2019 FRSecure CISSP Mentor Program: Class Eight

2019 CISSP MENTOR
PROGRAM
May 6, 2019
-----------
Class 8 – May 6, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO

Last Wednesday we finished on time, can we do this
two times in a row?!
• Check-in.
• How many have read Chapter 1 - 5?
• Questions?
Nice weather, but we’re all committed.
CISSP® MENTOR PROGRAM – SESSION EIGHT
1
WELCOME BACK!
Only one class this week…
Only 106 slides tonight, and we’ll finish chapter 6, all in one night!

Last Wednesday we finished on time, can we do this
two times in a row?!
• Check-in.
• How many have read Chapter 1 - 5?
• Questions?
Nice weather, but we’re all committed.
2
WELCOME BACK!
Only one class this week…
Only 104 slides tonight, and we’ll finish chapter 6, all in one night!
Other Updates:
REMINDER: We’ve got a Slack channel setup for all students.
• Did you get the invite?!
• If not, email cisspmentor@frsecure.com and we’ll get
you one ASAP.
• Get some Q&A and activity going up in there!

1. What is the most secure type of firewall?
A. Packet Filter
B. Stateful Firewall
C. Circuit-level Proxy Firewall
D. Application-layer Proxy Firewall
3
QUIZ…
Will the real test be this easy too?!

1. What is the most secure type of firewall?
A. Packet Filter
B. Stateful Firewall
C. Circuit-level Proxy Firewall
D. Application-layer Proxy Firewall
4
QUIZ…

2. What WAN Protocol has no error recovery, relying on
higher-level protocols to provide reliability?
A. ATM
B. Frame Relay
C. SMDS
D. X.25
5
QUIZ…

2. What WAN Protocol has no error recovery, relying on
higher-level protocols to provide reliability?
A. ATM
B. Frame Relay
C. SMDS
D. X.25
6
QUIZ…

3. What is the most secure type of EAP?
A. EAP-TLS
B. EAP-TTLS
C. LEAP
D. PEAP
7
QUIZ…

3. What is the most secure type of EAP?
A. EAP-TLS
B. EAP-TTLS
C. LEAP
D. PEAP
8
QUIZ…

4. Which endpoint security technique is the most likely to
prevent a previously unknown attack from being
successful?
A. Signature-based antivirus
B. Host Intrusion Detection Systems (HIDS)
C. Application Whitelisting
D. Perimeter firewall
9
QUIZ…

4. Which endpoint security technique is the most likely to
prevent a previously unknown attack from being
successful?
A. Signature-based antivirus
B. Host Intrusion Detection Systems (HIDS)
C. Application Whitelisting
D. Perimeter firewall
10
QUIZ…

5. Which wireless security protocol is also known as the
RSN (Robust Security Network), and implements the
full 802.11i standard?
A. AES
B. WEP
C. WPA
D. WPA2
11
QUIZ…

5. Which wireless security protocol is also known as the
RSN (Robust Security Network), and implements the
full 802.11i standard?
A. AES
B. WEP
C. WPA
D. WPA2
12
QUIZ…

6. Restricting Bluetooth device discovery relies on the
secrecy of what?
A. MAC Address
B. Symmetric key
C. Private Key
D. Public Key
13
QUIZ…

6. Restricting Bluetooth device discovery relies on the
secrecy of what?
A. MAC Address
B. Symmetric key
C. Private Key
D. Public Key
14
QUIZ…

15
LET’S DO THIS!
Picking up where we left off.

• Authentication Methods
• Access Control Technologies
• Access Control Models
16
WHAT ARE WE GOING TO COVER?
Agenda – Domain 5: Identity and Access Management
Starting on page 293 this evening
Not a challenging domain, but don’t let your guard down.

Unique Terms and Definitions
• Crossover Error Rate (CER) – describes the point where the False
Reject Rate (FRR) and False Accept Rate (FAR) are equal.
• Discretionary Access Control (DAC) – gives subjects full control of
objects they have created or been given access to, including sharing the
objects with other subjects
• False Accept Rate (FAR) – occurs when an unauthorized subject is
accepted by the biometric system as valid. Also called a Type II error.
• False Reject Rate (FRR) – occurs when an authorized subject is
rejected by the biometric system as unauthorized. Also called a Type I
error.
• Mandatory Access Control (MAC) – system-enforced access control
based on subject’s clearances and object’s labels
• Role-Based Access Controls (RBAC) – subjects are grouped into roles
and each defined role has access permissions based upon the role, not
the individual
17
LECTURE
Domain 5: Identity and Access Management

Authentication Methods
• A subject first identifies his or her self; this identification cannot
be trusted
• The subject then authenticates by providing an assurance that
the claimed identity is valid
• A credential set is the term used for the combination of both the
identification and authentication of a user
• Three basic authentication methods: Type 1 (something you
know), Type 2 (something you have), and Type 3 (something you
are). A fourth type of authentication is some place you are.
18
LECTURE

