CISSP Domain 5 - Flashcards
Introduction
- Access: Flow of information between a subject and an object
- Subject:
- Active entity that requests access to an object
- Can be a user, program or process
- Object:
- Passive entity that contains the desired information or functionality
- Access Control:
- Security feature that controls how subjects access objects
- Example: Mike needs to make a duplicate of a document on a copier, and must enter his password. Mike is the subject, the copier is the object, and the access control is the requirement to enter a password
IAAA - Steps to Implement Access Controls
1) The subject must provide an identity
2) The subject must authenticate they are who they claim to be
3) The system validates the identity and authentication information, and then checks to see if the subject is authorized to access the object
4) The system records all activities between the subject and object for future accountability
IAAA - Logical Access Controls
Technical tools to carry out IAAA
IAAA - Identity - Definition
Uniquely represents a subject within a given environment
IAAA - Identity - Identity Attributes
- Uniqueness: Should represent something unique about the subject
- Non-descriptive: The identity name should not describe the role or purpose of the account
- Issuance: How the identity is issued to the subject (email, ID card, etc)
IAAA - Identity - Best Practices
- Each value should be unique for accountability
- A standard naming scheme should be followed
- The name should not describe the position or task
- The name should not be shared among multiple subjects
IAAA - Identity - Identity Management - Definition
The process of creating, managing and retiring identities
IAAA - Identity - Identity Management - Directories - Definition
Central locations where all subjects and objects are tracked
IAAA - Identity - Identity Management - Directories - Namespace
Hierarchical naming convention that uniquely identifies a location or object
IAAA - Identity - Identity Management - Directories - Objects in a directory
- Managed by a Directory Service
- Labeled and identified using a namespace
IAAA - Identity - Identity Management - Directories - X.500 and LDAP
- Each object:
- Common Name (CN): Identifies that object uniquely in the directory
- Distinguished Name (DN):
- Not required to be unique
- Made of Domain Components (DCs)
- When you combine all of the DCs within a DN, you get back something that is unique in the entire directory
- X.500 directory database rules
- All objects are arranged in a hierarchical parent-child relationship
- Every object has a unique name made up of unique identifiers called ‘distinguished names’
- The supported attributes for objects are defined by a schema
IAAA - Identity - Identity Management - Directories - Meta-Directory
Aggregates information from multiple sources and presents a unified view
IAAA - Identity - Identity Management - Directories - Virtual Directory
Does not aggregate the data into its own database
IAAA - Identity - Identity Management - Web Access Management (WAM)
- Software layer that controls authentication and authorization within a web-based environment
- Most often: Associated with a Single Sign-On (SSO) experience
- Coordinates authentication and authorization with external systems behind the scenes
- Most common sequence
1) Initial authentication
2) WAM stores a cookie on the user’s computer containing some type of session identifier
3) Each web application will use WAM to retrieve this cookie and validate that it is still valid
4) If so, the user does not need to log in again
- Different sub-domains cannot access each other’s cookies
IAAA - Authentication - Introduction
- Definition: Process of the subject proving it is who it claims to be
- 4 attributes for any authentication mechanism
- Transparent: User should not be aware of it
- Scalable: Not to create bottlenecks
- Reliable: No single point of failure
- Secure: Provides authentication and confidentiality
IAAA - Authentication - Factors
1) Something a person knows
2) Something a person has
3) Something a person is
IAAA - Authentication - Factors - 1) Something a person knows
- Examples: Password, PIN, Lock combination
- Risk: An attacker could acquire this knowledge
IAAA - Authentication - Factors - 2) Something a person has
- Examples: Swipe card, Smart token, Keys, Access badge
- Risk: An attacker could steal this
IAAA - Authentication - Factors - 3) Something a person is
- Examples: Fingerprint, Retina pattern, Gait, Voice print
- Risk: An attacker could physically emulate this
IAAA - Authentication - Factors - Single Factor Authentication
Using one of the 3 factors
IAAA - Authentication - Factors - Multifactor Authentication
- aka Strong Authentication
- Requires at least 2 factors
IAAA - Authentication - Managing Passwords - Introduction
- Balance needs to be reached
- Stringent policies
- Usability
IAAA - Authentication - Managing Passwords - Password Synchronization
- Definition: Having multiple systems update passwords at the same time
- Goal: To avoid supporting multiple sets of credentials per user
- Upside: If the password remains constant, the user is able to memorize a stronger password
- Downside: By stealing one set of credentials, an attacker can access multiple systems
IAAA - Authentication - Managing Passwords - Self-Service Password Reset
- Goal: To avoid manual reset process which results in resource drain
- 3-step process
1) The user provides an alternative means of authentication
2) An e-mail is sent with a link. The link contains a random globally-unique identifier (GUID) that is tied to the password reset request
3) The link is clicked. The system allows the user to enter a new password
IAAA - Authentication - Managing Passwords - Assisted Password Reset
1) The user interacts with a helpdesk person
2) The helpdesk agent enters the answers to the security questions into an application
3) A new password is generated known to both the helpdesk person and the user
4) When the user logs in the next time, the system requires a new valid password to be provided before access will be granted
IAAA - Authentication - Managing Passwords - Single Sign-On (SSO)
- Keeps all passwords the same across multiple systems
- Provides a single infrastructure to manage credentials that all systems leverage
- Thin clients:
- Can take advantage of SSO
