
Access Control in Information Security
Learn about the different types of access controls - preventive, detective, corrective, deterrent, recovery, directive, and compensating - and key concepts like separation of duties and least privilege. Explore how organizations can ensure data and system security through proper access control measures.
Presentation Transcript
Access Control
Maram Bani Younes
Access Control
Access control is the basic foundation of information security. It is implemented differently depending on whether the implementation is physical, technical or administrative.
Categories include (often used in combination):
- Preventive
- Detective
- Corrective
- Deterrent
- Recovery
- Directive
- Compensating

Access Control
- Preventive controls: designed to stop an unauthorized activity before it occurs, such as access controls, authentication mechanisms, and encryption.
- Detective controls: designed to detect and respond to unauthorized activities or incidents after they have occurred, such as intrusion detection systems and security information and event management (SIEM) tools.
- Corrective controls: designed to correct or mitigate the impact of unauthorized activities or incidents, such as patching systems and restoring backups.
- Deterrent controls: designed to discourage potential attackers or intruders from attempting unauthorized activities, such as security cameras and warning banners.

Access Control
- Recovery controls: designed to restore systems and data to their normal state after an incident, such as disaster recovery plans and backup and restore procedures.
- Directive controls: designed to direct or influence user behavior, such as security policies, training, and awareness programs.
- Compensating controls: designed to compensate for the lack of effectiveness or presence of other controls, such as manual reviews and audits.

Access Control
- A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact.
- The field of access control is constantly evolving. Organizations need to know what is available and what methods will best address their issues.
- Data and system access control are NOT the same: a user might have access to a system but not to the data.
- Access control assurance addresses the due diligence aspect of security. Implementing a control is part of due care; due diligence involves regularly checking to ensure that the control is working as expected.

Key Concepts
- Separation of duties
  - No one person should have control over the whole process. Allowing this could let a person manipulate the system for personal gain.
  - The process should be broken down into individual steps executed by different people.
  - Rotation of duties prevents collusion between two or more people. This minimizes the chance of fraud, or exposes it.
  - Core element of the Clark-Wilson integrity model.
- Least privilege
  - Only allow access to resources that are absolutely needed for the work.
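The two key concepts above can be enforced in code rather than left to policy. The following example is added here and is not part of the presentation: it models a payment workflow in which roles carry only the permissions their step needs (least privilege), a static check finds users whose combined roles hold a "toxic" create+approve pair, and a runtime check stops the initiator of a payment from also approving it (separation of duties). The role names, permissions and users are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role definitions: each role gets only the permissions its step
# needs (least privilege). No single role holds both "create" and "approve".
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read"},
}

# Permission pairs that one person must never hold together (separation of duties).
TOXIC_COMBINATIONS = [("payment:create", "payment:approve")]


class AccessDenied(Exception):
    """Raised when a subject lacks a permission or violates separation of duties."""


@dataclass
class Payment:
    amount: int
    created_by: str
    approved_by: Optional[str] = None
    history: list = field(default_factory=list)  # who did what, for accountability


def permissions_of(users, user):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in users.get(user, set())))


def require(users, user, permission):
    if permission not in permissions_of(users, user):
        raise AccessDenied(f"{user} lacks {permission}")


def create_payment(users, user, amount):
    """Step 1 of the process: only a subject holding payment:create may start it."""
    require(users, user, "payment:create")
    payment = Payment(amount=amount, created_by=user)
    payment.history.append(("create", user))
    return payment


def approve_payment(users, user, payment):
    """Step 2: a different person must approve, even if role assignments
    happen to give the initiator the approve permission as well."""
    require(users, user, "payment:approve")
    if user == payment.created_by:
        raise AccessDenied(f"{user} initiated this payment and cannot approve it")
    payment.approved_by = user
    payment.history.append(("approve", user))
    return payment


def find_sod_violations(users):
    """Static check: users whose combined roles hold a toxic permission pair."""
    violators = []
    for user in users:
        perms = permissions_of(users, user)
        if any(a in perms and b in perms for a, b in TOXIC_COMBINATIONS):
            violators.append(user)
    return sorted(violators)


if __name__ == "__main__":
    # Constructed user-to-role assignments; "dave" has been over-provisioned.
    users = {"alice": {"clerk"}, "bob": {"approver"}, "dave": {"clerk", "approver"}}
    print("SoD violations:", find_sod_violations(users))
    p = create_payment(users, "alice", 500)
    approve_payment(users, "bob", p)
    print(p.history)
```

The static check is what an access review would run periodically (due diligence); the runtime check is the control that holds even when the role matrix drifts.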
Information Classification
Information classification is the PROPER assessment of the sensitivity and criticality of information.
- Objectives:
  - Identify information that needs to be protected
  - Standardize labeling
  - Alert authorized holders of protection requirements
  - Comply with laws, regulations, etc.
- Benefits: keeps cost down.
- Example of classification levels: Public, Internal use only and Company confidential.
- Compartmentalized information: information that requires special privilege to access.

Information Classification Procedures
- Scope: a risk analysis will evaluate data for classification. Things to consider:
  - Exclusive possession (trade secrets, etc.)
  - Usefulness
  - Cost to recreate
  - Legal or regulatory liability
  - Operational impact
  - Etc.
- Process: the goal is to achieve a consistent approach to handling classified information.
- Marking and labeling: human readable and machine readable.
- Assurance: regular internal and possibly external audits should be done.
Access Control Types
- Administrative: policies and procedures.
- Technical/logical: use of hardware and software controls.
- Physical: manual, structural or environmental controls to protect facilities and resources.
Give examples for each!

Access Control Categories
- Preventive: block unwanted actions.
- Detective: identify, log and alert management of unwanted actions (during or after the event).
- Corrective: remedy the circumstances that enabled the event.
- Directive: controls dictated by organizational and legal authorities.
- Deterrent: prescribe some sort of punishment.
- Recovery: restore lost resources or capabilities.
- Compensating: backup controls that come into effect when normal controls are unavailable.

Access Control Threats
1. Denial of service
2. Password crackers
   - Dictionary
   - Brute force
   - Rainbow tables
3. Keystroke loggers
4. Spoofing/masquerading
System Access Control
- Identification: process of recognizing users or resources as valid accounts.
- Authentication: verification of the identity of the person or node.
- Authorization: determines what a user or node is allowed to do once identified and authenticated.
- Accountability: ability to track user activity.

Identification Methods
- Most common is a UserID, account number, email or PIN.
- Biometrics can also be used.
- MAC and IP addresses are used primarily to identify a node on the network.
- Security user registration: the user interacts with a registration authority to become an authorized member of the domain.
  1. UserID, encryption keys, job title, email, etc.
  2. User validation

Authentication Methods
- Knowledge (something you know)
- Ownership (something you have)
- Characteristics (something you are)
Examples?
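The four steps of system access control (identification, authentication, authorization, accountability) are easiest to see as one sequence of checks. The following example is added for illustration and is not from the presentation. It uses a constructed user directory with salted PBKDF2 password hashes ("something you know"), a permission set per user, and an audit trail that records every decision so that activity can be traced back to an account. The user names, passwords and permission names are made up.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password, salt, iterations=200_000):
    # Knowledge factor stored as a salted, iterated hash, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password, permissions):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "permissions": set(permissions)}


# Constructed directory of valid accounts (identification data).
DIRECTORY = {
    "alice": make_user("correct horse battery staple", {"report:read"}),
    "bob": make_user("hunter2", {"report:read", "report:write"}),
}

AUDIT_TRAIL = []  # accountability: every decision, successful or not, is recorded


def _audit(user, step, outcome, detail=""):
    AUDIT_TRAIL.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "step": step, "outcome": outcome, "detail": detail,
    })


def identify(user_id):
    """Identification: is the claimed account known at all?"""
    record = DIRECTORY.get(user_id)
    _audit(user_id, "identify", "ok" if record else "unknown")
    return record


def authenticate(user_id, password):
    """Authentication: prove the claimed identity. Unknown accounts take the
    same hashing path so response time does not reveal whether they exist."""
    record = identify(user_id)
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    ok = hmac.compare_digest(_hash_password(password, salt), expected) and record is not None
    _audit(user_id, "authenticate", "ok" if ok else "fail")
    return ok


def authorize(user_id, permission):
    """Authorization: what may the (already authenticated) account do?"""
    record = DIRECTORY.get(user_id)
    ok = record is not None and permission in record["permissions"]
    _audit(user_id, "authorize", "ok" if ok else "denied", permission)
    return ok


def access(user_id, password, permission):
    """Full sequence; True only when identification, authentication and authorization all pass."""
    if not authenticate(user_id, password):
        return False
    return authorize(user_id, permission)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "report:read"))   # True
    print(access("alice", "correct horse battery staple", "report:write"))  # False
    for entry in AUDIT_TRAIL:
        print(entry)
```

Note that a valid password does not by itself grant anything: authorization is a separate decision, which is the "data versus system access" distinction made earlier in the deck.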
Identity and Access Management
- Need for identity management: needed to manage, authenticate, authorize, provision, de-provision and protect identities.
- Challenges: the more complex a network and data protection system, the more challenging it is to manage.
- Identity management technologies: designed to centralize and streamline the management of user IDs, authentication and authorization.

Identity Management Challenges
- Consistency: user data entered across different systems MUST be consistent.
- Reliability: user profile data should be reliable, especially if it is used to control access to data or resources.
- Usability: multiple logins over multiple systems might not be the best idea.
- Efficiency: using an identity management system can decrease costs and improve productivity for both users and administrators.
- Scalability: the management system used must be able to scale to support the data, systems and peak transaction rates.

Identity Management Challenges
- Principals
  - Insiders: employees and contractors
  - Outsiders: customers, partners, vendors, etc.
- Data: different types of data about principals must be managed
  - Personal, legal and access control data
  - Some of this data might have regulatory requirements
- Life cycle
  - Initial setup when the user joins
  - Change and maintenance: routine password changes, name changes, etc.
  - Tear-down when the user leaves

Identity Management Technologies
- Web Access Management (WAM)
- Password management
- Account management
- Profile update
Define, give examples!
Access Control Technologies
- Single sign-on, also known as SSO
  - Kerberos
  - SESAME: protocol developed by the European Union
- Web portal access
- Directory services
- Security domains

Access Control Lists (ACL)
- Most common implementation of Discretionary Access Control (DAC).
- Provide an easy method to specify which users are allowed access to which objects.
  - Objects/subjects: files/users
- O.S. dependent: each OS has its own way of representing ACLs.
  - UNIX: 3 subjects (owner, group and world) with 3 permissions (read, write, execute).
  - ACL support in Linux is available for Ext2, Ext3, IBM JFS, ReiserFS and SGI XFS.
  - Microsoft has an unlimited number of subjects and 26 permissions.
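To make the UNIX owner/group/world model concrete, here is an added example (not from the presentation) that evaluates the classic 9-bit mode against a subject. It shows a detail the slide does not spell out: the kernel selects exactly one class for the subject, owner first, then group, then other, and tests only that class's bits, so an owner with mode 0o070 is denied even though the group bits would allow access. The file entries and user names are constructed; the root-user bypass is deliberately not modelled.

```python
import stat


class FileEntry:
    """Constructed stand-in for the metadata a UNIX kernel keeps per object."""

    def __init__(self, owner, group, mode):
        self.owner, self.group, self.mode = owner, group, mode


def parse_symbolic_mode(text):
    """Turn 'rwxr-x---' (as shown by ls -l) into the numeric mode bits, e.g. 0o750."""
    if len(text) != 9 or any(c not in "rwx-" for c in text):
        raise ValueError(f"not a 9-character symbolic mode: {text!r}")
    mode = 0
    for i, c in enumerate(text):
        if c != "-":
            mode |= 1 << (8 - i)   # leftmost character is the highest bit (owner read)
    return mode


# For each operation: the bit tested for the owner, group and other class.
OP_BITS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def permitted(entry, user, user_groups, op):
    """Classic UNIX DAC decision: pick one class for the subject and test only its bit."""
    owner_bit, group_bit, other_bit = OP_BITS[op]
    if user == entry.owner:
        bit = owner_bit            # owner class wins even if it is more restrictive
    elif entry.group in user_groups:
        bit = group_bit
    else:
        bit = other_bit
    return bool(entry.mode & bit)


def effective_permissions(entry, user, user_groups):
    """Set of operations the subject may perform on the object."""
    return {op for op in OP_BITS if permitted(entry, user, user_groups, op)}


if __name__ == "__main__":
    report = FileEntry("alice", "dev", parse_symbolic_mode("rwxr-x---"))
    for who, groups in [("alice", {"dev"}), ("bob", {"dev"}), ("eve", {"sales"})]:
        print(who, sorted(effective_permissions(report, who, groups)))
```

A subject's groups (as a supplementary group list) are what make the group class apply; the deck's "world" class is what POSIX calls "other".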
Intrusion Detection Systems
1. Network-based (NIDS) = packet
2. Host-based (HIDS) = permission
3. Application-based (AIDS, APIDS) = process

Intrusion Detection Systems
1. Network-based IDS: a network-based IDS monitors network traffic for signs of suspicious activity. It examines packet headers and payloads, looking for patterns that indicate potential attacks, such as port scanning, denial-of-service attacks, and malware traffic. This type of IDS is usually deployed on the perimeter of the network and can detect threats that may be missed by other security controls.

Intrusion Detection Systems
2. Host-based IDS: a host-based IDS monitors the activity on a single computer or device, looking for signs of suspicious behavior or unauthorized access. It analyzes system logs and event data, and can detect threats such as malware infections, unauthorized access attempts, and system configuration changes. This type of IDS is usually deployed on critical servers or endpoints and can provide an additional layer of security against targeted attacks.

Intrusion Detection Systems
3. Application-based IDS: an application-based IDS monitors application activity for signs of potential security threats. It examines traffic to and from specific applications, looking for suspicious behavior or anomalies that could indicate an attack, such as SQL injection or cross-site scripting. This type of IDS is usually deployed in conjunction with other security controls, such as web application firewalls, to provide more comprehensive protection against application-level attacks.

Intrusion Prevention Systems
1. Host-based
2. Network-based
3. Content-based
4. Rate-based
KPI (Key Performance Indicator): measures effectiveness.
Intrusion Prevention Systems Host-based IPS: This type of IPS is installed on individual hosts or endpoints, such as desktop computers, laptops, servers, or mobile devices. HIPS typically use a combination of signature-based and behavioral-based analysis to detect and prevent attacks on the host. HIPS can detect attacks that bypass network-based security measures, such as malware that is delivered through a USB drive or phishing emails.
Intrusion Prevention Systems Network-based IPS: This type of IPS is placed at the network perimeter or inside the network to monitor and analyze network traffic. NIPS can detect and prevent attacks before they reach the targeted host or endpoint. NIPS typically use signature-based and anomaly-based analysis to identify malicious traffic patterns, such as port scanning, brute force attacks, or denial-of-service attacks.
Intrusion Prevention Systems Content-based IPS: This type of IPS is designed to inspect and analyze the content of network traffic, such as email messages, web pages, or file transfers. CIPS can detect and prevent attacks that use specific keywords, file types, or network protocols. CIPS typically use signature-based and heuristic-based analysis to identify suspicious content, such as spam, phishing, or malware.
Intrusion Prevention Systems Rate-based IPS: This type of IPS is focused on preventing denial-of-service attacks by limiting the rate or volume of network traffic. RIPS can detect and prevent attacks that flood the network with a large number of packets or connections. RIPS typically use threshold-based and statistical-based analysis to control the flow of traffic, such as limiting the number of connections per IP address or blocking traffic from known malicious sources.
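The two rate-based controls named above (a per-source connection limit and a blocklist of known malicious sources) fit in a few lines as a token bucket. The following is an added example and not code from the presentation: each source IP starts with a burst allowance and is refilled at a fixed rate per second, so a legitimate client that pauses gets its allowance back while a flooding source is throttled. The addresses, rate and burst values are constructed; the clock is passed in explicitly so the behaviour is reproducible.

```python
from collections import defaultdict


class RateBasedGuard:
    """Per-source token bucket plus a static blocklist, the two RIPS mechanisms
    described above. allow() returns True when a packet/connection may pass."""

    def __init__(self, rate, burst, blocklist=()):
        self.rate = float(rate)        # tokens refilled per second
        self.burst = float(burst)      # maximum tokens a source can bank
        self.blocklist = set(blocklist)
        self.tokens = {}               # ip -> tokens remaining
        self.last = {}                 # ip -> timestamp of last refill
        self.dropped = defaultdict(int)  # ip -> count of dropped events (for KPIs)

    def allow(self, ip, now):
        if ip in self.blocklist:       # known malicious source: always drop
            self.dropped[ip] += 1
            return False
        tokens = self.tokens.get(ip, self.burst)
        last = self.last.get(ip, now)
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self.last[ip] = now
        if tokens >= 1.0:
            self.tokens[ip] = tokens - 1.0
            return True
        self.tokens[ip] = tokens       # below one token: throttle this source
        self.dropped[ip] += 1
        return False


def replay(guard, events):
    """Feed (timestamp, ip) events through the guard; returns the per-IP pass counts."""
    passed = defaultdict(int)
    for ts, ip in events:
        if guard.allow(ip, ts):
            passed[ip] += 1
    return dict(passed)


if __name__ == "__main__":
    guard = RateBasedGuard(rate=1, burst=3, blocklist={"198.51.100.9"})
    # Constructed flood: 20 connection attempts in 2 seconds from one source,
    # one attempt from a normal client, one from a blocklisted address.
    flood = [(1000.0 + i * 0.1, "203.0.113.5") for i in range(20)]
    events = flood + [(1000.5, "203.0.113.6"), (1000.5, "198.51.100.9")]
    print(replay(guard, events))        # flood source gets ~5 through, others as expected
    print(dict(guard.dropped))
```

The dropped-count map is the raw material for the KPI the deck mentions: drops per source over time show whether the threshold is tuned too tightly (legitimate clients throttled) or too loosely.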
IDS/IPS Examples
- Anomaly
  - Multiple failed logins
  - User logged in at unusual times
  - Unexplained changes to system clocks
  - Unusual number of error messages
  - Unexplained system shutdowns/restarts
- Response
  - Dropping suspicious packets
  - Denying access to suspicious users
  - Reporting suspicions to other system hosts/firewalls
  - Changing IDS configurations
- Alert
  - Email
  - Pager
  - Audible alarm
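The anomaly, response and alert lists above map directly onto a small host-based detector. The following example is added here and is not from the presentation: it reads a constructed, simplified authentication log, raises an alert when one user/source pair accumulates five failures inside a one-minute window ("multiple failed logins"), flags successful logins outside business hours ("user logged in at unusual times"), applies the response of denying further access from the offending source, and renders each alert as the one-line message an email or pager channel would carry. The log format, thresholds and business-hours range are all assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log: "<ISO timestamp> <RESULT> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T02:13:05 SUCCESS user=alice src=10.0.0.4
2024-05-01T09:00:01 FAILED user=bob src=10.0.0.7
2024-05-01T09:00:03 FAILED user=bob src=10.0.0.7
2024-05-01T09:00:04 FAILED user=bob src=10.0.0.7
2024-05-01T09:00:06 FAILED user=bob src=10.0.0.7
2024-05-01T09:00:07 FAILED user=bob src=10.0.0.7
2024-05-01T09:00:09 SUCCESS user=bob src=10.0.0.7
2024-05-01T10:30:00 SUCCESS user=carol src=10.0.0.9
"""

FAIL_THRESHOLD = 5                 # failures per (user, source) ...
FAIL_WINDOW = timedelta(minutes=1)  # ... within this window trigger an alert
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 is considered a normal login time


def parse_line(line):
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def detect(log_text):
    """Returns (alerts, denied_sources). Each alert is (kind, user, src, timestamp)."""
    alerts = []
    denied_sources = set()                    # response: deny access to suspicious sources
    recent_failures = defaultdict(deque)      # (user, src) -> failure timestamps in window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAILED":
            window = recent_failures[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()              # slide the window forward
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("multiple_failed_logins", ev["user"], ev["src"], ev["ts"]))
                denied_sources.add(ev["src"])
                window.clear()                # one alert per burst, not one per failure
        elif ev["result"] == "SUCCESS":
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("login_at_unusual_time", ev["user"], ev["src"], ev["ts"]))
            if ev["src"] in denied_sources:
                # A success right after a burst of failures is the case worth escalating.
                alerts.append(("success_after_failed_burst", ev["user"], ev["src"], ev["ts"]))
    return alerts, denied_sources


def render_alert(alert):
    """One-line message for an email/pager channel."""
    kind, user, src, ts = alert
    return f"[{kind}] user={user} src={src} at {ts.isoformat()}"


if __name__ == "__main__":
    found, denied = detect(SAMPLE_LOG)
    for a in found:
        print(render_alert(a))
    print("denied sources:", sorted(denied))
```

Clearing the window after an alert is a deliberate choice: without it, every additional failure in the same burst would page someone again, which is how alert fatigue starts.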
Access Control Assurance
- Audit trail monitoring
- Vulnerability assessment tools

Penetration Testing Overview
- Definition
- Areas to test
- Methods of testing
- Testing procedures
- Testing hazards

Penetration Testing Overview
What is penetration testing? It is a simulated cyberattack against a computer system, network, or application in order to identify security weaknesses and vulnerabilities that could be exploited by malicious attackers.

Penetration Testing Overview
The main objective of penetration testing is to evaluate the security of a system by attempting to exploit its vulnerabilities in a controlled and safe manner. This process involves various techniques such as:
- scanning for open ports and services,
- attempting to bypass security controls,
- exploiting software vulnerabilities, and
- using social engineering tactics to gain access to sensitive information.

Areas to Test
- Application security
- Denial of Service (DoS)
- War dialing
- Wireless penetration
- Social engineering
- Private Branch Exchange (PBX) and Internet Protocol (IP) telephony

Penetration Testing Methods
- Attack perspectives
  - External
  - Internal

Penetration Testing Methods
- Attack strategies (very important)
  - Zero-knowledge
  - Partial-knowledge
  - Full-knowledge
  - Targeted
  - Double-blind
Penetration Testing Methods Zero-knowledge: In this strategy, the tester has no prior knowledge of the target system or environment. The tester starts with no information and must gather all necessary information during the testing process. This approach simulates a real-world scenario where an attacker has no prior knowledge of the target.
Penetration Testing Methods Partial-knowledge: In this strategy, the tester has some prior knowledge of the target system or environment. This knowledge can include information such as the IP address, operating system, or applications used. The tester uses this information to guide the testing process.
Penetration Testing Methods Full-knowledge: In this strategy, the tester has complete knowledge of the target system or environment. This knowledge can include usernames, passwords, network diagrams, and other sensitive information. This approach simulates an attack by an insider or a skilled attacker who has already compromised the system.
Penetration Testing Methods Targeted: In this strategy, the tester focuses on a specific area or component of the target system, such as a web application or a database server. The tester has some prior knowledge of the target area and uses specialized tools and techniques to test the security of that area.
Penetration Testing Methods Double-blind: In this strategy, neither the tester nor the target system administrators have any prior knowledge of the testing. The tester is given a scope of work and must use their skills and knowledge to identify and exploit vulnerabilities without any guidance or assistance. This approach simulates a real-world scenario where an attacker has no prior knowledge of the target system and must identify vulnerabilities on their own.
Testing Steps
1. Discovery
2. Enumeration
3. Vulnerability mapping
4. Exploitation
Testing Steps Discovery: This stage involves gathering information about the target network or system. It may include activities such as port scanning, network mapping, and reconnaissance to identify potential attack vectors.
Testing Steps Enumeration: In this stage, the tester attempts to identify active hosts, open ports, and running services on the target network or system. This information can be used to identify vulnerabilities that can be exploited.
Testing Steps Vulnerability mapping: This stage involves identifying and mapping potential vulnerabilities in the target system or network. This can be done using automated tools or manual techniques and can include activities such as vulnerability scanning and penetration testing.
Testing Steps Exploitation: In this final stage, the tester attempts to exploit identified vulnerabilities to gain unauthorized access to the target system or network. This may involve using known exploits or developing custom exploits to take advantage of specific weaknesses in the target environment.
Testing Hazards and Reporting
- Hazards
  - Production interruption
  - Application abort
  - System crash
- Documentation
  - Identified vulnerabilities
  - Countermeasure effectiveness
  - Recommendations
  - KPI (Key Performance Indicators)