O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Chapter 5 - Identity Management

2.559 visualizações

Publicada em

Identity and Access Management Chapter - Chapter 5

Publicada em: Educação
  • Entre para ver os comentários

Chapter 5 - Identity Management

  1. 1. Identity and Access Management
  2. 2. General Aspects • Object • A passive entity that contains information or functionality • Subject • A user, program or process that requests access to an object or the data within an object • Access • The flow of information between a subject and an object • Access control • Security features that control how user and systems communicate with each other and the resources • Access control systems need to applied in a layered defense-in-depth method • It is the extremely important first line-of-defense
  3. 3. General Aspects • Identification • Describes a method by which a subject claims to have a specific identity • It is the assertion of unique identity for a person or system • It is the critical first step in applying access control • Can be provided by the use of username or account number etc • Authentication • Describes a method to validate a subject claims of who it claims it to be • Authentication involves two step process; entering the public information (identification) and then entering the private information • It establishes trust between the user and the system for the allocation of privileges
  4. 4. • Authorization • Providing access to an authenticated resource based on its rights • Identification and Authentication are “All or nothing” aspects of access control, in contrast authorization occupies a wide range of variations • Accountability • Keeping a track of actions performed by the subject on an object • Identification and auditing are the key aspects for ensuring accountability • Accountability relies on identification and authentication, but it does not require effective authorization Identification provides uniqueness Authentication provides validity Authorization provides control
  5. 5. General Aspects • Permissions • Access granted to subject for an object and determines what you can do with it – tagged to object • Rights • Ability to take an action on an object – tagged to subject • Privileges • Its is a combination of permissions and rights
  6. 6. Identification and Authentication • Three general factors for authentication • Something a person knows (knowledge) • Something a person has (ownership) • Something a person is (characteristic) • Use of more than one factor is called multi-factor authentication • Multi-factor authentication is the most secure authentication mechanism • 1:1 Verification • Measurement of an identity against a single claimed identity • Access card • 1:N verification • Measurement of an identity against multiple identities • Fingerprint database • Mutual Authentication • Two communicating entities must be authenticated to each other before passing data
  7. 7. Identity Proofing and Registration • Process of collecting and verifying information about a person for the purpose of providing an account, credential • It is performed before an account is created or the credential is issued or special privilege is granted • It is more lengthy the first time it is created • FIPS 201-2 is the identity verification chain-of-trust for federal agencies • Chain-of-trust assures all parties involved, that each participating entity followed a vetting process to securely and accurately validate an individuals' identity • Registration happens once Identity Proofing is completed
  8. 8. Authentication Factors Factor Attribute Characteristic Knowledge Type 1 • Based on what is known by the user • Most common authentication option • Subject has to remember the attribute • Eg: password, PIN, Passphrase • Too many factors have to be remembered • If it is shared, the secrecy is lost • It is the least expensive method Ownership Type 2 • Based on something the user has in possession • Eg: Access card, smart card, ID card • Most commonly used in facility or building access control • If lost or stolen, it can result in un-authorized access Characteristic Type 3 • Based on physiological and behaviour of a user • Eg: Biometric, signature dynamic • It is considered intrusive • It is expensive compared to other methods • It is reliable than other methods Place • Somewhere you are, based on the place or identifier of the source • Eg: IP based, Geography based • It isn’t reliable on its own, but effective when used in combination with other factors
  9. 9. Identification Process • Creating and issuing identity should involve 3 aspects • Uniqueness • The identifiers must have a unique identity to be accountable • Non-descriptive • Neither piece of the credential set should indicate the purpose of the account • Issuance • Another authority should be providing the identity after proper verification
  10. 10. Identity Management • Management of uniquely identified entities, their attributes, credentials and entitlements • IdM allows organizations to create and manage digital identity life cycles in a timely and automated fashion • Goals of IdM technology are: • Streamline management of identity, authentication, authorization • Auditing of subjects on multiple systems throughout the organization
  11. 11. IdM - Directories • Directories contain information pertaining to the companies network resources and users • It is a specialized database software that is optimized for reading and searching functionality • It is the main component of an identity management solution • Most directories follow X.500 standard based hierarchical database format and LDAP as the protocol • LDAP allows subjects and objects to interact with each other • SASL (Simple Authentication and Security Layer) for LDAP provides support for a range of authentication types. • Directory service • Manages the entities and data in a directory and also enforces the configured security policy • It allows administrators to configure and manage how IAA and access control take place • Active directory is a directory service in windows environments • It assigns distinguishing names (DN) to each object • Each DN represents the collection of attributes specific to the object • Eg: cn:karthikeyan Dhayalan, dc=CyIntegriti,dc=com
  12. 12. Directory Types Meta-directory Virtual Directory • Gathers the necessary information from multiple sources and stores it in one central repository • Gathers the necessary information from multiple sources and stores the pointers in one central repository • Synchronizes itself with all identity sources periodically to ensure the up-to date information is being used by all applications Synchronizes itself with all identity sources periodically to ensure the up-to date information is being used by all applications • Physically has the identity data in its directory • Does not have the identity data, instead only has pointers to where the actual data resides
  13. 13. X.500 Based Directory • The following rules are for organizing objects in directories that are based on X.500 • Tree structure directory to organize the entries in a parent-child configuration • Each entry has an unique name made up of attributes of a specific object • The attributes are dictated by a defined schema • The unique identifiers are called distinguished names • Schema • It describes the directory structure and what names can be used within the directory
  14. 14. X.400 Standard • Set of guidelines for the message handling systems (email) • The protocol supports two primary functions • Message Transfer • Message Storage • The addresses consist of a series of name/value pairs separated by semicolons
  15. 15. IdM - Web Access Management • Controls, what users can access using web browser when accessing web based enterprise assets • The WAM software is the gateway between users and the corporate web-based resources • This type of access control is commonly put in place to control external entities requesting access to corporate web based resources
