Identity and Access Management Flashcards
Access Provision Lifecycle
only set up accounts for those who require them
review account data for errors and inconsistencies
audit access authorizations and failures
remove access when it is no longer needed (role change, separation, contract end)
Identification
Positive (claiming and proving an identity) / Negative (proving a subject is not someone, e.g. not on a watch list)
Authentication
Proves a claimed identity; requires a key piece of information that only the user knows (e.g. a password), has, or is
Authorization
tied closely to the principle of least privilege: after authentication, grants only the rights the subject needs
Types of Authentication
Something you know, something you have, something you are, somewhere you are (GPS/geolocation)
Passphrases
compared to a strong password: less entropy per character, but more total entropy because of the length
Password guessing
trying candidate passwords against the live login (online); slow and noisy, and defeated by lockout or throttling
Password cracking
recovering cleartext passwords offline from stolen password hashes
Dictionary attack
hash each entry of a word list and compare it with the stolen hash
Hybrid
begins with a word list and adds/changes characters (e.g. password -> Password1, P@ssword)
Brute force
attempts every possible password: all combinations of the character set up to a given length; always succeeds eventually, cost grows exponentially with length
Rainbow tables
precomputed table of hashes for a large set of passwords, so each attack is a table lookup instead of a hash computation
Salt makes rainbow tables ineffective: the table would have to be rebuilt for every salt value
Salt
random per-user value stored next to the hash and hashed together with the password; identical passwords get different hashes, and precomputed tables no longer match
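The cards above, worked through in code. This is an added example, not part of the original flashcards: the word list, the "stolen" hashes and the salts are constructed inline, and SHA-256 stands in for a real password hash only to keep the block short (real storage should use bcrypt, scrypt or Argon2). It shows a precomputed table hitting an unsalted hash, the same table failing once a salt is added, a hybrid (word list plus mangling rules) attack that still recovers a salted hash, and a brute force of a short numeric PIN.

```python
import hashlib
import itertools
import os
import string

# Constructed attacker word list (a real one has millions of entries).
WORDLIST = ["password", "letmein", "welcome", "dragon", "summer"]


def hash_unsalted(password: str) -> str:
    # SHA-256 keeps the example short; real password storage should use a
    # slow, salted KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    # Salt: a random per-user value stored next to the hash and hashed
    # together with the password, so equal passwords give different hashes.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(wordlist):
    # Precomputed hash -> password table (a rainbow table reduced to a plain
    # lookup table): the hashing cost is paid once, every lookup is O(1).
    return {hash_unsalted(w): w for w in wordlist}


def table_lookup(table, digest):
    return table.get(digest)


def hybrid_candidates(wordlist):
    # Hybrid attack: each dictionary word plus simple mangling rules.
    for w in wordlist:
        for base in (w, w.capitalize()):
            yield base
            yield base + "!"
            for n in range(10):
                yield f"{base}{n}"


def dictionary_attack(digest, salt, candidates):
    # With a salt the attacker must hash every candidate again for every
    # user; the precomputed table is useless.
    for cand in candidates:
        if hash_salted(cand, salt) == digest:
            return cand
    return None


def brute_force(digest, alphabet=string.digits, max_len=4):
    # Brute force: every combination of the alphabet up to max_len.
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if hash_unsalted(cand) == digest:
                return cand
    return None


def demo():
    table = build_table(WORDLIST)
    salt = os.urandom(16)
    return {
        # unsalted hash of a dictionary word: instant table hit
        "table_hit": table_lookup(table, hash_unsalted("dragon")),
        # same password, salted: the table no longer matches
        "table_miss_salted": table_lookup(table, hash_salted("dragon", salt)),
        # salted hash of a mangled dictionary word: hybrid rules recover it
        "hybrid_hit": dictionary_attack(hash_salted("Dragon7", salt), salt,
                                        hybrid_candidates(WORDLIST)),
        # short numeric PIN: exhaustive search
        "brute_hit": brute_force(hash_unsalted("0420")),
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong: the hybrid attack still finds "Dragon7" because each guess is cheap with a fast hash. The salt only removes the precomputation shortcut; a slow KDF is what raises the per-guess cost.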
Tokens
Counter-based: asynchronous dynamic password token (HOTP, RFC 4226)
Time-based: synchronous dynamic password token (TOTP, RFC 6238)
Synchronous dynamic password token
token and server share a secret and the same clock; the code changes every time step (e.g. RSA SecurID)
Asynchronous dynamic password token
code derived from a shared counter (or a server challenge), no time limit; it stays valid until used, so the server must track the counter and reject values behind it
Biometrics Identifiers
Fingerprints, palm scan, hand geometry, voice print, retina pattern, iris scan, facial recognition
False Reject Rate (FRR)
Type I Error
It's me, but the system rejects me
False Accept Rate (FAR)
Type II Error
It's not me, but the system accepts it: an intruder gets in
Remember: Type II is worse than Type I
Crossover Error Rate (CER)
Point where False Reject Rate and False Accept Rate are equal
Equal Error Rate
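The FRR/FAR/CER cards worked through on constructed data, as an added example that is not part of the original flashcards. The two score lists are made-up matcher outputs (0 to 100, higher means a closer match) for the enrolled person and for impostors; the code sweeps every decision threshold, computes FRR (Type I) and FAR (Type II) at each, and finds the crossover. It also shows the trade-off the cards imply: the strictest threshold drives FAR to zero at the cost of FRR, the most convenient one does the reverse.

```python
# Constructed matcher scores (0-100, higher = better match). Genuine =
# the enrolled person; impostor = someone else presented against that template.
GENUINE = [95, 90, 88, 85, 82, 80, 78, 70, 60, 55]
IMPOSTOR = [72, 68, 58, 50, 45, 40, 38, 35, 30, 20]


def frr(threshold, genuine=GENUINE):
    # False Reject Rate (Type I): genuine users scoring below the threshold.
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    # False Accept Rate (Type II): impostors scoring at or above the threshold.
    return sum(s >= threshold for s in impostor) / len(impostor)


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    # (threshold, FRR, FAR) for every possible decision threshold.
    return [(t, frr(t, genuine), far(t, impostor)) for t in range(0, 101)]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    # Crossover / Equal Error Rate: the threshold where FRR and FAR meet
    # (first threshold with the smallest gap, if they never meet exactly).
    t, r, a = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (r + a) / 2


def highest_security_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    # Lowest threshold at which no impostor is accepted (FAR = 0).
    return next(t for t, r, a in sweep(genuine, impostor) if a == 0)


def highest_convenience_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    # Highest threshold at which no genuine user is rejected (FRR = 0).
    return max(t for t, r, a in sweep(genuine, impostor) if r == 0)


if __name__ == "__main__":
    t, eer = crossover()
    print(f"CER at threshold {t}: {eer:.0%}")
    for name, th in (("security", highest_security_threshold()),
                     ("convenience", highest_convenience_threshold())):
        print(f"{name}: threshold {th}, FRR {frr(th):.0%}, FAR {far(th):.0%}")
```

With this data the CER is 20% at threshold 61; pushing the threshold to 73 removes every false accept but rejects 30% of genuine attempts, and dropping it to 55 removes every false reject but lets 30% of impostors through. Vendors quote CER because it summarises the curve in one number, but a deployment picks the operating point, and for a door to a server room that point sits on the FAR = 0 side.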
Enrollment (Biometrics)
Typical benchmark: enrollment should take about 2 minutes per subject
Throughput (Biometrics)
Typical benchmark: 10 subjects per minute, i.e. one every 6 seconds
Key Distribution Center (KDC)
Vuln: single point of failure; it stores the secret key of every principal (derived from each user's password), so a compromised KDC compromises every key
has access to all keys
issues the Ticket-Granting Ticket (TGT)
Kerberos
symmetric encryption (shared secret keys; the KDC issues session keys)
***Mutual authentication (client and server each prove their identity) is its best feature
SESAME
European equivalent to Kerberos; adds public-key cryptography for key distribution
Directory Services
LDAP: TCP 389 (LDAP over TLS, LDAPS: TCP 636)
Screensavers & timeout
Screensaver lock after 5 minutes of inactivity
Automatic logoff after 10 minutes of inactivity
Federated Identity Management
users from different organizations can authenticate to each other's systems with their home identity
Security Assertion Markup Language (SAML)
standards-based (XML) means of communicating identity and authentication information between an identity provider and a service provider
Service Provider (SP) (SAML)
application that relies on (consumes) an identity/authentication assertion
Think of an application that lets you sign in with your Google account
Identity Provider (IdP) (SAML)
the party that authenticates the user and issues the assertion; in that example, Google
Assertions Consumer Services
endpoint hosted by the Service Provider to which the IdP sends the assertion; the SP must validate the assertion's signature before trusting it
Identity Provider (IDP) (OpenID)
sites that are the source of identity information
Relying Parties (RP) (OpenID)
sites that use identity information from the IdP
RedirectURL (OpenID)
URL at the RP to which the subject is redirected after successful authentication at the IdP, carrying the result
Identity As A Service (IDaaS)
Single sign-on for cloud services
Two-factor authentication and encryption are critical components
Subject: Active
user, process, device
active entity that requests access to objects
Object: Passive
files, directories, pipes
passive entity that contains or receives information
Rules
filters (rule-based access control, e.g. a firewall ruleset)
Labels
sensitivity (MAC: every subject carries a clearance, every object a classification)
Mandatory Access Control Strengths
Controlled by the system; cannot be overridden by the data owner
strict control: users cannot share objects at their own discretion
Mandatory Access Control (MAC) Weakness
Protects information in digital form only
Assumes:
trust/clearance levels have been correctly applied to each individual
users do not share accounts or access
proper physical security is in place
Discretionary Access Control (DAC)
owner can change the object's security attributes (its ACL); think of a Windows file whose permissions the owner edits, or the tabular listing Unix gives with ls -l, one file per row with its permission bits
Discretionary Access Control (DAC) Strengths
fast and flexible: users can modify the permissions on their own files
Discretionary Access Control (DAC) Weakness
users can intentionally or unintentionally grant access when they shouldn't
a simple error causes unauthorized disclosure
DAC depends on users acting in a trustworthy manner
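The MAC and DAC cards side by side in code, as an added example that is not part of the original flashcards. The MAC half uses the Bell-LaPadula confidentiality rules (no read up, no write down) over a constructed set of levels and compartments; the DAC half is a toy object whose owner edits its ACL. The point the cards make is visible in the calls: the DAC owner can hand read access to anyone, including by mistake, while under MAC no call exists for an owner to let a lower-cleared subject read, because the system, not the owner, decides.

```python
from dataclasses import dataclass, field

# Constructed sensitivity levels; compartments are free-form strings.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another if its level is at least as high and it
        # carries every compartment of the other.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up.
    return subject.dominates(obj)


def mac_can_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down (stops a cleared subject leaking data
    # into a lower-classified object).
    return obj.dominates(subject)


@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, by: str, to: str, perm: str) -> bool:
        # Discretionary: the owner alone decides. Nothing checks whether the
        # grantee should see the data, so a mistaken grant discloses it.
        if by != self.owner:
            return False
        self.acl.setdefault(to, set()).add(perm)
        return True

    def can(self, who: str, perm: str) -> bool:
        return who == self.owner or perm in self.acl.get(who, set())


def demo():
    secret_doc = Label("SECRET", frozenset({"PROJ-X"}))
    alice = Label("SECRET", frozenset({"PROJ-X"}))    # cleared for the doc
    bob = Label("CONFIDENTIAL")                       # not cleared

    # DAC: Alice owns the file and can hand Bob read access, right or wrong.
    dac_file = DacObject(owner="alice")
    dac_file.grant("alice", "bob", "read")

    return {
        "dac_bob_reads": dac_file.can("bob", "read"),            # True
        "mac_alice_reads": mac_can_read(alice, secret_doc),      # True
        "mac_bob_reads": mac_can_read(bob, secret_doc),          # False, no override
        "mac_alice_writes_down": mac_can_write(alice, Label("CONFIDENTIAL")),  # False
        "mac_bob_writes_up": mac_can_write(bob, secret_doc),     # True
    }


if __name__ == "__main__":
    print(demo())
```

The "cannot be overridden" strength and the "depends on trustworthy users" weakness are the same fact seen from two sides: MAC has no grant operation for the owner to get wrong, DAC has nothing but that operation.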
Non-Discretionary Access Control
a central authority determines which objects a subject can access
Rule-based: e.g. firewall rules
Role-based: access tied to job roles
Task-based: focuses on tasks rather than roles
Attribute-based: decisions from subject, object and environment attributes
Non-RBAC Role-Based Access Control (RBAC)
users are granted access individually via Access Control Lists; no roles involved
Limited RBAC Role-Based Access Control (RBAC)
users mapped to applications; roles exist only inside individual applications
think local accounts on each system
Hybrid RBAC Role-Based Access Control (RBAC)
users assigned to roles, and the roles assigned access to systems and applications
Full RBAC Role-Based Access Control (RBAC)
access is controlled by roles and applied to applications and systems.
think Active Directory groups
Attribute-Based Access Control (ABAC)
access decisions based on subject and object attributes plus environmental conditions
Complex, e.g. time of day, where you logged in from, etc.
Content Dependent
access based on the content of the data itself
Think of web filtering at work: the page's content decides whether it loads
Context Dependent
access based on the circumstances of the request, e.g. account locked out after x failed attempts
think of an incrementing counter: the state of earlier requests changes the decision
Captcha
mechanism for enforcing a context-dependent access control (the context being whether a human, not a script, is making the request)
Constrained User Interface
Limited menu options within an application
Temporal (Time-Based) Isolation
access depends on the time window: during the week the system accepts time cards, then blocks submissions, then opens again
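The ABAC card (subject/object attributes plus environmental conditions such as time and login location) and the temporal isolation card (a time window that opens and closes) together in one small policy engine. This is an added example, not part of the original flashcards; the policy, the attribute names and the "corp" network label are constructed for it. Each rule is a predicate over subject, object and environment with an effect, and the combining algorithm is deny-overrides, the usual safe default.

```python
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))


def in_window(when: datetime, start: time, end: time) -> bool:
    return start <= when.time() < end


def is_weekday(when: datetime) -> bool:
    return when.weekday() < 5


# Constructed policy: each rule is a predicate over subject (s), object (o)
# and environment (e) attributes plus an effect. Names are made up.
POLICY = [
    # temporal isolation: time cards are accepted only in the weekday window
    {"name": "timecard-window", "effect": "permit",
     "when": lambda s, o, e: (o["type"] == "timecard"
                              and s["role"] == "employee"
                              and is_weekday(e["time"])
                              and in_window(e["time"], *BUSINESS_HOURS))},
    # subject attribute plus environment: HR records only from the corp network
    {"name": "hr-records-onsite", "effect": "permit",
     "when": lambda s, o, e: (o["type"] == "hr_record"
                              and s["department"] == "HR"
                              and e["network"] == "corp")},
    # environment alone: a login from an unexpected country denies everything
    {"name": "unexpected-country", "effect": "deny",
     "when": lambda s, o, e: e["country"] not in s["allowed_countries"]},
]


def matching_rules(subject, obj, env, policy=POLICY):
    return [rule["name"] for rule in policy if rule["when"](subject, obj, env)]


def decide(subject, obj, env, policy=POLICY):
    # Deny-overrides combining: any matching deny wins, then any permit,
    # otherwise default deny (no rule spoke for the request).
    effects = [rule["effect"] for rule in policy if rule["when"](subject, obj, env)]
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return "deny"


if __name__ == "__main__":
    employee = {"role": "employee", "department": "Sales", "allowed_countries": {"US"}}
    timecard = {"type": "timecard"}
    tuesday = datetime(2024, 3, 12, 10, 0)
    saturday = datetime(2024, 3, 16, 10, 0)
    for when, country in ((tuesday, "US"), (saturday, "US"), (tuesday, "XX")):
        env = {"time": when, "network": "corp", "country": country}
        print(when.strftime("%a %H:%M"), country,
              decide(employee, timecard, env), matching_rules(employee, timecard, env))
```

The same request permitted on Tuesday morning is denied on Saturday with no rule matching at all (default deny), and denied on Tuesday from an unexpected country even though the time-window rule still matches, because deny overrides permit.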