FORESEC Academy Security Essentials (II)

Access Control and Password Management



Agenda

  • Access Control

    - Techniques

    - Models

  • Passwords

    - Password Cracking

    - Password Management



Key Terms & Principles

  • Data Owner

  • Data Custodian

  • Separation of duties

  • Least Privilege



Access Control Techniques

  • Discretionary (DAC)

  • Mandatory (MAC)

  • Role-based

  • Rule-based

  • List-based

  • Token-based



Lattice Techniques

  • Access Matrix

    - Objects

    - Subjects

  • Bell-LaPadula

  • Biba

  • Clark-Wilson



Lattice Techniques (2)

Bell-LaPadula

  • Designed for the military environment

  • Addresses only confidentiality

  • Rules

    - Simple Security Property (no read up)

    - Star Property (* Property) (no write down)

    - Strong Star Property (read and write only at the subject's own level)



Lattice Techniques (3)

Biba

  • Model for integrity

  • Suited for the commercial environment

  • Rules

    - Simple Integrity Property (no read down)

    - Integrity Star Property (* Integrity Property) (no write up)

  • Information flows only downwards, from higher to lower integrity levels
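The Bell-LaPadula and Biba rules above, and the access matrix from the first lattice slide, as a small reference monitor. This is an added example, not code from the FORESEC slides; the level lattice, the subject and object names, and the restriction to "read" and "write" are assumptions made for illustration.

```python
"""Reference-monitor checks for the lattice models on these slides.

Added example, not code from the FORESEC slides. The level lattice, the
subjects and the objects are constructed for illustration; only "read" and
"write" are modelled.
"""
from dataclasses import dataclass

# Ordered lattice of levels, lowest first. Read it as sensitivity for
# Bell-LaPadula and as integrity for Biba; both models use the same shape.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    level: str


@dataclass(frozen=True)
class Object:
    name: str
    level: str


def _rank(entity):
    return LEVELS[entity.level]


def blp_allows(subject, obj, op, strong_star=False):
    """Bell-LaPadula (confidentiality).

    read  -> simple security property: subject >= object ("no read up")
    write -> star property: subject <= object ("no write down"), or with the
             strong star property subject == object (write only at own level)
    """
    if op == "read":
        return _rank(subject) >= _rank(obj)
    if op == "write":
        if strong_star:
            return _rank(subject) == _rank(obj)
        return _rank(subject) <= _rank(obj)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba (integrity), the dual of Bell-LaPadula.

    read  -> simple integrity property: subject <= object ("no read down")
    write -> integrity star property: subject >= object ("no write up")
    Information therefore flows only downward, from high to low integrity.
    """
    if op == "read":
        return _rank(subject) <= _rank(obj)
    if op == "write":
        return _rank(subject) >= _rank(obj)
    raise ValueError(f"unknown operation {op!r}")


def access_matrix(subjects, objects, policy):
    """Access matrix: each (subject, object) cell holds the permitted operations."""
    return {
        s.name: {o.name: {op for op in ("read", "write") if policy(s, o, op)}
                 for o in objects}
        for s in subjects
    }


if __name__ == "__main__":
    analyst = Subject("analyst", "secret")
    report = Object("report", "confidential")
    plan = Object("plan", "top_secret")
    print("BLP :", access_matrix([analyst], [report, plan], blp_allows))
    print("Biba:", access_matrix([analyst], [report, plan], biba_allows))
```

Running it shows the duality directly: under Bell-LaPadula the secret-level analyst may read the confidential report but only write to the top-secret plan, while under Biba the same analyst may write down to the report but may not read it, because low-integrity data must not contaminate a high-integrity subject.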



Lattice Techniques (4)

Clark-Wilson

  • Integrity model

  • Uses an access triple

    - Subject, Program (transformation procedure), Object (constrained data item)

  • Prevents loss or corruption of data

  • Ensures well-formed transactions
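The access triple and well-formed transaction ideas from the Clark-Wilson slide, as an added example (not the slides' own code). The ledger used as the constrained data item, its integrity verification procedure, the two transformation procedures and the certified triples are all constructed assumptions; the point is that a subject can only reach the data through a certified program, and that the data is re-verified after every change.

```python
"""Clark-Wilson enforcement: access triples, transformation procedures (TPs),
integrity verification procedures (IVPs) and well-formed transactions.

Added example, not code from the FORESEC slides. The ledger CDI, its IVP, the
TPs and the certified triples are constructed for illustration.
"""
import copy


class Ledger:
    """Constrained data item (CDI): account balances whose total is conserved."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total = sum(self.balances.values())


def ivp_ledger(ledger):
    """IVP: the CDI is valid iff funds are conserved and no balance is negative."""
    return (sum(ledger.balances.values()) == ledger.total
            and all(v >= 0 for v in ledger.balances.values()))


def tp_transfer(ledger, src, dst, amount):
    """Certified TP: moves funds between two accounts after validating its inputs."""
    if amount <= 0 or dst not in ledger.balances or ledger.balances.get(src, 0) < amount:
        raise ValueError("transfer rejected by TP input validation")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


def tp_adjust(ledger, account, new_balance):
    """A buggy TP that sets a balance directly; it can break conservation."""
    ledger.balances[account] = new_balance


TPS = {"transfer": tp_transfer, "adjust": tp_adjust}
IVPS = {"ledger": ivp_ledger}

# Access triples (subject, TP, CDI): only these combinations may execute.
TRIPLES = {
    ("alice", "transfer", "ledger"),
    ("alice", "adjust", "ledger"),
}


def run_tp(subject, tp_name, cdi_name, cdi, log, *args):
    """Reference monitor for the access triple plus well-formed transaction.

    1. Refuse anything not covered by a certified triple.
    2. Run the TP as an all-or-nothing unit.
    3. Re-run the IVP and roll back if the CDI would be left invalid.
    Every outcome is appended to the audit log.
    """
    if (subject, tp_name, cdi_name) not in TRIPLES:
        log.append(f"DENY {subject} {tp_name} {cdi_name}")
        return False
    snapshot = copy.deepcopy(cdi.__dict__)
    try:
        TPS[tp_name](cdi, *args)
        if not IVPS[cdi_name](cdi):
            raise ValueError("IVP failed after TP")
    except ValueError as err:
        cdi.__dict__.clear()
        cdi.__dict__.update(snapshot)  # roll back to the last valid state
        log.append(f"ROLLBACK {subject} {tp_name} {cdi_name}: {err}")
        return False
    log.append(f"OK {subject} {tp_name} {cdi_name} {args}")
    return True


if __name__ == "__main__":
    audit = []
    ledger = Ledger({"a": 100, "b": 50})
    run_tp("alice", "transfer", "ledger", ledger, audit, "a", "b", 30)
    run_tp("mallory", "transfer", "ledger", ledger, audit, "a", "b", 10)
    run_tp("alice", "adjust", "ledger", ledger, audit, "a", 1000)
    print("\n".join(audit), ledger.balances)
```

Note that the buggy `adjust` TP is stopped not by the access triple (alice is certified for it) but by the IVP rerun, which is why Clark-Wilson keeps both mechanisms: triples bound who can do what, IVPs catch a certified program that still produces an inconsistent state.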



Access Management

  • Account administration

  • Maintenance

  • Monitoring

  • Revocation



Access Control Models

  • State machine

  • Information flow

  • Covert channels

  • Non-interference



Protocols

  • Password Authentication Protocol (PAP)

  • Challenge Handshake Authentication Protocol (CHAP)
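The two protocols on the slide side by side, as an added example that is not part of the original presentation. PAP sends the identity and password in the clear; CHAP answers a random challenge with MD5 over identifier, secret and challenge (the construction RFC 1994 specifies), so the secret never crosses the link. The peer names, the secret store and the simplified byte encoding of the packets are constructed assumptions.

```python
"""PAP versus CHAP over a link an eavesdropper can see.

Added example, not code from the FORESEC slides. The peer credentials and the
simplified "wire" encoding are constructed; the CHAP response is
MD5(identifier || secret || challenge) as in RFC 1994.
"""
import hashlib
import hmac
import os

# Constructed credential stores on the authenticator side.
PAP_STORE = {"router-a": "hunter2"}
CHAP_SECRETS = {"router-a": b"hunter2"}


# --- PAP: the peer sends its id and password in the clear --------------------
def pap_request(peer_id, password):
    """Authenticate-Request as it crosses the link: nothing is protected."""
    return f"{peer_id}:{password}".encode()


def pap_verify(packet):
    peer_id, _, password = packet.decode().partition(":")
    expected = PAP_STORE.get(peer_id, "").encode()
    return hmac.compare_digest(expected, password.encode())


# --- CHAP: three-way handshake, the secret never crosses the link ------------
def chap_challenge(rng=os.urandom):
    """Authenticator -> peer: (identifier, random challenge)."""
    return rng(1)[0], rng(16)


def chap_response(identifier, secret, challenge):
    """Peer -> authenticator: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(peer_id, identifier, challenge, response):
    """Authenticator recomputes the response from its own copy of the secret."""
    secret = CHAP_SECRETS.get(peer_id)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pkt = pap_request("router-a", "hunter2")
    print("PAP packet on the wire:", pkt, "-> accepted:", pap_verify(pkt))
    ident, chal = chap_challenge()
    resp = chap_response(ident, CHAP_SECRETS["router-a"], chal)
    print("CHAP response on the wire:", resp.hex(), "-> accepted:",
          chap_verify("router-a", ident, chal, resp))
    # A captured response is useless against a fresh challenge.
    ident2, chal2 = chap_challenge()
    print("replayed response accepted:", chap_verify("router-a", ident2, chal2, resp))
```

Two caveats a practitioner should keep in mind: the authenticator must be able to recompute the hash, so CHAP requires the secret to be stored in recoverable form on the server, and an eavesdropper who captures a challenge/response pair can run an offline dictionary attack against it, which is why the shared secret must be long and random rather than a user-chosen password.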



Centralized Control

  • TACACS

  • RADIUS

  • Domains & Trusts

  • Active Directory

  • Kerberos



Access Control: Biometrics

  • Hand: fingerprint, hand geometry

  • Eye: retina, iris

  • Face: thermograms, photo

  • Voice print

  • Mannerisms: keystroke, tread (gait), handwriting



Access Control: Biometrics (2)

Key factors in selecting biometrics:

  • Reliability

    - FRR (false rejection rate), FAR (false acceptance rate), CER (crossover error rate), also called EER (equal error rate)

  • User friendliness

  • Cost
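How FRR, FAR and the crossover (equal) error rate are derived from a matcher's scores, as an added example that is not from the slides. The genuine and impostor score samples are constructed (a real evaluation uses thousands of comparisons per class); the functions themselves are the general computation, and the last one shows the trade-off the slide's "reliability" factor hides: a stricter threshold lowers FAR at the cost of FRR.

```python
"""FAR, FRR and the crossover/equal error rate from matcher scores.

Added example, not code from the FORESEC slides. The genuine and impostor
score samples below are constructed; a real evaluation would use thousands
of comparisons per class.
"""

# Constructed matcher scores (higher = stronger match).
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.70, 0.66, 0.61, 0.55]   # same person
IMPOSTOR = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.35, 0.30, 0.26, 0.20]  # different person


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostors whose score meets the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine users whose score falls below it."""
    return sum(s < threshold for s in genuine) / len(genuine)


def _candidate_thresholds(genuine, impostor):
    # Error rates only change at observed scores, so those are the thresholds to scan.
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Crossover (CER/EER): the threshold where FAR and FRR are closest.

    Returns (threshold, far, frr); the common value is the system's EER.
    """
    t = min(_candidate_thresholds(genuine, impostor),
            key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return t, far(t, impostor), frr(t, genuine)


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR does not exceed max_far, as (t, far, frr).

    A small max_far (high-security deployment) buys its low FAR with a higher
    FRR, i.e. more genuine users are turned away; None if no threshold works.
    """
    for t in _candidate_thresholds(genuine, impostor):
        if far(t, impostor) <= max_far:
            return t, far(t, impostor), frr(t, genuine)
    return None


if __name__ == "__main__":
    print("EER point (threshold, FAR, FRR):", equal_error_rate())
    print("zero-FAR operating point:", threshold_for_max_far(0.0))
```

On these samples the two curves cross at a threshold of 0.58 with FAR = FRR = 10 %, and demanding zero false acceptances pushes the threshold to 0.61 and the false rejection rate to 10 %. Comparing systems by their EER is the usual shorthand, but the operating point actually deployed should be chosen from the curve against the cost of each error type.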



Single Sign-On (SSO)

  • User only has to log on once

  • Credentials are carried with the user

  • Simplifies user management

  • Allows centralized management

  • User only has to remember one set of credentials



Single Sign-On (2)

  • Can take different forms:

    - Scripts

    - Directory services

    - Kerberos

    - Thin clients

  • Security issues: one compromised credential opens every system behind the SSO

  • Interoperability issues: every participating system must accept the same credential



Access Control: Passwords



What is Password Cracking? Discovering a plaintext password given its stored encrypted form (the one-way hash, such as a Unix crypt() entry), by hashing guesses and comparing.



Methods of Password Cracking

  • Dictionary attack: hash each word of a word list and compare

  • Hybrid attack: dictionary words with digits appended, case changes or character substitutions

  • Brute force attack: every combination of characters from a chosen set, up to a given length



Unix Password Cracking - Crack

  • Name: Crack

  • Operating System: Unix

  • Brief Description: Crack is a "password guessing" program that is designed to quickly identify accounts having weak passwords given a Unix password file.



Crack

  • Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack

  • Features

    - Configurable password cracking

    - Modular approach with various scripts

    - Combining and extracting password files

    - Works with any crypt() implementation



Configuring Crack

  • Download the Crack archive

  • Decompress the file with gzip

    - gunzip crack5.0.tar.gz

  • Untar the file

    - tar -xvf crack5.0.tar

  • Read manual.txt

  • Edit the Crack script for your system

  • Compile the program and build the dictionaries

    - Crack -makeonly

    - Crack -makedict



Running Crack

  • Run Crack with a password file

    - Crack [options] [-fmt format] [file ...]

    - Crack myfile

  • Redirect the output to a file

    - Crack myfile > output

  • Run the Reporter script to see the results

    - ./Reporter [-quiet] [-html]



Effectiveness of Crack

  • User Eric, password "eric" – CRACKED

  • User John, password "john1234" – not cracked

  • User Mike, password "5369421" – not cracked

  • User Mary, password "#57adm7#" – not cracked

  • User Sue, password "sue" – CRACKED

  • User Lucy, password "12345" – CRACKED

  • User Pat, no password – CRACKED

  • User Tim, password "password" – CRACKED

  • User Cathy, password "55555" – CRACKED

  • User Frank, password "abcde" – CRACKED

  • User Tom, password "mnopqr" – not cracked

  • User Karen, password "bbbbbbbb" – CRACKED
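The three methods from the "Methods of Password Cracking" slide, run against a hash file built from accounts like those on the effectiveness slide above. This is an added example, not the slides' code and not Crack's: Crack works on real crypt() output, whereas this stand-in uses a constructed salted SHA-256 so it runs anywhere; the word list, the salts and the sample accounts (which mirror the slide's demonstration users) are all constructed. The methods are tried cheapest-first per account, which is how cracking tools actually order their work.

```python
"""Dictionary, hybrid and brute-force cracking against a salted hash file.

Added example, not code from the FORESEC slides and not Crack's own code.
Instead of crypt(3) it uses a constructed salted SHA-256 stand-in, and the
"shadow" entries below are constructed to mirror the slide's demonstration
accounts.
"""
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "welcome", "qwerty", "summer", "john"]

# Constructed accounts: (user, plaintext, salt). The plaintext is used only
# to build the hash file; the cracker never sees it.
SAMPLE = [
    ("eric", "eric", "a1"),        # password equals the user name
    ("john", "john1234", "b2"),    # user name plus digits
    ("lucy", "12345", "c3"),       # short all-digit password
    ("pat", "", "d4"),             # no password at all
    ("tim", "password", "e5"),     # dictionary word
    ("mary", "#57adm7#", "f6"),    # survives all three methods here
]


def crypt_stub(password, salt):
    """Stand-in for Unix crypt(): salted, one-way, deterministic."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def make_shadow(entries=SAMPLE):
    """Build hash-file lines of the form user:salt$hash."""
    return [f"{u}:{salt}${crypt_stub(p, salt)}" for u, p, salt in entries]


def parse_shadow(lines):
    records = []
    for line in lines:
        user, _, rest = line.partition(":")
        salt, _, digest = rest.partition("$")
        records.append((user, salt, digest))
    return records


def dictionary_candidates(user, words):
    """Dictionary attack: empty password, the user name, then each list word."""
    yield ""
    yield user
    yield from words


def hybrid_candidates(user, words, max_digits=4):
    """Hybrid attack: the user name and each word, plain or capitalised, with a
    number 0 .. 10**max_digits-1 appended (john -> john7, John42, john1234)."""
    for word in [user] + list(words):
        for variant in (word, word.capitalize()):
            for n in range(10 ** max_digits):
                yield f"{variant}{n}"


def brute_force_candidates(alphabet=string.digits, max_len=5):
    """Brute force: every string over the alphabet, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(shadow_lines, words=WORDLIST):
    """Try the methods cheapest-first per account.

    Returns {user: (method, password)} for cracked accounts and {user: None}
    for those that resisted every method within the configured limits.
    """
    results = {}
    for user, salt, digest in parse_shadow(shadow_lines):
        methods = (
            ("dictionary", dictionary_candidates(user, words)),
            ("hybrid", hybrid_candidates(user, words)),
            ("brute force", brute_force_candidates()),
        )
        results[user] = None
        for name, candidates in methods:
            hit = next((c for c in candidates if crypt_stub(c, salt) == digest), None)
            if hit is not None:
                results[user] = (name, hit)
                break
    return results


if __name__ == "__main__":
    for user, outcome in crack(make_shadow()).items():
        print(f"{user:5} {outcome or 'not cracked'}")
```

Because every guess is hashed with the account's own salt, the work cannot be shared across accounts and a precomputed table of hashes is useless; that is the protection a salt gives, and it is why a per-user salt is still required even though it does nothing against a guess aimed at one account.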



How to Protect Against It

  • Enforce a strong password policy

  • Use shadow passwords (hashes live in a root-only file instead of the world-readable /etc/passwd, so Crack has nothing to read)

  • Use one-time passwords

  • Use passwd to enforce strong passwords (reject short, dictionary-based and user-name-based choices when they are set)
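A checker of the kind passwd can apply through a password-quality module (pam_pwquality or pam_cracklib on Linux), run against the passwords from the effectiveness slide. This is an added example, not code from the slides; the thresholds (8 characters, 3 character classes) and the short common-word list are constructed assumptions. Every password the slide reports as cracked fails at least one rule, and the one clearly strong password passes.

```python
"""Password-quality rules of the kind passwd enforces at password-change time.

Added example, not code from the FORESEC slides. Thresholds and the
common-word list are constructed; SLIDE_PASSWORDS mirrors the slide's
demonstration accounts.
"""
import string

COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "abcde", "12345"}
MIN_LENGTH = 8
MIN_CLASSES = 3
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# (user, password) pairs as listed on the effectiveness slide.
SLIDE_PASSWORDS = [
    ("eric", "eric"), ("john", "john1234"), ("mike", "5369421"),
    ("mary", "#57adm7#"), ("sue", "sue"), ("lucy", "12345"), ("pat", ""),
    ("tim", "password"), ("cathy", "55555"), ("frank", "abcde"),
    ("tom", "mnopqr"), ("karen", "bbbbbbbb"),
]


def _is_run(pw):
    """abcde, 12345, mnopqr: each character is one code point above the last."""
    return len(pw) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def policy_violations(user, password):
    """Return the rules the password breaks; an empty list means it is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if user and user.lower() in password.lower():
        violations.append("contains the user name")
    if password.lower() in COMMON_WORDS:
        violations.append("common word")
    classes = sum(any(c in cls for c in password) for cls in CLASSES)
    if classes < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if password and len(set(password)) * 2 <= len(password):
        violations.append("too few distinct characters")
    if _is_run(password):
        violations.append("a run of consecutive characters")
    return violations


def acceptable(user, password):
    return not policy_violations(user, password)


if __name__ == "__main__":
    for user, pw in SLIDE_PASSWORDS:
        print(f"{user:6} {pw!r:12} {policy_violations(user, pw) or 'OK'}")
```

The check belongs at password-set time, where the plaintext is available, rather than after the fact with a cracker; running Crack against your own password file is still useful as an audit, but a policy that is only enforced by periodic cracking leaves the weak passwords in place until the next run.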


  • Login