CSG3309

Protection Mechanisms

Security Technology
Security Controls
 Objectives
• Explain Defense-in-Depth and understand its purpose
• Describe NSA’s Information Assurance model
• Understand the types and categories of different security controls
• Describe Identity Access Managements systems (IAMs) and their
purpose
• Know the difference between discretionary and nondiscretionary
access controls
• Explain the difference between identification, authentication,
authorization and accountability
• List and describe a subset of technical and physical controls that can
be used for the protection of information assets
• Know the difference between symmetric and asymmetric encryption
Introduction

 Security controls improve an organizations ability to protect the

confidentiality, integrity and availability of information
 Defense-in-depth is a security strategy that uses multiple layers
and different types of controls to secure information assets
 Identity Access Management systems. (IAMs) are a configuration
of technologies, business processes, and policies that facilitate
identification management of information systems
 There are a multitude of technical and nontechnical control
products available to protect information assets
Defense in Depth
Requires multiple layers of technologies,
processes, procedures, awareness, and
training

Must focus on attacks from:

• Outside a network (the external environment)
• Trusted systems allowed to connect to the
network, or which may be compromised and
then used to attack the network from the inside
• Coworkers or trusted network or system
administrators (insider threats)
The Protect, Detect, React, Paradigm

NSA’s Information Assurance

and Defense-in-Depth
Conceptual Model

People, technology, and operational security

must be provided to ensure end-to-end
defense
Availability, confidentiality, integrity,
authentication, and nonrepudiation services
are key parts of ability to protect against,
detect, react to, and recover from attacks
 Control Elements
People Operations Technology

Policy and procedure Security policy Security policy

Vetting / security clearance, access Certification, accreditation Architectural standards

control (Personnel security)
Contractual Agreements (hiring and Business continuity Product criteria policy,
termination)

Internal Controls (need-to-know, least Readiness assessments Configuration guidance

privilege, separation of duties)
Physical security (monitoring access) Incident response procedures Risk assessment process for
integrated systems

Education and awareness training Disaster recovery Technological acquisition policy

NIST Cyber Security Framework
NIST Cyber Security Framework provides a framework of security
guidance for how organizations can improve their ability to prevent,
detect and respond to cyber attacks

The five core functions of the framework include:

 Identify: what processes and assets need protection
 Protect: what controls are available to protect assets, digitally and
physically
 Detect: what tools or techniques exist that can identify incidents
 Respond: what techniques can contain impacts of incidents
 Recover: what tools or techniques can restore capability
Types of Controls

three types of security controls:

• Preventative
• Detective
• Responsive

security control categories can include:

• Physical controls (locks, CCTV, alarms, man traps)
• Administrative controls (policy, procedures)
• Operational controls (encryption, security clearance)
• Technical controls (firewalls, access control)
Control Control type NIST CyberSec Framework Prevent, detect, respond

access Control technical protect prevent

security clearance operational protect prevent

business continuity administrative respond respond

plans

encryption technical protect prevent

Table 1: security
Firewalls technical protect /delay detect / prevent controls

physical (locks, fences, physical deter / delay / protect prevent

alarms)

