CYSA + Chapter 8 Identity and Access Management Security

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Identities are used as part of the ________ framework that is used to control access to computers, networks and services.

AAA (Authentication, Authorization and Accounting)

_______ is the core identity store and AAA service for many Windows-centric organizations.

AD (Active Directory)

______ is the Microsoft answer to federations. It provides authentication and identity info as claims to third-party partner sites. Partner sites then use trust policies to match claims to claims supported by a service, and the it uses those claims to make authorization decisions.

ADFS (Active Directory Federation Services) Pg 295

Oauth relies on _____ ____ which are issues by an authorization server and then presented to resource servers like third-party web apps by clients.

Access Tokens

The creation, provisioning, maintenance, and de-provisioning and deletion is know as ____ _____ _____

Account life cycle

Common Kerberos attacks? _____ ____ attacks. Kerberos ____ _____ ________-focused attacks

Administrator Account Ticket Reuse (Pass-The-Ticket attacks) TGT (Ticket granting ticket)

What are the three modes of operation that LDAP provide?

Anonymous Unauthenticated Username/Password

____ access control gives users rights based on polices. Logic-Based collections of rights.

Atrribute-based

The ____ associated with and identity include information about a subject and often include the name, address, title, contact info, and other details.

Attributes

CAPTCHA-style methods and account lockout techniques are used to combat against what type of attacks?

Brute-Force attacks

____ attacks focus on getting a user to click a link that causes that user's browser to perform an action as that user.

CSRF (Cross-Site request forgery)

Open ID and OAuth2 is susceptible to ____ attacks.

CSRF (Cross-site request forgery)

What are some common Centralized Identity Management Suites that provide monitoring and privilege management throughout an accounts life cycle and can detect privilege creep?

Centrify Okta SailPoint Ping Identity

What are the four Identity Management systems mentioned in this chapter?

Centrify Okta Sailpoint Ping Identity

What is "The Realm" as it contains to Kerberos?

Consists of groups of principals

User roles and groups, IP Address and reputation, Time of Day, Location, Frequency, and Device-based fingerprint info is common data used for _______ authentication.

Context-Based Pg 284

_______ authentication allows authentication decisions to be made based on info about the user, the sys the user is connecting from, or other info that is relevant to the sys or org.

Context-based authentication

Which access control lacks central access control?

DAC (Discretionary access control)

LDAP _____ attacks disrupt authentication services that rely on LDAP or cause apps and services that rely on LDAP to fail

DOS

_______ _______ are used in networks to provide info about systems, users, and other information about an organization

Directory Services

_______ access control delegate control to the admins or owners of the protected resources like systems or data.

Discretionary

______ _______ of sessions or network links can help reduce the changes of successful MitM attacks.

End-to-end Encryption

Context-based authentication can be combined with MFA, allowing you to require users to provide ________ authentication when additional verification is needed or desired.

Enhanced

____ ____ is a shared authentication system that relies on Facebook credentials for authentication.

Facebook Connect

The process of linking an identity and it's related attributes between multiple identity management systems is know as a _________ ______.

Federate Identity Ex: Using a google account to access sites that aren't hosted by google such as Patreon

______ of Identity info allow the use of Identities outside of your home organization.

Federation

______ systems are Central Management systems that are built to create, store, and manage Identity information as well as the permissions, groups, and other info needed to support the use of identities.

IAM ( Identity and Access Management)

Federated Security from three points of view: As an ______, members of a federation must provide identities, make assertions about those identities to relying parties, and release info to relying parties about identity holders. As the _____ or ____, members of a federation must provide services to members of the federation, and handle data from both users and identity providers securely The ________ or user of the federated services may be asked to make decisions about attribute release, and to provide validation information about their identity claims to the IDP.

IDP (Identity Provider) RP, SP (Relying Party, Service Provider) Consumer

_______ has significant potential security benefits for orgs that don't have a strong in-house identity management capability or that need to better integrate with third-party services.

IDaaS

______ services provide authentication services, typically as a cloud-hosted service.

IDaaS (Identity as a Service)

RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using _______ tunnels or other protections to protect traffic.

IPsec

______ are the set of claims made about an individual or account holder that are made about one party to another party ( Service provider, application, or system).

Identities

______ _______ create and manage Identities, authenticate and authorize, and Federation of Identity.

Identity Systems

IDaaS provides what six features?

Identity life cycle management Privileged account management and monitoring Directory services Access management (authentication and authorization) SSO via SAML, OAuth, or other standards Reporting and Auditing (Management capabilities) Pg 287

What will a compromise of the KDC allow an attacker to do?

Impersonate any user

Strong Session Handling, Secure Session Identifiers, and End-to-end Encryption can prevent what three kinds of attacks?

Impersonation MitM Session Hijacking

Security issues like "OAuth open redirects" allow what type of attacks to occur?

Impersonation attacks

Common methods of targeting identity and access management systems.

