Categories of Access Control

The two categories of access controls are

• System access controls: Controls in this category protect the entire system and provide a first line of defense for the data contained on the system.

• Data access controls: Controls in this category are specifically implemented to protect the data contained on the system.

System access controls

System access controls are the hard and crunchy outside of a system, providing the first line of defense in information security. They protect systems and information by restricting access to the system.

Although system access controls can provide complete authentication, authorization, and accountability (AAA), it’s authentication for which they are renowned.

Authentication can be based on any of three factors.

• Something you know, such as a password or a personal identification number (PIN): This concept is based on the assumption that only the owner of the account knows the secret password or PIN needed to access the account. Of course, passwords are often shared, stolen, guessed, or otherwise compromised.

• Something you have, such as a smart card or token: This concept is based on the assumption that only the owner of the account has the necessary key to unlock the account. Of course, keys are often lost, stolen, borrowed, or duplicated.

• Something you are, such as fingerprint, voice, retina, or iris characteristics: This concept is based on the assumption that the finger or eyeball attached to your body is actually yours and uniquely identifies you. Of course, fingers and eyes can be lost or. . . . Actually, the major drawback
  with this authentication mechanism is acceptance - people are uneasy about using these systems.

 Instant Answer   Authentication is based on something you know, something you have, or something you are.

Two-factor authentication requires two of these three authentication factors for authentication. Three-factor authentication requires all three factors for authentication.

 Warning   A commonly cited example of an access control system that uses two-factor authentication is an automatic teller machine (ATM) card and a PIN. Purists might argue that the ATM card is actually a form of identification that you present to the ATM machine to establish your identity and that the PIN is the only authentication factor involved; thus, this doesn’t provide two-factor authentication. Save this debate for engaging conversation at a wild party. For the CISSP exam, this scenario is considered two-factor authentication.

Identification and authentication

The various identification and authentication (I&A) techniques that we discuss in this section include passwords/passphrases and PINs (knowledge-based), biometrics and behavior (characteristic-based), one-time passwords, tokens, and single sign-on (SSO).

The identification component is normally a relatively simple mechanism based on a username or, in the case of a system or process, based on a computer name, Media Access Control (MAC) address, Internet Protocol (IP) address, or Process ID (PID). The only requirements for identification are that it must uniquely identify the user and shouldn’t identify that user’s role or relative importance in the organization (there should be no labels like accounting or ceo). Common or shared accounts, such as root, admin, or system, should be avoided. Such accounts provide no accountability and are prime targets for a hacker.

 Instant Answer   Identification is the act of claiming a specific identity. Authentication is the act of verifying that identity.

“Polly wanna hacker?”

The distinction between hackersand crackers is now more commonly understood, particularly within the security community, but to ensure that there is absolutely no confusion, we shall do our civic duty here and make the distinction: Hacker=good, Cracker=bad. Hackers perform a vital role in the Internet and computing community by helping to debug source code, identify vulnerabilities, and improve software development - all of which serve the greater good. Conversely, crackers typically include script kiddies, cyberpunks, cyberterrorists, common criminals, and other vermin . . . all motivated by less noble causes.

The term hackeris commonly used to describe both hackers and crackers in general, much as the words he or him are sometimes used to describe males and females generally.

Passwords and passphrases

“A password should be like a toothbrush. Use it everyday; change it regularly; and DON’T share it with friends.” –USENET

Passwords are easily the most common authentication mechanism in use today. Although more advanced and secure authentication technologies are available, including tokens and biometrics, they’re typically used as supplements to or in combination with - rather than as replacements for - traditional usernames and passwords.

A passphrase is a variation on passwords that uses a sequence of characters or words rather than a single password. Although they’re generally more difficult to break than regular passwords, they’re also inconvenient to enter and share the same problems associated with passwords.

The CISSP candidate should understand the general problems associated with passwords as well as common password controls and management features.

Problems with passwords/passphrases include:

• Insecure: Passwords are generally insecure for several reasons, including:

  • Human nature: In the case of user-generated passwords, users often choose passwords that are easy to remember and consequently easy to guess (such as a spouse’s or pet’s name, birthday, anniversary, or hobby). Users may also be inclined to write down passwords (particularly system-generated passwords) or share their passwords.

  • Transmission and storage: Many applications and protocols (file transfer protocol [FTP] and PAP, respectively) transmit passwords in clear text. Passwords may also be stored in plain text files or by using a weak hashing algorithm.

• Easily broken: Passwords are susceptible to brute force and dictionary attacks (which we discuss later in this chapter in the section “Methods of attack”) by readily available programs such as Crack, John the Ripper, and l0phtcrack (pronounced loft-crack).

• Inconvenient: Entering passwords can be tiresome for users who are easily agitated. In an attempt to bypass these controls, users may select an easily typed, weak password; they may automate logons (for instance, selecting Remember my password in a browser) or neglect to lock their workstations or to log out when they leave their desks.

