Access Controls
Exploring Ways to Securely Manage Access
Gregory M. Kapfhammer
November 11, 2024
Key computer computer security tasks?
- Authentication: Confirm the identity of a user
- Authorization: Control access to resources
- Accounting: Track usage of resources
- Reminders:
- Must effectively offer all features in a system!
- Both hardware and software must be secure!
Least Privilege Principle
- Principle: Only permit necessary access
- Resources: Processes, programs, user accounts
- Benefits: Reduces attack surface, limits malware spread
- Compliance: Easier audits, limited Internet access
Key Questions: - What do you prefer more secure or easy-to-use?
- What are principles to striking the right balance?
Multi-Factor Authentication (MFA)
- Definition: Two or more identification components
- Categories: Username, password, token codes, biometrics
- Popular Products: Google Authenticator, Authy, RSA IDs
Concrete examples of multi-factor authentication: - Password and fingerprint scan
- Password and security token
- Password and facial recognition
Benefits and drawbacks of multi-factor authentication?
Authenticating a Person
- Three main strategies for authentication:
- Authentication based on what you know
- Authentication based on what you have
- Authentication based on what you are
- Each of these are an identification factor
In-Class Discussion - What is an example of each type of authentication?
- What are the strengths and weaknesses of each type?
What comes next after authentication?
- Provide authorization for both users and administrators
- Attach an identity to processes and resources
- Define access control lists (ACLs) for resources
- Enforce permissions for users and groups
Authorization Models
- MAC: Mandatory Access Control
- High security, complex implementation
- DAC: Discretionary Access Control
- Flexible, owner-controlled, less secure
- RBAC: Role-Based Access Control
- Role-based, flexible, common
- ABAC: Attribute-Based Access Control
- Attribute-based, flexible, rule-based
What are the similarities and differences between sudo and su?
- Similarities:
- Execute commands with elevated privileges
- Require authentication to gain elevated privileges
Let’s explore the detailed differences between sudo and su!
Using the sudo and su Commands
- Differences:
- Usage:
sudo: Executes a single command with superuser privileges. Example:sudo apt update.su: Switches to the superuser account or another user account. Example:suorsu - username.
- Scope:
sudo: Limited to the command being executedsu: Provides privileges to a shell until exit
- Usage:
How do we manage multiple users who need to securely use an operating system?
- User account
- Group accounts
- Privileged accounts
- Service accounts
Identity Management
- Privileged Identity Management (PIM)
- Purpose: Granular access control
- Features: Better reporting, anomaly detection
- Privileged Access Management (PAM)
- Purpose: Safeguard identities, advanced capabilities
- Usage: Common in Linux, temporary privilege escalation
- Identity and Access Management (IAM)
- Framework: Manages digital identities
- Functions: User database, access privileges, groups/roles
Unix File Permissions
- Design: Owner (or “user”), group, all users (or “others”)
- Permissions: Read (1), Write (2), Execute (4)
- Example: Read + Execute = 5 = (1 + 4)
chmodCommand: Set permissions- Format:
chmod 710 <filename> - 710: Owner (7), Group (1), Others (0)
- Format:
chownCommand: Change owner/group- Format:
chown <owner>.<group> <filename> - Note: Group optional
- Format:
Understanding Permissions
Illustrating Unix File Permissions
- Source: Access Controls Chapter of Computer Systems Security: Planning for Success
- Although concepts are consistent, different versions of Linux/Unix may use slightly different approaches
Access Control Lists
drwxr-xr-x - gkapfham users 31 Oct 07:27 .git
drwxr-xr-x - gkapfham users 2 Sep 18:16 .github
.rw-r--r-- 2.4k gkapfham users 2 Sep 18:23 .gitignore
drwxr-xr-x - gkapfham users 29 Oct 12:48 .quarto
drwxr-xr-x - gkapfham users 12 Sep 07:54 _extensions
drwxr-xr-x - gkapfham users 16 Sep 11:34 _freeze
drwxr-xr-x - gkapfham users 2 Sep 18:16 _include
.rw-r--r-- 125 gkapfham users 2 Sep 19:17 _publish.yml
.rw-r--r-- 1.8k gkapfham users 18 Sep 20:27 _quarto.yml
drwxr-xr-x - gkapfham users 31 Oct 07:30 _site
drwxr-xr-x - gkapfham users 18 Sep 21:35 css
drwxr-xr-x - gkapfham users 2 Sep 18:43 icons
drwxr-xr-x - gkapfham users 2 Sep 18:47 images
.rw-r--r-- 5.4k gkapfham users 28 Oct 21:21 index.qmd
drwxr-xr-x - gkapfham users 30 Oct 09:16 projects
.rw-r--r-- 247 gkapfham users 3 Sep 09:08 README.md
drwxr-xr-x - gkapfham users 29 Oct 07:27 schedule
drwxr-xr-x - gkapfham users 31 Oct 07:30 slides
drwxr-xr-x - gkapfham users 29 Oct 15:12 syllabusWhere does the operating system store an access control list?
