ISSAP Session 2, 31 August 2011, [email protected]
Access Control 2

Questions from Session 1?
- Session 1 handout is posted on www.silverbulletinc.com/DM2
- Contact Shelton Lee for credentials: [email protected]
- Should have book by now. If not, contact Paola Aviles (paola.aviles@lmco.com). Must have by next Session (Sep 7).

ISSAP Schedule – Ten Sessions
- 08/24/2011 Organization
- 08/29/2011 Access Control pg 3-62
- 08/31/2011 Access Control pg 62-117
- 09/07/2011 Cryptography pg 125-172
- 09/12/2011 Cryptography pg 173-212
- 09/14/2011 Physical Security pg 222-285
- 09/19/2011 Requirements pg 293-351
- 09/21/2011 BCP & DRP pg 357-371
- 09/26/2011 Telecommunications pg 379-440
- 09/28/2011 Review

Access Control Administration and Management Concepts
- Two types of processes, human and "automated feature" (service), have accounts
- All accounts are authorized, monitored, and validated
- Processes may be multiple, but all must exist within the context of the owner
- Contexts exist with rights and permissions

System is a collection of resources
- One or more resources may be allocated to a context as objects
- Resources may be shared or dedicated to processes
- Resources may consist of one or more objects
- Human interaction is through processes

System is a collection of resources (continued)
- Resources may be consumable (disk storage) or enable system functionality (network adapter)
- System user is the principal subject of access control
- Object owner can determine use through grants
- Resources may be subject to access control or not
- The most common problem in computing systems is a failure to exert control

Failures of control
- Physical attack can succeed where logical may fail
- Best form of access control uses encryption
- Effective access control is not easy to bypass
- SBO vs real; COTS vs local development
- File sharing is difficult to control: disallow where possible, isolate where not. Peer-to-peer backdoor.
- Users make mistakes
- First access control systems were developed to protect users from each other

Databases are special cases
- Data is manipulated
- Difficult to create boundaries: table, row, column
- Stored procedures must be trustable
- Views, triggers, & stored procedures
- Permissions organized into groups
- Service accounts allow user separation from data

Service accounts
- Service accounts can keep users from backend servers
- User connects to web server
- Web server app uses service account to connect to database
- Database should never be co-resident on web server: compromise one, get both

Database issues
- Hashes are not encryption
- MD5 broken, SHA-1 deprecated, SHA-2 OK
- If cannot encrypt, use IPSEC tunnel to protect credentials
- Use router/firewall to limit connections
- Backend database access limited to ISOLAN access or dedicated management net
- Any questions on the proxy methods?

Rights
- Inherent: Ordinary, Administrative, System
  - Limited at start
  - Inherent with roles
  - Admin & System effectively control system
  - Should always log on as ordinary user; permits logging of actions even if there is just one admin account
- Granted rights
  - All rights granted should be documented
  - Tie to roles or groups
  - Any change requires authorization
- Accounts should be monitored/logged; "write only" best; may need traceability

Privilege
- Privilege is the combination of rights and permissions
- Risk management is an important tool in determining what rights/permissions to grant to whom
  - Too lax invites attack
  - Too strict may prevent effective operation
- Goal is to have security invisible to user unless triggered

Groups
- Groups may simplify management of rights and permissions
Groups (continued)
- Identify privilege needed for role
- Create group for that role
  - Similar duties, different data
  - Different duties, similar data
  - Similar duties and data
- Difficulties
  - Orphaned groups
  - Duplicate groups
  - Separation of duty violations
  - Single group with excess privilege
  - User with multiple groups
  - Easier just to "grant all"

Group Difficulties
- Failure to manage "least privilege"
- Excess privilege
- Insufficient groups

Managing Groups
- Identify purpose
- Membership attributes
- Resource attributes
- Control changes
- Periodic review

Role Based Access Control (RBAC)
- Groups are collections of users
- Roles are collections of privileges (rights & permissions)
- Role does not match an individual, it matches a function
- Issues
  - Should a person be able to hold more than one role concurrently?
  - Release one to gain another
  - Is the system that granular?

RBAC (continued)
- MAC or DAC can be combined with RBAC
- Not the same from all vendors: some allow concurrence, some deny
- Will not enforce separation of duties

Use of groups as roles
- Specify each role
- Map attributes; use a matrix
- Map groups to specific roles or objects
- Avoid mapping groups to groups
- Do not assign objects to groups
- Use individual attributes
- Multiple accounts for users; tokens may be an issue
- Use system services as proxies; loopback
- Monitor for inappropriate use; audit for misuse

Task Based Access Control (TBAC)
- Time allocations
- Sequencing: workflows
- Dependencies: prior elements
- More granular than RBAC
- Permissions shift depending on position in workflow
- Emerging mechanism; requires stable flow

Dual Control (really n-control)
- May have many parties
- Critical elements that require joint participation
- One may be a service (timeclock)
- Requires separate audit
- Must have rigid protocol
- Variety of controls in layers (DID)

Dual Control (continued)
- Fail secure
- SOF: dual fail safe
- Firewall failure: deny all
- Resource intensive; use only when cost of loss justifies
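The group and RBAC slides above list the difficulties to look for when groups stand in for roles. The following is an added example, not from the session handout: a small audit over a constructed group-to-role mapping that flags orphaned groups, duplicate groups, a single group with excess privilege, and separation-of-duty violations. Every role, group, user and the privilege threshold is constructed.

```python
"""Added example, not from the session handout: audit a group-to-role mapping
for the difficulties the slides list (orphaned groups, duplicate groups, a
single group with excess privilege, separation-of-duty violations)."""
from itertools import combinations

# Roles are collections of privileges (rights & permissions); groups are
# collections of users and are mapped to roles, never to other groups.
ROLES = {  # constructed sample
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:approve", "invoice:read"},
    "auditor":     {"invoice:read", "ledger:read"},
    "dba":         {"db:admin", "db:backup", "db:restore", "ledger:read", "ledger:write"},
}
# Role pairs one person must never hold concurrently (separation of duty).
SOD_PAIRS = [("ap_clerk", "ap_approver")]
GROUPS = {  # constructed sample
    "g_ap_clerks":   {"roles": {"ap_clerk"},    "members": {"alice", "bob"}},
    "g_ap_approval": {"roles": {"ap_approver"}, "members": {"carol", "bob"}},
    "g_audit":       {"roles": {"auditor"},     "members": {"dave"}},
    "g_audit_old":   {"roles": {"auditor"},     "members": set()},  # stale copy
    "g_dba":         {"roles": {"dba"},         "members": {"erin"}},
}
MAX_PRIVS_PER_GROUP = 4  # constructed threshold for "excess privilege"


def group_privileges(group):
    """Flatten a group's roles into the set of privileges it grants."""
    return set().union(*(ROLES[r] for r in GROUPS[group]["roles"]))


def user_roles(user):
    """Roles a user holds through every group that lists them as a member."""
    return {r for g in GROUPS.values() if user in g["members"] for r in g["roles"]}


def audit_groups():
    """Return (finding, detail) tuples for each group difficulty found."""
    findings = []
    for name, g in GROUPS.items():
        if not g["members"]:
            findings.append(("orphaned_group", name))
        if len(group_privileges(name)) > MAX_PRIVS_PER_GROUP:
            findings.append(("excess_privilege", name))
    for a, b in combinations(sorted(GROUPS), 2):
        if GROUPS[a]["roles"] == GROUPS[b]["roles"]:
            findings.append(("duplicate_groups", f"{a},{b}"))
    for user in sorted(set().union(*(g["members"] for g in GROUPS.values()))):
        held = user_roles(user)
        for r1, r2 in SOD_PAIRS:
            if r1 in held and r2 in held:
                findings.append(("sod_violation", f"{user}:{r1}+{r2}"))
    return findings
```

Run `audit_groups()` after each group change as the "periodic review" step; a clean run returns an empty list.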
Dual Control (continued)
- Should not be used often
- Details should not be known; may point out attack vectors

Dual Control (continued)
- Audit must be separate and protected
- Key management: periodic and out of control of users
- Key card decks
- Not trivial

Access Control by Location
- Subnets, VLANs, hard zoning
- If not present, there is no exposure
- Topology can be shaped to control exposure: IsoLANs, Internet islands
- Control by subnet: flat topology impossible to control; subnet by function
- Onion approach: users close to outside

Subnet threats
- IP stealing (can mitigate with routers)
- DHCP not used on protected subnets
- Remote access may need limitation or proxy: eVPN, RDP, VNC
- Network sniffing (promiscuous mode): any traffic on the wire is subject to compromise; limit traffic on the wire (routers, FC switch)

Geographical
- Assignment by location or department
- FQDNs may provide too much information; subnet allocation may do the same
- Roaming profiles make this difficult unless user context is different from servers: no users on server LANs

Control by device type
- Must be able to identify devices: MAC address, connection string, SNMP
- Device recognition places devices in a category
- Policy enforcement by device and OS type
- May require flat network

Physical and Logical addresses
- Control at layer 2-3 (switches and routers)
- Limit not only addresses but also ports
- Requires subnetting
- May use non-broadcast addressing internally, RFC 1918
- Advantage: ease of implementation and low cost
- Disadvantage: manual registration, difficult to scale; limited enforcement; capability for spoofing
- More popular in last century; few devices allow full control now
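The Dual Control slides above describe n-party concurrence, a service as one party (the timeclock), fail-secure behaviour and a separate audit. The following is an added example, not from the session handout: an n-of-m approval gate that requires distinct users holding distinct roles plus a time-window service check, denies on any shortfall or malformed input, and records every decision to a separate audit trail. The operation name, users, roles and business-hours window are constructed.

```python
"""Added example, not from the session handout: an n-of-m "dual control" gate
for a critical operation. Distinct human approvers holding distinct roles plus
one automated service (a time-window check standing in for the slides'
timeclock) must all concur; any shortfall or malformed input fails secure
(deny), and every decision goes to a separate audit trail."""
from datetime import datetime, time

AUDIT_TRAIL = []  # kept apart from the application log; append only


def timeclock_approves(now, window=(time(8, 0), time(18, 0))):
    """Service participant: concur only inside the constructed business window."""
    return window[0] <= now.time() <= window[1]


def dual_control(operation, approvals, required, now):
    """Return True only when at least `required` distinct users holding
    `required` distinct roles approve and the timeclock concurs.
    `approvals` is a list of (user, role) tuples."""
    decision = False  # fail secure: anything unexpected leaves this False
    try:
        users = {u for u, _ in approvals}
        roles = {r for _, r in approvals}
        decision = (len(users) >= required
                    and len(roles) >= required
                    and timeclock_approves(now))
    except (TypeError, ValueError):
        decision = False
    # Separate, protected audit record of every attempt, granted or denied.
    AUDIT_TRAIL.append((now.isoformat(), operation, required, decision))
    return decision


if __name__ == "__main__":
    # Constructed run: two custodians with distinct roles, inside the window.
    print(dual_control("key_export", [("alice", "custodian"), ("bob", "officer")],
                       2, datetime(2011, 8, 31, 10, 30)))
```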
Network Based Access Control
- Device oriented
- 802.1x standard: uses certificate based device authentication; RADIUS server authentication
- Advantages
  - Standards based (but not a very popular one)
  - Policy enforceable
  - Auditing support at authenticating server
- Disadvantages
  - Few devices support it
  - Manual registration required
  - Certificate based: software required to manage
  - Authentication only

Third Party Software
- More popular in last century
- Dedicated and specialized: either fits or doesn't
- Advantages
  - Can be very powerful through SBO
  - Tech support available
  - Policy enforcement
  - Automated deployment
- Issues
  - Cost
  - Imaginary functionality: smoke and mirrors
  - May not support all device types

Summation of types
- Join logical and physical: consider both in architecture
- Layer control: DID, dissimilar protections
- Map and inventory network (must know what you are protecting)
  - Conduct traffic pattern analysis; use sniffer
  - Conduct triage
  - Map physical structure
- Implement rules on networking equipment
- Monitor compliance: effectively relies on feedback

Authentication
- Entity: person or process
- Identity: designator for subject
- Authentication factor: proof presented
- Authenticator: mechanism to compare assertion to database
- Database: listing of identities and authentication factors

Authentication factors
- Something you know (password)
- Something you have (smart card, token)
- Something you are (biometrics)
- Three qualities of suitability for authentication
  - Known only to entity
  - Impossible to reproduce
  - Impractical to replicate

Passwords (something you know)
- Obsolete
- Few bother to consider what is needed
- Complexity overrated (Rainbow Series 1985)
- Replaced by tokens and smart cards

Token Based: Badges
- Strength: low cost, visual confirmation
- Weakness: easy to spoof or counterfeit
- Considerations
  - Mandate use of pictures
  - Manage badge like a credential (change periodically)
  - Integrate machine readable features (bar code, mag stripe, proximity)
  - Differentiate design and holder

Mag Stripe
- Low cost
- Easy to use (POS terminal)
- Easy to rekey
- OTOH
  - Can be copied
  - Vulnerable to magnetic fields
  - Easily abused
- OTGH
  - Controls similar to badges
  - Two factor for sensitive areas
  - Challenge-response for recoding

Proximity Card
- Same attributes as badge plus prox
- Simple management
- Easy to use
- OTOH
  - Expensive readers
  - Masquerading
  - May be spoofed
- OTGH
  - Similar to mag stripe except for rewriting
  - Reaffirm validity of user
  - Strategically deploy readers
  - Protect controllers

Common token issues
- Loss (mitigate with 2nd factor)
- Damage (replacement, alternative means)
- Proprietary system (PIV, GSC, ISO 7816)
- HR (revocation issue)
- Binding to individual (need to have multifactor)

Biometrics
- Falsing (positive/negative)
- Enrollment time
- Response time
- Security (use)
- Implementation
- Cost
- Acceptance
- Storage
- Changes

Biometrics: types
- Fingerprint
- Hand geometry
- Iris
- Retina
- Facial recognition

Design Considerations
- Requirements
- Gummy Bears
- Expense vs attacks
- Safeguard of minutiae
- Keyboard/biometric logger

Design Validation
- Access control system requirements met
- Operational need met
- Functionality met
- Weaknesses mitigated

Design considerations
- Unique identifier, not SSAN
- Sources: avoid duplications
- Use requirements matrix
- Requirements: clear statement of need and abilities
- Interpretation: clear statements

Effectiveness
- Identify gaps
  - Policy deficiencies
- Identify ways to misinterpret & circumvent
  - Weakness
- Identify countermeasures
  - Defense in depth

Testing
- Exercise controls
- Penetration testing
- Vulnerability assessment
- Secure code review
- Scans

Repeatability
- Test with multiple combinations
- Methodology
- Test cases
- Developing test cases
  - Entities and authentication factors
  - Subjects and rights
  - Objects and permissions
  - Outliers and exceptions
Risk based considerations
- Unconventional alternatives
- Enumerate risk
- Monitor weaker controls
- Cost sensitivity
- Manual processes
- Open source solutions

Thoughts
- Access control is not easy and is evolving
- Threats are evolving also
- Security must make choices as to what is practical vs what is obsolete or emerging
- Do not want to be a beta tester
- Problem is continuing and not static

Questions?
- No session on Monday
- Next session 7 September