Chapter 11 Identity and Access Management Security Flashcards

1
Q

Associated with an identity; these include information about a subject, often their name, address, title, contact information, and other details about the individual

A

Attributes

2
Q

Create, store, and manage identity information as well as the permissions, groups, and other information needed to support the use of identities

A

IAM systems

3
Q
  • Provide information about systems, users, and other information about the organization
  • e.g. LDAP
A

Directory services

4
Q

What steps are required to implement a secure LDAP server?

A
  • Enabling and requiring TLS keeps LDAP queries and authentication secure
  • Setting password storage to use a secure method. LDAP passwords are often stored in plain text; additional methods are supported and should be used if possible
  • Use password-based authentication only when requiring TLS
  • Replication of LDAP servers can help prevent denial-of-service attacks and other service outages
  • Access control lists for LDAP offer the ability to limit access to specific objects in the directory as well as to control how entries are created, modified, and deleted
5
Q

Uses TCP traffic to provide AAA services

A

TACACS+

6
Q
  • Can operate via TCP or UDP and operates in a client-server model
  • Sends passwords that are obfuscated by a shared secret or MD5 hash; password security is not very strong
A

RADIUS

7
Q

Designed to operate on untrusted networks and uses encryption to protect its authentication traffic

A

Kerberos

8
Q

Users in Kerberos are known as what?

A

Principals

9
Q

Users in Kerberos, called principals, are composed of what three elements?

A

The primary - Frequently the username
The instance - Used to differentiate similar primaries
The realm - Consists of groups and principals

10
Q
  • Systems that allow users to authenticate once and then use multiple systems or services without having to use different usernames or passwords
  • e.g. LDAP and the Central Authentication Service (CAS)
A

Single Sign-On

11
Q

Allow an identity to be reused on multiple sites while relying on authentication via a single identity provider

A

Shared Authentication

12
Q

Shared Authentication Technologies include what?

A

OpenID
OAuth
OpenID Connect
Facebook Connect

13
Q
  • An open-source standard for decentralized authentication
  • Users create credentials with an identity provider like Google; then sites (relying parties) use that identity

A

OpenID

14
Q
  • Relies on access tokens which are issued by an authorization server and then presented to resource servers like third-party web applications
  • Used by Google, Microsoft, Facebook and other sites to allow users to share elements of their identity or account information while authenticating via the original identity provider
A

OAuth

15
Q

Authentication layer built using the OAuth protocol

A

OpenID Connect

16
Q

Shared authentication system that relies on Facebook credentials for authentication

A

Facebook Connect

17
Q

Includes training and awareness, as well as threats like insider attacks, phishing, and social engineering

A

Personnel-based identity security

18
Q

Play a role in attacks on identity, including capturing credentials via local exploits, screen capture, and keyboard capture applications

A

Endpoint Threats

19
Q

Can target systems that run identity services, or can attack the servers that send identity and authentication data to AAA services

A

Server-based exploits

20
Q

Provide, consume and interact with identity services

A

Applications and services

21
Q

Are associated with users or groups

A

Rules, Rights, and Permissions

22
Q

Attacks against LDAP directory servers typically focus on what?

A
  • Attacks against insecure binding (connection)
  • Improper LDAP access controls
  • LDAP injection
  • Denial-of-service attacks
23
Q
  • Methods that target unencrypted LDAP traffic, either to capture the traffic or to exploit LDAP as an authentication service
  • LDAP attack
A

Attacks against insecure binding (connection)

24
Q

Allow attackers to harvest directory information or to make modifications to directory entries that they should not be able to change
  • LDAP attack

A

Improper LDAP access controls

25
Q

Exploits web applications that build LDAP queries using user input, allowing attackers to gather additional information or to make changes they should not be authorized to make by operating as the web service
  • LDAP attack

A

LDAP injection

26
Q

Most common attacks for OAuth and OpenID

A

Open redirects: these result in users being redirected to untrusted sites, allowing phishing scams or permitting attackers to bypass security layers

27
Q

Common Kerberos attacks include what?

A

Administrator account attacks
Kerberos ticket reuse - Includes pass-the-ticket attacks, which allow impersonation of legitimate users for the lifespan of the ticket
Ticket granting ticket (TGT) focused attacks - Allow complete access to Kerberos-connected systems, including creation of new tickets, account changes, and even the falsification of accounts or services

28
Q

RADIUS attacks often focus on what?

