CISSP - Domain 5
Accountability - Protecting Audit Data and Log Information
'scrubbing' is deleting specific incriminating data w/ in audit logs. Audit logs should be protected by strict access control and stored on remote host. only certain individuals (admins, sec personnel) should view, modify, delete audit info. Integrity of the audit data ensured w/ digital signatures, hashing tools, strong access controls. confidentiality protected w/ encryption and access controls, even stored on write-once media (CD-ROM).
Mandatory Access Control (MAC)
(considered non-discretionary) more structured and strict than DAC; user cannot install software, change file permissions, add users, etc, system used by user for very focused and specific purposes, and that's it. Based on security label system, users given security clearance and data classified in the same way. security labels attached to all objects; every file, directory, device. MAC and DAC cannot be turned on/off; company must use OS designed to enforce it (ex: SE Linux and Trusted Solaris). Sensitivity Labels (security label) contains classification (sensitivity level like Secret, Confidential) and categories (enforce need-to-know rules like departments, projects, mgmt levels). commercial org might use confidential, proprietary, corporate, sensitive. software guard: front-end product allows interconnectivity btwn systems w/ diff security levels. hardware guard: hardware used (ex: NICs) inbtwn systems w/ diff security levels that need to comm.
remote access protocols (AAA protocols, authentication, authorization, auditing) - DIAMETER
(play on term RADIUS) protocol using TCP developed to build upon functionality of RADIUS and overcome its limitations, as well as combine TACACS+ functionality. Provides more flexibility and capabilities to meet new demands of today's complex and diverse networks. consists of two portions: - base protocol: provides secure comms among diameter entities, feature discovery, version negotiation w/ defined header formats, security options, commands, and AVPs. - extensions: built on top of base protocol to allow various technologies to use diameter for authentication. * unlike client/server process where server cannot speak to clients unless spoken to, diameter is a peer-based protocol allowing either end to initiate comms.
OAuth
(v 2.0 is current). Open standard for authorization to third parties. lets you authorize a website to use something you control at a diff website (ex: linkedin asks to use your google contacts, or website wants to use your contact emails addresses). if you agree, a pop-up from google asks whether you want to authorize linkedin to manage your contacts. if consent, linkedin gains access to your contacts until you rescind this authorization. four roles: - client: process requesting access to protected resource, could be linkedin. - resource server: server controlling resource client trying to access, could be google. - authorization server: system tracking which clients allowed to use which resources, and issues access tokens to those clients, could also be google, even same server. sometimes not even same entity. - resource owner: whoever owns protected resource, typically the user, and is able to grant permissions for others to use it, usually granted thru consent dialog box. Ex: User wants to tweet directly from linkedin. - User (resource owner) sends request to the client (linkedin), and is redirected to an authorization server. - client (linkedin) sends clientID, redirect URI, response type, and scopes to authorization server. - authorization server negotiates consent w/ resource owner, then sends to redirect URI an HTTPS-secured message back to client (linkedin) including in the message an authorization code (aka response type). - Client (linkedin) contacts authorization server directly w/ authorization code, clientID, and client secret. - authorization server verifies data and responds w/ access token to send requests to resource server to use as long as not expired or rescinded.
remote access protocols (AAA protocols, authentication, authorization, auditing) - RADIUS
- RADIUS: Remote Authentication Dial-In User Service; open UDP network protocol for client-server AAA to remote users. Most ISPs use RADIUS to authenticate customers. RADIUS has defined fields that accept certain values called attribute-value pairs (AVPs); clients just fill in the boxes w/ necessary info for receiving system to extract and process. - Access server requests remote user's logon credentials, passes them back to RADIUS server. - client software and access server negotiate thru handshake and agree upon authentication protocol (PAP, CHAP, or EAP). - client provides username/PW to access server over PPP connection (but only password is encrypted, other data cleartext). - Access server and RADIUS server comm over RADIUS protocol. - after authentication, client given IP address and connection parameters. access server notifies RADIUS server when session starts and stops (for billing). - RADIUS good for simpler environments where DENY/ACCEPT is good enough for remote access.
Weaknesses of Kerberos
- SPOF - must handle requests timely and scalable - secret keys and and session keys reside of user's workstation and can be captured - vulnerable to password guessing (KDC not know if dictionary attack taking place) but OS should be able to do this. - if keys too short, vuln to brute-force attacks - all client and server clocks need to be sync'd.
3 Authentication factors
- Something you know (ex: PIN, maiden name, lock combination, etc); is least expensive. - Something you have (ex: key, swipe card, badge); common for accessing facilities. - Something you are (ex: based on physical attribute, biometrics); most expensive. * authentication by knowledge, ownership, characteristic, respectively. * 'strong authentication (MFA, 2FA, 3FA): two or more factors used to authenticate a person's identity.
remote access protocols (AAA protocols, authentication, authorization, auditing) - TACACS, XTACACS, TACACS+
- TACACS: Terminal Access Controller Access Control System; TCP protocol combines authentication and authorization processes, XTACACS separates them, TACACS+ is XTACACS w/ extended 2FA. - TACACS uses fixed passwords for authentication while TACACS+ allows dynamic passwords (OTPs). - TACACS+ encrypts all data, and is not backwards compatible. Does support AppleTalk, NetBIOS, IPX. - TACACS+ better for complex environments needing granular and tighter control over remote authentication and authorization activities.
X.500 directory standard rules
- directory has tree structure w/ parent-child configuration. - each entry has unique name made up of attributes of specific object. - attributes dictated by defined schema. - unique identifiers called distinguished names. - OU = org unit, used as container of other OUs, users, resources. provide parent-child (or tree-leaf) org structure.
Directories
- directory of info pertaining to company's network resources and users, follows hierarchical database format, based on X.500 standard (ISO 9594) and type of protocol (ex: LDAP) allowing subjects and applications to interact w/ the directory. - objects managed by X.500 directory service. Directory service allows admin config and manage how ID, authentication, authorization, access control take place w/in network and w/ indiv systems. - objects labeled and identified w/ namespaces. each directory service has way identifying and naming objects, the directory service assigns distinguished names (DN) to each object, each DN represents collection of attributes (ex: domain component and common name) and is stored as an entry in the directory. - dc: .com - dc: .logicalSecurity - cn: .brett p
attackers go after passwords using...
