Security+ Chapter 2: Understanding identity and access management


SAML and Authentication

SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
*Primary purpose of SSO is for identification and authentication of users*
-Note that SSO does not automatically provide authorization. But many federated SSO systems, including SAML, include the ability to transfer authorization data. In other words, SAML can be used for SSO authentication and authorization.

Kerberos

-A network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms.
-Provides mutual authentication that can help prevent "man-in-the-middle" attacks and uses tickets to help prevent replay attacks.
Requirements for it to work properly:
1) A method of issuing tickets used for authentication -> The Key Distribution Center (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC (or TGT server) packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, but they are logical tokens, not a key fob.
2) Time synchronization -> Requires all systems to be synchronized within 5 minutes of each other. The clock that provides the time synchronization is used to timestamp tickets, ensuring they expire correctly. This helps prevent replay attacks. In a replay attack, a third party attempts to impersonate a client after intercepting data captured in a session. However, if an attacker intercepts a ticket, the timestamp limits the amount of time an attacker can use the ticket.
3) A database of subjects or users -> In Microsoft environments, this is Active Directory. But it can be any database of users.
-Additionally, Kerberos uses symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality.
How it works summary:
-When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, which typically has a lifetime of 10 hours to be useful for a single workday. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource. However, the ticket expires if users stay logged on for an extended period such as longer than 10 hours. This prevents them from accessing network resources. In this case, users may be prompted to provide a password to renew the ticket-granting ticket, or they may need to log off and log back on to generate a new ticket-granting ticket.

Fingerprint Scanner

-Common on laptops, tablets, and smartphones. Some USB drives have a thumbprint reader.
-Used by law enforcement for identification, not access.

Identification Methods Summary

-Include usernames, photos, identification cards, and biometrics.
-The most common identification method is usernames -> can be a username or email address.
-CACs and PIVs include a photo and other information about the owner, so owners often use them as IDs. They also function as smart cards in the "something you have" authentication factor.
-The "something you are" section pretty much focuses on biometrics.

Using a password policy

-These settings are usually updated in a GPO by adjusting a technical control such as a technical password policy. For example, the technical settings may say all users within the GPO must have a password of 14 characters or longer, complex, and changed every 45 days. *Add picture later on pg. 101*
*Common password policies you should include:
1) Enforce password history - log the last 24 passwords and force the user to make a new one.
2) Maximum password age - number of days before the password must be reset.
3) Minimum password age - how long a user must wait before changing their password. Setting this to one day is useful in preventing a user from trying to get back to their original password, because it will take 25 days to do so.
4) Minimum password length - at least 14; some organizations require longer than 14.
5) "Password must meet complexity requirements" - forces the user to use 3-4 character types.
6) "Store passwords using reversible encryption" - reversible encryption stores the password in such a way that the original password can be discovered. This is rarely enabled.
*Password complexity increases the key space*

Password Recovery

-Very important to verify someone's identity prior to resetting the password. A bad actor could get access to someone else's account, or the intended user may get locked out.
-When help desks manually reset a password, it should be a temporary, one-use password that the user immediately resets. This prevents the help desk from also having the new password.
-Automated password reset services should be used rather than a manual help desk reset, so IT resources are not wasting their time. Typically these systems will send a reset link to your email and then invoke some sort of identity proofing system. This system will likely ask you to answer security questions that you previously answered. Once you prove your identity by answering the questions, the system lets you reset your password. Other password reset systems send you a code, such as a 6-digit PIN, to your cell phone and make you enter it in your email, where you are then allowed to change the password.

Practice of requiring administrators to use two accounts

-It is common practice to require administrators to have two accounts:
1) For day-to-day activities, a regular account with the same limited privileges as a regular end user.
2) An account with elevated privileges required to perform administrative work, used only when performing administrative work.
-The benefit of this practice is that it reduces the exposure of the administrator account to an attack. When malware attacks a system it attempts to gain elevated privileges. When this happens on an admin account, it can do so directly. When this happens on a regular account, it must take extra steps to try and get elevated privileges.
-Also a good practice to protect administrators. When an admin does normal day-to-day work and forgets to lock the computer, if they are in the admin account, someone can steal admin privileges. If they are only in their normal account, then there is less to worry about. Sometimes screensavers take 10 minutes to lock; this is plenty of time.

