Access Controls. CISSP Guide to Security Essentials Chapter 2

Objectives
- Identification and authentication
- Centralized access control
- Decentralized access control
- Access control attacks
- Testing access controls

Identification and Authentication
- Identification: an unproven assertion of identity ("my name is ..."; presenting a userid)

Identification and Authentication (cont.)
- Authentication: a proven assertion of identity
- Userid and password
- Userid and PIN
- Biometric

Authentication Methods
- What the user knows: userid and password; userid and PIN
- What the user has: smart card; token

Authentication Methods (cont.)
- What the user is: biometrics (fingerprint, handwriting, voice, etc.)

How Information Systems Authenticate Users
- Request userid and password
- Hash the submitted password (with the salt stored for that user, if the system salts its hashes)
- Retrieve the stored userid and hashed password
- Compare the two hash values (a constant-time comparison avoids leaking how much of the hash matched)
- Alternatively, make a function call to a network-based authentication service

How a User Should Treat Userids and Passwords
- Keep them secret
- Do not share them with others
- Do not leave them written down where someone else can find them
- Store them in an encrypted file or password vault

How a System Stores Userids and Passwords
- Typically stored in a database table: the application database or a dedicated authentication database
- Userid stored in plaintext, which facilitates lookups by other components

How a System Stores Userids and Passwords (cont.)
- Password stored encrypted or hashed
- If encrypted, it can be retrieved under certain conditions, e.g. a "forgot password" function that e-mails the password to the user. The same property means anyone who obtains the database and the key recovers every password
- If hashed, the original password cannot be retrieved from the stored value under any circumstance; the only remedy is a reset
- Caveat: a hash can still be attacked offline by guessing candidates and hashing them. Use a per-user random salt and a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) so that identical passwords do not produce identical hashes and each guess is expensive
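As an added example (not part of the CISSP Guide slides), the storage and verification flow from the slides above in Python, using only the standard library: per-user random salt, PBKDF2-HMAC-SHA256 as the slow hash, and a constant-time compare. The iteration count, salt length, record format and the sample users are assumed values chosen for illustration.

```python
"""Salted, slow password hashing and verification (added example; not from the
CISSP Guide slides).  Standard library only."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Cost parameters.  ITERATIONS is an assumed value for illustration; production
# settings are tuned to the server's CPU budget and raised over time.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed in-memory "authentication database": userid -> stored record.
# The userid is stored in plaintext (it is the lookup key); the password is not.
USER_DB: Dict[str, str] = {}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex),
    so the parameters can be raised later without breaking old records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def register(userid: str, password: str) -> None:
    USER_DB[userid] = hash_password(password)


def verify_password(userid: str, password: str) -> bool:
    """The slides' flow: look up the stored record, re-hash the candidate with
    the stored salt and iteration count, compare.  The compare is constant-time
    so response timing does not leak how many leading bytes matched."""
    record = USER_DB.get(userid)
    if record is None:
        # Burn the same work as a real check so an unknown userid is not
        # distinguishable from a wrong password by response time.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    algo, iters, salt_hex, stored_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown record format: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), stored_hex)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")
    # Same password, different salts: different stored records, so cracking
    # one user's hash says nothing about the other's.
    print(USER_DB["alice"] != USER_DB["bob"])
    print(verify_password("alice", "correct horse battery staple"))
    print(verify_password("alice", "wrong"))
```

Note that the record carries its own parameters: when the iteration count is raised, existing users are re-hashed transparently at their next successful login, because the plaintext is available only at that moment.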

Strong Authentication
- Traditional userid + password authentication has known weaknesses
- Easily guessed passwords
- Disclosed or shared passwords

Strong Authentication (cont.)
- Stronger types of authentication are available, usually referred to as strong authentication
- Token
- Certificate
- Biometrics

Two-Factor Authentication
- First factor: what the user knows (password or PIN)
- Second factor: what the user has
- Password token (a one-time password generator)
- USB key
- Digital certificate
- Smart card

Two-Factor Authentication (cont.)
- Without the second factor, the user cannot log in
- Defeats password guessing and cracking on their own: a guessed or cracked password is no longer sufficient. The second factor must itself resist copying and phishing, or the attacker simply collects both

Biometric Authentication
- Stronger than userid + password: a body feature cannot be guessed and is hard to share
- Not inherently stronger than two-factor authentication: a biometric is a single factor ("what the user is"), has false-accept and false-reject rates, and cannot be changed if its stored template is compromised. It is strongest when combined with another factor

Biometric Authentication (cont.)
- Measures a part of the user's body, or a behaviour
- Fingerprint
- Iris scan
- Signature
- Voice
- Etc.

Authentication Issues
- Password quality
- Consistency of user credentials across multiple environments
- Too many userids and passwords

Authentication Issues (cont.)
- Handling password resets (the reset channel is itself an authentication path and must be protected accordingly)
- Dealing with compromised passwords
- Staff terminations: access must be revoked promptly across every system

Access Control Technologies
- Centralized management of access controls
- LDAP
- Active Directory
- RADIUS

Access Control Technologies (cont.)
- Diameter
- TACACS (and its successor TACACS+)
- Kerberos

Single Sign-On (SSO)
- Authenticate once, then access many information systems without re-authenticating into each
- Centralized session management

Single Sign-On (cont.)
- Often the "holy grail" of identity management
- Harder to achieve in practice because of integration issues

Single Sign-On (cont.)
- Weakness: if the password is compromised, an intruder can access all participating systems
- Best combined with two-factor / strong authentication

Reduced Sign-On
- Like single sign-on (SSO), a single credential for many systems
- But no inter-system session management
- The user must log in to each system separately

Reduced Sign-On (cont.)
- Weakness: if the password is compromised, an intruder can access all systems
- Best combined with two-factor / strong authentication

Access Control Attacks
- Intruders will try to defeat, bypass or trick access controls in order to reach their target

Access Control Attacks (cont.)
- Attack objectives
- Guess credentials
- Cause a malfunction of access controls
- Bypass access controls
- Replay known-good logins
- Trick people into giving up credentials

Buffer Overflow
- Causes a malfunction in a way that permits illicit access
- Send more data than the application was designed to handle properly
- The excess data overwrites adjacent application memory
- Result: execution of attacker-supplied code, or a crash (malfunction)

Buffer Overflow (cont.)
- Countermeasure: safe coding that checks the length of input against the size of the buffer before copying (bounded rather than unbounded copy routines), or a memory-safe language
- Defense in depth: compiler and platform mitigations such as stack canaries, non-executable memory and address space layout randomization
- Note: filtering "unsafe characters" from input does not prevent overflows; the length of the input, not its characters, is what matters

Script Injection
- Insertion of scripting- or query-language syntax into application input fields
- Executed on the server side: SQL injection, which can read or modify data in the application database and, in login queries, bypass the password check altogether

Script Injection (cont.)
- Executed on the client side, to trick the user or the browser: cross-site scripting (XSS)
- Related: cross-site request forgery (CSRF), which abuses the browser's existing session rather than injecting script
- Countermeasures: stripping "unsafe characters" from input is fragile and easily bypassed; prefer parameterized queries for SQL, output encoding for the context the data is written into (HTML body, attribute, JavaScript), and anti-CSRF tokens
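An added example, not from the slides: the two server-side and client-side injections named above, each shown as the vulnerable pattern beside its fix, in Python against a constructed in-memory SQLite table. The table, the rows and the attack strings are constructed for the demo.

```python
"""SQL injection and cross-site scripting: vulnerable pattern beside the fix.
Added example; not from the CISSP Guide slides.  Standard library only."""
import html
import sqlite3

# Constructed application database for the demo.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (userid TEXT, secret TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice-secret"), ("bob", "bob-secret")])
conn.commit()


def lookup_vulnerable(userid: str) -> list:
    """String concatenation: the input becomes part of the SQL syntax, so a
    quote character in `userid` changes what the statement means."""
    sql = "SELECT userid, secret FROM users WHERE userid = '" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(userid: str) -> list:
    """Bound parameter: the driver passes the value separately from the
    statement text, so it is always treated as data, never as SQL."""
    sql = "SELECT userid, secret FROM users WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input into HTML unencoded: a script element in `name`
    executes in the victim's browser (reflected cross-site scripting)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_encoded(name: str) -> str:
    """Output encoding for the HTML-body context: <, >, &, and quotes become
    entities, so the browser displays the text instead of running it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attack inputs.
INJECTION = "x' OR '1'='1"
XSS = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(lookup_vulnerable(INJECTION))     # every row: both secrets leak
    print(lookup_parameterized(INJECTION))  # []: no user has that literal name
    print(render_greeting_vulnerable(XSS))
    print(render_greeting_encoded(XSS))
```

The injection string contains no character a naive "strip unsafe characters" filter would be sure to catch (a quote is legitimate in names such as O'Brien), which is why parameterization and context-specific output encoding are preferred to input filtering.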

Data Remanence
- Literally: data that remains after it has been "deleted"
- Examples
- Deleted hard drive files
- Data in file system slack space

Data Remanence (cont.)
- Examples (cont.)
- Erased files
- Reformatted hard drive
- Discarded / lost media: USB keys, backup tapes, CDs
- Countermeasures: improve physical controls on media; overwrite or cryptographically erase media before reuse or disposal; encrypt media at rest so that lost media yields nothing

Denial of Service (DoS)
- Actions that cause the target system to fail, thereby denying service to legitimate users
- Specially crafted input that causes an application malfunction
- Large volume of input that floods the application

Denial of Service (cont.)
- Distributed Denial of Service (DDoS): a large volume of input from many (hundreds, thousands of) sources
- Countermeasures: input filters, patches, high capacity; for volumetric floods, filtering upstream of the target (at the provider or a scrubbing service), since the target's own link is what fills up

Dumpster Diving
- Literally, going through company trash in the hope that discarded sensitive printed documents can be retrieved
- Personnel reports, financial records
- E-mail addresses

Dumpster Diving (cont.)
- Trade secrets
- Technical architecture
- Countermeasures: on-site shredding

Eavesdropping
- Interception of data transmissions
- Login credentials
- Sensitive information
- Methods
- Network sniffing (possibly from a compromised system on the path)
- Wireless network sniffing

Eavesdropping (cont.)
- Countermeasures: encryption in transit (TLS, VPNs, WPA2/WPA3 on wireless), using current protocol versions and cipher suites rather than legacy ones

Emanations
- Electromagnetic radiation that emanates from computer equipment
- Network cabling: more prevalent in networks with coaxial cabling
- CRT monitors
- Wi-Fi networks

Emanations (cont.)
- Countermeasures: shielding, twisted-pair network cable, LCD monitors, lower-power or eliminated Wi-Fi

Spoofing and Masquerading
- Specially crafted network packets that contain a forged address of origin
- Neither Ethernet nor IP authenticates the source address, so MAC and IP addresses can be forged
- SMTP permits a forged e-mail "From" address

Spoofing and Masquerading (cont.)
- Countermeasures: router / firewall configuration that drops packets whose source address could not legitimately arrive on that interface (ingress / egress filtering); SPF, DKIM and DMARC so that receivers can detect forged e-mail senders; judicious use of e-mail for signaling or data transfer

Social Engineering
- Tricking people into giving out sensitive information by making them think they are helping someone
- Methods
- In person
- By phone

Social Engineering (cont.)
- Schemes: requests for help with log-in, remote access, building entrance
- Countermeasures: security awareness training

Phishing
- Incoming fraudulent e-mail messages designed to appear to originate from a legitimate institution
- Bank security breach
- Tax refund
- Irish sweepstakes

Phishing (cont.)
- Tricks the user into providing sensitive data via a forged web site (common) or a return e-mail (less common)
- Countermeasures: security awareness training; a second factor that cannot simply be relayed through the forged site, since the site captures whatever the user types into it

Pharming
- Redirection of traffic to a forged web site
- Attack on a DNS server (cache poisoning, other attacks)
- Attack on the hosts file on the client system
- Often a phishing e-mail lures the user to the forged web site
- The forged web site has the appearance of the real thing

Pharming (cont.)
- Countermeasures: user awareness training, patches, better controls such as DNSSEC validation on resolvers and properly validated TLS certificates, so that a redirected user sees a certificate warning rather than a convincing copy

Password Guessing
- Trying likely passwords to log in as a specific user
- Common words
- Spouse / partner / pet names
- Significant dates / places

Password Guessing (cont.)
- Countermeasures: strong, complex passwords; an aggressive password policy (minimum length, screening against known-breached passwords); limiting the rate of failed attempts by throttling or lockout, since guessing is an online attack the target system can observe

Password Cracking
- Obtain / retrieve hashed passwords from the target
- Run a password-cracking program
- It runs on the attacker's own system, so no one on the target will notice
- The attacker logs in to the target system using the cracked passwords

Password Cracking (cont.)
- Countermeasures: controls on hashed password files; salted, deliberately slow password hashes so that each guess is expensive and no precomputed table applies; forced resets once a hash file is known to be exposed
- The slide's "frequent password changes" help only by shortening the window after a crack; current guidance (NIST SP 800-63B) favours changing passwords on evidence of compromise rather than on a fixed schedule
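An added example (not from the slides) showing the attacker's side of the Password Guessing and Password Cracking slides above: an offline dictionary attack against stolen unsalted hashes, the same attack against salted slow hashes, and a measurement of the per-guess cost the defender controls. The wordlist, user names and hashes are constructed; the iteration counts are assumed.

```python
"""Why hashed passwords are still crackable offline, and what slows the
attacker down.  Added example; not from the CISSP Guide slides."""
import hashlib
import os
import time
from typing import Dict, List, Tuple

# Constructed wordlist standing in for a real dictionary.
WORDLIST: List[str] = ["password", "letmein", "Summer2019", "qwerty",
                       "dragon", "welcome1"]

# Constructed "stolen" store #1: unsalted MD5, one hash per user.
UNSALTED: Dict[str, str] = {
    "alice": hashlib.md5(b"Summer2019").hexdigest(),
    "bob":   hashlib.md5(b"Summer2019").hexdigest(),   # same password as alice
    "carol": hashlib.md5(b"dragon").hexdigest(),
    "dave":  hashlib.md5(b"Tr0ub4dor&3").hexdigest(),  # not in the wordlist
}


def crack_unsalted(stolen: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One hash per candidate word cracks every user at once: identical
    passwords give identical hashes, and the word -> hash table can be
    precomputed and reused against any breach of the same algorithm."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def make_salted_store(passwords: Dict[str, str],
                      iterations: int) -> Dict[str, Tuple[bytes, int, bytes]]:
    """Store #2: per-user random salt + PBKDF2-HMAC-SHA256 (iterations assumed)."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        h = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, h)
    return store


def crack_salted(stolen: Dict[str, Tuple[bytes, int, bytes]],
                 wordlist: List[str]) -> Dict[str, str]:
    """No shared table is possible: the salt differs per user, so the work is
    |users| x |wordlist| x iterations instead of |wordlist|.  Weak passwords
    still fall, which is why the slide's password policy is also needed."""
    found = {}
    for user, (salt, iters, h) in stolen.items():
        for w in wordlist:
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == h:
                found[user] = w
                break
    return found


def hash_cost(iterations: int, trials: int = 5) -> float:
    """Seconds per candidate for the slow hash: the knob that turns billions
    of guesses per second into thousands."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    print(crack_unsalted(UNSALTED, WORDLIST))   # alice, bob, carol fall together
    salted = make_salted_store({"alice": "Summer2019", "bob": "Summer2019"}, 50_000)
    print(crack_salted(salted, WORDLIST))        # still cracked, but one at a time
    print(salted["alice"][2] != salted["bob"][2])  # same password, different hash
    print("%.4f s per guess at 50k iterations" % hash_cost(50_000))
```

The comparison shows why "controls on hashed password files" is necessary but not sufficient: once the file leaks, the only things that protect a user are the cost per guess and the strength of the password itself.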

Malicious Code
- Viruses, worms, Trojan horses, spyware, key loggers
- Harvest data or cause system malfunction
- Countermeasures: anti-virus, anti-spyware, security awareness training

Access Control Concepts
- Principles of access control
- Types of controls
- Categories of controls

Principles of Access Control
- Separation of duties: no single individual should be able to perform a high-value or sensitive task on their own
- Financial transactions
- User account creation / changes

Principles of Access Control (cont.)
- Least privilege: persons should have access only to the functions / data they require to perform their stated duties
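An added example, not from the slides: an automated check of the two principles above, separation of duties and least privilege, over a constructed role model. The roles, the conflicting permission pairs, the user assignments and the usage summary are all constructed for the demo; a real review would draw them from the directory and the audit logs.

```python
"""Checking separation of duties and least privilege against an access model.
Added example; not from the CISSP Guide slides.  All data is constructed."""
from typing import Dict, List, Set, Tuple

# Role -> permissions it grants (constructed).
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":    {"payment.create"},
    "ap_approver": {"payment.approve"},
    "helpdesk":    {"account.create", "account.reset_password"},
    "iam_admin":   {"account.create", "account.modify", "account.delete"},
    "auditor":     {"log.read"},
}

# Permission pairs no single person may hold together: the slide's two
# examples, financial transactions and account creation / changes.
TOXIC_PAIRS: List[Tuple[str, str]] = [
    ("payment.create", "payment.approve"),
    ("account.create", "account.modify"),
]

# User -> assigned roles (constructed).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_approver"},   # can create and approve a payment
    "carol": {"helpdesk", "iam_admin"},     # conflict arises across two roles
    "dave":  {"auditor", "helpdesk"},
}

# Constructed summary of the audit log: permissions each user actually
# exercised during the review window.
USAGE: Dict[str, Set[str]] = {
    "alice": {"payment.create"},
    "bob":   {"payment.create"},
    "carol": {"account.reset_password"},
    "dave":  {"log.read", "account.reset_password"},
}


def effective_permissions(user: str) -> Set[str]:
    """Union of every permission from every role the user holds.  Checking
    at the permission level catches conflicts that span two roles, which a
    role-name blacklist would miss."""
    perms: Set[str] = set()
    for role in ASSIGNMENTS.get(user, set()):
        perms |= ROLES.get(role, set())
    return perms


def sod_violations() -> Dict[str, List[Tuple[str, str]]]:
    """Users whose effective permissions contain both halves of a toxic pair."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for user in ASSIGNMENTS:
        perms = effective_permissions(user)
        hits = [p for p in TOXIC_PAIRS if p[0] in perms and p[1] in perms]
        if hits:
            out[user] = hits
    return out


def unused_permissions(usage: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Least privilege: permissions granted but never exercised in the window.
    These are candidates for removal, to be confirmed with the user's manager
    (some rights are legitimately rare, e.g. break-glass access)."""
    out: Dict[str, Set[str]] = {}
    for user in ASSIGNMENTS:
        unused = effective_permissions(user) - usage.get(user, set())
        if unused:
            out[user] = unused
    return out


if __name__ == "__main__":
    print(sod_violations())
    print(unused_permissions(USAGE))
```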

Principles of Access Control (cont.)
- Defense in depth: use of multiple controls to protect an asset
- Heterogeneous controls preferred
- If one type fails, the other remains
- If one type is attacked, the other remains

Principles of Access Control (cont.)
- Examples
- Nested firewalls
- Anti-virus on workstations, file servers and e-mail servers

Types of Controls
- Technical: authentication, encryption, firewalls, anti-virus
- Physical: key card entry, fencing, video surveillance
- Administrative: policy, procedures, standards

Categories of Controls
- Detective controls
- Deterrent controls
- Preventive controls
- Corrective controls
- Recovery controls
- Compensating controls

Detective Controls
- Monitor and record specific types of events
- Do not stop or directly influence events
- Video surveillance
- Audit logs
- Event logs
- Intrusion detection system

Deterrent Controls
- Designed to prevent specific actions by influencing the choices of would-be intruders

Deterrent Controls (cont.)
- Do not prevent or even record events
- Signs
- Guards, guard dogs
- Razor wire

Preventive Controls
- Block or control specific events
- Firewalls
- Anti-virus software
- Encryption
- Key card systems

Preventive Controls (cont.)
- Block or control specific events (cont.)
- Fencing
- Bollards
- Crash guards

Corrective Controls
- Post-event controls to prevent recurrence
- "Corrective" refers to when the control is implemented
- Can be preventive, detective, deterrent, administrative

Corrective Controls (cont.)
- Examples
- Spam filter
- Anti-virus on e-mail server
- WPA Wi-Fi encryption

Recovery Controls
- Post-incident controls to recover systems
- "Recovery" refers to when the control is implemented
- Can be detective, preventive, deterrent, administrative

Recovery Controls (cont.)
- Examples
- System restoration
- Database restoration

Compensating Controls
- A control introduced to compensate for the absence or failure of another control
- "Compensating" refers to why the control is implemented
- Can be detective, preventive, deterrent, administrative

Compensating Controls (cont.)
- Examples
- Daily monitoring of the anti-virus console
- Monthly review of administrative logins

Testing Access Controls
- Access controls are the primary defense that protects assets
- Testing helps to verify whether they are working properly

Testing Access Controls (cont.)
- Types of tests
- Penetration tests
- Application vulnerability tests
- Code reviews

Penetration Testing
- Automated scans to discover vulnerabilities
- Scan TCP/IP for open ports, discover active listeners
- Potential vulnerabilities in open services
- Note: scanning is the reconnaissance phase of a penetration test; a full test goes on to exploit confirmed findings to show what an intruder could actually reach

Penetration Testing (cont.)
- Test operating system, middleware, server and network device features
- Missing patches
- Example tools: Nessus, Nikto, SATAN, SuperScan, Retina, ISS, Microsoft Baseline Security Analyzer

Application Vulnerability Testing
- Discover vulnerabilities in an application
- Automated tools and manual testing

Application Vulnerability Testing (cont.)
- Example vulnerabilities: cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more

Audit Log Analysis
- Regular examination of audit and event logs
- Detect unwanted events
- Attempted break-ins
- System malfunctions
- Account abuse

Audit Log Analysis (cont.)
- Audit log protection
- Write-once media
- Centralized audit logs, forwarded promptly so that an intruder who gains control of a host cannot erase the record of how they got in
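An added example, not from the slides: detection logic for two of the unwanted events listed above, attempted break-ins (password guessing) and account abuse (a login that succeeds only after repeated failures from the same source), run over constructed log lines in OpenSSH's sshd syslog style. The thresholds, the time window and the year are assumed values.

```python
"""Audit log analysis: spotting password guessing and a suspicious success
in authentication logs.  Added example; not from the CISSP Guide slides.
The log lines are constructed in sshd's syslog format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Mar  3 02:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 02:14:04 host sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:14:06 host sshd[2103]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar  3 02:14:09 host sshd[2105]: Failed password for alice from 203.0.113.7 port 51140 ssh2
Mar  3 02:14:12 host sshd[2105]: Accepted password for alice from 203.0.113.7 port 51140 ssh2
Mar  3 09:30:00 host sshd[3001]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar  3 09:31:10 host sshd[3002]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
YEAR = 2024  # syslog lines carry no year; assumed for the demo

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source)


def parse(log: str) -> List[Event]:
    """Extract (timestamp, result, user, source_ip) from each recognised line."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real parser would count these too
        ts = datetime.strptime("%d %s" % (YEAR, " ".join(m["ts"].split())),
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def brute_force_sources(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Sources with at least `threshold` failures inside any `window`:
    password guessing, regardless of which usernames were tried."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            by_src[src].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        best = 0
        for i, t0 in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - t0 <= window))
        if best >= threshold:
            flagged[src] = best
    return flagged


def success_after_failures(events: List[Event],
                           min_failures: int = 3) -> List[Tuple[str, str]]:
    """An Accepted login from a source that had already failed `min_failures`
    times (for any user): the guesser got in, or a password was disclosed.
    Failures are counted per source, not per user, to catch user cycling."""
    failures: Dict[str, int] = defaultdict(int)
    hits: List[Tuple[str, str]] = []
    for _ts, result, user, src in events:
        if result == "Failed":
            failures[src] += 1
        elif result == "Accepted" and failures[src] >= min_failures:
            hits.append((user, src))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(brute_force_sources(ev))     # {'203.0.113.7': 5}
    print(success_after_failures(ev))  # [('alice', '203.0.113.7')]
```

Both checks need the logs to be complete and trustworthy, which is the point of the preceding slide: if the host's own log can be truncated by whoever just logged in, the successful-login record that makes the second check fire is the first thing to disappear.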

Summary
- Identification is an unproven assertion of identity
- Authentication is a proven assertion of identity
- Two-factor authentication includes something the user knows and something the user has

Summary (cont.)
- Biometric authentication includes something the user is. Examples include fingerprint, hand scan, iris scan
- Authentication standards include LDAP, TACACS, RADIUS and Diameter

Summary (cont.)
- Single sign-on (SSO) provides a single identity with session management across applications
- Reduced sign-on provides a single identity across applications but no session management

Summary (cont.)
- Access controls are attacked by several methods, including buffer overflow, script injection, malicious code, denial of service, eavesdropping, spoofing, social engineering, phishing and password attacks

Summary (cont.)
- Separation of duties: split tasks between two or more people
- Least privilege: minimize user access
- Defense in depth: protect assets with many controls
- Types of controls: technical, physical, administrative

Summary (cont.)
- Categories of controls: detective, deterrent, preventive, corrective, recovery, compensating
- Access controls are tested with penetration testing, application vulnerability testing and code reviews

Summary (cont.)
- Audit log analysis helps to detect unwanted events