Cyber Security Quiz: Defensive Technologies

LogicalMelodica
23 Questions

What is the main purpose of a Firewall System?

To establish a controlled link between the premises network and the Internet

What are the three logical components of an Intrusion Detection System (IDS)?

Sensors, Analysers, User interface

An IDS can use either an anomaly detection or a signature/heuristic detection approach.

True

An IDS uses __________ to collect data such as System call traces and Audit records.

Sensors

What are the attacks suitable for Signature detection? Name at least two.

Application layer reconnaissance and attacks, Transport layer reconnaissance and attacks

Anomaly detection is suitable for identifying Denial-of-service (DoS) attacks.

True

Define Access Control.

Access Control is the process of protecting a resource so that it is used only by those allowed to.

Which intrusion detection system can monitor traffic at selected points on a network?

Network-based IDS (NIDS)

Honeypots are decoy systems designed to lure ________ away from critical systems.

a potential attacker

What are the functions of Access Control?

Authorisation

Access Control involves _________, _________, _________, and _________ functions.

Identification, Authentication, Authorisation, Accountability

Explain the Policy Enforcement phase.

The Policy Enforcement phase grants or rejects requests for access based on the authorizations defined in the first phase.

What are the types of access control mentioned in the text?

Physical Access Control

Logical Access Control involves deciding which users can get into a system.

True

What type of access control model is based on comparing security labels with security clearances?

Mandatory Access Control (MAC)

In Discretionary Access Control (DAC), who decides who gets to access the system(s)?

information owner

Non-Discretionary Access Control provides more security than Discretionary Access Control.

True

Attribute-based Access Control (ABAC) controls access based on __________ of the user, the resource to be accessed, and current environmental conditions.

attributes

What kind of access control method can define authorizations based on properties of both the resource and the subject?

Attribute-Based Access Control (ABAC)

What protocols are commonly used with remote access systems to provide centralized access control?

All of the above

Single Sign-On (SSO) allows users to have different passwords for each application.

False

Diameter protocol uses _____ as its transport protocol.

TCP

Match the following access control models with their descriptions:

Kerberos = Provides authentication for client/server applications using symmetric-key cryptography
Federated Identities = Arrangement with a service to allow users to log in without creating new credentials

Study Notes

Firewall Systems

  • Need for Firewalls: Internet connectivity brings threats to information systems, so firewalls are used to establish a controlled link between the premises network and the Internet.
  • Characteristics: Firewalls must pass all traffic from inside to outside, and vice versa, and only allow authorized traffic as defined by the local security policy.
  • Types of Firewalls:
    • Packet filtering firewalls: apply rules to each incoming and outgoing IP packet.
    • Stateful filtering firewalls: tighten rules for TCP traffic by creating a directory of outbound TCP connections.
    • Application proxy firewalls: act as a relay of application-level traffic.
    • Circuit-level gateway firewalls: set up two TCP connections, one between the gateway and the inner host and one between the gateway and the outer host.
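The difference between a packet filter and a stateful filter is easiest to see in code. The following is an added example, not code from the original page: a toy filter that applies a static rule list to every packet and, for TCP, keeps the "directory of outbound TCP connections" the notes mention so that replies to connections opened from inside are admitted. All addresses, ports, rules and packets are constructed for illustration.

```python
# Added example (not from the original page): a toy packet filter that applies
# a static rule list to every packet and keeps a directory of outbound TCP
# connections so that replies to them are admitted. All addresses, ports and
# packets below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INSIDE_NET = "10.0.0."   # constructed prefix of the premises network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    direction: str         # "in" (toward the premises) or "out"
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Directory of outbound TCP connections: (inside ip, inside port, outside ip, outside port)
        self.connections: Set[Tuple[str, int, str, int]] = set()

    @staticmethod
    def direction(pkt: Packet) -> str:
        return "out" if pkt.src.startswith(INSIDE_NET) else "in"

    def filter(self, pkt: Packet) -> str:
        d = self.direction(pkt)
        # Stateful check: an inbound TCP packet that answers a connection opened
        # from inside is admitted even though no static rule allows that port.
        if d == "in" and pkt.proto == "tcp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        # Stateless check: first matching rule wins.
        for rule in self.rules:
            if rule.matches(pkt, d):
                if rule.action == "allow" and d == "out" and pkt.proto == "tcp":
                    self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "deny"   # default deny: only traffic the policy authorizes passes


def run_demo() -> List[str]:
    """Constructed policy and traffic; returns the decision for each packet in order."""
    policy = [
        Rule("out", "tcp", 443, "allow"),   # inside hosts may open HTTPS connections
        Rule("in", "tcp", 25, "allow"),     # the mail server is reachable from outside
        Rule("in", None, None, "deny"),     # every other inbound packet is dropped
    ]
    fw = StatefulFirewall(policy)
    traffic = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp"),    # outbound HTTPS: allow, recorded
        Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp"),    # reply to it: allow (stateful)
        Packet("203.0.113.10", 443, "10.0.0.5", 51001, "tcp"),    # unsolicited: deny
        Packet("198.51.100.7", 40000, "10.0.0.25", 25, "tcp"),    # inbound SMTP: allow by rule
        Packet("10.0.0.5", 51002, "203.0.113.10", 80, "tcp"),     # outbound HTTP: no rule, deny
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    print(run_demo())
```

Without the connection directory, the second packet (the HTTPS reply) would fall through to the catch-all inbound deny rule; a pure packet filter has to either open inbound high ports to everyone or break outbound connections. The default-deny fall-through at the end is what the "only allow authorized traffic" characteristic looks like in practice.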

Intrusion Detection Systems (IDS)

  • Security Intrusion: an unauthorized act of bypassing the security mechanisms of a system.
  • Intrusion Detection: a hardware or software function that gathers and analyzes information from various areas within a computer or network to identify possible security intrusions.
  • IDS Components: sensors, analysers, and user interface.
  • Analysis Approaches:
    • Anomaly detection: involves collecting data on legitimate user behavior and analyzing current behavior to determine if it is an anomaly.
    • Signature/Heuristic detection: uses a set of known malicious data patterns or attack rules to identify known attacks.
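The two analysis approaches behave differently on the same data. Below is an added example, not code from the original page, that runs both over constructed audit records: a signature detector that matches known malicious patterns, and an anomaly detector that first builds a profile of legitimate per-minute request counts and then flags sources that depart from it. Every pattern, record and count is made up for illustration; the threshold (mean plus three standard deviations) is an assumed choice.

```python
# Added example (not from the original page): the two analysis approaches the
# notes contrast, run over constructed audit records. Signature detection
# matches known malicious patterns; anomaly detection builds a profile of
# legitimate behaviour and flags current behaviour that departs from it.
# Every pattern, record and count below is made up for illustration.
import re
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Signature rules: a name and a pattern over the text of an audit record.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

# Constructed web-server audit records.
RECORDS = [
    "GET /index.html 200",
    "GET /../../etc/passwd 403",
    "POST /login user=admin' OR 1=1-- 200",
    "GET /images/logo.png 200",
]

# Constructed per-minute request counts from legitimate users (training data).
BASELINE = [10, 12, 9, 11, 10, 13, 8, 11]

# Constructed current per-minute counts per source address.
CURRENT = {"10.0.0.7": 12, "198.51.100.9": 400, "10.0.0.8": 15}


def signature_detect(records: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, signature name) for each record matching a known pattern."""
    hits = []
    for i, rec in enumerate(records):
        for name, pat in SIGNATURES.items():
            if pat.search(rec):
                hits.append((i, name))
    return hits


def build_profile(baseline: List[int]) -> Tuple[float, float]:
    """Training phase: summarize legitimate behaviour as mean and standard deviation."""
    return mean(baseline), pstdev(baseline)


def anomaly_detect(profile: Tuple[float, float], current: Dict[str, int], k: float = 3.0) -> List[str]:
    """Flag sources whose current count exceeds the profile mean by more than k standard deviations."""
    mu, sigma = profile
    return [src for src, n in current.items() if n > mu + k * sigma]


if __name__ == "__main__":
    print("signature hits:", signature_detect(RECORDS))
    print("anomalous sources:", anomaly_detect(build_profile(BASELINE), CURRENT))
```

Note what each approach misses: the signature detector says nothing about the source sending 400 requests a minute, because no pattern describes volume, and the anomaly detector says nothing about the two malformed requests, because one request each is well within the profile. That is why the notes list both approaches rather than one.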

Intrusion Prevention Systems (IPS)

  • IPS: an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity.
  • Host-Based IPS (HIPS):
    • Uses signature/heuristic or anomaly detection techniques to identify attacks.
    • Can make use of sandboxing to quarantine and analyze code.
  • Network-Based IPS (NIPS):
    • Inline NIDS with the authority to modify or discard packets and tear down TCP connections.
    • Makes use of signature/heuristic and anomaly detection.

Honeypots

  • Definition: decoy systems designed to lure a potential attacker away from critical systems, collect information about the attacker’s activity, and encourage the attacker to stay on the system long enough for administrators to respond.

  • Characteristics: systems are filled with fabricated information, have no production value, and incoming communication is likely a probe, scan, or attack.

  • HoneyNets: a collection of honeypots.

Firewall Systems, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Honeypots

  • Honeypot classifications:
    • Low interaction honeypot: software package that emulates IT services or systems to provide a realistic initial interaction; provides a less realistic target; often sufficient for use as a component of a distributed IDS to warn of imminent attack.
    • High interaction honeypot: a real system with a full operating system, services, and applications; more realistic target that may occupy an attacker for an extended period.
  • Requirements of honeypots/honeynets:
    • Isolation: should be isolated from the production system and network; contain and study any malicious activity without putting actual production systems at risk.
    • Continuous monitoring: monitor continuously to analyze potential threats and behavior of attackers.
    • Deception: should be as realistic as possible to present an attractive target to potential attackers.

Access Control, Logical Access Control, Access Control Principles, Access Control Models, and Authentication, Authorisation, and Accountability (AAA)

Access Control

  • Protecting security assets: the ultimate goal for any security practitioner is to secure all assets of their organization.
  • Definition of access control: the process of protecting a resource so that it is used only by those allowed to; mitigations put into place to protect a resource from a threat such as to prevent unauthorized use.

Access Control Functions

  • Identification: who is asking to access the asset? The subject supplies identification information (e.g., username, user ID, account number).
  • Authentication: can the claimed identity be verified? The identification information is verified (e.g., passphrase, PIN, biometric, password, OTP).
  • Authorization: what can the requester access and do? Criteria determine what subjects can do on objects ("I know who you are, I will allow you to do what you are allowed to").
  • Accountability: how are actions traced to an individual, so that whoever makes data or system changes can be identified? Audit logs and/or real-time monitoring track subject activities on objects.

Access Control Principles

  • Policy definition phase: defining who has access and what systems or resources they can use; tied to the authorization phase.
  • Policy enforcement phase: grants/rejects requests for access based on the authorizations defined in the first phase; tied to identification, authentication, and accountability.

Access Control Models

  • Types of access control:

    • Physical access control: cards (or, less commonly, fingerprints) control access to physical resources; used at parking lots, elevators, office doors.
    • Logical access control: deciding which users can get into a system; monitoring what each user does on that system; restraining or influencing a user's behavior on that system.
  • Enforcing access control:

    • The security kernel: enforces access control for computer systems; central point of access control; implements the reference monitor concept.
    • How access control is enforced: the subject requests access to an object; the security kernel intercepts the request; the security kernel refers to its rules base, also known as the security kernel database, to allow or deny access; all access requests handled by the system are logged for later tracking and analysis.

Logical Access Control Solutions

  • Biometrics: static (e.g., fingerprints, iris granularity, retina blood vessels, facial features, hand geometry) and dynamic (e.g., voice inflections, keyboard strokes, signature motions).
  • Tokens: synchronous or asynchronous; smart cards and memory cards.
  • Passwords: stringent password controls for users; account lockout policies; auditing logon events.
  • Single sign-on: Kerberos process; Secure European System for Applications in a Multi-vendor Environment (SESAME).

Authentication Types

  • Authentication by knowledge: something you know (e.g., passwords, passphrases, PINs).
  • Authentication by ownership: something you own (e.g., synchronous token, asynchronous token, USB token, smart card).
  • Authentication by characteristics: something unique to you (e.g., biometrics: static, what you are; dynamic, what you do).
  • Authentication by location: somewhere you are (e.g., physical location, a strong indicator of authenticity).

Access Control Models

  • General principles:
    • Files and folders are managed by the operating system.
    • Applications, including shells, access files through an API.
    • Access control entry (ACE): allow/deny a certain type of access to a file/folder by user/group.
    • Access control list (ACL): collection of ACEs for a file/folder.
  • Access control models:
    • Discretionary
    • Mandatory (sometimes called non-discretionary)
    • Rule-based
    • Attribute-based access control (ABAC)

Access Control Principles

  • Access control is a fundamental security principle that ensures only authorized users, systems, or processes can access resources, systems, or data.
  • Access control models are designed to enforce access control principles, including:
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
    • Role-Based Access Control (RBAC)
    • Attribute-Based Access Control (ABAC)
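The enforcement sequence described under "Enforcing access control" (subject requests an object, the security kernel intercepts, consults its rules base, decides, and logs) and the ACE/ACL structure described under "General principles" fit together in a few dozen lines. The following is an added example, not code from the original page: a toy security kernel whose rules base is a per-object ACL of allow/deny ACEs keyed by user or group, with default deny and an audit log of every request. Users, groups, objects and rights are constructed for illustration.

```python
# Added example (not from the original page): a toy "security kernel" that
# mediates every access request the way the notes describe: the subject asks
# for an object, the kernel intercepts, consults its rules base (an ACL made of
# ACEs), decides, and logs the request for later tracking and analysis.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry: allow or deny a set of rights to a principal."""
    principal: str            # a user name, or "group:<name>"
    rights: FrozenSet[str]    # e.g. frozenset({"read", "write"})
    allow: bool               # True for an allow entry, False for a deny entry


@dataclass
class Subject:
    user: str
    groups: Set[str]


class SecurityKernel:
    """Central point of access control (the reference monitor concept)."""

    def __init__(self) -> None:
        self.rules_base: Dict[str, List[ACE]] = {}   # object name -> its ACL
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def set_acl(self, obj: str, acl: List[ACE]) -> None:
        self.rules_base[obj] = list(acl)

    @staticmethod
    def _applies(ace: ACE, subject: Subject) -> bool:
        if ace.principal.startswith("group:"):
            return ace.principal[len("group:"):] in subject.groups
        return ace.principal == subject.user

    def request(self, subject: Subject, obj: str, right: str) -> bool:
        """Intercept a request and decide; every request is logged, allowed or not."""
        acl = self.rules_base.get(obj, [])
        hits = [a for a in acl if right in a.rights and self._applies(a, subject)]
        # Default deny: no matching ACE means no access. An explicit deny entry
        # overrides any allow entry that also matches.
        decision = bool(hits) and all(a.allow for a in hits)
        self.audit_log.append((subject.user, obj, right, "ALLOW" if decision else "DENY"))
        return decision


def build_demo_kernel() -> SecurityKernel:
    """Constructed sample rules base: users, groups and objects are made up."""
    kernel = SecurityKernel()
    kernel.set_acl("payroll.xlsx", [
        ACE("group:finance", frozenset({"read", "write"}), allow=True),
        ACE("contractor1", frozenset({"write"}), allow=False),   # explicit deny for one user
    ])
    kernel.set_acl("readme.txt", [
        ACE("group:staff", frozenset({"read"}), allow=True),
    ])
    return kernel


def run_demo() -> List[Tuple[str, str, str, str]]:
    """Issue a few constructed requests and return the resulting audit log."""
    kernel = build_demo_kernel()
    alice = Subject("alice", {"finance", "staff"})
    contractor = Subject("contractor1", {"finance"})   # in finance, but denied write
    mallory = Subject("mallory", set())

    kernel.request(alice, "payroll.xlsx", "write")       # ALLOW via group:finance
    kernel.request(contractor, "payroll.xlsx", "read")   # ALLOW (deny entry covers write only)
    kernel.request(contractor, "payroll.xlsx", "write")  # DENY: explicit deny wins
    kernel.request(mallory, "readme.txt", "read")        # DENY: no matching ACE
    kernel.request(alice, "secret.key", "read")          # DENY: object has no ACL at all
    return kernel.audit_log


if __name__ == "__main__":
    for entry in run_demo():
        print(*entry)
```

Two design points carry over to real systems: the kernel is the only path to the object (applications go through it, never around it), and the log records denials as well as grants, since the denied requests are the ones the accountability function most needs to trace.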

Discretionary Access Control (DAC)

  • DAC is a principle that dictates the information owner decides who gets to access the system(s).
  • It allows an entity to grant access rights to another entity, enabling them to access resources.
  • DAC is often provided using an access matrix, listing subjects and objects.
  • DAC is commonly used in operating systems such as Windows, Macintosh, and UNIX.

Access Control Lists (ACLs)

  • ACLs are lists of users who are granted access privileges to a system or resource.
  • ACLs contain user IDs and associated privileges, such as Read, Write, Update, Execute, Delete, or Rename.
  • ACLs are used to manage access control and ensure secure access to resources.

User Provisioning

  • User provisioning involves granting access to new employees, including checking management approvals.
  • It ensures that new users have the necessary access rights to perform their job functions.

Non-Discretionary Access Control

  • Non-Discretionary Access Control is a more secure approach than DAC, where access rules are closely managed by security administrators.
  • Sensitive files are write-protected to ensure integrity, and readable only by authorized users.
  • This approach ensures system security is enforced and tamper-proof.

Mandatory Access Control (MAC)

  • MAC determines access levels based on the sensitivity of the resource.
  • The system decides who gains access to information based on subjects, objects, and labels.
  • MAC is often used in military and government systems with labels assigned to objects and access granted based on security clearance levels.

Role-Based Access Control (RBAC)

  • RBAC uses specific rules to indicate what can and cannot happen between a subject and an object.
  • It is based on the concept of "if X then Y" programming rules, providing fine-grained access control to resources.
  • RBAC requires subjects to meet predefined rules before accessing an object.

Attribute-Based Access Control (ABAC)

  • ABAC defines authorizations that express conditions on properties of both the resource and the subject.
  • It provides flexibility and expressive power, making it suitable for complex environments.
  • ABAC is commonly used in cloud services, where it evaluates predicates on both resource and user properties for each access.
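MAC and ABAC make their decisions from different inputs: MAC compares a subject's clearance with an object's label, while ABAC evaluates predicates over subject, resource and environment attributes on every access. The following is an added example, not code from the original page, showing both side by side. The ordering of labels, the "read only if clearance dominates label" rule, the attribute names and the three ABAC predicates are all constructed assumptions for illustration.

```python
# Added example (not from the original page): a MAC label comparison next to an
# ABAC predicate evaluation. Label ordering, attribute names, predicates and the
# environment values are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List

# MAC: a total ordering of sensitivity labels (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_read_allowed(clearance: str, label: str) -> bool:
    """MAC: a subject may read an object only if its clearance dominates the
    object's label. The system applies this rule; the owner cannot override it."""
    return LEVELS[clearance] >= LEVELS[label]


@dataclass
class Env:
    """Environmental conditions at the time of the request."""
    hour: int       # local hour of the request, 0-23
    network: str    # "corp" (internal network) or "internet"


Attrs = Dict[str, object]
Predicate = Callable[[Attrs, Attrs, Env], bool]

# ABAC policy: every predicate must hold for access to be granted.
ABAC_POLICY: List[Predicate] = [
    # the subject's department must own the resource
    lambda s, r, e: s.get("department") == r.get("owner_department"),
    # access from outside the corporate network only during business hours
    lambda s, r, e: e.network == "corp" or 8 <= e.hour < 18,
    # resources tagged as PII require a subject who completed privacy training
    lambda s, r, e: not r.get("pii", False) or bool(s.get("privacy_training", False)),
]


def abac_allowed(subject: Attrs, resource: Attrs, env: Env) -> bool:
    """ABAC: evaluate every predicate on subject, resource and environment attributes."""
    return all(p(subject, resource, env) for p in ABAC_POLICY)


def mac_demo() -> Dict[str, bool]:
    return {
        "secret_reads_confidential": mac_read_allowed("secret", "confidential"),      # True
        "confidential_reads_secret": mac_read_allowed("confidential", "secret"),      # False
        "top_secret_reads_top_secret": mac_read_allowed("top_secret", "top_secret"),  # True
    }


def abac_demo() -> Dict[str, bool]:
    # Constructed subjects, resource and environments.
    analyst = {"department": "finance", "privacy_training": True}
    intern = {"department": "finance", "privacy_training": False}
    ledger = {"owner_department": "finance", "pii": True}
    office = Env(hour=10, network="corp")
    night_remote = Env(hour=23, network="internet")
    return {
        "analyst_office": abac_allowed(analyst, ledger, office),              # True
        "analyst_night_remote": abac_allowed(analyst, ledger, night_remote),  # False: environment
        "intern_office": abac_allowed(intern, ledger, office),                # False: subject attribute
    }


if __name__ == "__main__":
    print(mac_demo())
    print(abac_demo())
```

The contrast is visible in the two denials from `abac_demo`: the same analyst is refused at night from the internet although nothing about the analyst or the ledger changed, and the intern is refused in the office although the resource and environment are identical to the allowed case. A MAC check has no way to express either condition; it sees only the two labels.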

Authentication, Authorization, and Accountability (AAA)

  • AAA protocols are used to provide centralized access control, especially in remote access systems such as virtual private networks (VPNs).
  • AAA protocols prevent internal LAN authentication systems from being attacked remotely.
  • They are also used in mobile IP, providing access to mobile users with smartphones.

Centralized and Decentralized AAA

  • Centralized AAA servers use protocols like RADIUS, TACACS+, and DIAMETER.
  • Decentralized access control is in the hands of the people closest to the system users, using protocols like Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP).

RADIUS

  • RADIUS is a client-server protocol and software that enables remote access users to communicate with a central server to authorize their access to the requested system or service.
  • It provides a single administered entry point, standardizing security and simplifying tracking of usage and network statistics.

TACACS+

  • TACACS+ provides the same functionality as RADIUS, but with differences in its characteristics.
  • It uses TCP as its transport protocol, making it suitable for complex environments with sophisticated authentication and authorization requirements.

DIAMETER

  • DIAMETER is a protocol that builds upon the functionality of RADIUS and overcomes its limitations.
  • It uses TCP as its transport protocol and provides flexibility and capabilities to meet the demands of modern and diverse networks.
  • DIAMETER can deal with issues such as mobile IP and provides additional functionalities like roaming operations and replay attack protection.

Single Sign-On (SSO)

  • SSO systems allow users to have one password for all corporate and back-office systems and applications.
  • It increases the security of the overall system by reducing the number of passwords to remember.

Kerberos

  • Kerberos is a Single Sign-On mechanism that provides authentication for client-server applications using symmetric-key cryptography.
  • It assigns a unique key, called a ticket, to each user, allowing them to access resources based on the permission level associated with the ticket.

Federated Identities

  • Federated Identities allow users to log in with service credentials, eliminating the need to create a new unique username and password.
  • Examples of federated identities include Facebook and Google.

Test your knowledge of defensive technologies, including firewalls, intrusion detection and prevention systems, and honeypots, in this cyber security quiz.
