I.

II.

Smart cards a. Smart cards are more tamperproof than memory cards, but individuals have introduced computational errors into smart cards to uncover the encryption keys used and stored on the cards i. Fault generation attack: encryption functions after introducing an error (e.g. by changing input voltage, clock rate, temperature fluctuations) and reviews the correct result, which the card performs when no errors are introduced. Analysis of the difference can allow the attacker to reverse engineer the encryption process to uncover the encryption key. ii. Side channel attacks: nonintrusive; used to uncover sensitive information by monitoring and capturing the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation 1. Differential power analysis examining the power emissions released during processing 2. Electromagnetic analysis examining the frequencies emitted 3. Timing examining how long a specific process takes b. An ISO/IEC standard, 14443 outlines physical characteristics, initialization and anticollision, and transmission protocol for smart cards i. The DoD is rolling out smart cards across all of their agencies and NIST is developing a framework and conformance testing program for interoperability issues c. Software attacks are noninvasive attacks; input an algorithm on the card that will allow the attacker to extract account information d. Microprobing uses needles and ultrasonic vibration to remove the outer protecting material on the cards circuits so that data can be accessed and manipulated by tapping into the cards ROM chips Authorization a. Applications, security add-on packages, and resources can provide authorization functionality b. Granting access rights should be based on the level of trust a company has in a subject and the subjects need to know. Different access criteria can be enforced by roles, groups, location, time, and transaction types i. A role is based on a job assignment or function ii. If several users require the same type of access to information and resources, putting them into a group and then assigning rights and permissions to that group is easier to manage than assigning rights and permissions to each and every individual separately (one way access control is enforced through a logical access control mechanism) iii. Physical or logical location can be used to restrict access to a resource. This restriction is often implemented to restrict unauthorized individuals from reconfiguring the server remotely 1. Logical location restrictions are done through network address restrictions; network administrator ensures that status requests of an

III.

IV.

intrusion detection management console are accepted only from certain computers on the network using software iv. Time of day is a (logical) access control mechanism; temporal access can also be based on the creation date of a resource v. Transaction-type restriction can be used to control what data is accessed during certain types of functions and what commands can be executed on the data c. Access control mechanisms should default to no access (a user can have read, change, delete, full control, or no access permissions i. If nothing has been specifically configured for an individual or the group she belongs to, the user should not be able to access that resource ii. Most access control lists that work on routers and packet-filtering firewalls default to no access d. Need to know principle individuals should be given access only to the information they absolutely require in order to perform their job duties (Management determine the security requirements of individuals and how access is authorized; the security administrator configures the security mechanisms to fulfill these requirements) e. Authorization creep: As employees rotate, they are assigned more access rights and permissions; thereby posing a risk to a company because too many users have too much privilege access to the company assets i. Rights and permission reviews have been incorporated into many regulatory induced processes (including SOX regulations) Single Sign-On a. SSO capabilities allow a user to enter credential one time and access all pre-authorized resources in primary and secondary network domains; enables the administrator to streamline user accounts and better control access rights b. To work, every platform, application, and resource needs to accept the same credentials, in the same format, and interpret their meanings similarly i. It is rare to see a real SSO environment more common to see a cluster of computers and resources that accept the same credentials c. Kerberos is an authentication protocol designed in the mid-1980s that works in a client/server model and is based on symmetric key cryptography and provides end-to-end security i. Used for years in Unix systems and is currently the default authentication method for Windows 2000, 2002, and 2008 operating systems ii. Mac OS X, Solaris, and Linux 4 all use Kerberos authentication iii. Kerberos is a single sign-on system for distributed environments and the de factor standard for heterogeneous networks iv. Has scalability, transparency, reliability and security although its open architecture (vendors can customize a protocol) invites interoperability and incompatibility issues v. Designed specifically to eliminate the need to transmit passwords over the network; most Kerberos implementations work with shared secret keys Role-based access control

V.

