Sec+ Chapter 08: Identity and Access Management Flashcards
Common ways to assert or claim an identity
1) Username: The most commonly used means of claiming an identity. Remember: associated with an identity, not an authentication factor itself
2) Certs: Stored on a system or paired with a storage device or security token
3) Tokens: A physical device that might generate a code, plug in via USB, or connect via Bluetooth to present a cert or other info
4) SSH keys: Cryptographic key pairs that identify a user to a server. They replace password authentication (the username is still presented), and the private key should itself be protected with a passphrase
5) Smartcards: Cards that use an embedded chip. Contact (chip reader), contactless, and hybrid cards are all broadly deployed, and cryptographic smartcards can generate key pairs on the card itself so the private key never leaves it
EAP
Extensible authentication protocol
An authentication framework, not a single protocol, that's commonly used for wireless (WPA2/WPA3-Enterprise) and wired 802.1X authentication. Many methods run inside the EAP framework, including open ones like EAP-TLS (certificate based, mutual) and EAP-TTLS, and vendor-specific ones like Cisco's LEAP (broken and deprecated, don't deploy it)
EAP only defines the message exchange; each method carries its own conversation inside EAP messages, and the link layer (for example EAPOL on 802.1X networks) carries the EAP messages
CHAP
Challenge handshake authentication protocol
A challenge-response protocol: the password never crosses the wire, only a random challenge and a one-way hash (MD5) of that challenge combined with the password. More secure than PAP, which sends the password in the clear
CHAP uses a 3 way handshake:
1) After the link is established, the authenticator (server) sends a random challenge message with an identifier
2) Client computes MD5(identifier + secret + challenge) and sends that hash back as the response
3) Server computes the same hash from its stored copy of the secret and compares. Match = success
This occurs at the beginning of the link, and the server can re-challenge periodically during the connection to detect hijacking
Caveats: the server has to store the secret in recoverable form (not a salted hash), and anyone who captures a challenge/response pair can run an offline dictionary attack against it, so CHAP is only as strong as the password
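The CHAP exchange above, worked through in code. This is an added example written for these notes, not code from any RFC or vendor: the ChapAuthenticator class, the username "alice" and the wordlist are constructed for illustration; the hash construction MD5(identifier || secret || challenge) is the one RFC 1994 specifies. The last function shows the practitioner caveat: a single captured exchange is enough for an offline dictionary attack.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994): Response = MD5(identifier || secret || challenge).
# Only the challenge and the hash cross the wire, never the secret itself.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (hypothetical class): issues random challenges and checks the responses."""

    def __init__(self, secrets: dict):
        # CHAP forces the server to keep a recoverable copy of every secret.
        self.secrets = secrets
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(server: ChapAuthenticator, username: str, secret: bytes) -> bool:
    """Client side of one exchange: get a challenge, answer it, learn the verdict."""
    ident, chal = server.challenge()
    return server.verify(username, ident, chal, chap_response(ident, secret, chal))


def replay_is_rejected(server: ChapAuthenticator, username: str, secret: bytes) -> bool:
    """A captured response is useless against a later, different challenge."""
    ident, chal = server.challenge()
    captured = chap_response(ident, secret, chal)
    new_ident, new_chal = server.challenge()
    return not server.verify(username, new_ident, new_chal, captured)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What an eavesdropper does with one captured exchange: guess until the hash matches.
    MD5 is fast, so a weak secret falls quickly and the server never sees the attempts."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None
```

The replay check passes because every challenge is fresh; the dictionary attack succeeds because nothing about the construction slows down guessing.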
MS-CHAP
Microsoft's own version of CHAP (MS-CHAPv1 and v2), commonly used with point to point tunneling protocol (PPTP) and still seen inside PEAP as EAP-MSCHAPv2
Considered broken because the response is built from the user's NT hash using DES: a captured handshake can be cracked offline by searching the DES key space, which hands the attacker the NT hash and with it the ability to authenticate as the user
Don't use v1 or v2 on their own
Use L2TP/IPsec, IPsec, or 802.1X with a stronger EAP method such as EAP-TLS instead (if MS-CHAPv2 must be used, only inside a TLS tunnel like PEAP)
PAP
Password authentication protocol
A password-centric authentication protocol that was commonly used with point to point protocol (PPP) to authenticate users
Almost nobody uses PAP anymore because it's been replaced by CHAP and EAP. PAP sends the username and password in cleartext, so anyone sniffing the link has them. YIKES
802.1X
An IEEE standard for port based network access control (NAC), used to authenticate devices and users before they're allowed onto a wired switch port or wireless network
Three roles: the supplicant (the client device), the authenticator (the switch or access point, which passes only EAP traffic until authentication succeeds), and the authentication server (almost always RADIUS)
1) Device connects, the authenticator blocks everything except EAP and asks for credentials
2) Supplicant provides credentials (a certificate, or a username/password inside a TLS tunnel, etc) using an EAP method
3) Authenticator forwards the EAP exchange to the authentication server, which checks the credentials against its back end database (AD, LDAP, etc)
4) If authentication succeeds, the server tells the authenticator to open the port (often with a VLAN assignment); otherwise the port stays closed or lands in a guest/quarantine VLAN
802.1X keeps devices off the network until they've completed this exchange, which is what makes it NAC
Common on both wireless (WPA2/WPA3-Enterprise) and wired networks, and always carries EAP
The authentication server is usually RADIUS, which in turn may look users up in LDAP or AD. TACACS+ is mostly used for device administration rather than 802.1X
RADIUS
Remote authentication dial-in user service
One of the most common AAA protocols for network access: wireless (802.1X), VPN concentrators, and admin logins to switches and routers
Centralizes authentication: the network access server (NAS, e.g. the access point or VPN gateway) forwards the user's credentials to the RADIUS server, which answers Access-Accept or Access-Reject plus attributes like VLAN. Runs over UDP (1812 for authentication, 1813 for accounting)
Only the User-Password attribute is hidden, by XORing it with an MD5 hash of the shared secret and the request authenticator. Everything else in the packet (username, NAS details) is cleartext, and the hiding scheme can be attacked offline by anyone who captures packets (aka, not great security)
Traffic between the NAS and the RADIUS server should therefore be protected by an IPsec tunnel or by RadSec (RADIUS over TLS, RFC 6614), and the shared secret needs to be long and random
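The User-Password hiding that RADIUS actually does, as an added example for these notes (not code from any RADIUS implementation). The chaining is the one RFC 2865 section 5.2 describes; the shared secret, request authenticator and candidate list in the usage are constructed for illustration. The last function shows why the scheme is "not great": one captured Access-Request for an account whose password you know lets you test candidate shared secrets offline at one MD5 each.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: the same chain run backwards, then strip NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(shared_secret + prev).digest()), block
    return out.rstrip(b"\x00")


def brute_force_shared_secret(hidden: bytes, request_authenticator: bytes,
                              known_password: bytes, candidates):
    """Offline attack: with one captured Access-Request whose password you know (your own test
    account is enough), each candidate secret costs a single MD5 and never touches the server."""
    first = (known_password + b"\x00" * (-len(known_password) % 16))[:16]
    for cand in candidates:
        if _xor(hashlib.md5(cand + request_authenticator).digest(), hidden[:16]) == first:
            return cand
    return None
```

Because the first block's keystream depends only on the secret and the request authenticator, a NAS that reuses an authenticator leaks the XOR of two users' padded passwords outright; the test below checks that property as well.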
AAA
Authentication, authorization, and accounting
In these systems, users must first authenticate (with a password, certificate, token, or other factor)
The system then allows them to perform actions they’re authorized to by policies or permissions settings
Accounting tracks the resource utilization like time, bandwidth, or CPU use
TACACS+
Terminal access controller access control system plus
A remote authentication protocol
Cisco designed an extension called XTACACS (extended TACACS) which added support for accounting and auditing
Today it's TACACS+ (RFC 8907), which uses TCP port 49 to provide AAA with the three functions separated, encrypts the whole packet body (only the header is cleartext; RFC 8907 calls the MD5-based scheme obfuscation rather than encryption, so run it over IPsec), and offers per-command authorization so individual admin commands can be allowed or denied. Mostly used for network device administration, while RADIUS is used for network access
Kerberos
A ticket based authentication protocol (the one behind Active Directory) that's more complex but robust, and provides SSO
Authenticate once to the key distribution center (KDC) and then present tickets to services, no need to re-enter credentials for each one
Also provides mutual authentication: you prove yourself to the service and the service proves itself to you, so both sides know exactly who they're talking to
Tickets carry session keys and expiry times, and authenticators carry timestamps, which protects against MITM and replay (the service caches recent authenticators, and clocks must stay in sync, typically within 5 minutes)
Kerberos authentication flow
Kerberos works with cryptographic tickets encrypted under symmetric keys; the password itself is never sent, it's only used locally to derive the user's key
1) AS exchange: the client authenticates to the KDC (key distribution center, which contains the authentication service and the ticket granting service, and is your centralized authentication server) and receives a ticket granting ticket (TGT) plus a session key
2) TGS exchange: to reach a service, the client presents the TGT plus an authenticator to the KDC and receives a service ticket for that specific service
3) AP exchange: the client shows the service ticket (encrypted with the service's own key) plus an authenticator to the service, which verifies them and, for mutual authentication, replies with proof that it holds the session key
Instead of putting in a username and password every time you access a resource, you show the service ticket, which the service recognizes as issued by the KDC
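The three exchanges above as a runnable simulation, written for these notes (not Kerberos code from MIT, Heimdal or Windows). It keeps the protocol structure (pre-authentication, TGT, service ticket, authenticator with timestamp, replay cache, mutual-authentication reply) but replaces the real encryption types with a toy encrypt-then-MAC built from SHA-256 and HMAC, and the real string-to-key function with a single salted hash; the KDC, Service and client_login names and the "alice" principal are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock skew tolerated when checking authenticators


def kdf(password: str) -> bytes:
    """Derive the user's long-term key locally. Real Kerberos uses string-to-key (PBKDF2 for AES etypes)."""
    return hashlib.sha256(b"toy-salt|" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def enc(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos encryption type; illustration only."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _fresh(ts: float) -> bool:
    return abs(time.time() - ts) <= SKEW


class KDC:
    """Authentication service (AS) and ticket-granting service (TGS) in one object."""

    def __init__(self, principals: dict, services: list):
        self.user_keys = {u: kdf(p) for u, p in principals.items()}
        self.service_keys = {s: os.urandom(32) for s in services}
        self.tgs_key = os.urandom(32)  # the krbtgt key

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ -> AS-REP. Pre-auth proves the client knows the password; returns (enc part, TGT)."""
        ukey = self.user_keys[user]
        if not _fresh(dec(ukey, preauth)["ts"]):  # dec raises if the password was wrong
            raise PermissionError("pre-authentication failed")
        sk = os.urandom(32).hex()
        tgt = enc(self.tgs_key, {"user": user, "sk": sk, "exp": time.time() + 8 * 3600})
        return enc(ukey, {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ -> TGS-REP. Trades a valid TGT for a ticket to one service."""
        t = dec(self.tgs_key, tgt)
        a = dec(bytes.fromhex(t["sk"]), authenticator)
        if a["user"] != t["user"] or time.time() > t["exp"] or not _fresh(a["ts"]):
            raise PermissionError("bad TGT or authenticator")
        ssk = os.urandom(32).hex()
        ticket = enc(self.service_keys[service], {"user": t["user"], "sk": ssk, "exp": time.time() + 3600})
        return enc(bytes.fromhex(t["sk"]), {"sk": ssk, "svc": service}), ticket


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()  # replay cache of (user, timestamp)

    def ap_exchange(self, ticket: bytes, authenticator: bytes):
        """AP-REQ -> AP-REP. Verifies the ticket and proves the service holds the session key."""
        t = dec(self.key, ticket)
        ssk = bytes.fromhex(t["sk"])
        a = dec(ssk, authenticator)
        if a["user"] != t["user"] or time.time() > t["exp"] or not _fresh(a["ts"]):
            raise PermissionError("bad ticket or authenticator")
        if (a["user"], a["ts"]) in self.seen:
            raise PermissionError("replay detected")
        self.seen.add((a["user"], a["ts"]))
        return t["user"], enc(ssk, {"ts": a["ts"]})


def client_login(kdc: KDC, service: Service, user: str, password: str) -> dict:
    """The whole flow from the client's side: AS, then TGS, then AP with mutual authentication."""
    ukey = kdf(password)
    enc_part, tgt = kdc.as_exchange(user, enc(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(dec(ukey, enc_part)["sk"])
    enc_part2, ticket = kdc.tgs_exchange(tgt, enc(sk, {"user": user, "ts": time.time()}), service.name)
    ssk = bytes.fromhex(dec(sk, enc_part2)["sk"])
    authenticator = enc(ssk, {"user": user, "ts": time.time()})
    who, ap_rep = service.ap_exchange(ticket, authenticator)
    mutual_ok = dec(ssk, ap_rep)["ts"] == dec(ssk, authenticator)["ts"]  # service proved it has ssk
    return {"user": who, "mutual_auth": mutual_ok, "ticket": ticket, "authenticator": authenticator}
```

Note what never happens: the password is not sent to the KDC, the service never learns the user's key, and presenting the same ticket and authenticator twice is refused by the replay cache.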
SAML
Security assertion markup language
An XML based open standard for exchanging authentication and authorization for users to access third party resources
1) User accesses an application URL at the service provider (SP)
2) The SP sees we haven't authenticated and redirects us to the identity provider (IdP) with a SAML authentication request (normally signed)
3) We authenticate to the IdP with our login credentials (password, MFA, etc)
4) If it's correct, the IdP sends back a signed (and optionally encrypted) SAML assertion containing our identity and attributes
5) We present the assertion to the SP, which validates the signature against the IdP's certificate, checks the audience and expiry, and grants access
The signature check is what matters: an SP that skips it, or accepts unsigned assertions, can be fed forged identities
Good for federated environments (enterprise SSO into SaaS), but clunky for mobile and native apps, where OpenID Connect is now preferred
OpenID Connect
An identity layer built on top of OAuth 2.0
Provides the authentication functionality (who the user is, delivered as a signed ID token that the app must verify) while OAuth handles authorization (what data the app can access)
EX: Log in with Google options on websites
OAuth
An authorization framework (OAuth 2.0) that lets a user grant a third party app limited access to resources held by another service, using scoped access tokens instead of handing over their password
OAuth by itself doesn't authenticate the user; OpenID Connect adds that on top. Unlike SAML it's built around HTTP and JSON and works well for mobile and native apps
EX: Zoom wants to access your Google Calendar, and this will allow Zoom to…
SSO
Single sign on
Allows a user to log in with a single identity and then use multiple systems or services without reauthenticating. SSO systems provide significant advantages because it simplifies user interactions with authentication and authorization systems.
But they come with a trade-off: fewer identity-based security boundaries, so a single stolen credential or hijacked session unlocks every connected system. MFA on the SSO login and short session lifetimes matter
Commonly implemented using LDAP and Kerberos in Windows domains or Linux infrastructures. SAML for web apps and federated services.
IdP
Identity provider
Manages the life cycle of digital identities from creation through maintenance to retirement of the identity in the systems and services it supports.
Often part of federated identity deployments, where they’re paired with relying parties which trust the IdP to handle authentication and then rely on that to grant access to services
Terms used in federated environments
1) The principal: typically, a user
2) IdPs: Identity providers who provide identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be
3) SPs: Service providers who provide services to users whose identities have been attested to by an identity provider
LDAP
Lightweight directory access protocol
Directory services
Used in networks to provide info about systems, users, and other information about an org
LDAP is a type of directory service that’s commonly deployed as part of an identity management infrastructure and offers hierarchically organized info about the org
Frequently used to make an organizational directory for email and other contact info available
MFA
Multifactor authentication
Becoming a default option for security-conscious orgs
7 Types of MFA factors
1) Something you know, including passwords, PINs, or answers to security questions
2) Something you have, like your phone, a smartcard, USB or Bluetooth token, or item in your possession like a Titan security key
3) Something you are, which relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even typing speed are all options
4) Somewhere you are, based on your current location. GPS, network location, etc to ensure only users who are in a specific location can authenticate
5) Something you can do, like picture password features in Windows or gesture authentication on Android phones
6) Something you exhibit, like a behavior pattern or similar characteristic. Typically a form of the something you are factor like typing speed
7) Someone you know, which can include trust relationships from others
One-time passwords
A form of second-factor authentication. Important in fighting password theft and password-based attacks.
Attackers who phish or intercept a one-time password get a code that expires within seconds or is invalidated the moment it's used, so it can't be replayed later
TOTP
Time based one time passwords
Uses an algo to derive a one-time password using the current time as part of the code-generation process.
EX: Authenticator apps use TOTP
TOKEN KEY is how sec+ calls it on the exam
HOTP
HMAC-based one time password
HMAC = Hash-based message authentication codes
Counter based: each code is used once, then the counter moves on and that code is never accepted again
Uses a seed value (shared secret) that both the token or HOTP app and the validation server hold, plus a moving factor (the counter); the code is a truncated HMAC of the counter under the secret. The server must record the last accepted counter so old codes can't be replayed
EX: PayPal token
TOKEN KEY is how sec+ calls it on the exam
SMS security token
Short message service token, aka text message token
When you receive an SMS with a code to input for authentication purposes
Common attacks with one-time passwords
1) TOTP/HOTP codes can be stolen by tricking a user into providing them (real-time phishing proxies relay the code within its validity window), gaining access to the device where they're generated, or extracting the seed
2) SMS codes can be redirected by SIM swapping (social engineering the carrier into porting the number), a cloned SIM, SS7 interception, or a compromised VoIP account, which is why SMS is the weakest second factor
Static codes
Algorithmically generated like one-time passwords, but pre-generated and often printed or stored in secure locations.
Useful in situations when you need a one-time password that doesn’t require a device or connectivity
Common biometric technologies
1) Fingerprint scans
2) Retina scans
3) Iris recognition
4) Facial recognition
5) Voice recognition
6) Vein recognition
7) Gait analysis
4 measures of biometric tech
1) Type I error: false rejection rate (FRR). A legitimate biometric was presented and the system rejected it (hurts usability)
2) Type II error: false acceptance rate (FAR). A biometric was presented and accepted when it shouldn't have been (hurts security)
3) ROC (receiver operating characteristic, written "relative operating characteristic" in some Sec+ materials): a curve plotting FAR against FRR as the matching threshold is varied. For most systems, lowering the chance of false rejection raises the rate of false acceptance and vice versa; the ROC shows the trade-off so you can set the threshold your risk tolerance calls for
4) CER (crossover error rate, also called equal error rate): the point on the ROC where FAR and FRR are equal. A lower CER means a more accurate system; high-security deployments set the threshold past the CER on the low-FAR side and accept more false rejections
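The four measures computed from match scores, as an added example for these notes (not from any biometric vendor). The GENUINE and IMPOSTOR score lists are constructed for illustration; real systems derive them from enrolment and attack trials. Sweeping the threshold produces the ROC points, the crossover finds the CER, and the last function shows how a high-security deployment picks a threshold by a FAR target and reads off the FRR it pays.

```python
# Constructed match scores (0 = no match, 1 = perfect match), not real sensor data.
GENUINE = [0.55, 0.60, 0.62, 0.70, 0.72, 0.75, 0.80, 0.82, 0.85, 0.90, 0.92, 0.95]
IMPOSTOR = [0.05, 0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.58, 0.63, 0.68]


def far_frr(genuine, impostor, threshold):
    """A score >= threshold is accepted. FRR: genuine users rejected. FAR: impostors accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr


def roc_points(genuine, impostor, steps=1001):
    """Sweep the threshold from 0 to 1 and record (threshold, FAR, FRR) at each setting."""
    return [(i / (steps - 1), *far_frr(genuine, impostor, i / (steps - 1))) for i in range(steps)]


def crossover(genuine, impostor, steps=1001):
    """CER: the threshold at which FAR and FRR are (closest to) equal."""
    return min(roc_points(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))


def threshold_for_max_far(genuine, impostor, max_far, steps=1001):
    """High-security tuning: lowest threshold that keeps FAR at or under the target, and the FRR it costs."""
    for th, far, frr in roc_points(genuine, impostor, steps):
        if far <= max_far:
            return th, far, frr
    return None
```

With these constructed scores the two error rates cross near a threshold of 0.6 (FAR 20%, FRR about 17%); driving FAR to zero pushes the threshold above the highest impostor score and rejects a quarter of genuine attempts, which is the usability cost the ROC makes visible.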
KBA
Knowledge based authentication
Frequently used for password resets in the form of security questions
Also dynamically generates questions that the account requestor can be expected to know
EX: IRS asking how much you received on last year’s tax return when logging in
Password keys
AKA: Security keys like YubiKey and Titan Key
Hardware devices that support one-time passwords, public key cryptography for security certs, and various other security protocols like FIDO and U2F (universal second factor)
Password vaults
AKA: Password managers
Software solutions that store, manage, and secure passwords and other information, allowing the use of strong passwords without memorizing them
TPM
Trusted platform module
A cryptoprocessor chip (or firmware TPM) on the motherboard that generates and protects keys (RSA and, in TPM 2.0, ECC) that never leave the chip, with owner authorization controlling their use
A TPM doesn't block changes to firmware or software by itself: it records a measurement of each boot stage in its platform configuration registers (PCRs) as part of measured/secure boot, and keys can be sealed to those PCR values so a tampered boot chain can't unseal them. That's how OS features like BitLocker drive encryption and remote attestation use it
HSM
Hardware security module
Either independent physical device or plug in expansion card for a computer. These integrate cryptoprocessors to securely create, store, and manage encryption keys.
Also provide encryption and decryption services.
Cloud providers now provide HSM as a service.
Password complexity
Determines the makeup of passwords.
Password complexity settings define which character classes are required, the minimum length, which special characters are accepted, and related settings. Current guidance (NIST SP 800-63B) favors length and screening against breached-password lists over forced character mixes
Password lifespan
Determines how long a password can be used before it must be reset. NIST SP 800-63B now advises against forced periodic rotation unless there's evidence of compromise
Password histories make it so people can’t reuse passwords
Account audits
A practice that helps make sure accounts are well managed, have the proper account permissions, and that appropriate controls are in place.
Ensures the account is configured as expected and all the policies are being used on the systems
Should also review disabled accounts
PAM
Privileged access management
A centralized way to handle elevated access to system resources and manage admin access for each individual admin on the system
If you’re in a large org with many admins, consider using PAM
If you do use it, admins don't hold standing admin rights on the systems
They check out privileged credentials from a centralized digital vault (or get just-in-time elevation) that lasts for a limited time before being revoked, often with session recording
You get much more control over what someone with admin access can do, and can log and audit for anyone who’s assigned these particular administrative rights
ABAC
Attribute based access control
A type of access control scheme that’s defined by criteria and parameters
Very flexible and allows for complex rules, but can be complex to manage
EX: If a user is trying to access a spreadsheet, they’ll be evaluated by things like:
1) What resource they want to access
2) What IP they’re accessing it from
3) What time of day they’re accessing
4) What type of action they’re performing
5) What their relationship is to the data
Once all the parameters are evaluated and the user meets all parameters that have been defined, they get access
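The spreadsheet example above as a small policy evaluator, added for these notes (not code from any ABAC product such as an XACML or OPA engine). The POLICY rules, network ranges and hours are constructed for illustration. Each rule ANDs its attribute conditions, any matching rule permits, and nothing matching denies; an attribute that can't be parsed fails closed.

```python
import ipaddress

# Policy as data: each rule is a set of attribute conditions that must ALL hold (AND);
# a request is permitted if ANY rule matches (OR); no match means deny.
POLICY = [
    {"name": "team-read-on-site",
     "resource_type": "spreadsheet", "actions": {"read"},
     "relationship": {"owner", "team"}, "networks": ["10.0.0.0/8"], "hours": (8, 18)},
    {"name": "owner-anytime",
     "resource_type": "spreadsheet", "actions": {"read", "write"},
     "relationship": {"owner"}, "networks": ["10.0.0.0/8", "203.0.113.0/24"], "hours": (0, 24)},
]


def _from_allowed_network(src_ip: str, networks) -> bool:
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparseable attribute: fail closed
    return any(ip in ipaddress.ip_network(n) for n in networks)


def matches(rule: dict, req: dict) -> bool:
    lo, hi = rule["hours"]
    return (req["resource_type"] == rule["resource_type"]
            and req["action"] in rule["actions"]
            and req["relationship"] in rule["relationship"]
            and _from_allowed_network(req["src_ip"], rule["networks"])
            and lo <= req["hour"] < hi)


def evaluate(req: dict, policy=POLICY):
    """Return the name of the first rule that permits the request, or None (deny by default)."""
    for rule in policy:
        if matches(rule, req):
            return rule["name"]
    return None
```

Returning the matching rule's name rather than a bare True is deliberate: it's what you want in the audit log when someone asks why a request was allowed.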
RBAC
Role based access control
Associated with the role an employee has in a company and they’ve been assigned rights and permissions based on that role
Admin of the system or network assigns these access control rights
RBAC boils down to three rules:
1) Role assignment: you can only exercise a permission if you've been assigned a role that carries it
2) Role authorization: your active role must be one you're authorized for, which prevents you from activating roles you shouldn't
3) Permission authorization: you can only use permissions your active role is allowed to use
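The three RBAC rules in code, as an added example for these notes (not from any product or from the NIST RBAC reference implementation, though it follows that model's user/role/session structure). The RBAC class and the roles, users and permissions in the test are constructed. The point worth seeing is the gap between assigned and active roles: an admin who opens a session with only the analyst role active can't delete users until they activate admin.

```python
class RBAC:
    """Core RBAC: users get roles, a session activates a subset, permissions flow only from active roles."""

    def __init__(self):
        self.role_perms = {}   # role -> set of permissions
        self.user_roles = {}   # user -> set of assigned roles
        self.sessions = {}     # session id -> (user, set of active roles)
        self._next = 0

    def grant(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user, *roles):
        """Rule 1 (role assignment): permissions reach a user only through an assigned role."""
        unknown = set(roles) - self.role_perms.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def open_session(self, user, *roles):
        """Rule 2 (role authorization): only roles assigned to the user may be activated."""
        assigned = self.user_roles.get(user, set())
        if not set(roles) <= assigned:
            raise PermissionError(f"{user} may not activate {sorted(set(roles) - assigned)}")
        self._next += 1
        self.sessions[self._next] = (user, set(roles))
        return self._next

    def check(self, session_id, permission) -> bool:
        """Rule 3 (permission authorization): a permission is usable only through a currently active role."""
        _user, active = self.sessions[session_id]
        return any(permission in self.role_perms[r] for r in active)

    def effective_permissions(self, session_id):
        _user, active = self.sessions[session_id]
        return set().union(*(self.role_perms[r] for r in active)) if active else set()
```

Activating the minimum role for the task is RBAC's version of least privilege; PAM tools automate the same idea by time-limiting the admin activation.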
RuBAC
Rule based access control (confusingly also abbreviated RBAC)
Generic term that can be applied across many different OS or ways to allow someone a resource
System admin sets the rules, not the users
The rule is associated with the object they want to access
EX: If someone is trying to access a lab, there could be a rule that says they can only access between 8 am and 5pm
EX: If someone wants to fill out a web form, they can only see and complete it with a specific type of browser
RuBAC is built into the OS we use every day
Some users get certain rights, and other users gets completely different rights
Generically, it’s an ACL but in Windows it’s group or user rights managed through Group Policy
MAC
Mandatory access control
Requires you to define security clearance levels and then label every object in the OS with one of those levels; neither users nor owners can change the labels, only the security policy set by the admin
Every object you work with gets a security label like confidential, secret, top secret, etc (often with compartments as well)
Users get a clearance set by the admin and can only access objects whose label their clearance dominates (classically: no read up, no write down). SELinux and AppArmor are the everyday examples of MAC in an OS
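The label comparison that a MAC system performs, as an added example for these notes (not code from SELinux or any other MAC implementation). The levels and the "nuclear"/"crypto" compartments are constructed; the read and write rules are the Bell-LaPadula simple security and star properties, which is the model the "no read up, no write down" phrase comes from. Labels are level plus compartments, so two labels at the same level can still be incomparable.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def label(level: str, *categories: str):
    """A security label is a level plus a set of compartments, e.g. label("secret", "nuclear")."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return (level, frozenset(categories))


def dominates(a, b) -> bool:
    """a dominates b when a's level is at least b's AND a holds every compartment b has (a lattice, not a line)."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def mac_allows(subject_clearance, object_label, action: str) -> bool:
    """Bell-LaPadula: read needs the subject to dominate the object (no read up);
    write needs the object to dominate the subject (no write down, so secrets can't leak into lower files);
    read and write together needs the labels to be equal."""
    if action == "read":
        return dominates(subject_clearance, object_label)
    if action == "write":
        return dominates(object_label, subject_clearance)
    if action == "read_write":
        return subject_clearance == object_label
    raise ValueError(f"unknown action {action!r}")
```

Note that the subject never appears in the rule as an owner: under MAC, being the creator of a file grants nothing that the label comparison doesn't already allow.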
DAC
Discretionary access control
You create an object, and you as the owner assign rights and permissions to it
As the owner, you control who can access and you can modify it at any time
Flexible, but weaker in practice because each owner is responsible for getting the permissions right, and malware running as the owner inherits every right the owner has
Conditional access
Allows us to set certain conditions like if someone is an employee or part of a third party organization
Once we know the condition, we apply certain controls to it
If they’re employees, they get more access to files but if they’re a third party they need MFA or limited access to the file
Many cloud services include this as part of their system, and you can build complex access rules to customize the precise security you have over your data
Filesystem permissions
These determine what accounts, users, groups, or services can perform actions like read, write, and execute on files and directories.
Each OS has its own set of filesystem permissions and capabilities for control.
Federation
A way you can provide access to your network using credentials someone uses for other services
EX: Log in with Google account
Attestation
A way to prove that the hardware (and its boot state) connecting to your network is something that was set up as trustworthy and is allowed access to your internal systems, typically by having a TPM sign measurements of the boot chain that a verifier checks before granting access