Access-Control-Group-4

The document outlines access control mechanisms, including identification, authentication, authorization, and accounting, emphasizing the importance of security principles like least privilege and multi-factor authentication. It discusses various access control models (MAC, DAC, RBAC, ABAC) and physical security measures such as gates, biometrics, and security guards. Additionally, it covers network access management through Active Directory, Privileged Identity Management, and compliance with legal standards like PCI DSS and GDPR.

Uploaded by

Cathyrine Lazona
Access Controls

Access controls seek to provide tools for identification, authentication, authorization, and accounting with regard to a particular resource.
Identification
- The act of identifying an actor, or something that is used to identify an actor.
Authentication
- This step occurs when an identity is confirmed through the use of a specific process. This could be the process through which the private key is used, or perhaps another biometric process such as reading a fingerprint.
Authorization
- Authorization is when an actor is given permission to access a resource. In casual conversation we may assume that authorization is a foregone conclusion once an actor has progressed this far, but in actuality authorization relies on the previous steps being completed and may in fact fail.
Accounting
- Finally, accounting is the process through which a record of access to the resource is kept. Accounting may be a log of users who have signed in and a log of what resources they each accessed.
General Principles and Techniques
Least Privilege
- The principle of least privilege states that an actor should only be given access to resources as necessary, and with the permissions necessary to complete their task. These resources may be processes, programs, or even user accounts.
Multi-factor Authentication (MFA)
- Multi-factor authentication is a technique that requires actors to provide two or more pieces of information to be used as identification. There are many popular products for MFA, most of which are based on the time-based creation of a code. Google Authenticator and Authy are each phone applications which generate codes from a cryptographic seed which is synced with the verifying system.
MAC, DAC, RBAC, and ABAC
- There are several different authorization models that can be used. Mandatory Access Control (MAC) requires all objects (files, directories, devices, etc.) to have a security label that identifies who can access it and how. Discretionary Access Control (DAC) simplifies things by allowing owners of objects to determine which permissions groups/users should be given to that object. Role-Based Access Control (RBAC) builds on DAC and uses a core set of roles within a system to determine who has different levels of access to objects. Attribute-Based Access Control (ABAC) is a newer model that builds on RBAC and uses more general attributes instead of just roles. ABAC can determine who has different levels of access to objects based on the attributes of the object, the user, the action, or even an external context.
Table 2. Comparison between DAC, MAC, RBAC, and ABAC

Factors | DAC | MAC | RBAC | ABAC
Access control to information | Through owner of data | Through fixed rules | Through roles | Through attributes
Access control based on | Discretion of owner of data | Classification of users and data | Classification of roles | Evaluation of attributes
Flexibility for accessing information | High | Low | High | Very high
Access revocation complexity | Very complex | Very easy | Very easy | Very easy
Support for multilevel database system | No | Yes | Yes | Yes
Used in | Initial Unix system | The U.S. Department of Defense | ATLAS experiment in CERN | The Federal government
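The RBAC and ABAC models described above, side by side in an added Python example (not from the slides). The hospital-records data is constructed: RBAC answers from the user's roles alone, while ABAC's rules also consult the object's ward and attending doctor and the hour of the request, so the same doctor can be allowed by RBAC and still denied by ABAC out of hours.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample data for a hospital records system.
# RBAC: users hold roles, roles hold permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"chart:read"},
    "doctor": {"chart:read", "chart:write"},
    "auditor": {"chart:read", "log:read"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"doctor"},
    "bob": {"nurse"},
    "carol": {"auditor"},
}


def rbac_allows(user: str, action: str) -> bool:
    """RBAC decision: granted if any role held by the user carries the
    permission. Nothing about the object or the situation is consulted."""
    roles = USER_ROLES.get(user, set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# ABAC: a request carries attributes of the subject, the object, the action
# and the external context; each rule is a predicate over all four.
@dataclass
class Request:
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: str
    context: Dict[str, object] = field(default_factory=dict)


Rule = Callable[[Request], bool]

ABAC_RULES: List[Rule] = [
    # Clinicians may read charts on their own ward, during the day shift only.
    lambda r: (r.action == "chart:read"
               and r.subject.get("role") in {"doctor", "nurse"}
               and r.subject.get("ward") == r.resource.get("ward")
               and 7 <= int(r.context.get("hour", -1)) < 19),
    # Only the attending doctor for a patient may write to that chart.
    lambda r: (r.action == "chart:write"
               and r.subject.get("role") == "doctor"
               and r.subject.get("id") == r.resource.get("attending")),
]


def abac_allows(req: Request) -> bool:
    """ABAC decision: deny by default, grant if any rule is satisfied."""
    return any(rule(req) for rule in ABAC_RULES)
```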
Physical Access
An organization's building is a large ongoing investment and is often an unexpected security asset or weakness. Most technical security controls can be completely bypassed or disabled if physical security is not taken into account.
Gates
- It is easier to manage the physical security of a location when the number of entry points is limited. Convenience and safety dictate that, even with such considerations, multiple points of ingress are still needed. A security gate is the most basic tool available to ensure that only authorized actors gain access.
- A thorough risk assessment is often the first step in planning where to put gates and what types of gates to use.
Biometrics
Biometric security devices identify people based on one or more physical characteristics. This has the great advantage of convenience.
Biometric traits are often broken into two categories:
• physiological
• behavioral
Key Cards
- Many security measures employ key cards for access to rooms. A key card uses the same form factor as a credit card, making it easy for employees to carry in their wallets or ID holders. Key cards may utilize magnetic stripes or chips (in a similar fashion to credit cards), radio frequency identification (RFID), or near field communication (NFC).
- Basic passive keycards are often subject to skimming and cloning attacks.
Proximity Cards
- The most ubiquitous RFID card, the proximity or prox card, is vulnerable to a very basic cloning attack. The keycard is a passive electronic device, meaning it utilizes a coil as both an antenna and a source of power for its circuit. This has the advantage of not requiring a battery, but the card only works when it is placed in an electromagnetic field, such as near the RFID reader on a door. The RFID reader generates a 125 kHz radio frequency field.
The prox card has a long antenna which spirals around its outside. This antenna is designed to be resonant at 125 kHz; when powered by the field created by the reader, it charges a capacitor and provides current to an IC. The IC then broadcasts the card's ID.
There have been proposals for strengthening RFID systems, including using AES. It is also possible to require another factor of identification in addition to the keycard.
Security Guards
The most versatile assets in any organization are human assets, and the same is true of security guards. Security guards can be used to verify IDs, enforce rules, stop forced entry, and take action as necessary.
Cameras
- Cameras afford the operator an "always on" view of a location. Awareness that all activity is being recorded can persuade attackers to aim for an easier target or not continue with their nefarious actions.
- The "eye in the sky" seems to have the effect of keeping honest people honest, but is often just seen as an obstacle by those intent on breaking the rules. Despite this, cameras do have several technological advantages.
Mantraps
A mantrap is a physical access control that requires one person at a time to enter through a door. Also known as air locks, sally ports, or access control vestibules, mantraps are used to prevent tailgating, or following another person through a secured door.
[Diagram: mantrap sequence. Ready for entry -> keycard reader activated -> keycard accepted -> door 1 closes -> door 2 opens. Labels: Door 1, Door 2, Keycard Access.]
Network Access
Active Directory
- Active Directory (AD) is a directory service typically used in Windows networks to control and track resources. AD is a Microsoft technology that enables centralized network management. Active Directory relies upon the Lightweight Directory Access Protocol (LDAP) for its communications. While AD is probably the largest deployed user of LDAP, other implementations for various operating systems exist, including Apple Open Directory, RH Directory Server, and OpenLDAP. LDAP is often used by internal applications and processes.
Privileged Identity Management (PIM)
Privileged Identity Management (PIM) is a method of managing access to resources such as locations, commands, audit reports, and services. PIM aims to provide more granular access control.
Privileged Access Management (PAM)
- Privileged Access Management (PAM) is a framework for safeguarding identities with advanced capabilities, such as superusers in a *NIX system. PAM is common in the Linux world, where it is used to control how administrators log in.
- PAM supports many more features than the older "become root and perform admin tasks" model. With PAM, passwords can be set to expire, better auditing can be put in place, and privilege escalation can be made temporary.
Identity and Access Management (IAM)
- Identity and Access Management is a framework for managing digital identities. IAM manages the user database, logs when users sign in and out, manages the creation of groups or roles, and allows for the assignment and removal of access privileges.
Unix File Permissions
From its inception, Unix was designed to be a multi-user environment, and as such, a lot of attention was paid to file permissions. Every file in a Unix system has an owner and a group. Each file also has permissions for owner, group, and all users.
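An added Python example (not from the slides) of how the owner/group/other permission bits are actually consulted. The point it shows beyond the paragraph is that the kernel picks exactly one class, owner first, then group, then other, and never unions them, so a mode like 0o007 denies the file's own owner even though "all users" have full access. The uids, gids and modes are constructed sample values.

```python
import stat
from typing import Set


def can_access(mode: int, file_uid: int, file_gid: int,
               uid: int, groups: Set[int], want: str) -> bool:
    """Decide whether a non-root process running as (uid, groups) may do
    `want` ('r', 'w' or 'x') to a file with the given mode, owner and group.
    Unix checks one permission class only, chosen in this order:
      owner bits  if uid is the file's owner,
      group bits  if the file's group is one of the process's groups,
      other bits  otherwise.
    The classes are never combined, so a generous 'other' triple does not
    rescue an owner whose own triple is empty. (uid 0 bypasses r/w checks
    entirely and is deliberately not modelled here.)"""
    bits = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
            "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
            "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if uid == file_uid:
        return bool(mode & bits[0])
    if file_gid in groups:
        return bool(mode & bits[1])
    return bool(mode & bits[2])


def describe(mode: int) -> str:
    """Render the nine permission bits the way `ls -l` shows them,
    e.g. 0o640 -> 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))[1:]


if __name__ == "__main__":
    # Constructed example: /etc/shadow-style file, mode 0640, owner 0, group 42.
    for who, grps in ((0, {0}), (1000, {42}), (1000, {1000})):
        print(who, describe(0o640), "read:", can_access(0o640, 0, 42, who, grps, "r"))
```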
ACLs
- Access Control Lists (ACLs) are used to permit or deny access based on a characteristic. They tend to be based on a simple characteristic and either deny access to anyone not on the list (an allowlist) or deny access to anyone who is on the list (a denylist).
SSH Keys
- Secure Shell Server (SSH) supports the use of asymmetric encryption keys for authentication. Most servers support RSA, DSA, and ECDSA keys, with RSA being the most common. An SSH server maintains a list of authorized keys, typically in ~/.ssh/authorized_keys, that can be used to connect to the server. When a client connects, the SSH server issues a challenge asking the client to sign a random piece of data using their private key.
Sessions and Cookies
- HTTP sessions can also be used to control access to a resource. This is often employed in web applications. Upon successful sign-in, a user is given a cookie with a cryptographically tamper-resistant session ID. Every request the user makes to that site will include that cookie.
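One way to make the session cookie "cryptographically tamper resistant", as an added Python example rather than any particular framework's code: the random session ID and expiry are bound to the user by an HMAC under a server-only key, so a client that edits any field is detected before the payload is trusted. The server key and user names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; a real deployment loads it from
# configuration and never sends it to the client.
SERVER_KEY = b"demo-server-key-do-not-reuse"
SESSION_TTL = 3600  # seconds


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Build the cookie value 'user|session-id|expiry|mac'. The session id
    comes from a CSPRNG so it cannot be guessed; the MAC over the other
    three fields makes the whole value tamper-evident."""
    sid = secrets.token_hex(16)
    payload = f"{user}|{sid}|{now + SESSION_TTL}"
    return f"{payload}|{_mac(key, payload)}"


def read_session(cookie: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired,
    otherwise None. The MAC is verified (in constant time) before any
    field is parsed or believed, so a forged expiry or user is rejected."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, sid, expiry, mac = parts
    if not hmac.compare_digest(_mac(key, f"{user}|{sid}|{expiry}"), mac):
        return None
    if not expiry.isdigit() or now >= int(expiry):
        return None
    return user


if __name__ == "__main__":
    cookie = issue_session("bob", 1000)
    print(cookie)
    print("valid:", read_session(cookie, 1500), "expired:", read_session(cookie, 5000))
```

Binding the cookie to the user name this way means a second user cannot transplant the session ID into their own cookie; revoking a session before expiry still needs a server-side record of issued IDs.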
Single Sign On (SSO)
- Given the ubiquitous nature of web applications, maintaining separate usernames and passwords can be difficult for users. A recent trend has been to support Single Sign On, where one identity provider is used to confirm that users are who they claim to be. There are a few protocols that make this possible, including SAML and OAuth. SAML stands for Security Assertion Markup Language and is an XML-based Single Sign On solution.
The SAML workflow centers around the SAML identity provider, or IDP. The following steps take place to grant access to a resource via SAML:
- OAuth is not technically a full-fledged authentication protocol, but it is often used as part of one. The following diagram highlights the differences between OpenID authentication and an OAuth flow:
[Diagram: Pseudo-Authentication using OAuth. The application asks the user to "give me the valet key* to your house (account) so that I know you are the owner of the house"; the user asks Google (the identity provider and the API provider) to "please issue me a valet key* for the core APIs"; Google replies "here is the valet key*", and the user passes it to the application with "here you go". *valet key = limited scope. OAuth token diagram adapted from a drawing by @_nat_en.]
Kerberos
- Kerberos is an authentication protocol for client-server connections. It was developed by MIT in the 1980s and is most widely deployed on Windows networks, but many Linux distributions support using it for authentication as well.
Some of these services may run on the same machine, and they are almost always abbreviated:
Authentication Server (AS): performs the authentication step with clients.
Ticket-Granting Service (TGS): service which creates and signs tickets.
Ticket-Granting Ticket (TGT): time-stamped and encrypted (with the TGS secret key) ticket that grants the ability to create tickets and sessions for services.
Key Distribution Center (KDC): runs the TGS and grants TGTs.
Service Principal Name (SPN): name of a service that uses Kerberos authentication.
Tokenization
- Tokenization may be used as part of an access control scheme to protect sensitive information. Information that would be highly valuable if compromised is replaced with a random token known to the parties involved in the transaction.
Vulnerability Management and Compliance
It is not only good practice, but also a matter of law, that information infrastructure be secured. In order to better understand what the legalities are and how vulnerabilities can and should be addressed, we need to make sure we understand the key terms used:
Vulnerability: a weakness or lack of countermeasure that can be exploited by a threat
Vulnerability Management: the process of identifying, classifying, and remediating vulnerabilities
Asset: something that we are trying to protect
Threat: the vulnerability being exploited
Risk: the impact of an exploit taking place
Control/Countermeasure: actions taken or configurations made to remediate vulnerabilities
Vulnerability Management
The first step in managing vulnerabilities is gathering information:
• Hardware information, including the operating systems being used and the type of device (laptop, server, IoT, etc.)
• Network information, including IP addresses, MAC addresses, and details about the network segment
• Domain information, including domain name and workgroup
• Information about applications used and their approval status
• Information from security tools currently running on the device
• Owner information for the device
CVEs
Vulnerabilities are classified/published in a US national vulnerability database operated by the MITRE corporation. The database is known as Common Vulnerabilities and Exposures, or CVE for short. Typically these vulnerabilities are reported by vendors, vetted by MITRE, and finally given a number.
CVSS
The Common Vulnerability Scoring System is a system used to assess the severity of exploits and vulnerabilities. Once a CVE is created, a CVSS score is also created, taking into account the prevalence of the exploit, its ease of use, and its ability to do harm. CVSS uses a scale of zero to ten, zero being the least severe and ten being the most severe:
• 0.0: None
• 0.1-3.9: Low
• 4.0-6.9: Medium
• 7.0-8.9: High
• 9.0-10.0: Critical
Evaluation
- Once information has been gathered and the threats are understood, it is time to perform an evaluation.
Compliance
- Both business and legal standards have been established to ensure that all parts of the information security CIA triad are protected. Taking measures to follow these standards is known as compliance. This section will outline the details of many important policies that businesses comply with.
Compliance Tools
- In order to determine if systems are in compliance, compliance audits are performed. These may be automated, and may be as simple as endpoint software that periodically scans machines.
Risk assessment is an important part of compliance that determines just how damaging one of the violations discovered may be.
Change controls are used to ensure that changes that need to happen are put in place, and to track down changes that led to the violations of the security policies.
PII/PCI
- Personally Identifiable Information (PII) and Payment Card Industry (PCI) compliance is probably the largest sector of compliance.
PCI DSS
- PCI DSS stands for Payment Card Industry Data Security Standards. It is mandated by the major credit card companies and maintained by the Payment Card Industry Security Standards Council (PCI SSC).
PHI/HIPAA
- Protected Health Information (PHI) is another type of protected data covered by various legal and industry standards. PHI may be a medical history, admissions information for medical facilities, prescription information, or health insurance data.
SOX/GLBA
- The Sarbanes-Oxley Act (SOX) was passed following the bursting of the dotcom bubble to help combat financial fraud. SOX details some basic CIA measures (as do most regulations):
Confidentiality: encryption, data loss prevention
Integrity: access control, logging
Accessibility: data retention, audits, public disclosure of breaches
- The Gramm-Leach-Bliley Act (GLBA) is another act designed to protect CIA and provide more information for the customer.
GDPR
- The General Data Protection Regulation (GDPR) is a less targeted, but more far-reaching, European Union law requiring that customers be notified if they are being tracked.
US Patriot Act/PRISM
- Not all regulations that require compliance are concerned with protecting information. Some regulations are designed specifically to weaken confidentiality for spying by government entities.
- These could be logs of phone calls, samples of network traffic, or location information. Later, in 2007, the Protect America Act (PAA) expanded on this surveillance, requiring more companies to comply with requests for information. This act ushered in the PRISM program, uncovered by the Edward Snowden leaks, which forced companies to comply with a worldwide internet surveillance program.
Thank You!
By: Group 4