top of page

CruSec’s 2019 CISSP Study Guide - Domain 5: Identity and Access Management

Domain 5: Identity and Access Management

5.1 Control physical and logical access to assets

  • IAAA Five elements:

  • Identification – claiming to be someone

  • Authentication – proving you are that person

  • Authorization – allows you to access resources

  • Auditing – records a log of what you do

  • Accounting – reviews log files to hold subjects accountable

  • Non-repudiation – prevents entities from denying they took an action. This is accomplished by auditing and digital signatures

5.2 Manage identification and authentication of people, devices and services

Authentication

  • 5 Types

  • Type 1 – something you know

  • Type 2 – something you have. Rokens, smart cards, ID badge, etc.

  • Microcards have a magnetic strip with info. They are easily copied

  • Smartcards utilize microprocessors and cryptographic certificates.. Often paired with a PIN

  • Type 3 – something you are

  • Type 4 – Somewhere you are (IP address/location)

  • Type 5 – Something you do – signature, pattern lock

  • Types of Biometric Authentication Errors:

  • Type 1 – when a valid subject is not authenticated. Also known as False Rejection Rate (FRR)

  • Type 2 – when an invalid subject is incorrectly authenticated. Also known as False

Acceptance Rate (FAR)

  • The point where these intersect is called the Crossover Error Rate (CER) and is used as a metric for evaluating biometric authentication solutions. This is discussed later in more detail

  • Any combination of these is 2FA or multifactor authentication

  • Types of passwords

  • Static – just a normal password. Most common and weakest type

  • Passphrases – long, static passwords combining multiple words

  • One-time passwords – Very secure but can be hard to implement across the board

  • Dynamic – tokens like FreeOTP and RSA

  • Cognitive – like recovery questions

Password Attacks

  • Passwords are located in SAM on Windows and etc/passwd in Linux

  • Dictionary attacks

  • Implement maximum attempts, lockout time, etc

  • Brute Force

  • Rainbow tables

  • Password guessing

  • Clipping levels are a subset of sampling, where alerts are created when behavior exceeds a certain threshold.

Type 2 Authentication

  • Synchronous Dynamic Token:

  • syncs with a central server and uses time to change values. Examples include RSA, Googe Authenticator, etc. Relies on timing or clock mechanisms

  • Asynchronous Dynamic Token

  • Not synced with a central sesrver. Relies on start and stop flags to manage data transmissions.

Type 3 Authentication

  • Steps:

  • Enrollment – initial registering of user with the biometric system, such as taking their fingerprints

  • Throughput – time required for users to actually authenticate, such as swiping a badge to get in each morning. Should not exceed 6-10 seconds

  • Fingerprints are very common. They measure ridge endings, bifurcations and other details of the finger, called minutiae. (Know that these terms are associated with fingerprinting)

  • The entire fingerprint isn’t normally detected. A scanner only needs to match a few points that match your enrollment print exactly to authenticate you.

  • Retina Scans look at the blood vessels in your eyes. This is the second most accurate biometric system but is rarely used because of health risks and invasion of privacy issues by revealing health information

  • Iris scan – looks at the colored portion of your eye. Works through contact lenses and glasses. Each person’s two irises are unique, even among twins. This is the most accurate biometric authentication factor.

  • The primary benefit of iris scanning is in the fact that irises do not change as often as other biometric factors

  • Hand Geometry/Palm Scans - require a second form of authentication. They aren’t

reliable and can’t even determine if a person is alive

  • Keyboard dynamics – rhythm of keypresses, how hard someone presses each key, speed of typing. Cheap to implement, somewhat effective.

  • Signature Dynamics – same thing, just a physical signature

  • Voiceprint – not secure, vulnerable to recordings, voices may change due to illness and other factors.

  • Facial Scans – like iPhone face-unlock feature.

  • All biometric factors can give incorrect results and are subject to:

  • False Negatives – “False Rejection Rate (FRR)” Type 1 Error. Incorrectly rejects someone

  • False Positive – “False Acceptance Rate (FAR)” Type 2 Error. Incorrectly allows access

  • You must increase sensitivity until you reach an acceptable Crossover Error Rate (CER), which is where FAR and FRR intersect. Lower is better, so use this as a metric when comparing vendor products

  • Reasons against biometrics:

  • Many people feel it is intrusive and has health concerns

  • Time for enrollment and verification can be excessive

  • No way to revoke biometrics

5.3 Integrate identity as a third-party service

Identity Management

  • Centralized Access Control – uses one logical point for access, like a domain controller. Can provide SSO and AAA services (Authentication, Authorization and Accountability).

