-
Use the security triad (CIA: confidentiality, integrity, availability)
-
When you apply it to access control you can define:
-
Objects: assets that require access control. An object is passive; it is acted upon.
-
Subjects: either humans or entities like systems, processes, and devices. Subjects are active; they require access to objects.
-
Access: anything a subject is permitted to do with or to an object.
NIST SP 800-63B is the best source to read: https://pages.nist.gov/800-63-3/sp800-63b.html
User/Subject and Resource/Object: subjects access objects.
Subject -> Reference Monitor -> Object (the reference monitor mediates every access and denies by default; anything not explicitly allowed is refused)
Don't consider only technical/logical security; physical and administrative controls are part of access control too.
Encryption can also be a form of access control (only holders of the key can read the object).
- Authorization
- Audit
- Accountability
- Identification
- Nonrepudiation
- Identify the entity attempting access
- Verify the identity (authenticate)
- Evaluate the rules (authorize)
- Log each access attempt, allowed or denied
- Review the logs (audit/accountability)
Types of controls (by function):
- Preventive
- Detective
- Corrective
- Directive
Windows uses Discretionary Access Control: an Access Control List (ACL) on each object, managed by the object's owner.
Mandatory Access Control: classify your information and give each user a clearance level; the system enforces the comparison, not the owner (think Bell-LaPadula or Biba).
Non-Discretionary Access Control: Role-Based and Rule-Based.
Role-Based Access Control: maps subjects to objects based on the user's role in the organization.
Rule-Based Access Control: based on a list of predefined rules (e.g., a firewall ruleset or time-of-day restrictions).
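To make the reference monitor idea concrete (Subject -> Reference Monitor -> Object, deny by default) together with the four models just listed, here is an added example in Python. It is not from the course notes or from any real operating system; the subjects, the salaries.xlsx object, the role table and the business-hours rule are all constructed. The monitor treats the MAC check as mandatory, lets a discretionary grant come from either the owner's ACL or an assigned role, and applies a rule on top, so a request must clear every applicable model or it is denied and logged.

```python
"""Toy reference monitor: every request goes through one decision point that
denies by default and combines the models above (DAC ACL, MAC labels, RBAC,
rule-based). Added example, not from the course notes; all names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# MAC lattice: higher number = more sensitive
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

@dataclass
class Subject:
    name: str
    clearance: str
    roles: Set[str] = field(default_factory=set)

@dataclass
class Obj:
    name: str
    owner: str
    classification: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: subject -> actions

# RBAC: role -> set of (object, action) permissions (constructed)
ROLE_PERMS = {
    "payroll_clerk": {("salaries.xlsx", "read")},
    "hr_manager": {("salaries.xlsx", "read"), ("salaries.xlsx", "write")},
}

def dac_allows(subj: Subject, obj: Obj, action: str) -> bool:
    """Discretionary: the owner has full control, everyone else only what the ACL grants."""
    return subj.name == obj.owner or action in obj.acl.get(subj.name, set())

def rbac_allows(subj: Subject, obj: Obj, action: str) -> bool:
    """Role-based: permission comes from the subject's roles, not from the owner."""
    return any((obj.name, action) in ROLE_PERMS.get(r, set()) for r in subj.roles)

def mac_allows(subj: Subject, obj: Obj, action: str) -> bool:
    """Mandatory (Bell-LaPadula): no read up, no write down. Unknown actions are denied."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.classification]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False

def rule_allows(action: str, hour: int) -> bool:
    """Rule-based: writes only during business hours (09:00-17:59); reads any time."""
    return action == "read" or 9 <= hour < 18

def reference_monitor(subj: Subject, obj: Obj, action: str, hour: int,
                      audit: List[Tuple]) -> bool:
    """Default deny: grant only if the mandatory policy, a discretionary or role
    grant, and the rule set all agree. Every attempt is logged, allowed or not."""
    checks = {
        "MAC": mac_allows(subj, obj, action),
        "DAC/RBAC": dac_allows(subj, obj, action) or rbac_allows(subj, obj, action),
        "RULE": rule_allows(action, hour),
    }
    decision = all(checks.values())
    failed = [name for name, ok in checks.items() if not ok]
    audit.append((subj.name, obj.name, action, hour, decision, failed))
    return decision

def demo() -> Tuple[Dict[str, bool], List[Tuple]]:
    """Constructed scenario: one CONFIDENTIAL file owned by alice."""
    audit: List[Tuple] = []
    alice = Subject("alice", "SECRET", {"hr_manager"})        # owner, cleared above the file
    bob = Subject("bob", "INTERNAL", {"payroll_clerk"})       # role grants read, clearance too low
    carol = Subject("carol", "CONFIDENTIAL")                  # only an ACL entry
    erin = Subject("erin", "CONFIDENTIAL", {"hr_manager"})    # same level as the file
    salaries = Obj("salaries.xlsx", owner="alice", classification="CONFIDENTIAL",
                   acl={"carol": {"read"}})
    results = {
        "alice_read": reference_monitor(alice, salaries, "read", 10, audit),
        "alice_write_down": reference_monitor(alice, salaries, "write", 10, audit),  # MAC blocks even the owner
        "bob_read_up": reference_monitor(bob, salaries, "read", 10, audit),          # MAC beats the RBAC grant
        "carol_acl_read": reference_monitor(carol, salaries, "read", 10, audit),
        "carol_write_no_grant": reference_monitor(carol, salaries, "write", 10, audit),
        "erin_write_hours": reference_monitor(erin, salaries, "write", 10, audit),
        "erin_write_after_hours": reference_monitor(erin, salaries, "write", 20, audit),
        "unknown_action": reference_monitor(alice, salaries, "execute", 10, audit),
    }
    return results, audit

if __name__ == "__main__":
    res, log = demo()
    for k, v in res.items():
        print(f"{k:24s} {'ALLOW' if v else 'DENY'}")
    for entry in log:
        print(entry)
```

Two outcomes are worth noticing: alice owns the file but still cannot write to it, because a SECRET subject writing to a CONFIDENTIAL object is a write down under Bell-LaPadula and the mandatory check is not the owner's to override; and the "execute" request is denied even though no rule mentions it, which is what default deny means in practice.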
Identification Must be
- unique
- content dependent
- Time bound
Identification is the basis for accountability: actions can only be tied back to a unique identifier.
- Sponsorship: an authorized entity sponsors the subject.
- Enrollment: initial provisioning of the identity.
- Credential production: done by the Credential Service Provider.
- Issuance: the credential is provided to the subject.
- Type 1: something the user or entity knows (a known secret, e.g., a password or PIN).
- Type 2: something the user has possession of (a token or smart card).
- Type 3: something the user is: a measurement of one of the user's biological characteristics (biometrics).
- Type 4: somewhere the user is (location).
Passwords are the cheapest factor to deploy but the easiest to crack or bypass.
- Passwords need policies for creation, change, and storage (store only salted, slow hashes, never plaintext).
- PINs fall into this same category.
- Something you know (password)
- Something you have (security token)
- Something you are (biometrics)
-
NIST SP 800-63-3 "Digital Identity Guidelines"
-
IAL 1: lowest level; the user self-asserts an identity and no proofing is done.
-
IAL 2: requires submission of identity evidence and proofing (remote or in person) by the Credential Service Provider (CSP). Frequently used in employment situations.
-
IAL 3: requires in-person (or supervised remote) proofing and a formal review of the evidence.
-
For Zero Trust, you need access control at every layer; being on the internal network grants nothing by itself.
-
Authentication is proving identity
-
Authorization is what they are allowed to do
Hashing proves integrity; a keyed hash (HMAC) or a digital signature is needed to also prove authenticity.
- Provisioning: granting access
- Deprovisioning: taking it away (promptly, on role change or departure)
Tokens:
- Synchronous: time-synchronized; the token and the server share a seed and compute the same code from the current time (e.g., TOTP), so both sides' clocks must stay in step.
- Asynchronous: challenge-response; the server sends a challenge, you key it into the token, and the token computes the response from the challenge and its secret.
Biometrics
- most expensive factor to deploy
- Look at the False Reject Rate (FRR, type 1 error) and the False Accept Rate (FAR, type 2 error) as the matching threshold is tightened or loosened; raising the threshold lowers FAR and raises FRR.
- Crossover Error Rate (CER) is where the two curves meet; a lower CER means a more accurate system.
- See pages 122 and 123 of 11th Hour for the different types
- A false accept is worse for security than a false reject: a false accept lets an impostor in, a false reject is a usability problem.
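The FAR/FRR/CER relationship above, worked through in Python as an added example (not from the notes). The genuine and impostor match scores are constructed, not measurements from any biometric product; the functions sweep a threshold, find the crossover, and then show what it costs in false rejects to drive false accepts to zero.

```python
"""FRR/FAR/CER worked through on constructed matcher scores. Added example, not
from the notes; the score lists are made up, not measurements from any product."""
from typing import List, Optional, Tuple

# Constructed similarity scores in [0, 1]: genuine users vs. their own template,
# and impostors vs. someone else's template. Higher = closer match.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.60, 0.93, 0.79, 0.87, 0.68]
IMPOSTOR = [0.15, 0.42, 0.55, 0.30, 0.61, 0.22, 0.48, 0.35, 0.70, 0.12]

def far(impostor: List[float], threshold: float) -> float:
    """False Accept Rate (type 2 error): impostors whose score clears the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(genuine: List[float], threshold: float) -> float:
    """False Reject Rate (type 1 error): genuine users whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)

def error_curve(genuine: List[float], impostor: List[float],
                steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0.00 .. 1.00. Raising the threshold
    pushes FAR down and FRR up; you cannot minimize both at once."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps))
            for i in range(steps + 1)]

def crossover(genuine: List[float], impostor: List[float],
              steps: int = 100) -> Tuple[float, float, float]:
    """Crossover Error Rate: the threshold where FAR and FRR are closest (equal if
    the curves cross on the grid). Lower CER = more accurate system."""
    return min(error_curve(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))

def threshold_for_max_far(genuine: List[float], impostor: List[float], max_far: float,
                          steps: int = 100) -> Optional[Tuple[float, float, float]]:
    """Security tuning: since a false accept is worse than a false reject, pick the
    lowest threshold that keeps FAR at or under max_far and accept the FRR cost."""
    for t, fa, fr in error_curve(genuine, impostor, steps):
        if fa <= max_far:
            return (t, fa, fr)
    return None

if __name__ == "__main__":
    t, fa, fr = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t:.2f}: FAR={fa:.2f} FRR={fr:.2f}")
    t, fa, fr = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"zero FAR needs threshold {t:.2f}, costing FRR={fr:.2f}")
```

With these constructed scores the curves cross at a threshold of 0.62 with FAR and FRR both at 10%; pushing FAR to zero requires a threshold of 0.71 and doubles the FRR to 20%. That trade is the point of the note that a false accept is the worse error: for a high-security door you tune past the CER and accept more complaints from legitimate users.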
- Kerberos: uses a Key Distribution Center (KDC) that runs an Authentication Service (AS) and a Ticket Granting Service (TGS).
- The client sends only its principal name to the Authentication Service; the AS replies with a session key (and a ticket) encrypted under a key derived from the user's password, so only someone who knows the password can decrypt it.
- The password itself is never sent over the wire.
- TACACS and TACACS+ (centralized authentication, authorization, and accounting protocols)
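The Kerberos point above (name goes out, password-encrypted material comes back, password never on the wire) as an added Python example. This is not from the notes or from any Kerberos implementation: the realm, principals and passwords are made up, PBKDF2 stands in for the real string-to-key function, and toy_encrypt/toy_decrypt are a SHA-256 keystream plus HMAC tag standing in for Kerberos encryption types. They are illustrative only, not production cryptography.

```python
"""Kerberos AS exchange, reduced to the point in the notes: the client sends
only its name, the KDC answers with material only the password holder can
decrypt, and the password itself never crosses the wire. Added example, not from
the notes or any Kerberos implementation. toy_encrypt/toy_decrypt are a
SHA-256-keystream-plus-HMAC stand-in for Kerberos encryption types; they are
illustrative only, not production cryptography."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

REALM = "EXAMPLE.COM"   # made-up realm

def string_to_key(password: str, principal: str) -> bytes:
    """Kerberos derives the long-term key from the password with a salt built from
    realm and principal; PBKDF2 stands in for the real string-to-key here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 50_000)

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))

class KDC:
    """Key Distribution Center: holds every principal's long-term key plus the
    TGS key, and runs the Authentication Service."""
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.tgs_key = secrets.token_bytes(32)   # krbtgt key; never leaves the KDC

    def enroll(self, principal: str, password: str) -> None:
        # Provisioning: the KDC stores the derived key, not the password.
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, as_req: dict) -> dict:
        """AS-REQ -> AS-REP. The request names the principal; nothing in it proves
        identity. The reply is useless to anyone who cannot derive the client key."""
        client_key = self.keys[as_req["cname"]]
        session_key = secrets.token_bytes(32)
        tgt = toy_encrypt(self.tgs_key, json.dumps(
            {"cname": as_req["cname"], "session_key": session_key.hex()}).encode())
        enc_part = toy_encrypt(client_key, json.dumps(
            {"session_key": session_key.hex(), "nonce": as_req["nonce"]}).encode())
        return {"tgt": tgt, "enc_part": enc_part}

def client_login(kdc: KDC, principal: str, password: str) -> Tuple[bytes, bytes]:
    """Client side. Returns (session_key, TGT) or raises if the password is wrong."""
    nonce = secrets.randbelow(2 ** 32)
    as_req = {"cname": principal, "nonce": nonce}            # no password field anywhere
    as_rep = kdc.as_exchange(as_req)
    key = string_to_key(password, principal)                  # derived locally, never sent
    part = json.loads(toy_decrypt(key, as_rep["enc_part"]))   # fails on a wrong password
    if part["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch (replay?)")
    return bytes.fromhex(part["session_key"]), as_rep["tgt"]

def tgt_session_key(kdc: KDC, tgt: bytes) -> bytes:
    """Only the TGS (holder of tgs_key) can open the TGT and read the session key."""
    return bytes.fromhex(json.loads(toy_decrypt(kdc.tgs_key, tgt))["session_key"])

if __name__ == "__main__":
    kdc = KDC()
    kdc.enroll("alice", "correct horse battery staple")
    sk, tgt = client_login(kdc, "alice", "correct horse battery staple")
    print("client and TGS agree on session key:", sk == tgt_session_key(kdc, tgt))
    try:
        client_login(kdc, "alice", "wrong password")
    except ValueError as e:
        print("wrong password:", e)
```

The residual risk this design carries is worth keeping in mind: anyone holding a copy of the reply can test password guesses offline against enc_part, so the password has to be strong and the key derivation slow, and real Kerberos adds pre-authentication so the KDC will not hand the reply to just anyone who names a principal.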
- Federation: trust between resource domains and account domains, so an identity authenticated in one is accepted by the other.
- uses PKI (the identity assertions are digitally signed)
- think web sites and single sign-on across organizations for this one
- Denial of Service
- Buffer Overflows
- for passwords: brute force and the use of rainbow tables
Brute force: systematically trying combinations of letters, numbers, and symbols against a password. Mitigated by long or complex passwords, account lockout or rate limiting, and slow password hashing.
Rainbow tables: precomputed tables of hash -> password that are compared against stolen hashes to recover the password. Defeated by salting each hash (and using a slow hash function).
Maintenance hooks: a backdoor left in for legitimate use (debugging, support) that ends up being abused.
Buffer overflows: writing past the end of a buffer to corrupt adjacent memory, often to alter control flow.
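The password storage note and the rainbow-table point above, shown side by side as an added Python example (not from the notes). The wordlist and the two users are constructed. The unsalted fast hash falls to a single precomputed lookup that works against every user at once; the salted PBKDF2 hash gives two different outputs for the same password and nothing in the table matches.

```python
"""Why unsalted fast hashes fall to precomputed (rainbow-style) lookups and salted
slow hashes do not. Added example, not from the notes; the wordlist and users are
constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed 'leaked wordlist' an attacker would precompute hashes for.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2024!", "iloveyou"]

def weak_store(password: str) -> str:
    """The bad pattern: one fast, unsalted hash. Equal passwords -> equal hashes,
    and the same precomputed table works against every user and every site."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Stand-in for a rainbow table: hash -> password, computed once, reused forever.
    (Real rainbow tables trade storage for recomputation with hash chains; the effect
    on an unsalted hash is the same.)"""
    return {weak_store(p): p for p in candidates}

def crack_weak(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored_hash)

def strong_store(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here;
    Argon2id, bcrypt or scrypt are equally valid). The salt makes precomputation
    useless and the iteration count makes each brute-force guess expensive."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo(iterations: int = 600_000) -> dict:
    """Two users who picked the same common password, stored both ways."""
    weak_db = {"ann": weak_store("letmein"), "raj": weak_store("letmein")}
    table = build_lookup_table(COMMON_PASSWORDS)
    strong_db = {u: strong_store("letmein", iterations) for u in ("ann", "raj")}
    return {
        "weak_hashes_identical": weak_db["ann"] == weak_db["raj"],
        "weak_cracked": {u: crack_weak(h, table) for u, h in weak_db.items()},
        "strong_hashes_identical": strong_db["ann"] == strong_db["raj"],
        # the table holds no entry that matches a salted hash
        "strong_cracked": {u: table.get(h.split("$")[-1]) for u, h in strong_db.items()},
        "strong_verifies": all(strong_verify("letmein", h) for h in strong_db.values()),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Salting alone only removes the precomputation shortcut; the attacker can still guess per user. That is why the iteration count (or Argon2 memory cost) matters as well, and why the lockout and rate-limiting controls from the brute-force note still apply at the login endpoint.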
Human Based Attacks
- the most successful attack class in the last few years
- guessing what the user may do or use
- shoulder surfing
- dumpster diving
- outright theft of something
- social engineering (such as phishing attacks)
Intrusion Detection Systems
- appliance or software
- detects suspicious traffic on the network and notifies you; it does not stop an attack. An IPS (Intrusion Prevention System) sits inline and can block the attack.
- Snort is a major open-source application for this.
- can be signature-based or behavior-based (anomaly-based). Signature-based matches known patterns; behavior-based builds a baseline of normal activity over time and then flags deviations from it.
Network-based IDS (NIDS) gets its data from captured packets; host-based IDS (HIDS) gets its data from logs and activity on the host.
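The signature vs. behavior distinction and the IDS vs. IPS distinction above, run over constructed web-server log lines as an added Python example. This is not from the notes and not Snort; the log lines, addresses and the two detection rules are made up, and "behavior" here is reduced to per-source request volume against a learned baseline.

```python
"""Signature-based vs. behavior-based detection over constructed web-server log
lines, plus the IDS/IPS distinction (report vs. drop). Added example, not from the
notes or from Snort; log lines, IPs, and rules are made up."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed baseline traffic (normal period) and live traffic (one noisy source).
TRAINING_LOG = """\
10.0.0.5 - - [10/Mar/2024:09:00:01] "GET /index.html HTTP/1.1" 200
10.0.0.5 - - [10/Mar/2024:09:00:09] "GET /about.html HTTP/1.1" 200
10.0.0.8 - - [10/Mar/2024:09:00:12] "GET /products HTTP/1.1" 200
10.0.0.8 - - [10/Mar/2024:09:00:20] "GET /cart HTTP/1.1" 200
10.0.0.9 - - [10/Mar/2024:09:00:31] "GET /index.html HTTP/1.1" 200
10.0.0.9 - - [10/Mar/2024:09:00:40] "GET /contact HTTP/1.1" 200
"""
LIVE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:00:01] "GET /index.html HTTP/1.1" 200
10.0.0.5 - - [10/Mar/2024:10:00:02] "GET /about.html HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:00:03] "GET /login.php HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:00:03] "GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:00:04] "GET /../../etc/passwd HTTP/1.1" 404
203.0.113.7 - - [10/Mar/2024:10:00:04] "GET /admin HTTP/1.1" 403
203.0.113.7 - - [10/Mar/2024:10:00:05] "GET /backup.zip HTTP/1.1" 404
203.0.113.7 - - [10/Mar/2024:10:00:05] "GET /wp-login.php HTTP/1.1" 404
203.0.113.7 - - [10/Mar/2024:10:00:06] "GET /.git/config HTTP/1.1" 404
203.0.113.7 - - [10/Mar/2024:10:00:06] "GET /robots.txt HTTP/1.1" 200
10.0.0.8 - - [10/Mar/2024:10:00:07] "GET /products HTTP/1.1" 200
10.0.0.8 - - [10/Mar/2024:10:00:08] "GET /cart HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature-based: known-bad patterns. Catches these exact tricks on the first
# request, misses anything not in the list.
SIGNATURES = {
    "sql_injection": re.compile(r"(?:'|%27)(?:\s|%20)*(?:OR|AND)(?:\s|%20)+\d", re.I),
    "path_traversal": re.compile(r"(?:\.\./|%2e%2e/)", re.I),
}

def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            events.append({"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)})
    return events

def signature_detect(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """IDS mode: return (source, rule, path) alerts; nothing is blocked."""
    return [(e["ip"], name, e["path"]) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["path"])]

def learn_baseline(events: List[Dict]) -> float:
    """Behavior-based, learning phase: mean requests per source in a normal window."""
    counts = Counter(e["ip"] for e in events)
    return sum(counts.values()) / len(counts)

def behavior_detect(events: List[Dict], baseline: float, factor: float = 3.0) -> Dict[str, int]:
    """Detection phase: sources whose volume exceeds factor x baseline. Needs no
    signature, so it can flag novel activity, but it says 'unusual', not 'what'."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n > factor * baseline}

def ips_filter(events: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """IPS mode: same signatures, but matching requests are dropped inline."""
    dropped = [e for e in events if any(rx.search(e["path"]) for rx in SIGNATURES.values())]
    allowed = [e for e in events if e not in dropped]
    return allowed, dropped

if __name__ == "__main__":
    live = parse_log(LIVE_LOG)
    for alert in signature_detect(live):
        print("SIG ALERT", alert)
    base = learn_baseline(parse_log(TRAINING_LOG))
    print("BEHAVIOR ALERT", behavior_detect(live, base))
    allowed, dropped = ips_filter(live)
    print(f"IPS passed {len(allowed)}, dropped {len(dropped)}")
```

Note what each approach misses: the signatures fire on two requests and say nothing about the other six probes from the same source, while the baseline flags the source as a whole but would also flag a legitimate crawler, and it needs a clean training window first. Real deployments run both.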
Logical Security Layer is considered the technical domain
Penetration testing is not meant to make lasting changes or modifications within a network. It determines which vulnerabilities exist (and whether they can actually be exploited) so that fixes can be made afterwards; scope and rules of engagement define what the tester may touch.
Information Classification: Practice of differentiating between types of information assets and providing some guidance as to how sensitive information will need to be protected.
When the access decision depends on the content of the object (e.g., a database view that hides certain rows or columns), it is content-dependent access control.
NIST SP 800-145 ("The NIST Definition of Cloud Computing") defines cloud computing and its service and deployment models.
- Data map: shows where your data goes so you know who has access to it.
Resources to review: Sentry AI; Google Data Center Security; Microsoft Identity Readout; Microsoft Identity Management Readout
-
Review the Microsoft Password Guidance PDF document.
-
Need to know the AAL (Authenticator Assurance Levels) in SP 800-63B; see the summary of requirements.
-
KnowBe4.com: "11 Ways to Defeat 2FA" by Roger Grimes
-
OWASP Session Management Cheat Sheet
-
Difference Between Centralized and Decentralized Access Control.
-
Centralized control: decisions are made in one place (consistent policy, but a single point of failure).
-
Decentralized: decisions are made in multiple places. Allows more granularity, but policy is harder to keep consistent.
-
Do not confuse Decentralized Access Control and DAC (discretionary access control)
-
Ping Identity "What is Single-Sign On"
-
FIDO and SAML are not synonymous: FIDO (FIDO2/WebAuthn) is an authenticator standard for the authentication step itself; SAML is a federation/SSO assertion format for passing an already-authenticated identity between domains.
-
Mandatory Access Control is primarily about confidentiality of the data (Bell-LaPadula); Biba is the MAC model aimed at integrity.
-
Discretionary Access Control: the owner of an object decides who gets what access to it.
-
Attribute-based access control: decisions are based on attributes of the subject, the object, the action, and the environment (time, location, device).
-
Risk-based access control: the decision adapts to the assessed risk of the request (new device, unusual location), for example by requiring step-up authentication.
Read the links in the slide show for part 2: "An Illustrated Guide to OAuth and OpenID Connect".