  16. 16. Single-Sign On • Allows the user to login one time and then access resources in the environment without having to authenticate again • SSO software intercepts requests from network resources and fills in the necessary identification/authentication information for the user • If the attacker uncovers the credential, all access will become available • It is also a bottleneck or single-point of failure • It is expensive to implement in large complex environments
  17. 17. IdM - Account Management • Deals with creating user accounts on all systems, modifying the account privileges, and decommissioning the accounts • Automated workflow component is common in account management products • It reduces the potential errors that can take place in account management • Account management products are used to setup and maintain internal accounts
  18. 18. IdM - Provisioning • Authoritative Source: • A “system of record” or location where identity information originates and is maintained • It should have the most up-to-date and reliable information • Authoritative system of record • Hierarchical tree like structure that tracks subjects and their authorization changes • It should contain the subjects name, associated accounts, authorization history per account and provision details • User provisioning refers to the creation, maintenance, deactivation of user objects and attributes as they exist in one or more systems • User provisioning software components • Change propagation, self-service workflow, consolidated user administration, delegated user administration and federated change control • It is through provisioning that users are given access or access taken away
  19. 19. IdM – Biometrics • It is one of the most accurate and effective ways of verifying identification • False Rejection Rate (Type 1) • When the system rejects an authorized user from authentication • False Acceptance Rate (Type 2) • When the system allows an un-authorized user to successfully authenticate • Cross over Error Rate (Equal Error Rate) • Represents the point at which FRR and FAR meet • It is expressed in % • Most important measurement in determining the system’s accuracy • When the biometric is too sensitive Type 1 errors are common, when it is not sensitive enough Type 2 errors can happen • Type 2 errors are the most dangerous and hence should be avoided
  20. 20. IdM – Biometrics • The stored sample of biometric data is refered as “Reference Template” or “Reference Profile” • Declaring a match or no match is based on acquired template being similar, but not identical • Some biometric systems also check for liveness detection • Some of the drawbacks are • Cost ~ it is comparatively more expensive than other mechanisms • User Acceptance ~ intrusive biometric models are not preferred by users • Throughput ~ time it takes to authenticate an user may be long • Enrollment time ~ time and effort needed to enroll an user is long
  21. 21. IdM – Biometrics Biometric Type Characteristic Fingerprint • Focuses on the distinctiveness of the ridge endings and the bifurcations exhibited by friction ridges • Most common biometric system • Stores the full fingerprint, hence takes up HDD space and resources Finger-scan • Extracts specific features from the fingerprint and stores only that • Takes up less space and allows for quicker Database queries Palm scan • Looks at the creases, ridges and grooves throughout the palm • It includes the fingerprints of each finger Retina scan • Scans the blood-vessel patterns of the retina on the backside of the eyeball • It is an extremely invasive method, since the information collected can be used in diagnosis of medical condition, it involves a number of privacy issues • It is the most accurate Biometric access method • Used in high-end security applications, such as military bases and nuclear power plants Iris scan • Analyses the coloured portion of the eye that surrounds the pupil • It is the second most accurate Biometric access method • It is more acceptable than Retina scans because there are no privacy concerns • When using Iris system, it is important that sun rays do not directly shine into the aperture • Throughput time is around 2 seconds, hence if number of people need to authenticate in short period of time, it will become bottleneck
  22. 22. Biometric Type Characteristic Signature dynamics • Writing signature produces electrical signals that can be captured by a biometric system • Signature dynamics provides more attributes than a static signature • It relies on pen pressure, stroke pattern, stroke length, does not rely on speed at which the written sample is created Keystroke dynamics • Captures electrical signals when a person types certain phrases • It is more effective than typing a password Voice pattern • Captures a voice print and compares it with the reference database • Used as an additional authentication mechanism; rarely used by itself • Less expensive compared to other technologies; synthesizer should be placed in an area where the voice is not disturbed Facial scan • Scans the bone structure of face, nose ridges, eye widths, forehead size and chin shapes Hand topography • Looks at different peaks and valleys of the hand, along with the overall shape and size • It is not unique enough to authenticate itself and hence is used in conjunction with hand geometry Hand Geometry • Focuses on the shape, length and width of each the hand and each fingers • The speed of recognition is more rapid than fingerprint recognition. But tends to give higher false accept rates than fingerprint recognition Heart/Pulse Patterns • Measures the pulse or heartbeat of a real person • Employed as a secondary authentication method
  23. 23. IdM – Password Hacking techniques Technique Characteristic Electronic monitoring (replay attack) • Listening to network traffic to capture authentication information Access the password file • Usually done on the authentication server • Capturing the file will give access to many users password • Has high damage potential Brute-force attack • Performed through automated tools that cycle many possible combinations on the password dump Dictionary attack • Thousands of dictionary words are compared to a users’ password for a successful match Social Engineering • Falsely convincing an individual to share authentication information Rainbow table • Attacker uses a table that contains all possible passwords in a hash format
  24. 24. Password Protection • Some of the controls to prevent password hacking are • After successful login, popup message capturing the last login data, time and source IP • Introduce clipping levels, beyond which the ID should be disabled or notification sent • Have a finite password lifetime • Have complex and practical password • Using salts to randomize the hashes • Salts are random values added to the encryption process to add more complexity and randomness
  25. 25. IdM - Password Management • Composition Passwords • System generated passwords for initial user creation accounts; it includes two or more unrelated words together with a number of symbol in between • They are easy to generate but should not be used for extended period of times, they are vulnerable to password-guessing attacks • Common Password Management Approaches • Password Synchronization • Password is synchronized across applications; reduces the complexity of remembering multiple passwords • Self-service password reset • Helps the user to reset the password using cognitive passwords; helps reduce support desk call volumes • Assisted password reset • Allows support desk to validate the user before allowing password resets;
