Chapter 2 - Identity & Access Management Flashcards

1
Q

Identification

A

Occurs when users claim or profess their identity with identifiers such as usernames or email addresses

2
Q

Authentication

A

Proves an identity with some type of credentials such as a username and password.

3
Q

AAA

A

Authentication, authorization and accounting work together with identification to provide a comprehensive access management system.

  • Authorization: even when users can prove their identity, they are not automatically granted access to all resources within a system. Instead, they are granted authorization to access resources based on their proven identity.
  • Accounting methods track user activity and record it in activity logs, enabling admins to create an audit trail.
4
Q

Password keys

A

Used to reset passwords on a system. Often a bootable optical disc or bootable USB flash drive. After rebooting the system to the device they allow you to recover or reset all user and administrator passwords.

5
Q

KBA

A

Knowledge-Based-Authentication can be used to prove the identity of individuals.

  1. Static KBA: typically used to verify your identity when you have forgotten your password, e.g. being prompted to answer questions you previously answered when registering, such as your mother’s maiden name.
  2. Dynamic KBA: identifies individuals without an account, often used for high-risk transactions such as with a financial institution or healthcare company. The site queries public and private data sources, such as credit reports or third-party organizations, then crafts multiple-choice questions only the user would know, often including a “none of these apply” answer.
6
Q

Smart card

A

Credit-card-sized cards that have an embedded microchip and certificate and use certificate-based authentication to satisfy the “something you have” factor, often used in 2FA.

They use embedded certificates with digital signatures and encryption.

7
Q

Certificates

A

Digital files that support cryptography for increased security.

-The embedded certificate holds a user’s private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.

PKI supports issuing and managing certificates.

8
Q

Token key

A

Also called a key fob or a token, it’s an electronic device the size of a car’s remote key that includes an LCD (liquid crystal display) showing a number which changes periodically, such as every 60 seconds. They are sometimes called hardware tokens to differentiate them from software tokens.

The token is synced to a server that knows what the number is at any moment. It’s a one-time-use, rolling password. Users often use tokens to authenticate via a website.

9
Q

HMAC

A

Hash-based Message Authentication Code uses a hash function and a cryptographic key for many different cryptographic functions.

10
Q

HOTP

A

HMAC-based One-Time Password is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter and uses HMAC to hash the result, producing an HOTP value of six to eight digits.

*NOTE: a password created with HOTP remains valid until it is used, so if it is never used it potentially remains usable forever.

11
Q

TOTP

A

Time-based One-Time Password is similar to HOTP but uses a timestamp instead of a counter, so the password expires after 30 seconds or whatever interval you choose. Also an open standard.

Hardware tokens that use the HOTP and TOTP standards are very inexpensive compared to ones using proprietary algorithms.

12
Q

SMS

A

Short Message Service can be used to send a PIN for 2FA.

Push notifications can similarly be enabled for 2FA so users don’t need to re-enter data or remember a password; they just press “allow” or similar, making it user friendly.

13
Q

FAR

A

False Acceptance Rate, a measure of the efficacy of user identification/authentication.

Alt: True Acceptance

14
Q

FRR

A

False Rejection Rate, a measure of the efficacy of user identification/authentication.

Alt: True Rejection

15
Q

CER

A

Crossover Error Rate, referring to the point where the FRR crosses over with the FAR. A lower CER indicates a biometric system is more accurate.

Biometric systems allow you to adjust the sensitivity or threshold level at which errors occur. Increasing sensitivity decreases the number of false matches and increases the number of false rejections, and vice versa.

16
Q

CAC or PIV cards

A

Common Access Cards or Personal Identity Verification cards, often used by military organizations. They show a picture of the user and their personnel information, are worn around a building, and also include smart card capabilities.

17
Q

Service accounts

A

Service accounts fill the need to run an application or service under the context of an account, such as a SQL Server database application running on a server, which needs access to resources on the server and on the network.

-Admins can create a regular user account and name it something like sqlservice, assign it appropriate privileges, and configure the SQL Server to use this account.
-It is like a regular end-user account, the only difference being it’s used by the service or application, not an end user.

*Credential policies may require long, complex passwords, but they should not expire, since expiry would make the service or application stop working.

18
Q

PAM

A

Privileged Access Management, or privileged account management, allows an organization to apply more stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts.

PAM implements the concept of just-in-time administration, where admins don’t have administrative privileges until they need them, at which point they send a request for the elevated privileges.
-After a pre-set time, such as 15 minutes, their account is automatically removed from the group, revoking the privileges.