A

Session replay
Targeting RADIUS shared secret
Denial-of-service attacks
Credential based attacks

29
Q

Common active directory attacks include what?

A

Malware-focused attacks - Placing credential-capturing or exploit-based malware onto AD servers
Credential theft
Privilege escalation attacks
Service accounts
Domain administrator
The use of down-level versions of protocols, e.g. NTLM v1 and LANMAN, NetBIOS, and unsigned LDAP and SMB, to capture credentials or to conduct other attacks

30
Q

States that users should be provided only with the least set of privileges or permissions required to perform their job function

A

Least privilege

31
Q

A steady accrual of additional rights over time as account owners change roles

A

Privilege creep

32
Q

Occurs when an attacker takes the identity of a legitimate user

A

Impersonation attacks

33
Q

Focuses on taking over an already existing session, either by acquiring the session key or cookies used

A

Session hijacking

34
Q

Focuses on exploiting flaws to gain elevated permissions or access

A

Privilege escalation attacks

35
Q

Combines multiple malicious software tools to provide continued access to a computer while hiding its own existence

A

Rootkits

36
Q

Context-based authentication includes what?

A
  • User roles and group membership related to application or service access
  • IP address and/or IP reputation, providing information on whether a remote IP is known to be part of a botnet
  • Time of day, often related to job role or working hours
  • Location-based information like the user's GPS location
  • Frequency of access
  • Device-based information, including details about the web browser in use and other data that can provide a device fingerprint
37
Q

Allows authentication decisions to be made based on information about the user, the system the user is connecting from, or other information that is relevant to the system or organization performing the authentication

A

Context-based authentication

38
Q

Service that provides authentication services, typically as a cloud-hosted service

A

Identity as a Service (IDaaS)

39
Q

Configuring a SIEM or other security monitoring device to look for which types of events can provide significant security benefits?

A
  • Privileged account usage
  • Privilege changes and grants
  • Account creation and modification
  • Employee termination and terminated account usage
  • Account lifecycle management events
  • Separation-of-duty violations
40
Q

Move trust boundaries outside of your own organization, resulting in new concerns when designing and implementing them

A

Federated identities

41
Q

Members of a federation that provide identities, make assertions about those identities to relying parties, and release information to relying parties about identity holders

A

Identity provider

42
Q

What four major technologies serve as the core of federated identity for current federations?

A
  1. SAML
  2. Active Directory Federation Services (ADFS)
  3. OAuth
  4. OpenID Connect
43
Q
  • XML-based language used to send authentication and authorization data between identity providers and service providers
  • Frequently used to enable single sign-on for web applications and services
A

SAML

44
Q
  • Provides authentication and identity information as claims to third-party partner sites
  • Partner sites then use trust policies to match those claims to claims supported by the service, and then use those claims to make authorization decisions
A

Active Directory Federation Services (ADFS)

45
Q

Provides an authorization framework designed to allow third-party applications to access HTTP based services

A

OAuth

46
Q
  • Allows the authorization server to issue an ID token in addition to the authorization token provided by OAuth
  • Often paired with OAuth to provide authentication
A

OpenID Connect

47
Q

What is the Active Directory Federation Services (ADFS) process?

A
  1. The user attempts to access the ADFS-enabled web application hosted by the resource partner
  2. The ADFS web agent on the partner's web server checks for an ADFS cookie; if it is there, access is granted
  3. The resource partner's ADFS checks for a SAML token from the account partner; if it is not found, ADFS performs home realm discovery
  4. Home realm discovery identifies the federation server associated with the user and then authenticates the user via the home realm
  5. The account partner then provides a security token with identity information in the form of claims, and sends the user back to the resource partner's ADFS server
  6. The resource partner validates the token and uses its trust policy to map the account partner's claims to claims the web application supports
  7. A new SAML token is created by ADFS that contains the resource partner's claims, and its cookie is stored on the user's computer
48
Q

OAuth flows recognize what four parties?

A

Clients - Applications that users want to use
Resource owners - The end users
Resource servers - Servers provided by a service that the resource owner wants the application to use
Authorization servers - Servers owned by the identity provider

49
Q

The response plan for federated identity varies based on the role your organization holds in the federation. List the responsibilities of each role.

A
  • Identity providers are typically responsible for notifying account owners and may be responsible for notifying relying parties
  • Service providers need to determine what their response would be if the identity provider were compromised, as well as for a range of smaller incidents