Ch 2: Controlling Access to Information and Functions

Objectives Controlling Access Access Control Attacks Testing Access Controls Controlling Access Identification and Authentication Identification: unproven assertion of identity My name is 0 Userid Authentication: proven assertion of identity 0 Userid and password 1 Userid and PIN 2 Biometric Authentication Methods What the user knows 3 Userid and password 4 Userid and PIN What the user has 5 Smart card 6 Token What the user is 7 Biometrics (fingerprint, handwriting, voice, etc.) How Information Systems Authenticate Users Request userid and password 8 Hash password 9 Retrieve stored userid and hashed password 10 Compare Make a function call to a network based authentication service How a User Should Treat Userids and Passwords Keep a secret Do not share with others Do not leave written down where someone else can find it Store in an encrypted file or vault 11 Use RofoForm How a System Stores Userids and Passwords Typically stored in a database table 12 Application database or authentication database 13 Userid stored in plaintext Facilitates lookups by others 14 Password stored encrypted or hashed If encrypted, can be retrieved under certain conditions Forgot password function, application emails to user If hashed, cannot be retrieved under any circumstance (best method)

CNIT 125 Bowne

Page 1 of 8

Ch 2: Controlling Access to Information and Functions

Password Hashes Cain, Cracker top tab, right-click empty space, Add to List LM hash is weak, no longer used in Win 7 NT hash is stronger, but not salted

Strong Authentication Traditional userid + password authentication has known weaknesses 15 Easily guessed passwords 16 Disclosed or shared passwords Stronger types of authentication available, usually referred to as strong authentication 17 Token 18 Certificate 19 Biometrics Two Factor Authentication First factor: what user knows Second factor: what user has 20 Password token 21 USB key 22 Digital certificate 23 Smart card Without the second factor, user cannot log in 24 Defeats password guessing / cracking Biometric Authentication Stronger than userid + password Stronger than two-factor? 25 Can be hacked Measures a part of users body 26 Fingerprint 27 Iris scan 28 Signature 29 Voice 30 Etc.

CNIT 125 Bowne

Page 2 of 8

Ch 2: Controlling Access to Information and Functions

Authentication Issues Password quality Consistency of user credentials across multiple environments Too many userids and passwords Handling password resets Dealing with compromised passwords Staff terminations Access Control Technologies Centralized management of access controls 31 LDAP Active Directory, Microsoft's LDAP 32 RADIUS Diameter, upgrade of RADIUS 33 TACACS Replaced by TACACS+ and RADIUS 34 Kerberos Uses Tickets Single Sign-On (SSO) Authenticate once, access many information systems without having to re-authenticate into each Centralized session management Often the holy grail for identity management 35 Harder in practice to achieve integration issues Reduced Sign-On Like single sign-on (SSO), single credential for many systems But no inter-system session management User must log into each system separately, but they all use the same userid and password Weakness of SSO and RSO Weakness: intruder can access all systems if password is compromised Best to combine with two-factor / strong authentication Access Control Attacks Access Control Attacks Intruders will try to defeat, bypass, or trick access controls in order to reach their target Attack objectives 36 Guess credentials 37 Malfunction of access controls 38 Bypass access controls 39 Replay known good logins 40 Trick people into giving up credentials Buffer Overflow Cause malfunction in a way that permits illicit access Send more data than application was designed to handle properly 41 Excess data corrupts application memory 42 Execution of arbitrary code 43 Malfunction Countermeasure: safe coding that limits length of input data; filter input data to remove unsafe characters

CNIT 125 Bowne

Page 3 of 8

Ch 2: Controlling Access to Information and Functions

Script Injection Insertion of scripting language characters into application input fields 44 Execute script on server side SQL injection obtain data from application database 45 Execute script on client side trick user or browser Cross site scripting Cross site request forgery Countermeasures: strip unsafe characters from input Data Remanence Literally: data that remains after it has been deleted Examples 46 Deleted hard drive files 47 Data in file system slack space 48 Erased files 49 Reformatted hard drive 50 Discarded / lost media: USB keys, backup tapes, CDs Countermeasures: improve media physical controls Denial of Service (DoS) Actions that cause target system to fail, thereby denying service to legitimate users 51 Specially crafted input that causes application malfunction 52 Large volume of input that floods application Distributed Denial of Service (DDoS) 53 Large volume of input from many (hundreds, thousands) of sources Countermeasures: input filters, patches, high capacity 54 Dumpster Diving Literally, going through company trash in the hopes that sensitive printed documents were discarded that can be retrieved 55 Personnel reports, financial records 56 E-mail addresses 57 Trade secrets 58 Technical architecture Countermeasures: on-site shredding Eavesdropping Interception of data transmissions 59 Login credentials 60 Sensitive information Methods 61 Network sniffing (maybe from a compromised system) 62 Wireless network sniffing Countermeasures: encryption, stronger encryption Emanations Electromagnetic radiation that emanates from computer equipment 63 Network cabling More prevalent in networks with coaxial cabling 64 CRT monitors 65 Wi-Fi networks Countermeasures: shielding, twisted pair network cable, LCD monitors, lower power or eliminate Wi-Fi

