ISA 562 Internet Security Theory & Practice: Access Control


Objectives and References
- General (from ISC2 CBK material): discuss access control mechanisms, measures and threats
- Details (from Bishop's Chapter 2): access control assurance methods
- General (from ISC2 CBK material): intrusion detection / intrusion prevention

Requirements & Concepts
Some basic requirements of an access control system:
- Avoid disclosing sensitive data to unauthorized users (confidentiality)
- Provide sensitive information to authorized users (availability)
- Reliable and dependable (integrity preserving)
- Scalable and expandable (long life)
Some of the key concepts in access control systems are:
- Separation of duties
- Least privilege
- Need-to-know
- Need-to-share (a contemporary buzz-phrase)
- Handle with care

What to protect? Information classification
- Based on the business risk of the content being released to malicious actors
- Example: the US government classification: Unclassified, Confidential, Secret, Top Secret
- Will be discussed in detail

Kinds of Access Control
- Preventive: avoid unwanted actions/events by blocking the ability to do them
- Detective: identify unwanted actions or events after they occur
- Corrective: remedy the circumstances that enabled the unwanted activity; return to the state prior to the unwanted activity
- Directive: dictated by a higher authority in laws or regulations, or specified in organization policy
- Deterrent: prescribe punishment for noncompliance
- Recovery: restore lost computing resources or capabilities
- Compensating: reinforce or replace normal controls that are unavailable

Three Types of Access Controls
- Administrative. Examples: separation of duties, dual control, etc.
- Physical. Examples: fences, alarms, badges, CCTV, etc.
- Technical. Examples: antivirus, anti-spam, logs, etc.
Further examples in the ISC2 book show how controls map to the access control types.

Steps in Accessing Systems
1. Authentication
  - Use a unique identifier. Examples: user ID, account number, PIN
  - Three main kinds of data are used for authentication:
    - Something the requester knows: passwords, pass-phrases
    - Something the requester is: biometrics, physical characteristics
    - Something the requester has: tokens (one-time passwords, time-synchronized tokens), smart cards, USB tokens
2. Authorization
3. Accounting

Using Tokens & Smartcards for Authentication
- Asynchronous token: challenge-response
- Synchronous token: time or event based; uses a one-time password or hashed values; the authentication server knows the expected value from the token
- Smart cards: contact and contact-less

Using Biometrics for Authentication
- Biometric systems have false rejection and false acceptance rates; the crossover is the point where the two are equal, and both are tunable to need
- Examples of static biometrics: fingerprint or palm print, hand geometry, retina
- Examples of dynamic biometrics: face/gesture recognition, keystrokes, voice pattern

Identity Management
- What is identity management? A set of technologies used to manage user identity information.
- When is it needed? For manual service provisioning; to manage sophisticated and complex environments; to comply with regulations
- What are the major challenges? Reliability of user profiles; consistency of user profiles across different systems/devices; scalability, by supporting data volumes and peaks
- More details in the ISC2 book

Identity Management: benefits and technologies
- Benefits: increasing productivity; reducing head-count
- Technologies: found in systems that support the identity management process and manage data consistently and efficiently across multiple systems within an organization: directories, web access management, password management, legacy single sign-on

Access Control technologies

Single Sign-on
- How it works: one user ID and password for multiple application servers, through an authentication server
- Benefits: efficient log-on process; users may create stronger passwords; no need for multiple passwords
- Major drawback: a compromised password lets an intruder into all resources of the owner of that account

Single Sign-on using Kerberos

Single Sign-on – Kerberos and SESAME
Kerberos
- The Key Distribution Center serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
- Kerberos issues:
  - Security depends on careful implementation and maintenance
  - The lifetime of authentication credentials should be as short as feasible, using time stamps to minimize the threat of replayed credentials
  - The KDC must be physically secured; it could be a single point of failure, so redundancy is recommended
  - The KDC should be hardened and not allow any non-Kerberos activity
SESAME
- Stands for Secure European System for Applications in a Multi-vendor Environment
- Developed to address some of the Kerberos weaknesses
- Supports SSO
- Improves key management by using both symmetric and asymmetric keys

Directory Service and Security Domains
- Directory services consist of applications that provide the means to hierarchically organize and manage information about network users and resources, and to retrieve that information by name association
- Security domain: the set of objects that a subject in an information system is allowed to access
  - Hierarchical domain relationships
  - Equivalence classes of subjects

Access Control & Assurance
Mechanisms used to assure that access control mechanisms are in place and in good standing:
- Audit trail: a record of system activities, together with its analysis and monitoring
- Assessment tools
- Audit tools cover a wide spectrum of cost, complexity, etc., and must be tailored to the specific goals of the audit

The Access Control Matrix Model (Chapter 2 from Bishop's book)

Chapter 2: Access Control Matrix
Overview
- Access Control Matrix Model
- Boolean Expression Evaluation
- History
- Protection State Transitions
  - Commands
  - Conditional Commands
  - Special Rights
  - Principle of Attenuation of Privilege

Overview
- Protection state of the system: describes the current settings and values of the system relevant to protection
- Access control matrix: describes the protection state precisely; a matrix describing the rights of subjects
- State transitions change elements of the matrix

Description
- Matrix layout: one row per subject $s_1, \dots, s_n$; one column per object (entity) $o_1, \dots, o_m$, followed by one column per subject $s_1, \dots, s_n$
- Subjects $S = \{ s_1, \dots, s_n \}$
- Objects $O = \{ o_1, \dots, o_m \}$
- Rights $R = \{ r_1, \dots, r_k \}$
- Entries $A[s_i, o_j] \subseteq R$
- $A[s_i, o_j] = \{ r_x, \dots, r_y \}$ means subject $s_i$ has rights $r_x, \dots, r_y$ over object $o_j$

Example 1
- Processes (subjects): p, q
- Files (objects): f, g
- Rights: r, w, x, a, o

         f      g      p       q
    p    rwo    r      rwxo    w
    q    a      ro     r       rwxo

Example 2
- Procedures: inc_ctr, dec_ctr, manage
- Variable: counter
- Rights: +, –, call

             counter   inc_ctr   dec_ctr   manage
    inc_ctr  +
    dec_ctr  –
    manage             call      call      call

Boolean Expression Evaluation
- ACM controls access to database fields
- Subjects have attributes
- Verbs define the type of access (for example, read, write)
- Rules are associated with an (object, verb) pair, e.g. (foo, write)
- When a subject attempts to access an object, the rule for that (object, verb) pair is evaluated and grants or denies access

Example
- Subject: Alice
- Attributes: role (artist), groups (creative)
- Verb: paint
- Default: 0 (deny unless explicitly granted)
- Object: picture
- Rule: paint: 'artist' in subject.role and 'creative' in subject.groups and time.hour ≥ 0 and time.hour < 5

ACM at 3AM and 10AM
- At 3AM, the time condition is met; the ACM entry is A[annie, picture] = { paint }
- At 10AM, the time condition is not met; the ACM entry A[annie, picture] is empty

AC by History and Inference
Database:

    name      position    age   salary
    Alice     teacher     45    $40,000
    Bob       aide        20    $20,000
    Cathy     principal   37    $60,000
    Dilbert   teacher     50    $50,000
    Eve       teacher     33    $50,000

Queries:
1. sum(salary, "position = teacher") = 140,000
2. sum(salary, "age > 40 & position = teacher") should not be answered (deduce Eve's salary)

ACM of Database Queries
- $O_i$ = { objects referenced in query $i$ }
- $f(o_i)$ = permission set of query $i$
- $f(o_i) = \{\text{read}\}$ for $o_j \in O_i$, if $|\bigcap_{j=1,\dots,i} O_j| < 2$
- $f(o_i) = \emptyset$ for $o_j \in O_i$, otherwise
- $O_1 = \{\text{Alice}, \text{Dilbert}, \text{Eve}\}$ and no previous query set, so:
  - $A[\text{asker}, \text{Alice}] = f(\text{Alice}) = \{\text{read}\}$
  - $A[\text{asker}, \text{Dilbert}] = f(\text{Dilbert}) = \{\text{read}\}$
  - $A[\text{asker}, \text{Eve}] = f(\text{Eve}) = \{\text{read}\}$
- and the query can be answered

But Query 2
From the last slide:
- $f(o_i) = \{\text{read}\}$ for $o_j \in O_i$, if $|\bigcap_{j=1,\dots,i} O_j| < 2$
- $f(o_i) = \emptyset$ for $o_j \in O_i$, otherwise
2. $O_2 = \{\text{Alice}, \text{Dilbert}\}$ but $|O_2 \cap O_1| = 2$, so
- $A[\text{asker}, \text{Alice}] = f(\text{Alice}) = \emptyset$
- $A[\text{asker}, \text{Dilbert}] = f(\text{Dilbert}) = \emptyset$
- and the query cannot be answered
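An added example, not from the slides: the history rule f above run over the teacher database, with the first query answered, the second refused, and a later query on a disjoint set answered again. Class and method names are my own; the slide treats the first query, which has no previous query set, as answerable, so the overlap test is applied only once a history exists (an assumption stated in the code).

```python
# Added example, not from the slides: the history-based permission rule f
# applied to the teacher database. Data matches the slide; names are mine.
from typing import Callable, Dict, List, Optional, Set

# Database from the slide (constructed copy)
DB: Dict[str, dict] = {
    "Alice":   {"position": "teacher",   "age": 45, "salary": 40_000},
    "Bob":     {"position": "aide",      "age": 20, "salary": 20_000},
    "Cathy":   {"position": "principal", "age": 37, "salary": 60_000},
    "Dilbert": {"position": "teacher",   "age": 50, "salary": 50_000},
    "Eve":     {"position": "teacher",   "age": 33, "salary": 50_000},
}

class QueryHistoryACM:
    """The asker's row of the ACM, recomputed for each query from the objects
    referenced by this query and by all previous ones."""

    def __init__(self, db: Dict[str, dict]) -> None:
        self.db = db
        self.history: List[Set[str]] = []   # O_1, O_2, ... (one set per query)

    def permissions(self, objs: Set[str]) -> Dict[str, Set[str]]:
        """f(o_i) = {read} for every o_j in O_i if the intersection of O_i with
        the previous query sets has fewer than 2 objects, else the empty set.
        Assumption: with no previous query set the query is answerable, as on
        the slide, so the overlap test only runs once there is a history."""
        if self.history:
            overlap = set(objs)
            for prev in self.history:
                overlap &= prev
            if len(overlap) >= 2:
                return {o: set() for o in objs}
        return {o: {"read"} for o in objs}

    def sum_salary(self, predicate: Callable[[dict], bool]) -> Optional[int]:
        """Answer sum(salary, predicate) only if the ACM grants read on every
        referenced object; record the query's object set either way."""
        objs = {name for name, row in self.db.items() if predicate(row)}
        acm_row = self.permissions(objs)
        self.history.append(objs)
        if not all("read" in acm_row[o] for o in objs):
            return None                        # query refused
        return sum(int(self.db[o]["salary"]) for o in objs)
```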

State Transitions
- Change the protection state of the system
- $X_i$ is a state of the ACM at time $i$
- $\vdash$ represents a transition
- $X_i \vdash_{\tau} X_{i+1}$: command $\tau$ moves the system from state $X_i$ to $X_{i+1}$
- $X_i \vdash^{*} X_{i+1}$: a sequence of commands moves the system from state $X_i$ to $X_{i+1}$
- Commands are often called transformation procedures, because they transform the state of the access control matrix

Primitive Operations
- create subject s: creates a new row and a new column in the ACM
- create object o: creates a new column in the ACM
- destroy subject s: deletes a row and a column from the ACM
- destroy object o: deletes a column from the ACM
- enter r into A[s, o]: adds right r for subject s over object o
- delete r from A[s, o]: removes right r from subject s over object o

Access Control Requests
- Transform the state of the access control matrix
- An access control request can be precisely defined using pre-conditions and post-conditions
- Notation (from Z): pre-state without primes, post-state with primes
- Example: the pre-state A[alice, file1] is the permission set of Alice for file1 before a request, and A'[alice, file1] is the post-state

Create Subject: pre- and post-conditions
- Precondition: $s \notin S$
- Primitive command: create subject $s$
- Postconditions:
  - $S' = S \cup \{ s \}$, $O' = O \cup \{ s \}$
  - $(\forall y \in O')[a'[s, y] = \emptyset]$
  - $(\forall x \in S')[a'[x, s] = \emptyset]$
  - $(\forall x \in S)(\forall y \in O)[a'[x, y] = a[x, y]]$

Create Object
- Precondition: $o \notin O$
- Primitive command: create object $o$
- Postconditions:
  - $S' = S$, $O' = O \cup \{ o \}$
  - $(\forall x \in S')[a'[x, o] = \emptyset]$
  - $(\forall x \in S)(\forall y \in O)[a'[x, y] = a[x, y]]$

Add Right
- Precondition: $s \in S$, $o \in O$
- Primitive command: enter $r$ into $a[s, o]$
- Postconditions:
  - $S' = S$, $O' = O$
  - $a'[s, o] = a[s, o] \cup \{ r \}$
  - $(\forall x \in S')(\forall y \in O' - \{ o \})[a'[x, y] = a[x, y]]$
  - $(\forall x \in S' - \{ s \})(\forall y \in O')[a'[x, y] = a[x, y]]$

Delete Right
- Precondition: $s \in S$, $o \in O$
- Primitive command: delete $r$ from $a[s, o]$
- Postconditions:
  - $S' = S$, $O' = O$
  - $a'[s, o] = a[s, o] - \{ r \}$
  - $(\forall x \in S')(\forall y \in O' - \{ o \})[a'[x, y] = a[x, y]]$
  - $(\forall x \in S' - \{ s \})(\forall y \in O')[a'[x, y] = a[x, y]]$

Destroy Subject
- Precondition: $s \in S$
- Primitive command: destroy subject $s$
- Postconditions:
  - $S' = S - \{ s \}$, $O' = O - \{ s \}$
  - $(\forall y \in O')[a'[s, y] = \emptyset]$, $(\forall x \in S')[a'[x, s] = \emptyset]$
  - $(\forall x \in S')(\forall y \in O')[a'[x, y] = a[x, y]]$

Destroy Object
- Precondition: $o \in O$
- Primitive command: destroy object $o$
- Postconditions:
  - $S' = S$, $O' = O - \{ o \}$
  - $(\forall x \in S')[a'[x, o] = \emptyset]$
  - $(\forall x \in S')(\forall y \in O')[a'[x, y] = a[x, y]]$

Creating File
Process p creates file f with r and w permission:

    command createfile(p, f)
        create object f;
        enter own into A[p, f];
        enter r into A[p, f];
        enter w into A[p, f];
    end

Mono-Operational Commands
Make process p the owner of file g:

    command makeowner(p, g)
        enter own into A[p, g];
    end

Mono-operational command: a single primitive operation in this command.

Conditional Commands
Let p give q r rights over f, if p owns f:

    command grantreadfile1(p, f, q)
        if own in A[p, f]
        then
            enter r into A[q, f];
    end

Mono-conditional command: a single condition in this command.

Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has c rights over q:

    command grantreadfile2(p, f, q)
        if own in A[p, f] and c in A[p, q]
        then
            enter r into A[q, f];
            enter w into A[q, f];
    end
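An added example, not code from Bishop's slides: a small Python access control matrix implementing the six primitive operations with the preconditions given above (a violated precondition raises instead of silently changing the matrix), and the createfile, makeowner, grantreadfile1 and grantreadfile2 commands composed from them. Method names are my own; the slides write the commands in command ... end syntax.

```python
# Added example, not from Bishop's slides: an access control matrix with the six
# primitive operations, each enforcing the precondition the slides give it, and the
# createfile / makeowner / grantreadfile commands composed from them (names are mine).
from typing import Dict, Set

class ACM:
    def __init__(self) -> None:
        self.S: Set[str] = set()                     # subjects
        self.O: Set[str] = set()                     # objects; each subject is also an object
        self.A: Dict[str, Dict[str, Set[str]]] = {}  # A[s][o] = rights of s over o
    def _require(self, cond: bool, what: str) -> None:
        if not cond:
            raise ValueError("precondition failed: " + what)
    # ---- the six primitive operations ----
    def create_subject(self, s: str) -> None:
        self._require(s not in self.S, "s not in S")
        self.S.add(s); self.O.add(s)
        self.A[s] = {y: set() for y in self.O}       # new row, all entries empty
        for x in self.S:                             # new column, all entries empty
            self.A[x].setdefault(s, set())
    def create_object(self, o: str) -> None:
        self._require(o not in self.O, "o not in O")
        self.O.add(o)
        for x in self.S:
            self.A[x][o] = set()
    def destroy_subject(self, s: str) -> None:
        self._require(s in self.S, "s in S")
        self.S.remove(s); self.O.remove(s); del self.A[s]   # drop the row ...
        for x in self.S:                                  # ... and the column
            del self.A[x][s]
    def destroy_object(self, o: str) -> None:             # subjects: use destroy_subject
        self._require(o in self.O and o not in self.S, "o in O, o not a subject")
        self.O.remove(o)
        for x in self.S:
            del self.A[x][o]
    def enter(self, r: str, s: str, o: str) -> None:
        self._require(s in self.S and o in self.O, "s in S and o in O")
        self.A[s][o].add(r)
    def delete(self, r: str, s: str, o: str) -> None:
        self._require(s in self.S and o in self.O, "s in S and o in O")
        self.A[s][o].discard(r)
    # ---- commands from the slides, composed of the primitives ----
    def createfile(self, p: str, f: str) -> None:
        self.create_object(f)
        for r in ("own", "r", "w"):
            self.enter(r, p, f)
    def makeowner(self, p: str, g: str) -> None:               # mono-operational
        self.enter("own", p, g)
    def grantreadfile1(self, p: str, f: str, q: str) -> None:  # mono-conditional
        if "own" in self.A[p][f]:
            self.enter("r", q, f)
    def grantreadfile2(self, p: str, f: str, q: str) -> None:  # two conditions
        if "own" in self.A[p][f] and "c" in self.A[p][q]:
            self.enter("r", q, f)
            self.enter("w", q, f)
```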

Copy Right
- Allows the possessor to give rights to another
- Often attached to a right, so it only applies to that right: r is a read right that cannot be copied; rc is a read right that can be copied
- Is the copy flag copied when giving r rights? Depends on the model and its instantiation

Own Right
- Usually allows the possessor to change entries in an ACM column: the owner of an object can add or delete rights for others
- May depend on what the system allows: can't give rights to specific (sets of) users; can't pass the copy flag to specific (sets of) users

Attenuation of Privilege
- The principle says you can't give rights you do not possess
- Restricts the addition of rights within a system
- Usually ignored for the owner. Why? The owner gives herself rights, gives them to others, then deletes her own rights.

Main Points
- The access control matrix is the simplest abstraction mechanism for representing a protection state
- Transitions alter the protection state
- Six primitive operations alter the matrix
- Transitions can be expressed as commands composed of these operations and, possibly, conditions