Categorii: Tot - authorization - access - identity - authentication

realizată de Walkowska Anna 17 ani în urmă

1541

CISSP: Access Control Systems and Methodology

Access control systems encompass various methods to ensure security, focusing on identity, authentication, and authorization. Identity is a claim about who you are, while authentication verifies this claim through methods like tokens or biometrics.

CISSP: Access Control Systems and Methodology

Access Control Systems and Methodology

Top Level

Current Practices
Tokens
Layered defences
Use third party tools in RBAC

for NDS and AD

Implement MAC if possible
Threats to Access Control
Poor administration knowledge
Misuse of privilege
User distrust of biometrics

Order of Acceptance

Retina Pattern

Finger Print

Hand Print

Signature

Keystroke Pattern

Voice Pattern

Overview
Access Controls reduce Risk
Access Controls protect CIA
Controlling who can do what
Methods of Attack
Browsing

Sift through large volumes of

data for information

Inference

Traffic analysis

Learning something through

analysis

Code alteration

When someone has altered

your code

Root kits

Interrupts

Exploits hardware vulnerabilities

Faultline Attacks

TOC/TOU

Exploits time base vulnerabilities

Time of Use

Time of Check

Remote Maintenance
Brute Force
Cramming

Specifically crafted URLs

Buffer Overflow

Stack Smashing

Denial of Service

Resource Exhaustion

Spamming

Flooding

SYN Flood

Fork Bomb

Malicious Code

Trap Doors

Trojan

Worm

Lattices
Access Controls
Mandatory Access Control
Discretionary Access Control
Accountability

Terms and Principles

pranksters
hacker who conduct tricks on others, but are not intending to inflict any long-lasting harm.
Access Control Model Terminology
Types of Access Control Systems for File Systems

Must use Reference Monitor

Ensures interactions between Subjects and Objects are:

Irrevocable

Tamper-proofed

Verifiable

Role Based

Discretionary

Mandatory

Interaction

Interaction dictated by policy

How are the rules enforced?

What are the business rules?

Rules evaluated in Security Reference Monitor to allow or disallow interaction

Rules = Attributes

Objects assigned security attributes

Subject assigned Security Attributes

Labels (Sensitivity)

In addition to rules

Can be used to group Subjects

Can be used to group Objects

Data objects = Classifications

Users/Subjects = Clearances

Rules (Filters)

Windows NT4

No Access

UNIX

Execute

Write

Read

Objects (Passive)

ports

sockets

devices

pipes

Directories

Files

Subjects (Active)

Processes

Rotation of Duties
Forced Leaves

Helps detect fraud

Prevent over familiarization with roles
Rotate persons though roles
More critical the job the more segmentation
Break jobs into multiple segments
Decentralized Contol
Centralized Contol
Least Privilege
Reduce the misuse of Privilege
What are the business needs
Availability versus security

Most Secure = No Access

Access control needs good administration
Data custodian
System Admin
Network Admin
Server Admin
DBA
CIO
Data owner
CFO
CEO

Techniques

Access Control Modes
Non-Interference

Each input processing path should be independent and have no internal relationships

Based on variations in the input there should be no way to predict the output

Covert Channels

Additional reading

ucsb.edu

Sans Reading Room

Uses normal system resources to signal information

Can not be stopped

Can be introduced deliberately

Information flows from higher to lower classifications

State Machine

Monitors changes introduced after the initial state

By Event

By chronology

Captures the state of a system at a given point of time

Example: Authentication

Authorized

Authorization Pending

Authenticated

Authentication Pending

Unauthenticated

Information Flow

related to access models

in the role based model, a role is defined in a set of operations on objects. The role represents a function or job in the application. The access rule is defined to bind a subject to the roles.

in the mandatory model, the access rule (s,o,t) is specified so that the flow relation between the subject (s) and the object (o) holds. Read and Write are the only considered forms of operations (t)

in lattice one security class is given to each entity in the system. A flow relation among the security classes is defined to denote that information in one class (s1) can flow into another class (s2).

the tuple

operation

Defined:

A type of dependency that relates two versions of the same object, and thus transformation of one state into another, at successive points in time.

