ACCESS CONTROL
(Transcript of a PowerPoint PPT presentation on the CISSP access control domain)
• The most fundamental element of information security is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset.
CISSP Expectations
• Access control is the process of allowing only authorized users, programs or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.
Key Access Control Concepts
• Joining C-I-A: Confidentiality, integrity, availability
• Determining a default stance
• Defense in depth
• Access control: a general process
Access control encompasses all operation levels of an organization:
• Facilities
• Support systems: power, heating, ventilation, air conditioning (HVAC)
• Information systems
• Personnel: all users should be subject to some form of access control to ensure the wrong people don't interfere with the right people.
AC enables management to:
• Specify which users can access a system
• Specify what resources those users can access
• Specify what operations those users can perform
• Enforce accountability
AC addresses the CIA triad
• Confidentiality: Managing access is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy.
• Integrity: Preventing unauthorized access promotes greater confidence in data and system integrity.
• Availability: Restricting access reduces the likelihood of damage and loss of use.
Default Stance
• Allow-by-default: everything is permitted unless it is explicitly denied
• Deny-by-default: everything is refused unless it is explicitly permitted. This is the secure stance, because a gap or mistake in the rules fails closed rather than open.
Defense in Depth
• The practice of applying multiple layers of security protection between an information resource and the potential attacker. P. 7
AC: A General Process
• Many different approaches exist; however, there is a very general approach that is applicable to almost every situation.
• 3-step process:
– Defining resources
– Determining users
– Specifying the user's use of the resource
Defining resources
• What are we trying to protect?
• How may each resource be accessed?
• Bind a user, group or entity to a resource
• Every resource is an asset that must be afforded protection. Don't forget printers, faxes, etc.
Determining users
• Need a clear understanding of the needs of the user and the level of trust given to the person or entity
• An identification process must exist that takes into consideration the validity of the access need in the light of business needs, organizational policy, legal requirements, information sensitivity and security risk.
Specifying Use:
• The AC process must specify the level of use for a given resource and the permitted user actions on that resource. Example P. 11
Access Control Principles
• Access Control Policy
• Separation of Duties
• Least Privilege
• Need to Know
• Compartmentalization
• Security Domain
AC Policy
• Specifies the guidelines for how users are identified and authenticated and the level of access granted to resources.
• The absence of a policy will result in inconsistencies in provisioning, management, and administration of AC.
• Provides the framework for definition of necessary procedures, guidelines, standards, and best practices.
Separation of Duties
• Objective: prevent fraud and errors
• Achieved by distributing the tasks & privileges for a specific process among more than one person
• The person who requests the expenditure should not be allowed to approve the expenditure.
• Another example P.12
Determining Applicability of Separation of Duties (1)
• 1st Action: Define the individual elements of a process
– Determine element sensitivity
– Determine what elements of the process lend themselves to distribution. P.12
Determining Applicability of Separation of Duties (Continued)
• 2nd Action: Understand what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what skills are available.
• Determine:
– Element identification, importance, and criticality
– Operational considerations
– User skills & availability
Determining Applicability of Separation of Duties Continued
• Element identification, importance, and criticality
– Elements within a function are known as milestone elements
– If the elements within a function don't offer a clear point of segmentation, it may be necessary to incorporate a new milestone element as a validation & approval point within the function
Determining Applicability of Separation of Duties (Continued)
• Operational considerations
– Balance the impact of the function and its role in the business. Ensure that the separation of duties doesn't hinder the process and make it prone to circumvention.
– Weigh the cost of implementation against the overall risk the process represents and whether the benefits of separation outweigh the time & effort costs.
Determining Applicability of Separation of Duties (Continued)
• User skills & availability
– Are there enough skilled personnel to perform the separation of duty elements?
Least Privilege
• Requires that a user or process be given no more access privilege than necessary to perform a job, task, or function.
Need to Know
• A companion to "least privilege".
• Requires a person requesting information to establish the need to know such information in terms of the pertinent mission.
• If information is given to people on a need-to-know basis, they are given only the details that they need, at the time when they need them.
Security Domain
• An area where common processes and security controls are grouped together
• Example: all systems and users managing financial information might be separated into their own security domain
• Based on trust between resources in systems that share a single security policy and a single management structure. P.16
Information Classification
• Fundamental information classification questions
• Benefits
• Establishing an information classification program
• Labeling & marking
• Information classification assurance
Purpose of Information Classification
• Group an organization's information assets by levels of sensitivity and criticality. Once this is accomplished, the appropriate level of protection controls is assigned to each asset in accordance with its classification.
Fundamental Information Classification questions
• Where is the organization's information?
• How should the information be handled and protected?
• Who should have access to it?
• Who owns the information?
• Who makes the decisions around these parameters?
Benefits of Information Classification
• Establishes information ownership. This increases the likelihood that it will be used in the proper context and access will be properly authorized.
• Increases C-I-A by focusing the limited security funds on the resources requiring the highest level of protection and providing lesser controls for the information with less risk of loss.
Benefits of Information Classification Continued
• Increases knowledge and security awareness.
• Allows for a greater understanding of the value of the information to be protected and provides clearer direction for the handling of sensitive information.
• Operational benefits: critical information can be identified to support continuity of operations (COOP).
Establishing an Information Classification Program
• Page 18
Labeling & Marking
• Provides the ability to manage the information within the media with the appropriate controls.
Information Classification Assurance
• Periodic testing
• Random desk checks
Access Control Requirements
• Reliability
• Transparency
• Integrity
• Maintainability
• Authentication
• Auditability
Access Control Categories
• Directive
• Deterrent
• Preventive
• Compensating
• Detective
• Corrective
• Recovery
Access Control Categories Continued
• Directive
– Controls designed to specify acceptable rules of behavior within an organization, sometimes called administrative controls.
– Policies, procedures, standards, guidelines
Deterrent Controls
• Designed to prevent specific actions by influencing the choices of would-be intruders
• Does not prevent or even record events
– Signs
– Guards, guard dogs
– Razor wire
Preventive Controls
• Block or control specific events
– Firewalls
– Anti-virus software
– Encryption
– Key card systems
– Fencing
– Bollards
– Crash guards
Compensating Controls
• A control that is introduced to compensate for the absence or failure of another control
• "Compensating" refers to why it is implemented
– Can be detective, preventive, deterrent, administrative
• Examples
– Daily monitoring of the anti-virus console
– Monthly review of administrative logins
Detective Controls
• Monitor and record specific types of events
• Does not stop or directly influence events
– Video surveillance
– Audit logs
– Event logs
– Intrusion detection system
Corrective Controls
• Post-event controls to prevent recurrence
• "Corrective" refers to when it is implemented
– Can be preventive, detective, deterrent, administrative
• Examples
– Spam filter
– Anti-virus on e-mail server
– WPA Wi-Fi encryption
Recovery Controls
• Post-incident controls to recover systems
• "Recovery" refers to when it is implemented
– Can be detective, preventive, deterrent, administrative
• Examples
– System restoration
– Database restoration
Access Control Types
• Access control categories classify different access control methods based upon where they fall within the Access Control Time Continuum. F. 1.7 P. 35
Types of Controls
• Administrative
– Policy, procedures, standards
• Technical
– Authentication, encryption, firewalls, anti-virus
• Physical
– Key card entry, fencing, video surveillance
Administrative Controls
• Represent all actions, policies, processes, and management of the control system
– Operational policies & procedures P.36
– Personnel security, evaluation, & clearances P.40
– Monitoring P.42
– User access management P.43
– Privilege management (rights within your access) P.44
Technical (Logical) Controls
• Electronic, digital, & automated controls which enforce the organization's policies.
– Network access
– Remote access
– Application access
– Malware control
– Encryption
Physical Controls
• Controls that protect the physical environment and people.
– Locks
– Guards
– Fences
– Cameras
– Fire management, gates
System Access Control Strategies
• Identification, authentication, authorization
• Access control services
• Identity management
• Access control technologies
System AC Strategies continued
• Identification: the act of a subject claiming an identity (presenting a user name, ID or badge); nothing is proven yet.
• Authentication: the process of verifying that the claimed identity belongs to the user, by checking one or more factors.
• Authorization: determining which resources an authenticated user may access and which operations they may perform on them.
Identification
• User name
• User ID
• Personal Identification Number (PIN)
• Identification badges
Problems with ID Badges
• Credential badges
– Security doesn't always check them
• Access badges
– Not physically bound to a specific person; people can share them
User ID
• User ID
• PIN
• MAC address
• IP address
• RFID (small tag, like a UPC code)
– Privacy concerns
• Email address
User ID Guidelines
• 3 components:
– Uniqueness
– Non-descriptiveness
– Secure issuance
• An organization must establish a secure process for issuing IDs, including the proper documentation and approval for ID requests.
Authentication Methods
• 3 fundamental types, known as factors:
– Factor 1: something a person knows
– Factor 2: something a person has
– Factor 3: something a person is
• A possible 4th factor is:
– Somewhere you are
Passwords
• Standard words
• Combination passwords
• Complex passwords
• Passphrase
• Confidentiality of passwords (encryption)
Hashing (one-way function)
• A hash function takes an arbitrary amount of data as input and, through a mathematical algorithm, produces a fixed-length representation (digest) of the data as output. The function is one-way: the password cannot be recovered from the digest. Digests are not strictly unique (collisions exist in principle), but a sound hash makes two inputs with the same digest computationally infeasible to find.
• Cracking programs can hash different candidate passwords until a digest matches a stored one. An unsalted, fast hash lets one guess be compared against every account at once; a per-user random salt and a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) force the attacker to repeat the work for each account.
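An added example (not from the presentation) that makes the two bullets above concrete: the same dictionary attack is run against an unsalted SHA-256 store and against a salted PBKDF2 store. The accounts, passwords and wordlist are constructed for the example; hashlib and hmac are the standard library.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the example (not real credentials).
# Two users happen to have chosen the same weak password.
USERS = {
    "alice": "Summer2024",
    "bob": "Summer2024",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a cracking wordlist.
WORDLIST = ["password", "123456", "Summer2024", "letmein", "qwerty"]

# PBKDF2 iteration count; kept modest so the example runs in a few seconds.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Fixed-length output, but identical inputs
    give identical digests, so equal passwords are visible in the store and one
    precomputed table (or one hash per guess) covers every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(store: dict, wordlist: list) -> dict:
    """Dictionary attack against an unsalted store: hash each candidate once,
    then look every stored digest up in the table. Returns {user: password}."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in store.items() if digest in table}


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt. The salt defeats shared
    precomputed tables; the iteration count makes each individual guess slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(users: dict) -> dict:
    """Build {user: (salt, digest)} with a fresh 16-byte salt per account."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(password, salt))
    return store


def verify_salted(store: dict, user: str, candidate: str) -> bool:
    """Verify a login attempt; constant-time comparison avoids timing leaks."""
    salt, digest = store[user]
    return hmac.compare_digest(salted_hash(candidate, salt), digest)


def crack_salted(store: dict, wordlist: list) -> tuple:
    """The same dictionary attack against the salted store. Every (user, guess)
    pair needs its own PBKDF2 run, so the work grows with users x guesses.
    Returns ({user: password}, number_of_hash_computations)."""
    found, work = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    plain_store = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("alice and bob share a digest:", plain_store["alice"] == plain_store["bob"])
    print("unsalted store cracked with 5 hashes:", crack_unsalted(plain_store, WORDLIST))
    salted_store = store_salted(USERS)
    print("salted digests differ:", salted_store["alice"][1] != salted_store["bob"][1])
    print("salted store cracked (found, hash computations):", crack_salted(salted_store, WORDLIST))
```

The weak passwords still fall in both cases; what changes is the cost. Five fast hashes break the unsalted store for every account, whereas the salted store needs one slow PBKDF2 run per (account, guess) pair and never reveals that alice and bob share a password.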
Graphical passwords
• Used to fight keyboard loggers
• Using a graphical keyboard, the user clicks on the appropriate keys on the keyboard image to simulate the entry of the password.
• Caveat: malware that captures the screen or records mouse clicks is not defeated by this technique.
Authentication by possession methods
• Asynchronous P. 63
• Synchronous P. 64
Static Authentication Devices
• Physical devices
• 2 forms: memory cards & smart cards
– The primary difference is processing power: smart cards have it, memory cards don't.
Memory Cards
• No processing power; just hold information
• User enters a PIN & swipes the card; the card reader authenticates and the user can enter.
• Weakness: data is not protected, no encryption.
Smart Cards
• Semiconductor chip that accepts, stores & sends information.
• Can hold more data. Small applications can be stored in memory.
• The International Organization for Standardization (ISO) uses the term integrated circuit card (ICC).
• Can be used with PKI
Smart cards continued
• Common uses
– Secure log-on
– Secure email/digital signatures
– Secure Web access/remote access
– VPNs
– Hard disk encryption
Smart cards continued
• Advantages:
– The log-in process is done by the reader, therefore the identifier & password are not exposed to attackers while in transit to the host
– Short trusted path
• A trusted path is a communications channel through which all information passing is considered secure. The shorter the path the better.
Smart Cards continued
• Different types of smart card memory. Page 67
• 2 types of smart cards: contact & contactless
Authenticate by Biometrics
• 2 types: physiological
– Fingerprint, hand geometry, face, eyes (retina & iris)
• Behavioral
– Voice patterns, keystroke dynamics, signature dynamics
Biometric Accuracy
• Temperature, humidity, pressure, medical & mental condition of the individual can cause significant physiological changes to the body that the measurement process must try and cope with.
3 categories of biometric accuracy measurement:
– False reject rate (FRR, a Type I error): an authorized user is falsely rejected as unidentified or unverified.
– False accept rate (FAR, a Type II error): an unauthorized user or impostor is falsely accepted as authentic.
– Crossover Error Rate (CER): the point at which the false rejection rate and the false acceptance rate are equal. The smaller the value of CER, the more accurate the system. P. 74
Determining the correct Biometric measurement
• The lower the sensitivity (acceptance threshold), the more prone to Type II errors (false accepts).
• The higher the sensitivity, the more prone to Type I errors (false rejects).
• The lower the intersection point (CER), the more accurate the system overall.
• The correct setting depends upon what is appropriate to the application & the acceptable risk for the organization: a high-security door is tuned toward rejecting impostors, a convenience application toward not rejecting legitimate users.
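Worked example, added here and not part of the slides: FAR, FRR and the crossover point computed by sweeping an acceptance threshold over two constructed score distributions (genuine and impostor matcher scores, made up to overlap the way real ones do). It also shows the policy side of the last bullet: picking the threshold that meets a maximum false accept rate and reading off the false reject rate the users pay for it.

```python
# Constructed matcher scores (0-100, higher = better match) for one enrolled user.
# Genuine attempts come from the real person; impostor attempts from others.
# The values are made up so that the two distributions overlap, as real ones do.
GENUINE = [95, 91, 88, 84, 80, 77, 73, 69, 64, 58]
IMPOSTOR = [71, 66, 61, 57, 52, 48, 44, 40, 35, 30]


def error_rates(genuine, impostor, threshold):
    """A sample is accepted when its score >= threshold.
    FRR (Type I): genuine samples that fall below the threshold.
    FAR (Type II): impostor samples that reach the threshold.
    Returns (far, frr)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the threshold and return (threshold, CER) at the point where FAR
    and FRR are closest; the lowest such threshold wins a tie."""
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def threshold_for_max_far(genuine, impostor, max_far, thresholds=range(0, 101)):
    """Policy-driven tuning: the lowest threshold whose FAR does not exceed
    max_far, together with the FRR the users will have to live with.
    Returns (threshold, far, frr), or None if no threshold satisfies the limit."""
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def sensitivity_table(genuine, impostor, thresholds=(50, 65, 80)):
    """The trade-off in one view: a low threshold favours Type II errors,
    a high threshold favours Type I errors."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in sensitivity_table(GENUINE, IMPOSTOR).items():
        print(f"threshold {t}: FAR={far:.1f} FRR={frr:.1f}")
    print("crossover (threshold, CER):", crossover(GENUINE, IMPOSTOR))
    print("strictest setting with FAR=0 (threshold, FAR, FRR):",
          threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

With these scores the threshold 50 accepts half the impostors and rejects no genuine user, threshold 80 does the reverse, and the crossover sits at 65 with a CER of 0.2. Demanding FAR = 0 pushes the threshold to 72 and costs a 30% false reject rate, which is the kind of number the business owner has to sign off on.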
Biometric Considerations
• Resistance to counterfeiting P.75
• Data storage requirements P.76
• User acceptance P.76
• Reliability, accuracy & speed P.76-77
• Target user & approach P.78
Accountability
• The ability of the organization to hold people accountable. Access controls & their associated audit trails can provide evidence to prove or disprove a user's involvement in a given event.
• A comprehensive access control program will include monitoring & secure logging of the identification, authentication, and authorization processes.
Logging Best Practices
• Control the flow of data
• Do not allow rollover of data
• Evaluate & implement auditing
• Establish a log review process
• Train personnel
• Protect the audit logs
5 Fundamental Audit Event types
• Network events
• System events
• Application events
• User activities
• Keystroke activities
• P 81-82
Vulnerability assessment
• The use of various tools & analysis methodologies to determine where a particular system or process may be susceptible to attack.
Vulnerability assessment process
• Obtain a good understanding of the system
– Assists in determining the overall risk of any discovered vulnerabilities
• Discuss threats & vulnerabilities with the business owner & other stakeholders
– They are the closest to both the system & the business landscape. Also builds a partnership.
Vulnerability assessment process Continued
• Examine existing controls
• Compare existing controls against known threats
• Run tools to find other vulnerabilities
• Examine results for accuracy
• Combine results with information from business owners
• Discuss findings with the business owner to determine the appropriate course of remediation.
• Remediation should be based upon the criticality of each reported vulnerability
Penetration Testing
• Use of exploitive techniques to determine the level of risk associated with a vulnerability or collection of vulnerabilities in an application or system.
Penetration Test Strategies
• Establish the rules of engagement
– External testing: can you penetrate?
– Internal testing: what damage can be done?
Pen Testing (Rules of engagement, continued)
• Blind testing
– Limited information is provided (publicly available information only). Time consuming & expensive.
• Double-blind testing
– No information is provided, and the organization's own security staff are not told of the test. Not only tests the strength of controls but also security monitoring & incident identification & response.
• Targeted testing (lights on)
– The IT & tester teams are provided all information. May be more cost effective and less time consuming.
Pen Testing (Rules of engagement, continued
• 3 basic categories of pen testing
– Zero knowledge
– Partial knowledge: high-level public information is provided
– Full knowledge: every possible piece of information is provided. Focus is on what can be done. Appropriate for internal testing.
Pen Testing (Rules of engagement, continued)
• Determine the area to be tested
• Application testing
– Test information flow, encryption, input handling, whether a user can harm the system or data, and a wide range of common attacks to gauge the level of resistance.
• DoS testing
• War dialing
• Wireless network testing
• Social engineering
• PBX & IP telephony testing
• VoIP testing
Pen Testing Methodology
• Recon
– Identify & document information about the target
• Enumeration
– Gain more information with intrusive methods (network or vulnerability discovery, ping, port scan)
• Vulnerability analysis
– Map the environment profile to known vulnerabilities; analyze data.
• Execution
– Attempt to gain user & privileged access
• Document findings
– Document the results of the test
Pen Testing Methodology continued
• Attack process
– Multiple threads and groups of test scenarios
– A thread is a collection of tasks to achieve an attack goal
– Each test is evaluated at multiple points to ensure the expected outcome is met
– Each divergence is appraised to make 2 fundamental determinations:
• Is the objective being met?
• Is the system reacting in an unexpected manner which is having an impact on the test?
Pen Testing Methodology continued
• Document findings
• Vulnerabilities discovered in the target systems
• Gaps in security measures
• Intrusion detection and response capabilities
• Observation of log activity & analysis
• Suggested countermeasures
Identity Management
• Set of technologies which addresses all aspects of controlling access, with a focus on centralized management.
• Must efficiently manage multiple independent access control systems, often one per application; list is on P. 93
• Assists the organization with meeting expanding laws & regulations
• Allows the organization to segment various user populations and assign the appropriate type and level of access to each group
• Allows for tight control over access while also allowing for granularity and flexibility in managing such access.
Identity Management
• One primary task is the need to provision, maintain, and manage user IDs.
• Must account for the granting and revocation of access rights as the user goes through the natural life cycle
• System must be efficient; the goal is to consolidate access rights into an easily managed record of identity and access for each user.
• System must be timely
Challenges to ID Management
• Backlogs of requests for access
• Cumbersome policies
• Incomplete request forms
• Number of resources (systems) growing
• Audit trails improperly (or not) maintained
• Departed employees still in the system
• Senior management often bypass the process
Identity Management system requirements
• Consistency
• Usability
• Reliability
• Scalability
• P. 95
Centralized Identity Management
• One entity (a person, a department or a management system) manages the service for the entire organization. That entity sets all policies, standards, and operational parameters.
• Promotes consistency; changes can be distributed quickly and uniformly to all points, limiting the risk of exposure when a user is removed from one part of the system but removal from another is delayed.
• Examples: RADIUS, TACACS+ P. 97
• Drawback: difficult or impossible for a large organization to operate a centralized system on the scale required.
Decentralized Identity Management
• ID management, authentication & authorization decisions are spread throughout the environment to local organizations.
• Benefit: allows access decisions to be made by the people closest to the assets, who can better address local policies and requirements
• Drawback: harder to enforce enterprise-wide policies and standards. Unless a clear policy and process defines who has ultimate responsibility, a decentralized system can quickly lead to inconsistency across the organization.
• May be more expensive because of multiple systems and technologies
• There may also be overlapping or conflicting rights between entities, which could expose gaps in security
Access Control Technologies
• Password management
• Account management
• Profile management
• Directory management
• Single sign-on
Password management
• Designed to manage password complexity and requirements consistently across the enterprise. Achieved by a central tool synchronizing passwords across multiple systems.
• Also assist users with resetting passwords
Account management
• Designed to streamline the administration of user identity across multiple systems. Includes the creation, modification and decommissioning of user accounts.
• Normally includes one or more of these technologies, P. 101
• Obstacles to full scale deployment are: time, cost & interface issues
Profile management
• Profiles are a collection of information associated with a particular identity or group.
• In addition to user ID and password may include personal information.
• May contain information about privileges and rights
Directory Management
• Comprehensive database designed to centralize the management of data about an assortment of company entities, such as a hierarchy of objects storing information about users, groups, systems, servers, printers, etc.
• Stored on 1 or more servers to ensure scalability and availability.
• Benefit: provides a centralized collection of user data that can be used by many applications, avoiding duplication.
• Benefit: using directories it is possible to configure several applications to share data.
• Drawback: integration with legacy systems
3 Main Directory Technologies
• X.500
• LDAP
• X.400 (a messaging standard whose addresses use the same attribute style)
X.500
• Set of communication protocols by the International Telecommunication Union (ITU-T), also published as ISO/IEC 9594
• Designed to facilitate a standard method of developing electronic directories for use over telecommunication networks.
• Designed to work with the OSI model; however, it will work with TCP/IP
• Organized as a hierarchical database (the directory information tree)
• The key field is called the distinguished name (DN). The DN provides the full path to where a particular entry is found.
• Supports the concept of a relative distinguished name (RDN). The RDN is the name of a specific entry relative to its parent, i.e. the first component of the DN with the rest of the path stripped off; joining the RDNs from the entry up to the root yields the full DN.
X.500 consists of:
• The directory access protocol (DAP). This is the primary protocol for accessing information in an X.500 directory.
• The directory system protocol (DSP)
• The directory information shadowing protocol (DISP)
• The directory operational bindings management protocol (DOP)
Lightweight Directory Access Protocol (LDAP)
• Suite of protocols for managing directory information.
• Simpler than X.500
• Organized as a hierarchical database
• Supports the DN & RDN concepts.
• In Active Directory and many other deployments the top of the DN is built from the entity's DNS domain name using domain component (dc) attributes, e.g. dc=example,dc=com
• Each entry carries name/value pairs that denote the various attributes associated with the entry.
• Common attributes are:
• DN: distinguished name
• CN: common name
• DC: domain component
• OU: organizational unit
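Added example (not from the slides) putting the DN and RDN rules from the X.500 and LDAP slides into code: a small escape-aware DN splitter, the RDN/parent split, the dc= to DNS mapping that Active Directory relies on, and a case-insensitive "is this entry inside that subtree" check of the kind a security-domain boundary needs. The sample DN and the example.com domain are placeholders.

```python
import re

# Constructed example entries; "example.com" is a placeholder domain.
SAMPLE_DN = r"cn=Smith\, Susan,ou=Finance,dc=example,dc=com"
FINANCE_BASE = "ou=Finance,dc=example,dc=com"


def split_dn(dn: str) -> list:
    """Split a string DN into its RDN strings, leftmost (the entry) first.
    Commas separate RDNs; a backslash escapes the next character (RFC 4514).
    Hex escapes such as \\2C are passed through untouched (a simplification)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_rdn(rdn: str) -> tuple:
    """Turn 'cn=Smith\\, Susan' into ('cn', 'Smith, Susan'): lower-case the
    attribute type and drop the escaping backslashes from the value."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())


def rdn_of(dn: str) -> str:
    """The RDN is the leftmost component: the entry's own name, nothing more."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN is the DN of the parent entry."""
    return ",".join(split_dn(dn)[1:])


def domain_from_dn(dn: str) -> str:
    """Recover the DNS-style domain from the dc= components (AD naming)."""
    return ".".join(v for a, v in map(parse_rdn, split_dn(dn)) if a == "dc")


def dn_from_domain(domain: str) -> str:
    """The inverse: 'corp.example.com' -> 'dc=corp,dc=example,dc=com'."""
    return ",".join(f"dc={label}" for label in domain.split("."))


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn lies strictly beneath base_dn, the check a security domain
    boundary needs ('only entries under ou=Finance'). The comparison is
    case-insensitive and escape-aware, so a naive string suffix test is avoided."""
    entry = [parse_rdn(r) for r in split_dn(dn)]
    base = [parse_rdn(r) for r in split_dn(base_dn)]
    if len(entry) <= len(base):
        return False
    tail = entry[len(entry) - len(base):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in base]


if __name__ == "__main__":
    print("RDN:     ", rdn_of(SAMPLE_DN))
    print("parent:  ", parent_dn(SAMPLE_DN))
    print("domain:  ", domain_from_dn(SAMPLE_DN))
    print("in scope:", is_under(SAMPLE_DN, FINANCE_BASE))
```

The escaped comma in the sample cn is the point of the splitter: a plain `dn.split(",")` would cut "Smith, Susan" in two and put the entry in the wrong place in the tree, which is exactly the kind of parsing mistake that lets an access check scoped to one OU be fooled.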
Lightweight Directory Access Protocol (LDAP)
• Operates in a client/server environment
• Typically runs in the clear over TCP port 389, so bind credentials and directory data are exposed to anyone on the network path
• Version 3 supports the StartTLS extended operation, which upgrades the port 389 connection to TLS, or LDAP over SSL/TLS (LDAPS) on TCP port 636, if security is required. One of the two should be mandatory wherever a password is sent in a simple bind.
Active Directory
• Microsoft's directory service; it exposes its data through LDAP and uses Kerberos for authentication
• Provides central authentication & authorization
• Enforces organizational security in a uniform and highly auditable manner
• AD uses the LDAP naming structure
• Uses a hierarchical framework
• Directories are organized into forests and trees
– A forest is the collection of all objects & their associated attributes that share one schema and configuration; a tree is a logical group of 1 or more AD security domains within a forest that share a contiguous DNS namespace
• Domains are identified by their DNS name
• Objects in an AD database are grouped by Organizational Units (OUs)
X.400
• Messaging standard that supports message transfer & message storage
• Addresses consist of a series of name/value pairs, conventionally separated by semicolons (e.g. G=Susan;S=Smith;O=Acme;C=US, an illustrative address)
• Typical address specifications include:
• O (organization name)
• OU (organizational unit name)
• G (given name)
• I (initial)
• S (surname)
• C (country name)
• Has largely been supplanted by SMTP-based e-mail systems.
Single Sign-on
• A unified login for 1 or more systems
• Related to, but not the same as, federated identity management, which extends single sign-on across organizations (covered later)
• Stores credentials for 1 or more systems
• Approach to legacy systems:
– SSO opens the legacy app & sends the appropriate keystrokes, simulating the user
• Limitations for legacy systems
– Password changes aren't synchronized
• SSO advantages P. 106-107
• Disadvantages:
– Cost
– Single point of failure
– If a user's SSO password is cracked, the attacker has it all
– Inclusion of unique systems
Script-based SSO
• In-house solution for a highly customized shop
• Log-in scripts for every app & user are developed
• Scripts manage all logon & authentication interaction on behalf of the user.
• Disadvantage: cost of development and maintenance; the scripts handle or embed credentials, so they must themselves be protected
Kerberos
• Designed to provide strong authentication for client/server applications by using secret key cryptography.
• Provides authentication, and through its tickets supplies the session keys and audit trail that support authorization and auditing; the authorization decision itself is left to each service.
• Primary goal is to provide private communications between systems on a network.
• In managing the encryption keys it acts to authenticate each of the principals in the communication based upon possession of the secret key, which allows access to the session key.
Kerberos 4 basic requirements
• Security
– Against attacks by passive eavesdroppers and actively malicious users
• Reliability
– Resources must be available when needed
• Transparency
– Users shouldn't notice authentication taking place
• Scalability
– Large number of users and servers
Kerberos process
Diagram: Susan at her desktop computer, the Key Distribution Center (containing the Authentication Service and the Ticket Granting Service), and the XYZ Service. Think "Kerberos Server" and don't let yourself get mired in terminology. XYZ Service represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc.).
• Susan to the Authentication Service: "I'd like to be allowed to get tickets from the Ticket Granting Server, please."
• Authentication Service to Susan: "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."
• Because Susan was able to open the box (decrypt a message) from the Authentication Service using myPassword, she is now the owner of a shiny "Ticket-Granting Ticket" (TGT).
• The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire "service tickets" for use with services requiring Kerberos authentication.
• The TGT contains no password information.
• Susan to the Ticket Granting Service: "Let me prove I am Susan to XYZ Service. Here's a copy of my TGT!" (request: use XYZ)
• Ticket Granting Service to Susan: "You're Susan. Here, take this." The service ticket reads: "Hey XYZ: Susan is Susan. CONFIRMED: TGS"
• Susan to XYZ Service: "I'm Susan. I'll prove it. Here's a copy of my legit service ticket for XYZ."
• XYZ Service: "That's Susan alright. Let me determine if she is authorized to use me."
• Authorization checks are performed by the XYZ service. Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.
• One remaining note: tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable. Until a ticket's expiration, it may be used repeatedly.
• Later, Susan to XYZ Service: "ME AGAIN! I'll prove it. Here's another copy of my legit service ticket for XYZ." (request: use XYZ)
• XYZ Service: "That's Susan... again. Let me determine if she is authorized to use me."
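The exchange in the diagram above, as an added example that is not part of the presentation. It uses only the Python standard library and a toy authenticated-encryption routine standing in for Kerberos's AES encryption types; the principal names, secrets and the XYZ access list are invented for the demo, and pre-authentication is omitted. It shows the three things the slides stress: the password never leaves Susan's machine (a wrong password simply fails to open the AS reply), the service and not the KDC decides authorization, and an expired ticket is refused.

```python
import hashlib
import hmac
import json
import os
import time

def kdf(secret):   # long-term key from a password or service secret (stand-in for string-to-key)
    return hashlib.sha256(secret.encode()).digest()

def _stream(key, nonce, n):   # hash-derived keystream of at least n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption (keystream XOR + HMAC tag); real Kerberos uses AES types."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError if the key is wrong or the blob was altered."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    ct = body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, body[:16], len(ct)))))

def authenticator(session_key, user):   # fresh proof that the sender holds the ticket's session key
    return seal(session_key, {"user": user, "ts": time.time()})

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one box."""
    def __init__(self):
        self.keys = {}                 # principal -> long-term key
        self.tgs_key = os.urandom(32)  # only the KDC can open a TGT

    def register(self, name, secret):
        self.keys[name] = kdf(secret)

    def as_exchange(self, user, lifetime=3600):
        """AS-REP: TGT sealed under the TGS key, plus the session key sealed under the
        user's key. No password travels. (Pre-authentication is omitted here.)"""
        session, exp = os.urandom(32).hex(), time.time() + lifetime
        tgt = seal(self.tgs_key, {"user": user, "key": session, "exp": exp})
        return tgt, seal(self.keys[user], {"key": session, "exp": exp})

    def tgs_exchange(self, tgt, auth, service):
        """TGS-REP: check the TGT and authenticator, issue a ticket sealed under the service key.
        (A real TGS also refuses an expired TGT; here expiry is enforced at the service.)"""
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["key"]), auth)["user"] != t["user"]:
            raise PermissionError("authenticator does not match TGT")
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"service": service, "key": svc})

class Service:
    """XYZ Service: the ticket proves identity; authorization is the service's own ACL."""
    def __init__(self, secret, acl):
        self.key, self.acl = kdf(secret), acl   # acl: user -> set of allowed actions

    def handle(self, ticket, auth, action):
        t = unseal(self.key, ticket)
        if time.time() > t["exp"]:
            return "denied: ticket expired"
        if unseal(bytes.fromhex(t["key"]), auth)["user"] != t["user"]:
            return "denied: authenticator mismatch"
        if action not in self.acl.get(t["user"], ()):   # authenticated is not authorized
            return f"denied: {t['user']} not authorized for {action}"
        return f"ok: {t['user']} may {action}"

def login(kdc, user, password, lifetime=3600):
    """Client side of the AS exchange: returns (TGT, TGT session key)."""
    tgt, reply = kdc.as_exchange(user, lifetime)
    return tgt, bytes.fromhex(unseal(kdf(password), reply)["key"])  # wrong password -> ValueError

def service_ticket(kdc, user, tgt, tgt_key, service):
    """Client side of the TGS exchange: returns (service ticket, service session key)."""
    ticket, reply = kdc.tgs_exchange(tgt, authenticator(tgt_key, user), service)
    return ticket, bytes.fromhex(unseal(tgt_key, reply)["key"])

def demo():
    kdc = KDC()
    kdc.register("susan", "myPassword")
    kdc.register("xyz", "xyz-service-secret")
    xyz = Service("xyz-service-secret", {"susan": {"read"}})
    tgt, tgt_key = login(kdc, "susan", "myPassword")
    ticket, key = service_ticket(kdc, "susan", tgt, tgt_key, "xyz")
    out = [xyz.handle(ticket, authenticator(key, "susan"), "read"),
           xyz.handle(ticket, authenticator(key, "susan"), "write"),  # authenticated, not authorized
           xyz.handle(ticket, authenticator(key, "susan"), "read")]   # same ticket reused until expiry
    try:
        login(kdc, "susan", "wrongPassword")
    except ValueError:
        out.append("login failed: AS reply could not be opened")
    tgt, tgt_key = login(kdc, "susan", "myPassword", lifetime=-1)      # already-expired TGT
    ticket, key = service_ticket(kdc, "susan", tgt, tgt_key, "xyz")
    out.append(xyz.handle(ticket, authenticator(key, "susan"), "read"))
    return out

if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the AS reply is handed out before anyone proves they know the password, an attacker who captured it could guess passwords offline against it; that is why real Kerberos adds pre-authentication, and why the key length caveat on the next slide matters.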
Disadvantages of Kerberos
• The entire system depends on the KDC, so it must be physically secured and hardened.
• KDC is a single point of failure
• Length of the keys is important; they can't be too short or too long
• Must embed Kerberos system calls in each application (applications have to be "Kerberized")
Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• An extension of Kerberos that was designed to address 2 Kerberos weaknesses:
– Kerberos scalability limitations due to the need to manage symmetric keys. The more keys, the more complexity in managing them.
– As the need for Kerberos to store user privilege information increases, the need for that information to be located on each server the user accesses increases.
Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• It overcomes these 2 weaknesses by:
– Offering SSO with distributed access control. This alleviates the need to replicate authentication data between servers.
– Using symmetric & asymmetric cryptographic technologies, which alleviates the key management issues
Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• Key attributes
– SSO with distributed access control using symmetric & asymmetric cryptographic technologies to protect data interchanges
– Role-based access control
– The use of a Privilege Attribute Certificate (PAC), similar in functionality to a Kerberos ticket
– The use of the Kerberos V5 protocol to access components
– The use of public key cryptography for the distribution of secret keys.
Perimeter-Based Web Portal Access
• SSO for Web applications by using:
– A directory service (LDAP, X.500, AD)
– A Web portal
– A Web Access Management system (WAM)
• User logs in to the portal; WAM authenticates & maintains authentication between Web apps
• Effective for Web environments, not enterprise wide
Federated Identity Management
• SSO for multiple organizations who must share data & applications
– Each entity subscribes to a common set of policies, standards, & procedures for the provisioning & management of identification, authentication & authorization information, and also a common process for access control
– Each entity establishes a trust relationship with the other participating entities
2 Basic ways for linking member entities in a FIM
• Cross-Certification:
– Each entity must individually certify that every other participating entity is worthy of its trust
– Each entity reviews the others to see if they meet their criteria
– Drawbacks: Once the number of entities grows, the complexity of managing is too burdensome or expensive
2 Basic ways for linking member entities in a FIM
• Trusted 3rd party:
– Each entity subscribes to the policies, standards & practices of a trusted 3rd party entity, and the trusted 3rd party manages the verification of all other entities.
– Once the 3rd party verifies a
– Drawbacks: Once the number of entities grows, the complexity of managing is too burdensome or expensive
Once In-Unlimited Access
• Just what it says
Data Access Control Frameworks or Models
• Discretionary
• Mandatory
• Nondiscretionary
Discretionary Access Control (DAC)
• A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources.
• Access control is at the discretion of the owner.
• VAX, VMS, UNIX, Windows X, MAC
Mandatory Access Controls (MAC)
• Controls are determined by the system & based on organizational policy. Controls are applied based upon user clearance and the classification of an object or data.
• Used for highly sensitive systems and when owners don’t want users to potentially bypass organizational policies.
• This model is used in environments where information classification and confidentiality are very important (e.g., the military).
• Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications.
Mandatory Access Controls (MAC)
• System provides access control & owner provides need-to-know control
• Not everyone who is cleared should have access, only those cleared & with a need to know.
• Even if the owner determines a user has a need to know the system must ascertain that the user is cleared.
• Page 117: examples of access capabilities & access permissions
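The two MAC slides above describe a decision with two parts: the system compares the user's clearance against the object's label, and the owner supplies need-to-know. The block below is an added example (not code from the slides or the referenced textbook) that models a label as a level plus a set of need-to-know compartments; the level names, compartments and subjects are constructed, and the "dominates" rule is the usual lattice comparison, not something the slides spell out.

```python
from dataclasses import dataclass

# Ordered sensitivity levels, lowest to highest (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus need-to-know compartments."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # The level must be at least as high AND every compartment on the
        # object must also be held by the subject's clearance.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def system_clears(clearance: Label, object_label: Label) -> bool:
    """System-enforced part: the subject's clearance must dominate the object's label."""
    return clearance.dominates(object_label)


def access_allowed(clearance: Label, object_label: Label,
                   owner_grants_need_to_know: bool) -> bool:
    """Read decision as the slides describe it: the system decides clearance,
    the owner decides need-to-know, and both must say yes. An owner cannot
    override a failed clearance check."""
    return system_clears(clearance, object_label) and owner_grants_need_to_know


# Constructed subjects and objects.
ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
CLERK = Label("CONFIDENTIAL")
CRYPTO_REPORT = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
BUDGET = Label("SECRET")

if __name__ == "__main__":
    for who, subj in (("analyst", ANALYST), ("clerk", CLERK)):
        for name, obj in (("crypto report", CRYPTO_REPORT), ("budget", BUDGET)):
            print(f"{who:8} -> {name:13} cleared={system_clears(subj, obj)} "
                  f"with need-to-know={access_allowed(subj, obj, True)}")
```

Note that the clerk is at the same level as the crypto report yet is still refused: holding the level is necessary but the missing compartment makes the label fail to dominate, which is exactly the "cleared but no need to know" case the slide calls out.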
Nondiscretionary
• Administrator determines who has access and what privileges
Access Control Lists (ACL)
• List of permissions associated with an object
• Keyword=Action
– Router: IP Address=Allow or IP Address=Deny
– User1=R, X, L, W
– User2=R, L
– Group A=R,X,L
– Group B=R,L
• An Access Control Matrix is an ACL in the form of a table. Page 119
Rule Based Access Control
• Uses specific rules that indicate what can and cannot happen between a subject and an object.
• Not necessarily identity based.
• Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.
• Example Page 120
Role Based Access Control (RBAC) Page 121
• Role Based Access Control (RBAC) is a methodology of limiting tasks to objects based on a specific role
• Administration boundaries can be synonymous with job duties or functions and can be associated with individual users
• The goal in role definition is to determine in advance all the access that a user might require to perform a specific task or job
• Scalability and efficiency gains are two benefits of role-based administration
• Aligns with an organization’s structure of roles and responsibilities
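As an added example (not code from the slides), the following small RBAC engine shows the points above in working form: permissions are granted to roles, users only receive roles, a senior role can inherit a junior role's permissions, and a pair of roles can be declared mutually exclusive so that the access a person can ever hold is decided when roles are defined rather than when a user asks. The finance roles, users and objects are constructed.

```python
from collections import defaultdict


class Rbac:
    """Minimal RBAC: users -> roles -> permissions, with role inheritance and
    mutually exclusive roles (static separation of duty)."""

    def __init__(self):
        self.role_perms = defaultdict(set)    # role -> {(object, operation)}
        self.role_juniors = defaultdict(set)  # senior role -> junior roles it inherits from
        self.user_roles = defaultdict(set)    # user -> assigned roles
        self.exclusive = set()                # frozenset({role_a, role_b}) pairs

    def grant(self, role, obj, op):
        self.role_perms[role].add((obj, op))

    def inherit(self, senior, junior):
        self.role_juniors[senior].add(junior)

    def forbid_together(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def can_assign(self, user, role):
        """False if the user already holds a role declared exclusive with this one."""
        return all(frozenset((held, role)) not in self.exclusive
                   for held in self.user_roles[user])

    def assign(self, user, role):
        if not self.can_assign(user, role):
            raise ValueError(f"{user}: role {role!r} conflicts with an existing role")
        self.user_roles[user].add(role)

    def effective_perms(self, role):
        """All permissions of a role, including those inherited from junior roles."""
        perms, seen, todo = set(), set(), [role]
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            todo.extend(self.role_juniors[r])
        return perms

    def check(self, user, obj, op):
        """Access decision: the user holds some role whose effective permissions cover it."""
        return any((obj, op) in self.effective_perms(r) for r in self.user_roles[user])


def build_sample():
    """Constructed finance department; every role is fully defined before users are assigned."""
    rbac = Rbac()
    rbac.grant("clerk", "ledger", "read")
    rbac.grant("accountant", "ledger", "write")
    rbac.inherit("accountant", "clerk")            # accountants can do everything clerks can
    rbac.grant("auditor", "ledger", "read")
    rbac.grant("auditor", "audit_log", "read")
    rbac.forbid_together("accountant", "auditor")  # nobody audits their own entries
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "auditor")
    return rbac


if __name__ == "__main__":
    r = build_sample()
    for user, obj, op in (("alice", "ledger", "write"), ("alice", "audit_log", "read"),
                          ("bob", "ledger", "write"), ("bob", "audit_log", "read")):
        print(f"{user} {op} {obj}: {r.check(user, obj, op)}")
    print("bob may also become accountant:", r.can_assign("bob", "accountant"))
```

The scalability benefit the slide mentions is visible in `build_sample`: adding a second accountant is one `assign` call, and changing what accountants may do touches one role rather than every user.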
Content Dependent Access Control
• Access to an object is determined by the content within the object.
Constrained User Interfaces
• Restrict users’ access abilities by not allowing them certain types of access, or the ability to request certain functions or information
• Three major types
– Menus and Shells
– Database Views
– Physically Constrained Interfaces
Capability table:
• Specifies the access rights a certain subject possesses pertaining to certain objects
• Bound to a subject and indicates what objects that subject can access.
• Page 123 Figure 1.27
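The ACL slide (Keyword=Action lists per object, and the access control matrix as a table) and the capability table slide describe two views of the same matrix: an ACL is a column (one object, all subjects) and a capability list is a row (one subject, all objects). This added example, not the slides' or textbook's code, parses the slide-style `User1=R, X, L, W` lines, builds the matrix, and projects it both ways; the objects, group memberships and a second object's ACL are constructed to make the table non-trivial.

```python
# Rights abbreviations as used on the slides: R read, W write, X execute, L list.


def parse_acl(lines):
    """Parse slide-style 'Subject=R, X, L' lines into {subject: set_of_rights}.
    An empty field (as in 'User2=R, , L') is simply ignored."""
    acl = {}
    for line in lines:
        subject, _, rights = line.partition("=")
        acl[subject.strip()] = {r.strip() for r in rights.split(",") if r.strip()}
    return acl


# Per-object ACLs: the first follows the slide's figures, the second is constructed.
OBJECT_ACLS = {
    "payroll.db": parse_acl(["User1=R, X, L, W", "User2=R, , L", "GroupA=R,X,L", "GroupB=R,L"]),
    "reports/": parse_acl(["User1=R, L", "GroupA=R, X, L"]),
}

# Constructed group membership; a user inherits rights granted to its groups.
MEMBERSHIP = {"User1": {"GroupA"}, "User2": {"GroupB"}}


def acl_for(obj):
    """Column of the matrix: every subject with rights on one object."""
    return OBJECT_ACLS.get(obj, {})


def capability_list(subject):
    """Row of the matrix: every object the subject is directly named on."""
    return {obj: acl[subject] for obj, acl in OBJECT_ACLS.items() if subject in acl}


def matrix_table():
    """The full access control matrix as {subject: {object: 'rights'}}."""
    subjects = sorted({s for acl in OBJECT_ACLS.values() for s in acl})
    objects = sorted(OBJECT_ACLS)
    return {s: {o: "".join(sorted(OBJECT_ACLS[o].get(s, set()))) for o in objects}
            for s in subjects}


def is_allowed(subject, obj, right):
    """Reference-monitor check: the subject, or a group it belongs to, holds the right."""
    principals = {subject} | MEMBERSHIP.get(subject, set())
    return any(right in acl_for(obj).get(p, set()) for p in principals)


if __name__ == "__main__":
    table = matrix_table()
    objects = sorted(OBJECT_ACLS)
    print(f"{'':8}" + "".join(f"{o:>12}" for o in objects))
    for subject, row in table.items():
        print(f"{subject:8}" + "".join(f"{row[o] or '-':>12}" for o in objects))
    print("User2 write payroll.db:", is_allowed("User2", "payroll.db", "W"))
```

The same data answers both kinds of question the slides pose: "who can touch this object?" (`acl_for`) and "what can this subject reach?" (`capability_list`), and the group lookup in `is_allowed` is why User1 can execute under `reports/` although only GroupA is named there.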
Temporal (Time-Based) Isolation
• Activities are OK or not OK based not upon who but upon when.
• Examples:
– If you leave class before the lecture ends, it’s not OK
– All classified processing occurs in the morning
Intrusion Detection and Prevention Systems
• IDS
– Informative tool that provides real-time information when suspicious activities are identified
– Not used to directly prevent the suspected attack
• IPS
– Monitors like an IDS, however will automatically take proactive preventive action if it detects unacceptable activity.
• Important to tune the system to detect true attacks
Network Intrusion Detection System (NIDS)
• Install a tap or mirror ports on a core switch
– Works in promiscuous mode
– Must be able to handle the amount of traffic
• Encryption can be a problem
• Can be integrated into other network devices
Host Based IDS, aka HIDS
• Analyzes the activity within a particular computer system
• Can be installed on individual workstations and/or servers and watch for inappropriate or anomalous activity.
• Usually used to make sure users do not delete system files, reconfigure important things, or put the system at risk in any other way.
• The HIDS universe is limited to the computer itself.
• Multi-host IDSs allow systems to share policy information, attack data & remediation actions.
• Drawback is that they consume an inordinate amount of host resources
IDS Analysis Engine Methods
• 2 basic analysis methods
– Pattern Matching
• Looks for known attacks
– Anomaly Detection
• Looks for system changes
– Stateful Matching
– Statistical Anomaly-Based
– Protocol Anomaly-Based
– Traffic Anomaly-Based
Pattern Match (Signature Analysis) IDS Method
• Pattern match (signature analysis)
– Models of specific attacks and how they are carried out. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.
• Similar to antivirus software
• Signatures must be continuously updated
• Cannot identify new attacks
Anomaly Analysis IDS Methods
• Based on behavior identification (system changes) or anomalies
• Possible list of anomalies, P. 127
• Tend to report more data & false positives
Stateful Matching IDS Method
• Uses signatures and tracks system state changes that indicate an attack is underway.
• State: a snapshot of an operating system’s values in volatile, semi-permanent, and permanent memory locations.
• Every change that an operating system experiences is considered a state transition.
• A state transition is when a variable’s value changes, which usually happens continuously within every system.
• Example Page 128
Statistical Anomaly-Based
• Examines event data by comparing it to typical known or predicted traffic in an effort to find potential security breaches.
• It attempts to identify suspicious behavior by identifying patterns that are not the norm
• Tuning can be challenging if not done regularly
• Definition of normal traffic is open for interpretation
• Has potential to detect unknown attacks
Protocol Anomaly-Based IDS
• Identifies any unacceptable deviation from expected behavior based on known network protocols
• Prone to same issues as signature-based IDSs
Traffic Anomaly-Based
• Identifies any unacceptable deviation from expected behavior based on actual traffic structure
Intrusion Response
• Inject a rule into the firewall, or modify access control for routers, VPNs or VLAN switches
– May be a disadvantage if replicated to other devices
• Disable communications
• Disable user accounts
• Enable additional auditing
Intrusion Response
• Sensor
– Identifies an event
– Must tune sensitivity properly
• Control & communication
– Notification component: email, pager, PDA
• Enunciator
– Identifies the correct business unit, formats the message for specific devices
– Determines who gets notified & what their response is
IDS Management
• Must devote planning, time, money & expert personnel to properly manage an IDS solution
• Page 132