The chapter opens with a discussion of risk, which is familiar to anyone who has lost money gambling, but the word means more than that when we are talking about protecting networks. Let's consider some of the vocabulary on page 19:
The effects and the causes of risk are concern for everyone in an organization. The systems, the users, the policies, and the threat agents all affect whether there will be a successful attack on our organization.
On page 22, the text discusses a few important access control threats:
Most people would rather not use passwords at all, so it is the system administrator's job to force them to use something. The text describes a typical scenario in which a minimum password length is set, along with a complexity rule that the password must contain upper case, lower case, and numeric characters. Often a password policy would give users the choice of using symbols along with or instead of one of those character types. I believe the authors chose to simplify the math for their tables on pages 22 and 23 by limiting the number of possible characters. By the way, the authors use the words combination and permutation as though they were synonyms. They are not. This takes us to math again. Sorry, but this is necessary.
The area of math we need for a few minutes is called probability. It was created by Blaise Pascal and Pierre de Fermat, two mathematicians who developed it after Pascal was consulted by Antoine Gombaud, a French writer who kind of pretended to be a nobleman, and who couldn't understand why he was losing money gambling on games he had made up himself. The story is worth reading, and so is this part of math. The point is that combinations and permutations are two different things.
The table on page 22 is correctly labeled as a table of permutations. If the order of the characters did not matter, that would be a combination. Let's consider an example with only numbers, and only three characters. 123, 132, 213, 231, 312, and 321 would all be equally acceptable: those six strings are the different orderings of the same three digits, and when order does not matter they all count as the same combination. In gambling, this would be the equivalent of betting on those three numbers and boxing them.
This is not how passwords work. Since the order of characters in a password does matter, that makes a password problem a permutation, which means that each of the variant orderings must be considered separately. When you calculate the number of possibilities in a permutation, you do as the authors have done: you multiply the number of possible characters (n) times itself for each position in the password (r). If we have ten digits, know the length is three, and know that repeats are allowed, the number of permutations would be 10 * 10 * 10 = 1000. The equation for that is just n^r.
When the order does not matter, the equation changes considerably, resulting in a much smaller answer. Follow the link in the last sentence to a very good math lesson on the two concepts. Read the lesson behind that link if you don't understand factorials. If you do, the equation for the answer is (n + r -1)! / (r! * (n - 1)!). The answer is (10 + 3 -1)! / (3! * (10 - 1)!) = 220. There are only 220 combinations of three characters in a ten character universe, if order does not matter. If that looks terrible, don't worry. We will talk about it in class.
Back to our text, the reason we care about all that math is that it gives us a way to understand the math on page 22. The more possible characters in each position, the greater the base number that must be raised to a power equal to the number of characters actually used in the password. This is why the table on page 22 looks like it does. Each row in the table holds numbers that are exponentially larger than the row before it. The table on page 23 explains that we care because it would take a hacker an exponentially longer time to crack a password by the brute force method: trying every possible password until the right one is discovered. The times in the chart, by the way, are theoretical. The actual time it would take would be determined by the time it takes to try a login, the number of failed logins you can make before your account is locked out, the duration of the automatic lockout, and whether the hacker knows how long your password is to begin with.
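As an added example (not from the textbook or these notes), here is the arithmetic above in Python: the n^r permutation count, the (n + r - 1)! / (r! (n - 1)!) combination count for comparison, and the theoretical brute-force time extended with the lockout factors the paragraph mentions. The character-set sizes, attempt rate and lockout settings are constructed values, not the table's rows.

```python
import math

# Constructed character-set sizes (the base n); the textbook's own rows are not reproduced.
CHARSETS = {"digits": 10, "lowercase": 26, "mixed case": 52, "mixed case + digits": 62}


def permutations_with_repeats(n: int, r: int) -> int:
    """Ordered strings of length r over n symbols, repeats allowed: n ** r."""
    return n ** r


def combinations_with_repeats(n: int, r: int) -> int:
    """Unordered selections of r symbols from n, repeats allowed: (n+r-1)! / (r! (n-1)!)."""
    return math.factorial(n + r - 1) // (math.factorial(r) * math.factorial(n - 1))


def brute_force_seconds(n: int, r: int, attempts_per_second: float) -> float:
    """Worst case: every password of length r is tried, no lockout (the chart's theoretical time)."""
    return permutations_with_repeats(n, r) / attempts_per_second


def brute_force_seconds_with_lockout(n: int, r: int, attempts_before_lock: int,
                                     lockout_seconds: float, attempt_seconds: float) -> float:
    """Worst case when the account locks for lockout_seconds after every
    attempts_before_lock failed logins. The last guess succeeds, so only
    total - 1 failures occur and lockouts = floor((total - 1) / attempts_before_lock)."""
    total = permutations_with_repeats(n, r)
    lockouts = (total - 1) // attempts_before_lock
    return total * attempt_seconds + lockouts * lockout_seconds


def keyspace_table(lengths: tuple) -> dict:
    """Rows like page 22: character set -> {length: n ** r}. Each row grows with the base."""
    return {name: {r: permutations_with_repeats(n, r) for r in lengths}
            for name, n in CHARSETS.items()}


if __name__ == "__main__":
    for name, row in keyspace_table((6, 8, 10)).items():
        print(f"{name:>20}: " + "  ".join(f"len {r}: {v:,}" for r, v in row.items()))
    # constructed rate: 1000 online login attempts per second, no lockout
    print("digits, length 3, no lockout:", brute_force_seconds(10, 3, 1000), "s")
    # constructed policy: lock for 10 minutes after 5 failures, 1 s per attempt
    print("digits, length 3, with lockout:",
          brute_force_seconds_with_lockout(10, 3, 5, 600, 1), "s")
```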
The attacker our text is describing is in fact trying variations on user IDs as well as variations on passwords. This is much more complicated than trying to hack into a system when user IDs are known, or can be guessed. Let's join our authors on page 24. Suppose the attacker is trying to break into our system by guessing passwords. Having broken in as a random user is not very valuable for a hacker. That only results in the access that has been granted to the hacked account. As the authors point out, the next step may be to learn about other users on the system, and to hack those accounts that we guess have heightened access, rights that can lead to full access to the system. Is there a better way to start an attack? The authors take a detour into another approach that works well, social engineering.
Social engineering is working the users of a system like a con artist. Think of Leonardo DiCaprio in Catch Me If You Can, interviewing an airline official to get the information he needed to impersonate a pilot. In the same way, a hacker can ask people for account information and get it because the people being asked often put no effort into keeping the information secret. It is probably true that people are the weakest link in any security chain. A social engineer would love to learn that the password policy shown on the right was actually in force for a target organization. What changes would you make to this terrible example of a policy?
Shoulder surfing is another useful technique: watching a user type to learn ID, password, and other useful information. This is also social engineering, and so is paying attention to what people do. Of course, to do that you have to be inside the possibly secure facility. That's not a big problem in most cases. The text mentions a classic example of tailgating, following an authorized user through a door that requires you to scan an ID to pass through it. The hacker in the text had his hands full with a briefcase, coffee cup, keys, and a box of doughnuts. He smiled and asked for help getting through the door. People usually oblige that request. Around holidays, presents are also a good ruse, as well as anything else allowed in the office, like a potted plant or a bouquet of flowers. Anything to make you look like a nice person whose hands are too full to use your own ID to open the door.
Access Control Vulnerabilities
The text explains that passwords should never be stored on a system in an unencrypted form. A file full of such information is too valuable to hackers to allow it to exist. Most network operating systems provide a method that runs a password through a hash function before it is used for authentication. A hash function takes a plaintext block of any size and converts it to a scrambled block of a fixed size. This is often done with passwords and PINs. The idea is to use the same hash function each time a user enters a password, and to compare the hash to a stored version of the hashed password, which is the only version of the password that is saved on the system. This method makes sure that anyone reading the file that holds the hash versions cannot know what the actual passwords are. Hash algorithms work only in one direction: you can't use the hash algorithm to decrypt the hash output. You can only compare to see if the hash of the user's input matches the saved hash.
An experienced hacker could use rainbow tables in an attempt to work around the hash. A rainbow table holds the hash values of known words and numbers. The idea is to capture a user's hashed submission, then compare it to the data in a rainbow table. If the hacker finds a match, the password is no longer secret. How do you capture the hash? That's what is actually stored in the system. If the attacker can access the Security Account Manager data file on a workstation or server (Windows), that's helpful because it contains the hashed passwords for known users. No user on the system should be granted more rights than are needed to do the work they should be doing, but every system has some user IDs that must be granted the highest level of rights. The text warns us that there are also instances in which an application must have specific high level rights (to a folder or a file), but it should never be necessary to grant administrator level rights to the whole system.
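As an added example (not code from the textbook or these notes), here is the store-the-hash, compare-the-hash scheme from the last two paragraphs in Python. It goes one step beyond the text: each stored hash gets a random per-user salt, which is the standard defence against a precomputed (rainbow) table, since the same password no longer produces the same stored value. The in-memory "password file", usernames and passwords are constructed; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever hash the operating system uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # work factor; slows every guess, including the attacker's
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same output,
    which is exactly why a precomputed table of hashes of known words works against it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: any-length input becomes a fixed 32-byte digest that cannot be reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(db: dict, username: str, password: str) -> None:
    """Save only (salt, hash); the plaintext password is never written anywhere."""
    salt = os.urandom(SALT_BYTES)        # fresh random salt per user
    db[username] = (salt, hash_password(password, salt))


def verify_password(db: dict, username: str, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare digests in constant time."""
    if username not in db:
        # Hash anyway so an unknown user ID takes as long as a wrong password.
        hash_password(attempt, b"\x00" * SALT_BYTES)
        return False
    salt, stored = db[username]
    return hmac.compare_digest(stored, hash_password(attempt, salt))


def stored_hashes_match(db: dict, user_a: str, user_b: str) -> bool:
    """True only if two users' stored hashes are identical (they should not be, even
    when both chose the same password, because their salts differ)."""
    return db[user_a][1] == db[user_b][1]


if __name__ == "__main__":
    users = {}                                       # constructed password file
    store_password(users, "alice", "Winter2024!")
    store_password(users, "bob", "Winter2024!")      # same password as alice
    print("alice logs in:", verify_password(users, "alice", "Winter2024!"))
    print("wrong case:", verify_password(users, "alice", "winter2024!"))
    print("same stored hash for same password?", stored_hashes_match(users, "alice", "bob"))
    print("unsalted, table-friendly digest:", unsalted_digest("Winter2024!"))
```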
The text returns to the concept of risk assessment on page 26. It poses a good question that has more than one answer. How shall we count the value of an asset? This is easier to answer once we choose between two points of view:
The text continues with a discussion that leads to a complicated calculation. You need to pay attention to each step. The text presents the concepts in a different order than I have seen before. I think this one is clearer:
Risk Management Strategies
The text lists four major strategies for managing risk in your environment. Here are five:
The text continues with a multipoint discussion about making risk assessment an ongoing strategy. It boils down to the idea that things change, that you need to make sure of what you own, what it is worth to you (now and in the future), and how much effort you should spend to protect it. So, we have spent some effort finding out what we have, ranking the assets by some scale, and determining that we should do it again this time next year. Now what?
Now, we think about the means to protect some of those assets. The text points out that firewalls and managed switches can protect multiple devices on the segments of our network that pass data through them. In a managed environment, we can set policies that manage the rights to every device, but it makes sense to use the economies afforded to us by traffic choke points in our networks.
The text also suggests that we take a multilayered approach to security. This means that a security solution will have multiple layers, requiring an attacker to get through several kinds of protection before accessing data. Diversity should be part of the layering concept. Diversity means that each layer of security is different in some way from the other layers, so an attacker will not be able to use the same exploit to get through all the layers. A layered approach is also called a defense in depth.
Security for Staff
The text tells us that we should spend some time on training our users in security. A better way to think about this is to think about having a Security Education, Training, and Awareness (SETA) program. There are three parts to a SETA program, two of which apply to all of our employees, and one of which applies to our technical/professional staff:
Security for Workstations
The text discusses three protection methods that apply to workstations:
Security for LANs
The text recommends that we concentrate on three items to protect each LAN:
Security for LAN to WAN links
Our security measures can only extend over what we control, so we should take particular measures to protect at the boundary, the perimeter, between our assets and the rest of the world.
Security for Remote Access
Staff who must connect to our network remotely should be enabled to use Virtual Private Network connections. They should also be trained to never make a connection through any unencrypted wireless channel.
Security for Systems and Applications
This is like the security for operating systems mentioned above. The best approach relies on security patches from the publishers of the software involved, as well as protecting the devices that use this software with the methods listed above.
The text ends the chapter with some observations about what should be done in particular situations. The first is a private sector company described as having a border firewall and a DMZ for its web servers. They had installed anti-virus and spam protection for their email system. They were also using some access controls, but we are not told what they were.
The text proposes a series of steps toward improving this system:
The second case study is for a public sector agency whose security needs are meant to be strong. As an exercise, I will ask you to analyze the situation and proposed changes in this section.