  26. 26. Password Management - Synchronization • Synchronizes the password to other systems and applications transparent to the user • Goal is to require the user to remember only one password • The user has to enter the same password for each application to be accessed • If the password is lost all application access is compromised
  27. 27. Cognitive Password / Composition Password • Cognitive Password • Fact or opinion based information used to verify an individual • This authentication model is best for a service a user does not use more commonly • Care should be taken to ensure the authentication attributes are not publicly available • Composition Password • System generated password which includes two unrelated words joined together with a number or symbol in between • These are easy for systems to generate but their lifetime should not be for longer periods because they are vulnerable for password guessing attacks
  28. 28. IdM – One-time password • It is also called dynamic password • It is used in environments that require high level of security • Token device is the most common implementation of OTP • Common implemented in 3 formats • Dedicated physical device with a small screen to display the OTP • A smart phone application • A service that sends sms message to phone
  29. 29. Passphrase • It is a sequence of characters that is longer than a password and, in come cases, takes the place of password for authentication • During the authentication process, the passphrase is transformed to a length and format that is registered with the application. This new character set is called the virtual password • A passphrase is more secure than a password because it is longer and harder to crack
  30. 30. Credential Manager • Credential manager can obtain its information in two ways • Explicit Creation • When users enter a username and password for a target computer or domain, the information is stored and used when the users attempt to log on to an appropriate resource • System Population • When system connects to a resource, it supplies the current username and password, if this is not sufficient CM attempts to supply username and password. All stored username and passwords are examined from the most specific to the least specific as appropriate.
  31. 31. Token Device • A hand held device that has an LCD display and possible keypad • The token device and the authentication service must be synchronized in some manner to be able to authenticate a user • They come in two types • Synchronous tokens • Asynchronous tokens • This type of system is vulnerable to MITM, masquerading attacks • But is not vulnerable to electronic eavesdropping, sniffing, or password guessing
  32. 32. Token Device – Synchronous • Synchronizes with the authentication device by using time or counter • Time-based • The token device and the authentication device must hold the same time within their internal clocks • Time value on the token device and the secret key is used to generate the OTP • Counter (event) based • Token device and authentication server advance to next authentication value based on counter • The counter value and base secret is used to create the OTP • In both the options, it is imperative the token device and the authentication server has the same secret key
  33. 33. Token Device – Asynchronous • This method employs a challenge-response scheme to authenticate the user • Does not use a clock synchronization • Working model • Authentication server sends a challenge (nonce) to user • The user enters this random value into the token • Token encrypts it and returns the OTP • User sends the OTP along with username to the authentication server • Authentication decrypts the value and if it is the same challenge value sent earlier the user is authenticated
  34. 34. Device Fingerprinting • With BYOD prevalent, new type of access control is device fingerprinting • Captures the key attributes of the device and maps it with a user • The user has to enroll the device first time, when attributes like OS, web browser, plug-in, time zone, screen resolution, cookie settings and HTTP headers are captured
  35. 35. Memory Cards • Memory cards can hold information but cannot process it • They are used to hold authentication information • They require a reader to process the information
  36. 36. Smart Cards • Smart card has microprocessor and integrated circuits incorporated into the card • It has capability to process information by itself • US Government personnel are required to carry Common Access cards (CAC) or Personal Identity verification cards (PIV). • Two categories of smart cards • Contact based • The card needs to be placed in contact with the card reader which will supply power and data I/O to the device • Contactless based • The smart card has an antenna wire that surrounds the perimeter of the card • Antenna generates enough energy to power the internal chip • They are resistant to reverse-engineering and tampering attacks • They are costlier than normal overhead of card generation
  37. 37. Smart Card Attacks • Fault Generation Attacks • Introducing computational errors into the cards with the goal of uncovering the encryption keys used and stored in the cards • Some methods include, changing the voltage, clock rate, temperature fluctuation • Attacker analysis the encryption process with induced error against the correct results; the results help reverse engineer the encryption process, revealing the key • Side channel Attacks • These type of attacks are used to uncover the sensitive information about how they work without compromising any type of flaw. • They are primarily used for data collection • Differential power analysis – examines the power emissions during processing • Electromagnetic analysis – examines the frequencies emitted • Timing – how long a specific process takes to complete
  38. 38. Smart Card Attacks • Software attacks • Considered non-invasive attacks • Attack involves inputting instructions into the card to extract information from the card (primarily account information) • Good example is the PoS machines are used to swipe money • Microprobing • More intrusive attack • Involves using needles and ultrasonic vibrations to remove the protective covering over the circuits • Once removed, data can be extracted by directly tapping into the ROM chips
  39. 39. Radio-Frequency Identification (RFID) • Technology that provides data communication over the use of Radio waves • Two components are involved – Tag and Reader • Tag has an integrated circuit for storing and processing data, modulating and demodulating the RF signal • Reader has built-in antenna for reading and receiving the signal • This technology can be integrated into smart cards or other mobile transport technologies for access control purposes • Security Issue: • Data can be captured as it passes between tag and reader • Encryption is not common because RFID is implemented in technologies that has low processing power
  40. 40. Authorization • Access Criteria • Granting access to subject should be based on the level of trust and the need-to-know • Can be enforced by roles, groups, location, time and transaction types Role Based The role is based on job assignment or function It is an efficient way of providing access for user who performs a certain task Group Based Combining users to a group and providing access to the group instead of individual users Another effective way of assigning access control rights Physical or Logical location Providing access based on the location of the subject Eg: Geo based access, IP based access Time of day (Temporal Isolation) Access restrictions are based on the time of the day or the creation date of a file, lifetime for a object Eg: lean hour access restrictions; Transaction-type Can be used to control what data is accesses during a certain type of function and what commands can be carried out on the data
