ISM W32 Flashcards

(23 cards)

1
Q

What is identity management?

A

NIST: “Identity management systems are responsible for the creation, use, and termination of electronic identities …”

ISO/IEC 24760-1:2019: “processes and policies involved in managing the lifecycle and value, type and optional metadata of attributes in identities known in a particular domain”

AMONG OTHERS LOL…

2
Q

Why identity management?

A

FOR AUTHENTICATION
- We need identities to know what entities are being authenticated.
FOR AUTHORISATION AND ACCESS CONTROL
- We need identities to define access control rules.
- We need to know what entities are allowed what access under which conditions.
FOR ACCOUNTABILITY

3
Q

ENTITY VS IDENTITY

A

YOU TOLD ME YOU KNOW ALL ABOUT THIS BUT I'LL POP IT HERE ANYWAY:

Entity vs Identity: a many-to-many relationship
- One entity can have multiple identities.
- One identity can be allocated/claimed/used by multiple entities.
- An identity management (IdM) system or an identity provider (IdP/IDP) is often used to manage (e.g., create, maintain, expire) identities, including mappings to entities.

Identity vs Identifier (ID)
- Identities are normally identified via a unique identifier to avoid ambiguity in the authentication process.

Real vs Virtual
- Example: a person’s real name vs a person’s pen name

Physical vs Electronic
- Example: a person’s real name vs a person’s email address

4
Q

ATTRIBUTES, IDENTIFIER, CREDENTIALS?

A

ATTRIBUTES:
- ITU-T X.1250 (2009): “Information bound to an entity that specifies a characteristic of the entity.”
- IDENTIFIER is a special attribute of an entity.
- An attribute may be self-claimed by an entity but may also be assigned by an attribute authority (AA).
- IdM is about verifying attribute assertions: An entity claims to hold one or more specific attributes.

CREDENTIALS:
- ITU-T X.1250 (2009): “… used to support the authentication of entities – either one or both parties to an information exchange or transaction.”
(Examples: digital certificates, government-issued credentials, SIM cards, automatic teller machine (ATM) cards).

5
Q

What is federated identity management (FIM) and why is it needed?

slides 13 and 14 DIAGRAMS VERY IMPORTANT HERE - I HAVE ALSO SENT PICS

A

WHAT IS FIM?
SEPARATION OF AUTHENTICATION AND AUTHORISATION:
- Authentication: between users and identity providers (IdPs)
- Authorisation: between users and service providers (SPs)
THE TRUST MODEL
- Users / SPs trust IdPs + IdPs / SPs do not trust users
!!!SEE FIG. 1 FOR SIMPLE DIAGRAM of FIM trust model (slide 13)
!!!SEE FIG. 2 for more complicated version of the model (seems important): IdP split into 3 separate entities (slide 14)

THE PROBLEM
- All of us use many different computing systems at the same time.
- ⇒ It is more complicated and error-prone to manage all such systems separately, for both users and managers.

THE NEED
- Attribute authentication:
Many systems only need to authenticate one or more relevant attribute(s) of a user (e.g., if you are a UniKent student).

A SOLUTION
- Use a federation to manage access control (authentication and authorisation) across multiple systems
- ⇒ Single sign-on (SSO): A user can access resources at many different systems by logging in just once.

6
Q

What is access control?

A

THE GENERAL PROCEDURE:
- The access requester is called a subject or a principal, which can be a user or a non-user entity.
- Reference monitor: the monitor (enforcer) of the access policies

WHAT IS ACCESS CONTROL:

THREE ASPECTS

A. Who issued the request?
Who: a person, a process, a machine, an entity, …

B. What is requested?

C. Which rules (policies) are applicable when deciding on the access request?

TWO (MANAGEMENT) STEPS
1. Authentication
2. Authorisation

7
Q

What is accountability?

A

Cambridge Dictionary
- “the fact of being responsible for what you do and able to give a satisfactory reason for it, or the degree to which this happens”

IETF RFC 4949 “Internet Security Glossary, Version 2” (2007)
“The property of a system or system resource that ensures that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions.”

NIST CSRC (Computer Security Resource Center) Glossary
“… property that ensures that the actions of an entity may be traced uniquely to that entity.”

