Chapter 3: Investigating Identity and Access Management Flashcards
This is the process of maintaining the log files that record when users log in and log out, and what resources they used while logged in.
Accounting
This is an entity that can validate that the credentials presented to it are genuine. The credential could be a certificate, a token, or details such as a username and password.
Identity Provider
The following can be used to prove a person's identity, as each must be unique to them:
Username, Attribute, Smart Card, Certificate, Token, SSH Keys
This is a digital credential: either a SAML assertion used by federation services or an access token issued by Open Authorization (OAuth).
Token
These are used by an administrator to open a secure connection to a server. First, a public and private key pair is generated. The public key is stored on the server (in the account's authorized_keys file), and the private key stays on the admin's workstation, ideally protected with a passphrase so that a stolen key file cannot be used on its own.
SSH Keys
This identifier is linked to the account and is used to grant access to resources in a Microsoft Active Directory environment. Once the account is deleted, its identifier is never reused; recreating an account with the same name produces a new identifier, so any permissions granted to the old one are lost.
Security Identifier
This type of account has limited access: it cannot install software or change system settings, so users get only what they need to use the computer. There are two types of this account, one for the local machine and one for the domain.
User Account
This type of account is a legacy account designed to give limited access to a single computer without creating a user account. It is normally disabled because it is a security risk.
Guest Account
This type of account is given to external speakers who need access to the internet while delivering their presentation.
Sponsored Guest Account
TIP
A guest speaker should be allocated a sponsored guest account.
TIP
This type of account has much higher access to the system and tends to be used by members of the IT team. Administrators are an example of this type of account.
Privileged Account
This type of account can install software and manage the configuration of a server or a computer. It has the privilege to create, delete, and manage user accounts. An administrator should have two types of account: a standard user account for routine tasks, and a separate admin account used only to carry out admin duties.
Administrative Account
When an application is installed on a server, it may need elevated privileges to run, but we do not want it running under a full administrator account. This type of account fits the bill: it is created with only the privileges the application needs.
Service Account
TIP
A service account is a type of administrator account used to run an application.
TIP
This type of account is used when a group of people perform the same duties, such as members of customer services. If you need to monitor or audit individual employees, you cannot use this type of account, because actions cannot be tied to one person.
Shared Account
These are default administrative accounts created by manufacturers for devices ranging from baby monitors to smart ovens and smart TVs. They all ship with default usernames and passwords. This is a problem because the default credentials can easily be looked up online, so the username and password of these accounts should be changed before the device is put on the network.
Generic Accounts
TIP
If you do not change the default username and password on household Internet of Things (IoT) devices, a cybercriminal can use the published defaults to take control of devices on your home network.
TIP
This type of token requires time synchronization between the token and the server, because each password is only valid for a short window, normally 30 to 60 seconds. It could be used when you want to access secure cloud storage or your online bank account.
Time-Based One-Time Password (TOTP)
This type of token also produces one-time passwords, but they are generated from an incrementing counter rather than the clock, so there is no time limit: each code remains valid until it is used or superseded by a later one.
HMAC-Based One-Time Password (HOTP)
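The two token types above differ only in where the counter comes from, which is easiest to see in code. The following is an added example (not part of the original flashcards) implementing HOTP and TOTP with the standard library; the shared secret is the RFC 4226/6238 test-vector key, and the look-ahead and drift windows are assumed policy values.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only.

Added example, not part of the original flashcards. The key below is the
RFC test-vector secret "12345678901234567890" (ASCII); a real deployment
provisions a random secret per user, normally shown to the user as Base32.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP code for an 8-byte big-endian counter (RFC 4226 section 5.3)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP whose counter is derived from the clock: floor(T / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps (assumed policy) to
    tolerate small clock drift between token and server; compare in constant time."""
    current = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, current + d, digits), submitted)
               for d in range(-window, window + 1))


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 5) -> Optional[int]:
    """Counter-based check. The token may be a few presses ahead of the server,
    so search a small look-ahead window (assumed policy). Returns the next
    counter to persist on success, so a used code can never be replayed, or
    None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at T=59 :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
```

The TOTP check is stateless apart from the clock, which is why clock skew breaks it; the HOTP check must store the returned counter, otherwise an intercepted code could be replayed.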
This is similar to a CAC, but it is used by federal agencies rather than the military.
Personal Identity Verification (PIV)
This is a port-based network access control standard used when a device connects to a switch port or a user authenticates to a wireless access point. The device authenticates through an EAP method, commonly with a certificate, and the switch or access point passes the exchange to a RADIUS server.
IEEE 802.1X
This location-based authentication blocks any attempt to log in from outside the regions that have been defined as allowed. Geolocation derives your location from your IP address and the ISP you are using.
Context-Aware Location
This location-based authentication can be used to identify where your phone is located by using Global Positioning System (GPS).
Smart Phone Location Services
This location-based check is a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If someone logs in from Toronto and thirty minutes later logs in from Las Vegas, the second login attempt will be blocked, because nobody could travel that distance in that time.
Impossible Travel Time
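The check described above reduces to a distance-over-time calculation between two consecutive logins. The following is an added example, not the cloud provider's own logic: it assumes the IP addresses have already been geolocated to latitude and longitude, uses the haversine great-circle formula, and treats an assumed 1,000 km/h (roughly airliner speed) as the fastest plausible travel. The coordinates and timestamps are constructed sample data.

```python
"""Impossible-travel detection between two login events (added example).

Assumes each event already carries a geolocated latitude/longitude. The speed
threshold is an assumed policy value, not something the page specifies.
"""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed policy threshold: roughly airliner speed


def login_event(iso_time: str, lat: float, lon: float) -> dict:
    """One login record; in practice lat/lon come from IP geolocation."""
    return {"time": datetime.fromisoformat(iso_time), "lat": lat, "lon": lon}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def is_impossible_travel(prev: dict, curr: dict, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (impossible, distance_km, required_kmh) for two consecutive logins."""
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600.0
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if hours <= 0:
        # Same timestamp or out-of-order events: being in two places at once is impossible.
        return (dist > 0.0, dist, math.inf)
    speed = dist / hours
    return (speed > max_kmh, dist, speed)


# Constructed sample from the card: Toronto, then Las Vegas thirty minutes later.
TORONTO = login_event("2024-01-01T09:00:00+00:00", 43.65, -79.38)
LAS_VEGAS = login_event("2024-01-01T09:30:00+00:00", 36.17, -115.14)

if __name__ == "__main__":
    flag, km, kmh = is_impossible_travel(TORONTO, LAS_VEGAS)
    print(f"impossible={flag} distance={km:.0f} km required_speed={kmh:.0f} km/h")
```

A real implementation would also allow for known VPN and corporate egress addresses, which can make a user appear to jump continents without any fraud.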
This device-based check is also used by cloud providers, who keep a database of the devices each user normally logs in from. An email is sent to the user when the system cannot recognise the device used to log in.
Risky Login
This is an additional layer of security: after the user enters their password, an SMS message containing a code is sent to the user's phone, and they enter that code to complete authentication. The code has a time limit. Note that SMS can be intercepted or redirected by SIM swapping, so it is the weakest form of second factor.
SMS Authentication
This authentication technology ranges from a hardware device that displays a one-time password to the fob or card presented to a card reader to gain access to a building.
Token Key
A notification is sent to the user's registered device (an app prompt, or an email) when their account is accessed from an unusual device; for example, if I access Dropbox from a friend's laptop. The user approves or denies the login from the notification.
Push Notification
This authentication technology places an automated call to the user's registered phone when someone attempts to access the system; the user confirms on the call to approve the login.
Phone Call
This authentication technology is an internet standard (RFC 7519) for a compact, signed token: the issuing server signs the token with its key (an HMAC secret or its private key) and sends it to the user, who presents it to prove what the issuer asserted about them. The signature ensures the claims inside cannot be altered. It is used by Open Authorization (OAuth) and OpenID Connect.
JSON Web Token (JWT)
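The token format and the checks a relying party must make are easiest to see by building one. The following is an added example, not code from the page or from any JWT library: it issues and verifies an HS256 token with the standard library, using a constructed shared secret (an HMAC key rather than a private key, so the same secret issues and verifies; the header.payload.signature structure is identical for RS256).

```python
"""Minimal JWT (RFC 7519) issue and verify with HS256 (added example).

The secret is a constructed placeholder; in practice use at least 32 random bytes.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-shared-secret-change-me"   # assumed placeholder key


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes, ttl_seconds: int = 300,
              now: Optional[int] = None) -> str:
    """Issuer side: encode header and payload, sign them with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Relying-party side: return the claims, or raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: honouring "alg" from the token enables alg=none and key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


if __name__ == "__main__":
    token = issue_jwt({"sub": "mr.red", "company": "A"}, SECRET)
    print(token)
    print(verify_jwt(token, SECRET))
```

Note that the payload is only base64url-encoded, not encrypted: anyone holding the token can read the claims, so secrets never belong inside a JWT.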
These codes do not change over time, like the PIN for a smart card. They are commonly used by broadband engineers.
Static Codes
This could be Kerberos, where a Ticket Granting Ticket is obtained and then exchanged for service tickets that give access to applications. It could also be certificate-based authentication or, in the cloud, conditional access that decides whether an application may be accessed.
Authentication Applications
This looks like a USB (or NFC) device and works in conjunction with your password to provide multifactor authentication. An example is the YubiKey.
Password Keys
These chips are normally built into a computer's motherboard and store cryptographic keys securely. They become useful when you are using Full Disk Encryption (FDE), as the key that unlocks the disk can be sealed to the chip so that it is released only when the boot environment is unchanged.
Trusted Platform Module (TPM)
This is normally used by financial institutions, banks, or email providers to verify someone's identity when they want a password reset.
There are two types of this authentication method:
- Static KBA
- Dynamic KBA
Knowledge-Based Authentication (KBA)
These are questions whose answers the user chooses beforehand, for example: "What is the name of your first school?" They are weak, because the answers are often guessable or can be found on social media.
Static KBA
These are deemed more secure because the questions are not set beforehand; they are generated at the time of the request from records held about the user.
Dynamic KBA
This is an authentication framework (not a single method) that runs over point-to-point links. It is commonly used with wireless networks and 802.1X.
Extensible Authentication Protocol (EAP)
This version of EAP encapsulates the EAP exchange inside a TLS tunnel, making it more secure for WLANs. Only the server needs a certificate.
Protected Extensible Authentication Protocol (PEAP)
This form of EAP was developed by Cisco. Instead of certificates it uses Protected Access Credentials (PACs). It is used in wireless networks.
EAP-FAST (Flexible Authentication via Secure Tunneling)
This form of EAP needs X.509 certificates installed on the endpoints (as well as on the server) for authentication; client and server authenticate each other.
EAP-TLS
This form of EAP needs a certificate installed only on the server. It creates a TLS tunnel through which the users' credentials travel.
EAP-TTLS
This is a UDP-based AAA server. It receives authentication requests from network access devices such as VPN servers, Remote Access Servers (RAS), and 802.1X authenticating switches, checks the remote access policies, and verifies that the authentication is allowed, typically by contacting the domain controller.
RADIUS Server
These clients could be VPN servers, RAS servers, or 802.1X authenticating switches. Each client needs a shared secret, configured on both the client and the RADIUS server, to join the RADIUS environment.
RADIUS authentication uses UDP port 1812
RADIUS accounting uses UDP port 1813
RADIUS Clients
This is a more modern replacement for RADIUS that runs over TCP (or SCTP) rather than UDP.
Diameter is the AAA protocol that supports EAP.
Diameter
This is Cisco's AAA protocol. It uses TCP port 49, separates authentication, authorization, and accounting, and encrypts the whole packet body (RADIUS encrypts only the password).
TACACS+
Allows someone working remotely, either from a hotel room or home, to connect securely through the internet to the corporate network.
Virtual Private Network (VPN)
This is a legacy remote access service that pre-dated the VPN. Clients used modems and dial-up connections over telephone lines, so speed was very restricted.
Remote Access Services (RAS)
There are numerous methods of authentication used by VPN or RAS:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- MS CHAP/MSCHAP version 2
Authentication for VPN/RAS
This authentication method for a VPN or RAS should be avoided at all costs, as passwords are transmitted in clear text and can easily be captured.
Password Authentication Protocol (PAP)
This authentication method for a RAS server is done with a four-stage process:
- Client makes a connection request to the RAS.
- RAS replies with a challenge that is a random string.
- Client computes a one-way hash (MD5) of the challenge combined with its password and sends the hash back; the password itself never crosses the link.
- RAS computes the same hash using the password it has stored for the user. If both values match, the client logs in. The server repeats the challenge periodically during the session.
Challenge Handshake Authentication Protocol (CHAP)
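The four stages above, simulated with both sides in one script as an added example (not code from the page): the response is MD5 over identifier, secret and challenge as RFC 1994 specifies, and the username, secret and challenge size are constructed values.

```python
"""CHAP (RFC 1994) challenge/response simulated on both sides (added example).

User names and secrets below are constructed sample data.
"""
import hashlib
import hmac
import os

# Server-side store: username -> secret. CHAP requires the server to hold the
# secret itself (not a salted hash of it), which is one of its weaknesses.
USER_SECRETS = {"mr.red": b"correct horse battery staple"}   # constructed


def server_make_challenge(identifier: int, size: int = 16):
    """Stage 2: the server replies with an identifier and a random challenge."""
    return identifier, os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Stage 3: MD5(identifier || secret || challenge), RFC 1994 section 4.1.
    Only this digest is sent; the secret never appears on the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Stage 4: recompute with the stored secret and compare in constant time."""
    secret = USER_SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_handshake(username: str, client_secret: bytes, identifier: int = 1) -> bool:
    """Whole exchange. A real PPP server re-challenges periodically with a new identifier."""
    ident, challenge = server_make_challenge(identifier)        # stages 1-2
    response = chap_response(ident, client_secret, challenge)   # stage 3 (client)
    return server_verify(username, ident, challenge, response)  # stage 4 (server)


if __name__ == "__main__":
    print("correct secret:", run_handshake("mr.red", b"correct horse battery staple"))
    print("wrong secret  :", run_handshake("mr.red", b"guess"))
```

Because the challenge is random, a captured response cannot be replayed against a later challenge; an attacker who captures the exchange can, however, run an offline dictionary attack on the secret, which is why CHAP is now wrapped in a TLS tunnel or replaced by EAP methods.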
This is Microsoft's version of CHAP. Version 2 is the newer version and can be used by both VPN and RAS. Note that MS-CHAPv2 relies on DES and is considered broken; it should only be used inside a TLS tunnel such as PEAP.
MS CHAP/MSCHAP version 2
This is a solution that protects the privileged accounts within a domain, helping to prevent attacks such as pass the hash, pass the ticket, and privilege escalation. It gives visibility into who is using privileged accounts and what tasks they are being used for.
Privileged Access Management (PAM)
This is a separate, hardened Active Directory forest used to hold privileged administrative accounts, isolated from the production forest so that a compromise of the production domain does not expose them.
bastion forest
Gives the admin just enough privileges to carry out a specific task; in Windows it is implemented as a constrained PowerShell endpoint that exposes only the cmdlets the role needs.
Just Enough Administration (JEA)
This protocol is used to query and manage directory services such as Active Directory, which store objects such as users and computers in an X.500-style hierarchy. Each object is identified by a distinguished name made up of three kinds of component: DC (domain component), OU (organizational unit), and CN (common name, for anything else), for example CN=Mr Red,OU=Sales,DC=example,DC=com. ____ is the protocol used to read and write these X.500 objects; it uses TCP port 389, or 636 for LDAPS (LDAP over TLS), which should be used so that credentials and queries are not sent in clear text.
Lightweight Directory Access Protocol(LDAP)
This is the default Microsoft authentication protocol, introduced with Windows 2000 (it is an open standard, RFC 4120). It is the authentication protocol that uses tickets, sequence numbers, and timestamps. If ____ authentication fails, this is normally because the user's computer or device clock is out of sync with the domain controller by 5 minutes or more (the default maximum tolerance).
Kerberos
This is the first step in Kerberos authentication. The user's credentials are used to authenticate to the Key Distribution Center on a domain controller; once they are confirmed, it sends back this ticket, which has a 10 hour lifespan by default and is later exchanged for service tickets for individual applications.
Ticket Granting Ticket (TGT)
This can be placed on your LAN to keep the domain computers and servers in sync with each other.
Network Time Protocol (NTP)
This is used to prove who the user is to a specific server. The client presents its TGT to the domain controller (the Ticket Granting Service) and receives this ticket for the requested service; presenting it to the server allows the user access to the resources.
Service Ticket
This provides single sign-on, as the user needs to log in only once: the TGT is then used to obtain a service ticket for each resource without re-entering credentials. With mutual authentication, the server also proves its identity to the client, so the client knows it is talking to the genuine service.
Single Sign-On/Mutual Authentication
This is a legacy authentication protocol whose password hashes (the NT hash, an unsalted MD4 of the password) are very fast to crack. It is susceptible to the pass-the-hash attack, because the hash alone is enough to authenticate. Kerberos mitigates pass-the-hash because it never sends the password hash across the network; it uses encrypted tickets instead.
NT Lan Manager (NTLM)
This is where you have a parent domain and one or more child domains that trust one another (these are called trees). Between the parent domain and each child domain there is a two-way transitive trust, so resources can be shared in both directions. Since the parent domain trusts both Child A and Child B, Child A and Child B transitively trust each other, as long as the admins of each allow it.
Transitive trust
A parent domain together with its child domains, which share a contiguous namespace; a domain in this structure can be either the parent or a child.
trees
TIP
You need to remember that Kerberos is the only authentication protocol that uses tickets. It also prevents replay attacks, as it uses sequence numbers and timestamps. It can also prevent pass-the-hash attacks.
TIP
TIP
When the exam mentions a third-party authentication, this can only mean federation services. Federation services require cookies to be enabled.
TIP
This kind of service is used when two different companies want to authenticate each other's users while participating in a joint venture. The companies do not want to merge; each keeps its own identity and management, so to each other they are third parties. Each company has its own directory database and normally only has access to its own domain, but with this type of trust their users can access the partner's resources using their home credentials, without a second account being created in the partner's domain.
Federation Services
These are extended attributes used by directory services, in addition to the basic attributes. They include the following:
Employee ID
Email Address
User-Extended Attributes
This is an XML-based standard used to pass authentication assertions and extended attributes between Company A and Company B in a federation service setup.
Security Assertion Mark-up Language (SAML)
Mr. Red from Company A wants access to limited resources at Company B, so he contacts Company B through a web browser. Company B (the service provider) redirects him to Company A (his identity provider), which asks him for his Employee ID and password.
Company A verifies the credentials against Mr. Red's domain controller and then uses SAML to pass a signed assertion containing his authentication details and extended attributes to Company B, which grants him access. Company B can then issue a cookie (or a certificate) to Mr. Red's laptop so that the next visit does not have to repeat the exchange.
Federation Services - Authentication and Federation Services - Exchange of Extended Attributes
TIP
When the exam mentions authentication using extended attributes, this can only mean federation services. Cookies used for authentication would also indicate federation services.
TIP
This is an open source federation service product that uses SAML authentication. It is typically used for smaller federation environments. It can also use cookies.
Shibboleth
This is used in a domain environment. Someone logs in to the domain once and can then access several resources, such as the file or email server, without entering their credentials again. Federation services and Kerberos are good examples of ____.
Single Sign-on (SSO)
Provides authorization to enable third-party applications to obtain limited access to a web service.
OAuth 2.0
This is an identity layer built on top of OAuth 2.0 that lets users log in to a web application without the application having to manage the user's account. It allows users to authenticate with their Google, Facebook, or Twitter account, and returns an ID token (a JWT) describing the user.
Open ID Connect
- Fingerprint Scanner
- Retina Scanner
- Iris Scanner
- Voice Recognition
- Facial Recognition
- Vein
- Gait Analysis
Authentication via Biometrics
Released with Windows 10, it uses an infrared camera making it better than regular cameras as they can have trouble with lighting.
Windows Hello
It accepts unauthorized users and allows them to gain access. This is known as a Type II error. Unauthorized users are allowed; look for the middle letter being an A.
False Acceptance Rate (FAR)
It is where legitimate users who should gain access are rejected and cannot get in. This is known as a Type I error. Authorized users are rejected; look for the middle letter being an R.
False Rejection Rate (FRR)
TIP
When looking at FAR or FRR, remember to look at the middle letter. Authorized users are rejected: the middle letter in FRR is R for reject. Unauthorized users are accepted: the middle letter in FAR is A for accept. Remember that Authorized, which starts with A, does not belong with FAR, which has A as its middle letter: A does not select A.
TIP
This is where the FAR and FRR are equal. If you are going to purchase a biometric system, you need a system that has a low CER.
Crossover Error Rate (CER)
This describes how effective a biometric system is at telling genuine users from impostors, and it is measured by looking at the CER point. You want a device with a high efficacy rate, which means a low CER; a CER of less than 5% is the target.
Efficacy Rates
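FAR, FRR and the crossover point are all functions of where the acceptance threshold is set on the matcher's score. The following is an added example (not from the page) that computes them from constructed genuine and impostor match scores and sweeps the threshold to find the CER; the scores and the 0 to 100 scale are assumptions.

```python
"""FAR, FRR and crossover error rate from match scores (added example).

Scores are constructed: a biometric matcher returns a similarity score from
0 to 100 and the system accepts when score >= threshold.
"""

# Genuine = enrolled user compared with their own fresh sample;
# impostor = enrolled user compared with somebody else's sample.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 58]
IMPOSTOR_SCORES = [20, 25, 31, 38, 44, 51, 57, 63, 69, 75]


def far(impostor_scores, threshold: int) -> float:
    """False Acceptance Rate: fraction of impostor attempts accepted (Type II error)."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold: int) -> float:
    """False Rejection Rate: fraction of genuine attempts rejected (Type I error)."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def crossover_error_rate(genuine_scores, impostor_scores):
    """Sweep every threshold and return (threshold, far, frr) where FAR and FRR
    are closest to equal. The error rate at that point is the CER; lower is better."""
    best = None
    for t in range(0, 101):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    for t in (50, 60, 67, 80):
        print(f"threshold {t}: FAR={far(IMPOSTOR_SCORES, t):.1f} FRR={frr(GENUINE_SCORES, t):.1f}")
    print("crossover (threshold, FAR, FRR):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold trades false acceptances for false rejections, which is why a vendor's quoted FAR on its own says little; the CER is the single figure that lets two devices be compared.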
This uses two or more different factors from different categories; it could be more than two, as it just means multiple factors.
Multi-Factor Authentication
This would be a username, PIN, password, or your date of birth.
Something You Know
Biometric authentication
Something You Are
Things like swiping a card, writing your signature, or your gait.
Something You Do
The location you are in.
Somewhere You Are
Security token, key fob, or smart card.
Something You Have
This is made easy by the use of proximity cards, while guards on reception can also control access to the building. We can apply multi-factor authentication by using smart card authentication (the card plus a PIN).
On-Premises Authentication
This method should adopt a zero-trust model, where every connection is treated as untrusted until proven otherwise, because we cannot see who is logging in. We then use conditional access, expressed as if-then statements, to decide whether to let the person in. The three stages of conditional access are Signal, Decision, and Enforcement.
In The Cloud Authentication
This could be user or group, location, device, calculated risk, and the application that needs to be accessed.
Signal
This could range from allow to block, or require multifactor authentication (MFA).
Decision
Access to the application that has been approved.
Enforcement
These providers keep a central database of the devices each person uses to log in. If the system cannot recognise the device, it notifies the user of a risky login; if the login is not approved, the user is denied access.
Cloud Service Providers (CSPs)
TIP
In the Sec+ exam, when people move department, they are given new accounts and the old account remains active until it has been disabled.
TIP
- Employee Leaving
- Extended Absence Period
- Guest Account
Reasons for Disabling an Account
Process where an auditor reviews all the user accounts. If the auditor finds anything wrong, they report their findings to management. They are the snitch.
Account Recertification
Ensuring that accounts are created in accordance with the standard naming convention, disabled as soon as the employee leaves, and then deleted after a set retention period has passed.
Account Maintenance
TIP
If you want to know immediately when there is a change to a user account, such as it being given higher privileges, then you need active account monitoring or a SIEM system.
TIP
This system is used for real-time monitoring and can aggregate, decipher, and normalize non-standard log formats. The only time it will not provide the correct information is when the wrong filters are used or the wrong host is being monitored.
Security Information and Event Management
- Account Management
- Account Expiry
- Time and Day Restriction
- Account Lockout
SIEM Filters
TIP
If a time restriction is to be placed on a group of contractors, role-based access control (RBAC) will be used. Time and day restrictions can only be set on individual accounts.
TIP
TIP
If group-based access is used in the exam question, then the solution will be a group-based access solution.
TIP
- Enforce Password History
- Password Reuse
- Maximum Password Age
- Minimum Password Age
- Complex Passwords
- Store Passwords Using Reversible Encryption (disable whenever you can)
- Account Lockout Threshold
- Account Lockout Duration
Passwords - Group Policy Configurations