ISM Module 15 (study this one)
Unauthorized access
1. device theft 2. bypassing access controls 3. user/compute identity spoofing 4. elevation of user/compute priveleges 5.user identity spoofing 6.elevation of user privileges Unauthorized access is an act of gaining access to the information systems, which includes compute systems, network, storage, and management compute system of an organization illegally. An attacker may gain unauthorized access to the organization's application, data, or storage resources by various ways such as by bypassing the access control, exploiting a vulnerability in the operating system, hardware, or application, by elevating the privileges, spoofing identity, and device theft. The slide illustrates various ways in which an attacker may gain access to organization's resources via the application access domain and management access domain. Many organizations allow their employees to access some of the applications through mobile devices. This enables employees to access the application and data from any location. Mobile device theft may increase the risk of exposure of data to an attacker. An attacker may also gain unauthorized access to the organization's application or data by bypassing the access controls. This may be accomplished by using the stolen laptop of an employee. Another way of unauthorized access to resources is by spoof user identity from compute A and gain access to recourses accessible to that system and carry out an attack. Unauthorized access to the resources may be gained by elevation of privileges of compute system A to gain access to the resources of compute system B. An attacker may also carry out an attack from management access domain by impersonating the identity of an administrator or elevate his/her identity to administrator. Some of the controls that may reduce the risks include strong authentication and authorization, VLAN and VSAN, data encryption, and mobile device management.
Data Encryption
A cryptographic technique in which data is encoded and made indecipherable to hackers
man-in-the-middle attack
A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.
Kerberos
A network authentication protocol, which provides strong authentication for client/server applications by using secret-key cryptography. A client and server can prove their identity to each other across an insecure network connection.
Identity and Access Management
A process of managing user's identifiers, and their authentication and authorization to access storage infrastructure resources organizations may deploy the following authentication and authorization controls Identity and access management is the process of managing users identifiers and their authentication and authorization to access storage infrastructure resources. It also controls access to resources by placing restrictions based on user identities. In today's environment, an organization may collaborate with one or more cloud service providers to access various cloudbased storage services. This requires deploying multiple authentication systems to enable the organization to authenticate employees and provide access to cloud-based storage services. The key traditional authentication and authorization controls deployed in a storage environment are Windows ACLs, UNIX permissions, Kerberos, and Challenge-Handshake Authentication Protocol (CHAP). Alternatively, the organization can use Federated Identity Management (FIM) for authentication. A federation is an association of organizations (referred to as trusted parties) that come together to exchange information about their users and resources to enable collaboration. Federation includes the process of managing the trust relationships among the trusted parties beyond internal networks or administrative boundaries. FIM enables the organizations (especially cloud service providers) to offer services without implementing their own authentication system. The organization can choose an identity provider to authenticate their users. This involves exchanging identity attributes between the organizations and the identity provider in a secure way. The identity and access management controls used by organizations include OpenID and OAuth.
firewall
A security control designed to examine data packets traversing a network and compare them to a set of filtering rules can be deployed at: -network level -compute level -hypervisor level can be physical or virtual uses various parameters for traffic filtering
Intrusion detection and prevention system
A security tool that automates the process of detecting and preventing events that can compromise the confidentiality, integrity, or availability of IT resources signature-based detection technique: -scans for signatures to detect an intrusion -effective only for known threats Anomaly-based detection technique: -scans and analyzes events to deteect if they are statistically different from normal events -has the ability to detect various events Intrusion detection is the process of detecting events that can compromise the confidentiality, integrity, or availability of IT resources. An intrusion detection system (IDS) is a security tool that automates the detection process. An IDS generates alerts, in case anomalous activity is detected. An intrusion prevention system (IPS) is a tool that has the capability to stop the events after they have been detected by the IDS. These two controls usually work together and are generally referred to as intrusion detection and prevention system (IDPS). The key techniques used by an IDPS to identify intrusion in the environment are signature-based and anomaly-based detection. In the signature-based detection technique, the IDPS relies on a database that contains known attack patterns or signatures, and scans events against it. A signature can be an e-mail with a specific subject or an e-mail attachment with a specific file name that is known to contain a virus. This type of detection is effective only for known threats and is potentially circumvented if an attacker changes the signature (the e-mail subject or the file name in the attachment, in this example). In the anomaly-based detection technique, the IDPS scans and analyzes events to determine whether they are statistically different from events normally occurring in the system. This technique can detect various events such as multiple login failures, excessive process failure, excessive network bandwidth consumed by an activity, or an unusual number of e-mails sent by a user, which could signify an attack is taking place. The IDPS can be deployed at the compute system, network, or hypervisor levels.
Defense in Depth
A strategy that provides a layered approach to security. Instead of using one or two security controls, multiple controls are used. If one control fails, other controls continue to provide protection. 1. perimeter security (physical security) 2. remote access controls (vpn authentication, etc.) 3. network security (firewall, DMZ, etc.) 4. compute security (hardening, malware protection software, etc.) 5. storage security (encryption, zoning, etc.) An organization should deploy multiple layers of defense throughout the infrastructure to mitigate the risk of security threats, in case one layer of the defense is compromised. This strategy is referred to as defense-in-depth. This strategy may also be thought of as a "layered approach to security" because there are multiple measures for security at different levels. Defense-in-depth increases the barrier to exploitation—an attacker must breach each layer of defenses to be successful—and thereby provides additional time to detect and respond to an attack. This potentially reduces the scope of a security breach. However, the overall cost of deploying defense-in-depth is often higher compared to single-layered security controls. An example of defense-in-depth could be a virtual firewall installed on a hypervisor when there is already a network-based firewall deployed within the same environment. This provides additional layer of security reducing the chance of compromising hypervisor's security if network-level firewall is compromised.
