Access Control System, BMS
- 2. • Protecting what needs to be protected with the available technologies! • Access control is the of Information Security! Overview
- 3. Some Questions • What is Access? • What is the Access Mechanism? • What is Access Control? • The right • Flow of information between subject and object • Mechanism to protect the assets!
- 6. Identification • Method of establishing the subject’s identity – User, Program,Process • Use of username or other public information • Identification component requirements… – Each value should be unique – Follow a standard naming scheme – Non-descriptive of the user’s position or tasks – Must not be shared between users
- 8. Authentication • Method of proving the identity • How to prove an identity? – Something you know – Something you have – Something you are • Use of passwords, token, or biometrics other private information • What is two factor authentication? – Strongauthentication
- 9. Something you know • Traditional authentication method • Passwords – Protected string of characters – Most widely used – Types • Cognitivepasswords • One time passwords (Dynamicpasswords) • Passphrase
- 10. Cognitive passwords • Fact or opinion based information • Created through several experience based questions • Easy to remember! – A person will not forget his birthplace, favorite color,dog's name, or the school he graduatedfrom.
- 11. One time passwords • Only used once • Used in sensitive cases and places • Examples include – Prepaidcards – Token devices • Token device generates the one-time password for the user to submit to an authenticationserver
- 12. Passphrase • Sequence of characters that is longer than a password -- Thus a phrase – User enters this phrase into an application which transformsthe value into a virtual password
- 13. Attacks against passwords • Electronic monitoring • Access the passwordfile • Brute force attacks • Dictionary attacks • Social engineering • Shoulder surfing
- 14. Something you have • Requires possession of something such as a key, smart card, or some other device • Examples include… – Keys – Documents – Token devices – Memory cards – Smartcards
- 15. Token device • Software hardware hybrid object used to verify an identity in an authentication process • Token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad – Token device is separate from the computer the user is attempting toaccess
- 16. Token Device – Benefits/Limitations • Benefits – Not vulnerable to electronic eavesdropping • Wiretapping • Sniffing – Provide two factorauthentication • Limitations – Human error – Batterylimitation – Token itself (Environmental factors)
- 17. Types of Token Devices • Synchronous Token – A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authenticationprocess. • Asynchronous Token – A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.
- 20. Memory Card • Holds information but cannot process – A memory card can hold a user's authentication information,so that the user only needs to type in a UserID or PIN.
- 21. Smart Card • Holds and processes information • After a threshold of failed login attempts, it can render itself unusable • PIN or password unlocks smart card functionality • Smart card could be used for: – Holding biometric data in template – Responding to challenge – Holding privatekey
- 22. Types of Smart Card • Contact – Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated) – Through these physical contact points, transmission of commands, data, and card status takes place • Contactless – Requires only close proximity to a reader – Both the reader and the card have antenna and it is via this contactless link that two communicate
- 23. Smart Card attacks • Micro-probing techniques • Eavesdropping techniques • Trojan Horse attacks • Social engineering attacks
- 24. Something you are • Special case of something you have • Unique personal attribute is analyzed • Encompasses all biometric techniques – Fingerprints – Retina scan – Iris scan – Hand geometry – Facialscan
- 25. Biometric System • A characteristic based system – Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authenticationprocess • Uses individual's unique physical characteristics in order to identify and authenticate – Each has its own advantages and disadvantages
- 26. Fingerprints • Every person's fingerprint is unique • Most affordable and convenient method of verifying a person's identity • The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.
- 27. Retina Scan • Retinal scan technology maps the capillary pattern of the retina – A thin (1/50th inch) nerve on the back of the eye! • Accurate • Many people are hesitant to use the device /
- 28. Iris Scan • Scans the iris or the colored portion of the eye • For authentication the subject looks at the video camera from a distance of 3-10 inches • The entire enrollment process is less than 20 seconds, and subsequent identification takes 1-2 seconds. • Offers high accuracy!
- 29. Hand Geometry • Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth. • Takes over 90 measurements of the length, width, thickness, and surfacearea of a person's hand and fingers. • Hand measurements occur with amazing speed, almost within one second. • A charge coupled device (CCD) digital camera is used to record the hand's three dimensional shape.
- 30. Keyboard Dynamics • Looks at the way a person types at a keyboard • Also called Typing Rhythms! • Keyboard dynamics measures two distinct variables: – Dwell time: The amount of time one holds a particular key – Flight time: The amount of time one moves between the keys • Keyboard dynamic system can measure one's keyboard input up to 1000 times per second!
