Slide Deck – Session 9 – FRSecure CISSP

FRSecure 2017 CISSP
Mentor Program
EVAN FRANCEN, PRESIDENT & CEO – FRSECURE
BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST - FRSECURE
CLASS SESSION #9

CISSP Mentor Program Session #9
Domain 4: Communication and Network Security - Review
• Application Layer TCP/IP Protocols and Concepts
• Layer 1 Network Cabling
• LAN Technologies and Protocols
• LAN Physical Network Topologies
• WAN Technologies and Protocols
• Network Devices and Protocols
• Network Attacks

Domain 4: Communication and Network Security
Network Scanning Tools
• Determine and map network architecture
• Defenders use these tools to better understand (and defend) their
networks
• Attackers use them to identify a plan of attack including potential
attack victims
• Ping and traceroute
• Used to scan networks
• An attacker may use these tools to identify routes, networks, and hosts

Network Scanning Tools – nmap
NMAP GUIDE REVISITED – HAKIN9 TUTORIALS
https://hakin9.org/download/nmap-guide-revisited-hakin9-tutorials/
“Nmap – The Tool of Almost Endless Capabilities
By Evan Francen, President, FRSecure LLC & Information Security
Evangelist CISSP, CISM, CCSK
Before we start out and dig in, you need to know that Nmap can be a
very powerful tool in the hands of someone who knows how to use it
AND has an intimate knowledge of how TCP/IP works. If you don’t
know some of the TCP/IP basics like IP addressing, routing, ports, and
the structure of a TCP packet, it would be good idea to brush up on
these skills first. As you unlock your knowledge of TCP/IP, you’ll
embrace the beauty of Nmap that much more.”

Network Scanning Tools – Nmap/Zenmap (Windows)
• https://nmap.org/
• Nmap ("Network Mapper") is a free and open source (license) utility for network
discovery and security auditing. Many systems and network administrators also find it
useful for tasks such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine
what hosts are available on the network, what services (application name and version)
those hosts are offering, what operating systems (and OS versions) they are running, what
type of packet filters/firewalls are in use, and dozens of other characteristics. It was
designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on
all major computer operating systems, and official binary packages are available for Linux,
Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the
Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data
transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff),
and a packet generation and response analysis tool (Nping).

Network Scanning Tools - Scan Types
• Attackers may scan networks from layers 2-7
• Common scans include ARP scans, ICMP scans, and TCP and UDP scans
ARP Scans
• Once an attacker is on a LAN (by compromising a host on the LAN),
Layer 2 scans and attacks are possible
• A Layer 2 scan which sends ARP requests for each IP address on a
subnet, learning the MAC addresses of systems that answer.

TCP Scans
• A SYN scan sends a TCP SYN packet to ports on a host, reporting those that
answer SYN/ACK as open
• A “connect” scan completes the three-way handshake; a half-open
connection scan does not.
• Once the SYN/ACK is received in response to a SYN, the attacker has no need
to complete the handshake via an ACK
• Advantages to half-open connection scans: they are faster, and often not
logged (since the connection is never completed)

TCP Scans
• Attackers may also craft packets with strange flag combinations in an effort to
identify the operating system running on a target system:
• SYN/FIN flag combo
• SYN/RST
• all TCP flags set
• no TCP flags set

UDP Scans
• Send UDP packets to ports on a system, listening for answers
• Harder and slower than TCP scans
• No universal way for a UDP service to respond to a UDP packet
• UDP scans unreliable

Secure Communications - Authentication Protocols and
Frameworks
• Authenticates an identity claim over the network
• Good security design assumes that a network eavesdropper may sniff
all packets sent between the client and authentication server: the
protocol should remain secure

Secure Communications - PAP & CHAP
• PAP (Password Authentication Protocol)
• Very weak authentication protocol
• Sends the username and password in cleartext
• Insecure and should not be used
• CHAP (Challenge-handshake Authentication Protocol)
• A more secure authentication protocol
• Does not expose the cleartext password
• Not susceptible to replay attacks
• Relies on a shared secret: the password
• Password is securely created (such as during account enrollment) and stored on the CHAP server
• Since both the user and the CHAP server share a secret (the plaintext password), they can use that
secret to securely communicate
• The server stores plaintext passwords of each client (weakness)

Secure Communications - CHAP
CHAP Authentication
• To authenticate, the client first creates an initial (unauthenticated) connection via LCP
(Link Control Protocol). The server then begins the three-way CHAP authentication
process:
1. Server sends a challenge, which is a small random string (also called a nonce).
2. The user takes the challenge string and the password, uses a hash cipher such as MD5 to
create a hash value, and sends that value back to the CHAP server as the response.
3. The CHAP server also hashes the password and challenge, creating the expected
response. It then compares the expected response with the response received from the
user.
4. If the responses are identical, the user must have entered the appropriate password, and
is authenticated. If they are different, the user entered the wrong password, and access is
denied.

