Domain 5 - Identity and Access Management

Outline
1. Control physical and logical access to assets
a. Information
b. Systems
c. Devices
d. Facilities
2. Manage identification and authentication of people and
devices
a. Identity management implementation (e.g., SSO, LDAP)
b. Single/multi-factor authentication (e.g., factors, strength, errors)
c. Accountability
d. Session management (e.g., timeouts, screensavers)
e. Registration and proofing of identity
f. Federated identity management (e.g., SAML)
g. Credential management systems
3. Integrate identity as a service (e.g., cloud identity)
4. Integrate third-party identity services (e.g., on-premise)

Outline
5. Implement and manage authorization mechanisms
a. Role-Based Access Control (RBAC) methods
b. Rule-based access control methods
c. Mandatory Access Control (MAC)
d. Discretionary Access Control (DAC)
6. Prevent or mitigate access control attacks
7. Manage the identity and access provisioning lifecycle
(e.g., provisioning, review)

Control Physical and Logical Access to Assets
Controlling Access to Assets
An asset includes information, systems, devices, facilities, and personnel.
1. Information
a. An organization’s information includes all of its data. Data might be stored in simple files on servers,
computers, and smaller devices. It can also be stored on huge databases within a server farm. Access controls
attempt to prevent unauthorized access to the information.
2. Systems
a. An organization’s systems include any information technology (IT) systems which provide one or more
services. For example, a simple file server that stores user files is a system. Additionally, a web server working
with a database server to provide an e-commerce service is a system.
3. Devices
a. Devices include any computing system, including servers, desktop computers, portable laptop computers,
tablets, smart phones, and external devices such as printers. More and more organizations have adopted
bring your own device (BYOD) policies allowing employees to connect their personally owned device to an
organization’s network. Although the devices are the property of their owners, organizational data stored on
the devices is still an asset of the organization.
4. Facilities
a. An organization’s facilities include any physical location that it owns or rents. This could be individual rooms,
entire buildings, or entire complexes of several buildings. Physical security controls help protect facilities.
5. Personnel
a. Personnel working for an organization are also a valuable asset to an organization. One of the primary ways to
protect personnel is to ensure that adequate safety practices are in place to prevent injury or death.

Comparing Subjects and Objects
1. Subject
a. A subject is an active entity that accesses a passive object to receive
information from, or data about, an object. Subjects can be users,
programs, processes, computers, or anything else that can access a
resource. When authorized, subjects can modify objects.
2. Object
a. An object is a passive entity that provides information to active
subjects. Some examples of objects include files, databases,
computers, programs, processes, printers, and storage media.

Types of Access Control
Access control includes the following overall steps:
a. Identify and authenticate users or other subjects attempting to access resources.
b. Determine whether the access is authorized.
c. Grant or restrict access based on the subject’s identity.
d. Monitor and record access attempts.
1. A broad range of controls is involved in these steps.
2. The three primary control types are preventive, detective, and corrective.
3. Whenever possible you want to prevent any type of security problem or incident.
4. Of course, this isn’t always possible and unwanted events occur.
5. When they do, you want to detect the event as soon as possible.
6. If you detect an event, you want to correct it.
7. There are also four other access control types, commonly known as deterrent, recovery,
directive, and compensation access controls.

1. Preventive Access Control
a. A preventive control attempts to thwart or stop unwanted or unauthorized activity from
occurring. Examples of preventive access controls include fences, locks, biometrics, mantraps,
lighting, alarm systems, separation of duties policies, job rotation policies, data classification,
penetration testing, access control methods, encryption, auditing, the presence of security
cameras or closed circuit television (CCTV), smartcards, call back procedures, security
policies, security awareness training, antivirus software, firewalls, and intrusion prevention
systems.
2. Detective Access Control
a. A detective control attempts to discover or detect unwanted or unauthorized activity.
b. Detective controls operate after the fact and can discover the activity only after it has occurred.
c. Examples of detective access controls include security guards, motion detectors, recording and
reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory
vacation policies, audit trails, honey pots or honey nets, intrusion detection systems, violation
reports, supervision and reviews of users, and incident investigations.

3. Corrective Access Control
a. A corrective control modifies the environment to return systems to normal after an unwanted
or unauthorized activity has occurred.
b. Corrective controls attempt to correct any problems that occurred as a result of a security
incident.
c. Corrective controls can be simple, such as terminating malicious activity or rebooting a
system.
d. They also include antivirus solutions that can remove or quarantine a virus, backup and
restore plans to ensure that lost data can be restored, and active intrusion detection systems
that can modify the environment to stop an attack in progress..
4. Deterrent Access Control
a. A deterrent control attempts to discourage security policy violations.
b. Deterrent and preventive controls are similar, but deterrent controls often depend on
individuals deciding not to take an unwanted action.
c. In contrast, a preventive control actually blocks the action. Some examples include policies,
security awareness training, locks, fences, security badges, guards, mantraps, and security
cameras.

5. Recovery Access Control
a. A recovery control attempts to repair or restore resources, functions, and capabilities after a
security policy violation.
b. Recovery controls are an extension of corrective controls but have more advanced or complex
abilities.
c. Examples of recovery access controls include backups and restores, fault-tolerant drive
systems, system imaging, server clustering, antivirus software, and database or virtual machine
shadowing.
6. Directive Access Control
a. A directive control attempts to direct, confine, or control the actions of subjects to force or
encourage compliance with security policies.
b. Examples of directive access controls include security policy requirements or criteria, posted
notifications, escape route exit signs, monitoring, supervision, and procedures.

7. Compensation Access Control
a. A compensation control provides an alternative when it isn’t possible to use a primary control,
or when necessary to increase the effectiveness of a primary control.
b. As an example, a security policy might dictate the use of smartcards by all employees but it
takes a long time for new employees to get a smartcard.
c. The organization could issue hardware tokens to employees as a compensating control. These
tokens provide stronger authentication than just a username and password.
Access controls are also categorized by how they are implemented.
Controls can be implemented administratively, logically/technically, or physically.
Any of the access control types mentioned previously can include any of these
implementation types.

1. Administrative Access
a. Controls Administrative access controls are the policies and procedures defined by an organization’s security
policy and other regulations or requirements.
b. They are sometimes referred to as management controls.
c. These controls focus on personnel and business practices.
d. Examples of administrative access controls include policies, procedures, hiring practices, background checks,
classifying and labeling data, security awareness and training efforts, reports and reviews, personnel controls,
and testing.
2. Logical/Technical Controls
a. Logical access controls (also known as technical access controls ) are the hardware or software mechanisms
used to manage access and to provide protection for resources and systems.
b. As the name implies, they use technology.
c. Examples of logical or technical access controls include authentication methods (such as passwords,
smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls,
routers, intrusion detection systems, and clipping levels.
3. Physical Controls
a. Physical access controls are items you can physically touch.
b. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas
within a facility.
c. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows,
lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.

The CIA Triad
1. One of the primary reasons organizations implement access control mechanisms is to
prevent losses. There are three categories of IT loss: loss of confidentiality, loss of
availability, and loss of integrity . Protecting against these losses is so integral to IT
security that they are frequently referred to as the CIA Triad (or sometimes the AIC
Triad or Security Triad).
2. Confidentiality
a. Access controls help ensure that only authorized subjects can access objects. When
unauthorized entities are able to access systems or data, it results in a loss of confidentiality.
3. Integrity
a. Integrity ensures that data or system configurations are not modified without authorization,
or if unauthorized changes occur, security controls detect the changes. If unauthorized or
unwanted changes to objects occur, it results in a loss of integrity.
4. Availability
a. Authorized requests for objects must be granted to subjects within a reasonable amount of
time. In other words, systems and data should be available to users and other subjects when
they are needed. If the systems are not operational, or the data is not accessible, it results in a
loss of availability..