Closely related to Lattice

Assigned classes dictate whether an object being accessed by a subject can flow into another class

Emphasizes Garbage in Garbage out

Manages access by evaluating system as a whole

Access Management
Revocation

Prompt revocation

Monitoring

Review

Logging

Maintenance

Update periodically

Review Account data

Account Administration

Good time for orientation/training

Verifies individual before providing access

Most important step

Access Control Models

Commercial: Clark-Wilson
Triples

object

program

subject

Rules

Integrity Preserving (enforcement)

Transformational proceedures executed serially and not in parallel

Triples are carefully maintained

Subjects Identities are Authenticated

How integrity of constrained items is maintained

Integrity Monitoring (certification)

Notions

Unconstrained data items are validated

Accesses are logged

Duties are separated

Transformational procedures act validly

Constrained data items are consistent

Separation of Duties
Two Properties

External Consistency

Relation of the internal state of a system to the outside world

Internal Consistency

Properties of the internal state of the system

Adapted for Commercial use
Deals with Integrity
Integrity: Biba
Developed by Ken Biba in 1975
Two key principles

Integrity Property

Simple integrity property

A user cannot read data of a lower integrity level than theirs

A user cannot write data to a higher level than they are assigned

Opposite of BLP
Deals with integrity
Confidentiality: Bell-LaPadula
Tranquility Properties

Strong tranquility property:

Labels never change during system operation

Weak Tranquility:

security policy

in such a way as to violate a defined

Security labels of subjects never change

Also: Strong Property

Can only act on a single level

No write up

No read down

Two Key principles

No Write Down (Property)

Prevents write-down trojans for declassifying data

No Read Up (Simple Property)

Deals with confidentiality
Lattice
Properties of a Lattice

The property that any two elements must have unique least upper bound and greatest lower bound

A partial Ordering relation

A set of elements

Drawn as a graph with directed arrows
Shows how information can or cannot flow
Formalizes network security models
Deals with Information Flow

Threats

Password Threats
Hardware or software keyboard intercepts can be used to record all data typed into the keyboard
Trojan horse code can be installed on a workstation that will present an unauthorized login window to the user.
Sniffers can be used to intercept a copy of the password as it travels from the client to the authentication mechanism.
Social engineering can be used to obtain passwords
Users may create weak passwords that are easily guessed.
An unauthorized user attempts to steal the file that contains a list of the passwords.
Malicious Code Threats

Awareness

Antivirus

Logic Bomb
Trojan Horse
Worms
Virus
Transmission Threats
Smurfing
Distributed Denial-of-Service (DDoS)

Fixes

Clients: TFN2K

A zombie is a computer infected with a daemon/ system agent without the owner’s knowledge and subsequently controlled by an attacker

requires the attacker to have many compromised hosts which overload a targeted server with packets until the server crashes.

Denial-of-Service (DoS)

backhoe transmission loss

smart pipes - provide damage detection information. Thus, if a cable were damaged, the smart pipe would be able to determine the type of damage to the cable, the physical position of the damage, and transmit a damage detection notification.

backhoe cuts into the cabling system carrying transmission links

SYN Flooding

Smurf

Ping of Death

Distributed Denial-of-Service

E-mail spamming

occurs when invalid data is sent in such a way that it confuses the server software and causes it to crash.

Active attacks

involve some modification of the data transmission or the creation of a false transmission.

Passive attacks

involve monitoring or eavesdropping on transmissions.

Application threats
Tunneling

This is a digital attack that attempts to get under a security system by accessing low-level system functions.

Trapdoor

A trapdoor is an opening that system developers use to bypass the user authentication process in software. It may be inadvertently left available after software delivery.

Targeted data mining
Spying
Spoofing

This is the act of masquerading as a different IP address. Packets can be formatted with false (or fake) addresses to hide the originator’s true location. It involves an intruder connected to the network and pretending to be a trusted host.

Social engineering

This occurs when an unauthorized user tries to con authorized users into providing the information needed to access systems

Sniffers
Shoulder surfing

This is the process of direct visual observation of monitor displays to obtain access to sensitive information.

Replay

This is the passive capture of a packet and its subsequent retransmission to produce an unauthorized effect.

Physical access
Password crackers
Object reuse

This refers to the possibility that sensitive data is available to a new subject. It may occur when magnetic media or memory is reassigned to a new subject and the media or memory still contains one or more objects that have not been purged before the reassignment.





