Information Systems Security Access Control

University of Indonesia Magister of Information Technology

Information Systems Security Access Control Arrianto Mukti Wibowo, M.Sc., Faculty of Computer Science University of Indonesia [email protected]


Access Control Systems & Methodology

University of Indonesia – University of Budi Luhur Magister of Information Technology

Tujuan domain • Mempelajari mekanisme dan metode yang dipergunakan para administrator/manager untuk mengontrol apa yang boleh diakses user, termasuk apa yang boleh dilakukan setelah otentikasi dan otorisasi, termasuk pemantauannya.


Topik bahasan • Identification, • authentication, • authorization, • access control models,

• access control techniques,

• access control methods, • access control administration, • threats to access controls


Who?


How?


What is access control? • Access control is the heart of security • Definitions: – The ability to allow only authorized users, programs or processes system or resource access – The granting or denying, according to a particular security model, of certain permissions to access a resource – An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on preestablished rules.

7


How can AC be implemented? • Administrative controls – Policies – Procedures

• Logical controls – Passwords

• Physical controls – Electric door 8


What does AC hope to protect? • Data - Unauthorized viewing, modification or copying

• System - Unauthorized use, modification or denial of service • It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

9


Administrative access control • Awareness training • Background checks • Separation of duties

• Split knowledge • Policies • Data classification

• Effective user registration • Termination procedures • Change control procedures 10


Physical access control • Guards • Locks • Mantraps

• ID badges • CCTV, sensors, alarms • Biometrics

• Fences - the higher the voltage the better • Card-key and tokens • Guard dogs 11


Man Trap 1. Memeasukkan kartu identifikasi (what you have) 2. Mengetikkan 12 digit angka rahasia (what you know) 3. Komputer secara acak akan memilihkan katakata yang harus diucapkan ulang (who you are)


Typical Access Rights 

Read, inquiry or copy only



Write, create, update or delete only



Execute only



A combination of the above


Mandatory vs Discretionary Access Control • Mandatory – “The system decided how the data will be shared” – Enforces corporate security policy – Compares sensitivity of information resources

• Discretionary – “You decided how you want to protect and share your data” – Enforces data-owner-defined sharing of information resources


Mandatory Access Control • Assigns sensitivity levels, AKA labels • Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level. • Only the administrators, not object owners, make change the object level • Generally more secure than DAC

• Orange book B-level • Used in systems where security is critical, i.e., military • Hard to program for and configure & implement 15


Mandatory Access Control (Continued)

• Downgrade in performance • Relies on the system to control access • Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.

• All output, i.e., print jobs, floppies, other magnetic media must have be labeled as to the sensitivity level 16


Discretionary Access Control • Access is restricted based on the authorization granted to the user • Orange book C-level • Prime use to to separate and protect users from unauthorized data

• Used by Unix, NT, NetWare, Linux, Vines, etc. • Relies on the object owner to control access 17


Access control lists (ACL) • A file used by the access control system to determine who may access what programs and files, in what method and at what time • Different operating systems have different ACL terms • Types of access: – Read/Write/Create/Execute/Modify/Delete/Rename

18


Standard UNIX file permissions Permission R (read) X (execute) W (write)

Allowed action, if Allow action if object is a object is a file directory Reads contents of a file List contents of the directory Execute file as a program Search the directory Change file contents Add, rename, create files and subdirectories

19


Standard NT file permissions Permission

Allowed action, if object is a file No access None List N/A Read RX Add N/A Add & Read N/A Change RWXD Full Control All R- Read X - Execute W - Write

Allow action if object is a directory None RX RX WX RWX RWXD All D - Delete

20


Authentication 3 types of authentication: 

Something you know - Password, PIN, mother‟s maiden name, passcode, fraternity chant



Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport



Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA 21


Multi-factor authentication 

2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. 

  



ATM card + PIN Credit card + signature PIN + fingerprint Username + Password (NetWare, Unix, NT default)

3-factor authentication -- For highest security  

Username + Password + Fingerprint Username + Passcode + SecurID token

22


Problems with passwords 

Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.



Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. 

Dictionary attacks are only feasible because users choose easily guessed passwords!



Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible to remember



Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction 23


Kerugian Password • Eavesdropper mencuri password saat sedang diucapkan • Maling bisa mencuri daftar password di server • Password mungkin mudah ditebak • Guna meningkatkan keamanan penggunaan password, mungkin komputer justru malah meningkatkan ketidaknyamanan penggunaan komputer. Mis: komputer yang memilihkan password, harus ganti password setelah sekian lama


Classic password rules • The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin • Don‟t use: – common names, DOB, spouse, phone #, etc. – word found in dictionaries – password as a password

– systems defaults

25


On-Line password guessing & prevensinya • Dictionary attack • Ada komputer yang memaksa pemasukkan password hanya oleh manusia (bukan program). Manusia relatif tidak cepat. • Ada maximum retries. Mis: kartu ATM bisa ditelan. Tapi bisa menyebabkan vandalisme: jika dia punya seluruh username, dia bisa coba bikin program yang mencoba login ke seluruh username. Setelah 5 kali, system akan lock! • Ada cara lain: setiap memasukkan password yang salah akan diproses secara l a m b a t s e k a l I .. .. .. ! • Bisa mendeteksi: last successful & unsucessfull login dari mana dan kapan • Ada yang memaksa user menggunakan password yang dibuat oleh komputer: user tak senang mengingatnya… sehingga user menulisnya di kertas! Mis: geocities • Suka pakai kombinasi @$*%$ angka huruf BESAR • Ada juga yang memaksa ganti password setelah sekian lama


Off-line Password Guessing • Menebak password melalui hashnya, karena hash dari password yang umum pasti sama • Backup dari disk yang ada di server juga harus dienkripsi


Password distribution • User datang ke administrator. Kalo ada orang menyamar? • Pakai KTP/SIM/KTM yang ada fotonya • User di depan terminal khusus memilih passwordnya. • Atau user diberi password yang dipakai untuk login pertama kali, habis itu dipaksa mengganti password. Disebut pre-expired password • Cara yang tidak tepat: passwordnya adalah NPM, dan memberitahu dengan cara broadcast (misalnya posting di papan pengumuman). • Kalau di bank, kita akan dikirimi surat yang isinya PIN kita. Pendapat anda?


Authentication Token • • • •

What you have! kunci rumah, kartu kredit bisa dicuri! Mungkin keuntungannya psikologis: orang kurang rela meminjamkan kartu ketimbang password! • Biasanya butuh hardware tambahan: misalnya smart card / magentic card reader


Smart Card Ukuran kartu kredit, tapi di dalamnya ada processor. Ada macammacam: • PIN protected memory card: isi hanya bisa dibuka kalau PIN-nya benar • Cryptographic challenge & response cards • Contactless smart card Kegunaannya: – Bank Cards: debit & credit – ID-card, termasuk untuk login. One card for all access – Wallet for e-cash – Payphone – Loyality program – Ticket parkir – Health-card: bisa jaga rahasia

Bank Card Dr. John Tralala 4532 1234 8321 3912 exp 04/03


Biometrics • Authenticating a user via human characteristics • Using measurable physical characteristics of a person to prove their identification – Fingerprint – signature dynamics – Iris – retina – voice – face – DNA, blood 31


Identifikasi Fisik Manusia

Fingerprint scan

Hand Signature

Hand Geometry


Advantages of fingerprint-based biometrics 

Can‟t be lent like a physical key or token and can‟t be forgotten like a password



Good compromise between ease of use, template size, cost and accuracy



Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases



Basically lasts forever -- or at least until amputation or dismemberment



Makes network login & authentication effortless 33


Biometric Disadvantages 

Still relatively expensive per user



Companies & products are often new & immature



No common API or other standard



Some hesitancy for user acceptance

34


Performance Issues • False Rejection Rate (type 1 error): prosentase subjek yang benar, tapi ditolak • False Acceptance Rate (type 2 error): prosentase subjek yang invalid, tapi diakui sistem • Cross Error Rate (CER): FRR sama dengan FAR • Masalahnya kalau sensitifitas dinaikkan, FRR naik, FAR turun. Perlu dicarititik optimum, yakni CER


Cross Error Rate FRR FAR

% CER

Sensitifitas


Random Number Generator • Misalnya KeyBCA • Challenge & respond

• Termasuk apa? – What you know? – What you have? – Who you are?


