CISSP Study Guide

This blog is dedicated to helping serious IT security practitioners pass the renowned CISSP exam. It is a must-read for those going for the exam who need total recall.

Tuesday, March 28, 2006

MALICIOUS CODE

Any program, procedure, or other sequence of instructions that makes unauthorized modifications or triggers unauthorized actions

  • Common Types of malicious code
    • Viruses
    • Worms
    • Trojan horses
    • Logic bombs

  • Largest vulnerability is introducing malicious code
    • Scan and evaluate all code coming in

APPLICATION ENVIRONMENTS

  • Local environment
    • Application (or application partition) runs largely on one platform
    • Most code runs on a local machine
    • Applications may connect to remote resources for additional information or functionality
      • Database
      • Remote validation
    • Platform can be volatile since user interface components tend to mature quickly

  • Distributed environment
    • Web application
    • Application server
    • Database

APPLICATIONS AND SYSTEMS DEVELOPMENT SECURITY

APPLICATION ISSUES


Software Development
  • Often viewed as an art
    • Not as formal as engineering

  • Developers are naturally feature-oriented
  • Large software projects offer high exposure to errors
  • Developers want software to work
  • Many developers and testers lack security training
  • Pressure to deliver often requires cutting corners

Thursday, March 09, 2006

ATTACKS AND MONITORING OF THREATS AND WORMS

  • Brute Force attacks
    • Attempts to gain access many times using different input
    • Password guessing and war dialing are examples

  • Dictionary attacks
    • More selective than a brute force
    • Submits identification credentials from a dictionary, or a list of commonly used user IDs

  • Denial of Service (DoS) attacks
    • Attacker saturates network, rendering access to the system impossible or unbearably slow

  • Spoofing attacks
    • Attacker presents a substitute login screen
    • Fake login screen stores the user ID and password, then displays a failed login message

  • Man-in-the-Middle attack
    • Uses a network sniffer or hardware/software that intercepts network packets, to grab traffic en route to another destination


  • Monitoring
    • Event log auditing
      • System events
      • Application events
      • User events
    • Keystroke monitoring
      • Normally only used by hackers or to investigate suspected inappropriate activity
    • HoneyPot
      • Entices a potential hacker to attack

  • Intrusion Detection
    • Intrusion detection systems (IDS) monitor a network or system
      • Network-based IDS - monitors a network segment
      • Host-based IDS - monitors a single system
    • Detection approaches (used by either kind of IDS)
      • Signature-based
        • Contains a database of recognized attacks
        • Activity is compared with the signature database
        • Sounds an alarm for suspicious activity
      • Behaviour-based
        • Detects usage anomalies
        • Sometimes called an expert system
        • Generally results in more false positives than signature-based IDS

  • Penetration Testing
    • Legal hacking
    • Set of attacks to judge how vulnerable your system really is
    • Exhaustive penetration tests can uncover vulnerabilities
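The two detection approaches side by side, run over a constructed event log that also contains the repeated login failures of a password-guessing attempt from the Brute Force section above. This is an added example, not code from the original post; the log lines, the signature names and the threshold are all made up for illustration.

```python
import re
from collections import Counter

# Constructed sample event log (not taken from the original post).
LOG_LINES = (
    [f"2006-03-09 10:00:0{i} sshd: Failed password for alice from 10.0.0.5"
     for i in range(1, 7)]                        # 6 failures: password guessing
    + [f"2006-03-09 10:05:0{i} sshd: Failed password for backup from 10.0.0.9"
       for i in range(1, 6)]                      # 5 failures: stale scheduled job
    + ["2006-03-09 10:06:00 sshd: Accepted password for bob from 10.0.0.7",
       "2006-03-09 10:07:00 httpd: GET /etc/passwd from 10.0.0.5 status 404"]
)

# Signature database: each recognized attack is a named pattern (constructed).
SIGNATURES = {
    "password-file-request": re.compile(r"GET\s+\S*/etc/passwd"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}
FAILED_LOGIN = re.compile(r"Failed password for \w+ from ([\d.]+)")


def signature_alerts(lines):
    """Signature-based IDS: every event is compared with the signature
    database; an alarm is raised only on a match, so the repeated login
    failures (no signature for them) pass silently."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


def behaviour_alerts(lines, threshold=5):
    """Behaviour-based IDS: no attack database, only a usage model (a source
    normally fails fewer than `threshold` logins) and an alarm on deviation.
    The stale job at 10.0.0.9 is flagged too: a false positive."""
    failures = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            failures[match.group(1)] += 1
    return {source: n for source, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print(signature_alerts(LOG_LINES))   # [('password-file-request', '... GET /etc/passwd ...')]
    print(behaviour_alerts(LOG_LINES))   # {'10.0.0.5': 6, '10.0.0.9': 5}
```

Raising the threshold reduces the false positive but also delays the alarm on the real guessing attempt, which is the tuning trade-off behind the "more false positives" bullet.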

SESAME

  • SECURE EUROPEAN SYSTEM FOR APPLICATIONS IN A MULTIVENDOR ENVIRONMENT (SESAME)
  • Uses public key crypto to distribute keys
  • Privilege Attribute Certificate passes authentication

KERBEROS

  • Started as MIT's Project Athena
  • Provides authentication and message protection
  • Uses symmetric key cryptography
  • Provides end-to-end security
  • Key Distribution Center (KDC)
    • Holds all cryptographic keys
  • Ticket
    • Generated by the KDC to authenticate a subject
  • Authentication service
    • Part of the KDC that authenticates subjects and objects
  • Kerberos Process
    • Subject submits a request to access an object via the KDC
    • KDC evaluates the request and sends the subject a ticket
    • Subject submits the ticket to the object
    • Object examines the ticket and grants the subject access
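The four-step process above as a runnable model, added here as an example and not taken from the original post or from any Kerberos implementation. It is deliberately simplified (no ticket-granting ticket, no authenticator, an HMAC tag instead of encryption); the principal names, keys and the 300-second lifetime are constructed. What it keeps is the essential property: the KDC holds every key, the ticket is bound to the object's key, and only the object can verify it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed principals. In Kerberos the KDC holds a symmetric key for every
# subject and object; here the object (a file server) also keeps its own copy.
KDC_KEYS = {
    "alice": secrets.token_bytes(32),        # subject's key
    "fileserver": secrets.token_bytes(32),   # object's (service's) key
}
TICKET_LIFETIME = 300  # seconds the ticket stays valid (assumed value)


def kdc_issue_ticket(subject, obj, now):
    """Steps 1-2: the subject asks the KDC for access to the object; the KDC
    evaluates the request and returns a ticket bound to the object's key, so
    the subject can carry it but cannot forge or alter it."""
    if subject not in KDC_KEYS or obj not in KDC_KEYS:
        raise KeyError("unknown principal")
    body = json.dumps({"subject": subject, "object": obj,
                       "expires": now + TICKET_LIFETIME}, sort_keys=True).encode()
    tag = hmac.new(KDC_KEYS[obj], body, hashlib.sha256).hexdigest()
    return body, tag


def object_check_ticket(obj, obj_key, ticket, now):
    """Steps 3-4: the subject submits the ticket; the object examines it with
    its own key and grants access only if it is genuine, meant for this
    object and not yet expired."""
    body, tag = ticket
    expected = hmac.new(obj_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged, altered, or issued under a different object's key
    claims = json.loads(body)
    return claims["object"] == obj and claims["expires"] > now


if __name__ == "__main__":
    t0 = 1_000_000.0
    ticket = kdc_issue_ticket("alice", "fileserver", now=t0)
    key = KDC_KEYS["fileserver"]
    print(object_check_ticket("fileserver", key, ticket, now=t0 + 10))    # True
    print(object_check_ticket("fileserver", key, ticket, now=t0 + 600))   # False: expired
    altered = (ticket[0].replace(b'"alice"', b'"bob"'), ticket[1])
    print(object_check_ticket("fileserver", key, altered, now=t0 + 10))   # False: tag mismatch
```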

SINGLE SIGN-ON

  • Authentication factors
  • Systems of authentication
  • SSO Systems
    • Kerberos
    • SESAME
    • KRYPTOKNIGHT
    • NETSP
    • Brand names: Encentuate, Protocom, etc.
  • Domain of control
  • Sign-on once
  • Users love it
  • No one looks twice

Wednesday, March 08, 2006

TYPE 3 AUTHENTICATION

  • What you are
  • Biometrics
    • Physical characteristics
    • Iris/retina scan
    • Fingerprint/handprint
    • Voice Pattern
    • Keystroke pattern
    • Signature
  • Issues with Type 3 Authentication
    • False Rejection rate
    • False Acceptance rate
    • Crossover Error rate (Always choose lower crossover error rate)

TYPE 2 AUTHENTICATION

  • What you have
  • Tokens
    • Synchronous / asynchronous
    • Synchronous device: time-based passwords
    • Asynchronous device: challenge-response
  • Tickets
  • One-time passwords
  • Smart Cards

IDENTIFICATION AND AUTHENTICATION

PHASES

Identification - What you know (passwords), What you have (tokens etc.) and What you are (biometrics)

Type I Authentication
  • Passwords
    • Character sequence

  • PINs
    • Numbers

  • Passphrases
    • Virtual passwords
  • Strong Passwords
    • Make it a policy
    • Password Length
    • Expiration date
    • Good passwords
    • Watch for mistakes
    • Keep passwords secret
  • Issues for Type I Authentication
    • Weak passwords are used (wife's name, pet's name, birthdate, etc.)
    • Reuse of passwords (passwords, although strong, are reused everywhere)
    • Writing down of passwords

Sunday, March 05, 2006

ACCESS CONTROL IMPLEMENTATION

Centralized Authentication
  • All access to objects controlled by a single entity
  • Ease of administration
  • Allows for strict access control
  • Can be slower with a large number of users
  • Single point of failure

RADIUS SERVER
REMOTE AUTHENTICATION DIAL-IN USER SERVICE (RADIUS)
  • Serves dial-up connections
  • Authenticates and authorizes users, normally through dial-up connections
  • Provides the authentication mechanism

TACACS
TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM (TACACS)
  • Authentication and authorization for direct access
  • TACACS+ implements 2-factor authentication
  • Single-factor authentication requires only 1 piece of input
  • 2-factor authentication requires 2 pieces of input

DECENTRALIZED
  • Remote authentication
  • Access administration is handled closer to the objects being controlled
  • More administration overhead
  • Security domain
    • Sphere of influence
    • Defines a group of objects a subject can access
    • Subjects can be constrained using domains

HYBRID MODEL
  • Combination of centralized and decentralized models
  • Used in systems where some data or resources must be more tightly secured than others
  • Centralized authentication for high-security resources
    • Sensitive files
    • Database
  • Decentralized authentication for other objects
    • Local files

ACCESS CONTROL TECHNIQUES

CONTROL TYPES

Controls apply to threat events
  • Preventative => avoid
  • Detective => identify
  • Deterrent => discourage
  • Corrective => fix
  • Recovery => restore


CONTROL CATEGORIES

  • Physical preventative control
    • Badges and access cards
  • Technical preventative control
    • Database views
    • Encryption
    • Antivirus software
  • Administrative detective control
    • Logs, events, etc.

SECURITY LABELS
  • Assign classification levels to objects
  • A subject must hold a clearance at or above the classification level of an object to access it
  • Security systems use labels in access tables or in runtime evaluation rules

DISCRETIONARY ACCESS CONTROLS
  • Identity-based access control
  • Owner specifies which subjects can access objects
  • Most common access control in commercial systems

MANDATORY ACCESS CONTROLS
  • Rule-based access control
  • Each resource and user has a specific label
  • Subject's security clearance is compared to object's security label

NONDISCRETIONARY ACCESS CONTROLS
  • Role-based access control
    • Access is granted based on the user's job description
    • Common in environments with frequent personnel changes
  • Lattice-based access control
    • Access is granted based on both the subject's role and the task


ACCESS CONTROL LISTS
  • Specific about which users can access which objects
  • Subjects may be users, roles or groups
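A worked version of the Security Labels and Mandatory Access Controls bullets above: a label is a classification level plus a set of compartments, and a subject may read an object only if its clearance dominates the object's label. This is an added example (not code from the original post); the level names, compartments, subjects and objects are constructed, and it goes slightly beyond the text by showing the lattice case where two SECRET labels with different compartments are incomparable.

```python
from dataclasses import dataclass

# Constructed classification hierarchy: higher number = higher sensitivity.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of compartments.
    Subjects carry one as a clearance, objects as a classification."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice ordering: at or above `other` in level AND holding every
        compartment `other` requires. Two labels may be incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(clearance, classification):
    """MAC rule for confidentiality ('no unauthorized reads'): the subject's
    clearance must dominate the object's classification."""
    return clearance.dominates(classification)


# Constructed subjects (clearances) and objects (classifications).
SUBJECTS = {
    "clerk": Label("CONFIDENTIAL"),
    "analyst": Label("SECRET", frozenset({"CRYPTO"})),
    "director": Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
}
OBJECTS = {
    "payroll": Label("CONFIDENTIAL"),
    "keyplan": Label("SECRET", frozenset({"CRYPTO"})),
    "reactor": Label("SECRET", frozenset({"NUCLEAR"})),
}


def readable_objects(subject_name):
    """Runtime evaluation of the labels: which objects may this subject read?"""
    clearance = SUBJECTS[subject_name]
    return sorted(name for name, label in OBJECTS.items()
                  if may_read(clearance, label))


if __name__ == "__main__":
    for name in SUBJECTS:
        print(name, readable_objects(name))
```

Note that the analyst holds SECRET clearance yet cannot read the SECRET reactor file: the level matches but the NUCLEAR compartment is missing, which is exactly what a lattice adds over a plain level comparison.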

Wednesday, March 01, 2006

CISSP - ACCESS CONTROL SYSTEMS & METHODOLOGY

ACCESS CONTROL

Protects data from unauthorized access
Confidentiality - no unauthorized reads
Integrity - no unauthorized writes

Subject

  • An entity that requests access to data (active)

Object

  • An entity that contains or controls data (passive)


Least Privilege

Grant subjects enough access to perform required tasks
Goal is to minimise accidental authorization


Accountability

Log subjects' access to everything
Ensure subjects adhere to the security policy
Prevent unauthorized behaviour

Access Controls
Controls (safeguards to protect objects from threats)
3 types of object controls:
  • Physical access controls
  • Logical access controls
  • Administrative access controls

Physical access controls

Controls that limit physical access to objects
Examples:
  • Perimeter security
  • Fences
  • Walls
  • Limited-access doors / rooms
  • Locked doors

Cable security
  • Shielding from interference and emanations
  • Cabling media choice (fiber optic)
  • Conduit or other physical protection

Segregation of duties
  • Minimizes "shoulder surfing"
  • Keeps a single person from completing a sensitive process

Administrative access controls
  • Policies & procedures
  • Security awareness training
  • Hiring practices
  • Monitoring

Logical access controls (technical controls)
  • Object access restrictions
    • Only allow access by authorized users
  • Encryption
    • Only allows authorized users to read data
  • Network architecture / segregation
    • Use architecture to keep network segments separate




CISSP EXAM PREREQUISITES

PREREQUISITES FOR THE CISSP EXAM

  • Must have 4 years of working experience in the IT security field
  • Or 3 years of IT security working experience plus a college degree
  • The exam fee is 500 USD
  • Passing score is 700 marks and above

CISSP EXAM OBJECTIVES

The exam consists of 250 questions, with up to 6 hours to answer all of them

The exam covers 10 domains of IT SECURITY namely:

  • Access Control Systems & Methodology
  • Applications & Systems Development
  • Business Continuity Planning
  • Cryptography
  • Law, Investigation & Ethics
  • Operations Security
  • Physical Security
  • Security Architecture & Models
  • Security Management Practices
  • Telecommunications, Network & Internet Security