
CISSP Guide to Security Essentials, Second Edition
Chapter 2: Access Control
© 2016 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Slide 2: Objectives
- Identification and Authentication
- Centralized Access Control
- Decentralized Access Control
- Access Control Attacks
- Access Provisioning Life Cycle
- Testing Access Controls

Slide 3: Identification and Authentication
- Identification: unproven assertion of identity
  – “My name is…”
  – User id
- Authentication: proven assertion of identity
  – User id and password
  – User id and PIN
  – Biometric

Slide 4: Authentication Methods
- What the user knows
  – User id and password
  – User id and PIN
- What the user has
  – Smart card
  – Token
- What the user is
  – Biometrics (fingerprint, handwriting, voice, etc.)

Slide 5: How Information Systems Authenticate Users
- Request userid and password
  – Hash the password
  – Retrieve the stored userid and hashed password
  – Compare the hashes
  – If they are equal, the user has entered the correct password

Slide 6: How a User Should Treat Userids and Passwords
- Keep them secret
- Do not share them with others
- Do not leave them written down where someone else can find them
- Store them in an encrypted file or vault
Slide 7: How a System Stores Userids and Passwords
- Typically stored in a database table
  – Application database or authentication database
  – Userid stored in plaintext: facilitates lookups by others
  – Password stored encrypted or hashed
    - If encrypted, it can be retrieved under certain conditions (“Forgot password” function, application e-mails it to the user)
    - If hashed, it cannot be retrieved under any circumstance
- “Salting” should be employed when hashing a password, to resist rainbow table attacks

Slide 8: (figure only; no text extracted)

Slide 9: Strong Authentication
- Traditional userid + password authentication has known weaknesses
  – Easily guessed passwords
  – Disclosed or shared passwords
- Stronger types of authentication are available, usually referred to as “strong authentication”
  – Token
  – Certificate
  – Biometrics

Slide 10: Multi-Factor Authentication
- Single factor: what the user knows
- Two factor: what the user knows and has
  – Password token
  – USB key
  – Digital certificate
  – Smart card
- Without the second factor, the user cannot log in
  – Defeats password guessing / cracking

Slide 11: Biometric Authentication
- Stronger than userid + password
- Stronger than token-based
- Measures a part of the user’s body
  – Fingerprint
  – Iris scan
  – Signature
  – Voice
  – Etc.
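Slides 5 and 7 describe the hash-and-compare login check and the need for salting. The following is an added example written for this page, not code from the textbook: a salted, iterated password store with constant-time verification. The user table, userids and passwords are constructed sample data, and PBKDF2-HMAC-SHA256 is an assumed choice of hash function.

```python
# Added example (not from the slides): salted, iterated password hashing and
# constant-time verification, as described on the "How Information Systems
# Authenticate Users" and "How a System Stores Userids and Passwords" slides.
# Only the standard library is used; the user table is a constructed dict.
import hashlib
import hmac
import os

ITERATIONS = 600_000          # PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a one-way hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user_record(userid: str, password: str) -> dict:
    """Build the stored row: userid in plaintext, password only as salt + hash.
    The plaintext password is never stored, so it cannot be retrieved later."""
    salt = os.urandom(SALT_BYTES)       # fresh random salt per user
    return {
        "userid": userid,
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def verify_login(table: dict, userid: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare hashes.
    hmac.compare_digest runs in constant time so timing does not leak how many
    leading bytes matched. Unknown userids take the same amount of work as a
    wrong password so the response does not reveal whether the account exists."""
    record = table.get(userid)
    if record is None:
        dummy_salt = b"\x00" * SALT_BYTES
        hash_password(password, dummy_salt)      # burn the same work, then reject
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_hash(password: str) -> bytes:
    """What NOT to do: a bare hash is identical for every user with the same
    password, which is exactly what a precomputed rainbow table exploits."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_demo_table() -> dict:
    """Constructed sample user table: two users who chose the same password."""
    users = {}
    for userid, pw in (("alice", "correct horse battery"), ("bob", "correct horse battery")):
        users[userid] = create_user_record(userid, pw)
    return users


if __name__ == "__main__":
    table = build_demo_table()
    print("alice, right password:", verify_login(table, "alice", "correct horse battery"))
    print("alice, wrong password:", verify_login(table, "alice", "wrong"))
    # Same password, different salts -> different stored hashes.
    print("salted hashes differ:", table["alice"]["hash"] != table["bob"]["hash"])
    print("unsalted hashes equal:", unsalted_hash("x") == unsalted_hash("x"))
```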
Slide 12: Authentication Issues
- Password quality
- Consistency of user credentials across multiple environments
- Too many userids and passwords
- Handling password resets
- Dealing with compromised passwords
- Staff terminations

Slide 13: Access Control Technologies
- Centralized management of access controls
  – Lightweight Directory Access Protocol (LDAP)
  – Active Directory
  – RADIUS
  – Diameter
  – TACACS
  – Kerberos

Slide 14: Single Sign-On (SSO)
- Authenticate once, access many information systems without having to re-authenticate into each
- Centralized session management
- Often the “holy grail” for identity management
  – Harder in practice to achieve: integration issues
- Weakness: an intruder can access all participating systems if the password is compromised
- Best to combine with two-factor / strong authentication

Slide 15: SSO (figure only; no text extracted)

Slide 16: (figure only; no text extracted)

Slide 17: Reduced Sign-On
- Like single sign-on (SSO), a single credential for many systems
- But… no inter-system session management
- The user must log into each system separately
- Weakness: an intruder can access all systems if the password is compromised
- Best to combine with two-factor / strong authentication
Slide 18: Access Control Processes
- Access requests and provisioning
- Internal transfer
- Termination
- Periodic access review
- Internal and external audit

Slide 19: Access Requests and Provisioning
- Steps in a basic formal process
  – Request
  – Review
  – Approve
  – Provision
- Recordkeeping for each step

Slide 20: Internal Transfer
- User’s access rights that are specific to the job he or she is leaving should be terminated
- User’s accesses needed in the new position should be formally requested
- Lack of these processes results in “accumulation of privileges”

Slide 21: Termination
- Former employee access rights should be revoked upon termination
  – Access revoked typically within 24 hours
  – Access should be revoked immediately if the termination is adverse (e.g. the organization is firing the employee, or the employee quits without giving notice)
  – Some organizations immediately terminate all access as soon as the employee gives notice of termination

Slide 22: Periodic Access Reviews
- Reviews to verify the effectiveness of access control processes
  – Verify that terminations are performed, and within the set time
  – Verify that all granted access rights were requested, reviewed, and approved
  – Look for user accounts that have not been used in an extended period of time
  – Look for combinations of access rights that would result in a segregation of duties conflict
  – Look for access rights that would violate the principle of least privilege
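Slides 19 to 22 describe one provisioning life cycle and the review that checks it. As an added example (not from the textbook), the script below runs the checks the "Periodic Access Reviews" slide lists over a constructed account inventory: rights with no approval record, dormant accounts, segregation of duties conflicts, rights beyond the user's role, and terminated users whose access outlived the 24-hour window. The role table, conflict pairs, accounts and approval records are all constructed sample data.

```python
# Added example (not from the slides): a periodic access review over a
# constructed account inventory, checking the items the "Periodic Access
# Reviews" slide lists. All data below is constructed for the demonstration.
from datetime import date, timedelta

REVIEW_DATE = date(2016, 6, 30)          # constructed "today"
DORMANT_AFTER = timedelta(days=90)
REVOKE_WITHIN = timedelta(days=1)        # "revoked typically within 24 hours"

# Rights each role legitimately needs (constructed); anything more is excess.
ROLE_RIGHTS = {
    "ap_clerk": {"create_vendor"},
    "analyst": {"read_reports"},
    "helpdesk": {"create_account"},
}

# Pairs of rights no single person should hold together (constructed).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_account", "approve_account"}),
}

# Constructed account inventory: current rights, last use, termination date.
ACCOUNTS = {
    "alice": {"role": "ap_clerk", "rights": {"create_vendor", "approve_payment"},
              "last_login": date(2016, 6, 28), "terminated": None},
    "bob":   {"role": "analyst", "rights": {"read_reports"},
              "last_login": date(2016, 1, 15), "terminated": None},
    "carol": {"role": "helpdesk", "rights": {"create_account", "read_reports"},
              "last_login": date(2016, 6, 29), "terminated": None},
    "dave":  {"role": "analyst", "rights": {"read_reports"},
              "last_login": date(2016, 6, 1), "terminated": date(2016, 6, 20)},
}

# Constructed provisioning records: (userid, right) pairs that went through
# request -> review -> approve -> provision with recordkeeping.
APPROVED = {
    ("alice", "create_vendor"), ("alice", "approve_payment"),
    ("bob", "read_reports"),
    ("carol", "create_account"),          # carol's read_reports was never approved
    ("dave", "read_reports"),
}


def review_access(accounts, approved, review_date=REVIEW_DATE):
    """Return (userid, finding) tuples for the reviewer to action."""
    findings = []
    for userid, acct in sorted(accounts.items()):
        rights = acct["rights"]
        # Termination check: access must be gone within the revocation window.
        if acct["terminated"] and rights and review_date - acct["terminated"] > REVOKE_WITHIN:
            findings.append((userid, "terminated user still has access"))
        for right in sorted(rights):
            # Every granted right must trace back to an approval record.
            if (userid, right) not in approved:
                findings.append((userid, f"right '{right}' has no approval record"))
            # Least privilege: rights beyond what the role needs are excess.
            if right not in ROLE_RIGHTS.get(acct["role"], set()):
                findings.append((userid, f"right '{right}' exceeds role {acct['role']} (least privilege)"))
        if review_date - acct["last_login"] > DORMANT_AFTER:
            findings.append((userid, "dormant account (no login in 90 days)"))
        for pair in SOD_CONFLICTS:
            if pair <= rights:
                findings.append((userid, "segregation of duties conflict: " + " + ".join(sorted(pair))))
    return findings


if __name__ == "__main__":
    for userid, finding in review_access(ACCOUNTS, APPROVED):
        print(f"{userid:6} {finding}")
```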
Slide 23: Internal and External Audits
- Organizations often undergo audits of access controls and access control processes
  – Internal: audits performed by company staff
  – External: audits performed by an external audit firm or industry regulators

Slide 24: Access Control Attacks
- Intruders will try to defeat, bypass, or trick access controls in order to reach their target
- Attack objectives
  – Guess credentials
  – Cause a malfunction of access controls
  – Bypass access controls
  – Replay known good logins
  – Trick people into giving up credentials

Slide 25: Buffer Overflow
- Cause a malfunction in a way that permits illicit access
- Send more data than the application was designed to handle properly
  – “Excess” data corrupts application memory
  – Execution of arbitrary code
  – Malfunction
- Countermeasure: “safe” coding that limits the length of input data; filter input data to remove unsafe characters
Slide 26: Script Injection
- Insertion of scripting language characters into application input fields
  – Execute script on the server side
    - SQL injection: obtain data from the application database
  – Execute script on the client side: trick the user or browser
    - Cross site scripting
    - Cross site request forgery
- Countermeasures: strip “unsafe” characters from input

Slide 27: Data Remanence
- Literally: data that remains after it has been “deleted”
- Examples
  – Deleted hard drive files
  – Data in file system “slack space”
  – Erased files
  – Reformatted hard drive
  – Discarded / lost media: USB keys, backup tapes, CDs
- Countermeasures: improve media physical controls

Slide 28: Denial of Service (DoS)
- Actions that cause the target system to fail, thereby denying service to legitimate users
  – Specially crafted input that causes application malfunction
  – Large volume of input that floods the application
- Distributed Denial of Service (DDoS)
  – Large volume of input from many (hundreds, thousands) of sources
- Countermeasures: input filters, patches, high capacity attack scrubbers

Slide 29: Dumpster Diving
- Literally, going through company trash in the hope that sensitive printed documents were discarded and can be retrieved
  – Personnel reports, financial records
  – E-mail addresses
  – Trade secrets
  – Technical architecture
- Countermeasures: on-site shredding
Slide 30: Eavesdropping
- Interception of data transmissions
  – Login credentials
  – Sensitive information
- Methods
  – Network sniffing (possibly from a compromised system)
  – Wireless network sniffing
- Countermeasures: encryption, stronger encryption

Slide 31: Emanations
- Electromagnetic radiation that emanates from computer equipment
  – Network cabling (more prevalent in networks with coaxial cabling)
  – CRT monitors
  – Wi-Fi networks
- Countermeasures: shielding, twisted pair network cable, LCD monitors, lower power or eliminate Wi-Fi

Slide 32: Spoofing and Masquerading
- Specially crafted network packets that contain a forged address of origin
- The TCP/IP protocols permit forged MAC and IP addresses
- The SMTP protocol permits a forged e-mail From address
- Countermeasures: router / firewall configuration to drop forged packets, judicious use of e-mail for signaling or data transfer

Slide 33: Social Engineering
- Tricking people into giving out sensitive information by making them think they are helping someone
- Methods
  – In person
  – By phone
- Schemes
  – Log-in, remote access, building entrance help
- Countermeasures: security awareness training
Slide 34: Phishing
- Incoming, fraudulent e-mail messages designed to give the appearance of originating from a legitimate institution
  – “Bank security breach”
  – “Tax refund”
  – “Irish sweepstakes”
- Tricks the user into providing sensitive data via a forged web site (common) or return e-mail (less common)
- Countermeasures: security awareness training

Slide 35: Pharming
- Redirection of traffic to a forged website
  – Attack on a DNS server (poison cache, other attacks)
  – Attack on the “hosts” file on the client system
  – Often, a phishing e-mail lures the user to the forged website
  – The forged website has the appearance of the real thing
- Countermeasures: user awareness training, patches, better controls

Slide 36: Password Guessing
- Trying likely passwords to log in as a specific user
  – Common words
  – Spouse / partner / pet name
  – Significant dates / places
- Countermeasures: strong, complex passwords, aggressive password policy

Slide 37: Password Cracking
- Obtain / retrieve hashed passwords from the target
- Run a password cracking program
  – Runs on the attacker’s system: no one will notice
- Attacker logs in to the target system using the cracked passwords
- Countermeasures: frequent password changes, controls on hashed password files, more
Slide 38: Malicious Code
- Viruses, worms, Trojan horses, spyware, key loggers
- Harvest data or cause system malfunction
- Countermeasures: anti-virus, anti-spyware, security awareness training

Slide 39: Access Control Concepts
- Principles of access control
- Types of controls
- Categories of controls

Slide 40: Principles of Access Control
- Separation of duties
  – No single individual should be allowed to perform high-value or sensitive tasks on their own
    - Financial transactions
    - User account creation / changes
- Least privilege
  – Persons should have access to only the functions / data that they require to perform their stated duties

Slide 41: Principles of Access Control (cont.)
- Defense in depth
  – Use of multiple controls to protect an asset
  – Heterogeneous controls preferred
    - If one type fails, the other remains
    - If one type is attacked, the other remains
- Examples
  – Nested firewalls
  – Anti-virus on workstations, file servers, e-mail servers

Slide 42: Types of Controls
- Technical
  – Authentication, encryption, firewalls, anti-virus
- Physical
  – Key card entry, fencing, video surveillance
- Administrative
  – Policy, procedures, standards
Slide 43: Categories of Controls
- Detective controls
- Deterrent controls
- Preventive controls
- Corrective controls
- Recovery controls
- Compensating controls

Slide 44: Detective Controls
- Monitor and record specific types of events
- Do not stop or directly influence events
  – Video surveillance
  – Audit logs
  – Event logs
  – Intrusion detection system

Slide 45: Deterrent Controls
- Designed to prevent specific actions by influencing the choices of would-be intruders
- Do not prevent or even record events
  – Signs
  – Guards, guard dogs
  – Razor wire

Slide 46: Preventive Controls
- Block or control specific events
  – Firewalls
  – Anti-virus software
  – Encryption
  – Key card systems
  – Fencing
  – Bollards
  – Crash guards

Slide 47: Corrective Controls
- Post-event controls to prevent recurrence
- “Corrective” refers to when the control is implemented
  – Can be preventive, detective, deterrent, administrative
- Examples
  – Spam filter
  – Anti-virus on e-mail server
  – WPA Wi-Fi encryption
Slide 48: Recovery Controls
- Post-incident controls to recover systems
- “Recovery” refers to when the control is implemented
  – Can be detective, preventive, deterrent, administrative
- Examples
  – System restoration
  – Database restoration

Slide 49: Compensating Controls
- A control that is introduced to compensate for the absence or failure of another control
- “Compensating” refers to why the control is implemented
  – Can be detective, preventive, deterrent, administrative
- Examples
  – Daily monitoring of the anti-virus console
  – Monthly review of administrative logins

Slide 50: Testing Access Controls
- Access controls are the primary defense that protects assets
- Testing helps to verify whether they are working properly
- Types of tests
  – Security scanning and penetration testing
  – Application vulnerability tests
  – Application code reviews
  – Audit log analysis

Slide 51: Security Scanning and Penetration Testing
- Security scans will discover vulnerabilities
  – Scan TCP/IP for open ports, discover active “listeners”
  – Potential vulnerabilities in open services
  – Test operating system, middleware, server, network device features
  – Missing patches
  – Example tools: Rapid7, Qualys, Nessus, Nikto, Retina, ISS, Microsoft baseline security scanner
- Penetration testing goes further and employs manual techniques to identify and exploit specific vulnerabilities
Slide 52: Application Vulnerability Testing
- Discover vulnerabilities in an application
- Automated tools and manual tools
- Example vulnerabilities
  – Cross-site scripting, injection flaws, malicious file execution, broken authentication, broken session management, information leakage, insecure use of encryption, and many more

Slide 53: Application Code Reviews
- Manual reviews of changes to source code
  – Reviews performed by someone other than the developer who made the change
- Automated scans of source code
  – Identification of logic flaws
  – Identification of security flaws

Slide 54: Audit Log Analysis
- Regular examination of audit and event logs
- Detect unwanted events
  – Attempted break-ins
  – System malfunctions
  – Account abuse
- Audit log protection
  – Write-once media
  – Centralized audit logs

Slide 55: Summary
- Identification is an unproven assertion of identity. Authentication is a proven assertion of identity.
- Multi-factor authentication is authentication that relies on two or more factors: knowledge-based, possession-based, or entity-based. Two-factor authentication uses any two of these.
- Biometric authentication includes something the user is. Examples include fingerprint, hand scan, iris scan.

Slide 56: Summary (cont.)
- Authentication standards include LDAP, TACACS, RADIUS, Kerberos, and Diameter.
- Single sign-on (SSO) provides a single identity with session management across applications. Reduced sign-on provides a single identity across applications but no session management.
- Access controls are attacked by several methods, including buffer overflow, script injection, malicious code, denial of service, eavesdropping, spoofing, social engineering, phishing, and password attacks.

Slide 57: Summary (cont.)
- Malicious code is used to attempt to interfere with or gain control of a system.
- Access management processes include access requests and provisioning, internal transfers, terminations, periodic reviews, and audits.
- Separation of duties: split tasks between two or more people
- Least privilege: minimize user access
- Defense in depth: protect assets with many controls

Slide 58: Summary (cont.)
- Audit log analysis helps to detect unwanted events.
- Types of controls: technical, physical, administrative
- Categories of controls: detective, deterrent, preventive, corrective, recovery, compensating
- Access controls are tested with security scanning, penetration testing, application vulnerability testing, log analysis, and code reviews.
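The "Audit Log Analysis" slide (54) names attempted break-ins and account abuse as events to detect, and the "Password Guessing" slide (36) describes the attack that produces the most recognizable log pattern. As an added example written for this page (not the textbook's), the script below parses a constructed authentication log and raises alerts for a burst of failed logins, a success following such a burst, and any login by an account that should have been revoked. The log line format, the sample lines and the terminated-account list are all constructed.

```python
# Added example (not from the slides): audit log analysis over constructed
# log lines, looking for the password-guessing pattern and account abuse.
# The line format below is constructed for the demonstration, not a real
# product's format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 5                 # failures in one window that count as guessing
WINDOW = timedelta(minutes=10)
TERMINATED = {"dave"}              # constructed: accounts that must have no access

# Constructed sample log: bob is subjected to guessing and then logs in,
# carol mistypes once, dave's account should already have been revoked.
SAMPLE_LOG = """\
2016-06-30T08:01:10 auth OK user=alice src=10.0.0.5
2016-06-30T08:02:00 auth FAIL user=bob src=10.0.0.9
2016-06-30T08:02:05 auth FAIL user=bob src=10.0.0.9
2016-06-30T08:02:11 auth FAIL user=bob src=10.0.0.9
2016-06-30T08:02:18 auth FAIL user=bob src=10.0.0.9
2016-06-30T08:02:25 auth FAIL user=bob src=10.0.0.9
2016-06-30T08:02:40 auth OK user=bob src=10.0.0.9
2016-06-30T08:30:00 auth FAIL user=carol src=10.0.0.7
2016-06-30T09:15:00 auth OK user=carol src=10.0.0.7
2016-06-30T23:45:00 auth OK user=dave src=10.0.0.12
"""


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def analyze(log_text):
    """Return (timestamp, user, alert) tuples worth a reviewer's attention."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> failure timestamps inside WINDOW
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > WINDOW:      # slide the window forward
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:         # alert once per burst
                alerts.append((ts, user, f"{FAIL_THRESHOLD} failed logins within "
                                         f"{WINDOW}: possible password guessing"))
        else:
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append((ts, user, "successful login after repeated failures: "
                                         "possible guessed or cracked password"))
            if user in TERMINATED:
                alerts.append((ts, user, "login by terminated account: revocation not performed"))
            fails.clear()
    return alerts


if __name__ == "__main__":
    for ts, user, alert in analyze(SAMPLE_LOG):
        print(ts.isoformat(), user, alert)
```

A single mistyped password (carol) produces no alert, which keeps the review list focused on the patterns the slide calls out.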