- electronic monitoring: listening to network attack. - access password file: done on authentication server, file should be protected w/ access control and encryption. - brute-force attacks: tools cycle through possible character, number, symbol combinations. - dictionary attacks: files of thousands of words compared to user's password until match is found. - social engineering: attacker convinces individual has necessary authorization to access specific resources. - rainbow table: using table that contains all possible passwords already in hash format.
Authorization - Directory Services
- network directory service contains info about these resources and subjects and carries out access control activities. provides users access to network resources transparently, meaning don't need know location or steps to access them (ex: LDAP NetIQ, eDirectory, Microsoft AD).
Access Control Layers - Physical
- network segregation: server room and databases in certain area, doors have swipe card readers. - perimeter security: concerned w/ physically access to facilities, one environment may have guard authorizing people, another no authentication process and let everyone in, close circuit TVs, fences, lighting walkways and parking areas, motion detectors, sensors, alarms. - computer controls: control physical access to computers; locks on covers, removal of USB and optical drives to prevent copying info, etc. - work area separation: dictate only particular individuals access certain areas, ex: research companies not want office personnel enter labs. network admins only allow network staff in server rooms and wiring closets, only certain people in vaults. - cabling: some types of cables have protection around wires ensure no crosstalk, and routed throughout facility so not in way of employees or exposed to being cut/burnt/crimped/eavesdropped. - control zone: facility split into zones depending upon sensitivity of activity per zone.
Network- and Host- based IDS info
- network-based IDS: either host computers w/ necessary software of dedicated applicances -- w/ NIC in promiscusous mode (caputures all traffic, copies allpackets, apsses one copy to TCP stack and one to analyzer for patterns). - host-based IDS: can be installed on individual workstations and/or servers. HIDS usually make sure users not deleting system files, reconfig important settings, put system at risk in other ways. most environments have HIDS on critical servers only b/c resource overhead and admin nightmare. NIDS and HIDS can be: - signature-based: pattern matching, stateful matching - anomaly-based: statistical anomaly, protocol anomaly, traffic anomaly, rule- or heuristic-anomaly.
phishing and pharming
- phishing: type of social engineering to obtain personal info, credentials, credit card numbers, financial data, etc via 'lures'. - spear phishing: specific target, not large group. - whaling: specific target is big (CO, CFO, etc). - pharming: redirects victim to seemingly legit, yet fake, website via DNS poisoning (DNS server resolves hostname into incorrect IP address). can affect larger number of victims w/ out need to send emails, etc.
Access Control Layers - Administrative
- policy/procedures - personnel controls: how employees expected to interact w/ security mechanisms and address noncompliance issues. these controls indicate security actions taken when employee hired, terminated, suspended, transferred, promoted, etc. - supervisory structure: each employee has superior, that superior responsible for employee's actions. - security-awareness training: people usually weakest link, cause most security breaches and compromises. user needs know how properly access resources, why access controls in place, ramifications not using access controls properly, company can reduce security incidents. - testing: controls, mechanisms, procedures tested periodically ensure properly support security policy, goals, objectives.
Access Control Layers - Technical
- system access: username/password, Kerberos implementation, biometrics, PKI, RADIUS, TACACS+, smart card. - network architecture: constructed/enforced thru IP address ranges and subnets, and controlling comm flow btwn segments, firewalls blocking direct comms btwn internal systems and DMZ. - network access: routers, switches, firewalls, gateways all work as tech controls enforcing access into/out of network segments. - encryption and protocols: protect info as passing throughout network and residing on computers, ensure info received by correct entity and not modified during xmission. - auditing: tools and controls track activity w/ in network, on network device, or specific computer.
IDaaS integration issues
-Establishing connectivity: need ensure components comm securely. path for this traffic means creating new rules for firewalls and IDS/IPS, being restrictive enough to allow IdM traffic but nothing else. - Establishing trust: all traffic btwn nodes must be encrypted, almost certainly means PKI and CAs needed. potential issue w/ CAs is the CA may not be trusted by default by all nodes. - Incremental testing: need to test incrementally w/ roll out to ensure process works prior to go-live. - Integrated Federated Systems: degree to which systems are intertwined w/ others is sometimes not realized until attempt integrate new IdM and discover incompatible w/ external systems. take stock of every external dependency and ensure proposed solution compatible and correct parameters know/tested.
honeypot
A computer set up to entice would be attackers. It is often configured with weak security so that an attacker can easily hack into it, and usually has fake data that has no use to the company. *enticement: intruder commits a crime knowingly. *entrapment: intruder is induced or tricked into committing a crime.
Directories' Role in Identity Management
A directory used for IdM is specialized database software optimized for reading and searching b/c all resource info, user attributes, authorization profiles, roles, access control policies, etc stored in this one location. Some IdM apps need know user's authorization rights, role, employee status, clearance level so instead of app making requests to several databases it does it to one directory (ex: user attribute info (status, job desc, dept, etc.) in HR database, authentication info in Kerberos, role and group ID in SQL, resource-oriented authentication in AD on a DC -- these are commonly called 'identity stores' and located around network). 'meta-directory' gathers info from multiple sources and stores it on central directory; unified view of all users' digital identity info, syncs itself w/ identity stores periodically. 'virtual directory' same role as meta-directory but does not store info physically in it, only points to the physical location of where data resides.
Managed Service Accounts
Accounts used to run and manage services that have been deployed. Most service accounts have passwords that do not expire. It is important to carefully manage, audit, and monitor service accounts.
