Chapter 8. Identity and Access Management

Authentication systems based on passwords have been used for many years because they are cheaper and easier to integrate. Today, many more organizations are using tokens and biometrics. Some organizations even enforce two-factor authentication, whereas other entities are moving to federated authentication.

Security administrators have more to worry about than just authentication. Many employees now have multiple accounts to keep up with. Luckily, there is a way to consolidate these accounts: single sign-on solutions. A single sign-on solution allows users the ability to authenticate only once to access all needed resources and systems. Authentication systems can be centralized, decentralized, or hybrid. This chapter introduces each concept.

Although knowing who to authenticate serves as a basis of access control, there also exists the issue of authorization. Authorization defines what access the user has and what abilities are present. Authorization is a core component of access control. Once a user has been authenticated to a domain, server, application, or system, what are they authorized to do?. As an example, administrators are typically authorized to perform many more functions than an average user. Controlling access is the first line of defense in allowing authorized users access while keeping unauthorized users out.

This chapter examines authorization in the context of discretionary, nondiscretionary, and role-based access control. Authorization should be implemented to allow the minimum access required for a user to accomplish his or her task. This approach helps control access, minimizes the damage that a single employee can inflict on the organization, and mitigates the risks associated with access control. The principle that employees should be provided only the amount of control and access that they need to accomplish their job duties, and nothing more is referred to as the principle of least privilege.

If something does go wrong, a method will be required to determine who has done what. That is the process of audit and accountability. In an audit, those individuals tasked with enforcement of network security review records to determine what was done, and by whom. Accountability means that malicious and repetitive mistakes can be tracked and tied to a specific individual, or at least traced to that individual’s credentials.

Identification is the process of identifying yourself to an authentication service.

Authentication is the process of proving the veracity of an identity claim; phrased differently, it is used to determine whether a user is who he or she claims to be.

Authorization is the process of determining whether a user has the right to access a requested resource.

Accountability is the ability to relate specific actions and operations to a unique individual, system, or process.

Access is the transfer of information between two entities. When access control is discussed, it is usually in terms of access, subjects, and objects.

A subject is an active entity that can be a person, application, or process.

An object is a passive entity that contains or holds information. An object can be a server, database, information system, etc.

Something you know (Type 1)—Typically an alphanumeric password or PIN number.

Something you have (Type 2)—Can include smart cards, tokens, memory cards, or key fobs.

Something you are (Type 3)—Items like fingerprints, facial scans, retina scans, or voice recognition.

The authentication process is something that most individuals have performed thousands of times. Consider the log-in prompt at the website of your local bank. You are prompted to enter your username and password, which, if entered correctly, provides you with access. As an example, you might now be able to access your own bank records, but you should not be able to see someone else’s bank balance or access their funds. Your level of authorization as a bank user will be much different from that of a bank manager or loan officer. What is important to understand is that authorization can offer a wide range of access levels from all to nothing.

Organizations require this level of control to enforce effective controls and maintain a secure environment. Enforcement also requires audit and accountability. Enforcement means that someone must review employee and user activities. Just as the bank manager has a greater level of access than the average bank user doesn’t mean that his or her access is unchecked. Controls are needed to limit what the bank manager can access; furthermore, it is needed to enforce accountability so that fraud can be detected if the manager were to decide to take a small amount of the customers’ money each month and stash it away in a Swiss account.

The way in which authentication is handled is changing. As an example, federated authentication allows you to log in once and access multiple resources without having to log in to each unique site or service. The overarching framework is for organizations to share authentication information over the world wide web using Security Association Markup Language (SAML) with HTTPS; therefore, once users have proven their identity, if two organizations trust each other, a user’s shopping experience online gets easier and their security token goes with them. For example, if you were to book an airline ticket, you might be presented with a pop-up that asks if you also need to book a hotel room. Clicking Yes might take you to a major hotel chain website to which your identity and travel information have already been passed. This saves you the process of logging in a second time to the hotel website.

Such systems are already in use, and one early example was Microsoft Passport. These technologies allow for third-party identity management. As another example, you might go to a shopping site and be asked to log in with your Facebook credentials. These systems function by establishing a trust relationship between the identity provider and the service or application. Also, more organizations are starting to adopt authentication as a service (AaaS). AaaS enables organizations to easily apply strong authentication delivered from the cloud and use it as needed, from anywhere.

People use passwords that are easy to remember.

Difficult passwords might be written down and left where others can find them.

Most of us are guilty of reusing passwords.

Reputability is a real issue with passwords because it is hard to prove who made a specific transaction or gained access.

Passwords can be cracked, sniffed, observed, replayed, or broken. Common password cracking can use dictionary, hybrid, or exhaustive search (brute force) attacks.

Dictionary attacks use common dictionary words, and hybrid password cracking uses a combination of words as random characters, such as 1password or p@ssw0rd. Brute force attempts all possible variations, which is typically time consuming. Rainbow table attacks use precomputed hash tables to reduce password cracking time and recover the plaintext password.

Many people are predictable and, as such, might use passwords that are easily guessed. Many times passwords are based on birthdays, anniversaries, a child’s name, or even a favorite pet. With the massive growth of the Internet and “Big Data” it is easy to use social engineering to find this information.

This makes password security an important topic for anyone studying access control. Many times a password is all that stands between an unauthorized user and account access. If you can’t make the change to a more robust form of authentication, you can implement controls to make passwords more robust. A few of these options are as follows:

Password length—Short passwords can be broken quickly via brute force attacks.

Password composition—Passwords should not be based on personal information or consist of common words or names. If you use cognitive information, you should make this information up during enrollment. Remember, your “real” information can be found on the Internet.

Password complexity—A combination of numbers, symbols, upper/lowercase letters, and so on should be used. As an example, a company might use a standard that requires passwords must be at least eight characters, two of which must be numbers and two of which must be uppercase letters. The company might also suggest using a combination of symbols and lowercase letters for the remaining characters.

