
Access Control

6.2 User Access Management

6.2.1 Account Authorization

Account authorization is also known as user registration. Whatever it is called, the function is the same: it is the process by which a new, authorized user is given initial access to a system, and by which the permissions that user will hold on the system are decided. Unfortunately, more often than not, organizations use an ad hoc approach to user registration. It is recommended to have defined policies and procedures that govern new account creation and the access permissions granted with it. Registration is part of most types of access control technology, but it has a larger role where access control is based on digital certificates, because a certificate must be generated for and distributed to the end user, and the user's identity must be verified before it is issued. Part of this process can be automated with a registration authority (RA), which vets certificate requests on behalf of the certification authority that actually signs them.

6.2.2 Access Privilege Management

After a user has been with a company for some time, access permissions may no longer align with current job responsibilities: people change roles and accumulate rights that are never taken away. The information security manager should have a procedure in place to review access permissions on a regular basis and confirm that each permission is appropriate for the user's current job function. The review should also reconcile the accounts on the system against the list of current staff, to make sure that every account has a corresponding user. It is common for users who have left the company to still have valid accounts on the system. As previously mentioned, there should be a procedure in place when an employee is terminated so that access is revoked quickly.

AU1957_C006.fm Page 142 Monday, September 20, 2004 3:23 PM
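The review described above can be made mechanical. The following is an added example, not code from the book: it reconciles a constructed dump of system accounts against a constructed HR roster and an assumed role-to-entitlement matrix, flags accounts with no owner, accounts belonging to terminated staff, and entitlements that exceed the holder's role, and then applies the corresponding revocations. The account names, roles and entitlements are all made up for the illustration.

```python
"""Periodic access review: reconcile system accounts against the HR roster and a
role-to-entitlement matrix. Added example; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed HR roster: username -> (job role, still employed?)
HR_ROSTER = {
    "alice": ("payroll_clerk", True),
    "bob":   ("developer", True),
    "carol": ("developer", False),   # terminated, account never disabled
    "dave":  ("dba", True),
}

# Entitlements each role is allowed to hold (assumed policy, not from the book)
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll_read", "payroll_write"},
    "developer":     {"git_push", "ci_read"},
    "dba":           {"db_admin", "ci_read"},
}

# Constructed dump of accounts as they exist on the system today
SYSTEM_ACCOUNTS = {
    "alice": {"payroll_read", "payroll_write"},
    "bob":   {"git_push", "ci_read", "db_admin"},   # moved off the DBA team, kept db_admin
    "carol": {"git_push", "ci_read"},               # left the company, account still live
    "dave":  {"db_admin", "ci_read"},
    "svc_backup": {"db_admin"},                     # no HR record at all (orphaned)
}

@dataclass
class ReviewFinding:
    account: str
    kind: str                 # "orphaned", "terminated" or "excess"
    detail: set = field(default_factory=set)   # entitlements concerned

def review_access(system_accounts, hr_roster, role_entitlements):
    """Compare each live account with HR data and the role matrix; return findings."""
    findings = []
    for account, entitlements in sorted(system_accounts.items()):
        record = hr_roster.get(account)
        if record is None:
            findings.append(ReviewFinding(account, "orphaned", set(entitlements)))
            continue
        role, employed = record
        if not employed:
            findings.append(ReviewFinding(account, "terminated", set(entitlements)))
            continue
        excess = set(entitlements) - role_entitlements.get(role, set())
        if excess:
            findings.append(ReviewFinding(account, "excess", excess))
    return findings

def revoke(system_accounts, findings):
    """Apply the review: disable orphaned/terminated accounts, strip excess rights.
    Returns a corrected copy of the account map; the input is left untouched."""
    corrected = {name: set(rights) for name, rights in system_accounts.items()}
    for f in findings:
        if f.kind in ("orphaned", "terminated"):
            corrected[f.account] = set()     # disabled: no entitlements remain
        elif f.kind == "excess":
            corrected[f.account] -= f.detail
    return corrected

if __name__ == "__main__":
    found = review_access(SYSTEM_ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS)
    for f in found:
        print(f"{f.account:12} {f.kind:10} {sorted(f.detail)}")
    print(revoke(SYSTEM_ACCOUNTS, found))
```

In a real environment the three inputs come from the directory, the HR system and whatever holds the role matrix; the point of the example is that the review is a set comparison that can run on a schedule, and that "no HR record" and "HR says terminated" are findings in their own right, independent of what rights the account holds.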

6.2.3 Account Authentication Management

In addition to managing ongoing user permissions and revoking accounts that are no longer needed, the information security manager should have a password management scheme in place. Passwords should be changed on a regular basis; the industry standard at the time of writing was around 30 days. The interval should reflect the sensitivity of the information on the system, and it is not uncommon for an organization to change passwords every 90 days or longer. Note that later guidance (NIST SP 800-63B) drops mandatory periodic rotation in favour of longer passwords, screening candidates against lists of known-breached passwords, and forcing a change only on evidence of compromise, so check which regime your policy is meant to follow. In addition to having users change their passwords regularly, passwords should be well selected. A well-selected password will be at least eight characters long, not based on a dictionary word, and contain at least one non-alphanumeric (special) character. The purpose of these criteria is to deny an attacker a quick win with a password-cracking utility. There are two primary types of password-cracking utility: dictionary and brute force. A dictionary password-cracking utility is freely available on the Internet and will have a word list of around 60,000 common words. An attacker will typically begin with the dictionary tool: it is not guaranteed to succeed, but it is much faster than brute force. A brute-force password-cracking tool, also freely available on the Internet, tries every possible combination of characters until it succeeds, so its cost grows exponentially with password length. In recent tests, we have seen that cracking an 11-character password with a brute-force tool over a wide area network can take in excess of a month. This means that with a good password change policy you will change the password before the brute-force utility has had time to break it. That argument only holds for online guessing against a live login, which is slow; an attacker who has captured the password hash file can run the same attack offline at many orders of magnitude more guesses per second, so protecting the hash store (and using a slow, salted hash) matters as much as the change interval.
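The following is an added example, not code from the book, that puts the paragraph above into working form and goes slightly beyond it: a check for the three selection criteria, a dictionary attack and a brute-force attack against a constructed salted SHA-256 hash, and a keyspace calculation showing how the month-long estimate above depends on the guessing rate. The short word list stands in for the 60,000-word lists the text mentions, and the guess rates used in the usage section (100 per second online, 10^9 per second offline) are assumed illustrative figures, not measurements.

```python
"""Password selection rules and the two cracking strategies the text describes.
Added example, not from the book; the word list, salt and hashes are constructed."""
import hashlib
import itertools
import string

# Toy dictionary standing in for the ~60,000-word lists the text mentions (constructed)
WORDLIST = ["password", "letmein", "welcome", "dragon", "summer2004", "qwerty", "monkey"]

def check_password_policy(pw, wordlist=WORDLIST, min_len=8):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Crude "based on a dictionary word" test: the password, or the password with
    # trailing digits removed ("dragon1"), is itself a list entry.
    lowered = pw.lower()
    if lowered in wordlist or lowered.rstrip(string.digits) in wordlist:
        problems.append("is a dictionary word")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special (non-alphanumeric) character")
    return problems

def hash_password(pw, salt):
    # A fast hash is used so the attacks below finish instantly; a real password
    # store should use a deliberately slow KDF (bcrypt, scrypt, Argon2, PBKDF2).
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def dictionary_attack(target, salt, wordlist=WORDLIST):
    """Try each word in the list; cost is at most len(wordlist) hashes."""
    for word in wordlist:
        if hash_password(word, salt) == target:
            return word
    return None

def brute_force_attack(target, salt, charset, max_len):
    """Try every string over charset up to max_len; returns (password, guesses tried).
    The number of candidates grows as len(charset) ** length."""
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target:
                return candidate, tried
    return None, tried

def brute_force_seconds(charset_size, length, guesses_per_second):
    """Worst-case seconds to exhaust the keyspace at a given guess rate."""
    return charset_size ** length / guesses_per_second

if __name__ == "__main__":
    salt = b"constructed-salt"
    print(check_password_policy("dragon"), check_password_policy("Tr0ub4dor&3"))
    # 'dragon' falls to the word list in a handful of hashes ...
    print(dictionary_attack(hash_password("dragon", salt), salt))
    # ... while even a 4-digit PIN costs up to 10**4 guesses by brute force
    print(brute_force_attack(hash_password("7313", salt), salt, string.digits, 4))
    # 95 printable ASCII symbols; assumed rates: 100/s online, 10**9/s offline
    for n in (8, 11):
        online = brute_force_seconds(95, n, 100) / 86400
        offline = brute_force_seconds(95, n, 10**9) / 86400
        print(f"{n} chars: {online:.3g} days online, {offline:.3g} days offline")
```

Run stand-alone, the last loop makes the text's point and its limit: at online rates an 8-character password from the full printable set already takes far longer than any rotation interval, while at offline rates the same password falls in weeks and only the 11-character one remains out of reach.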

With the common end user having, on average, eight-character passwords to remember for a number of information technology resources, it can be difficult for him or her to remember all of them while keeping each one sufficiently long and unique and changing them every 30 days. There is a technology available to help the information security manager and the end user with password management: single sign-on. The advantage of single sign-on is that each user has only one password to remember for access to all network resources. This allows the administrator to make that password both more complex and more frequently changed without a large increase in the number of help desk calls from users who have forgotten their passwords. Single sign-on has been much debated over the past few years and is often still thought of as a mythical technology. In actuality, true single sign-on may not be possible, but reduced sign-on is a very real possibility.

There are two primary approaches to single sign-on: script-based and host-based. With script-based single sign-on, the user logs in to the primary network operating system, which then runs a log-in program, often called a log-in script, that authenticates the user to the other systems on the network. The disadvantage of this type of single sign-on is that the password stored in the log-in script is usually stored in plaintext, meaning no encryption protects the password in the file: any entity that can read the file can recover the username and password for that user. Also, these username and password combinations are often transmitted on the network in plaintext, which allows any malicious user with a network sniffer to capture them. A network sniffer (see Figure 6.1) is a utility, available for free on the Internet, that reads all the network packets on a network segment. It can be used for troubleshooting, but it can also be used maliciously to record log-in attempts.

FIGURE 6.1 Network Sniffer

The second type of single sign-on implementation is much more commonly used than the script-based method. It is known as host-based single sign-on because it uses a centralized authentication server, or host. The user logs in to the authentication server and, when the user tries to access other network resources, those applications contact the authentication server to verify the user's access. Many protocols can be used for this type of single sign-on; the most common are Kerberos and RADIUS. Less widely used alternatives include SESAME and Diameter, the successor to RADIUS. These protocols keep the password off the wire in different ways: Kerberos never transmits the password at all but proves possession of a key derived from it, while RADIUS only obscures the password attribute with an MD5-based scheme keyed by the shared secret, so in practice it is carried inside a protected channel (an EAP method or RADIUS over TLS) rather than relied on by itself. Either way, a network sniffer on the segment no longer yields a usable username and password.
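The difference between the two approaches is clearest in what a sniffer on the segment would record. The following is an added example, not the book's code and not an implementation of Kerberos or RADIUS: the host-based side is a minimal ticket scheme with the property the text describes, namely that resource servers verify a credential issued by a central host and never handle the password. It verifies tickets locally with a key shared with the authentication server rather than calling back to it, which is the Kerberos service-ticket shape rather than the RADIUS call-back shape. The usernames, password, host names and messages are all constructed; the single password exchange with the authentication server is assumed to travel over a protected channel and is therefore not added to the constructed capture.

```python
"""Script-based versus host-based single sign-on, reduced to what a sniffer on the
segment would see. Added example, not from the book and not Kerberos or RADIUS;
all names, keys and messages are constructed."""
import hashlib
import hmac
import json
import os
import time

WIRE = []   # constructed "capture": every payload that crosses the network segment

def send(src, dst, payload):
    WIRE.append((src, dst, payload))
    return payload

# --- Script-based SSO: a login script holds the password and replays it ---
LOGIN_SCRIPT = {"user": "alice", "password": "Tr0ub4dor&3"}   # plaintext on disk

def script_based_login(hosts):
    """The script authenticates to every host with the same stored password."""
    for host in hosts:
        send("workstation", host,
             f"USER {LOGIN_SCRIPT['user']} PASS {LOGIN_SCRIPT['password']}".encode())

# --- Host-based SSO: one authentication server, tickets for everything else ---
class AuthServer:
    ITER = 100_000

    def __init__(self):
        self.users = {}      # user -> (salt, PBKDF2 hash)
        self.keys = {}       # resource server name -> key shared with it out of band
        self.sessions = {}   # session id -> user

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITER)

    def register_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))

    def enroll_server(self, name):
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def login(self, user, password):
        """One password check per session. Assumed to run over a protected channel
        (Kerberos never transmits the password at all), so it is not put on WIRE."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[1], self._derive(password, record[0])):
            return None
        session = os.urandom(16).hex()
        self.sessions[session] = user
        return session

    def ticket_for(self, session, audience, ttl=300):
        """Issue a ticket bound to one resource server, MACed with that server's key."""
        user = self.sessions.get(session)
        if user is None or audience not in self.keys:
            return None
        body = json.dumps({"sub": user, "aud": audience, "exp": int(time.time()) + ttl}).encode()
        tag = hmac.new(self.keys[audience], body, "sha256").hexdigest().encode()
        return body + b"." + tag

class ResourceServer:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket):
        """Check MAC, audience and expiry locally; the password is never seen here."""
        body, sep, tag = ticket.rpartition(b".")
        if not sep:
            return False
        expected = hmac.new(self.key, body, "sha256").hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False
        claims = json.loads(body)
        return claims["aud"] == self.name and claims["exp"] > time.time()

def host_based_login(auth, user, password, servers):
    """Authenticate once, then present a per-server ticket to each resource server."""
    session = auth.login(user, password)
    if session is None:
        return None
    return {s.name: s.accept(send("workstation", s.name, auth.ticket_for(session, s.name)))
            for s in servers}

if __name__ == "__main__":
    script_based_login(["fileserver", "mailserver"])
    auth = AuthServer()
    auth.register_user("alice", "Tr0ub4dor&3")
    servers = [ResourceServer(n, auth.enroll_server(n)) for n in ("fileserver", "mailserver")]
    print(host_based_login(auth, "alice", "Tr0ub4dor&3", servers))
    for src, dst, payload in WIRE:
        print(f"{src} -> {dst}: {payload[:60]!r}", "<-- password exposed" if b"PASS " in payload else "")
```

Run stand-alone, the capture shows the password twice for the script-based login and not at all for the host-based one; a ticket captured from the wire is useless against any server other than its audience and expires on its own, which is the practical gain the text attributes to the host-based approach.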

6.3 System and Network Access Control