Week 4: Overview of Security Concepts Flashcards
Access Control refers to
any hardware, software, or organizational/administrative policy or procedure that
grants or restricts access
monitors and records attempts to access
identifies users attempting to access
The transfer of information from an object to a subject is called
access
subject
The subject (e.g. a user or process) is the active element
object
The object (e.g. a database or file) is the passive element
These three essential security principles are known as the
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Confidentiality ensures that only authorized subjects can access objects
Integrity
Integrity ensures that unauthorized or unwanted changes to objects are denied
Availability
Availability ensures that authorized requests for objects are granted as quickly as system and network parameters allow
The term access control describes
The term access control describes a broad range of controls used to enforce these security principles (CIA)
Access controls can be divided into the following seven categories of function or purpose
- Preventive
- Deterrent
- Detective
- Corrective
- Recovery
- Compensation
- Directive
preventive access control
stop unwanted or unauthorized activity from occurring
Examples of preventive access controls include
- fences and locks
- separation of duties and job rotation
- data classification
deterrent access control
A deterrent access control is deployed to discourage violation of security policies
A deterrent implies certain consequences in the event of an attempted or successful violation
Examples of deterrent access controls include
security guards & security cameras
trespass or intrusion alarms
detective access control
A detective access control is deployed to discover unwanted or unauthorized activity
Often detective controls operate after the fact
Examples of detective access controls include
- security guards and guard dogs
- motion detectors
- review of recordings captured by security cameras
- audit trails
- honeypots or honeynets
- intrusion detection systems
- incident investigations
corrective access control
A corrective access control is deployed to restore systems after an unwanted or unauthorized activity has occurred
Usually corrective controls have only minimal capability to respond to access violations
Examples of corrective access controls include
antivirus solutions
terminating access
recovery access control
A recovery access control is deployed to repair or restore functions and capabilities after a violation of security policies
Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls
Examples of recovery access controls include
backups and restores
fault-tolerant systems
compensation access control
A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy
Examples of compensation access controls include
personnel supervision, monitoring, and work task procedures
Can also include controls used instead of more desirable controls
For example, if a guard dog cannot be deployed due to proximity to residential areas, a motion detector with a spotlight and a barking sound playback device can be used
directive access control
A directive access control is deployed to direct or control the actions of subjects to force or encourage compliance with security policies
Examples of directive access controls include
security guards and posted notifications
Types of Access Control Implementation
Administrative access controls
Logical/technical access controls
Physical access controls
Administrative access controls
The procedures defined by an organization’s security policy to implement and enforce overall access control
Hiring practices, background checks, and security training
Data classification
Logical/technical access controls
The hardware or software mechanisms used to manage access to resources and systems
Intrusion detection systems
Encryption, smart cards, passwords, and biometrics
Physical access controls
The physical barriers deployed to prevent direct contact with systems or areas within a facility
Guards, fences and locks
Several steps lead up to the ability to hold a person accountable for online actions
1. Identification
2. Authentication
3. Authorization
4. Auditing
5. Accountability / Monitoring
Identification
Identification is the process by which a subject professes an identity
A user provides a username, a logon ID, a personal identification number (PIN), or a smart card to represent an identification process
Providing a process ID number also represents an identification process
Once a subject has identified itself, the claimed identity becomes accountable for any further actions undertaken by that subject
IT systems track activity by identities, not by subjects themselves
Authentication
Authentication is the process of verifying that a claimed identity is valid
Requires that a subject provide additional information that must correspond exactly to the identity professed
Three factors of authentication
Type 1. Something you know: any string of characters you have memorized and can reproduce on a keyboard when prompted
passwords, PINs, lock combinations, passphrases
Type 2. Something you have: a physical device that you possess and must have on your person at the time of authentication
smart cards, tokens, memory cards, physical location
Type 3: Something you are (biometrics): a physical characteristic of your person
fingerprints, iris patterns, hand geometry, writing a signature
Strong authentication requires
two or more factors
When two of the same factors are used together, the system is no more secure than it would be if just one factor was used, as a single type of attack could compromise both instances
Authorization
The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity
access control matrix
For authorization: In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity
Auditing
Auditing is the process by which online activities of user accounts and processes are tracked and recorded
Auditing produces audit trails, which can be used to reconstruct events and to verify whether a security policy was violated
NIST Audit Documents
Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)
Minimum Security Requirements for Multi-User Operating Systems (NIST IR 5153)
Requirements for audit data recording
Create, retain, and protect audit records to the extent needed to enable the monitoring, investigation, and reporting of unlawful, unauthorized, or inappropriate activity
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions
A subject must provide an ___ to a system to start the authentication process
identity
A subject’s identity is typically considered public information
Authentication verifies the ____ of the subject by comparing one or more factors against a database of valid identities
identity
Authentication factors are typically considered private information
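The identification, authentication, authorization and auditing chain above, as an added example (not from the original flashcards): a tiny login flow in which the username is public, the stored PBKDF2 verifier is the private factor, authorization consults an access control matrix keyed on (subject, object), and every attempt, successful or not, lands in an audit trail. The identity store, the matrix and the salts are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed identity store: username -> (salt, PBKDF2-SHA256 hash of the password).
# The identity itself is public; the stored verifier is the private authentication factor.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
_SALT_BOB = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed
IDENTITIES = {
    "alice": (_SALT_ALICE, _hash_password("correct horse battery", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash_password("hunter2", _SALT_BOB)),
}

# Access control matrix: (subject, object) -> set of permitted actions.
# A missing cell means no access (default deny).
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "wiki"): {"read", "write"},
}

AUDIT_TRAIL: list[dict] = []   # one record per attempt, whatever the outcome

def _audit(**record):
    record["ts"] = time.time()
    AUDIT_TRAIL.append(record)

def identify(username: str) -> bool:
    """Identification: does the professed identity exist at all?"""
    return username in IDENTITIES

def authenticate(username: str, password: str) -> bool:
    """Authentication: does the supplied Type 1 factor match the stored verifier?"""
    salt, expected = IDENTITIES[username]
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(_hash_password(password, salt), expected)

def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: look up subject, object and intended activity in the matrix."""
    return action in MATRIX.get((username, obj), set())

def access(username: str, password: str, obj: str, action: str) -> str:
    """Run the full chain and write an audit record for every outcome."""
    if not identify(username):
        _audit(subject=username, obj=obj, action=action, outcome="unknown-identity")
        return "unknown-identity"
    if not authenticate(username, password):
        _audit(subject=username, obj=obj, action=action, outcome="auth-failed")
        return "auth-failed"
    outcome = "granted" if authorize(username, obj, action) else "denied"
    _audit(subject=username, obj=obj, action=action, outcome=outcome)
    return outcome

if __name__ == "__main__":
    print(access("alice", "correct horse battery", "payroll.db", "write"))
    print(access("bob", "hunter2", "payroll.db", "write"))
    print(access("mallory", "x", "payroll.db", "read"))
    for rec in AUDIT_TRAIL:
        print(rec)
```

Note that failed attempts are audited too: the accountability step depends on recording the unknown identities and bad passwords, not only the successes.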
Passwords
The most common, but weakest, authentication technique
Password types
Static vs. dynamic
- Static passwords always remain the same
- Dynamic passwords change after a specified interval of time or use
One-time or single-use passwords
Passphrases
Cognitive passwords (security questions)
One-time or single-use passwords
Dynamic passwords that change every time they are used
Passphrases
Strings of characters usually much longer than a password
Cognitive passwords (security questions)
Questions about facts that only a subject should know
Password Security
Never allow clear text transmission
Use strong one-way storage (i.e. hashing)
Password audit your own systems
-Use password verification and password-cracking tools against your own password file and require that discovered passwords be changed
Disable inactive accounts, delete old ones
Train users
-Protects from social engineering attacks
Change passwords based on sensitivity of data
Define and enforce a password policy
-Example: Minimum length, three or four character types
-Protects from brute-force and dictionary attacks
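Two of the password security items above (enforce a policy; audit your own password file with a cracking tool) as an added example, not from the original flashcards. The "password file" is a constructed dictionary of salted PBKDF2 hashes and the wordlist is a constructed stand-in for a real cracking dictionary. Per-user salts mean each account has to be attacked separately, which is why the one-way storage item matters.

```python
import hashlib
import hmac
import re

ITERATIONS = 100_000

def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Policy check: minimum length and at least `min_classes` of four character classes."""
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return len(password) >= min_length and sum(1 for c in classes if c) >= min_classes

def hash_password(password: str, salt: bytes) -> bytes:
    """Strong one-way storage: salted, iterated PBKDF2-SHA256 rather than a bare hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed password file: username -> (salt, hash).
STORE = {
    "alice": (b"salt-alice-0001", hash_password("Tr0ub4dor&3xyz!", b"salt-alice-0001")),
    "bob":   (b"salt-bob-000002", hash_password("Password1", b"salt-bob-000002")),
    "carol": (b"salt-carol-0003", hash_password("summer2024", b"salt-carol-0003")),
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "Password1", "letmein", "summer2024", "qwerty123"]

def audit_passwords(store: dict, wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary audit of our own file: returns {user: recovered password}."""
    cracked = {}
    for user, (salt, stored) in store.items():
        for guess in wordlist:
            # the salt forces a fresh PBKDF2 run per user per guess: no shared rainbow table
            if hmac.compare_digest(hash_password(guess, salt), stored):
                cracked[user] = guess
                break
    return cracked

if __name__ == "__main__":
    for user, pw in audit_passwords(STORE, WORDLIST).items():
        print(f"{user}: '{pw}' is in the wordlist; passes policy={meets_policy(pw)}; force a change")
```

Both recovered passwords also fail the policy, which is the usual finding: an enforced policy would have blocked them before they reached the file.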
biometric factor
A biometric factor is a behavioral or physiological characteristic that is unique to a subject
Biometric factors can be used both as an identification and an authentication technique
Tokens
Type 2 Factor
Tokens(or smart tokens) are password-generating devices that subjects must carry with them
Static Tokens
swipe card, a smart card, or a USB RAM dongle
Synchronous dynamic password tokens
Generate passwords at fixed time intervals. Require synchronizing the clock on an authentication server with the clock on the token device
Asynchronous dynamic password tokens
Generate passwords based on occurrence of some event
Challenge-response tokens
Generate passwords based on instructions (challenges) from the authentication system
Single sign-on (SSO)
Single sign-on (SSO) is a mechanism that allows a subject to be authenticated only once on a system yet remain able to access multiple resources without repeated authentication prompts
Examples of SSO mechanisms
- Kerberos
- SESAME
- KryptoKnight
- Directory services
Kerberos
Relies on symmetric-key (secret-key) cryptography; current Kerberos 5 deployments use AES (RFC 3962), older ones used DES
Provides end-to-end protection of authentication traffic between clients and the key distribution center (KDC); the password itself is never sent over the network
Relies on a trusted server hosting the functions of the KDC, a ticket-granting service (TGS), and an authentication service (AS)
An exchange of tickets (encrypted cryptographic messages) between clients, network servers, and the KDC
Kerberos Login Process
- The user types a username and password into the client
- The client derives the user’s long-term key from the password (it never transmits the password) and, with pre-authentication, sends the KDC a timestamp encrypted under that key
- The KDC derives the same key from its stored copy of the user’s credentials and decrypts the timestamp to verify the user
- The KDC generates a ticket granting ticket (TGT), encrypted with the TGS’s own key so that only the KDC can read it, plus a TGT session key encrypted with the user’s key
- The client decrypts the session key with the user’s key and caches the TGT for use until it expires
Kerberos Service Access Process
1. The client sends its TGT back to the KDC, with an authenticator encrypted under the TGT session key, along with a request for access to a server or service
2. The KDC decrypts the TGT with the TGS key and checks the authenticator and the ticket’s validity period
3. A service ticket (ST), encrypted with the target service’s long-term key, is generated and sent to the client together with a new service session key
4. The client sends the ST and a fresh authenticator to the server or service host
5. The server verifies the validity of the ST by decrypting it with its own long-term key; no round trip to the KDC is needed
6. Once the identity is verified, Kerberos activity is complete
–The server or service host then opens a session with the client; what the client may then do is the service’s own authorization decision
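The login and service access processes above, as an added example rather than code from the original flashcards: a single-process simulation of the AS exchange (pre-authentication with an encrypted timestamp), the TGS exchange (TGT decrypted only by the KDC) and the application server accepting a service ticket with its own key and no KDC round trip. Real Kerberos uses an AES profile; the `seal`/`unseal` pair here is a stand-in authenticated encryption built from HMAC-SHA256 (keystream plus encrypt-then-MAC tag) so the example runs with the standard library only. The realm, principals, salt and passwords are constructed.

```python
import hashlib
import hmac
import json
import os
import time

def string_to_key(password: str, salt: bytes) -> bytes:
    """Derive a principal's long-term key from its password (Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Toy authenticated encryption standing in for AES: HMAC-SHA256 keystream, then a tag.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, msg: dict) -> bytes:
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

SALT = b"EXAMPLE.COMalice"      # constructed salt (realm + principal name)
TICKET_LIFE = 8 * 3600

class KDC:
    """Holds every principal's long-term key; runs the AS and TGS functions."""
    def __init__(self, keys: dict):
        self.keys = keys          # principal name -> long-term key; "krbtgt" is the TGS

    def as_exchange(self, user: str, preauth: bytes):
        # Pre-authentication: a timestamp encrypted under the password-derived key.
        # A wrong password gives a wrong key, so unseal() fails. No password is sent.
        ts = unseal(self.keys[user], preauth)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large or replayed pre-auth")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session,
                                         "expires": time.time() + TICKET_LIFE})
        return tgt, seal(self.keys[user], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.keys["krbtgt"], tgt)        # only the KDC can open a TGT
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[service], {"user": t["user"], "session": svc_session,
                                       "expires": time.time() + TICKET_LIFE})
        return st, seal(bytes.fromhex(t["session"]), {"session": svc_session})

class Service:
    """Application server: validates service tickets with its own key, no KDC contact."""
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, st: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, st)
        if time.time() > t["expires"]:
            raise ValueError("service ticket expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        return t["user"]

def client_login_and_access(kdc: KDC, service: Service, user: str, password: str, svc: str) -> str:
    key = string_to_key(password, SALT)
    tgt, enc = kdc.as_exchange(user, seal(key, {"timestamp": time.time()}))
    session = bytes.fromhex(unseal(key, enc)["session"])   # client learns the TGT session key
    st, enc2 = kdc.tgs_exchange(tgt, seal(session, {"user": user, "timestamp": time.time()}), svc)
    svc_session = bytes.fromhex(unseal(session, enc2)["session"])
    return service.accept(st, seal(svc_session, {"user": user, "timestamp": time.time()}))

# Constructed realm: alice's key comes from her password, service keys are random.
KEYS = {"alice": string_to_key("correct horse battery", SALT),
        "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
KDC_INSTANCE = KDC(KEYS)
FILESERVER = Service(KEYS["fileserver"])

if __name__ == "__main__":
    print(client_login_and_access(KDC_INSTANCE, FILESERVER, "alice", "correct horse battery", "fileserver"))
```

The two things worth noticing: the client never hands the KDC its password, only a timestamp encrypted under a key derived from it, and the file server checks the service ticket locally because the ticket was sealed under a key only it and the KDC hold.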
There are two primary categories of access control techniques
Discretionary Access Control (DAC)
Nondiscretionary Access Control
•Mandatory Access Control (MAC)
•Role Based Access Control (RBAC)
•Task Based Access Control (TBAC)
Discretionary Access Controls
Allow the owner or creator of an object to control and define subject access to that object
Access control is based on the discretion (in other words, a decision) of the owner
Access is granted or denied based on the identity of the subject (which is typically the user account name)
Often implemented using access control lists (ACLs)
-Each ACL defines the types of access granted or restricted to individuals or grouped subjects
Nondiscretionary Access Controls
Used in a rule-based system in which a set of rules, restrictions, or filters determines what can and cannot occur on the system
Access is not based on administrator or owner discretion and does not focus on user identity
Rule-based access control systems are more appropriate for environments that experience frequent changes to data permissions
Rule-based systems can implement sweeping changes just by changing centralized rules
Nondiscretionary Access Control Types
–Mandatory Access Control (MAC)
–Role Based Access Control (RBAC)
–Task Based Access Control (TBAC)
Mandatory Access Controls (MAC)
Rely upon the use of classification labels
Subjects are labeled by their level of clearance
Objects are labeled by their level of classification or sensitivity
Classifications within a MAC environment are of three types:
Hierarchical environments relate various classification labels in an ordered structure. Clearance in one level grants the subject access to objects in that level as well as in lower levels
Compartmentalized environments require the subject to have specific clearance for each of its independent security domains
Hybrid environments combine hierarchical and compartmentalized concepts so that each hierarchical level may contain isolated subdivisions
Systems that employ role-based (RBAC) or task-based (TBAC) access controls define a subject’s ability to access an object via
–subject roles (job descriptions)
–tasks(work functions).
Role-based access controls are useful in volatile environments with frequent personnel changes because access does not depend on subject identities
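The three models described above (DAC with owner-managed ACLs, hybrid MAC with hierarchical levels and compartments, and RBAC) as one added example; this is illustrative code, not from the original flashcards. The subjects, labels, roles and ACLs are constructed. The point it makes that the text only states: in a MAC system the owner's discretionary grant cannot override the label check, and the clearance must cover every compartment of the object, not just the level.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # e.g. {"CRYPTO"}; empty for purely hierarchical

    def dominates(self, other: "Label") -> bool:
        """Hybrid MAC: level must be >= and every compartment of `other` must be held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

# Constructed clearances (subjects) and classifications (objects).
CLEARANCES = {
    "alice": Label("secret", frozenset({"CRYPTO"})),
    "bob": Label("top-secret"),              # higher level, but no CRYPTO need-to-know
    "carol": Label("unclassified"),
}
CLASSIFICATIONS = {
    "ops_plan": Label("secret", frozenset({"CRYPTO"})),
    "cafeteria_menu": Label("unclassified"),
}

# RBAC: permissions hang off roles; a personnel change is one assignment edit.
ROLE_PERMS = {
    "analyst": {("ops_plan", "read"), ("cafeteria_menu", "read")},
    "editor": {("cafeteria_menu", "read"), ("cafeteria_menu", "write")},
}
ROLES = {"alice": {"analyst"}, "bob": {"analyst"}, "carol": {"editor"}}

# DAC: the object owner edits the ACL at their own discretion.
OWNERS = {"ops_plan": "alice", "cafeteria_menu": "carol"}
ACLS = {"ops_plan": {"alice": {"read", "write"}, "bob": {"read"}},
        "cafeteria_menu": {"carol": {"read", "write"}, "alice": {"read"}, "bob": {"read"}}}

def dac_grant(owner: str, obj: str, subject: str, action: str) -> None:
    if OWNERS[obj] != owner:
        raise PermissionError(f"{owner} does not own {obj}")
    ACLS[obj].setdefault(subject, set()).add(action)

def mac_allows(subject: str, obj: str, action: str) -> bool:
    clr, cls = CLEARANCES[subject], CLASSIFICATIONS[obj]
    if action == "read":
        return clr.dominates(cls)       # no read up
    return cls.dominates(clr)           # no write down

def dac_allows(subject: str, obj: str, action: str) -> bool:
    return action in ACLS.get(obj, {}).get(subject, set())

def rbac_allows(subject: str, obj: str, action: str) -> bool:
    return any((obj, action) in ROLE_PERMS[r] for r in ROLES.get(subject, ()))

def allowed(subject: str, obj: str, action: str) -> bool:
    """Mandatory policy first; discretionary and role checks can only narrow further."""
    return (mac_allows(subject, obj, action)
            and dac_allows(subject, obj, action)
            and rbac_allows(subject, obj, action))

if __name__ == "__main__":
    print("alice reads ops_plan:", allowed("alice", "ops_plan", "read"))
    print("bob reads ops_plan (no CRYPTO compartment):", allowed("bob", "ops_plan", "read"))
    dac_grant("alice", "ops_plan", "carol", "read")
    print("carol reads ops_plan after owner grant (MAC still denies):", allowed("carol", "ops_plan", "read"))
```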
Access control administration
Access control administrationis the set of tasks and duties assigned to an administratorto manage
Account Administration
–Creating, maintaining, and closing user accounts
Account, Log, and Journal Monitoring
–Monitoring online activities
Access Rights and Permissions
–Assigning access to objects
–Principle of least privilege
user
A user is any subject who accesses objects on a system
owner
An owner is the person who has final responsibility for classifying and protecting objects
custodian
A custodian is a subject who has been assigned the day-to-day responsibility of properly storing and protecting objects
Monitoring
Is a programmatic means by which subjects are held accountable for their actions while authenticated on a system
Is a process by which unauthorized or abnormal activities may be detected on a system
Can help reconstruct events, provide evidence for prosecution, and produce problem reports and analysis
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a tool that automates the inspection of audit logs and real-time system events
–Primarily used to detect intrusion attempts
–Also used to detect system failures
–Watch for violations of confidentiality, integrity, and availability (CIA)
The goal of an IDS is to
–provide perpetrator accountability for intrusion activities
–enable timely and accurate response to intrusions
In general, IDSs can recognize
–attacks that come from external connections (such as the Internet)
–viruses and malicious code
–trusted internal subjects attempting to perform unauthorized activities
–unauthorized access attempts from trusted locations
IDS Event Response
IDSs have only limited capability to stop or prevent attacks
-Typical active responses include blocking ports, protocols, or source addresses, usually by reconfiguring a firewall or router
When an IDS discovers a violation, it records details of the issue and raises an alert; only an inline intrusion prevention system (IPS) can actually discard the malicious packets
An IDS should be considered one of many components that a defense-in-depth approach employs to protect a network
Host-Based IDS (HIDS)
Watches for suspicious activity on a single computer system
Can examine events in much greater detail than a network-based IDS
Network-Based IDS (NIDS)
Watches for suspicious activity occurring on the network medium
A single NIDS can monitor a large network if installed on its backbone
NIDSs are installed onto dedicated single-purpose computers
Knowledge-Based IDS
(or signature-based)
Uses a signature database
Attempts to match all monitored events to signatures in the database
If a match is found, the IDS assumes that an attack is taking place
Effective only against known attack methods
Behavior-Based IDS
(or anomaly detection)
Learns about the normal activities on a system by watching and tracking events
Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities or events
The primary drawback is that it produces many false alarms
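Knowledge-based and behavior-based detection side by side, as an added example that is not part of the original flashcards: both run over constructed web-server log lines. The signature detector only knows the two patterns in its database; the anomaly detector learns a requests-per-minute baseline from a constructed "normal" log and flags clients far above it. The same live log shows each method's blind spot: the anomaly model never sees the two-request injection probe, and it flags a legitimate backup burst as an attack.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log format: "<client_ip> <HH:MM> <method> <path> <status>"
BASELINE = "".join(
    f"10.0.0.{c} 08:{m:02d} GET /index.html 200\n"
    for m in range(10) for c in (5, 7, 8) for _ in range(1 + (m * c) % 4))

LIVE = """\
10.0.0.5 09:00 GET /index.html 200
10.0.0.7 09:00 GET /login 200
10.0.0.9 09:02 GET /download?file=../../etc/passwd 403
10.0.0.9 09:02 GET /search?q=%27%20OR%201%3D1-- 500
10.0.0.5 09:02 GET /contact.html 200
""" + "".join(f"10.0.0.42 09:03 GET /item/{i} 200\n" for i in range(60)) \
    + "".join(f"10.0.0.200 09:04 GET /backup/{i}.tar 200\n" for i in range(20))

# Knowledge-based: the signature database. Only what is written here can be found.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-or-true": re.compile(r"(%27|')\s*(%20|\s)*OR(%20|\s)+1(%3D|=)1", re.IGNORECASE),
}

def parse(log: str):
    for line in log.splitlines():
        ip, minute, method, path, status = line.split()
        yield {"ip": ip, "minute": minute, "method": method, "path": path, "status": int(status)}

def signature_alerts(log: str) -> list[tuple[str, str]]:
    """(client_ip, signature_name) for every event that matches a signature."""
    alerts = []
    for ev in parse(log):
        for name, pat in SIGNATURES.items():
            if pat.search(ev["path"]):
                alerts.append((ev["ip"], name))
    return alerts

def train_baseline(log: str) -> tuple[float, float]:
    """Behavior-based, learning phase: mean and std-dev of requests per client per minute."""
    rates = list(Counter((ev["ip"], ev["minute"]) for ev in parse(log)).values())
    return mean(rates), pstdev(rates)

def anomaly_alerts(log: str, baseline: tuple[float, float], k: float = 3.0) -> list[str]:
    """Detection phase: clients whose per-minute rate exceeds mean + k * std-dev."""
    mu, sigma = baseline
    limit = mu + k * sigma
    counts = Counter((ev["ip"], ev["minute"]) for ev in parse(log))
    return sorted({ip for (ip, _), n in counts.items() if n > limit})

if __name__ == "__main__":
    print("signature hits:", signature_alerts(LIVE))
    base = train_baseline(BASELINE)
    print("baseline mean/std:", base)
    print("anomalous clients:", anomaly_alerts(LIVE, base))
```

10.0.0.9 is caught only by signatures; 10.0.0.42 (a scraper) and 10.0.0.200 (a backup job that is a false alarm) are caught only by the anomaly model.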
Honeypots
Honeypots attract intruders by presenting unpatched and unprotected security vulnerabilities as well as by hosting attractive but faux data
Vulnerability scanners
Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses
A vulnerability scanner is only as useful as its database of security issues
Use of vulnerability scanners in cooperation with IDSs
penetration
A penetration occurs when an attack is successful and an intruder is able to breach the perimeter of a computer system
Penetration testing
Penetration testing is one common method to test the strength of security measures and discover all detectable weaknesses in the security perimeter
Penetration testing should be performed only with the consent and knowledge of management and security staff
–Performing unapproved security testing could
•cause productivity losses
•trigger emergency response teams
•potentially earn jail time
Firewall and where it’s deployed
A firewall is a network device used to filter trafficand is deployed
–between a private network and a link to the Internet
–between departments within an organization
Firewall filters
Firewalls filter traffic based on a set of rules, also called filters or access control lists, distinguishing authorized traffic from unauthorized traffic
Firewall types
Static packet filtering firewall
Application level gateway (proxy) firewall
Circuit level gateway (circuit proxy) firewall
Stateful inspection firewall
Static packet filtering firewall
Filters traffic by examining a message header
Operate at Layer 3
Easily circumvented through spoofing
Application level gateway (proxy) firewall
Filters traffic based on content and address
Each type of application must have its own proxy
Operates at Layer 7
Negatively affects network performance
Circuit level gateway (circuit proxy) firewall
Used to establish communication sessions between trusted partners
Permits or denies forwarding decisions based solely on the endpoint designations of the communication circuit (source and destination addresses and service port numbers)
Operates at Layer 5
Stateful inspection firewall
Filters based on content and context of traffic
Source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets
Operates at Layers 3 and 4
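The difference between the static packet filter and the stateful inspection firewall above, as an added example (illustrative code, not from the original flashcards). Both evaluate the same constructed packets: an outbound HTTPS connection, its genuine reply, a forged "reply" from source port 443 aimed at an inside RDP port, and a packet arriving from outside with an internal source address. The static filter has to admit anything from port 443 to let replies through; the stateful one admits only packets belonging to a flow the inside opened. The interface names and private prefix are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str       # "ext" (Internet side) or "int" (private side) the packet arrived on
    src: str
    dst: str
    proto: str       # "tcp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters: S, A, F, R

INTERNAL = "10.0.0."   # constructed private prefix

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL)

def static_filter(p: Packet) -> bool:
    """Layer 3/4 headers only, no memory of earlier packets."""
    if p.iface == "ext" and is_internal(p.src):
        return False                  # anti-spoofing: internal source cannot arrive from outside
    if p.iface == "int" and p.proto == "tcp" and p.dport == 443:
        return True                   # outbound HTTPS
    if p.iface == "ext" and p.proto == "tcp" and p.sport == 443:
        return True                   # "return traffic", guessed from the header alone
    return False

class StatefulFirewall:
    """Admits inbound packets only when they belong to a connection the inside opened."""
    def __init__(self):
        self.table: set[tuple] = set()   # (int_ip, int_port, ext_ip, ext_port)

    def filter(self, p: Packet) -> bool:
        if p.iface == "ext" and is_internal(p.src):
            return False                 # same anti-spoofing rule
        if p.iface == "int" and p.proto == "tcp" and p.dport == 443:
            if "S" in p.flags:           # new outbound connection: remember it
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return (p.src, p.sport, p.dst, p.dport) in self.table
        if p.iface == "ext" and p.proto == "tcp":
            key = (p.dst, p.dport, p.src, p.sport)   # reverse the tuple for the reply
            if key in self.table:
                if "F" in p.flags or "R" in p.flags:
                    self.table.discard(key)           # connection closing
                return True
        return False

# Constructed traffic.
OUTBOUND_SYN = Packet("int", "10.0.0.5", "203.0.113.10", "tcp", 51234, 443, "S")
LEGIT_REPLY = Packet("ext", "203.0.113.10", "10.0.0.5", "tcp", 443, 51234, "SA")
FORGED_REPLY = Packet("ext", "198.51.100.9", "10.0.0.5", "tcp", 443, 3389, "S")
SPOOFED_INTERNAL = Packet("ext", "10.0.0.99", "10.0.0.5", "tcp", 443, 22, "S")

def compare() -> dict:
    """Returns {name: (static_decision, stateful_decision)} for the packets above, in order."""
    fw = StatefulFirewall()
    results = {}
    for name, p in [("outbound", OUTBOUND_SYN), ("legit_reply", LEGIT_REPLY),
                    ("forged_reply", FORGED_REPLY), ("spoofed_internal", SPOOFED_INTERNAL)]:
        results[name] = (static_filter(p), fw.filter(p))
    return results

if __name__ == "__main__":
    for name, (static_ok, stateful_ok) in compare().items():
        print(f"{name:17} static={static_ok!s:5} stateful={stateful_ok}")
```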
Denial-of-service (DoS)
Denial-of-service (DoS)attacks prevent a system from processing or responding to legitimate traffic or requests
There are several types of DoS flood attacks
- Single-source flood: a single attacking system floods a victim with a steady stream of packets
- Distributed Denial of Service (DDoS): many compromised systems flood the victim at once. DDoS attacks can be mitigated by blocking packets from the compromised systems, but this can also block legitimate traffic because the sources of the flood packets are victims themselves
- Distributed Reflective Denial of Service (DRDoS)
- SYN flood
- Smurf
Distributed Reflective Denial of Service (DRDoS)
DRDoS attacks take advantage of the normal operation of legitimate Internet services that answer requests, such as DNS, NTP, or ICMP echo (the smurf attack is the classic example)
Numerous request packets are sent to many servers/routers with the spoofed source address of the intended victim, which then receives all the response packets; the reflectors hide the attacker and usually amplify the traffic
SYN-Flood
A SYN flood occurs when numerous SYN packets are sent to a server but the sender never replies to the server’s SYN/ACK with the final ACK
The server waits for the client’s ACK, holding open a session and consuming system resources
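The SYN flood mechanism above, as an added example (not from the original flashcards): a classic listener keeps a half-open entry per SYN until the third-packet ACK arrives, so a flood of never-completed handshakes from spoofed sources fills its backlog and a legitimate client's SYN is dropped. The second listener uses SYN cookies, the standard countermeasure: it stores nothing on SYN and instead encodes the connection in the initial sequence number as an HMAC, so only an ACK that echoes a valid cookie gets a connection. The backlog size, the cookie layout and the traffic are constructed.

```python
import hashlib
import hmac
import os
import time

BACKLOG = 64                 # half-open connections the classic listener can hold
SECRET = os.urandom(32)      # server-side cookie secret (rotated periodically in practice)

class Listener:
    """Classic TCP listener: every SYN allocates state until the final ACK arrives."""
    def __init__(self):
        self.half_open: dict[tuple, float] = {}

    def on_syn(self, src: str, sport: int) -> bool:
        if len(self.half_open) >= BACKLOG:
            return False                     # backlog full: SYN dropped, no SYN/ACK sent
        self.half_open[(src, sport)] = time.time()
        return True

    def on_ack(self, src: str, sport: int) -> bool:
        return self.half_open.pop((src, sport), None) is not None

def syn_cookie(src: str, sport: int, minute: int) -> int:
    """32-bit ISN: 8 bits of coarse time, 24 bits of HMAC over the peer and the time."""
    mac = hmac.new(SECRET, f"{src}:{sport}:{minute}".encode(), hashlib.sha256).digest()
    return ((minute & 0xFF) << 24) | (int.from_bytes(mac[:4], "big") & 0x00FFFFFF)

class CookieListener:
    """Stateless listener: nothing stored on SYN; the ACK must echo a valid cookie."""
    def on_syn(self, src: str, sport: int) -> int:
        return syn_cookie(src, sport, int(time.time() // 60))   # ISN carried in the SYN/ACK

    def on_ack(self, src: str, sport: int, echoed_isn: int) -> bool:
        now = int(time.time() // 60)
        # accept cookies minted this minute or the previous one (clock rollover)
        return any(hmac.compare_digest(syn_cookie(src, sport, m).to_bytes(4, "big"),
                                       echoed_isn.to_bytes(4, "big")) for m in (now, now - 1))

def flood(listener, n: int) -> None:
    """Attacker: many SYNs from spoofed sources that will never send the final ACK."""
    for i in range(n):
        listener.on_syn(f"192.0.2.{i % 250}", 1024 + i)

def legit_connect_classic(listener: Listener) -> bool:
    if not listener.on_syn("10.0.0.5", 40000):
        return False
    return listener.on_ack("10.0.0.5", 40000)

def legit_connect_cookie(listener: CookieListener) -> bool:
    isn = listener.on_syn("10.0.0.5", 40000)
    return listener.on_ack("10.0.0.5", 40000, isn)     # real client echoes ISN+1; we pass ISN

def demo() -> dict:
    classic, cookie = Listener(), CookieListener()
    flood(classic, 10_000)
    flood(cookie, 10_000)
    return {"classic_under_flood": legit_connect_classic(classic),
            "cookie_under_flood": legit_connect_cookie(cookie),
            "forged_ack_rejected": not cookie.on_ack("10.0.0.5", 40000, 0x12345678)}

if __name__ == "__main__":
    print(demo())
```

The cost of SYN cookies is that the server cannot remember negotiated options for connections it never stored, which is why real stacks switch them on only when the backlog is under pressure.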
Smurf Attack
Occurs when an amplifying server or networkis used to flood a victim with useless data
An amplifying server or network is any system that generates multiple response packets, such as Internet Control Message Protocol (ICMP) echo packets, from a single submitted packet
A common smurf attack method is to send a message to the broadcast address for a subnet or network with the victim’s spoofed address
–Every node on that network produces one or more response packets for the victim
If the amplification network can produce sufficient response packet volume, the victim will experience a DoS
Countermeasures for smurf attacks include disabling directed broadcasts on all network border routers
Spoofing Attacks
Spoofing is the art of pretending to be something you’re not
Spoofing attacks consist of replacing a valid source and/or destination IP address with false ones
grants attackers the ability to hide their identities
Countermeasures:
- enabling source address verification on routers: ingress/egress filtering (BCP 38) and unicast reverse-path forwarding checks drop packets whose source address could not legitimately have arrived on that interface
- employing an IDS to detect spoofed traffic and an IPS or firewall to block it
Man-in-the-Middle
A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication
sniffer attack(or snooping attack)
Attackers sniffing the traffic between two parties
store-and-forward or proxy mechanism
Attackers positioning themselves in the line of communication where they act as a store-and-forward or proxy mechanism
To perform this type of attack, the attacker must redirect the traffic path (for example by poisoning ARP or DNS, or by altering routing information) so as to impersonate the server from the perspective of the client and the client from the perspective of the server
The attacker is invisible to both ends of the communication link
Spamming Attacks
Spam is the term that describes unsolicited email, newsgroup, or discussion forum messages
–As innocuous as an advertisement
–As malignant as floods of unrequested messages with viruses or Trojan horses attached
Also considered a type of DoS