- On boot up the device prompts the user for credentials, which are then authenticated using SSO to a central server or mainframe
- This allows the thin client to use multiple services with a single authentication step visible to the user
- Issues
- Can be very expensive
- Single point of failure
- Possible bottleneck
- An attacker can access multiple systems with a single set of credentials
IAAA - Authentication - Account Management
- Process of creating, modifying and decommissioning user accounts on all appropriate systems
- Automated process
- Required to effectively manage this activity
- Benefits
- Reduces errors caused by manual data entry
- Each step in the process is tracked and logged (accountability)
- Ensures the appropriate amount of privileges are assigned
- Eliminates orphaned user accounts when employees leave the company
- Makes auditors happy
- Downside
- Very expensive to implement
IAAA - Authentication - User Provisioning
- Definition: The act of creating user objects and attributes
- User account: Includes other metadata
- User: Simply represents the object
- Profile:
- Created to accompany a user account
- Contains data such as
- Addresses
- Phone numbers
IAAA - Authentication - Biometrics - Definition
Act of verifying an individual’s identity based on physiological or behavioral attributes
IAAA - Authentication - Biometrics - Physiological traits
- Physical attributes that are unique to the individual
- What you are
- Examples
- Fingerprints
- Voice print
IAAA - Authentication - Biometrics - Behavioral traits
- What you do
- Examples
- Handwriting signature
- Height
IAAA - Authentication - Biometrics - Error types
- Type 1 error
- Rejects an authorized individual
- False Rejection Rate (FRR)
- Type 2 error
- Accepts an unauthorized individual
- False Acceptance Rate (FAR)
- Much more concerning
- Crossover Error Rate (CER)
- Measures the point at which the FRR equals the FAR
- Is expressed as a percentage
IAAA - Authentication - Biometrics - Biometric data types
- Fingerprints: A complete record of ridges and valleys on a finger
- Finger scan: Certain features of a fingerprint
- Palm scan: Fingerprint and the creases, ridges and grooves of the palm
- Hand geometry: The shape, length and width of hand and fingers
- Retina scan: Blood-vessel patterns on the back of an eyeball. Most invasive
- Iris scan: The colored portion surrounding the pupil. Most accurate
- Signature Dynamics: The speed and movements produced when signing a name
- Keystroke dynamics: The speed and pauses between each keypress as a password is typed
- Voice print:
- A number of words are recorded during enrollment
- During authentication the words are jumbled
- The user repeats them to prevent a recording from being played
- Facial scan: Bone structure, nose ridge, eye widths, forehead size and chin shape
- Hand topography: A side camera captures the contour of the palm and fingers; not unique enough to be used alone but can often be used with hand geometry
IAAA - Authentication - Biometrics - Downsides
- User acceptance
- Enrollment timeframe: The enrollment phase may take a long time
- Throughput: Acceptable elapsed time: 5 to 10 seconds
- Accuracy over time
IAAA - Authentication - Passwords - Attacker tactics to get a password
- Electronic monitoring
- Password file
- Brute-force attack
- Dictionary attack
- Rainbow table: Use all likely passwords in a table already hashed
- Social engineering
IAAA - Authentication - Passwords - Mitigation tactics
- After login, for the prior successful login attempt show
- Date/time
- How many unsuccessful attempts were made
- Location of the login
- Set clipping level
- Password aging: Limit the lifetime of a password
- Password history: The last 5-10 passwords should be stored
IAAA - Authentication - Passwords - Password Checker
Tool that checks the strength of passwords
IAAA - Authentication - Passwords - Password Cracker
Tool that tries to crack passwords using one or more attack techniques
IAAA - Authentication - Passwords - CAPTCHA
- Forces a person to enter information about a graphical image that is very difficult for computers to process
- This proves that a real person is entering information instead of a computer-based automated process
IAAA - Authentication - Passwords - One-Time Password (OTP)
- Good for a one-time use only
- Types
- Synchronous
- Asynchronous
- Formats
- Physical
- Smartphone app
- Text message
- Synchronous Token device
- Hand-held password generator with small screen and sometimes a keyboard
- Synchronized device: Both generate the same passwords simultaneously
- Counter-Synchronized Device: Requires the user to push a button
- Asynchronous Token device
- Uses a challenge/response scheme
- The authentication service sends a random value called a nonce to the user
- The user enters the nonce into the token device, which encrypts the nonce with a secret key
- The user then sends the encrypted nonce to the authentication service, which attempts to decrypt it with the shared secret key
- If the decrypted value matches the original nonce, the user is authenticated
IAAA - Authentication - Passwords - Cryptographic Key
- Highly secure way to authenticate
- Sequence
1) The authentication service provides a nonce
2) The user encrypts the nonce with their private key
3) The user sends the encrypted nonce and his digital certificate to the authentication service
4) The authentication service decrypts the nonce using the public key from the digital certificate
IAAA - Authentication - Passwords - Passphrase
- Made up of multiple words
- Reduced down via hashing or encryption into a simpler form
- Longer than a password
- Easier to remember
IAAA - Authentication - Cards - Memory Card
- Only stores data
- Examples
- Older ATM cards
- Older credit cards
- Risks: If the data contents of the memory card are not properly encrypted: Easy to read the PIN
IAAA - Authentication - Cards - Smart Card - Definition/Examples
- Memory Card with a tiny computer (chip)
- Examples:
- Credit cards containing on-board chips
- ATM cards containing on-board chips
IAAA - Authentication - Cards - Smart Cards - Advantages
- PIN number: Can be required before data can be read
- Chip:
- Does the processing
- Doesn’t need an external system to perform validation
- If tampering is detected: Some smartcards will erase its information