  • SSO is more convenient because a user only has to authenticate once. Examples include Kerberos and Sesame (EU version of Kerberos). A Federation refers to two or more companies that share IAM systems for SSO.

  • A Federated Identity is an identity that can be used across those different services

  • Finding a common language is often a challenge with federations.

  • SAML – security assertion markup language is commonly used to exchange authentication and authorization info between federated organizations. Used to provide SSO capabilities for browser access.

  • OpenID is similar to SSO, but is an open standard for user authentication by third parties.

  • Oauth is an open standard for authorization (not authentication) to third parties. Ex: if you have a LinkedIn account, the system might ask you to let it have access to your Google contacts

  • OAuth2 combines authentication and authorization and is quickly removing the need for OpenID.

5.4 Implement and manage authorization mechanisms

  • LDAP is used by client devices to access a directory service. Uses TCP or UDP 389 (plaintext) or encryped with TLS over TCP/UDP 636

  • Kerberos uses a Key Distribution Center. It works like so:

  • A principal (user or network service) attempts to authenticate with an authentication server (AS)

  • The server grant a Ticket Granting Ticket (TGT)

  • The principal uses the TGT to obtain a Service Ticket to gain access to a network service

  • Analogy: When going to the fair, you pay money to get a ticket INTO the fair. Once inside the fair, you usually have to purchase tickets to get onto rides.

  • Provides confidentiality and integrity.

  • Sesame slightly improves on Kerberos by not storing symmetric keys in plaintext, which Kerberos does. It uses public-key encryption

  • Decentralized Access Control – no centralized point for access

Access Control Models

  • Mandatory Access Control (MAC) – subjects have clearance, objects have labels. Mostly used for military. Expensive and difficult to implement. Uses a lattice.

  • Discretionary Access Control (DAC) – Windows and Linux use this. Owners have full control over assets and can share as they wish.

  • Role-Based Access Control (RBAC) – subjects have roles, and permissions are assigned to those roles, not subjects individually.

  • Abstraction is the grouping of similar elements into groups/classes/roles. They are assigned security controls/restrictions/permissions. It is used to define what types of data an object can contain and what can be performed on or by that object. It just adds efficiency to carrying out a security plan.

  • Scales better than DAC and fights authorization creep where subjects slowly accumulate permissions over a long period of time

  • Rule-Based Access Control (Not RBAC) – rules indicate what can and cannot transpire between subjects and objects.

  • Ex: ”If a user has proper clearance, AND it’s between 9am-5pm, then allow access”

  • Contact Dependent Access Controls – access is determined by the type and content of the data

  • Attribute-Based Access Control – used by software defined networks (SDN)

  • Ex: non-HR subjects can’t see documents with social security numbers

  • Context Dependent Access Controls – systems review a situation and makes a decision for access

  • Constrained User Interfaces restrict user access by not allowing them to see certain data or have certain functionality

Access Control Administration

  • RADIUS is a server and a protocol (UDP 1812 and 1813) Used as a central location for authentication. Network resources and services, such as WAPs and VPNs can all sync to the Radius server. This prevents the need to configure LDAP for everything.

  • Radius is supported by many vendors, but only encrypts passwords

  • Radius is being replaced by Diameter, which improves on many of its weaknesses. It is NOT compatible with Radius. It is particularly popular with mobile IP systems such as smartphones.

  • TACAS and TACAS+ are Cisco spinoffs of RADIUS. They use UDP and, sometimes, TCP 49

  • TACAS+ allows for 2FA and encrypts all data, not just passwords like RADIUS. It is not backwards compatible with TACAS

Extensible Authentication Protocol

  • Key point to remember here is whether or not each of these support or require certificates

  • LEAP – cisco proprietary. Has many security flaws

  • EAP-FAST – secure replacement for LEAP. Supports certs, but they are optional. Otherwise uses a pre-shared password

  • EAP-TLS – is a more secure version of EAP that requires certificates on both the server and each client, meaning you’ll never see this implemented at places with public wifi. It utilizes PKI, and is complex and costly for that reason

  • EAP-TTLS – Tunneled TLS. Requires a certificate on the server, but not the clients

  • PEAP – similar to EAP-TTLS in that it doesn’t require client-side certificates.

5.5 Manage the identity and access provisioning lifecycles

Featured Posts
Recent Posts
Archive
bottom of page