Access control is the set of procedures (hardware, software and administrative) used to monitor access to systems, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules and policies.
The trio in access control
Threat, vulnerability & risk
C - Confidentiality
I - Integrity
A - Availability
Confidentiality
Not disclosed to unauthorized persons
Integrity
Prevention of modification by unauthorized users
Prevention of unauthorized changes by otherwise authorized users
Internal and External Consistency
Internal Consistency – consistency within the system (e.g. within a database the sum of the subtotals equals the sum of all units)
External Consistency – consistency of the database with the real world (e.g. the database total equals the actual inventory in the warehouse)
Availability
Timely access
Three things to consider
Threats – potential to cause harm
Vulnerabilities – weakness that can be exploited
Risk – the potential for harm when a threat exploits a vulnerability
Controls
Preventative – prevent harmful occurrence
Detective – detect after harmful occurrence
Corrective – restore after harmful occurrence
Controls can be:
Administrative – policies and procedures
Logical or Technical - restricted access
Physical – locked doors
Identification and Authentication
Identification establishes accountability
Identification is done by entering public information such as a user name, employee number, account number, department ID, etc.
Three authentication factors
Something you know (password)
Something you have (token)
Something you are (biometrics)
Sometimes - something you do
Authentication
Strong authentication is a combination of two factors, not just the use of biometrics.
Electronic monitoring (sniffing) listens to network traffic and can capture information, especially when a user is entering a password.
Passwords, x.509 certificates, biometrics, smart cards, anonymous.
SecurID: two-way authentication; OTP + something you know/have
S/Key: OTP
Passwords
Static – same each time
Dynamic – changes each time you logon
One-time – the password expires after one use; this is also called a token
Cognitive passwords – fact-based cognitive data used for user authentication (favorite color, movie, etc.)
Passphrase – a phrase that is transformed into a virtual password.
Passwords shall be stored as one-way hashes. If a password file is obtained, dictionary attacks can be made against it, followed by brute-force attacks.
Password checkers, password generators, limiting the age of passwords and limiting logon attempts can be additional controls on passwords.
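The one-way hash storage described above, as an added example that is not part of these notes. It assumes PBKDF2-HMAC-SHA256 as the one-way function, a random 16-byte salt per user, and a constructed iteration count; the salt is what stops one precomputed dictionary from covering every entry in a stolen password file.

```python
"""Salted one-way password storage and checking (added example; not part of
the notes). Assumptions: PBKDF2-HMAC-SHA256 as the one-way function and a
16-byte random salt per user; the iteration count is a constructed value."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor: slows each guess in a dictionary attack


def make_record(password: str, salt: bytes = None) -> dict:
    """Store only the salt and the one-way hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Per-user salts mean two users with the same password get different
    records, so one precomputed dictionary cannot cover the whole file."""
    return make_record(password)["hash"] != make_record(password)["hash"]
```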
Tokens – Smartcards / Memory cards
Static password (e.g. software protected with a PIN)
Owner Authenticates to the token
Token authenticates to the system
Tokens are something you have
Disadvantages: battery failure; losing the token device itself.
Synchronous Dynamic Password
Token – generates passcode value
Pin – user knows
Token and Pin entered into PC
Must fit in a valid time window (time based)
Token and server share the same secret key for encryption and decryption.
If event based, the user initiates the logon sequence and pushes a button on the token, which generates the relevant value.
Asynchronous
Similar to synchronous, but the new password is generated asynchronously; no time window
Challenge-response (asynchronous type)
System generates challenge string
User enters into token
Token generates response entered into workstation
Mechanism in the workstation determines authentication
A front-end authentication device and a back-end authentication server that services multiple workstations can perform the authentication.
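The synchronous (time-based and event-based) token and the asynchronous challenge-response exchange described above, as one added example that is not part of these notes. It assumes HMAC-SHA1 with RFC 4226 dynamic truncation for the one-time codes and HMAC-SHA256 for the challenge response; SECRET is the published RFC 4226/6238 test-vector key, used only as sample data.

```python
"""Token code generation and server-side checking (added example, not from
the notes). Assumptions: HMAC-SHA1 with RFC 4226 dynamic truncation for the
one-time codes, HMAC-SHA256 for challenge-response. SECRET is the RFC 4226
test-vector key, used here only as constructed sample data."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # shared secret held by token and server


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at a data-dependent offset."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def event_code(secret: bytes, counter: int) -> str:
    """Event-based token: the code for the n-th button press (counter-synced)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def sync_code(secret: bytes, now: int, step: int = 30) -> str:
    """Time-synchronous token: the counter is the current 30-second slot."""
    return event_code(secret, now // step)


def verify_sync(secret: bytes, code: str, now: int, step: int = 30,
                window: int = 1) -> bool:
    """Server side: accept the code only if it fits the valid time window
    (current slot plus/minus `window` slots, to absorb small clock drift)."""
    slot = now // step
    return any(hmac.compare_digest(event_code(secret, c), code)
               for c in range(slot - window, slot + window + 1))


def respond(secret: bytes, challenge: bytes) -> str:
    """Challenge-response: the token answers the server's challenge string;
    the shared secret itself never crosses the wire."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare."""
    return hmac.compare_digest(respond(secret, challenge), response)
```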
Memory cards (two-factor)
Without processing power; the user types a user ID or PIN into the reader, which compares it with the value stored on the memory card to authenticate.
Smart cards (two-factor)
Has processing capability with a chip; the user enters a PIN, which the reader one-way hashes and compares with the one-way hash of the value held on the card to authenticate.
Hence the user authenticates to the card by providing the correct PIN, and the card authenticates the user to the authentication service (this can be any of the token mechanisms explained above, including a private key if employed in a PKI environment).
- Reverse-engineer/tamper resistant
- Each user’s card contains unique info
- Identity, PIN, privileges, etc.
- Card’s micro performs secret, 1-way transformation of user’s PIN: Stores unreadable PIN secretly in memory
Disadvantages:
- One example is the so-called "timing attack" described by Paul Kocher. In this attack, various byte patterns are sent to the card to be signed by the private key. Information such as the time required to perform the operation and the number of zeroes and ones in the input bytes are used to eventually obtain the private key.
- Most smartcard operating systems write sensitive data to the EEPROM area in a proprietary, encrypted manner so that it is difficult to obtain clear text keys by directly hacking into the EEPROM
- Another attack involves a rogue Trojan horse application that has been planted on an unsuspecting user’s workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will. The countermeasure to prevent this attack is to use a “single-access device driver” architecture.
Cryptographic keys: presenting a private key or a digital signature (digitally signing a message) is one way of authenticating a user. A key pad is used for this type of authentication.
Authorisation is allowing you to carry out the actions you are requesting, based on pre-defined rules.
Access criteria
Roles, Groups, Physical location, logical location, time of day, transaction type
It is better to default to no access: if access is not explicitly allowed, then it MUST be implicitly denied.
Rule of least privilege
Any object (user, administrator, program, system) should have only the least privilege the object needs to perform its assigned task and no more.
Authorization creep occurs when someone continues to retain access privileges associated with a former position.
Users should be re-authorised for each position change.
Accountability is important to access control.
Accountability
Achieved by recording user, system and application activities, i.e. by enabling an audit trail. The trail is also used for performance information and for certain types of errors and conditions.
Clipping levels
A clipping level is the threshold below which activity is treated as normal and not flagged; thresholds and parameters for each audited item need to be configured.
Review of audit information
Post event oriented
Unusual behavior
Audit reduction – seeing only what is important
Variance detection – resource usage, trends and variations
Attack signature detection – specific attack based.
Keystroke monitoring – during an active session, only for the short term, when a user is suspected: capture what is typed and trap the activity;
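Clipping levels and audit reduction from the two passages above, as an added example that is not part of these notes. It assumes a constructed audit-line format and a constructed clipping level of 3 failed logons per user within 5 minutes; only activity above the level is reported, everything below it is treated as normal noise.

```python
"""Clipping-level review of an audit trail (added example, not from the notes).
Assumptions: a constructed log format and a clipping level of 3 failed
logons per user within a 5-minute window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines, not real log data.
AUDIT_LINES = """\
2024-03-01T09:00:05 user=alice event=LOGON_FAIL
2024-03-01T09:00:09 user=alice event=LOGON_OK
2024-03-01T09:01:10 user=bob event=LOGON_FAIL
2024-03-01T09:01:40 user=bob event=LOGON_FAIL
2024-03-01T09:02:15 user=bob event=LOGON_FAIL
2024-03-01T09:02:50 user=bob event=LOGON_FAIL
2024-03-01T09:30:00 user=carol event=LOGON_FAIL
2024-03-01T09:40:00 user=carol event=LOGON_FAIL
2024-03-01T09:50:00 user=carol event=LOGON_FAIL
2024-03-01T10:00:00 user=carol event=LOGON_FAIL
""".splitlines()


def parse(line: str):
    """Split one audit line into (timestamp, user, event)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["event"]


def over_clipping_level(lines, level=3, window=timedelta(minutes=5)):
    """Return {user: first timestamp at which failed logons within `window`
    exceeded `level`}. Failures at or below the level are normal noise
    (audit reduction); only the excess is reported for review."""
    recent = defaultdict(list)   # per-user failures still inside the window
    alerts = {}
    for line in lines:
        ts, user, event = parse(line)
        if event != "LOGON_FAIL":
            continue
        window_fails = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = window_fails
        if len(window_fails) > level and user not in alerts:
            alerts[user] = ts
    return alerts
```

Carol's four failures spread over 30 minutes stay under the level, so they never surface; Bob's four within two minutes do.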
Protecting audit log
Deleting a log, or the data within it, is called scrubbing; hence logs must be safeguarded and stored on write-once media (e.g. CD-ROM).
Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
Access Control Models
Discretionary Access Control (DAC) – uses ACLs and access control matrices; dictated by the owner; set by the administrator and enforced by the OS.
- Based on the individual’s need-to-know rather than on sensitivity labels.
- Not a replacement for MAC, but provides granularity within the provisions of MAC.
- Also called user-directed access control, which is more dynamic.
- Identity based access control is based on individual’s identity.
- Subject has authority to specify which objects are available
- Common in commercial context because of flexibility.
- Orange Book – C Level.
Mandatory Access Control (MAC) – depends on labels (sensitivity levels of objects)
A subject’s access to an object is dependent on labels (the marking control objective in the Orange Book).
Military – unclassified, confidential, secret, top secret
The subject’s clearance/authorization must match the classification/sensitivity of the object
Should reflect accurately the laws, regulations, and general policies from which they are derived
Need to know still applies
Labels can’t be changed
Rule-based access control, not only by the identity of subjects and objects alone; rules govern the handling of information throughout its life cycle (Orange Book).
Static role
Orange book B level
Can’t copy a labeled file into another file with a different label
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive.
Advantages: Very strict enforcement of security, centrally administered
It is suggested that the number of hierarchical levels should be greater than or equal to 16 and the number of non-hierarchical levels (categories) greater than or equal to 64.
Non-discretionary access control – a central authority determines access
Role Based – on role within the organization.
Task Based – on responsibilities and duties.
Lattice based – on the sensitivity level assigned to the role.
Frequent turnover is fine with role-based non-discretionary access control.
A user is restricted to what the role allows, unlike group-based control, where the user can also exercise rights assigned individually.
Lattice based – provides the least access privileges of the access pair:
Greatest lower bound
Least upper bound
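The lattice of labels used by MAC, as an added example that is not part of these notes. It assumes the military levels listed earlier plus a set of need-to-know compartments; a label dominates another when its level is at least as high and its compartments are a superset, and the least upper bound and greatest lower bound of a pair follow from that ordering.

```python
"""Lattice of security labels (added example, not from the notes).
Assumptions: the four military levels from the notes plus a set of
need-to-know compartments; label A dominates label B when A's level is at
least B's and A's compartments include all of B's."""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both, e.g. the
    label a document needs after combining data labelled a and b."""
    level = LEVELS[max(LEVELS.index(a.level), LEVELS.index(b.level))]
    return Label(level, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both, i.e. the
    least access privilege common to the pair."""
    level = LEVELS[min(LEVELS.index(a.level), LEVELS.index(b.level))]
    return Label(level, a.compartments & b.compartments)


def may_read(clearance: Label, classification: Label) -> bool:
    """MAC check: a subject may read an object only if its clearance
    dominates the object's label; need-to-know (compartments) still applies."""
    return clearance.dominates(classification)
```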
Role Based Access Control – role based (on role within the organization) or task based (on responsibilities and duties).
Works with both discretionary and mandatory access models.
In DAC: administrators can develop roles and owners can decide whether these roles can have access to their resources.
In MAC: a role and a sensitivity label for each role.
Rule based access control – based on specific rules.
A form of mandatory access control: the administrator sets the rules and users can’t modify them. Central control.
Access Control Matrix, or Harrison-Ruzzo-Ullman (HRU) model – access rights can be directly assigned to subjects (capabilities) or to objects (ACLs). The subject is bound to the capability table, whereas the object is bound to the ACL.
A matrix indicating what actions each individual subject can take on each object.
Access control list (ACL) – a register, bound to an object, of
- the subjects that have been given permission to use the object (the list of subjects authorized to access a specific object, which defines what level of authorization is granted);
- the type of access they have been permitted.
Preferred for need-to-know access control.
Ex: File one is accessed by ……
Capability tables – specify the access rights a certain subject has pertaining to specific objects. Ex: Diane can do ……
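The access control matrix with its two views (ACL per object, capability list per subject) from the passages above, as an added example that is not part of these notes. Subjects, objects and rights are constructed sample data; the grant function is an HRU-style command guarded by an owner check, and anything not entered in the matrix is denied by default.

```python
"""Access control matrix, its ACL and capability views, and DAC granting
(added example, not from the notes). All names and rights are constructed."""

# The matrix: rows are subjects, columns are objects, cells are right sets.
# Missing cells are empty, which is the "default to no access" rule.
MATRIX = {
    "diane": {"file1": {"own", "read", "write"}, "printer": {"use"}},
    "bob":   {"file1": {"read"}},
}


def is_allowed(subject: str, obj: str, right: str) -> bool:
    """Default deny: only rights explicitly in the matrix are granted."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def acl(obj: str) -> dict:
    """Object-bound view (the ACL): who may do what to this object."""
    return {s: set(rights[obj]) for s, rights in MATRIX.items() if obj in rights}


def capabilities(subject: str) -> dict:
    """Subject-bound view (the capability table): what this subject may do."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items()}


def grant(granter: str, subject: str, obj: str, right: str) -> bool:
    """DAC: only the object's owner may extend the matrix (an HRU 'enter
    right' command conditioned on the granter holding 'own')."""
    if not is_allowed(granter, obj, "own"):
        return False
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True
```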
Constrained user interface (restricted interface) – menus and shells (database views) with a limited keyboard (e.g. an ATM).
Content dependent access control – access decision based on the data itself, not solely on subject identity.
LOMAC
LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module; no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.
Flask
Flask is an operating system security architecture that provides flexible support for security policies.
Access Control Administration – methodologies
Centralized
RADIUS – Remote Authentication Dial-In User Service – client-server protocol
Authenticates and authorizes users, usually dial-up users. Supports dynamic passwords.
Call back can be used but can be circumvented by call forwarding.
CHAP: supports encryption, protects the password from eavesdroppers.
An actual international standard.
At server installation: a dictionary file composed of a series of attribute/value pairs that the server uses to parse requests and generate responses. Two configuration files: the client file contains the address of each client and the shared secret used to authenticate transactions; the server file contains the user identification and authentication information as well as connection and authorization parameters. UDP packets are used for authentication.
Client: configured with the IP addresses of the servers, the shared secret and the IP port numbers of the authentication and accounting services.
8 standard transaction types. Authorisation parameters include PPP, SLIP, TCP/IP and IPX. RADIUS can act as a proxy for client requests, forwarding them to servers in other authentication domains. Works well for remote access authentication but is not suitable for host or application authentication, with web servers as the first exception.
Adopted as a standard protocol by the IETF.
RADIUS: client-server protocol; encryption; uses UDP.
Offers similar benefits to TACACS+.
Often used as a stepping stone to TACACS+.
The RADIUS server contains passwords and network service access information (network ACLs).
RADIUS is a fully open protocol and can be customized for almost any security system.
Provides extended user profiles; bundled with the network OS.
Can be used with Kerberos and provides CHAP remote node authentication.
Except does not work with
AppleTalk Remote Access Protocol
NetBios Frame Protocol Control Protocol
Netware Asynchronous Services Interface
X.25 PAD Connection
Does not provide two-way authentication and is not used for router-to-router authentication.
TACACS – Terminal Access Controller Access Control System
Static password for network access.
The original TACACS protocol was developed by BBN for MILNET. It was UDP based.
Provides remote authentication and related services.
User passwords are administered in a central database rather than in individual routers.
The TACACS-enabled network device prompts for a user name and static password.
The TACACS-enabled network device queries the TACACS server to verify the password.
Does not support prompting for a password change or the use of dynamic tokens.
Event logging is provided by TACACS.
TACACS+ – Terminal Access Controller Access Control System Plus; supports token authentication
TACACS+ is the latest Cisco implementation. Stronger protection through the use of tokens for two-factor, dynamic password authentication. Supports more authentication parameters than RADIUS.
Client-server protocol. Proposed IETF standard; uses a single configuration file to control server options.
Authentication: 3 packet types; Authorisation: request and response; Accounting: similar to authorization.
Proprietary Cisco enhancement.
Two-factor authentication.
User can change password/resync security token.
Ability to use secure tokens.
Better audit trails.
TACACS+: authentication and encryption, uses TCP.
Event logging is not provided by TACACS, though TACACS+ has a better audit trail.
Diameter
Highly extensible AAA framework capable of supporting any number of authentication, authorization or accounting schemes. Built on RADIUS concepts.
Decentralised – a powerful model through the use of databases (developed by E.F. Codd of IBM); relational, object-oriented, hierarchical, object-relational.
Security Domain – used for decentralized access control; it can be implemented in the hierarchical and relationship models. This is a separation mechanism that controls resource access capabilities and activities, protects resources and controls how access activities are performed.
Hybrid – a domain for core resources such as servers, network etc.; user files etc. are administered by the users themselves.
Intrusion Detection Systems
(not a preventive measure; it is a detective measure)
Host-based – reviews on the host
System and event logs – writes to log files; limited by log capabilities
Use small programs (agents) on hosts
Only sees attacks to the host computer
Network-based – real time; hence can limit the progress of an attack
Passive
DOS can be detected
Will not detect an attack on a host
IDS sensors detect events and send data to the monitoring software, which accepts data from all sensors, analyses the event, determines whether it has occurred before (trend analysis) and responds.
Network traffic will be affected
NIC in promiscuous mode
Signature based – knowledge based – signatures of attacks are stored and referenced
Fails to recognize slow attacks
Must have a signature stored to identify an attack, and identifies only that.
Pros: low false alarms; alarms standardized.
Cons: resource intensive; new or unique attacks not found.
Behavior based – statistical anomaly based – the IDS determines a “normal” usage profile using statistical samples
Detects anomalies from the normal profile (outside normal)
Uses expert system technology, which attempts to think like a human.
Real-time anomaly detection is possible with a time-based induction machine, which is virtual.
False alarms are high
Pros: dynamically adapts; not as operating-system specific.
Cons: high false alarm rates; user activity may not be static enough to implement this IDS.
Honey pot – a sacrificial lamb on the network.
Administrators want to keep attackers away
and want to go after those who hurt them (log, enable auditing, and perform forensics to prosecute).
Entices a would-be attacker; no risk if attacked; made attractive
Enables the administrator to identify various attacks so that systems can be fortified
The longer the attacker stays, the easier the trace
Must not entrap: making him carry out an attack he was not intending before is illegal.
Enticement: luring him to take advantage (open ports, attractive material, etc.)
Entrapment: deceiving him into attacking and then trapping him when he does – illegal
A honeypot is a system designed to look like something that an intruder can hack. Examples can be:
- Installing a machine on the network with no particular purpose other than to log all attempted access.
- Installing an older unpatched operating system on a machine. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the machine, and further track what the intruder attempts to do with the system once it is compromised.
- Install special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing them access.
- Any existing system can be "honeypot-ized". For example, on WinNT, it is possible to rename the default "administrator" account, then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot will track users attempting to gain administrator access and exploit that access.