
1 ACCESS CONTROLS SZABIST – Spring 2012

2 Access Controls
This chapter presents the following:
- Identification methods and technologies
- Authentication methods, models, and technologies
- Discretionary, mandatory, and nondiscretionary models
- Accountability, monitoring, and auditing practices
- Intrusion detection and prevention systems
- Possible threats to access control practices and technologies

3 Access Controls – An Overview
- Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.
- Examples of access controls?

4 Identification, Authentication, Authorization, and Accountability
- Identification – Does the subject present the necessary credentials? Public information: user ID
- Authentication – Are the credentials correct? Private information: password, smart token, PIN
- Authorization – Once authenticated, is the subject authorized to access the resource?
- Accountability – The subject is liable for all the actions performed.
- Now an example!

5 Identification, Authentication, Authorization, and Accountability – Diagrammatic View

6 Identification, Authentication, Authorization, and Accountability
- Identification component requirements:
  - should be unique, for user accountability
  - should not be shared between users
- Authentication
  - Two-/three-factor authentication: something a person knows, something a person has, and something a person is.

7 Identity Management
"Identity management is a broad term that encompasses the use of different products to identify, authenticate, and authorize users through automated means."
- What are identity management solutions?

8 Identity Management

9 The following are many of the common questions enterprises deal with today in controlling access to assets:
- What should each user have access to?
- Who approves and allows access?
- Do former employees still have access?
- How do we keep up with our dynamic and ever-changing environment?
- What is the process of revoking access?
- How is access controlled and monitored centrally?
- Why do employees have eight passwords to remember?
- We have five different operating platforms. How do we centralize access when each platform (and application) requires its own type of credential set?
- How do we control access for our employees, customers, and partners?

10 Identity Management
- What is the traditional process to grant access over the systems? ACLs, profiles?
- Identity management solutions: refer to the diagram "IDENTITY MANAGEMENT"!
- Main goals of identity management (IdM) technologies: to streamline the management of identity, authentication, authorization, and the auditing of subjects on multiple systems throughout the enterprise.

11 Identity Management Technologies – IDENTIFICATION and AUTHENTICATION
The following are the types of technologies you should at least be aware of:
- Directories
- Web access management
- Legacy single sign-on
- Account management
- Profile update

12 Identity Management Technologies – IDENTIFICATION
- Directory services: an integral part of IdM

13 Identity Management Technologies – IDENTIFICATION (contd.)
- Working of directory services
- LDAP
- Meta-directory

14 Identity Management Technologies – IDENTIFICATION (contd.)
- Web access management
- Communication process
- Cookies?

15 Identity Management Technologies – AUTHENTICATION (contd.)
- Biometrics
  - Physiological – "what you are"
  - Behavioral – "what you do"
- Type 1 error: false rejection rate (FRR)
- Type 2 error: false acceptance rate (FAR)
- Minimize both errors, especially Type 2
- Crossover error rate (CER): the percentage at which the Type 1 and Type 2 rates cross (are equal); a lower CER represents a more reliable system
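The error rates on this slide, worked through as an added example (not from the lecture): a threshold sweep over constructed matcher scores computes the Type 1 and Type 2 rates and locates the CER. The scores and the matcher are hypothetical, not measurements from any real biometric system.

```python
# Constructed similarity scores (0..100) from a hypothetical matcher;
# a higher score means a stronger match against the enrolled template.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 61, 55]   # the enrolled user
IMPOSTOR_SCORES = [58, 52, 47, 45, 40, 36, 30, 25, 20, 12]  # other people

def false_rejection_rate(genuine, threshold):
    """Type 1 error: share of legitimate attempts scoring below the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)

def false_acceptance_rate(impostor, threshold):
    """Type 2 error: share of impostor attempts scoring at or above the threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)

def crossover_error_rate(genuine, impostor):
    """Sweep the decision threshold and return (threshold, CER): the point where
    FRR and FAR are closest to equal.  A lower CER means a more reliable system."""
    best = None
    for t in range(0, 101):
        frr = false_rejection_rate(genuine, t)
        far = false_acceptance_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]

def threshold_for_max_far(impostor, max_far):
    """Lowest threshold whose Type 2 error stays within max_far: the security-driven
    choice when, as the slide says, Type 2 errors matter most (at the cost of FRR)."""
    for t in range(0, 101):
        if false_acceptance_rate(impostor, t) <= max_far:
            return t
    return 100
```

Raising the threshold drives the false acceptance rate down and the false rejection rate up; the CER is the single number usually quoted to compare systems.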

16 Identity Management Technologies – AUTHENTICATION (contd.)
- Biometric authentication process

17–18 Identity Management Technologies – AUTHENTICATION (contd.)
- Various biometric technologies:
  - Fingerprint
  - Palm scan
  - Hand geometry
  - Retina scan
  - Iris scan
  - Signature dynamics
  - Keystroke dynamics
  - Voice print
  - Facial scan
- Passwords
  - What are the possible attacks on passwords? Electronic monitoring, accessing the password file, brute force attacks, dictionary attacks, social engineering, etc.

19 Identity Management Technologies – AUTHENTICATION (contd.)
- Passwords
  - Password protection mechanisms: password hashing and encryption (encryption will be discussed in later chapters), e.g. MD4 and MD5
  - One-time passwords: token devices / SecurID

20 Identity Management Technologies – AUTHENTICATION (contd.)

21 Identity Management Technologies – AUTHENTICATION (contd.)
- Cryptographic keys
- Passphrase
- Smart cards
  - Smart card attacks? Fault generation, side channel attacks, microprobing

22 AUTHORIZATION
- A two-step process that determines whether an individual is allowed to access a particular resource.
- Access criteria:
  - Roles
  - Groups
  - Physical and logical locations
  - Time of day
  - Temporary access
  - Transaction type
- Default to no access!
- Need-to-know access.
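The access criteria on this slide, combined into one decision function as an added example (not code from the lecture). The policy, the subjects and the function name are constructed for illustration; the point is that only an explicit grant that satisfies every criterion allows the request, and everything else falls through to "no access".

```python
from datetime import datetime

# Constructed policy for the example: each entry is an explicit grant, and a request
# that no grant fully satisfies is denied (default to no access).
GRANTS = [
    {"resource": "payroll-db", "roles": {"hr"}, "locations": {"office"},
     "hours": (9, 17), "transactions": {"read"}},
    {"resource": "payroll-db", "roles": {"hr-admin"}, "locations": {"office", "vpn"},
     "hours": (0, 24), "transactions": {"read", "write"}},
    {"resource": "audit-logs", "groups": {"auditors"}, "locations": {"office"},
     "hours": (9, 17), "transactions": {"read"},
     "expires": datetime(2012, 6, 30)},            # temporary access for an external audit
]

def authorize(subject, resource, transaction, location, now):
    """Decide a request against the slide's criteria and return (allowed, reason).
    subject is a dict with roles, groups and need_to_know (the resources the
    subject has a business reason to use)."""
    if resource not in subject.get("need_to_know", set()):
        return False, "denied: no need to know for %s" % resource
    reasons = []
    for g in GRANTS:
        if g["resource"] != resource or transaction not in g["transactions"]:
            continue
        if not (g.get("roles", set()) & subject.get("roles", set())
                or g.get("groups", set()) & subject.get("groups", set())):
            continue                               # grant is for other roles/groups
        if location not in g["locations"]:
            reasons.append("location %s not permitted" % location)
        elif not g["hours"][0] <= now.hour < g["hours"][1]:
            reasons.append("outside permitted hours %d-%d" % g["hours"])
        elif "expires" in g and now > g["expires"]:
            reasons.append("temporary access expired on %s" % g["expires"].date())
        else:
            return True, "granted: %s %s by matching grant" % (transaction, resource)
    return False, "denied: " + (reasons[0] if reasons else "no matching grant (default to no access)")

# Constructed subjects
HR_CLERK = {"roles": {"hr"}, "groups": {"staff"}, "need_to_know": {"payroll-db"}}
AUDITOR = {"roles": set(), "groups": {"auditors"}, "need_to_know": {"audit-logs"}}
```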

23 AUTHENTICATION and AUTHORIZATION – KERBEROS
- Designed in the mid-1980s as part of MIT's Project Athena.
- Provides end-to-end security in a client/server model and is based on symmetric key cryptography.
- Initially developed and used in UNIX systems; currently the default authentication method for Microsoft OS, Apple's Mac OS X, Sun's Solaris, and Red Hat Enterprise Linux.
- Main components in Kerberos

24 AUTHENTICATION and AUTHORIZATION – KERBEROS
- Main components in Kerberos

25 AUTHORIZATION – KERBEROS
Working of Kerberos:
- The user enters the authentication credentials into the Kerberos software installed on the user's computer.
- The username is sent to the authentication service (AS) on the KDC, which in turn sends an initial ticket that is encrypted with the user's password (secret key).
- If the password is correct, the ticket is decrypted and the user gains access to the local workstation.
- When the user needs to send a print job to the print server, the system sends the initial ticket to the ticket granting service (TGS), which runs on the KDC. (This proves that the user is authenticated and allows the user to request access to the print server.)
- The TGS creates and sends a second ticket to the user, which will be used to authenticate to the print server.

26 AUTHORIZATION – KERBEROS – Working of Kerberos (contd.)
- This second ticket contains two instances of the same session key, one encrypted with the user's secret key and the other encrypted with the print server's secret key. It also contains an authenticator, which holds the user's identification information, the system's IP address, a sequence number, and a timestamp.
- The user's system receives the second ticket, decrypts and extracts the session key, adds a second authenticator set of identification information to the ticket, and sends the ticket to the print server.
- The print server receives the ticket, decrypts and extracts the session key, and decrypts and extracts the two authenticators in the ticket.
- If the print server can decrypt and extract the session key, it knows the KDC created the ticket, because only the KDC has the secret key used to encrypt the session key.
- If the authenticator information that the KDC and the user put into the ticket matches, the print server knows it received the ticket from the correct principal.
- Once this is completed, the user is properly authenticated to the print server and the server prints the document.
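The print-job exchange of slides 25 and 26, run end to end as an added example (not from the lecture and not real Kerberos code). The cipher is a toy SHA-256 keystream XOR standing in for Kerberos' symmetric encryption, the long-term keys and session key derivation are constructed, and the AS, TGS, workstation and print server are plain functions sharing one key table; the function names are hypothetical.

```python
import hashlib, json, time

def crypt(key, data):
    """Toy symmetric cipher (stand-in, NOT Kerberos' real cipher): XOR with a keystream."""
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    return crypt(key, json.dumps(obj).encode()).hex()

def unseal(key, blob):
    """Decrypted object, or None when the key does not fit (garbage is not JSON)."""
    try:
        return json.loads(crypt(key, bytes.fromhex(blob)))
    except ValueError:
        return None

# Constructed long-term secret keys; only the KDC holds all of them.
KEYS = {"alice": hashlib.sha256(b"alice-pw").digest(),
        "printer": hashlib.sha256(b"printer-secret").digest()}

def kdc_as(user):
    """Authentication service: initial ticket sealed with the user's secret key."""
    return seal(KEYS[user], {"user": user, "initial": True})

def kdc_tgs(user, initial_ticket, ip, seq):
    """Ticket granting service: session key in two copies plus the KDC's authenticator."""
    if unseal(KEYS[user], initial_ticket) is None:
        return None                       # not an AS-issued ticket for this user
    session = hashlib.sha256(f"{user}:{seq}".encode()).hexdigest()  # constructed key
    auth = {"user": user, "ip": ip, "seq": seq, "ts": int(time.time())}
    return {"for_user": seal(KEYS[user], {"session": session}),
            "for_server": seal(KEYS["printer"], {"session": session, "auth": auth})}

def client_print(user, password, ticket, ip, seq):
    """Workstation: recover the session key, add a second authenticator, send both."""
    part = unseal(hashlib.sha256(password.encode()).digest(), ticket["for_user"])
    if part is None:
        return None                       # wrong password: the ticket stays opaque
    auth2 = seal(bytes.fromhex(part["session"]), {"user": user, "ip": ip, "seq": seq})
    return {"for_server": ticket["for_server"], "auth2": auth2}

def print_server(msg):
    """Print server: unsealing for_server proves the KDC made it; authenticators must agree."""
    part = unseal(KEYS["printer"], msg["for_server"])
    if part is None:
        return False
    auth2 = unseal(bytes.fromhex(part["session"]), msg["auth2"])
    kdc_auth = part["auth"]
    return auth2 is not None and all(auth2[k] == kdc_auth[k] for k in ("user", "ip", "seq"))
```

Note that the print server never sees the user's password: it trusts the session key only because the copy it opened was sealed with its own secret, which only the KDC shares.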

27 AUTHORIZATION – KERBEROS
Weaknesses of Kerberos:
- Open architecture, therefore interoperability issues.
- The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC.
- The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable.
- Secret keys are temporarily stored on the users' workstations, which means it is possible for an intruder to obtain these cryptographic keys.
- Session keys are decrypted and reside on the users' workstations, either in a cache or in a key table. Again, an intruder can capture these keys.
- If the keys are too short, they can be vulnerable to brute force attacks.

28 AUTHORIZATION – SESAME (The Secure European System for Applications in a Multi-vendor Environment)
- Extension to Kerberos functionality.
- Uses symmetric and asymmetric cryptographic techniques to authenticate subjects to network resources.
- Assignment 2
- Thin clients

29 Access Control Models
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)

30 Access Control Models
- Access Control List (ACL)
- Access Control Matrix

31 Access Controls Administration
- Centralized access control administration
- Decentralized access control administration

32 Accountability
- Accountability is tracked by recording user, system, and application activities.
- Auditing capabilities ensure users are accountable for their actions:
  - System-level events
  - Application-level events
  - User-level events
- Review of audit information
- Protecting audit data and log information

33 Access Controls Monitoring
- Intrusion Detection System (IDS)
  - Network-based IDS (NIDS): identifies attacks within the monitored network and issues a warning to the operator. If placed between the Internet and the firewall, it will detect all attack attempts, whether or not they get through the firewall. If placed between the firewall and the corporate network, it will detect only those attacks that get through the firewall (it will detect intruders).
  - Host-based IDS (HIDS): configured for a specific environment and monitors various internal resources of the operating system to warn of a possible attack. It can detect the modification of executable programs, detect the deletion of files, and issue a warning when an attempt is made to use a privileged command.

34 Access Controls Monitoring
- Intrusion Detection System (IDS) – contd. HIDS and NIDS can be one of the following types:
  - Signature-based: pattern matching, stateful matching
  - Anomaly-based: statistical anomaly-based, protocol anomaly-based, traffic anomaly-based
  - Rule- or heuristic-based
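The three detection styles on this slide (pattern matching, stateful matching, statistical anomaly detection), each run over the same constructed log lines as an added example; this is illustrative code, not any real IDS product. The log lines, the baseline counts, the signatures and the function names are all constructed for the example.

```python
import re
import statistics
from collections import Counter, defaultdict
# Constructed sample log lines for the example (not from any real system).
LOG_LINES = [
    "09:00:01 sshd Failed password for bob from 10.0.0.5",
    "09:00:02 sshd Failed password for bob from 10.0.0.5",
    "09:00:03 sshd Failed password for bob from 10.0.0.5",
    "09:00:04 sshd Failed password for bob from 10.0.0.5",
    "09:00:05 sshd Accepted password for bob from 10.0.0.5",
    "09:00:09 sshd Accepted password for alice from 10.0.0.8",
    "09:01:10 httpd GET /index.html from 10.0.0.9",
    "09:01:11 httpd GET /../../etc/passwd from 10.0.0.9",
]
# Constructed baseline: failed logins per source observed on ordinary days.
BASELINE_FAILURES = [0, 1, 0, 2, 1, 0, 1]

# Signature-based, pattern matching: one regex per known attack pattern, one line at a time.
SIGNATURES = {"path traversal": re.compile(r"\.\./.*etc/passwd"),
              "root login attempt": re.compile(r"password for root ")}

def signature_alerts(lines):
    return [(name, line) for line in lines for name, rx in SIGNATURES.items() if rx.search(line)]

LOGIN = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")

def stateful_alerts(lines, failures=3):
    """Signature-based, stateful matching: the pattern spans several lines, a success
    that follows `failures` or more consecutive failures from the same source."""
    streak, alerts = defaultdict(int), []
    for line in lines:
        m = LOGIN.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            streak[src] += 1
            continue
        if streak[src] >= failures:
            alerts.append(("success after %d failures" % streak[src], src, user))
        streak[src] = 0
    return alerts

def statistical_anomalies(lines, baseline, k=2.0):
    """Anomaly-based, statistical: flag sources whose failed-login count exceeds baseline mean + k*sd."""
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    counts = Counter(m.group(3) for m in map(LOGIN.search, lines)
                     if m and m.group(1) == "Failed")
    return {src: n for src, n in counts.items() if n > mean + k * sd}
```

The pattern rule only fires on the line that contains the signature, the stateful rule needs the sequence of events, and the statistical rule fires without any signature at all, which is why anomaly-based detectors catch new behaviour but also need a tuned baseline.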

35 Access Controls Monitoring
- Intrusion Prevention System (IPS)
- Honeypots
- Network sniffers

36 A Few Threats to Access Controls
- Dictionary attacks
- Countermeasures:
  - Do not allow passwords to be sent in cleartext.
  - Encrypt the passwords with encryption algorithms or hashing functions.
  - Employ one-time password tokens.
  - Use hard-to-guess passwords.
  - Rotate passwords frequently.
  - Employ an IDS to detect suspicious behavior.
  - Use dictionary cracking tools to find weak passwords chosen by users (ethical hacking).

37 A Few Threats to Access Controls
- Brute force attacks
- Countermeasures:
  - Perform brute force attacks to find weaknesses and hanging modems (internal penetration testing).
  - Monitor and audit for such activity.
  - Employ an IDS to watch for suspicious activity.
  - Set account lockout thresholds.

38 A Few Threats to Access Controls
- Spoofing at logon
  - Fake logon screen
  - Fake error message will appear
- Phishing
  - Type of social engineering
  - www.amazon.com might become www.amzaon.com

39 A Few Threats to Access Controls
- DNS poisoning (pharming)

40 A Few Threats to Access Controls
- Countermeasures:
  - Be skeptical of e-mails indicating you must make changes to your accounts, or warnings stating an account will be terminated if you don't perform some online activity.
  - Call the legitimate company to find out if this is a fraudulent message.
  - Review the address bar to see if the domain name is correct.
  - When submitting any type of financial information or credential data, an SSL connection should be set up, which is indicated in the address bar (https://) and by a closed-padlock icon in the browser at the bottom-right corner.
  - Do not click an HTML link within an e-mail. Type the URL out manually instead.

41 End of Chapter 3 – Thank You

