Chapter 4_Access Control, Authentication, Authorization and Non-Repudiation .pdf

Full Transcript

CYBERSECURITY FUNDAMENTALS CYB281 Chapter 4 Access Control, Authentication, Authorization and Non-Repudiation 9/17/2024 1 Chapter Objectives ...

CYBERSECURITY FUNDAMENTALS CYB281 Chapter 4 Access Control, Authentication, Authorization and Non-Repudiation 9/17/2024 1 Chapter Objectives Define access control and list the four access control models Describe logical access control methods Explain the different types of physical access control Define the concept of authentication, authorization and nonrepudiation Services. 2 Chapter Contents Overview of access control Authentication, Authorization and Nonrepudiation Identification and authentication techniques Access control techniques Access control methodologies, implementations and administration 3 Access Control Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. 4 Access Control (Cont.) Figure 9-1 Access control process and terminology © Cengage Learning 2012 5 Access Control: Overview Access Controls: The security features that control how users and systems communicate and interact with one another. Access: The flow of information between subject and object Subject: An active entity that requests access to an object or the data in an object Object: A passive entity that contains information  Security Principle CIA Trade 6 Identification, Authentication, and Authorization Identification, Authentication, and Authorization are distinct functions. Identification Method of establishing the subject’s (user, program, process) identity. Authentication Method of proving the identity. Authorization Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources. 7 Identification Identification Method of establishing the subject’s (user, program, process) identity. Use of user name or other public information. Know identification component requirements. When issuing identification values to users, the following should be in place: Each value should be unique, for user accountability; A standard naming scheme should be followed; The value should be non-descriptive of the user’s position or tasks. 8 Authentication Authentication Method of proving the identity. Something a person is, has, or does. Use of biometrics, passwords, passphrase, token, or other private information. Strong Authentication is important To be properly authenticated, the subject is usually required to provide a second piece to the credential set (i.e., password, passphrase, key, PIN, token etc). 9 Authentication Methods There are 3 primary authentication methods. Sensitive or critical information should be protected by employing at least two of them (two-or three-factor authentication). Knowledge -Something you know, such as a password, passphrase or PIN. Ownership -For example, tokens and Smart cards. Characteristics -Biometrics are digitized representations of physical features (such as fingerprints) or physical actions (such as signatures). 10 Authentication Biometrics Verifies an identity by analyzing a unique person attribute or behavior (e.g., what a person “is”). Most expensive way to prove identity, also has difficulties with user acceptance. Many different types of biometric systems, know the most common. 11 Authentication (Cont.) Biometric systems can be hard to compare. Type I Error: False rejection rate. When a biometric system rejects an authorized individual Type II Error: False acceptance rate. When a biometric system accepts an individual who should have been rejected This is an important error to avoid. Crossover Error Rate Rating stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. 12 Authentication (Cont.) Passwords User name + password most common identification, authentication scheme. Weak security mechanism, must implement strong password protections Techniques to attack passwords Electronic monitoring Access the password file Brute Force Attacks Dictionary Attacks Social Engineering 13 Authentication (Cont.) One Time Passwords (aka Dynamic Passwords) Used for authentication purposes and are only good once. This type of system is not vulnerable to electronic eavesdropping, sniffing, or password guessing. Two types of Token Devices (aka Password Generator) Synchronous Time Based Counter Synchronization Asynchronous 14 Authentication (Cont.) Smart Cards and Memory Cards Memory Cards: Holds but cannot process information. Smart Cards: Holds and can process information. Has a microprocessor and integrated circuits incorporated into the card itself. Contact Contactless Significant benefit of smart cards is that the authentication process occurs at the reader, thereby avoiding the trusted- path (protecting logon information between the user and the authentication server) problem. 15 Authorization Authorization Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources. Granting access rights to subjects should be based on the level of trust a company has in a subject and the subject’s need to know. Is a core component of every operating system and established whether a user is authorized to access a particular resource and what actions he is permitted to perform on the resource 16 Authorization (Cont.) Access Criteria can be thought of as: Roles Is an efficient way to assign rights to a type of user who performs a certain task. (job assignment or function). Groups When several users require same type of access to information and resources Location To restrict unauthorized individuals from being able to get in and reconfigure the server remotely. Time Restrict the times that certain actions or services can be accessed. Transaction Types Can be used to control what data is accessed during certain types of functions and what commands can be carried out on the data. 17 Authorization (Cont.) Authorization concepts to keep in mind: Authorization Creep When new access rights and permissions assigned to employee without the old permissions being reviewed and removed. Default to Zero All access controls should be based on the concept of starting with zero access and then building on top of that. Need to Know Principle individuals should be given access only to the information that they absolutely require in order to complete their job duties. Access Control Lists A list of subjects that are authorized to access a particular object. 