(My) CEH cheat sheet

This is the small (and I hope) useful cheat sheet for the CEH V8 certification.

This is strongly inspired from the CEH Certified Ethical Hacker Bundle, Second Edition book.

Basics

“Bit flipping” is one form of an integrity attack. In bit flipping, the attacker isn’t interested in learning the entirety of the plaintext message.

There are three main phases to a pen test: preparation, assessment, and conclusion.

Black box testing, the ethical hacker has absolutely no knowledge of the TOE. It’s designed to simulate an outside, unknown attacker, takes the most amount of time to complete.

White box testing, pen testers have full knowledge of the network, system, and infrastructure they’re targeting.

Gray box testing, is also known as partial knowledge testing. What makes this different from black box testing is the assumed level of elevated privileges the tester has. Whereas black box testing is generally done from the network administration level, gray box testing assumes only that the attacker is an insider.

Attack Types

EC Council broadly defines four attack types categories:

  • Operating system attacks Generally speaking, these attacks target the common mistake many people make when installing operating systems— accepting and leaving all the defaults. Things like administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about.
  • Application-level attacks These are attacks on the actual programming codes of an application. Although most people are very cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a goldmine for most hackers.
  • Shrink-wrap code attacks These attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. These scripts and code pieces are designed to make installation and administration easier, but can lead to vulnerabilities if not managed appropriately.
  • Misconfiguration attacks These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security.

An asset is an item of economic value owned by an organization or an individual. Identification of assets within the risk analysis world is the first and most important step.

A threat is any agent, circumstance, or situation that could cause harm or loss to an IT asset.

A vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset.

18 U.S.C § 1029 and 1030

Basically, the law gives the U.S. government the authority to prosecute criminals who traffic in, or use, counterfeit access devices. In short, the section criminalizes the misuse of any number of credentials, including pass- words, PIN numbers, token cards, credit card numbers, and the like.

Cryptography

Symmetric Encryption – The formula for calculating how many key pairs you will need is N (N – 1) / 2 where N is the number of nodes in the network

Symmetric algorithms:

  • DES A block cipher that uses a 56-bit key (with 8 bits reserved for parity); fixed blocked size.
  • 3DES A block cipher that uses a 168-bit key. 3DES (called triple DES) can use up to three keys in a multiple-encryption method.
  • AES (Advanced Encryption Standard) A block cipher that uses a key length of 128, 192, or 256 bits, and effectively replaces DES.
  • IDEA (International Data Encryption Algorithm) A block cipher that uses a 128-bit key.
  • Twofish A block cipher that uses a key size up to 256 bits.
  • Blowfish A fast block cipher, largely replaced by AES, using a 64-bit block size and a key from 32 to 448 bits.
  • RC (Rivest Cipher) Encompasses several versions from RC2 through RC6. A block cipher that uses a variable key length up to 2,040 bits. RC6, the latest version, uses 128-bit blocks, whereas RC5 uses variable block sizes (32, 64, or 128).

Asymmetric Encryption

Generally: public key = encrypt, private key = decrypt.

Asymmetric algorithms:

  • Diffie-Hellman Developed for use as a key exchange protocol, Diffie- Hellman is used in Secure Sockets Layer (SSL) and IPSec encryption.
  • Elliptic Curve Cryptosystem (ECC) Uses points on an elliptical curve, in conjunction with logarithmic problems, for encryption and signatures. Uses less processing power than other methods, making it a good choice for mobile devices.
  • El Gamal Not based on prime number factoring, this method uses the solving of discrete logarithm problems for encryption and digital signatures.
  • RSA An algorithm that achieves strong encryption through the use of two large prime numbers. Factoring these numbers creates key sizes up to 4,096 bits. RSA can be used for encryption and digital signatures and is the modern de facto standard.

