Information Systems Security Access Control Domain #2 Objectives Access control types Identification, authentication, authorization Control models and techniques Single sign-on technologies Centralized and decentralized administration Intrusion Detection Systems (IDS) Roles of Access Control Limit System Access Access based on identity, groups, clearance, need-to-know, location, etc. Protect against unauthorized disclosure, corruption, destruction, or modification – Physical – Technical – Administrative Access Control Examples Physical – Locks, guards Technical – Encryption, password, biometrics Administrative – Policies, procedures, security training Access Control Characteristics Preventative – Keeps undesirable events from happening Detective – Identify undesirable events that have happened Corrective – Correct undesirable events that have happened Deterrent – Discourage security violations from taking place Continued Recovery – Restore resources and capabilities after a violation or accident Compensation – Provides alternatives to other controls Who are You? Identification – username, ID account # Authentication – passphrase, PIN, bio Authorization – “What are you allowed to do” Separation of Duties Least Privilege Authentication Something you know Something you have Something you are 2-Factor Authentication – Use 2 out of the 3 types of characteristics Access Criteria Security Clearance – Mandatory control systems and labels Need-to-Know – Formal processes – Requirements of role within company for access Least Privilege – Lease amount of rights to carry out tasks – No authorization creep Default to “NO ACCESS” Example Controls Biometrics – Retina, finger, voice, iris Tokens – Synchronous and Asynchronous device Memory Cards – ATM card, proximity card Smart Cards – Credit card, ID card Biometric Controls Uses unique personal attributes Most expensive and accurate Society has low acceptance rate Experience growth after 9-11-2001 Error Types Type I error – Rejects authorized individuals (False Reject) – Too high a level of sensitivity Type II error – Accepts imposter (False Accept) – Too low a level of sensitivity Crossover Error Rate (CER) – JUST RIGHT!!!!! Biometric Example Fingerprint – Ridge endings and bifurcations Finger Scan – Uses less data than fingerprint (minutiae) Palm Scan – Creases, ridges, and grooves from palm Hand Geometry – Length and width of hand and fingers More Biometrics Retina Scan – Blood vessel pattern on back of eyeball Iris Scan – Colored portion of eye Signature Dynamics – Electrical signals of signature process Keyboard Dynamics – Electrical signals of typing process More Biometrics Voice Print – Differences in sound, frequency, and pattern Facial Scan – Bone structure, nose, forehead size, and eye width Hand Topology – Size and width of side of hand Passwords Least secure but cheap Should be at least 8 characters and complex Keep a password history Clipping levels used Audit logs Password Attacks Dictionary Attacks – Rainbow tables Brute Force Attack – Every possible combination Countermeasures Encrypt passwords Use password advisors Do not transmit in clear text GREATLY protect central store of passwords Use cognitive passwords – Based on life experience or opinions One-time Passwords Dynamic Generated for one time use Protects against replay attacks Token devices can generate – Synchronized to time or event – Based on challenge response mechanism Not as vulnerable as regular passwords Passphrase Longer than a password Provides more protection Harder to guess Converted to virtual password by software Memory Cards Magnetic stripe holds data but cannot process data No processor or circuits Proximity cards, credit cards, ATM cards Added costs compared to other technologies Smart Card Microprocessor and IC Tamperproof device (lockout) PIN used to unlock Could hold various data – Biometrics, challenge, private key, history Added costs – Reader purchase – Card generation and maintenance Single Sign-on (SSO) Scripting Authentication Characteristics – Carry out manual user authentication – As users are added or changed, more maintenance is required for each script – Usernames and passwords held in one central script Many times in clear text SSO Continued Used by directory services (x.500) Used by thin clients Used by Kerberos – If KDC is compromised, secret key of every system is also compromised – If KDC is offline, no authentication is possible Kerberos Authentication, confidentiality, integrity NO Non-availability and repudiation services Vulnerable to password guessing Keys stored on user machines in cache All principles must have Kerberos software Network traffic should be encrypted SESAME Secure European System for Application in a Multi-vendor Environment Based on asymmetric cryptography Uses digital signatures Uses certificates instead of tickets Not compatible with Kerberos Access Control Threats DOS Buffer Overflow Mobile Code Malicious Software Password Cracker Spoofing/Masquerading Sniffers More Access Control Threats Eavesdropping Emanations Shoulder Surfing Object Reuse Data Remanence Unauthorized Data Mining Dumpster Diving More Threats Theft Social Engineering Help Desk Fraud Access Control Models Once security policy is in place, a model must be chosen to fulfill the directives – Discretionary access control (DAC) – Mandatory access control (MAC) – Role-based access control (RBAS) Also called non-discretionary Discretionary Used by OS and applications Owner of the resource determines which subjects can access Subjects can pass permissions to others Owner is usually the creator and has full control Less secure than mandatory access Mandatory Access Access decisions based on security clearance of subject and object OS makes the decision, not the data owner Provides a higher level of protection – Used by military and government agencies Role Based Access Control Also called non-discretionary Allows for better enforcing most commercial security policies Access is based on user’s role in company Admins assign user to a role (implicit) and then assign rights to the role Best used in companies with a high rate of turnover Remote Authentication Dial-in User Services (RADIUS) AAA protocol De facto standard for authentication Open source Works on a client/server model Hold authentication information for access Terminal Access Controller Access Control System (TACACS) Cisco proprietary protocol Splits authentication, authorization, and auditing features Provides more protection for client-to-server communication than RADIUS TACACS+ adds two-factor authentication Not compatible with RADIUS Diameter New and improved RADIUS Users can move between service provider networks and change their point of attachment Includes better message transport, proxying, session control, and higher security for AAA Not compatible with RADIUS Decentralized Access Control Owner of asset controls access administration Leads to enterprise inconsistencies Conflicts of interest become apparent Terminated employees’ rights hard to manage Peer-to-peer environment Hybrid Access Control Combines centralized and decentralized administration methods One entity may control what users access Owners choose who can access their personal assets Ways of Controlling Access Physical location – MAC addresses Logical location – IP addresses Time of day – Only during work day Transaction type – Limit on transaction amounts Technical Controls System access – Individual computer controls – Operating system mechanisms Network access – Domain controller logins – Methods of access Network architecture – Controlling flow of information – Network devices implemented Auditing and encryption Physical Controls Network segregation – Wiring closets need physical entry protection Perimeter security – Restrict access to facility and assets Computer controls – Remove floppys and CDs – Lock computer cases Protect Audit Logs Hackers attempt to scrub the logs Organizations that are regulated MUST keep logs for a specific amount of time Integrity of logs can be protected with hashing algorithms Restrict network administrator access Intruder Detection Systems (IDS) Software employed to monitor a network segment or an individual computer Network-based – Monitors traffic on a network segment – Sensors communicate with central console Host-based – Small agent program that resides on individual computer – Detects suspicious activity on one system IDS Placement In front of firewall – Uncover attacks being launched Behind firewall – Root out intruders who have gotten through Within intranet – Detect internal attacks Type of IDS Signature-based – Knowledge based – Database of signatures – Cannot identify new attacks – Need continual updating Behavior-based – Statistical or anomaly based – Creates many false positives – Compares activity to ‘what is normal’ IDS Issues May not process all packets on large network Cannot analyze encrypted data Lots of false alarms Not an answers to all problems Switched networks make it hard to examine all packets Traps for Intruders Padded Cell – Codes within a product to detect if malicious activity is taking place – Virtual machine provides a ‘safe’ environment – Intruder is moved to this environment – Intruder does not realize that he is not is the original environment – Protects production system from hacking – Similar to honeypots