Secure Communications - 802.1X and EAP
802.1X is:
• “Port Based Network Access Control”
• Includes EAP (Extensible Authentication Protocol)
• An authentication framework that describes many specific authentication protocols
• Designed to provide authentication at Layer 2, before a node receives an IP address
• Protects against the “roaming infected laptop”
• Available for both wired and wireless, but is most commonly deployed on WLANs
• An EAP client is called a supplicant, which requests authentication from an
authenticator

Domain 4: Communication and Network
Security
EAP Types
• LEAP (Lightweight Extensible Authentication Protocol)
• Cisco-proprietary protocol released before 802.1X was
finalized
• Has significant security flaws, and should not be used
• EAP-TLS (EAP-Transport Layer Security)
• Uses PKI, requiring both server-side and client-side certificates
• Establishes a secure TLS tunnel used for authentication
• Very secure due to the use of PKI, but is complex and costly
for the same reason

EAP Types
• EAP-TTLS (EAP Tunneled Transport Layer Security)
• Developed by Funk Software and Certicom
• Simplifies EAP-TLS by dropping the client-side certificate requirement, allowing other
authentication methods (such as password) for client-side authentication
• Easier to deploy than EAP-TLS, but less secure when omitting the client-side certificate
• PEAP (Protected EAP)
• Jointly developed by Cisco Systems, Microsoft, and RSA Security
• Similar to (and may be considered a competitor to) EAP-TTLS, including not requiring
client-side certificates

Secure Communications - VPN
• Secure data sent via insecure networks such as the Internet
• Goal is to provide the privacy provided by a circuit such as a T1, virtually
SLIP and PPP
• SLIP (Serial Line Internet Protocol)
• A Layer 2 protocol
• Provides IP connectivity via asynchronous connections such as serial lines and modems
• First introduced in 1988
• Allowed routing packets via modem links for the first time (previously, modems were
primarily used for nonrouted terminal access)
• Provides no built-in confidentiality, integrity, or authentication
• Largely replaced with PPP

• Secure data sent via insecure networks such as the Internet
• Goal is to provide the privacy provided by a circuit such as a T1, virtually
SLIP and PPP
• PPP (Point-to-Point Protocol)
• A Layer 2 protocol
• Based on HDLC
• Adds confidentiality, integrity, and authentication via point-to-point links
• Supports synchronous links (such as T1s) in addition to asynchronous links such as
modems

• PPTP (Point-to-Point Tunneling Protocol)
• Tunnels PPP via IP
• Developed by a consortium of vendors, including Microsoft, 3COM, and others
• Uses GRE (Generic Routing Encapsulation) to pass PPP via IP, and uses TCP for a control
channel (using TCP port 1723)
• L2TP (Layer 2 Tunneling Protocol)
• Combines PPTP and L2F (Layer 2 Forwarding, designed to tunnel PPP)
• Focuses on authentication and does not provide confidentiality
• Frequently used with IPSec to provide encryption
• L2TP can also be used on non-IP networks, such as ATM

• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)

• IPv4 has no built-in confidentiality
• IPSec (Internet Protocol Security) was designed to provide
confidentiality, integrity, and authentication via encryption for IPv6
• IPSec has been ported to IPv4
• IPSec is a suite of protocols:
• Major two are Encapsulating Security Protocol (ESP) and Authentication Header
(AH)
• Each has an IP protocol number: ESP is protocol 50; AH is protocol 51.

IPSec Architectures
• IPSec has three architectures:
• Host-to-gateway
• Also called client mode
• Used to connect one system which runs IPSec client software to an IPSec gateway
• Gateway-to-gateway
• Also called point-to-point
• Connects two IPSec gateways, which form an IPSec connection that acts as a shared routable
network connection
• Host-to-host
• Connects two systems (such as file servers) to each other via IPSec
• Many modern operating systems, such as Windows 7 or Ubuntu Linux, can run IPSec natively,
allowing them to form host-to-gateway or host-to-host connections

Tunnel and Transport Mode
• IPSec can be used in tunnel mode or transport mode
• Tunnel mode provides confidentiality (ESP) and/or authentication (AH)
to the entire original packet, including the original IP headers
• Transport mode protects the IP data (layers 4-7) only, leaving the
original IP headers unprotected
• Both modes add extra IPSec headers (an AH header and/or an ESP
header)

SSL and TLS
• Secure Sockets Layer (SSL) was designed to protect HTTP (Hypertext Transfer
Protocol) data
• HTTPS uses TCP port 443
• TLS (Transport Layer Security) is meant to replace SSL. SSL v3.0 was deprecated in
June, 2015.
• The current version of TLS is 1.2, described in RFC 5246 (see:
http://tools.ietf.org/html/rfc5246); TLS 1.3 is in draft.
• Can be used to tunnel other IP protocols to form VPN connections
• SSL VPNs can be simpler
• SSL client software does not require altering the operating system
• IPSec is difficult to firewall; SSL is much simpler.

SSL and TLS

SSL and TLS
pseudorandom
function family
(PRF)

VoIP
Voice over Internet Protocol
• Carries voice via data networks
• Brings the advantages of packet-switched networks, such as lower cost and
resiliency, to the telephone
• Common VoIP protocols
• Real-time Transport Protocol (RTP), designed to carry streaming audio and video. VoIP
protocols carried by RTP include SIP (Session Initiation Protocol, a signaling protocol)
and H.323.
• SRTP (Secure Real-time Transport Protocol) may be used to provide secure VoIP,
including confidentiality, integrity, and secure authentication. SRTP uses AES for
confidentiality and SHA-1 for integrity.

