Sec+ preparation #9 (access management)

Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning, I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes the concepts of various topics. A real professional.

You can purchase the Security+ SY0-701 boot camp here.

Identity and Access Management

Establish a baseline?

It is the minimum acceptable level of security.

It could be as simple as a minimum password length.

Security is a process (the exam emphasizes it)

  • Use the PDCA model

    • Plan, Do, Check, Act model
  • It is not a destination but a journey

  • New threats and vulnerabilities all the time

Cybersecurity is a blessing and a curse. You must constantly learn. That’s why it is so important to love what you do.

DMZ (Demilitarized zone) (always in exam)

A demilitarized zone is a kind of border between friendly networks and unfriendly networks. It is the next step after the firewall.

There is a demilitarized zone, for example, between South and North Korea; the network DMZ is the same idea, a border in the network.

The firewall directs traffic either to the internal network or to the DMZ.

The DMZ acts as a kind of additional firewall layer.

Identification

  • Claimed identity

  • Public information

  • Based upon first and last name

  • User name

  • User account

  • Employee number

  • There is no secret

Authentication

  • Verifying that the claimed identity is true.

  • Three types:

    • Authenticate by knowledge

    • By ownership

    • By characteristics

  • Single factor

  • Two factor

  • Three factor

Multi-factor authentication is when you check two different types, for example knowledge (password) and characteristics (fingerprint). Multi-factor means two different groups.

Two factor is when you check, for example, two passwords, or two different entry cards.

Access control

  • A model for developers

  • Look at one need or another

  • Use access control technologies and mechanisms

Authentication factors

There are three main ways:

  • Something you know (password, pin)

    • Type 1

    • Size is limited

    • Insecure storage

    • Operational problems

      • Help desk, easy to guess

      • Easy to get passwords

    • Physical problems

      • Can be compromised through lack of physical security
    • Hard to remember a complex pin or password.

  • Something you have (card, token)

    • Based on ownership

    • Also called type 2

    • Cryptographic keys or digital certificates

    • Smart cards

    • Magnetic cards

    • Memory cards

  • Something you are (biometric)

    • Based on unique physical characteristics

    • Type 3

    • Sophisticated and expensive

    • Biometric errors

      • Type 1 - false reject rate (FRR)

      • Type 2 - false accept rate (FAR)

    • Accuracy

      • Crossover error rate (CER)

      • Equal error rate (EER)

      • The more accurate, the more errors you get.

Biometric authentication is tricky because if someone steals your fingerprint, you can’t change the fingerprint.
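The FRR/FAR trade-off and the crossover point above, as an added example that is not part of the original notes. The match scores are constructed sample data; a sample is accepted when its score is at or above the matcher's threshold.

```python
# Added example (not from the original notes): how FRR (type 1), FAR (type 2)
# and the crossover error rate (CER/EER) come out of a biometric matcher.
# Scores are constructed sample data, 0-100; a sample is accepted when its
# score is at or above the threshold.
from typing import List, Tuple

# Constructed match scores: genuine = the enrolled user against their own
# template, impostor = other people against that template.
GENUINE_SCORES = [55, 62, 68, 71, 74, 77, 80, 83, 86, 90]
IMPOSTOR_SCORES = [20, 28, 35, 41, 47, 52, 58, 63, 66, 72]


def frr(threshold: int, genuine: List[int] = GENUINE_SCORES) -> float:
    """Type 1 error: share of genuine users wrongly rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold: int, impostor: List[int] = IMPOSTOR_SCORES) -> float:
    """Type 2 error: share of impostors wrongly accepted."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover(genuine: List[int] = GENUINE_SCORES,
              impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[int, float, float]:
    """Lowest threshold where FAR and FRR are closest: the CER / EER point."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    # raising the threshold lowers FAR but raises FRR: tune for the CER
    for t in (50, 64, 80):
        print(t, "FAR=%.1f FRR=%.1f" % (far(t), frr(t)))
    print("crossover:", crossover())
```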

Mutual authentication

  • User and server authenticate to each other

  • Commonly used for:

    • Private web site

      • User must present their certificate to the web site

    • To authenticate to a VPN device

    • To access the intranet

Access Control Models (for sure will be in Sec+)

Discretionary Access Control (DAC)

  • Owner decides who has access

  • Owners manage their own files

  • Access is granted based on the identity of the user

  • Implemented through access control lists (ACL)

It is adequate for low-security environments ONLY.

Mandatory access control (MAC)

  • Orange book class “B”, high security

  • Military uses this model

  • Controls are imposed by System Owner.

  • Based upon the sensitivity of an object

  • Subject must have appropriate Security Clearance

  • In MAC there are labels

  • Categories are used for Need to Know (NTK)

Trusted operating systems

  • In order to use MAC, you need a secure OS

  • Trusted Solaris

  • SELinux (used by Russian military)

  • Root is just another user in the system

Lattice Based Access Control

  • Used to implement MAC, file access, and integrity levels

  • Used for complex access control decisions

It defines:

  • Greatest lower bound

  • Least upper bound
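A lattice of MAC labels with the bounds named above, as an added example that is not part of the original notes. The level names and compartment names are constructed; "dominates" is the lattice's partial order, and the read/write checks follow the Bell-LaPadula rules (no read up, no write down).

```python
# Added example (not from the original notes): MAC decisions on a label
# lattice in the style of Bell-LaPadula. A label is a clearance level plus
# a set of need-to-know categories; "dominates" is the lattice's partial
# order, and lub/glb are the least upper and greatest lower bounds.
from dataclasses import dataclass
from typing import FrozenSet

# constructed level ordering; categories are constructed compartment names
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # higher-or-equal level AND every category of `other` (need to know)
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVEL_NAMES[max(LEVELS[a.level], LEVELS[b.level])],
                 a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both a and b dominate."""
    return Label(LEVEL_NAMES[min(LEVELS[a.level], LEVELS[b.level])],
                 a.categories & b.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """No read up: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No write down: the object's label must dominate the subject's."""
    return obj.dominates(subject)
```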

Rule based Access Control (RuBAC)

  • Used to implement rule-based mechanisms

    • Can filter not only based on Identity

    • Can use IP, Protocols, Ports

    • More secure than DAC (Discretionary Access Control)

  • Rules are applied universally

Role based access Control (RBAC)

  • Also called Non-Discretionary Access control

  • Policies are defined by the System

  • Distinguished from MAC

  • Maps well to organizational structure

  • Good for high turnover of personnel

  • User can belong to one or many roles

Groups and roles

  • Requires planning

  • Based on company mission and goals

  • You must analyze job tasks

  • Apply separation of duties

  • Consult the owner to determine access.

Appropriate roles and permissions

Three approaches:

  • Centralize

    • Single team, person, department

  • Decentralize

    • Each site has its own administrator

  • Hybrid

    • A mix of the two

    • Most commonly used

Access control matrix and ACL

Usually used in DAC

Password Policy

  • Forces users to use strong passwords

  • Does not let users choose their own password

  • Dictates to user:

    • Password length

    • Type of characters

  • Part of company security policies

  • Avoid overly complex passwords because people forget them.

Password Creation

  • You need to teach users how to construct a password

  • All passwords should be at least 12 characters long

  • Change passwords regularly

  • Do not allow reuse of passwords

  • Replacing letters with numbers is called munging. Example: Hell0

Protect your password

  • Memorize passwords, do not write them down

    • Writing them down makes the concept of a password disappear.

  • Use different passwords for different applications

  • The minimum password history should be at least 5 to 10 passwords.

Password policies are stored in Local Security Policy

Usernames and passwords

  • Most commonly used

  • Used on web apps and portals

  • Should be encrypted in storage

  • Should never be transmitted in clear text

  • Do not use simple passwords

Time of day restriction

  • Also called temporal access control

  • Access is based on the time of day.

  • These days, with so much ransomware, you should do backups as often as possible.

Account expiration

  • Great for temporary workers, for example interns or contractors.

  • Ensures there are no dormant accounts

  • Eases system administration

Logical Tokens

  • Two categories:

    • Synchronous (clock is involved)

    • Asynchronous (series of steps)

  • Better than a static password

  • You must educate workers on how to use them

  • A token is kind of like an ID card.

  • You should know about: Seed, Salt, IV, Nonce (could be in exam)

  • A salt is added to a password before hashing to make it harder to identify the hash of your password. The same password produces different hashes because of the salt.
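The password rules from the Password Policy and Password Creation sections (at least 12 characters, no reuse of the last 5 to 10 passwords) together with the salt described above, as an added example that is not part of the original notes. The class, constants and PBKDF2 parameters are this example's own choices, not those of any product.

```python
# Added example (not from the original notes): a small password store that
# applies the policy from the notes (12+ characters, no reuse of the last
# N passwords) and keeps only salted PBKDF2 hashes, so identical passwords
# never produce identical stored values. Names and constants are this
# example's own choices, not those of any product.
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

MIN_LENGTH = 12          # notes: at least 12 characters
HISTORY_SIZE = 5         # notes: history of 5 to 10; 5 used here
PBKDF2_ROUNDS = 200_000  # slows offline guessing against a leaked hash

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # constant-time compare: does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), stored)

class PasswordStore:
    def __init__(self) -> None:
        # user -> [(salt, hash), ...], oldest first; the last entry is current
        self._history: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def set_password(self, user: str, new_password: str) -> str:
        if len(new_password) < MIN_LENGTH:
            return "rejected: shorter than %d characters" % MIN_LENGTH
        history = self._history.setdefault(user, [])
        # every old entry has its own salt, so re-hash with that salt to compare
        if any(verify(new_password, salt, digest) for salt, digest in history):
            return "rejected: password was used recently"
        salt = os.urandom(16)  # fresh random salt per password
        history.append((salt, hash_password(new_password, salt)))
        del history[:-HISTORY_SIZE]  # keep only the last N for the reuse check
        return "ok"

    def check_login(self, user: str, password: str) -> bool:
        history = self._history.get(user)
        if not history:
            return False
        salt, digest = history[-1]
        return verify(password, salt, digest)

    def current_hash(self, user: str) -> bytes:
        return self._history[user][-1][1]
```

Two users who pick the same password end up with different stored hashes because each gets its own random salt.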
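A synchronous logical token (the "clock is involved" category above, with a shared seed), as an added example that is not part of the original notes. It implements RFC 6238 TOTP on top of RFC 4226 HOTP; the seed used in the demo is the RFCs' published test seed, not a real secret.

```python
# Added example (not from the original notes): a synchronous logical token.
# Token and server share a seed and each derive the same code from the
# current 30-second time step (RFC 6238 TOTP, built on RFC 4226 HOTP).
import hashlib
import hmac
import struct
import time

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the clock divided into steps (synchronous)."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: accept the current step and +/- `skew` steps for clock drift."""
    for offset in range(-skew, skew + 1):
        expected = totp(seed, unix_time + offset * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False

if __name__ == "__main__":
    demo_seed = b"12345678901234567890"  # RFC 4226/6238 test seed, not a real secret
    now = int(time.time())
    print(totp(demo_seed, now), verify_totp(demo_seed, totp(demo_seed, now), now))
```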

Single Sign-On (SSO)

  • Authenticate only once and get access to all resources

  • Advantages:

    • Requires fewer passwords

    • Authenticate once, not many times

    • Expires after some time

  • Disadvantages:

    • One key for all places

    • Interoperability issues

    • Requires significant Planning and Analysis

Lightweight Directory Access Protocol (LDAP)

  • It’s a directory publishing service

  • Parent protocol is X.500

  • Stores attribute-based data (kind of a database)

  • Data is generally read, not written

  • Uses port 389 for LDAP and 636 for Secure LDAP

Kerberos (SSO)

  • Built by MIT in the 1980s

  • Uses Symmetric Keys or Secret Keys

  • Key Distribution Centre (KDC) - it is unique to Kerberos

    • Authentication Server (AS)

    • Ticket Granting Service (TGS)

  • Principals

    • Users, services, applications

  • Uses Ticket Granting Tickets (TGT) and tickets

    • Tickets define what you have access to

If the exam talks about tickets, it is Kerberos. (mark this)

Remote Authentication Dial-In User Service (RADIUS)

  • It is open source

  • A client/server protocol

  • Shared Key between client and server

  • Authenticates dial-in or network users

  • Profiles are kept in a central database

  • Tracks usage for billing

  • Uses UDP

Terminal Access Controller Access-Control System (TACACS+)

  • Service from Cisco

  • TACACS+ is an industry standard under RFC (Request for Comments) 1492 - it’s kind of a standard

  • More detailed logging than RADIUS

  • Uses TCP (was seen in exam, keep in mind)

  • TACACS+ improves security.

  • It uses LDAP in the authentication phase.

Remember that RADIUS uses UDP and TACACS uses TCP.

Due care and Due Diligence (important concepts)

  • Due Diligence - Do Detect

    • Identifying risk

    • Based on best practices

    • For example: all computers must have antivirus.

  • Due Care - Do Correct

    • Bringing the risk down to an acceptable level

    • Maintaining the risk at that level over time

    • For example: updating the virus database 10 times a day

Personal Identity Verification (PIV) Cards

  • A CAC card is an example

  • Required for all US Government employees

  • Used for secure access to computers and buildings

Written by

Jonas Satkauskas