Mobile code
Masquerading/man-in-the-middle attacks

This involves someone who intercepts and manipulates packets being sent to a networked computer. A masquerade takes place when one entity pretends to be a different entity.

Malicious code
Loss of processing capability
Internal intruders
Impersonation

Impersonation is masquerading as an authorized user to gain unauthorized access.

Hackers
Emanations

Emanations are electronic signals that radiate from hardware devicesRadio-frequency (RF) computer devices are all susceptible to emanation interception. In the United States, TEMPEST /equipment is designed to eliminate this problem.

Eavesdropping

This is the use of software (sniffers) to monitor packets or wiretapping telecommunication links to read transmitted data.

Dumpster diving

This is when individuals access discarded trash to obtain user identifications, passwords, and other data.

Data remanence

Data remanence occurs when some data, after the magnetic media is written over or degaussed, still remains on the magnetic media.

Covert channel

A covert channel is one that violates the organization’s security policy through an unintended communications path.

Covert channels have the potential for occurring when two or more subjects or objects share a common resource.

Storage channel

A storage channel utilizes changes in stored data to transfer information in an unintended manner.

Timing channel.

A timing channel utilizes the timing of occurrences of an activity to transfer information in an unintended manner.

Buffer overflows

The buffer overflow problem is one of the oldest and most common problems in software. It can result when a program fills up its buffer of memory with more data than its buffer can hold.

When the program begins to write beyond the end of the buffer, the program’s execution path can be changed. This can lead to the insertion of malicious code that can be used to destroy data or to gain administrative privileges on the program or machine.

Systems and Methodologies

New Implementations
Privacy Aware RBAC (PARBAC)
Context Based Access Control (CBAC)

Preceeding actions

Quotas

XML Data Restrictions

Token Based
Opposite of List Based
Associates a list of objects and their privileges with each User
List Based (Access Control LIsts)
Each object has a list of default

privileges for unlisted users

Associates lists of Users and

their Privileges with each object

Rule-Based (RSBAC)
Based on Generalized Framework

LaPadula

for Access Control by Abrams and

Actions based on Subjects

operating on Objects

Role based (RBAC)
Examples of RBAC

Microsoft Roles

DENY Data Writer

DENY Data Reader

Data Writer

Data Reader

Database functionality

Ability to Query (Select)

Default Sorting Order

Adjusting the schema

Access rights established for each role
Based on Capabilities
Database Management
Centralized Authority
Groups given authorization to certain data
Assigns users to roles or groups based on organizational functions
Non-Discretionary
Discretionary (DAC)

Higher possiblity of unintended

No protection against even

"trusted" user error

Errors lead to possible great

escalation of privilege

Open to malicious software

results

No distinction between users

Subject to user arbitrary discretion

DAC generally assumes a

benign software environment

Processes can change access

control attributes

Processes are user surrogates

and can run arbitrary code

and programs

Software Personification

Simple to understand

Gives users control

Ownership concept

Flexible

Convenient

Examples of DAC

Win2K can be included when

folders

context is limited to files and

Most *NIX versions

Windows NT4.0

Administrators can determine access to objects
User can manage

Owners can change security attributes

Mandatory (MAC)
Weaknesses

Assumes following:

Proper physical security is in place

Users do not share accounts or access

Proper clearances have been applied to subjects

Trusted users/administrators

Protects only information in Digital Form

Helps prevent information leakage

Enforces strict controls on multi security systems

Not subject to user error

Controlled by system and cannot be overridden

Examples of MAC

Purple Penelope

Pump

SCOMP

Multics-based Honeywell

eTrust CA-ACF2

Linux

LIDS

SE by NSA

RSBAC Adamantix Project

Also known as Lattice Based Access Control (LBAC)
Subjects can only access objects if they have the right access level (clearance)
All clearances centrally controlled and cannot be overridden

Users cannot change security attributes at request

All users have clearances
All data has classification

Identity, Authentication, and Authorization

Authorization
Tied closely to POLP
Most systems do a poor job
What a subject can do once Authenticated
Authentication
Protocols

Kerberos

Strengths

Kerberos Ticket Granting Ticket

Must be protected from attacks

Sets temporal limits

Too far from ticket time can indicate spoofed ticket

TGT confirms hashes

Mutual authentication

Local security subsystem creates envrionment or process and attaches token

This is the authenticating token used to verify access requests

Local Security Subsystem adds to token

Any local access rights

Any local permissions

Any local group memberships

Local Security subsystem creates access token using users SID and SIDs of any groups user is a member of from Workstation session ticket

