2. DISCUSSION ON
1. Identification of security principles in data access design
2. Analysis of system access and authentication
3. Identifying penetration tests
EDI Prepared by EDGAR 2
3. SECURITY PRINCIPLES IN DATA ACCESS DESIGN
1. Principle of least privilege
The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task.
• If a subject does not need an access right, the subject should not have that right, e.g. append permission only for the logging process.
• A temporary elevation of privilege should be relinquished immediately.
• Granularity of privileges: the UNIX operating system does not apply access controls to the user root. That user can terminate any process and read, write, or delete any file. Thus, users who create backups can also delete files. The administrator account on Windows has the same powers.
4. 2. PRINCIPLE OF FAIL-SAFE DEFAULTS
• The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object.
• Whenever access, privileges, or some security-related attribute is not explicitly granted, it should be denied. Moreover, if the subject is unable to complete its action or task, it should undo those changes it made in the security state of the system before it terminates. This way, even if the program fails, the system is still safe.
• Default access to an object is none.
• Access Control Lists (ACLs) and firewalls are examples.
• Restrict privileges at the time of creation.
5. 2. PRINCIPLE OF FAIL-SAFE DEFAULTS, Cont.
• If the mail server is unable to create a file in the spool directory, it should close the network connection, issue an error message, and stop. It should not try to store the message elsewhere or to expand its privileges to save the message in another location, because an attacker could use that ability to overwrite other files or fill up other disks (a denial of service attack). The protections on the mail spool directory itself should allow create and write access only to the mail server and read and delete access only to the local server. No other user should have access to the directory.
• In practice, most systems will allow an administrator access to the mail spool directory. By the principle of least privilege, that administrator should be able to access only the subjects and objects involved in mail queueing and delivery. As we have seen, this constraint minimizes the threats if that administrator's account is compromised. The mail system can be damaged or destroyed, but nothing else can be.
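The spool scenario above as a small working model, added here and not taken from the slides: a default-deny ACL carrying least-privilege grants for two constructed subjects (mailserver, localdelivery) and a delivery routine that, when the spool fills up, undoes its partial change and stops rather than writing elsewhere or raising privileges. The spool path, quota and subjects are sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """object -> subject -> rights; an absent entry means deny (fail-safe)."""
    grants: dict = field(default_factory=dict)

    def allow(self, obj, subject, *rights):
        self.grants.setdefault(obj, {}).setdefault(subject, set()).update(rights)

    def check(self, subject, obj, right):
        return right in self.grants.get(obj, {}).get(subject, set())

@dataclass
class Spool:
    """Constructed in-memory spool directory with a byte quota."""
    path: str
    quota: int
    files: dict = field(default_factory=dict)  # name -> bytes

    def create(self, name):
        self.files[name] = b""

    def write(self, name, body):
        if sum(map(len, self.files.values())) + len(body) > self.quota:
            raise OSError("spool full")
        self.files[name] = body

def deliver(acl, spool, subject, name, body):
    """Queue a message; True on success, False on any failure.
    On failure the half-created file is removed (undo) and we stop: the
    message is never stored elsewhere and privileges are never raised."""
    if not all(acl.check(subject, spool.path, r) for r in ("create", "write")):
        return False
    spool.create(name)
    try:
        spool.write(name, body)
        return True
    except OSError:
        spool.files.pop(name, None)  # leave the spool as we found it
        return False

# Constructed least-privilege grants: the mail server may only create
# and write, the local delivery agent may only read and delete.
SPOOL_ACL = Acl()
SPOOL_ACL.allow("/var/spool/mail", "mailserver", "create", "write")
SPOOL_ACL.allow("/var/spool/mail", "localdelivery", "read", "delete")
```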
6. 3. Principle of Economy of Mechanism
• The principle of economy of mechanism states that security mechanisms should be as simple as possible.
• Fewer errors
• Testing and verification are easy
• Fewer assumptions
If a design and implementation are simple, fewer possibilities exist for errors. The checking and testing process is less complex, because fewer components and cases need to be tested.
The ident protocol [861] sends the user name associated with a process that has a TCP connection to a remote host. A mechanism on host A that allows access based on the result of an ident protocol request makes the assumption that the originating host is trustworthy. If host B decides to attack host A, it can connect and then send any identity it chooses in response to the ident request.
7. 4. Principle of Complete Mediation
• The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed.
Whenever a subject attempts to read an object, the operating system should mediate the action. First, it determines if the subject is allowed to read the object. If so, it provides the resources for the read to occur. If the subject tries to read the object again, the system should check that the subject is still allowed to read the object. Most systems would not make the second check. They would cache the results of the first check and base the second access on the cached results.
Examples and trade-offs:
• UNIX file descriptors
• DNS cache poisoning
• Restrictive caching policies
• Security vs. performance issues
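The file-descriptor case above as an added example (not code from the slides): a toy file system that checks access when a descriptor is opened, then either reuses that decision on every read (the cached, UNIX-style behaviour) or re-checks it (complete mediation). Revoking the right after the open shows the difference: only the mediated variant refuses the second read. The policy, subject and file are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """subject -> objects it may read; an absent entry means deny."""
    readable: dict = field(default_factory=dict)

    def may_read(self, subject, obj):
        return obj in self.readable.get(subject, set())

    def revoke(self, subject, obj):
        self.readable.get(subject, set()).discard(obj)

class FileSystem:
    """Toy file system; contents is obj -> bytes (constructed sample)."""
    def __init__(self, policy, contents, mediate_every_read):
        self.policy = policy
        self.contents = contents
        self.mediate = mediate_every_read
        self.open_fds = {}  # descriptor number -> (subject, obj)

    def open(self, subject, obj):
        """Check at open time, as UNIX does when it hands out a descriptor."""
        if not self.policy.may_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj}")
        fd = len(self.open_fds)
        self.open_fds[fd] = (subject, obj)
        return fd

    def read(self, fd):
        """Cached model: reuse the open-time decision.
        Complete mediation: re-check the policy on every access."""
        subject, obj = self.open_fds[fd]
        if self.mediate and not self.policy.may_read(subject, obj):
            raise PermissionError(f"{subject}: access to {obj} was revoked")
        return self.contents[obj]

def read_after_revoke(mediate_every_read):
    """Open a file, revoke the right, read again. Returns True if the
    read still succeeded, i.e. the cached decision outlived the right."""
    policy = Policy({"alice": {"/reports/q3"}})
    fs = FileSystem(policy, {"/reports/q3": b"q3 figures"}, mediate_every_read)
    fd = fs.open("alice", "/reports/q3")
    policy.revoke("alice", "/reports/q3")
    try:
        fs.read(fd)
        return True
    except PermissionError:
        return False
```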
8. 4. Principle of Complete Mediation, Cont.
• The Domain Name Service (DNS) caches information mapping host names into IP addresses. If an attacker is able to "poison" the cache by implanting records associating a bogus IP address with a name, one host will route connections to another host incorrectly.
9. 5. Principle of Open Design
• The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation.
Designers and implementers of a program must not depend on secrecy of the details of their design and implementation to ensure security.
10. 5. Principle of Open Design, Cont.
• Example
• The Content Scrambling System (CSS) is a cryptographic algorithm that protects DVD movie disks from unauthorized copying. The DVD disk has an authentication key, a disk key, and a title key. The title key is enciphered with the disk key. A block on the DVD contains several copies of the disk key, each enciphered by a different player key, and a checksum of the disk key. When a DVD is inserted into a DVD player, the algorithm reads the authentication key. It then deciphers the disk keys using the DVD player's unique key. When it finds a deciphered key with the correct hash, it uses that key to decipher the title key, and it uses the title key to decipher the movie.
11. 6. Principle of Separation of Privilege
• The principle of separation of privilege states that a system should not grant permission based on a single condition.
This principle is equivalent to the separation of duty principle.
Company checks for more than Ksh500,000 must be signed by two officers of the company. If either does not sign, the check is not valid. The two conditions are the signatures of both officers.
Similarly, systems and programs granting access to resources should do so only when more than one condition is met. This provides a fine-grained control over the resource as well as additional assurance that the access is authorized.
12. 6. Principle of Separation of Privilege, Cont.
• On Berkeley-based versions of the UNIX operating system, users are not allowed to change from their accounts to the root account unless two conditions are met. The first condition is that the user knows the root password. The second condition is that the user is in the wheel group (the group with GID 0). Meeting either condition is not sufficient to acquire root access; meeting both conditions is required.
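Both examples of the principle (the two-officer check and the wheel-group su rule) as one added code sample that is not from the slides. The officer keys, root password hash and group table are constructed; signatures are HMAC-SHA256 over the check contents, and a check above Ksh500,000 needs valid signatures from two different officers, so one officer signing twice is rejected.

```python
import hashlib
import hmac

# Constructed sample data: per-officer signing keys, a root password
# hash and the wheel group. A real system stores a salted, slow password
# hash; plain SHA-256 is used here only to keep the sample short.
OFFICER_KEYS = {"alice": b"key-alice", "bob": b"key-bob"}
ROOT_PW_HASH = hashlib.sha256(b"correct horse").hexdigest()
GROUPS = {"wheel": {"alice"}}  # wheel is GID 0 on Berkeley-style UNIX
TWO_SIGNATURE_LIMIT = 500_000  # Ksh

def sign_check(officer, check_id, amount):
    """An officer's signature over the check contents (HMAC-SHA256)."""
    msg = f"{check_id}:{amount}".encode()
    tag = hmac.new(OFFICER_KEYS[officer], msg, hashlib.sha256).hexdigest()
    return officer, tag

def check_is_valid(check_id, amount, signatures):
    """Above the limit, two valid signatures from two *different*
    officers are required; one officer signing twice does not count."""
    signers = set()
    for officer, tag in signatures:
        if officer not in OFFICER_KEYS:
            continue
        if hmac.compare_digest(tag, sign_check(officer, check_id, amount)[1]):
            signers.add(officer)
    required = 2 if amount > TWO_SIGNATURE_LIMIT else 1
    return len(signers) >= required

def can_become_root(user, password):
    """su on Berkeley UNIX: knowing the root password AND being in
    wheel are both required; either one alone is refused."""
    given = hashlib.sha256(password.encode()).hexdigest()
    knows_password = hmac.compare_digest(given, ROOT_PW_HASH)
    in_wheel = user in GROUPS["wheel"]
    return knows_password and in_wheel
```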
13. 7. Principle of Least Common Mechanism
• The principle of least common mechanism states that mechanisms used to access resources should not be shared. Sharing resources provides a channel along which information can be transmitted, and so such sharing should be minimized.
• A Web site provides electronic commerce services for a major company. Attackers want to deprive the company of the revenue it obtains from that Web site. They flood the site with messages and tie up the electronic commerce services. Legitimate customers are unable to access the Web site and, as a result, take their business elsewhere.
• Here, the sharing of the Internet with the attackers' sites caused the attack to succeed. The appropriate countermeasure would be to restrict the attackers' access to the segment of the Internet connected to the Web site.
14. 8. Principle of Psychological Acceptability
• The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.
Configuring and executing a program should be as easy and as intuitive as possible, and any output should be clear, direct, and useful.
If a configuration file has an incorrect parameter, the error message should describe the proper parameter. This recognizes the most important element in computer security: the human.
15. 8. Principle of Psychological Acceptability, Cont.
• When a user supplies the wrong password during login, the system should reject the attempt with a message stating that the login failed. If it were to say that the password was incorrect, the user would know that the account name was legitimate. If the "user" were really an unauthorized attacker, she would then know the name of an account for which she could try to guess a password.
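The login behaviour described above as an added example (not code from the slides): a leaky variant that answers differently for a missing account and a wrong password, beside a variant that returns the same "Login failed." message in both cases and also hashes a dummy record for unknown names so the two paths do the same work. The user table, salt and sample password are constructed.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    """PBKDF2-SHA256: a slow, salted password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user table (name -> (salt, hash)) with one sample account
_SALT = os.urandom(16)
USERS = {"edgar": (_SALT, _hash("s3cret", _SALT))}
# Dummy record so an unknown name costs the same work as a known one
_DUMMY = (os.urandom(16), b"\0" * 32)

GENERIC_FAILURE = "Login failed."

def login(name, password):
    """Return (ok, message). The message is the same whether the account
    does not exist or the password is wrong, so it reveals neither."""
    salt, stored = USERS.get(name, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and name in USERS
    return (True, f"Welcome, {name}.") if ok else (False, GENERIC_FAILURE)

def leaky_login(name, password):
    """What the slide warns against: a different message for a missing
    account lets a caller learn which account names exist."""
    if name not in USERS:
        return False, "No such user."
    salt, stored = USERS[name]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password."
    return True, f"Welcome, {name}."
```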
16. QUIZ 2
ANALYZING SYSTEM ACCESS AND AUTHENTICATION
Authentication is typically the process by which a system identifies a certain user.
Authentication is based on:
• Something that the user knows, e.g. passwords
• Something that the user has, e.g. a key or smartcard
• Something that the user is, e.g. fingerprinting, voice recognition or retinal scan systems
17. AUTHENTICATION: 2 SUB-CONCERNS
• GENERAL ACCESS AUTHENTICATION
To control whether or not a particular user has ANY type of access right to the element in question. Usually we consider these in the form of a “User Account”.
• FUNCTIONAL AUTHORIZATION
Concerned with individual user “rights”. What, for example, can a user do once authenticated? Can they configure the device, or only see data?
19. AUTHENTICATION: PROCEDURE
• Authentication procedure
– Two-Party Authentication
• One-Way Authentication
• Two-Way Authentication
– Third-Party Authentication
• Kerberos
• X.509
– Single Sign-On
• The user can access several network resources by logging on once to a security system.
20. AUTHENTICATION: Two-Party Authentication PROCEDURE
[Figure: two-party authentications. One-way authentication: the client sends its user ID and password to the server and is authenticated. Two-way authentication: the server in turn sends its server ID and password to the client and is authenticated.]
21. AUTHENTICATION: Third-Party Authentication PROCEDURE
[Figure: third-party authentication. The client sends its client ID and password to the security server and is authenticated; the server sends its server ID and password to the security server and is authenticated; keys are exchanged through the security server, after which client and server exchange data.]
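The three steps of the third-party figure (each party authenticates to the security server with its ID and password, the security server hands both a session key, then client and server exchange data) as an added, simplified model that is not from the slides and is not Kerberos or X.509. Passwords, IDs and the key-wrapping scheme (session key XORed with a hash of the party's long-term key and a fresh nonce) are constructed for the example; data exchange is protected with an HMAC under the session key.

```python
import hashlib
import hmac
import os

def _kdf(secret, label):
    """Derive a 32-byte key; long-term keys are derived from passwords."""
    return hashlib.sha256(secret + b"|" + label).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SecurityServer:
    """Trusted third party holding every party's password (constructed)."""
    def __init__(self, accounts):  # id -> password, sample data
        self.keys = {i: _kdf(p.encode(), b"lt") for i, p in accounts.items()}
        self.authenticated = set()

    def login(self, pid, password):
        """Step 1 of the figure: a party presents its ID and password."""
        key = self.keys.get(pid, b"\0" * 32)
        ok = pid in self.keys and hmac.compare_digest(key, _kdf(password.encode(), b"lt"))
        if ok:
            self.authenticated.add(pid)
        return ok

    def exchange_keys(self, client_id, server_id):
        """Step 2: once both have authenticated, issue one session key,
        wrapped for each party under its own long-term key."""
        if not {client_id, server_id} <= self.authenticated:
            return None
        nonce, session = os.urandom(16), os.urandom(32)
        def wrap(pid):
            return _xor(session, _kdf(self.keys[pid], nonce))
        return nonce, wrap(client_id), wrap(server_id)

class Party:
    """Client or server: knows only its own password."""
    def __init__(self, pid, password):
        self.id, self.key, self.session = pid, _kdf(password.encode(), b"lt"), None
    def unwrap(self, nonce, wrapped):
        self.session = _xor(wrapped, _kdf(self.key, nonce))
    def send(self, data):
        """Step 3: exchange data, authenticated with the session key."""
        return data, hmac.new(self.session, data, hashlib.sha256).digest()
    def receive(self, data, tag):
        expect = hmac.new(self.session, data, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expect)
```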
22. IDENTIFYING PENETRATION TESTS
• The practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit, by simulating attacks from both internal and external threats.
• To prevent a thief, you may need to think like a thief, using tools and techniques very similar to those employed by criminals.
• Goals
– Determine the adequacy of security measures
– Identify security deficiencies
– Recommend training
23. WHY PENETRATION TEST?
• To find poorly configured machines.
• To verify that security mechanisms are working.
• To help organizations tighten the security of their systems.
24. PHASES OF A PENETRATION TEST
25. PROFILING
• Research phase
– Passive Reconnaissance
– Strategy
• Obtain publicly available information on target
– Tactics
• Query publicly accessible data sources
• Observe physical defenses
• Covertly survey company and employees
26. ENUMERATION
• Discovery Phase
– Active Reconnaissance
– Strategy
• Find detailed information
• Find possibly vulnerable points of entry
– Tactics
• Map the network
• Analyze and identify each individual host
• Survey physical security mechanisms
• Compile a list of possible entry points for an attacker
27. VULNERABILITY ANALYSIS
• Systematic examination of vulnerabilities
– Procedure
• Using all the information gathered in the previous phases, identify vulnerabilities in the system
– Tactics
• Prioritize analysis of commonly misconfigured services
• Use automated tools if applicable/available
28. EXPLOITATION
• Gaining access
– Procedure
• Verify previously identified vulnerabilities by attempting to exploit them
• Show what access can be gained and what assets can be affected
29. REPORTING
• The important part
– Procedure
• Compile findings into a complete report
– Include methods as well
• Make suggestions to fix vulnerabilities
30. TYPES OF PENETRATION TESTING
• Overt
– Also known as White Hat Testing, involves performing external and/or internal testing with the knowledge and consent of the organization’s IT staff, enabling comprehensive evaluation of the network or system security posture.
• Covert
– Also known as Black Hat Testing, takes an adversarial approach by performing testing without the knowledge of the organization’s IT staff but with the full knowledge and permission of upper management.
• External
– This testing is conducted from outside the organization’s security perimeter. This offers the ability to view the environment’s security posture as it appears outside the security perimeter (usually as seen from the Internet), with the goal of revealing vulnerabilities that could be exploited by an external attacker.
• Internal
– In this type of testing, assessors work from the internal network and assume the identity of a trusted insider or an attacker who has penetrated the perimeter defenses. This kind of testing can reveal vulnerabilities that could be exploited from inside, and demonstrates the potential damage an internal attacker could cause.