Insecure APIs
APIs are used to integrate with management software to perform activities such as: -resource provisioning and configuration -resource monitoring and management -orchestration APIs may be open or proprietary. Security of storage depends on API security. control measures: -design and develop APIs following security best practices -perform security review of APIs -access to APIs must be restricted to authorized users Application programming interfaces (APIs) are used extensively in software-defined and cloud environment. It is used to integrate with management software to perform activities such as resource provisioning, configuration, monitoring, management, and orchestration. These APIs may be open or proprietary. The security of storage infrastructure depends upon the security of these APIs. An attacker may exploit vulnerability in an API to breach a storage infrastructure's perimeter and carry out an attack. Therefore, APIs must be designed and developed following security best practices such as requiring authentication and authorization, input validation of APIs, and avoiding buffer overflows. Security review of the APIs must be performed by the organizations. Access to the APIs must be restricted to authorized users. These practices provide protection against both accidental and malicious attempts to bypass security.
Fabric binding
Allows only authorized switches to join a fabric -ensures unauthorized switches are segmented from a fabric -authorized switch can merge into a fabric -can be used along with port and port-type locking capabilities Fabric binding is another security control in an FC SAN environment that allows only authorized switches to join an existing fabric. Inter-switch links are only enabled between specified switches in the fabric. Each switch in the fabric obtains identical membership data that includes a list of authorized switches in the fabric. The port security controls such as port locking and port-type locking complement fabric binding by helping to prevent unauthorized access to a switch. Port locking persistently (even after a switch reboot) prohibits an unused switch port from being used. Port-type locking can be used to restrict how a specific switch port is used, such as preventing it from being initialized as an inter-switch link.
OpenID
An open standard for authentication in which an organization uses authentication services from an OpenID provider. OpenID is an open standard for authentication in which an organization, known as the relying party, uses authentication services from an OpenID provider, known as the identity provider. An OpenID provider maintains users credentials on their authentication system and enables relying parties to authenticate users requesting the use of the relying party's services. This eliminates the need for the relying party to deploy their own authentication systems. In the OpenID control, a user creates an ID with one of the OpenID providers. This OpenID then can be used to sign-on to any organization (relying party) that accepts Open ID authentication. This control can be used in the third platform environment to secure application access domain. The figure on the slide illustrates the OpenID concept by considering a user who requires services from the relying party. For the user to use the services provided by the relying party an identity (user ID and password) is required. The relying party does not provide their own authentication control, however they support OpenID from one or more OpenID providers. The user can create an ID with the identity provider and then use this ID with the relying party. The relying party, after receiving the login request, authenticates it with the help of identity provider and then grants access to the services.
Shared Technology Vulnerabilities
Attacker may exploit the vulnerabilities of tools used to enable multi-tenant environments examples of threats: -failure of controls that provide separation of memory and storage -hyperjacking attack involves installing a rogue hypervisor that takes control of compute system control measure: -examining program memory and processor registers for anomalies Technologies that are used to build today's storage infrastructure provide a multi-tenant environment enabling the sharing of resources. Multi-tenancy is achieved by using controls that provide separation of resources such as memory and storage for each application. Failure of these controls may expose the confidential data of one business unit to users of other business units, raising security risks. Compromising a hypervisor is a serious event because it exposes the entire environment to potential attacks. Hyperjacking is an example of this type of attack in which the attacker installs a rogue hypervisor that takes control of the compute system. The attacker now can use this hypervisor to run unauthorized virtual machines in the environment and carry out further attacks. Detecting this attack is difficult and involves examining components such as program memory and the processor core registers for anomalies.
authentication, authorization, and auditing
Authentication is a process to ensure that 'users' or 'assets' are who they claim to be by verifying their identity credentials. A user may be authenticated by a single-factor or multi-factor method. Single-factor authentication involves the use of only one factor, such as a password. Multi-factor authentication uses more than one factor to authenticate a user (discussed later in this module). Authorization refers to the process of determining whether and in what manner, a user, device, application, or process is allowed to access a particular service or resource. For example, a user with administrator's privileges is authorized to access more services or resources compared to a user with non-administrator (for example, read-only) privileges. Authorization should be performed only if authentication is successful. The most common authentication and authorization controls, used in a data center environment are Windows Access Control List (ACL), UNIX permissions, Kerberos, and Challenge-Handshake Authentication Protocol (CHAP). It is essential to verify the effectiveness of security controls that are deployed with the help of auditing. Auditing refers to the logging of all transactions for the purpose of assessing the effectiveness of security controls. It helps to validate the behavior of the infrastructure components, and to perform forensics, debugging, and monitoring activities.
media theft spoofing dr site identity
Backups and replications are essential business continuity processes of any data center. However, inadequate security controls may expose organizations confidential information to an attacker. There is a risk of a backup tape being lost, stolen, or misplaced, and the threat is even severe especially if the tapes contain highly confidential information. An attacker may gain access to an organization's confidential data by spoofing the identity of the DR site. When the replication session is started, an attacker's compute system may appear as the DR site to the primary site and the replication data is sent to the attacker's compute system. Some of the security controls that may reduce the risk due to these threats include physical security, encrypting data-at-rest and data-in-flight, and strong authentication and authorization.