  41. 41. Authorization • Default to No Access • If nothing has been specifically configured for the subject, the subject should not have implicit access to any resources • Access control to default to blocking all requests until a valid access is provided for the subject ~ implicit deny rule • Need to Know • Subjects should be given access only to the information that they absolutely require for performing their job duties • It is similar to least-privilege function • It is the management’s responsibility to decide on the access rights of the user and how the access is authorized • Excessive Privileges • Occurs when users have more privileges than their assigned work tasks dictate. • Authorization Creep (creeping privileges) • Accumulation of excessive rights over time as the user is assigned more and more access rights and permissions • Enforcing least privilege will help in addressing this problem. • Authorization creep results in excessive privileges • Account reviews are effective at discovering Creeping privileges and excessive privileges
  42. 42. Single Sign-On (SSO) • It allows a user to enter their credentials one time and access all pre- authorized resources within the domain • It improves security by reducing the need for the user to remember multiple passwords • It reduces the administrator overhead on time managing the user accounts • Major Disadvantage: • If the credential gets into the hand of the attacker, he has access to all the resources within the domain; kind of single point of failure • Single Sign-on Technologies • Kerberos, Security domains, directory services, thin clients
  43. 43. Kerberos • Kerberos is a de facto authentication standard for heterogeneous networks and used in distributed environments • Its an authentication protocol • It works on a client/server model • Uses Symmetric key algorithm • It has 4 elements necessary for enterprise access control • Transparency, reliability, scalability, security • It provides end-to-end security • Most Kerberos authentications work with shared secret keys, it eliminates the need to share the passwords over the network • Trust is the foundation of Kerberos security • They are extremely time sensitive and often require NTP
  44. 44. Kerberos - components • Key Distribution Centre (KDC) • It is the most important component • It holds all users and services secret keys • Kerberos 5 uses symmetric AES encryption protocol • It provides authentication as well as key distribution service • It provides confidentiality and integrity for authentication traffic using end-to-end encryption and helps prevent against eavesdropping and replay attacks • Clients and services must trust the integrity of the KDC • It provides security services to principals (users, services, applications) • The KDC must have an account and share a secret key with each principle • When a KDC provides security services to a set of principles it is called realm • One KDC can be responsible for one realm or several realms • Realms are used by administrator to group users or services • Kerberos is a open protocol allowing vendors to manipulate it to work properly within their products • Ticket Granting Service (TGS) • A component within KDC • Ticket is generated by the TGS • The ticket enables one principle to authenticate with another principle
  45. 45. Kerberos - components • Authentication Server • Hosts the functions of the KDC: Authentication service (AS) and a Ticket granting Service (TGS) • Ticket Granting Ticket (TGT) • Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects • TGT is encrypted and includes a symmetric key, an expiration time and the user’s IP address • Subjects present the TGT when requesting access to objects • Ticket • Is an encrypted message that provides proof that a subject is authorized to access an object • It is sometimes called a service ticket (ST)
  46. 46. Kerberos – Authentication Process • The principal and KDC share a secret key that is static • The principals share a session key that is dynamic, this key is generated once the principals authenticate each other • At no point will the passwords be shared over the network • When the user logins to the system, the Kerberos client in the system sends the username to the KDC • AS service in KDC verifies the Username in its database, creates a session key encrypts it with the users’s password hash and sends it back to the client • If the client can decrypt it with the hash of the user password that was entered, the user is authenticated to the system • KDC also sends a time-stamped TGT to the client; this gives the client the authenticator to use any other resource in the network
  47. 47. Kerberos – weakness • KDC an be a single point of failure; if KDC goes down no one will be able to access any resource. It must have redundancy • KDC must be able to handle large volumes of requests in a timely manner. Ti must be scalable • Secret keys are temporarily stored on the users machine • Session keys are decrypted and stored on the users machine. • Kerberos is vulnerable to password guessing, KDC does not know if a dictionary attack is taking place • Network traffic is not protected if encryption is not used • Keys are too short and vulnerable to brute-force attacks • It needs all client and server clocks to be synchronized
  48. 48. Security Domains • Domains are a set of resources available to the subjects within this logical structure and are working together under the same security policy • Different domains are segregated by logical boundaries • Domains can be architected in hierarchical manner that dictates the relationship between the different domains and the ways in which subjects within the different domains can communicate • Subjects can access resources from domains of equal or lower trust
  49. 49. Directory Services • It is another single sign-on technology • A network directory service contains information about the different resources and the subjects. • The directory service develops unique distinguishing names for each object and appends the corresponding attribute to each object as needed • The directory service enforces a security policy to control how subjects and objects interact • Directory service based on X.500 standard uses LDAP protocol for access request management • Eg: LPAP, Microsoft AD, NetIQ eDirectory
  50. 50. Thin Clients • Diskless workstations that do not have capability to store much information depend on a central server for logon as well as network resource use • Users are authenticated only to the central server and then are provided access to all authorized and necessary services
  51. 51. Digital Identity • A digital Identity is made up of attributes, entitlements and traits • Attributes can be department, role in the company, shift timing, clearance etc • Entitlements can be resources available, authoritative rights etc • Traits can be biometric information, height, sex etc
  52. 52. Federation • A portable identity that can be used across business boundaries • It allows a user to be authenticated across multiple enterprises • A federation can be composed of multiple unrelated networks within a single organization or multiple organizations sharing a common resource • Members of the organizations match the user identities within an organization to federated identities • Federated Identity management systems use SAML and SPML to meet the requirement for common language between organizations identity process
  53. 53. Federated Identity management Process • Cross-certification model • Each entity must authenticate with every other entity is worthy of its trust • The biggest problem is the scalability issue when more entities start participating • Trusted third party model (bridge model) • Each of the participating entity subscribes to the standard and practices of a third-party that manages the verification and due diligence process for all participating companies • The third-party acts a bridge between the participating organizations for identity verification purposes.
