Domain 5 - Identity and Access Management Flashcards
ACCESS
is the flow of information between a subject and an object
CONTROL
security features that control how users and systems communicate and interact with other systems and resources
Subject
active entity that requests access to an object or data within the object (user, program)
Object
a passive entity that contains information (computer, database, file, program). Access control techniques support the access control models.
Approaches to Administration
Centralized administration
Decentralized administration
Hybrid
Centralized administration
one element is responsible for configuring access controls; access is only modified through central administration, giving very strict control
Decentralized administration
access to information is controlled by the owners or creators of the information; procedures may not be consistent, and it is difficult to form a system-wide view of all user access at any given time
Hybrid
centralized control is exercised for some information and decentralized for other information
Identity Management: What 4 key principles does access control rely on?
IAAA: Identification, Authentication, Authorization, Accountability
Identification/Assertion
- Registration: verifies an individual’s identity and adds a unique identifier to an identity system
- Ensuring that a subject is who he says he is
- Binds a user to the appropriate controls based on the unique user instance
- A unique user name, account number, etc., OR something issued to the user (keycard)
Authentication
- Process of verifying the user
- User provides private data
- Establishes trust between the user and the system for the allocation of privileges
Authorization
- the resources a user is allowed to access must be defined and monitored
- First piece of credentials Authorization
Accountability
who was responsible for an action?
- Logging is the best way to provide accountability; a change log records approved changes and the change management process
What is the Relationship between Identity, Authentication, and Authorization?
- Identification provides uniqueness
- Authentication provides validity
- Authorization provides control
Logical Access Controls: tools used for IAAA
MAC address – a 48-bit number, supposed to be globally unique, but it can now be changed by software, so it is not a strong identification or authentication tool
Single Sign On (SSO)
SSO is also referred to as reduced sign-on or federated ID management
Advantage - ability to use stronger passwords, easier administration, less time to access resources.
Disadvantage - once a key is compromised all resources can be accessed; if the DB is compromised all passwords are compromised. A thin client is also a single sign-on approach.
What areas of access control does KERBEROS address?
Kerberos addresses confidentiality, integrity and authentication, not availability. It can be combined with other SSO solutions. Kerberos is based on symmetric key cryptography (and is not a proprietary control).
What type of cryptography is KERBEROS based on?
symmetric key cryptography
What are some benefits of KERBEROS?
inexpensive, supported by many OSs, mature protocol
What are some disadvantages of KERBEROS?
takes time to administer, can be a bottleneck or single point of failure
In KERBEROS, what is a Realm?
Indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host or service.
KDC
Key Distribution Center; grants tickets to clients for specific servers. Knows the secret keys of all clients and servers on the network. Made up of the TGS and AS. Single point of failure.
AS
Authentication server
TGS
Ticket granting server
Discuss the Kerberos logon process.
- The user types a username and password into the client.
- The client encrypts the username with AES for transmission to the KDC.
- The KDC verifies the username against a database of known credentials.
- The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted timestamped TGT. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
- The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password.
- The user can then use this ticket to access a service provided by an application server.
SESAME
- Public key cryptography
- European
- Needham-Schroeder protocol
Two tickets:
- One authentication, like Kerberos
- Other defines the access privileges a user has
- Works with PACS (Privileged Attribute Certificates)
- SESAME uses both symmetric and asymmetric encryption (thus an improvement upon Kerberos)
What is a weakness with SESAME?
only authenticates the first block and not the complete message
KRYPTOKNIGHT
IBM – thus RACF
SCRIPTING
scripts contain logon information that authenticates users
DIRECTORY SERVICE
a centralized database that includes information about subjects and objects.
Hierarchical naming schema; Active Directory has sophisticated security resources (group policy, user rights, accounts, DNS services)
Categories of authentication factors: Type 1
authentication factor is something you know. Examples include a password, PIN, or passphrase.
Categories of authentication factors: Type 2
authentication factor is something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smartcard (CAC), hardware token, memory card, or USB drive.
Categories of authentication factors: Type 3
authentication factor is something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics.
Something a user knows TYPE 1
PASSWORDS: cheap and commonly used. Generated by password generators or chosen by the user (do triviality and policy checking).
A longer password is more effective than anything else. Passwords themselves are never stored for web applications in a well-designed environment.