- 31. Voice Print • A voice reference template is constructed – To construct, an individual must speak a set of phrases several times as the system builds the template. – Voice identification systems incorporate several variables including pitch, dynamics, and waveform.
- 32. Facial Scan • Incorporates two significant methods: – Detection – Recognition • Detection involves locating the human face within an image. • Recognition is comparing the captured face to other faces that have been saved and stored in a database. Processà
- 33. Biometric Performance • Biometric performance is most commonly measured in two ways: – False Rejection Rate (FRR) – Type1 – False Acceptance Rate (FAR) – Type 2 • The FRR is the probability that you are not authenticated to access your account. • The FAR is the chance that someone other than you is granted access to your account.
- 34. Crossover Error Rate • Crossover Error Rate (CER) value is when Type 1 and Type 2 errors are equal. – (Type 1 = Type 2 errors) = CER metric value • System ABC has 1 out of 100 Type 1 errors = 1% • System ABC has 1 out of 100 type 2 errors = 1% • System ABC CER = 1 • The lower the CER value, the higher accuracy • System with a CER of 5 has greater accuracy than a system with CER of 6
- 35. CER Concept
- 36. Authorization
- 37. Authorization
- 38. Controls
- 39. Types of Access Controls • There are three types of Access Controls: – Administrativecontrols • Define roles, responsibilities, policies, and administrative functions to manage the control environment. – Technicalcontrols • Use hardware and software technology to implement access control. – Physicalcontrols • Ensure safety and security of the physical environment.
- 40. AdministrativeControls • Ensure that technical and physical controls areunderstood and properlyimplemented – Policies and procedures – Security awarenesstraining – Asset classification and control – Employment policies and practices (background checks, job rotations, and separation of duties) – Accountadministration – Account, log monitoring – Review of audit trails
- 41. Technical Controls • Examples of Technical Controls are: – Encryption – Biometrics – Smartcards – Tokens – Access controllists – Violation reports – Audit trails – Network monitoring and intrusion detection
- 42. Physical Controls • Examples of Physical Controls are: – HVAC – Fences, locked doors, and restrictedareas – Guards and dogs – Motion detectors – Video cameras – Fire detectors – Smoke detectors
- 43. Categories of Access Controls • Preventive € Avoid incident • Deterrent € Discourage incident • Detective € Identify incident • Corrective € Remedy circumstance/mitigate damage and restorecontrols • Recovery € Restore conditions to normal • Compensating € Alternative control • Directive
- 44. Categories of Access Controls
- 45. Administrative Preventive Controls • Policies and procedures • Effective hiring practices • Pre-employment background checks • Controlled termination processes • Data classification and labeling • Security awareness • Risk assessments and analysis • Creating a security program • Separation of duties
- 46. Administrative Detective Controls • Job rotation • Sharing responsibilities • Inspections • Incident response • Use of auditors
- 47. Technical Preventive Controls • Passwords • Biometrics • Smart cards • Encryption • Databaseviews • Firewalls • ACLs • Anti-virus
- 48. Technical Detective Controls • IDS • Reviewing audit logs • Reviewing violations of clipping levels • Forensics
- 49. Physical Preventive Controls • Badges • Guards and dogs • CCTV • Fences, locks, man-traps • Locking computer cases • Removing floppy and CD-ROM drives • Disabling USB port
- 50. Physical Detective Controls • Motion detectors • Intrusion detectors • Video cameras • Guard responding to an alarm
- 53. Centralized Access Control Methodologies • (ISC)2 discusses the following methodologies: – RADIUS -- Remote Authentication Dial-In User Service – TACACS -- Terminal Access Controller Access Control Systems – DIAMETER
- 54. RADIUS • Provides centralized authentication, authorization and accounting management for network services • Works on a Client/Server model • Functions: – To authenticate users or devices before granting them access to a network – To authorize users or devices for certain network services – To account for usage of services used
- 55. RADIUS Process
- 57. TACACS • TACACS has been through three generations: – TACACS, XTACACS and TACACS+ • TACACS uses passwords for authentication – TACACS+ allows users to use dynamic (one-time) passwords – TACACS+ encrypts all the data • TACACS uses UDP – TACACS+ uses TCP
- 58. TACACS at Work
- 59. Diameter • "New and improved" RADIUS • RADIUS is limited in its methods of authenticating users • Diameter does not encompass such limitations • Can authenticate wireless devices and smart phones • Open for future growth • Users can move between service provider networks and change their points of attachment