IAAA - Authentication - Cards - Smart Cards - Disadvantage
More expensive than memory cards
IAAA - Authentication - Cards - Smart Cards - Power management methods
- Contact cards
- The reader
- Provides power to the chip
- Establishes a 2-way communication path
- Contactless cards
- Have an antenna running the entire perimeter
- When the antenna comes very near an electromagnetic field, the field provides power and a communication path
- It’s an example of Radio Frequency Identification (RFID)
- May or may not employ encryption
- Combi cards: One chip that supports both methods
- Hybrid cards: Two chips. One for each method
IAAA - Authentication - Cards - Smart Cards - Smart-card specific attacks
- Non-Invasive
- Side-channel attacks
- Differential power analysis: Watch the power emissions during processing
- Electromagnetic analysis: Watch the frequencies emitted
- Timing: Watch how long a process takes
- Software attacks: Provide instructions that exploit a vulnerability
- Invasive
- Fault generation
1) Change the environment of the card
- Voltage
- Temperature
- Clock rate
2) Watch for differences
- Microprobing: Access the internal circuitry directly
IAAA - Authentication - Cards - ISO 14443 (Cards)
- ISO 14443-1: Physical attributes
- ISO 14443-2: Initialization and anti-collision
- ISO 14443-3: Transmission protocol
IAAA - Authorization - Definition
Determining whether the authenticated subject is allowed to carry out the action he’s requesting
IAAA - Authorization - Access Criteria
- Role-Based: Based on the tasks a subject or group might need to perform
- Physical Location Restriction: Restricting access to a device
- Logical Location Restriction: Might be based on an IP address
- Time of Day Restriction: Perhaps certain functions are accessible only during business hours or week days
- Temporal Restriction: Allow access based on an absolute date or time
- Transaction-Type Restriction: Limit access to features or data depending on the activity that the subject is engaged in
IAAA - Authorization - Default to No Access
- All access control mechanisms should be built upon it
- Disadvantage: It will take more work to properly configure the system for the first time
- Advantage: Significant drop in the number of accidental security holes
- Need-to-Know: Focused on permissions and ability to access information
- Least Privilege: Focused on privileges
- Authorization Creep:
- Tendency for an employee to gain more and more access over time as he changes positions
- Even if the old levels of access are no longer needed
- Typically the result of a lack of well-defined tasks and roles
- Solution
- As an employee changes roles, he should be removed from the current role/group and assigned to a new one that matches his new responsibilities
- Sarbanes-Oxley (SOX): Law that requires review of this process yearly
IAAA - Authorization - Default to No Access - Need to Know / Least Privilege
- Need-to-Know: Focused on permissions and ability to access information
- Least Privilege: Focused on privileges
They help provide protection for valuable assets by limiting access to these assets
IAAA - Authorization - Kerberos - Introduction
- One of the most common implementations for SSO
- Developed in the 80’s
IAAA - Authorization - Kerberos - Main components
- Key Distribution Center (KDC)
- Authentication Server (AS): Authenticates a principal
- Ticket Granting Service (TGS): Creates a ticket for a principal
- Principals: Users, Applications, Network services
- Realm
- Set of principals
- A KDC can be responsible for one or more realms
- Tickets: Proof of identity passed from principal to principal
- Authenticator: A packet of data containing:
- A principal’s information
- The principal’s IP address
- A timestamp
- A sequence number
- Timestamp and seq number help protect against replay attacks
IAAA - Authorization - Kerberos - Workflow
0) Bob wants to log in and send something to a printer
1) Bob logs into his workstation
2) Bob’s desktop sends his username to the KDC’s AS. The AS encrypts the password, generates a random session key, encrypts it with Bob’s password and sends it back. This is an AS ticket
3) Bob’s desktop will decrypt the session key using the password Bob entered. Now the KDC and Bob’s desktop share a session key
4) Bob sends something to a printer
5) Bob’s desktop sends the AS ticket obtained during login to the KDC’s TGS and asks for a ticket allowing it to print to the printer
6) The KDC validates Bob’s AS ticket
7) The KDC’s TGS generates a new random session key and sends two copies of it, along with an authenticator, back to Bob’s desktop
- One encrypted with Bob’s secret key
- One encrypted with the printer’s secret key
8) Bob’s desktop receives this new print ticket, decrypts the session key using Bob’s password, adds its own authenticator and sends the print ticket to the printer
9) The printer receives the ticket and decrypts the session key and the KDC’s authenticator using its secret key. If the decryption succeeds, it knows the ticket came from the KDC. If the decrypted authenticator matches Bob’s desktop authenticator, it knows Bob’s machine sent the message
10) The printer prints
IAAA - Authorization - Kerberos - SSO
After the first system authenticates, it will use a ticket from then on to represent the user’s identity and authentication. As the user moves from system to system, all we have to do is to pass the ticket along, and the authentication session will move with it
IAAA - Authorization - Kerberos - Weaknesses
- The KDC can be a SPOF: Solution: provide failover
- The KDC can be a bottleneck: Solution: provide sufficient hardware
- Both secret and shared keys are temporarily stored on machines acting on behalf of the principal and could be stolen. Solution: normal security precautions
- Is susceptible to password guessing. Solution: OS
- Data not in tickets are not encrypted. Solution: ensure network traffic is encrypted
- Short keys can be susceptible to brute-force attacks. Solution: enforce long keys by policy and configuration
- Kerberos requires all server and client clocks to be synchronized. Solution: normal network administration
IAAA - Authorization - Security Domains
- Definition: Logical groupings of resources that are managed by the same security policy and the same group who manages them (The same “security umbrella”)