Type 1 Authentication: Something You Know
• Requires testing the subject with some sort of challenge and
response where the subject must respond with a knowledgeable
answer
• Subject is granted access on the basis of something they know,
such as a password or PIN (Personal Identification Number, a
number-based password)
• The easiest, and often weakest, form of authentication
19
LECTURE

Type 1 Authentication: Something You Know -
Passwords
• Passphrases
• Long static passwords, comprised of words in a phrase or sentence
• An example of a passphrase is: “I will pass the CISSP® in 2
months!”
• Usually have less randomness per character compared to shorter
complex passwords (such as “B$%Jiu⁎!”), but make up for the lack
of randomness with length
• One-time passwords
• Used for a single authentication
• Very secure but difficult to manage
• A one-time password is impossible to reuse and is valid for just one-
time use
20
LECTURE

Type 1 Authentication: Something You Know -
Passwords
• Dynamic passwords
• Change at regular intervals
• RSA Security makes a synchronous token device called SecureID
that generates a new token code every 60 seconds. The user
combines their static PIN with the RSA dynamic token code to
create one dynamic password that changes every time it is used.
• One drawback when using dynamic passwords is the expense of
the tokens themselves
• Strong authentication (also called multifactor authentication)
requires that the user present more than one authentication
factor
21
LECTURE

Type 1 Authentication: Something You Know –
Passwords
Password Hashes and Password Cracking
• In most cases, clear text passwords are not stored within an IT
system; only the hashed outputs
• Hashing is one-way encryption using an algorithm and no key
• When a user attempts to log in, the password they type is
hashed, and that hash is compared against the hash stored on
the system
• The hash function cannot be reversed: it is impossible to reverse
the algorithm and produce a password from a hash
• An attacker may run the hash algorithm forward many times,
selecting various possible passwords, and comparing the output
to a desired hash, hoping to find a match (and to derive the
original password). This is called password cracking.
22
LECTURE

Passwords
• Password hashes for modern UNIX/Linux systems are stored
in/etc/shadow (which is typically readable only by root)
• Windows systems store hashes both locally and on the domain
controller (DC) in a file called the security account management
file or SAM file
• Password hashes may be sniffed on networks or read from
memory
• The SAM file is locked while the Windows operating system is
running: tools such as fgdump by foofus.net
(http://www.foofus.net/fizzgig/fgdump/) can dump the hashes
from memory
23
LECTURE

Passwords
• Cain & Abel hash calculator (see http://www.oxid.it/cain.html).
The only difference between the two entries is that the “P” in
password is capitalized.
24
LECTURE

Passwords
Dictionary Attacks
• Uses a word list: a predefined list of words, and then runs each word through a hash
algorithm
• Fastest type of password attack, but often the least effective
Note - Attackers will often tune their dictionary to their target, adding a Spanish dictionary to their
word list for a target organization with Spanish speakers, or even a Klingon dictionary for an
organization with Star Trek fans. Packetstorm Security maintains multiple dictionaries at:
http://packetstormsecurity.org/Crackers/wordlists/.
• Many organizations require users to create passwords that have a special character, number,
capital letter, and be eight characters or greater
• Cain & Abel has cracked user deckard’s password with a dictionary attack: his password is
“replicant,” shown as “REPLICANT” as the LM hash, which ignores case
• Access to the SAM file (Windows) and shadow file (UNIX/Linux) should be restricted.
25
LECTURE

Passwords
Brute-Force and Hybrid Attacks
• Take more time, but are more effective
• Calculates the hash outputs for every possible password
• With the advances in CPU speeds and parallel computing, the ability to
brute-force complex passwords has been considerably reduced
• Attackers may also use a rainbow table for their password attack
• Acts as a database that contains the precomputed hashed output for most
or all possible passwords
• Rainbow tables are not always complete: they may not include possible
password/hash combinations.
• A hybrid attack appends, prepends, or changes characters in words from
a dictionary before hashing, to attempt the fastest crack of complex
passwords
26
LECTURE

Passwords
Tools
1. Brutus
Brutus is one of the most popular remote online password cracking
tools. It claims to be the fastest and most flexible password cracking
tool. This tool is free and is only available for Windows systems. It
was released back in October 2000.
27
LECTURE

Passwords
Tools
2. RainbowCrack
RainbowCrack is a hash cracker tool that uses a large-scale time-
memory trade off process for faster password cracking than
traditional brute force tools. Time-memory trade off is a computational
process in which all plain text and hash pairs are calculated by using
a selected hash algorithm. After computation, results are stored in the
rainbow table. This process is very time consuming. But, once the
table is ready, it can crack a password must faster than brute force
tools.
28
LECTURE

Passwords
Tools
3. Wfuzz
Wfuzz is another web application password cracking tool that tries to
crack passwords with brute forcing. It can also be used to find hidden
resources like directories, servlets and scripts. This tool can also
identify different kind of injections including SQL Injection, XSS
Injection, LDAP Injection, etc in Web applications.
29
LECTURE

