Access Control

Access Controls

Access controls are security features that control how people can interact with systems and resources.

Access*

Access is the data flow between a subject and an object.
• Subject is a person, process or program
• Object is a resource (file, printer etc)
• Access controls should support the CIA triad!

Access*

What is the CIA triad?

Access*

Seriously, you need to know this.

Access*

If you don't you will not pass the CISSP exam.

Components of Access Control

The components of Access Control that we are about to discuss are:
• Identification:
▪ Who are you? (userid etc)
• Authentication:
▪ Prove you really are who you say you are
• Authorization:
▪ What are you allowed to access.
• Auditing:
▪ Your access is logged and reviewed.

Components of Access Control

That was a lot of As, remember them.
AAA

The AAAs of security are authentication, authorization, and accounting. Combined, they help to ensure that only authorized entities have access to resources and that their access is recorded.

Authentication

A user provides credentials (such as a username and password) that are checked against a database to prove the user's identity. The authentication system verifies the credentials.

Strong evidence that this individual or system is actually who they claim to be is needed. Numerous authentication mechanisms may be applied in sequence to enhance the reliability of the authentication process.

Authorization

Administrators assign rights and permissions to resources, which authorize users to access the resources.

Upon satisfactory authentication, the user is assigned rights and privileges based upon a profile they have in storage. Various limits may be placed on access to resources or data; the limits are included in an access list, which is based upon the user identity. Other limits may include access to resources or data based upon a label issued to the user which matches the highest label of the resource or data.

Accounting

Logging tracks activity of a user through monitoring. A basic accounting mechanism is an audit log, such as the Security log in Windows systems, and audit logs create an audit trail.

Accounting refers to tracing and recording the use of network assets and resources by users or intruders. The process of accounting may be performed to achieve a specific purpose, such as monitoring trends or capacity, allocating expenses and costs for the use of resources, and monitoring proper usage of resources. The accounting process as it relates to IT security is involved with monitoring and recording users' access to resources, proper authorization levels of users, changes made to resources (such as changes to a database), and general actions and activities such as creating or deleting files.

Accounting (Auditing)

Auditing is the act of reviewing or monitoring the data obtained during the accounting process. This may involve reviewing log files or forensic information. Real-time monitoring, also called continuous monitoring, not only creates log files but also can create immediate alerts, emails, and console warning screens for operators and administrators.

Identification

Identification is the first step of access control. A username is a primary method of identification, but it's important to realize that there are more methods:
• Proximity Cards
• Smart Cards
• Tokens
• Biometric Methods

The goal of these systems is to differentiate one user from another. It should be unique.
Accountability

One of the underlying goals of the AAAs of security is accountability. If a system can identify individual users, track their actions, and monitor their behavior, it provides accountability.

Authentication provides identification for users, and accounting tracks their activities in audit logs. If users are not required to authenticate or if audit trails are not created, then a system does not provide accountability.

Ex: Your network may have proprietary data stored in a folder named Research and publicly available information stored in a folder named Public. You may want to track each time any single user accesses any single file within the Research folder.

Identification

Identifies a user uniquely
• Identification must be unique for accountability
• Standard naming schemes should be used
• Identifier should not indicate extra information about user (like job position)

Authentication

Proving who you say you are, usually one of these 3
• Something you know
• Something you have
• Something you are
Subjects and Objects

A subject is the user or entity taking the action or accessing a resource such as a database.

An object is the item or resource being acted upon.

Subjects are always active while objects are always passive.

Factors of Authentication

There are three factors of authentication:
• Something you know (Type 1)
• Something you have (Type 2)
• Something you are (Type 3)

• Something you do
• Somewhere you are

Something You Know

This includes passwords, PINs, and other information known by an individual.

Passwords have the following classifications:

• Static Password
• One-Time or Dynamic Password
• Cognitive Password (Pet’s name)
• Passphrase (IWi11P@$$The$$CPExam)
• Algorithm Passwords

Passwords are the least secure method of authentication.

Guidelines for Passwords

Use strong passwords. A strong password includes a combination of different character types, such as uppercase letters, lowercase letters, numbers, and symbols.
Don't write passwords down. If a password is only in a person's head, it can't be read.
Change passwords often. Passwords should be changed at least every 90 days, although many organizations require users to change their passwords more often, such as every 30, 45, or 60 days.
Don't use the same password on multiple systems. Unfortunately, attackers have been successful at hacking into systems and downloading huge databases that include user credentials.
Never give your password out. Many social engineering attacks can easily be avoided if users understand and follow this simple rule.
Audit passwords. Many organizations use technology such as built-in operating system tools or third-party applications to verify that passwords are strong and that users change them regularly.
Use a credential management system. Credential management systems provide a storage space for users to keep their credentials. (!)
Guidelines for Passwords

Always Use a Password Policy
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Store passwords using reversible encryption

How Strong is Your Password?

Something You Have

Organizations that want to increase the security of authentication often use the next factor: something you have.
• Smart Cards
• Hardware Tokens (OTP)
• Synchronous dynamic password (Time Based)
• Asynchronous dynamic password (PIN)
• Software Tokens (OTP)
• TOTP (Time-based One-Time Password)
• HOTP (HMAC-based One-Time Password)
• OPIE (One-time Password In Everything – S/KEY)
Something You Are

Something you are is a physical characteristic that is unique to you and your body.

Biometrics is the science and technology of recognizing a user based upon their body.

• Fingerprints
• Footprints
• Palm Prints & Geometry
• Blood Samples
• DNA

All biometric systems require an individual to register or enroll by recording the specific biometric sample into the system. Different biometric system manufacturers refer to this measurement as a reference profile, reference template, or biometric signature.
Something You Are

In business today, various biometric techniques are used to identify and authenticate individuals:

• Fingerprint & Thumbprint Scanning
• Palm Scanning
• Retina Scanning
• Iris Scanning
• Facial Recognition
• Weight

• A fingerprint is obtained by scanning one or more fingers several times. This digital image is used to generate a fingerprint record that can be used as a key to compare with future scans. Using an infrared scanner, users don't need to touch the scanner but instead just hover their finger over it. In fingerprint technology, entire pictures of high-quality fingerprints are stored on a system.
• A palm scan can measure the vein pattern of blood vessels in the hand as a unique identifier, although it is not as popular as other biometrics.
• A retina scan uses an infrared light to measure the pattern of blood vessels at the back of the eye, the retina. Medical conditions can affect the accuracy of retina scans, and a retina scan typically requires some physical contact with the scanner.
• The area surrounding the eye's pupil is the iris, which is almost as unique as a fingerprint. Iris scans are more acceptable because they can be matched from a distance. Both retina and iris scans are very accurate.
• A facial scan records the various points on the human face. Using video technology, cameras take pictures of the face; features are extracted and matched to facial signatures stored in a database, which allows rapid one-to-many searches.
• Weight measurements have been used in mantraps to authenticate people and alert authorities in the event two persons are in the mantrap, called "piggybacking." Weight has also been used in alarm systems to warn if an intruder has placed an object on a room floor.
Biometric Errors

One of the challenges with biometrics is the potential for errors. When considering a biometric authentication system, it's important to understand the different error types and the accuracy of the system.

False Rejection Rate (FRR). Also called a type 1 error, FRR refers to the percentage of times a biometric system falsely rejects a known user. Instead, the system indicates that the user is unknown.

False Acceptance Rate (FAR). Also called a type 2 error, FAR refers to the percentage of times a biometric system falsely identifies an unknown user. Instead, the system indicates the user is a known user.

Crossover Error Rate (CER). Also called the Equal Error Rate (EER), CER identifies the point where the FAR and FRR of a biometric system are equal or cross over each other on the chart. A lower CER indicates a better-performing biometric system.
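To make FAR, FRR and CER concrete, here is an added Python example (not part of the slides) that sweeps the matcher's decision threshold over genuine and impostor match scores and finds the crossover point. The score lists are constructed for illustration; a real matcher's scores come from its comparison algorithm.

```python
from typing import List, Tuple

# Constructed sample match scores from a hypothetical fingerprint matcher
# (higher = stronger match). Genuine: enrolled user vs. their own sample.
# Impostor: enrolled user vs. someone else's sample.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.76, 0.71, 0.66, 0.60, 0.55, 0.42]
IMPOSTOR_SCORES = [0.58, 0.50, 0.47, 0.41, 0.38, 0.33, 0.29, 0.25, 0.20, 0.12]


def frr(genuine: List[float], threshold: float) -> float:
    """Type 1 error: fraction of genuine attempts scoring below the threshold
    (known users wrongly rejected)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[float], threshold: float) -> float:
    """Type 2 error: fraction of impostor attempts scoring at or above the
    threshold (unknown users wrongly accepted)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold, ascending.
    Raising the threshold lowers FAR and raises FRR; this is the chart
    the slide refers to."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (threshold, CER): the threshold where FAR and FRR are closest
    (equal on a fine enough sweep) and the error rate at that point."""
    t, fa, fr = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


if __name__ == "__main__":
    for t, fa, fr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR={fa:.2f} FRR={fr:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```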
Something You Do

Something you do is a trait that you have developed over the years. This trait is unique to you and has developed either through training, your upbringing, environment, or perhaps something unique to your body construction. Unique biometric scanning devices have been constructed to measure a variety of personal traits to be able to authenticate an individual.

• Signature Dynamics
• Voice Pattern Recognition
• Keystroke Dynamics
• Heart/Pulse Pattern

Signature dynamics recognizes how an individual signs their name or writes out a specific group of words. Various biometric systems may measure pen pressure, direction of strokes, and points where the pen was lifted from the page. The scanning system then examines the result and matches specific points with those saved in memory. Signature dynamics is the biometric factor of handwriting analysis.

Voice pattern recognition requires the individual to speak a phrase into a recording device. The subject is requested to speak the same phrase that was originally recorded and stored in memory. The system examines features such as inflection points, volume, speaking speed, and pauses. The stored result of the voice phrase is referred to as a voiceprint.

Researchers have identified that each person types letters on the keyboard in a unique pattern. Keystroke dynamics, also known as keyboard dynamics, recognizes how an individual types on the keyboard. Items measured include flight time, the time between key depressions, and dwell time, the length of time a key is depressed. The results of using keystroke dynamics as a biometric authentication system are inconsistent because users' typing methods change depending upon mood or environment.

Heart/pulse pattern recognition is a biometric authentication technique. It recognizes that the subject's heart beats in a unique pattern. This pattern may be detected with an acquisition system and used as a biometric authentication system. Typically this is achieved by the user wearing a wristband that monitors their heartbeat and its unique pattern and uses it to unlock phones, computers, and other nearby devices that belong to the user.
Somewhere You Are

Geolocation and geotagging are now used by many systems to identify where the user actually is located. Many software applications, retail stores, social media sites, and other systems ask the user to allow themselves to be geolocated. Users may be identified and authenticated by their location.

The Callback - A recent application of a tried-and-true computer system access method is the callback. Years ago, when a remote user called in by telephone to connect their modem to a network or mainframe, the computer system would terminate the initial call and call the user back at their location on a known user phone number.
Single-Factor Authentication

With single-factor authentication, only one factor is used.

Requiring the entry of two or more of the same type of factor is also regarded as single-factor authentication.

Using two of the same types of factors during authentication is no stronger than using a single factor.

Ex: Using the password required by a screensaver. The only factor required is something you know, which in this case is the password.

Multi-Factor Authentication

Multifactor authentication refers to using at least two different types of factors for authentication purposes. In many businesses today, employees are issued a pass card or smart card.

In any event, for it to be multifactor authentication, the factors must be different.

Ex: The two different types of authentication factors might be a typed-in password and a thumb print. A secure room might require a smart card scan and an iris scan.
Authentication

What is wrong with just using one of these methods?
• Any single method is weak by itself.

Strong Authentication

Strong Authentication is the combination of 2 or more of these and is encouraged!
• Strong Authentication provides a higher level of assurance*
• Strong Authentication is also called multi-factor authentication*

Authorization

The concept of ensuring that someone who is authenticated is allowed access to a resource.
• Authorization is a preventative control*

Auditing

Logging and reviewing accesses to objects.
• What is the purpose of auditing?
• Auditing is a detective control*

WARNING: CISSP buzzword on the next slide.

CISSP BUZZWORD

Logical (technical) access controls are used to provide Identification, Authentication, Authorization and Auditing.
• Things like smart cards, biometrics, passwords, and audit systems are all logical access controls.
Identity Management

Identity Management

Identity management products are used to identify, authenticate and authorize users in an automated means.

Identity Management

It's a broad term.

Identity Management

These products may include
• Directories
• User account management
• Profiles
• Access controls
• Password management
• Single Sign on
• Permissions

Directories

• Information about the users and resources
• LDAP / Active Directory
• Legacy NT
• NIS/YP
• Novell Netware

Account Management Software

Attempts to centrally manage user accounts in a centralized and scalable method.
• Often include workflow processes that allow distributed authorization. I.e. a manager can put in a user request or authorize a request, tickets might be generated for a key card system for their locations, permissions might be created for their specific needs etc.
• Automates processes
• Can include record keeping/auditing functions
• Can ensure all accesses/accounts are cleaned up when users leave.

Directories Role in ID management

Directories are specialized databases optimized for reading and searching operations
• Important because all resource info, user attributes, authorization info, roles, policies etc can be stored in this single place.
• Directories allow for centralized management!
• However these can be broken up and delegated. (trees in a forest)

Password Management In ID systems

• Allows for users to change their passwords
• May allow users to retrieve/reset password automatically using special information (challenge questions) or processes
• Helpdesk assisted resets/retrievals
• May handle password synchronization
Federation

Federation

Anyone know what a federation is?

Federation

A Federation is multiple computing and/or network providers agreeing upon standards of operation in a collective fashion. (self governing entities that agree on common grounds to ease access between them)

Federated Identity

A federated identity is an identity and entitlements that can be used across business boundaries.
Examples:
• MS passport
• Google

Federated Access

Many SSO systems use federated access technologies. Federated access allows users in different networks to log on only once, even if they are accessing multiple systems. The systems can be different operating systems, owned and managed by different organizations.

Users log in to their work account using their regular account. When they access the intranet website, it uses typical SSO technologies such as Kerberos to grant them access. Then if they click on any links to the external sites, the federated access SSO system verifies the user's identity and provides access without additional user interaction.

Federated Access (cont.)

Advantages
• Improved usability
• Compatible with silo user-identity domains
• Allows SPs to bundle services and collect user info
Disadvantages
• High technical and legal complexity
• High trust requirements
▪ E.g. SP-A is technically able to access SP-B on user's behalf
• Privacy issues
▪ Collects info about user habits, for ex. which SPs are used
• Limited scalability
▪ Can only federate SPs with similar interests
• An Identity federation becomes a new silo
Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on the Internet. As an example, consider two websites hosted by two separate organizations. Normally, a user would have to log on to each site separately. However, the organizations can use SAML as a federated identity management system. Users authenticate once with the first website, and they are not required to authenticate again when they access the second website.

Many online banking sites use SAML for SSO. For example, the banking site might have one service for accessing checking and savings accounts, another service for online bill paying, and another service for handling mortgages. With SSO, the user is able to log on to the primary banking site one time, and then access all the services without logging on again. Ex: Websphere
Other SSO Technologies

Secure European System for Applications in a Multivendor Environment (SESAME). SESAME was created as an alternative to Kerberos in European countries. However, with improvements to Kerberos, SESAME is rarely, if ever, used today.

KryptoKnight. IBM created KryptoKnight as an alternative to Kerberos. It does not have as much network overhead as Kerberos. However, like SESAME, KryptoKnight is rarely used today.

Identity & Access Management Systems (IAM)

Identity management (IdM) describes the management of individual identities, their authentication, authorization, roles and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.

Identity management is a term that refers broadly to the administration of individual identities within a system, such as a company, a network or even a country. In enterprise IT, identity management is about establishing and managing the roles and access privileges of individual network users.
Cloud Based Security

The cloud is defined as hardware and software provided to a user on a requested basis. The cloud may be both internal to the organization and external, as provided by a cloud service provider. The advantage to using the cloud is that the user generally does not have to own the equipment that provides the cloud services. Also, the user pays only for the services they utilize. In other words, the cloud may expand and contract depending upon what the user is willing to pay.

Public Cloud. Public clouds are hosted by cloud service providers and made available either as a free service or as a pay-per-use service. Users purchase various storage sizes and other services from the cloud service provider.

Private Cloud. Private clouds are essentially the same as public clouds, the difference being that private clouds are hosted within an organization and the general public is restricted from access.

Concepts of Cloud Security

Platform as a Service (PaaS) provides the user with a virtual computer. The user can install software and databases and operate the system as if it were a purchased hardware device sitting on their desk.

Software as a Service (SaaS) makes available a software application that is hosted on a remote server and made available on demand by the user. One advantage to the system is that, as the application programming team makes upgrades and updates to the application, the updates are immediately available to the end user. This reduces the requirements for service packs and updates to be installed by the end users. An example of SaaS is Microsoft Office 365. Another advantage of Software as a Service is that the application is not required to be resident on the end-user device, whether a pad, tablet, or cell phone, in order for the user to access the application. This reduces the requirement for memory or processing power on a small device.

Infrastructure as a Service (IaaS): the cloud provider supplies the capability of creating cloud based networks utilizing standard or virtualized networking components. Infrastructure as a Service allows a company to expand very rapidly without having to purchase vast amounts of expensive hardware.

Cloud Security Vulnerabilities

Cloud Vendor Reliability. Cloud vendor reliability encompasses not only the financial viability of a cloud provider but also their ability to provide adequate safeguards and security controls on the cloud equipment.

Data Clearing and Cleansing. Data clearing and cleansing refers to company data that may remain on cloud storage devices after a cloud size is reduced. For instance, a benefit of the cloud is the ability to expand as required. If the space is no longer required and the company elects to contract the cloud size, the question is what happens to the data that remains on the cloud.

Cloud Client Encroachment. Cloud client encroachment refers to a couple of concepts unique to the cloud. Because the cloud is virtualized, a number of clients may all be running on the same hardware. If one client runs afoul of the law, there's a chance that could impact other clients running on the exact same hardware. The second aspect is if one client is attacked, the attacker might access other clients on the same virtualized system.

Cloud Security Vulnerabilities (cont.)

Regulations and Jurisdiction. Regulations and jurisdiction must be taken into account as cloud providers offer their services worldwide. Data stored on a cloud server system based in Spain may come under the jurisdiction of the Spanish legal system. This may be a primary consideration during a forensic investigation or a security incident response.
Authentication

Biometrics

Bio - life
Metrics - measure
• Biometrics verifies (authenticates) an individual's identity by analyzing unique personal attributes
• Require enrollment before being used*
• EXPENSIVE
• COMPLEX

Biometric problems?

• Expensive
• Unwieldy
• Intrusive
• Can be slow (should not take more than 5-10 seconds)*
• Complex (enrollment)
• Privacy Issues

Biometrics wrap up

We covered a bunch of different biometrics
• Understand some are behavioral* based
▪ Voice print
▪ Keyboard dynamics
▪ Can change over time
• Some are physically based
▪ Fingerprint
▪ Iris scan

Biometrics wrap Up

• Fingerprints are probably the most commonly used and cheapest*
• Iris scanning provides the most "assurance"*
• Some methods are intrusive*
• Biometrics do cause privacy issues*

Biometrics Wrap up

• Understand Type I and Type II errors
• Be able to define CER, is a lower CER value better or worse?
Passwords

Passwords

Password – A protected string of characters that one uses to authenticate themselves.
Password authentication is:
▪ Something you know

Passwords

Password traits
• Simplest form of authentication*
• Cheapest form of authentication*
• Oldest form of authentication
• Most commonly used form of authentication*
• Weakest form of authentication*

Problems with Passwords

• People write down passwords
• People use weak passwords
• People re-use passwords
• If you make passwords too hard to remember then people write them down
• If you make them too easy then they are easily cracked

Password Management

4. System should NOT store passwords in plaintext, hash them instead.
5. Use password salts
• random values added to the encryption/hash process to make it harder to brute force (one password may hash/encrypt to multiple different results)
6. You can encrypt hashes… (Windows SYSKEY)… but…
Attacks on Password

• Sniffing (Electronic Monitoring)
• Dictionary Attack
• Brute force attacks
• Social Engineering
• Rainbow tables

Virtual Password

Simply a phrase; the application will probably make a "virtual password" from the passphrase (e.g. a hash)
• Generally more secure than a password
• Longer
• Yet easier to remember

Cognitive passwords

Facts that only a user should know.
• Can be used by helpdesk to authenticate a user without revealing the password.
• Often used for password reset challenges

Problems with cognitive passwords

Not really secure. I'm not a big fan.

Cognitive Passwords

"As detailed in the postings, the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search."
http://www.wired.com/threatlevel/2008/09/palin-e-mail-ha/

One Time Password

Password that is used only once then no longer valid
• Used in high security environments
• VERY secure
• Not vulnerable to electronic eavesdropping, but vulnerable to loss of token.
• Require a token device to generate passwords. (RSA SecurID key is an example)
Challenge OTP

Memory Cards

Memory Cards

• NOT a smart card
• Holds information, does NOT process
• A memory card holds authentication info, usually you'll want to pair this with a PIN… WHY?
• A credit card or ATM card is a type of memory card, so is a key/swipe card
• Usually insecure, easily copied.*

Smart Card

Smart Card

• Much more secure than memory cards
• Can actually process information
• Includes a microprocessor and ICs
• Can provide two factor authentication, as the card can store authentication data protected by a PIN. (so you need the card, and you need to know something)
• Two types
▪ Contact
▪ Contactless

Smart Card Attacks

There are attacks against smart cards

1. Fault generation – manipulate environmental controls and measure errors in order to reverse engineer logic etc.

(more)

Smart Card Attacks

2. Side Channel Attacks – Measure the cards while they work
• Differential power analysis – measure power emissions
• Electromagnetic analysis – example frequencies emitted

(more)

Smart Card Attacks

3. Micro probing* - using needles and vibrations to remove the outer protection on the card's circuits. Then tap into ROMs if possible or "die" ROMs to read data.
Authorization

Authorization

Now that I proved I am who I say I am, what can I do?
• Both OSes and Applications can provide this functionality.
• Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (example: a teller may be able to withdraw small amounts, but require a manager for large withdrawals)

Authorization principles

Default NO access (implicit deny)* - Unless a subject is explicitly given access to an object, then they are implicitly denied access.
• very important principle, you must understand this.
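As an added Python example (not from the slides) of the two slides above, here is a small policy evaluator that starts from implicit deny and grants only when an explicit rule matches the subject's role, the action, the time of day and a transaction limit, using the teller/manager withdrawal case. The rule fields and the sample policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One explicit grant. Anything not matched by some rule is denied."""
    role: str
    action: str                         # e.g. "withdraw"
    hours: Tuple[int, int] = (0, 24)    # allowed window [start, end) in local hours
    max_amount: Optional[float] = None  # transaction-type limit; None = no limit


@dataclass
class Subject:
    user: str
    roles: List[str]


# Constructed sample policy for the slide's teller example:
# tellers handle small withdrawals during business hours, managers larger ones.
POLICY: List[Rule] = [
    Rule(role="teller", action="withdraw", hours=(9, 17), max_amount=1000.0),
    Rule(role="manager", action="withdraw", hours=(8, 19)),
    Rule(role="teller", action="view_balance", hours=(9, 17)),
]


def authorize(subject: Subject, action: str, hour: int, amount: float = 0.0,
              policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Implicit deny: the answer is 'no' unless an explicit rule matches every
    condition (role, action, time of day, amount). There is no deny rule to
    forget, because absence of a grant is itself the denial."""
    for rule in policy:
        if rule.role not in subject.roles or rule.action != action:
            continue
        start, end = rule.hours
        if not (start <= hour < end):
            continue  # outside the temporal window (temporal isolation)
        if rule.max_amount is not None and amount > rule.max_amount:
            continue  # exceeds this role's transaction limit
        return True, f"allowed by rule for role {rule.role!r}"
    return False, "implicit deny: no matching rule"


if __name__ == "__main__":
    teller = Subject("alice", ["teller"])
    manager = Subject("bob", ["manager"])
    print(authorize(teller, "withdraw", hour=10, amount=500.0))
    print(authorize(teller, "withdraw", hour=10, amount=5000.0))
    print(authorize(manager, "withdraw", hour=10, amount=5000.0))
    print(authorize(teller, "withdraw", hour=20, amount=500.0))
```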
Authorization Creep*

As a subject stays in an environment over time, their permissions accumulate even after they are no longer needed.

• Auditing authorization can help mitigate this. SOX requires yearly auditing.
Centralized Authentication

Centralized authentication is a method by which


users can log onto a network one time using
identification and authentication techniques.
Centralized refers to the technique of having one
central authentication server providing user lookup
services and allowing or disallowing access to the
data and resources. One centralized system may
be used by thousands or tens of thousands of
users to access organizational resources.
Decentralized Authentication

With decentralized authentication, every server


or application is required to verify the identification
and authentication of the user requesting access.
As you may imagine, this may be a huge task to
maintain adequate access control lists on each and
every application and resource within an
organization. Decentralized authentication may be
applied in very specific and vertical instances where
a limited number of users have been given rights
and privileges to the resource. As the number of
users grows, the more arduous the task of
administering user rights becomes.
Single Sign-On

Single sign-on (SSO) is an identification


authentication technique whereby the user signs on
one time and has access to multiple applications.
The user authenticates one time, and the system
passes this authentication to applications and other
entities. This is known as single
sign-on authentication. It increases password
security by reducing the number of passwords a
user must remember. The risk in this process is that
an attacker has access to multiple applications if
the user password is discovered. Several single
sign-on authentication mechanisms exist. One of
the most popular is Kerberos.
Single Sign On

As environments get larger and more complex


it becomes harder and harder to manage
users accounts securely.
 Multiple users to create/disable
 Passwords to remember, leads to passwords
security issues
 Reduces user frustration as well as IT frustration!
 Wastes your IT budget trying to manage disparate
accounts.
12
Single Sign On

Single sign on systems try to mitigate this


problem. Some SSO systems are.

 Sun NIS/YP
 Kerberos
 LDAP
 Microsoft Active Directory*

12
SSO downsides
• Centralized point of failure*
• Can cause bottlenecks*
• All vendors have to play nicely (good luck)
• Often very difficult to accomplish*
• One ring to bind them all! If you can access once, you can access ALL!
SSO technologies
• Sun NIS/YP
• Kerberos
• SESAME
• LDAP
• Microsoft Active Directory*
NIS/YP
Sun NIS/YP (Network Information Service, originally "Yellow Pages") was one of the first attempts at centralizing user accounts on a network.
• Distributes flat files (maps such as passwd and group) to client hosts
• Old technology
• Extremely insecure: maps, including password hashes, are served to any host that knows the NIS domain name, with no encryption
Kerberos

Kerberos, a computer network authentication protocol, is named after Cerberus, the three-headed dog of Greek mythology that guards the gates of Hades (the hound of Hades, not a god).

It was originally developed for Unix by a group at the Massachusetts Institute of Technology (MIT) in the 1980s, as part of Project Athena.

Windows 2000 and every later Windows version use Kerberos as the default authentication protocol within Active Directory domains.
How does Kerberos work?

Instead of the client sending its password to the application server:
• The client requests a ticket from the authentication server (AS).
• The ticket and an encrypted request (the authenticator) are sent to the application server.

How do you request tickets without repeatedly sending credentials?
• The AS issues a ticket granting ticket (TGT) once per logon. The client then presents the TGT to the ticket granting service (TGS) to obtain a service ticket for each application server, without touching its password again.

How does Kerberos work? : Ticket Granting Tickets (TGT)
How does Kerberos work? : The Ticket Granting Service
How does Kerberos work? : The Application Server
Kerberos : Weaknesses and Solutions

Weakness: If a TGT is stolen, it can be used to access network services.
Mitigation: Only a problem until the ticket expires, typically in a few hours.

Weakness: Subject to dictionary attack against the password-derived key.
Mitigation: Timestamps in the pre-authentication exchange mean a captured or replayed request is only valid within the 5-minute clock-skew window; the password-derived key itself must still resist guessing, so strong passwords matter.

Weakness: Very bad if the authentication server (KDC) is compromised, since it holds every principal's key.
Mitigation: Physical and administrative protection for the server.
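The three exchanges above, as an added example that is not part of the original slides or of any Kerberos implementation: a single-process simulation of the AS, TGS and AP exchanges with the checks the slides describe (the password never crosses the wire, the TGT is sealed under a key only the KDC holds, tickets expire, authenticators must fall inside the 5-minute skew window, and the service keeps a replay cache). The "encryption" is a hashlib keystream plus HMAC so the script runs with the standard library only; real Kerberos uses AES-based encryption types. The 5-minute skew, 8-hour ticket lifetime, principal names and passwords are assumptions.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300            # assumption: the 5-minute window the slides mention
TICKET_LIFETIME = 8 * 3600  # assumption: 8-hour tickets ("expires in a few hours")


def long_term_key(password: str) -> bytes:
    """Principal's long-term key derived from its password (real Kerberos: string2key)."""
    return hashlib.sha256(b"krb-toy|" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON message (stands in for a Kerberos enctype)."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify and decrypt; a wrong key (e.g. a wrong password guess) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) in one process."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)   # name -> long-term key, users and services alike
        self.tgs_key = os.urandom(32)  # the krbtgt key that seals TGTs

    def as_exchange(self, client: str, preauth: bytes, now: int) -> bytes:
        # Pre-authentication: the client seals a timestamp under its own key;
        # the password itself never crosses the wire.
        if abs(now - unseal(self.keys[client], preauth)["ts"]) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside skew window")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session, "exp": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"key": session, "tgt": tgt.hex()})   # AS-REP

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        t = unseal(self.tgs_key, tgt)            # only the KDC can open a TGT
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session, "exp": t["exp"]})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session, "ticket": ticket.hex()})  # TGS-REP


class Service:
    """Application server: checks the service ticket, the authenticator and replays."""

    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise PermissionError("service ticket expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        if (a["client"], a["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return t["client"]


def login(kdc: KDC, user: str, password: str, now: int) -> dict:
    """Client side of the AS exchange: returns the TGT and its session key."""
    key = long_term_key(password)
    rep = unseal(key, kdc.as_exchange(user, seal(key, {"ts": now}), now))
    return {"user": user, "key": bytes.fromhex(rep["key"]), "tgt": bytes.fromhex(rep["tgt"])}


def access_service(kdc: KDC, creds: dict, service: Service, name: str, now: int) -> str:
    """Client side of the TGS then AP exchange; returns the name the service accepted."""
    auth = seal(creds["key"], {"client": creds["user"], "ts": now})
    rep = unseal(creds["key"], kdc.tgs_exchange(creds["tgt"], auth, name, now))
    auth2 = seal(bytes.fromhex(rep["key"]), {"client": creds["user"], "ts": now})
    return service.ap_exchange(bytes.fromhex(rep["ticket"]), auth2, now)


def outcome(fn, *args):
    """fn(*args), or the exception class name when the exchange is rejected."""
    try:
        return fn(*args)
    except (ValueError, PermissionError) as e:
        return type(e).__name__


if __name__ == "__main__":
    kdc = KDC({"alice": long_term_key("correct horse"), "fileserver": long_term_key("svc-secret")})
    fs = Service(kdc.keys["fileserver"])
    creds = login(kdc, "alice", "correct horse", 1_000_000)
    print(access_service(kdc, creds, fs, "fileserver", 1_000_100))
```

Run it once to see the happy path; then try a wrong password (the AS reply cannot be opened, which is exactly what an offline dictionary attack exploits), reuse an authenticator (replay cache), or advance the clock past the ticket lifetime.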
Access Control Models
System-Level Access Controls

The Value of the Information The first requirement is the value of the information.
Information value is strictly in the eye of the beholder. If you are in business,
financial and customer data is of utmost concern and value to you, but if you are in
the government or military, data concerning troop movements, targets to attack, and
logistics may be of utmost concern.

The Method of Accessing the Information The second requirement is how the
information is made available. For instance, can a database owner decide who has
access to the data or work object and is there another means of relating the data
specifically to the user or subject allowed to access it?
Discretionary Access Control (DAC)

The Discretionary Access Control (DAC) model provides the most granular level
of access control. It is an identity-based model and allows data owners to assign
permissions to subjects at the most basic level. Each subject is granted specific
rights to the data.

For example, when you share a folder on your desktop with three of your co-workers, you
are exercising discretionary access control. As the data owner, you are granting access to
your folder. At any time, you may restrict or revoke access to your folder, but the decision is
completely yours.

In the slightly more sophisticated environment of a Microsoft SharePoint administrator, the administrator may decide which users can read only, edit, or write to a data file. Again, this is completely discretionary, based upon the value of the data in the eyes of the administrator, department head, or company.
Discretionary Access Control (DAC)

Once the individual accesses the data folder or file, the software system checks the
user credentials and allows the user to perform actions as established by the
administrator or data owner. It is important to note that at any time the data owner or
administrator may override the existing selections and make changes to the rights
and privileges. Typically, the following actions may be granted to the user for a file:

• Full Control
• Modify
• Read & Execute
• List Folder Contents
• Read
• Write
• Special

In the DAC model, users and data owners have complete discretionary control over their data and who has access to it.
Non- Discretionary Access Control (non- DAC)

In non-Discretionary Access Control (non-DAC) models, security administrators control the access granted to users. In contrast, in a DAC model, users have ownership of their resources and full control of the resources they own. In general, any model that is not a DAC model is a non-DAC model.

Some operating systems implement non-DAC models for system file access. This prevents
malware from taking ownership of any critical or sensitive system files or modifying
permissions on any of these files. Users still own and manage their own files using DAC, but
the non-DAC model methods protect system files.
Non- Discretionary Access Control Models

• Mandatory Access Control

• Role-Based Access Control

• Rule-Based Access Control

• Attribute Based Access Control


Mandatory Access Control

Mandatory access control (MAC) uses labels or tags to identify both subjects and objects and is a nondiscretionary access control model. It is generally considered the most secure model and is used by most military and federal government systems to protect classified data. With the MAC model, every piece of information (object) and every user (subject) has been given a label.

The U.S. government currently maintains the following levels of information labels:

Top Secret: Release of this information is listed as causing "exceptionally grave damage" to national security.
Secret: Release of this information would do "serious damage" to national security.
Confidential: Release of this information would cause "damage" to national security.
Unclassified: This is not a security label but a general catchall for any information not labeled.
Mandatory Access Control

The following information security labels are typically used in business:

Trade Secret: Release of this information could cause a company to collapse.
Secret: Release of this information could be dangerous for the company's future.
Confidential: Disclosure of this information may cause irreparable harm to the company.
Internal Use: Disclosure of this information may cause harm to the company.
Private: This type of information should be kept within a small group of people, or confidential for a specific individual.
Public: This classification of information is generally known to the public.
MAC

Mandatory Access Control*
• Data owners cannot grant access!*
• The OS makes the decision based on a security label system*
• Users and data are given a clearance level (confidential, secret, top secret, etc.)*
• Rules for access are configured by the security officer and enforced by the OS.
MAC

MAC is used where classification and confidentiality are of utmost importance, such as the military.
• Generally you have to buy a specific MAC system; DAC systems don't do MAC.
• SELinux
• Trusted Solaris
MAC sensitivity labels

• All objects in a MAC system have a security label.*
• Security labels can be defined by the organization.
• Labels also have categories to support "need to know" at a given level.
• Categories can be defined by the organization.
• If I have "top secret" clearance, can I see all projects at the "secret" level?
Mandatory Access Control

Just because someone has a Top Secret clearance, they don't automatically have access to all Top Secret data. Instead, they are granted access based on their need to know the information for their job. Additionally, it's possible to create sub-classifications or compartments within each classification level.
Mandatory Access Control

The MAC model is a non-DAC model that uses labels to control access
to data. It is the most secure model when compared to other access
control models.

Under the MAC model, subjects and objects are assigned labels or
tags. Labels assigned to subjects are called security clearances or a
capabilities list, while labels assigned to objects are called security
classifications or information classifications.
Administering Mandatory Access Control

Discretionary access control is administered through the use of an access control list (ACL) attached to each file or folder, with changes that can be made on the fly by the data owner.

Mandatory access control must be enforced by a completely different mechanism.

Typically, in a mandatory access control system, the sensitivity of the objects being accessed is far greater than that of the objects in a discretionary access control system.

Therefore, greater harm or expense may be incurred should subjects be given improper access to highly sensitive data.
Administering Mandatory Access Control (cont.)

In a mandatory access control system, something is required to mediate between the level of access granted to the subject and the security classification of an object.

This mediation or decision-making process must be accomplished in an environment of trust, where the hardware and software providing this mediation is above reproach.

The theory and application of this hardware and software mediation platform is referred to as a trusted computing base (TCB).
Trusted Systems

In a trusted system, the trusted computing base (TCB) is a protected part of the operating system that includes a security kernel and a reference monitor.

There are several components to a trusted computing base:

Secure Hardware and Software Environment: This may take the form of an isolated server stripped of all services and capabilities not required for the mediation process. The isolation means that it should not be possible for an attacker to change the logic of the reference monitor or to access and change the contents of the security kernel.

Reference Monitor: A reference monitor is typically defined as the service or program where access control information is stored and where access control decisions are made. Once a subject requests access to an object, the reference monitor consults a file, known as the security kernel database, that lists the access privileges or security clearance of each subject and the security classification attributes of each object.
Trusted Systems

Security Kernel: The component of the trusted computing base consisting of hardware, software and firmware elements that implements an access control list (ACL) database, usually referred to as the security kernel database. This database is consulted when mediating (comparing) subject and object labels in a mandatory access control (MAC) system.

Audit The final requirement is to provide a complete audit file recording attempted security
violations, authorized data accesses, data file changes, and authorized changes to the security
kernel database.
Trusted Systems

The reference monitor mediates (compares) subject and object security labels prior to allowing access.
Mandatory Access Control Architecture Models

The MAC architecture model provides a framework that can be applied to various
types of information systems. In general, these models provide rules that can be
applied to subjects before they are allowed to read or write sensitive information.
Each of the four models provides a primary goal of either confidentiality or integrity.
Each of the models is named after the individuals who created it.

Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Brewer-Nash Model (Chinese Wall)
Bell-LaPadula Model
The Bell-LaPadula model enforces information confidentiality. It does this by enforcing
security through two rules called no read up and no write down.
With the Bell-LaPadula model, an individual with a secret security clearance cannot read top
secret information and cannot write secret information down to a security level below secret,
such as unclassified.
Simple Security Property (No Read Up): Subjects cannot read information classified at a higher level than theirs. For example, a person with an unclassified security clearance cannot read a document classified as secret.

The Star Property (No Write Down): Subjects with access to information at a certain security level cannot write that information to a lower security level. For example, a person accessing documents classified as secret cannot reduce the classification level by writing the information to a lower level. An asterisk (*) is usually used as the star, as in the *-property.

The Strong Star Property: If you have read and write capabilities, you may read and write only at your own level of secrecy, not at levels of higher or lower secrecy. Do not confuse this with the tranquility property, which is a separate Bell-LaPadula rule stating that the security label of a subject or object must not change while it is in use (strong tranquility), or may only change in ways that do not violate the policy (weak tranquility).
Biba Model

The Biba model, another MAC-based model, enforces integrity (unlike the Bell-
LaPadula model, which enforces confidentiality). Biba includes two rules that are
reversed from the Bell-LaPadula model:

Simple Integrity Axiom—no read down Subjects granted access to any security level may not read
an object at a lower security level, at least not as the authoritative source. For example, a captain of
a ship can read orders from an admiral and consider them authoritative and actionable. However, if a
seaman recruit tries to issue orders to the captain, the captain will not read them as authoritative.

The * Integrity Axiom (read as “star Integrity Axiom”)—no write up Subjects granted access to any
security level may not write to any object at a higher security level. For example, a seaman recruit
cannot write orders for the captain of the ship. Similarly, the captain cannot write orders for the
admiral.

The Invocation Property The invocation property prevents a user at one level from using or invoking
the powers or privileges of the user at a higher level.
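The label comparisons behind the Bell-LaPadula and Biba rules, and the need-to-know question from the MAC sensitivity labels slide, as an added example that is not part of the original slides: labels carry a level and a set of categories (compartments), a label dominates another only when its level is at least as high and it holds every category of the other, and each model's read/write rules reduce to that dominance check. A small reference monitor records every decision, which is the audit requirement of the trusted computing base. The level names follow the government scheme in the slides; the category names and principal names are assumptions.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (assumption: the government scheme from the slides;
# an organization can substitute its own).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset  # need-to-know compartments, e.g. {"NUCLEAR", "CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND every category of `other` present."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def label(level: str, *categories: str) -> Label:
    return Label(level, frozenset(categories))


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":       # simple security property
        return subject.dominates(obj)
    if op == "write":      # *-property: writing up (a blind append) is permitted
        return obj.dominates(subject)
    if op == "readwrite":  # strong *-property: only at exactly the subject's own label
        return subject == obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up. Labels are integrity levels here."""
    if op == "read":   # simple integrity axiom
        return obj.dominates(subject)
    if op == "write":  # *-integrity axiom
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Mediates every access with one policy and records the decision (the audit requirement)."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []

    def access(self, who: str, subject: Label, what: str, obj: Label, op: str) -> bool:
        decision = self.policy(subject, obj, op)
        self.audit.append((who, op, what, "ALLOW" if decision else "DENY"))
        return decision


if __name__ == "__main__":
    rm = ReferenceMonitor(blp_allows)
    alice = label("top secret", "NUCLEAR")   # assumed clearance: TS, compartment NUCLEAR
    # Top Secret clearance, but no need-to-know for CRYPTO: a Secret/CRYPTO file is denied.
    print(rm.access("alice", alice, "crypto-plan", label("secret", "CRYPTO"), "read"))   # False
    print(rm.access("alice", alice, "reactor-plan", label("secret", "NUCLEAR"), "read"))  # True
    print(rm.audit)
```

The two printed decisions answer the earlier slide's question: a Top Secret clearance reads a Secret object only when the subject also holds every category on that object.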
Clark-Wilson Model

The goal of the Clark-Wilson model is to enforce separation of duties through integrity
rules. This model places a mechanism such as a software program between the subject
and object.

The software program separates the subject and object. This model enforces data
integrity by checking, screening, or formatting data prior to it being placed in the object,
such as a database.

The Clark-Wilson model enforces what is called “well-formed transactions.” This model
also enforces such integrity policies as authorized users may not take unauthorized
actions and unauthorized users will not be allowed access.

The Clark-Wilson model uses certification rules (identified as C1 through C5) and
enforcement rules (identified as E1 through E4) to enforce separation of duties. The
certification rules are integrity-monitoring rules, and the enforcement rules are integrity-
preserving rules.
Clark-Wilson Model

These rules are complex, but they work together to ensure there is adequate separation
of the elements of any transaction.

For example, consider a company that purchases products. The transaction includes someone
placing an order, someone receiving the products (and verifying that they were received), and
someone paying for the products (after verification that the products were received).

Imagine that Fred has sole responsibility for doing all three tasks in the transaction. This increases
the potential for fraud, because he could place an order through a fictitious company, acknowledge
receipt (even if no products were received), and deposit the funds into his own bank account.

The Clark-Wilson model ensures that different people perform the separate tasks
independently of each other.
Brewer-Nash Model (Chinese Wall)

The Brewer-Nash model is used in many business organizations to prevent conflict of interest situations within the same business.

Objects are classified in a manner that indicates conflicts of interest.

For example, if a business is providing different services for the same client, each branch or
department is isolated from the other with no knowledge of the other departments’ activities. This
eliminates the possibility of a conflict of interest. This is also referred to as providing a Chinese wall
between the two groups. Each group’s information (objects) is classified so that it may not be
accessed by the other.

Financial services organizations often implement this model to help prevent a conflict of
interest, and it helps enforce the separation of duties principle.
Goals and Rules of Mandatory Access Control Models
Covert Channels
A covert channel is a way for an entity to send or receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism and was not intended to transfer information. Such methods violate the security policy.
Covert Channels
Two types of covert channel:
• Storage: one process alters a shared resource that another can observe, for example creating or deleting a temp file so that a lower-level process, which may not read the file's contents, can still see whether it exists.
• Timing: one process holds or releases a shared resource (CPU, lock, disk) in a pattern, and the other measures the delays.

They occur due to one of the following reasons:

1. Improper oversight in the development of a product
2. Improper implementation of access controls
3. Existence of a shared resource between two subjects
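The storage channel described above, as an added example that is not part of the original slides: a toy file store whose reference monitor enforces Bell-LaPadula on file contents (no read up, no write down) but does not mediate existence checks, the assumed flaw from reason 3 above. A high-level process can therefore leak a byte string to a low-level process one bit per round by creating or deleting a temp file while the receiver only ever asks "does it exist?". The rounds are lock-stepped in one process; a real channel would synchronize on clock ticks and be noisier. Level names and file names are assumptions.

```python
LEVELS = {"low": 0, "high": 1}


class LabelledFS:
    """Toy file store with a BLP reference monitor on contents. Existence checks
    (stat) are not mediated, which is the assumed flaw that creates the channel."""

    def __init__(self):
        self.files = {}  # name -> [level, data]

    def create(self, subject: str, name: str, data: bytes = b"") -> None:
        self.files[name] = [subject, data]  # a new file is labelled at its creator's level

    def delete(self, subject: str, name: str) -> None:
        if name in self.files and self.files[name][0] == subject:
            del self.files[name]

    def read(self, subject: str, name: str) -> bytes:
        level, data = self.files[name]
        if LEVELS[subject] < LEVELS[level]:
            raise PermissionError("no read up")
        return data

    def write(self, subject: str, name: str, data: bytes) -> None:
        level, _ = self.files[name]
        if LEVELS[subject] > LEVELS[level]:
            raise PermissionError("no write down")
        self.files[name][1] = data

    def exists(self, subject: str, name: str) -> bool:
        return name in self.files  # visible to every level: the covert storage channel


def covert_transfer(fs: LabelledFS, secret: bytes, channel: str = "/tmp/lock") -> bytes:
    """High sender signals one bit per round by creating or deleting `channel`;
    the low receiver only ever calls exists(). Returns what the receiver decoded."""
    bits = []
    for byte in secret:
        for i in range(7, -1, -1):
            if (byte >> i) & 1:
                fs.create("high", channel)   # sender: bit 1
            else:
                fs.delete("high", channel)   # sender: bit 0
            bits.append(1 if fs.exists("low", channel) else 0)   # receiver
    fs.delete("high", channel)
    out = bytearray()
    for k in range(0, len(bits), 8):
        out.append(int("".join(map(str, bits[k:k + 8])), 2))
    return bytes(out)


def denied(fn, *args) -> bool:
    """True when the reference monitor rejects the call."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    fs = LabelledFS()
    fs.create("high", "/secret/plan.txt", b"attack at dawn")
    fs.create("low", "/public/notes.txt", b"")
    print(denied(fs.read, "low", "/secret/plan.txt"))                   # True: no read up
    print(denied(fs.write, "high", "/public/notes.txt", b"attack at dawn"))  # True: no write down
    print(covert_transfer(fs, fs.read("high", "/secret/plan.txt")))     # leaks anyway
```

The fix is in the reference monitor, not the sender: either label the namespace so that existence of a high-level file is itself high-level information, or give each level its own temp directory so there is no shared resource to modulate.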
Graham-Denning Model
A model more concerned with actual implementation than abstract concepts. Graham-Denning outlines eight operations that define how subjects and objects are created and deleted and how specific access rights are assigned. The eight operations are:

• How to securely create an object
• How to securely create a subject
• How to securely delete an object
• How to securely delete a subject
• How to securely provide the read access right
• How to securely provide the grant access right
• How to securely provide the delete access right
• How to securely provide transfer access rights
Role-Based Access Control

The Role-based Access Control (Role-BAC) model uses roles to determine access. Subjects are placed into specific roles and object permissions are granted to the roles.

Although the Role-BAC model doesn’t provide the granularity offered by DAC, it is
easier to implement for large groups of people.

Typically, users with very similar or identical roles are identified and placed in a group.
Access control is granted to all individuals in the group based upon their membership in the
group.

This type of administration is ideal for large groups such as call center employees, bank
tellers, store clerks, and stock traders or with groups in which numerous adds and drops
occur frequently. Once a user is assigned to the group, they receive all the rights and
privileges anyone in the group has received.
Role Based Access Control
• Also called non-discretionary.
• Uses a set of controls to determine how subjects and objects interact.
• Don't give rights to users directly. Instead, create "roles" which are given rights, and assign users to roles rather than providing users directly with privileges.

• Advantages:
▪ Scales better than DAC methods.
▪ Fights "authorization creep" (users accumulating rights as they move between jobs).*
Role based Access control
When to use*
• If you need centralized access*
• If you DON'T need MAC ;)
• If you have high turnover*
Rule-Based Access Control

Rule-based access control (RBAC or RAC) is based upon explicit rules that have
been established to control the activities of subjects. Various rules may be created to
allow or restrict access to objects.

One such rule is the time of day restriction. This rule establishes when a resource or
object may be accessed.

As an example, routers have rules within an ACL. These rules identify what traffic the router
will pass based on IP addresses, ports, and protocols.
Rule Based Access Control (216)

Uses specific rules that indicate what can and cannot transpire between subject and object.
• "If x then y" logic.
• Before a subject can access an object it must meet a set of predefined rules.
▪ Example: if a user has the proper clearance and it is between 9 AM and 5 PM, then allow access.
• However, it does NOT have to deal specifically with identity/authorization.
▪ Example: may only accept email attachments of 5 MB or less.
Rules Based Access Control

• Considered a "compulsory control" because the rules are strictly enforced and are not modifiable by users.
• Routers and firewalls use rule-based access control.*
If you see RBAC in either a text or article, be careful for the context.
Determine if the “RBAC” is referring to role-based access control OR
rule-based access control.

The last rule in a router is an implicit deny rule. It blocks all traffic that
isn’t explicitly allowed by previous rules. Permissions assigned in
DACLs use a similar concept. For example, you explicitly grant
permissions to users for a folder. If you don’t assign permissions to a
specific user, the system blocks that user from accessing the folder.
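A rule-based evaluator of the kind the router example describes, as an added example that is not part of the original slides or of any vendor's ACL language: rules are matched first-match-wins on protocol, source and destination prefix, destination port and an optional time-of-day window, and a packet that matches no rule falls through to the implicit deny at the end. The one-line rule syntax, the addresses and the sample ACL are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "tcp", "udp", "icmp" or "any"
    src: str                                   # CIDR prefix; "any" becomes 0.0.0.0/0
    dst: str
    dport: Optional[Tuple[int, int]] = None    # inclusive destination port range, None = any
    hours: Optional[Tuple[int, int]] = None    # [start, end) hour-of-day window, None = always


def parse_rule(line: str) -> Rule:
    """Parse one line of a simplified ACL syntax (assumption: not a vendor's syntax):
    '<permit|deny> <proto> <src> <dst> [port LO-HI] [hours START-END]'."""
    tokens = line.split()
    action, proto, src, dst = tokens[:4]
    rule = Rule(action, proto,
                "0.0.0.0/0" if src == "any" else src,
                "0.0.0.0/0" if dst == "any" else dst)
    for key, value in zip(tokens[4::2], tokens[5::2]):
        lo, hi = (int(x) for x in value.split("-"))
        if key == "port":
            rule.dport = (lo, hi)
        elif key == "hours":
            rule.hours = (lo, hi)
        else:
            raise ValueError(f"unknown qualifier {key!r}")
    return rule


def matches(rule: Rule, pkt: dict, hour: int) -> bool:
    """Every field of the rule must match; an absent qualifier matches anything."""
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule.src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule.dst):
        return False
    if rule.dport and not (rule.dport[0] <= pkt.get("dport", -1) <= rule.dport[1]):
        return False
    if rule.hours and not (rule.hours[0] <= hour < rule.hours[1]):
        return False
    return True


def evaluate(acl, pkt: dict, hour: int):
    """First matching rule wins. Nothing matched: the implicit deny at the end applies."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt, hour):
            return rule.action, index
    return "deny", None


# Constructed sample ACL protecting a web server at 192.0.2.10 (assumed addresses):
# HTTPS from the corporate range during business hours, SSH explicitly blocked,
# ICMP allowed from anywhere, and everything else left to the implicit deny.
ACL_TEXT = """
permit tcp 10.0.0.0/8 192.0.2.10/32 port 443-443 hours 9-17
deny tcp any 192.0.2.10/32 port 22-22
permit icmp any 192.0.2.10/32
"""
ACL = [parse_rule(line) for line in ACL_TEXT.strip().splitlines()]


if __name__ == "__main__":
    web = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 443}
    print(evaluate(ACL, web, hour=10))   # ('permit', 0)
    print(evaluate(ACL, web, hour=20))   # ('deny', None): outside hours, implicit deny
```

Note that the rule is about the traffic, not the person: nothing in the ACL identifies who is behind 10.1.2.3, which is the "does not have to deal with identity" point from the previous slide.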
Constrained User Interfaces (218)

Restrict user access by not allowing them to see certain data or have certain functionality.
• Views: only allow access to certain data (canned interfaces).
• Restricted shell: like a real shell but with only certain commands (like Cisco's non-enable mode).
• Menu: similar but more "GUI".
• Physically constrained interface: show only certain keys on a keypad/touch screen, like an ATM (a modern type of menu). The difference is that you are physically constrained from accessing the other functions.

Physically Constrained UI
Access Control Matrix* (218)

• Table of subjects and objects indicating what actions individual subjects can take on individual objects.*
Capability Table*

• Bound to subjects; lists what permissions a subject has to each object.
• This is a row in the access matrix.
• NOT an ACL; in fact the opposite.
ACL*

• Lists which subjects may access a certain object, and how.
• It is a column of the access matrix.
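The access control matrix, its two views (a capability list is a row, an ACL is a column) and the eight Graham-Denning operations from the earlier slide, as one added example that is not part of the original slides: a matrix class whose cells hold sets of rights, where only an object's owner may grant or revoke rights on it, only a subject's controller or the object's owner may inspect a cell, and a right carrying a transfer flag (written with a trailing `*`, a simplified stand-in for Graham-Denning's copy flag) may be passed on by its holder. Subject names, the file name and the right names are assumptions.

```python
class AccessMatrix:
    """Rows are subjects (capability lists), columns are objects (ACLs).
    A right ending in '*' carries the transfer flag (assumption: simplified copy flag)."""

    def __init__(self, root: str):
        self.subjects = {root}          # the bootstrap administrator
        self.objects = {root}           # every subject is also an object
        self.cells = {}                 # (subject, object) -> set of rights

    def rights(self, s, o):
        return self.cells.get((s, o), set())

    def allows(self, s, o, right):
        return right in self.rights(s, o) or right + "*" in self.rights(s, o)

    def _require(self, s, o, right):
        if not self.allows(s, o, right):
            raise PermissionError(f"{s} lacks {right!r} on {o}")

    def _may_inspect(self, actor, s, o):
        return self.allows(actor, s, "control") or self.allows(actor, o, "owner")

    # --- the eight Graham-Denning operations ---
    def create_subject(self, creator, s):
        self.subjects.add(s)
        self.objects.add(s)
        self.cells[(creator, s)] = {"owner", "control"}   # creator controls the new subject

    def create_object(self, creator, o):
        self.objects.add(o)
        self.cells[(creator, o)] = {"owner"}              # creator owns the new object

    def delete_subject(self, actor, s):
        self._require(actor, s, "owner")
        self.subjects.discard(s)
        self.objects.discard(s)
        self.cells = {k: v for k, v in self.cells.items() if s not in k}

    def delete_object(self, actor, o):
        self._require(actor, o, "owner")
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}

    def read_rights(self, actor, s, o):
        """Inspect cell (s, o): needs control over s or ownership of o."""
        if not self._may_inspect(actor, s, o):
            raise PermissionError(f"{actor} may not read the rights of {s} on {o}")
        return set(self.rights(s, o))

    def grant_right(self, actor, right, s, o):
        self._require(actor, o, "owner")                  # only the owner grants
        self.cells.setdefault((s, o), set()).add(right)

    def delete_right(self, actor, right, s, o):
        if not self._may_inspect(actor, s, o):
            raise PermissionError(f"{actor} may not revoke {right!r} of {s} on {o}")
        if (s, o) in self.cells:
            self.cells[(s, o)].discard(right)

    def transfer_right(self, holder, right, s, o):
        """Pass on a right the holder has with the transfer flag ('read*' -> 'read')."""
        self._require(holder, o, right + "*")
        self.cells.setdefault((s, o), set()).add(right)

    # --- two views of the same matrix ---
    def capability_list(self, s):
        return {o: set(r) for (subj, o), r in self.cells.items() if subj == s and r}

    def acl(self, o):
        return {s: set(r) for (s, obj), r in self.cells.items() if obj == o and r}


def denied(fn, *args) -> bool:
    """True when the matrix rejects the operation."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    m = AccessMatrix("admin")
    for s in ("alice", "bob", "carol"):
        m.create_subject("admin", s)
    m.create_object("alice", "payroll.xlsx")                 # alice is the data owner (DAC)
    m.grant_right("alice", "read*", "bob", "payroll.xlsx")   # bob may read and pass read on
    m.grant_right("alice", "write", "bob", "payroll.xlsx")
    m.transfer_right("bob", "read", "carol", "payroll.xlsx")
    print(m.capability_list("bob"))     # bob's row
    print(m.acl("payroll.xlsx"))        # the file's column
```

The same data answers both questions the slides pose: "what can bob do?" reads his row, "who can touch payroll.xlsx?" reads its column, and neither view is authoritative on its own.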
Content Dependent Access Controls

Access is determined by the type of data.
• Example: email filters that look for specific things like "confidential", "SSN", or images.
• Web proxy servers may be content based.
Context Dependent Access Control

The system reviews a situation, then makes a decision on access.
• A firewall is a great example of this: if a session is established, then allow the traffic to proceed.
• In a web proxy, allow access to certain body imagery if previous web sessions are referencing medical data; otherwise deny access.
Unauthorized Disclosure of Information

• Sometimes data is unintentionally released.

Examples:
• Object reuse
▪ Countermeasures: destruction, degaussing, overwriting
• Emanations security (next)
Emanation Security

• All devices give off electrical/magnetic signals.
• A non-obvious example is reading information from a CRT by its reflection off something like a pair of sunglasses.
• TEMPEST* is the standard that specifies countermeasures to protect against this.
Emanation Countermeasures

• Faraday cage: a metal mesh cage around an object; it attenuates most electrical/magnetic fields.
• White noise: a device that emits a uniform spectrum of random electronic signals. You can buy sound-frequency white noise machines (call centers, doctors' offices).
• Control zones: protect sensitive devices in special areas with special walls, etc.
Chapter - Review

• Q. What is a type 1 error (biometrics)?
• Q. What is a type 2 error (biometrics)?
• Q. Which is generally less desirable?
• Q. What is CER?
• Q. What is derived from a passphrase?
Chapter - Review
• Q. Does Kerberos use
▪ Tickets?
▪ Public keys?
▪ Private keys?
▪ Digital certificates?

• Q. Does Kerberos ever send a password over the network?

• Q. What is the most commonly used method of authentication?

• Q. What is strong authentication?
Chapter - Review
• Q. If a company has a high turnover rate, which access control system is the best?
▪ DAC
▪ Role-Based
▪ Rule-Based

• Q. What is mutual authentication?

• Q. Reviewing audit logs is what type of control?
▪ Preventative
▪ Detective
▪ Corrective

• Q. What is the concept of least privilege?