Tuesday, October 4, 2016

OCTAVE Risk Management Framework in a Nutshell

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.

  • It is carried out by the organisation itself, using in-house domain experts and IT security resources.
  • It can be quick and flexible, and it focuses on critical risks.
  • Its main focus is on operational risk.
  • It is a collaborative effort, using workshops, questionnaires, walkthroughs, scenarios and so on.
  • It basically has three steps:
    • Organisation-wide view. This step has multiple processes:
      • Identification of organisation assets at all levels (management, operations).
      • Understanding the threats to these assets and creation of threat profiles.
    • Technological view. Identification of critical assets and infrastructure vulnerabilities:
      • Vulnerability assessment and risk analysis using the threat profiles generated above.
      • Evaluation of risk based on defined criteria.
    • Risk treatment strategy:
      • Categorisation of risk and deciding its mitigation plan.
  • OCTAVE has two variants:
    • OCTAVE-S: a leaner version.
    • OCTAVE Allegro: focuses on information systems. It has 8 steps categorised into 4 phases.

Saturday, January 23, 2016

SMTP    Simple Mail Transfer Protocol
MTA     Mail Transfer Agent
MDA     Mail Delivery Agent
MSA     Mail Submission Agent
MUA     Mail User Agent
SASL    Simple Authentication and Security Layer
GSSAPI  Generic Security Service Application Program Interface
CRAM    Challenge-Response Authentication Mechanism
SCRAM   Salted Challenge-Response Authentication Mechanism


What is it? SMTP AUTH is a mechanism that can additionally be enabled for authentication between the elements of an email system: the MTA, the MDA and the MUA. The MTA and MDA speak SMTP, while the MUA is the endpoint agent, i.e. the mail client. SMTP AUTH covers authentication SMTP-to-SMTP as well as SMTP-to-mail client. It is provided as an SMTP service extension (ESMTP). SMTP AUTH can work with or without TLS (STARTTLS) and is concerned only with authentication; if the whole channel is to be made confidential, TLS should be used.

The EHLO keyword (in place of HELO) initiates the ESMTP session, and a subsequent AUTH command with its options starts a SASL authentication mechanism. SASL is a generic abstraction layer, independent of the application, and so provides a separate authentication layer for applications (SASL-aware applications). RFC 4954 spells out the SMTP AUTH standard.

Why use it?

a. Authentication between mail servers and other elements in the email distribution chain.
b. Mobile users who switch hosts can keep using the same MTA without reconfiguring their mail client's settings each time.
c. External email access is user-based rather than IP-based.

Mechanisms for SMTP AUTH

Commonly used SASL mechanisms with ESMTP are: 

  • PLAIN: the client sends a single string to the server, a Base64 representation of the credentials. RFC 4954 mandates the use of TLS with this mechanism.
  • LOGIN: again uses Base64 encoding; however, the credentials are exchanged in a sequence of client-server dialog steps.
  • GSSAPI: for use with mechanisms like Kerberos.
  • CRAM-MD5: better than the PLAIN and LOGIN mechanisms. Plaintext attacks are possible and it does not authenticate the server (refer to RFC 4954). It also requires, in many implementations, that the password be stored in plain text.
  • DIGEST-MD5: more secure than CRAM-MD5 as it uses a nonce. This mechanism also requires, in many implementations, that the password be stored in plain text.
  • SCRAM family (SCRAM-SHA-1 was a replacement for DIGEST-MD5).
  • EXTERNAL: for external authentication.
Other registered mechanisms are listed at  
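To make the differences between these mechanism families concrete, here is an added example (written for this page, not code from the original post or from any RFC) that reduces PLAIN, CRAM-MD5 and SCRAM-SHA-256 to their core computations and runs each side in-process. It shows why PLAIN needs TLS (the credentials are only Base64), why CRAM-MD5 verification forces the server to keep the password itself, and how SCRAM lets the server keep only salted one-way keys while also authenticating the server to the client, which is the point made later in the post when SCRAM is recommended over the MD5 mechanisms. The nonces, salt, user name and passwords are constructed demo values.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the original post or any RFC reference code): the
# three mechanism families, each reduced to its core computation, so the
# password-storage and channel requirements can be compared side by side.


# --- PLAIN: one Base64 string "authzid NUL authcid NUL passwd" -----------------
def plain_encode(authcid, passwd, authzid=""):
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_decode(token):
    """Anyone who sees the wire bytes recovers the password: Base64 is not encryption."""
    authzid, authcid, passwd = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, authcid, passwd


# --- CRAM-MD5: HMAC-MD5 over a server challenge, keyed with the password ----------
def cram_md5_response(user, passwd, challenge):
    digest = hmac.new(passwd.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def cram_md5_verify(response, challenge, stored_plain_passwd):
    """The server must hold the password (or equivalent MD5 state): the response
    cannot be checked against a salted one-way hash, and nothing proves the
    server's identity to the client."""
    _user, digest = response.split(" ", 1)
    expected = hmac.new(stored_plain_passwd.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


# --- SCRAM-SHA-256: server stores only salted, one-way keys ------------------------
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _salted_password(passwd, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", passwd.encode("utf-8"), salt, iterations)


def scram_enroll(passwd, salt=None, iterations=4096):
    """What the server keeps per user: salt, iteration count, StoredKey, ServerKey.
    Neither key yields the password without a brute-force search over the salted PBKDF2."""
    salt = salt if salt is not None else os.urandom(16)
    salted = _salted_password(passwd, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": server_key}


def scram_exchange(user, client_passwd, record, cnonce="cnonce-demo", snonce="snonce-demo"):
    """Run the three SCRAM messages in-process (nonces are constructed demo values).
    Returns (server_accepted_client, client_accepted_server)."""
    salt_b64 = base64.b64encode(record["salt"]).decode("ascii")
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={salt_b64},i={record['iterations']}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"  # "biws" = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode("utf-8")

    # Client: derive ClientKey from its password and prove knowledge of it.
    salted = _salted_password(client_passwd, record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = _xor(client_key, client_sig)

    # Server: recover ClientKey from the proof, hash it, compare with StoredKey.
    sig_from_stored = hmac.new(record["stored_key"], auth_message, hashlib.sha256).digest()
    recovered_client_key = _xor(proof, sig_from_stored)
    if not hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), record["stored_key"]):
        return False, False

    # Server proves it holds ServerKey; the client checks it (mutual authentication).
    server_sig = hmac.new(record["server_key"], auth_message, hashlib.sha256).digest()
    client_server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    expected = hmac.new(client_server_key, auth_message, hashlib.sha256).digest()
    return True, hmac.compare_digest(server_sig, expected)


if __name__ == "__main__":
    print("PLAIN on the wire:", plain_encode("test", "test", authzid="test"))
    print("PLAIN decoded   :", plain_decode(plain_encode("test", "test", authzid="test")))
    chal = b"<1896.697170952@postoffice.reston.mci.net>"  # constructed challenge value
    resp = cram_md5_response("tim", "tanstaaftanstaaf", chal)
    print("CRAM-MD5 verify :", cram_md5_verify(resp, chal, "tanstaaftanstaaf"))
    rec = scram_enroll("pencil")
    print("SCRAM good pw   :", scram_exchange("user", "pencil", rec))
    print("SCRAM bad pw    :", scram_exchange("user", "pencils", rec))
```

Note what each server-side verifier needs: `cram_md5_verify` takes the plaintext password, whereas `scram_exchange` only ever reads `stored_key` and `server_key` from the enrollment record, and a stolen record still costs an attacker a PBKDF2 search per guess.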
Extract of the example from RFC 4954 section 4.1, where "S:" is a server message and "C:" a client message:

"4.1. Examples

   Here is an example of a client attempting AUTH using the [PLAIN] SASL
   mechanism under a TLS layer, and making use of the initial client

   S: ESMTP Server
   C: EHLO
   S: Hello
   S: 250 STARTTLS
   S: 220 Ready to start TLS
     ... TLS negotiation proceeds, further commands
         protected by TLS layer ...
   C: EHLO
   S: Hello
   S: 235 2.7.0 Authentication successful"
TCP port 587 is generally used by the MSA and generally indicates SMTP AUTH usage; SMTP AUTH can also be used on TCP port 25. MTA-to-MTA traffic would generally use TCP port 25. If SMTPS is being used, port 465 (not approved by IANA) may be used, indicating the use of TLS. SMTP AUTH may therefore affect perimeter or network security devices and require a redrafting of access rules. Corresponding configuration would also be required on the mail clients.


CRAM-MD5 is listed as Limited and DIGEST-MD5 as Obsolete by IANA.
Both CRAM-MD5 and DIGEST-MD5 require weak hashes or unsalted passwords to be stored in order to carry out the authentication, and MD5 has been shown to have vulnerabilities. Considering these facts, SCRAM-SHA-1 or SCRAM-SHA-1-PLUS or better, as listed on the IANA site, should be preferred if the servers support them. 'PLUS' refers to the additional feature of channel binding, which prevents MITM attacks.
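The port and mechanism points above translate into a simple client-side policy: upgrade with STARTTLS before authenticating when it is offered, never send PLAIN or LOGIN in the clear, never use the MD5 mechanisms, and take a -PLUS variant only when there is a TLS channel to bind to. The following is an added example (not code from the original post or from any mail library) that parses an EHLO reply into its advertised extensions and applies that policy. The two EHLO replies are constructed samples; the host name in them is a placeholder.

```python
# Added example (not from the original post): parse an ESMTP EHLO reply and pick
# the SASL mechanism a cautious mail client should use.

PREFERENCE = (
    "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256",
    "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1",
    "PLAIN", "LOGIN",  # cleartext credentials: acceptable only inside TLS
)
REJECTED = {"CRAM-MD5", "DIGEST-MD5"}  # IANA status Limited / Obsolete

# Constructed sample replies (hostname is a placeholder).
EHLO_CLEARTEXT = (
    "250-smtp.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 STARTTLS"
)
EHLO_AFTER_TLS = (
    "250-smtp.example.test Hello client\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5 SCRAM-SHA-256 SCRAM-SHA-256-PLUS\r\n"
    "250 ENHANCEDSTATUSCODES"
)


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 reply. The first 250 line
    is the greeting and is skipped; the legacy 'AUTH=PLAIN LOGIN' form that some
    old servers emit is normalised to the standard 'AUTH ...' keyword."""
    ext = {}
    lines = [line for line in reply.splitlines() if line.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()  # drop "250-" or "250 "
        if not body:
            continue
        keyword, *params = body.replace("AUTH=", "AUTH ", 1).split()
        ext[keyword.upper()] = [p.upper() for p in params]
    return ext


def choose_mechanism(ext, tls_active, channel_binding=False):
    """Return the SASL mechanism to use, 'STARTTLS' if the session should be
    upgraded (and EHLO repeated) first, or 'REFUSE' if nothing acceptable is offered."""
    if not tls_active and "STARTTLS" in ext:
        return "STARTTLS"
    offered = set(ext.get("AUTH", [])) - REJECTED
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech.endswith("-PLUS") and not (tls_active and channel_binding):
            continue  # channel binding needs a TLS channel to bind to
        if mech in ("PLAIN", "LOGIN") and not tls_active:
            continue  # never send Base64 credentials in the clear
        return mech
    return "REFUSE"


if __name__ == "__main__":
    print("before TLS :", choose_mechanism(parse_ehlo(EHLO_CLEARTEXT), tls_active=False))
    print("after TLS  :", choose_mechanism(parse_ehlo(EHLO_AFTER_TLS), tls_active=True))
    print("with binding:", choose_mechanism(parse_ehlo(EHLO_AFTER_TLS), tls_active=True,
                                            channel_binding=True))
```

The same parser is useful on the server side of the fence: feeding it your own server's EHLO banner (on ports 25, 587 and, where used, 465) shows exactly which mechanisms are being advertised to the world, which is the list an access-rule review should start from.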


References

  • Simple Authentication and Security Layer (SASL)
  • RFC 4954: SMTP Service Extension for Authentication (obsoletes RFC 2554)
  • ESMTP and LMTP Transmission Types Registration
  • SMTP Service Extension for Secure SMTP over Transport Layer Security
  • Message Submission for Mail
  • Using Digest Authentication as a SASL Mechanism
  • RFC 2554: SMTP Service Extension for Authentication (obsolete)
  • SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms
  • Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)


Other email authentication mechanisms apart from SMTP AUTH