Lesson 4: Implement Identity and Access Management Flashcards
Define Confidentiality in authentication
If account credentials are leaked, threat actors can impersonate the account.
Define Integrity in authentication
Authentication mechanism is reliable and not easy for threat actors to bypass or trick with counterfeit credentials.
Define Availability in authentication
Time taken to authenticate does not impede workflows and is easy enough for users to operate.
Define an ‘authentication factor’
Different technologies for implementing authentication
List main authentication factors
Knowledge (username/password/PIN), ownership/token, and biometric/inherence.
Define the term ‘password best practices’
Policies governing the secure selection and maintenance of authentication factors (secrets, such as length, complexity, age, and reuse; smart cards; biometric IDs).
Define the term ‘account policies’
Policies governing user security information, such as password expiration and uniqueness.
Define a ‘Password Length’ policy
Enforces a min/max length for passwords.
Define a ‘Password Complexity’ policy
Enforces password entropy; Enforces complex passwords that aren’t easy to crack.
What are examples of password complexity?
No use of a username within the password and a combination of at least eight uppercase/lowercase alphanumeric and non-alphanumeric characters.
Define a ‘Password Age’ policy
Forces the user to select a new password after a set number of days.
Define a ‘Password Reuse and History’ policy
Prevents the selection of a password that has been used already.
Define the purpose of the ‘history’ attribute of a ‘Password Reuse and History’ policy
How many previous passwords are blocked from use.
Define the purpose of the ‘minimum age’ attribute of a ‘Password Reuse and History’ policy
Prevents a user from quickly cycling through password changes to revert to a preferred phrase.
Define a ‘password manager’
Software that can suggest and store passwords to reduce risks from poor user choices and behavior.
What is the purpose of a password manager?
To mitigate risk of poor user credential management practices.
What are the main risks of using a password manager?
Selection of a weak master password, compromise of the vendor’s cloud storage or systems, impersonation attacks.
Define ‘multifactor authentication (MFA)’
Authentication scheme that requires the user to present at least two different factors as credentials.
Define an ‘ownership authentication factor’
Something unique you have; smart card, key fob, cryptographic token.
Define a ‘biometric/inherence authentication factor’
Something you are; Fingerprint, retinal scan, facial scan.
Define a ‘location-based authentication factor’
Somewhere you are; system applies a location-based factor to an authentication decision based on location/IP address.
What does it take to configure biometric authentication?
- A sensor module to acquire biometric samples
- Extraction module that creates a ‘template’/mathematical representation of the sample
Define the process of biometric authentication
A user is rescanned and the scan is compared to their initial template.
List the 3 metrics that are used to evaluate biometric authentication performance
- False Rejection Rate (FRR)
- False Acceptance Rate (FAR)
- Crossover Error Rate (CER)
Define ‘False Rejection Rate (FRR)’
Measures the number of valid subjects who are denied access as a percentage.
Define ‘False Acceptance Rate (FAR)’
Measures the number of unauthorized users who are mistakenly allowed access as a percentage.
What is the outcome of a high False Rejection Rate (FRR)?
Causes inconvenience to authorized users.
What is the outcome of a high False Acceptance Rate (FAR)?
Can lead to security breaches.
Define ‘Crossover Error Rate (CER)’
Expresses the point at which FAR and FRR meet, with a low value indicating better performance.
Define throughput in biometric authentication performance
Time required to create a template for each user and the time required to authenticate.
Define ‘Failure to Enroll Rate (FER)’
Incidents in which a template cannot be created and matched for a user during enrollment.
What are user concerns with biometric authentication?
Users can find it intrusive and threatening to privacy; The technology can be discriminatory or inaccessible to those with disabilities.
What is the most common form of biometric authentication?
Fingerprint recognition.
List the 3 types of tokens in ownership authentication
- Certificate-Based Authentication
- One-Time Password (OTP)
- Fast Identity Online (FIDO) Universal 2nd Factor (U2F)
Define ‘Certificate-Based Authentication’
Supplicant uses a private key to generate a unique signed token; the identity provider verifies the signature using the corresponding public key.
Define ‘One-Time Password (OTP)’
A token generated for each authentication decision using some sort of hash function on a shared secret value plus a synchronization seed, such as a timestamp; does not require PKI.
Define ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’
Uses asymmetric key pairs to register each account.
Define the authentication process of ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’
Private key is locked to the U2F device and signs the token; the public key is registered with the authentication server and verifies the token; Does not use PKI because there is no digital cert.
