Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Access Control Systems & Methodology. Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining.

Published byLucinda York Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Access Control Systems & Methodology. Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining."— Presentation transcript:

1 1 Access Control Systems & Methodology

2 Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. 2

3 Access Controls The candidate should fully understand access control concepts, methodologies and implementation within centralized and decentralized environments across the enterprise’s computer systems. Access control techniques, detective and corrective measures should be studied to understand the potential risks, vulnerabilities, and exposures. 3

4 Access Control Overview Access Controls: The security features that control how users and systems communicate and interact with one another. Access: The flow of information between subject and object Subject: An active entity that requests access to an object or the data in an object Object: A passive entity that contains information 4

5 Security Principles The three main security principles also pertain to access control: Availability Integrity Confidentiality 5

6 Identification, Authentication, and Authorization Identification, Authentication, and Authorization are distinct functions. Identification Authentication Authorization Identity Management: A broad term to include the use of different products to identify, authenticate, and authorize users through automated means. 6

7 Identification Method of establishing the subject’s (user, program, process) identity. Use of user name or other public information. Know identification component requirements. 7

8 Identification Component Requirements: When issuing identification values to users, the following should be in place: Each value should be unique, for user accountability; A standard naming scheme should be followed; The value should be nondescriptive of the user’s position or tasks; and The value should not be shared between users. 8

9 Authentication Method of proving the identity. Something a person is, has, or does. Use of biometrics, passwords, passphrase, token, or other private information. Strong Authentication is important 9

10 Authentication Biometrics Verifies an identity by analyzing a unique person attribute or behavior (e.g., what a person “is”). Most expensive way to prove identity, also has difficulties with user acceptance. Many different types of biometric systems, know the most common. 10

11 Authentication Most common biometric systems: Fingerprint Palm Scan Hand Geometry Iris Scan Signature Dynamics Keyboard Dynamics Voice Print Facial Scan Hand Topography 11

12 Authentication Passwords User name + password most common identification, authentication scheme. Weak security mechanism, must implement strong password protections Implement Clipping Levels 12

13 Authentication Techniques to attack passwords Electronic monitoring Access the password file Brute Force Attacks Dictionary Attacks Social Engineering Know difference between a password checker and a password cracker. 13

14 Techniques that attackers can use to get passwords: (p136) Electronic monitoring: Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker later Access the password file: Usually done on an authentication server. The password file should be protected with access control mechanisms and encryption Brute Force Attacks: Performed with tools that cycle through many possible character, number and symbol combinations to uncover a password. Password Cracker: Same tool as password checker, only tool is used by an attacker. (p137) 14

15 Dictionary Attacks: Files of thousands of words are used to compare to the user’s password until a match is found. Social Engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources. Password Checker: Tool used by a security professional to test the strength of a password. (p137) 15

16 Authentication Passphrase Is a sequence of characters that is longer than a password. Takes the place of a password. Can be more secure than a password because it is more complex. 16

17 Authentication One Time Passwords (aka Dynamic Passwords) Used for authentication purposes and are only good once. Can be generated in software (soft tokens), or in a piece of hardware 17

18 Authentication Two types of Token Devices (aka Password Generator) Synchronous Time Based Counter Synchronization Asynchronous Know the different types of devices and how they work. 18

19 Synchronous: The token synchronizes with the authentication service by using a time or counter as the core piece of the authentication process. (140) Time Based: If the synchronization is time based, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create the one time password, which is displayed to the user. The user enters this value and a user ID into the computer, which then passes them to the server running the authentication service. The authentication service decrypts this value and compares it to the value expected. If the two match, the user is authenticated. (140) Counter Synchronization: If the token device and authentication service use counter synchronization, the user will need to initiate the logon sequence on the computer and push a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters this resulting value along with a user ID to be authenticated. (140) In either system, the token device and authentication service must share the same secrete base key used for encryption and decryption. ( 19

20 Asynchronous: A token device that is using an asynchronous token generating method uses a challenge/response scheme to authentication the user. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value that the user enters as a one time password. The user sends this value, along with a user name, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value that it sent earlier, the user is authenticated. (140) 20

21 Authentication Smart Cards and Memory Cards Memory Cards: Holds but cannot process information. Smart Cards: Holds and can process information. Contact Contactless Hybrid Combi 21

22 Authentication Attacks on Smart Cards Fault Generation Microprobing Side Channel Attacks (nonintrusive attacks) Differential Power Analysis Electromagnetic Analysis Timing Software attacks 22

23 Authentication Hashing & Encryption Hash or encrypting a password to ensure that passwords are not sent in clear text (means extra security) Windows environment, know syskey modes. Salts: Random values added to encryption process for additional complexity. 23

24 Authentication Cryptographic Keys Use of private keys or digital signatures to prove identity Private Key Digital Signature Beware digital signature vs. digitized signature. 24

25 Authorization Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources. 25

26 Authorization Access Criteria can be thought of as: Roles Groups Location Time Transaction Types 26

27 Authorization Authorization concepts to keep in mind: Authorization Creep Default to Zero Need to Know Principle Access Control Lists 27

28 Authorization Problems in controlling access to assets: Different levels of users with different levels of access Resources may be classified differently Diverse identity data Corporate environments keep changing 28

29 Authorization Solutions that enterprise wide and single sign on solutions supply: User provisioning Password synchronization and reset Self service Centralized auditing and reporting Integrated workflow (increase in productivity) Regulatory compliance 29

30 Authorization Single Sign On Capabilities Allow user credentials to be entered one time and the user is then able to access all resources in primary and secondary network domains SSO technologies include: Kerberos Sesame Security Domains Directory Services Dumb Terminals 30

