
ACCESS CONTROL SYSTEMS

Access control systems are here to preserve information and make sure it is consistent and there
when you need it (integrity). To ensure this, we classify people and separate them
(separation of duties). That way we know who does what and what access to give them
to what. The money you spend on access control must not exceed the value of the information
you're protecting. You determine the value of the information you're protecting by qualitative
and quantitative methods.

Access control systems do 3 things:

1. Prevention of the modification of info by unauthorized users
2. Prevention of modification of info by authorized users
3. Preservation of internal and external consistency

Availability: systems must be available, ensuring that the system's authorized users have
uninterrupted access.

3 things must be considered for the planning of access control mechanisms:
threat, risk, and vulnerability.

One important term you will come across is "least privilege". When an access system
grants users only those rights necessary for them to perform their work, then it is
operating on the least privilege security principle. Least privilege addresses
INTEGRITY!

Controls

Controls are implemented to mitigate risk and reduce the potential for loss.
Controls can be preventive, detective or corrective.

Preventive controls = put in place to inhibit harmful occurrences
Detective controls = established to discover harmful occurrences
Corrective controls = used to restore systems that are victims of attack

To implement these measures, controls can be the following:

Administrative – monitoring the procedures people do, such as vacation time, work
habit checks, increased supervision, background checks. Also responsible for security
awareness training.

Logical/technical – protection of info through encryption, biometrics, smart cards
etc.

Physical controls – locks, securing rooms, protection of cables, separation of
duties.

Controls provide accountability for individuals who are accessing sensitive information.

Models for controlling access:

This involves controlling access by a subject (person) to an object (file). In other
words, allowing/disallowing your employees rights by implementing these 3 terms. Use
the following 3 terms to determine what type of control to assign to different individuals
in your company.

Mandatory access control – (utilizes sensitivity labels) determined by rules, not
by the identity of the subjects or objects alone. So if Rodney is cleared for secret,
he should only read secret: not anything higher, not anything lower. Here, people are
cleared by their "label", just like documents that are labeled "secret, top secret etc.".
The subject's label indicates their clearance, and the object's label indicates its sensitivity.
In M.A.C., the sensitivity labels contain the item's classification and category set. Here,
the system determines access. Types: rule based

Discretionary access control – identity based. Based on the subject's identity… who
they are. This subject has some authority. Discretionary access control is widely used in
commercial environments.
Discretionary control is the most common type of access control mechanism
implemented in computer systems today. The basis of this kind of security is that an
individual user, or a program operating on the user's behalf, is allowed to specify explicitly
the types of access other users (or programs executing on their behalf)
Types: identity based; user-directed

Non-discretionary control – here a central authority determines what subjects can
have access to certain objects, based on the organizational security policy. Role based and
task based. In an organization where there are frequent personnel changes, this is perfect,
because this control is based on the person's role (job duties). Types: lattice; role based;
task based
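The three models above, side by side in code. This is an added example written for these notes, not code from the original; the subjects (Rodney, Alice, Bob), the files, the roles and the label ordering are all constructed. The MAC check implemented here is label dominance (the subject's clearance level is at least the object's level and the subject's category set covers the object's categories), DAC is an owner-managed access list, and the role based model keeps the person-to-role mapping separate from the role-to-permission policy so a job change touches only the first.

```python
"""Toy implementations of MAC (sensitivity labels), DAC (owner-managed
rights) and role-based non-discretionary control.  Added example, not from
the original notes; subjects, objects, roles and levels are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Linear ordering of classification levels, lowest first (constructed).
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification plus a category set (need-to-know)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label's level is at least other's and its category
        set includes every category of other."""
        return (LEVELS.index(self.classification) >= LEVELS.index(other.classification)
                and self.categories >= other.categories)


def mac_can_read(clearance: Label, obj: Label) -> bool:
    """Mandatory access control: the rule decides, not who the subject is.
    Read is permitted only when the clearance dominates the object's label."""
    return clearance.dominates(obj)


class DacObject:
    """Discretionary access control: the owner specifies which other subjects
    get which rights, and may delegate that ability with the 'grant' right."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, grantor: str, grantee: str, right: str) -> None:
        if "grant" not in self.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} may not grant rights on this object")
        self.acl.setdefault(grantee, set()).add(right)

    def allowed(self, subject: str, right: str) -> bool:
        return right in self.acl.get(subject, set())


# Non-discretionary (role based): a central policy maps roles to permissions
# and people to roles.  Both tables are constructed.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payroll_clerk": {("payroll.db", "read"), ("payroll.db", "write")},
    "auditor": {("payroll.db", "read"), ("audit.log", "read")},
}
USER_ROLES: Dict[str, Set[str]] = {"rodney": {"payroll_clerk"}, "alice": {"auditor"}}


def rbac_allowed(user: str, obj: str, right: str) -> bool:
    return any((obj, right) in ROLE_PERMISSIONS[role]
               for role in USER_ROLES.get(user, set()))


def reassign(user: str, roles: Set[str]) -> None:
    """Personnel change: swap the person's roles; no per-object ACL to edit."""
    USER_ROLES[user] = set(roles)


if __name__ == "__main__":
    rodney = Label("secret", frozenset({"payroll"}))
    print("MAC: Rodney reads a secret/payroll file:",
          mac_can_read(rodney, Label("secret", frozenset({"payroll"}))))
    print("MAC: Rodney reads a top secret file:",
          mac_can_read(rodney, Label("top secret", frozenset({"payroll"}))))
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("DAC: Bob may read Alice's document:", doc.allowed("bob", "read"))
    print("RBAC: Rodney may write payroll.db:", rbac_allowed("rodney", "payroll.db", "write"))
```

Note the difference in who decides: in `mac_can_read` nothing about Rodney matters except his label, in `DacObject` Alice decides for her own file, and in `rbac_allowed` only the central tables decide.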

Control combos

-preventive/admin
-preventive/tech
-preventive/physical
-detective/admin
-detective/tech
-detective/physical

Preventive/admin – emphasis on "soft mechanisms". Does pre-employment background
checks, classification labeling, vacation scheduling, awareness training, organizational
policies and procedures.

Preventive/tech (logical controls) – uses technology to enforce access control policies. Can be
built into the OS or be software, or can be protocols, encryption, smart cards, biometrics.

Preventive/physical – intended to restrict physical access to areas with systems
holding sensitive info (aka the security perimeter): fences, badges, guards, dogs, multiple
doors. Also used for backup data and storage areas.

Detective/admin – similar to preventive/admin. Organizational policies and procedures,
background checks, increased supervision, job rotation, review of audit records.

Detective/tech – intended to reveal violations of security policy. IDS systems and/or audit
generating programs. You must protect audit logs (event viewer logs) so that you can see
what's going on.

Detective/physical – usually require a human to evaluate input from cameras, motion
detectors, and thermal detectors.

Identification and Authentication

Identification: establishes user accountability for the actions on a system.
Identification is the act of a user professing an identity to a system, usually in the
form of a logon ID. Authentication is verification that the person is who they say they are.

AUTHENTICATION IS BASED ON THESE FACTORS

Type 1. Something you know, such as a PIN or password
Type 2. Something you have, such as an ATM card/smart card
Type 3. Something you are (fingerprint/retina scan)

Sometimes you have 2-factor authentication. For example, withdrawing funds from an ATM:
you must have the ATM card (something you have) and you must know the PIN (something
you know).
PASSWORDS
A good password should be 8 characters. Use a password adviser.
Dynamic – changes with each logon
Static – same password every time
Token – in the form of a credit card. Used to supply static and dynamic passwords.
Something you have!
One-time password – a new password is required for each new logon.
(Password synchronization – less intrusive, improved security, lower costs)
SMART CARDS – very effective form of authentication. RELIABLE!

The following are the four types of smart cards (tokens):

Static password tokens –
Synchronous dynamic tokens – done in a time period. New password each time.
Asynchronous dynamic password tokens – similar to above, except no time windows.
Challenge response – has an authentication mechanism in the workstation which determines if
the owner should be authenticated.
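The three dynamic token types above, modelled with both the token side and the verifying side. This is an added example written for these notes, not code from the original; the shared secret, the 30-second window, the 6-digit code length and the counter look-ahead are constructed choices. The code derivation is the HMAC truncation from RFC 4226 (HOTP), standing in for whatever a particular vendor's token computes.

```python
"""Synchronous (time-window), asynchronous (event-counter) and
challenge-response tokens with their server-side checks.  Added example,
not from the original notes; SECRET, STEP, DIGITS and look_ahead are constructed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Callable

SECRET = b"constructed-shared-secret"   # provisioned into both token and server
STEP = 30                                # seconds per synchronous window
DIGITS = 6


def _code(key: bytes, counter: int) -> str:
    """Short decimal code from HMAC-SHA1 over an 8-byte counter
    (the dynamic truncation defined by RFC 4226 HOTP)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SynchronousToken:
    """Synchronous dynamic: the code depends on the current time window, so
    token and server clocks must stay roughly in step."""
    def __init__(self, key: bytes, clock: Callable[[], float] = time.time) -> None:
        self.key, self.clock = key, clock

    def code(self) -> str:
        return _code(self.key, int(self.clock()) // STEP)


def verify_synchronous(key: bytes, code: str, now: float, skew: int = 1) -> bool:
    """Server side: accept the current window plus `skew` windows either side
    to tolerate small clock drift; anything further out is rejected."""
    window = int(now) // STEP
    return any(hmac.compare_digest(_code(key, window + d), code)
               for d in range(-skew, skew + 1))


class AsynchronousToken:
    """Asynchronous dynamic: an event counter replaces the clock, so there is
    no time window; each press yields the next code in the sequence."""
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def code(self) -> str:
        self.counter += 1
        return _code(self.key, self.counter)


class AsynchronousVerifier:
    """Server side: search a few counters ahead of the last accepted one and
    never accept a counter at or below it, so a used code cannot be replayed."""
    def __init__(self, key: bytes, look_ahead: int = 5) -> None:
        self.key, self.look_ahead, self.last = key, look_ahead, 0

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.look_ahead):
            if hmac.compare_digest(_code(self.key, c), code):
                self.last = c
                return True
        return False


def challenge() -> bytes:
    """Challenge-response, server side: a fresh random nonce per attempt."""
    return secrets.token_bytes(16)


def respond(key: bytes, nonce: bytes) -> str:
    """Challenge-response, token side: keyed MAC over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


def verify_response(key: bytes, nonce: bytes, response: str) -> bool:
    return hmac.compare_digest(respond(key, nonce), response)
```

The verifiers are where the security lives: the synchronous check bounds clock skew, the asynchronous check moves `last` forward so a captured code is dead after one use, and the challenge-response check ties each answer to a nonce the server just generated.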

MANTRAPS MEASURE BODY WEIGHT

BIOMETRICS – a 1-to-1 search to verify a person's claim of identity so that they can be authenticated.

An automated means of identification. Companies measure the performance of
biometric systems in 3 ways:

-false rejection rate – percent of valid subjects that are falsely rejected
-false acceptance rate – percentage of invalid subjects that are falsely accepted
-crossover error rate – percent at which the false rejection rate equals the false
acceptance rate

A good biometric system should do 10 subjects per minute (throughput).
Acceptable enrollment time is 2 minutes (enrollment time).
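How the three rates are computed from a matcher's scores, and how the crossover point is found. This is an added example written for these notes, not from the original; the genuine and impostor scores below are constructed, not measurements of any real system.

```python
"""False rejection rate, false acceptance rate and crossover error rate from
match scores, plus the throughput check.  Added example, not from the
original notes; GENUINE and IMPOSTOR are constructed score lists."""
from typing import List, Tuple

# Constructed similarity scores (0..1) a matcher might produce.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]   # valid subjects
IMPOSTOR = [0.62, 0.58, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20]  # invalid subjects


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate: percent of valid subjects scoring below the threshold."""
    return 100.0 * sum(s < threshold for s in genuine) / len(genuine)


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate: percent of invalid subjects scoring at or above it."""
    return 100.0 * sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return the one
    where FRR and FAR are closest, together with the rate there (the CER)."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(frr(genuine, t) - far(impostor, t)))
    return best, (frr(genuine, best) + far(impostor, best)) / 2


def throughput_ok(seconds_per_subject: float, target_per_minute: float = 10) -> bool:
    """Does the system meet the 10 subjects per minute figure from the notes?"""
    return 60.0 / seconds_per_subject >= target_per_minute


if __name__ == "__main__":
    for t in (0.50, 0.58, 0.70):
        print(f"threshold {t:.2f}: FRR {frr(GENUINE, t):5.1f}%  FAR {far(IMPOSTOR, t):5.1f}%")
    print("crossover (threshold, CER%):", crossover(GENUINE, IMPOSTOR))
```

Raising the threshold lowers FAR and raises FRR; the crossover is the single figure vendors quote because it does not depend on where a particular site sets that threshold.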

ONE PROBLEM: position the iris scanner so the sun doesn't shine into the aperture!

BIOMETRIC CHARACTERISTICS:

1. fingerprints (features from fingerprints are stored)
2. retina scans (blood vessel pattern)
3. iris scans
4. facial scans
5. palm scans
6. hand geometry
7. voice
8. handwriting

Single Sign On (ex: Passport)

Addresses the cumbersome situation of logging on multiple times to access different
resources. A user provides one ID and password per work session and is automatically
logged on to all required applications. For security, do not store passwords in the clear. The
advantage of SSO is that you can have stronger passwords (users won't have to remember,
or worse, write down, multiple passwords).

KERBEROS, SESAME, KRYPTOKNIGHT, and NETSP all utilize this.


AUTHENTICATION PROTOCOLS

1. Kerberos authenticates clients to other entities on a network and facilitates
communications through assignment of session keys (temporary keys). Dependent upon
symmetric ciphers (private key cryptography). Kerberos systems use private keys, and a
Kerberos server must have copies of all keys on it, which requires a great deal of physical
security. In contrast, in a properly designed PKI the public-key server contains only public keys or
public certificates. The private keys of a PKI should be stored on the client machines, in a
cryptographically secure manner. KERBEROS PREVENTS REPLAY ATTACKS! Subject to
password guessing.

2. SESAME – authenticates by using the first block of a message only, not the complete message.
Subject to password guessing. Developed to address weaknesses in Kerberos.

3. KryptoKnight – from IBM. Provides authentication, SSO, and key distribution services.
Designed to support computers with widely varying computational capabilities. Uses a
KDC. The KDC authenticates the user and sends the user a ticket encrypted with a secret key. NETSP
is based on KryptoKnight.

The difference between KryptoKnight and Kerberos is that there are peer-to-peer relations
among the parties.

Access Control methodologies

Access control implementations can be divided into two domains: centralized and
decentralized. Below are different recommendations for accessing a network remotely (ex:
PPP, SLIP, PPTP etc.).

1. Centralized Access control

(A) For dial-up users, the standard RADIUS can be used. RADIUS incorporates
an authentication server and dynamic passwords. Callback can also be used. (Call
forwarding defeats callback.)

(B) Another approach for dialing in (remote access) is CHAP, Challenge
Handshake Authentication Protocol. CHAP encrypts.

(C) For networked applications, use TACACS. It uses a static password.
TACACS+ is even stronger, using tokens for a two-factor dynamic password.

2. Decentralized/distributed access control

A powerful approach to controlling access to info in a decentralized environment
is through the use of databases.

(A) Relational Database security

Has three parts:

1. data structures called tables or relations
2. integrity rules on allowable values
3. operators on the data in the tables

The description of the database is called a schema, and the schema is defined by a
DDL (data description language).

For security, the DBMS can be set up so that only certain subjects are permitted to
perform certain operations on the database. For example, a particular user can be
restricted to certain info in the database and will not be allowed to view any other
info. You can define this as a "view": a filter that only allows individuals to see
the things they are allowed to see. In this way, the view can be thought of as
implementing least privilege.

A relation is the basis of a relational database and is represented by a two-dimensional
table.

NOTE* Referential integrity requires that for any foreign key attribute, the
referenced relation must have a tuple with the same value for its primary key.

DATA NORMALIZATION – ensures that attributes in a table depend only on the
primary key. This process makes it easier to maintain data and have consistent reports.
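A view as a least-privilege filter and the referential integrity rule from the note above, both exercised against a small database. This is an added example written for these notes, not from the original; the schema, rows and view are constructed, and it uses Python's standard-library sqlite3 module. SQLite has no user accounts, so the per-subject restriction is shown by querying the view only; in a DBMS with accounts the same design is a GRANT on the view and no grant on the base table.

```python
"""A view that hides columns and rows, and a foreign-key integrity check,
using sqlite3.  Added example, not from the original notes; the department
and employee tables and their rows are constructed."""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # enforce referential integrity in SQLite
    conn.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id),  -- foreign key
            salary  INTEGER NOT NULL CHECK (salary >= 0)              -- integrity rule
        );
        INSERT INTO department VALUES (1, 'Payroll'), (2, 'Engineering');
        INSERT INTO employee VALUES
            (10, 'Rodney', 1, 52000), (11, 'Alice', 2, 61000), (12, 'Bob', 2, 58000);
        -- The view exposes only Engineering names; the salary column is absent.
        CREATE VIEW engineering_directory AS
            SELECT e.name AS name, d.name AS department
            FROM employee e JOIN department d ON d.dept_id = e.dept_id
            WHERE d.name = 'Engineering';
    """)
    return conn


def directory_rows(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Everything a subject limited to the view can see."""
    return conn.execute(
        "SELECT name, department FROM engineering_directory ORDER BY name").fetchall()


def view_exposes_salary(conn: sqlite3.Connection) -> bool:
    """A filtered column cannot be selected through the view at all."""
    try:
        conn.execute("SELECT salary FROM engineering_directory")
        return True
    except sqlite3.OperationalError:   # no such column
        return False


def add_employee(conn: sqlite3.Connection, emp_id: int, name: str,
                 dept_id: int, salary: int) -> bool:
    """Insert a tuple; False when an integrity rule rejects it, e.g. a dept_id
    with no matching department primary key (referential integrity) or a
    negative salary (the CHECK rule)."""
    try:
        with conn:
            conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?)",
                         (emp_id, name, dept_id, salary))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print("view rows:", directory_rows(db))
    print("salary visible through view:", view_exposes_salary(db))
    print("orphan row accepted:", add_employee(db, 14, "Mallory", 99, 1))
```

The view is the filter the notes describe: Rodney's row (Payroll) and every salary are simply not part of what the restricted subject can query, and the DBMS, not application code, rejects a row whose foreign key points at no department.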

(B) SQL (made by IBM)

Is a standard data manipulation and relational database definition language.

(C) Object Oriented Databases (OODB)

Relational database models are ideal for business transactions where most of the
information is in text form.
OODBs are useful in storing and manipulating complex data like images and
graphics, but they have a steep learning curve and high overhead.

IDS

A system that is used to monitor network traffic or monitor host audit logs to determine if
any violations of an organization's security policy have taken place. An IDS can detect
intrusions that have passed through a firewall or are occurring within the LAN behind the
firewall.

A truly effective IDS will detect common attacks as they are occurring.

NETWORK BASED IDS – (NIC in sniffer mode)

Involves real-time info. Passive IDS. A network based IDS reviews packets and headers.

The problem with this IDS is that it will not detect attacks against a host made by an
intruder who is logged in at the host's terminal.

HOST BASED – (on 1 machine, doesn't monitor the network!)

Host based IDS reviews the system's event logs in order to detect an attack on the host
and to determine if the attack was successful. As you can imagine, the detection capabilities
of host based ID systems are limited by the incompleteness of the operating system's
"logging" abilities. Uses "AGENTS".

IDS DETECTION METHODS

An IDS detects an attack through 2 mechanisms: signature based ID or statistical
anomaly based ID.

SIGNATURE BASED (aka knowledge based) – shows attacks. Uses a database of
previous attacks and known vulnerabilities. Compares to your IDS rules to determine if an
attack was successful.

Weaknesses are that you can't detect attacks that are launched over a long period of time.
Why? Because only attack signatures stored in the database are detected, and if
the attacker is slow, the IDS system is unlikely to be able to store all the signatures. Also, new
attacks go unnoticed.

Statistical Anomaly based ID (aka behavior based) – THEY LEARN!

With this method, an IDS acquires data and defines a "normal" usage profile. With this
approach, new attacks can be detected because they produce "abnormal" statistics. The
disadvantage is pretty apparent here: it will not detect an attack that does not
significantly change the operating system characteristics, or it may falsely detect a non-attack
event that had caused a momentary anomaly in the system. HIGH FALSE
ALARM RATE
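The two detection methods run over the same constructed access log, so the trade-off above is visible: the single slow request that matches a stored signature is caught only by the signature detector, and the burst of ordinary-looking requests with no signature is caught only by the anomaly detector. This is an added example written for these notes, not code from the original or any IDS product; the log lines, the baseline counts, the two signatures and the 3-sigma threshold are all constructed.

```python
"""Signature based versus statistical anomaly based detection over a
constructed web-server access log.  Added example, not from the original
notes; SIGNATURES, BASELINE and make_sample_log() are constructed."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Signature database: one pattern per known attack string (constructed;
# a real knowledge base holds thousands).
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql keyword in url": re.compile(r"union\s+select", re.IGNORECASE),
}

# Requests per source seen in an earlier "normal" window: the learned profile (constructed).
BASELINE: Dict[str, int] = {"10.0.0.5": 12, "10.0.0.6": 10, "10.0.0.8": 11, "10.0.0.9": 9}

# Common-log-style line: source, two dashes, [time], "request", status.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})')


def make_sample_log() -> List[str]:
    """Constructed window: a little normal traffic, one slow traversal attempt
    from 10.0.0.7, and a burst of harmless-looking requests from 10.0.0.9."""
    lines = [f'10.0.0.5 - - [10:00:0{i}] "GET /index.html HTTP/1.1" 200' for i in range(3)]
    lines.append('10.0.0.7 - - [10:00:05] "GET /static/../../app.conf HTTP/1.1" 404')
    lines += [f'10.0.0.9 - - [10:01:{i:02d}] "GET /search?q=item{i} HTTP/1.1" 200'
              for i in range(20)]
    return lines


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Knowledge based: alert only when a request matches a stored signature."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(m["request"]):
                alerts.append((m["src"], name))
    return alerts


def anomaly_alerts(lines: List[str], baseline: Dict[str, int], k: float = 3.0) -> List[str]:
    """Behaviour based: flag any source whose request count in this window is
    more than k standard deviations above the learned normal profile."""
    mean = statistics.mean(baseline.values())
    limit = mean + k * statistics.stdev(baseline.values())
    counts = Counter(m["src"] for m in map(LINE.match, lines) if m)
    return sorted(src for src, n in counts.items() if n > limit)


if __name__ == "__main__":
    log = make_sample_log()
    print("signature alerts:", signature_alerts(log))
    print("anomaly alerts:  ", anomaly_alerts(log, BASELINE))
```

Lowering `k` makes the anomaly detector catch quieter deviations at the price of the high false alarm rate the notes warn about; adding signatures makes the other detector catch more, but only for attacks already in the database.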

ACCOUNTABILITY

Individuals on a system are responsible for their actions. Accountability is supported by
audit trails. Monitoring individual activities, such as keystroke monitoring, should be done
IAW (in accordance with) company policy.

The following measures are used to compensate for both internal and external access
violations:

-backups
-RAID
-fault tolerance
-business continuity planning
-insurance