Manage Identification and Authentication of People and Devices
Comparing Identification and Authentication
1. Identification
a. is the process of a subject claiming, or professing, an identity.
b. A subject must provide an identity to a system to start the authentication,
authorization, and accountability processes.
c. Providing an identity might entail typing a username; swiping a smartcard;
waving a token device; speaking a phrase; or positioning your face, hand, or
finger in front of a camera or in proximity to a scanning device. A core
principle with authentication is that all subjects must have unique identities.
2. Authentication
a. verifies the identity of the subject by comparing one or more factors against a
database of valid identities, such as user accounts.
b. Authentication information used to verify identity is private information and
needs to be protected. As an example, passwords are rarely stored in clear text
within a database.
c. Instead, authentication systems store hashes of passwords within the
authentication database.
d. The ability of the subject and system to maintain the secrecy of the
authentication information for identities directly reflects the level of security
of that system.

Registration and Proofing of Identity
1. The registration process occurs when a user is first given an identity.
2. Registration is more complex with more secure authentication methods. For
example, if the organization uses fingerprinting as a biometric method for
authentication, registration includes capturing user fingerprint.
3. Identity proofing is a little different for users interacting with online sites, such as
an
4. online banking site.
5. When a user first tries to create an account, the bank will take extra steps to
validate the user’s identity.
6. This normally entails asking the user to provide information that is known to the
user and the bank such as account numbers and personal information about the
user such as a national identification number or Social Security Number.
7. During this initial registration process, the bank will also ask the user to provide
additional information, such as the user’s favourite colour, the middle name of
their oldest sibling, or the model of their first car.
8. Later, if the user needs to change their password or wants to transfer money, the
bank can challenge the user with these questions as a method of identity
proofing.

Authorization and Accountability
1. Two additional security elements in an access control
system are authorization and accountability.
a. Authorization
i. Subjects are granted access to objects based on proven identities.
For example, administrators grant users access to files based on
the user’s proven identity.
b. Accountability
i. Users and other subjects can be held accountable for their actions
when auditing is implemented. Auditing tracks subjects and
records when they access objects, creating an audit trail in one or
more audit logs. For example, auditing can record when a user
reads, modifies, or deletes a file. Auditing provides accountability.

1. Authorisation
a. Authorization indicates who is trusted to perform specific operations.
b. If the action is allowed, the subject is authorized; if disallowed, the subject is not
authorized.
c. Here’s a simple example: if a user attempts to open a file, the authorization
mechanism checks to ensure that the user has at least read permission on the file.
d. It’s important to realize that just because users or other entities can authenticate to
a system, that doesn’t mean they are given access to anything and everything.
e. Instead, subjects are authorized access to specific objects based on their proven
identity.
f. The process of authorization ensures that the requested activity or object access is
possible based on the privileges assigned to the subject.
g. Identification and authentication are “all-or-nothing” aspects of access control.
h. Either a user’s credentials prove a professed identity, or they don’t.
i. In contrast, authorization occupies a wide range of variations.
j. For example, a user may be able to read a file but not delete it or print a document
but not alter the print queue.

2. Accountability
a. Auditing, logging, and monitoring provide accountability by ensuring that
subjects can be held accountable for their actions.
b. Auditing is the process of tracking and recording subject activities within
logs.
c. Logs typically record who took an action, when and where the action was
taken, and what the action was.
d. One or more logs create an audit trail that researchers can use to reconstruct
events and identify security incidents.
e. When investigators review the contents of audit trails, they can provide
evidence to hold people accountable for their actions.
f. There’s a subtle but important point to stress about accountability.
g. Accountability relies on effective identification and authentication, but it
does not require effective authorization.
h. In other words, after identifying and authenticating users, accountability
mechanisms such as audit logs can track their activity, even when they try to
access resources that they aren’t authorized to access.

Authentication Factors
1. The three basic methods of authentication are also known as
types or factors. They are as follows:
a. Type 1 A
i. Type 1 authentication factor is something you know. Examples include
a password, personal identification number (PIN), or passphrase.
b. Type 2 A
i. Type 2 authentication factor is something you have. Physical devices
that a user possesses can help them provide authentication. Examples
include a smartcard, hardware token, smartcard, memory card , or
USB drive.
c. Type 3 A
i. Type 3 authentication factor is something you are or something you
do. It is a physical characteristic of a person identified with different
types of biometrics. Examples in the something-you-are category
include fingerprints, voice prints, retina patterns, iris patterns, face
shapes, palm topology, and hand geometry. Examples in the
something-you-do category include signature and keystroke
dynamics, also known as behavioural biometrics.

1. Passwords
a. The most common authentication technique is the use of a password
(a string of characters entered by a user) with Type 1 authentication
(something you know). Passwords are typically static. A static
password stays the same for a length of time such as 30 days, but
static passwords are the weakest form of authentication. Passwords
are weak security mechanisms for several reasons:
i. Users often choose passwords that are easy to remember and therefore easy to
guess or crack.
ii. Randomly generated passwords are hard to remember; thus, many users write
them down.
iii. Users often share their passwords, or forget them.
iv. Attackers detect passwords through many means, including observation,
sniffing networks, and stealing security databases.
v. Passwords are sometimes transmitted in clear text or with easily broken
encryption protocols. Attackers can capture these passwords with network
sniffers.
vi. Password databases are sometimes stored in publicly accessible online
locations.
vii. Brute-force attacks can quickly discover weak passwords.

2. Creating Strong Passwords
a. The following list includes some common password policy settings:
i. Maximum Age - This setting requires users to change their password periodically,
such as every 45 days.
ii. Password Complexity - The complexity of a password refers to how many character
types it includes. An eight-character password using uppercase characters,
lowercase characters, symbols, and numbers is much stronger than an eight-
character password using only numbers.
iii. Password Length - The length is the number of characters in the password. Shorter
passwords are easier to crack. As an example, password crackers can discover a
complex five character password in less than a second but it takes thousands of
years to crack a complex 12-character password. Many organizations require
privileged account passwords to be at least 15 characters long. This specifically
overcomes a weakness in how passwords are stored in some Windows systems.
iv. Password History - Many users get into the habit of rotating between two
passwords. A password history remembers a certain number of previous passwords
and prevents users from reusing a password in the history. This is often combined
with a minimum password age setting, preventing users from changing a password
repeatedly until they can set the password back to the original one. Minimum
password age is often set to one day.

3. Password Phrases
a. A password mechanism that is more effective than a basic password is a
passphrase . A passphrase is a string of characters similar to a password
but that has unique meaning to the user. Passphrases are often basic
sentences modified to simplify memorization. Using a passphrase has
several benefits. It is difficult to crack a passphrase using a brute-force
tool, and it encourages the use of a lengthy string with numerous
characters but it is still easy to remember.

