Chapter 2 Identity and Access Management

AAA
- Accounting: tracks and logs user activity
- Authorisation: what your proven identification allows you to do
- Authentication: proving an identification (the identification itself is e.g. a username)
  - Something you know
    - Passwords
      - Strength
        - Cracking: password crackers can try 80 billion guesses a second
        - Complexity: use 3 out of the four character types (uppercase, lowercase, digits, symbols)
        - Length: at least 14 characters long
        - Keyspace: complexity (size of the character set) to the power of the password length, e.g. "example" (7 lowercase letters) is 26^7
      - Expiry: passwords should be changed regularly; this can be made a technical requirement
      - Reuse: users will try to cycle back to old passwords. To stop this the system must remember old passwords.
      - Recovery
        - Manual recovery: problematic because then another person knows the password, so the admin should give a temporary one-time password
        - Automated recovery: better and more efficient, but it needs to require authorisation
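The keyspace and cracking-speed figures above can be turned into a small calculator. This is an added example, not part of the original notes: it scores a candidate password by the character classes it actually uses, computes keyspace = alphabet_size ^ length, and converts that into the time a cracker running at the 80 billion guesses/second quoted in the notes would need to exhaust it. The class sizes (26/26/10/33) and the "3 of 4 classes, 14 characters" policy check are assumptions taken from the notes, not from any standard.

```python
# Added example: keyspace and exhaustive-search time for a password policy.
# Character-class sizes are assumed (ASCII letters, digits, and the 33
# printable ASCII punctuation/symbol characters).
CHARSETS = {
    "upper": 26,
    "lower": 26,
    "digit": 10,
    "symbol": 33,
}

GUESSES_PER_SECOND = 80_000_000_000  # the "80 billion a second" figure from the notes


def classes_used(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch.isupper():
            used.add("upper")
        elif ch.islower():
            used.add("lower")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def keyspace(password: str) -> int:
    """Keyspace = (size of the alphabet the password draws from) ** length.

    A password using only lowercase letters and 7 characters long has a
    keyspace of 26 ** 7, matching the "example" case in the notes.
    """
    alphabet = sum(CHARSETS[c] for c in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in the keyspace at `rate` guesses/s."""
    return keyspace(password) / rate


def meets_policy(password: str, min_len: int = 14, min_classes: int = 3) -> bool:
    """The policy from the notes: at least 14 characters and 3 of the 4 classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def report(password: str) -> str:
    """One-line summary useful when explaining the policy to users."""
    secs = seconds_to_exhaust(password)
    return (f"{len(password)} chars, classes={sorted(classes_used(password))}, "
            f"keyspace={keyspace(password):.3e}, exhaust in {secs:.3g} s, "
            f"policy={'pass' if meets_policy(password) else 'FAIL'}")


if __name__ == "__main__":
    # Constructed sample passwords; "example" reproduces the 26^7 case.
    for pw in ("example", "Tr0ub4dor&3", "correct-horse-battery-staple9"):
        print(report(pw))
```

Running the block shows why the notes pair length with complexity: the 7-letter "example" falls in well under a second at 80 billion guesses/s, while a 14-character password over three classes pushes the exhaustive-search time past any practical window.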
  - Something you have
    - Smart cards
      - CACs and PIVs
        - CAC = Common Access Card, used by the US Dept of Defense. Basically a smart card with photo ID
        - PIV = Personal Identity Verification card, used by federal agencies. Includes photo ID
    - Tokens and key fobs: a physical fob that displays a random number
      - HOTP and TOTP
        - HOTP = Hash-based One-Time Password
          - Uses a hashing algorithm to produce a number
          - Con: the code is valid until it is used
        - TOTP = Time-based One-Time Password
          - Pro: passcodes expire after about 30s
          - Otherwise very similar to HOTP
        - Both are open source
  - Something you are
    - Biometrics (Security+ thinks these are the most secure method)
      - Fingerprint. Con: we leave fingerprints everywhere
      - Retina scanner: physically intrusive and can identify medical issues
      - Iris scanner
      - Hand veins
      - The problem with all of these is that they are hard to change
      - Voice recognition
      - Facial recognition. Problems: bad in bad lighting, but some use infrared
      - Biometric errors: CER (crossover error rate)
  - Somewhere you are
    - IPv4 is not super accurate. IPv6 will work even less (WHY?)
    - GPS is better than IPv4
    - Can be faked with VPNs
    - Can be set by computer name or MAC address
  - Something you do
    - Typing
    - Signature
    - Drawing a pattern
    - Gestures

SSO (Single Sign-On)
- Federation: this is when SSO joins networks. An example product is Shibboleth (uses SAML)
- OAuth and OpenID Connect (which uses OAuth 2.0) are open standards for SSO
- Same Sign-On is not SSO: with SSO only one place sees the credentials
- Transitive trust is optional
- SAML (Security Assertion Markup Language): XML-based standard protocol for SSO
  - Three roles: Principal (usually the user), Identity Provider, Service Provider
  - Authentication Server

Protocols
- Kerberos
  - You authenticate to a TGS or KDC to get a TGT (Ticket Granting Ticket). You present this to resources to get tickets to access those resources.
  - Tickets time out
  - Single sign-on
  - Used on Microsoft and UNIX
  - Uses symmetric key encryption
  - Mutual authentication
- LDAP (Lightweight Directory Access Protocol)
  - Microsoft Active Directory is based on LDAP
  - Extension of the X.500 protocol
  - LDAP is a method for querying databases using query strings like CN=Users
- NTLM: old and insecure; used MD4 and MD5, which have been cracked
- TACACS: Cisco built XTACACS and TACACS+

Managing Accounts
- Principle of Least Privilege vs Need to Know
  - Least Privilege is about rights and permissions (so actions)
  - Need to Know is about information and data
- Account types
  - End user account: in Windows this is called "standard"
  - Privileged account: has rights and permissions beyond the basic end user account
  - Guest account: a feature on Windows. Could be used for temps to avoid creating new accounts. Sysadmins generally disable these
  - Service account: used by services/applications, not people. Otherwise the same
  - Admin accounts: a good idea to give admins two accounts, one for day-to-day work and one for elevated stuff
  - Naming conventions: have one, or know the one in place
  - Shared accounts: baaaaaad idea
- Disabling accounts and disablement policy
  - Disable, don't delete! (at first)
    - If you delete an account you may lose access to stuff it had access to (e.g. security keys)
    - Much easier to re-enable than to recover a deleted account
  - Policy should cover
    - Terminated employees
    - Leave of absence (disable while away)
    - Delete after a certain period of time
  - Expiring accounts: can set accounts to auto-expire after a certain amount of time. Useful for temporary contractors
- Account maintenance: as a backstop to check the disablement policy implementation, scripts can be run to check for enabled but inactive accounts

Comparing Access Control Models
- RBAC - Role-Based Access Control (aka hierarchy or job based)
  - Roles with access are created and assigned to users
  - In Windows, roles are implemented as "groups"
  - Matrix: planning doc matching roles to privileges
- RBAC - Rule-Based Access Control
  - Can set user access based on rules
    - e.g. when Marge is on holiday, give Homer admin rights
    - e.g. in response to an attack, lower access for certain accounts
- Discretionary Access Control (DAC)
  - e.g. NTFS (Windows)
  - Every object has an owner, and the owner sets access on the object for everyone
  - The owner has full access; the owner's full access makes trojans a problem
- Mandatory Access Control (MAC)
  - Uses labels, which get assigned to users and objects. If the labels match then the user gets access
  - Establishing access
    - Access decisions are taken by security pros (usually needs approval from another higher up)
    - Access decisions are implemented by an administrator
    - The process is slow and not that flexible
  - Real world usage: SELinux; the military also like using it
- Attribute-Based Access Control (ABAC)
  - Access based on attribute(s) of the user, environment or resource
  - User example: Homer has the attributes employee, inspector, nuclear aware. Access to a server could be given to every user with these attributes
  - Real world example: many SDNs (Software Defined Networks) use ABAC
  - ABAC policies tend to be plain English
  - Four elements: subject, object, action, environment (everything outside of the subject and object)
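The ABAC description above (four elements, plain-English policies, Homer's attributes) can be modelled as a tiny policy engine. This is an added example, not from the original notes: each policy carries its plain-English description plus a condition over subject, object, action and environment, and the engine denies by default and permits only when some policy matches. The attribute names, the "reactor-logs" server, the plant-network and working-hours conditions, and the `under_attack` environment flag (which mirrors the rule-based "lower access during an attack" idea) are all constructed for the example.

```python
# Added example: attribute-based access control over the four ABAC elements.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Request:
    """One access request: who (subject), what (object), doing what (action),
    and everything else (environment: time, network, incident state...)."""
    subject: Dict
    obj: Dict
    action: str
    environment: Dict = field(default_factory=dict)


@dataclass
class Policy:
    description: str                     # the plain-English statement
    allowed_actions: Set[str]
    condition: Callable[[Request], bool]  # True when attributes satisfy the policy


def has_attributes(subject: Dict, required: Set[str]) -> bool:
    return required <= set(subject.get("attributes", []))


# Constructed policy: Homer's attributes from the notes, plus environment limits.
REACTOR_LOGS_POLICY = Policy(
    description=("Employees who are inspectors and nuclear aware may read the "
                 "reactor-logs server from the plant network during working hours, "
                 "unless an attack is in progress"),
    allowed_actions={"read"},
    condition=lambda r: (
        r.obj.get("type") == "server"
        and r.obj.get("name") == "reactor-logs"
        and has_attributes(r.subject, {"employee", "inspector", "nuclear aware"})
        and r.environment.get("network") == "plant-lan"
        and 8 <= r.environment.get("hour", -1) < 18
        and not r.environment.get("under_attack", False)
    ),
)

POLICIES: List[Policy] = [REACTOR_LOGS_POLICY]


def evaluate(request: Request, policies: List[Policy] = POLICIES) -> bool:
    """Deny by default; permit if any policy allows the action and its condition holds."""
    return any(request.action in p.allowed_actions and p.condition(request)
               for p in policies)


def make_request(name: str, attributes: List[str], action: str,
                 hour: int = 10, network: str = "plant-lan",
                 under_attack: bool = False) -> Request:
    """Helper to build a request against the reactor-logs server (constructed data)."""
    return Request(
        subject={"name": name, "attributes": attributes},
        obj={"type": "server", "name": "reactor-logs"},
        action=action,
        environment={"hour": hour, "network": network, "under_attack": under_attack},
    )


HOMER = ["employee", "inspector", "nuclear aware"]
BART = ["employee"]

if __name__ == "__main__":
    print("Homer reads at 10:00 from plant LAN:", evaluate(make_request("homer", HOMER, "read")))
    print("Homer writes:", evaluate(make_request("homer", HOMER, "write")))
    print("Homer from VPN:", evaluate(make_request("homer", HOMER, "read", network="vpn")))
    print("Homer during an attack:", evaluate(make_request("homer", HOMER, "read", under_attack=True)))
    print("Bart reads:", evaluate(make_request("bart", BART, "read")))
```

Note how the environment element carries everything that is neither subject nor object (time of day, network location, incident state), so the same policy text covers both "give access to everyone with these attributes" and "lower access in response to an attack" without touching any user's role membership.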