Password aging—Unlike fine wine, passwords do not get better with age. Two items of concern are maximum age and minimum age. Maximum age is the longest amount of time a user can use a password. Minimum age defines the minimum amount of time the user must keep the password.

Password history—Authentication systems should track previous passwords so that users cannot reuse previous passwords.

Password attempts—Log-on attempts should be limited to a small number of times, such as three successive attempts. Applying this control is also called setting a clipping or threshold level. The result of a threshold or clipping event can be anything from a locking of the account to a delayed re-enabling of the account

Password storage—Use the strongest form of one-way encryption available for storage of passwords, and never store in cleartext.

If all this talk of passwords has left you feeling somewhat vulnerable, you may want to consider a passphrase. A passphrase is often a modified sentence or phrase like “Uaremy#1lady4l!fe.” After being entered into a computer system, it is converted into a virtual password. Passphrases function by having someone enter the phrase into the computer. Software converts, or hashes, that phrase into a stronger virtual password that is harder for an attacker to crack. Using a passphrase adds a second layer of protection and requires the passphrase to be used to access the secret key.

What country were you born in?

What department do you work for?

What is your pet’s name?

What is the model of your first car?

What is your mother’s maiden name?

If you answer all the questions correctly, you are authenticated. Cognitive passwords are widely used during enrollment processes and when individuals call help desks or request other services that require authentication. Cognitive passwords are not without their problems. For example, if your name is Sarah Palin and the cognitive password you’re prompted for by Yahoo! Mail is “What’s the name of your high school,” anyone who knows that fact or that you grew up in Wasilla, Alaska could probably figure out where you went to high school and easily access your account. The most common area that cognitive systems are used is in self-service password reset systems. Should you forget your password, you are prompted with several questions that were answered during registration to verify your authenticity. If you answer correctly, the password is emailed or sent to you to restore access.

One of the most common examples of type 2 authentication is a token. As an example, if you have been to a sports event lately, you most likely had to possess a token to enter the game. In this instance, the token was in the form of a ticket. In the world of network security, a token can be a synchronous token or an asynchronous token device. Tokens are widely used with one-time passwords (OTPs) or single-use passwords. These passwords change every time they are used. Thus, OTPs are often implemented with tokens.

Another great feature of token-based devices is that they can be used for two-factor authentication. Although physical tokens and key fobs can suffer from problems like battery failure and device failure, using tokens offers a much more secure form of authentication than using passwords.

These devices work as follows:

1. The computer generates a value and displays it to the user.

2. The value is entered into the token.

3. The user is prompted to enter a secret passphrase.

4. The token performs a computation on the entered value.

5. The new value is displayed on the LCD screen of the token device.

6. The user enters the displayed value into the computer for authentication.

7. The value is forwarded to an authentication server and compared to the value the authentication server is expecting.

Contact smart cards—When inserted into the reader, electrical contacts touch the card in the area of the integrated circuit (IC). These contacts provide power and a data path to the smart card.

Contactless smart card—When brought into the proximity of a reader, an embedded antenna provides power to the IC. When the correct PIN is entered into the smart card, processing can begin. Figure 8.3 shows an example of a generic smart card.

Memory cards are like smart cards but cannot process information. They must be used in conjunction with readers and systems that can process the data held on the memory card. One of the primary advantages of a memory card is that, unlike passwords, memory cards require the user to possess the card to perform authentication. An older form of a card token is the magnetic stripe card, established as a widely used standard in the 1970s. The magnetic stripe contains information used to authenticate the user. Care must be exercised in the storage of information on the magnetic card. Although cleartext should not be used, some credit cards still hold information in cleartext. Magnetic stripe readers are cheap and easy to use. Anyone possessing such a device and a PC can steal card information anywhere cards are used, such as at a restaurant or store. Memory cards typically hold a PIN that when activated by a computer system will pull authentication information from a database.

Digital certificates typically contain the following critical pieces of information:

Identification information that includes username, serial number, and validity dates of the certificates.

The public key of the certificate holder.

The digital signature of the signature authority. This piece is critical because it validates the entire package.

X.509 is the standard for digital signatures because it specifies information and attributes required for the identification of a person or a computer system. Version 3 is the most current. It is considered a secure process to store digital certificates in tokens.

Biometric authentication systems have been slow to mature because many individuals are opposed to the technology. Issues like privacy are typically raised. Some individuals see the technology as too much of a Big Brother technology. Individuals who are accustomed to quickly entering usernames and passwords are forced to be much more patient and allow the biometric system to gather multiple sets of biometric data. Issues like sanitization are can be a barrier because users often have to touch authentication devices, including but not limited to placing their face on or near a small device for the retina scan.

During the authentication process, the biometric system might not be able to collect enough data on the first reading to compare to the reference file in the authentication store. This could mean that the user must allow the biometric system to make two or more passes before authentication takes place. These technical barriers further reduce acceptance of the biometric system.

However, the need for greater security has led more companies to look at biometric authentication systems as a way to meet the need for stronger security. Biometric authentication offers the capability of unique authentication of every single person on the planet. Biometric systems work by recording information that is very minute and unique to every person.

When the biometric system is first used, the system must develop a database of information about the user. This is considered the enrollment period. When enrollment is complete, the system is ready for use. If an employee then places his or her hand on the company’s new biometric palm scanner, the scanner compares the ridges and creases found on the employee’s palm to the one identified as belonging to that individual in the device’s database. This process is considered a one-to-one match of the individual’s biometric data.

In reality, the user’s unique attribute value is converted into a binary value and then hashed before being stored in an authentication server. In organizations that implement strong security, a user may be authenticated with both biometrics and a username/password. This is to ensure if one layer of security fails the system or facility is still protected, following the defense-in-depth approach. Different biometric systems have varying levels of accuracy and sensitivity.

The attributes are measured by the percentage of Type I and Type II errors it produces.

Type I errors, known as the false rejection rate (FRR), are a measurement of the percentage of individuals who should have been but were not allowed access. Think of the FRR as the insult rate. It’s called that because valid users are insulted that they were denied access even though they are legitimate users.

