Difference between revisions of "Security course 30 April 2018"
From Jon's Wiki
Line 26: | Line 26: | ||
# Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts. | # Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts. | ||
# Display when a user last logged in. | # Display when a user last logged in. | ||
+ | |||
+ | == Auditing == | ||
+ | |||
+ | Log at least these events. We need who did what, where (source IP, device ID, etc.), and when: | ||
+ | |||
+ | # User logins. | ||
+ | # Privileged operations e.g. create new user, role/permissions changes, etc. | ||
+ | # failed attempts to elevate privileges. | ||
+ | # failed attempts to access files, functions, services. (Was it temporarily down, or was it attacked?) | ||
+ | # Security-related alerts and failures. |
Revision as of 22:35, 29 April 2018
- ACL
- Access Control List.
- Access Control
- who can access which parts of a system, by assigning permissions to roles, users to groups, and roles to groups.
- Authentication
- confirmation of identity.
- Authorisation
- access control.
- NZISS
- New Zealand Internet Security Standard
Restrict database access to only the tables required, use a minimum of stored procedures to hide sensitive tables entirely (e.g. an AUTHENTICATE() stored procedure, and no access to the USER table.
CREATE FUNCTION AUTHENTICATE(u TEXT, p TEXT) RETURNS TABLE (username TEXT, property1, TEXT, ...) AS $$ BEGIN SELECT username, property1, ... FROM users WHERE username = u, password = CRYPT(p); END; $$ LANGUAGE plpgsql;
- Design software to use the lowest privilege level required to complete its tasks.
- Deny access by default.
- Check return values of all system calls.
- Validate all inputs - lengths, field types, ranges, controlled vocabularies.
Authentication
- User IDs - users must be unique. No shared 'office admin' accounts with naff passwords.
- Don't use shit passwords. Enforce minimum password complexity, use multi-factor auth, biometrics, etc.
- Encrypt user authentication data over the network (including database connections).
- Don't store passwords in clear text.
- Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts.
- Display when a user last logged in.
Auditing
Log at least these events. We need who did what, where (source IP, device ID, etc.), and when:
- User logins.
- Privileged operations e.g. create new user, role/permissions changes, etc.
- failed attempts to elevate privileges.
- failed attempts to access files, functions, services. (Was it temporarily down, or was it attacked?)
- Security-related alerts and failures.