4. Cognitive Passwords
a. Another password mechanism is the cognitive password .
b. A cognitive password is series of questions about facts or pre-defined
responses that only the subject should know.
c. Authentication systems often collect the answers to these questions
during the initial registration of the account, but they can be collected or
modified later.
d. Later, the system uses these questions for authentication.
e. If the user answers all the questions correctly, the system authenticates
the user.
f. The most effective cognitive password systems collect answers for several
questions, and ask a different set of questions each time they are used.
g. Cognitive passwords often assist with password management using self-
service password reset systems or assisted password reset systems.

Smartcards and Tokens
1. Smartcards
a. A smartcard is a credit card–sized ID or badge and has an integrated
circuit chip embedded in it.
b. Smartcards contain information about the authorized user that is used
for identification and/or authentication purposes.
c. Most current smartcards include a microprocessor and one or more
certificates.
d. The certificates are used for asymmetric cryptography such as encrypting
data or digitally signing email.
e. Smartcards are tamper resistant and provide users with an easy way to
carry and use complex encryption keys.
f. Users insert the card into a smartcard reader when authenticating.
g. It’s common to require users to also enter a PIN or password as a second
factor of authentication with the smartcard.

2. Tokens
a. A token, or hardware token , is a password-generating device that users
can carry with them.
b. Hardware tokens use dynamic one-time passwords, making them more
secure than static passwords. The two types of tokens are synchronous
dynamic password tokens and asynchronous dynamic password tokens .
i. Synchronous Dynamic Password Tokens
1. Hardware tokens that create synchronous dynamic passwords are time-based and
synchronized with an authentication server. They generate a new password
periodically, such as every 60 seconds. This does require the token and the server to
have accurate time. A common way this is used is by requiring the user to enter a
username, static password, and the dynamic one-time password into a web page.
ii. Asynchronous Dynamic Password Tokens
1. An asynchronous dynamic password does not use a clock. Instead, the hardware token
generates passwords based on an algorithm and an incrementing counter. When using
an incrementing counter, it creates a dynamic one-time password that stays the same
until used for authentication. Some tokens create a one-time password when the user
enters a PIN provided by the authentication server into the token.

3. Biometrics
a. Another common authentication and identification technique is the use
of biometrics .
b. Biometric factors fall into the Type 3, something-you-are, authentication
category.
c. Biometric characteristics are often defined as either physiological or
behavioural.
d. Physiological biometric methods include fingerprints, face scans, retina
scans, iris scans, palm scans (also known as palm topography or palm
geography), hand geometry, and voice patterns.
e. Behavioural biometric methods include signature dynamics and
keystroke patterns (keystroke dynamics). These are sometimes referred
to as something-you-do authentication.

3. Biometrics
a. Fingerprints
i. Fingerprints are the visible patterns on the fingers and thumbs of people.
ii. They are unique to an individual and have been used for decades in physical security for
identification. Fingerprint readers are now commonly used on laptop computers and USB fl ash
drives as a method of identification and authentication.
b. Face Scans
i. Face scans use the geometric patterns of faces for detection and recognition.
ii. Face scans are used to identify and authenticate people before accessing secure spaces such as a
secure vault.
c. Retina Scans
i. Retina scans focus on the pattern of blood vessels at the back of the eye.
ii. They are the most accurate form of biometric authentication and are able to differentiate between
identical twins. However, they are the least acceptable biometric scanning method because retina
scans can reveal medical conditions, such as high blood pressure and pregnancy.
d. Iris Scans
i. Focusing on the coloured area around the pupil, iris scans are the second most accurate form of
biometric authentication.
ii. Iris scans are often recognized as having a longer useful authentication life span than other
biometric factors because the iris remains relatively unchanged throughout a person’s life (barring
eye damage or illness).

3. Biometrics
e. Palm Scans
i. Palm scans , sometimes called palm topography or palm geography, scan the palm of the hand for
identification.
ii. They use near-infrared light to measure vein patterns in the palm, which are as unique as
fingerprints. Individuals don’t need to touch the scanner but instead place their palm over a
scanner. Some palm scanners include the fingers and measure the layout of ridges, creases, and
grooves, as a full hand scan.
f. Hand Geometry
i. Hand geometry recognizes the physical dimensions of the hand.
ii. This includes the width and length of the palm and fingers. It captures a silhouette of the hand,
but not the details of fingerprints or vein patterns. Hand geometry is rarely used by itself since it is
difficult to uniquely identify an individual using this method.
g. Heart/Pulse Patterns
i. Measuring the user’s pulse or heartbeat ensures that a real person is providing the biometric factor.
ii. It is often employed as a secondary biometric to support another type of authentication. Some
researchers theorize that heartbeats are unique between individuals and claim it is possible to use
electrocardiography for authentication. However, a reliable method has not been created or fully
tested.

3. Biometrics
h. Voice Pattern Recognition
i. This type of biometric authentication relies on the characteristics of a person’s speaking voice,
known as a voiceprint. The user speaks a specific phrase, which is recorded by the authentication
system.
ii. To authenticate, they repeat the same phrase and it is compared to the original. Voice pattern
recognition is sometimes used as an additional authentication mechanism but is rarely used by
itself.
i. Signature Dynamics
i. This recognizes how a subject writes a string of characters. Signature dynamics examine both how
a subject performs the act of writing as well as features in a written sample.
ii. The success of signature dynamics relies on pen pressure, stroke pattern, stroke length, and the
points in time when the pen is lifted from the writing surface. The speed at which the written
sample is created is usually not an important factor.
j. Keystroke Patterns
i. Keystroke patterns (also known as keystroke dynamics) measure how a subject uses a keyboard by
analyzing flight time and dwell time. Flight time is how long it takes between key presses, and
dwell time is how long a key is pressed. Using keystroke patterns is inexpensive, nonintrusive, and
often transparent to the user (for both use and enrolment). Unfortunately, keystroke patterns are
subject to wild variances.
ii. Simple changes in user behaviour greatly affect this biometric factor, such as using only one hand,
being cold, standing rather than sitting, changing keyboards, or sustaining an injury to the hand or
a finger.

4. Biometric Factor Error Ratings
a. Biometric devices are rated for performance by examining the different types of
errors they produce.
b. Type 1 Error
i. A Type 1 error occurs when a valid subject is not authenticated. This is also known as a false
negative authentication. For example, if Dawn uses her fingerprint to authenticate herself but the
system incorrectly rejects her, it is a false negative. The ratio of Type 1 errors to valid
authentications is known as the false rejection rate (FRR).
c. Type 2 Error
i. A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive
authentication. For example, if hacker Joe doesn’t have an account but he uses his fingerprint to
authenticate and the system recognizes him, it is a false positive. The ratio of Type 2 errors to valid
authentications is called the false acceptance rate (FAR).
d. You can compare the overall quality of biometric devices with the crossover error
rate (CER), also known as the equal error rate (ERR).
e. Devices with lower CERs are more accurate than devices with higher CERs.

5. Biometric Registration
a. Biometric devices can be ineffective or unacceptable due to factors
known as enrolment time, throughput rate, and acceptance.
b. For a biometric device to work as an identification or
authentication mechanism, a process called enrolment (t or
registration) must take place.
c. During enrolment, a subject’s biometric factor is sampled and
stored in the device’s database. This stored sample of a biometric
factor is the reference profile (also known as a reference template).
d. The throughput rate is the amount of time the system requires to
scan a subject and approve or deny access. The more complex or
detailed a biometric characteristic, the longer processing takes.
Subjects typically accept a throughput rate of about 6 seconds or
faster.

