- 4.0 Identity and Access Management
(James Messer, Jason Dion, Mike Meyers)
- Identification: Who you claim to be (username)
- Authentication: Prove who you say you are (password and other authentication factors)
- Authorization: What access do you have? (what you are allowed to do with which resources)
- Accounting: Resources used; logging
- Something you are
  - Biometric
- Something you have (Type II)
  - Smart card
  - USB token
  - Phone
- Something you know
  - Password
  - PIN
  - Pattern
- Somewhere you are
  - Geography
  - IPv4 address
  - GPS
- Something you do
  - Signature comparison
  - Handwriting
  - Typing technique; delays between keystrokes
- Federation or federated identity is a means of linking a subject’s accounts from several sites, services, or entities in a single account. (Stewart)
  - Partners, suppliers
  - Facebook, Twitter credentials
  - Third parties must establish a trust relationship
  - Authenticate one time and gain access to everything
  - Saves time and hides the complexity of authentication from end users
  - Windows: Kerberos
- Trusts between domains
  - One-way trust: Domain B trusts domain A; domain A does not trust domain B
  - Two-way trust: Both trust each other equally
  - Non-transitive trust: "A trust is specifically created and applies only to that domain."
  - Transitive trust: Domain A trusts B, B trusts C, therefore A trusts C
(James Messer 1, James Messer 2, James Messer 3, Mike Meyers 1, Mike Meyers 2, Mike Meyers 3)
- These are the methods an AAA server uses to authenticate users so that they can gain access
- LDAP: Protocol for reading and writing directories over an IP network; an organized set of records, like a phone directory
  - X.500 specification
  - X.500 Directory Information Tree (DIT)
  - "Lightweight Directory Access Protocol (LDAP) entries are contained in a directory information tree (DIT), which is a hierarchical structure that can be searched for directory information. The start of the LDAP tree is called the root." (uCertify)
  - Hierarchical structure - builds a tree
  - Container objects - country, organization, organizational units
  - Leaf objects - users, computers, printers, files
  - "Common uses of directories include e-mail address lists, domain server data, and resource maps of network resources." (Conklin)
  - Uses tcp/389 and udp/389; when encrypted (LDAPS): tcp/636
  - Microsoft's implementation: Active Directory
- Kerberos: Modern Windows authentication method; provides SSO
  - Mutual authentication; protects against man-in-the-middle and replay attacks
  - Kerberos is a trusted third-party authentication protocol. It uses encryption keys as tickets with time stamps to prove identity and grant access to resources. Kerberos is a single sign-on solution employing a key distribution center (KDC) to manage its centralized authentication mechanism. (Stewart)
  - Port 88
- TACACS: Similar to RADIUS, Terminal Access Controller Access Control System (TACACS) is a remote authentication protocol
  - TACACS is a centralized remote access authentication solution. It’s an Internet standard (RFC 1492); however, Cisco’s proprietary implementations of XTACACS and now TACACS+ have quickly gained popularity as RADIUS alternatives. (Stewart)
  - TACACS -> XTACACS (Cisco) -> TACACS+ (open standard)
  - "TACACS+ is commonly used to control access to networks through Cisco routers." (uCertify)
- Non-Ethernet networks
  - PPP (Point-to-Point Protocol) - dial-up, ISDN
  - PPTP (Point-to-Point Tunneling Protocol) - Windows
  - PPPoE (PPP over Ethernet) - DSL networks
- PAP, CHAP, MS-CHAP: for authenticating over non-Ethernet networks
  - PAP: Password Authentication Protocol (James Messer)
    - Legacy; used in legacy systems, one of the most basic authentication methods
    - No encryption: sends information in the clear
  - CHAP: Challenge-Handshake Authentication Protocol
    - Encrypted challenge sent over the network
    - Three-way handshake
    - "Uses a challenge/response mechanism." (uCertify)
  - MS-CHAP (James Messer)
    - Microsoft's implementation of CHAP
    - Used commonly on Microsoft's PPTP
    - MS-CHAP v2
    - Security issues due to DES
    - Many have migrated to L2TP, IPsec, or other secure VPN technologies
  - "L2TP (Layer Two Tunneling Protocol) implements an unencrypted tunnel between two devices or networks." (uCertify)
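The contrast between PAP and CHAP is easiest to see with both sides' messages written out. The following is an added example, not code from these notes or from any of the cited authors: it simulates a PAP request and a CHAP three-way handshake using the RFC 1994 response formula (MD5 over identifier, secret and challenge). The secret value and the peer/authenticator names are constructed for the example.

```python
import hashlib
import hmac
import os

# Shared secret provisioned on both peers (constructed sample value).
# CHAP never transmits it; PAP transmits the password itself.
SECRET = b"correct horse battery staple"


def pap_authenticate_request(username: str, password: str) -> dict:
    """PAP: the peer sends its username and password as-is.
    Anyone observing the link sees the password."""
    return {"username": username, "password": password}


def chap_challenge(identifier: int) -> dict:
    """Authenticator -> peer: a CHAP Challenge carrying a fresh random value."""
    return {"id": identifier, "challenge": os.urandom(16)}


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Peer -> authenticator: RFC 1994 Response value
    = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Authenticator recomputes the expected hash with its own copy of the secret
    and compares in constant time; Success or Failure is then sent back."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def run_chap(secret_on_peer: bytes, secret_on_authenticator: bytes = SECRET) -> bool:
    """The three-way handshake end to end: Challenge, Response, Success/Failure."""
    msg1 = chap_challenge(identifier=1)                                   # authenticator -> peer
    msg2 = chap_response(msg1["id"], msg1["challenge"], secret_on_peer)   # peer -> authenticator
    return chap_verify(msg1["id"], msg1["challenge"], msg2, secret_on_authenticator)


def captured_response_is_rejected(secret: bytes = SECRET) -> bool:
    """A Response recorded from one handshake is worthless in a later one: the
    challenge value, and therefore the expected hash, differs every time."""
    first = chap_challenge(identifier=7)
    recorded = chap_response(first["id"], first["challenge"], secret)
    later = chap_challenge(identifier=8)
    return not chap_verify(later["id"], later["challenge"], recorded, secret)


if __name__ == "__main__":
    print("PAP request on the wire:", pap_authenticate_request("alice", "hunter2"))
    print("CHAP with matching secrets:", run_chap(SECRET))
    print("CHAP with a wrong secret:", run_chap(b"wrong"))
    print("Recorded response reused later is rejected:", captured_response_is_rejected())
```

The PAP dictionary is literally what crosses the link, which is why the notes call it clear-text; in the CHAP exchange only the random challenge and a hash cross the link, and a recorded hash does not verify against a new challenge.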
- RADIUS (Jason Dion, Mike Chapple)
  - One of the most common AAA protocols, available on almost any server OS
  - Centralizes authentication for users
    - routers, switches, firewalls
    - server authentication
    - remote VPN access
    - 802.1x network access
  - "Connection-less protocol utilizing User Datagram Protocol (UDP) as its transport-level protocol... RADIUS utilizes UDP ports 1812 for authentication and authorization and 1813 for accounting functions. RADIUS is a client/server protocol. The RADIUS client is typically a network access server (NAS)." (Conklin)
  - "Communications between a RADIUS client and RADIUS server are encrypted using a shared secret that is manually configured into each entity and not shared over a connection... Communications between a user (typically a PC) and the RADIUS client are subject to compromise." (Conklin)
  - "Remote Authentication Dial-In User Service (RADIUS) provides centralized remote user authentication, authorization, and accounting." (uCertify)
  - Diameter: "The Diameter protocol is, like RADIUS, another AAA protocol, but is a more evolved protocol and utilizes more reliable transport mechanisms such as TCP and Stream Control Transmission Protocol (SCTP), as opposed to UDP." (uCertify)
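What "encrypted using a shared secret" means in RADIUS is more specific than the quote suggests: only the User-Password attribute is hidden, by XOR with an MD5 key stream derived from the secret and the random Request Authenticator, and replies are authenticated with an MD5 over the packet plus the secret. The block below is an added example (not from these notes or the cited books) implementing those two RFC 2865 computations and a minimal Access-Request encoder/decoder; the shared secret, usernames and passwords are constructed values.

```python
import hashlib
import os
import struct

# Shared secret configured on the NAS and on the RADIUS server (constructed sample).
SHARED_SECRET = b"radius-shared-secret"

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1          # attribute types
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a 16-octet multiple, then
    XOR each block with MD5(secret || previous output block), the first block being
    keyed by the random Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += prev
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the server; strips the NUL padding."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """NAS -> server: Code | Identifier | Length | Request Authenticator | attributes (TLV)."""
    request_authenticator = os.urandom(16)          # fresh random value per request
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, request_authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def server_extract_password(packet: bytes, secret: bytes) -> bytes:
    """Server side: walk the attributes and recover the User-Password."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    request_authenticator = packet[4:20]
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_USER_PASSWORD:
            return unhide_password(packet[pos + 2:pos + attr_len], secret, request_authenticator)
        pos += attr_len
    raise ValueError("no User-Password attribute in packet")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The NAS recomputes this over an Access-Accept/Reject; a reply produced without
    the shared secret fails the comparison."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()
```

Because the hiding is MD5-based XOR rather than real encryption, and nothing but the password attribute is protected, RADIUS traffic is normally confined to a management network or wrapped in IPsec; Diameter's TCP/SCTP transport is one of the things that "more evolved" refers to.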
- SAML: Security Assertion Markup Language
  - You can authenticate through a third party to gain access
  - Wasn't designed for mobile applications
  - You’ve more likely experienced SAML authentication in action in the work environment. For example, it enables you to log into your corporate intranet or IdP and then access numerous additional services, such as Salesforce, Box, or Workday, without having to re-enter your credentials. SAML is an XML-based standard for exchanging authentication and authorization data between IdPs and service providers to verify the user’s identity and permissions, then grant or deny their access to services.
- OpenID Connect is an open standard that organizations use to authenticate users. Identity providers (IdPs) use it so that users can sign in to the IdP and then access other websites and apps without having to log in again or share their sign-in information.
  - If you’ve used your Google account to sign in to applications like YouTube, or Facebook to log in to an online shopping cart, then you’re familiar with this authentication option.
- OAuth is an open standard for authorization that many companies use to provide secure access to protected resources.
  - Significant industry support
  - Provides resource authorization; usually combined with OpenID Connect for authentication
  - If you’ve ever signed up to a new application and agreed to let it automatically source new contacts via Facebook or your phone contacts, then you’ve likely used OAuth 2.0.
- Shibboleth: Open-source implementation of SAML to provide federated SSO
  - SAML defines the standard that Shibboleth uses
- Secure token
  - No session info stored on the server; stateless, just like HTTP
  - After the user authenticates, the app sends a token to the client
  - The client stores the token locally
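A stateless token only works if the server can trust what the client hands back without looking anything up. The added example below (not from these notes; the signing key and claim names are assumptions) issues an HMAC-signed, JWT-like token containing the user, roles and expiry, and verifies it on later requests purely from the token contents and the server's key.

```python
import base64
import hashlib
import hmac
import json
import time

# Signing key held only by the server (constructed sample value).
SERVER_KEY = b"constructed-server-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: list, ttl_seconds: int, key: bytes = SERVER_KEY, now: float = None) -> str:
    """Server -> client after a successful login. The claims travel inside the token;
    nothing about this session is written to server-side storage."""
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": roles, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    signature = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(signature)


def verify_token(token: str, key: bytes = SERVER_KEY, now: float = None):
    """Server on each later request: check the MAC first, then the expiry.
    Returns the claims, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, signature = parts
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(signature)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def with_altered_claims(token: str, **changes) -> str:
    """Rewrite the claims while keeping the old signature; used to show that
    verification notices the mismatch."""
    body, signature = token.split(".")
    claims = json.loads(_unb64(body))
    claims.update(changes)
    new_body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return new_body + "." + signature
```

Since the server keeps no session table, revocation before expiry needs a separate mechanism (short lifetimes plus a refresh step, or a deny list), which is the usual trade-off of token-based schemes.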
- NTLM: "NT LAN Manager (NTLM), also known as Windows Challenge/Response", is an old Windows authentication system
  - Was the "successor to the authentication protocol in Microsoft LAN Manager (LANMAN)" (Conklin)
  - "Both of these suites have been widely replaced by Microsoft’s Kerberos implementation, although NTLM is still used for logon authentication on stand-alone Windows machines." (Conklin)
  - "NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user’s password over the wire, but the cryptography used for this, MD4, is considered weak and deprecated by today’s standards." (Conklin)
  - NTLM2 uses MD5 (not recommended)
  - Some Windows password databases contain LM hash versions for compatibility with older systems
  - Vulnerable to credential forwarding attacks (using the credentials of one PC to gain access to another)
- Policy enforcement: Authorization begins with enforcement, determining whether a user has the right to perform certain actions on a particular resource
- Policy definition: The process of determining what those rights are
- Users receive rights according to an access control model chosen to fit different business needs or mission requirements
(James Messer, Jason Dion, Mike Meyers)
- Authorization is the mechanism that controls what a subject can and can’t do, access, use, or view. Authorization is commonly called access control or access restriction. (Stewart)
- Access control or privilege management can be addressed using one of three primary schemes: user, group, or role. These schemes correspond directly to the access-control methodologies DAC, MAC, and RBAC. (Stewart)
- MAC: Mandatory Access Control (Mike Chapple)
  - Mandatory access control (MAC) is based on classification rules. Objects are assigned sensitivity labels. Subjects are assigned clearance labels. Users obtain access by having the proper clearance for the specific resource. Classifications are hierarchical.
  - MAC hierarchies. Government or military MAC uses the following levels: unclassified, sensitive but unclassified, confidential, secret, and top secret. Private sector or corporate business environment MAC uses these: public, sensitive, private, and confidential. (Stewart)
  - The OS limits operations on an object based on clearance levels
  - Every object gets a label (e.g. confidential, secret)
  - Admin decides who gets what security level; users can't change it
  - Strict
  - "Mandatory access control (MAC) has two common implementations: rule-based access control and lattice-based access control. Lattice-based access control is used for more complex determinations of object access by subjects..." (uCertify)
  - "Determined by a computer system, not by a user or owner"
  - Rule-based access control
    - Compares object label and subject label
  - Lattice-based access control
    - Complex determinations
  - Security-Enhanced Linux (SELinux) is "a set of kernel modifications to Linux that supports DoD-style mandatory access controls such as the requirement for trusted computing base (TCB)." (uCertify)
    - TCB: Trusted Computing Base
      - "Can be described as the set of all hardware and software components critical to a system's security and all associated protection mechanisms." (uCertify)
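The difference between the rule-based and lattice-based forms of MAC comes down to what the label comparison looks at. The following added example (not from these notes or the cited authors) encodes the government hierarchy listed above, a plain level-versus-level check for the rule-based case, and a dominance check over level plus compartments for the lattice case; the compartment names and the object catalogue are constructed.

```python
from dataclasses import dataclass, field

# Government/military hierarchy from the notes, lowest to highest.
LEVELS = ["unclassified", "sensitive but unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)      # frozen: labels are set by the administrator, not edited by users
class Label:
    """A sensitivity label (on objects) or clearance label (on subjects):
    a hierarchical level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: higher-or-equal level AND a superset of compartments."""
        return RANK[self.level] >= RANK[other.level] and self.compartments >= other.compartments


def rule_based_can_read(subject_level: str, object_level: str) -> bool:
    """Rule-based MAC: a single comparison of the two hierarchical labels."""
    return RANK[subject_level] >= RANK[object_level]


def lattice_can_read(subject: Label, obj: Label) -> bool:
    """Lattice-based MAC: level and compartments must both be satisfied (no read up)."""
    return subject.dominates(obj)


def readable_objects(subject: Label, objects: dict) -> list:
    """Names of the objects, from a {name: Label} catalogue, the subject may read."""
    return sorted(name for name, label in objects.items() if lattice_can_read(subject, label))


# Constructed sample catalogue (compartment names OPS and CRYPTO are made up).
OBJECTS = {
    "press_release.txt": Label("unclassified"),
    "staff_list.xlsx": Label("confidential"),
    "ops_plan.pdf": Label("secret", frozenset({"OPS"})),
    "crypto_keys.bin": Label("top secret", frozenset({"CRYPTO"})),
}
```

The lattice check is the "more complex determination" in the uCertify quote: a top-secret clearance without the CRYPTO compartment still cannot read the key file, which a level-only rule would wrongly allow.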
- DAC: Discretionary Access Control (Mike Chapple)
  - "First, every object in the system has an owner, and the owner has control over its access policy; and second, access rights, or permissions, can be assigned by the owner to users to specifically control object access." (uCertify)
  - Used in most OSes
  - Owner controls who else has access (e.g. for the files they created)
  - Owner can modify access
  - Flexible
  - NTFS is an example of this
- RBAC: Role-based access control (Mike Chapple)
  - "Works with sets of permissions, instead of individual permissions that are label-based." (uCertify)
  - Admin determines access
  - Based on role in the organization
    - e.g. manager, director, team lead, project manager
  - Rights are implicit (the admin gives access to the managers group; if directors are in that group they get access too)
  - In Windows, use groups to provide role-based access control
- ABAC: Attribute-based access control (Mike Chapple)
  - Next-generation authorization model
  - Users can have complex relationships to applications and data
  - Aware of context (based on your IP, time of day, geographic location)
  - if-then rules
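Role-based and attribute-based control are easiest to compare when the same request is run through both. The block below is an added example, not code from these notes or the cited authors: roles are modelled as groups whose permissions are unioned (which also illustrates the group-based access control discussed later in these notes), and ABAC is layered on top as if-then conditions over the request's source IP and time. The users, roles, permissions and office network range are all constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample directory: roles (groups) and the permissions attached to them.
ROLE_PERMISSIONS = {
    "employee": {"submit_timesheet"},
    "manager": {"approve_timesheet", "view_team_reports"},
    "director": {"view_budget"},
}
USER_GROUPS = {
    "alice": {"employee", "manager"},
    "bob": {"employee"},
    "carol": {"employee", "manager", "director"},
}


def rbac_permissions(user: str) -> set:
    """Effective rights are the union of every group the user belongs to; with
    grant-only groups, overlapping memberships cannot conflict."""
    perms = set()
    for group in USER_GROUPS.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(group, set())
    return perms


def rbac_allowed(user: str, permission: str) -> bool:
    return permission in rbac_permissions(user)


# ABAC: if-then conditions on context attributes, evaluated after the role check.
OFFICE_NET = ip_network("10.20.0.0/16")   # constructed office address range

ABAC_RULES = [
    # if the request is for budget data, then it must come from the office network ...
    {"permission": "view_budget",
     "condition": lambda ctx: ip_address(ctx["src_ip"]) in OFFICE_NET},
    # ... and arrive during working hours on a weekday
    {"permission": "view_budget",
     "condition": lambda ctx: 8 <= ctx["when"].hour < 18 and ctx["when"].weekday() < 5},
]


def request_context(src_ip: str, year: int, month: int, day: int, hour: int, minute: int = 0) -> dict:
    """Environment attributes of one request (source address and local time)."""
    return {"src_ip": src_ip, "when": datetime(year, month, day, hour, minute)}


def abac_allowed(user: str, permission: str, ctx: dict) -> bool:
    """A request passes only if the role grants the permission AND every ABAC rule
    for that permission holds in the given context."""
    if not rbac_allowed(user, permission):
        return False
    return all(rule["condition"](ctx) for rule in ABAC_RULES if rule["permission"] == permission)
```

Note that a permission with no ABAC rule (submit_timesheet here) falls back to the plain role decision, so adding context conditions is incremental rather than a rewrite of the role model.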
- RBAC: Rule-based access control
  - "Access is determined through system-enforced rules." (Messer)
  - Determined by the system administrator, not users
  - Usually found on firewalls (ACLs); e.g. only the Chrome browser can complete this web form
- Proximity cards
  - Close-range card
  - Contactless smart card
  - Passive device
  - Powered inductively from the reader
  - Not a large data storage device
  - Often used as an identifier
    - Keycard door access, library cards, payment systems
- Smart cards
  - More intelligent
  - Contactless or contact mode
  - Common on credit cards
  - Holds a digital certificate
  - Multifactor - use the card with a PIN
- Biometrics
  - Fingerprint scanner
  - Retinal scanner
    - Unique capillary structure in the back of the eye
  - Iris scanner
    - Texture, color
  - Voice recognition
  - Facial recognition
  - FAR: False acceptance rate
    - "Likelihood an unauthorized user will be accepted." (Messer)
  - FRR: False rejection rate
    - "Likelihood an authorized user will be rejected." (Messer)
  - CER: Crossover error rate
    - Rate at which FAR and FRR are equal
    - "Adjust sensitivity to equalize both values." (Messer)
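FAR, FRR and CER are all functions of one acceptance threshold, which is what "adjust sensitivity" means in practice. The added example below (not from these notes or the cited authors) computes the two rates over a constructed set of genuine and impostor match scores, sweeps the threshold to find the crossover point, and tabulates the trade-off on either side of it.

```python
# Constructed sample match scores from a biometric comparator (1.0 = identical).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.60]   # enrolled users
IMPOSTOR_SCORES = [0.30, 0.45, 0.55, 0.20, 0.65, 0.40, 0.72, 0.35, 0.50, 0.25]  # other people


def error_rates(genuine: list, impostor: list, threshold: float) -> tuple:
    """FAR: share of impostor attempts scoring at or above the threshold (wrongly accepted).
    FRR: share of genuine attempts scoring below it (wrongly rejected)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: list, impostor: list, steps: int = 100) -> tuple:
    """Sweep the threshold from 0 to 1 and return (threshold, FAR, FRR) where the
    two rates are closest: the CER, the usual single-number accuracy figure."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), t, far, frr)
    return best[1:]


def tradeoff_table(genuine: list, impostor: list, thresholds: list) -> list:
    """Rows of (threshold, FAR, FRR): raising the threshold lowers FAR and raises FRR,
    which is how a site picks a setting stricter or looser than the CER."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    print("CER (threshold, FAR, FRR):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    for row in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.66, 0.8, 0.9]):
        print("threshold %.2f  FAR %.2f  FRR %.2f" % row)
```

For a door to a server room one would sit above the CER (lower FAR, more retries for staff); for a consumer phone unlock, below it.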
- "A security token is a small device that generates time-sensitive passwords." (uCertify)
  - Pseudo-random token generators
    - Hardware
    - Software
  - One-time passwords
    - "RSA tokens (and other tokens, for that matter) can provide a user with an OTP (one-time password)." (uCertify)
- HOTP
  - uCertify
    - "Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens." (uCertify)
  - Messer
    - HMAC-based one-time password algorithm
    - Keyed-hash message authentication code (HMAC)
    - "The keys are based on a secret key and a counter." (Messer)
- TOTP: Time-based one-time password algorithm
  - "The Time-based One-Time Password (TOTP) algorithm is a specific implementation of an HOTP that uses a secret key with a current timestamp to generate a one-time password." (Conklin)
  - Timestamps are synchronized via NTP
- Certificate-based authentication: smart cards are an example; the private key is on the card
  - "A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. Using a digital certificate is a verifiable means of establishing possession of an item, specifically the certificate." (Conklin)
  - PIV
    - "The Personal Identity Verification (PIV) card is a U.S. government smart card that contains the cardholder’s credential data used to determine access to federal facilities and information systems." (Conklin)
    - "Certificate-based smart card issued to non-military federal employees and contractors." (uCertify)
  - CAC/smart card
    - "The Common Access Card (CAC) is a smart card used by the U.S. Department of Defense (DoD) for active-duty military, Selected Reserve members, DoD civilians, and eligible contractors. Like the PIV card, it is used for carrying the cardholder’s credential data, in the form of a certificate, used to determine access to federal facilities and information systems." (Conklin)
- IEEE 802.1x
  - “802.1x is a port-based authentication mechanism. It’s based on EAP and is commonly used in closed-environment wireless networks. However, 802.1x isn’t exclusively used on WAPs; it can also be used on firewalls, proxies, VPN gateways, and other locations where an authentication handoff service is desired. Think of 802.1x as an authentication proxy.” (Stewart)
  - "802.1X acts through an intermediate device, such as an edge switch, enabling ports to carry normal traffic if the connection is properly authenticated. This prevents unauthorized clients from accessing the publicly available ports on a switch, keeping unauthorized users out of a LAN." (Conklin)
(Mike Meyers 1, Mike Meyers 2, Mike Chapple)
- File systems
  - Most OSes keep an ACL or group/user rights and permissions on stored files
  - "Can be centrally administered and/or users can manage files they own." (Messer)
  - Encryption can be built in
  - Implicit deny: a rule in an ACL that blocks all traffic that hasn’t been explicitly allowed; the implicit deny rule is the last rule in an ACL
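Implicit deny is simply what happens when a first-match rule list runs out of rules. The block below is an added example (not from these notes or the cited authors) of the rule-based, firewall-style ACL evaluation described under access control models earlier in these notes and the implicit deny described here: it walks a constructed ACL top to bottom, reports which rule decided each packet, and collects the packets that fell through to the implicit deny, which is the first thing to look at when a needed flow stops working. Addresses, ports and rules are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL, evaluated top to bottom, first match wins.
ACL = [
    {"action": "deny",   "proto": "any", "src": "10.0.5.0/24", "dst": "0.0.0.0/0",     "dport": None},  # quarantined subnet
    {"action": "permit", "proto": "tcp", "src": "10.0.0.0/8",  "dst": "192.0.2.10/32", "dport": 443},   # intranet web
    {"action": "permit", "proto": "udp", "src": "10.0.0.0/8",  "dst": "192.0.2.53/32", "dport": 53},    # DNS
    {"action": "permit", "proto": "tcp", "src": "10.0.0.0/8",  "dst": "0.0.0.0/0",     "dport": 80},    # outbound HTTP
]


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Every field of the rule must match the packet; None in dport means any port."""
    return ((rule["proto"] == "any" or rule["proto"] == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))


def evaluate(acl: list, pkt: dict) -> tuple:
    """Return (action, reason). Anything no rule explicitly matches falls through
    to the implicit deny at the end of the list."""
    for number, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule["action"], f"rule {number}"
    return "deny", "implicit deny"


def implicit_deny_hits(acl: list, packets: list) -> list:
    """Packets that reached the implicit deny. Reviewing these shows whether the
    ACL is missing a needed permit or is quietly doing its job."""
    return [pkt for pkt in packets if evaluate(acl, pkt) == ("deny", "implicit deny")]


# Constructed sample traffic, as a firewall would see it.
SAMPLE_TRAFFIC = [
    {"proto": "tcp", "src": "10.1.2.3",   "dst": "192.0.2.10",   "dport": 443},
    {"proto": "tcp", "src": "10.0.5.9",   "dst": "192.0.2.10",   "dport": 443},
    {"proto": "udp", "src": "10.1.2.3",   "dst": "192.0.2.53",   "dport": 53},
    {"proto": "tcp", "src": "10.1.2.3",   "dst": "198.51.100.7", "dport": 22},
    {"proto": "tcp", "src": "172.16.0.4", "dst": "198.51.100.7", "dport": 80},
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(pkt, "->", evaluate(ACL, pkt))
```

Rule order matters: the quarantine deny sits first so that it overrides the later permits for the same hosts, and the two SSH and non-10/8 packets are dropped without any rule naming them.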
- Databases
  - Username, password, permissions
  - Most databases support encryption
  - Data integrity is usually an option - prevents data loss
  - Prevent SQL injection
- Managing Accounts (Mike Chapple)
  - Least privilege
    - The principle of least privilege: users are granted only the access needed to do their job
  - Need to know
    - The principle of need to know is similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job
(James Messer, Mike Meyers, Mike Chapple)
- User account
  - "An account on a computer associated with a specific person." (Messer)
  - Has limited access to the OS
- Shared and generic accounts/credentials
  - May be used by more than one person
    - e.g. guest account
  - Difficult to create an audit trail
  - Password management is difficult
  - Don't do it
- Guest accounts
- Service accounts
  - "Used exclusively by services running on a computer." (Messer)
    - e.g. web server, database server
  - Need to determine the password policy
  - Access can be defined for a specific service (web server vs. DB server)
- Privileged accounts
  - Elevated access
    - Administrator, root
  - Needs to be highly secured
    - Strong passwords, 2FA
  - Least privilege
    - Bare minimum; only what's needed to complete the objective
- Onboarding
  - Hires, transfers
  - IT agreements
  - Create accounts
  - Provide hardware
- Off-boarding
  - Process should be pre-planned
  - Account deactivated, not deleted
- Permission auditing and review
  - Make it routine
  - Consider a tool for log analysis
  - "Does everyone have the correct permissions?" (Messer)
  - Scheduled recertification
- Usage auditing and review
  - How are resources used?
  - Are systems secure?
  - Time-of-day restrictions
- Recertification
  - "Recertification is the process of examining a user's permissions and determining if they still need access to what was previously granted." (uCertify)
  - "The best reason to recertify is to audit permissions." (Dion)
  - "The most important principle in managing account permissions is the account recertification." (Dion)
- Standard naming convention
  - Username should be unique
  - "Usernames should not describe a role or status." (Messer)
  - "Use the same username for the duration of employment." (Messer)
  - Memorable
- Account maintenance
  - Resets
  - Forced updates
  - Audits
  - Deprovisioning
- Group-based access control
  - Set privileges based on what you do
  - Put users in groups
  - Set privileges on the group
  - Add/remove users to/from the group
  - Users can belong to multiple groups with overlapping permissions
    - Avoid conflicting implicit permissions
- Location-based policies
  - GPS (mobile devices): accurate
  - 802.11 wireless: less accurate
  - IP address: not very accurate
  - In/out of office
  - Rules which block traffic from a country
- Credential management
  - "Refers to the processes, services, and software used to store, manage, and log the use of user credentials." (Conklin)
  - Passwords must not be embedded in the application (keep them on the server side instead)
  - Communication across the network should be encrypted
- Group policy
  - Linked to AD administrative boundaries
  - Add or remove programs
  - Prohibit changes
  - Specify minimum password length
  - Group Policy Objects (GPOs)
    - "GPOs act through a set of registry settings that can be managed via the enterprise." (Conklin)
- Password complexity
  - No single words
  - Mix upper and lower case
  - Use special characters
- Expiration
  - "Account expiration should occur when a user is no longer authorized to use a system." (Conklin)
  - All passwords should expire (Messer)
- Recovery
  - Should not be trivial
- Disablement
  - "Whenever an employee leaves a firm, all associated accounts should be disabled to prevent further access by the ex-employee. Disabling is preferable to removal as removal may result in permission and ownership problems. Removing an account can orphan items that remain without other forms of ownership, making it more difficult to share the former employee’s files." (Conklin)
- Lockout
  - "Account lockout is akin to disablement, although lockout typically refers to temporarily blocking the user’s ability to log in to a system. For example, if a user mistypes her password a certain number of times, she may be forced to wait a set amount of time while her account is locked out before attempting to log in again." (Conklin)
- Password history
  - "Tells the system how many passwords to remember and does not allow a user to reuse an old password in that list." (Conklin)
- Password reuse
  - Prevent password reuse
- Password length
  - Strong: at least 8 characters
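The complexity, history, expiration and lockout settings above all interact on one account record, which is clearer in code than as separate bullets. The following added example (not from these notes or the cited authors) implements them together: a complexity check with the 8-character minimum from the notes, salted PBKDF2 hashes kept as history so old passwords can be refused without storing them in the clear, an age check for expiration, and a temporary lockout after repeated failures. The policy numbers other than the minimum length, the common-word list and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values (the notes' 8-character minimum, plus typical settings).
POLICY = {
    "min_length": 8,
    "history": 5,              # remembered old passwords that may not be reused
    "max_age_days": 90,        # expiration
    "lockout_threshold": 5,    # failed attempts before lockout
    "lockout_seconds": 900,    # temporary lockout duration
}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}   # tiny constructed deny list
PBKDF2_ROUNDS = 50_000


def check_complexity(password: str, min_length: int = POLICY["min_length"]) -> list:
    """Return the list of policy violations (empty means the password is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if password.lower() in COMMON_WORDS:
        problems.append("single common word")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("no mix of upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """One user account with password history, expiration and lockout state.
    `now` is passed in as Unix seconds so the behaviour is reproducible."""

    def __init__(self, username: str, password: str, now: float):
        self.username = username
        self.history = []          # (salt, hash) pairs, newest last
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until = 0.0
        problems = self.set_password(password, now)
        if problems:
            raise ValueError("initial password rejected: " + ", ".join(problems))

    def set_password(self, password: str, now: float) -> list:
        """Apply complexity and history rules; returns the violations, empty on success."""
        problems = check_complexity(password)
        if problems:
            return problems
        for salt, old_hash in self.history[-POLICY["history"]:]:
            if hmac.compare_digest(old_hash, hash_password(password, salt)):
                return ["reuse of a recent password"]
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.changed_at = now
        return []

    def login(self, password: str, now: float) -> str:
        """Returns 'ok', 'expired', 'bad password' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        salt, current_hash = self.history[-1]
        if hmac.compare_digest(current_hash, hash_password(password, salt)):
            self.failed_attempts = 0
            if now - self.changed_at > POLICY["max_age_days"] * 86400:
                return "expired"      # correct, but must be changed before use
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= POLICY["lockout_threshold"]:
            self.failed_attempts = 0
            self.locked_until = now + POLICY["lockout_seconds"]
            return "locked"
        return "bad password"
```

The lockout returns the same "locked" answer whether or not the password was right, so an attempt during the lockout window leaks nothing about the password; the history check compares against stored salted hashes, so enforcing reuse rules never requires keeping old passwords recoverable.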