Domain 5: Identity and Access Management Flashcards
What is Access?
Flow of information between a subject and an object
What is an Access Control?
It is a security feature that controls how subjects and objects communicate and interact with other systems and resources.
What is Object?
Passive entity that contains information (computer, database, file, program) that is accessed by a subject.
Centralised administration: Approaches to Administration
One element responsible for configuring access controls. Only modified through central administration, very strict control.
Decentralised administration: Approaches to Administration
Access to information is controlled by the owners or creators of the information. There may be a lack of consistency with regard to procedures, as it is difficult to form a system-wide view of all user access at any given time.
Hybrid: Approaches to Administration
Centralised control is exercised for some information and decentralised control for other information.
IAAA
Four key principles upon which access control relies:
- Identification
- Authentication
- Authorisation
- Accountability
Explain the principle of Identification/Assertion
This is about ensuring a subject is who they say they are. It binds a user to the appropriate controls based on the unique user instance. This may also include Registration, which is about verifying an individual’s identity and adding a unique identifier to an identity system.
Explain the principle of Authentication
The process of verifying the user: the user provides private data, which establishes trust between the user and the system for the allocation of privileges.
Explain the principle of Authorisation
Checks which resources the user is allowed to access. These resources must be defined and monitored.
Explain the principle of Accountability
Who was responsible for an action? Logging is the best way to provide accountability; it captures a change log of approved changes and the change management process.
Relationship between Identity, Authentication, and Authorisation
- Identification provides uniqueness
- Authentication provides validity
- Authorisation provides control
Logical Access Controls
Tools used to administer IAAA
MAC Address
A 48-bit number that is supposed to be globally unique; however, it can be spoofed by software and so no longer acts as a strong identifier or authentication factor.
SSO
Single Sign On. It is also referred to as Reduced Sign On or federated ID management.
SSO Advantages
Ability to use stronger passwords, easier administration, and less time to access resources
SSO Disadvantages
Once a key is compromised, all resources can be accessed. Similarly, if the DB is compromised, all passwords are compromised. A thin client is also an SSO approach.
Kerberos
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using symmetric keys. Additionally, it addresses confidentiality, integrity, and authentication.
Benefits of Kerberos
Inexpensive, supported by a number of operating systems, and a mature protocol.
Disadvantages of Kerberos
Takes time to administer; can be a bottleneck or a single point of failure.
What is ‘Realm’?
Indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host, or service. Uses symmetric-key cryptography.
KDC
The Key Distribution Centre grants tickets to clients for specific servers. It knows the secret keys of all clients and servers on the network, as well as those of the TGS and AS. However, it acts as a single point of failure.
AS
Authentication Server
TGS
Ticket Granting Server
Explain the Kerberos logon process
- The user types a username and password into the client
- The client encrypts the username with AES for transfer to the KDC.
- The KDC verifies the username against a database of known credentials.
- The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted, time-stamped TGT and sends it to the client.
- The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password.
- Finally, the user can use this ticket to access the desired service.
SESAME
A public-key-cryptography-based authentication protocol. Its weakness is that it only authenticates the first block and not the complete message. SESAME uses one ticket for authentication, while the other ticket is used for access privileges. It works with Privileged Attribute Certificates (PACs) and can use both symmetric and asymmetric encryption.
Logon scripting
Uses scripts to authenticate users
Directory service
A centralised database that includes information about subjects and objects, using a hierarchical naming scheme. Active Directory has sophisticated security resources (group policy, user rights, accounts, DNS services).
Type 1: Single Factor Authentication
The authentication factor is something you know, for example, a password, PIN, or passphrase.
Type 2: Multi Factor Authentication
Something you have, such as a physical device that a user can use to provide authentication. Examples include a smartcard, hardware token, memory card, or USB drive.
Type 3: Multi Factor Authentication
Something you are, or something you do. It is a physical characteristic of a person identified with different types of biometrics, such as fingerprint or iris scans.
Type 1: Single Factor Authentication Examples
Passwords. A user can choose their own password; however, generally a longer password is a safer one.
Salting
A unique value is added to the end of the password before hashing to create a different hash value. This adds a layer of security to the hashing process, specifically against brute-force attacks.
One Time Passwords
One solution to increase the security of Type 1 authentication.
Passphrase
Easiest to remember. This is converted to a virtual password by the system.
Cognitive password
Easy to remember, like your mother’s maiden name.
Hacking
Unauthorised access to password file
Brute force attack
Trying many different character combinations. This is an exhaustive attack.
Dictionary attack
Trying common words in the dictionary
Social Engineering
Spoofing your identity to someone
Rainbow tables
Tables of passwords that are already in hashed form: pre-hashed passwords paired with high-speed lookup functions.
Implementation attack
This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.
Statistical Attack
Exploits statistical weaknesses in a cryptosystem, such as floating point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or OS hosting the cryptography application.
Password checker and password hacker
Both are programs that can find passwords: a password checker tests whether passwords are compliant, while a password hacker is used by an attacker to obtain them.
Nonce
In security engineering, a number or bit string used only once.
Type 2: Authentication Examples
Examples include a key, swipe card, access card, badge, and tokens.
Static Password Token
The owner authenticates to the token, and the token authenticates to the information system.
Synchronous (Time Based) Dynamic
Uses time or a counter shared between the token and the authentication server. RSA SecurID tokens are an example.
Asynchronous (Not Time Based) OTP Generation
The server sends a nonce (random value). This goes into the token device, which encrypts it and delivers an OTP, with an added PIN.
