Domain_05: Identity and Access Management
-
Security Principles
-
• Availability
-
• Integrity
-
• Confidentiality
-
-
Access Control Matrix
-
Access Control List: Object Focused
-
Capability Table: Subject Focused
-
-
Identification, Authentication,Authorization,and Accountability
-
Race Condition
-
Four steps must happen for a subject to access an object
-
IAAA
-
Identification : User should be uniquely Identified
- Authentication : Validation of an entity’s identity claim
-
Authentication: Subjects prove their identity by providing authentication credentials such as the
matching password for a username. -
Authorization : Confirms that an authenticated entity has the privileges and permissions necessary.
-
Memory Tips: Identity & Authentication is must for accountability but not authorization. (IAAA)
-
Auditing : Any activity in the application/system should be audited (Identify technical issues/Breaches)
-
Accountability: Tracing an action to a subject
-
-
-
Identification and Authentication
-
Strong authentication
-
something a person knows
-
something a person has
-
something a person is
-
-
multifactor authentication(MFA)
-
Identity Management(IdM)
-
Identity and access management(IAM)
-
Directories
-
Lightweight Directory Access Protocol (LDAP)
-
X.500 standard
- dn: cn=Shon Harris,dc=LogicalSecurity,dc=com cn: Shon Harris
-
-
Directories’ Role in Identity Management
-
meta-directory
-
virtual directory
-
-
-
Web access management (WAM)
-
-
Authentication Methods
-
Credential Management Systems
-
Registration
-
Profile Update
-
Password Managers
-
Password Synchronization
-
Self-Service Password Reset
-
Assisted Password Reset
-
Legacy Single Sign-On
-
-
Biometrics
-
Biometrics: vein patterns are most reliable and accurate.
-
Biometric Error Type
-
Type 1 error: False Rejection Rate (FRR) – Right person Rejected
-
Type 2 error: False Acceptance Rate (FAR) – number 2 is FARther from zero than number 1
-
Crossover Error Rate: when both error rates are equal, as one goes up, the other goes down.
-
-
Iris vs. retina scans = Iris became “The Flash” so iris scans are quicker (note: the iris bit may have come out of the CBK but leaving here for knowledge & learning).
-
Fingerprint
-
Palm Scan
-
Hand Geometry
-
Retina Scan
-
Iris Scan
-
Signature Dynamics
-
Keystroke Dynamics
-
Voice Print
-
Facial Scan
-
Hand Topography
-
-
Passwords
-
Password Policies
-
• Electronic monitoring
-
• Access the password file
-
• Brute-force attacks
-
• Dictionary attacks
-
• Social engineering
-
• Rainbow table
-
-
Clipping level
-
Password Checkers
-
Password Hashing and Encryption
-
Password Aging
-
Limit Logon Attempts
-
-
-
Cognitive Password
-
One-Time Password
-
The Token Device
-
Synchronous
-
time-based
-
counter-based(event-based)
-
-
Asynchronous
-
asynchronous token–generating method
-
challenge/response scheme
-
-
-
-
Cryptographic Keys
-
Passphrase
-
Memory Cards
-
Smart Card
-
Smart Card Attacks
-
fault generation
-
Side-channel attacks
-
differential power analysis
-
electromagnetic analysis
-
timing
-
-
Software attacks
-
microprobing
-
An ISO/IEC standard, 14443
-
• ISO/IEC 14443-1 Physical characteristics
-
• ISO/IEC 14443-2 Radio frequency power and signal interface
-
• ISO/IEC 14443-3 Initialization and anticollision
-
• ISO/IEC 14443-4 Transmission protocol
-
-
Radio-Frequency Identification (RFID)
-
-
-
-
Authentication Types
-
Type1: Something you know (password, pin)
-
Type2: Something you have (smart card, token)
-
Type3: Something you are (biometric)
-
Type4: Somewhere you are (location)
-
-
Authorization
-
Access Criteria
-
roles
-
groups
-
Physical or logical location
-
Time of day, or temporal isolation
-
Transaction-type restrictions
-
-
Default to No Access
-
Need to Know
- Authorization Creep
-
Single Sign-On
-
Kerberos
-
Main Components in Kerberos
-
authentication Server (AS)
-
Key Distribution Center (KDC)
-
ticket granting service (TGS)
- ticket granting ticket (TGT)
-
-
The Kerberos Authentication Process
-
Weaknesses of Kerberos
-
• The KDC can be a single point of failure.
-
• The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable.
-
• Secret keys are temporarily stored on the users’ workstations, which means it is possible for an intruder to obtain these cryptographic keys.
