Domain 5 Flashcards
What is the access provisioning lifecycle?
- Provisioning (account administration) - set up accounts only for people who require them, with only the access their role needs
- Maintenance - review account data for errors and inconsistencies (e.g., privileges that no longer match the person's role)
- Monitoring - audit access authorizations and failures
- Revocation - remove access when it is no longer needed (role change, termination)
What is AAA?
1) Authentication - proving an identity claim (e.g., with a password). Identification is the claim itself: who you are, asserted with an ID/username; authentication is the proof
2) Authorization (user entitlement) - what access rights the authenticated identity has
3) Accountability - tracing actions back to the individual users who carried them out. Depends on proper identification of individuals, so account sharing negates it
Entitlements = authorization
What is an identity?
- A claim of who someone is (e.g., username/logon ID)
- On its own it proves nothing; it is only the claim that authentication must then verify
- Broken down into
- — positive identification: confirming a person is who they claim to be (a one-to-one match)
- — negative identification: confirming a person is not someone, e.g., not already enrolled or not on a watchlist (a one-to-many match)
- Key criteria
- — issuing of identity (a controlled process)
- — naming standards
- — non-descriptive (the ID should not reveal role or privilege, e.g., not "admin1")
- — tracking and auditing
- — unique
- — not shared
What is Authentication?
- Proves the identity claim (e.g., with a password)
- Validates that the user is who they claim to be
- A stronger measure than identification, which is only a claim
- Requires something only the legitimate user knows, has or is
NIST SP 800-63B says stop forcing routine password changes; change a password when there is evidence it was compromised, and screen new passwords against lists of known-breached passwords instead
Based on:
- something you know - password, PIN, etc. Simplest and cheapest to implement
- something you have - token, smart card, phone. More expensive to implement
- something you are - biometrics. Highest cost and can raise privacy issues
- somewhere you are - requiring local physical console access in a secure location; can also be based on GPS or IP-based geolocation
What is authorization?
- Authorization defines what someone can do once they are authenticated
- Many systems do a poor job of it (broken access control is a perennial top web application weakness)
- Tied closely to the principle of least privilege: grant only the access the role needs
What are the characteristics of passwords?
- ideal case - one-time password (never reusable)
- static password
- — a normal password, with or without an expiration time - reusable
- — user picked
- — system generated
- dynamic password
- — changes every time the password-generating device is used (one time)
- account lockout
- — number of failed attempts
- — within a certain time frame
- — lock for a specified amount of time
- something you know
- often one of the weakest components of information security
- password spraying - trying a few common passwords across many users. Per-account lockout rarely triggers because each account sees only one or two failures before the lockout window resets; detection has to look at the source, not the account
- password guessing - trying many passwords against one user; this is what account lockout is designed to stop
Passphrase = a long password made of multiple words, with spaces optional. Compared to a strong random password, a passphrase has less entropy per character but more total entropy because of its length, and it is easier to remember. Passphrases are generally better than typical user-chosen passwords.
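The lockout and spraying points above are easiest to see side by side in code. The block below is an added example for these notes (not code from any product): it runs a per-account lockout policy and a per-source spray detector over a constructed authentication log. The log lines, IP addresses and usernames are constructed, and the thresholds (5 failures in 15 minutes, 30-minute lockout, 10 distinct accounts per source) are assumptions a real policy would tune.

```python
"""Account lockout (a per-account control) next to password-spray detection
(a per-source control) over a constructed authentication log.
Added example for these notes; the log lines are constructed, not real data, and the
thresholds (5 failures in 15 minutes, 30-minute lockout, 10 distinct accounts per
source) are assumptions a real policy would tune."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src user result")

SPRAY_USERS = ["bob", "carol", "dan", "erin", "frank", "grace",
               "heidi", "ivan", "judy", "mallory", "oscar", "peggy"]

# Constructed log: 10.0.0.5 hammers alice's account (guessing); 203.0.113.9 tries
# one password against each of twelve accounts (spraying); dave's login is benign.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d} 10.0.0.5 alice FAIL" for i in range(6)]
    + [f"2024-03-01T09:10:{i:02d} 203.0.113.9 {u} FAIL" for i, u in enumerate(SPRAY_USERS)]
    + ["2024-03-01T09:11:30 198.51.100.7 dave SUCCESS"]
)

def parse_log(text: str) -> list:
    """One event per line: ISO timestamp, source IP, username, FAIL/SUCCESS."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, user, result))
    return sorted(events, key=lambda e: e.ts)

class LockoutPolicy:
    """Lock an account after `threshold` failures inside `window`, for `lock_for`."""
    def __init__(self, threshold=5, window=timedelta(minutes=15), lock_for=timedelta(minutes=30)):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.failures = defaultdict(list)      # user -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        return now < self.locked_until.get(user, now)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Return True when this failure trips the lockout."""
        recent = [t for t in self.failures[user] if now - t <= self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lock_for
            self.failures[user] = []
            return True
        return False

def run_lockout(events: list, policy: LockoutPolicy) -> set:
    """Feed failures through the policy; return the accounts that got locked."""
    locked = set()
    for e in events:
        if e.result == "FAIL" and policy.record_failure(e.user, e.ts):
            locked.add(e.user)
    return locked

def detect_spraying(events: list, min_users: int = 10, window=timedelta(minutes=15)) -> dict:
    """Flag sources whose failures touch many distinct accounts inside one window.
    Each account sees a single failure, so per-account lockout never fires; the
    signal is the fan-out from one source. Returns {src: max distinct users seen}."""
    by_src = defaultdict(list)
    for e in events:                         # events are already time-sorted
        if e.result == "FAIL":
            by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, len({e.user for e in evs[start:end + 1]}))
        if best >= min_users:
            flagged[src] = best
    return flagged
```

With the sample log, only alice is locked (after her fifth failure), none of the sprayed accounts reach the threshold, and the spraying source is flagged because it failed against twelve accounts in under a minute. Real detection would also key on failure counts per source over longer windows and on impossible-travel style anomalies, but the split between a per-account and a per-source control is the point.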
What are types of password attacks?
1) Password guessing - attempting to authenticate as a user by guessing their password online, against the live system (slow, noisy, subject to lockout)
2) Password cracking - attempting to recover the cleartext password offline from stolen password hashes (fast, silent, no lockout)
- — dictionary - uses a word list, hashing each entry and comparing against the stolen hashes
- — hybrid attack - begins with a word list and then adds or changes characters (e.g., banana1, banana2, Banana!)
- — brute force - attempts every possible password; succeeds eventually, given enough time
- — rainbow tables - pre-computation attack: the hashes are computed (in chains) before the hash theft, stored, and looked up later. Only works against an unsalted scheme, i.e., when the same password always produces the same hash
What are salts?
A salt is a random value stored alongside the hash and hashed together with the password.
- ensures that identical passwords result in different hashes
- the hash differs because the salt differs, even when the password is the same
- makes pre-computation attacks impractical: the attacker would need a separate table per salt value
- makes rainbow tables ineffective
What is a rainbow table?
It acts as a database of pre-computed hash output for most possible passwords in a target space.
- they are not always complete: they may not cover every possible password/hash combination
- salts make rainbow tables ineffective
- they use a space/time trade-off: you save space (storing only the endpoints of password/hash chains) if you are willing to spend time (CPU time to regenerate the chains on lookup). The behind-the-scenes details of the trade-off are fascinating
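The space/time trade-off, and why a salt breaks it, is clearer with a toy table. The block below is an added example for these notes (not code from any cracking tool) covering the rainbow-table attack type above and the salt question: it builds chains over three-letter lowercase passwords with a column-dependent reduction function, stores only the chain endpoints, and inverts an unsalted hash by regenerating chains. The password space, chain parameters and salt values are assumptions chosen so the whole thing runs in about a second.

```python
"""Toy rainbow table over 3-letter lowercase passwords, and why a salt defeats it.
Added example for these notes, not code from any cracking tool. The password space,
chain parameters and salt values are assumptions chosen to run in a second or so."""
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN        # 17,576 possible passwords

def H(password: str) -> str:
    """Unsalted SHA-256: the same password always yields the same hash,
    which is exactly what a precomputed table relies on."""
    return hashlib.sha256(password.encode()).hexdigest()

def H_salted(password: str, salt: str) -> str:
    """Salted hash: the salt is stored next to the hash, not kept secret."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def reduce_hash(h: str, column: int) -> str:
    """Reduction function: map a hash back to *some* password in the space.
    Mixing in the column index gives each column its own reduction, which is
    what makes the table 'rainbow' and limits chain merges."""
    n = (int(h[:16], 16) + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def chain_passwords(start: str, chain_len: int) -> list:
    """The passwords p0..p(t-1) visited by one chain; their hashes are what it covers."""
    ps = [start]
    for col in range(chain_len - 1):
        ps.append(reduce_hash(H(ps[-1]), col))
    return ps

def build_table(num_chains: int, chain_len: int, seed: int = 1) -> dict:
    """Precompute chains, keeping only {end: start}. That is the space/time trade-off:
    the interior of each chain is thrown away and recomputed at lookup time."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        end = chain_passwords(start, chain_len + 1)[-1]   # chain_len reductions
        table[end] = start
    return table

def lookup(table: dict, target_hash: str, chain_len: int):
    """Invert target_hash with the table, or return None when no chain covers it."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: the target sits at column `col`; walk it to a chain end.
        p = reduce_hash(target_hash, col)
        for c in range(col + 1, chain_len):
            p = reduce_hash(H(p), c)
        if p in table:
            # Regenerate that chain from its start and check each hash on the way.
            for q in chain_passwords(table[p], chain_len):
                if H(q) == target_hash:
                    return q
            # False alarm (merged chains): keep trying other columns.
    return None

if __name__ == "__main__":
    T = 40
    table = build_table(2000, T, seed=7)
    pw = chain_passwords(next(iter(table.values())), T)[T // 2]
    print("unsalted:", lookup(table, H(pw), T))                  # recovers pw
    print("salted:  ", lookup(table, H_salted(pw, "a1b2"), T))  # None
```

Two things to notice: the table stores 2,000 endpoints yet covers up to 80,000 hashes, paid for with the extra hashing inside `lookup`; and the salted hash is never found, not because the table is incomplete but because no chain was ever built over `salt + password`. Real password storage should use a slow, salted construction (bcrypt, scrypt, Argon2) rather than a single SHA-256 with a salt, which this toy keeps only for clarity.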
What is MFA?
Two-factor or strong authentication
- uses two different factor types together (e.g., something you have plus something you know) to authenticate an individual; two passwords are not MFA
MFA can use tokens:
- hardware tokens include smart cards, which carry a chip that can process and store keys/certificates, and one-time-code generators
- — counter-based (HOTP) - asynchronous dynamic password used only once. A one-time code is generated on demand and there is no time window constraint for using it; a new code is generated upon use rather than because time has passed. Codes can be pre-generated and used at some later date, so the server must track the counter and reject codes that were already used
- — time-based (TOTP) - synchronous dynamic password tokens; synchronous means the token and the server share the same time. The code changes constantly: once the time step expires, a brand-new code is generated and required
- Though historically hardware based, software tokens (authenticator apps) and out-of-band approaches (push, SMS) are common; SMS is the weakest of these
What are biometrics?
Identifying people by their physical or behavioral traits.
They can be used to authenticate a person's identity claim.
Used for authentication much more than identification. "Who you are" cannot be forgotten or misplaced the way a password or token can.
The trait must be unique to the individual and stable over time
Concerns:
- how intrusive is it?
- can it resist forgery or counterfeiting (spoofing with a photo, mold or recording)?
- reliability and accuracy are critical measures when selecting a biometric device
- if the stored templates are not properly protected, a biometric can be stolen - critical because a user cannot change their biometric the way they change a password
- timeliness - initial enrollment takes a few minutes
What are biometric identifiers?
- Fingerprint - captures the minutiae (ridge endings and bifurcations) of the fingerprint
- Palm scan
- Hand geometry - measures many characteristics of the hand such as thickness, width, length and so on
- Voiceprint
- Retina pattern - measures the blood-vessel pattern at the back of the eye. Intrusive: the user must hold the eye close to the scanner, the scan can reveal some medical conditions, and shared contact with the device raises hygiene concerns. Very accurate but poorly accepted
- Iris scan - a camera captures the pattern of the iris. Not intrusive. Eye color is irrelevant; the pattern is what is matched
- Facial recognition - matches an individual's facial features against the patterns stored in a database
The best choice is usually fingerprint or iris. Iris is generally the strongest: it can be captured at a distance, a person's two irises differ from each other, and it is non-intrusive. Fingerprint's advantage is cost: on a laptop you own, a fingerprint reader is the most affordable and adequate choice (remember cost)
The reason for different methods is the trade-off between reliability, cost and human factors (acceptance)
What are the error rates for biometric performance?
1) False Reject Rate (FRR)
- Type I error
- likelihood that a person who should have been authenticated is rejected
- legitimate user is rejected: a usability problem
2) False Accept Rate (FAR)
- Type II error
- likelihood that an unauthorized individual is authenticated
- illegitimate user is accepted: a security problem
- Type II is WORSE than Type I from a security standpoint; if you must tolerate one, prefer Type I
3) Crossover Error Rate (CER)
- used to compare the accuracy of different devices
- the point where FRR and FAR are equal
- also known as the equal error rate (EER)
If a system has a 2% crossover error rate, it is considered 98% accurate
You tune the sensitivity (match threshold) to trade FRR against FAR; where the two curves cross is the CER. The stricter the matching, the more false rejects and the fewer false accepts; the looser it is, the more false accepts and the fewer false rejects
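The threshold sweep described above is worth doing once by hand. The block below is an added example for these notes: it computes FRR and FAR at each threshold over constructed match scores (not measurements from any device; the 0-100 scale is an assumption) and finds the crossover.

```python
"""FRR, FAR and the crossover error rate from a threshold sweep.
Added example for these notes; the match scores are constructed, not measurements
from any biometric device, and the 0-100 score scale is an assumption."""

# Constructed similarity scores (0-100, higher = better match).
# Genuine: a live sample compared with the same person's enrollment.
# Impostor: a live sample compared with someone else's enrollment.
GENUINE = [60, 70, 75, 80, 85, 90, 92, 95, 97, 99]
IMPOSTOR = [10, 20, 30, 40, 50, 55, 65, 72, 78, 88]

def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR):
    """A score >= threshold is accepted. Returns (FRR, FAR):
    FRR (Type I) = genuine users rejected, FAR (Type II) = impostors accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold; the CER/EER is the rate where FRR and FAR meet.
    Returns (threshold, cer). With discrete data they may never be exactly equal,
    so take the lowest threshold minimising |FRR - FAR| and average the two there."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]

def accuracy_from_cer(cer: float) -> float:
    """The notes' rule of thumb: a 2% CER is quoted as '98% accurate'."""
    return 1 - cer

if __name__ == "__main__":
    for t in (60, 73, 90):
        print(t, error_rates(t))
    print("crossover:", crossover())
```

On these scores a lax threshold of 60 rejects no genuine users but admits 40% of impostors, a strict threshold of 90 admits none but rejects half the genuine users, and the curves cross at 73 with a CER of 0.2 (an 80% accurate device by the rule of thumb). A real deployment rarely runs at the CER; a door to a data center sits to the strict side of it, a phone unlock to the lax side.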
What are some biometric issues?
1) Key factors in selecting biometrics:
- reliability (FAR, FRR, CER/EER)
- user friendliness / acceptance
- cost
2) Additional factors:
- enrollment time - time to register a user by capturing samples of the biometric characteristic
- — acceptable enrollment time is around 2 minutes
- throughput time
- — rate at which enrolled individuals can be processed and identified or authenticated by the system
- — acceptable throughput is in the range of 10 subjects per minute, i.e., one every 6 seconds
What is single sign on? and what are the types?
Intended to greatly simplify authentication and reduce the number of passwords a user must hold: authenticate once, then access many systems.
Types:
1) Kerberos
2) SESAME
What is Kerberos?
Kerberos is a symmetric-key authentication system that allows clients to securely access networked services. It is a trusted third-party authentication service that may be used to support SSO.
- time-limited tickets are issued to grant access
- commonly used for single sign-on
Encryption algorithms:
- Kerberos v4 used DES only; Kerberos v5 made the encryption type negotiable, adding Triple DES and RC4 and later AES (DES and RC4 are now deprecated)
Key services:
- key distribution center (KDC) - holds every principal's key; its Authentication Service (AS) issues ticket-granting tickets (TGTs)
- ticket granting service (TGS) - part of the KDC, issues service tickets in exchange for a valid TGT
- mutual authentication is a key benefit of Kerberos: the client authenticates to the service, and the service proves itself back to the client
- a rogue KDC does not hold your key, so it cannot produce a reply you can decrypt and cannot hand you a usable session key
How does Kerberos work?
Notes:
- The KDC holds a long-term key for every principal, derived from the user's password. The plaintext password is not stored, but the key is equivalent to it, so the KDC database must be protected like a plaintext password store
1) Identification - Alice wants to print on a printer called Bob. She sends the KDC her name (no password travels over the network)
2) Authentication - the KDC replies with a session key encrypted under Alice's key. Only Alice (holding her password) can decrypt it; a wrong password yields garbage, which is how the reply authenticates her
3) The same reply carries a TGT, encrypted under the KDC's own key, which Alice cannot read but holds as an opaque object. To reach the printer she sends the TGT plus an authenticator (her name and a timestamp) encrypted with the session key to the TGS. If the TGS can decrypt the authenticator with the session key it finds in the TGT, Alice is authenticated and receives a service ticket for Bob
4) Authorization - Alice presents the service ticket and a fresh authenticator to Bob, and Bob decides whether she is allowed to print
TGT = ticket-granting ticket
The AS and TGS do not need to talk to each other directly; they can be on different servers or on the same one
Tickets have a lifetime of about 8-10 hours, a working day
What are the attacks on Kerberos?
1) The KDC holds every principal's long-term key - compromising it compromises the whole realm, so logical and physical security is paramount
2) denial of service / availability - the KDC and TGS are single points of failure (hence replica KDCs)
3) replay attacks - tickets and authenticators can be copied and replayed within the allowed clock-skew window (typically 5 minutes), so services need a replay cache and synchronized clocks
4) password attacks / compromise - Kerberos security depends on only the KDC and the user knowing the password; weak passwords can be attacked offline from captured exchanges
If you could re-build Kerberos today you would make it asymmetric (PKINIT, RFC 4556, already adds public-key initial authentication on top of it)
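The four-step flow and the attack list above come together in a simulation. The block below is an added example for these notes, not code from any Kerberos implementation: it plays the AS, TGS and AP exchanges with both sides' messages, including the mutual-authentication reply and a replay cache. A toy authenticated cipher (HMAC-SHA256 keystream XOR plus an HMAC tag) stands in for the real encryption types, and the realm, principal names and passwords are made up.

```python
"""Simplified Kerberos v5 exchange (AS, TGS, AP) with mutual authentication.
Added example, not from these notes or any real Kerberos implementation: a toy
authenticated cipher (HMAC-SHA256 keystream XOR + HMAC tag) stands in for the real
encryption types; realm, principal names and passwords are made up."""
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # ticket lifetime: a working day
SKEW = 300            # allowed clock skew for authenticators (5 minutes)

def string2key(password, realm):
    """Stand-in for Kerberos string2key: the KDC stores this key, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10000)

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption of a JSON object (illustrative only)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Raises ValueError when the key is wrong, e.g. a mistyped password."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_authenticator(session_key, client):
    """Client name + timestamp under a session key: proves possession of that key."""
    return seal(session_key, {"client": client, "ts": time.time()})

def _check_authenticator(session_key, authenticator, client):
    auth = unseal(session_key, authenticator)
    if auth["client"] != client or abs(time.time() - auth["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return auth

class KDC:
    """Holds every principal's long-term key, so it must be guarded like a plaintext
    password store. AS and TGS share this database but need not share a host."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        self.krbtgt_key = os.urandom(32)   # seals TGTs; known only to the KDC

    def add_principal(self, name, password):
        self.keys[name] = string2key(password, self.realm)

    def as_exchange(self, client):
        """AS-REQ/AS-REP: no password crosses the wire; the reply is only usable with the
        client's key. Without pre-authentication anyone can request it and attack it
        offline (the 'password attacks' point in the notes)."""
        sk = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": client, "sk": sk.hex(), "exp": time.time() + LIFETIME})
        return seal(self.keys[client], {"sk": sk.hex()}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: a valid TGT + authenticator buys a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        if time.time() > t["exp"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        _check_authenticator(sk, authenticator, t["client"])
        ssk = os.urandom(32)   # service session key
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk.hex(), "exp": time.time() + LIFETIME})
        return seal(sk, {"sk": ssk.hex(), "service": service}), ticket

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ/AP-REP: replies with the client's timestamp under the service session
        key; only a service holding the real key can do that (mutual authentication)."""
        t = unseal(self.key, ticket)
        if time.time() > t["exp"]:
            raise PermissionError("ticket expired")
        ssk = bytes.fromhex(t["sk"])
        auth = _check_authenticator(ssk, authenticator, t["client"])
        if (auth["client"], auth["ts"]) in self.replay_cache:   # replay defence
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return seal(ssk, {"ts": auth["ts"]})

def client_login(kdc, user, password, service_name, svc):
    """Full client flow; True only if the service proved itself back to the client."""
    key = string2key(password, kdc.realm)
    reply, tgt = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(key, reply)["sk"])   # wrong password raises ValueError here
    rep, ticket = kdc.tgs_exchange(tgt, make_authenticator(sk, user), service_name)
    ssk = bytes.fromhex(unseal(sk, rep)["sk"])
    authenticator = make_authenticator(ssk, user)
    ap_rep = unseal(ssk, svc.ap_exchange(ticket, authenticator))
    return ap_rep["ts"] == unseal(ssk, authenticator)["ts"]
```

Three behaviours map directly onto the notes: a wrong password never produces a usable session key (the AS reply will not unseal), the printer can only answer with the client's timestamp if it holds the real service key (mutual authentication), and presenting the same ticket and authenticator twice is refused by the replay cache even though both are still inside the clock-skew window.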
What is SESAME?
SESAME (Secure European System for Applications in a Multi-vendor Environment) is a European extension of Kerberos.
Distributed access control that uses both symmetric and asymmetric encryption, plus Privilege Attribute Certificates that carry authorization data
What are directory services?
SSO needs a central trusted credential source
- directory services fit the mold nicely
A directory is the single source that many and varied applications can integrate with.
Microsoft Active Directory, accessed over LDAP, is the most popular
Why do we need screensavers and timeout controls?
Systems that display sensitive data should enable a screensaver or log off automatically after a set period of inactivity.
Common control: screensaver lock after 5 minutes and automatic logoff after 10 minutes. There is no hard and fast rule; it depends on the sensitivity of the system, the location of the computer, regulatory mandates, etc.
What is federated identity management?
Single sign-on is usually associated with authentication credentials within one enterprise. Federated identity management takes things beyond a single enterprise, so that users across multiple organizations can all authenticate to an application or service.
How can identity claims be made, properly authenticated, and then ultimately authorized for users across disparate organizations? Federated IdM addresses these questions; the two predominant federated IdM standards are SAML and OpenID (today OpenID Connect, built on OAuth 2.0)
What is SAML?
Security Assertion Markup Language (SAML) is an enterprise-oriented federated identity management standard.
- provides a standards-based (XML) means of communicating identity and authentication information
Allows users to leverage an existing identity provider to authenticate to disparate service providers. It also carries attribute statements (roles, groups) that the service provider can use for authorization decisions, not just authentication; XACML is a separate standard for expressing those authorization policies
What are SAML terms and concepts?
- Service Provider (SP) - the application that relies on identity/authentication assertions from the IdP
- Identity Provider (IdP) - the origin of the identity, which authenticates the user and creates the assertions the SP accepts
- Assertion Consumer Service (ACS) - an endpoint hosted by the SP to which the IdP sends the assertions; it must validate the signature, issuer, audience, validity window and InResponseTo before trusting them
- Simple SAML authentication flow
- — user agent (browser) requests a resource from the SP
- — SP redirects the user to the IdP, which authenticates the user and returns a signed assertion to the SP's ACS
- — user is granted access to the resource at the SP
"Sign in with Google/Microsoft/etc." on consumer sites is the same federated idea, usually implemented with OpenID Connect rather than SAML
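What the Assertion Consumer Service has to check at the end of that flow is where SAML deployments most often go wrong. The block below is an added example for these notes, not code from any SAML product: it parses a constructed, unsigned Response (the IdP, SP and ACS URLs, request ID and attributes are made up) and applies the issuer, audience, validity-window, status and InResponseTo checks. Signature verification is left to a SAML library; the caller passes its result in as `signature_ok`, and a production parser should use defusedxml rather than the standard-library parser used here.

```python
"""Checks an SP's Assertion Consumer Service must make before trusting a SAML
Response. Added example for these notes, not code from any SAML product. The
Response below is constructed, unsigned and illustrative: the IdP, SP and ACS URLs,
request ID and attributes are made up. XML signature verification is left to a SAML
library; the caller passes its result in as `signature_ok`."""
import xml.etree.ElementTree as ET   # use defusedxml in production (entity attacks)
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML Response as an IdP would POST it to the ACS (no Signature element).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    InResponseTo="_req42" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T09:00:00Z" NotOnOrAfter="2024-03-01T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>printer-admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def saml_time(s: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_response(xml_text, *, signature_ok, expected_issuer, audience, acs_url, request_id, now):
    """Return (identity, errors). identity is None unless every check passes."""
    if not signature_ok:
        return None, ["signature not verified"]
    errors = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        errors.append("destination mismatch")
    if root.get("InResponseTo") != request_id:     # blocks unsolicited/replayed responses
        errors.append("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        errors.append("status not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, errors + ["expected exactly one assertion"]
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        errors.append("untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= saml_time(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:              # an assertion minted for a different SP
            errors.append("audience mismatch")
    if errors:
        return None, errors
    attributes = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
                  for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attributes}, []
```

The audience and InResponseTo checks are the ones most often skipped: without the first, an assertion an IdP issued for one service provider can be replayed against another; without the second, an attacker can replay a captured response outside the login the SP actually started. The attribute map returned here (the `role` value) is what the SP would feed into its own authorization decision.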