Accountability and

Access Control

Slide ke-1 Mata Kuliah: Keamanan Jaringan

Course Objectives

• Access Control

– Identification and Authentication – Techniques

Access Controls

• Access controls are security features that control how people can interact with

systems, and resources.

• Goal is to protect from un-authorized access.

• Access is the data flow between subject and resources. Subject is a person,

Access Control’s Types

• Access controls are necessary to protect the confidentiality, integrity, and availability of objects.

– That is commonly called by CIA.

– It is sound silly, but still represent the idea 

• In fact, no single access control mechanism is deployed in such environment.

Access Control’s Types (2)

• Access Control Types

– Preventive – Deterrent – Detectives – Correctives – Recovery

– Compensation – Administrative

Preventive Access Control

• Sometimes called a preventative access control.

• This access control is deployed to stop unwanted or unauthorized activity form occurring.

• Fences, locks, biometric, lighting, alarm system, encryption, auditing, CCTV,

Deterrent Access Control

• To discourage a violation of security

policy, where prevention control leaves off. • It doesn’t stop with trying to prevent an

action, instead, it goes further to exact consequences in the event of an

attempted or successful violation.

Detective Access Control

• Detective access controls is deployed to discover unwanted or unauthorized

activities.

• Detective access control include security guards, motion detector, reviewing an

Corrective Access Control

• Deployed to restore system to normal after unwanted or unauthorized activities have occurred.

• Corrective control have only minimal capabilities to respond to access

violations.

Recovery Access Control

• Deployed to repair resource, function, and capabilities after violation of security

policies.

• Recovery control have more advance

capabilities to response to access violation than corrective control.

Compensation Access Control

• Deployed to provided various options to aid in enforcement and support of security policy.

• Include security policy requirement,

Administrative Access Control

• Policies and procedures defined by

organization to implement overall access control.

• Administrative control focus on 2 areas:

personnel and business practices. • Include policies, procedures, hiring

practices, data classification, security training, vacation history, work

Logical and Physical

Access Control

• Logical access controls are hardware and

software mechanism used to manage access to resources or systems.

– Password, encryption, firewall, access control list, etc

• Physical access control is physical barrier deployed to prevent direct contact to

systems.

The Process of Accountability

• Several steps lead up to the ability to hold the people accountable:

Identification

• User provided user name, logon ID,

personal identification number (PIN) or a smart card to represent identification

process.

Authentication

• Process of verifying or testing that claimed identity is valid.

– Type 1 Authentication (something you know)

• Passwords • PIN

• Lock Combination, etc

– Type 2 Authentication (something you have)

Authentication

• Process of verifying or testing that claimed identity is valid.

– Type 3 Authentication (something you are)

• Fingerprint • Voiceprint

• Retina pattern

• Face shape recognition • Hand geometry

Authorization

• Once subject is authenticated, its access must be authorized.

Auditing

• Auditing is process by which online

activities of user accounts and processes are tracked and recorded.

• Auditing produces audit trails/path, which can be used to reconstruct events and to verify whether a security policy or

NIST-

based

Minimum Security

Requirement

• Audit data recording must comply with:

– Create, protect, and retain information system audit record to the extend needed to enable the monitoring, analysis, investigation,

unlawful/illegal reporting, unauthorized, inappropriate information system activity.

– Ensure that the action of individual

Recap

Answer and give an explanation for the questions below:

– Identification – what is it?

– Authentication – how is this different from identification?

– Authorization – what does this mean?

Identification and Authentication

Technique

• Authentication verify the identity of the

subject (user) by comparing one or more factor in database of valid identities.

Identification and Authentication

Technique (2)

• Password • Biometrics • Tokens

• Tickets

Password

• The common authentication technique, but consider the weakest form of protection.

• Password are poor security mechanism for several reasons:

– Easy to guest or crack. – Many users, write it down

– Easy shared, write down, and forgotten – Transmitted password often easy to broke

Biometric

• Biometric fall into Type 3 authentication category, “something you are”.

• _{A biometric factors are behavioral or}

physiological characteristic that is unique to every single subject.

• Types biometric factors:

– Fingerprint

– Face, iris, retina, palm scan – Hand geometry

Biometric Factor Rating

• Biometric devices are rated for

performance in producing false negative and false positive authentication.

• Most biometric devices have a sensitivity

adjustment so they can be tuned to be

more or less sensitive.

True positive = correctly identified

True negative = correctly rejected

Biometric Factor Rating

• The ratio of Type 1 errors to valid authentication known as False Rejection Rate (FRR).

• The ratio of Type 2 errors to valid authentication known as False Acceptance Rate (FAR).

• The point at which FRR and FAR is equal known as

Appropriate Biometric Usage

Zephyr Chart is often used to compare different types of biometric solution, before choose the suitable one at your specific

Biometric Factors

Retina scan

Fingerprint Iris scan

Token (Smart Token)

• Smart Tokens are password-generating devices which is an example of Type 2 factor, “something you have”.

• Token can be a static password, like an ATM card (or others), and users have to supply the ATM card and users’ PIN.

• Otherwise, the Token can also be one-time or dynamic password which look like a small

calculator.

Token Types

• There are 4 types of Token:

– Static

– Synchronous dynamic password

Token Types (Cont.)

– Can be a smart card, a floppy disk, USB RAM, or even something as simple as a key for physical lock. – Static Token often require

an additional factor like password or biometric factor.

– Commonly use a

cryptographic key provided an authentication

mechanism.

Token Types (Cont.)

– Generating password at fix time intervals.

– Time interval token require synchronizing the clock on an authentication server with the clock on a token device.

– Subject enters generated

password into the system as an identification mechanism, and PIN/password as an

authentication mechanism.

Token Types (Cont.)

• Auth sends a challenge (a random value called a

nonce)*

• User enters nonce into token, along with PIN

• Token encrypts nonce and returns value

• Users inputs value into workstation

• If server can decrypt then you are good.

Ticket Authentication

• Ticket Authentication is mechanism that

employs a third party to prove identification and authentication.

Single Sign On

• With Single Sign On (SSO), once a subject is authenticated, it can roam the network freely and access resource and services without further authenticating challenges.

• SSO disadvantages:

– Once an account is compromised, a malicious subject gains unrestricted access.

Single Sign On

Single Sign On: A mechanism to solve difficulties in managing disparate accounts.