Glossary

A

Access Control List. A list of credentials attached to a resource indicating whether or not the credentials have access to the resource. Also referred to as an ACL. ACLs are typically used for authorizing actions in applications.

Active Attack. Any attack that involves actions that are detectable as an attack by the target. A port scan is active because it can be detected by the remote host. Of course it isn't really an attack. An active attack might involve posting data to an endpoint with the hope of achieving XSS or SQL Injection. Logging of regular HTTP request/response activity that is later analyzed for potential vulnerabilities is passive.

3.1. Secret Key Cryptography. Secret key cryptography methods employ a single key for both encryption and decryption. As shown in Figure 1A, the sender uses the key.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as SSL, are cryptographic protocols that provide

Advanced Encryption Standard (AES). A fast general purpose block cipher standardized by NIST (the National Institute of Standards and Technology). The AES selection process was a multi-year competition, where Rijndael was the winning cipher.

Anti-debugger. Referring to technology that detects or thwarts the use of a debugger on a piece of software.

Anti-tampering. Referring to technology that attempts to thwart the reverse engineering and patching of a piece of software in binary format.

Architectural security assessment. See also Threat Model.

ASN.1. Abstract Syntax Notation is a language for representing data objects. It is popular to use this in specifying cryptographic protocols, usually using DER (Distinguished Encoding Rules), which allows the data layout to be unambiguously specified. See also Distinguished Encoding Rules.

Asymmetric cryptography. Cryptography involving public keys, as opposed to cryptography making use of shared secrets. See also Symmetric cryptography.

Audit. In the context of security, a review of a system in order to validate the security of the system. Generally, this either refers to code auditing or reviewing audit logs. See also Audit log, Code auditing.

Audit log. Records that are kept for the purpose of later verifying that the security properties of a system have remained intact.

Authenticate and encrypt. When using a cipher to encrypt and a MAC to provide message integrity, this paradigm specifies that one authenticates the plaintext and encrypts the plaintext, possibly in parallel. This is not secure in the general case. See also Authenticate then encrypt, Encrypt then authenticate.

Authenticate then encrypt. When using a cipher to encrypt and a MAC to provide message integrity, this paradigm specifies that one authenticates the plaintext and then encrypts the plaintext concatenated with the MAC tag. This is not secure in the general case, but usually works well in practice. See also Authenticate and encrypt, Encrypt then authenticate.

Authentication. The process of verifying that someone or something is the actual entity that they claim to be. Authentication is what happens when you log into a system. It compares your credentials (often user name and password) with a previously established known value such that the system can know that you are who you say you are. For sensitive systems, there is a trend toward using two-factor authentication (2FA), which essentially means that users must supply two different secrets: usually one is a password (something they know) and the other is a PIN supplied via text message, verifying something they have.

Authorization. Authorization is the process of determining whether an authenticated subject (a user) can see, change, delete or take other actions upon data. For example, if you log into a time keeping application, submit your timesheet and then your boss approves it, the act of logging in is authenticating; the act of filling out your timesheet and submitting it should only be something your user is authorized to do; and approving the timesheet is something only the boss is authorized to do. Authorization is tied to both 4 and 7 of the OWASP Top 10.

B

Backdoor. Malicious code inserted into a program for the purposes of providing the author covert access to machines running the program.

Base64. A method for encoding binary data into printable ASCII strings. Every byte of output maps to six bits of input (minus possible padding bytes).

Big endian. Refers to machines representing words most significant byte first. While x86 machines do not use big endian byte ordering (instead using little endian), the PowerPC and SPARC architectures do. This is also network byte order. See also Little endian.

Birthday attack. Take a function f that seems to map an input to a random output of some fixed size (a pseudo-random function or PRF). A birthday attack is simply selecting random inputs for f and checking to see if any previous values gave the same output. Statistically, if the output size is S bits, then one can find a collision in 2^(S/2) operations, on average.

Bit-flipping attack. In a stream cipher, flipping a bit in the ciphertext flips the corresponding bit in the plaintext. If using a message authentication code (MAC), such attacks are not practical.

Blacklist. When performing input validation, the set of items that, if matched, result in the input being considered invalid. If no invalid items are found, the result is valid. See also Whitelist.

Blinding. A technique used to thwart timing attacks.

Block cipher. An encryption algorithm that maps inputs of size n to outputs of size n (n is called the block size). Data that is not a valid block size must somehow be padded, generally by using an encryption mode. The same input always produces the same output. See also Stream cipher.

Blowfish. A block cipher with 64-bit blocks, designed by Bruce Schneier. This cipher is infamous for having slow key setup times.

Brute force attack. An attack on an encryption algorithm where the encryption key for a ciphertext is determined by trying to decrypt with every key until valid plaintext is obtained.

Buffer overflow. A buffer overflow is when you can put more data into a memory location than is allocated to hold that data. Languages like C and C++ that do no built-in bounds checking are susceptible to such problems. These problems are often security critical.

C

CA. See also Certification Authority.

Canary. A piece of data, the absence of which indicates a violation of a security policy. Several tools use a canary for preventing certain stack smashing buffer overflow attacks. See also Buffer overflow, Stack smashing.

Capture-replay attacks. When an attacker can capture data off the wire and replay it later without the bogus data being detected as bogus.

Carter-Wegman Counter data encryption mode. A parallelizable and patent-free high-level encryption mode that provides both encryption and built-in message integrity.

CAST5. A block cipher with 64-bit blocks. It is patent free, and generally considered sound, but modern algorithms with larger block sizes are generally preferred (e.g., AES).

CBC Mode. See also Cipher Block Chaining mode.

CBC-MAC. A simple construction for turning a block cipher into a message authentication code. It is only secure when all messages MACed with a single key are the same size. However, there are several variants that thwart this problem, the most important being OMAC. See also OMAC.

CCM mode. See also Counter mode with CBC-MAC (CCM).

Certificate. A data object that binds information about a person or some other entity to a public key. The binding is generally done using a digital signature from a trusted third party (a certification authority).

Certificate Revocation List. A list published by a certification authority indicating which issued certificates should be considered invalid.

Certificate Signing Request. Data about an entity given to a certification authority. The authority will package the data into a certificate and sign the certificate if the data in the signing request is validated.

Certification Authority. An entity that manages digital certificates (e.g., Verisign and InstantSSL are two well known CAs).

CFB mode. See also Cipher Feedback mode.

Chain responder. An OCSP responder that relays the results of querying another OCSP responder. See also OCSP.

Choke point. In computer security, a place in a system where input is routed for the purposes of performing data validation. The implication is that there are few such places in a system and that all data must pass through one or more of the choke points. The idea is that funneling input through a small number of choke points makes it easier to ensure that input is properly validated.

Active Directory Security
Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, Geek Trivia

Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, I explored Securing Domain Controllers to Improve Active Directory Security, which explores ways to better secure Domain Controllers and, by extension, Active Directory. For more information on Active Directory specific rights and permissions, review my post Scanning for Active Directory Privileges & Privileged Accounts. This post provides information on how Active Directory is typically administered and the associated roles and rights.

Domain Admins is the AD group that most people think of when discussing Active Directory administration. This group has full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory.
It gains admin rights on domain-joined computers because when these systems are joined to AD, the Domain Admins group is added to the computer's local Administrators group.

Enterprise Admins is a group in the forest root domain that has full AD rights to every domain in the AD forest. It is granted this right through membership in the Administrators group in every domain in the forest.

Administrators, in the AD domain, is the group that has default admin rights to Active Directory and Domain Controllers and provides these rights to Domain Admins and Enterprise Admins, as well as any other members.

Schema Admins is a group in the forest root domain that has the ability to modify the Active Directory forest schema.

Since the Administrators group is the domain group that provides full rights to AD and Domain Controllers, it's important to monitor this group's membership, including all nested groups. The Active Directory PowerShell cmdlet Get-ADGroupMember can provide group membership information.

Default groups in Active Directory often have extensive rights, many more than typically required. For this reason, we don't recommend using these groups for delegation. Where possible, perform custom delegation to ensure the principle of least privilege is followed.

The following groups should have a "DC" prefix added to them, since the scope applies to Domain Controllers by default. Furthermore, they have elevated rights on Domain Controllers and should be considered effectively Domain Controller admins.

Backup Operators is granted the ability to log on to, shut down, and perform backup/restore operations on Domain Controllers, assigned via the Default Domain Controllers Policy GPO. This group cannot directly modify AD admin groups, though the associated privileges provide a path for escalation to AD admin. Backup Operators have the ability to schedule tasks, which may provide an escalation path. They are also able to clear the event logs on Domain Controllers.

Print Operators is granted the ability to manage printers and load/unload device drivers on Domain Controllers, as well as manage printer objects in Active Directory. By default, this group can log on to Domain Controllers and shut them down. This group cannot directly modify AD admin groups.

Server Operators is granted the ability to log on to, shut down, and perform backup/restore operations on Domain Controllers, assigned via the Default Domain Controllers Policy GPO. This group cannot directly modify AD admin groups, though the associated privileges provide a path for escalation to AD admin.

To a lesser extent, we'll group Remote Desktop Users into this category as well. Remote Desktop Users is a domain group designed to easily provide remote access to systems. In many AD domains, this group is added to the "Allow log on through Terminal Services" right in the Default Domain Controllers Policy GPO, providing potential remote logon capability to DCs.

We also see that, many times, the following is configured via a GPO linked to the Domain Controllers OU:

Remote Desktop Users granted the "Allow log on through Terminal Services" right via Group Policy linked to the Domain Controllers OU.
Server Operators granted the "Allow log on through Terminal Services" right via Group Policy linked to the Domain Controllers OU.
Server Operators granted the "Log on as a batch job" right via GPO, providing the ability to schedule tasks.

Review the GPOs linked to the Domain and the Domain Controllers OU and ensure the GPO settings are appropriate. We often find that a servers GPO is also linked to the Domain Controllers OU and it adds a Server Admins group to the local Administrators group. Since Domain Controllers don't have a local Administrators group, the DC updates the domain Administrators group by adding Server Admins. This scenario makes all members of Server Admins Active Directory admins.

Any group/account granted "log on locally" rights to Domain Controllers should be scrutinized. Server Operators and Backup Operators have elevated rights on Domain Controllers and should be monitored. The Active Directory PowerShell cmdlet Get-ADGroupMember can provide group membership information.

Other default groups with elevated rights
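As an added example (not code from the original post), the following PowerShell script enumerates the privileged and "effectively DC admin" groups discussed above with nested membership expanded, prints the result, and warns about any member not present in a previously saved baseline. It assumes the RSAT ActiveDirectory module is installed, read access to the domain, and a baseline CSV path that is only a placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and read access to the forest; the baseline path is a placeholder.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain   # Enterprise/Schema Admins live in the forest root
$thisDomain = (Get-ADDomain).DNSRoot

# Groups with full AD rights, plus the groups that are effectively DC admins.
$groupsToAudit = @(
    @{ Name = 'Enterprise Admins';    Server = $rootDomain },
    @{ Name = 'Schema Admins';        Server = $rootDomain },
    @{ Name = 'Domain Admins';        Server = $thisDomain },
    @{ Name = 'Administrators';       Server = $thisDomain },
    @{ Name = 'Backup Operators';     Server = $thisDomain },
    @{ Name = 'Server Operators';     Server = $thisDomain },
    @{ Name = 'Print Operators';      Server = $thisDomain },
    @{ Name = 'Remote Desktop Users'; Server = $thisDomain }
)

$report = foreach ($g in $groupsToAudit) {
    # -Recursive expands nested groups, so a group such as "Server Admins" nested
    # into Administrators shows up as its individual member principals.
    Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Group  = $g.Name
                Domain = $g.Server
                Member = $_.SamAccountName
                Type   = $_.objectClass
                DN     = $_.distinguishedName
            }
        }
}

$report | Sort-Object Group, Member | Format-Table Group, Member, Type -AutoSize

# Compare with the last reviewed membership list; anything new is flagged.
$baseline = '.\ADPrivilegedGroups-baseline.csv'   # placeholder path
if (Test-Path $baseline) {
    Compare-Object -ReferenceObject (Import-Csv $baseline) -DifferenceObject $report -Property Group, Member |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "New member of '$($_.Group)': $($_.Member)" }
} else {
    $report | Export-Csv -Path $baseline -NoTypeInformation
    Write-Host "Baseline written to $baseline; review it, then re-run to detect changes."
}
```

Run it on a schedule and treat every warning as a change to investigate; the baseline should only be refreshed after the new membership has been reviewed and approved.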
November 2017