Type II errors, known as the false acceptance rate (FAR), are the percentage of individuals or subjects are a measurement of the percentage who got in but should not have been allowed access. Consider a situation where I, the author of this book and not an employee of your organization, show up at your work site and attempt to authenticate to one of the company’s systems. If I were allowed in, that would be an example of a Type II error.

Together these two values can be used to determine the overall accuracy of the system. This is one of the primary ways to evaluate the accuracy of a biometric device. Suppose you have been asked to assess similar biometric devices. In this situation, the crossover error rate (CER) can be used to help guide you into selecting the best system for your organization. This is determined by mapping the point at which Type I errors equal Type II errors. Figure 8.4 depicts the CER. The lower the CER, the more accurate is the biometric system. For example, if system A has a CER of 4 and system B has a CER of 2, system B has the greater accuracy.

The following are some of the more common biometric authentication systems. These systems are listed in order of best response times and lowest error rates.

1. Palm scan—Analyzes characteristics associated with a user’s palm, such as the creases and ridges. If a match is found, the individual is allowed access.

2. Hand geometry—Another biometric system that uses the unique geometry of a user’s shape, length, and width of his or her fingers and hand to determine the user’s identity. It is one of the oldest biometric techniques.

3. Iris recognition—An eye-recognition system that is considered the most accurate biometric system because it has more than 400 points of reference when matching the irises of an individual’s eyes. These systems typically work by taking a picture of the iris and comparing it to one stored in a database.

4. Retina pattern—Another ocular-based technology that scans the blood vessels in the back of the eye. It requires users to place their eye close to the reader. Older systems used a cup-and-air technique that some users found invasive as you must put. The cup-and-air technique also raises the possibility of exchange of bodily fluids. Although retina-based biometric system are considered very accurate, drawbacks include the fact that the retina can change due to medical conditions like diabetes. Pregnancy can also cause subtle changes in the blood vessels of the retina. Because of the privacy concerns related to revealed medical conditions, retina scans are not readily accepted by users.

5. Fingerprint—Widely used for access control to facilities and items, such as laptops. It works by distinguishing up to 30 to 40 details about the peaks, valleys, ridges, and minutiae of the user’s fingerprint. However, many commercial systems limit the number that is matched to around eight to ten.

6. Facial recognition—Requires users to place their face in front of a camera. The facial scan device performs a mathematical comparison with the face prints (eigenfeatures) it holds in a database to allow or block access.

7. Voice recognition—Uses voice analysis for identification and authentication. Its main advantage is that it can be used for telephone applications, but it is vulnerable to replay attacks. Anyone that has seen the movie Sneakers might remember the line “Hi, my name is Werner Brandes. My voice is my passport. Verify me.”

Regardless of which of the previous methods is used, all biometric systems basically follow a similar usage pattern:

1. Users must first enroll into the system—Enrollment is not much more than allowing the system to take multiple samples for analysis and feature extraction. These features will be used later for comparison.

2. A user requests to be authenticated—A sample is obtained, analyzed, and features are extracted.

3. A decision is reached—A match of multiple features allows the user access, whereas a discrepancy between the sample and the stored features causes the user to be denied access.

Different biometric systems have varying levels of accuracy. For example, fingerprint-scanning systems base their accuracy on fingerprint patterns and minutiae. Fingerprint patterns include arches, loops, and whorls, whereas minutiae include ridge endings, bifurcations, and short ridges. These are found on the fingertips, as seen in Figure 8.5.

Although the number of minutiae varies from finger to finger, the information can be stored electronically in file sizes that are usually from 250 to 1,000 bytes. When a user logs in, the stored file containing the minutiae is compared to the individual’s finger being scanned.

Other considerations must be made before deploying a biometric system:

Employee buy-in—Users might not like or want to interact with the system. If so, the performance of the system will suffer. For example, a retina scan requires individuals to look into a cuplike device, whereas an iris scanner requires only a quick look into a camera.

Age, gender, or occupation of the user—Older users might find biometric devices too Big Brotherish; women might not like the idea that the company’s new retina scanner can be used to detect whether they are pregnant. Users who perform physical labor or work in an unclean environment might find fingerprint scanners frustrating.

The physical status of the user—Users who are physically challenged or disabled might find the eye scanners difficult to reach. Those without use of their hands or fingers will be unable to use fingerprint readers, palm scanners, or hand geometry systems.

If the user can use the biometric—Some users may not be able to use the biometric. For example, some people cannot have their fingerprints read. This can be genetic or based on the job the person does. For example, brick layers and bank tellers typically cannot use fingerprint readers because their fingerprints may be worn off.

A final consideration of biometrics is selection. With so many technologies, it takes a significant amount of effort to get the right system that meets user criteria and is technologically feasible. One tool that can aid in this task is the Zephyr chart. The International Biometric Group’s Zephyr Analysis provides a means of evaluating different biometric technologies. Two categories are defined as follows:

User Criteria—Effort and intrusiveness

Technology Criteria—Cost and accuracy

The decision to use strong authentication depends on your analysis of the value of the assets being protected. What are the dollar values of the assets being protected? What might it cost the organization in dollars, lost profit, potential public embarrassment, or liability if unauthorized access is successful?

Managing users is just the start of the process. Another area of concern is password management. Password management has forced organizations to develop different methods to address the access control needs of a complex world. Several techniques include the following:

Self-Service Password Reset—This approach allows users to reset their own password. For example, if you cannot access your LinkedIn account, their site allows you to reset your own password.

Assisted Password Reset—This method provides helpdesk and other authorized personnel a standardized mechanism to reset passwords. For example, Hitachi Systems makes a web portal product for just this application.

Password Synchronization—These systems are used to replicate a user’s password so that all systems are synchronized.

Any identity management systems must also consider account management. Account management should include the following:

How to establish, manage, and close accounts

Periodic account review

Periodic rescreening for individuals in sensitive positions

Typically, when an account is established a profile is created. Profile management is the control of information associated with an individual or group. Profiles can contain information like name, age, date of birth, address, phone number, and so on. Modern corporations have so much data to manage that systems like directory management are used. The idea is to simplify the management of data. One of the primary disadvantages of such systems is the integration of legacy systems. Mainframes, non-networked applications, and applications written in archaic languages like FORTRAN and COBOL make it more difficult to centrally manage users.

