Time
12 hours 41 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

Things take off fairly quickly in this section as we dig into IAAA. As with many of the other sections in this course, we examine the threats and exploits present with each process. This is a reminder that threats and risks are an ever present reality in the online world and we can never let our guard down! We begin the video by mentioning that secure software design is vital and begins with the process of authentication and identity management. It's imperative to use secure technologies in software and systems design as this is the surface where attackers focus. Authentication and identity management consists of several key elements. We mentioned in the intro section that identification is about making a claim for who you are. In turn, authentication is the process whereby users support their identity claim. These controls are managed via services, policies, and procedures for managing and provisioning a digital identity. These security controls are then in turn audited annually under the Sarbanes-Oxley Act (SOX). This is essential for maintaining legal compliance by organizations bound by this law. We then discuss credential management and the exploits targeting identity and access processes. A few of the exploits covered are cross site forgeries of credentials using cookie theft. Other credentials that are vulnerable to theft are passwords and session IDs. It's essential that measures are taken to secure these items! The section is concluded with a discussion about solutions for mitigating the aforementioned risks. A common risk in this area is that of privilege escalation. Credential management is an important process for protecting unauthorized access especially with the move towards super sign on solutions. An example of this is using your Facebook ID to sign into many different accounts.

Video Transcription

00:04
now, the last thing that we want to look at in relation to secure software design is we want to make sure that we're using secure technologies as they're available to us and make sure that we're considering all the elements in which our software could be compromised.
00:19
One of the things that we would think about first would be authentication and identity management, and this is very, very
00:25
big today, especially because we're because we're looking at sharing this authentication information across boundaries, and we'll talk about a little bit later. We'll talk about Federated Trusts, and service is now when we talk about identification, we've already said that's making a claim. So I claim to be Kelly Hander. Hand
00:45
authentication gives me a way of supporting that. Whether it's a password, a smart card, some sort of biometric means, whatever that is.
00:52
So when we talk about identity and access management, what we're looking at here, all the service is that policies and procedures of ways that we used to manage a digital identity. So how that account gets created, how that account gets managed, how we allow
01:11
um,
01:12
elements of that control to being monitored in updated or or that identity.
01:18
Then we also have to think about the security controls that we put on Ah, and that we used to manage our digital identities, you know, especially to make sure that we're under legal compliance. You know, Sarbanes Oxley socks, which I mentioned earlier, is very accountability oriented, very heavy on auditing,
01:38
so verifying that identity is very, very important in relation to socks.
01:42
We think about credential management.
01:46
Earlier, we discussed things like cross site scripting and see surf attacks and specifically, the sea surf, which again stands for cross site Request for forgery
01:56
takes advantage of my pre established session and the fact that that session information might be stored as a cookie on my system and it might be stored in plain text. So we want to make sure that any credentials that I have in any sort of, whether their passwords or session ideas or
02:14
any type of information along those lines, we want to make sure that that information
02:19
is protected. We want to make sure that we have proper authorization and the privilege escalation doesn't happen. We want to have good, strong authentication mechanisms in place so that we don't allow unauthorized access.
02:32
Uh, in any time we talk about, you know, strong authenticity, we think about multi factor authentication, the use of certificates. We may talk about using bi metrics. We might talk about using smart cards. You need those other elements and then this idea of single sign on,
02:51
uh, which is what allows me to log on to the domain with a single set of credentials, my user name and password frequently.
02:58
And that allows me access to all Resource is in the domain.
03:02
Now, the problem with that is the idea of keys to the kingdom. If I just need one password to access everything in the domain,
03:09
all in attacker needs is that one password to access everything in the domain.
03:15
And what we're moving towards today is an eye is an idea of super sign on, not just single sign on, but super sign on and what we're seeing more and Maura's. I provide one set of credentials like, for instance, my social media credentials, whether it's Facebook or Twitter, whatever that might be.
03:32
And those credentials allow me access to many different resource is whether it's the Washington Post, whether it's Pandora Radio whether or not it's, uh, you know, reading a car through hurts or whatever brands I would use. So the idea is being able to forward this authentication information
03:53
across Federated Trust
03:54
really expands the idea of identity and access management, but also credential management as well.

Up Next

ISC2 CISSP

Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor