Chapter 1

Access Controls

Paul Henry

Contents

Access Control Concepts

What Is a Subject?

Subject Group Considerations

What Is an Object?

Object Group Considerations

Discretionary Access Control

Rule Set–Based Access Controls

Role-Based Access Controls

Constrained User Interface

Content-Dependent Access Control

Context-Based Access Control

Temporal Isolation (Time-Based) Access Control

Nondiscretionary Access Control

Mandatory Access Control

Separation of Duties

Architecture Models

Bell–LaPadula

Biba

Clark–Wilson

Other Considerations of Clark–Wilson

Brewer–Nash: Chinese Wall

Identification, Authentication, Authorization, and Accountability

Identity (Who Is the Subject?)

Methods (User ID, PIN, Account Number)

Registration of New Users

Periodic Review of Access Levels

Clearance

Authentication (Proof of Identity)

Knowledge

Ownership

Characteristic

Multifactor Authentication

Two-Factor vs. Three-Factor Authentication

Dual Control

Continuous Authentication

Reverse Authentication

Certificate-Based Authentication

Authorization

Access to Systems vs. Data, Networks

Access Control Lists/Matrix

Directories

Single Sign-On

Accountability

Standard Format Logs

Remote Access Methods

Centralized Remote Access

Remote Authentication Dial-In User Services

Terminal Access Controller Access Control System

Extended Terminal Access Controller Access Control System

Terminal Access Controller Access Control System Plus

Diameter

Decentralized Remote Access

Password Authentication Protocol/Challenge Handshake Authentication Protocol

Other Access Control Areas

Physical Security

Portable Device Security

Mobile Phones

USB, CD, and DVD Drives

Bypass of Logical Security

Access to Computers and Equipment

Clear Desk/Clean Screen

Sample Questions

Access controls permit management to specify what users can do, which resources they can access, and what operations they can perform on a system. Access controls provide system managers with the ability to limit and monitor who has access to a system and to restrain or influence the user’s behavior on that system. Access control systems define what level of access that individual has to the information contained within a system based on predefined conditions such as authority level or group membership. Access control systems are based on varying technologies, including passwords, hardware tokens, biometrics, and certificates to name a few. Each access control system offers different levels of confidentiality, integrity, and availability to the user, the system, and stored information.

A Systems Security Certified Practitioner candidate is expected to demonstrate knowledge in how different access control systems operate and are implemented to protect the system and its stored data. In addition, a candidate must demonstrate knowledge in account management, access control concepts, and attack methods that are used to defeat access control systems. Key areas of knowledge include

■  Implement logical access controls in terms of subjects

– Requirements for access controls

– Account creation and maintenance

■  Implement logical access controls in terms of objects

– Requirements for access controls

– Object groups

■  Implement authentication techniques, for example, single and multifactor authentication, single sign-on, offline authentication

■  Apply access control concepts, for example, discretionary access control (DAC), least privilege, and separation of duties

■  Manage internetwork trust architectures, for example, extranet, third-party connections.

Access Control Concepts

Access controls are those systems that provide for the ability to control “who” can do specifically “what” with respect to data, applications, systems, networks, and physical spaces. In the simplest of terms (and in a perfect world), an access control system grants system users only those rights necessary for them to perform their respective jobs.

For any access control subject to obtain any access to an access control object, there are three steps that must be accomplished (Figure 1.1).

Figure 1.1 Three steps to access control: identification, authentication, and authorization.


The term “access controls” is very broad in nature and can include everything from a simple password authentication that allows a user to access an e-mail account to a biometric retina scanner that unlocks the door to a critical data center.

What Is a Subject?

An access control subject is an active entity and can be any user, program, or process that requests permission to cause data to flow from an access control object to the access control subject or between access control objects.

Access control subjects include

■  Authorized users

■  Unauthorized users

■  Applications

■  Processes

■  Systems

■  Networks

The authorization provided to the access control subject by an access control system can include but is not limited to the following considerations:


The attributes of a subject are referred to as privilege attributes or sensitivities. When these attributes are matched against the control attributes of an object, privilege is either granted or denied.

In a typical access control system, additional subject-specific requirements may include

■  A secure default policy should be applied to any newly created subject.

■  The attributes of the subject should not be expressed in terms that can easily be forged such as an IP address.

■  The system should provide for a default deny on all permissions for the subject, thereby requiring that access to any object be explicitly created by an administrator.

■  In the absence of policy for a given subject, the default policy should be interpreted as default deny.

■  A user ID should remain permanently assigned to a subject.

Subject Group Considerations

The configuration of privileges in access control for an individual subject affords maximum granularity. In systems with perhaps hundreds or thousands of users, this granularity can quickly become a management burden. By incorporating multiple subjects with similar permissions, for example, job titles, within a group, the granularity is thereby coarsened and the administration of the access control system is simplified.

What Is an Object?

An access control object is a passive entity that typically receives or contains some form of data. The data can be in the form of a file, a program, or may be resident within system memory.

Access control objects include

■  Data

■  Applications

■  Systems

■  Networks

■  Physical space, for example, the data center

Typical access control object considerations can include but are not limited to the following:

■  Restrict access to operating system configuration files and their respective directories to authorized administrators.

■  Disable write/modify permissions for all executable files.

■  Ensure that newly created files inherit the permissions of the directory in which they were created.

■  Ensure that subdirectories cannot override the permissions of parent directories unless specifically required by policy.

■  Log files should be configured to only permit appending data to mitigate the risk of a log file’s contents being purposely deleted or overwritten by a malicious user or process.

■  Encryption of data at rest can afford additional security and should be a consideration in the determination of the policies for access control objects.

Object Group Considerations

The configuration of privileges to access an individual object affords maximum granularity. It is not uncommon today for the number of objects within an access control system to number in the tens or even hundreds of thousands. While configuring individual objects affords maximum control, this granularity can quickly become an administrative burden. It is a common practice to assign the appropriate permissions to a directory, and each object within the directory inherits the respective parent directory permissions. By incorporating multiple objects with similar permissions or restrictions within a group or directory, the granularity is thereby coarsened and the administration of the access control system is simplified.

Discretionary Access Control

In DAC, the owner of the access control object determines the privileges (e.g., read, write, execute) of the access control subjects. This methodology relies on the discretion of the owner of the access control object to determine each access control subject’s specific rights, and thereby the security of the object. Hence, the security of the object is literally up to the discretion of the object owner. DACs are not very scalable; they rely on the decisions made by each individual access control object owner, and it can be difficult to find the source of access control issues when problems occur.

Rule Set–Based Access Controls

Rule Set–Based Access Controls are discretionary controls whereby the owner has the discretion to determine the rules to facilitate access. A Linux-specific open source initiative known as Rule Set–Based Access Control (RSBAC) has been in development since 1996 and in stable production since January 2000. RSBAC is based on the Abrams and LaPadula Generalized Framework for Access Control (GFAC). RSBAC works at the kernel level and affords flexible access control based on several modules:

■  Mandatory Access Control module (MAC)

■  Privacy module (PM)

■  Function Control module (FC)

■  File Flag module (FF)

■  Malware Scan module (MS)

■  Role Compatibility module (RC)

■  Security Information Modification module (SIM)

■  Authentication module (Auth)

■  Access Control List module (ACL)

All security-relevant system calls in the Linux kernel are extended by RSBAC security enforcement code. This code calls the central decision component, which in turn calls all active decision modules (see the listing above) and generates a combined decision. The decision is then enforced by the RSBAC system call extensions. One of the original goals of RSBAC was to achieve Orange Book B1 certification.

Role-Based Access Controls

Role-based access control (RBAC) is generally considered to be discretionary because the owner determines what roles have access. RBAC is also discretionary because the owner determines the rules. While there are several different implementations of nondiscretionary access controls, most implementations work on the principle of RBAC. RBAC works by assigning roles to access control subjects as well as labels to the access control objects that specify which roles are permitted access to the respective access control objects. Within an RBAC implementation, the ability to permit or deny the inheritance of roles within a given hierarchy is commonly available.

RBAC in many respects is similar to a well-managed work environment. Each employee has an assigned role and job function; they are only permitted access to the information necessary to accomplish their job function. The inheritance aspects of RBAC can be thought of like the organization chart at a well-managed company whereby roles can be inherited across employees at the same organizational level or downward in the organizational chart but perhaps not permitting inheritance of a role moving up the organizational chart to levels above the current assigned role.

Constrained User Interface

Constrained User Interface (CUI) is a methodology that restricts the user’s actions to specific functions by not allowing them to request functions that are outside of their respective level of privilege or role. The most common example of CUI can be found in online banking applications and ATMs where the limited menus are readily apparent until after the user has properly authenticated, thereby establishing their respective role/level of privilege.

Another type of CUI is often referred to as View-Based Access Control (VBAC); it is most commonly found in database applications to control access to specific parts of a database. The CUI in VBAC restricts or limits an access control subject’s ability to view or perhaps act on “components” of an access control object based on the access control subject’s assigned level of authority. Views are dynamically created by the system for each user-authorized access.

Simply put, VBAC separates a given access control object into subcomponents and then permits or denies access for the access control subject to view or interact with specific subcomponents of the underlying access control object.

VBAC examples in a medical records database:

■  A billing clerk (access control subject) would be able to view the procedures, supplies, and related costs in a database (access control object) to be billed to a patient and would be restricted from seeing the result of any of the underlying tests and perhaps the doctor’s notes contained within the same database (access control object).

■  A nurse (access control subject) would be able to view the results of procedures and tests as well as the doctor’s notes but would be restricted from seeing the costs for the procedures and supplies.

VBAC examples in a firewall administrator’s management console:

■  A firewall user administrator (access control subject) would be able to add new users and reset user passwords in the firewall’s database (access control object) but would be restricted from seeing alerts or altering the firewall ACL rules within the same database.

■  A firewall monitor (access control subject) would be able to see alerts in the firewall database (access control object) but would not be able to see or alter any information in the database relating to users or ACL rules.

■  A firewall virtual private network (VPN) administrator (access control subject) would have the ability to enter VPN-related rules into the firewall database (access control object) to facilitate creating a point-to-point VPN tunnel or perhaps to permit a client to server VPN connection. However, the users would have to already exist in the firewall database (access control object), and the VPN administrator (access control subject) would be restricted from seeing alerts and access control rules that did not specifically relate to the VPN operations within the database.

■  A firewall security officer (access control subject) would have full access to all information within the firewall database (access control object).

While the view that is given to an access control subject may in fact be only a partial view of the information available from the access control object, it is important in the proper application of VBAC that the views presented to the access control subject appear normal, complete, and in context, without revealing signs of any missing information.

Content-Dependent Access Control

Content-Dependent Access Control (CDAC) is most commonly used to protect databases containing sensitive information; hence, CDAC can be thought of as a mechanism for privacy enforcement. CDAC is commonly based on the Abrams and LaPadula GFAC. CDAC works by permitting or denying an access control subject’s access to access control objects based on the explicit content within the access control object. A timely example is that with CDAC in a medical records database application, a health-care worker may have been granted access to blood test records; however, if a record contains information about an HIV test, the health-care worker may be denied access to both the existence of the HIV test and its results. Only specific hospital staff would have the necessary CDAC access control rights to view blood test records that contain any information about HIV tests.

While high levels of privacy protection are attainable using CDAC, it comes at the cost of a great deal of labor in defining the respective permissions. It should be further noted that CDAC comes with a great deal of overhead in processing power as it must scan the complete record to determine if access can be granted to a given access control subject. This scan is done by an arbiter program to determine if access will be allowed.

Context-Based Access Control

Context-Based Access Control (CBAC) is primarily used in firewall applications to extend the firewall’s decision-making process beyond basic ACL decisions to decisions based on state as well as application-layer protocol session information. A static packet filtering firewall is a good example of a firewall that does not use CBAC: it looks at each and every packet and compares the packet to an ACL rule base to determine whether the packet is to be allowed or denied. A stateful inspection firewall is a good example of a firewall that uses CBAC. The firewall also considers the “state of the connection”; i.e., if a packet arrives that is part of a continuing session that had previously been permitted to pass through the firewall, then subsequent packets that are part of that session are allowed to pass without the overhead of comparing each packet to the ACL rules. CBAC affords a significant performance enhancement to a firewall.

CBAC is often confused with CDAC but they are two completely different methodologies. While CDAC makes decisions based on the content within an access control object, CBAC is not concerned with the content; it is only concerned with the context or the sequence of events leading to the access control object being allowed through the firewall.

In the CDAC blood test example above, the access control subject would be denied access to the access control object because it contained information about an HIV test. CBAC could instead be used to limit the total number of requests for access to any blood test records over a given period of time. Hence, a health-care worker may be prevented from accessing the blood test database more than 100 times in a 24-hour period.

While CBAC does not require that permissions be configured for individual access control objects, it requires that rules be created in relation to the sequence of events that precede an access attempt.
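The contrast between CDAC and CBAC drawn above, as an added example that is not part of the chapter: the same blood-test records are checked once by a content-scanning arbiter and once by a request-history limit of 100 per 24 hours. The record layout, the right names (“blood_tests”, “hiv_results”) and the subjects are assumptions.

```python
# Constructed example (not from the chapter): the same blood-test records
# checked two ways. cdac_arbiter() decides on record CONTENT; CbacRateLimiter
# decides on CONTEXT, the sequence of earlier requests. Record layout, right
# names and subjects are assumptions.
from collections import defaultdict, deque

# Sample records, constructed. The "hiv" field is the explicit content that
# CDAC must find by scanning the record.
RECORDS = {
    "rec-1001": {"patient": "P-1", "tests": {"cbc": "normal", "glucose": 92}},
    "rec-1002": {"patient": "P-2", "tests": {"cbc": "normal", "hiv": "negative"}},
}

# Rights per subject (assumed names): "blood_tests" is the ordinary grant,
# "hiv_results" the extra CDAC right that only specific staff hold.
RIGHTS = {
    "nurse": {"blood_tests"},
    "infectious_disease_md": {"blood_tests", "hiv_results"},
}

# Test names whose presence in a record requires the extra right.
SENSITIVE_TESTS = {"hiv"}


def cdac_arbiter(subject, record_id):
    """Content-dependent decision: scan the whole record before answering.

    Returns True if the subject may see the record. A record that contains a
    sensitive test is withheld entirely from subjects lacking the extra right,
    so neither the existence nor the result of that test is revealed.
    """
    rights = RIGHTS.get(subject, set())
    if "blood_tests" not in rights:
        return False  # default deny: no ordinary grant at all
    record = RECORDS[record_id]
    # This per-request scan is the processing overhead the text warns about.
    for test_name in record["tests"]:
        if test_name in SENSITIVE_TESTS and "hiv_results" not in rights:
            return False
    return True


class CbacRateLimiter:
    """Context-based decision: at most `limit` requests per `window_seconds`.

    Record content is never inspected; only the history of earlier requests
    (the context) matters. Timestamps are plain integers (seconds).
    """

    def __init__(self, limit=100, window_seconds=24 * 3600):
        self.limit = limit
        self.window = window_seconds
        self.history = defaultdict(deque)  # subject -> timestamps still in window

    def allow(self, subject, now):
        stamps = self.history[subject]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # forget requests that fell out of the window
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def request(subject, record_id, now, limiter):
    """Combine both: the cheap context check runs first, the expensive content
    scan only for requests that survive it."""
    if not limiter.allow(subject, now):
        return "denied: context (rate limit)"
    if not cdac_arbiter(subject, record_id):
        return "denied: content"
    return "granted"
```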

Temporal Isolation (Time-Based) Access Control

Temporal Isolation (Time-Based) Access Control is commonly used to enhance or extend the capabilities of RBAC implementations. This combined methodology is often referred to as Temporal Role-Based Access Control (TRBAC). TRBAC effectively applies a time limitation to “when” a given role can be activated for a given access control subject.

■  A high-level “top secret” role would be assigned to a given access control subject during the normal 8:00 A.M. to 5:00 P.M. working hours.

■  A lower-level “confidential” role would be assigned to the same access control subject during the 5:00 P.M. to 8:00 A.M. nonworking hours.

To decrease the labor of assigning TRBAC rules to each of many individual access control subjects, most implementations of TRBAC assign the temporal-based classification levels to the perhaps lower number of access control objects rather than to the access control subjects. Hence, a given access control object would have a temporal-based classification level that is effective against all access control subjects.

Temporal extensions are also used to enhance other access control methodologies. It is common today to find access control devices that support time-based access control rules. The temporal enhancement of the access control rule only allows the rule to be effective during the specified time period.
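The downward-only role inheritance described under Role-Based Access Controls and the working-hours/non-working-hours activation windows described here, as one added example that is not from the chapter. The role names, permissions, hours and the temporally labelled object are assumptions.

```python
# Constructed example (not from the chapter): role-based access with downward
# inheritance, extended with temporal activation windows (TRBAC). Role names,
# permissions, hours and object labels are assumptions.

# Role hierarchy: each role lists the roles directly below it. A senior role
# inherits its juniors' permissions; nothing flows upward.
ROLE_JUNIORS = {
    "top_secret_analyst": ["confidential_analyst"],
    "confidential_analyst": [],
    "security_officer": ["firewall_admin", "firewall_monitor"],
    "firewall_admin": ["firewall_monitor"],
    "firewall_monitor": [],
}

ROLE_PERMS = {
    "top_secret_analyst": {"read_top_secret"},
    "confidential_analyst": {"read_confidential"},
    "security_officer": {"edit_acl"},
    "firewall_admin": {"add_user", "reset_password"},
    "firewall_monitor": {"view_alerts"},
}

# Activation windows as (start_hour, end_hour) on a 24-hour clock; the window
# covers start <= hour < end. An end at or before the start wraps past
# midnight, which is how the 17:00-to-08:00 non-working window is expressed.
# Roles without a window can be activated at any hour.
ROLE_WINDOWS = {
    "top_secret_analyst": (8, 17),
    "confidential_analyst": (17, 8),
}

# Temporal classification attached to OBJECTS rather than subjects, the
# labour-saving placement the text describes.
OBJECT_WINDOWS = {
    "ts-briefing": (8, 17),
}


def in_window(hour, window):
    start, end = window
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end  # wrap-around past midnight


def effective_permissions(role):
    """The role's own permissions plus everything inherited from below."""
    perms, seen, stack = set(), set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # guards against cycles in a mis-configured hierarchy
        seen.add(current)
        perms |= ROLE_PERMS.get(current, set())
        stack.extend(ROLE_JUNIORS.get(current, []))
    return perms


def active_roles(assigned_roles, hour):
    """Roles a subject may activate at the given hour."""
    return {
        role for role in assigned_roles
        if role not in ROLE_WINDOWS or in_window(hour, ROLE_WINDOWS[role])
    }


def permitted(assigned_roles, hour, permission, obj=None):
    """Default deny: grant only if some active role carries the permission
    and the object (if it has a temporal label) is open at this hour."""
    if obj is not None and obj in OBJECT_WINDOWS:
        if not in_window(hour, OBJECT_WINDOWS[obj]):
            return False
    return any(permission in effective_permissions(r)
               for r in active_roles(assigned_roles, hour))
```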

Nondiscretionary Access Control

The following definition of nondiscretionary access control was published by the National Institute of Standards and Technology (NIST) on May 19, 2006: “Most OS provide what is called discretionary access control. This allows the owner of each file, not the system administrator, to control who can read, write, and execute that particular file. Another access control option is called nondiscretionary access control. Nondiscretionary access control differs from discretionary access control in that the definition of access rules is tightly controlled by a security administrator rather than by ordinary users.”

Mandatory Access Control

Mandatory Access Control (MAC) is typically used in environments requiring high levels of security such as government or military systems. In MAC, the inherent problems of relying on each system owner to properly control access to each access control object are eliminated by having the system participate in applying a mandatory access policy; the system owner applies the “need to know” element. This policy typically affords three object classification levels: top-secret, secret, and confidential. Each access control system subject (users and programs) is assigned a clearance label, and each access control system object is assigned a sensitivity label. The system then automatically provides the correct access rights by comparing the object and subject labels. MACs allow multiple security levels of both objects and subjects to be combined securely in one system.

Separation of Duties

This aspect of access control establishes guidelines that require that no single person should perform a task from beginning to end, and that the task should be accomplished by two or more people to mitigate the potential for fraud in one person performing the task alone. Separation of duties is a key element in the Clark–Wilson formal model.

Architecture Models

Bell–LaPadula

The Bell–LaPadula confidentiality model provides the “mandatory” component of a MAC system with the following MAC parameters:


A common theme among applications of MAC is the “no read up–no write down” policy applied to each subject’s sensitivity level. This is the “mandatory” part of MAC. It is the implementation of the Bell–LaPadula security model:

■  Simple Security Property: The subject cannot read information from an object with a higher sensitivity level than the subject’s.

■  Star Property: The subject cannot write information to an object with a sensitivity level that is lower than the subject’s.

Biba

The Biba formal model was written by K. J. Biba in 1977 and is the basis for the “integrity” aspects of the MAC model. The Biba formal model provides for three primary rules:

■  An access control subject cannot access an access control object that has a lower integrity level.

■  An access control subject cannot modify an access control object that has a higher integrity level.

■  An access control subject cannot request services from an access control object that has a higher integrity level.
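The MAC labels, the two Bell–LaPadula properties and the three Biba rules above, as one added reference-monitor example that is not from the chapter. The level names, the “invoke” operation (treated as carrying no data under Bell–LaPadula) and the labels used in the checks are assumptions.

```python
# Constructed example (not from the chapter): a small reference monitor that
# applies the Bell-LaPadula confidentiality properties and the three Biba
# integrity rules together. Level names, the "invoke" operation and the
# subject/object labels are assumptions.
from dataclasses import dataclass

# Sensitivity levels from the chapter's MAC discussion, ordered low to high.
SENSITIVITY = {"confidential": 1, "secret": 2, "top-secret": 3}
# Integrity levels for Biba, ordered low to high (assumed names).
INTEGRITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Label:
    sensitivity: str  # clearance for a subject, classification for an object
    integrity: str


def bell_lapadula(subject, obj, op):
    """Confidentiality: 'no read up, no write down'. Returns (allowed, reason)."""
    s, o = SENSITIVITY[subject.sensitivity], SENSITIVITY[obj.sensitivity]
    if op == "read":
        # Simple Security Property
        return (s >= o, "no read up")
    if op == "write":
        # Star Property
        return (s <= o, "no write down")
    # Invocation moves no data in this simplification, so BLP has no say.
    return (True, "not a BLP operation")


def biba(subject, obj, op):
    """Integrity: the three rules listed in the chapter. Returns (allowed, reason)."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op == "read":
        # Rule 1: cannot access (read) an object of lower integrity
        return (s <= o, "no read down")
    if op == "write":
        # Rule 2: cannot modify an object of higher integrity
        return (s >= o, "no write up")
    if op == "invoke":
        # Rule 3: cannot request services from an object of higher integrity
        return (s >= o, "no invoke up")
    return (False, "unknown operation")


def reference_monitor(subject, obj, op):
    """Every access passes both models; any failure is a denial that names the
    rule, which is what an audit log should record."""
    if op not in ("read", "write", "invoke"):
        return (False, "unknown operation")
    for model in (bell_lapadula, biba):
        allowed, reason = model(subject, obj, op)
        if not allowed:
            return (False, f"{model.__name__}: {reason}")
    return (True, "allowed")
```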

Clark–Wilson

The Clark–Wilson formal model was written by Dr. David D. Clark and David R. Wilson in 1987, and was updated in 1989. Like the Biba formal model, it addresses integrity. However, unlike the Biba formal model, the Clark–Wilson formal model extends beyond limiting access to the access control object by adding integrity considerations to the processes that occur while using the access control object.

The Clark–Wilson formal model effectively provides for the integrity of the access control object by controlling the process that can create or modify the access control object.

Furthermore, the Clark–Wilson formal model also provides for the separation of duties. This aspect of the Clark–Wilson formal model establishes guidelines that require that no single person should perform a task from beginning to end, and that the task should be accomplished by two or more people to mitigate the potential for fraud in one person performing the task alone.

Other Considerations of Clark–Wilson

Well-formed transaction: The well-formed transaction is the basis of the Clark–Wilson model and provides for integrity through the use of rules and certifications applied to data as it is processed through various states. A well-formed transaction also employs the use of separation of duties whereby the implementer of a transaction and the certifier of a transaction must be separate entities.

Access triple: Historically, the Clark–Wilson triple referred to the relationship between an authenticated user, the programs that operate on the data items, and the data themselves. Similarly, an access triple refers to an authenticated user having permission to use a given program on a specific set of data.

Brewer–Nash: Chinese Wall

The Chinese Wall adds an additional element to other models: the interrelationships of data. In an example of the addition of a Chinese Wall to Bell–LaPadula, not only would a given user be restricted to accessing a specific set of data, but what other data sets the user had previously accessed would also be examined before permitting access to the data. In an example of Clark–Wilson augmented with a Chinese Wall, not only is access to data restricted to a given process, but consideration is also given to which other data the process had been used on.

The goal of a Chinese Wall is to mitigate the risk of a conflict of interest. As an example of the implementation of a Chinese Wall, access controls within a law office network would initially allow a consultant unrestricted access to files. Only after they accessed a given file for a given company would they be restricted in which other files, regarding other companies, they could further access. In the simplest of terms, once you have viewed confidential information about one organization, you are not permitted further access to confidential information about any of its competitors.
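The law-office scenario above, as an added Brewer–Nash example that is not from the chapter: the first file a consultant opens in a conflict-of-interest class erects the wall against that company’s competitors. Firm names, file names and the classes are assumptions, and the write rule goes beyond the chapter’s text (it follows the Brewer–Nash paper).

```python
# Constructed example (not from the chapter): Brewer-Nash Chinese Wall for the
# law-office consultant scenario. Firm names, file names and the
# conflict-of-interest classes are assumptions. The write rule goes beyond
# the chapter's text and follows the Brewer-Nash paper.

# Each client file is labelled with the company it concerns and that company's
# conflict-of-interest (COI) class, i.e. the group of competitors.
DATASETS = {
    "bank-alpha/merger.docx": ("Bank Alpha", "retail-banking"),
    "bank-beta/loans.xlsx": ("Bank Beta", "retail-banking"),
    "oilco/leases.pdf": ("OilCo", "oil-and-gas"),
    "gasco/pipeline.pdf": ("GasCo", "oil-and-gas"),
}


class ChineseWall:
    def __init__(self):
        # subject -> {coi_class: company already chosen in that class}
        self.history = {}

    def can_read(self, subject, dataset):
        company, coi = DATASETS[dataset]
        prior = self.history.get(subject, {}).get(coi)
        # Free choice until the first file in a class is opened; afterwards
        # only that company's files within the class remain readable.
        return prior is None or prior == company

    def read(self, subject, dataset):
        """Grant or deny a read; a grant records the choice and erects the wall."""
        if not self.can_read(subject, dataset):
            return False
        company, coi = DATASETS[dataset]
        self.history.setdefault(subject, {})[coi] = company
        return True

    def can_write(self, subject, dataset):
        """Brewer-Nash write rule (beyond the chapter): writing is allowed only
        if the file is readable and the subject has read nothing belonging to
        any other company, since otherwise a write could carry one client's
        information into another's file."""
        if not self.can_read(subject, dataset):
            return False
        company, _ = DATASETS[dataset]
        seen = set(self.history.get(subject, {}).values())
        return seen <= {company}

    def reachable(self, subject):
        """Files the subject may still open; useful for showing the wall in a
        user interface or checking it in an audit."""
        return {d for d in DATASETS if self.can_read(subject, d)}
```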

Identification, Authentication, Authorization, and Accountability

Identity (Who Is the Subject?)

Identification asserts a unique user or process identity and provides for accountability. Identification of an access control subject is typically in the form of an assigned user name. This user name could be public information whether intentional or not. A good example is that in most networks, the user name that identifies the user for network access is also the identification used as the e-mail account identifier. Hence all one would have to do to determine the account holder’s user name would be to know the account holder’s e-mail address. An access control that relied on the user name alone to provide access would be an ineffective access control. To prove that the individual who presented the user name to the access control is the individual that the user name was assigned to, a secret is shared between the access control system and the respective user. This secret is the user’s password and is used to authenticate that the user who is trying to gain access is in fact the user who owns the rights associated with the respective identification.

Methods (User ID, PIN, Account Number)

Unique. Regardless of the method used (userID, PIN, account number), each one must be unique to be valid for any user. Care must also be taken that a user’s userID cannot be readily derived from information known about that user. An example of this problem would be to simply use the user’s first initial and last name as his userID: anyone knowing the user’s first and last name would then easily know the user’s userID.

Group. The configuration of privileges in access control for an individual subject affords maximum granularity. In systems with perhaps hundreds or thousands of users, this granularity can quickly become a management burden. By incorporating multiple subjects with similar permissions, such as job titles, within a group, the granularity is thereby coarsened and the administration of the access control system is simplified. However, it is important to note that group IDs are not recommended because individual accountability is lost.

Registration of New Users

Manual user registration provides for the greatest granularity but is also regarded as having too high of an administrative burden to be effective and is today often replaced with an automated provisioning solution. Automated provisioning solutions (identity management) provide a framework for managing access control policies by role, interconnection with IT systems, workflows to guide sign-off, delegated administration, password management, and auditing.

Periodic Review of Access Levels

The periodic review of user access levels is no longer simply a best practice and has been incorporated into current regulations including Sarbanes–Oxley. The mandatory periodic review of user access levels is necessary to ensure that each user’s privilege continues to be appropriate and reflects any changes in their access requirements as their role and/or responsibilities within the enterprise change.

Clearance

The proper application of clearance is critical in those systems where access controls are based on security labels such as implementations of access control using the Bell–LaPadula model. Access control systems using clearances typically do so using a trusted user directory. Access to the directory is only available after successful authentication, and the directory must be trusted. Clearance levels like other general access levels must routinely be verified against each user’s actual requirements, designated access, and status.

Certificates play an important role today in improving trust within a user directory. Instead of simply looking up a user in a directory to determine the level of clearance, a certificate with additional attributes, such as clearance life cycle, can be used to verify by its digital signature that the clearance is valid.

Authentication (Proof of Identity)

Authentication is the process of verification that the identity presented to the access control system belongs to the party that has presented it. The three common factors in authentication are something you know, something you have, and something you are. In network authentication, the identification of the user is authenticated using a secret password that only the user would know. This would be referred to as simple authentication. There are more complex authentication methodologies such as “dual factor authentication” that not only require the secret that the user knows but also requires another layer of authentication in the form of something the user “has” in their possession—such as a security token, or something the user “is”—as in the case of biometric authentication, a fingerprint, or retina scan. We will discuss complex authentication methodologies such as dual factor later in this chapter. Again, the objective of authentication is to prove the identity of the user that is asking for some type of access from the access control system.

Knowledge

Knowledge is something that you know, such as a password.

Static passwords. Static passwords can be a password, a PIN, a passphrase, a graphic, etc. Regardless of length and character construction, static passwords that are not frequently changed are inherently insecure.

Secure storage is a necessity, as legacy encryption of passwords in storage is typically easy to crack and makes unauthorized use of accounts a trivial matter for a determined malicious hacker. Tools such as Cain & Abel along with rainbow tables can defeat the most commonly used password encryption methodologies in seconds.

Password resets when the user forgets his password consume a large volume of time in most IT support departments and also provide an effective entry vector for social engineering attacks. All too often password lockout mechanisms are disabled to reduce the number of required password resets, further increasing the risk of potential compromise. Automated password reset mechanisms range from the user being required to answer a series of personal questions that they previously provided responses for to newer technology-based reset mechanisms that use voice recognition to further automate the process.

Mass lockouts of user accounts are an effective denial of service attack. If a malicious hacker learns that you are using a standard “not unique” user name format making the user names for authentication easy to guess and that your access control system will lock out a user account after a given number of failed login attempts, it is a simple matter to quickly script an attack that walks through a failed login attempt creating a locked-out account for each and every user.

Ownership

Ownership is something the user has in his possession such as a smartcard or a token.

Smartcards. Typically, smartcards are credit card size, contain a tamper-resistant security system, are managed by a central administration system, and require a card reader device, such as the typical card reader on an ATM or fuel pump at a gasoline station. There are contact and contactless smartcards and readers.

A contact card reader requires physical contact with the card reader. There are two primary methodologies for contact card readers. A landing contact requires physical contact with the contacts (landing zone) on the card when it is placed within the reader. Typical standards for landing contact readers include ISO 7816. Landing contact readers are popular in physical access applications. A friction contact requires that the card landing contacts are wiped against the contact reader. Typical friction card readers are those used in credit card transactions at merchants.

Contactless card readers are quickly gaining in popularity and typically rely on radiofrequency identification (RFID) technology to facilitate reading. The additional security mechanisms found in contactless card applications can include challenge/response-based encryption safeguards to reduce the risk of “card skimming” whereby the account information is stolen in an otherwise legitimate transaction. It is believed that users prefer contactless cards because of their inherent ease of use, speed of transaction, and increased security.

Dynamic passwords. Dynamic password methodologies, also known as “one-time passwords,” are typically implemented by utilizing hardware or software token technology. Effectively, the password is changed after each authentication session. This effectively mitigates the risk of shoulder surfing or password sniffing, as the password is only valid for the one session and cannot be reused.

Tokens. While tokens are available in many different form factors, there are two basic types of tokens in use today: synchronous and asynchronous.

With a synchronous token, time is synchronized between the token device and the authentication server. The current time value is enciphered along with a secret key on the token device and is presented to the access control subject for authentication. A popular synchronous token from RSA called “SecurID” provides for a new six- to eight-digit code every 60 seconds; it can operate for up to 4 years and can be programmed to cease operation on a predetermined date. The synchronous token requires fewer steps by the access control subject to successfully authenticate:

■  The access control subject reads the value from his or her token device.

■  The value from the token device is entered into the login window along with the access control subject’s PIN.

■  The authentication server calculates its own comparative value based on the synchronized time value and the respective access control subject’s PIN. If the compared values match, access is granted.

An asynchronous token, such as the event-driven, asynchronous token from Secure Computing called SafeWord, provides a new one-time password with each use of the token. While it can be configured to expire on a specific date, its lifetime depends on its frequency of use. The token can last from 5 to 10 years and effectively extend the time period typically used in calculating the total cost of ownership in a multifactor authentication deployment. In the use of an asynchronous one-time password token, the access control subject typically executes a five-step process to authenticate identity and have access granted:

1. The authentication server presents a challenge request to the access control subject.

2. The access control subject enters the challenge into his/her token device.

3. The token device mathematically calculates a correct response to the authentication server challenge.

4. The access control subject enters the response to the challenge along with a password or PIN number.

5. The response and password or PIN number are verified by the authentication server and, if correct, access is granted.

The use of a PIN together with the value provided from the token helps to mitigate the risk of a stolen or lost token being used by an unauthorized person to gain access through the access control system.
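A server-side model of the synchronous and challenge/response token flows described above, added here as an example; it is not the textbook's code and not an implementation of SecurID or SafeWord. The 60-second step, six-digit codes, a one-step drift window, and checking the PIN separately from the token value are all assumptions.

```python
import hashlib
import hmac
import os
import time

STEP = 60     # assumed: seconds per synchronous code, matching the 60-second example above
DIGITS = 6    # assumed: displayed code length
WINDOW = 1    # assumed: time steps of clock drift the server tolerates on either side


def token_code(secret: bytes, counter: int) -> str:
    """Value a token derives from its secret and a counter (a time step or a challenge)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


class SyncToken:
    """Time-synchronized token: the display depends only on the secret and the clock."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def display(self, now=None) -> str:
        return token_code(self.secret, int(now or time.time()) // STEP)


class AsyncToken:
    """Challenge/response token: the display depends on the challenge the server issued."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: int) -> str:
        return token_code(self.secret, challenge)


class AuthServer:
    def __init__(self):
        self.users = {}       # user -> (token secret, PIN hash)
        self.used = set()     # (user, time step) pairs already accepted: a code is one-time
        self.challenges = {}  # user -> outstanding challenge (asynchronous flow)

    def enroll(self, user: str, secret: bytes, pin: str):
        self.users[user] = (secret, hashlib.sha256(pin.encode()).digest())

    def _pin_ok(self, user: str, pin: str) -> bool:
        return hmac.compare_digest(self.users[user][1], hashlib.sha256(pin.encode()).digest())

    def login_sync(self, user: str, pin: str, code: str, now=None) -> bool:
        """Synchronous flow: the server recomputes the code for nearby time steps and
        accepts a PIN plus a matching code that has not been accepted before."""
        secret = self.users[user][0]
        step = int(now or time.time()) // STEP
        for s in range(step - WINDOW, step + WINDOW + 1):
            if hmac.compare_digest(token_code(secret, s), code) and (user, s) not in self.used:
                if self._pin_ok(user, pin):
                    self.used.add((user, s))
                    return True
        return False

    def challenge(self, user: str) -> int:
        """Asynchronous step 1: issue a fresh random challenge to the subject."""
        self.challenges[user] = int.from_bytes(os.urandom(4), "big")
        return self.challenges[user]

    def login_async(self, user: str, pin: str, response: str) -> bool:
        """Asynchronous steps 4-5: the response must answer the outstanding challenge,
        and each challenge is consumed whether or not the attempt succeeds."""
        chal = self.challenges.pop(user, None)
        if chal is None:
            return False
        expected = token_code(self.users[user][0], chal)
        return hmac.compare_digest(expected, response) and self._pin_ok(user, pin)
```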

RFID. Early RFID-based products had a reputation for poor security as they were deployed without taking advantage of the integral security mechanisms that are readily available for use with the underlying technology. As RFID technology has evolved, its adoption in access control applications has increased significantly in comparison to traditional friction and contactless card applications. RFID technology effectively provides for a hands-free access control solution. The increased computational capabilities delivered by current-generation RFID technologies allow several security enhancements that are simply not available with the use of legacy technologies.

Characteristic

A characteristic is a physical characteristic of the user, also referred to as “what a person does” or “what a person is,” that allows for the confirmation of an individual’s identity based on either a physiological condition such as a fingerprint or retina scan or a behavioral characteristic such as keystrokes, speech recognition, or signature dynamics.

Biometrics

Biometrics are classified as either behavioral or physiological. Good examples of behavioral biometrics are signature analysis, voice pattern recognition, and keystroke dynamics.

■  Signature analysis. The handwritten signature is unique to each individual. Most access control signature analysis access devices use a 3D analysis of the signature, which includes both the pressure and form of the signature. Signature analysis dynamically measures the series of movements, which contain biometric characteristics, such as acceleration, rhythm, pressure, and flow. Signature analysis access control devices have become popular with credit card merchants for authorization of credit card transactions.

■  Voice pattern recognition. Voice pattern recognition works by creating a database of unique characteristics of the access control subject’s voice. The access control subject then simply speaks at or near a microphone, and the access control device compares the current voice pattern characteristics to the stored characteristics to determine if access is to be granted. Biology, not technology, is the issue with voice recognition. As the subject ages, the characteristics of the voice naturally change. Voice characteristics can change under stress, and during an emergency situation the access control subject could be denied access simply because of the stress he/she was under at that moment. Further, it is possible to create an error simply by altering the inflection of a given phrase. Voice recognition is an inexpensive methodology to implement, but because of the high probability of error it is best used to complement another more accurate technology, such as iris scanning, and not to be relied on as a primary access control device.

■  Keystroke dynamics. Keystroke dynamics, like the other forms of authentication devices mentioned above, relies on characteristics that are unique to an individual. In the case of keystroke dynamics, it is the characteristics of the access control subject as the user name and password (actually passphrase) are typed on the keyboard. The normal characteristics of the individual are learned over time and typically can be enrolled with six or eight samples. The individual characteristics used by the typical keystroke analysis device include, but are not limited to:

– The length of time each key is held down

– The length of time between keystrokes

– The typing speed

– The tendencies to switch between a numeric keypad and keyboard numbers

– The keystroke tendencies involved in capitalization

The accuracy of keystroke dynamics can be easily impacted by hand injuries, fatigue, arthritis, and perhaps temperature. Hence, while keystroke dynamics is regarded as the lowest-cost authentication mechanism, it cannot yet be used reliably in a single-factor or perhaps two-factor (using passphrase) authentication methodology, and is better suited to complement another technology such as iris scanning in a two-factor authentication scheme. It is important to note, however, that it does provide continuous authentication, if that is desirable.

There are several biometric devices that make use of the user’s personal physiological data in access control applications:

■  Fingerprint verification technology. Fingerprint verification typically requires seven characteristics or matching points to either enroll a new access control subject or to verify an existing access control subject. The task is not as difficult as it may seem as the human finger contains 30–40 characteristics or matching points. The fingerprint reader does not store an image of the fingerprint. Rather it creates a geometric relationship between the characteristics or matching points and stores and then compares that information.

■  Hand geometry technology. Hand geometry verification is typically accomplished by building a five-element array of finger lengths determined from scanned matching points at the base and end of each finger. The stored five-element array is compared to a new hand scan, and a mathematical calculation is performed to determine the geometric distance between the respective arrays.

■  Eye features/retina scan. The retina scan is one of the oldest and most accurate biometric authentication methodologies. Dating back to 1930, it was recognized that each human retina had unique characteristics, but it was 1984 before the first commercial retina scanner was released to the public. Traditionally, the retina scan has been reserved only for the most secure application of physical access control systems. The retina scan simply maps the blood vessels in the back of the eye and only requires 10 or so seconds to complete a scan. There is no known technology that can forge a retina scan signature, and as the blood vessels quickly decay upon death, a retina scan on a dead individual will not create the same signature as that of the live individual. Hence a retina scan prevents unauthorized access.

■  Eye features/iris scan. Iris scanning is based on scanning the granularity of the richly detailed color bands around the pupil. The color bands are well defined at birth and change little over the subject’s lifetime. The typical iris scanner maps nearly 247 variables in the iris and can do so at a distance of 19–20 inches. This makes the iris scanner potentially more accurate than a fingerprint, with only 40–80 characteristics, and less obtrusive than a retina scanner, as it does not require the same close proximity to the reading device or a light shining into the eye.

■  Facial recognition. Like the fingerprint reader and hand geometry devices, facial recognition uses a mathematical geometric model of certain landmarks of the face such as the cheekbone, tip of the nose, and eye socket orientation, and measures the distance between them. There are approximately 80 separate measurable characteristics in the human face, but most facial recognition systems only rely on 14–22 characteristics to perform their recognition.

Biometric Implementation Issues

User acceptance is one of the most critical factors in the success of any biometric-based implementation. To minimize the risk of improper use, which can cause failed access, the device should not cause discomfort or concern and must be easy to use.

Biometric accuracy is measured by two distinct rates: the False Rejection Rate (FRR), referred to as type 1 error, and the False Acceptance Rate (FAR), referred to as type 2 error. The actual methodologies of the measurement of accuracy may differ in each type of biometric device, but simply put, you can obtain a good comparative accuracy factor by looking at the intersection point at which the type 1 error rate equals the type 2 error rate as shown in Figure 1.2. This value is commonly referred to as the crossover error rate (CER). The biometric device accuracy increases as the crossover value becomes smaller as shown in Table 1.1.

Figure 1.2 The actual methodologies of the measurement of accuracy may differ in each type of biometric device, but simply put, you can obtain a good comparative accuracy factor by looking at the intersection point at which the type 1 error rate (FRR) equals the type 2 error rate (FAR). (From Ruggles, T., A report on the comparison of biometric techniques, http://www.bio-tech-inc.com/bio.htm).


Table 1.1 Biometric Crossover Accuracy


A further comparison of biometric technologies is provided in Table 1.2.

Table 1.2 Comparison of Biometric Technologies


Source: Liu, S., and Silverman, M., A practical guide to biometric security technology, IT Professional, 3, 27–32, 2005. With permission.

In reusable password authentication, the access control subject had to remember a perhaps difficult password. In token-based authentication, the access control subject had to retain possession of the token device. In biometric, characteristic-based authentication, the actual access control subject “is” the authentication device.

Physical Use as Identification

Biometrics takes advantage of the unique physical traits of each user and arguably is the most effective methodology of identifying a user. It is important to note that in physical security, biometrics is often used as an identification mechanism, while in logical security biometrics is often used as an authentication mechanism. As biometric technologies evolve, accuracy rates are increasing, error rates are declining, and improved ease-of-use is increasing user acceptance.

The accuracy of biometrics has been found to improve when multiple techniques are combined. The FBI is currently working on a next-generation database that will combine the use of fingerprint, face, iris, and palm matching capabilities to improve overall accuracy.

Multifactor Authentication

For many years knowledge-based authentication in terms of passwords was the most common methodology in use in access control systems. Weakness in the implementation of encryption (hashing) for passwords has effectively rendered these knowledge-based methodologies obsolete.

In October 2005, the Federal Financial Institutions Examination Council provided a recommendation (http://www.ffiec.gov/pdf/authentication_guidance.pdf) to U.S. banks that included, in part, a requirement to replace passwords and single factor authentication with multifactor authentication. The recommendation clearly pointed out that passwords alone were simply no longer a secure methodology for authenticating users in the current Internet environment.

The best practice in access control is to implement at least two of the three common techniques for authentication in your access control system:

■  Knowledge based

■  Token based

■  Characteristic based

Two-Factor vs. Three-Factor Authentication

In two-factor authentication, typically the mechanism used provides for something the user has in the form of a physical token that generates a one-time password and something the user knows in the form of a PIN number that is appended to the one-time password that is generated by the token. This methodology is regarded as more secure than historical single-factor methodologies such as traditional passwords; however, it does little to definitively identify the user. This can be significantly improved upon by incorporating a third factor in the form of a biometric that in fact identifies the user. An example of a recent entry in the three-factor authentication market is the RSA AuthenTec Fingerprint device from Privaris. It incorporates a fingerprint reader to identify the user as well as being something the user “has,” and also incorporates the traditional one-time password and PIN combination found in common two-factor authentication tokens.

Dual Control

Dual control, also referred to as “split knowledge,” is built on the principle that no one person should have access to information that would allow the person to determine the encryption key used to encrypt protected information more quickly than a brute force attack of the entire key space. Effectively, the determination of any part of the encryption key would require collusion between at least two different trusted individuals. Encryption with split keys is just one example of dual control. It has been said that because of its inherent complexity, dual control is not difficult to accomplish, but is easy to get wrong.

Continuous Authentication

While traditional one-time authentication, otherwise known as transactional authentication, takes place only once before granting access, continuous authentication takes place both before granting access and then continuously through the entire duration of the user’s connection to maintain the granted access.

Periodic Authentication

The most common use of periodic authentication first provides for traditional challenge/response authentication requiring user interaction and then begins to periodically issue challenge/response authentication queries to the user’s token to determine if the user has physically left the area where he had authenticated. This methodology aids in reducing the risk that a user would walk away from a device or system he has authenticated access to before properly logging out.

Time Outs

If the user leaves the proximity of the device authenticated after a specific time period, the user is automatically logged off and the authentication process would start over, requiring user intervention to accomplish initial authentication before continuous authentication could again resume. Naturally, the shorter the timeout period, the higher the security that can be provided; however, as always, it comes at the cost of being intrusive to the user.

Reverse Authentication

In the age of the explosive growth in the use of the Internet for financial transactions, we were quickly blindsided by phishing attacks that used social engineering to fool users into authenticating to fake “look-alike” Web sites, thereby allowing the phisher to steal the user’s credentials and then impersonate the user on the actual “real” Web site. With the advent of phishing it is no longer enough to simply authenticate the user in Web-based transactions. Today, it is necessary to also authenticate the Web site/page to the user as part of the authentication process. Bank of America was a pioneer in reverse authentication with their roll-out of PassMark, a reverse authentication system that relies on a series of pictures that the user could identify and use to accomplish the authentication of the Bank of America Web site. Some had believed that the picture approach of PassMark was too simplistic and raised doubts about the technology. However, PassMark quickly grew in acceptance and was adopted by more than 50% of the online banking market.

Certificate-Based Authentication

Certificate-based authentication relies on the machine that the user authenticates from having a digital certificate installed that is used in part, along with the user’s encrypted password, to authenticate both the user and the device the user is authenticating from. Effectively, the use of a certificate in the authentication process adds an additional element of security by validating that the user is authorized to authenticate from the device they are using because of the presence of the digital certificate on the device. Great care must be taken in the management of the digital certificates by the Certificate Authority to ensure that the use of certificates is properly controlled and that certificate renewal and revocation are accomplished in a timely and effective manner.

Authorization

What you can do once you are authenticated is most often controlled by a reference monitor. A reference monitor is typically defined as the service or program where access control information is stored and where access control decisions are made. A reference monitor will typically decide if access is to be granted based on an ACL within the reference monitor. Once access is granted, what the subject can then do is controlled by the authorization matrix or table (see Table 1.3).

Table 1.3 Authorization Table: Matrix of Access Control Objects, Access Control Subjects, and Their Respective Rights


Access to Systems vs. Data, Networks

Defining ACLs that only address access to systems can facilitate unintended user access to data that perhaps the user should not have had access to. Including access controls to specific data within a given system increases overall security. Consideration must also be given to a user’s access to those networks that are connected to a system that the user is authorized to access, to mitigate the risk of the user inadvertently having access to systems and/or data accessible through a connected network that they were not necessarily intended to have access to.

Access Control Lists/Matrix

An authorization table is a matrix of access control objects, access control subjects, and their respective rights as shown in Table 1.3. The authorization table is used in some DAC systems to provide for a simple and intuitive user interface for the definition of access control rules. While an authorization table provides for an increase in ease of use, it does not solve the inherent issue of DAC in that you are still relying on the access control object owner to properly define the access control rules. Further, the use of an authorization table does not decrease the instance of errors or violations that may occur when changes are made within the authorization table.

An access control matrix is used in a DAC system to provide for a simple user interface to implement an ACL. The access control matrix determines the access rights for access control objects to access control subjects as shown in Table 1.4. Like the authorization table mentioned above, the access control matrix does not decrease the instance of errors or violations that may occur when changes are made within the access control matrix.

Table 1.4 Access Control Matrix Determines the Access Rights for Access


Directories

Lightweight Directory Access Protocol (LDAP) is an application protocol used for querying and modifying directory services over TCP/IP. An LDAP directory is a logically and hierarchically organized group of objects and their respective attributes using an LDAP Directory Tree. An LDAP directory tree typically starts with domain names at the top of the hierarchy followed by organizational boundaries, then groups followed by users and data, such as groups of documents.

X.500 also relies on the use of a single Directory Information Tree (DIT) with a hierarchical organization of entries that are distributed across one or more servers. Every directory entry has what is referred to as a Distinguished Name, which is formed by combining its Relative Distinguished Name (RDN), one or more attributes of the entry itself, and the RDNs of the superior entries reaching all the way up to the root of the DIT.

Active Directory (AD, originally called NT Directory Services) stores data and information within a central database, is highly scalable, and provides a wide variety of other network services including LDAP-like directory services, authentication, and Domain Name System–based naming. While AD is primarily used for assignment of policies because of its many attributes, it is commonly used by separate services to facilitate software distribution within a network.

Think of directory structures like LDAP, X.500, and AD as a telephone directory where all entries are based on an alphabetical order and have attached addresses and telephone numbers.

Single Sign-On

Single Sign-On (SSO) can best be defined as an authentication mechanism that allows a single identity to be shared across multiple applications. Effectively, it allows the user to authenticate once and gain access to multiple resources.

The primary purpose of SSO is the convenience of the user. With that in perspective, SSO can also help in mitigating some of the inherent risks of access control subjects using a different password or authentication mechanism for each of the many systems they access in a large network. Simply put, the chances of a security breach naturally increase as the number of passwords and/or authentication mechanisms increases. This must, of course, be balanced against the additional risk of using SSO in that once implemented, a malicious hacker now only has to obtain a single set of authentication credentials and then has access to all of the systems that the respective access control subject was permitted to access.

The following advantages as well as disadvantages of SSO must also be considered:


Risks

Single point of failure. With all of your users’ credentials stored on a single authentication server, the failure of that server can prevent access for those users to all applications that it had provided authentication services for.

Single point of access. Because SSO affords a single point of access, it is more prone to mass denial of service attacks whereby entire groups of users can be denied access to systems by attacking the single point of access.

Implementation

Kerberos. Kerberos, described in RFC 1510, was originally developed by the Massachusetts Institute of Technology (MIT) and has become a popular network authentication protocol for indirect (third-party) authentication services. It is designed to provide strong authentication using secret-key cryptography. It is an operational implementation of key distribution technology and affords a key distribution center, authentication service, and ticket granting service. Hosts, applications, and servers all have to be “Kerberized” to be able to communicate with the user and the ticket granting service.

Like the previously discussed indirect authentication technologies, Kerberos is based on a centralized architecture, thereby reducing administrative effort in managing all authentications from a single server. Furthermore, the use of Kerberos provides support for:

■  Authentication: You are who you say you are.

■  Authorization: What can you do once you are properly authenticated?

■  Confidentiality: Keep data secret.

■  Integrity: Data received are the same as the data that were sent.

■  Nonrepudiation: Determines exactly who sent or received a message.

The process in the use of Kerberos is substantially different from those indirect authentication technologies we have previously reviewed and is considerably more complex. The following is a simplified explanation of the Kerberos process that was adapted for use here from Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier (New York, NY: Wiley, 1993).

1. Before an access control subject can request a service from an access control object, it must first obtain a ticket to the particular target object; hence, the access control subject first must request from the Kerberos Authentication Server (AS) a ticket to the Kerberos Ticket Granting Service (TGS). This request takes the form of a message containing the user’s name and the name of the respective TGS.

2. The AS looks up the access control subject in its database and then generates a session key to be used between the access control subject and the TGS. Kerberos encrypts this session key using the access control subject’s secret key. Then, it creates a Ticket Granting Ticket (TGT) for the access control subject to present to the TGS and encrypts the TGT using the TGS’s secret key. The AS sends both of these encrypted messages back to the access control subject.

3. The access control subject decrypts the first message and recovers the session key. Next, the access control subject creates an authenticator consisting of the access control subject’s name, address, and a time stamp, all encrypted with the session key that was generated by the AS.

4. The access control subject then sends a request to the TGS for a ticket to a particular target server. This request contains the name of the server, the TGT received from Kerberos (which is already encrypted with the TGS’s secret key), and the encrypted authenticator.

5. The TGS decrypts the TGT with its secret key and then uses the session key included in the TGT to decrypt the authenticator. It compares the information in the authenticator with the information in the ticket, the access control subject’s network address with the address the request was sent from, and the time stamp with the current time. If everything matches, it allows the request to proceed.

6. The TGS creates a new session key for the user and target server and incorporates this key into a valid ticket for the access control subject to present to the access control object server. This ticket also contains the access control subject’s name, network address, a time stamp, and an expiration time for the ticket—all encrypted with the target server’s secret key—and the name of the server. The TGS also encrypts the new access control subject target session key using the session key shared by the access control subject and the TGS. It sends both messages to the access control subject.

7. The access control subject decrypts the message and extracts the session key for use with the target access control object server. The access control subject is now ready to authenticate himself or herself to the access control object server. He or she creates a new authenticator encrypted with the access control subject target session key that the TGS generated. To request access to the target access control object server, the access control subject sends along the ticket received from Kerberos (which is already encrypted with the target access control object server’s secret key) and the encrypted authenticator. Because this authenticator contains plaintext encrypted with the session key, it proves that the sender knows the key. Just as important, encrypting the time of day prevents an eavesdropper who records both the ticket and the authenticator from replaying them later.

8. The target access control object server decrypts and checks the ticket and the authenticator, also confirming the access control subject’s address and the time stamp. If everything checks out, the access control object server now knows the access control subject is who he or she claims to be, and the two share an encryption key that they can use for secure communication. (Since only the access control subject and the access control object server share this key, they can assume that a recent message encrypted in that key originated with the other party.)

9. For those applications that require mutual authentication, the server sends the access control subject a message consisting of the time stamp plus 1, encrypted with the session key. This serves as proof to the user that the access control object server actually knew its secret key and was able to decrypt the ticket and the authenticator.
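The nine steps above played out end to end, added here as an example that is neither the textbook's code nor MIT Kerberos. The seal/unseal helpers are a toy HMAC-based stand-in for a Kerberos encryption type, and the principal names, network addresses, clock-skew tolerance and ticket lifetime are constructed values.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300          # assumed: clock skew (seconds) tolerated by the TGS and servers
TICKET_LIFE = 3600  # assumed: ticket lifetime in seconds

def _stream(key, nonce, n):
    """n bytes of keystream from HMAC-SHA256(key, nonce||counter) blocks (toy cipher)."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def seal(key, obj):
    """Toy authenticated encryption of a dict: XOR with keystream, then an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; ValueError unless the tag verifies under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check(ticket, auth, blob, src_addr, seen):
    """Steps 5 and 8: authenticator vs ticket, sender address, freshness, replay cache."""
    now = int(time.time())
    if auth["user"] != ticket["user"] or auth["addr"] != src_addr:
        raise PermissionError("authenticator does not match the ticket or the sending address")
    if now > ticket["exp"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("expired ticket or stale authenticator")
    if blob in seen:  # the same recorded authenticator presented a second time
        raise PermissionError("replayed authenticator")
    seen.add(blob)

def authenticator(name, addr, session):
    ts = int(time.time())  # steps 3 and 7: name, address and time of day under the session key
    return seal(session, {"user": name, "addr": addr, "ts": ts}), ts

class KDC:  # the realm's Authentication Server (AS) and Ticket Granting Server (TGS)
    def __init__(self, keys, tgs="krbtgt"):
        self.keys, self.tgs, self.seen = keys, tgs, set()  # keys: principal -> long-term key

    def as_exchange(self, user, tgs):
        """Steps 1-2: session key sealed under the user's key, TGT sealed under the TGS key."""
        session, exp = os.urandom(32), int(time.time()) + TICKET_LIFE
        tgt = seal(self.keys[tgs], {"user": user, "key": session.hex(), "exp": exp})
        return seal(self.keys[user], {"key": session.hex(), "tgs": tgs}), tgt

    def tgs_exchange(self, server, tgt, blob, src_addr):
        """Steps 4-6: validate TGT and authenticator, mint a service ticket and session key."""
        t = unseal(self.keys[self.tgs], tgt)
        session = bytes.fromhex(t["key"])
        check(t, unseal(session, blob), blob, src_addr, self.seen)
        svc_key, exp = os.urandom(32), int(time.time()) + TICKET_LIFE
        ticket = seal(self.keys[server], {"user": t["user"], "addr": src_addr, "server": server,
                                          "key": svc_key.hex(), "exp": exp})
        return seal(session, {"key": svc_key.hex(), "server": server}), ticket

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket, blob, src_addr):
        """Steps 8-9: verify ticket and authenticator; answer ts+1 for mutual authentication."""
        t = unseal(self.key, ticket)
        session = bytes.fromhex(t["key"])
        auth = unseal(session, blob)
        check(t, auth, blob, src_addr, self.seen)
        return session, seal(session, {"ts": auth["ts"] + 1})

def _rejected(fn, exc):
    try:
        fn()
    except exc:
        return True
    return False

def run_demo():
    """Full exchange for constructed principals; reports which checks behaved as expected."""
    keys = {"alice": hashlib.sha256(b"alice-password").digest(),  # constructed sample secret
            "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, fs, addr = KDC(keys), Service("fileserver", keys["fileserver"]), "10.0.0.5"
    as_reply, tgt = kdc.as_exchange("alice", "krbtgt")                    # steps 1-2
    tgs_session = bytes.fromhex(unseal(keys["alice"], as_reply)["key"])   # step 3
    blob, _ = authenticator("alice", addr, tgs_session)
    tgs_reply, ticket = kdc.tgs_exchange("fileserver", tgt, blob, addr)   # steps 4-6
    svc_session = bytes.fromhex(unseal(tgs_session, tgs_reply)["key"])
    blob, ts = authenticator("alice", addr, svc_session)                  # step 7
    server_key, reply = fs.accept(ticket, blob, addr)                     # step 8
    return {
        "mutual_auth": server_key == svc_session and unseal(svc_session, reply)["ts"] == ts + 1,  # step 9
        "replay_rejected": _rejected(lambda: fs.accept(ticket, blob, addr), PermissionError),
        "wrong_address_rejected": _rejected(lambda: fs.accept(ticket, blob, "10.0.0.99"), PermissionError),
        "wrong_password_rejected": _rejected(lambda: unseal(hashlib.sha256(b"guess").digest(), as_reply), ValueError),
    }
```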

To provide for the successful implementation and operation of Kerberos, the following should be considered:

■  Overall security depends on a careful implementation.

■  Requires trusted and synchronized clocks across the enterprise network.

■  Enforcing limited lifetimes for authentication based on time stamps reduces the threat of a malicious hacker gaining unauthorized access using fraudulent credentials.

■  The Key Distribution Server must be physically secured.

■  The Key Distribution Server must be isolated on the network and should not participate in any non-Kerberos network activity.

■  The AS can be a critical single point of failure.

Kerberos is available in many commercial products, and a free implementation of Kerberos is available from MIT.

Accountability

Accountability is a critical component of any access control system, and the use of unique user and process identities combined with an audit trail is the cornerstone of that accountability.

Standard Format Logs

An authentication log contains information about both successful and unsuccessful authentication attempts. An access control log contains information about access control requests made on behalf of a client or resource.

ISO/IEC 27002 is the replacement for the now obsolete ISO/IEC 17799. It is an information security management standard that includes guidance for the establishment and maintenance of logs in section 10.10 (of the 2005 edition), which includes in part:

■  Recording, when relevant and within the capacity of the logging system, all key events, including the date/time and details of the event, the user ID associated, terminal identity and/or location, network addresses and protocols, records of successful and unsuccessful system accesses or other resource accesses, changes to system configurations, use of privileges, use of system utilities and applications, files accessed and the kinds of access, and alarms raised by the access control or any other protection system, for example, IDS/IPS.

■  Appropriate privacy protection measures for logged data that is itself confidential.

■  Appropriate security protections of a technical, physical, and administrative nature, such as division of responsibilities, to ensure the integrity and availability of audit logs.

Security measures are required to protect against unauthorized changes to access control logs. NIST has published an excellent guide to log management (Special Publication 800-92) that recommends periodic audits of the security of the log management infrastructure against the following security objectives:

■  The infrastructure log servers are fully hardened and can perform functions in support of log management only.

■  The systems generating logs are secured appropriately (e.g., fully patched, unneeded services disabled).

■  Access to both system-level and infrastructure logs and logging software (both on the hosts and on media) is strictly limited, and the integrity of the logs and software is protected and verified.

■  All network communications involving log data are protected appropriately as needed.

One of the first steps a malicious hacker takes after a successful intrusion is to clean the access control logs to remove all traces of his actions in the intrusion. This is why logs should be forwarded in near real time to a separate, hardened log server that the intruder does not control, and why their integrity must be verifiable rather than assumed.
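The following is an added example, not from the book, of two things the passage above asks for: detection logic run over authentication log entries (a burst of failures followed by a success from the same user and source), and a keyed hash chain that lets a log collector prove that entries were deleted, altered or truncated. The log format, host names, addresses and the collector key are constructed for the example; a real deployment would compute the chain on the remote log server so that an intruder who owns the originating host never sees the key.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host=vpn1 user=alice src=203.0.113.5 result=SUCCESS
2024-03-01T08:00:05Z host=vpn1 user=bob src=198.51.100.9 result=FAILURE
2024-03-01T08:00:06Z host=vpn1 user=bob src=198.51.100.9 result=FAILURE
2024-03-01T08:00:08Z host=vpn1 user=bob src=198.51.100.9 result=FAILURE
2024-03-01T08:00:09Z host=vpn1 user=bob src=198.51.100.9 result=FAILURE
2024-03-01T08:00:11Z host=vpn1 user=bob src=198.51.100.9 result=FAILURE
2024-03-01T08:00:40Z host=vpn1 user=bob src=198.51.100.9 result=SUCCESS
2024-03-01T08:05:00Z host=vpn1 user=carol src=192.0.2.22 result=FAILURE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$")


def parse_log(text):
    """Each line carries the fields ISO 27002 asks for: time, user ID, network address, outcome."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # a production parser would count and alert on these
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(r)
    return records


def detect_bursts(records, threshold=5, window_s=60):
    """Report (user, src) pairs with >= threshold failures inside window_s seconds, and whether
    a success from the same pair followed the burst (the classic password-guessing signature)."""
    by_pair = {}
    for r in records:
        by_pair.setdefault((r["user"], r["src"]), []).append(r)
    findings = []
    for (user, src), events in sorted(by_pair.items()):
        fails = sorted(e["ts"] for e in events if e["result"] == "FAILURE")
        best_count, best_end, j = 0, None, 0
        for i, t in enumerate(fails):     # sliding window over the failure times
            while fails[j] < t - timedelta(seconds=window_s):
                j += 1
            if i - j + 1 > best_count:
                best_count, best_end = i - j + 1, t
        if best_count >= threshold:
            success_after = any(e["result"] == "SUCCESS" and e["ts"] > best_end for e in events)
            findings.append((user, src, best_count, success_after))
    return findings


GENESIS = b"\x00" * 32


def chain_log(lines, key):
    """Keyed hash chain: tag_i = HMAC(key, tag_{i-1} || line_i). Run on the log collector, which
    holds the key; a rooted host cannot recompute tags for a key it never had."""
    tags, prev = [], GENESIS
    for line in lines:
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags


def verify_chain(lines, tags, key):
    """Return the index of the first entry that does not verify, or None if the log is intact.
    Deleting, editing or truncating entries anywhere breaks every tag from that point on."""
    prev = GENESIS
    for i, (line, tag) in enumerate(zip(lines, tags)):
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(prev.hex(), tag):
            return i
    return None if len(lines) == len(tags) else min(len(lines), len(tags))
```

An intruder who removes bob's five failures from the host's copy leaves the collector's chain unverifiable from entry 1 onward, which is exactly the evidence the audit needs. Thresholds and windows are assumptions; tune them to the environment.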

Remote Access Methods

Centralized Remote Access

With centralized remote access, the access control subject credentials are stored on a central server. This architecture is common in network environments. The centralized server can be positioned within a protected network and therefore offers additional security. Centralized authentication scales well because additional access control subjects and access control objects can be added without touching every device. Its strength is consistent administration of creating, maintaining, and terminating credentials, but its weaknesses include credentialing delays and a single point of failure. Popular centralized implementations are RADIUS, TACACS+, and Diameter.

Remote Authentication Dial-In User Service

Remote Authentication Dial-In User Service (RADIUS) is a popular Internet Engineering Task Force (IETF) implementation of an indirect authentication service. It is similar to Terminal Access Controller Access Control System (TACACS) in that it uses a remote access server to forward the access control subject's information to an authentication server, and the authentication server then either returns the user's associated rights or denies access. Another common feature is that RADIUS centralizes and reduces administrative workload. However, unlike TACACS and Extended TACACS (XTACACS), which pass everything in clear text, RADIUS hid the user's password by design rather than as an afterthought. The limit of that protection should be understood: only the User-Password attribute is obscured (an MD5-based scheme keyed by the shared secret and the request authenticator), while the user name and every other attribute travel in the clear, and replies are authenticated only by an MD5 over the shared secret. Where RADIUS must cross an untrusted network it should be carried over TLS (RADIUS/TLS, RFC 6614) or IPsec.

RADIUS uses a one-octet attribute Type field, giving 255 standard (IETF) attribute types that are used to communicate AAA information between a client and a server. Attribute 26, Vendor-Specific, carries a Vendor-Id and a vendor type octet of its own, so each vendor can define up to 255 additional Vendor-Specific Attributes (VSAs) without consuming IETF numbers. RADIUS is used by a number of network product vendors and is regarded as a de facto industry standard for indirect authentication.
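The following is an added example, not code from the book or from any RADIUS implementation, showing the pieces the two paragraphs above describe: the RFC 2865 attribute encoding (standard Type/Length/Value and a Vendor-Specific attribute), the User-Password hiding keyed by the shared secret and Request Authenticator, and the Response Authenticator the NAS checks on the reply. The user, password, secret, NAS address and the Cisco-style VSA are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    p = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, request_auth):
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attr(atype, value):
    """Standard attribute: one-octet Type (1..255), one-octet Length, Value (at most 253 octets)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Attribute 26: a 4-octet Vendor-Id followed by the vendor's own type/length/value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attrs(data):
    out = []
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[2:alen]))
        data = data[alen:]
    return out


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(hdr + request_auth + attrs_bytes + secret).digest()


def client_access_request(secret, ident, username, password, nas_ip, extra=()):
    """NAS side. The Request Authenticator must be unpredictable: it keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))), *extra]
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def server_handle(pkt, secret, users):
    """Server side: recover the password, decide, and authenticate the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth, attrs = pkt[4:20], dict(parse_attrs(pkt[20:length]))
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == pw
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = vsa(9, 1, b"shell:priv-lvl=15") if ok else b""   # Cisco-AVPair style VSA, vendor 9
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    return hdr + response_authenticator(reply_code, ident, request_auth, reply_attrs, secret) + reply_attrs


def client_verify_reply(reply, request_auth, secret):
    """Returns (authenticator_valid, code). A reply from a server without the secret fails here."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected), code


def demo(secret=b"xyzzy5461"):
    users = {b"nemo": b"arctangent"}                       # constructed user database
    req, ra = client_access_request(secret, 0, b"nemo", b"arctangent", "192.168.1.16")
    good, code_good = client_verify_reply(server_handle(req, secret, users), ra, secret)
    req2, ra2 = client_access_request(secret, 1, b"nemo", b"wrong", "192.168.1.16")
    _, code_bad = client_verify_reply(server_handle(req2, secret, users), ra2, secret)
    rogue = server_handle(req, b"not-the-secret", users)   # impostor without the shared secret
    rogue_ok, _ = client_verify_reply(rogue, ra, secret)
    return code_good, code_bad, good, rogue_ok
```

Run `parse_attrs` on a captured request and the point of the caveat is visible: User-Name, NAS-IP-Address and every VSA read straight off the wire; only attribute 2 is hidden, and its hiding is only as strong as the shared secret and the randomness of the Request Authenticator.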

Terminal Access Controller Access Control System

TACACS is an older and once popular remote access authentication system and protocol that allows one or more remote access servers to send identification information to a TACACS authentication server for authentication and authorization. The implementation of TACACS provides indirect authentication technology that can be divided into three functional areas known as “AAA” (triple A):

■  Authentication

■  Authorization

■  Accounting

Simplicity was one of the reasons TACACS was once so popular:

■  The user attempts to log-in on the remote access server.

■  The remote access server forwards the user’s identification information to the TACACS authentication server.

■  After receiving the identification information from the remote access server, the authentication server either returns authorization information or it denies any access for the user.

Simplicity was perhaps also the cause of a serious security issue built into TACACS by design: the communications between the remote access server and the authentication server are performed unencrypted (i.e., in clear text). Hence, it is a simple matter for a malicious hacker on the path to see the user's identification information as well as the returned authorization information, dramatically simplifying the compromise of the user's account.

Because of its centralized access control architecture, TACACS offers a single point of administration, reducing the effort and associated costs when compared to administering multiple separate authentication systems in a decentralized architecture.

Extended Terminal Access Controller Access Control System

A second version of TACACS, called XTACACS, provided extensions to the original TACACS protocol for the support of both SLIP/PPP and CHAP/ARAP authentication.

Terminal Access Controller Access Control System Plus

TACACS+ is a later protocol that, among other enhancements, is best noted for having solved the original TACACS communications security issue by obscuring the body of every packet exchanged between the remote access server and the authentication server. It is a separate protocol rather than a compatible revision of TACACS: it runs over TCP (port 49), handles authentication, authorization, and accounting as separable functions, and its packet-body protection (specified in RFC 8907) is an XOR with an MD5-derived keystream keyed by the shared secret. RFC 8907 itself calls this obfuscation rather than encryption, and it carries no integrity check, so TACACS+ traffic should still be confined to a management network or tunneled.
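The following is an added example, not code from the book or from any TACACS+ implementation, that builds and parses the 12-octet TACACS+ header and applies the RFC 8907 body obfuscation, so the TACACS (cleartext flag set) and TACACS+ (obfuscated) cases from the three sections above can be compared on the same packet. The shared key, session ID and authorization reply are constructed; the status codes are the RFC 8907 authorization REPLY values. It also shows the consequence of having no integrity check: an on-path attacker who knows the layout can flip FAIL to PASS_ADD without the key.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                       # major version 0xC, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01              # legacy cleartext mode, deprecated by RFC 8907
TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_FAIL = 0x01, 0x10
HEADER = struct.Struct("!BBBBII")             # version, type, seq_no, flags, session_id, length


def pseudo_pad(key, session_id, version, seq_no, n):
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no), MD5_i = MD5(...|MD5_{i-1}),
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < n:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:n]


def obfuscate(body, key, session_id, seq_no, version=TAC_PLUS_VERSION):
    """body XOR pseudo_pad; the same operation in both directions."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(key, session_id, version, seq_no, len(body))))


def build_packet(ptype, seq_no, session_id, body, key=None):
    """key=None produces the TACACS-like cleartext packet (flag set); a key produces TACACS+."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, key, session_id, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(pkt, key=None):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:HEADER.size + length]
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        if key is None:
            raise ValueError("obfuscated body and no shared key")
        body = obfuscate(body, key, session_id, seq_no, version)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "cleartext": cleartext, "body": body}


def author_reply_body(status, server_msg=b""):
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len, server_msg, data, args."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def demo(key=b"tacacs-shared-key", session_id=0x1234ABCD):
    body = author_reply_body(TAC_PLUS_AUTHOR_STATUS_FAIL, b"not permitted")
    clear_pkt = build_packet(TAC_PLUS_AUTHOR, 2, session_id, body)        # TACACS-style
    obf_pkt = build_packet(TAC_PLUS_AUTHOR, 2, session_id, body, key)     # TACACS+
    results = {
        "cleartext_visible": parse_packet(clear_pkt)["body"] == body,
        "obfuscated_hidden": obf_pkt[HEADER.size:] != body,
        "roundtrip": parse_packet(obf_pkt, key)["body"] == body,
        "wrong_key_garbage": parse_packet(obf_pkt, b"other-key")["body"] != body,
    }
    # No MAC: XOR the ciphertext byte holding the status with (FAIL ^ PASS_ADD) and the
    # recipient decodes PASS_ADD. The attacker never needed the key.
    tampered = bytearray(obf_pkt)
    tampered[HEADER.size] ^= TAC_PLUS_AUTHOR_STATUS_FAIL ^ TAC_PLUS_AUTHOR_STATUS_PASS_ADD
    results["status_flipped_to_pass"] = (
        parse_packet(bytes(tampered), key)["body"][0] == TAC_PLUS_AUTHOR_STATUS_PASS_ADD)
    return results
```

The first four results are the improvement TACACS+ made over TACACS; the last one is why that improvement is not a substitute for a protected transport.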

Diameter

Diameter is defined in RFC 3588 (since superseded by RFC 6733) and was derived from the RADIUS protocol; it is generally regarded as the next-generation AAA protocol. Diameter uses a peer-to-peer architecture in which every host can act as a client or a server, runs over reliable transports (TCP or SCTP) with TLS or IPsec protecting the connection rather than a per-attribute hiding scheme, and uses a 32-bit AVP code space in place of the one-octet RADIUS attribute type. The primary differences between Diameter and RADIUS are shown in Table 1.5.

TABLE 1.5 Primary Differences between Diameter and RADIUS

image

Decentralized Remote Access

With decentralized remote access, the access control subject credentials are stored on the local device. This architecture is common on stand-alone devices such as a home PC or some physical access control devices. While local authentication offers easy system maintenance in comparison to a centralized authentication methodology, it can be difficult to add additional access control objects; therefore, it is most often regarded as not scalable.

Password Authentication Protocol/Challenge Handshake Authentication Protocol

Both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) are Point-to-Point Protocol (PPP) authentication protocols. PAP is defined in RFC 1334; CHAP was first defined there and is now specified in RFC 1994. PPP itself (RFC 1661) provides a method of encapsulating datagrams over serial links. It includes the Link Control Protocol (LCP) to establish, configure, and test the data link connection, and a family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. The key difference is that PAP sends the peer ID and password across the link in clear text in a simple two-way handshake, whereas CHAP uses a three-way handshake in which the authenticator sends a random challenge and the peer returns an MD5 hash of the identifier, its secret, and the challenge, so the secret itself never crosses the link and the authenticator may re-challenge at any time during the session. The primary differences are

[table image not reproduced: PAP vs. CHAP differences]
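The following is an added example, not code from the book, that puts both protocols on the wire: a PAP Authenticate-Request (RFC 1334) that a passive eavesdropper can read the password straight out of, and a CHAP Challenge/Response pair (RFC 1994) in which only a hash crosses the link. It also carries the caveat a practitioner needs: a sniffed CHAP exchange still permits an offline dictionary attack on a weak secret, and the authenticator must store the secret in recoverable form. Peer names, secrets and the word list are constructed.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                                     # RFC 1334 Authenticate-Request
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 codes


def pap_request(identifier, peer_id, password):
    """Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def sniff_pap(pkt):
    """What a passive eavesdropper on the link recovers from a PAP Authenticate-Request."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST:
        raise ValueError("not an Authenticate-Request")
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    return peer_id, pkt[6 + n:6 + n + m]


def chap_packet(code, identifier, value, name=b""):
    """Code, Identifier, Length, Value-Size, Value, Name."""
    return struct.pack("!BBHB", code, identifier, 5 + len(value) + len(name), len(value)) + value + name


def chap_parse(pkt):
    code, identifier, length, vsize = struct.unpack("!BBHB", pkt[:5])
    return code, identifier, pkt[5:5 + vsize], pkt[5 + vsize:length]


def chap_hash(identifier, secret, challenge):
    """RFC 1994 2.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_authenticate(secrets, identifier, peer_name, challenge, response_value):
    """Authenticator side. Note it must hold the peer's secret in clear (or reversible) form."""
    secret = secrets.get(peer_name)
    return secret is not None and hmac.compare_digest(chap_hash(identifier, secret, challenge), response_value)


def chap_exchange(secrets, peer_name, peer_secret, identifier=7, challenge=None):
    """Runs both ends of the three-way handshake. Returns (authenticated, challenge_pkt, response_pkt)."""
    challenge = challenge or os.urandom(16)              # must be unpredictable and unique per challenge
    chal_pkt = chap_packet(CHAP_CHALLENGE, identifier, challenge, b"gateway")
    _, ident, chal, _ = chap_parse(chal_pkt)
    resp_pkt = chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, peer_secret, chal), peer_name)
    code, ident, value, name = chap_parse(resp_pkt)
    return chap_authenticate(secrets, ident, name, chal, value), chal_pkt, resp_pkt


def offline_guess(chal_pkt, resp_pkt, wordlist):
    """Caveat: an eavesdropper holding the challenge and response can test guesses offline."""
    _, ident, chal, _ = chap_parse(chal_pkt)
    _, _, value, _ = chap_parse(resp_pkt)
    for guess in wordlist:
        if chap_hash(ident, guess, chal) == value:
            return guess
    return None
```

CHAP removes the password from the wire but does not make a guessable secret safe, and it forces the authenticator to keep plaintext-equivalent secrets; both are reasons the same link would be better served by a stronger EAP method over a protected tunnel.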

Other Access Control Areas

Physical Security

Physical security plays a significant role in preventing unauthorized access to networks, systems, and data. There are four layers of physical security:

■  Environmental design: fences, metal barriers, building and office layout, warning signs, and trenches

■  Mechanical and electronic access control: doors, locks, and the keys that control the locks

■  Intrusion detection: alarms

■  Video monitoring

Portable Device Security

Mobile Phones

Current-generation mobile phones have the processing power of the desktop PCs of just a few years ago. Further, their proliferation, and the access to network resources granted to them, are growing at an alarming rate. Of greatest concern is the inability to secure the data stored on the phone and to provide proper access control when phones are permitted to reach network resources. Access control policies need to be updated to address the use of current-generation mobile phones with protected network resources. Previous-generation mobile phones could not store large amounts of data and had little capability to access network assets; however, they still required consideration in access control:

■  Malicious person can use mobile phones in social engineering attacks to circumvent access controls.

■  Eavesdropping on an analog phone is trivial and can require little more than a radio receiver tuned to the correct frequency.

■  Eavesdropping on a digital phone is more difficult but is not outside of the realm of possibilities with the right equipment.

■  Care needs to be taken in passing credentials using mobile phone conversations.

USB, CD, and DVD Drives

USB drives have been found to be involved in numerous high-profile data breaches. It has been noted that the TJX breach, involving the theft of 45,000,000 customer records, allegedly began when malicious hackers used USB drives to install malware on employment kiosks in a store's public area in their effort to gain access to the corporate network.

Current popular operating system software, as shipped, provides little if any security mechanism to prevent an unauthorized person from inserting a USB drive into an unattended, unlocked computer and either installing or running programs at the same level of authority as the logged-on user, or copying any data accessible from the PC to the USB drive.

USB drive sizes are increasing at the same time their prices are coming down, which will only make their popularity continue to grow.

USB drive risks are not limited to commercial organizations. Recently, a report from the Mainichi Daily News noted that Japan’s military has confessed to losing a USB device that contained troop deployment maps for a joint Japan–U.S. military exercise. Table 1.6 shows how much data can be potentially removed from your network with an unauthorized USB drive.

TABLE 1.6 Amount of Data That Can Be Potentially Removed from Your Network with an Unauthorized USB Drive

image

Solutions are evolving to provide both control over which approved USB devices can be used on enterprise PCs and what data is permitted to be copied to/from them (data in transit), as well as the enforcement of the use of encryption to safeguard data (at rest) that is permitted by policy to be written to a USB drive.

CD drives have been another vehicle used for both the unauthorized installation of unapproved and potentially malicious software and the theft of both Personally Identifiable Information (PII) and intellectual property (IP). Further, writable CD drives are quickly being replaced by PC manufacturers with writable DVD drives. Capacity has quickly gone from roughly 700 MB (CD) to 4.7 GB (single-layer DVD). Blu-ray Disc is quickly becoming an affordable commodity and pushes the capacity to 50 GB (dual layer) of data that can potentially be written to a single disc.

Table 1.7 shows how much data can potentially be removed from your network with a writable CD/DVD/Blu-ray drive.

Table 1.7 Amount of Data That Can Potentially Be Removed from Your Network with a Writable CD/DVD/Blu-ray Drive

image

Bypass of Logical Security

Access to Computers and Equipment

A malicious person who is able to bypass logical security on a user's PC within your enterprise network obtains all rights and privileges of that user within the network. Typically, once a user's level of access is gained, the malicious hacker quickly uses privilege escalation attacks to elevate that access to system administrator. Effectively, what started out as a simple breach of a low-level user's PC can quickly escalate into a breach in which the malicious hacker has administrative privilege over your entire network.

Clear Desk/Clean Screen

The continued growth of the losses associated with insider threats within the enterprise network has shifted a Clear Desk/Clean Screen policy from a best practice to a control that is now part of industry standards such as ISO/IEC 27002 (formerly ISO/IEC 17799, which grew out of BS 7799) and others. The elements of a Clear Desk/Clean Screen policy can include, but are not limited to:

■  At the end of each day, or when desks and offices are unoccupied, any “confidential” information must be locked away in pedestals, filing cabinets, or offices, as appropriate.

■  All wastepaper, which contains any personal or confidential information or data, must be placed in the confidential waste sacks located in each service station. Under no circumstances should this type of wastepaper be thrown away with normal rubbish in the wastepaper bins.

■  Whenever you leave your desk and your PC is switched on, it is essential that you ALWAYS lock your screen, for example by pressing Ctrl+Alt+Delete and choosing to lock the workstation (or pressing the Windows key + L), so that your password is required to resume.

■  Locking your screen not only prevents someone else from using your PC, which is logged on in your name, but it also prevents someone from reading confidential information left open on your screen.

■  If working on sensitive information, and you have a visitor to your desk, lock your screen to prevent the contents from being read.

Sample Questions

1. Which of the following is not one of the three principal components of access control systems?

a. Access control objects

b. Biometrics

c. Access control subjects

d. Access control systems

2. Which of the following are behavioral traits in a biometric device?

a. Voice Pattern

b. Signature Dynamics

c. Keystroke Dynamics

d. All of the above

3. In the measurement of biometric accuracy, which of the following is commonly referred to as a “type 2 error”?

a. Rate of false acceptance—False Acceptance Rate (FAR)

b. Rate of false rejection—False Rejection Rate (FRR)

c. Crossover error rate (CER)

d. All of the above

4. Which of the following is not one of the three functional areas of TACACS known as AAA (triple A)?

a. Authentication

b. Authorization

c. Availability

d. Accounting

5. Which of the following is an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) recommendation originally issued in 1988 for indirect authentication services using public keys?

a. Radius

b. X.509

c. Kerberos

d. SESAME

6. Which of the following is NOT one of the three primary rules in a Biba formal model?

a. An access control subject cannot access an access control object that has a higher integrity level.

b. An access control subject cannot access an access control object that has a lower integrity level.

c. An access control subject cannot modify an access control object that has a higher integrity level.

d. An access control subject cannot request services from an access control object that has a higher integrity level.

7. Which of the following is an example of a firewall that does not use Context Based Access Control?

a. Application proxy

b. Static packet filter

c. Stateful inspection

d. Circuit gateway

8. In consideration of the three basic types of authentication, which of the following is incorrect?

a. Knowledge based = password

b. Token based = smartcard

c. Characteristic based = biometric

d. None of the above

9. In the authorization provided to the access control subject by an access control system, which of the following is not a consideration for an Access Control Subject?

a. Temporal—time of day, day of request

b. Password or token utilized

c. False Rejection Rate

d. Locale from where the access control subject authenticated

10. Password selection is typically based on which of the following criteria?

a. Minimum password length

b. Authorizations, rights, and permissions

c. Required usage of letters, case, numbers, and symbols in the makeup of the password

d. All of the above

11. Which of the following should be considered in the routine monitoring of an access control system?

a. The regular monitoring of changes to accounts can help to mitigate the risk of misuse or unauthorized access.

b. All changes to accounts within the access control system should be logged and reviewed on a regular basis.

c. Particular attention should focus on any newly created accounts as well as any escalation of the privileges for an existing account to make certain that the new account or the increased privileges are authorized.

d. All of the above

12. Which of the following is not true in the consideration of Object Groups?

a. It is a common practice to assign the appropriate permissions to a directory, and each object within the directory inherits the respective parent directory permissions.

b. Although configuring individual objects affords maximum control, this granularity can quickly become an administration burden.

c. By incorporating multiple objects with similar permissions or restrictions within a group or directory, the granularity is thereby coarsened and the administration of the access control system is simplified.

d. Configuring individual objects affords maximum control; this granularity can reduce administration burden.

13. In the three basic types of authentication, which of the following are related to “something you have”?

a. Synchronous or asynchronous token

b. Biometric

c. Smartcard

d. All of the above

14. Which of the following is an asynchronous device?

a. Time-based token

b. Event-based token

c. All of the above

15. Which of the following are characteristics in biometric behavioral–keystroke dynamics?

a. The length of time each key is held down

b. Tendencies to switch between a numeric keypad and keyboard numbers

c. Acceleration, rhythm, pressure, and flow

d. All of the above
