Make a function call to a network-based authentication service
How a User Should Treat Userids and Passwords:
Keep a secret
Do not share with others
Do not leave written down where someone else can find it
Store in an encrypted file or vault
  Use RoboForm
How a System Stores Userids and Passwords:
Typically stored in a database table
  Application database or authentication database
Userid stored in plaintext
  Facilitates lookups by others
Password stored encrypted or hashed
  If encrypted, can be retrieved under certain conditions
    “Forgot password” function, application emails to user
  If hashed, cannot be retrieved under any circumstance (best method)
Password Hashes:
Cain, Cracker top tab, right-click empty space, Add to List
LM hash is weak, no longer used in Win 7
NT hash is stronger, but not salted
Strong Authentication:
Traditional userid + password authentication has known weaknesses
  Easily guessed passwords
  Disclosed or shared passwords
Stronger types of authentication available, usually referred to as “strong authentication”
  Token
  Certificate
  Biometrics
Two-Factor Authentication:
First factor: what user knows
Second factor: what user has
  Password token
  USB key
  Digital certificate
  Smart card
Without the second factor, user cannot log in
  Defeats password guessing / cracking
Biometric Authentication:
Stronger than userid + password
Stronger than two-factor?
  Can be hacked
Measures a part of user’s body
  Fingerprint
  Iris scan
  Signature
  Voice
Authentication Issues:
Password quality
Consistency of user credentials across multiple environments
Too many userids and passwords
Handling password resets
Dealing with compromised passwords
Staff terminations
Access Control Technologies:
Centralized management of access controls
  LDAP
    Active Directory, Microsoft's LDAP
  RADIUS
    Diameter, upgrade of RADIUS
  TACACS
    Replaced by TACACS+ and RADIUS
  Kerberos
    Uses tickets
Single Sign-On (SSO):
Authenticate once, access many information systems without having to re-authenticate into each
Centralized session management
Often the “holy grail” for identity management
Harder in practice to achieve – integration issues
Reduced Sign-On (RSO):
Like single sign-on (SSO), single credential for many systems
But… no inter-system session management
User must log into each system separately, but they all use the same userid and password
Weakness of SSO and RSO:
Weakness: intruder can access all systems if password is compromised
Best to combine with two-factor / strong authentication
Access Control Attacks:
Intruders will try to defeat, bypass, or trick access controls in order to reach their target
Attack objectives:
  Guess credentials
  Malfunction of access controls
  Bypass access controls
  Replay known good logins
  Trick people into giving up credentials
Buffer Overflow:
Cause malfunction in a way that permits illicit access
Send more data than application was designed to handle properly
  “Excess” data corrupts application memory
    Execution of arbitrary code
    Malfunction
Countermeasure: “safe” coding that limits length of input data; filter input data to remove unsafe characters
Script Injection:
Insertion of scripting language characters into application input fields
Execute script on server side
  SQL injection – obtain data from application database
Execute script on client side – trick user or browser
  Cross-site scripting
  Cross-site request forgery
Countermeasures: strip “unsafe” characters from input
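An added example, not from these notes, covering the two input-handling countermeasures above: a length limit on input fields (the "safe coding" point under Buffer Overflow) and, for script injection, a string-concatenated SQL lookup shown beside its parameterised replacement, plus HTML escaping for the client-side case. The in-memory SQLite table, the userids and the injection string are constructed for the demo; the 64-character limit is an assumed field size.

```python
import html
import sqlite3
from typing import List, Tuple

MAX_FIELD_LEN = 64  # assumed field size: the "limit length of input data" countermeasure


def bounded(value: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Reject input longer than the field was designed for. Raising (rather than
    silently truncating) makes oversized input visible to the caller and its logs."""
    if len(value) > max_len:
        raise ValueError("input exceeds %d characters" % max_len)
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample application database; these are not real users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, userid: str) -> List[Tuple[str, str]]:
    """Query built by string concatenation: quote characters in the input become
    part of the SQL. Kept only to contrast with lookup_safe below."""
    sql = "SELECT userid, secret FROM users WHERE userid = '" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, userid: str) -> List[Tuple[str, str]]:
    """Parameterised query: the value travels separately from the SQL text, so
    no character in it can change the query's structure."""
    return conn.execute("SELECT userid, secret FROM users WHERE userid = ?",
                        (bounded(userid),)).fetchall()


def render_greeting(userid: str) -> str:
    """Client-side counterpart: escape user data before placing it in HTML so a
    <script> tag in a userid is displayed as text instead of executed."""
    return "<p>Welcome, " + html.escape(bounded(userid)) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection string for the demo
    print("concatenated :", lookup_vulnerable(conn, payload))  # both rows: WHERE rewritten
    print("parameterised:", lookup_safe(conn, payload))        # no rows: literal userid
    print(render_greeting("<script>alert(1)</script>"))
```

Parameterisation is the stronger server-side control: stripping "unsafe" characters depends on guessing every character the database will treat as syntax, whereas a bound parameter is never parsed as SQL at all. Escaping on output, as in render_greeting, plays the same role for the browser.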
Data Remanence:
Literally: data that remains after it has been “deleted”
Examples
  Deleted hard drive files
  Data in file system “slack space”
  Erased files
  Reformatted hard drive
  Discarded / lost media: USB keys, backup tapes, CDs
Countermeasures: improve media physical controls
Denial of Service (DoS):
Actions that cause target system to fail, thereby denying service to legitimate users
  Specially crafted input that causes application malfunction
  Large volume of input that floods application
Distributed Denial of Service (DDoS)
  Large volume of input from many (hundreds, thousands) of sources
Countermeasures: input filters, patches, high capacity
Dumpster Diving:
Literally, going through company trash in the hope that sensitive printed documents were discarded and can be retrieved
  Personnel reports, financial records
  E-mail addresses
  Trade secrets
  Technical architecture
Countermeasures: on-site shredding
Eavesdropping:
Interception of data transmissions
  Login credentials
  Sensitive information
Methods
  Network sniffing (maybe from a compromised system)
  Wireless network sniffing
Countermeasures: encryption, stronger encryption
Emanations:
Electromagnetic radiation that emanates from computer equipment
  Network cabling
    More prevalent in networks with coaxial cabling
  CRT monitors
  Wi-Fi networks
Countermeasures: shielding, twisted-pair network cable, LCD monitors, lower power or eliminate Wi-Fi
Spoofing and Masquerading:
Specially crafted network packets that contain a forged address of origin
  TCP/IP protocol permits forged MAC and IP addresses
  SMTP protocol permits forged e-mail “From” address
Countermeasures: router / firewall configuration to drop forged packets, judicious use of e-mail for signaling or data transfer
Social Engineering:
Tricking people into giving out sensitive information by making them think they are helping someone
Methods
  In person
  By phone
Schemes
  Log-in, remote access, building entrance help
Countermeasures: security awareness training
Phishing:
Incoming, fraudulent e-mail messages designed to give the appearance of origin from a legitimate institution
  “Bank security breach”
  “Tax refund”
  “Irish sweepstakes”
Tricks user into providing sensitive data via a forged web site (common) or return e-mail (less common)
Countermeasure: security awareness training
Pharming:
Redirection of traffic to a forged website
  Attack on DNS server (cache poisoning, other attacks)
  Attack on “hosts” file on client system
  Often, a phishing e-mail to lure user to forged website
  Forged website has appearance of the real thing
Countermeasures: user awareness training, patches, better controls
Password Guessing:
Trying likely passwords to log in as a specific user
  Common words
  Spouse / partner / pet name
  Significant dates / places
Countermeasures: strong, complex passwords, aggressive password policy, lockout policy
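An added example, not from these notes, of the two password-guessing countermeasures named above: a lockout policy that caps failed attempts per userid inside a rolling window, and a complexity check that rejects short passwords, passwords containing the userid, and passwords built from common words or names. The thresholds (5 failures in 15 minutes, 30-minute lock), the small common-word list and the demo credentials are all constructed values for the example.

```python
from collections import deque
from typing import Deque, Dict

MAX_FAILURES = 5            # lockout policy: failures allowed inside the window (assumed)
WINDOW_SECONDS = 15 * 60    # rolling window in which failures are counted (assumed)
LOCKOUT_SECONDS = 30 * 60   # how long a locked account stays locked (assumed)

# Constructed list of guessable words and names; a real deployment would use a
# large breached-password list instead.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "123456", "summer", "fluffy")


class LockoutPolicy:
    """Counts failed logins per userid in a rolling window and locks the account
    once the threshold is reached, so online guessing is limited to a few tries."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, userid: str, now: float) -> bool:
        return self._locked_until.get(userid, 0.0) > now

    def record_failure(self, userid: str, now: float) -> bool:
        """Record one failed attempt; returns True if this attempt triggered a lockout."""
        q = self._failures.setdefault(userid, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures that have aged out
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[userid] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def record_success(self, userid: str) -> None:
        self._failures.pop(userid, None)


def password_is_strong(password: str, userid: str, min_len: int = 12) -> bool:
    """Complexity policy: minimum length, at least three of four character classes,
    must not contain the userid, must not contain a common word or name."""
    if len(password) < min_len:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        return False
    lowered = password.lower()
    if userid.lower() in lowered:
        return False
    return not any(word in lowered for word in COMMON_WORDS)


def attempt_login(policy: LockoutPolicy, userid: str, password: str, now: float,
                  credentials: Dict[str, str]) -> str:
    """Returns 'locked', 'ok' or 'failed'. `credentials` maps userid to a plaintext
    password for the demo only; a real store holds salted hashes."""
    if policy.is_locked(userid, now):
        return "locked"
    if credentials.get(userid) == password:
        policy.record_success(userid)
        return "ok"
    policy.record_failure(userid, now)
    return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy()
    creds = {"bob": "Tr0ub4dor&3Chairs"}   # constructed demo credential
    for i in range(MAX_FAILURES):
        print(attempt_login(policy, "bob", "guess%d" % i, 1000 + i, creds))
    print(attempt_login(policy, "bob", "Tr0ub4dor&3Chairs", 1010, creds))  # locked
    print(password_is_strong("Tr0ub4dor&3Chairs", "bob"), password_is_strong("Bob!Secure99x", "bob"))
```

The lockout returns "locked" even for the correct password once the threshold is hit, which is the intended behaviour: an attacker who has been guessing does not get a free try just because the next guess happens to be right. The same property means an attacker can lock users out on purpose, so the lock duration is kept finite.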
Password Cracking:
Obtain / retrieve hashed passwords from target
Run password cracking program
  Runs on attacker’s system – no one will notice
Attacker logs in to target system using cracked passwords
Countermeasures: frequent password changes, controls on hashed password files, salting hash
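An added example, not from these notes, serving both the storage section earlier (password hashed rather than encrypted, so it cannot be retrieved; the NT hash is "not salted") and the "salting hash" countermeasure here. It stores a password as a salted, iterated PBKDF2-HMAC-SHA256 record, verifies against it, and shows with an audit helper what an unsalted store gives away: identical passwords produce identical hashes, so reuse across accounts is visible (and one cracked value covers all of them) before any cracking starts. PBKDF2 and the iteration count are assumptions of the example, SHA-256 stands in for the MD4 of the real NT hash, and the accounts are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

ITERATIONS = 210_000  # PBKDF2 work factor; an assumed value, raise it as hardware allows


def unsalted_hash(password: str) -> str:
    """Unsalted digest with the property the notes attribute to the NT hash
    (SHA-256 here in place of MD4). Equal passwords give equal hashes, so one
    precomputed table or one cracked value covers every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The record holds algorithm, iterations, salt and digest.
    The plaintext cannot be recovered from it, which is why a 'forgot password'
    feature on a hashed store must reset the password rather than e-mail it back."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_groups(hashes: Dict[str, str]) -> List[List[str]]:
    """Audit helper: groups userids whose stored value is identical. Against an
    unsalted store this reveals password reuse without cracking anything; against a
    per-user-salted store the same reuse produces no groups."""
    by_hash = defaultdict(list)
    for userid, h in hashes.items():
        by_hash[h].append(userid)
    return sorted(users for users in by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; "hunter2" is deliberately reused by two of them.
    plaintext = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
    unsalted = {u: unsalted_hash(p) for u, p in plaintext.items()}
    salted = {u: make_record(p) for u, p in plaintext.items()}
    print("reuse visible in unsalted store:", shared_password_groups(unsalted))
    print("reuse visible in salted store  :", shared_password_groups(salted))
    print("verify alice / hunter2:", verify("hunter2", salted["alice"]))
```

The salt defeats precomputed tables and forces a cracker to work per account; the iteration count makes each guess expensive. Neither replaces the other countermeasures listed, in particular restricting who can read the hashed password file in the first place.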
Malicious Code:
Viruses, worms, Trojan horses, spyware, key loggers
Harvest data or cause system malfunction
Countermeasures: anti-virus, anti-spyware, security awareness training