Federated Identity Management - Service Provisioning Markup Language (SPML)
Allows for exchange of provisioning data between apps and cooperating orgs, allows for automation of user management (creation, amendments, revocation) and access entitlement config. Also allows for integration and interoperation of service provisioning requests across various platforms. made up of three main entities: Requesting Authority (RA) making request to set up new acct or edit existing one, Provisioning Service Provider (PSP) software that responds to account requests, and Provisioning Service Target (PST) entity carrying out provisioning activities on requested system. - request originates in software of the RA. RA creates SPML message, sends to software of PSP. - PSP reviews requests and compares to organization's approved acct creation criteria. if allowed, PSP sends new SPML message to end systems (PST) user actually needs to access. - PST sets up accts and configs necessary access rights. (If employee fired later, same process follow and all user accts deleted)
Federated Identity Management - Security Assertion Markup Language (SAML)
An XML standard allowing exchange of authentication and authorization data shared btwn security domains. If Acme Corp uses gmail as email platform, could set up relationship w/ google allowing you to maintain control over access credentials and enforcing password policies via SAML. - Acme Corp user attempts access gmail accounts. google uses user's browser to redirect request to Acme's SSO service w/ a SAML request. - Acme parses SAML request and authenticates user. Acme generates SAML response to back to user browser and browser sends to google. - google verifies SAML response and user is allowed to view gmail. * SAML provides authentication to federated identity management systems to allow business-to-business and business-to-consumer transactions. can also be used for web services (weather updates, stock prices, email, etc) provided on distributed systems.
Hybrid Federated Identity
Combines both on-premises and cloud solutions to provide federated identity services.
Establishment / Proofing / Registration
Determining what that user's identity will be. Proofing is the act of ensuring that a person is who he claims to be. Registration is act of entering the identity into the IAM solution.
Role definition
Determining which roles will be needed and which permissions each role should be granted.
emanation security
Electronic device emit electronic signals and attacker can have right equipment and be in right place to intercept the info from airwaves. Can also do it from fiber as light escapes cladding.
Federation
Federated identity: portable identity, and its associated entitlements, that is used across business boundaries. allows user be authenticated across multiple, IT system sand enterprises. 'web portal' fctns are parts of websites acting as point of access to info (ex: college portal for students, parents, faculty). presents info from diverse sources in unified manner, can offer various services (email, news, updates, stock prices, etc). Portals combine web services from several diff entities and present them in one central site.
Integrity
Info must be accurate, complete, and protected from unauthorized modification.
Just In Time (JIT)
JIT access enables organizations to grant access to applications or systems for predetermined periods of time, on an as-needed basis. With JIT provisioning, if a user doesn't already have an account in a target application, the IAM system creates the account for a user on the fly when the user first accesses the application.
Authorization - Kerberos
Kerberos example of SSO for distributed environments. Client/server model using symmetric key cryptography. default authentication method for Windows OS, Apple macOS, Oracle Solaris, Red Hat Enterprise Linux, also use it. Four elements for enterprise access control; scalability, transparency, reliability, security. can put time limit on credentials, too. - KDC: holds all users' and services' secret keys, provides authentication, key distribution. provides security to 'principles' (can be users, apps, or services). KDC must have acct for, and share secret key with, each principle. 'realm' is set of principles, Kerberos can have several realms so admins can logically group resources/users. - ticket: generated by ticket granting service (TGS) on KDC and given to principle when needs to authenticate to another principle. *user enters username/PW on computer, computer's kerberos software sends it to authentication service (AS), KDC sends back TGT encrypted w/ TGS's secret key. if authenticated, TGT decrypted and user gains access. *if need resource, system sends TGT to TGS on KDC w/ request to access resource. (TGT allows user prove been authenticated so can request resources). * TGS creates/sends second ticket (two instances of same session key, once encrypted w/ user's secret key and other encrypted w/ resource's secret key, as well as authenticator [id info on user, user's IP, sequence #, timestamp]) to user to use resource. *user system decrypts and extracts session key, adds second authenticator set of ID info to ticket, sends it to resource. *resource decrypts and extracts session key, decrypts and extracts two authenticators in ticket. if resource can decrypt/extract session key knows KDC created ticket b/c only KDC has the secret key to encrypt session key. if authenticator info KDC and user put into ticket matches, print server knows received ticket from correct principal.
OpenID Connect (OIDC)
Layer built on OAuth 2.0. allows transparent authentication and authorization of client resource requests. Most often used to allow web application (relying party) to authenticate an end user using third-party IdP, but also get info on that user from that IdP. Three flows: - Authorization code flow: relying party is provided authorization code (token) and use it to directly request ID token containing user info from the IdP. (considered more secure than implicit flow b/c authorization code is used to comm directly w/ IdP to get ID data, where ID data in implicit flow is sent thru the browser). - Implicit flow: relying party receives ID token containing user info w/ redirect response from IdP after authentication and consent. token is passed thru user's browser. - hybrid flow: combination of previous two flows. *like OAuth but when client sends authorization server clientID, redirect URI, response type, the scope is "OpenID". Authorization server goes thru same consent steps w/ user and authorization code w/ client, but client gets back access token and 'ID token' (JSON web token [JWT]) that client can use to extract ID data about user and gain other info if needed (these ID data elements are known as 'claims').
IDS Sensors
Network-based IDSs use sensors for monitoring, works as analysis engine, placed on network segment needing monitoring. receives raw data from event generator, compares it to signature database, profile, or model, depending on type of IDS. If a match sensor works w/ response module determine type of activity must take place (alerting via SMS or email, reconfig firewall, etc). Sensor's role to filter received data, discard irrelevant info, and detect suspicious activity. monitoring console monitors all sensors, supplies network staff overview of activities to enable network-based intrusion detection to work. sensor placement critical; can place sensor outside firewall to detect attacks and inside to detect actual intrusions. should also be in highly sensitive areas, DMZs, extranets.
legacy single sign on (SSO)
SSO allows user to authenticate one time, then access resources w/ out needing reauthenticate. Person attempts access to network application, application sends request for credentials to SSO software, SSO software responds to the application for person. SSO can be bottleneck and point of failure for those systems using SSO if it goes down. also expensive for larger environments.
user provisioning
The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. - user objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. - services may include email, access to database, access to file server, etc.
race condition
Two or more processes use shared resource, as in data w/in variable, but process 2 carried out task on data before process 1; result much diff than if process 1 carried it out first. In software, authentication and authorization steps split into two functions; possibility attacker use race condition to force authorization step 'before' authentication step.
Risk based access control
Uses risk to make access decisions. It performs a risk analysis to estimate the risk value related to each access request. The estimated risk value is then compared against access policies to determine the access decision.