Hash algorithms:

  • MD5 (Message Digest algorithm) Produces a 128-bit hash value output, expressed as a 32-digit hexadecimal.
  • SHA-1 Developed by the NSA (National Security Agency), SHA-1 produces a 160-bit value output, and was required by law for use in U.S. government applications.
  • SHA-2 Developed by the NSA, actually holds four separate hash functions that produce outputs of 224, 256, 384, and 512 bits.

Trust Models

  • web of trust, multiple entities sign certificates for one another.
  • single authority system has a CA at the top that creates and issues certs. Users trust each other based on the CA itself.
  • hierarchical trust system also has a CA at the top (which is known as the root CA), but makes use of one or more intermediate CAs underneath it— known as registration authorities (RAs)—to issue and manage certificates.

Cryptography Attacks:

  • Known plaintext attack In this attack, the hacker has both plaintext and corresponding ciphertext messages—the more, the better. The plaintext copies are scanned for repeatable sequences, which are then compared to the ciphertext versions. Over time, and with effort, this can be used to decipher the key.
  • Ciphertext-only attack In this attack, the hacker gains copies of several messages encrypted in the same way (with the same algorithm). Statistical analysis can then be used to reveal, eventually, repeating code, which can be used to decode messages later on.
  • Replay attack Most often performed within the context of a man-in-the- middle attack. The hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel. The attacker doesn’t really have to know the actual data (such as the password) being exchanged, he just has to get the timing right in copying and then replaying the bit stream. Session tokens can be used in the communications process to combat this attack.

A digital certificate is an electronic file that is used to verify a user’s identity, providing non-repudiation throughout the system.

  • Version This identifies the certificate format.. The most common version in use is 1.
  • Serial Number Fairly self-explanatory, the serial number is used to uniquely identify the certificate itself.
  • Subject Whoever or whatever is being identified by the certificate.
  • Algorithm ID (or Signature Algorithm) Shows the algorithm that was used to create the digital signature.
  • Issuer Shows the entity that verifies the authenticity of the certificate. The issuer is the one who creates the certificates.
  • Valid From and Valid To These fields show the dates the certificate is good through.
  • Key Usage Shows for what purpose the certificate was created.
  • Subject’s Public Key A copy of the subject’s public key is included in the digital certificate.
  • Optional fields These fields include Issuer Unique Identifier, Subject Alternative Name, and Extensions.

Reconnaissance:

FOR ECCouncil Vulnerability Research is part of the reconnaissance.

Difference in definition between reconnaissance and footprinting:

For many, recon is more of an overall, over-arching term for gathering information on targets, whereas footprint- ing is more of an effort to map out, at a high level, what the landscape looks like. They are interchangeable terms in CEH parlance, but if you just remember that footprinting is part of reconnaissance.

 

DNS is using port 53; Name lookups generally use UDP, whereas zone transfers use TCP.

DNS record types:

  • SRV- Service Defines the host name and port number of servers providing specific services, such as a Directory Services server.
  • SOA – Start Of Authority This record identifies the primary name server for the zone.The SOA record contains the host name of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.
  • PTR – Pointer Maps an IP address to a host name (providing for reverse DNS lookups).You don’t absolutely need a PTR record for every entry in your DNS namespace, but these are usually associated with e-mail server records.
  • NS – Name Server This record defines the name servers within your namespace.These servers are the ones that respond to your clients’ requests for name resolution.
  • MX -Mail Exchange This record identifies your e-mail servers within your domain.
  • CNAME – Canonical Name This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.
  • A – Address This record maps an IP address to a host name, and is used most often for DNS lookups.

DNS Footprinting tools: whois, nslookup, dig

Scanning and Enumeration

Relevant ICMP Message Types

  • 0: Echo Reply – Answer to a Type 8 Echo Request
  • 3: Destination Unreachable

Error message indicating the host or network cannot be reached.

Codes:

0—Destination network unreachable

1—Destination host unreachable

6—Network unknown

7—Host unknown

9—Network administratively prohibited 10—Host administratively prohibited

13—Communication administratively prohibited

  • 4: Source Quench A congestion control message
  • 5: Redirect Sent when there are two or more gateways available for the sender to use, and     the best route available to the destination is not the configured default gateway.

