The Tower Defense Game In Your Network

Tower defense games like Plants vs. Zombies are loads of fun, and can keep you occupied for years. Access Controls can certainly keep you occupied for years as well. What strategies for effective management of access controls can we learn from tower defense games to limit our exposure from the zombies eating away at our network security? C’mon, let’s use our BRAAIIINNNSS…
A. Spencer Wilcox, CISSP, CPP, SSCP @brasscount
All images are copyright PopCap Games and used under fair use.
Tower Defense Games
• Tower Defense games are designed to protect a
central core from an external aggressor.
• The victory conditions for these games ultimately
rely on keeping the aggressor out through a
strategic application of offensive and defensive
mechanisms.
– Examples abound, but we will use one game by PopCap Games throughout to exemplify the point:
It all starts with a Defensible Space
• Crime Prevention Through Environmental Design (CPTED)
  – Surveillance
    • Natural Surveillance = the ability to view
    • Trim hedges, shrubs and trees
    • Open sight lines
    • Limit hiding places
  – Territoriality (Claim the Property)
    • Edged lawns
    • Lawn borders
    • Flower beds
    • Maintained landscaping
    • Pink flamingos
  – Access Control
    • Single points of entry (limit approaches)
    • Protect windows
    • Fences
    • Low thorny bushes (barberry, holly, acacia)
    • Limit ingress and egress points
    • Shoulder-height fencing
  – Maintenance
    • The Broken Windows Theory
    • Maintaining an attractive nuisance
(ISC)2 e-Symposium 3
Physical Security is an Analogue to Cyber
• Territoriality
  – Firewalls
  – Perimeter Defenses
  – Logon Banners
• Surveillance
  – Logging
  – Intrusion Detection
• Access Control
  – Limited Points of Entry (WAN Links)
  – PROTECT WINDOWS…
  – Ports and Services
  – AAA
  – Limit Ingress and Egress Points (Account Management)
• Maintenance
  – Patching
  – Documentation
  – Inventory Management
Cyber may seem more complicated
Principles of Access Control: Authorization, Authentication, & Accounting
• Principle of Least Privilege
• Default Deny
• Roles
• Segregation of Duties
• Location
• Time of Day
• Identification
• Multi-Factor
• Session Control
• Non-Repudiation
• Logging
• Privilege Reviews
• Alerting / Alarming
Principles of Access Control: Account and Rights Management
• Account Creation
• Access Authorization
• Access Removal
  – Delete vs. Disable
• Privileged Accounts
• Shared Accounts
• Generic Accounts
• Default Credentials
• Application Access
• Data Classification
• Single-Sign-On
• LDAP / Active Directory
• Rights Inheritance
• Group Membership
• Failed Attempt logging
• Granted Access logging
• Password Management
  – Complexity
  – Frequency of Change
  – Account Lockout
• Alternative Access Controls
  – Callback
  – SMS Passcode
  – Port Knocking
Column headings: Account Management | Rights Management | System Access
So, How Do We Defend The House?
In account hijacking, a hacker uses a compromised account to impersonate the account owner. Typically, account hijacking is carried out through phishing, sending spoofed emails to the user, password guessing or a number of other hacking tactics. In many cases, an email account is linked to a user’s various online services, such as social networks and financial accounts. The hacker can use the account to retrieve the person's personal information, perform financial transactions, create new accounts, and ask the account owner's contacts for money or help with an illegitimate activity.
Source: http://www.techopedia.com/definition/24632/account-hijacking
Account Hijacking
Attacks covered: Account Hijacking, Privilege Escalation, Brute Force Attacks, Dictionary Attacks, Session Hijacking, Account Lockout DOS
Defenses
• Multi-factor Authentication
• Session Control
• Non-Repudiation
• Logging
• Alerting / Alarming
• Location Awareness
• Time of Day Awareness
• Failed Attempt logging
• Granted Access logging
• Password Management
• Account Lockout
• Alternative Access Controls
So, How Do We Defend The House?
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
Source: https://en.wikipedia.org/wiki/Privilege_escalation
Privilege Escalation
Defenses
• Multi-factor Authentication
• Session Control
• Non-Repudiation
• Logging
• Alerting / Alarming
• Principle of Least Privilege
• Default Deny
• Roles
• Segregation of Duties
• LDAP / Active Directory
• Rights Inheritance
• Group Membership
• Privileged Accounts
• Shared Accounts
• Generic Accounts
• Default Credentials
• Failed Attempt logging
• Granted Access logging
• Alternative Access Controls
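As an added example (not part of the deck or its author's material) tying the slide 5 principles to the Privilege Escalation defenses above: a small Python authorization check that starts from default deny, grants only what a role explicitly permits, refuses users whose roles violate segregation of duties, enforces location and time-of-day constraints, and writes an accounting record for every decision. The users, roles, actions, network labels and rules are hypothetical.

```python
"""Added example (not from the deck): an authorization check that applies
default deny, roles, segregation of duties, location and time-of-day
constraints, and records an accounting entry for every decision.
Users, roles, actions, network labels and rules are hypothetical."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    user: str
    action: str        # e.g. "approve_payment"
    source_net: str    # constructed network label, e.g. "corp" or "internet"
    when: datetime


# Role -> actions it grants.  Anything not listed here is denied (default deny).
ROLE_PERMISSIONS = {
    "clerk":    {"create_payment"},
    "approver": {"approve_payment"},
    "auditor":  {"read_ledger"},
}

# Segregation of duties: these role pairs may never be held by one person.
SOD_CONFLICTS = {frozenset({"clerk", "approver"})}

# Contextual constraints per action: (permitted networks, permitted hours [start, end)).
CONTEXT_RULES = {
    "approve_payment": ({"corp"}, (8, 18)),
}

# Constructed directory: user -> roles.  "carol" is deliberately mis-provisioned.
USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"approver"},
    "carol": {"clerk", "approver"},
}

AUDIT_LOG: list = []   # accounting trail: one record per decision, grant or deny


def at(hour: int) -> datetime:
    """Constructed timestamp on a fixed day, used for the sample requests."""
    return datetime(2024, 5, 1, hour, 0)


def sod_violations(roles: set) -> set:
    """Return the conflicting role pairs present in a user's role set."""
    return {pair for pair in SOD_CONFLICTS if pair <= roles}


def authorize(req: Request) -> tuple:
    """Decide (granted, reason).  The decision starts closed and is only
    opened when every check passes: identity, SoD, role, then context."""
    roles = USER_ROLES.get(req.user, set())
    granted, reason = False, "default deny"
    if not roles:
        reason = "unknown user"
    elif sod_violations(roles):
        reason = "segregation-of-duties conflict"
    elif not any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        reason = "no role grants this action"
    else:
        nets, (start, end) = CONTEXT_RULES.get(req.action, (None, (0, 24)))
        if nets is not None and req.source_net not in nets:
            reason = "location not permitted"
        elif not start <= req.when.hour < end:
            reason = "outside permitted hours"
        else:
            granted, reason = True, "granted"
    # Accounting: denials are logged with the same detail as grants; this is the
    # raw material for privilege reviews and for alerting on refused actions.
    AUDIT_LOG.append({"user": req.user, "action": req.action,
                      "from": req.source_net, "at": req.when.isoformat(),
                      "granted": granted, "reason": reason})
    return granted, reason


if __name__ == "__main__":
    for r in (Request("alice", "create_payment", "corp", at(10)),
              Request("bob", "approve_payment", "corp", at(10)),
              Request("bob", "approve_payment", "internet", at(10)),
              Request("carol", "approve_payment", "corp", at(10)),
              Request("mallory", "read_ledger", "corp", at(10))):
        print(r.user, r.action, authorize(r))
```

The decision variable starts as a denial and is flipped only on the one success path, so a check added later and left incomplete cannot accidentally grant. The SoD check runs before the role lookup on purpose: a mis-provisioned account is refused outright and shows up in the audit trail, which is exactly what a privilege review is looking for.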
So, How Do We Defend The House?
Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.
Source: http://searchsecurity.techtarget.com/definition/brute-force-cracking
Brute Force Attacks
Defenses
• Identification
• Multi-factor Authentication
• Session Control
• Logging
• Alerting / Alarming
• Location Awareness
• Time of Day Awareness
• Failed Attempt logging
• Granted Access logging
• Password Management
• Account Lockout
• Alternative Access Controls
• LDAP / Active Directory
• Access Removal
• Shared Accounts
• Generic Accounts
So, How Do We Defend The House?
A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.
Source: http://searchsecurity.techtarget.com/definition/dictionary-attack
Dictionary Attacks
Defenses
• Multi-factor Authentication
• Session Control
• Logging
• Alerting / Alarming
• Location Awareness
• Time of Day Awareness
• Failed Attempt logging
• Granted Access logging
• Password Management
• Account Lockout
• Alternative Access Controls
• LDAP / Active Directory
• Shared Accounts
• Generic Accounts
• Default Credentials
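As an added example covering both the Brute Force and Dictionary Attack slides (not part of the deck): a Python detector that reads failed-attempt and granted-access log lines and raises the alerts the "Logging" and "Alerting / Alarming" defenses call for. The sample log is constructed in OpenSSH sshd message format with an ISO 8601 timestamp prefix; the addresses, account names and thresholds are hypothetical.

```python
"""Added example, not from the deck: failed-attempt and granted-access
logging turned into alerts for brute-force and dictionary guessing.
SAMPLE_LOG is constructed in OpenSSH sshd message format with an ISO 8601
timestamp prefix; addresses, account names and thresholds are hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: one source hammering root, a second source sweeping
# several accounts, a benign typo-then-login, and finally root logging in
# successfully from the hammering source.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[4110]: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-05-01T09:00:03 sshd[4110]: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-05-01T09:00:05 sshd[4111]: Failed password for root from 203.0.113.7 port 50130 ssh2
2024-05-01T09:00:07 sshd[4111]: Failed password for root from 203.0.113.7 port 50130 ssh2
2024-05-01T09:00:09 sshd[4112]: Failed password for root from 203.0.113.7 port 50140 ssh2
2024-05-01T09:00:11 sshd[4112]: Failed password for root from 203.0.113.7 port 50140 ssh2
2024-05-01T09:01:00 sshd[4120]: Failed password for invalid user alice from 198.51.100.9 port 40001 ssh2
2024-05-01T09:01:02 sshd[4121]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
2024-05-01T09:01:04 sshd[4122]: Failed password for carol from 198.51.100.9 port 40003 ssh2
2024-05-01T09:02:00 sshd[4130]: Failed password for alice from 10.0.0.5 port 51000 ssh2
2024-05-01T09:02:05 sshd[4130]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
2024-05-01T09:03:00 sshd[4140]: Accepted password for root from 203.0.113.7 port 50150 ssh2
2024-05-01T09:03:30 sshd[4141]: pam_unix(sshd:session): session opened for user root
"""


def parse(line):
    """Return an auth event dict, or None for lines this detector does not model."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def _prune(times, now, window):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while times and now - times[0] > window:
        times.popleft()


def detect(lines, window=timedelta(minutes=5), per_source=5, spread=3, retry_ok=2):
    """Return (kind, source, user) alerts, each kind at most once per source.
    brute-force:            >= per_source failures from one source in the window
    dictionary-spread:      one source failing against >= spread distinct accounts
    success-after-failures: a granted login from a source with more than retry_ok
                            recent failures, i.e. the guess that finally worked"""
    alerts = []
    fail_times = defaultdict(deque)   # src -> failure timestamps inside the window
    fail_users = defaultdict(dict)    # src -> {account: time of last failure}
    fired = set()

    def fire(kind, src, user):
        if (kind, src) not in fired:
            fired.add((kind, src))
            alerts.append((kind, src, user))

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        times = fail_times[src]
        _prune(times, ts, window)
        if ev["ok"]:
            if len(times) > retry_ok:
                fire("success-after-failures", src, ev["user"])
            continue
        times.append(ts)
        fail_users[src][ev["user"]] = ts
        recent_users = [u for u, t in fail_users[src].items() if ts - t <= window]
        if len(times) >= per_source:
            fire("brute-force", src, ev["user"])
        if len(recent_users) >= spread:
            fire("dictionary-spread", src, ev["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Two points the slides make show up directly in the code: failed-attempt logging alone finds the hammering, but it is granted-access logging that produces the alert worth waking someone for, the success that follows a run of failures; and the "dictionary-spread" rule catches a source that stays under the per-account lockout threshold by trying a few words against many accounts, which a per-account counter never sees.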
So, How Do We Defend The House?
Session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.
Source: https://en.wikipedia.org/wiki/Session_hijacking
Session Hijacking
Defenses
• Session Control
• Non-Repudiation
• Location Awareness
• Account Lockout
• Application Access
• Privileged Accounts
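As an added example for the Session Control and Location Awareness defenses on this slide (not part of the deck): a Python session store with unpredictable identifiers, rotation at login and on privilege change, idle and absolute expiry, and a source check that ends the session and raises an alarm when a valid identifier is presented from a different network. Names, addresses and timeouts are hypothetical.

```python
"""Added example, not from the deck: session control against session/cookie
hijacking.  Ids come from the OS CSPRNG, are rotated on privilege change,
expire on idle and absolute timers, and are bound to the source that opened
them.  Names, addresses and timeouts are hypothetical."""
import secrets
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)
ABSOLUTE_TIMEOUT = timedelta(hours=8)
T0 = datetime(2024, 5, 1, 9, 0)   # constructed reference time for the examples


def later(minutes):
    return T0 + timedelta(minutes=minutes)


class SessionStore:
    def __init__(self):
        self.sessions = {}   # session id -> attributes
        self.events = []     # accounting trail: logins, rotations, endings, alarms

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 random bits: not guessable or sequential

    def create(self, user, src, now, privileged=False):
        sid = self._new_id()
        self.sessions[sid] = {"user": user, "src": src, "created": now,
                              "last_seen": now, "privileged": privileged}
        self.events.append(("login", user, src))
        return sid

    def rotate(self, sid):
        """Issue a fresh id; anything captured before this point stops working."""
        attrs = self.sessions.pop(sid)
        new_sid = self._new_id()
        self.sessions[new_sid] = attrs
        self.events.append(("rotate", attrs["user"], attrs["src"]))
        return new_sid

    def elevate(self, sid):
        """Privilege change: mark the session privileged and rotate its id."""
        self.sessions[sid]["privileged"] = True
        return self.rotate(sid)

    def validate(self, sid, src, now):
        """Return (user, status).  Every failure removes the session (fail closed)."""
        attrs = self.sessions.get(sid)
        if attrs is None:
            return None, "unknown session"
        if now - attrs["created"] > ABSOLUTE_TIMEOUT:
            status = "absolute timeout"
        elif now - attrs["last_seen"] > IDLE_TIMEOUT:
            status = "idle timeout"
        elif src != attrs["src"]:
            status = "source changed"   # location awareness: a valid id from elsewhere
        else:
            attrs["last_seen"] = now
            return attrs["user"], "ok"
        self.sessions.pop(sid)
        self.events.append(("session-ended", attrs["user"], status))
        if status == "source changed":
            self.events.append(("alarm", attrs["user"], f"{attrs['src']} -> {src}"))
        return None, status


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "10.0.0.5", T0)
    print(store.validate(sid, "10.0.0.5", later(1)))
    print(store.validate(sid, "203.0.113.7", later(2)))   # stolen id from another network
    print(store.events)
```

Binding to the source address is the simplest form of location awareness and the one the slide names; it will also end sessions for legitimate users whose address changes (mobile networks, proxy pools), so in practice the mismatch is often raised as an alarm and re-authentication is demanded rather than the session silently dropped. Rotation on elevation is what keeps a pre-login or low-privilege identifier from becoming a privileged one.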
So, How Do We Defend The House?
In an account lockout attack, an attacker attempts to lock out user accounts by purposely failing the authentication process as many times as needed to trigger the account lockout functionality. This in turn prevents even the valid user from obtaining access to their account... The impact of such an attack is compounded when there is a significant amount of work required to unlock the accounts to allow users to attempt to authenticate again.
Source: https://www.owasp.org/index.php/Account_lockout_attack
Account Lockout DOS
Defenses
• Logging
• Alerting / Alarming
• Account Lockout
• LDAP / Active Directory
• Group Membership
• Privileged Accounts
• Shared Accounts
• Generic Accounts
• Default Credentials
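As an added example for this slide (not part of the deck): a Python lockout policy shaped so that deliberately failed logins cannot be turned into a denial of service. Failures are counted per account and source rather than per account alone, locks release themselves after a cooldown instead of waiting for an administrator, and a source that locks several accounts is itself blocked and alarmed. Thresholds, names and addresses are hypothetical.

```python
"""Added example, not from the deck: an account-lockout policy that resists
lockout DoS.  Failures are counted per (account, source), locks expire on
their own, and a source that locks several accounts is blocked and alarmed.
Thresholds, names and addresses are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 5, 1, 9, 0)   # constructed reference time for the examples


def later(minutes):
    return T0 + timedelta(minutes=minutes)


class LockoutPolicy:
    def __init__(self, threshold=5, window=timedelta(minutes=15),
                 lock_for=timedelta(minutes=15), dos_accounts=3):
        self.threshold = threshold          # failures before a lock
        self.window = window                # counting window for failures
        self.lock_for = lock_for            # temporary lock: no help-desk unlock needed
        self.dos_accounts = dos_accounts    # locks from one source that signal a DoS
        self.failures = defaultdict(list)   # (account, src) -> failure times
        self.locked_until = {}              # (account, src) -> lock expiry
        self.blocked_sources = {}           # src -> block expiry
        self.alerts = []                    # accounting / alarming trail

    def is_locked(self, account, src, now):
        """True while the source is blocked or this account is locked for this
        source.  Locks from other sources do not affect the account's owner."""
        block = self.blocked_sources.get(src)
        if block is not None and now < block:
            return True
        until = self.locked_until.get((account, src))
        return until is not None and now < until   # expired locks release themselves

    def record_failure(self, account, src, now):
        """Count a failed attempt; returns True if it triggered a lock."""
        key = (account, src)
        recent = [t for t in self.failures[key] if now - t <= self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) < self.threshold:
            return False
        self.locked_until[key] = now + self.lock_for
        self.failures[key] = []
        self.alerts.append(("lockout", account, src))
        # Lockout-DoS signal: one source has locked several different accounts.
        locked_here = {a for (a, s), until in self.locked_until.items()
                       if s == src and now < until}
        block = self.blocked_sources.get(src)
        if len(locked_here) >= self.dos_accounts and (block is None or now >= block):
            self.blocked_sources[src] = now + self.lock_for
            self.alerts.append(("lockout-dos", src, len(locked_here)))
        return True

    def record_success(self, account, src, now):
        self.failures.pop((account, src), None)

    def attempt(self, account, src, password_ok, now):
        """Gate one authentication attempt: returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(account, src, now):
            return "locked"
        if password_ok:
            self.record_success(account, src, now)
            return "ok"
        self.record_failure(account, src, now)
        return "failed"


if __name__ == "__main__":
    p = LockoutPolicy()
    for i in range(5):
        p.attempt("alice", "203.0.113.7", False, later(i))
    print(p.attempt("alice", "203.0.113.7", True, later(5)))   # locked
    print(p.attempt("alice", "10.0.0.5", True, later(5)))      # ok: owner unaffected
    print(p.alerts)
```

The per-source scoping is what removes the attacker's leverage: failing the password for an account from the internet locks that account for that source only, while its owner on the corporate network logs in as usual. The trade-off is that an attacker behind the same NAT as the victim shares the victim's source, so the slide's other controls (multi-factor, alerting on the lockout itself, and scrutiny of privileged, shared and generic accounts, which are the usual lockout-DoS targets) still have to carry part of the load.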