• Refutable: Transactions authenticated with only a password don’t necessarily provide absolute proof of a user’s identity. Authentication mechanisms must guarantee non-repudiation, which is a critical component of accountability. (For more on non-repudiation, see the earlier section “Accountability.”)

Passwords have the following login controls and management features that should be configured in accordance with an organization’s security policy and security best practices:

• Length: The longer the better. A password is, in effect, an encryption key. Just as larger encryption keys (such as 128-bit or 256-bit) are better, so too are longer passwords. Systems should be configured to require a minimum password length of 6–8 characters.

• Complexity: Strong passwords contain a mix of upper-and lowercase letters, numbers, and special characters such as # and $. Be aware that certain special characters may not be accepted by some systems or may perform special functions (that is to say, in terminal emulation software).

• Aging: Maximum password aging should be set to require passwords at regular intervals: 30, 60, or 90 days is usually recommended. Minimum password aging - one day is usually recommended - should also be set to prevent users from easily circumventing password history controls.

• History: Password history settings (five is usually recommended) allow a system to remember previously used passwords. This security setting prevents users from circumventing maximum password aging by alternating between two or three familiar passwords when required to change their passwords.

• Limited attempts: This control limits the number of unsuccessful log-on attempts and consists of two components: counter threshold (3 is usually recommended) and counter reset (30 minutes is usually recommended).

• Lockout duration: When the counter threshold that we describe in the preceding bullet has been exceeded, the account is locked out. Lockout duration is commonly set to 30 minutes but can be set for any duration. If the duration is set to forever, an administrator must unlock the account. Some systems don’t notify the user when an account has been locked out but instead quietly alert the system administrator to a possible break-in attempt.

• Limited time periods: This control restricts the time of day that a user can log in. For example, limiting users to access during business hours only is very effective. However, this type of control is becoming less common in the modern age of the workaholic with erratic work hours and in the global economy.

• System messages: System messages include the following:

  • Logon banner: Welcome messages invite criminals to access your systems. Disable any welcome message and replace it with a legal warning that requires the user to click OK to acknowledge.

  • Last username: Many popular operating systems display the user-name of the last successful logon. This feature is a convenience for users (who only need to type in their password) and hackers (who only need to crack the password without worrying about matching it to a valid user account). Disable this feature.

  • Last successful logon: After successfully logging onto the system, this message tells the user the last time that he logged on. If the system shows that the last successful logon for a user was Saturday morning at 2 a.m. and the user knows that he couldn’t possibly have logged in at that time because he has a life, he’ll know that his account has been compromised and can report the incident accordingly.

We’re sure that you know many of the following widely available and well-known guidelines for creating more secure passwords:

• Mix upper-and lowercase characters.

• Replace letters with numbers (for example, replace e with 3).

• Combine two words by using a special character.

• Use the first letter from each word of a nonsense phrase from a nonsense song (for example, “Oops! ...I Did It Again” becomes O!Idia).

The problem with these guidelines is that they’re widely available and well known. In fact, hackers use some of these same guidelines to create their aliases or handles: super-geek becomes 5up3rg33k. A password like Qwerty12! satisfies these guidelines, but it’s not really a good password because it’s a relatively simple and obvious pattern. Many dictionary attacks include not only word lists, but also patterns such as these. One solution is to employ a software tool that helps users evaluate the quality of their passwords as they create them. These tools are commonly known as password/passphrase generators or password appraisers.

Personal Identification Numbers (PINs)

A PIN in itself is a relatively weak authentication mechanism because there are only 10,000 possible combinations for a 4-digit numeric PIN. Therefore, some other safeguard is usually used in combination with a PIN. For example, most ATMs confiscate your ATM card after three incorrect PIN attempts. A PIN used with a one-time token password and an account lockout policy is also very effective, allowing a user to attempt only one PIN/password combination per minute and then locking the account after three or five failed attempts as determined by the security policy.

Biometrics and behavior

The only absolute method for positively identifying an individual is to base authentication on some unique physiological or behavioral characteristic of that individual. Physiological characteristics, including fingerprints, hand geometry, and facial features such as retina and iris patterns, are used for biometric identification. Behavioral biometrics are based on measurements and data derived from an action and indirectly measure characteristics of the human body. Behavioral characteristics include voice, signature, and keystroke patterns.

Biometrics are based on the third factor of authentication - something you are. (To read about all three factors, peruse the earlier section “System access controls.”) The concept of I&A is applied slightly differently in biometric access control systems depending on their use, as follows.

• Physical access controls: The individual presents the required biometric characteristic, and the system attempts to identify the individual by matching the input characteristic to its database of authorized personnel. This is also known as a one-to-many search.

• Logical access controls: The user enters a username or PIN (or inserts a smart card) and then presents the required biometric characteristic for verification. The system attempts to authenticate the user by matching the claimed identity and the stored biometric image file for that account. This is also known as a one-to-one search.

