Identity and Access Management Flashcards

1
Q

Access Control Types (10)

A
  1. Preventative
  2. Detective
  3. Corrective
  4. Deterrent
  5. Recovery
  6. Directive
  7. Compensating
  8. Administrative
  9. Logical/Technical
  10. Physical
2
Q

Preventative Access Control

A

thwarts or stops unwanted or unauthorized activity

Examples:
fences, locks, biometrics, mantraps, lighting, alarm systems, security cameras, CCTV, smart cards

separation of duties, policies, job rotation policies, data classification, pen-testing, access control, encryption, auditing, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems

3
Q

Detective Access Controls

A

attempts to discover or detect unwanted or unauthorized activity - can only be discovered after the fact.

Examples:
security guards, motion detectors, recording and reviewing events by security cameras, CCTV,

job rotation policies, mandatory vacation policies, audit trails, honeypots/nets, intrusion detection systems, violation reports, supervision and review of users, and incident investigations

4
Q

Corrective Access Control

A

modifies the environment to return systems back to normal after unwanted or unauthorized activity

Examples:
terminating malicious activity, rebooting a system, antivirus solutions (quarantine, isolation), backup and restore plans, IDS systems modifying environments to stop an attack in progress

5
Q

Deterrent Access Control

A

attempts to discourage security policy violations - very similar to preventative controls, but relies on the individual to be dissuaded from taking the action

Examples: policies, security awareness training, locks, fences, security badges, guards, mantraps and security cameras

6
Q

Recovery Access Control

A

attempts to repair or restore resources, functions and capabilities after a security violation - an extension of corrective controls, but with more advanced capabilities

Examples: backups, restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing

7
Q

Directive Access Control

A

attempts to direct, confine or control the actions of subjects to force or encourage compliance with security policies

Examples: security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision and procedures

8
Q

Compensating Access Control

A

provides an alternative when it isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control.

Example: A security policy might dictate the use of smart cards by all employees, but it might take a long time for new employees to get a smart card. The org can issue hardware tokens to employees as a compensating control. Tokens provide stronger authentication than just a username and password.

9
Q

Administrative Access Controls

A

the policies and procedures defined by an org’s security policy and other regulations or requirements - sometimes referred to as management controls

Examples: policies, procedures, hiring practices, background checks, classifying and labeling data, security awareness and training efforts, reports and reviews, personnel controls, and testing.

10
Q

Logical and Technical Controls

A

hardware or software mechanisms used to manage access and to provide protection of the

11
Q

Smartcard

A

ID or badge with a circuit chip embedded in it that stores information about the authorized user's identification and authentication

Usually contains a microprocessor and one or more certificates - used for asymmetric cryptography such as encrypting data or digitally signing email.

Tamper resistant

US government personnel:
CACs: common access cards
PIVs: personal identity verification cards

12
Q

Synchronous Dynamic Password Tokens

A

Time-based and synchronized with an authentication server

They generate a new password periodically, e.g. every 60 seconds

The token and the server must have accurate time

Common method is for a user to enter a username, a static password and the dynamic one-time password into a webpage

13
Q

Asynchronous Dynamic Password Tokens

A

Does not use a clock - instead the hardware token generates passwords based on an algorithm and an incrementing counter; this creates a dynamic, one-time password that stays the same until used for authentication

Some tokens create a one-time password when the user enters a PIN provided by the authentication server into the token

Example: a user submits a username and password to a webpage. After validation, the authentication system uses the token's identifier and incrementing counter to create a challenge number and sends it back to the user. The challenge number changes each time a user authenticates, so it is often called a NONCE (short for number used once). The challenge number will only produce the correct one-time password on the device belonging to the user; they enter the password into the website to complete authentication

14
Q

HMAC

A

Hash Message Authentication Code

15
Q

HOTP

A

HMAC-based One-Time Password

The HMAC includes a hash function used by the HOTP standard to create one-time passwords

It typically creates HOTP values of 6-8 digits

Similar to the asynchronous dynamic passwords created by tokens

HOTP values remain valid until used

16
Q

TOTP

A

Time-based One-Time Password

TOTP uses a timestamp and remains valid for a certain timeframe, such as 30 seconds

TOTP expires if the user doesn't use it within the timeframe

Similar to the synchronous dynamic passwords used by tokens

17
Q

Iris Scans > Retina Scans

A

The iris scan is the second most accurate, but it does not reveal health information and can be done from a distance

Con: it can be spoofed by really high quality pictures of the eye
Con: accuracy can be affected by light, glasses or contact lenses

18
Q

Biometric Factor Error Ratings

A

Biometric devices are rated for performance by examining the different types of errors they produce.

