Chapter IV Access Control Fundamentals
What Is Access Control?
•  Access control
– The process by which resources or services are granted or denied on a computer system or network
•  There are four standard access control models as well as specific practices used to enforce access control
Access Control Terminology
•  Identification
– A user accessing a computer system would present credentials or identification, such as a username
•  Authentication 
– Checking the user’s credentials to be sure that they are authentic and not fabricated
•  Authorization
– Granting permission to take the action
•  A computer user is granted access
– To only certain services or applications in order to perform their duties
•  Computer access control can be accomplished by one of three entities: hardware, software, or a policy
•  Access control can take different forms depending on the resources that are being protected
•  Other terminology is used to describe how computer systems impose access control:
– Object
– Subject
– Operation
Access Control Models
•  Access control model
– Provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications
•  Once an access control model is applied
– Custodians can configure security based on the requirements set by the owner
•  So that end users can perform their job functions
•  Mandatory Access Control (MAC) model
– The end user cannot implement, modify, or transfer any controls
– The owner and custodian are responsible for managing access controls
•  This is the most restrictive model because all controls are fixed
•  In the original MAC model, all objects and subjects were assigned a numeric access level
– The access level of the subject had to be higher than that of the object in order for access to be granted
•  Discretionary Access Control (DAC) model
– The least restrictive
– A subject has total control over any objects that he or she owns
•  Along with the programs that are associated with those objects
•  In the DAC model, a subject can also change the permissions for other subjects over objects
•  DAC has two significant weaknesses
– It relies on the end-user subject to set the proper level of security
– A subject’s permissions will be “inherited” by any programs that the subject executes
•  User Account Control (UAC)
– Operating systems prompt the user for permission whenever software is installed
•  Three primary security restrictions implemented by UAC:
– Run with limited privileges by default
– Applications run in standard user accounts
– Standard users perform common tasks
•  Another way of controlling DAC inheritance is to automatically reduce the user’s permissions
•  Role Based Access Control (RBAC) model
– Sometimes called Non-Discretionary Access Control
– Considered a more “real world” approach than the other models
– Assigns permissions to particular roles in the organization, and then assigns users to that role
– Objects are set to be a certain type, to which subjects with that particular role have access
•  Rule Based Access Control (RBAC) model
– Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
– Can dynamically assign roles to subjects based on a set of rules defined by a custodian
– Each resource object contains a set of access properties based on the rules
•  Rule Based Access Control is often used for managing user access to one or more systems
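The four models above side by side, as an added example written for this page rather than code from the original slides; the object names, level numbers, roles, departments and the business-hours rule are all assumed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data; names, levels and roles are invented for illustration.
LEVELS = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}
ROLE_PERMS = {("analyst", "report"): {"read"}, ("editor", "report"): {"read", "write"}}

@dataclass
class Obj:
    name: str
    level: str                  # MAC label, fixed by owner/custodian
    owner: str                  # DAC: the subject who controls the object
    obj_type: str = "report"    # RBAC: object type that roles are mapped to
    grants: dict = field(default_factory=dict)  # DAC: subject -> set of ops

@dataclass
class Subject:
    name: str
    level: str
    department: str
    roles: set = field(default_factory=set)

def mac_allows(s: Subject, o: Obj) -> bool:
    # As the text states, the subject's level must be higher than the object's.
    return LEVELS[s.level] > LEVELS[o.level]

def dac_allows(s: Subject, o: Obj, op: str) -> bool:
    # Owner has total control; others need a grant the owner chose to give.
    return s.name == o.owner or op in o.grants.get(s.name, set())

def rbac_allows(s: Subject, o: Obj, op: str) -> bool:
    return any(op in ROLE_PERMS.get((r, o.obj_type), set()) for r in s.roles)

def apply_rules(s: Subject, hour: int) -> set:
    # Rule-based RBAC: a custodian's rule assigns roles dynamically by department and time.
    return {"editor"} if s.department == "finance" and 9 <= hour < 17 else {"analyst"}

def demo() -> dict:
    doc = Obj("q3-forecast", "confidential", owner="alice")
    alice = Subject("alice", "secret", "finance")
    bob = Subject("bob", "internal", "marketing")
    doc.grants["bob"] = {"read"}            # DAC: alice shares her own file
    alice.roles, bob.roles = apply_rules(alice, 10), apply_rules(bob, 10)
    return {
        "mac_bob": mac_allows(bob, doc),                   # internal < confidential
        "mac_alice": mac_allows(alice, doc),               # secret > confidential
        "dac_bob_read": dac_allows(bob, doc, "read"),      # via alice's grant
        "dac_bob_write": dac_allows(bob, doc, "write"),    # no grant for write
        "rbac_bob_write": rbac_allows(bob, doc, "write"),  # analyst: read only
        "rbac_alice_write": rbac_allows(alice, doc, "write"),  # editor
    }
```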
Practices for Access Control
•  Separation of duties
– Requires that if the fraudulent application of a process could potentially result in a breach of security
•  Then the process should be divided between two or more individuals
•  Job rotation
– Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another
•  Least privilege
– Each user should be given only the minimal amount of privileges necessary to perform his or her job function
•  Implicit deny
– If a condition is not explicitly met, then it is to be rejected
Logical Access Control Methods
•  The methods to implement access control are divided into two broad categories
– Physical access control and logical access control 
•  Logical access control includes access control lists (ACLs), group policies, account restrictions, and passwords
Access Control Lists (ACLs)
•  Access control list (ACL)
– A set of permissions that is attached to an object
– Specifies which subjects are allowed to access the object
•  And what operations they can perform on it
•  These lists are most often viewed in relation to files maintained by the operating system
•  The structure behind ACL tables is a bit complex
•  Access control entry (ACE)
– Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems
•  In Windows, the ACE includes four items of information:
– A security identifier (SID) for the user account, group account, or logon session
– An access mask that specifies the access rights controlled by the ACE
– A flag that indicates the type of ACE
– A set of flags that determine whether objects can inherit permissions
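How the four ACE fields combine when an ACL is evaluated, including implicit deny and inheritance, as an added example that is not from the original slides or from Windows itself. The access-mask bits and the folder ACL are constructed; the inheritance flag values come from winnt.h and the SIDs are the well-known built-in Administrators, Users and Guests groups. Inheritance is simplified to the two cases shown.

```python
from dataclasses import dataclass

# Constructed, simplified access-mask bits (real Windows masks have many more)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"          # ACE type flag
OBJECT_INHERIT, CONTAINER_INHERIT, INHERIT_ONLY = 0x1, 0x2, 0x8  # winnt.h values

@dataclass(frozen=True)
class ACE:
    sid: str        # SID of a user account, group account or logon session
    mask: int       # access rights this ACE controls
    ace_type: str   # ALLOW or DENY
    flags: int = 0  # inheritance flags

def check_access(acl: list, token_sids: set, requested: int) -> bool:
    """Walk the ACEs in order: a matching DENY rejects at once, ALLOWs accumulate
    rights, and anything not granted by the end is implicitly denied."""
    granted = 0
    for ace in acl:
        if ace.flags & INHERIT_ONLY or ace.sid not in token_sids:
            continue    # inherit-only ACEs do not apply to the object itself
        if ace.ace_type == DENY and ace.mask & requested:
            return False
        if ace.ace_type == ALLOW:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False        # implicit deny: no ACE granted every requested right

def inherited_acl(parent_acl: list, child_is_container: bool) -> list:
    """ACL a new child receives from its parent's inheritable ACEs (simplified:
    files get the ACE with flags cleared, subfolders keep the flags)."""
    want = CONTAINER_INHERIT if child_is_container else OBJECT_INHERIT
    child = []
    for ace in parent_acl:
        if ace.flags & want:
            keep = ace.flags & ~INHERIT_ONLY if child_is_container else 0
            child.append(ACE(ace.sid, ace.mask, ace.ace_type, keep))
    return child

# Constructed sample folder ACL using the well-known built-in group SIDs:
# Guests may never write, Users may read files inside it, Administrators get all.
ADMINS, USERS, GUESTS = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-546"
FOLDER_ACL = [
    ACE(GUESTS, WRITE, DENY),
    ACE(USERS, READ, ALLOW, OBJECT_INHERIT | INHERIT_ONLY),
    ACE(ADMINS, READ | WRITE | EXECUTE, ALLOW, OBJECT_INHERIT | CONTAINER_INHERIT),
]
FILE_ACL = inherited_acl(FOLDER_ACL, child_is_container=False)
```

Note that a Users member can read a file inside the folder but not the folder itself, because the Users ACE is inherit-only; that is the kind of surprise the inheritance flags produce in practice.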
Group Policies
•  Group Policy
– A Microsoft Windows feature that provides centralized management and configuration of computers and remote users
•  Using the Microsoft directory services known as Active Directory (AD)
•  Group Policy is usually used in enterprise environments to restrict user actions that may pose a security risk
•  Group Policy settings are stored in Group Policy Objects (GPOs) 
Account Restrictions
•  Time of day restrictions
– Limit when a user can log on to a system
– These restrictions can be set through a Group Policy
– Can also be set on individual systems
•  Account expiration 
– The process of setting a user’s account to expire
– Orphaned accounts are user accounts that remain active after an employee has left an organization
•  Can be controlled using account expiration
Passwords
•  Password
– The most common logical access control
– Sometimes referred to as a logical token
– A secret combination of letters and numbers that only the user knows
•  A password should never be written down
– Must also be of a sufficient length and complexity so that an attacker cannot easily guess it (password paradox)
•  Attacks on passwords
– Brute force attack
§ Simply trying to guess a password by trying random combinations of characters
– Passwords typically are stored in an encrypted form called a “hash”
§ Attackers try to steal the file of hashed passwords and then break the hashed passwords offline
– Dictionary attack
§ Begins with the attacker creating hashes of common dictionary words
•  And compares those hashed dictionary words against those in a stolen password file
– Rainbow tables
§ Make password attacks easier by creating a large pregenerated data set of hashes from nearly every possible password combination
– Generating a rainbow table requires a significant amount of time
– Rainbow table advantages
§ Can be used repeatedly for attacks on other passwords
§ Rainbow tables are much faster than dictionary attacks
§ The amount of memory needed on the attacking machine is greatly reduced
– One reason for the success of rainbow tables is how older Microsoft Windows operating systems hash passwords
– A defense against breaking encrypted passwords with rainbow tables
§ Hashing algorithm should include a random sequence of bits as input along with the user-created password
– These random bits are known as a salt
§ Make brute force, dictionary, and rainbow table attacks much more difficult
– Password policy
§ A strong password policy can provide several defenses against password attacks
§ The first password policy is to create and use strong passwords
– One of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashes
– A final defense is to use another program to help keep track of passwords
– Domain password policy
§ Setting password restrictions for a Windows domain can be accomplished through the Windows Domain password policy
§ There are six common domain password policy settings, called password setting objects
•  Used to build a domain password policy
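The salting defense and a basic length-and-complexity policy check, as an added example that is not part of the original slides. PBKDF2 is an assumed choice of slow hash, the stored-string format and the "three of four character classes" rule are assumptions, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000   # PBKDF2 work factor; raise it for production hardware

def unsalted_hash(password: str) -> str:
    # The weak scheme the text warns about: identical passwords give identical
    # hashes on every system, so one pregenerated table matches them all.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Random per-user salt fed into a slow hash; the salt is stored next to the
    # hash, so the stored string is "algorithm$iterations$salt$digest".
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

def meets_policy(password: str, min_length: int = 12) -> bool:
    # Minimal length-and-complexity check in the spirit of a domain password
    # policy: length plus at least three of four character classes (assumed rule).
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= min_length and sum(classes) >= 3

def demo() -> dict:
    pw = "Correct-Horse-42"                   # constructed sample password
    alice, bob = hash_password(pw), hash_password(pw)
    return {
        "unsalted_same": unsalted_hash(pw) == unsalted_hash(pw),  # table-friendly
        "salted_same": alice == bob,                              # differ per user
        "alice_ok": verify_password(pw, alice),
        "alice_wrong": verify_password("Correct-Horse-43", alice),
        "policy_ok": meets_policy(pw),
        "policy_short": meets_policy("Pass1!"),
    }
```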
Physical Access Control
•  Physical access control primarily protects computer equipment
– Designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it
•  Physical access control includes computer security, door security, mantraps, video surveillance, and physical access logs
Computer Security
•  The most fundamental step in physical security is to secure the system itself
•  Securing network servers in an organization is important
•  Rack-mounted servers
– 4.45 centimeters (1.75 inches) tall
– Can be stacked with up to 50 other servers in a closely confined area
Door Security
•  Hardware locks
– Preset lock
•  Also known as the key-in-knob lock
•  The easiest to use because it requires only a key for unlocking the door from the outside
•  Automatically locks behind the person, unless it has been set to remain unlocked
•  Security provided by a preset lock is minimal
– Deadbolt lock
•  Extends a solid metal bar into the door frame for extra security
•  Is much more difficult to defeat than preset locks
•  Requires that the key be used to both open and lock the door
•  Most organizations observe the following practices:
– Change locks immediately upon loss or theft of keys
– Inspect all locks on a regular basis
– Issue keys only to authorized persons
– Keep records of who uses and turns in keys
– Keep track of keys issued, with their number and identification
– Master keys should not have any marks identifying them as masters
– Secure unused keys in a locked safe
– Set up a procedure to monitor the use of all locks and keys and update the procedure as necessary
– When making duplicates of master keys, mark them “Do Not Duplicate,” and wipe out the manufacturer’s serial numbers to keep duplicates from being ordered
•  Door access systems
– Cipher lock
•  Combination locks that use buttons that must be pushed in the proper sequence to open the door
•  Can be programmed to allow only the code of certain individuals to be valid on specific dates and times
– Cipher locks also keep a record of when the door was opened and by which code
– Cipher locks are typically connected to a networked computer system
•  Can be monitored and controlled from one central location
– Cipher lock disadvantages
•  Basic models can cost several hundred dollars while advanced models can be even more expensive
•  Users must be careful to conceal which buttons they push to avoid someone seeing or photographing the combination
– Tailgate sensor 
•  Use multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway some beams are activated first and other beams a short time later
•  Can detect if a second person walks through the beam array immediately behind (“tailgates”) the first person without presenting credentials
•  Physical tokens
– Objects to identify users
•  ID badge
– The most common types of physical tokens
– ID badges originally were visually screened by security guards
– Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags
•  Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket
Mantraps
•  Mantrap
– A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a nonsecured area from a secured area
•  Mantraps are used at high-security areas where only authorized persons are allowed to enter
– Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals
Video Surveillance
•  Closed circuit television (CCTV)
– Using video cameras to transmit a signal to a specific and limited set of receivers
•  Some CCTV cameras are fixed in a single position pointed at a door or a hallway
•  Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view
Physical Access Log
•  Physical access log
– A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
– Can also identify if unauthorized personnel have accessed a secure area
•  Physical access logs originally were paper documents
– Today, door access systems and physical tokens can generate electronic log documents
Summary
- Access control is the process by which resources or services are denied or granted
- Best practices for implementing access control include separation of duties, job rotation, using the principle of least privilege, and using implicit deny
- Logical access control methods include using access control lists (ACLs), which are provisions attached to an object
- Passwords, sometimes known as logical tokens, are a secret combination of letters and numbers that only the user should know
- Physical access control attempts to limit access to computer equipment by unauthorized users