VoIP
Voice over Internet Protocol
• If the network goes down, both voice and network data go
down
• In the event of network compromise, use other methods such as cell
phones for out-of-band communication
• If an attacker has compromised a network, they may be able to
compromise the confidentiality or integrity of the VoIP calls on
that network
• Many VoIP protocols, such as SIP, provide little or no security
by default. In that case, eavesdropping on a VoIP call is as
simple as sniffing with a tool like Wireshark (see
http://www.wireshark.org), selecting the “Telephony → VoIP
Calls” menu, choosing a call and pressing “Player”

Wireless Local Area Networks
• Transmit information via electromagnetic waves (such as radio) or light
• The most common form of wireless data networking is the 802.11 wireless
standard
• The first 802.11 standard with reasonable security is 802.11i
DoS & Availability
• WLANs have no way to assure availability
• An attacker with physical proximity can launch a variety of Denial-of-Service
attacks, including polluting the wireless spectrum with noise
• Critical applications that require a reliable network should use wired
connections

Unlicensed Bands
• A “band” is a small amount of contiguous radio spectrum
• Industrial, Scientific, and Medical (ISM) bands are set aside for unlicensed use
(no license from an organization such as the Federal Communications
Commission (FCC) require to use them)
• Many wireless devices such as cordless phones, 802.11 wireless, and
Bluetooth use ISM bands
• Different countries use different ISM bands: two popular ISM bands used
internationally are 2.4 and 5 GHz

FHSS, DSSS, and OFDM
• Frequency Hopping Spread Spectrum (FHSS)
• Method of sending traffic via a radio band
• Designed to maximize throughput while minimizing the effects of interference
• Uses a number of small frequency channels throughout the band and “hops” through them in pseudorandom order
• Direct Sequence Spread Spectrum (DSSS)
• Method of sending traffic via a radio band
• Designed to maximize throughput while minimizing the effects of interference
• Uses the entire band at once, “spreading” the signal throughout the band
• Orthogonal Frequency-Division Multiplexing (OFDM)
• A newer multiplexing method
• Allows simultaneous transmission using multiple independent wireless frequencies that do not interfere with
each other

802.11 abgn

SSID and MAC Address Filtering
• 802.11 WLANs use a Service Set Identifier (SSID), which acts as a network name
• Wireless clients must know the SSID before joining the WLAN
• SSIDs are normally broadcasted; some WLANs are configured to disable SSID
broadcasts
• Relying on the secrecy of the SSID is a poor security strategy: a wireless sniffer in
monitor mode can detect the SSID used by clients as they join WLANs: this is true
even if SSID broadcasts are disabled
• MAC addresses are exposed in plaintext on 802.11 WLANs: trusted MACS can be
sniffed, and an attacker may reconfigure a nontrusted device with a trusted MAC
address in software

WEP
• Wired Equivalent Privacy protocol
• Has proven to be critically weak: new attacks can break any WEP key in
minutes
• Provides little integrity or confidentiality protection
• Its use is strongly discouraged. 802.11i and/or other encryption methods such
as VPN should be used in place of WEP
• Has 40 and 104-bit key lengths, and uses the RC4 cipher
• Frames have no timestamp and no replay protection

WEP has been widely criticized for a number of weaknesses.
◦ Weakness: Key Management and Key Size.
◦ Weakness: The Initialization Vector (IV) is Too Small.
◦ Weakness: The Integrity Check Value (ICV) algorithm is not appropriate.
◦ Weakness: WEP's use of RC4 is weak.
◦ Weakness: Authentication Messages can be easily forged.

802.11i
• The first 802.11 wireless security standard
• Provides reasonable security
• Describes a Robust Security Network (RSN), which allows pluggable authentication modules
• RSN allows changes to cryptographic ciphers as new vulnerabilities are discovered
• RSN is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i
• By default, WPA2 uses AES encryption to provide confidentiality, and CCMP (Counter Mode CBC MAC Protocol) to
create a Message Integrity Check (MIC), which provides integrity
• WPA2 may (optionally) use the less secure RC4 (Rivest Cipher 4) and TKIP (Temporal Key Integrity Protocol) ciphers
to provide confidentiality and integrity, respectively.
The less secure WPA (without the “2”) was designed for access points that lack the power to implement the full
802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP for
integrity. Usage of WPA2 is recommended over WPA.

Bluetooth
• Described by IEEE standard 802.15
• A Personal Area Network (PAN) wireless technology, operating in the same 2.4 GHz frequency as many types of
802.11 wireless
• Can be used by small low-power devices such as cell phones to transmit data over short distances
• Versions 2.1 and older operate at 3 mbps or less; Versions 3 (announced in 2009) and higher offer far faster
speeds
• Three classes of devices
• Class 3: under 10 meters
• Class 2: 10 meters
• Class 1: 100 meters
• Uses the 128-bit E0 symmetric stream cipher
• Cryptanalysis has proven it to be weak; attacks show the true strength to be 38 bits or less
• Sensitive devices should disable automatic discovery by other Bluetooth devices

PDAs
• Personal Digital Assistants (PDAs)
• PDA operating systems include Apple iPhone OS, Symbian OS, Palm,
Windows CE, Windows Mobile, Blackberry, and Google’s Android,
among others
• Two major issues regarding PDA security are loss of data due to theft or
loss of the device, and wireless security
• Sensitive data on PDAs should be encrypted

Wireless Application Protocol
• Designed to provide secure Web services to handheld wireless devices
• Based on HTML, and includes HDML (Handheld Device Markup
Language)
• Authentication is provided by Wireless Transport Layer Security
(WTLS), which is based on TLS
• A WAP browser is a microbrowser, connecting to a WAP gateway, which
is a proxy server designed to translate Web pages

RFID
• Radio Frequency Identification (RFID)
• A technology used to create wirelessly readable tags for animals or objects
• There are three types of RFID tags:
• Active
• Have a battery
• An active tag broadcasts a signal
• Can operate via larger distances
• Devices like toll transponders
• Semi-passive
• Have a battery
• Semi-passive RFID tags rely on a RFID reader’s signal for power
• Passive
• Have no battery
• Rely on the RFID reader’s signal for power
• Tracking inventory in a warehouse