Another approach to the management of user access to multiple sites is federation. Federation is used in identity management systems to manage identity across multiple platforms and entities. Some of the directory standards used to ease user management are the X.500 standard, Lightweight Directory Access Protocol, and Active Directory.

Today’s systems are much more distributed than in the past and have a much greater reliance on the Internet. At the same time, there has been a move toward service-enabled delivery of services. There has also been a move to create web services that have a more abstract architectural style. This style, known as service-oriented architecture (SOA), attempts to bind together disjointed pieces of software. SOA allows for a company with distributed departments using different systems and services in different business domains to access services with security designed into the process. For example, suppose the legal department and the IT department provide different services on different systems and you want to have the legal department programs loaded on IT department systems. With the use of a web portal, the other department can access the service if required by employing Security Association Markup Language using HTTP.

A CISSP should have some knowledge of components of identity management, such as the following:

Web Services Security—WS Security is an extension to Simple Object Access Protocol (SOAP) and is designed to add security to web services.

XML—Years ago, hypertext markup language (HTML) dominated the web. Today, extensible markup language (XML) is the standard framework. XML is a standard that allows for a common expression of metadata. XML typically follows the SOAP standard.

SPML—Service Provisioning Markup Language is an XML-based framework that can be used to exchange access control information between organizations so that a user logged into one entity can have the access rights passed to the other.

Before you run out and decide to implement single sign-on at your organization, you should be aware that it is expensive, and if an attacker can authenticate, that attacker then has access to everything. Kerberos, SESAME, KryptoKnight (by IBM), NetSP (a KryptoKnight derivative), thin clients, directory services, and scripted access are all examples of authentication systems with operational modes that can implement single sign-on.

Ticket—Generated by the KDC and given to a principal for use in authenticating to another principal.

Realm—A domain consisting of all the principals for which the KDC provides security services; used to logically group resources and users.

Credentials—A ticket and a service key.

Principal—Can be a user, a process, or an application. Kerberos systems authenticate one principal to another.

The KDC is a service that runs on a physically secure server. The KDC consists of two components:

Authentication service—The authentication service issues ticket-granting tickets (TGTs) that are good for admission to the ticket-granting service (TGS). Before network clients can get tickets for services, they must obtain a TGT from the authentication service.

Ticket-granting service—Clients receive tickets to specific target services.

The basic operation of Kerberos, as depicted in Figure 8.6, is as follows:

1. The client asks the KDC for a ticket, making use of the authentication service.

2. The client receives the encrypted ticket and the session key.

3. The client sends the encrypted TGT to the TGS and requests a ticket for access to the application server. This ticket has two copies of the session key: One copy is encrypted with the client key, and the other copy is encrypted with the application server key.

4. The TGS decrypts the TGT using its own private key and returns the ticket to the client, granting it access to the application server.

5. The client sends this ticket, along with an authenticator, to the application server.

6. The application server sends confirmation of its identity to the client.

Although Kerberos can provide authentication, integrity, and confidentiality, it’s not without its weaknesses. One weakness is that Kerberos cannot guarantee availability. Some other weaknesses are as follows:

Kerberos is time-sensitive; therefore, it requires all system clocks to be closely synchronized.

The tickets used by Kerberos, which are authentication tokens, can be sniffed and potentially cracked.

If an attacker targets the Kerberos server, it can prevent anyone in the realm from logging in. It is important to note that the Kerberos server can be a single point of failure.

Secret keys are temporarily stored and decrypted on user workstations, making them vulnerable to an intruder who gets access to the workstation.

Kerberos is vulnerable to brute force attacks.

Kerberos may not be well-suited for large environments that have many systems, applications, users, and simultaneous requests.

SESAME uses Privilege Attribute Certificates (PACs). PACs contain the requesting subject’s identity, access capabilities of the subject, and life span of the subject requiring access. KryptoKnight by IBM and NetSP, a KryptoKnight derivative, are also SSO technologies, but are not widely deployed. Although you are unlikely to see these systems, you should know their names and that they are used for SSO if they happen to show up on the exam.

Discretionary access control (DAC)

Mandatory access control (MAC)

Role-based access control (RBAC)

These might not be concepts that you are used to thinking about; however, in reality these types of decisions are made early on in the design of an operating system. Consider the design of early Microsoft Windows products where the design of the operating system was peer-to-peer—this is much different from SUSE Linux 12.0. Let’s look at each model to further describe their differences.

These are the two primary components of a DAC:

File and data ownership—All objects within a system must have an owner. Objects without an owner will be left unprotected.

Access rights and permissions—These control the access rights of an individual. Variations exist, but a basic access control list (ACL) checks read, write, or execute privileges.

The ACL identifies users who have authorization to specific information. This is a dynamic model that allows data to be easily shared. As an example, I might inform my son that he may not download any more music from the Internet onto his computer upstairs. From my computer in the den, my son might simply deny me access to the folder he has been downloading music into to prevent me from accessing it to monitor his activities. This case demonstrates that DAC is much like a peer-to-peer network in that users are in charge of their own resources and data.

Table 8.1 shows a sample ACL, with columns defining access to objects. A subject’s capabilities refers to a row within the matrix, and describe what actions can be taken on which objects. A subject’s capabilities refer to a row within the matrix and reference what action can be taken.

You can think of capabilities as the actions that a specific user can perform within the access matrix. DAC controls are based upon this matrix, and you can think of it as a means to establish access permission of a subject to an object.

Although the data owner can create an ACL to determine who has access to a specific object, mistakes can lead to a loss of confidentiality, and no central oversight exists as in other more restrictive models.

