By Walkowska Anna, 17 years ago.
for NDS and AD
Order of Acceptance
Retina Pattern
Finger Print
Hand Print
Signature
Keystroke Pattern
Voice Pattern
Sift through large volumes of data for information
Traffic analysis
Learning something through analysis
When someone has altered your code
Root kits
Exploits hardware vulnerabilities
Faultline Attacks
Exploits time base vulnerabilities
Time of Use
Time of Check
Specifically crafted URLs
Buffer Overflow
Stack Smashing
Resource Exhaustion
Spamming
Flooding
SYN Flood
Fork Bomb
Trap Doors
Trojan
Worm
Must use Reference Monitor
Ensures interactions between Subjects and Objects are:
Irrevocable
Tamper-proofed
Verifiable
Role Based
Discretionary
Mandatory
Interaction dictated by policy
How are the rules enforced?
What are the business rules?
Rules evaluated in Security Reference Monitor to allow or disallow interaction
Rules = Attributes
Objects assigned security attributes
Subject assigned Security Attributes
In addition to rules
Can be used to group Subjects
Can be used to group Objects
Data objects = Classifications
Users/Subjects = Clearances
Windows NT4
No Access
UNIX
Execute
Write
Read
ports
sockets
devices
pipes
Directories
Files
Processes
Helps detect fraud
Most Secure = No Access
Each input processing path should be independent and have no internal relationships
Based on variations in the input there should be no way to predict the output
Additional reading
ucsb.edu
Sans Reading Room
Uses normal system resources to signal information
Can not be stopped
Can be introduced deliberately
Information flows from higher to lower classifications
Monitors changes introduced after the initial state
By Event
By chronology
Captures the state of a system at a given point of time
Example: Authentication
Authorized
Authorization Pending
Authenticated
Authentication Pending
Unauthenticated
related to access models
In the role-based model, a role is defined as a set of operations on objects. The role represents a function or job in the application. The access rule is defined to bind a subject to the roles.
In the mandatory model, the access rule (s,o,t) is specified so that the flow relation between the subject (s) and the object (o) holds. Read and Write are the only considered forms of operations (t).
In the lattice model, one security class is given to each entity in the system. A flow relation among the security classes is defined to denote that information in one class (s1) can flow into another class (s2).
the tuple
operation
Defined:
A type of dependency that relates two versions of the same object, and thus transformation of one state into another, at successive points in time.
Closely related to Lattice
Assigned classes dictate whether an object being accessed by a subject can flow into another class
Emphasizes Garbage in Garbage out
Manages access by evaluating system as a whole
Prompt revocation
Review
Logging
Update periodically
Review Account data
Good time for orientation/training
Verifies individual before providing access
Most important step
object
program
subject
Integrity Preserving (enforcement)
Transformational procedures executed serially and not in parallel
Triples are carefully maintained
Subjects Identities are Authenticated
How integrity of constrained items is maintained
Integrity Monitoring (certification)
Notions
Unconstrained data items are validated
Accesses are logged
Duties are separated
Transformational procedures act validly
Constrained data items are consistent
External Consistency
Relation of the internal state of a system to the outside world
Internal Consistency
Properties of the internal state of the system
Integrity Property
Simple integrity property
A user cannot read data of a lower integrity level than theirs
A user cannot write data to a higher level than they are assigned
Strong tranquility property:
Labels never change during system operation
Weak Tranquility:
Security labels of subjects never change in such a way as to violate a defined security policy
Can only act on a single level
No write up
No read down
No Write Down (Property)
Prevents write-down trojans for declassifying data
No Read Up (Simple Property)
The property that any two elements must have a unique least upper bound and greatest lower bound
A partial Ordering relation
A set of elements
Awareness
Antivirus
Fixes
Clients: TFN2K
A zombie is a computer infected with a daemon/system agent without the owner’s knowledge and subsequently controlled by an attacker
Requires the attacker to have many compromised hosts which overload a targeted server with packets until the server crashes.
