Access Control System, BMS

• Protecting what needs to be protected with the available
technologies!
• Access control is the of Information Security!
Overview

Some Questions
• What is Access?
• What is the Access Mechanism?
• What is Access Control?
• The right
• Flow of information between subject and object
• Mechanism to protect the assets!

Identification,Authentication,
Authorization

Identification
• Method of establishing the subject’s identity
– User, Program,Process
• Use of username or other public information
• Identification component requirements…
– Each value should be unique
– Follow a standard naming scheme
– Non-descriptive of the user’s position or tasks
– Must not be shared between users

Authentication
• Method of proving the identity
• How to prove an identity?
– Something you know
– Something you have
– Something you are
• Use of passwords, token, or biometrics other private
information
• What is two factor authentication?
– Strongauthentication

Something you know
• Traditional authentication method
• Passwords
– Protected string of characters
– Most widely used
– Types
• Cognitivepasswords
• One time passwords (Dynamicpasswords)
• Passphrase

Cognitive passwords
• Fact or opinion based information
• Created through several experience based questions
• Easy to remember!
– A person will not forget his birthplace, favorite color,dog's
name, or the school he graduatedfrom.

One time passwords
• Only used once
• Used in sensitive cases and places
• Examples include
– Prepaidcards
– Token devices
• Token device generates the one-time password for the user to
submit to an authenticationserver

Passphrase
• Sequence of characters that is longer than a password --
Thus a phrase
– User enters this phrase into an application which transformsthe
value into a virtual password

Attacks against passwords
• Electronic monitoring
• Access the passwordfile
• Brute force attacks
• Dictionary attacks
• Social engineering
• Shoulder surfing

Something you have
• Requires possession of something such as a key, smart
card, or some other device
• Examples include…
– Keys
– Documents
– Token devices
– Memory cards
– Smartcards

Token device
• Software hardware hybrid object used to verify an
identity in an authentication process
• Token device, or password generator, is usually a
handheld device that has an LCD display and possibly a
keypad
– Token device is separate from the computer the user is
attempting toaccess

Token Device – Benefits/Limitations
• Benefits
– Not vulnerable to electronic eavesdropping
• Wiretapping
• Sniffing
– Provide two factorauthentication
• Limitations
– Human error
– Batterylimitation
– Token itself (Environmental factors)

Types of Token Devices
• Synchronous Token
– A synchronous token device synchronizes with the
authentication service by using time or a counter as the core
piece of the authenticationprocess.
• Asynchronous Token
– A token device using an asynchronous token generating method
employs a challenge/response scheme to authenticate a user.

Memory Card
• Holds information but cannot process
– A memory card can hold a user's authentication information,so
that the user only needs to type in a UserID or PIN.

Smart Card
• Holds and processes information
• After a threshold of failed login attempts, it can render
itself unusable
• PIN or password unlocks smart card functionality
• Smart card could be used for:
– Holding biometric data in template
– Responding to challenge
– Holding privatekey

Types of Smart Card
• Contact
– Requires insertion into a smart card reader with a direct
connection to a conductive micro-module on the surface of the
card (typically gold plated)
– Through these physical contact points, transmission of
commands, data, and card status takes place
• Contactless
– Requires only close proximity to a reader
– Both the reader and the card have antenna and it is via this
contactless link that two communicate

Smart Card attacks
• Micro-probing techniques
• Eavesdropping techniques
• Trojan Horse attacks
• Social engineering attacks

Something you are
• Special case of something you have
• Unique personal attribute is analyzed
• Encompasses all biometric techniques
– Fingerprints
– Retina scan
– Iris scan
– Hand geometry
– Facialscan

Biometric System
• A characteristic based system
– Includes all the hardware, associated software and
interconnecting infrastructure to enable the
identification/authenticationprocess
• Uses individual's unique physical characteristics in order
to identify and authenticate
– Each has its own advantages and disadvantages

Fingerprints
• Every person's fingerprint is unique
• Most affordable and convenient method of verifying a
person's identity
• The lines that create a fingerprint pattern are called
ridges and the spaces between ridges are called valleys.

Retina Scan
• Retinal scan technology maps the capillary pattern of the
retina
– A thin (1/50th inch) nerve on the back of the eye!
• Accurate
• Many people are hesitant to use the device /

Iris Scan
• Scans the iris or the colored portion of the eye
• For authentication the subject looks at the video camera
from a distance of 3-10 inches
• The entire enrollment process is less than 20 seconds,
and subsequent identification takes 1-2 seconds.
• Offers high accuracy!