Privileged Account

-has additional rights and privileges beyond what a regular user has. Ex: full admin rights

Guest Account

-Included in Windows OS.
-Useful when you want to grant someone limited access to a computer or network without creating a new account. Ex: if your company hires a contractor that changes daily, you wouldn't want to create a new account each time.
-Administrators commonly disable the guest account and only enable it in special situations.

End user account

-Most of these accounts are used for regular users.
-Administrators create these accounts and then assign appropriate privileges based on the user's job responsibilities.
-Microsoft refers to this as a standard user account.

Least Privilege

-A technical control implemented with access controls. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform the assigned tasks or functions, but no more.
-A primary goal of implementing least privilege is to reduce risk.
-This principle applies to regular users and administrators. Many services and applications run under the context of user accounts. It is important to ensure these accounts are given limited privileges. In the past, these accounts were given full admin privileges; when an attacker hacked the system, they wreaked havoc on the network.

Account Types

1) End user account
2) Privileged account
3) Guest account
4) Service account

Policy statements include 4 elements:

1) Subject - This is typically a user. You can use any property as an attribute, such as employment status, group membership, job roles, logged-on status, and more. Ex: the subject is identified as being logged on and a member of a researcher group.
2) Object - This is the resource (such as a file, database, or application) that the user is trying to access. Ex: an object could be the research sites. The research site object would include internet access via a proxy server along with a specific list of URLs of research sites.
3) Action - The action is what the user is attempting to do, such as reading or modifying a file, accessing specific websites, and accessing website applications. The example allows specific access to specific websites.
4) Environment - The environment includes everything outside of the subject and object attributes. This is often referred to as the context of the access request. It can include the time, location, protocols, encryption, devices, and communication method. In the example, it specifies the main network as an environment attribute.

Recovering Accounts

2 scenarios:
1) Enable a disabled account - Administrators can reset the user's password and take control of the account. They can also pass control of the account over to the ex-employee's supervisor or manager. They then reset the user's password and set it to expire on first use, turning over control.
2) Recover a deleted account - It is possible to recover a deleted account. However, it is more complicated than creating another account with the same name. Instead, administrators have to follow a detailed recovery procedure.

Disablement Policy

A policy that specifies how to manage accounts in different situations.
-Disabling is preferred over deleting because administrators do not want to delete the data and security keys associated with the account. Ex: if someone has encrypted files on their computer, the OS uses crypto keys to encrypt and decrypt the files. If administrators delete this account, they may never be able to decrypt the files.
Different situations:
1) Terminated employees - these accounts should be disabled as soon as possible to prevent disgruntled ex-employees from wreaking havoc on a network. (Also applies to employees who resign.)
2) Leave of absence - If the employee is gone for an extended period of time, their account should be disabled while they are away. The period is typically from 2 weeks to 2 months.
3) Delete account - When organizations determine the account is no longer needed, administrators delete it. Ex: the policy may say delete the account when it has not been used for 60-90 days.

Common Access Card (CAC)

A specialized type of smart card used by the DoD.
-In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information. Users can use the card as a form of ID to security guards, then use it to log on to computers once they are inside the gates. Your yellow ITAR badge.
Personal Identity Verification (PIV) - same as CAC but used by US federal agencies. These are also usually dual-factor authentication where the user has the smart card and a password. These also contain the embedded certificates used for digital signatures and encryption.

Tokens and Key Fobs

A token or key fob (sometimes called a hardware fob) has a tiny LCD screen that displays a number that changes periodically, usually every 60 seconds.
-The token is synced with a server that knows the exact number at any time. This number is then used as a one-time-use, rolling password.
-This is an effective method because even if someone were to see your number, it is only active for 60 seconds.
-These are usually used to authenticate via a website. The user typically enters the number displayed on the token along with a username and password (dual-factor).
-A common brand is RSA SecurID.

Access Control Methods

Access controls ensure only authenticated and authorized entities can access resources. This process starts by ensuring users are accurately identified and authenticated. Then you can grant them access using one of several different models:
1) Role-based access control (role-BAC)
2) Rule-based access control (rule-BAC)
3) Discretionary access control (DAC)
4) Mandatory access control (MAC)
5) Attribute-based access control (ABAC)
Clarification: you may notice that CompTIA uses the acronym RBAC for both rule-based access control and role-based access control. For clarity, we separate them out.
Models include:
-subjects
-objects

Account maintenance

Administrators routinely perform account maintenance (with scripts to automate the process). Ex: create a script to list all enabled accounts that haven't been used in the last 30 days. Often, these accounts belong to ex-employees and temporary employees who are no longer with the organization. The script may also perform a check to verify that inactive accounts are disabled. Account maintenance also includes deleting accounts that are no longer needed.

