2.4 - Authentication and Authorization Design Concepts Flashcards

1
Q

Directory Services

A
  • A feature that keeps all of an organization’s usernames / passwords in a single database
  • Also contains computers, printers, and other devices that might be connected to a network
  • Large distributed database
  • Constantly replicated so that every DB is always up to date with latest info
  • This means a user only needs one set of credentials for all services
2
Q

Microsoft Active Directory

A
  • One of the most common examples of Directory Services
  • Accessed via Kerberos protocol or LDAP
  • This allows access to a DB from an external device
3
Q

Federation

A
  • Instead of maintaining your own DB of usernames / passwords (Directory Services)
  • Federation allows users access to your network from information that is stored by a third party
  • Federation is an alternative - Use authentication information that is already at another site
  • Not just employees - partners, suppliers, customers, etc.
  • Provides SSO and more
4
Q

Enable Federation

A
  • Need to coordinate authentication / authorization between two organizations
  • Ex: Log in page that allows you to log into site X via Facebook, LinkedIn, Twitter, etc.
  • Once trust relationship is established with this third party, users can use other credentials to log in to your network
5
Q

Attestation

A
  • Want to make sure users are connecting to our network using our hardware (not a 3rd party)
  • Prove the hardware you’re using is really yours (a system you can trust)
  • AKA can the hardware attest that it is the hardware it should be
  • Ex: if managing a single device, it’s easy to determine this, but if you’ve got thousands of devices you need to automate it
6
Q

Remote Attestation

A
  • Remote device provides an operational report to a verification server
  • Will allow / prevent access to network
  • Encrypted and digitally signed with the TPM (Trusted Platform Module) of the remote device
  • An IMEI (International Mobile Equipment Identification Number) or other unique hardware component can be included in the report
  • This will confirm that the device on the other end of the communication is trustworthy and allowed access
7
Q

SMS

A
  • Short Message Service (text message)
  • A login factor can be sent via SMS as a code, and the user enters this code to log in
  • This confirms that you are the person who has the phone (hardware in your possession)
  • An example of Remote Attestation
  • However, generally seen as less secure than other methods (ex: a user can reprogram the number that the code is being sent to; codes can also be intercepted). These types of issues are relatively rare, but they exist
  • MFA is better than single-factor authentication
8
Q

Push Notification

A
  • Instead of an SMS, can rely on a process similar to an SMS notification
  • The server is “pushing” the authentication factor to a specialized app on a device
  • Usually on a mobile device
  • Another example of Remote Attestation
  • Security Concerns: The app receiving the push notification could have vulnerabilities that let 3rd parties see info or perhaps it doesn’t have encryption
  • Probably more secure than SMS with the right app
  • MFA is better than single authentication
9
Q

Authentication Apps

A
  • Pseudo random token generators
  • Useful authentication factor
  • Ex: RSA physical device or RSA app
10
Q

TOTP

A
  • Time-based One-Time Password algorithm
  • Use a secret key and the time of day
  • No incremental counter
  • Each code is usually valid for around 30 sec
  • One-time synchronization process, for setup, with a secret key + time of day. The authentication server and token generator will then both know what the next number in the sequence will be based on the time of day
  • Used by many token generators (like RSA)
  • Common usage: enter user name and password, open the app, and enter the number in a box (if you’ve used MFA with Microsoft, Google, etc. you’ve probably used TOTP; it’s a pretty common OTP method)
11
Q

HOTP

A
  • HMAC-based One-Time Password algorithm
  • Another authentication method
  • One-time password
  • Similar to TOTP, but instead of having a number that changes every 30 sec, you have a number you use once then throw away
  • Keys are based on a keyed hash method code (HMAC) and a counter (go down a list and use the code then cross it off and go down the list)
12
Q

HMAC

A
  • Keyed-hash message authentication code
  • Keys are based on a secret code + counter (check codes off a list)
  • Example of HOTP (HMAC - based One-Time Password Algorithm)
13
Q

Token-based authentication

A
  • Hash is different every time; could be an app
  • Will integrate with a server for authentication
  • Can be an example of HOTP
14
Q

Hardware and software token available

A
  • Need additional technology to make this work
15
Q

Phone call

A
  • An automated process can call you and read out the pseudo-random token
  • Similar disadvantages to SMS (calls can be intercepted or forwarded; a phone number can be added to another phone, meaning it rings on multiple phones simultaneously so someone else can answer first)
16
Q

Exploiting an application

A
  • Attackers often exploit an application’s vulnerability.
  • Once you exploit one binary, you can exploit them all
  • Ex: A Windows 10 exploit affects all Windows 10 users
  • But, what if all computers were running different software? (Solution: Software diversity. Ex: Unique binaries, functionally identical)
17
Q

Software Diversity

A
  • A solution to the problem that if a hacker can exploit one application, they can exploit them all
  • Ex: Each compiled application is a little different but functionally they’re the same
  • Final binary file is different every time you compile (doesn’t change the way the application works)
  • Hackers may not be able to use an exploit on the same application on a different person’s machine
  • Does create extra work during development and deployment, but adds a layer of security
18
Q