Passwords
Tools
4. Cain and Abel
Cain and Abel is a well-known password cracking tool that is capable
of handling a variety of tasks. The most notable thing is that the tool is
only available for Windows platforms. It can work as sniffer in the
network, cracking encrypted passwords using the dictionary attack,
recording VoIP conversations, brute force attacks, cryptanalysis
attacks, revealing password boxes, uncovering cached passwords,
decoding scrambled passwords, and analyzing routing protocols.
30
LECTURE

Passwords
Tools
5. John the Ripper
John the Ripper is another well-known free open source password
cracking tool for Linux, Unix and Mac OS X. A Windows version is
also available. This tool can detect weak passwords. A pro version of
the tool is also available, which offers better features and native
packages for target operating systems. You can also download
Openwall GNU/*/Linux that comes with John the Ripper.
31
LECTURE

Passwords
Tools
6. THC Hydra
THC Hydra is a fast network logon password cracking tool. When it is
compared with other similar tools, it shows why it is faster. New
modules are easy to install in the tool. You can easily add modules
and enhance the features. It is available for Windows, Linux, Free
BSD, Solaris and OS X. This tool supports various network protocols.
32
LECTURE

Passwords
Tools
7. Medusa
Medusa is also a password cracking tool similar to THC Hydra. It
claims to be a speedy parallel, modular and login brute forcing tool. It
supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP,
NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP,
SNMP, SSH, SVN, VNC, VmAuthd and Telnet. While cracking the
password, host, username and password can be flexible input while
performing the attack.
33
LECTURE

Passwords
Tools
8. OphCrack
OphCrack is a free rainbow-table based password cracking tool for
Windows. It is the most popular Windows password cracking tool, but
can also be used on Linux and Mac systems. It cracks LM and NTLM
hashes. For cracking Windows XP, Vista and Windows 7, free
rainbow-tables are also available.
34
LECTURE

Passwords
Tools
9. L0phtCrack
L0phtCrack is an alternative to OphCrack. It attempts to crack
Windows password from hashes. For cracking passwords, it uses
Windows workstations, network servers, primary domain controllers,
and Active Directory. It also uses dictionary and brute force attacking
for generating and guessing passwords. It was acquired by Symantec
and discontinued in 2006. Later L0pht developers again re-acquired it
and launched L0phtCrack in 2009.
35
LECTURE

Passwords
Tools
10. Aircrack-NG
Aircrack-NG is a WiFi password cracking tool that can crack WEP or
WPA passwords. It analyzes wireless encrypted packets and then
tries to crack passwords via its cracking algorithm. It uses the FMS
attack along with other useful attack techniques for cracking
password. It is available for Linux and Windows systems. A live CD of
Aircrack is also available.
36
LECTURE

Passwords
Salts
• Allows one password to hash multiple ways
• Some systems (like modern UNIX/Linux systems) combine a salt
with a password before hashing: “The designers of the UNIX
operating system improved on this method by using a random
value called a “salt.” A salt value ensures that the same password
will encrypt differently when used by different users. This method
offers the advantage that an attacker must encrypt the same
word multiple times (once for each salt or user) in order to mount
a successful password-guessing attack.”
• Makes rainbow tables far less effective (if not completely
ineffective)
37
LECTURE

Passwords
Password Management
• Typically, the minimum password management security features include the
following:
• Password history = set to remember 24 passwords
• Maximum password age = 90 days
• Minimum password age = 2 days (this is because users do not cycle through 24
passwords to return immediately to their favorite)
• Minimum password length = 8 characters
• Passwords must meet complexity requirements = true
• Store password using reversible encryption = false
• These are the minimum password security controls for the U.S. Department of
Defense and this standard has been adopted by the Microsoft community as the
baseline password complexity standard.
• It is not uncommon for users to write down passwords and store them within
wallets, address books, cell phones, and even sticky notes posted on their
monitors
38
LECTURE

Passwords
Password Control
• Complex passwords are harder to remember
• Users who write passwords down and leave them in an insecure
place (such as under a keyboard or stored in a wallet, purse, or
rolodex) can undermine the entire security posture of a system
39
LECTURE

Type 2 Authentication: Something You Have
• Something you have - requires that users possess something,
which proves they are an authenticated user
• A token is an object that helps prove an identity claim
• Possessing the car keys, credit cards, bank ATM cards,
smartcards, and paper documents
40
LECTURE

Synchronous Dynamic Token
• Time or counters are synchronized with an authentication server.
• Implemented in hardware (RSA SecureID) and software (Google
Authenticator).
• The authentication server expects a certain value based on time
or count, as part of the authentication scheme.
41
LECTURE

Synchronous Dynamic Token
• Time or counters are synchronized with an authentication server.
• Implemented in hardware (RSA SecureID) and software (Google
Authenticator).
• The authentication server expects a certain value based on time
or count, as part of the authentication scheme.
42
LECTURE

Asynchronous Dynamic Token
• Not synchronized with a central server
• Most common variety is challenge-response tokens
• Systems produce a challenge, or input for the token device
• The user manually enters the information into the device along with
their PIN, and the device produces an output
• Output is then sent to the system
• Combining access control types is recommended
• Using more than one type of access control is referred to as
strong authentication or multifactor authentication
43
LECTURE

