To properly implement access control, 4 steps must be executed.
1) The subject must provide an identity, which is public information such as a username or account number
2) The subject must authenticate they are who they claim to be by providing private information such as a password or smart token
3) The system validates the identity and authentication information, and then checks to see if the subject is authorized to access the object
4) The system records all activities between the subject and object for future accountability
Logical access controls are technical tools (usually software components) used to carry out identification, authentication, authorization and accountability. Note that the terms ‘logical’ and ‘technical’ are interchangeable in this context. While operating systems always implement the above access controls, it is important to understand that software applications riding on top of OSs may also do this – sometimes simply extending the OS’s capabilities, and sometimes implementing their own stand-alone infrastructure. Whichever the case may be, the principles described in this section apply equally.
Identity
An identity uniquely represents a subject within a given environment. When creating and issuing an identity, 3 attributes should be addressed:
• Uniqueness – the identity should represent something unique about the subject
• Non-descriptive – the identity name should not describe the role or purpose of the account
• Issuance – how the identity is issued to the subject (email, ID card, etc.)
Best practices for identities are:
• Each value should be unique for accountability
• A standard naming scheme should be followed
• The name should not describe the position or task
• The name should not be shared among multiple subjects
Identity Management
Identity Management (IdM) is the process of creating, managing and retiring identities. This undertaking can be a huge task, and there are many software tools on the market today to help. We are going to cover the various types of technologies required to properly manage identities.
Directories
A directory is a central location where all subjects and objects are tracked (everything in a directory is called an ‘object’, so don’t get confused between directory-lingo and access management lingo), along with authentication and authorization details. Most directories follow the X.500 standard which defines a hierarchical format, and the Lightweight Directory Access Protocol (LDAP) which allows other applications to interact with the directory. The objects in a directory are managed by a directory service and are labeled and identified using a namespace – a hierarchical naming convention that uniquely identifies a location or object. When using X.500 and LDAP, the directory service assigns a common name (CN) and a distinguished name (DN) to each object. The object’s DN identifies that object uniquely in the directory, but the object’s CN is not required to be unique. The DN is made up of several objects called domain components (DC) – each DC is not unique by itself, but when you combine all of the DCs within a DN, you get back something that is unique in the entire directory. For example, to identify a user with an email address of ‘[email protected]’ we could have:
DN: cn=george.washington, dc=whitehouse, dc=us, dc=gov
CN: George Washington
An X.500 directory database follows certain rules:
• All objects are arranged in a hierarchical parent-child relationship
• Every object has a unique name made up of unique identifiers called ‘distinguished names’
• The supported attributes for objects are defined by a schema
In a Windows network environment, a user will log into a domain controller (DC) that contains a hierarchical database. The DC is running a directory service called ‘Active Directory’ that will authenticate and authorize a user.
A directory is basically a centralized database, but is not necessarily the authority on the data it contains. For example, an employee’s office number might be contained in some other HR database, authentication information could be stored in a Kerberos server, while the roles a user belongs to are actually stored in the directory itself. In this case, the directory is a meta-directory – it aggregates information from multiple sources and presents a unified view. The directory is responsible for staying in sync with each authoritative data source that it aggregates. If a directory does not aggregate the data into its own database, but instead simply points to the external databases containing the information, it is called a virtual directory.
Web Access Management
Web access management (WAM) is a software layer that controls authentication and authorization within a web-based environment. It can be proprietary logic built into a web site or a plug-in module that facilitates the process using external systems, but most often it is associated with a single sign-on (SSO) experience. For example, a user logs on to the company intranet for the latest corporate news, switches to a help desk application, and then accesses the company directory to locate a fellow employee. All 3 of those sites are completely different web applications running on different servers and know nothing about each other, yet only one log in was required. This is an example of SSO and is why we have WAM. In this example, WAM coordinates authentication and authorization with external systems behind the scenes, and all 3 web applications are aware of these internal systems. The most common method of implementing WAM is that after the initial authentication, WAM stores a cookie on the user’s computer containing some type of session identifier. Each web application will use WAM to retrieve this cookie and validate that it is still valid – if so, the user does not need to log in again. This assumes that all web applications are accessed using the same sub-domain (the sub-domain is the ‘mydomain.com’ part of ‘www.mydomain.com’) – different sub-domains cannot access each other’s cookies. This cookie is checked every time the browser requests a new page or resource from the web server.
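The cookie-based WAM scheme described above, as an added example that is not part of the original text: one central session store issues a random session identifier after the single login, and every application validates that cookie against the store instead of authenticating on its own. `WamSessionStore`, `serve`, the cookie name, the idle timeout and the user table are all hypothetical values constructed for this illustration.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # assumed idle timeout applied by the WAM
COOKIE_NAME = "WAMSESSION"      # assumed name of the shared cookie


class WamSessionStore:
    """Central WAM component: the only place credentials and sessions live."""

    def __init__(self, users):
        self._users = users     # constructed user -> password table (plain text only for brevity)
        self._sessions = {}     # session id -> (username, expires_at)

    def login(self, username, password, now=None):
        """Initial authentication; returns a session id for the cookie, or None."""
        if self._users.get(username) != password:
            return None
        sid = secrets.token_urlsafe(32)          # unguessable identifier, no '=' or ';' characters
        self._sessions[sid] = (username, (now or time.time()) + SESSION_TTL_SECONDS)
        return sid

    def validate(self, sid, now=None):
        """Called by every application on every request; returns the user or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if (now or time.time()) >= expires_at:
            del self._sessions[sid]              # expired sessions are dropped, not renewed
            return None
        return username


def serve(app_name, cookie_header, wam, now=None):
    """Simulates one request to one web application sitting behind the WAM.

    cookie_header is the raw 'Cookie:' value the browser sends; all three
    applications see the same cookie because they share one domain.
    """
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    user = wam.validate(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        return 302, f"redirect to WAM login (requested {app_name})"
    return 200, f"{app_name}: welcome {user}"
```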
Authentication
Identification and Authentication require two different pieces of information (public and private
information), but are used together to authenticate a subject. Authentication is the process of the subject proving it is who it claims to be. With machine authentication, this will usually be a digital certificate or a password; with users it can be a number of things - people can authenticate with 3 different ‘factors’:
• Something a person knows – something a person stores in their memory, such as a password, PIN, entry code for a vehicle or combination for a lock; an attacker could acquire this knowledge
• Something a person has – a physical possession, such as a swipe card, a smart token, keys or an access badge; an attacker could steal this
• Something a person is – a unique physical attribute, such as fingerprint, retina pattern, their gait or voice print; an attacker could physically emulate this
While most authentication is single factor (requires only one factor from the list above), strong authentication, or multifactor authentication, requires at least 2 factors. Most commonly only a password is required, which is among the weakest types of authentication.
Managing Passwords
If password is the sole authentication factor used within an environment to access systems (and it almost always is except for the most secure facilities), then how passwords are managed becomes very
important. There is a balance that needs to be struck between stringent policies and usability. For example, if a company requires passwords to be so strong that they cannot be easily memorized and
must be changed every other week, users will resort to writing them down which will defeat having strong passwords to begin with. On the other hand, having change password and strength policies that are too lax may make users happy, but will weaken the company’s security posture significantly and introduce unacceptable vulnerabilities.
Adding to the problem is the lack of support for a single set of credentials across multiple systems – if each system requires a unique password (and possibly a unique identity), you are guaranteed that users will write these passwords down somewhere. To avoid this a company can implement password synchronization – having multiple systems update their respective passwords at the same time. If the password remains constant, the user is able to memorize a stronger password. The downside of this is that by stealing one set of credentials, an attacker can access multiple systems. But a stronger password offsets this and strikes an acceptable balance.
Another potential problem with password management is the ability to manage forgotten passwords – a manual reset process requiring IT personnel will be a serious resource drain and fraught with mistakes – an automated solution needs to be implemented but with the proper level of identification controls to ensure fraud does not take place.
Self-Service Password Reset
One answer is a self-service password reset, which is a 3-step process:
1) The user provides an alternative means of authentication:
a. The user answers a personal question (something they know); the correct answer was provided when the original account was set up
b. The user provides a smart card, access card or token (something they have)
c. The user provides a fingerprint or retina scan (something they are)
2) An email is sent with a link to reset the password to the email address on file – this provides another layer of security as only that person should be able to access that email; the link contains a random globally-unique identifier (GUID) that is tied to the password reset request
3) The link is clicked and the system allows the user to enter a new password
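The reset-link half of the 3-step flow above, as an added example that is not part of the original text: after the alternative authentication succeeds, a random globally-unique identifier is generated, tied to that one reset request, mailed as a link, and accepted exactly once before it expires. `ResetService`, the e-mail outbox stand-in, the link lifetime and all sample data are hypothetical, constructed for this illustration.

```python
import hashlib
import secrets

RESET_LINK_TTL = 15 * 60    # assumed policy: seconds a mailed link stays valid


class ResetService:
    """Hypothetical self-service reset back end (personal-question variant)."""

    def __init__(self, accounts):
        # constructed table: username -> (email on file, hash of the enrolled answer)
        self._accounts = accounts
        self._pending = {}      # hash(token) -> (username, expires_at); one entry per request
        self.outbox = []        # (recipient, link) pairs; stands in for the mail server
        self.passwords = {}     # username -> newly set password (demo only)

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def request_reset(self, username, answer, now):
        """Steps 1 and 2: verify 'something they know', then mail a one-time link."""
        acct = self._accounts.get(username)
        # normalise the answer so 'Red ' and 'red' match; one False for every failure
        # so the response does not reveal whether the user or the answer was wrong
        if acct is None or acct[1] != self._h(answer.strip().lower()):
            return False
        token = secrets.token_urlsafe(32)        # the GUID carried in the link
        # only a hash of the token is kept: a leaked pending table cannot be replayed
        self._pending[self._h(token)] = (username, now + RESET_LINK_TTL)
        self.outbox.append((acct[0], f"https://example.invalid/reset?token={token}"))
        return True

    def complete_reset(self, token, new_password, now):
        """Step 3: the link is clicked; the token must be known, unexpired and unused."""
        entry = self._pending.pop(self._h(token), None)   # pop makes the link single-use
        if entry is None:
            return False
        username, expires_at = entry
        if now >= expires_at:
            return False
        self.passwords[username] = new_password
        return True
```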
Assisted Password Reset
Another option is the assisted password reset – this uses the same information as the self-service password reset, but instead of interacting with a system the user interacts with a helpdesk person, who enters the answers to the security questions into an application. At this point, a new password is generated known to both the helpdesk person and the user, but when the user logs in the next time, the system requires a new valid password to be provided before access will be granted.
Single Sign-On
A third option is single sign-on (SSO). Like password synchronization, SSO keeps all passwords the same across multiple systems. But where password synchronization requires each system to maintain its own credential set (just kept in sync), SSO provides a single infrastructure to manage credentials that all systems leverage. SSO is not without its problems though – it can be very expensive to implement, and becomes a single point of failure and possible bottleneck. Older systems may also lack the hooks to plug in an SSO solution. And like password synchronization, SSO creates a vulnerability in which an attacker can access multiple systems with a single set of credentials.
While we are on the subject of SSO, let’s think back to the idea of directory services we touched on in Identity Management. A directory service provides the single infrastructure required for SSO – if it is based on the X.500 standard, the LDAP protocol can be used to authenticate and manage the credentials. Thin clients that do not possess the required amounts of local storage or memory can also authenticate using SSO to a central server or mainframe – this allows the thin client to use multiple services with a single authentication step visible to the user.
Managing Accounts
Account management is the process of creating, modifying and decommissioning user accounts on all appropriate systems. When this is carried out manually, accounts are left in-place too long and too much power is handed out. Some type of automated process is required to effectively manage this activity – one that leverages workflows to model the desired process and can transparently update multiple systems without requiring any type of manual intervention. This results in the following benefits:
• Reduces errors caused by manual data entry
• Each step in the process is tracked and logged (accountability)
• Ensures the appropriate amount of privileges are assigned
• Eliminates orphaned user accounts when employees leave the company
• Makes auditors happy
The downside is that these types of systems are very expensive to implement. But if a longer-term view is taken, the return on investment (ROI) for such a system almost always outweighs the short-term costs. While account management deals with user accounts, user provisioning is the act of creating user objects and attributes – a ‘user account’ includes other metadata such as passwords and auditing, while user objects simply represent the user. Normally a profile is created to accompany a user account, containing such things as addresses, phone numbers and email addresses. If a user is allowed to update their own profile information, then the system offers self-service.
Biometrics
Biometrics is the act of verifying an individual’s identity based on physiological or behavioral attributes. Physiological traits are physical attributes that are unique to the individual such as fingerprints, voice print or retina scan. A behavioral trait is a characteristic of an individual that is not guaranteed to be unique among all people, but sufficiently unique to be used in conjunction with another authentication method. Behavioral traits include handwriting signature, height or a walking gait. A physiological trait is ‘what you are’ while a behavioral trait is ‘what you do’.
A biometric system measures the trait in real-time and compares it to a record created during an earlier enrollment process. The results must be very sensitive yet reliable. When a biometric system fails to properly identify an individual, it can result in two types of errors:
• Type 1 error – rejects an authorized individual
• Type 2 error – accepts an unauthorized individual
The frequency of a type 1 error results in a number called a false rejection rate (FRR). Type 2
frequencies result in a false acceptance rate (FAR). While the ultimate goal is to keep both numbers low, type 2 errors are much more concerning – it is far better for authorized individuals to be occasionally forced to repeat the authentication step, than it is to occasionally provide unauthorized individuals access to the protected resource or facility.
When comparing the accuracy of various biometric systems, it is helpful to have some kind of objective way to measure their respective performance. That is why each system provides a crossover error rate (CER), which measures the point at which the FRR equals the FAR and is expressed as a percentage. For example, a system could be configured to be so sensitive that the FAR is 0%, but at that level the FRR might be 90% – that means no unauthorized individuals are accepted, but it also means that 90% of authorized individuals are rejected as well. The closer to 0% the CER is, the better the overall accuracy. A system with a CER of 3% is better than a system with a CER of 4%. However, an organization very concerned with security might purchase a biometric system with a CER of 3%, but tweak it after installation to lower the FAR to 1% at the expense of raising the FRR to 10% – fewer unauthorized individuals accepted (false positives) at the expense of more authorized individuals rejected (false negatives).
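The FRR, FAR and CER figures above worked through in code, as an added example that is not part of the original text. The two score lists are constructed for the illustration (higher means a closer match to the enrolled template, and a sample is accepted when its score reaches the configured threshold); the functions go slightly beyond the text by sweeping the threshold, which shows the trade-off of tuning a system for a lower FAR at the cost of a higher FRR.

```python
# Constructed match scores, one per authentication attempt (hypothetical data).
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.86, 0.84, 0.80, 0.77, 0.74, 0.70, 0.66]   # authorized users
IMPOSTOR_SCORES = [0.72, 0.68, 0.63, 0.60, 0.58, 0.55, 0.50, 0.47, 0.44, 0.40]  # unauthorized users


def frr(threshold, genuine=GENUINE_SCORES):
    """Type 1 error rate: fraction of authorized attempts rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type 2 error rate: fraction of unauthorized attempts accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, CER): the threshold at which FRR and FAR are closest to equal."""
    candidates = sorted(set(genuine) | set(impostor))     # every score is a possible cut-off
    best = min(candidates, key=lambda t: abs(frr(t, genuine) - far(t, impostor)))
    return best, (frr(best, genuine) + far(best, impostor)) / 2


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-first tuning: the lowest threshold meeting a FAR ceiling, and the FRR paid for it."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None     # no threshold in the data meets the ceiling


if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print(f"CER {cer:.0%} at threshold {t}")
    t0, f0 = threshold_for_max_far(0.0)
    print(f"FAR 0% needs threshold {t0}, costing FRR {f0:.0%}")
```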
During the enrollment process, the biometric system measures the individual’s trait and converts that information into a digital signature which may be hashed. During authentication, the measurement is repeated, and the two values are compared. Obtaining a 100% match rate is unreasonable as many environmental factors such as smudges, misaligned sensors or lighting may affect results from day-to-day.
The various types of biometric data are:
• Fingerprints – a complete record of ridges and valleys on a finger
• Finger scan – certain features of a fingerprint
• Palm scan – fingerprint and the creases, ridges and grooves of the palm
• Hand geometry – the shape, length and width of hand and fingers
• Retina scan – blood-vessel patterns on the back of an eyeball (most invasive)
• Iris scan – the colored portion surrounding the pupil (most accurate)
• Signature dynamics – the speed and movements produced when signing a name
• Keystroke dynamics – the speed and pauses between each keypress as a password is typed
• Voice print – a number of words are recorded during enrollment; during authentication the words are jumbled and the user repeats them to prevent a recording from being played
• Facial scan – bone structure, nose ridge, eye widths, forehead size and chin shape
• Hand topography – a side camera captures the contour of the palm and fingers; not unique enough to be used alone but can often be used with hand geometry
Some biometrics check for a pulse and heat of a body part to ensure it has not been cut off. The downsides of biometric systems are:
• User acceptance – many people feel uncomfortable
• Enrollment timeframe – the enrollment phase may take a long time to reach an acceptable CER level due to tweaking or the individual enrollment process
• Throughput – biometric systems can greatly increase the time required before access is granted; an acceptable elapsed time from start to response is 5 to 10 seconds
• Accuracy over time – living things change
Passwords
As we said earlier, passwords are probably the most common – and weakest – form of authentication. An attacker will try the following tactics to get a password:
• Electronic monitoring – sniffing network traffic or recording keystrokes; if an attacker can capture the network packet containing the encrypted password, he might be able to simply replay the packet later to gain access
• Password file – the authentication server stores passwords in a file of some type; if the attacker gains access to that file, she has the password
• Brute-force attack – use an automated tool to try and login by cycling through many possible combinations of characters, numbers and symbols until a match is found
• Dictionary attack – words in the native language are used to guess the password
• Rainbow table – use all likely passwords in a table already hashed (quicker)
• Social engineering – convince the owner to reveal their password
• After login, show the date/time of the prior successful login, how many unsuccessful attempts were made and the location of the login; the user will be alerted to a possible attack
• After X number of failed attempts within the last Y seconds, lock the account for Z minutes (this is called the clipping level, and temporary locking prevents brute-force, dictionary or rainbow attacks)
• Record an audit trail recording both successful and unsuccessful login attempts, including the date/time, the user ID and the location where the attempt was made
• Limit the lifetime of a password - force the user to change it at recurring intervals (this is called password aging)
• Do not allow previously used passwords to be chosen when changing a password; the last 5-10 passwords should be stored to prevent this.
A password checker should be employed by security to check the strength of passwords, but only after obtaining the proper management permission. The same tool may be used by an attacker, but then it is called a password cracker. Systems should never send passwords in clear text – they should hash them if encryption is not involved. Unix/Linux hashes passwords and stores them in a shadow file, and might add a salt before hashing to further randomize the stored value.
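Several of the countermeasures above combined into one small authentication store, as an added example that is not part of the original text: passwords are kept as salted hashes rather than in clear text, X failed attempts inside Y seconds lock the account for Z minutes (the clipping level), every attempt goes into an audit trail with its source, and the last five password hashes are kept so none can be reused. `AccountStore`, the policy values and the sample credentials are hypothetical, chosen for this illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3            # X failed attempts ...
FAILURE_WINDOW = 60         # ... within the last Y seconds ...
LOCKOUT_SECONDS = 15 * 60   # ... lock the account for Z minutes
HISTORY_DEPTH = 5           # current + previous passwords that may not be reused


def hash_password(password, salt):
    """Salted, deliberately slow hash; the per-user salt defeats precomputed (rainbow) tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical authentication server applying the countermeasures listed above."""

    def __init__(self):
        self._acct = {}   # user -> salt, hash, history, failure timestamps, lock expiry
        self.audit = []   # (timestamp, user, outcome, source): the audit trail

    def create(self, user, password):
        salt = os.urandom(16)
        self._acct[user] = {"salt": salt, "hash": hash_password(password, salt),
                            "history": [], "failures": [], "locked_until": 0}

    def login(self, user, password, now, source="unknown"):
        """Returns True only for a correct password on an account that is not locked."""
        a = self._acct.get(user)
        if a is None:
            self.audit.append((now, user, "unknown-user", source))
            return False
        if now < a["locked_until"]:
            self.audit.append((now, user, "locked", source))
            return False      # locked even if the password is right
        if hmac.compare_digest(hash_password(password, a["salt"]), a["hash"]):
            a["failures"].clear()
            self.audit.append((now, user, "success", source))
            return True
        # keep only the failures inside the sliding window Y, then add this one
        a["failures"] = [t for t in a["failures"] if now - t < FAILURE_WINDOW] + [now]
        if len(a["failures"]) >= MAX_FAILURES:
            a["locked_until"] = now + LOCKOUT_SECONDS
            a["failures"].clear()
            self.audit.append((now, user, "failure-lockout", source))
        else:
            self.audit.append((now, user, "failure", source))
        return False

    def change_password(self, user, new_password):
        """Reject the current password and the stored previous ones (each checked under its own salt)."""
        a = self._acct[user]
        for salt, old_hash in [(a["salt"], a["hash"])] + a["history"]:
            if hmac.compare_digest(hash_password(new_password, salt), old_hash):
                return False
        a["history"] = ([(a["salt"], a["hash"])] + a["history"])[:HISTORY_DEPTH - 1]
        a["salt"] = os.urandom(16)
        a["hash"] = hash_password(new_password, a["salt"])
        return True
```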
There are several methods for a user entering a password to authenticate. We previously discussed cognitive passwords when discussing resetting passwords – these are opinion-based questions that a user answers during enrollment, such as ‘What color was your first car?’. This is an authentication by