Verification one-to-one v one-to-many
Verification 1:1: measurement of identity against a single claimed identity (ex: is this person who he/she claims to be?). Verification 1:n: measurement of a single identity compared against multiple identities (who is this person?).
Authorization - Default to No Access
access control should default to no access. if access no explicitly allowed, should be implicitly denied.
content-dependent access control
access to objects determined by the content w/ in object. content of the database fields dictate which users see specific info w/ in the database tables (ex: nurse can see labs in med records but not HIV labs). used when orgs use email filters looking for specific strings, such as 'confidential', 'social security number', 'top secret'. also used to control web surfing.
Hierarchical RBAC
allows admin set up org RBAC model mapping to org structures and functional delineations. Most often, higher in chain of command you are, more access you have. Hierarchical RBAC... - uses role relations in defining user membership and privilege inheritance (nurse can access some, lab accesses others, docs can access both -- doc inherits rights assigned to lab and nurse). - reflects org structures - supports 2 types of hierarchies: * limited (one level of hierarchy allowed; role 1 inherits from role 2 and no other) * general (allows many levels of hierarchies; role 1 inherits role 2 and role 3 permissions). Separation of duties: * static separation of duties (SSD) thru RBAC: deter fraud by constraining combination of privileges [can't be cashier and accounts receivable]. * dynamic separation of duties (DSD) thru RBAC: deter fraud by constraining combination of privileges activated in any session [cannot be cashier and cashier supervisor at same time] but can be member of both.
Authorization - Single Sign On (SSO)
allows user enter credentials one time and access all resources in primary and secondary nework domains.easier to sign on once for many things, and too much time devoted to resetting passwords for users who forget them. To work properly, every platform, app, and resource needs to accept same type of credentials in same format and interpret meanings the same. Rare to see real SSO environment, usually a cluster accept same credentials but not everything. SSO technologies: - Kerberos (KDC and tickets, symmetric cryptology) - Security domains: resources under same sec policy and managed by same group - directory services: tech allows resources named standardized manner, access control centrally maintained - thin clients: terminals rely upon central server for access control, processing, storage
password synchronization
allows user to maintain just one password across multiple systems; product will sync password to other systems and applications transparently to the user. (problem: same password for multiple resources).
proofing of identity
almost always carried out by HR who would have had to verify an identity for tax and benefit purposes. new account request sent to employee's manager who verifies the permissions person needs.
one time password (OTP)
also called dynamic password, good only once. two general types: - synchronous (synchronous token): time-based. - asynchronous (asynchronous token): not time-based. - token most common implementation for OTP, generates one-time password for user to submit to authentication server. commonly in three formats: dedicated physical device w/ small screen displaying OTP, smartphone application, and service sending SMS to a phone. *soft token: tokens generated in software.
Federated Identity Management - Service-Oriented Architecture (SOA) environments
architecture based on services, providing way to use independent services on diff systems in diff business domains in one consistent manner. ex: your company has employee directory in CRM, as well as help-desk ticketing application, all on a web portal. This is most likely being provided through an SOA b/c employee directory in CRM is w/ in marketing dept and ticketing is w/ in the IT dept, but can interact w/ both in one interface.
Authorization - Authorization Creep
as people work at same place over long periods their access changes. w/out process to deny access to objects/data no longer needed they have far more access than required.
Confidentiality
assurance that info is not disclosed to unauthorized individuals, programs, or processes. activities need to be controlled, audited, monitored. *confidential info could be health records, financial account info, criminal records, source code, trade secrets, military tactical plans.
spoofing at logon
attacker uses program that presents fake logon screen, tricks user into attempting log on. fake error message can appear indicating user mistyped credentials, at which point program hands control over to OS prompting user for username and PW and user logs in w/out knowing malicious program captured first entry.
Smart card attacks
attackers have introduced computational errors to smart cards w/ goal of uncovering encryption keys. the "errors" manipulate some environmental components of the card (changing input voltage, clock rate, temperature fluctuations). attacker reviews results of encryption fctn after the error and reviews correct result, when no errors introduced. analysis of diff results may allow reverse-engineer encryption process. *referred to as 'fault generation'. other side-channel attacks: differential power analysis (examine power emissions during processing), electromagnetic analysis (diff freqs emitted), and timing (how long process takes). software attacks: noninvasive, goal is input instructions that allow attacker extract account info. 'microprobing' uses needleless and ultrasonic vibration to remove outer protective material on card's circuits. once completed, data can be accessed and manipulated by tapping into card's ROM chips.
Accountability - Review of Audit Information
audit trails can be reviewed manually or automated; either way they must be reviewed and interpreted. real-time, or near real-time, audit analysis can use automated tool to review audit info as it is created. retention of info should be in company's security policy and procedures. 'audit-reduction tool' reduces amount of info w/in audit log, discarding mundane tasks and records system performance, security, user functionality that is useful. security event management (SEM) also called security info and event management (SIEM) systems, gather logs from various devices (servers, firewalls, routers, IPS/IDS, proxies, etc) and correlate log data to provide analysis via centralization, standardization, and normalization.
Authorization - Security Domains
builds upon definition of domain by adding resources w/in logical structure (domain) that are working under same security policy and managed by same group. Domains separated by logical boundaries (routers, firewalls. domains can be architected in hierarchical manner dictating relationship btwn different domains and ways subject w/in diff domains can communicate. Comm channels controlled by security agents (firewalls, router ACLs, directory services), and individual domains isolated by subnet mask address.
password manager (password vault)
can be stand-alone application or feature w/in another application (like a web browser) that stores user identifiers and passwords in encrypted data store. user needs only remember master password. can offer random password generation.
smart card
capability to process info b/c has microprocessor and integrated circuits. smart card can provide 2FA b/c user HAS card and KNOWS PIN. can also hold info encrypted. Two categories of smart cards: - contact: gold seal on face of the card, electrical fingers wipe against card in exact position chip contacts located, supplies power and data I/O to chip. - contactless: has antennas wire surrounding perimeter of card, when comes w/in electromagnetic field of reader antenna generates energy to power internal chip, authentication completed by OTP employing challenge/response value or providing private key if w/ in PKI environment. (two versions of contactless are hybrid [two chips so can use both contact and contactless formats] and combi [one microprocessor can comm w/ both contact and contactless formats]).
