Domain 5 - Identity and Access Management Flashcards
Digital Certificates
- may be used as an authN technique for user, service and device identities. Similar to those used to secure websites. Have both a public and private key. Usually issued by a certificate authority (CA) in a PKI
Network access server
- acts as a client to a RADIUS server; the RADIUS server provides AAA services
RADIUS
- uses UDP 1812/1813 and encrypts the password only, remote access
TACACS+
- uses TCP 49 and encrypts entire session, admin access to network devices
Diameter
- based on RADIUS and improves its weaknesses, NOT COMPATIBLE with RADIUS, used in LTE/4G networks
Kerberos
- authN protocol (UDP/TCP 88) for Active Directory (on prem and hybrid), provides confidentiality and integrity using SYMMETRIC key encryption, does not provide logging for accountability, common attacks include replay, pass the ticket, golden ticket, and kerberoasting
Need to know
- ensures subjects are only granted access to what they NEED for work tasks; even subjects with clearance are only granted access if they need to know
Least privilege
- subjects are granted only the privs they NEED to perform their job functions, includes rights to take action on a system
Separation of Duties/ responsibilities
- ensures that sensitive functions are split into tasks performed by 2 or more employees, helps prevent fraud and errors by adding checks and balances
Just in Time (JIT)
- modern/granular approach to least privilege, allows temp elevation of privilege as it's needed and revokes it at the end of the window, ie privileged identity management (PIM)/ privileged access management (PAM), implemented through ephemeral accounts or a broker-and-remove-access strategy
Identification
- subject claims an identity ie provides a username
Authentication
- subject PROVES identity ie provides a password or MFA
Authorization
- after authentication, determines ACCESS based on proven identity
Accountability
- auditing logs/ trails record events including identity, provides PROOF
MFA
- something you know (PIN, password), something you have (trusted device), something you are (biometric), includes 2 or more authN factors, passwords are the WEAKEST form of authN
Smartcards
- include microprocessors and cryptographic certificates
Tokens (MFA)
- create one time passwords
Biometrics (MFA)
- identify based on physical characteristics like fingerprints/ retina scan. Know CROSSOVER ERROR RATE and how to calculate.
Facial recognition
- looks at shape of face, light and angle can affect it, Windows Hello uses a special infrared camera and is better than others
Veins (MFA biometrics)
- uses blood vessels in palm for authentication
Gait analysis
- looks at how you walk for authN, works with low resolution
Crossover error rate (CER) (biometrics)
- identifies the accuracy of a biometric method, shows where false rejection and false acceptance rates are equal, to change this you increase/decrease sensitivity of the biometric device
FAR
- false acceptance rate, biometric authN, TYPE 2 ERROR
FRR
- false rejection rate, biometric authN, TYPE 1 ERROR
Single sign on (SSO)
- authN once and then access multiple objects without reauthentication, common standards include: SAML, SESAME, KryptoKnight, OAuth, OpenID. KNOW SAML/ OAUTH 2.0/ OPENID
Security Assertion Markup Language (SAML)
- XML based open standard data format for exchanging authN and authZ data between parties, mainly between an identity provider and service provider, used often in Active Directory Federation Services
OAuth 2.0
- open standard for authorization, commonly used for internet users to log into 3rd party websites using their Microsoft, Google, Facebook, etc. accounts without exposing their password
OpenID
- open standard, decentralized authN, allows users to log into multiple unrelated websites with one set of creds, creds are maintained by a 3rd party service referred to as an OpenID provider
Discretionary Access Control (DAC)
- EVERY OBJECT HAS AN OWNER, and the owner can grant or deny access to any other subjects ie new technology file system (NTFS)
Role based access control
- uses roles or groups, instead of assigning permissions directly to users they are placed in roles and admins assign privs to the roles. ie cloud platforms like Azure, typically maps to JOB ROLES and cloning template user accounts
Rule based access control
- applies global rules to ALL SUBJECTS, rules are sometimes called restrictions or filters, ie FIREWALLS use rules that allow or block traffic to all users equally
Attribute based access control