Define ‘hard authentication token’
Authentication token generated by a cryptoprocessor on a dedicated hardware device.
What makes a hard authentication token secure?
As the token is never transmitted directly, this implements an ownership factor within a multifactor authentication scheme.
List the 3 types of hard authentication tokens
- Smart cards
- One-time password (OTP)
- Security key
Define a ‘Smart card’
A security device similar to a credit card that can store authentication information.
What authentication information is stored on a smart card?
User’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.
Define a ‘Security key’
Refers to a portable hardware security module (HSM) with a computer interface, such as USB or NFC; Most closely associated with U2F.
Define a ‘soft authentication token’
An OTP generated by the identity provider that is transmitted to the supplicant.
How can a soft authentication token be made more secure?
With the use of an authenticator app.
Define ‘Passwordless Authentication’
Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.
What is best practice for securing passwordless authentication?
The authenticator must be trusted and resistant to spoofing or cloning attacks.
What concept is used to ensure secure passwordless authentication?
Attestation
Define ‘Attestation’ in context of passwordless authentication
Capability of an authenticator to prove that it is a trusted root.
How is an authenticator attested?
Each security key is manufactured with an attestation and model ID.
Define ‘permissions’ in the context of authorization
Security settings that control access to objects.
Define ‘Discretionary access control (DAC)’
Access control model; each resource is protected by an access control list (ACL) managed by the resource’s owner(s).
Why is ‘Discretionary access control (DAC)’ considered insecure?
Makes centralized administration of security policies the most difficult to enforce; Vulnerable to insider threats and abuse of compromised accounts.
Define ‘Mandatory access control (MAC)’
Access control model; objects and users are allocated a clearance level, and subjects are permitted to read objects classified at their own clearance level or below.
Define ‘Role-based access control (RBAC)’
Access control model; Resources are protected by ACLs that are managed by administrators providing permissions based on job function.
What makes ‘Role-based access control (RBAC)’ nondiscretionary?
The right to modify the permissions assigned to each role is reserved to a system owner; principals cannot modify the ACL of a resource.
Define a ‘security group’
Collection of user accounts to establish Role-based access control (RBAC).
Define ‘Attribute-based access control (ABAC)’
Access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
What attributes can be used in Attribute-based access control (ABAC)?
group/role memberships; IP/location; OS version; current patches and AV.
Define ‘Rule-based access control’ / nondiscretionary access control
Any access control model where access control policies are determined by system-enforced rules rather than system users; RBAC, ABAC, MAC, conditional access.
Define ‘Conditional Access’
Conditional access system monitors account or device behavior throughout a session; If certain conditions are met, it may suspend the account or may require the user to reauthenticate.
What makes User Account Control (UAC) a form of conditional access?
User is prompted for confirmation or authentication when making requests that require elevated privileges.
Define ‘Least privilege’
Subject should be allocated the minimum necessary rights, privileges, or information to perform its role.
Define ‘authorization creep’
Over time, a user acquires more and more rights, either directly or by being added to security groups or roles.
Define ‘provisioning’
Process of setting up a service according to a standard procedure or best practice checklist.
What are the 5 general steps of provisioning a user account?
- Identity Proofing
- Issuing Credentials
- Issuing Hardware and Software Assets
- Creating Permissions Assignment
- Teaching Policy Awareness
Define ‘Deprovisioning’
Process of removing an account, host, or application from the production environment; Revoking any access that had been assigned to the subject/object.
Define a ‘security identifier (SID)’
A unique value assigned to an account by Windows and that is used by the OS to identify that account.
Define ‘group policy objects (GPOs)’
On a Windows domain, a way to deploy per-user and per-computer settings.
Define ‘geolocation’
Identification or estimation of the physical location of an object, used to apply rule-based access control.
How does geolocation determine the location of a subject/object?
IP address and location services/GPS.
Define ‘time-of-day restrictions’
Establishes authorized login hours for a subject.
Define a ‘duration-based login policy’
Establishes maximum amount of time a subject may be logged in for.
Define an ‘impossible travel time/risky login policy’
Tracks the location of login events over time. If these do not meet a threshold, the account will be disabled.
Define a ‘temporary permissions policy’
Removes an account from a security role or group after a defined period.
Define a ‘privileged account’
Account that can make significant configuration changes to a host and has rights to network appliances, application servers, and databases.
Define ‘Privileged access management (PAM)’
Policies, procedures, and technical controls to prevent compromise of privileged accounts.
