

Access Control Systems and Methodology

Access Control Measures

Preventive

Try to prevent attacks from occurring

Can be partially effective with Defence in Depth

Not always effective

Works with Deterrent measures

Examples
Physical: Fences, Guards, Alternate power source, Fire extinguishers, Badges, ID cards, Mantraps, Turnstiles, Limiting access to physical resources through the use of bollards, locks and alarms
Administrative: Policies and procedures, Security awareness training, Separation of duties, Security reviews and audits, Rotation of duties, Procedures for recruiting and terminating employees, Security clearances, Background checks, Alert supervision, Performance evaluations, Mandatory vacation time
Technical: Access control software such as firewalls and proxy servers, Anti-virus software, Passwords, Smart cards/biometrics/badge systems, Encryption, Dial-up callback systems, Audit trails, Intrusion detection systems (IDSs)

Firewalls, Packet Filtering, Decision based on IP address and port only, Does not track connection state, Very fast, Stateful, Knows whether an incoming packet is a response to an earlier outbound request, Packets that match no known connection are discarded, Proxy, Slower, No direct connection from external to internal: the proxy terminates the outside connection and opens its own to the inside

Network Vulnerability Scanner, Nessus, GFI LanGuard, ISS, NAI

Vulnerability Assessment, Scanning key servers, Looks for common known vulnerabilities

Penetration Tests, Simulates an attacker trying to break in, Finds weaknesses, Only as good as the attacker, Does not provide a comprehensive view, Usually done after a Vulnerability Assessment

Security Assessment, Comprehensive view of network security, Analyzes the entire network from inside, Creates a complete list of risks against critical assets


Detective

Assumes an attack is successful

Tries to detect AFTER an attack occurs

Time critical while an attack is occurring

Examples
Physical: Motion detectors, CCTV, Smoke detectors, Sensors, Alarms
Administrative: Audits, Regular performance reviews, Background investigations, Forcing users to take leave, Rotation of duties
Technical: Audits, Intrusion Detection Systems

Intrusion Detection Systems, Pattern Matching (signature-based), Anomaly Detection (baseline-based)


Deterrent, Discourages security violations (a form of Preventive control), Examples, Administrative: Acceptable Use agreements, Physical: Restricted Access signs, Technical: Logon banner, Warnings on web pages

Compensating, Provide alternatives to other controls

Corrective, Reacts to an attack and takes corrective action, for example data recovery

Recovery, Restores the operating state to normal after an attack or system failure

Areas of Application




Identity, Authentication, and Authorization

Identity and Authentication are not the same thing

Identity is who you say you are

Authentication is the process of verifying your Identity


Identification

User identity enables accountability

Positive Identification

Negative Identification

Weak in terms of enforcement


Authentication

Validates Identity

Involves stronger measure that


Usually requires a key piece of information only the user would know

User Acceptance needed for success

Must meet business requirements

Methods of Authentication

Something you know
Methodologies: User picked (often too simple), System generated, Single Sign On
Access control password files: /etc/passwd, /etc/shadow, NT SAM, Normally stored as hashes
Cracking: Attempt to guess passwords, Access to the password file greatly increases success (guessing is offline, with no lockout and no rate limit)
Attack types
Dictionary: Quickest and easiest, Not guaranteed to find all passwords, Relies on human factors, Tries every word in a wordlist for a match
Hybrid: Uses a dictionary in combination with brute force (mangling rules such as case changes and appended digits), John the Ripper
Brute force: Given enough time, brute force will always work, RainbowCrack (precomputed hash tables; defeated by per-user salts)
Negative: Users forget passwords, Easy to compromise, Users write passwords down, Easy for attackers to target (brute force, dictionary attack), Users tell others
Positive: Easiest to implement, Low cost

Something you have
Token: Token provides a password that changes on a regular basis, More expensive to implement (each user needs a token, plus additional software and equipment), Users can lose tokens

Something you are (Biometrics)
Types
Hand: Fingerprint (ridges and valleys, 30-70 points of reference), Hand geometry (one of the earliest commercially deployed automated biometrics)
Eye
Retina: Capillary patterns, Enrollment takes five scans (about 45 seconds) at 1/2" from the scanner, 320-400 points of reference stored in a 35-byte field, Certain people cannot enroll, Degenerative diseases exist that compromise data fidelity
Iris: 240 reference points, Enrollment uses a video camera at 3-10 in, Camera locates the eye and then the left and right edges of the iris, Approach is horizontal because of eyelid occlusion, Lower portion excluded because of moisture and reflection, Image captured and processed into a 512-byte record, Enrollment takes less than 20 seconds, Subsequent verifications at up to 40 in, Verification takes 1-2 seconds, System tests for a 'live' eye (pupil size fluctuation), Additional reading
Face: Thermograms, Photos, Facial feature identification (Detection: locate the face; Isolation: isolate the features of the face, leaving them in a rectangular binary mask; mask values compared against the database), Eigenfaces ("eigen" is German for "own" or "characteristic": eigenfaces are the eigenvectors of the covariance matrix of a set of face images, and a face is matched by its weights on them; also called eigen features or facial metrics)
Voice print
Mannerisms: Keystroke, Tread (gait), Handwriting
Positive: Hard to lose, Does not require the user to carry anything
Negative: Intrusive, Can cause privacy issues, Costly (each authenticating system needs hardware)
Key factors
Reliability: False Acceptance Rate (FAR), percentage of impostors falsely authorized; False Rejection Rate (FRR), percentage of legitimate users falsely rejected; Crossover Error Rate (CER), also called Equal Error Rate (EER), the rate at which FAR and FRR are equal (lower is better); For most deployments a higher FRR is preferable to a higher FAR: an annoyed user versus a breach
User acceptance: A high FRR will cause users to try to find ways around the system, Animosity; An intrusive enrollment causes animosity and resistance
Cost: Some of the technologies are still very expensive, Increases technical complexity, Adds to operational loads

Somewhere you are
Based on GPS, Costly (each system needs additional hardware), Works well with classified data and controlled access

Strong Authentication
Two Factor: Two different factor types used together (for example a password and a token, not two passwords)
Multi-Factor

Centralized Control
RADIUS: Remote Authentication Dial-In User Service, UDP based, RFC 2865 (authentication and authorization), RFC 2866 (accounting), An alternative to TACACS/TACACS+ (not its successor)
TACACS+: Terminal Access Controller Access Control System, TCP based, Cisco's successor to the original TACACS (RFC 1492)
Domains and Trusts: Windows security model, Domains, Groups, Users, Role-based model
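The dictionary, hybrid and brute-force attacks listed above, run in that order against a constructed password file, as an added example that is not part of the original mind map. The file format, user names, salts, passwords and wordlist are all invented for the demo, and the hash is a single SHA-256 round (real shadow files use deliberately slow crypt(3) formats) so that it finishes in seconds:

```python
import hashlib
import itertools
import string

# Constructed "shadow file" for this example (not a real format): each user has a
# random salt and sha256(salt + password). Real /etc/shadow entries use crypt(3)
# formats such as $6$ (sha512-crypt) or $y$ (yescrypt), which are deliberately
# slow; a single SHA-256 round is used here only so that the demo runs in seconds.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

SHADOW = {
    "alice": ("x7Qp", hash_password("x7Qp", "sunshine")),    # plain dictionary word
    "bob":   ("k2Lm", hash_password("k2Lm", "Dragon99")),    # word, capitalised, digits appended
    "carol": ("9aZz", hash_password("9aZz", "T9#kq!wL2p")),  # random, in no wordlist
}

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty", "welcome"]


def dictionary_attack(salt, target, words):
    """Try every wordlist entry unchanged."""
    for w in words:
        if hash_password(salt, w) == target:
            return w
    return None


def hybrid_attack(salt, target, words, max_digits=2):
    """Wordlist entries with common mangling rules: case changes and appended digits."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for n in range(max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    cand = base + "".join(digits)
                    if hash_password(salt, cand) == target:
                        return cand
    return None


def brute_force_attack(salt, target, alphabet, max_len):
    """Exhaustive search of all strings up to max_len over alphabet.

    Cost is sum(len(alphabet)**n for n in 1..max_len): 26 lowercase letters and
    4 positions is about 475k hashes, trivial; 95 printable characters and 10
    positions is about 6e19, which is why slow hashes and long random passwords
    defeat it in practice.
    """
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if hash_password(salt, cand) == target:
                return cand
    return None


def crack_all(shadow, words):
    """Run the attacks in order of cost, as a cracker would; returns {user: (password, method)}."""
    results = {}
    for user, (salt, target) in shadow.items():
        attempts = (
            ("dictionary", lambda: dictionary_attack(salt, target, words)),
            ("hybrid", lambda: hybrid_attack(salt, target, words)),
            ("brute force (lowercase, <=4 chars)",
             lambda: brute_force_attack(salt, target, string.ascii_lowercase, 4)),
        )
        results[user] = (None, "not cracked")
        for method, attack in attempts:
            found = attack()
            if found is not None:
                results[user] = (found, method)
                break
    return results


if __name__ == "__main__":
    for user, (pw, method) in crack_all(SHADOW, WORDLIST).items():
        print(f"{user:6s} {pw!r:14s} via {method}")
```

Because every entry carries its own salt, each guess has to be hashed once per user; without salts one pass over the wordlist (or a precomputed rainbow table) would cover every account at once. The random 10-character password survives only because the brute-force budget here is tiny; the real defence is the slow hash and the length, not the cleverness of the salt.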
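The FAR, FRR and crossover error rate from the biometrics "Key factors" node above, computed over constructed matcher scores, as an added example that is not part of the original mind map. The score lists are invented (a hypothetical fingerprint matcher producing 0-100 scores) and the function names are this example's own:

```python
# Constructed match scores (0-100, higher = better match) from a hypothetical
# fingerprint matcher. Genuine scores come from users matched against their own
# template, impostor scores from users matched against someone else's template.
# The two distributions overlap, which is what makes the threshold a trade-off.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 55, 48]
IMPOSTOR_SCORES = [62, 57, 52, 49, 45, 41, 38, 33, 29, 22]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: fraction of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: fraction of genuine attempts below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) for every integer threshold covering the score range."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(lo, hi + 2)]


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest, and the error rate there (CER/EER).

    A lower CER means the matcher separates genuine from impostor scores better;
    it is the usual single figure for comparing biometric systems.
    """
    t, a, r = min(error_curve(genuine, impostor),
                  key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (a + r) / 2


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold (least user friction) whose FAR does not exceed max_far.

    This is the security-first policy from the text: accept a higher FRR so that
    FAR stays within what the organisation will tolerate.
    """
    for t, a, r in error_curve(genuine, impostor):
        if a <= max_far:
            return t, a, r
    return None


if __name__ == "__main__":
    for t, a, r in error_curve():
        print(f"threshold {t:3d}  FAR {a:.1f}  FRR {r:.1f}")
    print("CER:", crossover_error_rate())
    print("threshold for FAR <= 0:", threshold_for_max_far(0.0))
```

With these scores the curves cross at threshold 56 with a 20% error rate either way; forcing FAR to zero pushes the threshold to 63, where one genuine user in five is rejected. That second number is the operational cost the "User acceptance" node warns about, and it should be measured on the real user population before a threshold is fixed.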

Protocols (originally designed for use with PPP)

Password Authentication Protocol (PAP): Sends the actual password in the clear, Vulnerable to replay attack (password sniffed off the network and resent to the server), Works with both passwords and hashes
PAP process: User enters password, Password sent unencrypted over the network to the PAP server, A hash can be sent instead of the password but is still vulnerable to replay

Challenge Handshake Authentication Protocol (CHAP): Password never traverses the network, Not vulnerable to simple replay because every challenge is a fresh random value (RFC 1994: response = MD5(ID || secret || challenge)), Server must hold the plaintext secret (or an equivalent) to compute the expected response
CHAP process: Client initiates communication with the server, Server sends a challenge to the client, User enters password, Client uses password and challenge to create a response, Client sends response to server, Server computes its own version of the valid response from the original challenge and the stored password, If the responses are identical the server grants access, Server periodically requests re-confirmation using the same sequence

Windows related
Win2K native mode is secure; Win2K in compatibility mode is weakened by LM, LM support needed for WinNT pre SP4, Windows 9x, Macintosh
LanManager (LM): Uses a hash to obfuscate the password, Passwords up to 14 characters are easily defeated (the password is uppercased and split into two 7-character halves that are hashed independently), RainbowCrack
NTLM and NTLMv2: Also use hashes, Vulnerable to DLL injection (code injected into lsass.exe dumps the stored hashes, including the weak LM format), Weak passwords can then be cracked offline, John the Ripper, L0phtCrack

Kerberos: Much more secure, Still some concerns, Now in use in Windows (default in Win2K, XP and Server 2003)
Features: Secret-key protocol and distributed service for third-party authentication, Kerberos KDC is a trusted intermediary similar to a RADIUS server, Confidentiality: symmetric encryption (originally DES in CBC mode; current implementations use AES), Integrity: cryptographic hash algorithms and keyed checksums, Authentication: login password (local), Non-repudiation: not provided, because the KDC shares every party's secret key, so knowledge of a password proves nothing to a third party
Process (Windows logon): Username and password entered and passed to the local security subsystem, Local security subsystem takes the domain name specified and uses DNS to locate a domain controller, When a domain controller is found the local security subsystem contacts the Kerberos service on it and requests a session ticket for the user (the Ticket-Granting Ticket, TGT), The TGT will be used by the user's computer to authenticate to the Kerberos service, Kerberos service contacts Active Directory to authenticate the user, Kerberos service also accesses a Global Catalog server to obtain the user's universal group memberships, After authentication the Kerberos server returns the requested ticket to the user's computer; it contains the user's SID and the SIDs of all groups the user belongs to and is used in all future negotiations with the Kerberos server, Local security subsystem sends a copy of the ticket to the Kerberos service on the domain controller and asks for another ticket to authenticate the user to the local PC's workstation service (the workstation session ticket), Kerberos service on the local PC authenticates the user with the new ticket, consulting AD and the Global Catalog, After authentication the PC's Kerberos service sends a copy of the ticket to the user's PC, Local security subsystem creates an access token from the user's SID and the group SIDs in the workstation session ticket and adds any local group memberships, local permissions and local access rights, Local security subsystem creates the environment or process and attaches the token; this is the authenticating token used to verify access requests
Strengths: Mutual authentication, Ticket-Granting Ticket (TGT), Temporal limits on tickets: a timestamp too far from the current time can indicate a spoofed or replayed ticket (so clocks must be synchronized), KDC and tickets must be protected from attack
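The PAP and CHAP exchanges described above, simulated end to end with an eavesdropper replaying what it captured, as an added example that is not part of the original mind map. The credential store, user name and class names are this example's own; the CHAP response computation follows RFC 1994 (MD5 over the identifier, secret and challenge):

```python
import hashlib
import hmac
import os

# Constructed credential store. CHAP (RFC 1994) requires the server to hold the
# plaintext secret (or an equivalent it can feed to the hash), which is the price
# paid for never sending the secret itself.
SECRETS = {"alice": b"correct horse battery staple"}


# --- PAP: the password is the credential on the wire, so any capture is a replay ---
def pap_client(user, password):
    return {"user": user, "password": password}


def pap_server(msg):
    return hmac.compare_digest(SECRETS.get(msg["user"], b""), msg["password"])


# --- CHAP: prove knowledge of the secret against a fresh, single-use challenge ------
def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5 over the one-octet identifier, the secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    def __init__(self):
        self.outstanding = {}  # user -> (identifier, challenge) not yet answered
        self.ident = 0

    def challenge(self, user):
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)  # fresh random value every time
        self.outstanding[user] = (self.ident, chal)
        return self.ident, chal

    def verify(self, user, ident, response):
        entry = self.outstanding.pop(user, None)  # each challenge is answerable once
        if entry is None or entry[0] != ident:
            return False
        expected = chap_response(ident, SECRETS[user], entry[1])
        return hmac.compare_digest(expected, response)


def chap_client(user, password, ident, challenge):
    return {"user": user, "id": ident, "response": chap_response(ident, password, challenge)}


def demo():
    """An eavesdropper captures one legitimate exchange of each protocol and replays it."""
    results = {}

    captured = pap_client("alice", SECRETS["alice"])
    results["pap_first"] = pap_server(captured)
    results["pap_replay"] = pap_server(captured)  # identical bytes, accepted again

    srv = ChapServer()
    ident, chal = srv.challenge("alice")
    captured = chap_client("alice", SECRETS["alice"], ident, chal)
    results["chap_first"] = srv.verify("alice", captured["id"], captured["response"])
    # Replay 1: resend without the server having issued a new challenge.
    results["chap_replay_same"] = srv.verify("alice", captured["id"], captured["response"])
    # Replay 2: server issued a fresh challenge; the old response is for the wrong nonce.
    srv.challenge("alice")
    results["chap_replay_new"] = srv.verify("alice", captured["id"], captured["response"])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {'accepted' if v else 'rejected'}")
```

The two things that make the CHAP replay fail are both in `verify`: the challenge is popped so it can never be answered twice, and the response is bound to a challenge the attacker cannot predict. Neither property helps against an attacker who obtains the server's secret store, which is why the text's remark that the server keeps the password applies to CHAP and not to PAP-with-hashes.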


Authorization

What a subject can do once authenticated

Most systems do a poor job

Tied closely to the Principle of Least Privilege (POLP)


Application threats

Buffer overflows

Covert channel, Timing channel, Storage channel

Data remanence

Dumpster diving





Internal intruders

Loss of processing capability

Malicious code

Masquerading/man-in-the-middle attacks

Mobile code

Object reuse

Password crackers

Physical access


Shoulder surfing


Social engineering



Targeted data mining



Transmission Threats

Passive attacks, involve monitoring or eavesdropping on transmissions.

Active attacks, involve some modification of the data transmission or the creation of a false transmission.

Denial-of-Service (DoS), An attack on availability: the service is crashed, hung or exhausted so that legitimate users cannot use it, either by sending malformed data that confuses the server software or by sending more traffic than it can handle, Examples, E-mail spamming, Distributed Denial-of-Service, Ping of Death, Smurf, SYN Flooding, Backhoe transmission loss (a backhoe cuts the cabling carrying the transmission links), Smart pipes provide damage detection information: if a cable is damaged, the smart pipe can determine the type of damage and its physical position and transmit a damage-detection notification

Distributed Denial-of-Service (DDoS), Requires the attacker to control many compromised hosts, which overload the target with packets until it crashes or can no longer serve legitimate requests, A zombie is a computer infected with a daemon/system agent without the owner's knowledge and subsequently controlled by the attacker, Clients: TFN2K, Fixes

Ping of Death, Fixes

Smurfing, Fixes

SYN Flooding, Fixes

Malicious Code Threats



Trojan Horse

Logic Bomb

Fixes, Antivirus, Awareness

Password Threats

An unauthorized user attempts to steal the file that contains the list of passwords (normally their hashes) so they can be cracked offline.

Users may create weak passwords that are easily guessed.

Social engineering can be used to obtain passwords

Sniffers can be used to intercept a copy of the password as it travels from the client to the authentication mechanism.

Trojan horse code can be installed on a workstation to present a fake login window to the user and capture what is typed.

Hardware or software keyboard intercepts (keyloggers) can be used to record all data typed on the keyboard.

Top Level


Access Controls

Discretionary Access Control

Mandatory Access Control


Methods of Attack

Malicious Code, Virus, Worm, Trojan, Logic Bomb, Trap Doors

Denial of Service, Resource Exhaustion, Fork Bomb, Flooding, SYN Flood, Spamming

Cramming, Buffer Overflow, Stack Smashing, Specially crafted URLs

Brute Force

Remote Maintenance

TOC/TOU, Time of Check, Time of Use, Exploits time-based vulnerabilities (the state checked is changed before it is used)

Interrupts, Faultline Attacks, Exploits hardware vulnerabilities (fault injection)

Code alteration, Rootkits, When someone has altered your code

Inference, Learning something through analysis, Traffic analysis

Browsing, Sifting through large volumes of data for information


Controlling who can do what

Access Controls protect CIA

Access Controls reduce Risk

Threats to Access Control

User distrust of biometrics, Order of acceptance (most accepted to least accepted): Voice pattern, Keystroke pattern, Signature, Hand geometry, Hand print, Fingerprint, Iris, Retina pattern

Misuse of privilege

Poor administration knowledge

Current Practices

Implement MAC if possible

Use third party tools for RBAC on NDS and AD

Layered defences



Systems and Methodologies

Mandatory (MAC)

All data has classification

All users have clearances

All clearances centrally controlled and cannot be overridden, Users cannot change security attributes at request

Subjects can only access objects if they have the right access level (clearance)

Also known as Lattice Based Access Control (LBAC)

Examples of MAC, Linux (RSBAC, Adamantix project, SELinux from the NSA, LIDS), eTrust CA-ACF2, Multics-based Honeywell SCOMP, Pump, Purple Penelope

Strengths, Controlled by system and cannot be overridden, Not subject to user error, Enforces strict controls on multi security systems, Helps prevent information leakage

Weaknesses, Protects only information in Digital Form, Assumes following:, Trusted users/administrators, Proper clearances have been applied to subjects, Users do not share accounts or access, Proper physical security is in place

Discretionary (DAC)

User can manage, Owners can change security attributes

Administrators can determine access to objects

Examples of DAC, Windows NT 4.0, Most *NIX versions, Win2K can be included when the context is limited to files and folders

Strengths, Convenient, Flexible, Gives users control, Ownership concept, Simple to understand, Software Personification

Weaknesses, No distinction between users and programs, Processes are user surrogates and can run arbitrary code, Processes can change access control attributes, DAC generally assumes a benign software environment, Subject to arbitrary user discretion, Higher possibility of unintended results, Open to malicious software, Errors can lead to great escalation of privilege, No protection against even "trusted" user error


Role based (RBAC)

Assigns users to roles or groups based on organizational functions

Groups given authorization to certain data

Centralized Authority

Database Management

Based on Capabilities

Access rights established for each role

Examples of RBAC, Database functionality, Adjusting the schema, Default Sorting Order, Ability to Query (Select), Microsoft Roles, Data Reader, Data Writer, DENY Data Reader, DENY Data Writer

Rule Set Based (RSBAC)

Actions based on Subjects, operating on Objects

Based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula

List Based (Access Control Lists, ACLs)

Associates a list of users and their privileges with each object

Each object has a list of default privileges for unlisted users

Token Based (capabilities)

Associates a list of objects and their privileges with each user (a capability list)

Opposite of List Based

New Implementations

Context Based Access Control (CBAC), XML data restrictions, Quotas, Preceding actions

Privacy Aware RBAC (PARBAC)

Terms and Principles

Data owner



Data custodian



Server Admin

Network Admin

System Admin

Least Privilege

Access control needs good administration

Availability versus security, Most Secure = No Access

What are the business needs

Reduce the misuse of Privilege

Centralized Control

Decentralized Control

Separation of Duties

Break jobs into multiple segments

More critical the job the more segmentation

Rotation of Duties

Rotate persons through roles

Prevent over familiarization with roles

Forced Leaves, Helps detect fraud

Access Control Model Terminology

Subjects (Active), Users, Processes

Objects (Passive), Files, Directories, pipes, devices, sockets, ports

Rules (Filters), UNIX, Read, Write, Execute, Windows NT4, Read, Write, Execute, No Access

Labels (Sensitivity), Users/Subjects = Clearances, Data objects = Classifications, In addition to rules, Can be used to group Objects, Can be used to group Subjects

Interaction, Subject assigned Security Attributes, Objects assigned security attributes, Rules = Attributes, Rules evaluated in Security Reference Monitor to allow or disallow interaction, Interaction dictated by policy, What are the business rules?, How are the rules enforced?

Types of Access Control Systems for File Systems, Mandatory, Discretionary, Role Based, Must use a Reference Monitor, Ensures interactions between Subjects and Objects are mediated by a mechanism that is: Verifiable (small enough to analyze), Tamper-proof, Always invoked (cannot be bypassed)


Hackers who play tricks on others but do not intend to inflict any long-lasting harm.


Access Management

Account Administration, Most important step, Verifies individual before providing access, Good time for orientation/training

Maintenance, Review Account data, Update periodically

Monitoring, Logging, Review

Revocation, Prompt revocation

Access Control Modes

Information Flow
Manages access by evaluating the system as a whole, Emphasizes "garbage in, garbage out", Closely related to the Lattice model, Assigned classes dictate whether an object being accessed by a subject can flow into another class
Defined: A type of dependency that relates two versions of the same object, and thus the transformation of one state into another, at successive points in time
The tuple (subject, object, operation) relates it to the access models
In the lattice model one security class is given to each entity in the system; a flow relation among the security classes is defined to denote that information in one class (s1) can flow into another class (s2)
In the mandatory model the access rule (s, o, t) is specified so that the flow relation between the subject (s) and the object (o) holds; read and write are the only operations (t) considered
In the role-based model a role is defined as a set of operations on objects; the role represents a function or job in the application, and the access rule binds a subject to roles

State Machine, Example: Authentication, Unauthenticated, Authentication Pending, Authenticated, Authorization Pending, Authorized, Captures the state of a system at a given point of time, Monitors changes introduced after the initial state, By chronology, By Event

Covert Channels, Information flows from a higher classification to a lower one over a path not intended for communication, Can be introduced deliberately, Cannot be eliminated entirely, only limited (reduce the channel's bandwidth, audit its use), Uses normal system resources to signal information (shared state for a storage channel, observable delays for a timing channel), Additional reading: SANS Reading Room

Non-Interference, Actions of subjects at a higher level must have no observable effect on what subjects at a lower level see, so a low-level observer cannot infer high-level inputs from the outputs available to it, Each input processing path should be independent, with no internal relationships that leak across levels

Access Control Models


Lattice

Deals with Information Flow

Formalizes network security models

Shows how information can or cannot flow

Drawn as a graph with directed arrows

Properties of a Lattice, A set of elements, A partial Ordering relation, The property that any two elements must have unique least upper bound and greatest lower bound

Confidentiality: Bell-LaPadula

Deals with confidentiality

Two key properties, No Read Up (Simple Security Property), No Write Down (*-Property, "star property"), Prevents write-down trojans from declassifying data

Also: Strong *-Property, No read down, No write up, Can only act on objects at its own single level

Tranquility Properties, Weak Tranquility: security labels of subjects never change in such a way as to violate the defined security policy, Strong Tranquility: labels never change during system operation

Integrity: Biba

Deals with integrity

Opposite of BLP, No read down, No write up

Two key properties, Simple Integrity Property: a subject cannot read data of a lower integrity level than its own (no read down), *-Integrity Property: a subject cannot write data to a higher integrity level than its own (no write up)

Published by Kenneth J. Biba in 1977
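The lattice properties from the Lattice node and the Bell-LaPadula and Biba rules above, implemented as a small reference monitor, as an added example that is not part of the original mind map. The level names, compartments and function names are this example's own; the rules are the simple and star properties as the text states them:

```python
from dataclasses import dataclass

# Constructed example: a four-level hierarchy plus compartments ("categories").
# Labels form a lattice: (level, categories) is ordered by level and by set inclusion.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        """The lattice's partial order: self >= other iff its level is at least as
        high AND its category set contains the other's. Labels with disjoint
        categories are incomparable, so neither dominates the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def lub(a, b):
    """Least upper bound: the lowest label dominating both (the label for data
    derived from two sources)."""
    return Label(LEVEL_NAMES[max(LEVELS[a.level], LEVELS[b.level])],
                 a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the highest label that both dominate."""
    return Label(LEVEL_NAMES[min(LEVELS[a.level], LEVELS[b.level])],
                 a.categories & b.categories)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): labels are clearances and classifications."""
    if op == "read":   # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":  # *-property: no write down
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def blp_strong_star_allows(subject, obj, op):
    """Strong *-property variant: read and write only at exactly the subject's own label."""
    return op in ("read", "write") and subject == obj


def biba_allows(subject, obj, op):
    """Biba (integrity): the same lattice read as integrity levels; the rules are the
    mirror image of BLP so that low-integrity data never flows upward."""
    if op == "read":   # simple integrity property: no read down
        return obj.dominates(subject)
    if op == "write":  # *-integrity property: no write up
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    s = Label("secret", frozenset({"crypto"}))
    cases = [("low", Label("confidential", frozenset())),
             ("high", Label("top secret", frozenset({"crypto"}))),
             ("incomparable", Label("secret", frozenset({"nuclear"})))]
    for name, o in cases:
        for op in ("read", "write"):
            print(f"{name:12s} {op:5s} BLP={blp_allows(s, o, op)!s:5s} "
                  f"Biba={biba_allows(s, o, op)}")
```

The "incomparable" case is the one worth studying: a secret/{crypto} subject can neither read nor write a secret/{nuclear} object under either model, because the partial order says nothing about the pair. Real systems with both confidentiality and integrity labels evaluate BLP and Biba on separate lattices and allow an access only when both say yes.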

Commercial: Clark-Wilson

Deals with Integrity

Adapted for Commercial use

Two Properties, Internal Consistency, Properties of the internal state of the system, External Consistency, Relation of the internal state of a system to the outside world

Separation of Duties

Rules, Integrity Monitoring (certification rules), Notions: Constrained data items (CDIs) are consistent, Transformation procedures (TPs) act validly, Duties are separated, Accesses are logged, Unconstrained data items (UDIs) are validated before they become CDIs, Integrity Preserving (enforcement rules): How the integrity of constrained items is maintained, Subjects' identities are authenticated, Triples are carefully maintained, Transformation procedures executed serially and not in parallel

Triples, (subject, transformation procedure, constrained data item), also written (user, program, object)