CyberOps 18-20
Access Control Models: Discretionary access control (DAC) Mandatory access control (MAC) Role-based access control (RBAC) Attribute-based access control (ABAC) Rule-based access control (RBAC) Time-based access control (TAC) ********** Another access control model is the "principle of least privilege". Which specifies a limited, as-needed approach to granting user and process access rights to specific information and tools. The principle of least privilege states that users should be granted the minimum amount of access required to perform their work function. ********** A common exploit is known as "privilege escalation". In this exploit, vulnerabilities in servers or access control systems are exploited to grant an unauthorized user, or software process, higher levels of privilege than they should have. After the privilege is granted, the threat actor can access sensitive information or take control of a system.
(DAC) -This is the least restrictive model and allows users to control access to their data as owners of that data. -DAC may use ACLs or other methods to specify which users or groups of users have access to the information. (MAC) -This applies the strictest access control and is typically used in military or mission critical applications. -It assigns security level labels to information and enables users with access based on their security level clearance. (RBAC) (Non-discretionary access control) -Access decisions are based on an individual's roles and responsibilities within the organization. -Different roles are assigned security privileges, and individuals are assigned to the RBAC profile for the role. -Roles may include different positions, job classifications or groups of job classifications. -*****Also known as a type of "non-discretionary access control." (ABAC) -ABAC allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day. (RBAC) -Network security staff specify sets of rules regarding or conditions that are associated with access to data or systems. -These rules may specify permitted or denied IP addresses, or certain protocols and other conditions. -Also known as Rule Based RBAC. (TAC) -TAC Allows access to network resources based on time and day.
Business Policies: Company, Employee, & Security Policies
***Company policies:*** >These policies establish the rules of conduct and the responsibilities of BOTH employees and employers. >>Policies protect the rights of workers as well as the business interests of employers. >>>Depending on the needs of the organization, various policies and procedures establish rules regarding: -employee conduct, -attendance, -dress code, -privacy, -and other areas related to the terms and conditions of employment. ***Employee policies:*** >These policies are created and maintained by human resources staff to identify: -employee salary, -pay schedule, -employee benefits, -work schedule, -vacations, -(and more.) >>They are often provided to new employees to review and sign. ***Security policies:*** >These policies identify -a set of security objectives for a company, -define the rules of behavior for users and administrators, -and specify system requirements. >>These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization. >>>Much like a continuity plan, a security policy is a constantly evolving document based on: -changes in the threat landscape, -vulnerabilities, -and business & employee requirements.
Centralized AAA -More scalable and manageable than local AAA
-A centralized AAA system may independently maintain databases for authentication, authorization, and accounting. -It can leverage Active Directory or Lightweight Directory Access Protocol (LDAP) for user authentication and group membership, while maintaining its own authorization and accounting databases. -Devices communicate with the centralized AAA server using either the >Remote Authentication Dial-In User Service (RADIUS) or >Terminal Access Controller Access Control System (TACACS+) protocols.
BYOD security policy
-Specify the goals of the BYOD program. -Identify which employees can bring their own devices. -Identify which devices will be supported. -Identify the level of access employees are granted when using personal devices. -Describe the rights to access and activities permitted to security personnel on the device. -Identify which regulations must be adhered to when using employee devices. -Identify safeguards to put in place if a device is compromised. Password protected access -Use unique passwords for each device and account. Manually control wireless connectivity -Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks. Keep updated -Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits. Back up data -Enable backup of the device in case it is lost or stolen. Enable "Find my Device" -Subscribe to a device locator service with remote wipe feature. Provide antivirus software -Provide antivirus software for approved BYOD devices. Use Mobile Device Management (MDM) software -MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.
A simple topology of a "defense-in-depth" approach: IMPORTANT (( SOMETHING FROM THE INTERNET)) | | R1 | | [FIREWALL] | | R2 | | LAN 1 1) The edge router screens the traffic (R1) 2) Edge router sends it to the dedicated firewall appliance (FIREWALL) 3) The firewall passes it to the Internal Router(R2) 4) R2 will apply *final* filtering rules on the traffic BEFORE it is forwarded to its destination (LAN 1)
/Edge router - The first line of defense is known as an edge router (R1 in the figure). - The edge router has a set of rules specifying which traffic it allows or denies. - It passes all connections that are intended for the internal LAN to the firewall. //Firewall - The second line of defense is the firewall. - The firewall is a checkpoint device that performs additional filtering and tracks the state of the connections. - It denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network while enabling internal users to establish two-way connections to the untrusted networks. - It can also perform user authentication (authentication proxy) to grant external remote users access to internal network resources. ///Internal router - Another line of defense is the internal router (R2 in the figure). - It can apply final filtering rules on the traffic before it is forwarded to its destination.
