Sec+ preparation #9 (access management)


Intro
Let’s jump into next day of preparing for SEC+.
Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.
Identity and Access Management
Establish a baseline?
It is a minimum acceptable level of security
Could be as simple as minimum password length
Security is a process (exam emphasizes it)
Use the PDCA model
- Plan, Do, Check, Act model
It is not a destination but a journey
New threats and vulnerabilities all the time
Cybersecurity is a blessing and a curse. You must constantly learn. That’s why it is so important to love what you do.
DMZ (Demilitarized zone) (always in exam)
A demilitarized zone is a kind of border between friendly networks and unfriendly networks. It sits one step beyond the firewall.
There is a demilitarized zone between South and North Korea, for example. In networking, it is the border.
Firewall directs traffic to internal network or to DMZ.
DMZ is kind of additional firewall.
Identification
Claimed identity
Public information
Based upon first and last name
User name
User account
Employee number
There is no secret
Authentication
Verifying if identification is true.
Three types:
Authenticate by knowledge
By ownership
By characteristics
Single factor
Two factor
Three factor
Multi-factor authentication is when you check two types, for example knowledge (password) and characteristics (fingerprint). Multi-factor means two different groups.
Two-factor is when you check, for example, two passwords, or two different entry cards.
Access control
A model for developers
Look at one need or another
Use access control technologies and mechanisms
Authentication factors
There’s three main ways:
Something you know (password, PIN)
Type 1
Size is limited
Insecure storage
Operational problems
Help desk, easy to guess
Easy to get passwords
Physical problems
- Can be compromised through lack of physical security
Hard to remember a complex PIN or password.
Something you have (card, token)
Based on ownership
Also called type 2
Cryptographic keys or digital certificates
Smart cards
Magnetic cards
Memory cards
Something you are (biometric)
Based on unique physical characteristics
Type 3
Sophisticated and expensive
Biometric errors
Type 1 - false reject rate (FRR)
Type 2 - false accept rate (FAR)
Accuracy
Crossover error rate (CER)
Equal error rate (EER)
The more accurate, the more errors you get.
Biometric authentication is tricky because if someone steals your fingerprint, you can’t change the fingerprint.
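As an added example (not part of the original notes), the Python below computes FRR (Type 1) and FAR (Type 2) for a range of decision thresholds over constructed match scores and finds the crossover point; it also shows the trade-off: raising the threshold lowers FAR but raises FRR.

```python
# Added example (not from the original notes): FRR, FAR and the crossover
# error rate (CER / EER) from constructed biometric match scores.
# Higher score = better match; a sample is accepted when score >= threshold.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]   # constructed
IMPOSTOR = [0.62, 0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.33, 0.27, 0.20]  # constructed


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    # Type 1 error (FRR): a genuine user is rejected because the score is too low.
    frr = sum(s < threshold for s in genuine) / len(genuine)
    # Type 2 error (FAR): an impostor is accepted because the score is high enough.
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    # Sweep thresholds from 0.0 to 1.0 and return (threshold, frr, far) at the
    # point where FRR and FAR are closest: the crossover / equal error rate.
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7, 0.9):
        frr, far = error_rates(t)
        print(f"threshold={t:.2f}  FRR={frr:.1f}  FAR={far:.1f}")
    print("crossover (threshold, FRR, FAR):", crossover())
```
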
Mutual authentication
User and server authenticate to each other
Commonly used for:
Private web site
- User must present their certificate to the web site
To authenticate to a VPN device
To access an intranet
Access Control Models (for sure will be in Sec+)
Discretionary Access Control (DAC)
Owner decides who has access
Owners manage their own files
Access is granted based on the identity of the user
Implemented through access control lists (ACLs)
It is adequate for low-level security environments ONLY.
Mandatory access control (MAC)
Orange Book class “B”, high security
Military uses this model
Controls are imposed by System Owner.
Based upon the sensitivity of an object
Subject must have appropriate Security Clearance
In MAC there are labels
Categories are used for the Need to Know (NDK)
Trusted operating systems
In order to use MAC, you need a secure OS
Trusted Solaris
SELinux (used by Russian military)
Root is just another user in the system
Lattice Based Access Control
Used to implement MAC, file access, integrity levels
Used for complex access control decisions
It defines:
Greatest upper bound
Least upper bound
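An added example (not the notes' own code) of a lattice-based MAC check in Python: a label is a sensitivity level plus a set of need-to-know categories, a subject may read an object only when its label dominates the object's label, and the least upper bound and greatest lower bound of two labels are computed the way a lattice defines them. Level names and categories are constructed for illustration.

```python
# Added example (not from the original notes): lattice-based mandatory access
# control. A label = (sensitivity level, set of need-to-know categories).
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Dominance in the lattice: level at least as high AND every category
        # of the other label is held (the need-to-know part).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def least_upper_bound(a: Label, b: Label) -> Label:
    # Smallest label dominating both: the higher level, union of categories.
    top = max(a.level, b.level, key=LEVELS.get)
    return Label(top, a.categories | b.categories)


def greatest_lower_bound(a: Label, b: Label) -> Label:
    # Largest label dominated by both: the lower level, intersection of categories.
    low = min(a.level, b.level, key=LEVELS.get)
    return Label(low, a.categories & b.categories)


def can_read(subject: Label, obj: Label) -> bool:
    # The subject's clearance must dominate the object's classification;
    # a matching level alone is not enough without the object's categories.
    return subject.dominates(obj)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    report = Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))
    print(can_read(analyst, report))   # denied: analyst lacks CRYPTO category
    print(least_upper_bound(analyst, report))
```
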
Rule based Access Control (RuBAC)
Used to implement rule-based mechanisms
Can filter not only based on identity
Can use IP addresses, protocols, ports
More secure than DAC (Discretionary Access Control)
Rules are applied universally
Role based access Control (RBAC)
Also called Non-Discretionary Access Control
Policies are defined by the system
Distinguished from MAC
Maps well to organizational structure
Good for high turnover of personnel
User can belong to one or many roles
Groups and roles
Requires planning
Based on company mission and goals
You must analyze job tasks
Apply separation of duties
Consult the owner to determine access.
Appropriate roles and permissions
Three approaches:
Centralize
- Single team, person, department
Decentralize
- Each site has their own administrator
Hybrid
A mix of the two
Most commonly used
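An added example (not the notes' own code) of a small RBAC engine in Python: users hold one or many roles, permissions flow from roles, and a static separation-of-duties rule stops one user from holding two conflicting roles. Role, permission and user names are constructed for illustration.

```python
# Added example (not from the original notes): role-based access control with
# a static separation-of-duties (SoD) rule enforced at assignment time.
class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> set of permissions
        self.user_roles = {}    # user -> set of roles (one or many)
        self.exclusive = set()  # frozenset({role_a, role_b}) pairs that conflict

    def define_role(self, role, *perms):
        self.role_perms[role] = set(perms)

    def separate_duties(self, role_a, role_b):
        # Static SoD: no single user may ever hold both roles.
        self.exclusive.add(frozenset({role_a, role_b}))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in self.exclusive:
                raise PermissionError(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def revoke(self, user, role):
        # Personnel turnover: drop the role, the permissions go with it.
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, perm):
        # Permission is granted if any role the user holds grants it.
        return any(perm in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def build_demo():
    # Constructed roles for an invoicing workflow.
    rbac = RBAC()
    rbac.define_role("clerk", "invoice:create")
    rbac.define_role("approver", "invoice:approve")
    rbac.define_role("auditor", "invoice:read", "log:read")
    rbac.separate_duties("clerk", "approver")  # creator must not self-approve
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "auditor")            # many roles per user is fine
    rbac.assign("bob", "approver")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.permitted("alice", "invoice:create"), r.permitted("alice", "invoice:approve"))
```
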
Access control matrix and ACL
Usually used in DAC
Password Policy
Forces users to use strong passwords
Does not let users choose their own passwords
Dictates to user:
Password length
Type of characters
Part of company security policies
Avoid overly complex passwords because people forget them.
Password Creation
You need to teach users how to construct a password
All passwords should be at least 12 characters long
Change password regularly
Do not allow reuse of passwords
Replacing letters with numbers is called munging. Example: Hell0
Protect your password
Memorize passwords, do not write them down
- Writing them down makes the concept of password disappear.
Use different passwords for different applications
Minimum password history should be at least 5 to 10 passwords.
Password policies are stored in Local Security Policy
Usernames and passwords
Most commonly used
Used on Web Apps and Portals
- Should be encrypted in storage
Should never be transmitted in clear text
Do not use simple password
Time of day restriction
Also called Temporal access control
Access is based on time of day.
These days, with so much ransomware around, you should do backups as often as possible.
Account expiration
Great for temporary workers, for example interns or contractors.
Ensure there are no dormant accounts
Eases system administration
Logical Tokens
Two categories:
Synchronous (clock is involved)
Asynchronous (series of steps)
Better than static passwords
You must educate workers on how to use them
A token is kind of like an ID card.
You should know about: Seed, Salt, IV, Nonce (could be in exam)
A salt is added to a password to make it harder to identify your password hash. The same password produces different hashes because of the salt.
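An added example (not the notes' own code) showing the effect of a salt in Python: an unsalted SHA-256 of the same password is identical for every user, while a per-user random salt with PBKDF2 gives each user a different stored record that still verifies. The storage format and iteration count are assumptions for this example.

```python
# Added example (not from the original notes): why a per-user salt matters.
# Two users with the password "Hell0" get different stored records, so one
# precomputed hash of "Hell0" no longer matches every account that uses it.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, raise it in production


def unsalted_hash(password: str) -> str:
    # The weak approach: identical passwords always give identical hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    # Fresh random 16-byte salt per password; the salt is stored with the hash
    # (it is not secret, it only has to be unique per record).
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Assumed storage format: algorithm$iterations$salt_hex$hash_hex
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    alice = hash_password("Hell0")
    bob = hash_password("Hell0")
    print("unsalted equal:", unsalted_hash("Hell0") == unsalted_hash("Hell0"))
    print("salted equal:  ", alice == bob)
    print("verify:", verify_password("Hell0", alice), verify_password("hello", alice))
```
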
Single Sign-On (SSO)
Authenticate only once and get access to all resources
Advantages:
Requires fewer passwords
Authenticate once and not many times
Expires after some time
Disadvantages:
One key for all places
Interoperability issues
Requires significant Planning and Analysis
Lightweight Directory Access Protocol (LDAP)
It’s a directory publishing service
Parent protocol is X.500
Stores attribute-based data (kind of a database)
Data is generally read, not written
Uses port 389 for LDAP and 636 for Secure LDAP
Kerberos (SSO)
Built by MIT in the 1980s
Uses Symmetric Keys or Secret Keys
Key Distribution Centre (KDC) - it is unique to Kerberos
Authentication Server (AS)
Ticket Granting Service (TGS)
Principals
- Users, Services, Applications
Uses Ticket Granting Tickets (TGT) and tickets
- Tickets define what you have access to
If the exam talks about tickets, it is Kerberos. (mark this)
Remote Authentication Dial-In User Service (RADIUS)
It is open source
A client/server protocol
Shared Key between client and server
Authenticates dial-in or network users
Profiles are kept in a central database
Tracks usage for billing
Uses UDP
Terminal Access Controller Access-Control System (TACACS+)
Service from Cisco
TACACS+ is an industry standard under RFC (Request for Comments) 1492
More detailed logging than RADIUS
Uses TCP (was seen in exam, keep in mind)
TACACS+ improves security.
It uses LDAP in authentication phase.
Remember that RADIUS uses UDP and TACACS uses TCP.
Due care and Due Diligence (important concepts)
Due Diligence - Do Detect
Identifying risk
Based on best practices
For example: All computers must have antivirus.
Due Care = Do correct
Bringing the risk down to an acceptable level
Maintaining the risk at that level over time
For example: Updating virus database 10 times a day
Personal Identity Verification (PIV) Cards
CAC card is an example
Required for all US Government Employees
Used for secure access to computers and buildings
