Presentation is loading. Please wait.

Presentation is loading. Please wait.

YBS 4004 Konu: Erişim Yetkilendirme / Kimlik Doğrulama, vb. Kontroller ve Mekanizmalar.

Published byNikolas Busch Modified over 6 years ago

Similar presentations

Presentation on theme: "YBS 4004 Konu: Erişim Yetkilendirme / Kimlik Doğrulama, vb. Kontroller ve Mekanizmalar."— Presentation transcript:

1 YBS 4004 Konu: Erişim Yetkilendirme / Kimlik Doğrulama, vb. Kontroller ve Mekanizmalar

2 What is access control? Access control (Erişim Kontrolü) is the heart of security Definitions: The ability to allow only authorized users, programs or processes system or resource access The granting or denying, according to a particular security model, of certain permissions to access a resource An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on rules.

3 I A A A IDENTIFICATION AUTHENTICATION AUTHORIZATION ACCOUNTABILITY

4 IDENTIFICATION (Kimlik Tanımlama)
Identification is the process by which a subject professes an identity and Accountability (Hesap sorulabilirlik) is initiated.

5 AUTHENTICATION (Kimlik Doğrulama)
Authentication is the process of verifying or testing that the claimed Identity is valid. Authentication requires that the subject provide additional information that must exactly correspond to the identity indicated.

6 AUTHORIZATION (Yetkilendirme)
Authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.

7 ACCOUNTABILITY (Hesap Sorulabilirlik / Mesuliyet / İzlenebilirlik)
Accountability is basically loggging, recording, monitoring, reporting evertything in a reliable, legal, secure, trusted, assured manner. It starts from the very beginning (Identification) and goes on throughout the whole access control processes & any type of actions. In other words, security can only be maintained if subjects (user, etc) are held accountable for their actions. Thus, accountability builds on the concepts of identification, authentication, authorization, access control, and auditing.

8 Use & implement “IAAA” of Access Control so as to provide
Note that: Use & implement “IAAA” of Access Control so as to provide “C I A” of security

9 How can AC be implemented?
Hardware Software Application Protocol (Kerberos, IPSec) Physical Logical (policies)

10 What does AC hope to protect?
Data & Information - Unauthorized viewing, modification or copying System - Unauthorized use, modification or denial of service It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

11 OK, recall to real world; WHY and for WHOM these IAAA technologies, standards, methods, etc ???

12 Preventive AC (access control)
Awareness training Background checks Separation of duties Split knowledge Policies Data classification Effective user registration Termination procedures Change control procedures

13 Physical access control (these physical controls below are either preventive or detective)
Guards Locks Mantraps ID badges CCTV, sensors, alarms Fences - the higher the voltage the better Guard dogs

14 Preventative Detective Administrative Policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks. Polices and procedures, job rotation, sharing of responsibilities Technical Logical system controls, smart cards, bio-metrics, menu shell IDS, logging, monitoring, clipping levels Physical Restrict physical access, guards, man trap, gates Motion detectors, cameras, thermal detectors

15 Access Controls vs. privacy & legal issues
Expectation of privacy Policies Monitoring activity, Internet usage, Login banners should detail expectations of privacy and state levels of monitoring

16 Models of Access Control in Computers, Operating systems, IT systems
Discretionary (DAC) (İsteğe Bağlı) Mandatory (MAC) (Zorunlu) Role-based (Rol tabanlı) Rule-based (Kural tabanlı) Diğerleri (Context-based, Graph-based, etc.)

17 Mandatory Access Control
Assigns sensitivity levels (labels) Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level. Only the administrators, not object owners, make change the object level Generally more secure than DAC Used in systems where security is critical, i.e., military Hard to program for and configure & implement Some Unix, Linux versions, MAC, IOS (kısmen)

18 Mandatory Access Control (Continued)
Downgrade in performance Relies on the system to control access Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file. All output, i.e., print jobs, floppies, other magnetic media must have be labeled as to the sensitivity level

19 Mandatory Access Control (Continued)
MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that all users only have access to that data for which they have a clearance Individuals Resources Server 1 “Top Secret” Principle: Read Down Access equal or less Clearance Write Up Access equal or higher Clearance Server 2 “Secret” Server 3 “Classified”

