The following is a simple series of steps to configure an unsuccessful login limit in Solaris without the use of the PAM module. Account lockouts are an adequate measure to combat “brute force” attacks wherein unauthorized access is gained by attempting all possible passwords.

1) edit /etc/default/login and find the line RETRIES (probably commented out). Uncomment RETRIES and make sure it is equal to the maximum number of attempts required by policy (i.e. 5).

2) Then edit /etc/security/policy.conf Go to the end of the file, uncomment LOCK_AFTER_RETRIES, and change the setting to yes - LOCK_AFTER_RETRIES=YES

3) make sure /etc/user_attr has root with no lockout:

EXAMPLE:
more /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident “@(#)user_attr 1.1 03/07/09 SMI”
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no

When someone locks their account, your will see *LK* at the beginning of their password hash in /etc/shadow. To unlock the account just type: passwd -u /locked_user. If you want to check the current failed login attempts for a user it will be the last number on the user’s entry in /etc/shadow.

I apologize for the lapse in posts as of late. Work has me tasked with two positions and training a new hire to fill a vacancy. In addition, I have been studying for the CISSP exam. Hence, the recent posts of CISSP Study Sheets and lack of free time to post about other security events. I am glad to report that I have passed my first attempt at the CISSP exam with much less study time investment as many are touting required. Here are the CISSP study resources I used and how much I believe they helped me:

5% - Attended a CBK seminar - 1 week
15% - Question Drills from www.CCCure.org - 500 questions total
30% - CISSP All-in-One Exam Guide - 15 hours 500 questions
50% - Past Experience - NA

To be honest, my past experience in physical security, database administration, release engineering, application security, law enforcement, and computer forensics provided more answers than all of my studying combined. The trick was wrapping real work experiences with the terminology and framework of which ISC2 has determined security professionals should be consistent. I accomplished this simply by using the Shon Harris’ CISSP All-in-One Exam Guide’s references and tips sections. Reading the1000 page book is not necessary for those with basic understanding of concepts and reasonable problem solving skills. Just focus on the finer points, the terminology, and then use the CD provided to do question drills. If you’re scoring 80% or better on the practice exams, you are on track to pass.

I’ll continue posting the CISSP Study Sheets as I create them. It’s an ongoing effort for the folks in my organization (and you) who have yet to pass or after numerous attempts. On a related note, you may want to research some test taking techniques once your studies are complete. I believe this to be the struggle with some of my colleagues.

I thought I’d bring to everyone’s attention an excellent and free computer security training tool for IT professionals. The Software Engineering Institute at Carnegie Mellon University hosts a Virtual Training Environment (VTE) with a number of free demos, labs, and lectures.

VTE is a revolutionary resource for information assurance, incident response and computer forensic training, with over 500 hours of material available. VTE blends the best of classroom instruction and self-paced online training, delivering training courses, anytime access to answers, and hands-on training labs all through a standard Web browser.

If you’re a sponsored DoD member, you will receive premium access to hands-on lab simulations. However, general public visitors still have a wealth of resources available to them through the VTE Public Library.

The public library offers demos and lectures in a variety of topics, such as forensics, cryptography, networking, and other subjects depicted in the screenshot above. The demonstrations are nice in that there usually is voice over narration that explains what the operator is doing and why. The lectures are hit and miss depending on the instructor. Some presenters are just terrible at public speaking and remind me of a high school speech class. Other’s are professionals in the field and provide valuable information. The lectures are usually accompanied by a powerpoint presentation, a transcript of the dialog, and a streaming video of the classroom in which it is being held. Below is an example of the lecture interface.

Overall, this site is a great training tool for those who learn better with visual and audio media. Visit the Virtual Training Environment for yourself and let me know your opinion.

Series: CISSP Study Sheet
Entry: Security Architecture and Design

The CISSP Study Sheet Series identifies the most important details regarding each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, such as my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP Study Sheets just before the test, and then doing a “brain dump” of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. The third study sheet will focus on the Security Architecture and Design domain.

Security Architecture and Design Study Sheet

Information Security Management System (ISMS) – planning, creation, and maintenance of data and the processing of such information.
Information Security Architecture (ISA) – high level structuring of the business’s security requirements.