Audit Trail

Allows security professionals to re-create the events that precede a security incident.

Something you are

An authentication factor that uses biometrics for authentication.
*Biometrics are the strongest form of authentication because they are the hardest for hackers to duplicate. Out of the biometric categories, the strongest are iris and retina scans. Iris scans are used more often due to the privacy issues and scanning requirements of retina scans.*
-Facial recognition paired with IR has the potential to be the most flexible and most popular.
-Lower CERs are better = higher accuracy.
-2-step process:
1) Register with the authentication system. Ex: use a fingerprint scanner that associates a fingerprint with an identity.
2) Then the fingerprint is used to access data.
Common types:
-fingerprint scanner
-retina scanner
-iris scanner
-voice recognition
-facial recognition

Somewhere you are

Authentication factor that identifies a user's location.
-Geolocation is a group of technologies used to identify a user's location and is the most common method used in this factor.
-Many authentication systems use the IP address for geolocation. The IP address provides information regarding the country, region, state, city, and sometimes even the zip code. -> Using IP for geolocation is not foolproof; there are many VPN IP address changers available. For example, someone in Russia can visit a site and the site will only see the IP address of the VPN service, not the computer in Russia.
-Within an organization, it's possible to use the computer name or the Media Access Control (MAC) address of a system for the "somewhere you are" factor. For example, in a Microsoft Active Directory domain, you can configure accounts so that users can only log on to the network through one specific computer. If they aren't at that computer, the system blocks them from logging on at all.

Something you do

Authentication factor that refers to actions you take, such as gestures on a touch screen.
-Ex: Microsoft Windows 10 supports picture passwords, where a user selects a picture, then adds 3 gestures as their picture password. After registering gestures to a picture, a user can use them to log in. Gestures include:
1) tapping on a specific place in the picture
2) drawing lines between items with your finger
3) drawing circles around something in the picture, such as someone's head
-How you write or type. Referred to as behavioral biometrics because it identifies behavioral traits of an individual. Some people put these actions into the "something you do" authentication factor. Ex: keystroke dynamics measure the pattern and rhythm as a user types on a keyboard. It measures details such as speed, dwell time, and flight time.
1) Dwell time - the time that a key is pressed
2) Flight time - the time between releasing one key and pressing the next key

Authentication Factors

Authentication is typically simplified as types, or factors, of authentication.
-Authentication may require one factor for basic authentication, 2 factors for more secure applications, or more factors for higher security. The factors are:
1) Something you know - a password or personal identification number (PIN)
2) Something you have - a smart card or USB token
3) Something you are - fingerprint or biometric identification
4) Somewhere you are - location using geolocation technology
5) Something you do - gestures on a touchscreen

Biometric Errors

Companies taking shortcuts with biometrics cause false readings. 2 types:
1) False acceptance
2) False rejection
-A true reading occurs when the biometric system accurately accepts or rejects a user.
-Biometric systems allow you to adjust the sensitivity or threshold level where errors occur.
-As sensitivity increases, the number of false matches decreases and the number of false rejections increases. The opposite is true for lowering sensitivity.
-Plotting FAR and FRR by sensitivity can determine the effectiveness of a biometric system. The Crossover Error Rate (CER) is the point where the FAR crosses over the FRR. A lower CER indicates that the biometric system is more accurate.

Smart Cards

Credit-card-sized cards that have an embedded microchip and a certificate. A user inserts the smart card into a smart card reader, similar to a credit card. Basically, the card's embedded certificate allows the use of a complex encryption key and provides much more secure authentication than is possible with a simple password. Additionally, the certificate can be used with digital signatures and data encryption.
Smart card requirements:
1) Embedded certificate - the embedded certificate holds a user's private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.
2) Public key infrastructure (PKI) - PKI supports issuing and managing certificates (more covered in ch. 10).
*Smart cards are often paired with another factor of authentication (dual-factor authentication). For example, a user may also have to enter a PIN in addition to using a smart card, because the smart card is a "something you have" factor and the PIN is a "something you know" factor.*

Dual-Factor and multi factor authentication

Dual-factor (2-factor) - uses two different factors of authentication, such as something you have and something you know.
1) Often uses a smart card and PIN
2) Uses a USB token and a PIN
3) Combines a smart card or hardware token with a password
Multifactor - uses 2 or more factors of authentication.
NOTE: you can technically call a system that uses 2 different factors either dual-factor or multifactor authentication.
-Multifactor authentication indicates multiple factors, and multiple is simply more than one.
NOTE: using two methods of authentication in the same factor is not dual-factor authentication. Example: using 1) a password and PIN, or 2) a thumbprint and retina scan are both individually considered single-factor authentication, since each pair is in the same class.

