Access Control: Part II
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
IST 515

Access Control Process
• Identification: the method of establishing the subject's (user, program, process) claimed identity.
  – Use of a user name or other public information.
  – Know the requirements of the identification component.
• Authentication: the method of proving the claimed identity.
  – Something a person knows, has, is, or does.
  – Use of passwords, passphrases, tokens, biometrics, or other private information.
• Authorization: determines what the authenticated subject is permitted to do and grants it the proper rights to access the requested resources.

Step 1: Identification
• Identification is the assurance that the entity (e.g., a user) requesting access is accurately associated with the role or subject defined within the system.
• Identification is a critical first step in applying access controls. The user must be identified before any downstream activity or control can work:
  – Accountability
  – Audit trail
  – Tracing of individual activities

Types of Identification
• The most common form of identification is a username, user ID, account number, or personal identification number (PIN).
• To ensure that it is the authorized application, and not an impostor, making requests to potentially sensitive resources, applications can use digital identification such as a certificate or a one-time session identifier.
• Other types of identification include tokens, smart cards or smart devices, biometric devices, and badges for visual and physical access.

Essential Identification Practices
• Uniqueness: user identification must be unique so that each person can be positively identified.
• Nondescriptive: user identification should not expose the associated role or job function of the user (e.g., root, admin, webmaster, cfo).
• Issuance: the process of issuing identifiers must be secure and documented. If an identity can be inappropriately issued, the entire system begins to break down. The entire process must be logged and documented so that it can be verified and audited.

Step 2: Authentication
Three types of factors (information) can be used for authentication:
• Authentication by knowledge – what a person knows. Something you know (e.g., a password).
• Authentication by ownership – what a person has. Something you have (e.g., a token or smart card).
• Authentication by characteristic – what a person is or does. Something you are or do (e.g., biometrics).

Types of Authentication
• Single-factor authentication employs one of the three factors, usually a username and password combination.
• Two-factor authentication uses two of the three factors. It usually introduces an additional technical control in the form of a physical or biometric device, and it can include one-time passwords.
• Three-factor authentication uses all three factors and therefore includes something about the user, such as a biometric feature.

What a Person Knows
What a person knows is associated with the user ID or other unique identifier:
• Password: typically a short (5 to 15 characters) string of characters that the user must remember in order to authenticate against their unique identifier.
• Passphrase: allows the user to use an easier-to-remember phrase (sentence) as a password without sacrificing strength. It supports all types of characters and spaces; it takes longer to enter but is typically harder to attack.

Techniques to Attack Passwords
• Electronic monitoring
• Access to the password file
• Brute-force attacks
• Dictionary attacks
• Social engineering
Discussion:
• What are the differences between a password checker and a password cracker?
• What are the potential legal issues?

The Protection of Passwords
• The more diverse (or complicated) the password is, the more difficult it will be to guess or crack.
• Passwords must never be sent over a network or stored in cleartext, and the password store itself must be protected.
• To protect passwords from exposure, they are typically hashed. A hash function is one-way: the hash value cannot be reversed to recover the original password. Each password should also be hashed with its own random salt, so that identical passwords do not produce identical hashes and precomputed tables are useless.
• However, the time a password cracker needs to discover a password is directly related to the complexity of the password and to the hashing algorithm employed. Fast, unsalted hashes (MD5, SHA-1) can be tested at billions of guesses per second; deliberately slow, salted constructions (PBKDF2, bcrypt, scrypt, Argon2) cut the attacker's guess rate by orders of magnitude.

What a Person Has
• Typically a physical device (such as a token, a memory card, or a smart card) that can be used in lieu of a password or in addition to one. The objective is to add another layer of confidence that the user is who he or she claims to be, based on the assurance that possession of a physical device offers.
• Asynchronous: an asynchronous token device is essentially a challenge-response technology. A dialogue is required between the authentication service and the remote entity.
• Synchronous: synchronous token authentication is based on an event, location, or time-based synchronization between the requestor and the authenticator.

Authentication Devices
• Memory cards hold user authentication information but do not process it. The user types in a user ID or PIN and presents the memory card for approval (e.g., a swipe card or an ATM card). The data stored on the card is not protected.
• A smart card has an embedded semiconductor chip that accepts, stores, processes, and sends information. It can hold more data than a magnetic-stripe card, and small applications can be loaded into its memory to provide various functions. Smart cards can be contact or contactless.

Authentication - Biometrics
Uses a unique personal attribute or behavior (what a person "is" or "does") to verify his or her identity.
Biometric considerations:
• Resistance to counterfeiting
• Data storage requirements
• User acceptance (privacy concerns)
• Reliability and accuracy
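The "Protection of Passwords" slide above says cracking time depends on the hashing algorithm. The following added example (not part of the lecture; the user table, passwords, wordlist and PBKDF2 work factor are all constructed for the demo) makes that concrete: the same dictionary attack is run against bare MD5, salted SHA-256, and salted PBKDF2, counting hash computations and measuring how much more each guess costs.

```python
"""Password storage and cracking cost, as an added example for the
'Protection of Passwords' slide. All user names, passwords and the
attacker wordlist are constructed for the demo."""
import hashlib
import os
import time

# Constructed "leaked" user table; alice and bob share a password.
USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",
    "dave": "correct horse battery staple",
}

# Constructed attacker wordlist (real ones hold millions of entries).
WORDLIST = ["password", "123456", "letmein", "qwerty", "Tr0ub4dor&3", "welcome1"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo


def md5_unsalted(password: str) -> str:
    """Weak: fast and unsalted, so one hashed guess is compared against every user."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Better: a per-user salt defeats precomputed tables, but the hash is still fast."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Good: salted and deliberately slow (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users):
    """Password file with bare MD5 digests."""
    return {name: md5_unsalted(pw) for name, pw in users.items()}


def store_salted(users, hashfn):
    """Password file with a fresh 16-byte random salt stored beside each hash."""
    out = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        out[name] = (salt, hashfn(pw, salt))
    return out


def crack_unsalted(stored, wordlist):
    """Dictionary attack on unsalted hashes: one hash per guess covers all users.
    Returns (cracked user->password, number of hash computations)."""
    by_hash = {}
    for name, digest in stored.items():
        by_hash.setdefault(digest, []).append(name)
    cracked, hash_ops = {}, 0
    for guess in wordlist:
        hash_ops += 1
        for name in by_hash.get(md5_unsalted(guess), []):
            cracked[name] = guess
    return cracked, hash_ops


def crack_salted(stored, wordlist, hashfn):
    """Dictionary attack on salted hashes: every (user, guess) pair costs one hash."""
    cracked, hash_ops = {}, 0
    for name, (salt, digest) in stored.items():
        for guess in wordlist:
            hash_ops += 1
            if hashfn(guess, salt) == digest:
                cracked[name] = guess
                break
    return cracked, hash_ops


def cost_ratio(iterations: int = PBKDF2_ITERATIONS, samples: int = 5) -> float:
    """How many times slower one PBKDF2 guess is than one plain SHA-256 guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        sha256_salted("guess", salt)
    fast = max(time.perf_counter() - t0, 1e-9) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        pbkdf2_salted("guess", salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    return slow / fast


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(store_unsalted(USERS), WORDLIST))
    print("salted SHA-256:", crack_salted(store_salted(USERS, sha256_salted), WORDLIST, sha256_salted))
    print("salted PBKDF2:", crack_salted(store_salted(USERS, pbkdf2_salted), WORDLIST, pbkdf2_salted))
    print("one PBKDF2 guess costs about %.0f SHA-256 guesses" % cost_ratio())
```

Three things to notice when it runs: the unsalted file gives up alice and bob together because their digests are identical and one guess serves every user; the salted files force one hash per user per guess; and the PBKDF2 file is cracked just the same, only thousands of times more slowly per guess, which is the whole point of a slow hash. Dave survives all three runs because his passphrase is not in the wordlist, which is the slide's other lesson.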
Types of Biometrics
Biometric systems can be divided into two main classes:
• Physiological: fingerprint, hand geometry, face, iris, DNA
• Behavioral: voice, keystroke dynamics, signature

Biometric Accuracy Measurement
Accuracy, the ability to separate authentic users from impostors, is essential for biometric systems.
• False rejection rate (FRR, Type I error): authorized users are rejected as unidentified or unverified.
• False acceptance rate (FAR, Type II error): unauthorized persons are accepted as authentic. This is the more important error to avoid.
• Crossover error rate (CER): the point at which the false rejection rate and the false acceptance rate are equal. The smaller the CER, the more accurate the system.
• Sensitivity trades one error for the other: the lower the sensitivity, the more prone the system is to false acceptance. Not sensitive enough, and anyone is authorized; too sensitive, and no one gets through.

One-Time Passwords
• Also known as dynamic passwords, a one-time password (OTP) is a password that is valid for only one login session or transaction.
• Because a value is accepted only once, and only within its validity window, a captured OTP cannot be replayed later (an attacker who relays it in real time can still use it that once).
• OTP generators derive each value from a secret shared with the authentication server plus a moving factor (a counter, the current time window, or a challenge), so the next value cannot be predicted without the secret.
• OTPs can be generated in software (soft tokens) or by a hardware token, using time synchronization between the authentication server and the client, an event counter, or a challenge-response algorithm.

Step 3: Authorization
• Once the subject has provided its credentials and has been properly identified and authenticated, the system needs to determine whether this subject has been granted the necessary rights to carry out the requested actions, and authorize them if so.
• Access criteria can be thought of in terms of:
  – Roles: assign rights based on roles
  – Groups: assign rights to groups
  – Location: assign rights to specific locations
  – Time of day: assign rights based on the time
  – Transaction types: assign rights to specific transactions

Challenges of Authorization
Common problems encountered in controlling access to assets include:
• Different levels of users with different levels of access (e.g., manager vs. staff).
• Resources may be classified differently.
• Diverse identity data and devices (interoperability issue).
• Corporate environments keep changing (maintenance issue).

Authorization - Single Sign-On (SSO)
Capabilities: user credentials are entered one time, after which the user is able to access all resources in primary and secondary network domains.
Technologies:
• Kerberos: an authentication protocol based on symmetric-key cryptography, widely used in operating systems.
• SESAME: based on both asymmetric- and symmetric-key cryptography.
• Security domains
• Directory services
• Dumb terminals / thin clients

Access Control Categories
• Each control works at a different level of granularity, but a single control can also perform several functions.
• Access control functionalities (categories):
  – Preventive: to avoid incidents
  – Deterrent: to discourage incidents
  – Detective: to identify incidents
  – Corrective: to remedy circumstances, mitigate damage, and restore controls
  – Recovery: to restore conditions to normal
  – Compensating: an alternative control used when the primary one is not feasible (e.g., supervision)

Types of Control
• Access controls can be implemented at various layers of an organization, a network, and individual systems.
• There are three broad categories (types) of access control:
  – Administrative: defines the roles, responsibilities, policies, and administrative functions used to manage the control environment.
  – Physical: the operating environment, such as doors, locks, fire management, gates, and guards.
  – Technical (aka logical): firewalls, filters, operating systems, applications, and routing protocols.

Administrative Controls
• Personnel security, evaluation, and clearances:
  – Separation of duties
  – Rotation of duties
  – Mandatory vacation
• Security policies
• Operational policies and procedures
• Monitoring
• User management
• Security awareness training
• Privilege management
• Testing
• Change management
• Business continuity and disaster management
• Performance
• Configuration management
• Vulnerability management
• Product life-cycle management
• Network management

Physical Controls
• Perimeter security
• Physical entry
• Computer controls / information processing center
• Work area separation
• Data backups
• Cabling
• Control zone

Technical (Logical) Controls
• User controls
• System access
• Network architecture
• Network access
• Remote access
• Application access
• Malware control
• Encryption and protocols
• Auditing

Access Control Administration
Step 1: Choose the access control model (DAC, MAC, RBAC).
Step 2: Select and implement the access control technologies.
Step 3: Administer access control:
  – Centralized
  – Decentralized

Centralized Access Control
• One entity is responsible for overseeing access to all corporate resources.
• Provides a consistent and uniform method of controlling access rights.
  – Protocols: agreed-upon ways of communicating.
  – Attribute-value pairs: defined fields that accept certain values.
• Types of centralized access control:
  – RADIUS (Remote Authentication Dial-In User Service)
  – TACACS (Terminal Access Controller Access-Control System)
  – DIAMETER

RADIUS
• RADIUS is a client/server protocol, and server, for remote user authentication, authorization, and accounting. Its primary use has been by Internet Service Providers, though it may be used on any network that needs a centralized authentication and/or accounting service for its workstations.
• A RADIUS package typically includes an authentication and accounting server and some administrator tools.

TACACS+
• TACACS+ is an entirely new protocol and is not compatible with TACACS or XTACACS.
• TACACS+ uses the Transmission Control Protocol (TCP), whereas RADIUS uses the User Datagram Protocol (UDP). Some administrators recommend TACACS+ because TCP is seen as the more reliable transport.
• Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations.
• TACACS+ also encrypts the entire body of each packet, whereas RADIUS hides only the User-Password attribute and sends the remaining attributes (user name, NAS address, and so on) in cleartext.

Example of Centralized Control
(figure)

DIAMETER
• Diameter is the successor to RADIUS. Diameter applications extend the Diameter base protocol by adding new commands and/or attribute-value pairs, such as those for carrying the Extensible Authentication Protocol (EAP).
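Returning to the "Biometric Accuracy Measurement" slides above: FRR, FAR and CER are defined but not computed. The following added example (not part of the lecture) sweeps the acceptance threshold over constructed matcher scores, generated with a seeded random generator rather than taken from any real biometric system, and finds the crossover point. The score distributions (genuine mean 0.75, impostor mean 0.35) are assumptions chosen so the two classes overlap in the tails.

```python
"""FRR, FAR and crossover error rate from match scores, added as an example for the
'Biometric Accuracy Measurement' slides. The score samples are constructed with a
seeded generator; no real biometric data is used."""
import random


def make_scores(n: int = 500, seed: int = 7):
    """Constructed matcher output: one similarity score (roughly 0..1) per attempt.
    Genuine users score high on average, impostors low, with overlapping tails."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.75, 0.10) for _ in range(n)]
    impostor = [rng.gauss(0.35, 0.12) for _ in range(n)]
    return genuine, impostor


def false_reject_rate(genuine, threshold: float) -> float:
    """Type I error: authorized users whose score falls below the acceptance threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold: float) -> float:
    """Type II error: impostors whose score reaches the acceptance threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, steps: int = 200):
    """Sweep the threshold (the system's sensitivity) from the lowest to the highest
    observed score and record (threshold, FRR, FAR) at each step."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    curve = []
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        curve.append((t, false_reject_rate(genuine, t), false_accept_rate(impostor, t)))
    return curve


def crossover_error_rate(genuine, impostor, steps: int = 200):
    """CER: the threshold where FRR and FAR are as nearly equal as the sweep allows.
    Returns (threshold, cer), with cer the mean of the two rates at that point."""
    t, frr, far = min(error_curve(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (frr + far) / 2


if __name__ == "__main__":
    g, i = make_scores()
    for t in (0.3, 0.5, 0.7):   # low threshold: lets impostors in; high: locks users out
        print(f"threshold {t:.2f}: FRR={false_reject_rate(g, t):.3f} FAR={false_accept_rate(i, t):.3f}")
    t, cer = crossover_error_rate(g, i)
    print(f"CER about {cer:.3f} at threshold {t:.3f}")
```

The printed rows show the slide's sensitivity trade-off directly: at a low threshold FAR is high and FRR near zero, at a high threshold the reverse, and the CER sits where the two curves cross. Comparing two systems by CER only makes sense when both were measured on the same kind of population and score scale; a lower CER on easier data proves nothing.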
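The "One-Time Passwords" slide describes event-based and time-synchronous tokens in the abstract. As an added example, not from the lecture, here is the standard construction both use: HOTP (RFC 4226) for counter-based tokens and TOTP (RFC 6238) for time-based ones, plus the server-side check that makes a code single-use. The secret is the RFC test-vector secret so the output can be compared with the published vectors; the `OtpValidator` class and its drift window of one step are this example's own design.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and one-time validation, added as an
example for the 'One-Time Passwords' slide. The secret is the RFC test-vector secret,
used only so the output can be checked against the published vectors."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret; never use a fixed secret in practice


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian moving factor, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP whose moving factor is the current time window (time-synchronous token)."""
    return hotp(secret, unix_time // step, digits, digestmod)


class OtpValidator:
    """Server side. Accepts a code for the current window plus `drift` windows either side
    to tolerate clock skew, and remembers used windows so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.used_windows = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for window in range(current - self.drift, current + self.drift + 1):
            if window in self.used_windows:
                continue  # already consumed in this window: a replay
            expected = hotp(self.secret, window, self.digits)
            if hmac.compare_digest(expected, code):
                self.used_windows.add(window)
                return True
        return False


if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])   # RFC 4226 vectors: 755224 287082 359152
    print(totp(SECRET, 59, digits=8))             # RFC 6238 vector: 94287082
```

Two points the slide's "not vulnerable to replay" claim depends on are visible here: the validator must record which windows it has already accepted (otherwise the same code is good for the whole 30-second step), and the comparison uses `hmac.compare_digest` so the check does not leak timing information about the expected code. Neither protects against an attacker who phishes the code and relays it within the window.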
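The "Step 3: Authorization" slide lists roles, groups, location, time of day and transaction type as access criteria. The following added example (not part of the lecture) shows how those criteria combine into one default-deny decision, in the RBAC style the later slides name. The bank-teller policy, the subjects, the network zones (`branch_lan`, `vpn`) and the business hours are all constructed for illustration.

```python
"""Authorization decision combining role, group, location, time of day and transaction type,
added as an example for the 'Step 3: Authorization' slide. Policy, subjects and requests
are constructed for illustration; they are not taken from any real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    groups: frozenset


@dataclass(frozen=True)
class Request:
    transaction: str   # e.g. "withdraw", "approve_loan"
    location: str      # network zone the request arrives from
    hour: int          # local hour of day, 0..23


@dataclass(frozen=True)
class Rule:
    """A permit rule. An empty set for roles/groups/locations means 'any'."""
    transactions: frozenset
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    locations: frozenset = frozenset()
    hours: range = range(0, 24)

    def matches(self, s: Subject, r: Request) -> bool:
        return bool(r.transaction in self.transactions
                    and (not self.roles or self.roles & s.roles)
                    and (not self.groups or self.groups & s.groups)
                    and (not self.locations or r.location in self.locations)
                    and r.hour in self.hours)


# Constructed policy for a small branch office.
POLICY = [
    Rule(frozenset({"view_balance"}), roles=frozenset({"teller", "manager"}),
         locations=frozenset({"branch_lan"})),
    Rule(frozenset({"withdraw"}), roles=frozenset({"teller"}),
         locations=frozenset({"branch_lan"}), hours=range(9, 17)),
    Rule(frozenset({"approve_loan"}), roles=frozenset({"manager"}), groups=frozenset({"lending"}),
         locations=frozenset({"branch_lan", "vpn"}), hours=range(8, 19)),
]


def authorize(subject: Subject, request: Request, policy=POLICY):
    """Default deny: permitted only if some rule matches on every criterion.
    Returns (decision, matching rule or None) so the decision can be logged."""
    for rule in policy:
        if rule.matches(subject, request):
            return True, rule
    return False, None


def why_denied(subject: Subject, request: Request, policy=POLICY):
    """Troubleshooting aid: for each rule covering the transaction, the criteria it failed on."""
    reasons = {}
    for idx, rule in enumerate(policy):
        if request.transaction not in rule.transactions:
            continue
        failed = []
        if rule.roles and not rule.roles & subject.roles:
            failed.append("role")
        if rule.groups and not rule.groups & subject.groups:
            failed.append("group")
        if rule.locations and request.location not in rule.locations:
            failed.append("location")
        if request.hour not in rule.hours:
            failed.append("time")
        reasons[idx] = failed
    return reasons


if __name__ == "__main__":
    teller = Subject("tina", frozenset({"teller"}), frozenset({"retail"}))
    req = Request("withdraw", "vpn", 20)
    print(authorize(teller, req))            # (False, None)
    print(why_denied(teller, req))           # {1: ['location', 'time']}
```

The design choice worth noting is that every criterion must pass within a single rule; a subject who has the right role at the wrong hour, or from the wrong zone, gets nothing rather than a partial grant. Returning the matching rule (or the failed criteria) is what makes the decision auditable, which ties back to the accountability requirement from Step 1.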
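The RADIUS and TACACS+ slides contrast the two protocols but do not show what RADIUS actually puts on the wire. The following added example (not the lecture's code and not a real RADIUS implementation) builds an Access-Request the way RFC 2865 specifies, hides the User-Password attribute with the shared secret and Request Authenticator, and checks the Response Authenticator on the Access-Accept. The shared secret, user name, password and Request Authenticator are constructed values.

```python
"""RADIUS Access-Request construction and Access-Accept verification (RFC 2865), added as an
example for the RADIUS/TACACS+ slides to show what the protocol does and does not protect.
The shared secret, user name, password and Request Authenticator below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The inverse. Anyone who knows the shared secret (the server, or an attacker who
    captured the packet and recovered the secret) gets the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         request_auth: bytes = None) -> bytes:
    """Client (NAS) side. Only User-Password is hidden; User-Name travels in cleartext."""
    ra = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra)))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes):
    """Walk the TLVs that follow the 20-byte header."""
    attrs, i = [], 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes,
                           secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: the reply is bound to the request's authenticator and the secret."""
    ident, ra = request[1], request[4:20]
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, ident, attrs, ra, secret) + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: reject replies that are not for this request or not from a secret holder."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])
```

Parsing the request shows the slide's point about the two protocols: the User-Name attribute is readable by anyone on the path, only User-Password is hidden, and the hiding is an MD5 keystream derived from a static shared secret, so a weak secret can be brute-forced from a single captured request. TACACS+ obscures the whole packet body with the same kind of keystream, and modern deployments carry either protocol inside TLS or IPsec rather than trusting these mechanisms alone.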
Decentralized Access Control
• Gives control of access to the people who are closer to the resources, such as department managers and sometimes the users themselves.
• Has no method for consistent control; it lacks proper consistency.
• Non-standardization and overlapping rights may cause gaps in security control.

Example of Decentralized Control
(figure)

Access Control Practices
• Security professionals need to know the access control tasks that must be accomplished regularly to ensure satisfactory security.
• Best practices used in industry include:
  – Deny access to anonymous accounts
  – Enforce strict access criteria
  – Suspend inactive accounts
  – Replace default passwords
  – Enforce password rotation
  – Audit and review
  – Protect audit logs

Threats to Access Control
• Denial of service
• Buffer overflows
• Insiders
• Mobile code
• Malicious software
• Password crackers
• Spoofing / masquerading
• Sniffers
• Eavesdropping
• Emanations
• Shoulder surfing
• Tapping
• Object reuse
• Data remanence
• Unauthorized targeted data mining
• Dumpster diving
• Backdoor / trapdoor
• Theft
• Intruders
• Social engineering

Threats to Access Control
• Emanation is the proliferation or propagation of a signal. This is most evident in wireless networks: a wireless network antenna may radiate the signal to areas beyond the desired scope, such as out of a building and into the parking lot. If this occurs, an attacker could drive to the location and attempt to access the network from the privacy of his vehicle, potentially undetected.
• Data remanence is the residual data, partial or complete, that remains on storage media after the data has nominally been erased. Normally this refers to data that can still be recovered after a deletion, or after an incomplete overwrite or degaussing of the media.

Countermeasures to Emanation
• TEMPEST refers to standardized technology that suppresses signal emanations with shielding material. The devices (monitors, computers, printers, and so on) have an outer metal coating, referred to as a Faraday cage, made of metal of sufficient depth to ensure that only a limited amount of radiation is released.
• White noise is a uniform spectrum of random electrical signals. It is distributed over the full spectrum so the bandwidth is constant and an intruder is not able to distinguish real information from the random noise.
• Control zones use shielding material in their walls to contain electrical signals. This prevents intruders from accessing information emitted as electrical signals by network devices.

Access Control Monitoring
• Three common components:
  – Sensors
  – Analyzers
  – Administrator interfaces
• Common types:
  – Intrusion detection
  – Intrusion prevention
  – Honeypots
  – Network sniffers

Intrusion Detection Systems (IDS)
• An IDS is a technical solution whose role is to detect suspicious activity and report on the findings.
• An IDS is a reactive warning system that provides the information necessary to guide administrators in responding to an attack.
• Two main types of intrusion detection systems:
  – Network based (NIDS): a network device, or dedicated system attached to the network, that monitors traffic traversing the network segment into which it is integrated. A NIDS is usually incorporated into the network in a passive architecture.
  – Host based (HIDS): the implementation of IDS capabilities at the host level. Its most significant difference from a NIDS is that intrusion detection analysis and related processes are limited to the boundaries of the host.

Intrusion Detection Systems (IDS)
HIDS and NIDS can be:
• Signature based
• Statistical anomaly based
  – Protocol anomaly based
  – Traffic anomaly based
• Rule based

Intrusion Prevention Systems (IPS)
• "The next big thing"
• An IPS is a preventive and proactive technology, whereas an IDS is a detective technology.
• Two types:
  – Network based (NIPS)
  – Host based (HIPS)

Access Control Monitoring
• Honeypots: an attractive offering intended to lure attackers away from critical systems.
• Network sniffers: a general term for programs or devices that are able to examine traffic on a LAN segment.

Accountability
• Accountability is established by recording user, system, and application activities.
• Audit information must be reviewed:
  – Event-oriented audit review
  – Real-time and near-real-time review
  – Audit reduction tools
  – Variance detection tools
  – Attack signature tools

Practical Projects
• RBAC for banking
• RBAC for healthcare
• RBAC for critical systems
• Comparative analysis of different access control techniques
• Deployment of an RBAC mechanism
• Semantic access control
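The IDS slides above distinguish signature-based from statistical anomaly-based detection without showing either in operation. As a closing added example (not part of the lecture), the block below runs both over the same constructed sshd log excerpt: a signature detector with two fixed rules, and an anomaly detector that learns "normal" from a constructed history of failures per minute and flags deviations. The host name, addresses, thresholds and the 10.0.0.0/8 "internal" range are all assumptions of the example.

```python
"""Signature-based versus statistical-anomaly-based detection over the same log, added as an
example for the IDS slides. The SSH log lines, host names, addresses and the historical
baseline are all constructed."""
import ipaddress
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sshd log excerpt (syslog format): 203.0.113.7 hammers root, bob mistypes once,
# and root logs in with a password from an external address.
LOG = """\
Mar 10 09:01:02 bastion sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
Mar 10 09:02:10 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar 10 09:02:11 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41003 ssh2
Mar 10 09:02:12 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 41004 ssh2
Mar 10 09:02:13 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 41005 ssh2
Mar 10 09:02:14 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 41006 ssh2
Mar 10 09:02:15 bastion sshd[2215]: Failed password for root from 203.0.113.7 port 41007 ssh2
Mar 10 09:05:00 bastion sshd[2230]: Failed password for bob from 10.0.0.9 port 50300 ssh2
Mar 10 09:05:08 bastion sshd[2231]: Accepted password for bob from 10.0.0.9 port 50301 ssh2
Mar 10 09:07:41 bastion sshd[2240]: Accepted password for root from 198.51.100.23 port 40011 ssh2
"""

LINE = re.compile(
    r"^\w{3} +\d+ (?P<minute>\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed history: failed logins per minute on ordinary days, used to learn "normal".
BASELINE_FAILURES_PER_MINUTE = [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 1]

BRUTE_FORCE_THRESHOLD = 5                        # signature rule parameter (assumed)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed trusted address range


def parse_log(text: str):
    """Turn matching lines into event dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def signature_detect(events):
    """Signature-based: fixed patterns of known-bad behaviour."""
    alerts = []
    failures = Counter(e["src"] for e in events if e["outcome"] == "Failed")
    for src, n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("brute_force", src, n))
    for e in events:
        if (e["outcome"] == "Accepted" and e["method"] == "password" and e["user"] == "root"
                and ipaddress.ip_address(e["src"]) not in INTERNAL):
            alerts.append(("root_password_login", e["src"]))
    return alerts


def anomaly_detect(events, baseline, sigmas: float = 3.0):
    """Statistical anomaly-based: flag minutes whose failure count deviates from the learned
    baseline by more than `sigmas` standard deviations. Needs no knowledge of the attack."""
    mu, sd = mean(baseline), pstdev(baseline)
    threshold = mu + sigmas * sd
    per_minute = Counter(e["minute"] for e in events if e["outcome"] == "Failed")
    return [(minute, n, round(threshold, 2))
            for minute, n in sorted(per_minute.items()) if n > threshold]


if __name__ == "__main__":
    events = parse_log(LOG)
    print("signature alerts:", signature_detect(events))
    print("anomaly alerts:  ", anomaly_detect(events, BASELINE_FAILURES_PER_MINUTE))
```

The two detectors have complementary blind spots, which is why the slides list both: the anomaly detector flags the 09:02 burst without any rule for brute force, but says nothing about the single root password login from outside, while the signature detector catches that login yet would miss an attacker who spreads guesses thinly enough to stay under the threshold. Bob's one mistyped password trips neither, which is the false-positive behaviour you want.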