CySA+ Chapter 8: Identity and Access Management Security
Identities are used as part of the ________ framework that is used to control access to computers, networks and services.
AAA (Authentication, Authorization and Accounting)
_______ is the core identity store and AAA service for many Windows-centric organizations.
AD (Active Directory)
______ is Microsoft's answer to federations. It provides authentication and identity info as claims to third-party partner sites. Partner sites then use trust policies to match claims to claims supported by a service, and then use those claims to make authorization decisions.
ADFS (Active Directory Federation Services) Pg 295
OAuth relies on _____ _____, which are issued by an authorization server and then presented by clients to resource servers such as third-party web apps.
Access Tokens
The creation, provisioning, maintenance, de-provisioning, and deletion of accounts is known as the ____ _____ _____.
Account life cycle
What are common Kerberos attacks? _____ _____ attacks, Kerberos _____ _____, and _____-focused attacks.
Administrator account; Ticket reuse (Pass-the-Ticket attacks); TGT (Ticket-granting ticket)
What are the three modes of operation that LDAP provides?
Anonymous; Unauthenticated; Username/Password
____ access control gives users rights based on policies, which are logic-based collections of rights.
Attribute-based
The ____ associated with an identity include information about a subject, often including the name, address, title, contact info, and other details.
Attributes
CAPTCHA-style methods and account lockout techniques are used to combat what type of attack?
Brute-Force attacks
____ attacks focus on getting a user to click a link that causes that user's browser to perform an action as that user.
CSRF (Cross-Site request forgery)
OpenID and OAuth2 are susceptible to ____ attacks.
CSRF (Cross-site request forgery)
What are some common centralized Identity Management suites that provide monitoring and privilege management throughout an account's life cycle and can detect privilege creep?
Centrify, Okta, SailPoint, Ping Identity
What are the four Identity Management systems mentioned in this chapter?
Centrify, Okta, SailPoint, Ping Identity
What is "The Realm" as it pertains to Kerberos?
Consists of groups of principals
User roles and groups, IP address and reputation, time of day, location, frequency, and device-based fingerprint info are common data used for _______ authentication.
Context-Based Pg 284
_______ authentication allows authentication decisions to be made based on info about the user, the system the user is connecting from, or other info that is relevant to the system or organization.
Context-based authentication
Which access control model lacks central access control?
DAC (Discretionary access control)
LDAP _____ attacks disrupt authentication services that rely on LDAP, or cause apps and services that rely on LDAP to fail.
DoS
_______ _______ are used in networks to provide info about systems, users, and other information about an organization.
Directory Services
_______ access control delegates control to the admins or owners of the protected resources, such as systems or data.
Discretionary
______ _______ of sessions or network links can help reduce the chances of successful MitM attacks.
End-to-end Encryption
Context-based authentication can be combined with MFA, allowing you to require users to provide ________ authentication when additional verification is needed or desired.
Enhanced
____ ____ is a shared authentication system that relies on Facebook credentials for authentication.
Facebook Connect
The process of linking an identity and its related attributes between multiple identity management systems is known as a _________ ______.
Federated Identity. Ex: Using a Google account to access sites that aren't hosted by Google, such as Patreon.
______ of identity info allows the use of identities outside of your home organization.
Federation
______ systems are central management systems that are built to create, store, and manage identity information, as well as the permissions, groups, and other info needed to support the use of identities.
IAM (Identity and Access Management)
Federated security from three points of view: As an ______, members of a federation must provide identities, make assertions about those identities to relying parties, and release info to relying parties about identity holders. As the _____ or ____, members of a federation must provide services to members of the federation and handle data from both users and identity providers securely. The ________, or user of the federated services, may be asked to make decisions about attribute release and to provide validation information about their identity claims to the IDP.
IDP (Identity Provider); RP or SP (Relying Party or Service Provider); Consumer
_______ has significant potential security benefits for organizations that don't have a strong in-house identity management capability or that need to better integrate with third-party services.
IDaaS
______ services provide authentication services, typically as a cloud-hosted service.
IDaaS (Identity as a Service)
RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using _______ tunnels or other protections to protect traffic.
IPsec
______ are the set of claims made about an individual or account holder by one party to another party (service provider, application, or system).
Identities
______ _______ create and manage identities, authenticate and authorize, and federate identity.
Identity Systems
IDaaS provides what six features?
Identity life cycle management; Privileged account management and monitoring; Directory services; Access management (authentication and authorization); SSO via SAML, OAuth, or other standards; Reporting and auditing (management capabilities). Pg 287
What will a compromise of the KDC allow an attacker to do?
Impersonate any user
Strong Session Handling, Secure Session Identifiers, and End-to-end Encryption can prevent what three kinds of attacks?
Impersonation, MitM, Session Hijacking
Security issues like "OAuth open redirects" allow what type of attacks to occur?
Impersonation attacks
What are common methods of targeting identity and access management systems?