Group Policy

Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.
-Used on Windows domains; included with most Windows Server operating systems.
-Group Policy Object (GPO) - where administrators can configure a setting once and apply the setting to all users and computers within the domain. Ex: if you want the local administrator password to change on all computers in your domain, you can configure the GPO once, link the GPO to the domain, and it changes the local administrator password for all computers within the domain.
-Organizational units (OUs) allow administrators to target specific user and computer accounts. They can create a GPO, link it to a specific OU, and the GPO only applies to the users and computers within the OU, but not to users outside the OU.

HOTP and TOTP

HOTP and TOTP are both open source standards used to create a one-time-use password. Both can be used as software tokens for authentication. The underlying principle behind these is the Hash-based Message Authentication Code (HMAC), which uses a hash function and a cryptographic key for many different crypto functions. These algorithms combine a secret key and an incrementing counter, and use HMAC to create a hash of the result.
-HOTP creates a one-time password that does not expire. (A little risky if someone discovers the password, since it doesn't expire.)
-TOTP creates a one-time password that expires after 30 seconds.
-A pro for both of these is that hardware tokens using open source standards are significantly cheaper than tokens that use proprietary algorithms. They can be used as hardware- or software-based tokens. An example of a software-based token can be seen on pg. 105. The VIP Access app created by Symantec is used by many sites like eBay and PayPal.

Discretionary Access Controls (DAC)

In this model, every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC model. Ex: the Windows New Technology File System (NTFS) provides security by allowing users and administrators to restrict access to files and folders with permissions.
-SIDs and DACLs
-Access is established by the owner, or the person who created the file.
-More flexible than MAC: if you want to grant another user access to a file you own, you simply make the change, and that user has access.
-BEWARE OF TROJANS - an inherent flaw with the DAC model is that it is susceptible to Trojans. Trojan horses are executable files that act like something good, but include malware. When you download a file that you think is good, you get infected. Administrators can combat Trojans by having 2 accounts.
-Used by Windows OS.

Object

Items such as files, folders, shares, and printers that subjects access. Access controls determine how a system grants authorization to objects. In other terms, the access control model determines how a system grants users access to files or other resources.

LDAP(s)

Lightweight Directory Access Protocol (LDAP) - specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects.
-LDAP is an extension of the X.500 standard that Novell and Microsoft Exchange Server versions used extensively.
-Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups) and it provides a single location for object management. Queries to Active Directory use the LDAP format. Similarly, Unix realms use LDAP to identify objects.
-Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes. Example: a user named Homer in the Users container within the GetCertifiedGetAhead.com domain is identified with the following LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
-CN=Homer. CN is short for common name.
-CN=Users. CN is sometimes referred to as container in this context.
-DC=GetCertifiedGetAhead. DC is short for domain component.
-DC=com. DC is short for the second domain component in the domain name.
-LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission.

Password history and reuse

Many users prefer to use the same password over and over and never change it. Even when policies require them to change it, they usually just change it back to the original, causing a huge security risk. To combat this, implement a password history system that remembers past passwords and prevents a user from reusing old passwords. *It is standard practice for the password history system to remember the last 24 passwords.*

Which authentication protocol should you use with Windows? A) Kerberos B) NTLM C) NTLMv2 D) NTLMv2 Session E) None

Microsoft recommends that users do not select a protocol. Instead, developers should use the "negotiate security package" within their application. The security package selects the most secure security protocol available between the systems. It first tries to use Kerberos if it is available. If not, it uses either NTLMv2 or NTLMv2 Session, depending on the capabilities of the systems involved in the session.

Attribute-Based Access Control (ABAC)

Model that evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy. Ex: Homer is a nuclear safety inspector. His user account may be defined with the following attributes: employee, inspector, and nuclear aware. A file server at the plant includes a share called inspector, and it holds documents commonly used by nuclear safety inspectors. An ABAC policy for the share might grant access to the share for any subjects that have the attributes of employee, inspector, and nuclear aware.
-Many software-defined networks (SDNs) use ABAC models. Instead of rules on physical routers, policies in the ABAC system control the traffic. These policies typically use plain-language statements. Ex: an ABAC policy rule for a company that employs researchers might be "allow logged-on researchers to access research sites via the main network".
-Policy statements include:
1) Subject
2) Object
3) Action
4) Environment
-ABAC systems have a lot of flexibility and can enforce both a DAC and a MAC model.

