Difference between revisions of "Security course 30 April 2018"

From Jon's Wiki
Line 26: Line 26:
 
# Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts.
 
# Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts.
 
# Display when a user last logged in.
 
# Display when a user last logged in.
 +
 +
== Auditing ==
 +
 +
Log at least these events. We need who did what, where (source IP, device ID, etc.), and when:
 +
 +
# User logins.
 +
# Privileged operations e.g. create new user, role/permissions changes, etc.
 +
# failed attempts to elevate privileges.
 +
# failed attempts to access files, functions, services. (Was it temporarily down, or was it attacked?)
 +
# Security-related alerts and failures.

Revision as of 22:35, 29 April 2018

ACL
Access Control List.
Access Control
who can access which parts of a system, by assigning permissions to roles, users to groups, and roles to groups.
Authentication
confirmation of identity.
Authorisation
access control.
NZISS
New Zealand Internet Security Standard

Restrict database access to only the tables required, use a minimum of stored procedures to hide sensitive tables entirely (e.g. an AUTHENTICATE() stored procedure, and no access to the USER table.

CREATE FUNCTION AUTHENTICATE(u TEXT, p TEXT) RETURNS TABLE (username TEXT, property1, TEXT, ...) AS $$
BEGIN
  SELECT username, property1, ... FROM users WHERE username = u, password = CRYPT(p);
END;
$$ LANGUAGE plpgsql;
  1. Design software to use the lowest privilege level required to complete its tasks.
  2. Deny access by default.
  3. Check return values of all system calls.
  4. Validate all inputs - lengths, field types, ranges, controlled vocabularies.

Authentication

  1. User IDs - users must be unique. No shared 'office admin' accounts with naff passwords.
  2. Don't use shit passwords. Enforce minimum password complexity, use multi-factor auth, biometrics, etc.
  3. Encrypt user authentication data over the network (including database connections).
  4. Don't store passwords in clear text.
  5. Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts.
  6. Display when a user last logged in.

Auditing

Log at least these events. We need who did what, where (source IP, device ID, etc.), and when:

  1. User logins.
  2. Privileged operations e.g. create new user, role/permissions changes, etc.
  3. failed attempts to elevate privileges.
  4. failed attempts to access files, functions, services. (Was it temporarily down, or was it attacked?)
  5. Security-related alerts and failures.