  54. 54. Access control and Markup Languages • Markup language is a way to structure text and data sets; and it dictates how to view and use them • The use of standard markup language allows for interoperability • Hypertext Markup Language (HTML) • it is used to display static web pages. • It was derived from Standard General Markup Language (SGML) and the Generalized Markup Language (GML) • Describes how data is displayed using tags manipulating size and color of text • Extensible Markup Language (XML) • XML universal and foundational standard that provides a structure for other independent markup languages to be built from and still allow for interoperability
  55. 55. Service Provisioning Markup Language (SPML) • SPML allows for exchange of provisioning data between applications residing in one organization or between organizations • It allows for automation of user management, access entitlement configuration, across multiple provisioning systems • It allows for integration and interoperation of service provisioning requests across various platforms • It is based on Directory Service Markup Language (DSML) • Has 3 main entities: • Requesting Authority  Entity that is making up the request to setup a new account or change existing account • Provisioning service provider  software that responds to account requests • Service Target  Entity that carries out provisioning activities on the requested system
  56. 56. Security Assertion Markup Language (SAML) • XML standard that allows the exchange of authentication and authorization data between security domains • It provides the authentication pieces to the Federated Identity management systems • There are three components • Principal – user access requesting • Identity provider – entity authenticating the user • Service provider – entity providing service to the user • SAML does not tell the receiving system how to interpret and use the authentication data • Federated identity systems often use SAML and SPML for access needs • It is used to provided SSO capabilities for browser access • SAML does not have security mode and relies on TLS for message confidentiality and digital signature for message integrity
  57. 57. Simple Object Access Protocol (SOAP) • It is a specification that outlines the way information pertaining to web services is exchanged in a structure manner • It is a simple messaging framework to be used by users to request a service and in turn the service is made available to the user • Transmission of SAML data takes place over SOAP • The use of web services in this manner also allows for organization to provide Service Oriented Architecture (SOA) • SOA is a way to provide independent services residing in different applications in different domains in one consistent manner
  58. 58. Extensible Access Control Markup Language (XACML) • It is used to express security policies and access rights to assets provided through web services and other enterprise applications • It is both an access control policy language and processing model that allows for policies to be interpreted and enforced in a standard manner • XACML uses a subject element, resource element and an action element • It provides assurance to all members in a federation that they are granting the same level of access to different roles • XACML has become popular with software defined networking applications
  59. 59. Scripted Access or Logon Scripts • Establishes communication links by providing an automated process to transmit credentials at the start of the logon session • It can be used to simulate SSO in environments where SSO implementation is not possible • Scripts should be stored in highly protected areas, because they usually contain access credentials in clear text
  60. 60. Once In-Unlimited Access • The user authenticates once and then has access to all the resources participating in the model • In this model the system behind the initial authentication do not have any authentication mechanism to speak of • The fact that the user is able to access the system in the first place means that the user is authorized • Eg: Casinos “unlimited Beer”
  61. 61. Other SSO Examples • SESAME • Ticket based authentication system developed to address the weakness in Kerberos • It did not compensate for all weaknesses and has not be adopted • KryptoKnight • Ticket-based authentication system developed by IBM • It uses peer-to-peer authentication • As incorporated into NetSP product, but never took off.
