Security+ Identity and Access Management (Domain #4) Notes

Security+ Identity and Access Management Notes

---- Access Control Process ----

3 Steps of the Access Control Process

Identification - Claim of identity - provides appropriate credentials (assertion only) - nothing is presented
Authentication - Proof of Identity - Identity gets verified
Authorization - What you can access

---- Authentication ----

Authentication, Authorization & Accounting (AAA) includes 5 different authentication factors, namely:

Something you Know → Mannually configured Username & Password, PIN or answers to some security questions

Something you Are → Finger print, Iris scan, Retinal scan, voice print, facial recognition or some combination thereof

Something you Have → Smart card, Security badge, an autogenerated temporary PIN or One Time Password (OTP)
Something you Do → Picture password (involves drawing lines or shapes on a picture) or gestures
Somewhere you Are → GPS Location or Location via a public IP subnet address

Multi-factor Authentication
The authetication processes must come from different factors (above) to be considered Multi-Factor Authentication (MFA). For example:

Authentication Process Combination	MFA?	Why or Why not?
Password + PIN	No	Something you know + Something you know → Same Factors
Finger Print + Draw a Pattern	Yes	Something you Are + Something you Do → Different Factors
Facial Recognition + Smart Card	Yes	Something you Are + Something you Have → Different Factors
GPS Location + User Credentials	Yes	Somewhere you Are + Something you Know → Different Factors
Voice Print + Retinal Scan	No	Something you Are + Something you Are → Same Factors
Iris Scan + Finger Print + PIN	Yes	2 x Something you Are + Something you Know → Different factor on the last process than on the first two processes
Voice Recognition + Facial Recognition + Finger Print	No	3 x Something you Are →Same Factors
User Credentials + Finger Print + Credit Card	Yes	Something you Know + Somthing you Are + Something you Have → Different Factors on all three processes

The major components of AAA are:

The client or device that seeks access
Policy Enforcement Point (PEP) - The Authenticator
Policy Information Point (PIP) - Holds the data relevant to the decision on whether to grant or deny access
Policy Decision Point (PDP) - Responsible for the final decision on whether to grant or deny access
Accounting and Reporting System - Tracks the client network usage and reports on who did what, when did they do it, where did they do it and why did they do it.

Authentication Error and Vulnerability Management

False Acceptance Rate (FAR) - % System allowing unauthorized users access
False Rejection Rate (FRR) - % System denying authorized users access
Cross-over Error Rate (CER) - The percentage of FAR and FRR combined to the total number of authentication decisions. For example, if a voice print (voice recognition) system has a FRR of 3.5% and a FAR of 1.5% then the total CER for that voice print system is 5%.
Multifactor authentication requires a combination of 1, 2 & 3 (above)

Authentication Methods

Keyed-Hashing for Message Authentication Code (HMAC) - Provides a way to check the integrity of information that is stored or transmitted over an unreliable medium (event-based) and is a prime necessity in the world of open computing and communications
Certificate-based Authentication - Allows users to logon to a server with a client certificate, generated by Public Key Infrastructure (PKI)
Homeland Security Presidential Directive 12 (HSPD12) - Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees), namely:
- Personal Information Verfication (PIV) - A credit card sized (2¼"x3½") smart card which conforms to the Federal Information Processing Standards (FIPS) publication 201-2 which is used for Federal employees and contractors
- Common Access Card (CAC) - A PIV card which identifies the employee/contractor, specifies the role, branch of service & access levels, and contains an Integrated Circuit Chip (ICC) as well as a barcode and magnetic strip for automated authentication that the United States Department of Defense (DoD) requires for all Military personnel, all of its civilian employees and all of its contractors to gain access of any of its classified resources.