Asynchronous Dynamic Token
• Not synchronized with a central server
• Most common variety is challenge-response tokens
• Systems produce a challenge, or input for the token device
• The user manually enters the information into the device along with
their PIN, and the device produces an output
• Output is then sent to the system
• Combining access control types is recommended
• Using more than one type of access control is referred to as
strong authentication or multifactor authentication
44
LECTURE

Type 3 Authentication: Something You Are
• Something you are - biometrics, which uses physical
characteristics as a means of identification or authentication
• Biometrics may be used to establish an identity, or to
authenticate (prove an identity claim)
• Associated with the physical traits of an individual, it is more
difficult for that individual to forget, misplace, or otherwise lose
control of the access capability
• Care should be given to ensure appropriate accuracy and to
address any privacy issues that may arise
• Should be reliable, and resistant to counterfeiting
• Data storage required to represent biometric information (called
the template or the file size) should be relatively small: 1000
bytes or less is typical
45
LECTURE

Biometric Fairness, Psychological Comfort, and Safety
• Biometrics should not cause undue psychological stress to
subjects, and should not introduce unwarranted privacy issues
• Biometric controls must be usable by all staff, or compensating
controls must exist
• Potential exchange of bodily fluid is a serious negative for any
biometric control: this includes retina scans (where a user
typically presses their eye against an eyecup), and even
fingerprint scanning (where many subjects touch the same
scanner)
• Fully passive controls, such as iris scans, may be preferable
(there is no exchange of bodily fluid)
46
LECTURE

Biometric Enrollment and Throughput
• Enrollment describes the process of registering with a biometric
system: creating an account for the first time
• Enrollment is a one-time process that should take 2 minutes or less.
• Throughput describes the process of authenticating to a
biometric system
• Also called the biometric system response time
• A typical throughput is 6-10 seconds
47
LECTURE

Accuracy of Biometric Systems
• Should be considered before implementing a biometric control
program
• Three metrics are used to judge biometric accuracy: the False
Reject Rate (FRR), the False Accept Rate (FAR), and the
Crossover Error Rate (CER).
48
LECTURE

• False Reject Rate (FRR)
• When an authorized subject is rejected by the biometric system as
unauthorized
• Also called a Type I error
• Cause frustration of the authorized users, reduction in work due to
poor access conditions, and expenditure of resources to revalidate
authorized users
• False Accept Rate (FAR)
• Occurs when an unauthorized subject is accepted as valid
• Risks an unauthorized user gaining access
• Also called a Type II error
49
LECTURE

Note - A false accept is worse than a false reject: most organizations
would prefer to reject authentic subjects to accepting impostors. FARs
(Type II errors) are worse than FRRs (Type I errors). Two is greater
than one, which will help you remember that FAR is Type II, which are
worse than Type I (FRRs).
Over 40 data points are usually collected and compared in a typical
fingerprint scan. The accuracy of the system may be lowered by
collecting fewer minutiae points (ten or so). This will lower the FRR, but
raise the FAR. It also increases the possibility that a user’s fingerprints
would be easier to counterfeit.
50
LECTURE

• Crossover Error Rate (CER)
• Describes the point where the False Reject Rate (FRR) and
False Accept Rate (FAR) are equal
• Also known as the Equal Error Rate (EER)
• The overall accuracy of a biometric system
• As the accuracy of a biometric system increases, FARs will
rise and FRRs will drop
• As the accuracy is lowered, FARs will drop and FRRs will
rise
51
LECTURE

• Crossover Error Rate (CER)
• Describes the point where the False Reject Rate (FRR) and
False Accept Rate (FAR) are equal
• Also known as the Equal Error Rate (EER)
• The overall accuracy of a biometric system
• As the accuracy of a biometric system increases, FARs will
rise and FRRs will drop
• As the accuracy is lowered, FARs will drop and FRRs will
rise
52
LECTURE

Types of Biometric Controls
• Fingerprints
• The most widely used biometric control
• Smartcards can carry fingerprint information
• Smart keyboards require users to present a fingerprint to
unlock a computer’s screen saver
• The data used for storing each person’s fingerprint must be
of a small enough size to be used for authentication
• The data is a mathematical representation of fingerprint
minutiae, specific details of fingerprint friction ridges, which
include whorls, ridges, bifurcation, and others
53
LECTURE

• Retina Scan
• A laser scan of the capillaries which feed the retina of the
back of the eye
• Can seem personally intrusive because the light beam must
directly enter the pupil, and the user usually needs to press
their eye up to a laser scanner eye cup
• Health information of the user can be gained through a retina
scan: conditions such as pregnancy and diabetes can be
determined, which may raise legitimate privacy issues
• Exchange of bodily fluids is possible
54
LECTURE

• Retina Scan
back of the eye
55
LECTURE
Exam Warning - Retina scans are rarely used because of health risks and
invasion-of-privacy issues. Alternatives should be considered for biometric
controls that risk exchange of bodily fluid or raise legitimate privacy
concerns.

