Security breach

Access Control, Authentication, and Public Key Infrastructure

 

Lesson 5

Security Breaches and the Law

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Laws and Data Breaches

Federal and state laws act as deterrents

Organizations are required to take steps to protect the sensitive data

An organization may have a legal obligation to inform all stakeholders if a breach occurred


Federal Laws

Computer Fraud and Abuse Act (CFAA) designed to protect electronic data from theft

Digital Millennium Copyright Act (DMCA) prohibits unauthorized disclosure of data by circumventing an established technological measure


The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984.

 

The 2008 amendments[1]:

Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;

Eliminated the requirement that the defendant’s action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;

Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim’s computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;

Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;

Broadened the definition of “protected computer” in 18 U.S.C. § 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and

Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.


State Laws

California Identity Theft Statute requires businesses to notify customers when personal information has been disclosed

Research specific laws that apply in your state.

You can begin by visiting your state’s Office of Attorney General Web site.

 


Kentucky State Laws

On April 10, Governor Beshear signed into law H.B. 232, designed to address the compromise of personally identifiable information of residents of the Bluegrass State. The law also requires cloud service providers that contract with educational institutions (K-12) to maintain the security of student data (name, address, email address, emails, and any documents, photos or unique identifiers relating to the student) and prohibits the sale or disclosure, or processing of student data for commercial purposes.

 

Like most states, Kentucky has defined personally identifiable information as first name or first initial and last name combined with any of the following data elements when the name or data element is not redacted:

Social Security number

Driver’s license number

Account number, credit or debit card number in combination with any required security code, access code or password permitting access to an individual’s financial account

 

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

First-Layer Access Controls

All physical security must comply with all applicable regulations

Access to secure computing facilities is granted only to individuals with a legitimate business need for access.

All secure computing facilities that allow visitors must have an access log.

Visitors must be escorted at all times


Passwords

Most common and easiest form of access

To be effective: requires the use of a secure channel through the network to transmit the encrypted password

Not very secure

WHY USE THEM??

Something you know

User friendly – people get the concept (like an ATM PIN)

Two-factor authentication

– Combine passwords with a (smart card) token

– ATM card and PIN – improved protection

Easy to manage

Supported across IT platforms

Access Control Failures

People

 

Technology

 


People

Social engineering

Phishing and spear phishing attacks

Poor physical security on systems

File-sharing and social networking sites


Technology

Very weak password encryption

Web browsers are a major vector for unauthorized access

Web servers and other public-facing systems are an entry point for unauthorized access


Privacy Impact Assessment (PIA)

A comprehensive process for determining the privacy, confidentiality, and security risks associated with the collection, use, and disclosure of personal information

Describes the measures used to mitigate and, if possible, eliminate identified risks

Required in the public sector for any new system that handles personally identifiable information (PII)


Privacy Impact Assessment (PIA) (Cont.)

Identifies the key factors involved in securing PII

Emphasizes the process used to secure PII as well as the product

Has a sufficient degree of independence from the project implementing the new system

Has a degree of public exposure

Is integrated into the decision-making process


Security Breach Principles


The difference between a direct and an indirect attack: in a direct attack, the criminal uses his or her own computer to break into other computers or systems, whereas in an indirect attack the computer or system being used has itself been compromised and is then used to complete this objective.

System exploits

Eavesdropping

Social engineering

Denial of service (DoS) attacks

Indirect attacks

Direct attacks

Consequences

Security breaches can have serious consequences for an organization.

A breach can rely on:

Lax physical security

Inadequate logical access controls

A combination of both


Implications of Security Breaches


Damages organizations’ computer systems

Financial impact

Legal action

Loss of reputation

Costs of contacting all of the affected individuals

Organization’s market share

Prevent or Mitigate Access Control Attacks

Example: Target


Hackers originally gained access to Target’s network by stealing a refrigeration contractor’s access credentials via a phishing attack

The contractor’s electronic interaction with Target was limited to billing, contract submission, and project management

Sophisticated and prolonged attack at Target

Once the hackers infiltrated the Target network, they distributed malware to thousands of PoS machines designed to siphon off customer data

The stolen data was later uploaded from the Target network to an FTP server

Then, they set up a control server within Target’s internal network that acted as the central repository for the stolen credit card data

Example Discussion Activity

How could this attack have been prevented?


Protecting the Enterprise

Requires a coordinated defense involving people, processes, and tools that span anti-malware, firewalls, applications, servers, network access controls, intrusion detection and prevention, security event monitoring, and more

Identity and Access Management (IAM)

Obtain visibility and control over user access privileges: who has access to what?

Detective controls

Access policy

Automated account reconciliation
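The automated account reconciliation named above, as an added example that is not part of the original slides: the script compares the accounts found in a directory against the HR roster and the list of approved privileged accounts, and reports orphaned accounts, accounts whose owner is no longer active, dormant accounts, and privileged accounts the access policy never approved. The roster, account list, 90-day dormancy threshold and the date used as "today" are all constructed for the example.

```python
# Added example (not from the slides): automated account reconciliation
# comparing directory accounts with the HR roster and the access policy.
# All data and thresholds below are constructed for the example.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    owner_id: Optional[str]        # HR employee id; None when nobody owns it
    privileged: bool               # holds an administrative role
    last_logon: Optional[date]     # None when the account has never logged on


# Constructed HR roster: employee id -> employment status
HR_ROSTER: Dict[str, str] = {
    "E100": "active",
    "E101": "active",
    "E102": "terminated",
}

# Constructed list of privileged accounts approved by the access policy
APPROVED_PRIVILEGED = {"alice.admin"}

STALE_AFTER = timedelta(days=90)   # assumed threshold for a dormant account


def reconcile(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return findings grouped by category; each value lists usernames.

    An account can appear in more than one category (e.g. an orphaned
    service account that is also privileged and never used)."""
    findings: Dict[str, List[str]] = {
        "orphaned": [],               # no owner recorded at all
        "no_active_owner": [],        # owner unknown to HR or not active
        "dormant": [],                # never used, or unused for > STALE_AFTER
        "unapproved_privileged": [],  # privileged but not on the approved list
    }
    for acct in accounts:
        if acct.owner_id is None:
            findings["orphaned"].append(acct.username)
        elif HR_ROSTER.get(acct.owner_id) != "active":
            findings["no_active_owner"].append(acct.username)
        if acct.last_logon is None or today - acct.last_logon > STALE_AFTER:
            findings["dormant"].append(acct.username)
        if acct.privileged and acct.username not in APPROVED_PRIVILEGED:
            findings["unapproved_privileged"].append(acct.username)
    return findings


# Constructed directory export used for the sample run
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", False, date(2016, 6, 1)),
    Account("alice.admin", "E100", True, date(2016, 5, 30)),
    Account("bob", "E101", False, date(2016, 1, 15)),    # not used for months
    Account("carol", "E102", False, date(2016, 6, 3)),   # owner was terminated
    Account("svc_backup", None, True, None),             # unowned, privileged, never used
]

SAMPLE_DATE = date(2016, 6, 7)   # constructed "today" for the sample run


def reconcile_sample() -> Dict[str, List[str]]:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_DATE)


if __name__ == "__main__":
    for category, names in reconcile_sample().items():
        print(f"{category}: {names}")
```

Each finding is something an IAM process should act on rather than merely log: orphaned and terminated-owner accounts are disabled, dormant accounts are reviewed with their owners, and unapproved privileged accounts are either approved through the policy or stripped of the role.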

Authentication Attacks

Occur when a web application authenticates users unsafely, granting access to web clients that lack the appropriate credentials

Access Control Attacks

Occur when an access control check in the web application is incorrect or missing, allowing users unauthorized access to privileged resources such as databases and files
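The missing check described above, as an added example that is not part of the original slides: a document-retrieval function that authenticates the user but never checks authorization, beside a corrected version that enforces ownership on every request and records each denial as a detective control. The users, documents and the "auditor" role name are constructed for the example.

```python
# Added example (not from the slides): an access-control check that is
# missing, beside its corrected form, over a constructed in-memory store.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Constructed sample data: two users each own one document.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's salary review"},
    2: {"owner": "bob", "body": "bob's contract"},
}


def get_document_vulnerable(user: User, doc_id: int) -> str:
    """The application has authenticated `user`, but never asks whether
    `user` may read `doc_id`: any logged-in user can read any document by
    changing the id in the request."""
    return DOCUMENTS[doc_id]["body"]


# Detective control: every denied request is recorded for later review.
DENIED_LOG: List[Tuple[str, int, str]] = []


def get_document(user: User, doc_id: int) -> str:
    """Corrected form: authorization is enforced server-side on every
    request. Only the owner or a holder of the hypothetical 'auditor'
    role may read the document."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        # Same error as for a real document, so the response does not
        # reveal which ids exist.
        DENIED_LOG.append((user.name, doc_id, "not-found"))
        raise PermissionError("access denied")
    if doc["owner"] != user.name and "auditor" not in user.roles:
        DENIED_LOG.append((user.name, doc_id, "not-owner"))
        raise PermissionError("access denied")
    return doc["body"]


if __name__ == "__main__":
    bob = User("bob")
    print("vulnerable:", get_document_vulnerable(bob, 1))   # leaks alice's document
    try:
        get_document(bob, 1)
    except PermissionError as exc:
        print("corrected:", exc, "->", DENIED_LOG[-1])
```

The corrected function fails closed: a request for a document that does not exist and a request for someone else's document produce the same refusal, and both are logged, so repeated denials for one user stand out during review.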

Web Applications

Exposing these rich interfaces to anyone on the Internet makes web applications an appealing target for attackers who want to gain access to other users’ data or resources

Access Control

Access control attacks attempt to bypass or circumvent access control methods

Access control begins with identification and authorization

Access Aggregation

Collecting multiple pieces of non-sensitive information and combining, or aggregating, the pieces to learn sensitive information

Reconnaissance Attacks

Access aggregation attacks that combine multiple tools to identify elements of a system, such as IP addresses, open ports, running services, and operating systems

Protecting Against Access Control Attacks

Control physical access to systems

Control electronic access to password files

Encrypt password files

Create a strong password policy

Use password masking

Deploy multifactor authentication

Use account lockout controls

Use last logon notification

Educate users about security

Audit access controls

Actively manage accounts

Use vulnerability scanners
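Several of the controls listed above, and the "very weak password encryption" named under technology failures earlier, as one added example that is not part of the original slides: a weak unsalted hash shown only for contrast, a salted and iterated password hash so that a stolen password file does not directly yield passwords, an account lockout after repeated failures, and the previous logon time returned on success for last-logon notification. The iteration count, lockout threshold and lockout duration are assumed values for the example.

```python
# Added example (not from the slides): salted, iterated password hashing
# beside the weak unsalted form, with account lockout and last-logon
# tracking. The three parameters below are assumptions for the example.
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to your hardware
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration


def weak_hash(password: str) -> str:
    """Unsalted MD5: every user with the same password gets the same hash,
    and a stolen password file can be checked against precomputed tables.
    Shown only for contrast with create_account()."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_account(password: str) -> dict:
    """Store a per-user random salt and an iterated hash; the password
    itself is never written anywhere."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": _derive(password, salt, PBKDF2_ITERATIONS),
        "iterations": PBKDF2_ITERATIONS,
        "failed": 0,
        "locked_until": 0.0,
        "last_logon": None,
    }


class LoginResult(NamedTuple):
    ok: bool
    reason: str                      # "ok", "locked" or "bad-password"
    previous_logon: Optional[float]  # shown to the user as last-logon notification


def login(account: dict, password: str, now: float) -> LoginResult:
    """Verify a password with account lockout. `now` (seconds) is passed in
    rather than read from the clock so the behaviour can be tested."""
    if now < account["locked_until"]:
        return LoginResult(False, "locked", None)
    candidate = _derive(password, account["salt"], account["iterations"])
    if hmac.compare_digest(candidate, account["hash"]):   # constant-time compare
        previous = account["last_logon"]
        account["failed"] = 0
        account["last_logon"] = now
        return LoginResult(True, "ok", previous)
    account["failed"] += 1
    if account["failed"] >= MAX_FAILED_ATTEMPTS:
        account["locked_until"] = now + LOCKOUT_SECONDS
        account["failed"] = 0
    return LoginResult(False, "bad-password", None)


if __name__ == "__main__":
    acct = create_account("correct horse")
    print(login(acct, "correct horse", 1000.0))
    for i in range(MAX_FAILED_ATTEMPTS):
        login(acct, "wrong", 2000.0 + i)
    print(login(acct, "correct horse", 2010.0))   # locked even with the right password
```

The lockout is keyed on the account, so it limits online guessing against one user; the salted, iterated hash is what protects the password file if it is stolen, and the previous logon time lets a user notice a login they did not perform.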

Virtual Lab

Managing Group Policy Objects in Active Directory


If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:

 

“In this lesson, you learned about ways that compromised access controls can result in security breaches. You also discovered the legal implications of security incidents. One effective way to help prevent security breaches is to enforce system logon security controls.

 

In the lab for this lesson, you will use the Group Policy Management tool to edit the default domain policy and set up a new password policy. You will also create a new group policy object (GPO) and apply it to an organizational unit.”

6/7/2016