Cyber Security Notes PDF
Document Details
Uploaded by LegendaryMorningGlory
Tags
Summary
These notes cover cybersecurity awareness, key security terms, and concepts. They detail terms like assets, risk, vulnerability, and threat, and discuss threat actors, such as cybercriminals and hacktivists.
Full Transcript
Skill Enhancement Course Cyber-Security Notes Table of Contents Skill Enhancement Course 1 Cybersecurity Awareness: Key S...
Skill Enhancement Course Cyber-Security Notes Table of Contents Skill Enhancement Course 1 Cybersecurity Awareness: Key Security Terms & Concepts 2 Cybersecurity Awareness: Exposure to Security Risk 11 Cybersecurity Awareness: Security Foundations 16 Cyber Security Foundations 17 Cybersecurity Awareness: Key Security Terms & Concepts Cyber-Security Terms and Concept needs to be understood to understand the criticality of the information, threat, attack etc. Handle the request and concerns of the clients and customers Terms Asset That has a value for an organisation. They bring in value to the organisation and must be protected. Can be in tangible form (servers), or in intangible form (data) Information - databases, files (transactional, information procedures), archive information Software assets - OS, MS Office. System and application software. Physical assets - Systems, buildings, furniture, equipment, devices Services - Computing of voice and data, value added services Risk It is a probability that may or may not materialise. It is the potential of losing something that is valuable that can be high or low depending on the asset and the situation. Internal or external to the organisation, depending on where it originated. Total risk can never be eliminated, but can be reduced by eliminating certain risks. Exposure Something that increase the likelihood of the risk. The asset being exploited by the threat agent. Threat Exploits weakness and when exploited affects the confidentiality, integrity, availability, which eventually causes the destruction or modification of the asset. Can be intentional or unintentional. Man-made - data theft, denial-of-service (DoS) attack Natural - hurricane, flood Can exploit vulnerabilities or bugs, Threat actor Threats are originated by something that pushes a risk to a threat. This threat actor materialises the risk. He is the entity that is responsible for the threat. Also has a malicious intent, known as a malicious actor. Be a person or a group. They are not allowed or have access to the system, but do so through illegal means. Attacking the system through the vulnerability, deleting or doing harm to the system. Have a motive, steal information, unauthorized someone, disrupt the system, create a backdoor, delete the system. Outside, or insider of the organisation. Threat vector Can be a process, method, or tactic used by the threat actor to get access to the system Can be a malware, virus, downloaded by an insider, social engineering, phishing email, network vulnerability, vulnerability exploitation. Also known as attack vector Target The goal of the threat actor. Without a target, the security attack cannot exist. To gain valuable information or control. Can be an individual, application, server, or an organisation. Contains vulnerabilities, or security gaps that can be exploited. Vulnerability Flaw, error, weakness in a systems design that can be exploited by a threat actor. Can be exploited when discovered. The vulnerability leads to the exploitation of the system. Protected by security control or countermeasure, but they can also have vulnerability. 0-Day vulnerability is one that hasn’t been discovered before, but the security team must patch them and secure them immediately. Bug in protocol, SQL injection into an application Countermeasure Security measure. To protect valuable information. Threats can make the information vulnerable, and this is implemented to prevent a threat. They are not implemented alone. They are implemented in layers, known as defence-in-depth. Must implement multiple of them to circumvent a threat, when you cannot prevent a threat. Known as deterrents, rather than prevention, bc prevention is impossible due to multiple vulnerabilities. Threat Actors Advanced Persistent Threat (APT) Most dangerous as they are difficult to detect and keep an extremely low profile. Equipped with the most sophisticated tools. The motive is to get to the data but do not cause disruption or destruction. Their main goal is to get to the sensitive information. Cyber-criminals They are after the data, money or information, and will sell it in the underground web or black market. Ransomware is their main tool is to extract money out of their target. Money is their main motive. Hacktivist People or individual who are after a social cause. They have an agenda or follow a certain philosophy. The main goal is to expose secrets, or to stop any political agenda, or organisation whose practices do not seem in favour of the public. Terrorist They are against governments, and are after sensitive information. Their main goal is complete their objective. Will cause severe damage to the information systems, and infrastructure. Called as cyber-terrorists. Insider threats They are internal to the organisation, and have access to a lot of assets and information, and network services. They are within the organisation and will always have an upper edge over the external entities. The main goal is to bypass the implementations because they have a specific reason. They are only after the organisation. Script Kiddies People who are very inclined to sort of get into the system, to prove they can hack and end up causing damage. Nation states Well funded, directed and usually sponsored by the nations. Can steal information, data and have sophisticated tools. To cause espionage or disruption of services. External threat Sit outside the network and breach into the network. Internal Threat They are within the network and have access to the resources and valuable data. Target Anybody who is there on the internet. A server with open acces to the internet, or focused target. Typically they are found through reconnaissance, selcted adn they attacked through vulnerabilities. Find the web server that is hosting the target, and exploit the vulnerabilities within its countermeasures or security to gain access to the target. Reconnaissance is required to see the possibility of attack, to see the existing infrastructure, and the possibility of exploiting the vulnerability. Motivations could be data theft, disruption of the entire web application. They usually have a structured plan beforehand. Since IT has reached to every industry in the world, they can attack any industry. They go after the data to make it public or sell it for money. Types of targets ○ Chemical, Electronic, Manufacturing, Aerospace, Automotive, Government, Energy, Telecommunications, Consumer, and Healthcare. Threat agent initiates the threat which exploits the vulnerability. The vulnerability generates a risk which can damage an asset. The asset is exposed and can be handled by a countermeasures. Security Threat Internal Can put in security measures. Employees, contractors, consultantas, vendors. External Can put in countermeasures Nation-state, Hackers, hacktivist, script kiddies Natural Not in your control Hurricane, earthquake Mobile Technology Mobiles in an organisation are allowed to carried information, valuable or quantity, by the employees. Mobiles are prone to vulnerability. The organisation has an app that can be used to hold all the information, yet they are vulnerabilities. Human are vulnerable to a range of threats, despite the best security measures. Improper platform usage, insecure data storage, insecure communication, insecure authentication, insufficient cryptography, insecure authorisation, client code quality, code tampering, reverse engineering, and extraneous functionality. Mobile Malware Financial trojans have increased to a great extent, ransomware, and become a key threat. Distributed by poorly controlled app stores, repackaged existing apps, or SMS links. Largely designed to steal personal and financial information. Jailbroken iPhones and rooted Android phones are most vulnerable. Cloud Computing Backbone of the IT infrastructure, and most companies have moved their infrastructure in the cloud, or have partial infrastructure. The cloud is available on a subscription and metered basis. Another industries are also using, or completed switched. On-site infrastructure is difficult to scale and implement and assimilate. The cloud is infinitely scalable and assimilation. Cloud Threats ○ Management interface failure, virtual machine level (VM-level) attacks, malicious insider, service failure, weak authentication, inadequate infrastructure design, multi-tenancy, and misconfiguration. Cloud Application and Data threats ○ Social engineering, cross-site scripting (XSS), domain name system (DNS), SQL injection, sniffing, DoS or DDoS (Denial of service), OpenStack component, Man in the middle (MITM) attack, Advanced Persistent Threat (ATP) A threat that is well funded, highly skilled, establish their presence within the organisation, and difficult to trace. They will move deeper to find more valuable information. Advanced means that they use higher level of sophistication. Highly advanced methods of attack, expert skills and resources, use sophisticated and custom tools, all aimed at achieving their goals and purpose. Persistent means that they maintain an undetected presence, stay within the system for a long period of time, to obtain data without damage. Have specific goals and objectives until they are met, and intend to stay in the target zone long-term. Threat means motivated, skilled and persistent. Have coordinated human actions, capability, intent, and are resourceful and well-funded. Aimed at intellectual property, or government infrastructure. Characteristics Use social engineering as a key tool. Work with clear and defined objectives against a target. Well-funded by sponsors. Well-organised in the form of hierarchy. Low profile attacks. Extremely stealthy and remain undetected. Do not cause damage to avoid downtime to avoid detection. Do not follow the hit-and-run method. APT actors Nation state actors, organised crime groups, hacktivist groups, corporate espionage actors, cyberterrorists. Life cycle Reconnaissance. Initial intrusion to the network or system. Installing the