• Retina Scan
back of the eye
56
LECTURE

• Iris Scan
• A passive biometric control
• A camera takes a picture of the iris (the colored portion of the
eye) and then compares photos within the authentication
database
• Works through contact lenses and glasses
• Each person’s two irises are unique, even twins’ irises
• Benefits include high-accuracy, passive scanning (which may
be accomplished without the subject’s knowledge), and no
exchange of bodily fluids
57
LECTURE

• Iris Scan
• A passive biometric control
• A camera takes a picture of the iris (the colored portion of the
eye) and then compares photos within the authentication
database
• Works through contact lenses and glasses
• Each person’s two irises are unique, even twins’ irises
• Benefits include high-accuracy, passive scanning (which may
be accomplished without the subject’s knowledge), and no
exchange of bodily fluids
58
LECTURE

• Hand Geometry
• Measurements are taken from specific points on the subject’s
hand
• The devices use a simple concept of measuring and
recording the length, width, thickness, and surface area of an
individual’s hand while guided on a plate.
• Devices are fairly simple, and can store information in as little
as 9 bytes
59
LECTURE

• Hand Geometry
• Measurements are taken from specific points on the subject’s
hand
• The devices use a simple concept of measuring and
recording the length, width, thickness, and surface area of an
individual’s hand while guided on a plate.
• Devices are fairly simple, and can store information in as little
as 9 bytes
60
LECTURE

• Keyboard Dynamics
• Refers to how hard a person presses each key and the rhythm by
which the keys are pressed
• Cheap to implement and can be effective
• As people learn how to type and use a computer keyboard, they
develop specific habits that are difficult to impersonate, although not
impossible
• Dynamic Signature
• Measure the process by which someone signs his/her name
• Measuring time, pressure, loops in the signature, and beginning and
ending points all help to ensure the user is authentic
61
LECTURE

• Voice Print
• Measures the subject’s tone of voice while stating a specific
sentence or phrase
• Vulnerable to replay attacks (replaying a recorded voice), so
other access controls must be implemented along with the
voice print
• State random words, protecting against an attacker playing
pre-recorded specific phrases
62
LECTURE

• Facial Scan
• Has greatly improved over the last few years
• Also called facial recognition
• Process of passively taking a picture of a subject’s face and comparing that
picture to a list stored in a database
• Not frequently used for biometric authentication control due to the high cost
• Law enforcement and security agencies use facial recognition and scanning
technologies for biometric identification to improve security of high-valued,
publicly accessible targets
63
LECTURE

• Facial Scan
• Superbowl XXXV was the first major sporting event that used facial
recognition technology to look for potential terrorists. Cameras were placed
at every entrance and each attendee’s face was scanned and compared to a
list of active terrorist threats. The technology worked and, although no
terrorists were identified, 19 petty criminals were identified. The companies
that make the systems claim they are primarily a deterrent control.
• Casinos have used the same facial recognition technology since 2003.
• Apple’s iPhone X
64
LECTURE

Transition…
Now for Access Control Technologies.
65
LECTURE

Centralized Access Control
• Concentrates access control in one logical point for a
system or organization
• Can be used to provide Single Sign-On (SSO), where a
subject may authenticate once, and then access multiple
systems
• Can centrally provide the three “A’s” of access control:
Authentication, Authorization, and Accountability
• Authentication: proving an identity claim
• Authorization: authenticated subjects are allowed to take on a system
• Accountability: the ability to audit a system and demonstrate the actions of
subjects
66
LECTURE

Decentralized Access Control
• Allows IT administration to occur closer to the mission and
operations of the organization
• Also called distributed access control
• Provides more local power: each site has control over its
data
• The U.S. military uses decentralized access control in
battlefield situations
67
LECTURE
Exam Warning - Do not get confused on the CISSP exam if asked about DAC
compared to decentralized access control. DAC stands for discretionary access
control. Decentralized access control will always be spelled out on the exam.

Single Sign-On (SSO)
• Allows multiple systems to use a central
authentication server (AS)
• Allows users to authenticate once, and then access
multiple, different systems
• Allows security administrators to add, change, or
revoke user privileges on one central system
68
LECTURE

As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by Chris
Dunne, September 30, 2003, SSO is an important access control and can offer the
following benefits:
• “Improved user productivity. Users are no longer bogged down by multiple logins
and they are not required to remember multiple IDs and passwords. Also, support
personnel answer fewer requests to reset forgotten passwords.”
• “Improved developer productivity. SSO provides developers with a common
authentication framework. In fact, if the SSO mechanism is independent, then
developers do not have to worry about authentication at all. They can assume
that once a request for an application is accompanied by a username, then
authentication has already taken place.”
• “Simplified administration. When applications participate in a single sign-on
protocol, the administration burden of managing user accounts is simplified. The
degree of simplification depends on the applications since SSO only deals with
authentication. So, applications may still require user-specific attributes (such as
access privileges) to be set up.”
69
LECTURE