Challenge/response token
Generates a response to a challenge provided by the system/workstation; synchronous tokens rely on timing, asynchronous tokens on the challenge.
Type 3: Authentication Examples
Biometrics, such as fingerprints.
Type 1: Biometric Errors
False Rejection Rate (FRR)
Type 2: Biometric Error
False Acceptance Rate (FAR)
Crossover Error Rate (CER)
Where FRR = FAR. The lower the CER, the more accurate the system.
Fingerprint biometric
Made up of ridge endings and bifurcations exhibited by the friction ridges, and other detailed characteristics that are called minutiae.
Retina Scans
Scans the blood-vessel pattern of the retina on the back of the eyeball. Can reveal medical conditions; however, it is the most accurate.
Iris Scans
Scans the coloured portion of the eye that surrounds the pupil
Facial Scans
Takes attributes and characteristics like bone structure, nose ridges, eye widths, forehead sizes, and chin shapes into account.
Palm Scans
The palm has creases, ridges, and grooves throughout it that are unique to a specific person. Appropriate by itself as a Type 3 authenticator.
Hand Geometry
Hand geometry measures the shape of a person’s hand (the length and width of the hand and fingers).
Voice Print
Distinguishing the differences in people’s speech sounds and patterns.
Signature Dynamics
Electrical signals of speed and time that can be captured when a person writes a signature.
Keyboard Dynamics
Captures the electrical signals when a person types a certain phrase.
Hand Topology
Looks at the size and width of an individual’s hand and fingers.
SAML
Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
SAML 2 and its roles
SAML 2 enables web based applications to include SSO. Roles include:
- Principal (user)
- Identity Provider (IdP)
- Service Provider (SP)
XML Signature
Uses a digital signature for authentication and message integrity, based on the XML Signature standard.
IDaaS
Identity as a Service is a third-party service that provides identity and access management. It effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications. It allows the provisioning of identities held by the service to target applications.
Cloud Identity
Users are created and managed by an online system, such as Office 365.
Directory Synchronisation
Users are created and managed in an on-premises identity provider.
Federated Identity
An arrangement that can be made between multiple enterprises to let subscribers use the same identification data to obtain access to the networks of all the enterprises in the group. The use of such a system is sometimes called identity federation.
What is an Object
Passive entity that provides information to active subjects.
What is a Subject
Active entity that accesses a passive object.
Four Main types of access control techniques
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role Based Access Control (role-BAC)
- Rule Based Access Control (rule-BAC)
RADIUS
Typically used for wireless networks, modems, and network devices.
OAuth
An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
Role BAC
Role-based or task-based access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks. It is often implemented using groups and is a form of nondiscretionary access control. Types of RBAC include Hybrid RBAC and Limited RBAC.
Rule BAC
Based on rules within an ACL; uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. This includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic of rule-BAC models is that they have global rules that apply to all subjects.
Rule BAC Example
A firewall, which includes a set of rules or filters within an ACL, defined by an administrator. The firewall examines all the traffic going through it and only allows traffic that meets one of the rules.
Mandatory Access Control (BELL Model)
Lattice-based. Labels all objects and subjects. Authorisation depends on security labels, which indicate the clearance of subjects and the classification of objects. Access is provided on a need-to-know basis.
Non-discretionary access control / Mandatory
A central authority determines which subjects have access, based on policies. Role-based or task-based. A lattice-based model can also be applied.
Discretionary Access Control - Graham Denning
Allows the owner, creator, or data custodian of an object to control and define access to that object. DAC is implemented using ACLs on objects. Identity-based access control is a subset of DAC. DAC is not centrally managed, as the permissions of a file can be changed at the object level.
Implicit Deny
A basic principle that most authorisation mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
Access Control Matrix
A table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.
Capability Tables
They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the role for these objects.
Difference between ACL and Capability Table
The difference is in focus. ACLs are object-focused and identify the access granted to subjects for a specific object, while capability tables are subject-focused and identify the objects that a subject can access.
Permissions
Refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you’ll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.
Rights
Refer to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction and not always stressed. You’ll rarely see the right to take action on a system referred to as a permission.
Privileges
Are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.
Constrained Interface Applications
This restricts what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn’t have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.
Content-Dependent
Restricts access to data based on the content within an object, that is, the internal data stored in each field. A database view is a content-dependent control: a view retrieves specific columns from one or more tables, creating a virtual table.
Work Hours
A context-dependent control (such as allowing access only from 9 to 5).
Need to Know
Ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorisation to the data unless they actually need it to perform a job.
Least Privilege
Ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.
Separation of Duties and Responsibilities
Ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.
Reconnaissance
Allows an attacker to find weak points to target directly with their attack code. Automated tools are used to assist in this process.
IP Probes
The first type of network reconnaissance carried out against a targeted network. Each address in a range is pinged, with all responses logged. Addresses that do not produce a response are assumed to be unused and are ignored.
Nmap Tool
One of the most common tools used to perform both IP probes and port scans.
Three states of network ports
- Open: The port is open on the system and an application is actively receiving connections.
- Closed: The port is accessible, meaning the firewall is allowing access, but there is no application accepting connections on that port.
- Filtered: Nmap is unable to determine whether the port is open or closed because a firewall is interfering with the connection attempt.
Port Scans Results
Once open ports are identified, they reveal the public services running on each machine; for example, port 80 is used for web servers.
Vulnerability Scans
Probe targeted systems to locate security flaws.
Service Provisioning Markup Language (SPML)
An XML-based language designed to allow platforms to generate and respond to provisioning requests.
SOAP
Simple Object Access Protocol is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.