IT 4823 – Information Security Administration



  1. IT 4823 – Information Security Administration
  Chapter 4: Access Control, Part 2
  Summer 2006, Feibish
  From: Harris, Shon. All In One CISSP Exam Guide, 3rd Edition, McGraw-Hill, 2005.

  2. Review: Access Control Techniques
  • Access control matrix: table of subjects and objects that outlines their access relationships
  • ACL: bound to an object and indicates what subjects can access it
  • Capability table: bound to a subject and indicates what objects that subject can access
  • Content-based access: bases access decisions on the sensitivity of the data, not solely on subject identity
  • Context-based access: bases access decisions on the state of the situation, not solely on identity or content sensitivity
  • Restricted interface: limits the user’s environment within the system, thus limiting access to objects
  • Rule-based: restricts subjects’ access attempts by predefined rules
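The first three techniques on this slide are three views of one data structure. The following added example (mine, not from the slides or from Harris) builds a constructed access control matrix and derives each object's ACL (a column) and each subject's capability table (a row) from it, including the revocation asymmetry between the two views; the subjects, objects and rights are invented for illustration.

```python
# Access control matrix: rows are subjects, columns are objects, cells are rights.
# All names and rights below are constructed sample data.
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "hr-policy.doc": {"read"}},
    "bob":        {"hr-policy.doc": {"read", "write"}},
    "backup-svc": {"payroll.db": {"read"}, "hr-policy.doc": {"read"}},
}


def acl_for(matrix, obj):
    """ACL: one column of the matrix, bound to the object. Maps subject -> rights."""
    return {subj: set(rights[obj]) for subj, rights in matrix.items() if rights.get(obj)}


def capability_table_for(matrix, subject):
    """Capability table: one row of the matrix, bound to the subject. Maps object -> rights."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items() if rights}


def all_acls(matrix):
    """Every object's ACL; this is how the matrix is usually stored in practice."""
    objects = {obj for rights in matrix.values() for obj in rights}
    return {obj: acl_for(matrix, obj) for obj in sorted(objects)}


def matrix_from_acls(acls):
    """Rebuild the matrix from its ACLs: both views carry exactly the same information."""
    matrix = {}
    for obj, entries in acls.items():
        for subj, rights in entries.items():
            matrix.setdefault(subj, {})[obj] = set(rights)
    return matrix


def is_allowed(matrix, subject, obj, right):
    """Default deny: a missing row, column or right means no access."""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_object(matrix, obj):
    """Revoking all access to an object is one ACL deletion, but in the
    capability view every subject's row must be scanned. Returns the subjects
    whose capability tables changed."""
    touched = set()
    for subj, rights in matrix.items():
        if rights.pop(obj, None):
            touched.add(subj)
    return touched
```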

  3. Next: Access Control Administration
  • Centralized vs. decentralized
  • Centralized access control administration: one entity (department or individual) is responsible for overseeing access to all corporate resources.
  • Decentralized access control administration gives control of access to the people closer to the resources, e.g. a functional manager.

  4. Centralized Access Control
  • Consistent and uniform across the organization
  • Strict, but can be slow
  • Uses AAA protocols – “authentication, authorization, and auditing”
    • RADIUS
    • TACACS, TACACS+, XTACACS (Terminal Access Controller Access Control System)
    • Diameter

  5. RADIUS
  • Remote Authentication Dial-In User Service
  • Client/server authentication protocol that authenticates and authorizes remote users
  • Most ISPs today use RADIUS to authenticate customers before they are allowed access to the Internet.
  • The access server notifies the RADIUS server when the session starts and stops, for billing purposes.

  6. RADIUS, continued
  • Also used within corporate environments to provide road warriors and home users access to network resources
  • When a user dials in and is properly authenticated, a preconfigured profile is assigned to him to control what resources he can and cannot access.
  • Published as RFC 2138 and RFC 2139
  • RADIUS is an open protocol

  7. TACACS
  • Terminal Access Controller Access Control System
  • TACACS has been through three generations:
    • TACACS: combines its authentication and authorization processes
    • Extended TACACS (XTACACS): separates the authentication, authorization, and auditing processes
    • TACACS+: XTACACS with extended two-factor user authentication; uses dynamic passwords

  8. RADIUS infrastructure

  9. RADIUS vs TACACS
  • RADIUS encrypts the user’s password only as it is being transmitted from the RADIUS client to the RADIUS server. Other information, such as the username, accounting data, and authorized services, is passed in cleartext. (!!!)
  • The RADIUS protocol combines the authentication and authorization functionality.
  • TACACS+ uses a true AAA architecture, which separates the authentication, authorization, and accounting functionalities.
  • TACACS+ also enables the network administrator to define more granular user profiles.
  • So, RADIUS is the appropriate protocol when simple username/password authentication suffices and users only need an Accept or Deny for obtaining access, as at ISPs. TACACS+ is the better choice for environments that require more sophisticated authentication steps and tighter control over more complex authorization activities, as in corporate networks.
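The "(!!!)" point above is easiest to see on the wire. The following added example (mine, not from the slides or from Harris) builds a RADIUS Access-Request the way RFC 2865 section 5.2 specifies: only the User-Password attribute is hidden, by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator, while User-Name and every other attribute are cleartext. The shared secret, authenticator and user are constructed values.

```python
import hashlib
import struct

USER_NAME = 1       # RADIUS attribute types from RFC 2865
USER_PASSWORD = 2
ACCESS_REQUEST = 1  # RADIUS packet code


def hide_password(password, secret, authenticator):
    """RFC 2865 password hiding: pad to a multiple of 16, then XOR each 16-byte
    chunk with MD5(secret + previous chunk), seeded by the Request Authenticator."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server holding the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the padding (a password ending in NUL would be cut)


def tlv(attr_type, value):
    """RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, authenticator, identifier=1):
    """Code, Identifier, Length, 16-byte Request Authenticator, then the attributes.
    In a real client the authenticator is 16 fresh random bytes per request."""
    attrs = tlv(USER_NAME, username)
    attrs += tlv(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def attributes_on_the_wire(packet):
    """What anyone on the client-to-server path sees: attribute type -> raw value.
    Everything except type 2 (User-Password) is readable as-is."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```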

  10. TACACS+ in client/server

  11. Diameter
  • Built on RADIUS but fixes many of its problems
  • Diameter is twice the radius (get it?)
  • AAA protocol, but with more flexibility and capability
  • Diameter provides a base protocol, which defines header formats, security options, commands, and AVPs (attribute-value pairs).
  • Peer-based rather than client/server
  • The base protocol allows for extensions to tie in other services, such as VoIP, FoIP, Mobile IP, wireless, and cell phone authentication.

  12. AAA functionality in Diameter
  • Authentication
    • PAP, CHAP, EAP
    • End-to-end protection of authentication information
    • Replay attack protection
  • Authorization
    • Redirects, secure proxies, relays, and brokers
    • State reconciliation
    • Unsolicited disconnect
    • Reauthorization on demand
  • Accounting
    • Reporting, ROAMOPS accounting, event monitoring

  13. NEW TOPIC: Access Control Methods
  • Can be implemented at various layers of a network and of individual systems
  • Either core components (embedded) or third-party add-on packages
  • THEY MUST WORK TOGETHER
  • Typically work in layers

  14. Access Control Layers

  15. Detail: Administrative Control
  • Policy and procedures
    • Security policy is the 1st step
    • Derived from the laws, regulations, and business objectives that shape and restrict the company
  • Personnel controls
    • Hiring, firing, suspension, promotions, etc.
    • Separation of duties (against collusion) and rotation of duties
  • Supervisory structure
    • Manager becomes responsible for employee actions
  • Security-awareness training
  • Testing
    • Periodic, constant (to test for change), aligned with the policies and objectives of the company

  16. Detail: Physical Control
  • Network segregation
  • Perimeter security
    • Passcodes, locks, etc.
  • Computer controls
    • Physical locks on machines, stations, etc.
  • Work area separation
    • Division by roles
  • Data backups
  • Cabling

  17. Detail: Technical Control
  • System access
  • Network architecture
    • Subnetting
  • Network access
    • Firewalls, SPI, etc.
  • Encryption and protocols
  • Control zone
    • A control zone is a physical control: an area that surrounds and protects network devices that emit electrical signals
  • Auditing
    • Can be used to point out weaknesses of other technical controls and help the administrator understand where changes need to be made to preserve the necessary security level

  18. Control Zone - example

  19. Access Control should be layered

  20. Access Controls serve 6 functions
  • Preventative
  • Detective
  • Corrective
  • Deterrent
  • Recovery
  • Compensative

  21. Table 4-3, pg 191

  22. Preventive: Administrative
  • The following are the soft mechanisms that are put into place to enforce access control and protection for the company as a whole:
    • Policies and procedures
    • Effective hiring practices
    • Pre-employment background checks
    • Controlled termination processes
    • Data classification and labeling
    • Security awareness

  23. Preventive: Physical
  • The following can physically restrict access to a facility, specific work areas, or computer systems:
    • Badges, swipe cards
    • Guards, dogs
    • Fences, locks, mantraps

  24. Preventive: Technical
  • The following are logical controls that are part of operating systems, third-party application add-ons, or hardware units:
    • Passwords, biometrics, smart cards
    • Encryption, protocols, call-back systems, database views, constrained user interfaces
    • Antivirus software, ACLs, firewalls, routers, clipping levels

  25. Accountability
  • Ensures that users are accountable for their actions
  • Verifies that the security policies are enforced
  • Can be used as an investigation tool
  • Tracked by recording user, system, and application activities
  • Implemented through auditing
  • Problem: audit logs can be overwhelming

  26. Auditing: System-level events
  • System performance
  • Logon attempts (successful and unsuccessful)
  • Logon ID
  • Date and time of each logon attempt
  • Lockouts of users and terminals
  • Use of administration utilities
  • Devices used
  • Functions performed
  • Requests to alter configuration files

  27. Auditing: Application-level events
  • Error messages
  • Files opened and closed
  • Modifications of files
  • Security violations within the application

  28. Auditing: User-level events
  • Identification and authentication attempts
  • Files, services, and resources used
  • Commands initiated
  • Security violations

  29. Auditing tools
  • An audit-reduction tool reduces the amount of information within an audit log.
  • A variance-detection tool can monitor computer and resource usage trends and detect variations.
  • If an attack signature–detection tool is used, the application will have a database of information that has been known to indicate specific attacks.

  30. Keystroke Monitoring
  • Monitors every keystroke during an active session
  • Can be used by admins or attackers
  • There are privacy issues with this type of monitoring, and administrators could be subject to criminal and civil liabilities if it is done without proper notification to the employees and authorization from management.

  31. Access Control Practices – regular maintenance
  • Deny access to systems by undefined users or anonymous accounts.
  • Limit and monitor the usage of administrator and other powerful accounts.
  • Suspend or delay access capability after a specific number of unsuccessful logon attempts.
  • Remove obsolete user accounts as soon as the user leaves the company.
  • Suspend inactive accounts after 30 to 60 days.
  • Enforce strict access criteria.
  • Enforce the need-to-know and least-privilege practices.
  • Disable unneeded system features, services, and ports.
  • Replace default password settings on accounts.

  32. Access Control Practices – regular maintenance (continued)
  • Limit and monitor global access rules.
  • Ensure that logon IDs are nondescriptive of job function.
  • Remove redundant resource rules from accounts and group memberships.
  • Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
  • Enforce password rotation.
  • Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
  • Audit system and user events and actions and review reports periodically.
  • Protect audit logs.

  33. New Topic: Unauthorized disclosure of information
  • Object reuse
    • Old disks or tapes
    • Also memory locations, variables, registers
    • Sensitive data should be classified and labeled along with the corresponding media.
  • Emanation security
    • Interception of electrical signals
    • TEMPEST: security standard to reduce electronic emissions
    • Solutions: Faraday cage, white noise, control zone

  34. Access Control Monitoring
  • Intrusion detection systems (IDSs) are different from traditional firewall products because they are designed to detect a security breach.
  • Common components:
    • Sensors
    • Analyzers
    • Administrator interfaces
  • 2 main types of IDS:
    • Network-based: monitors network communication
    • Host-based: analyzes activity within a particular system

  35. IDS: many types
  • HIDS or NIDS can be any of the following types:
    • Signature based
    • Statistical anomaly based
    • Protocol anomaly based
    • Traffic anomaly based
    • Rule based
    • Stateful matching
    • Model based

  36. IDS Types
  • Signature based
    • Pattern matching, similar to antivirus software
    • Signatures must be continuously updated
    • Cannot identify new attacks

  37. IDS Types
  • Statistical anomaly based
    • Behavioral-based system that learns the “normal” activities of an environment
    • Can detect new attacks
    • Two types:
      • Protocol anomaly based: unusual format or behavior of protocols
      • Traffic anomaly based: unusual format of traffic patterns

  38. IDS Types
  • Rule based
    • Use of IF/THEN rule-based programming within expert systems
    • Use of an expert system allows for artificial intelligence characteristics
    • The more complex the rules, the more demands on software and hardware processing requirements
    • Cannot detect new attacks
    • Two types:
      • Stateful matching: tracking system state changes that indicate an attack is under way
      • Model based: models of attack scenarios are built and then captured data is compared to the models to uncover malicious activities
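The following added example (mine, not from the slides or from Harris) runs three of the checks this deck describes over a constructed audit log: a signature match that can only catch what is already listed (slide 36), the lockout threshold on unsuccessful logons that slide 31 calls for, and a statistical-anomaly check against a learned baseline that flags behaviour no signature names (slides 29 and 37). The log lines, the baseline counts and the signature patterns are all invented sample data.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample audit log: one key=value record per line.
SAMPLE_LOG = """\
2006-06-01T08:00:01 user=alice host=ws12 event=LOGON result=SUCCESS
2006-06-01T08:05:10 user=alice host=ws12 event=FILE_OPEN result=SUCCESS
2006-06-01T08:10:00 user=bob host=ws17 event=LOGON result=FAIL
2006-06-01T08:10:04 user=bob host=ws17 event=LOGON result=FAIL
2006-06-01T08:10:08 user=bob host=ws17 event=LOGON result=FAIL
2006-06-01T08:10:12 user=bob host=ws17 event=LOGON result=FAIL
2006-06-01T08:10:16 user=bob host=ws17 event=LOGON result=FAIL
2006-06-01T08:10:20 user=bob host=ws17 event=LOGON result=FAIL
2006-06-01T08:10:25 user=bob host=ws17 event=LOGON result=SUCCESS
2006-06-01T08:11:00 user=bob host=ws17 event=CONFIG_WRITE result=SUCCESS
"""

# Constructed baseline: logon events per user per hour seen during normal operation.
BASELINE_LOGONS_PER_USER_HOUR = [3, 4, 3, 5, 4, 3, 4]

# Signature based: fixed patterns for known-bad or sensitive events (slides 26 and 36).
SIGNATURES = {
    "config-change-request": re.compile(r"event=CONFIG_WRITE"),
    "admin-utility-use": re.compile(r"event=ADMIN_UTIL"),
}


def parse_log(text):
    """One dict per line with ts, user, host, event, result and the raw line."""
    records = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        rec = dict(kv.split("=", 1) for kv in rest.split())
        rec["ts"], rec["raw"] = ts, line
        records.append(rec)
    return records


def signature_hits(records):
    """Every (signature name, record) pair; anything not in SIGNATURES is invisible here."""
    return [(name, r) for r in records for name, pat in SIGNATURES.items() if pat.search(r["raw"])]


def failed_logons(records):
    """Unsuccessful logon attempts per user."""
    return Counter(r["user"] for r in records if r["event"] == "LOGON" and r["result"] == "FAIL")


def lockout_candidates(records, threshold=5):
    """Users at or above the lockout threshold, whose access slide 31 says to suspend or delay."""
    return {user for user, n in failed_logons(records).items() if n >= threshold}


def anomalous_users(records, baseline, k=2.0):
    """Statistical anomaly: users whose logon count exceeds the baseline mean
    by more than k standard deviations. Needs no signature for the behaviour."""
    limit = mean(baseline) + k * pstdev(baseline)
    logons = Counter(r["user"] for r in records if r["event"] == "LOGON")
    return {user for user, n in logons.items() if n > limit}
```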

  39. Intrusion Prevention Systems (IPS)
  • IPS is a preventative and proactive technology, whereas an IDS is a detective and after-the-fact technology.
  • Not widely implemented … yet
  • Any inline device can be a traffic bottleneck, reduce performance, and pose a single point of failure.

  40. Honeypot
  • A honeypot is a computer set up as a sacrificial lamb on the network.
  • This is to entice a would-be attacker to this computer instead of attacking authentic production systems on the network.
  • It is important to draw a line between enticement and entrapment when implementing a honeypot system.
  • Entrapment is where the intruder is induced or tricked into committing a crime. Entrapment is illegal and cannot be used when charging an individual with hacking or unauthorized activity.

  41. Network Sniffers
  • Packet or network sniffer is a general term for programs or devices that are able to examine traffic on a LAN segment.
  • The sniffer has to have a protocol-analysis capability to recognize the different protocol values to properly interpret their meaning.
  • Requires a NIC in promiscuous mode and a filtering mechanism
  • Sniffers are dangerous because they are very hard to detect and their activities are difficult to audit.
  • Very popular free tool: Ethereal

  42. Threats to Access Control
  • Dictionary attack
  • Brute force attack
  • Spoofing at logon
  • Phishing attacks

  43. Countermeasures to Dictionary Attack
  • Do not allow passwords to be sent in cleartext.
  • Encrypt the passwords with encryption algorithms or hashing functions.
  • Employ one-time password tokens.
  • Use hard-to-guess passwords.
  • Rotate passwords frequently.
  • Employ an IDS to detect suspicious behavior.
  • Use dictionary cracking tools to find weak passwords chosen by users.
  • Use special characters, numbers, and upper- and lowercase letters within the password.
  • Protect password files.

  44. Countermeasures to Brute Force Attack
  • Perform brute force attacks to find weaknesses and hanging modems.
  • Make sure only necessary phone numbers are made public.
  • Provide stringent access control methods that would make brute force attacks less successful.
  • Monitor and audit for such activity.
  • Employ an IDS to watch for suspicious activity.
  • Set lockout thresholds.

  45. Countermeasures to Logon Spoofing Attacks
  • An operating system can be configured to display the number of failed logon attempts.
  • If the first logon attempt seemed to fail but was really the attacker’s program capturing the entered credentials, that failure would be reported at the second (genuine) attempt, and the user could get suspicious as to what just took place.
  • A guaranteed trusted path can be provided by the operating system. A trusted path is a communication link between the user and the kernel that cannot be circumvented as described in the scenario of a fake logon screen.
  • Windows 2000 uses the sequence CTRL-ALT-DEL to invoke the operating system’s logon screen. (However, some sneaky fake programs can set themselves to be called upon by this combination of keys also.)

  46. Countermeasures to Phishing Attacks
  • Be skeptical of e-mails indicating that you need to make changes to your accounts or warnings indicating that accounts will be terminated without you doing some type of activity online.
  • Call the legitimate company to find out if this is a fraudulent message.
  • Review the address bar to see if the domain name is correct.
  • When submitting any type of financial information or credential data, an SSL connection should be set up, which is indicated in the address bar (https://) and a closed-padlock icon in the browser at the bottom-right corner.
  • Do not click on an HTML link within an e-mail. Type the URL out manually instead.
  • Do not accept e-mail in HTML format.

  47. All done….
  • Whew!

  48. Questions?