Codes:

0—Redirect datagram for the network

1—Redirect datagram for the host

  • 8: ECHO Request A ping message, requesting an Echo reply
  • 11:Time Exceeded The packet took too long to be routed to the destination (Code 0 is TTL expired).

The port numbers range from 0 to 65,535 and are split into three different groups:

  • Well-known: 0–1023
  • Registered: 1024–49151
  • Dynamic: 49152–65535

Some of the more important well-known port numbers to remember are:

  • FTP (20/21)
  • Telnet (23)
  • SMTP (25)
  • DNS (53),
  • POP3 (110)
  • NetBIOS (137–139)
  • SNMP (161/162)

The TCP header flags are:

  • URG (Urgent) When this flag is set, it indicates the data inside is being sent out of band.
  • ACK (Acknowledgment) This flag is set as an acknowledgment to SYN flags. This flag is set on all segments after the initial SYN flag.
  • PSH (Push) This flag forces delivery of data without concern for any buffering.
  • RST (Reset) This flag forces a termination of communications (in both directions).
  • SYN (Synchronize) This flag is set during initial communication establishment. It indicates negotiation of parameters and sequence numbers.
  • FIN (Finish) This flag signifies an ordered close to communications.

Nmap is the de-facto tool for footprinting networks. It is capable of finding live hosts, access points, fingerprinting

operating systems, and verifying services. It also has important IDS evasion capabilities.

nmap <scan options> <target>

-sA ACK scan

-sI FIN scan

-sL IDLE scan

-sN DNS scan

-sO NULL scan

-sP Ping scan

-sR RPC scan

-sS SYN scan

-sT TCP connect scan

-sW Window scan

-sX XMAS tree scan

-PI ICMP ping

-Po No ping

-PS SYN ping

-PT TCP ping

-oN normal output

-oX XML output

-T0 slowest – T4 fastest

Seven generic scan types for port scanning:

  • TCP Connect Runs through a full connection (three-way handshake) on all ports. Easiest to detect, but possibly the most reliable. Open ports will respond with a SYN/ACK, closed ports with a RST/ACK.
  • SYN Known as a “half-open scan.” Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place). Open ports will respond with a SYN/ACK, closed ports with a RST/ACK.
  • FIN scans run the communications setup in reverse, sending a packet with the FIN flag set. Closed ports will respond with RST, whereas open ports won’t respond at all.
  • XMAS A Christmas scan is so named because the packet is sent with multiple flags (FIN, URG, and PSH) set. Closed ports will respond with RST, whereas open ports won’t respond at all
  • ACK Used mainly for Unix/Linux-based systems. Open ports will send RST, closed ports, no answer
  • IDLE Uses a spoofed IP address to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan.
  • NULL Almost the opposite of the XMAS scan. The NULL scan sends packets with no flags set. Responses will vary, depending on the OS and version, but NULL scans are designed for Unix/Linux machines.

War dialing is a process by which an attacker dials a set of phone numbers specifi- cally looking for an open modem.

War driving used to refer to, quite literally, driving around in a car looking for open access points. In the ethical hacking realm, it still indicates a search for open WAP

Simple Network Management Protocol was designed to manage IP-enabled devices across a network. As a result, if it is in use on the subnet, you can find out loads of information with properly formatted SNMP requests. Later versions of SNMP make this a little more difficult, but plenty of systems out there are still using the protocol in version 1.

Sniffers and Evasion

All Peoples Seems To Need Data Processing – mnemonic phrase to remember the layers.

  • ISO/OSI layers

Application – data

Presentation – data

Session   – data

Transport – segment

Network – packet

Data     -frames

Physical – byes

ISO/OSI to TCP/IP mapping(3 1 1 2)

  • TCP/IP Model layers

Application

Transport

Internet

Network Access

The MAC address that is burned onto a NIC is actually made of two sections.The first half of the address, 3 bytes (24 bits), is known as the Organizational Unique Identifier, and is used to identify the card manufacturer.The second half is a unique number burned in at manufacturing, to ensure no two cards on any given subnet will have the same address.