Trusted Computing Base – hardware, software, and firmware components of a network or system that addresses the aspects of security.
Reference Monitor – a theoretical machine that mediates subject’s access to objects.
Security Kernel – tamper proof mechanism that controls access to system resources by enforcing the rules of the reference monitor.
Security Perimeter – the imaginary boundary separating the components of the Trusted Computer Base and those elements outside it.

Common Architecture Language – addresses and ensures the communication and motivation of stakeholders.
Architecture Model – the beginning template in order to formulate an individual plan.
IT Infrastructure Library (ITIL) – aids the implementation of a framework through documents pertaining to service support, service delivery, security and application management, ICT infrastructure management, planning to implement service management and the business perspective.
Zachman Framework – deals with many components on a two dimensional level and gives a holistic view of the organizational architecture.
Control Objectives for Information and related Technology (COBIT) – an IT governance framework, functioning at an operational level, which manages the collaboration of control requirements, business risk, and technical issues.
Committee Of Sponsoring Organizations (COSO) – a corporate governance framework, functioning at the strategic level, to provide reasonable assurance of achieving the organization’s mission and evaluating the internal control systems.
The Open Group Architecture Framework (TOGAF) – modeled for businesses, applications, data, and technology to provide a wide ranging approach to the design, planning, implementation, and governance of enterprise architecture.
Department of Defense Architecture Framework (DoDAF) – consists of operational, technical, and overarching views for government architectures.

Centralized Architecture – a mainframe based environment with central control of security measures.
Distributed Architecture – modern client server based environment needing standardized interfaces and protocols.
Thin Client Architecture – limiting of functions on a workstation to a more hybrid distributed and centralized approach.

CPU – performs mathematical and logical functions, and controls the timing of executions.
Secondary Storage – consists of non-volatile media, such as a hard drive, backup tape, floppy, or CD-ROM.
Virtual Storage - paging and swapping operations of secondary storage needed to enlarge a bank of memory.
Deadlock – occurs when multiple processes attempt to access the same resource simultaneously.

Process Isolation – preserving the integrity of an object, preventing object interaction, and creating independent object states using such tactics as segmented memory addressing, time multiplexing of shared resources, naming distinctions, encapsulation of objects, and virtual mapping.
Layering – Adds modularity to the system by separating processes and allowing layer communication only through defined interfaces.
Ring Protection – controlling access through numbered ring segments for the OS Kernel, Input / Output, utilities, and user applications. Privileged processes running in a low numbered inner ring whilst the higher numbered rings have access to less system resources.

Dedicated Security Mode – only processes one level of information classification and is restricted to just the user(s) with the appropriate security clearance.
Closed System – proprietary to a vendor.

TOC/TOU – Time of check / Time of use asynchronous attack takes advantage of timing event dependencies.
Covert Channel – unintentional timing and storage avenues that transmit data in violation of the security policy.
Covert Timing – the modulating use of system resources to enable process to process communications.
Covert Storage – permits processes to write to storage and allows other processes to read it.
Maintenance Hook – a programmer’s backdoor into an application for maintenance purposes. Remove before production.

Trust – all the security mechanisms are functioning correctly to protect sensitive information.
Assurance – the level of confidence that the security implementations will provide adequately protections during foreseeable circumstances.

Security Model – used during the development of security policies, system engineering, and software implementation.
Information Flow Security Model – tracks data to indentify if sensitive information is being transmitted to unprotected areas. This addresses Covert Channels.
State Machine Model – an abstract math model where state variables represent the system state. For example, if a system starts in a secure state, it needs to fail securely also.
Lattice Model – a mathematically descriptive model that provides upper and lower bounds of authorized access.
Non-Interference Model – preventative controls that limit subjects from violating security policy and affecting each other when operating in different domains.
Bell-LaPadula – a confidentiality model that disallows reading up and writing down.
Biba – an integrity model that prevents unauthorized users from making modifications and disallows reading down and writing up.
Clark-Wilson – an integrity model that uses access triple and limits rights to objects via applications.