The MAC model is typically used by organizations that handle highly sensitive data, such as the Department of Defense, NSA, CIA, and FBI. Examples of MAC systems include SELinux, among others. Systems based on the MAC model use clearance on subjects, and mark objects by sensitivity label. For example, the military uses the clearances of top secret, secret, confidential, sensitive but unclassified (SBU), and unclassified. (See Chapter 2, “Logical Asset Security,” for a more in-depth discussion of government data classification.) Terms that you will need to know to understand this model include:

Objects—Passive entities that provide data or information to subjects.

Subjects—Active entities that can be a user, system, program, or file.

When a subject attempts to access an object, the object’s label is examined for a match to the subject’s level of clearance. If no match is found, access is denied. This model excels at supporting the need-to-know concept. Here is an example: Jeff wants to access a top secret file. The file is labeled “top secret, Joints Chiefs of Staff (JCS).” Although Jeff has top secret clearance, he is not JCS; therefore, access is denied. In reality, it is a little more complicated than the previous example details, but remember that the CISSP exam is considered a mile wide and an inch deep.

Clearance—Determines the type of information a user can access.

Category—Applied to objects and used to silo information.

Sensitivity Labels—Used to classify information. As previously mentioned, the U.S. military uses the labels of Top Secret, Secret, Confidential, Sensitive but Unclassified (SBU), and Unclassified.

For the exam, you should know that MAC systems can be hierarchical, compartmentalized, or hybrid. Hierarchical designs work by means of classification levels. Each level of the hierarchy includes the lower levels as well. As an example, in a hierarchical system, Dwayne might be cleared for “top secret” and as such can also view “secret” and “confidential” information because those are less sensitive. If Dwayne was authorized to access only “confidential” data, however, he would not be able to read up to higher levels like “secret.” Compartmentalized objects require clearance from a specific domain or group like the Department of Homeland Security.

In a compartmentalized system, there is the ability to separate data into separate categories. As an example, Dwayne, who works for the Department of Defense, would not be able to read documents cleared for the State Department; therefore, Dwayne has a Top Secret - Sensitive Compartmented Information Clearance (TS-SCI). The military would be exercising a MAC system with least privileges to ensure that because Dwayne has TS, he has only the necessary access required to complete his job.

A hybrid design combines elements of both hierarchical and compartmentalized.

Important items to know about the MAC model include:

It’s considered a need-to-know system.

It has more overhead than DAC.

All users and resources are assigned a security label.

RBAC is well-suited to organizations that have a high turnover rate. Assigning access rights and privileges to a group rather than an individual reduces the burden on administration. How RBAC is implemented is up to the individuals designing the operating system. For RBAC to work, roles within the organization must be clearly defined by policy.

Your organization might decide to use static separation of duty (SSD). SSD dictates that the member of one group cannot be the member of another group. Let’s say Mike is a member of the network administrators group. If that is true, Mike cannot also be a member of the security administrators group or the audit group. For SSD to work, roles must clearly be defined to see where conflicts exist within the organization.

Another design is dynamic separation of duties (DSD). DSD dictates that a user cannot combine duties during any active session. Let’s say Mike is a member of the audit group and audit management group. If Mike logs on to perform an audit test, he does not have management rights. If Mike logs on under the audit management group, he cannot perform an audit test.

An example of separation of duties is shown in Table 8.2.

Finally, there is task-based access control (TBAC). TBAC is similar to RBAC but instead of being based on roles it uses tasks. TBAC is based on tasks so that the allowed duties are based around the types of tasks a specific individual would perform. A good example of this can be seen when you access a Windows Server 2012. In the user administration group, you will see some predefined profiles, such as print manager, backup manager, and power user. The access assigned to each of these is based on the types of tasks that individual would perform.

1. Intercepting each request

2. Comparing it to the level of authorization

3. Making a decision

For instance, a router may use a rule-based ACL that might have permissions set to allow web traffic on port 80 and deny Telnet traffic on port 23. These two basic rules define the ACL. ACLs are tied to objects. Permissions can be assigned in three different ways: explicitly, implicitly, or inherited. ACLs have an implicit deny all statement that is the last item processed. A sample Cisco-formatted ACL is shown here with both allow (permit) and deny statements:

Click here to view code image

no access-list 111
access-list 111 permit tcp 192.168.13.0 0.0.0.255 any eq www
access-list 111 deny tcp any any eq telnet
access-list 111 deny icmp any any
interface ethernet0
ip access-group 111 in

Content-dependent access control (CDAC) is based on the content of the resource. CDAC is primarily used to protect databases that contain potentially sensitive data. CDAC is also used to filter out unauthorized traffic and is typically used by proxies or the firewall. As an example, you may be able to log in to the company SharePoint page and see the number of days you will be expected to travel next month, yet you are unable to see when or where the CEO will be traveling during the same period.

Finally, there is lattice-based access control (LBAC). This MAC-based model derivative functions by defining the least upper and greatest lower bound The upper bound is called a join, and a lower bound is called a meet. This information flow model deals with access in complex situations. The lattice model allows access only if the subject’s capability is greater than or equal to that of the object being accessed. For example, Figure 8.7 demonstrates these boundaries. If you were cleared for secret access, you could read the level below, which is confidential.

One entity makes all access decisions.

Owners decide what users can access, and the administration supports these directives.

Consider old-school dialup. CNET reports that as of 2015 up to 2 million people still pay for it. There is most likely a certain amount of churn each month. The ISP might have many users sign up or leave each billing cycle. Centralized access control gives the ISP an easy way to manage this task. Users who do not pay can be denied access from one centralized point and those users who are paid up can be authenticated and allowed access to the Internet. Users are typically authenticated with one of the following authentication protocols:

Password Authentication Protocol (PAP)—Uses a two-way handshake to authenticate a peer to a server when a link is initially established, but is considered weak because it transmits passwords in cleartext. PAP also offers no protection from replay or brute force attacks.

Challenge Handshake Authentication Protocol (CHAP)—Uses a one-way hash function and a handshake to authenticate the client and the server. This process is performed when a link is initially established and may be repeated at defined intervals throughout the session. Although better than PAP, it is susceptible to replay attacks.