keystroke dynamics
captures electrical signals when person types specified phrase of their speed and motions.
identity repository
centralized directory; can be amalgam of HR database, identity data, and other identity stores, or a database of pointers to identity data in the other stores.
profile update
collection of data associated w/ a user; data can be email address, home address, phone number, etc. when profile contains nonsensitive data user can update himself, called 'self-service'.
system account access review
conduct system acct access reviews periodically and when certain conditions met; every system acct eventually needs to be disabled or deprovisioned.
palm scan
creases, ridges, grooves throughout that are unique to a specific person. also includes fingerprints of each finger. hand geometry: shape of hand that includes length, shape, width. differs significantly btwn people. system compares each finger and hand as a whole.
context-dependent access control
decisions based on context of collection of info rather than sensitivity of the data; reviews the situation. ex: firewalls make context-based decisions when collecting state info on packet before allowing it into network. some software can track user's access requests in sequence, making decisions based on previous requests.
deprovisioning
deprovisioning can leave orphaned resources (files created by someone who was fired or quit). should xfer ownership of resources to someone else.
Identification
describes method by which subject (user, program, process) claims to have specific identity (username, acct number, email address). secure identities should have 3 aspects: uniqueness, nondescriptive (credential set not indicate purpose of account; ex: administrator), issuance (elements provided by authority; ex: ID cards issued by security/HR). digital identity made up of attributes (dept, role, clearance, etc), entitlements (resources available to them, authoritative rights in company, etc), traits (biometric info, height, sex, etc).
Identity Management (IdM)
describes use of products to identify, authenticate, authorize users thru automated means; user acct mgmt, access control, credential mgmt, SSO, right and permissions mgmt. IdM reqs mgmt of identified entities, attributes, credentials, entitlements. Can be directories, web access management, PW mgmt, legacy sign-on, acct mgmt, profile update.
Intrusion Detection System (IDS)
detects security breaches, unauthorized use, attacks on computer, network, and/or telecom infrastructure and sounds an alarm by flashing message or sending email, even reconfiguring firewall ACL settings. All IDSs have three common components: sensors (collect traffic and user activity data and sends to analyzer), analyzers (looks for suspicious activity and if finds it sends alert to admin interface), admin interfaces. IDSs can watch for attacks, parse audit logs, terminate a connection, alert admins, expose hacker's techniques, illustrate vulns to be addressed, possibly help track down hackers. - network-based: monitor network comms - host-based: analyze activity w/ in particular computer system
Authorization - Access criteria
diff access criteria enforced by roles, groups, location, time, transaction types. - using 'roles' is efficient way assign rights to type of user who performs certain task, role is based on job assignment or function. - using 'groups' is another way, if several users require same type of access to info and resources put them into group then assign rights/permission to that group. - physical or logical location: access granted only if user can log on interactively to a computer, meaning user must be physically at computer and enter credentials locally. - time of day (or temporal isolation): access controlled to objects during specific times of day. - transaction type: restrictions control what data is accessed during certain types of fctns and what commands carried out on the data.
facial scan
diff bone structures, nose ridges, eye widths, forehead sizes, chin shapes; all captured during facial scan and compared to earlier captured scan. can be fooled by photo; thwart that by performing three-dimensional measurement (projecting thousands of infrared dots on face).
hand topography
different peaks and valleys of the hand, along w/ overall shape and curvature. place hand on system, off to the side camera snaps side-view pic of hand from diff view and angles. topography not unique enough by itself so is commonly used w/ hand geometry. some look for pulse and/or heat to make sure not a fake hand.
Discretionary Access Control (DAC)
enables owner of the resource to specify which subjects can access specific resources. network admin allows resource owner(s) control who has access to their files, most common implementation of DAC thru ACLs dictated/set by owners and enforced by OS. Permissions of No Access, Read (r), Write (w), Execute (x), Delete (d), Change (c; can read/write/execute/delete), and Full Control (all above plus edit permissions) exist. *non-discretionary access control means access decisions not made at discretion of user but put int place by authoritative entity (security admin) to protect assets (PC time, alter system config files, etc).
Accountability - Auditing
ensures users accountable for their actions, verifies security policies are enforced, can be investigative tool. important to maintain proper chain of custody to ensure data collected properly and accurately represented in case used for criminal proceedings or investigations. - store audits securely - right audit tools keep size of logs under control - logs protected from unauthorized changes - train right ppl to review data in the right manner - ability delete logs only avialable to admins - logs contain activities of all high-privileged accounts Must config clipping level for each event: * system-level events: sys performance, logon attempts, logon ID, data/time logons, lockouts, devices used, functions performed, requests to alter config files. * app-level events: error messages, files opened/closed, modifications of files, security violations w/ in apps. * user-level events: identification and authentication attempts, files-services-resources used, commands initiated, security violations.
cognitive password
fact- or opinion-based info to verify an individual's identity. user enrolled by answering questions based on life experiences. help desk staff use them to make sure talking to right person based on answers to those questions.
Access
flow of info btwn subject and object.
asynchronous token device
generating method w/ challenge/response to authenticate user. authenticatoin server sends user a challenge, random value, also called nonce. user enters this random value into token device, device encrypts and returns value for user as OTP. user sends OTP and user ID, authentication server decrypts and compares challenge.
synchronous token device
handheld device w/ LCD display possibly a keypad. separate from the computer. device and authentication service must be sync'd. device presents user w/ list of characters to be entered (the token). synchronous token device: syncs w/ authentication service by time or a counter. if time-based, device and authentication service must hold same time w/ internal clocks. time value on device and secret key used to create OTP. user enters it into PC and is passed to authentication service, where decrypted and compared to value expected. counter-synchronization (event-based): user initiates creation of OTP pushing a button on device, device and authentication service advance to next authentication value. this value and a base secret hashed and displayed to the user, user enters into PC w/ user ID. *SecurID: from RSA Security is well-known time-based token, does math on time, date, and ID of token card. Another version required PIN on the device (this creates a 2FA situation).
memory cards
holds info but cannot process info. can hold identification data pulled by the card reader. can have PIN associated w/ card, too (ATM cards).
