Bài giảng Access Control

Access ControlContentsAccess Control ModelsAuthentication ModelsLogging ProceduresConducting Security AuditsRedundancy PlanningDisaster Recovery ProceduresOrganizational PoliciesAccess Control FundamentalsJérôme KervielRogue trader, lost €4.9 billionLargest fraud in banking history at that timeWorked in the compliance department of a French bankDefeated security at his bank by concealing transactions with other transactionsArrested in Jan 2008, out and working at a computer consulting firm in April 2008Access ControlThe process by which resources or services are granted or denied on a computer system or networkThere are four standard access control models as well as specific practices used to enforce access controlAccess Control TerminologyIdentificationA user accessing a computer system would present credentials or identification, such as a usernameAuthenticationChecking the user’s credentials to be sure that they are authentic and not fabricated, usually using a passwordAuthorizationGranting permission to take the actionA computer user is granted accessTo only certain services or applications in order to perform their dutiesCustodianThe person who reviews security settingsAlso called AdministratorAccess Control TerminologyAccess Control TerminologyComputer access control can be accomplished by one of three entities: hardware, software, or a policyAccess control can take different forms depending on the resources that are being protectedOther terminology is used to describe how computer systems impose access control:Object – resource to be protectedSubject – user trying to access the objectOperation – action being attemptedAccess Control TerminologyAccess ControlAccess Control ModelsMandatory Access ControlDiscretionary Access ControlRole-Based Access ControlRule-Based Access ControlMandatory Access Control (MAC) modelMost restrictive model—used by the militaryObjects and subjects are assigned access levelsUnclassified, Classified, Secret, Top SecretThe end user cannot implement, modify, or transfer any controlsDiscretionary Access Control (DAC) modelThe least restrictive--used by Windows computers in small networksA subject has total control over any objects that he or she ownsAlong with the programs that are associated with those objectsIn the DAC model, a subject can also change the permissions for other subjects over objectsDAC Has Two Significant WeaknessesIt relies on the end-user subject to set the proper level of securityA subject’s permissions will be “inherited” by any programs that the subject executesUser Account Control (UAC)Asks the user for permission when installing softwarePrinciple of least privilegeUsers run with limited privileges by defaultApplications run in standard user accountsStandard users can perform common tasksRole Based Access Control (RBAC) modelSometimes called Non-Discretionary Access ControlUsed in Windows corporate domainsConsidered a more “real world” approach than the other modelsAssigns permissions to particular roles in the organization, such as “Manager” and then assigns users to that roleObjects are set to be a certain type, to which subjects with that particular role have accessRole Based Access Control (RBAC) modelSometimes called Non-Discretionary Access ControlUsed in Windows corporate domainsConsidered a more “real world” approach than the other modelsAssigns permissions to particular roles in the organization, such as “Manager” and then assigns users to that roleObjects are set to be a certain type, to which subjects with that particular role have accessRule Based Access Control (RBAC) modelAlso called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioningControls access with rules defined by a custodianExample: Windows Live Family SafetyAccess Control Models (continued)Best Practices for Access ControlSeparation of dutiesNo one person should control money or other essential resources aloneNetwork administrators often have too much power and responsibilityJob rotationIndividuals are periodically moved from one job responsibility to anotherBest Practices for Access ControlLeast privilegeEach user should be given only the minimal amount of privileges necessary to perform his or her job functionImplicit denyIf a condition is not explicitly met, access is deniedFor example, Web filters typically block unrated sitesAccess Control MethodsThe methods to implement access control are divided into two broad categoriesLogical access control Physical access controlLogical Access Control MethodsLogical access control includesAccess control lists (ACLs)Group policiesAccount restrictionsPasswordsAccess Control List (ACL)A set of permissions attached to an objectSpecifies which subjects are allowed to access the objectAnd what operations they can perform on itEvery file and folder has an ACLAccess control entry (ACE)Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systemsWindows Access Control Entries (ACEs)In Windows, the ACE includesSecurity identifier (SID) for the user or groupAccess mask that specifies the access rights controlled by the ACEA flag that indicates the type of ACEA set of flags that determine whether objects can inherit permissionsAdvanced Security Settings in Windows 7Group PolicyA Microsoft Windows feature that provides centralized management and configuration of computers and remote usersUsing the Microsoft directory services known as Active Directory (AD)Group Policy is used in corporate domains to restrict user actions that may pose a security riskGroup Policy settings are stored in Group Policy Objects (GPOs)Account RestrictionsTime of day restrictionsLimit when a user can log on to a systemThese restrictions can be set through a Group PolicyCan also be set on individual systemsAccount expirationThe process of setting a user’s account to expireOrphaned accounts are user accounts that remain active after an employee has left an organizationCan be controlled using account expirationAccount RestrictionsTime of day restrictionsLimit when a user can log on to a systemThese restrictions can be set through a Group PolicyCan also be set on individual systemsAccount expirationThe process of setting a user’s account to expireOrphaned accounts are user accounts that remain active after an employee has left an organizationCan be controlled using account expirationAccount RestrictionsAccount RestrictionsPasswordsThe most common logical access controlSometimes referred to as a logical tokenA secret combination of letters and numbers that only the user knowsA password should never be written downMust also be of a sufficient length and complexity so that an attacker cannot easily guess it (password paradox)Passwords MythsAttacks on