- Usually segmented by the level of trust that subjects within that domain need
- Often arranged hierarchically
IAAA - Federation - Introduction
- Federated Identity: Portable identity (along with any access rights) that can be used across organizational boundaries
- Different than SSO, which is constrained to be used within an organization’s own boundaries
- Requires two organizations to enter into a partnership to share information in real-time
- Web portal:
- Made up of portlets: Browser-based plug-ins that are self-contained buckets of functionality usually served up by different organizations
- For all of the portlets to work correctly, they must all share the identity of the authenticated user and there must be a high level of trust between all owners of the portlets
IAAA - Federation - Access Control and Markup Languages: GML/SGML/HTML/XML
- Generalized Markup Language (GML): Back in the 80’s
- Standard Generalized Markup Language (SGML): Created from GML
- Hypertext Markup Language (HTML): The standard on which all browsers operate
- Extensible Markup Language (XML): Later gathered together all of the previous ones
IAAA - Federation - Access Control and Markup Languages: SPML/SAML/XACML
- Service Provisioning Markup Language (SPML):
- Provides a vehicle for automated configuration of users and entitlements
- 3 main entities
- Requesting Authority (RA): Software sending a change request to a PSP
- Provisioning Service Provider (PSP): Software that will validate and distribute the change request to one or more PSTs
- Provisioning Service Target (PST): The system acting on the change request
- Security Assertion Markup Language (SAML): If a user wants to authenticate with Party 1 using Party 2’s credentials, SAML is used to carry out this request using the browser as the middle man
- Extensible Access Control Markup Language (XACML): Standardized way of communicating access rights and security policies
IAAA - Federation - Access Control and Markup Languages: Web Services / SOA
- Web Services:
- Services only accessible over the web
- Can be used by SAML and XACML
- Primary technologies
- Representative State Transfer (REST)
- Very simple format
- Low overhead
- Low security
- Simple Object Access Protocol (SOAP)
- Heavy format
- Considerable security built-in
- Service Oriented Approach (SOA): Pattern for creating independent services across business domains that can work together
IAAA - Federation - Access Control and Markup Languages: How does SAML, HTTP and SOAP/REST work together?
SAML is wrapped in SOAP/REST, which is transmitted over HTTP
IAAA - Federation - OpenID
- Similar communication method to SAML
- 3 entities
- End User
- Resource Party
- OpenID Provider
- Example
- Facebook based authentication to web sites
- Facebook: OpenID Provider
- You: The end user
- The site: Resource Party
IAAA - Federation - OAuth
- OAuth
- Works with OpenID
- Provides OpenID Authorization mechanisms
- OAuth2
- Replaces OpenID
- Provides Authentication and Authorization
IAAA - Identity Services
- Identity as a Service (IaaS)
- Offers: SSO, Federated IdM, Password-management services
- Drawbacks:
- The provider may not be able to meet all regulatory requirements. Some regulated industries may be non-compliant
- IdM: Among the most sensitive data a company maintains. This model moves this info out of the company’s control
- Integration of legacy applications: Not always straightforward or possible
- Objectives
- Connectivity
- All connection points must be encrypted and monitored via IDS/IPS
- Only IdM traffic should pass through these connection points
- Firewalls and PKI must be properly configured
- Incremental Rollout
- Implement a portion and test before continuing
- This will uncover unforeseen issues and help isolate where a problem is occurring
Access Control Models - Definition
Defines rules and how they are applied to subjects and objects
Access Control Models - Discretionary Access Control (DAC) - Introduction
- You can adjust access at your own discretion
- Allows each user to control access to anything that user owns
- Rights can be given to either named users or groups
- Very flexible and not very secure
- Most common desktop OSs use it
Access Control Models - Discretionary Access Control (DAC) - Access Control Lists (ACLs)
- Foundational part of a DAC
- An ACL for an object contains
- A list of subjects who may access the object
- The permissions available for that subject
- Inheritance
- An ACL for a parent is automatically applied to children as they are added
- Can be overridden. It’s commonly not, though
Access Control Models - Mandatory Access Control (MAC) - Introduction
aka Nondiscretionary Access Control (NDAC)
Users have absolutely no ability to change the level of access granted to other users
Commonplace in government systems
Access Control Models - Mandatory Access Control (MAC)
- Security Label
- Attached to every subject and object
- Contains:
- A single classification (clearance level)
- One or more categories
- Classifications
- Hierarchical
- The level above is more trusted than the level below
- Multilevel Security System (MLS)
- Allows a subject to access an object at a different classification
- A subject can access an object if the subject’s security clearance dominates the object’s classification
- Examples
- SELinux
- Trusted Solaris
Access Control Models - Role-Based Access Control - Introduction
- Middle ground between DAC and MAC
- Takes away ACLs
- Only allows centrally managed groups
- Role
- Task within the organization
- Users are assigned a role
- Rights are assigned directly to a role
Access Control Models - Role-Based Access Control - RBAC components
- Core RBAC
- When a user logs in
- Gathers all possible roles and the permissions granted via those roles and makes them available for access decisions
- Hierarchical RBAC
- Allows the administrator to model the roles based on the actual organizational structure
- Benefit: Makes management even easier with inheritance
- Flavors:
- Limited hierarchies: Inheritance only once
- General hierarchies: Inheritance is allowed for multiple levels simultaneously
Access Control Models - Role-Based Access Control - Separation of Duties
- Important security tool to prevent fraud
- Hierarchical RBAC can help
- Static separation of duty (SSD): Constrains the combination of privileges
