access control


Upload: yachi

Post on 22-Feb-2016


DESCRIPTION

ACCESS CONTROL. The most fundamental element of information security is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset. CISSP Expectations. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: ACCESS CONTROL

ACCESS CONTROL

• The most fundamental element of information security is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset.

Page 2: ACCESS CONTROL

CISSP Expectations

• Access control is the process of allowing only authorized users, programs or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.

Page 3: ACCESS CONTROL

Key Access Control Concepts

• Joining C-I-A

– Confidentiality, integrity, availability

• Determining a Default Stance

• Defense in Depth

• Access Control: A general process

Page 4: ACCESS CONTROL

Access control encompasses all operation levels of an organization:

• Facilities

• Support Systems: Power, heating, ventilation (HVAC)

• Information Systems

• Personnel: All users should be subject to some form of access control to ensure the wrong people don’t interfere with the right people.

Page 5: ACCESS CONTROL

AC enables management to:

• Specify:

– Which users can access a system

– What resources those users can access

– What operations those users can perform

– Enforce accountability

Page 6: ACCESS CONTROL

AC addresses the CIA triad

• Confidentiality: Managing access is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy.

• Integrity: Preventing unauthorized access promotes greater confidence in data and system integrity.

• Availability: Restricting access reduces the likelihood of damage and loss of use.

Page 7: ACCESS CONTROL

Default Stance

• Allow-by-default

• Deny-by-default

Page 8: ACCESS CONTROL

Defense in Depth

• The practice of applying multiple layers of security protection between an information resource and the potential attacker. P. 7

Page 9: ACCESS CONTROL

AC: A General Process

• There are many different approaches; however, there is a very general approach that is applicable to almost every situation.

• 3 step process:

– Defining resources

– Determining users

– Specifying the user’s use of the resource

Page 10: ACCESS CONTROL

Defining resources

• What are we trying to protect?

• How may each resource be accessed?

• Bind a user, group or entity to a resource

• Every resource is an asset that must be afforded protection. Don’t forget printers, faxes, etc.

Page 11: ACCESS CONTROL

Determining users

• Need a clear understanding of the needs of the user and the level of trust given to the person or entity

• An identification process must exist that takes into consideration the validity of the access need in the light of business needs, organizational policy, legal requirements, information sensitivity and security risk.

Page 12: ACCESS CONTROL

Specifying Use:

• The AC process must specify the level of use for a given resource and the permitted user actions on that resource. Example P. 11
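The three-step process above (define resources, determine users, specify use) and the earlier choice of default stance can be written down as a small policy evaluator. This is an added example, not code from the slides; the users, groups, resources and the class names Rule and Policy are constructed for the illustration. It shows the practical difference between the two stances: a resource nobody thought to write a rule for (the slide's "don't forget printers") is reachable by anyone under allow-by-default and by nobody under deny-by-default.

```python
# Added example (not from the slides): a minimal policy evaluator that makes
# the default stance an explicit parameter. All names below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    subject: str          # a user or a group name (step 2: determine users)
    resource: str         # the asset being protected (step 1: define resources)
    actions: frozenset    # permitted operations on that resource (step 3: specify use)


@dataclass
class Policy:
    deny_by_default: bool                          # the default stance
    rules: list = field(default_factory=list)      # explicit grants only
    groups: dict = field(default_factory=dict)     # user -> set of group names

    def principals(self, user):
        """A user acts as themself and as every group they belong to."""
        return {user} | self.groups.get(user, set())

    def is_allowed(self, user, resource, action):
        """An explicit grant wins; anything no rule mentions falls back to the stance."""
        for rule in self.rules:
            if (rule.subject in self.principals(user)
                    and rule.resource == resource
                    and action in rule.actions):
                return True
        return not self.deny_by_default


def build_policies():
    """Constructed sample: the same grants under the two stances from the slide."""
    rules = [
        Rule("finance", "ledger", frozenset({"read", "update"})),
        Rule("alice", "ledger", frozenset({"approve"})),
        Rule("auditors", "ledger", frozenset({"read"})),
    ]
    groups = {"alice": {"finance"}, "bob": {"auditors"}}
    deny = Policy(deny_by_default=True, rules=rules, groups=groups)
    allow = Policy(deny_by_default=False, rules=rules, groups=groups)
    return deny, allow


def compare_stances(user, resource, action):
    """Return (decision under deny-by-default, decision under allow-by-default)."""
    deny, allow = build_policies()
    return deny.is_allowed(user, resource, action), allow.is_allowed(user, resource, action)


if __name__ == "__main__":
    for query in [("alice", "ledger", "update"), ("bob", "ledger", "update"),
                  ("carol", "printer", "print")]:
        print(query, "->", compare_stances(*query))
```

The "printer" query is the one to look at: no rule mentions printers, so the allow-by-default policy lets an unknown user print while the deny-by-default policy does not. The rules list is identical in both cases; only the stance differs.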

Page 13: ACCESS CONTROL

Access Control Principles

• Access Control Policy

• Separation of duties

• Least Privilege

• Need to Know

• Compartmentalization

• Security Domain

Page 14: ACCESS CONTROL

AC Policy

• Specifies the guidelines for how users are identified and authenticated and the level of access granted to resources.

• The absence of a policy will result in inconsistencies in provisioning, management, and administration of AC.

• Provides the framework for definition of necessary procedures, guidelines, standards, and best practices.

Page 15: ACCESS CONTROL

Separation of Duties

• Objective: Prevent fraud and errors

• Achieved by distributing the tasks & privileges for a specific process.

• The person who requests the expenditure should not be allowed to approve the expenditure.

• Another example P.12
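The expenditure example above is easy to state and easy to get wrong in software, because a role check alone ("is this user an approver?") does not stop an approver from approving their own request. The added example below, which is not code from the slides, enforces the separation inside the process itself: each expense record remembers who requested and who approved it, and the approval and payment steps refuse anyone who already took part. The users, roles and the class names ExpenseWorkflow and SeparationOfDutiesError are constructed for the illustration.

```python
# Added example (not from the slides): separation of duties enforced per process
# instance, not just per role. Names and roles are constructed.


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold two segmented duties in the same process."""


class ExpenseWorkflow:
    def __init__(self, roles):
        self.roles = roles        # user -> set of roles: requester, approver, payer
        self.requests = {}        # request id -> record of who did what
        self._next_id = 1

    def _require_role(self, user, role):
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks the {role} role")

    def request(self, user, amount):
        """Milestone element 1: raise the expenditure."""
        self._require_role(user, "requester")
        req_id = self._next_id
        self._next_id += 1
        self.requests[req_id] = {"requester": user, "amount": amount,
                                 "approver": None, "payer": None}
        return req_id

    def approve(self, user, req_id):
        """Milestone element 2: the slide's rule, the requester may not approve."""
        self._require_role(user, "approver")
        record = self.requests[req_id]
        if user == record["requester"]:
            raise SeparationOfDutiesError(
                f"{user} requested expense {req_id} and cannot approve it")
        record["approver"] = user

    def pay(self, user, req_id):
        """Milestone element 3: payment needs a third person, distinct from both."""
        self._require_role(user, "payer")
        record = self.requests[req_id]
        if record["approver"] is None:
            raise PermissionError(f"expense {req_id} is not yet approved")
        if user in (record["requester"], record["approver"]):
            raise SeparationOfDutiesError(
                f"{user} already took part in expense {req_id}")
        record["payer"] = user
        return record


def run_expense(requester, approver, payer, amount=250):
    """Drive the three elements; return the final record or the violation message."""
    # Constructed role table: alice holds every role, which is exactly the case
    # a per-role check would wave through.
    roles = {"alice": {"requester", "approver", "payer"},
             "bob": {"requester", "approver"},
             "carol": {"payer"}}
    workflow = ExpenseWorkflow(roles)
    req_id = workflow.request(requester, amount)
    try:
        workflow.approve(approver, req_id)
        return workflow.pay(payer, req_id)
    except SeparationOfDutiesError as exc:
        return str(exc)


if __name__ == "__main__":
    print(run_expense("alice", "bob", "carol"))
    print(run_expense("alice", "alice", "carol"))
    print(run_expense("bob", "alice", "alice"))
```

Note that alice is allowed to approve and to pay in general; what she cannot do is approve or pay an expense she herself raised. That is the distinction between granting a privilege and segmenting a process.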

Page 16: ACCESS CONTROL

Determining Applicability of Separation of Duties (1)

• 1st Action: Defining individual elements of a process

– Determine element sensitivity

– What elements of the process lend themselves to distribution. P.12

Page 17: ACCESS CONTROL

Determining Applicability of Separation of Duties (Continued)

• 2nd Action: Understand what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what skills are available.

• Determine:

– Element identification, importance, and criticality

– Operational considerations

– User Skills & availability

Page 18: ACCESS CONTROL

Determining Applicability of Separation of Duties Continued

• Element identification, importance, and criticality

– Elements within a function are known as milestone elements

– If the elements within a function don’t offer a clear point of segmentation, it may be necessary to incorporate a new milestone element as a validation & approval point within the function

Page 19: ACCESS CONTROL

Determining Applicability of Separation of Duties (Continued)

• Operational considerations

– Balancing the impact of the function and its role in the business. Ensure that the separation of duties doesn’t hinder the process and make it prone to circumvention.

– Weigh the cost of implementation against the overall risk the process represents and whether the benefits of separation outweigh the time & effort costs.

Page 20: ACCESS CONTROL

Determining Applicability of Separation of Duties (Continued)

• User Skills & availability

– Are there enough skilled personnel to perform the separation of duty elements?

Page 21: ACCESS CONTROL

Least Privilege

• Requires that a user or process be given no more access privilege than necessary to perform a job, task, or function.

Page 22: ACCESS CONTROL

Need to Know

• A companion to “least privilege”.

• Requires a person requesting information to establish the need to know such information in terms of the pertinent mission.

• If information is given to people on a need-to-know basis, they are given only the details that they need at the time when they need it.

Page 23: ACCESS CONTROL

Security Domain

• An area where common processes and security controls are grouped together

• Example: All systems and users managing financial information might be separated into their own security domain

• Based on trust between resources in systems that share a single security policy and single management structure. P.16

Page 24: ACCESS CONTROL

Information Classification

• Fundamental Information Classification questions

• Benefits

• Establishing an Information Classification Program

• Labeling & Marking

• Information Classification Assurance

Page 25: ACCESS CONTROL

Purpose of Information Classification

• Group an organization’s information assets by levels of sensitivity and criticality. Once this is accomplished, the appropriate level of protection controls is assigned to each asset in accordance with its classification.

Page 26: ACCESS CONTROL

Fundamental Information Classification questions

• Where is the organization’s information?

• How should the information be handled and protected?

• Who should have access to it?

• Who owns the information?

• Who makes the decisions around these parameters?

Page 27: ACCESS CONTROL

Benefits of Information Classification

• Establishes information ownership. This increases the likelihood that it will be used in the proper context and access will be properly authorized.

• Increases C-I-A by focusing the limited security funds on the resources requiring the highest level of protection and providing lesser controls for the information with less risk of loss.

Page 28: ACCESS CONTROL

Benefits of Information Classification Continued

• Increases knowledge and security awareness.

• Allows for a greater understanding of the value of the information to be protected and provides a clearer direction for the handling of sensitive information.

• Operational benefits: critical information can be identified to support COOP (continuity of operations).

Page 29: ACCESS CONTROL

Establishing an Information Classification Program

• Page 18

Page 30: ACCESS CONTROL

Labeling & Marking

• Provides the ability to manage the information within the media with the appropriate controls.

Page 31: ACCESS CONTROL

Information Classification Assurance

• Periodic testing

• Random desk checks

Page 32: ACCESS CONTROL

Access Control Requirements

• Reliability

• Transparency

• Integrity

• Maintainability

• Authentication

• Auditability

Page 33: ACCESS CONTROL

Access Control Categories

• Directive

• Deterrent

• Preventive

• Compensating

• Detective

• Corrective

• Recovery

Page 34: ACCESS CONTROL

Access Control Categories Continued

• Directive

– Controls designed to specify acceptable rules of behavior within an organization, sometimes called administrative controls.

– Policies, procedures, standards, guidelines

Page 35: ACCESS CONTROL


Deterrent Controls

• Designed to prevent specific actions by influencing choices of would-be intruders

• Does not prevent or even record events

– Signs

– Guards, guard dogs

– Razor wire

Page 36: ACCESS CONTROL


Preventive Controls

• Block or control specific events

– Firewalls

– Anti-virus software

– Encryption

– Key card systems

– Fencing

– Bollards

– Crash guards

Page 37: ACCESS CONTROL


Compensating Controls

• A control that is introduced to compensate for the absence or failure of a control

• “Compensating” refers to why it is implemented

– Can be detective, preventive, deterrent, administrative

• Examples

– Daily monitoring of anti-virus console

– Monthly review of administrative logins

Page 38: ACCESS CONTROL


Detective Controls

• Monitor and record specific types of events

• Does not stop or directly influence events

– Video surveillance

– Audit logs

– Event logs

– Intrusion detection system

Page 39: ACCESS CONTROL


Corrective Controls

• Post-event controls to prevent recurrence

• “Corrective” refers to when it is implemented

– Can be preventive, detective, deterrent, administrative

• Examples

– Spam filter

– Anti-virus on e-mail server

– WPA Wi-Fi encryption

Page 40: ACCESS CONTROL


Recovery Controls

• Post-incident controls to recover systems

• “Recovery” refers to when it is implemented

– Can be detective, preventive, deterrent, administrative

• Examples

– System restoration

– Database restoration

Page 41: ACCESS CONTROL

Access Control Types

• Access control categories classify different access control methods based upon where they fall within the Access Control Time Continuum. F. 1.7 P. 35

Page 42: ACCESS CONTROL


Types of Controls

• Administrative– Policy, procedures, standards

• Technical– Authentication, encryption, firewalls, anti-virus

• Physical– Key card entry, fencing, video surveillance

Page 43: ACCESS CONTROL

Administrative Controls

• Represent all actions, policies, processes, and management of the control system

– Operational policies & procedures P.36

– Personnel security, evaluation, & clearances P.40

– Monitoring P.42

– User Access Management P.43

– Privilege Management (rights within your access) P.44

Page 44: ACCESS CONTROL

Technical (Logical) Controls

• Electronic, digital, & automated controls which enforce the organization’s policies.

– Network access

– Remote access

– Application access

– Malware control

– Encryption

Page 45: ACCESS CONTROL

Physical Controls

• Controls that protect the physical environment and people.

– Locks

– Guards

– Fences

– Cameras

– Fire management, gates

Page 46: ACCESS CONTROL

System Access Control Strategies

• Identification, authentication, authorization

• Access control services

• Identity Management

• Access control technologies

Page 47: ACCESS CONTROL

System AC Strategies continued

• Identification: The act of designating a known quantity.

• Authentication: The process of verifying the identity of a user.

• Authorization: Defining the specific resources of an authenticated user.

Page 48: ACCESS CONTROL

Identification

• User name

• User ID

• Personal Identification Number (PIN)

• Identification badges

Page 49: ACCESS CONTROL

Problems with ID Badges

• Credential badges

– Security doesn’t always check

• Access badges

– Not physically tied to a specific person; people can share

Page 50: ACCESS CONTROL

User ID

• User ID

• PIN

• MAC address

• IP address

• RFID (small tag, like a UPC code)

– Privacy concerns

• Email address

Page 51: ACCESS CONTROL

User ID Guidelines

• 3 components:

– Uniqueness

– Non-descriptiveness

– Secure issuance

• An organization must establish a secure process for issuing IDs, including the proper documentation and approval for ID requests.

Page 52: ACCESS CONTROL

Authentication Methods

• 3 fundamental types known as factors:

– Factor 1: something a person knows

– Factor 2: something a person has

– Factor 3: something a person is

• A new possible 4th factor is:

– Somewhere you are

Page 53: ACCESS CONTROL

Passwords

• Standard words

• Combination passwords

• Complex passwords

• Passphrase

• Confidentiality of passwords (encryption)

Page 54: ACCESS CONTROL

Hashing (one-way function)

• A hash function takes an arbitrary amount of data as input and through the use of a mathematical algorithm will produce a unique, fixed-length representation of the data as output.

• Cracking programs can hash different passwords until a match is found.
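The two bullets above describe both sides of password storage: the hash is one-way, but a cracking program does not need to invert it, it only needs to hash candidates and compare. The added example below, which is not code from the slides, puts the weak form (one unsalted SHA-256 of the password) next to the form a defender should store (PBKDF2-HMAC-SHA256 with a random per-user salt and a deliberately slow iteration count) and shows why the difference matters: the unsalted hash of a common word is matched from a four-entry constructed wordlist, while the salted form gives two different hashes for the same password and is verified only through the stored salt. The wordlist, passwords and the iteration count are constructed values for the illustration.

```python
# Added example (not from the slides): salted, slow password hashing next to the
# unsalted fast hash that dictionary matching relies on. All sample values are
# constructed; ITERATIONS is an example figure, not a recommendation from the slides.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption for this example; tune to the hardware in use


def unsalted_fast_hash(password):
    """What not to store: one SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random per-user salt, in a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def match_against_wordlist(stored_hash, wordlist):
    """The slide's second bullet in code: hash each candidate until one matches."""
    for candidate in wordlist:
        if unsalted_fast_hash(candidate) == stored_hash:
            return candidate
    return None


def demo():
    """Constructed comparison of the two storage forms for the same password."""
    wordlist = ["letmein", "welcome1", "password123", "summer2016"]   # constructed
    weak = unsalted_fast_hash("password123")
    strong_a = hash_password("password123")
    strong_b = hash_password("password123")
    return {
        "recovered_from_unsalted": match_against_wordlist(weak, wordlist),
        "salted_hashes_differ": strong_a != strong_b,
        "verify_correct": verify_password("password123", strong_a),
        "verify_wrong": verify_password("Password123", strong_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats precomputed tables because the same password no longer produces the same hash for every account, and the iteration count raises the cost of each candidate guess; neither property changes what a legitimate verification has to do, which is why the stored string carries both.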

Page 55: ACCESS CONTROL

Graphical passwords

• Used to fight keyboard loggers

• Using a graphical keyboard, the user clicks on the appropriate keys on the keyboard image to simulate the entry of the password.

Page 56: ACCESS CONTROL

Authentication by possession methods

• Asynchronous P. 63

• Synchronous P. 64

Page 57: ACCESS CONTROL

Static Authentication Devices

• Physical devices

• 2 forms: Memory & Smart Cards

– Primary difference is processing power. Smart cards have it; memory cards don’t.

Page 58: ACCESS CONTROL

Memory Cards

• No processing power, just hold information

• User enters PIN & swipes card; card reader authenticates and user can enter.

• Weakness: data not protected, no encryption.

Page 59: ACCESS CONTROL

Smart Cards

• Semiconductor chip that accepts, stores & sends information.

• Can hold more data. Small apps can be stored in memory.

• The International Organization for Standardization uses the term integrated circuit card (ICC).

• Can be used with PKI

Page 60: ACCESS CONTROL

Smart cards continued

• Common uses

– Secure log-on

– Secure email/digital signatures

– Secure Web access/remote access

– VPNs

– H/D encryption

Page 61: ACCESS CONTROL

Smart cards continued

• Advantages:

– Log-in process is done by the reader, therefore the identifier & password are not exposed to attackers while in transit to the host

– Short trusted path

• Trusted path is a communications channel through which all information passing through is considered secure. The shorter the path the better.

Page 62: ACCESS CONTROL

Smart Cards continued

• Different types of smart card memory. Page 67

• 2 types of smart cards: contact & contactless

Page 63: ACCESS CONTROL

Authenticate by Biometrics

• 2 types: physiological

– Fingerprint, Hand Geometry, Face, Eyes (retina & iris)

• Behavioral

– Voice patterns, Keystroke dynamics, Signature dynamics

Page 64: ACCESS CONTROL

Biometric Accuracy

• Temperature, humidity, pressure, medical & mental condition of the individual can cause significant physiological changes to the body that the measurement process must try and cope with.

Page 65: ACCESS CONTROL

3 categories of biometric accuracy measurement:

– False reject rate (a Type 1 Error): When an authorized user is falsely rejected as unidentified or unverified.

– False accept rate (a Type 2 Error): When an unauthorized user or imposter is falsely accepted as authentic.

– Crossover Error Rate (CER): The point at which the false rejection rate and the false acceptance rate are equal. The smaller the value of CER, the more accurate the system. P. 74

Page 66: ACCESS CONTROL

Determining the correct Biometric measurement

• The lower the sensitivity, the more prone to type 2 errors.

• The higher the sensitivity, the more prone to type 1 errors.

• The lower the intersection point the more accurate the system overall.

• The correct measure rate is dependent upon what is appropriate to the application & the desired acceptable risk for the organization.
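The three rates above are easier to reason about once they are computed from actual matcher scores. The added example below is not code from the slides: it takes a constructed set of scores from authorized users (genuine) and from unauthorized users (impostors), computes the false reject rate and false accept rate at a given acceptance threshold, and sweeps the threshold to find the crossover point. Raising the threshold (higher sensitivity) moves error from type 2 to type 1, exactly as the slide states; the function names and the score values are assumptions for the illustration.

```python
# Added example (not from the slides): FRR, FAR and CER from matcher scores.
# The scores are constructed; a real evaluation would use thousands of comparisons.

GENUINE = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45]   # authorized users
IMPOSTOR = [0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.52, 0.60, 0.70]  # unauthorized users


def false_reject_rate(threshold, genuine=GENUINE):
    """Type 1 error: share of authorized users whose score falls below the threshold."""
    return sum(1 for score in genuine if score < threshold) / len(genuine)


def false_accept_rate(threshold, impostor=IMPOSTOR):
    """Type 2 error: share of impostors whose score reaches the threshold."""
    return sum(1 for score in impostor if score >= threshold) / len(impostor)


def error_table(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FRR, FAR) rows, useful for seeing the two curves cross."""
    return [(t, false_reject_rate(t, genuine), false_accept_rate(t, impostor))
            for t in thresholds]


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Try every observed score as a threshold; the CER sits where FRR and FAR are closest.

    Returns (threshold, rate). With a finite sample the curves may not meet
    exactly, so the rate reported is the mean of the two at the closest point.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = false_reject_rate(t, genuine), false_accept_rate(t, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[2]:
            best = (t, (frr + far) / 2, gap)
    threshold, rate, _ = best
    return threshold, rate


if __name__ == "__main__":
    for t, frr, far in error_table([0.45, 0.50, 0.55, 0.60, 0.70]):
        print(f"threshold {t:.2f}: FRR {frr:.2f}  FAR {far:.2f}")
    print("CER at threshold %.2f = %.2f" % crossover_error_rate())
```

An organization that cares most about keeping impostors out (type 2) picks a threshold above the crossover and accepts more rejected legitimate users; one that cares most about not locking out staff (type 1) picks a threshold below it. The CER is the single number used to compare two systems, not necessarily the operating point either of them should run at.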

Page 67: ACCESS CONTROL

Biometric Considerations

• Resistance to counterfeiting P.75

• Data storage requirements P.76

• User acceptance P.76

• Reliability, accuracy & speed P.76-77

• Target user & approach P.78

Page 68: ACCESS CONTROL

Accountability

• The ability of the organization to hold people accountable. A/C & their associated audit trails can provide evidence to prove or disprove a user’s involvement in a given event.

• A comprehensive A/C program will include monitoring & secure logging of the identification, authentication, and authorization processes.

Page 69: ACCESS CONTROL

Logging Best Practices

• Control the flow of data

• Do not allow rollover of data

• Evaluate & implement auditing

• Establish log review process

• Train personnel

• Protect the audit logs

Page 70: ACCESS CONTROL

5 Fundamental Audit Event types

• Network events

• System events

• Application events

• User activities

• Keystroke activities

• P. 81-82
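"Protect the audit logs" from the logging best practices above is the one item on that list that is partly a data-structure problem: a log only proves or disproves a user's involvement if nobody could have edited it afterwards. The added example below, which is not code from the slides, stores events of the five types listed here in a hash chain, where each entry commits to the hash of the previous one, so altering or deleting any record breaks verification of everything after it. The events, actor names and the class name AuditLog are constructed for the illustration; in practice the chain head would also be copied to a separate system, since the chain alone does not stop someone from rewriting the whole log from the tampered point onwards.

```python
# Added example (not from the slides): a tamper-evident, hash-chained audit log.
# Event types follow the slide's five categories; sample events are constructed.
import copy
import hashlib
import json

EVENT_TYPES = {"network", "system", "application", "user", "keystroke"}
GENESIS = "0" * 64   # the "previous hash" of the very first entry


def _digest(entry):
    """Hash every field except the hash itself, with a canonical JSON encoding."""
    body = {key: value for key, value in entry.items() if key != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, event_type, actor, detail):
        """Add one event; its hash covers the previous entry's hash, forming the chain."""
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event_type!r}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "type": event_type,
                 "actor": actor, "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the sequence number of the first bad entry, or None if intact.

        Three things are checked per entry: its position matches its seq field
        (catches deletions), its prev field matches the previous hash (catches
        insertions and reordering) and its hash matches its content (catches edits).
        """
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if (entry["seq"] != index or entry["prev"] != prev
                    or entry["hash"] != _digest(entry)):
                return index
            prev = entry["hash"]
        return None


def sample_log():
    """Constructed events for one user session."""
    log = AuditLog()
    log.append("user", "susan", "login success from 10.0.0.5")
    log.append("application", "susan", "opened payroll report")
    log.append("user", "susan", "logout")
    return log


def tampered_copy(log, seq, new_detail):
    """Simulate someone editing one record in place after the fact."""
    forged = copy.deepcopy(log)
    forged.entries[seq]["detail"] = new_detail
    return forged


if __name__ == "__main__":
    log = sample_log()
    print("intact log, first bad entry:", log.verify())
    print("edited log, first bad entry:", tampered_copy(log, 1, "nothing to see").verify())
```

The chain makes tampering detectable, not impossible; that is why the slide pairs it with a review process and with controlling where the log data flows.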

Page 71: ACCESS CONTROL

Vulnerability assessment

• The use of various tools & analysis methodologies to determine where a particular system or process may be susceptible to attack.

Page 72: ACCESS CONTROL

Vulnerability assessment process

• Obtain a good understanding of the system

– Assists in determining the overall risk of any discovered vulnerabilities

• Discuss threats & vulnerabilities with the business owner & other stakeholders

– They are the closest to both the system & the business landscape. Also builds a partnership.

Page 73: ACCESS CONTROL

Vulnerability assessment process Continued

• Examine existing controls

• Compare existing controls against known threats

• Run tools to find other vulnerabilities

• Examine results for accuracy

• Combine results with information from business owners

• Discuss findings with B/O to determine the appropriate course of remediation.

• Remediations should be based upon the criticality of each reported vulnerability

Page 74: ACCESS CONTROL

Penetration Testing

• Use of exploitive techniques to determine the level of risk associated with a vulnerability or collection of vulnerabilities in an application or system.

Page 75: ACCESS CONTROL

Penetration Test Strategies

• Establish the rules of engagement

– External testing

• Can you penetrate?

– Internal testing

• What damage can be done?

Page 76: ACCESS CONTROL

Pen Testing (Rules of engagement, continued)

• Blind testing

– Limited information is provided (publicly available information). Time consuming & expensive

• Double-blind testing

– No information is provided. Not only tests the strength of controls but also security monitoring & incident identification & response.

• Target testing (lights on)

– IT & tester team is provided all information. Maybe more cost effective and less time consuming.

Page 77: ACCESS CONTROL

Pen Testing (Rules of engagement, continued)

• 3 basic categories of pen testing

– Zero knowledge

– Partial knowledge

• High level public information is provided

– Full knowledge

• Every possible piece of information is provided. Focus is on what can be done. Appropriate for internal testing.

Page 78: ACCESS CONTROL

Pen Testing (Rules of engagement, continued)

• Determine area to be tested

• Application testing

– Test information flow, encryption, input & whether a user can harm the system or data, and a wide range of common attacks to gauge the level of resistance.

• DoS testing

• War dialing

• Wireless Network testing

• Social Engineering

• PBX & IP Telephone Testing

• VOIP testing

Page 79: ACCESS CONTROL

Pen Testing Methodology

• Recon

– Identify & document information about the target

• Enumeration

– Gain more information with intrusive methods (network or vulnerability discovery, ping, port scan)

• Vulnerability analysis

– Map the environment profile to known vulnerabilities, analyze data.

• Execution

– Attempt to gain user & privileged access

• Document findings

– Document the results of the test

Page 80: ACCESS CONTROL

Pen Testing Methodology continued

• Attack process

– Multiple threads and groups of test scenarios

– A thread is a collection of tasks to achieve an attack goal

– Each test is evaluated at multiple points to ensure the expected outcome is met

– Each divergence is appraised to make 2 fundamental determinations

• Is the objective being met?

• Is the system reacting in an unexpected manner which is having an impact on the test?

Page 81: ACCESS CONTROL

Pen Testing Methodology continued

• Document findings

• Vulnerabilities discovered in the target systems

• Gaps in security measures

• Intrusion detection and response capabilities

• Observation of log activity & analysis

• Suggested countermeasures

Page 82: ACCESS CONTROL

Identity Management

• Set of technologies which addresses all aspects of controlling access, with a focus on centralized management.

• Must efficiently manage multiple independent access control systems, often per application; list is on P. 93

• Assists the organization with meeting expanding laws & regulations

• Allows the organization to segment various user populations and assign the appropriate type and level of access to each group

• Allows for tight control over access while also allowing for granularity and flexibility in managing such access.

Page 83: ACCESS CONTROL

Identity Management

• One primary task is the need to provision, maintain, and manage user IDs.

• Must account for the granting and revocation of access rights as the user goes through the natural life cycle

• System must be efficient; the goal is to consolidate access rights into an easily managed record of identity and access for each user.

• System must be timely

Page 84: ACCESS CONTROL

Challenges to ID Management

• Backlogs of requests for access

• Cumbersome policies

• Incomplete request forms

• Number (systems) of resources growing

• Audit trails improperly (or not) maintained

• Departed employees still in system

• Senior management often bypass the process

Page 85: ACCESS CONTROL

Identity Management system requirements

• Consistency

• Usability

• Reliability

• Scalability

• P. 95

Page 86: ACCESS CONTROL

Centralized Identity Management

• One entity (person, a department or management system) manages the service for the entire organization. That entity sets all policies, standards, and operational parameters.

• Promotes consistency; changes can be distributed quickly and uniformly to all points, limiting the risk of exposure when a user is removed from 1 part of the system but removal from another is delayed.

• Examples: RADIUS, TACACS+ P. 97

• Drawback: difficult or impossible for a large organization to operate a centralized system on the scale required.

Page 87: ACCESS CONTROL

Decentralized Identity Management

• ID management, authentication & authorization decisions are spread throughout the environment to local organizations.

• Benefit: allows access decisions to be made by the people closest to the assets, who can better address local policies and requirements

• Drawback: harder to enforce enterprise-wide policies and standards. Unless a clear policy and process defines who has ultimate responsibility, a decentralized system can quickly lead to inconsistency across the organization.

• May be more expensive because of multiple systems and technologies

• There may also be overlapping or conflicting rights between entities, which could expose gaps in security

Page 88: ACCESS CONTROL

Access Control Technologies

• Password management

• Account management

• Profile management

• Directory management

• Single Sign-on

Page 89: ACCESS CONTROL

Password management

• Designed to manage password complexity and requirements consistently across the enterprise. Achieved by a central tool synchronizing passwords across multiple systems.

• Also assists users with resetting passwords

Page 90: ACCESS CONTROL

Account management

• Designed to streamline the administration of user identity across multiple systems. Includes the creation, modification and decommissioning of user accounts.

• Normally includes one or more of these technologies, P. 101

• Obstacles to full scale deployment are: time, cost & interface issues

Page 91: ACCESS CONTROL

Profile management

• Profiles are a collection of information associated with a particular identity or group.

• In addition to user ID and password may include personal information.

• May contain information about privileges and rights

Page 92: ACCESS CONTROL

Directory Management

• Comprehensive database designed to centralize the management of data about an assortment of company entities, such as a hierarchy of objects storing information about users, groups, systems, servers, printers, etc.

• Stored on 1 or more servers to ensure scalability and availability.

• Benefit: provides a centralized collection of user data that can be used by many applications to avoid duplication.

• Benefit: Using directories it is possible to configure several applications to share data.

• Drawback: Integration with legacy systems

Page 93: ACCESS CONTROL

3 Main Directory Technologies

• X.500

• LDAP

• X.400

Page 94: ACCESS CONTROL

X.500

• Set of communication protocols by the International Telecommunication Union (ITU-T), aka ISO/IEC 9594

• Designed to facilitate a standard method of developing electronic directories for use over telecommunication networks.

• Designed to work with the OSI model; however, it will work with TCP/IP

• Organized in a hierarchical database

• Key field is called the distinguished name (DN). The DN provides the full path where a particular entry is found.

• Supports the concept of a relative distinguished name (RDN). The RDN provides the name of a specific entry with the full path component attached.

Page 95: ACCESS CONTROL

X.500 consists of:

• The directory access protocol (DAP). This is the primary protocol for accessing information in an X.500 directory.

• The directory system protocol (DSP)

• The directory information shadowing protocol (DISP)

• The directory operational bindings management protocol (DOP)

Page 96: ACCESS CONTROL

Lightweight directory Access Protocol (LDAP)

• Suite of protocols for managing directory information.

• Simpler than X.500

• Organized in a hierarchical database

• Supports DN & RDN concepts.

• DN attributes are based on an entity's DNS name

• Each entry has name/value pairs to denote various attributes associated with each entry.

• Common attributes are:

– DN: distinguished name

– CN: common name

– DC: domain name

– OU: organizational unit
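The DN and RDN relationship described for X.500 above and for LDAP here is concrete enough to code: a DN is a comma-separated sequence of RDNs, most specific first, and walking the sequence from the right rebuilds the path down the hierarchical tree. The added example below is not code from the slides or from any LDAP library; it parses a DN into attribute/value pairs, honouring the `\,` escape that RFC 4514 defines for a comma inside a value, and derives the RDN, the parent DN and the full path from the root. The sample names are constructed; note that in LDAP the `dc` attribute is domainComponent, so `dc=example,dc=com` is the tree's mapping of the DNS name example.com.

```python
# Added example (not from the slides): splitting a DN into RDNs and walking the
# tree. Sample names are constructed; the "\," escape follows RFC 4514.


def parse_dn(dn):
    """Return [(attribute, value), ...] from the RDN (most specific) to the root."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is taken literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(buf))
    parsed = []
    for rdn_text in rdns:
        attr, sep, value = rdn_text.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def _escape(value):
    """Re-escape a value so that join(parse(dn)) round-trips."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def _join(parts):
    return ",".join(f"{attr}={_escape(value)}" for attr, value in parts)


def rdn(dn):
    """The relative distinguished name: the first component only."""
    return parse_dn(dn)[0]


def parent_dn(dn):
    """The DN one level up the tree; empty string at the root."""
    return _join(parse_dn(dn)[1:])


def path_from_root(dn):
    """Every DN along the path, root first, which is how the hierarchy reads."""
    parts = parse_dn(dn)
    return [_join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


if __name__ == "__main__":
    sample = "cn=Smith\\, John,ou=Finance,dc=example,dc=com"   # constructed
    print(parse_dn(sample))
    print("RDN:", rdn(sample))
    print("parent:", parent_dn(sample))
    for node in path_from_root(sample):
        print("  ", node)
```

The escape handling is the part worth keeping: naively splitting on commas turns `cn=Smith\, John` into two broken RDNs, and access decisions keyed on the parent DN (for example, "everyone under ou=Finance") would then be made on the wrong subtree.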

Page 97: ACCESS CONTROL

Lightweight directory Access Protocol (LDAP)

• Operates in a client/server environment

• Typically runs over an unsecured network using TCP port 389

• V. 3 supports TLS to encrypt communications, or SSL via TCP port 636 if security is required.

Page 98: ACCESS CONTROL

Active Directory

• A Microsoft implementation of LDAP

• Provides central authentication & authorization

• Enforces organization security in a uniform and highly auditable manner

• AD uses LDAP for its naming structure

• Uses a hierarchical framework

• Directories are organized into forests and trees

– A forest is a collection of all objects & their associated attributes, and trees are logical groups of 1 or more AD security domains within a forest

• Domains are identified by their DNS name

• Objects in an AD database are grouped by Organizational Units (OUs)

Page 99: ACCESS CONTROL

X.400

• Supports message transfer & message storage

• Addresses consist of a series of name/value pairs separated by a :

• Typical address specifications include:

– O (organizational name)

– OU (organizational unit name)

– G (Given name)

– I (Initial)

– S (Surname)

– C (country name)

• Has largely been supplanted by SMTP-based e-mail systems.

Page 100: ACCESS CONTROL

Single Sign-on

• A unified login for 1 or more systems

• Aka Federated ID management

• Stores credentials for 1 or more systems

• Approach to legacy systems is:

– SSO opens the legacy app & sends the appropriate keystrokes, simulating the user

• Limitations for legacy systems

– Password changes aren’t synchronized

• SSO advantages P. 106-107

• Disadvantages:

– Cost

– Single point of failure

– If a user’s SSO password is cracked, they have it all

– Inclusion of unique systems

Page 101: ACCESS CONTROL

Script-based SSO

• In-house solution for a highly customized shop

• Log-in scripts for every app & user are developed

• Scripts manage all logon & authentication interaction on behalf of the user.

• Disadvantage: cost of development and maintenance

Page 102: ACCESS CONTROL

Kerberos

• Designed to provide strong authentication for client/server applications by using secret key cryptography.

• Provides authentication, authorization and auditing.

• Primary goal is to provide private communications between systems on a network.

• In managing the encryption keys it acts to authenticate each of the principals in the communication based upon possession of the secret key which allows access to the session key.

Page 103: ACCESS CONTROL

Kerberos 4 basic requirements

• Security

– Against attacks by passive eavesdroppers and actively malicious users

• Reliability

– Resources must be available when needed

• Transparency

– Users shouldn’t notice authentication taking place

• Scalability

– Large number of users and servers

Page 104: ACCESS CONTROL

Kerberos process

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service]

Think “Kerberos Server” and don’t let yourself get mired in terminology.

Page 105: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service, with XYZ Service highlighted]

XYZ Service represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc…)

Page 106: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service]

Susan → Authentication Service: “I’d like to be allowed to get tickets from the Ticket Granting Server, please.”

Page 107: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service]

Authentication Service → Susan: “Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”

Page 108: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service; Susan unlocks the box with myPassword and obtains a TGT]

Page 109: ACCESS CONTROL

TGT

Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a shiny “Ticket-Granting Ticket”.

The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication.

The TGT contains no password information.

Page 110: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service]

Susan → Ticket Granting Service: “Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!” (use XYZ)

Page 111: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service]

Ticket Granting Service → Susan: “You’re Susan. Here, take this.” (a service ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”)

Page 112: ACCESS CONTROL

[Diagram: Susan’s Desktop Computer, Key Distribution Center (Authentication Service, Ticket Granting Service), XYZ Service]

Susan → XYZ Service: “I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ.” (the ticket reads “Hey XYZ: Susan is Susan. CONFIRMED: TGS”)

Page 113: ACCESS CONTROL

[Diagram: same participants; XYZ Service receives the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]

XYZ Service: “That’s Susan alright. Let me determine if she is authorized to use me.”

Page 114: ACCESS CONTROL

Authorization checks are performed by the XYZ service…

Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.

Page 115: ACCESS CONTROL

One remaining note:

Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable.

Until a ticket’s expiration, it may be used repeatedly.

Page 116: ACCESS CONTROL

[Diagram: same participants; Susan’s Desktop Computer sends a second copy of the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS” (labels: use XYZ, TGT)]

Susan, to XYZ Service: “ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ.”

Page 117: ACCESS CONTROL

[Diagram: same participants; XYZ Service receives the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]

XYZ Service: “That’s Susan… again. Let me determine if she is authorized to use me.”
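A toy run of the Kerberos exchange drawn on Pages 105 to 117, added here as an illustration and not code from the slides: Susan’s desktop unlocks the Authentication Service’s box with myPassword, presents the TGT to the Ticket Granting Service, and hands the resulting service ticket to XYZ Service, which authenticates her and then makes its own authorization decision (Page 114). The “locked box” is a constructed encrypt-then-MAC over hashlib/hmac so the script needs only the standard library (real Kerberos uses AES-based encryption types); the principal names, secrets and 3600-second lifetime are assumptions, and the authenticator step (proof that the client holds the session key, not just a copy of the TGT) is standard Kerberos behaviour that the slides do not draw.

```python
"""Toy Kerberos ticket flow (slides 105-117). Added illustration, not slide code; the
'locked box' is a constructed encrypt-then-MAC over hashlib/hmac, not a real enctype."""
import hashlib
import hmac
import json

def derive_key(secret):  # long-term key from a principal's secret (the slides' "myPassword")
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key, nonce, length):  # toy SHA-256 counter-mode stream, not for production use
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, payload):  # "lock the box": encrypt JSON under key, append an HMAC tag
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = hashlib.sha256(key + plain).digest()[:16]
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):  # "unlock the box": verify the tag first; a wrong key raises ValueError
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key: cannot unlock this box")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def authenticator(session_hex, now):  # proves the client holds the session key, not just a TGT copy
    return hmac.new(bytes.fromhex(session_hex), str(now).encode(), hashlib.sha256).hexdigest()

class KDC:
    """Key Distribution Center: Authentication Service + Ticket Granting Service."""
    def __init__(self, lifetime=3600):          # slide 115: lifetime is set by the administrator
        self.lifetime = lifetime
        self.keys = {"krbtgt": derive_key("tgs-long-term-secret")}  # constructed TGS secret

    def register(self, principal, secret):
        self.keys[principal] = derive_key(secret)

    def authentication_service(self, user, now):
        # Slide 107: a box locked with the user's password holding a session key and a
        # TGT that only the TGS can open. The TGT carries no password (slide 109).
        session = hashlib.sha256(f"{user}:{now}".encode()).hexdigest()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session, "expires": now + self.lifetime})
        return seal(self.keys[user], {"session": session, "tgt": tgt.hex()})

    def ticket_granting_service(self, tgt_hex, auth, service, now):
        # Slides 110-111: open the TGT, check the authenticator, then mint
        # "Hey XYZ: Susan is Susan. CONFIRMED: TGS" under the service's key.
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        if now > tgt["expires"]:
            raise PermissionError("TGT expired")
        if not hmac.compare_digest(auth, authenticator(tgt["session"], now)):
            raise PermissionError("authenticator does not match the TGT session key")
        return seal(self.keys[service], {"user": tgt["user"], "issuer": "TGS", "expires": now + self.lifetime})

class Service:
    """XYZ Service: the ticket settles identity; authorization is its own job (slide 114)."""
    def __init__(self, secret, authorized_users):
        self.key, self.authorized = derive_key(secret), set(authorized_users)

    def handle(self, ticket, now):
        try:
            t = unseal(self.key, ticket)
        except ValueError:
            return "rejected: ticket not issued for this service"
        if now > t["expires"]:
            return "rejected: expired ticket"
        if t["user"] not in self.authorized:
            return f"authenticated {t['user']} but not authorized"
        return f"access granted to {t['user']}"

def client_get_service_ticket(kdc, user, password, service, now):
    # Susan's desktop, slides 106-111: unlock the AS reply with the password (slide 108),
    # then present TGT + authenticator to the TGS for a service ticket.
    creds = unseal(derive_key(password), kdc.authentication_service(user, now))
    return kdc.ticket_granting_service(creds["tgt"], authenticator(creds["session"], now), service, now)

def demo():
    kdc = KDC(lifetime=3600)
    kdc.register("susan", "myPassword")           # constructed principals and secrets
    kdc.register("bob", "bobsPassword")
    kdc.register("xyz", "xyz-service-secret")
    xyz = Service("xyz-service-secret", authorized_users={"susan"})
    other = Service("other-service-secret", authorized_users={"susan"})
    t0 = 1_000_000.0
    ticket = client_get_service_ticket(kdc, "susan", "myPassword", "xyz", t0)
    bob_ticket = client_get_service_ticket(kdc, "bob", "bobsPassword", "xyz", t0)
    results = {
        "first_use": xyz.handle(ticket, t0 + 10),
        "reuse": xyz.handle(ticket, t0 + 600),            # slide 115: reusable until expiry
        "expired": xyz.handle(ticket, t0 + 4000),
        "wrong_service": other.handle(ticket, t0 + 10),   # sealed under xyz's key, not other's
        "unauthorized": xyz.handle(bob_ticket, t0 + 10),  # slide 114: authenticated != authorized
    }
    try:
        client_get_service_ticket(kdc, "susan", "wrongPassword", "xyz", t0)
    except ValueError as exc:
        results["bad_password"] = str(exc)
    return results

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>14}: {outcome}")
```

Running it prints six outcomes: reuse within the lifetime succeeds, an expired ticket or a ticket minted for another service is refused, Bob authenticates but is not authorized, and a wrong password never opens the first box, so the desktop never even reaches the Ticket Granting Service.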

Page 118: ACCESS CONTROL

Disadvantages of Kerberos

• The entire system depends on the KDC, so it must be physically secured and hardened.

• KDC is a single point of failure

• Length of the keys is important; can’t be too short or too long

• Must embed Kerberos system calls in each application.

Page 119: ACCESS CONTROL

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

• An extension of Kerberos that was designed to address 2 Kerberos weaknesses:

– Kerberos scalability limitations due to the need to manage symmetric keys. The more keys, the more complexity in managing the keys.

– As the need for Kerberos to store user privilege information increases, the need for that information to be located on each server the user accesses increases.

Page 120: ACCESS CONTROL

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

• It overcomes these 2 weaknesses by:

– Offering SSO with distributed access control. This alleviates the need to replicate authentication data between servers.

– Using symmetric & asymmetric cryptographic technologies, which alleviates the key management issues.

Page 121: ACCESS CONTROL

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

• Key attributes

– SSO with distributed A/C using symmetric & asymmetric cryptographic technologies to protect data interchanges

– Role based A/C

– The use of a privilege attribute certification (PAC), similar in functionality to a Kerberos ticket

– The use of Kerberos V5 protocol to access components

– The use of public key cryptography for the distribution of secret keys.

Page 122: ACCESS CONTROL

Perimeter-Based Web portal Access

• SSO for Web applications by using:

– Directory service (LDAP, X.500, AD)

– A Web portal

– Web Access Management system (WAM)

• User logs in to the portal; WAM authenticates & maintains authentication between Web apps

• Effective for Web environments, not Enterprise wide

Page 123: ACCESS CONTROL

Federated Identity Management

• SSO for multiple organizations that must share data & applications

– Each entity subscribes to a common set of policies, standards, & procedures for provisioning & management of identification, authentication & authorization information, & also a common process for A/C

– Each entity establishes a trust relationship with the other participating entities

Page 124: ACCESS CONTROL

2 Basic ways for linking member entities in a FIM

• Cross-Certification:

– Each entity must individually certify that every other participating entity is worthy of its trust

– Each entity reviews the others to see if they meet their criteria

– Drawbacks: Once the number of entities grows, the complexity of managing is too burdensome or expensive

Page 125: ACCESS CONTROL

2 Basic ways for linking member entities in a FIM

• Trusted 3rd party:

– Each entity subscribes to the policies, standards & practices of a trusted 3rd party entity, and the trusted 3rd party manages the verification of all other entities.

– Once the 3rd party verifies a

– Drawbacks: Once the number of entities grows, the complexity of managing is too burdensome or expensive

Page 126: ACCESS CONTROL

Once In-Unlimited Access

• Just what it says

Page 127: ACCESS CONTROL

Data Access Controls Frameworks or Models

• Discretionary

• Mandatory

• Nondiscretionary

Page 128: ACCESS CONTROL


Discretionary Access Control (DAC)

• A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources.

• Access control is at the discretion of the owner.

• VAX, VMS, UNIX, Windows X, MAC

Page 129: ACCESS CONTROL

Mandatory Access Controls (MAC)

• Controls are determined by the system & based on organizational policy. Controls are applied based upon user clearance and the classification of an object or data.

• Used for highly sensitive systems and when owners don’t want users to potentially bypass organizational policies.

• This model is used in environments where information classification and confidentiality are very important (e.g., the military).

• Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications.

Page 130: ACCESS CONTROL

Mandatory Access Controls (MAC)

• System provides access control & owner provides need-to-know control

• Not everyone who is cleared should have access, only those cleared & with a need to know.

• Even if the owner determines a user has a need to know, the system must ascertain that the user is cleared.

• Page 117 examples of access capabilities & Access permissions
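The two-gate decision the MAC slides describe (Pages 129 and 130), as an added example that is not code from the slides: the system’s clearance-versus-label check runs first and the owner’s need-to-know list second, so neither the owner listing a user nor the user being cleared is enough on its own. Levels, compartments, users and documents are constructed.

```python
"""Mandatory access control decision as slides 129-130 describe it: the system checks
clearance against the object's label, the owner supplies need-to-know, and both must
pass. Added example; the levels, compartments, users and documents are constructed."""
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

class Label:
    """A security label: hierarchical level plus a set of compartments (categories)."""
    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        # A clearance dominates a label when its level is at least as high AND it
        # covers every compartment the label carries.
        return self.level >= other.level and other.compartments <= self.compartments

# System-held clearances (constructed). The owner of each document maintains the
# need-to-know list; the owner cannot raise anyone's clearance.
CLEARANCES = {
    "alice": Label("TOP SECRET", {"CRYPTO", "NUCLEAR"}),
    "bob":   Label("SECRET", {"CRYPTO"}),
    "carol": Label("SECRET"),
}
DOCUMENTS = {   # object -> (label assigned per policy, owner's need-to-know list)
    "ops-plan.doc": (Label("SECRET", {"CRYPTO"}), {"alice", "bob"}),
    "budget.xls":   (Label("CONFIDENTIAL"), {"carol"}),
    "sigint-brief": (Label("TOP SECRET", {"CRYPTO"}), {"alice", "bob", "carol"}),
}

def mac_decision(user, obj):
    """Return 'granted' or the reason for denial. The MAC check runs first and cannot
    be overridden by the owner's need-to-know list (slide 130)."""
    label, need_to_know = DOCUMENTS[obj]
    clearance = CLEARANCES.get(user)
    if clearance is None or not clearance.dominates(label):
        return "denied: not cleared for this label (system/MAC)"
    if user not in need_to_know:
        return "denied: cleared, but owner lists no need-to-know"
    return "granted"

def access_report():
    """Every (user, document) pair with its decision, for review by the owner or auditor."""
    return {(u, d): mac_decision(u, d) for u in CLEARANCES for d in DOCUMENTS}

if __name__ == "__main__":
    for (user, doc), verdict in sorted(access_report().items()):
        print(f"{user:6} {doc:14} {verdict}")
```

Bob is on the owner’s list for sigint-brief but is denied because SECRET does not dominate TOP SECRET; Carol holds a SECRET clearance yet is denied ops-plan.doc because she lacks the CRYPTO compartment; Alice is cleared for budget.xls but denied because the owner never gave her a need to know.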

Page 131: ACCESS CONTROL

Nondiscretionary

• Administrator determines who has access and what privileges

Page 132: ACCESS CONTROL

Access Control Lists (ACL)

• List of permissions associated with an object

• Keyword=Action

– Router: IP Address=Allow or IP Address=Deny

– User1=R, X, L, W

– User2=R, L

– Group A=R, X, L

– Group B=R, L

• Access Control Matrix is an ACL in the form of a table. Page 119

Page 133: ACCESS CONTROL


Rule Based Access Control

• Uses specific rules that indicate what can and cannot happen between a subject and an object.

• Not necessarily identity based.

• Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.

• Example Page 120

Page 134: ACCESS CONTROL

Role Based Access Control (RBAC)

Page 121

• Role Based Access Control (RBAC) is a methodology of limiting tasks to objects based on a specific role

• Administration boundaries can be synonymous with job duties or functions and can be associated with individual users

• The goal in role definition is to determine in advance all the access that a user might require to perform a specific task or job

• Scalability and efficiency gains are two benefits of role-based administration

• Aligns with an organization’s structure of roles and responsibilities
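An added example (not code from the slides) of the RBAC model this slide describes: permissions are defined in advance per job function, users are assigned roles, a role hierarchy lets a manager inherit subordinate roles, and a job change is a role swap with no per-object edits, which is where the scalability gain comes from. Roles, permissions and users are constructed.

```python
"""Role based access control (slide 134): permissions attach to roles that mirror job
functions, users are assigned roles, and a request is checked against the union of the
user's roles. Added example; roles, permissions and users are constructed."""

ROLE_PERMISSIONS = {   # (object, action) pairs decided in advance per job function
    "payroll-clerk": {("payroll.xls", "read"), ("payroll.xls", "write")},
    "auditor":       {("payroll.xls", "read"), ("audit-log", "read")},
    "helpdesk":      {("user-directory", "read"), ("user-directory", "reset-password")},
}
ROLE_INHERITS = {"payroll-manager": {"payroll-clerk", "auditor"}}   # role hierarchy
USER_ROLES = {   # assignment follows the org chart, not individual objects
    "dana": {"payroll-clerk"},
    "eve": {"auditor"},
    "frank": {"payroll-manager"},
    "gus": {"helpdesk"},
}

def expand_roles(roles):
    """Resolve inherited roles so a manager holds everything the roles below it hold."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INHERITS.get(role, ()))
    return seen

def permissions_of(user):
    """Union of the permissions of every role (direct or inherited) the user holds."""
    perms = set()
    for role in expand_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def rbac_allowed(user, obj, action):
    """Default deny: only a permission reachable through some role grants access."""
    return (obj, action) in permissions_of(user)

def reassign(user, new_roles):
    """Job change: replace the role set. No object's permissions are touched, and the
    user loses the old role's access in the same step."""
    USER_ROLES[user] = set(new_roles)
    return permissions_of(user)

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(permissions_of(user)))
```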

Page 135: ACCESS CONTROL


Content Dependent Access Control

• Access to an object is determined by the content within the object.

Page 136: ACCESS CONTROL


Constrained User Interfaces

• Restrict users’ access abilities by not allowing them certain types of access, or the ability to request certain functions or information

• Three major types

– Menus and Shells

– Database Views

– Physically Constrained Interfaces

Page 137: ACCESS CONTROL

Capability table:

• Specifies the access rights a certain subject possesses pertaining to certain objects

• Bound to a subject and indicates what objects that subject can access.

• Page 123 Figure 1.27
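An added example (not code from the slides) that builds the access control matrix behind the ACL entries on Page 132, reads it as a per-object ACL and as a per-subject capability table (this slide), resolves group membership, and evaluates the router-style IP Address=Allow / IP Address=Deny list top-down with an implicit deny. The User1/User2/Group A/Group B rights are the slide’s; object names, group members and IP prefixes are constructed.

```python
"""Access control matrix with its two views: the per-object ACL (slide 132) and the
per-subject capability table (slide 137), plus a first-match router ACL. Added example;
the User1/User2/Group A/Group B rights come from slide 132, the object names, group
members and IP rules are constructed."""
import ipaddress

# Rights use the slide's letters: R read, W write, X execute, L list.
MATRIX = {   # subject -> object -> rights; an absent cell means no access
    "User1":   {"payroll.xls": {"R", "X", "L", "W"}},
    "User2":   {"payroll.xls": {"R", "L"}},
    "Group A": {"payroll.xls": {"R", "X", "L"}, "reports/": {"R", "L"}},
    "Group B": {"payroll.xls": {"R", "L"}},
}
GROUPS = {"Group A": {"User3"}, "Group B": {"User4"}}   # constructed membership

def acl_for(obj):
    """Column view: the ACL stored with the object lists every subject and its rights."""
    return {subj: set(rights[obj]) for subj, rights in MATRIX.items() if obj in rights}

def capabilities_of(subject):
    """Row view: the capability table bound to a subject lists what it may touch."""
    return {obj: set(r) for obj, r in MATRIX.get(subject, {}).items()}

def effective_rights(user, obj):
    """Union of the user's own ACL entry and the entries of the groups it belongs to."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    acl = acl_for(obj)
    return set().union(*(acl.get(p, set()) for p in principals))

def is_allowed(user, obj, right):
    """Default deny: a right granted nowhere in the matrix is refused."""
    return right in effective_rights(user, obj)

ROUTER_ACL = [   # slide 132's "IP Address=Allow / IP Address=Deny", read top-down
    ("10.0.0.5", "Deny"),        # a single host listed before the subnet that contains it
    ("10.0.0.0/24", "Allow"),
]

def router_decision(src_ip, rules=ROUTER_ACL):
    """First matching rule wins; no match falls through to an implicit Deny."""
    ip = ipaddress.ip_address(src_ip)
    for prefix, action in rules:
        if ip in ipaddress.ip_network(prefix):
            return action
    return "Deny"

if __name__ == "__main__":
    print("ACL for payroll.xls:", acl_for("payroll.xls"))
    print("Capabilities of User1:", capabilities_of("User1"))
    print("User3 may execute payroll.xls via Group A:", is_allowed("User3", "payroll.xls", "X"))
    for ip in ("10.0.0.5", "10.0.0.7", "192.168.1.1"):
        print(ip, "->", router_decision(ip))
```

Rule order matters in the router list: swapping the two entries would let the subnet rule match 10.0.0.5 first and silently override the host deny, which is the class of mistake an ACL review should look for.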

Page 138: ACCESS CONTROL

Temporal(Time-Based) Isolation

• Activities are OK or Not OK based upon not who but when.

• Examples:

– If you leave class before the lecture ends, it’s not OK

– All classified processing occurs in the morning

Page 139: ACCESS CONTROL

Intrusion Detection and Prevention Systems

• IDS

– Informative tool that provides real-time information when suspicious activities are identified

– Not used to directly prevent the suspected attack

• IPS

– Monitors like an IDS; however, it will automatically take proactive preventive action if it detects unacceptable activity.

• Important to tune the system to detect true attacks

Page 140: ACCESS CONTROL

Network Intrusion Detection System (NIDS)

• Install tap or mirror ports on a core switch

– Works in promiscuous mode

– Must be able to handle the amount of traffic

• Encryption can be a problem

• Can be integrated into other network devices

Page 141: ACCESS CONTROL

Host Based IDS, aka HIDS

• Analyze the activity within a particular computer system

• Can be installed on individual workstations and/or servers and watch for inappropriate or anomalous activity.

• Usually used to make sure users do not delete system files, reconfigure important things, or put the system at risk in any other way.

• HIDS universe is limited to the computer itself.

• Multi-host IDSs allow systems to share policy information & attack data & remediation actions.

• Drawback is that they consume an inordinate amount of host resources

Page 142: ACCESS CONTROL

IDS Analysis Engine Methods

• 2 basic analysis methods

– Pattern Matching

  • Looks for known attacks

– Anomaly Detection

  • Looks for system changes

– Stateful Matching

– Statistical Anomaly-Based

– Protocol Anomaly-Based

– Traffic Anomaly-Based

Page 143: ACCESS CONTROL

Pattern match (signature analysis) IDS Method

• Pattern match (signature analysis)

– Models of specific attacks and how they are carried out. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.

• Similar to antivirus software

• Signatures must be continuously updated

• Cannot identify new attacks

Page 144: ACCESS CONTROL

Anomaly Analysis IDS Methods

• Based on behavior identification (system changes) or anomalies

• Possible list of anomalies, P.127

• Tend to report more data & false positives

Page 145: ACCESS CONTROL

Stateful matching IDS Method

• Uses signatures and tracks system state changes that indicate an attack is underway.

• State: a snapshot of an operating system’s values in volatile, semi-permanent, and permanent memory locations.

• Every change that an operating system experiences is considered a state transition.

• A state transition is when a variable’s value changes, which usually happens continuously within every system.

• Example Page 128

Page 146: ACCESS CONTROL

Statistical Anomaly-Based

• Examines event data by comparing it to typical known or predicted traffic in an effort to find potential security breaches.

• It attempts to identify suspicious behavior by identifying patterns that are not the norm

• Tuning can be challenging if not done regularly

• Definition of normal traffic is open to interpretation

• Has potential to detect unknown attacks

Page 147: ACCESS CONTROL

Protocol Anomaly-Based IDS

• Identifies any unacceptable deviation from expected behavior based on known network protocols

• Prone to same issues as signature-based IDSs

Page 148: ACCESS CONTROL

Traffic Anomaly-Based

• Identifies any unacceptable deviation from expected behavior based on actual traffic structure
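The analysis methods of Pages 143, 146 and 147 run side by side over constructed web-server log lines, as an added example rather than code from the slides: a signature matcher, a statistical rate check against a learned baseline, and a protocol check on the request line. All log lines, signatures and baseline counts are made up. Note which detector catches which line: the signature method sees nothing wrong with the flood client, and the statistical method sees nothing wrong with the two signature hits, which is why the slides treat them as complementary.

```python
"""Three IDS analysis methods from slides 143-147 over constructed web-server log lines:
signature matching, statistical (rate) anomaly and protocol anomaly detection.
Added example, not code from the slides; every log line and baseline value is made up."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

LOG = [  # constructed, Apache-style access log lines
    '10.0.0.7 - - [22/Feb/2016:10:00:01] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/Feb/2016:10:00:02] "GET /about.html HTTP/1.1" 200 733',
    '10.0.0.9 - - [22/Feb/2016:10:00:03] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [22/Feb/2016:10:00:04] "GET /search?q=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 120',
    '10.0.0.12 - - [22/Feb/2016:10:00:05] "FOO /index.html HTTP/1.1" 400 0',
] + [f'10.0.0.21 - - [22/Feb/2016:10:00:{s:02d}] "GET /a HTTP/1.1" 200 10' for s in range(6, 18)]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+)$')

def parse(line):
    """Return the fields of one log line, or None if it does not fit the expected layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

# Slide 143: models of specific known attacks; anything not matched is treated as acceptable.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

def signature_alerts(lines):
    """(ip, signature name) for every line that matches a known-attack pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        decoded = unquote(rec["path"])     # match the decoded form so %-encoding cannot hide it
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["ip"], name))
    return alerts

# Slide 146: compare observed behaviour with a learned notion of "normal".
BASELINE_REQUESTS_PER_CLIENT = [3, 2, 4, 3, 2, 3, 4, 3]   # constructed training window

def statistical_alerts(lines, baseline=BASELINE_REQUESTS_PER_CLIENT, sigma=3.0):
    """Clients whose request count exceeds mean + sigma * stdev of the baseline.
    A lower sigma catches more but raises false positives (slide 144)."""
    threshold = statistics.mean(baseline) + sigma * statistics.pstdev(baseline)
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return {ip: n for ip, n in counts.items() if n > threshold}

# Slide 147: deviation from what the protocol specification allows.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def protocol_alerts(lines):
    """(ip, reason) for request lines that are malformed or use an unexpected method/version."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append(("?", "unparseable request line"))
        elif rec["method"] not in HTTP_METHODS or not rec["proto"].startswith("HTTP/"):
            alerts.append((rec["ip"], f"unexpected method/version {rec['method']} {rec['proto']}"))
    return alerts

if __name__ == "__main__":
    print("signature  :", signature_alerts(LOG))
    print("statistical:", statistical_alerts(LOG))
    print("protocol   :", protocol_alerts(LOG))
```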

Page 149: ACCESS CONTROL

Intrusion Response

• Inject a rule into the firewall, or modify access control for routers, VPNs or VLAN switches

– May be a disadvantage if replicated to other devices

• Disable communications

• Disable user accounts

• Enable additional auditing

Page 150: ACCESS CONTROL

Intrusion Response

• Sensor

– Identifies an event

– Must tune sensitivity properly

• Control & communication

– Notification component: email, pager, PDA

• Enunciator

– IDs correct business unit, formats msg for specific devices

– Determining who gets notified & what their response is

Page 151: ACCESS CONTROL

IDS Management

• Must devote planning, time, money & expert personnel to properly manage an IDS solution

• Page 132