Exam cram

This section revises the concepts discussed in the previous four chapters, that is, chapters eleven through fourteen. They are provided as bullet-point snippets that are easy to revise, for quick revision and reinforcement of the knowledge learned:

CISSP CBK Domain #5 – identity and access management

The following bullet points are in an exam cram format for a quick revision. They cover important points from the identity and access management domain. The covered topics include physical and logical access to assets, Identity Management principles and implementation, identity as a service, third-party identity services, access management, authorization mechanisms, identity and provisioning life cycle, and preventing or mitigating access control attacks:

  • The overall process of facilitating and managing identities and controlling access to assets while ensuring information security is termed identity and access management (IAM).
  • The identity and access management domain can further be subdivided into two interrelated management activities: identity management and access management.
  • Identity and access management consists of four distinctive principles and practices. They are Identification, Authentication, Authorization, and Accountability.
  • Authentication, Authorization, and Accountability are together referred to as the Triple A of Access Control.
  • Identity management includes some or all of the following:
    • The enrollment of user identifiers.
    • The provisioning of user identities to different systems.
    • Updating all associated accounts whenever there is a change in user information.
    • Deprovisioning user accounts that are no longer required, for example when a user no longer needs access or has retired.
  • When software is delivered as a service over the Internet cloud, it is generically termed Software as a Service (SaaS).
  • When identity and access management applications and associated services are delivered through subscription-based cloud models, they are termed Identity as a Service (IDaaS).
  • Access management is facilitated through authentication and authorization processes.
  • The access management layer also consists of accountability mechanisms, such as logging and monitoring activities.
  • The primary concepts in access control are the subject and the object.
  • A subject may be a person, process, or technology component that either seeks access or controls the access.
  • An object can be a file, data, physical equipment, or premises that needs controlled access.
  • Controlling access to the object by a subject is the core requirement of access control.
  • If access to an object is controlled based on certain contextual parameters such as location, time, sequence of responses, access history and more, then it is known as context-dependent access control.
  • If the access is provided based on the attributes or content of an object, then it is called content-dependent access control.
  • Access control models define methods by which a system controls the access to the object by a subject.
  • Discretionary access control is one in which the subject has some authority to specify the objects that are accessible to them. An access control list (ACL) is an example of discretionary access control.
  • When access to the object is based on certain rules, then it is called Rule-Based Access Control (RBAC).
  • When the access is controlled based on mandatory rules, then it is known as Mandatory Access Control (MAC).
  • If a centralized authority controls the access based on a specific policy, then the same is referred to as non-discretionary access control.
  • A Role-Based Access Control (RBAC) is a non-discretionary access control based on the subject's role or position in the organization.
  • A task-based access control is based on a subject's responsibilities in the organization.
  • Lattice-based access control is one in which a pair of values determines the access rights.
  • Decentralized access control, or distributed access control, is where the core access control functions are distributed over a network.
  • Identity and access management consists of two distinctive activities:
    • One is related to the identification of the subject by the system.
    • The other is authentication and authorization, which is the system's ability to validate the credential supplied by the subject and determine access levels.
  • When an entity (subject) is validated against a single credential, then it is called a one-factor authentication and generally uses the what you know principle.
  • When an entity (subject) is validated against two different credentials, then it is called a two-factor authentication and generally uses the what you have principle.
  • When an entity (subject) is validated against two or more different credentials, then it is called a multifactor authentication and generally uses the what you are principle.
  • Authorization is a process of determining the levels of access a subject may have on the object.
  • In the identity and provisioning life cycle, there are two distinctive activities. One is user management and the other is system or application access.
  • Many attacks are attributed to the compromise of access control systems and processes in order to gain unauthorized access.
  • Backdoors are unauthorized open ports created by malicious programs that allow an unauthorized entity to gain access to the system.
  • Denial-of-Service (DoS) is a type of attack wherein legitimate users of the system are prevented from access by disrupting its availability.
  • A Distributed Denial-of-Service (DDoS) is a type of attack where multiple systems attack a single resource from distributed locations.
  • Hijacking is an attack in which the session established by the client to the server is taken over by the malicious person or process.
  • Man-in-the-Middle attack is a type of attack where an attacker hijacks the established session of a client to the server by impersonating a client.
  • TCP hijacking is a type of attack in which the TCP session of the trusted client to the server is hijacked by an attacker.
  • Malicious code executes itself on the client machine and compromises its security.
  • A Trojan horse is one type of malicious code that comes disguised inside a trusted program.
  • When a Trojan horse is activated by a particular event (such as a particular date), it is called a logic bomb.
  • Malicious mobile code is code that is delivered over the network from a remote server and executed on the client system.
  • Password guessing is an attack that uses various methods to obtain user passwords.
  • Dictionary attacks are a type of password-guessing attack that tests the words found in a dictionary against the encrypted password database.
  • Brute force attacks attack the password database by trying all possible combinations of letters and characters.
  • Hybrid attacks combine the dictionary as well as brute force attacks.
  • Replay attacks are those in which a session (such as an authentication exchange) is captured and replayed against the system.
  • Scanning is an attack used to probe the network and systems to identify vulnerabilities in preparation for a possible attack.
  • Vulnerability exploitation is a way of attacking systems by exploiting holes or errors in the operating system or application software to gain access or bypass security controls.
  • Spoofing is a type of attack used to imitate a trusted entity, thereby making the system trust this imitated entity.
  • Social engineering is a type of attack used to obtain credential information, such as passwords and PINs, using social skills such as impersonation and fake e-mails.
  • In identity and access management, accountability aspects play a major role in establishing preventive, detective, and corrective controls against access control attacks.
  • Accountability, in simple terms, can be defined as monitoring the activities of the authorized user.
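As an added example (not from the book), the following Python script decides one request under three of the models listed above: discretionary control via an owner-maintained ACL, mandatory control via lattice labels (a level paired with compartments), and role-based control via a role table. The subjects, roles, labels and the no-read-up/no-write-down rule used for MAC are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # MAC sensitivity order

@dataclass(frozen=True)
class Label:
    """Lattice label: the pair (sensitivity level, set of compartments)."""
    level: str
    compartments: frozenset = frozenset()
    def dominates(self, other):
        # Lattice order: level at least as high AND compartments a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass
class Subject:
    name: str
    clearance: Label
    roles: frozenset = frozenset()

@dataclass
class Obj:
    owner: str
    classification: Label
    acl: dict = field(default_factory=dict)  # DAC: subject name -> permissions

ROLE_PERMS = {"auditor": {"read"}, "admin": {"read", "write"}}  # RBAC table
def dac_allows(subj, obj, perm):
    # Discretionary: the owner decides, by editing the object's ACL.
    return subj.name == obj.owner or perm in obj.acl.get(subj.name, set())

def mac_allows(subj, obj, perm):
    # Mandatory: labels decide. Read needs clearance to dominate the object
    # label (no read up); write needs the reverse (no write down).
    if perm == "read":
        return subj.clearance.dominates(obj.classification)
    return obj.classification.dominates(subj.clearance)

def rbac_allows(subj, obj, perm):
    # Non-discretionary: the permission comes from the role, not the user.
    return any(perm in ROLE_PERMS.get(r, set()) for r in subj.roles)

def evaluate(subj, obj, perm):
    # Same request under each model, so the answers can be compared side by side.
    return {m: f(subj, obj, perm) for m, f in
            (("DAC", dac_allows), ("MAC", mac_allows), ("RBAC", rbac_allows))}

# Constructed sample: alice owns a secret file; bob (confidential, auditor) has ACL read.
SECRET = Label("secret", frozenset({"finance"}))
alice = Subject("alice", SECRET, frozenset({"admin"}))
bob = Subject("bob", Label("confidential"), frozenset({"auditor"}))
payroll = Obj("alice", SECRET, acl={"bob": {"read"}})
```

Running `evaluate(bob, payroll, "read")` shows the divergence the models are defined by: the owner's ACL and bob's role both say yes, but the mandatory label check says no, and a mandatory denial cannot be overridden at the owner's discretion.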
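As another added example (again not from the book), this Python detector illustrates the accountability side of the points on password guessing and monitoring above: it parses constructed auth-log lines and flags the burst of failures that a dictionary or brute-force attempt leaves behind, escalating when a successful login follows the burst. The log line format, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like auth-log shape (not real data):
# five failures in ten seconds, then a success, then two slow failures elsewhere.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:07 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:11 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.2
2024-05-01T10:20:00 sshd: Failed password for bob from 198.51.100.2
"""
LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "result": result,
                           "user": user, "src": src})
    return events

def detect_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on (source, user) pairs with `threshold` failures inside `window`;
    success_after marks a burst followed by an accepted login, the case to escalate."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["src"], ev["user"])].append(ev)
    alerts = []
    for (src, user), evs in by_key.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        # Slide a window of `threshold` failures along the sorted timestamps.
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                alerts.append({"src": src, "user": user, "failures": len(fails),
                               "success_after": any(e["result"] == "Accepted"
                                                    and e["ts"] > burst_end
                                                    for e in evs)})
                break  # one alert per (source, user) pair is enough
    return alerts
```

The two slow failures for bob stay below the threshold, which is the trade-off a monitoring rule always makes between catching guessing early and alerting on ordinary typos.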

CISSP CBK Domain #6 – security assessment and testing

The following bullet points are presented in an exam cram format for a quick revision. They cover important points from the security assessment and testing domain. The covered topics include security assessment and testing strategies, security control testing, designing and validating assessment and testing strategies, security testing tools, methods and techniques, and evaluating the effectiveness of controls:

  • Risk management involves assessment and testing pertaining to security.
  • Security assessment and testing is carried out based on suitably designed assessment and test strategies.
  • Security assessment and test strategies are administrative controls that provide processes and procedures to operate and continually assess the effectiveness of controls.
  • Security assessment and test strategies are based on risk to assets.
  • Information security standards, legal-regulatory frameworks, and best practice recommendations provide baseline requirements for security assessments and expected test outcomes.
  • Vulnerability tests and assessments are performed to ascertain the presence of technical vulnerabilities or some kind of weakness in systems.
  • When an identified vulnerability is not published by the application vendor, then it is called a zero-day vulnerability.
  • When exploit code is published by security or malicious groups before the vendor releases a patch, it is called a zero-day exploit.
  • Penetration testing is often performed to ascertain break-in possibilities in systems.
  • In black-box testing, the network and application details are unknown to the tester.
  • In white-box testing, the network and application infrastructure is provided to the tester, including configuration details.
  • Grey-box testing can be considered a combination of black-box and white-box testing. In this scenario, some information about the infrastructure is known.
  • Log reviews are a part of monitoring activities.
  • Logs reveal a trail of transactions or activities that have taken place and, in real-time monitoring scenarios, activities as they are going on.
  • Synthetic transactions are generally used for performance monitoring, and hence, they are directly associated with the availability tenet of the information security triad.
  • Stress tests are performed to test the robustness of the operational capabilities.
  • A Denial-of-Service (DoS) test is used to check the availability of a service under different conditions, such as multiple simultaneous requests.
  • Load tests are performed to simulate the performance of an application under load.
  • Concurrency tests are performed to test the application with concurrent user activity.
  • Latency tests check the round-trip time of a request response.
  • Code review and testing involves testing the source code of an application for the presence of technical vulnerabilities as well as performance and logical issues.
  • A manual code review is performed to check for any logical errors based on the application's structure.
  • In a dynamic code review or testing of a program, the software is executed in a simulated system or a virtual processor.
  • In a static code review, the software code is analyzed without executing it.
  • A misuse case test is the reverse of a use case test. In other words, doing a malicious act against a system is the misuse case of a normal act.
  • An analysis performed to identify metrics for code coverage is called test coverage analysis.
  • Interface testing is done to ascertain security during interactions between users and interfaces and between interfaces and modules.
  • An API test involves the testing of the functionality, performance, and security of application programming interfaces.
  • User Interface (UI) testing can include Command-Line Interface (CLI) or Graphical User Interface (GUI) testing. The focus of such tests is on operations that can be performed through user interfaces.
  • Physical interface tests subject the interface to conditions such as pressure, temperature, and other environmental conditions.
  • In security effectiveness, the requirements of tools take precedence over efficiency.
  • An assurance of effective software and applications is a requirement and is ascertained through security testing.