a. The RBAC approach simplifies access control administration by allowing permissions to be managed in terms of user job roles i. A role is defined in terms of the operations and tasks the role will execute. When the analyst makes a request to access a sever, the operating system reviews the roles access levels before allowing an operation to occur ii. Introducing roles introduces the difference between rights being assigned explicitly and implicitly iii. The FBAC model is the best system for a company with high employee turnover (the administrator does not continually change the ACLS on the individual objects; he creates a role, assigns permission to this role, and maps the new user to this role) b. Core RBAC users, roles, permissions, operations and session are defined and mapped according the security policy i. Has a many-to-many relationship among individual users and privileges (many users can belong to many groups) ii. Session is a mapping between a user and a subset of assigned roles iii. Accommodates traditional but robust group-based access control iv. Can be configured to include time of day, location of role, day of week, etc for access decisions c. Hierarchical RBAC allows the administrator to set up an organizational RBAC model that maps to the organizational structures and functional delineations required in a specific environment i. Role relation defined user membership and privilege inheritance 1. Limited hierarchies only one level of hierarchy is allowed 2. General hierarchies allows for many levels of hierarchies ii. Static Separation of Duty Relations through RBAC used to deter fraud by constraining the combination of privileges (e.g. user cannot be a member of both the Cashier and Accounts Receivable groups) iii. Dynamic Separation of Duties Relations through RBAC used to deter fraud by constraining the combination of privileges that can be activated in any session d. Role based access control can be managed as 1) Non-RBAC (Users are mapped directly to applications and no rules are used); 2) Limited RBAC (Users are mapped to multiple roles and mapped directly to other applications that do not have role-based functionality); 3) Hybrid RBAC (Users are mapped to multi-application roles with only selected right assigned to those roles); 4) Full FBAC (Users are mapped to enterprise roles) e. Current access control models (MAC, DAC, RBAC) do not lend themselves to protecting data of a given sensitivity level but limit the functions that the users can carry out Access Control Techniques and Technologies a. Rule-based access control uses specific rules that indicate what can and cannot happen between a subject and an object; before a subject can access an object in a certain circumstance, it must meet a set of predefined rules b. Rule-based access (compulsory control) allows a developer to define specific and detailed situations in which a subject can or cannot access an object. Traditionally, it has

VI.

been used in MAC systems as an enforcement mechanism of the complex rules of access that MAC systems provide. i. Rule-based access is used in other systems and applications (e.g. content filtering) ii. Routers and firewalls use rules to determine which types of packets are allowed into a network c. Constrained User Interfaces i. Restrict users access abilities by preventing them from requesting certain functions or information or accessing specific system resources ii. Menus the options users are given are the command they execute; a shell is a type of virtual environment within a system. It is the users interface to the operating system and works as a command interpreter. If restricted shells are used, the shell only contains the commands the administrators wants the users to be able to execute. iii. Database views are mechanism used to restrict user access to data contained in databases iv. Physically constraining a user interface can be implemented by providing only certain keys on a keypad or certain touch buttons on a screen d. An access control matrix is a table of subjects and objects indicating what actions individual subjects can take on individual objects (usually an attribute of DAC models). The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs) e. A capability table specifies the access rights a certain subject posses pertaining to specific objects. The capability corresponds to the subjects row in the access control matrix. Kerberos is a capability-based system. The ticket (token/key) is a capability table. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object f. Access control lists are lists of subjects that are authorized to access and specific object (and define what level of authorization is granted). Authorization can be specified to an individual or group i. Map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix. g. Content-dependent access control access to objects is determined by the content within the object; used when corporations employ e-mail filters that look for specific strings h. Context-dependent access control it based on the context of a collection of information rather than on the sensitivity of the data i. Firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network ii. A stateful firewall understands the necessary steps of communication for specific protocols and will not allow packets to go through that do not follow this sequence (stateful understands the necessary steps of a dialog session) IDS Sensors filters received data, discards irrelevant information, and detects suspicious activity

VII.

VIII.