TEMPEST
how to develop countermeasures that control spurious electrical signals emitted by electrical equipment. special shielding used on equipment to suppress the signals as they radiate from devices. TEMPEST equipment is implemented to prevent intruders picking up info thru airwaves and must meet specific standards. devices (monitors, printers, etc.) have outer metal coating to create Faraday cage. this tech is complex and expensive, therefore only used in highly sensitive areas. - alternative: use white noise or control zone concept. * white noise, uniform spectrum of random electrical signals over full spectrum so attacker cannot decipher real info from noise. * control zone, putting databases and/or server rooms in center of building, using material to prevent leak of electrical signals, etc.
IDS and network traffic
if traffic volume exceeds IDS's threshold, attacks may go unnoticed; diff sensors should be set up to analyze each packet for diff signatures so analysis load broken up over diff points.
Core RBAC
integrated in every RBAC implementation b/c is the foundation of the model. Core RBAC has - many-to-many relationship among individual users and privileges (user can belong to many groups, all w/ various privileges). - uses session as mapping btwn user and subset of assigned roles (each log on creates session and user has access to various privileges based on their user role). - accommodates traditional but robust group-based access control. *RBAC can also use time of day, day of week, location of role, etc. for access decisions.
smart card standardization
interoperability is big problem right now. ISO/IEC standards for smart cards: ISO/IEC 14443-1: physical characteristics ISO/IEC 14443-2: radio freq pwr and signal interface ISO/IEC 14443-3: initialization and anticollision ISO/IEC 14443-4: transmission protocol
authoritative system of record (ASOR)
location where identity info originates and is maintained. should have most up-to-date and reliable identity info. tree-like structure tracking subjects and authorization chains.
Federated Identity Management - Access Control & Markup Languages
markup language is way to structure text and data sets, it dictates how to be viewed and used. when adjust margins in word processor, you are marking up the text in the processor's markup language. Industry needed interoperability, so made Extensible Markup Language (XML); universal and foundational standard providing structure for other independent markup languages to be built from and remain interoperable. Each markup language has own functionality but follow core rules of XML. *Org for Advancement of Structured Info Standards (OASIS) develops/manages these standardized languages.
network service
mechanism that identifies resources (printers, file servers, DCs, peripheral devices) on a network.
access control monitoring
method of keeping track of who attempts to access specific company resource
Accountability - Keystroke Monitoring
monitors keystrokes during active session. usually done for special cases and only specific length of time b/c amount of info captured is overwhelming. If company wants to do this auditing, should state so in security policy, address issue in security awareness training, and present banner notice to users that activities at computer may be monitored in this fashion; it also protects the company from violating individual's privacy.
Iris scan
most accurate scan because high number of reference coordinates and remains consistent throughout adulthood. colored portion of eye around pupil. unique patterns, rifts, colors, rings, coronas, furrows. captured by camera, compared w/ info gathered during enrollment phase.
user access review
need process to review periodically (or upon certain conditions) every user account to ensure don't have active accts no longer needed. user accts should be disabled or deprovisioned when terminated, or other situations (sabbatical, extended vacation, hospitalization, long-term disability, investigation for wrong-doing, unexpected disappearance).
OpenID
open standard for user authentication by third parties. Like SAML but user's credentials are maintained not by their company, but by third party. Useful b/c company does not need to develop/maintain own authentication system. Instead, free to use any IdP (identity provider) or group of IdPs that conforms to the standard. OpenID has 3 roles: end user, relying party (server owning resource user trying to access), OpenID provider (the IdP the end user already has an acct with and will authenticate user to relying party). -user's agent (typically a browser) requests a protected resource from relying party. - relying party connects to OpenID provider and creates shared secret for this transaction (used later). - relying party server redirects user agent (browser) to the OpenID provider for authentication. once authenticated, browser receives redirect to relying party; redirect contains authentication token, known as the OpenID, containing field signed w/ shared secret so relying party is assured user is authenticated.
password checkers
orgs test user-chosen passwords using tools performing dictionary and/or brute-force attacks to detect weak passwords. tools called 'password checker' is really a password cracker used by security professionals; usually used by hackers most of the time and are one and the same.
password policies
password generators can be used create passwords, shouldn't create complicated, unpronounceable, dictionary words. admins should set certain number failed login attempts (type of clipping level) w/ threshold for lockout period. also set lifetime for password and length, with diff cases and special characters.
password hashing and encryption
passwords hashed (usually w/ MD4 or MD5) to protect them, then stored. Linux and Unix use a file titled "shadow". Unix systems use salt (random values at the end of a string) to change the hash even if using the same password.
Signature-based IDS _ pattern matching
pattern matching: look for signatures of attacks based on cases (source IP, etc.), but weak against zero-day attacks.
provisioning
pertains to creation of user objects or accounts. for people, part of the onboarding process. digital identities issued only to the right folks, usually involving reviews/approvals from HR staff, individual's supervisor, and IT dept. also pertains to system accts, usually associate w/ services and automated agents and oftentimes require privileged access. documentation always important.
Authentication
process by which system verifies identity of the subject, usually by requiring piece of info only the claimed identity should have. could be password, passphrase, cryptographic key, personal ID number (PIN), anatomical attribute, or token. *Identification and authentication make up subject's 'credentials'.
Dictionary Attack
program fed lists (dictionaries) of commonly used words or character combinations, hashes them, then compares values to identify previously discovered hashed passwords. countermeasures: * don't allow PWs sent in cleartext * encrypt PWs /w encryption or hashing * employ one-time PWs or tokens * use hard-to-guess PWs * rotate PWs frequently * employ IDS to detect suspicious behavior * use dictionary-cracking tool identify bad PWs * use special characters, #s, upper/lower case * protect PW files
network sniffers
program or device examining traffic on LAN segment, has access to network adapter that works in promiscuous mode and a driver that captures the data. very hard to detect. normally used by white hats to track problems w/ the network.
passwords
protected string of characters used to authenticate an individual. identification w/ password most common authentication system but also weakest.
mobile IP
protocol allowing mobile devices to keep IP address while roaming; a 'home' IP address and a 'care-of' IP address.