RADIUS
>>Functionality It combines authentication and authorization but separates accounting, which allows less flexibility in implementation than TACACS+ >>Standard Open/RFC standard >>Transport UDP ports 1812 and 1813, or 1645 and 1646 >>Protocol CHAP Unidirectional challenge and response from the RADIUS security server to the RADIUS client >>Confidentiality Encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted, leaving the username, authorized services, and accounting unprotected. >>Customization Has no option to authorize router commands on a per-user or per-group basis >>Accounting Extensive
TACACS+ (TACACS Plus)
>>Functionality It separates authentication, authorization, and accounting functions according to the AAA architecture. This allows modularity of the security server implementation. >>Standard Mostly Cisco supported >>Transport TCP port 49 >>Protocol CHAP Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP) >>Confidentiality Encrypts the entire body of the packet but leaves a standard TACACS+ header. >>Customization Provides authorization of router commands on a per-user or per-group basis >>Accounting Limited
Identify Vulnerabilities Threat identification provides an organization with a list of likely threats for a particular environment. When identifying threats, it is important to ask several questions:
>What are the possible vulnerabilities of a system? >Who may want to exploit those vulnerabilities to access specific information assets? >What are the consequences if system vulnerabilities are exploited and assets are lost? ***** Identifying vulnerabilities on a network REQUIRES an understanding of: -The important applications that are used, -as well as the different vulnerabilities of that application and hardware. *****
Security Policy
A comprehensive security policy has a number of benefits, including the following: -Demonstrates an organization's commitment to security -Sets the rules for expected behavior -Ensures consistency in system operations, software & hardware acquisition & use, and maintenance -Defines the legal consequences of violations -Gives security staff the backing of management Security policies are used to: -inform users, staff, and managers of an organization's requirements for protecting technology and information assets. -A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.
Network Security Policy
A network must be designed to: - Control who is allowed to connect to it and what they are allowed to do when they are connected. - The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources. - Mandate the implementation of an accounting system that tracks who logged in and when and what they did while logged in. - Some compliance regulations may specify that access must be logged and the logs retained for a set period of time.
defense-in-depth approach analogy: The Onion PROTECTS THE ASSETS (((THIS IS NOT to be confused with the Security Onion suite of network security tools.)))
A threat actor would have to "peel away" at a network's defenses layer by layer in a manner similar to peeling an onion. Only after penetrating each layer would the threat actor reach the target data or system. Outer Layer --to--> Inner layer as follows: -Firewall -IPS (Intrusion Prevention System) -Content Filtering -Authentication, Authorization, & Accounting (AAA) -Hardened Devices -(ASSETS)
Zero Trust Security
A zero trust security framework helps to: -Prevent unauthorized access, -contain breaches, -and reduce the risk of an attacker's lateral movement through a network. //Zero trust is a comprehensive approach to securing ALL access across networks, applications, and environments. \\This approach helps secure access from users, end-user devices, APIs, IoT, microservices, containers, and more. //It protects an organization's workforce, workloads, and the workplace. \\The principle of a zero trust approach is, "never trust, always verify." (Assume zero trust any time someone or something requests access to assets.) //In a Zero trust approach, any place at which an access control decision is required should be considered a perimeter.
AAA Authentication It can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access.
Cisco provides two common methods of implementing AAA services: Local & Server-Based Local: This method is sometimes known as self-contained authentication because it authenticates users against locally stored usernames and passwords, as shown in the figure. Local AAA is ideal for small networks. Server-Based: This method authenticates against a central AAA server that contains the usernames and passwords for all users, as shown in the figure. Server-based AAA authentication is appropriate for medium-to-large networks.
The "CIA triad" consists of three components of information security:
Confidentiality - Only authorized individuals, entities, or processes can access sensitive information. Integrity - This refers to the protection of data from unauthorized alteration. Availability - Authorized users must have uninterrupted access to the network resources and data that they require.