18 Authorization (Cont.) Problems in controlling access to assets: Different levels of users with different levels of access Resources may be classified differently Diverse identity of data Corporate environments keep changing Solutions that enterprise wide and single sign on solutions supply: User provisioning Password synchronization and reset Centralized auditing and reporting Integrated workflow (increase in productivity) Regulatory compliance 19 Authorization (Cont.) Single Sign On (SSO) Capabilities Allow user credentials to be entered one time and the user is then able to access all resources in primary and secondary network domains SSO technologies include: Kerberos Sesame Security Domains Directory Services Dumb Terminals 20 SSO Process SSOs enable users to logon to the authentication server and still obtain access to all additional authorized networked systems without additional identification and authentication. SSO is also referred to as reduced sign-on, and is used in web- based environments in federated ID management systems. Figure 1: SSO Process 21 SSO Technologies (Cont.) Legacy Single Sign-On (SSO) Although many legacy systems do not support an external means to identify and authenticate their users, it is possible to store user credentials centrally, and automatically enter them where and when needed. The SSO system stores every user’s password to every system. This causes concern with respect to availability: if the SSO system fails, denial of service results. If the SSO is compromised, controls over access to all systems may be lost. Kerberos An SSO open-standards protocol for authentication in a single security domain. Kerberos is an authentication protocol that uses symmetric key encryption in three key pairs: two authentication pairs are shared by the authenticator and a single principal and one session pair is shared between principals. The session-key pair is distributed in such a way that principals are required to trust the authenticator rather than each other. SESAME The Secure European System for Applications in a Multi-Vendor Environment (SESAME) is a protocol developed by the European Union that addresses multiple or disparate security domains. 22 Pros and Cons of SSO Technologies Pros : Efficient log-on process -The user logs on only once to access all authorized systems. Encourages users to create stronger passwords -With only one password to remember and control, users may be inclined to use passwords that are harder and more difficult to crack. Fewer passwords to manage should also result in fewer being written down in unsafe locations. Centralized administration -Ensures consistent application of policy and procedures. Cons : Single point of compromise -A single compromised sign-in allows the intruder into all of the account owner‟s authorized resources. Legacy Interoperability-It may be difficult to include unique computers or legacy systems in the single sign on network. Implementation difficulties-Unusual types of systems may not interface well with SSO software. 23 Access Control Models Three Main Types Discretionary (Unrestricted) Mandatory Non-Discretionary (Role Based) Discretionary Access Control (DAC) A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. Access control is at the discretion of the owner. 24 Access Control Models (cont.) Mandatory Access Control (MAC) Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications. This model is used in environments where information classification and confidentiality is very important (e.g., the military). Non-Discretionary (Role Based) Access Control Models Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact. Is the best system for an organization that has high turnover. 25 Access Control Techniques There are several different access controls and technologies available to support the different models. Rule Based Access Control Constrained User Interfaces Access Control Matrix Content Dependent Access Control Context Dependent Access Control 26 Access Control Techniques (Cont.) Rule Based Access Control Uses specific rules that indicate what can and cannot happen between a subject and an object. Not necessarily identity based. Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism. 27 Access Control Techniques (Cont.) Constrained User Interfaces Restrict user’s access abilities by not allowing them certain types of access, or the ability to request certain functions or information Three major types Menus and Shells Database Views Physically Constrained Interfaces 28 Access Control Techniques (Cont.) Access Control Matrix Is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Two types Capability Table (bound to a subject) Access Control List (bound to an object) 29 Access Control Matrix Object-Oriented Capability Table: Is a collection of access control lists implemented by comparing the column of objects to the rows of subjects. Subject-Oriented Capability Table: Is a collection of access control lists implemented by comparing the column of users or subjects to their rights of access to protected objects. 