RFID
• Signals may be blocked with a Faraday Cage
• Cage can be as simple as aluminum foil wrapped around an object
• Instructions for building a Faraday Cage wallet (designed to protect smart cards with RFID chips) from
aluminum foil and duct tape are available at:
http://howto.wired.com/wiki/Make_a_Faraday_Cage_Wallet

Remote Access
ISDN
• Integrated Services Digital Network (ISDN)
• An earlier attempt to provide digital service via “copper pair,” the POTS (Plain
Old Telephone Service)
• Devices are called terminals
• Basic Rate Interface (BRI) service provides two 64K digital channels (plus a
16K signaling channel) via copper pair
• PRI (Primary Rate Interface) provides twenty-three 64K channels, plus one
16K signaling channel

Remote Access
DSL
• Digital Subscriber Line (DSL)
• “last mile” solution similar to ISDN: use existing copper pairs to provide digital
• Common types of DSL are
• Symmetric Digital Subscriber Line (SDSL, with matching upload and download speeds)
• Asymmetric Digital Subscriber Line (ADSL, featuring faster download speeds than upload)
• Very High Rate Digital Subscriber Line (VDSL, featuring much faster asymmetric speeds)
• HDSL (High-data-rate DSL), which matches SDSL speeds using two pairs of copper; HDSL is used to
provide inexpensive T1 service
• As a general rule, the closer a site is to the Central Office (CO), the faster the
available service

Remote Access
DSL

Remote Access
Cable Modems
• Used by Cable TV providers to provide Internet access via broadband
cable TV
• Broadband, unlike baseband, has multiple channels (like TV channels)
• Dedicating bandwidth for network services requires dedicating
channels for that purpose
• Unlike DSL, Cable Modem bandwidth is typically shared with neighbors
on the same network segment

Remote Access
Callback & Caller ID
• Callback
• Modem-based authentication system
• User connects via modem and authenticates. The system hangs up, and calls the user
back at the preconfigured number.
• Caller ID
• Similar method: in addition to username and password, it requires calling from the
correct phone number
• Caller ID can be easily forged: many phone providers allow the end user to select any
Caller ID number of their choice. This makes Caller ID a weak form of authentication.

Remote Access
Instant Messaging
• Allows two or more users to communicate with each other via real-time “chat”
• Chat may be one-to-one, or many-to-many via chat groups
• In addition to chatting, most modern instant messaging software allows file sharing, and sometimes audio and
video conferencing
• IRC (Internet Relay Chat)
• A global network of chat servers and clients created in 1988
• Still very popular even today
• IRC servers use TCP port 6667 by default, but many IRC servers run on nonstandard ports
• IRC can be used for legitimate purposes, but is also used by malware, which may “phone home” to a command-and-control
channel via IRC (among other methods)
• Other chat protocols and networks include AOL Instant Messenger (AIM), ICQ (short for “I seek you”), and
Extensible Messaging and Presence Protocol (XMPP) (formerly known as Jabber).
• Organizations should have a policy controlling the use of chat software and technical controls in place to monitor
and, if necessary, block their usage.

Remote Access
Remote Meeting Technology
• A newer technology that allows users to conduct online meetings via
the Internet, including desktop sharing functionality
• Two commercial remote meeting solutions are “GoToMeeting” by Citrix
Systems, and Microsoft Office Live Meeting
• Some solutions allow users to remotely control another connected PC.
• Many of these solutions are designed to tunnel outbound SSL or TLS
traffic, which can often pass via firewalls and any Web proxies

We did it!
Done with Domain 4 – Quiz is forthcoming
Now on to Domain 5: Identity and Access Management (Controlling
Access and Managing Identity)

Domain 5: Identity and Access Management
• Authentication Methods
• Access Control Technologies
• Access Control Models

Unique Terms and Definitions
• Crossover Error Rate (CER) – describes the point where the False Reject Rate (FRR)
and False Accept Rate (FAR) are equal.
• Discretionary Access Control (DAC) – gives subjects full control of objects they have
created or been given access to, including sharing the objects with other subjects
• False Accept Rate (FAR) – occurs when an unauthorized subject is accepted by the
biometric system as valid. Also called a Type II error.
• False Reject Rate (FRR) – occurs when an authorized subject is rejected by the
biometric system as unauthorized. Also called a Type I error.
• Mandatory Access Control (MAC) – system-enforced access control based on
subject’s clearances and object’s labels
• Role-Based Access Controls (RBAC) – subjects are grouped into roles and each
defined role has access permissions based upon the role, not the individual

Cornerstone access control concepts
The CIA triad
• CIA stands for confidentiality, integrity, and availability
• All three work together to provide assurance that data and systems
remain secure
• Do not assume that one part of the triad is more important than
another
• Every IT system will require a different prioritization of the three
• The opposite of CIA is disclosure, alteration, and destruction (DAD)

Confidentiality
• Keeping data secret
• Data must only be accessible to users who have the clearance, formal access
approval, and the need to know
• National security information
• Laws (example) - Health Insurance Portability and Accountability Act (HIPAA),
requires that medical providers keep the personal and medical information of their
patients private
• Information may be disclosed by unauthorized access to the system, the unencrypted
transmission of data across an insecure network, or a trusted user relaying
information to an unauthorized user
• Most users have no idea how easy it would be for someone to compromise
confidentiality

Integrity
• Protects against unauthorized alteration of data
• Important when the correctness of data is vital
Availability
• Ensures that information is readily accessible to authorized users or
programs as the information is needed
• Often the least considered part of the CIA triad, but most noticed when
not functioning properly.
• The protection of CIA is everyone’s responsibility in some part.