Mandatory Access Control (MAC)

Model that uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don't match, the access model blocks access.
-Military units make wide use of this model to protect data. Ex: a TS/SCI folder with a big red Top Secret stamp. The stamp is the sensitivity label and the files are the papers in the folder. If the user has TS/SCI and the need to know, they can open the folder.
-Security-Enhanced Linux (SELinux) is one of the few operating systems that use this model.
-The MAC model uses a lattice to divide access into separate compartments based on a need to know. Ex: if Tom has Top Secret clearance and a nuclear power plant SAP, he has access to that data but not to 007 or Happy Sumo. Also, because Tom has TS, he can potentially have access to Secret, Confidential, and Official data, but only if he has a need to know.

Implementing account lockout policies

Most accounts have lockout policies that prevent a user from guessing at a password, such as lockout after 3 or 5 guesses. 2 key phrases associated with lockout policies:
1) Account lockout threshold - the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account.
2) Account lockout duration - this setting indicates how long an account remains locked out. If set to 30, the account unlocks after 30 minutes; if it is set to 0, the account will only unlock when an admin unlocks it.

Changing default passwords

Most systems and devices start with a default password. A basic security practice is to immediately change these. Anyone who knows the default password of that system can get into your system and even lock you out.
*Changing defaults includes changing the name of the administrator account and its password. We want to change the name of the admin account because admin accounts usually don't follow the same lockout policies and cannot get locked out. Hackers know this and will brute force the account, knowing they can't get locked out.*
*Some administrators go a step further and create a dummy account called "Admin" or "Administrator" with no privileges that will get locked out. This tricks hackers and alerts the administrator of potential illicit activity.*

Authentication Service Comparison

NOTE: these services fall outside of the previously defined factors. The main goal of these services is to ensure that unencrypted credentials are not sent across a network. In other words, they ensure that credentials are not sent in cleartext, since attackers can use tools like protocol analyzers to capture and view them.
1) Kerberos
2) NTLM
3) LDAPS
4) Single Sign-On (SSO)
5) SSO and transitive trusts
6) SSO and SAML
7) SSO and federation
8) OAuth and OpenID Connect

NTLM

New Technology LAN Manager (NTLM) - a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. They use a message digest hashing algorithm to challenge users and check their credentials. There are three versions:
1) NTLM - a simple MD4 hash of a user's password. MD4 has been cracked, and neither MD4 nor NTLM is recommended for use today.
2) NTLMv2 - a challenge-response authentication protocol. When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain (or computer name), the user's password, the current time, and more. To create the HMAC-MD5 message authentication code, the process starts with the MD5 hash of the user's password, which is then encrypted.
3) NTLMv2 Session - improves upon NTLMv2 by adding mutual authentication. In other words, the client authenticates with the server, and the server authenticates with the client.

OAuth and OpenID Connect

OAuth - an open standard for authorization that many companies use to provide secure access to protected resources. Instead of creating a different account for each website you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter. Ex: a department store decides to sell goods online and management decides to allow customers to pay using PayPal. Developers configure the website to exchange API calls between it and PayPal servers. Now, when customers log in to PayPal and make their purchase, OAuth transfers data between PayPal and the department store. A benefit is that the customer does not have to create another account for the department store.
OpenID Connect - works with OAuth 2.0 and allows clients to verify the identity of end users without managing their credentials. In this context, the client is typically a website or application that needs to authenticate users.
Pros:
-OpenID Connect provides identification services without requiring the application to handle the credentials.
-Streamlines the experience for users. Ex: Skyscanner is an app for finding flights, hotels, and car rentals. It allows users to sign in using their Facebook credentials. After doing so, Skyscanner provides a more personalized experience for the user.

Location-Based Policies

Policies that restrict access based on the location of the user.
-Ex: geolocation technology can be used to detect the location of an IP address.
-Ex2: you can also identify a set of IP addresses as the only addresses that are acceptable (known as whitelisting).
-It is also possible to restrict access based on a computer name or MAC address within a network.

Authentication

Proves an identity with some type of credentials, such as a username or password.
-Extremely important: you cannot have any type of access control if you cannot identify the user.
-Not limited to users. Services, processes, workstations, servers, and network devices all use identification to prove their identities. Many computers use mutual authentication, where both parties check each other.