8
Q

Reasons for accountability

A
  • Legal compliance
  • Contractual obligations
  • Business needs
    • Quality assurance
    • Performance monitoring
    • Staff training and education
  • Ethical requirements
  • Social goods
  • Personal needs or wishes
9
Q

TYPES OF AUDITING

A
  • AUDIT SERVICE: “A security service that records information needed to ESTABLISH ACCOUNTABILITY for system events and for the actions of system entities that cause them.”
  • SECURITY AUDIT: “An INDEPENDENT REVIEW AND EXAMINATION of a system’s RECORDS AND ACTIVITIES to determine the ADEQUACY OF SYSTEM CONTROLS, ensure COMPLIANCE WITH ESTABLISHED SECURITY POLICY AND PROCEDURES, detect breaches in security services, and recommend any changes that are indicated for countermeasures.”
  • “AUDIT TRAILS are examples of control measurements that are recorded as part of system operations.”
  • Relevant for “archive”, “attack sensing, warning, and response”, “IDENTIFICATION PROTOCOL”, “intrusion detection”, “KEY MANAGEMENT”, “LOGIN”, “POLICY”, “time stamp”
10
Q

AUDIT POLICIES

A

Sound audit policies are needed!
Such policies can define the following:
- What evidence will be collected
(What events and information will be LOGGED ⇒ EVENT LOGGING is a key element of auditing).
- Who can access the evidence collected
- Who manages what
- When an investigation should be triggered
- When disciplinary and legal actions should be taken
- When external parties should be informed/involved
- What post-incident actions should be considered
- How staff training and communications should be organised

11
Q

EVENT LOGGING
TYPES? +
WHAT INFORMATION SHOULD BE LOGGED?

A

DIFFERENT TYPES OF EVENTS:
- Login (authentication) events
- Authorisation events
- Resource access events
- Device connection events
- Changes of resources (e.g., a new resource added, an old resource removed/archived, and the content of a resource changed)
- System/software/hardware updates
- Configuration changes
- Policy changes

WHAT INFORMATION SHOULD BE LOGGED?
- Who? Whom?
- Where?
- When? / How often? / How long?
- What?
- How many/much?
- How?
- Why?

12
Q

WHO/WHAT CAN/SHOULD DO LOGGING?

A

HARDWARE
- Networking devices (router, switches, firewalls, …), personal computers, mobile devices, …
SOFTWARE/SYSTEMS/SERVICES
- Operating systems, local applications, mobile apps, cloud services, managed services, online services, …
ORGANISATIONS
- Law enforcement agencies (LEAs), Internet service providers (ISPs), online platforms, identity providers (IdPs), vendors, telecom operators, all employers, …
PEOPLE
- Managers, administrators, IT staff, security staff, financial and HR staff, governance and compliance staff, teachers and school staff

13
Q

WHERE CAN LOGS BE STORED?

A

MAIN MEMORY @ Local devices
- Such data can be recovered via memory dump.
EXTERNAL MEMORY @ Local devices
- Hard disk, portable storage media, permanent storage media (e.g., CD-R discs), …
DATABASES
- Local, remote or distributed (e.g., a blockchain system)
REMOTE SERVERS
SPECIAL DEVICES
- IoT devices, mobile devices, …
CLOUD STORAGE

14
Q

Authentication vs accountability

A

Authentication without accountability is dangerous!
- We need to know who did what.
- ⇒ Accountability of all users
- ⇒ Audit trails of all user logins and logouts should be kept.

Different authentication techniques can help:

POSSESSION-based authentication: Can be used to log hardware devices involved.

INHERENCE-based authentication: Can be used to log biometric information of people involved.

CONTEXT-based authentication: Can be used to log contextual factors involved (e.g., geo-locations).

CONTINUOUS authentication: Can be used to create a continuous audit trail of each user during a login session.

15
Q

authorisation vs accountability

A

Authorisation without accountability is dangerous!

ACCOUNTABILITY OF THE GRANTOR (authoriser)
- The grantor (authoriser) should be responsible for all authorisation decisions.

ACCOUNTABILITY OF THE AUTHORISEE
- The grantor (authoriser) needs to know what the authorisee has been doing.

ACCOUNTABILITY OF THE POLICYMAKERS
- The access control policymakers should be responsible for any policy decisions made.

Delegation without accountability is dangerous!
- ⇒ Accountability of the delegator and the delegate

16
Q

What is non-repudiation all about?

A

NON-REPUDIATION = SOURCE OF ORIGIN VERIFICATION
- Non-repudiation can give a reliable record of who did what.
- Relevant techniques: MACs (Message Authentication Codes), digital signatures, biometrics, etc.

TRUSTED THIRD PARTIES ARE OFTEN USED AS PROXIES:

CERTIFICATE AUTHORITIES (CAs) for issuing and verifying digital certificates

IDENTITY PROVIDERS (IdPs) for managing and verifying digital identities

CREDENTIAL ISSUERS for issuing VERIFIABLE CREDENTIALS (VCs) and credential verifiers for verifying VCs

GOVERNMENT BODIES for issuing and verifying passports and visas

17
Q

INSIDER THREAT DETECTION: who and what to do

A

WHAT INSIDERS?
MALICIOUS INSIDERS (e.g., employees who steal / sell trade secrets)
NEGLIGENT INSIDERS (e.g., employees who did not follow policies)
UNINTENTIONAL INSIDERS (e.g., employees who mis-communicate)
INFILTRATORS (external parties who have gained access to internal systems and therefore temporarily become an “insider”)

IS THIS A REAL PROBLEM?
- Insider Threat Report 2018 (Veriato): “53% … have confirmed insider attacks against their organization in the previous 12 months”

IDENTIFYING INSIDERS = IDENTIFYING THOSE ACCOUNTABLE

MONITORING INSIDER THREATS
- Requires close monitoring and logging of all internal systems and of interfaces with external systems

18
Q

WHAT ARE THE DEFINITIONS OF
1. DIGITAL FORENSICS
2. E-DISCOVERY (electronic discovery)

AND WHAT KEY USE DO THEY SHARE?