Multifactor Authentication
1. Multifactor authentication is any authentication using
two or more factors.
2. Two-factor authentication requires two different factors
to provide authentication.
3. For example, when using a debit card at the grocery store,
you must usually swipe the card (something you have)
and enter a PIN (something you know) to complete the
transaction.
4. Similarly, smartcards typically require users to insert their
card into a reader and also enter a PIN.
5. As a general rule, using more types or factors results in
more secure authentication.

Device Authentication
1. Today, more and more employees are bringing their own devices to
work and hooking them up to the network.
2. Some organizations embrace this, but implement BYOD security
policies as a measure of control.
3. These devices aren’t necessarily able to join a domain, but it is
possible to implement device identification and authentication
methods for these devices.
4. When the user logs on from the device, the authentication system
checks the user account for a registered device.
5. It then verifies the characteristics of the user’s device withthe
registered device.
6. Even though some of these characteristics change over time, this has
proven to be a successful device authentication method.
7. Organizations typically use third party tools, such as the SecureAuth
Identity Provider (IdP), for device authentication.

Implementing Identity Management
1. Identity management techniques generally fall into one of two
categories: centralized and decentralized/distributed.
a. Centralized access control implies that all authorization verification is
performed by a single entity within a system.
b. Decentralized access control (also known as distributed access control )
implies that various entities located throughout a system perform
authorization verification.

1. Single Sign-On
a. Single sign-on (SSO) is a centralized access control technique that allows
a subject to be authenticated only once on a system and to access multiple
resources without authenticating again.
b. The primary disadvantage to SSO is that once an account is
compromised, an attacker gains unrestricted access to all of the
authorized resources. However, most SSO systems include methods to
protect user credentials.
c. LDAP and Centralized Access Control
i. A directory service is a centralized database that includes information about subjects
and objects. Many directory services are based on the Lightweight Directory Access
Protocol (LDAP).
ii. Multiple domains and trusts are commonly used in access control systems.
iii. A security domain is a collection of subjects and objects that share a common
security policy, and individual domains can operate separately from other domains.
iv. Trusts are established between the domains to create a security bridge and allow
users from one domain to access resources in another domain.
v. Trusts can be one way only, or they can be two way.

1. Single Sign-On
d. LDAP and PKIs
i. A Public Key Infrastructure (PKI) uses LDAP when integrating digital
certificates into transmissions.
ii. A PKI is a group of technologies used to manage digital certificates during the
certificate life cycle.
iii. There are many times when clients need to query a certificate authority (CA) for
information on a certificate and LDAP is one of the protocols used.
iv. LDAP and centralized access control systems can be used to support single sign-
on capabilities.

1. Single Sign-On
e. Kerberos
1. Ticket authentication is a mechanism that employs a third-party entity to prove
identification and provide authentication.
2. The most common and well-known ticket system is Kerberos .
3. Kerberos offers a single sign-on solution for users and provides protection for
logon credentials.
4. Key Distribution Centre
1. The key distribution centre (KDC) is the trusted third party that provides
authentication services. Kerberos uses symmetric-key cryptography to
authenticate clients to servers. All clients and servers are registered with the KDC,
and it maintains the secret keys for all network members.
5. Kerberos Authentication Server
1. The authentication server hosts the functions of the KDC: a ticket-granting
service (TGS), and an authentication service (AS). However, it is possible to host
the ticket-granting service on another server. The authentication service verifies
or rejects the authenticity and timeliness of tickets. This server is often called the
KDC.

1. Single Sign-On
e. Kerberos
i. Ticket-Granting
1. Ticket A ticket-granting ticket (TGT) provides proof that a subject has
authenticated through a KDC and is authorized to request tickets to access other
objects. A TGT is encrypted and includes a symmetric key, an expiration time,
and the user’s IP address. Subjects present the TGT when requesting tickets to
access objects.
ii. Ticket
1. A ticket is an encrypted message that provides proof that a subject is authorized
to access an object. It is sometimes called a service ticket (ST). Subjects request
tickets to access objects, and if they have authenticated and are authorized to
access the object, Kerberos issues them a ticket. Kerberos tickets have specific
lifetimes and usage parameters. Once a ticket expires, a client must request a
renewal or a new ticket to continue communications with any server..

2. Federated Identity Management and SSO
a. Federated identity management extends this beyond a single
organization.
b. Multiple organizations can join a federation, or group, where they agree
on a method to share identities between them.
c. Users in each organization can log on once in their own organization and
their credentials are matched with a federated identity.
d. They can then use this federated identity to access resources in any other
organization within the group.
e. A challenge with multiple companies communicating in a federation is
finding a common language.
f. They often have different operating systems, but they still need to share a
common language.
g. Federated identity systems often use the Security Assertion Markup
Language (SAML) and/or the Service Provisioning Markup Language
(SPML) to meet this need.

2. Federated Identity Management and SSO
a. Hypertext Markup Language
i. Hypertext Markup Language (HTML) is commonly used to display static web pages. HTML
was derived from the Standard Generalized Markup Language (SGML) and the
Generalized Markup Language (GML).
b. Extensible Markup Language
i. Extensible Markup Language (XML) goes beyond describing how to display the data by
actually describing the data. XML can include tags to describe data as anything desired.
c. Security Assertion Markup Language
i. Security Assertion Markup Language (SAML) is an XML-based language that is commonly
used to exchange authentication and authorization (AA) information between federated
organizations. It is often used to provide SSO capabilities for browser access.
d. Service Provisioning Markup Language
i. Service Provisioning Markup Language (SPML) is a newer framework based on XML but
specifically designed for exchanging user information for federated identity single sign-on
purposes. It is based on the Directory Service Markup Language (DSML), which can
display LDAP-based directory service information in an XML format.
e. Extensible Access Control Markup Language
i. Extensible Access Control Markup Language (XACML) is used to define access control policies
within an XML format, and it commonly implements role-based access controls.

1. Credential Management Systems
a. A credential management system provides a storage space for users to keep their
credentials when SSO isn’t available.
b. Users can store credentials for websites and network resources that require a
different set of credentials. The management system secures the credentials with
encryption to prevent unauthorized access.
c. Third-party credential management systems are also available.
d. For example, KeePass is a freeware tool that allows you to store your credentials.
e. Credentials are stored in an encrypted database and users can unlock the database
with a master password.
f. Once unlocked, users can easily copy their passwords to paste into a website form.
It’s also possible to configure the app to enter the credentials automatically into the
web page form.
g. Of course, it’s important to use a strong master password to protect all the other
credentials.

Integrate identity as a service
Integrating Identity Services
1. Identity services provide additional tools for
identification and authentication.
2. Some of the tools are designed specifically for cloud-
based applications whereas others are third-party
identity services designed for use within the
organization (on-premises).
3. Identity as a Service, or Identity and Access as a
Service (IDaaS) is a third-party service that provides
identity and access management.
4. IDaaS effectively provides SSO for the cloud and is
especially useful when internal clients access cloud-
based Software as a Service (SaaS) applications.

Managing Sessions
1. When using any type of authentication system, it’s
important to manage sessions to prevent
unauthorized access.
2. This includes sessions on regular computers such as
desktop PCs and within online sessions with an
application.
3. Secure online sessions will normally terminate after a
period of time too.

