
Least privilege and separation of duties are two related IT security concepts that are critical in the prevention of fraud and other abuses by employees and other authorized system users. The two principles are part of the broader topic of access control, which addresses how user permissions are restricted to help ensure a secure environment.

Known as insider threats, the list of ways that authorized users can cause mischief is sobering. The crimes include fraud, theft of company secrets, system sabotage and espionage. These are not rare occurrences. The 2017 U.S. State of Cybercrime Survey from Carnegie Mellon University's CERT Division found that 1 in 5 cyber attacks come from insiders. More important, almost half (43%) of survey respondents said that insider attacks were more costly or damaging than outsider attacks.

Least Privilege

The principle of least privilege says that an individual should be given the bare minimum access needed to perform their job functions. Consider a budget analyst who needs to review payroll information to complete a quarterly report. The analyst never needs to make any updates to the payroll data. That employee should have read-only privileges to payroll.

Least privilege is a principle that is applied to both data and system functions. When we think of data privileges, we are typically thinking of the ability to view information (read) and to change information (write), as well as to create and delete records and files.

In today's networks, users access data in many different ways. Some information is stored in files and folders on network drives, with permissions set by system administrators using the operating system tools. Some information will be stored in content management and sharing systems that might have similar functionality to network drives, but permissions are managed using administrative tools provided by the management system itself.

Much of an organization's data is likely to be managed and accessed through software interfaces, such as an accounting or inventory management program. Most organizations use many different programs from a variety of vendors. Each program will have its own security model. One program might enable privileges to be set on individual fields, while another might have privileges set on a screen-by-screen or module basis. In the worst case, a program will offer little or no security and other measures will be required to ensure data integrity.

When we think of system privileges, we are generally talking about activities such as logging in to computers and networks, starting programs, and installing software and hardware. These activities open significant threat vectors, and least privilege should be applied whenever possible.

The opening of a system-level threat might be unintentional on the part of the employee. For example, an employee with privileges to install software on their company-issued laptop could easily introduce malware to the network. If there is no legitimate business need for the employee to have such privileges, such risk cannot be justified.

There are a handful of additional important terms and concepts associated with least privilege.

Entitlement is a term used to refer to both the process of granting users privileges and the scope of those privileges.

Privilege creep, or aggregation, refers to the tendency of users to accumulate privileges over time. Users may gain privileges as job duties change or as they transition to new roles. While not a problem in and of itself, privilege creep can result in users having access to resources they no longer need, which would then violate the principle of least privilege.

Transitive trust refers to a situation in which trust is passed across security objects, granting users privileges that may or may not be intended. It is sometimes expressed as a logic relationship: if A trusts B and B trusts C, then A inherits trust of C. In the opposite case of non-transitive trust, the trust between A and B, and between B and C, does not create the inherited trust, and A does not trust C. The trust models among security objects should be evaluated to ensure least privilege is not violated.

Separation of Duties

The principle of separation of duties says that no user should have all the privileges necessary to complete a critical business function by themselves. Instead, the critical business function should be divided into discrete tasks and the appropriate privilege granted to different users. By requiring the involvement of more than one employee, separation of duties helps prevent fraud and abuse.

Consider the task of adding a new vendor to a purchasing system. Creating fake vendors is a common element of invoicing fraud schemes. Under separation of duties we would want to divide the function into a task to create a new vendor and a task to approve a new vendor, and then assign the tasks to different employees. While it does not prevent fraud completely, separating the task in this way reduces the likelihood of fraud by forcing two or more employees to collude.

Separation of duties is of particular concern to organizations that must comply with the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Sarbanes-Oxley Act (SOX) of 2002. Both of these acts include stringent separation of duties requirements to protect privacy and prevent fraud and other crimes.

Two Person Control

Two-person control, also called dual control, calls for two people to separately approve the completion of a sensitive business function. For example, an accounting system might require two separate managers to both approve the issuance of a check over $25,000. Similarly, a backup system might require the concurrence of two system administrators to completely purge backup data.

Students preparing for exams often confuse the concepts of two-person control and separation of duties. Two-person control requires two people to concur to perform a single action. Separation of duties requires that a single person not have the ability to perform two separate actions which, when combined, might pose a business risk.

Understanding least privilege and separation of duties is an important component of your preparation for a variety of security certification programs. If you're interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....
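The vendor-approval and check-issuance scenarios above, as an added example (not code from the original post): a small Python authorization layer that refuses to grant one user both halves of a critical function, and that requires two distinct managers for checks over $25,000. The user names, privilege names and thresholds are constructed for illustration.

```python
# Added example (not from the original post): a small authorization layer for
# the purchasing scenario. User and privilege names are constructed.

class AuthorizationError(Exception):
    pass


class PurchasingSystem:
    # Separation of duties: these privilege pairs may never be held by one user.
    CONFLICTING = {("vendor.create", "vendor.approve")}
    # Two-person control: checks above this amount need two distinct managers.
    DUAL_CONTROL_THRESHOLD = 25_000

    def __init__(self):
        self.privileges = {}       # user -> set of privileges (least privilege)
        self.vendors = {}          # vendor name -> {"created_by", "approved_by"}
        self.check_approvals = {}  # check id -> set of managers who approved

    def grant(self, user, privilege):
        # Refuse a grant that would give one user both halves of a critical function.
        held = self.privileges.setdefault(user, set())
        for a, b in self.CONFLICTING:
            if {a, b} <= held | {privilege}:
                raise AuthorizationError(f"{user}: {a} and {b} must be separated")
        held.add(privilege)

    def _require(self, user, privilege):
        if privilege not in self.privileges.get(user, set()):
            raise AuthorizationError(f"{user} lacks {privilege}")

    def create_vendor(self, user, name):
        self._require(user, "vendor.create")
        self.vendors[name] = {"created_by": user, "approved_by": None}

    def approve_vendor(self, user, name):
        self._require(user, "vendor.approve")
        vendor = self.vendors[name]
        if vendor["created_by"] == user:  # defense in depth: never self-approve
            raise AuthorizationError(f"{user} cannot approve a vendor they created")
        vendor["approved_by"] = user
        return True

    def approve_check(self, manager, check_id, amount):
        # Returns True once enough distinct managers have approved the check.
        self._require(manager, "check.approve")
        approvals = self.check_approvals.setdefault(check_id, set())
        approvals.add(manager)
        needed = 2 if amount > self.DUAL_CONTROL_THRESHOLD else 1
        return len(approvals) >= needed
```

Note that the same manager approving twice does not satisfy dual control, because approvals are tracked as a set of distinct users.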

Cross-site scripting (XSS) is one of the oldest exploits on the Internet, emerging within months of Netscape's 1995 release of the first JavaScript-enabled web browser. More than two decades later, XSS remains a significant threat, appearing as number seven on the Open Web Application Security Project (OWASP) list of the ten most critical web application security risks.

What is an XSS Attack?

XSS attacks are a type of injection in which malicious code is inserted into otherwise benign code and then executes on an unsuspecting user's computer. Any dynamic web application that accepts input from a user and then uses that input as part of future output (reflected input) is potentially vulnerable to an XSS attack.

Hypertext Markup Language (HTML), the language used to create web pages, makes it easy to include executable JavaScript as part of the same code used to lay out text, graphics and other features of a page. Normally, this feature provides a safe and efficient way for a developer to add functionality. However, if the application includes reflected input, and proper security best practices have not been followed, bad actors can take advantage of this embedded JavaScript feature to transport and execute their malicious code.

Consider, as an example, a web form that collects comments from users, asking for information such as name, email address and a comment. After the user hits the Submit button, a new page loads that displays the information just entered and thanks the user for their comment. If, instead of plain text, the user entered text that also included HTML with embedded JavaScript, that JavaScript would execute when the new page loaded.

Of course, most users are unlikely to hack themselves by including malicious code in their own form submissions! Much of the power of XSS attacks stems from their ability to defeat a key element of the web application security model known as the same-origin policy. Here, bad actors take advantage of another "feature" of HTML and the related Hypertext Transfer Protocol (HTTP) that allows form data to be included in the parameters sent along with a Uniform Resource Locator (URL). Using this method, the malicious code is actually stored in a link on a third-party web page and sent to the web form when the user clicks on that link.

Why are XSS Attacks Dangerous?

There are many potential bad outcomes from a successful XSS attack. Bad actors can get instant access to user data that might include credit card numbers, account numbers, usernames and passwords. An XSS attack can also be part of a larger scheme that installs malicious code on the user's system or redirects the user to a fake website where they are vulnerable to additional exploitation. Although the direct harm is generally suffered by the user, organizations hosting web applications that are leveraged for XSS attacks can see their reputations diminished and may lose customers due to the perceived breach of trust.

Defending Against XSS Attacks

Since XSS attacks primarily take advantage of websites that reflect input indiscriminately, the first line of defense against XSS attacks is to validate and sanitize form data before it is accepted. Beware of simplistic solutions such as merely blocking inputs that contain HTML <script></script> tags, as these steps can be defeated. Instead, each form element should be specifically validated. For example, email fields in a form should be configured to accept only properly formatted email addresses and reject all other input.

The second line of defense, when supported by the environment being administered, is to apply a process called escaping to any untrusted data before it is used as output. In escaping, certain text characters are replaced with an escape code to prevent JavaScript or other code from accidentally executing. Two very common characters to escape are the less-than and greater-than symbols (< and >) that bracket HTML tags. To sanitize untrusted text, these characters are replaced with the escape codes &lt; and &gt; respectively. The web browser recognizes these special codes and displays the proper character, but the risk of the web browser being confused into running untrusted code is eliminated.

Understanding cross-site scripting is an important component of your preparation for a variety of security certification programs. Think you have this concept mastered? Try your hand at a practice test question. If you're interested in receiving weekly practice test questions and a guided approach to learning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....
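The two defenses described above, applied to the comment-form scenario, as an added example (not code from the original post): per-field validation when the form is accepted, and escaping of every reflected value when the thank-you page is produced. The regular expressions, field names and page template are constructed for illustration and are not from any particular framework.

```python
import re

# Added example (not from the original post): the two defenses described in
# the post, per-field validation on input and escaping on output, applied to
# the comment form scenario. Patterns and field names are constructed.

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,79}$")

# < and > are the two characters the post highlights; &, " and ' are escaped
# too because they can start an entity or break out of an attribute value.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def escape_html(text):
    # Replace each significant character so the browser renders it as text.
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def validate_submission(form):
    # First line of defense: each field must match the shape it is meant to have.
    errors = {}
    if not NAME_RE.match(form.get("name", "")):
        errors["name"] = "letters, spaces and .'- only"
    if not EMAIL_RE.match(form.get("email", "")):
        errors["email"] = "not a properly formatted email address"
    if not 0 < len(form.get("comment", "")) <= 2000:
        errors["comment"] = "comment must be 1 to 2000 characters"
    return errors


def render_thanks_page(form):
    # Second line of defense: every reflected value is escaped at output time,
    # including the fields that already passed validation.
    errors = validate_submission(form)
    if errors:
        return None, errors
    page = ("<p>Thanks, {name}! We will reply to {email}.</p>"
            "<blockquote>{comment}</blockquote>").format(
        name=escape_html(form["name"]),
        email=escape_html(form["email"]),
        comment=escape_html(form["comment"]),
    )
    return page, {}
```

A comment containing a script tag passes the length check but is rendered as visible text, because escaping happens at output regardless of where the input came from (a form post or a link parameter).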

Big changes are in store for the Certified Information Systems Security Professional (CISSP) exam! In a major break from past exam experiences, (ISC)2 recently announced a shift to adaptive testing on December 18, 2017. CISSP candidates taking the exam in English on or after that date will face the adaptive exam. There's no option to choose the old-style exam. This is an immediate and complete change to the testing format.

Are you preparing for the CISSP adaptive exam? Join the free CertMike CISSP Study Group and I'll help you with a weekly practice schedule, exam tips, and access to a community of fellow CISSP candidates.

What is Adaptive Testing?

In a traditional testing experience, exam writers create a lengthy set of questions designed to test students' knowledge of a set of topics. Students attempting the exam then sit down and walk through that set of questions. They can freely move back and forth through the exam, revising their answers until time expires.

In an adaptive exam, the exam writers create a pool of questions, but each exam is customized to the skill and ability of the individual test-taker. The exam starts out with easy questions and then becomes progressively more difficult as candidates answer questions correctly. This approach avoids asking candidates unnecessary questions by assuming that if you're able to answer difficult questions on a topic, you would also be able to answer easier questions on similar topics.

How Many Questions are on the CISSP Exam?

The major benefit of adaptive testing is that exams will be shorter in length. Under the old format, the CISSP exam contained 250 multiple choice questions. You'll find that the adaptive exam will vary in length for each student but will have a minimum of 100 questions and a maximum of 150 questions. The exam is designed to continue asking you questions until you reach one of three different stopping conditions:

1. Reaching a statistically significant result. Once you've answered a minimum of 100 questions, the exam will stop if the testing engine is 95% confident that you will either pass or fail the exam. (Technically, you only need to answer 75 "operational" questions to pass the exam, but I'll address that later.)

2. Reaching the maximum test length. You will never receive more than 150 questions. If you answer 150 questions and the exam software is unable to reach a conclusion with 95% confidence, it will use the questions that you've already answered to make a determination about your exam performance. This may be either a passing or failing determination, based on your answers.

3. Running out of time. When you exceed the three-hour time limit for the exam, the exam will stop immediately. If you have not answered at least 100 questions, you will automatically fail the exam. If you've answered the minimum number of questions, the exam software will use your answers to make a passing or failing determination.

How Long is the CISSP Exam?

The lower number of questions also means that you'll spend less time taking the exam. While the standard exam clocked in as a six-hour test-taking marathon, you'll only have three hours to complete the adaptive exam. Under the old format, you had 1.4 minutes to answer each question on the exam. Depending on how many questions you receive on the adaptive exam, you'll have between 1.2 and 1.8 minutes to answer each question. That means there won't be much of a change in the pace of the exam, but you'll spend much less time in the testing center.

How Will Adaptive Testing Change the Exam Experience?

The difficulty of the questions on the exam will change from the standard format. If you're doing well on the exam, the questions will get progressively harder as you work your way through the test. If you notice questions getting more difficult, don't panic. That's a good indication that you're doing well on the exam.

Another significant change in the adaptive exam is that you won't be able to move freely through the exam. Gone are the days of skipping questions and revisiting your answers later. Each time you answer a question, you lock in your choice and won't be able to revise your answer. The exam software decides which questions to pose to you based on your answers to previous questions. Changing your answers would disrupt this adaptive experience. Therefore, you need to be much more careful as you move through the exam. You won't have an opportunity to double-check your work.

What's the CISSP Passing Score?

In an adaptive testing format, it becomes much more difficult to determine your score. There's no simple relationship between the number of questions you answer correctly and your final score. You'll receive more credit for answering difficult questions and reduced credit for answering simpler questions. You also won't receive a score at the end of the exam. Instead, you'll simply be told whether you've successfully passed the exam or failed to meet the standard.

This may seem cryptic and opaque, but there's a reason for this seemingly odd behavior. The testing engine continuously evaluates your performance as you take the exam. It's designed to always present you with a question that you have a 50% chance of successfully answering. Therefore, you will probably feel like you are not doing well as you take the exam. By design, you should only answer half of the questions correctly.

Should I Prepare Differently?

No, you won't need to prepare any differently for the adaptive exam than you would for the standard test. The adaptive exam covers the same material as the standard test. It simply presents the questions in a different manner.

If you'd like to get ready for the exam, join my free CISSP study group. I'll provide you with weekly emails that guide you through the study process step-by-step.

Does the Exam Still Include Beta Questions?

Yes, you will receive an exam that consists of approximately 75% operational questions and 25% developmental questions. The developmental questions do not count toward your score. (ISC)2 is testing them for future use on the exam. You won't know which questions are...