A

BOTH CAN BE USED FOR ESTABLISHING ACCOUNTABILITY

DIGITAL FORENSICS (DF)
ISO/IEC 30121:2015: “scientific tasks, techniques and practices used in the investigation of stored or transmitted binary information or data for legal purposes”
(A closer but broader term: digital investigation)

ELECTRONIC DISCOVERY / E-DISCOVERY
- ISO/IEC 27050-1:2019: “discovery that includes the identification, preservation, collection, processing, review, analysis, or production of Electronically Stored Information”
(Industrial counterpart of digital forensics)

19
Q

What are SIEM systems, what is CTI?
And what do they have in common?

A

SIEM AND CTI BOTH HELP PROVIDE NEEDED DATA AND INTELLIGENCE TO SUPPORT LOGGING, AUDITING, ACCOUNTABILITY ETC.

SIEM = SECURITY INFORMATION AND EVENT MANAGEMENT
- Event logs are often managed as part of an SIEM system to facilitate data collection, storage, analysis, and exchanges.
- Many other data are also collected, e.g., data from IDSs/IPSs (intrusion detection/prevention systems), various software and hardware sensors, and external sources.

CTI = CYBER THREAT INTELLIGENCE
- Useful data about cyber threats from different sources, e.g., COMMON VULNERABILITIES AND EXPOSURES (CVE), online social media and the darknet.
- CTI can be made part of the SIEM system or be separately managed.

20
Q

WHAT ARE SOCs AND WHAT DO THEY DO?

slide 34 DIAGRAM VERY IMPORTANT HERE (lifecycle of cyber incident management) - I HAVE ALSO SENT PICS

A

SOC = SECURITY OPERATIONS CENTRE

!!!SEE FIG. 3 FOR SIMPLE DIAGRAM LIFECYCLE OF CYBER INCIDENT MANAGEMENT (slide 34)

A KEY UNIT FOR ENABLING ACCOUNTABILITY WITHIN AN ORGANISATION
- Evidence management is the key: preserving evidence, analysing evidence, and assessing evidence.

  • McAfee: “a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.”

KEY ACTIVITIES OF AN SOC:
- NCSC UK: integration, management and review of traffic feeds; protective monitoring; initial triage and analysis; vulnerability management; alerting and response; incident management; root cause analysis; patching & remediation; correlation management; SIEM tuning; continuous improvement; key management

21
Q

WHAT ARE CSIRTs? HOW DO THEY DIFFER FROM SOCs?

slide 34 DIAGRAM VERY IMPORTANT HERE (lifecycle of cyber incident management) - I HAVE ALSO SENT PICS

A

CSIRT = CYBER/COMPUTER SECURITY INCIDENT RESPONSE TEAM

!!!SEE FIG. 3 FOR SIMPLE DIAGRAM LIFECYCLE OF CYBER INCIDENT MANAGEMENT (slide 34)

  • Also known as CERT (CMU’s registered trade mark): CYBER/COMPUTER EMERGENCY RESPONSE TEAM
  • And as CIRT (ITU term): CYBER/COMPUTER INCIDENT RESPONSE TEAM
  • CSIRTs tend to have a NARROWER SCOPE than SOCs.
  • CSIRTs may not be the ones in charge of accountability.
  • An SOC usually serves a single organisation, but a CSIRT often goes beyond an organisation and SERVES A WHOLE SECTOR, A NATION OR A LARGER REGION (e.g., for the whole EU).
  • The differences between them are not clear-cut.
  • THEY OFTEN WORK TOGETHER AND SHARE RESOURCES

22
Q

WHAT ARE ISACs?

A

ISAC = INFORMATION SHARING AND ANALYSIS CENTRE
- Sectoral, national or regional centres set up to facilitate ISM-related information sharing and exchanges between people and organisations
- They help enhance effectiveness and efficiency of the whole sector/nation/region’s ISM and cyber incident response capabilities.

  • An example: UK NCSC’s CYBER SECURITY INFORMATION SHARING PARTNERSHIP (CiSP)

CSIRTs AND ISACs WORK TOGETHER
- They often have overlapping constituencies.
- Cross-CSIRT organisations as ISACs between CSIRTs