
Covered topics include:
- Identification methods and technologies
- Authentication methods, models, and technologies
- Discretionary, mandatory, and non-discretionary models
- Emanation security and technologies
- Intrusion detection systems
- Possible threats to access control practices and technologies
Security Principles
- Availability - Recovery mechanisms and fault tolerance are put into place to ensure the continued availability of resources.
- Integrity - When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion.
- Confidentiality - The assurance that information is not disclosed to unauthorized subjects.
Identity Management
- Various types of users need different levels of access
- Resources have different classification levels
- Diverse identity data must be kept on different types of users
- The corporate environment is continually changing
Biometrics - verifies an individual's identity by analyzing a unique personal attribute or behavior. This is one of the most effective and accurate methods of verifying identity; however, it is much more expensive and complex to implement than other methods. A Type I error is when a biometric system rejects an individual who should be accepted. Worse is a Type II error, where the system accepts an impostor who should have been rejected.
Types of biometric identification methods include fingerprint, palm scan, hand geometry, retina scan, iris scan, signature dynamics, keyboard dynamics, voice print, facial scan, and hand topography.
More information can be found here: The Biometric Consortium
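The Type I / Type II trade-off above is set by the matcher's decision threshold. The following is an added worked example (not part of these notes, and not real sensor output): it takes constructed similarity scores for genuine users and impostors, computes the false rejection rate (Type I) and false acceptance rate (Type II) at several thresholds, and finds the crossover point where the two rates meet, which is the usual figure of merit quoted for a biometric system.

```python
# Added example (not from the original notes): how a biometric matcher's
# decision threshold trades Type I errors (false rejections of genuine users)
# against Type II errors (false acceptances of impostors).
# The scores below are constructed sample data, not output of a real sensor.

# Constructed similarity scores in [0, 1]; higher means "more like the enrolled template".
GENUINE_SCORES = [0.91, 0.87, 0.78, 0.83, 0.69, 0.95, 0.74, 0.88, 0.61, 0.80]
IMPOSTOR_SCORES = [0.22, 0.35, 0.48, 0.57, 0.30, 0.66, 0.41, 0.25, 0.52, 0.38]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for the rule "accept if score >= threshold".

    FRR (false rejection rate) is the Type I error rate: genuine users rejected.
    FAR (false acceptance rate) is the Type II error rate: impostors accepted.
    """
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def crossover_threshold():
    """Sweep thresholds in steps of 0.01 and return (threshold, FRR, FAR) at the
    point where the two error rates are closest (the crossover error rate)."""
    best = None
    for i in range(101):
        t = i / 100                      # exact decimal steps, no float drift
        frr, far = error_rates(t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        frr, far = error_rates(t)
        print(f"threshold={t:.2f}  Type I (FRR)={frr:.0%}  Type II (FAR)={far:.0%}")
    print("crossover (threshold, FRR, FAR):", crossover_threshold())
```

Raising the threshold drives the Type II rate down at the cost of more Type I rejections; the notes' point that Type II is the worse error is why deployments are usually tuned to the right of the crossover.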
Other types of authentication methods that are less expensive and less complex to implement include: passwords, password management, password checkers, password hashing and encryption, password aging, limiting logon attempts, cognitive passwords, and one-time passwords.
If an attacker is after a password, he or she can use these techniques, among others:
Electronic monitoring - listening to network traffic to capture information
Access the password file - usually done on the authentication server
Brute force attacks - performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password
Dictionary attacks - files of thousands of words are used to compare to the user's password until a match is found
Social engineering - an attacker falsely convinces an individual that he or she has the necessary authorization to access specific resources
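The password-management items listed above (password checker, hashing, aging, limited logon attempts) fit together in one small model. This is an added example, not code from these notes; the account class, the tiny dictionary, and the limits are all constructed for illustration. The checker rejects what a dictionary attack would find first, PBKDF2 with a random salt makes a stolen password file slow to attack, and the lockout counter is what stops an online brute force attempt.

```python
# Added example (not from the original notes): a self-contained model of the
# password defenses listed in the notes: a proactive password checker, salted
# iterated hashing, password aging, and a logon-attempt limit. The dictionary,
# limits and account names are constructed for illustration.
import hashlib
import hmac
import os
import time

# Constructed mini-dictionary; a real checker uses large wordlists.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "summer"}
PBKDF2_ROUNDS = 100_000
MAX_ATTEMPTS = 5
MAX_AGE_SECONDS = 90 * 24 * 3600


def password_checker(candidate):
    """Proactive check: reject what a dictionary attack would find quickly.
    Returns None if acceptable, otherwise the reason for rejection."""
    if len(candidate) < 12:
        return "too short"
    lowered = candidate.lower()
    # Strip trailing digits/symbols so 'Welcome12345!' still matches 'welcome'.
    stem = lowered.rstrip("0123456789!@#$%^&*")
    if lowered in DICTIONARY or stem in DICTIONARY:
        return "dictionary word"
    return None


def hash_password(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, username, password, now=None):
        reason = password_checker(password)
        if reason:
            raise ValueError(f"rejected password: {reason}")
        self.username = username
        self.salt, self.digest = hash_password(password)   # only the hash is stored
        self.set_at = now if now is not None else time.time()
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, now=None):
        """Password aging: force rotation after MAX_AGE_SECONDS."""
        now = now if now is not None else time.time()
        return now - self.set_at > MAX_AGE_SECONDS

    def login(self, password, now=None):
        """Returns one of 'ok', 'locked', 'expired', 'bad password'."""
        if self.locked:
            return "locked"
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):   # constant-time compare
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.locked = True   # limit logon attempts: online guessing stops here
            return "bad password"
        self.failed_attempts = 0
        if self.password_expired(now):
            return "expired"
        return "ok"
```

The `now` parameter exists only so the aging rule can be exercised deterministically; in production the clock is read directly.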
Token Device - or password generator, is usually a handheld device that has an LCD display and possibly a keypad.
Synchronous - a synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.
Asynchronous - a token that uses an asynchronous token-generation method uses a challenge/response scheme to authenticate the user.
Example: RSA SecurID
Other authentication methods: cryptographic keys, passphrases, memory cards, smart cards.
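Both token types can be modelled in a few lines. The following is an added example, not code from these notes or from any token vendor: the synchronous token derives a one-time code from a shared secret and the current 30-second time step (the RFC 6238 TOTP construction, with RFC 4226 HOTP underneath), and the asynchronous token answers a random challenge issued by the server. The secret, clock values and drift window are constructed.

```python
# Added example (not from the original notes): software models of the two
# token types. The synchronous token uses time as its counter (RFC 6238 TOTP
# over RFC 4226 HOTP); the asynchronous token signs a server-issued nonce.
# Secret, clock values and window are constructed for illustration.
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30
WINDOW = 1  # accept one time step of clock drift either side


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """Synchronous token: the time step is the counter, so token and server
    agree on the code only while their clocks agree."""
    return hotp(secret, now // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Server side: accept codes for the current step and +/- WINDOW steps."""
    step = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-WINDOW, WINDOW + 1))


class ChallengeResponseServer:
    """Asynchronous token: the server sends a nonce, the token computes a MAC over it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                    # unknown or already-used challenge
        self.outstanding.discard(nonce)     # each challenge is single-use
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(secret: bytes, nonce: bytes) -> bytes:
    """What the handheld token computes when the user keys in the challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```

The test vectors from RFC 4226 (secret `12345678901234567890`, counters 0 and 1) and RFC 6238 (time 59 s) can be used to confirm the HOTP/TOTP half; the single-use set in the server is what stops a captured response from being replayed.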
Kerberos:

"This is a great name for a security technology that provides authentication functionality, with the purpose of protecting a company's assets. Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT's Project Athena. It works in a client/server model and is based on symmetric key cryptography."
Key Distribution Center (KDC) holds all users' and services' secret keys. It provides the authentication service as well as key distribution functionality.
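A toy version of the exchange shows why the KDC has to hold every principal's key: it seals the ticket-granting ticket for itself, the session key for the user, and the service ticket for the service, and nobody else can open what was not sealed for them. This is an added example, not code from these notes or from any Kerberos implementation; the `seal`/`unseal` helpers are a standard-library stand-in (HMAC-derived keystream plus an HMAC tag) for Kerberos' real cipher suite, and the principals, keys, lifetimes and timestamps are constructed.

```python
# Added example (not from the original notes): a toy model of the Kerberos
# AS -> TGS -> service exchange around a KDC that holds every principal's key.
# seal/unseal are a stdlib-only stand-in for real symmetric encryption
# (encrypt-then-MAC with an HMAC keystream); principals and keys are constructed.
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600      # ticket lifetime in seconds
SKEW = 300               # allowed clock skew for authenticators


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC of a JSON object under a symmetric key."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key; acts as both AS and TGS."""

    def __init__(self, keys: dict):
        self.keys = keys                 # {principal name: long-term key}
        self.tgs_key = os.urandom(32)    # the TGS's own key; nobody else has it

    def as_exchange(self, user: str, now: int) -> bytes:
        """AS-REP: a TGT only the TGS can read, plus a session key, sealed for the user."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": session, "exp": now + LIFETIME})
        return seal(self.keys[user], {"tgs_key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REP: a service ticket the service can read, plus a new session key."""
        t = unseal(self.tgs_key, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["user"] != t["user"] or abs(now - auth["ts"]) > SKEW:
            raise PermissionError("authenticator mismatch or stale")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"user": t["user"], "key": svc_session, "exp": now + LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"svc_key": svc_session, "ticket": ticket.hex()})


def login_and_access(kdc, user, user_key, service, service_key, now):
    """Client walks AS -> TGS -> service; returns the name the service accepted."""
    rep = unseal(user_key, kdc.as_exchange(user, now))
    tgs_session = bytes.fromhex(rep["tgs_key"])
    authenticator = seal(tgs_session, {"user": user, "ts": now})
    rep2 = unseal(tgs_session,
                  kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), authenticator, service, now))
    svc_session = bytes.fromhex(rep2["svc_key"])
    authenticator2 = seal(svc_session, {"user": user, "ts": now})
    # Service side: it never talks to the KDC; its own key opens the ticket,
    # and the session key inside the ticket opens the client's authenticator.
    ticket = unseal(service_key, bytes.fromhex(rep2["ticket"]))
    auth2 = unseal(bytes.fromhex(ticket["key"]), authenticator2)
    if auth2["user"] != ticket["user"] or now > ticket["exp"]:
        return "rejected"
    return ticket["user"]
```

Note that the service validates the ticket offline: it trusts the KDC because only the KDC knows the service's key, which is exactly why that key store is the crown jewel of the realm.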
Sesame
The Secure European System for Application in a Multi-vendor Environment project is a single sign-on technology that was created to expand Kerberos functionality.
Discretionary Access Control (DAC) - enables the owner of the resource to specify which subjects can access specific resources.
Mandatory Access Control (MAC) - users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes.
Role-Based Access Control (RBAC) or Nondiscretionary access control - uses a centrally administered set of controls to determine how subjects and objects interact.
Access Control Techniques:
- Access control matrix
- ACL
- Capability table
- Content-based access
- Context-based access
- Restricted interface
- Rule-based
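The three models and the first three techniques can be shown side by side on one small example. This is an added example, not code from these notes: one access control matrix viewed as ACLs (per object) and capability tables (per subject), a DAC rule where only the owner may grant rights, a MAC rule where the system compares labels and ignores the owner's wishes, and an RBAC rule where permissions belong to roles. The subjects, objects, labels and roles are constructed.

```python
# Added example (not from the original notes): DAC, MAC and RBAC decisions over
# one constructed access control matrix, with ACL and capability-table views.

# --- Access control matrix: rows are subjects, columns are objects -----------
MATRIX = {
    "alice": {"payroll.xls": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
    "carol": {},
}
OWNERS = {"payroll.xls": "alice", "memo.txt": "bob"}


def acl(obj):
    """Column view (ACL): which subjects may do what to this object."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}


def capability_table(subject):
    """Row view (capability table): what this subject may do to each object."""
    return dict(MATRIX[subject])


def dac_allows(subject, obj, right):
    return right in MATRIX.get(subject, {}).get(obj, set())


def dac_grant(granter, subject, obj, right):
    """Discretionary: only the owner of the resource may hand out rights."""
    if OWNERS.get(obj) != granter:
        return False
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True


# --- Mandatory: labels decided by the system, not the owner -----------------
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential", "carol": "top_secret"}
CLASSIFICATION = {"payroll.xls": "secret", "memo.txt": "public", "plans.doc": "top_secret"}


def mac_allows(subject, obj, right):
    """No read up, no write down (the Bell-LaPadula rules). MATRIX and OWNERS
    play no part here: the operating system decides from the labels alone."""
    clr, cls = LEVELS[CLEARANCE[subject]], LEVELS[CLASSIFICATION[obj]]
    if right == "read":
        return clr >= cls
    if right == "write":
        return clr <= cls
    return False


# --- Role-based: permissions attach to roles, subjects are assigned roles ---
ROLE_PERMS = {
    "hr": {("payroll.xls", "read"), ("payroll.xls", "write")},
    "staff": {("memo.txt", "read")},
}
SUBJECT_ROLES = {"alice": {"hr", "staff"}, "bob": {"staff"}, "carol": set()}


def rbac_allows(subject, obj, right):
    return any((obj, right) in ROLE_PERMS[r] for r in SUBJECT_ROLES.get(subject, ()))
```

The same request can be answered differently by the three models: under DAC bob can read payroll.xls only if alice grants it, under MAC he never can because his clearance does not dominate the file's label, and under RBAC the answer depends only on whether one of his roles carries that permission.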
RADIUS (Remote Authentication Dial-In User Service) is a client/server authentication protocol that authenticates and authorizes remote users.
TACACS (Terminal Access Controller Access Control System) combines its authentication and authorization processes, XTACACS separates the authentication, authorization, and auditing processes, and TACACS+ is XTACACS with extended two-factor user authentication.
Decentralized Access Control Administration gives control of access to the people closer to the resources - the people who may better understand who should not have access to certain files, data, and resources.
Intrusion Detection Systems (IDS), unlike firewalls, are designed to detect a security breach.
Other detection systems include: Knowledge- or Signature-Based IDS, Statistical Anomaly-Based IDS, Protocol Anomaly-Based IDS, Traffic Anomaly-Based IDS, Rule-Based IDS, State-Based IDS, and Model-Based IDS.
Intrusion Prevention Systems (IPS) - the traditional IDS only sends an alert when something bad is taking place, while the goal of an IPS is to detect this activity and not allow the traffic to reach the target in the first place.
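The difference between a knowledge-based and a statistical anomaly-based detector is easiest to see on the same input. The following is an added example, not code from these notes or from any IDS product: a signature rule that matches known-bad request content, and an anomaly rule that flags any source whose request rate sits well above a baseline learned from a constructed "normal" day. The log lines, signatures and threshold are all constructed for illustration.

```python
# Added example (not from the original notes): a signature-based and a
# statistical anomaly-based detector run over constructed web-server log lines.
import re
from collections import Counter

# Constructed access-log lines (fields: src_ip method path status).
LOG_LINES = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /about.html 200
10.0.0.5 GET /login 200
10.0.0.9 GET /search?q=../../etc/passwd 404
10.0.0.7 POST /login 302
10.0.0.12 GET /login 401
10.0.0.12 GET /login 401
10.0.0.12 GET /login 401
10.0.0.12 GET /login 401
10.0.0.12 GET /login 401
10.0.0.12 GET /login 401
10.0.0.5 GET /logout 200
""".splitlines()

# Constructed "normal day" used to learn the per-source request baseline.
BASELINE_LINES = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /login 200
10.0.0.5 GET /logout 200
10.0.0.7 GET /about.html 200
10.0.0.7 POST /login 302
10.0.0.9 GET /index.html 200
""".splitlines()

# Knowledge-based: patterns of known attack content (kept tiny on purpose).
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_probe": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}


def parse(line):
    src, method, path, status = line.split()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(lines):
    """Knowledge-based IDS: (line, signature name) for each known-bad match.
    It can only flag what it has a signature for."""
    alerts = []
    for line in lines:
        path = parse(line)["path"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((line, name))
    return alerts


def anomaly_alerts(lines, baseline_lines, sigma=3.0):
    """Statistical anomaly IDS: flag sources whose request count exceeds the
    baseline mean by more than `sigma` standard deviations. It needs no
    signature, but it also cannot say *what* the source is doing."""
    base = Counter(parse(l)["src"] for l in baseline_lines)
    counts = list(base.values()) or [0]
    mean = sum(counts) / len(counts)
    std = (sum((c - mean) ** 2 for c in counts) / len(counts)) ** 0.5
    threshold = mean + sigma * max(std, 1.0)   # floor avoids alerts on tiny variance
    observed = Counter(parse(l)["src"] for l in lines)
    return {src: n for src, n in observed.items() if n > threshold}


if __name__ == "__main__":
    for line, name in signature_alerts(LOG_LINES):
        print(f"SIGNATURE {name}: {line}")
    for src, n in anomaly_alerts(LOG_LINES, BASELINE_LINES).items():
        print(f"ANOMALY {src}: {n} requests against a baseline mean of ~2")
```

On this input the two detectors flag different things: the signature rule catches the traversal probe on one line, and the anomaly rule catches the burst of failed logins from 10.0.0.12 that no signature describes. Tuning `sigma` moves the anomaly detector between missed bursts and false alarms in the same way the biometric threshold moved Type I against Type II errors.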
Threats to Access Control
Dictionary Attacks and Brute Force Attacks