MS-CHAPv2—An authentication method that has been extended to authenticate both the client and the server. MS-CHAPv2 also uses stronger encryption keys than CHAP and MS-CHAP.

Extensible Authentication Protocol (EAP)—A framework that allows for more than just your standard username and password authentication by implementing various authentication mechanisms, such as MD5-challenge, token cards, and digital certificates.

RADIUS is also used for wireless LAN authentication. The IEEE designed EAP to easily integrate with RADIUS to authenticate wireless users. The wireless user takes on the role of the supplicant, and the access point serves as the client. RADIUS uses the following UDP ports.

UDP port 1812 for authentication and authorization services

UDP port 1813 for accounting of RADIUS services

If the organization has an existing RADIUS server that’s being used for remote users, it can be put to use authenticating wireless users, too.

RADIUS functions are as follows (see Figure 8.8):

1. The user connects to the RADIUS client.

2. The RADIUS client requests credentials from the user.

3. The user enters credentials.

4. The RADIUS client encrypts the credentials and passes them to the RADIUS server.

5. The RADIUS server then accepts, rejects, or challenges the credentials.

6. If the authentication was successful, the user is authenticated to the network.

There are some major differences between RADIUS and TACACS+. Where RADIUS only encrypts the password sent between the client and the server, TACACS+ encrypts all the information. TACACS+ also allows for more administration and has more AVPs because it can split up the AAA protocols. Where RADIUS uses UPD, TACACS+ uses TCP.

Diameter is designed to use two protocols. The first is the base protocol that is used to provide secure communication between Diameter devices, and enables various types of information to be transmitted, such as headers, security options, commands, and AVPs.

The second protocol is really a set of extensions. Extensions are built on top of the base protocol to allow various technologies to use Diameter for authentication. This component is what interacts with other services, such as VoIP, wireless, and cell phone authentication. In a world of the Internet of Things, Internet of Everywhere, and System of Systems, where organizations are subscribing to “BYOD,” and all the intelligence is at the edge of the network and growing, Diameter creates the way forward for authentication of these devices into the organization’s network. It provides granular access and authorization beyond what an active directory domain controller can do.

Finally, Diameter is not fully backward-compatible with RADIUS, but there are several options for upgrading RADIUS component communication paths.

Characteristics of a decentralized system include the following:

Gives control to individuals closer to the resource, such as department managers and occasionally users

Maintains multiple domains and trusts

Does not use one centralized entity to process access requests

Used in database-management systems (DBMS)

Peer-to-peer in design

Lacks standardization and overlapping rights, and might include security holes

Although auditing is used only after the fact, it can help detect suspicious activity or identify whether a security breach has taken place. For example, security administrators often review logs for failed log-on attempts only, whereas successful log-ons hurt most and can show you who is in the network but should not be. One example might be if Mike, who works Monday through Friday, 9 to 5, in Houston has been logging in Sundays from 12 to 9 p.m. from San Jose. Maybe Mike is on vacation but there is also the possibility someone is using his account. Since he has a valid user account, it does not raise an alarm.

Accountability must be maintained for network access, software usage, and data access. In a high-security environment, the level of accountability should be substantial, and users should be held responsible by logging and auditing their activities.

Good practice dictates that audit logs are transmitted to a remote centralized site. Centralized logging makes it easier for the person assigned the task to review the data. Exporting the logs to a remote site also makes it harder for hackers to erase or cover their activity. If there is a downside to all this logging, it is that all the information must be recorded and reviewed. A balance must be found between collecting audit data and maintaining a manageable log size. Reviewing it can be expedited by using audit reduction tools. These tools parse the data and eliminate unneeded information. Another useful tool is a variance detection tool. These tools look for trends that fall outside the realm of normal activity. As an example, if an employee normally enters the building around 7 a.m. and leaves about 4 p.m. but is seen entering at 3 a.m., a variance detection tool would detect this abnormality.

An IDS can be configured to scan for attacks, track a hacker’s movements, alert an administrator to ongoing attacks, and highlight possible vulnerabilities that need to be addressed. The key to what type of activity the IDS will detect is dependent on where the intrusion sensors are placed. This requires some consideration because, after all, a sensor in the DMZ will work well at detecting misuse there but will prove useless against attackers inside the network. Even when you have determined where to place sensors, they still require specific tuning. Without specific tuning, the sensor will generate alerts for all traffic that matches given criteria, regardless of whether the traffic is indeed something that should generate an alert. An IDS must be trained to look for suspicious activity. That is why I typically tell people that an IDS is like a 3-year-old. They require constant care and nurturing, and don’t do well if left alone.

A huge problem with intrusion detection systems is that they are after-the-fact devices—the attack has already taken place. Other problems with IDS are false positives and false negatives. False positives refer to when the IDS has triggered an alarm for normal traffic. For example, if you go to your local mall parking lot, you’re likely to hear some car alarms going off due to reasons other than car theft. These car alarms are experiencing false positives. False positives are a big problem because they desensitize the administrator. False negatives are even worse. A false negative occurs when a real attack occurs; however, the IDS does not pick it up.

IDS systems can be divided into two basic types: network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).

They monitor network traffic in real time.

They analyze protocols and other relevant packet information.

They integrate with a firewall and define new rules as needed.

When used in a switched environment, they require the user to perform port spanning and/or port mirroring.

They send alerts or terminate an offending connection.

When encryption is used, a NIDS will not be able to analyze the traffic.

HIDS consume some of the host’s resources.

HIDS analyze encrypted traffic.

HIDS send alerts when unusual events are discovered.

HIDS are in some ways just another application running on the local host that is subject to attack.

Signature-based engines rely on a database of known attacks and attack patterns. This system examines data to check for malicious content, which could include fragmented IP packets, streams of SYN packets (DoS), or malformed Internet Control Message Protocol (ICMP) packets. Any time data is found that matches one of these known signatures, it can be flagged to initiate further action. This might include an alarm, an alert, or a change to the firewall configuration. Although signature-based systems work well, their shortcoming is that they are only as effective as their most current update. Any time there is a new or varied attack, the IDS will be unaware of it and will ignore the traffic. The two subcategories of signature-based systems include the following:

Pattern-based—Looks at specific signatures that packets are compared to. The open-source IDS Snort started as a pattern-matching IDS.

