You are on page 1of 47

Information Systems Security

Access Control
Domain #2

Access control types
Identification, authentication, authorization
Control models and techniques
Single sign-on technologies
Centralized and decentralized
Intrusion Detection Systems (IDS)

Roles of Access Control

Limit System Access
Access based on identity, groups,
clearance, need-to-know, location, etc.
Protect against unauthorized disclosure,
corruption, destruction, or modification

Access Control Examples

Locks, guards

Encryption, password, biometrics

Policies, procedures, security training

Access Control Characteristics

Keeps undesirable events from happening

Identify undesirable events that have happened

Correct undesirable events that have happened

Discourage security violations from taking place

Restore resources and capabilities after a
violation or accident

Provides alternatives to other controls

Who are You?

Identification username, ID account #
Authentication passphrase, PIN, bio
Authorization What are you allowed to
Separation of Duties
Least Privilege

Something you know
Something you have
Something you are
2-Factor Authentication
Use 2 out of the 3 types of characteristics

Access Criteria
Security Clearance
Mandatory control systems and labels

Formal processes
Requirements of role within company for access

Least Privilege
Lease amount of rights to carry out tasks
No authorization creep

Default to NO ACCESS

Example Controls
Retina, finger, voice, iris

Synchronous and Asynchronous device

Memory Cards
ATM card, proximity card

Smart Cards
Credit card, ID card

Biometric Controls

Uses unique personal attributes

Most expensive and accurate
Society has low acceptance rate
Experience growth after 9-11-2001

Error Types
Type I error
Rejects authorized individuals (False Reject)
Too high a level of sensitivity

Type II error
Accepts imposter (False Accept)
Too low a level of sensitivity

Crossover Error Rate (CER)


Biometric Example
Ridge endings and bifurcations

Finger Scan
Uses less data than fingerprint (minutiae)

Palm Scan
Creases, ridges, and grooves from palm

Hand Geometry
Length and width of hand and fingers

More Biometrics
Retina Scan
Blood vessel pattern on back of eyeball

Iris Scan
Colored portion of eye

Signature Dynamics
Electrical signals of signature process

Keyboard Dynamics
Electrical signals of typing process

More Biometrics
Voice Print
Differences in sound, frequency, and pattern

Facial Scan
Bone structure, nose, forehead size, and eye

Hand Topology
Size and width of side of hand

Least secure but cheap
Should be at least 8 characters and
Keep a password history
Clipping levels used
Audit logs

Password Attacks
Dictionary Attacks
Rainbow tables

Brute Force Attack

Every possible combination

Encrypt passwords
Use password advisors
Do not transmit in clear text
GREATLY protect central store of
Use cognitive passwords

Based on life experience or opinions

One-time Passwords

Generated for one time use
Protects against replay attacks
Token devices can generate
Synchronized to time or event
Based on challenge response mechanism

Not as vulnerable as regular passwords


Longer than a password

Provides more protection
Harder to guess
Converted to virtual password by software

Memory Cards
Magnetic stripe holds data but cannot
process data
No processor or circuits
Proximity cards, credit cards, ATM cards
Added costs compared to other

Smart Card

Microprocessor and IC
Tamperproof device (lockout)
PIN used to unlock
Could hold various data
Biometrics, challenge, private key, history

Added costs
Reader purchase
Card generation and maintenance

Single Sign-on (SSO)

Scripting Authentication Characteristics
Carry out manual user authentication
As users are added or changed, more
maintenance is required for each script
Usernames and passwords held in one central
Many times in clear text

SSO Continued
Used by directory services (x.500)
Used by thin clients
Used by Kerberos
If KDC is compromised, secret key of every
system is also compromised
If KDC is offline, no authentication is possible

Authentication, confidentiality, integrity
NO Non-availability and repudiation
Vulnerable to password guessing
Keys stored on user machines in cache
All principles must have Kerberos software
Network traffic should be encrypted

Secure European System for Application in
a Multi-vendor Environment
Based on asymmetric cryptography
Uses digital signatures
Uses certificates instead of tickets
Not compatible with Kerberos

Access Control Threats

Buffer Overflow
Mobile Code
Malicious Software
Password Cracker

More Access Control Threats

Shoulder Surfing
Object Reuse
Data Remanence
Unauthorized Data Mining
Dumpster Diving

More Threats
Social Engineering
Help Desk Fraud

Access Control Models

Once security policy is in place, a model
must be chosen to fulfill the directives
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAS)
Also called non-discretionary

Used by OS and applications
Owner of the resource determines which
subjects can access
Subjects can pass permissions to others
Owner is usually the creator and has full
Less secure than mandatory access

Mandatory Access
Access decisions based on security
clearance of subject and object
OS makes the decision, not the data owner
Provides a higher level of protection
Used by military and government agencies

Role Based Access Control

Also called non-discretionary
Allows for better enforcing most
commercial security policies
Access is based on users role in company
Admins assign user to a role (implicit) and
then assign rights to the role
Best used in companies with a high rate of

Remote Authentication Dial-in User

Services (RADIUS)

AAA protocol
De facto standard for authentication
Open source
Works on a client/server model
Hold authentication information for access

Terminal Access Controller Access

Control System (TACACS)
Cisco proprietary protocol
Splits authentication, authorization, and
auditing features
Provides more protection for client-to-server
communication than RADIUS
TACACS+ adds two-factor authentication
Not compatible with RADIUS

New and improved RADIUS
Users can move between service provider
networks and change their point of
Includes better message transport,
proxying, session control, and higher
security for AAA
Not compatible with RADIUS

Decentralized Access Control

Owner of asset controls access
Leads to enterprise inconsistencies
Conflicts of interest become apparent
Terminated employees rights hard to
Peer-to-peer environment

Hybrid Access Control

Combines centralized and decentralized
administration methods
One entity may control what users access
Owners choose who can access their
personal assets

Ways of Controlling Access

Physical location
MAC addresses

Logical location
IP addresses

Time of day
Only during work day

Transaction type
Limit on transaction amounts

Technical Controls
System access
Individual computer controls
Operating system mechanisms

Network access
Domain controller logins
Methods of access

Network architecture
Controlling flow of information
Network devices implemented

Auditing and encryption

Physical Controls
Network segregation
Wiring closets need physical entry protection

Perimeter security
Restrict access to facility and assets

Computer controls
Remove floppys and CDs
Lock computer cases

Protect Audit Logs

Hackers attempt to scrub the logs
Organizations that are regulated MUST
keep logs for a specific amount of time
Integrity of logs can be protected with
hashing algorithms
Restrict network administrator access

Intruder Detection Systems (IDS)

Software employed to monitor a network
segment or an individual computer
Monitors traffic on a network segment
Sensors communicate with central console

Small agent program that resides on individual
Detects suspicious activity on one system

IDS Placement
In front of firewall
Uncover attacks being launched

Behind firewall
Root out intruders who have gotten through

Within intranet
Detect internal attacks

Type of IDS
Knowledge based
Database of signatures
Cannot identify new attacks
Need continual updating

Statistical or anomaly based
Creates many false positives
Compares activity to what is normal

IDS Issues
May not process all packets on large
Cannot analyze encrypted data
Lots of false alarms
Not an answers to all problems
Switched networks make it hard to examine
all packets

Traps for Intruders

Padded Cell
Codes within a product to detect if malicious
activity is taking place
Virtual machine provides a safe environment
Intruder is moved to this environment
Intruder does not realize that he is not is the
original environment
Protects production system from hacking
Similar to honeypots