Identity and Account Management


3. Identity and Account Management:

Obj. 2.4: Summarize Authentication and Authorization design concepts:

* Identification, Authentication, Authorization & Accounting:

> Identification: Claiming an identity, such as a username, driving license or identity card
> Authentication: Proving the identity, such as a PIN or password
> Authorization: Permitting specific actions once a user has been authenticated
> Accounting: The process of auditing, or accounting for, the activities of a user while they are on a system
> Multifactor Authentication (MFA): Using more than one factor of authentication. Authentication Factors --> Something you know (password/PIN), Something you have (smart card, RSA token), Something you are (face recognition, retina scanners, thumbprint)
# Authentication Attributes: Something you do (signature), Something you exhibit (typing speed), Someone you know (digital certificate), Somewhere you are.

* Authorization:

> Based on permissions granted
> Determines resource permissions
> Can only occur after authentication
> Resources: Targets that have permissions applied to them. Examples: Files, Database Rows, Web App

* Accounting/Auditing:

> Track permissions usage/activities for accountability purposes.
> Who or what accessed which resource, for how long, and on what date?
> Must have separate user accounts for each user
> Types of Auditing: Resource Access, Failed Logon Attempts, Changes to files/database records
> Event (or accounting) logs can be used to identify unusual or malicious activity.

* Authentication Methods:

> Username/Password: Security risk because they are both something you know and can be guessed. Also a security risk because common passwords are still widely used. Mitigation is to use different passwords for each resource.
> Password vaults: Also called "password managers". Examples: LastPass, cloud-based vaults to store password keys. A master key protects the vault; the key should be remembered by the user.
> One-Time Password (OTP): Unique password (code) generated for single use. Static code sent via e-mail or SMS text.

# Time-based OTP (TOTP): Code is only valid for a short period of time.
# Software notification methods (push notification): Phone call, Short Message Service (SMS) text, E-mail
# HMAC-based OTP (HOTP): HMAC encrypts a hash to ensure authenticity

> Certificate-Based Authentication:

# PKI certificates are issued by a trusted authority to an individual entity: Device, VPN, App access. Can be stored on a smart card --> Called a Personal Identity Verification (PIV) card. Common Access Card (CAC) can authenticate to everything.

> SSH Public Key Authentication: Sign in with username and password (passphrase) as well as a private key. Public key stored on server, private key stored on admin device.
> Biometrics: Fingerprint, Retina Scan, Iris Scan, Facial Recognition, Voice Recognition, Vein Analysis, Gait Analysis. Efficacy rates --> False acceptance rate, False rejection rate, Crossover error rate

Obj. 3.8: Given a scenario, implement authentication and authorization solutions:

* Credential Policies:

> Credential Policies determine how credentials are managed and used to access resources.
> Defines who gets access to what: Employees, Contractors, Devices, Service Accounts, Administrator/root accounts --> Privileged Access Management (PAM)

* Resource permissions can be based on attributes (ABAC), roles (RBAC) or rules (RBAC); access can also be controlled via MAC, DAC and Physical access control.

* Attribute-Based Access Control (ABAC):

> Uses attributes to determine permissions. Example: Date of Birth or Device Type

* Role-Based Access Control (RBAC):

> A role is a collection of related permissions.
> Role occupants get the permissions of the role

* Rule-Based Access Control (RBAC):

> Uses conditional access policies
> Examples: MFA, Device Type, Location

* Mandatory Access Control (MAC):

> Enforced by operating system.
> Resources are labeled: Devices, files, databases, network, ports, etc.
> Permission assignments are based on resource labels and security clearance.

* Discretionary Access Control (DAC):

> Data custodian sets permissions at their discretion
> Example: Linux File permissions

* Physical Access Control:

> Limited facility access
> Examples: Access Control Vestibules, Door Locks, Proximity Cards, Key Fob, etc.

Obj. 3.7: Given a scenario, implement identity and account management controls:

* User Accounts:

> Unique account per user
> Assign permissions to groups
> Principle of least privilege
> User account auditing
> Disablement

* Account Management:

> Setting Rights/privileges
> Account Types: User, Device, Service, Administrator/root, Privileged, Guest

* Account Policies:

> Employee onboarding
> Password Policies: Complexity, History, Reuse, Expiration
> Account Lockout
> Time-Based logins: Enforce login/logout times
> Geolocation: Where a user is located. Geofencing --> User geolocation determines resource access. Geotagging --> Adding location metadata to files and social media posts.
> Impossible travel time: The user has logged in from the USA and 10 minutes later that user logged in from Australia
> Risky login: A baseline of normal activity is required first
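The impossible-travel check from the notes as detection logic, added here as an example (not part of the original notes): consecutive logins per user are geolocated, the great-circle distance between them is divided by the elapsed time, and any pair whose implied speed exceeds a threshold is flagged. The 1000 km/h threshold, the coordinates and the sample login events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # UTC timestamp of the successful login
    lat: float       # geolocation of the source IP (constructed here)
    lon: float
    country: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh: float = 1000.0):
    """Flag consecutive logins of one user whose implied speed exceeds max_speed_kmh
    (assumed threshold: a little above airliner cruising speed)."""
    alerts, last = [], {}
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Two logins at the same instant from different places are also impossible.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                alerts.append({"user": ev.user, "from": prev.country, "to": ev.country,
                               "km": round(km), "kmh": round(speed)})
        last[ev.user] = ev
    return alerts


# Constructed sample events (not real data): alice reproduces the notes' scenario of a
# US login followed 10 minutes later by one from Australia; bob's Chicago-to-New-York
# login three hours later implies roughly 380 km/h and is plausible.
SAMPLE = [
    Login("alice", datetime(2024, 1, 1, 9, 0), 40.7128, -74.0060, "US"),
    Login("alice", datetime(2024, 1, 1, 9, 10), -33.8688, 151.2093, "AU"),
    Login("bob", datetime(2024, 1, 1, 8, 0), 41.8781, -87.6298, "US"),
    Login("bob", datetime(2024, 1, 1, 11, 0), 40.7128, -74.0060, "US"),
]


def detect_sample():
    return impossible_travel(SAMPLE)
```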

* Network Authentication Protocols:

> Password Authentication Protocol (PAP): Outdated, cleartext transmissions
> Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
> Microsoft New Technology LAN Manager (NTLM): Supersedes the older LANMAN protocol. Used on Windows workgroup computers. Password hashes with NTLM are not salted. NTLMv2 passwords are salted.
> Kerberos: Microsoft Active Directory authentication protocol. Kerberos Key Distribution Center (KDC), Authentication Service (AS), Ticket-Granting Service (TGS), Ticket Granting Ticket (TGT)
> Extensible Authentication Protocol (EAP): Network authentication framework. Examples: PKI certificate authentication, Smart card authentication. Uses TLS transport mechanism
> IEEE 802.1x: Port-based network access control protocol. Centralized RADIUS server authentication. Wired and wireless network edge devices --> Ethernet switches, Router, VPN appliances.
> Remote Access Dial-In User Service (RADIUS): Centralized authentication server. RADIUS clients --> Network switches, VPN appliances, Wired or Wi-Fi Routers. RADIUS Supplicant --> End-user device trying to connect to a network.
> RADIUS Variations: Terminal Access Control Access Control System (TACACS), Terminal Access Control Access Control System Plus (TACACS+), Extended TACACS (XTACACS).

* Identity Management Systems:

> Single Sign-On (SSO): User credentials are not requested after initial authentication. Protocols --> OpenID, OAuth (Open Authorization Framework)
> Identity Federation: Multiple resources that trust a single authentication source. Centralized trusted identity provider (IdP) --> Trusted by resource provider (RP). Uses Security Assertion Markup Language (SAML) --> SAML token is a digital security token that proves identity.
