CISSP CBK #2 Access Control

Access Control
This Chapter presents the following material
• Identification Methods and technologies
• Authentication Methods
• DAC, MAC and role based (non-DAC) models
• Accountability, monitoring, and auditing
• Unauthorized Disclosure of Information
• Intrusion Detection Systems
• Threats to access control practices and
technologies
Access Controls
Access controls are security features that
control how subjects (people, processes) can
interact with systems and resources.
Goal is to protect from unauthorized
access.
Access
• Access is the data flow between a
subject and an object.
• Subject is an active entity: a person, process or program
• Object is a passive resource (file, printer, etc.)
Access Control (157)
• Access control should support the CIA
triad!
• Let’s quickly go over the CIA triad again
Components of Access Control
(158)
Quick overview: details on each coming up
Identification – who am I? (userid etc)
Authentication – prove that I am who I say I
Authorization – now what am I allowed to
access
Auditing – Big Brother can see what I
accessed.
CISSP BUZZWORD
• Logical (technical) access controls are
used for these 4 items.*
– Smart cards, biometrics, passwords, audit
systems and SELinux are all examples of
logical controls.
Identification (159 & 162)
Identifies a user uniquely (hopefully)
• SSN, UID, SID, Username
• Should Uniquely identify a user for accountability
(don’t share)
• Standard naming scheme should be used
• Identifier should not indicate extra information
about user (like position)
• DO NOT SHARE (NO group accounts)
Authentication (160)
Proving who you say you are, usually one of
these 3
– Something you know (password)
– Something you have (smart card)
– Something you are (biometrics)
What is wrong with just using one of these
methods?
Strong Authentication (161)
Strong Authentication is the combination of 2
or more of these (also called multi-factor
authentication) and is encouraged!
– Strong Authentication provides a higher level
of assurance*
Authorization
• What does this mean?
• What are some type of authorization
mechanism? (ACLs, permissions)
• We will go more indepth on this later
• Authorization is a preventative “control”*
(we will talk about controls later)
Auditing
• What is the purpose of auditing?
• Auditing is a “detective” control* (we will
talk about this later)
Recap
• Identification – what is it?
• Authentication – how is this different from
identification
• Authorization – what does this mean?
• Auditing – what’s the point?
Identity Management (162)
• Identity management products are used to
id, authenticate and authorize users in an
automated means. It’s a broad term.
• These products may (or may not) include
– User account management
– Access controls
– Password management
– Single Sign on
– Permissions
ID Management and the CISSP
(164)
• Know for the exam that ID management
solutions include
– Directories
– Web Access Management
– Password Management
– Single Sign On
– Account Management
– Profile update
Profile updates
• What is a profile (not a Windows profile)?
• A profile is the collection of data about a
user, for example
– Email
– Home address
– Phone
– Start date
– Certifications
– etc
Profile updates (117)
• IdM systems may have centralized tools to
manage profiles, may have “self service”
portals where users can update their own
info.
• Profiles are similar to ‘digital Identity’
Directories (165)
• Information about the users and resources
– LDAP (based on X.500)
• Key concept is namespaces (like branches of a
tree) and DNs (distinguished names). Can anyone
explain namespaces and DNs?
• A DN is the path through the tree: a leaf RDN
(usually CN=...) followed by the containing OUs and
the DC components of the domain, e.g.
CN=jdoe,OU=Engineering,DC=example,DC=com
– Active Directory (an LDAP-accessible directory service)
– Legacy NT (flat directory structure)
– Novell NetWare (???)
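The DN and namespace ideas above, as an added Python example (not code from the slides or from any directory product). It splits a DN into its RDNs, rebuilds the tree path from the root, and shows the one thing that matters when an application turns a username into an LDAP search: the user-supplied value must be escaped (RFC 4515) or an attacker can widen the filter. The DN, the attribute names and the injection string are constructed for illustration.

```python
"""Parse an LDAP distinguished name and build an injection-safe search filter.
Added example; the DN and user names below are constructed for illustration."""

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


def parse_dn(dn):
    """Split 'CN=jdoe,OU=Eng,DC=example,DC=com' into (attribute, value)
    tuples, leaf first. A backslash-escaped comma inside a value
    (e.g. 'CN=Doe\\, John') does not split; escapes are kept verbatim."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def namespace_path(dn):
    """Tree path from the root (DC components) down to the leaf,
    the way a directory browser shows it."""
    return [f"{a}={v}" for a, v in reversed(parse_dn(dn))]


def domain_of(dn):
    """DNS-style domain spelled by the DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username):
    """'(&(objectClass=person)(sAMAccountName=<user>))' with the user part
    escaped, so '*' or ')(|(...' cannot change the meaning of the filter."""
    return f"(&(objectClass=person)(sAMAccountName={escape_filter_value(username)}))"
```

Without the escaping step, a username of `*` would match every person in the directory, which is the LDAP-injection equivalent of `' OR 1=1--`.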
Directories Role in ID management
• Specialized database optimized for
reading and searching operations
• Important because all resource info, users
attributes, authorization info, roles, policies
etc can be stored in this single place.
• Directories allow for centralized
management! However these can be
broken up and delegated. (trees in a
forest)
Meta and Virtual Directories (167)
• Meta-directories allow for a centralized
directory when user information is in multiple
different directories (the meta-directory
synchronizes its data against the other
databases)
• Virtual directories are like meta-dirs, but instead of
storing data they just provide links or pointers to
the data in the other directories
• Advantages and Disadvantages?
Web Access Management (168)
• Uses a web server (or several) to deliver resources
• Users authenticate against the web server
using whatever auth scheme is implemented
• Once authenticated, the user requests an object
• Web server verifies authorization
• If authorized, the web server returns the object
• Mainly used for external users/access
• Very Web 2.0, you probably see a lot of this
nowadays.
Password Management (171)
• Allows for users to change their passwords,
• May allow users to retrieve/reset password
automatically using special information
(challenge questions) or processes
• Helpdesk assisted resets/retrievals (same as
above, but helpdesk people might ask questions
instead of automated)
• May handle password synchronization
Single Sign On
• Log in one time, and access resources in
many places
• Not the same as password
synchronization
• SSO software handles authentication to
multiple systems (each system still decides
its own authorization)
• What is a security problem with this?
• What are the advantages?
Account Management Software
• Idea is to centrally manage user accounts rather than
manually create/update them on multiple systems
• Often includes workflow processes that allow distributed
authorization, i.e. a manager can put in a user request
or authorize a request, tickets might be generated for a
key card system for their locations, permissions might
be created for their specific needs, etc.
• Automates processes
• Can include record keeping/auditing functions
• Can ensure all accesses/accounts are cleaned up when
users leave.
Federation (I hate this word) (178)
• A federation is multiple computing and/or
network providers agreeing upon standards of
operation in a collective fashion (self-governing
entities that agree on common ground to ease
access between them)
• A federated identity is an identity and
entitlements that can be used across business
boundaries. (MS Passport, Google Checkout)
Identity Management Overview
• Idea is to manage, identify and authorize users
in an automated fashion
• Know for the exam that ID management
solutions include
– Directories
– Web Access Management
– Password Management
– Single Sign On
– Account Management
– Profile update
Who needs ID management (178)
• Really everyone! (at least anyone that you
will probably deal with)
• See table on Page 178
Break?
Biometrics (179)
• Bio – life, metrics - measure
• Biometrics verifies (authenticates) an
individuals identity by analyzing unique
personal attribute (something they ARE)
• Require enrollment before being used*
(what is enrollment? Any ideas)
• EXPENSIVE
• COMPLEX
Biometrics (179)
• Can be based on
– Behavior (signature dynamics) – might change over
time
– Physical attribute (fingerprints, iris, retina scans)
– We will talk about the different types of biometrics
later
• Can give incorrect results
• False rejection (valid user denied) – Type I error* (annoying)
• False acceptance (impostor admitted) – Type II error* (very bad)
CER (179)
• Crossover Error Rate (CER)* is an important
metric, stated as a percentage, that
represents the point at which the false rejection
rate (Type I) equals the false acceptance rate (Type II).
• A lower CER is better/more accurate*. (3%
is better than 4%)
• Also called Equal Error Rate (EER)
• Use CER to compare vendors' products
objectively
Biometrics (180)
• Systems can be calibrated: if you
adjust the threshold to decrease false acceptances,
you will almost certainly INCREASE false rejections;
this is where the CER comes in.
• Draw diagram on board
• Some areas (like military) are more concerned
with one error than the other (ex. would rather
deny a valid user than accept an invalid user)
• Can you think of any situations for each case?
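The calibration trade-off and the CER, as an added Python example (not from the slides or the book). The genuine and impostor match scores are constructed toy data, not measurements from any sensor; the functions sweep the acceptance threshold, compute FAR and FRR at each point, locate the crossover, and show what a "no false accepts above X%" policy costs in false rejections.

```python
"""False acceptance rate (Type II), false rejection rate (Type I) and the
crossover error rate from matcher scores. Added example; the genuine and
impostor scores are constructed toy data, not measurements from any sensor."""

# Constructed similarity scores (0..100): higher = closer to the enrolled template.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]    # legitimate user attempts
IMPOSTOR = [55, 58, 61, 63, 65, 68, 71, 73, 76, 80]   # other people's attempts


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """A score >= threshold is accepted.
    FAR = impostors wrongly accepted (Type II).
    FRR = genuine users wrongly rejected (Type I)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold; the CER/EER is where FAR and FRR meet.
    Returns (threshold, cer)."""
    best = None
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Calibrating the 'military' way: the lowest threshold whose FAR is
    within budget, and the FRR you pay for it. Returns (threshold, far, frr)."""
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return 101, 0.0, 1.0
```

On this toy data the crossover sits at threshold 72 with both rates at 30%; pushing FAR down to 10% moves the threshold to 77 and the FRR up to 40%, which is the shape of the curve the slide asks you to draw on the board.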
Biometric problems?
• Expensive
• Unwieldy
• Intrusive
• Can be slow (should not take more than 5-10 seconds)*
• Complex (enrollment)
Biometric Types Overview* (182)
We will talk in more depth of each in the next couple slides
• Fingerprint
• Palm Scan
• Hand Geometry
• Retina Scan
• Iris Scan
• Keyboard Dynamics
• Voice Print
• Facial Scan
• Hand Topography
Fingerprint (182)
• Measures ridge endings and bifurcations
(changes in the qualitative or topological
structure) and other details called
“minutiae”
• The full fingerprint image is not what gets
compared: the scanner extracts the specific
features (minutiae) into a template, and the
live scan's features are matched against
that stored template.
Palm Scan
• Creases, ridges, grooves
• Can include fingerprints
Hand Geometry
• Overall shape of hand
• Length and width of fingers
• This is significantly different between
individuals
Retina Scan
• Reads blood vessel patterns on the back
of the eye.
• Patterns are extremely unique
Iris Scan
• Measures colors
• Measures rifts
• Measures rings
• Measures furrows (wrinkles, ruts or grooves)
• Most accurate of all biometric systems
• Iris remains constant through adulthood
• Place scanner so sun does NOT shine
through aperture*
Signature Dynamics
• Most people sign in the same manner
(really???)
• Monitor the motions and the pressure
while moving (as opposed to a static
signature)
• Type I (what is type I again?) error high
• Type II (what is type II again?) error low
Keyboard dynamics
• Measures the speed and motion as you
type, including the timing between
characters, for a given phrase
• This is more effective than a password,
believe it or not, as it is hard to replicate
someone's typing style, whereas it's easy
to get someone's password.
Voice Print
• Enrollment, you say several different
phrases.
• For authentication words are jumbled.
• Measures speech patterns, inflection and
intonation (i.e.. pitch and tone)
Facial Scan
Geometric measurements of
• Bone structure
• Nose ridges
• Eye width
• Chin shape
• Forehead size
Hand Topography
• Peaks and valleys of hand along with
overall shape and curvature
• This is opposed to size and width of the
fingers (hand geometry)
• Camera on the side at an angle snaps a
pictures
• Not unique enough to stand on it’s own,
but can be used with hand geometry to
add assurance
Biometrics wrap up
We covered a bunch of different biometrics
• Understand some are behavioral* based
– Voice print
– Keyboard dynamics
– Can change over time
• Some are physically based
– Fingerprint
– Iris scan
Biometrics wrap Up
• Fingerprints are probably the most
commonly used and cheapest
• Iris scanning provides the most
“assurance”
• Some methods are intrusive
• Understand Type I and Type II errors
• Be able to define CER, is a lower CER
value better or worse?
Passwords (184)
What is a password? (someone tell me because I
forgot…)
• Works on what you KNOW
• Simplest form of authentication*
• Cheapest form of authentication*
• Oldest form of authentication
• Most commonly used form of authentication*
• WEAKEST form of authentication*
Problems with Passwords (184)
• People write down passwords (bad)
• People use weak passwords (bad)
• People re-use passwords (bad)
• If you make passwords too hard to
remember people often write them down
• If you make them too easy… they are
easily cracked
How to make a good password
• Don't use common words
• Don't use names or birthdates
• Use at least 8 characters
• Combine numbers, symbols and case
• Use a phrase and take attributes of the
phrase, transpose characters
Attacks on Passwords (185)
• Sniffing (Electronic Monitoring)
• Brute force attacks
• Dictionary attack
• Social Engineering (what is social
engineering?)
• Rainbow tables – precomputed tables that map
password hashes back to passwords, so a captured
hash is looked up instead of cracked (salting
defeats them)
Passwords and the OS (184)
• The OS should enforce password
requirements
– Aging –when a password expires
– Reuse of old passwords
– Minimum number of characters
– Limit login attempts – disable logins after a
certain number of failed attempts
System password protection
• System should NOT store passwords in
plaintext. Use a hash (what is a hash?)
• Can encrypt hashes
• Password salts – random values added
to the hash process (stored next to the hash) so
that the same password hashes to different results
for different users; precomputed tables become
useless and the attacker must brute force each
account separately
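The rainbow-table attack from the previous slide and the salt defence from this one, as a single added Python example (not code from the slides, the book or any product). The wordlist and the "stolen" hashes are constructed; the hashing uses the standard library's PBKDF2 so it runs anywhere.

```python
"""Why salted, slow password hashes defeat precomputed (rainbow/lookup)
tables. Added example, not from the page or any product; the wordlist and
the 'stolen' hashes are constructed."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Winter2009", "qwerty", "correct horse"]  # constructed


def unsalted_hash(password):
    """How NOT to do it: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """The attacker's one-time precomputation (what a rainbow table compresses)."""
    return {unsalted_hash(w): w for w in words}


def crack_by_lookup(stolen_hash, table):
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return table.get(stolen_hash)


def hash_password(password, iterations=600_000, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The salt is stored in
    the clear next to the digest: it is not a secret, it only has to be unique."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_salted(record, words):
    """With a salt the attacker must redo the full iterated hash for every
    candidate, for every account: len(words) * iterations work per record,
    and nothing precomputed can be shared between accounts."""
    for w in words:
        if verify_password(w, record):
            return w
    return None
```

Two users with the same password get two different records, so a table keyed on the digest alone finds nothing; the weak password is still crackable, but only by paying the full cost per account, which is the point of the iteration count.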
Cognitive passwords (187)
• Not really passwords, but facts that only a
user would know. Can be used to verify
who you are talking to without giving out
password, or for password reset
challenges.
• Not really secure, I’m not a big fan.
One Time Password
• Password is good only once, then no longer valid
• Used in high security environments
• VERY secure
• Not vulnerable to electronic eavesdropping (a
captured value cannot be replayed), but
vulnerable to loss of the token (though you must
also have the PIN)
• Requires a token device to generate passwords.
(RSA SecurID key is an example)
One Time Password Token Type
One of 2 types
• Synchronous – uses time to synchronize
between token and authentication server
– Clocks must be synchronized!
– Can also use counter-sync which a button is
pushed that increments values on the token
and the server
OTP Token Types (189)
Asynchronous
– Challenge response
• Auth server sends a challenge (a random value called a
nonce)*
• User enters nonce into token, along with PIN
• Token encrypts nonce and returns value
• User inputs value into workstation
• If the server can decrypt it (and it matches), you are good.
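The three token types from the last two slides in working form, as an added Python example (not from the slides or any vendor): counter-synchronous (HOTP, RFC 4226), time-synchronous (TOTP, RFC 6238, including the clock-skew window that is why clocks must be synchronized) and an asynchronous challenge-response round. The shared secret is the RFC test-vector secret; the challenge-response construction is an assumed HMAC-based simplification, not any real token's scheme.

```python
"""One-time password token mechanics: counter-synchronous (HOTP, RFC 4226),
time-synchronous (TOTP, RFC 6238) and an asynchronous challenge-response
round. Added example; SECRET is the RFC test-vector secret and the
challenge-response construction is an assumed simplification."""
import hashlib
import hmac
import secrets
import struct

SECRET = b"12345678901234567890"     # RFC 4226 / RFC 6238 test secret


def hotp(secret, counter, digits=6):
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, skew_steps=1, step=30):
    """Accept the current step and +-skew_steps around it. A client clock
    that drifts further than the window is locked out: clocks MUST be synced."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew_steps, counter + skew_steps + 1))


class HotpServer:
    """Counter-synchronous verification with a look-ahead window, so a few
    button presses without a login do not desynchronize the token."""

    def __init__(self, secret, window=5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # this and earlier counters are now dead
                return True
        return False


def challenge():
    """Server side of asynchronous mode: a fresh random nonce per attempt."""
    return secrets.token_hex(8)


def token_response(secret, nonce, pin):
    # Assumed construction: keyed hash over nonce and PIN (vendors differ).
    return hmac.new(secret, (nonce + pin).encode(), hashlib.sha256).hexdigest()[:8]


def server_check(secret, nonce, pin, response):
    return hmac.compare_digest(token_response(secret, nonce, pin), response)
```

Every code is bound either to a counter the server will never accept again or to a nonce it issued once, which is what makes a sniffed value useless; the look-ahead and skew windows are the places where an implementation trades a little of that strictness for usability.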
Other Types of Authentication (190)
• Digital Signature (talked about in more depth
in chapter 8).
– Take a hash value of a message, encrypt the
hash with your private key
– Anyone with your public key can decrypt the hash,
recompute it and verify the message is from you
and unchanged.
Passphrase (190)
• Simply a phrase; the application will probably
make a “virtual password” from the
passphrase (e.g. a hash)
• Generally more secure than a password
– Longer
– Yet easier to remember
Memory Cards (191)
• NOT a smart card
• Holds information, does NOT process
• A memory card holds authentication info,
usually you’ll want to pair this with a PIN…
WHY? You tell me.
• A credit card or ATM card is a type of
memory card, so is a key/swipe card
• Usually insecure, easily copied.*
Smart Card (193)
• Much more secure than memory cards
• Can actually process information
• Includes a microprocessor and ICs
• Can provide two-factor authentication, as
the card can store authentication data protected by a
PIN (so you need the card, and you need to
know something)
• Two types
– Contact
– Contactless
Smart Card Attacks (193)
There are attacks against smart cards
• Fault generation – manipulate
environmental conditions (voltage, clock,
temperature) and observe the resulting
errors in order to reverse engineer logic,
etc.
Smart Card Attacks
• Side Channel Attacks – measure the card
while it works
– Differential power analysis – measure power
consumption
– Electromagnetic analysis – measure the
frequencies emitted
Smart Card Attacks
• Micro probing* – using needles and ultrasonic
vibration to remove the outer protective
layer from the card's circuits, then tap into the
ROM if possible, or “dye” the ROM to read data
(use chemicals to stain the ROM and
determine values). (This is actually done…
someone reverse engineered the
Game Boy BIOS using this method.)
OK enough authentication already
Authorization
• Now that I am who I say I am, what can I
do?
– Both OSes and Applications can provide this
functionality.
– Authorization can be provided based on user,
groups, roles, rules, physical location, time of
day (temporal isolation)* or transaction type
(example a teller may be able to withdrawal
small amounts, but require manager for large
withdrawals)
Authorization principles (pg 197)
• Default NO access (implicit deny)*
• Need to Know
Authorization Creep* (197)
• What is authorization creep*?
(permissions accumulate over time even if
you don’t need them anymore)
• Auditing authorization can help mitigate
this. SOX requires yearly auditing.
Single Sign on (200)
• Why is this section here? It’s poorly
located, but anyway let’s follow the flow of
the book)
SSO
Idea
• One identification/authentication instance
for all networks/systems/resources
• Eases management
• Makes things more secure (no written
down passwords, hopefully)
• Can focus budgets and time on securing
one method rather than many!
• Makes things integrated
SSO downsides
• Centralized point of failure*
• Can cause bottlenecks*
• All vendors have to play nicely (good luck)
• Often very difficult to accomplish* (golden
ring of network authentication)
• One ring to bind them all! (wait...no…) If
you can access once, you can access
ALL!
SSO technologies
• Kerberos (yeay!)
• SESAME
Kerberos (201)
• From MIT's Athena project
• Designed to eliminate transmitting
passwords over the network.
• Scalable, reliable, secure, flexible
• Uses symmetric key cryptography*
Kerberos Components* (201)
• Key Distribution Center. (you CAN/SHOULD
have backups KDCs, though the exam states
that this is a central point of failure for
Kerberos*)
• Principals (users, applications, and services)
each principal gets an account!*
• Tickets, generated by TGS on KDC
• Important ticket is the Ticket Granting Ticket*
• Realm is the domain of all principals that a
Kerberos server provides tickets for.
Kerberos Process (202)
• Go over process on page 202*
• Understand the difference between a
session key and a secret key* (pg 203)
• Note* Kerberos systems MUST be time
synchronized (authenticators carry a timestamp
and are rejected outside the allowed clock skew)
Kerberos Problems*
• Single point of failure* (though this can be
made redundant)
• KDC must be scalable
• Secret keys are stored on the workstation;
if you can get these keys, you can break
things
• Same with session keys
• Vulnerable to password guessing (the AS reply
is encrypted under a key derived from the
user's password)
• Traffic is not encrypted if not enabled
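The process on page 202, the secret-key/session-key distinction and the time-synchronization requirement, as an added Python model (not MIT or Microsoft Kerberos code, and not from the book). The realm database is constructed, and `encrypt`/`decrypt` are a stand-in (SHA-256 keystream plus HMAC tag) for the real AES encryption types; everything else follows the AS, TGS and AP exchanges.

```python
"""Toy model of the Kerberos ticket flow (AS, TGS and AP exchanges), showing why
a principal's long-term secret key and a per-session key are different things
and why hosts MUST be time synchronized (authenticators carry a timestamp).
Added example, not MIT/Microsoft Kerberos code: the realm database is
constructed and 'encrypt' is a stand-in (SHA-256 keystream + HMAC tag) for the
real AES-based encryption types."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300          # seconds; Kerberos implementations default to 5 minutes


def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def encrypt(key, obj):
    """Authenticated encryption of a JSON-able dict under a 32-byte key."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def secret_key(password):
    """Long-term key of a user principal, derived from the password
    (string-to-key). The password itself never crosses the network."""
    return hashlib.sha256(password.encode()).digest()


# Constructed realm: every principal (user, TGS, service) has an account and a
# long-term secret key known only to it and the KDC.
KDC_DB = {
    "alice": secret_key("correct horse"),
    "krbtgt": os.urandom(32),          # the TGS's own key
    "fileserver": os.urandom(32),
}


def _check_authenticator(ticket, authenticator, now):
    a = decrypt(bytes.fromhex(ticket["key"]), authenticator)
    if a["client"] != ticket["client"] or abs(now - a["time"]) > SKEW:
        raise PermissionError("authenticator rejected (wrong client or clock skew)")


def as_exchange(user):
    """AS-REQ/AS-REP: the KDC returns a fresh session key twice, once under the
    user's secret key and once inside the TGT under the TGS's key."""
    session = os.urandom(32).hex()
    tgt = encrypt(KDC_DB["krbtgt"], {"client": user, "key": session})
    return encrypt(KDC_DB[user], {"key": session}), tgt


def tgs_exchange(tgt, authenticator, service, now):
    """TGS-REQ/TGS-REP: present TGT + authenticator, get a service ticket."""
    t = decrypt(KDC_DB["krbtgt"], tgt)
    _check_authenticator(t, authenticator, now)
    svc_session = os.urandom(32).hex()
    ticket = encrypt(KDC_DB[service], {"client": t["client"], "key": svc_session})
    return encrypt(bytes.fromhex(t["key"]), {"key": svc_session}), ticket


def ap_exchange(ticket, authenticator, service, now):
    """AP-REQ at the service: only the service's secret key opens the ticket."""
    t = decrypt(KDC_DB[service], ticket)
    _check_authenticator(t, authenticator, now)
    return t["client"]


def login_and_access(user, password, service, clock_offset=0.0):
    """Client side of the whole flow. clock_offset simulates a client whose
    clock is off by that many seconds. Returns the name the service accepted."""
    client_time = time.time() + clock_offset
    enc_session, tgt = as_exchange(user)
    session = bytes.fromhex(decrypt(secret_key(password), enc_session)["key"])
    auth = encrypt(session, {"client": user, "time": client_time})
    enc_svc, ticket = tgs_exchange(tgt, auth, service, time.time())
    svc_session = bytes.fromhex(decrypt(session, enc_svc)["key"])
    auth2 = encrypt(svc_session, {"client": user, "time": client_time})
    return ap_exchange(ticket, auth2, service, time.time())
```

Note what each key protects: the user's secret key only ever decrypts the AS reply (so a wrong password fails right there, and an attacker with that blob can guess passwords offline), the session keys live only for the exchange, and the service never sees anything but its own ticket plus an authenticator it can check against the clock.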
SESAME
• European technology, developed to extend
Kerberos and improve on its weaknesses
• SESAME uses both symmetric and asymmetric
cryptography.
• Uses “Privileged Attribute Certificates” rather
than tickets; PACs are digitally signed and
contain the subject's identity, access capabilities
for the object, access time period and lifetime of
the PAC.
• PACs come from the Privileged Attribute Server.
SESAME procedure (205)
• See page 206, note that SESAME uses
public/private keys for initial
authentication. (send an authenticator
message, and a timestamp or random
number, sign this message)
Access Control Models (211)
A framework that dictates how subjects access
objects.
• Uses access control technologies and security
mechanisms to enforce the rules
• Business goals and culture of the organization
will prescribe which model it uses
• Every OS has a security kernel/reference
monitor (talk about in another chapter) that
enforces the access control model.
Access Control Models
• DAC
• MAC
• Role based
• Each will be discussed in upcoming slides
DAC
Discretionary Access Control*
• Owner or creator of resource specifies
which subjects have which access to a
resource. Based on the Discretion of the
data owner*
• Common example is an ACL (what is an
ACL?)
• Commonly implemented in commercial
products (Windows, Linux, MacOS)
MAC
Mandatory Access Control*
• Data owners cannot grant access!*
• OS makes the decision based on a
security label system*
• Users and Data are given a clearance
level (confidential, secret, top secret etc)*
• Rules for access are configured by the
security officer and enforced by the OS.
MAC (212)
MAC is used where classification and
confidentiality are of utmost importance…
military.
Generally you have to buy or deploy a specific MAC
system; a plain DAC OS doesn't do MAC
– SELinux (MAC layered on top of Linux's DAC)
– Trusted Solaris
MAC sensitivity labels
• Again all objects in a MAC system have a
security label*
• Security labels can be defined the organization.
• They also have categories to support “need to
know” @ a certain level.
• Categories can be defined by the organization
• If I have “top secret” clearance can I see all
projects in the “secret” level???
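The question above, answered in code: an added Python example (not from the slides or from SELinux/Trusted Solaris) of the label comparison a MAC reference monitor makes. A clearance dominates a label only if its level is at least as high AND it carries every category the label carries, so TOP SECRET with the wrong category still cannot read a SECRET project. Levels, categories and principals are constructed.

```python
"""Mandatory access control decision: a subject's clearance must dominate the
object's sensitivity label, where a label is a level plus a set of need-to-know
categories (a Bell-LaPadula style check). The data owner has no say.
Added example; levels, categories and principals are constructed."""

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label:
    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """self >= other: level at least as high AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __repr__(self):
        return f"{self.level}/{{{', '.join(sorted(self.categories))}}}"


def can_read(clearance, label):
    """Simple security property (no read up)."""
    return clearance.dominates(label)


def can_write(clearance, label):
    """*-property (no write down): stops secret data being copied into a
    less sensitive object."""
    return label.dominates(clearance)


def reference_monitor(clearance, label, op):
    """Every access goes through here; 'owner' is deliberately not a parameter,
    because under MAC the owner cannot grant access."""
    return {"read": can_read, "write": can_write}[op](clearance, label)
```

So a TOP SECRET clearance for category NUCLEAR is refused a SECRET/CRYPTO document: the level is fine, the need-to-know is not.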
Role Based Access Control (214)
• Also called non-discretionary.
• Uses a set of controls to determine how subjects and
objects interact.
• You are assigned a role, and your role dictates
your access to resources, rather than your individual
user account.
• This scales better than DAC methods
• You don't have to continually change ACLs or
permissions per user, nor do you have to remember
what perms to set on a new user; just assign them a
certain role
• You can simulate this with “groups” in Windows and
Linux, especially with LDAP/AD.
Role based Access control
When to use
• If you need centralized access
• If you DON’T need MAC ;)
• If you have high turnover*
Software and Hardware Guards
• Allow the exchange of data between
trusted and less trusted systems. We will
talk about this in another chapter, let’s not
worry about it now.
Access Control technologies that
support access control models
(217)
We will talk more in depth of each in the next
few slides.
• Rule-based Access Control
• Constrained User Interfaces
• Access Control Matrix
• Access Control Lists
• Content-Dependent Access Control
• Context-Dependent Access Control
Rule Based Access Control (217)
• Uses specific rules that indicate what can and
cannot transpire between subject and object.
• “if x then y” logic
• Before a subject can access an object it must
meet a set of predefined rules.
– ex. If a user has proper clearance, and it's between
9AM-5PM, then allow access
• However it does NOT have to deal specifically
with identity/authorization
– Ex. May only accept email attachments 5M or less
Rule Based Access Control
• Is considered a “compulsory control”
because the rules are strictly enforced and
not modifiable by users.
• Routers and firewalls use rule based
access control heavily
Constrained User Interfaces (218)
Restrict user access by not allowing them to see certain data
or have certain functionality
• Views – only allow access to certain data (canned
interfaces)
• Restricted shell – like a real shell but only with certain
commands (like Cisco's non-enable mode)
• Menu – similar but more “GUI”
• Physically constrained interface – show only certain
keys on a keypad/touch screen, like an ATM (a
modern type of menu). Difference is you are physically
constrained from accessing them.
Access Control Matrix* (220)
• Table of subjects and objects indicating
what actions individuals subjects can take
on individual objects*
– See page 220 (top)
Capability Table*
• Bound to subjects, lists what permissions
a subject has to each object
• This is a row in the access matrix
• (see 220 bottom)
• NOT an ACL.. In fact the opposite
ACL*
• Lists what (and how) subjects may
access a certain object.
• It's a column of an access matrix
– See page 220
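The matrix, the capability table (row) and the ACL (column) from the last three slides, plus the implicit-deny principle and the "9AM-5PM" rule from the rule-based slide, as one added Python example (not from the book or any OS). Subjects, objects, rights and the ownership rule used by `grant` are constructed for the demo.

```python
"""An access control matrix and its two projections: the ACL (a column,
stored with the object) and the capability list (a row, held by the subject),
with an implicit-deny decision function and a rule-based time-of-day rule
layered on top. Added example; subjects, objects and rights are constructed."""

# Constructed matrix: subject -> object -> set of rights. Empty cells are absent.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "printer": {"use"}},
    "bob":   {"payroll.xlsx": {"read"}},
    "carol": {"printer": {"use", "admin"}},
}


def acl(matrix, obj):
    """Column of the matrix: for one object, which subjects may do what."""
    return {s: set(rights[obj]) for s, rights in matrix.items() if obj in rights}


def capability_list(matrix, subject):
    """Row of the matrix: for one subject, what it may do to each object."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}


def is_allowed(matrix, subject, obj, right):
    """Default NO access: anything not explicitly in the matrix is denied,
    including unknown subjects and unknown objects."""
    return right in matrix.get(subject, {}).get(obj, set())


def business_hours(hour):
    """Rule-based layer: 'if it is between 9AM and 5PM then allow'."""
    return 9 <= hour < 17


def decide(matrix, subject, obj, right, hour):
    """Both the identity-based grant and the rule must pass."""
    return is_allowed(matrix, subject, obj, right) and business_hours(hour)


def grant(matrix, owner, subject, obj, right):
    """DAC: only the object's owner may extend its ACL. Assumed ownership
    rule for the demo: whoever holds 'write' or 'admin' on the object."""
    if not (is_allowed(matrix, owner, obj, "write") or is_allowed(matrix, owner, obj, "admin")):
        raise PermissionError(f"{owner} does not own {obj}")
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)
```

Storing the matrix whole is impractical at scale, which is why real systems keep one projection or the other: file systems keep ACLs with the objects, while tokens and capability systems hand the row to the subject.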
Content Dependent Access
Controls (221)
• Access is determined by the type of data.
– Example, email filters that look for specific
things like “confidential”, “SSN”, images.
– Web Proxy servers may be content based.
Context Dependent Access Control
(221)
• System reviews a Situation then makes a
decision on access.
– A firewall is a great example of this, if session
is established, then allow
– Another example, allow access to certain
body imagery if previous web sessions are
referencing medical data.
Review of Access Control
Technology / Techniques
• Constrained User Interfaces*
– view, shell, menu, physical
• Access Control Matrix*
• Capability Tables*
• ACL*
• Content Dependent Access Control
• Context Dependent Access Control
• You should really know ALL of these and be
able to differentiate between similar types!
Centralized Access Control
Administration (223)
What is it?
• A centralized place for configuring and
managing access control
• All the ones we will talk about (next) are
“AAA” protocols*
– Authentication
– Authorization
– Accounting (auditing)
Centralized Access Control
Technologies
We will talk about each of these in the
upcoming slides
• Radius
• TACACS, TACACS+
• Diameter
Radius* (223)
• Initially developed by Livingston to authenticate modem
users
• Access server sends credentials to the Radius server,
which sends back authorization and connection
parameters (IP address etc) (see diagram on 224)
• Can use multiple authentication types (PAP, CHAP, EAP)
• Uses UDP port 1812 for authentication, and 1813 for accounting*
• Sends Attribute Value Pairs (Ex. IP=192.168.1.1)
• Access server notifies Radius server on disconnect (for
accounting)
What is radius used for
• Network access
– Dial up
– VLAN provisioning
– IP address assignment
Radius benefits
• It’s been around, a lot of vendor support
Radius issues
• Radius shares a symmetric key (the shared secret)
between NAS and Radius server, but does not
encrypt the attribute value pairs; only the
User-Password attribute is obfuscated (with an
MD5-based keystream). This could provide info to
people doing reconnaissance
• PAP passwords go clear text from the dial up
user to the NAS
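What "only the user info is hidden" means on the wire, as an added Python example (not from the book or any RADIUS implementation): the User-Password hiding from RFC 2865 section 5.2 applied to a constructed Access-Request, with the User-Name and NAS-IP-Address attributes left in clear exactly as the protocol sends them, and the offline shared-secret guess that a captured request permits. The shared secret, request authenticator and attribute values are constructed.

```python
"""How RADIUS protects the User-Password attribute (RFC 2865 section 5.2), and
why only that attribute is protected: a keystream of MD5(shared secret ||
request authenticator) is XORed over the padded password; every other
attribute in the Access-Request travels in clear. Added example; the shared
secret, authenticator and attribute values are constructed."""
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4     # RFC 2865 attribute types


def new_request_authenticator():
    """16 random bytes per Access-Request; it is sent in clear in the header."""
    return os.urandom(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, authenticator):
    """c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... in 16-byte blocks."""
    p = password.encode()
    p = p.ljust(max(16, -(-len(p) // 16) * 16), b"\x00")   # NUL-pad to 16n, min 16
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return out


def decode_user_password(blob, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        c = blob[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00").decode()


def avp(attr_type, value):
    """Attribute-Value Pair on the wire: Type(1) Length(1) Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def access_request_attributes(username, password, nas_ip, secret, authenticator):
    """The attribute section of an Access-Request as it appears on the wire:
    only the User-Password value is transformed."""
    return (avp(USER_NAME, username.encode())
            + avp(USER_PASSWORD, encode_user_password(password, secret, authenticator))
            + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))


def guess_shared_secret(candidates, blob, authenticator, known_password):
    """Offline attack: with one captured Access-Request whose password the
    attacker knows (e.g. their own), each candidate secret costs one MD5 to
    confirm, so the shared secret must be long and random."""
    for s in candidates:
        try:
            if decode_user_password(blob, s, authenticator) == known_password:
                return s
        except UnicodeDecodeError:
            continue
    return None
```

Sniffing the NAS-to-server leg therefore yields usernames, NAS addresses and every other attribute directly, and the password too once the shared secret has been guessed; this is why RADIUS is normally confined to a management network or wrapped in IPsec or TLS.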
TACACS(+) (225)
• TACACS uses fixed passwords
• TACACS uses TCP or UDP port 49
• TACACS is old (1990) TACACS+ replaces
it
• TACACS+ can support one time
passwords
• Provides the same functionality of Radius
• TACACS+ uses TCP port 49
TACACS+ benefits
• TCP? Is this a benefit? Discuss…
• Encrypts the entire packet body (only the header
is in clear), not just the password as Radius does
• TACACS+ separates each AAA function.
– For example can use AD for authentication
(Radius can actually do this too, but you have
to write plug-ins)
• Has more AVPs than Radius, more
flexible
Diameter (229)
• Builds upon Radius
• Similar functionality to Radius and
TACACS+
• NOT backwards compatible with Radius
(book is wrong) but is similar and an
upgrade path
• Uses TCP or SCTP (Stream Control Transmission Protocol)
Diameter benefits
• With Diameter the Diameter server can connect to the
NAS (i.e. could say kick this user off now).
Radius servers only respond to client
requests.
• Has a lot more AVPs (2^32 attribute codes rather than
2^8)
Centralized Access Controls
overview
• Idea centralize access control
• Radius, TACACS, diameter
• Is Active Directory a type of Centralized
Access Control?
• Decentralized is simply maintaining
access control on all nodes separately.
Controls and Control Types*
STOP
• Before we move on you need to
understand the definitions/terms that we
are about to cover for the exam (controls
and control types). They are used
ambiguously on the exam, so you need to
think about them. We will give an overview
now, but we'll keep seeing them again and
again.
Controls and Control Types*
Not directly in book
• There are controls and control types;
need to understand these
• Controls
– Administrative
– Physical
– Technical
• Now we'll talk about control types
Control types (241 skip ahead)
• Types (can occur in each “control” category)
– Deterrent – intended to discourage attacks
– Preventative – intended to prevent incidents
– Detective – intended to detect incidents
– Corrective – intended to correct incidents
– Recovery – intended to bring controls back up to
normal operation
– Compensating – provides alternative controls to other
controls
Administrative Controls (back to
231)
• Personnel – HR practices
• Supervisory – Management practices
(supervisor, corrective actions)
• Training – that’s pretty obvious
• Testing – not technical, and
managements* responsibility to ensure it
happens
Physical Controls (223)
• Physical Network Segregation (not logical)
– ensure certain networks segments are
physically restricted
• Perimeter Security – CCTV, fences,
security guards, badges
• Computer Controls – physical locks on
computer equipment, restrict USB access
etc.
Physical Controls continued
• Work Area Separation – keep accountants
out of R&D areas
• Cabling – shielding, Fiber
• Control Zone – break up office into logical
areas (lobby – public, R&D- Top Secret,
Offices – secret)
Technical or Logical controls (235)
Using technology to protect
• System Access – Kerberos, PKI, radius
(specifically access to a system)
• Network Architecture – IP subnets, VLANS ,
DMZ
• Network Access – Routers, Switches and
Firewalls that control access
• Encryption – protect confidentiality, integrity
• Auditing – logging and notification systems.
Ok we went out of order.. Skip to
247
• This is out of WAY out of order, but for the
exam you should know the table on 247
(Access control practices) let’s read it
together.
Unauthorized Disclosure of
Information
Sometimes things are disclosed unintentionally. In the next couple slides we
will talk about
• Object reuse
• Emanation security
Object reuse (248)
• Media may be re-used without cleaning off
old data!
• Fix this
– Destroy or wipe (destroy) old data
– Why destroy?
– What is degaussing?*
Emanation Security (249)
• All devices give off electrical / magnetic signals.
This can be used against you (we’ve all seen
Alias and 24?)
• Hard/expensive to do often but not always.
• A non-obvious example is reading info from a
CRT bouncing off something (we’ve seen CSI
right?)
• Tempest* is a standard to develop
countermeasures to protect against this.
• Let’s talk about emanation countermeasures
Emanation Countermeasures
• Faraday cage – a metal mesh cage
around an object, it negates a lot of
electrical/magnetic fields.
• White Noise – a device that emits a uniform
spectrum of random electronic signals.
You can buy sound-frequency white noise
machines. (call centers, doctors)
• Control Zones – protect sensitive devices
in special areas with special walls etc.
Intrusion detection (250)
IDS allow you to detect intrusion and unauthorized
access.
Different types (we will discuss), but usually
consist of
• Sensors
• Storage
• Analysis engine
• Management Console
• (see diagram on 260)
NIDS
• Network Based
– Monitor network traffic ONLY
– Can be of multiple types (discuss later)
– Watch out for switches (use mirroring), and
subnets (use multiple sensors)
HIDS
• Host based – installed on computers
– Monitor logs
– Monitor system activity
– Monitor configuration files
– Can monitor network traffic, but only to and
from the host it is installed on.
– Multiple types – discussed later
IDS types (251)
• Signature based – like a virus scanner,
look for known attack signature
• MUST be updated with new signatures
• Will not stop unknown attacks (0-day)
• Relatively high rate of assurance
• Commonly used
Statistical Anomaly Based IDS /
heuristic
• Based on what is “normal” behavior (builds
a profile)
• Detects when things are not normal
• Very subjective
• Very high rate of false positives, may lead
to info being ignored. –
• Requires high degree of knowledge and
maintenance to run
• Can possibly detect zero days +
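The two detection styles from the last two slides run over the same constructed web-server log, as an added Python example (not code from any IDS product or from the book). The log lines, the signatures and the "normal" baseline are all constructed; the point is that the signature engine catches only what it has a pattern for, while the statistical engine catches the query flood it has never seen but would flag a legitimate heavy user the same way.

```python
"""Signature-based versus statistical-anomaly detection, run over the same
constructed web-server log. Added example, not any IDS product's code; the
log lines, signatures and the 'normal' baseline are all constructed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access log: "client method path status"
LOG = (
    "10.0.0.5 GET /index.html 200\n"
    "10.0.0.5 GET /about.html 200\n"
    "10.0.0.7 GET /login?user=admin'%20OR%201=1-- 200\n"
    "10.0.0.9 GET /../../etc/passwd 404\n"
    + "".join(f"10.0.0.42 GET /search?q={i} 200\n" for i in range(60))
)

# Constructed signatures: patterns of *known* attacks.
SIGNATURES = {
    "sql-injection": re.compile(r"(?:'|%27)(?:\s|%20)*(?:OR|AND)(?:\s|%20)*\d+=\d+", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed training data: requests per client in a known-clean window.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]


def parse_log(log):
    rows = []
    for line in log.splitlines():
        ip, method, path, status = line.split()
        rows.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return rows


def signature_alerts(rows):
    """Match every request against the signature database; an attack with no
    signature (a 0-day) produces nothing here."""
    return [(r["ip"], name)
            for r in rows
            for name, rx in SIGNATURES.items()
            if rx.search(r["path"])]


def anomaly_alerts(rows, baseline=BASELINE_COUNTS, z_threshold=3.0):
    """Flag clients whose request count is more than z_threshold standard
    deviations above the learned baseline. Catches novel behaviour, but a
    legitimate heavy user looks exactly the same (false positive)."""
    mu, sigma = mean(baseline), pstdev(baseline)
    counts = Counter(r["ip"] for r in rows)
    return [(ip, n) for ip, n in counts.items() if sigma and (n - mu) / sigma > z_threshold]


def run_ids(log=LOG):
    rows = parse_log(log)
    return {"signature": signature_alerts(rows), "anomaly": anomaly_alerts(rows)}
```

The baseline and threshold are the "high degree of knowledge and maintenance" from the slide: retrain on a window that already contains an attack and the attack becomes normal.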
Protocol* based IDS
• What is a protocol? Anyone?
• Understand the protocols it’s watching
(like HTTP, SMTP)
• Looks for deviations from the normal
protocol traffic
• Good to combined with other IDS types
(signature based, or statistical based)
• A lot of protocols are open to interpretation
which can confuse protocol based IDS*
Rule-Based (255)
• Uses expert systems/knowledge-based
systems.
• These use a database of knowledge and
an “inference engine” to try to mimic
human knowledge. It's as if a person
was watching data in real time and had
knowledge of how attacks work.
IDS review
• Signature Based
• Anomaly Based
• Rule Based
• When studding review the table on page
257
IPS
• Like an IDS, but actively takes steps to
neutralize attacks in real time (it still
needs IDS functionality to decide what to block)
• Might reset TCP connections, might
update firewall rules to block traffic.
• Cool right?
• May create problems in troubleshooting
network behavior/issues.
Honey Pots/ Honey Nets (263)
• Computer or network setup to “distract”
attackers to this machine/net rather than
the real machines.
• Can be restricted and monitored so you
can see who’s trying to do what, and stop
them.
• Be wary of enticement vs. entrapment.
Can anyone explain the difference?
Threats to Access Control
We will talk about these later.. But let’s review
these now
• Dictionary attacks – what is this?
• Sniffers – what is this?
• Brute force attacks – how is this different from a
dictionary attack?
• Spoofing login/trusted path
• Phishing
• Identity theft
Wow that was a lot, lets review
• Read quick tips on pg 269
• Let's review the questions from the book.