Access Control and Site Security (Part 1)

January 26, 2015

© Abdou Illia – Spring 2015


Learning Objectives

Understand main security goals

Discuss resources’ access control

Discuss password-based access control

Basic systems’ attacks


Dialog attack: Eavesdropping

[Diagram: Client PC (Bob) and Server (Alice) exchange "Hello" messages in a dialog; the attacker (Eve) intercepts and reads the messages]

Intercepting confidential messages being transmitted over the network


Dialog attack: Message alteration

[Diagram: a message "Balance = $1" is exchanged between Client PC (Bob) and Server (Alice); the attacker (Eve) intercepts it and alters it so that "Balance = $1,000,000" is delivered]

Intercepting confidential messages and modifying their content


Flooding Denial-of-Service (DoS) attack

[Diagram: the attacker sends a message flood; the server is overloaded by the message flood]

Security Goals


Dialog attacks: Security Goal

If eavesdropping and message alteration attacks succeed, in which of the following ways can the target be affected?

a) Data files stored on hard drives might be deleted

b) Data files stored on hard drives might be altered

c) Corporate trade secret could be stolen

d) Competitors might get the victim company’s licensed info

e) Users might not be able to get network services for a certain period of time

f) The network might slow down

Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.


Malware attacks: Security Goal

If malware attacks succeeded, in which of the following ways could the victims be affected?

a) Data files stored on hard drives might be deleted

b) Data files stored on hard drives might be altered

c) Corporate trade secret could be stolen

d) Competitors might get the victim company’s licensed info

e) Users might not be able to get network services for a certain period of time

f) The network might slow down

Integrity = Main goal of implementing defense systems against malware attacks.


DoS attack: Security Goal

If a DoS attack succeeded, in which of the following ways could the victims be affected?

a) Data files stored on hard drives might be deleted

b) Data files stored on hard drives might be altered

c) Corporate trade secret could be stolen

d) Competitors might get the victim company’s licensed info

e) Users might not be able to get network services for a certain period of time

f) The network might slow down

Availability = Main goal of implementing defense systems against DoS attacks.


Security Goals

Three main security goals:

Confidentiality of communications and proprietary information

Integrity of corporate data

Availability of network services and resources

CIA

Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also validating that both parties involved are who they claim to be.

Non-repudiation: Ensuring that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.

Resources Access Control


Opening Question

Which of the following actions may be taken in order to strengthen the confidentiality of companies’ proprietary information?

a) Prevent employees from accessing files not needed for their job

b) Limit the number of computers each employee can use for logging in to the network

c) Encrypt any communications involving passwords

d) All of the above


What is Access Control?

Access control is the policy-driven limitation of access to systems, data, and dialogs

Access control prevents attackers from gaining access to systems’ resources, and helps stop them if they do


Three functions of Access Control

AAA process

Authentication: assessing the identity of the individual claiming to have permission to use resources

Supplicant sends credentials to verifier for authentication

Authorization: what permissions the authenticated user has

What resources he/she can get access to

What he/she can do with these resources

Auditing: recording what people do in log files

Log files can be analyzed in real-time or later for detecting violations of authentication/authorization. Can help detect attacks

Credentials for authentication

What you know (password, key, etc.)

What you have (smart card, physical key, etc.)

Who you are (fingerprint, etc.)

What you do (pronunciation, writing, etc.)


Managing Access Control: Steps

1) Enumeration of (sensitive) resources

E.g. HR databases, servers with trade secrets

2) Determination of sensitivity level for each resource

E.g. mission-critical vs. non mission-critical

3) Determination of who should have access

Role-Based Access Control (RBAC): determine the roles (or categories) of users. Example: IT employees, HR employees, Salesmen, etc.

List-Based Access Control (LBAC): the system administrator could in some cases create lists of employees (not based on roles) for general-purpose resources


Managing Access Control: Steps (cont.)

4) Determination of what access rights users should have, for each Role-Resource and/or List-Resource pair:

See

Browse/Read

Read/Modify

Delete

Full Control

Each right can be set to Allow or Deny

5) Develop Access Control policies

Printers availability: M-F, 6:00 AM-8:00 PM

Server computers: only administrators and server operators can use them for logging in

Remote Access servers: Callback feature must be enabled

Password policy: minimum 8 characters long, level of complexity, expiration, ….

Fair-use policy


Managing Access Control: Steps (cont.)

6) Implementing Policies/Access Control

Use OS and other tools to configure access control

Mandatory Access Control: administrator’s settings apply

Discretionary Access Control: owner of resource could share & set access rights

Perform penetration tests to test access control effectiveness

Perform security audits to test policies effectiveness

Audit by internal employees

Audit by security firm
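Steps 3 and 4 above (RBAC/LBAC plus Allow/Deny over the rights ladder) and the auditing function can be put together in a few lines. This is an added example, not code from the slides; the users, roles, lists and resources are constructed sample data, and the rule that a Deny wins over an Allow is an assumption about how the slides' Allow/Deny is meant.

```python
# Added example, not from the slides: RBAC (roles) + LBAC (admin-defined lists) with
# Allow/Deny entries over the slides' rights ladder; every decision is logged (auditing).
from dataclasses import dataclass, field

RIGHTS = ["See", "Browse/Read", "Read/Modify", "Delete", "Full Control"]  # weakest first

@dataclass
class Entry:
    principal: str   # a role (RBAC) or a named list (LBAC)
    resource: str
    right: str       # one of RIGHTS
    allow: bool      # True = Allow, False = Deny

@dataclass
class AccessControl:
    roles: dict = field(default_factory=dict)    # user -> set of roles
    lists: dict = field(default_factory=dict)    # list name -> set of users
    entries: list = field(default_factory=list)  # Allow/Deny entries
    audit: list = field(default_factory=list)    # every decision is recorded here

    def principals(self, user):
        """Roles the user holds plus every admin-defined list that names the user."""
        ps = set(self.roles.get(user, ()))
        ps |= {name for name, members in self.lists.items() if user in members}
        return ps

    def is_allowed(self, user, resource, right):
        """Assumed semantics: Allow covers weaker rights, Deny covers stronger ones, Deny wins."""
        wanted = RIGHTS.index(right)
        ps = self.principals(user)
        hits = [e for e in self.entries if e.resource == resource and e.principal in ps]
        denied = any(not e.allow and RIGHTS.index(e.right) <= wanted for e in hits)
        granted = any(e.allow and RIGHTS.index(e.right) >= wanted for e in hits)
        decision = granted and not denied
        self.audit.append((user, resource, right, "ALLOW" if decision else "DENY"))
        return decision

def build_sample():
    """Constructed sample: HR owns the HR database, sales may edit the price list,
    but temporary staff (a list, not a role) may not modify it."""
    ac = AccessControl(
        roles={"alice": {"HR employees"}, "bob": {"Salesmen"}, "carol": {"Salesmen"}},
        lists={"temp-staff": {"carol"}},
    )
    ac.entries += [
        Entry("HR employees", "HR database", "Full Control", True),
        Entry("Salesmen", "Price list", "Read/Modify", True),
        Entry("temp-staff", "Price list", "Read/Modify", False),
    ]
    return ac
```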

Password-Based Access Control


Types of account/password

Super account

User can take any action on any resource

Called Administrator (Windows), Supervisor (Netware), root (UNIX)

Hacking the super account = ultimate prize for attackers

Regular account

Limited access based on settings by the admin

Could gain super account status by elevating the privileges


Reusable Password

Used repeatedly to get access to a resource on multiple occasions

Bad because attacker can have time to crack it

Difficult to crack by remote guessing

Usually cut off after a few attempts

However, if intruder steals the password file, he/she can crack passwords at leisure


Password Cracking

With physical access or with password file in hand, attacker can use password cracking programs

Program                                               Windows   Linux
L0phtcrack (now LC5)                                  √
Ophcrack                                              √
John The Ripper                                       √         √
RainbowCrack (uses lookup tables and hash functions)  √         √
Crack                                                           √
Cain & Abel                                           √

Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds

Programs use brute-force cracking method

Used by network admins to locate users with weak passwords, and by attackers.


Cracking techniques

Dictionary attack: Fastest way to crack passwords. A “dictionary” file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application.

Hybrid attack: Adds numbers or symbols to the search words to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password.

Brute force attack: More suitable for complex passwords. May take a long time to work depending on the complexity of the password. The program tries any and every combination of numbers and letters and runs them against the hashed passwords on the computer. Passwords composed of random letters, numbers and characters are most vulnerable to this type of attack (rather than to dictionary or hybrid attacks).


Brute-force password cracking

Longer passwords take longer to crack

Combining types of characters makes cracking harder

Alphabetic, no case (26 possibilities)

Alphabetic, case (52)

Alphanumeric (letters and numbers) (62)

All keyboard characters (~80)


Password Length

Number of possible passwords (N^L) for password length L in characters and character-set size N

Character set                           L=1   L=2 (N^2)   L=4 (N^4)    L=6              L=8            L=10
Alphanumeric: letters & digits (N=62)   62    3,844       14,776,336   56,800,235,584   2.1834E+14     8.39299E+17
All keyboard characters (N=~80)         80    6,400       40,960,000   2.62144E+11      1.67772E+15    1.07374E+19
Alphabetic, case (N=52)                 52    2,704       7,311,616    19,770,609,664   5.34597E+13    1.44555E+17
Alphabetic, no case (N=26)              26    676         456,976      308,915,776      2.08827E+11    1.41167E+14

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?
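The table above is the formula N^L evaluated for four character sets; the following added example (not from the slides) computes it for any character-set size and length, so it also covers a policy like the one in the question above. The guess rate used for the time estimate is a constructed assumption, and the "other keyboard characters" count of 18 is derived from the slides' ~80 minus the 62 alphanumerics.

```python
# Added example, not from the slides: brute-force search space N**L for any
# character-set size N and password length L, plus a worst-case time estimate.
CHARSET_SIZES = {                    # character-set sizes used on the slides
    "Alphabetic, no case": 26,
    "Alphabetic, case": 52,
    "Alphanumeric": 62,
    "All keyboard characters": 80,   # "~80" on the slides
}
LENGTHS = [1, 2, 4, 6, 8, 10]

def keyspace(n, length):
    """Maximum number of passwords an attacker must try: N raised to the length."""
    return n ** length

def charset_size(lower=True, upper=False, digits=False, other=False):
    """Size of the character set a policy allows. 'other' uses 18, an assumption
    derived from the slides' ~80 keyboard characters minus the 62 alphanumerics."""
    return 26 * lower + 26 * upper + 10 * digits + 18 * other

def keyspace_table():
    """Rebuild the slides' table as {character set: {length: N**L}}."""
    return {name: {L: keyspace(n, L) for L in LENGTHS} for name, n in CHARSET_SIZES.items()}

def seconds_to_exhaust(n, length, guesses_per_second):
    """Worst-case time to try every password at an assumed guess rate."""
    return keyspace(n, length) / guesses_per_second

if __name__ == "__main__":
    for name, row in keyspace_table().items():
        print(f"{name:25s}", "  ".join(f"{v:.5E}" for v in row.values()))
    # Constructed assumption: 1e9 guesses/s against a stolen password file (offline).
    days = seconds_to_exhaust(62, 8, 1e9) / 86400
    print(f"62-character set, length 8, at 1e9 guesses/s: {days:.1f} days worst case")
```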


Password Policies

Good password policy:

At least 8 characters long

Change of case not at beginning

Digit (0 through 9) not at end

Other keyboard characters not at end

Example: triV6#ial

Completely random passwords are best but usually are written down

Password duration

Regularly test the strength of internal passwords

Disable passwords no longer valid


Password Policies (cont)

Shared passwords: not a good policy

Remove ability to learn who took actions; loses accountability

Usually not changed often or at all because of need to inform all sharers


Questions

Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to logon with the password abc123. Last night someone committed an attack stealing sensitive corporate information after elevating the privileges associated with the account they used to logon. Which of the following is true? (Choose all that apply)

a) the audit log file could be checked to determine at what time the attacker logged in

b) the audit log file could be checked to determine which user account was used in committing the attack

c) the audit log file could be checked to determine who committed the attack

d) all of the above.

Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why.


Password Policies (cont)

Disabling accounts that are no longer valid

As soon as an employee leaves the firm, etc.

As soon as contractors, consultants leave

In many firms, a large percentage of all accounts are for people no longer with the firm


Password Policies (cont)

Lost passwords

Password resets: Help desk gives new temporary password for the account

Leave temporary password on answering machine

Opportunities for social engineering attacks

Self-service reset may be better


Summary Questions

What are the three main security goals?

What security goal is jeopardized by a successful eavesdropping attack?

What is the difference between Role Based Access Control and List Based Access Control?

What is the difference between Mandatory Access Control and Discretionary Access Control?

What is a super account?

What is the difference between dictionary cracking and hybrid cracking?

What is a shared password? Do you recommend shared passwords? Why?


Alternatives to password

Access Cards

Magnetic stripe cards

Smart cards: have a microprocessor and RAM; can implement public key encryption for challenge/response authentication

Token: constantly changing password devices for one-time passwords

USB plug-in tokens


Alternatives to password (cont.)

Proximity Access Tokens

Use Radio Frequency ID (RFID) technology

Supplicant only has to be near a door or computer to be recognized

Two-Factor Authentication

PINs for the second factor

Short: 4 to 6 digits

Can be short because attempts are manual

Should not choose obvious combinations (1111, 1234) or important dates


Alternatives to password (cont.)

Biometric Authentication

Authentication based on biological (bio) measurements (metrics).

Biometric authentication is based on something you are (your fingerprint, iris pattern, face, hand geometry, and so forth) or something you do (write, type, and so forth)

The major promise of biometrics is to make reusable passwords obsolete


Review Questions

Answer Review Questions 2 posted to the Notes’ section of course web site.