Backhoe transmission loss
Smart pipes - provide damage detection information. Thus, if a cable were damaged, the smart pipe would be able to determine the type of damage to the cable, the physical position of the damage, and transmit a damage detection notification.
Backhoe cuts into the cabling system carrying transmission links
SYN Flooding
Smurf
Ping of Death
Distributed Denial-of-Service
E-mail spamming
Occurs when invalid data is sent in such a way that it confuses the server software and causes it to crash.
Involve some modification of the data transmission or the creation of a false transmission.
Involve monitoring or eavesdropping on transmissions.
This is a digital attack that attempts to get under a security system by accessing low-level system functions.
A trapdoor is an opening that system developers use to bypass the user authentication process in software. It may be inadvertently left available after software delivery.
This is the act of masquerading as a different IP address. Packets can be formatted with false (or fake) addresses to hide the originator’s true location. It involves an intruder connected to the network and pretending to be a trusted host.
This occurs when an unauthorized user tries to con authorized users into providing the information needed to access systems
This is the process of direct visual observation of monitor displays to obtain access to sensitive information.
This is the passive capture of a packet and its subsequent retransmission to produce an unauthorized effect.
This refers to the possibility that sensitive data is available to a new subject. It may occur when magnetic media or memory is reassigned to a new subject and the media or memory still contains one or more objects that have not been purged before the reassignment.
This involves someone who intercepts and manipulates packets being sent to a networked computer. A masquerade takes place when one entity pretends to be a different entity.
Impersonation is masquerading as an authorized user to gain unauthorized access.
Emanations are electronic signals that radiate from hardware devices. Radio-frequency (RF) computer devices are all susceptible to emanation interception. In the United States, TEMPEST equipment is designed to eliminate this problem.
This is the use of software (sniffers) to monitor packets or wiretapping telecommunication links to read transmitted data.
This is when individuals access discarded trash to obtain user identifications, passwords, and other data.
Data remanence occurs when some data, after the magnetic media is written over or degaussed, still remains on the magnetic media.
A covert channel is one that violates the organization’s security policy through an unintended communications path.
Covert channels have the potential for occurring when two or more subjects or objects share a common resource.
Storage channel
A storage channel utilizes changes in stored data to transfer information in an unintended manner.
Timing channel.
A timing channel utilizes the timing of occurrences of an activity to transfer information in an unintended manner.
The buffer overflow problem is one of the oldest and most common problems in software. It can result when a program fills up its buffer of memory with more data than its buffer can hold.
When the program begins to write beyond the end of the buffer, the program’s execution path can be changed. This can lead to the insertion of malicious code that can be used to destroy data or to gain administrative privileges on the program or machine.
Preceding actions
Quotas
XML Data Restrictions
privileges for unlisted users
their Privileges with each object
for Access Control by Abrams and LaPadula
operating on Objects
Microsoft Roles
DENY Data Writer
DENY Data Reader
Data Writer
Data Reader
Database functionality
Ability to Query (Select)
Default Sorting Order
Adjusting the schema
Higher possibility of unintended results
No protection against even "trusted" user error
Errors lead to possible great escalation of privilege
Open to malicious software
No distinction between users
Subject to user arbitrary discretion
DAC generally assumes a benign software environment