Orange Book (TCSEC) – the Trusted Computer System Evaluation Criteria was maintained by the U.S. Department of Defense and is an older means to evaluate the security functions supporting confidentiality.
ITSEC – the Information Technology Security Evaluation Criteria is an international evaluation tool that separates assurance and functionality ratings (EF).
Common Criteria – Created from the fundamentals of TCSEC and ITSEC, the Common Criteria is an international standard, or ISO 15408, and is the latest means of evaluating system security.
Evaluation Assurance Level (EAL) – a measurement of 1-7 identifying and verifying the security functions that address confidentiality, integrity, and availability.

Certification – validation that the technical and non technical controls on a system are suitable for the operational environment.
Accreditation – management’s formal acceptance of the certification and approval of the system to operate in a specific environment.

More CISSP Study Sheets and other CISSP resources.

I thought it would be entertaining to host a contest for the funniest most humorous computer security story. I know they exist. Not only do I deal with the day to day stuff, I’ve participated in a collaborative experiment with Foundstone to test companywide user security awareness. The scenarios that resulted were quite humorous and probably trumped my favorite experience during normal daily activities. Here is how the contest will work.

Contest Requirements

Submit your story to bouch at secureputer dot com
It should be 100+ words
Related to IT and primarily Security
Not made up or stolen from another source (honor system)
You can submit more than one story. I know I have many.
and of course so funny I’ll fall off my chair

Contest Rewards

1 Year Magazine Subscription of your choice. If notified that you are the winner, I will provide instructions via email on how to claim your prize.

Contest Results

On November 15th 2008 I’ll post the submissions and a poll for you to vote on your favorites. On Christmas Eve 2008 (December 24th 2008), the poll will end and the winner will receive a Holiday gift of a free 1 year subscription to a magazine of choice.

I’ll include a couple of my own tales, but will exclude them from being voted for. I wish everyone the best of luck and I hope to host quite a few contests in the coming years. I enjoy hosting contests and have no problem funding prizes for participants of SecurePuter.com.

My heart goes out to all the families that lost loved ones 7 years ago on that most tragic day. I salute the men and woman who stepped up to fight the terrorist threat head on. To the soldiers wounded and killed in the battles that followed, you are in my prayers. A moment of silence for you all

….

Support the Serving

To the military men and woman still fighting this terrible war, take care of yourselves and be safe. My former unit, in which I served in Operation Enduring Freedom, is currently deployed to Iraq and is training the Iraqi police departments. You are doing a great service. We need them to take care of their own so that U.S. Troops can come home. I hope all is going well for the 344th and I promise to send another care package full of beef jerky and sunflower seeds soon. If you didn’t know, those two foods are the most sought after items in a care package.

In addition, any donations SecurePuter.com receives this month will go directly toward the creation of more care packages. If you are so generous, the donation button is in the bottom of the sidebar.

The article presented an interesting comparative analogy of the historic Pirates of the Barbary States and nowadays hackers. The thesis revolves around the measures taken by the United States to defend itself from pirates in the early days of independence and international trade. Aaron compares the Tripoli, Morocco, Tunis and Algiers sponsored Barbary pirates to paid hacker coalitions. Much like ancient pirate fleets, hacker groups are being hired by nations to attack other nations, such as the Russia Georgia incident. These hackers could be considered internet mercenaries or modern day pirates.

The article also parallels the extortion demanding pirates with modern day computer security protections. If the pirates didn’t exist, no tribute would need to have been paid for safe travels. If malicious hackers didn’t exist, there would be no need to spend a fortune on security products for safe internet travels. Aaron preaches drastic measures, such as Jefferson’s philosophy “Millions for defense, not one cent for tribute”, is needed to properly defend the United States in the new “sea”, the world wide web.

I hope all have enjoyed the content thus far.

I was asked by a co-worker how I keep track of so many passwords for so many accounts, all of which have to change annually. I told her I use a custom formula in my head that allows me to determine what a password is on a given account. I don’t have to remember 100 passwords, only the formula.

