Access Control Systems Overview

The purpose of access control systems and practices is to protect information from the threats of unauthorized disclosure, modification, or destruction.  Access controls fortify the confidentiality, integrity, and availability of information assets by identifying and authenticating both data and users. 

Access control is a broad topic that incorporates many basic security practices, one of the most important of which relates to password usage.  Password standards are therefore an important subset of access control standards. Although access to sensitive information on critical computer systems is best controlled with strong authentication practices, well-designed reusable passwords may be adequate for controlling access to less sensitive information, so long as robust password standards are in place and users are knowledgeable about what is required of them regarding computer security.

Access Control Systems Standards

Minimum Security Option

Description: Multipurpose servers allowed; screen-saver timeout for keyboard inactivity; 6 character passwords; minimal password construction requirements; manual requirement to change passwords every 90 to 120 days; password sharing disallowed; protect password file in secure directory.

Benefits: Inexpensive and will protect systems/data to a minimal degree.

Disadvantages: Potential for system exposure/attack due to known exposures.


Information Security-Related Access Controls:

 

1.      Allow the use of multipurpose servers, so that e-mail, Web, database and other services are placed on the same host server.  This provides up-front cost savings but may reduce security: a same-host strategy offers multiple avenues for attack and increases reliance on one server (i.e. when the server is down, all services are down).


2.      Provide all desktop systems with an automatic time-out feature that makes them inaccessible to an unauthorized individual after a period of keyboard inactivity. Simple examples of time-out features are password-protected screen-savers and the automatic logoffs that some systems provide. The length of inactivity that triggers the time-out is determined by the sensitivity of the applications and data.

Password Standards:

1.      Establish an effective minimum-length password standard.  Minimum password standards shall include, but not be limited to, the following items:

·        A minimum length for passwords (at least six characters) and instructions on unacceptable combinations, such as names of family members or pets, birth dates, sports teams, or common (dictionary) words.

·        Use of a manually enforced standard that requires users to change their passwords after a specified time period of every 90 to 120 days.

·        A strict prohibition on users’ sharing passwords or writing down passwords.

 

2.      Protect reusable passwords held in storage.  Provide a secure directory for the storage of reusable passwords held in the system password file.  Only allow the secure directory, and associated password file, to be accessed by limited numbers of system administration personnel with security-related responsibilities.

Optimum Security Option

Description: Minimum Security requirements plus: consider single purpose servers; separate network bridges, firewalls, and routers; password protection of console; create and maintain user security profiles; desktop system protection; 7 character passwords with numeric digit; restrictive password construction; auto password prompt after 60-90 days; all default passwords changed; encrypt password file and transmissions; history of 10-12 passwords; cracker software used to test new passwords.

Benefits: Significantly decreases the potential for attack.

Disadvantages: More cost and more maintenance than the Minimum Option.


Information Security-Related Access Controls:

 

1.      Consider single purpose servers.  Putting e-mail, Web, databases, etc. on separate host servers carries higher up-front costs but is a major security enhancement, since a multiple-host strategy leaves fewer avenues of attack and decreases reliance on any one server.

2.      Physically separate networks with bridges, routers, firewalls, or other access control devices to help prevent users from intercepting data they are not authorized to access.

 

3.      Password-protect console terminal screens, even if just using screen-saver lockout software, and change these passwords regularly (every 30 to 60 days).

 

4.      Create and maintain security profiles for all users. Security profiles define users’ access to system facilities and data based upon their job responsibilities, helping to streamline the process of granting and revoking access rights to systems facilities and data by grouping rights together according to job function. Security profiles shall be promptly modified when employees change job positions or responsibilities in order to prevent their continued access to system facilities and data that are no longer appropriate. Finally, when employees leave, delete all their access rights immediately.

 

5.      Control access to desktop systems that are connected to mission critical networks or network segments that access sensitive information. Use a power-on logon ID and password combination or locked office to prevent unauthorized personnel from gaining control of desktop systems.

 

6.      Implement time-of-day controls over access to desktop systems connected to mission critical networks or network segments by limiting access to business hours only. Also implement other access control mechanisms for remote access users.  If authorized users need to use desktop systems connected to critical networks or network segments after normal business hours, allow their access to be granted on an exception basis.

 

7.      Provide control over computer and network utility programs that provide unrestricted access to sensitive data. Some utility programs provide unrestricted access to system commands and data by super-users (e.g., system or network administrators). When implementing software that gives super-users these abilities, provide compensating controls, such as segregation of duties, to limit their ability for autonomous actions. As an additional precaution, review system logs of all super-user actions frequently.

 

8.      Provide the same level of physical and logical access control to backup files of sensitive data as is provided to production versions of network and system applications and data files, particularly those backup files stored at offsite locations.

 

9.      Disable user accounts after a preset period of inactivity and completely purge them after a longer period of inactivity. To ensure a system does not retain old, unused user accounts, deactivate any account that has not been used within the period set forth in your security standards (90 days is common). Then, if no request for reactivation is received within a further period (30 days is common), purge the account from the system completely. Before purging an account, be sure that irreplaceable files are not destroyed or made inaccessible by the purge; check with data owners that all data the account holds will still be accessible after the purge.
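The inactivity rules of item 9 written out as a decision routine, added here as an example and not part of the original standard. The 90-day and 30-day periods are the page's; the account fields, the sample records and the review date are constructed, and the data-owner check is modelled as a flag that must be set before a purge proceeds.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DISABLE_AFTER = timedelta(days=90)   # item 9: deactivate after 90 days without use
PURGE_AFTER = timedelta(days=30)     # item 9: purge 30 days after deactivation if no request

@dataclass
class Account:
    user: str
    created: date
    last_logon: Optional[date]                 # None if the account was never used
    disabled_on: Optional[date] = None
    reactivation_requested: bool = False
    owner_confirmed: bool = False              # data owner confirmed nothing irreplaceable is lost

def next_action(acct, today):
    """Decide what the inactivity review does to this account today:
    'none', 'disable', 'reactivate', 'hold' (purge due, owner check outstanding) or 'purge'."""
    if acct.disabled_on is None:
        last_used = acct.last_logon or acct.created   # never-used accounts age from creation
        return "disable" if today - last_used >= DISABLE_AFTER else "none"
    if acct.reactivation_requested:
        return "reactivate"
    if today - acct.disabled_on < PURGE_AFTER:
        return "none"
    return "purge" if acct.owner_confirmed else "hold"

# Constructed sample records, evaluated on an assumed review date.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2023, 1, 1), date(2024, 5, 20)),                      # active
    Account("bob", date(2023, 1, 1), date(2024, 2, 1)),                         # 121 days idle
    Account("carol", date(2024, 1, 1), None),                                   # never used, 152 days old
    Account("dave", date(2023, 1, 1), date(2023, 12, 1), disabled_on=date(2024, 4, 20)),
    Account("erin", date(2023, 1, 1), date(2023, 12, 1), disabled_on=date(2024, 4, 20), owner_confirmed=True),
    Account("frank", date(2023, 1, 1), date(2023, 12, 1), disabled_on=date(2024, 5, 20), reactivation_requested=True),
]

def run_review(accounts=SAMPLE_ACCOUNTS, today=TODAY):
    """Return {user: action} for one pass of the inactivity review."""
    return {a.user: next_action(a, today) for a in accounts}
```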

10.  Disable user IDs after multiple unsuccessful logon attempts (usually 3 to 5), and have the system notify the security administrator when this threshold is reached so that the situation can be investigated. This discourages attackers from using automated (war dialer) programs that try user logon ID and password combinations. Be aware that this control can itself be turned into a denial of service (i.e. an attacker deliberately triggers the disabling of a user-id in order to lock out the legitimate user).


11.  Provide for the review of audit trails or logs to detect repeated attempts at guessing user passwords that stay below the lockout threshold (3 to 5) in any one session.

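Items 10 and 11 together, as an added example that is not part of the original standard: a review over constructed logon records that reports both the accounts that reached the lockout threshold within one session and the accounts whose failures stayed under it per session but accumulated across sessions. The log line format, the 3-failure threshold and the review count of 6 are assumptions.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3   # item 10: disable the ID at 3 to 5 failures in one session
REVIEW_THRESHOLD = 6    # assumed: failures across sessions that warrant a review

# Constructed sample log lines (not from any real system); the format is assumed.
SAMPLE_LOG = """\
2024-03-04T08:01:10 session=s1 user=alice result=FAIL
2024-03-04T08:01:20 session=s1 user=alice result=OK
2024-03-04T09:00:01 session=s2 user=bob result=FAIL
2024-03-04T09:00:05 session=s2 user=bob result=FAIL
2024-03-04T09:00:09 session=s2 user=bob result=FAIL
2024-03-04T10:00:00 session=s3 user=carol result=FAIL
2024-03-04T10:00:04 session=s3 user=carol result=FAIL
2024-03-04T10:05:00 session=s4 user=carol result=FAIL
2024-03-04T10:05:03 session=s4 user=carol result=FAIL
2024-03-04T10:10:00 session=s5 user=carol result=FAIL
2024-03-04T10:10:02 session=s5 user=carol result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Yield (timestamp, session, user, succeeded) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["session"], m["user"], m["result"] == "OK"

def review_logons(text, lockout=LOCKOUT_THRESHOLD, review=REVIEW_THRESHOLD):
    """Return {user: {"failures": n, "lockout": bool, "sub_threshold": bool}}.
    lockout: one session reached the threshold (item 10: disable the ID, notify the administrator).
    sub_threshold: no session reached it, but failures across sessions total at least `review` (item 11)."""
    per_session = defaultdict(int)          # (user, session) -> failed attempts
    for _ts, session, user, ok in parse_log(text):
        if not ok:
            per_session[(user, session)] += 1
    report = {}
    for user in {u for u, _ in per_session}:
        fails = [n for (u, _), n in per_session.items() if u == user]
        hit = any(n >= lockout for n in fails)
        report[user] = {
            "failures": sum(fails),
            "lockout": hit,
            "sub_threshold": not hit and sum(fails) >= review,
        }
    return report
```

On the sample, review_logons(SAMPLE_LOG) reports bob as a lockout (3 failures in one session) and carol as sub-threshold (2 failures in each of three sessions).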

12.  Set the system up to display the date and time of the last successful logon each time the user signs on, so that users can detect whether someone has illicitly obtained a valid password and accessed their applications and/or data. Training users to observe this date and time and to report any anomalies should be part of the court’s user security awareness and education programs.


13.  If the court uses a wireless LAN, take steps to ensure the security of the network and its traffic.  Use the wired equivalent privacy (“WEP”) optional encryption scheme to provide access control (preventing unauthorized users, who lack a correct WEP key, from gaining access to the network) and privacy (protecting wireless LAN data streams by encrypting them so that only users with correct WEP keys can decrypt them).  In addition to using WEP, provide the following functionality:


·        Base wireless LAN authentication on device-independent items such as usernames and passwords, which users possess and use regardless of the clients on which they operate.

·        Use mutual authentication between a client and an authentication (RADIUS) server.

·        Use WEP keys that are generated dynamically upon user authentication.

·        Use session-based WEP keys.

 

Password Standards:

1.      Enhance password standards – they shall include, but not be limited to, the following:

·        A minimum length for passwords (at least seven characters with a numeric digit) and instructions on acceptable combinations of numbers, letters, and symbols. For example, using a password with a minimum of seven characters and at least one character from the numeric or special characters categories provides much better control than more obvious or easily guessed combinations. Dictionary words (in English or even common foreign languages, like Spanish) are to be prohibited.

·        Use an automatic system prompt that requires users to change their passwords after a specified period of time (usually every 60 to 90 days).

 

2.      Immediately change all default passwords on critical mainframe, network, and PBX (private branch exchange) telephone switch components. Vendors typically deliver firewalls, servers, PBXs and other critical network and computer components with default passwords that are either listed in product documentation or may easily be guessed by attackers.


3.      Encrypt reusable passwords in storage. Provide encryption of reusable passwords held in the system password file.

 

4.      Select security subsystems and applications that provide a password history to prevent the reuse of recent passwords.  A password history bars reuse of recent passwords based on either a period of time (e.g., no reuse of passwords used within the last year) or a specific number of previously used passwords (e.g., no reuse of the last 10 or 12 passwords).

 

5.      Encrypt reusable passwords in transmission. Encrypt reusable passwords while they are in transit across the network to lessen their exposure to packet sniffing, session hijacking, Trojan horses, and similar attacks.  As an alternative, permit only one-time passwords to be sent over the network.


6.      Use commercially available applications to test the validity of users’ passwords.  Such applications (often called password crackers) are available to test for users’ passwords that are easily guessed. Use these applications to screen users’ passwords at the point they are created to ensure, for example, that no passwords are used that match words in the dictionary and, therefore, are susceptible to dictionary attacks.  Other tests performed by these applications include user name and user-id checks (both backward and forward versions of a user’s name and user-id), and repetitive and/or sequential alpha and numeric checks (for example: 123456, 654321, abcdef, fedcba), as well as numerous variations.  Examples of password cracker software (some available in the public domain or as freeware or shareware) include:

·        l0phtcrack (“Lophtcrack” with a lower case “L” and a zero in the “o” spot)

·        Brute 2.0

·        Crack4.1 (for C-code)

·        Claymore.zip (for Windows)

·        Revel11.exe (known as “Revelation”)

·        Cracker Jack or Unix Password Cracker (for UNIX)
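The screening checks item 6 describes (dictionary words, the user name and user-id forward and backward, repetitive and sequential runs) together with the construction rules of the Minimum, Optimum and Maximum options, as an added example and not the code of any product listed above. The word list is a constructed stand-in for a real dictionary, and the run length of four characters is an assumption.

```python
import string

# Constructed stand-in for a dictionary word list (assumed; a real deployment
# would load a full English plus common foreign-language list).
DICTIONARY = {"password", "welcome", "courthouse", "secret", "hola", "amigo"}

CATEGORIES = {
    "alpha": set(string.ascii_letters),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def has_run(pw, length=4):
    """True if pw holds `length` consecutive chars that repeat, ascend or descend
    (the page's 123456 / 654321 / abcdef / fedcba patterns)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def screen_password(pw, username, full_name, min_len=7, require=("digit",)):
    """Return the list of failed checks; an empty list means the password passes.
    min_len / require mirror the page's three options: Minimum 6 and require=(),
    Optimum 7 with a digit, Maximum 8 with require=("alpha", "digit", "special")."""
    problems = []
    low = pw.lower()
    chars = set(pw)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for cat in require:
        if not chars & CATEGORIES[cat]:
            problems.append(f"no {cat} character")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # user name and user-id, forward and backward (tokens of 3+ characters)
    tokens = {username.lower(), *full_name.lower().split()}
    for tok in tokens:
        if len(tok) >= 3 and (tok in low or tok[::-1] in low):
            problems.append("contains user name or user-id (forward or reversed)")
            break
    if has_run(pw):
        problems.append("contains a repetitive or sequential run")
    return problems

if __name__ == "__main__":
    for pw in ("Summer2024!", "htims1234", "Password1", "abc123", "Courthouse8"):
        print(pw, "->", screen_password(pw, "jsmith", "Jane Smith") or "accepted")
```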

Maximum Security Option

Description: Optimum Security requirements plus: mandatory use of strong authentication methods; required single purpose server; segment networks; consoles physically secure; remote system admin controls; secure centralized network connection points; transfer sensitive info from desktop to server in secure area; erase data from old hard drives; delay logon prompt display; password protect laptops; required 8 character passwords with a numeric digit; auto system password change prompt every 30 days.

Benefits: Extensive controls substantially decrease the potential for attack.

Disadvantages: Much more cost and maintenance than the Optimum Option.


Information Security-Related Access Controls:

 

1.      Use strong authentication to restrict access to critical systems and processes and sensitive data; control network remote access; and limit access to system administrator control functions of critical network devices.[1] Strong authentication methods include, but are not limited to, one-time and/or non-word passwords, digital certificates, and biometrics.

 

2.      Require single purpose servers.  Putting e-mail, Web, databases, etc. on separate host servers carries higher up-front costs but is a major security enhancement, since a multiple-host strategy leaves fewer avenues of attack and decreases reliance on any one server.


3.      Segment networks to prevent interception of data. Because internal networks are susceptible to “packet sniffers” and other techniques for intercepting sensitive data, separate internal networks into segments so that dissemination of data is restricted to a controlled subset of users.

4.      Limit control of servers to local consoles in a physically secured area. To discourage console-based attacks on servers, particularly attempts to retrieve restricted data such as password files, limit access of server-control devices to consoles physically attached to servers found in secure areas. This allows for strict control of physical access to the console.

 

5.      Where systems administration of servers must be performed remotely, use strong authentication and encrypted sessions to control access from the remote device.


6.      Centralize the connection points of a court’s network in secure locations. Physically secure and closely monitor these network connection points, as they are vulnerable to packet sniffing efforts. Install network connection points in physically secure closets or rooms with other critical network devices.

 

7.      Transfer storage of sensitive data or mission critical processes from desktop systems to servers located in secure areas. Desktop systems are susceptible to theft, access by unauthorized personnel, destruction, and/or failure. If sensitive or mission critical data must reside on desktop systems, protect them with controls like encryption and backup.

 

8.      Permanently remove all sensitive files from hard drives before disposing of obsolete desktop systems, since simply erasing files is not adequate. Use commercially available software to ensure all traces of files have been eradicated beyond recovery. Depending on data sensitivity, also provide for physical destruction of old hard drives before disposal.

 

9.      Password-protect access to notebook or laptop computers and consider encryption of all sensitive files on these computers’ hard drives. Because portable computers are easy to steal, minimize opportunities for thieves to obtain sensitive information that may be stored on them. The first line of defense is to require a logon ID/password combination to gain access to the PC operating system. Encrypt sensitive files so that even if the portable computer is stolen and successfully penetrated, the thieves cannot access the data.

 

10.  To reduce the number of unsuccessful logon attempts, delay the display of the logon prompt after an unsuccessful access attempt, with incrementally longer delays after each further unsuccessful attempt. This curbs the rapid repeated attempts an attacker relies on, without disabling the account and requiring administrative action before later authorized use.

Password Standards:

 

1.      Enhance password standards again; they shall include, but not be limited to, the following:

·        A minimum length for passwords (eight characters with at least one numeric digit included) and instructions on acceptable combinations of numbers, letters, and symbols. For example, using a password with a minimum of eight characters and at least one character from each of the alpha, numeric, and special characters categories provides much better control than more obvious combinations.

 

·        Use an automatic system prompt that requires users to change their passwords after a specified period of time (every 30 days) or number of uses. Systems should require more frequent password changes for users with extensive access privileges (e.g., network or system administrators, DBA, etc.).

[1] TAC 201.13(b)(9)(C) Info Security Standards—Information Safeguards—Identification/Authentication.