Unit-3 Part B


UNIT–III: Identity and Access Management, Configuration Management

DEFINITION OF OPERATIONAL SECURITY


Operational security (OPSEC), also known as procedural security, is a risk management process that
encourages managers to view operations from the perspective of an adversary in order to protect
sensitive information from falling into the wrong hands.

THE FIVE STEPS OF OPERATIONAL SECURITY


The processes involved in operational security can be neatly categorized into five steps:

1. Identify your sensitive data, including your product research, intellectual property, financial statements,
customer information, and employee information. This will be the data you will need to focus your resources on
protecting.

2. Identify possible threats. For each category of information that you deem sensitive, you should identify
what kinds of threats are present. While you should be wary of third parties trying to steal your information, you
should also watch out for insider threats, such as negligent employees and disgruntled workers.

3. Analyze security holes and other vulnerabilities. Assess your current safeguards and determine what, if
any, loopholes or weaknesses exist that may be exploited to gain access to your sensitive data.

4. Appraise the level of risk associated with each vulnerability. Rank your vulnerabilities using factors
such as the likelihood of an attack happening, the extent of damage that you would suffer, and the amount of
work and time you would need to recover. The more likely and damaging an attack is, the more you should
prioritize mitigating the associated risk.

5. Get countermeasures in place. The last step of operational security is to create and implement a plan to
eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding
sensitive data, or training employees on sound security practices and company policies. Countermeasures should
be straightforward and simple. Employees should be able to implement the measures required on their part with
or without additional training.

BEST PRACTICES FOR OPERATIONAL SECURITY


Follow these best practices to implement a robust, comprehensive operational security program:

• Implement precise change management processes that your employees should follow
when network changes are performed. All changes should be logged and controlled so they
can be monitored and audited.
• Restrict access to network devices using AAA authentication. In the military and other
government entities, a “need-to-know” basis is often used as a rule of thumb regarding
access to and sharing of information.
• Give your employees the minimum access necessary to perform their jobs. Practice
the principle of least privilege.
• Implement dual control. Make sure that those who work on your network are not the
same people in charge of security.
• Automate tasks to reduce the need for human intervention. Humans are the weakest
link in any organization’s operational security initiatives because they make mistakes,
overlook details, forget things, and bypass processes.
• Incident response and disaster recovery planning are always crucial components of a
sound security posture. Even when operational security measures are robust, you must have a
plan to identify risks, respond to them, and mitigate potential damages.

Risk management involves being able to identify threats and vulnerabilities before they become
problems. Operational security forces managers to dive deeply into their operations and figure out
where their information can be easily breached. Looking at operations from a malicious third
party’s perspective allows managers to spot vulnerabilities they may have otherwise missed so that they can
implement the proper countermeasures to protect sensitive data.

Ports and their security


Ports are another essential asset through which security can be breached. In computer science, ports are of two
types: physical ports (a physical docking point where other devices are connected) and logical ports (a
software-defined endpoint through which data flows over the internet). The security concerns, and their
consequences, lie with logical ports. So, in this chapter, you will learn about the different measures that you need
to take to protect your system through the use of ports.

Table of Contents

1. Understanding Logical Ports

2. Security of Logical Ports

3. Risky Ports and Their Attacks

Understanding Logical Ports

In computer science, each logical connection is assigned a specific number. It ranges from 0 to 65536 in the case of
UDP ports and 0 to 65535 in the case of TCP ports. These numbers are the end-points of logical connections and
determine which service handles the traffic in TCP/IP or UDP. The port number also identifies to which port the
traffic must be delivered. For example, when a client-server web exchange is carried over TCP/IP, it uses TCP
port 80 (or 443, the TCP port for HTTPS). The official port numbers are listed and assigned by the Internet
Assigned Numbers Authority (IANA), which divides the ports into three sub-categories:

• Well-Known Ports (0 - 1,023)
• Registered Ports (1,024 - 49,151)
• Dynamic / Private Ports (49,152 - 65,535)

Security of Logical Ports

Every open logical port exposes a system to some threat, but some commonly used ports receive a lot of
attention from cybercriminals. Cybercriminals use vulnerability scanners and port scanning techniques to
identify open ports on a system or server. From these open ports they can then identify what kind of
services (HTTP, SMTP, FTP, DNS, SSH, Telnet or VNC) are running and the kind of system being used by the
target victim. Here is a list of the logical ports that are common targets of cybercriminals.

• 15 Netstat
• 20/21 FTP
• 22 SSH
• 23 Telnet
• 25 SMTP
• 50/51 IPSec
• 53 DNS
• 67/68 BOOTP
• 69 TFTP
• 79/49 TACACS+
• 80 HTTP
• 88 Kerberos
• 110 POP3
• 111 Port Map
• 119 NNTP
• 123 NTP
• 137-139 NetBIOS
• 143 IMAP
• 161 SNMP
• 389 LDAP
• 443 SSL
• 445 SMB
• 500 IPSec/ISAKMP
• 520 RIP
• 546/547 DHCP
• 636 SLDAP
• 1512 WINS
• 1701 L2TP
• 1720 H.323
• 1723 PPTP
• 1812/13 RADIUS
• 3389 RDP
• 5004/5005 RTP
• 5060/5061 SIP

Risky Ports and Their Attacks

Here are some of the critical ports that are prone to cyber attacks.

TCP port 21 is used to connect to an FTP server. FTP services have historically carried a bunch of
vulnerabilities, such as anonymous authentication and directory traversal, and have served as a vector for
cross-site scripting (XSS) attacks.

Port 23 (the Telnet port) is fundamentally unsafe because the data is sent unmasked and remains in
plain text. Attackers can listen in on, or scrounge for, sensitive data and can also inject commands (in the form
of a man-in-the-middle (MITM) attack).

DNS port 53 acts as an exit route for cybercriminals. Since DNS traffic is rarely monitored and filtered,
once a cybercriminal has gathered all the information required, they can use this port to get the data out and
leave after clearing their logs and tracks.

Port 80 (HTTP), which receives browser traffic, is prone to SQL injection, cross-site scripting (XSS),
cross-site request forgery (CSRF), and buffer overruns.

So, as a security professional, it is essential to detect (by scanning for all open ports) and close all those ports
which are not in use by the server or system, to prevent a security breach. A properly configured and updated
firewall also helps, by inspecting the data packets your system sends and receives over the network, and the
logical port blocking technique will block those ports that are not in use by that particular system.
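The detect-and-close step above is easiest to operationalize as a repeatable audit rather than a one-off scan. The following Python script is an added example (not part of the original course notes): it parses listening sockets in the shape of Linux `ss -tlnp` output, classifies each port into the IANA ranges listed earlier, and flags any listener that is not in an approved baseline for the host or is owned by an unexpected process. The sample `ss` output, the approved baseline and the process names are all constructed for illustration.

```python
import re

# IANA ranges as listed in the text above.
def port_category(port: int) -> str:
    """Classify a port number into its IANA range."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


# Constructed sample in the shape of `ss -tlnp` output on a Linux host (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=7))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=455,fd=3))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=990,fd=13))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1330,fd=3))
"""

# Hypothetical approved baseline for this host: port -> process expected to own it.
APPROVED_BASELINE = {22: "sshd", 80: "nginx", 443: "nginx", 25: "master"}

_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> list[dict]:
    """Extract address, port and owning process from every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            listeners.append({
                "addr": m["addr"],
                "port": int(m["port"]),
                "proc": m["proc"],
                # anything not bound to loopback is reachable from the network
                "exposed": not m["addr"].startswith("127."),
            })
    return listeners


def audit_ports(ss_output: str, approved: dict[int, str]) -> list[dict]:
    """One finding per listener that is outside the baseline or owned by an
    unexpected process; each finding carries the IANA category of the port."""
    findings = []
    for lst in parse_listeners(ss_output):
        if lst["port"] not in approved:
            reason = "not in approved baseline: stop the service or block the port"
        elif approved[lst["port"]] != lst["proc"]:
            reason = f"unexpected process (expected {approved[lst['port']]})"
        else:
            continue
        findings.append({**lst, "category": port_category(lst["port"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_ports(SAMPLE_SS_OUTPUT, APPROVED_BASELINE):
        print(f"port {f['port']:>5} ({f['category']}) {f['proc']:<8} "
              f"exposed={f['exposed']} -> {f['reason']}")
```

On the constructed sample the audit reports Telnet (23) and FTP (21), both listed as risky ports above and both bound to all interfaces, while the approved SSH, HTTP, HTTPS and loopback-only SMTP listeners pass. Run against real `ss -tlnp` output, the same comparison against a per-host baseline is what turns "close unused ports" into a check that can be scheduled.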

Network protocols and their security

Network security is one of the essential branches of cybersecurity, and protocols play a vital role in securing the
network. As the internet continues to evolve at a fast pace, computer networks grow with it, and so does
cybercrime on those networks. So, it is essential to know the protocols that govern the data flow in a network.
In this chapter, you will learn about the most prominent network security protocols and their uses.

Table of Contents

1. What Are Network Security Protocols?

2. Some Network Security Protocols

What Are Network Security Protocols?

There are various categories of protocols, such as routing protocols, mail transfer protocols, remote
communication protocols, and many more. Network security protocols are one such category; they make sure
that the security and integrity of the data are preserved over a network. Various methodologies, techniques, and
processes are involved in these protocols to secure the network data from any illegitimate attempt to review
or extract the actual content of the data.

Some Network Security Protocols


Here is a list of some popular network security protocols that you must know in order to implement them as and
when required:

1. IPSec is a protocol suite standardized by the Internet Engineering Task Force (IETF) IPSec working group,
which offers authentication of data, integrity, and privacy between two entities. Manual or dynamic management
of cryptographic keys and their associations is done with the help of an IETF key management protocol named
Internet Key Exchange (IKE).
2. SSL, i.e., Secure Sockets Layer, is a standard security mechanism used for maintaining a secure internet
connection by safeguarding sensitive data sent and received between two systems; it also helps prevent
cybercriminals from reading or modifying personal data, packets or details on the network.
3. Secure Shell (SSH) was invented in 1995 and is a cryptographic network security protocol used for
securing data communication over a network. It permits remote command-line login as well as the remote
execution of specific tasks. File-transfer functionality similar to FTP is also incorporated in SSH. SSH-1 and
SSH-2 are its protocol versions.
4. Hyper Text Transfer Protocol Secure (HTTPS) is a secured protocol used to protect data communication
between two or more systems. It sets up an encrypted link with the help of Secure Sockets Layer (SSL), now
known as Transport Layer Security (TLS). Since data transferred using HTTPS is encrypted, it stops
cybercriminals from reading or altering the data in transit between the browser and the web server. Even if
cybercriminals capture the data packets, they will not be able to read them because of the strong encryption
applied to the packets.
5. Kerberos is another network authentication protocol, intended to provide strong authentication
between client-server applications with the help of secret-key cryptography. Kerberos is designed on the
assumption that its clients and services communicate over an insecure network, which is what makes it robust
and accountable.

As a security professional, it is essential to know these protocols and where they are used. There are scenarios
where HTTPS becomes HTTP (known as an HTTP downgrade attack). If your company page opens without
HTTPS or SSL, you can infer that either the link was opened from a spam or illicit mail, someone is attempting a
phishing attack, or someone is trying to compromise the internal network through an HTTP downgrade attack.
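An added Python example, not from the original notes, showing both sides of the HTTPS point above: a client TLS context with verification switched off (the setting that defeats the protection described for HTTPS) beside a hardened one built on the standard library's `ssl.create_default_context()`, and a small check that flags any plain-`http` hop in a browser redirect chain, which is the "page opened without HTTPS" signal the paragraph describes. The redirect chains are constructed; `example.com` is a reserved documentation domain.

```python
import ssl
from urllib.parse import urlsplit


def weak_client_context() -> ssl.SSLContext:
    """The setting that 'makes the certificate error go away': no certificate and
    no hostname verification, so an interposed server is accepted (do not ship this)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the system CA store, require the
    certificate to match the hostname, and refuse TLS versions below 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the settings that matter, for reports and tests."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def downgraded_hops(redirect_chain: list[str]) -> list[int]:
    """Indexes of hops (first request plus each redirect) served over plain http."""
    return [i for i, url in enumerate(redirect_chain)
            if urlsplit(url).scheme.lower() != "https"]


def page_is_trustworthy(redirect_chain: list[str]) -> bool:
    """A company page is expected to be HTTPS end to end; any http hop is the
    signal described above (link from a phishing mail, or a downgrade)."""
    return not downgraded_hops(redirect_chain)


if __name__ == "__main__":
    print("weak    :", context_summary(weak_client_context()))
    print("hardened:", context_summary(hardened_client_context()))
    # constructed redirect chain: the login page silently drops to http
    chain = ["https://example.com/login", "http://example.com/login"]
    print("downgraded hops:", downgraded_hops(chain), "trustworthy:", page_is_trustworthy(chain))
```

The weak context is what a hurried developer writes to silence a certificate error; it still encrypts, but it no longer proves who is on the other end, which is exactly the guarantee HTTPS is supposed to add. The hardened context keeps hostname and chain verification and pins the floor at TLS 1.2.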

https://campus.barracuda.com/product/nextgenfirewallf/doc/53248523/how-to-configure-port-protocol-protection/

Protection technologies:

3 advanced prevention technologies expected to grow in 2018


New technologies will help organizations decrease the attack surface and
simplify security operations.

Now, we’ve had technologies for blocking cyber attacks and malware for decades (i.e.
antivirus software, firewalls, IPS, etc.), so what exactly is advanced prevention?

Advanced prevention sits at the intersection of two other cybersecurity trends:


1. Software-defined security functionality. Software-defined everything makes it easier to
deploy, configure, and scale security controls.
2. Artificial intelligence. AI uses algorithms to comb through mountains of data to increase
detection/blocking efficacy, provide granular risk scoring, and fine-tune decision making.

In the past, many security controls were based upon rules/heuristics and often required
ample time for deployment, configuration, customization, etc. When the two advanced
prevention trends come together, they produce security controls that are easier to deploy,
easier to operate, and offer more accurate detection/blocking rates. Thus, organizations can
deploy advanced prevention controls, decrease the attack surface, reduce security noise,
and focus precious human resources on high-value tasks.

Five advanced prevention technologies:


1. Next-generation endpoint security software,
2. threat intelligence gateways,
3. secure DNS,
4. micro-segmentation, and
5. intelligent application controls.

Here are a few more for consideration:

1. Software-defined perimeter (SDP) technologies. No one has an SDP budget right now,
but everyone has an SDP requirement. This is because SDP is built specifically for cloud
and mobility. What SDP really does is modernize the concept of a VPN by setting up a
secure tunnel between users/devices and applications regardless of their location. Users get
the convenience of direct connection to applications and services, while CISOs (chief
information security officers) gain the security benefits of “zero-trust” networking. In this way,
SDP qualifies as advanced prevention because it enforces RBAC (role-based access
control) rules, limiting approved users’ purview of the network at large.

There are many SDP providers, including Cyxtera (formerly Cryptzone), Google (BeyondCorp),
Vidder, ScaleFT, and Zscaler.

2. Risk-based intelligent vulnerability management. Despite years of innovation and VC
investment, vulnerability management remains one of the biggest operational challenges
for most organizations. Why? It’s a numbers game: large enterprises have thousands of
systems with different software revisions and configurations deployed across global
networks. How do you prioritize patching activities when CVE (Common Vulnerabilities and
Exposures) scores and vulnerability scanning tools report thousands of high-priority
incidents requiring immediate remediation?

Fast forward to 2018, and risk-based intelligent vulnerability management tools can
consume terabytes of configuration data, asset data, vulnerability data, and threat
intelligence to create a fine-grained analysis of which systems really need immediate
patching. Risk-based intelligent vulnerability management qualifies as advanced
prevention because it can be used to decrease the attack surface while streamlining
operations.
3. Smart phone-based multi-factor authentication (MFA): While 28 percent of
organizations already use smart phone-based MFA, 55 percent are either piloting,
evaluating, or planning to use this technology in the future. Smart phone-based MFA will
complement the software-defined technology described above to further decrease the
attack surface. Vendors such as CA, Duo, Okta, RSA, SafeNet, and Symantec will play
here.
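The risk appraisal step of OPSEC (rank by likelihood, damage and recovery effort) and the risk-based vulnerability management described in item 2 above are the same calculation applied at different scales. The Python below is an added example, not from the original notes or any vendor product: it scores each finding from its CVSS base score, whether the asset is internet-exposed, whether threat intelligence reports active exploitation, the asset's business criticality and the estimated recovery time, and sorts by the result instead of by raw CVSS. The weights, the findings and the vulnerability identifiers are constructed placeholders, not real scan data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder identifiers, not real CVE numbers
    cvss: float             # CVSS base score, 0.0 - 10.0
    internet_exposed: bool  # asset reachable from the internet
    exploit_known: bool     # threat intelligence reports active exploitation
    asset_criticality: int  # 1 (lab box) .. 5 (crown-jewel system)
    recovery_days: float    # estimated time to recover if the asset is compromised


def likelihood(f: Finding) -> float:
    """Chance of a successful attack: technical severity, scaled down when the
    asset is not reachable from outside and up when exploitation is observed."""
    score = f.cvss / 10.0
    score *= 1.0 if f.internet_exposed else 0.5
    score *= 1.5 if f.exploit_known else 1.0
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """Damage if it happens: how critical the asset is plus how long recovery
    takes (recovery effort capped at 30 days so it cannot dominate)."""
    criticality = f.asset_criticality / 5.0
    recovery = min(f.recovery_days, 30.0) / 30.0
    return 0.7 * criticality + 0.3 * recovery


def risk_score(f: Finding) -> float:
    """0-100 score: likelihood x impact, as the OPSEC appraisal step describes."""
    return round(100.0 * likelihood(f) * impact(f), 1)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; this is the patching order, not the raw CVSS order."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (placeholder ids and hosts, not real scan data).
SAMPLE_FINDINGS = [
    Finding("customer-db-01", "VULN-PLACEHOLDER-1", 9.8, True, True, 5, 10),
    Finding("lab-vm-07", "VULN-PLACEHOLDER-2", 9.8, False, False, 1, 1),
    Finding("web-frontend-03", "VULN-PLACEHOLDER-3", 6.5, True, True, 4, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.asset:<16} {f.vuln_id}  cvss={f.cvss}")
```

The point the sample makes is that two findings with the identical 9.8 CVSS score land at opposite ends of the queue once exposure, exploitation and asset value are folded in, and a 6.5 on an exposed, actively exploited web front end outranks the critical-severity lab box. Real tools use far richer inputs, but the shape of the calculation is the same.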

What is IAM? Identity and access management explained


IAM products provide IT managers with tools and technologies for controlling
user access to critical information within an organization.

What IAM terms should I know?


Buzzwords come and go, but a few key terms in the identity management space are worth
knowing:

• Access management: Access management refers to the processes and technologies used to control
and monitor network access. Access management features, such as authentication, authorization,
trust and security auditing, are part and parcel of the top ID management systems for both on-
premises and cloud-based systems.

• Active Directory (AD): Microsoft developed AD as a user-identity directory service for Windows
domain networks. Though proprietary, AD is included in the Windows Server operating system
and is thus widely deployed.

• Biometric authentication: A security process for authenticating users that relies upon the user’s
unique characteristics. Biometric authentication technologies include fingerprint sensors, iris and
retina scanning, and facial recognition.

• Context-aware network access control: Context-aware network access control is a policy-based
method of granting access to network resources according to the current context of the user
seeking access. For example, a user attempting to authenticate from an IP address that hasn’t been
whitelisted would be blocked.

• Credential: An identifier employed by the user to gain access to a network, such as the user’s
password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris
scan).

• De-provisioning: The process of removing an identity from an ID repository and terminating
access privileges.

• Digital identity: The ID itself, including the description of the user and his/her/its access
privileges. (“Its” because an endpoint, such as a laptop or smartphone, can have its own digital
identity.)

• Entitlement: The set of attributes that specify the access rights and privileges of an authenticated
security principal.

• Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management
functionality to an organization’s systems that reside on-premises and/or in the cloud.

• Identity lifecycle management: Similar to access lifecycle management, the term refers to the
entire set of processes and technologies for maintaining and updating digital identities. Identity
lifecycle management includes identity synchronization, provisioning, de-provisioning, and the
ongoing management of user attributes, credentials and entitlements.

• Identity synchronization: The process of ensuring that multiple identity stores (say, the result of
an acquisition) contain consistent data for a given digital ID.

• Lightweight Directory Access Protocol (LDAP): LDAP is an open-standards-based protocol for
managing and accessing a distributed directory service, such as Microsoft’s AD.

• Multi-factor authentication (MFA): MFA is when more than just a single factor, such as a user
name and password, is required for authentication to a network or system. At least one additional
step is also required, such as receiving a code sent via SMS to a smartphone, inserting a smart card
or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan.

• Password reset: In this context, it’s a feature of an ID management system that allows users to re-
establish their own passwords, relieving the administrators of the job and cutting support calls.
The reset application is often accessed by the user through a browser. The application asks for a
secret word or a set of questions to verify the user’s identity.

• Privileged account management: This term refers to managing and auditing accounts and data
access based on the privileges of the user. In general terms, because of his or her job or function, a
privileged user has been granted administrative access to systems. A privileged user, for example,
would be able to set up and delete user accounts and roles.

• Provisioning: The process of creating identities, defining their access privileges and adding them
to an ID repository.

• Risk-based authentication (RBA): Risk-based authentication dynamically adjusts authentication
requirements based on the user’s situation at the moment authentication is attempted. For example,
when users attempt to authenticate from a geographic location or IP address not previously
associated with them, those users may face additional authentication requirements.

• Security principal: A digital identity with one or more credentials that can be authenticated and
authorized to interact with the network.

• Single sign-on (SSO): A type of access control for multiple related but separate systems. With a
single username and password, a user can access a system or systems without using different
credentials.

• User behavior analytics (UBA): UBA technologies examine patterns of user behavior and
automatically apply algorithms and analysis to detect important anomalies that may indicate
potential security threats. UBA differs from other security technologies, which focus on tracking
devices or security events. UBA is also sometimes grouped with entity behavior analytics and
known as UEBA.

IAM definition

• Identity and access management (IAM) in enterprise IT is about defining and
managing the roles and access privileges of individual network users and the
circumstances in which users are granted (or denied) those privileges.

• Those users might be customers (customer identity management) or employees
(employee identity management).

• The core objective of IAM systems is one digital identity per individual. Once that
digital identity has been established, it must be maintained, modified and
monitored throughout each user’s “access lifecycle.”

• Thus, the overarching goal of identity management is to “grant access to the right
enterprise assets to the right users in the right context, from a user’s system onboarding
to permission authorizations to the offboarding of that user as needed in a timely
fashion.”

• IAM systems provide administrators with the tools and technologies to change a user’s
role, track user activities, create reports on those activities, and enforce policies on an
ongoing basis. These systems are designed to provide a means of administering user
access across an entire enterprise and to ensure compliance with corporate policies and
government regulations.

IAM tools
Identity and access management technologies include (but aren’t limited to) password-
management tools, provisioning software, security-policy enforcement applications,
reporting and monitoring apps, and identity repositories.

Six IAM technologies with low maturity, but high current business value:

1. API security enables IAM for use with B2B commerce, integration with the cloud,
and microservices-based IAM architectures. Forrester sees API security solutions
being used for single sign-on (SSO) between mobile applications or user-managed
access. This would allow security teams to manage IoT device authorization and
personally identifiable data.
2. Customer identity and access management (CIAM) allows "comprehensive
management and authentication of users; self-service and profile management; and
integration with CRM, ERP, and other customer management systems and
databases," according to the report.
3. Identity analytics (IA) will allow security teams to detect and stop risky identity
behaviors using rules, machine learning, and other statistical algorithms.
4. Identity as a service (IDaaS) includes "software-as-a-service (SaaS) solutions that
offer SSO from a portal to web applications and native mobile applications as well
as some level of user account provisioning and access request management."
5. Identity management and governance (IMG) provides automated and repeatable
ways to govern the identity life cycle. This is important when it comes to
compliance with identity and privacy regulations.
6. Risk-based authentication (RBA) solutions "take in the context of a user session
and authentication and form a risk score. The firm can then prompt high-risk users
for 2FA and allow low-risk users to authenticate with single factor (e.g., username
plus password) credentials".
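Item 6 above, and the RBA glossary entry earlier, describe a risk score built from the context of a login attempt that decides whether a password alone is enough. The Python below is an added example of that decision, not code from the original notes or from any IAM product: it compares an attempt against what the system has previously seen for the user (known addresses, countries, devices, usual hours, recent failures), adds up a score, and maps it to single-factor, MFA-required, or block. The profile, the attempts and the thresholds are constructed; the addresses come from the reserved documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    country: str
    device_id: str
    hour_utc: int                  # 0-23
    failed_attempts_last_hour: int


@dataclass
class UserProfile:
    """What the IAM system has previously observed for this user."""
    known_ips: set[str]
    known_countries: set[str]
    known_devices: set[str]
    usual_hours: range             # e.g. range(7, 20) for a day-shift worker


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> int:
    """Additive score 0-100; each signal is a deviation from what was previously
    associated with the user (the 'context of a user session' in the text)."""
    score = 0
    if attempt.source_ip not in profile.known_ips:
        score += 20
    if attempt.country not in profile.known_countries:
        score += 30
    if attempt.device_id not in profile.known_devices:
        score += 25
    if attempt.hour_utc not in profile.usual_hours:
        score += 10
    score += 10 * min(attempt.failed_attempts_last_hour, 5)   # brute-force pressure
    return min(score, 100)


def decide(score: int) -> str:
    """Map the score to an action: single factor for low risk, a second factor
    for elevated risk, block when the context looks hostile."""
    if score < 30:
        return "allow_single_factor"
    if score < 70:
        return "require_mfa"
    return "block"


def evaluate(attempt: LoginAttempt, profile: UserProfile) -> tuple[int, str]:
    score = risk_score(attempt, profile)
    return score, decide(score)


# Constructed profile and attempts (documentation-range addresses, not real data).
ALICE = UserProfile(
    known_ips={"203.0.113.10"},
    known_countries={"IN"},
    known_devices={"laptop-4f1a"},
    usual_hours=range(7, 20),
)
FAMILIAR = LoginAttempt("alice", "203.0.113.10", "IN", "laptop-4f1a", 10, 0)
NEW_IP_LATE = LoginAttempt("alice", "198.51.100.7", "IN", "laptop-4f1a", 23, 0)
HOSTILE = LoginAttempt("alice", "192.0.2.99", "XX", "unknown-device", 3, 5)

if __name__ == "__main__":
    for a in (FAMILIAR, NEW_IP_LATE, HOSTILE):
        print(a.source_ip, *evaluate(a, ALICE))
```

The thresholds are the policy knobs: a new address late in the evening is enough to ask for a second factor, while an unknown device from an unknown country after repeated failures is refused outright rather than being handed an MFA prompt to try against.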

Why do I need IAM?


Identity and access management is a critical part of any enterprise security plan, as it is
inextricably linked to the security and productivity of organizations in today’s digitally
enabled economy.
Compromised user credentials often serve as an entry point into an organization’s network
and its information assets. Enterprises use identity management to safeguard their
information assets against the rising threats of ransomware, criminal hacking, phishing and
other malware attacks.

What IAM means for compliance management


The General Data Protection Regulation (GDPR) is a more recent regulation that
requires strong security and user access controls. GDPR mandates that organizations
safeguard the personal data and privacy of European Union citizens.

What are the benefits of IAM systems?


Implementing identity and access management and associated best practices can give you
a significant competitive advantage in several ways. Nowadays, most businesses need to
give users outside the organization access to internal systems. Opening your network to
customers, partners, suppliers, contractors and, of course, employees can increase
efficiency and lower operating costs.

How IAM works


In years past, a typical identity management system comprised four basic elements:

1. A directory of the personal data the system uses to define individual users (think of it as an
identity repository);
2. A set of tools for adding, modifying and deleting that data (related to access lifecycle
management);
3. A system that regulates user access (enforcement of security policies and access
privileges);
4. An auditing and reporting system (to verify what’s happening on your system).

Regulating user access has traditionally involved a number of authentication methods for
verifying the identity of a user, including passwords, digital certificates, tokens and smart
cards.

Are IAM platforms based on open standards?


Authorization messages between trusted partners are often sent using Security Assertion
Markup Language (SAML). This open specification defines an XML framework for
exchanging security assertions among security authorities. SAML achieves interoperability
across different vendor platforms that provide authentication and authorization services.
SAML isn’t the only open-standard identity protocol, however. Others include OpenID,
WS-Trust (short for Web Services Trust) and WS-Federation (which have corporate
backing from Microsoft and IBM), and OAuth (pronounced “Oh-Auth”), which lets a
user’s account information be used by third-party services such as Facebook without
exposing the password.

What are the challenges or risks of implementing IAM?


“The biggest challenge is that old practices that were put in place to secure legacy systems
simply don’t work with newer technologies and practices,” Shaw adds, “so often people have
to reinvent the wheel and create duplicate workloads and redundant tasks. If the legacy
practice was done poorly, trying to reinvent it on a newer paradigm will go poorly as well.”
https://www.csoonline.com/article/2120384/what-is-iam-identity-and-access-management-explained.html

https://www.edureka.co/blog/introduction-to-identity-and-access-managementiam/

Identity — the element or combination of elements used to uniquely describe a person or
machine. It can be what you know, such as a password or a personal identification (ID)
number.

Access — the information representing the rights that the identity was granted.

Entitlements — the collection of access rights to perform transactional functions.

Note: The term entitlements is used occasionally and synonymously with access rights.

Provisioning — Provisioning refers to an identity’s creation, change, termination, validation,
approval, propagation, and communication.

Identity management — Identity management should be a part of ongoing companywide
activities. It includes the establishment of an IAM strategy; administration of IAM policy
statement changes; establishment of identity and password parameters; management of
manual or automated IAM systems and processes; and periodic monitoring, auditing,
reconciliation, and reporting of IAM systems.

Enforcement — Enforcement includes the authentication, authorization, and logging of
identities as they are used within the organization’s IT systems. The enforcement of access
rights primarily occurs through automated processes or mechanisms.
Figure 2. Diagram of an automated provisioning process logical flow

https://www.isaca.org/Journal/archives/2013/Volume-5/Pages/Solving-the--Identity-and-Access-Management-Conundrum.aspx?utm_referrer=

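The definitions above (identity, entitlements, provisioning, enforcement as authentication plus authorization plus logging) fit together as one lifecycle, and the Python below is an added example of that lifecycle in miniature, not code from the original notes or from the ISACA article: a small identity store that provisions identities with salted PBKDF2 password hashes, derives entitlements from roles, enforces access decisions, de-provisions, and writes an audit record for every event. The roles, permission names and users are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> entitlement mapping (the RBAC / entitlement idea from the text).
ROLE_ENTITLEMENTS = {
    "analyst": {"ticket:read"},
    "engineer": {"ticket:read", "ticket:write"},
    "admin": {"ticket:read", "ticket:write", "user:manage"},
}


@dataclass
class Identity:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set[str]
    active: bool = True


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked repository does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class IdentityStore:
    """Identity repository plus the enforcement and logging pieces the text lists."""
    identities: dict[str, Identity] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def _log(self, event: str, username: str, **details) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": username, **details})

    # --- identity lifecycle: provision, change, terminate -------------------
    def provision(self, username: str, password: str, roles: set[str]) -> None:
        unknown = set(roles) - set(ROLE_ENTITLEMENTS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = os.urandom(16)
        self.identities[username] = Identity(username, salt, _hash_password(password, salt), set(roles))
        self._log("provision", username, roles=sorted(roles))

    def change_roles(self, username: str, roles: set[str]) -> None:
        self.identities[username].roles = set(roles)
        self._log("change_roles", username, roles=sorted(roles))

    def deprovision(self, username: str) -> None:
        ident = self.identities[username]
        ident.active = False      # disabled at once; every entitlement vanishes with it
        ident.roles.clear()
        self._log("deprovision", username)

    # --- enforcement: authentication, authorization, logging ----------------
    def authenticate(self, username: str, password: str) -> bool:
        ident = self.identities.get(username)
        if ident is None or not ident.active:
            self._log("auth_fail", username, reason="unknown_or_inactive")
            return False
        ok = hmac.compare_digest(_hash_password(password, ident.salt), ident.pw_hash)
        self._log("auth_ok" if ok else "auth_fail", username)
        return ok

    def entitlements(self, username: str) -> set[str]:
        ident = self.identities.get(username)
        if ident is None or not ident.active:
            return set()
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in ident.roles))

    def authorize(self, username: str, permission: str) -> bool:
        granted = permission in self.entitlements(username)
        self._log("authz", username, permission=permission, granted=granted)
        return granted


if __name__ == "__main__":
    store = IdentityStore()
    store.provision("alice", "correct horse battery staple", {"analyst"})
    print("login:", store.authenticate("alice", "correct horse battery staple"))
    print("write:", store.authorize("alice", "ticket:write"))
    store.deprovision("alice")
    print("login after offboarding:", store.authenticate("alice", "correct horse battery staple"))
    for entry in store.audit_log:
        print(entry["event"], entry["user"], {k: v for k, v in entry.items() if k not in ("ts", "event", "user")})
```

Two design points worth noting: de-provisioning flips `active` and clears roles rather than deleting the record, so the audit trail keeps the history of who had what; and authorization is always derived from roles at decision time, so a role change takes effect on the next request without any per-user permission edits.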
Configuration management: Configuration management is all about bringing consistency to
the infrastructure. This is done by ensuring that the current system design, state and
environment are known, trusted and agreed upon by everyone.

Configuration management helps record all the changes made to the system.

As a broader subject, configuration management (CM) refers to the process of systematically
handling changes to a system in a way that maintains its integrity over time.

Security configuration management(SCM):

Network security begins with asset discovery. This foundational control advises
organizations to develop an inventory of all authorized and unauthorized devices and
software. Using that information, IT security personnel can track and correct all authorized
devices and software. They can also deny access to unauthorized and unmanaged products, as
well as prevent unapproved software from installing or executing on network devices. Once
enterprises have discovered all their assets, they can move on to security configuration
management (SCM).

SCM and Foundational Controls

IT security and IT operations meet at SCM because this foundational control blends together
key practices, such as vulnerability assessment, automated remediation and configuration
assessment. Organizations can, therefore, leverage a software-based SCM solution to reduce
their attack surfaces by proactively and continuously monitoring and hardening the security
configurations of their environment’s operating systems, applications and network devices.

SCM and Compliance

Compliance auditors can also use security configuration management to monitor an
organization’s compliance with mandated policies. These standards range from the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) for organizations that collect
medical information to the Payment Card Industry Data Security Standard (PCI DSS) for just
about anyone who handles branded credit cards.

Security configuration management consists of four steps.

The first step is asset discovery.

Next, organizations should define acceptable secure configurations as baselines for each
managed device type. They can do so using guidance published by the Center for Internet
Security (CIS) or the National Institute of Standards and Technology (NIST).

From there, they assess their managed devices according to a predefined frequency policy.

Finally, they should make sure someone fixes the problem or grants it an exception.
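Steps two to four above (define a baseline, assess managed devices against it, then fix or formally except each deviation) are what an SCM tool runs on a schedule. The Python below is an added example of that assessment for one device type, not code from the original notes or from any SCM product: it parses an `sshd_config` as collected from a host, compares it with a baseline, marks each item pass, fail or missing, and lets an approved exception (with its change reference) downgrade a deviation to "excepted" so it does not reappear as a false positive. The baseline values, the sample configuration and the exception ticket are constructed for illustration.

```python
import re

# Hypothetical sshd_config baseline in the spirit of CIS/NIST hardening guidance
# (illustrative values, not quoted from any benchmark).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "PermitEmptyPasswords": "no",
}

# Constructed sshd_config as collected from a managed host (not a real file).
SAMPLE_SSHD_CONFIG = """\
# sshd_config pulled from hypothetical host web-01
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
permitemptypasswords no
# X11Forwarding is absent, so the sshd default applies rather than the baseline value
"""

# Approved exceptions: baseline item -> change/ticket reference (placeholder id).
EXCEPTIONS = {
    "PasswordAuthentication": "CHG-PLACEHOLDER-42 (legacy jump host, expires at next review)",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """sshd keywords are case-insensitive and the first occurrence wins, so keys
    are lower-cased and later duplicates are ignored. Comments are stripped."""
    observed: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        observed.setdefault(key, value)
    return observed


def assess(observed: dict[str, str], baseline: dict[str, str],
           exceptions: dict[str, str]) -> list[dict]:
    """One result per baseline item: pass / fail / missing, or 'excepted' when an
    approved exception covers a deviation (this is what keeps known, accepted
    deviations out of the operational loop)."""
    results = []
    for key, expected in baseline.items():
        actual = observed.get(key.lower())
        if actual is None:
            status = "missing"
        elif actual.lower() == expected.lower():
            status = "pass"
        else:
            status = "fail"
        if status != "pass" and key in exceptions:
            status = "excepted"
        results.append({"key": key, "expected": expected, "observed": actual,
                        "status": status, "exception": exceptions.get(key)})
    return results


def needs_ticket(results: list[dict]) -> list[str]:
    """Items that must be fixed or formally excepted before the next assessment."""
    return [r["key"] for r in results if r["status"] in ("fail", "missing")]


if __name__ == "__main__":
    report = assess(parse_sshd_config(SAMPLE_SSHD_CONFIG), SSHD_BASELINE, EXCEPTIONS)
    for r in report:
        print(f"{r['status']:<9} {r['key']:<24} expected={r['expected']!r} observed={r['observed']!r}")
    print("open items:", needs_ticket(report))
```

A directive that is absent is reported as "missing" rather than silently passing, because the daemon's default then decides the behaviour instead of the baseline; whether the default happens to be acceptable is a decision for the person closing the ticket, not for the scanner.
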

Strategic SCM

Many SCM solutions come with additional features that organizations can use to better
protect their networks. Here are a few of which enterprises should be aware:

• OS and Application Support: If they intend to get the most out of security
configuration management, companies must make sure their solution provides support
for every operating system and application they use in their environment.
• Policy Flexibility: The best types of SCM solutions offer numerous policies and
configurations, thereby allowing organizations to adjust the tool to their own
requirements. Along the same lines, companies should also have the option of
customizing preset policies, defining new policies, and adding new baseline
configurations and/or benchmarks.
• Scalability: Organizations should make sure they can customize the frequency,
impact, and scope of their security configuration management solution’s scanning
protocols. That flexibility should include the ability to strategically distribute scanners
around the network so as not to needlessly tax endpoints. It should also come with the
ability to manage remote devices, such as by issuing alerts when one such device
requires assessment because it has not connected to the network in some time.
• Closure of the Operational Loop: Companies can choose to act manually on their
SCM solution’s findings by reporting configuration issues to the help desk. Even so, it’s
advantageous for a company if their solution automatically reports those issues and in
so doing closes the operational loop. Organizations should also look for functionality
that reduces false positives, such as when someone has granted an authorized
exception.