The disadvantages of SSO are listed below and must be considered before
implementing SSO on a system:
• “Difficult to retrofit. An SSO solution can be difficult, time consuming, and
expensive to retrofit to existing applications.”
• “Unattended desktop. Implementing SSO reduces some security risks,
but increases others. For example, a malicious user could gain access
to a user’s resources if the user walks away from his machine and
leaves it logged in. Although this is a problem with security in general, it
is worse with SSO because all authorized resources are compromised.
At least with multiple logons, the user may only be logged into one
system at the time and so only one resource is compromised.”
• “Single point of attack. With single sign-on, a single, central
authentication service is used by all applications. This is an attractive
target for hackers who may decide to carry out a denial of service
attack.”
70
LECTURE

Access Provisioning Lifecycle
• After an access control model has
been chosen.
• Identity Lifecycle – provisioning,
maintenance
(passwords/rights/privileges),
changes, re-provisioning,
reconciliation/audit
71
LECTURE

Access Provisioning Lifecycle
IBM describes the following identity lifecycle rules:
• “Password policy compliance checking
• Notifying users to change their passwords before they expire
• Identifying life cycle changes such as accounts that are
inactive for more than 30 consecutive days
• Identifying new accounts that have not been used for more
than 10 days following their creation
• Identifying accounts that are candidates for deletion because
they have been suspended for more than 30 days
• When a contract expires, identifying all accounts belonging to
a business partner or contractor’s employees and revoking
their access rights”
72
LECTURE

User Entitlement, Access Review and Audit
• Authorization creep
• occurs when subjects not only maintain old access rights but
gain new ones as they move from one role to another within
an organization
• User rights (or entitlements) must be routinely
reviewed
73
LECTURE

Federated Identity Management (FIdM)
• Applies SSO on a wider scale; cross-organization to Internet
• Trusted authority for digital identities across multiple
organizations
• Microsoft Account, Google Account, GitHub and others.
• SAML, Oauth, OpenID, etc.
• SAML is an XML-based framework for exchanging security
information, including authentication data
74
LECTURE

• Identity as a service (IDaaS) - Gartner Inc., divides IDaaS
services into two categories:
• Web access software for cloud-based applications such as software
as a service (SaaS)
• Web-architected applications; and cloud-delivered legacy identity
management services.
• LDAP – Lightweight Directory Access Protocol – common, open
protocol for interfacing and querying directory service information
over a network. TCP/UDP port 389. LDAPS (LDAP over TLS);
TCP 636 & 3269
75
LECTURE

Single Sign-On (SSO) - Kerberos
• A third-party authentication service that may be used to support
Single Sign-On
• Kerberos (http://www.kerberos.org/) was the name of the three-
headed dog that guarded the entrance to Hades (also called
Cerberus) in Greek mythology
• The three heads of the mythical Kerberos were meant to signify
the three “A”s of AAA systems: authentication, authorization, and
accountability
• The original Kerberos mainly provided authentication
76
LECTURE
Highly Testable

• Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-
faq/user/) states:
• Kerberos is a network authentication system for use on
physically insecure networks
• Based on the key distribution model presented by Needham
and Schroeder
• Allows entities communicating over networks to prove their
identity to each other while preventing eavesdropping or
replay attacks
• Provides for data stream integrity (detection of modification)
and secrecy (preventing unauthorized reading) using
cryptography systems such as DES (Data Encryption
Standard)
77
LECTURE

• Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-
faq/user/) states:
• Kerberos is a network authentication system for use on
physically insecure networks
• Based on the key distribution model presented by Needham
and Schroeder
• Allows entities communicating over networks to prove their
identity to each other while preventing eavesdropping or
replay attacks
• Provides for data stream integrity (detection of modification)
and secrecy (preventing unauthorized reading) using
cryptography systems such as DES (Data Encryption
Standard)
78
LECTURE

• Uses secret key encryption
• Provides mutual authentication of both clients and servers
• Protects against network sniffing and replay attacks
• Current version of Kerberos is version 5, described by RFC 4120
(http://www.ietf.org/rfc/rfc4120.txt)
79
LECTURE

• Kerberos has the following components:
• Principal: Client (user) or service
• Realm: A logical Kerberos network
• Ticket: Data that authenticates a principal’s identity
• Credentials: a ticket and a service key
• KDC: Key Distribution Center, which authenticates principals
• TGS: Ticket Granting Service
• TGT: Ticket Granting Ticket
• C/S: Client Server, regarding communications between the
two
80
LECTURE

two
81
LECTURE

two
82
LECTURE

• Strengths:
• Provides mutual authentication of client and server
• If a rogue KDC pretended to be a real KDC, it would not have
access to keys
• mitigates replay attacks (where attackers sniff Kerberos
credentials and replay them on the network) via the use of
timestamps
83
LECTURE

