  since every later action is tied to the identity that was
  claimed and then authenticated
• Authentication – verifies user is who user
  claims; process through which one proves and
  verifies certain information.
• Authorization – actions the user is allowed to
  perform
• Accountability – tracks user actions and when
  they were done
• Approval – Authorizations were appropriately
  granted by the data owner


Access Control Concepts
• Security Policy - a high-level overall plan
  embracing general goals and acceptable
  actions for each system
• Accountability - systems that process
  sensitive information must assure
  individual accountability
• Assurance - the degree of confidence that a
  system correctly implements and enforces its
  security policy


Access Control Systems & Methodology: Why Control Access

Access Control Purposes
• Confidentiality - information is not disclosed to
  unauthorized individuals or processes
    – protects against hackers, unprotected
      communications, unauthorized users
• Integrity - information retains its original level of
  accuracy
    – protects against unauthorized data modifications,
      system changes, or program changes
• Availability - reliable, timely access to data
    – protects against denial of service (e.g. ping floods,
      e-mail flooding)



What does AC hope to protect?
• Data - Unauthorized viewing, modification
  or copying
• System - Unauthorized use, modification
  or denial of service
• Nearly every network operating system (NT, Unix,
  Vines, NetWare) assumes a secure physical
  infrastructure: its logical access controls can be
  bypassed by anyone with physical access to the
  hardware (booting from other media, removing the disk)



Information Value

 • Information is assumed to have a value
   that can be measured by quantity or
   quality
 • The major reason to value information is
   the cost to develop and the value to its
   owners
 • Valuation techniques - Use of policy or
   regulation, checklist, questionnaire,
   consensus, accounting data, statistical
   analysis

File and Data Ownership
• A prerequisite to development of effective
  access controls is the establishment of Data
  Ownership. The Data Owner is required to:
   – Identify sensitivity of information
   – Determine security requirements
   – Ensure security requirements meet goals
   – Authorize access
   – Develop contingency plans




Access Control Systems & Methodology: How do we control access?

Control Types

 • Preventive - stop an act before it occurs
   (e.g. a locked door, an ACL)
 • Detective - identify an act that has occurred
   (e.g. audit logs, intrusion detection)
 • Corrective - remedy an act that has occurred
   (e.g. restoring a changed file)
 • Deterrent - discourage an act from occurring
   (e.g. a warning banner)
 • Recovery - restore a resource after an act
   that has occurred (e.g. backups)

Lines of Defense
 Security mechanisms for limiting and controlling
   access to resources by layering protection
 • Categories - usually 3 lines with action priorities based on
   increased control with each succeeding layer
    – First Line - policies, firewalls, passwords, separation of
       duties, training, quality assurance, fault tolerance, etc.
    – Second Line - audit trails, monitoring, penetration
       testing
    – Third Line - insurance, bonding, backups, contingency
       plans




Access Control Types

• Management - policies, procedures, and
  accountability designed to control system
  use
• Technical - hardware and software
  controls used to automate protection of
  the system
• Operational - personnel procedures used
  to protect the system



Proactive access control
•    Awareness training
•    Background checks
•    Separation of duties
•    Split knowledge
•    Policies
•    Data classification
•    Effective user registration
•    Termination procedures
•    Change control procedures

Physical access control
•    Guards
•    Locks
•    Mantraps
•    ID badges
•    CCTV, sensors, alarms
•    Biometrics
•    Fences - height, not voltage, sets what they deter: a
     3-4 ft fence stops casual trespassers, 6-7 ft is hard
     to climb, 8 ft topped with barbed wire deters
     determined intruders
•    Card-key and tokens
•    Guard dogs

How can AC be implemented?

 • Hardware
 • Software
    – Application
    – Protocol (Kerberos, IPSec)
 • Physical
 • Logical (policies)




Access Control & privacy issues
 • Expectation of privacy
 • Policies
 • Monitoring activity, Internet usage, e-
   mail
 • Login banners should detail expectations
   of privacy and state levels of monitoring




Access Control Systems & Methodology: User Authentication

Identification

 • Types of ID
     –   User IDs
     –   Names
     –   Pins – (also used for authentication)
     –   Badges
     –   Biometrics – (also used for authentication)




User Authentication

• User Identification - provides identity to
  system
     –   authentication data verifies individual
     –   activities traced to an individual
     –   responsible for actions
     –   use of a label to ID user
• User Label Characteristics
     – unique
     – non-descriptive of function, area, or company


User Authentication
 • System Implementation
     – Administration - create, distribute, and store
       authentication data (passwords)
     – Maintaining authentication - log out user or lock
       system during inactivity
     – Single log-in - a group of systems on one OS platform
       that allow the user to authenticate once
         • Host-to-host authentication - host passes on logon
           data
         • Authentication servers - user logs on to a special
           network server
         • User-to-host authentication - user logs on and
           receives token for logons to other systems


Authentication
Three factors of authentication:
    Something you know - password, PIN, mother's
     maiden name, passcode, fraternity chant
    Something you have - ATM card, smart card,
     token, key, ID badge, driver license, passport
    Something you are - fingerprint, voice scan, iris
     scan, retina scan, body odor, DNA




Password
 • Most common type of authentication in use
 • something a user knows
 • a secret string of characters the user supplies to
   prove the claimed identity (the user ID identifies,
   the password authenticates)
 • Types
     – One-time passwords - system generated and
       changed after every use
     – Passphrase – a sequence of characters that is
       longer than a regular password and is
       transformed into a virtual password

Password Issues
 • Selection
     – Source – can be assigned or user selected, system
       generated, token generated, or a system default
     – Composition – can be words, characters, or a phrase
     – Types – can be system or resource specific
 • Management
     – Distribution – who generates the password and how it
       reaches the user
        • owner generated – chosen by the user (owner)
        • system generated – issued to the owner by the system
        • administrator generated – issued to the owner (and
          set on the system) by the system administrator


Password Issues
 • Management (continued)
     – Initial passwords
         • New users
         • One-time passwords
         • Force user change
     – User notification on successful login – date & time of
       last logon and location
     – Suspend ID after number of unsuccessful logon
       attempts
     – Audit trail of logons – successful login, unsuccessful
       attempts, along with date/time/ID/origin
     – Control maximum logon attempt rate


Password Issues
 • Control
      – Password lifetime – maximum age: how long a password
        may be used before it must be changed
     – Users change own password
     – Audit trail of password changes
     – Risk if compromised
        • Distribution risk
        • Probability of guessing
        • Electronic monitoring
        • Vulnerable to cracking

Password Issues
 • Control (continued)
     – Password security
        • Number of characters
        • Minimum length
        • Number of invalid attempts
     – Compromises – severity of measures vs. user
       acceptance
     – Forgotten passwords – issue expired
       passwords, user changes immediately
     – User ID by phone – validate user identity, call
       back user at office phone with new password
Problems with passwords
(what a person knows)
 • Insecure
     – Given the choice, people will choose easily
       remembered and hence easily guessed passwords
       such as names of relatives, pets, phone numbers,
       birthdays, hobbies, etc.
 • Easily broken
     – Tools such as Crack, SmartPass, NTCrack and L0phtCrack
       recover Unix, NetWare and NT passwords by guessing: they
       hash dictionary words and brute-force candidates and
       compare the results with the stored hashes (PWDUMP
       extracts the NT hashes first). Nothing is decrypted;
       weak passwords are simply found quickly.
     – Dictionary attacks are only feasible because users
       choose easily guessed passwords!
 • Inconvenient
     – In an attempt to improve security, organizations often
       issue users with computer-generated passwords that
       are difficult,
       if not impossible to remember

Classic password rules
(what a person knows)
 • The best passwords
     – Easy to remember
     – Hard to crack using a dictionary attack.
     – The classic recipe for a password that is both easy to
       remember and hard to dictionary-attack is two short,
       unrelated words or phonemes joined by a digit or special
       character, e.g. hex7goop or -typetin. Note that
       8-character passwords of this kind are now within reach
       of offline brute force against a captured hash, so treat
       this as the minimum and prefer longer passphrases.
 • Don’t use:
     –   common names, DOB, spouse, phone #, etc.
     –   word found in dictionaries
     –   password as a password
     –   systems defaults
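The rules on this slide, turned into a checker as an added example (this is not code from the presentation). The dictionary, the vendor-default list and the user profile it checks against are constructed stand-ins; a real deployment would load a full word list and the site's own default-password list:

```python
"""Classic password-rule checker (added example; not from the presentation).

Applies the rules on the slide: reject a bare dictionary word, a dictionary
word with digits or symbols bolted on (the first thing a cracker's mangling
rules try), the literal "password" and vendor defaults, and personal data such
as names, birth dates and phone numbers; require a digit or special character.
The word list, default list and user profile are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed stand-ins for a full dictionary and a vendor-default list.
DICTIONARY = {"hex", "goop", "type", "tin", "secret", "welcome", "summer",
              "dragon", "letmein", "password", "monkey", "public"}
SYSTEM_DEFAULTS = {"password", "changeme", "admin", "default", "guest"}


@dataclass
class UserProfile:
    """Facts about the user that an attacker could guess (all constructed)."""
    username: str
    full_name: str
    spouse: str = ""
    birth_date: str = ""      # e.g. "1975-03-14"
    phone: str = ""           # e.g. "415-555-0142"
    extra_words: List[str] = field(default_factory=list)


def _personal_tokens(user: UserProfile) -> set:
    """Fragments of the profile that must not appear in the password."""
    tokens = {user.username, user.spouse, *user.extra_words, *user.full_name.split()}
    digits = re.sub(r"\D", "", user.birth_date + user.phone)
    # Any run of four digits from the birth date or phone number is a giveaway.
    for i in range(len(digits) - 3):
        tokens.add(digits[i:i + 4])
    return {t.lower() for t in tokens if t}


def check_password(candidate: str, user: UserProfile, min_length: int = 8) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in SYSTEM_DEFAULTS:
        problems.append("is a system default password")
    if lowered in DICTIONARY:
        problems.append("is a single dictionary word")
    elif letters_only in DICTIONARY:
        problems.append("is a dictionary word with digits or symbols bolted on")
    for token in sorted(_personal_tokens(user)):
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal data '{token}'")
    if not re.search(r"[\d\W_]", candidate):
        problems.append("has no digit or special character")
    return problems


# Constructed user for the usage below.
SAMPLE_USER = UserProfile("jpublic", "John Q Public", spouse="Jane",
                          birth_date="1975-03-14", phone="415-555-0142")

if __name__ == "__main__":
    for pw in ("hex7goop", "-typetin", "password", "Jane1975", "Secret99"):
        print(f"{pw:10s} -> {check_password(pw, SAMPLE_USER) or 'OK'}")
```

The two slide examples pass; "Secret99" fails because stripping the digits leaves a dictionary word, which is exactly the transformation cracking tools apply. Raise `min_length` for anything protecting a hash an attacker could capture.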


Password management
(what a person knows)
 • Configure systems to require strong passwords
 • Set password age and length limits
 • Limit unsuccessful logins (lock the ID)
 • Limit concurrent connections
 • Enable auditing of logons and password changes
 • Have policies for password resets and changes
 • Show last login date, time and origin in the logon
   banner so users can spot misuse
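The lockout, rate-limit, audit-trail and last-logon controls from the two preceding slides, implemented together as an added example (not code from the presentation). The account store, the password and the stream of logon attempts are constructed; the hashing uses the standard library's PBKDF2 rather than anything the slides specify:

```python
"""Logon controls from the slide (added example; not from the presentation):
suspend an ID after N consecutive failures, cap the attempt rate per ID, keep
an audit trail of every attempt, and report the previous successful logon
(time and origin) so the user can spot misuse. Accounts, passwords and the
attempt stream are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILURES = 3    # suspend the ID after this many consecutive failures
RATE_LIMIT = 5      # at most this many attempts per ID ...
RATE_WINDOW = 60    # ... within this many seconds


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: what is stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    suspended: bool = False
    last_logon: Optional[Tuple[float, str]] = None   # (time, origin)
    recent: deque = field(default_factory=deque)     # attempt times in window


def make_account(user_id: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(password, salt))


class LoginService:
    def __init__(self, accounts: List[Account]):
        self.accounts = {a.user_id: a for a in accounts}
        self.audit: List[tuple] = []    # (time, user_id, origin, outcome)

    def _record(self, now, user_id, origin, outcome, previous=None) -> dict:
        self.audit.append((now, user_id, origin, outcome))
        return {"outcome": outcome, "previous_logon": previous}

    def attempt(self, user_id: str, password: str, origin: str, now: float) -> dict:
        acct = self.accounts.get(user_id)
        if acct is None:
            # Same outcome as a wrong password, so valid IDs cannot be enumerated.
            return self._record(now, user_id, origin, "FAIL")
        while acct.recent and now - acct.recent[0] >= RATE_WINDOW:
            acct.recent.popleft()
        if len(acct.recent) >= RATE_LIMIT:
            return self._record(now, user_id, origin, "RATE_LIMITED")
        acct.recent.append(now)
        if acct.suspended:
            return self._record(now, user_id, origin, "SUSPENDED")
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            previous, acct.last_logon = acct.last_logon, (now, origin)
            acct.failures = 0
            return self._record(now, user_id, origin, "SUCCESS", previous)
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.suspended = True
            return self._record(now, user_id, origin, "FAIL_SUSPENDED")
        return self._record(now, user_id, origin, "FAIL")

    def unlock(self, user_id: str) -> None:
        """Administrator action, taken only after the caller's identity is re-verified."""
        acct = self.accounts[user_id]
        acct.suspended, acct.failures = False, 0


def demo_scenario() -> List[str]:
    """Constructed stream: three guesses, lockout, rate limiting, an admin
    unlock, two real logons (the second sees the first in its banner), and a
    probe of a non-existent ID."""
    svc = LoginService([make_account("user1", "hex7goop")])
    steps = [("user1", "guess1", "10.0.0.5", 0), ("user1", "guess2", "10.0.0.5", 1),
             ("user1", "guess3", "10.0.0.5", 2), ("user1", "hex7goop", "10.0.0.5", 3),
             ("user1", "hex7goop", "10.0.0.5", 4), ("user1", "hex7goop", "10.0.0.5", 5)]
    outcomes = [svc.attempt(*s)["outcome"] for s in steps]
    svc.unlock("user1")
    outcomes.append(svc.attempt("user1", "hex7goop", "10.0.0.5", 70)["outcome"])
    second = svc.attempt("user1", "hex7goop", "10.0.0.9", 71)
    outcomes.append(f"{second['outcome']} (last logon {second['previous_logon']})")
    outcomes.append(svc.attempt("nobody", "x", "10.0.0.9", 72)["outcome"])
    return outcomes


if __name__ == "__main__":
    print("\n".join(demo_scenario()))
```

Note that the correct password is rejected while the ID is suspended and the rate limit is counted before the password is checked, so an attacker gets no signal from either; the audit list is what an analyst would review to spot the burst of failures.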


Access Control Techniques
 • Tokens - access information stored in a portable
   device
     – Memory token - store but do not process data
     – Smart token - store and process data
     – Limitations - lost or stolen with PIN allows for
       masquerading, battery failure or device malfunction
     – Benefits
         • not vulnerable to password guessing or hash
           cracking: the code changes with every use
         • 2-factor authentication - something you have (the
           token) plus something you know (the PIN), often as
           challenge/response
     – Examples - SecurID, PIN pad, ATM card




Tokens
(what a person has)

•    Used to generate one-time passwords
•    Asynchronous token device – challenge/response: the
     system issues a challenge, the token computes the reply
•    Synchronous token device (e.g. SecurID) – time- or
     counter-based code that the server recomputes
•    Physical card
•    S/Key – one-time passwords derived from a hash chain
•    Smart card – contact & contactless
•    Access token




Access Control Techniques
 • Biometrics - something a person is
     – The factor of the three that cannot be lost, lent
       or forgotten:
        • knows - e.g. password
        • has - e.g. access card
        • is - e.g. fingerprint
     – Caveat: a biometric is not secret (fingerprints are
       left everywhere) and cannot be changed once its
       template is compromised, so the sensor and the
       template store need protecting
     – Examples - fingerprint, hand geometry, voice
       verification
     – Constraints – cost of equipment, access time,
       false readings


Biometrics
(what a person is)
• Authenticating a user via human
  characteristics
     – Accuracy
        • False Reject Rate (FRR) – type I error: a legitimate
          user is turned away
        • False Accept Rate (FAR) – type II error: an impostor
          is let in
        • Cross-Over Error Rate (CER) – the point where FRR = FAR
          as the decision threshold is tuned; the lower the CER,
          the more accurate the system. Raising the threshold
          trades FAR for FRR.
• Behavioral – keystroke, signature pattern,
  signature dynamics
• Physical characteristics of a person to prove
  their identification
     – Fingerprint, Iris, retina, voice, face
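How FRR, FAR and the cross-over point are actually obtained from a matcher's scores, as an added example (not from the presentation). The genuine and impostor score lists are constructed; a real evaluation would use the matcher's own score distributions:

```python
"""Biometric error rates (added example; not from the presentation).

Sweeps the matcher's decision threshold over constructed similarity scores and
reports the False Reject Rate (type I), the False Accept Rate (type II) and
the threshold where the two cross, i.e. the Cross-Over Error Rate. The score
lists are constructed; a real evaluation uses the matcher's own distributions.
"""
from typing import Sequence, Tuple

# Constructed similarity scores on a 0-100 scale. Genuine: the enrolled person
# presenting to their own template. Impostor: someone else presenting to it.
GENUINE = [88, 91, 79, 95, 84, 72, 90, 86, 68, 93, 81, 77, 89, 92, 75]
IMPOSTOR = [21, 35, 48, 30, 55, 62, 27, 41, 70, 33, 58, 25, 44, 66, 38]


def frr(threshold: float, genuine: Sequence[float] = GENUINE) -> float:
    """Type I error: genuine users rejected because they scored below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor: Sequence[float] = IMPOSTOR) -> float:
    """Type II error: impostors accepted because they scored at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR,
              thresholds=range(0, 101)) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (CER)."""
    best = min(thresholds, key=lambda t: (abs(far(t, impostor) - frr(t, genuine)), t))
    return best, (far(best, impostor) + frr(best, genuine)) / 2


def operating_point(max_far: float, genuine=GENUINE, impostor=IMPOSTOR,
                    thresholds=range(0, 101)) -> Tuple[int, float]:
    """Lowest threshold meeting a FAR ceiling, and the FRR users will pay for it."""
    for t in thresholds:
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    raise ValueError("no threshold meets the FAR ceiling")


if __name__ == "__main__":
    for t in (40, 60, 70, 80):
        print(f"threshold {t}: FRR={frr(t):.3f} FAR={far(t):.3f}")
    t, cer = crossover()
    print(f"CER {cer:.3f} at threshold {t}")
    t, r = operating_point(0.0)
    print(f"zero FAR needs threshold {t}, costing FRR {r:.3f}")
```

`operating_point` is the tuning decision the slide alludes to: a door to a server room would take the zero-FAR threshold and accept the resulting rejections, a time clock would sit nearer the CER.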

Advantages of biometrics
(what a person is)
 • Can’t be loaned like a physical key or
   token and can’t be forgotten like a
   password
 • Good compromise between ease of use,
   template size, cost and accuracy
 • Fingerprint contains enough inherent
   variability to enable unique identification
   even in very large (millions of records)
   databases
 • Makes network login & authentication
   effortless

Biometric Disadvantages
(what a person is)

 • Processing speed and throughput
 • Cost - still relatively expensive per user
 • Accuracy - subject to environmental changes
 • User acceptability - some hesitancy among users




Biometric privacy issues
(what a person is)
    Tracking and surveillance - Ultimately, the ability
     to track a person's movement from hour to hour
    Anonymity - Biometric links to databases could
     dissolve much of our anonymity when we travel
     and access services
    Profiling - Compilation of transaction data about
     a particular person that creates a picture of that
     person's travels, preferences, affiliations or
     beliefs




Multi-factor authentication
 • 2-factor authentication - to increase the level of
   security, many systems require two of the three
   factors (two secrets, e.g. password + PIN, are still
   one factor):
     – ATM card + PIN
     – Credit card + signature
     – PIN + fingerprint
 • 3-factor authentication - for highest security:
     – Password + SecurID token + Fingerprint




Single Sign-on
User authenticates only once to a network system
  to be allowed on all systems in an enterprise
• Benefits
     –   More efficient user logon process
      –   Stronger passwords can be required, since the user
          has only one to remember
     –   Inactivity thresholds applied uniformly
     –   Effective for disabling terminated accounts




Single sign-on
(Reduced Sign-on)
• User has one password for all enterprise systems and
  applications - that way, one strong password can be
  remembered and used
• All of a user's accounts can be quickly created on
  hire and deleted on dismissal
• Hard to implement and get working
• Kerberos, SPNEGO, X.509, SESAME (Secure European System
  for Applications in a Multi-vendor Environment), SAML,
  WS-Federation
• CA-eTrust, RSA Access Manager, IBM Tivoli Access
  Manager


Single Sign-on
 • Methodologies
     – Network session managers
        • Provides multiple sessions limited to one
          computing platform
        • Synchronization problems
     – Security server
        • SESAME – Secure European System for
          Applications in a Multivendor Environment
            – Provides distributed access control using
              symmetric and asymmetric cryptography
            – Project of ECMA
            – Provides global access identity – targets end
              system and provides mapping to local access

Single Sign-on
     – Security server (Cont’d)
         • Kerberos – from MIT Project Athena
             –   Authentication with symmetric-key encryption and tickets
             –   Key Distribution Center (KDC) – holds the database of
                 principals and their secret keys and issues tickets
             –   Ticket – sealed under the target service's key; names the
                 client and carries a session key and an expiry
             –   Authenticator – the client's name and a timestamp sealed
                 under the session key; proves the client holds the key
                 and lets the service reject replays
             –   Windows/Active Directory uses Kerberos today
     – Credential caching
        • Scripting
            – Macro language
            – Replay user keystrokes
            – Scans for message strings
     – ID Federation
        • Liberty Alliance, SAML
        • WS Federation
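The Kerberos ticket and authenticator exchange described on the previous slide, as an added example. This is not the presentation's code nor MIT's implementation: the TGT/TGS two-step is collapsed into one request to the KDC, the "cipher" is a toy SHA-256 keystream with an HMAC tag standing in for the AES encryption types real Kerberos uses, and every principal name and key is constructed:

```python
"""Kerberos-style ticket exchange (added example; not from the presentation
and not MIT's implementation). The KDC holds every principal's secret key,
hands the client a session key plus a ticket sealed under the service's key,
and the client proves it holds the session key with an authenticator: its
name and a timestamp. Toy cipher, one-step exchange, constructed keys.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

SKEW = 300            # seconds of clock skew tolerated on an authenticator
LIFETIME = 8 * 3600   # ticket lifetime in seconds


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce | ciphertext | HMAC tag."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    def __init__(self, principals: Dict[str, bytes]):
        self.keys = principals   # the database of principals and their secret keys

    def request(self, client: str, service: str, now: int) -> Tuple[bytes, bytes]:
        """Return (credentials sealed for the client, ticket sealed for the service)."""
        session, expires = os.urandom(32).hex(), now + LIFETIME
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": expires})
        creds = seal(self.keys[client], {"service": service, "session": session, "expires": expires})
        return creds, ticket


class Client:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def logon(self, kdc: KDC, service: str, now: int) -> None:
        creds, self.ticket = kdc.request(self.name, service, now)
        # Only the holder of the client's key can recover the session key.
        self.session = bytes.fromhex(unseal(self.key, creds)["session"])

    def authenticator(self, now: int) -> Tuple[bytes, bytes]:
        return self.ticket, seal(self.session, {"client": self.name, "time": now})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()   # seen: replay cache

    def accept(self, ticket: bytes, auth: bytes, now: int) -> Tuple[bool, str]:
        try:
            t = unseal(self.key, ticket)
        except ValueError:
            return False, "ticket not issued for this service"
        if now > t["expires"]:
            return False, "ticket expired"
        try:
            a = unseal(bytes.fromhex(t["session"]), auth)
        except ValueError:
            return False, "authenticator not sealed with the session key"
        if a["client"] != t["client"]:
            return False, "authenticator and ticket name different clients"
        if abs(now - a["time"]) > SKEW:
            return False, "authenticator too old"
        if (a["client"], a["time"]) in self.seen:
            return False, "replayed authenticator"
        self.seen.add((a["client"], a["time"]))
        return True, t["client"]


def demo() -> List[Tuple[bool, str]]:
    """Constructed run: a good logon, a replay of the same authenticator, a
    stale one, a forgery by a principal who never saw the session key, and an
    expired ticket."""
    keys = {n: os.urandom(32) for n in ("alice", "mallory", "fileserver")}
    kdc, fs = KDC(keys), Service("fileserver", keys["fileserver"])
    alice = Client("alice", keys["alice"])
    alice.logon(kdc, "fileserver", now=1000)
    ticket, auth = alice.authenticator(now=1000)
    late = 1000 + LIFETIME + 1
    return [fs.accept(ticket, auth, now=1010),
            fs.accept(ticket, auth, now=1020),
            fs.accept(ticket, auth, now=2000),
            fs.accept(ticket, seal(keys["mallory"], {"client": "alice", "time": 1010}), now=1010),
            fs.accept(*alice.authenticator(now=late), now=late)]
```

The service never talks to the KDC: everything it needs is inside the ticket, which is why the ticket must be sealed under the service's own key, and the authenticator's timestamp plus the replay cache are what stop a captured ticket/authenticator pair from being reused.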

Access Control Systems & Methodology: Authorization

Access Control Structure

• Subject - an active user or process that requests
  access to a resource

• Object - a resource that contains information

• Domain - a set of objects that the subject can
  access

• Groups - subjects and objects grouped together
  based on shared characteristics



Access Control Criteria

• Identity - a unique way to identify an individual
  or program in a system
• Roles - a job function with the set of privileges
  needed to perform it; users are granted the role,
  not the individual privileges
• Location - physical or logical place of user
• Time - day/time parameters used to control
  resource use
• Transaction - program checks that can be
  performed to protect information




Access Control Techniques
 • Content dependent - access based on content of
     record
      – provides more access control granularity
      – access request is in form of question
      – arbiter program controls access
 • Temporal isolation - access based on user work
     schedule
      – used for multilevel security
      – each time slot a different access level
      – used for rotating shifts, weekend operations, etc.
 • Least privilege rule (need-to-know) - default deny:
     all data access is refused unless explicitly granted


Principles of Access Control

Rule of least privilege
• One of the most fundamental principles of infosec
• States that: Any object (user, administrator, program, system)
     should have only the least privileges the object needs to
     perform its assigned task, and no more.
• An AC system that grants users only those rights necessary
  for them to perform their work
• Limits exposure to attacks and the damage an attack can
  cause
• Physical security example: car valet key vs. regular key

Separation of Duties
      – Limits users access based on duty position
      – Split responsibility requires collusion to create harm


Implementing least privilege

 • Ensure that only a minimal set of users have
   root/administrator/sysadmin access
 • There are commercial tools available to support
   shared root access without shared root
   password
 • Ensure that software deployed doesn’t demand
   greater access than really needed.
 • Implement via explicit group membership, not
   nested or via shared passwords.



Access Control Systems & Methodology: Formal Models

Varied types of Access Control
 • Discretionary (DAC) vs Mandatory (MAC)
 • Centralized vs Decentralized
  • Formal models (detail in the Security Architecture
    module):
      –   Bell-LaPadula (confidentiality: no read up, no write down)
      –   Biba (integrity: no read down, no write up)
      –   Clark-Wilson (integrity via well-formed transactions
          and separation of duties)
      –   Take-Grant (how rights can be passed between subjects)



Access Control Models
• Discretionary - the resource owner determines what access and
  privileges a user should have
      – Identity-based - access based on user and resource identity
      – User-directed – the user (owner) grants access, within restrictions
      – Hybrid - identity-based and user-directed controls combined
• Mandatory – the system determines access by comparing labels
      –   Object label contains the object's classification
      –   Subject label contains the subject's clearance
      –   Rule-based - access granted according to system-wide rules
      –   Administratively directed - labels are set by the
          administrator, not the owner




Access Control Models
 • Non-Discretionary - resource access is granted based
   on policies and control objectives
    – Role-based - access is based on user’s responsibilities.
    – Task-based - access is based on user’s job duties
    – Lattice-based
         • Complex decisions with multiple objects
           and subjects.
         • Mathematical structure that defines
           greatest lower-bound and least upper-
           bound values for a pair of elements



Competing definition
• Wikipedia defines these three types:
     – DAC (Discretionary Access Control)
     – MAC (Mandatory Access Control)
        • Rule based or Lattice based
        • Controls read and write permissions based on a
          user's clearance level and object confidentiality
          labels
     – RBAC (Role Based Access Control)
        • Controls collections of permissions that may
          include complex operations such as an e-
          commerce transaction
• MAC and RBAC are both defined as Non-
  Discretionary
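Role-based access control as described on the two preceding slides, with the separation-of-duties rule from the Principles of Access Control slide enforced at role assignment, as an added example (not code from the presentation). The roles, permissions and users form a constructed accounts-payable policy:

```python
"""Role-based access control with separation of duties (added example; not
from the presentation). Permissions attach to roles, users are assigned
roles, and a static separation-of-duties rule refuses to give one user two
mutually exclusive roles, so the harm the slide describes would need two
people to collude. The roles, permissions and users are constructed.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (operation, object), e.g. ("approve", "invoice")


class SeparationOfDutiesViolation(Exception):
    pass


class RBAC:
    def __init__(self):
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.exclusive: Set[frozenset] = set()   # role pairs no one user may hold

    def add_role(self, role: str, *perms: Permission) -> None:
        self.role_perms[role] = set(perms)

    def exclude(self, role_a: str, role_b: str) -> None:
        """Static separation of duties: nobody may hold both roles."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise SeparationOfDutiesViolation(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def try_assign(self, user: str, role: str) -> bool:
        """Assign if policy allows; False when separation of duties blocks it."""
        try:
            self.assign(user, role)
            return True
        except SeparationOfDutiesViolation:
            return False

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user: str) -> Set[Permission]:
        """Union of the permissions of every role the user holds."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def permitted(self, user: str, op: str, obj: str) -> bool:
        # Default deny: no role, no permission.
        return (op, obj) in self.permissions(user)


def accounts_payable() -> RBAC:
    """Constructed policy: clerks raise invoices, approvers approve them,
    treasurers pay them; nobody may both raise and approve."""
    ac = RBAC()
    ac.add_role("clerk", ("create", "invoice"), ("read", "invoice"))
    ac.add_role("approver", ("read", "invoice"), ("approve", "invoice"))
    ac.add_role("treasurer", ("read", "invoice"), ("pay", "invoice"))
    ac.exclude("clerk", "approver")
    ac.assign("bob", "clerk")
    ac.assign("alice", "approver")
    ac.assign("alice", "treasurer")
    return ac


if __name__ == "__main__":
    ac = accounts_payable()
    print("bob may approve:", ac.permitted("bob", "approve", "invoice"))
    print("bob made approver:", ac.try_assign("bob", "approver"))
```

Access decisions never mention a user's identity, only the roles held, which is what makes on-boarding and termination a matter of changing role membership rather than hunting down individual grants.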



Discretionary Access Control
 • Access is restricted based on the authorization
   granted to the user
 • Orange book C-level
 • Prime use to separate and protect users from
   unauthorized data
 • Used by Unix, NT, NetWare, Linux, Vines, etc.
 • Relies on the object owner to control access




Mandatory Access Control
• Assigns sensitivity levels, AKA labels
• Every object is given a sensitivity label & is
  accessible only to users who are cleared up to that
  particular level.
• Only administrators, not object owners, may change an
  object's label
• Generally stronger than DAC: an owner (or a Trojan
  running as the owner) cannot give the data away
• Orange book B-level
• Used in systems where security is critical, i.e.,
  military
• Hard to program for and configure & implement


Mandatory Access Control
(Continued)
 • Performance cost from label checks on every access
 • Relies on the system, not the owner, to control access
 • Example: if a file is labeled Confidential, a subject
   cleared for Secret or Top Secret may read it but may not
   write to it (the "no write down" or *-property), so
   higher-classified information cannot leak into it
 • All output (print jobs, floppies, other removable
   media) must be labeled with its sensitivity level
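The label comparison behind this example and behind the lattice-based model on the Access Control Models slide (least upper bound, greatest lower bound), as an added example that is not code from the presentation. A label is a level plus a set of compartments; Bell-LaPadula and Biba are both expressed as dominance checks over that lattice. The levels and compartments are constructed:

```python
"""Lattice-based mandatory access control with the Bell-LaPadula and Biba rules
(added example; not from the presentation). A label is a classification level
plus a set of compartments; labels form a lattice under dominance, with least
upper bound and greatest lower bound as the slide defines them. Bell-LaPadula
(confidentiality) allows a read only when the subject dominates the object and
a write only when the object dominates the subject; Biba (integrity) reverses
both. Levels and compartments are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def lub(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label that dominates both."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments | other.compartments)

    def glb(self, other: "Label") -> "Label":
        """Greatest lower bound: the highest label both dominate."""
        level = min(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments & other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (a Secret subject may not write a Confidential file)."""
    return obj.dominates(subject)


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down (don't trust lower-integrity data)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property: no write up (don't contaminate higher-integrity data)."""
    return subject.dominates(obj)


def decide(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula decision for mode 'r', 'w' or 'rw'."""
    checks = {"r": blp_can_read(subject, obj), "w": blp_can_write(subject, obj)}
    return all(checks[m] for m in mode)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    memo = Label("CONFIDENTIAL")
    print("read:", blp_can_read(analyst, memo), "write:", blp_can_write(analyst, memo))
```

Note what the *-property does not stop: an Unclassified subject may write (blind) into a Secret file, because that moves information up, not down. Integrity of that file is Biba's concern, which is why real systems pair the two or restrict writes to equal labels.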




Problems with formal models
•    Based on a static infrastructure
•    Defined and succinct policies
•    These do not work in corporate systems
     which are extremely dynamic and
     constantly changing
•    None of the previous models deals with:
     – Viruses / active content
     – Trojan horses
     – firewalls
• Limited documentation on how to build
  these systems
Access Control Models
 • Centralized - one location is responsible for access control
    – advantage - strict control and uniformity of access
    – disadvantage - central administration can be
      overloaded
    – examples:
          • RADIUS (Remote Authentication Dial-In
            User Service)
         • TACACS (Terminal Access Controller
           Access Control System)
         • Active Directory



Access Control Models
• Decentralized - resource owners are responsible
  for access control
   – examples:
       • domain - set of authorized accesses
         permitted within a resource area
       • trusted computer system - a system that has
         hardware and software controls that ensure
         data integrity




Access Control Models
 • Decentralized (continued)
       Domains – the access control parameters that protect an
        address space in which a program is operating
          • a set of objects a subject can access
          • principle of separation protects resources where
            resources are encapsulated in distinct address spaces
          • common subset of subjects
               – hierarchical domain relationship
               – subjects can access objects in equal or lower
                 domains
               – domains of higher privilege are protected from
                 lower




Access Control Models
 • Decentralized (continued)
    – Trusted Computer System – a trusted computer
      system is one that provides at least one active
      function essential to the protection of information
         • Control is based on policy - rules to
           enforce
         • Mechanism - enforce policy
         • Assurance - confidence in control to
           provide function

 • Hybrid - a combination of centralized and decentralized
   administration


Access Control Systems & Methodology: DOD Influence

Orange Book
  • DoD Trusted Computer System Evaluation Criteria
    (TCSEC), first published in 1983 and reissued as
    DoD 5200.28-STD in 1985
  • Provides the criteria for rating systems into
    divisions (A, B, C, D), defining the degree of
    trust that may be placed in them
  • Written for stand-alone systems only
  • Windows NT ships a C2 configuration utility that
    applies the evaluated configuration; among other
    things it can disable networking, which lay
    outside that configuration

Orange book levels
• A - Verified protection
     – A1 - Boeing SNS, Honeywell SCOMP
• B - Mandatory (labeled) protection
     – B1/B2/B3 - MVS with an external security manager
       (ACF2 or Top Secret), Trusted IRIX
• C - Discretionary protection
     – C1/C2 - DEC VMS, NT, NetWare, Solaris (Trusted
       Solaris, which adds labels, targets the B division)
• D - Minimal protection. Systems that were evaluated but
  failed to meet a higher class - PalmOS, MS-DOS, OS/2, and
  NT outside its evaluated C2 configuration




Problems with the Orange Book
 • Based on an old model, Bell-LaPadula
 • Stand alone, no way to network systems
 • Systems take a long time (1-2 years) to
   certify
     – Any changes (hot fixes, service packs,
       patches) break the certification
 • Has not adapted to changes in client-
   server and corporate computing
 • Certification is expensive
 • Mostly not used outside of the
   government sector
Red Book
 • Used to extend the Orange Book to
   networks
 • Actually two works:
     – Trusted Network Interpretation of the TCSEC
       (NCSC-TG-005)
     – Trusted Network Interpretation Environments
       Guideline: Guidance for Applying the Trusted
       Network Interpretation (NCSC-TG-011)




Access Control Systems & Methodology: Techniques

Access Control Techniques
• Access Control Lists - a list containing users
  permitted to resources or vice versa
     – Elementary List - a short list of predefined access rights
     – Advanced List - access rights based within a registry that
       permits user-defined controls
      – Different operating systems use different ACL terms
      – Types of access (the rights an entry grants):
         • Read/Write/Create/Execute/Modify/Delete/Rename




Other access control mechanisms

 • Menus and shells - the user sees only the
   functions allowed
 • Database views - the user queries a view that
   exposes only permitted rows and columns
 • Physically constrained user interfaces -
   restrict access by blocking direct access
   to a function (e.g. an ATM keypad)
 • Capability tables - bound to the subject rather
   than the object: the subject presents a
   capability (ticket) that lists the objects and
   rights it holds


Mainframe ACL – Sample 1 (screenshot not reproduced in this extract)

Mainframe Sample - 2

(RACF profile listing: each entry is an ID and the access it holds to
datasets matching the generic profile)

 INFORMATION FOR DATASET ABCD.EFGHIJ.** (G)
 ...
    ID        ACCESS
 --------    -------
 USER1       READ
 USER2       UPDATE
 GROUPB      EXECUTE

    ID    ACCESS   CLASS    ENTITY NAME
 -------- -------- -------- -------------------------
 NO ENTRIES IN CONDITIONAL ACCESS LIST


Mainframe Sample # 3
(CA Top Secret permission listing: each XA DATASET line is a
dataset prefix the ACID may access, with the access level, any
program-pathing restriction and whether access is audited)

ACCESSORID = XXXXXX         NAME   = SAMPLE USER
XA DATASET = OPSG                           OWNER(DSN)
  ACCESS = ALL
XA DATASET = AABB.                          OWNER(DSN)
  ACCESS = READ
  PRIVPGM = SAMPPROG
XA DATASET = CCDD.FFFF.YYYY                 OWNER(SYS)
  ACCESS = NONE
XA DATASET = EEE.GGGG                       OWNER(SYS)
  ACCESS = ALL
  ACTION = AUDIT




Standard UNIX file permissions

 Permission    Allowed action, if object is a file    Allowed action, if object is a directory
 r (read)      Read contents of the file              List directory contents
 w (write)     Change file contents                   Add, rename, remove files & sub-directories
 x (execute)   Execute the file, if a program         Search (traverse) the directory




UNIX Sample



-rw-rw-r-- 1 user1 group1   852 Jul 17 2003 samplefile.txt
drwxrwxr-x 2 user1 group1   512 Apr 18 09:14 testdir
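Working out who may do what with the two entries above, as an added example (not code from the presentation). It parses `ls -l` style lines, including the setuid/setgid/sticky forms, and applies the owner-then-group-then-other selection rule that the kernel uses; the users, their group memberships and the two extra sample lines are constructed:

```python
"""Evaluating UNIX mode bits (added example; not from the presentation).

Parses `ls -l` style lines such as the sample above and decides what a user
may do with each entry, applying the rule real kernels use: pick the owner
bits if the user owns the entry, else the group bits if the user is in the
entry's group, else the other bits, and consult only that triple. The users,
group memberships and extra sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Set

LS_LINE = re.compile(
    r"^([-dlbcps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(.+)$")

# What each bit permits, as in the table above ("d" = directory, "-" = file).
ACTIONS = {
    ("-", "r"): "read contents", ("-", "w"): "change contents", ("-", "x"): "execute",
    ("d", "r"): "list entries", ("d", "w"): "add/rename/remove entries",
    ("d", "x"): "search/traverse"}


@dataclass(frozen=True)
class Entry:
    kind: str            # "-" file, "d" directory, "l" symlink, ...
    owner_bits: str      # e.g. "rw-"
    group_bits: str
    other_bits: str
    setuid: bool
    setgid: bool
    sticky: bool
    owner: str
    group: str
    name: str


@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str] = frozenset()


def _triple(t: str):
    """Normalise one rwx triple: 's'/'t' mean x plus a special bit, 'S'/'T' the bit without x."""
    return t[:2] + ("x" if t[2] in "xst" else "-"), t[2] in "sStT"


def parse(line: str) -> Entry:
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    kind, perms, owner, group, name = m.groups()
    (o, setuid), (g, setgid), (w, sticky) = _triple(perms[:3]), _triple(perms[3:6]), _triple(perms[6:])
    return Entry(kind, o, g, w, setuid, setgid, sticky, owner, group, name)


def effective_bits(entry: Entry, subject: Subject) -> str:
    """Owner, else group, else other; never the union of all three."""
    if subject.user == "root":
        # root bypasses read/write checks; execute still needs some x bit on a file.
        any_x = "x" in entry.owner_bits + entry.group_bits + entry.other_bits
        return "rwx" if entry.kind == "d" or any_x else "rw-"
    if subject.user == entry.owner:
        return entry.owner_bits
    if entry.group in subject.groups:
        return entry.group_bits
    return entry.other_bits


def allowed(entry: Entry, subject: Subject) -> Set[str]:
    bits = effective_bits(entry, subject)
    return {ACTIONS[(entry.kind, b)] for b in "rwx" if b in bits and (entry.kind, b) in ACTIONS}


# The two sample lines from the slide plus two constructed ones.
SAMPLE = [
    "-rw-rw-r-- 1 user1 group1   852 Jul 17 2003 samplefile.txt",
    "drwxrwxr-x 2 user1 group1   512 Apr 18 09:14 testdir",
    "----rwx--- 1 user1 group1    10 Jan  1 2010 owner-locked-out",   # constructed
    "-rwsr-xr-x 1 root  root   40000 Jan  1 2010 passwd",              # constructed
]

if __name__ == "__main__":
    owner = Subject("user1", frozenset({"group1"}))
    member = Subject("user2", frozenset({"group1"}))
    other = Subject("user3")
    for line in SAMPLE:
        e = parse(line)
        print(e.name, {s.user: sorted(allowed(e, s)) for s in (owner, member, other)})
```

The constructed `owner-locked-out` entry shows the selection rule's sharp edge: its owner, though a member of group1, gets the owner triple and nothing else, while any other group1 member gets rwx. The `passwd` entry shows how a setuid-root binary appears, which is the case the following slide warns about.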




UNIX - recommendation
 • UNIX - Don't make a program run setuid
   to root if not needed. Instead, make the
   files it must write group-writable by a
   dedicated group and run the program setgid
   to that group: a flaw in the program then
   yields that group's rights, not root's
 • Don't run insecure programs on the
   firewall or other trusted hosts
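The permission table, the `ls -l` sample and the setuid/setgid recommendation above, worked through in code. This is an added example, not material from the slides: it decodes `ls -l` mode strings into numeric permission bits and then flags the cases the recommendation warns about (setuid-root binaries, setgid binaries and their group, world-writable files). The first two listing lines are the slide's own; the three that follow (rootpasswd, lpr, dropbox.sh) are constructed to exercise the special bits.

```python
"""Decode ls -l mode strings into st_mode bits and flag risky permissions.

Added example, not from the original slides. The first two lines of the
listing are the slide's sample; the remaining three are constructed.
"""
import stat
from dataclasses import dataclass

SAMPLE_LISTING = """\
-rw-rw-r--  1 user1 group1   852 Jul 17  2003 samplefile.txt
drwxrwxr-x  2 user1 group1   512 Apr 18 09:14 testdir
-rwsr-xr-x  1 root  root    52000 Jan  5 10:02 rootpasswd
-rwxr-sr-x  1 root  spool   40000 Jan  5 10:02 lpr
-rwxrwxrwx  1 root  root     1200 Jan  5 10:02 dropbox.sh
"""


@dataclass
class Entry:
    name: str
    owner: str
    group: str
    mode: int  # st_mode-style bits, e.g. 0o104755 for a setuid regular file


def parse_mode_string(s: str) -> int:
    """Translate a 10-character ls -l mode such as '-rwsr-xr-x' into st_mode bits."""
    if len(s) != 10:
        raise ValueError(f"bad mode string: {s!r}")
    types = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "c": stat.S_IFCHR,
             "b": stat.S_IFBLK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}
    mode = types[s[0]]
    # Positions 0-8 are rwx for owner, group, other; the x slot may carry s/S/t/T.
    bits = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    for i, ch in enumerate(s[1:]):
        if ch == "-":
            continue
        if i in special and ch in "sStT":
            mode |= special[i]
            if ch in "st":          # lowercase means the execute bit is set too
                mode |= bits[i]
        elif ch in "rwx":
            mode |= bits[i]
        else:
            raise ValueError(f"bad permission character {ch!r} in {s!r}")
    return mode


def parse_listing(text: str) -> list:
    """Parse ls -l lines (mode, links, owner, group, size, date x3, name)."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # name is the 9th field and may contain spaces
        if len(parts) < 9:
            continue
        entries.append(Entry(name=parts[8], owner=parts[2], group=parts[3],
                             mode=parse_mode_string(parts[0])))
    return entries


def findings(entries: list) -> dict:
    """Flag what slide 77 warns about: setuid root, setgid, world-writable files."""
    out = {"setuid_root": [], "setgid": [], "world_writable": []}
    for e in entries:
        if e.mode & stat.S_ISUID and e.owner == "root":
            out["setuid_root"].append(e.name)
        if e.mode & stat.S_ISGID and not stat.S_ISDIR(e.mode):
            out["setgid"].append(f"{e.name} (group {e.group})")
        if e.mode & stat.S_IWOTH and not stat.S_ISDIR(e.mode):
            out["world_writable"].append(e.name)
    return out


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    for e in ents:
        print(f"{e.name:16} {oct(stat.S_IMODE(e.mode))}")
    print(findings(ents))
```

Run against a real system with `ls -l /usr/bin | python3 -` style input (after adapting the `__main__` block to read stdin) the same logic gives a quick inventory of setuid-root binaries, which is the list to shrink in favour of setgid programs as the slide recommends.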




77
              Windows Sample




78
 Access Control Systems & Methodology

 Administration, Auditing & Monitoring
              Access Control Administration
 • Centralized - one location is responsible
   for access control
     – Advantages –
        • Strict control and uniformity of access
        • Composite access view easier
     – Disadvantages –
        • central administration can be overloaded
        • More difficult to associate entitlements
          with approvers



80
              Access Control Administration
 • Decentralized - resource owners are
   responsible for access control
     – Advantage
        • Access is granted by person accountable
          (Approver)
     – Disadvantages
        • Access combination conflicts,
        • Composite view of user access unavailable
        • Lack of access consistency
        • More difficult to respond to external
          regulators
81
                Auditing and Monitoring
 Organizations use two basic methods to
   maintain operational assurance:
  • System audit - a periodic event to evaluate
    security
  • Monitoring - an ongoing activity that checks
    users and systems




82
                             Auditing
      • Periodic access reviews – Data owners review
        and certify users who have access
      • Automated tools - program reviews system and
        reports vulnerabilities
      • Internal controls audit - auditor reviews and
        analyzes controls
      • Security checklists - security plan used as a
        system checklist
      • Penetration testing - attempt to break-in to
        check controls



83
                 Periodic Access Reviews
 • Regular review of network and
   application user accounts against the HR
   active-employee and termination lists to
   ensure that only current personnel have
   active accounts.
 • Regular review of user entitlements by
   user managers and data/application
   owners to ensure that users only have
   access necessary to do their job
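The two reviews above, as an added example in code (not from the slides): an account export is reconciled against the HR roster and a per-role entitlement baseline, producing the four findings a reviewer acts on. All records are constructed, and the field names (uid, status, last_login, entitlements) and the 90-day dormancy threshold are assumptions about what an account export and HR feed would carry.

```python
"""Periodic access review: reconcile accounts with HR and a role baseline.

Added example, not from the original slides. Every record here is
constructed; field names and thresholds are assumptions.
"""
from datetime import date

REVIEW_DATE = date(2011, 7, 17)
DORMANT_DAYS = 90
KNOWN_SERVICE_ACCOUNTS = {"svc_batch"}   # reviewed separately by their owner

# Constructed HR feed: employee id -> (status, role)
HR = {
    "e1001": ("active", "claims_adjuster"),
    "e1002": ("terminated", "claims_adjuster"),
    "e1003": ("active", "dba"),
    "e1004": ("active", "claims_adjuster"),
}

# Constructed account export from one application.
ACCOUNTS = [
    {"uid": "e1001", "last_login": date(2011, 7, 10), "entitlements": {"CLAIM_READ", "CLAIM_UPDATE"}},
    {"uid": "e1002", "last_login": date(2011, 3, 1),  "entitlements": {"CLAIM_READ", "CLAIM_UPDATE"}},
    {"uid": "e1003", "last_login": date(2011, 7, 16), "entitlements": {"DB_ADMIN", "CLAIM_READ"}},
    {"uid": "e1004", "last_login": date(2011, 2, 2),  "entitlements": {"CLAIM_READ", "CLAIM_UPDATE", "CLAIM_APPROVE"}},
    {"uid": "jsmith", "last_login": date(2011, 7, 1), "entitlements": {"CLAIM_READ"}},
    {"uid": "svc_batch", "last_login": date(2011, 7, 17), "entitlements": {"CLAIM_READ"}},
]

# Constructed least-privilege baseline: what each role is supposed to hold.
ROLE_BASELINE = {
    "claims_adjuster": {"CLAIM_READ", "CLAIM_UPDATE"},
    "dba": {"DB_ADMIN"},
}


def review(accounts, hr, baseline, today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return findings keyed by type; each finding is (uid, detail)."""
    out = {"terminated": [], "orphan": [], "dormant": [], "excess": []}
    for a in accounts:
        uid = a["uid"]
        if uid in KNOWN_SERVICE_ACCOUNTS:
            continue
        if uid not in hr:
            out["orphan"].append((uid, "no HR record for this account"))
            continue
        status, role = hr[uid]
        if status != "active":
            out["terminated"].append((uid, f"HR status is {status}"))
            continue  # disable first; entitlement detail is moot for a leaver
        if (today - a["last_login"]).days > dormant_days:
            out["dormant"].append((uid, f"last login {a['last_login']}"))
        excess = a["entitlements"] - baseline.get(role, set())
        if excess:
            out["excess"].append((uid, f"{role} holds extra {sorted(excess)}"))
    return out


if __name__ == "__main__":
    for kind, items in review(ACCOUNTS, HR, ROLE_BASELINE).items():
        for uid, detail in items:
            print(f"{kind:10} {uid:10} {detail}")
```

The ordering matters: a terminated user's account is reported once, for disabling, rather than also appearing as dormant or over-entitled; orphans (accounts with no HR record at all) are the ones most often missed when reviews are done by eye.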


84
                      Monitoring

 •   IDS
 •   Logs
 •   Audit trails
 •   Network tools
     – Tivoli
     – Spectrum
     – OpenView




85
                              Monitoring
 Intrusion Detection (IDS)
   – Techniques which attempt to detect computer and
      network intrusion from logs or audit trails
   – Automated intrusion detection examines logs and
      compares them with expected user profile activity
   – Statistical intrusion detection – monitors behavior and
      maintains profiles, then compares new activity
      mathematically against the profile (anomaly detection)
   – Rule based intrusion detection – rules characterize
      known intrusions (e.g. generic or operating system
      specific), then logs are compared against the rule
      database (signature detection)




86
                      Audit Trails
 An audit trail is a series of records on computer
   events occurring within a system or application
  • Keystroke monitoring - a record of keystroke
    information entered by a system user
  • Event-oriented - contains records on system,
    application, or user events
  • Benefits - individual accountability,
    reconstruction of events, intrusion detection,
    and problem analysis
  • Issues - protection, periodic review, analysis of
    data



87
                     Monitoring
• Review of system logs - periodic review to
  detect problems
• Automated tools - virus scanners, performance
  monitor, password crackers, etc.
• Configuration management - system changes
  are reviewed
• Electronic news - incident response and alert e-
  mail notices




88
            Intrusion Detection Systems
 • IDS monitors system or network for
   attacks
 • IDS engine has a library and set of
   signatures that identify an attack
 • Adds defense in depth
 • NIDS / HIDS
 • Should be used in conjunction with a
   system scanner (CyberCop, ISS S3) for
   maximum security
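The two detection styles from the Monitoring slide (rule based versus statistical) and the signature library this slide describes, run over a day of authentication log lines. This is an added example, not code from the slides or from any IDS product: the syslog-style lines, the per-user failure baseline and the z-score threshold are all constructed.

```python
"""Rule-based and statistical intrusion detection over authentication logs.

Added example, not from the original slides. The syslog-style lines, the
per-user failure baseline and the thresholds are all constructed.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: failed logins per day over the previous week, per user.
BASELINE_FAILS_PER_DAY = {"alice": [1, 0, 2, 1, 0, 1, 1], "bob": [0, 0, 1, 0, 0, 0, 0]}

# Constructed log for the day under review.
TODAY_LOG = """\
Jul 17 03:01:11 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40012 ssh2
Jul 17 03:01:13 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40013 ssh2
Jul 17 03:01:14 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40014 ssh2
Jul 17 03:01:16 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40015 ssh2
Jul 17 03:01:18 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40016 ssh2
Jul 17 03:01:19 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40017 ssh2
Jul 17 03:01:21 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40018 ssh2
Jul 17 03:01:22 host1 sshd[812]: Failed password for alice from 10.1.1.7 port 40019 ssh2
Jul 17 03:01:24 host1 sshd[812]: Accepted password for alice from 10.1.1.7 port 40020 ssh2
Jul 17 09:12:02 host1 sshd[900]: Failed password for bob from 10.1.1.9 port 50000 ssh2
Jul 17 09:12:30 host1 sshd[901]: Accepted publickey for bob from 10.1.1.9 port 50001 ssh2
Jul 17 11:00:00 host1 sshd[950]: Failed password for invalid user admin from 203.0.113.5 port 1234 ssh2
Jul 17 11:00:02 host1 sshd[950]: Failed password for invalid user admin from 203.0.113.5 port 1235 ssh2
"""

FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
OK = re.compile(r"Accepted \w+ for (\S+) from (\S+)")

# Rule based: each rule characterizes a known intrusion and captures the source.
RULES = [
    ("invalid user probe", re.compile(r"Failed password for invalid user \S+ from (\S+)")),
    ("root login attempt", re.compile(r"password for root from (\S+)")),
]


def rule_based(log: str) -> list:
    """Signature matching: every rule hit is an alert (rule name, source address)."""
    alerts = []
    for line in log.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                alerts.append((name, m.group(1)))
    return alerts


def sequence_rule(log: str, min_fails: int = 5) -> list:
    """Rule over a sequence: many failures then a success for the same user/source."""
    fails, alerts = Counter(), []
    for line in log.splitlines():
        m = FAIL.search(line)
        if m:
            fails[m.groups()] += 1
            continue
        m = OK.search(line)
        if m and fails[m.groups()] >= min_fails:
            alerts.append((f"success after {fails[m.groups()]} failures", m.group(1)))
    return alerts


def statistical(log: str, baseline: dict, z_threshold: float = 3.0) -> list:
    """Profile based: today's failure count per user against that user's own history."""
    today = Counter()
    for line in log.splitlines():
        m = FAIL.search(line)
        if m and "invalid user" not in line:
            today[m.group(1)] += 1
    alerts = []
    for user, history in baseline.items():
        mu, sigma = mean(history), max(pstdev(history), 0.5)  # floor avoids divide-by-zero on a flat history
        z = (today[user] - mu) / sigma
        if z > z_threshold:
            alerts.append((user, today[user], round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("rule hits:    ", rule_based(TODAY_LOG))
    print("sequence hits:", sequence_rule(TODAY_LOG))
    print("anomalies:    ", statistical(TODAY_LOG, BASELINE_FAILS_PER_DAY))
```

Note what each style catches: the signature rules see the probe for a non-existent account but say nothing about alice, whose eight failures followed by a success only stand out against her own profile (or against the sequence rule). Bob's single failure is within his normal variation and stays quiet.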

89
                        Monitoring
 • Adaptive real-time anomaly detection
     –   inductively generated sequential patterns
     –   sequential rules describe behavior
     –   time-based inductive learning approach
     –   time-based induction machine (TIM)
 • TIM
     –   observes temporal process
     –   identifies patterns
     –   set of hypotheses
     –   input episodes
     –   user profile

90
                    Penetration Testing
 • Identifies weaknesses in Internet, Intranet,
   Extranet, and RAS technologies
     –   Discovery and footprint analysis
     –   Exploitation
     –   Physical Security Assessment
     –   Social Engineering
 • Attempts to identify vulnerabilities and gain access to
   critical systems within the organization
 • Identifies and recommends corrective action for
   systemic problems
 • Assessments allow client to demonstrate the
   need for additional security resources
91
 Access Control Systems & Methodology

     Information System Controls
                        Banners
 • Banners display at login or connection
   stating that the system is for the
   exclusive use of authorized users and
   that their activity may be monitored
 • Not foolproof, but a good start, especially
   from a legal perspective
 • Make sure that the banner does not
   reveal system information such as OS,
   version or hardware


93
               Access Control Software
 • Software that automates information
   security functions on host computers
     – Features:
        • use password protection
        • log accesses
        • user access controls
        • data access controls
        • flexible administration
     – Examples: RACF, ACF2, TOP SECRET, Tivoli
       Access Manager, RSA Access Manager,
       Windows GINA/Active Directory
94
                    RAS access control
 • RADIUS (Remote Authentication Dial-In User Service)
   –
 • TACACS/TACACS+ (Terminal Access Controller Access
   Control System) –


     Both defined in greater detail in Telecom and Network
       Security Module.




95
                     Kerberos
 • Developed as part of MIT's Project Athena;
   currently at version 5
 • Kerberos is an authentication protocol
   used for network wide authentication
 • All software must be kerberized
 • Tickets, authenticators, key distribution
   center (KDC)
 • Divided into realms
 • Kerberos is the three-headed dog that
   guards the entrance to Hades (this won’t
   be on the test)
96
                  Kerberos roles

• KDC divided into Authentication Server &
  Ticket Granting Server (TGS)
• Authentication Server - authenticates the
  identities of entities on the network
• TGS - issues service tickets, each carrying a
  unique session key shared between the two
  parties. The parties then use that session
  key to authenticate and encrypt their
  messages



97
                 Kerberos authentication
• User must have an account (principal) on the KDC
• KDC must be a trusted server in a secured
  location: it holds every principal's key
• Shares a long-term secret key with each
  principal, derived from the user's password
  (DES in early deployments, AES today)
• When a user wants to access a host or
  application, they request a ticket from the KDC
• User presents the ticket and an authenticator to
  the application, which checks them for validity
  and then grants access; the application never
  needs to contact the KDC
• Requires synchronized clocks (typically within
  5 minutes), because authenticators carry timestamps
• Uses port 88 over UDP (with TCP fallback), which
  is often blocked by firewalls
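The exchange described on the last three slides, as an added example that is not part of the original deck and is not a real Kerberos implementation: the KDC is split into an Authentication Server and a Ticket Granting Server, tickets carry session keys, authenticators carry timestamps, and the kerberized service checks clock skew, expiry and replay on its own. `seal`/`unseal` is a toy HMAC-based stand-in for Kerberos' encryption types, `string2key` is a PBKDF2 stand-in for the real string-to-key function, and the principal names, the service `host/app`, `SKEW` and `LIFETIME` are assumptions.

```python
"""Kerberos-style exchange: AS, TGS, tickets and authenticators.

Added example, not from the original slides and not real Kerberos: seal/unseal
is a toy HMAC-based stand-in for krb5 encryption types, string2key is a PBKDF2
stand-in, and the names, service "host/app", SKEW and LIFETIME are assumptions.
"""
import hashlib, hmac, json, os, time

SKEW = 300                 # allowed clock difference in seconds (krb5 default: 5 minutes)
LIFETIME = 8 * 3600        # ticket lifetime in seconds
SVC_KEY = os.urandom(32)   # long-term key of the constructed service "host/app"

def string2key(password: str, principal: str) -> bytes:
    """Long-term key derived from the user's password (stand-in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, auth: dict, now: float) -> None:
    """Checks made by every party that accepts a ticket: names match, fresh, unexpired."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator client does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("clock skew too large")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")

class KDC:
    """Authentication Server and Ticket Granting Server sharing one principal database."""
    def __init__(self, principals: dict):
        self.keys = dict(principals)            # principal name -> long-term key
        self.keys["krbtgt"] = os.urandom(32)    # key under which TGTs are sealed
    def _ticket(self, svc_key: bytes, client: str, service: str, now: float):
        skey = os.urandom(32).hex()             # fresh session key carried inside the ticket
        tkt = {"client": client, "service": service, "skey": skey, "expires": now + LIFETIME}
        return seal(svc_key, tkt), skey
    def as_exchange(self, client: str, now: float):
        """AS-REQ/AS-REP: a TGT plus the TGS session key sealed under the user's key."""
        tgt, skey = self._ticket(self.keys["krbtgt"], client, "krbtgt", now)
        return tgt, seal(self.keys[client], {"skey": skey})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        check_authenticator(t, auth, now)
        st, skey = self._ticket(self.keys[service], t["client"], service, now)
        return st, seal(bytes.fromhex(t["skey"]), {"skey": skey})

class Service:
    """A kerberized server: validates tickets locally and never contacts the KDC."""
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()        # seen: replay cache of (client, timestamp)
    def accept(self, ticket: bytes, authenticator: bytes, now: float = None) -> str:
        now = time.time() if now is None else now
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        check_authenticator(t, auth, now)
        if (auth["client"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return t["client"]

def login(kdc, svc, client, password, clock_offset=0.0):
    """Whole client flow; returns (accepted name, service ticket, authenticator)."""
    now = time.time()
    tgt, enc = kdc.as_exchange(client, now)
    tgs_skey = bytes.fromhex(unseal(string2key(password, client), enc)["skey"])  # wrong password fails here
    ts = now + clock_offset                     # a skewed client clock shows up in the authenticator
    st, enc2 = kdc.tgs_exchange(tgt, seal(tgs_skey, {"client": client, "ts": ts}), "host/app", now)
    svc_skey = bytes.fromhex(unseal(tgs_skey, enc2)["skey"])
    authenticator = seal(svc_skey, {"client": client, "ts": ts})
    return svc.accept(st, authenticator, now), st, authenticator

def attempt(fn, *args, **kw) -> str:
    """Run one step; return '' on success or the reason it was refused."""
    try:
        fn(*args, **kw)
        return ""
    except (ValueError, KeyError) as e:
        return str(e)

if __name__ == "__main__":
    kdc = KDC({"alice": string2key("correct horse", "alice"), "host/app": SVC_KEY})
    svc = Service(SVC_KEY)
    name, st, auth = login(kdc, svc, "alice", "correct horse")
    print("accepted:", name, "| replay:", attempt(svc.accept, st, auth))
    print("wrong password:", attempt(login, kdc, svc, "alice", "wrong"))
    print("clock 10 min off:", attempt(login, kdc, svc, "alice", "correct horse", clock_offset=600))
```

Two points from the slides are visible in the code: the password never leaves the client (a wrong password simply fails to decrypt the AS reply), and the service verifies the ticket with its own key, which is why every participating program has to be kerberized. The replay cache and the skew check are what make the timestamp in the authenticator worth anything; remove either and a captured authenticator can be reused.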



98
Access Control Systems & Methodology

     Vulnerabilities & Attacks
                          Risk
  • Threat - an activity with the potential for
    causing harm to an information system
  • Vulnerability - a flaw or weakness that may
    allow harm to an information system
  • Impact - the harm that would be caused by an
    incident
  • Risk - is a combination of chance that threat will
    occur and the severity of its impact
  • Exposure - a specific instance of weakness to
    losses from a threat event


100
                       Vulnerabilities
  • Physical
  • Natural
      – Floods, earthquakes, power outages,
        lightning
  • Hardware/Software
  • Media
      – Corrupt electronic media, stolen disk drives
  • Emanation
  • Communications
  • Human
      – Social engineering, disgruntled staff,
        terrorists


101
                                Attacks
• Passive attack - Monitor network traffic and then use data
  obtained or perform a replay attack.
   – Hard to detect
• Active attack - Attacker is actively trying to break-in.
   – Exploit system vulnerabilities
   – Spoofing
   – Crypto attacks
• Denial of service (DoS) - Not so much an attempt to gain
  access, rather to prevent system operation
   – Smurf, SYN Flood, Ping of death
   – Mail bombs




102
                   Methods of Attack
  • Methods to bypass access controls and
    gain unauthorized access to information
      – Brute force - exhaustive trial of candidate
        passwords or keys (every possible value, or
        every word in a list) until one is accepted
      – Denial of service - overloading a system
        through an online connection to force it to
        shutdown
      – Social Engineering - deception of system
        personnel in order to gain access
      – Spoofing - masquerading an ID or data to
        gain access to data or a system

103
                   Password Attacks
  • Brute force
      – l0phtcrack
  • Dictionary
      – Crack
      – John the Ripper
  • Trojan horse login program
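The dictionary attack with mangling rules that Crack and John the Ripper perform, worked as an added example against constructed hashes, together with the brute-force definition from the previous slide. This is not code from any of the tools named above: the word list, the rules, the users and their hashes are constructed, the PBKDF2 round count is kept deliberately low so the demo runs quickly, and the comparison is what a practitioner should take away: an unsalted hash is cracked once for all users, a salted slow hash has to be attacked per user at a much higher cost per guess.

```python
"""Dictionary attack with mangling rules against constructed password hashes.

Added example, not from the original slides and not code from Crack, John the
Ripper or L0phtCrack. Word list, rules, users and hashes are constructed.
"""
import hashlib

WORDLIST = ["password", "summer", "insurance", "letmein", "dragon"]
ROUNDS = 10_000   # deliberately low for the demo; real deployments use far more


def mangle(word: str):
    """A few Crack/JtR-style rules: as-is, capitalised, digit suffix, leet-speak."""
    for base in (word, word.capitalize()):
        yield base
        for d in range(10):
            yield f"{base}{d}"
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def candidates(wordlist):
    for w in wordlist:
        yield from mangle(w)


def md5_unsalted(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def pbkdf2(pw: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS).hex()


# Constructed password stores: legacy unsalted MD5 versus per-user salted PBKDF2.
TARGETS_MD5 = {u: md5_unsalted(p) for u, p in
               [("alice", "Summer7"), ("bob", "p@ssw0rd"), ("carol", "x9!Kq2#v")]}
TARGETS_PBKDF2 = {"alice": (b"salt-a", pbkdf2("Summer7", b"salt-a")),
                  "bob": (b"salt-b", pbkdf2("p@ssw0rd", b"salt-b"))}


def crack_unsalted(targets: dict, wordlist: list):
    """Unsalted: one hash per candidate serves every user (a lookup table)."""
    lookup = {h: u for u, h in targets.items()}
    found, hashes = {}, 0
    for c in candidates(wordlist):
        hashes += 1
        h = md5_unsalted(c)
        if h in lookup:
            found[lookup[h]] = c
    return found, hashes


def crack_salted(targets: dict, wordlist: list):
    """Salted: every candidate must be re-hashed for each user's own salt."""
    found, hashes = {}, 0
    for user, (salt, h) in targets.items():
        for c in candidates(wordlist):
            hashes += 1
            if pbkdf2(c, salt) == h:
                found[user] = c
                break
    return found, hashes


if __name__ == "__main__":
    for fn, t in ((crack_unsalted, TARGETS_MD5), (crack_salted, TARGETS_PBKDF2)):
        found, n = fn(t, WORDLIST)
        print(f"{fn.__name__}: cracked {found} after {n} hash computations")
```

Carol's random password is not produced by any rule and survives both runs; alice and bob fall to the same 115-candidate list either way. The difference is cost: the unsalted store is attacked with 115 cheap MD5 computations for all three users at once, while the salted store costs one PBKDF2 run (ROUNDS iterations each) per candidate per user, which is why salting plus a slow hash, not a longer word list, is the defence.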




104
Access Control Systems & Methodology

             Protection
                          Object reuse
• Must ensure that magnetic media retain no
  remanence of previous data before reuse
• Also applies to buffers, cache and other memory
  allocations handed to a new process
• Required by TCSEC from class C2 upward
• Secure Deletion of Data from Magnetic and Solid-
  State Memory, Peter Gutmann
      – http://www.fish.com/security/secure_del.html
• Recently declassified documents describe how data
  was recovered after 10 overwrite passes, which is
  what motivated multi-pass overwrite schemes
• Objects must be sanitized (declassified) before
  reuse
• Magnetic media must be degaussed or securely
  overwritten; media that cannot be sanitized must
  be destroyed

106
                 TEMPEST
  • Electromagnetic emanations from
    keyboards, cables, printers, modems,
    monitors and all electronic equipment.
    With appropriate and sophisticated enough
    equipment, data can be readable at a few
    hundred yards.
  • TEMPEST certified equipment, which
    encases the hardware into a tight, metal
    construct, shields the electromagnetic
    emanations

107
                TEMPEST

• Rooms & buildings can be TEMPEST-certified
• TEMPEST hardware is extremely expensive
  and can only be serviced by certified
  technicians
• TEMPEST standards NACSEM 5100A NACSI
  5004 are classified documents




108

				