- 61. Single Sign On (SSO) • A system that enables a user to access multiple computer platforms • User logs in just once • Access granted to permitted resources • Login only required until after the user logs out • Examples include: – Kerberos – SESAME – Security Domains – Thin Clients
- 62. Kerberos • A computer network authentication protocol – Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner. • Principals – Any user or service that interacts with a network – Term that is applied to anything within a network that needs to communicate in an authorized manner
- 63. Kerberos components • Components of Kerberos – Key Distribution Center (KDC) • Holds all of the principals' secret keys • Principals authenticate to the KDC before networking can take place – Authentication Server (AS) • Authenticates user at initial logon • Generation of initial ticket to allow user to authenticate to local system – Ticket Granting Service (TGS) • Generates of tickets to allow subjects to authenticate to each other
- 64. Kerberos Process
- 65. SESAME • Secure European System for Applications in a Multi- Vendor Environment • Uses symmetric and asymmetric cryptographic techniques • Uses Privileged Attribute Certificates (PACs) • PACs are generated by the Privileged Attribute Server (PAS) • After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!
- 66. SESAME Process
- 67. Security Domains • Based on trust between resources or services on a domain that share a single security policy and single management • The security policy defines the set of objects that each user has the ability to access • A similar mission and single point of management responsibility
- 68. Security Domains -- Bull’s Eye View
- 69. Thin Clients • Diskless computers are called dumb terminals or thin clients • Client/Server technology forces users to log onto a central server just to be able to use the computer and access network resources. • Server downloads the Operating System, or interactive operating software to the terminal
- 71. Access Control Models • Frameworks that dictate how subjects access objects • Three Main Types – Discretionary Access Control (DAC) – Mandatory Access Control (MAC) – Role Based Access Control (RBAC)
- 72. Discretionary Access Control • Allows the owner of the resource to specify which subjects can access which resources • Access control is at the discretion of the owner • DAC defines access control policy – That restricts access to files and other system resources based on identity • DAC can be implemented through Access Control Lists (ACLs)
- 73. Access Control Matrix • Access Control Lists (ACLs) – Specifies the list of subjects that are authorized to access a specific object • Capability Lists – Specifies the access rights a certain subject possesses pertaining to specific objects
- 75. Mandatory Access Control • Based on security label system • Users given security clearance and data is classified • Used where confidentiality is of utmost importance • MAC is considered a policy based control • Every object and subject is given a sensitivity label – Classificationlevel • Secret, Top secret, Confidential, etc – Category • Information warfare, Treasury, UN, etc
- 76. Mandatory Access Control Subject Classificationlevel Category Umair Secret Finance Tayyeb Secret HR Object Classificationlevel Category Financerecords Secret Finance Employeerecords Secret HR
- 77. Role Based Access Control • Uses centrally administered set of controls to determine how subjects and objects interact • Decisions based on the functions that a user is allowed to perform within an organization • An advantage of role based access controls is the ease of administration • Capability tables are sometimes seen in conjunction with role-based access controls • Best for high turn over organizations
- 79. Access Control Techniques • Rules Based Access Control • Constrained User Interface • Content Dependent Access Control • Context Dependent Access Control
- 81. Introduction • Process of simulating attacks on Information Systems – At the request of the owner, senior management • Uses set of procedures and tools designed totest security controls of a system • Emulates the same methods attackersuse
- 82. Steps • Discovery • Enumeration • Vulnerability mapping • Exploitation • Report to management
- 83. Step 1 • Discovery – Gathering information about the target – ReconnaissanceTypes • Passive • Active
- 84. Step 2 • Enumeration – Performing port scans and resource identificationmethods – Gaining specific information on the basis of information gathered during reconnaissance – Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on
- 85. Step 3 • Vulnerability Mapping – Identifying vulnerabilities in identified systems and resources – Based on these vulnerabilities attacks are carried out
- 86. Step 4 • Exploitation – Attempting to gain unauthorized access by exploiting the vulnerabilities
- 87. Step 5 • Report to management – Delivering to management documentation of test findings along with suggestedcountermeasures