Access Controls. CISSP Guide to Security Essentials Chapter 2

Transcription

1 Access Controls CISSP Guide to Security Essentials Chapter 2

2 Objectives Identification and Authentication Centralized Access Control Decentralized Access Control Access Control Attacks Testing Access Controls CISSP Guide to Security Essentials 2

3 Identification and Authentication Identification: unproven assertion of identity My name is userid CISSP Guide to Security Essentials 3

4 Identification and Authentication (cont.) Authentication: proven assertion of identity Userid and password Userid and PIN Biometric CISSP Guide to Security Essentials 4

5 Authentication Methods What the user knows Userid and password Userid and PIN What the user has Smart card Token CISSP Guide to Security Essentials 5

6 Authentication Methods (cont.) What the user is Biometrics (fingerprint, handwriting, voice, etc.) CISSP Guide to Security Essentials 6

7 How Information Systems Authenticate Users Request userid and password Hash password Retrieve stored userid and hashed password Compare Make a function call to a network based authentication service CISSP Guide to Security Essentials 7

8 How a User Should Treat Userids and Passwords Keep a secret Do not share with others Do not leave written down where someone else can find it Store in an encrypted file or vault CISSP Guide to Security Essentials 8

9 How a System Stores Userids and Passwords Typically stored in a database table Application database or authentication database Userid stored in plaintext Facilitates lookups by others CISSP Guide to Security Essentials 9

10 How a System Stores Userids Stored (cont.) and Passwords (cont.) Password stored encrypted or hashed If encrypted, can be retrieved under certain conditions Forgot password function, application s to user If hashed, cannot be retrieved under any circumstance CISSP Guide to Security Essentials 10

11 Strong Authentication Traditional userid + password authentication has known weaknesses Easily guessed passwords Disclosed or shared passwords CISSP Guide to Security Essentials 11

12 Strong Authentication (cont.) Stronger types of authentication available, usually referred to as strong authentication Token Certificate Biometrics CISSP Guide to Security Essentials 12

13 Two Factor Authentication First factor: what user knows Second factor: what user has Password token USB key Digital certificate Smart card CISSP Guide to Security Essentials 13

14 Two Factor Authentication (cont.) Without the second factor, user cannot log in Defeats password guessing / cracking CISSP Guide to Security Essentials 14

15 Biometric Authentication Stronger than userid + password Stronger than two-factor CISSP Guide to Security Essentials 15

16 Biometric Authentication (cont.) Measures a part of user s body Fingerprint Iris scan Signature Voice Etc. CISSP Guide to Security Essentials 16

17 Authentication Issues Password quality Consistency of user credentials across multiple environments Too many userids and passwords CISSP Guide to Security Essentials 17

18 Authentication Issues (cont.) Handling password resets Dealing with compromised passwords Staff terminations CISSP Guide to Security Essentials 18

19 Access Control Technologies Centralized management of access controls LDAP Active Directory RADIUS CISSP Guide to Security Essentials 19

20 Access Control Technologies (cont.) Centralized management (cont.) Diameter TACACS Kerberos CISSP Guide to Security Essentials 20

21 Single Sign-On (SSO) Authenticate once, access many information systems without having to re-authenticate into each Centralized session management CISSP Guide to Security Essentials 21

22 Single Sign-On (cont.) Often the holy grail for identity management Harder in practice to achieve integration issues CISSP Guide to Security Essentials 22

23 Single Sign-On (cont.) Weakness: intruder can access all participating systems if password compromised Best to combine with two-factor / strong authentication CISSP Guide to Security Essentials 23

24 Reduced Sign-On Like single sign-on (SSO), single credential for many systems But no inter-system session management User must log into each system separately CISSP Guide to Security Essentials 24

25 Reduced Sign-On (cont.) Weakness: intruder can access all systems if password is compromised Best to combine with two-factor / strong authentication CISSP Guide to Security Essentials 25

26 Access Control Attacks Intruders will try to defeat, bypass, or trick access controls in order to reach their target CISSP Guide to Security Essentials 26

27 Access Control Attacks (cont.) Attack objectives Guess credentials Malfunction of access controls Bypass access controls Replay known good logins Trick people into giving up credentials CISSP Guide to Security Essentials 27

28 Buffer Overflow Cause malfunction in a way that permits illicit access Send more data than application was designed to handle properly Excess data corrupts application memory Execution of arbitrary code Malfunction CISSP Guide to Security Essentials 28

29 Buffer Overflow (cont.) Countermeasure: safe coding that limits length of input data; filter input data to remove unsafe characters CISSP Guide to Security Essentials 29

30 Script Injection Insertion of scripting language characters into application input fields Execute script on server side SQL injection obtain data from application database CISSP Guide to Security Essentials 30