Processes can change access control attributes
Processes are user surrogates and can run arbitrary code and programs
Software Personification
Simple to understand
Gives users control
Ownership concept
Flexible
Convenient
Win2K can be included when context is limited to files and folders
Most *NIX versions
Windows NT4.0
Owners can change security attributes
Assumes following:
Proper physical security is in place
Users do not share accounts or access
Proper clearances have been applied to subjects
Trusted users/administrators
Protects only information in Digital Form
Helps prevent information leakage
Enforces strict controls on multi security systems
Not subject to user error
Controlled by system and cannot be overridden
Purple Penelope
Pump
SCOMP
Multics-based Honeywell
eTrust CA-ACF2
Linux
LIDS
SE by NSA
RSBAC Adamantix Project
Users cannot change security attributes at request
Kerberos
Strengths
Kerberos Ticket Granting Ticket
Must be protected from attacks
Sets temporal limits
Too far from ticket time can indicate spoofed ticket
TGT confirms hashes
Mutual authentication
Local security subsystem creates environment or process and attaches token
This is the authenticating token used to verify access requests
Local Security Subsystem adds to token
Any local access rights
Any local permissions
Any local group memberships
Local Security subsystem creates access token using the user's SID and the SIDs of any groups the user is a member of, from the Workstation session ticket
After authentication the PC's Kerberos service sends a copy of the ticket to the user's PC
Kerberos service on local PC authenticates user with new ticket
PC's Kerberos service consults GCS
PC's Kerberos service consults AD
User's PC asks for another ticket
AKA Workstation session ticket
used to authenticate user to the local PC's workstation service
Local security subsystem sends copy of session ticket to Kerberos service on Domain controller
After authentication, Kerberos server returns requested session ticket to user's computer
used in all future negotiations with Kerberos server
SIDs of all groups user belongs to
Contains user's SID
Kerberos service also accesses a Global Catalog Server to obtain the user's Universal Group Memberships
Kerberos service contacts Active Directory to authenticate user
When domain controller is found
Session ticket will be used by user's computer to authenticate with Kerberos service
Requests session ticket for user
local security subsystem contacts the Kerberos service on the domain controller
local security subsystem takes domain name specified and uses DNS to locate controller
username and password passed to local security subsystem
Username and Password Entered
Features
Non-Repudiation: Knowledge of a password
Authentication: Login password (local)
Integrity: Crypto hash algorithms
Confidentiality: DES (CBC mode) Symmetric Encryption
Kerberos KDC is trusted intermediary similar to RADIUS server
Secret Key Protocol and distributed service for 3rd party authentication
Now in use in Windows
Default in Server 2K3
Default in XP
Default in Win2K
Still some concerns
Much more secure
Windows related
NTLM and NTLM2
Vulnerable to DLL injection
weak passwords can be cracked offline
Lophtcrack
John the Ripper
Forces lsass.exe to show passwords in weak LM format
Also uses Hashes
LanManager (LM)
passwords up to 14 char easily defeated
RainbowCrack
Uses hash to obfuscate password
LM Support needed for
Macintosh
Windows 9x
WinNT pre SP4
Win2K in compatibility mode is weakened by LM
Win2K native is secure
Originally designed
Challenge Handshake Authentication Protocol (CHAP)
Client initiates comms to server
Server sends back challenge to client
Client uses password and challenge to create response
Client sends response to server
Server creates local version of valid response using original challenge and stored password.
If responses are identical, server grants access
Server requests re-confirmation with this sequence when appropriate
Not vulnerable to replay attack
password never traverses network
Password Authentication Protocol (PAP) for use with PPP
Sends actual password in the clear.
