IST 712: 9/13/10
Controlling Access to Systems, Functions, Etc.
Objectives: September 13, 2010
• Quickly review previous discussions/demos
– Key topics: secret key/public key encryption approaches, digital signature vs. digital certificate, SSL/TLS
– Demo: TrueCrypt encryption
• Consider issues and potential vulnerabilities associated with access control, including…
– Identification, authentication, and authorization
– Control concepts: separation of duties, least privilege, etc.
– Access control attack types (high level only)
– Access control measures
– Testing access control
Demo: L0phtcrack 5.0 Password Cracker
• We’ll start and allow the process to “churn” during class and check in from time to time.
• I’ll explain the process I’ve used later in our discussion
TrueCrypt
• Freeware data encryption product (http://www.truecrypt.com)
• I use it personally, especially for portable data
• Easy to use and reliable
• Allows access to encrypted (while “mounted”) and unencrypted portions of a drive
• See Project 5-3, page 192
[Screenshot: flash drive with course info mounted as logical local drive Q:\]
Access Control Concepts
• Identification
– An unproven assertion of identity to a system (or other entity)
• Authentication
– A “test” which verifies that identity
• Authorization
– The right, privilege, permission, etc. for access to a resource
• Accountability
– The system’s ability to identify actions and tie them to an individual user (or program or function, etc.)
Authentication Approaches
• Proving identity
– Most operating systems require users to enter a userid and a password to “prove” identity
– Some other forms of authentication are allowed:
• Biometric logins
• Digital certificates
• Pluggable authentication modules (PAM), which pass the authentication request through to a configured back end (local password file, LDAP, Kerberos, etc.)
Authentication Methods
• Something you know
– Userid & password, the most common approach
• Something you have
– Token, smart card, USB key, etc.
• Something you are
– Biometrics of some sort
– Fingerprint, iris scan, hand or facial geometry, voice recognition, etc.
Password Storage/Use (Systems)
• Typically in a database of some sort
– Windows SAM database; Unix /etc/passwd (historically) and /etc/shadow
• Userids often in plaintext
• Passwords most often encrypted or hashed
– If encrypted, can be retrieved in some cases (“forgot password” option, for example)
– If hashed, cannot be retrieved and must be replaced
• The submitted password is hashed (with the stored salt, if the system uses one) and the result is compared to the hash stored for that userid
Password Thoughts
• Should be secret
• Should NOT be shared
– Which concept is violated…for certain…if shared?
• Should NOT be written where others can find it
– Exceptions?
• Can be stored in an encrypted file or vault
– Risks?
Authentication Risks
• Risk: Poor passwords
– Human nature: complex passwords are difficult to remember
– Default passwords within operating systems
– Intruders use automated software that attempts different userid/password combinations
• Risk: Passwords can be sniffed
– Passwords that pass in clear-text can be read by intruders
– No requirement to guess the password…just read it!
– Recall our FTP demo
Authentication Risks
• Risk: Password hashes can be broken
– Dictionary attack, brute force attack
– Or…often…a hybrid approach
[Figure: Brute force attack: every candidate string in turn (a, ab, … jayhawks) is hashed and each result (8F3C254A1866550F3AB81795…, 63A60F231E44…) is compared with the stored hash. Dictionary attack: each wordlist entry (jayhawks, twister, winter, …) is hashed until one, jayhawks, matches the stored hash 63A60F231E44F90456A6B72202E3FF84290F.]
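The three attack styles on the slide, worked through in code. This is an added example, not the lecture's own material and not L0phtcrack output: the "dumped" hash list, the userids and the wordlist are constructed, and unsalted SHA-1 stands in for the unsalted LM/NTLM hashes the demo cracks. The point it makes beyond the slide: with unsalted hashes one guess is tested against every account at once, the hybrid rules recover "word plus digit" passwords the plain dictionary misses, and brute force only reaches short passwords because the keyspace grows exponentially with length.

```python
"""Added example (not from the lecture or L0phtcrack): dictionary, hybrid and
brute-force attacks against a constructed list of unsalted password hashes."""
import hashlib
import itertools
import string


def sha1_hex(password):
    """Unsalted hash, like the LM/NTLM hashes L0phtcrack targets: one hash
    computation per guess tests every account in the list."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "dumped" hash list (userid -> hash); no real accounts.
STOLEN_HASHES = {
    "jroberts": sha1_hex("jayhawks"),      # plain dictionary word
    "mthomas":  sha1_hex("Jayhawks1"),     # word + capital + digit
    "guest":    sha1_hex("ab1"),           # short enough to brute force
    "admin":    sha1_hex("Zq7!mP9#vL2$"),  # long and random: survives all three
}

WORDLIST = ["password", "winter", "twister", "jayhawks", "letmein"]


def mangle(word):
    """Hybrid rules: case variants, common substitutions, appended digits."""
    bases = {word, word.capitalize(), word.upper()}
    for b in list(bases):
        bases.add(b.replace("a", "@").replace("o", "0").replace("e", "3"))
    for b in sorted(bases):
        yield b
        for d in range(10):
            yield f"{b}{d}"
        for d in range(100):
            yield f"{b}{d:02d}"


def crack(hashes, candidates):
    """Hash each candidate once and look it up against every stored hash."""
    targets = {h: user for user, h in hashes.items()}
    found = {}
    for guess in candidates:
        user = targets.get(sha1_hex(guess))
        if user is not None and user not in found:
            found[user] = guess
            if len(found) == len(targets):
                break
    return found


def dictionary_attack(hashes, wordlist=WORDLIST):
    return crack(hashes, iter(wordlist))


def hybrid_attack(hashes, wordlist=WORDLIST):
    return crack(hashes, (m for w in wordlist for m in mangle(w)))


def brute_force(hashes, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search of every string up to max_len over the alphabet."""
    candidates = ("".join(chars)
                  for n in range(1, max_len + 1)
                  for chars in itertools.product(alphabet, repeat=n))
    return crack(hashes, candidates)


def brute_force_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to exhaust the keyspace: the "crack time" that a
    password change interval has to stay inside."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(STOLEN_HASHES))
    print("hybrid:    ", hybrid_attack(STOLEN_HASHES))
    print("brute:     ", brute_force(STOLEN_HASHES))
    print("95^8 at 1e9 guesses/s:", brute_force_seconds(95, 8, 1e9), "seconds")
```

Run it and compare the three result sets: the dictionary pass recovers only jroberts, the hybrid pass adds mthomas, brute force adds guest, and admin is never recovered because 12 characters drawn from the full printable set is far outside any exhaustive search at realistic guess rates.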
Authentication Controls
• Know where hashes can be found. Protect!
– Can be sniffed via the wire
– Hashes are often transmitted or stored in clear-text
– Sensitive files on host computers (SAM database, /etc/shadow)
• Employ lockout feature
– Three (or other number) “strikes” and the account is locked out
– Available in Windows but not enabled as a default
– Caveat: an intruder who knows the userids can deliberately trigger lockout on every account (a denial of service), so pair lockout with monitoring and a reset process
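How the storage and checking described above should look on the system side, together with the "three strikes" lockout. This is an added example, not code from the lecture or from any operating system; the in-memory AccountStore stands in for the SAM database or /etc/shadow, and the record format (algorithm, iteration count, salt and hash separated by "$") is an assumption chosen for readability. It shows three things the slides state but do not demonstrate: the password is never stored, only a salted, iterated hash; verification re-hashes the submitted password with the stored salt and compares in constant time; and repeated failures lock the account without ever revealing whether the userid exists.

```python
"""Added example (not from the lecture or any product): how a system should
store and check passwords, plus a "three strikes" lockout."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor: slows every guess an attacker makes
MAX_STRIKES = 3       # lockout threshold from the slide


def make_record(password, salt=None):
    """Store algorithm, work factor, random salt and PBKDF2-HMAC-SHA256 hash.
    The salt means two users with the same password get different records,
    so cracking one hash does not reveal the other."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(record, password):
    """Re-hash the submitted password with the stored salt and compare the
    result to the stored hash in constant time."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Hashed once at import so a login for an unknown userid costs the same
# time as a real one (no userid enumeration through response timing).
_DUMMY_RECORD = make_record("not-a-real-password")


class AccountStore:
    """In-memory stand-in for the SAM or /etc/shadow with lockout tracking."""

    def __init__(self):
        self._records = {}  # userid -> hash record
        self._strikes = {}  # userid -> consecutive failed attempts
        self._locked = set()

    def add_user(self, userid, password):
        self._records[userid] = make_record(password)

    def record_for(self, userid):
        return self._records[userid]

    def is_locked(self, userid):
        return userid in self._locked

    def login(self, userid, password):
        """Returns "ok", "bad" or "locked". Unknown userids are reported as
        "bad", not "unknown", so the response does not confirm valid names."""
        record = self._records.get(userid)
        if record is None:
            check_password(_DUMMY_RECORD, password)
            return "bad"
        if userid in self._locked:
            return "locked"  # do not even evaluate the password
        if check_password(record, password):
            self._strikes[userid] = 0
            return "ok"
        self._strikes[userid] = self._strikes.get(userid, 0) + 1
        if self._strikes[userid] >= MAX_STRIKES:
            self._locked.add(userid)
            return "locked"
        return "bad"

    def unlock(self, userid):
        """Administrative reset after the user is re-identified out of band."""
        self._locked.discard(userid)
        self._strikes[userid] = 0
```

Note the contrast with the cracking example above: because each record carries its own random salt, an intruder who steals this store must run the iterated hash separately for every account and every guess, instead of testing one guess against the whole list.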
Authentication Controls
– Set and enforce password policies
• Increase length…in Windows, more than 14 characters (passwords longer than 14 characters cannot be stored as LM hashes, the weakest form)
• Use upper/lower case, numbers, special characters
• Use less predictable substitutions
– 0 → () (two characters substitute for one)
– M → /\/\ (four special characters for one alpha character)
• Non-dictionary words, misspellings
• Change regularly but don’t recycle
• Consider “pass phrases” rather than passwords
– Avoid sending passwords in clear-text
• Recall FTP demo
• If you must, anticipate and use “throw away” passwords
Authentication Controls
– Train workforce and reinforce with leadership
• Strong passwords on Post-It notes are NOT strong passwords
• Strong passwords shared with co-workers cease to be strong passwords
• Strong passwords passed via telephone or unencrypted email are subject to compromise
– Use advanced authentication technologies
• Biometrics, smart cards, two-factor authentication
Two Factor Authentication
• First factor: what the user knows
• Second factor: what the user has
– Password token
– USB key
– Digital certificate
– Smart card
• Superior to userid/password
Biometric Authentication
• Stronger than userid + password
• Often ranked above two-factor, though a biometric alone is still a single factor and is usually combined with something you have or know
• Issues:
– Sensitivity (false accept vs. false reject rates)
– Exemplar collection/storage
– Cost
– Changes in characteristics
– A compromised exemplar cannot be reissued the way a password can
Other Authentication Issues
• Consistency of user credentials across multiple environments
– Variations in system capabilities
– Multiple passwords: user and management challenges
• Password reset issues/methods
• Compromised password management/handling
• “Trust relationships”
Authentication: Trust
• Trust is extended when a system or process allows access without authentication
• Can occur with “remote shares”
– Drive is shared “remotely”…with another computer…over a network, even the Internet
• Peer-to-peer clients
• Windows “File & Print Sharing”
– Sharing is often broader than realized or can be extended by an intruder
Authentication: Trust
• Programs can “call”/trust other programs
– Can be especially insidious with “scheduled jobs”
– “Cascading trust” complicates
• Program A trusts Program B
• But Program B trusts Program C…and so forth
• A vulnerability in Program C (or D, E, F…) can lead to a compromise
• Control: Audit trust regularly.
– Know where trust relationships exist
– Ensure each is “business critical”
– Limit trust relationships to the greatest degree possible.
Demo: Windows File & Sharing Permissions
Access Control Technologies
• LDAP (Lightweight Directory Access Protocol)
• Active Directory
• RADIUS (Remote Authentication Dial In User Service)
• Diameter
• TACACS (Terminal Access Controller Access Control System)
• Kerberos
• Single Sign-on
• Reduced Sign-on
Good news! These are provided for exposure to terms only!
L0phtcrack 5.0 Demo
• Process:
– Batch file to create accounts using bogus users and old passwords the class provided
– Apply tool to “dump” SAM database
• Required “administrator” access
– Import results of dump into L0phtcrack
• Observations/Questions:
– Which passwords were most quickly cracked?
– Have all been cracked? If not, what’s common to those NOT cracked?
– What types of cracks has L0phtcrack employed?
– Might a different tactic provide more cracked passwords?
• Who might use the L0phtcrack tool in business?
Change My Password…Again?
• All passwords are theoretically “crackable”…with time, often LOTS of time!
• Goal of change frequency is to keep time of use inside “crack time”
• Two ways to accomplish:
– Lengthen “crack time” by strengthening password
– Change password more frequently
[Figure: timeline in which the current password is retired and a new password takes over before the time to crack has elapsed]
Access Attacks/Counters
• Buffer overflow
– Programming flaw. Discussed more with applications.
– Counter: Programming care and standards
• Script injection
– Web application programming flaw
– Similar in respects to buffer overflow. Addressed later.
– Counter: Programming care and standards
• Data remanence
– Data is not gone because it’s been “deleted”. Can still be accessible.
– Counter: Employee education. Recycling standards for storage (secure wiping or physical destruction before disposal).
Access Attacks/Counters
• Denial of service
– Local (DoS) or distributed (DDoS), launched from many locations
– Counter: Very limited
• Dumpster diving
– Retrieving sensitive information from trash
– Counter: Administrative controls; employee education
• Eavesdropping
– Network sniffing (wired or wireless)…more later
– “Shoulder surfing”
– Mobile calls and/or public conversations
– Counter: Sniffing detection (limited); employee education
Access Attacks/Counters
• Emanations
– Electromagnetic radiation (EMR) from monitors, cables
– Counter: Education/understanding of specific risks. Some electronic protections where warranted.
• Spoofing/masquerading
– False IP addresses, stealing “cookies”, etc.
– Counter: Firewall sophistication; awareness; effective web application development
• Social engineering
– Phishing, “spear phishing”, “whaling”, “pharming”
– Counter: Education; email filtering
Access Attacks/Counters
• Password guessing/cracking
– Discussed earlier
– Counter: Also previously discussed
• Malicious code (aka malware)
– Viruses, Trojan horses, worms
– Counter:
• Firewalls; antivirus software; anti-spyware software; user education
• More in the next block, application security
Authorization
• The follow-on question to authentication: “What can you do?”
– Once a user is authenticated, the associated authorization level determines what he/she can do
– Synonyms: rights, privileges, permissions, etc.
• Operating systems can grant privileges to users based on several mechanisms:
– Type of userid (administrative users have more access than guest users)
– Group memberships: if a userid belongs to a privileged group, it inherits the privileges of the group
– Direct grants: a user, “Joe Somebody”, can do backups
Authorization Risks
• Risk: Users assigned the wrong privileges
– Cause: Oversight or misconfiguration
• Joe Roberts (jroberts) was a system administrator…but left the company (assume no action was taken)
• Jessica Robertson is a new hire; she requests “jrobertson” for a userid, but it is truncated to “jroberts” by the length limit in local policy
• Jessica inherits the admin privileges associated with the userid
– Cause: Lack of administrative discipline
• Jessica arrives…the system administrator is overworked
• Rather than “granular” permissions, Jessica receives “blanket” authorizations
– Question: Does this imply that group permissions are bad??
Authorization Risks
– Cause: Accumulated authorizations
• Mary T began in accounting → Authorization Set #1
• Mary promoted to supervisor → Authorization Set #2
• Mary reassigned to internal audit → Authorization Set #3
• Mary later assumes role as project manager → Authorization Set #4
• And so on…
• Mary has accumulated (assuming no revocation actions) multiple authorizations…many likely inappropriate to her current position
Authorization Risks
• Risk: Processes assigned high privileges
– Authorization pertains to programs & processes, not simply users
– Processes (such as a backup process, web service, etc.) can be assigned higher privileges than required
– Intruder breaks the process to gain the process’s privileges
• Example: Buffer overflows (covered later)
• Higher privileges = greater potential impact/damage
Authorization Controls
• Consistent, effective actions associated with hiring, transfer, termination, etc.
• Periodic audits of group memberships, permissions, etc.
• Regular review of privileges assigned to people and processes
– Minimum privileges consistent with business needs
– Limiting privileges can generate…
• Administrative load
• Potential employee ill will
– …so the review can be overlooked or disregarded
Key Concept
• Principle of Least Privilege
– Any user, program, or process receives the minimum privileges <routinely> required
– Add permissions as justified
– Remove/disable when no longer needed
– In other words, start with nothing and add when needed, delete when unneeded
• Again…what issues will this approach sometimes generate?
• Security is always in tension with efficiency & cost
– What if a company can’t afford to do all it would really like to do? What might be “next best”?
– We’ll address shortly
Another Key Concept
• Separation (or Segregation) of Duties
– No single user should have privileges that would allow unaided completion of a key business or technical process
– Important functions should be divided to require involvement of different individuals or functional groups
– Examples: software changes, creation of computer/client accounts, financial transactions
• Once again, though, security is always in tension with efficiency & cost
– What if a company can’t afford to do all it would really like to do? What might be “next best”?
– Once again…response upcoming
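The two concepts, least privilege and separation of duties, turned into the access review the Authorization Controls slide calls for, using the "Mary T" accumulation case and the inherited "jroberts" userid from the Authorization Risks slides. This is an added example, not the lecture's material: the roles, permission names, toxic combinations and user records are constructed for illustration, and a real review would pull them from the directory and the applications. It flags, per account, every permission beyond what the current role needs (the accumulated sets) and every pair of permissions one person should not hold together; it also checks the role definitions themselves, since a role that bundles a toxic pair violates separation of duties for everyone assigned to it.

```python
"""Added example (not from the lecture): an access-review script that flags
accumulated privileges and separation-of-duties conflicts. All data is
constructed; no real roles, permissions or people."""

# Role -> permissions the role routinely needs (least-privilege baseline).
ROLE_PERMISSIONS = {
    "accounting":     {"ap_enter_invoice", "gl_view"},
    "ap_supervisor":  {"ap_enter_invoice", "ap_approve_payment", "gl_view"},
    "internal_audit": {"gl_view", "audit_log_read"},
    "project_mgr":    {"project_edit", "gl_view"},
    "sysadmin":       {"server_admin", "create_account"},
}

# Permission sets no single person should hold together (separation of duties).
TOXIC_COMBINATIONS = [
    ({"ap_enter_invoice", "ap_approve_payment"}, "enter and approve own invoices"),
    ({"create_account", "audit_log_read"}, "create accounts and review the trail that records it"),
    ({"code_commit", "prod_deploy"}, "change and release software unaided"),
]

# Constructed accounts: current role plus everything actually granted,
# including leftovers from earlier roles (the "Mary T" case) and an
# inherited admin userid (the "jroberts" case).
USERS = {
    "mthomas": {
        "role": "project_mgr",
        "granted": {"ap_enter_invoice", "gl_view", "ap_approve_payment",
                    "audit_log_read", "project_edit"},
    },
    "jroberts": {
        "role": "accounting",
        "granted": {"ap_enter_invoice", "gl_view", "server_admin", "create_account"},
    },
    "dlee": {
        "role": "internal_audit",
        "granted": {"gl_view", "audit_log_read"},
    },
}


def excess_permissions(user):
    """Least privilege: anything granted beyond the current role's baseline."""
    return sorted(user["granted"] - ROLE_PERMISSIONS[user["role"]])


def sod_violations(user):
    """Separation of duties: toxic combinations fully held by one person."""
    return [why for combo, why in TOXIC_COMBINATIONS if combo <= user["granted"]]


def role_sod_conflicts(roles=ROLE_PERMISSIONS):
    """A role whose baseline bundles a toxic pair breaks SoD by design."""
    return {role: [why for combo, why in TOXIC_COMBINATIONS if combo <= perms]
            for role, perms in roles.items()
            if any(combo <= perms for combo, _ in TOXIC_COMBINATIONS)}


def review(users=USERS):
    """Accounts needing action, with what to remove and why."""
    findings = {}
    for userid, u in users.items():
        excess, sod = excess_permissions(u), sod_violations(u)
        if excess or sod:
            findings[userid] = {"excess": excess, "sod": sod}
    return findings


def recommended_grants(user):
    """The account rebuilt from its current role alone."""
    return sorted(ROLE_PERMISSIONS[user["role"]])


if __name__ == "__main__":
    for userid, finding in review().items():
        print(userid, finding)
    print("roles that break SoD by design:", role_sod_conflicts())
```

The "next best" answer the slides ask about also falls out of this: where a small shop cannot split a duty across two people, it can at least detect the toxic combination, record it as an accepted risk, and compensate with a review of the transactions that person performs.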
Risk: Critical Files & Directories
• Some files constitute the “crown jewels” on a system
• Compromise of them can have dire consequences and lead to system or data compromise
– Files containing password hashes
– Group memberships
– Startup & shutdown scripts
– Configuration files
– Sensitive data files
• Controls
– Identify all critical files and directories
– Ensure only authorized users can access and/or modify these files and directories
– Verify periodically that ownership, permissions and contents still match a known-good baseline
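A minimal version of the control for critical files: record owner, group, permission bits and a content hash for each one while the system is known-good, then re-check and report any difference. This is an added example and not the lecture's material; the files it creates (a fake shadow file and startup script in a temporary directory) and the tampering it performs are constructed so it can run anywhere, and the baseline is kept in memory, whereas a real deployment stores it off-host so an intruder cannot rewrite it along with the files.

```python
"""Added example (not from the lecture): baseline and re-check critical files
by owner, group, mode and SHA-256, a minimal Tripwire-style control.
Runs against constructed files in a temporary directory."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Everything an intruder might change: who owns the file, who may
    write it, and what it contains."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "sha256": digest}


def baseline(paths):
    """Snapshot to take when the system is known-good; store it off-host."""
    return {p: fingerprint(p) for p in paths}


def check(baseline_db):
    """Compare the current state to the baseline; returns (path, detail)."""
    findings = []
    for path, expected in baseline_db.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        now = fingerprint(path)
        for field in ("uid", "gid", "mode", "sha256"):
            if now[field] != expected[field]:
                findings.append((path, f"{field} changed: {expected[field]!r} -> {now[field]!r}"))
    return findings


def world_writable(paths):
    """Critical files any local user could modify: a finding on its own."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def demo():
    """Constructed scenario: a fake shadow file and startup script are
    baselined, then tampered with (script edited, shadow made world-writable).
    Returns basenames only so the result does not depend on the temp path."""
    d = tempfile.mkdtemp()
    shadow = os.path.join(d, "shadow")
    rc_local = os.path.join(d, "rc.local")
    with open(shadow, "w") as f:
        f.write("root:$6$constructed$hash:0:0:99999:7:::\n")
    with open(rc_local, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(shadow, 0o640)
    os.chmod(rc_local, 0o755)
    db = baseline([shadow, rc_local])

    with open(rc_local, "a") as f:   # intruder appends to a startup script
        f.write("# line added after the baseline was taken\n")
    os.chmod(shadow, 0o666)          # and loosens the hash file's permissions

    return {
        "findings": sorted((os.path.basename(p), msg.split(" ")[0])
                           for p, msg in check(db)),
        "world_writable": [os.path.basename(p)
                           for p in world_writable([shadow, rc_local])],
    }


if __name__ == "__main__":
    print(demo())
```

The check runs with whatever privileges the reviewer has, so on a real host it is scheduled as a privileged job; the baseline file and the checker itself then belong on the critical-file list too.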
Types of Controls
• Technical controls
– Authentication, access control lists (ACLs), firewalls, encryption, remote access software, anti-virus/anti-spyware software
• Physical controls
– Key card access, video surveillance, alarm systems
• Administrative controls
– Policies (operating policies, security policies, system acceptable use policies, etc.)
Categories of Controls
• Detective
– Surveillance, logs, intrusion detection systems, etc.
• Deterrent controls
– Guards, signs, visible surveillance equipment, barbed/razor wire perimeter fencing
– Can also be detective, preventive
• Preventive
– Firewalls, anti-virus, intrusion prevention systems, fencing, bollards
• Corrective controls
– Controls implemented to prevent recurrence of an exploit or repeat of an event
Categories of Controls
• Recovery controls
– Also post-incident. Actions to restore normal system operation
• Compensating controls
– “Compensating” refers to WHY a control is implemented
– Actions taken to compensate when another control cannot be put in place or fails in some way
• Layered, heterogeneous control mixes provide the defense in depth concept introduced earlier
Access Control Testing
• Penetration testing (aka “pen testing”)
– Seeks to detect system defects, often exploitable vulnerabilities…technical and/or physical
– Fair number of automated tools available to aid the process
– Caution required to avoid unintended consequences
• Application vulnerability testing
– Range of vulnerability scanning applications available
– Seeks to identify issues with software and web applications that can be maliciously exploited
• Audit log analysis
– Regular review of selected system event and audit logs to detect unexplained or suspicious activity
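Audit log analysis made concrete: parse authentication records and apply two of the checks a reviewer would run against them. This is an added example, not the lecture's material; the log lines are constructed in an OpenSSH-style syslog format (the format, hostnames and addresses are assumptions), and the two rules, a burst of password failures from one source followed by a success and a privileged login outside business hours, are the kinds of "unexplained or suspicious activity" the slide refers to. The first rule ties back to the password-guessing risk earlier in the deck: the automated guessing the slides describe leaves exactly this pattern in the logs.

```python
"""Added example (not from the lecture): audit-log review over constructed
OpenSSH-style authentication lines. Format and sample data are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log sample (syslog-style, no year in the timestamp).
LOG = """\
Sep 13 09:01:02 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Sep 13 09:01:03 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Sep 13 09:01:04 host sshd[102]: Failed password for jroberts from 203.0.113.5 port 40003 ssh2
Sep 13 09:01:05 host sshd[103]: Failed password for jroberts from 203.0.113.5 port 40004 ssh2
Sep 13 09:01:06 host sshd[104]: Failed password for jroberts from 203.0.113.5 port 40005 ssh2
Sep 13 09:01:07 host sshd[105]: Accepted password for jroberts from 203.0.113.5 port 40006 ssh2
Sep 13 09:30:00 host sshd[106]: Failed password for mthomas from 198.51.100.7 port 5000 ssh2
Sep 13 10:00:00 host sshd[107]: Accepted password for mthomas from 198.51.100.7 port 5001 ssh2
Sep 13 23:45:00 host sshd[108]: Accepted publickey for root from 203.0.113.5 port 40007 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log, year=2010):
    """Turn matching lines into event dicts; the year is supplied because
    syslog timestamps omit it."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # a real tool would count and report unparsed lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def password_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Sources with >= threshold password failures inside the window, the
    userids tried, and whether a success followed (guessed, not mistyped)."""
    by_src = defaultdict(list)
    for e in events:
        if e["method"] == "password":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_ts = burst[-1]["ts"]
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "then_success": any(e["result"] == "Accepted" and e["ts"] >= last_ts
                                        for e in evs),
                }
                break
    return alerts


def privileged_logins(events, privileged=("root", "administrator"), business_hours=(8, 18)):
    """Accepted logins to privileged accounts outside business hours."""
    return [(e["user"], e["src"], e["ts"].strftime("%H:%M"))
            for e in events
            if e["result"] == "Accepted" and e["user"] in privileged
            and not (business_hours[0] <= e["ts"].hour < business_hours[1])]


if __name__ == "__main__":
    ev = parse(LOG)
    print("password guessing:", password_guessing(ev))
    print("off-hours privileged logins:", privileged_logins(ev))
```

Both rules are deliberately simple; the value is in running them on every review cycle rather than in their sophistication. In the sample, the same source that guessed jroberts's password later logs in as root with a key, which is the kind of link a reviewer should notice across rules.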
Upcoming Meetings
• September 20
– Guest speaker: TBA (may move to another date)
– Begin discussion of application security topics
• September 27
– Conclude application security coverage
– Complete a high level, topical review for Exam 1
• Please come with YOUR questions
• October 4
– Exam 1
– Only activity planned