compliance
Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as to corporate policies and procedures. While building and offering resources and services to users, it is important to assess compliance against regulations and demands (discussed earlier). It is also important to review the security and privacy controls that are in place to ensure that appropriate controls are applied to the highest value and highest risk assets. There are primarily two types of policies controlling IT operations in an enterprise that require compliance: internal policy compliance and external policy compliance. Internal policy compliance controls the nature of IT operations within an organization. This requires clear assessment of the potential difficulties in maintaining the compliance and processes to ensure that this is effectively achieved. External policy compliance includes legal requirements, legislation, and industry regulations. These external compliance policies control the nature of IT operations related to the flow of data out of an organization. They may differ based upon the type of information (for example, source code versus employee records), and business (for example, medical services versus financial services). In order to meet compliance requirements, organizations must have compliance management in place. Compliance management ensures that an organization adheres to relevant policies and legal requirements. Policies and regulations can be based on configuration best practices and security rules. These include administrator roles and responsibilities, physical infrastructure maintenance timelines, information backup schedules, and change control processes. Compliance management activity includes periodically reviewing compliance enforcement in infrastructure resources and services. If it identifies any deviation from compliance requirements, it initiates corrective actions.
Goals of Information Security
Confidentiality, Integrity, Availability The goal of information security is to provide Confidentiality, Integrity, and Availability, commonly referred to as the security triad, or CIA. Confidentiality provides the required secrecy of information to ensure that only authorized users have access to data. Integrity ensures that unauthorized changes to information are not allowed. The objective of ensuring integrity is to detect and protect against unauthorized alteration or deletion of information. Availability ensures that authorized users have reliable and timely access to compute, storage, network, application, and data resources. Ensuring confidentiality, integrity, and availability are the primary objective of any IT security implementation. These are supported through the use of authentication, authorization, and auditing processes.
Windows ACL
DACL - Access control SACL - Which Accesses need to be audited supports object ownership in addition to ACLs -child objects inherit ACL of parent objects uses SID to control object access -sids uniquely identify a user or a user group
Application Hardening
Design with proper architecture, threat modeling, and secure coding. -installing current application updates includes process spawning control, executable file protection, and system tampering protection
infrastructure security considerations
Fundamental requirements of security pertain to both second and third platform infrastructures additional considerations required for third platform security -secure multi-tenancy -information owndership -mobile device security The fundamental requirements of information security and compliance, covered in this lesson, pertain to both second platform and third platform infrastructures. However, there are important additional considerations related to third platform (due to cloud environment), arising from information ownership, responsibility and accountability for information security, ability to access an application through mobile devices, and the infrastructure's multi-tenancy characteristic. Multi-tenancy refers to an architecture in which a cloud service provider uses a common set of IT resources to provide services to multiple consumers, or "tenants" of the infrastructure. Therefore, secure multi-tenancy is a key requirement for third platform infrastructure. Apart from multi-tenancy, third platform provides rapid elasticity, a feature rarely found in traditional data centers. Therefore, the tools used to provide information security must have the ability to detect newly provisioned resources and integrate with these scaled resources to provide security. Without these capabilities, it is difficult to monitor and manage the security of such an environment. Some of the key security areas cloud service providers and consumers must focus on are: authentication, identity and access management, data loss prevention and data breach notification, governance, risk, and compliance (GRC), privacy, network monitoring and analysis, security information and event logging, incident management, and security management.
Risk Monitoring
Identify measures of performance to assess whether process risks are an immediate threat.
Risk Identification
Identifying the potential project risks and documenting their characteristics.
Securing Hypervisor and Management Server
Install security updates. Harden hypervisor with CSI and DISA. Restrict core functionality to selected admins. The hypervisor and related management servers are critical components of the storage infrastructure because they control the operation and management of the virtualized compute environment. Compromising a hypervisor or management server places all VMs at a high risk of attack. Hypervisors may be compromised by hyperjacking or performing other forms of attack. Further, the management server may be compromised by exploiting vulnerabilities in the management software or by an insecure configuration. For example, an administrator may have configured a non-secured or non-encrypted remote access control. An attacker may take control of the management server by exploiting a security loophole of the system. This enables the attacker to perform unauthorized activities such as controlling all the existing VMs, creating new VMs, deleting VMs, and modifying VM resources. These types of attacks impact security of application access and management access domains. To protect against such attacks, securitycritical hypervisor updates should be installed when they are released by the hypervisor vendor. Hypervisor hardening should be performed, using specifications provided by organizations such as the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA). Access to the management server should be restricted to authorized administrators. Access to core levels of functionality should be restricted to selected administrators. Network traffic should be encrypted when management is performed remotely. A separate firewall with strong filtering rules installed between the management system and the rest of the network can enhance security. Virtual machines store troubleshooting information in a log file that is stored on the storage presented to a hypervisor. An attacker may cause a virtual machine to abuse the logging function, causing the size of the log file to grow rapidly. Over the period of time, the log file can consume all the capacity of the storage presented to the hypervisor, effectively causing a denial of service. This can be prevented by configuring the hypervisor to rotate or delete log files when they reach a certain size. This option enables the administrator to configure the maximum size of the log file. When this size is reached, the hypervisor makes an archive copy of the log file and starts storing information in a new log file. Administrators can configure settings to maintain a specific number of old log files. When the configured limit is reached, the hypervisor automatically deletes the oldest file.