PAM CAPABILITIES:
1. Allow users to access the privileged account without knowing the password.
2. Automatically change the privileged account password periodically.
3. Limit the time users can use the privileged account.
4. Allow users to check out credentials.
5. Log all access of credentials.

ALWAYS REQUIRE ADMINISTRATORS TO USE 2 ACCOUNTS, WHICH HELPS PREVENT PRIVILEGE ESCALATION ATTACKS.

19
Q

Disablement Policy

A

Specifies how to manage accounts in different situations, e.g. disabling accounts when employees leave an organization.

Also disable default accounts to prevent them from being used.

Disabling is often better than deleting, to avoid deleting all encryption and security keys associated with the account. Data encrypted with those keys would remain encrypted forever unless the company had a key escrow or recovery agent.
-Applies to terminated employees and leaves of absence. Disabling ensures the data associated with the account remains available.

20
Q

Time-based logins

A

Prevent users from logging on or accessing network resources during specific hours.

Often just prevents new network connections and won’t log out an active session if someone is already logged in and working.

21
Q

Account audit

A

Looks at the rights and permissions assigned to users and helps enforce the least privilege principle.

Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing and can be used to re-create an audit trail.

Permission auditing reviews ensure users only have the access they need and no more, and can detect privilege creep.

22
Q

COMPARING AUTHENTICATION SERVICES

A

A common authentication goal is to ensure unencrypted credentials are not sent across a network, to avoid them being captured and analyzed with a protocol analyzer.

23
Q

SSO

A

Single Sign-On refers to a user’s ability to log on once and access multiple systems without logging on again. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down, and it’s much more convenient for users to access network resources if they only have to log in once.

EX: a user needs to access multiple servers within a network to perform normal work. Without SSO they’d need one set of credentials to log in locally and another set of credentials for each of the servers. Many people would write these credentials down. SSO requires strong authentication to be effective, since an attacker gaining access to the one credential would gain access to multiple systems.

In a system with SSO capabilities the user logs onto the network once and the SSO system creates some form of secure SSO token used during the entire login session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication.

Kerberos includes SSO capabilities in networks. There are also several SSO alternatives used on the internet.

24
Q

Kerberos

A

Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. Kerberos provides mutual authentication that can help prevent on-path attacks and uses tickets to help prevent replay attacks.

Kerberos includes several requirements for it to work properly:

  1. A METHOD OF ISSUING TICKETS FOR AUTHENTICATION.
    The Key Distribution Center (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC or TGT server packages user credentials with a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, as in logical tokens.

i) When a user logs into their workstation or device and authenticates with the Kerberos Authentication Server (AS), they receive a ticket-granting ticket (TGT).

ii) This TGT serves as proof of authentication and allows the user to obtain service tickets from the ticket-granting server (TGS) for accessing various network resources/services.

iii) With the service tickets obtained from the TGS, the user can seamlessly access multiple internal systems, servers, and applications without needing to provide credentials again.

  2. TIME SYNCHRONIZATION. Kerberos version 5 requires all systems to be synchronized within 5 minutes of each other. The synchronized clock is used to time-stamp tickets and ensure they expire correctly.
  3. A DATABASE OF SUBJECTS OR USERS. In a Microsoft environment, this is Active Directory, but it could be any database of users.

ALT: Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (Key Distribution Center) or TGT server to issue timestamped tickets that expire after a certain time period.

METAPHOR: think of Kerberos as a bouncer in a club. The bouncer (the Kerberos server) gives you a stamp (a ticket, called a “ticket-granting-ticket”) that you can show at various doors (servers) to get in without having to prove your identity each time.

Kerberos is a network authentication protocol that uses a trusted third party (the Kerberos server) to authenticate users and provide secure access to network resources without transmitting passwords over the network. It is a form of single sign-on.

24
Q

Federated Identity Management System

A

A way to connect authentication mechanisms from different environments, such as different operating systems or different networks. These systems are often integrated as a federated database, which provides central authentication in a non-homogeneous environment.

EX: power plant employees need to access the town’s school resources, but it’s not feasible to join these 2 networks together, so you can instead create a federation of the two networks. Then, power plant employees can log on using their power plant account and access the shared school resources without logging on again.

24
Q

Federation

A

Requires a federated identity management system that all members of the federation use; in the example above, the members of the federation are the power plant and the school system. The members of the federation agree on a standard for federated identities and then exchange the information based on the standard.

