Domain 5 - Identity and Access Management Flashcards
Information
Includes all of the organization's data. Needs to be protected.
Systems
Includes any and all IT systems that provide a service (file, web, etc.).
Facilities
Any physical location that an org rents or owns. Physical security protects the building.
Subject
A subject is an active entity that accesses a passive object to receive information from an object. When authorized, subjects can modify objects.
Object
An object is a passive entity that provides information to active subjects. Includes files, DBs, computers, programs, processes, etc.
Access Control
Access control is any hardware, software, or administrative policy that controls access to resources. The goal is to prevent unauthorized access and provide authorized access.
Access Control Steps
1. Identify and authenticate users
2. Determine if access is authorized
3. Grant or restrict access based on the subject's identity
4. Monitor and record access attempts
Preventive Access Control
A preventive control attempts to stop unwanted or unauthorized activity from occurring.
Detective Access Control
A detective control attempts to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred.
Corrective Access Control
A corrective control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Deterrent Access Control
A deterrent control attempts to discourage security policy violations. Depends on people.
Directive Access Control
A directive control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Compensation Access Control
A compensation control provides an alternative when it isn't possible to use a primary control, or when necessary to increase the effectiveness of a primary control.
Administrative Access Control
Administrative access controls are the policies and procedures defined by an organization's security policy and other regulations or requirements.
Logical/Technical Access Control
Logical access controls (also known as technical access controls) are the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
Physical Controls
Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
Confidentiality
Access controls help ensure that only authorized subjects can access objects.
Integrity
Integrity ensures that data or system configurations are not modified without authorization, or if unauthorized changes occur, security controls detect the changes.
Availability
Authorized requests for objects must be granted to subjects within a reasonable amount of time.
Identification
The process of a subject claiming or professing an identity. A subject must provide an identity to a system to start the AAA process.
Authentication
Verifies the identity of the account by comparing it against a DB of valid identities. Authentication info needs to be protected.
Authorization
Subjects are granted access to objects based on proven identities. Authorization indicates who is trusted to perform specific operations.
Accountability
Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs.
Auditing
Auditing is the process of tracking and recording subject activities within logs.
Type 1
Something you know
Type 2
Something you have
Type 3
Something you are
Tokens
Password-generating device.
1. Synchronous dynamic password tokens
2. Asynchronous dynamic password tokens
Biometric Type 1 Error
When a valid subject is not authenticated. False negative authentication. False Rejection Rate (FRR).
Biometric Type 2 Error
When an invalid subject is authenticated. False positive authentication. False Acceptance Rate (FAR).
Crossover Error Rate (CER)
The point where the FAR and FRR percentages are equal.
Identity Management Types
1. Centralized - a single entity
2. Decentralized - various entities throughout the system
Single Sign-On (SSO)
A centralized access control technique that enables a subject to authenticate once on a system and access multiple resources without authenticating again.
Ticket Authentication
A mechanism that employs a third-party entity to prove identification and provide authentication. Example: Kerberos.
Key Distribution Center (KDC)
The key distribution center (KDC) is the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.
Kerberos Authentication Server
The authentication server hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service. The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.
Ticket-Granting Ticket
A ticket-granting ticket (TGT) provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects.
A TGT is encrypted and includes a symmetric key, an expiration time, and the user's IP address. Subjects present the TGT when requesting tickets to access objects.
Ticket
A ticket is an encrypted message that provides proof that a subject is authorized to access an object. It is sometimes called a service ticket (ST).
Identity Management
The management of user identities and their credentials.
SAML
Security Assertion Markup Language. An XML-based language that is used to exchange authentication and authorization (AA) info between federated organizations.
SPML
Security Provisioning Markup Language. Newer version of XML. Specifically designed for exchanging user information for federated SSO. Based on DSML.
Scripted Access
Establishes communication links by providing an automated process to transmit logon credentials at the start of a logon session.
SESAME
Developed to address weaknesses in Kerberos.
KryptoKnight
Ticket-based, from IBM. Uses peer-to-peer (P2P) authentication instead of a third party.
Newer SSO models
OAuth and OpenID. OAuth 2.0 is not backwards compatible. The OpenID Foundation looks after OpenID, not the IETF.
RADIUS
Centralizes authentication for remote connections. Typically used when the org has more than one network access server. Provides AAA. Uses UDP. RFC 2865.
Identity and Access Provisioning Life Cycle
1. Provisioning - enrollment
2. Account review - excessive and creeping privileges
3. Account termination - ASAP
Permissions
Access granted to an object; permissions determine what you can do with it.
Rights
Refer to the ability to take action on an object.
Privileges
A combination of rights and permissions.
Authorization Mechanisms
1. Implicit deny
2. Access control matrix
3. Capability matrix
4. Constrained interface
5. Content-dependent control
6. Context-dependent control
7. Need to know
8. Least privilege
Constrained Interface
Applications use these to restrict what the user can see or do based on their privileges.
Context-Dependent Control
Requires a specific activity before granting a user access. Example: e-commerce apps, where you pay before you download.
Need to Know
Subjects are granted access only to what they need to know for their tasks. Subjects may have clearance but are not granted authorization to data unless they need it to perform an action.
Least Privilege
Similar to need to know, but it also includes rights to take action on a system.
Security Policy
A document that defines the security requirements of the organization. It identifies the assets that need protection and the extent to which they need to be protected by the security solution.
Discretionary Access Control (DAC)
Allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner.
Implemented using ACLs.
Role Based Access Control (RBAC)
Defines the subject’s ability to access an object based on the subject’s role or assigned tasks.
Implemented using groups.
Privilege Creep
The tendency for privileges to accrue to users over time as their roles and access needs change.
Rule Based Access Control (RuBAC)
Uses a set of rules, restrictions, or filters to determine what can and/or cannot occur on a system. Includes granting the subject access to an object or granting the subject the ability to perform an action.
Mandatory Access Control (MAC)
Relies on the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy.
MAC Features
1. Compartmentalization
2. Need to know
3. Better security than DAC
Compartmentalization
No relation between one security domain and another. Each domain represents an isolated compartment.
Steps for Risk Management
1. Identifying assets
2. Identifying threats
3. Identifying vulnerabilities
Asset Valuation
Refers to identifying the actual value of assets with the goal of prioritizing them.
Threat modelling
Refers to the process of identifying, understanding, and categorizing potential threats. The goal is to identify a potential list of threats to systems and analyze the risk.
SD3+C
Secure by design, secure by default, secure in deployment, and communication.
Threat modelling Approaches
1. Asset-focused
2. Attacker-focused
3. Software-focused
Vulnerability Analysis
Attempts to discover weaknesses in systems against potential threats.
Protection Methods
1. Control physical access to systems
2. Control electronic access to files
3. Encrypt password files
4. MFA
5. Account lockout controls
6. Password masking
7. Use a last-logon message