Chapter 11 Identity and Access Management Security Flashcards
Information associated with an identity; attributes often include the subject's name, address, title, contact information, and other details about the individual
Attributes
Create, store, and manage identity information as well as the permissions, groups, and other information needed to support the use of identities
IAM systems
- Provide information about systems, users, and other details about the organization
- e.g., LDAP
Directory services
What steps are required to implement a secure LDAP server?
- Enable and require TLS (LDAPS or StartTLS) so that LDAP queries and bind credentials are not sent in the clear
- Set password storage to a secure method. LDAP servers can store passwords in plain text; hashed schemes such as salted SHA (SSHA) are supported and should be used where possible
- Require TLS whenever password-based (simple bind) authentication is used, because a simple bind sends the password itself to the server
- Replicate LDAP servers to withstand denial-of-service attacks and other service outages
- Use LDAP access control lists (ACLs) to limit access to specific objects in the directory and to control how entries are created, modified, and deleted
Uses TCP to provide AAA services; encrypts the entire packet body, leaving only the header in the clear
TACACS+
- Can operate over UDP or TCP and uses a client-server model
- Only the password field is obfuscated, using an MD5 hash of the shared secret and the request authenticator; the rest of the packet is sent in the clear, so password security is not very strong
RADIUS
Designed to operate on untrusted networks and uses encryption to protect its authentication traffic
Kerberos
Users in Kerberos are known as what?
Principals
Kerberos principals are composed of what three elements?
The primary - frequently the username (or the service name for a service principal)
The instance - used to differentiate similar primaries, for example an admin instance of a user or the hostname for a service
The realm - the authentication domain the principal belongs to; a realm consists of groups of principals (users, computers, and services)
- Systems that allow users to authenticate once and then use multiple systems or services without re-entering different usernames or passwords
- e.g., LDAP and the Central Authentication Service (CAS)
Single Sign-On
Allows an identity to be reused on multiple sites while relying on authentication by a single identity provider
Shared Authentication
Shared Authentication Technologies include what?
OpenID
OAuth
OpenID Connect
Facebook Connect
- An open standard for decentralized authentication
- Users create credentials with an identity provider like Google; sites (relying parties) then use that identity rather than issuing their own credentials
OpenID
- Relies on access tokens, which are issued by an authorization server and then presented to resource servers (for example, third-party web applications)
- Used by Google, Microsoft, Facebook and other sites to let users share elements of their identity or account information with an application while authenticating via the original identity provider
OAuth
An authentication layer built on top of the OAuth 2.0 protocol
OpenID Connect
Shared authentication system that relies on Facebook credentials for authentication
Facebook Connect
Includes training and awareness, as well as threats like insider attacks, phishing and social engineering
Personnel-based identity security
Endpoints play a role in attacks on identity, including capture of credentials via local exploits and by screen-capture and keystroke-capture (keylogger) applications
Endpoint Threats
Target the systems that run identity services, or the servers that send identity and authentication data to AAA services
Server-based exploits
Provide, consume and interact with identity services
Applications and services
Are associated with users or groups
Roles, Rights, and Permissions
Attacks against LDAP directory servers typically focus on what?
- Attacks against insecure binding (Connection)
- Improper LDAP access controls
- LDAP injection
- Denial-of-service attacks
- Methods that target unencrypted LDAP traffic, either to capture the traffic or to exploit LDAP as an authentication service
- LDAP Attack
Attacks against insecure binding (connection)
Allow attackers to harvest directory information or to modify directory entries they should not be able to change
- LDAP Attack
Improper LDAP access controls
Exploits web applications that build LDAP queries from user input, allowing attackers to gather additional information or to make changes they are not authorized to make, by operating with the web service's privileges
- LDAP Attack
LDAP injection
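Added example (not part of the original flashcards): a Python sketch of the LDAP injection above, built on a toy directory and a minimal filter evaluator written for this illustration. The vulnerable login filter concatenates user input, so a password of `*` becomes a presence test and a username of `*` enumerates the directory; the hardened version applies RFC 4515 escaping so the same input is matched literally. The directory entries and the filter grammar (equality, presence, `&`, `|`, `!`) are constructed here; a real server stores hashed passwords and supports the full filter syntax.

```python
import re

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes (backslash-2a becomes '*') when comparing a parsed value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def vulnerable_login_filter(username: str, password: str) -> str:
    # User input is concatenated straight into the filter (the injection flaw).
    return f"(&(uid={username})(userPassword={password}))"


def hardened_login_filter(username: str, password: str) -> str:
    # Every user-supplied value is escaped, so '*' and parentheses lose their meaning.
    return f"(&(uid={escape_filter_value(username)})(userPassword={escape_filter_value(password)}))"


# Constructed sample entries; a real directory would hold hashed userPassword values.
DIRECTORY = [
    {"uid": "alice", "userPassword": "hunter2", "title": "analyst"},
    {"uid": "admin", "userPassword": "Tr0ub4dor&3", "title": "directory admin"},
]


def parse_filter(text: str, i: int = 0):
    """Parse one filter starting at text[i]; returns (node, index just after the filter)."""
    if text[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = parse_filter(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    end = text.index(")", i)
    attr, _, value = text[i:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr not in entry:
        return False
    if value == "*":                 # presence filter: any value at all matches
        return True
    return entry[attr] == unescape_filter_value(value)   # escaped '\2a' compares as a literal '*'


def search(filter_text: str) -> list:
    """Return the uids of every entry the filter matches; the whole filter must be consumed."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in DIRECTORY if matches(node, e)]


def login(build_filter, username: str, password: str) -> list:
    return search(build_filter(username, password))


if __name__ == "__main__":
    print(login(vulnerable_login_filter, "admin", "*"))   # bypass: password becomes a presence test
    print(login(vulnerable_login_filter, "*", "*"))       # enumerates every entry
    print(login(hardened_login_filter, "admin", "*"))     # []: '*' is now just a character
```

Escaping the value is the fix for injection, but it does not replace binding with the user's own credentials or the ACLs and TLS requirements listed above; a filter comparison against userPassword is only shown here to make the bypass visible.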
Most common attacks on OAuth and OpenID
Open redirects: these result in users being redirected to untrusted sites, enabling phishing scams or allowing attackers to bypass security layers; in OAuth, a redirect to an attacker-controlled URI can also leak the authorization code or token
Common Kerberos attacks include what?
Administrator account attacks
Kerberos ticket reuse - includes pass-the-ticket attacks, which allow impersonation of legitimate users for the lifespan of the stolen ticket
Ticket-granting ticket (TGT) focused attacks - a forged or stolen TGT allows complete access to the Kerberos-connected systems, including creation of new tickets, account changes, and even the falsification of accounts or services
RADIUS attacks often focus on what?
Session replay
Targeting RADIUS shared secret
Denial-of-service attacks
Credential-based attacks
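Added example covering both the RADIUS password-obfuscation flashcard above and the "targeting RADIUS shared secret" attack listed here (illustration code, not from the original deck): a Python implementation of the RFC 2865 User-Password hiding and Response Authenticator calculations, followed by an offline dictionary attack that recovers a weak shared secret from a captured Access-Request/Access-Accept pair and then unhides the user's password. The shared secret, password, wordlist and packet fields are constructed values.

```python
import hashlib
import secrets
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Anyone holding the shared secret and the captured packet recovers the password.
    (Trailing NUL padding is stripped, so a password ending in NUL would be truncated.)"""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def crack_shared_secret(code, ident, attributes, request_auth, observed_auth, wordlist):
    """Offline dictionary attack: the Response Authenticator is an unkeyed MD5 over data the
    attacker captured plus the secret, so each guess costs one MD5 call."""
    for guess in wordlist:
        if response_authenticator(code, ident, attributes, request_auth, guess) == observed_auth:
            return guess
    return None


def demo() -> dict:
    # Constructed values: a NAS with a weak shared secret authenticating a user.
    secret = b"testing123"
    request_auth = secrets.token_bytes(16)          # NAS picks a random Request Authenticator
    hidden = hide_password(b"S3cret!pass", secret, request_auth)
    # The server replies Access-Accept (code 2), ID 7, with no attributes.
    reply_auth = response_authenticator(2, 7, b"", request_auth, secret)
    # An attacker who sniffed both packets runs a wordlist against the reply...
    wordlist = [b"password", b"radius", b"testing123", b"secret"]
    cracked = crack_shared_secret(2, 7, b"", request_auth, reply_auth, wordlist)
    # ...and with the secret in hand unhides the user's password from the request.
    recovered = unhide_password(hidden, cracked, request_auth) if cracked else None
    return {"cracked_secret": cracked, "recovered_password": recovered}


if __name__ == "__main__":
    print(demo())
```

The shared secret is the only thing protecting the password, and the attack above is a pure offline guess, which is why long random shared secrets, per-NAS secrets, and carrying RADIUS over TLS or IPsec are the usual mitigations.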
Common active directory attacks include what?
Malware-focused attacks - place credential-capturing or exploit-based malware onto AD servers
Credential theft
Privilege escalation attacks - typically targeting service accounts and domain administrator accounts
The use of down-level versions of protocols, e.g., NTLMv1 and LANMAN, NetBIOS, and unsigned LDAP and SMB, to capture credentials or to conduct other attacks
States that users should be provided only with the least set of privileges or permissions required to perform their job function
Least privilege
A steady accrual of additional rights over time as account owners change roles, because old rights are not removed when new ones are granted
Privilege creep
Occurs when an attacker takes the identity of a legitimate user
Impersonation attacks
Focuses on taking over an already existing session, either by acquiring the session key or cookies used
Session hijacking
Focuses on exploiting flaws to gain elevated permissions or access
Privilege escalation attacks
Combine multiple malicious software tools to provide continued access to a computer while hiding their own existence
Rootkits
Context-based authentication includes what?
- User roles and group membership related to application or service access
- IP address and/or IP reputation, providing information on whether a remote IP is known to be part of a botnet
- Time of day, often related to job role or working hours
- Location-based information, such as the user's GPS location
- Frequency of access
- Device-based information, including details about the web browser in use and other data that can provide a device fingerprint
Allows authentication decisions to be made based on information about the user, the system the user is connecting from, or other information that is relevant to the system or organization performing the authentication
Context-based authentication
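Added example (not from the original flashcards) showing how the context signals above might be combined into an authentication decision in Python: a hard deny for a botnet-listed source, a risk score built from working hours, device fingerprint, impossible travel between two GPS positions, and attempt frequency, then a step-up to MFA or a deny depending on the score. The reputation list, working hours, thresholds and login scenarios are constructed for the illustration.

```python
import math
from datetime import datetime, timedelta

# Constructed policy inputs: a reputation feed, per-role working hours and thresholds.
BOTNET_IPS = {"203.0.113.7"}
WORKING_HOURS = {"finance": range(8, 19)}      # 08:00 to 18:59 local time
MAX_PLAUSIBLE_SPEED_KMH = 900                  # roughly airliner speed
ATTEMPT_WINDOW = timedelta(minutes=10)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two GPS coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate(request: dict, history: dict):
    """Return (decision, reasons); decision is 'allow', 'mfa' (step-up) or 'deny'.
    request: user, role, ip, time, lat, lon, device_id
    history: known_devices (set), last_login ({time, lat, lon} or None), attempts (datetimes)
    """
    reasons, score = [], 0
    if request["ip"] in BOTNET_IPS:                     # known-bad source: hard stop
        return "deny", ["source IP is on the botnet list"]
    if request["time"].hour not in WORKING_HOURS.get(request["role"], range(24)):
        score += 2
        reasons.append("outside working hours for role")
    if request["device_id"] not in history["known_devices"]:
        score += 2
        reasons.append("unrecognised device fingerprint")
    last = history.get("last_login")
    if last:
        hours = (request["time"] - last["time"]).total_seconds() / 3600
        km = haversine_km(last["lat"], last["lon"], request["lat"], request["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 3
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    recent = [t for t in history["attempts"] if timedelta(0) <= request["time"] - t <= ATTEMPT_WINDOW]
    if len(recent) >= 5:
        score += 2
        reasons.append(f"{len(recent)} attempts in the last 10 minutes")
    if score >= 5:
        return "deny", reasons
    if score >= 2:
        return "mfa", reasons
    return "allow", reasons


def sample_decisions() -> dict:
    """Constructed scenarios for a finance user who normally works from New York on device fp-1."""
    ny = {"time": datetime(2024, 5, 6, 9, 0), "lat": 40.7128, "lon": -74.0060}
    history = {"known_devices": {"fp-1"}, "last_login": ny, "attempts": []}
    base = {"user": "carol", "role": "finance", "ip": "198.51.100.10",
            "device_id": "fp-1", "lat": 40.71, "lon": -74.00}
    scenarios = {
        "normal": {**base, "time": datetime(2024, 5, 6, 10, 30)},
        "new_device_at_night": {**base, "time": datetime(2024, 5, 6, 23, 30), "device_id": "fp-9"},
        "london_two_hours_later": {**base, "time": datetime(2024, 5, 6, 11, 0),
                                   "lat": 51.5074, "lon": -0.1278, "device_id": "fp-9"},
        "botnet_ip": {**base, "time": datetime(2024, 5, 6, 10, 30), "ip": "203.0.113.7"},
    }
    return {name: evaluate(req, history)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:24} -> {decision}")
```

The scores and thresholds are arbitrary; what matters is the shape: some signals are hard stops, most only raise a risk level, and the usual response to elevated risk is a step-up rather than a refusal.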
A service that provides authentication services, typically delivered from the cloud
Identity as a Service (IDaaS)
Configuring a SIEM or other security monitoring device to look for which types of identity-related events provides significant security benefits?
- Privileged account usage
- Privilege changes and grants
- Account creation and modification
- Employee termination and terminated account usage
- Account lifecycle management events
- Separation-of-duty violations
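Added example (not part of the original deck) of the detection logic a SIEM rule set for the events above could implement, run over a handful of constructed, simplified Windows security events in JSON form. The event IDs 4720, 4726, 4728, 4624 and 4672 are real Windows IDs; the field layout, hostnames and the terminated-user list are constructed for this illustration. It flags terminated-account logons, privileged logons, privileged group grants, a creator who also grants admin rights (separation of duties), and an account created and deleted within a day.

```python
import json
from datetime import datetime, timedelta

# Constructed inputs: an HR feed of terminated users and the groups that confer admin rights.
TERMINATED_USERS = {"bob"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}

# Constructed, simplified Windows security events, one JSON object per line.
# 4720 account created, 4726 account deleted, 4728 member added to a global group,
# 4624 successful logon, 4672 special privileges assigned to a new logon.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:02:00", "event_id": 4720, "subject": "hr-svc", "target": "contractor7"}
{"ts": "2024-05-01T08:03:10", "event_id": 4728, "subject": "hr-svc", "target": "contractor7", "group": "Domain Admins"}
{"ts": "2024-05-01T09:15:00", "event_id": 4624, "subject": "bob", "target": "bob", "host": "fs01"}
{"ts": "2024-05-01T09:16:00", "event_id": 4672, "subject": "contractor7", "target": "contractor7", "host": "dc01"}
{"ts": "2024-05-01T22:40:00", "event_id": 4726, "subject": "hr-svc", "target": "contractor7"}
{"ts": "2024-05-02T08:00:00", "event_id": 4624, "subject": "alice", "target": "alice", "host": "ws12"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Run the monitoring rules from the flashcard and return (rule, detail) findings."""
    findings = []
    created_by = {}                      # target account -> (creator, creation time)
    for e in events:
        eid, tgt, subj = e["event_id"], e.get("target"), e.get("subject")
        if eid == 4624 and tgt in TERMINATED_USERS:
            findings.append(("terminated_account_usage", f"{tgt} logged on to {e.get('host')}"))
        if eid == 4672:
            findings.append(("privileged_account_usage", f"{tgt} received admin privileges on {e.get('host')}"))
        if eid == 4720:
            created_by[tgt] = (subj, e["ts"])
            findings.append(("account_created", f"{subj} created {tgt}"))
        if eid == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            findings.append(("privilege_grant", f"{subj} added {tgt} to {e['group']}"))
            # Separation of duties: whoever creates an account should not also make it an admin.
            if tgt in created_by and created_by[tgt][0] == subj:
                findings.append(("separation_of_duties_violation",
                                 f"{subj} both created {tgt} and granted it {e['group']}"))
        if eid == 4726 and tgt in created_by and e["ts"] - created_by[tgt][1] < timedelta(hours=24):
            findings.append(("short_lived_account", f"{tgt} created and deleted within 24h"))
    return findings


def triggered_rules(text: str = SAMPLE_LOG) -> set:
    return {rule for rule, _ in detect(parse_events(text))}


if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:32} {detail}")
```

In a real SIEM the terminated-user set comes from the HR system and the privileged-group list from AD, and the same rules would key on the event's security identifier rather than the display name.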
Move trust boundaries outside of your own organization, resulting in new concerns when designing and implementing
Federated identities
The member of a federation that provides identities, makes assertions about those identities to relying parties, and releases information about identity holders to relying parties
Identity provider
What four major technologies serve as the core of current federated identity implementations?
- SAML
- Active Directory Federation Services (ADFS)
- OAuth
- OpenID Connect
- XML-based language used to send authentication and authorization data between identity providers and service providers
- Frequently used to enable single sign-on for web applications and services
SAML
- Provides authentication and identity information, in the form of claims, to third-party partner sites
- Partner sites then use trust policies to match incoming claims to the claims supported by the service, and use those claims to make authorization decisions
Active Directory Federation Services (ADFS)
Provides an authorization framework designed to allow third-party applications to access HTTP-based services on the user's behalf
OAuth
- Allows the authorization server to issue an ID token, which carries authentication claims about the user, in addition to the access token provided by OAuth
- Often paired with OAuth to provide authentication
OpenID Connect
The Active Directory Federation Services (ADFS) process is what?
- The user attempts to access an ADFS-enabled web application hosted by the resource partner
- The ADFS web agent on the partner's web server checks for an ADFS cookie; if it is present, access is granted
- The resource partner's ADFS server checks for a SAML token from the account partner; if none is found, ADFS performs home realm discovery
- Home realm discovery identifies the federation server associated with the user and then authenticates the user via the home realm
- The account partner then provides a security token with identity information in the form of claims, and sends the user back to the resource partner's ADFS server
- Validation then occurs normally, and the resource partner uses its trust policy to map the account partner's claims to claims the web application supports
- A new SAML token containing the resource partner claims is created by ADFS, and its cookie is stored on the user's computer
OAuth flows recognize what four parties?
Clients - applications that users want to use
Resource owners - the end users
Resource servers - Servers provided by a service that the resource owner wants the application to use
Authorization servers - servers owned by the identity provider
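Added example (illustration code, not from the original deck) that ties together the four OAuth parties above and the open-redirect attack mentioned earlier: an in-process authorization-code flow in Python where the authorization server only accepts a redirect_uri that exactly matches a registered value, binds each code to a PKCE challenge, and makes codes single-use, and a resource server that checks the token and scope before releasing the resource owner's profile. Client registration, URIs, user and scope names are constructed; direct function calls stand in for the HTTP redirects.

```python
import base64
import hashlib
import secrets
import time


def pkce_challenge(verifier: str) -> str:
    """S256 PKCE: BASE64URL(SHA-256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    """Identity provider side: registers clients, issues codes and access tokens."""

    def __init__(self):
        self.clients = {}        # client_id -> set of registered redirect URIs
        self._codes = {}         # authorization code -> grant details
        self.tokens = {}         # access token -> {"user", "scope"}

    def register_client(self, client_id: str, redirect_uris: list):
        self.clients[client_id] = set(redirect_uris)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, user: str, scope: str) -> str:
        """Called after the resource owner has logged in and consented. redirect_uri must exactly
        equal a registered value; prefix or substring matching is what lets an attacker steer the
        code (and the user) to a site they control."""
        if redirect_uri not in self.clients.get(client_id, set()):
            raise ValueError("invalid_request: redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "challenge": code_challenge,
                             "user": user, "scope": scope, "expires": time.time() + 60}
        return code   # over HTTP this rides a 302 to redirect_uri?code=...&state=...

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> str:
        grant = self._codes.pop(code, None)            # single use: a replayed code fails
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if time.time() > grant["expires"]:
            raise ValueError("invalid_grant: code expired")
        if not secrets.compare_digest(pkce_challenge(code_verifier), grant["challenge"]):
            raise ValueError("invalid_grant: PKCE verifier does not match")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return access_token


class ResourceServer:
    """Holds the resource owner's data; trusts only tokens the authorization server issued."""

    def __init__(self, auth_server: AuthorizationServer):
        self.auth = auth_server

    def get_profile(self, access_token: str) -> dict:
        info = self.auth.tokens.get(access_token)      # demo: a shared store stands in for introspection
        if info is None or "profile" not in info["scope"].split():
            raise PermissionError("invalid_token")
        return {"user": info["user"]}


def client_flow(auth, rs, client_id, redirect_uri, user) -> dict:
    """The client (the app the user wants to use) runs the authorization-code flow end to end."""
    verifier = secrets.token_urlsafe(48)
    code = auth.authorize(client_id, redirect_uri, pkce_challenge(verifier), user, "profile")
    access_token = auth.token(client_id, code, redirect_uri, verifier)
    return rs.get_profile(access_token)


def attempt(fn, *args):
    """Return the error message a call raises, or None if it succeeds."""
    try:
        fn(*args)
        return None
    except (ValueError, PermissionError) as exc:
        return str(exc)


def demo() -> dict:
    # Constructed parties: a client 'photo-app', resource owner 'alice', one registered callback.
    auth = AuthorizationServer()
    auth.register_client("photo-app", ["https://photo.example/cb"])
    rs = ResourceServer(auth)
    cb = "https://photo.example/cb"
    results = {"happy_path": client_flow(auth, rs, "photo-app", cb, "alice")}
    # Open-redirect style attempts: registered prefix plus attacker query, or an attacker host.
    results["redirect_with_query"] = attempt(auth.authorize, "photo-app", cb + "?next=https://evil.example", "x", "alice", "profile")
    results["redirect_to_attacker"] = attempt(auth.authorize, "photo-app", "https://evil.example/cb", "x", "alice", "profile")
    # A stolen code without the PKCE verifier, then a replay of the already-used code.
    verifier = secrets.token_urlsafe(48)
    code = auth.authorize("photo-app", cb, pkce_challenge(verifier), "alice", "profile")
    results["stolen_code_no_verifier"] = attempt(auth.token, "photo-app", code, cb, "wrong-verifier")
    results["replayed_code"] = attempt(auth.token, "photo-app", code, cb, verifier)
    return results


if __name__ == "__main__":
    print(demo())
```

A real deployment adds a `state` parameter to bind the callback to the browser session and short token lifetimes, but exact redirect_uri matching is the single check that most directly closes the open-redirect class of attack.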
Response plans for federated identity vary based on the role your organization holds in the federation; list them
- Identity providers are typically responsible for notifying account owners and may be responsible for notifying relying parties
- Service providers need to determine what their response would be if the identity provider were compromised as well as a range of smaller incidents