VPN technical protect prevent

intrusion Detection technical detect detect, respond

Security policy administrative deter / protect prevent, respond

SANS Top 20 Critical Security Controls
Inventory of Authorized and Unauthorized
Devices
Inventory of Authorized and Unauthorized
Software
Secure Configurations for Hardware and Software
on Mobile Devices, Laptops, Workstations, and
Servers
Continuous Vulnerability Assessment and
Remediation
Malware Defenses
Application Software Security
Wireless Access Control
Data Recovery Capability
Security Skills Assessment and Appropriate
Training to Fill Gaps
Secure Configurations for Network Devices such
as Firewalls, Routers, and Switches
Limitation and Control of Network Ports,
Protocols, and Services
Controlled Use of Administrative Privileges
Boundary Defense
Maintenance, Monitoring, and Analysis of Audit
Logs
Controlled Access Based on the Need to Know
Account Monitoring and Control
Data Protection
Incident Response and Management
Secure Network Engineering
Penetration Tests and Red Team Exercises
Security Controls
The size and scope of an organisation will likely determine what
framework, method or practice to follow. In this module we will look at
only a subset of controls that can be used for the protection of
information assets.
Prevent Detect Respond
Physical Locks, fences, ID cards, CCTV, alarms Security guards
biometrics
Technical Firewalls, access control, VPN,s Intrusion System patching,
encryption, SIEM, IAM detection firmware updates,
systems quarantine,
(IDPS) honeypots
Administrative Hiring and termination policies, Policy review, Incident response,
separation of duties, security logs and disaster recover,
clearance audits business continuity
 Technical Controls
IAM and Access Control
Identity Access Management (IAMs)
Configuration of technologies,
business processes, and policies that
facilitates identification management
of electronic identities, this typically
includes authentication and
authorization.
IAM’s ensure the right
people get access to the
right resources at the
right time
IAM Functions and Features
• Identity Federation - BYOID
• Single Sign On (SSO)
• Authentication / Multi-factor
authentication
• Account Management and Provisioning
(profile, preferences)
• Access Control
• API and Microservices security
• Regulation Compliance (GDPR, consent
management)
 Physical Controls
Closed-circuit television (CCTV):
CCTV is a video surveillance
technology that transmits captured
information to a central location or
security operations center (SOC).
• The main purpose is to act as a
deterrent and detect intrusions.
• Can be used as a verification
system for other security
measures.
• Can be single or combination of
systems that may or may not
integrate facial recognition.
Alarms:
Alarms systems can work in combination
with physical barriers, other security
systems or security guards to trigger a
response.
Alarms are typically installed to alert
security personnel when unauthorised
access is attempted or gained. Alarms can
include:
• Perimeter sensors and detection
systems
• Motion sensors, Security lighting
• Fire detectors
• Glass breakage detectors
• Duress alarms
Access Control

Access control:
method by which systems specify who may use a resource and how
they use it.

 Mandatory access controls (MACs): use data classification

schemes
 Nondiscretionary controls: strictly-enforced version of MACs that
are managed by a central authority (role based)
 Discretionary access controls (DACs): implemented at the
discretion of the data user
Access Control
Access Control Approaches
Access Control

NIST promotes attribute-based access controls (ABAC’s)

• Also known as policy-based access control.

• These are characteristics or attributes of a subject such as name, date of birth,
address, job function.

• When combined create a unique identity that distinguish the object from others,
often referred to as subject attributes.
• Becoming more popular than role based access control
Access Control

In general, all access control approaches rely on the following four

mechanisms, which represent the four fundamental functions of access
control systems:

• Identification: I am a user of the system

• Authentication: I can prove I’m a user of the system.
• Authorization: Here’s what I can do with the system.
• Accountability: You can track and monitor my use of the system.
Access Control

1 Identification

2 Authentication

3 Authorisation

AA Accountability
Access Control - Identification
Identification: mechanism whereby an unverified entity that seeks
access to a resource proposes a label by which they are known to the
system

 Supplicant: entity that seeks a resource

 Identifiers can be composite identifiers, concatenating elements-
department codes, random numbers, or special characters to make
them unique
 Some organizations generate random numbers
Access Control - Authentication
Authentication: the process of validating a supplicant’s purported
identity.

Authentication factors
Something a supplicant knows
Password: a private word or combination of characters that
only the user should know
Passphrase: a series of characters, typically longer than a
password, from which a virtual password is derived
• Becoming more popular
Access Control - Authentication (1)
Authentication factors (cont’d.)
• Something a supplicant has
Smart card: contains a computer chip that can verify and
validate information
Synchronous tokens
Asynchronous tokens

• Something a supplicant is
Relies upon individual characteristics
Strong authentication
Access Control – Multi-factor Authentication (2)

Authentication factors (cont’d.)