backdoor. Obtaining user credentials. Installing tools for control. Performing privilege escalation. Performing lateral movement. Maintaining persistence. Equation Group One of the most well-known APT, well-funded and sophisticated, and operating since 2001. Targets only one victim at one time, and uses various malware platforms, such as EquationDrug, and GrayFish to steal information from the target. Uses a command and control centre to monitor the malware and receive information. Uses a malware to alter hard drive, fanny worm, to attack air-gapped (isolated) networks, replace CD-ROM with infected versions, shared its exploits with Stuxnet and Flame group. Key tools used ○ EquationDrug, DoublePulsar backdoor, Double Fantasy, FuzzBunch framework, EternalBlue, Eternal Synergy, EternalRomance, GrayFish Strengthen the APT Defences Assume that you are already compromised Dig deeper into errors and accidents Monitor the known and its related elements Broaden the scope Use next-gen security solutions Automate the investigation and validation process Insider Threats An internal person in the organisation, or any other entity within or related the organisation or system. Has legitimate access to the network and information. Can have overprivileged access. Can have access to privileged and confidential information. They are difficult to detect because they are invisible due to trust of employees. They bypass the exterior defence to being inside the organisation. They always have an edge over the exterior entities, due to knowledge of network, and legitimate accounts, and can access information in an unauthorised manner. Types of insider threats ○ Pure insider Fully embedded in the system and can wreck disruption due to access and privileges ○ Insider associate With limited access to the security network or system, like a contractor and security guard. ○ Insider affiliate They are related to someone who is within the system ○ Outside affiliate They are not related to anyone in the system, but will find ways into the organisation’s network. US - Computer Emergency Response Team (US - CERT) ○ Insider IT sabotage - misuses authorised level of access ○ Insider theft - used the IT systems to steal intellectual property ○ Insider fraud - uses IT to commit an identity fraud Reasons ○ Personal - anger, frustration, ideology, divided loyalty, ego, compulsive behaviour, adventure, or family problems. ○ Organisational - availability of confidentiality information, no classification of information, ease of access to network resources, no security policies in existence, no security trained employees, unwanted access, or odd shift working. FBI’s Behavioural Indicators of Insider threats. If the employees show one or more of these behaviours, they must be suspected. ○ Unwanted access, out of scope, copy of material, remote access at odd times, disregard of company policies, and odd working hours. Malware Stands for Malicious software, that disrupts the normal functioning of a system or network. Could also cripple the internet, or organisation. They can be designed to delete data, steal data, bypass access control, encrypt data, or cause performance degradation. Can be used as a weapon to launch attacks against a system or network. The entry point of the system is usually opened with the malware. It can be delivered through a phishing email, website, pirated software, open software to the system. Can work as an independent entity, or can be controlled by a command and control (C&C) server. Method of Malware ○ Perform reconnaissance, trick the user, infect the user’s device, and cause damage. Types of Malware ○ Trojan It pretends to be a legitimate software, and is often a carrier for other malware, such as a worm. Requires the user’s intervention in most cases. Can be delivered though download r email. Virus Attaches itself to other files. Can also attack itself to applications installers and media Triggers when an infected file is opened and executed. Designed to disrupt the system’s functionality by deleting data or corrupting applications and operating systems. Worm Replicate itself over the network. Can be delivered over the network or email. Scans for vulnerability, self-replicating and does not require user intervention. Can cause network performance issues after infecting the network’s systems. Ransomware Can encrypt the user’s data, and demands a ransom to decrypt the data. The data may not be decrypted after paying the ransom. Uses social engineering to trick the user. Halts the systems and displays a ransom message. Spyware Designed to collect information from the user’s system without their consent. Intends to collect and send the information to the threat actor. Intends to stay in the user’s system without being caught. Rootkit Designed to remotely provide access to a malicious entity. Used to execute remote commands to control the system of device. Designed to subvert the security controls. Difficult to remove. Adware Designed to display advertisements on a device’s screen. Can be triggered on a web browser or a program. Least harmful malware, but can be bundled with a spyware to track user's activities. Security Attack Conducted by a threat actor using a threat vector. Targeted at an individual or organisation. Can vary depending on the objective. Can be conducted by an insider or outsider. Usually done by exploiting a vulnerability or weakness in a system or network. Steps in an attack ○ Method 1 - Reconnaissance, scanning, access and escalation, exfiltration, sustainment, assault, and obfuscation. ○ Method 2 - Reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and exfiltration. Used by botnet to launch a DDoS, or DoS Uncertainty in an Attack Phases ○ Prior security risk management ○ Real-time intrusion detection ○ Posterior forensic analysis Handling Uncertainty ○ Logical approach When there is not much data available, and you need to use logic to solve it. ○ Statistical approach Data is available to be gathered, and analysis can be performed to find the best approach based on the results. Cyber Security Foundations Cyber attacks 2016 Bangladeshi Bank Heist 2016 Indian debit card breach 2015 Ukraine Power grid attack 2014 Sony pictures hack After a cyber attack Organization name hits headlines! Loss in business: loss of customers, reputation/brand damage, trade secrets, strategies, plans leaked Legal penalties: lawsuits filed by customers for privacy breach. Regular functioning crippled: email systems down, automated payroll processing down, network outage etc. Defamation: Confidential emails leaked; etc. Information that needs protection Customer data, source code, design documents, financial reports , employee records, intellectual property, etc. Information systems: Computers, networks, other devices, cables etc. Category of attacks and security objectives violated Security objectives are also known as security goals, characteristics of information (and information systems). Often multiple objectives are compromised in a cyber-attack. In the case of sophisticated attacks multiple security objectives of multiple information systems are compromised. Information disclosure No secrecy on communication. Violates confidentiality Tampering Unauthorised alteration of message. Violates integrity Denial of service Website becomes unavailable for legitimate users. Violates availability Spoofing Attacker pretends to be an authentic user. Violates authenticity Elevation of privilege User does an action woithout sufficient priviledge. Violates authorisation Repudiation Falsely denying an action. Violates non-repudiation Information Security Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: ○ Integrity which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; ○ Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and ○ Availability, which means ensuring timely and reliable access to and use of information. CIA/DAD Triad ○ The Confidentiality, Integrity and Availability are together called as the CIA triad. ○ Sometimes the alternate way of referring is a DAD triad. DAD triad is a negative form the CIA. DAD stands for Disclosure, Alteration & Denial. These are opposites to Confidentiality, integrity & availability. ○ The objectives of confidentiality, integrity & availability is the foundation of information security. All protection mechanisms aim to protect one or more of these objectives. AAA services ○ Authentication is verifying an identity. ○ Authorization is deciding whether a particular user is allowed to access a particular resource or function. ○ Accounting includes two other components - auditing & non-repudiation. Auditing is recording a log of activities of a user in a system. Accounting refers to reviewing the log file to check for violations and hold users answerable to their actions. It includes non-repudiation. AAA services are used to realize the CIA principles. For example, if you want a document to be confidential, within your team. You will assign 'read' permissions only for your team members. So you use authorization to enforce this requirement. Simply put, authentication & authorization are used to control access to a resource. Accounting is done to verify access if has not been violated Technical Terminology Asset Threat Threat agent Vulnerability A flaw or weakness in the system’s design, implementation or operation could be used exploited to compromise objectives Technical Impact Impact on the information or the functioning of the information or system Business impact Harm done to the business Attack vector Ways in which an attack can come Security Controls Protection mechanisms to prevent, block or to detect attacks. Multiple security controls are often implemented for better security. Fixing each vulnerability requires resources (money, time, effort). Since such resources are limited it is important to know which vulnerabilities are very important to fix or need not be fixed. Without this knowledge, you might end up spending too much in protecting against an attack that will never happen. There is a need to prioritize vulnerabilities. Two factors influences this priority: ○ Likelihood of an attack ○ Impact due to the attack A combined estimate of both these factors is called risk. Estimating risk is called risk analysis. Information security is stated as a "well informed sense of assurance that the risks and controls are in balance". Cryptography The practice and study of secure communication in