ISA 562 Internet Security Theory & Practice
Access Control
Dec 29, 2015
Objectives and References
General (from ISC2 CBK material): discuss access control mechanisms, measures and threats
Details (from Bishop's Chapter 2): access control assurance methods
General (from ISC2 CBK material): intrusion detection / intrusion prevention
Requirements & Concepts
Some basic requirements of an access control:
Avoid disclosing sensitive data to unauthorized users (Confidentiality)
Provide sensitive information to authorized users (Availability)
Reliable and dependable (Integrity preserving)
Scalable and expandable (long life)
Some of the key concepts in access control systems are:
Separation of duties
Least privilege
Need-to-know
Need-to-share (a contemporary buzz-phrase)
Handle with care
What to protect? Information classification
Based on the business risk of content released to mal-actors
Example: the US government classification: Unclassified, Confidential, Secret, Top Secret
Will be discussed in detail
Kinds of Access Control
Preventive: avoid unwanted actions/events by blocking the ability to do them.
Detective: identify unwanted actions or events after they occur.
Corrective: remedy the circumstances that enabled the unwanted activity; return to the state prior to the unwanted activity.
Directive: dictated by a higher authority in laws or regulations, or specified in organization policy.
Deterrent: prescribe punishment for noncompliance.
Recovery: restore lost computing resources or capabilities.
Compensating: reinforce or replace normal controls that are unavailable.
3 Types of Access Controls
Administrative. Examples: separation of duties, dual control, etc.
Physical. Examples: fences, alarms, badges, CCTV, etc.
Technical. Examples: antivirus, anti-spam, logs, etc.
Further examples in the ISC2 book show how controls map to the access control types.
Steps in Accessing Systems
Authentication
Use a unique identifier. Example: user ID, account number, PIN
Three main kinds of data (factors) used for authentication:
Something the requester knows: passwords, pass-phrases
Something the requester is: biometrics, physical characteristics
Something the requester has: tokens (one-time passwords, time-synchronized tokens), smart cards, USB tokens
Authorization
Accounting
Using Tokens & Smartcards for Authentication
Asynchronous token: challenge-response
Synchronous token: time or event based, using a one-time password or hashed values; the authentication server knows the expected value from the token
Smart cards: contact, contact-less
Using Biometrics for Authentication
Biometric systems have false rejection and false acceptance rates. Crossover (error rate) = the point where the two are equal; both are tunable to need.
Examples of static biometrics: fingerprint or palm print, hand geometry, retina
Examples of dynamic biometrics: face/gesture recognition, keystrokes, voice pattern
Identity Management
What is identity management? The set of technologies used to manage user identity information.
When is it needed? For manual service provisioning; to manage sophisticated and complex environments; to comply with regulations
What are the major challenges? Reliability of user profiles; consistency of user profiles across different systems/devices; scalability by supporting data volumes and peaks
More details in the ISC2 book
Identity Management: benefits and technologies
Benefits: increasing productivity, reducing head-count
Technologies: found in systems that support the identity management process and manage data consistently and efficiently across multiple systems within an organization
Directories, Web Access Management, Password Management, legacy single sign-on
Access Control technologies
Single Sign-on
How they work: one user ID and password for multiple application servers through an authentication server.
Benefits: efficient log-on process; users may create stronger passwords; no need for multiple passwords
Major drawback: a compromised password allows an intruder into all resources of the owner of that account
Single Sign-on using Kerberos
Single Sign-on – Kerberos and SESAME
Kerberos Key Distribution Center serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
Kerberos issues:
Security depends on careful implementation and maintenance
Lifetime for authentication credentials should be as short as feasible, using time stamps to minimize the threat of replayed credentials
The KDC must be physically secured; it could be a single point of failure, so redundancy is recommended
The KDC should be hardened and not allow any non-Kerberos activity
SESAME
Stands for Secure European System for Applications in a Multi-vendor Environment
Developed to address some of the Kerberos weaknesses; supports SSO; improves key management by using both symmetric and asymmetric keys
Directory Service and Security Domains
Directory services consist of applications that provide the means to hierarchically organize and manage information about network users and resources, and to retrieve the information by name association
Security domains: set of objects that a subject in an information system is allowed to access; hierarchical domain relationship; equivalence classes of subjects
Access Control & Assurance
Mechanisms used to assure that access control mechanisms are in place and in good standing:
Audit trail: a record of system activities; analysis and monitoring
Assessment tools
Audit tools cover a wide spectrum of cost, complexity, etc. and must be tailored to the specific goals of the audit
The Access Control Matrix Model (Chapter 2 from Bishop's book)
Chapter 2: Access Control Matrix
Overview
Access Control Matrix Model
Boolean Expression Evaluation
History
Protection State Transitions
Commands
Conditional Commands
Special Rights
Principle of Attenuation of Privilege
Overview
Protection state of system: describes current settings, values of the system relevant to protection
Access control matrix: describes protection state precisely; a matrix describing rights of subjects; state transitions change elements of the matrix
Description
(Diagram on the slide: a matrix whose rows are the subjects s1, …, sn and whose columns are the objects o1, …, om followed by the subjects s1, …, sn.)
Subjects S = { s1, …, sn }
Objects O = { o1, …, om }
Rights R = { r1, …, rk }
Entries A[si, oj] ⊆ R; A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
Example 1
Processes (subjects) p, q; files (objects) f, g; rights r, w, x, a, o
         f      g      p      q
p        rwo    r      rwxo   w
q        a      ro     r      rwxo
Example 2
Procedures inc_ctr, dec_ctr, manage; variable counter; rights +, –, call
          counter  inc_ctr  dec_ctr  manage
inc_ctr   +
dec_ctr   –
manage             call     call     call
Boolean Expression Evaluation
ACM controls access to database fields
Subjects have attributes
Verbs define type of access, for example read, write
Rules associated with (object, verb) pair, e.g. (foo, write)
Subject attempts to access object; the rule for (object, verb) is evaluated and grants or denies access
Example
Subject: Alice. Attributes: role (artist), groups (creative)
Verb: paint
Default: 0 (deny unless explicitly granted)
Object: picture
Rule: paint: 'artist' in subject.role and 'creative' in subject.groups and time.hour ≥ 0 and time.hour < 5
ACM at 3AM and 10AM (the slide's matrix labels the subject row annie):
At 3AM, time condition met; ACM is:
           …  picture  …
annie      …  paint    …
At 10AM, time condition not met; ACM is:
           …  picture  …
annie      …           …
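The rule-based matrix above, as an added example that is not part of the slides: the ACM cell is never stored but derived by evaluating the (object, verb) rule against the subject's attributes and the hour, with deny as the default. The subject attributes and the helper names are my own construction.

```python
def paint_rule(subject, hour):
    """Rule attached to (picture, paint), transcribed from the slide:
    'artist' in subject.role and 'creative' in subject.groups and 0 <= hour < 5."""
    return ("artist" in subject["role"] and "creative" in subject["groups"]
            and 0 <= hour < 5)

# Rules keyed by (object, verb). Any pair without a rule falls to the default of 0 (deny).
RULES = {("picture", "paint"): paint_rule}

def access(subject, verb, obj, hour):
    """Evaluate the rule for (obj, verb) against the subject's attributes; deny by default."""
    rule = RULES.get((obj, verb))
    return bool(rule and rule(subject, hour))

def acm_entry(subject, obj, hour):
    """A[subject, obj] at the given hour: the set of verbs whose rule grants access.
    The matrix is derived from the rules each time it is consulted, not stored."""
    return {verb for (o, verb) in RULES if o == obj and access(subject, verb, o, hour)}

# Constructed attributes matching the slide's subject.
alice = {"role": ["artist"], "groups": ["creative"]}
```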
AC by History and Inference
Database:
name     position   age  salary
Alice    teacher    45   $40,000
Bob      aide       20   $20,000
Cathy    principal  37   $60,000
Dilbert  teacher    50   $50,000
Eve      teacher    33   $50,000
Queries:
1. sum(salary, "position = teacher") = 140,000
2. sum(salary, "age > 40 & position = teacher") should not be answered (deduce Eve's salary)
ACM of Database Queries
Oi = { objects referenced in query i }
f(oi) = permission set of query i
f(oi) = { read } for oj ∈ Oi, if |∩_{j=1,…,i} Oj| < 2
f(oi) = ∅ for oj ∈ Oi, otherwise
Query 1: O1 = { Alice, Dilbert, Eve } and no previous query set, so:
A[asker, Alice] = f(Alice) = { read }
A[asker, Dilbert] = f(Dilbert) = { read }
A[asker, Eve] = f(Eve) = { read }
and the query can be answered
But Query 2
From the last slide: f(oi) = { read } for oj in Oi, if |∩_{j=1,…,i} Oj| < 2; f(oi) = ∅ for oj in Oi, otherwise
Query 2: O2 = { Alice, Dilbert } but | O2 ∩ O1 | = 2, so
A[asker, Alice] = f(Alice) = ∅
A[asker, Dilbert] = f(Dilbert) = ∅
and the query cannot be answered
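The query-set overlap rule applied to the slide's table, as an added example (my code, not the slides'): the permission set for query i is { read } only if the intersection of Oi with the previous query sets has fewer than 2 members, so query 1 is answered and query 2 is refused. The class name and the choice to record a refused query's set in the history are my assumptions.

```python
DB = [  # constructed copy of the slide's table (salary in dollars)
    {"name": "Alice",   "position": "teacher",   "age": 45, "salary": 40000},
    {"name": "Bob",     "position": "aide",      "age": 20, "salary": 20000},
    {"name": "Cathy",   "position": "principal", "age": 37, "salary": 60000},
    {"name": "Dilbert", "position": "teacher",   "age": 50, "salary": 50000},
    {"name": "Eve",     "position": "teacher",   "age": 33, "salary": 50000},
]

class QuerySetOverlapControl:
    """Access controlled by history: the records of query i are readable only if
    the intersection of O_i with the previous query sets has fewer than `limit`
    members. A first query has no previous set and is allowed, as on the slide."""

    def __init__(self, limit=2):
        self.limit = limit
        self.history = []                    # O_1, ..., O_{i-1}

    def permission(self, o_i):
        """f(o_i): {'read'} or the empty set, applied to every object in O_i."""
        if not self.history:
            return {"read"}
        overlap = set(o_i)
        for o_j in self.history:
            overlap &= o_j                   # intersection over j = 1, ..., i
        return set() if len(overlap) >= self.limit else {"read"}

    def sum_salary(self, predicate):
        """Answer sum(salary, predicate), or return None when the ACM entries are empty.
        Assumption: a refused query's record set is still recorded in the history."""
        o_i = {row["name"] for row in DB if predicate(row)}
        perm = self.permission(o_i)
        self.history.append(o_i)
        if "read" not in perm:
            return None
        return sum(row["salary"] for row in DB if row["name"] in o_i)

ctl = QuerySetOverlapControl()
query1 = ctl.sum_salary(lambda r: r["position"] == "teacher")                     # 140000
query2 = ctl.sum_salary(lambda r: r["age"] > 40 and r["position"] == "teacher")   # None
```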
State Transitions
Change the protection state of the system
Xi is a state of the ACM at time i; |– represents a transition
Xi |– Xi+1: a command moves the system from state Xi to Xi+1
Xi |–* Xi+1: a sequence of commands moves the system from state Xi to Xi+1
Commands are often called transformation procedures, because they transform the state of the access control matrix
Primitive Operations
create subject s, create object o: creates a new row and column in the ACM; creates a new column in the ACM
destroy subject s, destroy object o: deletes a row and column from the ACM; deletes a column from the ACM
enter r into A[s, o]: adds r rights for subject s over object o
delete r from A[s, o]: removes r rights from subject s over object o
Access control requests
Transform the state of the access control matrix
An access control request can be precisely defined using pre-conditions and post-conditions
Use notation (from Z): pre-state without primes, post-state with primes
Example: pre-state – A[alice, file1] is the permission set of Alice to file1 before a request, and A′[alice, file1] is the post-state
Create Subject – pre and post conditions
Precondition: s ∉ S
Primitive command: create subject s
Postconditions:
S′ = S ∪ { s }, O′ = O ∪ { s }
(∀y ∈ O′)[a′[s, y] = ∅]
(∀x ∈ S′)[a′[x, s] = ∅]
(∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]
Create Object
Precondition: o ∉ O
Primitive command: create object o
Postconditions:
S′ = S, O′ = O ∪ { o }
(∀x ∈ S′)[a′[x, o] = ∅]
(∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]
Add Right
Precondition: s ∈ S, o ∈ O
Primitive command: enter r into a[s, o]
Postconditions:
S′ = S, O′ = O
a′[s, o] = a[s, o] ∪ { r }
(∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
(∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]
Delete Right
Precondition: s ∈ S, o ∈ O
Primitive command: delete r from a[s, o]
Postconditions:
S′ = S, O′ = O
a′[s, o] = a[s, o] – { r }
(∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
(∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]
Destroy Subject
Precondition: s ∈ S
Primitive command: destroy subject s
Postconditions:
S′ = S – { s }, O′ = O – { s }
(∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
(∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]
Destroy Object
Precondition: o ∈ O
Primitive command: destroy object o
Postconditions:
S′ = S, O′ = O – { o }
(∀x ∈ S′)[a′[x, o] = ∅]
(∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]
Creating File
Process p creates file f with r and w permission
command create•file(p, f)
    create object f;
    enter own into A[p, f];
    enter r into A[p, f];
    enter w into A[p, f];
end
Mono-Operational Commands
Make process p the owner of file g
command make•owner(p, g)
    enter own into A[p, g];
end
Mono-operational command: single primitive operation in this command
Conditional Commands
Let p give q r rights over f, if p owns f
command grant•read•file•1(p, f, q)
    if own in A[p, f]
    then
        enter r into A[q, f];
end
Mono-conditional command: single condition in this command
Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has c rights over q
command grant•read•file•2(p, f, q)
    if own in A[p, f] and c in A[p, q]
    then
        enter r into A[q, f];
        enter w into A[q, f];
end
Copy Right
Allows possessor to give rights to another
Often attached to a right, so only applies to that right: r is a read right that cannot be copied; rc is a read right that can be copied
Is the copy flag copied when giving r rights? Depends on the model and its instantiation
Own Right
Usually allows possessor to change entries in the ACM column: the owner of an object can add, delete rights for others
May depend on what the system allows: can't give rights to specific (set of) users; can't pass copy flag to specific (set of) users
Attenuation of Privilege
Principle says you can't give rights you do not possess; restricts addition of rights within a system
Usually ignored for owner. Why? Owner gives herself rights, gives them to others, deletes her rights.
Main Points
Access control matrix: simplest abstraction mechanism for representing protection state
Transitions alter protection state: 6 primitive operations that alter the matrix; transitions can be expressed as commands composed of these operations and, possibly, conditions