Administrative Security: Procedural Controls
S.S. Yau, CSE465-591, Fall 2006

Contents
- Information Storage
- Passwords
  - Password introduction
  - Biometric passwords
  - Password attack methods
  - Managing passwords
- Auditing
  - Auditing systems
  - Audit process

Information Storage
Information can be stored in various formats on various storage media:
- Written documents and images on paper or negatives
- Voice recordings on tape
- Digital information on:
  - Floppy disk
  - Zip disk
  - Flash memory (e.g. USB key drive, CF card, SD card)
  - Hard drive
  - CD (R, RW)
  - DVD (+R, -R, -RW, +RW)
  - Tape

Information Storage (cont.)
Information storage management includes:
- External marking of media
- Destruction of media
- Sanitization of media
- Transportation of media
- Emergency destruction

Passwords
A password is information associated with an entity that confirms the entity's identity.
Passwords have been widely used for a long time:
- Bank card PIN
- SSN associated with your mother's maiden name
- Computer account login, ...
T1: ch11.2, T2: ch12.2

Biometric Passwords
- Face recognition
- Voice recognition
- Iris codes
- Fingerprints
- Handwritten signatures
- Keystroke dynamics
- Combinations
T1: ch11.4, T2: ch12.4

Biometric Passwords (cont.)
Advantages:
- Automatic identification of an individual
- Better results than a token or PIN
Problems:
- Performance: matching takes large computing resources
- Public acceptance: people are afraid of giving their fingerprints or iris patterns for security records

Password Attack Methods
Password guessing
- The most common attack
- The attacker knows a login name (from e-mail, a web page, etc.) and attempts to guess the password
- Success of the attack depends on the password chosen by the user
Some categories of passwords that are easy to guess:
- Based on account names
- Based on user names
- Based on computer names
- Dictionary words
- Reversed dictionary words
- Dictionary words with some or all letters capitalized

Password Attack Methods (cont.)
Password capture
- Watching over the shoulder as the password is entered
- Using a Trojan horse (virus-infected) program
Attacks on password entry due to faulty system design
- Eavesdropping: the password characters travel as plaintext
- The login screen is faked
- Unlimited password retries
Storage attack
- Analyze unencrypted audit trails
- The password is stored as plaintext
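The storage attack above is worth seeing in code. The following is an added example, not code from the slides or the textbooks: a password file that keeps the password itself, beside one that keeps only a per-user salt and a PBKDF2-HMAC-SHA256 digest. Everything here (the user "alice", her password, the record format, the function names) is constructed for the demonstration; only the Python standard library is used.

```python
"""Added example (not from the slides): a password file that stores plaintext,
beside one that stores salted PBKDF2 digests. Standard library only; the user
and password are constructed for the demo."""
import hashlib
import hmac
import os

# --- Weak design: the stored value IS the password. -------------------------
# Anyone who can read the file (backup, unencrypted audit trail, memory dump)
# owns every account. Kept only to contrast with the hardened version below.
WEAK_PASSWORD_FILE = {"alice": "Tr0ub4dor&3"}  # constructed demo data

def weak_verify(user, candidate):
    stored = WEAK_PASSWORD_FILE.get(user)
    return stored is not None and stored == candidate

# --- Hardened design: store algorithm, cost, per-user salt and digest. -------
DEFAULT_ITERATIONS = 600_000  # illustrative PBKDF2 cost; tune to your hardware

def make_record(password, iterations=DEFAULT_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    salt = os.urandom(16)  # fresh random salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_record(record, candidate):
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: wrong field count, non-hex, non-integer
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the digest matched.
    return hmac.compare_digest(actual, expected)

# Lower cost here only so the demo runs quickly.
HARDENED_PASSWORD_FILE = {"alice": make_record("Tr0ub4dor&3", iterations=10_000)}

def hardened_verify(user, candidate):
    record = HARDENED_PASSWORD_FILE.get(user)
    return record is not None and verify_record(record, candidate)

def replay_stored_value(user):
    """Storage attack: the attacker copies the password file and submits the stored
    value itself as the password. Returns (works against weak, works against hardened)."""
    return (weak_verify(user, WEAK_PASSWORD_FILE[user]),
            hardened_verify(user, HARDENED_PASSWORD_FILE[user]))

if __name__ == "__main__":
    print("correct password (weak, hardened):",
          weak_verify("alice", "Tr0ub4dor&3"), hardened_verify("alice", "Tr0ub4dor&3"))
    print("replay of stored value (weak, hardened):", replay_stored_value("alice"))
```

The point of `replay_stored_value` is the slide's storage attack in one call: reading the weak file is equivalent to knowing the password, while reading the hardened file yields a record that does not log in and that must be brute-forced at PBKDF2 cost, one salt at a time.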

Managing Passwords
- Need password policies and good user education
- Ensure every account has a default password
- Ensure users change the default passwords to something they can remember
- Protect the password file from general access
- Set technical policies to enforce good passwords:
  - Minimum length (more than 6 characters)
  - Require a mix of upper and lower case letters, numbers and punctuation
  - Block known dictionary words
  - Require the password to be changed periodically
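The technical policy above and the easy-to-guess categories from the Password Guessing slide can be enforced by one check at password-change time. The following is an added example, not the course's or any product's code: `check_password` applies the length and character-class rules and rejects passwords built from the account name, user name or computer name, and dictionary words whether typed plainly, reversed, re-capitalised, or padded with digits and punctuation. `DICTIONARY` is a constructed stand-in for a real word list such as /usr/share/dict/words, and the account, user and host names are made up.

```python
"""Added example (not from the slides): a policy check that enforces the technical
rules above and rejects the easy-to-guess categories from the Password Guessing
slide. DICTIONARY is a constructed stand-in for a real word list such as
/usr/share/dict/words; account, user and host names in the demo are made up."""
import string

DICTIONARY = {"password", "secret", "dragon", "monkey", "welcome", "letmein", "sunshine"}
MIN_LENGTH = 7  # the slide's "minimum length (>6)"

def alphabetic_core(text):
    """Strip digits and punctuation so 'dragon1!' is still examined as 'dragon'."""
    return "".join(ch for ch in text if ch.isalpha())

def check_password(password, account, user_full_name, hostname):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_punct):
        problems.append("must mix upper case, lower case, digits and punctuation")

    lowered = password.lower()

    # Based on account names, user names or computer names, forwards or reversed.
    names = {account, hostname, *user_full_name.split()}
    for name in sorted(names):
        n = name.lower()
        if len(n) >= 3 and (n in lowered or n[::-1] in lowered):
            problems.append("contains the name '%s' or its reverse" % name)
            break

    # Dictionary words: as typed, reversed, re-capitalised (covered by lowercasing),
    # and with digit/punctuation padding removed.
    core = alphabetic_core(lowered)
    candidates = {lowered, lowered[::-1], core, core[::-1]}
    if any(c in DICTIONARY for c in candidates):
        problems.append("is a dictionary word, possibly reversed or re-capitalised")

    return problems

if __name__ == "__main__":
    for pw in ("dragon", "Nogard1!", "Jsmith#2006", "Q7$vbn!kLp2"):
        print("%-12s -> %s" % (pw, check_password(pw, "jsmith", "John Smith", "ws-17") or "OK"))
```

Note that "Nogard1!" satisfies every character-class rule and the length rule, yet is rejected: once the padding is stripped and the core reversed it is the dictionary word "dragon", exactly the kind of variant a guessing tool tries first. A check that only counted character classes would have accepted it.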

Auditing
- Auditing is a technique for determining security violations.
- Logging is the recording of events or statistics to provide information about system use and performance.
- Auditing is the analysis of log records to present information about the system in a clear and understandable manner.
T1: ch21.1, T2: ch24.1

Auditing (cont.)
Generally, to support auditing, the automated information system generates logs that indicate:
- What happened
- Who did it
- What went wrong
- How far some information spread
- Who had access to some information
- ...

Auditing Systems
An auditing system consists of three components:
- The logger: collects data
- The analyzer: analyzes the collected data
- The notifier: reports the results of the analysis
T1: ch21.2, T2: ch24.2

Auditing Systems (cont.)
Logger:
- The type and quantity of information recorded are decided by system or program configuration parameters.
- Information may be recorded in binary or human-readable form, or transmitted directly to an analysis system.

Auditing Systems (cont.)
Logger (cont.): examples of auditable events:
- Login
- Logoff
- Operating system changes
- User-invoked operating system commands
- User-invoked applications
- Reads of data
- Creation of objects
- Network events

Auditing Systems (cont.)
Analyzer:
- An analyzer takes a log as input and analyzes it.
- The results of the analysis may lead to changes in the data being recorded, or to detection of some events or problems, or both.
- Example: the audit analysis mechanism used by an intrusion detection system to detect attacks by analyzing log records.

Auditing Systems (cont.)
Notifier:
- The notifier informs the analyst and other entities of the results of the audit.
- Actions may be taken in response to these results.
- Example: consider a login system in which three consecutive failed login attempts disable the user's account. When a user's consecutive failed login attempts reach 3, the audit system invokes the notifier, which reports the problem to the administrator and disables the account.
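The three components and the login example can be put together in a few dozen lines. The following is an added example, not code from the slides or the textbooks: a `Logger` that records human-readable login events, an `Analyzer` that counts consecutive failures per user (a successful login resets the count), and a `Notifier` that disables the account and raises an alert when the count reaches the slide's threshold of 3. The log format `<time> <user> <login_ok|login_fail>`, the class names and the sample log lines are all constructed for this demonstration. It also shows the failure mode the slide's Password Attack Methods list calls "unlimited password retries" being closed: bob's fourth failure never gets a chance to succeed because the account is already disabled after the third.

```python
"""Added example (not from the slides): the logger / analyzer / notifier pipeline
applied to the login example above. Log lines are constructed; the format
'<time> <user> <login_ok|login_fail>' and the class names are this example's own."""
from collections import namedtuple

LOCKOUT_THRESHOLD = 3  # consecutive failed logins that disable the account (from the slide)

LogRecord = namedtuple("LogRecord", "timestamp user event")

class Logger:
    """Collects auditable events in human-readable form, one record per line."""
    def __init__(self):
        self.records = []

    def log(self, line):
        timestamp, user, event = line.split()
        if event not in ("login_ok", "login_fail"):
            raise ValueError("unknown event: %r" % event)
        self.records.append(LogRecord(timestamp, user, event))

class Analyzer:
    """Counts consecutive failures per user; a successful login resets the streak.
    Emits one finding per user at the moment the threshold is reached, not on every
    later failure, so the notifier is not flooded."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold

    def analyze(self, records):
        streak = {}
        findings = []
        for r in records:
            if r.event == "login_fail":
                streak[r.user] = streak.get(r.user, 0) + 1
                if streak[r.user] == self.threshold:
                    findings.append((r.timestamp, r.user))
            else:  # login_ok
                streak[r.user] = 0
        return findings

class Notifier:
    """Reports each finding to the administrator and disables the account."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.disabled = set()
        self.messages = []

    def notify(self, findings):
        for timestamp, user in findings:
            self.disabled.add(user)
            self.messages.append("%s ALERT: %s reached %d consecutive failed logins; "
                                 "account disabled, administrator notified"
                                 % (timestamp, user, self.threshold))
        return self.messages

# Constructed sample log: alice recovers, bob trips the rule (and keeps failing),
# carol stays below the threshold.
SAMPLE_LOG = """\
09:00:01 alice login_fail
09:00:05 alice login_ok
09:01:00 bob login_fail
09:01:03 bob login_fail
09:01:07 bob login_fail
09:01:09 bob login_fail
09:02:00 carol login_fail
09:02:03 carol login_fail
"""

def run_audit(log_text=SAMPLE_LOG):
    """Run the three components in order; return (disabled accounts, alert messages)."""
    logger = Logger()
    for line in log_text.splitlines():
        if line.strip():
            logger.log(line)
    findings = Analyzer().analyze(logger.records)
    notifier = Notifier()
    messages = notifier.notify(findings)
    return sorted(notifier.disabled), messages

if __name__ == "__main__":
    disabled, messages = run_audit()
    print("disabled accounts:", disabled)
    for m in messages:
        print(m)
```

Two design points matter in practice. The analyzer keys its count on the user, so failures against bob and carol interleaved in time do not add up to a lockout for either; and it alerts only when the streak equals the threshold, so an attacker hammering a locked account does not drown the administrator in one alert per attempt.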

Audit Process
Audit team
- Accountants plus people who are interested in auditing
- The expertise needed varies
  - CISA - Certified Information Systems Auditor
  - CISM - Certified Information Security Manager
- Check www.isaca.org (Information Systems Audit and Control Association) for further information

Steps of the Audit Process
1. Planning Phase
2. Testing Phase
3. Reporting Phase

Planning Phase
- Entry meeting
- Define scope
- Learn controls
  - Historical incidents
  - Past audits
  - Site survey
  - Review current IA policies
  - Questionnaires
- Define objectives
- Develop audit plan / checklist

Testing Phase
Evaluate the audit plan:
- What data will be collected
- How and when it will be collected
- Site employees' involvement
- Other relevant questions
Data collection
- Based on scope and objectives
Types of data
- Activities involving physical security
- Staff interviews
- Vulnerability assessments
- Access control assessments

Reporting Phase
Exit meeting - short report
- Immediate problems
- Questions and answers for site managers
- Preliminary findings
- NOT able to give in-depth information
Long report after going through the data
- Objectives and scope
- How data was collected
- Summary of problems
- In-depth description of problems
- Glossary of terms
- References
Any computer misuse or abuse should be reported, and law enforcement may be involved if needed.

References
- M. Merkow and J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, ISBN 0131547291.
- Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442.
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997.