Access Control Flashcards
CIA
CIA- Confidentiality, Integrity, Availability
DAD
DAD (disclosure, alteration, destruction) opposes CIA
IAAA
IAAA –
- Identity,
- Authentication (proving an id claim),
- Authorization (actions you can perform),
- Accountability (or Auditing)
Non-repudiation
Non-repudiation- user can’t deny performing a transaction
Least Privilege
Least Privilege- minimum amount of access to do job (this is an ideal or target)
Need to Know
Need to Know- more granular than Least Privilege (object level). E.g. have a secret clearance, and cleared for a program.
Subject
Subject- active entity on a system (user, running program)
Object
Object- passive data on system (file)
Defense in Depth
Defense in Depth- (Layered Defense) multiple safeguards in layers (or controls); e.g., you had to get to a workspace, authn to workstation, the network, then the application
Access Control Models (3 main models)
Access Control Models (3 main models)
- DAC
- MAC
- RBAC
DAC
DAC (Discretionary Access Control)- gives data owners full control of objects; access given via ACL based on Id (rather than roles as in RBAC)
MAC
MAC (Mandatory Access Control)- based on subject clearance + object labels
- Data owners cannot grant access!
- OS makes the decision based on a security label system
- Subject’s label must dominate the object’s label (greater than or equal to)
- Users and Data are given a clearance level (confidential, secret, top secret, etc.)
- Rules for access are configured by the security officer and enforced by the OS.
- focus on confidentiality; difficult & expensive so it’s used for secure programs
Examples: SELinux, Trusted Solaris, Honeywell’s SCOMP, Purple Penelope, LIDS (Linux Intrusion Detection System)
RBAC
RBAC (Role-Based Access Control) (some consider a form of MAC):
- Also called non-discretionary
- Scales better than DAC and helps deter authZ creep
- Role Assignment- users are assigned an active role
- Role Authorization- users only have roles they are authZ for
- Transaction Authorization- only execute authz transactions
Other Access Control Technologies
Access Control Technologies
- Task-based Access Control
- Content Dependent Access Control
- Context (e.g. time) Dependent Access Control
- Rule-based Access Control
- Access Control Matrix
- Constrained User Interface
- Restrict user access by not allowing them to see certain data or have certain functionality (based on the Clark-Wilson model of ‘keep users out of your system’)
IBM Access provisioning lifecycle rules
IBM Access provisioning lifecycle rules
- Password compliance checking
- Notifying users to change password before expiration
- Identifying accounts that should be suspended due to inactivity for more than 30 days
- Identifying unused new accounts
- Identifying accounts for deletion due to being suspended more than 30 days
- Revoking accounts when a contract expires or user leaves
Access Aggregation
Access Aggregation- users gain access to more systems over time
Authorization Creep
Authorization Creep- users gain more entitlements without shedding the old ones
RADIUS
RADIUS- Remote AuthN Dial-In User Service; most often used
- Centralized
- UDP (User Datagram Protocol)
- Provides limited accountability
- Problems with flexibility, scalability, reliability, and security
- Encrypts only password
- Uses PAP, CHAP, or EAP
Request and response carried in AVPs (attribute-value pairs, 8-bit):
- Access-Request
- Access-Accept
- Access-Reject
- Accounting-Request
- Accounting-Response
- Access-Challenge
- Status-Server
- Status-Client
Diameter
Diameter- successor & improver on RADIUS
o Centralized
o Is currently draft standard
o Uses 32 bit AVP
o Support for mobile
o Single server to manage policies
o Uses TCP (Transmission Control Protocol)
TACACS
TACACS (Terminal Access Controller Access Control System)
o Similar function to RADIUS
o UDP (can also use TCP)
o Centralized
o Authn using Id and static (reusable) password >> vulnerability
TACACS+
TACACS+
o TCP
o Centralized
o Multifactor AuthN
o Not backward compatible to TACACS
o Encrypts all data (uname & password) below the header
PAP
PAP (Password Authentication Protocol)
o Password sent in clear text
CHAP
CHAP (Challenge Handshake Authentication Protocol)
o Protection against playback attack
o Uses secret (not sent over the link) known to authenticator and peer for authN
o Possible for mutual authN
o Has stored passwords in clear-text
Three-way authN process: 1) server sends challenge (nonce); 2) client sends hash of challenge and password to server; 3) server compares hash against expected result
Separation of duties
