1.5 Authentication, Authorization, Accountability Flashcards

1
Q

Access Control - Guiding Principles

A
  • Least privilege: if someone needs to do something to do their job, they should be able to do it
  • Need to know: if someone needs to read something to do their job, they should be able to read it
  • Least privilege is broader than need to know, since it includes need to know within it
  • Taking the principle of least privilege and need to know together, we are trying to uphold the confidentiality, integrity, and availability of our data
  • There is also the option of implicit deny – when a new file is created, no one else has access until they are explicitly granted it
2
Q

Controlling the insider threat with access controls

A
  • As mentioned, insider threats pose a real security problem for organizations – the principle of least privilege helps if we implement the “and nothing more” portion
  • Unfortunately, this usually isn’t the case because of “privilege creep”: the notion that the longer someone stays in a company, the more files they have access to
  • This also has nothing to do with trust. Someone can be a completely trustworthy person, but it doesn’t matter at the end of the day when a ransomware attack encrypts all the files their user account has access to – trust is irrelevant
3
Q

Authentication: something that you know
- what makes a good password
- what is the derivative complex passphrase
- what is the true passphrase
- haystack tool
- ways passwords are discovered
- passwords - administrator settings
- password lockouts
- password issues
- password cracking software (offline vs online)
- cognitive passwords

A
  • Something that you know
    o Credentials are the #1 sought-after data
    o The most common form of authentication is information that you know – password rules, unfortunately, are really challenging to implement
    o Passwords are really expensive: long-form passwords result in user training, help desk time unlocking accounts, and lost productivity due to locked accounts, which all adds up (think of web surfing costs)
    o Consequently, because password rules are challenging, 123456 is the most common password
    o The common training is that good passwords use upper and lower case, special characters, and numbers, and are above 8 characters long
      - Longer passwords are better than shorter ones because they have a larger “password universe”, meaning how many possible passwords you can create given the allowed character sets and the number of positions
    o Password cracking software like John the Ripper and Hashcat is also smart enough to replace A with @ and S with $
    o Because of this, and because you’re supposed to have a different password for each account, how are you supposed to remember all of that?
  • The derivative complex passphrase
    o You take a phrase you know and derive a password from it, adding characters and numbers in between, like:
    o LMMs0aT (Little Miss Muffet sat (zero) on a Tuffet)
    o But you need one of these for each website, how will you ever remember that?
  • True passphrase:
    o Instead of using the derivative method, why not use the phrase itself?
    o Like LittleMissMuffetSat0onaTuffet
    o This makes our password longer too
    o If the site allows spaces you can use those too
  • Haystack tool:
    o The haystack tool shows how many days, months, years, centuries, etc. it would take password cracking software to guess your password based on its length and characters
  • Ways passwords are discovered:
    o Interception over a network
    o Brute-force guessing until the correct one is found
    o Keylogging to capture a password as it is entered
    o Data breaches
    o Phishing and coercion
    o Stealing hashes
    o Password spraying – trying a small number of common passwords against a large number of accounts
  • Passwords – administrator settings
    o Maximum password aging: Forces you to change your password every 60-90 days, with the hope that if your password is compromised the window of opportunity for someone to use it is smaller – it is also hoped that you change your password before someone succeeds via a password cracking attack
    o Password histories: Causes the system to remember the last X passwords and not allow you to reuse them
    o Minimum password aging: Prevents users from changing their password for X days – because password aging forces you to change your password and password histories prevent you from reusing passwords, some people change their password X times in a row and return to their original password; minimum password aging prevents that
    o Password strength checkers: Help determine the strength of a password based on characters and length – can also reinforce password histories by disallowing any new password that matches X characters of a previous password
  • Password lockouts: How many incorrect attempts until the account is locked (the clipping level) – used to be 3-5 attempts, but since password requirements force users to have more complex passwords there should be more attempts allowed
  • Password issues:
    o Human nature shows that people tend to pick passwords that are easy to guess
    o Further, they tend to reuse the same passwords across numerous sites
    o Also, they tend to write their passwords down – if they do, at least use a password management system that encrypts the information and has authorization measures
  • Password cracking software: Software that uses a variety of techniques to crack passwords – some is available open-source and is used to see if malicious actors could crack a password or to test the strength of a password
    o Offline password crackers like John the Ripper or Hashcat run against a password file that has already been obtained by some means. For example, an exploit is used to gain access to an administrator’s file that has other people’s passwords.
    o Online brute-force software such as Brutus and Hydra works by attempting to log into an account repeatedly, typically using different passwords from a dictionary
  • Cognitive passwords – security questions – most people will input the true answer, but other people that you don’t want in your account can also find that information – you can put a fake mother’s maiden name, because if actors compromise one account and get your security answers they will work for other accounts
4
Q