Data Shredding
Process of deleting data (remanence) and making it unrecoverable. Overwrite, Degaussing, Destroying media. Shredding algorithms
Adaptive Security
It learns behavior and detects fraudulent activity parameters used to learn about a user are: -behavioral profile - device-related profile - type of web browser being used - plug-ins used in a browser Security threats have evolved to the point that traditional security controls cannot respond to and be effective as standalone controls. Sophisticated techniques such as phishing, Man in the Middle, and others are used to gain unauthorized access to storage environment. To combat against such sophisticated attacks, organizations require the use of adaptive security controls. Adaptive security controls integrate with the organization's standalone controls such as IDPS and firewalls and use heuristics to learn user behavior and detect fraudulent activity. Controls such as behavioral profile, device-related profile, type of web browser, and plug-ins are used to establish the normal operating profile of the environment. The intelligence in the adaptive security control detects and identifies anomalies and blocks such anomalies - capabilities that may not be possible with traditional controls.
Port Binding
Limits the devices that can be attached to a specific switch port supported in both FC san and ethernet environments Port binding is a control used to limit the devices that can be attached to a specific switch port and is supported in both FC SAN and Ethernet environments. In an FC SAN, port binding maps a WWPN to a switch port. If a host tries to login to a port with a WWPN that is not allowed by the port binding, the WWPN login is rejected. In an Ethernet network, port binding maps the MAC address and IP address of a compute system to a specific switch port. A switch port will forward a packet only if the MAC address and the IP address in the packet are mapped to that port. Port binding mitigates but does not eliminate WWPN or MAC spoofing.
Malware Protection Software
Malware protection software is typically installed on a compute system or on a mobile device to provide protection for the operating system and applications. The malware protection software detects, prevents, and removes malware and malicious programs such as viruses, worms, Trojan horses, key loggers, and spyware. Malware protection software uses various techniques to detect malware. One of the most common techniques used is signature-based detection. In this technique, the malware protection software scans the files to identify a malware signature. A signature is a specific bit pattern in a file. These signatures are cataloged by malware protection software vendors and are made available to users as updates. The malware protection software must be configured to regularly update these signatures to provide protection against new malware programs. Another technique, called heuristics, can be used to detect malware by examining suspicious characteristics of files. For example, malware protection software may scan a file to determine the presence of rare instructions or code. Malware protection software may also identify malware by examining the behavior of programs. For example, malware protection software may observe program execution to identify inappropriate behavior such as keystroke capture. Malware protection software can also be used to protect operating system against attacks. A common type of attack that is carried out on operating systems is by modifying its sensitive areas, such as registry keys or configuration files, with the intention of causing the application to function incorrectly or to fail. This can be prevented by disallowing the unauthorized modification of sensitive areas by adjusting operating system configuration settings or via malware protection software. In this case, when a modification is attempted, the operating system or the malware protection software challenges the administrator for authorization.
Auditing
Process to evaluate the effectiveness of security enforcement controls
Storage Security Domains
Management, Application Access, and Backup/Replication/Archive) The information made available on a network is exposed to security threats from a variety of sources. Therefore, specific controls must be implemented to secure this information that is stored on an organization's storage infrastructure. In order to deploy controls, it is important to have a clear understanding of the access paths leading to storage resources. If each component within the infrastructure is considered a potential access point, the attack surface of all these access points must be analyzed to identify the associated vulnerabilities. To identify the threats that apply to a storage infrastructure, access paths to data storage can be categorized into three security domains: application access, management access, and backup, replication, and archive. The figure on the slide depicts the three security domains of a storage environment. The first security domain involves application access to the stored data through the storage network. Application access domain may include only those applications that access the data through the file system or a database interface. The second security domain includes management access to storage and interconnecting devices and to the data residing on those devices. Management access, whether monitoring, provisioning, or managing storage resources, is associated with every device within the storage environment. Most management software supports some form of CLI, system management console, or a webbased interface. Implementing appropriate controls for securing management applications is important because the damage that can be caused by using these applications can be far more extensive. The third domain consists of backup, replication, and archive access. This domain is primarily accessed by storage administrators who configure and manage the environment. Along with the access points in this domain, the backup and replication media also needs to be secured. To secure the storage environment, identify the attack surface and existing threats within each of the security domains and classify the threats based on the security goals — availability, confidentiality, and integrity.
Multi-factor authentication
Multi-factor authentication involves a combination of multiple methods of authentication. For example, an authentication method that uses smart cards as well as usernames and passwords can be referred to as multi-factor authentication. Multi-factor authentication uses more than one factor to authenticate a user. A commonly implemented two-factor authentication process requires the user to supply both something he or she knows (such as a password) and also something he or she has (such as a device). The second factor might also be a password generated by a physical device (known as token), which is in the user's possession. The password generated by the token is valid for a pre-defined time. The token generates another password after the pre-defined time is over. To further enhance the authentication process, additional factors may also be considered. Examples of additional factors that may be used include biometric identity. A multi-factor authentication technique may be deployed using any combination of these factors. A user's access to the environment is granted only when all the required factors are validated.