- Dynamic separation of duty (DSD): Constrains the combination of privileges that can be active within the same session
Access Control Models - Role-Based Access Control - RBAC management
- Non-RBAC
- No roles
- Users: Mapped directly to applications
- Limited RBAC
- Roles + No roles
- Users: Mapped to multiple roles as well as being mapped to applications that do not have role-based support
- Hybrid RBAC
- Pseudo Roles
- Users: Mapped to roles for multiple applications with only selected rights assigned
- Full RBAC
- Enterprise roles
- Users: Mapped to enterprise roles
Access Control Models - Rule-Based Role-Based Access Control (RB-RBAC)
- Built right on top of RBAC
- Extends its capabilities to include if…then coding
- Anti-spam and firewall filters operate using rule-based decisions every day
Access Control Techniques and Technologies - Constrained User Interface
- The user interface that can limit a user’s ability to access data or functionality
- Primary methods
- Menus: Limit the options the user can choose from
- Shells: Limit the commands available on a shell
- Database views: Limit the data that can be viewed by creating a virtual view of the data
- Physical constraints: Limit the physical controls the user can access such as keys or touch-screen buttons
Access Control Techniques and Technologies - Access Control Matrix
- Table of subjects and objects on opposite axis
- The intersection of each row and column dictates the level of access a subject has to the object
- Normally used with DAC systems
- Matrix types
- Capability Table
- Specifies the rights a subject has to a specific object
- A capability can take the form of a token, ticket or key
- Used by Kerberos
- ACL: For a given object, a list of all subjects and their corresponding rights
Access Control Techniques and Technologies - Content-Based Access Control
- Control access based on the content of an object
- Drawback: The technique has no context on which to base decisions
- Examples
- E-mail filters
- Web filters
Access Control Techniques and Technologies - Context-Based Access Control
- Is able to dig deeper to understand the context in which information is being used
- Stateful firewalls use this technique to determine if a SYN attack is underway
Access Control Administration - Centralized Access Control Administration - Introduction
Requires that a single individual or department controls all access to resources
Access Control Administration - Centralized Access Control Administration - Remote Authentication Dial-In User Service (RADIUS) - Introduction
- Well-established network protocol
- Provides authentication and authorization services to remote clients
- Normally used in conjunction with an access server that communicates directly with a client desiring remote connectivity
Access Control Administration - Centralized Access Control Administration - Remote Authentication Dial-In User Service (RADIUS) - Radius process
1) The remote client contacts the access server via PPP and provides credentials
2) The access server forwards the credentials to the RADIUS server using the RADIUS protocol
3) After the RADIUS server authenticates and authorizes the client, the access server assigns an IP address to the client
Access Control Administration - Centralized Access Control Administration - Remote Authentication Dial-In User Service (RADIUS) - Design limitations
- Uses UDP for communication: It must contain a considerable amount of overhead to ensure proper delivery of data over a connectionless protocol
- Encryption:
- RADIUS encrypts passwords between AS and server
- All other data is sent in clear text: Invitation to replay attacks
- Only the PPP protocol is supported
- It’s implemented in a client/server architecture: Only the client can initiate communication
- Does not support a very large number of AVPs (Attribute Value Pairs): It’s not useful for very granular rights
Access Control Administration - Centralized Access Control Administration - Terminal Access Controller Access Control System (TACACS)
Doesn’t address the issues that RADIUS has
Access Control Administration - Centralized Access Control Administration - Extended TACACS (XTACACS)
Separates authentication and authorization steps: Better than TACACS and RADIUS
Access Control Administration - Centralized Access Control Administration - TACACS+
- Not backwards compatible with TACACS or XTACACS
- Advantages
- Uses TCP instead of UDP
- Encryption: Everything is encrypted, not just the password
- Supports a very large number of AVPs: Very granular rights are possible
- Supports not only PPP but also AppleTalk, NetBIOS, IPX…
- Supports
- 2-factor authentication
- One-time (dynamic) passwords
- Design limitations: Implemented in a client/server architecture. Same as TACACS and XTACACS
Access Control Administration - Centralized Access Control Administration - Diameter - Introduction
- Meant to replace RADIUS
- Has all of the advantages of TACACS+
- Based on a peer-to-peer model
- Provides upgrade path for RADIUS and TACACS+
- Adds error handling: Much better stability
Access Control Administration - Centralized Access Control Administration - Diameter - Main components
- Base protocol
- Secure communication between Diameter entities
- Feature discovery
- Version negotiation
- Header formats
- Security options
- A list of commands
- A large number of AVPs
- Extensions
- Authentication
- PAP, CHAP, EAP
- End-to-end encryption
- Replay attack protection
- Authorization
- Supports redirects, secure proxies, relays, and brokers
- Reauthorization on-demand
- Unsolicited disconnects
- State reconciliation
- Auditing
- Reporting, roaming operations (ROAMOPS) accounting, monitoring
Access Control Administration - Centralized Access Control Administration - Mobile IP
- Technology that allows a mobile device to move from network to network without changing its IP address
- Supported by assigning a quasi-permanent home IP address to the mobile device that all traffic can be sent to
- The Mobile IP server tracks the current address of the mobile device, called the care-of address, and forwards all traffic sent to the home IP address to the care-of address in real-time
Access Control Administration - Decentralized Access Control Administration
- Introduction
- Data owners: Take care of managing access to data
- I own some data, so shouldn’t I know best who has need to access the data?