AAA Protocols
1. Several protocols provide authentication, authorization,
and accounting and are referred to as AAA protocols.
2. These provide centralized access control with remote
access systems such as virtual private networks (VPNs)
and other types of network access servers.
3. They help protect internal LAN authentication systems
and other servers from remote attacks.
4. When using a separate system for remote access, a
successful attack on the system only affects the remote
access users. In other words, the attacker won’t have
access to internal accounts.
5. Mobile IP, which provides access to mobile users with
smartphones, also uses AAA protocols.

AAA Protocols
1. RADIUS
1. Remote Authentication Dial-in User Service (RADIUS) centralizes
authentication for remote connections. It is typically used when
an organization has more than one network access server (or
remote access server).
2. A user can connect to any network access server, which then
passes on the user’s credentials to the RADIUS server to verify
authentication and authorization and to track accounting.
3. In this context, the network access server is the RADIUS client
and a RADIUS server acts as an authentication server.
4. The RADIUS server also provides AAA services for multiple
remote access servers.
5. RADIUS uses the User Datagram Protocol (UDP) and encrypts
only the exchange of the password.
6. It doesn’t encrypt the entire session, but additional protocols
can be used to encrypt the data session. The current version is
defined in RFC 2865.

AAA Protocols
2. TACACS+
1. TACACS and XTACACS are not commonly used today.
2. TACACS Plus (TACACS+) was later created as an open publicly
documented protocol, and it is the most commonly used of the
three.
3. TACACS+ provides several improvements over the earlier versions
and over RADIUS.
4. It separates authentication, authorization, and accounting into
separate processes, which can be hosted on three separate servers
if desired.
5. The other versions combine two or three of these processes.
6. Additionally, TACACS+ encrypts all of the authentication
information, not just the password as RADIUS does.
7. TACACS and XTACACS used UDP port 49, while TACACS+ uses
Transmission Control Protocol (TCP) port 49, providing a higher
level of reliability for the packet transmissions.

AAA Protocols
3. Diameter
1. Building on the success of RADIUS and TACACS+, an
enhanced version of RADIUS named Diameter was
developed.
2. It supports a wide range of protocols, including traditional
IP, Mobile IP, and Voice over IP (VoIP).
3. Because it supports extra commands, it is becoming
popular in situations where roaming support is desirable,
such as with wireless devices and smart phones.
4. While Diameter is an upgrade to RADIUS, it is not
backward compatible to RADIUS.
5. Diameter uses TCP port 3868 or Stream Control
Transmission Protocol (SCTP) port 3868, providing better
reliability than UDP used by RADIUS.
6. It also supports Internet Protocol Security (IPsec) and
Transport Layer Security (TLS) for encryption.

Implement and manage authorization mechanisms
Comparing Access Control Models
1. Comparing Permissions, Rights, and Privileges
1. Permissions
a. In general, permissions refer to the access granted for an object and determine what
you can do with it. If you have read permission for a file, you’ll be able to open it and
read it.
b. You can grant user permissions to create, read, edit, or delete a file on a file server.
Similarly, you can grant user access rights to a file, so in this context, access rights
and permissions are synonymous.
2. Rights
a. A right primarily refers to the ability to take an action on an object. For example, a
user might have the right to modify the system time on a computer or the right to
restore backed-up data.
b. This is a subtle distinction and not always stressed. However, you’ll rarely see the
right to take action on a system referred to as a permission.
3. Privileges
a. Privileges are the combination of rights and privileges. For example, an administrator
for a computer will have full privileges, granting the administrator full rights and
permissions on the computer.
b. The administrator will be able to perform any actions and access any data on the
computer.

Understanding Authorization Mechanisms
1. Implicit Deny
a. A basic principle of access control is implicit deny and most authorization
mechanisms use it.
b. The implicit deny principle ensures that access to an object is denied unless
access has been explicitly granted to a subject.
2. Access Control Matrix
a. An access control matrix is a table that includes subjects, objects, and
assigned privileges.
b. When a subject attempts an action, the system checks the access control
matrix to determine if the subject has the appropriate privileges to perform
the action.
3. Capability Tables
a. Capability tables are another way to identify privileges assigned to subjects.
b. They are different from ACLs in that a capability table is focused on subjects (such
as users, groups, or roles).
c. For example, a capability table created for the accounting role will include a list of
all objects that the accounting role can access and will include the specific
privileges assigned to the accounting role for these objects.
d. In contrast, ACLs are focused on objects.
e. An ACL for a file would list all the users and/or groups that are authorized access
to the file and the specific access granted to each.

4. Constrained Interface
a. Applications use constrained interfaces or restricted interfaces to restrict what users can
do or see based on their privileges.
b. Users with full privileges have access to all the capabilities of the application.
c. Users with restricted privileges have limited access.
d. Applications constrain the interface using different methods.
e. A common method is to hide the capability if the user doesn’t have permissions to use
it.
5. Content-Dependent Control
a. Content-dependent access controls restrict access to data based on the content within
an object.
b. A database view is a content-dependent control.
c. A view retrieves specific columns from one or more tables, creating a virtual table.
6. Context-Dependent Control
a. Context-dependent access controls require specific activity before granting users access.
b. As an example, consider the data flow for a transaction selling digital products online.
c. Users add products to a shopping cart and begin the checkout process.
d. The first page in the checkout flow shows the products in the shopping cart, the next page
collects credit card data, and the last page confirms the purchase and provides instructions
for downloading the digital products.
e. The system denies access to the download page if users don’t go through the purchase process
first.
f. It’s also possible to use date and time controls as context-dependent controls.

7. Need to Know
a. This principle ensures that subjects are granted access only to what
they need to know for their work tasks and job functions.
b. Subjects may have clearance to access classified or restricted data but
are not granted authorization to the data unless they actually need it
to perform a job.
8. Least Privilege
a. The principle of least privilege ensures that subjects are granted only
the privileges they need to perform their work tasks and job
functions.
b. This is sometimes lumped together with need to know.
c. The only difference is that least privilege will also include rights to
take action on a system.
9. Separation of Duties and Responsibilities
a. This principle ensures that sensitive functions are split into tasks
performed by two or more employees.
b. It helps to prevent fraud and errors by creating a system of checks
and balances.

Defining Requirements with a Security Policy
1. A security policy is a document that defines the security
requirements for an organization.
2. It identifies assets that need protection and the extent to
which security solutions should go to protect them.
3. Policies are an important element of access control
because they help personnel within the organization
understand what security requirements are important.
4. Senior leadership approves the security policy and, in
doing so, provides a broad overview of an organization’s
security needs.
5. However, a security policy usually does not go into details
about how to fulfil the security needs or how to
implement the policy.

Implementing Defence in Depth
1. A security policy is a document that defines the security Organizations
implement access controls using a defence-in-depth strategy.
2. This uses multiple layers or levels of access controls to provide layered
security.
3. Intruders or attackers need to overcome multiple layers of defence to reach
these protected assets.

Implementing Defence in Depth
1. This concept of defence in depth highlights several
important points:
a. An organization’s security policy, which is one of the
administrative access controls, provides a layer of defence
for assets by defining security requirements.
b. Personnel are a key component of defence. However, they
need proper training and education to implement, comply
with, and support security elements defined in an
organization’s security policy.
c. A combination of administrative, technical, and physical
access controls provides a much stronger defence. Using
only administrative, only technical, or only physical
controls results in weaknesses that attackers can discover
and exploit.