The necessary factors for an effective biometrics access control system include

• Accuracy: This is the most important characteristic of any biometric system. The uniqueness of the body organ or characteristic being measured to guarantee positive identification is an important element of accuracy. In common biometric systems today, the only two organs that satisfy this requirement are the fingers/hands and the eyes.

  Another important element of accuracy is the system’s ability to detect and reject forged or counterfeit input data. The accuracy of a biometric system is normally stated as a percentage, in the following terms.

  • False Reject Rate (FRR) or Type I error: Authorized users who are incorrectly denied access, stated as a percentage. Reducing a system’s sensitivity reduces the FRR but increases the False Accept Rate (FAR).

   Instant Answer   The False Reject Rate (or Type I error) is the percentage of authorized users who are incorrectly denied access.

  • False Accept Rate (FAR) or Type II error: Unauthorized users who are incorrectly granted access, stated as a percentage. Increasing a system’s sensitivity reduces the FAR but increases the FRR.

     Instant Answer   The False Accept Rate (or Type II error) is the percentage of unauthorized users who are incorrectly granted access.

  • Crossover Error Rate (CER): The point at which the FRR equals the FAR, stated as a percentage. (See Figure 4-1.) Because FAR and FRR can be adjusted by changing a system’s sensitivity, the CER is considered the most important measure of biometric system accuracy.

    
    Figure 4-1: Use CER to compare FAR and FRR.

     Instant Answer   The Crossover Error Rate (CER) is the point at which the FRR equals the FAR, stated as a percentage.

• Speed and throughput: Speed and throughput describes the length of time required to complete the entire authentication procedure. This includes stepping up to the system; inputting a card or PIN (if required); entering biometric data (such as inserting a finger or hand in a reader, pressing a sensor, aligning an eye with a camera or scanner, speaking a phrase, or signing a name); processing the input data; and opening and closing an access door (in the case of a physical access control system). Another important measure is the initial enrollment time required to create a biometric file for a user account. Generally accepted standards are a speed of less than five seconds, a throughput rate of six to ten per minute, and enrollment time of less than two minutes.

• Data storage requirements: Data storage requirements have become a less significant but still interesting issue because data storage media costs have decreased. Biometric system input file sizes can be as small as 9 bytes or as large as 10,000 bytes, averaging 256–1,000 bytes.

• Reliability: Reliability is an important factor in any system. The system must operate continuously and accurately without frequent maintenance outages.

• Acceptability: Acceptance by users is the biggest hurdle to widespread implementation of biometric systems. Certain privacy and ethics issues arise with the prospect of these systems being used to collect medical or other physiological data about employees. Other factors include intrusiveness of the data collection procedure and required physical contact with common system components, such as pressing an eye against a plastic cup or placing lips close to a microphone for voice recognition.

   Instant Answer   Acceptability by users is the most common problem with biometric systems.

Table 4-1 summarizes the generally accepted standards for the factors described in the preceding list.

Table 4-1: Generally Accepted Standards for Biometric Systems
Open table as spreadsheet

Characteristic	Standard
Accuracy	CER<10%
Speed	5 seconds
Throughput	6–10 minutes
Enrollment time	<2 minutes

Common types of physiological biometric access control systems include

• Finger scan systems: These are the most common biometric systems in use today, accounting for approximately 78 percent of total sales in biometric technology. Finger scan systems analyze the ridges, whorls, and minutiae (bifurcations and ridge endings, dots, islands, ponds and lakes, spurs, bridges, and crossovers) of a fingerprint to create a digitized image that uniquely identifies the owner of the fingerprint.

   Remember   Finger scan systems, unlike fingerprint recognition systems, don’t store an image of the entire fingerprint - only a digitized file describing its unique characteristics. This fact should allay the privacy concerns of most users. See Table 4-2 for general characteristics of finger scan systems.

  Table 4-2: General Characteristics of Finger Scan and Hand Geometry Systems
  Open table as spreadsheet

  Characteristic	Finger Scan	Hand Geometry
  Accuracy	<1%–5% (CER)	<1%–2% (CER)
  Speed	1–7 seconds	3–5 seconds
  File size	~250–1500 bytes	~10 bytes
  Advantages	Non-intrusive, inexpensive	Small file size
  Disadvantages	Sensor wear and tear; may be affected by swelling, injury, or wearing rings	Sensor wear and tear; may be affected by swelling, injury, or wearing rings

• Hand geometry systems: Like finger scan systems, hand geometry systems are also nonintrusive and therefore generally more easily accepted than other biometric systems. These systems are also generally more accurate than finger scan systems and have some of the smallest file sizes compared with other biometric system types. Three-dimensional hand geometry data is acquired by a digital camera that simultaneously captures a vertical and a horizontal image of the subject’s hand. The digitized image records the length, width, height, and other unique characteristics of the hand and fingers. See Table 4-2 for general characteristics of hand geometry systems.