MAC Spoofing Set the MAC address of a NIC to the same value as another

MAC Flooding Overwhelm the CAM (content addressable memory) table of the switch so it coverts to hub mode

ARP Poisoning Inject incorrect information into the ARP caches of two or more endpoints.

 

Snort rule:

alert tcp !HOME_NET any -> $HOME_NET 31337 (msg :"BACKDOOR ATTEMPT-Backorifice")

If you happen to come across a packet from any address that is not my home network, using any source port, intended for an address within my home network on port 31337, alert me with the message ‘BACKDOOR ATTEMPT-Back- orifice.’”

Span port = port mirroring

False negative – when an IDS reports a particular stream as clean but it’s not

Wireshark display filters

Display filters work basically like: proto.field operator value

Analyse the following examples:

tcp.flags == 0x29
ip.addr != 192.168.1.1
tcp.port eq 25 or icmp
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
http.request.uri matches "login.html"

Tcpdump syntax:

tcmdump flag(s) interface

Attacking a System

EC-Council rules for the passwords:

  • The password must not contain any part of the user’s name. For example, a password of “[email protected]!” wouldn’t work for the CEH exam, because you can clearly see my name there.
  • The password must have a minimum of eight characters. Eight is okay. Nine is better. Seven? Not so good.
  • The password must contain characters from at least three of the four major components of complexity—that is, special symbols (such as @&*#$), uppercase letters, lowercase letters, and numbers. [email protected] contains all four, whereas use8chars uses only two.

LM Hashing – 7 spaces hashed = AAD3B435B51404EE

Four main attack types are defined within CEH.

  • passive online attack basically amounts to sniffing a wire in the hopes of either intercepting a password in clear text or attempting a replay or man-in- the-middle (MITM) attack.
  • active online, occurs when the attacker begins simply trying passwords—guessing them, for lack of a better word
  • offline attacks occur when the hacker steals a copy of the password file (remember our discussion on the SAM file earlier?) and works the cracking efforts on a separate system.
  • non-electronic = the social engineering.

sidejacking. The idea is to steal the cookies exchanged between two systems and ferret out which one to use as a replay-style attack

Social Engineering and Physical Security

Human-Based Attacks

  • Dumpster diving
  • Impersonation
  • Technical support
  • Shoulder surfing
  • Tailgating and piggybacking

Computer-Based Attacks

  • phishing.

Types of Social Engineers

  • Insider Associates Have limited authorized access, and escalate privileges from there.
  • Insider Affiliates Are insiders by virtue of an affiliation, they spoof the identity of the insider.
  • Outsider Affiliates Are nonͲtrusted outsiders that use an access point that was left open.

Physical Security

Three major categories of physical security measures:

  • Physical measures include all the things you can touch, taste, smell, or get shocked by. For example, lighting, locks, fences, and guards with Tasers are all physical measures.
  • Technical measures are a little more com- plicated. These are measures taken with technology in mind, to protect explicitly at the physical level. For example, authentication and permissions may not come across as phys- ical measures, but if you think about them within the context of smart cards and bio- metrics, it’s easy to see how they should become technical measures for physical security.
  • Operational measures are the policies and procedures you set up to enforce a security-minded operation.

Web-Based Hacking

This dot-dot-slash attack is also known as a variant of “Unicode” or unvalidated input attack.