Identification and AAA
• Identification provides an identity to a system
• Alone it is just a claim
• Must be proven via authentication, which proves an identity claim
• A username is identification and a password is one method for providing authentication
• Identities must be unique
• AAA stands for authentication, authorization, and accountability
• Identity is implied in AAA
• Authorization describes the actions an identified and authorized user is allowed to take on a
system
• Accountability describes the ability to determine which actions each user performed on a system
• Sharing accounts (identities) harms accountability: policy should forbid sharing accounts, and
security awareness should be conducted to educate users of this risk
• Authorization creep occurs when subjects not only maintain old access rights but
gain new ones as they move from one division to another within an organization.

Subjects and objects
• A subject is an active entity on a data system
• People accessing data files
• Running computer programs (e.g. a Dynamic Link Library file or a Perl script that
updates database files)
• An object is any passive data within the system
• Can range from databases to text files
• Do not manipulate other objects

Access control models
• The primary models are Discretionary Access Control (DAC), Mandatory
Access Control (MAC), and Non-Discretionary Access Control
• Do not think of one model being better than another
• Each model is used for a specific information security purpose

Discretionary Access Controls (DAC)
• Gives subjects full control of objects they have been given access to,
including sharing the objects with other subjects
• Subjects are empowered and control their data
• Standard UNIX and Windows operating systems use DAC for filesystems
• If a subject makes a mistake, such as attaching the wrong file to an
email sent to a public mailing list, loss of confidentiality can result
• Mistakes and malicious acts can also lead to a loss of integrity or
availability of data

Mandatory Access Controls (MAC)
• System-enforced access control based on subject’s clearance and object’s labels
• Subjects and Objects have clearances and labels, respectively, such as confidential, secret,
and top secret
• A subject may access an object only if the subject’s clearance is equal to or greater than
the object’s label
• Subjects cannot share objects with other subjects who lack the proper clearance, or
“write down” objects to a lower classification level (such as from top secret to secret)
• Usually focused on preserving the confidentiality of data
• Expensive and difficult to implement
• Clearing users is an expensive process
• Some examples of MAC systems are Honeywell’s SCOMP and Purple Penelope
• Developed under tight scrutiny of the U.S. and British Governments
• Another example is the Linux Intrusion Detection System (LIDS; see http://www.lids.org)
• LIDS is a specially hardened Linux distribution that uses MAC

Non-Discretionary Access Control
• Role-Based Access Control (RBAC) defines how information is accessed on a system
based on the role of the subject
• Subjects are grouped into roles and each defined role has access permissions based
upon the role, not the individual
• According to NIST (see: http://csrc.nist.gov/rbac)
• Keeps each role separate on the system and reduces the exposure of more sensitive
accounts
• RBAC is a type of non-discretionary access control because users do not have
discretion regarding the groups of objects they are allowed to access, and are unable
to transfer objects to other subjects
• Task-based access control is another non-discretionary access control model
• Based on the tasks each subject must perform, such as writing prescriptions, or restoring data from a backup tape, or opening a
help desk ticket
• Focusing on specific tasks, instead of roles

Content and Context-Dependent Access Controls
• Not full-fledged access control methods
• Typically play a defense-in-depth supporting role
• May be added as an additional control, typically to DAC systems
• Content-dependent access control
• Adds additional criteria beyond identification and authentication: the actual content the subject is attempting to access
• Example: All employees of an organization may have access to the HR database to view their accrued sick time and
vacation time. Should an employee attempt to access the content of the CIO’s HR record, access is denied.
• Context-dependent access control
• Applies additional context before granting access
• A commonly used context is time

Centralized Access Control
• Concentrates access control in one logical point for a system or organization
• Can be used to provide Single Sign-On (SSO), where a subject may
authenticate once, and then access multiple systems
• Can centrally provide the three “A’s” of access control: Authentication,
Authorization, and Accountability
• Authentication: proving an identity claim
• Authorization: authenticated subjects are allowed to take on a system
• Accountability: the ability to audit a system and demonstrate the actions of subjects

Decentralized Access Control
• Allows IT administration to occur closer to the mission and operations of the
organization
• Also called distributed access control
• Provides more local power: each site has control over its data
• The U.S. military uses decentralized access control in battlefield situations
Exam Warning - Do not get confused on the CISSP exam if asked about DAC compared
to decentralized access control. DAC stands for discretionary access control.
Decentralized access control will always be spelled out on the exam.

Authentication Methods
• A subject first identifies his or her self; this identification cannot be
trusted
• The subject then authenticates by providing an assurance that the
claimed identity is valid
• A credential set is the term used for the combination of both the
identification and authentication of a user
• Three basic authentication methods: Type 1 (something you know),
Type 2 (something you have), and Type 3 (something you are). A fourth
type of authentication is some place you are.

Type 1 Authentication: Something You Know
• Requires testing the subject with some sort of challenge and response
where the subject must respond with a knowledgeable answer
• Subject is granted access on the basis of something they know, such as
a password or PIN (Personal Identification Number, a number-based
password)
• The easiest, and often weakest, form of authentication

Type 1 Authentication: Something You Know - Passwords
• The cornerstone for access control to IT systems
• Relatively easy and cheap to implement
• Static passwords
• Reusable passwords that may or may not expire
• Typically user-generated and work best when combined with another
authentication type, such as a smart card or biometric control

• Passphrases
• Long static passwords, comprised of words in a phrase or sentence
• An example of a passphrase is: “I will pass the CISSP® in 2 months!”
• Usually have less randomness per character compared to shorter complex
passwords (such as “B$%Jiu⁎!”), but make up for the lack of randomness with
length
• One-time passwords
• Used for a single authentication
• Very secure but difficult to manage
• A one-time password is impossible to reuse and is valid for just one-time use

