Comparing Access Control Models

A subject is an active entity that accesses a passive object.

An object is a passive entity that provides information to active subjects.

  • Permissions
    • Refer to the access granted for an object and determine what you can do with it.
  • Rights
    • Refer to the ability to take an action on an object.
    • e.g. the company president has the right to shut a line of business down.
  • Privileges
    • A combination of rights and permissions.
    • e.g. root / administrator
  • Understanding Authorization Mechanisms
    • Implicit Deny
      • A fundamental principle of access control is IMPLICIT DENY.
      • Deny by default.
    • Access Control Matrix
    • Capability Tables
      • Difference between an ACL and a capability table:
        • ACLs are object focused and identify the access granted to subjects for a specific object.
        • Capability tables are subject focused and identify the objects that a subject can access.
    • Constrained Interface
      • Applications use a constrained or restricted interface to limit what users can do or see based on their privileges.
    • Content-Dependent Control
      • Restricts access to data based on the content within an object (e.g. a database view).
    • Context-Dependent Control
    • Need to Know
    • Least Privilege
    • Separation of Duties and Responsibilities
      • Ensures that sensitive functions are split into tasks performed by two or more employees.
  • Defining Requirements with a Security Policy
    • A policy usually does not go into detail about how to fulfill the security needs or how to implement the policy.
    • Professionals use security policies as a guide to implement security requirements.
  • Introducing Access Control Models
    • Discretionary Access Control (DAC)
      • Every object has an owner.
      • The owner can grant or deny access to any other subject.
      • The UNIX / Windows security model.
    • Role-Based Access Control (RBAC)
      • Uses roles or groups.
      • User accounts are placed in roles, and administrators assign privileges to the roles.
    • Rule-Based Access Control
      • Applies global rules to all subjects.
      • e.g. a firewall.
    • Attribute-Based Access Control (ABAC)
      • Rules can include multiple attributes.
      • Much more flexible than a rule-based access control model.
    • Mandatory Access Control (MAC)
      • Uses labels applied to both subjects and objects.
    • Risk-Based Access Control
      • Grants access after evaluating risk.
      • Uses machine learning to make predictive conclusions about current activity based on past activity.
  • Discretionary Access Control
    • A DAC model is implemented using access control lists (ACLs) on objects.
  • Nondiscretionary Access Control (Non-DAC)
    • The major difference between DAC and Non-DAC is how they are controlled and managed.
      • Non-DAC
        • Centrally administered.
        • Changes affect the entire environment.
        • Easier to manage.
        • Less flexible.
      • DAC
        • Allows owners to make their own changes.
        • Changes don't affect other parts of the environment.
        • Difficult to manage.
        • More flexible.
    • Non-DAC models
      • Role-Based Access Control (RBAC)
        • Prevents privilege creep.
        • It is challenging to identify and revoke all of a user's unneeded privileges when privileges are assigned to users directly.
        • Task-based access control (TBAC) is similar to RBAC.
          • Each user is assigned an array of tasks.
      • Rule-Based Access Control
        • DO NOT abbreviate it as RBAC!
        • Firewall
          • The last rule might be deny all.
      • Attribute-Based Access Control (ABAC)
        • An advanced implementation of rule-based access control.
        • Many SDN applications use ABAC models.
        • Rule-based access control applies to all users, but ABAC can be much more specific.
      • Mandatory Access Control (MAC)
        • A security domain is a collection of subjects and objects that share a common security policy.
        • Is prohibitive rather than permissive, and it uses an implicit deny philosophy.
        • Is more secure than the DAC model, but it isn't as flexible or scalable.
        • Key points
          • Every object and every subject has one or more labels.
          • These labels are predefined.
          • The system determines access based on the assigned labels.
        • Three types of environment
          • Hierarchical Environment
            • e.g. someone with a Top Secret clearance can access Top Secret data and Secret data.
          • Compartmentalized Environment
            • The subject must have specific clearance for the object's security domain.
          • Hybrid Environment
            • Provides granular control over access but becomes increasingly difficult to manage as it grows.
      • Risk-Based Access Control
        • Several different elements are considered:
          • The environment
          • The situation
          • Security policies
        • Two other things
          • Multifactor authentication
          • Compliant mobile devices
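
The ACL versus capability-table distinction above is easiest to see when both are derived from one access control matrix. This is an added example, not from the original notes; the subjects, objects and permissions are constructed sample data, and the helper names (`acl`, `capability_table`, `is_allowed`, `revoke_subject`) are my own.

```python
"""Access control matrix with an ACL view, a capability-table view and implicit deny.

Added example, not from the original notes. The matrix below is constructed
sample data; the two derived views follow the definitions in the notes.
"""
from __future__ import annotations

# Constructed sample matrix: subject -> object -> set of permissions.
# Anything absent from the matrix is denied (implicit deny).
MATRIX: dict[str, dict[str, set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob":   {"handbook.pdf": {"read"}},
    "carol": {"payroll.db": {"read"}, "audit.log": {"read", "append"}},
}


def acl(obj: str, matrix=MATRIX) -> dict[str, set[str]]:
    """Object-focused view: one column of the matrix.
    Answers 'who may do what to this object?'"""
    return {subj: perms[obj] for subj, perms in matrix.items() if obj in perms}


def capability_table(subject: str, matrix=MATRIX) -> dict[str, set[str]]:
    """Subject-focused view: one row of the matrix.
    Answers 'what may this subject do, and to which objects?'"""
    return dict(matrix.get(subject, {}))


def is_allowed(subject: str, obj: str, action: str, matrix=MATRIX) -> bool:
    """Implicit deny: only an explicit entry grants. Unknown subjects, unknown
    objects and unlisted actions all fall through to False."""
    return action in matrix.get(subject, {}).get(obj, set())


def revoke_subject(subject: str, matrix=MATRIX) -> int:
    """Capability tables make 'remove all access for this user' cheap: drop one
    row. With only per-object ACLs you would have to visit every object.
    Returns the number of object entries removed."""
    row = matrix.pop(subject, {})
    return len(row)


if __name__ == "__main__":
    print("ACL for payroll.db:", acl("payroll.db"))
    print("Capabilities of carol:", capability_table("carol"))
    print("bob write payroll.db?", is_allowed("bob", "payroll.db", "write"))
    print("mallory read handbook?", is_allowed("mallory", "handbook.pdf", "read"))
```

The same matrix answers both questions; what differs is which axis you index by, and that is exactly why revoking a departing user is easy with capability tables and tedious with ACLs alone.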

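The three MAC environments (hierarchical, compartmentalized, hybrid) as one label-dominance check. This is an added example, not from the original notes; the level names, compartment names and the subject/object labels are constructed, and the function names are my own.

```python
"""Mandatory access control label checks for the three MAC environments.

Added example, not from the original notes. Levels, compartments and the
sample labels are constructed; the rules follow the notes above.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Predefined hierarchy (higher index = more sensitive). Labels are fixed by
# the system, not chosen by an object's owner; that is what makes this MAC.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset[str] = field(default_factory=frozenset)

    def rank(self) -> int:
        return LEVELS.index(self.level)


def hierarchical_allows(subject: Label, obj: Label) -> bool:
    """Hierarchical environment: a clearance reads anything at or below it."""
    return subject.rank() >= obj.rank()


def compartmentalized_allows(subject: Label, obj: Label) -> bool:
    """Compartmentalized environment: the subject needs every compartment the
    object carries; the hierarchical level plays no part here."""
    return obj.compartments <= subject.compartments


def hybrid_allows(subject: Label, obj: Label) -> bool:
    """Hybrid environment: both the level and the compartments must dominate
    (the 'dominates' relation used by Bell-LaPadula)."""
    return hierarchical_allows(subject, obj) and compartmentalized_allows(subject, obj)


def decide(env: str, subject: Label, obj: Label) -> bool:
    """Dispatch on the environment. An unknown environment is implicitly denied."""
    checks = {
        "hierarchical": hierarchical_allows,
        "compartmentalized": compartmentalized_allows,
        "hybrid": hybrid_allows,
    }
    check = checks.get(env)
    return bool(check and check(subject, obj))


if __name__ == "__main__":
    analyst = Label("Top Secret", frozenset({"CRYPTO"}))
    secret_plain = Label("Secret")
    ts_two_compartments = Label("Top Secret", frozenset({"CRYPTO", "NUCLEAR"}))
    print(decide("hierarchical", analyst, secret_plain))       # True: TS reads Secret
    print(decide("hybrid", analyst, ts_two_compartments))      # False: lacks NUCLEAR
```

The hybrid check is why the notes call that environment granular but hard to manage: every new compartment multiplies the label combinations an administrator has to reason about.
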
Implementing Authentication Systems

  • Implementing SSO on the Internet
    • XML
      • Many cloud-based providers use XML-based languages to share information for authentication and authorization.
    • SAML (Security Assertion Markup Language)
      • Three entities
        • Principal or User Agent
        • Service Provider (SP)
        • Identity Provider (IdP)
      • Three types of XML messages (assertions) sent by the IdP
        • Authentication Assertion
        • Authorization Assertion
        • Attribute Assertion
      • SAML is a popular SSO standard on the internet and is used to exchange authentication and authorization (AA) information.
    • OAuth 2.0 (Open Authorization)
      • An authorization token is used.
      • Doesn't provide authentication.
      • OAuth 2.0 is not backward compatible with OAuth 1.0.
      • It exchanges API messages and uses a token to show that access is authorized.
    • OpenID
      • Maintained by the OpenID Foundation.
      • User -> Relying Party (RP) -> OpenID provider
    • OIDC (OpenID Connect)
      • Also maintained by the OpenID Foundation.
      • OIDC uses the OAuth framework for authorization and builds on the OpenID technologies for authentication. OIDC uses JSON Web Tokens.
    • Comparing SAML, OAuth, OpenID, and OIDC
      • https://guaiguailei.net/security/comparing-saml-oauth-openid-oidc
  • Implementing SSO on an Internal Network
    • AAA Protocols
      • These protocols provide authentication, authorization, and accounting.
      • They protect internal LAN authentication systems and other servers from remote attacks.
    • Kerberos
      • The most common and well-known ticket system.
      • Uses AES (Advanced Encryption Standard).
      • Provides confidentiality and integrity for authentication.
      • Helps protect against eavesdropping and replay attacks.
      • Uses several different elements:
        • Key Distribution Center (KDC)
          • All clients and servers are registered with the KDC.
          • Maintains the secret keys for all network members.
        • Kerberos Authentication Server
          • Ticket-Granting Service (TGS); can be hosted on another server.
          • Authentication Service (AS)
        • Ticket
          • An encrypted message that provides proof that a subject is authorized to access an object.
          • Sometimes called a Service Ticket (ST).
        • Ticket-Granting Ticket (TGT)
          • Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects.
        • Kerberos Principal
        • Kerberos Realm
    • RADIUS (Remote Authentication Dial-In User Service)
      • A RADIUS server provides AAA services for multiple remote access servers.
      • Many internet service providers (ISPs) use RADIUS for authentication.
      • Uses UDP by default and encrypts only the password exchange.
      • RADIUS uses UDP port 1812 for RADIUS messages and UDP port 1813 for RADIUS accounting messages. When using TLS, RADIUS uses TCP port 2083.
      • RADIUS/TLS
        • TLS encryption for RADIUS over TCP (RadSec).
      • RADIUS provides AAA services between network access servers and a shared authentication server. The network access server is the client of the RADIUS authentication server.
    • TACACS+ (Terminal Access Controller Access-Control System Plus)
      • Encrypts all of the authentication information, not just the password as RADIUS does.
      • Uses TCP port 49.
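
The Kerberos elements listed above (AS, TGS, TGT, service ticket) fit together as one exchange, and the eavesdropping and replay protections the notes mention come from the session keys and the authenticator timestamps. The following is an added example, not from the original notes and not real Kerberos: messages are reduced to the essentials, a toy authenticated cipher built from SHA-256 and HMAC stands in for the AES encryption Kerberos actually uses, and every key, principal name, lifetime and timestamp is a constructed value. The class and function names are my own.

```python
"""Simplified Kerberos exchange (AS, TGS, application service) with replay checks.

Added example, not from the original notes and not real Kerberos: messages are
reduced to the essentials and a toy authenticated cipher built from SHA-256 and
HMAC stands in for the AES encryption Kerberos uses. Keys, principal names and
timestamps are constructed sample values.
"""
from __future__ import annotations
import hashlib, hmac, json, os

LIFETIME = 600  # ticket lifetime in seconds (constructed)
SKEW = 300      # accepted clock skew for authenticators (constructed)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: XOR with a SHA-256 keystream, then an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad ticket or authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str) -> bytes:
    """Long-term key from the password (stand-in for the Kerberos string-to-key step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM", 1000)


def _fresh(auth: dict, ticket: dict, now: int) -> bool:
    """The authenticator must name the ticket's principal, be inside the clock
    skew window, and the ticket itself must not have expired."""
    return (auth["user"] == ticket["user"]
            and abs(auth["ts"] - now) <= SKEW and ticket["exp"] >= now)


class KDC:
    """Holds every principal's key (the KDC role) and runs the AS and TGS."""

    def __init__(self, principals: dict[str, bytes]):
        self.keys = principals            # user and service long-term keys
        self.tgs_key = os.urandom(32)     # the krbtgt key, never leaves the KDC
        self.seen: set[bytes] = set()     # replay cache of authenticators

    def as_exchange(self, user: str, preauth: bytes, now: int):
        """AS-REQ (encrypted-timestamp pre-auth) -> AS-REP: enc part + TGT."""
        key = self.keys.get(user)
        if key is None or abs(unseal(key, preauth)["ts"] - now) > SKEW:
            raise ValueError("pre-authentication failed")
        sk = os.urandom(32).hex()         # session key shared by client and TGS
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": now + LIFETIME})
        return seal(key, {"sk": sk, "exp": now + LIFETIME}), tgt

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: int):
        """TGS-REQ (TGT + authenticator) -> TGS-REP: enc part + service ticket."""
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["sk"])
        if not _fresh(unseal(sk, auth), t, now) or auth in self.seen:
            raise ValueError("invalid or replayed TGS request")
        self.seen.add(auth)
        ssk = os.urandom(32).hex()        # session key shared by client and service
        st = seal(self.keys[service], {"user": t["user"], "sk": ssk, "exp": now + LIFETIME})
        return seal(sk, {"sk": ssk, "service": service}), st


class Service:
    """An application server that knows only its own long-term key."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, st: bytes, auth: bytes, now: int) -> str:
        """AP-REQ: validate the service ticket and authenticator; return the principal."""
        t = unseal(self.key, st)
        if not _fresh(unseal(bytes.fromhex(t["sk"]), auth), t, now) or auth in self.seen:
            raise ValueError("invalid or replayed service request")
        self.seen.add(auth)
        return t["user"]


def login_and_access(kdc: KDC, svc: Service, user: str, password: str, now: int) -> str:
    """Client side of the whole exchange; returns the principal the service accepts."""
    uk = user_key(password)
    enc, tgt = kdc.as_exchange(user, seal(uk, {"ts": now}), now)
    sk = bytes.fromhex(unseal(uk, enc)["sk"])
    enc2, st = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), svc.name, now)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    return svc.accept(st, seal(ssk, {"user": user, "ts": now}), now)
```

Two points worth noticing: the service never sees the user's password or long-term key, only a ticket it can open with its own key, and a captured authenticator is useless to replay because both the TGS and the service keep a cache of the ones they have already accepted.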

Understanding Access Control Attacks

  • Crackers, Hackers, and Attackers
    • Crackers
      • Malicious individuals who are intent on waging an attack against a person or system.
      • In many situations, crackers are simply criminals.
    • Hackers
  • Risk Elements
    • A threat is a potential occurrence that can result in an undesirable outcome.
  • Common Access Control Attacks
    • Privilege Escalation
      • Privilege escalation is often described as horizontal privilege escalation and vertical privilege escalation.
      • Horizontal privilege escalation
        • Gains privileges similar to those of the first compromised user, but from other accounts.
      • Vertical privilege escalation
        • Gains significantly greater privileges.
      1. Use vertical privilege escalation techniques to gain administrator privileges on the user's computer.
      2. Use horizontal privilege escalation techniques to access other computers in the network ("lateral movement").
    • Using the su and sudo Commands
      • su command
      • sudo command
    • Minimizing the Use of sudo
    • Privilege Escalation with PowerShell
      • Many Windows systems have PowerShell installed by default.
      • Whenever possible, it's best to create a service account instead of using the local system account.
    • Password Attacks
      • Passwords are the weakest form of authentication.
      • It's important to change default passwords.
      • Account databases can be the Windows Security Account Manager (SAM) file or the /etc/shadow file on Linux systems.
    • Dictionary Attack
      • Uses a predefined database or list of common or expected passwords.
      • Includes one-upped-constructed passwords.
    • Brute-Force Attack
      • An attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.
      • Comparative Analysis / Reverse-Hash Matching
        • Repeats the process of guessing a password and calculating its hash, then compares the result against the stored hash in the offline database.
        • Better hashing functions are collision resistant.
    • Spraying Attack
      • An online password attack that attempts to bypass account lockout security controls.
      • Similar to a reverse brute-force attack.
    • Credential Stuffing Attack
      • Only checks a single username and password on each site.
    • Birthday Attack
      • Focuses on finding collisions. Its name comes from a statistical phenomenon known as the birthday paradox.
      • The birthday paradox states that if there are 23 people in a room, there is a 50 percent chance that two of them share the same birthday.
    • Rainbow Table Attack
      • A rainbow table of precomputed hashes is very large.
      • A salt is a group of random bits added to a password before hashing it.
      • Adding a pepper to a salted password increases security, making it more difficult to crack.
      • A pepper is a large constant number stored outside the DB holding the salted, hashed passwords, such as a configuration value on a server or a constant stored within application code.
    • Mimikatz
      • Benjamin Delpy created Mimikatz in 2007 to perform some experiments in Windows security while learning C.
      • SSO methods store credentials in memory, and Mimikatz exploits this by reading credentials from memory.
      • Some capabilities of Mimikatz:
        • Read passwords from memory.
        • Extract Kerberos tickets.
        • Extract certificates and private keys.
        • Read LM and NTLM password hashes in memory.
        • Read cleartext passwords in the Local Security Authority Subsystem Service (LSASS).
        • List running processes.
      • Attackers can run Mimikatz as fileless malware on remote systems.
    • Pass-the-Hash Attack (PtH Attack)
      • Allows an attacker to send a captured hash of a password to an authenticating service.
      • The best protection is to prevent the infection of the first computer.
    • Kerberos Exploitation Attacks
      • Include the following:
        • Overpass the Hash
        • Pass the Ticket
        • Silver Ticket
        • Golden Ticket
        • Kerberos Brute-Force
        • ASREPRoast
        • Kerberoasting
    • Sniffer Attack
      • Wireshark tool
      • To prevent successful sniffing attacks:
        • Encrypt all sensitive data.
        • Avoid the use of insecure protocols and use secure protocols.
        • Use one-time passwords when encryption is not possible or feasible.
        • Protect network devices with physical security.
        • Monitor the network for signatures from sniffers.
    • Spoofing Attacks
      • IP spoofing attack
        • Replaces a valid source IP address.
      • Email spoofing attack
        • Spoofs the email address in the From field.
      • Phone number spoofing attack
        • Replaces the actual calling number with a phone number that includes the same area code as the called number.
  • Core Protection Methods
    • Control physical access to systems.
    • Control electronic access to files.
    • Hash and salt passwords.
      • Argon2, bcrypt, PBKDF2
    • Use password masking.
    • Deploy multifactor authentication.
    • Use account lockout controls.
    • Use last logon notification.
    • Educate users about security.

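The salt and pepper described under the rainbow table attack, and the PBKDF2 listed under the core protection methods, combined into one password-storage routine. This is an added example, not from the original notes; the pepper value, iteration count and sample passwords are constructed, and the function names are my own. The last function shows the point of the pepper from the defender's side: a leaked credential database alone is not enough to verify even a correct guess.

```python
"""Salted and peppered password hashing with PBKDF2, plus verification.

Added example, not from the original notes. The pepper, iteration count and
sample passwords are constructed; in a deployment the pepper lives outside the
credential database (a config value or secret store), as the notes describe.
"""
from __future__ import annotations
import hashlib, hmac, os

ITERATIONS = 100_000                                   # constructed; tune to hardware
PEPPER = b"constructed-demo-pepper-do-not-reuse"       # kept out of the DB


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the pepper to the password with HMAC so it becomes part of the
    PBKDF2 input rather than a plain concatenation."""
    return hmac.new(pepper, password.encode(), "sha256").digest()


def hash_password(password: str, pepper: bytes = PEPPER, salt: bytes | None = None) -> str:
    """Return a self-describing record 'pbkdf2$iterations$salt$hash' (hex fields).
    A fresh 16-byte random salt per user defeats rainbow tables: identical
    passwords no longer produce identical stored values."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def offline_guess_matches(guess: str, record: str) -> bool:
    """What someone holding only the leaked DB can do: hash a guess with the
    stored salt and iteration count. Without the pepper (which is not in the
    DB) even the correct password fails to match, so the records alone cannot
    be cracked offline."""
    return verify_password(guess, record, pepper=b"")


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
    print("offline guess without pepper:", offline_guess_matches("correct horse battery staple", rec))
```

Rotating the pepper is the one operational cost: because it is mixed into the hash, every stored record has to be recomputed at the user's next successful login, so keep the pepper in a secret store with that rotation path planned.
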
Summary

Exam Essentials

  • Identify common authorization mechanisms.
  • Describe key concepts of the Discretionary Access Control (DAC) model.
  • Describe key concepts of the Role-Based Access Control (RBAC) model.
  • Describe key concepts of the rule-based access control model.
  • Describe key concepts of the Attribute-Based Access Control (ABAC) model.
  • Describe key concepts of the Mandatory Access Control (MAC) model.
  • Describe key concepts of the risk-based access control model.
  • Understand single sign-on methods used on the internet.
  • Describe Kerberos.
  • Understand the purpose of AAA protocols.
  • Describe privilege escalation.
  • Know about pass-the-hash attacks.
  • Know about Kerberos exploitation attacks.
  • Know how brute-force and dictionary attacks work.
  • Understand how salt and pepper thwart password attacks.
  • Understand sniffer attacks.
  • Understand spoofing attacks.

Review Questions:

1 B
2 B
3 B
4 A
5 D
6 A
7 D
8 B
9 B
10 B
11 C
12 D → A
13 A
14 A
15 D
16 C
17 C → B
18 B
19 D
20 C

Score: 18 / 20 = 90%