Account Hacking
Occurs when an attacker gains access to admin/user's accounts types of attacks phishing installing keystroke-logging malware man-in-the-middle control measures: multi-factor authentication, IPSec, IDPS, and firewall
Physical Security
Physical security is the foundation of any overall IT security strategy. Strict enforcement of policies, processes, and procedures by an organization is critical element of successful physical security. To secure the organization's storage infrastructure, the following physical security measures may be deployed: • Disable all unused IT infrastructure devices and ports • 24/7/365 onsite security • Biometric or security badge-based authentication to grant access to the facilities • Surveillance cameras [CCTV] to monitor activity throughout the facility • Sensors and alarms to detect motion and fire
Risk and Risk Management
Risk is the effect of uncertainty on business objectives. Risk management is a systematic process of assessing its assets, placing a realistic valuation on each asset, and creating a risk profile that is rationalized for each information asset across the business. Additionally, the organizations must establish a risk threshold to measure against each asset. Risk management involves identification, assessment, and prioritization of risks and institutes controls to minimize the impact of those risks.
Mobile device management
Several organizations allow their employees to access organization's internal application and resources via mobile devices. This introduces a potential threat to the organization's resources as theft of these devices may expose resources to an attacker. This type of threat can be minimized by the use of mobile device management. Mobile device management is a control that restricts access to organization's resources only to authorized mobile devices. The MDM solution consists of two components: the server component and the client component. The server component is responsible for performing device enrollment, administration, and management of mobile devices. The client component is installed on the mobile device that needs access to the organization's resources. The client receives commands from the server component which it executes on the mobile device. To enroll the device, an MDM client is installed on the mobile device. The client component is used to connect to the server component to receive administration and management commands. To connect to the server component, the user is required to provide MDM authentication server and user credentials details. Typically, the authentication server is placed in a DMZ. These credentials are authenticated by the MDM authentication server. Devices that are successfully authenticated are redirected to the MDM server. Now the authenticated mobile devices are enrolled and can be managed. Further, these mobile devices can be granted access to the applications and other resources. MDM solution enables organizations to enforce organization's security policies on the user's mobile devices. The solution also provides the organizations the administrative and management control to the user's mobile device. With this control the organization will have the ability to remotely wipe the data on the enrolled devices or brick the device when a threat is detected.
Security concepts and relationships
The slide illustrates relationship among various security concepts in a data center environment. An organization (owner of the asset) wants to safeguard the asset from threat agents (attackers) who seek to abuse the assets. Risk arises when the likelihood of a threat agent (an attacker) to exploit the vulnerability arises. Therefore, the organizations deploy various countermeasures to minimize risk by reducing the vulnerabilities. Risk assessment is the first step to determine the extent of potential threats and risks in an infrastructure. The process assesses risk and helps to identify appropriate controls to mitigate or eliminate risks. Organizations must apply their basic information security and risk-management policies and standards to their infrastructure. Some of the key security areas that an organization must focus on while building the infrastructure are: authentication, identity and access management, data loss prevention and data breach notification, governance, risk, and compliance (GRC), privacy, network monitoring and analysis, security information and event logging, incident management, and security management. These security areas are covered later in this module.
Risk and risk management steps
There are four key steps of risk management that an organization must perform before offering resources or services to the users: risk identification, risk assessment, risk mitigation, and monitoring.
OS hardening
Tightening security during the design and coding of the OS.
Key Security Threats Across Domains
Unauthorized access denial of service distributed denial of service attack loss of data malicious insiders account hacking insecure APIs Shared technology vulnerabilities media theft
Site-to-site VPN connection
Which method is used to establish a VPN connection between a primary and remote data center to perform secure remote replication?
Windows ACL and Unix Permission
Windows ACLs and UNIX Permissions form the first level of protection to compute resources (application servers, file servers, and file sharing environment such as NAS) by restricting accessibility and sharing. These permissions are deployed over and above the default behaviors and attributes associated with files and folders. In addition, various other authentication and authorization controls, such as Kerberos and directory services are implemented to verify the identity of network users and define their privileges. Windows supports two types of ACLs: discretionary access control lists (DACLs) and system access control lists (SACLs). The DACL, commonly referred to as the ACL, is used to determine access control. The SACL determines which accesses need to be audited if auditing is enabled. In addition to these ACLs, Windows also supports the concept of object ownership. The owner of an object has hard-coded rights to that object, and these rights do not need to be explicitly granted in the SACL. The owner, SACL, and DACL are all statically held as attributes of each object. Windows also offers the functionality to inherit permissions, which allows the child objects existing within a parent object to automatically inherit the ACLs of the parent object. ACLs are also applied to directory objects known as security identifiers (SIDs). These are automatically generated by a Windows server or domain when a user or group is created, and they are abstracted from the user. In this way, though a user may identify his login ID as "User1," it is simply a textual representation of the true SID, which is used by the underlying operating system. Internal processes in Windows refer to an account's SID rather than the account's username or group name while granting access to an object. ACLs are set by using the standard Windows Explorer GUI but can also be configured with CLI commands or other third-party tools.