SQL injection attacks types:

  • Union query The thought here is to make use of the UNION command to return the union of your target database with one you’ve crafted to steal data from it.
  • Tautology An overly complex term used to describe the behavior of a database system when deciding whether or not a statement is true. Because user IDs and passwords are often compared, and the “true” measure allows access, if you trick the database by providing something that is already true (1 does, indeed, equal 1), then you can sneak by.
  • Blind SQL injection This occurs when the attacker knows the database is susceptible to injection, but the error messages and screen returns don’t come back to the attacker. Because there’s a lot of guesswork and trial and error, this attack takes a long while to pull off.
  • Error-based SQL injection This isn’t necessarily an attack so much as an enumeration technique. The objective is to purposely enter poorly constructed statements in an effort to get the database to respond with table names and other information in its error messages.

The buffer overflow attack categories are as follows:

  • Stack This idea comes from the basic premise that all program calls are kept in a stack and executed in order. If you affect the stack with a buffer overflow, you can perhaps change a function pointer or variable to allow code execution.
  • Heap Also referred to as heap overflow, this attack takes advantage of the memory “on top of” the application, which is allocated dynamically at runtime. Because this memory usually contains program data, you can cause the application to overwrite function pointers.
  • NOP Sled A NOP sled makes use of a machine instruction called “no-op.” In the attack, a hacker sends a large number of NOP instructions into the buffer, appending command code instruction at the end. Because this attack is so common, most IDSs protect against it.

Dangerous Functions for buffer overflows

The following functions are dangerous because they do not check the size of the destination buffers:

gets()

strcpy()

strcat()

printf()

Wireless Network hacking

802.11 Specifications

Spec   Distance Speed Freq

802.11a 30M     54Mbps   5Ghz

802.11b 100M   11Mbps 2.4Ghz

802.11g 100M   54Mbps 2.4Ghz

802.11n 125M   100Mbps+ 2.4Ghz, 5Ghz

 

WEP Uses RC4 for the stream cipher with a 24b initialization vector

Key sizes are 40b or 104b

WPA Uses RC4 for the stream cipher but supports longer keys; 48 bits IV

WPA/TKIP Changes the IV with each frame and includes key mixing

WPA2 Uses AES as the stream cipher and includes all the features of TKIP; 48 bits IV.

 

Rogue APs (evil twins) may also be referenced as a “mis- association” attack.

 

Bluetooth attackes :

Bluesmacking is simply a denial-of-service attack against a device.

Bluejacking consists of sending unsolicited messages to, and from, mobile devices.

Bluesniffing is exactly what it sounds like, and, finally.

Bluescarfing is the actual theft of data from a mobile device.

Trojans and Other Attacks

Windows will automatically run everything located in Run, RunServices, RunOnce, and RunServicesOnce

Virus types:

  • Boot sector virus Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first. They’re almost impossible to get rid of once you get infected. You can re-create the boot record—old-school fdisk or mbr could do the trick for you—but it’s not necessarily a walk in the park.
  • Shell virus Working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s. Every time the application is run, the virus code is run first.
  • Multipartite virus Attempts to infect both files and the boot sector at the same time. This generally refers to a virus with multiple infection vectors. This link describes one such DOS-type virus: http://www.f-secure.com/v-descs/ neuroqui.shtml. It was multipartite, polymorphic, retroviral, boot sector, and generally a pretty wild bit of code.
  • Macro virus Usually written with VBA (Visual Basic for Applications), this virus type infects template files created by Microsoft Office—normally Word and Excel. The Melissa virus was a prime example of this.
  • Polymorphic code virus This virus mutates its code using a built-in polymorphic engine. These viruses are very difficult to find and remove because their signatures constantly change.
  • Metamorphic virus This virus type rewrites itself every time it infects a new file.

