CISSP Guide to Security Essentials, Ch3 - PowerPoint PPT Presentation

Slides: 79
Provided by: PeterGre5
Transcript and Presenter's Notes



1
Access Controls
CISSP Guide to Security Essentials, Chapter 2
Minor changes 6-13-11
2
Objectives
  • Identification and Authentication
  • Centralized Access Control
  • Decentralized Access Control
  • Access Control Attacks
  • Testing Access Controls

3
Controlling Access
4
Identification and Authentication
  • Identification: unproven assertion of identity
    • My name is
    • Userid
  • Authentication: proven assertion of identity
    • Userid and password
    • Userid and PIN
    • Biometric

5
Authentication Methods
  • What the user knows
    • Userid and password
    • Userid and PIN
  • What the user has
    • Smart card
    • Token
  • What the user is
    • Biometrics (fingerprint, handwriting, voice, etc.)

6
How Information Systems Authenticate Users
  • Request userid and password
  • Hash the password
  • Retrieve the stored userid and hashed password
  • Compare
  • Make a function call to a network-based authentication service

7
How a User Should Treat Userids and Passwords
  • Keep them secret
  • Do not share with others
  • Do not leave them written down where someone else can find them
  • Store in an encrypted file or vault
  • Use RoboForm

8
How a System Stores Userids and Passwords
  • Typically stored in a database table
    • Application database or authentication database
  • Userid stored in plaintext
    • Facilitates lookups by others
  • Password stored encrypted or hashed
    • If encrypted, can be retrieved under certain conditions
      • Forgot-password function: application e-mails it to the user
    • If hashed, cannot be retrieved under any circumstance (best method)

9
Password Hashes
  • Cain, Cracker top tab, right-click empty space,
    Add to List
  • LM hash is weak, no longer used in Win 7
  • NT hash is stronger, but not salted
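As an added example (not from the slides or the textbook), the slide 6 check and the slide 8 "hashed" storage in Python, together with the slide 9 point about unsalted hashes: with an unsalted hash, two users who chose the same password get the same stored value, while a per-user salt hides that. The user table, the passwords and the PBKDF2 work factor are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed user table; alice and bob deliberately chose the same password.
CONSTRUCTED_USERS = {
    "alice": "Winter2011",
    "bob": "Winter2011",
    "carol": "correct horse battery staple",
}
ITERATIONS = 100_000  # PBKDF2 work factor (assumed); slows offline cracking

def unsalted_hash(password):
    """Unsalted digest, the property slide 9 notes for the NT hash: equal
    passwords give equal hashes, so one crack of that value exposes both users."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password):
    """Slide 8 'hashed' storage: random per-user salt plus a slow PBKDF2 hash.
    The password itself is not kept, so it cannot be e-mailed back later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def build_db(users):
    """Userid in plaintext (for lookups); password only as a salted hash."""
    return {userid: make_record(pw) for userid, pw in users.items()}

def authenticate(db, userid, password):
    """Slide 6 flow: retrieve the stored record, hash the offered password the
    same way, compare. hmac.compare_digest keeps the comparison constant-time."""
    rec = db.get(userid)
    if rec is None:
        # Do the same work for unknown userids so response time does not
        # reveal which userids exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, ITERATIONS)
        return False
    offered = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(rec["salt"]), ITERATIONS)
    return hmac.compare_digest(offered, bytes.fromhex(rec["hash"]))

def users_sharing_a_hash(hashes):
    """Userids an attacker could pair up just by comparing stored hash values."""
    by_hash = {}
    for userid, h in hashes.items():
        by_hash.setdefault(h, []).append(userid)
    return sorted(group for group in by_hash.values() if len(group) > 1)

if __name__ == "__main__":
    db = build_db(CONSTRUCTED_USERS)
    print(users_sharing_a_hash({u: unsalted_hash(p) for u, p in CONSTRUCTED_USERS.items()}))
    print(users_sharing_a_hash({u: r["hash"] for u, r in db.items()}))
    print(authenticate(db, "alice", "Winter2011"), authenticate(db, "bob", "wrong"))
```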

10
Strong Authentication
  • Traditional userid/password authentication has known weaknesses
    • Easily guessed passwords
    • Disclosed or shared passwords
  • Stronger types of authentication are available, usually referred to as strong authentication
    • Token
    • Certificate
    • Biometrics

11
Two-Factor Authentication
  • First factor: what the user knows
  • Second factor: what the user has
    • Password token
    • USB key
    • Digital certificate
    • Smart card
  • Without the second factor, the user cannot log in
  • Defeats password guessing / cracking

12
RSA was Hacked, and their Customers Too
  • http://samsclass.info/RSA-alternatives.html

13
Biometric Authentication
  • Stronger than userid/password
  • Stronger than two-factor?
  • Can be hacked

14
Biometric Authentication (cont.)
  • Measures a part of the user's body
    • Fingerprint
    • Iris scan
    • Signature
    • Voice
    • Etc.

15
Biometric Authentication (cont.)
  • False Accept Rate
  • False Reject Rate

(Chart: occurrence of false accepts and false rejects plotted against sensitivity)
16
Authentication Issues
  • Password quality
  • Consistency of user credentials across multiple
    environments
  • Too many userids and passwords
  • Handling password resets
  • Dealing with compromised passwords
  • Staff terminations

17
Access Control Technologies
  • Centralized management of access controls
  • LDAP
    • Active Directory, Microsoft's LDAP
  • RADIUS
    • Diameter, upgrade of RADIUS
  • TACACS
    • Replaced by TACACS+ and RADIUS
  • Kerberos
    • Uses tickets

18
Single Sign-On (SSO)
  • Authenticate once, access many information systems without having to re-authenticate to each
  • Centralized session management
  • Often the holy grail for identity management
  • Harder in practice to achieve: integration issues

19
Reduced Sign-On
  • Like single sign-on (SSO): single credential for many systems
  • But no inter-system session management
  • User must log into each system separately, but they all use the same userid and password

20
Weakness of SSO and RSO
  • Weakness: an intruder can access all systems if the password is compromised
  • Best to combine with two-factor / strong authentication

21
iClicker Questions
22
A person hands you their business card. What
control function does this perform?
  1. Identification
  2. Authentication
  3. Two-factor authentication
  4. Biometrics authentication
  5. Token authentication

1 of 6
23
A Website has a password-retrieval system that
emails you your current password. Which of these
systems is most likely used at the Web server to
store passwords?
  1. Hashed
  2. Hashed and salted
  3. Encrypted
  4. LDAP
  5. Kerberos

2 of 6
24
To enter a building, you must show a photo ID to
the guard. The guard looks at the photo to make
sure it matches your real appearance. What
control function does this accomplish?
  1. Identification
  2. Token Authentication
  3. Two-factor authentication
  4. Biometric authentication
  5. More than one of the above

3 of 6
25
To enter a building, you must tell the guard
your name. The guard looks at a company directory
and compares a photo there to ensure it matches
your real appearance. What control function does
this accomplish?
  1. Identification
  2. Token Authentication
  3. Two-factor authentication
  4. Biometric authentication
  5. More than one of the above

4 of 6
26
Which technique allows users to access many
systems after logging on once?
  1. SSO
  2. RSO
  3. LDAP
  4. RADIUS
  5. TACACS

5 of 6
27
Which system uses a ticket-granting ticket?
  1. Active Directory
  2. RSO
  3. LDAP
  4. RADIUS
  5. TACACS

6 of 6
28
Access Control Attacks
29
Access Control Attacks
  • Intruders will try to defeat, bypass, or trick access controls in order to reach their target
  • Attack objectives
    • Guess credentials
    • Cause malfunction of access controls
    • Bypass access controls
    • Replay known good logins
    • Trick people into giving up credentials

30
Buffer Overflow
  • Cause a malfunction in a way that permits illicit access
  • Send more data than the application was designed to handle properly
  • Excess data corrupts application memory
    • Execution of arbitrary code
    • Malfunction
  • Countermeasures: safe coding that limits the length of input data; filter input data to remove unsafe characters

31
Script Injection
  • Insertion of scripting-language characters into application input fields
  • Execute script on server side
    • SQL injection: obtain data from application database
  • Execute script on client side: trick user or browser
    • Cross-site scripting
    • Cross-site request forgery
  • Countermeasures: strip unsafe characters from input

32
Cross-Site Scripting (XSS)
  • One client posts active content, with <script> tags or other programming content
  • When another client reads the messages, the scripts are executed in his or her browser
  • One user attacks another user, using the vulnerable Web application as a weapon

33
  • <script>alert("XSS vulnerability!")</script>
  • <script>alert(document.cookie)</script>
  • <script>window.location="http://www.ccsf.edu"</script>

34
XSS Scripting Effects
  • Steal another user's authentication cookie
  • Hijack session
  • Harvest stored passwords from the target's browser
  • Take over machine through a browser vulnerability
  • Redirect web page
  • Many, many other evil things
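The slide 32 message-board scenario as an added example (not from the slides or the textbook): the vulnerable rendering beside the output-encoded one, each fed the three slide 33 strings, plus the slide 31 "strip unsafe characters" idea for comparison. The posts and usernames are constructed; html.escape is Python's standard-library HTML entity encoder.

```python
import html

# Constructed message-board posts for the slide 32 scenario: one client posts
# active content and every other client who opens the board runs it. The
# three mallory bodies are the slide 33 strings.
CONSTRUCTED_POSTS = [
    ("alice", "Anyone else reading Chapter 2 tonight?"),
    ("mallory", '<script>alert("XSS vulnerability!")</script>'),
    ("mallory", "<script>alert(document.cookie)</script>"),
    ("mallory", '<script>window.location="http://www.ccsf.edu"</script>'),
]

def render_unsafe(posts):
    """Vulnerable page: post bodies are concatenated straight into the HTML,
    so mallory's <script> executes in the browser of whoever reads the board."""
    rows = [f"<li><b>{user}</b>: {body}</li>" for user, body in posts]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

def render_safe(posts):
    """Hardened page: every user-supplied value is HTML-entity encoded where it
    is written into the body. '<' becomes '&lt;', so the browser displays the
    payload as text instead of executing it."""
    rows = [f"<li><b>{html.escape(user)}</b>: {html.escape(body)}</li>"
            for user, body in posts]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

def strip_angle_brackets(text):
    """Slide 31's 'strip unsafe characters from input' applied to a post. It
    also stops these payloads, but it silently alters what the user wrote
    (a post saying 'a < b' loses its '<'); output encoding keeps the text intact."""
    return text.replace("<", "").replace(">", "")

def script_tag_count(page):
    """How many <script> tags a browser would find in the page; used only to
    compare the renderings."""
    return page.lower().count("<script")

if __name__ == "__main__":
    print("unsafe:", script_tag_count(render_unsafe(CONSTRUCTED_POSTS)))   # 3
    print("escaped:", script_tag_count(render_safe(CONSTRUCTED_POSTS)))    # 0
```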

35
Data Remanence
  • Literally, data that remains after it has been deleted
  • Examples
    • Deleted hard drive files
    • Data in file system slack space
    • Erased files
    • Reformatted hard drive
    • Discarded / lost media: USB keys, backup tapes, CDs
  • Countermeasures: improved physical controls over media

36
Denial of Service (DoS)
  • Actions that cause the target system to fail, thereby denying service to legitimate users
    • Specially crafted input that causes application malfunction
    • Large volume of input that floods the application
  • Distributed Denial of Service (DDoS)
    • Large volume of input from many (hundreds, thousands) of sources
  • Countermeasures: input filters, patches, high capacity

37
Dumpster Diving
  • Literally, going through company trash in the hope that sensitive printed documents were discarded and can be retrieved
    • Personnel reports, financial records
    • E-mail addresses
    • Trade secrets
    • Technical architecture
  • Countermeasures: on-site shredding

38
Eavesdropping
  • Interception of data transmissions
    • Login credentials
    • Sensitive information
  • Methods
    • Network sniffing (maybe from a compromised system)
    • Wireless network sniffing
  • Countermeasures: encryption, stronger encryption

39
Emanations
  • Electromagnetic radiation that emanates from computer equipment
    • Network cabling
      • More prevalent in networks with coaxial cabling
    • CRT monitors
    • Wi-Fi networks
  • Countermeasures: shielded cables, LCD monitors, lower power or eliminate Wi-Fi

40
Spoofing and Masquerading
  • Specially crafted network packets that contain a forged address of origin
    • TCP/IP protocol permits forged MAC and IP addresses
    • SMTP protocol permits a forged e-mail "From" address
  • Countermeasures: router / firewall configuration to drop forged packets; judicious use of e-mail for signaling or data transfer

41
Social Engineering
  • Tricking people into giving out sensitive information by making them think they are helping someone
  • Methods
    • In person
    • By phone
  • Schemes
    • Log-in, remote access, building entrance help
  • Countermeasures: security awareness training

42
Phishing
  • Incoming, fraudulent e-mail messages designed to give the appearance of originating from a legitimate institution
    • Bank security breach
    • Tax refund
    • Irish sweepstakes
  • Tricks the user into providing sensitive data via a forged web site (common) or return e-mail (less common)
  • Countermeasure: security awareness training

43
Pharming
  • Redirection of traffic to a forged website
    • Attack on DNS server (poison cache, other attacks)
    • Attack on hosts file on client system
  • Often, a phishing e-mail lures the user to the forged website
  • Forged website has the appearance of the real thing
  • Countermeasures: user awareness training, patches, better controls

44
Password Guessing
  • Trying likely passwords to log in as a specific user
    • Common words
    • Spouse / partner / pet name
    • Significant dates / places
  • Countermeasures: strong, complex passwords; aggressive password policy; lockout policy

45
(No Transcript)
46
Password Cracking
  • Obtain / retrieve hashed passwords from target
  • Run a password cracking program
    • Runs on the attacker's system; no one will notice
  • Attacker logs in to the target system using cracked passwords
  • Countermeasures: frequent password changes, controls on hashed password files, salting the hash

47
Malicious Code
  • Viruses, worms, Trojan horses, spyware, keyloggers
  • Harvest data or cause system malfunction
  • Countermeasures: anti-virus, anti-spyware, security awareness training

48
iClicker Questions
49
Which risk can be reduced by using BitLocker disk
encryption?
  1. Sniffing
  2. Emanations
  3. Buffer overflow
  4. Script injection
  5. Data remanence

1 of 5
50
Which term refers to a non-indexed portion of a
hard disk?
  1. Emanation
  2. Buffer overflow
  3. Script injection
  4. Slack space
  5. Worm

2 of 5
51
You want to determine who sent you an email
message. Which of these values can you trust?
  1. Source MAC Address
  2. Source IP Address
  3. "From" email address
  4. More than one of the above
  5. None of the above

3 of 5
52
Which countermeasure will protect you from social
engineering?
  1. Shielded cables
  2. Encrypting hard drives
  3. Antivirus software
  4. On-site shredding
  5. None of the above

4 of 5
53
Which countermeasure will protect you from
emanations?
  1. Shielded cables
  2. Encrypting hard drives
  3. Antivirus software
  4. On-site shredding
  5. None of the above

5 of 5
54
Access Control Concepts
55
Access Control Concepts
  • Principles of access control
  • Types of controls
  • Categories of controls

56
Principles of Access Control
  • Separation of duties
    • No single individual should be allowed to perform high-value or sensitive tasks on their own
      • Financial transactions
      • Software changes
      • User account creation / changes

57
Principles of Access Control
  • Least privilege
    • Persons should have access to only the functions / data that they require to perform their stated duties
    • Server applications
      • Don't run as root
    • User permissions on file servers
      • Don't give access to others' files
    • Workstations
      • User Account Control

58
Principles of Access Control (cont.)
  • Defense in depth
    • Use of multiple controls to protect an asset
    • Heterogeneous controls preferred
      • If one type fails, the other remains
      • If one type is attacked, the other remains
    • Examples
      • Nested firewalls
      • Anti-virus on workstations, file servers, e-mail servers

59
Types of Controls
  • Technical
    • Authentication, encryption, firewalls, anti-virus
  • Physical
    • Key card entry, fencing, video surveillance
  • Administrative
    • Policy, procedures, standards

60
Categories of Controls
  • Detective controls
  • Deterrent controls
  • Preventive controls
  • Corrective controls
  • Recovery controls
  • Compensating controls

61
Detective Controls
  • Monitor and record specific types of events
  • Does not stop or directly influence events
  • Video surveillance
  • Audit logs
  • Event logs
  • Intrusion detection system

62
Deterrent Controls
  • Highly visible
  • Prevent offenses by influencing choices of
    would-be intruders

63
Deterrent Controls (cont.)
  • A purely deterrent control does not prevent or even record events
    • Signs
    • Guards, guard dogs (may be preventive if they are real)
    • Razor wire

64
Preventive Controls
  • Block or control specific events
    • Firewalls
    • Anti-virus software
    • Encryption
    • Key card systems
    • Bollards stop cars (as shown)

65
Corrective Controls
  • Post-event controls to prevent recurrence
  • "Corrective" refers to when the control is implemented
  • Can be preventive, detective, deterrent, or administrative
  • Examples (if implemented after an incident)
    • Spam filter
    • Anti-virus on e-mail server
    • WPA Wi-Fi encryption

66
Recovery Controls
  • Post-incident controls to recover systems
  • Examples
    • System restoration
    • Database restoration

67
Compensating Controls
  • A control that is introduced to compensate for the absence or failure of another control
  • "Compensating" refers to why the control is implemented
  • Can be detective, preventive, deterrent, or administrative
  • Examples
    • Daily monitoring of anti-virus console
    • Monthly review of administrative logins
    • Web Application Firewall used to protect a buggy application

68
Testing Access Controls
69
Testing Access Controls
  • Access controls are the primary defense that protects assets
  • Testing helps to verify whether they are working properly
  • Types of tests
    • Penetration tests
    • Application vulnerability tests
    • Code reviews

70
Penetration Testing
  • Automated scans to discover vulnerabilities
    • Scan TCP/IP for open ports, discover active listeners
    • Potential vulnerabilities in open services
    • Test operating system, middleware, server, network device features
    • Missing patches
  • Example tools: Nessus, Nikto, SAINT, SuperScan, Retina, ISS, Microsoft Baseline Security Analyzer

71
Application Vulnerability Testing
  • Discover vulnerabilities in an application
  • Automated tools and manual tools
  • Example vulnerabilities
    • Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more

72
Audit Log Analysis
  • Regular examination of audit and event logs
  • Detect unwanted events
    • Attempted break-ins
    • System malfunctions
    • Account abuse, such as credential sharing
  • Audit log protection
    • Write-once media
    • Centralized audit logs
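An added example (not from the slides or the textbook) of two of the detections this slide names, run over a constructed audit log: a burst of failed logins for one userid from one source (an attempted break-in by password guessing) and one userid logging in successfully from two different addresses close together in time (credential sharing). The log format, the thresholds and the time windows are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, result, userid, source address.
CONSTRUCTED_LOG = """\
2011-06-13 08:01:02 LOGIN_FAIL user=jsmith src=10.1.1.7
2011-06-13 08:01:05 LOGIN_FAIL user=jsmith src=10.1.1.7
2011-06-13 08:01:09 LOGIN_FAIL user=jsmith src=10.1.1.7
2011-06-13 08:01:12 LOGIN_FAIL user=jsmith src=10.1.1.7
2011-06-13 08:01:15 LOGIN_FAIL user=jsmith src=10.1.1.7
2011-06-13 08:01:20 LOGIN_OK user=jsmith src=10.1.1.7
2011-06-13 09:15:00 LOGIN_OK user=admin src=10.1.1.20
2011-06-13 09:20:30 LOGIN_OK user=admin src=192.168.5.44
"""

def parse(log_text):
    """Turn each log line into an event dict (assumed fixed field order)."""
    events = []
    for line in log_text.splitlines():
        date, time, result, user_kv, src_kv = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "ok": result == "LOGIN_OK",
                       "user": user_kv.split("=", 1)[1],
                       "src": src_kv.split("=", 1)[1]})
    return events

def attempted_break_ins(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (user, src) pairs with >= threshold failed logins inside the window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[(e["user"], e["src"])].append(e["ts"])
    flagged = []
    for key, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(key)
    return flagged

def credential_sharing(events, window=timedelta(minutes=30)):
    """Flag userids with successful logins from two different sources within the window."""
    logins = defaultdict(list)
    for e in events:
        if e["ok"]:
            logins[e["user"]].append((e["ts"], e["src"]))
    flagged = []
    for user, seq in logins.items():
        seq.sort()
        for (t1, s1), (t2, s2) in zip(seq, seq[1:]):
            if s1 != s2 and t2 - t1 <= window:
                flagged.append((user, s1, s2))
                break
    return flagged
```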

73
iClicker Questions
74
The movie theatre has one employee who sells
tickets, and another who examines them and tears
them when you enter. What security function does
this accomplish?
  1. Separation of duties
  2. Least Privilege
  3. Defense in depth
  4. Detective control
  5. Deterrent control

1 of 5
75
CCSF does not give teachers keys to the
buildings. What security function does that
accomplish?
  1. Corrective control
  2. Least Privilege
  3. Defense in depth
  4. Deterrent control
  5. Detective control

2 of 5
76
Safeway has a guard at the front door, but the
guard has no gun and no police powers. What
purpose does the guard serve?
  1. Detective control
  2. Deterrent control
  3. Preventive control
  4. Corrective control
  5. None of the above

3 of 5
77
Employees are stealing on the job, so the company
hires a spy to work with them and send in secret
reports. What function does the spy serve?
  1. Defense in depth
  2. Detective control
  3. Deterrent control
  4. Preventive control
  5. Corrective control

4 of 5
78
A company uses Symform to save a copy of critical
backup files on the Web. What security function
does this accomplish?
  1. Defense in depth
  2. Detective control
  3. Preventive control
  4. Corrective control
  5. Recovery control

5 of 5