Hand Geometry
• Measures specific characteristics of a person's hand such as length
of fingers and thumb, widths, and depth.
• Takes over 90 measurements of the length, width, thickness,
and surfacearea of a person's hand and fingers.
• Hand measurements occur with amazing speed, almost within one
second.
• A charge coupled device (CCD) digital camera is used to record
the hand's three dimensional shape.

Keyboard Dynamics
• Looks at the way a person types at a keyboard
• Also called Typing Rhythms!
• Keyboard dynamics measures two distinct variables:
– Dwell time: The amount of time one holds a particular key
– Flight time: The amount of time one moves between the keys
• Keyboard dynamic system can measure one's keyboard
input up to 1000 times per second!

Voice Print
• A voice reference template is constructed
– To construct, an individual must speak a set of phrases several
times as the system builds the template.
– Voice identification systems incorporate several variables
including pitch, dynamics, and waveform.

Facial Scan
• Incorporates two significant methods:
– Detection
– Recognition
• Detection involves locating the human face within an
image.
• Recognition is comparing the captured face to other
faces that have been saved and stored in a database.
Processà

Biometric Performance
• Biometric performance is most commonly measured in
two ways:
– False Rejection Rate (FRR) – Type1
– False Acceptance Rate (FAR) – Type 2
• The FRR is the probability that you are not authenticated
to access your account.
• The FAR is the chance that someone other than you is
granted access to your account.

Crossover Error Rate
• Crossover Error Rate (CER) value is when Type 1 and Type
2 errors are equal.
– (Type 1 = Type 2 errors) = CER metric value
• System ABC has 1 out of 100 Type 1 errors = 1%
• System ABC has 1 out of 100 type 2 errors = 1%
• System ABC CER = 1
• The lower the CER value, the higher accuracy
• System with a CER of 5 has greater accuracy than a
system with CER of 6

Types of Access Controls
• There are three types of Access Controls:
– Administrativecontrols
• Define roles, responsibilities, policies, and administrative functions
to manage the control environment.
– Technicalcontrols
• Use hardware and software technology to implement access
control.
– Physicalcontrols
• Ensure safety and security of the physical environment.

AdministrativeControls
• Ensure that technical and physical controls areunderstood
and properlyimplemented
– Policies and procedures
– Security awarenesstraining
– Asset classification and control
– Employment policies and practices (background checks, job
rotations, and separation of duties)
– Accountadministration
– Account, log monitoring
– Review of audit trails

Technical Controls
• Examples of Technical Controls are:
– Encryption
– Biometrics
– Smartcards
– Tokens
– Access controllists
– Violation reports
– Audit trails
– Network monitoring and intrusion detection

Physical Controls
• Examples of Physical Controls are:
– HVAC
– Fences, locked doors, and restrictedareas
– Guards and dogs
– Motion detectors
– Video cameras
– Fire detectors
– Smoke detectors

Categories of Access Controls
• Preventive € Avoid incident
• Deterrent € Discourage incident
• Detective € Identify incident
• Corrective € Remedy circumstance/mitigate damage
and restorecontrols
• Recovery € Restore conditions to normal
• Compensating € Alternative control
• Directive

Administrative Preventive Controls
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Risk assessments and analysis
• Creating a security program
• Separation of duties

Administrative Detective Controls
• Job rotation
• Sharing responsibilities
• Inspections
• Incident response
• Use of auditors

Technical Preventive Controls
• Passwords
• Biometrics
• Smart cards
• Encryption
• Databaseviews
• Firewalls
• ACLs
• Anti-virus

Technical Detective Controls
• IDS
• Reviewing audit logs
• Reviewing violations of clipping levels
• Forensics

Physical Preventive Controls
• Badges
• Guards and dogs
• CCTV
• Fences, locks, man-traps
• Locking computer cases
• Removing floppy and CD-ROM drives
• Disabling USB port

Physical Detective Controls
• Motion detectors
• Intrusion detectors
• Video cameras
• Guard responding to an alarm

Centralized Access Control
Methodologies

Centralized Access Control Methodologies
• (ISC)2 discusses the following methodologies:
– RADIUS -- Remote Authentication Dial-In User Service
– TACACS -- Terminal Access Controller Access Control Systems
– DIAMETER

RADIUS
• Provides centralized authentication, authorization and
accounting management for network services
• Works on a Client/Server model
• Functions:
– To authenticate users or devices before granting them access to
a network
– To authorize users or devices for certain network services
– To account for usage of services used

TACACS
• TACACS has been through three generations:
– TACACS, XTACACS and TACACS+
• TACACS uses passwords for authentication
– TACACS+ allows users to use dynamic (one-time) passwords
– TACACS+ encrypts all the data
• TACACS uses UDP
– TACACS+ uses TCP