• Dynamic passwords
• Change at regular intervals
• RSA Security makes a synchronous token device called SecureID that generates a
new token code every 60 seconds. The user combines their static PIN with the RSA
dynamic token code to create one dynamic password that changes every time it is
used.
• One drawback when using dynamic passwords is the expense of the tokens
themselves
• Strong authentication (also called multifactor authentication) requires
that the user present more than one authentication factor

Type 1 Authentication: Something You Know – Passwords
Password Hashes and Password Cracking
• In most cases, clear text passwords are not stored within an IT system; only the
hashed outputs
• Hashing is one-way encryption using an algorithm and no key
• When a user attempts to log in, the password they type is hashed, and that hash is
compared against the hash stored on the system
• The hash function cannot be reversed: it is impossible to reverse the algorithm and
produce a password from a hash
• An attacker may run the hash algorithm forward many times, selecting various
possible passwords, and comparing the output to a desired hash, hoping to find a
match (and to derive the original password). This is called password cracking.

• Password hashes for modern UNIX/Linux systems are stored in/etc/shadow
(which is typically readable only by root)
• Windows systems store hashes both locally and on the domain controller (DC)
in a file called the security account management file or SAM file
• Password hashes may be sniffed on networks or read from memory
• The SAM file is locked while the Windows operating system is running: tools
such as fgdump by foofus.net (http://www.foofus.net/fizzgig/fgdump/) can
dump the hashes from memory

• Cain & Abel hash calculator (see http://www.oxid.it/cain.html). The
only difference between the two entries is that the “P” in password is
capitalized.

Dictionary Attacks
• Uses a word list: a predefined list of words, and then runs each word through a hash algorithm
• Fastest type of password attack, but often the least effective
Note - Attackers will often tune their dictionary to their target, adding a Spanish dictionary to their
word list for a target organization with Spanish speakers, or even a Klingon dictionary for an
organization with Star Trek fans. Packetstorm Security maintains multiple dictionaries at:
http://packetstormsecurity.org/Crackers/wordlists/.
• Many organizations require users to create passwords that have a special character, number, capital
letter, and be eight characters or greater
• Cain & Abel has cracked user deckard’s password with a dictionary attack: his password is
“replicant,” shown as “REPLICANT” as the LM hash, which ignores case
• Access to the SAM file (Windows) and shadow file (UNIX/Linux) should be restricted.

Dictionary Attacks

Brute-Force and Hybrid Attacks
• Take more time, but are more effective
• Calculates the hash outputs for every possible password
• With the advances in CPU speeds and parallel computing, the ability to brute-force
complex passwords has been considerably reduced
• Attackers may also use a rainbow table for their password attack
• Acts as a database that contains the precomputed hashed output for most or all possible
passwords
• Rainbow tables are not always complete: they may not include possible password/hash
combinations.
• A hybrid attack appends, prepends, or changes characters in words from a dictionary
before hashing, to attempt the fastest crack of complex passwords

Tools
1. Brutus
Brutus is one of the most popular remote online password cracking
tools. It claims to be the fastest and most flexible password cracking tool.
This tool is free and is only available for Windows systems. It was
released back in October 2000.

Tools
2. RainbowCrack
RainbowCrack is a hash cracker tool that uses a large-scale time-memory
trade off process for faster password cracking than traditional brute
force tools. Time-memory trade off is a computational process in which
all plain text and hash pairs are calculated by using a selected hash
algorithm. After computation, results are stored in the rainbow table.
This process is very time consuming. But, once the table is ready, it can
crack a password must faster than brute force tools.

Tools
3. Wfuzz
Wfuzz is another web application password cracking tool that tries to
crack passwords with brute forcing. It can also be used to find hidden
resources like directories, servlets and scripts. This tool can also identify
different kind of injections including SQL Injection, XSS Injection, LDAP
Injection, etc in Web applications.

Tools
4. Cain and Abel
Cain and Abel is a well-known password cracking tool that is capable of
handling a variety of tasks. The most notable thing is that the tool is only
available for Windows platforms. It can work as sniffer in the network,
cracking encrypted passwords using the dictionary attack, recording VoIP
conversations, brute force attacks, cryptanalysis attacks, revealing
password boxes, uncovering cached passwords, decoding scrambled
passwords, and analyzing routing protocols.

Tools
5. John the Ripper
John the Ripper is another well-known free open source password
cracking tool for Linux, Unix and Mac OS X. A Windows version is also
available. This tool can detect weak passwords. A pro version of the tool
is also available, which offers better features and native packages for
target operating systems. You can also download Openwall GNU/*/Linux
that comes with John the Ripper.

Tools
6. THC Hydra
THC Hydra is a fast network logon password cracking tool. When it is
compared with other similar tools, it shows why it is faster. New modules
are easy to install in the tool. You can easily add modules and enhance
the features. It is available for Windows, Linux, Free BSD, Solaris and OS
X. This tool supports various network protocols.

Tools
7. Medusa
Medusa is also a password cracking tool similar to THC Hydra. It claims to
be a speedy parallel, modular and login brute forcing tool. It supports
HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3,
PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC,
VmAuthd and Telnet. While cracking the password, host, username and
password can be flexible input while performing the attack.

Tools
8. OphCrack
OphCrack is a free rainbow-table based password cracking tool for
Windows. It is the most popular Windows password cracking tool, but
can also be used on Linux and Mac systems. It cracks LM and NTLM
hashes. For cracking Windows XP, Vista and Windows 7, free rainbow-
tables are also available.