Works with both passwords and hashes
Can use hashes but still vulnerable to replay attack
Process
User enters password
Password sent unencrypted over network to PAP server
vulnerable to replay attack
Password sniffed off network and resent to server
Centralized Control
Domains and Trusts
Role-based Model
Domains
Users
Groups
Windows Security Model
TACACS+
RFC 1492
TCP based
Terminal Access Controller Access Control System
RADIUS
Successor to TACACS
RFC 2866
RFC 2865
UDP based
Remote Authentication Dial-In User Service
Strong Authentication
Multi-Factor
Two Factor
Two different methods used together
Somewhere you are
Works well with
Controlled access
classified data
Each system needs additional Hardware
Based on GPS
Something you are (Biometrics)
Key Factors
Cost
Adds to operational loads
Increases technical complexity
Some of the technologies still very expensive
User Acceptance
An intrusive enrollment
Resistance
A high FRR will cause users to
Animosity
Try to find ways around the system
Reliability
Better to have a higher FRR than a high FAR
pissed off user vs a breach
Equal Error Rate (EER)
Cross error Rate (CER)
rate at which FAR and FRR are equal
False rejection Rate (FRR)
percentage of legitimate users falsely rejected
False acceptance Rate (FAR)
percentage of impostors falsely authorized
Costly
Each authenticating system needs hardware
Intrusive
Can cause Privacy issues
Does not require user to have anything
Hard to lose
Types
Mannerisms
Handwriting
Tread
Keystroke
Voice Print
Face
Eigen
Eigenfaces
Eigen features (facial metrics)
German word referring to recursive mathematics
used in facial recognition
Facial feature identification
Isolation
Mask values compared to database
leaves features in rectangle mask (binary mask)
Isolate features of the face
Detection
Locate the face
Photos
Thermograms
Eye
Iris
additional reading
System tests for 'live' eye
pupil size fluctuation
Verification takes 1-2 seconds
Subsequent verifications at up to 40in
Less than 20 seconds
image captured and processed into 512 byte record
excludes lower portion because of moisture and reflection
Approach is horizontal due to eyelid occlusion
locates left and right edges of iris
camera locates eye
video camera at 3-10in
240 reference points
Retina
Degenerative diseases exist that compromise data fidelity
Certain people cannot enroll
enrollment
Stored in 35 byte field
320-400 points of reference stored
1/2" from scanner
45 seconds
five scans to enroll
capillary patterns
Hand
Hand Geometry
Oldest known form of Biometrics
Fingerprint
30-70 points of reference
ridges and valleys
Something you have
Users can lose tokens
More expensive to implement
additional software equipment
each user needs token
Changes on regular basis
Token Provides password
Token
Something you know
Positive
Low cost
Easiest to implement (passwords)
Negative
Easy to compromise
Users tell others
Easy for attackers to target
Dictionary attack
users write down passwords
Users forget
Attack Types
Brute force
Rainbow Crack
Given enough time, brute force will always work
Hybrid
John the ripper
uses dictionary in combination with brute force
Dictionary
Tries every word in dictionary for match
Relies on human factors
Not guaranteed to find all passwords
Quickest and Easiest
Cracking
Access to password file increases success (no Duh!)
Attempt to guess passwords
Access Control
Normally stored as hashes
password files
NT SAM
/etc/shadow
/etc/passwd
Methodologies
Single Sign On
System Generated
User Picked
Too simple
Restores the operating state to normal after an attack or system failure
Reacts to an attack and takes corrective action for data recovery
Provide alternatives to other controls
Warnings on Web Pages
Logon banner
Restricted Access signs
Acceptable Use agreements
Discourages security violations (Preventative)
Anomaly Detection
Pattern Matching
Intrusion Detection Systems
Force users to take leaves
Background Investigations
Regular performance reviews
Audits
Alarms
Sensors
Smoke Detectors
CCTV
Motion Detectors
Creates a complete list of risks against critical assets
Analyzes entire network from inside
Comprehensive view of Network Security
Usually done after Vulnerability Assessment
Does not provide comprehensive view
Only as good as the attacker
Finds weaknesses
Simulates an attacker trying to break in
Looks for common known vulnerabilities
Scanning key servers
NAI
ISS
GFI LanGuard
Nessus
Proxy
Never a connection from external to internal
Slow
Stateful
Unknown packets discarded
Knows if incoming packet was in response to request
Packet Filtering
very fast
Does not know state
Decision based on IP and Port
Technical
Intrusion detection systems (IDSs)
Audit trails
Dial-up callback systems
Encryption
Smart cards/biometrics/badge systems
Passwords
Anti-virus software
Access control software, such as firewalls, proxy servers
Administrative
Mandatory vacation time
Performance evaluations
Alert supervision
Background checks
Security clearances
Procedures for recruiting and terminating employees
Rotation of duties
Security reviews and audits
Separation of duties
Security awareness training
Policies and procedures
Physical
Limiting access to physical resources through the use of bollards, locks, alarms, or
Turnstiles
Mantraps
Badges, ID Cards
Fire Extinguisher
Alternate Power Source
Guards
Fences