Password Basics

Passwords are the oldest and most widely used form of authentication, but also the weakest. To get the biggest bang for your buck, you must choose a password that incorporates as many character variations and the longest length possible. That means numbers, letters (both uppercase and lower), punctuation marks, any symbols allowed by the system, and at least 8 characters in length. If you are logging into multiple systems or websites, varying your password is also recommended. If a password is compromised, you don’t want the attacker to gain access to every account you own on a single password. Each account a user holds should have its own unique password.

You will want to develop a personal method of managing multiple passwords. That way you will only need to remember the method, not each individual password. To develop your personal technique, open your mind and create something easy to remember but hard to guess.

Create a Multiple Password Formula

This is an example. Design your own using any number of things. Take characteristics of your life that are static and some that are dynamic. Let’s create a 10 character password that is different for each system or website, and will be changed every year. We’ll need to create a formula that is simple to remember.

John Smith
Spouse: Kristen Smith
DOB: 04/12/1972

A fictitious password for a Fidelity account.

1st and 2nd character
The first and last letter of the computer or website’s name.
“fy” for Fidelity
This should change for each account. If the computer is named Yoda the characters would be “ya”; if it was Bank of America “ba”. Therefore, we have unique passwords for each account.

3rd character
A separation symbol
“.” A period
Includes a non alpha numeric character to increase the number of password possibilities if attempted to crack.

4th and 5th characters
Capitalized initials, but the last letters
“NH” for John Smith
Adding capitalized letters doubles the password possibilities value of using alpha characters.

6th character
Another separator
“_” underscore

7th character
Last number of my year of birth plus the last two digits of the current year
“0” for ’72 plus ‘08
Used as an easy mathematical equation that varies from year to year.

8th character
Capitalized first letter of Significant other’s name
“K”
A simple & easy to remember letter

9th and 10th characters
The last 2 digits of the current year
“08”
Another revolving couple characters that are used when changing passwords yearly.

Now when John Smith logs into Fidelity he types in “fy.NH_0K08” which is much better than him using a birthday “04121972.” Instead of just 10 to the 8th power in possibilities, this technique has given him much more security against password crackers due to the incorporation of so many character types.

Once you have a method of your own constructed, it will only be a short time until you have the formula memorized and it becomes just as simple as typing in a birthday. For John Smith all he has to remember is first and last letter of website, period, capitalized reverse initials, underscore, last number of DOB + year, capitalized K (note the ones that are capitalized are initials which is an easy association), and the current year.

You could get however extreme you want with your own technique. Maybe taking the first letter of the site “F”, finding its place in the alphabet “6” and using that to determine which letter in your name to use. John Smith – 6th letter – “m”. You see? This could get as difficult as you wish. Just make sure your not using the same password for each account and that it changes at least yearly.

Password Reset Concerns

If you had a password formula such as this, you would rarely need to have your password reset. The questions often asked for password reset authorization are, in reality, a second password. A fellow security blogger wrote an article titled, “A Different Approach to Password Reset” that effectively outlines such concerns. Below is an excerpt.

Mother’s Maiden Name - public record
Street you grew up on - can be findable.
Place of Birth - discoverable
Name of Pet - guessable (top list of pet names on Internet, or just check their facebook)

Do yourself a favor and create your multiple password formula now.

Series: CISSP Study Sheet
Entry: Access Control

The CISSP Study Sheet Series identifies the most important details regarding each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, such as my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP study sheets just before the test, and then doing a “brain dump” of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. This second study sheet will focus on the Access Control domain.

Access Control Study Sheet

Access Control Attacks – Denial of Service, wardialing, brute force, shoulder surfing, dumpster diving, sniffing, spoofing, and dictionary attacks.
Identity Management – centralized technologies designed to control access rights of specific identities, such as directories LDAP, NIS, or DNS.
Data Classification – a multitier labeling of information that dictates how a piece of data should be treated.

Identification – unique usernames recognized on computer systems.
Authentication – proof of the claimed identity. Something you know…Something you have…Something you are.
Authorization – what the identity is permitted to do.
Accountability – the use of such things as audit trails to hold responsible the activity of the user.

Who you are… Ok, you are you…What can you do…What you did.

