CruSec’s 2019 CISSP Study Guide - Domain 5: Identity and Access Management
Domain 5: Identity and Access Management
5.1 Control physical and logical access to assets
IAAA Five elements:
Identification – claiming to be someone
Authentication – proving you are that person
Authorization – allows you to access resources
Auditing – records a log of what you do
Accounting – reviews log files to hold subjects accountable
Non-repudiation – prevents entities from denying they took an action. This is accomplished by auditing and digital signatures
5.2 Manage identification and authentication of people, devices and services
Type 1 – something you know
Type 2 – something you have. Tokens, smart cards, ID badge, etc.
Microcards have a magnetic strip with info. They are easily copied
Smartcards utilize microprocessors and cryptographic certificates. Often paired with a PIN
Type 3 – something you are
Type 4 – Somewhere you are (IP address/location)
Type 5 – Something you do – signature, pattern lock
Types of Biometric Authentication Errors:
Type 1 – when a valid subject is not authenticated. Also known as False Rejection Rate (FRR)
Type 2 – when an invalid subject is incorrectly authenticated. Also known as False Acceptance Rate (FAR)
The point where these intersect is called the Crossover Error Rate (CER) and is used as a metric for evaluating biometric authentication solutions. This is discussed later in more detail
Any combination of these is 2FA or multifactor authentication
Types of passwords
Static – just a normal password. Most common and weakest type
Passphrases – long, static passwords combining multiple words
One-time passwords – Very secure but can be hard to implement across the board
Dynamic – tokens like FreeOTP and RSA
Cognitive – like recovery questions
Passwords are located in the SAM on Windows and /etc/passwd in Linux
Implement maximum attempts, lockout time, etc
Clipping levels are a subset of sampling, where alerts are created when behavior exceeds a certain threshold.
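Clipping levels in practice, as an added example that is not part of the study guide: a small detector that counts failed logins per user inside a sliding window over constructed sample log lines and alerts only once the count exceeds the clipping level (the format of the lines, the level of 3 and the 5-minute window are assumptions chosen for the demo).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2019-03-01T08:00:01 sshd: Failed password for alice from 10.0.0.5
2019-03-01T08:00:10 sshd: Failed password for bob from 10.0.0.9
2019-03-01T08:00:30 sshd: Failed password for alice from 10.0.0.5
2019-03-01T08:00:45 sshd: Accepted password for bob from 10.0.0.9
2019-03-01T08:01:10 sshd: Failed password for alice from 10.0.0.5
2019-03-01T08:01:50 sshd: Failed password for alice from 10.0.0.5
2019-03-01T08:20:00 sshd: Failed password for bob from 10.0.0.9
2019-03-01T08:21:00 sshd: Failed password for bob from 10.0.0.9
"""

FAILED = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(log_text):
    """Return (timestamp, user) for every failed-login line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def clipping_alerts(log_text, level=3, window=timedelta(minutes=5)):
    """Alert when one user's failures inside the sliding window exceed `level`.
    Failures at or below the clipping level are treated as normal noise."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerts = []
    for ts, user in sorted(parse_failures(log_text)):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > level:
            alerts.append((user, ts))
            q.clear()                      # one burst produces one alert
    return alerts


if __name__ == "__main__":
    for user, ts in clipping_alerts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {user} exceeded clipping level")
```

Bob's three failures are spread across more than one window, so he never crosses the level, while Alice's four failures within two minutes do.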
Type 2 Authentication
Synchronous Dynamic Token:
syncs with a central server and uses time to change values. Examples include RSA, Google Authenticator, etc. Relies on timing or clock mechanisms
Asynchronous Dynamic Token
Not synced with a central server. Relies on start and stop flags to manage data transmissions.
Type 3 Authentication
Enrollment – initial registering of user with the biometric system, such as taking their fingerprints
Throughput – time required for users to actually authenticate, such as swiping a badge to get in each morning. Should not exceed 6-10 seconds
Fingerprints are very common. They measure ridge endings, bifurcations and other details of the finger, called minutiae. (Know that these terms are associated with fingerprinting)
The entire fingerprint isn’t normally detected. A scanner only needs to match a few points that match your enrollment print exactly to authenticate you.
Retina Scans look at the blood vessels in your eyes. This is the second most accurate biometric system but is rarely used because of health risks and invasion of privacy issues by revealing health information
Iris scan – looks at the colored portion of your eye. Works through contact lenses and glasses. Each person’s two irises are unique, even among twins. This is the most accurate biometric authentication factor.
The primary benefit of iris scanning is in the fact that irises do not change as often as other biometric factors
Hand Geometry/Palm Scans - require a second form of authentication. They aren’t reliable and can’t even determine if a person is alive
Keyboard dynamics – rhythm of keypresses, how hard someone presses each key, speed of typing. Cheap to implement, somewhat effective.
Signature Dynamics – same thing, just a physical signature
Voiceprint – not secure, vulnerable to recordings, voices may change due to illness and other factors.
Facial Scans – like iPhone face-unlock feature.
All biometric factors can give incorrect results and are subject to:
False Negatives – “False Rejection Rate (FRR)” Type 1 Error. Incorrectly rejects someone
False Positive – “False Acceptance Rate (FAR)” Type 2 Error. Incorrectly allows access
You must increase sensitivity until you reach an acceptable Crossover Error Rate (CER), which is where FAR and FRR intersect. Lower is better, so use this as a metric when comparing vendor products
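FAR, FRR and the Crossover Error Rate computed from data, as an added example that is not part of the study guide: the matcher scores below are constructed (two small populations, genuine users and impostors), every observed score is tried as the acceptance threshold, and the CER is read off where the two error rates meet. Raising the threshold lowers FAR but raises FRR, which is exactly the trade-off the text describes.

```python
from typing import List, Tuple

# Constructed matcher scores (0 = no match, 1 = perfect match).
# GENUINE: enrolled users logging in. IMPOSTOR: other people's attempts.
GENUINE = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.50, 0.45, 0.30]
IMPOSTOR = [0.05, 0.10, 0.15, 0.20, 0.25, 0.35, 0.40, 0.55, 0.60, 0.70]


def far_frr(genuine: List[float], impostor: List[float],
            threshold: float) -> Tuple[float, float]:
    """A score at or above `threshold` is accepted.
    FAR (Type 2 error) = fraction of impostors accepted.
    FRR (Type 1 error) = fraction of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def error_curve(genuine: List[float], impostor: List[float]):
    """(threshold, FAR, FRR) for every candidate threshold, lowest first."""
    return [(t, *far_frr(genuine, impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


def crossover_error_rate(genuine: List[float],
                         impostor: List[float]) -> Tuple[float, float]:
    """Return (threshold, CER): the threshold where FAR and FRR are closest
    to equal, and the error rate there. Lower CER means a better product."""
    best = None
    for t, far, frr in error_curve(genuine, impostor):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, far, frr in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("CER at threshold %.2f = %.2f" % crossover_error_rate(GENUINE, IMPOSTOR))
```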
Reasons against biometrics:
Many people feel it is intrusive and has health concerns
Time for enrollment and verification can be excessive
No way to revoke biometrics
5.3 Integrate identity as a third-party service
Centralized Access Control – uses one logical point for access, like a domain controller. Can provide SSO and AAA services (Authentication, Authorization and Accountability).
SSO is more convenient because a user only has to authenticate once. Examples include Kerberos and Sesame (EU version of Kerberos). A Federation refers to two or more companies that share IAM systems for SSO.
A Federated Identity is an identity that can be used across those different services
Finding a common language is often a challenge with federations.
SAML – security assertion markup language is commonly used to exchange authentication and authorization info between federated organizations. Used to provide SSO capabilities for browser access.
OpenID is similar to SSO, but is an open standard for user authentication by third parties.
OAuth is an open standard for authorization (not authentication) to third parties. Ex: if you have a LinkedIn account, the system might ask you to let it have access to your Google contacts
OAuth2 combines authentication and authorization and is quickly removing the need for OpenID.
5.4 Implement and manage authorization mechanisms
LDAP is used by client devices to access a directory service. Uses TCP or UDP 389 (plaintext) or encrypted with TLS over TCP/UDP 636
Kerberos uses a Key Distribution Center. It works like so:
A principal (user or network service) attempts to authenticate with an authentication server (AS)
The server grants a Ticket Granting Ticket (TGT)
The principal uses the TGT to obtain a Service Ticket to gain access to a network service
Analogy: When going to the fair, you pay money to get a ticket INTO the fair. Once inside the fair, you usually have to purchase tickets to get onto rides.
Provides confidentiality and integrity.
Sesame slightly improves on Kerberos by not storing symmetric keys in plaintext, which Kerberos does. It uses public-key encryption
Decentralized Access Control – no centralized point for access
Access Control Models
Mandatory Access Control (MAC) – subjects have clearance, objects have labels. Mostly used for military. Expensive and difficult to implement. Uses a lattice.
Discretionary Access Control (DAC) – Windows and Linux use this. Owners have full control over assets and can share as they wish.
Role-Based Access Control (RBAC) – subjects have roles, and permissions are assigned to those roles, not subjects individually.
Abstraction is the grouping of similar elements into groups/classes/roles. They are assigned security controls/restrictions/permissions. It is used to define what types of data an object can contain and what can be performed on or by that object. It just adds efficiency to carrying out a security plan.
Scales better than DAC and fights authorization creep where subjects slowly accumulate permissions over a long period of time
Rule-Based Access Control (Not RBAC) – rules indicate what can and cannot transpire between subjects and objects.
Ex: ”If a user has proper clearance, AND it’s between 9am-5pm, then allow access”
Content Dependent Access Controls – access is determined by the type and content of the data
Attribute-Based Access Control – used by software defined networks (SDN)
Ex: non-HR subjects can’t see documents with social security numbers
Context Dependent Access Controls – systems review a situation and makes a decision for access
Constrained User Interfaces restrict user access by not allowing them to see certain data or have certain functionality
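The models above side by side, as an added example that is not from the study guide: a tiny deny-by-default policy engine in which MAC compares clearance against label on a lattice, RBAC takes permissions from roles only, a rule enforces the 9am-5pm window from the text, and the attribute check keeps non-HR subjects away from documents with social security numbers. The level names, roles and documents are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import time
from typing import Set

# Constructed lattice and role table; real deployments pull these from policy.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "hr": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: Set[str]


@dataclass
class Document:
    name: str
    label: str
    contains_ssn: bool = False


def mac_allows(subject: Subject, doc: Document) -> bool:
    """MAC: the subject's clearance must dominate the object's label on the lattice."""
    return LEVELS[subject.clearance] >= LEVELS[doc.label]


def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: permissions belong to roles, never to the subject directly."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def rule_allows(now: time) -> bool:
    """Rule-based: access only between 9am and 5pm."""
    return time(9, 0) <= now < time(17, 0)


def attribute_allows(subject: Subject, doc: Document) -> bool:
    """Attribute/content-dependent: documents with SSNs are visible to HR only."""
    return not doc.contains_ssn or "hr" in subject.roles


def decide(subject: Subject, doc: Document, action: str, now: time) -> bool:
    """Deny unless every model agrees (deny by default)."""
    return (mac_allows(subject, doc) and rbac_allows(subject, action)
            and rule_allows(now) and attribute_allows(subject, doc))
```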
Access Control Administration
RADIUS is a server and a protocol (UDP 1812 and 1813). Used as a central location for authentication. Network resources and services, such as WAPs and VPNs, can all sync to the RADIUS server. This prevents the need to configure LDAP for everything.
RADIUS is supported by many vendors, but only encrypts passwords
RADIUS is being replaced by Diameter, which improves on many of its weaknesses. It is NOT compatible with RADIUS. It is particularly popular with mobile IP systems such as smartphones.
TACACS and TACACS+ are Cisco spinoffs of RADIUS. They use UDP and, sometimes, TCP 49
TACACS+ allows for 2FA and encrypts all data, not just passwords like RADIUS. It is not backwards compatible with TACACS
Extensible Authentication Protocol
Key point to remember here is whether or not each of these support or require certificates
LEAP – Cisco proprietary. Has many security flaws
EAP-FAST – secure replacement for LEAP. Supports certs, but they are optional. Otherwise uses a pre-shared password
EAP-TLS – is a more secure version of EAP that requires certificates on both the server and each client, meaning you’ll never see this implemented at places with public wifi. It utilizes PKI, and is complex and costly for that reason
EAP-TTLS – Tunneled TLS. Requires a certificate on the server, but not the clients
PEAP – similar to EAP-TTLS in that it doesn’t require client-side certificates.
5.5 Manage the identity and access provisioning lifecycles