
LECTURE THREE: INFORMATION SYSTEMS ACCESS CONTROL

Lecturer : Mr Oguna
Introduction
• To secure an information system today, you should be
able to balance authorized access needs with system
and data protection.
• Because too much security prevents access, while too
little leaves the system vulnerable to data theft or
attack, controlling access to information systems will
help you ensure a proper balance of security and
access.
Objectives
At the end of the lecture you should be able:
• Identify security principles in data access design.
• Analyze system access and authentication.
• Identify intrusion detection systems.
3.1 Lecture Outline
3.3.1 Security principles in Data Access
3.3.2 Access Control Services
3.3.3 Access Control Categories
3.3.4 Discretionary and Mandatory access controls
3.3.5 System Access and Authentication
3.3.6 Access Control Attack Methods
3.3.7 Intrusion Detection Systems
3.3.8 End of lecture activities (self-tests)
3.3.9 Summary
3.3.10 Suggestion for further reading
3.4 Security Principles in Data Access
• In a dynamic business climate, you need multiple ways to
control access to an information system.
• In some cases, a system may require control based upon
organizational policy. Other situations may require access
control based upon a business process, work function, or
government/institutional regulation.
• By effectively evaluating data security requirements, you
ensure that you select an appropriate access control model
to protect your company's data.
3.4.1 Access Control
• Access control is the principle of determining and assigning privileges
to various resources, objects, and data. Ensure the proper
implementation of the CIA triad access control practices by limiting
and managing user access to highly classified information.
• In access control, the term subject is given to the entity requesting
access and the term object is given to the entity being accessed.
• The access control process limits the subject's access to objects using
pre-defined rules.
3.4.2 Least Privilege
• Least privilege is a security principle that limits each user to the
information they need to know.
• This principle ensures that employees and other system users have
only the minimum set of rights, permissions, and privileges that they
need to accomplish their jobs, without excessive privileges that can
provide them with unauthorized access to systems.
• The individual is limited to the data or information within a certain
area of interest and with the minimum exposure possible.
3.4.3 Need to Know
• Need to know is a security principle based on an individual’s need to access
classified data resources to perform a given task or job function. If an
individual needs to access information to perform a job function, that
individual may access a portion of information.
• Access control rules are implemented by the security administrators once
senior management and the data owner determine who should have access
to what. It may seem impractical for senior management to determine who
has access to systems and data, but they hold full responsibility for security
within the organization.
• The data owner is closer to the data and is responsible for guiding senior
management as they make access limitations. Once the access determination
has been made, the security administrators are responsible for implementing
the restrictions in the access control system.
3.4.4 Separation of Duties
• Separation of duties (SoD) is a division of tasks between different
people to complete a business process or work function. From a
security standpoint, if a user seeks access to a system, then the
security administrator provides access control limits, and the data
owner and senior management define those limitations.
• The SoD concept provides checks and balances, which safeguard the
system from fraud, collusion, and mistakes.
3.5 Access Control Services
Implementing access control services involves:
1. Identifying the individual or entity attempting to access an object.
2. Verifying or authenticating the individual's identity.
3. Evaluating the rules to see what the individual is permitted to do.
4. Creating an audit trail by writing each access attempt and function
performed to a log file.
5. Reviewing the log to see what was completed, when, and by
whom. This review is performed by managers and supervisors and
helps to create accountability in the system access process.
3.6 Access Control Categories
• Access controls fall into different areas or categories depending on
their functions. The purpose of access controls may be preventative
to stop unauthorized access, detective to identify an unauthorized
attempt to access, or corrective to rectify a situation that leads to
unauthorized access.
• In most cases, preventative, detective, and corrective access controls
are sufficient to maintain the CIA triad. However, deterrent, recovery,
and compensating access controls are additional tools used to protect
systems and facilities.
• Preventative access control stops a subject's unauthorized access to
an object. I&A (Identification and Authentication) in conjunction with
authorization are preventative access control methods. The others are
locks, doors, and other physical barriers.
• Detective access control processes identify attempts to access an
entity without proper authorization. The purpose of the detective
control is to alert the administrators to the attempted security
violation.
• The corrective access control mechanism responds to the security
violation to reduce or completely eliminate the impact. An intrusion
prevention system (IPS) is a technical corrective process that stops
unauthorized access over a computer network.
• A deterrent access control discourages individuals from violating
security policies. A policy against using protocol analyzers or sniffers
in a network could be considered a deterrent, especially if the penalty
is the loss of employment.
• Recovery access control is used to return the system to an operational
state after a failure to protect the CIA triad. Recovery controls include
backup tapes and offsite journaling.
• A compensating access control is often used when the system cannot
provide the protection required by policy. For example, corporate policy
might require using a smart card ID system for entry into and exit out
of secure areas. At a remote site where a smart card system has not been
installed, a written log of entry and exit times is maintained instead.
3.7 Discretionary and Mandatory Access Controls
• Discretionary access control (DAC) is a means of
restricting access to objects based on the identity of the
subjects and/or groups to which they belong. Assigning a
user ID and password to an individual user is an
exemplary case of DAC.
• Mandatory access control (MAC) is a means of restricting
access to objects based on the sensitivity (as represented
by a label) of the information contained in the objects
and the formal authorization (for example, clearance) of
subjects to access information of such sensitivity.
Non-Discretionary Access Control Techniques
• Role-based access control (RBAC) is implemented when the subject's
access to objects is based on the job performed by the subject. In RBAC,
administrators create groups that provide access controls and then assign
users to the groups.
• Rule-based access control is based on a set of operational rules or
restrictions. For example, the set of firewall restriction rules is a rule-based
access control.
• Content dependent access control limits the subject's access to objects by
examining object data to see if the subject has access rights.
• Constrained interfaces access control limits access to information by
constraining the interface.
• Time-based access control limits when an individual can access the system.
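The models in 3.7 and the non-discretionary techniques above each reduce to a small decision function. The block below is an added example written for this lecture, not lecture or vendor code: it implements DAC (an ACL naming users and groups), MAC (clearance compared against a sensitivity label), RBAC (users to roles to permissions), rule-based control (first-match firewall-style rules with default deny) and time-based control. The sensitivity lattice, the ACLs, roles and rules are all constructed; for MAC it assumes the Bell-LaPadula confidentiality rules (no read up, no write down), which the lecture text does not name.

```python
from datetime import time

# Constructed sensitivity lattice, least to most sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def dac_allows(acl: dict, subject: str, groups: set, action: str) -> bool:
    """DAC: the object's ACL names users/groups and the actions each may perform."""
    return any(action in actions
               for principal, actions in acl.items()
               if principal == subject or principal in groups)


def mac_allows(clearance: str, label: str, action: str) -> bool:
    """MAC: compare the subject's clearance with the object's label.
    Read only if clearance >= label (no read up); write only if clearance <= label
    (no write down). These are the Bell-LaPadula rules, assumed here."""
    subj_level, obj_level = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return subj_level >= obj_level
    if action == "write":
        return subj_level <= obj_level
    return False


def rbac_allows(user_roles: dict, role_perms: dict, user: str, perm: str) -> bool:
    """RBAC: permissions hang off roles; users are assigned to roles, not to permissions."""
    return any(perm in role_perms.get(role, set()) for role in user_roles.get(user, set()))


def rule_allows(rules: list, proto: str, port: int) -> bool:
    """Rule-based: first matching (verdict, proto, port) rule wins; no match means deny."""
    for verdict, rule_proto, rule_port in rules:
        if rule_proto in ("any", proto) and rule_port in ("any", port):
            return verdict == "allow"
    return False


def time_allows(now: time, start: time, end: time) -> bool:
    """Time-based: access only inside a same-day window."""
    return start <= now <= end


# Constructed policy data used by the demo below.
PAYROLL_ACL = {"alice": {"read", "write"}, "finance": {"read"}}
USER_ROLES = {"carol": {"auditor"}}
ROLE_PERMS = {"auditor": {"ledger:read"}}
FIREWALL_RULES = [("deny", "tcp", 23), ("allow", "tcp", 443)]


def demo() -> dict:
    return {
        "dac_group_read": dac_allows(PAYROLL_ACL, "bob", {"finance"}, "read"),
        "dac_group_write": dac_allows(PAYROLL_ACL, "bob", {"finance"}, "write"),
        "mac_read_up": mac_allows("secret", "top-secret", "read"),
        "mac_read_down": mac_allows("secret", "confidential", "read"),
        "rbac_read": rbac_allows(USER_ROLES, ROLE_PERMS, "carol", "ledger:read"),
        "rbac_write": rbac_allows(USER_ROLES, ROLE_PERMS, "carol", "ledger:write"),
        "rule_https": rule_allows(FIREWALL_RULES, "tcp", 443),
        "rule_telnet": rule_allows(FIREWALL_RULES, "tcp", 23),
        "rule_dns": rule_allows(FIREWALL_RULES, "udp", 53),
        "time_office_hours": time_allows(time(9, 30), time(8, 0), time(18, 0)),
        "time_night": time_allows(time(22, 0), time(8, 0), time(18, 0)),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:20s} {'allow' if verdict else 'deny'}")
```

The contrast to take away is who can change the decision: in `dac_allows` the object's owner edits the ACL, in `mac_allows` nothing the owner does can let a "secret" subject read a "top-secret" object, and in `rbac_allows` a permission change is made once on the role rather than on every user. The rule-based function also shows why rule ordering matters: a later `allow` cannot override an earlier matching `deny`.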
3.8 System Access and Authentication
• Information systems security requires both granting and denying
access to data.
• To ensure that only authorized users are granted access to
the system, it is important to validate their identities and
determine if access should be granted.
• A comprehensive system of identification and authentication
is an effective tool to fulfill user access requirements, while
efficiently controlling access to select parts of your
information systems.
3.8.1 Identification Types
In system access, there are two specific types of identification:
• An ID card is a physical device that often contains a picture of the
subject, the subject's name, and other identifying characteristics.
Matching the picture on the ID card to the carrier is one way of
providing identification.
• A user ID is a string of characters, unique to one individual, used to
provide identification of the user to the system being accessed. User
IDs are not kept secret from others, but the disclosure of a user ID
may lead to attempts to access a system without permission.
3.8.2 Authentication Types
• The methods used to authenticate identity have been broken down into
three distinct areas: something you know, something you have, and
something you are.
• Something you know as an authentication factor includes the use of
passwords and password variants such as passphrases and personal
identification numbers (PINs).
• In a something you have method, the individual possesses a physical device
of some type that provides authentication capabilities. Devices in this
category include magnetic strip cards, proximity cards, smart cards, or
token devices.
• The something you are method uses biometric measurements or personal
attributes for authentication.
There are several types of biometric devices used in something-you-are authentication;
the most common are:
• Fingerprint. Capturing and comparing fingerprints of the individual with known fingerprints
to determine a match.
• Handprint. Capturing and comparing handprints of the individual with known handprints to
determine a match.
• Hand geometry. Comparing the hand structure of an individual to a previously captured
hand structure to determine a match.
• Iris Scan. Comparing the patterns of the colored part of the eye to known iris images to
determine a match.
• Retina scan. Comparing the blood vessel patterns in the back of the eye to known patterns.
This method can be affected by pregnancy, diabetes, and diseases of the eye.
• Voice print. Comparing a spoken phrase to a registered phrase spoken by the individual.
• Facial recognition. Comparing the facial structure to a registered facial structure to
determine a match.
Biometrics Errors
• Type I errors, also known as false rejection rates (FRRs), exist when
an authorized individual is denied access. Systems with high
sensitivity levels often result in Type I errors because they tend to
reject authorized individuals more often.
• Type II errors, also known as false acceptance rates (FARs), exist
when an unauthorized individual is given access. Systems with low
sensitivity levels often result in type II errors because they allow more
unauthorized access because they lack sufficient detection
capabilities.
• The point at which the two errors intersect on a graph is called the
crossover error rate (CER).
• The biometric measurements with the lowest CERs provide the best
protection. Because they are often the most expensive, they are
generally unacceptable to system users.
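The relationship between sensitivity, Type I and Type II errors and the crossover error rate is easiest to see numerically. The block below is an added example for this lecture, not code from the lecture or from any biometric vendor: it takes constructed similarity scores for genuine users and for impostors, computes FRR and FAR at each decision threshold, and scans for the threshold where the two curves cross. The score lists and the 0 to 100 threshold scale are assumptions.

```python
def error_rates(genuine: list, impostor: list, threshold: float) -> tuple:
    """Return (FRR, FAR) at one decision threshold.
    A score at or above the threshold is accepted as a match (higher = closer match)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # Type I: authorized users rejected
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # Type II: impostors accepted
    return frr, far


def crossover(genuine: list, impostor: list, thresholds=range(0, 101)) -> tuple:
    """Scan the thresholds and return (threshold, CER) where FRR and FAR are closest.
    The first threshold with the smallest gap is kept."""
    best = None
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


# Constructed similarity scores from an imaginary fingerprint matcher (0-100).
GENUINE_SCORES = [62, 70, 75, 78, 80, 83, 85, 88, 90, 95]   # enrolled user vs own template
IMPOSTOR_SCORES = [20, 30, 40, 45, 50, 55, 60, 65, 72, 80]  # other people vs that template


def sensitivity_table(genuine: list, impostor: list, thresholds=(60, 71, 90)) -> dict:
    """FRR/FAR at a low, a crossover and a high sensitivity setting."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


if __name__ == "__main__":
    for t, (frr, far) in sensitivity_table(GENUINE_SCORES, IMPOSTOR_SCORES).items():
        print(f"threshold {t:3d}: FRR={frr:.1f}  FAR={far:.1f}")
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}, CER={cer:.1f}")
```

With these scores a low threshold of 60 accepts every genuine user (FRR 0.0) but also 40% of impostors (FAR 0.4); raising it to 90 removes the Type II errors entirely but rejects 80% of genuine users. The curves cross at threshold 71, where both rates are 0.2, so the CER for this matcher is 0.2. A matcher whose genuine and impostor scores overlap less would cross at a lower rate, which is what "lowest CER provides the best protection" means in practice.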
3.9 Access Control Attack Methods
• There are two basic approaches: attacking the software
components and attacking the human elements.
• The simplest method is to capture a user ID and steal a
password.
• An unauthorized user might also attempt to guess the
password through a brute force process.
• If two-factor authentication is used, then the attacker will
have to defeat both methods to gain access.
3.9.1 Software Based Access Control Attacks
• DOS
• Malicious software
• Brute force
• Dictionary attack
• Sniffing
• Emanation
• Object reuse
• Trapdoor and backdoor
• Spoofing
3.9.2 Human Based Access Control Attacks
• Guessing
• Shoulder surfing
• Dumpster diving
• Theft
• Social engineering
• Spoofing
3.10 Intrusion Detection Systems
• An intrusion detection system (IDS) is a software solution that
identifies and addresses potential attacks on a computer (or
host) or a network. IDSs can be pattern based, where the IDS
searches for certain data sequences that can identify a
potential attack. Pattern-based systems use a signature file
provided by the software vendor.
• Another type of IDS is behavior based or anomaly driven.
These systems detect changes in normal operating data
sequences and identify abnormal sequences.
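The two detection styles above, and the brute-force guessing named in 3.9, can be shown side by side on a handful of log lines. The block below is an added example written for this lecture, not code from the lecture or from any IDS product. The log lines, their format, the two signatures and the "three times the baseline" anomaly rule are all constructed: the signature detector matches fixed patterns the way a vendor signature file would, while the anomaly detector first learns the normal number of failed logins per source from a baseline period and then flags sources that exceed it.

```python
import re
from collections import Counter

# Constructed log format: "<timestamp> <service>: <message> from <source-ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\w+): (?P<msg>.*) from (?P<src>[\d.]+)$")
FAILED_RE = re.compile(r"^Failed password for (?P<user>\w+)$")

# Pattern-based detection: fixed signatures, like a vendor-supplied signature file.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("root-login-attempt", re.compile(r"^Failed password for root$")),
]

# Constructed baseline period: ordinary traffic, a few mistyped passwords.
BASELINE_LOG = """\
2024-05-01T08:00:01 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T08:02:10 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:02:15 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T08:05:00 sshd: Failed password for bob from 10.0.0.8
2024-05-01T08:05:06 sshd: Failed password for bob from 10.0.0.8
2024-05-01T08:05:12 sshd: Accepted password for bob from 10.0.0.8
2024-05-01T08:10:00 httpd: GET /index.html from 10.0.0.9
"""

# Constructed monitoring period: one injection-style request and one guessing burst.
MONITOR_LOG = """\
2024-05-01T09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:05 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T09:01:02 httpd: GET /admin.php?id=1' OR '1'='1 from 203.0.113.7
2024-05-01T09:02:00 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:01 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:02 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:03 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:04 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:05 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:06 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:02:07 sshd: Failed password for root from 198.51.100.23
2024-05-01T09:03:00 httpd: GET /index.html from 10.0.0.9
"""


def parse(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None  # unparseable lines are skipped, not trusted


def signature_alerts(lines) -> Counter:
    """Pattern-based IDS: count (source, signature) hits across the lines."""
    hits = Counter()
    for event in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES:
            if pattern.search(event["msg"]):
                hits[(event["src"], name)] += 1
    return hits


def failed_logins_per_source(lines) -> Counter:
    counts = Counter()
    for event in filter(None, map(parse, lines)):
        if FAILED_RE.match(event["msg"]):
            counts[event["src"]] += 1
    return counts


class AnomalyDetector:
    """Behaviour-based IDS: learn the normal failed-login count per source, then
    flag any source exceeding `factor` times that baseline."""

    def __init__(self, factor: int = 3):
        self.factor = factor
        self.baseline = None

    def train(self, baseline_lines) -> int:
        counts = failed_logins_per_source(baseline_lines)
        self.baseline = max(counts.values(), default=1)
        return self.baseline

    def alerts(self, lines) -> dict:
        if self.baseline is None:
            raise RuntimeError("train() must run before alerts()")
        limit = self.factor * self.baseline
        return {src: n for src, n in failed_logins_per_source(lines).items() if n > limit}


if __name__ == "__main__":
    print(dict(signature_alerts(MONITOR_LOG.splitlines())))
    ids = AnomalyDetector()
    ids.train(BASELINE_LOG.splitlines())
    print(ids.alerts(MONITOR_LOG.splitlines()))
```

The two detectors disagree on the 10.0.0.5 source in a useful way: its single failed login is not a signature hit and is well inside the learned baseline of two failures, so neither detector alerts. The guessing burst from 198.51.100.23 is caught twice, once per line by the `root-login-attempt` signature and once as a whole by the anomaly rule, which is why the lecture's hybrid category exists. Note also that the anomaly detector's quality depends entirely on the baseline being clean: training it on a period that already contained a burst would raise the limit and hide the next one.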
3.10.1 Intrusion Detection System Modes
IDS systems can be used in two modes.
The first mode is monitoring, where the IDS system
analyzes traffic as it passes by and provides alerts to
the administrators if unacceptable traffic patterns
arrive. This is truly an intrusion detection
implementation.
The second mode is prevention. An intrusion
prevention system (IPS) is a similar device to an IDS, but
instead of just monitoring, it is placed inline. All traffic
flows through the IPS.
IDS categories
• Network. IPS or IDS systems or appliances that monitor network traffic and
restrict (IPS) or alert (IDS) when unacceptable traffic is seen.
• Host-based. An IDS or IPS capability installed on a workstation or server to
protect that single device.
• Signature-based. An IDS or IPS solution that uses a predefined set of rules
provided by a software vendor to identify traffic that is unacceptable.
• Anomaly-based. An IDS or IPS solution that uses a database of
unacceptable traffic patterns identified by analyzing traffic flows. Anomaly-
based systems are dynamic and create a baseline of acceptable traffic flows
during their implementation process.
• Protocol-based. These IDS implementations focus on a limited number of
protocols rather than the entire network traffic. Placing a protocol-based
IDS that monitors HTTP traffic in front of a web server would be an example
of this type of implementation.
• Application protocol-based. Similar to protocol-based IDS systems,
application protocol-based IDS could analyze specific application traffic,
such as SQL requests and responses between an application server and a
database server.
• Hybrid. Hybrid systems implement two or more IDS approaches.
• Passive or reactive system. Passive systems alert when violations occur.
Reactive systems block traffic when violations occur.
1.9 Self-Test Questions
a) What is the simplest way to attack an access control system?
b) With which types of access control systems are you most familiar?
c) How would you compare their effectiveness to their convenience?
d) Have you ever experienced an access control attack on your information
systems?
e) How did you or your organization respond to the known attacks?
f) What methods or techniques were implemented to prevent attacks?
3.11 Summary
• In this lecture, we explored a broad range of security
concepts and best practices designed to meet the
demands of increasingly specialized information systems
security.
• We realized that before security policies are defined or
network issues are addressed, it is important to ensure
that your information system resources are secure.
• In this regard you analyzed information systems access
control.
3.12 Suggestion for further reading
• Charles P. Pfleeger, Security in Computing, Prentice Hall, 3rd Edition.
• William Stallings, Cryptography and Network Security: Principles and
Practice, Prentice Hall, 3rd Edition.
• Bruce Schneier, Beyond Fear.