Access Control Systems and Methodology

This Mind Map covers the Application and Systems Development domain on the Common Body of Knowledge (CBK). This domain addresses the important security concepts that apply to application software development. It outlines the environment where software is designed and developed and explains the critical role software plays in providing information system security.


1. Access Control Measures

1.1. Preventive

1.1.1. Tries to prevent attacks from occurring

1.1.2. Can be partially effective with Defence in Depth

1.1.3. Not always effective

1.1.4. Works with Deterrent measures

1.1.5. Examples

1.1.5.1. Physical: Fences; Guards; Alternate power source; Fire extinguisher; Badges, ID cards; Mantraps; Turnstiles; Limiting access to physical resources through the use of bollards, locks, alarms, or

1.1.5.2. Administrative: Policies and procedures; Security awareness training; Separation of duties; Security reviews and audits; Rotation of duties; Procedures for recruiting and terminating employees; Security clearances; Background checks; Alert supervision; Performance evaluations; Mandatory vacation time

1.1.5.3. Technical: Access control software, such as firewalls, proxy servers; Anti-virus software; Passwords; Smart cards/biometrics/badge systems; Encryption; Dial-up callback systems; Audit trails; Intrusion detection systems (IDSs)

1.1.6. Firewalls

1.1.6.1. Packet filtering: Decision based on IP and port; Does not know state; Very fast

1.1.6.2. Stateful: Knows if incoming packet was; Unknown packets discarded

1.1.6.3. Proxy: Slow; Never a connection from

1.1.7. Network vulnerability scanners: Nessus; GFI LanGuard; ISS; NAI

1.1.8. Vulnerability Assessment: Scanning key servers; Looks for common known vulnerabilities

1.1.9. Penetration Tests: Simulates an attacker trying to break in; Finds weaknesses; Only as good as the attacker; Does not provide a comprehensive view; Usually done after a Vulnerability Assessment

1.1.10. Security Assessment: Comprehensive view of network security; Analyzes the entire network from inside; Creates a complete list of risks against critical assets

1.2. Detective

1.2.1. Assumes Attack is Successful

1.2.2. Tries to detect AFTER an attack occurs

1.2.3. Time critical while an attack is occurring

1.2.4. Examples

1.2.4.1. Physical: Motion detectors; CCTV; Smoke detectors; Sensors; Alarms

1.2.4.2. Administrative: Audits; Regular performance reviews; Background investigations; Force users to take leave; Rotation of duties

1.2.4.3. Technical: Audits; Intrusion Detection Systems

1.2.5. Intrusion Detection Systems: Pattern matching; Anomaly detection

1.3. Other

1.3.1. Deterrent: Discourages security violations (preventative). Examples: Administrative; Physical; Technical

1.3.2. Compensating: Provides alternatives to other controls

1.3.3. Corrective: Reacts to an attack and takes corrective action for data recovery

1.3.4. Recovery: Restores the operating state to normal after an attack or system failure

1.4. Areas of Application

1.4.1. Administrative

1.4.2. Physical

1.4.3. Technical

2. Identity, Authentication, and Authorization

2.1. Identity and Authentication are not the same thing

2.1.1. Identity is who you say you are

2.1.2. Authentication is the process of verifying your Identity

2.2. Identity

2.2.1. User Identity enables accountability

2.2.2. Positive Identification

2.2.3. Negative Identification

2.2.4. Weak in terms of enforcement

2.3. Authentication

2.3.1. Validates Identity

2.3.2. Involves stronger measures than identification

2.3.3. Usually requires a key piece of information only the user would know

2.3.4. User acceptance needed for success

2.3.5. Must meet business requirements

2.3.6. Methods of Authentication

2.3.6.1. Something you know; Something you have; Something you are (biometrics)

2.3.6.2. Somewhere you are: Based on GPS; Costly; Works well with

2.3.6.3. Strong Authentication: Two-factor; Multi-factor

2.3.6.4. Centralized Control: RADIUS; TACACS+; Domains and trusts

2.3.7. Protocols

2.3.7.1. Originally designed for use with PPP: Password Authentication Protocol (PAP); Challenge Handshake Authentication Protocol (CHAP)

2.3.7.2. Windows related: Win2K native is secure; Win2K in compatibility mode is weakened by LM; LM support needed for LanManager (LM); NTLM and NTLM2

2.3.7.3. Kerberos: Much more secure; Still some concerns; Now in use in Windows; Features; Process; Strengths

2.4. Authorization

2.4.1. What a subject can do once Authenticated

2.4.2. Most systems do a poor job

2.4.3. Tied closely to POLP

3. Threats

3.1. Application threats

3.1.1. Buffer overflows

3.1.2. Covert channel: Timing channel; Storage channel

3.1.3. Data remanence

3.1.4. Dumpster diving

3.1.5. Eavesdropping

3.1.6. Emanations

3.1.7. Hackers

3.1.8. Impersonation

3.1.9. Internal intruders

3.1.10. Loss of processing capability

3.1.11. Malicious code

3.1.12. Masquerading/man-in-the-middle attacks

3.1.13. Mobile code

3.1.14. Object reuse

3.1.15. Password crackers

3.1.16. Physical access

3.1.17. Replay

3.1.18. Shoulder surfing

3.1.19. Sniffers

3.1.20. Social engineering

3.1.21. Spoofing

3.1.22. Spying

3.1.23. Targeted data mining

3.1.24. Trapdoor

3.1.25. Tunneling

3.2. Transmission Threats

3.2.1. Passive attacks involve monitoring or eavesdropping on transmissions.

3.2.2. Active attacks involve some modification of the data transmission or the creation of a false transmission.

3.2.3. Denial-of-Service (DoS) occurs when invalid data is sent in such a way that it confuses the server software and causes it to crash.

3.2.3.1. Examples: E-mail spamming; Distributed Denial-of-Service; Ping of Death; Smurf; SYN flooding

3.2.3.2. Backhoe transmission loss: a backhoe cuts into the cabling system carrying transmission links. Smart pipes provide damage detection information: if a cable were damaged, the smart pipe would be able to determine the type of damage to the cable and the physical position of the damage, and transmit a damage detection notification.

3.2.4. Distributed Denial-of-Service (DDoS) requires the attacker to have many compromised hosts which overload a targeted server with packets until the server crashes.

3.2.4.1. A zombie is a computer infected with a daemon/system agent without the owner's knowledge and subsequently controlled by an attacker

3.2.4.2. Clients: TFN2K

3.2.4.3. Fixes

3.2.5. Ping of Death Fixes

3.2.6. Smurfing Fixes

3.2.7. SYN Flooding Fixes

3.3. Malicious Code Threats

3.3.1. Virus

3.3.2. Worms

3.3.3. Trojan Horse

3.3.4. Logic Bomb

3.3.5. Fixes: Antivirus; Awareness

3.4. Password Threats

3.4.1. An unauthorized user attempts to steal the file that contains a list of the passwords.

3.4.2. Users may create weak passwords that are easily guessed.

3.4.3. Social engineering can be used to obtain passwords

3.4.4. Sniffers can be used to intercept a copy of the password as it travels from the client to the authentication mechanism.

3.4.5. Trojan horse code can be installed on a workstation that will present an unauthorized login window to the user.

3.4.6. Hardware or software keyboard intercepts can be used to record all data typed into the keyboard

4. Top Level

4.1. Accountability

4.2. Access Controls

4.2.1. Discretionary Access Control

4.2.2. Mandatory Access Control

4.3. Lattices

4.4. Methods of Attack

4.4.1. Malicious Code: Virus; Worm; Trojan; Logic bomb; Trap doors

4.4.2. Denial of Service: Resource exhaustion; Fork bomb; Flooding; Spamming

4.4.3. Cramming: Buffer overflow; Stack smashing; Specifically crafted URLs

4.4.4. Brute Force

4.4.5. Remote Maintenance

4.4.6. TOC/TOU (Time of Check / Time of Use): Exploits time-based vulnerabilities

4.4.7. Interrupts: Faultline attacks; Exploits hardware vulnerabilities

4.4.8. Code alteration: Rootkits; When someone has altered your code

4.4.9. Inference: Learning something through analysis; Traffic analysis

4.4.10. Browsing: Sifting through large volumes of data for information

4.5. Overview

4.5.1. Controlling who can do what

4.5.2. Access Controls protect CIA

4.5.3. Access Controls reduce Risk

4.6. Threats to Access Control

4.6.1. User distrust of biometrics. Order of acceptance: Voice pattern; Keystroke pattern; Signature; Hand geometry; Hand print; Fingerprint; Iris; Retina pattern

4.6.2. Misuse of privilege

4.6.3. Poor administration knowledge

4.7. Current Practices

4.7.1. Implement MAC if possible

4.7.2. Use third party tools in RBAC for NDS and AD

4.7.3. Layered defences

4.7.4. Tokens

4.7.5. Biometrics

5. Systems and Methodologies

5.1. Mandatory (MAC)

5.1.1. All data has classification

5.1.2. All users have clearances

5.1.3. All clearances centrally controlled and cannot be overridden; users cannot change security attributes on request

5.1.4. Subjects can only access objects if they have the right access level (clearance)

5.1.5. Also known as Lattice Based Access Control (LBAC)

5.1.6. Examples of MAC: Linux (RSBAC, Adamantix Project, SE by NSA, LIDS); eTrust CA-ACF2; Multics-based: Honeywell SCOMP; Pump; Purple Penelope

5.1.7. Strengths: Controlled by the system and cannot be overridden; Not subject to user error; Enforces strict controls on multi-security systems; Helps prevent information leakage

5.1.8. Weaknesses: Protects only information in digital form; Assumes the following: trusted users/administrators, proper clearances have been applied to subjects, users do not share accounts or access, proper physical security is in place

5.2. Discretionary (DAC)

5.2.1. Users can manage; Owners can change security attributes

5.2.2. Administrators can determine access to objects

5.2.3. Examples of DAC: Windows NT 4.0; Most *NIX versions; Win2K can be included when context is limited to files and folders

5.2.4. Strengths: Convenient; Flexible; Gives users control; Ownership concept; Simple to understand; Software personification

5.2.5. Weaknesses: No distinction between users and programs; Processes are user surrogates; Processes can change access; DAC generally assumes a; Subject to the user's arbitrary discretion; Higher possibility of unintended results; Open to malicious software; Errors lead to possible great; No protection against even

5.3. Non-Discretionary

5.4. Role based (RBAC)

5.4.1. Assigns users to roles or groups based on organizational functions

5.4.2. Groups given authorization to certain data

5.4.3. Centralized Authority

5.4.4. Database Management

5.4.5. Based on Capabilities

5.4.6. Access rights established for each role

5.4.7. Examples of RBAC

5.4.7.1. Database functionality: Adjusting the schema; Default sorting order; Ability to query (SELECT)

5.4.7.2. Microsoft roles: Data Reader; Data Writer; DENY Data Reader; DENY Data Writer
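The role mechanics behind the RBAC nodes above (users assigned to roles, roles carrying the rights, a DENY role that wins over a grant, as with the Data Reader / DENY Data Reader pairing), as an added example that is not part of this mind map. Role names, tables, user assignments and the deny-overrides-grant rule are assumptions made here for illustration:

```python
"""Added example (not from the mind map): a minimal role-based access
control check. Users never hold rights directly; rights come from roles
named after organizational functions. A DENY role removes a right even
when another role grants it (assumed here, modeled on the Microsoft
Data Reader / DENY Data Reader roles listed above)."""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (operation, table); "*" matches any table

# Constructed roles and the rights they grant.
ROLE_GRANTS: Dict[str, Set[Permission]] = {
    "data_reader":  {("SELECT", "*")},
    "data_writer":  {("INSERT", "*"), ("UPDATE", "*"), ("DELETE", "*")},
    "schema_admin": {("ALTER", "*")},
    "hr_reader":    {("SELECT", "employees")},   # least privilege: one table only
}

# Constructed DENY roles: membership overrides any matching grant.
ROLE_DENIES: Dict[str, Set[Permission]] = {
    "deny_data_reader": {("SELECT", "*")},
    "deny_data_writer": {("INSERT", "*"), ("UPDATE", "*"), ("DELETE", "*")},
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"data_reader", "data_writer"},
    "bob":   {"data_reader", "data_writer", "deny_data_writer"},
    "carol": {"hr_reader"},
    "eve":   {"data_reader", "deny_data_reader"},
}


def _matches(perm: Permission, operation: str, table: str) -> bool:
    op, scope = perm
    return op == operation and scope in ("*", table)


def authorize(user: str, operation: str, table: str) -> bool:
    """True only if some role grants the operation on the table and no
    role denies it. Unknown users hold no roles and are denied."""
    roles = USER_ROLES.get(user, set())
    granted = any(_matches(p, operation, table)
                  for r in roles for p in ROLE_GRANTS.get(r, set()))
    denied = any(_matches(p, operation, table)
                 for r in roles for p in ROLE_DENIES.get(r, set()))
    return granted and not denied


def effective_operations(user: str, table: str) -> Set[str]:
    """Operations the user can actually perform on a table after denies,
    which is what an access review should be looking at."""
    ops = {p[0] for r in USER_ROLES.get(user, set())
           for p in ROLE_GRANTS.get(r, set())}
    return {op for op in ops if authorize(user, op, table)}


if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sorted(effective_operations(u, "employees")))
```

Because rights are attached to roles, revoking a function (removing `bob` from `data_writer`) or tightening it (editing one role) changes every affected user at once, which is the administrative advantage the "Centralized Authority" node refers to.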

5.5. Rule-Based (RSBAC)

5.5.1. Actions based on Subjects operating on Objects

5.5.2. Based on Generalized Framework for Access Control by Abrams and LaPadula

5.6. List Based (Access Control Lists)

5.6.1. Associates lists of Users and their Privileges with each object

5.6.2. Each object has a list of default privileges for unlisted users

5.7. Token Based

5.7.1. Associates a list of objects and their privileges with each User

5.7.2. Opposite of List Based
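The list-based and token-based nodes above describe the two ways of storing the same access matrix: per object (an ACL, with a default for unlisted users) or per subject (a capability list). The following is an added example, not part of this mind map, that holds one constructed matrix both ways and transposes between them; users, objects and rights are sample data made up here:

```python
"""Added example (not from the mind map): the same access matrix as
per-object ACLs and as per-subject capability lists, with the transpose
between them. Users, objects and rights are constructed sample data."""
from typing import Dict, Iterable, Set

Rights = Set[str]

# Constructed ACLs: each object lists users with their privileges plus the
# default privileges any unlisted user receives.
ACLS: Dict[str, Dict] = {
    "payroll.db":   {"entries": {"alice": {"read", "write"}, "bob": {"read"}},
                     "default": set()},
    "handbook.pdf": {"entries": {"alice": {"read", "write"}},
                     "default": {"read"}},
}


def acl_rights(acls: Dict[str, Dict], user: str, obj: str) -> Rights:
    acl = acls[obj]
    return set(acl["entries"].get(user, acl["default"]))


def acl_check(acls: Dict[str, Dict], user: str, obj: str, right: str) -> bool:
    return right in acl_rights(acls, user, obj)


def acl_to_capabilities(acls: Dict[str, Dict],
                        users: Iterable[str]) -> Dict[str, Dict[str, Rights]]:
    """Transpose the column view into one row per user. The default for
    unlisted users can only be expanded if the user population is known."""
    caps: Dict[str, Dict[str, Rights]] = {u: {} for u in users}
    for obj in acls:
        for u in caps:
            rights = acl_rights(acls, u, obj)
            if rights:
                caps[u][obj] = rights
    return caps


def cap_check(caps: Dict[str, Dict[str, Rights]], user: str, obj: str,
              right: str) -> bool:
    return right in caps.get(user, {}).get(obj, set())


def capabilities_to_acls(caps: Dict[str, Dict[str, Rights]],
                         default: Rights = frozenset()) -> Dict[str, Dict]:
    """Transpose back. Every user becomes an explicit ACL entry; the original
    'default for unlisted users' is not recoverable, so a new one is supplied."""
    acls: Dict[str, Dict] = {}
    for u, objs in caps.items():
        for obj, rights in objs.items():
            acls.setdefault(obj, {"entries": {}, "default": set(default)})
            acls[obj]["entries"][u] = set(rights)
    return acls


def revoke_user(acls: Dict[str, Dict], user: str) -> Dict[str, Dict]:
    """Revocation in the ACL view: rebuild each object's list without the
    user. Note that the user then falls back to each object's default."""
    return {obj: {"entries": {u: set(r) for u, r in acl["entries"].items()
                              if u != user},
                  "default": set(acl["default"])}
            for obj, acl in acls.items()}


if __name__ == "__main__":
    caps = acl_to_capabilities(ACLS, ["alice", "bob", "carol"])
    for user, objs in caps.items():
        print(user, {o: sorted(r) for o, r in objs.items()})
```

The transpose shows why the two layouts suit different questions: "who can touch this object?" and revocation per object are one list lookup in the ACL view, while "what can this user reach?" is one list lookup in the capability view. The `revoke_user` check also makes the default-privilege node concrete: removing a user's entry does not remove whatever the object grants to everyone by default.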

5.8. New Implementations

5.8.1. Context Based Access Control (CBAC): XML data restrictions; Quotas; Preceding actions

5.8.2. Privacy Aware RBAC (PARBAC)

6. Terms and Principles

6.1. Data owner

6.1.1. CEO

6.1.2. CFO

6.2. Data custodian

6.2.1. CIO

6.2.2. DBA

6.2.3. Server Admin

6.2.4. Network Admin

6.2.5. System Admin

6.3. Least Privilege

6.3.1. Access control needs good administration

6.3.2. Availability versus security Most Secure = No Access

6.3.3. What are the business needs

6.3.4. Reduce the misuse of Privilege

6.4. Centralized Control

6.5. Decentralized Control

6.6. Separation of Duties

6.6.1. Break jobs into multiple segments

6.6.2. More critical the job the more segmentation

6.7. Rotation of Duties

6.7.1. Rotate persons through roles

6.7.2. Prevent over familiarization with roles

6.7.3. Forced Leaves Helps detect fraud

6.8. Access Control Model Terminology

6.8.1. Subjects (active): Users; Processes

6.8.2. Objects (passive): Files; Directories; Pipes; Devices; Sockets; Ports

6.8.3. Rules (filters): UNIX: Read, Write, Execute; Windows NT4: Read, Write, Execute, No Access

6.8.4. Labels (sensitivity): Users/Subjects = Clearances; Data objects = Classifications; In addition to rules; Can be used to group objects; Can be used to group subjects

6.8.5. Interaction: Subjects assigned security attributes; Objects assigned security attributes; Rules = Attributes; Rules evaluated in the Security Reference Monitor to allow or disallow interaction; Interaction dictated by policy: What are the business rules? How are the rules enforced?

6.8.6. Types of Access Control Systems for File Systems: Mandatory; Discretionary; Role Based. Must use a Reference Monitor, which ensures interactions between Subjects and Objects are:

6.9. Pranksters

6.9.1. Hackers who conduct tricks on others but are not intending to inflict any long-lasting harm.

7. Techniques

7.1. Access Management

7.1.1. Account Administration: Most important step; Verifies the individual before providing access; Good time for orientation/training

7.1.2. Maintenance: Review account data; Update periodically

7.1.3. Monitoring: Logging; Review

7.1.4. Revocation: Prompt revocation

7.2. Access Control Modes

7.2.1. Information Flow

7.2.1.1. Manages access by evaluating the system as a whole; Emphasizes "garbage in, garbage out"; Closely related to the Lattice

7.2.1.2. Assigned classes dictate whether an object being accessed by a subject can flow into another class

7.2.1.3. Defined: a type of dependency that relates two versions of the same object, and thus the transformation of one state into another, at successive points in time

7.2.1.4. The tuple (subject, object, operation), related to access models in the lattice: one security class is given to each entity in the system. A flow relation among the security classes is defined to denote that information in one class (s1) can flow into another class (s2).

7.2.1.5. In the mandatory model, the access rule (s, o, t) is specified so that the flow relation between the subject (s) and the object (o) holds. Read and Write are the only considered forms of operation (t).

7.2.1.6. In the role-based model, a role is defined as a set of operations on objects. The role represents a function or job in the application. The access rule is defined to bind a subject to the roles.

7.2.2. State Machine

7.2.2.1. Example (authentication): Unauthenticated -> Authentication Pending -> Authenticated -> Authorization Pending -> Authorized

7.2.2.2. Captures the state of a system at a given point in time; Monitors changes introduced after the initial state: by chronology, by event

7.2.3. Covert Channels: Information flows from higher to lower classifications; Can be introduced deliberately; Cannot be stopped; Uses normal system resources to signal information; Additional reading: SANS Reading Room

7.2.4. Non-Interference: Based on variations in the input there should be no way to predict the output; Each input processing path should be independent and have no internal relationships

8. Access Control Models

8.1. Lattice

8.1.1. Deals with Information Flow

8.1.2. Formalizes network security models

8.1.3. Shows how information can or cannot flow

8.1.4. Drawn as a graph with directed arrows

8.1.5. Properties of a Lattice: A set of elements; A partial ordering relation; The property that any two elements must have a unique least upper bound and greatest lower bound

8.2. Confidentiality: Bell-LaPadula

8.2.1. Deals with confidentiality

8.2.2. Two key principles: No Read Up (Simple Security Property); No Write Down (*-Property). Prevents write-down trojans from declassifying data

8.2.3. Also: Strong *-Property: No read down; No write up; Can only act on a single level

8.2.4. Tranquility Properties: Weak tranquility: security labels of subjects never change in such a way as to violate a defined security policy; Strong tranquility: labels never change during system operation

8.3. Integrity: Biba

8.3.1. Deals with integrity

8.3.2. Opposite of BLP: No read down; No write up

8.3.3. Two key principles: Simple Integrity Property: a user cannot read data of a lower integrity level than theirs; Integrity *-Property: a user cannot write data to a higher level than they are assigned

8.3.4. Developed by Ken Biba in 1975
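The lattice properties (8.1.5), the Bell-LaPadula rules (8.2.2 and 8.2.3) and the Biba rules (8.3.2 and 8.3.3) can all be checked by one small reference monitor over labels of the form (level, compartments). The following is an added example, not part of this mind map; the level numbers, compartment names, subjects and objects are constructed for illustration:

```python
"""Added example (not from the mind map): a toy reference monitor that
evaluates the Bell-LaPadula (confidentiality) and Biba (integrity) rules
over a lattice of labels. A label is (level, compartments); levels,
compartments, subjects and objects below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Label:
    level: int                               # higher = more sensitive / higher integrity
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """The lattice's partial ordering: level at least as high and a
        superset of compartments. Labels with disjoint compartments are
        incomparable, which is what makes this a lattice rather than a chain."""
        return self.level >= other.level and self.compartments >= other.compartments


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both."""
    return Label(min(a.level, b.level), a.compartments & b.compartments)


class ReferenceMonitor:
    """Mediates every (subject, object, operation) request.
    model='blp' reads labels as clearances/classifications; model='biba'
    reads them as integrity levels. strong_star=True applies the BLP strong
    *-property: a subject may only act on objects at its own label."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label],
                 model: str = "blp", strong_star: bool = False):
        self.subjects, self.objects = subjects, objects
        self.model, self.strong_star = model, strong_star

    def check(self, subject: str, obj: str, op: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if op not in ("read", "write"):
            raise ValueError(f"unknown operation {op!r}")
        if self.model == "blp":
            if self.strong_star:
                return s == o                # act on a single level only
            if op == "read":
                return s.dominates(o)        # simple security: no read up
            return o.dominates(s)            # *-property: no write down
        if self.model == "biba":
            if op == "read":
                return o.dominates(s)        # simple integrity: no read down
            return s.dominates(o)            # integrity *-property: no write up
        raise ValueError(f"unknown model {self.model!r}")


if __name__ == "__main__":
    U, S = Label(0), Label(2, frozenset({"NUC"}))
    TS = Label(3, frozenset({"NUC", "CRYPTO"}))
    rm = ReferenceMonitor({"alice": S}, {"memo": U, "plan": TS})
    for obj in ("memo", "plan"):
        for op in ("read", "write"):
            verdict = "allow" if rm.check("alice", obj, op) else "deny"
            print(f"alice {op} {obj}: {verdict}")
```

The write-down case is the one the mind map singles out: a SECRET subject writing to an UNCLASSIFIED object is refused by the *-property regardless of the subject's intent, which is exactly what stops a trojan running with that clearance from declassifying data. Switching the model to Biba flips both rules, as node 8.3.2 states.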

8.4. Commercial: Clark-Wilson

8.4.1. Deals with Integrity

8.4.2. Adapted for Commercial use

8.4.3. Two properties: Internal consistency (properties of the internal state of the system); External consistency (relation of the internal state of a system to the outside world)

8.4.4. Separation of Duties

8.4.5. Rules: Integrity monitoring (certification); Integrity preserving (enforcement). Notions: How the integrity of constrained items is maintained; Subject identities are authenticated; Triples are carefully maintained; Transformational procedures executed serially and not in parallel

8.4.6. Triples: subject, program, object

8.5. Others