31 Access Control Models Access Control Models: Three Main Types Discretionary Mandatory Non-Discretionary (Role Based) 31

32 Access Control Models Discretionary Access Control (DAC) A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. Access control is at the discretion of the owner. 32

33 Access Control Models Mandatory Access Control (MAC) Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications. This model is used in environments where information classification and confidentiality is very important (e.g., the military). 33

34 Access Control Models Non-Discretionary (Role Based) Access Control Models Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact. Is the best system for an organization that has high turnover. 34

35 Access Control Techniques There are a number of different access controls and technologies available to support the different models. Rule Based Access Control Constrained User Interfaces Access Control Matrix Content Dependent Access Control Context Dependent Access Control 35

36 Access Control Techniques Rule Based Access Control Uses specific rules that indicate what can and cannot happen between a subject and an object. Not necessarily identity based. Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism. 36

37 Access Control Techniques Constrained User Interfaces Restrict user’s access abilities by not allowing them certain types of access, or the ability to request certain functions or information Three major types Menus and Shells Database Views Physically Constrained Interfaces 37

38 Access Control Techniques Access Control Matrix Is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Two types Capability Table (bound to a subject) Access Control List (bound to an object) 38

39 Access Control Techniques Content Dependent Access Control: Access to an object is determined by the content within the object. Context Based Access Control: Makes access decision based on the context of a collection of information rather than content within an object. 39

40 Access Control Administration First an organization must choose the access control model (DAC, MAC, RBAC). Then the organization must select and implement different access control technologies. Access Control Administration comes in two basic forms: Centralized Decentralized 40

41 Access Control Administration Centralized Access Control Administration: One entity is responsible for overseeing access to all corporate resources. Provides a consistent and uniform method of controlling access rights. Protocols: Agreed upon ways of communication Attribute Value Pairs: Defined fields that accept certain values. 41

42 Access Control Administration Types of Centralized Access Control Radius TACAS Diameter 42

43 Access Control Administration Decentralized Access Control Administration: Gives control of access to the people who are closer to the resources Has no methods for consistent control, lacks proper consistency. 43

44 Access Control Methods Access controls can be implemented at various layers of an organization, network, and individual systems Three broad categories: Administrative Physical Technical (aka Logical) 44

45 Access Control Methods Administrative Controls Policy and Procedure Personnel Controls Separation of Duties Rotation of Duties Mandatory Vacation Supervisory Structure Security Awareness Training Testing 45

46 Access Control Methods Physical Controls Network Segregation Perimeter Security Computer Controls Work Area Separation Data Backups Cabling Control Zone 46

47 Access Control Methods Technical (Logical) Controls System Access Network Architecture Network Access Encryption and protocols Auditing 47

48 Access Control Types Each control works at a different level of granularity, but can also perform several functions Access Control Functionalities Prevent Detect Correct Deter Recover Compensate 48

49 Access Control Types Security controls should be built on the concept of preventative security Preventative Administrative Controls Includes policies, hiring practices, security awareness Preventative Physical Controls Includes badges, swipe cards, guards, fences Preventative Technical Controls Includes passwords, encryption, antivirus software 49

50 Accountability Accountability is tracked by recording user, system, and application activities. Audit information must be reviewed Event Oriented Audit Review Real Time and Near Real Time Review Audit Reduction Tools Variance Detection Tools Attack Signature Tools 50

51 Accountability Other accountability concepts… Keystroke Monitoring Can review and record keystroke entries by a user during an active session. A hacker can also do this May have privacy implications for an organization Scrubbing: Removing specific incriminating data within audit logs 51

52 Access Control Practices Know the access control tasks that need to be accomplished regularly to ensure satisfactory security. Best practices include: Deny access to anonymous accounts Enforce strict access criteria Suspend inactive accounts Replace default passwords Enforce password rotation Audit and review Protect audit logs 52

53 Access Control Practices Unauthorized Disclosure of Information Object Reuse Data Hiding Emanation Security Tempest White Noise Control Zone 53

54 Access Control Monitoring Intrusion Detection Three Common Components Sensors Analyzers Administrator Interfaces Common Types Intrusion Detection Intrusion Prevention Honeypots Network Sniffers 54

55 Access Control Monitoring Two Main Types of Intrusion Detection Systems Network Based (NIDS) Host Based (HIDS) HIDS and NIDS can be: Signature Based Statistical Anomaly Based Protocol Anomaly Based Traffic Anomaly Based Rule Based 55

56 Access Control Monitoring Intrusion Prevention Systems The next big thing Is a preventative and proactive technology, IDS is a detective technology. Two types: Network Based (NIPS) and Host Based (HIPS) 56

57 Access Control Monitoring Honeypots An attractive offering that hopes to lure attackers away from critical systems Network sniffers A general term for programs or devices that are able to examine traffic on a LAN segment. 57

58 Threats to Access Control A few threats to access control Insiders Countermeasures include good policies and procedures, separation of duties, job rotation Dictionary Attacks Countermeasures include strong password policies, strong authentication, intrusion detection and prevention Brute Force Attacks Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels Spoofing at Logon Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection 58

Download ppt "1 Access Control Systems & Methodology. Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining."

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CISSP Luncheon Series: Access Control Systems & Methodology

CISSP Luncheon Series: Access Control Systems & Methodology
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Access Control Methodologies

Access Control Methodologies
Authentication & Kerberos

Authentication & Kerberos
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Security Controls – What Works

Security Controls – What Works
Chapter 12 Network Security.

Chapter 12 Network Security.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Chapter 15 Computer Security Techniques Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design.

Chapter 15 Computer Security Techniques Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.
SE571 Security in Computing

SE571 Security in Computing

Similar presentations

Ads by Google