• Retina pattern: These systems record unique elements in the vascular pattern of the retina. Major concerns with this type of system are fears of eye damage from a laser (which is actually only a camera with a focused low-intensity light) directed at the eye and, more feasibly, privacy concerns. Certain health conditions such as diabetes and heart disease are known to cause changes in the retinal pattern, which may be detected by these types of systems. See Table 4-3 for general characteristics of retina pattern systems.

  Table 4-3: General Characteristics of Retina and Iris Pattern Systems
  Open table as spreadsheet

  Characteristic	Retina Pattern	Iris Pattern
  Accuracy	1.5% (CER)	< 0.5% (CER)
  Speed	4–7 seconds	2.5–4 seconds
  File size	~96 bytes	~256–512 bytes
  Advantages	Overall accuracy	Best overall accuracy
  Disadvantages	Perceived intrusiveness; sanitation and privacy concerns	Subject must remain absolutely still; colored contact lenses and glasses cannot be worn; clear contacts are generally okay.

• Iris pattern: These systems are by far the most accurate on any type of biometric system. The iris is the colored portion of the eye surrounding the pupil. The complex patterns of the iris include unique features such as coronas, filaments, freckles, pits, radial furrows, rifts, and striations. The characteristics of the iris, formed shortly before birth, remain stable throughout life. The iris is so unique that even the two eyes of a single individual have different patterns. A camera directed at an aperture mirror scans the iris pattern. The subject must glance at the mirror from a distance of approximately 3–10 inches. It’s technically feasible but perhaps financially infeasible to perform an iris scan from a distance of several feet. See Table 4-3 for general characteristics of iris pattern systems.

Common types of behavioral biometric systems include

• Voice recognition: These systems capture unique characteristics of a subject’s voice and may also analyze phonetic or linguistic patterns. Most voice recognition systems are text dependent, requiring the subject to repeat a specific phrase. This functional requirement of voice recognition systems also helps improve their security by providing two-factor authentication: something you know (a phrase) and something you are (your voice). See Table 4-4 for general characteristics of voice recognition systems.

• Signature dynamics: These systems typically require the subject to sign his name on a signature tablet. Of course, signatures commonly exhibit some slight changes because of different factors and they can be forged. See Table 4-4 for general characteristics of signature dynamic systems.

  Table 4-4: General Characteristics of Voice Recognition and
  Open table as spreadsheet

  Characteristic	Voice Recognition	Signature Dynamics
  Accuracy	<10% (CER)	1% (CER)
  Speed	10–14 seconds	5–10 seconds
  File size	~1,000–10,000 bytes	~1,000–1,500 bytes
  Advantages	Inexpensive; non-intrusive	Non-intrusive
  Disadvantages	Accuracy, speed, file size; affected by background noise, voice changes; can be imitated	Signature tablet wear and tear; speed; can be forged

 Tip   In general, the CISSP candidate doesn’t need to know the specific characteristics and specifications of the different biometric systems, but you should know how they compare with other biometric systems. For example, know that iris pattern systems are more accurate than retina pattern systems.

One-time passwords

A one-time password is a password that is valid for one logon session only. A one-time password is considered a dynamic password; that is, it changes at some regular interval or event. Conversely, a static password is a password that is the same for each logon. Similar to the concept of a one-time pad in cryptography (which we discuss in Chapter 8), a one-time password provides maximum security for access control.

 Cross-Reference   Two examples of one-time password implementations are tokens (which we discuss in the next section) and the S/Key protocol. The S/Key protocol, developed by Bellcore and defined in RFC 1760, is client/server based and uses MD4 and MD5 to generate one-time passwords (MD4 and MD5 are algorithms used to verify data integrity through the creation of a 128-bit message digest from data input. We discuss both in Chapter 8.)

Tokens

Tokens are access control devices such as key fobs, dongles, smart cards, magnetic cards, and keypad or calculator-type cards that store static passwords (or digital certificates) or generate dynamic passwords. The three general types of tokens are

• Static password tokens: Store a static password or digital certificate.

• Synchronous dynamic password tokens: Continuously generate a new password or passcode at a fixed time intervals (for example, 60 seconds) or event (such as each time that a button is pressed). Typically, the passcode is valid only during a fixed time window (say, two minutes) and only for a single logon (that is, if logging on to more than one system, you must wait for the next passcode).

• Asynchronous (or challenge-response) dynamic password tokens:

Generate a new password or passcode asynchronously by calculating the correct response to a system-generated random challenge string that’s manually entered into the token by its owner.

Tokens provide two-factor authentication ( something you have and something you know) by either requiring the owner to authenticate to the token first or by requiring that a secret PIN is entered along with the generated password. Both RADIUS and Terminal Access Controller Access Control System (TACACS+; which we discuss later in the upcoming section “Centralized access controls”) support various token products.

 Instant Answer   Tokens can be used to generate one-time passwords and provide two-factor authentication.

Single sign-on (SSO)

The concept of single sign-on (SSO) addresses a common problem for users and security administrators alike.

