Access Control and Identity Management Flashcards
AAA Model
Authentication
Authorization
Accounting
POLA/POLP
Principle of Least Access
Principle of Least Privilege
Identification
Process of identifying an entity prior to authentication
User ID guidelines:
* Uniqueness
* Non-descriptive (does not reveal the user's job)
* Secure issuance (the process of obtaining an ID)
Most common forms:
* User Name, User ID, Acct Number
Authentication
Verifies a user's ID
One or more of three factors:
* Something you know
** Passwords/PINs
* Something you have
** ATM Card, CAC, Tokens
* Something you are
Authentication Tokens Types
Passive or Stored Value
* Storage device that stores some kind of key
* Magnetic strip or bar code
* Static password
Active
* Processor that computes a one-time password
* Synchronous Dynamic Token
* Asynchronous Dynamic Token
Type 1 Authentication Methods
Something you know
Passwords/PINs
Type 2 Authentication Methods
Something you have
ATM card, CAC, Tokens
Type 3 Authentication Methods
Something you are
Biometrics
CER
Crossover Error Rate
Point where the False Reject Rate and False Accept Rate are both at their lowest
Strong Authentication
Multiple types of the same factor
E.g. two “somethings you have”
SSO
Single Sign On
Authenticate only once
E.g. uses of SSO: Kerberos, SESAME, directory services
Kerberos
Principal - device on network
Realm - like a domain
KDC (Key Distribution Center)
* AS (Authentication Server)
* TGS (Ticket-Granting Server)
* TGT (Ticket-Granting Ticket)
* RTGS (Remote Ticket-Granting Service)
X.500 Standard
For Directory Services
Directory Services
Logical means of organizing resources
ACLs to control access to resources
LDAP
Lightweight Directory Access Protocol
Standardized directory access protocol
Allows queries to be made of directories
X.500 Standard
Port 389
Port 636 for LDAP over TLS/SSL
Types of LDAP Authentication
Anonymous:
* Username only
Simple:
* Name/Password in clear
* Uses Port 389; port 636 over SSL
SASL for secure authentication
SASL
Simple Authentication and Security Layer
Can utilize Kerberos, MD5, S/Key, IPSec, TLS
DIT
Directory Information Tree
Microsoft’s Active Directory
Directory Services
Backbone for all security, access, and network implementations.
Managed by one or more servers
Tree structure
RADIUS
Remote Authentication Dial-In User Service
Centralized system for AAA
Supports PAP, CHAP and EAP
Only password is encrypted
UDP 1812 (Authentication), 1813 (Accounting)
Client = network access server
Server = stores all authentication and network access information
Ability to audit and account
Diameter
AAA protocol suite designed to handle broadband and other connections
End-to-end encryption through IPSec, TLS or both
Mutual authentication
TCP port 3868
TACACS+
Terminal Access Controller Access Control System Plus
Alternative to RADIUS
Cisco product
AAA performed separately
Supports PAP, CHAP and EAP
Multi-factor authentication
Encrypts entire body of authentication packet
TCP port 49
Implicit/Explicit Deny
Implicit: access is denied by not specifically allowing it.
Explicit: access is denied by specifically denying it.
Least Privilege
Just what they NEED to do their job not what they WANT.
Need-to-know
You don’t need to know everything
Separation of Duties
Prevents fraud by requiring more than one person to complete a critical process
Job Rotation
Rotate critical jobs so all data is not in the hands of one person.
Mandatory Vacation
Used by companies to detect fraudulent workers
Non-Discretionary Access Controls
MAC - Mandatory Access Control
RBAC - Role-Based Access Control
- Rule-Based Access Control
DAC
Discretionary Access Control
Each object has an owner
Owner establishes privileges
Allows info to be shared easily
Access granted/denied based on ACL
MAC
Mandatory Access Control
- Security clearance sensitivity levels
- Access based on clearance and need to know
RBAC
Role-Based Access Control
- Based on responsibilities that come with your role
- Review frequently to prevent privilege creep
Rule-Based Access Control
Form of ACL that looks at every request and compares it against the rules
Access granted or denied depending on the result
Firewalls and Routers
ACL
Access Control List
Hold permissions for users/groups
Each entry can specify type of access
E.g. Read-only, Change, Full control
Privileges
Given because of where they work or the group they belong to
Rights
Assigned to an individual based upon need to know
Permissions
Based upon need to know
File controls (read, write, modify, etc.)
Privilege Creep
Individuals gain a higher level of access than they normally need
Usually due to temporary access, accidents, or transfers between departments.
Privilege Escalation
Vertical
* Lower privilege users access functions or content reserved for higher privilege users
Horizontal
* Normal user accesses functions/content reserved for other users.