Module 04 - Identity and Access Management Flashcards
Definition:
Non-repudiation
A subject cannot deny having performed an action on a system or network.
Acronym:
CSF
Cybersecurity Framework
Acronym:
NIST
National Institute of Standards and Technology
According to the NIST CSF, what are the classifications of security tasks?
[NIST CSF Functions]
- Identify
- Protect
- Detect
- Respond
- Recover
Definition:
Gap Analysis
Process that identifies how an organization's security controls deviate from the outcomes required, or recommended, by a framework such as the NIST CSF.
Definition:
Access Control
Defines how subjects interact with objects.
Subjects => Can be granted access to resources
Objects => Resources
Acronym:
IAM
Identity and Access Management
Definition:
Identity and Access Management - IAM systems
System that implements access controls
What are the processes of IAM?
- Identification
- Authentication
- Authorization
- Accounting
Acronym:
AAA
Authentication, Authorization and Accounting
Definition:
Zero Trust
Security model that assumes that all devices, users, and services are not inherently trusted, regardless of whether inside or outside a network’s perimeter
What are the main concepts of Zero Trust Model?
- Adaptive identity [UBA]
- Threat scope reduction [Principle of Least Privilege]
- Policy-driven access control [Device posture, network context, user identity]
Definition:
Adaptive identity [Zero Trust Concept]
Recognition that identity is not static: trust is re-evaluated per request using user behavior analytics (UBA) and the context of the access attempt.
Definition:
Threat scope reduction [Zero Trust Concept]
Access to resources is limited to those needed to complete a task.
[Principle of least privilege]
Definition:
Policy-driven access control [Zero Trust Concept]
Access control policies enforce access restrictions based on user identity, device posture and network context.
Definition:
Device Posture
Security status of a device, including its security configurations, software versions, and patch levels.
In Zero Trust architecture, what are the planes?
Control and data planes
Definition:
Control plane
Manages policies that dictate how users and devices are authorized to access network resources.
Divided into the Policy Engine and the Policy Administrator.
Definition:
Data plane
Where a subject makes access requests for a given resource.
Definition:
Policy Engine
Responsible for making authentication and authorization decisions per-request.
Definition:
Policy Administrator
Issues access tokens and establishes or tears down sessions based on the decisions made by the policy engine.
List the access control best practices
- Principle of least privilege
- Need to know [Information classification]
- Separation of Duties [Conflict of interest]
- Multi-Factor Authentication
- Mutual Authentication
- Time of day restrictions
Acronym:
MFA
Multi-Factor Authentication
What are the common methods of controlling access?
Implicit Deny
Explicit Deny
Explicit Allow
Acronym:
ACL
Access Control List
Acronym:
MAC [Access Control]
Mandatory Access Control
Acronym:
DAC
Discretionary Access Control
Acronym:
RBAC
Role-Based Access Control
Acronym:
ABAC
Attribute-Based Access Control
List the types of Access Controls
Discretionary Access Control [DAC]
Mandatory Access Control [MAC]
Role-Based Access Control [RBAC]
Attribute-Based Access Control [ABAC]
Definition:
Discretionary Access Control - DAC
In the DAC model, every resource has an owner who has full control over it and can modify its access control list (ACL) to grant rights to others.
Discretionary => By one’s judgment
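The ACL evaluation described in the DAC card and in the "common methods of controlling access" card (implicit deny, explicit deny, explicit allow), as an added example that is not part of the original flashcards. The group membership, the resource name and the rule "explicit deny beats explicit allow, nothing matching is an implicit deny" are assumptions made for this demo; real systems differ in entry ordering and inheritance.

```python
from dataclasses import dataclass, field

# Constructed group membership for the example; a real system reads it from
# the directory or from /etc/group.
GROUPS = {"analysts": {"alice", "bob", "dave"}, "contractors": {"carol"}}


@dataclass
class Ace:
    """One access control entry: an explicit allow or explicit deny."""
    principal: str    # user or group name
    permission: str   # "read", "write", ...
    allow: bool       # True = explicit allow, False = explicit deny


@dataclass
class Resource:
    name: str
    owner: str
    acl: list = field(default_factory=list)


def principals_for(user):
    """The user's own name plus every group it belongs to."""
    names = {user}
    for group, members in GROUPS.items():
        if user in members:
            names.add(group)
    return names


def decide(resource, user, permission):
    """Return ("allow" | "deny", reason).

    Precedence assumed here: owner (DAC full control) > explicit deny >
    explicit allow > implicit deny when no entry matches.
    """
    if user == resource.owner:
        return "allow", "owner has full control"
    names = principals_for(user)
    allowed_by = None
    for ace in resource.acl:
        if ace.principal in names and ace.permission == permission:
            if not ace.allow:
                return "deny", f"explicit deny for {ace.principal}"
            allowed_by = allowed_by or ace.principal
    if allowed_by:
        return "allow", f"explicit allow for {allowed_by}"
    return "deny", "implicit deny (no matching entry)"


def grant(resource, actor, principal, permission, allow=True):
    """DAC: only the owner may edit the ACL."""
    if actor != resource.owner:
        raise PermissionError(f"{actor} is not the owner of {resource.name}")
    resource.acl.append(Ace(principal, permission, allow))


def build_example():
    """Constructed resource: alice owns it, lets analysts read, but denies bob."""
    report = Resource("q3-report.docx", owner="alice")
    grant(report, "alice", "analysts", "read")
    grant(report, "alice", "bob", "read", allow=False)
    return report


if __name__ == "__main__":
    r = build_example()
    for who, perm in [("alice", "write"), ("dave", "read"), ("bob", "read"), ("carol", "read")]:
        print(who, perm, decide(r, who, perm))
```

Note that bob is in the analysts group, which is explicitly allowed, yet the explicit deny on his own name wins; carol matches nothing and falls through to the implicit deny.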
Definition:
Mandatory Access Control - MAC
Model based on security clearance levels.
Each object is given a classification label, and each subject is granted a clearance level.
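The clearance-versus-classification check from the MAC card, as an added example that is not part of the original flashcards. It implements the Bell-LaPadula confidentiality rules (no read up, no write down) over labels made of a level plus need-to-know compartments; the level names, compartments and the example clearances are assumptions for this demo.

```python
# Ordered clearance/classification levels; a higher number dominates a lower one.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def label(level, *compartments):
    """A security label: (level, set of compartments). Compartments are
    need-to-know categories such as a project codeword."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return (level, frozenset(compartments))


def dominates(a, b):
    """a dominates b when a's level is at least b's and a's compartments
    include all of b's. Labels with disjoint compartments are incomparable."""
    (level_a, comps_a), (level_b, comps_b) = a, b
    return LEVELS[level_a] >= LEVELS[level_b] and comps_a >= comps_b


def mac_decide(subject_clearance, object_label, op):
    """Bell-LaPadula rules, enforced by the system rather than by the owner:
    read requires the subject to dominate the object (no read up);
    write requires the object to dominate the subject (no write down),
    so a cleared user cannot copy a secret into a lower-classified file."""
    if op == "read":
        return dominates(subject_clearance, object_label)
    if op == "write":
        return dominates(object_label, subject_clearance)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = label("secret", "nuclear")            # constructed clearance
    objects = {                                     # constructed object labels
        "memo": label("confidential"),
        "plan": label("secret", "nuclear"),
        "warplan": label("top secret", "nuclear"),
        "other": label("secret", "crypto"),
    }
    for name, obj in objects.items():
        print(name, "read:", mac_decide(analyst, obj, "read"),
              "write:", mac_decide(analyst, obj, "write"))
```

The "other" object shows why compartments matter: same level as the analyst's clearance, but a compartment he does not hold, so the read is refused.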
Definition:
Role-Based Access Control - RBAC
Permissions depend on the tasks that an employee or service must be able to perform.
Each set of permissions is a role, or a group account.
Definition:
Attribute-Based Access Control - ABAC
Based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes.
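An ABAC policy engine that also covers the Zero Trust card on policy-driven access control (user identity, device posture, network context), as an added example that is not part of the original flashcards. The policy rules, the corporate address ranges, the patch-age limits and the sample request are all assumptions made for this demo.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed: address ranges treated as the corporate network.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.10.0/24")]


def on_corp_network(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CORP_NETS)


def device_healthy(ctx, max_patch_age_days):
    """Device posture: managed, disk encrypted and patched recently enough."""
    dev = ctx["device"]
    age = ctx["now"] - dev["last_patch"]
    return dev["managed"] and dev["disk_encrypted"] and age <= timedelta(days=max_patch_age_days)


# Each policy: (name, applies(subject, resource, ctx), permits(subject, resource, ctx)).
# A request is allowed only if some applicable policy permits it; otherwise
# it is denied (implicit deny). Subject, object and context attributes all take part.
POLICIES = [
    ("internal: same department on a healthy device",
     lambda s, r, c: r["classification"] == "internal",
     lambda s, r, c: s["dept"] == r["owner_dept"] and device_healthy(c, 30)),
    ("confidential: allowed role, MFA, corporate network, freshly patched device",
     lambda s, r, c: r["classification"] == "confidential",
     lambda s, r, c: (s["role"] in r["allowed_roles"] and c["mfa"]
                      and on_corp_network(c["src_ip"]) and device_healthy(c, 7))),
]


def evaluate(subject, resource, ctx):
    """Return ("allow", policy_name) or ("deny", reason)."""
    applicable = [p for p in POLICIES if p[1](subject, resource, ctx)]
    for name, _, permits in applicable:
        if permits(subject, resource, ctx):
            return "allow", name
    if not applicable:
        return "deny", "implicit deny: no policy covers this resource"
    return "deny", "implicit deny: " + "; ".join(n for n, _, _ in applicable) + " not satisfied"


def sample_request(patch_age_days=2, **overrides):
    """Constructed subject/resource/context; keyword arguments override context fields."""
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    subject = {"name": "alice", "dept": "finance", "role": "accountant"}
    resource = {"name": "ledger.xlsx", "classification": "confidential",
                "owner_dept": "finance", "allowed_roles": {"accountant", "cfo"}}
    ctx = {"now": now, "mfa": True, "src_ip": "10.20.30.40",
           "device": {"managed": True, "disk_encrypted": True,
                      "last_patch": now - timedelta(days=patch_age_days)}}
    ctx.update(overrides)
    return subject, resource, ctx


if __name__ == "__main__":
    print(evaluate(*sample_request()))
    print(evaluate(*sample_request(src_ip="203.0.113.9")))   # same user, off-network
    print(evaluate(*sample_request(mfa=False)))
    print(evaluate(*sample_request(patch_age_days=10)))     # stale device posture
```

The same identity gets different answers as the context changes, which is the Zero Trust point: identity alone never earns access, and any resource no policy mentions is denied by default.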
Definition:
Rule-Based Access Control
Any access control model in which access policies are determined by system-enforced rules rather than by system users.
Every model except discretionary access control.
Ex: RBAC, ABAC, and MAC
Definition:
Provisioning
Setting up a service according to a standard procedure or best practice checklist.
Definition:
Deprovisioning
Removing the access rights and permissions allocated to a subject
Time-based restrictions:
A time-of-day restriction policy [login hours]
A duration-based login policy
Impossible travel time/risky login policy
Temporary permissions
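A login-hours check and an impossible-travel detector for the time-based restrictions listed above, as an added example that is not part of the original flashcards. The login events, the 900 km/h speed ceiling, the 50 km tolerance for geolocation noise and the 07:00-19:00 weekday window are assumptions for this demo.

```python
import math
from datetime import datetime, time, timezone

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def within_login_hours(ts, start=time(7, 0), end=time(19, 0), weekdays=range(0, 5)):
    """Time-of-day restriction: weekday logins between start and end only."""
    return ts.weekday() in weekdays and start <= ts.time() < end


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive logins by the same user that would require travelling
    faster than max_speed_kmh (roughly airliner speed).
    events: iterable of (user, timestamp, lat, lon)."""
    flagged = []
    last = {}
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        if user in last:
            p_ts, p_lat, p_lon = last[user]
            dist = haversine_km(p_lat, p_lon, lat, lon)
            hours = (ts - p_ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf
            if dist > 50 and speed > max_speed_kmh:   # 50 km tolerance for geo-IP jitter
                flagged.append((user, p_ts, ts, round(dist), round(speed)))
        last[user] = (ts, lat, lon)
    return flagged


# Constructed login events: (user, UTC timestamp, latitude, longitude).
EVENTS = [
    ("alice", datetime(2024, 5, 6, 8, 10, tzinfo=timezone.utc), 51.5074, -0.1278),   # London
    ("alice", datetime(2024, 5, 6, 10, 5, tzinfo=timezone.utc), 40.7128, -74.0060),  # New York, ~2 h later
    ("bob", datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc), 51.5074, -0.1278),      # London
    ("bob", datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc), 53.4808, -2.2426),     # Manchester, 3 h later
    ("carol", datetime(2024, 5, 5, 2, 30, tzinfo=timezone.utc), 48.8566, 2.3522),    # Sunday 02:30
]

if __name__ == "__main__":
    for hit in impossible_travel(EVENTS):
        print("impossible travel:", hit)
    for user, ts, *_ in EVENTS:
        if not within_login_hours(ts):
            print("outside login hours:", user, ts)
```

Bob's London-to-Manchester hop in three hours is ordinary; Alice's London-to-New York hop in under two hours is not, so only her account is flagged for a risky-login response.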
Identification x Authentication
Identification is saying who you are
Authentication is confirming who you are
List the authentication factors
- Something you know
- Something you are
- Somewhere you are
- Something you can do
- Something you exhibit
- Someone you know [CA or Attestation]
- Something you have
Definition and list:
Hard authentication token
Physical device that generates or holds the credential inside a secure cryptoprocessor.
- Smart card
- OTP hardware token (key fob)
- Security Key
Definition and list:
Soft authentication token
Software-based token: a one-time password (OTP) generated on, or delivered from the identity provider (IdP) to, the supplicant's general-purpose device rather than a dedicated hardware token.
- SMS
- Authentication app
Acronym:
IdP
Identity provider
Definition:
Passwordless
Authentication that uses no knowledge factor (no password); it relies on possession and/or inherence factors instead.
Acronym:
LSASS
Local Security Authority Subsystem Service
Acronym:
NTLM
NT LAN Manager
Acronym:
VPN
Virtual Private Network
Acronym:
SAM [Windows File]
Security Accounts Manager
List the windows authentication scenarios
- Windows local sign-in or interactive logon
- Windows network sign-in
- Remote sign-in
What protocols are responsible for a network sign-in, in Windows?
Kerberos and NTLM
Acronym:
SSH
Secure SHell
Acronym:
PAM
Pluggable Authentication Modules
Modular framework through which Linux/Unix services delegate authentication to configurable modules.
In linux, what’s the /etc/passwd file?
It stores local account records: username, UID, GID, GECOS comment, home directory and login shell. The password field is normally "x", meaning the hash lives in /etc/shadow.
In linux, what’s the /etc/shadow file?
It stores the password hashes and password-ageing fields for local accounts; readable only by root.
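A parser and audit pass over the /etc/passwd and /etc/shadow formats described above, as an added example that is not part of the original flashcards. The two sample files are constructed for the demo (the hashes are placeholders, not real digests), and the finding codes are this example's own naming.

```python
# Constructed sample files (not from a real host); hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/bash
svc:x:0:0:service account:/tmp:/bin/sh
"""

SHADOW = """\
root:$6$rounds=5000$abc$hashhashhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19800:0:90:7:::
legacy:$1$oldsalt$hashhashhash:18000:0:99999:7:::
svc::19800:0:99999:7:::
"""

PASSWD_FIELDS = ["name", "password", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "flag"]


def parse(text, fields):
    """Split colon-separated records into dicts keyed by account name."""
    records = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        rec = dict(zip(fields, parts))
        records[rec["name"]] = rec
    return records


def audit(passwd_text, shadow_text):
    """Return a list of (account, finding) tuples."""
    passwd = parse(passwd_text, PASSWD_FIELDS)
    shadow = parse(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, rec in passwd.items():
        if rec["uid"] == "0" and name != "root":
            findings.append((name, "extra-uid-0"))          # a second root-equivalent account
        if rec["password"] != "x":
            findings.append((name, "hash-in-passwd"))       # hash (or nothing) in a world-readable file
        sh = shadow.get(name)
        if sh is None:
            findings.append((name, "no-shadow-entry"))
            continue
        h = sh["hash"]
        locked = h.startswith(("!", "*"))                   # "!"/"*" = no password login possible
        if h == "":
            findings.append((name, "empty-password"))       # login without any password
        elif h.startswith("$1$"):
            findings.append((name, "weak-hash-md5crypt"))   # $1$ = md5crypt; $6$ = sha512crypt
        if not locked and h and sh["max"] in ("", "99999"):
            findings.append((name, "password-never-expires"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW):
        print(f"{account}: {finding}")
```

The "svc" account is the one to worry about: UID 0 under a different name and an empty hash in /etc/shadow, so anyone can become root with no password at all.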
What protocol is used for a network sign-in in Linux?
SSH
Definition:
Directory Services
Service that stores information about users, computers, security groups/roles, and services.
What’s the protocol responsible for directory services?
LDAP - Lightweight Directory Access Protocol
Acronym:
LDAP
Lightweight Directory Access Protocol
Acronym:
SSO
Single Sign-On
Definition:
Single Sign-On - SSO
Authentication method in which the user authenticates once and is then authorized to other compatible applications without signing in again.
Definition:
Kerberos
Single sign-on network authentication and authorization protocol.
Named after the three-headed guard dog of Hades (Cerberus)
Acronym:
KDC
Key Distribution Center
Definition:
Key Distribution Center - KDC
System that issues tickets vouching for identities; made up of two services:
- Authentication Service (AS)
- Ticket Granting Service (TGS)
True or False:
Kerberos protocol sends the password encrypted in the network
False.
In kerberos talk, what are principals
Users or services that authenticate through Kerberos.
How is the request for a TGT made?
By encrypting the current date and time (pre-authentication data) with a key derived from the user's password, the NT hash when RC4-HMAC is used, and sending it to the AS.
Acronym:
TGT
Ticket Granting Ticket
Definition:
Ticket Granting Ticket - TGT
Identifies a principal but doesn’t provide access to any resource
Definition:
Federation [Authentication]
The network trusts accounts created and managed by a different network. The model is similar to Kerberos SSO
List federated identity protocols and the messaging formats they rely on
- SAML - Security Assertion Markup Language (carries authentication assertions between the IdP and the service provider)
- SOAP - Simple Object Access Protocol (XML messaging protocol used as one of the SAML bindings; not an identity protocol on its own)
Acronym:
SAML
Security Assertion Markup Language
Written in XML - eXtensible Markup Language
Acronym:
SOAP
Simple Object Access Protocol
Written in XML - eXtensible Markup Language
Acronym:
XML
eXtensible Markup Language
Acronym:
OAuth
Open Authorization
Definition:
Open Authorization - OAuth
Authorization framework that lets a user delegate limited access to resources in their profile on one site to a third-party application, without sharing their password.
Communicates over REST APIs and issues access tokens, commonly JWTs; OAuth delegates authorization and is not by itself an authentication protocol.
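Minting and verifying the HS256 JWTs mentioned in the OAuth card, as an added example that is not part of the original flashcards; it uses only the Python standard library. The secret key, the claims and the forge_alg_none helper (which builds the classic "alg: none" forgery so the verifier can be shown rejecting it) are assumptions for this demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint(claims: dict, key: bytes) -> str:
    """Create an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, key: bytes, now=None) -> dict:
    """Validate and return the claims; raise ValueError on any failure.
    The algorithm is pinned to HS256 before the signature is checked, so a
    header rewritten to "none" (or to an asymmetric alg) is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def forge_alg_none(token: str, new_claims: dict) -> str:
    """What an attacker tries: swap the header to alg=none, rewrite the
    claims and drop the signature. verify() must reject this."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(new_claims) + "."


def tamper_claims(token: str, new_claims: dict) -> str:
    """Keep the original signature but replace the claims; the HMAC no longer matches."""
    h, _, s = token.split(".")
    return h + "." + _segment(new_claims) + "." + s


if __name__ == "__main__":
    key = b"constructed-demo-secret"          # assumption: shared HMAC key
    tok = mint({"sub": "alice", "scope": "read", "exp": 2_000_000_000}, key)
    print(verify(tok, key))
    for bad in (forge_alg_none(tok, {"sub": "alice", "scope": "admin"}),
                tamper_claims(tok, {"sub": "alice", "scope": "admin"})):
        try:
            verify(bad, key)
        except ValueError as e:
            print("rejected:", e)
```

The two things a resource server must never do are visible here by their absence: it never lets the token's own header choose the algorithm, and it never reads claims before the signature and expiry have been checked.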
Acronym:
API
Application Programming Interface
Acronym:
REST
REpresentational State Transfer
Acronym:
JWT
JSON Web Token
Acronym:
JSON
JavaScript Object Notation
Definition:
Biometric authentication
Based on a unique physical attribute or characteristic
Definition:
False rejection rate (FRR)
Where a legitimate user is not recognized.
Type I error or false non-match rate (FNMR)
Definition:
False acceptance rate (FAR)
Where an interloper is accepted.
Type II error or false match rate [FMR]
Definition:
Crossover Error Rate (CER)
The point at which FRR and FAR meet
The lower the CER, the more accurate and reliable the technology.
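Computing FRR, FAR and the crossover point from matcher scores, as an added example that is not part of the original flashcards. The two score lists are constructed for the demo (an imaginary matcher, ten genuine and ten impostor attempts) and the 0.01 threshold step is an assumption.

```python
# Constructed match scores in [0, 1] from an imaginary fingerprint matcher:
# higher means "more similar to the enrolled template".
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.62, 0.55, 0.40]   # true user attempts
IMPOSTOR = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.58, 0.65, 0.72]  # other people's attempts


def rates(genuine, impostor, threshold):
    """FRR (Type I / FNMR): genuine scores rejected because they fall below the threshold.
    FAR (Type II / FMR): impostor scores accepted because they reach the threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine, impostor, steps=100):
    """Sweep thresholds and return (threshold, CER) at the point where FRR and
    FAR are closest; the lower the CER, the better the sensor and algorithm."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, t, cer = best
    return t, cer


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7, 0.9):
        frr, far = rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
    print("CER at threshold %.2f = %.2f" % crossover(GENUINE, IMPOSTOR))
```

Raising the threshold trades FAR for FRR: at 0.9 almost nobody gets in, at 0.3 almost every impostor does. The crossover is where the two error rates are equal, and a deployment usually sits to the strict side of it for anything security-relevant.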
List the most common biometric information
- Fingerprint
- Retina
- Iris
- Facial
- Voice
- Vein
- Gait [walk]
Definition:
Authorization
Process of determining the privileges of an entity and enforcing them.
List the types of permissions
- Effective permissions
- Deny permissions
- Cumulative permissions
Advantages of a hierarchical database as used in directory services
- Organization
- Replication
- Delegation
- Scalability
List Active Directory Components
- Domain
- Trees and forests
- Organizational Units
- Generic container
- Object
- Domain Controller
Definition:
Tree [Directory Services]
Group of related domains that share a contiguous DNS namespace.
Definition:
Forest [Directory Services]
Highest level of the organization hierarchy and is a collection of related domain trees.
Definition:
Policy [Directory Service]
Set of configuration settings applied to users or computers
Acronym:
GPO
Group Policy Object
Definition:
Group Policy Object - GPO
Collection of files with registry settings, scripts, templates, and software-specific configuration values.
Collection of Group Policy configurations.
What are the types of GPOs and when are applied?
Computer and User configuration types.
Computer => Applied when boots
User => Applied when log on
What’s the order GPOs are applied?
- Local
- Site
- Domain
- OU
LSDOU - Local Site Domain OU
Definition:
Hardening
To strengthen a system by reducing its attack surface.
List Hardening Authentication Methods
- Password Policies
- MFA
- Account restrictions
- Account Monitoring
- Account Maintenance
- Limit Remote Access
- Account Lockout Policies
List Smart Card Benefits
- Tamper-resistant storage for PII and credentials
- Isolated security-related operations
- Portable security credentials
List Smart Card Weaknesses
- Microprobing (Possibility to interfere with chip)
- Software attacks
- Eavesdropping
- Fault generation
List the options for storing directory information in Linux
- Local file system
- LDAP-Compliant database
- Network Information System (NIS)
- Windows domain
Acronym:
NIS
Network Information Service
Definition:
Network Information Service - NIS
Allows many Linux computers to share common user accounts, group accounts and passwords from a central server.
In linux, what’s the /etc/group file?
contains information about each user group.
In linux, what’re the managing users configuration files?
- /etc/default/useradd
- /etc/login.defs
- /etc/skel
In linux, what’s the /etc/default/useradd file?
Contains default values used by the useradd utility when creating a user account
In linux, what’s the /etc/login.defs file?
Contains configurations of login, such as password encryption in shadow file, or password expiration values.
In Linux, what's the /etc/skel directory?
Contains a set of configuration file templates that are copied into a new user's home directory when it is created.
List Linux User Management Commands
- useradd
- passwd
- usermod
- userdel
List Linux User Security Commands and what they do?
- chage (Set user passwords to expire)
- ulimit (Limits computer resources used for applications launched from the shell)
List Linux Group Commands
- groupadd
- groupmod
- groupdel
- gpasswd
- newgrp [switch the current session's primary group]
- usermod [Mod group membership of a user]
- groups [display groups a user is in]
List VPN architectures
- site-to-site
- client-to-site (remote access)
- host-to-host
Definition:
Client-to-site VPN
Connects a client on an endpoint to a VPN gateway that sits at the edge of the private LAN (remote access VPN).
Definition:
Site-to-site VPN
Connects two or more private networks by establishing a tunnel between their edge gateways.
Definition:
Host-to-host VPN
Secures traffic between two computers when the network between them is not trusted.
List most common VPN protocols
- PPTP - Point-to-Point Tunneling Protocol (Deprecated)
- TLS - Transport Layer Security
- IPSec - Internet Protocol Security
Acronym:
RDP
Remote Desktop Protocol
Acronym:
VNC
Virtual Network Computing
Definition:
VNC - Virtual Network Computing
Remote access tool and protocol.
Definition:
AAA server
Handles user requests for access to remote computer resources.
2 solutions: RADIUS and TACACS+.
Definition:
RADIUS
Open-standard AAA protocol (IETF RFC 2865); Microsoft's implementation is Network Policy Server (NPS).
- Allows accounting to be split off to different servers
- Challenge-response method for authentication.
- Uses UDP ports 1812 (authentication/authorization) and 1813 (accounting)
- Only the User-Password attribute is hidden (MD5-based obfuscation keyed on the shared secret); the rest of the packet is cleartext. Some implementations have also had buffer overflow vulnerabilities.
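The User-Password hiding that RADIUS applies (RFC 2865 section 5.2), as an added example that is not part of the original flashcards. The shared secret and the sample password are assumptions for this demo; the Request Authenticator is generated randomly as a NAS would.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then
    XOR each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. This is obfuscation keyed on the shared secret,
    not authenticated encryption: anyone who knows or guesses the secret
    can reverse it from a captured packet."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("password limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        out += block
        prev = block                       # chaining: next keystream depends on this ciphertext
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server (or by an eavesdropper
    with the shared secret)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")   # caveat: a password that really ends in NUL bytes is truncated


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # assumption: NAS/server shared secret
    authenticator = os.urandom(16)          # chosen by the NAS per request
    hidden = radius_hide_password(b"hunter2", secret, authenticator)
    print(hidden.hex(), radius_reveal_password(hidden, secret, authenticator))
```

The practical caveat: a captured Access-Request plus an offline dictionary attack on the shared secret recovers every password that was ever sent through that NAS, which is why RADIUS should run inside IPsec or as RADIUS over TLS rather than bare on the network.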
Definition:
TACACS+
Cisco-developed AAA protocol.
- TCP port 49.
- Supports more protocol suites than RADIUS.
- Separates authentication, authorization and accounting into three independent services, and encrypts the whole packet body.
TACACS and XTACACS are older, incompatible protocols.
Acronym:
RADIUS
Remote Authentication Dial-In User Service
Acronym:
TACACS
Terminal Access Controller Access-Control System
List LDAP authentication options
- No authentication
- Simple bind [DN + cleartext passwd]
- Simple Authentication and Security Layer (SASL)
- LDAPS
Acronym:
SASL
Simple Authentication and Security Layer
Definition:
Simple Authentication and Security Layer - SASL
Means the client and server negotiate using a supported authentication mechanism, such as Kerberos.
Acronym:
LDAPS
LDAP Secure (LDAP over TLS/SSL, TCP port 636)