The Tower Defense Game In Your Network

Page 1: The Tower Defense Game In Your Network

Tower defense games like Plants vs. Zombies are loads of fun, and can keep you occupied for years. Access Controls can certainly keep you occupied for years as well. What strategies for effective management of access controls can we learn from tower defense games to limit our exposure from the zombies eating away at our network security? C’mon, let’s use our BRAAIIINNNSS…

A. Spencer Wilcox, CISSP, CPP, SSCP  @brasscount
All images are copyright PopCap Games and used under fair use.

Page 2: Tower Defense Games

• Tower Defense games are designed to protect a central core from an external aggressor.
• The victory conditions for these games ultimately rely on keeping the aggressor out through a strategic application of offensive and defensive mechanisms.
  – Examples abound, but we will use one game by PopCap Games throughout to exemplify the point:

Page 3: It all starts with a Defensible Space

• Crime Prevention Through Environmental Design (CPTED)
  – Surveillance
    • Natural Surveillance = the ability to view
    • Trim hedges, shrubs and trees
    • Open sight lines
    • Limit hiding places
  – Territoriality (Claim the Property)
    • Edged Lawns
    • Lawn Borders
    • Flower Beds
    • Maintained Landscaping
    • Pink Flamingos
  – Access Control
    • Single points of entry (limit approaches)
    • Protect windows
    • Fences
    • Low thorny bushes (barberry, holly, acacia)
    • Limit ingress and egress points
    • Shoulder-height fencing
  – Maintenance
    • The Broken Windows Theory
    • Maintaining an attractive nuisance

(ISC)2 e-Symposium 3

Page 4: Physical Security is an Analogue to Cyber

• Territoriality
  – Firewalls
  – Perimeter Defenses
  – Logon Banners
• Surveillance
  – Logging
  – Intrusion Detection
• Access Control
  – Limited Points of Entry (WAN Links)
  – PROTECT WINDOWS…
  – Ports and Services
  – AAA
  – Limit Ingress and Egress Points (Account Management)
• Maintenance
  – Patching
  – Documentation
  – Inventory Management

Cyber may seem more complicated

Page 5: Principles of Access Control: Authorization, Authentication, & Accounting

Authorization
• Principle of Least Privilege
• Default Deny
• Roles
• Segregation of Duties
• Location
• Time of Day

Authentication
• Identification
• Multi-Factor
• Session Control

Accounting
• Non-Repudiation
• Logging
• Privilege Reviews
• Alerting / Alarming

Page 6: Principles of Access Control: Account and Rights Management

Account Management
• Account Creation
• Access Authorization
• Access Removal
  – Delete vs. Disable
• Privileged Accounts
• Shared Accounts
• Generic Accounts
• Default Credentials

Rights Management
• Application Access
• Data Classification
• Single-Sign-On
• LDAP / Active Directory
• Rights Inheritance
• Group Membership

System Access
• Failed Attempt logging
• Granted Access logging
• Password Management
  – Complexity
  – Frequency of Change
  – Account Lockout
• Alternative Access Controls
  – Callback
  – SMS Passcode
  – Port Knocking

Page 7: So, How Do We Defend The House?

Account Hijacking

“In account hijacking, a hacker uses a compromised account to impersonate the account owner. Typically, account hijacking is carried out through phishing, sending spoofed emails to the user, password guessing or a number of other hacking tactics. In many cases, an email account is linked to a user’s various online services, such as social networks and financial accounts. The hacker can use the account to retrieve the person's personal information, perform financial transactions, create new accounts, and ask the account owner's contacts for money or help with an illegitimate activity.” Source: http://www.techopedia.com/definition/24632/account-hijacking

Attacks covered:
• Account Hijacking
• Privilege Escalation
• Brute Force Attacks
• Dictionary Attacks
• Session Hijacking
• Account Lockout DOS

Defenses
• Multi-factor Authentication
• Session Control
• Non-Repudiation
• Logging
• Alerting / Alarming
• Location Awareness
• Time of Day Awareness
• Failed Attempt logging
• Granted Access logging
• Password Management
• Account Lockout
• Alternative Access Controls
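Multi-factor authentication heads the defense list above: a phished or guessed password alone no longer opens the account. The block below is an added example, not material from the talk, showing how the server side of a time-based one-time-password second factor works (RFC 6238 TOTP built on RFC 4226 HOTP), including the two details a correct verifier needs: a small clock-skew window and a replay check so that a code captured once cannot be used a second time inside that window. The shared secret is the RFC 4226 test-vector key, used here as a constructed demo value.

```python
# Added example (not from the slides): verifying a TOTP second factor.
# Implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library only.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Server-side check of the code a user submits after their password.

    `window` is how many time steps of clock skew either side of 'now' to accept.
    The highest step already accepted is remembered, so a code captured by a
    phishing page cannot be replayed while it is still inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_used_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used_step:
                continue  # this step was already consumed: treat as a replay
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_used_step = step
                return True
        return False


# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = SecondFactorVerifier(DEMO_SECRET)
    print(totp(DEMO_SECRET, 59))            # 287082 (RFC 6238 test vector, 6 digits)
    print(verifier.verify("287082", 59))    # True: first use of this step
    print(verifier.verify("287082", 65))    # False: replay of an already-used step
```

The replay check is what turns a one-time password into one that is actually used once: without `last_used_step`, a code lifted from a phishing page stays valid for the whole skew window.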

Page 8: So, How Do We Defend The House?

Privilege Escalation

“Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.” Source: https://en.wikipedia.org/wiki/Privilege_escalation

Defenses
• Multi-factor Authentication
• Session Control
• Non-Repudiation
• Logging
• Alerting / Alarming
• Principle of Least Privilege
• Default Deny
• Roles
• Segregation of Duties
• LDAP / Active Directory
• Rights Inheritance
• Group Membership
• Privileged Accounts
• Shared Accounts
• Generic Accounts
• Default Credentials
• Failed Attempt logging
• Granted Access logging
• Alternative Access Controls
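The authorization principles from Page 5 reappear here as the core defenses against privilege escalation: least privilege, default deny, roles, segregation of duties, plus the location and time-of-day awareness from the same slide. The block below is an added example, not the speaker's code, of a small authorizer that applies all of them together and logs every decision (the accounting leg). Role names, permission strings and network zones are constructed for the example.

```python
# Added example (not from the slides): a default-deny, role-based authorizer with
# segregation-of-duties, location and time-of-day checks, logging every decision.
# Roles, permissions and zone names below are constructed for illustration.
import logging
from dataclasses import dataclass, field
from datetime import time

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("authz")

# Role -> permissions.  Anything not listed here is denied (default deny);
# a role unknown to this table grants nothing at all.
ROLE_PERMISSIONS = {
    "helpdesk":    {"ticket:read", "ticket:update", "user:reset_password"},
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "admin":       {"user:create", "user:disable", "user:read"},
}

# Segregation of duties: one person may never hold both roles of a pair.
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}

# Sensitive permissions are further limited to trusted zones and office hours.
RESTRICTED = {
    "user:create":     ({"corp-lan"},        (time(7, 0), time(19, 0))),
    "user:disable":    ({"corp-lan"},        (time(7, 0), time(19, 0))),
    "invoice:approve": ({"corp-lan", "vpn"}, (time(6, 0), time(22, 0))),
}


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Request:
    permission: str
    location: str   # network zone the request came from
    at: time        # local wall-clock time of the request


def request(permission: str, location: str, hour: int, minute: int = 0) -> Request:
    """Convenience constructor for a Request."""
    return Request(permission, location, time(hour, minute))


def sod_violations(principal: Principal) -> list:
    """Conflicting role pairs the principal holds; also what a privilege review looks for."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= principal.roles]


def authorize(principal: Principal, req: Request) -> bool:
    """Decide one request.  Every path, allowed or denied, is logged (accounting)."""
    decision, reason = "DENY", "default deny"
    try:
        violations = sod_violations(principal)
        if violations:
            reason = f"segregation of duties violated: {violations}"
            return False
        held = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))
        if req.permission not in held:
            reason = "permission not granted by any role"
            return False
        if req.permission in RESTRICTED:
            zones, (start, end) = RESTRICTED[req.permission]
            if req.location not in zones:
                reason = f"zone {req.location} not permitted"
                return False
            if not start <= req.at <= end:
                reason = f"outside permitted hours {start} to {end}"
                return False
        decision, reason = "ALLOW", "granted by role"
        return True
    finally:
        log.info("%s user=%s perm=%s zone=%s at=%s reason=%s",
                 decision, principal.name, req.permission, req.location, req.at, reason)
```

Note that a principal holding a conflicting role pair is denied everything, not just the conflicting actions: the conflict is a provisioning error to be fixed in the directory, and refusing to act on it is what keeps rights inheritance and group membership from quietly granting more than any one role was meant to.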

Page 9: So, How Do We Defend The House?

Brute Force Attacks

“Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.” Source: http://searchsecurity.techtarget.com/definition/brute-force-cracking

Defenses
• Identification
• Multi-factor Authentication
• Session Control
• Logging
• Alerting / Alarming
• Location Awareness
• Time of Day Awareness
• Failed Attempt logging
• Granted Access logging
• Password Management
• Account Lockout
• Alternative Access Controls
• LDAP / Active Directory
• Access Removal
• Shared Accounts
• Generic Accounts

Page 10: So, How Do We Defend The House?

Dictionary Attacks

“A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.” Source: http://searchsecurity.techtarget.com/definition/dictionary-attack

Defenses
• Multi-factor Authentication
• Session Control
• Logging
• Alerting / Alarming
• Location Awareness
• Time of Day Awareness
• Failed Attempt logging
• Granted Access logging
• Password Management
• Account Lockout
• Alternative Access Controls
• LDAP / Active Directory
• Shared Accounts
• Generic Accounts
• Default Credentials

Page 11: So, How Do We Defend The House?

Session Hijacking

“Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.” Source: https://en.wikipedia.org/wiki/Session_hijacking

Defenses
• Session Control
• Non-Repudiation
• Location Awareness
• Account Lockout
• Application Access
• Privileged Accounts
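Session control and location awareness are the two defenses above that act on the stolen session itself. The block below is an added example, not from the talk, of a server-side session store that limits what a captured cookie is worth: tokens come from the OS random source and are stored only as hashes, sessions expire on idle and absolute timeouts, a token presented from a different network location than it was issued to is revoked rather than honoured, the token is rotated whenever privilege is raised, and all of a user's sessions can be killed at once (for example when an account is disabled). Timeouts and sample addresses are constructed values.

```python
# Added example (not from the slides): server-side session control that limits
# what a hijacked cookie is worth.  Limits and addresses are constructed values.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    client: str        # network location the session was issued to
    created: int       # unix time the session was created
    last_seen: int     # unix time of the last accepted request
    privileged: bool = False


class SessionStore:
    IDLE_LIMIT = 15 * 60        # seconds without activity before expiry
    ABSOLUTE_LIMIT = 8 * 3600   # hard cap regardless of activity

    def __init__(self):
        self._sessions = {}     # sha256(token) -> Session; raw tokens are never stored

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, client: str, now: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = Session(user, client, now, now)
        return token

    def resolve(self, token: str, client: str, now: int) -> Optional[Session]:
        """Return the live Session for a token, or None; a bad token is revoked on sight."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        expired = (now - s.created > self.ABSOLUTE_LIMIT
                   or now - s.last_seen > self.IDLE_LIMIT)
        if expired or client != s.client:
            # Timed out, or presented from somewhere other than where it was
            # issued (location awareness): drop it rather than honour it.
            del self._sessions[key]
            return None
        s.last_seen = now
        return s

    def elevate(self, token: str, client: str, now: int) -> Optional[str]:
        """Rotate the token on privilege change so an earlier capture stops working."""
        s = self.resolve(token, client, now)
        if s is None:
            return None
        del self._sessions[self._key(token)]
        s.privileged = True
        fresh = secrets.token_urlsafe(32)
        self._sessions[self._key(fresh)] = s
        return fresh

    def revoke_user(self, user: str) -> int:
        """Kill every session of a user, e.g. on password reset or account disable."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def live_count(self) -> int:
        return len(self._sessions)
```

Revoking on a location mismatch, rather than just refusing the one request, means the legitimate owner is logged out too and has to re-authenticate; that is the intended trade: a session that may have been copied should not stay valid for either party.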

Page 12: So, How Do We Defend The House?

Account Lockout DOS

“In an account lockout attack, an attacker attempts to lock out user accounts by purposely failing the authentication process as many times as needed to trigger the account lockout functionality. This in turn prevents even the valid user from obtaining access to their account... The impact of such an attack is compounded when there is a significant amount of work required to unlock the accounts to allow users to attempt to authenticate again.” Source: https://www.owasp.org/index.php/Account_lockout_attack

Defenses
• Logging
• Alerting / Alarming
• Account Lockout
• LDAP / Active Directory
• Group Membership
• Privileged Accounts
• Shared Accounts
• Generic Accounts
• Default Credentials
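Pages 9, 10 and 12 pull in opposite directions: account lockout is a primary defense against brute-force and dictionary attacks, yet the same lockout is the weapon in an account lockout DOS, and the OWASP text above points at what makes it hurt, the manual work needed to unlock. The block below is an added example, not the speaker's code, of a login guard that reconciles the two: a temporary, self-expiring lockout with escalating duration (so guessing is throttled but the real user gets back in without a helpdesk ticket), a per-source failure limit that stops one source from locking many accounts, failed- and granted-attempt logging, and an alarm when many distinct accounts lock inside a short window, which is the signature of a lockout DOS or a password spray. The credential dictionary, thresholds and addresses are constructed for the example; production code would verify a salted password hash rather than compare strings.

```python
# Added example (not from the slides): a login guard that throttles brute-force and
# dictionary guessing with a temporary escalating lockout and a per-source limit,
# logs every failed and granted attempt, and alarms on a lockout-DoS pattern.
# The credential dict, thresholds and addresses are constructed stand-ins.
import hmac
import logging
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("authn")


class LoginGuard:
    ACCOUNT_FAILS = 5       # consecutive failures before an account is soft-locked
    BASE_LOCK = 60          # first lockout in seconds; doubles per lockout up to MAX_LOCK
    MAX_LOCK = 3600
    SOURCE_FAILS = 20       # failures from one source, against any accounts, before a block
    SOURCE_BLOCK = 900      # seconds a noisy source stays blocked
    LOCKOUT_ALERT = 10      # distinct accounts locked within ALERT_WINDOW raises an alarm
    ALERT_WINDOW = 300

    def __init__(self, credentials: dict, alert):
        self._creds = credentials               # user -> password (constructed stand-in)
        self._alert = alert                     # callable(str): alerting / alarming hook
        self._acct_fail = defaultdict(int)      # consecutive failures per account
        self._acct_lockouts = defaultdict(int)  # lockouts so far; drives the backoff
        self._acct_until = {}                   # user -> unix time the lock expires
        self._src_fail = defaultdict(int)
        self._src_until = {}
        self._recent_locks = deque()            # (time, user) for lockout-DoS detection

    def attempt(self, user: str, password: str, src: str, now: int) -> str:
        if self._src_until.get(src, 0) > now:
            log.warning("DENY user=%s src=%s reason=source_blocked", user, src)
            return "source_blocked"
        if self._acct_until.get(user, 0) > now:
            self._count_source_failure(src, now)
            log.warning("DENY user=%s src=%s reason=account_locked", user, src)
            return "account_locked"
        expected = self._creds.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            self._acct_fail[user] = 0
            log.info("ALLOW user=%s src=%s", user, src)          # granted-access logging
            return "granted"
        self._count_source_failure(src, now)
        self._acct_fail[user] += 1
        log.warning("FAIL user=%s src=%s count=%d", user, src, self._acct_fail[user])
        if self._acct_fail[user] >= self.ACCOUNT_FAILS:           # failed-attempt logging
            self._lock_account(user, now)
            return "account_locked"
        return "denied"

    def _lock_account(self, user: str, now: int) -> None:
        # Temporary and self-expiring: the real user gets back in without a helpdesk
        # ticket, which removes the "work required to unlock" that a lockout DoS relies on.
        duration = min(self.BASE_LOCK * 2 ** self._acct_lockouts[user], self.MAX_LOCK)
        self._acct_lockouts[user] += 1
        self._acct_until[user] = now + duration
        self._acct_fail[user] = 0
        log.warning("LOCK user=%s for=%ds", user, duration)
        self._recent_locks.append((now, user))
        while self._recent_locks and now - self._recent_locks[0][0] > self.ALERT_WINDOW:
            self._recent_locks.popleft()
        distinct = {u for _, u in self._recent_locks}
        if len(distinct) >= self.LOCKOUT_ALERT:
            self._alert(f"{len(distinct)} accounts locked within {self.ALERT_WINDOW}s: "
                        "possible account lockout DoS or password spray")

    def _count_source_failure(self, src: str, now: int) -> None:
        self._src_fail[src] += 1
        if self._src_fail[src] >= self.SOURCE_FAILS:
            self._src_fail[src] = 0
            self._src_until[src] = now + self.SOURCE_BLOCK
            self._alert(f"source {src} blocked after {self.SOURCE_FAILS} failures")
```

With these constructed thresholds a single source can lock at most four accounts before it is blocked, a locked account reopens on its own after a minute (then two, four, and so on for repeat offenders), and a spray spread across many sources still trips the distinct-accounts alarm, which is where the logging and alerting defenses on this slide earn their place.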