EECS Chapter 8 – Common Access Control
Access Control Objectives
- Confidentiality (includes privacy)
- Integrity
- Availability
How do they relate to CAATO?

Access Control Processes
- Identification
- Authentication
- Authorization
- Logging
- Monitoring

Common Access Controls
- Password
- Two-factor authentication
- Biometrics
- Access control lists for granting authorization to information
- Locks

Common Access Controls (continued)
- Encryption
- Anti-virus
- Patching
- Firewall
- Intrusion detection system
- Intrusion prevention system
Collectively these are called defence in depth.
General Access Control
- Applies to a multitude of systems.
- Can be a policy, a set of standards or a system control.
- Crucial to the external audit, as it affects organization controls and program change controls.

General Access Control (continued)
- Security education
- Physical security
- Encryption

General Access Control (continued)
- Information security policy
- Code of Business Conduct
- Web filtering to deny employee access to inappropriate web sites
- Passwords
- Privacy policy
- Network and operating system security

Requirements for Effective Operating System Performance
- Protect against tampering by users
- Prevent users from tampering with the programs of other users
- Safeguard users' applications from accidental corruption
- Safeguard its own programs from accidental corruption
- Protect itself from power failures and other disasters
Application Access Control
- Applies to specific systems
- Can be procedural or automated
- Supports management or independent controls
- An example is a password

Application Access Controls
- Passwords
- Access control lists (ACL) to restrict functions in an application, e.g., only payroll staff can process pay raises. An ACL can be defined per individual user.
- Encryption
- Procedures
- Monitoring
- Application access controls support segregation of duties.
Passwords
- Should not be shared
- Should be changed by the user
- Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Passwords (continued)
- Long, at least 8 characters
- Alphanumeric
- Hashed (one-way scrambling)
- The system should allow only a few attempts before locking out the account
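The password controls listed above (length and alphanumeric policy, one-way salted hashing, lockout after a few failed attempts), worked as an added example that is not part of the original slides; the in-memory `store` dictionary and the `MAX_ATTEMPTS`, `MIN_LENGTH` and `ITERATIONS` values are assumptions chosen for the demonstration:

```python
import hashlib
import hmac
import os

# Hypothetical policy constants for this demonstration.
MAX_ATTEMPTS = 3          # "allow only a few attempts before locking out"
MIN_LENGTH = 8            # "at least 8 characters"
ITERATIONS = 200_000      # PBKDF2 work factor: slows dictionary and brute-force guessing


def meets_policy(password: str) -> bool:
    """Length and alphanumeric mix, as the slide requires."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= MIN_LENGTH and has_alpha and has_digit


def create_account(store: dict, user: str, password: str) -> None:
    """Keep only a salted, one-way hash; the plaintext password is never stored."""
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[user] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def login(store: dict, user: str, password: str) -> str:
    """Return 'ok', 'bad_password' or 'locked'; the account locks after MAX_ATTEMPTS failures."""
    rec = store.get(user)
    if rec is None:
        return "bad_password"   # same answer as a wrong password, so usernames cannot be enumerated
    if rec["locked"]:
        return "locked"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, rec["hash"]):   # constant-time comparison of the hashes
        rec["failures"] = 0
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_ATTEMPTS:
        rec["locked"] = True
        return "locked"
    return "bad_password"
```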
Password Cracking Methods
- Dictionary attacks: hash the common names and all dictionary words and compare
- Brute force: hash all possible combinations of characters; the most time-consuming method
- Systematic deduction: try a name followed by a month, etc.
- Attackers maintain precomputed tables of hashes, called rainbow tables, to speed up cracking.

Passwords (continued)
- An 8-letter password is 676 times stronger than a 6-letter password.
- A user-chosen 6-character alphanumeric word password can be cracked in 7 seconds.
- A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
- A completely random 8-character alphanumeric password is virtually uncrackable with a modern PC; it takes about a year.
- Required strength should depend on the user's privilege and the locality of the system.
Two-factor Authentication (general or application)
- Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
- Uses what the user has and what the user knows.
- Examples are a token with a dynamic password, and an ATM card with a PIN.

Biometrics (general or application)
- Can include fingerprint, hand geometry, voice, etc.
- Held back by privacy concerns.
- Not legally recognised in place of a signature.

Operating System Security (general control)
- Use a standard checklist for configuration.
- Lock down workstation access by employees to prevent unauthorized installation of software.
- Use scanning software to detect vulnerabilities before implementation and periodically thereafter.
- Use automated patching tools to install security fixes.

Firewall (general control)
- Can be hardware based only, e.g., a router.
- Can be a server with sophisticated software: more granular and reliable than a router, and provides better logs.
- Can use artificial intelligence to check for patterns.
Firewall (continued)
- Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
- The firewall blocks traffic that is definitely unacceptable.

Firewall (continued)
- A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
- A data packet typically carries a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.

Firewall (continued)
- A port is a logical connection point in a network device, including a computer.
- It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Firewalls, Intrusion Detection Systems, and Antivirus Software (continued)
- Network address translation (NAT)
  - Provides an additional layer of protection
  - Conceals the IP address of the host computer from sniffer programs

Firewall Management
- The firewall should not be remotely administrable, in order to reduce the risk of hacking.
- Firewall logs should be reviewed frequently, to avoid the log filling up and the firewall collapsing.
Virus Protection
- Companies around the world spend about US $20 billion a year to clean up viruses.
- All critical servers are protected.
- All Internet traffic is scanned.
- Automated identification of workstations that do not have up-to-date signature files.
- Organizations should block common virus file types to be proactive.

SYSTEM VULNERABILITY AND ABUSE
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
- Computer viruses: rogue software programs that attach to other programs in order to be executed, usually without the user's knowledge or permission
  - Deliver a "payload"
  - Can spread by attachments

Malicious Software (continued)
- Worms: programs that copy themselves from one computer to another over networks
  - Can destroy data and programs, and halt the operation of computer networks
  - The most common payload is to tie up a network to deny service.

Worm
- Unlike a virus, an Internet worm requires no user interaction to infect a computer. The computer only has to be on a network.
- If the computer has the security hole targeted by the worm, it will be infected.
- The main control is patching.
Virtual Private Network (general or application)
- Secures remote access to company systems by staff or contractors.
- Should require two-factor authentication.
- Encrypts the data, like eBusiness.

Intrusion Detection System (general control)
- Screens traffic that passes the firewall to build a pattern.
- Alerts the security administrator to a questionable or unacceptable pattern.
- The administrator can then decide, with management guidance if significant, to place a firewall rule to block further traffic of this pattern.

Intrusion Prevention System (general control)
- Screens traffic that passes the firewall to build a pattern.
- Rejects highly questionable or unacceptable traffic.
- More effective than firewalls but may produce false positives. Deployed to protect highly sensitive servers.
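The firewall-then-IDS sequence the slides describe (rule-based packet filtering on source IP, destination IP and port; an IDS screening what passed for a questionable pattern such as a port scan; the administrator answering with a new firewall rule), as an added example that is not part of the original slides. The networks, rule set, packets and the five-port threshold are constructed for the demonstration:

```python
import ipaddress
from collections import defaultdict

# Constructed rule set using documentation address ranges. Rules are checked top to bottom and the
# first match decides; the final rule denies anything not explicitly allowed.
# Each rule: (action, source network, destination network, allowed destination ports or None for any)
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")
DMZ = ipaddress.ip_network("203.0.113.0/24")
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
RULES = [
    ("allow", ANY, WEB_SERVER, {80, 443}),   # public web browsing and e-commerce ports only
    ("allow", INTERNAL, DMZ, None),          # staff may reach any port in the DMZ
    ("deny", ANY, ANY, None),                # everything else is definitely unacceptable
]


def firewall_decision(packet, rules=RULES):
    """packet = (source IP, destination IP, destination port): the fields the slide lists."""
    src, dst, port = packet
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if src_ip in src_net and dst_ip in dst_net and (ports is None or port in ports):
            return action
    return "deny"


def filter_traffic(packets, rules=RULES):
    """What the firewall lets through; this is the stream the IDS screens."""
    return [p for p in packets if firewall_decision(p, rules) == "allow"]


def detect_port_scans(passed_packets, threshold=5):
    """IDS pattern: one source touching many distinct ports on one host looks like a port scan.
    Returns the offending source addresses for the administrator to review."""
    ports_seen = defaultdict(set)
    for src, dst, port in passed_packets:
        ports_seen[(src, dst)].add(port)
    return sorted({src for (src, dst), ports in ports_seen.items() if len(ports) >= threshold})


def block_rule_for(source_ip):
    """The administrator's follow-up from the slide: a deny rule for the flagged source,
    to be placed ahead of the allow rules so that it matches first."""
    return ("deny", ipaddress.ip_network(source_ip + "/32"), ANY, None)
```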
Encryption (general or application)
- Uses mathematics to scramble data.
- Uses a key and an algorithm. Commercial algorithms are public knowledge.
- Symmetric key.
- Asymmetric keys (private/public key pair).
- Can prevent sniffing, i.e., unauthorized interception of data transmission.

Symmetric Key Encryption
- The same key is used to encrypt and decrypt.
- Simple to encrypt and decrypt.
- A large number of keys is required for one-on-one secret communication.
- Number of keys for N people is N(N-1)/2.
- The key needs to be secured.

Application of Encryption
- eBusiness
- Virtual private network
- Stored data
- Digital signature
- Wireless network
Asymmetric Encryption
- A pair of keys is generated by a user: a private key and a corresponding public key.
- The public key can be disclosed. The private key is secured.
- People can use the public key to encrypt material.
- Use of the private key should require a passphrase.

Asymmetric Encryption (continued)
- The corresponding private key is needed to decrypt.
- The two keys cannot be reverse-engineered from each other, i.e., you cannot use the public key to derive the private key.
- Keys are longer than symmetric keys, and therefore encryption and decryption take longer.

Asymmetric Encryption (continued)
- Needed for encryption.
- Used for e-commerce, digital certificates and digital signatures.
- Number of keys for N users is 2N.
Encryption and Public Key Infrastructure
- Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message.
- Digital certificates: data files used to establish the identity of users and electronic assets for protection of online transactions.

Public Key Infrastructure
A set of policies, procedures and servers used to operate a public key environment. There is a public key server that holds everybody's public key for retrieval by programs that use encryption. There are servers used to authenticate users who activate private keys.
Limitations of Encryption
- If the key is lost, the data cannot be decrypted.
- Rogue parties can delete an encrypted file without knowing the key; therefore the access control list is important.
- Encrypted attachments are generally deleted by the anti-virus program.

Digital Signature
- A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

Digital Signature (continued)
- The sender uses an algorithm to compute a hash (a one-way digest) of the document.
- The sender uses its private key to encrypt the hash.
- The recipient uses the same algorithm to hash the plaintext document when received.
- The recipient uses the sender's public key to decrypt the digital signature and compares it to the hash the recipient created, to confirm integrity.

Digital Certificate
An electronic business card that establishes your credentials when doing business or other transactions on the Web. It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority's name and public key, and your public key. People can use the certificate authority's public key to verify the signature.

Certificate Authority
- An organization that issues digital certificates to companies and individuals.
- An organization can issue digital certificates to its own customers or employees to authenticate local transactions.
- The certificate authority does due diligence to confirm the existence and authenticity of the party before issuing a certificate.
eBusiness Encryption
- Uses both symmetric keys and asymmetric keys.
- Enforced by the merchant.
- The merchant sends its certificate and public key to the browser.

eBusiness Encryption (continued)
- The browser generates a symmetric key based on the Secure Socket Layer (SSL) standard, usually 128 bits.
- The browser encrypts the symmetric key with the merchant's public key.
- The browser authenticates the digital certificate.
- The encrypted symmetric key is sent to the merchant.

eBusiness Encryption (continued)
- The merchant decrypts the symmetric key with its private key.
- The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.
Secure Electronic Transaction (SET)
- Not widely used in North America because it is less flexible than traditional eBusiness SSL encryption.
- Used more in Hong Kong, Japan and South Korea for wealthy clients.

SET Process
A customer receives a "personal" digital certificate from the credit card issuing financial institution, along with a private key. The customer stores it on the hard disk or a memory disk. The financial institution requires the customer to protect it with a passphrase.

SET Process (continued)
When the customer buys something on a web site, s/he sends his or her digital certificate to the merchant, which sends a copy of it to the financial institution. The customer is required to use a passphrase to send the personal certificate. S/he also downloads the merchant's and the financial institution's digital certificates.

SET Process (continued)
- The customer's browser hashes the purchase order and the credit card information separately to form two message digests.
- The customer signs the message digests to form a composite digital signature.
- The digital signature is sent to the merchant, which in turn forwards a copy of it to the financial institution.

SET Process (continued)
The customer uses the merchant's public key to encrypt the purchase order and the financial institution's public key to encrypt the credit card information. The merchant forwards the credit card information, along with the amount to be charged, to the financial institution.

SET Process (continued)
- The merchant and the financial institution use the customer's public key to decrypt the digital signature.
- The merchant and the financial institution use their private keys to decrypt the purchase order and the credit card information respectively.

SET Process (continued)
- The merchant and the financial institution independently compute the message digests of the purchase order and the credit card information respectively.
- The independently computed message digests are then compared to the message digests in the decrypted digital signature.

SET Process (continued)
- Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and the credit/ePayment card information separately and independently.
- The credit information is not known to the merchant, and the purchase order (except the final amount) is not known to the card issuing financial institution or payment vendor.

SET Process (continued)
The financial institution or payment vendor sends a code to the merchant indicating whether payment is approved or declined.
Encryption
- The sender uses the recipient's public key to encrypt the message.
- The sender signs the message with its own private key.
- The recipient uses its own private key to decrypt the message.
- The recipient uses the sender's public key to authenticate the digital signature.
- The above process applies to non-Web-based email. Web mail encryption is the same as eBusiness encryption.
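The sign-and-encrypt steps just listed, together with the hash / private-key / public-key sequence of the Digital Signature slides, as an added example that is not part of the original slides. It builds a toy RSA key pair from two fixed, well-known primes so that it runs with the Python standard library alone; the key size, the reduction of the hash modulo N, and the session-key value are assumptions for illustration only, and a real system would use a vetted library with keys of 2048 bits or more:

```python
import hashlib

# Toy key pair from two fixed primes (demonstration sizes only; real keys are far larger).
P, Q = 1_000_000_007, 998_244_353
N = P * Q                            # public modulus, part of the public key
E = 65537                            # public exponent, part of the public key
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: the secret half of the pair


def digest(message: bytes) -> int:
    """Step 1: hash the document (SHA-256). Reduced mod N only so the toy modulus can carry it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_d: int, n: int) -> int:
    """Step 2: the sender 'encrypts' the hash with its private key; the result is the signature."""
    return pow(digest(message), private_d, n)


def verify(message: bytes, signature: int, public_e: int, n: int) -> bool:
    """Steps 3-4: the recipient re-hashes the received text, decrypts the signature with the
    sender's public key, and accepts only if the two digests match (integrity and origin)."""
    return pow(signature, public_e, n) == digest(message)


def encrypt_to_recipient(secret: int, public_e: int, n: int) -> int:
    """Encrypt a short secret (e.g. a symmetric session key, as in the eBusiness slides)
    with the recipient's public key; only the matching private key can recover it."""
    if not 0 < secret < n:
        raise ValueError("secret must be smaller than the modulus")
    return pow(secret, public_e, n)


def decrypt_with_private(ciphertext: int, private_d: int, n: int) -> int:
    """The recipient uses its own private key to recover the secret."""
    return pow(ciphertext, private_d, n)
```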
Wireless Encryption
- Based on the IEEE (Institute of Electrical and Electronic Engineers) 802.11 standard; the latest is 802.11i, Wi-Fi Protected Access (WPA).
- Uses 128-bit or 256-bit symmetric keys that change with every packet of data.
- Uses a static 128-bit key for encrypting the challenge-response text to authenticate the user's computer.

WPA
- A device authorized to access an access point (wireless router) is installed with the access point's ID, called a service set ID (SSID), a static 128-bit symmetric key and the encryption software.
- The access point sends challenge-response text to the client device (desktop, laptop or phone).

WPA (continued)
- The device encrypts the challenge-response text and the SSID and sends them to the access point.
- The access point decrypts the text and SSID and compares them to the plaintext that it sent out earlier. If there is a match, the device is allowed to connect.

WPA (continued)
- The access point and the device generate a new 128-bit symmetric key for each packet exchanged. The packet keys are encrypted using the static key of each device.
Stored Data Encryption
- Uses a symmetric key.
- The key should be activated with a passphrase.
- Applies to laptops, smart phones, memory disks, desktops and servers.

Encryption Strength
- The secrecy of the key
- The length of the key
- The rigour of the algorithm

Cookie
- Useful to web sites and users for remembering information, so users can be provided with more relevant information and keying is reduced, e.g., remembering the account number.
- Must not be used to remember a password.
- A privacy concern, as web sites can track user behaviour more.
Web Application Security
Input validation: web applications implement controls to ensure the input entered is valid.
- Web applications expect valid input, that is, input of the correct length, the right type (text vs integer), etc.
- Developers often insert edit checks via JavaScript that is executed on the client side.
- However, end users can always modify these checks (since they reside on the client side) to bypass them and submit wrong inputs to the application.
- Developers should implement edit checks on the server side.

Buffer Overflow
Buffer overflows: an attack wherein malicious input spills into sensitive portions of memory, compromising applications.
- Buffers are memory locations allocated by programmers to store users' inputs.
- Attackers may provide malicious input that runs past the size of the buffer.
- The extra input can spill into sensitive portions of memory, with results ranging from nothing happening, to the application crashing, to a complete compromise.

Buffer Overflow (continued)
Buffer overflow risks:
- The impact of a buffer overflow ranges from the application failing its execution, to a crash, to running malicious code of the attacker's choice, resulting in complete compromise.
Controls:
- Enforce boundary checks before accepting inputs. Use compilers that warn of potential overflow conditions.
- Educate programmers in safe programming practices.

SQL Injection Attack
SQL injection: an attack wherein malicious SQL commands are passed into web applications via user inputs.
- Web applications with back-end databases are often susceptible to these attacks.
- These applications convert user-supplied input into SQL commands that are processed by the database.
- Attackers can craft special input that makes the SQL commands malicious in nature.
SQL Injection Attack (continued)
SQL injection attack example:
- Consider a web application that allows users to type in a keyword to search a particular product type by asking:
  Product keyword: antique
- Say the resulting SQL executed by the database is:
  SELECT product FROM product_table WHERE product_description LIKE '%antique%';
- This query shows all products from product_table that have the keyword 'antique' in their description.

SQL Injection Attack (continued)
SQL injection attack example, continued:
- Now consider the user providing the following special input:
  Product keyword: antique%'; DROP TABLE password_table; --
- The resulting SQL executed by the database then is:
  SELECT product FROM product_table WHERE product_description LIKE '%antique%'; DROP TABLE password_table; --%';
- This results in the deletion of a table!
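The query above, built by pasting the keyword into the SQL text, beside its server-side fix (a parameterised query, where the input is bound as data and cannot become SQL), as an added example that is not part of the original slides. It uses Python's built-in sqlite3 with a constructed in-memory database; because sqlite3's `execute()` refuses stacked statements, the `run_stacked` helper splits on ';' to mimic the database behaviour the slide assumes:

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database mirroring the slide: a product table and a sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_table (product TEXT, product_description TEXT);
        INSERT INTO product_table VALUES ('lamp', 'antique brass lamp'), ('desk', 'modern steel desk');
        CREATE TABLE password_table (username TEXT, password_hash TEXT);
        INSERT INTO password_table VALUES ('alice', 'constructed-hash-value');
    """)
    return conn


def run_stacked(conn: sqlite3.Connection, sql: str) -> list:
    """Mimic a database that accepts several ';'-separated statements (a simplification: the split
    ignores quoting). Rows from the last statement that returned rows are handed back."""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):      # skip empty fragments and the trailing comment
            continue
        cur = conn.execute(stmt)
        if cur.description:                         # only SELECT-like statements produce rows
            rows = cur.fetchall()
    return rows


def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """The slide's flaw: the keyword is spliced into the SQL text, so a quote in it ends the
    string and whatever follows is executed as SQL."""
    sql = "SELECT product FROM product_table WHERE product_description LIKE '%" + keyword + "%';"
    return [row[0] for row in run_stacked(conn, sql)]


def search_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """Server-side control: a parameterised query. The keyword is bound as a value, never parsed as SQL."""
    cur = conn.execute("SELECT product FROM product_table WHERE product_description LIKE ?",
                       ("%" + keyword + "%",))
    return [row[0] for row in cur.fetchall()]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


# The slide's special input, constructed here so both behaviours can be checked against it.
INJECTED_KEYWORD = "antique%'; DROP TABLE password_table; --"
```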
Conclusion
- Access control is increasingly important because of e-commerce.
- Access control supports organization control and program change control.
- Access controls support management control, independent controls and segregation of duties.

Review Questions
1. What is the relationship between privacy and access control?
2. Who should the chief information security officer report to and why?
3. Why is encryption not very commonly used?
4. What are the relationships between access controls and other internal controls?
5. Which technique is used both in a password control and a digital signature? How?
6. How is defence in depth achieved?
7. What is the difference between hashing and encryption?
8. Where should an intrusion detection system be placed in relation to a firewall, and why?
9. How does encryption affect anti-virus software tools, and what should an organization do to address the effect?
10. What security risk can materialize if a domain name server is compromised?
MC Question
Which of the following provides the strongest protection against hackers?
A. Operating system
B. Access control list
C. Firewall
D. Virtual private network

MC Question
Which of the following would be the most appropriate task for a systems administrator to perform?
A. Configure the operating system.
B. Develop access control lists.
C. Develop a checklist for operating system configuration.
D. Set a password policy.

MC Question
Which of the following is most likely to change with technology?
A. Security policy
B. Code of business conduct
C. Security configuration
D. Security training

MC Question
Which of the following technologies would conflict with encryption the most?
A. Virtual private network
B. Digital certificate
C. Anti-virus software
D. Password

MC Question
Which of the following is the most effective solution for preventing external users from modifying sensitive and classified information?
A. Security standards
B. Intrusion detection system
C. Access logs
D. Firewall