What the CISSP Won't Teach You - Part Trois

Tuesday, July 05, 2011

Boris Sverdlik


What the CISSP Won't Teach You Part One, Part Two

What the CISSP won't teach you part Trois (Access Controls Part#1)

My password is “password” plus the year, so I’m safe, right? Why no, Timmy, no you are not.

While passwords are just a small piece of what we need to know about access controls, they are sort of important.

Passwords and PINs are the utmost basic access controls. Every modern operating system has the capability to enforce strong passwords.

A strong password is at least 15 characters long and consists of at least three of the following:

  • Upper Case
  • Lower Case
  • Number
  • Special Character

While ISC2 will want you to learn things like information entropy and formulas that include some random base 10 calculations, you only need to know the following things in the real world.

Passwords using current hashing methods are becoming easier and easier to crack thanks to graphics processors; people much smarter than I (@purehate_) have developed methods to crack SHA1-hashed passwords at ridiculous speeds.

According to his site, he can crack a password of up to 7 characters using all 95 characters on a keyboard (a total of 69,833,729,609,375 trillion matches) in around 4 days.

So how do we protect ourselves? Enforce passwords that are at the very least 15 characters. The 8 characters that were once thought of as “best practice” followed the LanMan hash mechanism, which only required cracking the first 7 characters.

That was years ago and is no longer relevant. Password attacks are very common and getting more prevalent, considering all the hashes being pasted to Pastebin these days.
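The arithmetic behind those numbers is worth working through once, because it is the whole argument for the 15-character minimum. The following is an added example, not code from the original post: it takes the post's two figures (95 printable keyboard characters, a 7-character search finishing in about 4 days), derives the guess rate that implies, and then applies the same rate to longer passwords. The rate and the 15-character comparison are this example's own calculations; nothing here is an attack, only the worst-case cost estimate a defender uses to set policy.

```python
"""Keyspace arithmetic behind the "7 characters in about 4 days" figure.

Added example, not code from the original post. The 95-character set and the
4-day figure are the post's numbers; the derived guess rate and the
comparison of longer lengths are this example's own calculations.
"""

KEYBOARD_CHARS = 95            # printable ASCII characters on a keyboard (from the post)
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def implied_rate(alphabet_size: int, length: int, days: float) -> float:
    """Guesses per second a cracker must sustain to exhaust the keyspace in `days`."""
    return keyspace(alphabet_size, length) / (days * SECONDS_PER_DAY)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case years to try every candidate of `length` characters at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def min_length_for(alphabet_size: int, rate: float, target_years: float) -> int:
    """Smallest length whose full keyspace takes at least `target_years` at `rate`."""
    length = 1
    while years_to_exhaust(alphabet_size, length, rate) < target_years:
        length += 1
    return length


def compare_lengths(rate: float, lengths=(7, 8, 10, 15)) -> dict:
    """Years of exhaustive search for each length at the same guess rate.

    Every extra character multiplies the work by 95, which is why length
    buys far more than adding one more character class."""
    return {n: years_to_exhaust(KEYBOARD_CHARS, n, rate) for n in lengths}


if __name__ == "__main__":
    rate = implied_rate(KEYBOARD_CHARS, 7, days=4)   # about 2.0e8 guesses/s
    print(f"keyspace for 7 chars: {keyspace(KEYBOARD_CHARS, 7):,}")
    print(f"implied rate: {rate:,.0f} guesses/s")
    for n, years in compare_lengths(rate).items():
        print(f"{n:2d} chars: {years:.3g} years of exhaustive search")
    print("shortest length that holds 100 years at this rate:",
          min_length_for(KEYBOARD_CHARS, rate, 100))
```

Two caveats when using this to set policy: the rate is a 2011 figure and hardware has only gotten faster, so treat the numbers as a lower bound on attacker capability and re-run them with a current rate; and exhaustive search is the attacker's worst case, not the common one. The targeted dictionary the post describes next sidesteps the keyspace entirely, which is why length alone is not the whole answer.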

A dedicated attacker will not scour Pastebin to get your password, although “inurl: password” used to be a common attack vector. More common for the dedicated attacker is gathering as much background information as possible on his or her target.

Humans are, for the most part, predictable, and as attackers build the dossier on their target they also build a customized dictionary that can be very successful for password guessing.

People tend to use things that are easy to remember such as:

  • Kids names
  • Spouse names
  • Birthdays
  • Anniversaries
  • Favorite Teams
  • Home towns
  • Etc.

When I go on physical pen tests, I typically look around the office for things that would be easy for me to remember as a user. You’d be surprised how successful that has been.

So how do we block password-based attacks? Simple: implement lockout procedures, require strong passwords (15+ characters), and train your users on the importance of picking passwords that are random.

I’d like to say use one-time passwords or two-factor authentication, but we all know usability always trumps security. Also, since your development staff sucks at preventing SQL injection, you might want to not just hash your passwords but use state encryption as well.
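Pulling the password section together: the strength rule above (15 characters, three of the four character classes), the point that people pick passwords from their own lives, and the advice to lock out and hash all fit in one small module. What follows is an added example, not code from the original post or from any product. The 15-character minimum and three-of-four rule are the post's; the lockout threshold (5 failures, 15 minutes), the PBKDF2 work factor, the user record and the sample passwords are assumptions constructed for the demonstration. The personal-information check is the defensive counterpart to the attacker's customized dictionary: it refuses passwords built from facts the organization already knows about the user.

```python
"""Password policy, personal-information blocklist and lockout.

Added example, not code from the original post. The 15-character minimum and
the three-of-four character-class rule are the post's; the lockout numbers,
PBKDF2 rounds, user record and sample passwords are assumptions.
"""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MIN_LENGTH = 15
MIN_CLASSES = 3
MAX_FAILURES = 5             # assumption: the post only says "implement lockout procedures"
LOCKOUT_SECONDS = 15 * 60    # assumption
PBKDF2_ROUNDS = 100_000      # assumption; raise it as hardware allows

# The four character classes listed in the post.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_problems(password: str) -> List[str]:
    """Policy violations in `password`; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in CLASSES.values() if rx.search(password))
    if present < MIN_CLASSES:
        problems.append(f"uses {present} of {len(CLASSES)} character classes, need {MIN_CLASSES}")
    return problems


def _normalize(text: str) -> str:
    """Lower-case and strip punctuation so 'Yankees-2011!' compares as 'yankees2011'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def context_problems(password: str, known_facts: Iterable[str], min_len: int = 4) -> List[str]:
    """Reject passwords built from facts an attacker can learn about the user
    (names, birth years, hometown, favourite team). Facts shorter than
    `min_len` are ignored so two-letter initials do not reject everything."""
    norm_pw = _normalize(password)
    hits = [f for f in known_facts if len(_normalize(f)) >= min_len and _normalize(f) in norm_pw]
    return [f"contains personal information: {h}" for h in hits]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a per-user salt defeats shared precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Registers users under the policy and enforces lockout on login."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                       # injectable so the lockout window is testable
        self.accounts: Dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)        # unknown users cost the same PBKDF2 work

    def register(self, username: str, password: str, known_facts: Iterable[str] = ()) -> None:
        problems = complexity_problems(password) + context_problems(password, list(known_facts))
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; unknown users get 'denied'."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, self._dummy_salt)
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:     # the failure that trips the limit reports the lock
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Design notes: the lockout is per account and time-bounded rather than permanent, so an attacker cannot turn it into a denial of service against the help desk; the correct password is rejected while the window is open, which is what the lockout is for; and the unknown-user path burns the same hash work as a real one so response timing does not reveal which usernames exist. The `known_facts` list is whatever HR or the directory already holds (name, spouse, birth year), never something the application collects specifically for this check.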

Strong authentication mechanisms should be two-factor, combining two of the following:

  • Something you have (Smart Card, Key Fob)
  • Something you know (Password, Pin)
  • Something you are (Fingerprint, Retina, Signature; I’m not going to go into any of the privacy concerns associated with this one)

Now that we have covered passwords, let's discuss access controls. Access controls come in multiple forms:

  • Physical (Security Guards, Cameras, Card Readers, Locks, etc.)
  • Technical (Firewalls, Roles, ACLs, DMZs, etc.)
  • Administrative (Policy, “Honor System”)

Most organizations do not include physical security as part of their information security program. As security professionals, we know that attackers don’t care how they get in.

Your Internet posture may be bulletproof, but how does that help if your front door is wide open? Why put a lock on the door if you have a hung ceiling above it? Attackers think outside the box, and so must you.

A skilled cat burglar will case the place before trying to break in. Take a walk through your lobby entrance and look at it as an outsider: what do you see? The typical setup is a camera, a locked door, a card reader, maybe an alarm panel and, if they were really diligent, a motion detector.

What good are these if you can just climb over the wall? Or better yet, cut through the drywall? Get where I’m going? Lock picking is a hobby most of us hold, so unlocking a door is easy.

When you design your physical controls, keep that in mind. Shared areas should be blocked off with concrete; do not use drywall or other penetrable materials. The casual adversary doesn’t care if he is caught. The dedicated attacker does not want to be detected.

Cameras are great at detection, but if no one is actively watching them, that is all they are: detective controls. A camera with a blind spot can be easily circumvented and, as such, should never be in a shared area. Anyone can use a blind spot to their advantage and create an obstructed view.

RFID cards for physical access have become more of a security-through-obscurity mechanism. Card reader/writers are widely available for purchase, and the old bump-and-steal will pretty much get you through the door. Forget the movies: this is real life, and these technologies exist and are in use by attackers.

Physical access controls should use the same authentication mechanisms that we use in the logical world. Two-factor authentication should be used for all physical access methods. This is essentially the only way to ensure that the casual attacker stays out of the front door.

Access controls are a broad subject, so I will be breaking this up into subsections. The next section will address Logical controls.
Cross-posted from Jaded Security