Impersonation attacks, MitM (Man in the Middle), Session Hijacking, Privilege Escalation, Rootkits
What are common LDAP directory server attacks?
Insecure binding (connection) method attacks; Improper LDAP access controls; LDAP injections; DoS attacks
What authentication protocol does Active Directory use?
Kerberos
Which authentication protocol is designed to operate on untrusted networks and use encryption to protect its authentication traffic?
Kerberos
Which authentication protocol relies on a central key distribution center (KDC)?
Kerberos
MFA relies on what four factors?
Knowledge, Possession, Biometric, Location
_____ is an example of a commonly deployed directory service. It is frequently used to make available an organizational directory for email and other contact info.
LDAP (Lightweight Directory Access Protocol)
_____ _____ exploits web apps that build LDAP queries using user inputs, allowing attackers to gather additional info or to make changes they shouldn't be authorized to make by operating as the web server.
LDAP Injection
One of the most common attacks on web services that use LDAP is _______ ______, which uses improperly filtered user input via web apps to send arbitrary LDAP queries.
LDAP Injections
What are the two flaws mentioned in this chapter that TACACS+ suffers from?
Lack of integrity checking; Encryption flaws that compromise encryption keys
A lost phone or token, an insecure method of delivering a second factor, or a backup access method that allows users to bypass the second factor are weaknesses of _______.
MFA
______ can help limit the impact of a successful phishing attack by requiring users to take additional action and by providing an authentication with a limited lifespan.
MFA
Common AD attacks include: ________-focused attacks that seek to place credential-capturing or exploit-based ________ onto Windows systems or AD servers; Credential theft via ______ or other techniques; _______ ______ attacks using known or new Windows exploits; _____ ______ that are often forgotten elements of AD environments and may suffer from both privilege creep and overly permissive rights; _____ _____ rights that exist for more staff than is necessary, creating more targets for attackers and a greater likelihood that an AD ______ ______ will not be properly maintained or that its password will be exposed; The use of _____ versions of protocols used in Windows domains, like NTLM v1 and LANMAN, NetBIOS, and unsigned LDAP and SMB, to capture credentials or to conduct other attacks.
Malware; Phishing; Privilege Escalation; Service Accounts; Domain Admin; Down-Level
_______ access control relies on the OS to control what subjects can access and what actions can be performed. It relies on a system admin and is typically associated with military systems.
Mandatory
Organizations use ______ ______ processes to validate roles and rights. They are sometimes necessary for access control, but they require effort and time and are error-prone.
Manual Review
When redirects and forwards aren't validated, untrusted user input can be sent to relying web apps, resulting in users being redirected to untrusted sites, allowing phishing scams or permitting attacks to bypass security layers. This is a flaw of _____ and _____.
OAuth, OpenID
The ______ _____ protocol provides an authorization framework designed to allow third-party apps to access HTTP-based services. It was developed by the IETF and provides delegated access.
OAuth 2.0
_____ is an open authorization standard used by major websites like Google, Microsoft, and Facebook that allows users to share elements of their ID or account info while authenticating via the "original" ID provider.
OAuth
_____ is an open source standard for decentralized authentication used by major websites (ID providers) like Google, Amazon, and Microsoft. Users create credentials with one of those ID providers, and then sites (relying parties) use that identity.
OpenID
____ ____ is an authentication layer built using the OAuth protocol.
OpenID Connect
_____ _____ is often paired with OAuth to provide authentication. It allows the authorization server to issue an ID token in addition to the authorization provided by OAuth.
OpenID Connect
_____ _____ offers additional protections for encryption and signing, which can help prevent many of the exploits conducted against OpenID services.
OpenID Connect
Which Kerberos attack reuses a secret key to acquire tickets?
Pass-the-key attacks
Authentication Flow Model Diagram
Pg 281
Context-Based authentication Chart
Pg 285
Comparison of Federated Identity Technologies 1:
Pg 293
Comparison of Federated Identity Technologies 2:
Pg 294
Advanced versions of ________ attacks can replay entries into legitimate sites to prevent their targets from noticing that their login didn't work.
Phishing
What are users called in Kerberos?
Principals
Steady accrual of additional rights over time is known as _____ _____.
Privilege Creep
The practice of managing and controlling identity rights is known as ______ _____.
Privilege Management
Which authentication protocol can operate via TCP or UDP and operates in a client-server model?
RADIUS
Which authentication protocol's password security isn't very strong?
RADIUS
Which authentication protocol sends passwords obfuscated using a shared secret and an MD5 hash?
RADIUS
_____ is one of the most common AAA authentication protocols for network devices, VPNs, wireless networks, and other devices.
RADIUS
_____ access control uses roles associated with job functions or other criteria.
RBAC (Role-Based access control)
An attack in which attackers capture information from you and replay it across the network so that it appears to come from you is called a ______ attack. This attack gathers session IDs and credentials and can use that information later across the network.
