Chapter 2 - Identity & Access Management Flashcards
Identification
Occurs when users claim or profess their identity with identifiers such as usernames or email addresses
Authentication
Proves an identity with some type of credentials such as a username and password.
AAA
Authentication, authorization and accounting work together with identification to provide a comprehensive access management system.
- Authorization: proving an identity does not automatically grant a user access to every resource in a system. Instead, users are granted authorization to access resources based on their proven identity.
- Accounting methods track user activity and record it in activity logs, enabling admins to create an audit trail.
Password keys
Used to reset passwords on a system. Often a bootable optical disc or bootable USB flash drive. After rebooting the system from the device they allow you to recover or reset all user and administrator passwords. Anyone with physical access and the ability to boot from removable media can do the same, which is why boot order should be locked in firmware and disks should be encrypted (full-disk encryption defeats this kind of offline reset).
KBA
Knowledge-Based Authentication can be used to prove the identity of individuals.
- Static KBA: typically used to verify your identity when you have forgotten your password, e.g. being prompted to answer questions you previously answered when registering, such as your mother's maiden name.
- Dynamic KBA: identifies individuals without an account, often used for high-risk transactions such as with a financial institution or healthcare company. The site queries public and private data sources, such as credit reports or third-party organizations, then crafts multiple-choice questions only the genuine person should be able to answer, and often includes a "none of these apply" option.
Smart card
Credit-card sized cards with an embedded microchip and certificate. They use certificate-based authentication to satisfy the "something you have" factor and are often used in 2FA, combined with a PIN ("something you know").
The embedded certificate and private key are used for digital signatures and encryption.
Certificates
Digital files that support cryptography for increased security.
-The chip holds the user's private key (non-exportable and accessible only to the card holder) together with the embedded certificate, which binds the matching public key (available to others) to the user's identity. The private key is used each time the user logs on to a network, e.g. to sign a challenge that the server verifies with the public key from the certificate.
PKI supports issuing and managing certificates
Token key
Also called a key fob or a token, it’s an electronic device the size of a remote key of a car that includes an LCD (liquid crystal display) that displays a number, which changes periodically, such as every 60 seconds. They are sometimes called hardware tokens to differentiate them from software tokens.
The token is synced to a server that knows what the number is at any moment. It’s a one-time use, rolling password. Users often use tokens to authenticate via a website.
HMAC
Hash-based Message Authentication Code combines a hash function with a secret cryptographic key to produce a keyed digest. It is used for many different cryptographic functions, such as verifying message integrity and authenticity, and it is the building block of HOTP and TOTP.
HOTP
HMAC-based One-Time Password is an open standard (RFC 4226) for creating one-time passwords, similar to those used in tokens or key fobs. It computes an HMAC (SHA-1 by default) over a shared secret key and an incrementing counter, then truncates the result to a HOTP value of six to eight digits.
*NOTE: a password created with HOTP remains valid until it is used, because the server only advances its counter on a successful match, so an unused code potentially remains usable forever. The server also needs a look-ahead window to resynchronize with a token whose counter was advanced without the server seeing those codes.
TOTP
Time-based One-Time Password (RFC 6238) is similar to HOTP but replaces the counter with the current time divided into steps (30 seconds by default, or whatever you choose), so each code expires when its time step ends. Also an open standard.
Hardware tokens that use the HOTP and TOTP standards are very inexpensive compared to ones using proprietary algorithms.
SMS
Short Message Service, can be used to send a PIN or code for 2FA. It is the weakest of the common second factors: codes can be intercepted through SIM swapping or SS7 weaknesses, so NIST SP 800-63B treats SMS as a restricted authenticator, and authenticator apps or hardware tokens are preferred where possible.
Push notifications can similarly be enabled for 2FA so users don't need to re-enter data or remember a password, just press "allow" or similar, making it user friendly. That convenience invites push fatigue ("MFA bombing") attacks, where an attacker who already has the password sends repeated prompts until the user approves one; number matching in the prompt mitigates this.
FAR
False Acceptance Rate: the percentage of unauthorized users a biometric system wrongly accepts (a false match, also called a Type II error).
Complement: true rejection rate (impostors correctly rejected).
FRR
False Rejection Rate: the percentage of authorized users a biometric system wrongly rejects (a false non-match, also called a Type I error).
Complement: true acceptance rate (legitimate users correctly accepted).
CER
Crossover Error Rate, the point where the FRR equals the FAR. A lower CER indicates a more accurate biometric system.
Biometric systems allow you to adjust the sensitivity, i.e. the threshold a match score must reach to be accepted. Increasing the sensitivity (a stricter threshold) decreases the number of false matches but increases the number of false rejections, and vice versa.
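To make the FAR/FRR trade-off and the CER concrete, here is an added example (not part of the original flashcards) that sweeps the acceptance threshold over constructed match scores from a hypothetical matcher and reports FAR and FRR at each threshold, then locates the crossover. The score lists are made up for illustration; the function names are this example's own.

```python
"""Sweep a biometric match threshold over constructed score samples and locate the CER."""

# Constructed example data: similarity scores in [0, 1] produced by a hypothetical matcher.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.68, 0.61, 0.55]   # enrolled users
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.40, 0.46, 0.52, 0.58, 0.64, 0.70]  # other people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for the decision rule 'accept if score >= threshold'."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)      # legitimate users turned away
    return far, frr


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) at every candidate threshold (every observed score), ascending."""
    return [(t, *rates(t, genuine, impostor)) for t in sorted(set(genuine + impostor))]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest, and the CER (their mean at that point)."""
    t, far, frr = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    print(f"{'thr':>5} {'FAR':>5} {'FRR':>5}")
    for t, far, frr in sweep():
        print(f"{t:5.2f} {far:5.2f} {frr:5.2f}")
    t, cer = crossover()
    print(f"CER = {cer:.2f} at threshold {t:.2f}")
    # Tuning: a lax threshold favours convenience, a strict one favours security.
    print("lax    (0.50):", rates(0.50))
    print("strict (0.80):", rates(0.80))
```

With these samples the curves cross at a threshold of 0.64 where both rates are 20%; lowering the threshold to 0.50 admits 40% of impostors while rejecting no legitimate user, and raising it to 0.80 locks out 60% of legitimate users while admitting no impostor. Comparing two products by CER only makes sense when both were measured on comparable populations and the same decision rule.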
CAC or PIV cards
Common Access Cards (used by the US Department of Defense) or Personal Identity Verification cards (used by US federal civilian agencies; both follow the FIPS 201 standard). They show a picture of the user and their personnel information, are worn as badges inside a building, and also include smart card capabilities.
Service accounts
Service accounts fill the need when you need to run an application or service under the context of an account, such as a SQL Server database application running on a server that needs access to resources on the server and on the network.
-Admins can create a regular user account, name it something like sqlservice, assign it appropriate privileges, and configure the SQL server to use this account.
-It is like a regular end user account, the only difference being that it's used by the service or application, not an end user.
*Credential policies may require long, complex passwords for service accounts, but those passwords should not expire: if the password expires and the credential stored in the service configuration is not updated, the service or application stops working. (Managed service accounts, whose passwords are rotated automatically by the directory, avoid this problem.)
PAM
Privileged Access Management, or privileged account management, allows an organization to apply more stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts.
PAM implements the concept of just-in-time administration: admins don't hold administrative privileges until they need them. When they do, they request the elevated privileges and the PAM system adds their account to the privileged group.
-After a pre-set time, such as 15 minutes, their account is automatically removed from the group, revoking the privileges.
PAM CAPABILITIES:
1. Allow users to access the privileged account without knowing the password.
2. Automatically change the privileged account password periodically.
3. Limit the time users can use the privileged account
4. Allow users to check out credentials.
5. Log all access of credentials
ALWAYS REQUIRE ADMINISTRATORS TO USE 2 ACCOUNTS (A REGULAR ACCOUNT FOR DAILY WORK AND A SEPARATE ADMINISTRATIVE ACCOUNT), WHICH HELPS PREVENT PRIVILEGE ESCALATION ATTACKS: MALWARE RUNNING UNDER THE DAILY-USE ACCOUNT DOES NOT GET ADMINISTRATIVE RIGHTS.
Disablement Policy
Specifies how to manage accounts in different situations, e.g. disabling accounts when employees leave an organization.
Also disable default accounts to prevent them from being used.
Disabling is often better than deleting, because deleting an account also deletes the encryption and security keys associated with it. Data the user encrypted would then remain encrypted (and unreadable) forever unless the company had a key escrow or recovery agent.
-Terminated employee, leave of absence: disabling the account ensures the data associated with it remains available.
Time-based logins
Prevent users from logging on or accessing network resources during specific hours.
Often only prevents new network connections and won't log out an active session, so someone already logged in and working can continue past the cutoff unless the policy also forces a disconnect.
Account audit
Looks at the rights and permissions assigned to users and helps enforce the principle of least privilege.
Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing and can be used to re-create an audit trail.
Permission auditing reviews ensure users only have the access they need and no more, and can detect privilege creep (permissions accumulating as users change roles without old ones being removed).
COMPARING AUTHENTICATION SERVICES
A common authentication goal is to ensure unencrypted credentials are not sent across a network to avoid them being captured and analyzed with a protocol analyzer.
SSO
Single Sign-On refers to a user’s ability to log on once and access multiple systems without logging on again. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down, and it’s much more convenient for users to access network resources if they only have to log in once.
EX: If a user needs to access multiple servers within a network to perform normal work. Without SSO they’d need one set of credentials to log in locally and another set of credentials for each of the servers. Many people would write these credentials down. SSO requires strong authentication to be effective, since an attacker gaining access would grant them access to multiple systems.
In a system with SSO capabilities the user logs onto the network once and the SSO system creates some form of secure SSO token used during the entire login session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication.
Kerberos includes SSO capabilities in networks. There are also several SSO alternatives used on the internet.
Kerberos
Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. Kerberos provides mutual authentication, which helps prevent on-path attacks, and uses time-stamped tickets to help prevent replay attacks.
Kerberos includes several requirements for it to work properly:
- A METHOD OF ISSUING TICKETS FOR AUTHENTICATION.
The Key Distribution Center (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC or TGT server packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, as in logical tokens.
i) when a user logs into their workstation or device and authenticates with the Kerberos Authentication Server (AS), they receive a ticket-granting ticket (TGT).
ii) this TGT serves as proof of authentication and allows the user to obtain service tickets from the ticket-granting server (TGS) for accessing various network resources/services.
iii) with the service tickets obtained from the TGS, the user can seamlessly access multiple internal systems, servers, and applications without needing to provide credentials again.
- TIME SYNCHRONIZATION. Kerberos version 5 requires all systems to be synchronized within 5 minutes of each other. Tickets and authenticators are time stamped, so the time stamps are what make tickets expire correctly, and a client whose clock drifts beyond the allowed skew has its requests rejected by the KDC (KRB_AP_ERR_SKEW).
- A DATABASE OF SUBJECTS OR USERS. In a Microsoft environment, this is Active Directory, but it could be any database of users.
ALT: Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (Key Distribution Center) or TGT server to issue timestamped tickets that expire after a certain time period.
METAPHOR: think of Kerberos as a bouncer in a club. The bouncer (the Kerberos server) gives you a stamp (a ticket, called a “ticket-granting-ticket”) that you can show at various doors (servers) to get in without having to prove your identity each time.
Kerberos is a network authentication protocol that uses a trusted third party (the Kerberos server) to authenticate users and provide secure access to network resources without transmitting passwords over the network. It is a form of single sign on.
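The three Kerberos exchanges described on this card (AS, TGS and the final access to a service), the 5-minute skew rule and the replay protection are easier to see running. The following is an added, deliberately miniaturised model written for these notes; it is not Kerberos itself and not code from any Kerberos implementation. It assumes hypothetical `KDC`, `Service` and `Client` classes, a `user_key` string-to-key stand-in, and a toy encrypt-then-MAC construction (`seal`/`open_sealed`, SHA-256 in counter mode plus HMAC) in place of the real AES-based encryption types and ASN.1 messages. The user `alice`, the service principal `cifs/fs01` and all keys are constructed inputs.

```python
"""Kerberos-style ticket exchange in miniature: AS -> TGT, TGS -> service ticket, AP -> service.
Hypothetical model for illustration; real Kerberos uses ASN.1 messages and AES enctypes."""
import hashlib, hmac, json, os

SKEW = 300         # Kerberos v5 tolerates 5 minutes of clock skew
TICKET_LIFE = 600  # short ticket lifetime (seconds) so expiry is easy to demonstrate

def _keystream(key, nonce, n):
    # Toy keystream: SHA-256 in counter mode. Stands in for a real enctype; not for production.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Encrypt-then-MAC a JSON object under `key`: nonce || ciphertext || HMAC-SHA256 tag.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    # Verify the tag, then decrypt. A wrong key or a tampered ticket fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key for the user's long-term key

def _check(ticket, authenticator, now):
    # Shared checks for TGTs and service tickets: expiry, authenticator sealed under the session key, skew.
    if now > ticket["exp"]:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
    auth = open_sealed(bytes.fromhex(ticket["key"]), authenticator)
    if auth["user"] != ticket["user"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("KRB_AP_ERR_BADMATCH / KRB_AP_ERR_SKEW")
    return auth

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one process, as in Active Directory."""
    def __init__(self, users, services):
        self.users, self.services = users, services   # principal -> long-term key
        self.krbtgt = os.urandom(32)                  # key that seals every TGT

    def as_exchange(self, user, preauth, now):
        # AS-REQ with encrypted-timestamp pre-authentication -> TGT plus the session key sealed to the user.
        ukey = self.users[user]
        if abs(now - open_sealed(ukey, preauth)["ts"]) > SKEW:   # decrypting also proves password knowledge
            raise ValueError("KRB_AP_ERR_SKEW: client clock too far from KDC")
        skey = os.urandom(32)
        tgt = seal(self.krbtgt, {"user": user, "key": skey.hex(), "exp": now + TICKET_LIFE})
        return tgt, seal(ukey, {"key": skey.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REQ: valid TGT + authenticator -> service ticket plus its session key sealed to the TGT key.
        t = open_sealed(self.krbtgt, tgt)
        _check(t, authenticator, now)
        svc_key = os.urandom(32)
        ticket = seal(self.services[service], {"user": t["user"], "key": svc_key.hex(), "exp": now + TICKET_LIFE})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key.hex()})

class Service:
    """A server validates tickets with its own key (no KDC round trip) and rejects replayed authenticators."""
    def __init__(self, key):
        self.key, self.seen = key, set()

    def ap_exchange(self, ticket, authenticator, now):
        t = open_sealed(self.key, ticket)
        auth = _check(t, authenticator, now)
        if (auth["user"], auth["ts"]) in self.seen:
            raise ValueError("KRB_AP_ERR_REPEAT: replayed authenticator")
        self.seen.add((auth["user"], auth["ts"]))    # real servers age cache entries out after SKEW
        return t["user"]

class Client:
    """Workstation: log on once (AS), then fetch service tickets (TGS) without re-entering the password."""
    def __init__(self, user, password):
        self.user, self.ukey, self.tickets = user, user_key(password), {}

    def login(self, kdc, now):
        self.tgt, enc = kdc.as_exchange(self.user, seal(self.ukey, {"ts": now}), now)
        self.skey = bytes.fromhex(open_sealed(self.ukey, enc)["key"])

    def get_ticket(self, kdc, service, now):
        auth = seal(self.skey, {"user": self.user, "ts": now})
        ticket, enc = kdc.tgs_exchange(self.tgt, auth, service, now)
        self.tickets[service] = (ticket, bytes.fromhex(open_sealed(self.skey, enc)["key"]))

    def ap_req(self, service, now):
        ticket, key = self.tickets[service]
        return ticket, seal(key, {"user": self.user, "ts": now})

if __name__ == "__main__":
    fs_key = os.urandom(32)    # constructed long-term key of the service principal cifs/fs01
    kdc = KDC({"alice": user_key("correct horse")}, {"cifs/fs01": fs_key})
    alice, fs01, t0 = Client("alice", "correct horse"), Service(fs_key), 1_700_000_000
    alice.login(kdc, t0)
    alice.get_ticket(kdc, "cifs/fs01", t0)
    print("fs01 accepted:", fs01.ap_exchange(*alice.ap_req("cifs/fs01", t0 + 1), t0 + 1))
```

The points the card makes are visible in the code paths: the password is never sent (the client proves it by sealing a timestamp), the file server validates a ticket with its own key and never talks to the KDC, a ticket sealed for one service cannot be opened by another, an expired ticket or a request more than 300 seconds off the KDC clock is refused, and presenting the same authenticator twice is caught by the replay cache.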