DOS attack types:

  • SYN attack The hacker will send thousands upon thousands of SYN packets to the machine with a false source IP address. The machine will attempt to respond with a SYN/ACK but will be unsuccessful (because the address is false). Eventually, all the machine’s resources are engaged and it becomes a giant paperweight.
  • SYN flood In this attack, the hacker sends thousands of SYN packets to the target, but never responds to any of the return SYN/ACK packets. Because there is a certain amount of time the target must wait to receive an answer to the SYN/ACK, it will eventually bog down and run out of available connections.
  • ICMP flood Here, the attacker sends ICMP Echo packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.
  • Application level A simple attack whereby the hacker simply sends more “legitimate” traffic to a web application than it can handle, causing the system to crash.
  • Smurf The attacker sends a large number of pings to the broadcast address of the subnet, with the source IP spoofed to that of the target. The entire subnet will then begin sending ping responses to the target, exhausting the resources there. A fraggle attack is similar, but uses UDP for the same purpose.
  • Ping of death In the ping of death, an attacker fragments an ICMP message to send to a target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system.

(My) CISSP Notes – Access control

Note: This notes were made using the following books: “CISPP Study Guide” and “CISSP for dummies”.

The purpose of access control is to allow authorized users access to appropriate data and deny access to unauthorized users and the mission and purpose of access control is to protect the confidentiality, integrity, and availability of data. Access control is performed by implementing strong technical, physical and administrative measures. Access control protect against threats such as unauthorized access, inappropriate modification of data, loss of confidentiality.

Basic concepts of access control

CIA triad and his opposite (DAD) – see (My) CISSP Notes – Information Security Governance and Risk Management

A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well. A Dynamic Link Library file or a Perl script that updates database files with new information is also a subject.

An object is any passive data within the system. Objects can range from databases to text files. The important thing remember about objects is that they are passive within the system. They do not manipulate other objects.

Access control systems provide three essential services:

  • Authentication – determines whether a subject can log in.
  • Authorization – determines what an subject can do.
  • Accountability – describes the ability to determine which actions each user performed on a system.

Access control models

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) gives subjects full control of objects they have been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data.

Standard UNIX and Windows operating systems use DAC for filesystems.

  • Access control list (ACLs) provides a flexible method for applying discretionary access controls. An ACL lists the specific rights and permissions that are assigned to a subject fora given object.
  • Role-Based Access Control (RBAC) is another method for implementing discretionary access controls. RBAC defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual.

Major disadvantages of DAC include:

  • lack of centralized administration.
  • dependence of security-conscious resource owners.
  • difficult auditing because of the large volume of log entries that can be generated.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is system-enforced access control based on subject’s clearance and object’s labels. Subjects and Objects have clearances and labels, respectively, such as confidential, secret, and top secret.

A subject may access an object only if the subject’s clearance is equal to or greater than the object’s label. Subjects cannot share objects with other subjects who lack the proper clearance, or “write down” objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.

In MAC, the system determines the access policy.

Common MACs models includes Bell-La Padula, Biba, Clark-Wilson; for more infos about these models please see : (My) CISSP Notes – Security Architecture and Design .

Major disadvantages of MAC control techniques include:

  • lack of flexibility.
  • difficulty in implementing and programming.

Access control administration

An organization must choose the type of access control model : DAC or MAC. After choosing a model, the organization must select and implement different access control technologies and techniques. What is left to work out is how the organization will administer the access control model. Access control administration comes in two basic flavors: centralized and decentralized.

Centralized access models systems maintains user account information in a central location. Centralized access control systems allow organizations to implement a more consistent, comprehensive security policy, but they may not be practical in large organizations.

Exemples  of centralized access control systems and protocols commonly used for authentication of remote users:

  • LDAP
  • RAS – Remote Access Service servers utilize the Point-to-Point Protocol (PPP) to encapsulate IP packets. PPP incorporates the following three authentication protocols: PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), EAP (Extensible Authentication Protocol).
  • RADIUS – The Remote Authentication Dial In User Service protocol is a third-party authentication system. RADIUS is described in RFCs 2865 and 2866, and uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting).
  • Diameter is RADIUS’ successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. RADIUS provides limited accountability, and has problems with flexibility, scalability, reliability, and security. Diameter also uses Attribute Value Pairs, but supports many more: while RADIUS uses 8 bits for the AVP field (allowing 256 total possible AVPs), Diameter uses 32 bits for the AVP field (allowing billions of potential AVPs). This makes Diameter more flexible, allowing support for mobile remote users, for example.
  • TACACS -The Terminal Access Controller Access Control System is a centralized access control system that requires users to send an ID and static (reusable) password for authentication. TACACS uses UDP port 49 (and may also use TCP).

