4.3 Given a scenario, implement identity and access management controls. Flashcards
Access Control Models
Access Control Models - MAC
With the mandatory access control (MAC) model, each individual (known as a subject) is assigned a clearance level such as restricted, secret, or top secret. The data and other assets in the organization are assigned classification labels that represent the sensitivity of the information. Examples of classification labels are public, confidential, secret, top secret, and unclassified, to name a few.
Access Control Models - DAC
Overview:
Discretionary access control (DAC) involves configuring permissions on a resource
Detail:
Discretionary access control, also known as DAC, is a model that decides who gets access to a resource based on a discretionary access control list (DACL). A DACL is a listing of users or groups (known as security principals) who are granted access to a resource, and the DACL typically determines what type of access the user has. That is, the DACL is the permissions assigned to a file. Each entry in the DACL is known as an access control entry (ACE).
In Microsoft environments, each security principal, such as a user account, computer account, or group, has a security identifier (SID) assigned to it. When a user logs on to the network, part of the authentication process is to generate an access token for the user (this is known as a logical token). The access token contains the user account SID, plus any SIDs for groups the user is a member of.
Access Control Models - ABAC
Attribute-based access control (ABAC) is an access control model that involves assigning attributes, or properties, to users and resources and then using those attributes in rules to define which users get access to which resources. For example, you could configure a rule that specifies if the user has a Department attribute of Accounting and a City attribute of Boston, then they can access the file. This is different than RBAC or GBAC in the sense that those models only check whether the user is in the role or group.
Access Control Models - Role-based Access Control
Role-based access control involves placing users into containers (known as roles) and those roles are assigned privileges to perform certain tasks. When a user is placed in the role, they inherit any capabilities that the role has been assigned.
A number of applications use RBAC, such as Microsoft SQL Server and Microsoft Exchange Server. The following exercise shows how you can grant someone administrative access to a SQL Server by placing them in the sysadmin role.
Access Control Models - Rule-based Access Control
Rule-based access control, also known as RBAC, involves configuring rules on a system or device that allow or disallow different actions to occur. For example, a router uses RBAC to determine what traffic can enter or leave the network by checking rules in an ACL configured on the router.
Physical Access Control
A hacker can easily bypass the security of a system if the hacker can physically get to a system or server. Any security features of the operating systems are only valid if the operating system is running, so most hackers who wish to bypass the security of the operating system simply boot off a live DVD.
In order to prevent this from happening, you need to implement physical security within the organization to ensure that you control who gains physical access to the systems. Remember for the exam that physical security is an important method to help keep unauthorized individuals from gaining access to critical systems and networks.
Physical Access Control - Proximity Cards
Proximity cards are small credit card-sized cards that activate when they are in close proximity to a card reader. Many organizations use these for access points, such as the entry to a building or the entry to a controlled area within a building. The door uses an electronic lock that only unlocks when the user passes the proximity card in front of a card reader.
Bonus:
A proximity reader is a sensor device that reads the access code from a token or card. The two major types of proximity readers are user-activated and system-sensing. With a user-activated proximity reader, the employee keys in a code or swipes the access card by the sensor to gain access to the facility. A system-sensing proximity reader continuously sends out an interrogating signal that the user’s access device responds to by sending the access code to the sensor for the door to unlock. Key fobs are token devices that are also used with proximity readers so that users can just wave the token over the reader to gain access to the facility.
Physical Access Control - Smart Cards
Smart cards are credit card-sized cards that have an embedded microchip and a certificate. Users insert the smart card into a smart card reader, similar to how someone would insert a credit card into a credit card reader. The smart card reader reads the information on the card, including the details from the certificate, which provides certificate-based authentication.
Certificates are covered in more detail later; as an introduction, they are digital files that support cryptography for increased security. The embedded certificate allows the use of a complex encryption key and provides much more secure authentication than is possible with a simple password.
Additionally, the certificate can be used with digital signatures and data encryption. The smart card provides confidentiality, integrity, authentication, and non-repudiation.
Biometric Factors
Biometrics is the process of authenticating to a system or network by using a physical characteristic of yourself such as a fingerprint, retina pattern, or voice pattern. Biometrics offers the highest level of security as it relates to authentication, but is not as common as a simple username and password–type authentication due to the expense.
Biometric Factors - Fingerprint Scanner
A fingerprint scanner scans your fingerprint and compares it with the system-stored fingerprint that you previously submitted during enrollment. A similar system is a palm scanner.
Biometric Factors - Retinal Scanner
A retinal scanner scans the pattern of blood vessels around the retina of your eye and compares it with the system-stored image.
Biometric Factors - Iris Scanner
An iris scanner scans the colored part of your eye that surrounds the pupil and compares it with the system-stored image.
Biometric Factors - Voice Recognition
A voice-recognition system requires you to speak and verifies your voice pattern based on the system-stored sample you previously submitted.
Biometric Factors - Facial Recognition
A facial-recognition system verifies features of your face based on your system-stored digital image.
Biometric Factors - False Acceptance Rate (Type II)
A type II error is the opposite of a type I error in that it allows someone to access the system who is not authorized to access the system. This type of error is known as the false acceptance rate (FAR).
Biometric Factors - False Rejection Rate (Type I)
A type I error is known as the false rejection rate (FRR) and occurs when the biometric system fails to authenticate someone who is authorized to access the system.
Biometric Factors - Crossover Error Rate
Biometric devices are sometimes rated by the percentage of errors that occur using a value known as the crossover error rate (CER). The CER is a number representing when the number of type I errors equals the number of type II errors. For example, if 5 out of 100 authentication attempts are type I errors and 5 out of 100 authentication attempts are type II errors, then the CER is 5. The lower the CER value, the more accurate the biometric system is.
Tokens
Tokens - Hardware
A small device that is typically used to identify an individual and is used in the authentication process. Of the different types of hardware tokens, the most popular is a device that displays a random number on it for 30 to 60 seconds (see Figure 10-2). The user enters that random number along with their username and password in order to log on.
Note that hardware tokens can also be physical objects that users need to have in their possession to gain access to a building, such as a card or device attached to a keychain that is swiped past an electronic reader to enter an area of the building.
Tokens - Software
Very similar to a hardware token except that it is software (an app) stored on a computing device instead of being its own separate hardware device.
Tokens - HOTP/TOTP
HOTP
HMAC-based One-Time Password (HOTP) is an algorithm that uses a Hash-based Message Authentication Code (HMAC) to generate one-time passwords.
TOTP
Time-based One-Time Password (TOTP) is an algorithm used by authentication systems in which the one-time passwords are generated based on the current time.
Certificate-based Authentication
Certificate-based authentication requires the user or client computer to authenticate to the network by presenting a Public Key Infrastructure (PKI) client-side certificate to the authentication system.
The authentication system verifies the certificate by checking the following:
- Is the certificate from a trusted certificate authority (CA)?
- Has the certificate validation period expired?
- Has the certificate been revoked?
Certificate-based Authentication - PIV/CAC/Smart Card
CAC
A Common Access Card (CAC) is a specialized type of smart card used by the U.S. Department of Defense. In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information. Users can use the CAC as a form of photo identification to gain access into a secure location. For example, they can show their CAC to guards who are protecting access to secure areas. Once inside the secure area, users can use the CAC as a smart card to log on to computers.
PIV
A Personal Identity Verification (PIV) card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.
CACs and PIVs both support dual-factor authentication (sometimes called two-factor authentication) because users generally log on with the smart card and by entering information they know such as a password. Additionally, just as with smart cards, these cards include embedded certificates used for digital signatures and encryption.