Risk Mitigation
a process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan
Network Monitoring
active: monitoring tools transmit data between two endpoints that are monitored passive: information about a link or device is collected by proving the link or device
Oauth
an open authorization control allows a client to access protected resources from a resource server on behalf of a resource owner entities involved authorization: -resource owner -resource server -client -authorization server 1.authorization request from client to resource owner 2. authorization grant sent from resource owner to client 3.authorization grant client to authorization sever 4. access token sent from auth server to client 5. access token from client sent to resource server 6. service request sent from resource server to client OAuth is an open authorization control that allows a client to access protected resources from a resource server on behalf of a resource owner. This control can be used in the third platform environment to secure application access domain. There are four entities involved in the authorization control: resource owner, resource server, client, and authorization server. A resource owner is an entity capable of granting access to a protected resource. A resource server is the compute system hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. A client is an application making protected resource requests on behalf of the resource owner with the resource owner's authorization. An authorization server is the compute system issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. The authorization server may be the same server as the resource server or a separate entity. The figure on the slide illustrates the steps involved in OAuth process as described in Request for Comments (RFC) 6749 published by Internet Engineering Task Force (IETF): 1. The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner, or indirectly via the authorization server. 2. The client receives an authorization grant, which is a credential representing the resource owner's authorization to access its protected resources. It is used by the client to obtain an access token. Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
Assets and threats
assets- information,hardware, and software security considerations: - must provide easy access to authorized users - must be difficult for potential attackers to compromise - cost of securing the assets should be a fraction of the value of the assets threat- potential attacks that can be carried out attacks can be classified: - passive attacks attempt to gain unauthorized access into the system - active attacks attempt data modification, denial of service (DoS), and repudiation attacks Information is one of the most important assets for any organization. Other assets include hardware, software, and other infrastructure components required to access the information. To protect these assets, organizations deploy security controls. These security controls have two objectives. The first objective is to ensure that the resources are easily accessible to authorized users. The second objective is to make it difficult for potential attackers to access and compromise the system. The effectiveness of a security control can be measured by two key criteria. One, the cost of implementing the system should be a fraction of the value of the protected data. Two, it should cost heavily to a potential attacker, in terms of money, effort, and time, to compromise and access the assets. Threats are the potential attacks that can be carried out on an IT infrastructure. These attacks can be classified as active or passive. Passive attacks are attempts to gain unauthorized access into the system. Passive attacks pose threats to confidentiality of information. Active attacks include data modification, denial of service (DoS), and repudiation attacks. Active attacks pose threats to data integrity, availability, and accountability.
installing keystroke-logging malware
attacker installs malware in administrators or users compute system malware captures users credentials and sends to the attacker
risk assessment
determines the level of risk to the firm if a specific activity or process is not properly controlled
auhtentication
enables authentication among client and server multi-factor authentication, kerberos, chap, and openID
virtual LAN and Virtual San
ensure security by providing isolation over shared infrastructure restricting communication among different departments zoning provides additional level of security within a vsan In a storage environment, VLAN and VSAN ensure security by providing isolation over the shared infrastructure. Each department of an organization may be provided VLANs and VSANs to ensure their data is separated from other departments. A Virtual Local Area Network (VLAN) is a virtual network created on a local area network (LAN) consisting of virtual and/or physical switches. VLAN technology can divide a large LAN into smaller virtual LANs or combine separate LANs into one or more virtual LANs. A VLAN enables communication among a group of nodes based on the functional requirements of the group, independent of the node's location in the network. Similarly, Virtual Storage Area Network (VSAN) enables the creation of multiple logical SANs over a common physical SAN. They provide the capability to build larger consolidated fabrics and still maintain the required security and isolation between them. Zoning should be done for each VSAN to secure the entire physical SAN.
information security availability
ensures authorized users have reliable and timely access to resources
information security integrity
ensures unauthorized changes to data are not allowed
Virtual Private Network (VPN)
extends a users private network across a public network -enables to apply internal network's security and management policies over the VPN connection In the storage environment, a virtual private network (VPN) can be used to provide a user a secure connection to the storage resources. VPN is also used to provide secure siteto-site connection between a primary site and a DR site when performing remote replication. VPN can also be used to provide secure site-to-site connection between an organization's data center and cloud. A virtual private network extends an organization's private network across a public network such as Internet. VPN establishes a point-to-point connection between two networks over which encrypted data is transferred. VPN enables organizations to apply the same security and management policies to the data transferred over the VPN connection as applied to the data transferred over the organization's internal network. When establishing a VPN connection, a user is authenticated before the security and management policies are applied. There are two methods in which a VPN connection can be established: remote access VPN connection and site-to-site VPN connection. In a remote access VPN connection, a remote client (typically client software installed on the user's compute system) initiates a remote VPN connection request. A VPN server authenticates and provides the user access to the network. This method can be used by administrators to establish a secure connection to data center and carry out management operations. In a site-to-site VPN connection, the remote site initiates a site-to-site VPN connection. The VPN server authenticates and provides access to internal network. One typical usage scenario for this method is when deploying a remote replication or connecting the cloud.
Information Security
includes a set of practices that protect information and information systems from unauthorized access, use, deletion, modification, and disruption Information is an organization's most valuable asset. This information, including intellectual property, personal identities, and financial transactions, is routinely processed and stored in storage systems, which are accessed through the network. As a result, storage is now more exposed to various security threats that can potentially damage business-critical data and disrupt critical services. Organizations deploy various tools within their infrastructure to protect the asset. These tools must be deployed on various infrastructure assets, such as compute (processes information), storage (stores information), and network (carries information) to protect the information. As organizations are adopting third platform, in which cloud is a core element, one of the key concerns they have is 'trust'. Trust depends on the degree of control and visibility available to the information's owner. Therefore, securing storage infrastructure has become an integral component of the storage management process in second platform and third platform environment. It is an intensive and necessary task, essential to manage and protect vital information. Information security includes a set of practices that protect information and information systems from unauthorized disclosure, access, use, destruction, deletion, modification, and disruption. Information security involves implementing various kinds of safeguards or controls, in order to lessen the risk of an exploitation or a vulnerability in the information system which could otherwise cause a significant impact to organization's business. From this perspective, security is an ongoing process, not static, and requires continuous revalidation and modification. Securing the storage infrastructure begins with understanding the goals of information security.