A federated identity links a user’s credentials from different networks or operating systems, and the federation treats them as one identity.

24
Q

SAML and XML

A

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for SSO on web browsers.

Imagine 2 websites hosted by 2 different organizations that would normally require 2 separate, distinct credentials to access either site. If the organizations trust each other they can use SAML as a federated identity management system: users authenticate with one website and are not required to authenticate again when using the second site.

TLDR: SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

*SSO is used for identification and authentication, not authorization.

25
Q

OAuth

A

An open standard for authorization that many companies use to secure access to protected resources. Instead of creating a different account for every website you access, you can often use the same account you’ve created with Google, Facebook, PayPal or similar.

Think of OAuth as “open authorization”. It focuses on authorization, not authentication.

26
Q

OpenID

A

An authentication standard maintained by the OpenID Foundation, where an OpenID provider holds the user’s credentials and a website that supports OpenID prompts users to enter their OpenID. Not as common these days.

27
Q

OIDC

A

OpenID Connect. Builds on OpenID and uses the OAuth 2.0 framework.

Instead of an authorization token, OIDC uses a JSON (JavaScript Object Notation) Web Token (JWT), sometimes called an ID token.

28
Q

Role-BAC

A

Role-based access control. Uses roles based on jobs and functions.

A matrix is a planning document that matches roles with the required privileges.

Roles can be hierarchy-based (admins, executives, project managers, team members etc.), department-based, or job/task/function-based.

29
Q

Group-based privileges

A

Admins using Role-BAC often implement roles as groups, or security groups. They assign rights and permissions (privileges) to groups, then add user accounts to the appropriate groups.

This reduces the administrative workload of access management, as users in a group automatically inherit the privileges assigned to the group.

30
Q

Rule-BAC

A

Rule-based access control is often used with routers and firewalls, but advanced implementations cause rules to trigger within applications as well.

You can, for example, give employee B access to a database if employee A is absent. You can also create a rule in response to an event, for example in an IPS, where ACLs are modified after detecting an attack, or additional permissions are granted to a user in certain situations.

31
Q

DAC

A

Discretionary Access Control. A scheme where objects (such as files or folders) have an owner, and the owner establishes access to the objects. Used in Windows and Unix-based systems.

A common example of DAC is NTFS (New Technology File System) used in Windows, which provides security by allowing users and admins to restrict access to files and folders with permissions.

32
Q

SIDs

A

Security Identifiers. Used in Microsoft systems to identify users. A SID is a long string of characters; the system looks up the name associated with a SID and displays the name. Groups are also identified with a SID.

33
Q

DACL

A

Discretionary Access Control List. Every object (e.g. a file or folder) includes a DACL that identifies who can access it in a system using the DAC scheme.

The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permissions granted to that SID, such as:
-Full control
-Modify
-Read & Execute
-Read
-Write

Each of these entries is an ACE, and combined, all of the entries are a DACL.

34
Q

MAC

A

There are many “MAC” acronyms, but in this context it means “Mandatory Access Control”, which is a scheme that uses labels (e.g. sensitivity labels or security labels) to determine access. Security admins assign labels to subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When they don’t, the access scheme blocks access.

Think of the military and “Top Secret” labels, which restrict access to those who need to know.

SELinux (Security-Enhanced Linux) is one of the few OSes using a MAC scheme, whereas Windows uses DAC.

The security levels are often divided into a lattice where higher-level clearances include lower-level clearances.

35
Q

ABAC

A

Attribute-Based Access Control evaluates attributes and grants access based on the value of those attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grants access when the system detects a match with a policy.

Many Software-Defined Networks (SDNs) use ABAC schemes. Instead of rules on physical routers, policies in the ABAC system control the traffic. Policies use simple statements like “allow logged-on researchers to access research sites via the main network”. Policy statements typically include the following 4 elements:
1. Subject
2. Object
3. Action
4. Environment

TLDR: The ABAC scheme uses attributes defined in policies to grant access to resources. It’s commonly used in SDNs.

ABAC has a lot of flexibility and can enforce both a DAC and a MAC scheme.

36
Q

Conditional Access

A

Exists within Azure Active Directory environments. It can be used with traditional access control schemes but adds additional capabilities to enforce organizational policies. It uses policies, which are if-then statements.

Conditional Access policies use signals, which are similar to attributes in an ABAC scheme, such as:

-User or group membership
-IP location
-Device