Access Control Systems

A means of ensuring a system's C.I.A. (confidentiality, integrity, availability) given the threats, vulnerabilities, and risks to its infrastructure.

Rationale
- Confidentiality: information not disclosed to unauthorized persons or processes
- Integrity: internal consistency, external consistency
- Availability: reliability, utility

Systems
- Complex
- Interact with other systems
- Have emergent properties that their designers did not intend
- Have bugs

Systems & Security
- The usual coping mechanism is to ignore the problem... WRONG
- Security is a system within a larger system
- Security theory vs. security practice
  - Real-world systems do not lend themselves to theoretical solutions
  - Must look at the entire system and how security affects it

The Landscape
- Secure from whom? Secure against what?
- Never black & white
- Context matters more than technology
- "Secure" is meaningless out of context

Completely Secure Servers
- Disconnect from the network
- Power down
- Wipe & degauss memory & hard drive
- Pulverize it to dust

Threat Modeling
- Risk management
- Concepts in planning:
  - Threat: potential to cause harm
  - Vulnerability: weakness or lack of safeguard that can be exploited by a threat
  - Risk: potential for loss or harm; probability that a threat will materialize

Threats
- Attacks are exceptions
- Digital threats mirror physical ones
- Will become more common, more widespread, and harder to catch due to:
  - Automation
  - Action at a distance: every two points are adjacent
  - Technical propagation

Threats
- All types of attackers; all present some type of threat
- Impossible to anticipate all attacks, all types of attackers, or all avenues of attack
- The point is not to prevent all but to "think about and analyze threats with greater depth and to take reasonable steps to prevent..."

Attacks
- Criminal
  - Fraud: prolific on the Internet
  - Destructive; intellectual property
  - Identity theft, brand theft
- Privacy: less and less available
  - People do not own their own data
  - Surveillance, databases, traffic analysis
  - Echelon, Carnivore
- Publicity & denial of service
- Legal

Controls
- Implemented to mitigate risk & reduce loss
- Categories of controls: preventative, detective, corrective
- Control implementation types:
  - Administrative: policies, procedures, security awareness training, background checks, vacation history review
  - Logical / Technical: encryption, smart cards, ACLs
  - Physical: guards, locks, protection of transmission media, backups

Models for Controlling Access
- Control: limiting access by a subject to an object
- Categories of controls:
  - Mandatory Access Control (MAC): clearance, sensitivity of the object, need to know. Ex: rule-based
  - Discretionary Access Control (DAC): limited ability for the subject to allow access. ACL; access control triple: user, program, object or file
  - Non-Discretionary Access Control: a central authority determines access

SELinux MAC
- Mandatory Access Control in the kernel
- Implemented via:
  - Type enforcement (domains)
  - Role-based access control
  - No user discretionary access control
- Each process, file, user, etc. has a domain, and operations are limited within it
- The root user can be divided into roles also

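The two slides above (access-control models and SELinux type enforcement) are easier to compare when the three decision styles are run side by side on one request. The following is an added example written for these notes; it is not code from the slides or from SELinux. It models MAC as clearance-dominates-sensitivity plus need-to-know compartments, DAC as an owner-kept ACL keyed by the (user, program) access-control triple, and non-discretionary type enforcement as a central allow-list of (program domain, object type, operation). The subjects, objects, domain names and policy tuples are all constructed for the illustration.

```python
"""Toy model of MAC, DAC and type enforcement on a single request.

Constructed example; not code from the slides or from SELinux.
A request is (subject, program, object, operation). It must pass:
  1. MAC: subject clearance dominates object sensitivity (read-down),
     and the subject holds every need-to-know compartment on the object.
     (Write-up restrictions are deliberately not modelled here.)
  2. DAC: the object's owner-managed ACL lists the (user, program)
     triple for this operation.
  3. Type enforcement (non-discretionary): the central policy allows
     (program domain, object type, operation); the owner cannot override it.
"""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    compartments: frozenset = frozenset()


@dataclass
class Object:
    name: str
    sensitivity: str
    type_: str                      # type-enforcement label, e.g. payroll_data_t
    compartments: frozenset = frozenset()
    # DAC: (user, program) -> set of allowed operations, maintained by the owner
    acl: dict = field(default_factory=dict)


# Hypothetical type-enforcement policy: (domain, type, op) tuples the central authority allows.
TE_POLICY = {
    ("payroll_app_t", "payroll_data_t", "read"),
    ("payroll_app_t", "payroll_data_t", "write"),
    ("web_t", "web_content_t", "read"),
}
# Hypothetical mapping from program to the domain it runs in.
PROGRAM_DOMAIN = {"payroll": "payroll_app_t", "httpd": "web_t", "shell": "user_t"}


def mac_allows(subj, obj):
    """Clearance must dominate sensitivity and cover all need-to-know compartments."""
    return (LEVELS[subj.clearance] >= LEVELS[obj.sensitivity]
            and obj.compartments <= subj.compartments)


def dac_allows(subj, program, obj, op):
    """Owner's ACL, keyed by the access-control triple (user, program, object)."""
    return op in obj.acl.get((subj.name, program), set())


def te_allows(program, obj, op):
    """Central policy: domain of the program vs. type of the object."""
    return (PROGRAM_DOMAIN.get(program), obj.type_, op) in TE_POLICY


def authorize(subj, program, obj, op):
    """Return (decision, reason); the first layer that denies names itself."""
    if not mac_allows(subj, obj):
        return False, "mac"
    if not dac_allows(subj, program, obj, op):
        return False, "dac"
    if not te_allows(program, obj, op):
        return False, "type_enforcement"
    return True, "allowed"


# Constructed sample subjects and object
ALICE = Subject("alice", "secret", frozenset({"payroll"}))
BOB = Subject("bob", "secret", frozenset())      # cleared, but no need-to-know
CAROL = Subject("carol", "public", frozenset({"payroll"}))  # need-to-know, no clearance
PAYROLL = Object("payroll.db", "confidential", "payroll_data_t",
                 frozenset({"payroll"}),
                 acl={("alice", "payroll"): {"read", "write"},
                      ("alice", "shell"): {"read"},      # owner allowed it, TE will not
                      ("bob", "payroll"): {"read"}})

if __name__ == "__main__":
    for subj, prog, op in [(ALICE, "payroll", "write"), (ALICE, "shell", "read"),
                           (BOB, "payroll", "read"), (CAROL, "payroll", "read")]:
        print(subj.name, prog, op, authorize(subj, prog, PAYROLL, op))
```

The `alice`/`shell` case is the one worth noticing: the owner granted it in the ACL (DAC says yes), but type enforcement has no rule letting the `user_t` domain touch `payroll_data_t`, so the request is refused. That is the "no user discretionary access control" point on the SELinux slide.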
Control Combinations
- Preventative / Administrative
- Preventative / Technical
- Preventative / Physical
- Detective / Administrative
- Detective / Technical
- Detective / Physical

Access Control Attacks
- DoS, DDoS: buffer overflow, SYN attack, Smurf
- Back door
- Spoofing
- Man-in-the-middle
- Replay
- TCP hijacking
- Software exploitation: out-of-date software
- Trojan horses

Social Engineering
- Ex: emails or phone calls from "upper mgt or administrators" requesting passwords
- Dumpster diving
- Password guessing: L0phtCrack
- Brute force
- Dictionary attack

Spear Phishing
- Phishing: broad-based email scam
- Spear phishing: very targeted attack, knowledgeable, much harder to spot
- Credit union attacks

System Scanning
- Collection of info about a system: what ports, what services are running, what system software, what versions are being used
- Steps:
  1. Network reconnaissance
  2. Gaining system access
  3. Removing evidence of the attack
- Prevention: watch for scans and/or access of common unused ports

Penetration Testing
- "Ethical hacking"
- Network-based IDS
- Host-based IDS
- Tests: full knowledge, partial knowledge, zero knowledge; open box vs. closed box

Penetration Testing Steps
1. GET APPROVAL from upper mgt
2. Discovery
3. Enumeration of tests
4. Vulnerability mapping
5. Exploitation
6. Reporting

Identification & Authentication
- ID: subject professing who they are
- Auth: verification of the ID
- Three types of authentication:
  - Something you know
  - Something you have
  - Something you are, something you do
- Two-factor is by far the best

Passwords
- Static
- Dynamic
- Passphrase
- Dictionary words
- Alphanumeric + special characters
- Models for choosing
- Rotation schedules for passwords
- Always change default passwords

Password Security Principles - 1
- One of the weakest links
- Do not write on paper
- Do not share passwords or login information
- Be careful of shoulder surfing: someone looking over your shoulder for your password
- Never give your password to anyone, including IT staff

Password Security Principles - 2
- Never re-use the same password on multiple systems/equipment
- Use password managers, such as PasswordSafe & KeePass, responsibly
- Limit physical access to privileged equipment

Password Security Principles - 3
- Users generally will pick easy-to-remember, convenient passwords such as their birthday, their username, or the word "password"
- Password security and user convenience are inversely proportional: as password security goes up, user convenience goes down, and vice versa
- Password creation policy should be set based on the risk to the organization resulting from unauthorized access to the system

Cracking Passwords
- Dictionary
- Brute force
- Rainbow table: Dr. Philippe Oechslin

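The password slides make two points that a practitioner actually has to implement: a creation policy that rejects the convenient choices (birthday, username, dictionary word), and storage that does not fall to dictionary or precomputed (rainbow-table) lookups. The block below is an added example for these notes, not code from the slides; the mini dictionary, the `ITERATIONS` work factor and the sample users are constructed. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the salted, iterated hash and shows why a table precomputed over unsalted SHA-256 matches an unsalted record but not a salted one.

```python
"""Password policy check and salted password storage.

Constructed example, not code from the slides. Two parts:
  (a) check_policy(): reject short, dictionary, username- or birthday-based
      passwords, and require 3 of 4 character classes;
  (b) hash_password()/verify_password(): per-user random salt + PBKDF2, so a
      precomputed table of H(password) (dictionary or rainbow table) cannot
      be matched against the stored values.
"""
import hashlib
import hmac
import os
import re

# Constructed mini dictionary; a real check uses a large wordlist.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "monkey", "summer"}
ITERATIONS = 210_000      # PBKDF2 work factor (assumed value); raise over time
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")


def check_policy(password, username, birthday=None):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    if birthday:
        bday_digits = re.sub(r"\D", "", birthday)
        if bday_digits and bday_digits in re.sub(r"\D", "", password):
            problems.append("contains birthday")
    if sum(bool(re.search(p, password)) for p in CLASSES) < 3:
        problems.append("needs 3 of: lower, upper, digit, special")
    return problems


def hash_password(password, salt=None):
    """Return 'salt_hex$pbkdf2_hex' with a fresh 16-byte random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def precomputed_table():
    """What an attacker with a stolen hash file precomputes: H(word) -> word."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in DICTIONARY}


def unsalted_lookup(password):
    """Unsalted SHA-256 storage: one table lookup recovers a dictionary password."""
    return precomputed_table().get(hashlib.sha256(password.encode()).hexdigest())


def salted_lookup(stored):
    """The same table finds nothing in a salted, iterated record."""
    return precomputed_table().get(stored.split("$")[1])


if __name__ == "__main__":
    print(check_policy("password", "bob"))
    rec = hash_password("Correct-Horse-7Battery")
    print(verify_password("Correct-Horse-7Battery", rec), verify_password("wrong", rec))
    print(unsalted_lookup("qwerty"), salted_lookup(hash_password("qwerty")))
```

Two different users who both choose `qwerty` get two different stored values because each record carries its own salt, so the table an attacker builds once cannot be reused across records; the iteration count then makes each individual guess expensive.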
Biometrics
- Fingerprint, palm, retina, iris, face, voice, handwriting, RFID, etc.
- Enrollment time (2 min)
- Throughput rate (10 subjects/min)
- Corpus: collection of biometric data

Biometrics
- False Rejection Rate (FRR)
- False Acceptance Rate (FAR)
- Crossover Error Rate (CER)
[Chart: FAR and FRR plotted against the acceptance threshold; CER is the point where the two curves cross]

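FAR, FRR and CER are defined by sweeping the matcher's acceptance threshold over two score populations, which is clearer as a computation than as a chart. The block below is an added example for these notes, not from the slides or any biometric product; the genuine and impostor score samples are constructed and far too small for a real evaluation, but they show the tradeoff: raising the threshold lowers FAR and raises FRR, and the CER is the threshold where the two meet.

```python
"""FAR, FRR and CER from biometric matcher scores.

Constructed example, not from the slides. A matcher returns a similarity
score (0-100); the system accepts when score >= threshold.
  FRR(t) = fraction of genuine-user attempts with score <  t (wrongly rejected)
  FAR(t) = fraction of impostor attempts with score     >= t (wrongly accepted)
The CER is the threshold at which FAR and FRR are equal (or closest).
"""

# Constructed score samples; real systems use thousands of trials per class.
GENUINE = [88, 91, 76, 95, 83, 69, 90, 87, 72, 94, 81, 79]
IMPOSTOR = [22, 41, 35, 58, 17, 63, 30, 47, 26, 71, 39, 52]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(lo=0, hi=100):
    """(threshold, FAR, FRR) for every integer threshold in [lo, hi]."""
    return [(t, far(t), frr(t)) for t in range(lo, hi + 1)]


def crossover(curve=None):
    """Threshold with the smallest |FAR - FRR| and the error rate there (the CER)."""
    curve = curve or error_curve()
    t, a, r = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def tune_for(max_far, curve=None):
    """Operating point for a high-security site: lowest threshold with FAR <= max_far.

    Returns (threshold, FAR, FRR); the FRR shows the convenience cost paid.
    """
    curve = curve or error_curve()
    return next(row for row in curve if row[1] <= max_far)


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.3f} at threshold {t}")
    print("FAR<=0 operating point:", tune_for(0.0))
```

With these samples the curves cross at a threshold of 70, where one impostor (score 71) is accepted and one genuine user (score 69) is rejected, so the CER is 1/12. Pushing the threshold up until FAR reaches zero (72) keeps that one false rejection: the usual high-security choice of accepting more FRR to buy lower FAR.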
Two-Factor Authentication
- Problems:
  - Easily damaged
  - Easily lost
  - Cost prohibitive
  - Do not exist on "home" computers
- Solutions:
  - Soft two-factor alternatives
  - Adaptive authentication or risk-based authentication

Risk-Based Authentication
- Authentication based on context:
  - Who are you
  - Where are you in the session
  - What is your typical account behavior: time of day, IP address, geographic location, kind of computer / browser used
- Examples:
  - Alice typically banks from home on Saturday
  - Bob travels LOTS but takes his laptop

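The Alice and Bob examples above can be made concrete with a small scoring engine. The following is an added example for these notes, not code from the slides or from any adaptive-authentication product; the profiles, the weights, the decision thresholds and the IP addresses (documentation ranges) are all constructed. Each context signal the slide names (time of day, IP address, geographic location, kind of computer/browser) is compared with the account's typical behaviour, and "where you are in the session" is modelled as a higher weight for a high-value action.

```python
"""Risk-based (adaptive) authentication scoring.

Constructed example; not code from the slides or any product. A login
attempt is compared with the account's typical behaviour; each mismatch
adds a weighted amount to a risk score. Low risk proceeds on the password
alone, medium risk steps up to a second factor, high risk is refused.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    usual_hours: range           # hours of day the user normally logs in
    usual_days: frozenset        # 0 = Monday ... 6 = Sunday
    usual_countries: frozenset
    usual_networks: frozenset    # /24 prefixes seen before, e.g. "203.0.113"
    usual_devices: frozenset     # browser/OS fingerprints seen before


@dataclass(frozen=True)
class Attempt:
    hour: int
    weekday: int
    country: str
    ip: str
    device: str
    action: str = "login"        # "login" or "wire_transfer" (where in the session)


# Assumed weights: geography and device changes count more than the clock.
WEIGHTS = {"hour": 1, "weekday": 1, "country": 3, "network": 2, "device": 2,
           "high_value_action": 2}
STEP_UP_AT, DENY_AT = 3, 6       # assumed decision thresholds


def network_of(ip):
    """/24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])


def risk_score(profile, attempt):
    """Return (score, reasons) for an attempt against the account's profile."""
    checks = [
        ("hour", attempt.hour in profile.usual_hours),
        ("weekday", attempt.weekday in profile.usual_days),
        ("country", attempt.country in profile.usual_countries),
        ("network", network_of(attempt.ip) in profile.usual_networks),
        ("device", attempt.device in profile.usual_devices),
        ("high_value_action", attempt.action != "wire_transfer"),
    ]
    reasons = [name for name, ok in checks if not ok]
    return sum(WEIGHTS[name] for name in reasons), reasons


def decide(profile, attempt):
    """Map the score to allow / step_up (ask for a second factor) / deny."""
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed profiles matching the slide's two examples.
ALICE = Profile(range(8, 22), frozenset({5}), frozenset({"US"}),
                frozenset({"203.0.113"}), frozenset({"firefox-win"}))
BOB = Profile(range(6, 23), frozenset(range(7)), frozenset({"US", "DE", "GB"}),
              frozenset({"198.51.100"}), frozenset({"chrome-mac-bob"}))

ALICE_HOME = Attempt(10, 5, "US", "203.0.113.7", "firefox-win")
ALICE_ODD = Attempt(3, 1, "RU", "192.0.2.200", "curl", "wire_transfer")
BOB_TRIP = Attempt(14, 2, "JP", "192.0.2.10", "chrome-mac-bob")

if __name__ == "__main__":
    for who, prof, att in [("alice", ALICE, ALICE_HOME), ("alice", ALICE, ALICE_ODD),
                           ("bob", BOB, BOB_TRIP)]:
        print(who, decide(prof, att))
```

Bob's trip is the case the slide is getting at: a new country and a new network on their own would look alarming, but the known laptop fingerprint keeps the score at the step-up level rather than a refusal, so he is asked for a second factor instead of being locked out.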
Single Sign On (SSO)
- One id / password per session regardless of the number of systems used
- Advantages: ease of use, stronger passwords/biodata, easier administration, lower use of resources
- Disadvantages: if access control is broken it is a MUCH bigger problem

SSO Example: Kerberos
1. User enters id/pass
2. Client requests service
3. Ticket is encrypted with the server's public key and sent to the client
4. Client sends the ticket to the server & requests service
5. Server responds
- Problems: replay, compromised tickets

Access Control
- Centralized:
  - Remote Authentication Dial-In (Wireless) User Service (RADIUS)
  - Call back
- De-centralized
- Relational databases (can be both):
  - Relational concepts
  - Security issues

Intrusion Detection Systems
- Network based: monitors packets & headers; SNORT; will not detect same-host attacks
- Host based: monitors logs and system activity
- Types:
  - Signature based (slow attacks problem)
  - Statistical anomaly based

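The "slow attacks problem" on this slide, and the earlier System Scanning slide's advice to watch for scans and access to unused ports, come together in one detection exercise. The block below is an added example for these notes; it is not from the slides and is not Snort rule syntax. The connection log, the served-port list, the signature window and the anomaly baseline are all constructed. A fast port scan trips the windowed signature rule; a scan of the same ports spread over hours stays under the window and is missed, while a statistical rule on per-source distinct-port counts still catches it; the simplest rule of all, any contact with a port the host does not serve, flags both.

```python
"""Signature vs. statistical-anomaly detection over constructed connection logs.

Added example; not from the slides and not Snort rules.
  signature_alerts():  >= SIG_PORTS distinct destination ports from one
                       source within SIG_WINDOW seconds (a fast port scan)
  anomaly_alerts():    a source whose distinct-port count sits more than
                       z_limit standard deviations above the site baseline
  unused_port_alerts(): any source touching a port the host does not serve
"""
from collections import defaultdict

# Constructed log lines: "<epoch seconds> <source ip> <destination port>"
LOG = """\
0 198.51.100.5 22
1 198.51.100.5 23
2 198.51.100.5 25
3 198.51.100.5 80
4 198.51.100.5 110
5 198.51.100.5 143
100 203.0.113.9 80
3600 203.0.113.9 443
7200 203.0.113.9 8080
10800 203.0.113.9 3306
14400 203.0.113.9 21
18000 203.0.113.9 5900
21600 203.0.113.9 6667
500 192.0.2.44 80
900 192.0.2.44 443
"""

SERVED_PORTS = {80, 443}                  # ports this host legitimately exposes
SIG_WINDOW, SIG_PORTS = 60, 5             # signature: 5 distinct ports within 60 s
BASELINE_MEAN, BASELINE_SD = 1.5, 0.6     # constructed: distinct ports per source per day


def parse(log):
    """Return (timestamp, src, port) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return sorted(events)


def signature_alerts(events):
    """Sliding window per source; alert when SIG_PORTS distinct ports fall in SIG_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    alerts = set()
    for src, seq in by_src.items():
        for i, (t0, _) in enumerate(seq):
            ports = {p for t, p in seq[i:] if t - t0 <= SIG_WINDOW}
            if len(ports) >= SIG_PORTS:
                alerts.add(src)
                break
    return alerts


def anomaly_alerts(events, z_limit=3.0):
    """Flag a source whose distinct-port count is > z_limit SDs above the baseline."""
    ports = defaultdict(set)
    for _, src, port in events:
        ports[src].add(port)
    return {src for src, ps in ports.items()
            if (len(ps) - BASELINE_MEAN) / BASELINE_SD > z_limit}


def unused_port_alerts(events):
    """The slides' simplest rule: anyone touching a port the host does not serve."""
    return {src for _, src, port in events if port not in SERVED_PORTS}


if __name__ == "__main__":
    ev = parse(LOG)
    print("signature:", signature_alerts(ev))
    print("anomaly:  ", anomaly_alerts(ev))
    print("unused:   ", unused_port_alerts(ev))
```

The anomaly rule's weakness is the mirror image: its baseline has to be learned from the site's own traffic, and a web crawler that legitimately touches many hosts, or a scanner that stays just under the z-score, is mis-classified. Running both rule types, as the slide's two IDS types do, covers more than either alone.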
Other issues
- Costs
- Privacy
- Accountability
- Compensation for violations:
  - Backups
  - RAID (Redundant Array of Independent Disks)
  - Fault tolerance
  - Business continuity planning
  - Insurance

References
- Building Secure Linux Servers (ISBN 0596002173)
- Secrets and Lies (ISBN 0471253111)
- Cody Brunson, Smarter Authentication article, InfoWorld (7/24/06)