Access Control Systems and Methodology
Important elements of biometric devices
- *Accuracy* - separates authentic users from imposters
  • FRR - False Reject Rate (*Type I Error*)
  • FAR - False Accept Rate (*Type II Error*)
  • Cross-Over Error Rate (*CER*)
- *Processing speed* - how fast the accept or reject decision is determined
- *User acceptability*
- *Protection* of biometric data
Types of Controls
- *Administrative* - policies and procedures, including personnel controls such as security clearances and background checks.
- *Technical (Logical)* - anti-virus software, password protection, firewalls, auditing.
- *Physical* - locks, alarms, badge systems.
Need for Identity Management
- *Dissatisfaction* of employees, customers, and partners resulting from their need to maintain an excessive number of user IDs (8 to 12 IDs).
- *Inability* to evaluate regulatory compliance due to lack of properly identified user populations and their association to resources.
- *Weaknesses* in security routinely identified during audits as a result of disparate and inefficient administrative processes.
Types of Identification
- *UserID* such as:
  • The *username*
  • *Account* number
  • Personal identification number (*PIN*)
- Badge system
- Biometric devices
  • Can be used for both identification and authentication
*Role-Based* Access Control
- Access control decisions are *based* on job function.
- Each role (*job function*) will have its own access capabilities.
- Access capabilities are *inherited* by users assigned a job function.
- Determination of role is *discretionary* and is in compliance with security access control policy.
- Groups of users need similar or identical privileges:
  • Generally associated with DAC
  • Privileges appropriate to functional roles are assigned:
    --> Individual users are enrolled in appropriate roles
    --> Privileges are inherited
*Rule-Based* Access Control
- Access is based on a *list of rules* that determine authorization.
- System *owners* create or authorize the rules.
  • Specify privileges granted to users.
- Mediation mechanism *enforces* the rules to ensure authorized access.
  • Intercepts every request, compares it to user authorizations, and makes a decision.
Audit trail function
- Alert staff to suspicious activity for investigation.
- Provide details on extent of intruder activity.
- Provide information for legal proceedings.
*Identification*
- Asserts user identity (*unique*)
- Provides accountability (with protected audit trail)
  • Traces activities to individuals
  • Holds users responsible for actions
Types of Authentication
- Authentication by Knowledge
  • what a person *knows*
- Authentication by Ownership
  • what a person *has*
- Authentication by Characteristic
  • what a person *is/does*
Directories
- Centralize *management* of data:
  • Users
  • Other objects in the enterprise, such as user groups, servers, printers, etc.
- Store data on one or more directory servers.
- Provide data access:
  • Using client applications
  • *Normally* through standard protocols, such as LDAP (Lightweight Directory Access Protocol) or X.500.
- Key limitation - integration with legacy systems.
Authentication by *Ownership*: Asynchronous Token Device
- Challenge-response scheme (*question and answer*)
- Based on one-time pad (*encryption technique*)
Authentication by *Ownership*: One-time Passwords
- Changed after every use - *dynamic*.
  • Usually *token* or *hardware* based.
- Generated by a token, often in conjunction with a PIN or other secret.
- Generation methods:
  • Asynchronous
  • Synchronous
Auditing Issues & Concerns
- Control the volume of data
  • Event filtering or clipping level determines the amount of log detail captured.
  • Auditing tools can reduce log size.
- Establish procedures in advance
- *Train* personnel in pertinent log review.
- Protect and ensure against unauthorized access.
  • Disabling auditing or deleting/clearing logs.
- Protect the audit logs from unauthorized changes.
- Store/archive audit logs securely.
*Separation of duties*
- Define elements of a process or work function.
- Divide elements among different functions.
List the threats to access controls
- Denial of Service
- Buffer Overflows
- Mobile Code
- Malicious Software
MAC vs. DAC
- Discretionary Access Controls involve only the resource owner's permission.
- Mandatory Access Controls require the owner's and system's permission (based on labeling).
Security Domains
- Domain of trust that *shares* a single security policy and single management.
- Access control parameters in which a program is operating.
  • Set of objects a subject can access
- *Principle of separation* protects resources.
  • Resources encapsulated in distinct address spaces.
Authentication by *Ownership*: Synchronous Token Device
- Event, Location or Time-Based synchronization.
- Authentication Server knows the expected value from the token, and the user must input it or be in close proximity.
Access Control Lists (ACLs)
- Most common implementation of Discretionary Access Controls
- Specifies a list of users who are allowed access to each object
- Often implemented with Access Control Matrices
- Access to ACL files should be protected
Audit Event Types
- Network connection event data
- System-level event data
- Application-level event data
- User-level event data
  • Keystroke activity
Identity Management Challenges: *Types* of Principals
- Outsiders
- Insiders
Mandatory access control
- Owner & system determine who has access
- System decision based on privilege (clearance) of subject (user) & sensitivity (classification) of object (file)
- Requires labeling
- Based on the organization's security policy
- Puts limitations on authorizers
Identity Management Challenges: *Kinds* of Data
- Personal information
- Legal information
- Login credentials to managed systems
*Corrective*
- Remedy circumstance/mitigate damage
- Restore controls
Hierarchical domain relationship
- Subjects can access objects in equal or lower domains
- Domains of higher privilege protected from domains of lower privilege
Mandatory Access Control (MAC)
- Used for systems that process *highly* sensitive data
- Assign *sensitivity* labels to all objects and clearance labels to all subjects
- Object's sensitivity level and the subject's *clearance* level determine access
- Permits processing of multiple levels on one system
What is Access Control?
A *collection* of mechanisms that work together to protect the assets of the enterprise.
Audit trail
A record of system activities.
Single Sign-On
Allows users to authenticate *once* to a central Single Sign-On system, which stores every user's login ID and password to *all* supported applications.
*Compensating*
Alternative control (e.g. Supervision)
*Preventive*
Avoid incident
Audit trail configuration
Capture data generated by system, network, application, and user activities.
*Deterrent*
Discourage incident
Single Sign-On
Enables a user to log on once to the enterprise and access all additional authorized network resources.
*Detective*
Identify incident
Identity Management Challenges: *Life Cycle*
Initial setup, Change and maintenance, tear down
*Least privilege*
Limit users and processes to access only resources necessary to perform assigned functions.
Discretionary access control
Owner determines who has access & what privileges they have
*Recovery*
Restore conditions to normal
Social Engineer
Someone who uses deception, influence, and persuasion, against businesses or individuals, usually targeting their information.
Authentication by *Knowledge*: Password
Standard form of authentication
Identity Management Technologies
Systems focus on *streamlining* the identity management process, and *managing* data *consistently* across multiple systems.
Authentication by *Characteristic*: Biometric Devices
The individual's identity is confirmed by either:
  • *Physiological* trait - unique: fingerprint, retina, iris
  • *Behavioral* characteristic - keystroke, signature pattern
Cross Over Error Rate (CER)
The value of FAR and FRR when the sensitivity is configured so that FAR and FRR are equal.
*Accountability*
Tracks what the user did and when it was done
Authentication by *Knowledge*: Passphrase
Used as an alternative to a password. They are longer to enter and usually harder to crack.
Social Engineering
Uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.
Authentication
Verifies who the user is and whether access is allowed
*Authorization*
What the user is allowed to do