Chapter 5: Identity and Access Management Flashcards

1
Q

Subject

A

Person, Process or Program

2
Q

Object

A

A resource (file, printer, etc…)

3
Q

Access Controls

A

Security features that control how people can interact with systems and resources.
Three types: Logical, Administrative and Physical.

4
Q

IAAA of Access Control

A

Identification - Make a claim (user ID, etc.)
Authentication - Provide support (proof) of your claim
Authorization - What rights and permissions you have
Auditing - Accountability, matching actions to subjects

5
Q

Identification

A

Public information (usually we aren't concerned with protecting identities)
Identification must be unique for accountability
Standard naming schemes should be used
Identifier should not indicate extra information about the user (like job position)
Examples:
- User ID
- Account Number
- RFID
- IP or MAC address

6
Q

Authentication: 3 Types

A

Proving your identity
Type 1: Something you know - Password, graphic images, etc.
Type 2: Something you have - Tokens, smart cards, certs
Type 3: Something you are - Biometrics

7
Q

Biometric Concerns

A

Accuracy
Type I Error: False Rejection - A legitimate user is barred from access. Caused when a system evaluates too much information. This causes excessive overhead.
Type II Error: False Acceptance - An impostor is allowed access. This is a security threat and comes when a system doesn't evaluate enough information.
As FRR goes down, FAR goes up and vice versa.
The level at which the two meet is called the CER (Crossover Error Rate). The lower the number, the more accurate the system.
Iris scans are the most accurate.
*** Iris can reveal health info.

8
Q

Strong Authentication

A

2 or more biometrics is best stand-alone
Strong Authentication is the combination of 2 or more of these types and is encouraged!
Strong Authentication provides a higher level of assurance
* Strong Authentication is also called multi-factor authentication
* Watch out! Most people want to choose biometrics as the best authentication, but any one source can be compromised. Always look for more than one type!
Mutual Authentication is beneficial

9
Q

Authorization

A

The concept of ensuring that someone who is authenticated is allowed access to a resource.
Authorization is a preventative control.
Race conditions would try to cause authorization to happen before authentication.

10
Q

Asynchronous Token Devices

A

Asynchronous / Challenge-Response
1. User logs in
2. Authentication server returns a challenge to the user
3. User types the challenge string into the token device and presses enter
4. Token device returns a reply
Only that specific user's token device could respond with the expected reply.
More complex than synchronous.
May provide better protection against sniffing.

11
Q

Memory Cards

A

NOT a smart card
Holds information, does NOT process
A memory card holds authentication info; usually you'll want to pair this with a PIN... WHY?
A credit card or ATM card is a type of memory card, so is a key/swipe card
Usually insecure, easily copied.*

12
Q

Smart Card (191)

A

Much more secure than memory cards
Can actually process information
Includes a microprocessor and ICs
Can provide two-factor authentication, as the card can store authentication data protected by a PIN (so you need the card, and you need to know something)
Two types: Contact, Contactless
There are attacks against smart cards:
1. Fault generation - manipulate environmental controls and measure errors in order to reverse engineer logic
2. Side channel attacks - measure the cards while they work
   Differential power analysis - measure power emissions
   Electromagnetic analysis - examine frequencies emitted
3. Micro probing* - using needles and vibrations to remove the outer protection on the card's circuits, then tap into ROMs if possible or "die" ROMs to read data.

13
Q

Single Sign on Pros/Cons

A

Pros
- Ease of use for end users
- Centralized control
- Ease of administration
Cons
- Single point of failure
- Standards necessary
- Keys to the kingdom

14
Q

SSO Technologies

A

Kerberos, SESAME, LDAP, Microsoft Active Directory

15
Q

Kerberos

A

A network authentication protocol designed from MIT's Project Athena. Kerberos tries to ensure authentication security in an insecure environment.
Used in Windows 2000+ and some Unix
Allows for single sign-on
Never transfers passwords
Uses symmetric encryption to verify identifications
Avoids replay attacks

16
Q

Kerberos Components

A

Principals - users or network services
KDC - Key Distribution Center, stores secret keys (passwords) for principals
Authentication Service (AS)
Ticket Granting Service (TGS)
Tickets - provide access to specific network services (ex. file sharing)
Realms - a grouping of principals that a KDC provides service for; looks like a domain name. Example: somedepartment.mycompany.com

17
Q

Kerberos Concerns

A

Computers must have clocks synchronized within 5 minutes of each other
Tickets are stored on the workstation. If the workstation is compromised, your identity can be forged.
If your KDC is hacked, security is lost
A single KDC is a single point of failure and performance bottleneck
Still vulnerable to password guessing attacks

18
Q

SESAME

A

European technology, developed to extend Kerberos and improve on its weaknesses.
SESAME uses both symmetric and asymmetric cryptography.
Uses "Privileged Attribute Certificates" (PACs) rather than tickets. PACs are digitally signed and contain the subject's identity, access capabilities for the object, access time period and lifetime of the PAC.
PACs come from the Privileged Attribute Server.

