Access Control, Authentication and Public Key Infrastructure
Lesson 2
Assessing Risk and Its Impact on Access Control
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
09/23/10
Learning Objective
Mitigate risk to an IT infrastructure’s confidentiality, integrity, and availability with sound access controls.
Key Concepts
Risks, threats, and vulnerabilities of IT infrastructure
Unauthorized access to IT infrastructure
Security in the seven domains of a typical IT infrastructure
Confidentiality, integrity, and availability throughout the seven domains with proper access controls
Layered, physical, and logical access control security strategy
DISCOVER: CONCEPTS
The Seven Domains of a Typical IT Infrastructure
Access Control Model
[Diagram: Access Control Model. Nodes: Threat, Exploit, Vulnerability, Impact, Network. Control types: Deterrent Controls, Preventative Controls, Detective Control, Corrective Control. Edge labels: Attacks, Results in, May trigger.]
Deterrent Controls: reduce the likelihood of attacks
Preventative Controls: protect the network
Corrective Controls: minimize the effects of attacks
Detective Controls: monitor the network
(c) ITT Educational Services, Inc.
Controls for Vulnerabilities
Technology-based controls
People-based controls
Technology-Based Controls
Authentication and Access
Biometrics, passwords, and tokens
Computer Level
Antivirus protection
Technology-Based Controls (Continued)
Network Technology
Intrusion detection systems (IDSs)
Encryption
Digital certificates
A Firewall Controls Network Traffic
A VLAN Is a Primary Point of Access Control
A VPN Using IP Tunneling
People-Based Controls
Contingency planning
Log file analysis
Background checks
User safety and response training
Backups
DISCOVER: PROCESS
Risk Management Cycle
Risk = Probability × Impact Matrix
Controls—Cost Vs. Benefit
[Diagram: Potential Loss Due to Vulnerabilities vs. Cost of Controls; labels: Controls, Vulnerabilities.]
Controls—Cost Vs. Benefit (Continued)
[Diagram: Potential Loss Due to Vulnerabilities vs. Cost of Controls; labels: Controls, Vulnerabilities.]
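The two slides above (Risk = Probability × Impact and Controls—Cost Vs. Benefit) worked as code. This is an added example, not material from the slides: the rating thresholds, the sample vulnerabilities and their probability, impact, loss and cost figures are all constructed for illustration.

```python
LEVELS = {"low": 1, "medium": 2, "high": 3}

def risk_score(probability: str, impact: str) -> int:
    """Risk = Probability x Impact, each rated 1..3, giving a matrix cell of 1..9."""
    return LEVELS[probability] * LEVELS[impact]

def risk_rating(score: int) -> str:
    """Map a matrix cell to a priority band (thresholds are assumed, not from the slides)."""
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"

def rank_risks(risks: dict) -> list:
    """Return (name, score, rating) tuples ordered from highest to lowest risk."""
    scored = [(name, risk_score(p, i), risk_rating(risk_score(p, i)))
              for name, (p, i) in risks.items()]
    return sorted(scored, key=lambda r: r[1], reverse=True)

def control_is_justified(potential_loss: float, reduction: float, cost: float) -> bool:
    """Cost vs. benefit: a control is worth buying only if the loss it prevents
    (potential loss times the fraction the control removes) exceeds its cost."""
    return potential_loss * reduction > cost

# Constructed sample: one vulnerability per domain with assumed probability/impact.
SAMPLE_RISKS = {
    "unpatched web server (LAN-to-WAN Domain)": ("high", "high"),
    "weak workstation passwords (Workstation Domain)": ("medium", "high"),
    "no background checks for contractors (User Domain)": ("low", "medium"),
}
```

Ranking the sample puts the unpatched server first; whether the patching control is then justified depends on the constructed loss and cost figures passed to control_is_justified.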
DISCOVER: CONTEXTS
Top 10 OWASP Vulnerabilities 2010
Injection
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object Reference
Cross-Site Request Forgery (XSRF)
Top 10 OWASP Vulnerabilities 2010 (Continued)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict Uniform Resource Locator (URL) Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
OWASP Top Ten–2010
Top 10 OWASP Vulnerabilities 2013
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object Reference
Security Misconfiguration
Top 10 OWASP Vulnerabilities 2013 (Continued)
Sensitive Data Exposure
Missing Function-Level Access Control
Cross-Site Request Forgery (XSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
OWASP Top Ten–2013
DISCOVER: RATIONALE
Implications of 2013 Top 10 Risks
Risk: Injection
Example: The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
Risk: Broken Authentication and Session Management
Example: Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
Risk: Cross-Site Scripting (XSS)
Example: Attackers execute scripts in the victim’s browser to hijack sessions, deface Web sites, and introduce malware.
Defense:
Risk: Injection
Use an automated tool for real-time attack detection.
Use positive input validation.
Allow no OS commands via the Web.
Risk: Cross-Site Scripting
Use an automated tool for real-time attack detection.
Use positive input validation.
Use the HttpOnly cookie attribute.
Risk: Broken Authentication and Session Management
Use an automated tool for real-time attack detection.
Monitor sessions for hijacking.
Use tested frameworks for development and deployment.
Implications of 2013 Top 10 Risks (Continued)
Risk: Insecure Direct Object Reference
Example: The attacker can manipulate the reference to access other objects without authorization.
Risk: Security Misconfiguration
Example: The attackers become familiar with internal workings of applications or violate privacy.
Risk: Sensitive Data Exposure
Example: An attacker alters or steals confidential data, such as credit card numbers and login credentials.
Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack detection.
Monitor parameter manipulation (hidden and static parameters).
Establish a baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack detection.
Alert on and respond to parameter manipulation.
Use known attack signatures.
Establish a baseline and monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack detection.
Inspect outbound responses.
Investigate application failures.
Implications of 2013 Top 10 Risks (Continued)
Risk: Missing Function-Level Access Control
Example: Failure to verify function-level access rights on the server allows attackers to forge requests and gain unauthorized access to applications.
Risk: Cross-Site Request Forgery (XSRF)
Example: The victim’s browser sends a pre-authenticated request to the vulnerable application.
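Server-side checks for three of the risks described above (Insecure Direct Object Reference, Missing Function-Level Access Control, and Cross-Site Request Forgery), in one hypothetical request handler. This is an added example, not code from the slides: the Session and Request classes, the invoice store, the user roles and the X-CSRF-Token header name are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample roles (hypothetical users); invoices are passed in per request.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class Forbidden(Exception): pass

@dataclass
class Session:
    user: str
    # Per-session secret the legitimate page embeds in its forms; a forged
    # cross-site request cannot read it, so it cannot supply it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    session: Session
    params: dict
    headers: dict = field(default_factory=dict)

def require_csrf(req: Request) -> None:
    """CSRF defence for state-changing requests: the token must match the session's."""
    supplied = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        raise Forbidden("missing or invalid CSRF token")

def require_role(req: Request, role: str) -> None:
    """Function-level access control: the role is checked on the server, per function."""
    if ROLES.get(req.session.user) != role:
        raise Forbidden("function not permitted for this role")

def delete_invoice(req: Request, invoices: dict) -> str:
    """Deletes the invoice named by the 'id' parameter, guarded against IDOR and CSRF."""
    require_csrf(req)
    invoice_id = int(req.params["id"])
    # IDOR defence: a well-formed reference is honoured only if the caller owns it.
    if invoices.get(invoice_id) != req.session.user:
        raise Forbidden("invoice does not belong to caller")
    del invoices[invoice_id]
    return f"invoice {invoice_id} deleted"

def export_all_users(req: Request) -> list:
    """Admin-only function: hiding the menu entry is not enough, so check the role here."""
    require_role(req, "admin")
    return sorted(ROLES)

def outcome(fn, *args):
    # Run a guarded function and report either its result or why it was refused.
    try:
        return fn(*args)
    except Forbidden as exc:
        return f"forbidden: {exc}"
```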
Implications of 2013 Top 10 Risks (Continued)
Risk: Using Components with Known Vulnerabilities
Example: Attackers exploit vulnerable components, like libraries and frameworks, to take control of servers and alter or steal data.
Risk: Unvalidated Redirects and Forwards
Example: Attackers may use forwards or redirects that lack proper validation to reach unreliable Web sites or applications and to direct users to malware or phishing sites.
Summary
Risks, threats, and vulnerabilities of IT infrastructure
Unauthorized access to IT infrastructure
Security in the seven domains of a typical IT infrastructure
Confidentiality, integrity, and availability throughout the seven domains with proper access controls
Layered, physical, and logical access control security strategy
Virtual Lab
Managing Windows Accounts and Organizational Units
If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:
"In this lesson, you learned about the risk of unauthorized access to the IT infrastructure and how to ensure confidentiality, integrity, and availability throughout the seven domains with proper access controls. You also learned about the purpose of access control models, which help to prevent or mitigate risks.
In the lab for this lesson, you will use the Microsoft Active Directory Users and Computers utility to create and manage Active Directory user accounts. You will delete existing user accounts, and then create organizational units and add users to them. Understanding how to manage Active Directory helps you more efficiently manage access controls in a Windows environment."
3/30/2015
OPTIONAL SLIDES
Network Diagram