State-based—A more advanced design that has the capability to track the state of the traffic and data as it moves between host and target.

A behavioral-based IDS observes traffic and develops a baseline of normal operations. Intrusions are detected by identifying activity outside the normal range of activities. As an example, if Mike typically tries to log on only between the hours of 8 a.m. and 5 p.m., and now he’s trying to log on 5,000 times at 2 a.m., the IDS can trigger an alert that something is wrong. The big disadvantage of a behavior-based IDS system is that an activity taught over time is not seen as an attack, but merely as normal behavior. These systems also tend to have a high number of false positives.

The three subcategories of anomaly-based systems include the following:

Statistical-based—Compares normal to abnormal activity.

Traffic-based—Triggers on abnormal packets and data traffic.

Protocol-based—Possesses the capability to reassemble packets and look at higher-layer activity. If the IDS knows the normal activity of the protocol, it can pick out abnormal activity. Protocol-decoding intrusion detection requires the IDS to maintain state information. As an example, DNS is a two-step process; therefore, if a protocol-matching IDS sees a number of DNS responses that occur without a DNS request having ever taken place, the system can flag that activity as cache poisoning.

An anomaly-based IDS often compares the behavior of a protocol against what the RFC states. For example, it will look at how the flags in a TCP packet are set at the beginning start up session—the SYN flag should be set to 1. In contrast, a behavioral-based IDS will look at system or environment performance that would be considered normal, such as “Mike typically tries to log on only between the hours of 8 a.m. and 5 p.m., and now he’s trying to log on 5,000 times at 2 a.m.” This required the IDS to go through a learning phase to catch this anomaly. The military has been using this for years to monitor their employees.

A rule-based IDS involves rules and pattern descriptors that observe traffic and develop a baseline of normal operations. Intrusions are detected by identifying activity outside the normal range. This expert system follows a four-phase analysis process:

1. Preprocessing

2. Analysis

3. Response

4. Refinement

All IDS systems share some basic components:

Sensors or Agents—Detect and send data to the system. Place the sensor where you want to monitor traffic. On a HIDS, there can be many agents that report back to a server in a large environment.

Central monitoring system—Processes and analyzes data sent from sensors.

Report analysis—Offers information about how to counteract a specific event.

Database and storage components—Perform trend analysis and store the IP address and information about the attacker.

Response box—Inputs information from the previously listed components and forms an appropriate response.

Infrastructure-based NAC—Requires an organization to upgrade its hardware and/or operating systems.

Endpoint-based NAC—Requires the installation of software agents on each network client. These devices are then managed by a centralized management console.

Hardware-based NAC—Requires the installation of a network appliance. The appliance monitors for specific behavior and can limit device connectivity should noncompliant activity be detected.

This acceptable use policy defines the boundaries of the acceptable use of this organization’s systems and resources. Access to any company system or resources is a privilege that may be wholly or partially restricted without prior notice and without consent of the user. In cases of suspected violations or during the process of periodic review, employees can have activities monitored. Monitoring may involve a complete keystroke log of an entire session or sessions as needed to vary compliance to company polices and usage agreements.

Unfortunately, key logging is not just for the good guys. Hackers can use the same tools to monitor and record an individual’s activities. Although an outsider to a company might have some trouble getting one of these devices installed, an insider is in a prime position to plant a keystroke logger. Keystroke loggers come in two basic types:

Hardware keystroke loggers are usually installed while users are away from their desks and are completely undetectable, except for their physical presence. Just take a moment to consider when you last looked at the back of your computer. Even if you see it, a hardware keystroke loggers can be overlooked because it resembles a balun or dongle. These devices are even available in wireless versions that can communicate via 802.11b/g/n/ac and Bluetooth. You can see one example at www.wirelesskeylogger.com/products.php.

Software keystroke loggers sit between the operating system and the keyboard. Most of these software programs are simple, but some are more complex and can even email the logged keystrokes back to a preconfigured address. What they all have in common is that they operate in stealth mode and can grab all the text, mouse clicks, and even all the URLs that a user enters.

A. DAC

B. LBAC

C. RBAC

D. MAC

2. Which of the following biometric systems would be considered the most accurate?

A. Retina scan CER 3

B. Fingerprint CER 4

C. Keyboard dynamics CER 5

D. Voice recognition CER 6

3. What are the two primary components of a DAC?

A. Access rights and permissions, and security labels

B. File and data ownership, and access rights and permissions

C. Security labels and discretionary access lists

D. File and data ownership, and security labels

4. You have been hired as a contractor for a government agency. You have been cleared for secret access based on your need to know. Authentication, authorization, and accountability are also enforced. At the end of each week, the government security officer for whom you work is tasked with the review of security logs to ensure only authorized users have logged into the network and have not attempted to access unauthorized data. The process of ensuring accountability for access to an information system included four phases. What is this an example of?

A. Identification

B. Accountability

C. Authorization

D. Authentication

5. When registering for a new service, you were asked the following questions: “What country were you born in? What’s your pet’s name? What is your mother’s maiden name?” What type of password system is being used?

A. Cognitive

B. One-time

C. Virtual

D. Complex

6. Mark has just completed his new peer-to-peer network for the small insurance office he owns. Although he will allow Internet access, he does not want users to log in remotely. Which of the following models most closely match his design?

A. TACACS+

B. MAC

C. RADIUS

D. DAC

7. Which of the following is the best answer: TACACS+ features what?

A. One-factor authentication

B. Decentralized access control

C. Two-factor authentication

D. Accountability

8. A newly hired junior security administrator will assume your position temporarily while you are on vacation. You’re trying to explain the basics of access control and the functionality of rule-based access control mechanisms like ACL. Which of the following best describes the order in which an ACL operates?

