Lecture 6 Access Controls PDF
David Kim, Michael G. Solomon
Information Technology Security
Lecture 6: Access Controls

Recommended Reading: Fundamentals of Information Systems Security, 4th ed. Author: David Kim, Michael G. Solomon, 2023. Chapter 6: Access Controls
OR
Recommended Reading: Fundamentals of Information Systems Security, 3rd ed. Author: David Kim, Michael G. Solomon, 2018. Chapter 5: Access Controls

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company. Fundamentals of Information Systems Security, www.jblearning.com, Page 1. All rights reserved.

Learning Objective(s)
▪ Explain the role of access controls in an IT infrastructure.

Key Concepts
▪ Access control concepts and technologies
▪ Formal models of access control
▪ How identity is managed by access control
▪ Developing and maintaining system access controls

Defining Access Control
▪ The process of protecting a resource so that it is used only by those allowed to
▪ Prevents unauthorized use
▪ Mitigations put into place to protect a resource from a threat

Four Phases of Access Control
Identification: Who is asking to access the asset?
Authentication: Can their identities be verified?
Authorization: What, exactly, can the requestor access? And what can they do?
Accountability: How are actions traced to an individual to ensure the person who makes data or system changes can be identified?
Policy Definition and Policy Enforcement Phases
▪ Policy definition phase—Who has access and what systems or resources they can use. Tied to the authorization phase.
▪ Policy enforcement phase—Grants or rejects requests for access based on the authorizations defined in the first phase. Tied to the identification, authentication, and accountability phases.

Two Types of Access Controls
▪ Physical: Controls entry into buildings, parking lots, and protected areas
▪ Logical: Controls access to a computer system or network

Physical Access Control
▪ Smart cards are an example
▪ Programmed with an ID number
▪ Used at parking lots, elevators, office doors
▪ Shared office buildings may require an additional after-hours card
▪ Cards control access to physical resources
Where can your student card get you to?

Logical Access Control
▪ Deciding which users can get into a system
▪ Monitoring what each user does on that system
▪ Restraining or influencing a user's behavior on that system
What can you do with student logging?

What is a kernel?
▪ The kernel is the essential center of a computer operating system (OS). It is the core that provides basic services for all other parts of the OS. It is the main layer between the OS and hardware, and it helps with process and memory management, file systems, device control and networking.
The Security Kernel
▪ Enforces access control for computer systems
▪ Central point of access control
▪ Implements the reference monitor concept

What is a security kernel?
▪ It is the core of a secure computing environment, which can be implemented in the form of a hardware component installed in a computer or network topology, a software implementation, or a firmware system installed in a computer microchip. By whatever means, the kernel becomes the central location for establishing access permissions for a computer or network's resources.
▪ The reference monitor is a module that controls all software access to data objects or devices. The reference monitor verifies the nature of the request against a table of allowable access types for each process on the system.

Enforcing Access Control
1. The subject requests access to an object. The security kernel intercepts the request.
2. The security kernel refers to its rules base, also known as the security kernel database. It uses these rules to determine access rights. Access rights are set according to the policies an organization has defined.
3. The kernel allows or denies access based on the defined access rules. All access requests handled by the system are logged for later tracking and analysis.
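A toy security kernel that walks the three enforcement steps above, added here as an illustration rather than code from the lecture or the textbook. The policy definition phase fills the rules base; the enforcement phase identifies and authenticates the subject, consults the rules base with a default-deny outcome, and writes every decision to an audit log. The users, object names and credentials are constructed for the demo.

```python
# Added example (not from the slides): a minimal security kernel / reference
# monitor. register_user and grant belong to the policy definition phase;
# request is the policy enforcement phase (steps 1-3 on the slide).
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SecurityKernel:
    # Rules base ("security kernel database"): (subject, object) -> allowed actions
    rules: dict = field(default_factory=dict)
    # Identification store: username -> (salt, PBKDF2 hash of the password)
    credentials: dict = field(default_factory=dict)
    # Accountability: every intercepted request is appended here, allowed or not
    audit_log: list = field(default_factory=list)

    # --- policy definition phase (tied to authorization) ---
    def register_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.credentials[user] = (salt, digest)

    def grant(self, subject: str, obj: str, *actions: str) -> None:
        self.rules.setdefault((subject, obj), set()).update(actions)

    # --- policy enforcement phase (identification, authentication, accountability) ---
    def _authenticate(self, user: str, password: str) -> bool:
        if user not in self.credentials:          # identification failed
            return False
        salt, expected = self.credentials[user]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, expected)

    def request(self, user: str, password: str, obj: str, action: str) -> bool:
        """Step 1: intercept. Step 2: consult the rules base. Step 3: decide and log."""
        if not self._authenticate(user, password):
            decision, reason = False, "authentication failed"
        elif action in self.rules.get((user, obj), set()):
            decision, reason = True, "rule matched"
        else:
            decision, reason = False, "no rule (default deny)"   # closed policy
        self.audit_log.append((user, obj, action, decision, reason))
        return decision


def demo() -> SecurityKernel:
    """Constructed scenario: one granted read, one unauthorized write, one unknown user."""
    k = SecurityKernel()
    k.register_user("alice", "correct horse")      # constructed demo credential
    k.grant("alice", "/payroll.db", "read")
    k.request("alice", "correct horse", "/payroll.db", "read")     # allowed
    k.request("alice", "correct horse", "/payroll.db", "write")    # denied: no rule
    k.request("mallory", "guess", "/payroll.db", "read")           # denied: unknown subject
    return k
```

Note that the denied requests are logged with their reason: the accountability phase depends on recording failures as well as successes.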
Drafting Access Control Policies
Four central components of access control policy:
Users: People who use the system, or processes (subjects)
Resources: Protected objects in the system
Actions: Activities that authorized users can perform on resources
Relationships: Optional conditions that exist between users and resources

Logical Access Control Solutions
Biometrics: Static: fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry. Dynamic: voice inflections, keyboard strokes, and signature motions
Tokens: Synchronous or asynchronous; smart cards and memory cards
Passwords: Stringent password controls for users; account lockout policies; auditing logon events
Single sign-on: Kerberos process; Secure European System for Applications in a Multi-Vendor Environment (SESAME)

Asynchronous vs Synchronous Tokens
(figure)

Smart Cards Access Control
(figure)
Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet.
Pluggable Authentication Modules (PAM)
Authorization Policies
(figure: Group membership policy, Authority-level policy, User-assigned privileges)
An authorization policy either grants or excludes permission to a user or user group, acting in one or more roles, to perform an operation on a type of object, for a resource which is scoped by its resource type. The elements of an authorization policy are described below:
User: Who initiates the operation?
User group: A set of users who can initiate the operation.
Role: A collection of permissions that can be assigned to users or user groups.
Operation: An action such as create, delete, modify, distribute, or view.
Object type: A categorization of the object that the operation is performed on. For example, monitoring data, event, or role.
Resource: The entity that the operation is being performed against, such as a specific managed system group or managed system.
Resource type: A categorization of the resource. Managed system groups, managed systems, and sets of roles are the predefined resource types.

Methods and Guidelines for Identification
Methods: Username, Smart card, Biometrics
Guidelines: Actions, Accounting

Authentication Types
Knowledge: Something you know
Ownership: Something you have (smart card)
Characteristics: Something unique to you
Location: Somewhere you are
Action: Something you do/how you do it

Authentication by Knowledge
▪ Password: Weak passwords are easily cracked by brute-force or dictionary attack. What are password best practices?
▪ Passphrase: Stronger than a password. A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. Typical passwords range from 8-16 characters on average, while passphrases can reach up to 100 characters in length.
▪ Account lockout policies
▪ Audit logon events

Authentication by Ownership
▪ Synchronous token—Time-based synchronization system: Two Factor Authentication (TF-A) and Time-based One-Time Password (OTP) that changes in time intervals; the current time is used to generate it.
  Event-based synchronization system: Event-based OTP. Press a button to get a token to access; every click event generates a new OTP.
  Continuous authentication: Proximity authentication is the process of authenticating users of a system via their presence (proximity) using either a proximity token or a smartphone. If the user is in close enough proximity to the computer, then a prepared set of credentials is automatically verified and the user is authenticated.
▪ Asynchronous token—Calculates a number at both the authentication server and the device
▪ USB token
▪ Smart card
▪ Memory cards (magnetic stripe)

Asynchronous Token Challenge-Response
(figure)
Authentication by Characteristics/Biometrics
Static (physiological) measures: What you are
Dynamic (behavioral) measures: What you do

Concerns Surrounding Biometrics
Accuracy
Reaction time
Acceptability

Types of Biometrics
Facial recognition, Voice pattern, Fingerprint, Keystroke dynamics, Palm print, Iris scan, Hand geometry, Retina scan, Signature dynamics

Authentication by Location and Action
▪ Location: Strong indicator of authenticity. Additional information to suggest granting or denying access to a resource.
▪ Action: Stores the patterns or nuances of how you do something. Record typing patterns.

Authentication by Location
(figure)

Authentication by Action
(two figure slides)
Single Sign-On (SSO)
▪ Sign on to a computer or network once
▪ Identification and authorization credentials allow the user to access all computers and systems where authorized
▪ Reduces human error
▪ Difficult to put in place

SSO Processes (Implementation)
Kerberos
Secure European System for Applications in a Multi-Vendor Environment (SESAME)
Lightweight Directory Access Protocol (LDAP)

Policies and Procedures for Accountability
Log files
Monitoring and reviews
Data retention
Media disposal
Compliance requirements

Formal Models of Access Control
Discretionary access control (DAC)
Mandatory access control (MAC)
Nondiscretionary access control
Rule-based access control

Discretionary Access Control
▪ OS DAC: The owner of the resource decides who gets in and changes permissions as needed
▪ Considerations when setting up an OS-based DAC policy: access control method (a user or a group of users); new user registration; periodic review (stop them when they are no longer needed)
▪ Application-based DAC: The application denies access based on context or content. The application presents only options that are authorised for the current user.
OS-Based DAC example
(figure)

Application-Based DAC example
(figure)

Mandatory Access Control
▪ Determine the level of restriction by how sensitive the resource is (classification label)
▪ System and owner make the decision to allow access
▪ Temporal isolation/time-of-day restrictions (restricts access to specific times: it first classifies the sensitivity level of objects, then allows access to those objects only at certain times)
▪ MAC is stronger than DAC
The system and the owner jointly make the decision to allow access. The owner gives the need-to-know element. Not all users with a privilege or clearance level for sensitive material need access to all sensitive information. The system compares the subject and object labels.

MAC Bell-La Padula confidentiality model
(figure: Top Secret, Secret, Official)

MAC Subjects and Objects labels
▪ Sensitivity labels, or classifications, are applied to all objects (resources).
▪ Privilege- or clearance-level labels are assigned to all subjects (users or programs).
▪ In the UK, security clearance (otherwise referred to as National Security Vetting, or NSV) is straightforward – namely, something that enables the holder to have access to certain information.
▪ There are five main levels of security clearance in the UK: Baseline Personnel Security Standard (BPSS); Security Check (SC) and (eSC); Counter-Terrorism Check (CTC); Developed Vetting (DV); Enhanced Developed Vetting (eDV)

Rule-Based Access Control
Also known as Attribute-Based Access Control (ABAC), rule-based access control is based on a list of rules that determine who should be granted access. Data owners make or allow the rules. They specify the privileges granted to users, such as read, write, and execute. The success of rule-based access control depends on the level of trust you have with the data owners.

Nondiscretionary Access Control
▪ Access rules are closely managed by a security administrator, not the system owner or ordinary users.
▪ Sensitive files are write-protected for integrity and readable only by authorised users
▪ More secure than discretionary access control
▪ Ensures that system security is enforced and tamperproof

Nondiscretionary Access Control (Official Clearance)
(figure)
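The label comparison that the MAC and Bell-La Padula slides describe, written out as an added example (not code from the lecture or the textbook). Levels are the three shown on the Bell-La Padula slide; the owner's need-to-know element is modelled as a set of compartments on each label, which is an assumption about how the slides' "need-to-know" would be represented. Subject and object names are constructed.

```python
# Added example (not from the slides): Bell-LaPadula checks over labels.
# A subject may read an object only if its clearance dominates the object's
# classification (no read up) and may write only if the object's label
# dominates its own (no write down). "Dominates" covers both the level and
# the need-to-know compartments.
from dataclasses import dataclass, field

LEVELS = {"Official": 0, "Secret": 1, "Top Secret": 2}   # ordering from the slide


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)   # need-to-know

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high as 'other' in level AND
        carries every compartment that 'other' carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down. A Secret subject may not copy data into an
    # Official document, even one it is allowed to read.
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> bool:
    """Reference-monitor style decision; unknown actions are denied (closed policy)."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    return False


def demo() -> dict:
    """Constructed subject: a Secret-cleared analyst with need-to-know for PAYROLL."""
    analyst = Label("Secret", frozenset({"PAYROLL"}))
    return {
        "read Official": decide(analyst, Label("Official"), "read"),                     # allowed
        "read Top Secret": decide(analyst, Label("Top Secret"), "read"),                 # no read up
        "read Secret/HR": decide(analyst, Label("Secret", frozenset({"HR"})), "read"),   # no need-to-know
        "write Official": decide(analyst, Label("Official"), "write"),                   # no write down
    }
```

The Biba integrity model listed later in the deck is the same comparison with the two properties reversed (no read down, no write up).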
Access Control Lists (ACL)
Linux and OS X
Permissions: Read, write, execute
Applied to: File owners, groups, global users

Linux and OS X ACL Example
(two figure slides)

Access Control Lists (cont.)
Windows
Share permissions: Full, change, read, deny
Security permissions: Full, modify, list folder contents, read-execute, read, write, special, deny

Windows ACL Example
(figure)

Role-Based Access Control
Another type of access control is role-based access control (RBAC). An RBAC policy bases access control approvals on the jobs the user is assigned.

MAC, DAC or RBAC (Role-Based AC)
(figure)

Content-Dependent Access Control
Access to the objects is based on the content within the object. Example: database views, e-mail filtering, etc.
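How the Linux/OS X read, write, execute bits for owner, group and global users are evaluated for a request, as an added example that is not part of the slides. The detail worth knowing is that the kernel picks exactly one class (owner, group, or other) for the calling process and uses only that class's bits, so an owner whose own bits are cleared is denied even if the group bits would allow it. The root-bypass rule follows Linux behaviour; all uids, gids and modes are constructed.

```python
# Added example (not from the slides): evaluating classic Unix mode bits.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits only, e.g. 0o640
    uid: int    # file owner
    gid: int    # file group


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset   # primary plus supplementary groups


REQUEST_BITS = {"read": 4, "write": 2, "execute": 1}


def permission_class(proc: Process, ino: Inode) -> str:
    """Exactly one class applies, checked in this order; there is no fallback."""
    if proc.uid == ino.uid:
        return "owner"
    if ino.gid in proc.gids:
        return "group"
    return "other"


def allowed(proc: Process, ino: Inode, action: str) -> bool:
    if proc.uid == 0:
        # root bypasses read/write bits; execute still needs at least one x bit
        return action != "execute" or bool(ino.mode & 0o111)
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(proc, ino)]
    class_bits = (ino.mode >> shift) & 0o7
    return bool(class_bits & REQUEST_BITS[action])


def mode_string(mode: int) -> str:
    """Render the bits the way ls -l shows them, e.g. 0o640 -> 'rw-r-----'."""
    return stat.filemode(mode | stat.S_IFREG)[1:]


def demo() -> dict:
    """Constructed file: owned by uid 1000, group 200, mode 0o640 (rw-r-----)."""
    payroll = Inode(0o640, uid=1000, gid=200)
    owner = Process(1000, frozenset({200}))
    member = Process(1001, frozenset({200}))
    outsider = Process(1002, frozenset({300}))
    return {
        "owner write": allowed(owner, payroll, "write"),       # True
        "member read": allowed(member, payroll, "read"),       # True
        "member write": allowed(member, payroll, "write"),     # False
        "outsider read": allowed(outsider, payroll, "read"),   # False
    }
```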
Constrained User Interface
Methods of constraining users: a user's ability to get into—or interface with—certain system resources is restrained by two things: the user's rights and permissions are restricted, and constraints are put on the device or program providing the interface.
Physically constrained user interfaces
Menus
Database views
Encryption

Physical Constrained User Interface
(figure)

Menu Constrained User Interface
F4 Administrator
F7 Back Office
F8 Training Mode

Menu Constrained User Interface
F7 Back Office
(figure)

Other Access Control Models
Bell-LaPadula model
Biba integrity model
Clark and Wilson integrity model
Brewer and Nash integrity model
Effects of Breaches in Access Control
Disclosure of private information
Corruption of data
Loss of business intelligence
Danger to facilities, staff, and systems
Damage to equipment
Failure of systems and business processes

Threats to Access Controls
▪ Gaining physical access to a device
▪ Eavesdropping by observation (password on paper!)
▪ Bypassing security
▪ Exploiting hardware and software
▪ Reusing or discarding media (recovering erased or altered information from discarded or reused media)
▪ Electronic eavesdropping (wiretapping network cables)
▪ Intercepting communication
▪ Accessing networks (many organizations build their networks with more drops (female connectors at wall plates) than they need)
▪ Exploiting applications

What is this?
(figure)

Is your data deleted?
(figure)

Effects of Access Control Violations
Loss of customer confidence
Loss of business opportunities
New regulations imposed on the organization
Bad publicity
More oversight
Financial penalties
Credential and Permissions Management
▪ Systems that provide the ability to collect, manage, and use the information associated with access control
▪ Microsoft offers Group Policy and Group Policy Objects (GPOs) to help administrators manage access controls

Centralized and Decentralized Access Control
▪ Centralized authentication, authorization, and accounting (AAA) servers
  RADIUS: Most popular; two configuration files
  TACACS+: Internet Engineering Task Force (IETF) standard; one configuration file
  DIAMETER: Base protocol and extensions
  SAML: Open standard based on XML for exchanging both authentication and authorization data

Decentralized Access Control
▪ Access control is in the hands of the people closest to the system users
▪ Password Authentication Protocol (PAP)
▪ Challenge-Handshake Authentication Protocol (CHAP)
▪ Mobile device authentication, Initiative for Open Authentication (OATH)
  HMAC-based one-time password (HOTP)
  Time-based one-time password (TOTP)
Privacy
▪ Communicate expectations for privacy in acceptable use policies (AUPs) and logon banners
▪ Monitoring in the workplace includes:
  Opening mail or email
  Using automated software to check email
  Checking phone logs or recording phone calls
  Checking logs of web sites visited
  Getting information from credit-reference agencies
  Collecting information through point-of-sale (PoS) terminals
  Recording activities on closed-circuit television (CCTV)

Summary
▪ Access control concepts and technologies
▪ Formal models of access control
▪ How identity is managed by access control
▪ Developing and maintaining system access controls