Exam 2- INFS 4300


Storage Segmentation via Containerization

(How to combat the risks of BYOD) Separating storage into separate business and personal "containers"
• Managing each appropriately
• Helps avoid data ownership privacy issues
• Allows companies to delete only business data when necessary without touching personal data

Advantages of Automated Patch Update Service

- Can save bandwidth and time
- Administrators can approve or decline updates and force updates to install by a specific date
- Administrators can approve updates for "detection" only; this allows them to see which computers will require the update without actually installing it

Windows Server Update Services (WSUS)

- Enables system administrators to deploy the latest Microsoft product updates
- Fully manages the distribution of updates that are released through Microsoft Update to computers on your network
- Provides:
  - Centralized update management
  - Update management automation

Separation of Duties

- Fraud can result from a single user being trusted with complete control of a process
- Requires two or more people to be responsible for functions related to handling money
- The system is not vulnerable to the actions of a single person
- The case of Terry Childs (San Francisco Municipality)

Job Rotation

- Individuals periodically moved between job responsibilities
- Employees can rotate within their department or across departments
• Advantages of job rotation
  1. Limits amount of time individuals can manipulate security configurations
  2. Exposes potential avenues for fraud
  3. Uncovering vulnerabilities by individuals with different perspectives
  4. Reduces employee "burnout" (less sloppiness)

Group-Based Access Control

- Permits the configuration of multiple computers by setting a single policy for enforcement
• Example: Windows Group Policy
  - Provides centralized management and configuration of computers and remote users using Active Directory (AD)
  - Usually used in enterprise environments

Access Control Models

- Standards that provide a predefined framework for hardware or software developers
• Major access control models
  - Discretionary Access Control (DAC)
  - Mandatory Access Control (MAC)
  - Role-Based Access Control (Ro-BAC)
  - Rule-Based Access Control (Ru-BAC)

Internet of Things

A global infrastructure that enables advanced services by interconnecting physical or virtual "things" based on interoperable information technologies

Access Control

Access control: granting or denying approval to use specific resources
- Physical access control
  • Consists of fencing, hardware door locks, and mantraps to limit contact with devices
- Technical access control
  • Consists of technology restrictions that limit users on computers from accessing data

Embedded Systems

Adding capabilities to devices that have never had computing power before
• These devices include:
  • Embedded systems and the Internet of Things
• Examples:
  • Medical devices
  • Aircraft
  • Vehicles
  • Industrial machines
  • Heating, ventilation, and air conditioning (HVAC) environmental systems

Attacks on Passwords

Attacks that can be used to discover passwords:
• Social engineering
  - Phishing, shoulder surfing, dumpster diving
• Capturing
  - Keyloggers
  - Man-in-the-middle and replay attacks
• Resetting
  - Attacker gains physical access to computer and resets password
• Offline attack
  - Most common type
  - Attackers steal file of password digests
  - Compare with their own digests they have created
Offline password attacks include:
• Brute force
• Mask
• Password collections

BYOD Benefits

Business benefits:
• Management flexibility
• Less oversight
• Cost savings
• Increased employee performance
• Simplified IT infrastructure
Employee benefits:
• Choice of device
• Choice of carrier
• Convenience

Computer Hardware Security

Computer hardware security: the physical security protecting the hardware of the host system
• Most portable devices have a steel bracket security slot
• A cable lock can be inserted into the slot and secured to the device
Safe or secure cabinet
- Allows devices to charge while stored as well as receive updates

Mobile Content Management (MCM)

Content management
• Supports the creation and editing/modification of digital content by multiple employees
A mobile content management (MCM) system
• Is tuned to provide content management to hundreds or even thousands of mobile devices used by employees in an enterprise

Application Development Stages

Development
- Requirement analysis
- Can the application meet the business needs?
Testing
- Checking for errors that could lead to security vulnerabilities
Staging
- Quality assurance of code functioning
Production
- Releasing and configuration

Chain of Trust

Each element of the boot process (e.g. hardware, software drivers) relies on the confirmation of the previous element to know that the entire process is secure.
Hardware root of trust
- Strongest starting point is hardware, which cannot be modified
- Security checks are "rooted" in hardware checks

