Domain 5: Identity and Access Management
5.1 Control physical and logical access to assets
IAAA – the five elements:
Identification – claiming to be someone
Authentication – proving you are that person
Authorization – allows you to access resources
Auditing – records a log of what you do
Accounting – reviews log files to hold subjects accountable
5.2 Manage identification and authentication of people, devices and services
Type 2 Authentication
Type 3 Authentication
Enrollment – initial registering of user with the biometric system, such as taking their fingerprints
Throughput – time required for users to actually authenticate, such as swiping a badge to get in each morning. Should not exceed 6-10 seconds
Fingerprints are very common. They measure ridge endings, bifurcations and other details of the finger, called minutiae. (Know that these terms are associated with fingerprinting)
Retina Scans look at the blood vessels in your eyes. This is the second most accurate biometric system but is rarely used because of health risks and invasion of privacy issues by revealing health information
Iris scan – looks at the colored portion of your eye. Works through contact lenses and glasses. Each person’s two irises are unique, even among twins. This is the most accurate biometric authentication factor.
Hand Geometry/Palm Scans – require a second form of authentication. They aren’t reliable and can’t even determine if a person is alive
Keyboard dynamics – rhythm of keypresses, how hard someone presses each key, speed of typing. Cheap to implement, somewhat effective.
Signature Dynamics – same thing, just a physical signature
Voiceprint – not secure, vulnerable to recordings, voices may change due to illness and other factors.
Facial Scans – like iPhone face-unlock feature.
All biometric factors can give incorrect results and are subject to:
Reasons against biometrics:
Many people feel it is intrusive and has health concerns
Time for enrollment and verification can be excessive
No way to revoke biometrics
5.3 Integrate identity as a third-party service
5.4 Implement and manage authorization mechanisms
Access Control Models
Mandatory Access Control (MAC) – subjects have clearance, objects have labels. Mostly used for military. Expensive and difficult to implement. Uses a lattice.
Discretionary Access Control (DAC) – Windows and Linux use this. Owners have full control over assets and can share as they wish.
Role-Based Access Control (RBAC) – subjects have roles, and permissions are assigned to those roles, not subjects individually.
Abstraction is the grouping of similar elements into groups/classes/roles. They are assigned security controls/restrictions/permissions. It is used to define what types of data an object can contain and what can be performed on or by that object. It just adds efficiency to carrying out a security plan.
Scales better than DAC and fights authorization creep where subjects slowly accumulate permissions over a long period of time
Rule-Based Access Control (Not RBAC) – rules indicate what can and cannot transpire between subjects and objects.
Content Dependent Access Controls – access is determined by the type and content of the data
Attribute-Based Access Control – used by software defined networks (SDN)
Context Dependent Access Controls – systems review a situation and make a decision for access
Constrained User Interfaces restrict user access by not allowing them to see certain data or have certain functionality
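The decision rules of MAC, DAC and RBAC from the list above, written out as a small Python module. This is an added example, not code from the study notes; the levels, categories, users, roles and permissions are constructed. It also shows why RBAC scales better than DAC for offboarding (one role mapping to change versus one ACL per object) and includes a simple authorization-creep report that lists roles a user still holds beyond those their current job requires.

```python
"""Toy decision functions for three access-control models (constructed example)."""
from dataclasses import dataclass

# ---- MAC: clearances and labels compared on a lattice ----------------------
# Constructed level ordering; categories are need-to-know compartments.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str             # hierarchical sensitivity level
    categories: frozenset  # compartments the subject/object is marked with


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's AND it holds every category of b."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def mac_can_read(clearance: Label, obj: Label) -> bool:
    # A subject may read an object whose label its clearance dominates.
    return dominates(clearance, obj)


# ---- DAC: the owner of each object decides who gets what --------------------
class DacObject:
    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}  # owner has full control

    def share(self, granter: str, grantee: str, perms: set) -> bool:
        """Only a subject holding 'share' on this object may extend its ACL."""
        if "share" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(grantee, set()).update(perms)
        return True


def dac_can(obj: DacObject, subject: str, action: str) -> bool:
    return action in obj.acl.get(subject, set())


def dac_revoke_everywhere(objects: list, subject: str) -> int:
    """Offboarding under DAC means visiting every object's ACL; returns ACLs touched."""
    touched = 0
    for obj in objects:
        if subject in obj.acl and subject != obj.owner:
            del obj.acl[subject]
            touched += 1
    return touched


# ---- RBAC: permissions attach to roles, users attach to roles ---------------
ROLE_PERMS = {  # constructed role definitions
    "helpdesk": {"ticket:read", "ticket:update"},
    "dba": {"db:read", "db:write", "db:backup"},
    "auditor": {"log:read"},
}


def rbac_can(user_roles: dict, user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(r, set()) for r in user_roles.get(user, set()))


def effective_perms(user_roles: dict, user: str) -> set:
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def creep_report(user_roles: dict, job_roles: dict) -> dict:
    """Authorization creep: roles each user still holds beyond their job's current roles."""
    report = {}
    for user, roles in user_roles.items():
        extra = roles - job_roles.get(user, set())
        if extra:
            report[user] = extra
    return report


if __name__ == "__main__":
    doc = DacObject("report.docx", "alice")
    doc.share("alice", "bob", {"read"})
    print("DAC bob read:", dac_can(doc, "bob", "read"))
    roles = {"bob": {"helpdesk", "dba"}}
    print("RBAC bob db:backup:", rbac_can(roles, "bob", "db:backup"))
    print("creep:", creep_report(roles, {"bob": {"dba"}}))
```

Under RBAC, revoking Bob's helpdesk access is one change to the user-to-role mapping; under DAC it is a walk over every object he was ever granted, which is where orphaned entries and authorization creep come from.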
Access Control Administration
RADIUS is a server and a protocol (UDP 1812 and 1813) used as a central location for authentication. Network resources and services, such as WAPs and VPNs, can all sync to the RADIUS server. This prevents the need to configure LDAP for everything.
RADIUS is supported by many vendors, but only encrypts passwords
RADIUS is being replaced by Diameter, which improves on many of its weaknesses. It is NOT compatible with RADIUS. It is particularly popular with mobile IP systems such as smartphones.
TACACS and TACACS+ are Cisco spinoffs of RADIUS. They use UDP and, sometimes, TCP 49
Extensible Authentication Protocol
Key point to remember here is whether or not each of these support or require certificates
LEAP – Cisco proprietary. Has many security flaws
EAP-FAST – secure replacement for LEAP. Supports certs, but they are optional. Otherwise uses a pre-shared password
EAP-TLS – is a more secure version of EAP that requires certificates on both the server and each client, meaning you’ll never see this implemented at places with public wifi. It utilizes PKI, and is complex and costly for that reason
EAP-TTLS – Tunneled TLS. Requires a certificate on the server, but not the clients
PEAP – similar to EAP-TTLS in that it doesn’t require client-side certificates.
5.5 Manage the identity and access provisioning lifecycles