Class 3

Access Control Terminology

Access Controls
- Control how users and systems communicate and interact

Process Terminology
- Identification
  - Method for determining that a subject is who it says it is
  - User name, PIN, smart card, account number
- Authenticated
  - Provided a second matching piece to the identification method
  - Password, passphrase, PIN
- Authorized
  - Has appropriate access to the requested resource

Strong Authentication
- Types of authentication
  - Something a person has
  - Something a person knows
  - Something a person is
- Strong authentication includes at least 2 of the 3
- Only 1 is considered _______________

Biometrics – Something a Person Is
- A unique personal attribute
- Type I Error
  - Rejects an authorized user
- Type II Error
  - Accepts a non-authorized impostor
- Crossover Error Rate (CER)
  - Point where the Type I Error distribution and the Type II Error distribution meet
  - The lower the number, the better
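Worked example of the Type I / Type II / CER relationship, added here as an illustration and not part of the slide deck. The match scores are constructed (not from any real biometric device); the code sweeps the decision threshold, computes the false reject rate (Type I) and false accept rate (Type II) at each, and reports the threshold where the two curves meet, which is the CER used to compare devices.

```python
# Constructed match scores on a 0-100 scale (not measurements from any real device):
# genuine users should score high, impostors low, but the two populations overlap,
# so no threshold separates them perfectly.
GENUINE_SCORES = [88, 92, 75, 81, 95, 58, 84, 90, 62, 86]
IMPOSTOR_SCORES = [30, 45, 52, 38, 71, 47, 55, 42, 66, 35]


def error_rates(threshold, genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """Type I (false reject) and Type II (false accept) rates when the device
    accepts any score at or above `threshold`."""
    false_reject_rate = sum(score < threshold for score in genuine) / len(genuine)
    false_accept_rate = sum(score >= threshold for score in impostors) / len(impostors)
    return false_reject_rate, false_accept_rate


def crossover_error_rate(genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """Sweep every threshold; the CER is the error rate at the threshold where the
    Type I and Type II curves meet (or come closest). Returns (threshold, cer)."""
    best_gap, best_threshold, best_cer = None, None, None
    for threshold in range(0, 101):
        frr, far = error_rates(threshold, genuine, impostors)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_cer = gap, threshold, (frr + far) / 2
    return best_threshold, best_cer


if __name__ == "__main__":
    # Raising the threshold trades Type II errors for Type I errors; the CER is the balance point.
    for t in (50, 60, 63, 70, 80):
        frr, far = error_rates(t)
        print(f"threshold={t:3d}  TypeI(FRR)={frr:.1f}  TypeII(FAR)={far:.1f}")
    print("crossover at threshold=%d, CER=%.2f" % crossover_error_rate())
```

A device with a lower CER separates the two populations better; the same sweep run on a second device's scores gives the number to compare against.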
Popular Biometrics
- Fingerprint
- Palm scan
- Hand geometry
  - Length and width of the hand and fingers
- Retina scan
- Iris scan
- Signature dynamics
- Keyboard dynamics
- Voice print
- Facial scan
- Hand topology
  - Side picture of the hand

Biometrics Compared

Passwords – Something a Person Knows
- Passphrases refer to multiple-word passwords
- Personal Identification Numbers (PINs) refer to numeric codes
- Considered weak
  - People use familiar words or numbers
  - Words are susceptible to dictionary and brute force attacks
  - Users can't remember strong passwords, so they write them down

Making Passwords Stronger
- Forced password lifetimes
  - Shorter makes it more secure, but too short and users forget which is active
  - 60 days is a good compromise
- Enforced minimum lengths
- Forced special characters, case changes
- No reuse
- Lock out users at a low clipping level (acceptable number of failed attempts)
  - For how long?

Better Passwords Through Technology
- Password generators
  - Produce random but pronounceable passwords
- Password checkers/crackers
  - L0phtcrack
  - John the Ripper
  - Brutus

Variations on a Theme
- Cognitive passwords
  - Fact- or opinion-based information
  - Best for seldom-used authentication needs
- One-time use passwords
  - Synchronous token device
    - Token and server preshare a private key
    - Time based – token device and server clocks are synchronized; the time value is used as plaintext
    - Event based – token and server share an authentication value list
  - Asynchronous token device
    - Server prompts with a challenge code, user enters the code into the token device, which returns a response code; user enters the response into the server
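Both one-time password styles from the slide, as an added example (not the slide's own code or any particular vendor's token): a synchronous, time-based token where device and server derive the code from the shared key and the current time slot, and an asynchronous token where the server issues a challenge and the device returns a response computed from the shared key. The key is a constructed demo value; using HMAC-SHA1 with dynamic truncation (the construction RFC 4226/6238 use) is this example's choice, not something the slide specifies.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo key. In practice the token device and the server are provisioned with it once
# and it never travels over the network afterwards.
DEMO_SHARED_KEY = b"demo-preshared-key-not-for-production"
TIME_STEP_SECONDS = 30
CODE_DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """Reduce an HMAC output to a short decimal code a user can type (dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


# --- Synchronous, time-based token -------------------------------------------------------
def synchronous_code(shared_key: bytes, now: int) -> str:
    """Token side and server side run the same function: the time slot is the 'plaintext'."""
    counter = now // TIME_STEP_SECONDS
    mac = hmac.new(shared_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, CODE_DIGITS)


def verify_synchronous(shared_key: bytes, submitted: str, now: int, drift_steps: int = 1) -> bool:
    """Server side: clocks are synchronized, but tolerate +/- drift_steps slots of skew.
    A code from an older slot is rejected, which is what makes it one-time."""
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = synchronous_code(shared_key, now + delta * TIME_STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# --- Asynchronous, challenge/response token ----------------------------------------------
def issue_challenge() -> str:
    """Server side: a fresh random challenge the user keys into the token device."""
    return secrets.token_hex(4)


def token_response(shared_key: bytes, challenge: str) -> str:
    """Token side: the response depends on the challenge and the shared key, so a captured
    response is useless for any other challenge."""
    mac = hmac.new(shared_key, challenge.encode(), hashlib.sha1).digest()
    return _truncate(mac, CODE_DIGITS)


def verify_response(shared_key: bytes, challenge: str, submitted: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(token_response(shared_key, challenge), submitted)


if __name__ == "__main__":
    now = int(time.time())
    code = synchronous_code(DEMO_SHARED_KEY, now)
    print("time-based code:", code, "accepted:", verify_synchronous(DEMO_SHARED_KEY, code, now))
    challenge = issue_challenge()
    response = token_response(DEMO_SHARED_KEY, challenge)
    print("challenge:", challenge, "response:", response,
          "accepted:", verify_response(DEMO_SHARED_KEY, challenge, response))
```

The server must also remember which time slots or challenges it has already accepted; otherwise a code replayed within the drift window would still pass. That bookkeeping is omitted here for brevity.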
Digital Signatures
-------BEGIN SIGNATURE-----
IQB1AwUBMVSiA5QYCuMfgNYjAQFAKgL/
ZkBfbeNEsbthba4BlrcnjaqbcKgNv+a5kr453
7y8RCd+RHm75yYh5xxA1ojELwNhhb7cltrp
2V7LlOnAelws4S87UX80cL BtBcN6AACf11
qymC2h+Rb2j5SSU+rmXWru+=QFMx
-------END SIGNATURE------

Cards – Something a Person Has
- Memory cards
  - Hold information only
  - Credit cards, ATM cards
- Smart cards
  - Process information and hold information
  - Information on the card is actively protected by authentication

Authorization Criteria
- Roles
  - Based on job function or assignment
- Groups
- Physical location
  - Interactive login, for example
- Logical location
  - IP address, for example
- Time of day
- Transaction type
  - Amount of money to be transferred, for example

Restrictions to Remember
- Default to NO ACCESS
  - Access Control Lists (ACLs) commonly default to deny
- Base granted access on need to know
  - Least-privilege principle
- Single sign-on whenever possible
  - Scripts
  - Kerberos is the recognized standard in heterogeneous environments
  - SESAME – Secure European System for Applications in a Multivendor Environment

Access Control Models
- Discretionary Access Control (DAC)
  - Owner (creator) can access the resource and dictate who else can access it
  - Does not lend itself to central management
- Mandatory Access Control (MAC)
  - Operating system controls access based on sensitivity levels (labels)
  - Commonly used in military systems
- Role Based Access Control (RBAC)
  - Subject's role determines access
  - Managed centrally
- Rule Based Access Control
  - Access matched against rules
  - Common in network devices
- Constrained interfaces
  - Limit data access and functionality
  - ATM machines, for example
- Content Dependent Access Control
  - Restrictions based on data content
  - Firewalls commonly use this to stop worms, viruses
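Added example (not from the slides) covering the Authorization Criteria slide and the MAC, RBAC and Rule Based models above in one place: a MAC read check over ordered sensitivity labels, an RBAC check where permissions hang off centrally assigned roles, and a rule-based decision that matches a request's role, IP address (logical location), time of day and transaction amount against rules, falling through to NO ACCESS. The role table, network range, business hours and transfer limit are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# --- Mandatory Access Control: labels are ordered; the system, not the owner, decides ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows_read(subject_clearance: str, object_label: str) -> bool:
    """A subject may read an object only if its clearance dominates the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- Role Based Access Control: permissions attach to roles, roles are managed centrally ---
ROLE_PERMISSIONS = {                                   # constructed sample roles
    "teller": {"account:read", "transfer:create"},
    "auditor": {"account:read", "audit_log:read"},
    "admin": {"account:read", "account:write", "role:assign"},
}


def rbac_allows(subject_roles, permission: str) -> bool:
    """Granted if any of the subject's roles carries the permission; unknown roles carry nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in subject_roles)


# --- Rule Based Access Control over the slide's authorization criteria ---
@dataclass
class Request:
    subject: str
    roles: set
    source_ip: str      # logical location
    at: time            # time of day
    transaction: str    # transaction type
    amount: float = 0.0


TRUSTED_NETWORK = ip_network("10.20.0.0/16")          # constructed corporate range
BUSINESS_HOURS = (time(8, 0), time(18, 0))
LARGE_TRANSFER = 10_000.0


def rule_based_allows(req: Request):
    """Evaluate rules in order and return (allowed, reason). Anything that matches no
    permitting rule falls through to the default: NO ACCESS."""
    if ip_address(req.source_ip) not in TRUSTED_NETWORK:
        return False, "source address outside trusted network"
    if not (BUSINESS_HOURS[0] <= req.at <= BUSINESS_HOURS[1]):
        return False, "outside business hours"
    if req.transaction == "transfer":
        if not rbac_allows(req.roles, "transfer:create"):
            return False, "role lacks transfer:create"
        if req.amount > LARGE_TRANSFER and "admin" not in req.roles:
            return False, "large transfer requires admin role"
        return True, "transfer permitted"
    if req.transaction == "view" and rbac_allows(req.roles, "account:read"):
        return True, "view permitted"
    return False, "no matching rule (default deny)"


def make_request(subject, roles, source_ip, hour, transaction, amount=0.0) -> Request:
    """Convenience constructor: `hour` is a whole hour on the 24h clock."""
    return Request(subject, set(roles), source_ip, time(hour, 0), transaction, amount)


if __name__ == "__main__":
    print(mac_allows_read("secret", "confidential"), mac_allows_read("confidential", "secret"))
    print(rule_based_allows(make_request("bob", ["teller"], "10.20.5.7", 10, "transfer", 500.0)))
    print(rule_based_allows(make_request("bob", ["teller"], "10.20.5.7", 23, "view")))
```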
Access Control Matrices
- Table of subjects and objects indicating the actions subjects can take upon objects
- Common in the DAC model
- Capability tables
  - Access rights a specific subject has for a specific object
- ACLs
  - Lists of subjects that have access to a specific object
  - Very common in networking devices, firewalls
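An access control matrix in code, added as an example rather than taken from the slides: cells hold the rights a subject has on an object, a capability table is the row view for one subject, an ACL is the column view for one object, and a missing cell evaluates to deny (the "default to NO ACCESS" rule). The DAC behaviour is modelled by recording the creator as owner and letting only the owner grant or revoke rights. Subjects, objects and rights are constructed sample values.

```python
from collections import defaultdict


class AccessMatrix:
    """Subjects are rows, objects are columns, each cell is the set of permitted rights.
    An absent cell means NO ACCESS."""

    def __init__(self):
        self._cells = defaultdict(set)   # (subject, object) -> set of rights
        self._owners = {}                # object -> owning subject (DAC)

    def create_object(self, owner: str, obj: str) -> None:
        """DAC: the creator becomes the owner and gets full rights on the new object."""
        self._owners[obj] = owner
        self._cells[(owner, obj)] |= {"read", "write", "own"}

    def grant(self, grantor: str, subject: str, obj: str, right: str) -> None:
        """DAC: only the owner may extend rights to other subjects."""
        if self._owners.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self._cells[(subject, obj)].add(right)

    def revoke(self, grantor: str, subject: str, obj: str, right: str) -> None:
        if self._owners.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self._cells[(subject, obj)].discard(right)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Authorization decision. .get() avoids creating an empty cell as a side effect."""
        return right in self._cells.get((subject, obj), set())

    def capability_table(self, subject: str) -> dict:
        """Row view: every object the subject holds rights on (what a capability list carries)."""
        return {obj: set(rights) for (subj, obj), rights in self._cells.items()
                if subj == subject and rights}

    def acl(self, obj: str) -> dict:
        """Column view: every subject with rights on the object (what an ACL on the object carries)."""
        return {subj: set(rights) for (subj, o), rights in self._cells.items()
                if o == obj and rights}


if __name__ == "__main__":
    m = AccessMatrix()
    m.create_object("alice", "payroll.xls")
    m.grant("alice", "bob", "payroll.xls", "read")
    print("bob's capability table:", m.capability_table("bob"))
    print("ACL on payroll.xls:", m.acl("payroll.xls"))
    print("carol read payroll.xls:", m.check("carol", "payroll.xls", "read"))   # no cell -> deny
```

The same matrix backs both views; a system stores either the rows (capabilities travel with the subject) or the columns (ACLs sit with the object), and the choice mostly affects how cheap it is to revoke access or to answer "who can reach this object".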
Centralized Access Control
- Remote Authentication Dial-in User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)

Decentralized Access Controls
- Security domains
  - Realm of distributed trust
  - Hierarchical or peer implementations
  - Microsoft domains are a specific version

Typical Scenario – Hybrid
- Most enterprises combine both centralized and decentralized control methods
  - May have a Kerberos centralized user database
  - Use TACACS+ tied to Kerberos to authenticate dial-up and router users
  - Use Windows 2000 file servers at each location to allow autonomous distributed security domains
  - Workgroup printers are shared via Windows desktop peering

Control Types
- Preventative
  - Avoid undesirable events
- Detective
  - Identify undesirable events
- Corrective
  - Fix undesirable events that have occurred
- Deterrent
  - Discourage undesirable events
- Recovery
  - Restore resources
- Compensation
  - Provide alternatives to other types of controls

Services Provided by Various Security Controls
- Fences, locks, lighting: Preventative, Corrective, Recovery
- Security guard: Preventative, Detective, Corrective, Deterrent, Recovery
- Separation of duties: Preventative, Deterrent
- Security awareness training: Preventative, Detective
- Personnel procedures: Preventative, Detective, Deterrent, Compensation
- ACLs: Preventative
- Encryption: Preventative, Deterrent
- Audit logs: Detective
- Smart cards: Preventative
- Intrusion Detection System: Preventative, Detective, Corrective, Deterrent
- Antivirus software: Preventative, Detective, Corrective, Recovery

Common Access Control Practices
- Deny access to systems by anonymous & guest accounts
- Limit and monitor use of admin accounts
- Remove obsolete user accounts when employees leave the company
- Suspend inactive accounts after 30-60 days
- Disable unneeded system features & services
- Use nondescriptive logon IDs
- Rename root and administrator logon IDs
- Remove redundant accounts, ACLs, roles, groups

Fun with Auditing
- Enforces accountability
- Must be reviewed
- Must be backed up and protected
  - Good hackers always go after the audit logs
- Guaranteed integrity is key to using logs as evidence
  - To be admissible in court, logs must be generated in the normal course of business

Common Audit Events
- System performance
- Logon attempts + date/time (successful & unsuccessful)
- Lockouts of users
- Alteration of config files
- Error messages
- Files opened and closed
- File modifications
- ACL violations

Unauthorized Disclosure
- Object reuse
  - Data left on floppies, backup tapes, or hard drives can be read
  - Sectors containing data can be marked bad, thus hiding data
  - Low-level format, degauss, or destroy the media
- Emanation security
  - Capturing electrical and electromagnetic radiation from devices
  - TEMPEST – US Government standard for emanation protection

Intrusion Detection Systems
- Sniff network traffic (network-based) or monitor individual computers (host-based)
- Signature-based detection
  - Must be loaded with "fingerprints" of known attacks
  - Not effective against new attacks
- Statistical intrusion detection
  - Looks for statistical anomalies in traffic
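Added example, serving both the Common Audit Events slide and the signature-based versus statistical detection distinction just above (it is not code from the slides or from any IDS product): a parser for a constructed, syslog-like audit log containing the slide's event types, a handful of explicit signatures a reviewer would want flagged (lockouts, config file changes, ACL violations), and a statistical check that flags a user whose failed-logon count sits far above the population mean without any signature naming that user. The log lines, field names and threshold are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed audit log (not captured from a real system). One user, bob, fails five logons
# and is locked out; the others log on normally; then a few file and ACL events follow.
SAMPLE_LOG = """\
2024-03-04T09:01:12 host=fs1 event=LOGON user=alice result=success src=10.20.5.7
2024-03-04T09:02:40 host=fs1 event=LOGON user=bob result=failure src=10.20.5.9
2024-03-04T09:02:41 host=fs1 event=LOGON user=bob result=failure src=10.20.5.9
2024-03-04T09:02:43 host=fs1 event=LOGON user=bob result=failure src=10.20.5.9
2024-03-04T09:02:44 host=fs1 event=LOGON user=bob result=failure src=10.20.5.9
2024-03-04T09:02:45 host=fs1 event=LOGON user=bob result=failure src=10.20.5.9
2024-03-04T09:02:46 host=fs1 event=LOCKOUT user=bob
2024-03-04T09:03:10 host=fs1 event=LOGON user=carol result=success src=10.20.5.11
2024-03-04T09:03:30 host=fs1 event=LOGON user=dave result=success src=10.20.5.12
2024-03-04T09:04:02 host=fs1 event=LOGON user=erin result=success src=10.20.5.13
2024-03-04T09:04:15 host=fs1 event=LOGON user=frank result=success src=10.20.5.14
2024-03-04T09:04:50 host=fs1 event=LOGON user=grace result=success src=10.20.5.15
2024-03-04T09:10:05 host=fs1 event=FILE_MODIFY user=alice path=/etc/passwd
2024-03-04T09:11:00 host=fs1 event=FILE_OPEN user=alice path=/home/alice/notes.txt
2024-03-04T09:12:30 host=fs1 event=ACL_VIOLATION user=carol path=/finance/payroll.xls
2024-03-04T09:13:00 host=fs1 event=ERROR msg="disk quota exceeded"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log_text: str) -> list:
    """Turn each line into a dict of fields. Lines that do not fit the format are kept as
    event=UNPARSED rather than dropped, so a reviewer still sees them."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            records.append({"event": "UNPARSED", "raw": line})
            continue
        rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
        rec.update({k: v.strip('"') for k, v in KV_RE.findall(m["rest"])})
        records.append(rec)
    return records


# Signature-based: explicit fingerprints of events that always merit review.
SIGNATURES = {
    "lockout": lambda r: r["event"] == "LOCKOUT",
    "config_file_changed": lambda r: r["event"] == "FILE_MODIFY" and r.get("path", "").startswith("/etc/"),
    "acl_violation": lambda r: r["event"] == "ACL_VIOLATION",
}


def signature_alerts(records: list) -> list:
    """(signature name, record) for every record matching a loaded fingerprint."""
    return [(name, r) for r in records for name, test in SIGNATURES.items() if test(r)]


def statistical_alerts(records: list, z_threshold: float = 2.0) -> list:
    """Flag users whose failed-logon count is more than z_threshold standard deviations above
    the mean over all users seen logging on. No fingerprint names the user or the attack."""
    failures = Counter(r["user"] for r in records
                       if r["event"] == "LOGON" and r.get("result") == "failure")
    users = {r["user"] for r in records if r["event"] == "LOGON"}
    counts = [failures.get(u, 0) for u in users]
    if len(counts) < 2:
        return []
    mean, stdev = statistics.mean(counts), statistics.pstdev(counts)
    if stdev == 0:
        return []
    return sorted((u, failures[u]) for u in users if (failures.get(u, 0) - mean) / stdev > z_threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for name, rec in signature_alerts(recs):
        print("signature:", name, rec)
    print("statistical:", statistical_alerts(recs))
```

The two detectors fail differently: the signature list misses anything it was never loaded with, while the statistical check needs enough normal users to establish a baseline and will flag a legitimately forgetful user just as readily as a guessing attempt, which is why both are usually run together and reviewed by a person.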
Sniffers
- Capture network traffic in real time
- Allow admins or hackers to eavesdrop on data
- Employees can use sniffers undetected in some networks

Honeypots
- Unprotected system set up to lure would-be attackers
- Attackers can then be tracked, attacks cataloged, other systems hardened appropriately
- Enticement
  - Legally admissible; target is simply not well protected
- Entrapment
  - Not legally admissible; target invites the hacker in

Threats to Access Control
- Dictionary attack
  - Lists or dictionaries are used as a source of passwords or plaintext
- Countermeasures
  - Do not allow single-word-based passwords – use dictionary attacks against your own users to find weak passwords
  - Rotate passwords often
  - Employ one-time password techniques
  - Protect password files and stores
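The password rules from the Making Passwords Stronger slide and the dictionary-attack countermeasures above, turned into one proactive check that runs when a user picks a new password. This is an added example, not the slides' code: it enforces a minimum length, character classes, no reuse against a history, and a 60-day lifetime, and it rejects any password that is a single dictionary word once digits, punctuation and common letter substitutions are stripped (the same words a dictionary attack would try first). The word list, minimum length and history depth are constructed sample values; a real deployment would load a full wordlist and keep the history as salted hashes rather than plaintext.

```python
import re
from datetime import date, timedelta

# Constructed mini word list standing in for a real dictionary file.
DEMO_DICTIONARY = {"password", "welcome", "dragon", "letmein", "summer", "monkey"}
MIN_LENGTH = 12
MAX_AGE_DAYS = 60          # the slide's "60 days is a good compromise"
HISTORY_DEPTH = 10         # "no reuse": how many previous passwords are remembered
LEET_MAP = str.maketrans("0134@$", "oleaas")   # common substitutions attackers also undo


def dictionary_variants(candidate: str) -> set:
    """Reduce a candidate to the word(s) a dictionary attack would recognise it as:
    letters only, the same after undoing substitutions, and the de-substituted core
    with leading/trailing digits and punctuation removed (Summer2024!! -> summer,
    P@ssw0rd123! -> password)."""
    lowered = candidate.lower()
    letters = lambda s: re.sub(r"[^a-z]", "", s)
    core = re.sub(r"^[^a-z@$]+|[^a-z]+$", "", lowered)
    return {letters(lowered), letters(lowered.translate(LEET_MAP)),
            letters(core.translate(LEET_MAP))} - {""}


def dictionary_word(candidate: str, dictionary=DEMO_DICTIONARY) -> bool:
    return any(v in dictionary for v in dictionary_variants(candidate))


def check_policy(candidate: str, history: list, dictionary=DEMO_DICTIONARY) -> list:
    """Return every policy violation; an empty list means the password is acceptable.
    `history` holds the user's previous passwords (plaintext here for brevity only)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs a special character")
    if dictionary_word(candidate, dictionary):
        problems.append("based on a single dictionary word")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"reused from the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed_iso: str, today_iso: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Forced lifetime: True once the password is older than max_age_days."""
    last_changed, today = date.fromisoformat(last_changed_iso), date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for pw in ("Summer2024!!", "P@ssw0rd123!", "Tr4in-Cactus-Lamp!9"):
        print(pw, "->", check_policy(pw, []) or "ok")
    print("expired after 61 days:", password_expired("2024-01-01", "2024-03-02"))
```

Running the same check over an existing password store is what the slide means by using a dictionary attack against your own users; doing it at password-set time is cheaper and catches the weak password before it is ever stored.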
Threats to Access Control
- Brute force attack
  - Attack attempts every possible combination of potential inputs
- Countermeasures
  - Employ stringent clipping levels and auditing of login attempts
  - Use brute force attacks against your own users to uncover weak passwords
  - Protect password files and stores
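A clipping level with lockout and an audit trail, as an added example of the countermeasure above and of the "lock out users at a low clipping level / for how long?" bullets earlier in the deck (this is not code from the slides). Failed attempts inside a sliding window count toward the clipping level; reaching it locks the account for a fixed period, during which even the correct password is refused, and every decision is written to an audit log so the lockouts can be reviewed. Passwords are stored as salted PBKDF2 hashes. The policy numbers and the test account are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    clipping_level: int = 5      # failed attempts tolerated before the account is locked
    window_seconds: int = 300    # failures older than this are forgotten (ordinary typos are not punished)
    lockout_seconds: int = 900   # one answer to "for how long?": 15 minutes, an assumed value


@dataclass
class AccountState:
    pw_hash: bytes
    salt: bytes
    failures: list = field(default_factory=list)   # timestamps of recent failed attempts
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, policy=None):
        self.policy = policy or LockoutPolicy()
        self.accounts = {}
        self.audit_log = []   # clipping levels are only useful if the attempts are audited

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = AccountState(pw_hash=_hash(password, salt), salt=salt)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.accounts[user].locked_until

    def attempt_login(self, user: str, password: str, now: float) -> bool:
        """Check the lock first, then the password, then update the failure count."""
        st = self.accounts.get(user)
        if st is None:
            self.audit_log.append(f"{now} FAIL user={user} reason=unknown-user")
            return False
        if self.is_locked(user, now):
            self.audit_log.append(f"{now} REJECT user={user} reason=locked-out")
            return False
        if hmac.compare_digest(_hash(password, st.salt), st.pw_hash):
            st.failures.clear()
            self.audit_log.append(f"{now} SUCCESS user={user}")
            return True
        st.failures = [t for t in st.failures if now - t <= self.policy.window_seconds]
        st.failures.append(now)
        self.audit_log.append(f"{now} FAIL user={user} count={len(st.failures)}")
        if len(st.failures) >= self.policy.clipping_level:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            self.audit_log.append(f"{now} LOCKOUT user={user} until={st.locked_until}")
        return False


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(clipping_level=3, window_seconds=60, lockout_seconds=120))
    guard.add_user("alice", "correct-horse-battery")
    for t in (1000, 1001, 1002):
        guard.attempt_login("alice", "wrong", t)
    print("locked:", guard.is_locked("alice", 1002))
    print("correct password while locked:", guard.attempt_login("alice", "correct-horse-battery", 1050))
    print("after lockout expires:", guard.attempt_login("alice", "correct-horse-battery", 1200))
    print("\n".join(guard.audit_log))
```

A low clipping level with a short lockout is usually enough: the point is to make guessing slow and visible, not to lock legitimate users out for a day. The audit entries are the detective half of the control; the lockout is the preventative half.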
Threats to Access Control
- Login spoofing
  - Hacker replaces legitimate login screens with fakes
- Countermeasures
  - Security awareness training
  - Display the number of failed login attempts

Homework Assignment
- Read Chapter 5, except:
  - State Machine Models & Modes of Operation (pgs 240-249)
- Paper
  - Write a 2-3 page technical brief on the "Slammer" worm
  - Include vulnerable software details, countermeasures, and information about testing systems for the vulnerability.
  - Discuss the impact and current investigation of the worm.
  - Summarize the events and alerts that occurred as the weekend unfolded.