3.7 Given a scenario, implement identity and account management controls. Flashcards
Identity
Identification is the process of ascribing a computer ID to a specific user, computer, network device, or computer process. The identification process is typically performed only once, when a user ID is issued to a particular user. User identification enables authentication and authorization to form the basis for accountability. For accountability purposes, user IDs should not be shared, and for security purposes, user IDs should not be descriptive of job function. This practice enables you to trace activities to individual users or computer processes so that users can be held responsible for their actions. Identification usually takes the form of a logon ID or user ID. A required characteristic of such IDs is that they must be unique.
Identity Provider (IdP)
The term identity provider (IdP) is used to denote a system or service that creates, maintains, and manages identity information. IdPs can range in scale and scope—from operating for a single system to operating across an enterprise. Additionally, they can be operated locally, distributed, or federated, depending on the specific solution. Multiple standards have been employed to achieve these services, including those built on the Security Assertion Markup Language (SAML), OpenID, and OAuth. These standards are covered in Chapter 24, “Implement Authentication and Authorization.”
Attributes
Identity attributes are the specific characteristics of an identity—name, department, location, login ID, identification number, e-mail address, and so on—that are used to accurately describe a specific entity. These elements are needed if one is to store identity information in some form of directory, such as an LDAP directory. The particulars of a schema need to be considered to include attributes for people, equipment (servers and devices), and services (apps and programs), as any of these can have an identity in a system.
Certificates
Certificate-based authentication is a means of proving identity via the presentation of a certificate. Certificates offer a method of establishing authenticity of specific objects such as an individual’s public key or downloaded software. A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. Using a digital certificate is a verifiable means of establishing possession of an item (specifically, the certificate).
Tokens
An access token is a physical object that identifies specific access rights and, in authentication, falls into the “something you have” factor.
One of the ways that people have tried to achieve multifactor authentication is to add a biometric factor to the system. A less expensive alternative is to use hardware tokens in a challenge/response authentication process. In this way, the token functions as both a “something you have” and “something you know” authentication mechanism.
Smart Cards
Smart cards are devices that store cryptographic tokens associated with an identity. The form factor is commonly a physical card, credit card sized, that contains an embedded chip that has various electronic components to act as a physical carrier of information.
EXAM TIP
Remember the various uses for tokens, keys, and smart cards. An access token is a physical object that identifies specific access rights and, in authentication, falls into the “something you have” factor. SSH keys are primarily used for automated processes and services. A PIV card is a smart card used for federal employees and contractors. CAC cards are used by the U.S. DoD for active-duty military, Selected Reserve members, DoD civilians, and eligible contractors.
Geofencing
Geofencing is the use of the Global Positioning System (GPS) and/or radio frequency identification (RFID) technology to create a virtual fence around a particular location and detect when mobile devices cross the fence. This enables devices to be recognized by others, based on location, and have actions taken. Geofencing is used in marketing to send messages to devices that are in a specific area such as near a point of sale, or just to count potential customers. Geofencing has been used for remote workers, notifying management when they have arrived at remote work sites, allowing things like network connections to be enabled for them. The uses of geofencing are truly only limited by one’s imagination.
Geotagging
Geotagging is the process of applying geotags (location information) to a specific item. The actual geotags can be in a variety of formats but are typically some form of an encoding of latitude and longitude. All sorts of digital data can be geotagged, including but not limited to photographs, videos, websites, and items posted on social media sites. Closely related is the concept of geocoding, which refers to the use of non-coordinate-based geographic metadata elements such as physical street addresses or building locations.
Access Policies
Access policies are a set of policies to assist in the management of the access control system. From simple policies covering password use, password length, expiration, and lockout, to more complex issues such as account expiration, recovery, and disablement, these directives provide the guidance for security personnel to manage access systems.
Password policies are needed to cover the details of items such as password length, complexity, reuse, and history. Password length and complexity may seem to be forever-increasing targets, but defining them is important to prevent people from using simple, easy-to-crack passwords. Having a formal policy that prohibits sharing of passwords or logging in to another person’s account (even with permission) may seem superfluous, but its absence will be felt when something goes wrong and no such policy exists. Password reuse for users with both regular and elevated accounts can be an issue; if they use the same password for both accounts, is either really secure? Again, a policy provides appropriate guidance and rules.
Account Permissions
- Administrator An administrator account has full control of the files, directories, services, and other resources on the local computer. The administrator account can create other local users, assign user rights, and assign permissions. The administrator account can take control of local resources at any time simply by changing the user rights and permissions. In Linux systems, the root account is used for administrative purposes, while in Windows the account is called either Administrator or Local Administrator.
- Standard user Standard accounts are the basic accounts you use for normal, everyday tasks. As a standard user, you can do just about anything you would need to do, such as running software and personalizing your desktop. Standard users may be limited from installing new programs.
- Guest The guest account should be disabled by default on installation. The guest account lets occasional or one-time users who do not have an account on the computer temporarily sign in to the local server or client computer with limited user rights. Guest accounts make the logging and identification of users impossible.
Account Audits
Account audits are like all other audits—they are an independent verification that the policies associated with the accounts are being followed. An independent auditor can check all of the elements of policies. Passwords can be checked using a password cracker—if it breaks a password, odds are the user wasn’t following the rules. The various restrictions, such as account lockout and password reuse, can be checked. An auditor can verify that all the authorized users are still with the firm or are operating in an authorized capacity. Audits work to ensure the implementation of policies is actually working to specification.