Salted hashes are stored and compared. With 62 character choices (upper, lower, 10 digits), adding a single character to a password increases the complexity 62X.
One-time password aka dynamic password
used only once
Static password
Same for each logon
Passphrase
easiest to remember. Converted to a virtual password by the system.
Cognitive password
easy to remember like your mother’s maiden name
brute force attack
tries many different character combinations, aka exhaustive attack
dictionary attack
tries many different words
Social engineering
convincing an individual to give access
Rainbow Tables
tables of passwords that are already in hash format; pre-hashed passwords paired with high-speed lookup functions
Implementation Attack
This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system
Statistical Attack
exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
Seed SALT
Nonce; random values added to the encryption process to add more complexity
HAVAL
Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm.
Something a user has TYPE 2
Key, swipe card, access card, badge, tokens
What are the 4 types of Tokens?
Static password token
Synchronous (TIME BASED) dynamic
uses time or a counter synchronized between the token and the authentication server; SecurID is an example
Asynchronous (NOT TIME BASED)
the server sends a nonce (random value); this goes into the token device, which encrypts it and delivers a one-time password. With an added PIN it is strong authentication.
Challenge/response token
generates a response to a challenge provided by the system/workstation; synchronous is timing-based, asynchronous is challenge-based
Something a user is TYPE 3
What you do: behavioral. What you are: physical.
BIOMETRICS: TYPE 1 error
False rejection rate (FRR)
BIOMETRICS: TYPE 2 error
False acceptance rate (FAR)
CER (Crossover Error Rate) or EER (Equal Error Rate)
where FRR = FAR.
The lower the CER/EER, the more accurate the system.
zephyr chart
iris scans
Finger print
stores the full fingerprint (one-to-many identification)
finger scan
stores only the features (one-to-one identification)
Fingerprints
Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae
Retina Scans
Scans the blood-vessel pattern of the retina on the backside of the eyeball. Can reveal medical conditions. MOST ACCURATE.
Iris Scans
Scan the colored portion of the eye that surrounds the pupil.
Facial Scans
Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.
Palm Scans
The palm has creases, ridges and grooves throughout it that are unique to a specific person. Appropriate by itself as a Type 3 authenticator
Hand Geometry
The shape of a person’s hand (the length and width of the hand and fingers) measures hand geometry.
Voice Print
Distinguishing differences in people’s speech sounds and patterns.
Signature Dynamics
Electrical signals of speed and time that can be captured when a person writes a signature.
Keyboard Dynamics
Captures the electrical signals when a person types a certain phrase.
Hand Topology
Looks at the size and width of an individual’s hand and fingers.
SAML
To exchange authentication and authorization data between security domains.
SAML 2.0 enables web-based SSO
What are the Roles in SAML?
- Principal (user)
- Identity provider (IdP)
- Service provider (SP)
XML Signature
uses digital signatures for authentication and message integrity, based on the XML Signature standard.
Relies on XML Schema
Identity as a Service (IDaaS)
Identity as a Service, or Identity and Access as a Service, is a third-party service that provides identity and access management. It effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications.
Ability to provision identities held by the service to target applications
Access includes user authentication, SSO, authorization enforcement
Logs events, auditing
Federation - sharing identity and authentication behind the scenes (like booking a flight, then booking a hotel without re-authenticating) by using a federated identity, so SSO is used across business boundaries
Access Management enforces RULES!
Cloud Identity
users are created and managed in Office 365
Directory Synchronization
users are created and managed in an on-premises identity provider
Federated Identity
an on-premises identity provider handles the login request. Usually used to implement SSO:
- MS AD using MS AD Federation Services
- Third-party based identity
- Shibboleth (SAML 2.0)
Authorization Mechanisms / Access Control
DAC - Discretionary Access Control
MAC - Mandatory Access Control
role-BAC - role-based access control
rule-BAC - rule-based access control
What Authentication mechanism does Windows use?
Kerberos
What Authentication mechanism do wireless networks, modems, and network devices use?
RADIUS
What Authentication mechanism do web applications use?
OAuth
What Authentication mechanism do network devices use?
TACACS+
Role-BAC (RBAC)
role- or task-based access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks; often implemented using groups; a form of nondiscretionary access control. Based OFF BUSINESS DESIGN.
Hybrid RBAC
Limited RBAC
CAN MODEL ALL GROUPS OFF THE ORGANIZATION. #1 USED.