Tools
9. L0phtCrack
L0phtCrack is an alternative to OphCrack. It attempts to crack Windows
password from hashes. For cracking passwords, it uses Windows
workstations, network servers, primary domain controllers, and Active
Directory. It also uses dictionary and brute force attacking for generating
and guessing passwords. It was acquired by Symantec and discontinued
in 2006. Later L0pht developers again re-acquired it and launched
L0phtCrack in 2009.

Tools
10. Aircrack-NG
Aircrack-NG is a WiFi password cracking tool that can crack WEP or WPA
passwords. It analyzes wireless encrypted packets and then tries to crack
passwords via its cracking algorithm. It uses the FMS attack along with
other useful attack techniques for cracking password. It is available for
Linux and Windows systems. A live CD of Aircrack is also available.

Salts
• Allows one password to hash multiple ways
• Some systems (like modern UNIX/Linux systems) combine a salt with a
password before hashing: “The designers of the UNIX operating system
improved on this method by using a random value called a “salt.” A salt value
ensures that the same password will encrypt differently when used by
different users. This method offers the advantage that an attacker must
encrypt the same word multiple times (once for each salt or user) in order to
mount a successful password-guessing attack.”
• Makes rainbow tables far less effective (if not completely ineffective)

Password Management
• Typically, the minimum password management security features include the following:
• Password history = set to remember 24 passwords
• Maximum password age = 90 days
• Minimum password age = 2 days (this is because users do not cycle through 24 passwords to return immediately to
their favorite)
• Minimum password length = 8 characters
• Passwords must meet complexity requirements = true
• Store password using reversible encryption = false
• These are the minimum password security controls for the U.S. Department of Defense and this
standard has been adopted by the Microsoft community as the baseline password complexity
standard.
• It is not uncommon for users to write down passwords and store them within wallets, address
books, cell phones, and even sticky notes posted on their monitors

Password Control
• Complex passwords are harder to remember
• Users who write passwords down and leave them in an insecure place
(such as under a keyboard or stored in a wallet, purse, or rolodex) can
undermine the entire security posture of a system

Type 2 Authentication: Something You Have
• Something you have - requires that users possess something, which
proves they are an authenticated user
• A token is an object that helps prove an identity claim
• Possessing the car keys, credit cards, bank ATM cards, smartcards, and
paper documents

Asynchronous Dynamic Token
• Not synchronized with a central server
• Most common variety is challenge-response tokens
• Systems produce a challenge, or input for the token device
• The user manually enters the information into the device along with their PIN, and the
device produces an output
• Output is then sent to the system
• Combining access control types is recommended
• Using more than one type of access control is referred to as strong
authentication or multifactor authentication

Asynchronous Dynamic Token

Type 3 Authentication: Something You Are
• Something you are - biometrics, which uses physical characteristics as a means of
identification or authentication
• Biometrics may be used to establish an identity, or to authenticate (prove an identity
claim)
• Associated with the physical traits of an individual, it is more difficult for that
individual to forget, misplace, or otherwise lose control of the access capability
• Care should be given to ensure appropriate accuracy and to address any privacy
issues that may arise
• Should be reliable, and resistant to counterfeiting
• Data storage required to represent biometric information (called the template or the
file size) should be relatively small: 1000 bytes or less is typical

Biometric Fairness, Psychological Comfort, and Safety
• Biometrics should not cause undue psychological stress to subjects, and
should not introduce unwarranted privacy issues
• Biometric controls must be usable by all staff, or compensating controls must
exist
• Potential exchange of bodily fluid is a serious negative for any biometric
control: this includes retina scans (where a user typically presses their eye
against an eyecup), and even fingerprint scanning (where many subjects
touch the same scanner)
• Fully passive controls, such as iris scans, may be preferable (there is no
exchange of bodily fluid)

Biometric Enrollment and Throughput
• Enrollment describes the process of registering with a biometric
system: creating an account for the first time
• Enrollment is a one-time process that should take 2 minutes or less.
• Throughput describes the process of authenticating to a biometric
system
• Also called the biometric system response time
• A typical throughput is 6-10 seconds

Accuracy of Biometric Systems
• Should be considered before implementing a biometric control
program
• Three metrics are used to judge biometric accuracy: the False Reject
Rate (FRR), the False Accept Rate (FAR), and the Crossover Error Rate
(CER).

• False Reject Rate (FRR)
• When an authorized subject is rejected by the biometric system as unauthorized
• Also called a Type I error
• Cause frustration of the authorized users, reduction in work due to poor access
conditions, and expenditure of resources to revalidate authorized users
• False Accept Rate (FAR)
• Occurs when an unauthorized subject is accepted as valid
• Risks an unauthorized user gaining access
• Also called a Type II error

Note - A false accept is worse than a false reject: most organizations would prefer
to reject authentic subjects to accepting impostors. FARs (Type II errors) are
worse than FRRs (Type I errors). Two is greater than one, which will help you
remember that FAR is Type II, which are worse than Type I (FRRs).
Over 40 data points are usually collected and compared in a typical fingerprint
scan. The accuracy of the system may be lowered by collecting fewer minutiae
points (ten or so). This will lower the FRR, but raise the FAR. It also increases the
possibility that a user’s fingerprints would be easier to counterfeit.

