Sumy State University Department of Computer Science

Size: px

Start display at page:

Download "Sumy State University Department of Computer Science"

Lorin Tyler
6 years ago
Views:

1 Sumy State University Department of Computer Science

2 Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are accessed so they can be protected from unauthorized modification or disclosure. The controls that enforce access control can be technical, physical, or administrative in nature. These control types need to be integrated into policy-based documentation, software and technology, network design, and physical security components. 2

3 Lecture 1 (part 2). Access control. What is access control? Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. Although we usually think of a user as the entity that requires access to a network resource or information, there are many other types of entities that require access to other network entities and resources that are subject to access control. It is important to understand the definition of a subject and an object when working in the context of access control. 3

4 Lecture 1 (part 2). Access control. A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information or needed functionality. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database. When you look up information in a database, you are the active subject and the database is the passive object. 4

5 Lecture 1 (part 2). Access control. What is access control? Access control is extremely important because it is one of the first lines of defense in battling unauthorized access to systems and network resources. When a user is prompted for a username and password to use a computer, this is access control. Once the user logs in and later attempts to access a file, that file may have a list of users and groups that have the right to access it. If the user is not on this list, the user is denied. This is another form of access control. 5

6 Identification, Authentication, Authorization. What is identification? For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privilege to perform the actions he is requesting. Once these steps are completed successfully, the user can access and use network resources. Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. 6

7 Identification, Authentication, Authorization. What is authentication? To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated. 7

8 Identification, Authentication, Authorization. What is authorization? Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system determines that the subject may access the resource, it authorizes the subject. 8

9 Identification, Authentication, Authorization. Although identification, authentication and authorization have close and complementary definitions, each has distinct (різні) functions that fulfill a specific requirement in the process of access control. A user may be properly identified and authenticated to the network, but he may not have the authorization to access the files on the file server. On the other hand, a user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach. Figure 1 illustrates the three steps that must happen for a subject to access an object. 9

10 Identification, Authentication, Authorization. Three steps must happen for a subject to access an object: identification, authentication and authorization. 10

11 Identification, Authentication, Authorization. An individual s identity must be verified during the authentication process. The authentication process usually involves a two-step process: entering public information (a username, employee number, account number, or department ID), and then entering private information (a password, smart token, one-time password, or PIN). Entering public information is the identification step, while entering private information is the authentication step of the two-step process. Each technique used for identification and authentication has its pros and cons. Each should be properly evaluated to determine the right mechanism for the correct environment. 11

12 Identification, Authentication, Authorization. General factors for authentication Once a person has been identified through the user ID or a similar value, she must be authenticated, which means she must prove she is who she says she is. Three general factors can be used for authentication: 1)something a person knows, 2) something a person has, and 3)something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic. 12

13 Identification, Authentication, Authorization. Something a person knows (authentication by knowledge) can be, for example, a password, PIN, mother s maiden name, or the combination to a lock. Authenticating a person by something that she knows is usually the least expensive to implement. The downside to this method is that another person may acquire this knowledge and gain unauthorized access to a resource. 13

14 Identification, Authentication, Authorization. Something a person has (authentication by ownership can be a key, swipe card, access card, or badge. This method is common for accessing facilities, but could also be used to access sensitive areas or to authenticate systems. A downside to this method is that the item can be lost or stolen, which could result in unauthorized access. 14

15 Identification, Authentication, Authorization. Something specific to a person (authentication by characteristic) becomes a more interesting. This is based on a physical attribute. Authenticating a person s identity based on a unique physical attribute is referred to as biometrics. 15

16 Identification, Authentication, Authorization. Strong authentication contains two out of these three methods: something a person knows, has, or is. Using a biometric system by itself does not provide strong authentication. For a strong authentication process to be in place, a biometric system needs to be coupled with a mechanism that checks for one of the other two methods. For example, many times the person has to type a PIN number into a keypad before the biometric scan is performed. This satisfies the what the person knows category. 16

17 Identification, Authentication, Authorization. Whatever identification system is used, for strong authentication to be in the process, it must include two out of the three categories. This is also referred to as two-factor authentication. Strong authentication is also sometimes referred to as multiauthentication, which just means that more than one authentication method is used. Three-factor authentication is possible, which includes all authentication approaches. 17

Something the user knows: Password-Based Authentication Password-Based Authentication The use of passwords is fairly straightforward, as you probably already know from experience.

18 Something the user knows: Password-Based Authentication Password-Based Authentication The use of passwords is fairly straightforward, as you probably already know from experience. A user enters some piece of identification, such as a name or an assigned user ID; this identification can be available to the public or can be easy to guess because it does not provide the real protection. The protection system then requests a password from the user. If the password matches the one on file for the user, the user is authenticated and allowed access. If the password match fails, the system requests the password again, in case the user mistyped. 18

19 Password-Based Authentication What Is Password? Definition: Password a private word or combination of characters that only the user knows. Password a secret data value, usually a character string, that is used as authentication information. A password is usually matched with a user identifier that is explicitly presented in the authentication process, but in some cases, the identity may be implicit. 19

20 Password-Based Authentication Today, there are several methods used to break into a password-protected system. 1. Brute Force Attack 2. Dictionary Attack 3. Password Cracker/ Password Crack 4. Key Logger Attack 5. Password Sniffing... 20

21 Password-Based Authentication You can use these links or other What is Password Sniffing? - Types of Password Attacks Types of Password Security Attacks - What is a Keylogger?

22 Password-Based Authentication 22

23 Password-Based Authentication Other Common Characteristics of Passwords Most use only alphanumeric characters Most are in (password) dictionaries Many users re-use passwords across systems Some very common passwords: , password, , qwerty, abc123, letmein,... When forced to change passwords, most users change a single character 23

24 Password-Based Authentication Password Selection Strategies User education Ensure users are aware of importance of hard-toguess passwords Computer-generated passwords Generate random or pronounceable passwords (but poorly accepted by users) Reactive password checking Regularly check user s passwords, inform them if weak passwords Proactive password checking Advise user on strength when selecting a password 24

Worst passwords of 2016 The 2016 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.

25 Worst passwords of 2016 The 2016 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords. * SplashData s fifth annual Worst Passwords List shows people continue putting themselves at risk. * 25

26 Token-Based Authentication 26

27 Token-Based Authentication 27

28 Token-Based Authentication 28

29 Biometric Authentication 29

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define access control and list the four access control models Describe logical access control