Discretionary Access Controls
1. A system that employs discretionary access controls (DACs) allows
the owner, creator, or data custodian of an object to control and
define access to that object.
2. All objects have owners, and access control is based on the discretion
or decision of the owner.
3. Identity based access control is a subset of DAC because systems
identify users based on their identity and assign resource ownership
to identities.
4. A DAC model is implemented using access control lists (ACLs) on
objects.
5. Each ACL defines the types of access granted or denied to subjects.
6. It does not offer a centrally controlled management system because
owners can alter the ACLs on their objects at will.
7. Within a DAC environment, administrators can easily suspend user
privileges while they are away, such as on vacation.
8. Similarly, it’s easy to disable accounts when users leave the
organization.

Nondiscretionary Access Controls
1. The major difference between discretionary and nondiscretionary
access controls is in how they are controlled and managed.
2. Administrators centrally administer nondiscretionary access controls
and can make changes that affect the entire environment.
3. In contrast, discretionary access control models allow owners to
make their own changes, and their changes don’t affect other parts of
the environment.
4. In a non-DAC model, access does not focus on user identity.
5. Instead, a static set of rules governing the whole environment
manages access.
6. Non-DAC systems are centrally controlled and easier to manage
(although less flexible).
7. In general, any model that isn’t a discretionary model is a
nondiscretionary model.
8. This includes rule-based, role-based, and lattice-based access
controls.

1. Role-based Access Control
a. Systems that employ role-based or task-based access controls define a subject’s ability to
access an object based on the subject’s role or assigned tasks.
b. Role-based access control (role-BAC) is often implemented using groups.
c. This helps enforce the principle of least privilege by preventing privilege creep.
d. Privilege creep is the tendency for privileges to accrue to users over time as their roles
and access needs change.
e. Ideally, administrators revoke user privileges when users change jobs within an
organization.
f. However, when privileges are assigned to users directly, it is challenging to identify and
revoke all of a user’s unneeded privileges.
g. Role-based access controls are useful in dynamic environments with frequent personnel
changes because administrators can easily grant multiple permissions simply by adding
a new user into the appropriate role.
h. It’s easy to confuse DAC and role-BAC because they can both use groups to organize
users into manageable units, but they differ in their deployment and use.
i. In the DAC model, objects have owners and the owner determines who has access.
j. In the role-BAC model, administrators determine subject privileges and assign
appropriate privileges to roles or groups.
k. In a strict role-BAC model, administrators do not assign privileges to users directly but
only grant privileges by adding user accounts to roles or groups.

2. Rule-based Access Control
a. A rule-based access control (rule-BAC) uses a set of rules, restrictions, or
filters to determine what can and cannot occur on a system.
b. It includes granting a subject access to an object, or granting the subject
the ability to perform an action.
c. A distinctive characteristic about rule-BAC models is that they have
global rules that apply to all subjects.
d. One common example of a rule-BAC model is a firewall.

3. Attribute-based Access Controls
a. Traditional rule-BAC models include global rules that apply to all users.
b. However, an advanced implementation of a rule-BAC is an attribute-based
access control (ABAC) model.
c. ABAC models use policies that include multiple attributes for rules.
d. Many software defined networking applications use ABAC models.
e. As an example, CloudGenix has created a software-defined wide area
network (SD-WAN) solution that implements policies to allow or block
traffic.
f. Administrators create ABAC policies using plain language statements
such as “Allow Managers to access the WAN using tablets or smart
phones.”
g. This allows users in the Managers role to access the WAN using tablet
devices or smart phones. Notice how this improves the rule-BAC model.
h. The rule-BAC applies to all users, but the ABAC can be much more
specific.

4. Mandatory Access Controls
a. A mandatory access control (MAC) model relies on the use of
classification labels.
b. Each classification label represents a security domain , or a realm of
security.
c. A security domain is a collection of subjects and objects that share a
common security policy.
d. For example, a security domain could have the label Secret, and the MAC
model would protect all objects with the Secret label in the same manner.
e. Subjects are only able to access objects with the Secret label, when they
have a matching Secret label.
f. Additionally, the requirement for subjects to gain the Secret label is the
same for all subjects.
g. The MAC model is often referred to as a lattice-based model.

1. Classifications within a MAC model use one of the following three types of
environments:
a. Hierarchical Environment
i. A hierarchical environment relates various classification labels in an ordered structure from low
security to medium security to high security, such as Confidential, Secret, and Top Secret,
respectively.
ii. Each level or classification label in the structure is related. Clearance in one level grants the
subject access to objects in that level as well as to all objects in lower levels but prohibits access to
all objects in higher levels.
iii. For example, someone with a Top Secret clearance can access Top Secret data and Secret data.
b. Compartmentalized Environment
i. In a compartmentalized environment, there is no relationship between one security domain and
another.
ii. Each domain represents a separate isolated compartment.
iii. To gain access to an object, the subject must have specific clearance for its security domain.
c. Hybrid Environment
i. A hybrid environment combines both hierarchical and compartmentalized concepts so that each
hierarchical level may contain numerous subdivisions that are isolated from the rest of the
security domain.
ii. A subject must have the correct clearance and the need to know data within a specific
compartment to gain access to the compartmentalized object.
iii. A hybrid MAC environment provides granular control over access, but becomes increasingly
difficult to manage as it grows.

Prevent or mitigate access control attacks
Understanding Access Control Attacks
1. Risk Elements
a. A risk is the possibility or likelihood that a threat will exploit a vulnerability
resulting in a loss such as harm to an asset.
b. A threat is a potential occurrence that can result in an undesirable outcome.
This includes potential attacks by criminals or other attackers. It also
includes natural occurrences such as floods or earthquakes, and accidental
acts by employees.
c. A vulnerability is any type of weakness.
d. The weakness can be due to a flaw or limitation in hardware or software, or
the absence of a security control such as the absence of antivirus software on
a computer.
e. Risk management attempts to reduce or eliminate vulnerabilities, or reduce
the impact of potential threats by implementing controls or
countermeasures.
f. It is not possible, or desirable, to eliminate risk.
g. With this in mind, key steps early in a risk management process are as
follows:
i. Identifying assets
ii. Identifying threats
iii. Identifying vulnerabilities

2. Identifying Assets
a. Asset valuation refers to identifying the actual value of
assets with the goal of prioritizing them.
b. Risk management focuses on assets with the highest
value and identifies controls to mitigate risks to these
assets.
c. In the context of access control attacks, it’s important
to evaluate the value of data.
d. For example, if an attacker compromises a database
server and downloads a customer database that
includes privacy data and credit card information, it
represents a significant loss to the company.

3. Identifying Threats
a. After identifying and prioritizing assets, an organization
attempts to identify any possible threats to the valuable
systems.
b. Threat modelling refers to the process of identifying,
understanding, and categorizing potential threats.
c. A goal is to identify a potential list of threats to these
systems and to analyze the threats.
d. Threat modelling isn’t meant to be a single event.
e. Instead, it’s common for an organization to begin threat
modelling early in the design process of a system and
continue throughout its life cycle.
f. In other words, it attempts to reduce vulnerabilities and
reduce the impact of any vulnerabilities that remain.
g. The overall result is reduced risk.

a. Threat Modelling Approaches
i. There’s an almost infinite possibility of threats, so it’s important to
use a structured approach to identify relevant threats.
ii. For example, some organizations use one or more of the following
three approaches:
1. Focused on Assets
a) This method uses asset valuation results and attempts to
identify threats to the valuable assets.
b) Personnel evaluate specific assets to determine their
susceptibility to attacks.
c) If the asset hosts data, personnel evaluate the access controls
to identify threats that can bypass authentication or
authorization mechanisms.