Cyber Security Analysts Must
Cybersecurity analysts must prepare for any type of attack. Must first identify: Assets - Anything of value to an organization that must be protected including servers, infrastructure devices, end devices, and the greatest asset, data. Vulnerabilities - A weakness in a system or its design that could be exploited by a threat actor. Threats - Any potential danger to an asset.
Cryptography: Network data can be encrypted (made unreadable to unauthorized users) by using cryptography applications.
Examples of devices that use Cryptography: The conversation between two IP phone users can be encrypted. The files on a computer can also be encrypted. These are just a few examples. Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.
Policies that may be included in a security policy.
Identification and authentication policy -Specifies authorized persons that can have access to network resources and identity verification procedures. Password policies -Ensures passwords meet minimum requirements and are changed regularly. Acceptable Use Policy (AUP) -Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated. Remote access policy -Identifies how remote users can access a network and what is accessible via remote connectivity. Network maintenance policy -Specifies network device operating systems and end user application update procedures. Incident handling procedures -Describes how security incidents are handled. ***** AUP, appropriate use policy, should be AS explicit ASpossible to avoid misunderstanding. -This component defines what users are allowed and not allowed to do on the various system components. -This includes the type of traffic that is allowed on the network.
Asset management consists of:
Inventorying all assets, and then developing and implementing policies and procedures to protect them. This task can be daunting considering many organizations must protect internal users and resources, mobile workers, and cloud-based and virtual services. Organizations need to identify where critical information assets are stored, and how access is gained to that information.
To remain effective, a network security professional must:
Keep abreast of the latest threats - This includes subscribing to real-time feeds regarding threats, routinely perusing security-related websites, following security blogs and podcasts, and more. Continue to upgrade skills - This includes attending security-related training, workshops, and conferences. Note: Network security has a very steep learning curve and requires a commitment to continuous professional development.
Regulatory and Standards Compliance
Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals. -Many organizations are mandated to develop and implement security policies. -Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. -The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles.
Identify Threats: defense-in-depth
Organizations must use a defense-in-depth approach to identify threats and secure vulnerable assets. **This approach uses multiple layers of security at: >The network edge, >Within the network, >And on network endpoints (the hosts) ***** Routers and firewalls ARE NOT the only devices that are used in a defense-in-depth approach. Other Security Devices: -IPS (Intrusion Prevention Systems) -AMP (Advanced Malware Protection) -Web and email content security systems -Identity services -Network access controls -(and more...)
Network Intelligence Communities
SANS SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free upon request and include: The Internet Storm Center - the popular internet early warning system NewsBites, the weekly digest of news articles about computer security. @RISK, the weekly digest of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked Flash security alerts Reading Room - more than 1,200 award-winning, original research papers. SANS also develops security courses. Mitre The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations. FIRST Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention and rapid reaction. SecurityNewsWire A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities. (ISC)2 International Information Systems Security Certification Consortium (ISC2) provides vendor neutral education products and career services to more than 75,000+ industry professionals in more than 135 countries. CIS The Center for Internet Security (CIS) is a focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC offers 24x7 cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.
AAA Operation Authentication, Authorization, and Accounting Protocol
The Authentication, Authorization, and Accounting (AAA) protocol provides the necessary framework to enable scalable access security. //Authentication -Users and administrators must prove that they are who they say they are. -Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. -AAA authentication provides a centralized way to control access to the network. //Authorization -After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. -An example is "User 'student' can access host server XYZ using SSH only." //Accounting -Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. -Accounting keeps track of how network resources are used. -An example is "User 'student' accessed host server XYZ using SSH for 15 minutes."
Identify Assets
The collection of all the devices and information owned or managed by the organization are assets. The assets constitute the attack surface that threat actors could target. These assets must be inventoried and assessed for the level of protection needed to thwart potential attacks.
"Security Artichoke" The changing landscape of networking, such as the evolution of borderless networks, has changed this analogy to the "security artichoke", which benefits the threat actor.
Threat actors no longer have to "peel away" each layer. They only need to remove certain "artichoke leaves." The bonus is that each "leaf" of the network may reveal sensitive data that is not well secured. Not every leaf needs to be removed in order to get at the heart of the artichoke. The hacker chips away at the security armor along the perimeter to get to the "heart" of the enterprise.
