4.0 - Identity and Access Management

Question 1

How often does Identification happen?

Answer 1

Identification is the process of ascribing a computer ID to an specific user, computer, network device, or computer process. It tends to only happen once, as that entity is brought into the network.

Question 2

What are AAA:

Answer 2

AAA stands for:

• Authentication - verifying identity (login)
• Authorization - permitting or denying access (rights and permissions)
• Accounting - tracking resource usage (log files?)

Question 3

What are the five broad categories of multi-factor authentication?

Answer 3

Multi-factor authentication can include:

• What you are (biometrics)
• What you have (token)
• What you know (password)
• Somewhere you are (geolocation)
• Something you do (physical performance)

Question 4

What is Identity Federation?

Answer 4

Federation or Identity Federation defines policies, protocols and practices to manage identies across systems and organizations.

Question 5

What are the advantages of SSO?

Answer 5

For the user, SSO reduces how often they will have to authenticate.

For the organization, SSO can lock a user out of all systems if one is compromised.

Question 6

What is a Transitive Trust relationship?

Answer 6

In a Transitive Trust Relationship. System A enters into a trust relationship with System B. Because System B already trusted System C, now System A also trusts System C. Inherited trust.

Question 7

Types of Accounts?

Answer 7

Accounts:

• Shared / Generic
• Guest
• Service
• Privileged

Question 8

What auditing method is good at finding compromises and attacks?

Answer 8

Audits of failed login attempts.

Question 9

What drives the application of account management?

Answer 9

Policies, defined by the business side of the house, should be the driving force behind account management decisions.

Question 10

What is Account Maintenance?

Answer 10

Account Maintenance is the routine screening of all attributes of an account. This questions whether the account is still valid, and whether the access rights are still correct.

Question 11

When might Location Based Policies be useful.

Answer 11

Location Based Policies may be a good idea for remote access, or organizations with many locations.

Question 12

What is Credential Management?

Answer 12

Credential Management is a process, service or software used to store and manage user credentials.

Question 13

What pros and cons does the NIST indicate about password rules?

Answer 13

In June of 2017, a NIST report stated that complexity rules designed to force entropy into passwords do so at the risk of user behavior such as writing them down or versioning them.

Nonetheless, the standard is to enforce minimum length, and three of the four: upper case, lower case, numbers and special characters.

Question 14

Who should inform the security team about employee departures?

Answer 14

The first line management should inform security when an employee leaves the organization. HR should be a back-stop, not a primary.

Question 15

Why does a system need a miniumum password age.

Answer 15

Minimum password age keeps a user from cycling through a number a passwords so their prefered password is no longer in the password history.

Question 16

What is Recertification?

Answer 16

Recertification is the process of verifying that all users are still employed and still require accounts.

Question 17

An employee has left the organization. What should be done?

Answer 17

Their account should be disabled (not deleted).

Question 18

How does LDAP connect?

Answer 18

LDAP connects to a Directory System Agent (DSA) on TCP/UDP 389.

SDAPS (LDAP over SSL) connects on port 636.

Question 19

How does Kerberos authentication work?

Answer 19

1. The user presents credentials and gets a TGT (Ticket-Granting Ticket) from the KDS (Key Distribution Server).
2. The user presents the TGT and a request for services to the KDS.
3. The KDS verifies the request and issues a Client-to-Server ticket.
4. The user presents the Client-to-Server ticket to the requested service.

All transactions are encrypted, making the system safe.

Question 20

What is TACACS+ used for?

Answer 20

Typically TACACS+ is used for admin access to routers and firewalls.

It typically runs on TCP port 49.

TACACS+ is not backwards compatible with TACACS. It has good separation of authentiction, authorization and accounting functions.

Comms are encrypted with a shared secret that is manually set on devices and never transmitted over a connection.

Question 21

How does TACACS+ authentication work?

