Domain 5 - Identity and Access Management Flashcards
Centralized administration
One element is responsible for configuring access controls. Access is modified only through central administration, which allows very strict control.
Decentralized administration
Access to information is controlled by the owners or creators of the information. Procedures may not be consistent, and it is difficult to form a system-wide view of all user access at any given time.
SSO Advantage
Ability to use stronger passwords, easier administration, less time to access resources.
SSO Disadvantage
Once a key is compromised, all resources can be accessed; if the credential database is compromised, all passwords are compromised.
KERBEROS Key Type
Guards a network with three elements: authentication, authorization, and auditing. Uses SYMMETRIC KEYS.
Kerberos addresses confidentiality, integrity, and authentication, not availability; it can be combined with other SSO solutions.
Kerberos is based on symmetric key cryptography (and is not a proprietary control).
Time synchronization is critical; a clock difference of 5 minutes is a problem.
Kerberos Advantages
Inexpensive, supported by many operating systems, mature protocol. Passwords are never exchanged, only hashes of passwords.
Kerberos Disadvantages
Takes time to administer; can be a bottleneck or a single point of failure.
The Kerberos logon process
• The user types a username and password into the client.
• The client encrypts the username with AES for transmission to the KDC.
• The KDC verifies the username against a database of known credentials.
• The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted, timestamped TGT. The KDC then transmits the encrypted symmetric key and the encrypted, timestamped TGT to the client.
• The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user's password.
• The user can then use this ticket to request access to a service, such as an application service.
SESAME
- Public key cryptography
- European
- Needham-Schroeder protocol
SESAME weakness
Only authenticates the first block and not the complete message.
Rainbow Tables
Tables of passwords that are already in hash format: pre-hashed passwords paired with high-speed lookup functions.
Implementation Attack
A type of attack that exploits weaknesses in the implementation of a cryptographic system. It focuses on exploiting the software code, not just errors and flaws but also the methodology employed to program the encryption system.
Statistical Attack
Exploits statistical weaknesses in a cryptosystem, such as floating-point errors and an inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
HAVAL
Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm.
Synchronous (TIME BASED) dynamic token
Uses time or a counter synchronized between the token and the authentication server; SecurID is an example.
Asynchronous (NOT TIME BASED) token
The server sends a nonce (random value). This is entered into the token device, which encrypts it and delivers a one-time password; with an added PIN, this is strong authentication.
Challenge/response token
Generates a response to a challenge provided by the system/workstation; synchronous tokens rely on timing, asynchronous tokens on the challenge.
SAML (SOAP)
Used to exchange authentication and authorization data between security domains.
SAML 2.0 enables web-based SSO.
The most widely used federated SSO standard.
XML Signature: uses digital signatures for authentication and message integrity, based on the XML Signature standard.
Relies on XML Schema.
SAML Roles
• Principal (user)
• Identity provider (IdP)
• Service provider (SP)
Identity as a Service
A third-party service that provides identity and access management. It effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications.
• Ability to provision identities held by the service to target applications
• Access includes user authentication, SSO, and authorization enforcement
• Logs events, auditing
• Federation: sharing identity and authentication behind the scenes (like booking a flight and then booking a hotel without re-authenticating) by using a federated identity that is used across business boundaries
• SSO
• Access Management enforces RULES!
Access Control Matrix
An access control matrix is a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine whether the subject has the appropriate privileges to perform the action.
Capability Tables
Capability tables differ from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and the specific privileges assigned to the accounting role for those objects.
ACL focus
ACLs are object focused and identify access granted to subjects for any specific object.
Capability table focus
Capability tables are subject focused and identify the objects that subjects can access.
Permissions
Refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you'll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.
Rights
Refers to the ability to take an action on an object. For example, a user might have the right to
modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction
and not always stressed. You’ll rarely see the right to take action on a system referred to as a
permission.
Privileges
Are the combination of rights and permissions. For example, an administrator for a
computer will have full privileges, granting the administrator full rights and permissions on the
computer. The administrator will be able to perform any actions and access any data on the computer.
Constrained Interface Applications
Applications use constrained (restricted) interfaces to restrict what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn't have permission to use it. Other times, the application displays the menu item but shows it dimmed or disabled.
Content-Dependent
Content-dependent controls restrict access to data based on the content within an object (the internal data stored by each field). A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.
Context-Dependent
Require specific activity before granting users access. For example, it’s possible
to restrict access to computers and applications based on the current day and/or time. If users attempt
to access the resource outside of the allowed time, the system denies them access.
Service Provisioning Markup Language, or SPML
An XML-based language designed to allow platforms to generate and respond to provisioning requests.
Nmap tool
One of the most common tools used to perform both IP probes and port scans. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you'll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network. Default settings miss roughly 64K ports.
When nmap scans a system, it identifies the current state of each network port on the system. For ports where nmap detects a result, it reports the current status of that port:
Nmap Open
The port is open on the remote system and there is an application that is actively
accepting connections on that port.
Nmap Closed
The port is accessible on the remote system, meaning that the firewall is allowing
access, but there is no application accepting connections on that port.
Nmap Filtered
Nmap is unable to determine whether the port is open or closed because a firewall is interfering with the connection attempt.