• Crossover Error Rate (CER)
• Describes the point where the False Reject Rate (FRR) and
False Accept Rate (FAR) are equal
• Also known as the Equal Error Rate (EER)
• The overall accuracy of a biometric system
• As the accuracy of a biometric system increases, FARs will rise
and FRRs will drop
• As the accuracy is lowered, FARs will drop and FRRs will rise

Types of Biometric Controls
• Fingerprints
• The most widely used biometric control
• Smartcards can carry fingerprint information
• Smart keyboards require users to present a fingerprint to unlock a
computer’s screen saver
• The data used for storing each person’s fingerprint must be of a
small enough size to be used for authentication
• The data is a mathematical representation of fingerprint minutiae,
specific details of fingerprint friction ridges, which include whorls,
ridges, bifurcation, and others

• Retina Scan
• A laser scan of the capillaries which feed the retina of the back of the eye
• Can seem personally intrusive because the light beam must directly enter the pupil,
and the user usually needs to press their eye up to a laser scanner eye cup
• Health information of the user can be gained through a retina scan: conditions such
as pregnancy and diabetes can be determined, which may raise legitimate privacy
issues
• Exchange of bodily fluids is possible Exam Warning - Retina scans are rarely used because of health risks
and invasion-of-privacy issues. Alternatives should be considered for
biometric controls that risk exchange of bodily fluid or raise legitimate
privacy concerns.

• Iris Scan
• A passive biometric control
• A camera takes a picture of the iris (the colored portion of the eye) and then
compares photos within the authentication database
• Works through contact lenses and glasses
• Each person’s two irises are unique, even twins’ irises
• Benefits include high-accuracy, passive scanning (which may be accomplished
without the subject’s knowledge), and no exchange of bodily fluids

• Hand Geometry
• Measurements are taken from specific points on the
subject’s hand
• The devices use a simple concept of measuring and
recording the length, width, thickness, and surface area of
an individual’s hand while guided on a plate.
• Devices are fairly simple, and can store information in as
little as 9 bytes

• Keyboard Dynamics
• Refers to how hard a person presses each key and the rhythm by which the keys are
pressed
• Cheap to implement and can be effective
• As people learn how to type and use a computer keyboard, they develop specific habits
that are difficult to impersonate, although not impossible
• Dynamic Signature
• Measure the process by which someone signs his/her name
• Measuring time, pressure, loops in the signature, and beginning and ending points all
help to ensure the user is authentic

• Voice Print
• Measures the subject’s tone of voice while stating a specific sentence or phrase
• Vulnerable to replay attacks (replaying a recorded voice), so other access controls
must be implemented along with the voice print
• State random words, protecting against an attacker playing pre-recorded specific
phrases

• Facial Scan
• Has greatly improved over the last few years
• Also called facial recognition
• Process of passively taking a picture of a subject’s face and comparing that picture to a list stored in a
database
• Not frequently used for biometric authentication control due to the high cost
• Law enforcement and security agencies use facial recognition and scanning technologies for biometric
identification to improve security of high-valued, publicly accessible targets

• Facial Scan
• Superbowl XXXV was the first major sporting event that used facial recognition technology to look for
potential terrorists. Cameras were placed at every entrance and each attendee’s face was scanned and
compared to a list of active terrorist threats. The technology worked and, although no terrorists were
identified, 19 petty criminals were identified. The companies that make the systems claim they are
primarily a deterrent control.
• Casinos have used the same facial recognition technology since 2003.

Single Sign-On (SSO)
• Allows multiple systems to use a central authentication server (AS)
• Allows users to authenticate once, and then access multiple, different
systems
• Allows security administrators to add, change, or revoke user privileges
on one central system

As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by Chris Dunne,
September 30, 2003, SSO is an important access control and can offer the following benefits:
• “Improved user productivity. Users are no longer bogged down by multiple logins and they are not
required to remember multiple IDs and passwords. Also, support personnel answer fewer requests
to reset forgotten passwords.”
• “Improved developer productivity. SSO provides developers with a common authentication
framework. In fact, if the SSO mechanism is independent, then developers do not have to worry
about authentication at all. They can assume that once a request for an application is accompanied
by a username, then authentication has already taken place.”
• “Simplified administration. When applications participate in a single sign-on protocol, the
administration burden of managing user accounts is simplified. The degree of simplification depends
on the applications since SSO only deals with authentication. So, applications may still require user-
specific attributes (such as access privileges) to be set up.”

The disadvantages of SSO are listed below and must be considered before implementing
SSO on a system:
• “Difficult to retrofit. An SSO solution can be difficult, time consuming, and expensive
to retrofit to existing applications.”
• “Unattended desktop. Implementing SSO reduces some security risks, but increases
others. For example, a malicious user could gain access to a user’s resources if the
user walks away from his machine and leaves it logged in. Although this is a problem
with security in general, it is worse with SSO because all authorized resources are
compromised. At least with multiple logons, the user may only be logged into one
system at the time and so only one resource is compromised.”
• “Single point of attack. With single sign-on, a single, central authentication service is
used by all applications. This is an attractive target for hackers who may decide to
carry out a denial of service attack.”

Questions?
We made it through Class #9!
We made it through Domain 4: Communication and Network Security and
halfway through Domain 5: Identity and Access Management! We rock!
Homework for Thursday (4/27)
◦ Finish reading Domain 4: Communication and Network Security – We will get
through the rest of this domain on Thursday (For real this time!). Come with
questions!
◦ Start reading Domain 5: Identity and Access Management
Stay dry (in Minnesota) and have a great mid-week!

Slide Deck – Session 9 – FRSecure CISSP

More Related Content

What's hot (20)

Viewers also liked (10)

Similar to Slide Deck – Session 9 – FRSecure CISSP (20)

More from FRSecure (20)

Recently uploaded (20)

Slide Deck – Session 9 – FRSecure CISSP