-
• Session keys are decrypted and reside on the users’ workstations,either in a cache or in a key table. Again, an intruder can capture these keys.
-
• Kerberos is vulnerable to password guessing.• Network traffic is not protected by Kerberos if encryption is not enabled.
-
• If the keys are too short, they can be vulnerable to brute-force attacks.
-
• Kerberos needs all client and server clocks to be synchronized.
-
-
Kerberos Exploitation Attacks
-
Pass-the-hash (pth)
-
Overpass the Hash
-
Pass the Ticket
-
Silver Ticket
-
Golden Ticket
-
Kerberos Brute-Force:
-
Kerberoasting
-
-
-
Security Domains
- Resources working under the same security policy and managed by the same group
-
Directory Services
- LDAP, NetIQ eDirectory, and Microsoft Active Directory
-
Thin Clients
- Terminals that rely upon a central server for access control,processing, and storage
-
-
-
Accountability
-
events
-
System-level events:
-
• System performance
-
• Logon attempts (successful and unsuccessful)
-
• Logon ID
-
• Date and time of each logon attempt
-
• Lockouts of users and terminals
-
• Use of administration utilities
-
• Devices used
-
• Functions performed
-
• Requests to alter configuration files
-
-
Application-level events
-
• Error messages
-
• Files opened and closed
-
• Modifications of files
-
• Security violations within applications
-
-
User-level events
-
• Identification and authentication attempts
-
• Files, services, and resources used
-
• Commands initiated
-
• Security violations
-
-
-
Keystroke Monitoring
-
-
Session Management
-
• Timeout
-
• Inactivity
-
• Anomaly
-
-
Federation
-
Access Control and Markup Languages
-
Hypertext Markup Language (HTML)
-
Extensible Markup Language (XML)
-
Service Provisioning Markup Language (SPML)
-
the Requesting Authority (RA)
-
the Provisioning Service Provider (PSP)
-
the Provisioning Service Target (PST),
-
-
Security Assertion Markup Language (SAML)
-
Simple Object Access Protocol (SOAP)
- Image not available
-
SAML authentication
-
-
Extensible Access Control Markup Language (XACML).
-
-
OpenID
-
• End user
-
• Relying party
-
• OpenID provider
-
-
OAuth
-
four roles
-
• Client
-
• Resource server
-
• Authorization server
-
• Resource owner
-
-
OAuth authorization steps
-
-
OpenID Connect (OIDC)
-
built on the OAuth 2.0 protocol
-
OIDC supports three flows
-
• Authorization code flow T
-
• Implicit flow
-
• Hybrid flow
-
-
-
Comparing SAML. OAuth, OpenID and OIDC
-
-
-
Identity and Access Provisioning Life Cycle (the creation, management, and deletion of accounts.)
-
Provisioning
- Provisioning pertains to the creation of user objects or accounts.
-
User Access Review
-
• Extended vacation or sabbatical
-
• Hospitalization
-
• Long-term disability (with an expected future return)
-
• Investigation for possible wrong-doing
-
• Unexpected disappearance
-
-
System Account Access Review
- every system account eventually needs to be disabled or deprovisioned.
-
Deprovisioning
-
-
Access Control Model
-
- Discretionary Access Control: Owner, creator or custodian define access to the objects. Uses Access control list (known as Identity based access control)
-
- Non-Discretionary Access Control: Centrally managed by administrators. (Hint: Any model which is not DAC, can be called as Non-DAC)
-
- Role Based Access Control: Access is defined based on the role in an organization and subjects are granted access based on their roles. Normally it is implemented in
the organizations with high employee turnover.
- Role Based Access Control: Access is defined based on the role in an organization and subjects are granted access based on their roles. Normally it is implemented in
-
- Rule Based Access Control: There are set of rules. e.g. Firewall. Global rules are applied to all users equally.
-
- Attribute Based Access Control: Rules that can include multiple attributes. e.g. working hours, place of work, type of connection etc.
-
- Mandatory Access Control (Lattice Based): Implemented in high secure organizations such as Military. It is compartment based.
-
a. Hierarchical - Clearance of Top secret gives access to Top secret as well as Secret
-
b. Compartmentalized - Each domain represents a separate isolated compartment.
-
c. Hybrid - Combination of both
-
-
Integrating Identity as a Service
-
On-premise
- An on-premise (or on-premises) IdM system is one in which all needed resources remain under your physical control.
-
Cloud
-
Integration Issues
-
“Measure twice and cut once.