From the security administrator’s perspective, multiple accounts mean multiple vulnerabilities. Every account that exists in a system, network, or application is a potential point of unauthorized access. Multiple accounts belonging to a single user represent an even greater vulnerability:

• Users that require access to multiple systems or applications must often maintain numerous different passwords. This inevitably leads to shortcuts in creating and recalling passwords; weak passwords with only slight variations are used and more likely to be written down.

• Multiple accounts also affect user productivity (and sanity!). Someone has to create and maintain accounts; supporting, removing, resetting, and disabling passwords, as well as unlocking accounts.

 Cross-Reference   See Chapter 8 for a review of the basics of cryptography.

Alas, SSO is that great Utopian solution that users and security administrators alike thirst for and seek. SSO allows a user to present a single set of logon credentials, typically to an authentication server, which then transparently logs the user on to all other enterprise systems and applications for which that user is authorized. Of course, SSO is not without disadvantages, which include

• Woo-hoo!: After you’re authenticated, you’ve got the keys to the kingdom. Read that as unrestricted access to all authorized resources!

• Labor intensive: SSO can be difficult and time consuming to implement. But, hey - that’s why you get paid (or should get paid) the big bucks!

SSO is commonly implemented by third-party ticket-based solutions, including

• Kerberos: Kerberos, commonly used in the Sun Network File System (NFS) and Windows 2000, is perhaps the most popular ticket-based authentication protocol in use today. Kerberos is named for the fierce, three-headed dog that guards the gates of Hades in Greek mythology (not to be confused with Ker-beer-os, the fuzzy, six-headed dog sitting at the bar that keeps looking better and better!). This protocol is an open systems protocol that was developed at the Massachusetts Institute of Technology (MIT, also known as Millionaires in Training) in the mid-1980s. The CISSP exam requires a general understanding of Kerberos operation. Unfortunately, Kerberos is a complex protocol with many different implementations and no simple explanation. The following step-by-step discussion is a basic description of Kerberos operation:

  1.  Cross-Reference   The Kerberos client prompts the subject (such as a user) for identification and authentication (username and password). Using the authentication information (password), the client temporarily generates and stores the subject’s secret key by using a one-way hash function and then sends the subject’s identification (username) to the Key Distribution Center (KDC). (See Chapter 8 for a discussing of hash functions.) The password/secret key is not sent to the KDC. See Figure 4-2.

     
     Figure 4-2: Kerberos: Logon initiation (Step 1).

  2. The KDC Authentication Service (AS) verifies that the subject (known as a principal) exists in the KDC database. The KDC Ticket Granting Service (TGS) then generates a Client/TGS Session Key encrypted with the subject’s secret key, which is known only to the TGS and the client (temporarily). The TGS also generates a Ticket Granting Ticket (TGT), comprising the subject’s identification, the client network address, the valid period of the ticket, and the Client/TGS Session Key. The TGT is encrypted by using the secret key of the TGS server, which is known only to the TGS server. The Client/TGS Session Key and TGT are then sent back to the client. See Figure 4-3.

     
     Figure 4-3: Kerberos: Client/TGS Session Key and TGT generation (Step 2).

  3. The client decrypts the Client/TGS Session Key with the secret key that was generated by using the subject’s password, authenticates the subject (user), and then erases the stored secret key to avoid possible compromise. The TGT, which was encrypted with the secret key of the TGS server, cannot be decrypted by the client. See Figure 4-4.

     
     Figure 4-4: Kerberos: Logon completion (Step 3).

  4. When the subject requests access to a specific object (such as a server, also known as a principal), it sends the TGT, the object identifier (such as a server name), and an authenticator to the TGS server. The authenticator is a separate message that contains the client ID and a timestamp, and using the Client/TGS Session Key encrypts it. See Figure 4-5.

     
     Figure 4-5: Kerberos: Requesting services (Step 4).

  5. The TGS server generates both a Client/Server Session Key, which is encrypted by using the Client/TGS Session Key, and a Service Ticket, which comprises the subject’s identification, the client network address, the valid period of the ticket, and the Client/Server Session Key. The Service Ticket is encrypted by using the secret key of the requested object (server), which is known only to the TGS server and the object. The Client/Server Session Key and Service Ticket are then sent back to the client. See Figure 4-6.

     
     Figure 4-6: Kerberos: Client/ Server Session Key and Service Ticket generation (Step 5).

  6. The client decrypts the Client/Server Session Key by using the Client/Server TGS Key. The Service Ticket, which was encrypted with the secret key of the requested object, cannot be decrypted by the client. See Figure 4-7.

     
     Figure 4-7: Kerberos: Decrypt Client/ Server Session Key (Step 6).

  7. The client can then communicate directly with the requested object (server). The client sends the Service Ticket and an authenticator to the requested object (server). The authenticator, comprising the subject’s identification and a timestamp, is encrypted by using the Client/Server Session Key that was generated by the TGS. The object (server) decrypts the Service Ticket by using its secret key. The Service Ticket contains the Client/Server Session Key, which allows the object (server) to then decrypt the authenticator. If the subject identification and timestamp are valid (according to the subject identification, client network address, and valid period specified in the Service Ticket), then communication between the client and server is established. The Client/Server Session Key is then used for secure communications between the subject and object. See Figure 4-8.