Access Control List Storage
- Linux: Extended attributes
- Windows: NTFS file system
- macOS: HFS+ file system
Important Considerations: - Security: ACLs must be protected
- Performance: ACLs can slow down file access
- Maintenance: Regularly review and update ACLs
Who are the users on your laptop?
root:x:0:0:System administrator
messagebus:x:4:4:D-Bus system message bus daemon user
polkituser:x:28:995:PolKit daemon
cups:x:36:20:CUPS printing services
lightdm:x:78:78:Light Display Manager
systemd-coredump:x:151:993:Core dump user
systemd-network:x:152:152:Network management daemon
systemd-resolve:x:153:153:Resolver daemon
systemd-timesync:x:154:154:Time synchronization daemon
nm-openvpn:x:217:217:Virtual Private Network user
fwupd-refresh:x:992:991:Firmware update daemon
systemd-oom:x:993:992:Systemd Out Of Memory user
rtkit:x:994:994:RealtimeKit daemon for audio
nixbld1:x:30001:30000:Nix build user 1- Wow, there are many users on a NixOS system!
- What are the purposes of these users?
- Who created these users and what are their permissions?
How do we securely manage access to network resources?
- Authentication: Verifying the identity of a user
- Login: Establishing a user session
- Single Sign-On (SSO): One identity provider, many services
Network Access Management
Single Sign-On (SSO)
- Purpose: One identity provider for multiple services
- Benefits: Simplifies user management, enhances security
- Protocols: SAML, OpenID, OAuth
OpenID and OAuth
- OpenID: Decentralized, multiple IDPs
- OpenID Connect (OIDC): Modern, REST API
- OAuth: Allows websites to access user profile parts
- Usage: Often part of authentication protocols
SAML Details
- Definition: Security Assertion Markup Language
- Workflow:
- User accesses service
- Redirect to SAML IDP with request
- User logs in, credentials verified
- SAML IDP sends credentials to service
- Benefits:
- Centralized identity provider
- Single sign-on for multiple services
What are the benefits of using SSO and SAML?
- Benefits of SSO:
- Simplifies user management
- Enhances overall security
- Reduces password fatigue
In addition to providing software security, we must also maintain physical security!
- Physical Access: Protect buildings, contents, and data
- Complements: Enhance effectiveness of technical controls
Physical Access
- Importance: Protect buildings, contents, and data
- Risk: Technical controls bypassed if physical security fails
- Quick Examples:
- Gates, biometrics, key cards, proximity cards
- Let’s explore biometrics and cards in more detail!
Biometrics
- Definition: Identify based on physical traits
- Advantages: Convenient, hard to steal/impersonate
- Types:
- Physiological (e.g., fingerprints or iris)
- Behavioral (e.g., voice, signature)
Discussion Questions: - What are the risks associated with biometrics?
- What are the ethical considerations for using biometrics?
Key Cards
- Usage: Access to rooms
- Types: Magnetic stripes, RFID, NFC
- Risks: Skimming, cloning attacks
- Mitigation: Monitor areas, educate users
Discussion Questions: - What are the benefits and drawbacks of using key cards?
- How can you prevent attackers from cloning key cards?
- How should you educate users about key card use?
How do we evaluate the trade-offs of different authentication and authorization solutions?
Evaluation Metrics in Security
- Precision
- Equation: TP / (TP + FP)
- High precision: few false positives
- Recall
- Equation: TP / (TP + FN)
- High recall: few false negatives
- Accuracy
- Equation: (TP + TN) / (TP + FP + TN + FN)
- Overall correctness of the system
- F1-Score
- Equation: 2 * (Precision * Recall) / (Precision + Recall)
- Balance between precision and recall
Evaluation Metrics: Precision
Evaluation of a Biometric-based Authentication System
- True Positives (TP): 80
- False Positives (FP): 10
- True Negatives (TN): 90
- False Negatives (FN): 20
Precision=TPTP+FP Precision=8080+10=8090≈0.89
Evaluation Metrics: Recall
Evaluation of a Biometric-based Authentication System
- True Positives (TP): 80
- False Positives (FP): 10
- True Negatives (TN): 90
- False Negatives (FN): 20
Recall=TPTP+FN Recall=8080+20=80100=0.80
Evaluation Metrics: Accuracy
Evaluation of a Biometric-based Authentication System
- True Positives (TP): 80
- False Positives (FP): 10
- True Negatives (TN): 90
- False Negatives (FN): 20
Accuracy=TP+TNTP+FP+TN+FN Accuracy=80+9080+10+90+20=170200=0.85
Evaluation Metrics: F1-Score
Evaluation of a Biometric-based Authentication System
- True Positives (TP): 80
- False Positives (FP): 10
- True Negatives (TN): 90
- False Negatives (FN): 20
F1-Score=2×Precision×RecallPrecision+Recall F1-Score=2×0.89×0.800.89+0.80=2×0.7121.69≈0.84
Does the F1-Score accurately measure the effectiveness of a security solution?
- What is more important?
- Precision: Few false positives
- Recall: Few false negatives
Summary of Access Control
Key Concepts
Security Layers
- Least privilege principle
- Authorization models
- Identity & access management
Evaluation Metrics
- FP, TP, TN, FN
- Precision, recall, accuracy
- F1-score balances metrics
Best Practices
Implementation
- Multi-factor authentication
- Network access management
- Single-sign-on solutions
Exploration
- Compare security options
- Don’t “roll your own” auth
- Understand key trade-offs
Security Synapse
Access Controls Exploring Ways to Securely Manage Access Gregory M. Kapfhammer November 11, 2024