Anomaly-based IDS _ protocol-anomaly
protocol-anomaly: have specific knowledge of each protocol they monitor; anomaly pertains to format and behavior of a protocol. protocols also have theoretical usage (per their RFC) and real-world usage (where vendors stretch their typical use). successful attacks emploit vulns in protocols themselves (ex: ARP not have protection against ARP attacks, ICMP used in Loki attack to move data one place to another, IP headers easily modified for spoofed attacks).
Radio Frequency Identification (RFID)
provides data comm thru radio waves. object contains electronic tag w/ integrated circuit for storing and processing data, modulating and demodulating RF signal, can be identified and communicated with thru reader w/ antenna for receiving/xmitting signals. common security issue is RFID data can be captured in transit across radio waves (has no encryption).
object reuse
reassigning to a subject media previously contained one or more objects, i.e., before reusing a hard drive, USB, or tape, it is cleared of any residual info on it. also applies to objects reused by computer processes, such as memory locations, variables, registers. any sensitive info left by process should be securely cleared before another process can access the object. *some hackers have made sectors of a hard drive appear 'bad' to an OS, thereby hiding data in it.
Availability
resources must be available to users in timely manner, fault tolerance and recovery in place to ensure continuity of availability of resources.
Constrained user interfaces
restrict users' access by not allowing to request certain functions or info, or have access to specific system resources. three major types: menus and shells, database views, physically constrained interfaces (implemented by providing only certain keys on a keypad or certain touch buttons on a screen, ex: buttons on an app are the only ones you can choose).
fingerprints
ridge ending and bifurcations, exhibited by friction ridges and other detailed characteristics called minutiae. 'fingerprint' systems store full fingerprint, but 'finger-scan' extracts specific features from print and stores just that information.
Anomaly-based IDS _ rule-based anomaly
rule-based: commonly associated w/ an expert system (has knowledge base, inference engine, rule-based programming). knowledge represented as rules (if situation, then action), data to be analyzed referred to as facts. ex: system logs pulled by IDS and put in fact database; preconfig'd rules applied to data to find anything suspicious. IF user creates file1 AND file2, SUCH THAT in the same directory, THEN call Admin Tool TRIGGER send alert. Inference engine can infer new info from provided data using inference rules.
Access controls
security features control how users and system scomm and interact w/ other system sand resources. protect from unauthorized access and can participate in determine level of authorization.
password resets (self-service and assisted)
self-service: allows user to change password themselves, authenticating thru question and answer. assisted: help-desk employee (authenticating user first), but after password reset should ask user to change password again ensuring only user knows it.
passphrase
sequence of characters longer than a password. user enters phrase, application transforms value into virtual password. more secure than password because longer and harder obtain by attacker. user more likely to remember passphrase than password.
Session Management
session: agreement btwn two parties to comm interactively. session management is process of establishing, controlling, terminating sessions, usually for security reasons. controlling session can involve logging start and end and anything inbtwn, even indicia of malicious activity. most common reasons for terminating sessions: timeout, inactivity, anomaly (suspicious behaviors like requests for data larger than usual or comms w/ unusual/forbidden destinations).
password aging
set expiration date for passwords forces users to change them; may also keep list of last 'n' passwords to avoid overuse.
Authorization - Need to Know
similar to the least-privilege principle, based on concept given access only to info absolutely require to perform job duties.
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
skewed representation of characteristics a person must enter to prove subject is human and no automated tool ('bot).
Application-based IDS
specialized IDS can monitor specific apps, very fine grained and detailed. used to capture specific app attack types, but will miss general OS-based attacks. Implemented where critical app carrying out encryption functions that would obfuscate its comm channels from other types of IDS.
Federated Identity Management - Simple Object Access Protocol (SOAP)
specification outlines how info pertaining to web services is exchanged in structured manner, provides basic messaging framework allowing users to request service, and in exchange, service made available to that user. ex: if need to interact w/ CRM system hosted by SalesForce, you log into company's portal and click link for salesforce. portal takes request and authentication data, package it up in SAML format (for authentication) and encapsulate data into SOAP message (for the CRM system). message xmitted over HTTP to salesforce, once authenticated provided w/ screen showing customer database.
capability table
specifies access rights a certain subject possesses to specific objects. diff from ACL b/c subject is bound to capability table, where object bound to the ACL. - capability is a row in the matrix - ACL is a column in the matrix, mapping values from access control matrix to the object
voice print
speech sounds and patterns have many subtle differences.
Signature-based IDS _ state-based
state-based: when OS sees user log on, user open app, app comms w/ another app, etc. is a state transition. specific state changes occur w/ specific attacks. ex: remote buffer overflow; remote user connects, remote user sends data to app, data executed and overwrites buffer and possibly other memory segments, malicious code executes. (initial state is prior to attack, compromised state is after attack). ex: land attack, attacker modifies packet so receiving system replies to its own IP address. also weak against zero-day attacks.
Anomaly-based IDS _ statistical-anomaly
statistical-anomaly: behavioral-based system, put into learning mode to build profile of environment's normal activities, then all future traffic/activities compared to it. each packet given anomaly score indicating degree of irregularity. if score higher than threshold of normal behavior preconfigured action takes place. can detect zero-day attacks, and low-and-slow attacks (packets sent over long period of time). also gets high number of false-positives; need determine proper thresholds for statistically significant deviations.
subject v object
subject can be user, program, process that accesses object to accomplish a task. object is a passive entity containing info or needed functionality; can be a computer, database, file, program, directory, field in a table w/ in a database. *4 steps for subject to access object: identification, authentication, authorization, accountability.
sudo
sudo command is a program for Unix/Linux systems that allows users to run programs with the security privileges of another user, by default the superuser. The use of sudo can allow users to issue commands as a superuser. Minimizing its use is recommended.
retina scan
system reads blood-vessel pattern of retina on backside of the eyeball. extremely invasive and involve privacy issues. info is obtained can be used in diagnosis of medical conditions, so can be considered PHI and subject to HIPAA.
access control matrix
table of subjects and objects indicating what actions subjects can take upon objects, data structures that programmers implement as table lookups used/enforced by OS. this is usually an attribute of DAC models, access rights assigned directly to subjects or the objects.
logical access controls
technical tools for identification, authentication, authorization, accountability. Logical access controls can be embedded w/in OS, apps, add-on security pkgs, database and telecom management systems. *logical and technical can be used interchangeably when person enters public info (employee number, username, account number) that is the identification step. when person enters private info (password, smart card, OTP, PIN, etc) that is the authentication step.
