Learning Objectives
Understand main security goals
Discuss resources' access control
Discuss password-based access control
Dialog attack: Eavesdropping
[Diagram: Client PC (Bob) and Server (Alice) exchange "Hello" messages in a dialog; the attacker (Eve) intercepts and reads the messages]
Intercepting a confidential message being transmitted over the network
Dialog attack: Message Alteration
[Diagram: Client PC (Bob) and Server (Alice) exchange messages in a dialog; the attacker (Eve) intercepts a message reading "Balance = $1" and delivers it altered to "Balance = $1,000,000"]
Intercepting confidential messages and modifying their content
Dialog attacks: Security Goal
If eavesdropping and message alteration attacks succeed, in which of the following ways can the target be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.
Malware attacks: Security Goal
If malware attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = Main goal of implementing defense systems against malware attacks.
DoS attack: Security Goal
If a DoS attack succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = Main goal of implementing defense systems against DoS attacks.
Security Goals
Three main security goals:
Confidentiality of communications and proprietary information
Integrity of corporate data
Availability of network services and resources
CIA
Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also validating that both parties involved are who they claim to be.
Non-repudiation: Ensuring that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
Opening Question
Which of the following actions may be taken in order to strengthen the confidentiality of companies’ proprietary information?
a) Prevent employees from accessing files not needed for their job
b) Limit the number of computers each employee can use for logging in to the network
c) Encrypt any communications involving passwords
d) All of the above
What is Access Control?
Access control is the policy-driven limitation of access to systems, data, and dialogs
Access control prevents attackers from gaining access to systems’ resources, and helps stop them if they do
Three functions of Access Control
AAA process
  Authentication: assessing the identity of the individual claiming to have permission to use resources
    Supplicant sends credentials to verifier for authentication
  Authorization: what permissions the authenticated user has
    What resources he/she can access
    What he/she can do with these resources
  Auditing: recording what people do in log files
    Log files can be analyzed in real time or later to detect authentication/authorization violations; can help detect attacks
Credentials for authentication
  What you know (password, key, etc.)
  What you have (smart card, physical key, etc.)
  Who you are (fingerprint, etc.)
  What you do (pronunciation, writing, etc.)
Managing Access Control: Steps
1) Enumeration of (sensitive) resources
   E.g. HR databases, servers with trade secrets
2) Determination of the sensitivity level of each resource
   E.g. mission-critical vs. non-mission-critical
3) Determination of who should have access
   Role-Based Access Control (RBAC): determine the roles (or categories) of users. Example: IT employees, HR employees, salesmen, etc.
   List-Based Access Control (LBAC): the system administrator could in some cases create lists of employees (not based on roles) for general-purpose resources
Managing Access Control: Steps (cont.)
4) Determination of what access rights users should have. For each Role-Resource and/or List-Resource pair, each right is set to Allow or Deny:
   See
   Browse/Read
   Read/Modify
   Delete
   …
   Full Control
5) Develop access control policies
   Printer availability: M-F, 6:00 AM-8:00 PM
   Server computers: only administrators and server operators can use them for logging in
   Remote access servers: callback feature must be enabled
   Password policy: minimum 8 characters long, level of complexity, expiration, …
   Fair-use policy
Managing Access Control: Steps (cont.)
6) Implementing policies/access control
   Use OS and other tools to configure access control
     Mandatory Access Control: administrator's settings apply
     Discretionary Access Control: the owner of the resource could share and set access rights
   Perform penetration tests to test access control effectiveness
   Perform security audits to test policy effectiveness
     Audit by internal employees
     Audit by a security firm
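The six steps above (enumerate resources, assign roles or lists, set Allow/Deny per right, enforce, audit) fit in a few dozen lines. The following is an added example, not code from the original slides; the users, roles, resources and rights assignments are constructed for illustration, and the rule that an explicit Deny always beats an Allow (with Deny as the default) is a design choice of this example.

```python
"""Role-based (RBAC) and list-based (LBAC) access control with auditing.

Added example, not code from the original slides. The users, roles,
resources and rights assignments below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Access rights from step 4; "full_control" implies every other right.
RIGHTS = ("see", "read", "modify", "delete", "full_control")


@dataclass
class AccessControlSystem:
    # Step 3 (RBAC): user -> roles held. LBAC entries key on the user name directly.
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # Step 4 (RBAC): (role, resource) -> {right: "allow" | "deny"}
    role_rights: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)
    # Step 4 (LBAC): (user, resource) -> {right: "allow" | "deny"}
    list_rights: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)
    # Auditing: one line per authorization decision
    audit_log: List[str] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def set_right(self, subject: str, resource: str, right: str,
                  verdict: str, *, by_list: bool = False) -> None:
        """Record Allow/Deny for a role (default) or for a listed user (by_list=True)."""
        if right not in RIGHTS or verdict not in ("allow", "deny"):
            raise ValueError("unknown right or verdict")
        table = self.list_rights if by_list else self.role_rights
        table.setdefault((subject, resource), {})[right] = verdict

    @staticmethod
    def _lookup(entry: Dict[str, str], right: str) -> Optional[str]:
        # A setting for the specific right wins; otherwise fall back to full_control.
        return entry.get(right, entry.get("full_control"))

    def authorize(self, user: str, resource: str, right: str) -> bool:
        """Authorization decision: any explicit Deny wins over Allow, and with
        no Allow at all the default is Deny (least privilege)."""
        verdicts = [self._lookup(self.role_rights.get((role, resource), {}), right)
                    for role in self.user_roles.get(user, set())]
        verdicts.append(self._lookup(self.list_rights.get((user, resource), {}), right))
        decision = "deny" not in verdicts and "allow" in verdicts
        self._audit(user, resource, right, decision)
        return decision

    def _audit(self, user: str, resource: str, right: str, decision: bool) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(
            f"{stamp} user={user} resource={resource} right={right} "
            f"decision={'ALLOW' if decision else 'DENY'}")

    def denied_attempts(self, user: str) -> List[str]:
        """Auditing: pull one user's denied attempts out of the log for later review."""
        return [line for line in self.audit_log
                if f"user={user} " in line and line.endswith("decision=DENY")]


def build_demo_system() -> AccessControlSystem:
    """Constructed policy: HR staff may read the HR database, IT staff are
    explicitly denied it, admins get full control, and one named user is
    list-allowed on a general-purpose printer queue."""
    acs = AccessControlSystem()
    acs.assign_role("bob", "hr")
    acs.assign_role("dana", "hr")
    acs.assign_role("dana", "it")
    acs.assign_role("root_user", "admins")
    acs.set_right("hr", "hr_database", "read", "allow")
    acs.set_right("it", "hr_database", "read", "deny")
    acs.set_right("admins", "hr_database", "full_control", "allow")
    acs.set_right("carol", "printer_queue", "see", "allow", by_list=True)
    return acs


if __name__ == "__main__":
    acs = build_demo_system()
    for user, res, right in [("bob", "hr_database", "read"),
                             ("dana", "hr_database", "read"),
                             ("eve", "hr_database", "read"),
                             ("carol", "printer_queue", "see")]:
        print(user, res, right, acs.authorize(user, res, right))
    print("\n".join(acs.denied_attempts("eve")))
```

Note that dana, who holds both the hr and it roles, is denied: when a user accumulates roles, an explicit Deny on any of them should close the door rather than an Allow on another opening it. The audit log is what lets step 6's security audit answer "who tried what, and when" after the fact.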
Types of account/password
Super account
  User can take any action on any resource
  Called Administrator (Windows), Supervisor (Netware), root (UNIX)
  Hacking the super account = ultimate prize for attackers
Regular account
  Limited access based on settings by the admin
  Could gain super account status by elevating the privileges
Reusable Password
  Used repeatedly to get access to a resource on multiple occasions
  Bad because the attacker has time to crack it
  Difficult to crack by remote guessing: usually cut off after a few attempts
  However, if an intruder steals the password file, he/she can crack passwords at leisure
Password Cracking
With physical access or with the password file in hand, an attacker can use password cracking programs:

Program                                               Windows   Linux
L0phtcrack (now LC5)                                  √
Ophcrack                                              √
John The Ripper                                       √         √
RainbowCrack (uses lookup tables and hash functions)  √         √
Crack                                                           √
Cain & Abel                                           √

Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds
Programs use brute-force cracking methods
Used by network admins to locate users with weak passwords, and by attackers
Cracking techniques
Dictionary attack: Fastest way to crack a password. A "dictionary" file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application.
Hybrid attack: Will add numbers or symbols to the search words to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password.
Brute force attack: More suitable for complex passwords. May take a long time to work depending on the complexity of the password. The program will begin trying any and every combination of numbers and letters and running them against the hashed passwords on the computer. Passwords composed of random letters, numbers and characters are most vulnerable to this type of attack.
Brute-force password cracking
Longer passwords take longer to crack
Combining types of characters makes cracking harder
  Alphabetic, no case (26 possibilities)
  Alphabetic, case (52)
  Alphanumeric (letters and numbers) (62)
  All keyboard characters (~80)
Password Length

Password length   Alphabetic, no case   Alphabetic, case   Alphanumeric: letters & digits   All keyboard characters
in characters     (N=26)                (N=52)             (N=62)                           (N=~80)
1                 26                    52                 62                               80
2 (N^2)           676                   2,704              3,844                            6,400
4 (N^4)           456,976               7,311,616          14,776,336                       40,960,000
6                 308,915,776           19,770,609,664     56,800,235,584                   2.62144E+11
8                 2.08827E+11           5.34597E+13        2.1834E+14                       1.67772E+15
10                1.41167E+14           1.44555E+17        8.39299E+17                      1.07374E+19
Q: Your password policy is: (a) the password must be 6 characters long, (b) the password may include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would have to try in order to crack a password in your system?
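The table is just N^L for each character-set size N and length L, and the question asks for the same quantity under a policy that fixes N. The following added example (not from the original slides) regenerates the table, derives N from the character classes a policy permits, and goes a little beyond the slide in two ways a defender cares about: the cumulative keyspace when a policy sets only a maximum length, and the effective character set of a password someone actually chose. The guess rate used in the demo is a constructed placeholder, not a measured cracking speed.

```python
"""Brute-force keyspace estimates for password policies.

Added example, not from the original slides. The character-set sizes are
the ones the slides use (26, 52, 62, ~80); the guess rate in the demo is a
constructed placeholder, not a measured cracking speed.
"""
import string

# Character-set sizes (N) from the slides.
CHARSET_SIZES = {
    "alphabetic, no case": 26,
    "alphabetic, case": 52,
    "alphanumeric": 62,
    "all keyboard characters": 80,
}


def keyspace(n: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of size n: N^L, the quantity tabulated on the slide."""
    return n ** length


def cumulative_keyspace(n: int, max_length: int) -> int:
    """Passwords of every length from 1 up to max_length. A policy that only
    sets a maximum (not a minimum) length lets the attacker try the short ones
    first, so this is the honest bound for such a policy."""
    return sum(n ** L for L in range(1, max_length + 1))


def policy_alphabet_size(digits=False, lower=False, upper=False, symbols=0) -> int:
    """Alphabet size for a policy described by the character classes it permits.
    `symbols` is the number of other keyboard characters allowed (the slides
    approximate the whole keyboard as ~80 characters in total)."""
    return (10 if digits else 0) + (26 if lower else 0) + (26 if upper else 0) + symbols


def effective_alphabet(password: str) -> int:
    """Smallest slide character set that contains every character of the
    password: useful when auditing how much brute-force resistance a chosen
    password actually has."""
    if password.isalpha() and password.islower():
        return 26
    if password.isalpha():
        return 52
    if all(c in string.ascii_letters + string.digits for c in password):
        return 62
    return 80


def expected_crack_seconds(n: int, length: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is
    tried before the right password turns up."""
    return keyspace(n, length) / 2 / guesses_per_second


def length_table(lengths=(1, 2, 4, 6, 8, 10)):
    """Regenerate the slide's table as {charset name: {length: keyspace}}."""
    return {name: {L: keyspace(n, L) for L in lengths}
            for name, n in CHARSET_SIZES.items()}


if __name__ == "__main__":
    for name, row in length_table().items():
        print(f"{name:24s}", "  ".join(f"{v:.3e}" for v in row.values()))
    # The slide's question: 6 characters, digits and lower-case letters only.
    n = policy_alphabet_size(digits=True, lower=True)
    print("policy keyspace:", keyspace(n, 6))
    rate = 1e9  # constructed placeholder guess rate (guesses per second)
    print("expected time at that rate:", expected_crack_seconds(n, 6, rate), "seconds")
```

The `effective_alphabet` check is the practical complement to the table: a policy may permit all ~80 keyboard characters, but a user who picks only lower-case letters has handed the attacker the N=26 column.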
Password Policies
Good password policy
  At least 8 characters long
  Change of case not at beginning
  Digit (0 through 9) not at end
  Other keyboard characters not at end
  Example: triV6#ial
  Completely random passwords are best but usually are written down
Password duration
Regularly test the strength of internal passwords
Disable passwords no longer valid
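The policy rules above, and the "add a number to the end" habit that the hybrid attack on the earlier slide exploits, can both be checked mechanically when an administrator tests the strength of internal passwords. The following is an added example, not code from the original slides: the interpretation of "change of case not at beginning" (it rules out capitalising only the first letter) is an assumption stated in the comments, and the word list is a constructed stand-in for a real cracking dictionary.

```python
"""Checker for the slide's password policy, plus the "dictionary word with
digits or symbols bolted on the end" shape that hybrid cracking targets.

Added example, not from the original slides. The reading of "change of case
not at beginning" is an assumption (see comment), and DICTIONARY is a
constructed stand-in for a real word list.
"""
import string
from typing import Dict, List

OTHER_KEYBOARD = set(string.punctuation)

# Constructed stand-in for a cracking dictionary (real ones hold millions of words).
DICTIONARY = {"password", "trivial", "welcome", "summer", "abc"}


def policy_violations(password: str) -> List[str]:
    """Return the slide's policy rules that `password` breaks (empty list = compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no change of case")
    # Assumption: "change of case not at beginning" rules out the habit of
    # capitalising only the first letter (e.g. "Trivial6#"), where the only
    # case change sits between the first and second character.
    elif password[0].isupper() and not any(c.isupper() for c in password[1:]):
        problems.append("change of case at beginning")

    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    elif password[-1].isdigit():
        problems.append("digit at end")

    if not any(c in OTHER_KEYBOARD for c in password):
        problems.append("no other keyboard character")
    elif password[-1] in OTHER_KEYBOARD:
        problems.append("other keyboard character at end")
    return problems


def hybrid_crackable(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word with digits/symbols appended,
    which is exactly what a hybrid attack tries right after the plain word."""
    core = password.rstrip(string.digits + string.punctuation)
    return core != password and core.lower() in dictionary


def audit(password: str) -> Dict[str, object]:
    """Combined verdict an administrator's strength test would report."""
    return {"violations": policy_violations(password),
            "hybrid_crackable": hybrid_crackable(password)}


if __name__ == "__main__":
    for pw in ["triV6#ial", "Trivial6#", "Password1", "abc123", "tR1v!alXy"]:
        print(pw, audit(pw))
```

The slide's own example, triV6#ial, passes every rule and is not a hybrid candidate, whereas Password1 fails three rules at once and is a dictionary word plus one digit, which is why policies that say nothing about where the digit goes still produce hybrid-crackable passwords.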
Password Policies (cont)
Shared passwords: not a good policy
  Remove the ability to learn who took actions; loses accountability
  Usually not changed often or at all because of the need to inform all sharers
Questions
Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to log on with the password abc123. Last night someone committed an attack stealing sensitive corporate information after elevating the privileges associated with the account they used to log on. Which of the following is true? (Choose all that apply)
a) The audit log file could be checked to determine at what time the attacker logged in
b) The audit log file could be checked to determine which user account was used in committing the attack
c) The audit log file could be checked to determine who committed the attack
d) All of the above
Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why.
Password Policies (cont)
Disabling accounts that are no longer valid
As soon as an employee leaves the firm, etc.
As soon as contractors, consultants leave
In many firms, a large percentage of all accounts are for people no longer with the firm
Password Policies (cont)
Lost passwords
  Password resets: help desk gives a new temporary password for the account
  Leaving the temporary password on an answering machine
  Opportunities for social engineering attacks
  Self-service reset may be better
Summary Questions
What are the three main security goals?
What security goal is jeopardized by a successful eavesdropping attack?
What is the difference between Role Based Access Control and List Based Access Control?
What is the difference between Mandatory Access Control and Discretionary Access Control?
What is a super account?
What is the difference between dictionary cracking and hybrid cracking?
What is a shared password? Do you recommend shared passwords? Why?
Alternatives to password
Access Cards
  Magnetic stripe cards
  Smart cards
    Have a microprocessor and RAM
    Can implement public key encryption for challenge/response authentication
Token
  Constantly changing password devices for one-time passwords
  USB plug-in tokens
Alternatives to password (cont.)
Proximity Access Tokens
  Use Radio Frequency ID (RFID) technology
  Supplicant only has to be near a door or computer to be recognized
Two-Factor Authentication
  PINs for the second factor
    Short: 4 to 6 digits
    Can be short because attempts are manual
    Should not choose obvious combinations (1111, 1234) or important dates
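A one-time password token (previous slide) combined with a short PIN is the two-factor scheme described here: something you have plus something you know. The added example below is not code from the original slides. It models the token with the HOTP algorithm of RFC 4226 (HMAC-SHA1 over an event counter, which is one common way such devices generate their constantly changing codes; the slides do not name an algorithm), and shows why a captured code cannot be reused and why a 4-digit PIN is acceptable only when attempts are cut off after a few failures. The shared secret, PIN and lockout threshold are constructed demo values.

```python
"""One-time password token plus a short PIN as two-factor authentication.

Added example, not from the original slides. The token is modelled with
HOTP (RFC 4226: HMAC-SHA1 over an 8-byte event counter with dynamic
truncation); the secret, PIN and lockout threshold are constructed values.
"""
import hashlib
import hmac
import struct

# Constructed demo values (the secret is the RFC 4226 test-vector key).
TOKEN_SECRET = b"12345678901234567890"
MAX_MANUAL_ATTEMPTS = 3   # cutoff after a few attempts is what keeps a 4-6 digit PIN viable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 of the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The user's device: each press shows the next code and advances the counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: something you know (PIN) plus something you have (token code)."""
    def __init__(self, secret: bytes, pin: str, look_ahead: int = 5):
        self.secret, self.pin, self.look_ahead = secret, pin, look_ahead
        self.counter = 0           # lowest counter value not yet used up
        self.failed_attempts = 0
        self.locked = False

    def login(self, pin: str, code: str) -> bool:
        if self.locked:
            return False
        ok = False
        if hmac.compare_digest(pin, self.pin):
            # Accept the next few counters (the token may have been pressed offline),
            # then move past the accepted one so the same code can never be replayed.
            for c in range(self.counter, self.counter + self.look_ahead):
                if hmac.compare_digest(hotp(self.secret, c), code):
                    self.counter = c + 1
                    ok = True
                    break
        if ok:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= MAX_MANUAL_ATTEMPTS
        return ok


def demo() -> dict:
    """Three login attempts: a fresh code, a replay of it, and a wrong PIN."""
    token = Token(TOKEN_SECRET)
    server = Verifier(TOKEN_SECRET, pin="4471")
    first = token.press()
    return {
        "good pin + fresh code": server.login("4471", first),
        "replay of same code": server.login("4471", first),
        "right code, wrong pin": server.login("0000", token.press()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```

Contrast this with the reusable password from the earlier slides: an eavesdropper who captures one HOTP code gets nothing reusable, and the verifier's attempt cutoff is what turns a 10,000-combination PIN from a brute-force target into a workable second factor.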
Alternatives to password (cont.)
Biometric Authentication
  Authentication based on biological (bio) measurements (metrics)
  Biometric authentication is based on something you are (your fingerprint, iris pattern, face, hand geometry, and so forth) or something you do (write, type, and so forth)
  The major promise of biometrics is to make reusable passwords obsolete