Federation/Single-Sign-On

Federation - Leverages the fact that a single individual may have accounts across a wide variety of systems by sharing some authentication information across the organizations to reduce the number of individual identities that a user must have, which eases the burden on both the user, and the organization
Single Sign-On (SSO) - The users log on to the first SSO-enabled system they encounter, and then that logon session persists across other systems until it reaches its expiration time. Therefore, elliminating the need for reauthentication during that period of time.
Shibboleth - An open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner
Trust Relationships - Trusts that are transferred from one domain to another domain - Different Types include:
- One-Way - One domain (Alfa) trusts another domain (Bravo), but Bravo does not trust Alfa
- Two-Way - Alfa trusts Bravo and Bravo trusts Alfa
- Non-Transitive - Trust from one trusted domain does not extend to other trusted domains - Alfa trusts Bravo and yet another domain (Charlie), but Alfa does not assume that Charlie will trust Bravo and neither will Alfa assume that Bravo will assume that Bravo will trust Charlie
- Transitive - Trust from one trusted domain extends to other trusted domains - Alfa trusts Bravo and Charlie, and Alfa assumes that Charlie will trust Bravo and that Bravo will assume that Bravo will trust Charlie
The Initiative for Open Authentication (OAth) - An industrial collaborative effort to develop a reference architecture, using open standards to promote the adoption of strong authentication
Open Authorization (OAuth) - Authorization (not authentication) to allow the login credentials for one service provider (e.g. Gmail) login to count as sufficient proof of identity for some other service (e.g. Zoom) for accessing data or resources from the other service provider - Provides Authorization to resources, but not Authentication for those resources.
**** Warning: OAth is different from OAuth! Be careful on the Security+ Exam questions that require you to clearly differentiate between OAth and OAuth. ****
OpenID - Authentication protocol which commonly works with OAuth
One Time Password (OTP) - Generation of passwords which can only be used once - There are two types of OTP, namely:
1. HMAC-based OTP (HOTP) - Event-based - Relies on a secret key (seed) which is known by the token (see below) and the server which validates the submitted OTP codes.
2. Time-based OTP (TOTP) - Uses time stamps instead of events to validate the user - These tokens expire after a short period of time.
Token (digital) - A highly secure format used to transmit sensitive information between two parties in a compact and self-contained manner. For example, when you successfully login to your credit union account with your username and password, a token gets sent to an authentication system which sends you a PIN or OTP to your email or smartphone that you have to type in to access what you are trying get.

Authentication Protocols

Protocol	TCP or UDP	Port #	Description
Password Authentication Protocol (PAP)	TCP	3666	A simple authentication protocol in which the user credentials are sent in plain text (unencrypted) - Insecure
Challenge Handshake Authentication Protocol (CHAP)	NA	runs at Data Link Layer	A protocol that sends usernames in plain text, but uses Message Digest version 5 (MD5) encryption to send passwords to an authenticator via Point-to-Point Protocol (PPP) to provide on-demand authentication with on-going data transmission - Secure
MicroSoft - CHAP (MS-CHAP)	NA	runs at Data Link Layer	Microsoft's version of CHAP which came with version 1 and version 2 - both versions are insecure. However, MS-CHAP can be used with the following protocols to enhance security: Protected Extensible Authentication Protocol (PEAP) which acts as a Transport Layer Security (TLS) or a Secure Socket Layer (SSL) tunnel or Layer 2 Tunneling Protocol (L2TP) with IPsec which provides the secure transfer of authentication data for MS-CHAP.
Extensible Authentication Protocol (EAP)	NA	runs at Data Link Layer	An authentication framework which supports multiple authentication methods
Remote Authentication Dial In User Service (RADIUS)	TCP and UDP	1812 - Athentication Process	An access server authentication and accounting protocol that manages a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin). RADIUS uses UDP.
		1645 - Authentication Request
		1813 - Accounting Process
		1646 - Accounting Request
Terminal Access Controller Access-Control System (TACACS)	TCP	49	A security application that provides centralized validation of users attempting to gain access to a router or network access server
Kerberos	TCP and UDP	88	Designed to provide strong authentication for client/server applications by using a symmetric secret-key cryptography which is Ticket-based (see below) Please review the Kerberos authentication process for more information.
Light weight Directory Protocol (LDAP)	TCP and UDP	389 (unencrypted)	Insecure protocol for authentication that uses BIND to authenticate users, except the connection is unencrypted
Light weight Directory Protocol (LDAP)	TCP and UDP	636 (encrypted)	Secure protocol for authentication that uses BIND to authenticate users
New Technology Login Management (NTLM)	UDP	137 - NetBIOS Name	Not secure (Microsoft recommends disabling) - This was widely used on older Windows systems before Kerberos and LDAP became widely available - Uses the Security Account Manager (SAM) to validate users
	UDP	138 - NetBIOS Netlogon and Browsing
	TCP	139 - NetBIOS Session

* IANA assigns TCP/UDP port numbers to the protocols that operate at the Transport layer of the OSI model and are listed on IANA's Service Name and Trasport Protocol Port Number Registry.

