Uncategorized

26 Jul Privileged Account Management and Monitoring

Posted at 16:49h in Uncategorized by Mike Chapple 1 Comment

System and network administrators require a privileged account to perform higher-level activities within a network. These activities include changing settings, working with logs, provisioning new accounts, or managing sensitive datasets. These accounts require careful control and monitoring due to their ability to cause significant harm to the organization if used maliciously. The nature of this risk means that organizations must take steps to monitor the activities of privileged users to watch for signs of compromise or misuse. Additionally, IT leaders should ensure that their organizations issue privileged accounts in a very conservative manner and carefully control the privileges assigned to those accounts. Privileged Account Monitoring Organizations should design careful monitoring practices around their existing privileged accounts. First, they should watch for signs of account compromise. For example, you might want to create rules in your security information and event management (SIEM) systems that watch for: Privileged account use at unusual times or from unusual locations Simultaneous logins from disparate locations Unexpected increases in privileged account utilization Abnormal actions by privileged users In addition to watching for indications that a privileged account is compromised, organizations should also monitor the activities of authorized users for signs of misuse. For example, auditing systems might red flag the following activities: Deletion of log files or other audit trails Restoration of backups of sensitive systems Access to highly sensitive information that doesn’t match job responsibilities Modifying security settings SIEMs often include rulesets that provide a good starting point for these activities, but security analysts should craft and tune these rules to meet the specific needs of their organizations. Least Privilege and Separation of Duties Another way to protect against the abuse of privileged accounts is by following the principle of least privilege. This requires two separate actions. First, organizations should limit the assignment of privileged accounts to individuals who absolutely need them. Second, organizations should restrict the permissions assigned to those accounts to the minimum set necessary to perform an individual’s job. In practice, least privilege can be difficult to implement and manage. It’s far easier to simply give wide-ranging privileges to everyone in the IT department. This approach does require additional thought to implement and maintain, but it dramatically reduces the risk to the organization should a privileged account become compromised. Another key principle is separation of duties. This idea helps businesses in terms of auditability and in terms of keeping the network secure. The idea is that different privileged accounts can have different sets of privileges, and when these overlap less, there's less of a threat of someone really doing intensive damage inside the system. For example, if one person is responsible for approving new user accounts and another person is responsible for creating them, no one person can single-handedly create a new user, reducing the likelihood of fraud. Privileged accounts are a critical point of risk for organizations of all sizes and across industries. Security teams should take the time to assess their current privileged account management practices and make sure that they align with these best practices....