Answer 21

TACACS+ can use many types of autheticaiton, Typcially a remote connection is made to a NAS (Network Access Server) on the remote network. The NAS authenticates the user, then sends a START message to the requested device. The communication between the user and the requested device begins.

Commands used are START, REPLY and CONTINUE.

Question 23

Describe TACACS+ Authorization.

Answer 23

TACACS+ Authorization can occur before authetication, in which “unknown user” is used. Once authenticated, credentials are passed to authorization.

A REQUEST is made for a service. a RESPONSE may include time and IP restrictions.

Question 24

Describe TACACS+ Accounting.

Answer 24

Like Authentication and Authorization, Accounting is optional in TACACS+.

It uses three record (not message types): START, STOP and UPDATE. The time, user and process is noted for each. UPDATE records note that a task is still being performed.

Question 25

What authentication methods does PPP support?

Answer 25

PPP supports these types of authentication:

• PAP (uses cleartext)
• CHAP (is secure)

Question 26

What features does PPP have that makes CHAP authentication possible?

Answer 26

PPP supports these functions for CHAP:

• Encapsulated datagrams
• Establish test links using Link Control Protocol
• Establish different network protocols using NCP (Network Control Protocol)

Question 27

PAP vs. CHAP

Answer 27

PAP uses cleartext and is now depreciated. CHAP is secure.

Question 28

Describe MSCHAP.

Answer 28

MSCHAP is the Microsoft version of CHAP. Ver 1 is depreciated. MSCHAPv2 offers mutual authentication.

Question 29

Is RADIUS traffic secure?

Answer 29

Traffic between RADIUS servers (typcially a NAS) is secured with a manually-entered key.

Traffic from the PC to the RADIUS server is typcially not encrypted.

Question 30

What is RADIUS accounting designed for.

Answer 30

RADIUS was designed during the dialup era. As a result, its accounting functions are designed primarily to collect data for user billing.

Question 31

What is SAML?

Answer 31

SAML (Secuirty Assertation Markup Language) is an SSO for web applications. It defines methods to share credentials between security domains.

SAML is popular with SaaS applications.

Question 32

What does OAuth do?

Answer 32

OAuth (Open Authentication) allows companies such as Google, Facebook and Twitter to permit users to share account information with third-parties.

Did you login to a website using your FB credentials? That used OAuth.

Question 33

How does OpenID work with OAuth?

Answer 33

OpenID allows systems to request information about authenticated sessions and end users. This begins the authentication step for OAuth 2.0.

Question 34

What is Sibboleth?

Answer 34

Sibboleth is a federated SSO service, based around SAML, which is not gained much acceptance.

Question 35

How do Secure Tokens work?

Answer 35

Secure token process:

1. User requests access with credentials
2. Secure token service validates
3. Secure token is provided to user
4. Client stores the token and includes it with all requests.
5. Server verifiies token on each request.

This sytem is highly scalable. Tokens can be shared and transported.

Question 36

What is NTLM?

Answer 36

NTLM (NT LAN Manager) is a suite of Microsoft security protocols. Both NTLM and LANMAN have been widely replaced by Kerberos. It uses MD4, which is now deprecated.

Question 37

Describe MAC access control.

Answer 37

MAC (Mandatory Access Control) puts a label on each object and give the user a similar label. If the item is “Top Secret” the user must have “Top Secret” access to view it.

A user cannot change the security level of an item that is at their level.

This is referred to as Multilevel Security.

Question 38

Describe DAC access control.

Answer 38

In DAC (Descretionary Access Control) objects have an owner who can decide which users have access to that object. Users can be assigned access individually or through group memberships.

It is up to the object owner’s “descretion” who they will grant access to.

Unlike MAC access control, DAC uses ACLs to track access.

Question 39

Describe ABAC access control.

Answer 39

Under ABAC (Attribute-Based Access Control), an attribute of the object can determine the access for a user.

For instance a doctor may have access to medical records, but only for the patients tagged as enrolled at her clinic.

