Access Control Systems

A means of ensuring a system's confidentiality, integrity, and availability (C.I.A.) given the threats, vulnerabilities, and risks to its infrastructure.
Rationale
- Confidentiality
  - Information is not disclosed to unauthorized persons or processes
- Integrity
  - Internal consistency
  - External consistency
- Availability
  - Reliability
  - Utility
Systems
- Are complex
- Interact with other systems
- Have emergent properties that their designers did not intend
- Have bugs
Systems & Security
- The usual coping mechanism is to ignore the problem… WRONG
- Security is a system within a larger system
- Security theory vs. security practice
  - Real-world systems do not lend themselves to theoretical solutions
- Must look at the entire system and how security affects it
The Landscape
- Secure from whom?
- Secure against what?
- Never black and white
- Context matters more than technology
- "Secure" is meaningless out of context
Completely Secure Servers
- Disconnect from the network
- Power down
- Wipe and degauss memory and hard drive
- Pulverize it to dust
- Threat modeling
- Risk management

Concepts in planning
- Threat
  - Potential to cause harm
- Vulnerability
  - Weakness or lack of a safeguard that can be exploited by a threat
- Risk
  - Potential for loss or harm
  - Probability that a threat will materialize
Threats
- Attacks are exceptions
- Digital threats mirror physical ones
- Will become more common, more widespread, and harder to catch due to:
  - Automation
  - Action at a distance
  - Every two points are adjacent
  - Propagation of technique
Threats
- All types of attackers
- All present some type of threat
- Impossible to anticipate
  - all attacks, or
  - all types of attackers, or
  - all avenues of attack
- The point is not to prevent all of them but to "think about and analyze threats with greater depth and to take reasonable steps to prevent…"
Attacks
- Criminal
  - Fraud: prolific on the Internet
  - Destructive attacks, intellectual property theft
  - Identity theft, brand theft
- Privacy: less and less available
  - People do not own their own data
  - Surveillance, databases, traffic analysis
  - Echelon, Carnivore
- Publicity and denial of service
- Legal
Controls
- Implemented to mitigate risk and reduce loss
- Categories of controls
  - Preventative
  - Detective
  - Corrective
Control Implementation Types
- Administrative: policies, procedures, security awareness training, background checks, vacation history review
- Logical / Technical: encryption, smart cards, ACLs
- Physical: guards, locks, protection of transmission media, backups
Models for Controlling Access
- Control: limiting access by a subject to an object
- Categories of controls
  - Mandatory Access Control (MAC)
    - Based on clearance, sensitivity of the object, and need to know
    - Ex: rule-based
  - Discretionary Access Control (DAC)
    - The subject has a limited ability to allow others access
    - ACL, access control triple: user, program, object or file
  - Non-Discretionary Access Control
    - A central authority determines access
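The two models above side by side, as an added example that is not part of the original slides: a MAC check built from clearance, object sensitivity and need-to-know compartments, and a DAC ACL made of (user, program, object) triples. Every label, user and object name here is constructed for illustration, and the combination rule (a DAC grant never overrides MAC) is the usual way the two are stacked.

```python
"""Added example (not from the slides): mandatory access control from clearance,
object sensitivity and need-to-know, beside a discretionary ACL of
(user, program, object) triples. All labels, users and objects are constructed."""
from dataclasses import dataclass

# Ordered sensitivity levels, lowest to highest (constructed lattice).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments


def dominates(subject: Label, obj: Label) -> bool:
    """MAC rule (rule-based, cannot be waived by the object's owner): the subject's
    clearance must reach the object's level and cover every compartment on it."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)


class DacAcl:
    """DAC: the owner grants rights, stored as access-control triples."""

    def __init__(self):
        self.triples = set()  # {(user, program, object)}; program "*" = any program

    def grant(self, user, program, obj):
        self.triples.add((user, program, obj))

    def allowed(self, user, program, obj):
        return ((user, program, obj) in self.triples
                or (user, "*", obj) in self.triples)


def check_access(user, clearance, program, obj_name, obj_label, acl):
    """Both models must agree: a DAC grant never overrides the MAC rule."""
    if not dominates(clearance, obj_label):
        return "denied (MAC: clearance or need-to-know)"
    if not acl.allowed(user, program, obj_name):
        return "denied (DAC: no ACL entry)"
    return "allowed"


def demo():
    acl = DacAcl()
    acl.grant("alice", "*", "payroll.db")           # alice: any program
    acl.grant("bob", "reportgen", "payroll.db")     # bob: only via reportgen
    payroll = Label("confidential", frozenset({"HR"}))
    hr_secret = Label("secret", frozenset({"HR"}))
    return {
        "alice/editor": check_access("alice", hr_secret, "editor", "payroll.db", payroll, acl),
        "bob/editor": check_access("bob", hr_secret, "editor", "payroll.db", payroll, acl),
        "bob/reportgen": check_access("bob", hr_secret, "reportgen", "payroll.db", payroll, acl),
        # carol is cleared to secret but lacks the HR compartment, so MAC denies
        # her even if an owner added an ACL entry for her.
        "carol/editor": check_access("carol", Label("secret"), "editor", "payroll.db", payroll, acl),
    }


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who:14} {outcome}")
```

Note that the MAC decision is taken first and is not something an owner can change through the ACL; the DAC entry only narrows access further, which is the sense in which the slide calls the subject's discretion "limited".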
SELinux MAC
- Mandatory Access Control in the kernel
- Implemented via:
  - Type enforcement (domains)
  - Role-based access control
- No user-discretionary access control
- Each process, file, user, etc. has a domain, and operations are limited within it
- The root user can be divided into roles as well
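To make the type-enforcement idea concrete, here is an added example (not SELinux's own code and not a real distribution policy) that parses a handful of allow rules written in SELinux's `allow source target : class { perms };` syntax and answers access queries the way a TE engine does: anything not explicitly allowed is denied. The policy fragment, the role-to-domain map and the user names are all constructed for illustration.

```python
"""Added example (not SELinux code): a tiny type-enforcement checker over
SELinux-style allow rules, plus the RBAC layer that splits root across roles.
The policy, roles and users below are constructed, not a real distro policy."""
import re

POLICY = """
allow httpd_t httpd_content_t : file { read getattr open };
allow httpd_t httpd_log_t : file { append create };
allow sysadm_t shadow_t : file { read write };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")


def parse_policy(text):
    """Return {(source_domain, target_type, class): set(perms)}."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def te_allowed(rules, domain, obj_type, cls, perm):
    """Type enforcement is default-deny: only listed (domain, type, class) perms pass."""
    return perm in rules.get((domain, obj_type, cls), set())


# RBAC layer: which domains each role may run in, and which roles a user holds.
# Root's powers are split across roles instead of being one all-powerful identity.
ROLE_DOMAINS = {"sysadm_r": {"sysadm_t"}, "staff_r": {"staff_t", "httpd_t"}}
USER_ROLES = {"root": {"sysadm_r", "staff_r"}, "webadmin": {"staff_r"}}


def can_enter_domain(user, role, domain):
    return role in USER_ROLES.get(user, set()) and domain in ROLE_DOMAINS.get(role, set())


def demo():
    rules = parse_policy(POLICY)
    return {
        "httpd reads content": te_allowed(rules, "httpd_t", "httpd_content_t", "file", "read"),
        "httpd writes content": te_allowed(rules, "httpd_t", "httpd_content_t", "file", "write"),
        # Even a compromised web server domain cannot touch the shadow file:
        "httpd reads shadow": te_allowed(rules, "httpd_t", "shadow_t", "file", "read"),
        "webadmin as sysadm": can_enter_domain("webadmin", "sysadm_r", "sysadm_t"),
        "root as sysadm": can_enter_domain("root", "sysadm_r", "sysadm_t"),
    }


if __name__ == "__main__":
    for q, ans in demo().items():
        print(f"{q:22} {'allowed' if ans else 'denied'}")
```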
Control Combinations
- Preventative / Administrative
- Preventative / Technical
- Preventative / Physical
- Detective / Administrative
- Detective / Technical
- Detective / Physical
Access Control Attacks
- DoS, DDoS
  - Buffer overflow, SYN attack, Smurf
- Back door
- Spoofing
- Man-in-the-middle
- Replay
- TCP hijacking
- Software exploitation: out-of-date software
- Trojan horses
- Social engineering
  - Ex: emails or phone calls from "upper mgt or administrators" requesting passwords
- Dumpster diving
- Password guessing: L0phtCrack
  - Brute force
  - Dictionary attack
System Scanning
- Collection of information about a system
  - What ports are open, what services are running, what system software, what versions are in use
- Steps:
  1. Network reconnaissance
  2. Gaining system access
  3. Removing evidence of the attack
- Prevention
  - Watch for scans and/or access of common unused ports
Penetration Testing
- "Ethical hacking"
- Network-based IDS
- Host-based IDS
- Tests
  - Full knowledge, partial knowledge, zero knowledge
  - Open box / closed box
Penetration Testing Steps
1. GET APPROVAL from upper management
2. Discovery
3. Enumeration of tests
4. Vulnerability mapping
5. Exploitation
6. Reporting
Identification & Authentication
- Identification: the subject professes who they are
- Authentication: verification of that identity
- Three types of authentication
  - Something you know
  - Something you have
  - Something you are
- Two-factor is by far the best
Passwords
- Static
- Dynamic
- Passphrase
- Dictionary words
- Alphanumeric plus special characters
- Models for choosing
- Rotation schedules for passwords
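An added example (not from the slides) of a password-acceptance check that enforces the points listed above: it measures the character classes in use, estimates the brute-force keyspace at an assumed guess rate, and rejects passwords that are a dictionary word dressed up with digits, punctuation or common letter substitutions. The word list, the guess rate and the 12-character minimum are constructed assumptions; a real check would load a large dictionary.

```python
"""Added example (not from the slides): a password policy check covering
length, character classes, dictionary words and brute-force keyspace.
The dictionary, guess rate and length minimum are constructed assumptions."""
import math
import string

# Constructed mini dictionary; a real check loads a large word list.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "dragon"}
# Undo the substitutions guessers try first ("P@ssw0rd" is still "password").
LEET = str.maketrans("@$013!", "asolei")
TRIM = string.digits + string.punctuation


def char_classes(pw):
    """Character classes present, with the alphabet size each contributes."""
    classes = []
    if any(c.islower() for c in pw):
        classes.append(("lower", 26))
    if any(c.isupper() for c in pw):
        classes.append(("upper", 26))
    if any(c.isdigit() for c in pw):
        classes.append(("digit", 10))
    if any(c in string.punctuation for c in pw):
        classes.append(("special", len(string.punctuation)))
    return classes


def dictionary_base(pw):
    """Return the dictionary word the password is built on, or None."""
    core = pw.lower().strip(TRIM).translate(LEET).strip(TRIM)
    return core if core in DICTIONARY else None


def assess(pw, min_length=12, guesses_per_second=1e10):
    classes = char_classes(pw)
    alphabet = sum(size for _, size in classes)
    keyspace = alphabet ** len(pw) if alphabet else 0
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes) < 3:
        problems.append("uses fewer than three character classes")
    word = dictionary_base(pw)
    if word:
        problems.append(f"built on dictionary word '{word}'")
    return {
        "bits": round(math.log2(keyspace), 1) if keyspace else 0.0,
        # Worst case for the attacker: exhausting the whole keyspace.
        "brute_force_years": keyspace / guesses_per_second / 31_557_600,
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Summer2024!", "correct-Horse7!battery"]:
        print(candidate, assess(candidate))
```

The keyspace figure is the ceiling, not the real cost: a dictionary attack against "P@ssw0rd1" never searches the 94-character alphabet at all, which is exactly why the dictionary check runs in addition to the entropy estimate.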
Biometrics
- Fingerprint, palm, retina, iris, face, voice, handwriting, RFID, etc.
- Enrollment time (2 min)
- Throughput rate (10 subjects/min)
- Corpus: collection of biometric data

Biometrics
- False Rejection Rate (FRR)
- False Acceptance Rate (FAR)
- Crossover Error Rate (CER)

(Figure: FAR and FRR plotted against the matching threshold; CER is the point where the two curves cross.)
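The three rates above, worked through on constructed data as an added example that is not part of the slides: a list of matcher scores from genuine users and from impostors, the FAR and FRR at any threshold, and a sweep that locates the crossover error rate. The score values are made up for illustration; the relationship they show (tightening the threshold lowers FAR and raises FRR) holds for any matcher.

```python
"""Added example (not from the slides): FAR, FRR and CER computed from
constructed matcher scores. Higher score = stronger match to the enrolled user."""

# Constructed score samples on a 0..100 scale.
GENUINE = [88, 91, 79, 95, 84, 70, 90, 86, 93, 75, 82, 89]   # enrolled users
IMPOSTOR = [40, 55, 62, 48, 71, 35, 58, 66, 52, 44, 73, 60]  # other people


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every integer threshold; CER is where FAR and FRR are closest
    (equal on a continuous curve). Returns the first such threshold."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best["gap"]:
            best = {"threshold": t, "far": a, "frr": r, "gap": abs(a - r)}
    return best


def error_table(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR/FRR at several thresholds, to show the trade-off the curves express."""
    return {t: (far(t, impostor), frr(t, genuine)) for t in thresholds}


if __name__ == "__main__":
    for t, (a, r) in error_table([50, 60, 72, 85]).items():
        print(f"threshold {t:3}: FAR={a:.3f} FRR={r:.3f}")
    print("CER:", crossover())
```

Which side of the CER to operate on is a policy decision: a data-centre door is tuned for low FAR and accepts more rejections of legitimate staff, while a consumer phone unlock leans the other way.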
Single Sign-On (SSO)
- One ID / password per session regardless of the number of systems used
- Advantages
  - Ease of use, stronger passwords/biodata, easier administration, lower use of resources
- Disadvantages
  - If the access control is broken, it is a MUCH bigger problem
SSO Example: Kerberos
1. User enters ID/password
2. Client requests service
3. Ticket is encrypted with the server's public key and sent to the client
4. Client sends the ticket to the server and requests service
5. Server responds

Problems: replay, compromised tickets
Access Control
- Centralized
  - Remote Authentication Dial-In (Wireless) User Service (RADIUS)
  - Call back
- De-centralized
- Relational databases (can be both)
  - Relational concepts
  - Security issues
Intrusion Detection Systems
- Network based
  - Monitors packets and headers
  - Snort
  - Will not detect attacks that stay within a single host
- Host based
  - Monitors logs and system activity
- Types
  - Signature based (problem with slow attacks)
  - Statistical anomaly based
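An added example (not from the slides, and not Snort code) that runs both detection styles over constructed firewall log lines, and at the same time implements the scanning countermeasure from the System Scanning slide ("watch for scans and/or access of common unused ports"): a signature rule fires on any connection to a port this host is known not to serve, and an anomaly rule fires when one source touches an unusual number of distinct ports inside a sliding time window. The log lines, the address ranges, the port lists and the thresholds are all constructed.

```python
"""Added example (not from the slides): signature-based and anomaly-based
detection over constructed firewall log lines, including port-scan detection.
Log format, hosts, port lists and thresholds are constructed assumptions."""
from collections import defaultdict, deque

# Constructed log lines: "<unix_ts> <src> <dst> <dport> <action>"
LOG = """
1700000000 10.0.0.5 192.168.1.10 22 ACCEPT
1700000001 10.0.0.5 192.168.1.10 80 ACCEPT
1700000002 203.0.113.7 192.168.1.10 21 DROP
1700000002 203.0.113.7 192.168.1.10 22 ACCEPT
1700000003 203.0.113.7 192.168.1.10 23 DROP
1700000003 203.0.113.7 192.168.1.10 25 DROP
1700000004 203.0.113.7 192.168.1.10 80 ACCEPT
1700000004 203.0.113.7 192.168.1.10 110 DROP
1700000005 203.0.113.7 192.168.1.10 143 DROP
1700000006 203.0.113.7 192.168.1.10 443 ACCEPT
1700000007 203.0.113.7 192.168.1.10 445 DROP
1700000008 203.0.113.7 192.168.1.10 3389 DROP
1700000030 10.0.0.9 192.168.1.10 23 DROP
"""

# Ports this host is supposed to serve, and ports it never runs but that get
# probed often; touching one of the latter is a signature on its own.
EXPECTED_PORTS = {22, 80, 443}
SIGNATURE_PORTS = {23, 445, 3389}


def parse(line):
    ts, src, dst, dport, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "action": action}


def detect(log_text=LOG, window=60, scan_threshold=8):
    """Return alerts as (rule, source, detail) tuples in log order."""
    alerts = []
    recent = defaultdict(deque)  # src -> (ts, dport) events inside the window
    flagged = set()              # sources already reported as scanning
    for line in log_text.strip().splitlines():
        ev = parse(line)
        # Signature rule: a known pattern, here access to a port that is never served.
        if ev["dport"] in SIGNATURE_PORTS:
            alerts.append(("unused-port-access", ev["src"], ev["dport"]))
        # Anomaly rule: distinct destination ports per source within a sliding window.
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if ev["src"] not in flagged and distinct >= scan_threshold:
            alerts.append(("portscan", ev["src"], distinct))
            flagged.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect():
        print(f"{rule:20} {src:14} {detail}")
```

The window is where the slide's "slow attacks problem" bites: a source that probes one port an hour never reaches the threshold inside any 60-second window, so the signature rule on never-served ports is what still catches it. Widening the window catches slower scans at the cost of more memory per source and more false positives from busy legitimate clients.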
Other Issues
- Costs
- Privacy
- Accountability
- Compensation for violations
- Backups
- RAID (Redundant Array of Independent Disks)
- Fault tolerance
- Business continuity planning
- Insurance
References
- Building Secure Linux Servers (ISBN 0596002173)
- Secrets and Lies (ISBN 0471253111)