2. Focused on Attacks
a) Some organizations identify potential attackers and
identify the threats they represent based on the attacker’s
goals.
b) For example, a government is often able to identify
potential attackers and recognize what the attackers want
to achieve.
c) They can then use this knowledge to identify and protect
their relevant assets.
d) A challenge with this approach is that new attackers
appear that might not have been considered a threat
previously.

3. Focused on Software
a) If an organization develops software, it can consider
potential threats against the software.
b) While organizations didn’t commonly develop their own
software years ago, it’s common to do so today.
c) Specifically, most organizations have a web presence, and
many create their own websites.
d) Fancy websites attract more traffic, but they also require
more sophisticated programming and present additional
threats.

b. Advanced Persistent Threat
1. Any threat model should take into account the existence of
known threats, and a relatively new threat is an advanced
persistent threat (APT) .
2. An APT refers to a group of attackers who are working
together and are highly motivated, skilled, and patient.
3. They have advanced knowledge and a wide variety of skills to
detect and exploit vulnerabilities.
4. They are persistent and focus on exploiting one or more
specific targets rather than just any target of opportunity.
Governments typically fund APTs.
5. However, some groups of organized criminals also fund and
run APTs.

4. Identifying Vulnerabilities
a. After identifying valuable assets and potential threats, an organization will
perform vulnerability analysis .
b. In other words, it attempts to discover weaknesses in these systems against
potential threats.
c. In the context of access control, vulnerability analysis attempts to identify the
strengths and weaknesses of the different access control mechanisms and the
potential of a threat to exploit a weakness.
d. Vulnerability analysis is an ongoing process and can include both technical
and administrative steps.
e. In larger organizations, specific individuals may be doing vulnerability
analysis as a full-time job.
f. They regularly perform vulnerability scans, looking for a wide variety of
vulnerabilities, and report the results.
g. In smaller organizations, a network administrator may run vulnerability
scans on a periodic basis, such as once a week or once a month.
h. A risk analysis will often include a vulnerability analysis by evaluating
systems and the environment against known threats and vulnerabilities,
followed by a penetration test to exploit vulnerabilities.

Common Access Control Attacks
1. Access Aggregation Attacks
a. Access aggregation refers to collecting multiple pieces of
non-sensitive information and combining (i.e.,
aggregating) them to learn sensitive information.
b. In other words, a person or group may be able to collect
multiple facts about a system and then use these facts to
launch an attack.
c. Reconnaissance attacks are access aggregation attacks that
combine multiple tools to identify multiple elements of a
system, such as IP addresses, open ports, running services,
operating systems, and more.
d. Attackers also use aggregation attacks against databases.
e. Combining defence-in-depth, need-to-know, and least
privilege principles helps prevent access aggregation
attacks.

1. Password Attacks
a. If an attacker is successful in a password attack, the attacker can gain
access to the account and access resources authorized to the account.
b. If an attacker discovers a root or administrator password, the attacker
can access any other account and its resources.
c. If attackers discover passwords for privileged accounts in a high-
security environment, the security of the environment can never be
fully trusted again.
d. A strong password helps prevent password attacks and includes at
least eight characters with a combination of at least three of the four
character types (uppercase, lowercase, numbers, and special
characters).
e. As password crackers get better, some people believe that strong
passwords must be at least 15 characters, though it’s difficult to get
regular users to buy into this.
f. While security professionals usually know what makes a strong
password,
g. many users do not, and it is common for users to use short passwords
with only a single character type.

1. Password Attacks
a. Dictionary Attacks
i. A dictionary attack is an attempt to discover passwords by using
every possible password in a predefined database or list of
common or expected passwords.
ii. In other words, an attacker starts with a database of words
commonly found in a dictionary.
iii. Dictionary attack databases also include character combinations
commonly used as passwords, but not found in dictionaries.
iv. For example, you will probably see the list of passwords found in
the published Sony accounts database mentioned earlier in many
password-cracking dictionaries.
v. Additionally, dictionary attacks often scan for one-upped-
constructed passwords.
vi. A one-upped-constructed password is a previously used password,
but with one character different.

1. Password Attacks
b. Brute-Force Attacks
i. A brute-force attack is an attempt to discover passwords for user accounts by
systematically attempting all possible combinations of letters, numbers, and
symbols.
ii. Attackers don’t typically type these in manually but instead have programs that
can programmatically try all the combinations.
iii. A hybrid attack attempts a dictionary attack and then performs a type of brute-
force attack with one-upped-constructed passwords.
iv. The longer and more complex a password is, the more costly and time
consuming a brute-force attack becomes.
v. As the number of possibilities increases, the cost of performing an exhaustive
attack goes up. In other words, the longer the password and the more character
types it includes, the more secure it is against brute-force attacks.
vi. Passwords and usernames are stored in an account database file on secured
systems.
vii. However, instead of being stored as plain text, systems and applications
commonly hash passwords, and only store the hash values.

1. Password Attacks
c. Birthday Attack
i. A birthday attack focuses on finding collisions. Its name comes from a
statistical phenomenon known as the birthday paradox.
ii. The birthday paradox states that if there are 23 people in a room, there is a
50 percent chance that any two of them will have the same birthday.
iii. This is not the same year, but instead the same month and day, such as
March 30.
iv. With February 29 in a leap year, there are only 366 possible days in a year.
With 367
v. people in a room, you have a 100 percent chance of getting at least two
people with the same birthdays. Reduce this to only 23 people in the room,
and you still have a 50 percent chance that any two have the same
birthday.
vi. This is similar to finding any two passwords with the same hash. If a
hashing function could only create 366 different hashes, then an attacker
with a sample of only 23 hashes has a 50 percent chance of discovering two
passwords that create the same hash.
vii. Hashing algorithms can create many more than 366 different hashes, but
the point is that the birthday attack method doesn’t need all possible
hashes to see a match.

1. Password Attacks
d. Rainbow Table Attacks
i. It takes a long time to find a password by guessing it, hashing it,
and then comparing it with a valid password hash.
ii. However, a rainbow table reduces this time by using large
databases of pre-computed hashes.
iii. Attackers guess a password (with either a dictionary or a brute-
force method), hash it, and then put both the guessed password
and the hash of the guessed password into the rainbow table.
iv. A password cracker can then compare every hash in the rainbow
table against the hash in a stolen password database file.
v. A traditional password-cracking tool must guess the password and
hash it before it can compare the hashes.
vi. However, when using the rainbow table the password cracker
doesn’t spend any time guessing and calculating hashes.
vii. It simply compares the hashes until it finds a match. This can
significantly reduce the time it takes to crack a password.

1. Password Attacks
e. Sniffer Attacks
i. Sniffing captures packets sent over a network with the
intent of analyzing the packets.
ii. A sniffer (also called a packet analyzer or protocol analyzer)
is a software application that captures traffic travelling over
the network. Administrators use sniffers to analyze network
traffic and troubleshoot problems.
iii. Of course, attackers can also use sniffers. A sniffer attack
(also called a snooping attack or eavesdropping attack)
occurs when an attacker uses a sniffer to capture
information transmitted over a network.
iv. They can capture and read any data sent over a network in
clear text, including passwords.