31 Script Injection (cont.) Insertion (cont.) Execute script on client side trick user or browser Cross site scripting Cross site request forgery Countermeasures: strip unsafe characters from input CISSP Guide to Security Essentials 31

32 Data Remanence Literally: data that remains after it has been deleted Examples Deleted hard drive files Data in file system slack space CISSP Guide to Security Essentials 32

33 Data Remanence (cont.) Examples (cont.) Erased files Reformatted hard drive Discarded / lost media: USB keys, backup tapes, CDs Countermeasures: improve media physical controls CISSP Guide to Security Essentials 33

34 Denial of Service (DoS) Actions that cause target system to fail, thereby denying service to legitimate users Specially crafted input that causes application malfunction Large volume of input that floods application CISSP Guide to Security Essentials 34

35 Denial of Service (cont.) Distributed Denial of Service (DDoS) Large volume of input from many (hundreds, thousands) of sources Countermeasures: input filters, patches, high capacity CISSP Guide to Security Essentials 35

36 Dumpster Diving Literally, going through company trash in the hopes that sensitive printed documents were discarded that can be retrieved Personnel reports, financial records addresses CISSP Guide to Security Essentials 36

37 Dumpster Diving (cont.) Dumpster Diving (cont.) Trade secrets Technical architecture Countermeasures: on-site shredding CISSP Guide to Security Essentials 37

38 Eavesdropping Interception of data transmissions Login credentials Sensitive information Methods Network sniffing (maybe from a compromised system) Wireless network sniffing CISSP Guide to Security Essentials 38

39 Eavesdropping (cont.) Countermeasures: encryption, stronger encryption CISSP Guide to Security Essentials 39

40 Emanations Electromagnetic radiation that emanates from computer equipment Network cabling More prevalent in networks with coaxial cabling CRT monitors Wi-Fi networks CISSP Guide to Security Essentials 40

41 Emanations (cont.) Countermeasures: shielding, twisted pair network cable, LCD monitors, lower power or eliminate Wi-Fi CISSP Guide to Security Essentials 41

42 Spoofing and Masquerading Specially crafted network packets that contain forged address of origin TCP/IP protocol permits forged MAC and IP address SMTP protocol permits forged From address CISSP Guide to Security Essentials 42

43 Spoofing and Masquerading (cont.) Countermeasures: router / firewall configuration to drop forged packets, judicious use of for signaling or data transfer CISSP Guide to Security Essentials 43

44 Social Engineering Tricking people into giving out sensitive information by making them think they are helping someone Methods In person By phone CISSP Guide to Security Essentials 44

45 Schemes Social Engineering (cont.) Log-in, remote access, building entrance help Countermeasures: security awareness training CISSP Guide to Security Essentials 45

46 Phishing Incoming, fraudulent messages designed to give the appearance of origin from a legitimate institution Bank security breach Tax refund Irish sweepstakes CISSP Guide to Security Essentials 46

47 Phishing (cont.) Tricks user into providing sensitive data via a forged web site (common) or return (less common) Countermeasures: security awareness training CISSP Guide to Security Essentials 47

48 Pharming Redirection of traffic to a forged website Attack of DNS server (poison cache, other attacks) Attack of hosts file on client system Often, a phishing to lure user to forged website Forged website has appearance of the real thing CISSP Guide to Security Essentials 48

49 Pharming (cont.) Countermeasures: user awareness training, patches, better controls CISSP Guide to Security Essentials 49

50 Password Guessing Trying likely passwords to log in as a specific user Common words Spouse / partner / pet name Significant dates / places CISSP Guide to Security Essentials 50

51 Password Guessing (cont.) Countermeasures: strong, complex passwords, aggressive password policy CISSP Guide to Security Essentials 51

52 Password Cracking Obtain / retrieve hashed passwords from target Run password cracking program Runs on attacker s system no one will notice Attacker logs in to target system using cracked passwords CISSP Guide to Security Essentials 52

53 Password Cracking (cont.) Countermeasures: frequent password changes, controls on hashed password files, more CISSP Guide to Security Essentials 53

54 Malicious Code Viruses, worms, Trojan horses, spyware, key logger Harvest data or cause system malfunction Countermeasures: anti-virus, antispyware, security awareness training CISSP Guide to Security Essentials 54

55 Access Control Concepts Principles of access control Types of controls Categories of controls CISSP Guide to Security Essentials 55

56 Principles of Access Control Separation of duties No single individual should be allowed to perform high-value or sensitive tasks on their own Financial transactions User account creation / changes CISSP Guide to Security Essentials 56

57 Principles of Access Control (cont.) Least privilege Persons should have access to only the functions / data that they require to perform their stated duties CISSP Guide to Security Essentials 57

58 Principles of Access Controls (cont.) Defense in depth Use of multiple controls to protect an asset Heterogeneous controls preferred If one type fails, the other remains If one type is attacked, the other remains CISSP Guide to Security Essentials 58

