Exam Essentials: Chapter 13

Chapter 13: Managing Identity & Authentication

Know the difference between subjects & objects

  • Subjects are active entities (such as users) that access passive objects (such as files)
  • A user is a subject who accesses objects while performing some action or accomplishing a work task.

Know the various types of access controls

  • You should be able to identify the type of any given access control.
  • Access controls may be:
    • preventive (to stop unwanted or unauthorised activity from occurring)
    • detective (to discover unwanted or unauthorised activity)
    • corrective (to restore systems to normal after an unwanted or unauthorised activity has occurred)
    • deterrent (attempt to discourage violation of security policies, by encouraging people not to take an unwanted action)
    • recovery (attempt to repair/restore resources, functions & capabilities after a security policy violation)
    • directive (attempt to direct, confine or control the action of subjects to force or encourage compliance with security policy)
    • compensating (provide options or alternatives to existing controls to aid in enforcement & support of a security policy)

Know the implementation methods of access controls

  • Controls are implemented as administrative, logical/technical or physical controls.
  • Administrative (or management) controls include policies or procedures to enforce overall access control.
  • Logical/technical controls include hardware or software mechanisms used to manage access to resources and systems, and provide protection for those resources and systems.
  • Physical controls include physical barriers deployed to prevent direct contact with systems or access to areas within a facility.

Understand the difference between identification & authentication

  • Access controls depend on effective identification & authentication, so it’s important to understand the differences between them.
  • Subjects claim an identity, and identification can be as simple as a username.
  • Subjects prove their claimed identity by providing authentication credentials, such as the password that matches a username.

Understand the difference between authorisation & accountability

  • After authenticating subjects, systems authorise access to objects based on their proven identity.
  • Audit logs and audit trails record events, including the identity of the subject that performed each action.
  • The combination of effective identification, authentication & auditing provides accountability.

Understand the details of primary authentication factors

  • The three primary factors of authentication are:
    • something you know (such as a password or PIN)
    • something you have (such as a smartcard or token)
    • something you are (based on biometrics)
  • Multi-factor authentication includes two or more authentication factors, and using it is more secure than using a single authentication factor.
  • Passwords are the weakest form of authentication, but password policies help increase their security by enforcing complexity and history requirements.
  • Smartcards include microprocessors and cryptographic certificates, and tokens create one-time passwords.
  • Biometric methods identify users based on characteristics such as fingerprints.
  • The crossover error rate (CER) identifies the accuracy of a biometric method. It shows where the false rejection rate (FRR) is equal to the false acceptance rate (FAR).

Understand single sign-on

  • Single sign-on (SSO) is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again.
  • Kerberos is the most common SSO method used within organisations, and it uses symmetric cryptography and tickets to prove identification and provide authentication.
  • When multiple organisations want to use a common SSO system, they often use a federated identity management system, where the federation (group of organisations) agrees on a common method of authentication.
  • Security Assertion Markup Language (SAML) is commonly used to share federated identity information.
  • Other SSO methods are scripted access, SESAME and KryptoKnight.
  • OAuth and OpenID are two newer technologies used for SSO on the Internet. OAuth is an authorisation framework (delegating access to resources) rather than an authentication protocol; OpenID, and OpenID Connect built on OAuth 2.0, provide the authentication. OAuth 2.0 is recommended over OAuth 1.0 by many large organisations such as Google.

Understand the purpose of AAA protocols

  • Several protocols provide centralised authentication, authorisation and accounting services.
  • Network access (or remote access) systems use AAA protocols. For example, a network access server is a client to a RADIUS server, and the RADIUS server provides AAA services.
  • RADIUS uses UDP (port 1812 for authentication, 1813 for accounting) and hides only the User-Password attribute, using an MD5-based obfuscation keyed by the shared secret; the rest of the packet travels in the clear.
  • TACACS+ uses TCP (port 49) and obfuscates the entire packet body, so only the header is visible on the wire.
  • Diameter is based on RADIUS and fixes many of its weaknesses (it runs over TCP or SCTP and relies on TLS or IPsec for transport security), but it is not backward compatible with RADIUS.
  • Diameter is becoming more popular with mobile IP systems such as smartphones.
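To make the RADIUS point concrete, the following Python (added here; not from the notes or from any RADIUS implementation) builds an Access-Request the way a network access server would, applies the RFC 2865 §5.2 User-Password hiding, parses the packet back as a sniffer would see it, and shows the Response Authenticator check from RFC 2865 §3 that lets the NAS detect a forged reply. The shared secret, the username, the password and the NAS address are constructed sample values.

```python
"""Added example (not from the notes): RFC 2865 RADIUS hides only the User-Password attribute."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types from RFC 2865 §5


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 being the 16-byte Request Authenticator. Obfuscation, not real encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same MD5 chain XORed back; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does with an Access-Accept/Reject: recompute and compare the authenticator."""
    code, ident, resp_auth, _ = parse_packet(reply)
    return hmac.compare_digest(resp_auth, response_authenticator(code, ident, reply[20:], request_auth, secret))


def demo(secret: bytes = b"testing123", password: bytes = b"s3cret-pass", request_auth: bytes = None) -> dict:
    """Constructed exchange: NAS sends an Access-Request for 'alice'; the server answers Access-Accept."""
    request_auth = os.urandom(16) if request_auth is None else request_auth   # must be fresh per request
    req = build_packet(ACCESS_REQUEST, 7, request_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ])
    code, ident, ra, attrs = parse_packet(req)      # exactly what a sniffer on the path sees
    a = dict(attrs)
    accept = build_packet(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, b"", ra, secret), [])
    return {"user_name_in_clear": a[USER_NAME],
            "nas_ip_in_clear": ".".join(map(str, a[NAS_IP_ADDRESS])),
            "password_on_wire_is_plaintext": a[USER_PASSWORD] == password,
            "server_recovers_password": reveal_password(a[USER_PASSWORD], secret, ra),
            "reply_verified": verify_response(accept, ra, secret),
            "forged_reply_rejected": not verify_response(accept, ra, b"wrong-secret")}
```

The returned dictionary makes the exam point visible: User-Name and NAS-IP-Address are readable bytes on the wire, only User-Password is hidden, and the hiding is MD5 keyed by nothing more than the shared secret. A short password leaves known NUL padding in the last block, which gives an attacker who captures one request a way to guess the secret offline; this is why RADIUS is normally carried inside IPsec or over TLS (RadSec, RFC 6614) rather than trusted on its own.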

Understand the identity & access provisioning lifecycle

  • The identity & access provisioning lifecycle refers to the creation, management & deletion of accounts.
  • Provisioning accounts ensures that they have appropriate privileges based on task requirements.
  • Periodic reviews ensure that accounts don’t have excessive privileges, and follow the principle of least privilege.
  • Revocation includes disabling accounts as soon as possible when an employee leaves the company, and deleting accounts when they are no longer needed.