30 Access Control Techniques (Cont.) Content Dependent Access Control Access to an object is determined by the content within the object. Context Based Access Control Makes access decision based on the context of a collection of information rather than content within an object. First an organization must choose the access control model (DAC, MAC, RBAC). Then the organization must select and implement different access control technologies. Access Control Administration comes in two basic forms: Centralized Decentralized 31 Access Control Administration Centralized Access Control Administration: One entity is responsible for overseeing access to all corporate resources. Provides a consistent and uniform method of controlling access rights. Protocols: Agreed upon ways of communication Attribute Value Pairs: Defined fields that accept certain values. Types of Centralized Access Control Radius TACAS Diameter 32 RADIUS Remote Authentication Dial In User Service. Is a client/server authentication protocol and authenticates and authorizes remote users. Most ISPs uses Radius to authenticate customers before they are allowed to access the Internet. Radius is an open protocol and can be used in different types of implementations. Uses UDP as a transport protocol Only encrypts the user’s password as it is being transmitted from Radius client to the radius server. Is appropriate protocol when simplistic username/password authentication can take place and users only need an “accept” or “deny” for obtaining access. 33 TACACS Terminal Access Controller Access Control System. Uses TCP as a transport protocol. Encrypts all user data and does not have the vulnerabilities that are inherent in the radius protocol. Presents true AAA (Authentication, authorization, and accounting) architecture. 34 Diameter Protocol that has been developed to build upon the functionality of radius and overcome many of its limitations. It is an IETF standard defined in (RFC 3588) The various applications that require AAA functions can define their own extensions on top of the Diameter base protocol, and can benefit from the general capabilities provided by the Diameter base protocol. Figure 2: Diameter Protocol 35 Decentralized Access Control Administration Decentralized Access Control Administration: Gives control of access to the people who are closer to the resources Has no methods for consistent control, lacks proper consistency. 36 Access Control Practices Know the access control tasks that need to be accomplished regularly to ensure satisfactory security. Best practices include: Deny access to anonymous accounts Enforce strict access criteria Suspend inactive accounts Replace default passwords Enforce password rotation Audit and review Protect audit logs 37 Access Control Practices (Cont.) Unauthorized Disclosure of Information Object Reuse Data Hiding Emanation Security Tempest Project started by the Department of Defense (DoD) and then turned into a standard that outlines how to develop countermeasures that control spurious electrical signals that are emitted by electronic equipment. White Noise A uniform spectrum of random electrical signals. Control Zone Creates a security perimeter and is constructed to protect against unauthorized access to data or compromise of sensitive information. 38 Access Control Monitoring Intrusion Detection Three Common Components Sensors Analyzers Administrator Interfaces Common Types Intrusion Detection Intrusion Prevention Honeypots Network Sniffers 39 Access Control Monitoring (Cont.) Two Main Types of Intrusion Detection Systems Network Based (NIDS) Host Based (HIDS) HIDS and NIDS can be: Signature Based Statistical Anomaly Based Protocol Anomaly Based Traffic Anomaly Based Rule Based 40 Access Control Monitoring (Cont.) Intrusion Prevention Systems Is a preventative and proactive technology, IDS is a detective technology. Two types: Network Based (NIPS) and Host Based (HIPS) Honeypots An attractive offering that hopes to lure attackers away from critical systems Network sniffers A general term for programs or devices that are able to examine traffic on a LAN segment. 41 Non-Repudiation A Non-Repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent. Thus, a non-repudiation service provides evidence to prevent a person from unilaterally modifying or terminating legal obligations arising out of a transaction effected by computer-based means. 42 Non-Repudiation (Cont.) Types of non-repudiation: Non-repudiation of origin Non-repudiation of submission Non-repudiation of delivery 43 Non-repudiation of origin Originator’s Digital Signature with Certificate Message Digital Signature: Hash of Message encrypted with private key of originator. Certificate of Digital Signature: Certificate by trusted party containing public key of originator. Key-Revocation Possibility: Time of key revocation is crucial, message needs to contain a time stamp. Stored at recipient. 44 Non-repudiation of submission Messages are handled by a delivery system Not under control of sender Reasonably efficient in sending messages Delivery system can send receipt to sender. 45 Non-repudiation of delivery Recipient Acknowledgment with Signature Recipient signs digest of received message and sends it back to the sender. “Reluctant recipient problem” 46 Non-repudiation of delivery (Cont.) Trusted Delivery Agent Akin to process server Police officer, deputy delivering summons or subpoena. Delivery agent is trusted when attesting to handing message to recipient Delivery agent signs digest of message and returns it to sender after handing it to the receiver. 47 Non-repudiation of delivery (Cont.) Progressive Delivery Reports Mail transfer protocol hands messages from one mail server to the next. Possible to send reports from each mail server. E-mail header has a record of those hand-offs Unfortunately, these might be faked, too. 48

Use Quizgecko on...
Browser
Browser