Where You Are: Geolocation

Geolocation
• The identification of the location of a person or object using technology
• Used most often to reject imposters instead of accepting authorized users

Secure Booting (Attacks)

Malware can infect the BIOS too.
- To combat BIOS attacks, UEFI (Unified Extensible Firmware Interface) was developed
- In conjunction with UEFI, the Secure Boot standard was also created
- When using UEFI and Secure Boot, a computer checks the digital signature of each piece of boot software
- The computer boots only if the signatures are deemed valid
- Ensures no malware has tampered with the boot process

Mask Attack (Attacks on Passwords)

Mask Attack
• Uses placeholders for characters in certain positions of the password
• The goal is to reduce the number of potential candidates
• Making assumptions about users' behavior
• Faster than brute-force attacks
• Parameters that can be entered in a mask attack include:
  - Password length
  - Character set
  - Language
  - Pattern

Mobile Application Management (MAM)

Mobile Application Management (MAM): unlike MDMs' focus on the device, MAMs cover application management.
• Initially controlled apps through app wrapping
• When the app is launched, a passcode must be entered before it starts functioning

Mobile Device Management (MDM)

Mobile Device Management (MDM): tools that allow a device to be managed remotely by an organization
• Usually involve:
  • A server component that sends out management commands to mobile devices
  • A client component to receive and implement the management commands
• An administrator can perform over the air (OTA) updates or configuration changes to one device
Examples: Microsoft Intune, XenMobile

Mobile Management Tools

• Mobile device management (MDM)
• Mobile application management (MAM)
• Mobile content management (MCM)

Internet of Things Security Implications

• Most IoT vendors are concerned with making products as inexpensive as possible, leaving out security protections
• Few IoT devices have the capacity for being updated to address exposed security vulnerabilities
• IoT and embedded systems that can receive patches often see long gaps between the discovery of the vulnerability and a patch being applied

Business Applications of Internet of Things

New Revenue
• The power to unlock new revenue models
Data Generation
• Adding great value in making informed business decisions
Smoother Logistics
• Beneficial to warehouses, distribution centers and dispatch process of the supply chain
Better User Experience
• The universal accessibility, synchronized connectivity, and the speed

Physical Security

Physical security includes:
1. External perimeter defenses
  - Barriers
  - Guards
  - Motion detection devices
2. Internal physical access security
  - Door locks
  - Access logs
    • Includes an access list for logging authorized/unauthorized individuals
  - Mantraps
    • Space with two sets of interlocking doors
  - Protected distribution systems (PDS) for cabling
    • A system of cable conduits for protecting communications
    • Used by the Department of Defense (DoD)

Identity and Access Services

RADIUS
• Remote Authentication Dial In User Service
  - Developed in 1992
  - Became an industry standard
• RADIUS client
  - Typically a device such as a wireless access point
• RADIUS server
  - Authenticates and authorizes the client request
• Advantage:
  - Messages are never sent directly between the wireless device (supplicant) and the RADIUS server
Terminal Access Controller Access Control System+ (TACACS+)
• Developed by Cisco
• Service similar to RADIUS
• Commonly used on UNIX devices
• Handles authentication, authorization, and accounting (AAA) services
• Communicates by forwarding user authentication information to a centralized server
• When choosing an AAA protocol to use on a Cisco-based network, TACACS+ is the right choice.

Internet of Things Security Risk Controls

Reviewing risks:
• Perform penetration testing to assess the risk of connected devices
• Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption
Rigorous encryption:
• All data (at rest and in transit) should have end-to-end encryption
Assuring integrity:
• Ensuring secure boot every time the device starts up
• Securing over-the-air updates
Strategizing for scale:
• Developing a scalable security framework and architecture ready to support all IoT deployments
• Working with third parties that have the scale and expertise in this area
Strong authentication:
• Ensuring authentication schemes allow only trusted connections to the endpoints
• Using digital certificates (used to verify the identity of sender and receiver) and public key infrastructure (PKI) (used to verify that a particular public key belongs to a certain entity)