auditing
is a process that determines the validity and reliability of information about the enforcement of controls presented by an organization. Audit also provides an assessment of the organization's security controls and their ability to provide the organizations the logs required to verify the controls. Auditing of the data center infrastructure can be performed by internal auditors (an auditing team within the organization) or external auditors (from an external organization). The auditor makes an independent assessment of the security controls in the information system to determine if they meet the requirements and are running as originally intended. Key activities that provide the basis for a security audit of a data center infrastructure include: • Review and evaluate the security controls to detect, prevent, and stop an attack in accordance with an organization's internal policies. Additionally, review and evaluate physical security. • Determine how identity management is performed for accessing organization's resources and services. • Determine whether adequate disaster recovery processes are available to provide uninterrupted access to the users. • Review and evaluate whether appropriate governance processes are available to meet organization's requirements.
Malicious Insiders
legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident intentional misuse of access to negatively impact CIA controle measures: -strict access control policies -security audit and data encryption - disable employee accounts immediately after separation -segregation of duties (role-based access control) -background investigation of candidates before hiring Today, most organizations are aware of the security threats posed by outsiders. Countermeasures such as firewalls, malware protection software, and intrusion detection systems can minimize the risk of attacks from outsiders. However, these measures do not reduce the risk of attacks from malicious insiders. According to Computer Emergency Response Team (CERT), a malicious insider could be an organization's current or former employee, contractor, or other business partner who has or had authorized access to an organization's compute systems, network, or storage. These malicious insiders may intentionally misuse that access in ways that negatively impact the confidentiality, integrity, or availability of the organization's information or resources. For example, consider a former employee of an organization who had access to the organization's storage resources. This malicious insider may be aware of security weaknesses in that storage environment. This is a serious threat because the malicious insider may exploit the security weakness. Control measures that can minimize the risk due to malicious insiders include strict access control policies, disabling employee accounts immediately after separation from the company, security audit, encryption, and segregation of duties (role-based access control, which is discussed later in this module). A background investigation of a candidate before hiring is another key measure that can reduce the risk due to malicious insiders.
Loss of data
occurs due to various reasons other than malicious attacks causes of data loss include: -accidental deletion by an admin -destruction resulting from natural disasters If organization is a service provider then they should publish: -protection controls deployed for data protection -appropriate terms/conditions and penalties related to data loss Control measure -data backup and replication Data loss can occur in a storage environment due to various reasons other than malicious attacks. Some of the causes of data loss may include accidental deletion by an administrator or destruction resulting from natural disasters. In order to prevent data loss, deploying appropriate measures such as data backup or replication can reduce the impact of such events. Organizations need to develop strategies that can avoid or at least minimize the data loss due to such events. Examples of such strategies include choice of backup media, frequency of backup, synchronous/asynchronous replication, and number of copies. Further, if the organization is a cloud service provider then they must publish the protection controls deployed to protect the data stored in cloud. The providers must also ensure appropriate terms and conditions related to data loss and the associated penalties as part of the service contract. The service contract should also include various BC/DR options, such as backup and replication, offered to the consumers
Key Security Controls
physical security identity and access management role-based access control netowork monitoring and analysis firewall intrusion detection and prevention system adaptive security virtual private network virtual LAN and virtual SAN zoning and iSNS discovery domain port binding and fabric binding securing hypervisor and management server VM,OS, and application hardening malware protection software mobile device management LUN masking data encryption data shredding
denial of services
prevents legitimate users from accessing resources or services -example: exhausting network bandwidth or cpu cycles -could be targeted against compute systems, networks, and storage resources DDOS is a variant of DoS attack -serveral systems launch coordinated DoS attack on target(s) -DDoS master program is installed on a compute system - Master program communicates to agents at designated time -agents initiate the attack on receiving the command Control measure -impose restrictions and limits on resource consumption A Denial of Service (DoS) attack prevents legitimate users from accessing resources or services. DoS attacks can be targeted against compute systems, networks, or storage resources in a storage environment. In all cases, the intent of DoS is to exhaust key resources, such as network bandwidth or CPU cycles, thereby impacting production use. For example, an attacker may send massive quantities of data over the network to the storage system with the intention of consuming bandwidth. This prevents legitimate users from using the bandwidth and the user may not be able to access the storage system over the network. Such an attack may also be carried out by exploiting weaknesses of a communication protocol. For example, an attacker may cause DoS to a legitimate user by resetting TCP sessions. Apart from DoS attack, an attacker may also carry out Distributed DoS attack. A Distributed DoS (DDoS) attack is a variant of DoS attack in which several systems launch a coordinated, simultaneous DoS attack on their target(s), thereby causing denial of service to the users of the targeted system(s). In a DDoS attack, the attacker is able to multiply the effectiveness of the DoS attack by harnessing the resources of multiple collaborating systems which serve as attack platforms. Typically, a DDoS master program is installed on one compute system. Then, at a designated time, the master program communicates to a number of "agent" programs installed on compute systems. When the agents receive the command, they initiate the attack. The principal control that can minimize the impact of DoS and DDoS attack is to impose restrictions and limits on the network resource consumption. For example, when it is identified that the amount of data being sent from a given IP address exceeds the configured limits, the traffic from that IP address may be blocked. This provides a first line of defense. Further, restrictions and limits may be imposed on resources consumed by each compute system, providing an additional line of defense.