• Weaknesses:
• KDC stores the plaintext keys of all principals (clients and servers)
• A compromise of the KDC (physical or electronic) can lead to the
compromise of every key in the Kerberos realm
• KDC and TGS are single points of failure: if they go down, no new
credentials can be issued
• Replay attacks are still possible for the lifetime of the authenticator (An
attacker could sniff an authenticator, launch a denial-of-service attack
against the client, and then assume or spoof the client’s IP address)
• Any user may request a session key for another user
• Kerberos does not mitigate a malicious local host: plaintext keys may exist in
memory or cache
84
LECTURE

Single Sign-On (SSO) - SESAME
• Secure European System for Applications in a Multi-vendor
Environment
• A single sign-on system that supports heterogeneous
environments
• Can be thought of as a sequel of sorts to Kerberos
• It addresses one of the biggest weaknesses in Kerberos: the
plaintext storage of symmetric keys
• Uses Privilege Attribute Certificates (PACs) in place of Kerberos’
tickets
• More information on SESAME is available at:
https://www.cosic.esat.kuleuven.be/sesame/
85
LECTURE

Access Control Protocols And Frameworks - RADIUS
• Remote Authentication Dial In User Service (RADIUS) protocol
• A third-party authentication system
• Described in RFCs 2865 and 2866
• Uses the User Datagram Protocol (UDP) ports 1812
(authentication) and 1813 (accounting)
• Formerly used the (unofficially assigned) ports of 1645 and 1646
for the same respective purposes; some continue to use those
ports
• Considered an “AAA” system
• Authenticates a subject’s credentials against an authentication database
• Authorizes users by allowing specific users’ access to specific data objects
• Accounts for each data session by creating a log entry for each connection
made
86
LECTURE

• Request and response data is carried in Attribute Value Pairs
(AVPs)
• According to RFC 2865 (http://tools.ietf.org/html/rfc2865),
RADIUS supports the following codes:
• Access-Request
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
• Access-Challenge
• Status-Server (experimental)
• Status-Client (experimental)
87
LECTURE

• Request and response data is carried in Attribute Value Pairs
(AVPs)
• According to RFC 2865 (http://tools.ietf.org/html/rfc2865),
RADIUS supports the following codes:
• Access-Request
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
• Access-Challenge
• Status-Server (experimental)
• Status-Client (experimental)
88
LECTURE

Access Control Protocols And Frameworks - Diameter
• RADIUS’ successor
• Designed to provide an improved Authentication, Authorization,
and Accounting (AAA) framework
• Also uses Attribute Value Pairs, but supports many more:
• RADIUS uses 8 bits for the AVP field (allowing 256 total possible AVPs)
• Diameter uses 32 bits for the AVP field (allowing billions of potential AVPs)
• Uses a single server to manage policies for many services, as
opposed to RADIUS which requires many servers to handle all of
the secure connection protocols
• Provides AAA functionality
• More reliable by using the Transmission Control Protocol (TCP)
• Currently a draft standard, first described by RFC 3588
(http://tools.ietf.org/html/rfc3588)
89
LECTURE

Access Control Protocols And Frameworks - TACACS
and TACACS+
• Terminal Access Controller Access Control System (TACACS)
• Centralized access control system that requires users to send an ID and
static (reusable) password for authentication
• TACACS uses UDP port 49 (and may also use TCP)
• Reusable passwords have security vulnerability: the improved TACACS+
provides better password protection by allowing two-factor strong
authentication
• TACACS+ is not backwards compatible with TACACS
• TACACS+ uses TCP port 49 for authentication with the TACACS+ server
• The actual function of authentication is similar to RADIUS
• RADIUS only encrypts the password (leaving other data, such as
username, unencrypted); TACACS+ encrypts all data below the
TACACS+ header
90
LECTURE

PAP and CHAP
• Password Authentication Protocol (PAP)
• Defined by RFC 1334 (http://tools.ietf.org/html/rfc1334#section-2)
• Not a strong authentication method
• User password and it is sent across the network in clear text
• When received by the PAP server, it is authenticated and validated
91
LECTURE

PAP and CHAP
• Challenge Handshake Authentication Protocol (CHAP)
• Defined by RFC 1994 (http://www.faqs.org/rfcs/rfc1994.html)
• Provides protection against playback attacks
• Uses a central location that challenges remote users
• “CHAP depends upon a ‘secret’ known only to the authenticator and the
peer. The secret is not sent over the link. Although the authentication is only
one-way, by negotiating CHAP in both directions the same secret set may
easily be used for mutual authentication.”
• A sniffer that views the entire challenge/response process will not be able to
determine the shared secret
92
LECTURE

PAP and CHAP
• Challenge Handshake Authentication Protocol (CHAP)
• Defined by RFC 1994 (http://www.faqs.org/rfcs/rfc1994.html)
• Provides protection against playback attacks
• Uses a central location that challenges remote users
• “CHAP depends upon a ‘secret’ known only to the authenticator and the
peer. The secret is not sent over the link. Although the authentication is only
one-way, by negotiating CHAP in both directions the same secret set may
easily be used for mutual authentication.”
• A sniffer that views the entire challenge/response process will not be able to
determine the shared secret
93
LECTURE