Define ‘zero standing privileges (ZSP)’
Permissions are explicitly requested and are only granted for a limited period.
List 3 implementations of ‘zero standing privileges (ZSP)’
- Temporary Elevation
- Password Vaulting/Brokering
- Ephemeral Credentials
Define ‘Temporary Elevation’
Account gains administrative rights for a limited period; UAC in Windows, sudo in Linux.
Define ‘Password Vaulting/Brokering’
Privileged account must be “checked out” from a repository and is available for a limited amount of time.
Define ‘Ephemeral Credentials’
System generates or enables an account to use to perform the administrative task and then destroys or disables it once the task has been performed.
Where are local windows credentials stored?
Security Accounts Manager (SAM) database in the Registry
What mechanism compares a subject’s submitted plaintext/hash password to the hash value stored in the Security Accounts Manager (SAM) database?
Local Security Authority Subsystem Service (LSASS)
What mechanism delivers credentials to Active Directory for authentication?
Local Security Authority Subsystem Service (LSASS)
What are examples of remote sign-in?
VPN, enterprise Wi-Fi, web portal.
Where are local user account names stored in Linux?
/etc/passwd
Where are passwords stored in Linux?
/etc/shadow
Define ‘pluggable authentication module (PAM)’
Package for enabling different authentication providers; smart-card log-in, directory services.
Define a ‘directory service’
Network service that stores identity information and attributes about all the objects in a particular network; Users, groups, servers, client computers, and printers.
What is the most common service used for a directory service?
Lightweight Directory Access Protocol (LDAP)
Define ‘Lightweight Directory Access Protocol (LDAP)’
X.500-based protocol used to access network directory databases.
Define a ‘distinguished name (DN)’
A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.
What makes up a ‘distinguished name (DN)’?
Attribute-value pairs, separated by commas; The most specific attribute is listed first, and successive attributes become progressively broader.
Define ‘single sign-on (SSO)’
Authentication technology that enables a user to authenticate once and receive authorizations for multiple services following the initial authentication.
Define ‘Kerberos’
A single sign-on authentication and authorization protocol that is based on a time-sensitive, ticket-granting system.
Define a ‘key distribution center (KDC)’
A component of Kerberos that authenticates users and issues tickets (tokens).
What are the two services that make up key distribution center (KDC)?
- Authentication Service
- Ticket Granting Service
Who/what can authenticate with Kerberos?
A principal; A user or service
Define a ‘Ticket Granting Ticket (TGT)’
Encrypted using the KDC’s secret key; a token issued to an authenticated account to allow access to authorized application servers.
How is a Ticket Granting Ticket (TGT) requested by a principal (user/service)?
The principal sends the authentication service a request for a TGT by encrypting the time and date with the user’s password hash as the key.
How does a directory service verify a request for Ticket Granting Ticket (TGT)?
If the request hasn’t expired, authentication service checks that the user account is present and the hash in the database matches the decoded hash.
What does a principal receive if the authorization service accepts its request for Ticket Granting Ticket (TGT)?
Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) session key.
What information is provided in a Ticket Granting Ticket (TGT)?
Name, IP address, time stamp, and validity period.
Define a ‘Ticket Granting Service (TGS)’ session key
Encrypted using a hash of the principal’s password; Communicates between the client and the Ticket Granting Service (TGS)
Define ‘Federation’
Method of linking a user’s identity across multiple separate identity management systems in different organizations.
Define an ‘identity provider (IdP)’
In a federated network, the service that holds the user account and performs authentication.
Define ‘Security Assertion Markup Language (SAML)’
An XML-based data format used to exchange authentication information between a client and a service.
What language is used to create Security Assertion Markup Language (SAML)?
Written in Extensible Markup Language (XML).
What protocols are used to establish communications between a client/principal and an identity provider (IdP)?
Using HTTP/HTTPS and Simple Object Access Protocol (SOAP).
Define the ‘Simple Object Access Protocol (SOAP)’
XML-based web services protocol used to exchange messages.
What mechanism is used to trust an identity provider (IdP)?
A digital signature/certificate
Define ‘Representational State Transfer (REST)’
Stateless framework used by application programming interfaces (APIs) for communication and integration.
What protocol does a ‘Representational State Transfer (REST)’ API use for authentication and authorization?
Open Authorization (OAuth)
Define the ‘Open Authorization (OAuth)’ protocol
Facilitates sharing of data within a user profile between sites.
Define ‘JavaScript Object Notation (JSON)’
JavaScript-derived file format that uses attribute-value pairs to define configurations.