authorization
process of determining access rights of a user, device, application, or process to a service or resource authorization should be performed only if authentication is successful
virtual machine hardening
process used to change the default configuration of a vm tune config of vm features to operate in secure manner vm templates must be hardened to a known security baseline
Vulnerabilities and security controls
vulnerabilities are weaknesses that an attacker exploits to carry out attacks security considerations -attack surface - attack vectors - work factor Managing vulnerabilities: - minimize the attack surface - maximize the work factor - install security controls Security controls reduce the impact of vulnerabilities controls can be: - technical: antivirus, firewalls , and IDPS - non-technical: admin policies and physical controls Controls are categorized as: - preventive - detective - corrective Vulnerability is a weakness of any information system that an attacker exploits to carry out an attack. The components that provide a path enabling access to information are vulnerable to potential attacks. It is important to implement adequate security controls at all the access points on these components. Attack surface, attack vector, and work factor are the three factors to consider when assessing the extent to which an environment is vulnerable to security threats. Attack surface refers to the various entry points that an attacker can use to launch an attack, which includes people, process, and technology. For example, each component of a storage infrastructure is a source of potential vulnerability. An attacker can use all the external interfaces supported by that component, such as the hardware and the management interfaces, to execute various attacks. These interfaces form the attack surface for the attacker. Even unused network services, if enabled, can become a part of the attack surface. An attack vector is a step or a series of steps necessary to complete an attack. For example, an attacker might exploit a bug in the management interface to execute a snoop attack. Work factor refers to the amount of time and effort required to exploit an attack vector. Having assessed the vulnerability of the environment, organizations can deploy specific control measures. Any control measures should involve all the three aspects of infrastructure: people, process, and technology, and their relationship. To secure people, the first step is to establish and assure their identity. Based on their identity, selective controls can be implemented for their access to data and resources. The effectiveness of any security measure is primarily governed by the process and policies. The processes should be based on a thorough understanding of risks in the environment, should enable recognizing the relative sensitivity of different types of data, and help determine the needs of various stakeholders to access the data. Without an effective process, the deployment of technology is neither cost-effective nor aligned to organizations' priorities.
Challenge Handshake Authentication Protocol (CHAP)
provides a method for initiators and targets to authenticate each other by utilizing a secret code 1. initiates a login to the target 2. chap challenge sent to initator 3. takes shared secret and calculates value using a oneway hash function 4. returns hash value to the target 5. computes the expected hash value from the shared secret and compares the value received from initator 6. if value matches, authentication is acknowledged The Challenge-Handshake Authentication Protocol (CHAP) is a basic authentication control that has been widely adopted by network devices and compute systems. CHAP provides a method for initiators and targets to authenticate each other by utilizing a secret code or password. CHAP secrets are usually random secrets of 12 to 128 characters. The secret is never exchanged directly over the communication channel; rather, a one-way hash function converts it into a hash value, which is then exchanged. A hash function, using the MD5 algorithm, transforms data in such a way that the result is unique and cannot be changed back to its original form. If the initiator requires reverse CHAP authentication, the initiator authenticates the target by using the same procedure. The CHAP secret must be configured on the initiator and the target. A CHAP entry, composed of the name of a node and the secret associated with the node, is maintained by the target and the initiator. The same steps are executed in a two-way CHAP authentication scenario. After these steps are completed, the initiator authenticates the target. If both the authentication steps succeed, then data access is allowed. CHAP is often used because it is a fairly simple protocol to implement and can be implemented across a number of disparate systems.
information security confidentiality
provides required secrecy of information ensures only authorized users have access to data
Unix Permissions
read, write, execute specifies operations by ownership relation with respect to a file: -What the owner can do? -what the owner group can do? -what everyone else can do?
LUN Masking
refers to the assignment of LUNs to specific host bus adapter world-wide names protects against unauthorized access to storage can be implemented on -host -switch -storage sytem stronger varient of LUN masking uses source fiber channel address
two methods to establish a VPN connection
remote access VPN conection site-to-site vpn connection
remote access VPN
remote client initiates a remote vpn connection request vpn server authenticates and grants access to organizations netowork
authorization
restricts accessibility and sharing of files and folders windows ACLs, unix permissions, and OAuth
Phishing
social engineering attack used to deceive users carried out by spoofing e-mail containing link to a fake website users credentials entered on the fake site are captured
Authentication
the process of ensuring that you are who you say you are two methods: single-factor and multi-factor
trust
visibility + control
Zoning and iSNS discovery Domain
zoning -logically segments node ports into groups -communication occurs among node parts within a group - WWPM-based zoning prevents unauthorized access when node ports are re-cabled to different fabric ports - port zoning reduces the risk of WWPN spoofing iSNS discovery domains -function in the same way as FC zones -enable functional groupings of devices in an IP SAN -devices in the same functional group can communicate with one another Zoning is a Fibre Channel switch control that enables node ports within a fabric to be logically segmented into groups and to communicate with each other within the group. There are three types of zoning. World Wide Port Name-based zoning is the most commonly used to prevent unauthorized access when node ports are re-cabled to different fabric ports. However, it is possible that a rogue compute system could join the fabric, then spoof a legitimate WWPN and thereby gain access to resources in a zone. If WWPN spoofing is a key concern, then port zoning and port binding can be used. Internet Storage Name Service (iSNS) discovery domains function in the same way as FC zones. Discovery domains provide functional groupings of devices in an IP SAN. For devices to communicate with one another, they must be configured in the same discovery domain. State change notifications inform the iSNS server when devices are added to or removed from a discovery domain.