- can include multiple attributes, more flexible than rule-based that applies to all subjects equally, often used by software defined networks (SDNs)
Mandatory access control (MAC)
- uses labels applied to subjects and objects, ie top secret user can access top secret document, called LATTICE BASED
Logical/ Technical controls
- hardware/ software used to manage access to resources and provide protection, ie encryption, smart cards, passwords, biometrics, ACLs, protocols, firewalls, IDS
Physical controls
- provide protection to facility and real world objects, ie guards, fences, motion detectors, locks, windows, lights, cable protections, swipe cards, dogs, cameras, mantraps, alarms
Administrative controls
- policies and procedures defined by the organization's sec policy, focuses on personnel and business practices, ie policy, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision
Preventative (sec control)
- stop unwanted/ unauthZ activity from occurring, ie fences, locks, biometrics, mantraps, alarms, job rotation, data classification, pentesting, ACL
Detective Controls
- discover unwanted/ unauthZ activity, often after the fact NOT realtime, ie security guards, dogs, trails, IDS, honeypots, job rotation, mandatory vacation
Corrective controls
- restore systems to normal after an unwanted/ unauthZ activity has occurred, ie antivirus, IDS, BCP, Sec policy
Compensating controls
- provide options to other existing controls to aid in enforcement of sec policy, ie DRP with alternate office location in case building is damaged in fire
Directive controls
- direct/ confine/ control actions of a subject to force/ encourage compliance with sec policy, ie guards, dogs, policy, posted notification, exit signs, supervising work tasks, awareness training
Recovery controls
- repair or restore resources/ functions after a violation of sec policy, more advanced/ complex than a corrective control, ie backups/ restores, fault tolerant drives, server clustering, AV software, database shadowing
Deterrent control
- discourage violation of sec policy, picks up where preventative policy leaves off, ie locks, fences, badges, guards, cameras, alarms, separation of duties, awareness training, encryption, auditing, firewalls
Risk
- possibility that a threat can exploit a vulnerability and cause damage to assets
Asset valuation
- identifies value of assets, threat modeling identifies threats against these assets
Vulnerability analysis
- identifies weaknesses in an org's valuable assets
Dictionary attacks
- use all dictionary words to guess the correct password
Brute force
- tries all possible strings, password complexity and length and attacker tools determine efficacy
Spoofed logon screen
- fake login screen, sends username and password to attacker
Sniffer attack
- aka snooping, attacker uses a packet capturing tool to capture, analyze, and read data sent over a network; encrypting data in transit stops this kind of attack
Spoofing attacks
- attacker is pretending to be someone else, tries to obtain creds, includes email spoofing, phone number spoofing, IP spoofing
Social engineering
- attempt by attacker to convince someone to provide information or perform an action they wouldn’t normally perform
Phishing
- trick users into giving up personal information, clicking a malicious link, or opening a malicious attachment, #1 cyber attack in the world
Spear phishing
- targets specific users
Whaling
- spear phishing against execs or other high level targets
Vishing
- phishing with VoIP
Access aggregation
- attacker combines nonsensitive information to learn sensitive information, used in recon
Prevention (access control attacks)
- long/ complex passwords and changed periodically, account lockout after X attempts, strong password policy, secure endpoints so that spoofed logon screens are not able to be implemented, phishing protections
Tempest
- allows reading of monitors from a distance, effective on CRT monitors, Legacy attack, Shoulder surfing is the modern variant
White noise
- broadcasting false traffic at all times to mask presence of real emanations, distracting signal
Theft prevention
- RFID, barcoding, and inventory. Risk reduction around asset theft
shadowed passwords
- /etc/passwd shows an x in the password field
synchronous token
- ie Google Authenticator
asynchronous token
- require a challenge to be entered on the token to provide a response
static tokens
- physical devices that can contain creds
federation
- federation server processes authentication requests from users and issues security tokens, ie user logs into a third-party website by using their Gmail or AD login credentials
enrollment
- initial creation of user accounts