the presence of adversaries is called cryptography. Cryptography provides confidentiality and assurance of integrity, authenticity and non-repudiation. However cryptography is equally applicable to information at rest (information in hard disk). Confidentiality of data in transit and at rest can be done using shared key cryptography and public key cryptography. Integrity can be maintained by hashing. Authenticity and Non-Repudiation can be maintained by Digital signature. Cryptography can make use of encryption algorithms. Encryption algorithms turn messages and information into gibberish using a cypher, and a decryption algorithm with the same key can decode the cypher. A key is a very large integer, and the same key can be used for encryption and decryption. Tis method is called Shared key encryption or symmetric key encryption. Popular encryption algorithms are Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), Blowfish, Twofish, Skipjack. Disadvantages of Shared and Symmetric Key Encryption ○ Secure key distribution is problematic Both the computers need to know the key. Through the network in plaintext form, the key can be shared. Then the key can be ‘sniffed’ by an attacker and further encrypted communication can be decrypted by the attacker. There is a need for a secure way for sharing the key. The keys can be shared through ‘out of band’ channel like a phone call, if humans intervene. But such techniques are tedious and often not possible, especially if the communicating parties are strangers or special devices like routers. ○ Not scalable Given a symmetric key system with n users, each pairwise communication requires a unique key. When a computer joins the group as the nth user, there needs to be (n-1) keys created for communication with a new computer. In total there will n*(n-1)/2 keys in a system of n users. The problem is as the number of users become large, the number of keys become extremely large (increases quadratically, O(n2)). It is very difficult to manage very large number of keys. Thus shared key cryptosystems are not scalable. Public Key Cryptography ○ Each user has a pair of key - a public and a private key. A private key is only known to the user, and a public key is known to everyone. A message encrypted with the public key can only be decrypted with the private key and vice versa. ○ Also known as asymmetric key cryptography. RSA and ELGammal are softwares that do this. ○ It is scalable, A user should know the receiver’s public key. The public keys are available to everyone in a key server. When a new computer joins, a new entry is created in the key server for their public key. The computer will have their private key with them. So there are only 2*n keys required (n users * [1 public key + 1 private key]). When the number of users increases linearly, the number of keys also increases linearly (O(n)). ○ Asymmetric key cryptography has a limitation – it is very slow. It is about 1000 times slower than symmetric key encryption. ○ Often, both these techniques are used together to combine their advantages. One of the problems with symmetric key cryptography was the need for a secure & efficient way of sharing the secret key. This problem is solved by using public key cryptography to share the secret key. Once the key is shared, all communication between sender & receiver will use symmetric-key cryptography. (Speed advantage). Hashing Compare this hash value and the hash value published on the web site of Kali Linux. If they both match, the OS file is unaltered (i.e. it is integral). If the values do not match it means the file has been corrupt (accidentally) or tampered (by an attacker). You will not want to install a corrupt file, because, the installation could fail, fully or partially. Or a corrupt unstable OS will be installed. You might not get the OS file from Kali Linux website. You might receive it from a friend or download it from some other file hosting site. The problem is malicious person could have tampered the OS file to insert ‘malware’ and before hosting the file. A hash function or algorithm is a cryptographic technique. It takes an arbitrarily long input and produces a fixed length hash value as its output. This hash value is also known as message digest. Input can be of any length. Output hash will be fixed length. One way function: Computationally easy to convert from message to hash. But it is computationally infeasible to get the actual message from hash. Collision free: It is very unlikely to find two different messages that will have the same hash value. Hashing is not just used for files (data at rest), it is applicable to messages transferred between computers (data in transit) also. To ensure integrity: ○ Whenever you install an important software in your device, you will not want a corrupt, tampered, malware laden or unstable file to be installed. To prevent this, it is important to check the integrity of the downloaded file before installing it. Hashing is widely used for performing such integrity checks. To ensure secure storage of passwords: ○ Typically password stores hold the passwords in the hashed form. Even if a hacker gets access to the store, the actual passwords cannot be retrieved. When a genuine user needs access, the password entered by the user will be hashed and matched with the passwords stored. Hash value match would result in user being successfully verified, and a mismatch indicates an invalid user. Digital Signature One person may deny that they have sent the message, or the message may have originated from an attacker or outside entity. Digital signature solves both of this. You know that the signer will use the private key to sign the document. The receiver will use the public key to verify the document. But you must have a pair of public-private keys to begin. Generate a digital ID. A digital ID is a password protected file that contains the following: ○ Private key ○ Public key ○ Identity information Identity information is information about the holder of the private key (in this example you). Name, email address, organization and country. The public key and the identify information are combined in a format called a public key certificate. The signature value in PDF implementation includes the following: ○ Digital signature (signed message digest) ○ Timestamp (time of signing) ○ Signer’s public key certificate Generation Algorithm ○ The message to be sent is hashed to get a hash 'h'. Hash 'h', is then encrypted using the sender’s private key (PriA) to generate signature 'S'. Sender sends the message along with it’s signature to receiver. The signature generated in above step is unique for a combination of a message and a private key. So, the signature will be different for different messages sent by the same user. ○ Verification Algorithm ○ The received message is hashed to generate hash 'hr'. The received signature is decrypted using sender’s public key (PubA), to generate another hash h’. If hr is found equal to h’, it means the signature is valid. Therefore, the message is authentic and sender cannot repudiate. ○ If the received message or signature is tampered during transit, then hr will not be equal to h’ (signature invalid). So digital signature also provides data integrity. In fact for a message to be authentic, it should be integral in the first place. ○ Application of Cryptography Cryptographic mechanisms such as encryption, hashing, digital signatures require computational resources such as CPU time and memory. Thus, they can impact performance. The choice of a cryptographic algorithm from all available options must be done by evaluating both the performance of each algorithm and the security levels they provide. Tradeoffs between performance and security will often be required. HTTP Secure (HTTPS) protocol is used to protect web transactions by encrypting the communication between browser and the web server. The technology used for encyrption is Transport Layer Security (TLS). (Earlier it was SSL). It relies on both symmetric and asymmetric cryptography. The following steps describe its working. ○ When a user visits a website, the website supplies the browser its public key. ○ The browser creates a random symmetric key (called session key), encrypts it using the website's public key and sends it the website. ○ The website then decrypts the session key using its private key. ○ The browser and the website use the session key for all further communication. SSL leverages the advanced functionality of asymmetric cryptography while encrypting & decrypting the vast majority of the data exchanged using the faster symmetric algorithm. Devices such as laptops and smart phones often contain highly sensitive information, if lost or stolen, could cause serious harm to an organization and its customers, employees, and affiliates. Encryption to protect the data on these devices in the event of theft of these devices. For example, Microsoft Windows operating system uses BitLocker and Encrypting File System (EFS) technologies for the purpose of encryption. Other common applications include, encrypting email, Digital Rights Management (DRM), wifi encryption. Breaking the Cryptography System In a 256 bit key system, there are 2256 possible keys. The decryption key is one among these possible keys. By trying out all of these 2256 possible keys in a trial and error manner, the cipher text can be decrypted. The larger the key size, the more time for a brute force attack and hence the more secure is the encryption system. Almost all cryptographic systems have a limited life span. Moore's law, a commonly cited trend in the advancement of computing power, states that the processing capabilities of a state-of-the-art microprocessor will double approximately every two years. This means that eventually processors will reach the amount of strength required to quickly find the encryption keys used for a communication. Network Security Network security refers to any activity taken to protect the availability of networks and confidentiality and integrity of data in the network. The Internet is an untrusted place. Anything coming from it could be potentially harmful. The organization’s network is a trusted zone. Data entering the intranet (trusted zone) from the Internet (untrusted zone) must be carefully scrutinized. There should be mechanisms to prevent certain data from entering the network. Firewall and Intrusion Detection System (IDS) work