Chapter 6: Ensuring Controlled Access

Key Terms

Access Control List (ACL) – It is a list that specifies the authorized users of the system and their access rights

Access Rights – It is access assigned to each individual subject

Account Management – The process by which user access is administered and supervised

Accountability – The tracking of each subject's actions so that they can be attributed to the responsible party and reviewed

Analysis Engine Methods – Anomaly detection methods that flag deviations from recorded (baseline) system behaviour, such as repeated failed logons or logons at unusual hours

Authentication – It is the security service that establishes the validity of a transmission, message, or originator

Authorization – The granting to a subject of specific rights to access particular objects or items of information

Bell-LaPadula – It is a security model that uses the classification level of the data and the access rights of the subject to decide what data a particular subject can access and what it can do with it

Biba Model – It is a security model that ensures the integrity of subjects and objects in a system

Clark-Wilson Model – It is a transaction-based security model that uses the personnel security concept of separation of duties to ensure that authorized users do not make unauthorized changes to data

Digital Certificate – It is a public document that binds a user's identity to the user's public key and states the validity period for the certificate, among other information

Discretionary Access Control (DAC) – In this model, the owner of each data file assigns users’ rights

Identification – It is the assertion of a subject's identity to the system; verifying that assertion is the job of authentication

Identity Management – It is an automated system that involves an integrated set of processes and technologies deployed across the entire enterprise

Intrusion Detection System – It identifies and isolates attacks on the system

Multifactor Authentication – The combination of two or more different factors (something you know, something you have, something you are) into a single access control function

Mutual Authentication – A process in which each side of an electronic communication verifies the authenticity of the other during the transmission of the message

One-Time Password – A password that is valid for a single authentication, typically generated by a hardware token, so that a captured value cannot be reused

Password Management – The process of assigning and maintaining passwords

Pattern-Matching IDS – It scans incoming network packets for specific byte sequence signatures stored in a database of known attacks

Penetration Testing – It denotes activities undertaken, at the request of the system owner, to identify and exploit security vulnerabilities

Permissions – They are rights granted to subjects

Policy-Based Access Control – Access control based on a list that regulates access to each object

Privileges – They are rights granted to subjects

Role-Based Access Control (RBAC) – It is a specialized technique involving the assignment of access permissions to objects that are associated with given roles

Single Sign-On – It coordinates authentication across a range of platforms and applications so that a subject logs in once

State-Matching – It scans for attack behaviors in the traffic stream

Statistical Anomaly-Based IDS – They use anomalous behavior as the basis of their response

Tokens – They are identification and authentication devices presented at the time of access (something you have)

Traffic Anomaly-Based IDS – These systems watch for unusual traffic activity, such as a flood of packets or a new service suddenly appearing on the network

Transformation Processes (TP) – Certified procedures that change a constrained data item from one valid state to another; they are the only way a CDI may be modified

Unconstrained Data Items (UDI) – They are data items deemed not valuable enough to control

Validation – It is an integrity check of data to ensure that the data item being modified is valid and the results of the modification are valid

Lecture Outline

  1. Principles of Access Control
    1. Access control is a multifaceted process that regulates the right of access to a computer, its attached network, or the physical facilities
    2. Access Control describes the regulation of interaction between subjects and objects within a given environment
    3. The access control process centers on the following three principles:
      1. Identity - Asserts and verifies the user’s identity
        1. Identification asserts the subject’s identity (a user name or account ID)
        2. Authentication verifies that the asserted identity is genuine (by password, token or biometric); deciding what that identity may then access is authorization, not authentication
      2. Authority - Authorizes user access privileges
        1. Authorization allows access only to those areas of the system, resources, and operations that the subject is permitted to access
      3. Accountability - Tracks user actions, then analyzes and reports
        1. It tracks usage to ensure that access rules have not been violated
    4. Identification and Authentication: Establishing Identity
      1. The identification function establishes the identity of every person or process that seeks access to organizational assets
      2. Passwords: Something You Know
        1. They are the simplest and most economical means of authenticating an individual subject to the system
        2. They are easy to assign and maintain
        3. A capable password management system will consistently
          1. Allow legitimate users to directly register for access
          2. Allow users who have forgotten their password to re-authenticate by another means and reset it themselves
          3. Allow IT support staff to authenticate callers for password management
          4. Synchronize credentials across a range of platforms (the basis of single sign-on, below)
          5. Provide for immediate cancellation of passwords of individuals who leave the organization
        4. Problem with Passwords
          1. Individuals have difficulty remembering multiple passwords and so reuse them or choose weak ones
          2. Secrecy is compromised when users write the passwords on paper
          3. Short passwords are easily compromised by brute force means
        5. Single Sign-On
          1. It coordinates passwords across a range of platforms and applications
          2. It can be a very cost-efficient method of password management
          3. It operates by storing every subject’s login ID and password on an authentication server
          4. Refer to Figure 6-1 (Page 142) for the Single Sign-On Process Illustration
          5. The drawbacks are that one breached password exposes every system behind it, and failure of the authentication server makes all dependent services unavailable (a single point of failure)
        6. One-Time Passwords
          1. The password is generated by a device (typically a hardware token) rather than chosen and remembered by the user
          2. It reduces the unauthorized access problem by authenticating only the current session
          3. Refer to Figure 6-2 (page 143) for the One-Time Password Illustration.
          4. The primary advantage of a one-time password is that an eavesdropper who captures it cannot use it again; note that an active man-in-the-middle who relays the value within the same session is not defeated by this property alone
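The following is an added example (not code from the textbook) of the one-time-password mechanism described above, using the HOTP algorithm of RFC 4226: the token and the server share a secret and a counter, each code is derived from the counter, and the server only accepts a code whose counter is beyond the last one it honoured, so a captured code is useless to an eavesdropper. The secret is the RFC 4226 reference value; the look-ahead window and the demo sequence are constructed for illustration.

```python
"""HOTP (RFC 4226) one-time passwords with server-side replay rejection.

Added example, not from the textbook. The look-ahead window and the
demonstration sequence are constructed for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic
    truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class HotpVerifier:
    """Server side: a code is accepted only if it matches a counter value
    strictly greater than the last accepted one (within a look-ahead window
    that tolerates tokens pressed without logging in). Once accepted, the
    counter moves past it, so the same code can never be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            # constant-time compare so the check itself leaks nothing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # this code is now spent
                return True
        return False


# RFC 4226 reference secret (Appendix D test vectors use this value).
SECRET = b"12345678901234567890"


def demo() -> dict:
    """Token issues code 0, server accepts it, an eavesdropper's replay of the
    same code is rejected, and the token's next code is accepted."""
    token_counter = 0                      # the hardware token's own counter
    server = HotpVerifier(SECRET)
    first = hotp(SECRET, token_counter)
    token_counter += 1
    first_ok = server.verify(first)
    replay_ok = server.verify(first)       # captured code presented again
    second = hotp(SECRET, token_counter)
    second_ok = server.verify(second)
    return {"first": first, "first_ok": first_ok,
            "replay_ok": replay_ok, "second_ok": second_ok}


if __name__ == "__main__":
    print(demo())
```

The same HMAC construction with a time step in place of the counter gives TOTP (RFC 6238); the replay rule then becomes "never accept the same time step twice".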
      3. Token-Based Security: Something You Have
        1. Identification and authentication devices presented at the time of access are normally called tokens
        2. Token-based authentication devices provide secure enterprise-wide access control
        3. Smart cards, swipe cards, and security flash drives are examples of token-based security
        4. Theft and loss of tokens are the chief vulnerabilities when a token is the only means of access control, which is why a token is usually paired with a PIN or password
      4. Biometrics: Something You Are
        1. Biometrics authentication uses physical characteristics
        2. In biometric authen­tication, the subject asserts identity by presenting a unique personal characteristic such as a fingerprint to a reader
        3. Biometric authentication is regarded as strong because it confirms identity by means of physical characteristics that are hard to duplicate; in practice, readers can be fooled by presentation attacks (a printed fingerprint, a photograph), and every system has false-acceptance and false-rejection rates that must be tuned
      5. Combining Approaches: Multifactor Authentication
        1. The combination of two or three different approaches to create a single access control function is called multifactor authentication
        2. For example, an ATM requires two-factor authentication: a card (something you have) and a PIN (something you know)
      6. Approaches for Establishing Identity in Cyberspace
        1. Digital Signatures
          1. The “signature” is generated from an electronic message by mathematical means
          2. A hash algorithm first reduces the message of arbitrary length to a fixed-size message digest; the text cites MD5, which produces a 128-bit digest, but MD5 is now considered broken for signatures because colliding messages can be produced at will, so current practice uses SHA-2 or SHA-3
          3. The digest is then encrypted (signed) with a private key that only the signer possesses; anyone holding the matching public key can verify the result, and any change to the message changes the digest and invalidates the signature
        2. Digital Certificates
          1. It is a third-party confirmation that binds a public key to an identity, so that a recipient can verify that a signed message did indeed come from the entity it claims to have come from
          2. This certification process is supported by Public Key Infrastructures (PKIs)
          3. A digital certificate is a public document that contains information identifying a user, the user’s public key, the validity period for the certificate and other information
          4. The digital certificate is unique to the individual user
          5. PKIs usually entail a Certificate Authority (CA), a key directory, and associated management rules
          6. PKI’s function is to verify and register the identity of users through a Registration Authority (RA). Once they are registered, each user is given a digital certificate.
      7. Mutual Authentication: Ensuring Identity During Transmission
        1. Each side of an electronic communi­cation verifies the authenticity of the other during the transmission of the message
        2. Mutual authentication processes are especially important when remote clients are attempting to assert their identity to servers
        3. Kerberos
          1. It uses encryption, so a client can prove its identity to a server and the server can in turn authenticate itself to the client within a secure transaction
          2. The client presents the ticket to the server that it wishes to access as a proof of identity
          3. The receiving server knows that the incoming message is authentic if the ticket is valid
          4. The tickets are time-stamped and expire, so attempted reuse after their lifetime will not be successful
          5. Refer to Figure 6-3 (Page 146) for Illustration of the Kerberos Authentication Process
        4. CHAP
          1. It stands for Challenge Handshake Authentication Protocol (CHAP)
          2. It provides authentication services across point-to-point links that use the Point-to-Point Protocol (PPP)
          3. It uses a challenge-response handshake, repeated periodically during the session, to ensure that only authorized parties are involved in the transmission; the shared secret itself is never sent on the link
          4. Refer to Figure 6-4 (Page 147) for Illustration about the CHAP authentication process
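An added example (not code from the textbook) of the CHAP exchange just described, following RFC 1994: the authenticator sends an identifier and a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes and compares. The exchange is run in both directions to give mutual authentication, then repeated to show that a replayed response and a peer without the secret both fail. Peer names, the shared secret and the demo sequence are constructed for illustration; MD5 is what RFC 1994 specifies for this hash.

```python
"""CHAP (RFC 1994) challenge-response, run in both directions.

Added example, not from the textbook. Peer names and the shared secret
are constructed; each challenge is drawn from os.urandom as a real
implementation would.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """One end of a PPP link. Holds the shared secret and can act as the
    authenticator (issue and check challenges) or as the party being
    authenticated (answer challenges)."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge we issued

    def challenge(self, length: int = 16) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(length)           # fresh, unpredictable challenge
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return identifier, chap_response(identifier, self.secret, challenge), self.name

    def check(self, identifier: int, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)  # each challenge is single-use
        if challenge is None:
            return False                     # unknown or already-consumed challenge
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)


def mutual_authentication(shared_secret: bytes = b"constructed-link-secret") -> dict:
    server = ChapPeer("server", shared_secret)
    client = ChapPeer("client", shared_secret)

    # Direction 1: server authenticates the client.
    ident, chal = server.challenge()
    ident, resp, _ = client.respond(ident, chal)
    client_ok = server.check(ident, resp)
    replay_ok = server.check(ident, resp)    # eavesdropper replays the same response

    # Direction 2: client authenticates the server (this is what makes it mutual).
    ident2, chal2 = client.challenge()
    ident2, resp2, _ = server.respond(ident2, chal2)
    server_ok = client.check(ident2, resp2)

    # Periodic re-challenge: an impostor without the secret cannot answer.
    impostor = ChapPeer("impostor", b"guess")
    ident3, chal3 = server.challenge()
    ident3, resp3, _ = impostor.respond(ident3, chal3)
    impostor_ok = server.check(ident3, resp3)

    return {"client_ok": client_ok, "replay_ok": replay_ok,
            "server_ok": server_ok, "impostor_ok": impostor_ok}


if __name__ == "__main__":
    print(mutual_authentication())
```

The practitioner's caveat: CHAP proves knowledge of the secret, but the authenticator must store that secret in recoverable form, which is why later protocols moved to salted verifiers or public-key credentials.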
  2. Authorization: Controlling Access
    1. Authorization grants a subject specific rights to use the system and its objects
    2. Permissions or Privileges - users’ specific rights of access are established and enforced
    3. Authorization involves the determination that an authenticated subject has attained the required level of trust to access a given object
    4. Untrusted or unknown subjects will be denied access until authenticated
    5. A security domain incorporates all related objects, with common protection needs, into a single manageable entity
    6. The overall access control process is composed of identification and authentication functions, which assert that a subject’s identity is valid, based on individual characteristics, or membership in various pre­defined groups
    7. Types of Permission: Methods for Granting Access
      1. Policy-Based Access Control
        1. Access Control List (ACL) is the most frequent example of Policy-Based Access Control
        2. An ACL is a list that specifies the authorized users of the system and their access rights
        3. The list identifies not only the individual subject, but also the access that subject has to each particular object
        4. By specification of the individual access rights of each person on the list, ACLs can control the access permissions of mul­tiple users or groups
        5. The advantage of an ACL is that it allows the administrator to designate access rights separately, for every individual
        6. Refer to Figure 6-5 (Page 149) for Access Control List Illustration
      2. Discretionary Access Controls (DAC)
        1. It is the most common model for access control in large systems
        2. The owner of the protected object decides which users get access, and what access rights they can have
        3. The controls are discretionary in that the owner, not a system-wide policy, decides which privileges to assign
        4. Refer to Figure 6-6 (Page 149) for Illustration about Discretionary Access Control (DAC)
        5. It is commonly implemented through three different approaches
        6. Role-Based Access Control (RBAC)
          1. It is a specialized technique involving the assign­ment of access permissions to objects that are associated with given roles
          2. Access permissions are assigned based on the specific roles that the user fulfills
          3. Refer to Figure 6-7 (Page 150) for RBAC Illustration
          4. Users and programs (subjects) are granted permission to access system objects based on the duties that they perform, not by their security classification
        7. Content-Dependent Access Control
          1. It uses information that is provided by the object being accessed
          2. The content is accessed based on the security rights of the individual seeking access
        8. Temporal Access Control
          1. In this approach, access decisions are driven by events or time of day rather than by a fixed designation of the subject
          2. The system continuously monitors user actions against set policies
          3. The advantage of such an approach is that it allows the organization to anticipate and protect itself from some types of known undesirable events, such as hacker attempts late at night
          4. The disadvantage is that the chain of events that lead to a given decision is not always predictable
      3. Mandatory Access Control (MAC)
        1. It restricts a subject’s access to objects based on a set of security attributes
        2. It is a required function for some federal government and military systems
        3. MAC prevents users from sharing objects arbitrarily and uses a specific set of policies or security rules to define the sharing of data within the organization
        4. Refer to Figure 6-8 (Page 153) for Illustration of the Mandatory Access Control
      4. Real-World Access Control: Automating the Process
        1. In a large complex organization, real-time and dynamic allocation of access privileges is an important system capability, due to simultaneous access request
        2. Automated identity management systems involve an integrated set of processes and technologies bundled into a continuously evolving solution that must be coordinated and deployed across the entire enterprise in order for it to be effective
        3. The following are the five basic condition requirements:
          1. Identity Architecture – The identity infrastructure is a complete and coherent set of processes for identity management
          2. Privilege Setting – Organization has to define and enforce privileges explicitly assigned to each person or process seeking access
          3. Identity Reference – This automated function is implemented through a reference monitor, which mediates every access attempt against the assigned privileges
          4. Enforcement of Privilege - Privileges are granted or denied based on the system’s ability to authenticate the identity of an indi­vidual (subject) seeking access to an object
          5. Continuous Maintenance – The system must modify user identities and access rights on a continuous and dynamic basis
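The following is an added example (not code from the textbook) of the permission types above implemented as a small reference monitor: an ACL per object with entries for individual users and for groups, a DAC rule that only the object's owner may change its ACL, and an RBAC store in which permissions attach to roles and users only acquire them through role assignment. Default is deny. The users, groups, roles and object names are constructed for illustration.

```python
"""Reference-monitor style authorization: ACL entries (user and group),
DAC owner-controlled grants, and RBAC role-to-permission mapping.

Added example, not from the textbook. All principals and objects are
constructed for illustration.
"""
from collections import defaultdict

READ, WRITE, EXECUTE = "read", "write", "execute"


class AclStore:
    """Each object has an owner and an ACL: entries keyed by a user name or
    'group:<name>', each mapping to a set of rights. Anything not listed is
    denied (default deny)."""

    def __init__(self) -> None:
        self.owner = {}
        self.acl = defaultdict(lambda: defaultdict(set))  # obj -> principal -> rights
        self.groups = defaultdict(set)                    # group -> members

    def create(self, obj: str, owner: str) -> None:
        self.owner[obj] = owner
        self.acl[obj][owner] |= {READ, WRITE}

    def grant(self, grantor: str, obj: str, principal: str, *rights: str) -> bool:
        """DAC: only the object's owner may change its ACL."""
        if self.owner.get(obj) != grantor:
            return False
        self.acl[obj][principal] |= set(rights)
        return True

    def check(self, user: str, obj: str, right: str) -> bool:
        entries = self.acl.get(obj, {})
        if right in entries.get(user, set()):
            return True
        return any(right in entries.get(f"group:{g}", set())
                   for g, members in self.groups.items() if user in members)


class RbacStore:
    """Permissions attach to roles; users are assigned roles. The decision
    never references an individual user directly."""

    def __init__(self) -> None:
        self.role_perms = defaultdict(set)   # role -> {(obj, right)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def check(self, user: str, obj: str, right: str) -> bool:
        return any((obj, right) in self.role_perms[r] for r in self.user_roles[user])


def demo() -> dict:
    acl = AclStore()
    acl.groups["auditors"] = {"dana"}
    acl.create("/payroll.db", owner="alice")
    acl.grant("alice", "/payroll.db", "bob", READ)
    acl.grant("alice", "/payroll.db", "group:auditors", READ)
    bob_escalation = acl.grant("bob", "/payroll.db", "bob", WRITE)  # bob is not the owner

    rbac = RbacStore()
    rbac.role_perms["payroll_clerk"] = {("/payroll.db", READ), ("/payroll.db", WRITE)}
    rbac.role_perms["auditor"] = {("/payroll.db", READ)}
    rbac.user_roles["erin"] = {"auditor"}

    return {
        "bob_read": acl.check("bob", "/payroll.db", READ),
        "bob_write": acl.check("bob", "/payroll.db", WRITE),
        "dana_read_via_group": acl.check("dana", "/payroll.db", READ),
        "bob_self_grant": bob_escalation,
        "mallory_read": acl.check("mallory", "/payroll.db", READ),
        "erin_read": rbac.check("erin", "/payroll.db", READ),
        "erin_write": rbac.check("erin", "/payroll.db", WRITE),
    }


if __name__ == "__main__":
    print(demo())
```

The practical difference shows in the maintenance step: when Erin changes jobs, RBAC revokes everything by removing one role, whereas the ACL model requires finding every object on which she was named.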
  3. Setting Up the System: Account Management
    1. It describes the process by which user access is administered and supervised
    2. The role of account management is to link user identities to the specific applications, databases, and services they are permitted to access
    3. The account management function is built around three related processes:
      1. Creation of new system access
      2. Modification to system access
      3. Termination of system access
    4. The privileges that are assigned to an individual should be evalu­ated at execution time to grant or revoke access to specific objects within the system
  4. Intrusion Detection: Backstopping Access Control
    1. Information assurance controls serve four general goals:
      1. Preventive, where the goal is to avoid the occurrence
      2. Detective, where the aim is to identify and characterize the occurrence
      3. Corrective, which seeks to remedy the circumstance
      4. Compensating, where alternative control is provided
    2. Intrusion Detection Systems: Keeping the Perimeter Secure
      1. They are built around boundary sensors
      2. A boundary sensor is a software utility that is located at the perimeter of the protected space and monitors traffic into and out of the system to identify potential attacks or malicious attempts to intrude
      3. Intrusion Prevention Systems (IPSs) have the ability to both monitor access as well as respond appropriately in the case of an attack
    3. Types of Intrusion Detection: Automated Versus Human Centered
      1. The function of the IDS is to identify and isolate attacks
      2. Network-Based IDS (NIDS)
        1. They detect attacks by capturing and analyzing net­work packets
      3. Host-Based IDS (HIDS)
        1. They operate on information collected and analyzed by an individual computer system
        2. They reside on a host and detect apparent intrusions through the audit function
    4. Common Network-Based IDS (NIDS)
      1. Pattern Matching
        1. It scans incoming network packets for specific byte sequence signatures stored in a database of known attacks
      2. State Matching
        1. It scans for attack behaviors in the traffic stream itself rather than the presence of an individual packet signature
      3. Analysis Engine
        1. They use anomalous behavior, such as multiple failed logons or users logging in at strange hours, or unexplained system shutdowns and restarts, as the basis for their response
      4. Protocol Anomaly
        1. The anomalies in a protocol anomaly-based system are identified by comparing observed traffic against the protocol specifications established by the Internet Engineering Task Force
      5. Traffic Anomaly
        1. These systems watch for unusual traffic activities, such as a flood of TCP packets or a new service suddenly appearing on the network
      6. Refer to Table 6-1 (Page 160) for Common Network-Based Methods for Intrusion Detection
    5. Host-Based IDS (HIDS)
      1. They do their work through the audit function and monitoring audit trails
      2. The types of events captured in an audit trail include
        1. Network connection event data
        2. System-level event data
        3. Application-level event data
        4. User-level event data
        5. Keystroke activity
      3. The most important success factor in auditing is to establish and maintain a set of best practices to ensure the process itself is secure and being executed in the most effective possible manner
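The two detection styles described above, pattern matching on network packets and anomaly detection over a host audit trail, as an added example that is not code from the textbook. The signature database, the packet payloads and the audit-log lines are all constructed for illustration; the thresholds (three failed logons, a 07:00 to 19:00 working window) are assumptions a real deployment would tune.

```python
"""Pattern-matching NIDS and anomaly-based HIDS, run over sample input.

Added example, not from the textbook. Signatures, packets and audit lines
are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# --- Pattern matching: byte-sequence signatures from a "known attack" database
SIGNATURES = {
    "shell-metachar-in-query": rb"[;|`]\s*(cat|sh|bash)\b",
    "path-traversal": rb"\.\./\.\./",
    "sqli-tautology": rb"'\s*or\s*'1'\s*=\s*'1",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}


def match_signatures(payload: bytes) -> list:
    """Names of all signatures present in one packet payload."""
    return [name for name, rx in COMPILED.items() if rx.search(payload)]


# --- Anomaly detection over an audit trail: "<date> <time> <user> <result>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\w+) (?P<result>success|failure)$")


def parse_audit(lines: list) -> list:
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "user": m["user"], "result": m["result"]})
    return events


def detect_anomalies(events: list, failure_threshold: int = 3,
                     work_hours: tuple = (7, 19)) -> list:
    """Flag repeated failed logons and successful logons outside working hours."""
    alerts = []
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    for user, n in failures.items():
        if n >= failure_threshold:
            alerts.append(f"{user}: {n} failed logons (possible password guessing)")
    start, end = work_hours
    for e in events:
        if e["result"] == "success" and not start <= e["ts"].hour < end:
            alerts.append(f"{e['user']}: successful logon at {e['ts']:%H:%M} outside working hours")
    return alerts


# Constructed sample input.
PACKETS = [
    b"GET /index.html HTTP/1.1",
    b"GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1",
    b"GET /ping?host=127.0.0.1;cat /etc/shadow HTTP/1.1",
    b"POST /login user=admin' OR '1'='1 HTTP/1.1",
]
AUDIT_LINES = [
    "2024-03-01 09:12:03 alice success",
    "2024-03-01 09:13:10 bob failure",
    "2024-03-01 09:13:15 bob failure",
    "2024-03-01 09:13:21 bob failure",
    "2024-03-01 09:13:29 bob failure",
    "2024-03-02 02:47:55 alice success",
]


def demo() -> dict:
    return {
        "signature_hits": [(p, match_signatures(p)) for p in PACKETS],
        "alerts": detect_anomalies(parse_audit(AUDIT_LINES)),
    }


if __name__ == "__main__":
    for payload, hits in demo()["signature_hits"]:
        print(payload, "->", hits)
    for alert in demo()["alerts"]:
        print("ALERT", alert)
```

The limitation each method carries is visible here: the signature matcher misses any encoding of the payload it has no pattern for (URL-encoding the quotes defeats the tautology rule as written), and the anomaly detector produces a false positive the first time a legitimate user works late.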
    6. Security Assessments: Penetration Testing
      1. Penetration testing is often referred to as “ethical” or “samurai” hacking
      2. It is the act of simulating an attack on the system at the request of the owner
      3. “Pen” testing evaluates system security by attacking it
      4. The following are the types of pen tests:
        1. Zero-Knowledge - where the tester has no relevant information about the tar­get. It is performed by an independent third party
        2. Partial-Knowledge - where the tester may have some information about the target
        3. Full-Knowledge - the tester has intimate knowledge of the target environment
      5. Pen testing methods are based on four activities:
        1. Discovery - where the target is identified and documented
        2. Enumeration - where the tester attempts to gain more knowledge about the target through intrusive methods
        3. Vulnerability Mapping - where the tester maps the profile gained in the test environment to known vulnerabilities
        4. User and privileged access - where the tester uses the knowledge gained to obtain user-level and then privileged access
      6. The final report contains the results that can help an organization to identify:
        1. Vulnerabilities of the system
        2. Gaps in security measures
        3. IDS and intrusion response capability
        4. Whether anyone is monitoring audit logs
        5. How suspicious activity is reported
        6. Potential countermeasures
      7. The following types of penetration-testing strategies can be used:
        1. Application security testing - where the goal is to evaluate the controls and the application’s process flow
        2. Denial of Service (DoS) testing - where the purpose is to assess a system’s suscepti­bility to attacks that could render it inoperable
        3. War dialing - where the purpose is to identify, analyze, and exploit modems, remote access devices, and maintenance connections
        4. Wireless network penetration testing - which seeks to identify security gaps or flaws in the design, implementation, and operation of wireless technologies
        5. Social Engineer­ing - where the tester uses social interaction to gather information in order to penetrate the organization’s systems
  5. Common Access Control Models
    1. Classification-Based Security Models: Bell-LaPadula
      1. Bell-LaPadula was developed for the United States government in the 1970s
      2. The Bell-LaPadula model is a framework for managing different classification levels intended to limit the disclosure of information between dissimilar levels
      3. It uses a hierarchical classification structure
      4. The model uses the classification level of the data and the access rights of the subject to decide what data a particular subject can access and what it can do with it
      5. Refer to Figure 6-9 (Page 163) for illustration of the Bell-LaPadula Model
      6. The model centers on the definition of a set of subjects along with data objects and their relative security levels
      7. Two rules define the mandatory access control policies for Bell-LaPadula:
        1. The simple-security property - which states: “A subject can only read an object if the security level of the subject is higher than or equal to the security level of the object (no read up)”
        2. The “*” property (pronounced “star property”) - which dictates that “A subject can only write to an object if the security level of the object is higher than or equal to the security level of the subject (no write down)”
    2. Integrity-Based Security Models: Biba
      1. It is a formal approach centered on ensuring the integrity of subjects and objects in a system
      2. Integrity levels are used to define the access rights, instead of security classifications
      3. Integrity levels indi­cate the level of “trust” that can be placed in information kept at different levels
      4. The primary objective of Biba is to limit the modification of information, rather than its flow between levels
      5. Refer to Figure 6-10 (Page 165) for illustration of Biba
      6. Biba operates on two rules as follows:
        1. A subject with a lower integrity level cannot write data to a higher integrity level (no write up)
        2. A subject with a higher integrity level cannot read data from a lower integrity level (no read down)
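The Bell-LaPadula and Biba rules above, as an added example (not code from the textbook) written as a reference-monitor decision function over a linear ordering of levels. Putting both models in one table makes their mirror-image relationship explicit: BLP forbids read up and write down to protect confidentiality, Biba forbids read down and write up to protect integrity. The level names are constructed; real MAC implementations label objects with a level plus a set of compartments and compare them as a lattice rather than a line.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access rules.

Added example, not from the textbook. Level names and sample decisions
are constructed for illustration; a linear order stands in for the
lattice a real system would use.
"""
from enum import IntEnum


class Level(IntEnum):
    """Higher value = more sensitive (BLP) or more trustworthy (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Simple-security property: no read up.  *-property: no write down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return obj >= subject
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Simple-integrity: no read down.  *-integrity: no write up."""
    if op == "read":
        return obj >= subject
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def decision_table() -> dict:
    """Every (subject, object, op) combination under both models:
    maps (subject_name, object_name, op) -> (blp_decision, biba_decision)."""
    table = {}
    for s in Level:
        for o in Level:
            for op in ("read", "write"):
                table[(s.name, o.name, op)] = (blp_allows(s, o, op), biba_allows(s, o, op))
    return table


if __name__ == "__main__":
    for (s, o, op), (blp, biba) in decision_table().items():
        print(f"{s:>12} {op:5} {o:<12}  BLP={blp!s:5}  Biba={biba!s:5}")
```

Reading the table row by row shows why the two models are rarely applied to the same label: whenever subject and object differ, every BLP decision is the exact opposite of the Biba one.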
    3. Transaction-Based Security Models: Clark-Wilson
      1. It uses transactions as the basis for its access control decision making
      2. It ensures the integrity of data
      3. It uses the personnel security concept of separa­tion of duties to ensure that authorized users do not make unauthorized changes to data
      4. It defines two levels of integrity (rather than four) as follows:
        1. Constrained data items (CDI) - which are the controlled assets
        2. Unconstrained data items (UDI) - which are not deemed valuable enough to control
      5. The following are two processes to control CDIs:
        1. Integrity verification processes (IVP) - which confirm that a CDI meets its specified integrity constraints
        2. Transformation processes (TP) - which change the state of data from one valid state to another, and are the only way a CDI may be modified
      6. Refer to Figure 6-11 (page 167) for Clark-Wilson Model Illustration
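The Clark-Wilson elements above (CDI, UDI, IVP, TP, and separation of duties) as an added example that is not code from the textbook: a small ledger whose balances are the constrained data items, which can only change through two certified transformation procedures, with each user certified for specific TPs and a rule that the user who initiates a transfer may not be the one who approves it. The ledger contents, user names and certification table are constructed for illustration.

```python
"""Clark-Wilson integrity model on a toy account ledger.

Added example, not from the textbook. Accounts, users and the
user-to-TP certification table are constructed for illustration.
"""


class IntegrityViolation(Exception):
    pass


class Ledger:
    """CDIs: account balances and pending transfers. Raw user input (a UDI)
    enters only through a TP that validates it before it touches a CDI."""

    def __init__(self, balances: dict) -> None:
        self.balances = dict(balances)     # CDI
        self.pending = {}                  # CDI: id -> (src, dst, amount, initiator)
        self.certified = {                 # user -> TPs the user is certified to run
            "clerk": {"initiate_transfer"},
            "supervisor": {"approve_transfer"},
        }
        self.log = []                      # audit trail of every TP invocation

    def ivp(self) -> bool:
        """Integrity verification procedure: no balance may be negative."""
        return all(b >= 0 for b in self.balances.values())

    def _authorize(self, user: str, tp: str) -> None:
        if tp not in self.certified.get(user, set()):
            raise IntegrityViolation(f"{user} is not certified for {tp}")

    def initiate_transfer(self, user: str, transfer_id: str,
                          src: str, dst: str, amount_udi: str) -> None:
        """TP 1: turn an unconstrained request into a validated pending CDI."""
        self._authorize(user, "initiate_transfer")
        amount = int(amount_udi)           # UDI -> validated value
        if amount <= 0 or src not in self.balances or dst not in self.balances:
            raise IntegrityViolation("invalid transfer request")
        self.pending[transfer_id] = (src, dst, amount, user)
        self.log.append((user, "initiate_transfer", transfer_id))

    def approve_transfer(self, user: str, transfer_id: str) -> None:
        """TP 2: move the CDI from 'pending' to 'posted', valid state to valid state."""
        self._authorize(user, "approve_transfer")
        src, dst, amount, initiator = self.pending[transfer_id]
        if initiator == user:
            raise IntegrityViolation("separation of duties: initiator cannot approve own transfer")
        if self.balances[src] < amount:
            raise IntegrityViolation("transfer would leave a CDI in an invalid state")
        total_before = sum(self.balances.values())
        self.balances[src] -= amount
        self.balances[dst] += amount
        del self.pending[transfer_id]
        self.log.append((user, "approve_transfer", transfer_id))
        # IVP as a post-condition: the TP must leave every CDI valid and money conserved.
        if not self.ivp() or sum(self.balances.values()) != total_before:
            raise IntegrityViolation("TP left a CDI in an invalid state")


def demo() -> dict:
    ledger = Ledger({"alice": 100, "bob": 50})
    ledger.certified["manager"] = {"initiate_transfer", "approve_transfer"}
    outcome = {}

    ledger.initiate_transfer("clerk", "t1", "alice", "bob", "30")
    ledger.approve_transfer("supervisor", "t1")
    outcome["t1_balances"] = dict(ledger.balances)

    ledger.initiate_transfer("clerk", "t2", "bob", "alice", "10")
    try:
        ledger.approve_transfer("clerk", "t2")           # clerk is not certified for this TP
        outcome["clerk_self_approve"] = "allowed"
    except IntegrityViolation as exc:
        outcome["clerk_self_approve"] = str(exc)

    ledger.initiate_transfer("manager", "t3", "bob", "alice", "10")
    try:
        ledger.approve_transfer("manager", "t3")         # certified for both, but initiated t3
        outcome["manager_self_approve"] = "allowed"
    except IntegrityViolation as exc:
        outcome["manager_self_approve"] = str(exc)

    outcome["ivp"] = ledger.ivp()
    outcome["log_entries"] = len(ledger.log)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Note what the model does not do: it says nothing about who may read the balances. That is why Clark-Wilson is usually deployed alongside a confidentiality model rather than instead of one.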