Logical Access Control


Logical Access Controls • Akses kontrol infrastruktur TI dapat dilakukan pada berbagai tingkat – Front end & Back end – How networks segregate & protect access to information resources.

• Paths of Logical Access – General points of entry • Network connectivity • Remote access • Operator console • Online workstations or terminals


Logical Access Controls: Protection • Logical Access Control Software – Prevents unauthorized access and modification to an organization‟s sensitive data and use of system critical functions – Semua layer: networks, operating systems, databases & application systems – Fungsi software: • Identifikasi dan otentikasi • Otorisasi akses • Monitor: Logging aktifitas user, reporting

– Implementasi paling efektif: tingkat networks dan operating system (membatasi privileges pada low level)


Logical Access Controls

Operating systems access control • User identification and authentication mechanisms • Restricted logon IDs • Rules for access to specific information resources

• Create individual accountability and auditability • Create or change user profiles • Log events

• Log user activities • Report capabilities


Database and/or application-level access control • Create or change data files and database profiles • Verify user authorization at the application and transaction levels

• Verify user authorization within the application • Verify user authorization at the field level for changes within a database

• Verify subsystem authorization for the user at the file level • Log database/data communications access activities for monitoring access violations


Single sign-on (SSO) SSO is the process for the consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function. A single sign-on product that interfaces with:  client-server and distributed systems  mainframe systems  network security including remote access mechanisms


Single Sign On


Single sign-on (SSO) advantages Multiple passwords are no longer required, therefore, whereby a user may be more inclined and motivated to select a stronger password It improves an administrator‟s ability to manage users‟ accounts and authorizations to all associates systems

It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications It reduces the time taken by users to log into multiple applications and platforms


Single sign-on (SSO) disadvantages Support for all major operating system environments is difficult The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization‟s information assets


Key Distribution Centre (gambaran umum)


Untung rugi KDC • Keuntungan: – kalau ada user baru, tinggal menambahkan di KDC – kalau seorang user ter-compromised, tidak semua node akan tercompromised

• Kerugiannya: – KDC bisa memalsukan jati diri orang lain – KDC adalah titik lemah dari sistem – Performa KDC bisa berkurang kalau banyak sekali orang berhubungan ke KDC pada waktu yang bersamaan.


Contoh KDC: Kerberos 5 • Dimuat dalam RFC 1510 oleh Kohl dan Neuman pada tahun 1993, dan source code-nya bisa diambil dari http://web.mit.edu. • Produk yang menggunakan antara lain OSF Distributed Computing Environment (DCE) dan Windows 2000.


Objek Kerberos •

Authentication: Token yang dibuat oleh client dan dikirim ke server untuk membuktikan jati diri user • Ticket: diterbitkan oleh TGS (ticket granting service), yang dapat “ditunjukkan” oleh klien kepada suatu server layanan tertentu (misalnya database server). • Session key: kunci random yang dibuat oleh Kerberos dan diberikan kepada klien saat ingin berkomunikasi dengan server tertentu. Catatan: • Klien membutuhkan „ticket‟ dan session key untuk berhubungan dg server tertentu, dimana ticket tersebut memiliki periode pemakaian beberapa jam.



Rule of least privilege • One of the most fundamental principles of infosec • States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more. • An AC system that grants users only those rights necessary for them to perform their work

• Limits exposure to attacks and the damage an attack can cause • Ensure that only a minimal set of users have root access 52


Information Systems Security Access Control

Recommend Documents