2. Spoofing Attacks
a. Spoofing (also known as masquerading) is pretending to be
something, or someone, else.
b. There is a wide variety of spoofing attacks. As an example, an
attacker can use someone else’s credentials to enter a building or
access an IT system.
c. Some applications spoof legitimate logon screens.
d. One attack brought up a logon screen that looked exactly like the
operating system logon screen.
e. When the user entered credentials, the fake application captured
the user’s credentials and the attacker used them later.
f. In an IP spoofing attack, attackers replace a valid source IP
address with a false one to hide their identity or to
impersonate a trusted system.
g. Other types of spoofing used in access control attacks include
email spoofing and phone number spoofing.

2. Spoofing Attacks
1. Email Spoofing
a. Spammers commonly spoof the email address in the From field to
make an email appear to come from another source.
b. Phishing attacks often do this to trick users into thinking the email is
coming from a trusted source.
c. The Reply To field can be a different email address and email
programs typically don’t display this until a user actually replies to the
email. By this time, they often ignore it.
2. Phone Number Spoofing
a. Caller ID services allow users to identify the phone number of any
caller.
b. Phone number spoofing allows a caller to replace this number with
another one, which is a common technique on Voice over Internet
Protocol (VoIP) systems.
c. One technique attackers have been using recently is to replace the
actual calling number with a phone number that includes the same
area code as the called number. This makes it look like it’s a local call.

3. Social Engineering Attacks
1. Phishing
a. Phishing is a form of social engineering that attempts to t g rick
users into giving up sensitive information, opening an attachment,
or clicking a link.
b. It often tries to obtain user credentials or personally identifiable
information (PII) such as usernames, passwords, or credit card
details by masquerading as a legitimate company.
c. Attackers send phishing emails indiscriminately as spam, without
knowing who will get them but in the hope that some users will
respond.
d. Phishing emails commonly inform the user of a bogus problem
and say that if the user doesn’t take action, the company will lock
the user’s account.

2. Spear Phishing
a. Spear phishing is a form of phishing targeted to a specific group of
users, such as employees within a specific organization. It may
appear to originate from a colleague or co-worker within the
organization or from an external source.
b. For example, attackers exploited a zero-day vulnerability in Adobe
PDF files that allowed them to embed malicious code.
c. If users opened the file, it installed malware onto the user’s
systems.
d. The attackers named the PDF file FY12 … Contract Guide and
stated in the email that it provided updated information on a
contract award process.
e. They sent the email to targeted email addresses at well-known
government contractors such as Lockheed Martin.
f. If any contractors opened the file, it installed malware on their
systems that gave attackers remote access to infected systems.

3. Whaling
a. Whaling is a variant of phishing that targets senior or high-level
executives such as CEOs and presidents within a company.
b. A well-known whaling attack targeted about 20,000 senior
corporate executives with an email identifying each recipient by
name and stating they were subpoenaed to appear before a grand
jury.
c. It included a link to get more information on the subpoena.
d. If the executive clicked the link, a message on the website
indicated that the executive needed to install a browser add-on to
read the file.
e. Executives that approved the installation of the add-on actually
installed malicious software that logged their keystrokes,
capturing login credentials for different websites they visited.
f. It also gave the attacker remote access to the executive’s system,
allowing the attacker to install additional malware, or read all the
data on the system.

4. Vishing
a. While attackers primarily launch phishing attacks via
email, they have also used other means to trick users,
such as instant messaging (IM) and VoIP.
b. Vishing is a variant of phishing that uses the phone
system or VoIP.
c. A common attack uses an automated call to the user
explaining a problem with a credit card account.
d. The user is encouraged to verify or validate information
such as a credit card number, expiration date, and
security code on the back of the card.
e. Vishing attacks commonly spoof the caller ID number to
impersonate a valid bank or financial institution.

4. Smartcard Attacks
1. Smartcards provide better authentication than passwords, especially when they’re
combined with another factor of authentication such as a personal identification
number (PIN).
2. However, smartcards are also susceptible to attacks.
3. A side-channel attack is a passive, non-invasive attack intended to observe the operation
of a device.
4. When the attack is successful, the attacker is able to learn valuable information
contained within the card, such as an encryption key.
5. A smartcard includes a microprocessor, but it doesn’t have internal power.
6. Instead, when a user inserts the card into the reader, the reader provides power to the
card.
7. The reader has an electromagnetic coil that excites electronics on the card.
8. This provides enough power for the smartcard to transmit data to the reader.
9. Side-channel attacks analyze the information sent to the reader.
10. Sometimes they are able to measure the power consumption of a chip, using a power
monitoring attack or differential power analysis attack, to extract information.
11. In a timing attack, they are able to monitor the processing timings to gain information
based on how much time different computations require.
12. Fault analysis attacks attempt to cause faults, such as by providing too little power to the
card, to glean valuable information.

5. Denial-of-Service Attacks
1. A denial-of-service (DoS) attack prevents a system from
processing or responding to legitimate traffi c or requests for
resources.
2. When the system fails, all legitimate access to the system is
blocked, disrupted, or slowed.
3. As a simple example, if a server isn’t protected with adequate
physical security, an attacker can unplug it, removing it from
service.
4. DoS attacks often occur over a network, including over the
Internet.
5. Some DoS attacks allow attackers to install malicious code onto
servers.
6. For example, an attacker can install a drive-by download or code
that displays malicious pop-ups on web servers.
7. This code can infect user systems when they visit the infected
website.

Manage the identity and access provisioning lifecycle
1. The identity and access provisioning life cycle refers to
the creation, management, and deletion of accounts.
2. Although these activities may seem mundane, they are
essential to a system’s access control capabilities.
3. Without properly defined and maintained user accounts,
a system is unable to establish accurate identity, perform
authentication, provide authorization, or track
accountability.
4. Access control administration is the collection of tasks
and duties involved in managing accounts, access, and
accountability during the life of the account.
5. These tasks are contained within three main
responsibilities of the identity and access provisioning
life cycle: provisioning, account review, and account
revocation.

1. Provisioning
1. An initial step in identity management is the creation
of new accounts and provisioning them with
appropriate privileges.
2. Creating new user accounts is usually a simple process,
but the process must be protected and secured via
organizational security policy procedures.
3. The initial creation of a new user account is often
called an enrolment t or registration.
4. The enrolment process creates a new identity and
establishes the factors the system needs to perform
authentication.
5. It is critical that the enrolment process be completed
fully and accurately.

2. Account Review
1. Accounts should be reviewed periodically to ensure
that security policies are being enforced.
2. This includes ensuring that inactive accounts are
disabled and employees do not have excessive
privileges.
3. Account review is often formalized in auditing
procedures.

3. Account Revocation
1. When employees leave an organization for any reason, it is
important to disable their user accounts as soon as possible.
2. This includes when an employee takes a leave of absence.
3. If a terminated employee retains access to a user account
after the exit interview, the risk for sabotage is very high.
4. Even if the employee doesn’t take malicious action, other
employees may be able to use the account if they discover
the password.
5. Logs will record the activity in the name of the terminated
employee instead of the person actually taking the action.

References
1. CISSP Study Guide – 7th Edition

Domain 5 - Identity and Access Management

More Related Content

What's hot (20)

Similar to Domain 5 - Identity and Access Management (20)

More from Maganathin Veeraragaloo (20)

Recently uploaded (20)

Domain 5 - Identity and Access Management