CISSP Domain 5: Identity and Access Management (Controlling access and managing identity)
Authentication Methods
Type 1 Authentication: Something you Know
:notebook_with_decorative_cover: Type 1 authentication requires testing the subject with some sort of challenge and response where the subject must respond with a knowledgeable answer.
:pencil2: Static passwords
:pencil2: Passphrases
:pencil2: One-time passwords
:pencil2: Dynamic passwords
:crossed_swords:Attacks against Type 1 Authentication
:crossed_swords::pencil2: Password guessing (online attack)
:shield: :pencil2: Account lockouts
:crossed_swords::pencil2: Password cracking (offline attack)
:notebook_with_decorative_cover: Hashing and general attack context. "While hashes may not be reversed, an attacker may run the hash algorithm forward many times, selecting various possible passwords, and comparing the output to a desired hash, hoping to find a match (and therefore deriving the original password)."
:crossed_swords::pencil2: Dictionary Attacks
:notebook_with_decorative_cover: uses a word list, which is a predefined list of words, each of which is hashed. If the cracking software matches the hash output from the dictionary attack to the password hash, the attacker has successfully identified the original password.
:crossed_swords::pencil2: hybrid attack
:notebook_with_decorative_cover: appends, prepends, or changes characters in words from a dictionary before hashing in order to attempt the fastest crack of complex passwords. For example, an attacker may have a dictionary of potential system administrator passwords but also replaces each letter 'o' with the number '0'.
:crossed_swords::pencil2: brute-force attacks
:notebook_with_decorative_cover: take more time, but are more effective. The attacker calculates the hash outputs for every possible password. Just a few years ago, basic computer speed was still slow enough to make this a daunting task. However, with the advances in CPU speeds and parallel computing, the time required to execute brute-force attacks on complex passwords has been considerably reduced.
:crossed_swords::pencil2: Rainbow tables
:notebook_with_decorative_cover: act as a database that contains the precomputed hashed output for most or all possible passwords. Rainbow tables take a considerable amount of time to generate and are not always complete: they may not include all possible password/hash combinations. Though rainbow tables act as a database, they are more complex under the hood, relying on a time/memory tradeoff to represent and recover passwords and hashes.
:shield: Store password hashes
:shield: Store encrypted passwords (Not considered appropriate)
:shield: Salt Hashes
:dart: A salt ensures that the same password will hash differently when used by different users. This method offers the advantage that an attacker must hash the same word multiple times (once for each salt or user) in order to mount a successful password-guessing attack.
:dart: A salt is added to the hashing process to force uniqueness of the hashes and increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables while slowing down dictionary and brute-force attacks.
https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
What's a good salt?
Credential specific ("Generate a unique salt upon creation of each stored credential (not just per user or system-wide)" (OWASP))
Cryptographically strong ("Use cryptographically-strong random data." (OWASP))
Notes
A longer salt effectively increases the computational complexity of attacking passwords, which in turn increases the candidate set exponentially. A longer salt also increases the space required to store rainbow tables while decreasing the possibility that such a table exists in the wild.
Scheme security does not depend on hiding, splitting, or otherwise obscuring the salt.
Simply put, do not mess with the salt: it does not need to be encrypted, for example. Salts are in place to prevent someone from cracking passwords at large and can be stored in cleartext in the database next to the hashes. However, we do not want to make the salts readily accessible to the public; for that reason, usernames are bad candidates to use as salts.
:shield: Pepper Hashes
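As an added example (not code from the original notes or from the linked Auth0 article), the following Python ties the salt and pepper points above together: a per-credential random salt from os.urandom, PBKDF2 as the slow hash, a constructed pepper folded in with HMAC, constant-time verification, and a comparison of what an unsalted store gives away when two users share a password. The PEPPER value, the iteration count and the sample users are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed demo pepper. A real pepper is a server-side secret kept apart
# from the database (KMS, HSM or protected config), never stored next to the
# hashes the way the salt is.
PEPPER = b"constructed-demo-pepper-do-not-reuse"
ITERATIONS = 100_000  # PBKDF2 work factor; tune upward per current OWASP guidance


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a per-credential random salt and a pepper.

    The salt is 16 bytes from os.urandom (cryptographically strong and unique
    per stored credential, as OWASP recommends). The pepper is mixed in with
    HMAC so a copied table of salts and digests cannot be verified offline
    without the server secret.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def group_unsalted(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames by a bare, unsalted SHA-256 of their password.

    Equal passwords yield equal digests, so one precomputed (rainbow) table
    entry or one cracked digest reveals every user sharing that password.
    """
    groups: Dict[str, List[str]] = {}
    for user, pw in users.items():
        groups.setdefault(hashlib.sha256(pw.encode()).hexdigest(), []).append(user)
    return groups


def group_salted(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Same grouping with per-credential salts: shared passwords no longer collide."""
    groups: Dict[str, List[str]] = {}
    for user, pw in users.items():
        _, digest = hash_password(pw)
        groups.setdefault(digest.hex(), []).append(user)
    return groups


# Constructed sample credential store: two users picked the same password.
SAMPLE_USERS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "correct horse"}

if __name__ == "__main__":
    print("unsalted groups:", {k[:12]: v for k, v in group_unsalted(SAMPLE_USERS).items()})
    print("salted groups:  ", {k[:12]: v for k, v in group_salted(SAMPLE_USERS).items()})
    salt, digest = hash_password("Winter2024!")
    print("verify correct:", verify_password("Winter2024!", salt, digest))
    print("verify wrong:  ", verify_password("winter2024!", salt, digest))
```

With the unsalted grouping alice and bob land in the same bucket; with salts every user gets a distinct digest, and the pepper means even the salted digests are useless to someone who only has the database.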
Type 2 Authentication: Something you Have
:notebook_with_decorative_cover: Type 2 authentication (something you have) requires that users possess something, such as a token, which proves they are an authenticated user. A token is an object that helps prove an identity claim.
:pencil2: Synchronous dynamic token
:pencil2: Time-based
:notebook_with_decorative_cover: use time or counters to synchronize a displayed token code with the code expected by the authentication server (AS)
:pencil2: Counter-based
:notebook_with_decorative_cover: use a simple counter; the AS expects token code 1, and the user's token displays the same code 1. Once used, the token displays the second code, and the server also expects token code 2.
:pencil2: Asynchronous dynamic token
Type 3 Authentication: Something you Are
:notebook_with_decorative_cover: is biometrics, which uses physical characteristics as a means of identification or authentication.
Establish an identity
For example, an airport facial recognition system may be used to establish the identity of a known terrorist.
authenticate or prove an identity claim
For example, a fingerprint scanner may be used to authenticate the identity of a subject who makes the identity claim and then swipes his/her finger to prove it.
Biometric enrollment and throughput
:notebook_with_decorative_cover: :pencil2: Enrollment describes the process of registering with a biometric system, which involves creating an account for the first time.
Users typically provide their username (identity) and a password/PIN, followed by biometric information.
:notebook_with_decorative_cover: :pencil2: Throughput describes the process of authenticating to a biometric system.
a.k.a. :pencil2: Biometric system response time
Accuracy of biometric systems
:pencil2: False Reject Rate (FRR)
a.k.a :pencil2: Type 1 Error
:notebook_with_decorative_cover: A false rejection occurs when an authorised subject is rejected by the biometric system as unauthorised.
:pencil2: False Accept Rate (FAR)
a.k.a :pencil2: Type 2 Error
:notebook_with_decorative_cover: A false acceptance occurs when an unauthorised subject is accepted as valid
False accept is worse than false reject
:pencil2:Crossover error rate (CER)
a.k.a :pencil2: equal error rate (EER)
:notebook_with_decorative_cover: The CER describes the point where the FRR and FAR are equal. The CER describes the overall accuracy of a biometric system
Types of biometric controls
:pencil2: Fingerprints
:pencil2: Retina Scan
Rarely used because of health risks (risk of exchange of bodily fluids) and privacy issues (Can identify conditions such as pregnancy and diabetes).
:pencil2: Iris Scan
:pencil2: Hand geometry
:pencil2: Keyboard Dynamics
:pencil2: Dynamic Signature
:pencil2: Voiceprint
:pencil2: Facial Scan
Someplace you are
:notebook_with_decorative_cover: A key concept for implementing any type of access control is the proper authentication of subjects.
Step 1: Subject identifies themselves (this cannot be trusted alone).
:pencil2: Credential Set - term used for the combination of both identification and authentication of a user.
Step 2: Subject authenticates by providing an assurance that the claimed identity is valid.
Someplace you are
GPS
IP address-based geolocation
physical location (for example point-of-sale purchase)
:notebook_with_decorative_cover:The purpose of access management is to allow authorised users access to appropriate data and deny access to unauthorised users.
Access Control Technologies
:pencil2:Centralised Access Control
Concentrates access control in one logical point for a system or organisation
Systems authenticate via a 3rd party Authentication Server (AS)
can be used to provide single sign-on (SSO), where a subject may authenticate once, then access multiple systems
:pencil2:Single Sign On
:notebook_with_decorative_cover: Allows users to authenticate once and have access to multiple different systems.
:warning: SSO may allow an attacker to gain access to multiple resources after compromising one authentication method.
:pencil2:Federated Identity Management
:notebook_with_decorative_cover: applies SSO at a much wider scale: ranging from cross-organisation to Internet scale.
a.k.a. :pencil2: identity management (IdM)
:satellite: SAML
:satellite: OpenID
:pencil2:Decentralised access control
a.k.a :pencil2: distributed access control
:warning:This model provides more local power because each site has control over its data. Different sites may employ different access control models, different policies, and different levels of security, leading to an inconsistent view.
:shield: User entitlement, access review, and audit
:pencil2: Access aggregation
:notebook_with_decorative_cover: occurs as individual users gain more access to more systems.
Can happen intentionally
function of SSO
:warning:Can happen unintentionally
because users often gain new entitlements, also called access rights, as they take on new roles or duties.
:warning::pencil2: Authorisation creep
:notebook_with_decorative_cover: in which users gain more entitlements without shedding the old ones
:warning: The power of these entitlements can compound over time, defeating controls such as least privilege and separation of duties
:shield: User entitlements must be routinely reviewed and audited. Processes should be developed that reduce or eliminate old entitlements as new ones are granted.
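An added example (not from the original notes) of the entitlement review in Python, run over a constructed set of users, role baselines and separation-of-duties rules: it flags entitlements a user still holds from a previous role (authorisation creep) and toxic combinations that defeat separation of duties, and shows the revocation step that trims a user back to the current role. All role names, entitlement names and users are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role baselines: the entitlements each role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ticket.read", "ticket.write", "user.password_reset"},
    "sysadmin": {"server.login", "backup.restore", "ticket.read"},
    "accounts_payable": {"invoice.create"},
    "treasury": {"payment.release"},
}

# Constructed separation-of-duties rules: pairs no single user should hold.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("invoice.create", "payment.release"),
    ("backup.restore", "user.password_reset"),
]


@dataclass
class User:
    name: str
    current_role: str
    entitlements: Set[str]


def stale_entitlements(user: User) -> Set[str]:
    """Entitlements held that the current role's baseline does not require:
    the usual footprint of authorisation creep after a role change."""
    return user.entitlements - ROLE_BASELINE.get(user.current_role, set())


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Toxic combinations the user currently holds."""
    return [(a, b) for a, b in SOD_CONFLICTS
            if a in user.entitlements and b in user.entitlements]


def review(users: List[User]) -> Dict[str, dict]:
    """Review report keyed by username; empty findings mean no action needed."""
    return {u.name: {"stale": stale_entitlements(u), "sod": sod_violations(u)}
            for u in users}


def revoke_stale(user: User) -> User:
    """Remediation: trim the user back to the current role's baseline."""
    return User(user.name, user.current_role,
                user.entitlements & ROLE_BASELINE.get(user.current_role, set()))


# Constructed users: dana moved helpdesk -> sysadmin and eli moved
# accounts_payable -> treasury; both kept their old entitlements.
SAMPLE_USERS: List[User] = [
    User("dana", "sysadmin", {"server.login", "backup.restore", "ticket.read",
                              "ticket.write", "user.password_reset"}),
    User("eli", "treasury", {"payment.release", "invoice.create"}),
    User("fay", "helpdesk", {"ticket.read", "ticket.write", "user.password_reset"}),
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_USERS).items():
        print(name, "stale:", sorted(findings["stale"]), "SoD:", findings["sod"])
    print("eli after revocation:", sorted(revoke_stale(SAMPLE_USERS[1]).entitlements))
```

Both role changes leave the user with a combination that would have been refused at hire time; the review only catches them because it compares what is held against what the current role needs, rather than trusting that old grants were removed.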
:satellite: Identity as a Service
LDAP
:satellite: X.500 Directory (Related but not explicitly clear on how)
:notebook_with_decorative_cover: X.500 is a series of computer networking standards covering electronic directory services.
X.500 is based on OSI. LDAP is built for TCP/IP but keeps X.500 'structure'?
Looks like an X.500 standard directory and uses LDAP to access that directory.
:satellite: Examples
Apple Open Directory
Novell eDirectory
Windows: Active Directory
OpenLDAP
Facts
TCP/IP (TCP/389 and UDP/389)
:shield: LDAP v3
Simple Authentication and Security Layer (SASL)
Option: No authentication -> Anonymous access is granted
:shield: (NOT CONSIDERED APPROPRIATE) Option: Simple authentication -> client provides DN and password (as plaintext)
:shield: Option: Simple Authentication and Security Layer -> Client and server negotiate a security mechanism (Kerberos, TLS)
:shield: :satellite: Kerberos
:closed_lock_with_key: Uses symmetric key cryptography and requires trusted third-party authorisation to verify user identities (requires three entities to authenticate).
:cityscape: Default authorisation technology used by MS Windows
Implementations exist in:
Single Sign On (SSO)
Key Aspects
strong cryptography
third-party ticket authorisation
Mutual authentication
:crossed_swords:
:crossed_swords:Pass-the-ticket: the process of forging a session key and presenting that forgery to the resource as credentials
:crossed_swords:Golden Ticket: A ticket that grants a user domain admin access
:crossed_swords: Silver Ticket: A forged ticket that grants access to a service
:crossed_swords: Credential stuffing/brute force: continued attempts to guess a password
:crossed_swords: Encryption downgrade with Skeleton Key malware: malware that can bypass Kerberos, but the attacker must already have admin access
:crossed_swords: DCShadow attack: a newer attack in which attackers gain enough access inside a network to set up their own DC to use in further infiltration
:scroll: RFC 4120
https://www.youtube.com/watch?v=_msfQmCEv4I
:shield: :satellite: TLS
Typically two levels of access
read-only (query)
read-write (update)
Kerberos
SESAME
Access Control Protocols and Frameworks
:pencil2: RADIUS
succeeded by
:pencil2: Diameter
:pencil2: TACACS and TACACS+
:pencil2: PAP and CHAP
Legend to icons and text
:pencil2: Bold Text
Key term
:notebook_with_decorative_cover: Key definition / definition
:crossed_swords: An attack
:shield: Safeguard / Security Control
:satellite: Technology
:closed_lock_with_key: cryptography related
:cityscape: Examples of where and when used
:scroll:Standards
Access Control Models
:pencil2: Discretionary Access Controls (DAC)
Example:
Standard UNIX and Windows operating systems use DAC for file systems; subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.
:notebook_with_decorative_cover: gives subjects full control of objects they have created or have been given access to, including sharing the objects with other subjects.
:pencil2: Mandatory Access Controls
MAC systems are usually focused on preserving the confidentiality of data.
:notebook_with_decorative_cover: is a system-enforced access control based on a subject's clearance and an object's labels.
:pencil2:Nondiscretionary Access Control
:pencil2: Role-based access control (RBAC)
:notebook_with_decorative_cover:defines how information is accessed on a system based on the role of the subject. Subjects are grouped into roles, and each defined role has access permissions based upon the role, not the individual.
:pencil2:Task-based access control
:notebook_with_decorative_cover: is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket.
:pencil2:Rule-based Access Controls
:notebook_with_decorative_cover:uses a series of defined rules, restrictions, and filters for accessing objects within a system.
Example: a proxy firewall controlling user access to the WWW
Content and Context Dependent Access Controls
:pencil2: Content-dependent access control
:notebook_with_decorative_cover:adds additional criteria beyond identification and authentication; that is, the actual content the subject is attempting to access.
Example: HR records
:pencil2: Context-dependent access control
:notebook_with_decorative_cover: applies additional context before granting access.
Example: time of day
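An added example (not from the original notes) putting the models side by side in Python, with constructed subjects, labels, roles and ACLs: MAC as a system-enforced clearance-versus-label check (the no-read-up / no-write-down rules of Bell-LaPadula, an assumption beyond the notes' text), RBAC as permissions attached to roles rather than individuals, a context-dependent time-of-day check layered on top, and DAC where only an object's owner can share it. The authorize chain and all names in it are constructed for the demo.

```python
from enum import IntEnum
from typing import Dict, Set, Tuple


# --- Mandatory access control: system-enforced labels versus clearances ---
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Constructed labels and clearances for the example.
OBJECT_LABELS: Dict[str, Level] = {"hr/salaries.csv": Level.CONFIDENTIAL,
                                   "wiki/menu": Level.PUBLIC}
CLEARANCES: Dict[str, Level] = {"alice": Level.SECRET, "bob": Level.INTERNAL}


def mac_allows(subject: str, obj: str, action: str) -> bool:
    """Confidentiality rules (Bell-LaPadula, assumed here): a subject may read
    only objects its clearance dominates and write only to objects labelled at
    or above its clearance, so data never flows from a higher label to a lower one."""
    clearance, label = CLEARANCES[subject], OBJECT_LABELS[obj]
    return clearance >= label if action == "read" else clearance <= label


# --- Role-based: permissions attach to roles, subjects are grouped into roles ---
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "hr_analyst": {("hr/salaries.csv", "read")},
    "staff": {("wiki/menu", "read")},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"hr_analyst", "staff"}, "bob": {"staff"}}


def rbac_allows(subject: str, obj: str, action: str) -> bool:
    return any((obj, action) in ROLE_PERMS[role] for role in USER_ROLES.get(subject, set()))


# --- Context-dependent: the same permission is valid only during office hours ---
def context_allows(hour: int, start: int = 8, end: int = 18) -> bool:
    return start <= hour < end


def authorize(subject: str, obj: str, action: str, hour: int) -> Tuple[bool, str]:
    """Nondiscretionary decision chain; returns (decision, layer that decided)."""
    if not mac_allows(subject, obj, action):
        return False, "mac"
    if not rbac_allows(subject, obj, action):
        return False, "rbac"
    if not context_allows(hour):
        return False, "context"
    return True, "allow"


# --- Discretionary: the object's owner, not the system, decides who may access ---
OWNERS: Dict[str, str] = {"notes/bob.txt": "bob"}
ACLS: Dict[str, Set[str]] = {"notes/bob.txt": set()}


def dac_grant(granter: str, obj: str, grantee: str) -> bool:
    """Only the owner may share an object; anyone else's grant is refused."""
    if OWNERS.get(obj) != granter:
        return False
    ACLS.setdefault(obj, set()).add(grantee)
    return True


def dac_allows(subject: str, obj: str) -> bool:
    return OWNERS.get(obj) == subject or subject in ACLS.get(obj, set())


if __name__ == "__main__":
    print(authorize("alice", "hr/salaries.csv", "read", 10))  # (True, 'allow')
    print(authorize("bob", "hr/salaries.csv", "read", 10))    # (False, 'mac')
    print(authorize("alice", "hr/salaries.csv", "read", 22))  # (False, 'context')
    print(dac_grant("alice", "notes/bob.txt", "carol"),       # False: not the owner
          dac_grant("bob", "notes/bob.txt", "carol"))         # True
```

The order of the chain is the point: the MAC label check is enforced by the system before any role or owner decision is consulted, which is what distinguishes it from DAC, where bob's grant alone is enough to open his file to carol.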