
Access Control and Site Security (Part 1) (Thursday 1/17/2008) © Abdou Illia – Spring 2008.


1 Access Control and Site Security (Part 1) (Thursday 1/17/2008) © Abdou Illia – Spring 2008

2 Learning Objectives
- Understand the main security goals
- Discuss resources' access control
- Discuss password-based access control

3 Security Goals

4 Break-in and Dialog Attacks: Security Goal
If eavesdropping or message alteration attacks are successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed information
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = main goal in implementing defense systems against eavesdropping and message alteration.

5 Malware Attacks: Security Goal
If virus attacks are successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed information
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = main goal of implementing defense systems against malware attacks.

6 DoS Attack: Security Goal
If a DoS attack is successful, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed information
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = main goal of implementing defense systems against DoS attacks.

7 Security Goals
Three main security goals (CIA):
- Confidentiality of communications and proprietary information
- Integrity of corporate data
- Availability of network services and resources

8 Resources Access Control

9 Opening Question
Which of the following actions might be taken in order to strengthen the confidentiality of companies' proprietary information?
a) Prevent employees from accessing files not needed in their job
b) Limit the number of computers each employee could use for logging onto the network
c) Encrypt any communications involving passwords
d) All of the above

10 What is Access Control?
- Access control is the policy-driven limitation of access to systems, data, and dialogs
- Access control prevents attackers from gaining access to systems' resources, and stops them if they do

11 Managing Access Control: Steps
1) Enumeration of (sensitive) resources
   E.g. HR databases, servers with trade secrets
2) Determination of the sensitivity level of each resource
   E.g. mission-critical vs. non-mission-critical
3) Determination of "Who should have access?"
   - Role-Based Access Control (RBAC): determine the roles (or categories) of users. Example: IT employees, HR employees, salesmen, etc.
   - List-Based Access Control (LBAC): the system administrator could in some cases create lists of employees (not based on roles) for general-purpose resources

12 Managing Access Control: Steps (cont.)
4) Determination of "What access rights should users have?"
   For each Role-Resource and/or List-Resource pair, set Allow or Deny for each right:
     Right          Allow  Deny
     See
     Browse/Read
     Read/Modify
     Delete
     …
     …
     Full Control
5) Implementing access control
   - Use the OS and other tools to configure access control
     Mandatory Access Control: the administrator's settings apply
     Discretionary Access Control: the owner of a resource could share it and set access rights
   - Harden the host computers: patches, firewalls, etc.
   - Perform security audits to test access control effectiveness

13 Managing Access Control: Steps (cont.)
6) Determine/implement general access policies
   - Enumerate policies for each category of sensitive resources. Examples:
     Printer availability: M-F, 6:00 AM-8:00 PM
     Server computers: only administrators and server operators could log on locally
     Remote Access servers: callback enabled
   - Implement the policies
   - Perform security audits to test the policies' effectiveness
     Audit by internal employees
     Audit by a security firm

14 Password-Based Access Control

15 Types of Account/Password
Super account
- User can take any action on any resource
- Called Administrator (Windows), Supervisor (NetWare), root (UNIX)
- Hacking the super account = ultimate prize for attackers
Regular account
- Limited access based on settings by the admin
- An attacker holding a regular account could gain super account status by elevating privileges

16 Reusable Passwords
- Used repeatedly to get access to a resource on multiple occasions
- Bad because the attacker has time to crack them
- Difficult to crack by guessing remotely: logon is usually cut off after a few attempts
- However, an attacker who can steal the password file can crack the passwords at leisure

17 Password Cracking
With physical access or with the password file in hand, an attacker can use password-cracking programs:
- L0phtcrack (now LC5): Windows
- Ophcrack (one platform marked on the slide)
- John the Ripper: Windows, Linux
- RainbowCrack (uses lookup tables and hash functions): Windows, Linux
- Crack: Linux
- Cain & Abel: Windows
Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds. Programs also use the brute-force cracking method. Used by network admins to locate users with weak passwords, and by attackers.

18 Brute-force Password Cracking
- Try all possible character combinations (contrast with dictionary cracking and hybrid cracking, slide 20)
- Longer passwords take longer to crack
- Combining types of characters makes cracking harder:
  Alphabetic, no case (26 possibilities)
  Alphabetic, case (52)
  Alphanumeric (letters and numbers) (62)
  All keyboard characters (~80)

19 Figure 2-3: Password Length
Number of possible passwords (N^L) for character-set size N and password length L:

  Password length in characters            1    2 (N^2)   4 (N^4)      6                8             10
  Alphanumeric: letters & digits (N=62)   62    3,844    14,776,336   56,800,235,584   2.1834E+14    8.39299E+17
  All keyboard characters (N=~80)         80    6,400    40,960,000   2.62144E+11      1.67772E+15   1.07374E+19
  Alphabetic, case (N=52)                 52    2,704    7,311,616    19,770,609,664   5.34597E+13   1.44555E+17
  Alphabetic, no case (N=26)              26    676      456,976      308,915,776      2.08827E+11   1.41167E+14

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would have to try in order to crack a password in your system?

20 Dictionary and Hybrid Cracking
Dictionary cracking (1)
- Try common words ("password", "ouch", etc.)
- There are only a few thousand of these
- Cracked very rapidly
Hybrid cracking (2)
- Used when dictionary cracking fails
- Common word with one or a few digits at the end, etc.
(1) Also called a dictionary attack
(2) Also called a hybrid attack

21 Password Policies
Good passwords
- At least 6 characters long
- Change of case not at the beginning
- Digit (0 through 9) not at the end
- Other keyboard characters not at the end
Example: triV6#ial
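As an added example (not part of the original slides), a checker that enforces the four rules on slide 21 and also rejects the dictionary and hybrid patterns described on slide 20, so an administrator can screen new passwords before a cracking program does. The reading of "change of case not at the beginning" as "not between the first two letters", the tiny word list and the two-digit hybrid limit are assumptions.

```python
"""Password-policy checker for the rules on the 'Password Policies' slide."""
import string

# Constructed stand-in for a cracking dictionary; real lists hold thousands of words.
COMMON_WORDS = {"password", "ouch", "trivial", "secret", "letmein"}
MAX_HYBRID_DIGITS = 2  # hybrid cracking: common word plus "one or a few" trailing digits


def is_dictionary_or_hybrid(pw: str) -> bool:
    """True if pw is a common word, or a common word with a few digits appended."""
    base = pw.lower().rstrip(string.digits)
    appended_digits = len(pw) - len(base)
    return base in COMMON_WORDS and appended_digits <= MAX_HYBRID_DIGITS


def check_password(pw: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    letters = [c for c in pw if c.isalpha()]
    # Positions where a letter's case differs from the previous letter's case.
    # Assumption: "not at beginning" means the first change must not be between
    # letter 1 and letter 2, so a merely capitalised first letter fails.
    changes = [i for i in range(1, len(letters))
               if letters[i].isupper() != letters[i - 1].isupper()]
    if not changes:
        problems.append("no change of case")
    elif changes[0] == 1:
        problems.append("change of case at beginning")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    elif pw[-1].isdigit():
        problems.append("digit at end")
    others = [c for c in pw if not c.isalnum()]
    if not others:
        problems.append("no other keyboard character")
    elif not pw[-1].isalnum():
        problems.append("other keyboard character at end")
    if is_dictionary_or_hybrid(pw):
        problems.append("dictionary word or word plus digits (hybrid cracking)")
    return problems


if __name__ == "__main__":
    # The slide's example passes; the common patterns are rejected with reasons.
    for candidate in ["triV6#ial", "Password1", "ouch99", "secret"]:
        print(candidate, "->", check_password(candidate) or "OK")
```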

22 Password Policies (cont.)
Shared passwords
- Not a good policy
- Remove the ability to learn who took actions; accountability is lost
- Usually not changed often, or at all, because all sharers would have to be informed

23 Questions
Q.1. ABC Inc. has a network with three users. The users have the following usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the network administrator allowed the users to log on with the password abc123. Last night someone committed an attack, stealing sensitive corporate information after elevating the privileges associated with the account they used to log on. Which of the following is true? (Choose all that apply)
a) The audit log file could be checked to determine at what time the attacker logged in
b) The audit log file could be checked to determine which user account was used in committing the attack
c) The audit log file could be checked to determine who committed the attack
d) All of the above
Q.2. If your answer to Q.1 above indicates that at least one of the statements is not true, explain why. ________________________________________________________________

24 Password Policies (cont.)
Disabling passwords that are no longer valid
- As soon as an employee leaves the firm, etc.
- As soon as contractors and consultants leave
- In many firms, a large percentage of all accounts are for people no longer with the firm

25 Password Policies (cont.)
Lost passwords
- Password resets: the help desk gives a new password for the account
- Opportunities for social engineering attacks
- Leaving the changed password on an answering machine

26 Reading Questions (Part 1)
Answer the Chapter 2 Reading Questions (Part 1) posted to the course web site.

27 Summary Questions
- What are the three main security goals?
- What security goal is jeopardized by a successful eavesdropping attack?
- What is the difference between Role-Based Access Control and List-Based Access Control?
- What is the difference between Mandatory Access Control and Discretionary Access Control?
- What is a super account?
- What is the difference between dictionary cracking and hybrid cracking?
- What is a shared password? Do you recommend shared passwords? Why?
