EIU MIS 4850 - Access Control


Access Control and Site Security (Part 1)
January 27, 2014
© Abdou Illia – Spring 2014

Learning Objectives
- Understand the main security goals
- Discuss access control for resources
- Discuss password-based access control

Basic system attacks

Dialog attack: eavesdropping
Bob (client PC) and Alice (server) exchange messages ("Hello"). The attacker, Eve, intercepts the dialog and reads the messages: a confidential message is disclosed while it is being transmitted over the network.

Dialog attack: message alteration
Alice sends Bob "Balance = $1". Eve intercepts the message and forwards "Balance = $1,000,000" in its place: the message is intercepted and its content modified in transit, and Bob has no way to tell that what he received is not what Alice sent.

Flooding Denial-of-Service (DoS) attack
The attacker sends a flood of messages to the server. The server is overloaded by the message flood and can no longer serve legitimate users.

Security Goals

Dialog attacks: security goal
If eavesdropping and message alteration attacks succeed, in which of the following ways can the target be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed information
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality is the main goal when implementing defenses against eavesdropping. Message alteration, by contrast, is an attack on integrity: the message still arrives, but with changed content. Encrypting the dialog alone does not stop it; the receiver also needs a way to detect that a message was modified (for example a message authentication code or a digital signature).

Malware attacks: security goal
If malware attacks succeed, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed information
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity is the main goal when implementing defenses against malware attacks. (Malware can also steal data or make systems unavailable; the focus here is on files being altered or deleted.)

DoS attack: security goal
If a DoS attack succeeds, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed information
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability is the main goal when implementing defenses against DoS attacks.

Security Goals
Three main security goals (CIA):
- Confidentiality of communications and proprietary information
- Integrity of corporate data
- Availability of network services and resources
Two further goals:
- Authenticity: ensuring that data, transactions, communications or documents are genuine, and validating that both parties involved are who they claim to be.
- Non-repudiation: ensuring that the receiving party of a transaction cannot deny having received it, and that the sending party cannot deny having sent it.

Resource Access Control

Opening question
Which of the following actions may be taken in order to strengthen the confidentiality of a company's proprietary information?
a) Prevent employees from accessing files not needed for their job
b) Limit the number of computers each employee can use to log in to the network
c) Encrypt any communications involving passwords
d) All of the above

What is Access Control?
Access control is the policy-driven limitation of access to systems, data, and dialogs. Access control prevents attackers from gaining access to system resources, and helps stop them if they do gain access.

Three functions of Access Control (the AAA process)
- Authentication: assessing the identity of the individual who claims to have permission to use a resource. The supplicant sends credentials to the verifier for authentication.
- Authorization: what permissions the authenticated user has: which resources he or she can access, and what he or she can do with them.
- Auditing: recording what people do in log files. Log files can be analyzed in real time or later to detect violations of authentication or authorization, and can help detect attacks.

Credentials for authentication
- What you know (password, key, etc.)
- What you have (smart card, physical key, etc.)
- Who you are (fingerprint, etc.)
- What you do (pronunciation, handwriting, etc.)

Managing Access Control: Steps
1) Enumerate the (sensitive) resources. E.g. HR databases, servers holding trade secrets.
2) Determine the sensitivity level of each resource. E.g. mission-critical vs. non-mission-critical.
3) Determine who should have access.
   - Role-Based Access Control (RBAC): determine the roles (or categories) of users. Example: IT employees, HR employees, sales employees, etc.
   - List-Based Access Control (LBAC): for general-purpose resources, the system administrator can in some cases create lists of employees that are not based on roles.
4) Determine what access rights users should have. For each role-resource and/or list-resource pair, choose a right (See; Browse/Read; Read/Modify; Delete; ...; Full Control) and whether it is Allowed or Denied.
5) Develop access control policies. Examples:
   - Printer availability: Monday to Friday, 6:00 AM to 8:00 PM
   - Server computers: only administrators and server operators may log in to them
   - Remote access servers: the callback feature must be enabled
   - Password policy: minimum length of 8 characters, required complexity, expiration, ...
   - Fair-use policy
6) Implement the policies and the access control.
   - Use the OS and other tools to configure access control.
   - Mandatory Access Control (MAC): the access rules set by the administrator apply and cannot be overridden by users.
   - Discretionary Access Control (DAC): the owner of a resource can share it and set access rights on it.
   - Perform penetration tests to test the effectiveness of access control.
   - Perform security audits to
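The message-alteration dialog from the slides, played out in Python as an added example (not part of the lecture material). Alice's "Balance = $1" is intercepted by Eve, who first reads it and then rewrites the balance. The first run leaves the dialog unprotected, exactly as on the slide; the second attaches an HMAC-SHA256 tag under a key that Alice and Bob are assumed to share in advance (the key, names and balances are all constructed). It shows why confidentiality and integrity are separate goals: the tag lets Bob detect the alteration, but does nothing to stop Eve from reading the message.

```python
"""Dialog attacks, played out: eavesdropping and message alteration.

Added illustration for the dialog-attack slides; the scenario, key and
balances are constructed, not taken from the lecture.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Assumption: Alice and Bob agreed this key out of band. It is a demo constant.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class Frame:
    msg: str
    tag: str | None = None  # None models the unprotected dialog on the slide


def mac(key: bytes, msg: str) -> str:
    """HMAC-SHA256 over the message; only holders of the key can compute it."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def alice_send(msg: str, protect: bool) -> Frame:
    """Server side: optionally attach an integrity tag to the outgoing message."""
    return Frame(msg, mac(SHARED_KEY, msg)) if protect else Frame(msg)


def eve_eavesdrop(frame: Frame) -> str:
    """Eve reads the message exactly as transmitted; a MAC hides nothing."""
    return frame.msg


def eve_alter(frame: Frame, new_msg: str, forge_key: bytes | None = None) -> Frame:
    """Eve rewrites the balance. Without SHARED_KEY she can only keep the old
    tag or recompute one under a guessed key; neither will verify."""
    if frame.tag is None:
        return Frame(new_msg)
    if forge_key is not None:
        return Frame(new_msg, mac(forge_key, new_msg))
    return Frame(new_msg, frame.tag)


def bob_receive(frame: Frame) -> tuple[str, bool]:
    """Client side: (message, accepted). Unprotected frames are always
    accepted, which is exactly why alteration succeeds on the slide."""
    if frame.tag is None:
        return frame.msg, True
    ok = hmac.compare_digest(mac(SHARED_KEY, frame.msg), frame.tag)
    return frame.msg, ok


def run_dialog(protect: bool, alter: bool, forge_key: bytes | None = None) -> dict:
    """One round trip with Eve on the wire; returns what each party ended up with."""
    frame = alice_send("Balance = $1", protect)
    overheard = eve_eavesdrop(frame)               # confidentiality loss, always
    if alter:
        frame = eve_alter(frame, "Balance = $1,000,000", forge_key)
    received, accepted = bob_receive(frame)
    return {"overheard": overheard, "received": received, "accepted": accepted}


if __name__ == "__main__":
    for protect in (False, True):
        for alter in (False, True):
            print(f"protect={protect!s:5} alter={alter!s:5} ->", run_dialog(protect, alter))
    print("forged tag under guessed key   ->", run_dialog(True, True, b"guess"))
```

In every run Eve's "overheard" value is the real balance, so the MAC alone leaves the confidentiality goal unmet; encryption would be needed for that. Conversely, the unprotected run with alter=True is accepted by Bob with the inflated balance, which is the slide's attack in one line of output.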
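The six access-control steps above carried through in code, as an added example that is not part of the lecture material: a small AAA engine in Python with constructed users, passwords, roles, lists and resources. Authentication checks a "what you know" credential stored as a salted PBKDF2 hash; authorization combines RBAC roles and an LBAC list, with explicit Deny entries that override any Allow and a default of deny; auditing records every decision so that violations can be reviewed afterwards. The administrator-set ALLOW/DENY tables model the MAC case from step 6, and the dac_share helper models DAC, where the resource owner extends rights. All names, passwords and tables are made up for the example.

```python
"""Minimal AAA engine for the access-control steps above.
Added example, not lecture material: every user, password, role, list and
resource here is constructed for illustration."""
from __future__ import annotations
import hashlib
import hmac
import os

# Steps 1-2: enumerate resources and rate their sensitivity.
RESOURCES = {"hr_db": "mission-critical", "trade_secrets": "mission-critical",
             "color_printer": "non-mission-critical"}
# Step 3: who. RBAC roles per user, plus one LBAC list for a general-purpose resource.
ROLES = {"alice": {"HR"}, "bob": {"Sales"}, "carol": {"IT"}, "dave": {"Sales"}}
LISTS = {"printer_users": {"alice", "bob"}}
# Step 4: what. Rights per (principal, resource); a principal is a role name,
# "list:<name>" or a user name. An explicit Deny always overrides an Allow.
ALLOW = {
    ("HR", "hr_db"): {"read", "modify"},
    ("IT", "hr_db"): {"read"},
    ("IT", "trade_secrets"): {"read", "modify", "delete"},
    ("Sales", "trade_secrets"): {"read"},
    ("list:printer_users", "color_printer"): {"print"},
}
DENY = {("bob", "trade_secrets")}     # bob is in Sales but is individually denied
OWNERS = {"color_printer": "carol"}   # step 6, DAC: the owner may share this resource

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password: str) -> tuple[bytes, bytes]:
    """Store a 'what you know' credential as (salt, salted hash), never in clear."""
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)

# Constructed accounts. Real systems never keep passwords in source code.
USERS = {"alice": enroll("Hr!2014pass"), "bob": enroll("s4les-Pa55"),
         "carol": enroll("it-Adm1n#8"), "dave": enroll("quota-Met!9")}
AUDIT_LOG: list[dict] = []

def authenticate(user: str, password: str) -> bool:
    """Authentication: verify the supplicant's credential against the store."""
    if user not in USERS:
        _pbkdf2(password, bytes(16))          # same cost for unknown users
        return False
    salt, digest = USERS[user]
    return hmac.compare_digest(digest, _pbkdf2(password, salt))

def principals(user: str) -> set[str]:
    """Everything a user can be matched on: own name, roles, list memberships."""
    lists = {f"list:{n}" for n, members in LISTS.items() if user in members}
    return {user} | ROLES.get(user, set()) | lists

def authorize(user: str, resource: str, action: str) -> bool:
    """Authorization: default deny; explicit Deny wins; otherwise any Allow grants."""
    if resource not in RESOURCES:
        return False
    ps = principals(user)
    if any((p, resource) in DENY for p in ps):
        return False
    return any(action in ALLOW.get((p, resource), set()) for p in ps)

def request(user: str, password: str, resource: str, action: str) -> bool:
    """Full AAA: authenticate, authorize, and audit the decision either way."""
    authn = authenticate(user, password)
    granted = authn and authorize(user, resource, action)
    AUDIT_LOG.append({"user": user, "resource": resource, "action": action,
                      "authenticated": authn, "granted": granted})
    return granted

def violations() -> list[dict]:
    """Auditing: entries worth review (failed logins, refused access)."""
    return [e for e in AUDIT_LOG if not e["granted"]]

def dac_share(owner: str, resource: str, grantee: str, actions: set[str]) -> bool:
    """DAC: only the owner may extend rights on their own resource."""
    if OWNERS.get(resource) != owner:
        return False
    ALLOW.setdefault((grantee, resource), set()).update(actions)
    return True

if __name__ == "__main__":
    print(request("alice", "Hr!2014pass", "hr_db", "modify"))        # HR role: True
    print(request("dave", "quota-Met!9", "trade_secrets", "read"))   # Sales allow: True
    print(request("bob", "s4les-Pa55", "trade_secrets", "read"))     # explicit deny: False
    print(request("carol", "it-Adm1n#8", "color_printer", "print"))  # not on the list: False
    print(dac_share("carol", "color_printer", "carol", {"print"}),
          request("carol", "it-Adm1n#8", "color_printer", "print"))  # owner shares: True True
    print(violations())
```

Two design points worth noting against the slides: authorization is evaluated only after authentication succeeds, so a failed login never reaches the rights tables, and the audit entry is written whether or not access was granted, which is what makes the log useful for detecting attempts rather than only successes.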