Something you have

Refers to an authentication factor that you can physically hold. Common types:
-Smart cards
-CACs and PIVs
-Tokens or key fobs
-HOTP and TOTP (underlying principles)

Single Sign-On (SSO)

Refers to the ability of a user to log on or access multiple systems by providing credentials only once. -Increases security by reducing the possibility of a user writing down a password. -Convenient for users, who only have to log in once. Ex: a user who needs to use multiple servers within a network to perform work would normally have to remember a set of credentials for each server. The key is that one set of credentials is used for the entire session. -SSO systems typically create some type of SSO token used during the entire session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication. Kerberos and LDAP both use SSO. -SSO can provide central authentication against a federated database for different operating systems. -*SSO requires strong authentication to be effective. If users use weak passwords, hackers can guess them and gain access to multiple systems. Some claim this as a weakness: if a hacker can gain access to the credentials, the whole system collapses. -"Same-Sign-On" is not the same as SSO. In same-sign-on, the user enters the same credentials, but they have to enter them each time they access a new resource.

Rule-BAC

Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying access control lists (ACLs) after detecting an attack or granting additional permissions to a user in certain situations. -Routers and firewalls use rules within access control lists (ACLs). These rules define the traffic that the devices allow into the network, such as allowing HTTP traffic for web browsers. These rules are static, meaning administrators create the rules and the rules stay the same unless they are changed. However, some rules are dynamic, such as those of an intrusion prevention system that can detect attacks and then modify rules to block traffic from an attacker. In this case, the attack triggers a change in the rules.

SSO and SAML

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) based data format used for SSO on web browsers. Ex: Imagine two websites hosted by two different organizations. Normally, a user would have to provide different credentials to access either web site. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site. -Many web-based portals use SAML for SSO. The user logs on to the portal once, and the portal then passes proof of the user's authentication to back-end systems. As long as one of the organizations has authenticated the user, they are not required to authenticate again to access other sites within the portal. -SAML defines 3 roles: 1) Principal - Typically a user. The user logs in once. If necessary, the principal requests an identity from the identity provider. 2) Identity Provider - Creates, maintains, and manages identity information for principals. 3) Service Provider - The entity that provides services to principals. Ex: a service provider could host one or more web sites accessible through a web-based portal. When a principal tries to access a resource, the service provider redirects the principal to obtain an identity first. *The 3-role process typically sends several XML-based messages between the systems. However, it is usually transparent to the user.

SIDs and DACLs

Security Identifiers (SIDs) - long strings of characters used by Microsoft systems to identify groups. The system looks up the name associated with the SID and displays the name. -Ex: S-1-5-21-3991871189-223218 Discretionary access control list (DACL) - Every object (such as a file or folder) has one, and it identifies who can access the object in a system using the DAC model. The DACL is a list of access control entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to the SID. For example, a folder named "study notes" might have the following permissions assigned: Lisa: Full Control; Bart: Read; Maggie: Modify. Each of the above entries is an ACE, and combined they form a DACL.

SSO and Federation

Some SSO systems can connect authentication mechanisms from different environments, such as different operating systems or different networks. -A common method is a federated identity management system, often integrated as a federated database. The federated database provides central authentication in a nonhomogeneous environment. Ex: imagine a nuclear power plant establishes a relationship with a school system, allowing the power plant employees to access school resources. It is not a good idea to join these networks together. However, you can create a federation of the two networks. Once it is established, the power plant employees log on using their power plant account and then access the shared school resources without logging on again. See also: Federation vs. Shibboleth.

Service Accounts

Some applications and services need to run under the context of an account. Ex: SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network. Administrators create a regular user account, name it something like sqlservice, assign it appropriate privileges, and configure SQL Server to use this account. -Note that this is like a regular end-user account. The only difference is that it's used only by the service or application, not by an end user. -A problem with service accounts is that they often aren't managed. For example, an account's password may expire after 45 days. When it is about to expire, the account gets a notification, but the application ignores it, and the account ends up locked out. One solution is to configure the service account so that it doesn't have to comply with the password policy. But administrators need to pick and choose which policies the account must follow and ensure it remains secure.

Facial Recognition

System identifies people based on facial features. This includes the size of the face compared with the rest of the body, and the size, shape, and position of the eyes, nose, mouth, cheekbones, and jaw. -A con of this technology is that it is sometimes negatively affected by changes in lighting. Ex: Microsoft Windows Hello uses infrared (IR) to counter lighting problems, allowing it to operate in diverse lighting conditions.

