Basic Concepts of Access Control, Identification and Authentication

Session Overview

1. Introduction to access control
2. Identification
3. Authentication
– 3 factors of authentication
4. Session Summary

1. Access Control: Introduction

Access Control (1 of 3)

Access control consists of mechanisms and procedures that aim at protecting information against improper disclosure and modification (confidentiality and integrity).

Access control is one of the most basic and important information security controls.

Access Control (2 of 3)

Access control is performed by selectively restricting access to an information system, such as a
– Personal computer, mobile device or server
– Network
– Web site, database, application or folder
– Physical location

Access Control (3 of 3)

Key components of access control are
• Identification
• Authentication
• Authorization
• Audit trail

The sophistication of the access control mechanisms should be commensurate with the sensitivity of the information to be protected.
2. Identification

Identification (1 of 3)

Identification is the process of an entity communicating its claimed identity to another entity.

An entity can be a person, a computer, a software programme or any other type of entity.

Identification (2 of 3)

On computer systems, identification is typically achieved by entering an identifier called a username (or login ID). Identification alone proves nothing: anyone can type "alice"; it is authentication that binds the session to the claimed identity.

Identification (3 of 3)

• Person to computer
– PC, server or other system
• Computer to person
• Computer to computer
3. Authentication

Authentication is the process of proving a claimed identity.

Authentication is based on one or several of the following factors:
• Knowledge: Something the user knows
• Ownership: Something the user has
• Inherence: Something the user is or does

Combining factors of different types (multi-factor authentication) forces an attacker to compromise each of them; two secrets of the same type (a password and a PIN) still count as a single factor.
Authentication – Knowledge factor

• PIN – Personal Identification Number
• Password
• Passphrase
• Answer to a security question – ex. mother's maiden name

Authentication – Knowledge factor: How it works

Simple password-based authentication protocol

Step 1. Client → Server: Username: Alice; Password: MyLittleSecret
Step 2. Server verifies the username and password against its local database (Username: Alice, Password: MyLittleSecret, …)
Step 3. Server → Client: ACK/NAK: Authentication Accepted or Refused

Authentication – Knowledge factor: How it breaks

The simple password authentication protocol is not secure, and is vulnerable to:
1. Eavesdropping on the communication channel
2. Replaying what the user communicated
3. Keylogger on user PC
4. Malware sniffing on the user computer
5. Dictionary and brute force attacks

An improvement consists of cryptographically protecting the password when communicated (an encrypted channel) and including a challenge-response, so that a captured exchange cannot be replayed. The result still remains vulnerable to 3, 4 and 5: the secret is still typed on the user's machine, and a recorded challenge-response pair lets an attacker test password guesses offline.
Authentication – Ownership factor

• Magnetic stripe card
• Smart card
– A card containing an integrated circuit enabling the storage and processing of a small amount of data; can store and use cryptographic keys
– Contact or contactless (through radio-frequency induction)
– SIM (Subscriber Identity Module) cards and EMV payment cards are examples
• RFID – Radio Frequency Identification
– Similar technology to contactless smart cards, but less processing power and less memory
• Hardware tokens
• Secret cryptographic key on a computer

Authentication – Inherence factor

Something a user is or does. Related to biometrics.

Two main categories:
• Physiological
– Ex. fingerprint, facial recognition, iris/retina scan, DNA
• Behavioral
– Ex. voice recognition, typing rhythm
4. Session Summary

• Access control consists of mechanisms and procedures that aim at protecting information against improper disclosure and modification
• The key components of access control are Identification, Authentication, Authorization and Audit trail
• Identification is the process of an entity communicating its claimed identity to another entity
– An entity can be a person, a computer, a software programme or any other type of entity

• Authentication is based on one or several of 3 factors:
– Knowledge: Something the user knows
• Ex. PIN, password, passphrase, challenge question
– Ownership: Something the user has
• Ex. Magnetic stripe card, smart card (with or without RFID), hardware tokens, cryptographic keys
– Inherence: Something the user is or does
• Ex. Biometrics such as fingerprint scan, facial recognition, iris/retinal scan

End of Session
Basic Concepts of Audit Trail

Session Overview

1. Definition of an audit trail
2. Usage
3. Types of logs
4. Minimal events to log
5. Content of a log
6. Session Summary
1. Definition of an Audit Trail

A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.
Source: CNSSI 4009-2015

A record showing who has accessed an information technology (IT) system and what operations the user has performed during a given period.
Source: NIST SP 800-47
2. Audit Trail Usage

As with many other information security controls, access control is complemented with audit trails (security logging).

An audit trail can be used for:
• Diagnosing problems
• Reconstructing events
• Assuring accountability and segregation of duties
• Allowing for intrusion detection

3. Types of Logs

An audit trail includes all or a subset of the following:
- Application logs: business and operations relevant events as well as complementary events such as debug messages
- Access logs on Web servers
- Database logs: queries, modifications to data, etc.
- Operating system logs: ex. Windows event logs
- Network logs
- Any other type of log necessary to reconstruct a sequence of activities performed
4. Minimal Events to Log

Minimally, for information security purposes, the following events should be logged:
– Successful and failed authentication
– High privilege accesses
– Modifications to access policies and any other security configuration

5. Content of a Log

Each event log should include the following:
– Who: the subject involved, or actor
– What: the operation done, the action
– When: timestamp (with time zone, from a synchronized clock, so that events from different systems can be ordered)
– Where: on what system, and what resource has been accessed or modified
– Any additional detail

Important Considerations for Audit Trails

• Availability: The period of time for which the audit trail must be available will depend on the nature of the logs and specific requirements.
• Integrity: Mechanisms must be put in place to assure the integrity of audit trails (requirements of auditors, court cases). An attacker who gains high privilege will try to alter or delete the records of that access, so logs should be forwarded to a separate system and protected against modification (append-only storage, hash chaining or signing).
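As an added example (not part of the lecture slides), the following Python code builds an audit trail whose records carry the Who/What/When/Where fields of section 5, chains each record to the previous one with an HMAC so that editing, reordering or deleting a record is detectable (the integrity consideration above), and runs one of the detections that section 4's minimal events enable: a burst of failed authentications for one subject. The key, the host names, the subjects and every event are constructed for the demonstration; in a real deployment the chaining key would be held by the log collector, not by the host that produces the events.

```python
"""Added example (not from the lecture slides): a tamper-evident audit trail with
Who/What/When/Where records, HMAC chaining, and a failed-login burst detector.
All keys, names and events below are constructed for the demonstration."""
import hmac, hashlib, json
from datetime import datetime, timezone, timedelta

# Constructed key; in practice it lives on the log collector, not on the host
# producing the events, so a compromised host cannot re-chain its own logs.
LOG_KEY = b"constructed-audit-key"

def _canonical(body: dict) -> bytes:
    # canonical serialisation so the MAC covers exactly one byte string
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class AuditTrail:
    def __init__(self, key=LOG_KEY):
        self.key = key
        self.records = []
        self.prev_mac = "0" * 64        # chain anchor

    def log(self, who, what, where, when, outcome, **detail):
        record = {
            "seq": len(self.records),
            "who": who, "what": what, "where": where,
            "when": when.isoformat(), "outcome": outcome,
            "detail": detail, "prev": self.prev_mac,
        }
        record["mac"] = hmac.new(self.key, _canonical(record), hashlib.sha256).hexdigest()
        self.prev_mac = record["mac"]
        self.records.append(record)
        return record

def verify_chain(records, key=LOG_KEY):
    """Return (ok, index_of_first_bad_record). Rewriting, reordering or deleting
    any record changes that record's MAC or breaks the 'prev'/'seq' links."""
    prev = "0" * 64
    for i, r in enumerate(records):
        body = {k: v for k, v in r.items() if k != "mac"}
        if body.get("prev") != prev or body.get("seq") != i:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r["mac"]):
            return False, i
        prev = r["mac"]
    return True, None

def failed_auth_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Subjects with >= threshold failed authentications inside any window."""
    times = {}
    for r in records:
        if r["what"] == "authenticate" and r["outcome"] == "failure":
            times.setdefault(r["who"], []).append(datetime.fromisoformat(r["when"]))
    flagged = set()
    for who, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.add(who)
                break
    return flagged

def build_sample_trail():
    """Constructed events: one good login, four failed logins, one policy change."""
    t0 = datetime(2018, 2, 27, 16, 50, 4, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.log("alice", "authenticate", "srv01", t0, "success")
    for i in range(4):
        trail.log("bob", "authenticate", "srv01", t0 + timedelta(seconds=20 * i), "failure")
    trail.log("alice", "modify_policy", "srv01", t0 + timedelta(minutes=1), "success",
              policy="acl:/finance")
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain ok:", verify_chain(trail.records))
    print("failed-login burst:", failed_auth_bursts(trail.records))
    trail.records[2]["outcome"] = "success"     # attacker rewrites one record
    print("after tampering:", verify_chain(trail.records))
```

The chain only proves integrity from the point of collection onward; it cannot recover a record that was never written, which is why authentication and privileged operations must be logged at the source in the first place.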
Example log

*Date Time: [20180227 16:50:04]
*Server information:
Server Name: [] IP: [Can not resolve!!] Port: [8082]
*Client Information:
Computer Name:[Test] Port:[0]
Client IP: [127.0.0.1]
GUID:[]
*Action: Unload Client
*Connection status: Online
*Result: Connection established OK.

This record carries When (the timestamp), Where (server port, client name and IP) and What (the action and its result), but no Who: nothing identifies the user or account behind the client, which limits its value for accountability.

6. Session Summary
Session Summary (1 of 3)

• An audit trail is a record showing who has accessed an informational resource and what operations the user has performed during a given period
• Audit trails are used in
– Diagnosing problems
– Reconstructing events
– Assuring accountability and segregation of duties
– Allowing for intrusion detection

Session Summary (2 of 3)

An audit trail includes all or a subset of the following:
- Application logs
- Database logs
- Operating system logs
- Access logs on Web servers
- Network logs

Minimally, from an information security standpoint, the following events must be logged:
– Successful and failed authentication
– High privilege accesses
– Modifications to access policies and any other security configuration

Session Summary (3 of 3)

Each event log should include the Who, What, When, Where:
– The subject involved, or actor
– The operation done, the action
– A timestamp
– The system and resource that has been accessed or modified
– Any additional detail

Important consideration must be given to the availability and integrity of an audit trail.

End of Session
Basic Concepts of Authorization

Session Overview

1. Authorization
1.1 Definition of authorization
1.2 Subject, operations and objects
1.3 Access control models
2. Security issues with improper authorization
3. Session Summary
1.1 Definition of Authorization

For a given identified and authenticated entity (also called subject), authorization is the process of determining and controlling what informational resources (also called objects) are permitted to be accessed, and what operations can be performed on these resources by the entity.

1.2 Subject, Operations and Objects

Subject: a user, a group of users or a system
Operation: read, write, print, create, modify, exec, delete, etc.
Object: a resource such as a file, document, directory, database entry, Web resource, computer, device or network

1.3 Access Control Models (1 of 2)

A privilege is a permission to perform an operation on an object.

An authorization policy (or access control policy) defines the (high level) set of rules by which access control must be regulated.

An access control model provides a formal representation of the authorization policy and its workings.

1.3 Access Control Models (2 of 2)

The most popular access control models are:
• Access Control Matrices
• Access Control Lists
• Role-Based Access Control (RBAC)
2. Example of Security Issues with Improper Authorization

Société Générale Trading Loss (1 of 4)

• Jérôme Kerviel was a trader at Société Générale who was convicted and imprisoned for breach of trust, forgery and unauthorized use of the bank's computers.
• Kerviel's trading activities led to a loss of €4.9 billion.
• He initially joined the middle office of the bank, working in its compliance department.

Société Générale Trading Loss (2 of 4)

Front office: investment, position management; trading, arbitrage
Middle office: compliance; control and processing of transactions
Back office: confirmation, payment, settlement and accounting

Société Générale Trading Loss (3 of 4)

• After working at the bank for 5 years, Kerviel moved from the middle office to the front office and became an arbitrage trader.
• As an arbitrage trader, Kerviel was supposed to buy financial instruments (call them A) and sell similar instruments (call them B) at a slightly higher price on a different market, with the intent of making a profit at low risk.

Société Générale Trading Loss (4 of 4)

• Kerviel would buy financial instruments A without selling similar instruments B, taking a directional position that is opposite to the risk mitigation policy and the role of an arbitrage trader.
• Kerviel would cover up his strategy by creating fake transactions on instruments B and using the access codes of back office users in an unauthorized way in order to cancel these operations, without the middle office being able to detect the risk that was taken.
• A fraudulent position of €50 billion was finally detected, which ended up in a loss of over €4.9 billion.

The authorization failure is twofold: a front office user was able to use back office credentials, and no control ensured that the subject who enters a trade cannot also cancel the transactions that offset it (segregation of duties).

3. Session Summary

• Authorization is the process of determining and controlling what informational resources (also called objects) are permitted to be accessed, and what operations can be performed on these resources, by a subject.
• The 3 most common access control models are: access control list, access control matrix and role-based access control (RBAC).
• Privileges accumulated by a malicious user across roles can cause significant security issues; access rights must be revoked when a subject changes role.

End of Session
Authentication Based on Inherence

Session Overview

1. Authentication Schemes Based on Inherence
2. Vulnerabilities
3. Session Summary

1.1 Inherence Factors

• Physiological
– Fingerprint
– Facial recognition
– Iris / Retina
– DNA
• Behavioral
– Voice recognition
– Typing rhythm

1.2 Biometric Authentication

Biometric authentication uses measurements of special characteristics of an individual, which are read and compared to a reference record (template). Two readings of the same characteristic are never identical, so the comparison is a similarity score against a threshold, and every scheme has a false accept rate and a false reject rate that trade off against each other.

Source: Ritam Dutta, Papri Ghosh, A New Approach Towards Biometric Authentication System in Palm Vein Domain, March 2012
1.3 Fingerprint Based Authentication

Minutiae are the points where friction ridges begin, terminate, or split. These points are used for recognition purposes.

Source of image: www.biometrics.gov

1.4 Common Biometric Attributes Used in Authentication

Fingerprint
– Working: recognizes minutiae details against a measurement template. May add a temperature monitor.
– Vulnerabilities: use of 3-D molds

Facial
– Working: analyzes unique shape, patterns and positioning of facial features that are mapped (2D or 3D)
– Vulnerabilities: use of photographs or video material

Iris
– Working: from an infrared picture, recognizes striations, pits and furrows against a measurement template
– Vulnerabilities: synthetic iris image

Voice
– Working: analyzes the rhythm, tone and pitch of a voice and possibly other characteristics
– Vulnerabilities: recording devices cannot perfectly reproduce the characteristics of the vocal tract. However, an individual's voice can change with age and other factors
2. Vulnerabilities

2.1 Vulnerabilities with Fingerprint

Gummi bears defeat fingerprint sensors
Sticky problem for biometrics firms

A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera.

First Tsutomu Matsumoto used gelatine (as found in Gummi Bears and other sweets) and a plastic mould to create a fake finger, which he found fooled fingerprint detectors four times out of five.

Flushed with his success, he took latent fingerprints from a glass, which he enhanced with a cyanoacrylate adhesive (super-glue fumes) and photographed with a digital camera. Using PhotoShop, he improved the contrast of the image and printed the fingerprint onto a transparency sheet.

Here comes the clever bit.

Matsumoto took a photo-sensitive printed-circuit board (which can be found in many electronic hobby shops) and used the fingerprint transparency to etch the fingerprint into the copper.

From this he made a gelatine finger using the print on the PCB, using the same process as before. Again this fooled fingerprint detectors about 80 per cent of the time.

Source: John Leyden, The Register, 16 May 2002
3. Session Summary

• Authentication schemes based on the inherence factor, or biometrics, can be categorized into two types: physiological or behavioral
• Examples of physiological features used in authentication are: fingerprint, facial, iris, DNA
• Examples of behavioral features used in authentication are: voice recognition, typing rhythm

• Biometric authentication schemes use special characteristics of an individual, which are read, measured and compared to a reference record
– Fingerprint based authentication uses minutiae, which are the points where friction ridges begin, terminate, or split
– Facial recognition authentication uses unique shape, patterns and positioning of facial features
– Iris scan authentication uses striations, pits and furrows
– Voice recognition authentication uses rhythm, tone and pitch of a voice

• Biometric authentication schemes can be vulnerable to artificial copies: 3-D molds, images, photographs and videos
• Biometric readers can add liveness checks to mitigate these vulnerabilities
• Unlike a password, a compromised biometric cannot be changed, so the stored reference template must be protected as carefully as a secret key

End of Session
Authentication Based on Knowledge

Session Overview

1. Authentication Schemes Based on Knowledge
2. Vulnerabilities
3. Session Summary

1.1 Knowledge Factors

• PIN – Personal Identification Number
• Password
• Passphrase
• Answer to a security question – ex. mother's maiden name

1.2 Password Based Authentication

Simple password based authentication protocol

Step 1. Client → Server: Username: Alice; Password: MyLittleSecret
Step 2. Server verifies against its local database (Username: Alice, Password: MyLittleSecret, …)
Step 3. Server → Client: ACK/NAK: Authentication Accepted or Refused
1.3 Password Digest

• A more secure way to store a password is to transform it into data that cannot be converted back into the original input; the verifier stores only the digest, never the password itself
• A cryptographic hash function or a symmetric encryption algorithm (bcrypt is built on Blowfish) can be used with a salt and in iteration
– Slow down the computation by consuming CPU time or memory, so that each guess costs the attacker as much as it costs the server
• Common password digestion algorithms are
– Bcrypt
– Scrypt
– PBKDF2
– Argon2

1.4 Protecting the Password in Transit

• A password must also be secured in transit to avoid eavesdropping and replay attacks
• Two methods to secure a password in transit:
– Using encryption to secure the channel (e.g. TLS), so the password is never visible on the wire
– Using a nonce as a challenge, so that what crosses the wire is a one-time response and a replay of it is rejected
2. Vulnerabilities

2.1 Shoulder Surfing

Shoulder surfing
– Spying over someone's shoulder in order to steal personal authentication data such as a PIN, password, passphrase or answer to a secret question

2.2 Keyloggers and Malware

Keyloggers
• A keylogger or keystroke recorder is software or hardware that records the keystrokes of a user, typically covertly
• Various malware implement a keylogger function

2.3 Phishing & Social Engineering

Phishing
- Type of social engineering in which an attacker sends a fraudulent message with the objective of tricking the victim into revealing sensitive information such as authentication credentials
- Different social engineering schemes in general can be used to obtain authentication credentials
2.4 Password Crackers

A password cracker is a tool that allows the user to discover the cleartext password associated with a password digest.

Methods include:
- Dictionary attack: trying each and every password from a list of passwords (dictionary), possibly with certain variations (mangling rules such as capitalizing, appending digits or a year)
- Brute force: trying each and every possible password among all possible combinations respecting a certain policy (length and character set)
- Rainbow attack: uses "rainbow tables", pre-computed chains of hashes that accelerate an attack using a time-memory trade-off. A per-password salt defeats precomputation, because a separate table would be needed for every salt value.

Known tools include:
- Cain and Abel, ophCrack, John the Ripper, …
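As an added example (not from the lecture slides), the following Python code runs the three methods of section 2.4 against a small table of constructed, unsalted SHA-256 digests: a dictionary attack with mangling rules, a brute force over a 4-digit PIN policy, and a precomputed lookup table standing in for a rainbow table (a real rainbow table stores chain endpoints rather than every hash, but the precompute-then-lookup principle is the same). Users, passwords and the wordlist are all made up.

```python
"""Added example (not from the lecture slides): dictionary, brute-force and
precomputed-table attacks on constructed unsalted SHA-256 password digests."""
import hashlib
import itertools
import string

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed "stolen" digest table: unsalted SHA-256 of each user's password.
STOLEN = {
    "alice": sha256_hex("summer2018"),
    "bob":   sha256_hex("Summer2018!"),
    "carol": sha256_hex("7391"),          # a 4-digit PIN
    "dave":  sha256_hex("x9#Lq!vB2pZt"),  # not derivable from any list below
}

WORDLIST = ["password", "letmein", "summer", "summer2018", "qwerty"]

def mangle(word):
    """Variations applied to each dictionary word (a few common rules)."""
    yield word
    yield word.capitalize()
    yield word + "!"
    yield word.capitalize() + "!"
    for year in ("2017", "2018"):
        yield word + year
        yield word.capitalize() + year
        yield word.capitalize() + year + "!"

def dictionary_attack(digests, wordlist=WORDLIST):
    """Return {user: password} for every digest matched by a mangled word."""
    wanted = {h: u for u, h in digests.items()}
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = sha256_hex(cand)
            if h in wanted:
                found[wanted[h]] = cand
    return found

def brute_force(digest, alphabet=string.digits, max_len=4):
    """Enumerate every string allowed by the policy (alphabet, length <= max_len)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if sha256_hex(cand) == digest:
                return cand
    return None

def precomputed_table(wordlist=WORDLIST):
    """Time-memory trade-off in its simplest form: hash once, look up many
    times. Useless against salted digests, since the salt changes every hash."""
    return {sha256_hex(c): c for w in wordlist for c in mangle(w)}

def lookup_attack(digests, table):
    return {u: table[h] for u, h in digests.items() if h in table}

if __name__ == "__main__":
    print("dictionary:", dictionary_attack(STOLEN))
    print("brute force carol:", brute_force(STOLEN["carol"]))
    table = precomputed_table()
    print("table lookup:", lookup_attack(STOLEN, table))
    # with a salt the same password no longer hits the precomputed table
    print("salted digest in table:", sha256_hex("a1b2c3" + "summer2018") in table)
```

Dave's password resists all three methods only because it is outside the wordlist and the brute-force policy; against an unsalted fast hash the defence is the password's entropy alone, which is the argument for the slow, salted digests of section 1.3.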
3. Session Summary

• Authentication schemes based on knowledge use some sort of secret known by the user: PIN, password, passphrase, secret answer
• The simple password based authentication protocol is subject to several vulnerabilities
• A password digest is a transformation of the cleartext password so that it cannot be converted back
– Use of a salt and iterations to slow down an attack
• In transit a password can be protected with the use of encryption or a nonce in a challenge protocol

• Authentication schemes based on knowledge such as a password are vulnerable to:
– Shoulder surfing
– Keyloggers and malware
– Phishing and social engineering attacks
– Password cracking: brute force, dictionary attacks, rainbow attacks, …

End of Session
Authentication Based on Ownership

Session Overview

1. Authentication Schemes Based on Ownership
2. Vulnerabilities
3. Session Summary

1.1 Ownership Factors

• Magnetic stripe card
• Smart card
• Radio Frequency Identification (RFID)
• Hardware tokens
• Secret cryptographic key on a computer

1.2 Magnetic Stripe Cards

Magnetic stripe ATM and credit cards (ISO/IEC 7813 track layout)

Track 1:
%B_Primary Account Number_^_Name_^_Expiration date YYMM_3 digit Service code_Discretionary data (CVV or other)_?_LRC

Track 2:
;_PAN_=_Expiration date YYMM_3 digit Service code_Discretionary data_?_LRC

Track 3: Most often not used

Everything on the stripe is stored in clear and never changes: a reader that copies the tracks (a skimmer) has all it needs to clone the card, which is why possession of a magnetic stripe card proves very little.
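As an added example (not from the lecture slides), the following Python code parses the Track 1 and Track 2 layouts shown above, checks the PAN with the Luhn algorithm and masks it for logging. The track strings are constructed from the publicly known test PAN 4111111111111111 and a fictitious cardholder; the LRC character is a placeholder because it is a parity value computed by the encoder, not something the parser needs.

```python
"""Added example (not from the lecture slides): parser for ISO/IEC 7813 Track 1
and Track 2 data, with a Luhn check and PAN masking. Sample tracks are
constructed (test PAN, fictitious name, expiry 2025-12, service code 101)."""
import re

TRACK1 = "%B4111111111111111^DOE/JANE^2512101123456789?0"   # constructed
TRACK2 = ";4111111111111111=2512101123456789?0"             # constructed

def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def parse_track1(data: str) -> dict:
    # %B PAN ^ NAME ^ YYMM SVC DISCRETIONARY ? LRC
    m = re.fullmatch(r"%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?(.)", data)
    if not m:
        raise ValueError("not a Track 1 record")
    pan, name, exp, svc, disc, lrc = m.groups()
    surname, _, given = name.partition("/")
    return {"pan": pan, "surname": surname, "given": given.strip(),
            "expiry": exp, "service_code": svc, "discretionary": disc, "lrc": lrc}

def parse_track2(data: str) -> dict:
    # ; PAN = YYMM SVC DISCRETIONARY ? LRC
    m = re.fullmatch(r";(\d{1,19})=(\d{4})(\d{3})([^?]*)\?(.)", data)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, exp, svc, disc, lrc = m.groups()
    return {"pan": pan, "expiry": exp, "service_code": svc,
            "discretionary": disc, "lrc": lrc}

def mask_pan(pan: str) -> str:
    """Keep the first 6 (issuer) and last 4 digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

if __name__ == "__main__":
    t1 = parse_track1(TRACK1)
    t2 = parse_track2(TRACK2)
    print(t1["surname"], t1["given"], mask_pan(t1["pan"]), t1["expiry"], luhn_ok(t1["pan"]))
    print("track 2 carries the same card data:", t2 == {k: t1[k] for k in t2})
```

Every field a skimmer needs to write a clone is right there in the parsed output; only the masked form should ever reach a log.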
1.3 Smart Cards

Integrated circuit cards that come in two types:
• Memory cards
• Microprocessor cards (can run a cryptographic algorithm on-card, so the secret key never leaves the chip)

Radio Frequency Identification (RFID) smart cards have an embedded antenna.

1.4 GSM Authentication with SIM Card

Global System for Mobile communications (GSM)

IMSI = this phone's ID (International Mobile Subscriber Identity), sent by the phone to the network
R = a 128-bit random number (the challenge), sent by the network to the phone
EK(R) = the 128-bit random number encrypted using the subscriber's secret key K (the response), computed inside the SIM and returned to the network, which compares it with its own computation

Source: Figure 2.10 from Introduction to Computer Security, M. T. Goodrich & R. Tamassia

1.5 Hardware Tokens

A hardware token, usually in the form of a credit card or a keychain fob, with memory, processing power and a digital display.

Displays a code that is the result of a cryptographic transformation of a secret stored in the token and the current time.

Figure 2.4, Hardware token, from Jason Andress, The Basics of Information Security (Second Edition), 2014

1.6 Cryptographic Key

A secret or private cryptographic key stored on a device

- Examples:
- Secure Shell (SSH) public key authentication
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS) client certificates
2. Vulnerabilities

2.1 Vulnerabilities

Loss or theft

Skimming

Vulnerabilities in cryptographic protocols or algorithms

2.2 Card skimming

A skimmer is a reader hidden on or in a legitimate terminal (ATM, fuel pump, point of sale) that copies the magnetic stripe tracks as the card is swiped, often paired with a camera or an overlay keypad to capture the PIN.

Source: https://www.engadget.com/2014-07-28-credit-card-skimming-explainer.html

2.3 Vulnerabilities in Cryptographic Protocols

• GSM has a history of using bad/weak cryptographic algorithms: the original COMP128 authentication algorithm leaked the SIM key K under chosen-challenge attacks (SIM cloning), and the A5/1 and A5/2 stream ciphers used for over-the-air encryption have practical breaks
3. Session Summary

• Authentication schemes based on the ownership factor rely on something the user has or owns, such as: magnetic stripe card, chip card, hardware token or cryptographic key stored on a device
• Magnetic stripe cards store authentication data on tracks, in clear, and are vulnerable to card skimming
• Smart cards are integrated circuit cards that come in two types: memory cards and microprocessor cards. These can securely store a cryptographic secret used in an authentication protocol
• Smart cards can be contactless with RFID / NFC technology

• Hardware tokens are in the form of a credit card or keychain fob and contain a digital display that provides a code
• Another example of authentication based on ownership consists of using a secret or private cryptographic key stored on a device, such as used in SSH or SSL/TLS
• Many examples of vulnerabilities with such authentication exist, based on bad implementations or misuse of cryptographic protocols or algorithms

End of Session
Cryptographic Challenge-Response Protocols

Session Overview

1. Basic Concepts of a Cryptographic Challenge-Response
1.1 Concept
1.2 Authentication Based on Timestamp
1.3 Authentication Based on a Random Value
2. Session Summary

1.1 Concept

The claimant demonstrates knowledge of a secret without revealing the secret itself.

This can be done using:
- One-way hash functions (keyed, i.e. a MAC such as HMAC)
- Symmetric encryption algorithms
- Public key cryptography (the claimant signs the challenge; the verifier only needs the public key)

The challenge is a time-variant value that can be in the form of:
- A timestamp
- A sequence number
- A random number chosen by the authenticator (a nonce)

The time-variant value is what defeats replay: a response is accepted only for a fresh challenge, so a recorded response is useless later.

1.2 Challenge Based on Timestamp

Generation (on the token):
Authentication Code = Encryption / One-way function (Seed / Secret Key, Timestamp)

Verification (on the server):
Authentication Code' = Encryption / One-way function (Seed / Secret Key, Time ± interval)
Accept if the submitted code matches one of the codes computed for the current time step and its neighbours (the tolerated clock drift).
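As an added example (not from the lecture slides), the following Python code computes a time-based one-time code the way the hardware tokens of the ownership session (1.5) and the timestamp scheme of section 1.2 above describe: code = truncate(HMAC(seed, time step)). The verifier accepts the current step and one neighbouring step on each side for clock drift, and remembers the last step it accepted so that a code cannot be replayed inside its validity window. The construction is that of RFC 6238 (TOTP) with RFC 4226 truncation; the seed and the clock values are constructed.

```python
"""Added example (not from the lecture slides): TOTP generation and verification
with drift tolerance and replay protection. Seed and clock values are constructed."""
import hmac, hashlib, struct

STEP_SECONDS = 30
DIGITS = 6

def time_step(now: float, step=STEP_SECONDS) -> int:
    return int(now) // step

def totp(seed: bytes, counter: int, digits=DIGITS) -> str:
    """HOTP dynamic truncation (RFC 4226) of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TotpVerifier:
    """Server side: holds the shared seed and the last time step it accepted."""
    def __init__(self, seed: bytes, drift_steps=1):
        self.seed = seed
        self.drift = drift_steps
        self.last_accepted = -1

    def verify(self, code: str, now: float) -> bool:
        current = time_step(now)
        for delta in range(-self.drift, self.drift + 1):
            step = current + delta
            # constant-time compare; a plain == leaks timing on the first bad digit
            if step > self.last_accepted and hmac.compare_digest(totp(self.seed, step), code):
                self.last_accepted = step     # one-time: this step cannot be reused
                return True
        return False

# Constructed shared seed (provisioned into the token and into the server).
SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = 1_300_000_000.0                     # constructed clock value
    code = totp(SEED, time_step(now))
    v = TotpVerifier(SEED)
    print(code, "fresh:", v.verify(code, now))
    print("replayed 5 s later:", v.verify(code, now + 5))
```

The `last_accepted` check is what turns a 30-second window into a true one-time code; without it, a code captured by a phishing page remains valid for the rest of its step, which is exactly how real-time phishing kits defeat plain TOTP.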
1.3 Challenge Based on Randomness (1 of 2)

GSM – SIM example

IMSI = this phone's ID (International Mobile Subscriber Identity)
R = a 128-bit random number (the challenge)
EK(R) = the 128-bit random number encrypted using the subscriber's secret key K (the response)

Source: Figure 2.10 from Introduction to Computer Security, M. T. Goodrich & R. Tamassia

1.3 Challenge Based on Randomness (2 of 2)

SSL Handshake: the client and the server each contribute a random value (the ClientHello and ServerHello random fields); the session keys derived from them, and the Finished messages computed over the whole handshake, are therefore fresh for every session, and a recorded handshake cannot be replayed.

Source: W. Stallings, "SSL: Foundation for Web Security", Bd. 20, 1998.
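As an added example (not from the lecture slides), the following Python code plays out the random-challenge exchange of section 1.3 and of the GSM/SIM slide in the ownership session, with both sides' messages and an eavesdropper who records one exchange and replays it. HMAC-SHA256 stands in for the keyed function EK; real GSM runs the A3 algorithm inside the SIM. Identities, keys and the subscriber table are constructed.

```python
"""Added example (not from the lecture slides): nonce challenge-response between
a SIM (claimant) and the network (verifier), plus a replay attempt. HMAC-SHA256
replaces E_K; identities and keys are constructed."""
import hmac, hashlib, secrets

def response(key: bytes, challenge: bytes) -> bytes:
    """E_K(R): keyed one-way transformation of the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Sim:
    """Claimant: holds IMSI and the secret K, and never sends K."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k = imsi, k

    def answer(self, challenge: bytes) -> bytes:
        return response(self._k, challenge)

class Network:
    """Verifier: knows K for every IMSI and issues a fresh R per attempt."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers        # imsi -> K
        self.pending = {}                     # imsi -> outstanding R

    def challenge(self, imsi: str) -> bytes:
        r = secrets.token_bytes(16)           # 128-bit random challenge
        self.pending[imsi] = r
        return r

    def check(self, imsi: str, r: bytes, resp: bytes) -> bool:
        # Accept only the R this verifier issued and has not yet consumed.
        if self.pending.get(imsi) != r:
            return False
        del self.pending[imsi]                # one-shot challenge
        expected = response(self.subscribers[imsi], r)
        return hmac.compare_digest(expected, resp)

def run_protocol(sim: Sim, net: Network):
    """Returns (accepted, transcript); the transcript is what an eavesdropper sees."""
    r = net.challenge(sim.imsi)               # network -> phone: R
    resp = sim.answer(r)                      # phone -> network: E_K(R)
    return net.check(sim.imsi, r, resp), (sim.imsi, r, resp)

def replay(net: Network, transcript) -> bool:
    """Attacker resends a recorded (IMSI, R, E_K(R)) without knowing K."""
    imsi, r, resp = transcript
    return net.check(imsi, r, resp)

# Constructed subscriber database and SIM
K_ALICE = secrets.token_bytes(16)
NET = Network({"001010123456789": K_ALICE})
SIM_ALICE = Sim("001010123456789", K_ALICE)

if __name__ == "__main__":
    ok, transcript = run_protocol(SIM_ALICE, NET)
    print("genuine SIM accepted:", ok)
    print("replay accepted:", replay(NET, transcript))
    NET.challenge(SIM_ALICE.imsi)             # even against a fresh challenge...
    print("replay against new challenge:", replay(NET, transcript))
```

The transcript never contains K, but it does contain a valid (R, EK(R)) pair, which is why a weak EK (the COMP128 case mentioned in the ownership session) turns eavesdropped or chosen challenges into a key-recovery attack.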
2. Session Summary

• Cryptographic challenge-response protocols are based on a shared secret (or a key pair) and a time-variant parameter
• Can be based on a timestamp, sequence value or random value
• Hardware authentication tokens display a code that is the result of the cryptographic transformation of a seed (shared secret key) and the current timestamp
• Several common authentication protocols, such as those used in GSM and SSL/TLS, use a cryptographic challenge-response protocol based on a shared secret key or a public key certificate and a random value
Password Digest and Key Stretching

Session Overview

1. Password digest functions
2. Key stretching algorithms
3. Session Summary

1.1 Simple Password Digest

Password → Hash Function → Digest

Hello → 4149da18aa8bfc2b1e382c6c26556d01a92c261b6436dad5e3be3fcc (56 hex characters, i.e. a 224-bit digest)

1.2 Password Digest Entries

Who has the same password?

username hash
alice 4420d1918bbcf7686defdf9560bb5087d20076de5f77b7cb4c3b40bf46ec428b
jason 695ddccd984217fe8d79858dc485b67d66489145afa78e8b27c1451b27cc7a2b
mario cd5cb49b8b62fb8dca38ff2503798eae71bfb87b0ce3210cf0acac43a3f2883c
teresa 73fb51a0c9be7d988355706b18374e775b18707a8a03f7a61198eefc64b409e8
bob 4420d1918bbcf7686defdf9560bb5087d20076de5f77b7cb4c3b40bf46ec428b
mike 77b177de23f81d37b5b4495046b227befa4546db63c

alice and bob have identical digests, so they have the same password: with an unsalted hash, cracking one of them cracks both, and a single precomputed table serves every account.

Source: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/

1.3 Salt

Salt || Password → Hash Function → Digest

Password stored as: Salt || Digest

Hello → 4149da18aa8bfc2b1e382c6c26556d01a92c261b6436dad5e3be3fcc
6c39e274Hello → dc942eb043ee30a6e73ed7227fd74775f2683a7680ac7d87f9be45ee

The salt is a random, per-account value stored in clear next to the digest; it need not be secret, it only needs to be unique, so that equal passwords produce different digests.
2. Key Stretching Algorithms

2.1 PBKDF2

Password-Based Key Derivation Function 2 (PBKDF2)

Salt || Password → HMAC, repeated for the configured number of iterations → Digest

HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))

In PBKDF2 the password is the HMAC key K and the salt (with a block counter) is the first message m; each further iteration feeds the previous HMAC output back in as the message, and the outputs of all iterations are XORed together to form the derived key.

2.2 Bcrypt

Bcrypt derives the digest from the expensive key schedule of the Blowfish block cipher, with a 128-bit salt and a cost parameter: the key setup is repeated 2^cost times, so the work factor can be raised as hardware gets faster.

2.3 Other Key Stretching Algorithms

Other commonly used password digest algorithms:

- Scrypt
- uses a large vector of pseudorandom bit strings as part of the algorithm in order to require more memory
- this makes hardware implementations more expensive, and less likely to be accelerated using specialized hardware (ex. ASIC and FPGA)
- Argon2
- specifically designed to resist acceleration on GPUs and ASICs (memory-hard, with tunable memory, time and parallelism parameters)
- winner of the Password Hashing Competition in 2015
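As an added example (not from the lecture slides), the following Python code puts sections 1.1 to 2.1 above (and section 1.3 of the knowledge-factor session) into practice: it shows that an unsalted hash exposes two accounts with the same password, that a per-user salt hides them, how a record is stored with its salt and iteration count, how PBKDF2 iterations raise the cost of each guess, and it checks the HMAC formula of 2.1 by building HMAC-SHA256 by hand and comparing it with the standard library. Usernames, passwords and salts are constructed; the record format is a hypothetical one chosen for the example.

```python
"""Added example (not from the lecture slides): salted PBKDF2 password records,
verification, per-guess cost, and the HMAC construction written out by hand.
Usernames, passwords and salts are constructed; the record format is hypothetical."""
import hashlib, hmac, os, time

def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def hmac_by_hand(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)) with H = SHA-256 (64-byte block)."""
    block = 64
    if len(key) > block:                 # long keys are hashed first, per RFC 2104
        key = hashlib.sha256(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def hmac_matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_by_hand(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()

def make_record(password: str, iterations: int = 100_000, salt: bytes = None) -> str:
    """Stored form 'pbkdf2_sha256$iterations$salt$digest'; salt is 16 random bytes."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_record(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    assert algo == "pbkdf2_sha256"
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)   # constant-time comparison

def same_password_visible(records: dict) -> bool:
    """True if two accounts share a digest (only possible without a salt)."""
    digests = list(records.values())
    return len(digests) != len(set(digests))

def guess_cost(iterations: int, trials: int = 20) -> float:
    """Wall-clock seconds per PBKDF2 guess at this iteration count."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return (time.perf_counter() - t0) / trials

if __name__ == "__main__":
    users = {"alice": "MyLittleSecret", "bob": "MyLittleSecret", "carol": "other"}
    print("unsalted leaks equal passwords:",
          same_password_visible({u: unsalted(p) for u, p in users.items()}))
    salted = {u: make_record(p, 1000) for u, p in users.items()}
    print("salted leaks equal passwords:", same_password_visible(salted))
    print("verify alice:", verify_record("MyLittleSecret", salted["alice"]))
    print("verify wrong:", verify_record("wrong", salted["alice"]))
    print("cost per guess, 1k vs 100k iterations: %.6fs vs %.6fs"
          % (guess_cost(1000), guess_cost(100_000, 3)))
    print("hand-built HMAC == hmac module:", hmac_matches_stdlib(b"k", b"m"))
```

Storing the iteration count in the record is what lets a site raise the cost later: old records keep verifying, and each account is re-hashed at its next successful login.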
3. Session Summary

• Adding a 'salt' to a password before hashing prevents the password digests from revealing that 2 accounts have the same password, and makes precomputed tables useless
• Adding 'iterations' to the hashing process slows down a dictionary or brute force attack
• Common password digest algorithms are: PBKDF2, Bcrypt, Scrypt and Argon2
• Scrypt and Argon2 are designed to use more memory, removing the possibility of accelerating a dictionary or brute force attack through the use of specialized hardware

End of Session
Review of Cryptographic Fundamentals

Session Overview

1. Symmetric Encryption
2. Asymmetric Encryption / Public Key Cryptography
3. Cryptographic Hash Functions
4. Session Summary

1.1 Encryption

Encryption is the process of transforming a message in such a way that it is intelligible to authorized parties only.

Two types of encryption:
• Symmetric encryption
• Asymmetric encryption (also called public key encryption)

1.2 Symmetric encryption

E is the encryption algorithm
D is the decryption algorithm
P is a plaintext (the message to encrypt)
C is a ciphertext (encrypted version of the message)
K is a secret key

C = E(K, P) and P = D(K, C); the same key K is used on both sides.

1.3 Standard symmetric encryption algorithms

The most common symmetric encryption algorithms are:
• Data Encryption Standard (DES) (56-bit key; no longer considered secure)
• Triple-DES
– 2-key 3DES with 112-bit key
– 3-key 3DES with 168-bit key (effective strength about 112 bits; deprecated by NIST for new applications)
• Advanced Encryption Standard (AES)
– Key sizes: 128, 192 or 256 bits

1.4 Modes of operation

A block cipher encrypts one fixed-size block (128 bits for AES); a mode of operation defines how a longer message is processed. ECB encrypts each block independently; CBC XORs each plaintext block with the previous ciphertext block (with an IV for the first block); CFB and OFB turn the block cipher into a stream cipher.

Source: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

1.5 ECB is Not Secure

In ECB mode identical plaintext blocks give identical ciphertext blocks, so patterns in the plaintext (the outline of an encrypted bitmap, repeated records) survive encryption. Under CBC, CFB or OFB with a fresh IV the same input becomes indistinguishable from random data.

Source: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
2. Asymmetric Encryption

2.1 Asymmetric Encryption

Instead of using a shared secret, there are two separate keys:
• A public key, Kpub, used to encrypt a message. The public key is PUBLIC, and can be seen and used by anyone
• A corresponding private key, Kpriv, which must remain private, and is used to decrypt a message encrypted with the corresponding public key

ciphertext = E(Kpub, message); message = D(Kpriv, ciphertext)
Kpub: this key anyone can see. Kpriv: this key has to be kept secret!

2.2 Standard Asymmetric Algorithms

The most common public key algorithms are:
• RSA (encryption and signatures)
– Key sizes: 2048, 3072 or 4096 bits
• Diffie-Hellman and MQV key agreement protocols
• Elliptic Curve algorithms
– Key sizes: 224+ bits (256 bits is the usual choice)

2.3 Secret Key Exchange Using Public Key Encryption

Step 1. Alice picks a random secret symmetric key K
Step 2. Alice looks up Bob's public key Kpub_Bob
Step 3. Alice sends Bob C = E(Kpub_Bob, K)
Step 4. Bob computes K = D(Kpriv_Bob, C); Alice and Bob now share a secret key K

This exchange only guarantees that the holder of Kpriv_Bob can read K: Bob learns nothing about who sent it unless Alice also authenticates herself (a signature or a certificate), and a substituted Kpub_Bob hands K to an impostor.
3. Cryptographic Hash Functions

3.1 Cryptographic Hash Function

A hash function is a mathematical function that takes a message of arbitrary length, and efficiently outputs a message of fixed length, called a digest.

3.2 Hash Digest

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse a nulla placerat, accumsan augue sed, lobortis odio. Donec faucibus metus eu augue dignissim, ut efficitur est finibus. Vivamus rutrum urna nibh, quis ornare ligula venenatis sed. In consectetur felis sit amet dapibus aliquet. Nam malesuada mi nec lobortis iaculis.

→ 71ae bc08 9abb d90a 850a 8faa 201f 2048

3.3 Properties

A cryptographic hash function is a hash function with the following properties:
• Pre-image resistance: given a random digest, it is infeasible to determine a message that produces that digest
– Given y, hard to find x such that H(x) = y
• Second-pre-image resistance: given a random message and the corresponding output of the hash function, it is infeasible to find a second message that outputs the same hash value
– Given x, and y = H(x), hard to find x' ≠ x such that H(x') = y
• Collision resistance: it is infeasible to find any two distinct messages that produce the same digest
– Hard to find x and x', such that x' ≠ x and H(x) = H(x')

For an n-bit digest a generic (second) pre-image attack costs about 2^n hash evaluations, but a collision costs only about 2^(n/2) (the birthday bound). Collision resistance is therefore the first property to fall, and digest sizes are chosen at twice the intended security level.

3.4 Standard Cryptographic Hash Algorithms

Most common cryptographic hash functions are:
• MD5 (no longer considered secure: collisions can be produced in seconds)
• SHA-1 (phased out: a practical collision was demonstrated in 2017)
• SHA-2
– SHA-224, SHA-256, SHA-384, SHA-512
• SHA-3
– Internally different from the MD5-like (Merkle–Damgård) structure of SHA-1 and SHA-2: built on the Keccak sponge construction
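As an added example (not from the lecture slides), the following Python code measures the three properties of section 3.3 on a deliberately weakened hash, SHA-256 truncated to n bits, so that the attacks finish in well under a second. It counts the hash evaluations a generic pre-image search, a second-pre-image search and a birthday collision search need, which makes the 2^n versus 2^(n/2) gap visible. The inputs are constructed counters, not real messages, and the truncated hash is a teaching device, not something to use.

```python
"""Added example (not from the lecture slides): pre-image, second-pre-image and
birthday collision searches on SHA-256 truncated to n bits (a toy hash)."""
import hashlib
import math

def h_trunc(msg: bytes, n_bits: int) -> int:
    """SHA-256 truncated to the top n_bits (n_bits <= 64). Toy hash, not for real use."""
    d = hashlib.sha256(msg).digest()
    return int.from_bytes(d[:8], "big") >> (64 - n_bits)

def preimage(target: int, n_bits: int, limit: int = 1 << 24):
    """Find any x with h(x) == target by enumeration. Returns (x, evaluations)."""
    for i in range(limit):
        x = b"p" + i.to_bytes(4, "big")
        if h_trunc(x, n_bits) == target:
            return x, i + 1
    return None, limit

def second_preimage(x: bytes, n_bits: int, limit: int = 1 << 24):
    """Find x' != x with h(x') == h(x). Same expected cost as a pre-image."""
    target = h_trunc(x, n_bits)
    for i in range(limit):
        x2 = b"s" + i.to_bytes(4, "big")
        if x2 != x and h_trunc(x2, n_bits) == target:
            return x2, i + 1
    return None, limit

def collision(n_bits: int, limit: int = 1 << 24):
    """Birthday search: remember every digest seen, stop at the first repeat."""
    seen = {}
    for i in range(limit):
        x = b"c" + i.to_bytes(4, "big")
        d = h_trunc(x, n_bits)
        if d in seen:
            return seen[d], x, i + 1
        seen[d] = x
    return None, None, limit

def compare_costs(n_bits: int) -> dict:
    """Measured evaluations next to the 2^n and sqrt(pi/2 * 2^n) rules of thumb."""
    x = b"the document"
    _, pre = preimage(h_trunc(x, n_bits), n_bits)
    _, sec = second_preimage(x, n_bits)
    a, b, col = collision(n_bits)
    assert a != b and h_trunc(a, n_bits) == h_trunc(b, n_bits)
    return {"n": n_bits, "preimage": pre, "second_preimage": sec, "collision": col,
            "expected_preimage": 2 ** n_bits,
            "expected_collision": round(math.sqrt(math.pi / 2 * 2 ** n_bits))}

if __name__ == "__main__":
    for n in (12, 16, 20):
        print(compare_costs(n))
```

The collision counts stay within a small factor of the birthday estimate while the pre-image counts scale with 2^n; at 20 bits the difference is already three orders of magnitude, and at 256 bits it is the difference between impossible and a different kind of impossible.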
4. Session Summary

18
Session Summary (1 of 3)
• An encryption algorithm transforms a plaintext into a
ciphertext using an encryption key
• A corresponding decryption algorithm allows to decrypt a
ciphertext into a plaintext using a decryption key
• Symmetric encryption algorithms use the same secret key for
encryption and for decryption
• AES is presently the most common symmetric encryption
algorithm, using a key of 128, 192 or 256 bits
• CBC, CFB and OFB are common and secure block cipher modes
of operations

19
Session Summary (2 of 3)

• Asymmetric encryption algorithms use a public encryption key
to encrypt and a corresponding but separate private key to
decrypt
• Asymmetric encryption algorithms are used in practice to share
a symmetric encryption key
• RSA, MQV, DH are common asymmetric encryption and key
exchange algorithms for which it is recommended to use at
least 2048 bit keys
• Elliptic curve cryptography uses smaller key sizes

20
Session Summary (3 of 3)

• A cryptographic hash function takes a message of arbitrary
size and produces an output, called digest, of fixed size
• Secure cryptographic hash functions satisfy the properties of
pre-image resistance, second pre-image resistance and collision
resistance
• SHA-2 and SHA-3, with digest lengths of 224 bits to 512 bits, are
commonly used

21
End of Session

22
Authorization

1
Session Overview

1. Authorization
2. Access Control Matrix
3. Access Control List
4. Session Summary

2
1. Authorization

3
1.1 Concept

Subject            Operation                Object
(user, group       (read, write, print,     (a resource such as a file,
of users or        create, modify,          document, directory, database
a system)          exec, delete, etc)       entry, Web resource, computer,
                                            device, network)

4
1.2 Terminology
A privilege is a permission to
perform an operation on an object.

An authorization policy (or access
control policy) defines the (high
level) set of rules by which access
control must be regulated.

An access control model provides a
formal representation of the
authorization policy and its
workings.

5
2. Access Control Matrix

6
2.1 Access Control Matrix

An access control matrix is a table that defines privileges.

File 1 File 2 Directory 1 Directory 2


User A read read read, exec read, exec
User B read,write read read,write,exec read, exec
User C read read

7
2.2 Access Control Matrix - Limitations
The main disadvantage of an
access control matrix is its size.

Example:
On a system that has 1,000 subjects
and 1,000,000 objects, the matrix
will have 1 billion entries!

8
3. Access Control List

9
3.1 Access Control List

An access control list (ACL) model defines for each object O, a list L
that enumerates all subjects along with their privileges on O.

An ACL is simply a column in an access control matrix (without the
empty entries).

The ACL of an object can be stored directly with the object as part
of its metadata.

File 1: User A: read; User B: read, write

10
3.2 Access Control List - Limitation
The main disadvantage with ACLs is
that they don’t provide for an
efficient way to enumerate all of
the privileges of a given subject:

• You need to search the access
control list of every object.

• This needs to be done, for
example, when revoking a user.
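The matrix/ACL relationship of 2.1 to 3.2 in code, as an added example that is not part of the deck: the matrix is stored sparsely, an ACL is derived as one column, and revoking a subject in an ACL store is shown to touch the ACL of every object. The sample data follows the deck's table; where User C's two "read" entries sit is not recoverable from the slide, so File 2 and Directory 2 are assumed.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Sparse access control matrix: only non-empty cells are stored, keyed
    by (subject, object). Rows are subjects, columns are objects."""

    def __init__(self):
        self.cells = defaultdict(set)   # (subject, obj) -> set of operations
        self.objects = set()

    def grant(self, subject, obj, *operations):
        self.cells[(subject, obj)].update(operations)
        self.objects.add(obj)

    def allowed(self, subject, operation, obj):
        return operation in self.cells.get((subject, obj), set())

    def acl(self, obj):
        """An ACL is one column of the matrix, without the empty entries."""
        return {s: set(ops) for (s, o), ops in self.cells.items() if o == obj}

    def capabilities(self, subject):
        """One row: every privilege of a subject. Cheap here only because the
        matrix keeps rows; the ACL store below has no such index."""
        return {o: set(ops) for (s, o), ops in self.cells.items() if s == subject}


class AclStore:
    """ACLs kept with each object, as the deck describes (object metadata)."""

    def __init__(self, matrix):
        self.acls = {obj: matrix.acl(obj) for obj in matrix.objects}

    def allowed(self, subject, operation, obj):
        return operation in self.acls.get(obj, {}).get(subject, set())

    def revoke_subject(self, subject):
        """Revoking a user means visiting the ACL of every object.
        Returns (objects_scanned, entries_removed)."""
        removed = 0
        for entries in self.acls.values():
            if entries.pop(subject, None) is not None:
                removed += 1
        return len(self.acls), removed


def build_sample_matrix():
    """Constructed data following the deck's table (User C's placement assumed)."""
    m = AccessControlMatrix()
    m.grant("User A", "File 1", "read")
    m.grant("User A", "File 2", "read")
    m.grant("User A", "Directory 1", "read", "exec")
    m.grant("User A", "Directory 2", "read", "exec")
    m.grant("User B", "File 1", "read", "write")
    m.grant("User B", "File 2", "read")
    m.grant("User B", "Directory 1", "read", "write", "exec")
    m.grant("User B", "Directory 2", "read", "exec")
    m.grant("User C", "File 2", "read")        # assumed column
    m.grant("User C", "Directory 2", "read")   # assumed column
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("ACL of File 1:", m.acl("File 1"))
    store = AclStore(m)
    print("revoking User B (objects scanned, entries removed):", store.revoke_subject("User B"))
```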

11
4. Session Summary

12
Session Summary
• An access control model provides a formal representation of
authorization rules.
• An access control matrix is a model that represents access privileges
in a matrix, with the first column representing the list of subjects
and the first row representing the list of objects. Each entry defines
the access privileges of a subject on an object.
• The main limitation of an access control matrix is its size.
• An access control list defines, for a given object, the list of subjects
and their access rights on the given object.
• An access control list is a column in an access control matrix.
• Its main disadvantage is the complexity of searching for all access rights
associated with a subject.

13
End of Session

14
Role Based Access Control and
Attribute Based Access Control

1
Session Overview

1. Role Based Access Control (RBAC)
2. Attribute Based Access Control (ABAC)

2
1. Role Based Access Control (RBAC)

3
1.1 RBAC

Subject Role Privilege

The privileges of a given subject are given by the union of the privileges of the
roles that are assigned to the subject.

In addition, a hierarchy can be defined. If role R1 is above role R2, then R1
inherits all privileges of R2.
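The two rules above (union over assigned roles, inheritance down the hierarchy) as an added example that is not from the deck or its cited textbook. Roles, privileges and subjects are a constructed hospital scenario.

```python
from collections import defaultdict


class RBAC:
    """Minimal RBAC with a role hierarchy."""

    def __init__(self):
        self.role_privileges = defaultdict(set)  # role -> {(operation, object)}
        self.juniors = defaultdict(set)          # role -> roles directly below it
        self.assignments = defaultdict(set)      # subject -> roles

    def add_privilege(self, role, operation, obj):
        self.role_privileges[role].add((operation, obj))

    def add_hierarchy(self, senior, junior):
        """senior is above junior, so senior inherits all of junior's privileges."""
        self.juniors[senior].add(junior)

    def assign(self, subject, role):
        self.assignments[subject].add(role)

    def effective_role_privileges(self, role):
        """Privileges of a role plus everything inherited, walking the
        hierarchy downward (the visited set guards against cycles)."""
        privileges, stack, seen = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            privileges |= self.role_privileges[r]
            stack.extend(self.juniors[r])
        return privileges

    def subject_privileges(self, subject):
        """Union of the effective privileges of every role assigned."""
        result = set()
        for role in self.assignments[subject]:
            result |= self.effective_role_privileges(role)
        return result

    def allowed(self, subject, operation, obj):
        return (operation, obj) in self.subject_privileges(subject)


def build_sample():
    """Constructed scenario: employee < nurse < doctor, plus an auditor role."""
    rbac = RBAC()
    rbac.add_privilege("employee", "read", "cafeteria-menu")
    rbac.add_privilege("nurse", "read", "patient-chart")
    rbac.add_privilege("doctor", "write", "prescription")
    rbac.add_privilege("auditor", "read", "access-log")
    rbac.add_hierarchy("nurse", "employee")   # nurse is above employee
    rbac.add_hierarchy("doctor", "nurse")     # doctor is above nurse
    rbac.assign("alice", "doctor")
    rbac.assign("bob", "employee")
    rbac.assign("bob", "auditor")             # two roles: union of both
    return rbac


if __name__ == "__main__":
    r = build_sample()
    print("alice:", sorted(r.subject_privileges("alice")))
    print("bob:  ", sorted(r.subject_privileges("bob")))
```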

4
1.2 RBAC Example

Source: Introduction to Computer Security, M. T. Goodrich & R. Tamassia

5
2. Attribute Based Access Control (ABAC)

6
2.1 ABAC

ABAC is an authorization model in
which access to objects is
controlled by evaluating rules
against the attributes of the
subject, the object and the
environment relevant to the
request.

7
2.2 ABAC Example

Subject          Object              Context
- Age            - Type of record    - Time
- Title          - Classification    - Region
- Department     - Location          - Risk
- Role
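The ABAC evaluation of 2.1 over the attribute kinds of 2.2, as an added example that is not part of the deck. The rules, the deny-overrides combining order and the hospital records scenario are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attributes = Dict[str, object]


@dataclass
class Rule:
    name: str
    effect: str      # "permit" or "deny"
    applies: Callable[[Attributes, Attributes, Attributes], bool]


class AbacPolicy:
    """Evaluates every rule against subject, object and context attributes.
    Deny-overrides combining: any matching deny wins, otherwise a matching
    permit grants, otherwise the request is denied by default."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, subject, obj, context) -> Tuple[str, List[str]]:
        matched = [r for r in self.rules if r.applies(subject, obj, context)]
        names = [r.name for r in matched]
        if any(r.effect == "deny" for r in matched):
            return "deny", names
        if any(r.effect == "permit" for r in matched):
            return "permit", names
        return "deny", names + ["default-deny"]


def business_hours(ctx) -> bool:
    return 8 <= ctx["hour"] < 18


# Constructed rules using the attribute kinds listed on the slide.
POLICY = AbacPolicy([
    Rule("same-department-staff-read", "permit",
         lambda s, o, c: o["type"] == "medical record"
         and s["department"] == o["department"]
         and s["role"] in {"doctor", "nurse"}),
    Rule("restricted-needs-attending", "deny",
         lambda s, o, c: o["classification"] == "restricted"
         and s["title"] != "attending"),
    Rule("high-risk-session", "deny",
         lambda s, o, c: c["risk"] == "high"),
    Rule("off-hours-from-other-region", "deny",
         lambda s, o, c: not business_hours(c) and c["region"] != o["location"]),
])


if __name__ == "__main__":
    subject = {"age": 41, "title": "attending", "department": "cardiology", "role": "doctor"}
    record = {"type": "medical record", "classification": "normal",
              "department": "cardiology", "location": "EU"}
    context = {"hour": 10, "region": "EU", "risk": "low"}
    print(POLICY.decide(subject, record, context))
    print(POLICY.decide(subject, record, {**context, "risk": "high"}))
```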

8
3. Session Summary

9
Session Summary

• In RBAC, privileges are associated with roles, not directly with
subjects, and roles are assigned to subjects.
• The privileges of a subject correspond to the union of the
privileges of the roles assigned to the subject.
• A role R1 that is above a role R2 inherits its privileges.
• ABAC is an authorization model in which access to objects is
controlled by evaluating rules against the attributes of the
subject, the object and the environment.

10
End of Session

11
Digital Identity and Blockchain

1
Session Overview

1. Digital Identity
2. Review of Bitcoin and blockchain
3. Blockchain for digital identity

2
1. Digital Identity

3
1.1 Digital Identity
The set of digital attributes that are
associated with an entity.

Examples:
• Name, surname
• Government ID
• Banking ID
• Academic credentials
• Login credentials & biometrics
• Web surfing habits
• Social media attributes
• Other attributes

4
2. Review of Bitcoin and Blockchain

5
2.1 Bitcoin

An electronic “payment system”
– Decentralized (peer-to-peer)
– Cryptographic
– Scarce: 21 000 000
– Divisible: 0.00000001 BTC
– Verifiable and irrevocable
– (Potentially) anonymous: like
cash money

6
2.2 Blockchain
The blockchain is the underlying
technology of Bitcoin, Ethereum and
Litecoin

It is a distributed general ledger
- Series of interconnected blocks
- Each block contains a cryptographic
hash of the previous block, a
timestamp and transaction data
- Blocks are immutable

Can be utilized to record digital data of
any value

7
2.3 Transaction
Figure: a transaction from Alice to Bob. Transaction elements 1 to n are
passed through the signature algorithm with Alice's private key
(Kpriv_Alice); the transaction is addressed to Bob's public key (Kpub_Bob).

8
2.4 Transactions in a Block

Transaction 1 Transaction 2 Transaction 3



Broadcast

x BTC H

1st Block … Challenge


H New Block
Proof
00 00…00 3A B4 57 13 06 55 81

Difficulty
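The chaining, proof-of-work and immutability described in 2.2 and 2.4, as an added example that is not Bitcoin's code or part of the deck. The block layout, the difficulty expressed as leading hex zeros, and the sample transactions with fixed timestamps are constructed for reproducibility.

```python
import hashlib
import json

DIFFICULTY = 3   # required leading hex zeros (12 zero bits): the "Difficulty"


def block_hash(block: dict) -> str:
    """SHA-256 over the block's header fields in a canonical encoding."""
    header = {k: block[k] for k in ("index", "prev_hash", "timestamp", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def mine(block: dict, difficulty: int = DIFFICULTY) -> dict:
    """Proof of work: increment the nonce until the hash meets the target.
    Returns the block with nonce and hash filled in."""
    target = "0" * difficulty
    block["nonce"] = 0
    while True:
        h = block_hash(block)
        if h.startswith(target):
            block["hash"] = h
            return block
        block["nonce"] += 1


def genesis(timestamp: int, difficulty: int = DIFFICULTY) -> dict:
    return mine({"index": 0, "prev_hash": "0" * 64, "timestamp": timestamp,
                 "transactions": []}, difficulty)


def new_block(prev: dict, transactions, timestamp: int, difficulty: int = DIFFICULTY) -> dict:
    """The next block carries the previous block's hash: that is the link."""
    block = {"index": prev["index"] + 1, "prev_hash": prev["hash"],
             "timestamp": timestamp, "transactions": list(transactions)}
    return mine(block, difficulty)


def verify_chain(chain, difficulty: int = DIFFICULTY) -> bool:
    """Immutability check: every stored hash must match the recomputed one,
    meet the difficulty, and equal the next block's prev_hash. Editing any
    recorded transaction changes that block's hash and breaks the link."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"] or not block["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def build_sample_chain():
    """Constructed chain: fixed timestamps so the run is reproducible."""
    g = genesis(1_700_000_000)
    b1 = new_block(g, [{"from": "Alice", "to": "Bob", "amount": 0.5}], 1_700_000_600)
    b2 = new_block(b1, [{"from": "Bob", "to": "Carol", "amount": 0.2}], 1_700_001_200)
    return [g, b1, b2]


if __name__ == "__main__":
    chain = build_sample_chain()
    for b in chain:
        print(b["index"], b["nonce"], b["hash"])
    print("valid:", verify_chain(chain))
    chain[1]["transactions"][0]["amount"] = 50   # tamper with a recorded transaction
    print("valid after tampering:", verify_chain(chain))
```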
9
3. Blockchain for Digital Identity

10
3.1 Traditional Digital Identity

Figure: separate identity silos, one per issuer: University, Government, Bank, …

11
3.2 Digital Identity on Blockchain
• On a Blockchain, the public keys serve as identifiers; they are called
DIDs (Decentralized Identifiers)
• A qualification or credential can be issued as a transaction on the
blockchain: the issuer uses their digital signature to provide a
credential to a recipient, identified by its DID

Figure: credential issuance and credential verification through the
Blockchain / distributed ledger

12
Session Summary

13
Session Summary
• A digital identity consists of the set of digital attributes associated with an entity
• Bitcoin is an electronic payment system that is decentralized, cryptographic,
scarce, verifiable and irrevocable.
• A Bitcoin transaction is an electronic signature that is recorded on the
Blockchain. The public key serves as the identifier of the entity involved in the
transaction.
• Ethereum and Litecoin also use Blockchain, a distributed general ledger
• A blockchain is a series of interconnected blocks, each containing a cryptographic
hash of the previous block, a timestamp and transaction data. These blocks are
immutable.
• A blockchain can be used to record electronic payments, and more generally any
type of digital data
• Blockchain can be used to implement digital identity. The public keys serve as
identifiers (decentralized identifiers (DIDs)).

14
Cloud Identity and Access Management (IAM)
Solutions

1
Session Overview

1. Introduction to cloud IAM solutions
2. Typical features of cloud IAM solutions
3. Pros and Cons


2
1. Cloud IAM Solutions

3
1.1 Introduction
• Historically, IAM solutions have
been implemented on-prem
using directory services such as
Microsoft AD or OpenLDAP
• Cloud IAM solutions help
organizations speed up
deployment and maintenance

4
1.2 Cloud IAM Features
Most Cloud IAM solutions will offer the following features:
• Identity provisioning
• Single access control point for all cloud services
• Single sign-on (SSO)
• Multi-factor authentication (MFA)
• Risk-based authentication

5
1.3 Pros and Cons

Pros:
• Faster deployment
• No maintenance (patching, upgrades)
• High availability and scalability
• Integration with cloud applications
• Usually a high level of security

Cons:
• Bigger target and single point for cybercriminals
• Integration of legacy systems and hybrid environments

6
Session Summary

7
Session Summary (1 of 2)
• Historically, IAM solutions have been implemented on-premises, mostly
with directory services such as Microsoft AD and OpenLDAP
• With the advent of cloud computing, several cloud-based IAM solutions
offer faster to deploy, scalable and reliable IAM
• Most cloud IAM solutions offer identity provisioning, a single access
control point, SSO, MFA and risk-based authentication

8
Session Summary (2 of 2)
• Some of the benefits of a cloud IAM solution include faster
deployment, no patching or upgrading, high availability and scalability,
integration with cloud applications and a high level of security
• Cons include the fact that a cloud IAM solution is a single point target for
cybercriminals, and the difficulty of integrating legacy applications in hybrid
environments

9
Federated Identity Management

1
Session Overview

1. The problem federated identity solves
2. Federated identity management
3. OAuth 2.0 access tokens

2
1. Federated Identity

3
1.1 The Problem

Figure: Organization A and Organization B each run their own Identity
Management and their own Applications; a Shared Application sits between
the two organizations.

4
1.2 Federated Identity Management
• The Identity Provider (IdP) is the
system entity that provides the
authentication assertions
• The service provider (SP) is the
entity that provides the shared
service and verifies the
authentication assertions
• The authentication assertions are
in the form of a token or ticket
• Technologies include SAML,
OAuth, OpenID, JSON Web
Tokens (JWT), etc.
• Allows for SSO

5
1.3 OAuth 2.0 Access Token (1 of 2)
• An OAuth access token is a string
representing an authorization
issued by an IdP to a subject
• Includes specific scope and
duration of access granted by the
resource owner and enforced by
the service provider
• May be an identifier used to
retrieve the authorization
information or may self-contain
the authorization information
• Cryptographically signed
Source: https://darutk.medium.com/oauth-access-token-implementation-30c2e8b90ff0

6
1.4 OAuth 2.0 Access Token (2 of 2)

Source: https://darutk.medium.com/oauth-access-token-implementation-30c2e8b90ff0
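The two token styles of 1.3 and 1.4 side by side, as an added example that is neither the deck's nor the cited article's code: a self-contained, signed token carrying subject, scope and expiry (JWT-style, HMAC-SHA256 over base64url parts), and an identifier token that the service provider must look up at the issuer. The shared key, subjects and scopes are constructed; the SP-side check verifies the signature before trusting any claim, then the lifetime, then the scope.

```python
import base64
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-change-me"   # assumption: key shared by IdP and SP


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_self_contained(subject: str, scope: str, lifetime: int, now: int, key=SHARED_KEY) -> str:
    """Self-contained token: the authorization (sub, scope, exp) travels
    inside the token, protected by an HMAC-SHA256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_self_contained(token: str, now: int, key=SHARED_KEY):
    """Service-provider side: signature first, then lifetime. Returns the
    claims, or None when the token is malformed, forged or expired."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, KeyError):
        return None
    if now >= claims["exp"]:
        return None
    return claims


class ReferenceTokenStore:
    """Identifier-style token: an opaque random string. The authorization
    itself stays at the IdP and the SP retrieves it by looking the token up."""

    def __init__(self):
        self._grants = {}

    def issue(self, subject: str, scope: str, lifetime: int, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"sub": subject, "scope": scope, "exp": now + lifetime}
        return token

    def introspect(self, token: str, now: int):
        grant = self._grants.get(token)
        if grant is None or now >= grant["exp"]:
            return None
        return dict(grant)


def has_scope(claims, required: str) -> bool:
    """Scope enforcement at the SP: scope is a space-separated list."""
    return claims is not None and required in claims["scope"].split()


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_self_contained("alice", "read write", 3600, now)
    print(token)
    print("read allowed:", has_scope(verify_self_contained(token, now + 10), "read"))
    print("admin allowed:", has_scope(verify_self_contained(token, now + 10), "admin"))
```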

7
Session Summary

8
Session Summary
• Federated identity solves the problem of authenticating subjects of a
security domain A that are accessing resources in a distinct security
domain B, without needing to share the subjects' authentication
credentials
• Federated identity management uses authentication assertions in the
form of a ticket or token that are generated by the identity provider (IdP)
and verifiable by the service provider (SP)
• Examples of technologies that implement these concepts include SAML,
OAuth, OpenID, JSON Web Tokens (JWT)
• An OAuth 2.0 access token is a string that represents an authorization and
includes a scope and duration. It can be an identifier used to
retrieve the authorization information or it can be self-contained. Tokens
are verifiable.
9
Cyber Attack Models

1
Session Overview

1. Introduction to Cyber Attack Models
2. The MITRE ATT&CK model

2
1. Cyber Attack Models

3
1.1 Introduction
• A cyber attack model represents
the different steps or sequences
of events involved in an attack on
an IT environment
• Useful for:
– Developing strategies and controls
to detect, stop and contain a cyber
attack
– Testing existing security controls:
ex. preparing a Red Team
– Analyzing and remediating a
security incident

4
1.2 Cyber Kill Chain

Source: https://www.techtag.de/it-und-hightech/it-security/cyber-kill-chain-it-infrastruktur/

5
1.3 Other Models

Cyber Kill Chain: Reconnaissance; Weaponize; Deliver; Exploit; Install;
Command & control; Actions

MITRE ATT&CK: Reconnaissance; Resource development; Initial access;
Execution; Persistence; Privilege escalation; Defense evasion; Credential
access; Discovery; Lateral movement; Collection; Command and control;
Exfiltration; Impact

Diamond Model (figure)
Source: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdfe.org

6
2. MITRE ATT&CK Model

7
2.1 ATT&CK
• ATT&CK
– Adversarial Tactics, Techniques &
Common Knowledge
– Tactics are the adversary’s
objectives – the “why”
– Techniques are the “how”
• ATT&CK Navigator
– Can be used to browse and
annotate the ATT&CK matrix and
view techniques associated to
threat groups or software
Source: https://www.mitre.org/

8
2.2 WannaCry Example

9
2.3 Techniques

10
2.4 Procedures and Mitigations

11
Session Summary

12
Session Summary
• A cyber attack model represents the different steps or sequences of
events involved in a cyberattack
• Can be used to develop strategies and controls to detect and mitigate
cyberthreats, to plan the testing of existing controls or to facilitate the
analyses and remediation of a security incident
• The Cyber Kill Chain is one of the first such models
– Recon; Weaponize; Deliver; Exploit; Install; C2; Actions
• ATT&CK is a more recent model that expands on the steps and
represents in a matrix the different tactics and specific techniques used
– Based on a common knowledge
– The ATT&CK navigator can be used to browse and annotate the matrix

13
Preventive and Detective Controls

1
Session Overview

1. Preventive and detective controls
2. Cybersecurity controls
– System Hardening, vulnerability and patch management
– Antimalware and Endpoint Detection and Response (EDR)
– Firewall, Intrusion Prevention System (IPS) and Web Application
Firewall (WAF)
– Data Loss Prevention (DLP)
– Security Information and Event Management (SIEM)
– UEBA, NTA and XDR

2
1. Preventive vs Detective

3
1.1 Introduction
Preventive controls aim at stopping a threat and preventing an incident
• Focus on reducing the probability of a successful attack
• Better than responding
• Does not require a high level of knowledge corresponding to identifying
an intrusion
• Ex. Patching, firewall, antivirus

Detective controls aim at identifying a threat in action and responding
• Focus on detecting and responding rapidly
• Compensates inefficiencies of preventive controls
• Not if you get breached but when
• Response to fast evolution of threats
• Ex. SIEM, EDR

4
2. Technological Controls

5
2.1 System Hardening P
System hardening is the process of
securing a system by reducing its
surface of vulnerabilities.

This includes
- Removing unnecessary software
and services
- Modifying configuration to
heighten security
- Changing default passwords and
removing unnecessary accounts

6
2.2 Vulnerability and Patch Management P

Source: https://security.gatech.edu/vulnerability-management

7
2.3 Antimalware P
• Antimalware is software used to
scan, detect and remove malware.
• Initially developed to defend
against computer viruses, now
evolved to protect against Trojan
Horses, ransomware, adware and
spyware and other forms of
malware
• Signature-based vs heuristic-based
(static or dynamic (sandboxing)) vs
behavior-based

8
2.4 Endpoint Detection and Response (EDR) P D
• EDR is an evolution of
antimalware
• Includes antimalware function
with additional features:
– Continuous gathering and
storage of events for further
analyses or investigations
– Prompts user with a preventive
list of actions or can
automatically isolate the
endpoint
– Makes use of AI
– Mostly lightweight agents

9
2.5 Firewall P
A Firewall is a system that aims at
protecting computers and networks
by filtering incoming and outgoing
traffic based on a predefined set of
rules

Source image: http://www.microsoft.com/security/pc-security/firewalls-whatis.aspx

10
2.6 Intrusion Prevention System P D
An intrusion prevention system (IPS) is a
network threat prevention tool that
monitors network traffic in order to
detect and prevent vulnerability exploits.

Can work based on signature-based
detection (like an antivirus) or behavior
based (statistical anomaly detection,
comparing random samples of traffic to a
baseline performance)

When a threat is detected, an IPS can
- Send an alarm to an administrator
- Drop malicious packets
- Block traffic from a specific source
address
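The two detection approaches and the three response actions above, reduced to code as an added example that is not from the deck or any IPS product. The signatures, the baseline request counts and the sample flows are all constructed (source addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges); the anomaly side flags a source whose request count in the current sample sits far above the baseline mean.

```python
import re
import statistics
from collections import Counter

# Constructed, illustrative signatures (not a real IPS rule set).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

# Constructed sample: requests per source observed in earlier, normal
# sampling periods (the baseline) and the (source, request) pairs of the
# current period.
BASELINE_RATES = [4, 5, 6, 5, 4, 6, 5, 5]
SAMPLE_FLOWS = (
    [("203.0.113.9", "GET /index.html")] * 5
    + [("203.0.113.5", "GET /search?q=x")] * 40
    + [("198.51.100.7", "GET /../../etc/passwd")]
)


def signature_matches(payload: str):
    """Signature-based detection: known exploit patterns, like an antivirus."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def anomalous_sources(flows, baseline_rates, z_threshold=3.0):
    """Behaviour-based detection: a source whose request count in this sample
    sits more than z_threshold standard deviations above the baseline mean."""
    mean = statistics.mean(baseline_rates)
    stdev = statistics.pstdev(baseline_rates) or 1.0   # guard a flat baseline
    counts = Counter(src for src, _ in flows)
    scores = {src: (n - mean) / stdev for src, n in counts.items()}
    return {src: z for src, z in scores.items() if z > z_threshold}


def ips_decisions(flows, baseline_rates):
    """Map detections onto the actions named on the slide: drop the
    offending packet, block the offending source, alert the administrator."""
    actions = []
    for src, payload in flows:
        hits = signature_matches(payload)
        if hits:
            actions.append(("drop", src, hits[0]))
    for src, z in anomalous_sources(flows, baseline_rates).items():
        actions.append(("block", src, f"request rate z-score {z:.1f}"))
    if actions:
        actions.append(("alert", "administrator", f"{len(actions)} detections"))
    return actions


if __name__ == "__main__":
    for action in ips_decisions(SAMPLE_FLOWS, BASELINE_RATES):
        print(action)
```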

11
2.7 Web Application Firewall (WAF) P D
A WAF monitors traffic between a web application and the Internet.

Works like an IPS but is specific to HTTP traffic.

Generally monitors and detects SQL injection, Cross-site scripting (XSS)
and file inclusion attacks.

Source: https://cutcopywaste.com/elizabethville/what-is-web-application-firewall.php

12
2.8 Data Loss Prevention P D
DLP solutions identify potentially
sensitive data based on a policy,
content and context, and adopt
remediation actions in order to
prevent the loss, leakage or misuse
of data.

Different types include:
- Endpoint
- Storage
- Network or cloud

13
2.9 Security Information and Event Management D
A SIEM is a software solution that
aggregates events from various
systems across a network and offers
real-time analysis and alerting.

Correlation rules based on use cases.

Also consolidates security logs for
compliance and audit purposes.

14
2.10 UEBA, NTA, XDR P D
• User and Entity Behaviour Analytics (UEBA): Monitors and analyses
traffic patterns from users and entities, compared to a baseline
• Network Traffic Analytics (NTA): Monitors and analyses all traffic flows
• Both types of solutions are based on AI and machine learning, advanced
analytics and rule-based detection
• XDR
– X stands for any data source
– Combines EDR, UEBA and NTA in a single solution

15
Session Summary

16
Session Summary (1 of 5)
• Preventive controls aim at stopping a threat and preventing an incident
by reducing the probability of a successful attack.
– These controls generally do not require a high level of knowledge with regards to
identifying an intrusion
• Detective controls focus on detecting and responding rapidly to
incidents. They compensate for the inefficiencies of preventive controls and
require knowledgeable staff.
• Both types of controls must be combined in a cyber defence strategy.

17
Session Summary (2 of 5)
• System hardening focuses on reducing a system's vulnerability surface by
removing unnecessary software and services, modifying configuration,
changing default passwords and removing unnecessary accounts.
• Vulnerability management is the process of discovering assets within a
network and identifying security vulnerabilities.
• It is complemented by patch management, which consists of updating
operating systems and the software running on them.
• At a high level of maturity, all threat vectors are periodically scanned and
prioritized, patching is continuous and key performance indicators are
integrated into enterprise risk management.

18
Session Summary (3 of 5)
• Antimalware is software that will scan, detect and remove malware.
• It is signature-based, with some solutions offering heuristic analysis,
either static (analysis of code) or dynamic (executing code in a sandbox
environment), or behavior-based (analysis of certain events).
• EDRs are an evolution of antimalware, with continuous gathering and
storage of events, and make use of artificial intelligence.
• They are mostly in the form of a lightweight agent installed on endpoints
and prompt users with preventive actions or can automatically isolate an
endpoint.

19
Session Summary (4 of 5)
• A Firewall protects computers and networks by filtering
incoming and outgoing traffic based on a predefined set of
rules.
• An IPS monitors network traffic in order to detect and prevent
vulnerability exploits. It can block or send an alert. The analysis is
signature-based or behaviour-based (statistical anomaly
detection).
• A WAF works like an IPS but is specific to HTTP traffic. It can
detect SQL injection, Cross-site scripting (XSS) and file inclusion
attacks.

20
Session Summary (5 of 5)
• DLP solutions identify potentially sensitive data based on a policy,
content and context, and adopt remediation actions.
• They are specific to endpoint, storage, network or cloud.
• A SIEM aggregates events from various systems across a network
and offers real-time analysis and alerting based on correlation
rules. It also consolidates security logs for compliance and audit
purposes.
• UEBA monitors and analyses traffic from user and entities
compared to a baseline. NTA does the same for all type of network
traffic. They use AI and machine learning, advanced analytics, and
rule-based detection.
• An XDR combines the functions of an EDR, UEBA and NTA.

21
Audit Logs and Security Monitoring

1
Session Overview

1. Audit Logs
2. Security Monitoring

2
1. Audit Logs

3
1.1 Audit Logs
An audit log (or audit trail) is a record
of events and activities.

The event logs are generated by
devices across a network: network
devices, operating systems,
middleware, database management
systems, applications.

Different formats and protocols exist;
the most popular are
• Syslog
• Windows Event Log
• JSON log formats

4
1.2 Advantages of an Audit Log

• Security Monitoring
• Troubleshooting and Performance Monitoring
• Risk Management
• Incident Investigation
• Compliance

5
1.3 Fields of a Log Event
Who, What, When, Where and any
additional information that is
relevant.

The following fields should be
present in every event log:

Subject: user id or name, group,
name of account that executed the
operation
Action: the operation corresponding
to the event. Ex. Read, write, delete
Datetime: timestamp of when the
operation (log event) occurred
Source: IP address and/or name of
the client server, name of the
application

6
1.4 Example Event Log

Figure: a Windows Event Viewer entry annotated with the fields above:
Subject (user), Action (Windows Event ID 1001 is an error code),
Date/time, Source (application, computer) and Additional information.

Source: https://www.ictshore.com/php/install-php-on-windows/attachment/php0001-05-windows_event_viewer/

7
2. Security Monitoring

8
2.1 SIEM

Security Information Management (SIM)
– Long-term storage of log events,
as well as analysis and reporting

Security Event Manager (SEM)
– Real-time monitoring, correlation
of events and alerting

A SIEM combines both SIM and SEM

9
2.2 SIEM Capabilities
Log Management: Collection and aggregation of event logs from various
sources, including network devices, desktops, servers, operating systems,
middleware, database management systems, applications, etc.
Retention: Long-term storage necessary for threat hunting, forensics and
compliance
Normalization: Transformation of the various standards into a uniform
format for processing
Correlation and analysis: A variety of correlation techniques to integrate
the information from various event logs
Alerting: Notification of certain correlated events
Reporting: Visualisation of alerts and informational charts
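The Who/What/When/Where fields of 1.3 and the normalization, correlation and alerting capabilities of 2.2, run over sample data as an added example that is not part of the deck. The syslog-style lines are constructed (203.0.113.0/24 is a documentation range), as is the correlation rule: several authentication failures for the same user and source followed by a success inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed syslog-style lines, not taken from any real system.
RAW_LINES = [
    "2024-05-01T08:00:01Z srv-web01 sshd[912]: Failed password for alice from 203.0.113.5",
    "2024-05-01T08:00:07Z srv-web01 sshd[912]: Failed password for alice from 203.0.113.5",
    "2024-05-01T08:00:15Z srv-web01 sshd[912]: Failed password for alice from 203.0.113.5",
    "2024-05-01T08:00:42Z srv-web01 sshd[912]: Accepted password for alice from 203.0.113.5",
    "2024-05-01T08:01:10Z srv-db01 sshd[455]: Failed password for bob from 203.0.113.20",
    "2024-05-01T08:30:00Z srv-db01 sshd[455]: Accepted password for bob from 203.0.113.20",
]

LINE_RE = re.compile(
    r"^(?P<when>\S+) (?P<host>\S+) (?P<app>[^\[:]+)(\[\d+\])?: "
    r"(?P<outcome>Failed|Accepted) password for (?P<who>\S+) from (?P<src>\S+)$"
)


def normalize(line: str):
    """Normalization: map one raw line onto the uniform Who/What/When/Where
    fields; returns None for lines this parser does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "who": m["who"],
        "what": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
        "when": datetime.strptime(m["when"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "where": {"host": m["host"], "app": m["app"], "src": m["src"]},
    }


def correlate_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failures for the same (user,
    source) followed by a success within `window` raises one alert."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["who"], ev["where"]["src"])
        recent = [t for t in failures[key] if ev["when"] - t <= window]
        if ev["what"] == "auth_failure":
            recent.append(ev["when"])
        elif ev["what"] == "auth_success" and len(recent) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "who": ev["who"],
                           "src": ev["where"]["src"], "failures": len(recent),
                           "when": ev["when"].isoformat()})
            recent = []
        failures[key] = recent
    return alerts


def run(lines=RAW_LINES):
    """Collect, normalize, correlate: returns (events, alerts)."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate_bruteforce_then_success(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(events)} events normalized")
    for alert in alerts:
        print("ALERT", alert)
```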

10
2.3 SIEM Architecture

11
2.4 SIEM Use Cases

Source: Swift, David (2010). "Successful SIEM and Log Management Strategies for Audit and Compliance". SANS Institute.
https://en.wikipedia.org/wiki/Security_information_and_event_management

12
Session Summary

13
Session Summary (1 of 2)
• An audit log (or audit trail), is a record of events and changes
• Different standards exist, the most popular are Syslog, Windows Event
Log, and JSON log formats
• Can be generated by various devices and systems in a network
• Used for security monitoring, troubleshooting and performance
monitoring, incident investigation, risk management and compliance
• Every event log should minimally include Who (subject), What (action),
When (datetime), Where (source) and any additional information

14
Session Summary (2 of 2)
• Security monitoring is achieved using a SIEM
– SIM for long-term storage of log events, analysis and reporting
– SEM for Real-time monitoring, correlation of events and alerting
• SIEM capabilities include log management, retention, normalization,
correlation and analysis, alerting and reporting
• A typical SIEM architecture includes forwarding log events from various
devices to a collector or aggregator, an analysis tier that applies
correlation rules, storage of logs, alerting and a presentation layer
• Various security monitoring use cases can be defined based on defined
rules on event sources with defined triggers to achieve monitoring goals

15