Separation of duties- have more than one user perform sensitive transactions
Rotation of duties
Rotation of duties- helps mitigate collusion; review work of peers
NSI Labels (objects)
NSI Labels (objects)
o Top Secret- exceptionally grave damage to national security
o Secret- serious damage
o Confidential- damage
Additional object labels
Additional object labels:
o Sensitive but unclassified (SBU)
o For Official Use Only (FOUO)
o Sensitive Compartmented Information (SCI)
Access Control Defensive Types
Access Control Defensive Types
o Preventative- prevent actions from occurring, e.g., pre-employment drug screening
o Detective- alert during or after successful attack, e.g., alarm
o Corrective- typically works with detective to correct damage, e.g., anti-virus scan & quarantine
o Recovery- restore system/org functionality, e.g., reload of software or data
o Deterrent- deter users from performing actions, e.g. security sign
o Compensating- additional control to compensate for a weakness
Authentication Methods
o Type 1- Something you know
o Type 2- Something you have
o Type 3- Something you are- biometric
Type 1 authN
Type 1- Something you know
o Static passwords- reusable
o Passphrases- words in a phrase
o One-time Password (OTP)- secure but difficult to manage
o Dynamic passwords- change at regular intervals
Type 2 authN
Type 2- Something you have
o Synchronous dynamic tokens- time or counters to synch a displayed token
o Asynchronous dynamic token- (challenge response tokens), challenge for user to enter info and their pin >> output of device is sent to system, e.g. smartcard
Type 3 authN
Type 3- Something you are- biometric
o Template or file size should be 1K or less
o Should not cause psychological stress
o Must be used by all staff or have compensating controls
o Possible to exchange bodily fluids
Bio Enrollment
Enrollment- user registering: provides name, PIN/password, and bio info
Bio Throughput
Throughput- authN using bio, typically 6-10 seconds
FRR
False Reject Rate (FRR)- type 1 error, authorized subject rejected
FAR
False Accept Rate (FAR)- type 2 error, unauthorized accepted
CER
Crossover Error Rate (CER) or Equal Error Rate (EER)- where FRR = FAR, describes overall accuracy (higher is better)
Fingerprints
Retina scan
Retina scan- laser scan of capillaries; rarely used due to health and privacy issues
Iris scan
Iris scan- picture of iris; high accuracy, passive
Password management (adopted by DoD and MS community)
Password management (adopted by DoD and MS community)
o history = 24
o Maximum age = 90 days
o Minimum age = 2 days
o Minimum length = 8 characters
o Complexity requirements
o No reversible encryption (hashing)
Kerberos
Kerberos- three-headed dog (AAA) guarding Hades
o Used in Windows2000+ and some Unix
o Key distribution model, does not transmit passwords
o Uses DES and AES for encryption
o Symmetric encryption >> protects against sniffing and replay attacks (via timestamps)
o Principals include the User and Network Services
o KDC- Key Distribution Center which authNs principals and sends a Session Key and TGT (Ticket Granting Ticket)
o TGS (Ticket Granting Server)- receives TGT and Session Key from principal and issues C/S (client/server) Key & Service Key (for server) to principal
o Realms – a grouping of principals that a KDC provides service for, looks like a domain name
o Server receives Session Key and Service Key
o KDC and TGS can go down and TGT will still be valid
Weaknesses:
- KDC stores all principals' keys;
- KDC & TGS are single point of failure;
- can steal locally cached credentials;
- plaintext storage of symmetric keys
SESAME
SESAME (Secure European System for Applications in a Multivendor Environment)
o SSO that Adds to Kerberos using PKI
o Uses PACs (Privileged Attribute Certificates) rather than tickets; PACs are digitally signed and contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC.
o PACs come from the Privileged Attribute Server (PAS)
o supports heterogeneous environments
o scalability of public key encryption (asymmetric key); symmetric keys not stored in plaintext
o more sophisticated access control
o better manageability, audit, and delegation
KryptoKnight
KryptoKnight- older obsolete SSO Technology
Security Audit Logs
Security Audit Logs- NIST directs collecting the following logs:
- Network security SW/HW (antivirus, remote access, firewall, authn)
- Operating System (sys events, audit records)
- Application (request, response, operational actions)
Five mistakes:
- Not reviewed regularly or timely
- Not stored long enough
- Not standardized or viewable by toolsets
- Not prioritized
- Only reviewed for the bad stuff