Diameter
• "New and improved" RADIUS
• RADIUS is limited in its methods of authenticating users
• Diameter does not encompass such limitations
• Can authenticate wireless devices and smart phones
• Open for future growth
• Users can move between service provider networks and
change their points of attachment

Single Sign On (SSO)
• A system that enables a user to access multiple computer
platforms
• User logs in just once
• Access granted to permitted resources
• Login only required until after the user logs out
• Examples include:
– Kerberos
– SESAME
– Security Domains
– Thin Clients

Kerberos
• A computer network authentication protocol
– Allows principals communicating over a non-secure network to
prove their identity to one another in a secure manner.
• Principals
– Any user or service that interacts with a network
– Term that is applied to anything within a network that needs to
communicate in an authorized manner

Kerberos components
• Components of Kerberos
– Key Distribution Center (KDC)
• Holds all of the principals' secret keys
• Principals authenticate to the KDC before networking can take
place
– Authentication Server (AS)
• Authenticates user at initial logon
• Generation of initial ticket to allow user to authenticate to local
system
– Ticket Granting Service (TGS)
• Generates of tickets to allow subjects to authenticate to each
other

SESAME
• Secure European System for Applications in a Multi-
Vendor Environment
• Uses symmetric and asymmetric cryptographic
techniques
• Uses Privileged Attribute Certificates (PACs)
• PACs are generated by the Privileged Attribute Server
(PAS)
• After a user successfully authenticates to the
Authentication Server (AS), the PAS then creates a PAC
for the user to present to the resource that is being
accessed!

Security Domains
• Based on trust between resources or services on a
domain that share a single security policy and single
management
• The security policy defines the set of objects that each
user has the ability to access
• A similar mission and single point of management
responsibility

Security Domains -- Bull’s Eye View

Thin Clients
• Diskless computers are called dumb terminals or thin
clients
• Client/Server technology forces users to log onto a
central server just to be able to use the computer and
access network resources.
• Server downloads the Operating System, or interactive
operating software to the terminal

Access Control Models
• Frameworks that dictate how subjects access objects
• Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

Discretionary Access Control
• Allows the owner of the resource to specify which
subjects can access which resources
• Access control is at the discretion of the owner
• DAC defines access control policy
– That restricts access to files and other system resources based
on identity
• DAC can be implemented through Access Control Lists
(ACLs)

Access Control Matrix
• Access Control Lists (ACLs)
– Specifies the list of subjects that are authorized to access a
specific object
• Capability Lists
– Specifies the access rights a certain subject possesses pertaining
to specific objects

Mandatory Access Control
• Based on security label system
• Users given security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classificationlevel
• Secret, Top secret, Confidential, etc
– Category
• Information warfare, Treasury, UN, etc

Mandatory Access Control
Subject Classificationlevel Category
Umair Secret Finance
Tayyeb Secret HR
Object Classificationlevel Category
Financerecords Secret Finance
Employeerecords Secret HR

Role Based Access Control
• Uses centrally administered set of controls to determine
how subjects and objects interact
• Decisions based on the functions that a user is allowed to
perform within an organization
• An advantage of role based access controls is the ease of
administration
• Capability tables are sometimes seen in conjunction with
role-based access controls
• Best for high turn over organizations

Access Control Techniques
• Rules Based Access Control
• Constrained User Interface
• Content Dependent Access Control
• Context Dependent Access Control

Introduction
• Process of simulating attacks on Information Systems
– At the request of the owner, senior management
• Uses set of procedures and tools designed totest
security controls of a system
• Emulates the same methods attackersuse

Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
• Report to management

Step 1
• Discovery
– Gathering information about the target
– ReconnaissanceTypes
• Passive
• Active

Step 2
• Enumeration
– Performing port scans and resource identificationmethods
– Gaining specific information on the basis of information
gathered during reconnaissance
– Includes use of dialers, port scanners, network mapping,
sweeping, vulnerability scanners, and so on

Step 3
• Vulnerability Mapping
– Identifying vulnerabilities in identified systems and resources
– Based on these vulnerabilities attacks are carried out

Step 4
• Exploitation
– Attempting to gain unauthorized access by exploiting the
vulnerabilities

Step 5
• Report to management
– Delivering to management documentation of test findings along
with suggestedcountermeasures

Access Control System, BMS

More Related Content

What's hot (20)

Similar to Access Control System, BMS (20)

More from Mohammad Azam Khan (19)

Recently uploaded (20)

Access Control System, BMS