2. Topics to be covered
• Overview
• Access control implementation
• Types of access control
• MAC & DAC
• Orange Book
• Authentication
• Passwords
• Biometrics
• Tokens/SSO
• Kerberos
• Attacks/Vulnerabilities/Monitoring
• IDS
• Object reuse
• TEMPEST
• RAS access control
• Penetration Testing
3. What is access control?
• Access controls are the collection of mechanisms that specify what users can do on the system, such as what resources they can access and what operations they can perform.
• The ability to allow only authorized users, programs or processes system or resource access
• The granting or denying, according to a particular security model, of certain permissions to access a resource
• An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
4. The Big Three
Confidentiality
• An attack on confidentiality is when an entity, such as a person, program, or computer, gains unauthorized access to sensitive information.
Integrity
• An attack on integrity occurs when an unauthorized entity gains access and tampers with a system resource. Another type of integrity attack occurs when an unauthorized entity inserts objects into the system or performs an unauthorized modification.
Availability
• An attack on availability is when an asset on the system is destroyed, rendered unavailable, or caused to be unusable.
5. Access control cont…
Authentication
• Process through which one proves and verifies certain information
Identification
• Process through which one ascertains the identity of another person or entity
Separation of Duties
• A process is designed so that separate steps / operations must be performed by different people.
• Collusion is an agreement among two or more people to commit fraud.
Least Privilege
• A policy that limits both the system’s users and processes to access only those resources necessary to perform assigned functions.
6. How can AC be implemented?
Hardware
Software
• Application
• Protocol (Kerberos, IPSec…)
Physical
Logical (policies)
7. Access Control Protects
• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system (Win2K, NT, Unix, Vines, NetWare…) is based on a secure physical infrastructure
• Protection from threats
• Prepares for minimal impact
• Accountability
8. Proactive access control
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures
9. Physical Control
• Guards
• Locks
• Mantraps
• ID badges
• CCTV, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs
10. Technical (Logical) Controls
• Access control software, such as firewalls, proxy servers
• Anti-virus software
• Passwords
• Smart cards/biometrics/badge systems
• Encryption
• Dial-up callback systems
• Audit trails
• Intrusion detection systems (IDSs)
11. Administrative Control
• Policies and procedures
• Security awareness training
• Separation of duties
• Security reviews and audits
• Rotation of duties
• Procedures for recruiting and terminating employees
• Security clearances
• Background checks
• Alert supervision
• Performance evaluations
• Mandatory vacation time
12. AC & privacy issues
• Expectation of privacy
• Policies
• Monitoring activity, Internet usage, e-mail
• Login banners should detail expectations of privacy and state levels of monitoring
13. Types of Access Control
• Mandatory (MAC)
• Discretionary (DAC)
• Lattice / Role Based / Task Based
• Formal models:
  • Bell-La Padula – Focuses on the confidentiality of classified information
  • Biba – Rules for the protection of information integrity
  • Take/Grant – A directed graph to specify the rights that a subject can transfer to, or take from, another subject
  • Clark/Wilson – The integrity model based on well-formed transactions
14. Mandatory Access Control
• Assigns sensitivity levels, AKA labels
• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
• Only the administrators, not object owners, may change the object level
• Generally more secure than DAC
• Orange Book B-level
• Used in systems where security is critical, e.g., military
• Hard to program for and configure & implement
15. Mandatory Access Control cont…
• Downgrade in performance
• Relies on the system to control access
• Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
• All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
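The label rules behind the example above (no read up, no write down, labels changed only by administrators) as a small reference-monitor model. This is an added illustration, not code from any real MAC system; the level names, compartments and the `Store` class are constructed here.

```python
# Bell-LaPadula style mandatory access control, as the MAC slides describe.
# Constructed illustration: a label is (level, compartments) and labels form a
# lattice ordered by "dominates".  Not taken from any real system.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(a, b):
    """Label a dominates label b: higher-or-equal level and a superset of compartments."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and set(ca) >= set(cb)


def mac_allows(subject_label, object_label, op):
    """Reference monitor decision for one access request."""
    if op == "read":
        # Simple security property: no read up.
        return dominates(subject_label, object_label)
    if op == "write":
        # *-property: no write down.  Writing secret data into a confidential file
        # is refused because the file's label does not dominate the subject's.
        # (Strict BLP still permits a "blind" write up; many systems narrow this
        # to equal labels.)
        return dominates(object_label, subject_label)
    raise ValueError(f"unknown operation {op!r}")


class Store:
    """Objects carry system-assigned labels; only administrators may relabel them."""

    def __init__(self):
        self.labels = {}

    def create(self, name, label):
        self.labels[name] = label

    def relabel(self, actor_is_admin, name, new_label):
        # Owning an object gives no say over its label under MAC, unlike DAC.
        if not actor_is_admin:
            return False
        self.labels[name] = new_label
        return True

    def access(self, subject_label, name, op):
        return mac_allows(subject_label, self.labels[name], op)
```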
16. Discretionary Access Control
• Access is restricted based on the authorization granted to the user
• Orange Book C-level
• Prime use to separate and protect users from unauthorized data
• Used by Unix, NT, NetWare, Linux, Vines, etc.
• Relies on the object owner to control access
17. Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, in what method and at what time
• Different operating systems have different ACL terms
• Types of access: Read/Write/Create/Execute/Modify/Delete/Rename
18. Standard UNIX file permissions

Permission    Allowed action, if object is a file    Allowed action, if object is a directory
R (read)      Read contents of the file              List contents of the directory
X (execute)   Execute file as a program              Search the directory
W (write)     Change file contents                   Add, rename, create files and subdirectories
19. Standard NT file permissions

Permission     Allowed action, if object is a file    Allowed action, if object is a directory
No access      None                                   None
List           N/A                                    RX
Read           RX                                     RX
Add            N/A                                    WX
Add & Read     N/A                                    RWX
Change         RWXD                                   RWXD
Full Control   All                                    All

R - Read, X - Execute, W - Write, D - Delete
20. MAC vs. DAC
Discretionary Access Control
• You decide how you want to protect and share your data
Mandatory Access Control
• The system decides how the data will be shared
21. Problems with formal models
• Based on a static infrastructure
• Defined and succinct policies
• These do not work in corporate systems, which are extremely dynamic and constantly changing
• None of the formal models deals with:
  • Viruses/active content
  • Trojan horses
  • Firewalls
• Limited documentation on how to build these systems
22. Orange Book
• DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
• Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
• For stand-alone systems only
• Windows NT has a C2 utility; it does many things, including disabling networking
23. Orange Book levels
• A - Verified protection: A1
• B - MAC: B1/B2/B3
• C - DAC: C1/C2
• D - Minimal security. Systems that have been evaluated, but failed
24. The Orange Book Limitations
• Based on an old model, Bell-La Padula
• Stand-alone, no way to network systems
• Systems take a long time (1-2 years) to certify
• Any changes (hot fixes, service packs, patches) break the certification
• Has not adapted to changes in client-server and corporate computing
• Certification is expensive
• For the most part, not used outside of the government sector
25. Red Book
• Used to extend the Orange Book to networks
• Actually two works:
  • Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
  • Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
26. Authentication
Three types of authentication:
• Something you know - Password, PIN, mother’s maiden name, passphrase…
• Something you have - ATM card, smart card, token, key, ID badge, driver license, passport…
• Something you are - Fingerprint, voice scan, iris scan, retina scan, DNA…
27. Multi-factor authentication
• 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
  • ATM card + PIN
  • Credit card + signature
  • PIN + fingerprint
  • Username + Password (NetWare, Unix, NT default)
• 3-factor authentication -- For highest security
  • Username + Password + Fingerprint
  • Username + Passcode + SecurID token
28. Problems with passwords
• Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
• Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
• Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
• Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
29. Classic password rules
• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
• Don’t use:
  • common names, DOB, spouse, phone #, etc.
  • words found in dictionaries
  • "password" as a password
  • system defaults
30. Password management
• Configure system to use strong passwords
• Set password age and length limits
• Limit unsuccessful logins
• Limit concurrent connections
• Enable auditing
• Have policies for password resets and changes
• Use last login dates in banners
31. Password Attacks
• Dictionary
  • Crack
  • John the Ripper
• Brute force
  • l0phtcrack
• Hybrid attack
  • Dictionary and brute force
• Trojan horse login program
• Password-sending Trojans
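A checker that turns the "Classic password rules" slide into code and, because of the hybrid attack listed above, also tests the word left after stripping leading and trailing digits or symbols. This is an added example, not from the original deck; the word list, default-password list, minimum length and the personal details are constructed here.

```python
import re

# Constructed stand-ins: a cracking wordlist, vendor default passwords and the
# personal details an attacker could learn about the user.  Not real data.
WORDLIST = {"password", "welcome", "dragon", "letmein", "monkey", "secret", "type"}
SYSTEM_DEFAULTS = {"admin", "changeme", "supervisor", "guest"}
MIN_LENGTH = 8  # assumed policy value; the slides set no specific length

# Leading/trailing non-letters, which a hybrid attack would simply append to a word.
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def _digits(s):
    return re.sub(r"\D", "", s)


def check_password(candidate, personal):
    """Return the rule violations for a candidate password (empty list = acceptable).

    personal maps a field name (name, pet, dob, phone...) to a value an attacker
    might guess; both the text and the digits of each value are checked.
    """
    problems = []
    low = candidate.lower()
    stem = _EDGE_JUNK.sub("", low)  # e.g. "dragon99!" -> "dragon"

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in WORDLIST or stem in WORDLIST:
        problems.append("dictionary word (possibly with digits/symbols appended)")
    if low in SYSTEM_DEFAULTS:
        problems.append("system default password")
    if low.isalpha():
        problems.append("letters only: add a digit or special character")

    for field, value in personal.items():
        v = str(value).lower()
        if len(v) >= 3 and v in low:
            problems.append(f"contains personal information ({field})")
        d = _digits(v)
        if len(d) >= 4 and d in _digits(candidate):
            problems.append(f"contains digits from personal information ({field})")
    return problems
```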
32. Biometrics
• Authenticating a user via human characteristics
• Using measurable physical characteristics of a person to prove their identification
  • Fingerprint
  • Signature dynamics
  • Iris
  • Retina
  • Voice
  • Face
  • DNA, blood
33. Advantages of fingerprint-based biometrics
• Can’t be lent like a physical key or token and can’t be forgotten like a password
• Good compromise between ease of use, template size, cost and accuracy
• Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
• Basically lasts forever -- or at least until amputation or dismemberment
• Makes network login & authentication effortless
34. Biometric Disadvantages
• Still relatively expensive per user
• Companies & products are often new & immature
• No common API or other standard
• Some hesitancy for user acceptance
35. Biometric privacy issues
• Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
• Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
• Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
36. Practical biometric applications
• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Social Security, welfare, etc.)
• Verifying identities at point of sale
• Using in conjunction with ATM, credit or smart cards
• Controlling physical access to office buildings or homes
• Protecting personal property
• Protecting against kidnapping in schools, play areas, etc.
• Protecting children from fatal gun accidents
• Voting/passports/visas & immigration
41. Single sign-on
• User has one password for all enterprise systems and applications
• That way, one strong password can be remembered and used
• All of a user's accounts can be quickly created on hire, deleted on dismissal
• Hard to implement and get working
• Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509
42. Kerberos
• Part of MIT’s Project Athena
• Kerberos is an authentication protocol used for network-wide authentication
• All software must be kerberized
• Tickets, authenticators, key distribution center (KDC)
• Divided into realms
• Kerberos is the three-headed dog that guards the entrance to Hades (this won’t be on the test)
43. Kerberos Roles
• KDC divided into Authentication Server & Ticket Granting Server (TGS)
• Authentication Server - authenticates the identities of entities on the network
• TGS - Generates unique session keys between two parties. Parties then use these session keys for message encryption
44. Kerberos Authentication
• User must have an account on the KDC
• KDC must be a trusted server in a secured location
• Shares a DES key with each user
• When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
• User provides ticket and authenticator to the application, which processes them for validity and will then grant access.
45. Problems with Kerberos
• Each piece of software must be kerberized
• Requires synchronized time clocks
• Relies on UDP, which is often blocked by many firewalls
• Kerberos v4 binds tickets to a single network address for a host. Hosts with multiple NICs will have problems using tickets
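The ticket-and-authenticator exchange from the "Kerberos Authentication" slide, with the service-side checks that explain why synchronized clocks are needed. This is an added toy model, not MIT's Kerberos code: the principals, keys, lifetime and skew values are constructed, the AS and TGS steps are collapsed into one KDC exchange, and `seal`/`unseal` stand in for DES.

```python
import hashlib
import hmac
import json
import os
# Constructed toy of the Kerberos flow on the slides (not MIT's code): the KDC shares a
# long-term key with every principal, hands the user a ticket sealed under the service's
# key plus a session key, and the user proves freshness with a timestamped authenticator.
KEYS = {
    "alice": hashlib.sha256(b"alice-password").digest(),       # derived from the user's password
    "fileserver": hashlib.sha256(b"fileserver-key").digest(),  # service key, known to the KDC
}
TICKET_LIFETIME = 3600  # seconds
MAX_CLOCK_SKEW = 300    # seconds; the reason Kerberos needs synchronised clocks

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption of a JSON object (stand-in for DES): nonce || ct || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue(user, service, now):
    """KDC (AS and TGS collapsed into one exchange): a reply only the user's key can open."""
    session = os.urandom(16).hex()
    ticket = seal(KEYS[service], {"user": user, "session": session, "expires": now + TICKET_LIFETIME})
    return seal(KEYS[user], {"service": service, "session": session, "ticket": ticket.hex()})

def client_prepare(user, reply, now):
    """User opens the reply, keeps the session key and builds a timestamped authenticator."""
    r = unseal(KEYS[user], reply)
    return bytes.fromhex(r["ticket"]), seal(bytes.fromhex(r["session"]), {"user": user, "ts": now})

def service_verify(service, ticket, authenticator, now, seen):
    """Service side: returns (accepted, user-or-reason). `seen` is its replay cache."""
    t = unseal(KEYS[service], ticket)  # only the service's key opens the ticket
    if now > t["expires"]:
        return False, "ticket expired"
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a["user"] != t["user"]:
        return False, "authenticator does not match ticket"
    if abs(now - a["ts"]) > MAX_CLOCK_SKEW:
        return False, "clock skew too large"
    if (a["user"], a["ts"]) in seen:
        return False, "replayed authenticator"
    seen.add((a["user"], a["ts"]))
    return True, t["user"]
```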
46. Attacks
• Passive attack - Monitor network traffic and then use data obtained or perform a replay attack. Hard to detect
• Active attack - Attacker is actively trying to break in.
  • Exploit system vulnerabilities
  • Spoofing
  • Crypto attacks
• Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation
  • Smurf, SYN flood, Ping of death
  • Mail bombs
48. Monitoring
• IDS
  • Network based and host based (signature and anomaly detection)
• Logs
  • System logs and audit logs
• Audit trails
• Network tools
  • Network Monitor (sniffers and SNMP-based tools)
  • Tivoli
  • Spectrum
  • OpenView
49. Intrusion Detection Systems
• IDS monitors system or network for attacks
• IDS engine has a library and set of signatures that identify an attack
• Adds defense in depth
• Should be used in conjunction with a system scanner (CyberCop, ISS S3) for maximum security
50. Object reuse
• Must ensure that magnetic media does not retain any remanence of previous data
• Also applies to buffers, cache and other memory allocation
• Required at TCSEC B2/B3/A1 level
• Secure Deletion of Data from Magnetic and Solid-State Memory
• Documents recently declassified
• Objects must be declassified
• Magnetic media must be degaussed or have secure overwrites
51. TEMPEST
• Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
• TEMPEST certified equipment, which encases the hardware into a tight, metal construct, shields the electromagnetic emanations
• WANG Federal is the leading provider of TEMPEST hardware
• TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
• Rooms & buildings can be TEMPEST-certified
• TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents
52. Banners
• Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
• Not foolproof, but a good start, especially from a legal perspective
• Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
53. RAS access control
• RADIUS (Remote Authentication Dial-In User Service) - client/server protocol & software that enables RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
• TACACS/TACACS+ (Terminal Access Controller Access Control System) - Authentication protocol that allows a RAS to forward a user's logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS). May 1997 - TACACS and XTACACS are considered Cisco End-of-Maintenance
54. Penetration Testing
• Basically measuring the security of your network by breaking into it
• Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
  • Discovery and footprint analysis
  • Exploitation
  • Physical security assessment
  • Social engineering
• Attempt to identify vulnerabilities and gain access to critical systems within organization
• Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
• Assessments allow client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real-life business risks
55. Rule of least privilege
• One of the most fundamental principles of infosec
• States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can cause
• Physical security example: car ignition key vs. door key
56. Implementing least privilege
• Ensure that only a minimal set of users have root access
• Don’t make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
• Don’t run insecure programs on the firewall or other trusted hosts