Lesson 8 Flashcards
Federated Identity Management
- Cloud-based identity management provider enables access to many platforms; similar to Kerberos SSO
• Certificates and smart cards
- Public key cryptography
- Subject identified by a public key, wrapped in digital certificate
- Private key must be kept secure
• Tokens
- Authorizations issued under single sign-on
* Avoids need for user to authenticate to each service
• Identity provider
- Provisions and manages accounts
- Processes authentication
- Federated identity management
• Separation of duties
- Standard operating procedures (SOPs)
- Shared authority
• Least privilege
- Assign sufficient permissions only
- Reduces risk from compromised accounts
• Job rotation
- Distributes institutional knowledge and expertise
* Reduces critical dependencies
• Mandatory vacations
- During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity
• User-assigned privileges
- Assign privileges directly to user accounts
- Unmanageable if number of users is large
• Group-based privileges
- Assign permissions to security groups and assign user accounts to relevant groups
- Issues with users inheriting multiple permissions
Service accounts
- Used by scheduled processes and application server software, such as databases
- Must manage shared service account credentials
Shared/Generic/Device Accounts and Credentials
- Shared accounts
- Accounts whose credentials are known to more than one person
- Generic accounts
- Accounts created by default on OS install
- Only account available to manage a device
- Might use a default password
- Risks from shared and generic accounts
- Breaks principle of non-repudiation
- Difficult to keep credential secure
- Credential policies for devices
- Privilege access management software
• Privileged access management software
- Stores high-risk credentials somewhere other than a spreadsheet
SSH
• Secure Shell (SSH) used for remote access
• Host key identifies the server
• User key pair used to authenticate to server
• Server holds copy of valid users' public keys
• Keys must be actively managed
• Third-party credentials
- Passwords and keys to manage cloud services
- Highly vulnerable to accidental disclosure
Account Password Policy Settings
- Length
- Complexity
- Character combinations
- Aging
- History and reuse
- NIST guidance
- Password hints
Account Restrictions
• Network location
- Connecting from a VLAN or IP subnet/remote IP
- Connecting to a machine type or group (clients versus servers)
- Interactive versus remote logon
• Geolocation
- By IP address
- By Location Services
- Geofencing
- Geotagging
• Time-based restrictions
- Logon hours
- Logon duration
- Impossible travel time/risky login
Geolocation vs geotagging vs geofencing
- Geolocation: determining the location of a user or device (e.g., by IP address or Location Services)
- Geofencing: accepting or rejecting access requests based on location
- Geotagging: the addition of location metadata to files or devices
Account Audits
• Accounting and auditing to detect account misuse
- Use of file permissions to read and modify data
- Failed login or resource access attempts
• Recertification
- Monitoring use of privileges
- Granting/revoking privileges
- Communication between IT and HR
Account Permissions
• Impact of improperly configured accounts
- Insufficient permissions
- Unnecessary permissions
• Escalating and revoking privileges
• Permission auditing tools
Disablement vs lockout
• Disablement
- Login is disabled until manually re-enabled
- Combine with remote logoff
• Lockout
- Login is prevented for a period and then re-enabled
- Policies to enforce automatic lockout
Discretionary vs Role-based access
- Discretionary Access Control (DAC)
- Based on resource ownership
- Access Control Lists (ACLs)
- Vulnerable to compromised privileged user accounts
- Role-Based Access Control (RBAC)
- Non-discretionary and more centralized control
- Based on defining roles then allocating users to roles
- Users should only inherit role permissions to perform particular tasks
File System Security
- Access Control List (ACL)
- Access Control Entry (ACE)
- File system support
- Linux permissions and chmod
- Symbolic (rwx)
- User, group, world
- Octal
- r=4
- w=2
- x=1
Mandatory vs Attribute-based access control
- Mandatory Access Control (MAC)
- Labels applied to objects (secret, top secret) and clearances applied to subjects
- Attribute-Based Access Control (ABAC)
- Access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes
- Conditional access