ACCESS CONTROL - Presentation Transcript

Access control


  • The most fundamental element of information security is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset.

CISSP Expectations

  • Access control is the process of allowing only authorized users, programs or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.

Key Access Control Concepts

  • Joining C-I-A

    • Confidentiality, integrity, availability

  • Determining a Default Stance

  • Defense in Depth

  • Access Control: A General Process

Access control encompasses all operation levels of an organization:

  • Facilities:

  • Support Systems: power, heating, ventilation and air conditioning (HVAC)

  • Information Systems:

  • Personnel: All users should be subject to some form of access control to ensure the wrong people don’t interfere with the right people.

AC enables management to:

  • Specify:

    • Which users can access a system

    • What resources those users can access

    • What operations those users can perform

  • Enforce accountability

AC addresses the CIA triad

  • Confidentiality: Managing access is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy it.

  • Integrity: Preventing unauthorized access promotes greater confidence in data and system integrity.

  • Availability: Restricting access reduces the likelihood of damage and loss of use.

Default Stance

  • Allow-by-default

  • Deny-by-default
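An added example (not from the presentation) showing where the two stances actually differ: a first-match access-control list evaluated twice over the same rules, once allow-by-default and once deny-by-default. Requests that an explicit rule decides come out the same either way; requests nobody wrote a rule for are silently permitted under allow-by-default. The rule set, subjects and resources are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str    # user or group; "*" matches any subject
    resource: str   # resource name; "*" matches any resource
    operation: str  # e.g. "read", "write"; "*" matches any operation
    decision: str   # "allow" or "deny"


def _matches(pattern, value):
    return pattern == "*" or pattern == value


def evaluate(rules, subject, resource, operation, default="deny"):
    """First-match evaluation: the first rule matching the request decides.
    When no rule matches, the default stance decides, which is exactly where
    allow-by-default and deny-by-default diverge."""
    for rule in rules:
        if (_matches(rule.subject, subject)
                and _matches(rule.resource, resource)
                and _matches(rule.operation, operation)):
            return rule.decision
    return default


# Constructed rule set: finance may read and write the ledger; nobody else may write it.
# There is no rule about non-finance subjects *reading* the ledger, and no rule at all
# about the "payroll" resource, so those requests fall through to the default stance.
RULES = [
    Rule("finance", "ledger", "read", "allow"),
    Rule("finance", "ledger", "write", "allow"),
    Rule("*", "ledger", "write", "deny"),
]


def compare_stances(subject, resource, operation, rules=RULES):
    """Evaluate one request under both stances so the difference is visible."""
    return {
        "allow-by-default": evaluate(rules, subject, resource, operation, default="allow"),
        "deny-by-default": evaluate(rules, subject, resource, operation, default="deny"),
    }


def uncovered_requests(requests, rules=RULES):
    """Requests that no explicit rule decides. Under allow-by-default every one of
    these is permitted without anyone having decided so; deny-by-default refuses them
    until someone writes a rule, which is the point of choosing that stance."""
    return [r for r in requests
            if evaluate(rules, *r, default="allow") != evaluate(rules, *r, default="deny")]


if __name__ == "__main__":
    for req in [("finance", "ledger", "read"), ("intern", "ledger", "read"), ("intern", "payroll", "write")]:
        print(req, compare_stances(*req))
```

Reviewing `uncovered_requests` against the requests an application actually makes is a quick way to audit how much of a rule set is really being decided by the default rather than by policy.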

Defense in Depth

  • The practice of applying multiple layers of security protection between an information resource and the potential attacker. P. 7

AC: A General Process

  • There are many different approaches; however, one very general approach is applicable to almost every situation.

  • 3-step process:

    • Defining resources

    • Determining users

    • Specifying the user’s use of the resource

Defining resources

  • What are we trying to protect?

  • How may each resource be accessed?

  • Bind a user, group or entity to a resource

  • Every resource is an asset that must be afforded protection. Don’t forget printers, faxes, etc.

Determining users

  • Need a clear understanding of the needs of the user and the level of trust given to the person or entity

  • An identification process must exist that takes into consideration the validity of the access need in the light of business needs, organizational policy, legal requirements, information sensitivity and security risk.

Specifying Use:

  • The AC process must specify the level of use for a given resource and the permitted user actions on that resource. Example P. 11

Access Control Principles

  • Access Control Policy

  • Separation of duties

  • Least Privilege

  • Need to Know

  • Compartmentalization

  • Security Domain

AC Policy

  • Specifies the guidelines for how users are identified and authenticated and the level of access granted to resources.

  • The absence of a policy will result in inconsistencies in provisioning, management, and administration of AC.

  • Provides the framework for definition of necessary procedures, guidelines, standards, and best practices.

Separation of Duties

  • Objective: Prevent fraud and errors

  • Achieved by distributing the tasks & privileges for a specific process.

  • The person who requests the expenditure should not be allowed to approve the expenditure.

  • Another example P.12
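An added example, not from the presentation, that enforces the expenditure rule above in code: a request-approve-pay process where each step is a milestone, each actor must hold the matching role, and no single person may hold two of the separated duties on the same expenditure. The role table and the people in it are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold two duties the process keeps apart."""


@dataclass
class Expenditure:
    amount: float
    requester: str
    approver: Optional[str] = None
    paid_by: Optional[str] = None


# Constructed role assignments; a person may hold more than one role, which is
# exactly why the per-expenditure checks below are needed on top of the roles.
ROLES = {
    "alice": {"requester", "approver"},
    "bob": {"approver"},
    "carol": {"payer"},
}


def _require_role(user, role):
    if role not in ROLES.get(user, set()):
        raise PermissionError(f"{user} lacks role {role}")


def request(amount, requester):
    _require_role(requester, "requester")
    return Expenditure(amount, requester)


def approve(exp, approver):
    """Approval milestone: the approver must hold the role and must not be the requester."""
    _require_role(approver, "approver")
    if approver == exp.requester:
        raise SeparationOfDutiesError("requester cannot approve own expenditure")
    exp.approver = approver
    return exp


def pay(exp, payer):
    """Payment milestone: only after approval, and by a third person."""
    _require_role(payer, "payer")
    if exp.approver is None:
        raise SeparationOfDutiesError("cannot pay an unapproved expenditure")
    if payer in (exp.requester, exp.approver):
        raise SeparationOfDutiesError("payer must differ from requester and approver")
    exp.paid_by = payer
    return exp


def run_process(amount, requester, approver, payer):
    """Run request -> approve -> pay; return 'paid' or the control that stopped it."""
    try:
        pay(approve(request(amount, requester), approver), payer)
    except (SeparationOfDutiesError, PermissionError) as err:
        return str(err)
    return "paid"
```

The two exception types are deliberately distinct: a `PermissionError` is a role problem (wrong person for the job), while a `SeparationOfDutiesError` is the right person holding too many jobs on one transaction, which is the fraud case the control exists for.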

Determining Applicability of Separation of Duties (1)

  • 1st Action: Defining individual elements of a process

    • Determine element sensitivity

    • Determine which elements of the process lend themselves to distribution. P.12

Determining Applicability of Separation of Duties (Continued)

  • 2nd Action: Understand what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what skills are available.

  • Determine:

    • Element identification, importance, and criticality

    • Operational considerations

    • User Skills & availability

Determining Applicability of Separation of Duties (Continued)

  • Element identification, importance, and criticality

    • Elements within a function are known as milestone elements

    • If the elements within a function don’t offer a clear point of segmentation, it may be necessary to incorporate a new milestone element as a validation & approval point within the function

Determining Applicability of Separation of Duties (Continued)

  • Operational considerations

    • Balancing the impact of the function and its role in the business. Ensure that the separation of duties doesn’t hinder the process and make it prone to circumvention.

    • Weigh the cost of implementation against the overall risk the process represents and whether the benefits of separation outweigh the time & effort costs.

Determining Applicability of Separation of Duties (Continued)

  • User Skills & availability

    • Are there enough skilled personnel to perform the separation of duty elements?

Least Privilege

  • Requires that a user or process be given no more access privilege than necessary to perform a job, task, or function.

Need to Know

  • A companion to “least privilege”.

  • Requires a person requesting information to establish the need to know such information in terms of the pertinent mission.

  • If information is given to people on a need-to-know basis, they are given only the details that they need at the time when they need them.

Security Domain

  • An area where common processes and security controls are grouped together

  • Example: All systems and users managing financial information might be separated into their own security domain

  • Based on trust between resources in systems that share a single security policy and single management structure. P.16

Information Classification

  • Fundamental Information Classification questions

  • Benefits

  • Establishing an Information Classification Program

  • Labeling & Marking

  • Information Classification Assurance

Purpose of Information Classification

  • Group an organization’s information assets by levels of sensitivity and criticality. Once this is accomplished, the appropriate level of protection controls is assigned to each asset in accordance with its classification.

Fundamental Information Classification Questions

  • Where is the organization’s information?

  • How should the information be handled and protected?

  • Who should have access to it?

  • Who owns the information?

  • Who makes the decisions around these parameters?

Benefits of Information Classification

  • Establishes information ownership. This increases the likelihood that it will be used in the proper context and access will be properly authorized.

  • Increases C-I-A by focusing the limited security funds on the resources requiring the highest level of protection and providing lesser controls for the information with less risk of loss.

Benefits of Information Classification (Continued)

  • Increases knowledge and security awareness.

  • Allows for a greater understanding of the value of the information to be protected and provides clearer direction for the handling of sensitive information.

  • Operational benefits: critical information can be identified to support continuity of operations (COOP).

Establishing an Information Classification Program

  • Page 18

Labeling & Marking

  • Provides the ability to manage the information within the media with the appropriate controls.

Information Classification Assurance

  • Periodic testing

  • Random desk checks

Access Control Requirements

  • Reliability

  • Transparency

  • Integrity

  • Maintainability

  • Authentication

  • Auditability

Access Control Categories

  • Directive

  • Deterrent

  • Preventive

  • Compensating

  • Detective

  • Corrective

  • Recovery

Access Control Categories (Continued)

  • Directive

    • Controls designed to specify acceptable rules of behavior within an organization, sometimes called administrative controls.

    • Policies, procedures, standards, guidelines

Deterrent Controls

  • Designed to prevent specific actions by influencing choices of would-be intruders

  • Does not prevent or even record events

    • Signs

    • Guards, guard dogs

    • Razor wire

Preventive Controls

  • Block or control specific events

    • Firewalls

    • Anti-virus software

    • Encryption

    • Key card systems

    • Fencing

    • Bollards

    • Crash guards

Compensating Controls

  • A control that is introduced to compensate for the absence or failure of another control

  • “Compensating” refers to why it is implemented

    • Can be detective, preventive, deterrent, administrative

  • Examples

    • Daily monitoring of anti-virus console

    • Monthly review of administrative logins

Detective Controls

  • Monitor and record specific types of events

  • Does not stop or directly influence events

    • Video surveillance

    • Audit logs

    • Event logs

    • Intrusion detection system

Corrective Controls

  • Post-event controls to prevent recurrence

  • “Corrective” refers to when it is implemented

    • Can be preventive, detective, deterrent, administrative

  • Examples

    • Spam filter

    • Anti-virus on e-mail server

    • WPA Wi-Fi encryption

Recovery Controls

  • Post-incident controls to recover systems

  • “Recovery” refers to when it is implemented

    • Can be detective, preventive, deterrent, administrative

  • Examples

    • System restoration

    • Database restoration

Access Control Types

  • Access control categories classify different access control methods based upon where they fall within the Access Control Time Continuum. F. 1.7 P. 35

Types of Controls

  • Administrative

    • Policy, procedures, standards

  • Technical

    • Authentication, encryption, firewalls, anti-virus

  • Physical

    • Key card entry, fencing, video surveillance

Administrative Controls

  • Represent all actions, policies, processes, and management of the control system

    • Operational policies & procedures P.36

    • Personnel security, evaluation, & clearances P.40

    • Monitoring P.42

    • User Access Management P.43

    • Privilege Management (rights within your access) P.44

Technical (Logical) Controls

  • Electronic, digital, & automated controls which enforce the organization’s policies.

    • Network access

    • Remote access

    • Application access

    • Malware control

    • Encryption

Physical Controls

  • Controls that protect the physical environment and people.

    • Locks

    • Guards

    • Fences

    • Cameras

    • Fire management, gates

System Access Control Strategies

  • Identification, authentication, authorization

  • Access control services

  • Identity Management

  • Access control technologies

System AC Strategies (Continued)

  • Identification: The act of designating a known quantity.

  • Authentication: The process of verifying the identity of a user.

  • Authorization: Defining the specific resources an authenticated user is permitted to access.



  • User name

  • User ID

  • Personal Identification Number (PIN)

  • Identification badges

Problems with ID Badges

  • Credential badges

    • Security doesn’t always check

  • Access badges

    • Not physically with a specific person, people can share

User ID

  • User ID

  • PIN

  • MAC address

  • IP address

  • RFID (small tag, like a UPC code)

    • Privacy concerns

  • Email address

User ID Guidelines

  • 3 components:

    • Uniqueness

    • Non-descriptiveness

    • Secure issuance

      • An organization must establish a secure process for issuing IDs, including the proper documentation and approval for ID requests.

Authentication Methods

  • 3 fundamental types, known as factors:

    • Factor 1: something a person knows

    • Factor 2: something a person has

    • Factor 3: something a person is

  • New possible 4th factor is:

    • Somewhere you are



  • Standard words

  • Combination passwords

  • Complex passwords

  • Passphrase

  • Confidentiality of passwords (encryption)

Hashing (one-way function)

  • A hash function takes an arbitrary amount of data as input and through the use of a mathematical algorithm will produce a unique, fixed-length representation of the data as output.

  • Cracking programs can hash different passwords until a match is found.
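An added example, not part of the presentation, of how stored passwords are protected with a one-way function in practice: a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library). The per-user random salt means two users with the same password get different stored values, so a single precomputed table cannot be reused, and the iteration count makes every guess a cracking program tries cost the same work. The record format and the passwords used are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor: each guess a cracking program makes must pay this cost


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means equal passwords never share a stored hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count; compare in constant time
    so timing does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def fixed_length_output(*inputs):
    """The fixed-length property the slide describes: SHA-256 output is always 32 bytes,
    whether the input is empty or very long."""
    return {len(hashlib.sha256(data).digest()) for data in inputs} == {32}


def same_password_distinct_records(password):
    """Two users choosing the same password: different salts, different records, both verify."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```

Storing the iteration count inside the record is what lets an organization raise the work factor later: old records keep verifying with their own count, and can be re-hashed with the new one the next time the user logs in.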

Graphical passwords

  • Used to fight keyboard loggers

  • Using a graphical keyboard, the user clicks the appropriate keys on the keyboard image to simulate entry of the password.

Authentication by Possession Methods

  • Asynchronous P. 63

  • Synchronous P. 64

Static Authentication Devices

  • Physical devices

  • 2 forms: memory cards & smart cards

    • The primary difference is processing power: smart cards have it, memory cards don’t.

Memory Cards

  • No processing power, just hold information

  • User enters PIN & swipes card, card reader authenticates and user can enter.

  • Weakness: data not protected, no encryption.

Smart Cards

  • Semiconductor chip that accepts, stores & sends information.

  • Can hold more data. Small apps can be stored in memory.

  • The International Organization for Standardization (ISO) uses the term integrated circuit card (ICC).

  • Can be used with PKI

Smart Cards (Continued)

  • Common uses

    • Secure log-on

    • Secure email/digital signatures

    • Secure Web access/remote access

    • VPNs

    • H/D encryption

Smart Cards (Continued)

  • Advantages:

    • Log-in process is done by the reader, therefore the identifier & password are not exposed to attackers while in transit to the host

    • Short trusted path

      • Trusted path is a communications channel through which all information passing through is considered secure. The shorter the path the better.

Smart Cards (Continued)

  • Different types of smart card memory. Page 67

  • 2 types of smart cards, contact & contactless

Authenticate by Biometrics

  • 2 types: physiological

    • Fingerprint, hand geometry, face, eyes (retina & iris)

  • Behavioral

    • Voice patterns, Keystroke dynamics, Signature dynamics

Biometric Accuracy

  • Temperature, humidity, pressure, medical & mental condition of the individual can cause significant physiological changes to the body that the measurement process must try and cope with.

3 categories of biometric accuracy measurement:

  • False reject rate (a Type 1 Error): When an authorized user is falsely rejected as unidentified or unverified.

  • False accept rate (a Type 2 Error): When an unauthorized user or imposter is falsely accepted as authentic.

  • Crossover Error Rate (CER): The point at which the false rejection rates and the false acceptance rate are equal. The smaller the value of CER, the more accurate the system. P. 74

Determining the Correct Biometric Measurement

  • The lower the sensitivity, the more prone to type 2 errors.

  • The higher the sensitivity, the more prone to type 1 errors.

  • The lower the intersection point, the more accurate the system overall.

  • The correct measure rate is dependent upon what is appropriate to the application & the desired acceptable risk for the organization.
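An added example, not from the presentation, that works the three accuracy measures from the two slides above on constructed data. A biometric matcher is modelled as producing a similarity score; the sensitivity setting is the threshold a score must reach to be accepted. Sweeping the threshold gives the false reject rate (Type 1) and false accept rate (Type 2) at every setting, the crossover error rate where the two are equal, and an application-driven choice that caps the FAR at the organization's acceptable risk. The score lists are constructed, not measurements from any real system.

```python
# Constructed matcher scores on a 0-100 scale: higher means a closer match to the
# enrolled template. GENUINE are attempts by authorized users, IMPOSTOR by others.
GENUINE = [62, 70, 75, 78, 80, 83, 85, 88, 90, 94]
IMPOSTOR = [20, 30, 38, 45, 52, 58, 63, 66, 72, 77]


def false_reject_rate(threshold, genuine=GENUINE):
    """Type 1 error: an authorized user scoring below the threshold is rejected.
    Raising the threshold (higher sensitivity) raises this rate."""
    return sum(score < threshold for score in genuine) / len(genuine)


def false_accept_rate(threshold, impostor=IMPOSTOR):
    """Type 2 error: an impostor scoring at or above the threshold is accepted.
    Lowering the threshold (lower sensitivity) raises this rate."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def error_curve(thresholds=range(0, 101)):
    """(threshold, FRR, FAR) for each candidate sensitivity setting."""
    return [(t, false_reject_rate(t), false_accept_rate(t)) for t in thresholds]


def crossover_error_rate(thresholds=range(0, 101)):
    """Threshold at which FRR and FAR are closest to equal, and the CER at that point.
    Ties resolve to the lowest such threshold. A smaller CER means a more accurate system."""
    t, frr, far = min(error_curve(thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def choose_threshold(max_false_accept, thresholds=range(0, 101)):
    """Application-driven choice: the lowest threshold whose FAR stays within the
    organization's acceptable risk; the FRR returned with it is the usability price."""
    for t, frr, far in error_curve(thresholds):
        if far <= max_false_accept:
            return t, frr, far
    raise ValueError("no threshold meets the FAR target")
```

For a door into a server room one would call `choose_threshold` with a very small FAR budget and accept the resulting FRR; for a time-clock, the opposite trade is usually the right one. The CER is useful for comparing two products, not for picking the operating point.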

Biometric Considerations

  • Resistance to counterfeiting P.75

  • Data storage requirements P.76

  • User acceptance P.76

  • Reliability, accuracy & speed P.76 -77

  • Target user & approach P.78



  • The ability of the organization to hold people accountable. Access control (A/C) and its associated audit trails can provide evidence to prove or disprove a user’s involvement in a given event.

  • A comprehensive A/C program will include monitoring & secure logging of the identification, authentication, and authorization processes.

Logging Best Practices

  • Control the flow of data

  • Do not allow rollover of data

  • Evaluate & implement auditing

  • Establish log review process

  • Train personnel

  • Protect the audit logs

5 Fundamental Audit Event Types

  • Network events

  • System events

  • Application events

  • User activities

  • Keystroke activities

  • P 81-82

Vulnerability Assessment

  • The use of various tools & analysis methodologies to determine where a particular system or process may be susceptible to attack.

Vulnerability Assessment Process

  • Obtain a good understanding of the system

    • Assists in determining the overall risk of any discovered vulnerabilities

  • Discuss threats & vulnerabilities with the business owner & other stakeholders

    • They are the closest to both the system & business landscape. Also builds a partnership.

Vulnerability Assessment Process (Continued)

  • Examine existing controls

  • Compare existing controls against known threats

  • Run tools to find other vulnerabilities

  • Examine results for accuracy

  • Combine results with information from business owners

  • Discuss findings with the business owners (B/O) to determine the appropriate course of remediation.

  • Remediations should be based upon the criticality of each reported vulnerability

Penetration Testing

  • Use of exploitive techniques to determine the level of risk associated with a vulnerability or collection of vulnerabilities in an application or system.

Penetration Test Strategies

  • Establish the rules of engagement

    • External testing

      • Can you penetrate

    • Internal testing

      • What damage can be done

Pen Testing (Rules of Engagement, Continued)

  • Blind testing

    • Limited information is provided (publicly available information). Time-consuming & expensive

  • Double-blind testing

    • No information is provided. Tests not only the strength of controls but also security monitoring & incident identification & response.

  • Target testing (lights on)

    • The IT & tester team is provided all information. May be more cost-effective and less time-consuming.

Pen Testing (Rules of Engagement, Continued)

  • 3 basic categories of pen testing

    • Zero knowledge

    • Partial knowledge

      • High level public information is provided

    • Full knowledge

      • Every possible piece of information is provided. Focus is on what can be done. Appropriate for internal testing.

Pen Testing (Rules of Engagement, Continued)

  • Determine the area to be tested

  • Application testing

    • Test information flow, encryption, input handling, whether a user can harm the system or data, and a wide range of common attacks to gauge the level of resistance.

  • DoS testing

  • War dialing

  • Wireless Network testing

  • Social Engineering

  • PBX & IP Telephone Testing

  • VOIP testing

Pen Testing Methodology

  • Recon

    • Identify & document information about the target

  • Enumeration

    • Gain more information with intrusive methods (network or vulnerability discovery, ping, port scan)

  • Vulnerability analysis

    • Map the environment profile to known vulnerabilities, analyze data.

  • Execution

    • Attempt to gain user & privileged access

  • Document findings

    • Document the results of the test

Pen Testing Methodology (Continued)

  • Attack process

    • Multiple threads and groups of test scenarios

    • A thread is a collection of tasks to achieve attack goal

    • Each test is evaluated at multiple points to ensure expected outcome is met

    • Each divergence is appraised to make 2 fundamental determinations

      • Is the objective being met

      • Is the system reacting in an unexpected manner which is having an impact on the test

Pen Testing Methodology (Continued)

  • Document findings

  • Vulnerabilities discovered in the target systems

  • Gaps in security measures

  • Intrusion detection and response capabilities

  • Observation of log activity & analysis

  • Suggested countermeasures

Identity Management

  • Set of technologies which addresses all aspects of controlling access, with a focus on centralized management.

  • Must efficiently manage multiple independent access control systems often per application, list is on P. 93

  • Assist organization with meeting expanding laws & regulations

  • Allows organization to segment various user populations and assign appropriate type and level of access to each group

  • Allows for tight control over access while also allowing for granularity and flexibility in managing such access.

Identity Management

  • One primary task is the need to provision, maintain, and manage user IDs.

  • Must account for the granting and revocation of access rights as the user goes through the natural life cycle

  • System must be efficient, the goal is to consolidate access rights into an easily managed record of identity and access for each user.

  • System must be timely

Challenges to ID Management

  • Backlogs of requests for access

  • Cumbersome policies

  • Incomplete Request forms

  • Number (systems) of resources growing

  • Audit trails improperly (or not) maintained

  • Departed employees still in system

  • Senior management often bypass the process

Identity Management System Requirements

  • Consistency

  • Usability

  • Reliability

  • Scalability

  • P. 95

Centralized Identity Management

  • One entity (person, a department or management system) manages the service for the entire organization. That entity sets all policies, standards, and operational parameters.

  • Promotes consistency; changes can be distributed quickly and uniformly to all points limiting the risk of exposure when a user is removed from 1 part of the system but removal from another is delayed.

  • Examples: RADIUS, TACACS+ P. 97

  • Drawback: difficult or impossible for a large organization to operate a centralized system on the scale required.

Decentralized Identity Management

  • ID management, authentication & authorization decisions are spread throughout the environment to local organizations.

  • Benefit: allows access decisions to be made by the people closest to the assets, who can better address local policies and requirements

  • Drawback: harder to enforce enterprise-wide policies and standards. Unless a clear policy and process defines who has ultimate responsibility, a decentralized system can quickly lead to inconsistency across the organization.

  • May be more expensive because of multiple systems and technologies

  • There may also be overlapping or conflicting rights between entities which could expose gaps in security

Access Control Technologies

  • Password management

  • Account management

  • Profile management

  • Directory management

  • Single Sign-on

Password Management

  • Designed to manage password complexity and requirements consistently across the enterprise. Achieved by a central tool synchronizing passwords across multiple systems.

  • Also assists users with resetting passwords

Account Management

  • Designed to streamline the administration of user identity across multiple systems. Includes the creation, modification and decommissioning of user accounts.

  • Normally includes one or more of these technologies, P. 101

  • Obstacles to full scale deployment are: time, cost & interface issues

Profile Management

  • Profiles are a collection of information associated with a particular identity or group.

  • In addition to the user ID and password, a profile may include personal information.

  • May contain information about privileges and rights

Directory Management

  • A comprehensive database designed to centralize the management of data about an assortment of company entities, such as a hierarchy of objects storing information about users, groups, systems, servers, printers, etc.

  • Stored on 1 or more servers to ensure scalability and availability.

  • Benefit: provides a centralized collection of user data that can be used by many applications to avoid duplication.

  • Benefit: Using directories it is possible to configure several applications to share data.

  • Drawback: Integration with legacy systems

3 Main Directory Technologies

  • X.500

  • LDAP

  • X.400

X.500

  • Set of communication protocols by the International Telecommunication Union (ITU-T), also known as ISO/IEC 9594

  • Designed to facilitate a standard method of developing electronic directories for use over telecommunication networks.

  • Designed to work with the OSI model, but will also work with TCP/IP

  • Organized in a hierarchical database

  • Key field is called the distinguished name (DN). DN provides the full path where a particular entry is found.

  • Supports the concept of a relative distinguished name (RDN). RDN provides the name of a specific entry with the full path component attached.

X.500 consists of:

  • The directory access protocol (DAP). This is the primary protocol for accessing information in an X.500 directory.

  • The directory system protocol (DSP)

  • The directory information shadowing protocol (DISP)

  • The directory operational bindings management protocol (DOP)

Lightweight Directory Access Protocol (LDAP)

  • Suite of protocols for managing directory information.

  • Simpler than X.500

  • Organized in a hierarchical database

  • Supports DN & RDN concepts.

  • DN attributes are based on an entity's DNS name

  • Each entry has name/value pairs to denote the various attributes associated with that entry.

  • Common attributes are:

    • DN: distinguished name

    • CN: common name

    • DC: domain name

    • OU: organizational unit

Lightweight Directory Access Protocol (LDAP) (Continued)

  • Operates in a client/server environment

  • Typically runs over an unsecured network using TCP port 389

  • Version 3 supports TLS to encrypt communications, or SSL via TCP port 636, if security is required.
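An added example, not from the presentation, of the DN and RDN concepts in the two LDAP slides above: a small parser that splits a distinguished name into its relative components (leaf first, as LDAP writes them), handles the backslash-escaped comma from RFC 4514, separates the entry's own RDN from the path to its container, and rebuilds the DNS-style domain from the `dc` (domain component) values. The directory entries and names used are constructed for illustration.

```python
def split_dn(dn):
    """Split a DN into its RDN strings, leaf first, honouring backslash-escaped commas
    (RFC 4514 escaping, e.g. 'cn=Jones\\, Susan' is one RDN, not two)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn):
    """'ou=Finance' -> ('ou', 'Finance'); attribute types are case-insensitive, so normalise."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip().replace("\\,", ",")


def describe(dn):
    """Pull apart one DN into the pieces the slides name."""
    rdns = split_dn(dn)
    attrs = [parse_rdn(r) for r in rdns]
    return {
        "rdn": rdns[0],                                        # the entry's own name
        "parent_dn": ",".join(rdns[1:]),                       # the container it sits in
        "domain": ".".join(v for a, v in attrs if a == "dc"),  # dc components -> DNS name
        "path": [v for _, v in reversed(attrs)],               # root-to-leaf walk of the tree
    }
```

Splitting on the escaped comma correctly matters in security code: an access rule keyed on `parent_dn` would be bypassed by a naive `dn.split(",")` if a user could get a comma into their own common name.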

Active Directory

  • A Microsoft implementation of LDAP

  • Provides central authentication & authorization

  • Enforces organization security in a uniform and highly auditable manner

  • AD uses LDAP for its naming structure

  • Uses a hierarchical framework

  • Directories are organized into forests and trees

    • A forest is a collection of all objects & their associated attributes; trees are logical groups of 1 or more AD security domains within a forest

  • Domains are identified by their DNS name

  • Objects in an AD database are grouped by Organizational Units (OUs)

X.400

  • Supports message transfer & message storage

  • Addresses consist of a series of name/value pairs separated by a :

  • Typical address specifications include:

    • O (organizational name)

    • OU (organizational unit name)

    • G (given name)

    • I (initial)

    • S (surname)

    • C (country name)

  • Has largely been supplanted by SMTP-based e-mail systems.

Single Sign-on

  • A unified login for 1 or more systems

  • Aka Federated ID management

  • Stores credentials for 1 or more systems

  • Approach to legacy systems:

    • SSO opens the legacy app & sends the appropriate keystrokes, simulating the user

  • Limitations for legacy systems

    • Password changes aren’t synchronized

  • SSO advantages P. 106-107

  • Disadvantages:

    • Cost

    • Single point of failure

    • If a user’s SSO password is cracked, the attacker has it all

    • Inclusion of unique systems

Script-based SSO

  • In-house solution for highly customized shop

  • Log-in Scripts for every app & user are developed

  • Scripts manage all logon & authentication interaction on behalf of the user.

  • Disadvantage: cost of development and maintenance



Kerberos

  • Designed to provide strong authentication for client/server applications by using secret key cryptography.

  • Provides authentication, authorization and auditing.

  • Primary goal is to provide private communications between systems on a network.

  • In managing the encryption keys, it acts to authenticate each of the principals in the communication based upon possession of the secret key, which allows access to the session key.

Kerberos: 4 Basic Requirements

  • Security

    • Against attacks by passive eavesdroppers and actively malicious users

  • Reliability

    • Resources must be available when needed

  • Transparency

    • Users shouldn’t notice authentication taking place

  • Scalability

    • Large number of users and servers

Kerberos Process

Think “Kerberos Server” and don’t let yourself get mired in terminology.

XYZ Service: represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc…)

  • Susan to the Authentication Service: “I’d like to be allowed to get tickets from the Ticket Granting Server, please.”

  • Authentication Service to Susan: “Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”

  • Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a shiny “Ticket-Granting Ticket”.

  • The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication.

  • The TGT contains no password information.

  • Susan to the Ticket Granting Service: “Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!” (request: use XYZ)

  • Ticket Granting Service to Susan: “You’re Susan. Here, take this.” (a service ticket that tells XYZ: “Hey XYZ: Susan is Susan.”)

  • Susan to XYZ Service: “I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ.” (“Hey XYZ: Susan is Susan.”)

  • XYZ Service: “That’s Susan alright. Let me determine if she is authorized to use me.”

Authorization checks are performed by the XYZ service…

Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.

One remaining note:

Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable.

Until a ticket’s expiration, it may be used repeatedly.

  • Susan to XYZ Service, later: “ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ.” (“Hey XYZ: Susan is Susan.”)

  • XYZ Service: “That’s Susan… again. Let me determine if she is authorized to use me.”
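The exchange walked through on the preceding slides, as an added, constructed Python model that is not part of the deck: an Authentication Service locks a box with the user's password-derived key, the TGT inside is sealed under a KDC key the user never sees and carries no password, the Ticket Granting Service issues a service ticket only to a holder of the TGT's session key, and the XYZ service checks expiry and then makes its own authorization decision. The realm EXAMPLE.ORG, the users, the passwords and the lifetime are assumptions; the seal()/unseal() box is an HMAC-keystream-plus-MAC teaching prop standing in for Kerberos encryption types, not a cipher to reuse.

```python
# Toy model of the Kerberos exchange from the slides (constructed example, stdlib only).
import hashlib
import hmac
import json
import os

def derive_key(password: str, realm: str) -> bytes:
    # Kerberos derives the user's long-term key from the password; PBKDF2 stands in here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, payload: dict) -> str:
    """Lock a dict in a 'box' only the holder of `key` can open (HMAC keystream + MAC, a teaching prop)."""
    pt, nonce = json.dumps(payload, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def unseal(key: bytes, box: str) -> dict:
    raw = bytes.fromhex(box)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: the box stays locked")  # a wrong password lands here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) on one 'Kerberos Server'."""
    def __init__(self, realm: str, lifetime: int = 3600):
        self.realm, self.lifetime = realm, lifetime
        self.kdc_key = os.urandom(32)  # seals TGTs; never leaves the KDC
        self.users, self.services = {}, {}

    def register_user(self, name: str, password: str) -> None:
        self.users[name] = derive_key(password, self.realm)

    def register_service(self, name: str) -> bytes:
        self.services[name] = os.urandom(32)  # long-term key shared between KDC and service
        return self.services[name]

    def as_exchange(self, user: str, now: int) -> str:
        """AS-REP: a box locked with the user's key holding a session key and the TGT."""
        session = os.urandom(32).hex()
        tgt = seal(self.kdc_key, {"user": user, "session": session, "expires": now + self.lifetime})
        return seal(self.users[user], {"session": session, "tgt": tgt})  # the TGT holds no password

    def tgs_exchange(self, tgt_box: str, authenticator: str, service: str, now: int) -> str:
        """TGS-REP: open the TGT, check expiry and proof of possession, issue a service ticket."""
        tgt = unseal(self.kdc_key, tgt_box)
        if now > tgt["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(tgt["session"])
        if unseal(session, authenticator)["user"] != tgt["user"]:
            raise PermissionError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.services[service], {"user": tgt["user"], "session": svc_session, "expires": now + self.lifetime})
        return seal(session, {"session": svc_session, "ticket": ticket})

class Client:
    def __init__(self, user: str, password: str, kdc: KDC):
        self.user, self.kdc, self.key = user, kdc, derive_key(password, kdc.realm)

    def login(self, now: int) -> None:
        opened = unseal(self.key, self.kdc.as_exchange(self.user, now))  # ValueError if the password is wrong
        self.tgt, self.tgt_session = opened["tgt"], bytes.fromhex(opened["session"])

    def service_ticket(self, service: str, now: int):
        """Present the TGT to the TGS; returns (service ticket, service session key)."""
        authenticator = seal(self.tgt_session, {"user": self.user, "ts": now})
        rep = unseal(self.tgt_session, self.kdc.tgs_exchange(self.tgt, authenticator, service, now))
        return rep["ticket"], bytes.fromhex(rep["session"])

def service_access(key: bytes, authorized: set, ticket: str, authenticator: str, now: int):
    """The 'XYZ Service': authenticate from the ticket, then decide authorization separately."""
    t = unseal(key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    if unseal(bytes.fromhex(t["session"]), authenticator)["user"] != t["user"]:
        raise PermissionError("authenticator does not match ticket")
    return t["user"], t["user"] in authorized  # (who she is, whether she may use me)

def demo(now: int = 1_700_000_000) -> dict:
    """Susan and Bob both authenticate; only Susan is authorized for XYZ; tickets are reused."""
    kdc = KDC("EXAMPLE.ORG")
    kdc.register_user("susan", "susan-pw")
    kdc.register_user("bob", "bob-pw")
    xyz_key, xyz_users = kdc.register_service("xyz"), {"susan"}
    results = {}
    for name, pw in (("susan", "susan-pw"), ("bob", "bob-pw")):
        c = Client(name, pw, kdc)
        c.login(now)
        ticket, skey = c.service_ticket("xyz", now)
        results[name] = service_access(xyz_key, xyz_users, ticket, seal(skey, {"user": name, "ts": now}), now)
        results[name + "_again"] = service_access(  # the same ticket, reused a minute later
            xyz_key, xyz_users, ticket, seal(skey, {"user": name, "ts": now + 60}), now + 60)
    return results
```

Calling demo() returns ("susan", True) for Susan and ("bob", False) for Bob on both the first and the repeated use: both users authenticate, but authorization is the service's own list. A client built with the wrong password cannot open the AS reply at all, and a ticket presented after its expiry is refused before any authorization check runs.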

Disadvantages of Kerberos

  • The entire system depends on the KDC so it must be physically secured and hardened.

  • KDC is a single point of failure

  • Length of the keys is important; they can’t be too short or too long

  • Must embed Kerberos system calls in each application.

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

  • An extension of Kerberos that was designed to address 2 Kerberos weaknesses:

    • Kerberos scalability limitations due to the need to manage symmetric keys: the more keys, the more complexity in managing them.

    • As the need for Kerberos to store user privilege information increases, the need for that information to be located on each server the user accesses increases.

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

  • It overcomes these 2 weaknesses by:

    • Offering SSO with distributed access control. This alleviates the need to replicate authentication data between servers.

    • Using symmetric & asymmetric cryptographic technologies, which alleviates the key management issues

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

  • Key attributes

    • SSO with distributed A/C using symmetric & asymmetric cryptographic technologies to protect data interchanges

    • Role based A/C

    • The use of a privilege attribute certification (PAC), similar in functionality to a Kerberos ticket

    • The use of Kerberos V5 protocol to access components

    • The use of public key cryptography for the distribution of secret keys.

Perimeter-Based Web Portal Access

  • SSO for Web applications by using:

    • A directory service (LDAP, X.500, AD)

    • A Web portal

    • A Web Access Management (WAM) system

  • The user logs in to the portal; the WAM authenticates & maintains authentication between Web apps

  • Effective for Web environments, not enterprise-wide

Federated Identity Management

  • SSO for multiple organizations who must share data & applications

    • Each entity subscribes to a common set of policies, standards & procedures for provisioning & management of identification, authentication & authorization information, and also a common process for A/C

    • Each entity establishes a trust relationship with the other participating entities

2 Basic ways for linking member entities in a FIM

  • Cross-Certification:

    • Each entity must individually certify that every other participating entity is worthy of its trust

    • Each entity reviews the others to see if they meet its criteria

    • Drawback: once the number of entities grows, the complexity of managing this becomes too burdensome or expensive

2 Basic ways for linking member entities in a FIM

  • Trusted 3rd party:

    • Each entity subscribes to the policies, standards & practices of a trusted 3rd party entity and the trusted 3rd party manages the verification of all other entities.

    • Once the 3rd party verifies a

    • Drawback: once the number of entities grows, the complexity of managing this becomes too burdensome or expensive

Once In, Unlimited Access

  • Just what it says

Data Access Controls Frameworks or Models

  • Discretionary

  • Mandatory

  • Nondiscretionary

Discretionary Access Control (DAC)

  • A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources.

  • Access control is at the discretion of the owner.

  • VAX, VMS, UNIX, Windows X, Mac

Mandatory Access Controls (MAC)

  • Controls are determined by the system & based on organizational policy. Controls applied based upon user clearance and classification of an object or data.

  • Used for highly sensitive systems and when owners don’t want users to potentially bypass organizational policies.

  • This model is used in environments where information classification and confidentiality is very important (e.g., the military).

  • Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications.

Mandatory Access Controls (MAC)

  • System provides access control & owner provides need-to-know control

  • Not everyone who is cleared should have access, only those cleared & with a need to know.

  • Even if the owner determines a user has a need to know the system must ascertain that the user is cleared.

  • Page 117 examples of access capabilities & Access permissions
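The two-part MAC decision on these slides (the system checks clearance against classification, the owner supplies need-to-know, and both must pass), as an added, constructed Python example that is not from the deck or its textbook. It goes slightly beyond the slides by giving labels compartments as well as levels, so a SECRET-cleared user without the right compartment is refused by the system rule; the level names, the CRYPTO compartment, the document and the four users are all assumptions.

```python
# Mandatory access control decision as described on the slides (constructed example).
from dataclasses import dataclass, field

# Assumed ordering of sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus a set of compartments (e.g. CRYPTO)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at least as high and covers every compartment of `other`."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.compartments <= self.compartments

@dataclass
class Resource:
    name: str
    classification: Label
    need_to_know: set = field(default_factory=set)  # maintained by the owner, not the system

def can_read(user, clearance, resource):
    """System rule first (clearance must dominate the label), then the owner's need-to-know list."""
    if not clearance.dominates(resource.classification):
        return False, "system: clearance does not dominate classification"
    if user not in resource.need_to_know:
        return False, "owner: no need to know"
    return True, "granted"

def demo():
    """Four users against one SECRET/CRYPTO document; only one passes both checks."""
    plan = Resource("ops-plan", Label("SECRET", frozenset({"CRYPTO"})), need_to_know={"alice", "dave"})
    people = {
        "alice": Label("TOP SECRET", frozenset({"CRYPTO"})),  # cleared, and the owner granted need to know
        "bob": Label("TOP SECRET", frozenset({"CRYPTO"})),    # cleared, but no need to know
        "carol": Label("SECRET"),                              # level is enough, lacks the CRYPTO compartment
        "dave": Label("CONFIDENTIAL"),                         # owner granted need to know, but not cleared
    }
    return {user: can_read(user, label, plan) for user, label in people.items()}
```

demo() grants only alice; bob is stopped by the owner's list, and carol and dave are stopped by the system before need-to-know is even consulted, which is the ordering the slide describes.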

Nondiscretionary Access Control

  • Administrator determines who has access and what privileges

Access Control Lists (ACL)

  • List of permissions associated with an object

  • Keyword=Action

    • Router, IP Address=Allow or IP Address=Deny

    • User1=R, X, L, W

    • User2=R, , L

    • Group A=R,X,L

    • Group B=R,L

  • Access Control Matrix is an ACL in the form of a table. Page 119

Rule Based Access Control

  • Uses specific rules that indicate what can and cannot happen between a subject and an object.

  • Not necessarily identity based.

  • Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.

  • Example Page 120

Role Based Access Control (RBAC) Page 121

  • Role Based Access Control (RBAC) is a methodology of limiting tasks to objects based on a specific role

  • Administration boundaries can be synonymous with job duties or functions and can be associated with individual users

  • The goal in role definition is to determine in advance all the access that a user might require to perform a specific task or job

  • Scalability and efficiency gains are two benefits of role-based administration

  • Aligns with an organization’s structure of roles and responsibilities

Content Dependent Access Control

  • Access to an object is determined by the content within the object.

Constrained User Interfaces

  • Restrict user’s access abilities by not allowing them certain types of access, or the ability to request certain functions or information

  • Three major types

    • Menus and Shells

    • Database Views

    • Physically Constrained Interfaces

Capability table:

  • Specifies the access rights a certain subject possesses pertaining to certain objects

  • Bound to a subject and indicates what objects that subject can access.

  • Page 123 Figure 1.27
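The ACL slide's "Keyword=Action" entries, the access control matrix (the same data as a table) and the capability table (one subject's row of that table), as an added, constructed Python example that is not from the deck or its textbook. The four payroll entries are the slide's own; the "payroll" and "reports" object names, the second object's entries and User3 are assumptions. Lookups are default-deny and consult the user's groups as well as the user.

```python
# ACL, access control matrix and capability table from the slides (added, constructed example).
from collections import defaultdict

def parse_acl(text):
    """Parse 'Keyword=Action' lines such as 'User2=R, , L' into {subject: set(rights)}."""
    acl = {}
    for line in text.strip().splitlines():
        subject, _, rights = line.partition("=")
        acl[subject.strip()] = {r.strip() for r in rights.split(",") if r.strip()}
    return acl

def build_matrix(acls):
    """{object: acl} -> access control matrix {subject: {object: rights}} (the table form)."""
    matrix = defaultdict(dict)
    for obj, acl in acls.items():
        for subject, rights in acl.items():
            matrix[subject][obj] = set(rights)
    return dict(matrix)

def capability_table(matrix, subject):
    """One row of the matrix: bound to a subject, lists what it may do to which objects."""
    return matrix.get(subject, {})

def object_acl(matrix, obj):
    """One column of the matrix: the ACL attached to an object."""
    return {s: objs[obj] for s, objs in matrix.items() if obj in objs}

def check(matrix, user, groups, obj, right):
    """Default deny: grant only if the user or one of the user's groups holds the right."""
    return any(right in matrix.get(subject, {}).get(obj, set()) for subject in [user, *groups])

# The slide's example entries for one object, plus a second (constructed) object.
PAYROLL_ACL = """
User1=R, X, L, W
User2=R, , L
Group A=R,X,L
Group B=R,L
"""
REPORTS_ACL = """
User2=R, L, W
Group B=R,L
"""

def demo():
    matrix = build_matrix({"payroll": parse_acl(PAYROLL_ACL), "reports": parse_acl(REPORTS_ACL)})
    return {
        "user2_caps": capability_table(matrix, "User2"),
        "payroll_acl_subjects": sorted(object_acl(matrix, "payroll")),
        "user2_write_payroll": check(matrix, "User2", {"Group B"}, "payroll", "W"),
        "user2_write_reports": check(matrix, "User2", {"Group B"}, "reports", "W"),
        "user3_via_groupA_exec": check(matrix, "User3", {"Group A"}, "payroll", "X"),
        "user3_write_payroll": check(matrix, "User3", {"Group A"}, "payroll", "W"),
    }
```

demo() shows User2's capability table as {payroll: R, L; reports: R, L, W}, so User2 may write reports but not payroll, and User3, who appears in no ACL, can execute payroll only through Group A and cannot write it.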

Temporal (Time-Based) Isolation

  • Activities are OK or not OK based not upon who, but upon when.

  • Examples:

    • If you leave class before the lecture ends, it’s not OK

    • All classified processing occurs in the morning

Intrusion Detection and Prevention Systems

  • IDS

    • Informative tool that provides real-time information when suspicious activities are identified

    • Not used to directly prevent the suspected attack

  • IPS

    • Monitors like an IDS, but will automatically take proactive preventive action if it detects unacceptable activity.

  • Important to tune system to detect true attacks

Network Intrusion Detection System (NIDS)

  • Install tap or mirror ports on a core switch

    • Works in promiscuous mode

    • Must be able to handle amount of traffic

  • Encryption can be a problem

  • Can be integrated into other network devices

Host Based IDS, aka HIDS

  • Analyze the activity within a particular computer system

  • Can be installed on individual workstations and/or servers and watch for inappropriate or anomalous activity.

  • Usually used to make sure users do not delete system files, reconfigure important things, or put the system at risk in any other way.

  • HIDS universe is limited to the computer itself.

  • Multi-host IDSs allow systems to share policy information & attack data & remediation actions.

  • Drawback is that they consume an inordinate amount of host resources

IDS Analysis Engine Methods

  • 2 basic analysis methods

    • Pattern Matching

      • Looks for known attacks

    • Anomaly Detection

      • Looks for system changes

        • Stateful Matching

        • Statistical Anomaly-Based

        • Protocol Anomaly-Based

        • Traffic Anomaly-Based

Pattern Match (Signature Analysis) IDS Method

  • Pattern match (signature analysis)

    • Models of specific attacks and how they are carried out. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.

  • Similar to antivirus software

  • Signatures must be continuously updated

  • Cannot identify new attacks

Anomaly Analysis IDS Methods

  • Based on behavior identification (system changes) or anomalies

  • Possible list of anomalies, P.127

  • Tend to report more data & false positives

Stateful matching IDS Method

  • Uses signatures and tracks system state changes that indicate an attack is underway.

  • State: a snapshot of an operating systems values in volatile, semi permanent, and permanent memory locations.

  • Every change that an operating system experiences is considered a state transition.

  • A state transition is when a variable’s value changes, which usually happens continuously within every system.

  • Example Page 128

Statistical Anomaly-Based

  • Examines event data by comparing it to typical known or predicted traffic in an effort to find potential security breaches.

  • It attempts to identify suspicious behavior by identifying patterns that are not the norm

  • Tuning can be challenging if not done regularly

  • Definition of normal traffic is open for interpretation

  • Has potential to detect unknown attacks
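The three analysis methods described on the pattern match, stateful matching and statistical anomaly slides, run side by side over one constructed log as an added Python example that is not from the deck or its textbook. Pattern match flags only lines that hit a fixed signature list and accepts everything else; stateful matching keeps per-source state across lines so that a sequence of transitions (several failed logins ending in a success) raises an alert no single line would; statistical anomaly learns mean and standard deviation of events per source per minute from a baseline window and flags later minutes that deviate by more than z. The log format, the IP addresses, the signatures and the thresholds are all assumptions; the stateful detector models state as the login sequence per source and account, a narrower notion than the slide's operating-system snapshot.

```python
# Three IDS analysis methods from the slides run over a constructed log (added example).
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log, one event per line: "<minute> <src-ip> <event>"
SAMPLE_LOG = """\
00 10.0.0.5 GET /index.html
00 10.0.0.5 GET /about.html
00 10.0.0.7 GET /index.html
00 10.0.0.9 GET /index.html
01 10.0.0.5 GET /contact.html
01 10.0.0.7 GET /products.html
01 10.0.0.9 GET /login
02 10.0.0.5 GET /index.html
02 10.0.0.7 GET /../../etc/passwd
02 10.0.0.9 GET /login
03 10.0.0.5 GET /index.html
03 10.0.0.7 GET /index.html
03 10.0.0.9 LOGIN_FAIL admin
03 10.0.0.9 LOGIN_FAIL admin
03 10.0.0.9 LOGIN_FAIL admin
03 10.0.0.9 LOGIN_FAIL admin
03 10.0.0.9 LOGIN_OK admin
03 10.0.0.9 GET /admin
"""

# Pattern match: a fixed set of known-attack signatures; anything unmatched is accepted.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
}

def parse(log):
    """Yield (minute, source, event) tuples."""
    for line in log.splitlines():
        minute, src, event = line.split(" ", 2)
        yield int(minute), src, event

def pattern_match(log):
    """Signature analysis: flag only lines matching a known signature (so new attacks are missed)."""
    return [(m, s, name) for m, s, e in parse(log)
            for name, rx in SIGNATURES.items() if rx.search(e)]

def stateful_match(log, fails=3):
    """Stateful matching: track state per (source, account) and alert when a sequence of
    >= `fails` LOGIN_FAIL transitions ends in LOGIN_OK. `fails` is the sensitivity to tune."""
    state = defaultdict(int)
    alerts = []
    for m, s, e in parse(log):
        parts = e.split()
        if parts[0] == "LOGIN_FAIL":
            state[(s, parts[1])] += 1
        elif parts[0] == "LOGIN_OK":
            if state[(s, parts[1])] >= fails:
                alerts.append((m, s, "success-after-%d-failures" % state[(s, parts[1])]))
            state[(s, parts[1])] = 0
    return alerts

def statistical_anomaly(log, baseline_minutes, z=3.0):
    """Statistical anomaly: learn mean/stdev of events per source per minute from the baseline
    window, then flag later (minute, source) pairs more than `z` deviations from the mean."""
    counts = Counter((m, s) for m, s, _ in parse(log))
    baseline = [c for (m, _), c in counts.items() if m < baseline_minutes]
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline) or 1.0
    return [(m, s, round((c - mean) / sd, 1)) for (m, s), c in sorted(counts.items())
            if m >= baseline_minutes and abs(c - mean) / sd > z]
```

On the sample log, pattern_match reports only the traversal line from 10.0.0.7 in minute 2 (the login burst matches no signature), stateful_match reports 10.0.0.9's success after four failures in minute 3, and statistical_anomaly with minutes 0 to 2 as the baseline reports 10.0.0.9 in minute 3 as far above the normal per-minute rate. Raising `fails` to 5 silences the stateful alert, which is the tuning trade-off the IDS slides mention.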

Protocol Anomaly-Based IDS

  • Identifies any unacceptable deviation from expected behavior based on known network protocols

  • Prone to same issues as signature-based IDSs

Traffic Anomaly-Based

  • Identifies any unacceptable deviation from expected behavior based on actual traffic structure

Intrusion Response

  • Inject rule into firewall, or modify access control for routers, VPNs or VLAN switches

    • May be disadvantage if replicated to other devices

  • Disable communications

  • Disable user accounts

  • Enable additional auditing

Intrusion Response

  • Sensor

    • Identifies an event

    • Must tune sensitivity properly

  • Control & communication

    • Notification component: email, pager, PDA

  • Enunciator

    • Identifies the correct business unit, formats the message for specific devices

    • Determines who gets notified & what their response is

IDS Management

  • Must devote planning, time, money & expert personnel to properly manage an IDS solution

  • Page 132

  • Login