Hierarchy-based (role-BAC)

System layout where roles mimic the hierarchy of an organization. For example, executives and administrators have much more access and more permissions than a low-level team member.

Password Expiration

Systems should be set up so that they require users to change their password on a regular basis, such as every 45 or 90 days. -Some systems do not allow a user to log in until they change their expired password. *From experience, a user will not update their password unless you force them to, aka lockout of the account.*

Something you know

This authentication factor usually refers to a shared secret, such as a password or even a PIN. *Least secure form of authentication.* -Password security can be improved by following good practices: ->See password complexity, password expiration, password recovery, password history and reuse, group policy, password policy, account lockout policies, and changing default passwords.

Password complexity

To make passwords more secure, you can require them to be complex and strong. -Use a mix of character types and require a minimum length of 14 characters (this varies with the type of account, but it is a good rule of thumb). Organizations typically require administrators to have longer passwords. -A mix of character types means at least 3 or 4 of the following character types mixed up: ->uppercase characters (26 letters A-Z) ->lowercase characters (26 letters a-z) ->numbers (10 digits 0-9) ->special characters (32 printable characters, such as !, $, and *) -Don't include words that can be found in the dictionary, or your name, or other things that are easily guessed. **Security experts often mention that if you make passwords too complex, they become less secure. This is because users have problems remembering them and are then more likely to write them down or store them on their computer, significantly reducing security.** **Security experts recommend using a "passphrase", which is a string of characters that has meaning to the user.** Ex: 7ac|nP@$$ Note: some hackers can check 20 billion passwords a second; adding more characters increases the amount of time it takes.

SSO and Transitive Trusts

Transitive trust creates an indirect trust relationship. Ex: -Homer trusts Moe -Moe trusts Fat Tony -Homer trusts Fat Tony because of transitive trust. -Helps reduce network administration in a domain. -In LDAP-based networks, domains use trusts for SSO. See good example on Pg. 113. -Basically, you can access various domains with one account. Without transitive trust, you would need an account for each domain.

Role-Based Access Control (Role-BAC)

Uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role. Think accounting, engineering, IT... Case Example: Microsoft Project Server uses role-BAC with the following common roles (there are more): 1) Administrators - have complete access and control over everything on the server, including the projects managed on the server. 2) Executives - can access data from any project held on the server, but do not have access to modify system settings on the server. 3) Project Managers - have full access over their projects, but do not have access to any other projects owned by other PMs. 4) Team Members - can access and report on data, but do not have any other access. -It is common practice to use a matrix (planning document) to document roles and their specific privileges. -Role-BAC is also called hierarchy-based or job-based.

Prohibiting Shared and Generic Accounts

You should not allow users to have shared or guest accounts where multiple users share a single account. Each user should have their own account. -When accounts are shared, you cannot implement basic authorization controls. Ex: If someone deletes a file, you do not know who did it.

Credential Management

Over time, users accumulate multiple credentials that they need to remember, especially when they access many web sites. Credential management systems help users store their credentials securely. The goal of these systems is to ensure that users can easily access their credentials while making sure that unauthorized personnel do not have access to them. Ex: Windows 10 has the Credential Manager, accessible from the Control Panel. Users are able to add credentials into the Credential Manager, which securely stores them in special folders called vaults. When users access web sites needing credentials, the system automatically retrieves the credentials from the vault. Google Chrome has a similar system.

Accounting

Tracks user activity and records the activity in logs. Ex: audit logs track activity, and administrators use these to create an audit trail.

Troubleshooting Authentication Issues

Main causes: 1) weak passwords 2) Forgotten passwords 3) Biometric errors (FAR, FRR)

Access Control systems

Provide authorization by granting access to resources based on the permissions granted to a proven identity. -Effective access control starts with strong authentication mechanisms, such as the use of robust passwords, smart cards, or biometrics. If users can bypass the authentication process, the authorization and accounting processes are ineffective.

Subjects

Typically users or groups that access an object. Occasionally, the subject may be a service that is using a service account to access an object.

Shibboleth

**One of the federated identity solutions mentioned in Security+** -Open source and freely available, more affordable than commercially available federated identity solutions. -Includes open SAML libraries written in C++ and Java, making it easier for developers to expand its usefulness.

User's credentials

2 entities know them: 1) the user who presents them 2) the authenticator who verifies the credentials

Managing Accounts

Account management is concerned with the creation, management, disablement, and termination of accounts. -When the account is active, access control methods are used to control what the user can do. -Access controls are used to control when and where users can log in. -Improperly configured accounts can lead to increased risk.