Multi-factor authentication combines authentication
techniques from two or more categories

• Something you know

• Something you are
• Something you have
• Something you do
• Somewhere you are
Access Control - Authorization

 Authorization: the matching of an authenticated entity

to a list of information assets and corresponding access
levels
 Usually an ACL or Access Control Matrix
 Authorization can be handled in one of three ways
Authorization for each authenticated user
Authorization for members of a group
Authorization across multiple systems
 Authorization tickets, also know as single sign on (SSO)
Access Control - Accountability

 Accountability (auditability): ensures that all actions on a

system—authorized or unauthorized—can be attributed to an
authenticated identity
 Most often accomplished by means of system logs and database
journals, and the auditing of these records
 Systems logs record specific information
 Logs have many uses
Access Control Architectural Models
Access Control Matrix Illustrate access control implementations and can
help organizations quickly make improvements
through adaptation. Models include:
Object Resource (file Resource (printer)
1)
• Trusted computing base (TCB)
User 1 Read / write Read / write • ITSEC: An international set of criteria for evaluating
computer systems
• Bell-LaPadula confidentiality model
User 2 read Read / write • Biba integrity model
Group Read / write / Read / write • Designed to prevent corruption of higher
(payroll) execute integrity entities
• Clark-Wilson integrity model
• Graham-Denning access control model

Composed of set of objects, set of subjects, and set

of rights
Biometrics – authentication/authorization
 Approach based on the use of measurable human characteristics/traits
to authenticate identity.
 automated methods of recognizing a person based on a physiological
or behavioral characteristic
 Only fingerprints, retina of eye, and iris of eye and DNA are considered
truly unique.
 Evaluated on false reject rate, false accept rate, and crossover error
rate.
 Highly reliable/effective biometric systems are often considered
intrusive by users.
Biometric recognition characteristics
Biometric effectiveness and acceptance

Permanenc
Biometrics Universality Uniqueness Collectability Performance Acceptability Circumvention
e

Face H L M H L H L

Facial
H H L H M H H
Thermogram

Fingerprint M H H M H M H

Hand
M M M H M M M
Geometry

Hand Vein M M M M M M H

Eye: Iris H H H M H H H

Low L
Medium M
High H
Biometric effectiveness and acceptance

Universalit
Biometrics Uniqueness Permanence Collectability Performance Acceptability Circumvention
y

Eye: Retina H H M L H L H

DNA H H H L H L L

Odor and Scent H H H L L M L

Voice M L L M L H L

Signature L L L H L H L

Keystroke L L L M L M M

Gait M L L H L H M

Low L
Medium M
High H
Technical Controls
Firewalls
Firewalls

Combination of hardware and software that filters or prevents specific

information from moving between the outside (untrusted) network and
the inside (trusted) network.

May be:
 Separate computer system
 Software service running on existing router or server
 Separate network containing supporting devices
Firewalls

Use and Purpose

 examine traffic entering or passing through a part

of the network
 make decisions about what to let through and
what to deny
Firewalls Processing Modes (1)

Processing modes by which firewalls can be

categorized:

packet filtering
application layer proxy
MAC layer firewalls (stateful)
hybrids
Firewalls Processing Modes (2)
• Packet filtering firewalls - examine header information of data
packets
• Application gateway firewalls - frequently installed on a
dedicated computer, separate from the filtering router; also
known as a proxy server. Commonly used in combination with
packet filtering
• MAC layer firewalls - designed to operate at the media access
control layer of OSI network model
• Hybrid firewalls - combine elements of other types of
firewalls, that is, elements of packet filtering and proxy
services, or of packet filtering firewalls
Sample Firewall Rule and Format

Service (e.g. HTTP, Action (Allow or

Source Address Destination Address
SMTP, FTP) Deny)

172.16x.x 10.10.x.x Any Deny

192.168.x.x 10.10.10.25 HTTP Allow

192.168.0.1 10.10.10.10 FTP Allow

Firewall Types and the OSI Model
Selecting the Right Firewall

When selecting firewall, consider a number of factors:

• What firewall offers right balance between protection and
cost for needs of organization?
• Which features are included in base price and which are
not?
• Ease of setup and configuration? How accessible are staff
technicians who can configure the firewall?
• Can firewall adapt to organization’s growing network?