Preventative – access controls enabled to stop unwanted actions by blocking the ability to do them.
Detective – access controls that identify the unwanted actions after they have occurred.
Corrective – access controls which cure the enabling of unwanted actions and restore previous conditions.
Directive – government laws and organizational policy that determines what is allowable.
Deterrent – the repercussions of not following directives.
Recovery – access controls involving the restoration of computing resources after an incident.
Compensating – backup and contingency controls that reinforce normal operations.

Least Privilege – allowing for only the minimum resources needed to accomplish tasks.
Need to Know – not everyone with a secret clearance needs to know everything classified at secret. Certain information should remain only with the persons required to know it.
Separation of Duties – requires collusion of two or more people to commit fraud instead of a single entity having control of complete transactions.

Administrative – access controls related to policies and personnel, such as separation of duties and procedures.
Technical – logical access controls utilizing software and hardware solutions, such as encryption.
Physical – environmental and material access controls, such as doors and locks.

All Access Controls should default to no access.

Password – most used form of access control, but susceptible to brute force and dictionary attacks.
Passphrase – a series of words converted into a password that is not as vulnerable as a simple password.
Password Synchronization – allows users to access multiple systems with one password.
Self Service Password – the ability for users to reset their own passwords without administrative assistance.
Assisted Password Reset – Identification and authentication of a user prior to password reset. Usually through a question and answer process.
One Time Password – a time based synchronous changing of passwords to avoid shoulder surfing and replay attacks.
Single Sign On – centralized authentication database that gives access to numerous resources from one authentication, such as SESAME.
Kerberos – an SSO protocol using a ticket from the key distribution center for authentication in a single security domain. The ticket granting service then generates new tickets with the session keys.

Discretionary Access Control (DAC) – data owner designated access via identity permissions of users or group.
Mandatory Access Contorl (MAC) – sensitivity labeling of information to restrict access via two attributes to an object from unauthorized users.
Role Based Access Control (RBAC) – A form of DAC that uses the owner’s discretion to categorize access based on a users specific function or role.
Content Dependant Access Control – an object’s content is analyzed by an arbiter program to determine access privileges.
Nondiscretionary Access Control – role based access control managed by the system’s administrator rather than the data owner.

Centralized Access Control – One individual, device, or group makes the decision for network access, such as RADIUS, TACACS+, and Diameter.
Decentralized Access Control – the network access decision is distributed locally, such as peer to peer.

Access Control Lists (ACLs) – a common DAC that designates what users have access to an object, and what functions they are allowed to do on that object.
Capability Table – much like an ACL, but bound to a subject and lists what objects he or she can access.
Constrained User Interface – disallows the ability of a user to interact with certain objects, such as grayed out icons and database views.
Tempest – a way to combat the electrical signals in the airwaves.
Audit Logs – protected and reviewed record of user activities, system events, and application actions.
Keystroke Monitoring – a form of auditing that records every keystroke performed by a user.

Physiological Biometrics – identification and authentication controls recognizing physical characteristics, such as fingerprints and retina scans.
Behavioral Biometrics – identification and authentication controls recognizing mannerisms, such as voice inflections and keyboard strokes.
Biometrics Type I error – rejection of an authorized individual.
Biometrics Type II error – imposter was authenticated.
Smart Card – a physical access control device for authentication

User Provisioning – creation, maintenance, and removal of user attributes in systems, applications, and directories.
HR database – having been developed first and maintained by personal, the HR database is the primary source for user identification.

Intrusion Detection System (IDS) – monitors events in real time to detect intrusion attempts via statistical or signature based analysis, and alerts administrators of a possible attack.
Intrusion Prevention System (IPS) – acts as an IDS but also has advanced capability to stop or prevent attacks.
Host Based IDS & IPS – analyzes single computers for suspicious activity using audit logs and processing irregularities.
Network Based IDS & IPS – analyzes network packets, discards dangerous traffic, and alerts administrators.
Penetration Testing – a series of steps used to bypass systems security controls to gain unrestricted access to systems and data.

Degaussing – returns media to its original state through magnetism.
Phishing – a social engineering attempt to gather sensitive information.

More CISSP Study Sheets and other CISSP resources.