Authentication: something that you have
- token based authentication (synchronous, asynchronous, possession-based)

A

  • A device that you hold in your hand
  • Token-based authentication – a one-time password system defeats a replay attack
    o They can be:
      - Synchronous: time-based (e.g., RSA SecurID token – displays 6 new characters every 60 seconds)
      - Asynchronous: challenge/response systems (a cryptocard where you are sent a numeric challenge upon logging in, you punch the challenge into the card, a response appears on its screen, and you type that into your keyboard to authenticate)
      - Possession-based: proximity systems (like an Apple Watch or iPhone)
    o The issue with all of these is that loss of the device may disable its use
  • Most token-based authentication is a one-time password where you use it once and never again – this again prevents replay attacks, which happen when an actor captures and reuses your authentication information – hence the name replay, as they replay your authentication

5
Q

Authentication: something that you are

A

  • Takes your biometrics and stores them as a template in the system – when you authenticate, it matches your attempt to the template and grants access if it reaches a certain percentage threshold of a match (e.g., 80%); since no match is ever perfect you have to figure out that threshold: too high and you can’t ever get a match, too low and anyone can authenticate
  • Something you are, examples: fingerprint, facial recognition, voice recognition, retina scanning, iris scanning
  • Something you do: keyboard typing dynamics, biometric signature, the way you walk (none of these are very accurate)

6
Q

MFA vs 2FA

A
  • MFA: Any time you use something you know, something you have, and something you are – when you combine two or more of these together you have multi-factor authentication. This will always make it harder to defeat and more secure. Remember there is a difference between MFA and 2FA.
7
Q

Authorization:
- subject and object
- discretionary access control
- role-based access control

A
  • Subject and object: The subject is anything/anyone that is trying to access something else, whereas the object is the thing the subject is trying to access. When a user on the system tries to access a file, the user is the subject and the file is the object.
  • Discretionary access control: Every object on the computer has a subject (a user account) assigned as its owner. It operates on implicit deny, where the owner of the file can change the permissions and grant access to other users. Discretionary because the change in permissions is at the discretion of the file’s owner.
  • Role-based access control: The Active Directory domain controller creates a user group; you create an account and place the account in the group. For example, the accounting group membership grants all the access you need to do your work, so when a new accountant is hired you place them in that group. This is a good and easy way of managing access and requires little thought – but on the other side it violates the principle of least privilege: if someone is placed in the accountant group but works in accounts receivable, they would still have access to accounts payable files even though they don’t need them to perform their duties. The other downside is privilege creep: the longer someone is in an organization, the more groups they will be a part of and inevitably the more files they have access to, because their previous permissions haven’t been revoked.
8
Q

Accountability
- logging and auditing
- what is the best way to manage logs

A
  • Logging and auditing: We went to the trouble of authentication and then controlled access; now the logs tell us what really happened. You go into the logs to see what is abnormal, and for that you need to be able to define what normal is, which means you need to monitor logs regularly. Security information and event management (SIEM) systems collect the logs and produce trend reports. These also help you create baselines on which you can base clipping levels.
  • For example, by regularly monitoring logs you can create a baseline of how many password log-in attempts it takes to sign in, and then flag it as an abnormality if someone attempts 40 passwords
  • Logs can also be used in court so long as you can prove the veracity of the evidence – which means proving that the records haven’t been edited by a human in any way, which could only happen if 1) there was a hacker, and 2) the system administrator made a mistake
  • The best way to keep logs pristine is to have a central log server and a rule that says: system administrators cannot have final access to their logs. Meaning:
    o When a computer generates a log entry, it is written to a local file and also sent to the central log server
    o The administrator of the system generating the log entry uses the local log entries and has no access to the central log server
    o Once the log file is full, the central log server digitally signs it, ships it to a central storage repository, and starts a fresh log file
  • The advantage of this is also that if a local log file was tampered with, you can now compare it with the central copy and it becomes clear what the person editing the local file wanted to hide