- Advantage: Removes potential bottlenecks and bureaucracy
- Disadvantage: For larger organizations, significantly increases the likelihood that employees will gain unneeded access
Access Control Methods - Administrative Controls - Introduction
- Senior management
- Responsible for providing the security goals
- But delegates the actual implementation
- Indicate the personnel controls that should be used
- Specify how testing of the controls is to be carried out
Access Control Methods - Administrative Controls - Policies and procedures
- Existence of appropriate policies and procedures
- Well-documented
- Kept up-to-date
Access Control Methods - Administrative Controls - Personnel controls
- Covers the hiring, promotion, move, suspension, and termination of employees
- Addresses
- How employees should interact with the various security mechanisms
- What will happen if an employee does not follow the policies
Access Control Methods - Administrative Controls - Supervisory controls
- Ensures
- Every employee has a supervisor
- That the supervisor is responsible for the employee’s actions
Access Control Methods - Administrative Controls - Security-awareness training
- People are the weakest link
- So employees need to understand
- The proper use of security controls
- Why they exist
- The consequences of bypassing them
Access Control Methods - Administrative Controls - Testing
- Defines how often periodic testing will be carried out
- Examples
- Drills
- Physical disruptions
- Pentesting
- Quizzing employees to vet policy knowledge
- Required review of procedures to ensure relevancy
Access Control Methods - Physical Controls - Network Segregation
Require all hardware to be placed in restricted areas behind secured doors, normally requiring access cards
Access Control Methods - Physical Controls - Perimeter Security
- Protects
- Individuals
- Facilities
- Components inside the facilities
- Requiring
- Identification badges
- CCTV
- Fences
- Deterrent lighting
- Motion detectors
- Window and door sensors
- Alarms
- Indirect deterrents: Location and appearance of a building
Access Control Methods - Physical Controls - Computer Controls
- Protects computer hardware
- Providing cover locks
- Removal of USB and optical drives to prevent unauthorized copying
- Dampening of electrical emissions to prevent wireless eavesdropping
Access Control Methods - Physical Controls - Work Area Separation
Restricting physical access to a walled-off area to only a few authorized people
Access Control Methods - Physical Controls - Data Backups
Providing a secure method for the transfer and storage of data backups
Access Control Methods - Physical Controls - Cabling
- Properly shielded: To prevent emissions and crosstalk
- Concealed: To prevent tampering and physical damage
Access Control Methods - Physical Controls - Control Zones
Division of the physical facility into security zones with applicable access controls
Access Control Methods - Technical Controls - Introduction
- May have a hardware component
- Always have a software component
- Ensure CIA
Access Control Methods - Technical Controls - System Access
- Access control models
- Username/password mechanisms
- Kerberos implementations
- Biometrics devices
- PKI
- RADIUS/TACACS/Diameter servers
Access Control Methods - Technical Controls - Network Architecture
- Logically separating network components by using
- Subnets
- VLANs
- DMZs
- Implementing IDS/IPS
Access Control Methods - Technical Controls - Network Access
- Methods implemented in
- Routers
- Switches
- Firewalls
- Gateways
Access Control Methods - Technical Controls - Encryption and Protocols
- Preserve
- Confidentiality
- Integrity
- Enforce specific paths for communication
Access Control Methods - Technical Controls - Auditing
- Tracking activity within
- Network
- Network device
- Computer
- Used to point out weaknesses to be fixed
Accountability - Definition
Result of implementing audit tracking
Accountability - Functions
- Detect intrusions
- Track unauthorized activities back to the user
- Reconstruct events and system conditions
- Create problem reports
- Provide material for legal actions
Accountability - Auditing Data Points
- User Actions
- Logon attempts
- Security violations
- Resources and services used
- Commands executed
- Application Events
- Error messages
- Files modified
- Security violations
- System Activities
- Performance
- Logon attempts (ID, date/time)
- Lockouts of users and terminals
- Use of utilities
- Files altered
- Peripherals accessed
Accountability - Availability standpoint
- Monitor the health of a system or application
- Reconstruct events that lead to a system crash
Accountability - Security perspective
- Alert the administrator to suspicious activities to be investigated at a later time
- After an attack has occurred
- How long/far an attack went on
- What damage may have been done
Accountability - Protective Measures for Log Files
- What we are protecting against: Log scrubbing
- Last step of carrying out an intrusion
- The attacker will try and remove any information from log files that will alert an administrator to his presence or activity
- Store on a remote host
- No one should be able to view, modify or delete log files except for an administrator
- Integrity must be ensured by using digital signatures, hashing and implementing proper access controls
- Loss of the data must be prevented by secure storage and committing to write-once media (such as CD-ROM)
- Any unauthorized attempt to access logs should be captured and reported
- A chain of custody should be securely stored to prove who had access to audit logs and when for legal reasons
- Implement simplex communication: Severing the “receive” pairs in an Ethernet cable to force one-way communication only to prevent retrieval of log information by the source who is writing the data
- Replicate log files to ensure a backup in case of deletion of the primary copy
- Implement cryptographic hash chaining: Each log entry contains the hash of the previous entry, allowing the removal or modification of previous entries to become detectable
Accountability - Clipping
- Applying the proper level of filtering, such that only important details are logged
- Reduces the impact of logging on system/application performance
- Keeps log file sizes down
Accountability - Log Reviews
- Event Oriented: Results from a disruption or security breach
- Audit Trails: Periodic reviews to detect unusual behavior from users, applications or systems