CNIT 125 Bowne

Page 4 of 8

Ch 2: Controlling Access to Information and Functions

Spoofing and Masquerading Specially crafted network packets that contain forged address of origin 66 TCP/IP protocol permits forged MAC and IP address 67 SMTP protocol permits forged e-mail From address Countermeasures: router / firewall configuration to drop forged packets, judicious use of e-mail for signaling or data transfer Social Engineering Tricking people into giving out sensitive information by making them think they are helping someone Methods 68 In person 69 By phone Schemes 70 Log-in, remote access, building entrance help Countermeasures: security awareness training Phishing Incoming, fraudulent e-mail messages designed to give the appearance of origin from a legitimate institution 71 Bank security breach 72 Tax refund 73 Irish sweepstakes Tricks user into providing sensitive data via a forged web site (common) or return e-mail (less common) Countermeasure: security awareness training Pharming Redirection of traffic to a forged website 74 Attack of DNS server (poison cache, other attacks) 75 Attack of hosts file on client system 76 Often, a phishing e-mail to lure user to forged website 77 Forged website has appearance of the real thing Countermeasures: user awareness training, patches, better controls Password Guessing Trying likely passwords to log in as a specific user 78 Common words 79 Spouse / partner / pet name 80 Significant dates / places Countermeasures: strong, complex passwords, aggressive password policy, lockout policy Password Cracking Obtain / retrieve hashed passwords from target Run password cracking program 81 Runs on attackers system no one will notice Attacker logs in to target system using cracked passwords Countermeasures: frequent password changes, controls on hashed password files, salting hash Malicious Code Viruses, worms, Trojan horses, spyware, key logger Harvest data or cause system malfunction Countermeasures: anti-virus, anti-spyware, security awareness training

CNIT 125 Bowne

Page 5 of 8

Ch 2: Controlling Access to Information and Functions

Access Control Concepts Access Control Concepts Principles of access control Types of controls Categories of controls Principles of Access Control Separation of duties 82 No single individual should be allowed to perform high-value or sensitive tasks on their own Financial transactions Software changes User account creation / changes Principles of Access Control Least privilege 83 Persons should have access to only the functions / data that they require to perform their stated duties 84 Server applications Don't run as root 85 User permissions on File Servers Don't give access to others' files 86 Workstations User Account Control Principles of Access Controls (cont.) Defense in depth 87 Use of multiple controls to protect an asset 88 Heterogeneous controls preferred If one type fails, the other remains If one type is attacked, the other remains Examples 89 Nested firewalls 90 Anti-virus on workstations, file servers, e-mail servers Types of Controls Technical 91 Authentication, encryption, firewalls, anti-virus Physical 92 Key card entry, fencing, video surveillance Administrative 93 Policy, procedures, standards Categories of Controls Detective controls Deterrent controls Preventive controls Corrective controls Recovery controls Compensating controls

CNIT 125 Bowne

Page 6 of 8

Ch 2: Controlling Access to Information and Functions

Detective Controls Monitor and record specific types of events Does not stop or directly influence events 94 Video surveillance 95 Audit logs 96 Event logs 97 Intrusion detection system Deterrent Controls Highly visible Prevent offenses by influencing choices of would-be intruders Deterrent Controls (cont.) A purely deterrent control does not prevent or even record events 98 Signs 99 Guards, guard dogs (may be preventive if they are real) 100 Razor wire Preventive Controls Block or control specific events 101 Firewalls 102 Anti-virus software 103 Encryption 104 Key card systems 105 Bollards stop cars (as shown) Corrective Controls Post-event controls to prevent recurrence Corrective refers to when it is implemented 106 Can be preventive, detective, deterrent, administrative Examples (if implemented after an incident) 107 Spam filter 108 Anti-virus on e-mail server 109 WPA Wi-Fi encryption Recovery Controls Post-incident controls to recover systems Examples 110 System restoration 111 Database restoration Compensating Controls Control that is introduced that compensates for the absence or failure of a control Compensating refers to why it is implemented 112 Can be detective, preventive, deterrent, administrative Examples 113 Daily monitoring of anti-virus console 114 Monthly review of administrative logins 115 Web Application Firewall used to protect buggy application

CNIT 125 Bowne

Page 7 of 8

Ch 2: Controlling Access to Information and Functions

Testing Access Controls Testing Access Controls Access controls are the primary defense that protect assets Testing helps to verify whether they are working properly Types of tests 116 Penetration tests 117 Application vulnerability tests 118 Code reviews Penetration Testing Automatic scans to discover vulnerabilities 119 Scan TCP/IP for open ports, discover active listeners 120 Potential vulnerabilities in open services 121 Test operating system, middleware, server, network device features 122 Missing patches Example tools: Nessus, Nikto, SAINT, Superscan, Retina, ISS, Microsoft Baseline Security Analyzer Application Vulnerability Testing Discover vulnerabilities in an application Automated tools and manual tools Example vulnerabilities 123 Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more Audit Log Analysis Regular examination of audit and event logs Detect unwanted events 124 Attempted break-ins 125 System malfunctions 126 Account abuse, such as credential sharing Audit log protection 127 Write-once media 128 Centralized audit logs

Last modified 2-1-10

CNIT 125 Bowne

Page 8 of 8