as security against attacks like DoS, etc DDoS Attacks A large number of malware infected computers send a huge volume of requests to the target host (victim), resulting in the victim’s loss of availability. A infected computer is called a bot. An IoT device in this example, was the bot. A group of bots that receive instructions from an attacker (on whom to target and when to target) is called a botnet. The OVH DDoS attack is a connection-flooding DDoS attack: Server's normal operation: for each request from a host, a server will allot some memory. When a deluge of requests is received the server’s memory is exhausted. So the server will stop accepting new requests. Firewall A firewall is a special computer that is placed between an organization’s intranet and the Internet. In general a firewall is a a special computer or software running on a general purpose computer or router. It controls what data (network packets) enters or leaves the network. A traditional packet filter firewall, and more sophisticated firewalls like proxy firewalls, web application firewalls. All communication between the Internet and the intranet flow through this firewall. A firewall has an access control list. Each entry is called a rule. The firewall inspects every packet's headers – source and destination IP addresses and ports etc. It compares the header information with each rule in the access control list, in an if-else if-else way. If a packet matches a particular rule, then, the action specified under that rule is applied. The action could be allowed a packet or deny entry/exit for a packet. Host based Firewalls The firewalls are placed between two networks and hence are called network firewalls. A firewall that is placed between a computer and a network is called a host based firewall. It controls traffic between the applications in the computer and the rest of the network. Windows firewall is an example. Apart from controlling access to internal sites, a firewall is used to block several types of attacks like DDoS or to enforce an organization’s network policy (eg: Employees not allowed to access Internet websites). Demilitarised Zone Here the public server is between two firewalls (A & B). This area where public sites are hosted is called a demilitarized zone (DMZ). Firewall ‘A’ will be configured to block incoming port 80 packets (like before). Firewall ‘B’ will allow incoming port 80 packets but might have other rules that protects the DMZ itself. Thus public sites could be accessed from Internet, but not the internal sites. Public facing severs are more likely to be ‘hacked’. An attacker after hacking a host will attempt to ‘move horizontally’ by hacking other hosts in the same network. In the case of DMZ it much more difficult to do this horizontal movement across the two firewalls. Intrusion Detection System An unauthorized user logs on to a machine. An authorized user disables logging functionality in a router. A worm (a type of malware) spreads to all the hosts in the network. An authorized user (say an employee) downloads all employee directory records to his computer. An unusually high number of login attempts in a host. All the above examples involve an user (or computer process) trespassing or attempting to trespass into a network (or host). Such trespasses are as intrusions. A firewall cannot be useful in detecting or stopping such intrusions. An Intrusion Detection System (IDS) is used to detect such intrusions. An IDS is a dedicated computer or a software running on a general purpose computer. It is positioned at certain points in the network. The IDS sniffs all the packets at that point. It analyses the contents of network packets (headers and application data) and the sequence of packets. If the analysis result indicates an intrusion, an alert message is sent to the administrator. An IDS can also use different log files (generated by hosts) as input for detecting intrusions. There are two kinds of IDS based on how packets are analysed. ○ Signature based IDS Each type of intrusion have a characteristic pattern: Certain sequence of events. Certain format of data etc. Information that describes this pattern is called a signature or a rule. A signature based IDS contains a large database of attack signatures. The IDS inspects the packets (or log files) and compares them to each signature in the database. If any of them matched, then an alert is issued to the administrator. Disadvantage: Signature based IDS cannot prevent unknown attacks (because signatures are not available). Most IDSs are signature based IDS ○ Anomoly based IDS Can detect previously unknown intrusions. Such an IDS will observe the normal traffic in a network and creates a ‘traffic profile’. It then looks for network traffic that is statistically unusual and issues an alert. Anomoly based IDS can also observe the normal behaviour of users to create a 'behaviour profile'. If it sees a deviation from the normal behaviour, it issues an alert. An IDS can generate false positives. If a safe packet is determined as suspicious, then it is called as false positive. Many false positives could be detected if the signatures (aka rule) are too restrictive. An IPS (Intrusion Prevention System) not only issues an alert but also attempts to block an intrusion. However blocking may not always be possible. Hence detection is the next solution. The purpose of detection is to respond to an intrusion as soon as possible to minimize the damage. The threats to network security is not limited to Denial of Service attacks. There are numerous other threats such as - port scans, network mapping, OS vulnerability scanning, worms, viruses, email spam. The firewall and IDS can prevent or detect such threats. But they should be configured properly in the first place. Similarly, all devices attached to a network should be configured properly. Application Security Though it is easy to fix the SQL injection vulnerability, these attacks are common and have resulted in huge losses. Neither cryptography nor network security can prevent the SQL injection attacks. The attack will happen irrespective of the use of encryption (HTTPS) or not. Also, for the network security devices, the communication (containing the SQL injection attack input) from client to web application looks safe. Security defects in applications are introduced in the implementation (coding) phase or in the design phase. Defects introduced in the implementation phase are security bugs. Defects introduced in the design phase are security flaws. Failing to do server side input validation is an example of a security design flaw. An improperly implemented input validation logic is a security bug. Developing secure applications involves preventing these security bugs and flaws. It is achieved by, following established, ○ secure coding practices ○ secure design principles Secure coding is a practice to avoid introducing security bugs in the software. Security professionals have analyzed previous attacks targeting applications and have discovered that most vulnerabilities have arisen from common coding errors: ○ OWASP Top 10 Application Security Risks ○ SANS Top 25 Dangerous Software Errors As a developer/tester/code reviewer your objective is to ensure your applications don't have these common security bugs. These guides provide secure alternatives for each of the errors (for developers) and tips on how to detect these errors (for testers, code reviewers). Security design flaws can be avoided by following established secure design principles: ○ OWASP Security by design principles ○ IEEE Avoiding the Top 10 Software Security Design Flaws ○ SANS Top 25 Dangerous Software Errors Principle of least privilege ○ Users should have no more privileges than required for carrying out their normal functions. ○ Applications, have user accounts in the database so that they can the access database. If the web application's functionality is just to retrieve records from the database, then it is sufficient to have a read privilege. ○ In fact, permissions should be tuned so that the application user account will not be able to read tables of other applications. We say 'mitigating' because it does not eliminate the vulnerability, but instead significantly reduces the severity of the vulnerability. For example, the number of records exposed due to an SQL injection vulnerability will be reduced if the least privilege principle is followed. Principle of defence in depth ○ Use of multiple security controls to mitigate a vulnerability. So that even if one fails, we can hope that other controls can prevent an attack. ○ Defence in depth is having multiple obstacles before an attacker to make it very difficult for the attacker. Application security is not limited to following secure coding practices and design principles. A crucial component of application security is security testing. Security testing provides an assurance that the application is secure. Most of the common security bugs (like SQL injection) can be detected by automated security testing tools. Moreover, in this section we saw SQL injection attack. But there are a lot of other severe attacks like cross site scripting attacks, buffer overflow exploits, cross site request forgery attacks, session hijacking etc. Threat Modelling When an application is deployed, many threat agents predominantly from the Internet, try to attack that application. A single security loophole in the application can cause severe damage to it. Hence, every organization wants their applications to be secure and protected against such damages. This demands for designing and developing secure applications without loopholes. Threat modelling is one important activity carried out in the design phase of the software development life-cycle that helps in identifying and addressing security loopholes. This activity enables organizations to develop highly secure applications. Threat modelling is a process where the design of the application is analysed to find potential security problems. Following are the steps involved in threat modelling process: ○ The design of the application, usually represented as a Data Flow Diagram (DFD) will be taken for analysis. ○ A threat modelling team comprising software designers/developers and software security analysts will analyse the DFD and brainstorm to identify potential security problems (threats) that can endanger the security of the application. ○ The identified set of