3.7 Identity and Account Management Controls Flashcards

1
Q
• Who are you?
– A service needs to vouch for you
– Authentication as a Service
• A list of entities
– Users and devices
• Commonly used by SSO applications or an authentication process
– Cloud-based services need to know who you are
• Uses standard authentication methods
– SAML, OAuth, OpenID Connect, etc.
A

Identity provider (IdP)

2
Q
• An identifier or property of an entity
– Provides identification
• Personal attributes
– Name, email address, phone number, Employee ID
• Other attributes
– Department name, job title, mail stop
• One or more attributes can be used for identification
– Combine them for more detail
A

Attributes

3
Q

• Digital certificate - Assigned to a person or device
• Binds the identity of the certificate owner to a public and private key
– Encrypt data, create digital signatures
• Requires an existing public-key infrastructure (PKI)
– The Certificate Authority (CA) is the trusted entity
– The CA digitally signs the certificates

A

Certificates

4
Q

• Smart card
– Integrates with devices - may require a PIN
• USB token - Certificate is on the USB device

A

Tokens and cards

5
Q

• Secure Shell (SSH) - Secure terminal communication
• Use a key instead of username and password
– Public/private keys - Critical for automation
• Key management is critical
– Centralize, control, and audit key use
• SSH key managers - Open source, Commercial

A

SSH keys

6
Q
• Create a public/private key pair
– ssh-keygen
• Copy the public key to the SSH server
– ssh-copy-id user@host
• Try it out
– ssh user@host
– No password prompt!
A

SSH key-based authentication

7
Q

• An account on a computer associated with a specific person
– The computer associates the user with a specific identification number
• Storage and files can be private to that user
– Even if another person is using the same computer
• No privileged access to the operating system
– Specifically not allowed on a user account
• This is the account type most people will use
– Your user community

A

User accounts

8
Q

• Shared account
– Used by more than one person
– Guest login, anonymous login
• Very difficult to create an audit trail
– No way to know exactly who was working
– Difficult to determine the proper privileges
• Password management becomes difficult
– Password changes require notifying everyone
– Difficult to remember so many password changes
– Just write it down on this yellow sticky paper
• Best practice: Don’t use these accounts

A

Shared and generic accounts

9
Q

• Access to a computer for guests
– No access to change settings, modify applications, view other users’ files, and more
– Usually no password
• This brings significant security challenges
– Access to the userspace is one step closer to an exploit
• Must be controlled
– Not the default - Removed from Windows 10 build 10159

A

Guest accounts

10
Q

• Used exclusively by services running on a computer
– No interactive/user access (ideally)
– Web server, database server, etc.
• Access can be defined for a specific service
– Web server rights and permissions will be different from a database server’s
• Commonly use usernames and passwords
– You’ll need to determine the best policy for password updates

A

Service accounts

11
Q
• Elevated access to one or more systems
– Administrator, Root
• Complete access to the system
– Often used to manage hardware, drivers, and software installation
• This account should not be used for normal administration
– User accounts should be used
• Needs to be highly secured
– Strong passwords, 2FA
– Scheduled password changes
A

Privileged accounts

12
Q

• Control access to an account
– It’s more than just username and password
– Determine what policies are best for an organization
• The authentication process
– Password policies, authentication factor policies, other considerations
• Permissions after login - Another line of defense

A

Account policies

13
Q

• Is everything following the policy?
– You have to police yourself
• It’s amazing how quickly things can change
– Make sure the routine is scheduled
• Certain actions can be automatically identified
– Consider a tool for log analysis

A

Perform routine audits

14
Q

• Permission auditing
– Does everyone have the correct permissions?
– Some Administrators don’t need to be there
– Scheduled recertification
• Usage auditing - How are your resources used?
– Are your systems and applications secure?

A

Auditing

15
Q

• Make your password strong - Resist brute-force attacks
• Increase password entropy
– No single words, no obvious passwords
• What’s the name of your dog?
– Mix upper and lower case and use special characters
• Don’t replace an o with a 0 or a t with a 7
• Stronger passwords are at least 8 characters
– Consider a phrase or set of words
• Prevent password reuse
– System remembers password history, requires unique passwords

A

Password complexity and length

16
Q

• Too many incorrect passwords will cause a lockout
– Prevents online brute-force attacks
– This should be normal for most user accounts
– This can cause big issues for service accounts
• You might want this
• Disabling accounts
– Part of the normal change process
– You don’t want to delete accounts
• At least not initially
• May contain important decryption keys

A

Account lockout and disablement

17
Q

• Network location
– Identify based on IP subnet
– Can be difficult with mobile devices
• Geolocation - determine a user’s location
– GPS - mobile devices, very accurate
– 802.11 wireless, less accurate
– IP address, not very accurate
• Geofencing
– Automatically allow or restrict access when the user is in a particular location
– Don’t allow this app to run unless you’re near the office
• Geotagging
– Add location metadata to a document or file
– Latitude and longitude, distance, time stamps
• Location-based access rules
– Your IP address is associated with an IP block in Russia
– We don’t have an office in Russia
– You were in Colorado Springs an hour ago
– Permission not granted
• Time-based access rules
– Nobody needs to access the lab at 3 AM

A

Location-based policies