Replay
Proper patching, layered security, whitelisting, heuristic detection, and malicious software detection tools can combat ________.
Rootkits
______ combine multiple malicious software tools to provide continued access to a computer while hiding their own existence.
Rootkits
______ access control systems use a set of rules implemented by an admin.
Rule-based
ACLs are usually associated with which access control model?
Rule-based access control
What technologies can you adopt if you want to federate your own organization?
SAML, OAuth, OpenID Connect, Facebook Connect
What are the four major technologies that serve as the core of federated identity and provide a way for identity providers to integrate with service providers in a SECURE manner?
SAML, OpenID, OAuth2, ADFS
______ is an XML-based language used to send authentication and authorization data between identity providers and service providers. It allows authentication, attribute, and authorization statements to be exchanged. Provides SSO capabilities.
SAML (Security Assertion Markup Language)
Using identity info provides the "who" when reviewing events and incidents; when paired with other _______ data and event logs, it provides a complete view of what occurred and what the user, service, or account behavior was.
SIEM
______ isn't a secure second factor and NIST 800-63-3 recommends for it to be deprecated.
SMS (Text Message codes sent to your phone)
LDAP and Central Authentication Service (CAS) are examples of what technology?
SSO
____ reduces the occurrence of password reuse and the likelihood of credential exposure to third parties. It saves costs due to fewer password resets and support calls.
SSO
Many web apps rely on _____ systems to allow users to authenticate once and then use multiple systems or services without having to use different usernames or passwords.
SSO (Single Sign On)
Preventing impersonation attacks can require strong _________ ________ techniques and securing _______ ______.
Session Handling; Session Identifiers
________ ______ focuses on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session or by causing the session to pass through a system the attacker controls.
Session Hijacking
RADIUS attacks often focus on the following: _____ _____ of server responses, by matching known traffic and replaying previous responses, or replaying server responses to authenticate a client without valid credentials; Targeting the RADIUS _____ _____, since RADIUS uses a fixed ______ ____ that can be compromised at the client level; _____ attacks aimed at preventing users from authenticating; _____ attacks that rely on the use of a RADIUS shared secret to brute-force the shared secret given a known password.
Session replay; Shared Secret; DoS; Credential-based
OpenID, OpenID Connect, Facebook Connect, and OAuth are examples of what type of technology?
Shared Authentication
_____ ______ schemes allow an identity to be reused on multiple sites while relying on authentication via a single identity provider. Ex: Using your Google account to access Patreon.
Shared Authentication
______ _____ allows users to use their credentials without having to create new accounts on each site.
Shared Authentication
What's one main difference between Shared Authentication and SSO?
Shared Authentication requires users to enter credentials when authenticating to each site.
Privilege escalation attacks rely on _____ _____, requiring admins to ensure that local apps, services, and utilities aren't vulnerable.
Software Vulnerabilities
The user accounts we use to log in require the ability to uniquely identify individuals and other ______, such as services, to allow permissions, rights, group memberships, and attributes to be associated with them.
Subjects
What are three common authentication protocols used for centralized authentication services?
TACACS+, RADIUS, Kerberos
______ is a Cisco-designed authentication protocol that uses TCP traffic to provide AAA services.
TACACS+ (Terminal Access Controller Access Control System). Note: Stupidest name in history.
_______ systems that provide AAA services for network devices should operate on an isolated administrative network if possible, due to its flaws.
TACACS+
____ attacks are incredibly valuable, and the tickets can be created with extended lifespans. They are often called "Golden Tickets" because they allow complete access to the Kerberos-connected systems, including creation of new tickets, account changes, and even falsification of accounts or services.
TGT (Ticket-granting ticket)
Using _____ to protect RADIUS authentication, instead of relying on the protections built into RADIUS, can help mitigate many RADIUS attacks.
TLS
What are the common things to consider when implementing a secure LDAP server? Enabling and requiring _________ to keep LDAP queries and authentication secure; Setting _____ _______ to use a secure method, because passwords are normally stored in plain text; Using ______ authentication and requiring TLS; ______ of LDAP servers, which can help prevent DoS attacks and other service outages; _______ _______ ______ for LDAP, which offer the ability to limit access to specific objects in the directory as well as overall rules for how entries are created, modified, and deleted.
TLS; Password Storage; Password-Based; Replication; Access Control Lists
What are the three elements that Principals are composed of in Kerberos?
The Primary, The Instance, The Realm
What is "The Primary" as it pertains to Kerberos?
The username
Kerberos _____ _____ allows impersonation of legitimate users for the lifespan of the ticket.
Ticket Reuse (Pass-The-Ticket attacks)
Realms are often separated by _____ ____ and have distinct ________.
Trust Boundaries; KDCs (Key Distribution Centers)
What is "The Instance" as it pertains to Kerberos?
Used to differentiate the primaries