
Access Control

Muhammad Wajahat Rajab

Overview
Protecting what needs to be protected with the available technologies!
Access control is the
of Information Security!

Some Questions
What is Access?
What is the Access Mechanism?
What is Access Control?
The right
Flow of information between subject and object
Mechanism to protect the assets!

Identification, Authentication, Authorization

Identification

Identification
Method of establishing the subject's identity
User, Program, Process
Use of a username or other public information

Identification component requirements
Each value should be unique
Follow a standard naming scheme
Non-descriptive of the user's position or tasks
Must not be shared between users

Authentication

Authentication
Method of proving the identity
How to prove an identity?
Something you know
Something you have
Something you are
Use of passwords, tokens, biometrics, or other private information
What is two factor authentication?
Strong authentication

Something you know
Traditional authentication method
Passwords
Protected string of characters
Most widely used
Types
Cognitive passwords
One time passwords (Dynamic passwords)
Passphrase

Cognitive passwords
Fact- or opinion-based information
Created through several experience-based questions
Easy to remember!
A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.

One time passwords
Only used once
Used in sensitive cases and places
Examples include
Prepaid cards
Token devices
A token device generates the one-time password for the user to submit to an authentication server

Passphrase
A sequence of characters that is longer than a password, thus a phrase
The user enters this phrase into an application, which transforms the value into a virtual password

Attacks against passwords

Electronic monitoring
Access the password file
Brute force attacks
Dictionary attacks
Social engineering
Shoulder surfing

Something you have
Requires possession of something such as a key, smart card, or some other device
Examples include
Keys
Documents
Token devices
Memory cards
Smart cards

Token device
Software/hardware hybrid object used to verify an identity in an authentication process
A token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad
The token device is separate from the computer the user is attempting to access

Token Device Benefits/Limitations
Benefits
Not vulnerable to electronic eavesdropping
Wiretapping
Sniffing
Provide two factor authentication
Limitations
Human error
Battery limitation
Token itself (Environmental factors)

Types of Token Devices
Synchronous Token
A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.
Asynchronous Token
A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.
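Both token types above, as an added example that is not part of the slides and not any vendor's token firmware: a counter-synchronous token using the HOTP algorithm of RFC 4226 (HMAC-SHA-1 over the counter, dynamically truncated to six digits), and an asynchronous token that answers a server challenge with a keyed MAC. The shared secret is the RFC 4226 test-vector secret; the look-ahead window, verifier classes and `demo()` scenario are assumptions made for the example. The verifier's window is what "synchronizes" the two sides when the user presses the button without submitting the code; the single-use challenge is what stops a captured response from being replayed.

```python
"""Added example, not from the slides: a counter-synchronous token using the
HOTP algorithm of RFC 4226, and an asynchronous challenge/response token.
The shared secret is the RFC 4226 test-vector secret; names are constructed."""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
SHARED_SECRET = b"12345678901234567890"  # RFC 4226 appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C): dynamic truncation of HMAC-SHA-1(K, C), C as 8-byte big-endian."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SynchronousToken:
    """The handheld device: each button press emits the next counter's code."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class SynchronousVerifier:
    """Server side of the synchronous scheme. Keeps the last accepted counter
    and a small look-ahead window so presses that never reached the server do
    not lock the user out; an already-used counter is never accepted again."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # advance past the used counter
                return True
        return False


def challenge_response(secret: bytes, nonce: str) -> str:
    """The asynchronous token's answer: keyed MAC over the server's challenge."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:8]


class AsynchronousVerifier:
    """Server issues a fresh random challenge that is valid for one answer only,
    so a captured response cannot be replayed."""
    def __init__(self, secret: bytes):
        self.secret, self.pending = secret, set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        return hmac.compare_digest(challenge_response(self.secret, nonce), response)


def demo() -> dict:
    """Constructed scenario: two unsubmitted presses, a replay, drift past the
    window, then one challenge/response round and its replay."""
    token, server = SynchronousToken(SHARED_SECRET), SynchronousVerifier(SHARED_SECRET)
    for _ in range(2):
        token.press()                       # presses the server never saw
    third = token.press()
    results = {"within_window": server.verify(third),   # resynchronized
               "replay": server.verify(third)}           # counter already used
    for _ in range(10):
        token.press()                       # drift beyond the window
    results["beyond_window"] = server.verify(token.press())  # needs manual resync
    async_server = AsynchronousVerifier(SHARED_SECRET)
    nonce = async_server.challenge()
    answer = challenge_response(SHARED_SECRET, nonce)
    results["challenge_ok"] = async_server.verify(nonce, answer)
    results["challenge_replay"] = async_server.verify(nonce, answer)
    return results
```

Run `demo()` to see the five outcomes; the first two HOTP codes for the test secret are the RFC's published 755224 and 287082, which is a quick way to check any implementation of the algorithm.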

Synchronous Token

Asynchronous Token Device

Memory Card
Holds information but cannot process
A memory card can hold a user's authentication information, so
that the user only needs to type in a UserID or PIN.

Smart Card
Holds and processes information
After a threshold of failed login attempts, it can render itself unusable
PIN or password unlocks smart card functionality
Smart card could be used for:
Holding biometric data in a template
Responding to a challenge
Holding a private key

Types of Smart Card
Contact
Requires insertion into a smart card reader with a direct connection to a conductive micro-module on the surface of the card (typically gold plated)
Through these physical contact points, transmission of commands, data, and card status takes place
Contactless
Requires only close proximity to a reader
Both the reader and the card have an antenna, and it is via this contactless link that the two communicate

Smart Card attacks

Micro-probing techniques
Eavesdropping techniques
Trojan Horse attacks
Social engineering attacks

Something you are
Special case of something you have
Unique personal attribute is analyzed
Encompasses all biometric techniques

Fingerprints
Retina scan
Iris scan
Hand geometry
Facial scan

Biometric System
A characteristic based system
Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process
Uses an individual's unique physical characteristics in order to identify and authenticate
Each has its own advantages and disadvantages

Fingerprints
Every person's fingerprint is unique
Most affordable and convenient method of verifying a
person's identity
The lines that create a fingerprint pattern are called
ridges and the spaces between ridges are called valleys.

Retina Scan
Retinal scan technology maps the capillary pattern of the
retina
A thin (1/50th inch) nerve on the back of the eye!

Accurate
Many people are hesitant to use the device

Iris Scan
Scans the iris or the colored portion of the eye
For authentication the subject looks at the video camera
from a distance of 3-10 inches
The entire enrollment process is less than 20 seconds,
and subsequent identification takes 1-2 seconds.
Offers high accuracy!

Hand Geometry
Measures specific characteristics of a person's hand such
as length of fingers and thumb, widths, and depth.
Takes over 90 measurements of the length, width,
thickness, and surface area of a person's hand and
fingers.
Hand measurements occur with amazing speed, almost
within one second.
A charge coupled device (CCD) digital camera is used to
record the hand's three dimensional shape.

Keyboard Dynamics
Looks at the way a person types at a keyboard
Also called Typing Rhythms!
Keyboard dynamics measures two distinct variables:
Dwell time: The amount of time one holds a particular key
Flight time: The amount of time one moves between the keys
A keyboard dynamics system can measure one's keyboard input up to 1000 times per second!

Voice Print
A voice reference template is constructed
To construct, an individual must speak a set of phrases several
times as the system builds the template.
Voice identification systems incorporate several variables
including pitch, dynamics, and waveform.

Facial Scan
Incorporates two significant methods:
Detection
Recognition
Detection involves locating the human face within an image.
Recognition is comparing the captured face to other faces that have been saved and stored in a database.

Facial Scan -- Process

Biometric Performance
Biometric performance is most commonly measured in two ways:
False Rejection Rate (FRR) Type 1
False Acceptance Rate (FAR) Type 2
The FRR is the probability that you are not authenticated to access your account.
The FAR is the chance that someone other than you is granted access to your account.

Crossover Error Rate
Crossover Error Rate (CER) value is when Type 1 and Type 2 errors are equal.
(Type 1 = Type 2 errors) = CER metric value
System ABC has 1 out of 100 Type 1 errors = 1%
System ABC has 1 out of 100 Type 2 errors = 1%
System ABC CER = 1
The lower the CER value, the higher the accuracy
A system with a CER of 5 has greater accuracy than a system with a CER of 6
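The keyboard-dynamics variables (dwell and flight time) and the FRR / FAR / CER measurement above, worked through as one added example that is not part of the slides: features are extracted from constructed keystroke timings, a sample is scored against an enrolment template by mean absolute deviation (an assumption; real systems use richer distance measures), and a threshold sweep over constructed genuine and impostor scores finds the crossover where the two error rates are equal. Rates are returned as fractions, so the slides' "1 out of 100" reads as 0.01.

```python
"""Added example, not from the slides: keystroke-dynamics features and the
FRR / FAR / crossover (CER) computation, on constructed data."""
from typing import List, Sequence, Tuple

# A keystroke event: (key, press_time_ms, release_time_ms). Constructed sample.
Event = Tuple[str, int, int]
SAMPLE: List[Event] = [("a", 0, 80), ("b", 150, 240), ("c", 300, 370)]

# Constructed match scores (lower = closer to the template) for ten genuine
# attempts and ten impostor attempts.
GENUINE_SCORES = [10, 12, 14, 16, 18, 20, 22, 24, 26, 28]
IMPOSTOR_SCORES = [24, 28, 32, 36, 40, 44, 48, 52, 56, 60]


def dwell_times(events: Sequence[Event]) -> List[int]:
    """Dwell time: how long each key is held down."""
    return [release - press for _, press, release in events]


def flight_times(events: Sequence[Event]) -> List[int]:
    """Flight time: gap between releasing one key and pressing the next."""
    return [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]


def feature_vector(events: Sequence[Event]) -> List[int]:
    return dwell_times(events) + flight_times(events)


def enroll(samples: Sequence[Sequence[Event]]) -> List[float]:
    """Template = element-wise mean over several enrolment samples of the same text."""
    vectors = [feature_vector(s) for s in samples]
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def score(events: Sequence[Event], template: Sequence[float]) -> float:
    """Mean absolute deviation from the template; lower means a better match."""
    v = feature_vector(events)
    return sum(abs(a - b) for a, b in zip(v, template)) / len(template)


def error_rates(genuine: Sequence[float], impostor: Sequence[float], threshold: float):
    """Accept when score <= threshold.
    FRR (Type 1): fraction of genuine users rejected.
    FAR (Type 2): fraction of impostors accepted."""
    frr = sum(s > threshold for s in genuine) / len(genuine)
    far = sum(s <= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine: Sequence[float], impostor: Sequence[float]):
    """Sweep every observed score as a threshold; the CER is the operating
    point where FRR and FAR are closest (equal when the data allow).
    Returns (threshold, frr, far)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best
```

Tightening the threshold lowers FAR and raises FRR, loosening it does the opposite; the CER is the one number that summarises the trade-off, which is why the slides compare systems by it.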

CER Concept

Authorization

Authorization

Controls

Types of Access Controls
There are three types of Access Controls:
Administrative controls
Define roles, responsibilities, policies, and administrative functions to manage the control environment.
Technical controls
Use hardware and software technology to implement access control.
Physical controls
Ensure safety and security of the physical environment.

Administrative Controls
Ensure that technical and physical controls are understood and properly implemented
Policies and procedures
Security awareness training
Asset classification and control
Employment policies and practices (background checks, job rotations, and separation of duties)
Account administration
Account and log monitoring
Review of audit trails

Technical Controls
Examples of Technical Controls are:

Encryption
Biometrics
Smart cards
Tokens
Access control lists
Violation reports
Audit trails
Network monitoring and intrusion detection

Physical Controls
Examples of Physical Controls are:

HVAC
Fences, locked doors, and restricted areas
Guards and dogs
Motion detectors
Video cameras
Fire detectors
Smoke detectors

Categories of Access Controls

Preventive: Avoid incident
Deterrent: Discourage incident
Detective: Identify incident
Corrective: Remedy circumstance/mitigate damage and restore controls
Recovery: Restore conditions to normal
Compensating: Alternative control
Directive

Categories of Access Controls

Administrative Preventive Controls
Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness
Risk assessments and analysis
Creating a security program
Separation of duties

Administrative Detective Controls

Job rotation
Sharing responsibilities
Inspections
Incident response
Use of auditors

Technical Preventive Controls

Passwords
Biometrics
Smart cards
Encryption
Database views
Firewalls
ACLs
Anti-virus

Technical Detective Controls

IDS
Reviewing audit logs
Reviewing violations of clipping levels
Forensics

Physical Preventive Controls
Badges
Guards and dogs
CCTV
Fences, locks, man-traps
Locking computer cases
Removing floppy and CD-ROM drives
Disabling USB ports

Physical Detective Controls

Motion detectors
Intrusion detectors
Video cameras
Guard responding to an alarm

Jotting them together

Centralized Access Control Methodologies

Centralized Access Control Methodologies
(ISC)² discusses the following methodologies:
RADIUS -- Remote Authentication Dial-In User Service
TACACS -- Terminal Access Controller Access Control System
DIAMETER

RADIUS
Provides centralized authentication, authorization and
accounting management for network services
Works on a Client/Server model
Functions:
To authenticate users or devices before granting them access to
a network
To authorize users or devices for certain network services
To account for usage of services used
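The client/server exchange described above, as an added example that is not part of the slides and not any RADIUS server's code: a NAS builds an Access-Request, the server answers Access-Accept or Access-Reject, and the NAS checks the reply. It follows RFC 2865 for the packet layout, the User-Password hiding (MD5 of the shared secret chained with the Request Authenticator) and the Response Authenticator; the shared secret, the user store and the `demo()` scenario are constructed, and only the User-Name and User-Password attributes are carried. The last case in `demo()` shows why the NAS must verify the Response Authenticator: a reply whose code was altered in transit no longer checks out under the shared secret.

```python
"""Added example, not from the slides: the RADIUS client/server exchange of
RFC 2865 (Access-Request -> Access-Accept/Reject) with User-Password hiding
and the Response Authenticator. Secret and user store are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
SECRET = b"constructed-shared-secret"                  # NAS and server share this
USERS = {b"alice": b"correct horse battery staple"}    # constructed user store


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; XOR each block with
    MD5(secret + previous ciphertext block), the first with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, pad))
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("BB", atype, len(value) + 2) + value   # TLV; length includes header


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack(">BBH", code, ident, length) + request_auth + attrs + secret).digest()


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    """NAS (client) side. The Request Authenticator must be 16 fresh random octets."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def serve(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply."""
    _, ident, length = struct.unpack(">BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(USER_NAME, b"")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, 20, request_auth, b"", secret), b"")


def verify_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: accept a reply only if its Identifier matches the request and its
    Response Authenticator verifies under the shared secret; otherwise None."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, length, request[4:20], response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def demo() -> tuple:
    """Constructed scenario: good login, bad password, and a reply altered in transit."""
    good = build_access_request(SECRET, 7, b"alice", USERS[b"alice"])
    bad = build_access_request(SECRET, 8, b"alice", b"wrong")
    reject = serve(bad, SECRET, USERS)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]   # code changed; authenticator no longer matches
    return (verify_response(serve(good, SECRET, USERS), good, SECRET),
            verify_response(reject, bad, SECRET),
            verify_response(forged, bad, SECRET))
```

The example also makes the limitation the Diameter slides allude to concrete: everything protecting the password is MD5 keyed with the shared secret, so the strength of that secret and the confidentiality of the UDP path are what the whole exchange rests on.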

RADIUS Process

RADIUS Implementation

TACACS
TACACS has been through three generations:
TACACS, XTACACS and TACACS+
TACACS uses passwords for authentication
TACACS+ allows users to use dynamic (one-time) passwords
TACACS+ encrypts all the data
TACACS uses UDP
TACACS+ uses TCP

TACACS at Work

Diameter
"New and improved" RADIUS
RADIUS is limited in its methods of authenticating users
Diameter does not have such limitations
Can authenticate wireless devices and smart phones
Open for future growth
Users can move between service provider networks and change their points of attachment

Single Sign-On Technologies

Single Sign On (SSO)
A system that enables a user to access multiple computer platforms
User logs in just once
Access granted to permitted resources
No further login is required until after the user logs out
Examples include:
Kerberos
SESAME
Security Domains
Thin Clients

Kerberos
A computer network authentication protocol
Allows principals communicating over a non-secure network to
prove their identity to one another in a secure manner.

Principals
Any user or service that interacts with a network
Term that is applied to anything within a network that needs to
communicate in an authorized manner

Kerberos components
Key Distribution Center (KDC)
Holds all of the principals' secret keys
Principals authenticate to the KDC before networking can take place
Authentication Server (AS)
Authenticates the user at initial logon
Generates the initial ticket that allows the user to authenticate to the local system
Ticket Granting Service (TGS)
Generates tickets that allow subjects to authenticate to each other

Kerberos Process

SESAME
Secure European System for Applications in a Multi-Vendor Environment
Uses symmetric and asymmetric cryptographic techniques
Uses Privileged Attribute Certificates (PACs)
PACs are generated by the Privileged Attribute Server (PAS)
After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!

SESAME Process

Security Domains
Based on trust between resources or services on a
domain that share a single security policy and single
management
The security policy defines the set of objects that each
user has the ability to access
A similar mission and single point of management
responsibility

Security Domains -- Bulls Eye View

Thin Clients
Diskless computers are called dumb terminals or thin
clients
Client/Server technology forces users to log onto a
central server just to be able to use the computer and
access network resources.
Server downloads the Operating System, or interactive
operating software to the terminal

Access Control Models

Access Control Models
Frameworks that dictate how subjects access objects
Three Main Types
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role Based Access Control (RBAC)

Discretionary Access Control
Allows the owner of the resource to specify which subjects can access which resources
Access control is at the discretion of the owner
DAC defines an access control policy that restricts access to files and other system resources based on identity
DAC can be implemented through Access Control Lists (ACLs)

Access Control Matrix

Access Control Lists (ACLs)
Specifies the list of subjects that are authorized to access a specific object

Capability Lists
Specifies the access rights a certain subject possesses pertaining to specific objects

Access Control Matrix

Mandatory Access Control
Based on a security label system
Users are given security clearances and data is classified
Used where confidentiality is of utmost importance
MAC is considered a policy based control
Every object and subject is given a sensitivity label
Classification level
Secret, Top secret, Confidential, etc
Category
Information warfare, Treasury, UN, etc

Mandatory Access Control

Subject    Classification level    Category
Umair      Secret                  Finance
Tayyeb     Secret                  HR

Object              Classification level    Category
Finance records     Secret                  Finance
Employee records    Secret                  HR

Role Based Access Control
Uses a centrally administered set of controls to determine how subjects and objects interact
Decisions based on the functions that a user is allowed to perform within an organization
An advantage of role based access controls is the ease of administration
Capability tables are sometimes seen in conjunction with role-based access controls
Best for high-turnover organizations
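The three models side by side, as an added example that is not part of the slides: an access control matrix read column-wise as ACLs and row-wise as capability lists (DAC), label dominance on the slides' own Umair/Tayyeb table (MAC), and a role-to-permission mapping whose ease of reassignment is the "high turnover" advantage (RBAC). The MAC read/write rules used are the Bell-LaPadula no-read-up and no-write-down rules, which the slides do not name; the object names, rights and roles are constructed.

```python
"""Added example, not from the slides: DAC, MAC and RBAC decisions on the
slides' subjects and objects plus constructed resources and roles."""
from typing import Dict, FrozenSet, Set, Tuple

# ---------- DAC: the access control matrix and its two views ----------
# (subject, object) -> rights, set by each object's owner at their discretion.
Rights = Set[str]
MATRIX: Dict[Tuple[str, str], Rights] = {
    ("umair", "budget.xlsx"): {"read", "write"},
    ("tayyeb", "budget.xlsx"): {"read"},
    ("tayyeb", "payroll.db"): {"read", "write"},
}


def acl(matrix: Dict[Tuple[str, str], Rights], obj: str) -> Dict[str, Rights]:
    """ACL = one column of the matrix: which subjects may access this object."""
    return {s: r for (s, o), r in matrix.items() if o == obj}


def capability_list(matrix: Dict[Tuple[str, str], Rights], subject: str) -> Dict[str, Rights]:
    """Capability list = one row: what this subject may do to each object."""
    return {o: r for (s, o), r in matrix.items() if s == subject}


def dac_permits(matrix, subject: str, obj: str, right: str) -> bool:
    return right in matrix.get((subject, obj), set())


# ---------- MAC: sensitivity label = classification level + categories ----------
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}
Label = Tuple[str, FrozenSet[str]]
SUBJECT_LABELS: Dict[str, Label] = {          # the slides' table
    "Umair": ("Secret", frozenset({"Finance"})),
    "Tayyeb": ("Secret", frozenset({"HR"})),
}
OBJECT_LABELS: Dict[str, Label] = {
    "Finance records": ("Secret", frozenset({"Finance"})),
    "Employee records": ("Secret", frozenset({"HR"})),
}


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's and it holds all of b's categories."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def mac_can_read(subject: str, obj: str) -> bool:
    """No read up: the clearance must dominate the object's label."""
    return dominates(SUBJECT_LABELS[subject], OBJECT_LABELS[obj])


def mac_can_write(subject: str, obj: str) -> bool:
    """No write down: the object's label must dominate the clearance."""
    return dominates(OBJECT_LABELS[obj], SUBJECT_LABELS[subject])


# ---------- RBAC: permissions hang off roles; users are assigned roles ----------
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "finance_analyst": {("budget.xlsx", "read"), ("budget.xlsx", "write")},
    "hr_clerk": {("payroll.db", "read"), ("payroll.db", "write")},
}
USER_ROLES: Dict[str, Set[str]] = {"umair": {"finance_analyst"}, "tayyeb": {"hr_clerk"}}


def rbac_permits(user_roles: Dict[str, Set[str]], user: str, obj: str, right: str) -> bool:
    return any((obj, right) in ROLE_PERMS[r] for r in user_roles.get(user, ()))


def reassign(user_roles: Dict[str, Set[str]], user: str, roles) -> Dict[str, Set[str]]:
    """Turnover handling: change one role assignment instead of every ACL entry.
    Returns a new mapping; the old one is left untouched."""
    updated = dict(user_roles)
    updated[user] = set(roles)
    return updated
```

Compare the MAC result with the table: Umair and the Finance records carry identical labels, so he may read and write them, but his Finance category does not cover HR, so the Employee records are closed to him even at the same classification level.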

Access Control Techniques

Access Control Techniques
Rule-Based Access Control
Constrained User Interface
Content Dependent Access Control
Context Dependent Access Control

Penetration Testing
Muhammad Wajahat Rajab
ACE, CISSP (Associate), BS (TE)

Introduction
Process of simulating attacks on Information Systems
At the request of the owner or senior management
Uses a set of procedures and tools designed to test the security controls of a system
Emulates the same methods attackers use

Steps

Discovery
Enumeration
Vulnerability mapping
Exploitation
Report to management

Step 1
Discovery
Gathering information about the target
Reconnaissance Types
Passive
Active

Step 2
Enumeration
Performing port scans and resource identification methods
Gaining specific information on the basis of information
gathered during reconnaissance
Includes use of dialers, port scanners, network mapping,
sweeping, vulnerability scanners, and so on

Step 3
Vulnerability Mapping
Identifying vulnerabilities in identified systems and resources
Based on these vulnerabilities attacks are carried out

Step 4
Exploitation
Attempting to gain unauthorized access by exploiting the
vulnerabilities

Step 5
Report to management
Delivering to management documentation of test findings along
with suggested countermeasures

Types
Zero knowledge
Partial knowledge
Full knowledge

Questions

Question 1
Which of the following refers to a series of characters used to verify a user's identity?
A. Token Serial number
B. UserID
C. Password
D. Security ticket

Question 2
Which type of access control allows owners to specify who can access their files?
A. Discretionary
B. Relational
C. Mandatory
D. Administrative

Question 3
The three primary methods for authentication of a user to a system or network are?
A. Passwords, Tokens, and Biometrics
B. Authorization, Identification, and Tokens
C. Passwords, Encryption, and Identification
D. Identification, Encryption, and Authorization

Thank You!
