
Access Control and Physical Security

Janine L. Spears, Ph.D.
May 22, 2012
DePaul University CNS 340

This Evening's Agenda

1. Announcements
a) Quiz #3
b) Group project
c) Review of NW security process
2. Access control
3. Physical security
4. Convergence

Announcements (1 of 2)

Attendance points posted thru week 8
Discussion forum points posted thru week 7
HW #5 due this Thurs by 11:59pm CST
Submit both the required and extra credit work in 1 doc

Quiz #3:
Quiz posted: available Thurs, May 24th
Quiz deadline: Mon, May 28th, 11:59pm CST
Timed quiz once quiz is accessed: 75 minutes

Announcements: Quiz #3 (2 of 2)

9 multiple choice questions (25 pts) taken from:
Weeks 6-8 lectures
2 questions on policies, 3 on encryption, 4 on network security

1 short answer question (up to 3 bonus pts)

Study for quiz by:
Reading lecture slides; focus on topics discussed in class
Searching internet on terms you need more info on
Trinckes & Harris books may provide supplemental info

Group Project: Browser Security (1 of 4)

Some examples of things that can go wrong for an online user (threats):
Malware code is implanted in JavaScript that is run when a user accesses a malware-hosting web site
Spyware is installed on a user's computer that tracks browsing history
Search engine queries are intercepted
A user believes he/she went to a chosen web site, but instead is redirected to a bogus web site
Browser fingerprinting that is combined with other data to reveal an individual user's identity

Group Project: Browser Security (2 of 4)

Some examples of weaknesses that may exist in an online user's computing environment (vulnerabilities):
HTTPS has been found to have significant structural weaknesses
Browser software is not current
A user accesses web sites that commonly host malware
A user has no way of determining if malware, spyware, or adware is installed on his/her computer
Confidential data is transmitted from the user's computer to a web site as clear text

Group Project: Browser Security (3 of 4)

What your team is tasked to do:

For an identified vulnerability, consider what could go wrong if that vulnerability is exploited (what is the threat?)
For an identified threat, consider what weakness in a user's computing environment may enable that threat to be realized (what is the vulnerability?)
OR
For an identified threat, consider who (e.g., person, orgn, industry, technology) may carry out that threat (who/what is the threat agent?)

Group Project: Browser Security (4 of 4)

Initial instructions state that the majority of your group class presentation should be on software
This is no longer required. Your team is free to discuss a threat/vulnerability (e.g., HTTPS, digital certificates, spyware functionality, etc.) and/or a technology (e.g., browser add-on, etc.).
Only topic requirement is that it is related to a browser/internet vulnerability, threat, or threat agent
Only 1 (not 2) threat/threat agent/vulnerability is required so that you can cover a topic in more depth
At least briefly state who (or what) is the entity likely to carry out the threat (threat agent); this could also be a group's key topic
(e.g., who are the advertising intermediaries that sell consumer web history data? How do certificate authorities issue digital certificates, and what are the vulnerabilities?)
Ideally there will be a variety of topics and tools presented

Group Project: Browser Security (4 of 4)

Example of threat agents: who are these folks? What data are they collecting? To whom do they sell data?

Network Security: Review from Week 8

Vulnerability assessment is used to uncover weaknesses in an organization's computing environment.
Penetration testing is used to see if unauthorized access can be obtained (e.g., by a hacker)
Remediation refers to controls (or safeguards) put in place to plug weaknesses found

Network Security: Tying the Pieces Together

Phases of a Penetration Test

Trinckes, 2010, Figure 10.3

Access Control Physical Security Convergence

Access Control

Organizations were estimated to spend $5 billion on identity and access mgmt (IAM) systems in 2010
The market is expected to grow to $12 billion by 2014
Source: Hovav & Berger, CAIS 2009

In the banking/finance and IT industries, IAM is among the top 3 security initiatives
Source: Deloitte 2009, 2010

Access Control AKA Identity and Access Management

Identity and access management (IAM) is concerned with:
verifying the digital identity of an entity attempting to gain access to system resources
granting permissions to system functions and data, based on pre-defined roles assigned to the identity
placing constraints on access to alleviate conflicts in the segregation of duties
monitoring & auditing
Source: Spears 2011

Identity and Access Management Systems (1 of 2)

IAM systems:
Automate and enforce IAM policies for
  identity lifecycles
  provisioning process
  user authentication
  password management
Provide a central repository of identities, roles, authorizations across enterprise systems
Provide log management features

Also typically provide
  Single sign-on capabilities
  Encryption
  Audit reports

Identity and Access Management Systems (2 of 2)

Source: Peterson et al., J of Accountancy 2008


Inherent Complexities in IAM (1 of 2)

What has spurred IAM systems?

What are some of the issues that arise in managing IAM?
Multiple identities for a single individual
Flaws in role designs
  Multiple roles leading to data leakage
Complexity in system architectures
  E.g., distributed computing; cloud computing
Complexity in ERP systems
Coding flaws in IAM scripts
Limited built-in auditing

Inherent Complexities in IAM (2 of 2)

An example of IAM complexity for ERP systems:
For a small organization that:
  uses 100 transactions (requiring 2 authorization objects for each transaction)
  among 200 end users who fill a total of 20 different roles
there are 800,000 ways to configure ERP security (100*2*200*20).
Source: Hendrawirawan et al., Information Systems and Control Journal 2007

Access Control

Access control has two components:

1. Policy
Users typically define who gets access to what applications
Role-based access control
Segregation of duties
Data classification
Password policy
Two-factor authentication
Etc.

2. Technology
Implements policy; administered by IT orgn
Must balance security effectiveness; ability to do job; and user acceptance

Access Control Policy in the Form of Security Controls

Several reputable security frameworks provide guidance on developing access control policies, controls, and audit procedures
Examples of guidance on access controls from security frameworks:
1. ISO 27002
2. COBIT
3. NIST SP 800-53

The PCI DSS also has an access control component (required of companies processing credit card transactions)

ISO 27002

Clause: A.11 Access control
Main Category (Control Objective): A.11.2 User access management
Controls:
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights

COBIT
Domain: Delivery & Support (DS)
Process: DS5 Ensure Systems Security
Control Objective: DS5.3 Identity Management
Control Activities:
Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
Maintain user identities and access rights in a central repository.
Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

NIST SP800-53

Class: Technical
Family (Control Objective): Access Control
Controls:
AC-1: Access Control Policy and Procedures
AC-2: Account Management
AC-3: Access Enforcement
AC-4: Information Flow Enforcement
AC-5: Separation of Duties
AC-6: Least Privilege
AC-7: Unsuccessful Login Attempts
AC-8: System Use Notification
Etc.

Miscellaneous Access Control Concepts / Practices (1 of 5)

User provisioning:
is the creation, maintenance and deactivation of user objects and user attributes

Authorization:
defines the ability of a specific user to perform certain tasks, such as deleting or creating files, after authentication has taken place.

Authentication:
refers to verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Miscellaneous Access Control Concepts / Practices (2 of 5)

Role-based access control (RBAC):
refers to access control that is based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role).
NIST SP 800-53, p. B-11

A given role may apply to a single individual or to several individuals.

Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization.

Miscellaneous Access Control Concepts / Practices (3 of 5)

Least privileges:
allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Source: NIST SP 800-53, p. F-9

Though this term is typically used in the context of system/database access, the concept should also be applied to sensitive data, regardless of its form.
An example of applying least privileges as a simple, cost-effective security measure for protecting the SSN (e.g., on paper forms and elsewhere)

Miscellaneous Access Control Concepts / Practices (4 of 5)

Separation of duties (AKA segregation of duties):
attempts to ensure there is no conflict of interest in types of access authorized for one user
Examples:
1. Person who administers access is different from person who audits system access
2. Person who is authorized to order purchases is different from person authorized to pay invoice

Auditors or risk managers may define SoD ctrls
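
The RBAC, least-privilege and separation-of-duties concepts from the preceding slides, combined in one added example that is not part of the original lecture. Role names, permission strings and users are constructed for illustration; the two SoD rules mirror the slide's two examples.

```python
# Constructed sample data: every role, permission and user here is hypothetical.
ROLE_PERMS = {
    "employee": {"po:view"},
    "buyer": {"po:create"},
    "ap_clerk": {"invoice:pay"},
    "access_admin": {"access:administer"},
    "auditor": {"access:audit"},
}
# Role hierarchy: a role inherits every permission of its parent roles.
ROLE_PARENTS = {"buyer": ["employee"], "ap_clerk": ["employee"]}
# SoD rules from the slide's two examples: no single user may hold both.
SOD_RULES = [
    ("access:administer", "access:audit"),
    ("po:create", "invoice:pay"),
]
USER_ROLES = {
    "alice": {"buyer"},
    "bob": {"buyer", "ap_clerk"},          # can both order and pay
    "carol": {"access_admin", "auditor"},  # administers and audits access
}


def role_permissions(role, seen=None):
    """Permissions of a role plus everything inherited through the hierarchy."""
    seen = set() if seen is None else seen
    if role in seen:  # a mis-configured cyclic hierarchy must not loop forever
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, ()))
    for parent in ROLE_PARENTS.get(role, ()):
        perms |= role_permissions(parent, seen)
    return perms


def user_permissions(user):
    """Union of the effective permissions of all roles assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= role_permissions(role)
    return perms


def is_authorized(user, permission):
    """Least privilege: deny unless some assigned role grants the permission."""
    return permission in user_permissions(user)


def sod_violations(user):
    """SoD rules whose two conflicting permissions both reach this user."""
    perms = user_permissions(user)
    return [rule for rule in SOD_RULES if perms.issuperset(rule)]


def audit_all_users():
    """Map each user with at least one SoD conflict to the rules violated."""
    report = {user: sod_violations(user) for user in sorted(USER_ROLES)}
    return {user: hits for user, hits in report.items() if hits}
```

The conflict check runs on effective permissions rather than role names, so a conflict introduced through an inherited role is still reported.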


Miscellaneous Access Control Concepts / Practices (5 of 5)

A person may authenticate him/herself in three ways, by providing:
1. Something you know (e.g., password)
2. Something you have (e.g., token)
3. Something you are (e.g., fingerprint)

When two of these methods are used, it's called two-factor authentication

Examples of Two-Factor Authentication

If a user is prompted for a password, and then prompted for a pass phrase, would that be two-factor authentication?

RSA SecurID
http://www.rsa.com/node.aspx?id=1159

PhoneFactor
http://www.phonefactor.com/

Biometric Access Control

Access control via biometrics is the process of using body measurements to authenticate a user (something you are)
Some examples of biometric technologies:
1. Fujitsu Palm Secure
Demo: http://www.citrix.com/tv/#videos/430
2. Biometric Fingerprint
3. VoiceVault
4. Iris Guard's IG-AD100 Iris Camera System

Must strike balance between technological effectiveness and user acceptance

Passwords (1 of 3)


Passwords (2 of 3)

Top 10 most common passwords (PC Magazine May 8, 2007)
1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. blink182
10. (your first name)

If you recognize yours, you may as well hand over your wallet or purse to the first person you see on the street.

Passwords (3 of 3)

Common recommendations for stronger passwords
At least 8 characters in length
At least one letter, number, non-alphanumeric

Sample orgnl password policy
http://www.sans.org/resources/policies/Password_Policy.pdf

Compliance with password policies can be evaluated using security software called password auditors
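
A small policy check in the spirit of a password auditor, added here as an example and not taken from the lecture or from any particular auditing tool. It applies the recommendations above plus the top-10 list from the previous slide, and assumes the candidate password is available in clear text (for example at password-change time); the sample accounts are constructed.

```python
# Nine literal entries of the slide's top-10 list; the tenth, "(your first
# name)", is checked per user below.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "blink182",
}
MIN_LENGTH = 8  # "At least 8 characters in length"


def audit_password(password, first_name=""):
    """Return the policy findings for one password (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        findings.append("no letter")
    if not any(c.isdigit() for c in password):
        findings.append("no number")
    if all(c.isalnum() for c in password):
        findings.append("no non-alphanumeric character")
    lowered = password.lower()  # compare case-insensitively
    if lowered in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if first_name and lowered == first_name.lower():
        findings.append("equals the user's first name")
    return findings


# Constructed sample: user -> (first name, candidate password).
SAMPLE_ACCOUNTS = {
    "jdoe": ("Jane", "password1"),
    "rlee": ("Robin", "robin"),
    "mkim": ("Min", "Tr4il-mix&Oats"),
}


def audit_accounts(accounts):
    """Findings per non-compliant account; compliant accounts are omitted."""
    report = {}
    for user, (first_name, password) in accounts.items():
        findings = audit_password(password, first_name)
        if findings:
            report[user] = findings
    return report
```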


Passphrases and Security Questions

Passphrase
Sequence of words; similar to a password, but longer
Can be used various ways.
E.g., Dear, let's dine tonight in a restaurant with atmosphere!
DLDTRWA!

Security questions
A form of a shared secret
Majority of US financial institutions use to authenticate users before allowing them to reset a password
RSA tool comes with 150 preset security questions
What is the vulnerability with this form of authentication?

Physical Security

Physical security is concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft (DOD, NATO).

Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts (Wikipedia).

Four Core Layers of Physical Security (1 of 2)

1. Crime prevention through environmental design (CPTED)
CPTED-based strategies emphasize enhancing the perceived risk of detection and apprehension; intended to deter a criminal act.
Used primarily as a prevention mechanism
Examples: barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting, security guard

2. Access control
Mechanical and electronic measures to control access into facilities
Used primarily as a prevention mechanism
Examples: mechanical locks & keys; electronic locks; biometric locks; security guard

Source: Whitman & Mattord, 2009

Four Core Layers of Physical Security (2 of 2)

3. Intrusion detection (alarm)
Monitors for and signals existence of an attack
Used primarily as a response mechanism
Can also be a deterrent
Examples: burglar alarm; motion detector; smoke detector; security guard

4. Surveillance and monitoring
Used primarily as a response mechanism
Primarily used for incident verification and historical analysis
Examples: CCTV, IP camera; security guard

Source: Whitman & Mattord, 2009

Physical Security

Other misc. areas of physical security include:
Heating, ventilation, and air conditioning
Electrical power management
Computer theft
Social engineering (using people skills to obtain confidential info from employees; e.g., phone, PC, in person)

Physical security is often managed by:
Facilities management department (larger sites)
Outsourced (smaller sites)

Source: Whitman & Mattord, 2009

The Convergence of Physical and Logical Security

Convergence refers to some form of collaboration or integration between the physical security and IT security technologies and/or groups.

Two general forms of convergence:
1. changing the orgnl structure to merge the physical and logical groups and align policies and budgets
2. more commonly, orgns are rolling out converged technologies

This convergence goes by various names:
Convergence of Physical and Logical Security
Convergence of Physical and Digital Security
Convergence of Physical and IT Security

The Convergence of Physical and Logical Security

Features of convergence:
Information sharing
Cross-support across areas of expertise
Convergence of security technologies

Examples of convergent technologies:
identity and access management
anti-theft tags in retail stores
IP-based surveillance cameras

The Convergence of Physical and Logical Security

Benefits of convergence
Synergy across skill sets
Reduced costs through greater efficiencies
Holistic approach to security
Can collaborate where it makes sense

The Convergence of Physical and Logical Security

Challenges for convergence
Cultural differences (J. Edgar Hoover vs. Bill Gates)
Differences in background and training
Differences in skill sets (law enforcement vs IT)
Embracement vs. skepticism toward new technology
Differences in salaries
Ownership battles

Sources:
http://www.scmagazineus.com/An-urge-to-converge-Physical-and-logicalidentity-and-access-management/article/151829/
http://www.computerworld.com/s/article/108571/Security_Convergence