Information Security Policy – Access Controls, Authorization, and Authentication
Chapter 4 Identity and Access Management
THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
· 2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization.
· Protocol analyzer
· Network scanners: Rogue system detection;
· Network mapping
· Wireless scanners/cracker
· Password cracker
· Vulnerability scanner
· Configuration compliance scanner
· Exploitation frameworks
· Data sanitization tools
· Steganography tools
· Honeypot
· Backup utilities
· Banner grabbing
· Passive vs. active
· Command line tools: ping; netstat; tracert; nslookup/dig; arp; ipconfig/ip/ifconfig; tcpdump; nmap; netcat
· 2.3 Given a scenario, troubleshoot common security issues.
· Unencrypted credentials/clear text
· Logs and events anomalies
· Permission issues
· Access violations
· Certificate issues
· Data exfiltration
· Misconfigured devices: Firewall; Content filter; Access points
· Weak security configurations
· Personnel issues: Policy violation; Insider threat; Social engineering; Social media; Personal email
· Unauthorized software
· Baseline deviation
· License compliance violation (availability/integrity)
· Asset management
· Authentication issues
· 2.4 Given a scenario, analyze and interpret output from security technologies.
· HIDS/HIPS
· Antivirus
· File integrity check
· Host-based firewall
· Application whitelisting
· Removable media control
· Advanced malware tools
· Patch management tools
· UTM
· DLP
· Data execution prevention
· Web application firewall
· 4.1 Compare and contrast identity and access management concepts.
· Identification, authentication, authorization and accounting (AAA)
· Multifactor authentication: Something you are; Something you have; Something you know; Somewhere you are; Something you do
· Federation
· Single sign-on
· Transitive trust
· 4.2 Given a scenario, install and configure identity and access services.
· LDAP
· Kerberos
· TACACS+
· CHAP
· PAP
· MSCHAP
· RADIUS
· SAML
· OpenID Connect
· OAUTH
· Shibboleth
· Secure token
· NTLM
· 4.3 Given a scenario, implement identity and access management controls.
· Access control models: MAC; DAC; ABAC; Role-based access control; Rule-based access control
· Physical access control: Proximity cards; Smart cards
· Biometric factors: Fingerprint scanner; Retinal scanner; Iris scanner; Voice recognition; Facial recognition; False acceptance rate; False rejection rate; Crossover error rate
· Tokens: Hardware; Software; HOTP/TOTP
· Certificate-based authentication: PIV/CAC/smart card; IEEE 802.1x
· File system security
· Database security
This chapter covers a critical topic in security: controlling who can access your system, what resources they can access, and how to ensure that individuals are who they claim to be. At the most basic level, you can consider authentication and access control to be the two foundations of security. If you don’t do a good job on these tasks, it is unlikely that the rest of your security strategy will be effective.
This chapter starts by looking at the basics of access control and then explores remote access and authentication services. It concludes by examining access control implementation and best practices.
Security+ Terminology
Challenge Handshake Authentication Protocol (CHAP) An authentication protocol that periodically reauthenticates.
crossover error rate (CER) The point at which the FRR and FAR are equal. Sometimes called the equal error rate (EER).
data execution prevention (DEP) Any technique that prevents a program from running without the user’s approval.
data loss prevention (DLP) Software or techniques designed to detect attempts to exfiltrate data.
false acceptance rate (FAR) The rate at which a biometric solution allows in individuals it should have rejected.
false rejection rate (FRR) The rate at which a biometric solution rejects individuals it should have allowed.
federation A collection of computer networks that agree on standards of operation, such as security standards.
HIDS A host-based intrusion detection system. An HIPS is a host-based intrusion prevention system.
Kerberos An authentication protocol developed at MIT that uses tickets for authentication.
least privileges The principle that any user or service will be given only enough access privileges to do its job and no more.
NIDS A network-based intrusion detection system. An NIPS is an intrusion prevention system. Unlike an HIDS/HIPS, an NIDS/NIPS scans an entire network segment.
network scanner A tool that enumerates your network and provides a map of the network.
OAUTH Open Authorization standard. It is a common method for authorizing websites or applications to access information.
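The FAR, FRR, and CER definitions above are easiest to understand by computing them. The following is an added example (not code from the book or from any biometric product): it sweeps an acceptance threshold over constructed match scores from a hypothetical matcher and reports, for a given threshold, the FAR and FRR, and the threshold at which they cross. The score data and the 0–100 score scale are assumptions made for this example.

```python
"""Added example (not from the book): computing FAR, FRR and the crossover
error rate (CER) of a biometric matcher by sweeping its accept threshold.
Scores are constructed sample data, not measurements from a real device."""
from typing import List, Tuple

# Constructed sample data: similarity scores (0-100) from a hypothetical matcher.
# Genuine attempts are the enrolled user; impostor attempts are other people.
GENUINE_SCORES = [88, 91, 75, 83, 95, 70, 89, 92, 80, 86]
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 66, 73, 52, 58, 60]


def far_frr(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """A score >= threshold is accepted.
    FAR = fraction of impostor attempts accepted (they should have been rejected).
    FRR = fraction of genuine attempts rejected (they should have been accepted)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep every threshold on the 0-100 scale and return (threshold, CER),
    where CER is the error rate at the threshold with the smallest |FAR - FRR|.
    Lower thresholds raise FAR (more impostors let in); higher ones raise FRR."""
    best = None  # (threshold, cer, gap)
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[2]:
            best = (t, round((far + frr) / 2, 4), gap)
    return best[0], best[1]


if __name__ == "__main__":
    for t in (50, 72, 80):
        print(t, far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES))
    print("CER at threshold", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores the curves cross at a threshold of 72, where both FAR and FRR are 10%; a deployment that tolerates more false rejections than false acceptances would pick a higher threshold than the CER point.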
Using Tools to Assess Your Network
A variety of tools are available that you can use to assess a network’s security. Such tools are a valuable part of any security professional’s work.
Protocol Analyzer
Protocol analyzers, also called packet sniffers, are some of the most common tools used by network administrators. Essentially, these tools look at the current traffic on a network and allow you to view that traffic and capture a copy of the traffic for later analysis. In this section, we will take a brief look at two of the most common tools.
Monitoring the traffic on your network is an essential step in security. Odd traffic could indicate a denial-of-service attack, someone exfiltrating data, or any number of security concerns. Protocol analyzers and packet sniffers are fundamental tools in network security, incident response, and network forensics.
tcpdump
tcpdump is a common packet sniffer for Linux. It works from the shell, and it is relatively easy to use. To start it, you just tell it what interface to listen to, like this:
tcpdump -i eth0
This causes tcpdump to capture the network traffic for the network card, eth0. You can also alter tcpdump’s behavior with a variety of command flags such as the following:
tcpdump -c 100 -i eth0
This tells tcpdump to capture only the first 100 packets on interface eth0 and then stop.
tcpdump -D
This command will display all the interfaces on your computer so you can select which one to use. You can see all three of these options in Figure 4.1 .
FIGURE 4.1 tcpdump
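Capturing traffic is only half the job; the other half is reading it for the "odd traffic" mentioned above. The following is an added example (not code from the book or from tcpdump): a small Python detector that parses tcpdump's text output and flags any source that sends pure SYNs to many distinct ports on one host, which is what a port scan looks like on the wire. It assumes tcpdump was run with -n (numeric addresses) and the default one-line-per-packet layout; the capture lines are constructed for this example.

```python
"""Added example (not from the book): detecting port-scan behaviour in
tcpdump text output. Sample lines below are constructed, in the layout
tcpdump -n prints for TCP packets."""
import re
from collections import defaultdict

# Constructed sample of: tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0'
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000300 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 3, win 64240, length 0
12:00:01.000400 IP 10.0.0.5.40004 > 10.0.0.9.3389: Flags [S], seq 4, win 64240, length 0
12:00:01.000500 IP 10.0.0.5.40005 > 10.0.0.9.445: Flags [S], seq 5, win 64240, length 0
12:00:02.000100 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 9, win 64240, length 0
12:00:02.000200 IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], seq 10, ack 10, win 65535, length 0
12:00:02.000300 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [.], ack 11, win 64240, length 0
"""

# Timestamp, "IP", src.port > dst.port:, and the TCP flags in brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield one dict per TCP line; lines that do not match (ARP, truncated) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def find_port_scanners(text, min_ports=5):
    """Return {src: {dst: [ports]}} for sources whose SYN-only packets ('S',
    not the 'S.' SYN/ACK reply) reach at least min_ports distinct ports on one host."""
    syn_ports = defaultdict(lambda: defaultdict(set))
    for pkt in parse_capture(text):
        if pkt["flags"] == "S":
            syn_ports[pkt["src"]][pkt["dst"]].add(pkt["dport"])
    return {
        src: {dst: sorted(ports) for dst, ports in dsts.items() if len(ports) >= min_ports}
        for src, dsts in syn_ports.items()
        if any(len(ports) >= min_ports for ports in dsts.values())
    }


if __name__ == "__main__":
    print(find_port_scanners(SAMPLE_CAPTURE))
```

In the constructed capture, 10.0.0.5 probes five ports on 10.0.0.9 within a second and is reported, while 10.0.0.7 completes a normal handshake to a single port and is not. The threshold is a tuning knob: on a busy server, a legitimate client can touch several ports, so set it against what your own baseline traffic looks like.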
Wireshark
Wireshark is one of the most widely known network packet sniffers. Often a penetration tester can learn a great deal from simply sniffing the network traffic on a target network. Wireshark provides a convenient graphical user interface (GUI) for examining network traffic. It is a free download, which you can get at https://www.wireshark.org/ . This tool can be downloaded for Windows or Macintosh. It has a GUI as opposed to being command line based. You can see the main Wireshark interface in Figure 4.2 .
FIGURE 4.2 Wireshark
When using Wireshark, you can highlight any packet and then see the details of that packet, including the various network headers such as Ethernet, TCP, and IP. You can also right-click a specific packet and then choose to view the entire conversation associated with that packet. This can be seen in Figure 4.3 .
FIGURE 4.3 Wireshark follow conversation
Wireshark is a very versatile tool. It is worth taking the time to learn completely all the features of this tool. Fortunately, you’ll find a number of resources on the Wireshark page at https://www.wireshark.org/#learnWS to help you learn.
Network Scanners
Network scanning is different from packet sniffing. With network scanning, you are literally trying to find out what is on your network. This may seem like an odd task. Shouldn’t you already know what is on your network? Ideally you should. However, networks change over time, and not all changes are documented. A network scanner or network mapper can enumerate everything on your network, giving you an up-to-the-minute view of what is on your network.
It is also a perfect way to detect rogue systems. It is entirely possible that someone has added a computer, wireless access point, or even multiple servers that you didn’t know about. In some cases, this is just an undocumented addition to your network. In other cases, however, it is added for the specific purpose of circumventing security.
SolarWinds
SolarWinds is a commercial network scanner, and the developer offers a free 14-day trial version. You can see the network topology scan in Figure 4.4 .
You select an IP range, subnet, or list of IP addresses to scan and then start the scan. SolarWinds will produce a map of your network. You can then right-click any device on the network to get more details ( Figure 4.5 ).
FIGURE 4.4 SolarWinds network topology scan
FIGURE 4.5 SolarWinds scan results
This tool is a fully featured, easy-to-use network scanner.
LanHelper
This tool is an inexpensive network mapper and scanner that you can download from www.hainsoft.com/download.htm . It installs rather quickly, and then you simply tell it to scan by clicking Network on the drop-down menu and then selecting one of the following:
· Scan Lan
· Scan IP
· Scan Workgroups
When the scan is done, you will see a list of all devices on the network, and you can click any one of them to get more details, as shown in Figure 4.6 .
FIGURE 4.6 LanHelper
Wireless Scanners and Crackers
Wireless networks are ubiquitous today. For this reason, scanning the wireless network, and even testing its security by attempting to crack it, is an important activity for any network administrator. The network scanners mentioned in the previous section can be used for wireless networks, but there are also tools specifically designed for Wi-Fi that you can use.
In addition to scanning, many of these Wi-Fi tools will attempt to crack your Wi-Fi. They will essentially attempt either to derive the password or to circumvent the security. It is important that network security professionals scan their network with tools like this to find issues before an attacker does.
Aircrack
Aircrack is one of the most popular tools for scanning and cracking Wi-Fi. It is a free download, and you can get it at www.aircrack-ng.org/ . There are actually a few tools in this download. One, called wzcook.exe, will try to extract wireless data, including the password, from the local machine on which it is installed. But that is not the part we are interested in here. The main tool is aircrack-ng. It is a command-line tool, and you can see it in Figure 4.7 .
FIGURE 4.7 Aircrack
It takes a bit of time to get comfortable with all the command-line flags. However, this is a very important tool and well worth the time spent. The reason why it is so important is that it is popular with attackers. If you scan your wireless network with the same tool that attackers are likely to use and you find problems and correct those, then your network is less vulnerable to wireless attacks.
Password Cracker
It is a reasonable assumption that an attacker will attempt to crack passwords on your network. With this fact in mind, it is also reasonable that you should attempt to use password crackers on your network. If you are able to crack one or more passwords, you are then aware of this security vulnerability and can take appropriate steps to remedy the issue. In this section, we will take a look at three widely used password crackers.
pwdump
pwdump is a common tool used by attackers, so it is a good thing for security professionals to use as well. The first step for many password cracking tools is to get a copy of the local password hashes from the Windows SAM file. The SAM file, or Security Accounts Manager, is where Windows stores hashes of passwords. The program pwdump will extract the password hashes from the SAM file. pwdump is a free download from www.openwall.com/passwords/windows-pwdump . Figure 4.8 is an image of the output of pwdump7. The actual hashes are redacted, since this was run on a live machine.
FIGURE 4.8 pwdump
Oftentimes, you will want to dump the hashes to an external file so that you can import them into a rainbow table tool. Rainbow tables are explained in detail in Chapter 8, “Cryptography,” but for now just know that they are tables of pre-computed hashes used to guess passwords. That is done quite easily by simply redirecting the output of pwdump to a text file. For example:
pwdump > passwordhashes.txt
Once you have the password hashes, you can use any rainbow table tool to check to see if the passwords can be recovered. This is one method for validating the strength of your organization’s passwords.
Ophcrack
Ophcrack is one of the most widely used password cracking tools. Ophcrack is important because it can be installed on a bootable CD. If used in that manner, you boot the system to the CD, thus circumventing Windows security, and proceed to try to crack the passwords. Ophcrack offers a small rainbow table free of charge; you must purchase the larger rainbow tables. You can download Ophcrack from http://ophcrack.sourceforge.net/ . It also does not require a separate process to dump the Windows SAM file. Instead, it will grab the data from the SAM file for you. The output from Ophcrack is shown in Figure 4.9 . The actual hashes and passwords are redacted.
FIGURE 4.9 Ophcrack
Regardless of which specific password cracking tool you use, such tools can be very important in verifying the security of your passwords. Essentially, you attempt to crack the passwords, and if you are successful, that indicates your passwords are not strong enough.
Vulnerability Scanners
It is important that you scan your network for vulnerabilities. The goal is to find and correct vulnerabilities before an attacker finds them. Some of these tools scan for general vulnerabilities, others specifically scan for web page vulnerabilities, and still others scan to see if your systems are configured properly. A few of the most widely used scanners will be discussed in this section.
Vulnerability scanners can be classified as active or passive. Active scanners will interact directly with the target network. Tools such as Nessus, MBSA, and OWASP ZAP, which will be discussed in more detail in this section, are active scanners. Passive scanning involves methods to search your network that do not directly interact with the network. This usually means websites that provide information. A few are listed here, with brief descriptions.
Netcraft.com This provides information about websites including what operating system they are running.
Shodan.io This site is a vulnerability search engine. You can search your own network’s domain name for vulnerabilities.
isc.sans.edu This is the SANS Institute cyber storm center, and it will provide information on current cyber threats.
Nessus
Nessus is the most widely used vulnerability scanner. You can find Nessus at https://www.tenable.com/products/ . It is a commercial tool that has tens of thousands of documented vulnerabilities in its library. You can scan Linux machines, Windows machines, routers, and just about everything on your network. The library of vulnerabilities is updated on a continuous basis, so you will always be able to check for the latest vulnerabilities. Nessus produces a report for each scan. You can see an example of such a report in Figure 4.10 .
FIGURE 4.10 Nessus report
The report is in HTML format, and you can drill down on any specific issue and read a detailed description of the issue as well as recommended remediation steps.
MBSA
Microsoft Baseline Security Analyzer is not the most robust vulnerability scanner. However, it is a free download, and in addition to finding vulnerabilities, it is useful in finding configuration issues with Windows machines. You can download MBSA from https://www.microsoft.com/en-us/download/details.aspx?id=7558 . In addition to being free, it is very easy to use. You can see the output from MBSA in Figure 4.11 .
FIGURE 4.11 MBSA output
As you can see, MBSA finds common Windows vulnerabilities and also lets you know if patches are required or issues exist with system passwords. Thus, it combines vulnerability scanning with configuration scanning.
OWASP Zap
Recall from Chapter 2, “Monitoring and Diagnosing Networks,” that we discussed the Open Web Application Security Project (OWASP). OWASP publishes a list of top vulnerabilities. It also publishes a free tool, OWASP ZAP, for scanning websites for vulnerabilities. This tool can be downloaded from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project . It is also easy to use. Just enter the URL of the website you wish to check and click the button. You can see the output from OWASP ZAP in Figure 4.12 .
FIGURE 4.12 OWASP ZAP output
As you can see, the tool provides detailed information on everything it finds. Each item can be double-clicked for more detail. OWASP ZAP will tell you the details of the vulnerability, as well as the recommended remediation steps.
Exploitation Frameworks
In some cases, network administrators will take an additional step of actually attempting exploits on their network. This is often done as part of a penetration test. In such cases, it is often helpful to use an exploitation framework. Perhaps the most widely known such framework is Metasploit. This program can be downloaded from https://www.metasploit.com/ . There are free and commercial versions. The free version comes with the Kali Linux distribution.
Entire books have been written on Metasploit, and it is beyond the scope of this chapter to teach you the ins and outs of Metasploit. However, if you are interested in using a framework to test your network, it is highly recommended that you take the time to learn Metasploit.
Command-Line Tools
You can use a number of command-line tools to ascertain information about your network. Some of these are basic networking utilities, whereas others are specific to network security. CompTIA often places an emphasis on these tools. It is important that you actually use each of these and be familiar with them for the Security+ exam. Also, as you will see in the following sections, each of these commands has several flags that you can use. The Security+ exam will expect you to know these flags as well as the basic commands. Many of these tools are also essential networking tools, and the Security+ exam will assume that this section is primarily a review, not new material.
ping
ping is a fundamental networking utility. It is part of both Windows and Linux. The ping utility is used to find out if a particular website is reachable. Occasionally Packet InterNet Gopher is suggested as an acronym for ping, but the original author of ping says that it is based on the sound of a sonar return. ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response, sometimes casually called a pong. You can see ping in use in Figure 4.13 .
FIGURE 4.13 ping
The most common flags for ping are described in Table 4.1 .
TABLE 4.1 Common ping flags
| Flag | Description |
| --- | --- |
| -t | Continues pinging until stopped—for example, ping -t www.google.com. |
| -a | Resolves the address to a hostname, if you are pinging an IP address. |
| -i | Specifies the Time To Live (TTL) value for packets. |
| -w | Waits a specified number of milliseconds for a response before sending the next ping. |
| -l | Sets the size of the packets. For example, ping -l 20000 www.google.com will send 20,000-byte packets to google.com. |
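To make the ICMP echo request/reply exchange concrete, here is an added example (not code from the book or from any ping implementation) that builds the ICMP echo request header ping sends, fills in the RFC 1071 Internet checksum, and validates a received packet, all in memory without sending anything. The identifier, sequence number, and payload values are chosen for the example.

```python
"""Added example (not from the book): the ICMP echo request that ping sends,
built and checked in memory. Type 8 = echo request, type 0 = echo reply."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence (8 bytes, network order)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:  # odd length: pad with a zero byte for the last word
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Assemble header + payload; the checksum covers both, computed with the field zeroed."""
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    checksum = inet_checksum(header + payload)
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, checksum, identifier, sequence)
    return header + payload


def parse_echo(packet: bytes):
    """Verify the checksum (a valid packet sums to zero) and return
    (type, identifier, sequence, payload). Raises ValueError on corruption."""
    if len(packet) < 8:
        raise ValueError("ICMP packet too short")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, identifier, sequence = struct.unpack(HEADER_FMT, packet[:8])
    return icmp_type, identifier, sequence, packet[8:]


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"abcdefgh")
    print(pkt.hex())
    print(parse_echo(pkt))
```

The identifier and sequence fields are how ping matches replies to the requests it sent; a reply carries them back unchanged with the type set to 0. The payload size is what the -l flag above controls.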
netstat
The netstat command is also part of both Windows and Linux. It displays current network connections. The basic command is shown in Figure 4.14 .
FIGURE 4.14 netstat
Some of the more commonly used netstat flags are described in Table 4.2 .
TABLE 4.2 Common netstat flags
| Flag | Description |
| --- | --- |
| -A | Shows the address of any protocol |
| -a | Shows the state of sockets |
| -c | Shows statistics for the network buffer cache |
| -n | Shows active TCP connections |
| -o | Shows the active TCP connections and the process ID that started them |
| -p | Shows protocols |
| -s | Shows statistics per protocol |
tracert
This command is tracert in Windows and traceroute in Linux. It will tell you the entire path to a given address. It is often said that ping tells you if a given address is reachable and tracert or traceroute tells you how to get there. A basic tracert is shown in Figure 4.15 .
FIGURE 4.15 tracert
The common flags for this command are described in Table 4.3 .
TABLE 4.3 Common tracert flags
| Flag | Description |
| --- | --- |
| -h | Maximum hops. By default it is 30, but you can change it. |
| -w | Timeout. |
| -6 | Force using IPv6. |
| -4 | Force using IPv4. |
nslookup/dig
The nslookup command is a bit different from the other commands. It will start by verifying that the machine can connect to the DNS server. Then, however, it also opens a command prompt wherein you can enter DNS-related commands. You can see the basic nslookup in Figure 4.16 .
FIGURE 4.16 nslookup
From the prompt, you can attempt a zone transfer:
run: nslookup.exe
type: ls -d domain_name <enter>
A zone transfer is when you attempt to get the DNS server to send you all of its zone information. A properly configured DNS server will refuse. It is a good idea to attempt this to verify whether or not your DNS server is secure.
arp
The arp (Address Resolution Protocol) command maps IP addresses to MAC addresses. Unlike the other commands, this one will only work with at least one flag, so let’s list the more common flags first in Table 4.4 and then demonstrate arp.
TABLE 4.4 Common arp flags
| Flag | Description |
| --- | --- |
| -d | Removes a listing from the arp cache. You won’t use this very often. |
| -a | Displays all of the current arp entries for all interfaces. This is the most common flag. |
| -g | Displays all of the current arp entries for all interfaces. Same as -a. |
| -N | Lists the arp cache for a specified interface. |
You can see arp in use in Figure 4.17 .
FIGURE 4.17 arp
ipconfig/ip/ifconfig
ipconfig in Windows (ifconfig in Linux) is one of the more basic network commands. It will provide you with information about your network interfaces. You can see the basic command in use in Figure 4.18 .
FIGURE 4.18 ipconfig
The common ipconfig flags are shown in Table 4.5 .
TABLE 4.5 Common ipconfig flags
| Flag | Description |
| --- | --- |
| /all | Show all information for all network interfaces. |
| /release | Release any dynamically assigned IP addresses. |
| /renew | Renew the dynamically assigned IP address. |
nmap
nmap is a free download for Windows or Linux. It is not part of the operating system. It is often used to port scan machines. This can reveal what services are running as well as information about the target machine’s operating system. You can scan a range of IP addresses as well as a single IP.
nmap also lets you set a number of flags (either with the command-line version of nmap or the Windows version) that customize your scan. The allowed nmap flags are listed in Table 4.6 .
TABLE 4.6 Allowed nmap flags
| Flag | Description |
| --- | --- |
| -O | Detects operating system |
| -sP | Ping scan |
| -sT | TCP connect scan |
| -sS | SYN scan |
| -sF | FIN scan |
| -sX | Xmas tree scan |
| -sN | NULL scan |
| -sU | UDP scan |
| -sO | Protocol scan |
| -sA | ACK scan |
| -sW | Window scan |
| -sR | RPC scan |
| -sL | List/DNS scan |
| -sI | Idle scan |
| -P0 | Don’t ping |
| -PT | TCP ping |
| -PS | SYN ping |
| -PI | ICMP ping |
| -PB | TCP and ICMP ping |
| -PM | ICMP netmask |
| -oN | Normal output |
| -oX | XML output |
| -oG | Greppable output |
| -oA | All output |
| -T | Timing |
| -T0 | Paranoid |
| -T1 | Sneaky |
| -T2 | Polite |
| -T3 | Normal |
| -T4 | Aggressive |
| -T5 | Insane |
Here are some basic scans:
Basic nmap scan
nmap 192.168.1.1
Scan a range of IP addresses
nmap 192.168.1.1-20
Scan to detect operating system, use TCP scan, and use sneaky speed
nmap -O -PT -T1 192.168.1.1
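Running the scans above is the easy part; the security value comes from comparing what nmap found against what you expect to be there, which is the rogue-system check described in the Network Scanners section and the baseline deviation issue covered later in this chapter. The following is an added example (not code from the book or from the nmap project): it parses nmap's greppable output (-oG), lists hosts that are not in an asset inventory, and lists open ports on inventoried hosts that the approved baseline does not allow. The scan text is constructed in the layout nmap uses for -oG (tab-separated fields, ports as port/state/protocol//service///), and the inventory and baseline are sample data.

```python
"""Added example (not from the book): reconciling nmap -oG output against an
asset inventory (rogue hosts) and a per-host port baseline (deviations).
All input data below is constructed for this example."""
import re

# Constructed sample in nmap's greppable (-oG) layout: one or more tab-separated
# fields per line, the Ports field holding port/state/proto//service/// entries.
SAMPLE_OG = """\
# Nmap scan (constructed sample in -oG format)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done
"""

# Constructed inventory (IP -> asset name) and approved baseline (IP -> allowed (port, proto)).
INVENTORY = {"192.168.1.1": "core-router", "192.168.1.10": "file-server"}
BASELINE = {
    "192.168.1.1": {(22, "tcp"), (443, "tcp")},
    "192.168.1.10": {(445, "tcp")},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/,]*)")  # port, state, proto, service


def parse_greppable(text):
    """Return {ip: {(port, proto): service}} containing only open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/header lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    if state == "open":
                        hosts[ip][(int(port), proto)] = service
    return hosts


def find_rogue_hosts(hosts, inventory):
    """Hosts that answered the scan but are not in the asset inventory."""
    return sorted(ip for ip in hosts if ip not in inventory)


def find_baseline_deviations(hosts, baseline):
    """Open ports on inventoried hosts that the baseline does not allow."""
    deviations = {}
    for ip, allowed in baseline.items():
        extra = set(hosts.get(ip, {})) - allowed
        if extra:
            deviations[ip] = sorted(extra)
    return deviations


if __name__ == "__main__":
    found = parse_greppable(SAMPLE_OG)
    print("rogue hosts:", find_rogue_hosts(found, INVENTORY))
    print("baseline deviations:", find_baseline_deviations(found, BASELINE))
```

In the sample, 192.168.1.77 is a rogue system (not inventoried, and exposing telnet), and the file server has RDP open although the baseline permits only SMB. A scan run on a schedule with this comparison turns the "up-to-the-minute view" of the network into an actionable list rather than a map you have to read by eye.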
netcat
The netcat utility also does not come with the operating system, but it is a free download for Windows or Linux. This utility allows you to read and write to network connections using either TCP or UDP. Here are some examples:
Open a connection to a mail server on port 25
nc mymail.server.net 25
listen on port 12345
nc -l -p 12345
You can see a basic netcat command in use in Figure 4.19 .
FIGURE 4.19 netcat
Some of the most common netcat flags used are listed in Table 4.7 .
TABLE 4.7 Common netcat flags
| Flag | Description |
| --- | --- |
| -l | Listen mode (default is client mode). |
| -L | Listen harder (supported only on the Windows version of netcat). This option makes netcat a persistent listener that starts listening again after a client disconnects. |
| -u | UDP mode (default is TCP). |
| -p | Local port (in listen mode, this is the port listened on; in client mode, this is the source port for all packets sent). |
| -e | Program to execute after a connection occurs, connecting STDIN and STDOUT to the program. |
Additional Tools
There are many other tools with which any network security professional must be familiar. Each of these tools provides assistance with various aspects of security. Some commonly used networking tools are described in this section.
General Networking Tools
Data sanitization tools are used to ensure that data is entirely wiped from a given device before it is repurposed. The prevalence of deleted file recovery tools makes data sanitization very critical.
Backup utilities are also critical for network security. Making regular backups of your servers and workstations is a fundamental part of network security. Specific approaches to backing up your data will be discussed in Chapter 12, “Disaster Recovery and Incident Response.” However you approach your backup strategy, it is critical that you have utilities that effectively and securely automate the process.
Banner grabbing is a technique that attackers use to gather information about a website before launching an attack. A banner is a text file on a web server that describes the operating system and the web server software. If an attacker can grab the banner, then he or she will have information about the web server to plan the attack. Network administrators sometimes use banner grabbing tools or techniques to check their web server to see what sort of information the attacker might have access to.
Honeypot
Honeypots were briefly introduced in Chapter 2, “Monitoring and Diagnosing Networks.” Just to review, a honeypot is a fake system designed to attract an attacker so that he or she focuses on the fake system rather than on your actual system. Honeypots are also generally set up to perform a great deal of monitoring and tracing in order to gather evidence of an attack. A number of honeypot tools are available, and a few are discussed briefly here:
Nova Network Security Nova sells a product that is both an intrusion detection system and a honeypot: www.novanetworksecurity.com/ .
Honeynet Project The Honeynet project is an open source honeypot and honeynet project: www.honeynet.org/ .
Web Application Security Project The Web Application Security project has a collaborative project that supports a distributed honeypot: http://projects.webappsec.org/w/page/29606603/Distributed%20Web%20Honeypots .
Steganography Tools
The process of steganography will be explored in detail in Chapter 8, “Cryptography.” For now, you need to understand that it is a process whereby you can hide data in files. In fact, entire files can be hidden in other files.
A number of tools are available on the Internet, some for free, which allow an attacker to hide data steganographically without even needing to understand how steganography works. These tools are sometimes used by insiders to exfiltrate confidential information. A few such tools are listed here:
Invisible Secrets This is a low-cost commercial product that can hide data in either an image or sound file. You can find out more at www.invisiblesecrets.com .
Deep Sound This is a free download that allows you to hide data in sound files: http://jpinsoft.net/deepsound .
Open Stego This is an open source steganography tool that can be found at www.openstego.com . It is somewhat limited, but it will provide basic steganography.
Troubleshooting Common Security Issues
The Security+ exam will assume that you can troubleshoot common security issues. In this section, we will discuss those common issues and how to address them.
Access Issues
Access issues are a broad category of security anomalies that are very common. Whenever there is any situation where someone is able to access data they should not be able to access, then that is an access violation. These violations are divided into two broad categories.
The first involves permission issues. One of the cornerstones of security is the concept of least permissions. Each user or service is provided only with sufficient permissions to do their job. Any permission beyond that is a permission issue that could lead to an access violation.
One way such permission issues occur is when a user is moved from one role on the network to another. It is important that their old permissions be replaced with the new permissions, rather than the new permissions being added to the old ones. If the network administrator is not careful, the user will ultimately have significantly more permissions than their job requires. The fundamental way to address permissions issues is to compare each user’s permissions to the requirements of their job.
Access violations occur when someone accesses, or attempts to access, data that they should not be accessing. For example, if a user accesses files to which they have not been given permission, that is an access violation. Violations can occur from inside employees accessing data beyond what they have been authorized to access, or by outside attackers who have not been authorized to access any data but are doing so anyway.
There is a second definition of access violation, not related to permissions. This definition involves memory management. When an application running on a computer is able to access the memory of another application, this is also an access violation. This is sometimes even more narrowly defined as software trying to access protected memory. When the hardware of a system notifies the operating system that some software has attempted to access a restricted area of memory, this is called a segmentation fault, or access violation.
Often, access violations (defined as someone accessing data that they should not be accessing) are best discovered by examining the logs of a given system. For example, a database log should show what users accessed what data and when. By scanning the database log for anomalies, you can detect access violations.
Access violations are closely related to authentication problems. Whenever someone is able to circumvent the normal authentication process, this may lead to an access violation. Here are some common issues that you should check for on your network:
Good Passwords Passwords should be at least 10 characters long, implement complexity requirements, and be changed from time to time.
Password Storage Passwords should be stored as a salted hash. Hashes and salt will be discussed in detail in Chapter 8.
Least Privileges Ensure that once a user is authenticated, he or she is only given just enough privileges to do their job.
Protocols There are modern authentication protocols, such as Kerberos, which are discussed later in this chapter. You should ensure that you are using these protocols.
Strong Authentication Later in this chapter, we will be discussing different types of authentication. Make sure that you are using two-factor authentication whenever possible.
When you fail to implement any one of these guidelines, the entire security of your network is compromised.
Configuration Issues
Whenever any device or software is not configured correctly, this presents a significant security concern. Misconfiguration can be failing to enable some security mechanism, using a weak security configuration, or simply incorrectly configuring the system’s settings. This applies to workstations, servers, routers, switches, and all other devices on your network. However, the problem is even more disconcerting for certain devices.
Your firewall(s) provide the frontline of protection for your network. Unfortunately, modern firewalls have become increasingly complex. This can lead to a misconfigured firewall. If the firewall is misconfigured, it can lead to a possible point of access for an attacker. Common firewall configuration issues include not properly configuring the rules of the firewall—this includes inbound and outbound rules. Another firewall configuration issue is allowing traffic to exit the network that should not be allowed.
For any system, some common configuration issues include the following:
Default Passwords All systems come with a default login. This login must be changed immediately.
Failure to Patch Network items such as firewalls, access points, switches, and routers all have operating systems that must be patched, just as you patch your computers.
Regardless of the system, it should be configured to meet a security baseline. The security baseline is essentially an overall approach to security that provides a basic level of protection across the major portions of your network. Configuration issues can lead to deviations from that security baseline.
Issues with configuring content filters also pose a security risk. In addition to the issues just listed, a content filter must be carefully configured so that it blocks the content that you wish to block without accidentally blocking legitimate traffic. Usually it takes a bit of time and effort to get the configuration exactly correct.
Misconfigured access points are a serious security concern. Any access point, particularly a wireless access point, requires careful security configuration. Along with issues such as default passwords and patching, additional security concerns include these:
Limit Admin Access Wireless access points have an administrative panel. This should only be accessible via a physical connection, not via wireless.
Filtering Most access points offer some level of filtering. It should be turned on and configured.
Logging Access points typically offer logging that must be turned on and configured.
Digital Certificate Issues
Although not a device, digital certificates also must be configured and implemented properly. Digital certificates will be discussed in detail in Chapter 8, but let’s address a few issues here.
The first step involves issuing certificates in a secure manner. This means ensuring that the proper key size is selected and making certain that the private key is stored securely.
The next common issue involves the use of self-signed certificates. These should be used sparingly since they are not authenticated by a trusted third party. It is better to have an organizational certificate authority issue certificates.
Certificate revocation is another important issue to address. This is particularly important when your organization has its own certificate authority. When you have your own certificate authority, then you are responsible for ensuring that the revoked certificates are not used on your network. This can be as simple as ensuring that the certificate revocation list is updated and published frequently.
Personnel Issues
It is often said in cybersecurity that the greatest threat is the insider. Unfortunately, this is true. Whether it comes from intentional malfeasance from a disgruntled employee or simply a mistake due to lack of knowledge or carelessness, the fact is that insiders can cause a tremendous amount of damage. Sadly, many of the security concerns related to insiders cannot be alleviated with the application of technology.
The most obvious issue with insiders is the failure to follow policies. Policy violations undermine your entire network’s security. Policy violations often occur through simple ignorance. The policies have not been adequately communicated to the staff or are not clear. However, intentional violations are also a significant insider threat about which you must be aware.
Insiders are also vulnerable to social engineering. Social engineering is essentially using interpersonal skills to attempt to elicit information. Someone could call employees in your organization pretending to be from technical support and attempt to get passwords from users. Other applications of social engineering are less obvious. For example, the attacker might call claiming to be conducting an IT survey for a major company, while all the time attempting to gather information about your network.
Social media is also a problem in many ways. First, it can be a means of distracting employees and reducing productivity. More important, however, it may be a conduit for information exfiltration. Employees might disclose information about confidential projects or other sensitive information. This often occurs in the context of the employee either boasting about some new innovation in your company or complaining about the extra work the new project causes. Either way, the end result is that information about your company is released to the outside world.
The use of personal email at work is another security concern. When an employee checks their personal email from a company workstation, any malware that might be sent to that email address will now infect the company network. Moreover, the employee’s personal email may not have the rigorous security precautions that you have on your company network.
Other Issues
One serious risk to all organizations is the installation of unauthorized software. Any organization has a process for vetting and controlling the software that is installed on its network. If unauthorized software is installed, this can be the beginning of many problems.
The most obvious issue is that the unauthorized software could have significant security flaws. Since the software was not tested or vetted, its security won’t be known. It is even possible that the unauthorized software is actually a Trojan horse, bringing malware into the organization.
Unauthorized software is closely related to license compliance violations. Copyrights are serious legal issues, and your company should strive to comply with copyright laws. Installing unlicensed software is a violation of copyright law. Whether the software is authorized by your IT department or is unauthorized, you must be vigilant in ensuring that unlicensed copies of applications are not installed on your network.
Unlicensed software is itself a subset of the topic of asset management. The larger the organization, the more challenging it can be to have clear management of all of your company IT assets. Whether it is laptops, servers, or software, you have to maintain an accurate inventory of everything your company owns and where it is currently located.
SMS/MMS messages can also be a security risk, albeit a minor one. Many companies choose to limit text messages based on when they can be sent, from where, and what content. Particularly, sending pictures can be a security issue in secure areas.
Security Technologies
You can implement a variety of security technologies to make your network more secure. Most network administrators implement a combination of multiple technologies. However, the challenge becomes how to interpret the output from these technologies. In this section, we will review this issue for various technologies.
Intrusion Detection Systems
A host-based intrusion detection system (HIDS) or host-based intrusion prevention system (HIPS) is a vital part of your security. Such devices detect activity that indicates a likely intrusion. There are a variety of such systems, some commercial and some open source. Obviously, you will need to consult the documentation of your specific device in order to interpret the output completely from your HIDS/HIPS, but some general guidelines apply to all such devices.
The first thing to keep in mind is that no HIDS/HIPS is 100 percent effective. All such systems will have some false positives (legitimate traffic labeled as an attack) and false negatives (attacks labeled as legitimate traffic). The key is to interpret what your HIDS/HIPS is telling you properly in order to determine if you need to alter the configuration to get more accurate readings.
This leads to the first issue with interpreting HIDS/HIPS output—that is, matching traffic identified as an attack with the actual traffic on your network. As stated earlier, there will be some false positives. Thus, you should expect that some of the traffic that has been identified as an attack will actually match activity on that host, which you can confirm is legitimate traffic. As you note the number of false positives, you can alter the configuration of your HIDS/HIPS to lower the frequency of false positives.
For an HIPS, this will be even easier, since it blocks suspected attacks. Those will be clearly identified in the logs of your HIPS, regardless of which HIPS you are using.
As stated earlier, actually interpreting the logs and output from your HIDS/HIPS will require you to refer to the documentation of that specific product. But let’s look at one specific IDS/IPS: the SNORT IDS/IPS. This is an open source HIDS/HIPS, and its logs provide a good example. Here is a sample log:
[116:56:1] (snort_decoder): T/TCP Detected
This may look very cryptic to you, and it may not provide you with any information that you can use. The first number (116) is the generator ID, and it indicates what Snort component generated this alert. The second number (56) is sometimes called a Signature ID, or a Snort ID. It will identify the rule that triggered this alert. The third number (1) is the revision ID, which identifies the revision number of the attack signature that matched this alert. The text tells you what was detected. In this case, it was normal TCP traffic.
NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS) provides guidance as to IDS systems, both host based (HIDS) and network based (NIDS). You can view this document here: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf. The standard describes various types of IDS/IPS, how they function, and typical components. This can be a valuable resource when choosing your own IDS.
Antimalware
There are a variety of antimalware applications, including standard antivirus as well as advanced antimalware applications. Just like HIDS/HIPS, these will sometimes have false positives and false negatives. Fortunately, most of these applications provide much more user-friendly output than HIDS/HIPS, and it is far easier to interpret the output. Figure 4.20 shows the output from Malwarebytes, a popular antivirus tool.
FIGURE 4.20 Malwarebytes
This output is very clear. It identifies the item that was suspect, the date and time it was detected, the type (file, folder, registry key, and so forth), and the exact location. Most antivirus and even more advanced antimalware products provide equally readable output. Then, as the user, you can determine if you wish to restore or delete the item.
More advanced antimalware tools have more robust scanning algorithms, scan for more anomalies, and offer more options in how to deal with such issues. They also often offer add-in features such as HIDS/HIPS, firewall, and similar security services, but they still tend to have the type of easy-to-use interface that you see in Figure 4.20.
Firewalls and Related Devices
Whether you are using a host-based firewall or a web-application firewall (WAF), you will still need to know how to interpret the logs of these systems. As with HIDS/HIPS, you will ultimately have to refer to the documentation for your specific firewall in order to interpret the results properly.
For an example of a firewall log, let’s examine the Windows Firewall log.
In most versions of Windows, this will be found at %windir%\system32\logfiles\firewall\. This log will be empty if you have not turned on logging. You can have the firewall turned on but not be logging. To turn on logging, open the Windows Firewall console (wf.msc) and choose Actions ➢ Properties. You will then see a screen much like the one shown in Figure 4.21.
FIGURE 4.21 Windows Firewall
Simply click the Logging button to turn on logging. Here is an example of what log entries might look like:
2017-04-09 10:10:45 ALLOW TCP 192.168.0.104 192.168.0.100 52174 23
2017-04-09 10:10:54 DROP TCP 192.168.0.104 192.168.0.100 52175 21
Both entries start with a date in year-month-day format followed by the time. Then a description of what occurred follows. In both example entries, TCP traffic was occurring from IP 192.168.0.104 to IP 192.168.0.100. The first entry was allowed, but the second was blocked. The last item is the port that traffic was using. Thus, in this log, traffic was allowed on port 23 (Telnet) but blocked on port 21 (FTP).
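The two log formats shown in this section (the Snort alert header earlier and the Windows Firewall entries just above) are easy to parse once you know the field layout. The following is an added example, not code from the book or from either product: it splits a Snort alert header into its generator ID, signature ID, revision and message, parses firewall entries in the eight-field form shown above (a real pfirewall.log has a `#Fields:` header and further columns after the destination port, which this parser ignores), and counts DROP events per source address and destination port so that repeated probes stand out. The extra log lines beyond the two from the book are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Iterator, Optional

# Snort alert header: [gid:sid:rev] optionally followed by (component): message
SNORT_ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*(?:\(([^)]+)\))?:?\s*(.*)")


@dataclass
class SnortAlert:
    gid: int              # generator ID: which Snort component raised the alert
    sid: int              # signature ID: which rule matched
    rev: int              # revision of that rule
    component: Optional[str]
    message: str


def parse_snort_alert(line: str) -> SnortAlert:
    match = SNORT_ALERT_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a Snort alert header: {line!r}")
    gid, sid, rev, component, message = match.groups()
    return SnortAlert(int(gid), int(sid), int(rev), component, message.strip())


@dataclass
class FirewallEvent:
    timestamp: datetime
    action: str           # ALLOW or DROP
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_firewall_line(line: str) -> FirewallEvent:
    """Parse 'date time action protocol src-ip dst-ip src-port dst-port ...'."""
    date, clock, action, proto, src, dst, sport, dport = line.split()[:8]
    return FirewallEvent(datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
                         action, proto, src, dst, int(sport), int(dport))


def firewall_events(lines: Iterable[str]) -> Iterator[FirewallEvent]:
    """Skip blank lines and the '#Fields:' / '#Version:' header comments."""
    for line in lines:
        if line.strip() and not line.startswith("#"):
            yield parse_firewall_line(line)


def summarize_drops(lines: Iterable[str]) -> Counter:
    """Count dropped connections per (source IP, destination port)."""
    drops: Counter = Counter()
    for event in firewall_events(lines):
        if event.action == "DROP":
            drops[(event.src_ip, event.dst_port)] += 1
    return drops


# Constructed sample: the two entries from the text plus two made-up DROP lines.
SAMPLE_FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2017-04-09 10:10:45 ALLOW TCP 192.168.0.104 192.168.0.100 52174 23
2017-04-09 10:10:54 DROP TCP 192.168.0.104 192.168.0.100 52175 21
2017-04-09 10:11:02 DROP TCP 192.168.0.104 192.168.0.100 52176 21
2017-04-09 10:11:10 DROP UDP 192.168.0.150 192.168.0.100 40000 161
""".splitlines()

if __name__ == "__main__":
    print(parse_snort_alert("[116:56:1] (snort_decoder): T/TCP Detected"))
    for key, count in summarize_drops(SAMPLE_FIREWALL_LOG).most_common():
        print(f"{key[0]} -> port {key[1]}: {count} dropped")
```

A Counter keyed on source address and destination port is the simplest way to turn raw firewall entries into something reviewable: one dropped packet is noise, the same host hitting the same closed port repeatedly is worth a look.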
Each vendor’s logs will have a different format, so you will need to review the documentation that came with your firewall. We’ve provided a basic understanding of how firewall logs work. It is important to realize that firewall logs can contain a wealth of information about attempted breaches of your network.
Other Systems
In addition to the three most common security technologies (HIDS/HIPS, antivirus, and firewalls), other security technologies have output you may wish to review.
File integrity checking systems are very common. Tripwire is a well-known product that has both an open source and a commercial version. All file integrity products are configured to check to see if certain files have been changed and to record such activity. Many products, like Tripwire, will return the file to its previous state. However, if you don’t check the logs, you may not be aware that such a change was even attempted. Even if your file integrity product does correct such issues, it is important to know that they occurred.
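The core of any file integrity product is a baseline of file hashes and a later comparison against it. The following is an added example, not Tripwire's code or the book's: it builds a SHA-256 baseline of a directory tree, then reports files that were added, removed or modified. The directory contents are constructed in a temporary folder so the example runs anywhere; in practice the baseline would be stored where the monitored system cannot silently rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each file under root (relative, POSIX-style path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the added, removed and modified paths relative to the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two files, then change one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        stored = json.dumps(build_baseline(root))      # what you would persist off-host
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 example-host\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "newfile.conf").write_text("constructed\n")
        return compare_to_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(demo())  # prints the added/removed/modified report
```

Note that the comparison only tells you a change happened, not who made it; correlating the report with system logs is still required to decide whether the change was a legitimate update or an attempted tampering.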
Application whitelisting is a common technique used by security professionals. An application whitelist is a list of applications that are allowed on a given computer or network. If an application is not on the list, then it is not allowed. A variety of products can be used to enforce these application whitelisting policies. Such products will also log attempts to install unauthorized applications. It is important to check these logs, as you will want to know if, for example, some user on your network attempted to install a password cracker.
Many network administrators also control what removable media can be used, such as USB drives and optical disks. A number of tools exist for enforcing these policies. Again, however, you must review the tool’s logs to see if someone has been attempting to violate these policies. If a user on your network repeatedly attempts to install a USB drive that is not allowed, this could indicate a desire to exfiltrate data.
As you are probably aware, patch management is a challenge in a network environment. Unlike with home use, you cannot simply set up automatic updates on all systems. Instead, you must install patches on a test machine and verify that the patch or update works appropriately before rolling it out. Several products are available that can automate this process for you. It is important to check the logs of any patch management software to review issues with failed patches, patches that had to be rolled back, or any scenario in which the patch application was not successful.
A unified threat management (UTM) system, sometimes called a USM (unified security management) system, includes combinations of all the other devices we discussed earlier in this chapter, including firewall, IDS, and antivirus, as well as other items, such as load balancing and VPN. The procedure for reviewing logs will depend on the specific device you select. However, one major advantage is that you will have a single place to review logs rather than having to check multiple devices and systems logs.
Data loss prevention (DLP) software attempts to detect exfiltration of data. It does this by monitoring outgoing network traffic to look for key files going out. It can also monitor data storage of sensitive documents to log when data is accessed. As with the other technologies that we have examined, you will need to consult your manufacturer’s documentation to know how to interpret the logs for your system.
Data execution prevention (DEP) has become increasingly popular. Microsoft introduced this with Windows Vista. When an application tries to launch, the user must approve the execution before it can proceed. Other vendors produce more complex DEP systems. These systems log any time an application tried to execute, even if it was blocked. This could be a valuable resource for learning about malware. Even if the malware is blocked, you would want to know that there was an attempt to execute.
Identity and Access Management Concepts
Understanding the difference between identification and authentication is critical to answering access control questions correctly on the Security+ exam. Identification means finding out who someone is. Authentication is a mechanism of verifying that identification. Put another way, identification is claiming an identity; authentication is proving it.
Identification vs. Authentication
In the physical world, the best analogy would be that any person can claim to be anyone (identification). To prove it (authentication), however, that person needs to provide some evidence, such as a driver’s license, passport, or other nonrefutable proof.
Authentication systems or methods are based on one or more of these five factors:
· Something you know, such as a password or PIN. This is often referred to as Type I.
· Something you have, such as a smartcard, token, or identification device. This is often referred to as Type II.
· Something you are, such as your fingerprints or retinal pattern (often called biometrics). This is often referred to as Type III.
· Something you do, such as an action you must take to complete authentication. This does not have a type (I, II, III).
· Somewhere you are (this is based on geolocation). This does not have a type (I, II, III).
Because of the use of mobile computing, “somewhere you are” authentication is not often used, since users are likely to log in from diverse locations. In fact, many sources do not include “somewhere you are” as an authentication factor.
Systems authenticate each other using similar methods. Frequently, systems pass private information between each other to establish identity. Once authentication has occurred, two systems can communicate in the manner specified in the design. Several common methods are used for authentication, and they fall within the categories of either single factor or multifactor. Each offers something in terms of security and should be considered when you’re evaluating authentication schemes or methods.
Another method that is becoming popular is out-of-band authentication. This is a process whereby the system you are authenticating gets information from public records and asks you questions to help authenticate you. For example, the system might retrieve your credit report and then query you about specific entries in it.
Authentication (Single Factor) and Authorization
The most basic form of authentication is known as single-factor authentication (SFA), because only one type of authentication is checked. SFA is most often implemented as the traditional username/password combination. A username and password are unique identifiers for a logon process. Here’s a synopsis for how SFA works: When users sit down in front of a computer system, the first thing a security system requires is that they establish who they are. Identification is typically confirmed through a logon process. Most operating systems use a user ID (username) and password to accomplish this. These values can be sent across the connection as plain text or they can be encrypted.
The logon process identifies that you are who you say you are to the operating system and possibly the network. Figure 4.22 illustrates the logon and password process. Note that the operating system compares this information to the stored information from the security processor, and it either accepts or denies the logon attempt. The operating system might establish privileges or permissions based on stored data about that particular user ID.
FIGURE 4.22 A logon process occurring on a workstation
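The Password Storage guideline earlier in this chapter (store a salted hash, never the password) and the logon comparison in Figure 4.22 come together in the following added example, which is not code from the book. It uses PBKDF2-HMAC-SHA256 from the Python standard library: each user gets a fresh random salt, the stored record carries the algorithm, iteration count and salt so it can be verified later, and the comparison is done in constant time. The iteration count and salt length are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000   # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16        # assumed salt length


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password still get different stored records."""
    return hash_password(password) != hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """The logon step of Figure 4.22: compare the presented password with the stored record."""
    record = store.get(username)
    if record is None:
        hash_password(password)   # spend the same time for unknown users (no username oracle)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}   # constructed store
    print(login(users, "alice", "correct horse battery staple"))        # True
    print(login(users, "alice", "wrong"))                               # False
```

The record format is self-describing, so the iteration count can be raised for new users without invalidating old records; verification simply reads the parameters back from each record.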
Whenever two or more parties authenticate each other, it is known as mutual authentication. A client may authenticate to a server, and a server may authenticate to a client when there is a need to establish a secure session between the two and employ encryption. Mutual authentication ensures that the client is not unwittingly connecting and providing its credentials to a rogue server, which can then turn around and steal the data from the real server.
Ordinarily, mutual authentication will be implemented when the data to be sent during the session is of a critical nature, such as financial or medical records.
Multifactor Authentication
When two or more access methods are included as part of the authentication process, you’re implementing a multifactor authentication system. A system that uses smartcards and passwords is referred to as a two-factor authentication system. This example requires both a smartcard and a logon password process.
A multifactor system can consist of a two-factor system, three-factor system, or any number of factors. As long as more than one factor is involved in the authentication process, it is considered a multifactor system.
For obvious reasons, the two or more factors employed should not be from the same category. Although you do increase difficulty in gaining system access by requiring the user to enter two sets of username/password combinations, it is much preferred to pair a single username/password combination with a biometric identifier or other security check.
When taking the Security+ exam, keep in mind the number of authentication factors in each type. For example, using a smartcard and a password is two-factor authentication. However, using a password and a PIN is one-factor authentication because both involve “something you know.”
Biometrics
A very secure way to authenticate users is via the use of biometrics. Biometric authentication is Type III, something you are. These can be fingerprint scanners, full hand scanners, eye scanners (including retinal or iris scanners), facial recognition, or voice recognition.
Eye scanners tend to be very accurate. Full hand scanners are more accurate than simply a single fingerprint scanner. However, all of these methods will have both a false acceptance rate (FAR) and a false rejection rate (FRR). Your first thought might be that you want the FRR to be higher than the FAR. However, it is recommended that both rates be equal. This is because the same algorithms are being used to reject or accept. Fluctuations between FRR and FAR indicate a possible issue with the algorithm itself.
The point at which the FRR and FAR are equal is called the crossover error rate (CER) or sometimes the equal error rate (EER). With any biometric system, you want to reach the CER/EER and then make that rate as low as possible.
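The following added example (not code from the book) shows how FAR, FRR and the crossover point are actually computed. A biometric matcher produces a similarity score; sweeping the acceptance threshold trades false acceptances against false rejections, and the crossover error rate is the threshold where the two are equal. The score lists are constructed: one set of genuine-user scores, and two impostor sets, the second overlapping the genuine scores more, which is what a weaker algorithm looks like.

```python
from typing import List, Tuple

# Constructed matcher scores on a 0-100 similarity scale (higher = closer to the template).
GENUINE_SCORES: List[int] = [88, 91, 79, 95, 84, 73, 90, 86, 97, 81]
IMPOSTOR_SCORES: List[int] = [42, 55, 61, 38, 70, 48, 66, 52, 74, 45]
IMPOSTOR_SCORES_WEAK: List[int] = [60, 72, 80, 55, 85, 66, 77, 90, 70, 62]


def far_frr(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """FAR: impostors scoring at or above the threshold. FRR: genuine users scoring below it."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every possible threshold."""
    return [(t, *far_frr(t, genuine, impostor)) for t in range(0, 101)]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Threshold where FAR and FRR are closest to equal; ties broken by the lower total error."""
    return min(error_curve(genuine, impostor),
               key=lambda row: (abs(row[1] - row[2]), row[1] + row[2]))


if __name__ == "__main__":
    for label, impostor in (("good matcher", IMPOSTOR_SCORES), ("weak matcher", IMPOSTOR_SCORES_WEAK)):
        threshold, far, frr = crossover_error_rate(GENUINE_SCORES, impostor)
        print(f"{label}: CER at threshold {threshold}, FAR={far:.2f}, FRR={frr:.2f}")
```

The two data sets illustrate the chapter's point: the threshold can always be tuned until FAR and FRR meet, but the value they meet at is a property of the matcher itself, and lowering it requires a better algorithm or sensor, not a different threshold.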
Federations
A federation is a collection of computer networks that agree on standards of operation, such as security standards. Normally, these are networks that are related in some way. In some cases, it could be an industry association that establishes such standards.
Another example of a federation would be an instant messaging (IM) federation. In this scenario, multiple IM providers form common communication standards, thus allowing users on different platforms with different clients to communicate freely.
In other situations, a group of partners might elect to establish common security and communication standards, thus forming a federation. This would facilitate communication between employees in each of the various partners.
A federated identity is a means of linking a user’s identity with their privileges in a manner that can be used across business boundaries (for example, Microsoft Passport or Google checkout). This allows a user to have a single identity that they can use across different business units and perhaps even entirely different businesses.
A federated identity sounds similar to a single sign-on, but do not confuse the two. Single sign-on is about having one password for all resources on a given network. Federated identities relate to being able to access resources on diverse networks.
Potential Authentication and Access Problems
There are two problem areas that you should know about for the Security+ exam as they apply to authentication/access issues: transitive access and client-side attacks. Let’s address both of these.
Transitive Access
The word transitive means involving transition—keep this in mind as you learn how transitive access problems occur. With transitive access, one party (A) trusts another party (B). If the second party (B) trusts another party (C), then a relationship can exist where the first party (A) also may trust the third party (C). This is sometimes described as transitive trust.
In early operating systems, this process was often exploited. In current operating systems, such as Windows Server 2016, the problems with transitive access are solved by creating transitive trusts, which are a type of relationship that can exist between domains (the opposite is nontransitive trusts). When the trust relationship is transitive, the relationship between party (A) and party (B) flows through as described earlier (for instance, A now trusts C). In all versions of Active Directory, the default is that all domains in a forest trust each other with two-way, transitive trust relationships.
Although this process makes administration much easier when you add a new child domain (no administrative intervention is required to establish the trusts), it leaves open the possibility of a hacker acquiring more trust than they should have by virtue of joining the domain. We’ll explore how to validate the trust relationship in Windows Server 2012, which is a step toward addressing this problem.
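The following added example (not code from the book) makes the transitive-trust rule concrete: given a set of direct trust relationships, each marked transitive or nontransitive, it computes which domains each domain ends up trusting. Trust flows along a chain only while every link in the chain is transitive; a nontransitive link is honored only by the two domains that set it up. The domains (a forest root, a child, a grandchild and an external partner) are constructed, and the second scenario shows how one nontransitive partner trust becoming transitive silently widens what the forest root trusts.

```python
from typing import Dict, List, Set, Tuple

# A direct trust edge: (trusting domain, trusted domain, is_transitive). Constructed.
Trust = Tuple[str, str, bool]


def effective_trusts(direct: Set[Trust]) -> Dict[str, Set[str]]:
    """For every domain, the set of domains it ends up trusting directly or through a chain."""
    adjacency: Dict[str, List[Tuple[str, bool]]] = {}
    domains: Set[str] = set()
    for trusting, trusted, transitive in direct:
        adjacency.setdefault(trusting, []).append((trusted, transitive))
        domains.update((trusting, trusted))

    def reachable(start: str) -> Set[str]:
        trusted: Set[str] = set()
        # (domain, arrived_here_through_a_chain): the first hop may use any edge,
        # later hops may only use transitive edges
        stack = [(start, False)]
        while stack:
            node, chained = stack.pop()
            for nxt, transitive in adjacency.get(node, []):
                if chained and not transitive:
                    continue   # a nontransitive trust never extends to a third party
                if nxt != start and nxt not in trusted:
                    trusted.add(nxt)
                    if transitive:
                        stack.append((nxt, True))
        return trusted

    return {domain: reachable(domain) for domain in domains}


# Scenario 1: two-way transitive parent/child trusts inside the forest, plus a
# one-way nontransitive trust from the child domain to an external partner.
FOREST: Set[Trust] = {
    ("corp", "sales", True), ("sales", "corp", True),
    ("sales", "emea", True), ("emea", "sales", True),
    ("sales", "partner", False),
}

# Scenario 2: the same forest, but the partner trust has been made transitive.
FOREST_WIDENED: Set[Trust] = (FOREST - {("sales", "partner", False)}) | {("sales", "partner", True)}


def newly_trusted_after_change(before: Set[Trust], after: Set[Trust]) -> Dict[str, Set[str]]:
    """Which domains gained trust in whom when the trust set changed."""
    old, new = effective_trusts(before), effective_trusts(after)
    return {d: new[d] - old.get(d, set()) for d in new if new[d] - old.get(d, set())}


if __name__ == "__main__":
    for domain, trusted in sorted(effective_trusts(FOREST).items()):
        print(f"{domain} trusts {sorted(trusted)}")
    print("gained after widening:", newly_trusted_after_change(FOREST, FOREST_WIDENED))
```

Running the comparison on both scenarios is the kind of check worth automating: the domains that gain trust after a change are exactly the ones whose administrators should have been consulted before it was made.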
LDAP
Lightweight Directory Access Protocol (LDAP) is a standardized directory access protocol that allows queries to be made of directories (specifically, pared-down X.500-based directories). If a directory service supports LDAP, you can query that directory with any LDAP client. LDAP itself continues to grow in popularity and is used extensively in online white and yellow pages.
LDAP is the main access protocol used by Active Directory. It operates, by default, at port 389. The LDAP syntax uses commas between names.
Because a breach of LDAP can be quite serious, some organizations use secure LDAP. With secure LDAP (LDAPS), all LDAP communications are encrypted with SSL/TLS, and port 636 is used.
Throughout this book, you will see various port numbers mentioned. These port numbers are often the subject of questions on the Security+ exam (as well as other security-related certifications), so it is a good idea for you to get to know them.
PAP, SPAP, and CHAP
These three authentication protocols represent the evolution of authentication. The oldest, PAP (Password Authentication Protocol), will likely seem rather primitive and unsecure to you. However, that is because it is quite old and not used any longer.
PAP
Password Authentication Protocol is an old and insecure method of authentication. Essentially the username and password are sent in clear text. PAP was used before packet sniffers became widely available. It is now insecure and should not be used.
SPAP
Shiva Password Authentication Protocol simply encrypts the username and password. This prevents a packet sniffer from getting the username and password, but it does nothing to limit replay attacks or session hijacking.
CHAP
Challenge Handshake Authentication Protocol is a modern authentication protocol in use today. With this protocol, when users send their username and password to the server (encrypted, of course), the server first authenticates the user. Then once authentication is complete, the server directs the client computer to generate some random number (often a cryptographic hash) and send that to the server (encrypted as well, of course). Then the server will periodically challenge the client to reproduce that number/hash. If the client session has been compromised, then the client will be unable to produce that number/hash, and the server will terminate the session. Microsoft has a proprietary version of this called MS-CHAP.
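To see why PAP is unsafe on a sniffable link and how a challenge/response protocol avoids the problem, here is an added example that is not code from the book. It simulates both sides of a PAP exchange and of a CHAP exchange as specified in RFC 1994 (the response is MD5 over the identifier, the shared secret and the server's challenge), records everything that crosses the "wire", and shows that the PAP password is visible in that capture while the CHAP secret is not and a captured CHAP response is rejected when presented a second time. The user name, secret and the WIRE list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SECRETS: Dict[str, bytes] = {"alice": b"constructed-shared-secret"}   # known to client and server
WIRE: List[bytes] = []   # everything a packet sniffer on the link would capture


def pap_authenticate(username: str, password: bytes) -> bool:
    """PAP: the credential itself is the message."""
    WIRE.append(b"PAP " + username.encode() + b":" + password)
    return hmac.compare_digest(SECRETS.get(username, b""), password)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self) -> None:
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}   # challenges that have not been answered yet

    def challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)                # fresh and unpredictable for every attempt
        self.outstanding[self.identifier] = challenge
        WIRE.append(b"CHAP-CHALLENGE " + bytes([self.identifier]) + challenge)
        return self.identifier, challenge

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False      # unknown or already-used challenge: a replayed response fails here
        expected = chap_response(identifier, SECRETS[username], challenge)
        return hmac.compare_digest(expected, response)


def demo_pap() -> Tuple[bool, bool]:
    """Returns (authenticated, secret visible in the capture)."""
    WIRE.clear()
    ok = pap_authenticate("alice", SECRETS["alice"])
    return ok, SECRETS["alice"] in b"".join(WIRE)


def demo_chap() -> Tuple[bool, bool, bool]:
    """Returns (first attempt authenticated, replay of the same response accepted, secret visible)."""
    WIRE.clear()
    server = ChapServer()
    identifier, challenge = server.challenge()
    response = chap_response(identifier, SECRETS["alice"], challenge)   # client side
    WIRE.append(b"CHAP-RESPONSE " + bytes([identifier]) + response)
    first = server.verify(identifier, "alice", response)
    replayed = server.verify(identifier, "alice", response)            # same bytes, presented again
    return first, replayed, SECRETS["alice"] in b"".join(WIRE)


if __name__ == "__main__":
    print("PAP  (authenticated, secret on wire):", demo_pap())
    print("CHAP (authenticated, replay accepted, secret on wire):", demo_chap())
```

MD5 is what RFC 1994 specifies and is kept here for fidelity to the protocol; the property being demonstrated is the challenge/response structure, not the strength of the hash.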
Kerberos
Kerberos is an authentication protocol named after the mythical three-headed dog that stood at the gates of Hades. Originally designed by MIT, Kerberos is very popular as an authentication method. It allows for a single sign-on to a distributed network.
Kerberos authentication uses a key distribution center (KDC) to orchestrate the process. The KDC authenticates the principal (which can be a user, program, or system) and provides it with a ticket. After this ticket is issued, it can be used to authenticate against other principals. This process occurs automatically when another principal performs a request or service.
Kerberos is a common standard in network environments. Its only significant weakness is that the KDC can be a single point of failure. If the KDC goes down, the authentication process will stop. Figure 4.23 illustrates the Kerberos authentication process and the ticket being presented to systems that are authorized by the KDC. It should be noted that this figure is a simplified explanation of Kerberos. There are more details, but those are not covered in the Security+ exam.
FIGURE 4.23 Kerberos authentication process
When using Kerberos, the user authenticates to the KDC and is given a ticket granting ticket (TGT). This ticket is encrypted and has a time limit of up to 10 hours. The ticket lists the privileges of that user (much like a token). Each time the user wishes to access some resource on the network, the user’s computer presents the KDC with the TGT; the TGT then sends that user’s computer a service ticket, granting the user access to that service. Service tickets are usually only good for up to 5 minutes. The user’s computer then sends the service ticket to the server the user is trying to access. As a final authentication check, that server then communicates with the TGT to confirm and validate the service ticket.
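The ticket flow described above can be followed step by step in the following added example, which is not code from the book or from any Kerberos implementation. It models a KDC that issues a ticket granting ticket with a 10-hour lifetime and service tickets with a 5-minute lifetime, a client that obtains both, and an application server that validates the service ticket with the key it shares with the KDC, as in RFC 4120. The `seal`/`unseal` helpers are a toy authenticated-encryption scheme built from SHA-256 and HMAC so the example runs with the standard library only; real Kerberos uses AES-based encryption types. The principal names and keys are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

TGT_LIFETIME = 10 * 3600   # TGT valid for up to 10 hours
SVC_LIFETIME = 5 * 60      # service ticket valid for up to 5 minutes
CLOCK_SKEW = 300           # authenticator must be fresh within 5 minutes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    plain = json.dumps(fields).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, "sha256").digest(), tag):
        raise ValueError("ticket was tampered with or sealed under a different key")
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plain)


class KDC:
    def __init__(self, long_term_keys: Dict[str, bytes]) -> None:
        self.keys = dict(long_term_keys)    # every user and service shares a key with the KDC
        self.krbtgt_key = os.urandom(32)    # only the KDC can read a TGT

    def as_exchange(self, user: str, now: int) -> Tuple[bytes, bytes]:
        """AS exchange: (TGT, session key sealed under the user's long-term key)."""
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "session": session, "expires": now + TGT_LIFETIME})
        return tgt, seal(self.keys[user], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> Tuple[bytes, bytes]:
        """TGS exchange: check TGT and authenticator, issue a short-lived service ticket."""
        ticket = unseal(self.krbtgt_key, tgt)
        if now > ticket["expires"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(ticket["session"])
        auth = unseal(session, authenticator)   # proves the presenter knows the TGT session key
        if auth["user"] != ticket["user"] or abs(now - auth["time"]) > CLOCK_SKEW:
            raise ValueError("bad authenticator")
        svc_session = os.urandom(32).hex()
        svc_ticket = seal(self.keys[service],
                          {"user": ticket["user"], "session": svc_session, "expires": now + SVC_LIFETIME})
        return svc_ticket, seal(session, {"session": svc_session})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """The application server validates the ticket locally with its own long-term key."""
    try:
        fields = unseal(service_key, ticket)
        auth = unseal(bytes.fromhex(fields["session"]), authenticator)
    except ValueError:
        return False
    return now <= fields["expires"] and auth["user"] == fields["user"] and abs(now - auth["time"]) <= CLOCK_SKEW


def client_flow(kdc: KDC, user: str, user_key: bytes, service: str, now: int) -> Tuple[bytes, bytes]:
    """Client side: get a TGT, then a service ticket; returns (service ticket, service session key)."""
    tgt, sealed_session = kdc.as_exchange(user, now)
    session = bytes.fromhex(unseal(user_key, sealed_session)["session"])
    svc_ticket, sealed_svc = kdc.tgs_exchange(tgt, seal(session, {"user": user, "time": now}), service, now)
    return svc_ticket, bytes.fromhex(unseal(session, sealed_svc)["session"])


if __name__ == "__main__":
    keys = {"alice": b"\x01" * 32, "fileserver": b"\x02" * 32}   # constructed long-term keys
    kdc, now = KDC(keys), 1_700_000_000
    ticket, svc_session = client_flow(kdc, "alice", keys["alice"], "fileserver", now)
    print(service_accepts(keys["fileserver"], ticket, seal(svc_session, {"user": "alice", "time": now}), now))
```

Two details carry the security of the design: the session key comes back sealed under the user's own key, so only someone holding that key can use the TGT, and every ticket carries an expiry that the recipient checks against its own clock, which is why Kerberos deployments depend on synchronized time.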
Working with RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of remote and other network connections. Originally intended for use on dial-up connections, it has moved well beyond that and offers many state-of-the-art features. The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating system manufacturers. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications.
The term caller may seem outdated, but Windows Server 2012 (as well as 2008 and 2003) all refer to the ability to access a system remotely as dial-in privileges. Although few people are actually “dialing,” or calling in, the terms have stuck.
Figure 4.24 shows an example of a RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote ISP server is functioning as a client to the RADIUS server. This allows centralized administration of access rights.
FIGURE 4.24 The RADIUS client manages the local connection and authenticates against a central server
You should use RADIUS when you want to improve network security by implementing a single service to authenticate users who connect remotely to the network. Doing so gives you a single source for the authentication to take place. Additionally, you can implement auditing and accounting on the RADIUS server.
The major difficulty with a single-server RADIUS environment is that the entire network may refuse connections if the server malfunctions. Many RADIUS systems allow multiple servers to be used to increase reliability. All of these servers are critical components of the infrastructure, and they must be protected from attack.
TACACS, TACACS+, XTACACS
Terminal Access Controller Access Control System (TACACS) is a client-server-oriented environment, and it operates in a manner similar to RADIUS. Extended TACACS (XTACACS) replaced the original version and combined authentication and authorization with logging to enable auditing.
The most current method, or level, of TACACS is TACACS+. It replaces the previous two incarnations and, despite the name, is a distinct protocol rather than an extension of them (it is documented in RFC 8907). TACACS+ allows credentials to be accepted from multiple methods, including Kerberos. The client-server process follows the same pattern as RADIUS, with three differences that matter in practice: TACACS+ runs over TCP (port 49) rather than UDP; it separates authentication, authorization, and accounting into distinct exchanges, so a device can authorize individual commands without re-authenticating; and it obfuscates the entire packet body with the shared key, whereas RADIUS hides only the password attribute.
Cisco designed TACACS+ and has implemented it widely for administrative access to its network devices. TACACS+ has become widely accepted as an alternative to RADIUS, particularly for device administration, with RADIUS remaining the common choice for network access (VPN, wireless, 802.1X).
Remember, RADIUS and TACACS (or any of its variations such as TACACS+ or XTACACS) can be used to authenticate connections.
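The two ways the shared secret is used, as an added example for the RADIUS and TACACS+ sections above (this is illustrative code written for this page, not from the book or from any RADIUS or TACACS+ implementation). It implements the User-Password hiding and Response Authenticator from RFC 2865, the TACACS+ body pseudo-pad from RFC 8907, and an offline guess of a weak RADIUS shared secret from one captured Access-Request whose password the attacker already knows. The password, secrets, candidate list, session ID, and Request Authenticator are constructed values.

```python
import hashlib

def radius_hide_password(password, shared_secret, request_authenticator):
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S + RA) and c_i = p_i XOR MD5(S + c_(i-1)).
    This is obfuscation keyed by S, not encryption with a per-session key."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def radius_reveal_password(hidden, shared_secret, request_authenticator):
    """Inverse of the above; anyone who holds S (or a sniffer that guesses it) can run this."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding is indistinguishable from trailing NULs in the password

def radius_response_authenticator(code, identifier, attributes, request_authenticator, shared_secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The client checks this so a spoofed Access-Accept from a host without S is rejected."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + shared_secret).digest()

def guess_radius_secret(candidates, hidden, request_authenticator, known_password):
    """Offline attack on a weak shared secret: one captured Access-Request plus one known
    password (say, the attacker's own account) lets each candidate be tested silently."""
    for secret in candidates:
        if radius_reveal_password(hidden, secret, request_authenticator) == known_password:
            return secret
    return None

def tacacs_plus_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_(n-1)), concatenated and truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_plus_obfuscate(body, session_id, key, version, seq_no):
    """XOR the whole packet body (user names, passwords, commands) with the pad; self-inverse."""
    pad = tacacs_plus_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))
```

The contrast to take away: in RADIUS only the password attribute goes through radius_hide_password, so user names, NAS addresses, and every other attribute are readable on the wire; in TACACS+ the entire body goes through tacacs_plus_obfuscate. Both designs rest on MD5 and a static shared secret, which is why guess_radius_secret works against a short secret and why both protocols should be wrapped in IPsec or TLS rather than trusted on a shared network.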
OAuth
Open Authorization (OAuth) is a common method for authorizing websites or applications to access information. It allows users to share information with third-party applications without handing those applications their password. Do not confuse it with OATH, the Initiative for Open Authentication, a separate industry body that standardized the HOTP and TOTP one-time-password algorithms discussed in the next section.
OAuth is designed to work with HTTP and allows access tokens to be issued to third-party clients with the approval of the resource owner. Thus a resource owner, such as a social media website user, can authorize a third party to access his or her data. The current version, OAuth 2.0 (RFC 6749), names four roles: the resource owner, the client (the third-party application), the authorization server that issues tokens, and the resource server that accepts them. OAuth by itself is an authorization framework: an access token says what the client may do, not who the user is, which is why OpenID Connect was later layered on top of it for authentication.
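The authorization-code grant as a worked exchange between all four roles, added here as an illustration and not taken from the book or from any OAuth library. The client identifier photo-printer, its secret, the redirect URI, the user dana, and her posts are constructed; PKCE, refresh tokens, and the actual HTTP layer are left out so the checks that matter are visible: exact redirect URI matching, the state value that binds the callback to the request that started it, single-use short-lived codes, client authentication at the token endpoint, and scope enforcement at the resource server.

```python
import secrets

class AuthorizationServer:
    """RFC 6749 section 4.1 authorization-code grant, in memory and simplified."""
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, scope, state, resource_owner, approved, now):
        """Authorization endpoint, reached after the resource owner logged in and saw the consent page.
        Returns the query parameters that would be sent back to the client's redirect URI."""
        c = self.clients.get(client_id)
        if c is None or c["redirect_uri"] != redirect_uri:  # exact match: never send a code to an unregistered URI
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": resource_owner, "scope": scope, "exp": now + 600}
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Token endpoint: authenticate the client, then redeem the code exactly once."""
        c = self.clients.get(client_id)
        if c is None or not secrets.compare_digest(c["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop, so a replayed code fails
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or now > grant["exp"]):
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": grant["user"], "scope": grant["scope"], "exp": now + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, token, now):
        info = self.tokens.get(token)
        return info if info and now <= info["exp"] else None

class ResourceServer:
    def __init__(self, authz, records):
        self.authz, self.records = authz, records

    def read_posts(self, bearer_token, now):
        info = self.authz.introspect(bearer_token, now)
        if info is None:
            raise PermissionError("invalid_token")
        if "posts:read" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.records[info["user"]]

class ThirdPartyClient:
    def __init__(self, authz, client_id, client_secret, redirect_uri):
        self.authz, self.client_id, self.secret, self.redirect_uri = authz, client_id, client_secret, redirect_uri
        self.pending_state = None

    def start(self):
        self.pending_state = secrets.token_urlsafe(16)  # tied to the browser session in a real client
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": "posts:read", "state": self.pending_state, "response_type": "code"}

    def callback(self, params, now):
        if params.get("state") != self.pending_state:  # CSRF check: we did not ask for this code
            raise ValueError("state mismatch")
        if "error" in params:
            raise PermissionError(params["error"])
        reply = self.authz.token(self.client_id, self.secret, params["code"], self.redirect_uri, now)
        return reply["access_token"]

def run_flow(approved=True, tamper_state=False, replay_code=False, now=1_700_000_000):
    """Constructed scenario: a photo-printing service asks to read dana's social media posts."""
    authz = AuthorizationServer()
    authz.register_client("photo-printer", "s3cret", "https://printer.example/cb")
    social = ResourceServer(authz, {"dana": ["post 1", "post 2"]})
    client = ThirdPartyClient(authz, "photo-printer", "s3cret", "https://printer.example/cb")
    req = client.start()
    params = authz.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                             req["state"], "dana", approved, now)
    if tamper_state:
        params["state"] = "attacker-chosen"
    token = client.callback(params, now)
    if replay_code:
        authz.token("photo-printer", "s3cret", params["code"], "https://printer.example/cb", now)
    return social.read_posts(token, now)

def fails_with(exc, **kwargs):
    try:
        run_flow(**kwargs)
    except exc:
        return True
    return False
```

The resource server never learns dana's password and can only do what posts:read allows; revoking the entry in tokens cuts the third party off without touching her credentials. That separation is the whole point of issuing tokens instead of sharing passwords.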
One-Time Passwords
As the name suggests, these can be used one time and never again. A common application is the time-based one-time password (TOTP, RFC 6238): the authenticator app or token and the server both derive the password from a shared secret and the current time, so it is only good for a short time step (commonly 30 seconds), and once accepted the server must refuse it again within that step. Bank websites often send a code to your phone when you need to reset your password, and you have a limited time to log in and change it. That code is a one-time password, but it is one the server generated and delivered out of band rather than a TOTP computed on both sides from a shared secret, and SMS delivery is exposed to SIM-swap and interception attacks that an authenticator app is not.
Another variation is the keyed-hash message authentication code (HMAC)-based one-time password (HOTP, RFC 4226), which replaces the time value with a counter that both sides increment; TOTP is in fact HOTP with the counter set to the number of time steps elapsed. HOTP is often used in physical tokens, which we will discuss later in this chapter. Hashes, message authentication codes (MACs), and HMAC will be discussed in detail in Chapter 8.
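HOTP and TOTP as they are actually computed, plus the server-side verifier that makes a code genuinely one-time. This is an added example written for this page (not from the book or from any authenticator product); it follows RFC 4226 and RFC 6238 directly and is checked against the test vectors published in those RFCs, which use the ASCII secret 12345678901234567890. The verifier's step size, drift window, and the sample timestamps are assumptions.

```python
import hmac
import struct
import time

def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret, unix_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the number of whole time steps since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algorithm)

class TotpVerifier:
    """Server side. Three things the generator alone does not give you: constant-time
    comparison, a small window of steps to absorb clock drift, and refusal to accept any
    step at or before the last accepted one, so a code cannot be replayed inside its step."""
    def __init__(self, secret, step=30, digits=6, window=1, algorithm="sha1"):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algorithm = window, algorithm
        self.last_accepted_step = -1

    def verify(self, code, unix_time):
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False

RFC_SECRET = b"12345678901234567890"  # the test-vector secret from RFC 4226 / RFC 6238

if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(RFC_SECRET, c))
    print("TOTP now ->", totp(RFC_SECRET))
```

Because the verifier remembers last_accepted_step rather than the code string, a second submission of a valid code within the same 30-second step is refused, and so is any older step, while a code from the previous step (a client whose clock runs slightly behind) is still accepted once.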
SAML
Security Assertion Markup Language (SAML) is an XML-based markup language. It uses tags, but rather than defining web page elements (as HTML does), it defines security assertions about a subject: who authenticated, how and when, and what attributes or entitlements they hold.
SAML is used to exchange authentication and authorization information between identity providers and service providers. It is often used in web browser single sign-on implementations. The identity provider digitally signs each assertion, and the service provider must verify that signature and check the assertion's audience and validity window before trusting it; skipping those checks is the classic way a SAML deployment ends up accepting forged or replayed logins.
Shibboleth is a single sign-on system used widely on the Internet, particularly among universities and research institutions. The name derives from a Bible story (Judges 12) in which the word shibboleth was used as a password. The Shibboleth system uses SAML.
OpenID
OpenID is an authentication service often provided by a third party (the identity provider), and it can be used to sign into any website that accepts OpenID. The current form, OpenID Connect, is an identity layer built on top of OAuth 2.0: it adds a signed ID token that tells the relying party who the user is, which an OAuth access token on its own does not.
Install and Configure Identity and Access Services
There are several approaches to access control, each with its own strengths and weaknesses. In this section, we will review access control methodologies.
Mandatory Access Control
Mandatory access control (MAC) is a relatively inflexible method for how information access is permitted. In a MAC environment, all access capabilities are predefined. Users can't share information unless their rights to share it are established by administrators. Consequently, administrators must make any changes that need to be made to such rights. This process enforces a rigid model of security, but it is also considered the most secure of the models discussed here, because a user (or malware running as that user) cannot grant access that the policy forbids.
For a MAC model to work effectively, administrators and network designers must think relationships through carefully in advance of implementation. The advantage of this model is that security access is well established and well defined, making security breaches easier to investigate and correct. A well-designed MAC model can make the job of information control easier and can essentially lock down a network. The major disadvantages of this model are its lack of flexibility and the fact that access needs change over time while every change must go through an administrator. When administrative staff cannot keep up with those changes, the model becomes hard to maintain.
This model is used in environments where confidentiality is a driving force. It often employs government and military classifications (labels), such as Top Secret and others.
Discretionary Access Control
In a discretionary access control (DAC) model, network users have some flexibility regarding how information is accessed. This model allows users to share information dynamically with other users. The method allows for a more flexible environment, but it increases the risk of unauthorized disclosure of information. Administrators have a more difficult time ensuring that information access is controlled and that only appropriate access is issued.
A classic example of DAC is the permission structure for files in the Unix/Linux environment. All permissions in this operating system fall within three classes of users: owner, group, and other. The owner and the file's group are checked first, and whoever is neither the owner nor a member of the file's group falls within the category of other.
The permissions for each class are set separately and, with very few special exceptions, are a combination of read, write, and execute. Exactly one class applies to a given user: the owner gets the owner permissions even when the group or other permissions would be more generous. Within this environment, you can create a database file and give yourself (owner) permission to read and write, give other admins (group) only read permission, and not give any permission to those not in admin (other). Because the control is discretionary, the owner can change those permissions at any time with chmod, which is exactly what makes DAC flexible and harder to police.
You could just as easily create a script file that cleans up log files and frees space on a workstation. To do this, you would give yourself (owner) all rights, give other admins (group) the ability to read and execute, and give basic users (other) the right only to execute. One caveat: execute-only works for compiled binaries, but a shell or Python script is read by its interpreter running as the invoking user, so users with execute but not read permission will get a permission-denied error when they try to run it.
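The Unix decision rule from the two scenarios above, written out as a function so the class-selection order and the execute-only caveat can be checked rather than described. This is an added example for this page, not code from the book or from any kernel; the user IDs, the admins group ID, and the two modes (0640 for the database file, 0751 for the script) are constructed to match the text.

```python
def unix_access(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix DAC check for a non-root process.
    Exactly one permission class applies, chosen in the order owner, group, other;
    a permissive group or other entry never rescues an owner whose own bits deny access."""
    if uid == file_uid:
        bits = (mode >> 6) & 0o7
    elif file_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bool(bits & {"r": 4, "w": 2, "x": 1}[want])

def can_run(mode, file_uid, file_gid, uid, gids, interpreted):
    """A compiled binary needs only x. A #! script is opened and read by its interpreter,
    which runs as the caller, so execute-only (mode --x) is not enough: r is needed too."""
    ok = unix_access(mode, file_uid, file_gid, uid, gids, "x")
    if interpreted:
        ok = ok and unix_access(mode, file_uid, file_gid, uid, gids, "r")
    return ok

# Constructed identities for the scenarios in the text (assumed uid/gid values).
ALICE, BOB, CAROL = 1000, 1001, 1002   # owner, fellow admin, basic user
ADMINS = 500
DB_MODE = 0o640      # owner rw-, group r--, other ---
SCRIPT_MODE = 0o751  # owner rwx, group r-x, other --x

def scenarios():
    """Each entry is one question from the text, answered by the decision rule."""
    return {
        "alice_writes_db": unix_access(DB_MODE, ALICE, ADMINS, ALICE, {ALICE}, "w"),
        "bob_reads_db": unix_access(DB_MODE, ALICE, ADMINS, BOB, {BOB, ADMINS}, "r"),
        "bob_writes_db": unix_access(DB_MODE, ALICE, ADMINS, BOB, {BOB, ADMINS}, "w"),
        "carol_reads_db": unix_access(DB_MODE, ALICE, ADMINS, CAROL, {CAROL}, "r"),
        "bob_runs_script": can_run(SCRIPT_MODE, ALICE, ADMINS, BOB, {BOB, ADMINS}, interpreted=True),
        "carol_runs_binary": can_run(SCRIPT_MODE, ALICE, ADMINS, CAROL, {CAROL}, interpreted=False),
        "carol_runs_script": can_run(SCRIPT_MODE, ALICE, ADMINS, CAROL, {CAROL}, interpreted=True),
        # owner bits win even when they are the most restrictive: mode 0070 locks the owner out
        "owner_locked_out_by_own_bits": unix_access(0o070, ALICE, ADMINS, ALICE, {ALICE, ADMINS}, "r"),
    }
```

The last entry is the one that surprises people: alice is in the admins group, and the group class would let her read, but because she is the owner only the owner bits are consulted. The same selection rule is why giving "other" more than "group" does not widen what group members can do.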
Role-Based Access Control
Role-based access control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available. RBAC models provide more flexibility than the MAC model and less flexibility than the DAC model. They do, however, have the advantage of being strictly based on job function as opposed to individual needs.
Instead of thinking "Denise needs to be able to edit files," RBAC uses the logic "Editors need to be able to edit files" and "Denise is a member of the Editors group." This model is especially well suited to an environment in which there is high employee turnover, because a departure or transfer is handled by changing role membership rather than by hunting down individually granted permissions.
This is also sometimes called group-based control or group-based permissions. Essentially, Windows operating systems work in this fashion. Your permissions on a Windows-based domain are determined by the group(s) into which you are placed. These groups are, in effect, roles.
Rule-Based Access Control
Rule-based access control (RBAC) uses the settings in preconfigured security policies to make all decisions. These rules can be to
· Deny all but those who specifically appear in a list (an allow list)
· Deny only those who specifically appear in the list (a true deny list)
Entries in the list may be usernames, IP addresses, hostnames, or even domains. Rule-based models are often used in conjunction with role-based models to add greater flexibility.
The easiest way to implement rule-based access control is with access control lists (ACLs), discussed later in this chapter. ACLs create the rules by which the access control model functions.
ABAC
Attribute-based access control (ABAC) is a relatively new method for access control. It is defined in NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. According to that publication:
A logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.
Essentially, the access control mechanism looks at subjects that are attempting to access a given object but considers all of the various attributes associated with the subject and object in making the access control decision. A subject is an active entity (generally an individual, process, or device). An object is some resource that the subject is attempting to access. Attributes are characteristics that define specific aspects of the subject, object, environment conditions, and/or requested actions that are predefined and preassigned by an authority.
If, for example, a traveling sales representative is attempting to access customer records on a company network, an ABAC system would not only look at the sales rep's access rights, but also at the entire scenario. Is the rep logging in from a machine or a location that he or she has not used before? Is the rep logging in at an unusual time? What is the rep attempting to do? The sales rep might be given access to read files, but not to edit or delete files. In essence, ABAC is a more robust access control methodology that examines the entire scenario in making access control decisions.
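The sales-rep scenario as a small policy engine, added here to show how an ABAC decision is actually assembled from subject, action, resource, and environment attributes. This is illustrative code for this page, not from NIST SP 800-162 or from any policy product such as an XACML engine; the attribute names, the rule set, the device identifiers, and the business-hours window are assumptions. Role is just one attribute among several, which is how ABAC subsumes the RBAC decision described in the previous section.

```python
from dataclasses import dataclass

@dataclass
class Request:
    subject: dict      # attributes of the caller: role, region, enrolled devices
    action: str        # read, edit, or delete
    resource: dict     # attributes of the object: type, region
    environment: dict  # conditions at decision time: device in use, hour of day

@dataclass
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    conditions: list   # predicates over the Request; all must hold for the rule to match

def evaluate(policy, req):
    """First applicable rule wins; if nothing applies the answer is deny (deny by default)."""
    for rule in policy:
        if all(cond(req) for cond in rule.conditions):
            return rule.effect, rule.name
    return "deny", "default-deny"

def known_device(r):
    return r.environment["device_id"] in r.subject["enrolled_devices"]

def usual_hours(r):
    return 7 <= r.environment["hour"] < 20

def same_region(r):
    return r.resource["region"] == r.subject["region"]

def is_sales(r):
    return r.subject["role"] == "sales"

def is_customer_record(r):
    return r.resource["type"] == "customer_record"

CUSTOMER_RECORDS_POLICY = [
    # Explicit denies come first so a later permit cannot override them.
    Rule("deny-changes-from-unenrolled-device", "deny",
         [lambda r: r.action in ("edit", "delete"), lambda r: not known_device(r)]),
    Rule("deny-deletes-by-sales", "deny", [is_sales, lambda r: r.action == "delete"]),
    Rule("sales-read-own-region", "permit",
         [is_sales, lambda r: r.action == "read", is_customer_record, same_region]),
    Rule("sales-edit-own-region-in-hours", "permit",
         [is_sales, lambda r: r.action == "edit", is_customer_record,
          same_region, known_device, usual_hours]),
]

# Constructed traveling sales rep and record; every value here is an assumption.
REP = {"id": "u42", "role": "sales", "region": "EMEA", "enrolled_devices": {"lap-0042"}}
RECORD = {"type": "customer_record", "region": "EMEA"}

def decide(action, device_id, hour, subject=REP, resource=RECORD):
    """Returns (effect, name of the rule that decided it)."""
    req = Request(subject, action, resource, {"device_id": device_id, "hour": hour})
    return evaluate(CUSTOMER_RECORDS_POLICY, req)
```

Returning the rule name alongside the effect is deliberate: an ABAC denial that cannot be traced to a specific rule is nearly impossible to troubleshoot, and the "default-deny" label distinguishes a policy gap from an explicit block.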
Smartcards
Smartcards are generally used for access control and security purposes. The card itself usually contains a small amount of memory that can be used to store permissions and access information.
Smartcards are difficult to counterfeit, but they’re easy to steal. Once a thief has a smartcard, they have access to all that the card allows. To prevent this, many organizations don’t put any identifying marks on their smartcards, making it harder for someone to use them. A password or PIN is required to activate most smartcards, and encryption is employed to protect the contents. With many smartcards, if you enter the wrong PIN multiple times (usually three), the card will shut down to enhance security further.
Many European countries adopted chip cards (the EMV standard, commonly called chip-and-PIN) in place of magnetic-strip credit cards because the chip can perform cryptographic operations that a magnetic strip, which is simply copied, cannot. The United States moved in this direction later and has not fully implemented chip-and-PIN, often using chip-and-signature instead.
Smartcards are now sometimes implemented as proximity cards. These cards have an RFID (radio frequency identification) chip that will transmit authentication information when the card is in range of a reader. Contactless operation is convenient, but a card that answers any reader in range can be read or relayed without the holder's knowledge, so the card should answer with a PIN-gated or challenge-response cryptographic proof rather than simply emitting a static identifier.
There are two main types of smartcards: common access cards and personal identification verification cards. We will discuss these smartcards in the following sections.
Common Access Card
The first type of smartcard is the common access card (CAC). These cards are issued by the Department of Defense (DoD) as a general identification/authentication card for military personnel, contractors, and non-DoD employees. A picture appears on the front of the card with an integrated chip beneath and a barcode. A magnetic strip and another barcode appear on the back of the card.
A CAC is used for accessing DoD computers, signing email, and implementing PKI (public key infrastructure). In 2008, the most recent year for which data is available, over 17 million cards had been issued. You can find current information on the CAC here: www.cac.mil .
Personal Identification Verification Card
What the CAC is for military employees, the personal identity verification (PIV) card (referenced by CompTIA as personal identification verification card) is to federal employees and contractors. Per Homeland Security Presidential Directive 12 (HSPD-12), and as specified technically in FIPS 201, the PIV is required of U.S. government employees and contractors. The PIV is used to gain access (physical and logical) to government resources.
Tokens
A token is some physical device that is used to gain access. It could be a wireless keycard, a key fob, or any physical device. These are sometimes called security tokens. Tokens often contain a digital certificate and the matching private key, and the certificate is used to authenticate the user. There are software implementations of tokens, but the original meaning of the term was a hardware device.
Software-based security tokens supply the something-you-have factor of two-factor authentication without dedicated hardware. The token is stored on the device (a phone or laptop) and used to authenticate the user. It can be as simple as a password in an encrypted file, or perhaps a digital certificate; because it is only a file, it is easier to copy than a hardware token, and that is the main security trade-off.
There are many ways that a token could operate. It might hold a stored password, simply called a static password token. Another method is to rotate through passwords based on some algorithm; the token and the authentication server use synchronized clocks to determine which password should be used at what time (the TOTP approach). There are also one-time passwords generated from a counter that both sides increment (the HOTP approach). The last type of token is a challenge-response token. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with the token's public key; the device proves it possesses the matching private key by returning the decrypted challenge. Because the private key never leaves the token, an attacker who records the exchange learns nothing reusable, which is the advantage over any scheme that transmits a password.
File and Database Security
Maintaining security of your network will necessitate maintaining security of your most sensitive data. That is usually going to be on a file or database server. When an attacker breaches your network or an insider seeks data to exfiltrate, the most likely target will be either file or database servers.
Much of the security discussed in this chapter already is applicable to file and database servers. For example, both types of servers should have their own firewall, and the logs of that firewall should be reviewed periodically. Both types of servers should have an HIDS, and the log for that HIDS should be reviewed periodically. And, of course, any server (any computer at all) should have antivirus.
The authentication and access control methods discussed in this chapter are also applicable to file and database servers. It is critical that you limit access to these servers to a need-to-know basis. It is also important that any user with access can only access as much as they need to perform their job tasks, that is, the principle of least privilege.
Summary
This chapter introduced you to a number of tools that you can use to gather data about your network. For the Security+ exam, you should be able to define the tool types, such as vulnerability scanners and password crackers. For your job duties as a security administrator, you should be able to utilize several of these tools. The command-line tools also comprise common test questions on the Security+ exam.
Next the chapter examined troubleshooting configuration issues. This is a very broad topic, and no single chapter could fully address it. The main point to understand is that if your security devices and services are not properly configured, that misconfiguration is itself a security vulnerability.
This chapter introduced a number of security technologies and explained how to view their output. That includes IDS, firewall, antivirus, and other related technologies. You should be familiar with how to view outputs from these systems.
The chapter also addressed access control and identity management. The key difference between identification and authentication is that identification is the claim (a username, a badge number) that someone is a particular individual, whereas authentication is the proof that the person presenting that claim really is that individual.
The most basic form of authentication is known as single-factor authentication (SFA), because only one set of values is checked. To increase security, it is necessary to use multifactor authentication, which involves two or more values that are checked.
This chapter examined the various types of authentication services in use, including RADIUS and different variations of TACACS. It also looked at tunneling protocols, smartcards, and other means of access control.
ACLs are implemented in network devices and systems to control which systems and users may access a resource. ACLs allow individual systems, users, or IP addresses to be permitted or denied.
Exam Essentials
Be able to describe the various tools. Understand vulnerability scanners, port scanners, password crackers, and related tools. Know conceptually how they function. Be very familiar with command-line tools such as ipconfig, ping, and arp.
Understand configuration issues. Proper configuration of all security and network devices is essential and will be on the exam. You should also have a general idea of how to read and interpret output from security devices.
Be able to describe the access control models. The four primary models are MAC, DAC, and RBAC (both types of RBAC), with ABAC as a newer fifth. Mandatory access control (MAC) establishes rigid access control methods in the organization. Discretionary access control (DAC) allows for flexibility in access control. Role-based access control (RBAC) is based on the role the individual or department has in the organization. In a fourth type, rule-based access control (RBAC), settings in preconfigured security policies are used to make all decisions. Attribute-based access control (ABAC) evaluates attributes of the subject, object, requested action, and environment against policy.
Explain the relative advantages of the technologies available to you for authentication. You have many tools available to you to help establish authentication processes. Some of these tools start with a password and user ID. Others involve physical devices or the physical characteristics of the person who is requesting authentication.
Understand least privilege. Least privilege states that when assigning permissions, you should give users only the permissions they need to do their work and no more. The biggest benefit to following this policy is the reduction of risk.