EIU MIS 4850 - MIS 4850 Access Control and Site Security

This preview shows page 1-2-3 out of 9 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 9 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 9 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 9 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 9 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Access Control and Site Security (Part 1)
Thursday 1/17/2008
© Abdou Illia – Spring 2008

Learning Objectives
- Understand main security goals
- Discuss resources' access control
- Discuss password-based access control

Security Goals

Break-in and Dialog attacks: Security Goal
If eavesdropping and message alteration attacks are successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = main goal in implementing defense systems against eavesdropping and message alteration.

Malware attacks: Security Goal
If virus attacks are successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = main goal of implementing defense systems against malware attacks.

DoS attack: Security Goal
If a DoS attack is successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = main goal of implementing defense systems against DoS attacks.

Security Goals
Three main security goals (CIA):
- Confidentiality of communications and proprietary information
- Integrity of corporate data
- Availability of network services and resources

Resources Access Control

Opening Question
Which of the following actions might be taken in order to strengthen the confidentiality of companies' proprietary information?
a) Prevent employees from accessing files not needed in their job
b) Limit the number of computers each employee could use for logging onto the network
c) Encrypt any communications involving passwords
d) All of the above

What is Access Control?
- Access control is the policy-driven limitation of access to systems, data, and dialogs
- Access control prevents attackers from gaining access to systems' resources, and stops them if they do

Managing Access Control: Steps
1) Enumeration of (sensitive) resources
   E.g. HR databases, servers with trade secrets
2) Determination of sensitivity level for each resource
   E.g. mission-critical vs. non-mission-critical
3) Determination of "Who should have access?"
   - Role-Based Access Control (RBAC): determine the roles (or categories) of users. Example: IT employees, HR employees, salesmen, etc.
   - List-Based Access Control (LBAC): the system administrator could in some cases create lists of employees (not based on roles) for general-purpose resources

Managing Access Control: Steps (cont.)
4) Determination of "What access rights should users have?"
   For each Role-Resource and/or List-Resource pair, each right is set to Allow or Deny:

            See    Browse/Read    Read/Modify    Full Control    Delete
   Allow    ...    ...            ...            ...             ...
   Deny     ...    ...            ...            ...             ...

5) Implementing Access Control
   - Use OS and other tools to configure access control
     - Mandatory Access Control: administrator's settings apply
     - Discretionary Access Control: the owner of a resource could share it and set access rights
   - Harden the host computers: patches, firewalls, etc.
   - Perform security audits to test access control effectiveness

Managing Access Control: Steps (cont.)
6) Determine/implement general access policies
   - Enumerate policies for each category of sensitive resources. Examples:
     - Printer availability: M-F, 6:00 AM-8:00 PM
     - Server computers: only administrators and server operators could log on locally
     - Remote Access servers: callback enabled
   - Implement policies
   - Perform security audits to test policies' effectiveness
     - Audit by internal employees
     - Audit by a security firm

Password-Based Access Control

Types of account/password
- Super account
  - User can take any action on any resource
  - Called Administrator (Windows), Supervisor (Netware), root (UNIX)
  - Hacking the super account = ultimate prize for attackers
- Regular account
  - Limited access based on settings by the admin
  - Could gain super account status by elevating privileges

Reusable Passwords
- Used repeatedly to get access to a resource on multiple occasions
- Bad because the attacker could have time to crack it
- Difficult to crack by guessing remotely
  - Usually cut off after a few attempts
  - However, if the attacker can steal the password file, passwords can be cracked at leisure

Password Cracking
- With physical access or with the password file in hand, the attacker can use password cracking programs. The slide tabulates these by platform (Linux, Windows): Crack, RainbowCrack (uses lookup tables and hash functions), Ophcrack, Cain & Abel, John The Ripper, L0phtcrack (now LC5)
- Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds
- Programs use the brute-force cracking method
- Used by network admins to locate users with weak passwords, and by attackers

Brute-force password cracking
- Dictionary cracking vs. hybrid cracking
- Try all possible character combinations
- Longer passwords take longer to crack
- Combining types of characters makes cracking harder
  - Alphabetic, no case (26 possibilities)
  - Alphabetic, case (52)
  - Alphanumeric (letters and numbers) (62)
  - All keyboard characters (~80)

Figure 2-3: Password Length
Number of possible passwords (N^L) by alphabet size N and password length L in characters:

Character class                          L=1    L=2 (N^2)    L=4 (N^4)       L=6                 L=8            L=10
Alphanumeric: letters & digits (N=62)    62     3,844        14,776,336      56,800,235,584      2.1834E+14     8.39299E+17
All keyboard characters (N=~80)          80     6,400        40,960,000      2.62144E+11         1.67772E+15    1.07374E+19
Alphabetic, case (N=52)                  52     2,704        7,311,616       19,770,609,664      5.34597E+13    1.44555E+17
Alphabetic, no case (N=26)               26     676          456,976         308,915,776         2.08827E+11    1.41167E+14

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?

Dictionary and Hybrid cracking
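The "who should have access" and "what access rights" steps (steps 3 and 4 above) describe an Allow/Deny matrix over roles, employee lists and the rights See, Browse/Read, Read/Modify, Full Control and Delete, and step 5 calls for auditing the result. The following Python is an added example, not code from the lecture, that evaluates such a matrix for a user who may match entries through both a role (RBAC) and a named list (LBAC). Two rules it assumes, because the slides do not state a precedence: a user with no matching entry is denied, and an explicit Deny beats any Allow. The users, roles, list and entries are constructed sample data.

```python
"""Access decisions for steps 3 and 4 of 'Managing Access Control'.

Added example, not part of the lecture. It assumes default deny when no
entry matches and deny-overrides precedence (an explicit Deny beats any
Allow); the slides show the Allow/Deny matrix but do not state either rule.
"""
from dataclasses import dataclass, field

# The rights columns of the slide's Allow/Deny matrix.
RIGHTS = ("See", "Browse/Read", "Read/Modify", "Full Control", "Delete")


@dataclass(frozen=True)
class AccessEntry:
    subject: str    # a role (RBAC) or a named list of employees (LBAC)
    resource: str
    right: str
    allow: bool     # True = Allow cell, False = Deny cell


@dataclass
class AccessPolicy:
    roles: dict = field(default_factory=dict)   # user -> set of role names
    lists: dict = field(default_factory=dict)   # list name -> set of users
    entries: list = field(default_factory=list)

    def subjects_for(self, user):
        """Every role and list through which `user` can match an entry."""
        subjects = set(self.roles.get(user, ()))
        subjects |= {name for name, members in self.lists.items() if user in members}
        return subjects

    def decide(self, user, resource, right):
        """Allow/deny decision: default deny, and any matching Deny wins."""
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        subjects = self.subjects_for(user)
        matches = [e for e in self.entries
                   if e.resource == resource and e.right == right and e.subject in subjects]
        return bool(matches) and all(e.allow for e in matches)

    def users(self):
        """Every user known through a role assignment or a list membership."""
        known = set(self.roles)
        for members in self.lists.values():
            known |= members
        return known

    def audit(self, resource):
        """Step 5's audit: the effective rights each user holds on one resource."""
        return {user: {r for r in RIGHTS if self.decide(user, resource, r)}
                for user in sorted(self.users())}


def sample_policy():
    """Constructed sample: an HR database reachable by the HR and IT roles, plus a
    hand-built list that takes Full Control away from night-shift staff."""
    policy = AccessPolicy(
        roles={"alice": {"HR"}, "bob": {"IT"}, "carol": {"IT", "HR"}},
        lists={"night-shift": {"bob"}},
    )
    policy.entries += [
        AccessEntry("HR", "hr-db", "See", True),
        AccessEntry("HR", "hr-db", "Read/Modify", True),
        AccessEntry("IT", "hr-db", "See", True),
        AccessEntry("IT", "hr-db", "Full Control", True),
        AccessEntry("night-shift", "hr-db", "Full Control", False),
    ]
    return policy


if __name__ == "__main__":
    for user, rights in sample_policy().audit("hr-db").items():
        print(f"{user:6} {sorted(rights)}")
```

Running the module prints the audit for the sample: bob keeps See through the IT role but loses Full Control to the night-shift Deny, while carol, who is IT but not on that list, keeps it. That difference is exactly what the step 5 audit is meant to surface before an attacker does.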
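The brute-force slide and Figure 2-3 rest on one relation: an alphabet of N symbols and a password length L give N^L candidates. The Python below is an added example, not code from the lecture; it rebuilds the Figure 2-3 table from the slide's own class sizes (26, 52, 62 and the slide's estimate of ~80), computes the alphabet size for a policy stated as allowed character classes such as the one in the quiz question, and goes one step beyond the slide by also summing N^1 through N^L, the worst case when a policy only caps the length and an attacker must exhaust every shorter length too. The function names and the "symbols" parameter are this example's own.

```python
"""Password keyspace arithmetic behind the brute-force slide and Figure 2-3.

Added example (not from the lecture). Character-class sizes are the ones the
slide lists; "~80" for all keyboard characters is the slide's own estimate.
"""

# Alphabet size N for each character class named on the slide.
CHARSET_SIZES = {
    "Alphabetic, no case": 26,
    "Alphabetic, case": 52,
    "Alphanumeric (letters & digits)": 62,
    "All keyboard characters (~80)": 80,
}

# Password lengths tabulated in Figure 2-3.
FIGURE_LENGTHS = (1, 2, 4, 6, 8, 10)


def charset_size(lower=False, upper=False, digits=False, symbols=0):
    """Alphabet size N allowed by a policy: 26 lower-case letters, 26 upper-case
    letters, 10 decimal digits, plus `symbols` punctuation characters."""
    return 26 * lower + 26 * upper + 10 * digits + symbols


def password_space(n, length):
    """Distinct passwords of exactly `length` characters over an N-symbol
    alphabet: N**length, the most an attacker must try at that length."""
    return n ** length


def cumulative_space(n, max_length):
    """Passwords of length 1 through max_length: the worst case when the policy
    only caps length, so every shorter length must be exhausted as well."""
    return sum(n ** k for k in range(1, max_length + 1))


def figure_2_3():
    """Rebuild Figure 2-3 as {class name: {length: number of passwords}}."""
    return {
        name: {length: password_space(n, length) for length in FIGURE_LENGTHS}
        for name, n in CHARSET_SIZES.items()
    }


def format_count(count):
    """Render a count the way the slide does: grouped digits for values below
    a trillion, scientific notation beyond that."""
    if count < 10 ** 12:
        return f"{count:,}"
    return f"{count:.5E}"


def quiz_policy_space():
    """Keyspace for the slide's quiz policy: exactly 6 characters drawn from
    decimal digits and lower-case letters (N = 10 + 26 = 36)."""
    return password_space(charset_size(lower=True, digits=True), 6)


if __name__ == "__main__":
    name_w = max(len(name) for name in CHARSET_SIZES)
    print("Length".ljust(name_w), *[str(l).rjust(18) for l in FIGURE_LENGTHS])
    for name, row in figure_2_3().items():
        print(name.ljust(name_w), *[format_count(row[l]).rjust(18) for l in FIGURE_LENGTHS])
    print("Quiz policy (6 chars, digits + lower case):", format_count(quiz_policy_space()))
```

Running the module prints the four rows of Figure 2-3 with the slide's values, which makes the table's point concrete: moving from 26 to 80 symbols at length 8 multiplies the keyspace by about 8,000, whereas adding two characters at N=26 multiplies it by 676, so both length and alphabet size matter and a policy that fixes one should not ignore the other.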