20 Discretionary Access Control
Access is restricted based on the authorization granted to the user Most basic, default, well-known Least secure Prime use to separate and protect users from unauthorized data Used by Windows, Unix, Android, Linux, etc. Relies on the object owner to control access

21 Discretionary AC Application Access List Individuals Resources
Server 1 Server 3 Server 2 Name Access Tom Yes John No Cindy Yes

22 Access control lists (ACL)
A file used by the access control system to determine who may access what computer programs and files, in what method and at what time Different operating systems have different ACL terms Types of access: Read/Write/Create/Execute/Modify/Delete/Rename

23 Standard UNIX file permissions

24 Standard Windows file permissions

25 Role-based (Rol tabanlı) Access Control
A user has access to an object based on the assigned role. Roles are defined based on job functions. Permissions are defined based on job authority and responsibilities within a job function. Operations on an object are invocated based on the permissions. The object is concerned with the user’s role and not the user. Most Database Management Systems use this. Some Linux / Unix, Windows have this type also.

26 Role-Based AC Individuals Roles Resources Role 1 Role 2 Role 3
Server 1 Server 2 Server 3 Users change frequently, Roles don’t

27 Rule-based (Kural tabanlı) Access Control
Access is allowed or denied to resource objects based on a set of rules defined by a system administrator. Access properties are stored in Access Control Lists (ACL) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object. SE-Linux, bazı diğer Unix türevleri, bazı özel veri tabanı sistemleri, Ağ Güvenlik Duvarları (Network firewalls), İçerik filtreleme sistemleri

28 Rule-based (Kural tabanlı) Access Control
Örnekler: Permitting access for an account or group to a network connection at certain hours of the day or days of the week, etc. A rule might be to allow access to an IP address but block that IP address from use of a specific port, for example port 21 commonly used for FTP, or port 23 commonly used for Telnet. A rule might be to block a specific IP address, or block all IP addresses from accessing certain applications on the network, such as or video steaming.

29 Rule-based (Kural tabanlı) Access Control

30 Rule-based (Kural tabanlı) Access Control

31 Rule-based (Kural tabanlı) Access Control

32 4 Modelin Karşılaştırması
Role

33 Authentication 3 types of authentication:
Something you know - Password, PIN, mother’s maiden name, passcode, Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA

34 Multi-factor authentication
2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. ATM card + PIN Credit card + signature PIN + fingerprint Username + Password (NetWare, Unix, NT default) 3-factor authentication -- For highest security Username + Password + Fingerprint Username + Passcode + SecurID token

35 ACCESS CONTROLS’ IMPLEMENTATIONS PROBLEMS & RISKS BEST-PRACTICES

36 Problems with passwords
Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc. Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords! Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

37 Classic password rules
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. !! DON’T EVER USE: common names, DOB, spouse, phone #, etc. word found in dictionaries password as a password systems defaults How can we use & choose strong passwords? (animation)

38 Password Attacks - Methodology
On-line Attacks Off-line Attacks

39 Password Attacks – types & tools
Brute force (online or off-line) L0phtcrack others Dictionary (online or off-line) Crack John the Ripper Trojan horse login program (online)

40 Password management Configure system to use string passwords
Set password time and lengths limits Limit unsuccessful logins Limit concurrent connections Enabled auditing How policies for password resets and changes Use last login dates in banners

41 Password management !! Don’t forget; Passwords are like
...your underwear or your toothbrush !!

42

43

44

45

46 Biometrics Authenticating a user via human characteristics
Using measurable physical characteristics of a person to prove their identification Fingerprint (ie, my notebook, live demo) signature dynamics Iris Hand geometry retina voice face DNA, blood

47 Advantages of Biometrics
Can’t be lent like a physical key or token and can’t be forgotten like a password Good compromise between ease of use, template size, cost and accuracy Basically lasts forever -- or at least until amputation or dismemberment Makes network login & authentication effortless

48 Biometric Disadvantages
Still relatively expensive per user Companies & products are often new & immature No common API or other standard Some hesitancy for user acceptance

