User Authentication
-The process of verifying an identity claimed by or for a system entity
-Fundamental building block and first line of defense
Steps of authentication
Identification and Verification
Problems with various forms of authentication
-Password can be stolen
-Tokens could be stolen or forged
-A lot of overhead for managing passwords and tokens
Password Authentication
- widely used line of defense against intruders
> user provides name/login and password
> system compares password with the one stored for that specified login
- the user ID:
> determines that the user is authorized to access the system
> determines the user's privileges
> is used in discretionary access control
Password Vulnerabilities
Offline dictionary attack (System Files)
Specific account attack
Popular password attack
Password guessing against a single user
Workstation hijacking
Exploiting user mistakes
Exploiting multiple password use
Electronic monitoring
Password Vulnerability Countermeasures
-Enforcing password policies
-System logon protocols
-Etc.
Hashed Passwords with Salt Value
-Password is combined with a fixed-length salt value to make attacks harder
-MD5 and Bcrypt are common hash/salt schemes used
Advantages of salt value
-Without salt, attacker can pre-compute hashes of all common passwords once
-With salt, attacker must compute hashes of all common passwords for each possible salt value.
Password Cracking
-Dictionary Attacks
-Rainbow Table Attacks (not feasible with larger salt values)
-Custom GPU Hardware and cloud-based cracking tools exist
Multi-Factor Authentication
-A method of confirming users' claimed identities by using a combination of two or more different factors
Remote User authentication
- Authentication over a network, the Internet, or a communications link is more complex
- Additional security threats such as: eavesdropping, capturing a password, replaying an authentication sequence that has been observed
Authentication Security Issues
-Client Attacks
-Host Attacks
-Eavesdropping, Theft, copying
-Replay (repeats a previous user response)
-Mitigated with longer unpredictable passwords and multi-factor authentication.
Access Control
-Constrains what a user can do directly as well as what programs executing on behalf of the user are allowed to do.
-Coexists with identification and verification
Access Control Elements
subject, object, and access right
Discretionary Access Control (DAC)
-User oriented security policy
-Entity has rights to enable another entity to access a resource
-Uses a control matrix, which has subjects for rows and objects for columns
Access Control List (ACL)
-Access rights stored with objects
-ACL can contain default entries
-Elements of ACL include individuals and groups
-Linked list with each node containing the subject and the access rights for each object
-ACL requires authentication
-Used in UNIX and Windows
Capability List
- The access rights for each object are stored with the subject.
- A linked list where each node is an object and access right and the head is the subject
DAC Security Issues
It is prone to Trojan horse attacks that grant an attacker privileges
Role-Based Access Control (RBAC)
-Access control based on employee job functions rather than data ownership since company owns objects.
-Based on roles users assume in organization
Role
Represents users and defines permissions
Security Management with RBAC
-User-role relationship changes over time
-Roles are likely to be static
-Role Permissions relatively stable
Advantages of RBAC
-Authorization management (Easy revocation of rights)
-Hierarchical roles
-Least Privilege
-Separation of duties
Attribute-based access control (ABAC)
This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.
Subject Attributes
-A subject is an active entity that causes information to flow among objects
-Attributes define the identity and characteristics of the subject
Object Attributes
-Information system-related entity containing or receiving information
-Can make access control decisions
Environment Attributes
-Describes operation or technical environment in which information access occurs
ABAC Logical access control model
-Relies on evaluation of attributes of subject and object
-Can enforce any access control rule
ABAC Policies
Set of rules and relationships that govern allowable behavior within an organization, based on privileges of subjects
Intrusion
A security event in which an intruder gains or attempts to gain access to a system
Anomaly Detection
Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
Signature/Heuristic Detection
Uses a set of known malicious data patterns or attack rules that are compared with current behavior. Also known as misuse detection. Can only identify known attacks for which it has patterns or rules.
Signature Detection (Misuse Detection)
-IDS uses attack signatures to detect intrusion
-Signatures are events that describe a known attack
-Attacks of the same kind show the same patterns
Signature Detection (Misuse Detection) Advantages
Very good at detecting attacks without creating false alarms
Signature Detection (Misuse Detection) Disadvantages
-Can only detect attacks they know of, so system must be constantly updated to detect new attacks
-Some misuse detection cannot detect variants of a certain attack
Anomaly Detection Advantages
-Can detect unusual behavior
-Can produce information used to identify attack signatures
Anomaly Detection Disadvantages
-Produce a large number of false alarms
-Require event records to identify normal behavior patterns
host-based intrusion detection system (HIDS)
-Adds specialized layer of security to vulnerable systems
-Can use anomaly or signature based approaches
-Monitors suspicious behavior (intrusions, suspicious events, sends alerts)
Network-Based Intrusion Detection System (NIDS)
-Deploying sensors at strategic locations
-Inspect network traffic and user activities
Network Based vs. Host Based
-Network based can detect intrusions that cross a network segment
-Host Based can examine log files and inbound/outbound packets
-In an organization it is best to use both.
Confusion Matrix
A matrix whose columns indicate whether an intrusion actually occurred and whose rows indicate whether an alarm was raised. The cells record the counts of true positives, false alarms, and the other outcomes.
Firewall
Hardware and software that isolates an organization's internal network from the Internet at large.
Need for firewalls
-Protecting LANs
-Establish a controlled link
-Used as perimeter defense
Firewall goals
-Traffic inside and outside the firewall must pass through it
-Only authorized traffic will be allowed to pass
Firewall Filter Characteristics
-IP Address
-Application protocol
-User identity
-Network Activity
packet-filtering firewall
- Applies rules to each incoming and outgoing IP packet
- Typically a list of rules based on matches in the IP or TCP header
- Forwards or discards the packet based on rules match
Packet Filter Advantages
-Simplicity
-Typically transparent to users and are very fast
Packet Filter Disadvantages
-Cannot prevent attacks that are application specific
-Limited logging functionality
-Does not support advanced user authentication
-Vulnerable to TCP/IP protocol bugs
-Improper configuration can lead to breaches
Stateful Inspection Firewall
-Tightens rules for TCP traffic by creating a directory of outbound TCP connections:
-There is an entry for each currently established connection.
-Reviews packet information but also records information about TCP connections
-Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number
-Inspects data for protocols like FTP, IM, and SIPS commands
Application level gateway
-Acts as a relay to application level traffic
-Must have proxy code for each application
-Tends to be more secure than packet filter
-Disadvantage is the additional processing and overhead.