BYOD Risks

Risks associated with enterprise deployment models:
• Users may erase the installed built-in limitations on their mobile device, which disables the built-in security features
• Personal mobile devices are often shared among family members and friends, subjecting sensitive corporate data installed on a user's device to outsiders
• Different mobile devices have different hardware and OSs that technical support staff might have to support
• Users accessing untrusted content via SMS and MMS. About 68 percent of all healthcare security breaches were the result of the loss or theft of a mobile device
• It might be difficult to secure the personal smartphone of an employee who left the company
• Users must guard against shoulder surfing
  • Strangers who want to view sensitive information

Secure DevOps methodology (used in Agile projects) includes

Security automation
- Tools for scanning vulnerabilities
Continuous integration
- Ensuring that security features are incorporated at each iteration
Baselining
- Creating a starting point for comparison purposes in order to measure success
Provisioning
- The enterprise-wide configuration, development, and management of multiple types of IT system resources
Deprovisioning
- Removing a resource that is no longer needed

Patch Management

Security patch: software security update publicly released to repair discovered vulnerabilities
Feature update: includes enhancements to the software to provide new or expanded functionality
- Might not address a security vulnerability
Service pack: accumulates security updates and additional features
- How can companies ensure that employees won't install an untested, vendor-released patch?
- Automated patch update service: manage patches locally rather than rely on the vendor's online update service

Supply Chain Infections

Supply chain: a network that moves a product from the supplier to the customer
Supply chain infections: the different steps in the supply chain have opened the door for malware to be injected into products during their manufacturing or storage
Example: In 2018, Bloomberg reported that China had secretly implanted tiny chips into the motherboards of servers to spy on US companies such as Apple and Amazon
Supply chain infections are extremely dangerous
- If malware is planted in the ROM firmware of a device, it is difficult or impossible to clean the infected device
- Users may be receiving infected devices at the point of purchase, unaware of the infection
- Cannot be easily prevented

Secure Booting

System booting: the process of a computer starting up by itself without external assistance
BIOS (Basic Input/Output System): firmware used on early computers to hold the boot process
- Ability to update the BIOS with a firmware update opened the door for a threat actor to create malware to infect the BIOS

What you Know: Passwords

The most common type of authentication today
• Inexpensive and relatively easy to use/manage
• Passwords provide only weak protection
Password Weaknesses
• Weakness of passwords is linked to the limitations of human memory
• Long, complex passwords are difficult to memorize
• Easy passwords are easy to crack
• Users must remember many complex passwords for many different accounts (lack of uniqueness)
• Users should not re-use strong passwords for different accounts

Bring Your Own Device (BYOD)

The practice of allowing employees to use their own computers and smartphones to connect to company information.

BYOD Security Management

Traditional security controls:
• Disabling unused features
• Using strong authentication
• Using screen lock
• Remote wiping: If a device is lost or stolen and cannot be located, it may be necessary to perform a remote wiping, which erases sensitive data stored on the device.

Types of Authentication Credentials

Types of authentication credentials
• Where you are
  - Example: a military base
• What you have
  - Example: key fob to lock your car
• What you are
  - Example: facial characteristics recognized
• What you know
  - Example: combination to a locker
• What you do
  - Example: do something to prove authenticity

OS Security Configuration

Typical OS security configuration should include:
Disabling unnecessary ports and services
- E.g. turning off unnecessary Windows services and ports
Disabling default accounts/passwords
- E.g. built-in administrator accounts
Employing least functionality
- Users should have the minimum and absolutely necessary set of permissions to perform their tasks
Application whitelisting/blacklisting
- Creating default-deny and default-allow lists
Group Policy allows a single configuration to be set and deployed to many or all users.

Single Sign-on (SSO)

• Identity management
• Users have various online accounts across various platforms
• Using a single authentication credential shared across multiple platforms
• SSO aims to reduce burden of usernames and passwords to just one
• The downside: usually proprietary

What You Have: Tokens, Cards, and Cell Phones

• Multifactor authentication
  - When a user is using more than one type of authentication credential
  - Example: what a user knows and what a user has could be used together for authentication
• Single-factor authentication
  - Using just one type of authentication
• Most common items used for authentication:
  - Tokens, cards, and cell phones

Role-Based Access Control

• Role-Based Access Control (Ro-BAC)
  - Access permissions are based on user's job function
• Assigns permissions to particular roles in an organization
  - Users are assigned to those roles
• For example, instead of creating a user account for John Smith, the role Business_Manager can be created.
  - Privileges can be assigned based on the job function requirements.