  62. 62. OpenID • Open standard for user authentication by third-parties • It is very similar to SAML, but the user authentication is maintained by a third-party not by the company • It defines 3 roles • End User: The user who wants to be authenticated • Resource party: The server that owns the resource the end-user is trying to access • OpenID provider: The system in which the end user already has an account and which will authenticate the user to the resource party
  63. 63. OpenAuth • Open standard for user authorization by third-parties • It lets you authorize a website/applications to use something you control at a different website
  64. 64. Access Control
  65. 65. Basic Access Concepts • Permissions: • Refer to the access granted for an object and determine what you can do with it • Rights: • Refers to the ability to take an action on the object • Privileges: • It is the combination of rights and permissions • Implicit Deny: • It is the basic principle of access control • Ensures access to object is denied unless access has been explicitly granted to a subject
  66. 66. Access Control types • Primary Control types • Preventive • Attempts to stop some thing bad from happening • Fence, lock, mantrap, separation of duties, encryption, data classification, penetration testing, smartcards, callback procedures, awareness training • Detective • Detects something anomalous; its an after the fact control • Audit, cctv, motion detectors, job rotation, mandatory vacations, honeypots, IDS, violation reports • Corrective • Modifies the environment to return systems to normal after an incident • Attempts to correct any problem that may have happened • Terminating malicious activity, rebooting the system, backup and restore plans, active intrusion detection systems
  67. 67. Access Control types • Other Control types • Deterrent • Attempts to dissuade someone from carrying out unauthorized activity • Fence, policies, training, CCTV, Lights, security badges, mantraps • Recovery • Attempts to repair or restore resources after a security violation • It is an extension of corrective controls • Backups and restores, fault-tolerant drive systems, system imaging, server clustering, VM Shadowing • Directive • Attempts to direct or control the actions of the subjects to force compliance to the policy • Security standard, posters, escape route maps, monitoring, supervision, procedures • Compensatory • Provides an alternative when the primary control isn’t feasible
  68. 68. Access Control categories • Administrative Access Control • Also called management access control • They focus on people and business practices • Policy, procedures, hiring practices, background checks, data classification, awareness training, reports, testing • Logical Access Control • Also called Technical Access control • Hardware and software mechanisms used to control access • Encryption, constrained interfaces, firewalls, IDS, biometric, password, clipping levels, ACLs • Physical Access Control • Items that we can physically touch • Guards, fences, motion detectors, locks, lights, cable protection, badges, video camera, mantraps
  69. 69. Access Control Models • A framework that dictates how a subject access an object • Three main types of access control models are • Discretionary access control • Mandatory access control • Role based access control • Access control model decision is based on • Business and security goals • Culture • Habits of conducting business
  70. 70. Discretionary Access Control (DAC) • A system using DAC enables the owner to specify which subjects can access specific resources • Control of access is based on the discretion of the owner • Access is restricted based on the authorization granted to the users • The most common implementation of DAC is through Access control lists (ACL) on objects • DAC can be applied to both directory tree structure and the files in it • DAC is considered identity based access control type
  71. 71. Non-Discretionary Access Control • Access decisions are not based at the discretion of the user • They are put in place by the central authoritative entity with the goal of protecting the most critical assets • Administrators centrally administer non-discretionary control and can make changes that affect the entire environment • Rule-based, role-based and lattice-based access controls are considered non-discretionary models
  72. 72. Mandatory Access Control (MAC) • Users do not have the rights to decide who can access objects • MAC model is much more structured and stricter than DAC model and is based on a security label system • Users are given security clearance and data is classified in similar way • The rules of how subjects access objects are defined via the organization’s security policy • OS based on MAC model greatly reduces the amount of rights, permissions and functionality a user has for security purposes • In MAC model, user cannot install software, change permissions, add new users etc. • This type of model is used in environments that places information classification and confidentiality of utmost importance • MAC model have labels while rule-based models do not use labels • The MAC model is often referred to as a lattice-based model • It is based on cooperative interaction between system and Information owner. The system’s decision controls access, and the owner provides the need-to-know control • It is prohibitive than permissive and it uses implicit deny principle • It is more secure than DAC but it isn’t flexible or scalable
  73. 73. MAC System – Sensitivity Labels • Also called security labels • It contains a classification and different categories • Personnel within the organization identify and define their meanings as well as requirements to obtain the label. • Administrators assign labels to subjects and objects • Classification indicates the sensitivity levels • Categories enforce need-to-know and represent compartments of information within a system • Classification follows a hierarchical structure, while categories do not follow a hierarchical scheme • Guards can be used to connect different security modes, and they can be used to connect different networks working at different security levels
  74. 74. MAC System – Environment Types Hierarchical Environment Compartmentalized Environment Hybrid Environment • Relates various classification labels in an ordered structure from low security to high security • Each classification label in the structure is related • Clearance in one level grants the subject access to objects in all levels below it • There is no relationship between one security domain and another • Each domain represents a separate isolated compartment • Subjects must have security clearance for each security domain where it would need to access object • Combines both the environment types • Each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domains • Provides granular control but difficult to manage as it grows
  75. 75. Role-Based Access Control • Access to resources is based on the role/task the user holds within the company • Also called Task Based access control • RBAC is often implemented using groups • It is a centrally administered set of controls to determine how subjects and objects interact • In RBAC a role is defined in terms of the operations and tasks the role will carry out • Rights and permissions are assigned implicitly to the user via the role or group the user inherits • It is best system for companies with high employee turnover
  76. 76. Core RBAC • It is the foundation of RBAC model • Users, roles, permissions, operations and sessions are defined and mapped according to the security policy • The core RBAC • Has a many-to-many relationship among individual users and privileges • Uses a session as a mapping between a user and a subset of assigned roles • Accommodates traditional but robust group-based access control
  77. 77. Hierarchical RBAC • Helps map the organizational structures to the roles based access control • It is an accumulation of rights and permissions of other roles • Supports two types of hierarchies • Limited Hierarchies: only one level of hierarchy is allowed • General Hierarchies: Allows for many levels of hierarchies • Separation of duties is provided by • Static Separation of Duty (SSD) Relations through RBAC: • Helps deter fraud by constraining the combination of privileges • Dynamic Separation of Duties relations through RBAC: • Helps deter fraud by constraining the combination of privileges that can be activated in any session
