Chapter 8 – Common Access Control

Chapter 8 – Common Access Control EECS4482 2016

Access Control Objectives
- Confidentiality (includes privacy)
- Integrity
- Availability

Access Control Processes
- Identification
- Authentication
- Authorization
- Logging
- Monitoring

Common Access Controls
- Password
- Two-factor authentication
- Biometrics
- Access control lists for granting authorization to information
- Locks

Common Access Controls (continued)
- Encryption
- Anti-virus
- Patching
- Firewall
- Intrusion detection system
- Intrusion prevention system
- Collectively called defence in depth

Passwords
- Should not be shared
- Should be changed by the user
- Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Passwords
- Long, at least 8 characters
- Alphanumeric
- Hashed (one-way scrambling)
- The system should allow only a few attempts before locking out the account
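The password rules on the two slides above, as an added example that is not part of the course slides: a policy check (at least 8 alphanumeric characters), salted one-way hashing so the clear-text password is never stored, and a lockout after a few failed attempts. The policy values, account names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not from the slides. Policy values are assumptions chosen to match
# the slide: at least 8 characters, alphanumeric, hashed, lockout after a few attempts.
MIN_LENGTH = 8
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 200_000


def password_meets_policy(password: str) -> bool:
    """At least MIN_LENGTH characters, letters and digits only, with at least one of each."""
    if len(password) < MIN_LENGTH or not password.isalnum():
        return False
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way scrambling: random per-user salt plus PBKDF2-HMAC-SHA256.
    The clear-text password is never stored, only (salt, derived key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


class PasswordStore:
    """Minimal in-memory account table: per user only salt, hash, failure count and lock flag."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, key = hash_password(password)
        self._users[username] = {"salt": salt, "hash": key, "failures": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]

    def authenticate(self, username: str, password: str) -> bool:
        """Re-hash the candidate with the stored salt and compare in constant time.
        MAX_ATTEMPTS consecutive failures lock the account until an administrator resets it."""
        record = self._users.get(username)
        if record is None or record["locked"]:
            return False
        _, candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failures"] = 0
            return True
        record["failures"] += 1
        if record["failures"] >= MAX_ATTEMPTS:
            record["locked"] = True
        return False

    def unlock(self, username: str) -> None:
        self._users[username].update(failures=0, locked=False)


def demo() -> dict:
    """Exercise the rules with constructed sample credentials (no real accounts)."""
    store = PasswordStore()
    store.register("alice", "Tr0ub4dor9x")
    results = {
        "policy_rejects_short": not password_meets_policy("abc123"),
        "correct_login": store.authenticate("alice", "Tr0ub4dor9x"),
    }
    for _ in range(MAX_ATTEMPTS):
        store.authenticate("alice", "wrongpass1")
    results["locked_after_failures"] = store.is_locked("alice")
    results["refused_when_locked"] = not store.authenticate("alice", "Tr0ub4dor9x")
    store.unlock("alice")
    results["works_after_unlock"] = store.authenticate("alice", "Tr0ub4dor9x")
    return results


if __name__ == "__main__":
    print(demo())
```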

Password Cracking Methods
- Dictionary attacks: hash the common names and all dictionary words and compare against the stored hashes
- Brute force: hash all possible combinations of characters; the most time consuming
- Systematic deduction: try a name followed by a month, etc.
- The hacker community maintains precomputed tables of hashes, called rainbow tables, to help in cracking.

Passwords
- An 8-letter password is 676 times stronger than a 6-letter password.
- A user-chosen 6-character alphanumeric word password can be cracked in 7 seconds.
- A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
- A completely random 8-character alphanumeric password is virtually uncrackable with a modern PC; it takes about a year.
- Strength should depend on the user's privilege and the locality of the system.

Two-factor Authentication (general or application)
- Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
- Uses what the user has and what the user knows.
- Examples: a token with a dynamic password, and an ATM card used with a PIN.

Biometrics (general or application)
- Can include fingerprint, hand geometry, voice, etc.
- Held back by privacy concerns.
- Not recognised legally in place of a signature.

Operating System Security (general control)
- Use a standard checklist for configuration.
- Lock down workstation access by employees to prevent unauthorized installation of software.
- Use scanning software to detect vulnerabilities before implementation and periodically thereafter.
- Use automated patching tools to install security fixes.

Firewall
- Can be hardware based only, e.g., a router.
- Can be a server with sophisticated software, which is more granular and reliable than a router and provides better logs.
- Can use artificial intelligence to check for patterns.

Firewall
- Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
- The firewall blocks traffic that is definitely unacceptable.

Firewall
- A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
- A data packet typically carries a source Internet Protocol (IP) address, a port and a destination IP address.

Firewall
- A port is a logical connection point in a network device, including a computer.
- It is used to standardize Internet traffic, e.g., web browsing uses port 80 and e-commerce uses port 443.

Technologies and Tools for Security and Control: Firewalls, Intrusion Detection Systems, and Antivirus Software (continued)
Network address translation (NAT):
- Provides an additional layer of protection.
- Conceals the IP address of the host computer from sniffer programs.

Firewall Management
- The firewall should not be remotely administrable, in order to reduce the risk of hacking.
- Firewall logs should be reviewed frequently, to avoid the log filling up and the firewall collapsing.

Virus Protection
- Companies around the world spend about US $20 billion a year to clean up viruses.
- All critical servers are protected.
- All Internet email is scanned.
- Automated identification of workstations that do not have up-to-date signature files.
- Organizations should block common virus file types to be proactive.

System Vulnerability and Abuse: Malicious Software (Viruses, Worms, Trojan Horses, and Spyware)
- Computer viruses: rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission.
- Deliver a "payload".
- Can spread by email attachments.

System Vulnerability and Abuse: Malicious Software (continued)
- Worms: programs that copy themselves from one computer to another over networks.
- Can destroy data and programs, and halt the operation of computer networks.
- The most common payload is to tie up a network to deny service.

Worm
- Unlike a virus, an Internet worm requires no user interaction to infect a computer. A computer only has to be on a network.
- If the computer has the security hole targeted by the worm, it will be infected.
- The main control is patching.

Virtual Private Network
- Secures remote access to company systems by staff or contractors.
- Should require two-factor authentication.
- Encrypts the data, as eBusiness does.

Intrusion Detection System
- Screens traffic that passes the firewall to build patterns.
- Alerts the security administrator to questionable or unacceptable patterns.
- The administrator can then decide, with management guidance if significant, to place a firewall rule to block further traffic of this pattern.

Intrusion Prevention System
- Screens traffic that passes the firewall to build patterns.
- Rejects highly questionable or unacceptable traffic.
- More effective than firewalls but may produce false positives.
- Deployed to protect highly sensitive servers.
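The firewall and intrusion detection slides above talk about rules against port scanning, packets identified by source IP, port and destination, and an IDS that builds patterns from the traffic and alerts the administrator. The following added example (not from the course slides) runs that pattern-building over a few constructed firewall log lines: a source that hits many distinct destination ports within a short window is flagged, and a candidate blocking rule is produced for the administrator to review. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the slides. Log format, addresses and thresholds are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
SCAN_PORT_THRESHOLD = 10             # this many distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window is treated as a port scan


def parse_line(line):
    """One log line -> dict, or None for malformed lines (which are skipped, not trusted)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_port_scans(lines):
    """Sliding window per source address: flag a source touching many distinct ports quickly.
    Returns one alert per offending source (first moment the threshold was crossed)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > SCAN_WINDOW:
                start += 1           # drop events that fell out of the window
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                alerts.append({"src": src, "distinct_ports": len(ports),
                               "first": evs[start]["ts"], "last": e["ts"]})
                break
    return alerts


def suggested_firewall_rule(alert):
    """Candidate rule for the administrator to review before adding (iptables syntax assumed)."""
    return "iptables -A INPUT -s {} -j DROP".format(alert["src"])


# Constructed sample log: one host sweeps 16 ports in 16 seconds, another browses normally,
# and one line is garbage that must not break the parser.
SAMPLE_LOG = (
    ["2016-03-01T10:00:{:02d} DENY src=203.0.113.5 dst=198.51.100.10 dport={}".format(i, 20 + i)
     for i in range(16)]
    + ["2016-03-01T10:00:{:02d} ALLOW src=192.0.2.7 dst=198.51.100.10 dport={}".format(i, 443 if i % 2 else 80)
       for i in range(0, 40, 5)]
    + ["this line is not a firewall record"]
)

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert, "->", suggested_firewall_rule(alert))
```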

Encryption
- Uses mathematics to scramble data.
- Uses a key and an algorithm. Commercial algorithms are public knowledge.
- Symmetric key.
- Asymmetric keys (private/public key pair).
- Can prevent sniffing, i.e., unauthorized interception of data transmission.

Encryption enables information to be kept on a computer or sent across communication networks without losing confidentiality or integrity. The goal of encryption is to make it impossible to take scrambled text and reproduce the original plain text without the corresponding key, and to raise the cost of guessing the key beyond what is practical. An encryption algorithm transforms plain text into a coded equivalent, known as the cipher text, for transmission or storage. The coded text is subsequently decoded at the receiving end and restored to plain text. The algorithm uses a key, which is a binary number that is typically from 56 to 128 bits in length for symmetric key systems or 512 to 4,096 bits for asymmetric-key systems.

Symmetric key algorithms are used for the bulk encryption of data or data streams. These algorithms are designed to be very fast and usually have a large number of possible keys. The best symmetric key algorithms offer near-perfect secrecy: once data is encrypted with a given key, there is no way to decrypt the data without possessing the same key.

The other major type of algorithm in popular use is public key encryption, which is based on two keys: one to encrypt the message digest (which then is used to encrypt the message) and another to decrypt the message digest. The algorithm is not symmetric, so knowing the public encryption key is no help in decrypting a message. Users wanting to receive confidential information can freely announce their public keys, which are then used by senders to encrypt data to be sent to them. The data can be decrypted only by the holder of the corresponding private key.

This type of algorithm eliminates the complexity of handling the large number of secret key pairs needed for single-key algorithms, but it requires a process to ensure that public keys are authentic and really belong to their announced owner. Public keys are attached to a digital certificate, which ties the user's identity to the public key. The problem of managing a large number of public keys and making them available is the primary challenge that needs to be addressed. However, interest in and use of public key cryptography continues to grow rapidly because of its potential to facilitate electronic commerce using the Internet, in particular because it does not require an out-of-band process for secure exchange of private keys before sending encrypted messages.

Symmetric Key Encryption
- The same key is used to encrypt and decrypt.
- Simple to encrypt and decrypt.
- A large number of keys is required for one-on-one secret communication.
- Number of keys for N people is N(N-1)/2.
- Need to secure the key.

Application of Encryption
- eBusiness
- Virtual private network
- eMail
- Stored data
- Digital signature
- Wireless network

Asymmetric Encryption
- A pair of keys is generated by a user: a private key and a corresponding public key.
- The public key can be disclosed. The private key is secured.
- People can use the public key to encrypt material.
- Use of the private key should require a passphrase.

Asymmetric Encryption
- The corresponding private key is needed to decrypt.
- The two keys cannot be reverse-engineered from each other, i.e., you cannot use the public key to derive the private key.
- Longer keys than symmetric, and therefore a longer process to encrypt and decrypt.

Asymmetric Encryption
- Needed for email encryption.
- Used for e-commerce, digital certificates and digital signatures.
- Number of keys for N users is 2N.

Technologies and Tools for Security and Control: Encryption and Public Key Infrastructure
- Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message.
- Digital certificates: data files used to establish the identity of users and electronic assets for protection of online transactions.

Public Key Infrastructure
- A set of policies, procedures and servers used to operate a public key environment.
- There is a public key server that holds everybody's public key for retrieval by programs that use encryption.
- There are servers used to authenticate users who activate private keys.

Limitations of Encryption
- If the key is lost, data cannot be decrypted.
- Rogue parties can delete an encrypted file without knowing the key; therefore the access control list is important.
- Encrypted email attachments are generally deleted by the anti-virus program.

Digital Signature
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

Digital Signature
- The sender uses an algorithm to compute a hash (garbled digest) of the document.
- The sender uses its private key to encrypt the hash.
- The recipient uses the same algorithm to hash the plain-text document when received.
- The recipient uses the sender's public key to decrypt the digital signature and compares the result to the hash the recipient created, to confirm integrity.

Digital Certificate
An electronic business card that establishes your credentials when doing business or other transactions on the Web. It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority's name and public key, and your public key. People can use the certificate authority's public key to verify the signature.

A CA certificate contains the public key of a certificate authority and either the name of the CA or the name of a particular service being certified. It can be self-signed or in turn signed by another CA. It is used to certify other kinds of certificates.

A server certificate contains the public key of an SSL server, the name of the organization that runs the server, and its Internet hostname.

A personal certificate contains an individual's name and the individual's public key. It can have other information, such as the individual's e-mail address, postal address, or anything else.

A software publisher certificate is used to sign distributed software.

Certificate Authority
- An organization that issues digital certificates to companies and individuals.
- An organization can issue digital certificates to its own customers or employees to authenticate local transactions.
- The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.

eBusiness Encryption
- Uses both symmetric keys and asymmetric keys.
- Enforced by the merchant.
- The merchant sends its certificate and public key to the browser.

eBusiness Encryption
- The browser generates a symmetric key based on the Secure Socket Layer (SSL) standard, usually 128 bits.
- The browser encrypts the symmetric key with the merchant's public key.
- The browser authenticates the digital certificate.
- The encrypted symmetric key is sent to the merchant.

eBusiness Encryption
- The merchant decrypts the symmetric key with its private key.
- The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.
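The two public-key operations described above, as one added example that is not part of the course slides: the digital signature steps (hash the document, "encrypt" the hash with the private key, re-hash on receipt and compare after "decrypting" with the public key) and the eBusiness handshake (browser picks a symmetric session key, wraps it with the merchant's public key, merchant unwraps it with its private key, both then use it for the session). The same hash-then-sign and public-key-wrapped-secret steps recur in the later SET and email encryption slides. The RSA keys are built from two small constructed primes (2^61-1 and 2^31-1) so the block runs instantly, the session key is 64 bits instead of the slide's 128 because of that toy modulus, and the symmetric cipher is a SHA-256 keystream standing in for a real block cipher; a production system uses 2048-bit or larger keys with padding from a vetted library.

```python
import hashlib
import os
from math import gcd

# Added example, not from the slides. Toy parameters: two constructed Mersenne primes.
P = 2**61 - 1
Q = 2**31 - 1
E = 65537


def make_keypair():
    """Returns (public_key, private_key) as (e, n) and (d, n)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    assert gcd(E, phi) == 1
    d = pow(E, -1, phi)          # modular inverse (Python 3.8+)
    return (E, n), (d, n)


def digest_int(document: bytes, n: int) -> int:
    """Slide step 1: hash the document. Reduced mod n only because the toy modulus is ~92 bits."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key) -> int:
    """Slide step 2: the sender 'encrypts' the hash with its private key."""
    d, n = private_key
    return pow(digest_int(document, n), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Slide steps 3-4: re-hash the received document, recover the signed hash with the
    sender's public key, and compare. Any change to the document makes this False."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(document, n)


def wrap_session_key(session_key: bytes, public_key) -> int:
    """eBusiness slide: browser encrypts the symmetric key with the merchant's public key."""
    e, n = public_key
    k = int.from_bytes(session_key, "big")
    assert k < n, "toy modulus: session key must be shorter than n"
    return pow(k, e, n)


def unwrap_session_key(wrapped: int, private_key, length: int) -> bytes:
    """eBusiness slide: merchant decrypts the symmetric key with its private key."""
    d, n = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric encryption for the rest of the session (toy SHA-256 keystream, not AES).
    XOR with the same keystream both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def ebusiness_session(order: bytes):
    """Whole handshake: merchant publishes its public key, browser wraps a fresh session key,
    merchant unwraps it, and the order travels under the shared symmetric key."""
    merchant_pub, merchant_priv = make_keypair()
    session_key = os.urandom(8)          # 64 bits here; the slide's SSL key is usually 128
    wrapped = wrap_session_key(session_key, merchant_pub)
    recovered = unwrap_session_key(wrapped, merchant_priv, len(session_key))
    ciphertext = stream_xor(session_key, order)      # browser side
    return recovered == session_key, stream_xor(recovered, ciphertext)   # merchant side


if __name__ == "__main__":
    pub, priv = make_keypair()
    sig = sign(b"Pay 100 to Bob", priv)
    print(verify(b"Pay 100 to Bob", sig, pub), verify(b"Pay 1000 to Bob", sig, pub))
    print(ebusiness_session(b"order: 2 x antique lamp"))
```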

Secure Electronic Transaction (SET)
- Not widely used in North America because it is less flexible than traditional eBusiness SSL encryption.
- Used more in Hong Kong, Japan and South Korea for wealthy clients.

SET Process
- A customer receives a "personal" digital certificate from the credit card issuing financial institution, along with a private key.
- The customer stores it on the hard disk or a memory disk.
- The financial institution requires the customer to protect it with a passphrase.

SET Process
- When the customer buys something on a web site, s/he sends his or her digital certificate to the merchant, which sends a copy of it to the financial institution.
- The customer is required to use a passphrase to send the personal certificate.
- S/he also downloads the merchant's and the financial institution's digital certificates.

SET Process
- The customer's browser hashes the purchase order and the credit card information separately to form two message digests.
- The customer signs the message digests to form a composite digital signature.
- The digital signature is sent to the merchant, which in turn forwards a copy of it to the financial institution.

SET Process
- The customer uses the merchant's public key to encrypt the purchase order, and uses the financial institution's public key to encrypt the credit card information.
- The merchant forwards the credit card information, along with the amount to be charged, to the financial institution.

SET Process
- The merchant and the financial institution use the customer's public key to decrypt the digital signature.
- The merchant and the financial institution use their private keys to decrypt the purchase order and the credit card information respectively.

SET Process
- The merchant and the financial institution independently compute the message digests of the purchase order and the credit card information respectively.
- The independently computed message digests are then compared to the message digests in the decrypted digital signature.

SET Process
- Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and the credit/ePayment card information separately and independently.
- The credit information is not known to the merchant, and the purchase order (except the final amount) is not known to the card issuing financial institution or payment vendor.

SET Process
- The financial institution or payment vendor sends a code to the merchant indicating that payment is approved or declined.

Email Encryption
- The sender uses the recipient's public key to encrypt the message.
- The sender signs the message with its own private key.
- The recipient uses its own private key to decrypt the message.
- The recipient uses the sender's public key to authenticate the digital signature.
- The above process applies to non-Web based email. Web mail encryption is the same as eBusiness.

Wireless Encryption
- Based on an IEEE (Institute of Electrical and Electronics Engineers) standard; the latest is 802.11i, Wi-Fi Protected Access (WPA).
- Uses 128-bit or 256-bit symmetric keys that change with every packet of data.
- Uses a static 128-bit key for encrypting the challenge-response text to authenticate the user's computer.

WPA
- A device authorized to access an access point (wireless router) is installed with the access point's ID, called a service set ID (SSID), a static 128-bit symmetric key and the encryption software.
- The access point sends challenge-response text to the client device (desktop, laptop or phone).

WPA
- The device encrypts the challenge-response text and the SSID and sends them to the access point.
- The access point decrypts the text and SSID and compares them to the plain text that it sent out earlier.
- If there is a match, the device is allowed to connect.

WPA
- The access point and the device generate a new 128-bit symmetric key for each packet exchanged.
- The packet keys are encrypted using the static key for each device.

Stored Data Encryption
- Uses a symmetric key.
- The key should be activated with a passphrase.
- Applies to laptops, smart phones, memory disks, desktops and servers.

Encryption Strength
- The secrecy of the key
- The length of the key
- The rigour of the algorithm

Cryptographic strength can almost never be proven; it can only be disproven. When new encryption algorithms are proposed, their creators believe that the algorithm is perfect. That is, the creator believes that the algorithm is strong and that there is no way to decrypt an encrypted message without possession of the corresponding key. The algorithm's creator can also show that the algorithm is resistant to specific attacks which are already known. As time passes, people usually find new attacks that work against the algorithm and publish them.

Cookie
- Useful to web sites and users to remember information, so users can be provided with more relevant information and keying is reduced, e.g., remembering the account number.
- Must not be used to remember a password.
- Privacy concern, as web sites can track user behaviour more.

Web Application Security
Input validation: web applications implement controls to ensure the input entered is valid. Web applications expect valid input, that is, input of the correct length, the right type (text vs integer), etc. Developers often insert edit checks via JavaScript that is executed on the client side. However, end users can always modify these checks (since they reside on the client side) to bypass them and submit wrong inputs to the application. Developers should implement edit checks on the server side.

Buffer Overflow
- Buffer overflows: an attack wherein malicious input spills into sensitive portions of memory, compromising applications.
- Buffers are memory locations allocated by programmers to store users' inputs. Attackers may provide malicious input that runs past the size of the buffer. The extra input could spill into sensitive portions of memory, with results ranging from nothing happening, to the application crashing, to a complete compromise.

Buffer Overflow
- Buffer overflow risks: the impact of a buffer overflow ranges from the application failing its execution, to its crash, to the running of malicious code of the attacker's choice resulting in complete compromise.
- Controls: enforce boundary checks before accepting inputs. Use compilers that warn of potential overflow conditions. Educate programmers in safe programming practices.

SQL Injection Attack
- SQL injection: an attack wherein malicious SQL commands are passed into web applications via user inputs.
- Web applications with back-end databases are often susceptible to these attacks. These applications convert user-supplied input into SQL commands that are processed by the database. Attackers can craft special input that makes the SQL commands malicious in nature.

SQL Injection Attack
SQL injection attack example. Consider a web application that allows users to type in a keyword to search for a particular product type by asking:

Product keyword: antique

Say the resulting SQL executed by the database is:

SELECT product FROM product_table WHERE product_description LIKE '%antique%';

This query shows all products from product_table that have the keyword 'antique' in their description.

SQL Injection Attack
SQL injection attack example, continued. Now consider the user providing the following special input:

Product keyword: antique%'; DROP TABLE password_table; --

The resulting SQL executed by the database is then:

SELECT product FROM product_table WHERE product_description LIKE '%antique%'; DROP TABLE password_table; --%';

This results in the deletion of the password table!
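The search example above and the earlier input-validation slide, as an added example that is not part of the course slides. It builds the slide's product_table and password_table in an in-memory SQLite database, runs the slide's keyword search both the vulnerable way (input pasted into the SQL text) and the hardened way (parameter binding, where the keyword travels as data), and adds the server-side edit check the Web Application Security slide calls for. Table contents, the keyword pattern and the validator's rule are constructed for the demonstration.

```python
import re
import sqlite3

# Added example, not from the slides. Schema and rows are constructed to match the
# slide's product_table / product_description / password_table names.


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_table (product TEXT, product_description TEXT);
        INSERT INTO product_table VALUES ('lamp', 'antique brass lamp'),
                                         ('desk', 'modern oak desk');
        CREATE TABLE password_table (username TEXT, password_hash TEXT);
    """)
    return conn


def search_products_unsafe(conn: sqlite3.Connection, keyword: str) -> None:
    """The slide's pattern: the user's keyword is spliced straight into the SQL text.
    executescript() is used because the slide's example depends on the database running the
    stacked statement after the ';'. (sqlite3's execute() refuses a second statement, which
    happens to blunt this exact payload but is no substitute for parameter binding.)"""
    sql = "SELECT product FROM product_table WHERE product_description LIKE '%{}%';".format(keyword)
    conn.executescript(sql)      # runs every statement the input smuggled in


def search_products_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened version: the keyword is bound as a parameter, so quotes and ';' inside it
    are just characters to match against, never SQL."""
    cur = conn.execute(
        "SELECT product FROM product_table WHERE product_description LIKE ?",
        ("%" + keyword + "%",),
    )
    return [row[0] for row in cur.fetchall()]


# Server-side edit check (Web Application Security slide): a JavaScript check in the browser
# can be bypassed, so the server enforces length and character set itself. Rule is assumed.
KEYWORD_RE = re.compile(r"^[A-Za-z0-9 ]{1,40}$")


def server_side_validate(keyword: str) -> bool:
    return bool(KEYWORD_RE.match(keyword))


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    cur = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,))
    return cur.fetchone() is not None


# The slide's special input, with DROP TABLE spelled out so the database accepts it.
PAYLOAD = "antique%'; DROP TABLE password_table; --"


def demo() -> dict:
    results = {}
    conn = fresh_db()
    search_products_unsafe(conn, PAYLOAD)
    results["unsafe_table_dropped"] = not table_exists(conn, "password_table")

    conn = fresh_db()
    results["safe_results"] = search_products_safe(conn, PAYLOAD)     # no product matches the literal
    results["safe_table_intact"] = table_exists(conn, "password_table")
    results["safe_normal_search"] = search_products_safe(conn, "antique")
    results["validator_rejects_payload"] = not server_side_validate(PAYLOAD)
    return results


if __name__ == "__main__":
    print(demo())
```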

Conclusion
- Access control is increasingly important because of e-commerce.
- Access control supports organization control and program change control.
- Access controls support management control, independent controls and segregation of duties.

Review Questions
1. What is the relationship between privacy and access control?
2. Who should the chief information security officer report to, and why?
3. Why is email encryption not very commonly used?

Review Questions (continued)
4. What are the relationships between access controls and other internal controls?
5. Which technique is used both in a password control and a digital signature? How?
6. How is defence in depth achieved?

Review Questions (continued)
7. What is the difference between hashing and encryption?
8. Where should an intrusion detection system be placed in relation to a firewall, and why?

Review Questions (continued)
9. How does encryption affect anti-virus software tools, and what should an organization do to address the effect?
10. What security risk can materialize if a domain name server is compromised?

MC Question
Which of the following provides the strongest protection against hackers?
A. Operating system
B. Access control list
C. Firewall
D. Virtual private network

MC Question
Which of the following would be the most appropriate task for a systems administrator to perform?
A. Configure the operating system.
B. Develop access control lists.
C. Develop a checklist for operating system configuration.
D. Set a password policy.

MC Question
Which of the following is most likely to change with technology?
A. Security policy
B. Code of business conduct
C. Security configuration
D. Security training

MC Question
Which of the following technologies would conflict with encryption the most?
A. Virtual private network
B. Digital certificate
C. Anti-virus software
D. Password

MC Question
Which of the following is the most effective solution for preventing external users from modifying sensitive and classified information?
A. Security standards
B. Intrusion detection system
C. Access logs
D. Firewall