Automation and Scripting

A
  • Create automation around deployment and issues that arise during deployment
  • Ex: Continuously monitoring a certain drive so that it doesn’t get too full. If it does, you can automatically work to free up disk space.
  • Very important for cloud (automatic provisioning / deprovisioning)
19
Q

CI

A
  • Continuous Integration
  • Application developers may be constantly updating and merging several times a day
  • A lot of chances for security issues
  • Need security checks during development
  • Documented security baselines are the bare minimum
  • Large-scale security analysis during the testing phase (significant problems will have already been covered)
20
Q

CD

A
  • Continuous Delivery (or deployment)
  • Automated checks during testing process and release
  • Click a button and deploy an application
21
Q

CD 2

A
  • Continuous Deployment
  • Testing, deployment process is automated
  • Automatically deploy to production (assuming no issues)
22
Q

Biometric (authentication factors)

A
  • Refers to something you are
  • Ex: finger print scanner on phones, laptops, doors
  • Ex: Retina to authenticate, relatively unique and don’t often change making them a good biometric
  • Ex: Iris (front of eye)
  • Ex: Voice recognition
  • Ex: face recognition
  • All of them are an uncertain science (differences between users, sensitivity of readers); have to spend some time making sure sensitivity levels are accurately authenticating
23
Q

Biometric factor (rarely used)

A
  • Gait analysis (rarely used, but a pretty unique biometric)
  • Veins, vascular scanners in arms
24
Q

FAR

A
  • False Acceptance Rate
  • Likelihood that an unauthorized user will be accepted
  • Often used when discussing biometrics
  • Need to increase sensitivity if your FAR is too high
25
Q

FRR

A
  • False Rejection Rate
  • When an authorized user is denied access to something they should have access to
  • Opposite from FAR (False Acceptance Rate)
  • A high FRR can cause frustration
  • Solution: you’d need to decrease sensitivity if your FRR is too high
26
Q

CER

A
  • Crossover Error Rate
  • Defines the overall accuracy of a biometric system
  • The rate at which the FAR (False Acceptance Rate) and FRR (False Rejection Rate) are equalized (or at least both minimized)
  • “Sweet spot”
27
Q

AAA Framework

A
  • Authentication, Authorization, and Accounting
  • Authentication: Are we who we say we are? (Ex: a user name associates an account with an individual)
  • During Authentication, you have to prove this (Ex: password, biometric factor, etc.)
  • Authorization: What do you have access to? (Ex: A particular file share or printer access)
  • Accounting: Who authenticated onto a network? (Ex: on-premises or cloud-based accounting)
  • Cloud is often 3rd party, centralized platform, often includes API integration, may also have additional cloud options
28
Q

Cloud-based security authentication

A
  • The “A” in Accounting in the AAA Framework
  • Cloud is often managed by a 3rd party
  • Centralized platform
  • Often includes API integration
  • May also have additional cloud options
29
Q

On-Premises Authentication System

A
  • Another option for the “A” in Accounting in the AAA framework (vs Cloud)
  • Internal monitoring / management
  • Need internal expertise
  • External access must be granted and managed
  • Need processes in place for outside users who need access to authenticate
30
Q

Factors

A
  • Something you know
  • Something you have
  • Something you are
  • From here you can add attributes
31
Q

Attributes

A
  • These are add-ons to the 3 factors for authentication (a bit more fluid)
  • Somewhere you are
  • Something you can do
  • Something you exhibit
  • Someone you know
32
Q

Something you know

A
  • Authentication Factor (1 of 3)
  • Something you know (in your brain)
  • Ex: password, secret word / phrase, PIN
  • Very common authentication factor
  • Ex: Pattern for unlocking a phone
  • An example of a factor
33
Q

Something you have

A
  • Authentication Factor (1 of 3)
  • Ex: A smart card, can integrate with a laptop (usually combining with PIN, aka something you know)
  • Ex: a USB token (certificate is on the USB) or software based version
  • Ex: SMS code to your phone
34
Q

Something you are

A
  • Authentication Factor (1 of 3)
  • Biometric factor
  • Ex: fingerprint, iris scan, voice print
  • Usually a mathematical representation of your biometrics
  • Difficult to change so you can associate with an individual
  • Biometrics should be combined with others, not foolproof
35
Q

Somewhere you are

A
  • Authentication Attribute
  • Provides a factor based on location
  • Ex: Transaction only completes if you’re in a certain geography (ex: in US)
  • Ex: IPv4 address; not perfect, but can provide more info (IPv4 can sometimes give the wrong country; IPv6 doesn’t list specific countries but still gives a good amount of info on whether the user is authentic)
  • Ex: GPS or wireless triangulation (again not perfect); GPS can be spoofed (ex: by placing yourself near an identified mobile or 802.11 network)
36
Q

Something you can do

A
  • Authentication Attribute
  • Personal way of doing something
  • May seem similar to biometrics, but this is much broader
  • Ex: signature
37
Q

Something you exhibit

A
  • Authentication Attribute
  • Ex: gait analysis
  • Ex: The way you type or the timing between keystrokes
38
Q

Someone you know

A
  • Authentication Attribute- Can give you more credibility
  • A social factor
  • Ex: used in cryptography when creating a web of trust or creating a digital signature