Authorization - Thin Clients
thin-client technology another type of SSO b/c users authenticate only to central server or mainframe, which then provides access to all authorized and necessary resources. user starts it, it runs short list of instructions, points itself to server that downloads OS or interactive OS to the terminal.
Anomaly-based IDS _ traffic-anomaly
traffic-anomaly: detect changes in traffic patterns, as in DoS attacks or new service that appears; once profile is built all future traffic compared to that profile. thresholds tunable.
Intrusion Prevention System (IPS)
transitional IDS only detects something bad. goal of IPS is detect and disallow something bad. IPS can be host-based or network-based, like IDS. can be content-based (decisions based upon protocol analysis or signature matching capabilities), can also use rate-based metric (focusing on volume of traffic like floods of packets or excessive system scans, or even low-and-slow attacks).
brute-force attacks (aka exhaustive attack)
trying every possible combination until correct one identified. most effective way to uncover PWs is through hybrid attack (combination of dictionary and brute-force) where dictionary attack found beginning of PW and brute-force finds the rest. war dialer inserts long list of phone numbers into dialing program in hopes of finding a modem (even fax machine) to exploit. countermeasures: * perform brute-force attacks find weaknesses and hanging modems * make sure only necessary phone numbers made public * provide access control methods making brute-force attacks less successful * monitor/audit for such activity * employ IDS * set lockout thresholds
Identity as a Service (IDaaS)
type of software as a service configured to provide SSO, federated IdM, and password mgmt services. can be... - on-prem: all resources remain under your phys control. makes sense where networks are not directly connected to Internet, such as critical infrastructure and military orgs. - outsourced: IdM managed through contracted vendor. Issue: some regulated industries not able to leverage IDaaS and remain compliant b/c outsourced IdM provider cannot meet regulations. Also, this is critical data that now resides off-site and presents security concern.
access control list
used in OS, apps, router configs. lists of subjects authorized to access a specific object, and define level of authorization granted.
Federated Identity Management - Extensible Access Control Markup Language (XACML)
used to express security policies and access rights to assets provided thru web services and other apps. SAML is way to send authentication info (password, key, digital cert) in standard format. XACML is both access control policy language and processing model to be interpreted and enforced in standard manner. ex: when password sent to system B, rules engine on that system interpret and enforce XACML access control policies. if access policies are created in XACML format, then can be installed on both system A and system B for consistent security enforcement.
Attribute-Based Access Control (ABAC)
uses attributes of any part of system to define allowable access. attributes can belong to subjects, objects, actions, or contexts. possible attributes could be... - subjects: clearance, position, title, dept - objects: classification, files pertaining to particular project, HR records, location - actions: review, approve, comment, archive, config, restart - context: time of day, project status (open/closed), fiscal year, ongoing audit
Role-Based Access Control (RBAC)
uses centrally administrated set of controls, levels can be based upon necessary operations and tasks a user needs to do. lets access to resources based on the role user holds w/ in company. RBAC simplifies access control by allowing permissions managed in terms of user job roles. best for business w/ high turnover. *rights/permissions assigned explicitly are assigned to a person. rights/permissions assigned implicitly are assigned to a role or group. RBAC managed in following ways: - non-RBAC: users mapped directly to apps and roles not used. - limited RBAC: users mapped to multiple roles and mapped directly to other types of apps that do not have role-based access functionality. - hybrid RBAC: users mapped to multipapplication roles w/ only selected rights assigned to those roles. - full RBAC: users mapped to enterprise roles.
Rule-Based Access Control
uses specific rules indicate what can and cannot happen btwn subject and object, built on top of RBAC and is commonly called RB-RBAC. Based on "if x, then y" rules. can be simple as in "if user ID matches unique user ID in digital cert then user has access", or set of complex rules as in "if user accessing system btwn Monday and Friday btwn 8am and 5pm, and if security clearance equals or dominates object classification, and if has need-to-know, then user has access".
cryptographic keys
using private key to generate digital signature. could be in place of password. digital signatures are forms of authentication in environments that require higher security. digital signature uses private key to encrypt hash value (message digest). This is the act of digitally signing. digital signature attached to message proves message originated from specific source and message not changed in transit.
biometrics
verifies individual's identity analyzing unique personal attributes or behavior. much more expensive and complex than other identity verification processes. Physical attributes like iris, retina, fingerprints more accurate b/c don't typically change and harder to impersonate. biometric authentication should take no longer than 10 seconds. 2 categories: physiological (what you are) and behavioral (what you do). system must be calibrated... - Type I (false rejection rate [FRR]: rejects authorized individual. - Type II (false acceptance rate [FAR]): accepts unauthorized individual. most dangerous. * crossover error rate (CER) (aka equal error rate): percentage metric where false rejection rate equals false acceptance rate. CER of 3 more accurate than CER of 4.
web access management (WAM)
web access management controls what users can access using web browsers to interact w/ web-based enterprise assets; main gateway btwn users and corporate web-based resources. commonly a plug-in for web server, will query directory, authentication server, potentially a back-end database before serving up resource. Also provides SSO. Basic components: browser, web server w/ WAM front processor, policy server on back end connected to policy database and directory, policy manager on a PC. process: - user logs in to web server w/ credentials. - web server requests WAM platform to authenticate user against LDAP directory and retrieves authorizations from policy database. - user requests access to resource. - web server verifies object access authorized and allows access to resource.
signature dynamics
when person signs something, produces electrical signals via physical motions captured by system. *don't confuse w/ digitized signature, that is simply an e-copy of a signature.