threats to the applications are collectively called as a threat model. ○ Threat modelling team will identify vulnerabilities that might be exploited by the identified threats and will identify suitable counter-measures to address all the threats in the threat model. Need for Threat Modelling Software designers and developers approach software security in two ways - "Security as Afterthought" (not a good practice) and "Security Early in the SDLC" (best practice). ○ Helps in building a very robust application that is secure by design, by identifying security defects even before the code is written. ○ Drastically reducing the effort in redesigning and rewriting the software (as in the case of Security as Afterthought approach). Software Development Life Cycle (SDLC) is a process implemented by software developers to design and test their software. It helps in improving the quality of the software and looks after the overall development of the software. It is divided into many phases where each phase has its own significance. Earlier, software development practice treated security as an “afterthought” i.e. security will become a focus only during the testing phase of the SDLC after the software has been designed and implemented. During security testing, many security defects might be identified in the application which will require redesign of the software or rewriting some code of the software to correct the defect. This redesign and rewriting code is a significant source of wasteful effort. This rising and significant wasteful effort forced software designers/developers to adopt the new approach - Security Early in the SDLC. Current software development practice has shifted from the approach of “security as afterthought” to “thinking about security early in the SDLC – in the design phase”. This approach is also known as “shift left (in the SDLC)”. One of the key activities in this approach is threat modelling. ○ Design related security defects are identified by analysing the design documents and the design will be corrected. ○ Potential implementation (or code) related security defects will be anticipated by analysing the design documents, and necessary precautions will be taken to avoid such defects before even beginning the implementation phase. In the SDLC model, the cost to resolve an issue increases in the later phases of development. Thus, it is important to run a thorough assessment on the application to know the current status of the security level and resolve the potential threats as early as possible. That is why, threat modelling is introduced in the design phase. Following are some the benefits of implementing Threat Modeling: ○ Allows architects and designers to evaluate the design of the application for vulnerabilities in the design phase. ○ Helps in future release of a software to evaluate whether new security controls need to be put in place or existing controls are sufficient. ○ Helps in cost reduction by mitigating threats in early SDLC. ○ Reduces cost by removing maximum security defects before development. ○ Provides a clear "line of sight" across a project and cut down errors and efforts. Threat Modelling involves the following steps: ○ Step 1: Identify security objectives - Enumerate the security objectives of the application, i.e. the security requirements that must be fulfilled by the application. ○ Step 2: Create an Application Overview - Identify important characteristics and elements (such as relational database servers, business logic, application server, client-side application) of the systems and external actors (users, administrators or other systems/applications) that affect the application. All these functionalities should be understood before implementing other steps. A fine understanding of all the functionalities of the application helps in defining the scope of the application. An overview of a particular application will help in getting details of all the possible vulnerabilities present in the application. This step helps you to identify relevant threats during step 4. ○ Step 3: Decompose your application - Draw a model of the application that details the interaction (data flow) between various elements in the application. ○ Step 4: Identify threats - Analyse the model of the application to identify threats relevant to your application and context. ○ Step 5: Identify vulnerabilities - Analyse the application to identify vulnerabilities in various elements that can be exploited by various threats. After threats and vulnerabilities are identified, security controls or countermeasures for these threats/vulnerabilities must be identified. All this information will be documented. Assets of an application are one of the main reasons behind any cyber-attack. Weak measures taken to protect the assets can aid hackers in exploiting the application. Assets can be broadly classified into: ○ Data: Any sensitive data like Customer Information, User ID, Passwords, Credit card information ○ Resources: Resources can again be classified into software and hardware resources Software: Application, application database, third party software and any software that needs to be secured Hardware: Application, web and database servers All these assets need to be documented in order to protect them from the atrocities of potential hackers. An application grants some set of access rights specifically defined for its users. These access rights are the trust levels implied by an application. These trust levels need to be documented in order to monitor the access rights at every entry point and required to engage with the asset of an application. Also, data flow diagrams can be developed with privilege boundaries using the information about the trust levels. A high-level visualization of the working of an application can be provided by Data Flow Diagrams (DFDs). DFDs help in understanding how the data is designed to flow within the system. All the documented components play a major role while drafting a DFD. The below DFD is drawn using a tool (we will see more on this later). It is also common to use a whiteboard and marker to draw the DFD. The DFD is a model of the application, and the process of drawing this DFD is simply called as modelling the application. Vulnerabilities are divided into different categories: - ○ Authentication and Authorization vulnerabilities ○ Input/Data validation vulnerabilities ○ Configuration management vulnerabilities ○ Sensitive data vulnerabilities ○ Session management vulnerabilities ○ Cryptography vulnerabilities ○ Parameter manipulation vulnerabilities ○ Exception management vulnerabilities ○ Auditing and logging vulnerabilities Microsoft’s DREAD Microsoft’s DREAD Threat-Risk ranking model can be used to determine the ranking of a threat. In order to determine the threat, basic questions to be answered for each factor of risk, for example: ○ For Damage: How big would the damage be if the attack succeeded? ○ For Reproducibility: How easy is it to reproduce an attack to work? ○ For Exploitability: How much time, effort, and expertise is needed to exploit the threat? ○ For Affected Users: If a threat were exploited, what percentage of users would be affected? ○ For Discoverability: How easy is it for an attacker to discover this threat? Each risk component is assigned a value between 0 (low) and 9 (high) so that a quantifiable score can be created for potential threats. It helps in prioritizing the security responses according to the rank of the individual threats. One can define the rating as low (L), medium (M) and high (H) on the following basis of the value received by calculating the average of the DREAD components of a particular threat i.e. (D+R+E+A+D)/5 The techniques and controls that are used to mitigate the exploitation that can be caused by a potential threat through known or unknown vulnerabilities are called as countermeasures. Documenting the identified threats, vulnerabilities, countermeasures and other details are important. If this information was not documented, it is very likely that some threats are not addressed even though they were identified during the threat modeling process. Threat modeling is a manually intensive task that relies solely on the specification documents, data flow diagrams and the knowledge of an individual which is abstract in nature. There are chances of threats being missed mainly because one particular data flow has not been analysed or because of insufficient knowledge of the person about emerging threats. Since manual threat modeling is time-consuming, most threat models are drawn holistically at a software architecture/design level and not at individual use case level. Because of this, threats related to a specific use case may be missed out. A threat modeling tool can help in alleviating these difficulties. Benefits of using a threat modeling tool: ○ Make use of rich knowledge of threat repository (library) for a given component. ○ Draw Data Flow Diagrams (DFD) easily. ○ Automate the identification of threats and vulnerabilities. ○ Automatically come up with required countermeasures. ○ Generate documents. External Entities This is an external interactor that is outside your area of control. It could be a user that is calling your API or web application, or it could be another component that calls your API. Example-People, Other Systems, Microsoft.com, etc. Process It is a collection of code or web methods or components that performs some computations on the data. It is basically a group of functions that performs some actions. Example- DLLs, EXEs, COM object, Services, Assemblies, etc. Data Flow It basically represents the communication links used for data transfer between entities or components within the system. Example-Function call, Network traffic, Remote Procedure Call (RPC), etc. Data Store A unit that holds the data. That is, Data repository. Example-Database, Registry, Queue/Stack, etc. Trust Boundary Occurs when one component doesn’t trust the other component outside its boundary without sufficient authorization. Example-Process boundary, File system, etc. Using these components, one can draw a model (precisely the data flow diagram) of the application. But the model so formed can be an incorrect one. This is a complete threat model because the source of data is present in this diagram. Here, the customer is the external entity that sends data to the SQL database through the web application. Also, there is proper