S.S. Yau, CSE465-591, Fall 2006: Administrative Security Procedural Controls.

Posted 19-Dec-2015 (Documents)

Transcript of S.S. Yau, CSE465-591, Fall 2006: Administrative Security Procedural Controls.

Page 1: Administrative Security Procedural Controls

S.S. Yau, CSE465-591, Fall 2006

Page 2: Contents

- Information Storage
- Passwords
  - Password introduction
  - Biometric passwords
  - Password attack methods
  - Managing passwords
- Auditing
  - Auditing systems
  - Audit process

Page 3: Information Storage

Information can be stored in various formats on various storage media:
- Written documents and images on paper or negatives
- Voice records on tapes
- Digital information on:
  - Floppy disc
  - Zip disk
  - Flash memory (e.g. USB key drive, CF card, SD card)
  - Hard drive
  - CD (-R, -RW)
  - DVD (+R, -R, -RW, +RW)
  - Tape

Page 4: Information Storage (Cont.)

Information storage management includes:
- External marking of media
- Destruction of media
- Sanitization of media
- Transportation of media
- Emergency destruction

Page 5: Passwords

A password is information associated with an entity that confirms the entity's identity.

Passwords have been widely used for a long time:
- Bank card PIN
- SSN associated with your mother's maiden name
- Computer account login, ...

T1: ch11.2, T2: ch12.2

Page 6: Biometric Passwords

- Face recognition
- Voice recognition
- Iris codes
- Fingerprints
- Handwritten signatures
- Keystroke
- Combinations

T1: ch11.4, T2: ch12.4

Page 7: Biometric Passwords (cont.)

Advantages:
- Automatic identification of an individual
- Better results than a token or PIN

Problems:
- Performance: requires large computing resources
- Public acceptance: people are afraid of giving their fingerprints or iris patterns for security records

Page 8: Password Attack Methods

Password guessing
- Most common attack
- Attacker knows a login (from email/web page, etc.)
- Attempts to guess the password
- Success of the attack depends on the password chosen by the user

Some categories of passwords that are easy to guess:
- Based on account names
- Based on user names
- Based on computer names
- Dictionary words
- Reversed dictionary words
- Dictionary words with some or all letters capitalized

Page 9: Password Attack Methods (cont.)

Password capture
- Watching over the shoulder as the password is entered
- Using a Trojan horse (virus-infected) program
- Attacks on password entry due to faulty system design:
  - Eavesdropping: the password characters are sent in plaintext
  - The login screen is faked
  - Unlimited password retries

Storage attack
- Analyze unencrypted audit trails
- Password is stored as plain text

Page 10: Managing Passwords

- Need password policies and good user education
- Ensure every account has a default password
- Ensure users change the default passwords to something they can remember
- Protect the password file from general access
- Set technical policies to enforce good passwords:
  - Minimum length (>6)
  - Require a mix of upper & lower case letters, numbers, punctuation
  - Block known dictionary words
  - Require change of password periodically
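A policy check that enforces the technical rules on this page and rejects the easy-to-guess categories listed on page 8 (account-, user- and computer-name based, dictionary, reversed and re-capitalized dictionary words). This is an added example, not code from the slides; the five-word dictionary and the rule messages are constructed for the demo.

```python
import string

# Constructed sample word list for the demo; a real check would load a full
# dictionary file (e.g. a cracking wordlist) instead of these five words.
DICTIONARY = ["password", "secret", "welcome", "dragon", "monkey"]


def password_violations(password, account_name, user_name="", host_name=""):
    """Return the list of policy rules the password breaks (empty = acceptable).

    Rules follow the slides: length > 6; a mix of upper- and lower-case
    letters, digits and punctuation; no dictionary word, including reversed
    or re-capitalized forms; nothing derived from the account, user or
    computer name.
    """
    problems = []
    if len(password) <= 6:
        problems.append("too short: minimum length is 7")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")

    # Keep only the letters, lower-cased, so "Dragon1!" and "dRAGON" both
    # reduce to "dragon" and are caught in either reading direction.
    core = "".join(c for c in password.lower() if c.isalpha())
    for word in DICTIONARY:
        if word in core:
            problems.append(f"contains dictionary word '{word}'")
        elif word[::-1] in core:
            problems.append(f"contains reversed dictionary word '{word}'")

    # Account-, user- and computer-name based passwords (page 8), forwards
    # or reversed, compared case-insensitively.
    lowered = password.lower()
    for label, name in (("account name", account_name),
                        ("user name", user_name),
                        ("computer name", host_name)):
        name = name.lower()
        if name and (name in lowered or name[::-1] in lowered):
            problems.append(f"based on {label}")
    return problems
```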

Page 11: Auditing

Auditing is a technique for determining security violations.

Logging is the recording of events or statistics to provide information about system use and performance.

Auditing is the analysis of log records to present information about the system in a clear and understandable manner.

T1: ch21.1, T2: ch24.1

Page 12: Auditing (cont.)

Generally, to support auditing, the automated information system generates logs that indicate:
- What happened
- Who did it
- What went wrong
- How far some information spreads
- Who had access to some information
- ...

Page 13: Auditing Systems

An auditing system consists of three components:
- The logger: collects data
- The analyzer: analyzes the collected data
- The notifier: reports the results of analysis

T1: ch21.2, T2: ch24.2

Page 14: Auditing Systems (cont.)

Logger:
- The type and quantity of information are decided by system or program configuration parameters
- Information may be recorded in binary or human-readable form, or transmitted directly to an analysis system

Page 15: Auditing Systems (cont.)

Logger (cont.): Examples of auditable events:
- Login
- Logoff
- Operating system changes
- User-invoked operating system commands
- User-invoked applications
- Read of data
- Creation of objects
- Network events

Page 16: Auditing Systems (cont.)

Analyzer:
- An analyzer takes a log as input and analyzes it.
- The results of analysis may lead to changes in the data being recorded, or detection of some events or problems, or both.
- Example: the audit analysis mechanism used by an intrusion detection system to detect attacks by analyzing log records

Page 17: Auditing Systems (cont.)

Notifier:
- The notifier informs the analyst and other entities of the results of the audit.
- Actions may be taken in response to these results.
- Example: consider a login system in which three consecutive failed login attempts disable the user's account. When a user's failed login attempts reach 3, the audit system invokes the notifier, which reports the problem to the administrator and disables the account.
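The three-component audit system from pages 13 to 17, applied to the login example above: the logger parses records, the analyzer counts consecutive failures per user, and the notifier disables the account and reports to the administrator. This is an added example, not code from the slides; the log lines, the LOGIN_OK/LOGIN_FAIL format and the function names are constructed for the demo.

```python
# Constructed sample authentication log (not from a real system), one event per
# line: "<time> <user> <result>".  alice recovers after two failures; bob does not.
SAMPLE_LOG = """\
09:00:01 alice LOGIN_FAIL
09:00:07 alice LOGIN_FAIL
09:00:15 alice LOGIN_OK
09:00:20 bob LOGIN_FAIL
09:00:25 bob LOGIN_FAIL
09:00:31 bob LOGIN_FAIL
09:00:40 bob LOGIN_FAIL
"""
MAX_CONSECUTIVE_FAILURES = 3

def logger(raw_text):
    """Logger: collect data, parsing each line into a (time, user, result) record."""
    return [tuple(line.split()) for line in raw_text.splitlines() if line.strip()]

def analyzer(records):
    """Analyzer: flag users whose *consecutive* failures reach the limit.

    A successful login resets the streak, so alice is never flagged; only the
    attempt that reaches the limit alerts, so bob's fourth failure is silent.
    """
    streak, alerts = {}, []
    for time, user, result in records:
        if result == "LOGIN_OK":
            streak[user] = 0
            continue
        streak[user] = streak.get(user, 0) + 1
        if streak[user] == MAX_CONSECUTIVE_FAILURES:
            alerts.append((time, user))
    return alerts

def notifier(alerts, disabled_accounts):
    """Notifier: disable each flagged account and build the administrator report."""
    messages = []
    for time, user in alerts:
        disabled_accounts.add(user)
        messages.append(f"{time} account '{user}' disabled after "
                        f"{MAX_CONSECUTIVE_FAILURES} consecutive failed logins")
    return messages

def run_audit(raw_text):
    """Run logger -> analyzer -> notifier; return (disabled accounts, messages)."""
    disabled = set()
    messages = notifier(analyzer(logger(raw_text)), disabled)
    return disabled, messages
```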

Page 18: Audit Process

Audit team
- Accountants + people who are fascinated by auditing
- Needed expertise varies
  - CISA - Certified Information Systems Auditor
  - CISM - Certified Information Systems Manager

Check www.isaca.org (Information Systems Audit and Control Organization) for further information.

Page 19: Steps of Audit Process

1. Planning Phase
2. Testing Phase
3. Reporting Phase

Page 20: Planning Phase

- Entry Meeting
- Define Scope
- Learn Controls
- Historical Incidents
- Past Audits
- Site Survey
- Review Current IA Policies
- Questionnaires
- Define Objectives
- Develop Audit Plan / Checklist

Page 21: Testing Phase

Evaluate Audit Plan
- What data will be collected
- How/when it will be collected
- Site employees' involvement
- Other relevant questions

Data Collection
- Based on scope/objectives

Types of Data
- Activities involving physical security
- Interview staff
- Vulnerability assessments
- Access control assessments

Page 22: Reporting Phase

Exit Meeting - Short Report
- Immediate problems
- Questions & answers for site managers
- Preliminary findings
- NOT able to give in-depth information

Long Report After Going Through Data
- Objectives/scope
- How data was collected
- Summary of problems
- In-depth description of problems
- Glossary of terms
- References

Any computer misuse or abuse should be reported, and law enforcement may be involved if needed.

Page 23: References

M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, ISBN 0131547291.

Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442.

Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997.