     
     Figure 4-8: Kerberos: Client/ Server communications (Step 7).

• SESAME: The Secure European System and Applications in a Multi-vendor Environment (SESAME) project, developed by the European Computer Manufacturer’s Association (ECMA), is a ticket-based system, like Kerberos, with some additional security enhancements. It uses public key cryptography to distribute secret keys, incorporates a trusted authentication server at each host, employs MD5 and CRC-32 one-way hash functions, and uses two separate certificates (or tickets) to provide authentication and define access privileges.

   Cross-Reference   See Chapter 8 for more information on one-way hash functions.

• KryptoKnight: Developed by IBM, KryptoKnight is another example of a ticket-based SSO authentication system that establishes peer-to-peer relationships between the Key Distribution Center (KDC) and its principals.

 Instant Answer   Kerberos, SESAME, and KryptoKnight are three examples of ticket-based authentication protocols that provide SSO services.

Methodologies and implementation

Access control methodologies are generally classified as either centralized or decentralized. Within each of these classifications, numerous protocols and models are available for implementation. For the CISSP exam, you should be able to identify the various protocols and models used in centralized and decentralized access control systems.

Centralized access controls

Centralized access control systems maintain user account information in a central location. Examples of centralized access control systems and protocols commonly used for authentication of remote users include

• LDAP: Lightweight Directory Access Protocol (LDAP) is both an IP protocol and a data model. LDAP (pronounced EL-dap) is used to support authentication and directory functions for both persons and resources. Several vendors have implemented LDAP, including

  • Active Directory from Microsoft

  • eTrust Directory from CA

  • Apache Directory Server

  • Novell eDirectory

  • IBM SecureWay and Tivoli Directory Server

  • Sun Directory Server

  Several open source versions of LDAP are also available, including OpenLDAP and tinyldap.

• RAS: Remote Access Service (RAS) servers utilize the Point-to-Point Protocol (PPP) to encapsulate IP packets and establish dial-in connections over serial and ISDN links. PPP incorporates the following three authentication protocols:

  • PAP: The Password Authentication Protocol (PAP) uses a two-way handshake to authenticate a peer to a server when a link is initially established. PAP transmits passwords in clear text and provides no protection from replay or brute force attacks.

  • CHAP: The Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake to authenticate both a peer and server when a link is initially established and, optionally, at regular intervals throughout the session. CHAP requires both the peer and server to be preconfigured with a shared secret that must be stored in plain text. The peer uses the secret to calculate the response to a server challenge by using an MD5 one-way hash function. MS-CHAP, a Microsoft enhancement to CHAP, allows the shared secret to be stored in an encrypted form.

  • EAP: The Extensible Authentication Protocol (EAP) adds flexibility to PPP authentication by implementing various authentication mechanisms including MD5-challenge, S/Key, generic token card, digital certificates, and so on. EAP is implemented in many wireless networks.

• RADIUS: The Remote Authentication Dial-In User Service (RADIUS) protocol is an open-source, User Datagram Protocol-(UDP) based client-server protocol. Defined in the RFC 2058 and 2059, RADIUS provides authentication and accountability. A user provides username/password information to a RADIUS client by using PAP or CHAP. The RADIUS client encrypts the password and sends the username and encrypted password to the RADIUS server for authentication.

  Note: Passwords exchanged between the RADIUS client and RADIUS server are encrypted, but passwords exchanged between the PC client and the RADIUS client are not necessarily encrypted - if using PAP authentication, for example. However, if the PC client happens to also be the RADIUS client, all password exchanges will be encrypted regardless of the authentication protocol being used.

• Diameter: This next-generation RADIUS protocol overcomes RADIUS’ deficiencies. Diameter is backward compatible with RADIUS and provides an upgrade path for RADIUS-based environments. Diameter is not an acronym, but a pun on the term RADIUS (in geometry, the diameter of a circle is twice its radius).

• TACACS: The Terminal Access Controller Access Control System (TACACS) is a UDP-based access control protocol, originally developed for the MILNET (U.S. Military Network), which provides authentication, authorization, and accountability (AAA). The original TACACS protocol has been significantly enhanced, primarily by Cisco, as XTACACS (no longer used) and TACACS+ (which is the most common implementation of TACACS). TACACS+ is TCP-based (port 49) and supports practically any authentication mechanism (PAP, CHAP, MS-CHAP, EAP, token cards, Kerberos, and so on). The basic operation of TACACS+ is similar to RADIUS, including the caveat about encrypted passwords between client and server. The major advantages of TACACS+ are its wide support of various authentication mechanisms and granular control of authorization parameters. RADIUS and TACACS+ use dynamic passwords and TACACS uses static passwords.

 Instant Answer   LDAP, RAS (PAP and CHAP), RADIUS, Diameter, and TACACS are examples of centralized access control for remote access.