After authentication the PCs Kerberos service sends a copy of the ticket to the users PC

Kerberos service on local PC authenticates user with new ticket

PCs Kerberos service consults GCS

PCs Kerberos service consults AD

Users PC asks for another ticket

AKA Workstation session ticket

used to authenticate user to local PCs workstation service

Local security subsystem sends copy of session ticket to Kerberos service on Domain controller

After authentication, Kerberos server return requested session ticket to users computer

used in all future negotiations with Kerberos server

SIDs of all groups user belongs to

Contains users SID

Kerberos service also accesses a Global Catalog Server to obtain users Universal Group Memberships

Kerberos service contacts Active Directory to authenticate user

When domain controller is found

Session ticket will be used by users computer to authenticate with Kerberos service

Requests session ticket for user

local security subsystem contacts the Kerberos service on the domain controller

local security subsystem takes domain name specified and uses DNS to locate controller

username and password passed to local security subsystem

Username and Password Entered

Features

Non-Repudiation: Knowlege of a password

Authentication: Login password (local)

Integrity: Crypto hash algorithyms

Confidentiality: DES (CBC mode) Symmetric Encryption

Kerberos KDC is trusted intermediary similar to RADIUS server

Secret Key Protocol and distributed service for 3rd party authentication

Now in use in Windows

Default in Server 2K3

Default in XP

Default in Win2K

Still some concerns

Much more secure

Windows related

NTLM and NTLM2

Vulnerable to DLL injection

weak passwords can be cracked offline

Lophtcrack

John the Ripper

Forces lsass.exe to show passwords in weak LM format

Also uses Hashes

LanManager (LM)

passwords up to 14

char easily defeated

RainbowCrack

Uses hash to obfuscate password

LM Support needed for

Macintosh

Windows 9x

WinNT pre SP4

Win2K in compatability mode is weakened by LM

Win2K native is secure

Originally designed

Challenge Handshake

Server requests re-confirmation with this sequence when appropriate

If responses are identical, server grants access

Server creates local version of valid response using original challenge and stored password.

Client sends response to server

Client uses password and challenge to create response

Server sends back challenge to client

Client initiates comms to server

Not vulnerable to replay attack

password never traverses network

Authentication Protocol (CHAP)

Password Authentication

Can use hashes but still vulnerable to replay attack

Process

Password sent unencrypted over network to PAP server

User enters password

vulnerable to replay attack

Works wth both passwords and hases

Password sniffed off network and resent to server

Sends actual password in the clear.

Protocol (PAP)

for use with PPP

Methods of Authentication

Centralized Control

Domains and Trusts

Role-based Model

Domains

Users

Groups

Windows Security Model

TACACS+

RFC 1492

TCP based

Terminal Access Controller Access Control System

RADIUS

Successor to TACACS

RFC 2866

RFC 2865

UDP based

Remote Authentication Dian in User Service

Strong Authentication

Multi-Factor

Two Factor

Two different methods

used together

Somewhere you are

Works well with

Controlled access

classified data

Each system needs

additional Hardware

Based on GPS

Something you

are (Biometrics)

Key Factors

Cost

Adds to operational loads

Increases technical complexity

Some of the technolgoies

still very expensive

User Acceptance

An intrusive enrollment

Resistance

A high FRR will cause users to

Animosity

Try to find ways around the system

Reliability

Better to have a higher

FRR than a high FAR

pissed off user vs a breach

Equal Error Rate (EER)

Cross error Rate (CER)

rate at which FAR and

FRR are equal

False rejection Rate (FRR)

percentage of ligitimate users

falsely rejected

False acceptance Rate (FAR)

percentage of impostors

falsely authorized

Costly

Each authenticating system

needs hardware

Intrusive

Can cause Privacy issues

Does not require user

to have anything

Hard to lose

Types

Mannerisms

Handwriting

Tread

Keystroke

Voice Print

Face

Eigen

Eigenfaces

Eigen features (facial metrics)

German word referring to

used in facial recognition

recursive mathematics

Facial feature identification

Isolation

Mask values compared to database

leaves features in rectangle

mask (binary mask)