a. It is more difficult for NIDS to work on a switched network because data are transferred through independent virtual circuits and not broadcasted. The IDS sensor acts as a sniffer and cannot access all traffic in these individual circuits. All the data on each individual virtual private network must be copied and placed on one port (spanning port) where the sensor is located. b. A monitoring console monitors all sensors and supplies the network staff with an overview of the activities of all sensors in the network i. Sensors should be placed in highly sensitive areas, DMZs, and extranets. They can be placed outside a firewall to detect attacks and inside a firewall (in the perimeter network) to detect actual instrusions c. If the network traffic volume exceeds the IDS systems threshold, attacks may go unnoticed. In very high traffic environments, multiple sensors should be in place to ensure all packets are investigated Intrusion Prevention Systems a. Traditional IDs only detects that something bad may be taking place b. A honeypot is a computer set up as a sacrificial lamb on the network; to entice attackers; the system is not locked down and has open ports and services enabled. They honeypot contains no real company information i. This enables the administrator to know when certain types of attacks occur so he can fortify the environment and perhaps identify the hacker ii. Enticement: the system only has open ports and services that an attacker might want to exploit iii. Entrapment: the system has a web page indicating the user can download files then one the user does this, the administrator charges him with trespassing (i.e. the intruder is induced to commit a crime) c. A packet or network sniffer is a general term for programs or devices that can examine traffic on a LAN segment. Traffic that is transferred over a network medium is transmitted as electric signals encoded in binary representation. The sniffer has a protocol analysis capability to recognize the different protocol values to properly interpet their meaning. i. The sniffer must access a network adaptor that works in promiscuous mode and a driver the captures the data. The filtered data are stored in a buffer, and this information is displayed to a user and/or captured in logs ii. Hackers can use network sniffers to learn about what type of data is passed over a specific network segment and to modify the data in an unauthorized manner Memory mapping a. The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are regerred to as logical ddresses. The relative addresses are based on a known address with an offset value added. i. When an application needs its instructions and data processed by the CPU, the physical addresses are loaded into the base and limit registers. ii. When a thread indicates the instructions need to be processed it provides a logical address.

IX.

X.

iii. The memory manager maps the logical address to the physical address so the CPU knows where the instruction is located. iv. Absolute addresses are loaded into the CPUs registers b. When an application makes a request for a memory segment, it is allocated a specific memory amount by the operating system. When the application is done with memory, it should tell the operating system to release the memory so it is available to other applications i. Some applications are written poorly and do not indicate to the system that this memory is no longer in use; memory leaks can be caused by OS, applications, and software drivers ii. Hackers can exploit memory leaks using denial-of-service (DoS) attacks iii. A garbage collector is software that runs an algorithm to identify unused committd memory and then tell the OS to mark that memory as available Virtual memory a. Secondary storage- nonvolatile storage media (e.g. computers hard drive, floppy disks, and CD-ROMS) b. Virtual memory system uses hard drive space to extend its RAM memory space i. Swap space reserved hard drive space used to extend RAM capabilities; Windows use the pagefile.sys file to reserve this space ii. When a system fills up its volatile memory space, it writes data from memory onto the hard drive. 1. Virtual memory paging: When a program requests access to this data, it is retrieved from the hard drive back into memory in specific units (pages) a. Application requests access to memory; memory manager looks up which segments are allocated w=to that process; memory manager accesses memory frame for process; memory manager returns data held in memory 2. Internal control locks, maintained by the OS, keep track of what page frames are residing in RAM and what is available offline iii. When a system is shut down, or processes that were using the swap space are terminated, the pointers to the pages are reset to available even though the actual data written to the disk is still physically there (can be compromised or captured) 1. Routines should erase swap spaces after a processes is done with it and before a system shuts down iv. If a program, file, or data are encrypted and saved on the hard drive, they will be decrypted when used y the controlling program. While these unencrypted data are sitting in RAM, the system could write out the data to the swap space on the hard drive, in their unencrypted state. CPU Modes and Protection Rings a. Protection rigns provide strict boundaries and definitions for what the processes that work within each ring can access and what operations that can successfully execute

XI.

i. Processes that operate within the inner rings have more privileges than process operating in the outer rings because the inner rings only permit the most trusted components and processes to operate within them ii. Processes in the inner rings exist in privileged or supervisor mode while processes in outer rings execute in user ode iii. The actual ringer architecture used y a system is dictator by the processor and operating system. The hardware chip is constructed to provide a certain number of rings and the operating system must be developing to work in this ring structure. b. OS components operate in a ring that gives them the most access to memory locations, peripheral devices, system drivers, and sensitive configuration parameters. i. If an application tries to send instructions to the CPU that fall outside its permission level, the CPU treats this violation as an exception and may shoe a general protection fault or exception error and try to shut down the application c. The most common architecture provides four rings: Ring 0 operating system kernel; Ring 1 Remaining parts of the OS; Ring 2 I/O drivers and utilities; Ring 3 Applications and user activity i. Protections ring sprovide an intermediate layer between subjects and objects; each subject and object is logically assigned a number depending upon the level of trust the OS assigns it. Entities can only access and directly communicate with objects in their own ring. 1. When an application needs access to components in rings it cannot directly access, it makes a request of the OS to perform the necessary tasks through system calls Operating system architecture a. Operating system architecture is the framework that dictates how the OSs services and functions are placed and how they interact b. A monolithic operating system architecture modules of code can call upon each other as needed; communication between different modiles is not structured and controlled and data hiding is not provided. MS_DOS is a monolithic operating system c. Layered operating system (THE, VAX/VMS, Multics, and Unix separates system functionality into hierarchical layers i. THE (Technische Hogeschool Eindhoven) multiprogramming system had five layers of functionality; layer 0 controlled access to the processor and provided multiprogramming functionality; layer 1 carried out memory management; layer 2 provided inter-process communication; layer 3 deal with I/O devices; layer 4 was where the application resided; layer 5 was the user layout and not implemented directly by THE ii. Provide data hiding instructions and data (packaged up as procedures) at various layers do not have direct access to instructions and data at any other layers 1. Each procedure at each layer has access only to its own data and a set of functions that is requires to carry out its own tasks.