Decentralized access controls

Decentralized access control systems maintain user account information in separate locations by different administrators throughout an organization or enterprise. Examples of decentralized access control systems include

• Multiple domains and trusts: A domain is a collection of users, computers, and resources (such as printers) with a common security policy and single administration. In smaller organizations, a single domain may be defined; this is considered a centralized access control. However, larger organizations or enterprises typically establish multiple domains along organizational or geographical boundaries, such as separate Marketing, Accounting, Sales, and Research domains, or separate Chicago, Seattle, Paris, and Tokyo domains. One-way trust relationships or trust models facilitate communications between multiple domains. For example, if the Marketing domain explicitly trusts the Research domain, then all users in the Research domain are permitted access to resources in the Marketing domain. Unless a trust relationship in the reverse direction is established (Research trusts Marketing), users in the Marketing domain can’t access resources in the Research domain.

•  Cross-Reference   Databases: Access to databases is controlled through a database management system (DBMS). A DBMS restricts access by different subjects (users) to various objects (such as data and operations) in a database. A view is a logical operation that can be used to restrict access to specific information in a database, hide attributes, and restrict queries available to a user. Views are a type of constrained user interface that restricts access to specific functions by not allowing a user to request it. We cover additional database security methods in Chapter 7.

 Instant Answer   A database view is a type of constrained user interface.

Methods of attack

Gaining access (getting through that hard and crunchy outside) to a system or network is a hacker’s first objective. Several methods of attack are commonly used against access control systems, including

• Brute force or dictionary attack: With this method, the attacker attempts every possible combination of letters, numbers, and characters to crack a password, passphrase, or PIN. A dictionary attack is essentially a more focused type of brute force attack in which a predefined word list is used. Such word lists or dictionaries, including foreign language and special-interest dictionaries, are widely available on the Internet for use in password-cracking utilities such as l0phtcrack and John the Ripper.

• Buffer or stack overflow: Buffer overflows constitute the most common and successful type of computer attacks today. Although often used in denial-of-service attacks, buffer overflows in certain systems or applications may enable an attacker to gain unauthorized access to a system or directory. A teardrop attack is a type of stack overflow attack that exploits vulnerabilities in the IP protocol.

• Man-in-the-middle attacks: This method involves an attacker intercepting messages between two parties and forwarding a modified version of the original message. For example, an attacker may substitute his own public key during a public key exchange between two parties. The two parties believe that they’re still communicating with each other and unknowingly encrypt messages by using the attacker’s public key rather than the intended recipient’s public key. The attacker can then decrypt secret messages between the two parties, modify their contents as desired, and send them on to the unwary recipient.

• Packet (or password) sniffing: In this method, an attacker uses a sniffer to capture network packets and analyze their contents, such as usernames/passwords and shared keys.

• Session hijacking: This method is similar to a man-in-the-middle attack except that the attacker impersonates the intended recipient instead of modifying messages in transit.

• Social engineering: This low-tech method is one of the most effective and easily perpetrated forms of attack. Common techniques involve dumpster diving, shoulder surfing, raiding cubicles (passwords on monitors and under mouse pads), and plain ol’ asking. This latter brazen technique can simply be the attacker calling a user, pretending to be a system administrator and asking for the user’s password, or calling a help desk pretending to be a user and asking to have the password changed.

Data access controls

Data access controls are, well, the hard and crunchy middle. Probably not your favorite candy, something like a freeze-dried Cadbury’s Creme Egg, but effective information security requires defense in depth.

Data access controls protect systems and information by restricting access to system files and user data based on object (user) identity. Data access controls also provide authorization and accountability, relying on system access controls to provide identification and authentication.

Access control techniques

Data access control techniques are generally categorized as either discretionary or mandatory. The CISSP candidate must fully understand the concept of discretionary and mandatory access controls and be able to describe specific access control methods under each category.

Discretionary access control

A discretionary access control (DAC) is an access policy determined by the owner of a file (or other resource). The owner decides who is allowed access to the file and what privileges they have.

 Instant Answer   In DAC, the owner determines the access policy.

Two important concepts in DAC are

• File and data ownership: Because the access policy is determined by the owner of the resource (including files, directories, data, system resources, and devices), every object in a system must have an owner. Theoretically, an object without an owner is left unprotected. Normally, the owner of a resource is the person who created the resource (such as a file or directory), but in certain cases, the owner may need to be explicitly identified as an administrative function.

• Access rights and permissions: These are the controls that an owner can assign to individual users or groups for specific resources. Various systems (Windows-based, UNIX-based, and Novell-based) define different sets of permissions that are essentially variations or extensions of three basic types of access:

  • Read (R): The subject can read contents of a file or list contents of a directory.

  • Write (W): The subject can change the contents of a file or directory (including add, rename, create, and delete).

  • Execute (X): If the file is a program, the subject can run the program.