49

50 Biometric privacy issues
Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

51 Practical biometric applications
Network access control Staff time and attendance tracking Authorizing financial transactions Government benefits distribution (Social Security, welfare, etc.) Verifying identities at point of sale Using in conjunction with ATM , credit or smart cards Controlling physical access to office buildings or homes Protecting personal property Prevent against kidnapping in schools, play areas, etc. Protecting children from fatal gun accidents Voting/passports/visas & immigration

52 Tokens Used to facilitate one-time passwords Physical card S/Key
Smart card Access token

53

54 Tokens generally implemented with 2-factor authentication
Maybe Hardware or Software SmartCards; (detailed info on next slide) Static Password (with pin) Owner Authenticates to the token Token authenticates to the system Synchronous Dynamic Password (OTP; One-Time Password); Token – generates passcode value Pin – user knows Token and Pin entered into PC Must fit in valid time window (ie, my RSA token,banks’ SMS) Asynchronous (another type of OTP); Similar to synchronous, new password is generated asynchronously, No time window Challenge Response (another type of OTP); System generates challenge string User enters into token Token generates response entered into workstation Mechanism in the workstation determines authentication

55 This diagram shows the micro-module embedded into the plastic substrate or card.  Prior to embedding, a cavity is formed or milled into the plastic card.  Then either a cold or hot glue process bonds the micro-module to the card.  

56 Single sign-on (SSO) User has one password for all enterprise systems and applications That way, one strong password can be remembered and used All of a users accounts can be quickly created on hire, deleted on dismissal Hard to implement and get working Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, x.509

57 Monitoring (IAAA - Last “A” – Accountability)
IDS Logs Audit trails Network tools

58 Banners Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored (ie; “router, switch, server telnet logins”, “Windows logon”, “smtp, http, etc connection response”, etc.) Not foolproof, but a good start, especially from a legal perspective Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.

59 Rule of “least privilege”
One of the most fundamental principles of info. sec. States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more. An Acess Control system that grants users only those rights necessary for them to perform their work Limits exposure to attacks and the damage an attack can cause Physical security example: car ignition key vs. door key

60 Implementing least privilege
Ensure that only a minimal set of users have root access Don’t make a program run setuid to root if not needed. Rather, make file group-writable to some group and make the program run setgid to that group, rather than setuid to root Don’t run insecure programs on the firewall or other trusted host

61 Attacks to IAAA (Similar to topics we’ve covered in Week 5)
Passive attack - Monitor network traffic and then use data obtained or perform a replay attack. Hard to detect Active attack - Attacker is actively trying to break-in. Exploit system vulnerabilities Spoofing Crypto attacks Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation Smurf, SYN Flood, Ping of death Mail bombs

62 Vulnerabilities of IAAA and Acess Control implementations (in general)
Physical Natural Floods, earthquakes, terrorists, power outage, lightning Hardware/Software Media Corrupt electronic media, stolen disk drives Emanation Communications Human Social engineering, disgruntled staff

Download ppt "YBS 4004 Konu: Erişim Yetkilendirme / Kimlik Doğrulama, vb. Kontroller ve Mekanizmalar."

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Access Control Methodologies

Access Control Methodologies
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
2  A system can protect itself in two ways: It can limit who can access the system. This requires the system to implement a two-step process of identification.

2  A system can protect itself in two ways: It can limit who can access the system. This requires the system to implement a two-step process of identification.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.

Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Computer Security An overview of terms and key concepts.

Computer Security An overview of terms and key concepts.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Access Control Systems & Methodology

Access Control Systems & Methodology
Switch off your Mobiles Phones or Change Profile to Silent Mode.

Switch off your Mobiles Phones or Change Profile to Silent Mode.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Today’s Lecture Covers < Chapter 6 - IS Security

Today’s Lecture Covers < Chapter 6 - IS Security
Information Systems Security Operational Control for Information Security.

Information Systems Security Operational Control for Information Security.
Networking and Health Information Exchange Unit 9b Privacy, Confidentiality, and Security Issues and Standards.

Networking and Health Information Exchange Unit 9b Privacy, Confidentiality, and Security Issues and Standards.

Similar presentations

Ads by Google