Cards

• Smart card contains integrated circuit chip that holds information and can be either:
  • Contact cards: a "pad" that allows electronic access to chip contents
  • Contactless cards (proximity cards)
• Common access card (CAC)
  - Issued by US Department of Defense
  - Bar code, magnetic strip, and bearer's picture

What You Are: Biometrics

• Standard biometrics
  • Uses a person's unique physical characteristics for authentication
  • Face, hand, or eye characteristics are used to authenticate
• Specialized biometric scanners
• Fingerprint scanner types
  - Static fingerprint scanner: takes a picture and compares with image on file
  - Dynamic fingerprint scanner: uses small slit or opening

Tokens

• Used to create a one-time password (OTP)
  - Authentication code that can be used only once or for a limited period of time
• Hardware security token
  - Typically a small device with a window display
  - Generates a one-time password for use in the second step of logging in
  - An option for situations where using a landline, cell phone, or other mobile device is not feasible

What You Do: Behavioral Biometrics

• Behavioral biometrics
  - Authenticates by normal actions the user performs
• Keystroke dynamics
  - Attempts to recognize user's typing rhythm
  - All users type at a different pace
  - Provides up to 98 percent accuracy
• Uses two unique typing variables
  - Dwell time (time it takes to press and release a key)
  - Flight time (time between keystrokes)

Biometric Disadvantages

• Cost of hardware scanning devices
• Readers have some amount of error
  - Reject authorized users
  - Accept unauthorized users
• Biometric systems can be "tricked" (e.g., using fingerprints from a water glass, using iris pictures)

Rule-Based Access Control (Ru-BAC)

• Dynamically assigns roles to subjects based on a set of rules
• When user attempts access, system checks object's rules to determine access permission
• Often used for managing user access to one or more systems
  - Business changes may trigger application of the rules specifying access changes

Employee Accounts

• Employee offboarding
  - Actions to be taken when an employee leaves an enterprise
  - Orphaned accounts: user accounts that remain active after an employee has left
  - Dormant account: an account that has not been accessed for a lengthy period

Brute force (Attacks on Passwords)

• Every possible combination of letters, numbers, and characters used to create encrypted passwords and matched against stolen file
• Slowest, most thorough method

Location-Based Policies

• Geofencing relies upon location-based policies
  - Or establishing the geographical boundaries of where a mobile device can be used
• These policies become the basis for how authorization requests from mobile devices are evaluated.

Access Control Steps

• Identification:
  - User enters user name
• Authentication:
  - User provides password
• Authorization:
  - User authorized/unauthorized to log in
• Access:
  - The authorized user allowed to access resources
• Accounting:
  - Information recorded in log file

Least Privilege Principle

• Least privilege in access control
  - Only the minimum amount of privileges necessary to perform a job or function should be allocated
• Helps reduce the attack surface by eliminating unnecessary privileges that could provide an avenue for an attacker

Mandatory Vacations

• Limits fraud, because perpetrator must be present daily to hide fraudulent actions
• Audit of employee's activities usually scheduled during vacation for sensitive positions

Mandatory Access Control (MAC)

• Most restrictive access control model
  - User has no freedom to set any controls or distribute access to other subjects
• Two elements
  - Labels: every entity is an object and is assigned a classification label that represents the relative importance of the object
  - Levels: a hierarchy based on the labels is used
    • Top secret has a higher level than secret, which has a higher level than confidential

Cognitive Biometrics

• Relates to perception, thought process, and understanding of the user
• Easier for user to remember because it is based on user's life experiences
• Difficult for an attacker to imitate

Discretionary Access Control (DAC)

• The most flexible model
• Every object has an owner
• Owners have total control over their objects
• Owners can give permissions to other subjects over their objects
• Two significant weaknesses:
  - Relies on decision by the end user to set the proper level of security
  - A subject's permissions will be "inherited" by any programs that the subject executes