Access control lists (ACLs) provide a flexible method for applying discretionary access controls. An ACL lists the specific rights and permissions that are assigned to a subject for a given object.

 Remember   ACLs are implemented differently on various operating systems. Although the CISSP exam doesn’t directly test your knowledge of specific operating systems or products, you should be aware of this fact. Also, understand that ACLs in this context are different from ACLs used on routers, which have nothing to do with DAC.

Role-based access control is another method for implementing discretionary access controls. Role-based access control assigns group membership based on organizational or functional roles. Individuals may belong to one or many groups (acquiring cumulative permissions or limited to the most restrictive set of permissions for all assigned groups), and a group may contain only a single individual (corresponding to a specific organizational role assigned to one person). Access rights and permissions for objects are assigned to groups rather than (or in addition to) individuals. This strategy greatly simplifies the management of access rights and permissions.

Major disadvantages of discretionary access control techniques include

• Lack of centralized administration

• Dependence on security-conscious resource owners

• Many popular operating systems defaulting to full access for everyone if the owner doesn’t explicitly set permissions

• Difficult, if not impossible, auditing

Mandatory access control

A mandatory access control (MAC) is an access policy determined by the system rather than the owner, in contrast to DAC. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. Two important concepts in MAC are

•  Cross-Reference   Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned. A subject’s sensitivity label specifies its level of trust. An object’s sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object. For example, a user (subject) with a Top Secret clearance (sensitivity label) is permitted access to a file (object) with a Secret classification level (sensitivity label) because her clearance level exceeds the minimum required for access. We discuss classification systems in Chapter 6.

• Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.

 Instant Answer   In MAC, the system determines the access policy.

Rule-based access control is one method for applying mandatory access control. Actually, all MAC-based systems implement a simple form of rule-based access control by matching an object’s sensitivity label and a subject’s sensitivity label to determine whether access should be granted or denied. Additional rules can be applied by using rule-based access control to further define specific conditions for access to a requested object.

Lattice-based access controls are another method for implementing mandatory access controls. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object. This model can be used for complex access control decisions involving multiple objects and/or subjects. For example, given a set of files with multiple classification levels, the lattice model determines the minimum clearance level that a user requires to access all the files.

Major disadvantage of mandatory access control techniques include

• Lack of flexibility

• Difficulty in implementing and programming

• User frustration

Access control models

Models are used to express access control requirements in a theoretical or mathematical framework that precisely describes or quantifies its function. Common access control models include Bell-LaPadula, Biba, Clark-Wilson, noninterference, access matrix, and information flow. We introduce these models in the following sections and also cover them more in Chapter 9.

Bell-LaPadula (Basic security theorem)

Published in 1973, the Bell-LaPadula model was the first formal confidentiality model of a mandatory access control system. Bell-LaPadula is a state machine model that addresses only the confidentiality of information. A secure state is defined and maintained during transitions between secure-states. The basic premise of Bell-LaPadula is that information cannot flow downward. Bell-LaPadula defines the following two properties:

• simple security property (ss property): A subject cannot read information from an object with a higher sensitivity label ( no read up, or NRU).

• *-property (star property): A subject cannot write information to an object with a lower sensitivity label ( no write down, or NWD).

 Instant Answer   Bell-LaPadula addresses confidentiality.

Biba

Published in 1977, the Biba integrity model (sometimes referred to as Bell-LaPadula upside down) was the first formal integrity model. Biba is a lattice-based model that addresses the first goal of integrity - ensuring that modifications to data are not made by unauthorized users or processes. (For more on lattice-based models, read the earlier section “Mandatory access control.” See Chapter 6 for a complete discussion of the three goals of integrity.) Biba defines the following two properties:

• simple integrity property: A subject cannot read information from an object with a lower integrity level (no read down).

• *-integrity property (star integrity property): A subject cannot write information to an object with a higher integrity level (no write up).

Clark-Wilson

Published in 1987, the Clark-Wilson integrity model establishes a security framework for use in commercial activities, such as the banking industry. Clark-Wilson addresses all three goals of integrity (read more about this in Chapter 6) and identifies special requirements for inputting data based on the following items and procedures:

• Unconstrained data item (UDI): Data outside the control area, such as input data.

• Constrained data item (CDI): Data inside the control area (integrity must be preserved).

• Integrity verification procedures (IVP): Checks validity of CDIs.

• Transformation procedures (TP): Maintains integrity of CDIs.

 Instant Answer   Biba and Clark-Wilson both address integrity.

Noninterference model

A noninterference model, in general, ensures that the actions of different objects and subjects are not seen by and don’t interfere with other objects and subjects on the same system.

Access matrix model

An access matrix model, in general, provides object access rights ( read/write/ execute, or R/W/X) to subjects in a DAC system. An access matrix consists of access control lists (ACLs) and capability lists. (For more on DAC and ACLs, peruse the earlier section “Discretionary access control.”)

Information flow model

An information flow model, in general, is a lattice-based model in which objects are assigned a security class and value and their direction of flow is controlled by a security policy.