Access Control Protocols And Frameworks - Microsoft
Active Directory Domains
• Microsoft Windows Active Directory uses the concept of domains
as the primary means to control access
• For authentication purposes, Microsoft bases their authentication
of trust relationships on RFC 1510, the Kerberos Authentication
Protocol, and it is fully integrated into Microsoft Windows
operating systems since Windows 2000.
• Each domain has a separate authentication process and space
• Each domain may contain different users and different network
assets and data objects
• If a two-way trust between domains is created, then the users
and data objects from each domain can be accessed by groups
belonging to either domain.
94
LECTURE

Access Control Protocols And Frameworks - Microsoft
Active Directory Domains
As stated by Microsoft,
• “How a specific trust passes authentication requests depends on how it
is configured; trust relationships can be one-way, providing access from
the trusted domain to resources in the trusting domain, or two way,
providing access from each domain to resources in the other domain.
Trusts are also either nontransitive, in which case trust exists only
between the two trust partner domains, or transitive, in which case trust
automatically extends to any other domains that either of the partners
trusts.”
• Microsoft trust relationships fall into two categories; nontransitive and
transitive. Nontransitive trusts only exist between two trust partners.
Transitive trusts exist between two partners and all of their partner
domains. For example, if A trusts B, in a transitive trust, A will trust B and
all of B’s trust partners.
95
LECTURE

Another Transition…
Now for Access Control Models.
96
LECTURE

Access control models
• The primary models are Discretionary Access Control
(DAC), Mandatory Access Control (MAC), and Non-
Discretionary Access Control
• Do not think of one model being better than another
• Each model is used for a specific information security
purpose
97
LECTURE

Discretionary Access Control (DAC)
• Gives subjects full control of objects they have been
given access to, including sharing the objects with
other subjects
• Subjects are empowered and control their data
• Standard UNIX and Windows operating systems use
DAC for filesystems
• If a subject makes a mistake, such as attaching the
wrong file to an email sent to a public mailing list, loss
of confidentiality can result
• Mistakes and malicious acts can also lead to a loss of
integrity or availability of data
98
LECTURE

Mandatory Access Control (MAC)
• System-enforced access control based on subject’s clearance and object’s labels
• Subjects and Objects have clearances and labels, respectively, such as
confidential, secret, and top secret
• A subject may access an object only if the subject’s clearance is equal to or
greater than the object’s label
• Subjects cannot share objects with other subjects who lack the proper clearance,
or “write down” objects to a lower classification level (such as from top secret to
secret)
• Usually focused on preserving the confidentiality of data
• Expensive and difficult to implement
• Clearing users is an expensive process
• Some examples of MAC systems are Honeywell’s SCOMP and Purple Penelope
• Developed under tight scrutiny of the U.S. and British Governments
• Another example is the Linux Intrusion Detection System (LIDS; see
http://www.lids.org)
• LIDS is a specially hardened Linux distribution that uses MAC
99
LECTURE

Non-Discretionary Access Control
• Role-Based Access Control (RBAC) defines how information is
accessed on a system based on the role of the subject
• Subjects are grouped into roles and each defined role has access
permissions based upon the role, not the individual
• According to NIST (see: http://csrc.nist.gov/rbac)
• Keeps each role separate on the system and reduces the exposure of
more sensitive accounts
• RBAC is a type of non-discretionary access control because users do
not have discretion regarding the groups of objects they are allowed to
access, and are unable to transfer objects to other subjects
• Task-based access control is another non-discretionary access control
model
• Based on the tasks each subject must perform, such as writing prescriptions, or restoring data from a
backup tape, or opening a help desk ticket
• Focusing on specific tasks, instead of roles
100
LECTURE

Content and Context-Dependent Access Controls
(Rule-based)
• Not full-fledged access control methods
• Typically play a defense-in-depth supporting role
• May be added as an additional control, typically to DAC systems
• Content-dependent access control
• Adds additional criteria beyond identification and authentication: the actual content the
subject is attempting to access
• Example: All employees of an organization may have access to the HR database to
view their accrued sick time and vacation time. Should an employee attempt to access
the content of the CIO’s HR record, access is denied.
• Context-dependent access control
• Applies additional context before granting access
• A commonly used context is time
101
LECTURE

And now we’re done…
102
LECTURE

We made it through Class 8!
Easy, but fundamental.
Please try to catch up in your reading and get some chatter going
in Slack!
• We left off on page 324 in the book.
• Monday (5/13) we’ll start with Chapter 7: Security Assessment
and Testing.
• The next domain is a little more fun and practical.
• Come with questions!
Have a great evening, talk to you next Monday!
103
LECTURE

2019 FRSecure CISSP Mentor Program: Class Eight

More Related Content

What's hot (20)

Similar to 2019 FRSecure CISSP Mentor Program: Class Eight (20)

Recently uploaded (20)

2019 FRSecure CISSP Mentor Program: Class Eight