CompTIA Security+ (SY0-501) - Identity and Access Management
Hardware Token
A separate piece of hardware that provides a token for authentication.
Discretionary Access Control (DAC)
The owner of a resource decides who may access it, so users can dynamically share information with others. Flexible, dynamic access - least secure of the models. Harder to control information leakage.
Software Token
An app, or other software that generates a token for authentication.
Location-Based Policies
As users move from location to location, ensure permissions/access is adjusted accordingly.
Group-based Access Control
Assign permissions to groups, not individual users.
SAML (Security Assertion Markup Language)
Authenticating through a trusted third party (the identity provider) to gain access. The resource being accessed (the service provider) isn't responsible for authentication. Authentication requests are passed to the trusted third-party server. The user authenticates to that server, which issues a signed assertion (token) that is then presented to the resource.
Secure Token
Authentication mechanism that can identify and authenticate. Tells servers (resources) what access rights a user possesses. Can allow or deny access.
RADIUS (Remote Authentication Dial-In User Service)
Authentication service that provides AAA. Combines authentication and authorization in one exchange. Encrypts (obscures) only the password attribute; the rest of the packet is sent in the clear. Requires each network device to contain its own authorization configuration. No per-command logging. Limited vendor support for device administration (compared to TACACS+). UDP - connectionless. Ports 1812/1813 (authentication/accounting); legacy 1645/1646.
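The "encrypts only the password" point is worth seeing concretely. The block below is an added example, not part of the Security+ material: it implements the User-Password hiding scheme from RFC 2865 section 5.2 for both the NAS (client) and server sides. The shared secret and sample passwords are made up for the demonstration.

```python
import hashlib
import os

# Added example (not from the Security+ notes): the User-Password hiding scheme
# from RFC 2865 section 5.2. Only the User-Password attribute is protected;
# everything else in an Access-Request (User-Name, NAS-IP-Address, ...) is
# sent in the clear.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Client (NAS) side: produce the hidden User-Password value.

    The password is zero-padded to a multiple of 16 bytes. Each block is XORed
    with MD5(shared_secret + previous_ciphertext_block); the first block uses
    the 16-byte random Request Authenticator in place of a previous block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return hidden

def reveal_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: invert hide_password. Trailing zero padding is stripped,
    so a password that itself ends in NUL bytes is not representable."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    padded = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        padded += _xor(block, keystream)
        prev = block
    return padded.rstrip(b"\x00")

def new_request_authenticator() -> bytes:
    """The NAS must pick a fresh, unpredictable 16-byte value per request.
    Reusing one with the same shared secret lets an observer XOR two hidden
    passwords together and cancel the keystream of the first block."""
    return os.urandom(16)

if __name__ == "__main__":
    secret = b"example-shared-secret"          # assumed NAS/server shared secret
    ra = new_request_authenticator()
    hidden = hide_password(secret, ra, b"correct horse battery staple")
    print(hidden.hex())
    print(reveal_password(secret, ra, hidden))
```

The scheme is an MD5-based stream cipher keyed by the shared secret, not an authenticated encryption. Two practical consequences: a weak shared secret can be recovered offline from a captured Access-Request (the attacker knows the Request Authenticator and can guess secrets until the first block decrypts to printable text), and a NAS that reuses Request Authenticators leaks the XOR of two users' passwords. Run RADIUS over a management VLAN or IPsec/RadSec rather than relying on this alone.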
Account Maintenance
Automatically disable temporary accounts after a period of time. Periodically audit to ensure group memberships are appropriate.
Shibboleth
Based on SAML, it provides a free and open-source federated single sign-on and attribute exchange framework. Provides extended privacy functionality allowing a user and their home site to control attributes released to each application.
Group Policy
Can be used to enforce password rules. Complexity, Expiration, Group membership, remote access time of day/length of connection.
Account Recovery
Can users recover their own passwords? Ensure security questions aren't easily discovered via social engineering (favorite dog, children's names, favorite car, vacation spot, sports figure, etc.). Policy defines whether users need to call the help desk or have self-service options.
Standard Naming Convention
Easier to identify resource location and purpose. Reduces time to troubleshoot events and issues. Reduces time to onboard/train new personnel.
Transparent Data Encryption (TDE)
Encrypts contents of individual databases. Encrypts data at-rest.
Cell-Level Encryption (CLE)
Encrypts individual cells of a database. Encrypts data at-rest as well as data in-transit.
Permissions Auditing and Review
Ensure permissions are intact and still appropriate. Ensure additional rights haven't been granted or changed without approval. Permissions are not a "set it and forget it" thing.
File system security
Ensures that files are encrypted and only authorized users have access to them, or the correct access (read, write, delete, etc.)
Usage Auditing and Review
Ensuring that applications and resources are used as expected (actions performed and amount of time accessed).
HOTP (HMAC-Based One-Time Password)
Hash-based Message Authentication Code algorithm applied to a counter (RFC 4226). Open standard from the OATH initiative (Initiative for Open Authentication, not OAuth). Similar to TOTP, but the moving factor is an incrementing counter rather than the current time.
NTLM/NTLMv2 (New Technology LAN Manager)
LANMAN (LM) was originally developed by Microsoft for their early network operating systems. The second generation (NTLM) was used as the authentication protocol in early Windows NT versions. NTLMv2 was introduced with Windows NT 4.0 (SP4). Kerberos replaced NTLM as the default in Windows 2000 and later, but NTLM is still used in certain situations (mixed OS environments, workgroups, authentication by IP address).
Secure LDAP
LDAP over SSL/TLS (LDAPS). Uses TCP port 636. Mitigates the vulnerability of sending LDAP queries and bind credentials in plaintext.
Access Control Models
Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-Based Access Control (RBAC) Rule-Based Access Control (RBAC)
Identification
Means of finding out who a specific person or user is. Who you are. Labeling a person via username, security ID, smart card, PIV, biometrics, etc.
Single Sign-on
Method of allowing users access to all resources they need within an environment with single username and password. Negates having to remember multiple usernames and passwords. Mitigates risk by keeping users from writing down credentials. Easier to manage and allows for centralized control over password changes.
Password Length
Minimum number of characters required in a password. Most policies require at least 6-8 characters (8 is the common minimum). Used in conjunction with complexity requirements.
OpenID Connect
Open standard that provides SSO capabilities; built on top of OAuth 2.0. Cooperating sites are called Relying Parties (RP). A user chooses an OpenID provider and uses that account to log into any website that accepts OpenID authentication.
ABAC Architecture
Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP)
Service Accounts
Should be used only for services (not users) and be unique for each service. Troubleshooting, auditing, and revoking permissions when necessary are much easier.
Guest Accounts
Should be used sparingly, kiosks or other public access locations. The OS should be reimaged frequently and locked down as much as possible.
Privileged Accounts
Should be used sparingly, only to perform admin level functions. Users should use non-admin accounts for their daily tasks/activities. Invoked when necessary to perform specific admin tasks.
ABAC Attributes
Subject Attributes - User requesting access (e.g. age, security clearance, job title, etc.) Action Attributes - Actions being attempted (e.g. read, write, delete, approve, deny, etc.) Resource/Object Attributes - Describes the object being accessed (e.g. type, department, classification, sensitivity, etc.) Contextual/Environment Attributes - Time, location, or other dynamic aspects.
Accounting
Tracks the start and stop time of each session. Can be used for billing or "showback" (how long a user was connected.)
Transitive Trust
Trust that exists between domains or companies. A trusts B, B trusts C, so A trusts C.
Multifactor Authentication
Two or more pieces of information used to authenticate. Must be from different categories. Password and PIN would only be one factor (both fall under "something you know").
False Rejection Rate (FRR)
Type I error - probability that the system incorrectly rejects access to an authorized person.
False Acceptance Rate (FAR)
Type II error - probability that the system incorrectly authorizes a non-authorized person.
TOTP (Time-Based One-Time Password)
Unique password generated from a shared secret and the current time (RFC 6238); each code is valid for one time step, typically 30 seconds.
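HOTP and TOTP share the same core: an HMAC over a counter, truncated to a few digits. The block below is an added example, not part of the Security+ material. It implements both per RFC 4226 and RFC 6238, plus the server-side verification logic that makes a code single-use (HOTP) or tolerant of small clock skew (TOTP). The seed is the RFC's own test secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example (not from the Security+ notes): HOTP per RFC 4226 and TOTP per
# RFC 6238. The only difference is the "moving factor": HOTP uses a counter,
# TOTP derives the counter from the current time.

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP = truncate(HMAC(secret, counter)) mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP = HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits, algo)

def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check. Tries counters after the last accepted one (a
    small resync window for button presses the server never saw) and returns
    the counter to store, or None. A counter <= last_counter is never accepted,
    which is what makes a captured code single-use."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None

def verify_totp(secret: bytes, code: str, now: float, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side TOTP check allowing +/- `window` steps of clock skew."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))

if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    print([hotp(seed, c) for c in range(3)])      # 755224 287082 359152
    print(totp(seed, at=59, digits=8))            # 94287082
```

Two server-side details matter more than the arithmetic: compare codes with a constant-time function, and for TOTP also record the last accepted counter so the same code cannot be replayed within its validity window (verify_totp above only handles skew; pairing it with the last-counter rule from verify_hotp closes the replay gap).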
OAUTH (Open Standard for Authorization)
Authorization framework (not an authentication protocol) that lets a user grant an application limited access to their account at a bigger service (trusted 3rd party) without sharing their password. A lot of token exchange happens in the background that the user doesn't see: the client application redirects the user to the 3rd party's authorization server, which sends them back with an authorization code or access token.
Recertification
Used for contractors and 3rd party personnel. Credentials and required clearances are audited and re-certified, including level of access and locations accessed. Applies to equipment/infrastructure as well, e.g. when infrastructure is refreshed or applications are updated.
PAP (Password Authentication Protocol)
Username and password are sent in plaintext. Should no longer be used.
Credential Management
Utilize centralized account management (e.g. Active Directory). Ensure that credentials are stored encrypted or hashed. Use an encrypted connection when entering credentials into websites, etc. (SSL/TLS). Enforce password rules to make users change their password every "X" number of days.
Biometrics
Verification of identity through a physical characteristic. Fingerprint, retina scan, voice id.
802.1x Authentication
Uses EAPOL (Extensible Authentication Protocol over LAN). The switch (authenticator) allows only EAPOL traffic on the port until the client (supplicant) authenticates against a RADIUS or other authentication server.
Mandatory Access Control (MAC)
A predefined set of capabilities and access to information (who can share what with whom), enforced by labels rather than by resource owners. Inflexible, rigid - most secure. Must be carefully thought out and planned ahead of time.
One-way Trust
A trusts B / B doesn't trust A
Two-way Trust
A trusts B / B trusts A
Non-transitive Trust
A trusts B but doesn't allow that trust to extend.
Role-Based Access Control (RBAC)
Access based on role or group membership, depending on the users role in the company. Group membership determines what a user can or can't do. Once a user changes roles, their access changes accordingly.
Smart Card
Access control and security device that contains a chip or small amount of memory. Contains user permissions/access information. Typically combined with another factor such as a password or PIN. Incorrectly entering the PIN or password X number of times can lock the card.
User Account
Accounts that are unique to each person accessing a resource. A unique identifier is assigned to each account (the SID for Windows accounts). Every user should have their own account and be given the least privileges required to do their work.
Federation
Allowing access to company resources to outside parties. Trusted 3rd party authenticates the client/host/user. Social media sites like Facebook, Twitter, Google+ provide federation services.
Proximity Cards
Allows access based on a physical card and how close you are to the resource (if authorized to access). RFID and NFC are two types of proximity devices. Security cards and badges for building entry, toll-booths, etc. NFC is an evolution of RFID.
Port Security
Configure a switch so that it only learns one MAC address per port. Keep attackers from sending multiple fake MAC addresses. Can be set to trigger alert. Can be used in conjunction with 802.1X to strengthen security at the wall jack.
Rule-Based Access Control (RBAC)
Consists of preconfigured security policies that decide access. Access is based on predefined lists (allow or deny lists). Implicit deny: deny everything except what appears in an allow list. Implicit allow: deny only what specifically appears in a deny list. More flexible than MAC but less flexible than DAC.
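The difference between implicit deny and implicit allow is only visible when no rule matches, so it is easiest to see with a small first-match evaluator. The block below is an added example, not part of the Security+ material; the CIDR ranges and ports are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not from the Security+ notes): a first-match rule list in the
# style of a firewall/router ACL, showing the "implicit deny" and "implicit
# allow" defaults.

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # source network in CIDR notation
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.src, strict=False)
        return in_net and (self.dst_port is None or self.dst_port == dst_port)

def evaluate(rules, src_ip: str, dst_port: int, default: str = "deny"):
    """Walk the list top-down; the first matching rule wins. If nothing
    matches, `default` decides: "deny" gives an allow list (implicit deny),
    "allow" gives a deny list (implicit allow)."""
    if default not in ("allow", "deny"):
        raise ValueError("default must be 'allow' or 'deny'")
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule
    return default, None

# Allow list: only SSH from the corporate range; anything else hits implicit deny.
# Order matters: the quarantined subnet is listed first so its deny wins.
ALLOW_LIST = [
    Rule("deny", "10.0.99.0/24", 22),
    Rule("allow", "10.0.0.0/8", 22),
]

# Deny list: block one abusive network; anything else hits implicit allow.
DENY_LIST = [
    Rule("deny", "203.0.113.0/24"),
]

def check_allow_list(src_ip: str, dst_port: int) -> str:
    return evaluate(ALLOW_LIST, src_ip, dst_port, default="deny")[0]

def check_deny_list(src_ip: str, dst_port: int) -> str:
    return evaluate(DENY_LIST, src_ip, dst_port, default="allow")[0]
```

Implicit deny is the safer default because a forgotten rule fails closed; with a deny list, anything you did not think to enumerate is permitted.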
Authorization
Defines what you're allowed to access. Occurs after you're authenticated. Can be controlled via policy (e.g. Group Policy): time-of-day restrictions, length-of-connection restrictions, file/folder access rights, ACLs for various resources, etc. Permissions: what you're allowed to access after authentication.
Shared and Generic Accounts/Credentials
Difficult to troubleshoot or audit in the event of a breach, as multiple users share them. Each user should have their own non-admin account.
Account Disablement
Disable unused accounts instead of deleting them. Deleted accounts that are recreated with the same name have different SID. Encrypted documents can be difficult to recover.
ABAC (Attribute Based Access Control)
Dynamic "next-gen" authorization method. Policies are comprised of attributes that can be about anything or anyone. Attributes can be set-valued or atomic-valued and can be combined into complex Boolean rule sets.
Username
Every operating system creates names for each user of a system. Each is assigned a unique ID. Windows uses a SID (Security Identifier)
Time of Day Restrictions
Limit a user's access to files, folders, servers or the entire network depending on the time of the day. Keeps users who have no need to access corporate resources after hours from poking around sensitive company information. By Limiting a user's access to just before and just after normal working hours, you limit exposure risk by ~16 hours a day.
Kerberos
Network authentication service originally developed by MIT. Provides mutual authentication between client and server using a ticket-granting system: if the ticket is valid, authentication is allowed. Components: KDC (Key Distribution Center), AS (Authentication Service), TGS (Ticket Granting Service), TGT (Ticket Granting Ticket), principal (the user or service being authenticated). The KDC is usually both AS and TGS; it gives the host a TGT, which is then used to obtain service tickets.
Policy Information Point (PIP)
Part of ABAC Architecture. Bridge between PDP and external sources of information such as LDAP, databases, etc.
Policy Decision Point (PDP)
Part of ABAC Architecture. Evaluates incoming requests against configured policies. Permits or Denies and may request additional information/metadata from PIP.
Policy Enforcement Point (PEP)
Part of ABAC Architecture. Protects the resources being accessed. Generates the authorization request, sends it to the PDP, and enforces the decision.
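The three ABAC components above are easiest to understand as code. The block below is an added example, not part of the Security+ material: a PEP that builds requests, a PDP that evaluates attribute policies (first match wins, default deny), and a PIP that supplies subject attributes from a stand-in directory. The users, resources and policies are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example (not from the Security+ notes): a minimal ABAC flow with the
# PEP, PDP and PIP roles. The directory and policies are constructed sample data.

Attrs = Dict[str, object]

class PolicyInformationPoint:
    """Bridges the PDP to external attribute sources (here an in-memory
    stand-in for an LDAP directory or HR database)."""
    def __init__(self, directory: Dict[str, Attrs]):
        self.directory = directory
    def subject_attributes(self, user_id: str) -> Optional[Attrs]:
        return self.directory.get(user_id)

@dataclass
class Policy:
    name: str
    effect: str      # "permit" or "deny"
    condition: Callable[[Attrs, str, Attrs, Attrs], bool]   # (subject, action, resource, environment)

class PolicyDecisionPoint:
    """Evaluates a request against the policies, pulling subject attributes
    from the PIP. First matching policy wins; no match means deny."""
    def __init__(self, policies: List[Policy], pip: PolicyInformationPoint):
        self.policies, self.pip = policies, pip
    def decide(self, request: dict) -> str:
        subject = self.pip.subject_attributes(request["subject_id"])
        if subject is None:
            return "deny"            # unknown principal: fail closed
        for p in self.policies:
            if p.condition(subject, request["action"], request["resource"], request["environment"]):
                return p.effect
        return "deny"

class PolicyEnforcementPoint:
    """Sits in front of the resource; builds the request and enforces the answer."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
    def access(self, subject_id: str, action: str, resource: Attrs, environment: Attrs) -> str:
        request = {"subject_id": subject_id, "action": action,
                   "resource": resource, "environment": environment}
        decision = self.pdp.decide(request)
        if decision != "permit":
            raise PermissionError(f"{subject_id} may not {action} {resource.get('name')}")
        return decision

DIRECTORY = {   # constructed sample subject attributes
    "alice": {"department": "finance", "clearance": 2},
    "bob":   {"department": "engineering", "clearance": 1},
}

def business_hours(env: Attrs) -> bool:
    return 8 <= env["hour"] < 18 and env["network"] == "corp"

POLICIES = [
    Policy("deny-guests", "deny", lambda s, a, r, e: s.get("department") == "guest"),
    Policy("same-dept-read", "permit",
           lambda s, a, r, e: a == "read" and s["department"] == r["department"]
                              and business_hours(e)),
    Policy("cleared-write", "permit",
           lambda s, a, r, e: a == "write" and s["department"] == r["department"]
                              and s["clearance"] >= r["classification"] and business_hours(e)),
]

REPORT = {"name": "q3-forecast.xlsx", "department": "finance", "classification": 2}
SECRET = {"name": "merger.docx", "department": "finance", "classification": 3}

def decide(user: str, action: str, resource: Attrs, env: Attrs) -> str:
    pdp = PolicyDecisionPoint(POLICIES, PolicyInformationPoint(DIRECTORY))
    return pdp.decide({"subject_id": user, "action": action,
                       "resource": resource, "environment": env})
```

Note that the environment attributes (hour, network) change the answer for the same user and resource, which is exactly what RBAC alone cannot express without multiplying roles.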
Password History
Password history dictates how many previous passwords the OS remembers before a user is allowed to reuse one. Prevents users from quickly cycling through variations to get back to the one they prefer.
Password Complexity
Password should be complex enough to be hard to guess. Not so long or complex that users need to write them down. Passphrases are often easier to remember. Minimum length, special characters, upper/lowercase, etc.
Password Reuse
Policy defines whether or not a user can ever use the same password again. Can be used in conjunction with password history.
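Length, complexity, history and reuse are usually enforced by one check at password-change time. The block below is an added example, not part of the Security+ material: a policy object that keeps each user's last N passwords as salted PBKDF2 hashes (never plaintext) so reuse can be detected without storing anything recoverable. The thresholds and sample passwords are constructed for the demonstration.

```python
import hashlib
import os
import re
from collections import deque
from typing import List

# Added example (not from the Security+ notes): a password-change policy that
# combines minimum length, character classes, a username check and a history
# of the last N passwords stored as salted PBKDF2 hashes.

CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Iteration count kept modest for the demo; raise it (or use scrypt/argon2) in production.
PBKDF2_ITERATIONS = 50_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

class PasswordPolicy:
    def __init__(self, min_length: int = 8, min_classes: int = 3, history_size: int = 5):
        self.min_length = min_length
        self.min_classes = min_classes
        self.history_size = history_size
        self._history = {}     # user -> deque of (salt, hash), newest last

    def violations(self, user: str, candidate: str) -> List[str]:
        """Return the list of rules the candidate breaks (empty = acceptable)."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(rx.search(candidate)) for rx in CLASSES.values())
        if classes < self.min_classes:
            problems.append(f"uses {classes} character classes, need {self.min_classes}")
        if user.lower() in candidate.lower():
            problems.append("contains the username")
        for salt, digest in self._history.get(user, ()):
            if _hash(candidate, salt) == digest:
                problems.append(f"matches one of the last {self.history_size} passwords")
                break
        return problems

    def change_password(self, user: str, candidate: str) -> None:
        problems = self.violations(user, candidate)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        history = self._history.setdefault(user, deque(maxlen=self.history_size))
        history.append((salt, _hash(candidate, salt)))   # oldest entry drops off automatically
```

Because each history entry has its own salt, checking a candidate costs one PBKDF2 computation per remembered password; that is acceptable at change time but is why history sizes are kept small.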
Account Lockout
Policy that automatically locks a user's account after "X" number of incorrect login attempts (typically 3-5). Lockout duration should be long enough to thwart brute-force attacks; a 30-minute lockout is typical.
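A lockout tracker has more state than the definition suggests: a failure counter, an observation window, and a lock expiry. The block below is an added example, not part of the Security+ material, using the values quoted above (5 failures, 30-minute lockout). The clock is passed in explicitly so the behaviour can be checked without waiting, and the credential store is a constructed stub.

```python
from collections import defaultdict, deque
from typing import Optional

# Added example (not from the Security+ notes): an account-lockout tracker.
# Time is an explicit parameter (unix seconds) rather than time.time() so the
# logic can be exercised deterministically.

class AccountLockout:
    def __init__(self, threshold: int = 5, lockout_seconds: int = 1800, window_seconds: int = 1800):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds     # failures older than this are forgotten
        self._failures = defaultdict(deque)      # user -> timestamps of recent failures
        self._locked_until = {}                  # user -> time the lock expires

    def locked_until(self, user: str, now: float) -> Optional[float]:
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return until
        return None

    def _prune(self, user: str, now: float) -> None:
        q = self._failures[user]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def record_failure(self, user: str, now: float) -> bool:
        """Returns True if this failure triggered a lockout."""
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user].clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        self._failures[user].clear()
        self._locked_until.pop(user, None)

    def attempt(self, user: str, password: str, now: float, check_credentials) -> str:
        """Gate a login. While locked the password is not even checked, so an
        attacker cannot keep testing guesses against a locked account."""
        if self.locked_until(user, now) is not None:
            return "locked"
        if check_credentials(user, password):
            self.record_success(user, now)
            return "ok"
        self.record_failure(user, now)
        return "locked" if self.locked_until(user, now) else "bad-password"

def demo_check_credentials(user: str, password: str) -> bool:
    """Constructed stand-in for a real credential store."""
    return (user, password) == ("alice", "correct-horse")
```

Two caveats a practitioner should keep in mind: lockout turns a known username into a denial-of-service handle (an attacker can lock out every user they can name), so pair it with rate limiting and alerting rather than relying on it alone; and the counter must be keyed by account, not by source IP, or a distributed guess from many addresses never trips it.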
Authentication
Process of validating identity. Proving you are who you say you are. Identifies the user and allows or denies access (or challenges for additional credentials such as PIN or rotating code). Proving who you are. username/password combo, or PIN, OTP or biometric data.
Onboarding/Offboarding
Processes should be defined for both onboarding and offboarding. Users should have a clear understanding of what's acceptable, allowed and expected. Companies should ensure they take possession of all company assets when an employee leaves (hardware, software, and data) and revoke the employee's access.
Biometric Factors
Provide authentication based on physical attributes. Fingerprint scanner, Retinal Scanner, Iris Scanner, Voice recognition, facial recognition.
MS-CHAP (Microsoft CHAP)
Provides two-way, mutual authentication between client and server. Separate cryptographic keys are generated for transmitted and received data. Two versions exist, v1 and v2. Version 2 is more secure but still considered weak: its challenge response is built on DES with 56-bit keys and can be cracked offline from a captured exchange, much like NTLMv1.
Least Privilege
Providing a user with the least amount of privileges they need to do their work. Providing just enough to helps mitigate risk. Reduces the chances of installing malware, spyware, and viruses. Helps mitigate "configuration drift" issues. Prevents users from installing/updating drivers, firmware and patches.
Crossover Error Rate (CER)
Rate at which the false acceptance rate and false rejection rate are equal (also called the equal error rate). Used to compare biometric systems: the lower the CER, the more accurate the system.
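FRR, FAR and CER are all functions of the acceptance threshold, which is clearer when computed. The block below is an added example, not part of the Security+ material. The matcher scores are constructed sample data on a 0..100 similarity scale; a real deployment would use per-comparison scores collected from the matcher.

```python
from typing import Sequence, Tuple

# Added example (not from the Security+ notes): FAR, FRR and the crossover
# point computed from matcher scores. GENUINE are scores from comparisons of a
# person against their own template, IMPOSTOR from comparisons against someone
# else's. Both lists are constructed sample data.

GENUINE = [45, 50, 55, 70, 75, 80, 85, 90, 95, 98]
IMPOSTOR = [5, 10, 15, 20, 25, 30, 35, 52, 58, 62]

def far_frr(threshold: int, genuine: Sequence[int], impostor: Sequence[int]) -> Tuple[float, float]:
    """A comparison is accepted when score >= threshold.
    FAR (Type II error) = impostors accepted / impostors.
    FRR (Type I error)  = genuine users rejected / genuine users."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def crossover(genuine: Sequence[int], impostor: Sequence[int],
              thresholds=range(0, 101)) -> Tuple[int, float, float]:
    """Lowest threshold at which |FAR - FRR| is minimal, with the rates there (the CER)."""
    best = None
    for t in thresholds:
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr

def tradeoff_table(genuine: Sequence[int], impostor: Sequence[int], step: int = 10):
    """(threshold, FAR, FRR) rows showing that tightening the threshold trades
    false accepts for false rejects."""
    return [(t, *far_frr(t, genuine, impostor)) for t in range(0, 101, step)]

if __name__ == "__main__":
    for row in tradeoff_table(GENUINE, IMPOSTOR):
        print("threshold %3d  FAR %.2f  FRR %.2f" % row)
    print("CER at threshold %d: FAR=FRR=%.2f" % (crossover(GENUINE, IMPOSTOR)[0],
                                                 crossover(GENUINE, IMPOSTOR)[1]))
```

Which side of the crossover to operate on is a policy decision: a data-centre door is tuned for low FAR and accepts more false rejections, a phone unlock is tuned the other way.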
TACACS+ (Terminal Access Controller Access Control System)
Runs on TCP port 49. Encrypts the entire packet body (username, password and everything else), so it does not share RADIUS's weakness of protecting only the password. Separates authentication, authorization and accounting for more granular control, including per-command authorization and logging.
Common Access Card (CAC)
Smart card issued by the Department of Defense (DoD). General identification mechanism, used for access to DoD computers, signing email, etc.
Authentication Factors
Something you know - password or some other "secret". Something you have - smart card, hardware/software token, etc. Something you are - fingerprint, retina scan, etc. Somewhere you are - location based (e.g. IP address, geo-location, etc.). Something you do - signature, patterns of behavior, language, slang, etc.
Account Expiration
Temporary accounts should have expiration dates set when they're created. Ensures administrators don't forget to disable/expire accounts. Leave accounts intact, just disabled. Can always be enabled later. Extending the account can be automated as well.
Personal Identity Verification (PIV) Card
United States Federal smart card. Grants cardholder access to federal facilities and information systems. Established by the Federal Information Processing Standard (FIPS) 201
CHAP (Challenge Handshake Authentication Protocol)
Used to authenticate PPP clients to a server (e.g. VPN). The server sends a random challenge; the client returns a one-way hash of the challenge combined with the shared secret (e.g. the user's password), and the server computes the same hash and compares. The secret itself is never sent over the wire.
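The exchange above, as an added example with both sides (not part of the Security+ material): per RFC 1994 the response is MD5(identifier || secret || challenge). The account name and secret are constructed for the demonstration, and the challenge values are parameters only so a replay can be reproduced.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not from the Security+ notes): the CHAP challenge/response
# exchange from RFC 1994. Response = MD5(identifier || secret || challenge).

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: issues challenges and verifies responses. Note that it
    must hold the shared secret itself (not a salted hash of it)."""
    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets                             # name -> secret (constructed)
        self._pending: Dict[str, Tuple[int, bytes]] = {}    # session -> (identifier, challenge)

    def challenge(self, session: str, identifier: Optional[int] = None,
                  nonce: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Send (Identifier, Challenge). Both default to fresh random values;
        they are parameters only so tests can reproduce an exchange."""
        identifier = os.urandom(1)[0] if identifier is None else identifier
        nonce = os.urandom(16) if nonce is None else nonce
        self._pending[session] = (identifier, nonce)
        return identifier, nonce

    def verify(self, session: str, name: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(session, None)          # a challenge is single-use
        if pending is None or pending[0] != identifier:
            return False
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)

class ChapPeer:
    """Client side: answers a challenge with the hash of its secret."""
    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret
    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)

def run_exchange(server: ChapAuthenticator, peer: ChapPeer, session: str = "ppp0",
                 identifier: Optional[int] = None, nonce: Optional[bytes] = None) -> bool:
    ident, chal = server.challenge(session, identifier, nonce)
    return server.verify(session, peer.name, ident, peer.respond(ident, chal))
```

The caveat: "plaintext is never sent" does not mean the secret is safe. Anyone who captures a challenge and its response can run an offline dictionary attack on the MD5 construction, and the server has to keep every user's secret in recoverable form. CHAP resists replay, not eavesdropping plus guessing.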
LDAP (Lightweight Directory Access Protocol)
Used to query information about the directory (users, resources). Hierarchical in structure. Names are made up of components (CN = Common Name, OU = Organizational Unit, DC = Domain Component, e.g. CN=jdoe,OU=Staff,DC=example,DC=com). Derived from the X.500 directory standard. Runs over TCP/IP on TCP/UDP port 389 (unencrypted unless STARTTLS or LDAPS is used).
Authentication Services
Verify the user and control access to resources. Verify the identity of servers and resources being accessed. Provide security and help to ensure confidentiality, integrity, and availability of data.