data flow between SQL Database and Web Server and between Customer and Web Server. Tthe rules that need to be followed while drawing the model of the application are: ○ Data stores should have a sink - When you mention a database or a data store, remember to include the entity that will be using that store. ○ Data doesn’t flow magically - Don’t connect two entities without an intermediate process. ○ Data doesn’t appear magically - A Web Server needs an interface (such as an API) to connect to a data store. ○ There should not be any required component missing - Skipping any component in the diagram will make it incomplete. ○ Right flow of data - The flow of data should be in appropriate direction. The arrows should be drawn such that it correctly shows that the data is flowing from which component to which component. Access Management Subject A subject is an entity, usually a user, device, or process, that requests access to resources or services in a system. The subject is often authenticated and authorized before access is granted. Object An object is a resource or entity within a system that a subject wants to access. Objects can be files, databases, services, or any data that subjects need to interact with. Identity Identity refers to the distinct attributes or characteristics that uniquely define a subject within a system. It is what distinguishes one user or entity from another and is often verified through authentication processes. Attributes An identity store is a repository that holds identity information such as usernames, passwords, roles, and attributes. It is where authentication and authorization decisions draw information from. Examples include Active Directory, LDAP, or custom databases. Identity store An identity store is a repository that holds identity information such as usernames, passwords, roles, and attributes. It is where authentication and authorization decisions draw information from. Examples include Active Directory, LDAP, or custom databases. Access Access refers to the ability of a subject to interact with an object in a system. It can be read, write, execute, or any form of interaction allowed by the system's policies. Authentication Authentication is the process of verifying the identity of a subject. This typically involves confirming that a subject is who they claim to be, often through passwords, biometrics, tokens, or other verification methods. Authorization Authorization is the process of determining what actions a subject is allowed to perform on an object. Once a subject is authenticated, authorization policies define what resources or services they can access and what actions they can take. Accountability Accountability ensures that all actions and access to resources by subjects are logged, tracked, and can be audited. This ensures that any unauthorized or malicious actions can be traced back to the responsible party, promoting transparency and security. Single Sign On SSO is an authentication process that allows a user to access multiple applications or systems with a single set of login credentials. Instead of requiring separate usernames and passwords for each application, SSO enables users to authenticate once and gain access to all authorized systems without having to log in again for each one. How SSO Works: 1. User Authentication: When a user tries to access an application or service, they are redirected to the SSO authentication service. The user provides their login credentials (username and password, for example) to the SSO service. 2. Token Generation: Once authenticated, the SSO service generates a security token or session that contains the user's identity and access information. This token is encrypted and passed back to the application or system the user is trying to access. 3. Access to Applications: The application verifies the token with the SSO service. If the token is valid, the application grants the user access without requiring them to log in again. 4. Token Reuse: As the user navigates to other applications within the same SSO environment, the existing token can be reused. The user does not need to re-enter their credentials, as long as the token is still valid. Benefits of SSO: ○ User Convenience: Users only need to remember one set of credentials, reducing the hassle of multiple logins. ○ Improved Security: SSO can enhance security by centralizing authentication and allowing for stronger, more consistent security policies (e.g., multi-factor authentication). ○ Reduced IT Burden: IT departments spend less time managing multiple passwords and can focus on securing a single authentication point. ○ Streamlined User Experience: Users can easily switch between applications without repeated logins, improving productivity. Risks and Considerations: ○ Single Point of Failure: If the SSO system is compromised, an attacker could potentially gain access to all connected applications. ○ Session Management: Managing token expiration and ensuring users are logged out securely across all applications can be challenging. ○ Compatibility: Not all applications may support SSO, requiring careful integration planning. Examples of SSO: ○ Enterprise SSO: Common in corporate environments where employees access multiple internal systems (e.g., HR systems, email, file storage). ○ Web SSO: Used for accessing various web applications like Google services (Gmail, Google Drive, YouTube) with one Google account. ○ Federated SSO: Allows users to authenticate across multiple organizations or domains (e.g., using your Google credentials to log into third-party websites). SSO simplifies the user experience while maintaining security, making it a popular choice for both enterprises and service providers. Password Management With SSO enabled IAM systems in organisation, single credentials are sufficient to access all the internal applications. Although, this makes it easy for the uses to access, it also makes it easy for a hacker to gain control of all the linked application at once on hacking this single password. Hence, it is also necessary to build strong access mechanisms to avoid any such violation of access rights by having set strong password and by managing it. Password management refers to the practices, tools, and strategies used to create, store, manage, and secure passwords. Effective password management is crucial in maintaining strong cybersecurity, as passwords are often the first line of defense against unauthorized access to systems, applications, and data. Key Aspects of Password Management: Password Creation: ○ Strong Passwords: Passwords should be complex, using a combination of uppercase and lowercase letters, numbers, and special characters. They should also be sufficiently long (e.g., at least 12-16 characters) to resist brute-force attacks. ○ Avoid Common Passwords: Users should avoid easily guessable passwords such as "password123," "qwerty," or any personal information like birthdays. Password Storage: ○ Secure Storage: Passwords should never be stored in plain text. Instead, they should be stored using cryptographic hashing algorithms, which convert passwords into a secure format that cannot be easily reversed. ○ Password Managers: These are software tools that securely store and organize passwords. They can generate strong, random passwords and store them in an encrypted vault, accessible only with a master password or through multi-factor authentication. Password Policies: ○ Regular Updates: Organizations often enforce policies that require users to change passwords regularly (e.g., every 60-90 days). However, it's important not to make this too frequent, as it may lead to weaker password practices. ○ Password Reuse: Users should be discouraged from reusing passwords across different accounts. A compromise on one account could lead to vulnerabilities in others if the same password is used. Multi-Factor Authentication (MFA): ○ Additional Layer: Password management can be greatly enhanced by implementing MFA, which requires users to provide two or more verification factors (e.g., a password and a fingerprint, or a password and a code sent to a mobile device). ○ Reduced Risk: Even if a password is compromised, the additional factor makes unauthorized access much more difficult. Password Recovery: ○ Secure Recovery Processes: Password recovery mechanisms (e.g., security questions, email resets) should be secure and not easily exploitable. Recovery processes should involve multi-factor authentication whenever possible. ○ User Education: Users should be educated about the risks of phishing and social engineering attacks, which often target password recovery processes. Monitoring and Alerts: ○ Breach Detection: Some password managers and security tools monitor for data breaches and notify users if their credentials have been exposed, prompting them to change passwords immediately. ○ Login Alerts: Users can enable alerts that notify them when a login attempt is made from an unrecognized device or location. Password Sharing: ○ Avoid Sharing: Passwords should not be shared. If sharing is necessary, it should be done through secure means (e.g., using a password manager’s sharing feature that keeps passwords encrypted). ○ Role-Based Access Control: Instead of sharing passwords, organizations should implement role-based access control (RBAC) where each user has access to the resources they need without sharing accounts. User Training and Awareness: ○ Phishing Awareness: Educate users about phishing attacks that attempt to steal passwords through deceptive emails or websites. ○ Password Hygiene: Promote good password hygiene practices, such as not writing down passwords in insecure places, and being cautious of where passwords are entered. Benefits of Good Password Management: ○ Enhanced Security: Strong and well-managed passwords reduce the likelihood of unauthorized access and data breaches. ○ Simplified Management: Password managers simplify the process of handling multiple strong passwords, reducing the burden on users. ○ Compliance: Many regulatory frameworks (e.g., GDPR, HIPAA) require organizations to implement strong password management practices to protect sensitive information. Challenges in Password Management: ○ User Resistance: Users might resist adopting strong passwords or password managers due to perceived complexity or inconvenience. ○ Password Fatigue: Managing numerous passwords without proper tools can lead to fatigue, where users start