Access Controls
Access*
Components of Access Control
AAA
The AAAs of security are authentication, authorization, and accounting. Combined, they help to ensure that only authorized entities have access to resources and that their access is recorded.
Authentication
A user provides credentials (such as a
username and password) that are checked
against a database to prove the user’s
identity. The authentication system verifies
the credentials.
Authentication
Strong evidence that this individual or system is actually who they claim to be is needed. Numerous authentication mechanisms may be applied in sequence to enhance the reliability of the authentication process.
Authorization
Administrators assign rights and permissions to
resources, which authorize users to access the
resources.
Accounting
Identification
It should be unique.
Accountability
Authentication
Subjects and Objects
• Something you Do
• Somewhere you are
Something You Know
• Static Password
• One-Time or Dynamic Password
• Cognitive Password (Pet’s name)
• Passphrase (IWi11P@$$The$$CPExam)
• Algorithm Passwords
• Smart Cards
• Hardware Tokens (OTP)
• Synchronous dynamic password (Time Based)
• Asynchronous dynamic password (PIN)
• Software Tokens (OTP)
• TOTP (Time-based One-Time Password)
• HOTP (HMAC-based One-Time Password)
• OPIE (One-time Password In Everything – S/KEY)
Something You Are
• Fingerprints
• Footprints
• Palm Prints & Geometry
• Blood Samples
• DNA
All biometric systems require an individual to register or enroll by recording the specific biometric sample into the system. Different biometric system manufacturers refer to this measurement as a reference profile, reference template, or biometric signature.
Something You Are
Crossover Error Rate (CER) Also called the Equal Error Rate
(EER), CER identifies the point where the FAR and FRR of a
biometric system are equal or cross over each other on the
chart. A lower CER indicates a better-performing biometric
system.
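To make the CER definition concrete, here is an added example (not from the slides) that computes FAR and FRR from constructed genuine and impostor match scores, sweeps the decision threshold to find the point where the two rates cross, and compares two systems by their CER. The score lists, system names and function names are constructed for this illustration.

```python
"""Compute FAR, FRR and the Crossover Error Rate (CER / EER) of a biometric
matcher from constructed match scores.

Added example, not part of the original slides. Genuine and impostor score
lists are constructed; a real system would collect them from enrolled users
and impostor trials.
"""


def error_rates(genuine, impostor, threshold):
    """FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep the threshold over every observed score and return
    (threshold, CER) at the point where FAR and FRR are closest, i.e.
    where the two curves cross on the chart."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def better_system(cer_a, cer_b):
    """A lower CER indicates the better-performing system."""
    if cer_a < cer_b:
        return "A"
    if cer_b < cer_a:
        return "B"
    return "tie"


# Constructed sample scores (0..1, higher = stronger match).
SYSTEM_A = {
    "genuine": [0.30, 0.45, 0.50, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90],
    "impostor": [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.55, 0.60, 0.70],
}
SYSTEM_B = {
    "genuine": [0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90, 0.92, 0.95, 0.98],
    "impostor": [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.50, 0.62],
}

if __name__ == "__main__":
    for name, scores in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover_error_rate(**scores)
        print(f"system {name}: CER {cer:.2f} at threshold {t:.2f}")
```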
Something You Do
Something you do is a trait that you have developed over the years. This trait is
unique to you and has developed either through training, your upbringing,
environment, or perhaps something unique to your body construction. Unique
biometric scanning devices have been constructed to measure a variety of personal
traits to be able to authenticate an individual.
• Signature Dynamics
• Voice Pattern Recognition
• Keystroke Dynamics
• Heart/Pulse Pattern
Signature Dynamics: This recognition software creates a signature. The subject is requested to sign their name or write out a specific group of words. Items tested include pen pressure, direction of strokes, and points where the pen was lifted from the page. Signature dynamics is the biometric factor of handwriting analysis.
Voice Pattern Recognition: This acquisition system requires the individual to speak a phrase into a recording device. This is the same phrase that was originally recorded and stored in memory. The software generally captures features such as inflection points, volume, speaking speed, and pauses. The scanning system then takes the result and matches specific points with those saved in memory. The stored voice phrase is referred to as a voiceprint.
Keystroke Dynamics: Keystroke dynamics, also known as keyboard dynamics, recognizes how an individual types letters onto the keyboard. Various biometric authentication systems may measure flight time and dwell time. The system examines flight time, or the time between key depressions, and dwell time, which is the length of time a key is depressed. The results of using keystroke dynamics as a biometric system are inconsistent because users’ typing methods change depending upon mood or environment.
Heart/Pulse Pattern: Researchers have identified how each person’s heart beats in a unique pattern. This pattern may be detected with a recognition device. Typically this is achieved by the user wearing a wristband that monitors their heartbeat and its unique pattern and uses it to unlock phones, computers, and other nearby devices that belong to the user. Heart/pulse pattern recognition is a biometric authentication technique.
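The keystroke-dynamics description above (flight time between key depressions, dwell time while a key is held) as an added example, not part of the slides: it derives both features from raw key events, builds an enrollment template, and accepts or rejects an attempt with a loose tolerance because rhythm drifts with mood and environment. The event format, template layout, tolerance and helper names are constructed for this illustration.

```python
"""Keystroke dynamics: derive dwell time and flight time from raw key
events and compare a login attempt against an enrolled typing template.

Added example, not part of the original slides. The key event streams are
constructed (key, action, time_ms) tuples; the template format, the
tolerance and the helper names are assumptions for this illustration.
"""
from statistics import mean


def timing_features(events):
    """Return (dwell_times, flight_times) in milliseconds.
    Dwell time: how long a key stays depressed (key up - key down).
    Flight time: gap between releasing one key and pressing the next."""
    dwell, flight = [], []
    down_at = {}
    last_up = None
    for key, action, t in sorted(events, key=lambda e: e[2]):
        if action == "down":
            if last_up is not None:
                flight.append(t - last_up)
            down_at[key] = t
        elif action == "up" and key in down_at:
            dwell.append(t - down_at.pop(key))
            last_up = t
    return dwell, flight


def enroll(samples):
    """Enrollment: average the per-sample mean dwell and flight times."""
    dwells = [mean(timing_features(s)[0]) for s in samples]
    flights = [mean(timing_features(s)[1]) for s in samples]
    return {"dwell": mean(dwells), "flight": mean(flights)}


def matches(template, attempt, tolerance=0.25):
    """Accept when mean dwell and mean flight are both within +/- tolerance
    (as a fraction) of the template. The window has to be loose because, as
    the slides note, typing rhythm changes with mood and environment."""
    dwell, flight = timing_features(attempt)
    return (abs(mean(dwell) - template["dwell"]) <= tolerance * template["dwell"]
            and abs(mean(flight) - template["flight"]) <= tolerance * template["flight"])


def type_word(word, dwell_ms, flight_ms, start_ms=0):
    """Constructed event stream: each key is held dwell_ms, then flight_ms
    passes before the next key goes down."""
    events, t = [], start_ms
    for ch in word:
        events.append((ch, "down", t))
        events.append((ch, "up", t + dwell_ms))
        t += dwell_ms + flight_ms
    return events


if __name__ == "__main__":
    template = enroll([type_word("secret", 90, 120),
                       type_word("secret", 100, 130),
                       type_word("secret", 110, 140)])
    print(matches(template, type_word("secret", 105, 125)))  # same rhythm
    print(matches(template, type_word("secret", 60, 250)))   # different rhythm
```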
Somewhere You Are
Strong Authentication
Authorization
Auditing
WARNING: CISSP buzzword on the next slide.
CISSP BUZZWORD
Identity Management
Directories
Account Management Software
Password Management in ID Systems
Federation
Federated Identity
Federated Access
Advantages
Improved usability
Compatible with silo user-identity domains
Allows SPs to bundle services and collect user info
Disadvantages
High technical and legal complexity
High trust requirements
E.g. SP-A is technically able to access SP-B on user’s behalf
Privacy issues,
Collects info about user habits, e.g. which SPs are used
Limited scalability,
Can only federate SPs with similar interests
An identity federation becomes a new silo
Security Assertion Markup Language (SAML)
Many online banking sites use SAML for SSO. For example,
the banking site might have one service for accessing
checking and savings accounts, another service for online bill
paying, and another service for handling mortgages. With
SSO, the user is able to log on to the primary banking site
one time, and then access all the services without logging on
again. Ex: Websphere
Other SSO Technologies
Public Cloud Public clouds are hosted by cloud service providers and made available either
as a free service or as a pay-per-use service. Users purchase various storage sizes and
other services from the cloud service provider.
Private Cloud Private clouds are essentially the same as public clouds, the difference being
that private clouds are hosted within an organization and the general public is restricted from
access.
Concepts of Cloud Security
Platform as a Service (PaaS) provides the user with a virtual computer. The user can install
software and databases and operate the system as if it were a purchased hardware device
sitting on their desk.
With Infrastructure as a Service (IaaS), the cloud provider supplies the capability of creating
cloud-based networks utilizing standard or virtualized networking components. Infrastructure
as a Service allows a company to expand very rapidly without having to purchase vast
amounts of expensive hardware.
Cloud Security Vulnerabilities
Cloud Vendor Reliability Cloud vendor reliability encompasses not only the financial
viability of a cloud provider but also their ability to provide adequate safeguards and security
controls on the cloud equipment.
Data Clearing and Cleansing Data clearing and cleansing refers to company data that may
remain on cloud storage devices after a cloud size is reduced. For instance, a benefit of the
cloud is the ability to expand as required. If the space is no longer required and the company
elects to contract the cloud size, the question is what happens to the data that remains on
the cloud.
Bio – life
Metrics – measure
Biometrics verifies (authenticates) an individual’s identity by analyzing unique personal attributes.
Require enrollment before being used*
EXPENSIVE
COMPLEX
Biometric problems?
Expensive
Unwieldy
Intrusive
Can be slow (should not take more than 5-10 seconds)*
Complex (enrollment)
Privacy Issues
Biometrics wrap up
We covered a bunch of different biometrics
Understand some are behavioral* based
Voice print
Keyboard dynamics
Can change over time
Some are physically based
Fingerprint
Iris scan
Passwords
Password traits
Problems with Passwords
Password Management
Virtual Password
Cognitive passwords
Problems with cognitive passwords
Not really secure. I’m not a big fan.
Challenge OTP
Memory Cards
Smart Card
Much more secure than memory cards
Can actually process information
Includes a microprocessor and ICs
Can provide two-factor authentication, as the card can store authentication data protected by a PIN (so you need the card, and you need to know something)
Two types:
Contact
Contactless
Smart Card Attacks
Authorization
Authorization principals
Authorization Creep*
Centralized Authentication
Sun NIS/YP
Kerberos
LDAP
Microsoft Active Directory*
SSO downsides
Centralized point of failure*
Can cause bottlenecks*
All vendors have to play nicely (good luck)
Often very difficult to accomplish*
One ring to bind them all!...If you can access once, you can access ALL!
SSO technologies
Sun NIS/YP
Kerberos
SESAME
LDAP
Microsoft Active Directory*
NIS/YP
Sun NIS/YP – The first attempt at centralizing user
accounts on a network.
Flat files distributed
Old technology
Extremely insecure
Kerberos
The Value of the Information The first requirement is the value of the information.
Information value is strictly in the eye of the beholder. If you are in business,
financial and customer data is of utmost concern and value to you, but if you are in
the government or military, data concerning troop movements, targets to attack, and
logistics may be of utmost concern.
The Method of Accessing the Information The second requirement is how the
information is made available. For instance, can a database owner decide who has
access to the data or work object and is there another means of relating the data
specifically to the user or subject allowed to access it?
Discretionary Access Control (DAC)
The Discretionary Access Control (DAC) model provides the most granular level
of access control. It is an identity-based model and allows data owners to assign
permissions to subjects at the most basic level. Each subject is granted specific
rights to the data.
For example, when you share a folder on your desktop with three of your co-workers, you
are exercising discretionary access control. As the data owner, you are granting access to
your folder. At any time, you may restrict or revoke access to your folder, but the decision is
completely yours.
Once the individual accesses the data folder or file, the software system checks the
user credentials and allows the user to perform actions as established by the
administrator or data owner. It is important to note that at any time the data owner or
administrator may override the existing selections and make changes to the rights
and privileges. Typically, the following actions may be granted to the user for a file:
• Full Control
• Modify
• Read & Execute
• List Folder Contents
• Read
• Write
• Special
In the DAC model, users and data owners have complete discretionary control over their data and who has access to it.
Non-Discretionary Access Control (non-DAC)
Some operating systems implement non-DAC models for system file access. This prevents
malware from taking ownership of any critical or sensitive system files or modifying
permissions on any of these files. Users still own and manage their own files using DAC, but
the non-DAC model methods protect system files.
Non-Discretionary Access Control Models
Mandatory access control (MAC) uses labels or tags to identify both subjects and
objects and is a nondiscretionary access control model. It is the most secure model
and is used by most of the military and federal government to protect classified data.
With the MAC model, every piece of information (object) and every user (subject)
has been given a label.
Also the following information security labels are typically used in business:
MAC
MAC sensitivity labels
Mandatory Access Control
Just because someone has a Top Secret classification, they don’t automatically have access to all
Top Secret data. Instead, they are granted access based on their need to know the information for
their job. Additionally, it’s possible to create sub-classifications or compartments within each
classification level.
Mandatory Access Control
The MAC model is a non-DAC model that uses labels to control access
to data. It is the most secure model when compared to other access
control models.
Under the MAC model, subjects and objects are assigned labels or
tags. Labels assigned to subjects are called security clearances or a
capabilities list, while labels assigned to objects are called security
classifications or information classifications.
Administering Mandatory Access Control
Discretionary access control is administered through the use of an access control list
(ACL) attached to each file or folder with changes that can be made on the fly by the
data owner.
Typically, in a mandatory access control system, the sensitivity of the objects being
accessed is far greater than the objects in a discretionary access control system.
The theory and application of this hardware and software mediation platform is
referred to as a trusted computing base (TCB).
Trusted Systems
Secure Hardware and Software Environment This may take the form of an isolated server stripped of
all services and capabilities not required of the mediation process. The isolation means that it should
not be possible for an attacker to be able to change the logic of the reference monitor or access and
change the contents of the security kernel.
A reference monitor is typically defined as the service or program where access control information
is stored and where access control decisions are made. Once a subject requests access to an
object, the reference monitor accesses a file, known as the security kernel database, that lists the
access privileges or security clearance of each subject and the security classification attributes of
each object.
Trusted Systems
Security Kernel The component of the trusted computing base consisting of hardware, software and
firmware elements that implements an authorized control list (ACL) database, usually referred to as
a security kernel database. This database is utilized when mediating (comparing) subject and object
labels in a Mandatory Access Control (MAC) authentication system.
Audit The final requirement is to provide a complete audit file recording attempted security
violations, authorized data accesses, data file changes, and authorized changes to the security
kernel database.
Trusted Systems
The MAC architecture model provides a framework that can be applied to various
types of information systems. In general, these models provide rules that can be
applied to subjects before they are allowed to read or write sensitive information.
Each of the four models provides a primary goal of either confidentiality or integrity.
Each of the models is named after the individuals who created it.
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Brewer-Nash Model (Chinese Wall)
Bell-LaPadula Model
The Bell-LaPadula model enforces information confidentiality. It does this by enforcing
security through two rules called no read up and no write down.
With the Bell-LaPadula model, an individual with a secret security clearance cannot read top
secret information and cannot write secret information down to a security level below secret,
such as unclassified.
Simple Security Property Rule (No Read Up) Subjects cannot read information classified at a higher level than theirs.
For example, a person with an unclassified security clearance cannot read a document classified as secret.
The Star Property Rule (No Write Down) Subjects with access to information at a certain security level cannot write that
information to a lower security level. For example, a person accessing documents classified as secret cannot reduce
the classification level by writing the information to a lower level. Usually an asterisk (*) is used as a star, as in the *
property rule.
The Strong Star Rule This rule states that if you have read and write capabilities, you are restricted to read and write
your data at your level of secrecy, but you cannot read and write to levels of higher or lower secrecy. This is sometimes
referred to as the constrained or tranquility property.
Biba Model
The Biba model, another MAC-based model, enforces integrity (unlike the Bell-
LaPadula model, which enforces confidentiality). Biba includes two rules that are
reversed from the Bell-LaPadula model:
Simple Integrity Axiom—no read down Subjects granted access to any security level may not read
an object at a lower security level, at least not as the authoritative source. For example, a captain of
a ship can read orders from an admiral and consider them authoritative and actionable. However, if a
seaman recruit tries to issue orders to the captain, the captain will not read them as authoritative.
The * Integrity Axiom (read as “star Integrity Axiom”)—no write up Subjects granted access to any
security level may not write to any object at a higher security level. For example, a seaman recruit
cannot write orders for the captain of the ship. Similarly, the captain cannot write orders for the
admiral.
The Invocation Property The invocation property prevents a user at one level from using or invoking
the powers or privileges of the user at a higher level.
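The Bell-LaPadula and Biba rules above, encoded as an added example (not from the slides) so the mirror image between the two models is visible in code: no read up / no write down and the strong star rule for Bell-LaPadula, no read down / no write up and the invocation property for Biba. The level ladders (the classification scale and the slides' naval ranks) and the function names are constructed for this illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access checks.

Added example, not part of the original slides. The clearance ladder and
the naval ranks are constructed to match the slides' examples; the
function names are assumptions.
"""

# Ordered low -> high. Bell-LaPadula compares classification levels;
# Biba compares integrity levels (here the slides' naval ranks).
CLASSIFICATION = ["unclassified", "confidential", "secret", "top secret"]
INTEGRITY = ["seaman recruit", "captain", "admiral"]


def blp_allows(clearance, classification, op, strong_star=False):
    """Bell-LaPadula:
      simple security property - no read up
      * (star) property        - no write down
      strong * property        - read and write only at your own level"""
    s = CLASSIFICATION.index(clearance)
    o = CLASSIFICATION.index(classification)
    if strong_star:
        return s == o
    if op == "read":
        return o <= s
    if op == "write":
        return o >= s
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level, object_level, op):
    """Biba, the rules reversed from Bell-LaPadula:
      simple integrity axiom - no read down
      * integrity axiom      - no write up"""
    s = INTEGRITY.index(subject_level)
    o = INTEGRITY.index(object_level)
    if op == "read":
        return o >= s
    if op == "write":
        return o <= s
    raise ValueError(f"unknown operation {op!r}")


def biba_may_invoke(caller_level, callee_level):
    """Invocation property: a subject may not invoke (use the privileges
    of) a subject at a higher integrity level."""
    return INTEGRITY.index(callee_level) <= INTEGRITY.index(caller_level)


if __name__ == "__main__":
    print("secret reads top secret:", blp_allows("secret", "top secret", "read"))
    print("secret writes unclassified:", blp_allows("secret", "unclassified", "write"))
    print("captain reads admiral's orders:", biba_allows("captain", "admiral", "read"))
    print("recruit writes orders for captain:", biba_allows("seaman recruit", "captain", "write"))
```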
Clark-Wilson Model
The goal of the Clark-Wilson model is to enforce separation of duties through integrity
rules. This model places a mechanism such as a software program between the subject
and object.
The software program separates the subject and object. This model enforces data
integrity by checking, screening, or formatting data prior to it being placed in the object,
such as a database.
The Clark-Wilson model enforces what is called “well-formed transactions.” This model
also enforces such integrity policies as authorized users may not take unauthorized
actions and unauthorized users will not be allowed access.
The Clark-Wilson model uses certification rules (identified as C1 through C5) and
enforcement rules (identified as E1 through E4) to enforce separation of duties. The
certification rules are integrity-monitoring rules, and the enforcement rules are integrity-
preserving rules.
Clark-Wilson Model
These rules are complex, but they work together to ensure there is adequate separation
of the elements of any transaction.
For example, consider a company that purchases products. The transaction includes someone
placing an order, someone receiving the products (and verifying that they were received), and
someone paying for the products (after verification that the products were received).
Imagine that Fred has sole responsibility for doing all three tasks in the transaction. This increases
the potential for fraud, because he could place an order through a fictitious company, acknowledge
receipt (even if no products were received), and deposit the funds into his own bank account.
The Clark-Wilson model ensures that different people perform the separate tasks
independently of each other.
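The purchasing transaction from the Fred example, as an added example (not from the slides) of Clark-Wilson style enforcement: a purchase order may only change through the three transformation procedures in order, each user may run only the procedures they are certified for, and no one user may run every step, either by certification or by acting twice on the same order. The step names, user table and class names are constructed; the checks follow the slides' authorized-user and separation-of-duties rules rather than a literal encoding of C1-C5 / E1-E4.

```python
"""Clark-Wilson style enforcement for the slides' purchasing transaction:
well-formed transaction ordering plus separation of duties.

Added example, not part of the original slides. The step names, the user
authorization table and the Enforcer class are constructed.
"""

# Transformation procedures (TPs), in the order a well-formed
# purchase transaction must run.
STEPS = ("place_order", "receive_goods", "pay_invoice")


class PurchaseOrder:
    """Constrained data item: may only be changed through the TPs."""

    def __init__(self, po_id):
        self.po_id = po_id
        self.history = []          # (step, user) in execution order


class Enforcer:
    def __init__(self, authorizations):
        # authorizations: {user: set of TPs the user is certified to run}
        self.auth = {u: set(tps) for u, tps in authorizations.items()}
        self.certify_separation()

    def certify_separation(self):
        """Static separation of duties: no single user may be certified
        for every step (that is the Fred problem from the slides)."""
        for user, tps in self.auth.items():
            if set(STEPS) <= tps:
                raise ValueError(f"{user} is authorized for all steps")

    def run(self, user, step, po):
        """Attempt to run a TP on the CDI. Returns (ok, reason)."""
        if step not in self.auth.get(user, set()):
            return False, f"{user} is not authorized to run {step}"
        done = len(po.history)
        if done == len(STEPS):
            return False, "transaction already complete"
        if step != STEPS[done]:
            return False, f"expected {STEPS[done]} next, got {step}"
        # Dynamic separation of duties: whoever did an earlier step on this
        # order may not do a later one, even if certified for it.
        if any(u == user for _, u in po.history):
            return False, f"{user} already acted on {po.po_id}"
        po.history.append((step, user))
        return True, "ok"


def certification_ok(authorizations):
    """True if the authorization table passes the static SoD check."""
    try:
        Enforcer(authorizations)
        return True
    except ValueError:
        return False


def run_purchase(enforcer, assignments, po_id="PO-1"):
    """Run (user, step) pairs against one order; return the (ok, reason)
    result of each attempt."""
    po = PurchaseOrder(po_id)
    return [enforcer.run(user, step, po) for user, step in assignments]
```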
Brewer-Nash Model (Chinese Wall)
For example, if a business is providing different services for the same client, each branch or
department is isolated from the other with no knowledge of the other departments’ activities. This
eliminates the possibility of a conflict of interest. This is also referred to as providing a Chinese wall
between the two groups. Each group’s information (objects) is classified so that it may not be
accessed by the other.
Financial services organizations often implement this model to help prevent a conflict of
interest, and it helps enforce the separation of duties principle.
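The Brewer-Nash isolation described above, as an added example (not from the slides): company datasets are grouped into conflict-of-interest classes, and once a subject has read one company's data the wall goes up against every competitor in that class. It also includes the model's write rule in a simplified form (write only when everything the subject has read belongs to the same company), which the slides do not spell out. Company names, classes and the class name are constructed.

```python
"""Brewer-Nash (Chinese wall) check.

Added example, not part of the original slides. The company names and
conflict-of-interest classes are constructed; the ChineseWall class and
its method names are assumptions.
"""

# Constructed: each company's dataset belongs to one conflict-of-interest
# class. Companies in the same class are competitors.
CONFLICT_CLASS = {
    "BankA": "banking", "BankB": "banking",
    "OilX": "oil",      "OilY": "oil",
}


class ChineseWall:
    def __init__(self):
        self.accessed = {}   # subject -> set of companies already read

    def can_read(self, subject, company):
        """A subject may read a company's data if they have already read
        that company, or have read no competitor in the same class."""
        seen = self.accessed.get(subject, set())
        if company in seen:
            return True
        cls = CONFLICT_CLASS[company]
        return all(CONFLICT_CLASS[c] != cls for c in seen)

    def read(self, subject, company):
        """Record the access; the wall is fixed by the first choice made."""
        if not self.can_read(subject, company):
            return False
        self.accessed.setdefault(subject, set()).add(company)
        return True

    def can_write(self, subject, company):
        """Simplified write rule: allowed only if everything the subject has
        read belongs to this same company, so information cannot cross the
        wall through someone who has read from two different companies."""
        seen = self.accessed.get(subject, set())
        return self.can_read(subject, company) and seen <= {company}


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("ana", "BankA"))   # first choice, allowed
    print(wall.read("ana", "OilX"))    # different class, allowed
    print(wall.read("ana", "BankB"))   # competitor of BankA, blocked
```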
Goals and Rules of Mandatory Access Control Models
Covert Channels
A Covert Channel is a way for an entity to send or
receive information in an unauthorized manner.
It is an information flow that is not controlled via
a security mechanism and was not intended to
transfer information. Such methods violate the
security policy.
Covert Channels
Two types of CC
Storage – (give temp file example)
Timing – hold or not hold an object (give example)
Graham-Denning Model
A model more concerned with actual implementation than abstract concepts.
GD outlines 8 operations that define how objects should be created and deleted. It addresses how to assign specific access rights. The 8 operations specifically are:
How to securely create an object
How to securely create a subject
How to securely delete an object
How to securely delete a subject
How to securely provide the read access right
How to securely provide the grant access right
How to securely provide the delete access right
How to securely provide transfer access rights
Role-Based Access Control
Although the Role-BAC model doesn’t provide the granularity offered by DAC, it is
easier to implement for large groups of people.
Typically, users with very similar or identical roles are identified and placed in a group.
Access control is granted to all individuals in the group based upon their membership in the
group.
This type of administration is ideal for large groups such as call center employees, bank
tellers, store clerks, and stock traders or with groups in which numerous adds and drops
occur frequently. Once a user is assigned to the group, they receive all the rights and
privileges anyone in the group has received.
Role Based Access Control
Also called non-discretionary.
Uses a set of controls to determine how subjects
and objects interact.
Don’t give rights to users directly. Instead create
“roles” which are given rights. Assign users to roles
rather than providing users directly with privileges.
Advantages:
This scales better than DAC methods
Fights “authorization creep”*
Role based Access control
When to use*
If you need centralized access*
If you DON’T need MAC ;)
If you have high turnover*
Rule-Based Access Control
Rule-based access control (RBAC or RAC) is based upon explicit rules that have
been established to control the activities of subjects. Various rules may be created to
allow or restrict access to objects.
One such rule is the time of day restriction. This rule establishes when a resource or
object may be accessed.
As an example, routers have rules within an ACL. These rules identify what traffic the router
will pass based on IP addresses, ports, and protocols.
Rule Based Access Control (216)
If you see RBAC in either a text or article, be careful for the context.
Determine if the “RBAC” is referring to role-based access control OR
rule-based access control.
The last rule in a router is an implicit deny rule. It blocks all traffic that
isn’t explicitly allowed by previous rules. Permissions assigned in
DACLs use a similar concept. For example, you explicitly grant
permissions to users for a folder. If you don’t assign permissions to a
specific user, the system blocks that user from accessing the folder.
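The router ACL behaviour described above, as an added example (not from the slides): an ordered rule list matched top down on protocol, addresses and port, a time-of-day restriction on one rule, and the implicit deny that applies when no rule matches. The rules, addresses, packets, the Rule class and evaluate() are constructed for this illustration.

```python
"""Rule-based access control as a router-style ACL: ordered rules, first
match wins, and an implicit deny when nothing matches. Includes a
time-of-day rule as the slides describe.

Added example, not part of the original slides. The rules, addresses and
packets are constructed; the Rule class and evaluate() are assumptions.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    proto: str = "any"                         # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"                     # source network (CIDR)
    dst: str = "0.0.0.0/0"                     # destination network (CIDR)
    dport: Optional[int] = None                # None = any destination port
    hours: Optional[Tuple[time, time]] = None  # inclusive time-of-day window

    def matches(self, pkt, now):
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        if self.hours is not None and not (self.hours[0] <= now <= self.hours[1]):
            return False
        return True


def evaluate(acl, pkt, now):
    """Walk the ACL top down; the first matching rule decides.
    Returns (action, index of the matching rule), or ("deny", None) for
    the implicit deny at the end of the list."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt, now):
            return rule.action, index
    return "deny", None


def decide(acl, proto, src, dst, dport, hour, minute=0):
    """Convenience wrapper: build the packet and the clock, then evaluate."""
    pkt = {"proto": proto, "src": src, "dst": dst, "dport": dport}
    return evaluate(acl, pkt, time(hour, minute))


# Constructed ACL: block a quarantined subnet first, allow HTTPS to the web
# server, allow admin SSH only from the admin subnet during business hours.
ACL = [
    Rule("deny", src="10.0.5.0/24"),
    Rule("permit", proto="tcp", dst="192.168.1.10/32", dport=443),
    Rule("permit", proto="tcp", src="10.0.1.0/24", dst="192.168.1.20/32",
         dport=22, hours=(time(8, 0), time(18, 0))),
]

if __name__ == "__main__":
    print(decide(ACL, "tcp", "10.0.1.5", "192.168.1.20", 22, 12))   # permit, rule 2
    print(decide(ACL, "tcp", "10.0.1.5", "192.168.1.20", 22, 22))   # implicit deny
```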
Constrained User Interfaces (218)
Access Control Matrix* (218)
Capability Table*
ACL*
Content Dependent Access Controls
Context Dependent Access Control
Unauthorized Disclosure of Information
Sometimes data is unintentionally released.
Examples:
Object reuse
Countermeasures
▪ Destruction
▪ Degaussing
▪ Overwriting
Emanations Security (next)
Emanation Security
Emanation Countermeasures
Q. What is CER?