Security+ Domain 4.0: Identity and Access Management: Chapter 18


Chapter 18: Identity, Access and Accounts

Authentication, Authorization & Accounting (AAA)

Know For The Security+ Test: The three “pillars” or “foundations” of information security are Authentication (proving who you are), Authorization (what you are then allowed to do, enforced through access control) and Accounting (recording what you actually did, i.e. auditing). The mnemonic “AAA” may help you remember.

Something You Know – A password, PIN, or mother’s maiden name

Something You Have – A key, smart card, ID card or hardware token

Something You Are – Unique physical characteristics like a fingerprint or retina pattern

Something You Do – Behavioural characteristics like typing rhythm, gait or the way you sign your name

Somewhere You Are – Your location, e.g. a GPS position or the network/IP address you connect from

Multifactor – Combining factors from two or more different categories. Two factors from the same category (a password and a PIN, both “something you know”) is still single-factor.

Username and Password – (what you know)

This is the most common authentication method.

This is also the weakest.

Tokens (what you have)

This can be a plastic card with either a magnetic stripe or an embedded chip, a USB device, or a key-fob device like an RSA SecurID token that displays a one-time code.

Another type is the Proximity Card, which enables contactless authentication just by bringing the card near the reader.

Biometrics (what you are)

Fingerprint, retina, iris, voice or other bodily characteristics.

We must point out that these characteristics can be copied or stolen (a lifted fingerprint, a recorded voice), and unlike a password they cannot be changed once compromised.

Digital Certificates (or simply Certificates) – (what you have)

A certificate binds a public key to an identity (a person, device or server) and is digitally signed by the issuer, so anyone who trusts the issuer can verify that binding.

A certificate is not a key; it does not itself encrypt anything.

It does contain the public key, and the holder proves identity by demonstrating possession of the matching private key, which never leaves the holder.

Certificates are issued by Certification Authorities (CAs).

Federation

Managing identities across systems and organizations, so that one organization’s users can be authenticated by their home identity provider and then trusted by another organization’s services.

SAML (Security Assertion Markup Language) is the XML-based standard commonly used for federated web single sign-on: the identity provider (IdP) authenticates the user and sends a signed assertion to the service provider (SP), which grants access without ever seeing the user’s password.

Single Sign-On: Kerberos

Let us introduce you to CBT Nuggets, a commercial channel that sells access to short video trainings. Depending on your needs, the price might be worth it to you. (One of their best trainers was Network Chuck, who now works from his own YouTube channel of that name.) The video isn’t him, but it’s a very good explanation of Kerberos. Do note that when the presenter says “password” he actually means the key derived from your password (the “password hash”). This is a critical distinction, because your naked password is NOT passed over the network.

Element one is a KDC, or Key Distribution Center, which has two parts: the Authentication Service (AS) and the Ticket Granting Service (TGS). When you log on, your computer proves knowledge of your password (or token) to the AS by encrypting a timestamp with a key derived from that password; the password itself never leaves your machine. The AS issues you a Ticket Granting Ticket (TGT), encrypted with the KDC’s own key, so your computer can cache it for the session but cannot read or alter it.

Then, when you want access to an actual network resource, your computer presents the TGT back to the KDC (the TGS part). The TGS gives you a service ticket (also called a session ticket) for that resource, encrypted with the secret key of the server that controls it. That server decrypts the ticket with its own key, so it can accept the ticket without contacting the KDC, and gives you access if the ticket is valid and you have permission.

Tickets:

    • are encrypted with a key the client does not hold (the KDC’s key for the TGT, the service’s key for a service ticket)
    • contain user identification information and a fresh session key
    • expire, and carry timestamps, so client, KDC and server clocks must stay in sync (five minutes of skew is the usual limit)
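The exchange described above, as an added example that is not part of the original page or of any real Kerberos implementation. It is a deliberately small simulation: the “encryption” is a toy encrypt-then-MAC built from HMAC-SHA256 standing in for Kerberos’ AES encryption types, the JSON ticket layout and the ten-hour lifetime are assumptions, and the principal names (alice, cifs/fileserver) are made up. What it does show faithfully is the shape of the protocol: the password never crosses the wire, the client cannot open its own TGT, and the file server validates the service ticket with its own key without talking to the KDC.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 10 * 3600   # seconds; a common default TGT lifetime (assumption)
MAX_SKEW = 300                # Kerberos rejects timestamps more than ~5 minutes off


def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password. Both sides hold this key; neither sends the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC (HMAC keystream + HMAC tag); a stand-in for Kerberos AES etypes."""
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self):
        self.keys = {}                 # principal -> long-term key (users and services)
        self.krbtgt = os.urandom(32)   # key that seals TGTs; only the KDC knows it

    def enroll(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ/AS-REP: pre-auth is a timestamp sealed with the user's key; no password on the wire."""
        ukey = self.keys[user]
        ts = unseal(ukey, preauth)["ts"]          # fails if the client derived the key from a wrong password
        if abs(time.time() - ts) > MAX_SKEW:
            raise ValueError("clock skew too large")
        sk = os.urandom(32).hex()                 # TGT session key
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": time.time() + TICKET_LIFETIME})
        return seal(ukey, {"sk": sk}), tgt        # client can open the first part, never the TGT

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: present the TGT (plus an authenticator) to get a service ticket."""
        t = unseal(self.krbtgt, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
            raise ValueError("bad authenticator")
        ssk = os.urandom(32).hex()                # service session key
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk, "exp": time.time() + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk}), ticket


class Service:
    def __init__(self, name: str, kdc: KDC):
        self.key = kdc.keys[name]      # stands in for the service's keytab provisioned at enrollment

    def handle(self, ticket: bytes, authenticator: bytes) -> str:
        """AP-REQ: the service opens the ticket with its own key; it never contacts the KDC."""
        t = unseal(self.key, ticket)
        if time.time() > t["exp"]:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        return f"hello {t['user']}"


def login_and_access(kdc: KDC, user: str, password: str, service: str) -> str:
    """Full client flow: AS exchange, TGS exchange, then AP exchange with the service."""
    ukey = string_to_key(password, user)                            # derived locally
    enc_part, tgt = kdc.as_exchange(user, seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(ukey, enc_part)["sk"])                # TGT stays opaque to the client
    enc_part2, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, enc_part2)["sk"])
    return Service(service, kdc).handle(ticket, seal(ssk, {"user": user, "ts": time.time()}))


def demo() -> str:
    kdc = KDC()
    kdc.enroll("alice", "correct horse battery staple")   # constructed sample principals
    kdc.enroll("cifs/fileserver", os.urandom(16).hex())
    return login_and_access(kdc, "alice", "correct horse battery staple", "cifs/fileserver")


if __name__ == "__main__":
    print(demo())
```

A wrong password produces a pre-authentication blob the KDC cannot open, so the failure happens at the AS step before any ticket exists; a tampered or expired ticket is rejected by whichever party holds the key for it.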

Transitive Trusts

A trust is transitive when it flows through: if domain A trusts domain B and B trusts C, then A also trusts C. Kerberos realm trusts (for example between Active Directory domains in one forest) are transitive by default, which is convenient but means a compromise of any trusted domain reaches every domain that trusts it.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is more secure than plain password authentication (PAP) because the password itself is never sent over the link.

    1. The client identifies itself (username) to the server. Both sides already hold the shared secret, i.e. the password.
    2. The server returns a challenge message: a random value plus an identifier.
    3. The client’s computer hashes the identifier, the shared secret and the challenge together (MD5 in RFC 1994) and sends the result as its response.
    4. The server computes the same hash from its own copy of the secret and compares it with the response to validate the user.

Because each challenge is random, a captured response cannot be replayed. The server may repeat the challenge at any time during the session to re-authenticate the client.
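The four steps above, as an added example that is not part of the original page: both sides compute the RFC 1994 response MD5(identifier || secret || challenge), the server keeps each challenge for one use only, and the demo shows a correct answer accepted, the same answer replayed and rejected, and a wrong secret rejected. The user name and secret are constructed sample values; the server class is a toy, not a real PPP implementation.

```python
import hashlib
import os
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, users: dict):
        self.users = users      # username -> shared secret (CHAP needs the secret itself, not a hash)
        self.pending = {}       # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Step 2: issue a random challenge with a one-byte identifier."""
        ident = self.next_id % 256
        self.next_id += 1
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        """Step 4: recompute the hash and compare. Each challenge is consumed on first use."""
        chal = self.pending.pop(ident, None)
        secret = self.users.get(username)
        if chal is None or secret is None:
            return False
        return secrets.compare_digest(response, chap_response(ident, secret, chal))


class ChapClient:
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret = username, secret

    def answer(self, ident: int, challenge: bytes):
        """Step 3: hash the secret into the challenge; the secret itself never leaves the client."""
        return self.username, chap_response(ident, self.secret, challenge)


def demo():
    server = ChapServer({"alice": b"correct horse"})          # constructed sample credential
    client = ChapClient("alice", b"correct horse")

    ident, chal = server.challenge()
    name, resp = client.answer(ident, chal)
    first = server.verify(ident, name, resp)                   # genuine exchange

    replay = server.verify(ident, name, resp)                  # same response again: challenge already used

    ident2, chal2 = server.challenge()
    _, bad = ChapClient("alice", b"wrong secret").answer(ident2, chal2)
    wrong = server.verify(ident2, "alice", bad)                # wrong secret, fresh challenge

    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the server must store the shared secret in a recoverable form (not a one-way hash), which makes the authentication database a high-value target, and MD5 plus an offline-guessable secret means a captured challenge/response pair can still be brute-forced, which is why EAP-TLS or other certificate-based methods are preferred today.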

Mutual Authentication

Mutual Authentication helps prevent man-in-the-middle and replay attacks, because a rogue server cannot simply accept a client’s credentials: it must also prove its own identity.

Each party is required to identify and authenticate itself to the other. Kerberos does this when the server replies with proof that it could read the service ticket; TLS does it when the server presents a certificate and the client presents one too.

Multifactor Authentication

Put simply, this means requiring factors from more than one category, e.g. a username/password (something you know) plus a hardware token (something you have). A password plus a PIN is two “something you know” factors and does not qualify.

Account Types

    • User
    • Shared / Generic Accounts / Credentials
    • Guest
    • Service
    • Privileged

General Concepts

Least Privilege

Onboarding / Offboarding

Permissions Auditing

In Windows, use the Security Configuration and Analysis snap-in (the page abbreviates it SCAT; secedit.exe offers the same analysis from the command line), which compares the machine’s current settings against a security template to perform the compliance analysis.

Usage Auditing

Time-of-Day Restrictions

Recertification

Standard naming conventions

Account Maintenance (auditing)

Account Policy Enforcement

      • Credential Management
      • Group Policy
      • Password Complexity
      • Expiration
      • Recovery (of passwords)
      • Disablement
      • Lockout
      • Password history
      • Password reuse
      • Password length
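Several of the policy items above (complexity, length, history/reuse, expiration, lockout) interact, and the interactions are where real implementations go wrong. The following added example, which is not from the original page and does not model any particular product, enforces them together on a single account and uses an injectable clock so the lockout window and password age can be advanced without waiting. The thresholds in Policy, the PBKDF2 iteration count and the sample user and passwords are all assumptions.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass


@dataclass
class Policy:
    min_length: int = 12
    require_classes: int = 3     # of: lowercase, uppercase, digit, symbol
    history: int = 5             # most recent passwords that may not be reused
    max_age_days: int = 90       # expiration
    lockout_threshold: int = 5   # failed attempts before lockout
    lockout_minutes: int = 30    # lockout duration


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the demo runs quickly; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def complexity_ok(pw: str, p: Policy) -> bool:
    classes = sum(bool(re.search(rx, pw)) for rx in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= p.min_length and classes >= p.require_classes


class Account:
    def __init__(self, name: str, password: str, policy: Policy, now=time.time):
        self.name, self.policy, self.now = name, policy, now
        self.history = []          # (salt, hash) pairs, newest last; only hashes are kept
        self.failures = 0
        self.locked_until = 0.0
        self.disabled = False
        self._set(password)

    def _set(self, password: str) -> None:
        if not complexity_ok(password, self.policy):
            raise ValueError("password does not meet length/complexity policy")
        recent = self.history[-self.policy.history:] if self.policy.history else []
        if any(hmac.compare_digest(h, _hash(password, s)) for s, h in recent):
            raise ValueError("password reuse blocked by history")
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.changed_at = self.now()

    def _matches(self, password: str) -> bool:
        salt, h = self.history[-1]
        return hmac.compare_digest(h, _hash(password, salt))

    def expired(self) -> bool:
        return self.now() - self.changed_at > self.policy.max_age_days * 86400

    def authenticate(self, password: str) -> str:
        """Returns 'ok', 'expired' (correct but must change), 'bad', 'locked' or 'disabled'."""
        if self.disabled:
            return "disabled"
        if self.now() < self.locked_until:
            return "locked"            # rejected before checking, so a locked account leaks nothing
        if not self._matches(password):
            self.failures += 1
            if self.failures >= self.policy.lockout_threshold:
                self.locked_until = self.now() + self.policy.lockout_minutes * 60
                self.failures = 0
                return "locked"
            return "bad"
        self.failures = 0
        return "expired" if self.expired() else "ok"

    def change_password(self, old: str, new: str) -> None:
        # An expired password may still be used to change itself; a locked or disabled account may not.
        if self.disabled or self.now() < self.locked_until or not self._matches(old):
            raise PermissionError("current password required")
        self._set(new)


def demo() -> list:
    clock = [1_700_000_000.0]                                   # controllable clock for the walk-through
    acct = Account("alice", "Correct-Horse-42", Policy(), now=lambda: clock[0])
    results = [acct.authenticate("Correct-Horse-42")]           # ok
    for _ in range(5):
        acct.authenticate("nope")                               # fifth failure triggers lockout
    results.append(acct.authenticate("Correct-Horse-42"))       # locked, even with the right password
    clock[0] += 31 * 60
    results.append(acct.authenticate("Correct-Horse-42"))       # ok once the lockout window passes
    clock[0] += 91 * 86400
    results.append(acct.authenticate("Correct-Horse-42"))       # expired after 90 days
    try:
        acct.change_password("Correct-Horse-42", "Correct-Horse-42")
        results.append("reuse allowed")
    except ValueError:
        results.append("reuse blocked")
    acct.change_password("Correct-Horse-42", "Battery-Staple-77")
    results.append(acct.authenticate("Battery-Staple-77"))      # ok with the new password
    return results


if __name__ == "__main__":
    print(demo())
```

Note the two deliberate choices: the lockout check runs before the hash comparison, so an attacker cannot keep testing guesses against a locked account, and only salted hashes are ever stored, so the history check works without keeping old passwords recoverable.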