False Rejection Rate (FRR): a valid subject is not authenticated, Type 1 Error - when the biometric device is more sensitive

False Acceptance Rate (FAR): an invalid subject is authenticated, Type 2 Error - when biometric device is not sensitive enough

19
Q

CER or EER

A

Crossover Error Rate or Equal Error Rate

The point where the FRR and the FAR percentages are equal - this is used as the standard assessment value to compare accuracy of different biometric devices

Lower CER = more accurate

20
Q

Device Fingerprinting

A

Users can register their devices with the organization and associate them with their user accounts

During registration, the authentication system - usually via a webpage - captures characteristics of the device such as OS, version, browser, fonts, plugins, time zone, storage, screen resolution, cookie settings and HTTP headers

When the user logs in, the auth system checks the user account for a registered device and verifies the characteristics - even though the characteristics can change, it's a fairly successful method

SecureAuth Identity Provider (IdP) is commonly used for device authentication

21
Q

802.1x

A

Device Authentication Method

Used for port-based authentication on some routers and switches - often used with wireless systems forcing users to log on with an account before being granted access to a network

Recently, some 802.1x solutions have been implemented with MDM and/or NAC solutions to control access from mobile devices - if the device or user cannot authenticate through the 802.1x system, they are not granted access to the network

22
Q

Service Accounts

A

Services also require authentication so service accounts are created - e.g. third-party tools need permission to scan all mailboxes looking for spam, malware, potential data exfiltration and more. Admins can create a Microsoft domain account and give the account the privileges to complete the task.

The password usually doesn't expire; instead it is configured with greater strength and complexity, and it is changed more often than a user account's password. An alternative is to configure the account as non-interactive, which prevents users from logging on to the account using traditional methods

23
Q

Certificate-based Authentication for Services

A

Services can also authenticate using certificate-based authentication

Certs are issued to the device running the service and presented by the service when accessing resources.

API: application programming interface used for web-based services to exchange information between systems

  • API methods are different depending on the web-based service
  • example: Google and Facebook provide web-based services that web developers use, but their implementation is different
24
Q

Access Control Management

A

Centralized access control: all authorization verification is performed by a single entity within a system

  • can be managed by a small team or individual
  • administrative overhead is lower because all changes are made in a single location and a single change affects the entire system

Decentralized access control: aka distributed access control, implies various entities located throughout a system perform authorization verification

  • requires several teams or many people
  • administrative overhead is higher because changes must be implemented across numerous locations
  • maintaining consistency across a system becomes more difficult as the number of access control points increases; changes made to any individual access control point need to be repeated for every access point
25
Q

Single Sign-On

A

SSO is a centralized access control technique that allows a subject to be authenticated once on a system and access multiple resources without authenticating again

Pros:

  • very convenient for users; one password and fewer accounts
  • increases security

Cons:

  • once an account is compromised, an attacker gains unrestricted access to all of the authorized resources - however, most SSO systems include methods to protect credentials

26
Q

LDAP

A

Lightweight Directory Access Protocol: similar to a telephone directory, it is a directory for network services and assets. Users, clients and processes can search the directory to find where a desired system or resource resides

Subjects must authenticate to the directory service before performing queries and lookup activities and what the subject sees is based on their privileges

Example: MS Active Directory Domain Services

27
Q

LDAP - Security domain

A

a collection of subjects and objects that share a common security policy; individual domains can operate separately from other domains

28
Q

LDAP - Trusts

A

trusts are established between domains to create a security bridge that allows users from one domain to access resources in another domain

can be one-way or two-way

29
Q

LDAP - PKI

A

Public-key infrastructure uses LDAP when integrating digital certificates into transmissions

PKI is a group of technologies used to manage digital certificates during the certificate lifecycle

