discussion-7

Colin Horn
Week7Slides2.pptx

Access Control, Authentication, and Public Key Infrastructure

Lesson 7

Public Key Infrastructure and Encryption

Testing Access Control Systems

Access Control Security Models

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Access Control, Authentication, and PKI


Public Key Infrastructure (PKI)

A framework that:

Consists of programs, procedures, and security policies

Employs public key cryptography and the X.509 standard (digital certificates) for secure communications

Is a hybrid system of symmetric and asymmetric key algorithms


Components of PKI


In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.

A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.


Certificate authority

Registration authority

Certificate server

Certificate repository

Certificate validation

Key Recovery Service

Time server

Signing server

Encryption Process

Encryption is the process of applying an algorithm to cleartext (or plaintext) data, resulting in ciphertext


3/5/17


Encryption and Cryptography Terms

Cryptosystem

A hardware or software system that provides encryption and decryption

Is made up of the encryption algorithm, the keys, and the software and protocols

The secret piece of the cryptosystem is the key

The keyspace is the range of possible values from which a key can be constructed


Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation


Confidentiality: Ensures that only the intended recipient can read a message

Integrity: Ensures that the message recipient can be certain that the message received is the message that was sent

Authentication: Allows someone to prove his or her identity to another

Nonrepudiation: Ensures that a third party can verify that a message came from the purported sender

Symmetric Key Encryption Process


Shared Key Encryption (diagram)

System 1 applies the shared key to the data to produce encrypted data

The encrypted data is sent to System 2

System 2 applies the same shared key to decrypt the encrypted data, recovering the original data

Asymmetric Key Encryption Process, Public Key


Asymmetric Encryption Process Model (diagram)

Joan’s public key is published on the Internet (with a certificate provider) and is available to all Internet users

The sender requests Joan’s public key to encrypt a message to send over the Internet

The sender composes the message, encrypts it with Joan’s public key, and sends it

Joan receives the message and decrypts it with her computer’s private key

Joan’s private key is available only to her


Business Requirements for Cryptography

Ensuring software and data integrity

Ensuring secure collaboration between entities inside and outside an organization

Ensuring secure cloud computing

Providing secure transactions with consumers


Digital Certificates

Are used by individuals and servers to provide unknown third parties with a known secure copy of their public encryption key

Certificate authority (CA) issues digital certificates after verifying the identity of the end user

Registration authority (RA) verifies the identity of an individual, initiates the certification process with a CA on behalf of the user, and performs certificate life-cycle management


Digital Signature Process


Digital Signature Verification


Components of Key Management


Key Management

Key generation

Key distribution

Key storage

Key usage

Key recovery

Key termination

Key archival

Key Management Considerations

Keys should be long enough to provide the necessary level of protection

Keys should be random and algorithm should use the full keyspace

Key’s lifetime should correspond with the sensitivity of the data

The more a key is used, the shorter its lifetime should be


Symmetric Versus Asymmetric Algorithms


What PKI Is and What It Is Not

Is a strong authentication mechanism

Provides integrity, confidentiality, authentication, and nonrepudiation in a single framework

Is not an answer to all security questions or concerns

Does not provide authorization

Does not ensure that the end user can be trusted


Potential Risks Associated with PKI

If PKI key management is mishandled, entire PKI system could fail

Managing a secure environment with multiple keys and multiple entities can be overwhelming

Properly maintaining a PKI comes with a financial burden


Implementations of Business Cryptography

Encrypting hard drives as a preventive measure in case a laptop or other mobile device is stolen

Encrypting removable devices such as universal serial bus (USB) drives

Encrypting instant messaging communication

Encrypting file transfers within and outside of the network

Encrypting highly sensitive data

Encrypting information on mobile devices


Security Auditing


Define the physical scope of audit

Document audit results

Specify and implement new/updated controls

Perform security risk assessment

Develop the audit plan

Define the process scope of the audit

Conduct historical due diligence

Penetration Testing

Preferably called security assessment

Process of actively evaluating your information security measures


Purpose of Testing Access Control Systems

Testing ensures that weaknesses are found and can be dealt with before they are exploited

Tests should incorporate testing methodologies at different stages of development:

Software design

Hardware development

Penetration testing

Penetration testing: The act of simulating an attack on an organization’s resources


What Needs to Be Tested?

Off-the-shelf products: operating systems, applications, databases, networking equipment etc.

Bespoke development products: dynamic Web sites, in-house applications etc.

Telephony products: war-dialing, remote access etc.

Wireless products: Wireless fidelity (Wi-Fi), Bluetooth etc.

Personnel: screening process, social engineering etc.

Physical: access controls, dumpster diving etc.


Every part of the way your organization captures, stores, and processes information can be assessed: the systems the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it.


Security Monitoring, Incident Handling, and Testing

Monitoring and incident handling are the day-to-day activities

Testing and upgrading systems usually occur annually


Security Monitoring, Incident Handling, and Testing (Cont.)

Testing functionality of original design

Before purchase of new system, perform risk assessment on old system

Determine existing major weaknesses

Development of test plan and scope

Impact/vulnerabilities

Breach planning

Gap analysis

Intrusive versus nonintrusive testing


Vulnerability Scanners

Attempt to identify vulnerabilities in the scanned hosts

Help identify out-of-date software versions, applicable patches, or system upgrades

Validate compliance with, or deviations from, the organization's security policy


Vulnerability scanners take the concept of a port scanner to the next level. Like a port scanner, a vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities (as opposed to relying on human interpretation of the results). Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities.

Vulnerability scanners provide system and network administrators with proactive tools that can be used to identify vulnerabilities before an adversary can find them. A vulnerability scanner is a relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities.


Common Vulnerability Scanners


Network-based scanners are used primarily for mapping an organization's network and identifying open ports and related vulnerabilities. In most cases, these scanners are not limited by the operating system of targeted systems. The scanners can be installed on a single system on the network and can quickly locate and test numerous hosts.

Host-based scanners have to be installed on each host to be tested and are used primarily to identify specific host operating system and application misconfigurations and vulnerabilities. As host-based scanners are able to detect vulnerabilities at a higher degree of detail than network-based scanners, they usually require not only host (local) access but also a “root” or administrative account.


Network-based scanners

Host-based scanners

Benefits of Vulnerability Scanning

Identifies:

Active hosts on network

Active and vulnerable services (ports) on hosts

Applications and banner grabbing

Operating systems

Vulnerabilities associated with discovered operating systems and applications


Benefits of Vulnerability Scanning (Continued)

Misconfigured settings

Testing compliance with host application usage or security policies

Establishing a foundation for penetration testing


Penetration Testing and Teams

Penetration testing:

Is the most accurate way to assess an infrastructure’s true vulnerability

Simulates actual attack

Is an intrusive testing method

Is risky for the attacking team

Pen test team members should carry authorization memo from upper management


Rules of Engagement

Specific Internet Protocol (IP) addresses or ranges to be tested

Any restricted hosts, systems, and subnets not to be tested

A list of acceptable testing techniques, such as social engineering and denial of service (DoS), and tools, such as password crackers and network sniffers


Formal permissions are often called the rules of engagement.


Rules of Engagement (Continued)

Times when testing is to be conducted (for example, during business hours, after business hours)

Identification of a finite period for testing

IP addresses of the machines from which penetration testing will be conducted


IP addresses help administrators to differentiate the legitimate penetration testing attacks from actual malicious attacks.


Penetration Testing Teams

Red Team

The attacker

Blue Team

The defending team

Attacker and defender know test is taking place

Tiger Team

External testers who operate in a double-blind penetration test


Performing the Penetration Test: Methodology

The methodology may be technological, or may focus on uncovering weaknesses to social engineering


Planning and preparation

Information gathering

Vulnerability detection

Penetration attempt

Analysis and reporting

Clean-up

Preparing the Final Test Report

Identify gaps and risk exposures and assess impact

Develop remediation plans for closing identified security gaps prioritized by risk exposure

Prepare cost magnitude estimate

Prioritize security solutions based on risk exposure


Access Control Security Models: Confidentiality Models

Bell-LaPadula

A hybrid state machine/lattice model used in most government and military applications


Confidentiality Models Continued

Brewer-Nash Model

Designed to mitigate conflicts of interest (COI)

Chinese Wall

Read/write access to files is governed by membership of data in conflict-of-interest classes and datasets
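The Brewer-Nash rule described above, as an added example that is not part of the slides: a small Chinese Wall monitor in which datasets belong to conflict-of-interest classes and a subject's own access history decides what it may still touch. The dataset names and classes are constructed, and sanitised information is ignored for brevity.

```python
# Added example: Brewer-Nash (Chinese Wall) read and write rules.
# Constructed sample: two conflict-of-interest classes of company datasets.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil":   {"OilX", "OilY"},
}

def coi_class_of(dataset):
    for name, members in COI_CLASSES.items():
        if dataset in members:
            return name
    raise KeyError(f"unknown dataset {dataset!r}")

class ChineseWall:
    def __init__(self):
        self.history = {}   # subject -> set of datasets it has already accessed

    def can_read(self, subject, dataset):
        """Simple security rule: read allowed if the subject already used this
        dataset, or has used no dataset in the same conflict-of-interest class."""
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True
        cls = coi_class_of(dataset)
        return not any(coi_class_of(d) == cls for d in seen)

    def read(self, subject, dataset):
        """Perform the read; the wall 'closes' around the subject's choice."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, dataset):
        """*-property (simplified): write allowed only if read is allowed and the
        subject has read nothing outside this dataset, so nothing it learned
        elsewhere can leak across the wall through the written object."""
        seen = self.history.get(subject, set())
        return self.can_read(subject, dataset) and seen <= {dataset}

def demo():
    """An analyst reads BankA, then OilX (other class, fine), then is denied
    BankB; having read OilX, the analyst may no longer write into BankA."""
    wall = ChineseWall()
    return (wall.read("analyst", "BankA"),
            wall.read("analyst", "OilX"),
            wall.read("analyst", "BankB"),
            wall.can_write("analyst", "BankA"))
```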


Integrity Models

Biba Model: roughly the inverse of the Bell-LaPadula Model

Addresses the goal of integrity to prevent unauthorized subjects from making modifications to objects

No read down, no write up

Example: a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest. Conversely, a monk may read a book written by the high priest, but may not read a pamphlet written by a lowly commoner.
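The Bell-LaPadula and Biba rules from the two model slides above, as an added example that is not part of the slides: both models over one ordered set of levels, with the monk/commoner/high priest cases decided under Biba. The level ordering is constructed for illustration.

```python
# Added example: Bell-LaPadula (confidentiality) beside Biba (integrity).
# Constructed lattice: higher number = higher level.
LEVELS = {"commoner": 0, "monk": 1, "high_priest": 2}

def blp_allows(subject, obj, op):
    """Bell-LaPadula: no read up, no write down."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o        # simple security property
    if op == "write":
        return s <= o        # *-property: writing up is allowed, down is not
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject, obj, op):
    """Biba: no read down, no write up (the inverse of Bell-LaPadula)."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o        # simple integrity axiom
    if op == "write":
        return s >= o        # integrity *-axiom
    raise ValueError(f"unknown operation {op!r}")

def monk_example():
    """The four cases from the slide, decided under Biba."""
    return {
        "monk writes prayer book for commoners": biba_allows("monk", "commoner", "write"),
        "monk writes prayer book for high priest": biba_allows("monk", "high_priest", "write"),
        "monk reads the high priest's book": biba_allows("monk", "high_priest", "read"),
        "monk reads a commoner's pamphlet": biba_allows("monk", "commoner", "read"),
    }

def decision_table(model):
    """Every (subject, object, op) decision for one model, for side-by-side study."""
    return {(s, o, op): model(s, o, op)
            for s in LEVELS for o in LEVELS for op in ("read", "write")}
```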


Integrity Models Continued

Clark-Wilson Model

A subject must go through a middleman, called a program, to reach the object

Subject → Program → Object

The program enforces

Separation of duties

Well-formed transactions (TLC)

T: No Tampering

L: Proper Logging

C: Consistency


Models that cover all of CIA

Graham-Denning Model

Matrix-based model that shows how subjects and objects should be securely created and deleted

The model has eight basic protection rules (actions) that outline:

How to securely create an object.

How to securely create a subject.

How to securely delete an object.

How to securely delete a subject.

How to securely provide the read access right.

How to securely provide the grant access right.

How to securely provide the delete access right.

How to securely provide the transfer access right.

Coined the term “monitor” to describe the mechanism that enforces access from subjects to objects

Subjects → Monitor → Objects


Models that cover all of CIA continued

Harrison-Ruzzo-Ullman Model

Primarily deals with the integrity of access rights in the system

Extended the Graham-Denning Model

Finalized the access control matrix

The access matrix contains one row for each subject and one column for each object

The intersection of the row and column is the rights that a subject has over a specific object

Safe to think of an access control matrix as an ACL

Subject → Access Control Matrix → Object
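The access control matrix of the Harrison-Ruzzo-Ullman slide with the eight Graham-Denning rules from the previous slide, as an added example that is not part of the slides: each cell is a set of rights, subjects are also objects so that "owner" and "control" rights over a subject can be held, and a right ending in "*" is the transferable copy of that right (a convention of this example, not of the models).

```python
# Added example: access control matrix with Graham-Denning's eight rules.
# Cells map (subject, object) to a set of rights; "owner" and "control"
# are ordinary rights that gate the other operations.
class AccessMatrix:
    def __init__(self):
        self.cells = {}            # (subject, object) -> set of rights

    def has(self, s, o, right):
        return right in self.cells.get((s, o), set())

    def _add(self, s, o, right):
        self.cells.setdefault((s, o), set()).add(right)

    # Rules 1-2: create. The creator owns what it creates and controls new subjects.
    def create_object(self, s, o):
        self._add(s, o, "owner")

    def create_subject(self, s, p):
        self._add(s, p, "owner")
        self._add(s, p, "control")

    # Rules 3-4: delete. Only an owner may delete; every cell naming it is dropped.
    def delete_object(self, s, o):
        if not self.has(s, o, "owner"):
            return False
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}
        return True

    def delete_subject(self, s, p):
        if not self.has(s, p, "owner"):
            return False
        self.cells = {k: v for k, v in self.cells.items() if p not in k}
        return True

    # Rule 5: read the rights p holds over o; needs control of p or ownership of o.
    def read_rights(self, s, p, o):
        if self.has(s, p, "control") or self.has(s, o, "owner"):
            return set(self.cells.get((p, o), set()))
        return None

    # Rule 6: grant a right over o to p; only o's owner may do so.
    def grant(self, s, p, o, right):
        if not self.has(s, o, "owner"):
            return False
        self._add(p, o, right)
        return True

    # Rule 7: delete a right p holds over o; needs control of p or ownership of o.
    def delete_right(self, s, p, o, right):
        if not (self.has(s, p, "control") or self.has(s, o, "owner")):
            return False
        self.cells.get((p, o), set()).discard(right)
        return True

    # Rule 8: transfer a right to p; s must itself hold the transferable form.
    def transfer(self, s, p, o, right):
        if not self.has(s, o, right + "*"):
            return False
        self._add(p, o, right)
        return True
```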


Week 7 Assignments

Read Chapters 13 and 14

Review/Research Access Control Models

Complete Labs and Quizzes

Study for and complete Final Exam


If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:

"In this lesson, you learned that testing is a crucial activity for any IT department because it provides assurance that access controls and other security systems are working as designed.

In the lab for this lesson, you will use the encryption utility GnuPG (GPG) to test the security of the message transmission. To do that, you will create a digitally signed message for another user. Then, you will retrieve that message (as the other user) and use GPG to verify the digital signature."