Isolate features of the face

Detection

Locate the face

Photos

Thermograms

Eye

Iris

additional reading

System tests for 'live' eye

o pupil size fluctuation

Verification takes 1-2 seconds

Subsequent verifications

at up to 40in

Less than 20 seconds

image captured and processed

into 512 byte record

excludes lower portion because

of moisture and reflection

Approach is horizontal due

to eyelid occlusion

locates left and right

edges of iris

camera locates eye

video camera at 3-10in

240 reference points

Retina

Degenerative diseases exist

that compromise data fidelity

Certain people cannot enroll

enrollment

Stored in 35 byte field

320-400 points of

reference stored

1/2" from scanner

45 seconds

five scans to enroll

capillary patterns

Hand

Hand Geometry

Oldest known form of

Biometrics

Fingerprint

30-70 points of reference

ridges and valleys

have

Users can lose tokens

More expensive to implement

additional software equipment

each user needs token

Changes on regular basis

Token Provides password

Token

know

Positive

Low cost

Easiest to implement (passwords)

Negative

Easy to compromise

Users tell others

Easy for attackers to target

Dictionary attack

users write down passwords

Users forget

Attack Types

Brute force

Rainbow Crack

Given enough time, brute

force will always work

Hybrid

John the ripper

uses dictionary in combination

with brute force

Dictionary

Tries every word in dictionary

for match

Relies on human factors

Not guaranteed to find all

passwords

Quickest and Easiest

Cracking

Access to password file

increases success (no Duh!)

Attempt to guess passwords

Access Control

Normally stored as hashes

password files

NT SAM

/etc/shadow

/etc/passwd

Methodologies

Single Sign On

System Generated

User Picked

Too simple

Must meet business requirements
User Acceptance needed for success
Usually requires a key piece of information only the user would know
indentification
Involves stronger measure that
Validates Identity
Identity
Weak in terms of enforcement
Negative Identification
Positive Identification
User Identity enables accountability
Identity and Authentication are not the same thing
Authentication is the process of verifying your Identity
Identity is who you say you are

Access Control Measures

Areas of Application
Other
Recovery

Restores the operating state to normal after an attack or system failure

Corrective

Reacts to an attack and takes corrective action for data recovery

Compensating

Provide alternatives to other controls

Deterrent

Warnings on Web Pages

Logon banner

Restricted Access signs

Acceptable Use agreements

Discourages security violations (Preventative)

Detective

Anomaly Detection

Pattern Matching

Intrusion Detection Systems

Force users to take leaves

Background Investigations

Regular performance reviews

Audits

Alarms

Sensors

Smoke Detectors

CCTV

Motion Detectors

Time critical when attack is occuring
Tries to detect AFTER an attack occurs
Assumes Attack is Successful
Preventive
Security Assessment

Creates a complete list of risks

against critical assets

Analyzes entire network from inside

Comprehensive view of

Network Security

Penetration Tests

Usually done after Vulnerability

Assessment

Does not provide

comprehensive view

Only as good as the attacker

Finds weaknesses

Simulates an attacker trying to

break in

Vulnerability Assessment

Looks for common known

vulnerabilities

Scanning key servers

Network Vulnerability Scanner

NAI

ISS

GFI LanGuard

Nessus

Firewalls

Proxy

Never a connection from

external to internal

Slow

Stateful

Unknown packets discarded

Knows if incoming packet was

in response to request

Packet Filtering

very fast

Does not know state

Decision based on IP and Port

Examples

Technical

Intrusion detection systems (IDSs)

Audit trails

Dial-up callback systems

Encryption

Smart cards/biometrics/badge systems

Passwords

Anti-virus software

Access control software, such as firewalls, proxy servers

Administrative

Mandatory vacation time

Performance evaluations

Alert supervision

Background checks

Security clearances

Procedures for recruiting and terminating employees

Rotation of duties

Security reviews and audits

Separation of duties

Security awareness training

Policies and procedures

Physical

Limiting access to physical resources through the use of bollards, locks, alarms, or

Turnstiles

Mantraps

Badges, ID Cards

Fire Extinguisher

Alternate Power Source

Guards

Fences

Works with Deterrent measures
Not always effective
Can be partially effective with Defence in Depth
try to Prevent attacks from occuring