Decentralized access control allows IT administration to occur closer to the mission and operations of the organization. In decentralized access control, an organization spans multiple locations, and the local sites support and maintain independent systems, access control databases, and data. Decentralized access control is also called distributed access control.

Access control defensive categories and types

Access control is achieved throughout an entire et of control which , identified by purpose, include;

  • preventive controls, for reducing risks.
  • detective controls, for identifying violations and incidents.
  • corrective controls, for remedying violations and incidents.
  • deterrent controls, for discouraging violations.
  • recovery controls, for restoring systems and informations.
  • compensating controls, for providing alternative ways of achieving a task.

These access control types can fall into one of three categories: administrative, technical, or physical.

  1. Administrative (also called directive) controls are implemented by creating and following organizational policy, procedure, or regulation.
  2. Technical controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system.
  3. Physical controls are implemented with physical devices, such as locks, fences, gates, security guards, etc.

Preventive controls prevents actions from occurring.

Detective controls are controls that alert during or after a successful attack.

Corrective controls work by “correcting” a damaged system or process. The corrective access control typically works hand in hand with detective access controls.

After a security incident has occurred, recovery controls may need to be taken in order to restore functionality of the system and organization.

The connection between corrective and recovery controls is important to understand. For example, let us say a user downloads a Trojan horse. A corrective control may be the antivirus software “quarantine.” If the quarantine does not correct the problem, then a recovery control may be implemented to reload software and rebuild the compromised system.

Deterrent controls deter users from performing actions on a system. Examples include a “beware of dog” sign:

A compensating control is an additional security control put in place to compensate for weaknesses in other controls.

Here are more clear-cut examples:

Preventive

  • Physical: Lock, mantrap.
  • Technical: Firewall.
  • Administrative: Pre-employment drug screening.

Detective

  • Physical: CCTV, light (used to see an intruder).
  • Technical: IDS.
  • Administrative: Post-employment random drug tests.

Deterrent

  • Physical: “Beware of dog” sign, light (deterring a physical attack).
  • Administrative: Sanction policy.

Authentication methods

A key concept for implementing any type of access control is controlling the proper authentication of subjects within the IT system.

There are three basic authentication methods:

  • something you know – requires testing the subject with some sort of challenge and response where the subject must respond with a knowledgeable answer.
  • something you have – requires that users posses something, such as a token, which proves they are an authenticated user.
  • something you are – is biometrics, which uses physical characteristics as a means of identification or authentication.
  • A fourth type of authentication is some place you are – describes location-based access control using technologies such as the GPS, IP address-based geo location. these controls can deny access if the subject is in incorrect location.

Biometric Enrollment and Throughput

Enrollment describes the process of registering with a biometric system: creating an account for the first time.

Throughput describes the process of authenticating to a biometric system.

Three metrics are used to judge biometric accuracy:

  • the False Reject Rate (FRR) or Type I error- a false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized.
  • the False Accept Rate (FAR) or Type II error- a false acceptance occurs when an unauthorized subject is accepted as valid.
  • the Crossover Error Rate (CER) –  describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
Use CER to compare FAR and FRR

Use CER to compare FAR and FRR

Types of biometric control

Fingerprints are the most widely used biometric control available today.

A retina scan is a laser scan of the capillaries which feed the retina of the back of the eye.

An iris scan is a passive biometric control. A camera takes a picture of the iris (the colored portion of the eye) and then compares photos within the authentication database.

In hand geometry biometric control, measurements are taken from specific points on the subject’s hand: “The devices use a simple concept of measuring and recording the length, width, thickness, and surface area of an individual’s hand while guided on a plate.”