  78. 78. Role-Based Access Control management types • Non-RBAC: users are mapped directly to applications and no roles are used • Limited RBAC: users are mapped to roles and also directly mapped to some applications that do not support RBAC • Hybrid RBAC: users should be mapped to multiapplication roles with only selected rights assigned to those roles (users will be part of organizational roles, but also in some instances part of specific application roles) • Full RBAC: users are mapped to enterprise roles
  79. 79. Rule Based Access control • Based on specific rules that dictate what can and cannot happen between a subject and a object • This is built on traditional RBAC and hence called RB-RBAC • It is based on the concept of “if X then Y” programming rules • It is not identity based • It allows a developer to define specific and detailed situations in which a subject can or cannot access an object • Rule based access control has been used in MAC systems • Content filtering technologies use Rule-based access control • It is a compulsory access control because administrator set the rules and users cannot modify these • A distinctive characteristic is that they have global rules that apply to all subjects
  80. 80. Attribute Based Access Control • Advanced implementation of the rule based access control • It includes multiple attributes for rules • While rule-based access control applies to all users, ABAC can be much more specific • Administrators create ABAC policies using plain language statements
  81. 81. Access Control Techniques and Technologies • Some of the access control techniques are • Constrained user interfaces • Access control Matrix • Capability table • Access control lists • Content dependent access control • Context dependent access control
  82. 82. Constrained User Interfaces • Restricts user abilities by not allowing them to request or access certain functions • 3 major types • Menus • Options the user is given to execute is limited • Shells • Shells will contain only the commands the administrator wants the user to be able to execute • Database views • Used to restrict user access to data contained in databases
  83. 83. Access Control Matrix • A table of subjects and objects indicating what actions individual subjects can taken upon individual objects • It is usually an attribute of DAC model. The access rights can be assigned directly to the subjects and objects • Capability Table: • Specifies the access rights subjects posses pertaining to objects • Subject is bound to capability table • Access Control Lists: • List of subjects that are authorized to access a specific object • Object is bound to ACLs
  84. 84. Content/Context Dependent Access Control • Content Dependent Access Control • Access to objects is determined by the content within the object • Content dependent devices employ this access control • Context Dependent Access Control • Makes access decisions based on the context of the collection of information rather than on the sensitivity of the data • It reviews the previous actions or the current situations and then takes the decision
  85. 85. Centralized Access Control Administration • One entity is responsible for all access control decisions • The entity configures mechanism to enforce access control • This model provides consistent and uniform method of controlling access rights • Supplies strict control over data • Drawback: • Since only one entity is responsible for all access decisions, it can be slow
  86. 86. RADIUS • Network protocol that provides client/server authentication, authorization and audits remote users • ISPs use RADIUS to authenticate remote users before allowing access to Internet • Allows companies to maintain centralized user profile database • It is an open protocol that can be customized by any vendor • Uses UDP as its transport protocol • Latest versions can be implemented over TCP using TLS encryption • Encrypts user’s password only as it is transmitted between the client and the server • Combines authentication, authorization and accounting functionalities • Has limited number of Attribute-value (28 ) pairs compared to TACACS+ • Works over PPP connection
  87. 87. TACACS • Combines Authentication and Authorization Functions • XTACACS separates authentication, authorization and auditing processes • TACACS+ is XTACACS with extended two-factor user authentication • TACACS uses fixed password for authentication; while TACACS+ allows for users to employ dynamic passwords • TACACS+ is not backword compatible with TACACS and XTACACS
  88. 88. TACACS+ • It uses TCP (49) protocol as its transport protocol • It is the most commonly used Authentication system • Encrypts all data between the client and server • Uses a true authentication, authorization and accounting functionality • TACACS+ has move AVPs, allowing network administrator to define ACLs, filters, user privileges and more • Supports TCP, AppletTalk, NetBIOS, and IPX protocols • Used in environments that require more sophisticated authentication steps and tighter control over more complex authorization activities
  89. 89. Diameter • Built upon the functionality of RADIUS • It is a peer-to-peer based protocol • Used in authentication of mobile devices, wireless devices, Mobile IP, Ethernet over PPP, VoIP • It also supports IPSec and TLS for encryption • Consists of two parts • Base Protocol: • Provides security communication between diameter entities, feature discovery and version negotiations • Extensions: • Built on top of base protocol to allow various technologies to use Diameter for authentication • It is not backward compatible with RADIUS • It uses TCP and Attribute-value pairs (232) • It provides proxy server support • It has better error detection and correction functionality • Has better failover properties and thus provides better network resilience • Diameter uses TCP 3868.
  90. 90. Diameter Functionality • Provides the following AAA functionality: • Authentication • PAP, CHAP, EAP • End-to-End protection of authentication information • Replay attack protection • Authorization • Secure proxy, relays, brokers • State reconciliation • Unsolicited disconnect • Reauthorization on demand • Accounting • Reporting, Roaming operations (ROAMOPS) accounting, event monitoring
  91. 91. Decentralized Access Control • Gives access control decisions to people closer to the resources • Functional manager assigns access control rights to employees • Changes can happen faster • Conflict of interest possibility can arise • It does not provide uniformity and fairness across organization • Certain actions can overlap
  92. 92. Distributed system access control • SQL incorporates many features of Role and rule based access control • Services that are useful in implementing distributed access control include LDAP, capability based Kerberos, XML based XACML
  93. 93. Accountability • Auditing capabilities ensure users are accountable for their actions • Accountability is tracked by recording user, system and application activities • Clipping level or threshold parameters can be set of items for alert trigger • Reviewing audit logs post an event is called event-oriented audit review • Audit-reduction tools help discard mundane task information and records events of interest • Deleting specific incriminating data within audit logs is called scrubbing • The integrity of the audit logs can be ensured with Digital signature, Hashing and strong access control • Confidentiality is maintained by encryption and access controls • The most significant aspect of ensuring accountability is the culture of the organization
  94. 94. Keystroke Monitoring • A type of monitoring that can record and review keystrokes entered by user during an active session • It is usually done in special cases and only for a specific length of time • Organization should ensure it states in its security policy, security training, banner notice about the option of using Keystroke monitoring.