Example: a client needs to query a certificate authority (CA) for information on a certificate, and LDAP is a protocol that is used

30
Q

Kerberos

A

The most common ticket-based authentication system. It is an SSO solution for users that provides protection for logon credentials
- Kerberos 5 relies on symmetric key cryptography (AKA secret key cryptography) using the AES symmetric encryption protocol

Kerberos provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks

It uses a key distribution center, a Kerberos authentication server, ticket-granting tickets, and tickets

31
Q

Kerberos - Key Distribution Center

A

The KDC is the trusted third party that provides authentication services; all clients are registered with the KDC and it maintains the secret keys for all network members

32
Q

Kerberos Authentication Server

A

hosts the functions of the KDC: a ticket-granting server and an authentication server

The authentication service verifies or rejects the authenticity and timeliness of tickets

33
Q

TGT

A

Ticket-Granting Ticket: provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects

A TGT is encrypted and includes a symmetric key, an expiration time, and the user's IP address

Subjects present the TGT when requesting tickets to access objects

34
Q

Ticket

A

A ticket, also known as a service ticket (ST), is an encrypted message that provides proof that a subject is authorized to access an object

Subjects request tickets to access objects, and if they have authenticated and are authorized to access the object, Kerberos issues them a ticket

Kerberos tickets have specific lifetimes and usage parameters - once a ticket expires, a client must request a renewal or a new ticket to continue communications with any server

35
Q

Kerberos Login Process - Client

A

  1. The user types a username and password into the client.
  2. The client encrypts the username with AES for transmission to the KDC.
  3. The KDC verifies the username against a database of known credentials.
  4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted time-stamped TGT.
  5. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
  6. The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user's password.

NOTE: the password is never transmitted over the network - the symmetric key is encrypted and decrypted with the hash of the user's password. This will only work if the user enters the correct password

36
Q

Kerberos Login process - Resource

A

  1. The client sends its TGT back to the KDC with a request for access to the resource.
  2. The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource.
  3. The KDC generates a service ticket and sends it to the client.
  4. The client sends the ticket to the server or service hosting the resource.
  5. The server or service hosting the resource verifies the validity of the ticket with the KDC.
  6. Once identity and authorization are verified, Kerberos activity is complete. The server or service host then opens a session with the client and begins communications or data transmission.

37
Q

Biggest Kerberos Concern

A

Kerberos has a single point of failure - the KDC. If the KDC is compromised, the secret key for every system on the network is also compromised

If the KDC goes offline, no subject authentication can occur.

It has strict time requirements, and the default configuration requires that all systems be time-synchronized within 5 minutes of each other. If a system is not synchronized or the time is changed, a previously issued TGT will no longer be valid and the system will not be able to receive any new tickets. The client will be denied access to any protected network resources.

38
Q

FIM

A

Federated Identity Management, a form of SSO commonly used by cloud-based services

FIM extends identity management across multiple organizations. Multiple organizations can join a federation where they agree on a method to share identities between them

  • users can log in through their own organization and their identities are matched with a federated identity
  • they can use the federated identity to access resources in any other organization within the group

An example is a corporate training platform - a common method is to match the federated identity with the internal login ID

One pain point is different companies speaking different languages - they can have different operating systems but need the same common language. To make things simpler, federated identity systems often use SAML and/or SPML

39
Q

HTML

A

Hypertext Markup Language

commonly used to display static web pages.

It was derived from the Standard Generalized Markup Language (SGML) and the Generalized Markup Language (GML)

HTML describes how data is displayed using tags to manipulate the size and color of the text - for example, the following text is a level one heading <h1>I Passed the CISSP</h1>

40
Q

XML

A

Extensible Markup Language

It goes beyond describing how to display data by actually describing the data. XML can include tags to describe data as anything desired. The following tag identifies the data as the result of taking an exam: Passed

Databases from multiple vendors can import and export data to and from an XML format, making XML a common language used to exchange information. Many specific schemas have been created so that companies know exactly what tags are being used for specific purposes. Each of the schemas effectively creates a new XML language.

41
Q

SAML

A

Security Assertion Markup Language

An XML based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations. It is often used to provide SSO capabilities for browser access

42
Q

SPML

A

Service Provisioning Markup Language

a newer framework developed by OASIS, a nonprofit consortium that encourages development of open standards.

