Accountability and Access Control Course Objectives

• Access Control
• – Identification and Authentication – Techniques – Methodology – Administration

  Access Controls

• Access controls are security features that control how people can interact with systems, and resources.
• Goal is to protect from

  un-authorized access .

• Access is the data flow between subject

  

Access Control’s Types

• Access controls are necessary to protect the confidentiality, integrity, and availability of objects.
• – That is commonly called by CIA.
• – It is sound silly, but still represent the idea 

• • In fact, no single access control mechanism

  is deployed in such environment.

  Access Control’s Types (2)

• Access Control Types
• – Preventive – Deterrent – Detectives – Correctives – Recovery

Preventive Access Control

• Sometimes called a preventative access control.
• This access control is deployed to stop unwanted or unauthorized activity form occurring.
• Fences, locks, biometric, lighting, alarm

Deterrent Access Control

• To discourage a violation of security policy, where prevention control leaves off.
• It doesn’t stop with trying to prevent an action, instead, it goes further to exact consequences in the event of an attempted or successful violation.

Detective Access Control

• Detective access controls is deployed to discover unwanted or unauthorized activities.
• Detective access control include security guards, motion detector, reviewing an event captured by security cameras,

Corrective Access Control

• Deployed to restore system to normal after unwanted or unauthorized activities have occurred.
• Corrective control have only minimal capabilities to respond to access violations.

Recovery Access Control

• Deployed to repair resource, function, and capabilities after violation of security policies.
• Recovery control have more advance capabilities to response to access violation than corrective control.

Compensation Access Control

• Deployed to provided various options to aid in enforcement and support of security policy.
• Include security policy requirement, personnel supervision, monitoring, and work task procedure.

Administrative Access Control

• Policies and procedures defined by organization to implement overall access control.
• Administrative control focus on 2 areas: personnel and business practices .
• Include policies, procedures, hiring

  

Logical and Physical

Access Control

• Logical access controls are hardware and software mechanism used to manage access to resources or systems.
• – Password, encryption, firewall, access control list, etc
• Physical access control is physical barrier deployed to prevent direct contact to

  

The Process of Accountability

• Several steps lead up to the ability to hold the people accountable:
• – Identification – Authentication – Authorization – Auditing, and

Identification

• User provided user name, logon ID, personal identification number (PIN) or a smart card to represent identification process.
• Information system tracks activities by identity, not by subject themselves.

  Authentication

• • Process of verifying or testing that claimed

  identity is valid.

• – Type 1 Authentication ( something you know )

• Passwords • PIN
• Lock Combination, etc
• – Type 2 Authentication (

  something you have )

• Smart card

  

Authentication

• Process of verifying or testing that claimed identity is valid.

  something you are )

• – Type 3 Authentication (
• Fingerprint • Voiceprint • Retina pattern
• Face shape recognition

Authorization

• Once subject is authenticated, its access must be authorized.
• Authorization indicated who is trusted to perform specific operation.

  Auditing

• Auditing is process by which online activities of user accounts and processes are tracked and recorded.
• Auditing produces audit

  trails/path , which

  can be used to reconstruct events and to verify whether a security policy or

  based NIST- Minimum Security

Requirement

• Audit data recording must comply with:
• – Create, protect, and retain information system

  audit record to the extend needed to enable the monitoring, analysis, investigation, unlawful/illegal reporting, unauthorized,

inappropriate information system activity.

that the action of individual

• – Ensure

  Recap

  Answer and give an explanation for the questions below:

• – Identification – what is it?
• – Authentication – how is this different from identification?
• – Authorization – what does this mean?
• – Auditing – what’s the point?

  

Identification and Authentication

Technique

• Authentication verify the identity of the subject (user) by comparing one or more factor in database of valid identities.
• Both

  identification and authentication are always occur together.

  

Identification and Authentication

Technique (2)

• Password • Biometrics • Tokens • Tickets • Single Sign On

  Password

• The common authentication technique, but consider the weakest form of protection.
• Password are poor security mechanism for several reasons: – Easy to guest or crack.
• – Many users, write it down
• – Easy shared, write down, and forgotten

  Biometric

• Biometric fall into Type 3 authentication category, “something you are”.
• A biometric factors

  are behavioral or physiological characteristic that is unique to every single subject.

• Types biometric factors:
• – Fingerprint

  Biometric Factor Rating

• Biometric devices are rated for performance in producing false negative and false positive authentication.
• Most biometric devices have a

  sensitivity

adjustment so they can be tuned to be

  more or less sensitive. _{True positive = correctly identified}

  Biometric Factor Rating

• The ratio of Type 1 errors to valid authentication known as False Rejection Rate (FRR) .
• The ratio of Type 2 errors to valid authentication known as False Acceptance Rate (FAR).
• The point at which FRR and FAR is equal known as

  Crossover Error Rate

  Appropriate Biometric Usage

  Biometric Factors Fingerprint Iris scan

Token (Smart Token)

• Smart Tokens are password-generating devices which is an example of Type 2 factor, “ something you have ”.
• Token can be a static password, like an ATM card (or others), and users have to supply the ATM card and users’ PIN.
• Otherwise, the Token can also be one-time or dynamic password which look like a small

  Token Types

• There are 4 types of Token:
• – Static – Synchronous dynamic password
• – Asynchronous dynamic password: challenge- response

Token Types (Cont.)

• – Can be a smart card, a floppy disk, USB RAM, or even something as simple as a key for physical lock.
• – Static Token often require an additional factor like password or biometric factor.
• – Commonly use a

  Token Types (Cont.)

• – Generating password at fix time intervals.
• – Time interval token require synchronizing the clock on an authentication server with the clock on a token device.

  Synchronous Dynamic

• – Subject enters generated

  Password password into the system as

Token Types (Cont.)

• Auth sends a challenge (a random value called a nonce)*
• User enters nonce into token, along with PIN
• Token encrypts nonce and returns value
• Users inputs value into

Ticket Authentication

• Ticket Authentication is mechanism that employs a third party to prove identification and authentication.
• The most common and well known ticket system is Kerberos .

  

Single Sign On

• • With Single Sign On (SSO), once a subject

  is authenticated, it can roam the network

  freely and access resource and services

  without further authenticating challenges.

• SSO disadvantages

  :

• – Once an account is compromised, a malicious subject gains unrestricted access.

  Single Sign On