- Real-Time Analysis: An automated system correlates logs from various systems
- Audit-Reduction Tool:
- Discards irrelevant data to make reviews easier
- Security Information and Event Management (SIEM): To automate the sifting and correlation of all logs
- Situational awareness
- Ability to make sense of the current state in spite of a large number of data points and complex relationships
- Result of correct usage of a SIEM
Accountability - Keystroke Monitoring
- Captures each keystroke and records the resulting characters in a file
- Unusual
- Done in case an employee is suspected of wrong-doing
- Usually done with care: It can constitute a violation of an employee’s privacy if it has not been clearly spelled out in some type of employee training or an on-screen banner that monitoring of this type may take place
- Attackers use this technique to capture credentials: Usually through a trojan horse
Implementing Access Control - “Must Do” Items
- Ensure that access criteria are well-defined and strict
- Enforce need-to-know and least-privilege patterns
- Reduce and monitor any type of unlimited access
- Look for and remove redundant access rules, user accounts and roles
- Audit user, application and system logs on a recurring basis
- Protect audit logs properly
- Only known and non-anonymous accounts should be given access
- Limit and monitor usage by highly-privileged accounts
- Enforce lockouts after unsuccessful login attempts
- Never leave default passwords
- Make sure that passwords are required to be changed periodically, only strong passwords are allowed, are not shared and are always encrypted both in-transit and at-rest
- Ensure that accounts that are no longer needed are removed after an employee leaves
- Suspend inactive accounts after 30 to 60 days
- Disable ports, features and services that are not absolutely required
Implementing Access Control - Common Attacks
- Social engineering
- Covert channels
- Malicious code
- Sniffing (wired, wireless)
- Object reuse (not properly erasing previous contents)
- Capturing electromagnetic emissions
Implementing Access Control - TEMPEST
- Standard created by DoD to combat the capturing of electromagnetic emissions
- Limits electrical emissions by wrapping the product in a metal shield called a Faraday cage
- Very expensive process
Implementing Access Control - Alternatives to TEMPEST
- White Noise
- Random electrical signals are created across the entire communication band
- An attacker is unable to distinguish valid signals from the background noise
- Control Zones: Housing rooms or even buildings in a Faraday cage
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Introduction
- Detects intrusion attempts, which are the unauthorized use of, or attack upon, a network or devices attached to the network
- Passive component that does not take any action other than generating alerts
- It looks for passing traffic that is suspicious, or monitors logs in real-time, and any anomalous behavior can trigger an alarm
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Components
- Sensor: Collects information and sends it to the analyzer
- Analyzer: Looks for suspicious activity and sends alerts to the administration interface
- Administration Interface: Processes alerts, which can result in
- Visual message
- Text message
- Phone call
- SNMP alert
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Functions
- Highlight vulnerabilities in a network
- Expose techniques used by an attacker
- Produce evidence for subsequent legal action
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Types of IDSs - Network-based IDS (NIDS) - Definition
Watches network traffic
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Types of IDSs - Network-based IDS (NIDS) - Sensors
- Can be: Hardware devices or software in a server
- Has to have a NIC that is in promiscuous mode
- Sniffs packets as they pass by
- Uses a protocol analyzer: To examine each packet based on the protocol the packet is using
- Switching problem:
- Most networks are switched, so not all traffic can be seen
- To overcome this: Connect to a spanning port in the switch
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Types of IDSs - Network-based IDS (NIDS) - Traffic collection
- Sometimes: NIDS can be self-contained within a firewall or other dedicated device
- Normally: Distributed solution with various sensors scattered across the network at strategic points
- Good practices
- A sensor in the DMZ
- A sensor inside of the intranet
- Sensors in sensitive entry points, such as a wireless AP connection
- Resource requirements
- Depends on how deep a sensor digs into each passing packet
- Good idea:
- Place multiple sensors in each location
- Each sensor analyzing packets for a subset of signatures or patterns
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Types of IDSs - Host-based IDS (HIDS)
- Definition: Can see anything that goes on inside of an operating system running on a “host” computer
- High cost: Normally only installed in servers
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Types of IDSs - Application-based IDSs (AIDSs)
- Have very intimate knowledge of the inner-workings of a given application
- Are useful if the application uses encryption that would hide activity from NIDS or HIDS
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Signature-Based - Introduction
- aka Knowledge-Based or Pattern-Matching
- Most popular detection type
- Requires that its “signatures” be constantly updated in order to remain effective
- Cannot detect “zero-day” attacks
- Compares traffic patterns in real-time to a list of patterns known to represent an attack
- If a match is found it will generate an alert
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Signature-Based - Upside/Downside
- Upside: Very low false-positive rate
- Downside: High false-negative rate
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Signature-Based - Attacks it can detect
- Land attack: Source and destination IP addresses are the same
- Xmas attack: Sets all TCP header flags to 1
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Signature-Based - Stateful Matching
- Monitors the contents of memory on a host
- Take continuous snapshots, called a state, of the contents of volatile and non-volatile memory within a host and compare it with the last captured state
- The difference between the two states is then compared to a database and if the changes match a pattern, an alert is generated
