Access Control Systems and Methodology

Access Control Measures

Preventive

Try to prevent attacks from occurring

Can be partially effective with Defence in Depth

Not always effective

Works with Deterrent measures

Examples

Physical

Fences

Guards

Alternate Power Source

Fire Extinguisher

Badges, ID Cards

Mantraps

Turnstiles

Limiting access to physical resources through the use of bollards, locks, alarms, or

Administrative

Policies and procedures

Security awareness training

Separation of duties

Security reviews and audits

Rotation of duties

Procedures for recruiting and terminating employees

Security clearances

Background checks

Alert supervision

Performance evaluations

Mandatory vacation time

Technical

Access control software, such as firewalls, proxy servers

Anti-virus software

Passwords

Smart cards/biometrics/badge systems

Encryption

Dial-up callback systems

Audit trails

Intrusion detection systems (IDSs)

Firewalls

Packet Filtering

Decision based on IP and Port

Does not know state

very fast

Stateful

Knows if incoming packet was in response to request

Unknown packets discarded

Proxy

Slow

Never a connection from external to internal

Network Vulnerability Scanner

Nessus

GFI LanGuard

ISS

NAI

Vulnerability Assessment

Scanning key servers

Looks for common known vulnerabilities

Penetration Tests

Simulates an attacker trying to break in

Finds weaknesses

Only as good as the attacker

Does not provide comprehensive view

Usually done after Vulnerability Assessment

Security Assessment

Comprehensive view of Network Security

Analyzes entire network from inside

Creates a complete list of risks against critical assets

Detective

Assumes Attack is Successful

Tries to detect AFTER an attack occurs

Time critical when attack is occurring

Examples

Physical

Motion Detectors

CCTV

Smoke Detectors

Sensors

Alarms

Administrative

Audits

Regular performance reviews

Background Investigations

Force users to take leaves

Rotation of duties

Technical

Audits

Intrusion Detection Systems

Intrusion Detection Systems

Pattern Matching

Anomaly Detection

Other

Deterrent

Discourages security violations (Preventative)

Examples

Administrative

Acceptable Use agreements

Physical

Restricted Access signs

Technical

Logon banner

Warnings on Web Pages

Compensating

Provide alternatives to other controls

Corrective

Reacts to an attack and takes corrective action for data recovery

Recovery

Restores the operating state to normal after an attack or system failure

Areas of Application

Administrative

Physical

Technical

Identity, Authentication, and Authorization

Identity and Authentication are not the same thing

Identity is who you say you are

Authentication is the process of verifying your Identity

Identity

User Identity enables accountability

Positive Identification

Negative Identification

Weak in terms of enforcement

Authentication

Validates Identity

Involves stronger measures than identification

Usually requires a key piece of information only the user would know

User Acceptance needed for success

Must meet business requirements

Methods of Authentication

Something you know

Methodologies

User Picked

Too simple

System Generated

Single Sign On

Access Control

password files

/etc/passwd

/etc/shadow

NT SAM

Normally stored as hashes

Cracking

Attempt to guess passwords

Access to password file

increases success (no Duh!)

Attack Types

Dictionary

Quickest and Easiest

Not guaranteed to find all passwords

Relies on human factors

Tries every word in dictionary for match

Hybrid

uses dictionary in combination with brute force

John the ripper

Brute force

Given enough time, brute force will always work

Rainbow Crack

Negative

Users forget

Easy to compromise

users write down passwords

Easy for attackers to target

Brute force

Dictionary attack

Users tell others

Positive

Easiest to implement (passwords)

Low cost

Something you have

Token

Token Provides password

Changes on regular basis

More expensive to implement

each user needs token

additional software equipment

Users can lose tokens

Something you are (Biometrics)

Types

Hand

Fingerprint

ridges and valleys

30-70 points of reference

Hand Geometry

Oldest known form of Biometrics

Eye

Retina

capillary patterns

enrollment

five scans to enroll

45 seconds

1/2" from scanner

320-400 points of reference stored

Stored in 35 byte field

Certain people cannot enroll

Degenerative diseases exist that compromise data fidelity

Iris

240 reference points

enrollment

video camera at 3-10in

camera locates eye

locates left and right edges of iris

Approach is horizontal due to eyelid occlusion

excludes lower portion because of moisture and reflection

image captured and processed into 512 byte record

Less than 20 seconds

Subsequent verifications at up to 40in

Verification takes 1-2 seconds

System tests for 'live' eye

pupil size fluctuation


Face

Thermograms

Photos

Facial feature identification

Detection

Locate the face

Isolation

Isolate features of the face

leaves features in rectangle

mask (binary mask)

Mask values compared to database

Eigen

German word referring to recursive mathematics used in facial recognition

Eigen features (facial metrics)

Eigenfaces

Voice Print

Mannerisms

Keystroke

Tread

Handwriting

Positive

Hard to lose

Does not require user to have anything

Negative

Intrusive

Can cause Privacy issues

Costly

Each authenticating system needs hardware

Key Factors

Reliability

False acceptance Rate (FAR)

percentage of impostors falsely authorized

False rejection Rate (FRR)

percentage of legitimate users falsely rejected

Cross error Rate (CER)

rate at which FAR and FRR are equal

Equal Error Rate (EER)

Better to have a higher FRR than a high FAR

pissed off user vs a breach
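As an added illustration (not part of the original outline), the Python below computes FAR, FRR and the crossover point from constructed match scores for a hypothetical matcher, and applies the outline's policy of capping FAR at the cost of a higher FRR; the scores, the threshold range and the policy function are assumptions.

```python
# Constructed match scores (0-100) from a hypothetical biometric matcher:
# how closely a presented sample matches the enrolled template.
GENUINE_SCORES = [88, 91, 79, 95, 84, 90, 76, 93, 87, 82, 69, 97]   # legitimate users
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 66, 74, 58, 52, 80, 45, 60]  # impostors


def far(impostor, threshold):
    """False Acceptance Rate: fraction of impostors scoring at or above the
    threshold, i.e. wrongly authorized."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: fraction of legitimate users scoring below the
    threshold, i.e. wrongly rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine, impostor):
    """(threshold, FAR, FRR) for every integer threshold from the lowest score
    to one above the highest, so the curve reaches both FAR=0 and FRR=0."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    return [(t, far(impostor, t), frr(genuine, t)) for t in range(lo, hi + 2)]


def crossover_error_rate(genuine, impostor):
    """CER/EER: the threshold where FAR and FRR are (closest to) equal, and the
    error rate there. A lower CER means a more reliable biometric system."""
    curve = error_curve(genuine, impostor)
    t, a, r = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Policy from the outline: accept a higher FRR rather than a high FAR.
    Returns the lowest threshold whose FAR is within the ceiling, plus the
    FAR and FRR actually obtained there (the FRR is the usability cost)."""
    for t, a, r in error_curve(genuine, impostor):
        if a <= max_far:
            return t, a, r
    raise ValueError("no threshold meets the FAR ceiling")


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}: CER = {cer:.3f}")
    print("zero-FAR policy:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```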

User Acceptance

A high FRR will cause users to try to find ways around the system

Animosity

An intrusive enrollment

Animosity

Resistance

Cost

Some of the technologies are still very expensive

Increases technical complexity

Adds to operational loads

Somewhere you are

Based on GPS

Costly

Each system needs additional Hardware

Works well with classified data

Controlled access

Strong Authentication

Two Factor

Two different methods used together

Multi-Factor

Centralized Control

RADIUS

Remote Authentication Dial In User Service

UDP based

RFC 2865


RFC 2866


Successor to TACACS

TACACS+

Terminal Access Controller Access Control System

TCP based

RFC 1492


Domains and Trusts

Windows Security Model

Domains

Groups

Users

Role-based Model

Protocols

Originally designed for use with PPP

Password Authentication Protocol (PAP)

Sends actual password in the clear.

vulnerable to replay attack

Password sniffed off network and resent to server

Works with both passwords and hashes

Process

User enters password

Password sent unencrypted over network to PAP server

Can use hashes but still vulnerable to replay attack

Challenge Handshake Authentication Protocol (CHAP)

password never traverses network

Not vulnerable to replay attack

Process

Client initiates comms to server

Server sends back challenge to client

User enters password

Client uses password and challenge to create response

Client sends response to server

Server creates local version of valid response using original challenge and stored password.

If responses are identical, server grants access

Server requests re-confirmation with this sequence when appropriate
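The exchange above, as an added example that is not part of the original outline: both sides of a CHAP handshake in Python, using the MD5 construction of RFC 1994 (Response = MD5(Identifier || secret || Challenge)). The peer name, shared secret and the ChapServer/run_handshake helpers are assumptions; the demo shows why the secret never crosses the link and why a captured response does not verify against a fresh challenge.

```python
import hashlib
import hmac
import os

# Constructed shared secret known to both the client and the CHAP server.
# It only ever enters the hash; it is never transmitted.
SHARED_SECRET = b"constructed-example-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Holds the stored secrets and the challenge last issued to each peer."""

    def __init__(self, secrets):
        self._secrets = secrets      # peer name -> shared secret
        self._outstanding = {}       # peer name -> (identifier, challenge)

    def challenge(self, peer: str):
        """Step 2: send back a fresh, unpredictable challenge."""
        identifier = os.urandom(1)[0]
        nonce = os.urandom(16)
        self._outstanding[peer] = (identifier, nonce)
        return identifier, nonce

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        """Steps 6-7: build the local version of the valid response from the
        stored secret and the issued challenge, grant access only on a match.
        The challenge is consumed, so a sniffed response cannot be replayed."""
        issued = self._outstanding.pop(peer, None)
        secret = self._secrets.get(peer)
        if issued is None or secret is None or issued[0] != identifier:
            return False
        expected = chap_response(identifier, secret, issued[1])
        return hmac.compare_digest(expected, response)


def run_handshake(server: ChapServer, peer: str, password: bytes):
    """Steps 1-7 from the client's side. Returns (granted, response, identifier)
    so the caller can show what an eavesdropper would have captured."""
    identifier, nonce = server.challenge(peer)             # server -> client
    response = chap_response(identifier, password, nonce)  # client computes
    granted = server.verify(peer, identifier, response)    # client -> server
    return granted, response, identifier


def demo() -> dict:
    server = ChapServer({"alice": SHARED_SECRET})
    ok, captured, ident = run_handshake(server, "alice", SHARED_SECRET)
    # Replaying the captured response against a new challenge fails:
    server.challenge("alice")
    replay_ok = server.verify("alice", ident, captured)
    # A wrong password never yields a matching response:
    wrong_ok, _, _ = run_handshake(server, "alice", b"wrong-password")
    return {"valid_login": ok, "replay": replay_ok, "wrong_password": wrong_ok}


if __name__ == "__main__":
    print(demo())
```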

Windows related

Win2K native is secure

Win2K in compatibility mode is weakened by LM

LM Support needed for

WinNT pre SP4

Windows 9x

Macintosh

LanManager (LM)

Uses hash to obfuscate password

passwords up to 14 char easily defeated

RainbowCrack

NTLM and NTLM2

Also uses Hashes

Vulnerable to DLL injection

Forces lsass.exe to show passwords in weak LM format

weak passwords can be cracked offline

John the Ripper

Lophtcrack

Kerberos

Much more secure

Still some concerns

Now in use in Windows

Default in Win2K

Default in XP

Default in Server 2K3

Features

Secret Key Protocol and distributed service for 3rd party authentication

Kerberos KDC is trusted intermediary similar to RADIUS server

Confidentiality: DES (CBC mode) Symmetric Encryption

Integrity: Crypto hash algorithms

Authentication: Login password (local)

Non-Repudiation: Knowledge of a password

Process

Username and Password Entered

username and password passed to local security subsystem

local security subsystem takes domain name specified and uses DNS to locate controller

When domain controller is found

local security subsystem contacts the Kerberos service on the domain controller

Requests session ticket for user

Session ticket will be used by users computer to authenticate with Kerberos service

Kerberos service contacts Active Directory to authenticate user

Kerberos service also accesses a Global Catalog Server to obtain users Universal Group Memberships

After authentication, Kerberos server return requested session ticket to users computer

Contains users SID

SIDs of all groups user belongs to

used in all future negotiations with Kerberos server

Local security subsystem sends copy of session ticket to Kerberos service on Domain controller

Users PC asks for another ticket

used to authenticate user to local PCs workstation service

AKA Workstation session ticket

Kerberos service on local PC authenticates user with new ticket

PCs Kerberos service consults AD

PCs Kerberos service consults GCS

After authentication the PCs Kerberos service sends a copy of the ticket to the users PC

Local Security subsystem creates access token using users SID and SIDs of any groups user is a member of from Workstation session ticket

Local Security Subsystem adds to token

Any local group memberships

Any local permissions

Any local access rights

Local security subsystem creates environment or process and attaches token

This is the authenticating token used to verify access requests

Strengths

Mutual authentication

Kerberos Ticket Granting Ticket

TGT confirms hashes

Sets temporal limits

Too far from ticket time can indicate spoofed ticket

Must be protected from attacks

Authorization

What a subject can do once Authenticated

Most systems do a poor job

Tied closely to POLP

Systems and Methodologies

Mandatory (MAC)

All data has classification

All users have clearances

All clearances centrally controlled and cannot be overridden

Users cannot change security attributes at request

Subjects can only access objects if they have the right access level (clearance)

Also known as Lattice Based Access Control (LBAC)

Examples of MAC

Linux

RSBAC Adamantix Project


SE by NSA


LIDS


eTrust CA-ACF2


Multics-based Honeywell

SCOMP


Pump

Purple Penelope


Strengths

Controlled by system and cannot be overridden

Not subject to user error

Enforces strict controls on multi security systems

Helps prevent information leakage

Weaknesses

Protects only information in Digital Form

Assumes following:

Trusted users/administrators

Proper clearances have been applied to subjects

Users do not share accounts or access

Proper physical security is in place

Discretionary (DAC)

User can manage

Owners can change security attributes

Administrators can determine access to objects

Examples of DAC

Windows NT4.0

Most *NIX versions

Win2K can be included when context is limited to files and folders

Strengths

Convenient

Flexible

Gives users control

Ownership concept

Simple to understand

Software Personification

Weaknesses

No distinction between users and programs

Processes are user surrogates and can run arbitrary code

Processes can change access control attributes

DAC generally assumes a benign software environment

Subject to user arbitrary discretion

Higher possibility of unintended results

Open to malicious software

Errors lead to possible great escalation of privilege

No protection against even "trusted" user error

Non-Discretionary

Role based (RBAC)

Assigns users to roles or groups based on organizational functions

Groups given authorization to certain data

Centralized Authority

Database Management

Based on Capabilities

Access rights established for each role

Examples of RBAC

Database functionality

Adjusting the schema

Default Sorting Order

Ability to Query (Select)

Microsoft Roles

Data Reader

Data Writer

DENY Data Reader

DENY Data Writer

Rule-Based (RSBAC)

Actions based on Subjects operating on Objects

Based on Generalized Framework for Access Control by Abrams and LaPadula

List Based (Access Control Lists)

Associates lists of Users and their Privileges with each object

Each object has a list of default privileges for unlisted users

Token Based

Associates a list of objects and their privileges with each User

Opposite of List Based

New Implementations

Context Based Access Control (CBAC)

XML Data Restrictions

Quotas

Preceding actions

Privacy Aware RBAC (PARBAC)

Threats

Application threats

Buffer overflows


The buffer overflow problem is one of the oldest and most common problems in software. It can result when a program fills up its buffer of memory with more data than its buffer can hold. When the program begins to write beyond the end of the buffer, the program’s execution path can be changed. This can lead to the insertion of malicious code that can be used to destroy data or to gain administrative privileges on the program or machine.

Covert channel


A covert channel is one that violates the organization’s security policy through an unintended communications path. Covert channels have the potential for occurring when two or more subjects or objects share a common resource.

Timing channel.


A timing channel utilizes the timing of occurrences of an activity to transfer information in an unintended manner.

Storage channel


A storage channel utilizes changes in stored data to transfer information in an unintended manner.

Data remanence


Data remanence occurs when some data, after the magnetic media is written over or degaussed, still remains on the magnetic media.

Dumpster diving


This is when individuals access discarded trash to obtain user identifications, passwords, and other data.

Eavesdropping


This is the use of software (sniffers) to monitor packets or wiretapping telecommunication links to read transmitted data.

Emanations


Emanations are electronic signals that radiate from hardware devices. Radio-frequency (RF) computer devices are all susceptible to emanation interception. In the United States, TEMPEST equipment is designed to eliminate this problem.

Hackers

Impersonation


Impersonation is masquerading as an authorized user to gain unauthorized access.

Internal intruders

Loss of processing capability

Malicious code

Masquerading/man-in-the-middle attacks


This involves someone who intercepts and manipulates packets being sent to a networked computer. A masquerade takes place when one entity pretends to be a different entity.

Mobile code

Object reuse


This refers to the possibility that sensitive data is available to a new subject. It may occur when magnetic media or memory is reassigned to a new subject and the media or memory still contains one or more objects that have not been purged before the reassignment.

Password crackers

Physical access

Replay


This is the passive capture of a packet and its subsequent retransmission to produce an unauthorized effect.

Shoulder surfing


This is the process of direct visual observation of monitor displays to obtain access to sensitive information.

Sniffers

Social engineering


This occurs when an unauthorized user tries to con authorized users into providing the information needed to access systems.

Spoofing


This is the act of masquerading as a different IP address. Packets can be formatted with false (or fake) addresses to hide the originator’s true location. It involves an intruder connected to the network and pretending to be a trusted host.

Spying

Targeted data mining

Trapdoor


A trapdoor is an opening that system developers use to bypass the user authentication process in software. It may be inadvertently left available after software delivery.

Tunneling


This is a digital attack that attempts to get under a security system by accessing low-level system functions.

Transmission Threats

Passive attacks

involve monitoring or eavesdropping on transmissions.

Active attacks

involve some modification of the data transmission or the creation of a false transmission.

Denial-of-Service (DoS)

occurs when invalid data is sent in such a way that it confuses the server software and causes it to crash.

Examples

E-mail spamming

Distributed Denial-of-Service

Ping of Death

Smurf

SYN Flooding

backhoe transmission loss

backhoe cuts into the cabling system carrying transmission links

smart pipes - provide damage detection information. Thus, if a cable were damaged, the smart pipe would be able to determine the type of damage to the cable, the physical position of the damage, and transmit a damage detection notification.

Distributed Denial-of-Service (DDoS)

requires the attacker to have many compromised hosts which overload a targeted server with packets until the server crashes.

A zombie is a computer infected with a daemon/system agent without the owner’s knowledge and subsequently controlled by an attacker

Clients: TFN2K

Fixes

Ping of Death

Fixes

Smurfing

Fixes

SYN Flooding

Fixes

Malicious Code Threats

Virus

Worms

Trojan Horse

Logic Bomb

Fixes

Antivirus

Awareness

Password Threats

An unauthorized user attempts to steal the file that contains a list of the passwords.

Users may create weak passwords that are easily guessed.

Social engineering can be used to obtain passwords

Sniffers can be used to intercept a copy of the password as it travels from the client to the authentication mechanism.

Trojan horse code can be installed on a workstation that will present an unauthorized login window to the user.

Hardware or software keyboard intercepts can be used to record all data typed into the keyboard

Access Control Models

Lattice

Deals with Information Flow

Formalizes network security models

Shows how information can or cannot flow

Drawn as a graph with directed arrows

Properties of a Lattice

A set of elements

A partial Ordering relation

The property that any two elements must have unique least upper bound and greatest lower bound

Confidentiality: Bell-LaPadula

Deals with confidentiality

Two Key principles

No Read Up (Simple Property)

No Write Down (Star Property)

Prevents write-down trojans for declassifying data

Also: Strong Star Property

No read down

No write up

Can only act on a single level

Tranquility Properties

Weak Tranquility:

Security labels of subjects never change in such a way as to violate a defined security policy

Strong tranquility property:

Labels never change during system operation

Integrity: Biba

Deals with integrity

Opposite of BLP

No read down

No write up

Two key principles

Simple integrity property

A user cannot write data to a higher level than they are assigned

A user cannot read data of a lower integrity level than theirs

Integrity Property

Developed by Ken Biba in 1975
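An added example (not from the original outline) that ties the lattice properties, the Bell-LaPadula rules and the Biba rules above together in Python: labels are a level plus a compartment set, `dominates` is the partial ordering, `lub`/`glb` give the bounds the lattice definition requires, and the two policy functions apply no-read-up/no-write-down (BLP) and their mirror image no-read-down/no-write-up (Biba). The level names, compartment names and helper names are assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Linear sensitivity levels; compartments turn the order into a partial one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of (constructed) compartment names."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """The partial ordering relation: self >= other iff its level is at
        least other's and its compartments include all of other's. Labels with
        disjoint compartments are incomparable, which is what makes this a
        lattice rather than a simple ladder."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs (the
    lowest class information from either may legitimately flow into)."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both inputs dominate."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.compartments & b.compartments)


def all_labels(compartments) -> list:
    """Every (level, compartment-subset) pair: the full lattice for these names."""
    names = sorted(compartments)
    subsets = [frozenset(n for n, keep in zip(names, bits) if keep)
               for bits in product((0, 1), repeat=len(names))]
    return [Label(lvl, s) for lvl in LEVELS for s in subsets]


def is_lattice(labels) -> bool:
    """Lattice property from the outline: every pair has a LUB and a GLB that
    lie inside the set and genuinely bound the pair. For the set built by
    all_labels these bounds are unique by construction."""
    for a, b in product(labels, repeat=2):
        up, down = lub(a, b), glb(a, b)
        if up not in labels or down not in labels:
            return False
        if not (up.dominates(a) and up.dominates(b)):
            return False
        if not (a.dominates(down) and b.dominates(down)):
            return False
    return True


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): subject clearance vs. object classification."""
    if op == "read":   # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":  # star property: no write down
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the same lattice with both directions reversed."""
    if op == "read":   # simple integrity property: no read down
        return obj.dominates(subject)
    if op == "write":  # star integrity property: no write up
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")
```

Two labels that are incomparable (same level, disjoint compartments) are denied both read and write under either model, which is the case a plain level ladder cannot express.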

Commercial: Clark-Wilson

Deals with Integrity

Adapted for Commercial use

Two Properties

Internal Consistency

Properties of the internal state of the system

External Consistency

Relation of the internal state of a system to the outside world

Separation of Duties

Rules

Integrity Monitoring (certification)

Notions

Constrained data items are consistent

Transformational procedures act validly

Duties are separated

Accesses are logged

Unconstrained data items are validated

Integrity Preserving (enforcement)

How integrity of constrained items is maintained

Subjects Identities are Authenticated

How integrity of constrained items is maintained

Triples are carefully maintained

Transformational procedures executed serially and not in parallel

Triples

subject

program

object

Techniques

Access Management

Account Administration

Most important step

Verifies individual before providing access

Good time for orientation/training

Maintenance

Review Account data

Update periodically

Monitoring

Logging

Review

Revocation

Prompt revocation

Access Control Modes

Information Flow

Manages access by evaluating system as a whole

Emphasizes Garbage in Garbage out

Closely related to Lattice

Assigned classes dictate whether an object being accessed by a subject can flow into another class

Defined:

A type of dependency that relates two versions of the same object, and thus transformation of one state into another, at successive points in time.

the tuple

subject

object

operation

related to access models

In the lattice model, one security class is given to each entity in the system. A flow relation among the security classes is defined to denote that information in one class (s1) can flow into another class (s2).

In the mandatory model, the access rule (s,o,t) is specified so that the flow relation between the subject (s) and the object (o) holds. Read and Write are the only considered forms of operations (t).

In the role based model, a role is defined as a set of operations on objects. The role represents a function or job in the application. The access rule is defined to bind a subject to the roles.

State Machine

Example: Authentication

Unauthenticated

Authentication Pending

Authenticated

Authorization Pending

Authorized

Captures the state of a system at a given point of time

Monitors changes introduced after the initial state

By chronology

By Event

Covert Channels

Information flows from higher to lower classifications

Can be introduced deliberately

Can not be stopped

Uses normal system resources to signal information

Additional reading

Sans Reading Room


ucsb.edu


Non-Interference

Based on variations in the input there should be no way to predict the output

Each input processing path should be independent and have no internal relationships

Terms and Principles

Data owner

CEO

CFO

Data custodian

CIO

DBA

Server Admin

Network Admin

System Admin

Least Privilege

Access control needs good administration

Availability versus security

Most Secure = No Access

What are the business needs

Reduce the misuse of Privilege

Centralized Control

Decentralized Control

Separation of Duties

Break jobs into multiple segments

More critical the job the more segmentation

Rotation of Duties

Rotate persons through roles

Prevent over familiarization with roles

Forced Leaves

Helps detect fraud

Access Control Model Terminology

Subjects (Active)

Users

Processes

Objects (Passive)

Files

Directories

pipes

devices

sockets

ports

Rules (Filters)

UNIX

Read

Write

Execute

Windows NT4

Read

Write

Execute

No Access

Labels (Sensitivity)

Users/Subjects = Clearances

Data objects = Classifications

In addition to rules

Can be used to group Objects

Can be used to group Subjects

Interaction

Subject assigned Security Attributes

Objects assigned security attributes

Rules = Attributes

Rules evaluated in Security Reference Monitor to allow or disallow interaction

Interaction dictated by policy

What are the business rules?

How are the rules enforced?

Types of Access Control Systems for File Systems

Mandatory

Discretionary

Role Based

Must use Reference Monitor

Ensures interactions between Subjects and Objects are:

Verifiable

Tamper-proofed

Irrevocable

pranksters

Hackers who play tricks on others but do not intend to inflict any long-lasting harm.

Top Level

Accountability

Access Controls

Discretionary Access Control

Mandatory Access Control

Lattices

Methods of Attack

Malicious Code

Virus

Worm

Trojan

Logic Bomb

Trap Doors

Denial of Service

Resource Exhaustion

Fork Bomb

Flooding

SYN Flood

Spamming

Cramming

Buffer Overflow

Stack Smashing

Specifically crafted URLs

Brute Force

Remote Maintenance

TOC/TOU

Time of Check

Time of Use

Exploits time-based vulnerabilities

Interrupts

Faultline Attacks

Exploits hardware vulnerabilities

Code alteration

Root kits

When someone has altered your code

Inference

Learning something through analysis

Traffic analysis

Browsing

Sift through large volumes of data for information

Overview

Controlling who can do what

Access Controls protect CIA

Access Controls reduce Risk

Threats to Access Control

User distrust of biometrics

Order of Acceptance

Voice Pattern

Keystroke Pattern

Signature

Hand Geometry

Hand Print

Finger Print

Iris

Retina Pattern

Misuse of privilege

Poor administration knowledge

Current Practices

Implement MAC if possible

Use third party tools in RBAC for NDS and AD

Layered defences

Tokens

Biometrics