-
”Establishing Connectivity
-
Establishing Trust
-
Incremental Testing
-
Integrating Federated Systems
-
-
Establishing Connectivity
-
-
Access Control Techniques and Technologies
-
Authorization Mechanism
-
Implicit Deny
-
Access Control Matrix
- Access Control List: Object Focused
-
Capability Table: Subject Focused
-
Constrained User Interfaces
-
Database views
-
Physically constraining a user interface
-
-
Content-Dependent Access Control
- database views
-
Context-Dependent Access Control
-
-
Remote Access Control Technologies
-
Remote Authentication Dial-In User Service (RADIUS)
-
Terminal Access Controller Access Control System (TACACS)
- Extended TACACS (XTACACS)
-
Diameter
-
Authentication
-
• PAP, CHAP, EAP
-
• End-to-end protection of authentication information
-
• Replay attack protection
-
-
Authorization
-
• Redirects, secure proxies, relays, and brokers
-
• State reconciliation
-
• Unsolicited disconnect
-
• Reauthorization on demand
-
-
Accounting
- • Reporting, roaming operations (ROAMOPS) accounting, event monitoring
-
-
TACACS+
-
-
-
Access Control Attacks
-
Unauthorized access
-
Password cracking
-
Brute force attack
-
Dictionary attack
-
Rainbow table attack
-
-
Privilege escalation
-
Exploiting software vulnerabilities
-
Exploiting misconfigurations
-
-
Social engineering
-
Phishing
-
Baiting
-
Tailgating
-
Impersonation
-
-
Insider threats
-
Data theft
-
Sabotage
-
Fraud
-
-
Sniffer Attacks
- In a sniffer attack (or snooping attack) an attacker uses a packet capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network.
Attackers can easily read data sent over a network in cleartext. Encrypting data in transit stops this type of attack.
- In a sniffer attack (or snooping attack) an attacker uses a packet capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network.
-
Spoofing Attacks
- Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of
users so that they can spoof the user’s identity.
Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing. Many phishing attacks use spoofing methods.
- Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of
-
Phishing Attack
- A phishing attack is a type of cyber attack where the attacker pretends to be a trustworthy entity in order to trick the victim into revealing sensitive information, such as passwords or credit card numbers.
-
Access Aggregation
- is a type of attack that combines, or aggregates, non
sensitive information to learn sensitive information and
is used in reconnaissance attacks.
- is a type of attack that combines, or aggregates, non
-
Access Control CounterMeasure
-
Implementing principle of least privilege and Need-to-know
-
Implementing strong and complex passwords
-
Enforcing multi-factor authentication
-
Regularly updating access control policies
-
Implementing role-based access control
-
Monitoring and auditing access control activities
-
Implementing strong encryption for authentication credentials
-
-
-
Controlling Physical and Logical Access
-
Access Control Layers
-
Administrative controls
-
• Policy and procedures
-
• Personnel controls
-
• Supervisory structure
-
• Security-awareness training
-
• Testing
-
-
Physical controls
-
• Network segregation
-
• Perimeter security
-
• Computer controls
-
• Work area separation
-
• Data backups
-
• Cabling
-
• Control zone
-
-
Technical controls:
-
• System access
-
• Network architecture
-
• Network access
-
• Encryption and protocols
-
• Auditing
-
-
-
-
Access Control Practices
-
Unauthorized Disclosure of Information
-
Object Reuse
-
Emanation Security
-
TEMPEST
-
White Noise
-
Control Zone
-
-
-
-
Access Control Monitoring
-
Intrusion Detection Systems
-
network-based IDS (NIDS)
-
host-based IDS (HIDS)
-
Signature-based
-
• Pattern matching
- Knowledge- or Signature-Based Intrusion Detection
-
• Stateful matching
-
-
Anomaly-based
-
• Statistical anomaly–based
-
• Protocol anomaly–based
-
• Traffic anomaly–based
-
• Rule- or heuristic-based
-
-
Application-based IDS
-
-
Intrusion Prevention Systems
-
Intrusion Prevention Systems (IPS) are security devices or software that monitor network traffic for malicious activities and prevent unauthorized access or attacks.
-
IPS works by analyzing network packets, identifying potential threats or anomalies, and taking action to block or mitigate them.
-
IPS can detect and prevent various types of attacks, such as malware infections, network intrusions, denial-of-service attacks, and more.
-
By actively monitoring and protecting the network, IPS helps to ensure the security and integrity of the systems and data.
-
-
Honeypot
- A honeypot is a decoy computer system or network that is designed to attract potential hackers and gather information about their activities.
-
Network Sniffers
- Network sniffers are tools used to capture and analyze network traffic. They intercept data packets flowing through a network and provide insights into the communication happening between devices.
-