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Anomaly-Based - Introduction
- When an anomaly-based IDS is first installed, it is put into a learning mode for a while, where it watches all traffic passing by and assumes the traffic is “normal”
- It then creates a database of these normal traffic patterns, and when it is taken out of learning mode, it will alert if the network traffic deviates from this baseline
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Anomaly-Based - Upside/Downside
Advantage: It can detect new attacks
Disadvantage: Any alert requires a very skilled engineer to analyze the data to determine if the anomaly is indeed an attack
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Anomaly-Based - Statistical algorithm
- When the IDS detects patterns outside of the norm
- It will assign a degree of irregularity to the pattern and continue to monitor it
- If the pattern continues the assigned degree increases to the point at which it passes a given threshold, resulting in an alert
- Because of this algorithm, anomaly-based IDSs can detect attacks that are designed to fly under the radar to avoid attention
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Anomaly-Based - False positives / False negatives
- High number of false positives
- Low number of false-negatives
- Fine tuning the threshold is important to achieve a reliable ratio
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Anomaly-Based - Additional filters - Protocol Anomaly-Based
- Understands the various protocols passing by: Allowing it to dig a little deeper and add some context to patterns
- This is a very useful filter because most attacks happen at the protocol level
- Attacks it can detect
- ARP poisoning:
- Data Link Layer attack
- A rogue client pretends to own an IP it does not
- Loki attacks
- Network Layer attack
- ICMP packets are used to hide data
- Session Hijacking
- Transport Layer attack
- An attacker uses sequence numbers to jump in and take over a socket connection
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Anomaly-Based - Additional filters - Traffic Anomaly-Based
- Watches for changes in relative patterns: Looks for otherwise acceptable patterns that do not match the normal frequency or time range
- Examples
- Notices login activity in the middle of the night and generates an alert that would be ignored in the middle of a weekday
- Notices a significant increase in traffic that is considered to be normal, but decides that a DoS attack is underway
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Detection types - Rule-Based
- aka Heuristic-Based IDS
- It’s an expert system
- Components:
- Facts: Data that comes in from a sensor or system that is being monitored
- Knowledge Base: If…then rules that analyze facts and take action
- Inference Engine: Uses artificial intelligence to infer relationships
- Advantage: Improved levels of false-positives and false-negatives
- Disadvantages:
- Cannot detect new attacks
- If the rules are overly complex: Excessive resource consumption
Monitoring and Reacting to Access Control - Intrusion Detection System (IDS) - Attacker tactics
- Identify which IDS is in use and adapt to avoid discovery
- Flood the network with bogus data to distract the IDS
Monitoring and Reacting to Access Control - Antimalware behavior blocking
- Vendors allow malicious software to execute on a host and then gather the changes that were made to the system
- Antimalware systems then can use this behavior to detect malicious activity
Monitoring and Reacting to Access Control - Intrusion Prevention System (IPS)
It’s an IDS with a reactive behavior
Monitoring and Reacting to Access Control - Honeypot
- Introduction
- A server that has purposefully been left vulnerable
- Contains no data or services that are of value to the company
- Not connected to any other systems except for the ability to let a network administrator know that it is being attacked
- Reasons to use it
- It distracts the attacker so that our real systems are left alone
- It allows us to study the attack in real-time so that we can harden other areas on-the-fly based on the activities
- It gives us time to discover the identity of the attacker
- We can collect evidence from the attack for subsequent legal action
- Entrapment
- Tricking an attacker to encourage him to make the attack
- It’s illegal
- Enticement
- Redirecting the efforts of an attacker who has already decided to carry out the attack
- It’s OK
Threats to Access Control - Dictionary Attack
- Definition
- Carried out by a program that is fed a list of commonly used words or combinations of characters
- The program will iterate through all possible combinations and attempt to guess the password
- Countermeasures
- Perform dictionary attacks to find weak passwords, and force the user to change them
- Require strong passwords
- Require passwords to be changed frequently
- For attacks against a user interface
- Use lockout thresholds
- Use one-time password tokens
- Use an IDS to detect this type of activity
- For attacks directly against a file
- Never store passwords in clear text
- Protect password files
Threats to Access Control - Brute-Force Attack
- Definition
- aka Exhaustive attack
- Iterates through every possible character combination until a match is found
- Guaranteed to be 100% successful (With time)
- Countermeasures: Same as Dictionary
Threats to Access Control - War-Dialing
- Automatically dialing through a list of phone numbers until a modem answers
- Countermeasures
- Perform brute-force attacks against all company phone number ranges to find hanging modems
- Make sure only necessary phone numbers are public
Threats to Access Control - Hybrid Attack
- Combination of dictionary and brute-force attacks
- Dictionary attack is used to discover at least a part of the password
- Then a brute-force attack is used to discover the remaining portion
Threats to Access Control - Rainbow Attack
- Can be dictionary or brute-force
- The hashes for all relevant values are pre-computed into a “rainbow table”
- Only useful against files
- User interface will be the limiting factor
Threats to Access Control - Spoofing at Logon
- Requires a malicious program to be installed on a workstation or server
- When the user attempts to log in, the malicious program prompts for credentials instead of the OS logon screen
- The malicious program claims that the credentials were invalid and immediately hands control over to the OS
- End result: The user never realizes that credentials were just stolen