What device would be used as a second line of defense in a defense-in-depth approach? Firewall
Topic 18.1.0 - In a defense-in-depth approach, the edge router would form the first line of defense. The firewall would be the second line of defense followed by the internal router making up the third line of defense.
What device would be used as the third line of defense in a defense-in-depth approach? Internal Router
Topic 18.1.0 - In a defense-in-depth approach, the edge router would form the first line of defense. The firewall would be the second line of defense followed by the internal router making up the third line of defense.
What is a characteristic of a layered defense-in-depth security approach? The failure of one safeguard does not affect the effectiveness of the other safeguards.
Topic 18.1.0 - In the layered defense-in-depth security approach, the different layers work together to create a security architecture in which the failure of one safeguard does not affect the effectiveness of the other safeguards.
Which device is usually the first line of defense in a layered defense-in-depth approach? An Edge Router
Topic 18.1.0 - The edge router connects an organization to a service provider. The edge router has a set of rules that specify which traffic is allowed or denied.
Which type of business policy establishes the rules of conduct and the responsibilities of employees and employers? Company
Topic 18.2.0 - Business policies set a baseline of acceptable use. Company policies establish the rules and conduct and the responsibilities of both employees and the employer. Company policies protect the rights of the workers as well as the business interests of the company.
Which type of access control applies the strictest access control and is commonly used in military or mission critical applications? *****ANSWER: Mandatory access control (MAC) A) Mandatory access control (MAC) B) Discretionary access control (DAC C) Non-discretionary access control - Also known as role-based access control (RBAC). D) Attribute-based access control (ABAC)
Topic 19.1.0 - Access control models are used to define the access controls implemented to protect corporate IT resources. The different types of access control models are as follows: Mandatory access control (MAC) - The strictest access control that is typically used in military or mission critical applications. Discretionary access control (DAC) - Allows users to control access to their data as owners of that data. Access control lists (ACLs) or other security measures may be used to specify who else may have access to the information. Non-discretionary access control - Also known as role-based access control (RBAC). Allows access based on the role and responsibilities of the individual within the organization. Attribute-based access control (ABAC) - Allows access based on the attributes of the resource to be accessed, the user accessing the resource, and the environmental factors such as the time of day.
The three pillars of zero trust are: Workforce, Workloads, and Workplace.
Zero Trust for Workforce: - This pillar consists of people (e.g., employees, contractors, partners, and vendors) who access work applications by using their personal or corporate-managed devices. This pillar ensures only the right users and secure devices can access applications, regardless of location. Zero Trust for Workloads: - This pillar is concerned with applications that are running in the cloud, in data centers, and other virtualized environments that interact with one another. It focuses on secure access when an API, a microservice, or a container is accessing a database within an application. Zero Trust for Workplace: - This pillar focuses on secure access for any and all devices, including on the internet of things (IoT), that connect to enterprise networks, such as user endpoints, physical and virtual servers, printers, cameras, HVAC systems, kiosks, infusion pumps, industrial control systems, and more.
Information security deals with protecting information and information systems from:
unauthorized access, use, disclosure, disruption, modification, or destruction.
AAA Accounting Logs Centralized AAA also enables the use of the Accounting method. Accounting records from all devices are sent to centralized repositories, which simplifies auditing of user actions. | >>>>>One widely deployed use of accounting is | >>>>>to combine it with AAA authentication. | | >>>>>This helps with managing access to internetworking | >>>>>devices by network administrative staff. >>>>>Accounting provides more security than just authentication<<<<< -The AAA servers keep a detailed log of exactly what the authenticated user does on the device, as shown in the figure. -This includes all EXEC and configuration commands issued by the user. -The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. -This information is useful when troubleshooting devices. It also provides evidence against individuals who perform malicious actions.
| Network Accounting -Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts. | Connection Accounting -Connection accounting captures information about all outbound connections that are made from the AAA client, such as by SSH. | EXEC Accounting -EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address. | System Accounting -System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off). | Command Accounting -Command accounting captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed, and the user who executed it. | Resource Accounting -The Cisco implementation of AAA accounting captures "start" and "stop" record support for connections that have passed user authentication. The additional feature of generating "stop" records for connections that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.