Академический Документы
Профессиональный Документы
Культура Документы
Objectives Controlling Access Access Control Attacks Testing Access Controls Controlling Access Identification and Authentication Identification: unproven assertion of identity My name is 0 Userid Authentication: proven assertion of identity 0 Userid and password 1 Userid and PIN 2 Biometric Authentication Methods What the user knows 3 Userid and password 4 Userid and PIN What the user has 5 Smart card 6 Token What the user is 7 Biometrics (fingerprint, handwriting, voice, etc.) How Information Systems Authenticate Users Request userid and password 8 Hash password 9 Retrieve stored userid and hashed password 10 Compare Make a function call to a network based authentication service How a User Should Treat Userids and Passwords Keep a secret Do not share with others Do not leave written down where someone else can find it Store in an encrypted file or vault 11 Use RofoForm How a System Stores Userids and Passwords Typically stored in a database table 12 Application database or authentication database 13 Userid stored in plaintext Facilitates lookups by others 14 Password stored encrypted or hashed If encrypted, can be retrieved under certain conditions Forgot password function, application emails to user If hashed, cannot be retrieved under any circumstance (best method)
Page 1 of 8
Strong Authentication Traditional userid + password authentication has known weaknesses 15 Easily guessed passwords 16 Disclosed or shared passwords Stronger types of authentication available, usually referred to as strong authentication 17 Token 18 Certificate 19 Biometrics Two Factor Authentication First factor: what user knows Second factor: what user has 20 Password token 21 USB key 22 Digital certificate 23 Smart card Without the second factor, user cannot log in 24 Defeats password guessing / cracking Biometric Authentication Stronger than userid + password Stronger than two-factor? 25 Can be hacked Measures a part of users body 26 Fingerprint 27 Iris scan 28 Signature 29 Voice 30 Etc.
Page 2 of 8
Page 3 of 8
Page 4 of 8
Page 5 of 8
Access Control Concepts Access Control Concepts Principles of access control Types of controls Categories of controls Principles of Access Control Separation of duties 82 No single individual should be allowed to perform high-value or sensitive tasks on their own Financial transactions Software changes User account creation / changes Principles of Access Control Least privilege 83 Persons should have access to only the functions / data that they require to perform their stated duties 84 Server applications Don't run as root 85 User permissions on File Servers Don't give access to others' files 86 Workstations User Account Control Principles of Access Controls (cont.) Defense in depth 87 Use of multiple controls to protect an asset 88 Heterogeneous controls preferred If one type fails, the other remains If one type is attacked, the other remains Examples 89 Nested firewalls 90 Anti-virus on workstations, file servers, e-mail servers Types of Controls Technical 91 Authentication, encryption, firewalls, anti-virus Physical 92 Key card entry, fencing, video surveillance Administrative 93 Policy, procedures, standards Categories of Controls Detective controls Deterrent controls Preventive controls Corrective controls Recovery controls Compensating controls
Page 6 of 8
Page 7 of 8
Testing Access Controls Testing Access Controls Access controls are the primary defense that protect assets Testing helps to verify whether they are working properly Types of tests 116 Penetration tests 117 Application vulnerability tests 118 Code reviews Penetration Testing Automatic scans to discover vulnerabilities 119 Scan TCP/IP for open ports, discover active listeners 120 Potential vulnerabilities in open services 121 Test operating system, middleware, server, network device features 122 Missing patches Example tools: Nessus, Nikto, SAINT, Superscan, Retina, ISS, Microsoft Baseline Security Analyzer Application Vulnerability Testing Discover vulnerabilities in an application Automated tools and manual tools Example vulnerabilities 123 Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more Audit Log Analysis Regular examination of audit and event logs Detect unwanted events 124 Attempted break-ins 125 System malfunctions 126 Account abuse, such as credential sharing Audit log protection 127 Write-once media 128 Centralized audit logs
Page 8 of 8