A. ACLs apply all deny statements before allow statements.

B. Rule-based access control and role-based access control is basically the same thing.

C. ACLs end with an implicit deny all statement.

D. ACLs are processed from the bottom up.

9. RADIUS provides which of the following?

A. Authorization and accountability

B. Authentication

C. Authentication, authorization, and accountability

D. Authentication and authorization

10. Which of the following is the best description of a situation where a user can sign up for a social media account such as Facebook, and then use their credentials to log in and access another organization’s sites, such as Yahoo?

A. Transitive trust

B. Federated ID

C. Non-transitive trust

D. Single sign-on

11. What type of attack targets pronounceable passwords?

A. Brute-force attacks

B. Dictionary attacks

C. Hybrid attacks

D. Rainbow tables

12. Which of the following represents the best method of password storage?

A. A cleartext file

B. Symmetric encryption

C. A one-way encryption process

D. An XOR process

13. Which access control model makes use of a join and a meet?

A. Rule-based access control

B. MAC

C. DAC

D. Lattice

14. Which of the following access control models is commonly used with firewall and edge devices?

A. Rule-based access control

B. MAC

C. DAC

D. Lattice

15. Because of recent highly publicized hacking news reports, senior management has become more concerned about security. As the senior security administrator, you are asked to suggest changes that should be implemented. Which of the following access methods should you recommend if the method is to be one that is primarily based on pre-established access, can’t be changed by users and works well in situations where there is high turnover?

A. Discretionary access control

B. Mandatory access control

C. Rule-based access control

D. Role-based access control

2. A. The lower the CER, the better; retina scan CER 3 (answer A) is correct. Fingerprint CER 4 (answer B), keyboard dynamics CER 5 (answer C), and voice recognition CER 6 (answer D) are incorrect because they have higher CERs. The CER is determined by combining Type I and Type II errors.

3. B. The two primary components of a DAC are file and data ownership, and access rights and permissions. With file and data ownership, all objects within a system must have an owner. Objects without an owner will be left unprotected. Access rights and permissions control the access rights of an individual. Variation exists, but a basic access control list checks read, write, and execute privileges. Answers A, C, and D are incorrect.

4. B. The four key areas of identity and access management are identification, authentication, authorization, and accountability. The fact that the security officer is reviewing the logs for accuracy is a form of accountability. Therefore, answers A, C, and D are incorrect.

5. A. Cognitive passwords are widely used during enrollment processes, when individuals call help desks, or when individuals request other services that require authentication. All other answers are incorrect: One-time passwords (answer B) are associated with tokens, virtual passwords (answer C) are a form of passphrase, and the question does not describe a complex password (answer D).

6. D. The discretionary access control (DAC) model is so named because access control is left to the owner’s discretion. This can be thought of as being similar to a peer-to-peer computer network. All other answers are incorrect: A MAC model (answer B) is static and based on a predetermined list of access privileges, and both TACACS+ (answer A) and RADIUS (answer C) are used for remote access and do not properly address the question.

7. C. TACACS+ features two-factor authentication. All other answers are incorrect: TACACS+ offers more than one-factor authentication (answer A); it is a centralized, not decentralized, access control system (answer B); and although it offers accountability (answer D), it also offers authorization.

8. C. ACLs have an implicit deny all statement. As an example, if the ACL only had the one statement “Deny ICMP any, any,” ICMP would be denied; however, the implicit “deny all” would block all other traffic. Answers A and D are incorrect as ACLs are processed from top to bottom. Answer B is incorrect because rule-based access control and role-based access control are not the same thing.

9. C. RADIUS provides three services: authentication, authorization, and accountability. RADIUS facilitates centralized user administration and keeps all user profiles in one location that all remote services share. Answers A, B, and D are incorrect because they do not fully answer the question.

10. B. Federation is an arrangement that can be made among multiple enterprises (such as Facebook and Yahoo) that lets subscribers of one service use the same identification/authentication credentials to gain access to the second organization’s resources. It differs from single sign-on (SSO) in that SSO is used within a single organization. Examples of SSO include Kerberos and SESAME. Answers A and C are incorrect as a transitive trust is a two-way relationship automatically created between parent and child domains, and a non-transitive trust is a trust that will not extend past the domains it was created with. Both of these terms are directly associated with Microsoft operating systems.

11. B. Dictionary attacks target pronounceable passwords. Brute-force attacks (answer A), hybrid attacks (answer C), and rainbow tables (answer D) are all used to target any password combination for A–Z, 0–9, special characters, or any combination.

12. C. The best way to store passwords is by means of a one-way process. This one-way process is also known as hashing, and is used by operating systems like Microsoft Windows and Linux. A cleartext file (answer A) can be easily exposed. Symmetric encryption (answer B) would allow the process to be easily reversed by anyone with a key. An XOR process (answer D) would only obscure the password and not provide any real protection.

13. D. The lattice model makes use of a join and a meet. The lattice-based access control model (LBAC) is considered a complex model used to manage the interaction between subjects and objects. Answers A, B, and C are incorrect as they do not use these terms.

14. A. Rule-based access control is used with firewalls and routers. RBAC is based on a specific set of rules, much like a router ACL. Answer B, MAC, makes use of labels and is well suited for high-security environments. Answer C, DAC, describes discretionary control, and answer D, lattice, is a complex model that makes use of upper and lower bounds.

15. D. Role-based access control (RBAC) allows specific people to be assigned to specific roles with specific privileges. It allows access to be assigned to groups and works well where there are high levels of turnover. Answers A, B, and C do not meet that description.

Honeypot resources: www.honeypots.net

Getting a grip on access control: www.owasp.org/index.php/Access_Control_Cheat_Sheet

Performance metrics for biometrics: www.biometric-solutions.com/index.php?story=performance_biometrics

Federated Identity: msdn.microsoft.com/en-us/library/aa479079.aspx

Differences between Kerberos and SESAME: cadse.cs.fiu.edu/corba/corbasec/faq/multi-page/node148.html

Comparison of Biometric Methods: mms.ecs.soton.ac.uk/2011/papers/4.pdf

RADIUS best practices: msdn.microsoft.com/en-us/library/bb742489.aspx