using weaker passwords or reusing them across platforms. Tools and Best Practices: ○ Password Managers: Tools like LastPass, 1Password, and Dashlane help manage and securely store passwords. ○ Password Generation: Use password managers to generate strong, unique passwords for each account. ○ Regular Audits: Organizations should conduct regular audits of password practices and update policies as needed. Effective password management is critical for both individuals and organizations to protect against unauthorized access and maintain the integrity of sensitive information. Identity Federation Federated Identity Management (FIM) is managing a single identity information among multiple enterprises to let users use the same identity information to gain access across inter and intra enterprise networks. Identity federation is a system that allows users to authenticate across multiple systems, organizations, or domains using a single identity credential. It facilitates secure and seamless access to resources across different security domains without the need for multiple separate login credentials. Identity federation is commonly used in environments where users need to access resources from different organizations or services, such as in business partnerships or when using cloud services. Federated Identity: ○ A federated identity is a single digital identity that is trusted across multiple systems or organizations. Users can use this identity to access various services without needing to create separate accounts for each one. Identity Provider (IdP): ○ The Identity Provider is the entity that authenticates the user and issues a token or credential asserting the user’s identity. Examples of IdPs include organizations, social media platforms (like Google or Facebook), or dedicated services like Microsoft Azure AD. Service Provider (SP): ○ The Service Provider is the entity or system that the user wants to access. The SP relies on the IdP to authenticate the user and then grants access based on the identity and attributes provided by the IdP. Trust Relationships: ○ Identity federation relies on trust relationships between the Identity Provider and the Service Provider. These relationships are often established through digital certificates or shared cryptographic keys, ensuring that tokens or credentials from the IdP are accepted by the SP. Single Sign-On (SSO): ○ Identity federation often incorporates SSO, allowing users to log in once and access multiple services without needing to re-authenticate. SSO within a federated identity context works across different domains or organizations. Standards and Protocols: ○ SAML (Security Assertion Markup Language): A widely-used XML-based standard for exchanging authentication and authorization data between IdPs and SPs. ○ OAuth: A protocol that allows third-party services to exchange tokens for resource access, often used for delegated access. ○ OpenID Connect: An identity layer built on top of OAuth 2.0, providing an easy-to-use protocol for federated authentication. How Identity Federation Works: ○ User Authentication: A user attempts to access a service provided by an SP. The SP redirects the user to the IdP for authentication, often through a web-based interface. ○ Token Generation: The IdP authenticates the user (e.g., using username and password, multi-factor authentication). Upon successful authentication, the IdP generates a token or assertion containing the user’s identity information and attributes. ○ Token Exchange: The user is redirected back to the SP with the token provided by the IdP. The SP verifies the token with the IdP and, if valid, grants the user access to the requested service. ○ Access Granted: The user can now access the service without needing a separate login for that specific SP. Benefits of Identity Federation: ○ User Convenience: Users can access multiple services across different organizations or domains with a single set of credentials, reducing password fatigue and the need to remember multiple logins. ○ Security: Identity federation centralizes authentication, allowing organizations to enforce consistent security policies, such as strong password requirements and multi-factor authentication. ○ Scalability: Organizations can easily integrate with partners, vendors, and cloud services without managing separate user accounts for each service. ○ Streamlined IT Management: IT departments can manage identities centrally, reducing the administrative overhead associated with managing multiple user accounts and credentials. Use Cases of Identity Federation: ○ Enterprise Collaboration: Companies in a partnership might use identity federation to allow employees from one organization to access resources from another without requiring new accounts. ○ Cloud Services: Users can log into cloud services (e.g., Microsoft 365, Salesforce) using their corporate credentials, thanks to federation between the enterprise's IdP and the cloud provider. ○ Education: Universities often use federated identity to allow students to access resources across different campuses or partner institutions. Challenges and Considerations: ○ Trust Management: Establishing and maintaining trust relationships between IdPs and SPs can be complex, especially when multiple organizations are involved. ○ Interoperability: Ensuring that different systems and protocols (e.g., SAML, OAuth) work together seamlessly can be challenging, especially in heterogeneous environments. ○ Security Risks: If the IdP is compromised, it could lead to unauthorized access across multiple systems, making the security of the IdP critical. Examples of Identity Federation: ○ Shibboleth: A widely used open-source identity federation system, particularly in the education sector. ○ SAML Federation: Often used in enterprise environments for federated access to cloud services. ○ OAuth with OpenID Connect: Commonly used for social logins, where users can log in to third-party websites using credentials from services like Google or Facebook. Identity federation simplifies and secures access across multiple systems, making it a powerful tool in modern cybersecurity and identity management strategies. Authorisation Secure access management is carried out with the aid of Authentication, Authorisation and Accountability (AAA) services. As seen earlier, authentication was carried out to provide access to legitimate subjects on the right set of objects. Besides authentication, it is imperative to manage access permission on objects for different category of subjects. This next level of Access Management is carried out by Authorisation. Authorisation is a process of granting access permissions to subjects on various objects based on the subject's nature of work and job role. This will significantly cut down the undesirable access gained by the subjects. Authorisation also helps in keeping a tab on number of access violations. Authorization is the process of determining what actions a user or system is allowed to perform on a resource after they have been authenticated. It controls access to data, services, and functionalities based on the user’s identity, role, or other attributes, ensuring that only authorized users can perform specific actions within a system. Authentication vs. Authorization: ○ Authentication verifies the identity of a user (e.g., confirming they are who they claim to be). ○ Authorization determines what the authenticated user is allowed to do (e.g., what files they can access or what operations they can perform). Permissions: ○ Permissions define specific rights or privileges assigned to a user, group, or role. For example, permissions might include reading a file, writing to a database, or executing a command. Roles: ○ Roles group users with similar responsibilities and assign them a common set of permissions. Role-Based Access Control (RBAC) is a common method where roles like "admin," "user," or "guest" determine what a user can do within a system. Access Control Models: ○ Discretionary Access Control (DAC): Access is granted based on the identity of the user and the discretion of the resource owner. The owner can assign permissions to others. ○ Mandatory Access Control (MAC): Access is based on fixed policies established by a central authority, often involving classifications and labels (e.g., classified, secret). ○ Role-Based Access Control (RBAC): Access is determined based on roles assigned to users, and permissions are granted based on those roles. ○ Attribute-Based Access Control (ABAC): Access decisions are based on attributes of users, objects, and the environment, such as time of day, location, or the sensitivity of the data. Access Control Lists (ACLs): ○ ACLs are lists that specify which users or systems are allowed or denied access to specific resources. An ACL might list specific users and their permissions, such as "read," "write," or "execute." Policy Enforcement Point (PEP) and Policy Decision Point (PDP): ○ PEP: The component that enforces access control decisions by allowing or denying access based on the authorization policy. ○ PDP: The component that makes the decision on whether to allow or deny access, based on the policies in place. Least Privilege Principle: ○ This principle dictates that users should be granted the minimum level of access—or permissions—necessary to perform their job functions. It helps reduce the risk of unauthorized access or misuse of privileges. Auditing and Logging: ○ Authorization processes should include logging and auditing mechanisms to track who accessed what resources and when. This helps in detecting unauthorized access attempts and ensuring compliance with policies. How Authorization Works: ○ User Authentication: The process begins with the user being authenticated, usually by providing credentials (e.g., username and password). ○ Policy Evaluation: Once authenticated, the system evaluates authorization policies to determine what resources the user can access. This might involve checking roles, permissions, and other attributes. ○ Decision Making: The system's PDP makes a decision based on the evaluation. If the user's attributes and permissions align with the policy, access is granted; otherwise, it is denied. ○ Access Enforcement: The system's PEP enforces the decision by either allowing or denying the user access to the resource. The action is logged for auditing purposes. Types of Authorization: ○ Role-Based Authorization: Users are assigned