XII.

iii. A monolithic OS provides only ne ayer of security, while in a layered system, each layer should provide its own security and access control 1. Modularizing software and code increases the assurance level of the system d. Another approach works within a client/server architecture portions of software and functionality that were previously in the monolithic kernel are now at the higher levels of the operating system. The OS functions are divided into different processes that run in user mode i. The goal of a client/server architecture is to move as much code as possible from working in kernel mode (privileged mode) so the system has a leaner kernel (microkernel) 1. The requesting process is referred to as the client, and the processes that fulfills the request is called the server 2. The serve process can be a file systems server, memory server, I/o server, or process server (called subsystems); the client is either a user process or another O/S process ii. In a network , an application works in a client/server model because it provides distributed computing capabilities. The client portion of the application resides on the work stations and the server portion is usually a back-end database or server. Security Policy provides the framework for the systems security architecture a. A trusted system must have an architecture that provides the capabilities to protect itself from untrusted processes, intentional, or accidentally compromises, and attacks at different layers of the system i. Trust ratings obtained through formal evaluations require a defined subset of subjects and objects, explicit domains, and the isolation of processes so their access can be controlled and the activities performed on them can be audited 1. When a system is testing against specific criteria, a rating is assigned to the system. The criteria will determine if the security policy is being properly supported and enforced. ii. The security kernel comprises all resources that supervise system activity in accordance with the systems security policy and is part of the operating system that controls access to system resources 1. For the security kernel to operate, the individual processes must be isolated from each other and domains must be defined to dictate which objects are available to which subjects b. Multilevel security policies prevent information from flowing from a higher security level to a lower security level c. Least privilege a process has no more privileges than necessary to fulfill its functions i. If a process needs to have its status elevated so it can interact directly with a system resource, the processs status should be dropped as soon as its tasks are complete 1. Less privileged processes call upon the processes with complete system privileges in the kernel to process sensitive operations

XIII.

Security Models a. A model is a symbolic representation of a policy that maps the desires of policymakers into a set of rules that a computer system must follow i. A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy ii. The security model is represented by mathematical relationships and formulas; which are mapped to system specifications and then developed by programmers through programming code b. State machine models an abstract mathematical model that uses state variables to represent the system state i. A given state consists of all current permission and all current instances of subjects accessing the objects. 1. State transitions activities that can alter the state; developers of an operating system need to look at different state transitions to determine if a system that starts up in a secure state can be put into an insecure state 2. To allow a transition, the objects security attributes and the access rights of the subject must be reviewed and allowed by the operating system 3. A system that has employed a state model will be in a secure state in each and every instance of its existence ii. If subjects can access objects only by means that are concurrent with the security policy, the system is secure iii. A state machine model provides mathematical constructs that represent sets (subjects and objects) and sequences. When an object accepts an input, this modifies a state variable ( e.g. [Name, Value]) 1. Developers must define what and where the state variables and then define a secure state for each state variable 2. Developers must define and identify allowable state transition functions a. After the state transition functions are defined, they must be tested to verify that the overall machine state will not be compromised b. Developers must identify all the initial states (default variable values) and outline how these values can be changed so the resulting values (final states) still ensure the system is safe c. Division B Mandatory Protection MAC is enforced through security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available i. B1: Labeled Security each data object must have a classification label, each subject must have a clearance label. The system compares the security labels to ensure that requested actions are acceptable. Data leaving the system also have an accurate security level. The security policy is based on an informal statement and the design specifications are reviewed and verified ii. B2: Structured Protection the security policy is clearly defined and coumented, and the system design and implemtnation are subjected to more thorough review

XIV.

