Lesson 6: Implementing Identity and Access Management Controls Flashcards

1
Q

access control system

A

set of technical controls that govern how subjects may interact with objects

2
Q

subjects

A

users, devices, or software processes, or anything else that can request and be granted access to a resource

3
Q

objects

A
  • resources
  • examples:
    • networks
    • servers
    • databases
    • files
4
Q

Access Control List (ACL)

A
  • basis of access control
  • list of subjects and the rights or permissions they have been granted on the object
5
Q

Identity and Access Management (IAM)

A

four main processes:

  • Identification
    • creating an account or ID that identifies the user, device, or process on the network
    • associates a particular user (or software process) with an action performed on a network system
  • Authentication
    • proving that a subject is who or what it claims to be when it attempts to access the resource
    • that is, that someone or something is not masquerading as a genuine user
  • identification and authentication are the vital first steps in the access control process
  • Authorization - determining what rights subjects should have on each resource, and enforcing those rights
  • Accounting - tracking authorized usage of a resource or use of rights by a subject, and alerting when unauthorized use is detected or attempted
6
Q

non-repudiation

A

user should not be able to deny what s/he has done

7
Q

account

A

consists of an identifier (must be unique), credentials, and a profile

8
Q

Security Identifier (SID) string

A
  • on Windows, an account is identified internally by its SID rather than by its name; the SID shows which system or domain actually defines the account
  • if a user account is deleted and another account with the same name is subsequently created, the new account has a new SID and therefore does not inherit any of the permissions of the old account
9
Q

issuance (or enrollment)

A

the processes by which a subject's credentials are recorded, issued, and linked to the correct account, and by which the account profile is created and maintained
10
Q

issues of issuance (or enrollment)

A
  • identity proofing - verifying that subjects are who they say they are at the time the account is created
    (websites that allow users to self-register typically employ a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), usually a graphic or audio of distorted letters and digits, to show that a human rather than a script is registering)
  • ensuring only valid accounts are created
  • secure transmission of credentials
  • revoking the account if it is compromised or no longer in use
11
Q

two techniques to mitigate confusion of digital identities

A
  • password reset - automating the password reset process reduces the administration costs associated with users forgetting passwords, but making the reset process secure can be problematic
  • single sign-on (SSO) - all network resources and applications accept the same set of credentials, so the subject only needs to authenticate once per session
12
Q

something you know authentication

A
  • username
  • password
  • passphrase (longer password comprising several words, with the advantages of being more secure and easier to remember)
  • Personal Identification Number (PIN)
  • account reset mechanisms:
    • challenge questions
13
Q

something you have authentication

A
  • smart card
  • USB token
  • key fob
  • digital certificate

concerns:
  • cryptographic access control technologies are subject to loss and theft
14
Q

something you are authentication

A
  • employs some sort of biometric recognition system:
    • fingerprint
    • iris or retina recognition
    • facial recognition
  • template: the chosen biometric information, scanned and recorded in a database

main problems:

  • users can find it intrusive and threatening to privacy
  • technology can be discriminatory or inaccessible to those with disabilities
  • setup and maintenance costs to provision biometric readers
  • vulnerability to spoofing methods
15
Q

something you do authentication

A
  • refers to behavioral biometric recognition
  • analyzes a behavior such as typing or writing a signature, including variations in speed and pressure
16
Q

somewhere you are authentication

A
  • location-based authentication measures some statistic about where you are:
    • Global Positioning System (GPS) or an Indoor Positioning System (IPS): a geographic location, measured using the device's location service
    • IP address and its geolocation
    • the VPN gateway the subject connects through
17
Q

multifactor authentication

A
  • combines the use of more than one type of factor (something you know, have, or are)
  • two-factor authentication (2FA): combines something you have or are, such as a smart card or biometric mechanism, with something you know, such as a password or PIN
  • three-factor authentication combines all three types, or incorporates an additional location-based factor
18
Q

mutual authentication

A
  • security mechanism that requires each party in a communication to verify the other's identity
  • can be based on a shared secret (configured on both server and client) or on certificates held by both sides
  • prevents the client from inadvertently submitting confidential information to a non-secure server
  • helps in avoiding Man-in-the-Middle and session hijacking attacks
19
Q

LAN Manager (LM or LANMAN)

A

challenge/response authentication protocol; this means that the user’s password is not sent to the server in plaintext

20
Q

NTLM authentication

A
  • designed to work over a trusted local network
  • the password is Unicode and case-sensitive and can be up to 127 characters long (LM passwords were upper-cased and limited to 14 characters)
  • the 128-bit MD4 hash function is used in place of the DES encryption used by LM
21
Q

LM/NTLM vulnerabilities

A
  • both are obsolete and were designed to work over a trusted local network
  • NTLM:
    • only provides for client authentication, making it vulnerable to Man-in-the-Middle attacks
    • vulnerable to pass-the-hash attacks (where an attacker submits a captured authentication hash rather than trying to obtain the plaintext password)
    • does not support token or biometric authentication
22
Q

Kerberos

A
  • network authentication protocol developed by the Massachusetts Institute of Technology (MIT)
  • named after Cerberus, the three-headed guard dog of Hades, because it consists of three parts:
    • client: requests services from a server
    • server: provides the service
    • Key Distribution Center (KDC): the intermediary that both clients and servers rely on to vouch for their identity
  • drawbacks of Kerberos:
    • the KDC represents a single point of failure for the network
23
Q

Key Distribution Center (KDC)

A
  • runs on port 88 using TCP or UDP
  • two services make up a KDC:
    • Authentication Service (AS): responsible for authenticating user logon requests
      • the client sends the AS a request for a Ticket Granting Ticket (TGT); the request includes the date and time on the local computer encrypted with the user's password hash as the key
      • the AS returns the TGT together with a TGS session key, for use in communications between the client and the Ticket Granting Service (TGS)
    • Ticket Granting Service (TGS): issues service tickets
      • service ticket: token that grants access to a target application server (contains info about the user, a timestamp, the system IP address, the user's Security Identifier (SID) and the SIDs of the groups to which s/he belongs, and the service session key)
24
Q

Password Authentication Protocol (PAP)

A

unsophisticated authentication method developed as part of the TCP/IP Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections; the username and password are sent in plaintext, so PAP should not be used without a protected tunnel

25
Q

Challenge Handshake Authentication Protocol (CHAP)

A
  • also developed as part of PPP as a means of authenticating users over a remote link
  • relies on a hashed challenge (MD5) in a system called a three-way handshake:
    • challenge - the server challenges the client, sending a randomly generated challenge message
    • response - the client responds with a hash calculated from the server's challenge message and the client password (or other shared secret)
    • verification - the server performs its own hash using the secret it has stored for the client and compares the two; because the hash is taken over the plaintext secret, the server must hold that secret in recoverable form
  • the random challenge means a captured response cannot be replayed against a later challenge
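The three-way handshake above, worked through in Python as an added example (not part of the original flashcards): RFC 1994 defines the response as MD5 over the identifier, the shared secret and the challenge. The secret value, username and wordlist are constructed for illustration. It also shows the two points the MS-CHAP card relies on: a captured response cannot be replayed against a fresh challenge, but a sniffed challenge/response pair can be attacked offline against a wordlist, which is why the exchange needs a protected tunnel.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed shared secret (hypothetical). In a real deployment it is
# provisioned to the client and stored, plaintext-equivalent, on the server.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues random challenges and checks responses."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets                 # username -> shared secret
        self._pending: dict[int, bytes] = {}    # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        # A fresh random challenge per attempt is what makes replay useless.
        c = os.urandom(16)
        self._pending[identifier] = c
        return c

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)   # one-shot: consumed on use
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_handshake(server: ChapServer, username: str, client_secret: bytes,
                  identifier: int = 1) -> bool:
    """Full exchange: 1. challenge, 2. response, 3. verification."""
    challenge = server.challenge(identifier)
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(identifier, username, response)


def replay_attack(server: ChapServer, username: str, identifier: int = 1) -> tuple[bool, bool]:
    """An eavesdropper records one valid exchange and replays the response.
    Returns (genuine logon accepted, replayed response accepted)."""
    captured_challenge = server.challenge(identifier)
    captured_response = chap_response(identifier, SHARED_SECRET, captured_challenge)
    first = server.verify(identifier, username, captured_response)
    server.challenge(identifier)            # next attempt gets a new random challenge
    replayed = server.verify(identifier, username, captured_response)
    return first, replayed


def crack_captured(identifier: int, challenge: bytes, response: bytes,
                   wordlist: list[str]) -> str | None:
    """Offline dictionary attack on a sniffed challenge/response pair. The
    password never crossed the wire, yet a weak secret is still recoverable."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None


if __name__ == "__main__":
    server = ChapServer({"alice": SHARED_SECRET})
    print("correct secret:", run_handshake(server, "alice", SHARED_SECRET))
    print("wrong secret:  ", run_handshake(server, "alice", b"guess"))
    print("replay (genuine, replayed):", replay_attack(server, "alice"))
    ch = os.urandom(16)                                   # constructed capture
    resp = chap_response(3, b"summer2024", ch)
    print("cracked offline:", crack_captured(3, ch, resp, ["123456", "summer2024"]))
```

The offline attack is the reason the MS-CHAP card insists on a tunnel: without one, every challenge/response pair an attacker sniffs is a free cracking target.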
26
Q

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

A
  • Microsoft’s first implementation of CHAP
  • should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted
27
Q

password attacks

A
  • in an online attack the adversary directly interacts with the authentication service - a web login form or VPN gateway, for instance
  • the attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline
  • an online password attack can show up in audit logs as repeated failed logons followed by a successful logon, or as several successful logons at unusual times or from unusual locations
28
Q

password cracker

A
  • software that works on the basis of exploiting known weaknesses in password transmission and storage algorithms (LM and NTLM hashes, for instance)
  • can perform brute force attacks and use precompiled dictionaries and rainbow tables to break naively chosen passwords
  • once the password database has been obtained, the cracker does not interact with the authentication system to perform the cracking (an offline attack), so there are no failed-logon events to detect
29
Q

well-known password cracking tools

A

John the Ripper
- multi-platform password hash cracker

THC Hydra
- often used against remote authentication (protocols such as Telnet, FTP, HTTPS, SMB, and so on)

Aircrack-ng
- sniffs WEP and WPA wireless traffic and recovers the keys

L0phtCrack
- one of the best-known Windows password recovery tools; ophcrack is an open source alternative based on rainbow tables

Cain and Abel
- Windows password recovery with password sniffing utility

30
Q

password cracker attack types

A

brute force attack
- attempts every possible combination in the key space (determined by the number of bits used, i.e. the length of the key) in order to derive a plaintext password from a hash

dictionary attack
- can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password; rather than attempting to compute every possible value, the software enumerates the values in the dictionary

rainbow table attack
- refines the dictionary approach: the attacker uses a precomputed table of candidate passwords and their matching hashes (stored compactly as hash chains), so cracking becomes a lookup rather than a computation; only works against unsalted hashes

hybrid attack
- uses a combination of dictionary and brute force attacks (for example, appending digits to or substituting characters in dictionary words)

31
Q

salt

A
  • random value added to the plaintext password before it is hashed, and stored alongside the hash
  • means that two accounts with the same password produce different stored hashes
  • defeats rainbow table attacks against a hashed password database, because a table would have to be precomputed for every possible salt value
32
Q

key stretching

A
  • technique to make the key generated from a user password stronger by repeatedly processing it
  • the initial key may be put through thousands of rounds of hashing, so each guess an attacker makes costs thousands of times more work
33
Q

bcrypt

A
  • extension of the crypt UNIX library for generating hashes from passwords, uses Blowfish cipher to perform multiple rounds of hashing
34
Q

Password-Based Key Derivation Function 2 (PBKDF2)

A

part of RSA Security's Public Key Cryptography Standards (PKCS #5); derives a key by applying an HMAC to the password and salt for a configurable number of iterations
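Cards 30 to 34 describe the attacks and the defenses; the following Python example, added here and not from the original flashcards, puts them side by side: a precomputed hash-to-password lookup (the principle behind a rainbow table) cracks an unsalted SHA-256 hash instantly, while a per-account salt plus PBKDF2 key stretching defeats the lookup. The wordlist is constructed; the PBKDF2 self-check uses the published RFC 6070 test vector.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracking dictionary (hypothetical).
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2024", "Password1"]


def build_lookup_table(words: list[str], algo: str = "sha256") -> dict[str, str]:
    """Precompute hash -> plaintext once. A rainbow table compresses this
    mapping into chains, but the effect is the same: each unsalted hash
    is reversed by lookup instead of by computation."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(hash_hex: str, table: dict[str, str]) -> str | None:
    return table.get(hash_hex)


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputation, the iteration
    count is the key stretching that makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str, iterations: int = 100_000) -> dict:
    """Record to keep in the credential store: salt, work factor and hash."""
    salt = os.urandom(16)          # unique per account
    return {"salt": salt.hex(), "iterations": iterations,
            "hash": hash_password(password, salt, iterations).hex()}


def verify(password: str, record: dict) -> bool:
    candidate = hash_password(password, bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def pbkdf2_matches_rfc6070() -> bool:
    """Check the library against a published PBKDF2-HMAC-SHA1 vector
    (RFC 6070: P="password", S="salt", c=4096, dkLen=20)."""
    dk = hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 4096, 20)
    return dk.hex() == "4b007901b765489abead49d926f721d065a429c1"


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    unsalted = hashlib.sha256(b"password").hexdigest()
    print("unsalted sha256 cracked by lookup:", crack_unsalted(unsalted, table))
    alice, bob = store("password"), store("password")
    print("same password, different stored hashes:", alice["hash"] != bob["hash"])
    print("lookup table hit on salted hash:", crack_unsalted(alice["hash"], table))
    print("verify correct / wrong:", verify("password", alice), verify("Password1", alice))
    print("PBKDF2 matches RFC 6070 vector:", pbkdf2_matches_rfc6070())
```

The iteration count is the tunable: pick the largest value your login latency budget allows, and store it with the record so it can be raised later without invalidating existing accounts.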

35
Q

Pass-the-Hash (PtH) attacks

A
  • if an attacker can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols such as CIFS
  • principal defense against these types of attacks is to strongly restrict the workstations that will accept logon (interactive or remote) from an account with domain administrative privileges
36
Q

token

A
  • various ways to authenticate a user based on something they have
  • examples
  • smart card
  • USB token
  • key fob (that contains a chip with authentication data, such as a digital certificate)
37
Q

smart card

A
  • credit card-sized device with an integrated chip and data interface
  • either contact-based, meaning it is physically inserted into a reader, or contactless, meaning that data is transferred using a tiny antenna embedded in the card (also referred to as a proximity card)
38
Q

IEEE 802.1X/Extensible Authentication Protocol (EAP)

A
  • smart cards and other token-based systems are often configured to work with the IEEE 802.1X Port-based Network Access Control framework
  • 802.1X establishes several ways for devices and users to be securely authenticated before they are permitted full network access
    (the actual authentication mechanism will be some variant of the Extensible Authentication Protocol, EAP)
39
Q

One-time Password (OTP)

A
  • generated automatically (rather than being selected by a user) and used only once
  • not vulnerable to password guessing or sniffing attacks
  • generated using some sort of hash function on a secret value plus a synchronization value (seed), such as a timestamp or counter
40
Q

T or F. A software token generated on a server and sent to a resource that is assumed to be safely controlled by the user, such as a smartphone or email account, is not strictly a something you have authentication factor.

A

True

41
Q

Initiative for Open Authentication (OATH)

A
  • an industry body comprising mostly the big PKI providers, such as Verisign and Entrust, established with the aim of developing an open, strong authentication framework
  • open means a system that any enterprise can link into to perform authentication or two-step verification
42
Q

HMAC-based One-time Password Algorithm (HOTP)

A
  • algorithm for token-based authentication (RFC 4226)
  • authentication server and client token are configured with the same shared secret and keep a counter in step; each code is an HMAC of the counter, truncated to a short decimal value

43
Q

Time-based One-time Password Algorithm (TOTP)

A
  • refinement of HOTP (RFC 6238) in which the counter is derived from the current time, so each code is only valid for a short window (typically 30 seconds)
  • the issue it addresses: with HOTP an unused code can persist unexpired, raising the risk that an attacker who obtains one could use it later
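HOTP and TOTP as described in the two cards above, implemented in Python as an added example (not from the original flashcards). The secret and expected codes are the published RFC 4226 / RFC 6238 test vectors, so the output can be checked against the RFCs. The verification functions show the difference the TOTP card points at: an HOTP code inside the server's look-ahead window stays valid until a later code is consumed, whereas a TOTP code expires with its time step.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), shared by
# the token and the authentication server.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 5) -> int | None:
    """Server-side HOTP check. Returns the counter to store next, or None.
    The look-ahead window resynchronises a token whose button was pressed
    without logging in, but it also means an unused code stays valid until
    a later code is consumed (the weakness the TOTP card describes)."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1          # everything up to and including c is now burned
    return None


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps for clock drift;
    anything older has simply expired."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-skew, skew + 1))


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(TEST_SECRET, c)}")
    print("TOTP at T=59 (8 digits):", totp(TEST_SECRET, 59, digits=8))
    stale = hotp(TEST_SECRET, 3)
    print("HOTP code for counter 3 accepted at counter 0:", verify_hotp(TEST_SECRET, stale, 0))
    code = totp(TEST_SECRET, 59)
    print("TOTP code valid at T=89:", verify_totp(TEST_SECRET, code, 89),
          "at T=150:", verify_totp(TEST_SECRET, code, 150))
```

Both verifiers use a constant-time comparison; the TOTP skew of one step on either side is the usual compromise between tolerating clock drift and keeping the validity window short.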
44
Q

biometric authentication

A
  • the first step in setting up biometric authentication is enrollment
  • the chosen characteristic is scanned by a biometric reader and converted to binary information (the template)

two steps in the scanning process:

  • the sensor module acquires the biometric sample from the target
  • the feature extraction module records the significant information from the sample (the features that uniquely identify the target)
  • vendors have developed proprietary biometric cryptosystems to address the security of the stored templates
45
Q

biometric factors

A
  • key metrics and considerations used to evaluate different technologies include the following:
  • false negatives (where a legitimate user is not recognized); referred to as the False Rejection Rate (FRR) or Type I error
  • false positives (where an interloper is accepted); referred to as the False Acceptance Rate (FAR) or Type II error
  • Crossover Error Rate (CER) - the point at which FRR and FAR meet as the acceptance threshold is tuned (lowering one raises the other); the lower the CER, the more efficient and reliable the technology
  • Throughput (speed) - the time required to create a template for each user and the time required to authenticate; a major consideration for high-traffic access points, such as airports or railway stations
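The FRR, FAR and CER metrics in the card above, computed in Python over constructed match scores (an added example, not from the original flashcards; the scores are hypothetical). Raising the acceptance threshold lowers FAR at the cost of FRR; the crossover is where the two curves meet.

```python
from __future__ import annotations

# Constructed match scores (0..1, higher = better match) from a hypothetical
# biometric system: genuine attempts by enrolled users and impostor attempts.
GENUINE_SCORES = [0.90, 0.85, 0.80, 0.75, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.30, 0.40, 0.50, 0.65, 0.70]


def error_rates(threshold: float, genuine: list[float] = GENUINE_SCORES,
                impostor: list[float] = IMPOSTOR_SCORES) -> tuple[float, float]:
    """A sample is accepted when its score >= threshold.
    FRR (Type I): share of genuine attempts rejected.
    FAR (Type II): share of impostor attempts accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: list[float] = GENUINE_SCORES,
                         impostor: list[float] = IMPOSTOR_SCORES) -> tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, CER) at the point where FRR and FAR are closest to equal."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.65, 0.70, 0.80):
        frr, far = error_rates(t)
        print(f"threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
    t, cer = crossover_error_rate()
    print(f"crossover at threshold {t:.2f}, CER={cer:.2f}")
```

In a real evaluation the score lists come from thousands of enrollment and impostor trials; a vendor's quoted CER is only comparable to another's if both were measured on similar populations and conditions.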
46
Q

fingerprint scanners

A
  • fingerprint recognition is the most widely implemented biometric technology
47
Q

retinal scan

A
  • an infrared light is shone into the eye to identify the pattern of blood vessels
  • arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries
  • most accurate forms of biometrics, very secure
  • equipment required is expensive and the process is relatively intrusive and complex
  • false negatives can be produced by disease, such as cataracts
48
Q

iris scan

A
  • records the patterns in the iris using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance), and a lot quicker
  • Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases
  • Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security
  • there is a chance that an iris scanner could be fooled by a high-resolution photo of someone’s eye
49
Q

facial recognition scanners

A
  • records multiple indicators about the size and shape of the face, like the distance between each eye, or the width and length of the nose
50
Q

behavioral technologies

A
  • something you do
  • like other biometrics, can be discriminatory against those with disabilities
  • examples:
    • voice recognition - cheap, as the hardware and software required are built into many standard PCs and mobiles
    • signature recognition - tracks stroke speed and pressure of the stylus, though a signature is relatively easy to duplicate
    • typing - matches the speed and pattern of a user's input of a passphrase
51
Q

Common Access Cards

A
  • in the US, Homeland Security Presidential Directive 12 (HSPD-12) mandated that access to Federal property must be controlled by a secure identification and authentication mechanism (as defined in the FIPS 201 standard)
  • two identity cards have been introduced:
    • Common Access Card (CAC) - issued to military personnel, civilian employees, and contractors to gain access to Department of Defense (DoD) facilities and systems
    • Personal Identity Verification (PIV) card - for civilian Federal government employees and contractors
52
Q

Guidelines for Implementing IAM

A
  • Ensure robust procedures for creating accounts that identify network subjects (users and computers) and issue credentials to those subjects securely
  • Determine which authentication factors and technology provide the best security, given any limitations imposed by existing infrastructure and budget
  • Consider that using PIV or CACs may be mandatory if you work with or for the U.S. federal government