Second most important issue is cost

 Technical Controls
Content Filters and VPN’s
Content Filters

 Software filter—not a firewall — that allows administrators

to restrict content access from within network
 Essentially a set of scripts or programs restricting user
access to certain networking protocols/Internet locations
 Primary focus to restrict internal access to external material
 Most common content filters restrict users from accessing
non-business web sites or deny incoming span
Virtual Private Networks (VPN)

 Private and secure network connection between systems;

uses data communication capability of unsecured and
public network
 Securely extends organization’s internal network
connections to remote locations beyond trusted network
 Three VPN technologies defined:
• Trusted VPN
• Secure VPN
• Hybrid VPN (combines trusted and secure)
Virtual Private Networks (VPN)

VPN must accomplish:

Encapsulation of incoming and outgoing data
Encryption of incoming and outgoing data
Authentication of remote computer and (perhaps) remote user
as well

VPNs can use two modes

1. Transport
2. Tunnel
Transport Mode VPN
Tunnel Mode VPN
Technical Controls
Encryption
Cryptology Terminology

Algorithm Encipher
Bit stream cipher Encrypt
Block cipher Key/Cryptovariable
Cipher or cryptosystem Keyspace
Ciphertext/Cryptogram Link encryption
Code Plaintext/Cleartext
Decipher Steganography
Decrypt Work factor
Encryption

Cryptology: science of encryption; combines cryptography and

cryptanalysis
 Cryptography: process of making and using codes to secure
transmission of information
 Cryptanalysis: process of obtaining original message from encrypted
message without knowing algorithms
 Encryption: converting original message into a form unreadable by
unauthorized individuals
 Decryption: the process of converting the ciphertext message back
into plaintext
Cipher Methods
Plaintext can be encrypted through
 Bit stream: each plaintext bit transformed into cipher bit,
one bit at a time
 Block cipher: message divided into bit blocks (i.e. 16-bit
blocks) and each is transformed into an encrypted block
of cipher bits using an algorithm and key
Cryptographic Algorithms

Often grouped into two broad categories, symmetric and

asymmetric
• Today’s popular cryptosystems use hybrid combination of
symmetric and asymmetric algorithms
Symmetric and asymmetric algorithms are distinguished by
the type of keys used for encryption and decryption
operations
Symmetric and Asymmetric Encryption
Symmetric use the same key for both encryption and decryption
Encryption
all parties must exchange the key used to encrypt the data
before it can be decrypted

uses two types of algorithms (block and stream)

generally faster and more efficient than asymmetric

Asymmetric Also known as public-key encryption

Encryption
Uses two different but related keys

Either key can encrypt or decrypt message

If Key A encrypts message, only Key B can decrypt

Highest value when one key serves as private key and the other
serves as public key
Encryption Key Power

When using ciphers,

size of the crypto
variable or key is
very important

Strength of many
encryption
applications and
cryptosystems are
measured by key
size
Hash Functions

 Mathematical algorithms that generate message

summary/digest to confirm message identity and confirm no
content has changed
 Hash algorithms: publicly known functions that create hash
value
 Use of keys not required
oMessage authentication code (MAC), however, may be attached to a
message
 Used in password verification systems to confirm identity of
user
Various Hash Values
 Technical Controls
Honeypots and Padded Cell
Systems
Honeypots, Honeynets and Padded Cell Systems (1 of 3)

• Honeypots: decoy systems designed to lure potential

attackers away from critical systems
• Honeynets: several honeypots connected together
on a network segment
• Honeypots are designed to:
– Divert an attacker from accessing critical systems
– Collect information about the attacker’s activity
– Encourage the attacker to stay on a system long enough
for administrators to document the event and perhaps
respond
Honeypots, Honeynet and Padded Cell Systems (2 of 3)

• Padded cell system: protected honeypot that cannot

be easily compromised
• In addition to attracting attackers with tempting
data, a padded cell operates in tandem with a
traditional IDPS
• When the IDPS detects the attackers, padded cell
system seamlessly transfers them to a special
simulated environment where they can cause no
harm—hence the name padded cell
Honeypots, Honeynet and Padded Cell Systems (3 of 3)
Advantages
• Attackers can be diverted to targets
they cannot damage
• Administrators have time to decide
how to respond to an attacker
• Attackers’ actions can be easily and
more extensively monitored, and
records can be used to refine threat
models and improve system
protections
• Honeypots may be effective at
catching insiders who are snooping
around a network
Disadvantages
• Legal implications of using such
devices are not well understood
• Honeypots and padded cells have
not yet been shown to be
generally useful security
technologies
• An expert attacker, once diverted
into a decoy system, may become
angry and launch a more
aggressive attack against an
organization’s systems
• Administrators and security
managers need a high level of
expertise to use these systems
Honeypots
 Technical Controls
Intrusion Detection and
Prevention
Objectives