17 Jul Hash Functions

Posted at 15:28h in Uncategorized by Ralph Heymsfeld 0 Comments

Hash functions are a class of mathematical algorithms that take any digital data as input and generate an encoded value as output. These methods have many uses in computer science with some critically important security applications. Hash functions are used to help authenticate the source and integrity of files and to generate digital signatures. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of how hash functions can help protect systems, basic hashing terminology and the common algorithms that may be encountered. While it will not be necessary to know the inner workings of hash functions, you will need a high level understanding of the properties of hash functions and why some hash functions are more appropriate than others for security applications. The Message and Message Digest The input to the hash function is commonly called the message. The message can be any digital data including text, images, audio, and even very large program files. The output of the hash function is often called the message digest but be aware that there are many other names for the message digest, sometimes based on the way the hash function is being used. Common alternate terms include hash, hash value, hash total, CRC, fingerprint, checksum, and digital ID. How Hash Functions Are Used Perhaps the easiest way to begin understanding how hash functions work is to consider a few hashing examples. Below, we apply a standard security hashing algorithm called SHA-256 to three sentences: 1) Humpty Dumpty sat on a wall: 1b9ed7aa6346ee2c6e0faf0f75997b9308916160239b1844e7a77bee183f355d 2) Mary had a little lamb: efe473564cb63a7bf025dd691ef0ae0ac906c03ab408375b9094e326c2ad9a76 3) Mary had a little lomb: 94c6af4c0b5d493181a0a762b9023b90b295fbad1e28a6f1616a4af59209ba7c At a glance we can identify two characteristics of a security grade hash function. First, regardless of the length of the input, the output of the hash function is a fixed length. Second, a minor change in the input will produce a significant change in the output. Examples 2 and 3 differ by a single character (lamb vs lomb), but the outputs are completely different. Hash functions provide a quick, easy and reliable method to verify the integrity of a message. Suppose, for example, that an important software patch was available for system administrators to download from a website and run on their servers. If the software publisher also provided a message digest, the administrators could run the patch through the hash function after downloading to ensure that the patch had not been infected with malware or been otherwise corrupted. The Characteristics of Cryptographic Hash Functions While there are many hashing algorithms, not all of them are well suited for security purposes. The subset of hash functions that are suitable for security use are called cryptographic hash functions. The ideal cryptographic hash function meets the following basic requirements: It accepts a message of any length It produces a fixed-length message digest It is easy (and therefore fast) to compute the message digest for any given message The hash is irreversible - it is not possible to generate a message from its message digest A small change in a message should generate large changes in the message value The hash is collision free, meaning it is not feasible that two different messages would result in the same hash value Common Hashing Algorithms Over the years, numerous hashing algorithms have been introduced and recommended for security purposes. Some algorithms have gone out-of-favor after weaknesses have been identified. The exam will expect you to be familiar with current algorithms, along with some of the older ones. It is recommended that you review the following descriptions and pay particular attention to the length of the message digest for each algorithm. Secure Hash Algorithm (SHA-1) Designed by the U.S. Government (National Security Agency). Produces a 160-bit message digest. Went out of favor because of possible collisions. Secure Hash Algorithm (SHA-2, SHA-3) SHA-2 replaced SHA-1 and includes a set of variants - SHA-224, SHA-256, SHA-384, and SHA-512. The number in the variant indicates the length of the digest. SHA-224 has a 224-bit message digest, and so on. SHA-3 was introduced in 2015 as a “drop in replacement” for SHA-2. It includes the same variants. Message Digest 5 (MD5) MD5 and its predecessors MD2 and MD4 produce 128-bit digests. These algorithms are no longer recommended due to detected vulnerabilities. Message Digest 6 (MD6) Developed in 2008 to replace MD5 and earlier MD types. Produces variable length message digests up to 512-bits. Hash of Variable Length (HAVAL) A similar algorithm to MD5 that produces variable length digests of 128, 160, 192, 224 or 256-bits. HAVAL is vulnerable to collisions. Hash Message Authentication Code (HMAC) Combines a shared key with hashing for an additional layer of security. Produces a variable length message digest. Understanding hash functions is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam...

07 Jul Job Rotation and Mandatory Vacations

Posted at 17:57h in Uncategorized by Ralph Heymsfeld 0 Comments

Job rotation and mandatory vacation policies are two security best practices that help to prevent employee fraud and abuse. Both of these practices discourage fraud and other abuses because employees know another person will be soon be assuming their duties and the new person would be likely to discover any patterns of bad behavior. Although job rotation and mandatory vacations are often thought of as human resources policies, they must also be considered in their IT security context where they play a significant role in access control. If you are studying for a security certification exam you will need to understand how the policies are defined and their importance in the security framework. Job Rotation A policy that compels employees to rotate into different jobs, or at least rotate some of their duties, has many benefits for the employee and the organization. Employees are less likely to become stale or “burned out” in their positions and will become enriched by learning new skills. Also, by cross-training the staff, no business critical skills are limited to a single person and the organization is better able to cope with injury, illness and employee turnover. Routine job rotation is a powerful fraud deterrent and helps prevent other misdeeds such as sabotage and information misuse as well. It is much harder for a fraudster to cover their tracks if another employee will be stepping into their shoes. The same logic makes job rotation useful in detecting fraud once it has occurred, and even finding innocent mistakes as the next employee transitions into the role with a fresh set of eyes. Of course, no solution is perfect and job rotation can also expose a company to risk. As an employee learns additional roles in the organization and the procedures associated with those roles, that employee is more likely to discover vulnerabilities to be exploited. Job rotation policies place a responsibility on IT security staff to ensure that the principle of least privilege is maintained. As employees transition through multiple roles and are assigned new duties, they are likely to be granted additional system privileges. Left unchecked, they will almost certainly accumulate more privileges than they need to perform their current duties. This accumulation of excess privileges is called privilege creep. To counter privilege creep it is important to periodically review the privileges and other access rights of rotating employees and remove rights that are no longer needed to do their jobs. Mandatory Vacations Mandatory vacation policies have a fraud deterrent purpose similar to job rotation. Many companies will have a policy of requiring employees in sensitive positions to take mandatory vacations of five or ten consecutive business days. These policies are particularly common in the finance industry where complex embezzlement and fraud schemes might require the bad actor to take steps daily to cover up the crimes. As with job rotation, the knowledge that another person will be performing their duties and examining their work is often enough to deter the fraudster. If they are undeterred, the mandatory vacation policy makes it more likely they will be caught. It is not uncommon for security conscious organizations to also schedule audits to coincide with mandatory vacations to increase the likelihood of discovering fraud and other crimes. Understanding job rotation and mandatory vacation policies is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....