Keyboard dynamics refers to how hard a person presses each key and the rhythm by which the keys are pressed.

Dynamic signatures measure the process by which someone signs his/her name. This process is similar to keyboard dynamics, except that this method measures the handwriting of the subjects while they sign their name.

A voice print measures the subject’s tone of voice while stating a specific sentence or phrase. This type of access control is vulnerable to replay attacks (replaying a recorded voice), so other access controls must be implemented along with the voice print.

Facial scan technology has greatly improved over the last few years. Facial scanning (also called facial recognition) is the process of passively taking a picture of a subject’s face and comparing that picture to a list stored in a database.

Access control technologies

There are several technologies used for the implementation of access control.

Single Sign-On (SSO) allows multiple systems to use a central authentication server (AS). This allows users to authenticate once, and then access multiple, different systems.

SSO is an important access control and can offer the following benefits:

  • Improved user productivity.
  • Improved developer productivity – SSO provides developers with a common authentication framework.
  • Simplified administration.

The disadvantages of SSO are listed below and must be considered before implementing SSO on a system:

  • Difficult to retrofit.
  • Unattended desktop. For example a malicious user could gain access to user’s resources if the user walks away from his machine and leaves in log in.
  • Single point of attack .

SSO is commonly implemented by third-party ticket-based solutions including Kerberos, SESAME or KryptoKnight.

Kerberos is a third-party authentication service that may be used to support Single Sign-On. Kerberos uses secret key encryption and provides mutual authentication of both clients and servers. It protects against network sniffing and replay attacks.

Kerberos has the following components:

  • Principal: Client (user) or service
  • Realm: A logical Kerberos network
  • Ticket: Data that authenticates a principal’s identity
  • Credentials: a ticket and a service key
  • KDC: Key Distribution Center, which authenticates principals
  • TGS: Ticket Granting Service
  • TGT: Ticket Granting Ticket
  • C/S: Client Server, regarding communications between the two

Kerberos provides mutual authentication of client and server.Kerberos mitigates replay attacks (where attackers sniff Kerberos credentials and replay them on the network) via the use of timestamps.

The primary weakness of Kerberos is that the KDC stores the plaintext keys of all principals (clients and servers). A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm. The KDC and TGS are also single points of failure.

SESAME is Secure European System for Applications in a Multi-vendor Environment, a single sign-on system that supports heterogeneous environments.

“SESAME adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation.”20 Of those improvements, the addition of public key (asymmetric) encryption is the most compelling. It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys.

Assessing access control

A number of processes exist to assess the effectiveness of access control. Tests with a narrower scope include penetration tests, vulnerability assessments, and security audits.

Penetration tests

Penetration tests may include the following tests:

  • Network (Internet)
  • Network (internal or DMZ)
  • Wardialing
  • Wireless
  • Physical (attempt to gain entrance into a facility or room)

A zero-knowledge (also called black box) test is “blind”; the penetration tester begins with no external or trusted information, and begins the attack with public information only.

A full-knowledge test (also called crystal-box) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers.

Penetration testers use the following methodology:

  • Planning
  • Reconnaissance
  • Scanning (also called enumeration)
  • Vulnerability assessment
  • Exploitation
  • Reporting

Vulnerability testing

Vulnerability scanning (also called vulnerability testing) scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching. A vulnerability testing tool such as Nessus (http://www.nessus.org) or OpenVAS (http://www.openvas.org) may be used to identify the vulnerabilities.

Security audit

A security audit is a test against a published standard. Organizations may be audited for PCI (Payment Card Industry) compliance, for example. PCI includes many required controls, such as firewalls, specific access control models, and wireless encryption.

Security assessments

Security assessments view many controls across multiple domains, and may include the following:

  • Policies, procedures, and other administrative controls
  • Assessing the real world-effectiveness of administrative controls
  • Change management
  • Architectural review
  • Penetration tests
  • Vulnerability assessments
  • Security audits