Access Control and Site Security (Part 1) (Thursday 1/17/2008) © Abdou Illia – Spring 2008


2 Learning Objectives
Understand main security goals
Discuss resources' access control
Discuss password-based access control

Security Goals

4 Break-in and Dialog attacks: Security Goal
If eavesdropping or message alteration attacks are successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = main goal in implementing defense systems against eavesdropping and message alteration.

5 Malware attacks: Security Goal
If virus attacks are successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = main goal of implementing defense systems against malware attacks.

6 DoS attack: Security Goal
If a DoS attack is successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = main goal of implementing defense systems against DoS attacks.

7 Security Goals
Three main security goals (CIA):
Confidentiality of communications and proprietary information
Integrity of corporate data
Availability of network services and resources

Resources Access Control

9 Opening Question
Which of the following actions might be taken in order to strengthen the confidentiality of companies' proprietary information?
a) Prevent employees from accessing files not needed in their job
b) Limit the number of computers each employee could use for logging onto the network
c) Encrypt any communications involving passwords
d) All of the above

10 What is Access Control?
Access control is the policy-driven limitation of access to systems, data, and dialogs.
Access control prevents attackers from gaining access to systems' resources, and stops them if they do.

11 Managing Access Control: Steps
1) Enumeration of (sensitive) resources
   E.g. HR databases, servers with trade secrets
2) Determination of sensitivity level for each resource
   E.g. mission-critical vs. non-mission-critical
3) Determination of "Who should have access?"
   Role-Based Access Control (RBAC): Determine the roles (or categories) of users. Example: IT employees, HR employees, salesmen, etc.
   List-Based Access Control (LBAC): The system administrator could in some cases create lists of employees (not based on roles) for general-purpose resources

12 Managing Access Control: Steps (cont.)
4) Determination of "What access rights should users have?"
   For each Role-Resource and/or List-Resource pair, each right is set to Allow or Deny:

   Right          Allow   Deny
   See
   Browse/Read
   Read/Modify
   Delete
   …
   Full Control

5) Implementing Access Control
   Use OS and other tools to configure access control
   Mandatory Access Control: the administrator's settings apply
   Discretionary Access Control: the owner of a resource could share it and set its access rights
   Harden the host computers: patches, firewalls, etc.
   Perform security audits to test access control effectiveness

13 Managing Access Control: Steps (cont.)
6) Determine/implement general access policies
   Enumerate policies for each category of sensitive resources. Examples:
   Printer availability: M-F, 6:00 AM-8:00 PM
   Server computers: only administrators and server operators could log on locally
   Remote Access servers: callback enabled
   Implement policies
   Perform security audits to test policy effectiveness
   Audit by internal employees
   Audit by a security firm
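As an added example (not from the slides), the following code turns steps 3 and 4 into a working authorization check: a role-based matrix of Role-Resource entries with an Allow ceiling and explicit Deny entries, plus a list-based entry for a general-purpose resource. The role names, resource names, user names and the ordering of the rights ladder are assumptions chosen to mirror the slide's examples.

```python
# Added example, not the slides' code: RBAC + LBAC check over an
# Allow/Deny access-control matrix. All names below are assumed for the demo.

# Rights ladder, least to most powerful (the slide's "See ... Full Control").
RIGHTS = ["See", "Browse/Read", "Read/Modify", "Delete", "Full Control"]

# Role-Resource matrix: "allow" is the highest right granted (None = no access),
# "deny" lists rights explicitly refused even if "allow" would cover them.
ACL = {
    ("HR", "hr_database"):    {"allow": "Read/Modify", "deny": set()},
    ("IT", "hr_database"):    {"allow": "Full Control", "deny": {"Delete"}},
    ("Sales", "hr_database"): {"allow": None, "deny": set()},
    ("Sales", "price_list"):  {"allow": "Browse/Read", "deny": set()},
}

# List-based control for a general-purpose resource: named users, not roles.
LIST_ACL = {"shared_printer": {"aillia", "jwillems"}}

USER_ROLES = {"aillia": {"IT"}, "jwillems": {"HR"}, "vhampton": {"Sales"}}


def rank(right):
    """Position of a right on the ladder; a higher rank is more powerful."""
    return RIGHTS.index(right)


def role_allows(role, resource, right):
    """True if the role's Allow ceiling covers the right and it is not denied."""
    entry = ACL.get((role, resource))
    if entry is None or entry["allow"] is None:
        return False
    if right in entry["deny"]:
        return False
    return rank(right) <= rank(entry["allow"])


def is_permitted(user, resource, right):
    """Decide access: an explicit Deny on any of the user's roles wins;
    otherwise any role (RBAC) or a user list (LBAC) may grant the right."""
    roles = USER_ROLES.get(user, set())
    for role in roles:
        entry = ACL.get((role, resource))
        if entry and right in entry["deny"]:
            return False
    if any(role_allows(role, resource, right) for role in roles):
        return True
    # List members of a general-purpose resource get read-level access only.
    return (user in LIST_ACL.get(resource, set())
            and rank(right) <= rank("Browse/Read"))
```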

Password-Based Access Control

15 Types of account/password
Super account
   User can take any action on any resource
   Called Administrator (Windows), Supervisor (NetWare), root (UNIX)
   Hacking the super account = ultimate prize for attackers
Regular account
   Limited access based on settings by the admin
   Could gain super account status by elevating privileges

16 Reusable Passwords
Used repeatedly to get access to a resource on multiple occasions
Bad because the attacker could have time to crack it
Difficult to crack by guessing remotely: the login is usually cut off after a few attempts
However, if the attacker can steal the password file, they can crack passwords at leisure

17 Password Cracking
With physical access or with the password file in hand, an attacker can use password cracking programs:

   Program                                              Windows   Linux
   L0phtcrack (now LC5)                                 √
   Ophcrack                                             √
   John The Ripper                                      √         √
   RainbowCrack (uses lookup tables and hash functions) √         √
   Crack                                                          √
   Cain & Abel                                          √

Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds
Programs use the brute-force cracking method
Used by network admins to locate users with weak passwords, and by attackers.

18 Brute-force password cracking
(Dictionary cracking vs. hybrid cracking)
Try all possible character combinations
Longer passwords take longer to crack
Combining types of characters makes cracking harder:
   Alphabetic, no case (26 possibilities)
   Alphabetic, case (52)
   Alphanumeric (letters and numbers) (62)
   All keyboard characters (~80)

19 Figure 2-3: Password Length
Number of possible passwords (N^L) for a character set of size N and a password length L in characters:

   Character set                           L=1   L=2 (N^2)   L=4 (N^4)     L=6 (N^6)        L=8 (N^8)   L=10 (N^10)
   Alphanumeric: letters & digits (N=62)   62    3,844       14,776,336    56,800,235,584   2.18E+14    8.39E+17
   All keyboard characters (N=~80)         80    6,400       40,960,000    2.62E+11         1.68E+15    1.07E+19
   Alphabetic, case (N=52)                 52    2,704       7,311,616     19,770,609,664   5.35E+13    1.45E+17
   Alphabetic, no case (N=26)              26    676         456,976       308,915,776      2.09E+11    1.41E+14

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?

20 Dictionary and Hybrid cracking
Dictionary cracking (also called a dictionary attack)
   Try common words ("password", "ouch", etc.)
   There are only a few thousand of these
   Cracked very rapidly
Hybrid cracking (also called a hybrid attack)
   Used when dictionary cracking fails
   Common word with one or a few digits at the end, etc.
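As an added example (not from the slides), the following password audit applies the three methods of slides 18 to 20 in the order a cracking program uses them, dictionary, then hybrid, then brute force, to a list of SHA-256 password hashes, and reports which phase recovered each hash and after how many guesses; keyspace() gives the N^L figure from Figure 2-3 for any character set. The word list, the hashes, the guess budget and the use of plain SHA-256 are constructed for the demo and are not what any of the listed tools does.

```python
# Added example, not the slides' code: a password audit run over constructed
# hashes to show why "password" falls instantly, "word + digits" falls next,
# and a long mixed-character password survives the whole guess budget.
import hashlib
import itertools
import string

WORDLIST = ["password", "ouch", "letmein", "abc"]        # constructed dictionary
LOWER_DIGITS = string.ascii_lowercase + string.digits      # N = 36
ALPHANUMERIC = string.ascii_letters + string.digits        # N = 62


def keyspace(alphabet_size, length):
    """Maximum guesses for an exhaustive search: N to the power L (Figure 2-3)."""
    return alphabet_size ** length


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_guesses():
    yield from WORDLIST


def hybrid_guesses(max_digits=2):
    # A common word followed by one or a few digits, as the slide describes.
    for word in WORDLIST:
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                yield word + "".join(digits)


def brute_force_guesses(alphabet, max_len):
    # Every combination, shortest first; the count grows as N^L.
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def audit(target_hash, alphabet=LOWER_DIGITS, max_len=4):
    """Return (phase, guesses_used) for the phase that recovered the hash,
    or ("uncracked", total_guesses) if nothing within the budget matched."""
    phases = [("dictionary", dictionary_guesses()),
              ("hybrid", hybrid_guesses()),
              ("brute-force", brute_force_guesses(alphabet, max_len))]
    count = 0
    for name, guesses in phases:
        for guess in guesses:
            count += 1
            if sha256(guess) == target_hash:
                return name, count
    return "uncracked", count
```

Guess counts, not wall-clock time, are the honest measure here: a real cracker runs the same phases with far larger dictionaries and at millions of hashes per second.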

21 Password Policies
Good passwords:
   At least 6 characters long
   Change of case not at beginning
   Digit (0 through 9) not at end
   Other keyboard characters not at end
   Example: triV6#ial
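As an added example (not from the slides), this checker enforces the four rules on the slide and reports every rule a candidate password breaks. It assumes each rule also requires the element to be present (a change of case, a digit, an other keyboard character), which is how the slide's example triV6#ial reads; the function name and the returned list of rule names are assumptions for the demo.

```python
# Added example, not the slides' code: password policy check for the
# "good passwords" rules, returning the rules violated (empty list = passes).
import string

OTHER = set(string.punctuation)   # the slide's "other keyboard characters"


def policy_violations(password):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")

    # "Change of case not at beginning": the first switch between lower and
    # upper case must not be right after the first letter (as in "Password"),
    # and there has to be a switch at all. Assumed reading of the rule.
    letters = [c for c in password if c.isalpha()]
    switches = [i for i in range(1, len(letters))
                if letters[i].isupper() != letters[i - 1].isupper()]
    if not switches:
        problems.append("no change of case")
    elif switches[0] == 1:
        problems.append("change of case at beginning")

    # "Digit not at end": a digit must appear, but not as the last character.
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    elif password[-1].isdigit():
        problems.append("digit at end")

    # "Other keyboard characters not at end": same shape as the digit rule.
    if not any(c in OTHER for c in password):
        problems.append("no other keyboard character")
    elif password[-1] in OTHER:
        problems.append("other keyboard character at end")
    return problems
```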

22 Password Policies (cont.)
Shared passwords
   Not a good policy
   Removes the ability to learn who took actions; loses accountability
   Usually not changed often, or at all, because of the need to inform all sharers

23 Questions
Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to log on with the password abc123. Last night someone committed an attack, stealing sensitive corporate information after elevating the privileges associated with the account they used to log on. Which of the following is true? (Choose all that apply)
a) The audit log file could be checked to determine at what time the attacker logged in
b) The audit log file could be checked to determine which user account was used in committing the attack
c) The audit log file could be checked to determine who committed the attack
d) All of the above
Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why.

24 Password Policies (cont.)
Disabling passwords that are no longer valid
   As soon as an employee leaves the firm, etc.
   As soon as contractors and consultants leave
   In many firms, a large percentage of all accounts are for people no longer with the firm

25 Password Policies (cont.)
Lost passwords
   Password resets: the help desk gives a new password for the account
   Opportunities for social engineering attacks
   Leave the changed password on the user's answering machine

26 Reading Questions (Part 1)
Answer Chapter 2 Reading Questions (Part 1) posted to the course web site.

27 Summary Questions
What are the three main security goals?
What security goal is jeopardized by a successful eavesdropping attack?
What is the difference between Role-Based Access Control and List-Based Access Control?
What is the difference between Mandatory Access Control and Discretionary Access Control?
What is a super account?
What is the difference between dictionary cracking and hybrid cracking?
What is a shared password? Do you recommend shared passwords? Why?