Rule-BAC
based on rules within an ACL; uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system.
It includes granting a subject access to an object, or granting the subject the ability to perform an action.
A distinctive characteristic about rule-BAC models is that they have global rules that apply to all subjects.
One common example of a rule-BAC model is a firewall.
Firewalls include a set of rules or filters within an ACL, defined by an administrator.
The firewall examines all the traffic going through it and only allows traffic that meets one of the rules.
Government #1
Mandatory Access Control
BELL Model!
Lattice based
Label – all objects and subjects have a label. Authorization depends on security labels, which indicate clearance and classification (Military).
Restriction: need to know can apply. Lattice based is part of it! (A as in mAndatory!).
Non-discretionary access control / Mandatory
A central authority determines which subjects have access, based on policies. Role-based/task-based. Lattice-based control can also be applied (greatest lower bound and least upper bound apply).
Discretionary Access Control
Graham Denning
Access through ACLs. Discretionary can also mean controlled access protection (object reuse, protecting the audit trail). User directed.
Performs all of IAAA; identity-based access control model
- hierarchical X.500 standard; a protocol like LDAP allows subjects to interact with the directory
- Organized through namespaces (through distinguished names)
- Needs client software to interact
- META directory gathers information from multiple sources, stores it in one central directory, and synchronizes
- VIRTUAL directory only points to where the data resides
DAC allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner. As the owner, the user can modify the permissions of the file to grant or deny access to other users. Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities. A DAC model is implemented using access control lists (ACLs) on objects. Each ACL defines the types of access granted or denied to subjects. It does not offer a centrally controlled management system because owners can alter the ACLs on their objects at will. Access to objects is easy to change, especially when compared to the static nature of mandatory access controls.
Access Control Models
Access control models use many different types of authorization mechanisms, or methods, to control who can access specific objects.
Implicit Deny
a basic principle that most authorization mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
Access Control Matrix
An access control matrix is a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.
Capability Tables
They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects. The difference between an ACL and a capability table is the focus. ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.
Comparing Permissions, Rights, and Privileges
When studying access control topics, you’ll often come across the terms permissions, rights, and privileges. Some people use these terms interchangeably, but they don’t always mean the same thing.
Permissions
refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you’ll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.
Rights
refers to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction and not always stressed. You’ll rarely see the right to take action on a system referred to as a permission.
Privileges
are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.
Constrained Interface Applications
(restricted interfaces) restrict what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn’t have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.
Content-Dependent
based on the internal data of each field (the data stored by a field); restricts access to data based on the content within an object. A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.
Context-Dependent
require specific activity before granting users access. For example, it’s possible to restrict access to computers and applications based on the current day and/or time. If users attempt to access the resource outside of the allowed time, the system denies them access.
Work Hours
context-dependent control
Need to Know
ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to perform a job.
Least Privilege
ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.
Separation of Duties and Responsibilities
ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.
SPML
Service Provisioning Markup Language
an XML-based language designed to allow platforms to generate and respond to provisioning requests.
SAML
used to exchange authorization and authentication data
XACML
used to describe access controls
SOAP
Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.
Reconnaissance
What is Reconnaissance?
While malicious code often relies on tricking users into opening or accessing malware, other attacks directly target machines. Performing reconnaissance can allow an attacker to find weak points to target directly with their attack code. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance.
IP Probes
(also called IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.
Nmap tool
one of the most common tools used to perform both IP probes and port scans. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you’ll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network. Default settings miss ~64K ports. When nmap scans a system, it identifies the current state of each network port on the system. For ports where nmap detects a result, it provides the current status of that port:
Open - The port is open on the remote system and there is an application that is actively accepting connections on that port.
Closed - The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
Filtered - Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
Port Scans
After an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks. Often, attackers have a type of target in mind; web servers, file servers, and other servers supporting critical operations are prime targets. To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine. For example, if the attacker wants to target a web server, they might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.
Vulnerability Scans
The third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. A variety of tools available on the Internet assist with this task. Some of the more popular tools for this purpose include Nessus, OpenVAS, Qualys, Core Impact, and Nexpose. These packages contain a database of known vulnerabilities and probe targeted systems to locate security flaws. They then produce very attractive reports that detail every vulnerability detected. From that point, it’s simply a matter of locating a script that exploits a specific vulnerability and launching an attack against the victim.