Overview
Protecting what needs to be protected with the available technologies!
Access control is the
of Information Security!
Some Questions
What is Access?
What is the Access Mechanism?
What is Access Control?
The right
Flow of information between subject and object
Mechanism to protect the assets!
Identification, Authentication, Authorization
Identification
Method of establishing the subject's identity
User, Program, Process
Authentication
Method of proving the identity
How to prove an identity?
Something you know
Something you have
Something you are
Cognitive passwords
Fact or opinion based information
Created through several experience based questions
Easy to remember!
A person will not forget his birthplace, favorite color, dog's name, or the school he graduated from.
Passphrase
Sequence of characters that is longer than a password, thus a phrase
User enters this phrase into an application which transforms the value into a virtual password
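How the "transforms the value into a virtual password" step can work in practice, as an added example that is not from the slides: the application never stores the phrase, only a salted, slow one-way derivation of it (PBKDF2-HMAC-SHA256 is assumed here; the slides do not name a transformation), and the same derivation is repeated at login and compared in constant time. The iteration count and salt size are constructed values.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration; the slides do not name a
# transformation, so PBKDF2-HMAC-SHA256 is assumed here.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
VIRTUAL_PASSWORD_BYTES = 32


def derive_virtual_password(passphrase: str, salt: bytes) -> bytes:
    """Transform a long, memorable passphrase into a fixed-length virtual password.

    The salt makes identical passphrases produce different virtual passwords
    for different users; the iteration count slows down brute-force and
    dictionary attacks against a stolen password file.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        passphrase.encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
        dklen=VIRTUAL_PASSWORD_BYTES,
    )


def enroll(passphrase: str) -> dict:
    """Store only the salt and the virtual password, never the phrase itself."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "virtual": derive_virtual_password(passphrase, salt)}


def verify(passphrase: str, record: dict) -> bool:
    """Recompute the virtual password from the stored salt and compare in constant time."""
    candidate = derive_virtual_password(passphrase, record["salt"])
    return hmac.compare_digest(candidate, record["virtual"])


if __name__ == "__main__":
    record = enroll("my dog chased three red kites in march")
    print(verify("my dog chased three red kites in march", record))  # True
    print(verify("my dog chased three red kites in april", record))  # False
```

The point of the slow derivation is that the password file lists only salts and virtual passwords, so an attacker who copies it still has to run the full derivation for every guess.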
Electronic monitoring
Access the password file
Brute force attacks
Dictionary attacks
Social engineering
Shoulder surfing
Keys
Documents
Token devices
Memory cards
Smart cards
Token device
Software/hardware hybrid object used to verify an identity in an authentication process
Token device, or password generator, is usually a handheld device that has an LCD display and possibly a keypad
Token device is separate from the computer the user is attempting to access
Limitations
Human error
Battery limitation
Token itself (Environmental factors)
Asynchronous Token
A token device using an asynchronous token generating method employs a challenge/response scheme to authenticate a user.
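The challenge/response scheme above, as an added example that is not from the slides: the server shows a fresh random challenge, the user keys it into the handheld token, and the token computes a short code from a seed it shares with the server. The response function (HMAC-SHA256 truncated to six digits), the challenge length and the challenge lifetime are constructed assumptions, not a real token product.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for this illustration; no real token product is modelled.
CHALLENGE_DIGITS = 8
RESPONSE_DIGITS = 6
CHALLENGE_LIFETIME_SECONDS = 60.0


def compute_response(seed: bytes, challenge: str) -> str:
    """Token and server derive the response the same way: HMAC-SHA256 over the
    challenge, truncated to a short numeric code the user can read off an LCD."""
    mac = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** RESPONSE_DIGITS)
    return f"{code:0{RESPONSE_DIGITS}d}"


class HandheldToken:
    """The device in the user's hand. It is never connected to the computer:
    the user types the displayed challenge into it and reads back the code."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed

    def respond(self, challenge: str) -> str:
        return compute_response(self._seed, challenge)


class AuthenticationServer:
    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}
        self._pending: dict[str, tuple[str, float]] = {}

    def enroll(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed

    def issue_challenge(self, user: str) -> str:
        """A fresh random challenge per login attempt, so an observed response
        is worthless for any later attempt."""
        challenge = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[user] = (challenge, time.monotonic())
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # Single use: the pending challenge is consumed whether or not the code matches.
        entry = self._pending.pop(user, None)
        if entry is None or user not in self._seeds:
            return False
        challenge, issued_at = entry
        if time.monotonic() - issued_at > CHALLENGE_LIFETIME_SECONDS:
            return False
        expected = compute_response(self._seeds[user], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    server = AuthenticationServer()
    server.enroll("umair", seed)
    token = HandheldToken(seed)
    challenge = server.issue_challenge("umair")
    print("challenge shown to user:", challenge)
    print("login accepted:", server.verify("umair", token.respond(challenge)))
```

Two design choices carry the security argument: the server recomputes the expected code itself from the stored seed rather than trusting anything the client sends, and a challenge is discarded after one verification attempt, so the same code cannot be replayed and a rejected attempt cannot be retried against the same challenge.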
Synchronous Token
Memory Card
Holds information but cannot process
A memory card can hold a user's authentication information, so that the user only needs to type in a UserID or PIN.
Smart Card
Holds and processes information
After a threshold of failed login attempts, it can render itself unusable
PIN or password unlocks smart card functionality
Smart card could be used for:
Holding biometric data in template
Responding to challenge
Holding private key
Contactless
Requires only close proximity to a reader
Both the reader and the card have an antenna, and it is via this contactless link that the two communicate
Micro-probing techniques
Eavesdropping techniques
Trojan Horse attacks
Social engineering attacks
Fingerprints
Retina scan
Iris scan
Hand geometry
Facial scan
Biometric System
A characteristic based system
Includes all the hardware, associated software and interconnecting infrastructure to enable the identification/authentication process
Fingerprints
Every person's fingerprint is unique
Most affordable and convenient method of verifying a person's identity
The lines that create a fingerprint pattern are called ridges and the spaces between ridges are called valleys.
Retina Scan
Retinal scan technology maps the capillary pattern of the retina
A thin (1/50th inch) nerve on the back of the eye!
Accurate
Many people are hesitant to use the device
Iris Scan
Scans the iris or the colored portion of the eye
For authentication the subject looks at the video camera from a distance of 3-10 inches
The entire enrollment process is less than 20 seconds, and subsequent identification takes 1-2 seconds.
Offers high accuracy!
Hand Geometry
Measures specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.
Takes over 90 measurements of the length, width, thickness, and surface area of a person's hand and fingers.
Hand measurements occur with amazing speed, almost within one second.
A charge coupled device (CCD) digital camera is used to record the hand's three dimensional shape.
Keyboard Dynamics
Looks at the way a person types at a keyboard
Also called Typing Rhythms!
Keyboard dynamics measures two distinct variables:
Dwell time: The amount of time one holds a particular key
Flight time: The amount of time one moves between the keys
Voice Print
A voice reference template is constructed
To construct, an individual must speak a set of phrases several times as the system builds the template.
Voice identification systems incorporate several variables including pitch, dynamics, and waveform.
Facial Scan
Incorporates two significant methods:
Detection
Recognition
Biometric Performance
Biometric performance is most commonly measured in two ways:
False Rejection Rate (FRR), Type 1 error
False Acceptance Rate (FAR), Type 2 error
CER Concept
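How FRR, FAR and the crossover error rate (CER) relate, as an added example that is not from the slides: a matcher produces a similarity score for each attempt, the system accepts when the score reaches a decision threshold, and sweeping that threshold shows the trade-off. The genuine and impostor score lists are constructed for the illustration, not measurements of any real system.

```python
# Constructed matcher scores from 0.0 (no match) to 1.0 (perfect match):
# one set from genuine users, one from impostors. Not from a real system.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.66]
IMPOSTOR_SCORES = [0.30, 0.45, 0.52, 0.61, 0.38, 0.72, 0.25, 0.58, 0.49, 0.69]


def false_rejection_rate(genuine, threshold):
    """Type 1 error: a legitimate user scores below the threshold and is turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type 2 error: an impostor scores at or above the threshold and is let in."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, steps=100):
    """Sweep the decision threshold from 0 to 1 and record (threshold, FRR, FAR)."""
    curve = []
    for i in range(steps + 1):
        t = i / steps
        curve.append((t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t)))
    return curve


def crossover_error_rate(genuine, impostor, steps=100):
    """The CER is the point where FRR and FAR are (closest to) equal.
    Returns (threshold, error rate at that threshold)."""
    threshold, frr, far = min(
        error_curve(genuine, impostor, steps), key=lambda point: abs(point[1] - point[2])
    )
    return threshold, (frr + far) / 2


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, steps=10):
        print(f"threshold {t:.1f}: FRR {frr:.2f}  FAR {far:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold can only increase FRR and decrease FAR, which is why a single number such as the CER is used to compare systems: a deployment that cares more about keeping impostors out will run above the CER threshold and accept a higher rejection rate for legitimate users.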
Authorization
Controls
Technical controls
Use hardware and software technology to implement access control.
Physical controls
Ensure safety and security of the physical environment.
Administrative Controls
Ensure that technical and physical controls are understood and properly implemented
Technical Controls
Examples of Technical Controls are:
Encryption
Biometrics
Smart cards
Tokens
Access control lists
Violation reports
Audit trails
Network monitoring and intrusion detection
Physical Controls
Examples of Physical Controls are:
HVAC
Fences, locked doors, and restricted areas
Guards and dogs
Motion detectors
Video cameras
Fire detectors
Smoke detectors
Job rotation
Sharing responsibilities
Inspections
Incident response
Use of auditors
Passwords
Biometrics
Smart cards
Encryption
Database views
Firewalls
ACLs
Anti-virus
IDS
Reviewing audit logs
Reviewing violations of clipping levels
Forensics
Badges
Guards and dogs
CCTV
Fences, locks, man-traps
Locking computer cases
Removing floppy and CD-ROM drives
Disabling USB port
Motion detectors
Intrusion detectors
Video cameras
Guard responding to an alarm
RADIUS
Provides centralized authentication, authorization and accounting management for network services
Works on a Client/Server model
Functions:
To authenticate users or devices before granting them access to a network
To authorize users or devices for certain network services
To account for usage of services used
RADIUS Process
RADIUS Implementation
TACACS
TACACS has been through three generations: TACACS, XTACACS and TACACS+
TACACS at Work
Diameter
Kerberos
SESAME
Security Domains
Thin Clients
Kerberos
A computer network authentication protocol
Allows principals communicating over a non-secure network to prove their identity to one another in a secure manner.
Principals
Any user or service that interacts with a network
Term that is applied to anything within a network that needs to communicate in an authorized manner
Components of Kerberos
Key Distribution Center (KDC)
Holds all of the principals' secret keys
Principals authenticate to the KDC before networking can take place
Kerberos Process
SESAME
Secure European System for Applications in a MultiVendor Environment
Uses symmetric and asymmetric cryptographic techniques
Uses Privileged Attribute Certificates (PACs)
PACs are generated by the Privileged Attribute Server (PAS)
After a user successfully authenticates to the Authentication Server (AS), the PAS then creates a PAC for the user to present to the resource that is being accessed!
SESAME Process
Security Domains
Based on trust between resources or services on a domain that share a single security policy and single management
The security policy defines the set of objects that each user has the ability to access
A similar mission and single point of management responsibility
Thin Clients
Diskless computers are called dumb terminals or thin clients
Client/Server technology forces users to log onto a central server just to be able to use the computer and access network resources.
Server downloads the Operating System, or interactive operating software, to the terminal
Capability Lists
Specifies the access rights a certain subject possesses pertaining to specific objects
Category: Information warfare, Treasury, UN, etc.

Subject   Classification level   Category
Umair     Secret                 Finance
Tayyeb    Secret                 HR

Object             Classification level   Category
Finance records    Secret                 Finance
Employee records   Secret                 HR
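The subject and object labels in the table above, turned into a working capability check, as an added example that is not from the slides: a subject may read an object when its clearance level is at least the object's classification level and its categories include every category on the object, and each subject's capability list is the set of objects that rule admits. The ordering of classification levels and the extra "Budget memo" object are constructed assumptions; the slide only uses the level "Secret" and the two subjects and two objects shown.

```python
# Ordering of classification levels is an assumption of this example; the slides
# themselves only use the level "Secret".
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Subject clearances and object labels from the slide's table, each expressed as
# (classification level, set of categories).
SUBJECTS = {
    "Umair": ("Secret", {"Finance"}),
    "Tayyeb": ("Secret", {"HR"}),
}
OBJECTS = {
    "Finance records": ("Secret", {"Finance"}),
    "Employee records": ("Secret", {"HR"}),
    # Constructed extra object, not on the slide, to show that a lower-level
    # object in a subject's category is also readable.
    "Budget memo": ("Confidential", {"Finance"}),
}


def dominates(subject_label, object_label) -> bool:
    """A subject's label dominates an object's label when the subject's level is at
    least the object's level and the subject holds every category on the object
    (the need-to-know part of the check)."""
    s_level, s_categories = subject_label
    o_level, o_categories = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and o_categories <= s_categories


def can_read(subject: str, obj: str) -> bool:
    """Reference-monitor style decision for one (subject, object) pair."""
    return dominates(SUBJECTS[subject], OBJECTS[obj])


def capability_list(subject: str) -> set:
    """The capability list: every object this subject may read, derived from the labels."""
    return {name for name in OBJECTS if can_read(subject, name)}


if __name__ == "__main__":
    for subject in SUBJECTS:
        print(f"{subject}: {sorted(capability_list(subject))}")
```

Umair and Tayyeb both hold Secret clearance, yet neither can read the other's records: the level check passes, but the category check fails, which is exactly what the category column in the table is there to enforce.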
Penetration Testing
Muhammad Wajahat Rajab
ACE, CISSP (Associate), BS (TE)
Introduction
Process of simulating attacks on Information Systems
At the request of the owner, senior management
Steps
Discovery
Enumeration
Vulnerability mapping
Exploitation
Report to management
Step 1
Discovery
Gathering information about the target
Reconnaissance Types
Passive
Active
Step 2
Enumeration
Performing port scans and resource identification methods
Gaining specific information on the basis of information gathered during reconnaissance
Includes use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on
Step 3
Vulnerability Mapping
Identifying vulnerabilities in identified systems and resources
Based on these vulnerabilities attacks are carried out
Step 4
Exploitation
Attempting to gain unauthorized access by exploiting the vulnerabilities
Step 5
Report to management
Delivering to management documentation of test findings along with suggested countermeasures
Types
Zero knowledge
Partial knowledge
Full knowledge
Questions
Question 1
Question
Question 2
Discretionary
Relational
Mandatory
Administrative
Question
Discretionary
Relational
Mandatory
Administrative
Question 3
Question
Thank You!