Impersonation attacks MitM (Man in the Middle) Session Hijacking Privilege Escalation Rootkits

What are common LDAP directory server attacks?

Insecure binding (connection) method attacks Improper LDAP access controls LDAP Injections DOS attacks

What authentication protocol does Active Directory use?

Kerberos

Which authentication protocol is designed to operate on untrusted networks and use encryption to protect its authentication traffic?

Kerberos

Which authentication protocol relies on a central key distribution center (KDC)?

Kerberos

MFA relies on what four factors?

Knowledge Possession Biometric Location

_____ is an example of a a commonly deployed directory service. They are frequently used to make available an organizational directory for email and other contact info.

LDAP (Lightweight Directory Access Protocol)

_____ _____ exploits web apps that build LDAP queries using user inputs, allowing attackers to gather additional info or to make changes they shouldn't be authorized to make by OPERATING as the WEB SERVER.

LDAP Injection

One of the most common attacks on web services that use LDAP is _______ ______, which uses improperly filtered user input via web apps to send arbitrary LDAP queries.

LDAP Injections

What are the two flaws mentioned in this chapter that TACACS+ suffers from?

Lack of Integrity checking Encryptions flaws that compromise encryption keys.

A lost phone or token, insecure method of delivering a second factor, or backup access method that allows users to bypass second factor is a weakness of _______.

MFA

______ can help limit the impact of a successful phishing attack by requiring users to take addition action and by providing an authentication with a limited lifespan.

MFA

Common AD attacks include: ________-focused attacks that seek to place credential capturing or exploit-based ________ onto Windows systems or AD servers Credential theft via ______ or other techniques _______ ______ attacks using known or new Windows exploits _____ ______that are often forgotten elements of AD environments and may suffer from both privilege creep and overly permissive rights _____ _____ rights that exist for more staff than is necessary, creating more targets for attackers and a greater likelihood that an AD ______ ______ will not be properly maintained or that it's password will be exposed The use of _____ versions of protocols used in Windows domains like NTLM v1 and LANMAN, NetBIOS, and unsigned LDAP and SMB to capture credentials or to conduct other attacks

Malware Phishing Privilege Escalation Service Accounts Domain Admin Down-Level

_______ access control rely on the OS to control what subjects can access and what actions can be performed. Relies on a sys admin. Typically associated with military systems.

Mandatory

Organizations use ______ ______ processes to validate roles and rights. Sometimes necessary for access control but can require effort and time and are error prone.

Manual Review

When redirects and forwards aren't validated, untrusted user input can be sent to relying web apps, resulting in users being redirected to untrusted sites, allowing phishing scams or permitting attacks to bypass security layers is a flaw of _____ and _____

OAuth OpenID

______ _____ protocol provides an authorization framework designed to allow third part apps to access HTTP-based services. It was developed by IETF. Provides delegation access.

OAuth 2.0

_____ is an open authorization standard used by major websites like Google, Microsoft, and Facebook that allow users to share elements of their ID or account info while authenticating via the "Original" ID provider.

Oauth

_____ is an open source standard for decentralized authentication used by major websites (ID providers) like Google, Amazon, and Microsoft. Users create credentials with one of those ID Providers then sites (relying parties) use that identity.

OpenID

____ ____ is an authentication layer built using the OAuth protocol.

OpenID Connect

_____ _____ is often paired with OAuth to provide authentication. It allows the authorization server to issue an ID token in addition to the authorization provided by OAuth.

OpenID Connect

_____ _____ offers additional protections for encryption, and signing, which can help prevent many of the exploits conducted agains OpenID services.

OpenID Connect

Kerberos attack which reuse a secret key to acquire tickets?

Pass-the-key attacks

Authentication Flow Model Diagram

Pg 281

Context-Based authentication Chart

Pg 285

Comparison of Federated Identity Technologies 1:

Pg 293

Comparison of Federated Identity Technologies 2:

Pg 294

Advanced versions of ________ attacks can replay entries into legitimate sites to prevent their targets from noticing that their login didn't work

Phishing

What are user's called in Kerberos?

Principals

Steady accrual of additional rights over time is known as _____ _____.

Privilege Creep

The practice of managing and controlling identity rights is known as ______ _____

Privilege Management

Which authentication protocol can operate via TCP or UDP and operates in a client-server model?

RADIUS

Which authentication protocol password security isn't very strong?

RADIUS

Which authentication protocol sends obfuscated passwords by a shared secret and MD5 hash?

RADIUS

_____ is one of the most common AAA authentication protocols for net devices, VPNs, wireless nets, and other devices.

RADIUS

_____ access control uses roles associated with job functions or other criteria.

RBAC (Role-Based access control)

Attackers can capture information from you that can be replayed across the net that makes it seem like it's coming from you is called a ______ attack. This attack gathers Session IDs and Credentials and can use that information later on across the net.