19
Q

KryptoKnight

A

Should only be known as an older obsolete SSO Technology

20
Q

TCSEC Access control models

A

TCSEC (Trusted Computer System Evaluation Criteria, the Orange Book):
DAC (Discretionary Access Control)
MAC (Mandatory Access Control)
Established later:
RBAC (Role Based Access Control)

21
Q

DAC

A

Discretionary Access Control
Security of an object is at the owner's discretion
Access is granted through an ACL (Access Control List)
Commonly implemented in commercial products and all client-based systems
Identity based

22
Q

MAC

A

Mandatory Access Control
Data owners cannot grant access!
OS makes the decision based on a security label system
Subject's label must dominate the object's label
Users and data are given a clearance level (confidential, secret, top secret, etc.)
Rules for access are configured by the security officer and enforced by the OS.
MAC is used where classification and confidentiality are of utmost importance... military. Generally you have to buy a specific MAC system; DAC systems don't do MAC.
Examples: SELinux, Trusted Solaris (now called Solaris with Trusted Extensions)

23
Q

MAC Sensitivity Levels

A

All objects in a MAC system have a security label*
Security labels can be defined by the organization.
They also have categories to support "need to know" at a certain level.
Categories can be defined by the organization.

24
Q

Role Based Control

A

Also called non-discretionary.
Uses a set of controls to determine how subjects and objects interact. Don't give rights to users directly. Instead create "roles" which are given rights. Assign users to roles rather than providing users directly with privileges.
When to use*
- If you need centralized access
- If you DON'T need MAC ;)
- If you have high turnover

25
Q

Rule Based Access Control

A

Uses specific rules that indicate what can and cannot transpire between subject and object.
"if x then y" logic
Before a subject can access an object it must meet a set of predefined rules. Ex. If a user has proper clearance, and it's between 9AM-5PM, then allow access (context based access control).
However it does NOT have to deal specifically with identity/authorization. Ex. May only accept email attachments 5M or less.
Is considered a "compulsory control" because the rules are strictly enforced and not modifiable by users.
Routers and firewalls use rule based access control*

26
Q

Constrained User Interface

A

Restrict user access by not allowing them to see certain data or have certain functionality (see slides)
Views - only allow access to certain data (canned interfaces)
Restricted shell - like a real shell but only with certain commands (like Cisco's non-enable mode)
Menu - similar but more "GUI"
Physically constrained interface - show only certain keys on a keypad/touch screen, like an ATM (a modern type of menu). Difference is you are physically constrained from accessing them.

27
Q

Content Dependent Access Control

A

Access is determined by the type of data. Example: email filters that look for specific things like "confidential", "SSN", images. Web proxy servers may be content based.

28
Q

Context Dependent Access Control

A

System reviews a situation then makes a decision on access.
A firewall is a great example of this: if a session is established, then allow traffic to proceed.
In a web proxy, allow access to certain body imagery if previous web sessions are referencing medical data, otherwise deny access.

29
Q

Centralized Access Control Admin

A

A centralized place for configuring and managing access control.
All the ones we will talk about (next) are "AAA" protocols:
Authentication
Authorization
Auditing

30
Q

Centralized Access Control Technologies

A

RADIUS
TACACS, TACACS+
Diameter

31
Q

Radius

A

Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that authenticates and authorizes users.
Handshaking protocol that allows the RADIUS server to provide authentication and authorization information to a network server (RADIUS client).
Users usually dial in to an access server (RADIUS client) that communicates with the RADIUS server.
RADIUS server usually contains a database of users and credentials.
Communication between the RADIUS client and server is protected.
RADIUS Pros
- It's been around; a lot of vendor support
RADIUS Cons
- RADIUS can share a symmetric key between the NAS and the RADIUS server, but does not encrypt attribute value pairs, only user info. This could provide info to people doing reconnaissance.

32
Q

TACACS+

A

Provides the same functionality as RADIUS
TACACS+ uses TCP port 49
TACACS+ can support one-time passwords
Encrypts ALL traffic data
TACACS+ separates each AAA function. For example, can use AD for authentication and a SQL server for accounting.
Has more AVPs than RADIUS... more flexible

33
Q

Diameter

A

DIAMETER is a protocol designed as the next generation RADIUS.
RADIUS is limited to authenticating users via SLIP and PPP dial-up modem connections; other device types use different protocol types.
Internet protocol that supports seamless and continuous connectivity for mobile devices, such as PDAs, laptops, or cell phones with Internet data capabilities, as they move between service provider networks and change their points of attachment to the Internet.
Includes better message transport, proxying, session control, and higher security for AAA transactions.

34
Q

TEMPEST

A

A standard for developing countermeasures to protect against emanations (emanation security).

35
Q

Faraday Cage

A

A metal mesh cage around an object; it negates a lot of electrical/magnetic fields.

36
Q

White Noise

A

A device that emits radio frequencies designed to disguise meaningful transmissions.

37
Q

Control Zones

A

Protect sensitive devices in special areas with special walls, etc.