It’s based on XML and is specifically designed for exchanging user information for federated identity SSO purposes

It is based on the Directory Service Markup Language (DSML) which can display LDAP-based directory service information in an XML format

43
Q

XACML

A

Extensible Access Control Markup Language

a standard developed by OASIS that is used to define access control systems; it can also use role-based access control

It helps provide assurances to all members in a federation that they are granting the same level of access to different roles

44
Q

OAuth 2.0

A

Implies open authentication

an open standard for access delegation

When one account allows authorization to another account, e.g. Acme using a Twitter account to tweet about Acme. The main benefit is that Acme never gets the Twitter credentials

Many online sites support OAuth 2.0 but not 1.0

45
Q

OpenID

A

Also an open standard, but it is maintained by the OpenID Foundation rather than as an RFC standard

It provides decentralized authentication allowing users to log into multiple unrelated websites with one set of creds maintained by a third-party service referred to as openID provider

When users go to an OpenID-enabled website (also known as a relying party), they are prompted to provide their OpenID identity as a uniform resource locator (URL)

The two sites exchange data and create a secure channel. The user is then redirected to the OpenID-enabled site

OpenID Connect: an authentication layer using the OAuth 2.0 framework. It's maintained by the OpenID Foundation and builds on technologies created with OpenID, but uses a JavaScript Object Notation (JSON) Web Token (JWT), also called an ID token

OpenID Connect uses Representational State Transfer (REST) compliant web service to retrieve the JWT. In addition to providing authentication, the JWT can also include profile information about the user.

46
Q

Scripted Access

A

Scripted access aka logon scripts establish communication links by providing an automated process to transmit logon credentials at the start of a logon session

Scripted access can simulate SSO even though the environment still requires a unique authentication process to connect to each server or resource

Scripts can be used to implement SSO in environments where true SSO technologies are not available.

Scripts and batch files should be stored in a protected area because they usually contain access credentials in clear text.

47
Q

Credential Management System

A

A credential management system provides a storage space for users to keep their credentials when SSO isn’t available.

Users can store credentials for websites and network resources that require a different set of credentials

The management system secures the credentials with encryption to prevent unauthorized access.

Examples: Windows Credential Manager, KeePass

48
Q

IDaaS

A

Identity as a Service: a third-party service that provides IAM.

IDaaS effectively provides SSO for the cloud, especially for cloud SaaS

49
Q

RADIUS

A

Remote Authentication Dial-In User Service

50
Q

TACACS+ vs. Old TACACS and RADIUS

A

  • TACACS+ uses TCP port 49 (the older TACACS uses UDP port 49), which gives a higher level of reliability for packet transmission
  • encrypts all authentication information, not just the password
  • separates authorization, authentication and accounting into three separate processes

51
Q

Diameter

A

Enhanced version of RADIUS

Supports IP, Mobile IP and Voice IP

Popular with roaming support like with wireless and smartphones

It’s not backward compatible with RADIUS

Uses TCP port 3868 or Stream Control Transmission Protocol (SCTP) port 3868, and also supports IPsec and TLS (Transport Layer Security)

52
Q

Identity and Access Management Lifecycle

A

Creation, management and deletion of accounts

Provisioning: enrollment process creates a new identity and establishes the factors the system needs to perform authentication. It’s important that this is done completely and accurately

Maintenance: altering rights and privileges

Account Review: accounts should be reviewed periodically to ensure that security policies are being enforced. This includes ensuring that inactive accounts are disabled and employees do not have excessive privileges. Automatic or manual checks look for inactive accounts, privileged group memberships, and unauthorized accounts. There are two problems when it comes to access control:

  • excessive privilege: occurs when users have more privileges than their assigned work tasks dictate. If a user account is discovered to have excessive privileges, the unnecessary rights should be immediately revoked.
  • creeping privilege: involves a user account accumulating privileges over time as job roles and assigned tasks change. This can occur because new tasks are added to a user's job, but unneeded rights are never removed
    • both of these situations violate the basic security principle of least privilege - which ensures that subjects are granted only the privileges they need to perform their work tasks and job functions, but no more - and account reviews are effective at discovering these problems

Account Revocation