Getting a Networking Job: Access Control - dummies

By Peter H. Gregory, Bill Hughes

Access control is the main security issue facing networking professionals. At its heart, access control is all about who (or what) is allowed to access something. In business, users are required to identify themselves — and prove their identity — before they can use workstations and applications.

Basic concepts in access control

The basics of access control can be divided into two major categories:

  • Authentication: the technology that facilitates access to systems, data, and workspaces

  • Business processes used to manage access

Authentication

Authentication is the process of asserting one’s identity to a system to access its resources. The identity takes the form of a user ID, which is a value assigned to a person or machine.

Single-factor authentication generally involves the presentation of a user ID and a password. Because of its simplicity, this common form of authentication is more vulnerable to attack by adversaries. The phrase “what you know” is associated with single-factor authentication: in this simplest form of authentication, the user identifies herself by presenting her user ID and then authenticates by stating something she knows that is tied to that user ID.

A password is a secret word, phrase, or random characters used as a part of single-factor authentication. The quality of the password is an important factor that helps resist some forms of attack. Characteristics of password quality include length, complexity, expiration, recovery, and reuse.

Passwords are typically stored in hashed form. Hashing is an irreversible cryptographic function that creates a large number representing the password without exposing the password. The hash value then facilitates the confirmation of a correct password during the login process but prevents the extraction of passwords.

Multifactor authentication generally involves the presentation of a user ID, a password, and a token or biometric. This type of authentication is generally stronger than single-factor authentication. A token is a hardware device that is used in multifactor authentication and represents a far stronger form of authentication than single-factor authentication. Multifactor authentication can also use some form of biometric, such as a fingerprint, a palm scan, an iris scan, or a voiceprint.

The phrase “what you are” is associated with biometric authentication because you’re using a part of your body to authenticate your presented identification.

Access control processes

Getting access control technology right is a challenge, but it’s not the biggest concern. The business processes supporting access controls are critical. If not implemented and managed correctly, the best access control technology is of little use.

Key processes in access control are collectively known as identity access management (IAM) and include the following:

  • Access provisioning: The process of provisioning access for a user should follow a strict, documented process. Every request should be properly approved by one person or group and performed by a different person or group. Records for all steps must be retained.

  • Internal transfers: Access management personnel need to be notified when an employee is transferred to another position to prevent an accumulation of privileges.

  • Employee termination: Access management personnel need to be notified immediately when an employee leaves the organization. All user accounts should be locked or removed and then double-checked.

  • Managing access controls for contractors, temps, and others: All personnel with access to organization systems and applications should be managed using the same set of processes.

  • Password recovery: Organizations need a solid process for users who forget their passwords. Otherwise, attackers may be able to use this process to take over an employee’s user account.

  • Periodic access reviews: Every aspect of access management must be periodically reviewed to ensure that each instance of access provisioning, termination, and transfers is performed correctly.
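A periodic access review of the kind listed above can be partly automated. The following is an added example, not code from the original article: it checks provisioning records against an HR roster for terminated staff, people with no HR record (such as contractors managed outside the process), access left over from a previous role, and requests approved and performed by the same person. The record layout, names, and finding codes are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    role_at_grant: str   # job role the access was approved for
    approved_by: str
    provisioned_by: str

# Constructed sample data: HR roster as user -> (status, current role).
HR = {
    "alice": ("active", "network-eng"),
    "bob": ("terminated", "helpdesk"),
    "carol": ("active", "finance"),
}
# Constructed provisioning records retained from the access request process.
GRANTS = [
    Grant("alice", "core-routers", "network-eng", "mgr1", "iam1"),
    Grant("alice", "helpdesk-tickets", "helpdesk", "mgr2", "iam1"),
    Grant("bob", "vpn", "helpdesk", "mgr2", "iam2"),
    Grant("carol", "ledger", "finance", "iam2", "iam2"),
    Grant("dave", "wiki", "contractor", "mgr1", "iam1"),
]

def review(hr, grants):
    """Return (user, system, finding) tuples for grants that need action."""
    findings = []
    for g in grants:
        record = hr.get(g.user)
        if record is None:
            # Nobody is tracking this person's start, transfer, or end date.
            findings.append((g.user, g.system, "NO_RECORD"))
        elif record[0] != "active":
            # Account survived the termination process.
            findings.append((g.user, g.system, "TERMINATED"))
        elif record[1] != g.role_at_grant:
            # Access kept after an internal transfer (privilege accumulation).
            findings.append((g.user, g.system, "STALE_ROLE"))
        if not g.approved_by or g.approved_by == g.provisioned_by:
            # Approval and provisioning were not done by different people.
            findings.append((g.user, g.system, "SAME_APPROVER"))
    return findings

if __name__ == "__main__":
    for finding in review(HR, GRANTS):
        print(*finding)
```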

Access control attacks and countermeasures

Adversaries who are attempting to access resources in a target system frequently attack access controls. Methods of attack include the following:

  • Replay attack: An attacker intercepts an authentication, typically over a network, and replays the captured login credentials to try to gain unauthorized access to the target system.

  • Stealing password hashes: The attacker obtains the database of hashed passwords from a system. If the hashing method is weak, the attacker may be able to employ rainbow tables or other techniques to obtain account passwords. The technique known as salting prevents the use of rainbow tables.

  • Interception of passwords in transit: An attacker may be able to intercept login credentials if they are transmitted “in the clear” (unencrypted) over a network. This threat is eliminated if you discontinue Telnet and FTP in favor of SSH, FTPS, and SFTP.

  • Session hijacking: An attacker attempts to steal session cookies from a user’s web session; if successful, the attacker will be able to hijack the user’s session. The attacker may then be able to perform all functions that the user could perform. Session hijacking can be prevented with proper session management.

  • Key logger: An adversary may be able to use one of several methods to get key logger malware installed on a user’s system. If successful, the key logger will be able to intercept typed login credentials and transmit them to the adversary, who can use them later to access those same systems. Multifactor authentication and advanced malware prevention (AMP) tools can help thwart key loggers.

  • Social engineering: These techniques trick users into providing their login credentials. Techniques include

    • Phishing: The attacker sends an email that attempts to trick the user into clicking a link that takes the user to a phishing site, which is an imposter site used to request login credentials.

    • Watering hole attack: The attacker attacks a website and plants malware on the site that can, if successful, install a key logger or other malware on the victim’s workstation.

Emerging issues in access control

Issues that keep networking professionals up at night include these:

  • Key logging malware

  • Stolen password hashes

  • Users who select poor (easily guessed) passwords

  • Users who reuse personal passwords on business sites