Replay

Proper patching, layered security, whitelisting, heuristic detection, and malicious software detection tools can combat against ________

Rootkits

______ combine multiple malicious software tools to provide continued access to a computer while hiding there own existence.

Rootkits

______ access control systems use a set of rules implemented by an admin.

Rule-based

ACL are usually associated with which access control?

Rule-based access control

What technologies can you adopt if you want to Federate your own organization?

SAML OAuth OpenID Connect Facebook Connect

What are four major technologies that serve as the core of Federate Identity that provides a way for identity providers to integrate with service providers in a SECURE manner?

SAML OpenID OAuth2 ADFS

______ is an XML-based language used to send authentication and authorization data between identity providers and service providers. It allows authentication, attribute, and authorization statements to be exchanged. Provides SSO capabilities.

SAML (Security Assertion Markup Language)

Using identity info provides the "who" when reviewing events an incidents when paired with other _______ data and event logs, it provides a complete view of what occurred and what the user, service or account behavior was.

SIEM

______ isn't a secure second factor and NIST 800-63-3 recommends for it to be deprecated.

SMS (Text Message codes sent to your phone)

LDAP and Central Authentication Serice (CAS) is an example of what technology?

SSO

____ reduce the occurence of password reuse and likelihood of credential exposure to third parties. It's cost saving due to fewer password resets and support calls.

SSO

Many web apps rely on _____ systems to allow users to authenticate once and then to use multiple systems or services without having to use different usernames or passwords

SSO (Single Sign On)

Preventing Impersonation attacks can required strong _________ ________ techniques and securing _______ ______

Session Handling Session Identifiers

________ ______ focuses on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session or by causing the session to pass through a system the attacker controls.

Session Hijacking

RADIUS attacks often focus on the following: _____ _____ of server responses by matching known traffic and replaying previous responses or replaying server responses to authentic client without valid credentials Targeting the RADIUS _____ _____, since RADIUS uses a fixed ______ ____ that can be compromised at the client level _____ attacks aimed to prevent users from authenticating _____ attacks that rely on the use of a RADIUS-shared secret to brute-force the shared secret give a known password

Session replay Shared Secret DoS Credential-based

OpenID, OpenID Connect, Facebook Connect, and OAuth are an example of what type of technology?

Shared Authentication

_____ ______ schemes allow an identity to be reused on multiple sites while relying on authentication via a single identity provider. Ex: Using your Google account to access Patreon

Shared Authentication

______ _____ allows users to use their credentials without having to create new accounts on each site.

Shared Authentication

What's one main difference between Shared Authentication and SSO?

Shared Authentication requires users to enter credentials when authenticating to each site.

Privilege Escalation attacks relies on _____ _____, requiring admins to ensure the local apps, services, and utilities aren't vulnerable.

Software Vulernabilites

The user accounts we use to log in require the ability to uniquely ID individuals and other ______ such as services to allow permissions, rights, group memberships, and attributes to be associated with them.

Subjects

What are three common authentication protocols used for Centralized Authentication Services?

TACACS + RADIUS Kerberos

______ is a Cisco-designed authentication protocol that uses TCP traffic to provide AAA services.

TACACS + (Terminal Access Controller Access Control System) Note: Stupidest name in history.

_______ systems that provide AAA services for network devices should operate on an isolated administrative network if possible due to it's flaws.

TACACS+

____ attacks are incredibly valuable and can be created with extended lifespans. Often called "Golden Tickets" because they allow complete access to the Kerberos-connected systems, including creation of new tickets, accounts changes, and even falsification of accounts or services.

TGT (Ticket-granting ticket)

Using _____ to protect RADIUS authentication instead of relying on the protections built into RADIUS can help mitigate many RADIUS attacks

TLS

What are the common things to consider when implementing a secure LDAP server? Enabling and requiring _________ to keep LDAP queries and authentication secure. Setting _____ _______ to use a secure method because they're normally stored in plain text. Using ______ authentication and requiring TLS ______ of LDAP servers, which can help prevent DOS attacks and other service outages _______ _______ ______ for LDAP, which offer the ability to limit access to specific objects in the directory as well as overall rules for how entries are created, modified and deleted.

TLS Password Storage Password-Based Replication Access Control Lists

What are the three elements that Principals are composed of in Kerberos?

The Primary The Instance The Realm

What is "The Primary" as it contains to Kerberos?

The username

Kerberos _____ _____ allows impersonation of legitimate users for the lifespan of the ticket.

Ticket Reuse (Pass-The-Ticket attacks)

Realms are often separated by _____ ____ and have distinct ________

Trust Boundaries KDC (Key distribution centers)

What is "The Instance" as it contains to Kerberos?

Used to differentiate the primaries


Kaugnay na mga set ng pag-aaral

Regulations - Securities Act of 1933 : Review Questions

View Set

Chapter 8 Federal Government Information Security and Privacy Regulations

View Set

Pharm 3- lifespan considerations

View Set