• Understand what intrusion detection systems are and

why we need them
• Describe network-based and host-based IDPS systems
• Explain the advantages and disadvantages of host-based
and network-based IDPS
• Know the difference between a signature based and
anomaly based IDPS
• Explain how IDPS can be implemented via one of three
basic control strategies
Objectives

• Explain System Information and Event Management

Systems (SIEM) and why we use them
• Understand the benefits of using SIEM software
• List different SIEM software products on the market
• Understand the importance of logging
• Summarise common features offered by SIEM products
• Explore SPLUNK and its features
Introduction

• Protection of organisations assets relies at least as

much on managerial controls as on technical
safeguards.
• Properly implemented technical solutions guided
by policy are essential to an information security
program.
• Advanced technologies can be used to enhance the
security of information assets.
Intrusion Détection System
An intrusion occurs when an attacker attempts to gain entry into an
organization’s information systems.
• Intrusion prevention consists of activities that deter an intrusion.
• Intrusion detection consists of procedures and systems that
identify system intrusions.
• Intrusion reaction encompasses actions an organization
undertakes when intrusion event is detected.
• Many IDPSs enable administrators to configure systems to notify
them directly of trouble via e-mail or pagers.
• Systems can also be configured to notify an external security
service organization of a “break-in.”
IDS Terminology

• Alarm clustering and compaction • Noise

• Alarm filtering • False negative
• Alert/alarm • False positive
• Confidence value • Site policy
• Evasion • Site policy awareness
• False attack stimulus • True attack stimulus
• Tuning
The cyberattack and kill chain

Source: https://countuponsecurity.com/tag/kill-chain/.
Intrusion detection and prevention systems

Figure 7-2 Source: Whitman & Mattord, 2017

Why Use IDPS?
• Intrusion detection:
– Primary purpose to identify and report an intrusion
– Can quickly contain an attack and prevent/mitigate the loss or
damage
– Detect and deal with preambles to attacks
• Data collection allows the organization to examine what happened
after an intrusion and why.
• Serves as a deterrent by increasing the fear of detection.
• Can help management with quality assurance and continuous
improvement.
Types of IDPS

IDPSs operate as network-based or host-based

systems.
• Network-based IDPS focus on protecting network
information assets.
– Wireless IDPS focuses on wireless networks
– Network behavior analysis: IDPS examines traffic flow on a
network in an attempt to recognize abnormal patterns

• Host-based IDPS (HIDPS)

– Resides on a particular computer or server (host) and
monitors activity only on that system
Types of IDPS (NIDPS)

• Network-based IDPS is focused on protecting network

information assets.
• Resides on a computer or device connected to a segment of an
organization’s network; looks for indications of attacks
– When examining packets, an NIDPS looks for attack patterns
within network traffic
– Installed at specific place in the network where it can
monitor traffic going into and out of a particular network
segment
Types of IDPS (NIDPS)

Determines whether attack has occurred/is under way, by

comparing measured activity to known signatures in
knowledge base
Done by using special implementation of TCP/IP stack:
• In the process of protocol stack verification, NIDPSs
look for invalid data packets.
• In the application protocol verification, higher-order
protocols are examined for unexpected packet behavior
or improper use.
OSI Model
Advantages of NIDPS

– Good network design and placement of NIDPS

can enable an organization to monitor a large
network with few devices
– NIDPSs are usually passive and can be deployed
into existing networks with little disruption to
normal network operations
– NIDPSs are not usually susceptible to direct
attack and may not be detectable by attackers
Disadvantages of NIDPS

– Can become overwhelmed by network volume and fail

to recognize attacks
– Require access to all traffic to be monitored
– Cannot analyze encrypted packets
– Cannot reliably ascertain if an attack was successful or
not
– Some forms of attack are not easily discerned by
NIDPSs, specifically those involving fragmented
packets
Functions of NIDPS

• Wireless NIDPS
– Monitors and analyzes wireless network traffic
– Issues associated with it include physical security,
sensor range, access point and wireless switch
locations, wired network connections, cost and
wireless switch locations
• Network behavior analysis systems
– Identify problems related to the flow of traffic
Functions of NIDPS