XV.

and testing procedures; requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices need labels and the system cannot allow covert channels. A trusted path for logon and authentication processes must exist (that cannot be compromised). Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must isolate processes and a covert channel analysis should be conducted. iii. B3: Security Domains More granularity is provided in each protection mechanism and the programming code that is not necessary to support the security policy is excluded. The reference monitor components must be small enough to test and tamperproof. The security administrator role is clearly defined. When the system starts up and loads its operating system and components, it must be done in an initial secure state to ensure that any weakness of the system cannot be exploited in this slice of time. d. Division A: Verified Protection formal methods used to ensure that all subjects and objects are controlled with the necessary DAC and MAC i. A1: Verified Design The assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in verification techniques. Formal techniques prove the equivalence between the specifications and the security policy model. A more stringent change configuration is implemented and the overall design can be verified. Delivery to the customer may also be scrutinized. e. TCSEC addresses confidentiality but not integrity The Orange Book and Rainbow Series a. The Orange Book mainly addresses government and military requirements and expectations for their computer systems. Many people within the security field have pointed out several deficiencies in the Orange Book when it is being applied to systems that are to be used in commercial areas i. It looks specifically at the OS and not at other issues like networking, databases, etc. ii. It focuses mainly on one attribute of security confidentiality iii. It works with government classifications and not the protection classifications commercial industries use iv. It has a relatively small number of ratings b. The Orange Book emphasizes controlling which users can access a system and not what they can fo with the information once authorized. Commercial organizations are more concerned about the integrity of their data. TOC/TOU countermeasures a. To protect against race condition attacks, programmers should use atomic operations when only one system call is used to check authentication and then grant access in one task. This should prevent the processor from switiching to another process in between two tasks.

b. To avoid TOC/TOU attacks, the operating system should apply software locks to items it will use when it is carrying out its checking tasks (e.g. if a user requests access to a file, while the system is validating the users authorization, it should put a software lock on the file being requested) i. Locks can be applied to files easily but it is more difficult to secure database components and table entries XVI. Buffer Overflows occur when too much data are accepted as input to an application or operating system. a. A buffer is an allocated segment of memory. An attacker can insert code of a specific length into the bugger, followed by the commands the attacker wants executed. i. The purpose of a buffer flow may be to make a mess by shoving arbitrary data into various memory segments; or to accomplish a specific task by pushing into the memory segment a carefully crafted set of data 1. The task could be to open a command shell with administrative privilege or execute malicious code b. Software may be written to accept data from a user, website, database or another application. A procedure is code than can carry out a specific type of function on the data and return the result to the requesting software. i. When a programmer writes a piece of software that will accept data, this data will be stored in a variable. When the software calls upon a procedure to execute, it stacks the necessary instructions and data in a memory segment for the procedure to read from. ii. Data accepted from an outside entity is placed in a variable which resides in a buffer. The buffer must be the right size to accept the inputted data. iii. The buffers can hold data which are placed on a memory stack XVII. Parameters are passed into empty variables and put into a linear construct (memory stack) which acts like a queue for the procedure to pull from while it carries out a calculation a. The return pointer is a pointer to the requesting applications memory address that tells the procedure to return control to the requesting application after the procedure has worked through all values on the stack. b. The applications places on top of the return pointer the rest of the data inputted and sends a request to the procedure to execute the calculation c. The procedure takes the data off the stack starting at the top and carries out its functions on all the data and returns the result and control back to the application once it hits the return pointer d. The stack is just a segment in memory that allows communication between the requesting application and procedure or subroutine i. Requesting applications must conduct bounds checking to ensure the inputted data are of an acceptable length e. In a carefully crafter buffer overflow attack, the stack is filled properly so the return pointer can be overwritten and control is given to the malicious instructions that have been loaded onto the stack instead of back to the requesting application. This allows the malicious instructions to be executed in the security context of the requesting application.

f.

Windows core is written in the C language and has layers and layers of object-oriented code on top of it. When a procedure needs to call on the oepratin gsystem to conduct some task, it calls upon a system service via an API call. i. The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to occur. Specific commands can provide access to low-level memory addresses without carrying out bounds checking The C functions that do perform the necessary boundary checking include strncpy(), strncat(), snprintf(), and vsnprintf(). ii. When a buffer overflow is identified, the vendor usually sends out a patch. Some
products installed on systems can alsowatch for input values that might result in buffer overflows