59 Examples Principles of Access Controls (cont.) Nested firewalls Anti-virus on workstations, file servers, servers CISSP Guide to Security Essentials 59

60 Technical Types of Controls Authentication, encryption, firewalls, anti-virus Physical Key card entry, fencing, video surveillance Administrative Policy, procedures, standards CISSP Guide to Security Essentials 60

61 Categories of Controls Detective controls Deterrent controls Preventive controls Corrective controls Recovery controls Compensating controls CISSP Guide to Security Essentials 61

62 Detective Controls Monitor and record specific types of events Does not stop or directly influence events Video surveillance Audit logs Event logs Intrusion detection system CISSP Guide to Security Essentials 62

63 Deterrent Controls Designed to prevent specific actions by influencing choices of would-be intruders CISSP Guide to Security Essentials 63

64 Deterrent Controls (cont.) Does not prevent or even record events Signs Guards, guard dogs Razor wire CISSP Guide to Security Essentials 64

65 Preventive Controls Block or control specific events Firewalls Anti-virus software Encryption Key card systems CISSP Guide to Security Essentials 65

66 Preventive Controls (cont.) Block or control specific events (cont.) Fencing Bollards Crash guards CISSP Guide to Security Essentials 66

67 Corrective Controls Post-event controls to prevent recurrence Corrective refers to when it is implemented Can be preventive, detective, deterrent, administrative CISSP Guide to Security Essentials 67

68 Corrective Controls (cont.) Examples Spam filter Anti-virus on server WPA Wi-Fi encryption CISSP Guide to Security Essentials 68

69 Recovery Controls Post-incident controls to recover systems Recovery refers to when it is implemented Can be detective, preventive, deterrent, administrative CISSP Guide to Security Essentials 69

70 Examples Recovery Controls (cont.) System restoration Database restoration CISSP Guide to Security Essentials 70

71 Compensating Controls Control that is introduced that compensates for the absence or failure of a control Compensating refers to why it is implemented Can be detective, preventive, deterrent, administrative CISSP Guide to Security Essentials 71

72 Compensating Controls (cont.) Examples Daily monitoring of anti-virus console Monthly review of administrative logins CISSP Guide to Security Essentials 72

73 Testing Access Controls Access controls are the primary defense that protect assets Testing helps to verify whether they are working properly CISSP Guide to Security Essentials 73

74 Testing Access Controls (cont.) Types of tests Penetration tests Application vulnerability tests Code reviews CISSP Guide to Security Essentials 74

75 Penetration Testing Automatic scans to discover vulnerabilities Scan TCP/IP for open ports, discover active listeners Potential vulnerabilities in open services CISSP Guide to Security Essentials 75

76 Penetration Testing (cont.) Penetration Testing (cont.) Test operating system, middleware, server, network device features Missing patches Example tools: Nessus, Nikto, SATAN, Superscan, Retina, ISS, Microsoft baseline security scanner CISSP Guide to Security Essentials 76

77 Application Vulnerability Testing Discover vulnerabilities in an application Automated tools and manual tools CISSP Guide to Security Essentials 77

78 Application Vulnerability Testing (cont.) Example vulnerabilities Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, unsecure use of encryption, and many more CISSP Guide to Security Essentials 78

79 Audit Log Analysis Regular examination of audit and event logs Detect unwanted events Attempted break-ins System malfunctions Account abuse CISSP Guide to Security Essentials 79

80 Audit Log Analysis (cont.) Audit log protection Write-once media Centralized audit logs CISSP Guide to Security Essentials 80

81 Summary Identification is unproven assertion of identity Authentication is proven assertion of identity Two-factor authentication includes something the user knows and something the user has CISSP Guide to Security Essentials 81

82 Summary (cont.) Biometric authentication includes something the user is. Examples include fingerprint, hand scan, iris scan Authentication standards include LDAP, TACACS, RADIUS, and Diameter CISSP Guide to Security Essentials 82

83 Summary (cont.) Single sign-on (SSO) provides a single identity with session management across applications Reduced sign-on provides a single identity across applications but no session management CISSP Guide to Security Essentials 83

84 Summary (cont.) Access controls are attacked by several methods, including buffer overflow, script injection, malicious code, denial of service, eavesdropping, spoofing, social engineering, phishing, and password attacks CISSP Guide to Security Essentials 84

85 Summary (cont.) Separation of duties: split tasks between two or more Least privilege: minimize user access Defense in depth: protect assets with many controls Types of controls: technical, physical, administrative CISSP Guide to Security Essentials 85

86 Summary (cont.) Categories of controls: detective, deterrent, preventive, corrective, recovery, compensating Access controls are tested with penetration testing, application vulnerability testing, and code reviews CISSP Guide to Security Essentials 86

87 Summary (cont.) Audit log analysis helps to detect unwanted events CISSP Guide to Security Essentials 87