Jim’s CISSP Notes

5: Identity & Access Management


IAM

  • processes and procedures, and tools and tech used to oversee and manage digital identities

  • goal is to provide secure and auditable access to digital resources of the organization

  • revolves around IAAA

    • identity
    • authentication
    • authorization
    • auditing / accounting

Identification, authentication, authorization and accountability

authorized users gain access through identification, authentication and authorization

  • identification

    • an individual makes a claim about an identity
  • authentication

    • individual proves identity to the satisfaction of the access control system
    exam tip:
    remember that identification and authentication are separate and distinct steps!
  • authorization

    • individual is allowed to access the system and/or resources
  • example:

    • identification → username
    • authentication → password
    • authorization → access control list
  • accountability

    • tracks user activity
  • authentication, authorization and accountability are known as AAA

  • note that it’s important that IAM systems work across cloud and on-prem environments

Identification

  • process of making a claim
  • public information
  • identification must be unique
  • standard naming convention should be used
  • identifier shouldn’t contain extra information about the user

Usernames and access cards

identification mechanisms uniquely identify each user of a system

Username

  • usually easily identifies an individual
  • commonly flast (first initial + last name), i.e. jmckenna
  • shouldn’t be considered secret

Access cards

  • often proof of employment

  • may perform identification and authentication

  • magnetic stripe cards

    • easily duplicated
    • not secure
  • smart cards

    • more difficult to forge

    • has a chip

    • card readers

      • read chip on the card
  • proximity cards

    • placed near reader

    • passive cards

      • must be placed inside the reader
      • powered by the reader
    • active cards

      • contain batteries
  • no matter what tech is used for access cards, they must uniquely identify the user

Biometrics

  • uses the idea of “something you are”

  • good biometric systems provide

    • easy enrollment
    • low false acceptance rates
    • low false rejection rates
    • low intrusiveness (“creepy factor”)

Fingerprint

  • often found on devices
    • iPhone, iPad, laptops, etc.
  • allow for self-enrollment
  • low false acceptance
  • low false rejection

Eye scan

  • analyze color patterns of the iris
  • analyze blood vessels of the retina
  • seen as intrusive by some users

Voiceprint

  • requires users to speak a phrase
  • are subject to replay attacks
    • often combined w/ other authentication techniques

Facial recognition

  • scans a user’s facial structure
  • can be seen as intrusive by some users
  • error rates are improving

Other techniques

  • vein pattern analysis
  • gait analysis
  • hand geometry analysis

Registration and identity proofing

establishes an individual’s identity and creates their system account

Registration

  1. request
    request is made for a new identity, usually by someone like a hiring manager

  2. approval
    request is approved for the new identity, usually by someone like an HR or department manager

  3. identity proofing
    requested user is investigated, usually by an org registration authority

  4. issuance
    the new identity is created, usually by a system admin

  • separation of duties
    • ideally all steps are completed by different individuals

Identity proofing

  • must be performed carefully
  • use differing steps and documentation
    • photo ID (Form I-9 approved documents)
    • fingerprinting
    • background checks

Authentication

  • proving an identity
    • type 1: something you know
    • type 2: something you have
    • type 3: something you are
    • type 4: something you do

Authentication factors

Type 1

“something you know,” knowledge-based, cognitive

  • normally a password

    • strong passwords are long and complex
    • passphrases are better
      • easy to remember, hard to guess
  • answers to secret questions

  • password keys also provide knowledge-based authentication

Type 2

“something you have”

  • something you can touch
  • requires physical possession of a device
  • token devices, smart cards, memory cards, hardware keys, cryptographic keys, certificates, cookies

Type 3

“something you are”

  • biometric authentication

  • static

    • shouldn’t significantly change over time
      • bound to a person’s physiological traits
        • fingerprint, palmprint, hand geometry, iris, retina
  • dynamic

    • based on behavioral traits
      • voice, gait, signature, keyboard cadence, etc.
    • although they can be modified temporarily, they are difficult to modify for a longer period of time

Authentication attributes

  • weaker

  • should be used in conjunction w/ type 1–3 factors

  • “somewhere you are”

  • “something you can do”

  • “something you exhibit”

  • “someone you know”

False rejection, false acceptance, crossover error rate

  • false rejection
    type I error
    • system fails to recognize an authorized user
    • less serious
      • results in loss of availability
    • measured by false rejection rate (FRR)
  • false acceptance
    type II error
    • system misidentifies an individual as an authorized user
    • serious error
      • results in unauthorized individuals having access to a system
    • measured by false acceptance rate (FAR)
  • crossover error rate
    CER
    • FAR and FRR aren’t good measures on their own
    • as the false rejection rate goes down, the false acceptance rate goes up, and vice versa
    • FRR ↓ = FAR ↑, FRR ↑ = FAR ↓
    • CER represents when an admin tunes a system to have an equal FAR and FRR value
(figure: CER, the point where the FAR and FRR curves cross)
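As an added illustration (not part of these notes), the FAR/FRR trade-off and the crossover point computed over a constructed set of matcher scores; the scores and the "accept when score >= threshold" rule are assumptions, not data from any real system:

```python
# Constructed matcher scores (0-100): higher means "more like the enrolled user".
GENUINE = [90, 85, 80, 78, 75, 70, 65, 60]     # the right person presenting
IMPOSTOR = [72, 68, 55, 50, 48, 45, 40, 35]    # other people presenting


def far_frr_at(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept when score >= threshold.
    FAR = impostors wrongly accepted (type II), FRR = genuine users wrongly rejected (type I)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def tradeoff_table(genuine=GENUINE, impostor=IMPOSTOR):
    """FAR and FRR at every threshold the data can distinguish; FRR rises as FAR falls."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *far_frr_at(t, genuine, impostor)) for t in thresholds]


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest to equal, and the CER at that point."""
    t, far, frr = min(tradeoff_table(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def is_monotone_tradeoff(genuine=GENUINE, impostor=IMPOSTOR):
    """Sanity check of the rule in the notes: raising the threshold never raises FAR or lowers FRR."""
    rows = tradeoff_table(genuine, impostor)
    return all(b[1] <= a[1] and b[2] >= a[2] for a, b in zip(rows, rows[1:]))
```

With these scores a threshold of 60 accepts every genuine user but also a quarter of impostors, 80 rejects all impostors but locks out most genuine users, and the crossover sits at 68 with CER 0.25.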

Type 2 Devices

Token Devices

  • one time password generator — password is only used once, then is no longer valid
  • reduces vulnerability to sniffing
  • simple to implement (unless you’re a RAT)
  • can be costly — hardware token expense
  • users can lose or damage devices
  • two types: synchronous or asynchronous
    • synchronous
      • synchronizes with an authentication server
      • frequently based on time
      • if damaged or battery dies, needs to be resynced
    • asynchronous
      • challenge-response
        • user logs in
        • authentication returns a challenge to the user
        • user types the challenge into the device
        • token returns a reply
      • only a user’s token can respond with the expected reply
      • more complex than synchronous
      • may provide better protection against sniffing

OTP devices

  • types

    • physical token
      • user presses a button to generate a code
      • proves that they are in possession of the token
    • soft token
      • user retrieves code from app running on their phone
      • alternative for users that don’t want to carry around a token
  • technology

    • HOTP
      HMAC-based one-time password
      • uses a shared secret and a counter
      • creates a new code w/ each button press
    • TOTP
      time-based one-time password
      • uses a shared secret and the time of day
      • creates a new code every x seconds
    • static codes
      • can be created to provide a backup to an MFA device
      • dangerous
        • users should be informed that these codes must be protected

SMS and push notifications

  • both are considered to be less secure
  • phone numbers can be spoofed or stolen

Smart cards

  • verify info stored on chip in the card
  • more secure than memory cards
  • can actually process information
  • includes a microprocessor
  • often integrated with PKI
  • two types:
    • contact
    • contactless
  • threats
    • fault generation:
      • manipulate environmental controls
      • measure errors in order to reverse engineer logic
    • side channel attacks:
      • measure cards while they work (TEMPEST)
        • differential power analysis: measure power emissions
        • electromagnetic analysis: sample the frequencies emitted
    • microprobing
      • remove outer protection of the card’s circuits
      • tap into ROM if possible
      • “die” ROM to read data

Multifactor authentication

  • authentication mechanisms can be tricked

  • MFA combines two or more authentication techniques from two or more of the three authentication categories

  • provides a higher level of assurance

    exam tip:
    many pick biometric as the best authentication, but any one source can be compromised.
    always look for more than one type.
  • mutual authentication is beneficial

  • factors must be from different types

    • i.e. a password and security questions are not MFA
      • both are type 1 factors
    look out!
    look out for questions on the exam like this.

Password authentication protocols

PAP (password authentication protocol)

  • client and server both know the password
  • client sends username/password in plaintext
  • not secure!
    • offers no encryption
    • must only be used w/in an encrypted channel

CHAP (challenge handshake authentication protocol)

  1. client and server both know the password
  2. server sends a random challenge
  3. client computes a hash of the challenge + password
  4. client sends hash to the server
  5. server computes a hash of the challenge + password
  6. server compares its hash result w/ the hash result from the client
  • acceptable security

  • MS-CHAP and MS-CHAP2

    • Microsoft-developed versions of CHAP
    • both are insecure
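The PAP and CHAP exchanges above as an added example (not code from these notes): the shared secret is a constructed value, and the server here holds one outstanding challenge at a time, which is an assumption of this simulation:

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"correct horse battery"   # constructed password known to both client and server


def pap_login(sent_password: bytes) -> bool:
    """PAP: the password itself crosses the wire; whoever captures it can log in later."""
    return hmac.compare_digest(sent_password, SHARED_SECRET)


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over identifier || secret || challenge (MD5 is what the RFC specifies;
    a sniffed response still allows offline guessing of a weak password)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Keeps the current challenge; a response is only good for the challenge that produced it."""

    def __init__(self):
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)                 # random, so it differs every session
        return self.identifier, self.challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        expected = chap_response(identifier, self.challenge, SHARED_SECRET)
        return identifier == self.identifier and hmac.compare_digest(expected, response)


def chap_session(server: ChapServer, secret: bytes):
    """One login: server challenges, client answers from its own copy of the password."""
    ident, challenge = server.new_challenge()
    response = chap_response(ident, challenge, secret)
    return server.verify(ident, response), (ident, response)


def replay_resists() -> bool:
    """Why CHAP beats PAP on a sniffed link: a recorded response is useless against a new challenge."""
    server = ChapServer()
    ok, recorded = chap_session(server, SHARED_SECRET)   # legitimate login; response observed on the wire
    server.new_challenge()                                # next login gets a fresh random challenge
    return ok and not server.verify(*recorded)
```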

Federation and SSO

both seek to reduce burden of IAM on users and admins

  • XML (eXtensible Markup Language)
    • universal format for storing information
  • SPML / SCIM (Service Provisioning Markup Language / System for Cross-domain Identity Management)
    • XML-based formats for exchanging user and resource information and controlling provisioning
  • SAML / OpenID (Security Assertion Markup Language)
    • provides an XML-based framework for exchanging security-related info over networks

Federated identity management

  • individuals have accounts across multiple systems
  • FIM systems share identity info
  • reduces the number of individual identities that a user must have

SSO (single sign-on)

  • shares a single authentication session across multiple systems
    • avoids users needing to log in multiple times
  • presents a single login screen then creates a session that persists across other systems
    • session length can be length of a work day
    • users will then only need to log in once at the beginning of their day
  • allows for:
    • reduction in user and IT frustration
    • reduction of IT budget in managing disparate accounts

RADIUS and TACACS

both provide a centralized approach to AAA

RADIUS (remote authentication dial-in user service)

  • first used for modem pools
  • allows many apps to rely on the same authentication source
  • example:
    • a user wants to access a service
      user → RADIUS client → RADIUS server → AD or LDAP
    • the user is either allowed or denied access
      user ← RADIUS client ← RADIUS server ← AD or LDAP
      or
      user ← RADIUS client ← RADIUS server ← AD or LDAP
tip:
a RADIUS client is usually on an application server.
  • disadvantages
    • uses UDP, which is unreliable
    • doesn’t encrypt the entire authentication sequence
      • just the password

TACACS (terminal access controller access-control system)

  • alternative to RADIUS
  • TACACS
    • 1980s
    • uses UDP
  • XTACACS (extended TACACS)
    • proprietary system developed by Cisco
    • separated AAA functions
    • uses UDP
  • TACACS+
    • open system developed by Cisco
    • uses TCP
    • fully encrypts authentication session

Kerberos and LDAP

Kerberos Basics

  • one of the core protocols of Microsoft Active Directory
  • ticket based authentication system
  • network authentication protocol
  • tries to ensure authentication security in an insecure environment
  • used in Windows 2K+ and some Unix flavors
  • allows for single sign on
  • never transfers passwords
  • uses symmetric encryption to verify identifications
  • avoids replay attacks
  • main goal: users need to authenticate themselves without sending password over the network

Kerberos Components

  • Authentication Server (AS): allows authentication of a user and issues a TGT
  • Ticket Granting Ticket (TGT)
  • Ticket Granting Service (TGS): after receiving a TGT from a user, the TGS issues a ticket for a particular user to access a particular service
  • Key Distribution Center (KDC): a system that runs the TGS and AS
  • ticket: means of distributing a session key
  • principals: users, applications, services
  • Kerberos software: integrated into most OSes. Win2K and up support it

Kerberos Process

  1. user uses Kerberos client to provide username/password

  2. user’s Kerberos client creates clear text authentication requests and sends to authentication server

  3. authentication server looks up the user and retrieves the user’s password

  4. authentication server sends two messages back to the client

    • randomly generated session key
      • used for future communication between the client and the ticket granting server
      • encrypted using the client’s password
    • ticket granting ticket
      • includes
        • info about client
        • copy of the client’s TGS session key
      • encrypted using a key known only to the ticket granting server
  5. client receives messages

    • decrypts the first message using the user’s password
      • gives it access to the client TGS session key
      • if the user didn’t enter the correct password this step won’t work
  6. when client wishes to access a service, client contacts the ticket granting server and sends two things

    • copy of the ticket granting ticket and identity of the requested service
    • an authenticator
      • containing:
        • client’s ID
        • current time
      • encrypted using client TGS session key
  7. TGS receives messages

    1. decrypts the ticket granting ticket to retrieve the client TGS session key
    2. use the client TGS key to decrypt the authenticator and retrieve the client ID and timestamp.
  8. TGS randomly generates a client server session key that the client will use to communicate with the desired service.

  9. TGS then sends two messages back to the client.

    • client server ticket
      • encrypted using the service’s secret key
      • contains the randomly generated client server session key
    • copy of the client server session key
      • encrypted with the client TGS session key
  10. client receives these two messages and is ready to complete the service authentication process

  11. client sends two messages to the service

    • client server ticket that the client received from the ticket granting server
    • new authenticator encrypted with the client server session key

  12. service receives these two messages

    • decrypts the first message to retrieve the client server session key
    • uses this key to decrypt the authenticator
    • validates the client, granting access to the service

Kerberos Concerns

  • computers must have clocks synced within five minutes
  • tickets stored on the workstation
    • if the workstation is compromised, an identity can be forged
  • if the KDC is hacked, security is lost
  • a single KDC is a single point of failure and performance bottleneck
  • still vulnerable to password guessing
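The twelve-step exchange above and the five-minute clock-skew check, as an added simulation (not code from these notes or from any Kerberos implementation): the AS and TGS live in one KDC object, `seal`/`unseal` is a toy HMAC-based authenticated cipher standing in for the symmetric encryption real Kerberos uses, and the realm, user, service and clock values are constructed:

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds; Kerberos rejects authenticators more than five minutes off the KDC clock


def derive_key(password: str) -> bytes:
    """Long-term key derived from the user's password (real Kerberos uses string2key)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    while len(out) < length:
        out += hmac.new(key, nonce + len(out).to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: HMAC keystream + HMAC tag. Stands in for AES in Kerberos."""
    data = json.dumps(payload).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication Server (steps 3-4) and Ticket Granting Server (steps 7-9) in one process."""

    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}
        self.service_keys = {s: derive_key(p) for s, p in services.items()}
        self.tgs_key = os.urandom(32)                 # known only to the TGS

    def as_exchange(self, username: str):
        k_tgs = os.urandom(32).hex()                  # client/TGS session key
        msg = seal(self.user_keys[username], {"tgs_session_key": k_tgs})
        tgt = seal(self.tgs_key, {"client": username, "tgs_session_key": k_tgs})
        return msg, tgt                               # the password itself never leaves the client

    def tgs_exchange(self, tgt: bytes, service: str, authenticator: bytes, now: float):
        tgt_body = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(tgt_body["tgs_session_key"]), authenticator)
        if auth["client"] != tgt_body["client"] or abs(now - auth["time"]) > SKEW:
            raise PermissionError("authenticator rejected")   # replay or clock skew
        k_svc = os.urandom(32).hex()                  # client/service session key
        ticket = seal(self.service_keys[service], {"client": auth["client"], "session_key": k_svc})
        return ticket, seal(bytes.fromhex(tgt_body["tgs_session_key"]), {"session_key": k_svc})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> bool:
    """Step 12: the service decrypts the ticket with its own key, then the authenticator."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["session_key"]), authenticator)
    return auth["client"] == body["client"] and abs(now - auth["time"]) <= SKEW


def login_and_access(kdc, username, password, service, client_clock, kdc_clock):
    """Runs steps 1-12; returns 'ok', 'bad password' or 'rejected'."""
    msg, tgt = kdc.as_exchange(username)                                    # steps 1-4
    try:
        k_tgs = bytes.fromhex(unseal(derive_key(password), msg)["tgs_session_key"])  # step 5
    except ValueError:
        return "bad password"                          # wrong password: first message will not decrypt
    auth = seal(k_tgs, {"client": username, "time": client_clock})          # step 6
    try:
        ticket, reply = kdc.tgs_exchange(tgt, service, auth, kdc_clock)     # steps 7-9
    except PermissionError:
        return "rejected"
    k_svc = bytes.fromhex(unseal(k_tgs, reply)["session_key"])             # step 10
    auth2 = seal(k_svc, {"client": username, "time": client_clock})         # step 11
    ok = service_accepts(kdc.service_keys[service], ticket, auth2, kdc_clock)  # step 12
    return "ok" if ok else "rejected"


def demo():
    """Constructed realm: one user, one service; shows success, bad password and clock skew."""
    kdc = KDC({"alice": "pw-alice"}, {"fileshare": "svc-secret"})
    t = 1_700_000_000
    return (login_and_access(kdc, "alice", "pw-alice", "fileshare", t, t),
            login_and_access(kdc, "alice", "wrong", "fileshare", t, t),
            login_and_access(kdc, "alice", "pw-alice", "fileshare", t, t + 600))
```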

LDAP

lightweight directory access protocol

  • means to query a centralized directory service

    protocol   port
    Kerberos   88
    LDAP       389
    LDAPS      636

NTLM (NT LAN manager)

  • previously used on Windows systems before Kerberos

  • depends on a hash-based challenge-response protocol

  • security issues

    • weak encryption
    • pass-the-hash
      • allows use of credentials from one system to access another system

SAML (security assertion markup language)

  • allows for SSO w/in a browser across different applications

  • three parties

    • principal
      • the user
  • identity provider

    • org providing proof of identity
  • service provider

    • org providing the web-based app that the user wants to use

Steps

  1. principal requests resource use from service provider
  2. service provider redirects to SSO page of the identity provider
  3. principal requests SSO from identity provider
  4. identity provider responds w/ XHTML (SAML)
  5. principal requests assertion from service provider and provides SAML
  6. service provider redirects principal to service

Benefits

  • authenticated session may last for a period of time specified by the identity provider
    • user doesn’t need to reauthenticate during this time
    • provides a true SSO experience
  • service provider uses identity provider’s authentication w/out gaining access to the user’s password
    • password remains a shared secret between the user and the identity provider

IDaaS (identity as a service)

  • allows orgs to move IAM to the cloud
  • example: OneLogin

Directory integration

  • syncs w/ org’s existing on-prem or cloud-based directories to obtain info

Application integration

  • replaces authentication services for SaaS products
  • simplifies user and admin experience

Considerations

  • IDaaS allow the use of MFA
  • need to verify that IDaaS solution meets the org’s requirements for IAM
  • need to conduct security review of the product

OAuth and OpenID Connect

  • related protocols
  • provide federated SSO for the web

OAuth

  • authorization protocol

OpenID Connect

  • authentication protocol

Certificate-based authentication

  • digital certificates may be used for authentication

    • contain a signed copy of a user’s/system’s public key
  • key-based authentication

    1. user creates a key pair
      • keep the private key
      • provide the public key to the server
    2. user makes a connection request
    3. server creates a random challenge and sends to user
    4. user encrypts the random challenge w/ private key and sends it back to server
    5. server decrypts encrypted challenge w/ public key
      • if a match, user is authenticated
  • CAs create digital certs for public keys used in authentication

  • cert authentication use

    • SSH
    • smartcards (CAC/PIV)
    • network access (802.1x)

Accountability

Accountability

ability to trace every action back to a user

Accountability requirements

  • identification

    • each user must have a unique identifier
    • shared or generic accounts must not be used
      • users can’t say “I didn’t do it!”
  • authentication

    • strong authentication prevents unauthorized individuals from gaining access
    • prevents users from denying their activity
      • users can’t claim “I was hacked!”

Auditing and logging

  • systems must track user activity w/ auditing mechanisms
  • logs must be secure
    • admins or users could delete logs to cover tracks
    • logs should be sent to a locked down centralized log server

Session management

  • should use timeouts and screensavers to disconnect users

  • timeouts

    • disconnect user sessions after a predetermined time
      • not user friendly
    • disconnect user sessions after period of inactivity
      • more user friendly
    • require re-authentication to complete sensitive activities
      • more user friendly
  • screensavers

    • common timeout mechanism
    • locks machine and requires re-authentication to deactivate screensaver

Account Control

Account and privilege management

Account management tasks

  • implement least privilege

    • least privilege
      • users should only have minimum permissions necessary for their job function
  • implement separation of duties

    • separation of duties
      • sensitive functions should require action by two separate users
  • implement job rotation

    • job rotation
      • regularly move people between jobs to prevent fraud
  • implement mandatory vacations

    • mandatory vacations
      • enforce periods when employees have no access to systems
  • manage account lifecycle

Account lifecycle

  • provisioning

    • creating new users and granting permissions
  • job changes

    • modify roles
    • modify permissions
    • recertification
      • reviewing access on a regular basis and removing any unnecessary access
  • deprovisioning

    • revoking permissions and deleting identities of terminated users

Account types

different account types require different access controls

  • user account

    • accounts for normal users
      • accountants, receptionists, HR, legal, etc.
    • standard permissions
    • standard monitoring
  • privileged accounts

    • accounts for completing admin functions
      • server maintenance, changing object permissions, etc.
    • shouldn’t be used for routine activities
      • i.e. shouldn’t log in with admin account to complete a time sheet
    • admin permissions
    • strong controls for use
    • monitor all actions
  • guest account

    • should have a temporary lifetime
    • limited permissions
    • standard monitoring
  • shared account

    • reduces accountability
    • shouldn’t be used
  • service account

    • provides access to internal server processes
    • shouldn’t have interactive login rights

    tip:

    • all accounts should be used for a purpose
    • avoid shared responsibility accounts

Account and password policies

  • group policy

    • used in Windows to apply configuration settings to users and computers
  • password policy

    • most common authentication mechanism
    • should be at least eight characters long
    • should contain upper case, lower case, digits, special characters
    • NIST guidance is that complex passwords should be allowed, but not required
  • password expiration policy

    • passwords should be required to be changed at a regular interval
    • should guard against password reuse
    • NIST guidance is that passwords should never expire
  • lockout policy

    • lock out accounts after many incorrect login attempts
  • disablement

    • unused accounts should be disabled
  • password recovery mechanisms

    • allow users to reset passwords on a self-service basis
    • relieves burden on help desk
    • improves user satisfaction

Role management

  • role
    • groups permissions to allow shared security settings

    • Windows security group

      • implements role-based security

Benefits

  • simplifies account management
    • admins can assign permissions to a new user by adding them to an existing role
    • admins can remove permissions to a departing user by removing them from their role
    • removes need to add new permissions to every account
      • new permission can be added to role instead
      • this cascades down to all users in the role
  • replaces the need for shared accounts

Account monitoring

protects against security incidents

Inaccurate permissions

  • can block access needed for work (not enough access)
  • can also violate least privilege (too much access)
  • need to watch for privilege creep

User account audits

used to ensure that users have accurate permissions

  • pull list of account permissions

  • reviews w/ management

  • makes adjustments as needed

  • pay attention to users that have switched jobs/roles

  • attestation

    • formal approval of user permissions
  • unauthorized use

    • illegal actions by legitimate users
  • should examine user, as well as system and service accounts

    • system and service accounts shouldn’t have interactive login rights

Continuous account monitoring systems

  • watch for suspicious activities
  • alerts admins of anomalies

Access policy violations

  • things to look for
    • impossible travel time logins
    • unusual network location logins
    • unusual time-of-day logins
    • deviations from normal behavior
    • deviations in volume of data being transferred

Geotagging and geofencing

  • geotagging
    • tags logs w/ user location
  • geofencing
    • alerts admins if devices leave pre-set boundaries
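Detection logic for three of the violations listed above (impossible travel, unusual time-of-day, geofence) run over constructed geotagged login events, as an added example that is not part of these notes; the speed ceiling, working hours and allowed countries are assumed policy values:

```python
import math
from datetime import datetime

# Constructed sample of geotagged login events (not real data): user, UTC time, lat, lon, country
LOGINS = [
    ("jmckenna", "2024-03-04T08:55:00", 40.7128, -74.0060, "US"),   # New York, start of day
    ("jmckenna", "2024-03-04T09:40:00", 51.5074,  -0.1278, "GB"),   # London 45 minutes later
    ("jmckenna", "2024-03-05T03:10:00", 40.7128, -74.0060, "US"),   # 3 a.m. login
    ("asmith",   "2024-03-04T10:00:00", 35.6762, 139.6503, "JP"),   # outside the geofence
]

MAX_SPEED_KMH = 1000          # faster than a commercial flight means impossible travel
WORK_HOURS = range(7, 20)     # 07:00-19:59 counts as a normal login time
ALLOWED_COUNTRIES = {"US", "GB"}   # the geofence


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_violations(logins):
    """Return (user, time, reason) for every event that breaks one of the three rules."""
    alerts = []
    last = {}  # user -> (time, lat, lon) of the previous login
    for user, ts, lat, lon, country in sorted(logins, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if country not in ALLOWED_COUNTRIES:
            alerts.append((user, ts, "geofence"))
        if t.hour not in WORK_HOURS:
            alerts.append((user, ts, "unusual time-of-day"))
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((user, ts, "impossible travel"))
        last[user] = (t, lat, lon)
    return alerts
```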

Privileged access management

safeguard admin accounts

  • password vaulting

    • store admin password
    • may remote into a server w/ admin account username and password
      • prevents owner of admin account from even knowing password
    • may provide just-in-time access
  • command proxying

    • eliminates need for direct server access
    • PAM system sends commands to services/servers as the admin account
  • monitoring

    • logs admin account activity
  • credential management

    • rotates passwords and keys
  • PAM solutions will need to provide emergency access workflows

  • sudo (super user do)

    • allows users to temporarily assume admin rights
    • use should be minimized

Provisioning and de-provisioning

Provisioning

  • after onboarding

    • creates authentication credentials
    • grants appropriate authorizations
  • workflow should be established for internal job transfers as well

  • should avoid privilege creep

    • privilege creep
      • users accumulate privileges when transferring jobs/roles
      • violates least privilege

Deprovisioning

  • during offboarding
    • disables accounts

    • revokes access at appropriate time

    • prompt termination is critical

      • prevents users from accessing resources w/o permission
      • critical when user leaves under adverse circumstances
  • routine workflow
    • disables accounts on a routine basis
    • used for planned departures
  • emergency workflow
    • immediate suspension of access
    • used for unexpected departures
    • timing is critical!
      • too early, may inform of impending termination
      • too late, may allow access to resources after termination

Authorization

Basics

final step in granting access to a resource or system

  • authorization is ensuring that someone who is authenticated is allowed to access a resource

    • authorization is a preventative control
  • OSes and applications can provide authorization functionality

  • authorization can be based on:

    • user
    • groups
    • roles
    • rules
    • temporal isolation: time of day
    • transaction type

Least privilege principle

  • users should only have minimum permissions necessary for their job function
  • limits damage from insider attacks
    • users only have permissions for limited number of things
  • limits damage from external attacks
    • stolen accounts only have permissions to do a limited number of things

Separation of duties

  • no individual should possess permissions that when combined allow them to perform a highly sensitive action
  • ex. accountant creating a new vendor and cutting checks to that vendor
exam tip:
be able to identify least privilege and separation of duties if given a scenario.

Privilege creep

  • users accumulate privileges when transferring jobs/roles
  • violates least privilege
  • auditing can help mitigate
  • RBAC can defend against creep

Account reviews

  • limit privilege creep
  • can be automated or manual

Access Management

  • controlling a subject’s access to an object
  • controls assignment of rights/privileges to accounts
  • Per (ISC)², IAM solutions:

    “focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems.”

Mandatory and discretionary access control

Mandatory access control (MAC)

  • OS restricts authorizations
    • based on labels on users and objects
    • OS compares labels on users and objects and decides if user can make requested actions
    • users are not allowed to change authorizations
  • rarely used in production environments
  • most common example is SELinux

Discretionary access control (DAC)

  • permissions may be set by owners of files, computers or resources
  • most common method
  • most common example is NTFS permissions in Windows

ACLs (access control lists)

  • resource owners set DAC permissions using ACLs

  • table of usernames and permissions grants to each user

  • NTFS example permissions

    • full control: permission to do anything
    • read: read a file (duh)
    • read and execute: read files and execute executable files
    • write: write changes to a file
    • modify: write and delete permission

Database access control

MSSQL example

  • SQL Server authentication

    • use local database accounts
  • Windows authentication

    • use host Windows server user accounts
  • Mixed authentication

    • use both SQL server and Windows server accounts
  • most other databases can use similar database-based and OS-based authentication

Role-based authorization

  • manages permissions through roles assigned to users by admins

Account-based authorization

  • manages permissions by admins granting explicit permissions to each account

Advanced authorization concepts

Implicit deny

  • any action not explicitly allowed must be denied
  • firewalls are the best example of this principle

RBAC (role-based access control)

  • permissions are grouped together in functional roles
  • users are assigned to those roles

ABAC (attribute-based access control)

  • admins make access control decisions
    • based on characteristics of a user/object/environment
  • allows for conditional access conditions

Location-based control

  • limits access based on geographical locations
  • i.e. you can’t log into the VPN from Iran

Time-based control

  • limits access based on login time
  • i.e. receptionists can’t login during the weekends
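An added example (not from these notes) tying together implicit deny, RBAC, ABAC, location-based and time-based control in one authorization decision; the users, roles, permissions, the placeholder blocked country code and the weekday rule are all constructed assumptions:

```python
from datetime import datetime

# Constructed directory: users -> roles, roles -> (resource, action) permissions
ROLES = {
    "receptionist": {("calendar", "read"), ("calendar", "write")},
    "accountant":   {("ledger", "read"), ("ledger", "write")},
    "admin":        {("ledger", "read"), ("ledger", "write"), ("calendar", "write"), ("server", "admin")},
}
USERS = {"rfront": {"receptionist"}, "ajones": {"accountant"}, "root-ops": {"admin"}}

BLOCKED_COUNTRIES = {"XX"}     # placeholder country code standing in for the notes' VPN example
WEEKDAYS = range(0, 5)         # Monday=0 .. Friday=4; receptionists may not log in at weekends


def role_permits(user, resource, action):
    """RBAC: the permission must be granted to at least one of the user's roles."""
    return any((resource, action) in ROLES[r] for r in USERS.get(user, ()))


def attributes_permit(user, env):
    """ABAC: environment attributes (location, time) can only further restrict access."""
    if env["country"] in BLOCKED_COUNTRIES:                              # location-based control
        return False, "blocked location"
    if "receptionist" in USERS.get(user, ()) and env["when"].weekday() not in WEEKDAYS:
        return False, "outside permitted days"                           # time-based control
    return True, "attributes ok"


def authorize(user, resource, action, env):
    """Implicit deny: nothing is allowed unless a role grants it AND every attribute rule passes."""
    if not role_permits(user, resource, action):
        return "deny: no role grants this"
    ok, why = attributes_permit(user, env)
    if not ok:
        return f"deny: {why}"
    return "allow"
```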

Access Control Attacks

Social engineering

  • manipulates people

    • divulging sensitive info
    • performing an action that undermines security
  • uses several psychological factors:

    • authority and trust
      • people defer to authority
    • intimidation
      • scaring people
    • consensus / social proof
      • herd mentality
    • scarcity
      • getting the last one
    • urgency
      • time is running out
    • familiarity / liking
      • people will say yes to people that are likeable
  • education is the solution to social engineering attacks

Impersonation attacks

  • come in many forms

Spam

  • unsolicited email

  • phishing

    • spam eliciting info

    • often used in recon stage of an attack

    • spear phishing

      • targeted attacks on certain individuals
      • usually have higher success rates
    • invoice attacks

      • send fake invoices to accounting and payment departments
      • hope that fake invoice is inadvertently paid
    • whaling

      • target senior executives
      • often use fake subpoenas
  • prepending attacks

    • [INTERNAL / SAFE] impersonate security filters on email systems (just like that)

Pharming

  • use fake websites
  • typosquatting allows for user confusion
  • often used in conjunction w/ phishing or DNS poisoning

Vishing

  • voice phishing
  • watch Kitboga on Twitch

Smishing and SPIMing

  • SMS and IM phishing

Spoofing

  • faking an identity

  • as with social engineering, education is key

Identity fraud and pretexting

ID fraud

  • targets an individual
  • attempts to impersonate the individual to gain access to accounts, funds, etc.

Pretexting

  • series of steps taken to impersonate
    • attacker contacts various agencies and orgs in an attempt to gain access
    • combine info known about the user as well as security questions
    • attempt to gain a foothold in one system to springboard into others
  • difficult to defend against
    • requires security at every step
  • strong authentication procedures provide protection

Watering hole attacks

  • websites can effectively spread malware

    • users usually trust a website
    • browser add-ons can often have vulnerabilities
    • users are conditioned to not read popups or alerts
  • steps

    1. attacker identifies and compromises popular website
    2. attacker chooses a client exploit and bundles in a botnet
    3. attacker places malware on website
    4. attacker waits for infected systems to “phone home”
  • limitations

    • attackers can’t just build a website
      • have to use popular website
    • content filters can often block malicious material

Physical social engineering

Shoulder surfing

  • watching someone’s screen

  • solutions

    • be aware of surroundings
    • use screen filters

Dumpster diving

  • digging through the trash

  • solution

    • shred sensitive documents
      • shred everything
    • can still be recycled
    • Bob will pick it up for you

Tailgating

  • slipping in behind someone

  • solutions

    • anti-tailgating policy
    • turnstiles

Access

  • data flow between a subject and an object
    • subject is active — person, process, program
    • object is passive — file, database, printer
  • access controls: security mechanisms that control how a subject can interact with objects
    • access controls should:
      • support the CIA triad
      • regulate what a subject can do to an object
      • be layered
      • provide both proactive and reactive protection