roles, and permissions are granted based on these roles. For example, an "Admin" role might have full access, while a "User" role has limited access. ○ Attribute-Based Authorization: Access decisions are made based on attributes such as user location, time of access, or the sensitivity of the data. This allows for more granular and context-aware access control. ○ Policy-Based Authorization: Authorization is based on predefined policies that specify the conditions under which access is granted or denied. Policies can be simple (e.g., "Admins can access all resources") or complex (e.g., "Access is granted if the user is in the office and it's during business hours"). Common Use Cases: ○ Enterprise Systems: Employees might have different levels of access to corporate resources based on their role in the organization (e.g., HR staff can access employee records, while IT staff can access system configurations). ○ Cloud Services: Users are granted or denied access to cloud resources based on their identity, roles, and policies defined by the cloud provider. ○ Web Applications: Users are authorized to perform actions (e.g., view, edit, delete) based on their role within the application, such as "admin" or "regular user." Challenges in Authorization: ○ Complexity: As systems grow and evolve, managing and maintaining authorization rules and policies can become complex, leading to potential security gaps. ○ Dynamic Environments: In dynamic environments like cloud computing, where resources and users frequently change, keeping authorization policies up to date is challenging. ○ Consistency: Ensuring that authorization policies are consistently applied across all systems and resources can be difficult, especially in large, distributed environments. Best Practices: ○ Implement the Principle of Least Privilege: Always assign the minimum necessary permissions to users. ○ Regularly Review Permissions: Periodically review and update permissions to ensure they align with current user roles and responsibilities. ○ Use Role-Based Access Control (RBAC): Group users by roles to simplify the management of permissions. ○ Audit and Monitor Access: Regularly audit and monitor access logs to detect and respond to unauthorized access attempts. ○ Automate Policy Management: Use tools and systems that allow for automated management and enforcement of authorization policies, especially in large or complex environments. Authorization is a critical aspect of cybersecurity, ensuring that only authorized users can access and interact with specific resources, thus protecting sensitive data and maintaining system integrity. Accountability Despite the controlled access management through authentication and authorization there are chances of attacks by internal threat agents to compromise the enterprise Information System (IS). This necessitates logging of day-to-day activities of the subject w.r.t usage of enterprise IS. Hence, it is advisable to enable auditing and logging features at organizational end. This is taken care by Accountability. Accountability is to establish responsibility for one's actions/events performed on system back in time by tracing, logging and auditing. This will ensure to keep up the security objective of Non-Repudiation. Audit Trails: ○ An audit trail is a chronological record of activities and events that occur within a system. These records include details such as who performed an action, what action was performed, when it was performed, and from where it was performed. ○ Audit trails are crucial for post-incident analysis, allowing organizations to trace back actions to specific users or processes and understand the sequence of events leading to a security incident. Logging and Monitoring: ○ Logging involves recording events and activities within a system, such as logins, file access, and changes to configurations. Monitoring refers to the continuous observation of these logs to detect anomalies, unauthorized access, or other suspicious activities. ○ Effective logging and monitoring provide real-time insights and historical data that help maintain accountability. Non-Repudiation: ○ Non-repudiation ensures that a user or entity cannot deny the authenticity of their actions or communications. This is often achieved through digital signatures, cryptographic hashing, and secure logging. ○ Non-repudiation is critical in legal and compliance contexts, where it’s necessary to prove that certain actions were performed by specific individuals. User Identification and Authentication: ○ Accountability relies on strong user identification and authentication mechanisms to ensure that actions are attributed to the correct individual or entity. Without reliable authentication, it’s difficult to hold users accountable for their actions. ○ Multi-factor authentication (MFA) and biometrics are examples of methods that enhance the reliability of user identification. Access Control and Permissions: ○ Proper access control mechanisms ensure that users can only perform actions for which they are authorized. By restricting access based on roles, permissions, and policies, organizations can limit the scope of actions a user can take, making it easier to hold them accountable for their activities. ○ Role-based access control (RBAC) and attribute-based access control (ABAC) are common methods used to manage permissions and maintain accountability. Policy Enforcement: ○ Organizations define policies that dictate acceptable behavior, security practices, and compliance requirements. Accountability is enforced by ensuring that users and systems adhere to these policies. ○ Violations of policies are logged and monitored, and users are held accountable for non-compliance. Incident Response: ○ Accountability plays a critical role in incident response. When a security incident occurs, accountability ensures that the actions leading up to and following the incident are well-documented and can be reviewed to identify the responsible parties. ○ Effective incident response depends on the ability to trace actions, understand the cause of the incident, and take corrective measures. Compliance and Legal Requirements: ○ Many regulations and standards (e.g., GDPR, HIPAA, ISO 27001) require organizations to maintain accountability by tracking and auditing user activities. Failure to do so can result in legal consequences and fines. ○ Accountability ensures that organizations can demonstrate compliance with these regulations by providing detailed records of activities and access. How Accountability Works: ○ User Actions: Users interact with the system by performing actions such as logging in, accessing files, or executing commands. Each of these actions is logged by the system. ○ Logging and Auditing: The system logs the details of these actions, including the user’s identity, the action taken, the time and date, and the outcome. This log data is stored securely for future reference. Auditing tools analyze these logs to ensure compliance with policies and detect any unauthorized or suspicious activities. ○ Monitoring and Alerts: Monitoring systems continuously observe logs and user activities in real time. If an anomaly or policy violation is detected, the system may generate an alert for further investigation. Alerts can be configured to notify administrators immediately, allowing for a quick response to potential security threats. ○ Review and Analysis: In the event of a security incident, the audit trail is reviewed to determine what actions were taken, who was responsible, and how the incident occurred. This information is crucial for responding to the incident and preventing future occurrences. Accountability measures ensure that all steps are documented, and corrective actions are taken. Importance of Accountability: ○ Security: Accountability deters malicious or negligent behavior by ensuring that all actions are tracked and can be traced back to an individual or system. This makes it easier to identify and address security breaches. ○ Transparency: It promotes transparency within an organization, as users know their actions are being monitored and recorded. This encourages adherence to policies and ethical behavior. ○ Trust: Accountability builds trust between users and the organization, as it ensures that everyone is responsible for their actions and that any misconduct will be addressed. ○ Compliance: Many industry regulations require organizations to maintain accountability for user actions. Failing to do so can lead to legal penalties, loss of reputation, and financial losses. ○ Incident Resolution: Accountability facilitates faster and more effective incident resolution by providing a clear and detailed record of events, helping to identify the root cause and responsible parties. Challenges in Accountability: ○ Data Volume: In large organizations, the volume of log data can be overwhelming, making it challenging to analyze and maintain effectively. ○ Privacy Concerns: While accountability requires monitoring and logging, it must be balanced with privacy concerns to avoid overreach or misuse of user data. ○ Complex Environments: In complex, distributed environments, maintaining a clear and consistent audit trail across multiple systems and platforms can be difficult. ○ False Positives: Monitoring systems may generate false positives, leading to unnecessary alerts or investigations that can drain resources. Best Practices for Maintaining Accountability: ○ Implement Strong Authentication: Ensure that all users are properly authenticated using strong methods such as MFA, so actions can be reliably attributed. ○ Regularly Review and Update Policies: Keep security and access control policies up to date and ensure they reflect current organizational needs and compliance requirements. ○ Automate Monitoring and Alerts: Use automated tools to monitor logs and generate alerts, reducing the likelihood of human error and improving response times. ○ Conduct Regular Audits: Regularly audit logs and access records to ensure compliance with policies and identify any unauthorized activities. ○ Educate Users: Make sure that all users are aware of the accountability measures in place and understand their responsibilities within the system. Accountability is a cornerstone of cybersecurity, ensuring that all actions within a system are tracked, traceable, and auditable, thereby protecting the organization from unauthorized access, data breaches, and non-compliance.