Establishing Access and Mandatory Access Control (MAC)

An administrator typically establishes access, but they are usually not cleared high enough to assign everything. So typically, a security professional identifies the specific access that individuals are authorized to have. This person can upgrade or downgrade access when necessary. The security professional does all of this via paperwork and does not assign the rights and permissions on the computer systems. Instead, the admin assigns the rights based on the direction of the security professional. -Multiple approval levels are typically required in the decision-making process to determine what levels a user can access. -When someone needs different access, the administrator typically reaches out to security with a request and waits on their response. This process is lengthy and low in flexibility.

Establishing access with group-based privileges (role-BAC)

Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups (Microsoft) and assign privileges to the groups. Users within the groups automatically inherit the privileges assigned to the group. -Security groups can be created on workstations, servers, and within domains. -In Windows domains, administrators often create groups that correspond to the departments of the organization. Ex: MTE is a group. -Without groups, you would have to assign individual privileges, which quickly becomes unmanageable. -These groups work very well when someone moves groups, say from sales to marketing. It is as easy as removing them from the sales group and adding them to the marketing group; this way you don't have to remember all of their privileges when switching (it is likely that you couldn't remember them all, leading to a violation of the principle of least privilege).

Voice Recognition

Identifies who is speaking using speech recognition methods to identify different acoustic features. One person's voice varies from another person's due to differences in their mouth and throat, and behavioral patterns that affect their speaking style. -Ex: "Hey Siri"

Expiring accounts and Recertification

It is possible to set accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account. -It is common to configure temporary accounts to expire. For example, if a company hires contractors for 90 days, they may set the account to expire at that point. -If an organization decides to extend a contract, it is a simple matter to recertify the account. Administrators verify that the contract has been extended, change the expiration date, and enable the account.

Standard Naming Convention

Most organizations follow standard username naming conventions. Ex: Zach.Havelka, or Zach.Havelka2 if there are two of us. -When you move to a new company, understand the naming convention.

Identification

Occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses.

Authorization

Once identity is proven, users are not immediately given access to all resources. They are only granted authorization to access resources based on their proven identity. Ex: most users are only given read access to files; only a select few get full write access. -Access control systems include multiple security measures to ensure users can only access data they are authorized to use.

Federation

Requires a federated identity management system that all members of the federation use. Ex: the members of the federation are the power plant and the school. -Members of the federation agree on a standard for federated identities and then exchange the information based on the standard. A federated identity links a user's credentials from different networks or operating systems, but the federation treats it as one identity.

Retina Scanner

Scans the retina of one or both eyes and uses the pattern of blood vessels at the back of the eye (retina) for recognition. -Some people object to these methods because they can reveal health issues and because you usually have to make physical contact with the scanner.

Time-of-day Restrictions

Specify when users can log on to a computer. (If users are working past the curfew, the system will not kick them out, but it will prevent any new network connections.)

Job-, task, or function-based (role-BAC)

System layout where roles are centered on the jobs or functions that users need to perform. In other words, your role aligns with your job function.

Training users about password behaviors

Typically, users ignore security practices when making a password because they don't understand the damage that can result. -You need to give training on creating a strong password and on the importance of not giving it out. Ex: the password "123456" is frequently the most common password used. Instead, teach users to use "ICanCountTo6!" or something better.

Iris Scanner

Uses camera technologies to capture the patterns of the iris around the pupil for recognition. -Used in many passport-free border crossings around the world. They can take a picture from about 3 to 10 inches away, avoiding physical contact.

Need to Know

Users are only granted access to the data and information needed for their job. Need to know focuses on data and information, which is usually protected with permissions. -Similar to least privilege (rights and permissions), but need to know involves only permissions. Rights - typically refer to rights such as changing the system time, installing an application, or joining a computer to a domain. Permissions - typically refer to permissions on files, such as read, write, modify, read & execute, and full control.

False Acceptance (FAR)

When a biometric system incorrectly identifies an unauthorized user as an authorized user. The false acceptance rate (FAR), also known as the false match rate, identifies the percentage of times false acceptance occurs.

False Rejection Rate (FRR)

When a biometric system incorrectly rejects an authorized user. The false rejection rate (FRR), also known as the false non-match rate, identifies the percentage of times false rejection occurs.

Authentication, Authorization, and Accounting (AAA)

The three A's work together with identification to provide a comprehensive access management system.