Kerberos Authentication Process

The client contacts a Certificate Authority (CA) which acts as the Key Distribution Center (KDC) - kinit and Active Directory are two examples of a KDC
The CA creates a time-stamped session key with a limited duration (8 hours by default) using the client's key and a randomly generated key that includes the identification of the target service
This information is sent back to the client in the form of a Ticket Granting Ticket (TGT) - Contains the following phases:
1. An initial authentication that enables all subsequent authentications
2. The subsequent authentications themselves
A TGT is analogous to the approval for the Security Guard to allow someone who checks in to pick up a security badge from the Receptionist for access to the server room.
The client submits the TGT to a Ticket Granting Server (TGS)
The TGS generates a time-stamped key that is encrypted with the server's key and then returns both to the client.
The client uses its key to decrypt it ticket, contacts the server, and offers the encrypted ticket to the server.
The server uses its key to decrypt the ticket to verify that the time stamps match and that the tickets remain valid.
The server contacts the KDC and receives a time stamped, session keyed ticket and then sends it to the client.
The client decrypts the keyed ticket using its key. When both agree that the other is the proper account and that the keys are within their valid lifetime then communication starts.
Note: There is no transfer of user credentials until this process is complete.

---- Access Management ----

Secure Assertion Markup Language (SAML) - allows browser based single sign on for a variety of web services
Authorization - What users are allowed to do, once authenticated
Least Privilege - only minimum permissions required for position
Separation of Duties (SoD) - Requirement of more than one person to complete a task.
Job Rotation - The practice of moving employees between jobs - The goal is to minimize the probability of someone being able to complete some unauthorized activities by virtue of remaining in the same position and having access to certain resources.
Privilege creep which is the gradual accumlation of access rights beyond what is necessary for the job can happen when violating Least Privilege and Separation of Duties
Rule Based Access Control - Access control that is based on rules that a system administrator defines - Sometimes abbreviated RBAC
Watch for context to distinguish between Role-based and Rule-based
- Mandatory Access Controls (MAC) - A protection system that does not permit any untrusted process to modify the protection state of a system, often based on the sensitivity (represented by a security label) of information contained in the objects and the formal authorization of subjects to access information of such sensitivity - Used mainly on highly secure environments. For example, the following sensitivity levels can be assigned:
  1. Extreme - Restricted to top management and those who are explicitly approved to have this information
  2. Very High - Same as above, except this can include approved contractors, approved vendors and other approved associates
  3. High - Same as above, except this can be shared within the Organizational Unit (e.g. Division) which is responsible for this information
  4. Medium - Same as above, except this can be shared with approved personnel within the organization
  5. Low - Can be share with anyone within the organization, including contractors, vendors and other associates
  6. Public - This information is available to everyone
- Access Control Lists (ACLs) - Rules which a router or firewall follows to determine whether or not certain traffic gets access to a network
- Security-Enhanced Linux (SELinux) - A security architecture that allows administrators to have more control over who can access the system - Originally developed by the United States National Security Agency (NSA) - Enabled, Passive & Disabled modes
- Discretionary Access Controls (DAC) - A protection system that permits untrusted processes to modify the protection state of a system (most commonly used) - An access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following:
  1. Pass the information to other subjects or objects;
  2. Grant its privileges to other subjects;
  3. Change security attributes on subjects, objects, information systems, or system components;
  4. Choose the security attributes to be associated with newly-created or revised objects; or
  5. Change the rules governing access control. Mandatory access controls restrict this capability
Role Based Access Control (RBAC) - A method of restricting network access based on the roles of individual users - Also known as Nondiscretionary Access Control
Watch for context to distinguish between Role-based and Rule-based
Attribute-Based Access Control (ABAC) - A logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object) actions and the environment relevant to a request
Database Access Control - A method of allowing access to a company's sensitive data (usually via encryption and database permissions) to database users who are assigned access to that data within that database
- SQL Server Authentication
- Windows Authentication
- Mixed Authentication

The navigation options for this page are:

Go back to Domain #3 → Architecture and Design Notes,
Proceed to Domain #5 → Risk Management Notes,
Return to the main Security+ resources page,
Return to the main Nine Star training website, or
Go to the main Nine Star website.