Access Control and Site Security (Part 1)

Slide outline:
- Access Control and Site Security (Part 1)
- Learning Objectives
- Basic systems' attacks
- Dialog attack: Eavesdropping
- Dialog attack: message Alteration
- Flooding Denial-of-Service (DoS) attack
- Security Goals
- Dialog attacks: Security Goal
- Malware attacks: Security Goal
- DoS attack: Security Goal
- Resources Access Control
- Opening Question
- What is Access Control?
- Three functions of Access Control
- Managing Access Control: Steps
- Managing Access Control: Steps (cont.)
- Password-Based Access Control
- Types of account/password
- Reusable Password
- Password Cracking
- Cracking techniques
- Brute-force password cracking
- Password Length
- Password Policies
- Password Policies (cont.)
- Questions
- Summary Questions
- Alternatives to password
- Alternatives to password (cont.)
- Review Questions

Access Control and Site Security (Part 1)
January 27, 2014
© Abdou Illia – Spring 2014

Learning Objectives
- Understand Main Security Goals
- Discuss Resources' Access Control
- Discuss Password-Based Access Control

Basic systems' attacks

Dialog attack: Eavesdropping
[Figure: dialog between Client PC (Bob) and Server (Alice); attacker (Eve) intercepts and reads messages ("Hello")]
Intercepting a confidential message being transmitted over the network

Dialog attack: message Alteration
[Figure: dialog between Client PC (Bob) and Server (Alice); attacker (Eve) intercepts and alters messages; message labels "Balance = $1" and "Balance = $1,000,000"]
Intercepting confidential messages and modifying their content

Flooding Denial-of-Service (DoS) attack
[Figure: attacker sends a message flood; server overloaded by message flood]

Security Goals

Dialog attacks: Security Goal
If eavesdropping and message alteration attacks succeed, in which of the following ways can the target be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.

Malware attacks: Security Goal
If malware attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = Main goal of implementing defense systems against malware attacks.

DoS attack: Security Goal
If a DoS attack succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = Main goal of implementing defense systems against DoS attacks.

Security Goals
Three main security goals (CIA):
- Confidentiality of communications and proprietary information
- Integrity of corporate data
- Availability of network services and resources
Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also validating that both parties involved are who they claim to be.
Non-repudiation: ensuring that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

Resources Access Control

Opening Question
Which of the following actions may be taken in order to strengthen the confidentiality of companies' proprietary information?
a) Prevent employees from accessing files not needed for their job
b) Limit the number of computers each employee can use for logging in to the network
c) Encrypt any communications involving passwords
d) All of the above

What is Access Control?
- Access control is the policy-driven limitation of access to systems, data, and dialogs
- Access control prevents attackers from gaining access to systems' resources, and helps stop them if they do

Three functions of Access Control
AAA process
- Authentication: assessing the identity of the individual claiming to have permission for using resources
  - Supplicant sends credentials to verifier for authentication
- Authorization: what permissions the authenticated user has
  - What resources he/she can get access to
  - What he/she can do with these resources
- Auditing: recording what people do in log files
  - Log files can be analyzed in real time or later for detecting violations of authentication/authorization. Can help detect attacks
Credentials for authentication
- What you know (password, key, etc.)
- What you have (smart card, physical key, etc.)
- Who you are (fingerprint, etc.)
- What you do (pronunciation, writing, etc.)

Managing Access Control: Steps
1) Enumeration of (sensitive) resources
   E.g. HR databases, servers with trade secrets
2) Determination of sensitivity level for each resource
   E.g. mission-critical vs. non mission-critical
3) Determination of Who should have access?
   - Role-Based Access Control (RBAC): Determine the roles (or categories) of users. Example: IT employees, HR employees, Salesmen, etc.
   - List-Based Access Control (LBAC): System administrator could in some cases create lists of employees (not based on roles) for general-purpose resources

Managing Access Control: Steps (cont.)
4) Determination of What access rights should users have?
   For each Role-Resource and/or List-Resource, access rights (each with Allow / Deny):
   - See
   - Browse/Read
   - Read/Modify
   - Delete
   - ……
   - Full Control
5) Develop Access Control policies
   - Printers availability: M-F, 6:00 AM-8:00 PM
   - Server computers: only administrators and server operators can use them for logging in
   - Remote Access servers: Callback feature must be enabled
   - Password policy: minimum 8 characters long, level of complexity, expiration, ….
   - Fair-use policy

Managing Access Control: Steps (cont.)
6) Implementing Policies/Access Control
   - Use OS and other tools to configure access control
     - Mandatory Access Control: Administrator's settings apply
     - Discretionary Access Control: owner of resource could share & set access rights
   - Perform penetration tests to test access control effectiveness
   - Perform security audits to
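
Added example (not part of the original slides): steps 3 to 5 and the auditing function expressed as a small authorization check in Python, where an explicit Deny overrides an Allow and a request with no matching entry is denied. The user names, the "Contractor" role, the "printer-users" list and the "print" right are constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample data (assumed, not from the slides).
ROLES = {"alice": {"HR"}, "bob": {"IT"}, "dave": {"HR", "Contractor"}}  # RBAC
LISTS = {"printer-users": {"alice", "bob"}}  # LBAC: named employees, no role

# Step 4: one Allow/Deny entry per Role-Resource or List-Resource pair.
# Right names follow the slide, plus a constructed "print" right.
ACL = {
    "hr-database": [("role", "HR", "read/modify", "allow"),
                    ("role", "IT", "browse/read", "allow"),
                    ("role", "Contractor", "read/modify", "deny")],
    "printer": [("list", "printer-users", "print", "allow")],
}
# Step 5: availability policy (printers: M-F, 6:00 AM-8:00 PM).
HOURS = {"printer": (range(0, 5), time(6, 0), time(20, 0))}
AUDIT_LOG = []  # auditing: every decision is recorded, allowed or not


def principals(user):
    """Role and list memberships of an already authenticated user."""
    found = {("role", r) for r in ROLES.get(user, ())}
    return found | {("list", n) for n, m in LISTS.items() if user in m}


def check_access(user, resource, right, when):
    """Authorize one request: deny overrides allow, no entry means deny."""
    who = principals(user)
    hits = [e[3] for e in ACL.get(resource, ())
            if (e[0], e[1]) in who and e[2] == right]
    days, start, end = HOURS.get(resource, (range(7), time.min, time.max))
    if when.weekday() not in days or not start <= when.time() <= end:
        decision, reason = "deny", "outside availability policy"
    elif "deny" in hits:
        decision, reason = "deny", "explicit deny"
    elif "allow" in hits:
        decision, reason = "allow", "explicit allow"
    else:
        decision, reason = "deny", "default deny"
    AUDIT_LOG.append((when.isoformat(), user, resource, right, decision, reason))
    return decision == "allow"


def denied(user=None):
    """Audit review: denied requests, optionally for one user."""
    return [e for e in AUDIT_LOG if e[4] == "deny" and user in (None, e[1])]
```

Here dave holds the HR role, which allows Read/Modify on the HR database, but the Deny attached to his Contractor role wins, and the refusal is recorded in the audit log with its reason.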