• Types of events commonly detected

include denial-of-service (DoS) attacks,
scanning, worms, unexpected application
services, and policy violations
• Offer intrusion prevention capabilities that
are both passive and inline
Types of IDPS (HIDPS)

• Host-based IDPS (HIDPS)

– Resides on a particular computer or server (host) and monitors
activity only on that system
– Benchmarks and monitors the status of key system files and
detects when intruder creates, modifies, or deletes files
– Advantage over NIDPS:
can access encrypted information traveling over network and
make decisions about potential/actual attacks
Advantages of HIDPS

– Can detect local events on host systems and detect attacks that
may elude a network-based IDPS
– Functions on host system, where encrypted traffic will have been
decrypted and is available for processing
– Not affected by use of switched network protocols
– Can detect inconsistencies in how applications and systems
programs were used by examining records stored in audit logs
Disadvantages of HIDPS

• Pose more management issues

• Vulnerable both to direct attacks and attacks against
the host operating system
• Does not detect multi-host scanning, nor scanning of
non-host network devices
• Susceptible to some DoS attacks
• Can use large amounts of disk space
• Can inflict a performance overhead on its host systems
Modes of IDPS - signature

IDS systems use two mode of operation, signature

based and anomaly based. Some systems use both
simultaneously
1. Signature-based detection
– Examines network traffic in search of patterns that match known
signatures
– looks at checksums and/or message authentication
– usually quicker
– Widely used because many attacks have clear and distinct signatures
– Problem with this approach is that new attack patterns must
continually be added to the IDPS’s database of signatures
Modes of IDPS - anomaly

2. Anomaly-based, sometimes referred to as behavior

based
– Anomaly-based detection collects statistical summaries by observing
traffic known to be normal
– When measured activity is outside the baseline parameters or clipping
level, IDPS sends an alert to the administrator
– IDPS can detect new types of attacks
– Requires much more overhead and processing capacity than
signature-based detection
– May generate many false positives
IDPS response behaviour

• IDPS response to external stimulation depends on

the configuration and function; many response
options are available.
• IDPS responses can be classified as active or passive.
– Active response: collecting additional information about
the intrusion, modifying the network environment, and
taking action against the intrusion
– Passive response: setting off alarms or notifications, and
collecting passive data through SNMP traps
Selecting IDPS (1 of 2)

• Technical and policy considerations

– What is your systems environment?
– What are your security goals and objectives?
– What is your existing security policy?
• Organizational requirements and constraints
– What requirements are levied from outside the
organization?
– What are your organization’s resource constraints?
Selecting IDPS (2 of 2)

• IDPSs product features and quality

– Is the product sufficiently scalable for your
environment?
– How has the product been tested?
– What user level of expertise is targeted by the
product?
– Is the product designed to evolve as the
organization grows?
– What are the support provisions for the product?
Deployment and Implementation of IDPS

• An IDPS can be implemented via one of three basic

control strategies:
– Centralized: All IDPS control functions are
implemented and managed in a central location.
– Fully distributed: All control functions are applied
at the physical location of each IDPS component.
– Partially distributed: Combines the two; while
individual agents can still analyze and respond to
local threats, they report to a hierarchical central
facility to enable organization to detect widespread
attacks.
Deployment and Implementation IDPS

• IDPS deployment
– Great care must be taken when deciding where to locate
components.
– Planners must select a deployment strategy that is based
on a careful analysis of the organization’s information
security requirements and causes minimal impact.
– NIDPS and HIDPS can be used in tandem to cover the
individual systems that connect to an organization’s
network and the networks themselves.
Deployment and Implementation IDPS

NIST recommends four locations for

NIDPS sensors
Location 1: Behind each external
firewall, in the network DMZ
Location 2: Outside an external
firewall
Location 3: On major network
backbones
Location 4: On critical subnets
Summary

IDPS
• Describe what intrusion detection systems are and
why we need them
• Know the difference between network-based and host-
based IDPS systems
• Know the difference between a signature based and
anomaly based IDPS
• Explain how IDPS can be implemented via one of three
basic control strategies