  95. 95. Access Control Monitoring - IDS • Intrusion detection is the process of detecting anomalous activities in a system or network • IDS is designed to aid in mitigating the damage caused by malicious actions • IDS tool is used to detect something suspicious and sound alarm • 3 main components of IDS • Sensor – collect network and user activity traffic and sends to analyzer • Analyzer – looks for suspicious activities from the collected data and alerts the admin interface • Administrator interface – User interface for managing and monitoring the IDS
  96. 96. Two main types of IDS Network Based Host Based Software installed dedicated appliance that has one of its NIC in promiscuous mode Installed on individual server or workstation Promiscuous mode enables NIC to capture all traffic and make a copy Software within the system enables it to inspect all the actions of the system Looks only at network traffic flow Looks only at system activities
  97. 97. IDS Analysis Types • 2 Types • Signature based • Pattern matching • Stateful matching • Anomaly based • Statistical anomaly based • Protocol anomaly based • Traffic anomaly based • Rule or heuristic based
  98. 98. Signature Based IDS • Also known as knowledge based and pattern matching • Developed by vendors based on known attack patterns • Most popular IDS product • Its effectiveness depends on regular update with new signatures • It is weak against new types of attacks because it can recognize only the ones that are known previously
  99. 99. State-Based IDS • State is a snapshot of an OS value in volatile, permanent memory locations • In this model, the initial state is the state prior to the execution of the attack, and compromised state is the state after successful execution of the attack • IDS has rules that outline which state transition sequences should sound an alarm • Its scans for attack signatures in the context of a stream of activity instead of looking at individual packets • Effectiveness is dependent on regular signature update
  100. 100. Statistical Anomaly IDS • It’s a behavior based IDS • Does not use predefined signatures • The IDS is allowed to learn the network traffic to create a baseline, post which any traffic pattern that meets a defined threshold variation will trigger an alert • The key factor is to ensure during learning phase the environment does not have any malicious activity • It can detect Zero Day attacks • It can also detect low and slow attacks • Disadvantages • Prone to serious false-positives in a complex network • Need highly skilled security engineers to investigate the alerts
  101. 101. Protocol Anomaly IDS • Protocol anomaly pertains to the behavior and format of the protocol • IDS has specific knowledge of each protocol they will monitor • Considering protocols are customized there is possibilities for false- positives • Can be used in statistical anomaly-based IDS
  102. 102. Traffic Anomaly IDS • Behavior based IDS has traffic anomaly based filters • They detect changes in the traffic patterns of the network and generate alert • It can detect unknown attacks
  103. 103. Rule Based IDS • It is associated with expert system • Expert system is made up of knowledge base, inference engine and rule-based programming • Knowledge is represented as rules and data to be analyzed is referred as facts • Used IF/THEN rule-based programming to take decisions • The inference engine provides the artificial intelligence into the process
  104. 104. Application Based IDS • Specialized IDS products that can monitor specific applications • They can gather fine-grained and detailed activities of the specific application being monitored • They can capture very specific application attack types, but does not have visibility to more general OS attacks • Predominantly used in applications that carry out encryption functions which may not be inspected by other IDS systems
  105. 105. Honeypot • Enticement: • Setting up the environment that allows an attacker to easily hack into • Entrapment • Setting up the environment and also indicating the users to perform an action with an intention of charging them with violation • It is illegal and cannot be used when charging anyone with hacking attempts
  106. 106. Access Control Threats • Threat are primarily unauthorized individuals attempting unauthorized access to resources • Threat Modelling • Process of identifying, understanding and categorizing potential threats • Goal is to identify a potential list of threats to the system and analyze the threats • It attempts to identify the attackers goals and categorize them based on the priority of the underlying assets
  107. 107. Threat Modelling Approaches • Focused on Assets: • This method uses asset valuation results and attempts to identify threats to the valuable assets • Personnel evaluate the specific threats to determine the susceptibility to attacks • Focused on Attacker: • This method focuses on identifying the attackers and identify the threats they represent based on the attackers goals • Commonly used by governments • Challenge is that this approach will not be able to consider new threats that may not be anticipated • Focused on Software: • Organization developing software consider potential threats to the software
  108. 108. Access control Attacks • Access Aggregation Attacks • Collecting multiple pieces of non-sensitive information and combining them to learn sensitive information • Reconnaissance attacks are access aggregation attacks • Combining defense-in-depth, need-to-know and least privilege helps prevent access aggregation attacks • Dictionary Password Attacks • Attempt to discover password by using every possible password in a pre- defined database • Includes character combinations commonly used as password, but not found in dictionary • It can scan for one-upped-constructed passwords
  109. 109. Access control Attacks • Brute-force Attacks • Attempts to discover passwords for user accounts by systematically attempting all combinations of letters, numbers, symbols. • Uses comparative analysis to guess the password from the hash files • Rainbow tables • Its a database of precomputed password hashes that can be used by password crackers to brute force password attacks • It significantly reduces the time it takes to crack a password • Sniffing Attack (Snooping) • A tool that can capture network traffic. • If it has capability to understand and interpret individual protocols it is called as protocol analyzer • Sniffers are dangerous and very hard to detect • Their activities are difficult to audit
  110. 110. Access control Attacks • Spoofing attack • Also known as masquerading attack • Pretending to be something, someone • Email spoofing, phone number spoofing, IP spoofing • Login spoofing attack can be mitigated by trusted path • Shoulder Surfing • Looking over the shoulder of an individual to read information on the screen • Screen filters help restrict this attack • Phishing • Tricking users to give sensitive information • Spear phishing is a phishing attack targeted to a specific group • Whaling is a phishing attack that is targeted to senior or high profile executives • Vishing is a phishing variant that uses phone or voip.
  111. 111. Karthikeyan Dhayalan MD & Chief Security Partner