Sec+ Chapter 08: Identity and Access Management Flashcards

1
Q

Common ways to assert or claim an identity

A

1) Username: The most commonly used means of claiming an identity. Remember: associated with an identity, not an authentication factor itself

2) Certs: Stored on a system or paired with a storage device or security token

3) Tokens: A physical device that might generate a code, plug in via USB, or connect via Bluetooth to present a cert or other info

4) SSH keys: Cryptographic key pairs used as an identity. The private key replaces the password for login; the username is still presented, and the public key must be enrolled on the target (authorized_keys) beforehand

5) Smartcards: Cards that use an embedded chip. Both contactless and physical chip reader-capable cards as well as hybrid cards are broadly deployed, and cryptographic smartcards can generate key pairs on the card itself

2
Q

EAP

A

Extensible authentication protocol

An authentication framework that's commonly used for wireless and wired (802.1X) network authentication. EAP itself defines no single credential type; many methods plug into the framework, including vendor-specific and open ones such as EAP-TLS (certificate-based, mutually authenticated), EAP-TTLS and PEAP (an inner method tunneled inside TLS), and Cisco's LEAP (proprietary, long since broken, avoid)

Each method carries EAP messages over the underlying transport: EAPOL frames between client and switch/AP, and RADIUS attributes between the switch/AP and the authentication server

3
Q

CHAP

A

Challenge handshake authentication protocol

A challenge/response exchange: the password never crosses the link, only an MD5 hash derived from it, which is more secure than PAP's cleartext password (CHAP hashes, it does not encrypt)

CHAP uses a 3 way handshake:

1) After the link is established, the server sends a random challenge plus a one-byte identifier

2) Client sends back MD5(identifier || password || challenge), along with the identifier

3) Server computes the same hash from its stored copy of the password and compares; it answers success or failure

Caveats: the server must hold the password in recoverable form, and anyone who captures a challenge/response pair can run an offline dictionary attack against it

This occurs at the beginning of the process, but also periodically during the connection

4
Q

MS-CHAP

A

Microsoft's own version of CHAP, commonly used with point to point tunneling protocol (PPTP)

It's been largely replaced because the response is built with DES (56-bit keys) from the NT password hash, so a captured handshake can be brute forced offline; for MS-CHAPv2 the whole keyspace is a single 2^56 DES search

Don't use v1 or v2 on their own

Use L2TP/IPsec, or 802.1X with a TLS-based EAP method, instead

5
Q

PAP

A

Password authentication protocol

A password-centric authentication protocol that was commonly used with point to point protocol (PPP) to authenticate users

Almost nobody uses PAP anymore because it's been replaced by CHAP and EAP. PAP sends the username and password in cleartext, so anyone on the path can read them. YIKES

6
Q

802.1X

A

An IEEE standard for NAC, also called port based network access control, used to authenticate devices and users before they're allowed onto a switch port or wireless SSID. Three roles: the supplicant (client), the authenticator (switch or access point), and the authentication server (usually RADIUS)

User or device tries to connect; the authenticator keeps the port blocked (only EAPOL traffic passes) and asks for credentials

Supplicant provides credentials (password, certificate, etc) inside EAP

The authenticator forwards them to the authentication server, which checks them against its back end database

If they authenticate properly, the port is opened (often into a VLAN chosen by the server) and they can access the network

802.1X can prevent people from accessing the network until they've gone through this specific authentication method

Common to see this used with wireless or wired authentication, and it's integrated with EAP

Used in conjunction with RADIUS as the authentication server, which in turn may check LDAP/Active Directory or another directory; TACACS+ is more typical for device administration than for 802.1X

7
Q

RADIUS

A

Remote authentication dial-in user service

One of the most common AAA systems for network devices, wireless networks, VPNs, WAN/LAN, etc. Runs over UDP, ports 1812 (authentication) and 1813 (accounting); legacy deployments use 1645/1646

Centralizes authentication for users: if they're logging into the network, a VPN concentrator, or authenticating to a switch or router, they can use RADIUS

Only the User-Password attribute is hidden, by XORing it with an MD5 stream derived from the shared secret and the request authenticator; everything else in the packet is cleartext (aka, not great security)

Traffic between the RADIUS network access server and the RADIUS server is therefore often protected with IPsec tunnels, or with RadSec (RADIUS over TLS)
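To make the CHAP and RADIUS cards concrete, here is an added example (not from the flashcard deck) that implements both legacy constructions with only the Python standard library: the CHAP response MD5(id || secret || challenge) from RFC 1994, and the RADIUS User-Password hiding from RFC 2865 section 5.2. The secrets, passwords and request authenticator are constructed values for the demo. The RADIUS half also shows the "not great security" point directly: whoever holds the shared secret (or recovers it offline from a capture) reverses the hiding exactly.

```python
import hashlib
import os
import secrets

# ---------- CHAP (RFC 1994) ----------
# Response = MD5(identifier || secret || challenge). The password never crosses
# the link, but the server must keep it in recoverable form to recompute the
# hash, and a captured challenge/response pair is attackable offline.

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(ident, stored_secret, challenge)
    return secrets.compare_digest(expected, response)

def chap_exchange(client_secret: bytes, server_secret: bytes) -> bool:
    """One challenge/response round. True when the server accepts the response."""
    ident = 0x01                                                     # echoed back in the response
    challenge = os.urandom(16)                                       # server -> client
    response = chap_response(ident, client_secret, challenge)        # client -> server
    return chap_verify(ident, server_secret, challenge, response)    # server decides

# ---------- RADIUS User-Password hiding (RFC 2865 section 5.2) ----------
# The password is padded to 16-byte blocks and each block is XORed with
# MD5(shared_secret || previous ciphertext block); the 16-byte request
# authenticator seeds the first block. This is obfuscation, not authenticated
# encryption: the same secret reverses it.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16   # at least one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt, and what anyone with the secret can do."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drops the padding (and any trailing NULs in the password)

if __name__ == "__main__":
    print("CHAP accepted:", chap_exchange(b"correct horse", b"correct horse"))
    auth = os.urandom(16)   # constructed request authenticator
    hidden = radius_hide_password(b"hunter2", b"radius-shared-secret", auth)
    print("RADIUS hidden:", hidden.hex())
    print("recovered with secret:", radius_reveal_password(hidden, b"radius-shared-secret", auth))
```

The CHAP server only "wins" against a passive observer; it still needs the cleartext-equivalent password on file, which is why RADIUS back ends that store hashed passwords cannot do CHAP at all.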

8
Q

AAA

A

Authentication, authorization, and accounting

In these systems, users must first authenticate (username and password, or a stronger factor such as a certificate or MFA)

The system then allows them to perform actions they’re authorized to by policies or permissions settings

Accounting tracks the resource utilization like time, bandwidth, or CPU use

9
Q

TACACS+

A

Terminal access controller access control system plus

A remote authentication protocol, originally used to authenticate to terminal servers

Cisco designed an extension called XTACACS (Extended TACACS) which added support for accounting and auditing

Today it's TACACS+, which uses TCP (port 49) to provide AAA services, encrypts the packet body (the header stays in cleartext), separates authentication, authorization and accounting into distinct operations, and offers granular per-command authorization, allowing individual commands to be secured as needed. This is why it's the usual choice for network device administration, with RADIUS left for network access

10
Q

Kerberos

A

A more complex but robust authentication method that can use SSO

Authenticate once and then be trusted by the system, no need to reauthenticate to everything

Also provides mutual authentication which means you authenticate to the server and it to you so both sides know exactly who they’re talking to

Protects against MITM (session keys are only ever sent encrypted under keys the KDC shares with each side) and replay attacks (authenticators carry timestamps, so clocks must be roughly in sync)

11
Q

Kerberos authentication flow

A

Kerberos credentials are cryptographic tickets: encrypted blobs that only the KDC and the target service can read

When you authenticate to the KDC (key distribution center, your centralized authentication server, which hosts both the authentication service and the ticket granting service), it gives you a ticket granting ticket (TGT). To reach a service, you present the TGT to the ticket granting service and receive a service ticket for that specific service

Instead of putting in a username and password every time you access a resource, you show the service ticket to the server; the server decrypts it with its own key, sees it was issued by the KDC, and provides access

12
Q

SAML

A

Security assertion markup language

An XML based open standard for exchanging authentication and authorization data so users can access third party resources

User accesses an application URL

The site (the service provider, SP) sees we haven't authenticated, builds a signed SAML authentication request, and redirects us to the identity provider (IdP) with it

We present our login credentials to the IdP along with the SAML request

If they're correct, the IdP sends back a SAML response containing a signed (and optionally encrypted) assertion about who we are

Our browser posts the SAML response to the SP's assertion consumer service; the SP verifies the signature, checks the assertion's audience, recipient, validity window and request ID, and then grants access to the service

Good for federated web SSO, but awkward for mobile and native apps, which means we'll likely see it decline in the coming years in favor of OpenID Connect
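The last step of the flow, the SP's checks on the assertion, is where most SAML implementation bugs live, so here is an added example (not part of the flashcard deck) of those checks in Python with only the standard library. The XML response below is constructed for the demo; the issuer, audience and ACS URLs are assumed names. The XML signature verification is assumed to have already been done on the raw bytes (it needs an XML-DSig library such as signxml, which is not shown), and the assertion must never be used before that step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML response for the demo (issuer/SP/ACS names are assumptions).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
            InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

class SamlValidationError(Exception):
    pass

def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, *, issuer, audience, acs_url, outstanding_requests,
                      seen_assertion_ids, now, skew=timedelta(seconds=60)):
    """SP-side checks after signature verification. Returns the NameID or raises."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlValidationError("unexpected issuer")
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:          # replay of a valid assertion
        raise SamlValidationError("assertion replayed or missing ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("no conditions")
    if now + skew < _utc(cond.get("NotBefore")) or now - skew >= _utc(cond.get("NotOnOrAfter")):
        raise SamlValidationError("outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:                                        # assertion minted for another SP
        raise SamlValidationError("audience mismatch")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise SamlValidationError("wrong recipient")
    if scd.get("InResponseTo") not in outstanding_requests:             # unsolicited or stale response
        raise SamlValidationError("not a reply to a request we issued")
    if scd.get("NotOnOrAfter") and now - skew >= _utc(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    outstanding_requests.discard(scd.get("InResponseTo"))                # each request answered once
    seen_assertion_ids.add(assertion_id)                                 # each assertion used once
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

if __name__ == "__main__":
    user = validate_response(SAMPLE_RESPONSE, issuer="https://idp.example.com",
                             audience="https://sp.example.com", acs_url="https://sp.example.com/acs",
                             outstanding_requests={"_req42"}, seen_assertion_ids=set(),
                             now=datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc))
    print("authenticated:", user)
```

The outstanding-request set and the seen-assertion set must be shared across SP instances (a database or cache), otherwise a load balancer defeats both the replay check and the unsolicited-response check.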

13
Q

OpenID Connect

A

An identity layer built on top of OAuth 2.0

Provides the authentication functionality for third party apps (who the user is, delivered as a signed ID token in JWT format) while OAuth determines what types of data that app can access (the access token and its scopes)

EX: Log in with Google options on websites

14
Q

OAuth

A

A framework that allows us to control what types of resources a third party app can access on our behalf, without handing that app our password

Unlike SAML, OAuth is not an authentication protocol by itself; it's used in conjunction with OpenID Connect, which provides the authentication functionality

EX: Zoom wants to access your Google Calendar, and this will allow Zoom to…
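As an added example covering both the OpenID Connect and OAuth cards (not code from the flashcard deck), the following Python shows the client side of an authorization code flow: generating the PKCE verifier/challenge, the state value that ties the redirect back to the browser session, and the nonce that gets echoed in the ID token; the token-endpoint PKCE check the authorization server performs; and the claim checks a client must run on an ID token before trusting it. Endpoint URLs, client ID and key are assumed names. The ID token is signed with HS256 under a shared key so the example is self-contained; real providers use RS256/ES256 with published JWKS, and the algorithm pinning shown here matters just as much there.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# ---- client: build the authorization request (PKCE, state, nonce) ----
def start_authorization(client_id, redirect_uri, authorize_endpoint, scope="openid email"):
    verifier = b64url(secrets.token_bytes(32))              # 43-char code_verifier, kept server-side
    session = {"verifier": verifier,
               "state": b64url(secrets.token_bytes(16)),    # binds the callback to this session (CSRF)
               "nonce": b64url(secrets.token_bytes(16))}    # binds the ID token to this request
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    return authorize_endpoint + "?" + urlencode(params), params, session

def callback_is_ours(query: dict, session: dict) -> bool:
    """Reject redirects whose state was not minted for this browser session."""
    return "code" in query and hmac.compare_digest(query.get("state", ""), session["state"])

# ---- authorization server: token endpoint check that the caller started this flow ----
def pkce_matches(code_verifier: str, stored_challenge: str) -> bool:
    return hmac.compare_digest(b64url(hashlib.sha256(code_verifier.encode()).digest()), stored_challenge)

# ---- ID token: issue (IdP side, HS256 for the demo) and validate (client side) ----
def issue_id_token(key: bytes, claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class IdTokenError(Exception):
    pass

def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise IdTokenError("malformed token")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the algorithm; never honor "none"
        raise IdTokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    if client_id not in aud:
        raise IdTokenError("token issued to another client")
    if now >= claims.get("exp", 0):
        raise IdTokenError("expired")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (replayed token)")
    return claims
```

The state check stops an attacker from logging the victim into the attacker's account (login CSRF), PKCE stops a stolen authorization code from being redeemed, and the audience check stops an ID token minted for some other app from being replayed against this one.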

15
Q

SSO

A

Single sign on

Allows a user to log in with a single identity and then use multiple systems or services without reauthenticating. SSO systems provide significant advantages because they simplify user interactions with authentication and authorization systems.

But they require a trade-off in the number of identity-based security boundaries that are in place: one compromised credential or session now reaches every connected system, so the SSO login itself needs MFA and short session lifetimes.

Commonly implemented using LDAP and Kerberos in Windows domains or Linux infrastructures. SAML for web apps and federated services.

16
Q

IdP

A

Identity provider

Manages the life cycle of digital identities from creation through maintenance to retirement of the identity in the systems and services it supports.

Often part of federated identity deployments, where they’re paired with relying parties which trust the IdP to handle authentication and then rely on that to grant access to services

17
Q

Terms used in federated environments

A

1) The principal: typically, a user

2) IdPs: Identity providers who provide identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be

3) SPs: Service providers who provide services to users whose identities have been attested to by an identity provider

18
Q

LDAP

A

Lightweight directory access protocol: the protocol used to query and modify directory services such as Active Directory. Plain LDAP is TCP 389; use LDAPS (TCP 636) or StartTLS so binds and queries aren't sent in cleartext

19
Q

Directory services

A

Used in networks to provide info about systems, users, and other information about an org

LDAP is a type of directory service that’s commonly deployed as part of an identity management infrastructure and offers hierarchically organized info about the org

Frequently used to make an organizational directory for email and other contact info available

20
Q

MFA

A

Multifactor authentication

Becoming a default option for security-conscious orgs

21
Q

7 Types of MFA factors

A

1) Something you know, including passwords, PINs, or answers to security questions

2) Something you have, like your phone, a smartcard, USB or Bluetooth token, or item in your possession like a Titan security key

3) Something you are, which relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even typing speed are all options

4) Somewhere you are, based on your current location. GPS, network location, etc to ensure only users who are in a specific location can authenticate

5) Something you can do, like picture password features in Windows or gesture authentication on Android phones

6) Something you exhibit, like a behavior pattern or similar characteristic. Typically a form of the something you are factor like typing speed

7) Someone you know, which can include trust relationships from others

22
Q

One-time passwords

A

A form of second-factor authentication. Important in fighting password theft and password-based attacks.

Attackers might obtain a one-time password, but they can't reuse it once it's been accepted or its window has passed; they have to relay it in near real time to get any use out of it.

23
Q

TOTP

A

Time based one time passwords

Uses the HOTP algorithm with the current time (usually in 30-second steps) as the moving factor, so the code changes every step without the client and server keeping a counter in sync. The server typically accepts a step or two of clock skew, and must reject a code once it's been used within that window.

EX: Authenticator apps use TOTP

TOKEN KEY is how sec+ calls it on the exam

24
Q

HOTP

A

HMAC-based one time password

HMAC = Hash-based message authentication codes

You have a number you use once, and that number is thrown away and never used again: once a counter value is accepted, it and every lower value are burned

Uses a seed value (shared secret) that both the token or HOTP code-generation app and the validation server use, as well as a moving factor (a counter that increments on each use). Because the token's counter can run ahead of the server's (button pressed without logging in), the server checks a small look-ahead window to resynchronize

EX: PayPal token

TOKEN KEY is how sec+ calls it on the exam

25
Q

SMS security token

A

Short message service token, aka text message token

When you receive an SMS with a code to input for authentication purposes

26
Q

Common attacks with one-time passwords

A

1) TOTP codes can be stolen by tricking a user into providing them (a real-time phishing proxy relays the code within its validity window), by gaining access to the device like a phone where they're generated, or by obtaining the seed itself

2) SMS codes can be redirected through a SIM swap or cloned SIM card, or if the phone number belongs to a VoIP service that's been compromised

27
Q

Static codes

A

Algorithmically generated like one-time passwords, but pre-generated and often printed or stored in secure locations.

Useful in situations when you need a one-time password that doesn’t require a device or connectivity

28
Q

Common biometric technologies

A

1) Fingerprint scans

2) Retina scans

3) Iris recognition

4) Facial recognition

5) Voice recognition

6) Vein recognition

7) Gait analysis

29
Q

4 measures of biometric tech

A

1) Type I error, false rejection rate (FRR): a legit biometric measure was presented and the system rejected it

2) Type II error, false acceptance rate (FAR): a biometric factor is presented and accepted when it shouldn't be. This is the security-relevant one

3) ROC (receiver operating characteristic; some Sec+ material calls it relative operating characteristic): a curve that plots FAR against FRR as the matching threshold is varied. For most systems, as you decrease the likelihood of false rejection you increase the rate of false acceptance. You use the ROC curve to pick the threshold that gives the trade-off you want

4) CER (crossover error rate), also called the equal error rate: the point on the ROC curve where FAR and FRR are equal. A lower CER means a more accurate system; the threshold you actually deploy may sit to either side of it depending on whether you care more about security or convenience
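As an added example (not from the flashcard deck), the following Python computes FAR and FRR across thresholds from constructed match scores, draws the ROC points, finds the crossover, and shows what tuning for a FAR ceiling costs in FRR. The two score lists are made up for the demo, not real sensor output; the only assumption is that a higher score means a closer match and the system accepts any score at or above the threshold.

```python
from typing import List, Tuple

# Constructed match scores (0..1, higher = more similar), not real biometric data.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.60]   # right person presenting
IMPOSTOR = [0.20, 0.30, 0.35, 0.42, 0.50, 0.55, 0.62, 0.68, 0.72, 0.80]  # wrong person presenting

def rates_at(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """(FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # Type II: impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)      # Type I: real users turned away
    return far, frr

def roc_curve(genuine, impostor, steps: int = 100):
    """ROC points (threshold, FAR, FRR); sweeping the threshold trades one error for the other."""
    return [(i / steps, *rates_at(i / steps, genuine, impostor)) for i in range(steps + 1)]

def crossover(genuine, impostor, steps: int = 100) -> Tuple[float, float]:
    """Threshold where FAR and FRR meet (lowest such threshold on a tie) and the CER there."""
    t, far, frr = min(roc_curve(genuine, impostor, steps), key=lambda p: (abs(p[1] - p[2]), p[0]))
    return t, (far + frr) / 2

def threshold_for_max_far(max_far: float, genuine, impostor, steps: int = 100):
    """Loosest threshold that still holds FAR at or under a ceiling, with the FRR you pay for it."""
    for t, far, frr in roc_curve(genuine, impostor, steps):
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0

if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"crossover threshold {t:.2f}, CER {cer:.2f}")
    t, far, frr = threshold_for_max_far(0.1, GENUINE, IMPOSTOR)
    print(f"FAR <= 10% needs threshold {t:.2f}: FAR {far:.2f}, FRR {frr:.2f}")
```

The second function is the practitioner's version of the card: for a door to a server room you set a FAR ceiling first and accept whatever FRR follows, which is usually well to the right of the crossover.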

30
Q

KBA

A

Knowledge based authentication

Frequently used for password resets in the form of security questions

Also dynamically generates questions that the account requestor can be expected to know

EX: The IRS asking for the refund amount on last year's tax return when you log in. Static security questions are weak (answers are often public or guessable), which is why dynamic KBA exists at all

31
Q

Password keys

A

AKA: Security keys like YubiKey and Titan Key

Hardware devices that support one-time passwords, public key cryptography for security certs, and phishing-resistant protocols from the FIDO family: U2F (universal second factor) and FIDO2/WebAuthn. The key signs a challenge bound to the site's origin, so a look-alike phishing domain gets a signature it can't use

32
Q

Password vaults

A

AKA: Password managers

Software solutions that store, manage, and secure passwords and other information, allowing the use of strong passwords without memorizing them

33
Q

TPM

A

Trusted platform module

Modules or chips with a built in cryptoprocessor that generates and stores asymmetric keys (RSA and, in TPM 2.0, ECC) which never leave the chip; use of them is gated by an owner authorization value set by the system owner

TPMs measure firmware and boot components into platform configuration registers (PCRs) as part of a measured or secure boot process, so unauthorized changes can be detected, keys sealed to a known-good state can't be unsealed, and the state can be attested to a remote party. They're supported by the OS to enable drive encryption (BitLocker keys sealed to PCRs, for example) and other cryptographic security features

34
Q

HSM

A

Hardware security module

Either independent physical device or plug in expansion card for a computer. These integrate cryptoprocessors to securely create, store, and manage encryption keys.

Also provide encryption and decryption services.

Cloud providers now provide HSM as a service.

35
Q

Password complexity

A

Determines the makeup of passwords.

Password complexity settings will set which characters can and can’t be used for a password, show how long it should be, indicate which special characters are accepted, and any other related settings

36
Q

Password lifespan

A

Determines the time a password has before it needs to be reset

Password histories make it so people can't reuse previous passwords when they reset

Caveat: current NIST guidance (SP 800-63B) drops forced periodic expiration and tells you to rotate only on evidence of compromise, since scheduled resets push users toward predictable variations

37
Q

Account audits

A

A practice that helps make sure accounts are well managed, have the proper permissions, and that appropriate controls are in place.

Ensures each account is configured as expected and that all the policies are actually being applied on the systems

Should also review disabled and dormant accounts: stale accounts that are still enabled, disabled accounts that still hold privileged group memberships, and service accounts exempted from password policy are the usual findings
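As an added example (not from the flashcard deck), the following Python runs the checks just listed over a constructed account export. The account list, the 90-day staleness window and the "Domain Admins" group name are assumptions for the demo; a real run would feed it the output of Get-ADUser or an LDAP search.

```python
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed directory export for the demo (not real accounts).
ACCOUNTS = [
    {"name": "alice",      "enabled": True,  "last_logon": "2024-05-30", "groups": ["staff"],                  "pw_never_expires": False},
    {"name": "bob-admin",  "enabled": True,  "last_logon": "2024-01-15", "groups": ["staff", "Domain Admins"], "pw_never_expires": False},
    {"name": "svc-backup", "enabled": True,  "last_logon": "2024-05-29", "groups": ["Domain Admins"],          "pw_never_expires": True},
    {"name": "carol",      "enabled": False, "last_logon": "2023-11-02", "groups": ["staff", "Domain Admins"], "pw_never_expires": False},
    {"name": "dave",       "enabled": True,  "last_logon": None,         "groups": ["staff"],                  "pw_never_expires": False},
]

PRIVILEGED: FrozenSet[str] = frozenset({"Domain Admins"})   # assumed name of the privileged group

def audit(accounts: List[Dict], now: datetime, stale_days: int = 90,
          privileged: FrozenSet[str] = PRIVILEGED) -> List[Tuple[str, str]]:
    """Returns (account, finding) pairs for the conditions an account review should flag."""
    findings = []
    for a in accounts:
        last = datetime.fromisoformat(a["last_logon"]) if a["last_logon"] else None
        stale = last is None or (now - last) > timedelta(days=stale_days)   # never used counts as stale
        priv = privileged & set(a["groups"])
        if a["enabled"] and stale:
            findings.append((a["name"], "stale-enabled"))
        if not a["enabled"] and priv:
            findings.append((a["name"], "disabled-still-privileged"))   # re-enable = instant admin
        if a["pw_never_expires"] and priv:
            findings.append((a["name"], "privileged-password-never-expires"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, datetime(2024, 6, 1)):
        print(f"{name:12} {finding}")
```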

38
Q

PAM

A

Privileged access management

A centralized way to handle elevated access to system resources and manage admin access for each individual admin on the system

If you're in a large org with many admins, consider using PAM

If you do use it, admins don't hold standing admin rights on the systems they manage

They check privileged credentials or sessions out of a centralized digital vault, which grants access that only lasts for a certain amount of time before being revoked (just-in-time access)

You get much more control over what someone with admin access can do, and can log, record and audit every session for anyone who's been assigned these particular administrative rights

39
Q

ABAC

A

Attribute based access control

A type of access control scheme that’s defined by criteria and parameters

Very flexible and allows for complex rules, but can be complex to manage

EX: If a user is trying to access a spreadsheet, they’ll be evaluated by things like:
1) What resource they want to access
2) What IP they’re accessing it from
3) What time of day they’re accessing
4) What type of action they’re performing
5) What their relationship is to the data

Once all the parameters are evaluated and the user meets all parameters that have been defined, they get access
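As an added example (not from the flashcard deck), the following Python implements the spreadsheet scenario above as a small ABAC policy engine: rules are predicates over the subject, resource, action and environment attributes, a deny rule overrides any allow, and no match means deny. The corporate network range, departments and the sample requests are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Request:
    subject: dict    # who: id, department, ...
    resource: dict   # what: type, owner, department, classification, ...
    action: str      # read / write / share ...
    env: dict        # context: client_ip, time, ...

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space

def on_corp_network(r: Request) -> bool:
    return ipaddress.ip_address(r.env["client_ip"]) in CORP_NET

def business_hours(r: Request) -> bool:
    t: datetime = r.env["time"]
    return t.weekday() < 5 and 8 <= t.hour < 17

# Policy = ordered list of (name, effect, condition). Conditions are plain predicates.
Rule = Tuple[str, str, Callable[[Request], bool]]
POLICY: List[Rule] = [
    ("owner-full-control", "allow",
        lambda r: r.subject["id"] == r.resource["owner"]),                       # relationship to the data
    ("finance-read-finance-sheets", "allow",
        lambda r: r.action == "read" and r.resource["type"] == "spreadsheet"    # action + resource
                  and r.resource["department"] == "finance"
                  and r.subject["department"] == "finance"
                  and on_corp_network(r) and business_hours(r)),                # where + when
    ("no-confidential-offsite", "deny",
        lambda r: r.resource["classification"] == "confidential" and not on_corp_network(r)),
]

def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Deny-overrides combining with default deny. Returns (decision, matched rule names)."""
    matched = [(name, effect) for name, effect, cond in policy if cond(req)]
    denies = [n for n, e in matched if e == "deny"]
    if denies:
        return "deny", denies
    allows = [n for n, e in matched if e == "allow"]
    if allows:
        return "allow", allows
    return "deny", []

# Constructed sample requests.
SHEET = {"type": "spreadsheet", "owner": "bob", "department": "finance", "classification": "confidential"}
ALICE = {"id": "alice", "department": "finance"}
BOB = {"id": "bob", "department": "finance"}
TUESDAY_10AM = datetime(2024, 1, 2, 10, 0)
TUESDAY_7PM = datetime(2024, 1, 2, 19, 0)

if __name__ == "__main__":
    print(evaluate(Request(ALICE, SHEET, "read", {"client_ip": "10.1.2.3", "time": TUESDAY_10AM})))
    print(evaluate(Request(ALICE, SHEET, "read", {"client_ip": "10.1.2.3", "time": TUESDAY_7PM})))
    print(evaluate(Request(BOB, SHEET, "write", {"client_ip": "203.0.113.5", "time": TUESDAY_10AM})))
```

The last call is the part worth noticing: the owner rule matches, but the offsite deny still wins. That ordering decision (deny-overrides versus first-applicable) is itself part of the policy and is where ABAC complexity tends to bite.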

40
Q

RBAC

A

Role based access control

Associated with the role an employee has in a company and they’ve been assigned rights and permissions based on that role

Admin of the system or network assigns these access control rights

RBAC boils down to three rules:

1) Role assignment: you can only use permissions that match your assigned role

2) Role authorization: your active role must be authorized, which prevents you from taking on roles you shouldn’t

3) Permission authorization: you can only use permissions your active role is allowed to use

41
Q

RuBAC

A

Rule based access control (also abbreviated RBAC, so read exam questions carefully)

Generic term that can be applied across many different OSs or ways to allow someone access to a resource

The system admin sets the rules, not the users

The rule is associated with the object being accessed, not with the person

EX: If someone is trying to access a lab, there could be a rule that says access is only allowed between 8 am and 5 pm

EX: If someone wants to fill out a web form, they can only see and complete it with a specific type of browser

RuBAC is built into the OSs we use every day

Some users get certain rights, and other users get completely different rights

Generically it's an ACL; in Windows it's user rights and group memberships managed through Group Policy; on a firewall it's the rulebase

42
Q

MAC

A

Mandatory access control

Requires you to configure separate security clearance levels and then associate every object in the OS with one of those levels

Every object you work with gets a security label like confidential, secret, top secret, etc (and optionally compartments such as project names)

Users get a clearance configured by the admin, and the OS itself enforces the comparison between clearance and label on every access; unlike DAC, an object's owner can't loosen its label. SELinux and Windows mandatory integrity levels are everyday examples

43
Q

DAC

A

Discretionary access control

You create an object, and you as the owner assign rights and permissions to it

As the owner, you control who can access and you can modify it at any time

Flexible access control, but could be weak security since the owner needs to be fully responsible for the permissions

44
Q

Conditional access

A

Allows us to set certain conditions like if someone is an employee or part of a third party organization

Once we know the condition, we apply certain controls to it

If they’re employees, they get more access to files but if they’re a third party they need MFA or limited access to the file

Many cloud services include this as part of their system, and you can build complex access rules to customize the precise security you have over your data

45
Q

Filesystem permissions

A

These determine what accounts, users, groups, or services can perform actions like read (r), write (w), and execute (x) on files and directories.

Each OS has its own set of filesystem permissions and capabilities for control.

46
Q

Federation

A

A way you can provide access to your network using credentials someone uses for other services

EX: Log in with Google account

47
Q

Attestation

A

A way to prove that the hardware connecting into your network is something that was set up as trustworthy and is allowed access to your internal systems. Typically the device's TPM signs a quote of its boot measurements with a key that never leaves the chip, and the network side verifies the signature and compares the measurements to a known-good baseline before granting access