Question 40

Describe Role-based RBAC.

Answer 40

RBAC (Role Based Access Control) grants users memberships in groups based on the job role. Then groups (not users) are granted rights to the network objects.

Question 41

Describe Rule-based RBAC.

Answer 41

RBAC (Rule Based Access Control) uses a set of rules in the ACL.

For instance: No user may have access to payroll after 5 p.m. As with MAC, only admins can change the rules.

Rule Based RBAC is usually used along with another access control method.

Question 42

What is the difference between Proximity Cards and Smart Cards?

Answer 42

Prox cards are read-only and have no security.

Smart cards use encryption and can pass more data than a prox card.

Question 43

What is a biometric template?

Answer 43

A biometric template is a numeric value created by the biometric device that describes the analog data received by the device. This value is compared to the value in the database to determine if the user should be authenticated.

Question 44

Retinal scanner vs. Iris Scanner?

Answer 44

Retinal Scanner:

• Scans with a laser, very close up
• Low user acceptance

Iris Scanner:

• Further away, photo not laser
• Photos can be taken w/o user knowledge and then a custom contact lens created to spoof the system.
• Some medical conditions can be detected, creating privacy issues.

Question 45

Describe false-positives and false-negatives with biometrics.

Answer 45

False-positive - an unauthorized user is granted access.

False-negative - the correct user is denied access

Question 46

What are the false acceptance and rejection rates in biometrics?

Answer 46

These occur when the match and nonmatch probability curves overlap. A threshold between the two needs to be set, creating to possible issues:

• FAR (False Acceptance Rate) is the rate of false-positives. Non-authenticated users who are still able to gain access.
• FRR (False Rejection Rate) is the rate of false-negatives. Authenticated users who are unable to access the system.

Question 47

What is the CER in biometrics?

Answer 47

CER (Crossover Error Rate) is the rate where both the accept and reject error rates are the same. The approve/reject threshold is usually set at or near the CER.

Question 48

How do you calculate FAR and FRR?

Answer 48

Do FRR first.

FRR (False Rejection Rate) = Percent of users who cannot enroll (FER) or get false-negatives after enrollment. Out of 1000 users, 5 could not enroll, and 50 of the remaining 995 got false-negatives. FRR = 5.02 percent.

FAR (False Acceptance Rate) = Percent of users who are accepted to the system even though they should have been. 25 of 995 users matched another user’s biometric. FAR = 2.51 percent

Lower FRR and FAR are good. Similar numbers are preferrable.

Question 49

How do tokens work in access management?

Answer 49

Tokens represent:

• Something you have
• A device that can store more info than the user can memorize

They can be:

• Hardware - SecureID, etc.
• Software - a sysmetric key stored on the client, or public key crypto using a PIN

Question 50

These protocols are used to create one-time passwords.

Answer 50

HOTP (HMAC-based One-Time Password)

TOTP (Time-based One-Time Password)

Question 51

What is a PIV card?

Answer 51

A PIV (Personal Identity Verification) card is a US government-issued smart card for access to federal facilites and information systems. It carries a certificate along with the user’s credentials.

Question 52

What is a CAC card?

Answer 52

A CAC (Common Access Card) card is a US DoD-issued smart card given to active duty, Select Reserve members, DoD civilians and select contractors.

It carries a certificate along with the user’s credentials.

Question 53

What is IEEE 802.1x

Answer 53

IEEE 802.1x is the standard for port-based authentication on edge routers. It describes authentication methods such as RADIUS.

Question 54

What security issue does IEEE 802.1x contain?

Answer 54

802.1x authentication occurs only upon initial connection. This allows a user to insert themselves into the connection by changing packets and using a hub.

Solution: Pair 802.1x with a VPN or IPsec, which provides persistent security.

Question 55

How is database security typically handled.

Answer 55

Most databse systems have built-in security, including encryption. Security issues and access levels should be addressed as the sytem is designed. Security overhead is typically negligible.