PasswordsBrute force attackSimply trying to guess a password through combining a random combination of charactersPasswords typically are stored in an encrypted form called a “hash”Attackers try to steal the file of hashed passwords and then break the hashed passwords offlineHow to Get the HashesEasy way: Just use CainCracker tab, right-click, "Add to List"Attacks on PasswordsDictionary attackGuess passwords from a dictionaryWorks if the password is a known common passwordRainbow tablesMake password attacks faster by creating a large pregenerated data set of hashes from nearly every possible password combinationWorks well against Windows passwords because Microsoft doesn't use the salting technique when computing hashes Attacks on PasswordsRainbow TablesGenerating a rainbow table requires a significant amount of timeRainbow table advantagesCan be used repeatedly for attacks on other passwordsRainbow tables are much faster than dictionary attacksThe amount of time needed on the attacking machine is greatly reducedRainbow Table AttackRainbow TablesGenerating a rainbow table requires a significant amount of timeRainbow table advantagesCan be used repeatedly for attacks on other passwordsRainbow tables are much faster than dictionary attacksThe amount of time needed on the attacking machine is greatly reducedPasswords (continued)One reason for the success of rainbow tables is how older Microsoft Windows operating systems hash passwordsA defense against breaking encrypted passwords with rainbow tablesHashing algorithm should include a random sequence of bits as input along with the user-created passwordThese random bits are known as a saltMake brute force, dictionary, and rainbow table attacks much more difficultNo Salt!To make hashing stronger, add a random "Salt" to a password before hashing itWindows doesn't salt its hash!Two accounts with the same password hash to the same result, even in Windows 7!This makes it possible to speed up password cracking with precomputed Rainbow TablesDemonstrationHere are two accounts on a Windows 7 machine with the password 'password'This hash is from a different Windows 7 machineLinux Salts its HashesPassword PolicyA strong password policy can provide several defenses against password attacksThe first password policy is to create and use strong passwordsOne of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashesA final defense is to use another program to help keep track of passwordsDomain Password PolicySetting password restrictions for a Windows domain can be accomplished through the Windows Domain password policyThere are six common domain password policy settings, called password setting objectsUsed to build a domain password policyDomain Password PolicyAccess Control MethodsThe methods to implement access control are divided into two broad categoriesLogical access control Physical access controlPhysical Access ControlPhysical access control primarily protects computer equipmentDesigned to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize itPhysical access control includes computer security, door security, mantraps, video surveillance, and physical access logsPhysical Computer SecurityPhysically securing network servers in an organization is essentialRack-mounted servers4.45 centimeters (1.75 inches) tallCan be stacked with up to 50 other servers in a closely confined areaKVM (Keyboard, Video, Mouse) SwitchNeeded to connect to the serversCan be password-protectedPhysical Computer SecurityPhysical Computer SecurityDoor SecurityHardware locksPreset lockAlso known as the key-in-knob lockThe easiest to use because it requires only a key for unlocking the door from the outsideAutomatically locks behind the person, unless it has been set to remain unlockedSecurity provided by a preset lock is minimalDeadbolt lockExtends a solid metal bar into the door frameMuch more difficult to defeat than preset locksRequires that the key be used to both open and lock the doorLock Best PracticesChange locks immediately upon loss or theft of keysInspect all locks on a regular basisIssue keys only to authorized personsKeep records of who uses and turns in keysKeep track of keys issued, with their number and identificationMaster keys should not have any marks identifying them as mastersLock Best PracticesSecure unused keys in a locked safeSet up a procedure to monitor the use of all locks and keys and update the procedure as necessaryWhen making duplicates of master keys, mark them “Do Not Duplicate,” and wipe out the manufacturer’s serial numbers to keep duplicates from being orderedCipher LockCombination locks that use buttons that must be pushed in the proper sequence to open the doorCan be programmed to allow only the code of certain individuals to be valid on specific dates and timesCipher locks also keep a record of when the door was opened and by which codeCipher locks are typically connected to a networked computer systemCan be monitored and controlled from one central locationCipher Lock DisadvantagesBasic models can cost several hundred dollars while advanced models can be even more expensiveUsers must be careful to conceal which buttons they push to avoid someone seeing or photographing the combinationTailgate SensorUses infrared beams that are aimed across a doorwayCan detect if a second person walks through the beam array immediately behind (“tailgates”) the first personWithout presenting credentialsPhysical TokensObjects to identify usersID BadgeThe most common types of physical tokensID badges originally were visually screened by security guardsToday, ID badges can be fitted with tiny radio frequency identification (RFID) tagsCan be read by an RFID transceiver as the user walks through the door with the badge in her pocketRFID tagMantrapBefore entering a secure area, a person must enter the mantrapA small room like an elevatorIf their ID is not valid, they are trapped there until the police arriveMantraps are used at high-security areas where only authorized persons are allowed to enterSuch as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portalsMantrapVideo SurveillanceClosed circuit television (CCTV)Using video cameras to transmit a signal to a specific and limited set of receiversSome CCTV cameras are fixed in a single position pointed at a door or a hallwayOther cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic viewPhysical Access LogA record or list of individuals who entered a secure area, the time that they entered, and the time they left the areaCan also identify if unauthorized personnel have accessed a secure areaPhysical access logs originally were paper documentsToday, door access systems and physical tokens can generate electronic log documents